e ar

at r

ticl
u
e
fe

Will Technology Defeat Your Auditor?

Paul Munter

T
here’s Cendant, the course of an audit
McKesson/ Enron is only the latest of a growing list of frauds is found in SAS No.
HBOC, Waste that went undetected for years. Even if your audi- 82, Consideration of
Management, Sun- tor is honest, the widespread use of technology Fraud in a Financial
beam, and now, of makes it tougher for him to find the crime—and Statement Audit,
course, Enron. The make the bad guys do the time. But what do you which was issued in
one thing that can be have a right to expect from your auditor? February 1997. SAS
said with virtual cer- © 2002 Wiley Periodicals, Inc.
No. 82 specifically
tainty is that these sub- addressed the issue of
stantial frauds will not fraud for the first time
be the last ones played in the audit literature
on the investing public. Is there Of course, part of the prob- and provided guidance to the
any wonder that investors con- lem relates to the understanding auditor in discharging the
tinue to expect that auditors will of the auditor’s current respon- responsibilities to consider
detect fraud in the process of sibilities for the detection of fraud in a financial statement
auditing and certifying the com- fraud. Another piece of the puz- audit. SAS No. 82 was an
panies’ financial statements? zle is the widespread use of attempt to clarify the auditor’s
And yet, in each of these technology that can make it responsibility to plan and per-
cases, the frauds went on for even more difficult for the form the audit to obtain reason-
years either without the knowl- auditor to detect a fraud able assurance about whether
edge of the auditor or, in the scheme. In this article, we will the financial statements are free
opinion of some, the participa- examine the auditor’s current from material misstatement,
tion or willful disregard by the responsibilities for detection of whether caused by error or
auditors. Prompted by cases fraud as well as the auditor’s fraud. Additionally, SAS No. 82
such as these, as well as the rec- responsibilities for understand- provided more guidance on the
ommendations of the O’Malley ing the impact of technology on standard of due professional
Panel, the Auditing Standards the company’s financial report- care in the performance of
Board (ASB) of the American ing practices. work, including the need to
Institute of Certified Public exercise professional skepti-
Accountants (AICPA) is current- AUDITOR’S RESPONSIBILITY cism, and the concept of “rea-
ly working on revisions to the FOR DETECTION OF FRAUD IN sonable assurance.” Additional-
audit literature that would AN AUDIT ly, the ASB concluded that a
increase the auditor’s responsi- specific assessment of the risk
bilities related to fraud detection The current guidance to of fraud is needed to add assur-
and reporting in the conduct of auditors on the responsibility ance that the responsibility of
an audit. for the detection of fraud during the auditor regarding detection

© 2002 Wiley Periodicals, Inc.

Published online in Wiley InterScience (www.interscience.wiley.com). DOI 10.1002/jcaf.10065 17
18
of material misstatement due to
fraud is appropriately addressed.
Consideration of Fraud Risk
Factors
Under the current audit litera-
ture, the auditor is required, in
every audit, to assess the risk of
material misstatement due to
fraud by considering whether risk
factors exist that might indicate
the existence of fraud. SAS No.
82 requires auditors to consider
two types of fraud risk factors: (1)
factors relating to fraudulent
financial reporting and (2) factors
relating to any misappropriation
of assets. SAS No. 82 acknowl-
edges the need for auditors
to use professional judg-
ment when assessing the
significance of risk factors
and determining the appro-
priate audit response; how-
ever, SAS No. 82 includes
guidance to help the auditor
in his/her consideration of
those risk factors that are
determined to be present. An
important issue, and part of the
reason why the ASB is now
reconsidering the auditor’s respon- While the standard provides
sibility for the detection of fraud,
is that SAS No. 82 does not
require auditors to consider any
particular fraud risk factors nor
does it require the auditor to con-
duct any forensic or other fraud
detection tests. Rather, SAS No.
82 provides examples of fraud
risk factors that auditors should
consider in planning the audit.
Fraud risk factors and other
considerations may come to the
auditor’s attention while per-
forming procedures relating to
client acceptance and continu-
ance, during engagement plan-
ning, or during the process of
understanding an entity’s internal believes (individually or in com-
control, or while conducting
fieldwork. As such, the assess-
ment of risk of material mis-
The Journal of Corporate Accounting & Finance
statement due to fraud is cumu-
lative and ongoing.
