SAS 99
Encyclopedia
Statement on Auditing Standards No. 99: Consideration of Fraud in a Financial Statement Audit, commonly abbreviated as SAS 99, is an auditing statement issued by the Auditing Standards Board
of the American Institute of Certified Public Accountants
(AICPA) in October 2002. The original exposure draft was distributed in February 2002. SAS 99, which supersedes SAS 82, was issued partly in response to recent accounting scandals
at Enron, WorldCom, Adelphia, and Tyco. The standard incorporates recommendations from various contributors including the International Auditing & Assurance Standards Board. SAS 99 became effective for audits of financial statements for periods beginning on or after December 15, 2002.
SAS 99 requires auditors to ask management questions about their awareness and understanding of fraud. Auditors will then make a decision as to whether they need to ‘educate’ management about fraud and the types of controls that will deter and detect fraud. The standard also requires auditors to make inquiries of the audit committee, internal audit personnel and others within the entity.
A similar criticism is that SAS 99 doesn’t close expectation gaps. The guidelines and suggestions provided in the standard increase expectations on the profession. As a result, auditors must consider the requirements of SAS 99 as the minimum level of work required to detect fraud. They must be prepared to defend any decision not to pursue one of the recommended procedures listed in SAS 99.
Auditing Standards Board
In the United States, the Auditing Standards Board is the senior technical committee designated by the American Institute of Certified Public Accountants to issue auditing, attestation, and quality control statements, standards and guidance to certified public accountants for non-public company...
of the American Institute of Certified Public Accountants
American Institute of Certified Public Accountants
Founded in 1887, the American Institute of Certified Public Accountants is the national professional organization of Certified Public Accountants in the United States, with more than 370,000 CPA members in 128 countries in business and industry, public practice, government, education, student...
(AICPA) in October 2002. The original exposure draft was distributed in February 2002. SAS 99, which supersedes SAS 82, was issued partly in response to recent accounting scandals
Accounting scandals
Accounting scandals, or corporate accounting scandals, are political and business scandals which arise with the disclosure of misdeeds by trusted executives of large public corporations...
at Enron, WorldCom, Adelphia, and Tyco. The standard incorporates recommendations from various contributors including the International Auditing & Assurance Standards Board. SAS 99 became effective for audits of financial statements for periods beginning on or after December 15, 2002.
Describes fraud and its characteristics.
SAS 99 defines fraud as an intentional act that results in a material misstatement in financial statements. There are two types of fraud considered: misstatements arising from fraudulent financial reporting (e.g. falsification of accounting records) and misstatements arising from misappropriation of assets (e.g. theft of assets or fraudulent expenditures). The standard describes the fraud triangle. Generally, the three ‘fraud triangle’ conditions are present when fraud occurs. First, there is an incentive or pressure that provides a reason to commit fraud. Second, there is an opportunity for fraud to be perpetrated (e.g. absence of controls, ineffective controls, or the ability of management to override controls.) Third, the individuals committing the fraud possess an attitude that enables them to rationalize the fraud.Requires ‘brainstorming’ sessions to discuss how and where the entity’s financial statements might be susceptible to material misstatement due to fraud.
This requirement is a new concept in audit standards and it has two primary objectives. The first objective is so the engagement team will have an opportunity for the seasoned team members to share their experiences with the client and how a fraud might be perpetrated and concealed. The second objective is to set the proper “tone at the top” for conducting the engagement. The brainstorming session is to be conducted in a manner that models the proper degree of professional skepticism and sets the culture for the entire audit.Requires the auditor to gather information necessary to identify risks of material misstatement due to fraud by the following
- Making inquiries of management and others within the entity
- Considering the results of analytical procedures performed in planning the audit.
- Considering fraud risk factors.
- Considering certain other information
SAS 99 requires auditors to ask management questions about their awareness and understanding of fraud. Auditors will then make a decision as to whether they need to ‘educate’ management about fraud and the types of controls that will deter and detect fraud. The standard also requires auditors to make inquiries of the audit committee, internal audit personnel and others within the entity.
Requires the auditor to use the information gathered to identify risks that may result in a material misstatement.
This section provides guidance and support on how to identify and assess risks. It challenges auditors to change the way they think about assessing fraud risks. Auditors should identify risks and synthesize how those risks could lead to a material misstatement. This section specifically requires that improper revenue recognition and management override of controls be considered.Requires the auditor to evaluate the entity’s programs and controls that address the identified risks of material misstatement.
SAS 99 provides specific examples of programs and controls for both large and small businesses. The auditor should consider which controls mitigate the identified fraud risks.Requires the auditor to assess the risks of material misstatement due to fraud throughout the audit and to evaluate at the completion of the audit whether the accumulated results of auditing procedures and other observations affect the assessment.
The standard provides examples of conditions that may be identified during the audit that might indicate fraud. One example is management denying the auditors access to key IT operations staff including security, operations, and systems development personnel. The auditors must determine whether the results of their tests affect their assessment.Provides guidance regarding the auditor’s communications about fraud to management, the audit committee, and others.
The standard requires that any evidence that fraud may exist must be communicated to management and others. The level of severity is insignificant.Describes documentation requirements.
SAS 99 significantly extends the documentation requirements of the previous standard. Auditors must document: (1) how and when the brainstorming session occurred and who participated, (2) procedures performed to obtain information to identify and assess fraud risk, (3) specific risks of material misstatement due to fraud (must specifically include discussion of revenue recognition) and the auditor’s response to those risks, (4) results of the procedures performed to address the risk of management override of controls, (5) conditions and analytical relationships that led to additional audit procedures or other responses, and (6) nature of communications about fraud made to management and others.Criticisms of SAS 99
The primary criticism of the standard is that many procedures are suggested rather than required. For example, it is suggested that auditors consider surprise procedures like showing up unannounced for an inventory count. In actual practice auditors often tell clients which inventory locations they are going to ‘observe.’ Telling clients which locations are going to be audited makes it easy to commit inventory fraud.A similar criticism is that SAS 99 doesn’t close expectation gaps. The guidelines and suggestions provided in the standard increase expectations on the profession. As a result, auditors must consider the requirements of SAS 99 as the minimum level of work required to detect fraud. They must be prepared to defend any decision not to pursue one of the recommended procedures listed in SAS 99.
Related Regulations
- Gramm-Leach-Bliley ActGramm-Leach-Bliley ActThe Gramm–Leach–Bliley Act , also known as the Financial Services Modernization Act of 1999, is an act of the 106th United States Congress...
- Sarbanes-Oxley ActSarbanes-Oxley ActThe Sarbanes–Oxley Act of 2002 , also known as the 'Public Company Accounting Reform and Investor Protection Act' and 'Corporate and Auditing Accountability and Responsibility Act' and commonly called Sarbanes–Oxley, Sarbox or SOX, is a United States federal law enacted on July 30, 2002, which...
- Health Insurance Portability and Accountability ActHealth Insurance Portability and Accountability ActThe Health Insurance Portability and Accountability Act of 1996 was enacted by the U.S. Congress and signed by President Bill Clinton in 1996. It was originally sponsored by Sen. Edward Kennedy and Sen. Nancy Kassebaum . Title I of HIPAA protects health insurance coverage for workers and their...
(HIPAA) - SB 1386SB 1386SB1386, amending civil codes 1798.29, 1798.82 and 1798.84 is a California law regulating the privacy of personal information. The law was introduced by California State Senator Peace on February 12, 2002, and became operative July 1, 2003....
- FISMA