Please Note: Blog posts are not selected, edited or screened by Seeking Alpha editors.

SAS No. 99 & The Panel on Audit Effectiveness Recommendations Regarding Fraud and Forensics

This is the first of three academic papers which I wrote this past semester while pursuing my Masters in Accounting about forensic accounting concepts. While this is especially pertinent for accounting professionals, I am a strong believer that all finance and investing professionals should at least be familiar with the procedures that are employed in preparing and auditing financial statements. This paper was prepared on September 23, 2009.

The Public Oversight Board was an independent regulatory agency created in 1977 with the objective of ensuring that the audited financial statements of public corporations presented an accurate and clear picture of the financial health of the company that stakeholders could rely upon. To further achieve this goal, the Public Oversight Board established the Panel on Audit Effectiveness (“PoAE” or “Panel”) in October 1998 based upon a request from the Securities and Exchange Commission. The PoAE dedicated two years to gathering and analyzing both quantitative data and qualitative reports to issue its recommendations on methodologies that would improve audit quality if implemented. Specifically, the Panel reviewed audit reports for public companies and surveyed individuals involved with audit reporting. In retrospect, it is apparent that the audits performed during this time period were not of the highest quality so it is likely that the Panel received very disconcerting feedback, thereby coloring their recommendations more towards forensic procedures. The final report issued on August 31, 2000 addressed numerous issues in the financial reporting process and targeted the responsible stakeholders including audit committees, regulators, and auditors. The panel summarized its findings in three main points:

  • The risk-based approach to audits of financial statements is appropriate, but it needs to be enhanced, updated, and implemented more consistently.
  • Auditors should perform “forensic-type” procedures on every audit to enhance the prospects of detecting material financial statement fraud.
  • The governance of the auditing profession should be enhanced through a strengthened POB [Public Oversight Board] that would oversee the processes of setting auditing standards, monitoring auditor performance, and disciplining auditors for substandard performance, as well as conduct special reviews as appropriate.


These three conclusions are eerie in retrospect of the countless high profile accounting frauds that were underway during the time that the report was research. It would be almost exactly one year later that then Enron employee, Sherron Watkins, wrote her infamous memo to Enron’s CEO, Ken Lay, asking if “Enron has become a risky place to work” in light of the “elaborate accounting hoax.[1] While the PoAE’s recommendations had pervasive impacts for the entire accounting profession and regulatory community, the second finding regarding forensic accounting was especially relevant. Unlike many of the changes that resulted from the Sarbanes-Oxley Act (“SOX”), recommended forensic activities had an enveloping impact on staff auditors.

The Panel elaborated on the forensics point, which can be summarized by specifying three primary actions that they wanted implemented. In general, a “forensics-type” stage of fieldwork would be added to all audits, ideally towards the beginning of the audit with a focus on discussing how fraud could be perpetrated in the organization. In addition, forensic audits would be far less predictable by including surprise audits and substantive examinations of common accounts, in addition to the standard auditor procedures. Lastly, auditors would focus on nonstandard entries and examine how certain accounting issues involving judgment were resolved. The overall objectives of forensic techniques are to prevent, deter, and detect fraudulent activities to enhance audit quality. Whereas the first action focuses on professional skepticism of personnel, the last two strive to procedurally improve audits by mandating certain substantive tests.

In direct response to the PoAE’s recommendations and the high profile accounting scandals of the past year (2001), the Statement on Auditing Standards No. 99: Consideration of Fraud in a Financial Statement Audit (“SAS 99”), was issued by the Auditing Standards Board in October 2002. SAS 99 made great strides in improving financial reporting and audit quality; however, it was far from perfect in completely addressing all of the Panel’s recommendations on the topic. In order to assess SAS 99’s compliance with the Panel’s recommendations, it is important to first highlight the key provisions of the statement.

SAS 99 contains a multitude of changes to SAS 82, which it supersedes, and focuses primarily on increasing the awareness among auditors regarding fraud, the Panel’s first goal. This was also the objective of SAS 82; however, SAS 82 did not increase the responsibilities of auditors with regard to forensic techniques. SAS 82 only vaguely required auditors to “assess the risk of material misstatement of the financial statements due to fraud in every audit”.[2] As with SAS 82, SAS 99’s primary mechanism to deter and detect fraud is an elevated professional skepticism among auditors but also enhances the required audit procedures. The standard begins by generally describing fraud and the fraud triangle. This provides auditors with a better understanding of what fraud entails (versus an error), and gives an overview of the factors that contribute to fraud (primarily incentives/pressures, opportunity, and rationalization/attitude). At the most basic level, auditors cannot detect fraud if they are unable to distinguish it from errors: this overview in the standard helps to alleviate the problem. Before Sarbanes-Oxley and despite SAS 82, detecting fraud was not a primary auditing objective and appears to only have been uncovered by chance in the ordinary course of the audit. It is likely that “red flags” were noticed but inexperienced auditors did not comprehend the magnitude of what they uncovered. SAS 99 set forth a much more details framework for auditors to follow to systematically uproot fraud.

The most significant requirement in SAS 99 is that all audits must have a comprehensive brainstorming session on the topic of fraud in the planning phase. This brainstorming session provides an outlet for experienced auditors to chronicle their prior experiences with the client to less experienced engagement members and provide examples of ways in which fraud could theoretically be perpetrated by the client. By understanding the risks of the client, weaknesses can be assessed and the engagement team can identify accounts that are vulnerable to manipulation. With this knowledge, auditors can develop a much more appropriate audit program that is better tailored to the client’s unique risks. For example, the valuation of high-tech companies is sensitive to revenues; therefore, the team would dedicate extra resources to fraud detection in this area. Not only does this help to orient staff and other less experienced auditors toward detecting fraud, but enhances the professional skepticism of the entire engagement team. In summary, the brainstorming session puts all auditors on alert that fraud is a significant possibility and threat at their client, regardless of their preconceived notions about the client.

