Escolar Documentos
Profissional Documentos
Cultura Documentos
at r
ticl
u
e
fe
T
here’s Cendant, the course of an audit
McKesson/ Enron is only the latest of a growing list of frauds is found in SAS No.
HBOC, Waste that went undetected for years. Even if your audi- 82, Consideration of
Management, Sun- tor is honest, the widespread use of technology Fraud in a Financial
beam, and now, of makes it tougher for him to find the crime—and Statement Audit,
course, Enron. The make the bad guys do the time. But what do you which was issued in
one thing that can be have a right to expect from your auditor? February 1997. SAS
said with virtual cer- © 2002 Wiley Periodicals, Inc.
No. 82 specifically
tainty is that these sub- addressed the issue of
stantial frauds will not fraud for the first time
be the last ones played in the audit literature
on the investing public. Is there Of course, part of the prob- and provided guidance to the
any wonder that investors con- lem relates to the understanding auditor in discharging the
tinue to expect that auditors will of the auditor’s current respon- responsibilities to consider
detect fraud in the process of sibilities for the detection of fraud in a financial statement
auditing and certifying the com- fraud. Another piece of the puz- audit. SAS No. 82 was an
panies’ financial statements? zle is the widespread use of attempt to clarify the auditor’s
And yet, in each of these technology that can make it responsibility to plan and per-
cases, the frauds went on for even more difficult for the form the audit to obtain reason-
years either without the knowl- auditor to detect a fraud able assurance about whether
edge of the auditor or, in the scheme. In this article, we will the financial statements are free
opinion of some, the participa- examine the auditor’s current from material misstatement,
tion or willful disregard by the responsibilities for detection of whether caused by error or
auditors. Prompted by cases fraud as well as the auditor’s fraud. Additionally, SAS No. 82
such as these, as well as the rec- responsibilities for understand- provided more guidance on the
ommendations of the O’Malley ing the impact of technology on standard of due professional
Panel, the Auditing Standards the company’s financial report- care in the performance of
Board (ASB) of the American ing practices. work, including the need to
Institute of Certified Public exercise professional skepti-
Accountants (AICPA) is current- AUDITOR’S RESPONSIBILITY cism, and the concept of “rea-
ly working on revisions to the FOR DETECTION OF FRAUD IN sonable assurance.” Additional-
audit literature that would AN AUDIT ly, the ASB concluded that a
increase the auditor’s responsi- specific assessment of the risk
bilities related to fraud detection The current guidance to of fraud is needed to add assur-
and reporting in the conduct of auditors on the responsibility ance that the responsibility of
an audit. for the detection of fraud during the auditor regarding detection
of material misstatement due to statement due to fraud is cumu- those risk factors. These consid-
fraud is appropriately addressed. lative and ongoing. erations are central to the stan-
The auditor’s response to dard. By specifically requiring
Consideration of Fraud Risk the risk assessment associated that the auditor document this
Factors with any potential fraud is consideration, the auditor is con-
influenced largely by the degree fronted with a mandate to specif-
Under the current audit litera- of risk assessed. Thus, the audi- ically and consciously assess the
ture, the auditor is required, in tor should consider whether impact of these risk factors in
every audit, to assess the risk of there is a need for an overall order to comply with the docu-
material misstatement due to response, one that is specific to mentation requirements.
fraud by considering whether risk a particular account balance, Additionally, SAS No. 82
factors exist that might indicate class of transactions or asser- specified that whenever the audi-
the existence of fraud. SAS No. tion, or both. Another shortfall tor has determined that there is
82 requires auditors to consider of SAS No. 82 is that it indi- evidence that a fraud may exist,
two types of fraud risk factors: (1) cates that in some cases when the auditor will need to bring that
factors relating to fraudulent fraud risk factors are present, matter to the attention of appro-
financial reporting and (2) factors there may be no need to modify priate levels of management.
relating to any misappropriation procedures. In other cases, SAS Fraud involving senior manage-
of assets. SAS No. 82 acknowl- No. 82 indicates that proce- ment or fraud that causes a mate-
edges the need for auditors rial misstatement in finan-
to use professional judg- …SAS No. 82 does not require cial statements should be
ment when assessing the reported directly to the
significance of risk factors auditors to consider any particular audit committee or others
and determining the appro- fraud risk factors nor does it require with equivalent authority
priate audit response; how- and responsibility.
ever, SAS No. 82 includes
the auditor to conduct any forensic
guidance to help the auditor or other fraud detection tests. Categories of Fraud
in his/her consideration of
those risk factors that are Although fraud is a
determined to be present. An dures may need to be modified broad legal concept, the auditor’s
important issue, and part of the or the auditor may even need to interest specifically relates to
reason why the ASB is now resign from the engagement. fraudulent acts that cause a mate-
reconsidering the auditor’s respon- While the standard provides rial misstatement in the financial
sibility for the detection of fraud, guidance for an overall consid- statements. The primary factor
is that SAS No. 82 does not eration and for specific consid- that distinguishes fraud from an
require auditors to consider any erations at the account balance, error is whether the underlying
particular fraud risk factors nor class of transactions, and asser- action that results in the misstate-
does it require the auditor to con- tion level, it falls short of pro- ment in financial statements is
duct any forensic or other fraud viding specific guidance or intentional or unintentional. As
detection tests. Rather, SAS No. establishing specific audit pro- noted earlier, two types of fraud
82 provides examples of fraud cedures that are required. are relevant to the auditor’s con-
risk factors that auditors should An important part of SAS sideration in a financial state-
consider in planning the audit. No. 82 is the documentation of ment audit: (1) fraudulent finan-
Fraud risk factors and other the assessment process that is cial reporting and (2)
considerations may come to the needed. Specifically, the auditor misappropriation of assets.