The auditor’s response to
the risk assessment associated
with any potential fraud is
influenced largely by the degree
of risk assessed. Thus, the audi-
tor should consider whether
there is a need for an overall
response, one that is specific to
a particular account balance,
class of transactions or asser-
tion, or both. Another shortfall
of SAS No. 82 is that it indi-
cates that in some cases when
fraud risk factors are present,
there may be no need to modify
procedures. In other cases, SAS
No. 82 indicates that proce-
…SAS No. 82 does not require
auditors to consider any particular
fraud risk factors nor does it require
the auditor to conduct any forensic
or other fraud detection tests.
dures may need to be modified
or the auditor may even need to
resign from the engagement.
guidance for an overall consid-
eration and for specific consid-
erations at the account balance,
class of transactions, and asser-
tion level, it falls short of pro-
viding specific guidance or
establishing specific audit pro-
cedures that are required.
An important part of SAS
No. 82 is the documentation of
the assessment process that is
needed. Specifically, the auditor
should document evidence of the
performance of the assessment,
how fraud risk factors and other
conditions were considered, the
fraud risk factors that the auditor
bination) significantly affect the
risk of material misstatement,
and the auditor’s response to
those risk factors. These consid-
erations are central to the stan-
dard. By specifically requiring
that the auditor document this
consideration, the auditor is con-
fronted with a mandate to specif-
ically and consciously assess the
impact of these risk factors in
order to comply with the docu-
mentation requirements.
Additionally, SAS No. 82
specified that whenever the audi-
tor has determined that there is
evidence that a fraud may exist,
the auditor will need to bring that
matter to the attention of appro-
priate levels of management.
Fraud involving senior manage-
ment or fraud that causes a mate-
rial misstatement in finan-
cial statements should be
reported directly to the
audit committee or others
with equivalent authority
and responsibility.
Categories of Fraud
Although fraud is a
broad legal concept, the auditor’s
interest specifically relates to
fraudulent acts that cause a mate-
rial misstatement in the financial
statements. The primary factor
that distinguishes fraud from an
error is whether the underlying
action that results in the misstate-
ment in financial statements is
intentional or unintentional. As
noted earlier, two types of fraud
are relevant to the auditor’s con-
sideration in a financial state-
ment audit: (1) fraudulent finan-
cial reporting and (2)
misappropriation of assets.
(1) Fraudulent financial report-
ing refers to intentional
misstatements or omissions
of amounts or disclosures
in financial statements.
Fraudulent financial report-
ing may involve acts such
as the following:
© 2002 Wiley Periodicals, Inc.
May/June 2002
(a) Manipulation, falsifica-
tion, or alteration of
accounting records or
supporting documents
from which financial
statements are prepared.
(b) Misrepresentation in, or
intentional omission
from, the financial state-
ments of events, transac-
tions, or other signifi-
cant information.
(c) Intentional misapplica-
tion of accounting prin-
ciples relating to
amounts, classification,
manner of presentation,
or disclosure.
(2) Misappropriation of assets
(also referred to as
defalcation) involves
the theft of an entity’s
assets. Misappropria-
tion can be accom-
plished in various ways,
including embezzling
receipts, stealing or
misusing assets, or caus-
ing an entity to pay for goods
or services not received.
Misappropriation of assets
may be accompanied by false
or misleading records or doc-
uments and may involve one
or more individuals among
management, employees, or
third parties.
Risk factors that relate to
fraudulent financial reporting may
be grouped into three categories:
(1) Management Characteristics.
These pertain to manage-
ment’s abilities, pressures,
style, and attitude relating to
internal control and the
financial reporting process.
(2) Industry Conditions. These
involve the economic and
regulatory environment in
which the entity operates.
(3) Operating Characteristics
and Financial Stability.
© 2002 Wiley Periodicals, Inc.
These pertain to the nature
and complexity of the entity
and its transactions, the enti-
ty’s financial condition, and
its profitability.
Risk factors that relate to
misappropriation of assets may
be grouped into three categories:
(1) Susceptibility of Assets to
Misappropriation. These
pertain to the nature of an
entity’s assets and the degree
to which they are subject to
theft (in effect, this should
be addressed in the auditor’s
assessment of inherent risk).
