The financial statement
The major accounting scandals occurred in large companies such as Enron Corporation, WorldCom, Tyco International, Waste Management Inc, and American International Group (AIG), just to cite a few, put the accounting and auditing profession under public scrutiny. The collapse of Arthur Andersen questioned the competence and independence of auditors and left a legacy of change on the laws governing the accounting profession. The U.S. Congress passed the Sarbanes-Oxley Act of 2002; this legislation was designed to increase the accountability and regulation of the accounting profession. One of its provisions restricts auditors from providing consulting services in order to maintain their independence. Another important change under Sarbanes-Oxley title II also deals with external audit partner rotation.
Although, Auditing Standard Board issued Statement on Auditing Statement No. 99 (Consideration of Fraud in a Financial Statement Audit) prior to all these well-known scandals, this was released in the midst of these corporate scandals. This statement replaces SAS 82, and aims to increase the probability that auditors will detect fraud and also to improve the auditor performance. All organizations are exposed to fraudulent activity; no one is immune to fraud, and when this occurs in the organization, the question is: Why didn't the auditors discover the fraud? According to the standards adopted by the Public Company Accounting Oversight Board (PCAOB), AU section 316.02, (Responsibilities and Functions of the Independent Auditor) states: "The auditor has a responsibility to plan and perform the audit to obtain reasonable assurance about whether the financial statements are free of material misstatement, whether caused by error or fraud." Even though auditors' efforts to detect fraud, it is still possible this will go undetected due to the inherent limitations of an audit.
SAS 99 - DEFINITION AND TYPES OF FRAUD
Before considering the auditors' responsibility to detect fraud, it is important to know SAS 99 (AU Section 316, paragraph .05) definition of fraud as "an intentional act that results in a material misstatement in financial statements that are the subject of an audit." It also emphasizes the two types of misstatements that are important to the auditor's consideration of fraud.
Fraud arises from fraudulent financial reporting and from misappropriation of assets (SAS 99 AU Section 316, paragraph .06). Fraudulent financial reporting as defined by SAS 99 is "an intentional misstatement or omission of an amount or disclosure in financial statements" whose examples include the manipulation, falsification, or alteration of records or documents; the misrepresentation or omission of transactions or events; and the intentional misapplication of an accounting principle. On the other hand, Misappropriation of assets "theft of assets" whose examples include embezzling cash, stealing inventory, or causing payment for services not received. Fraudulent financial reporting is often called management fraud and involves the use of misleading financial statements to deceive investors and creditors. Misappropriation of assets is often perpetrated by employees and deceives management.
The Sarbanes-Oxley Act of 2002 and its public accounting regulatory body, the PCAOB made significant changes to many aspects of the financial reporting process. Among the most important changes are:
- The creation of the Public Company Oversight Board (PCAOB)
- Auditor independence
- External audit partner rotation
- Auditor report on internal control over financial reporting
CHANGES ON THE LAWS GOVERNING THE ACCOUNTING PROFESSION IN RECENT YEARS
Creation of the Public Company Oversight Board (PCAOB)
The PCAOB is an independent non-government organization established under Title I Section 101 of the Sarbanes-Oxley Act, charged with oversight of audits of public companies and its auditors. The purpose of the PCAOB is to protect the interest of investors and to further the public interest. The PCAOB is responsible for:
- Registering public accounting firms that prepare audit reports for public companies
- Establish rules for financial audits, ethics, and auditor independence
- Inspection of registered public accounting firms, and conduct investigations and disciplinary proceedings.
- Enforce compliance of the act
Impact of Sarbanes-Oxley Act on Independent Auditors
Sarbanes Oxley act of 2002 was the reaction of the US Congress in response to the financial statement frauds perpetrated by some large companies. Among the recent changes on the laws governing the accounting profession that are intended to reduce the number of financial frauds and to increase public confidence, and the quality of audits are:
Sarbanes Oxley, Section 201, Services Outside The Scope of Practice Of Auditors
The Act limits the consulting services an auditor can provide to public companies including the design and implementation of financial information systems. All of the following services compromise auditors' independence, and simultaneously creates in investors and creditors a lack of confidence in financial statements.
- bookkeeping or other related accounting services
- design and implementation of financial information systems
- services of appraisal or valuation
- actuarial services;
- internal audit outsourcing
- functions of management or human resources;
- broker, investment advice, or services of investment banking
- legal advice and expert services not related to the audit; and
- any other service that the Board determines, by regulation, is not permitted
Under Sox 201(h), an auditor needs the approval of the client's audit committee to provide tax services, tax advice and the preparation of tax returns. Additionally, the cost for tax services must be disclosed in the proxy statements and annual reports of the client.
