The official AICPA auditing standards are extensive. Relevant standards concern errors and frauds (SAS 99 issued in 2002), illegal acts by clients (SAS 54, AU 317), auditing accounting estimates (SAS 57, AU 342), and communication with audit committees (SAS 61, AU 380).
CONSIDERATION OF FRAUD IN A FINANCIAL STATEMENT AUDIT (SAS 99)
The first AICPA statement on auditing standards that explicitly used the "fraud" word was SAS 82, issued in 1997. This auditing standard was revised and expanded with the issue of SAS 99 in 2002. With this standard the AICPA generally accepted auditing standards (GAAS) contain numerous requirements for obtaining reasonable assurance of material fraud detection, overall audit responses, specific procedural responses, documentation, and reports to management and the board of directors.
Excerpts of the explicit SAS 99 requirements (but not the more general discussion of guidance, which is more thoroughly covered in other chapters in this book anyway) are in the sections below. This is a condensed version of SAS 99 covering the elements that are requirements for independent audit performance. Indeed, the auditing standards state: "Auditors have responsibilities to plan and perform audits to obtain reasonable assurance that financial statements are free of material misstatement, whether caused by error or fraud."
Characteristics of Fraud
- "Fraud" is defined as an intentional act that results in a material misstatement in financial statements that are the subject of an audit.
- Characteristics of fraud include: (a) concealment through collusion among management, employees, or third parties, (b) withheld, misrepresented, or falsified documentation, and (c) the ability of management to override or instruct others to override what otherwise appear to be effective controls.
- Fraud is a broad legal concept. Auditors do not take the place of judges and juries to determine whether fraud has occurred.
- Independent auditors’ concerns are focused on management fraud—the question of whether financial statements are materially misstated (the subject of the audit report which is the public product of every independent audit).
- Independent auditors are concerned about employee fraud against the client company (misappropriation of assets, embezzlement, theft, defalcation) only insofar as the cover-up might involve misstatement in the financial statement balances.
- Three conditions lead to fraud, and they are in the categories of incentive (motive), opportunity (access to assets, lack of control, management override of control), and attitude (lack of personal integrity, ability to rationalize). These points of the fraud triangle are thoroughly covered in Chapter 6 in this book.
- Independent auditors are generally not trained and are not expected to be experts in authentication of forged or falsified documents used to conceal frauds. When auditors notice questioned documents, they should ask for specialists’ assistance.
- With a GAAS audit, independent auditors cannot give absolute assurance that they will detect material misstatements caused by fraud.
Required Discussion Among Audit Team Members
- When planning an audit, audit team members should discuss fraud. This is brainstorming and a requirement to induce everyone to think fraud during the course of the audit. Discussion is an exchange of ideas and contributes to fraud awareness (professional skepticism) along the line of asking "What can go wrong?"
- Auditors should discuss motive, opportunity, and attitude (the fraud triangle), setting aside any prior beliefs about management honesty and integrity.
- Emphasize in the discussion the need to have persuasive evidence even in light of beliefs about management honesty.
Obtain Information and Identify Management Fraud Risks
- Interview managers, the audit committee, and internal auditors about fraud risks and how the organization deals with them. (This is FAQ—Fraud Awareness Questioning—covered in Chapter 6 in this book.)
  - Any knowledge or suspicion of frauds?
  - Specific fraud risks in the organization?
  - Programs and controls to mitigate fraud risks?
  - Communication to employees about business practices and ethical behavior?
  - Reports to the audit committee about risks and controls?
  - Audit committee’s views and knowledge or suspicion of fraud?
  - Internal auditors’ work and knowledge about fraud risks and fraud findings?
- Interview other managers and employees outside the finance and accounting functions (operating managers, employees involved in transaction contracting, in-house legal counsel) for information about fraud risks, frauds, and potential management override of controls.
- Consider carefully a large array of risk factors. Many are covered in Chapter 6 in this book, and the auditing standard lists many, for example: heavy competition, vulnerability to technological change, interest rates, business failures in the industry, operating losses, investment analyst expectations, financing needs, debt covenants, management incentive compensation plans, accounting involving estimates, complex transactions, ineffective board of directors, high turnover, lack of controls, clever misapplication of accounting principles, disputes and arguments with auditors, and more.
- Based on audit team discussion and these interviews, identify fraud risks in relation to motives, opportunities, and rationalizations (the fraud triangle). [However, ascertaining and observing individual managers' attitudes and propensity for rationalization are difficult and not really expected of independent auditors.]
- Identify fraud risks in relation to their type (e.g., revenue overstatement), significance (i.e., potential materiality), likelihood (i.e., probability of occurrence), and pervasiveness (i.e., throughout financial statements, particular account). The perception that fraud in financial statements is generally infrequent is not a basis for concluding that a particular type of fraud is not present in the organization under audit.
Evaluate the Organization’s Controls for Mitigating Fraud Risks
- Evaluate the design of the organization’s programs and controls for preventing and detecting financial misstatements.
- If designed properly, obtain evidence that the programs and controls have been placed in operation. [The auditing standard itself is silent about any requirement always to perform tests of controls to determine whether controls in operation actually operate effectively, although actual testing might be a good practice.]
CLIENTS' ANTI-FRAUD PROGRAMS
The corporate sentencing guidelines include a provision for mitigating a penalty if a company has "an effective program to prevent and detect violations of law." Such programs show companies' due diligence in seeking to prevent and detect criminal conduct by their employees. The seven elements of due diligence are in this book in Chapter 1.
SAS 99 contains an extensive Exhibit/Appendix entitled Anti-Fraud Programs and Controls. It presents and explains many ways and means by which companies can manage fraud risk. For all practical purposes, following these elements of anti-fraud programs and controls will accomplish the due diligence cited in the corporate sentencing guidelines.
In connection with the study and evaluation of internal control, SAS 99 requires that auditors determine whether the company’s fraud risk programs and controls are suitably designed and placed in operation.
Perform Procedures in Response to Risk and Control Findings
- Testing the operating effectiveness of an organization’s programs and controls is not enough to reduce fraud risk to an appropriately low level. Because management may be able to override controls, substantive procedures are required.
- Overall response: Assign to the audit team persons who have specialized skill and knowledge and extensive experience.
- Overall response: Apply professional skepticism by designing procedures to obtain more reliable evidence and obtain corroboration of management representations using third-party confirmations, specialist’s skills, analytical procedures, independent documentation, and interviews with people outside the organization.
- Overall response: Review choice and clever application of accounting principles and management estimates in light of bias that can create material misstatements.
- Overall response: Inject an element of surprise (unpredictability) by using different sampling methods, testing accounts not normally tested, performing procedures at different locations, performing procedures unannounced--not telling management where and when audit attention will be focused.
- Specific response: Change the nature of substantive audit procedures to obtain reliable evidence, such as public record information about customers, vendors, and counterparties; physical inspections of assets; computerized data mining; additional interviews with managers and others.
- Specific response: Change the timing of substantive audit procedures, performing them at the year-end and also at the end of interim reporting periods.
- Specific response: Change the extent of substantive audit procedures by using larger sample sizes than usual; applying analytical procedures at a detail level (e.g., locations, lines of business, months); employing computer-assisted techniques to audit target samples or entire data populations. [One such technique is digit and number analysis covered in Chapter 15 in this book.]
- This item is not especially explicit in the auditing standards statements, but it is good advice: Pay particular attention in planning and performing work in areas known to have been used by other entities to perpetrate frauds, such as revenue recognition; expense deferral; inventory valuation; liability estimates; off-balance-sheet financing; disclosure omission/obfuscation; and others in the rich imaginations of persons who manipulate financial statements.
- If auditors cannot be satisfied that procedures will be effective, the appropriate course of action may be withdrawal from the engagement.
Misstatements Arising from Misappropriation of Assets
Auditing standards do not pay much attention to employee frauds against the organization, except to the extent that a cover-up might produce materially misstated account balances. The attention is on balance sheet amounts, especially overstated assets and omitted liabilities. Auditing standards refer to procedures already recommended in connection with detecting fraudulent financial statements. In the author’s opinion, the auditing standards seem to suggest by silence that an organization’s fraud losses to employee and customer embezzlement, theft, and shoplifting do not misstate an income statement or balance sheet so long as the losses are deducted from or offset against revenues.
The Risk of Management Override of Controls
Procedures to deal with possible management override of controls are required in all audits. Management override-attention procedures include these:
- Audit journal entries and account adjustments, especially ones that are not routine; arise at interim and annual report preparation dates; contain round numbers; and otherwise "look odd."
- Audit managers’ accounting estimates for evidence of systematic bias. Perform a retrospective review of past estimates in light of subsequent developments. [For example, review the past year’s account receivable write-offs in comparison to the allowance established for them.]
- Evaluate the business rationale for significant unusual transactions. Look for related parties and learn the financial capability of the other parties to complex transactions.
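The journal-entry criteria in the first procedure above (not routine, dated at interim or annual period ends, round numbers) can be applied as a screen over a ledger extract. The following is an added example, not part of the book or of SAS 99; the field names, the sample entries, and the three thresholds are assumptions chosen for illustration.

```python
import calendar
from datetime import date
from decimal import Decimal

# Assumptions (not defined by SAS 99): tune these to the engagement.
ROUND_UNIT = Decimal("1000")    # "round" = exact multiple of 1,000
PERIOD_END_DAYS = 5             # last 5 calendar days of a quarter
ROUTINE_SOURCES = {"system"}    # automated postings count as routine

# Constructed sample ledger extract; field names are hypothetical.
ENTRIES = [
    {"id": "JE-1001", "date": date(2023, 3, 14), "amount": Decimal("1842.37"), "source": "system"},
    {"id": "JE-1002", "date": date(2023, 6, 29), "amount": Decimal("250000.00"), "source": "manual"},
    {"id": "JE-1003", "date": date(2023, 12, 31), "amount": Decimal("73915.20"), "source": "system"},
    {"id": "JE-1004", "date": date(2023, 8, 9), "amount": Decimal("-5000"), "source": "manual"},
]

def is_round(amount):
    """True for a non-zero amount that is an exact multiple of ROUND_UNIT."""
    return amount != 0 and abs(amount) % ROUND_UNIT == 0

def near_period_end(d):
    """True when the date falls in the closing days of a calendar quarter."""
    if d.month % 3 != 0:
        return False
    last_day = calendar.monthrange(d.year, d.month)[1]
    return last_day - d.day < PERIOD_END_DAYS

def screen(entries):
    """Return (entry id, flags) for flagged entries, most flags first."""
    results = []
    for e in entries:
        flags = []
        if e["source"] not in ROUTINE_SOURCES:
            flags.append("non-routine")
        if near_period_end(e["date"]):
            flags.append("period-end")
        if is_round(e["amount"]):
            flags.append("round-amount")
        if flags:
            results.append((e["id"], flags))
    # Stable sort keeps ledger order among entries with equal flag counts.
    results.sort(key=lambda r: -len(r[1]))
    return results

if __name__ == "__main__":
    for entry_id, flags in screen(ENTRIES):
        print(entry_id, ", ".join(flags))
```

A flag marks an entry for examination of its support and business rationale; it is not itself evidence of misstatement.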
Evaluate Audit Evidence Results
- Throughout the audit, pay attention to warning signs such as: incomplete recordings, unsupported transactions, missing documents, photocopied documents, unexplained reconciling items, missing inventory, management interference with the audit work (complaints, delays, denied access), and more.
- Throughout the audit discern whether analytical substantive procedures indicate out-of-expectation financial reporting.
- At the end of the audit, put together the initial brainstorming, subsequent findings, signs and signals (or lack thereof), and make a final assessment of overall fraud risk of material misstatement.
As a book author, I take liberty to offer another thought that is not in the official auditing standards. The subject is "attempted fraud," which is nowhere defined in law or auditing literature. In my opinion, it arises when managers try to misstate account balances and financial reports and the auditors find the attempt, recommend adjustment in the financial reports, and the managers accept and record the adjustment(s). Managers most likely will not admit "I tried this fraud and you caught it, so the financial reports are OK." More than likely, managers admit to innocent error or misinterpretation of accounting principles to excuse "attempted fraud." Auditors must remain sensitive to human defense behavior that may not yield obvious signs of disappointment over getting caught.
Communicate to Management, Audit Committee, Others
- When auditors find fraud, tell the appropriate level of management, even if the fraud might be considered inconsequential (e.g., low-level employee embezzlement or theft).
- When auditors find fraud ["attempted fraud?"] that causes material misstatement in financial statements or involves senior managers, tell the audit committee.
- Report control weaknesses to management and the audit committee.
- Disclose possible fraud in limited circumstances after satisfying ethical and legal confidentiality questions by:
  - Complying with legal and regulatory requirements (including reporting a change of auditors on SEC Form 8-K, reporting control matters and disagreements according to Item 304 of SEC Regulation S-K, and reporting illegal acts under Section 10A(b)1 of the Securities Exchange Act of 1934).
  - Responding to a successor auditor's inquiries (SAS 84).
  - Responding to a subpoena.
  - Communicating with a funding or other agency when required in audits of entities that receive governmental financial assistance.
Document the Fraud-Related Audit Work
In the audit working papers, document in particular:
- The audit team planning discussion: how, when, who, what to describe the meeting and the matters discussed.
- Procedures performed to identify fraud risks.
- Specific risks identified and the plan for the response procedures.
- Since improper revenue recognition is presumed always to be a fraud risk, tell [justify] the reasons for not identifying revenue recognition as a potential fraud risk in a particular audit.
- The results of procedures performed to deal further with the risk of management override of controls.
- Other risks identified during the audit and further response procedures.
- Nature, timing, and content of communications to management, audit committee, and others.