It is in the evaluation of controls
where fraud detection and technology
often can be on a collisions course.
(2) Employee Relationships or
Pressures. While the auditor
currently is not specifically
required to investigate these
risk factors, the auditor
should, nonetheless, be alert
to the possibility of such risk
factors and, if identified,
investigate. These pertain to
the extent of financial stress
among employees and
whether there are adverse
relationships between
employees and the entity,
especially employees that
have access to assets suscep-
tible to misappropriation.
(3) Controls. These involve the
lack of controls designed to
prevent or detect misappro-
priations of assets.
It is in the evaluation of controls
where fraud detection and tech-
nology often can be on a colli-
sions course.
19
TECHNOLOGY
CONSIDERATIONS IN AN AUDIT
Because technology is
becoming more and more inte-
gral to business processes, it is
becoming increasing difficult for
auditors to rely on traditional
(paper) audit evidence in obtain-
ing sufficient and competent evi-
dential matter. In recognition of
this and to provide additional
guidance to auditors, in May
2001 the ASB issued SAS No.
94, The Effect of Information
Technology on the Auditor’s
Consideration of Internal Con-
trol in a Financial Statement
Audit. SAS No. 94 amended the
guidance in SAS No. 55,
Consideration of Internal
Control in a Financial
Statement Audit, as previ-
ously amended by SAS
No. 78, Consideration of
Internal Control in a
Financial Statement Audit:
An Amendment to State-
ment on Auditing Standards No.
55. Specifically, SAS No. 94
provides guidance to auditors
about the effect of information
technology (IT) on internal con-
trols, and on the auditor’s under-
standing of internal controls,
including the required assess-
ment of control risk.
The attributes of audit evi-
dence (paper versus electronic)
are the following:
• Difficulty of alteration. Easi-
ly altered evidence lacks
credibility and has reduced
value to the auditor. Paper
evidence is difficult to alter
without detection. An auditor
has a reasonable likelihood
of detecting significant alter-
ations that have been made
to paper documents. This
quality provides auditors
with some assurance that the
evidence represents original
20
information. However, alter-
ations due to the operation of
a “system” may not be
detected, unless specifically
designed tests are performed.
• Prima facie credibility. Cred-
ibility is enhanced when the
source of the evidence is
independent in relation to the
client and the auditor has the
ability to corroborate that
evidence. Paper documents
(e.g., incoming purchase
orders) usually have a high
degree of credibility. Howev-
er, a purchase order transmit-
ted electronically from a cus-
tomer derives its credibility
primarily from the controls
within the electronic
environment. A fraudu-
lent or altered electron-
ic purchase order
exhibits no apparent
difference, compared
to a valid purchase
order, when extracted
from the electronic
environment of the entity.
• Completeness of documents.
Competent evidence includes
the essential terms of a trans-
action so that an auditor can
verify the validity of the
transaction. Paper evidence
typically includes all of the
essential terms of a transac-
tion. Paper evidence also
includes information regard-
ing other parties to the trans-
action (e.g., customer name
and address, or preferred
shipping methods) on the
face of the document. Work
on the completeness assertion
for paper documents often
includes review of acknowl-
edgments of data entry and
postings. An electronic envi-
ronment may mask this evi-
dence with codes or by cross- to assess control risk below the
references to other data files
that may not be visible to the ments. To the extent that the
users of the data.
The Journal of Corporate Accounting & Finance
• Evidence of approvals.
Approvals integrated into
the evidence add to the
completeness of the evi-
dence. Paper documents typ-
ically show approvals on
their face. For example,
incoming purchase orders
may have marketing depart-
ment price approvals and
credit department approvals
written on the face of each
original document. The
same treatment may apply to
electronic approvals by inte-
grating approvals into the
electronic record. Electronic
elements may require addi-
tional interpretation.
SAS No. 94 does not mandate that
the auditor must be able to assess
control risk below the maximum level
in all IT environments.
• Ease of use. This factor
relates to evaluating and
understanding evidence.
Auditors use traditional
paper evidence without addi-
tional tools or expert analy-
sis. Electronic evidence often
requires extraction of the
desired data by an auditor
knowledgeable in electronic
data extraction techniques or
through use of a specialist.