Audit Partner Rotation:
Sarbanes Oxley Section 203 - A lead audit partner or the audit partner responsible for reviewing the audit must be rotated after five years and are subject to a timeout period of five years.
Auditor Report on Internal Control over Financial Reporting
Section 404 of the Act requires that management report in the quality of its internal control, and the independent auditor must attest and report on management's assessment of the effectiveness of the company's internal control over financial reporting.
AUDITORS' RESPONSIBILITY TO DETECT FRAUD
According to the standards adopted by the Public Company Accounting Oversight Board (PCAOB), AU 316 Section 110.02, in a financial statement audit "the auditor has the responsibility to plan and perform the audit to obtain reasonable assurance about whether the financial statements are free of material misstatements, whether caused by error or fraud." Any misstatement can be caused by unintentional error or intentional fraud, as indicated in the definition of fraud, intent is the main difference between an error and fraud. SAS No. 99 requires that an auditor:
Exercise professional Skepticism (AU Section 316.13)
PCAOB AU §230 paragraphs .07 through .09 which refers to "Due professional care in the performance of work," requires the auditor to exercise professional skepticism in all aspects of the engagement. Professional skepticism is defined by SAS 99 AU 316.13 as "an approach that includes a questioning mind and a critical assessment of audit evidence". Professional skepticism should be exercised at the planning stage of an engagement and while performing audit procedures and gathering evidence. When considering the possibility that a material misstatement due to fraud could be present, the auditor should not assume that management is dishonest, but the possibility of dishonesty must be considered.
Discuss among audit staff throughout the engagement the risk of fraud causing material misstatement (AU Section 316.14 through 316.18)
While planning and throughout the engagement, members conforming the audit should discuss the probability that the financial statements might be at risk of material misstatement caused by fraud. All members of the audit should meet to exchange ideas and brainstorming about where the financial statements are susceptible to fraud, how assets could be misappropriated, and how management might engage in fraudulent financial reporting. The discussion must contain a consideration of the known external and internal factors affecting the entity that might
- Create incentives or pressures for managements or employees to commit fraud,
- Provide opportunities for managements or employees to commit fraud, and
- Expose an environment that permits management to rationalize committing fraud.
AU 316.16 emphasizes the need that team members must maintain a questioning mind and as indicated in AU 316.13, the auditor should continually exercise professional skepticism in gathering and evaluating evidence during the audit. The auditor's assessment of the risks of material misstatement due to fraud should be performed in a continuous basis throughout the audit (AU 316.68). Audit team members should thoroughly probe issues, acquire additional evidence as necessary, and consult with other team members and firm experts as needed (AU 316.16).
AU Section 316.17 states that even though professional judgment must be used in deciding which audit team members should be included in the discussion, the discussion would normally include key members. Other factors that should be considered when planning the discussion include
- Whether to have multiple discussions if the audit involves more than one location.
- Whether to incorporate specialists assigned to the audit.
PCAOB AU Section 316.18 states that the audit team members should continue to communicate throughout the audit about the risk of material misstatement due to fraud at or near the completion of the field work.
Obtain information to identify the risk of fraud (AU Section 311.19 through .34)
Performing procedures required under (AU Section 311.06 through .08) planning, the auditor should obtain knowledge about the entity's business and the industry in which it operates that enables him to identify the risks of material misstatements caused by fraud. To obtain information used in considering the risks of material misstatement due to fraud, the auditor should perform the following procedures described in AU 316 Paragraphs .35 through .42)
- Obtain information from management and others within the entity to find their judgment about the risks of fraud and how they will focus on it. (See paragraphs .20 through .27.)
- Take into account any unusual or unexpected relationship that has been identified when performing analytical procedures in planning the audit. (See paragraphs .28 through .30.)
- Consideration of the existence of factors of risk. (See paragraphs .31 through .33, and the Appendix [paragraph .85].)
- Take into account other information that may be useful in the recognition of risks of material misstatement due to fraud. (See paragraph .34.)
Identifying risks that may cause material misstatement (AU Section 316.35 through .42)
In identifying risks of material misstatement due to fraud, the auditor must use the information collected to identify risks that may result in a material misstatement due to fraud.
If the auditor observes the three fraud conditions incentives/pressures, opportunities, and rationalizations, the risk of material misstatement due to fraud may be greater. However, if the auditor doesn't observe one or more of these fraud conditions, the auditor should not assume that the risk of material misstatement doesn't exist (PCAOB AU 316.35).
SAS 99 (AU 316.38) requires the auditor to "evaluate whether identified risks of material misstatement due to fraud can be related to specific financial-statement account balances or classes of transactions and related assertions, or whether they relate more pervasively to the financial statements as a whole." It is of great help if the auditor can associate the risks of material misstatement due to fraud with individual accounts, classes of transactions, and assertions in order to design appropriate auditing procedures.