Another significant new requirement for auditors “provides guidance about how the auditor obtains knowledge about the entity’s business and the industry in which it operates”, specifically by making inquiries of management, the audit committee, internal auditors, and others within the organization. The subject of these inquiries is to assess management’s knowledge of fraud and any programs or policies in place to mitigate identified risks. Prior to this point, management and the board of directors (particularly the audit committee) were generally unresponsive to the auditors’ inquiries with respect to fraud. Based upon an analysis of uncovered frauds from this period, it is apparent that management was more concerned with obtaining “plausible deniability” than really learning how their subordinates met their aggressive targets. In addition to simply questioning management, it is critical to inquiry of operating personnel not involved in financial reporting and at other levels of the organization because it is likely that management may be deceitful if they are engaging in fraud.

SAS 99 imposes a focus on fraud in three traditional audit steps: identifying risks, evaluating internal controls, and assessing risks of material misstatements. Unfortunately specific procedures are commonly not given, but instead generalities are used such as, “for example, controls to address specific assets susceptible to misappropriation… [and] programs to promote a culture of honesty and ethical behavior.” The benefit of this approach is that it grants flexibility for auditing firms to implement these procedures in the way that they choose; however, the “requirement” is rather lax. Other suggested audit procedures are included in paragraphs .54 through .66. For example, paragraph .63 discusses tactics for validating accounting estimates.

The final requirement area describes the documentation requirements in an auditor’s determination of fraud. In brief, the auditor needs to document the requirements discussed above ranging from the planning to specific analytical procedures performed, as well as the results of the findings. Documentation is always a critical aspect of the auditing process but the importance is elevated due to the sensitive nature of the subject matter and the potential for litigation. There are generally two possible roles that the working papers can serve in litigation depending on the audit findings. If the accounting firm issues an unqualified report and fails to find material fraud associated with firm failure, it is likely that shareholder litigation will result. In such litigation, the working papers are vital for determining whether the auditors on the engagement exercised professionalism in their procedures and performed the appropriate procedures. In another scenario, if the engagement team does uncover fraud, the working papers will be instrumental in providing the details of the fraud for shareholder litigation or governmental investigation.

Other provisions in SAS99 serve as guidance or reminders but are not explicit requirements. A significant portion of the accompanying exhibit is oriented at company’s management and includes ways to reduce the level of misappropriate and fraud (for example, “creating a culture of honesty and high ethics” and “setting the tone at the top”) but these principles are rather general and difficult to explicitly audit. The statement closes with further discussion of the importance of the audit committee, internal audit function, and certified fraud examiners.

In general, SAS 99 is focused on increasing the awareness of fraud and enhancing professional skepticism in auditors. It is important to recognize the requirements that are included while also being aware of areas in which the statement does not include precise guidelines. Many of the provisions are merely recommendations, rather than requirements, thus expectations for auditors increase somewhat but the quality of audits may not increase in a similar manner. For example, the surprise audit tactics such as physical inspections are suggested but are not required. Even the requirements are not precise in their required implementation. Although the legal expectations may not increase due to the careful wording of the standard, the public will see that there is a fraud standard and may be under the false impression that auditors are providing a guarantee that they will uncover all fraud. Therefore SAS 99 does meet the minimum recommendation of the Panel’s recommendation as there is a required brainstorming session on fraud required for every audit; however, this is not to the degree that the Panel had recommended. The Panel’s recommendations give the impression that forensic procedures and enhanced substantive tests would be a focal point of audits but that is not the reality of SAS 99. It is important to stress that while the Panel’s recommendations are important for eliminating fraud in companies, it is impossible for auditors to detect all fraud, even if auditors are executed properly due to the nature of auditing (i.e. use of sampling techniques). In order for auditors to come closer to detecting all fraud, audit fees would necessarily skyrocket and become prohibitive to clients. As always, there is a necessary tradeoff between audit quality and cost feasibility.

SAS 99 includes enough significant requirements, primarily brainstorming, conferring with “outsiders” and “others”, and documentation procedures, that it is difficult to argue that the Panel’s recommendations were not considered when developing the standard. Due to the diverse nature of fraud types that could be perpetrated, the standard setters correctly deferred to a more principles based approach rather than rules based requirements. The require procedures stressed throughout the paper are so vital in detecting and deterring fraud that they should be performed on all engagements. On the other hand, the recommendations included provide a strong source of additional procedures that the auditor can employ if they deem necessary based upon the client’s risk profile. It could be argued that more of these recommended procedures should have been required and that the Panel’s recommendations should have been followed more closely but for the risk and cost reasons discussed above, the standard setters made the appropriate choice. The tendency following a financial crisis is to over-regulate but it fortunately appears that this was not the case with SAS 99. Considering the fact that there have not been widespread accounting frauds in the post SOX/SAS 99 era thus far, it appears as if the correct balance was achieved.

In conclusion, SAS 99 does an adequate job at responding to the Panel on Audit Effectiveness’ recommendations regarding fraud. The statement includes enough requirements regarding forensics to sufficiently improve audit quality in regards to fraud while still providing auditors will enough flexibility to conduct the audit with respect the unique risks of each client. The most important aspect of SAS 99 is the general increase in professional skepticism regarding fraud, which is achieved primarily via brainstorming and conferring with others. As the disastrous SEC investigations of the Madoff ponzi scheme reveal, maintaining professional skepticism and a healthy sense of cynicism are often the most important ingredients in uncovering deceitful activities.

[1] United States House of Representative Archive – Lay Letter

[2] The Auditor and Fraud by Jane Mancino, The Journal of Accountancy, April 1997.

Disclosure: No positions