• Clarity. Competent evidence
should allow the same con-
clusions to be drawn by dif-
ferent auditors performing
the same tasks. The nature of
electronic evidence is not
always clear.
SAS No. 94 does not man-
date that the auditor must be able
maximum level in all IT environ-
auditor believes that assessing
control risk at the maximum
level and performing a substan-
tive audit would be an effective
approach, the auditor can do so.
However, the auditor needs to be
aware that in many IT environ-
ments, because audit evidence
does not exist outside the IT
environment, such an approach
might not result in an effective
audit. Furthermore, even when
the auditor has obtained eviden-
tial matter that allows for an
assessment of control risk below
the maximum level, there will
still be a need to perform sub-
stantive tests on significant
amounts. Stated differently, an
audit involves both an assess-
ment of control risk and the
design, performance, and
evaluation of substantive
tests to reduce audit risk to
an acceptably low level.
Remember, of course, that a
part of the auditor’s assess-
ment of audit risk is the risk
of fraud that could material-
ly affect the financial statements.
Concept of Internal Control
The auditor is required in all
audits to obtain an understanding
of internal control sufficient to
plan the audit. As such, the audi-
tor will need to perform proce-
dures that will aid in an under-
standing of the design of controls
that are relevant to financial
statement assertions and to deter-
mine whether the controls have
been placed in operation. To
obtain this understanding, the
auditor will need to consider how
the entity uses IT, manual proce-
dures, and other processes and
how those processes affect the
controls that are relevant to the
audit. Importantly, SAS No. 94
notes that in an IT environment,
it may not be practical or even
possible to reduce audit risk to
an acceptably low level through
© 2002 Wiley Periodicals, Inc.
May/June 2002
the use of substantive testing
only. That is, in many IT situa-
tions, it will be an absolute
necessity that the auditor obtain
evidence that allows for control
risk to be assessed at a level
below the maximum level. Stated
differently, there are many times
in a complex IT environment
where tests of controls will be
mandatory for the auditor.
When the ASB issued SAS
No. 78, it incorporated a “COSO
model” approach to the defini-
tion of internal controls. It
described internal controls as a
process that is effected by the
entity’s board of directors, man-
agement, and other personnel
and that is designed to pro-
vide reasonable assurance
of the achievement of
objectives regarding (a)
reliability of financial
reporting, (b) effectiveness
and efficiency of opera-
tions, and (c) compliance
with applicable laws and
regulations. Additionally,
internal control over safe-
guarding of asserts against
unauthorized acquisition,
use, or disposition often
will include controls relating to
financial reporting and opera-
tions objectives. Furthermore,
internal control is defined as
consisting of five interrelated
components: (a) control environ-
ment, (b) risk assessment, (c)
control activities, (d) informa-
tion and communication, and (e)
monitoring. Importantly, auditors
must also understand that these
five components of internal con-
trol interact with the three objec-
tives of internal control.
Effects of IT on Internal
Control and Audit Process
Because the use of IT is so
extensive in today’s business
world, SAS No. 94 asserts that
© 2002 Wiley Periodicals, Inc.
auditors may need to consider
the implications of IT in evaluat-
ing any of the five components
of internal control as they relate
to the achievement of the entity’s
objectives. For example, in
today’s business world, it is not
uncommon to find entities that
have complex, highly integrated
IT systems that share data and
that are used to support all
aspects of the entity’s financial
reporting, operations, and com-
pliance objectives. As ERP
(enterprise resource planning)
systems become more compre-
hensive and more widely in use,
this issue becomes more and
Moving from paper-based systems
that rely primarily on manual con-
trols to electronic systems using a
combination of manual and automat-
ed controls often changes the funda-
mental manner in which transactions
are initiated, recorded, processed,
and reported.
more prevalent—even for small-
er and midsized entities.
Moving from paper-based
systems that rely primarily on
manual controls to electronic
systems using a combination of
manual and automated controls
often changes the fundamental
manner in which transactions
are initiated, recorded,
processed, and reported. In a
manual system, an entity uses
manual procedures and records
in paper format (for example, to
enter sales orders, authorize
credit, prepare shipping reports
and invoices, and maintain
accounts receivable records).