SAS 99 (AU 316.41) since material misstatements often result from an overstatement or an understatement of revenues, the auditor should ordinarily assume that there is a risk of material misstatement due to fraudulent revenue recognition. SAS 99 (AU 316.42) requires that if specific risks of material misstatement due to fraud are not identified, the auditor should address the risk that management override of control could occur in every audit.
Assessing identified risks SAS 99 (AU 316.43 through .45)
The auditor is required to assess the identified risks that could result in a material misstatement due to fraud. Based in the understanding of internal controls required by Section (AU 316.19), the auditor should determine if the entity has appropriately designed and placed in operation programs and controls that deal with identified risks of material misstatements due to fraud. The auditor should consider if management's programs and controls reduce identified risks of material misstatement due to fraud or if specific control weakness may increase the risks.
Responding to the Results of the Assessment SAS 99 (AU 316.46-.67)
The auditor responds to the assessment of risk of material misstatement due to fraud in the following way:
- An overall response as to how the audit is conducted
- Specific responses concerning modifications of the nature, timing, and extent of procedures to be performed
- Responses to further focus on the risk of material misstatement due to fraud concerning management override of control.
The auditor performs audit procedures to reduce the risk of fraud and evaluates the audit evidence obtained.
Evaluate audit evidence SAS 99 (AU 316.68 through .78)
The assessment of the risks of material misstatement due to fraud must be an ongoing process throughout the audit. The auditor should identify conditions that either change or support the auditor's judgment regarding the assessment of the risk of material misstatement due to fraud, for the purpose of evaluating audit evidence; the auditor should consider the following:
- Inconsistencies in the accounting records such as unauthorized transactions, and last-minute adjustments that significantly affect the financial statements.
- Conflicting or missing audit evidence such as missing documents, altered documents, significant unexplained items on reconciliations, and inconsistent or doubtful responses by the company's personnel to auditor inquiries.
- Difficult or irregular relationships between the auditor and management such as too much time pressures imposed by management to resolve complicated or controversial issues, and significant delays in providing information requested for the audit.
The auditor should consider if the analytical procedures performed as substantive tests or in the overall review stage of the audit reveal a risk of material misstatement due to fraud that was not recognized previously. The auditor should apply substantive analytical procedures to revenue through the end of the period as required by SAS 99 (AU 316.29).
Internal Auditor's Responsibility for Fraud Detection
Both, internal and external auditors today are assuming a more important role in the detection and prevention of fraud. Nowadays, auditors are facing a greater responsibility to detect fraud in the course of their audits as well as to recommend the appropriate controls to prevent it. Internal auditors examine and evaluate all of the company's systems, functions, processes, activities, and help management to accomplish objectives through a disciplined approach to governance, control, and risk improvement. Internal auditing plays an important role in ensuring the effectiveness of internal controls and where there is a suspicion of fraud in the course of an audit; the internal auditor should have the evidence to report it to the appropriate authorities within the organization. Internal auditors are in a better position to detect fraud than external auditors because internal auditors are at the organization sites on a daily basis.
The Sarbanes Oxley Act had a remarkable effect on public accounting as a response to auditors' unethical behavior and fraudulent management's behavior. SAS 99 did not change the overall auditor's responsibility for fraud detection, instead; this standard was intended to improve auditor performance and to increase the probability to detect fraud. SAS 99 emphasizes professional skepticism, requires planning for the likelihood to detect fraud, and requires a written assessment of fraud risks. On the other hand, internal auditors examine the existing internal controls for compliance to entity's policies and help management to accomplish objectives. Both, internal and external auditors today are assuming a more important role in the detection and prevention of fraud in order to reduce the number of financial frauds and to increase public confidence, and the quality of audits.
- PCAOB AU Section 316
- PCAOB AU Section 316, paragraph .06 - SAS 99
- SAS 99 AU Section 316, paragraph .06
- Section 101(a) - Sarbanes-Oxley
- Stimson William A, ISO 9001 & Sarbanes-Oxley: A System of Governance (Chico: 2006), p 51
- Sarbanes-Oxley Section 201(g)
- Siegel, J, Dauber, N, & Shim, J, The Vest Pocket CPA. (Hoboken:2008), p 680
- Sarbanes-Oxley - Title IV: Section 404
- PCAOB AU Section 316, paragraph .06 - SAS 99
- David N. Ricchiute, Auditing (Mason: 2005), p 258
- AU Section 316.15
- Robert Moeller, Brinks Modern Internal Auditing (Hoboken: Wiley & Sons, 2009), p 585