Controls in a “traditional” sys-
tem also are manual, and may
include procedures such as
21
approvals and reviews of activi-
ties, and reconciliations and fol-
low-up of reconciling items.
Alternatively, an entity may
have complex IT systems that
use automated procedures to ini-
tiate, record, process, and report
transactions, in which case
records in electronic format
replace paper documents such as
purchase orders, invoices, and
shipping documents. Controls in
systems that use IT consist of a
combination of automated con-
trols (for example, controls
embedded in computer pro-
grams) and manual controls. Fur-
ther, manual controls may be
independent of the IT system and
may use information pro-
duced by the IT system, or
may be limited to monitor-
ing the effective function-
ing of the system and the
automated controls and
handling exceptions. An
entity’s mix of manual and
automated controls varies
with the nature and com-
plexity of the entity’s use of
IT. As with all changes in
an entity’s systems, there
are both benefits and risks
that the auditor must deal with.
It is important that the audi-
tor remember that internal con-
trol can provide only reasonable
assurance regarding the achieve-
ment of an entity’s control objec-
tives. As a consequence, it is
necessary for the auditor to per-
form substantive tests in addition
to an evaluation of controls
(which, often, will include the
tests of controls).
WHAT DOES THE FUTURE
HOLD?
By now, two things should
be clear. First, there is a signifi-
cant body of audit literature that
attempts to provide guidance to
auditors as they carry out their
22
responsibilities to evaluate the
appropriateness of a company’s
financial reporting practice. Sec-
ond, the guidance is not enough!
In spite of all the guidance, we
continue to see the headlines
filled with discussion about the
latest financial fraud.
It also should now be clear
that auditors will find it neces-
sary in certain engagements to
conduct fraud investigations. The
major problem is that there is no
specific guidance in the audit lit-
erature to help the auditors in
their determination as to when to
apply additional procedures to
detect fraud and what type of
procedures to apply. Further-
more, there is the issue of the
cost and benefit of these addi-
tional tests. If auditors are to be
the “fraud police,” it will be nec-
essary to expand the scope of
audits. This will mean, of
course, that someone will have
to bear the increased costs asso-
ciated with the audit process.
Therein lies one of the major
concerns: Who will bear the
cost? Will companies be
required to pay significantly
more for their audits? Or will
audit firms be required to absorb
Paul Munter, Ph.D., CPA, is a KPMG Peat Marwick Professor of Accounting at the University of Miami. He
is editor-in-chief of The Journal of Corporate Accounting & Finance.
The Journal of Corporate Accounting & Finance
much of these costs? That issue
really gets to the heart of the
pricing strategy of audits. Over
the past several years, many
audit firms have been willing to
use the audit as a “loss leader”
to get a foot in the door so that
other, potentially more lucrative,
services can be sold to the client.
If the auditor is to take on
greater responsibility for detec-
tion of fraud in an audit, that also
means accepting greater risk.
From an economic perspective, if
audit firms are to survive, they
must begin to price audits in
more realistic ways. This will
mean that companies may have to
expect increases in the amounts
charged by their auditors.
Thus, changes we can expect
to see in the near future are the
following:
• Changes in audit standards
requiring certain “fraud
detection” procedures to be
performed in virtually every
audit—the ASB currently
has this topic on its agenda
and it is likely that a new
SAS containing these
requirements will be issued
before year-end.
• Changes in audit pricing so
that the amount charged for
the audit is more reflective
of the auditor’s responsibili-
ties and risk.
• Changes in the personnel on
the audit engagement per-
forming key procedures—
particularly in fraud-sensi-
tive aspects of the audit. This
will require more experi-
enced, higher-level involve-
ment by partners and man-
agers in the audit.
Investors in public compa-
nies currently receive informa-
tion in the company’s proxy
statement indicating the amount
being paid to the audit firm for
audit services and for other serv-
ices. Ultimately, it is up to
investors to make the determina-
tion whether the costs of these
additional procedures (and the
protection they can potentially
bring to investors) are worth-
while in terms of the potential
benefits that investors will derive
from the additional comfort they
have in receiving financial state-
ments that truly reflect the enti-
ty’s financial position, results of
operations, and its cash flows.
© 2002 Wiley Periodicals, Inc.