auditor’s attention while per- should document evidence of the
forming procedures relating to performance of the assessment, (1) Fraudulent financial report-
client acceptance and continu- how fraud risk factors and other ing refers to intentional
ance, during engagement plan- conditions were considered, the misstatements or omissions
ning, or during the process of fraud risk factors that the auditor of amounts or disclosures
understanding an entity’s internal believes (individually or in com- in financial statements.
control, or while conducting bination) significantly affect the Fraudulent financial report-
fieldwork. As such, the assess- risk of material misstatement, ing may involve acts such
ment of risk of material mis- and the auditor’s response to as the following:
the use of substantive testing auditors may need to consider approvals and reviews of activi-
only. That is, in many IT situa- the implications of IT in evaluat- ties, and reconciliations and fol-
tions, it will be an absolute ing any of the five components low-up of reconciling items.
necessity that the auditor obtain of internal control as they relate Alternatively, an entity may
evidence that allows for control to the achievement of the entity’s have complex IT systems that
risk to be assessed at a level objectives. For example, in use automated procedures to ini-
below the maximum level. Stated today’s business world, it is not tiate, record, process, and report
differently, there are many times uncommon to find entities that transactions, in which case
in a complex IT environment have complex, highly integrated records in electronic format
where tests of controls will be IT systems that share data and replace paper documents such as
mandatory for the auditor. that are used to support all purchase orders, invoices, and
When the ASB issued SAS aspects of the entity’s financial shipping documents. Controls in
No. 78, it incorporated a “COSO reporting, operations, and com- systems that use IT consist of a
model” approach to the defini- pliance objectives. As ERP combination of automated con-
tion of internal controls. It (enterprise resource planning) trols (for example, controls
described internal controls as a systems become more compre- embedded in computer pro-
process that is effected by the hensive and more widely in use, grams) and manual controls. Fur-
entity’s board of directors, man- this issue becomes more and ther, manual controls may be
agement, and other personnel independent of the IT system and
and that is designed to pro- may use information pro-
vide reasonable assurance Moving from paper-based systems duced by the IT system, or
of the achievement of may be limited to monitor-
objectives regarding (a) that rely primarily on manual con- ing the effective function-
reliability of financial trols to electronic systems using a ing of the system and the
reporting, (b) effectiveness combination of manual and automat- automated controls and
and efficiency of opera- handling exceptions. An
tions, and (c) compliance ed controls often changes the funda- entity’s mix of manual and
with applicable laws and mental manner in which transactions automated controls varies
regulations. Additionally, with the nature and com-
internal control over safe- are initiated, recorded, processed, plexity of the entity’s use of
guarding of asserts against and reported. IT. As with all changes in
unauthorized acquisition, an entity’s systems, there
use, or disposition often are both benefits and risks
will include controls relating to more prevalent—even for small- that the auditor must deal with.
financial reporting and opera- er and midsized entities. It is important that the audi-
tions objectives. Furthermore, Moving from paper-based tor remember that internal con-
internal control is defined as systems that rely primarily on trol can provide only reasonable
consisting of five interrelated manual controls to electronic assurance regarding the achieve-
components: (a) control environ- systems using a combination of ment of an entity’s control objec-
ment, (b) risk assessment, (c) manual and automated controls tives. As a consequence, it is
control activities, (d) informa- often changes the fundamental necessary for the auditor to per-
tion and communication, and (e) manner in which transactions form substantive tests in addition
monitoring. Importantly, auditors are initiated, recorded, to an evaluation of controls
must also understand that these processed, and reported. In a (which, often, will include the
five components of internal con- manual system, an entity uses tests of controls).
trol interact with the three objec- manual procedures and records
tives of internal control. in paper format (for example, to WHAT DOES THE FUTURE
enter sales orders, authorize HOLD?
Effects of IT on Internal credit, prepare shipping reports
Control and Audit Process and invoices, and maintain By now, two things should
accounts receivable records). be clear. First, there is a signifi-
Because the use of IT is so Controls in a “traditional” sys- cant body of audit literature that
extensive in today’s business tem also are manual, and may attempts to provide guidance to
world, SAS No. 94 asserts that include procedures such as auditors as they carry out their
responsibilities to evaluate the much of these costs? That issue • Changes in audit pricing so
appropriateness of a company’s really gets to the heart of the that the amount charged for
financial reporting practice. Sec- pricing strategy of audits. Over the audit is more reflective
ond, the guidance is not enough! the past several years, many of the auditor’s responsibili-
In spite of all the guidance, we audit firms have been willing to ties and risk.
continue to see the headlines use the audit as a “loss leader” • Changes in the personnel on
filled with discussion about the to get a foot in the door so that the audit engagement per-
latest financial fraud. other, potentially more lucrative, forming key procedures—
It also should now be clear services can be sold to the client. particularly in fraud-sensi-
that auditors will find it neces- If the auditor is to take on tive aspects of the audit. This
sary in certain engagements to greater responsibility for detec- will require more experi-
conduct fraud investigations. The tion of fraud in an audit, that also enced, higher-level involve-
major problem is that there is no means accepting greater risk. ment by partners and man-
specific guidance in the audit lit- From an economic perspective, if agers in the audit.
erature to help the auditors in audit firms are to survive, they
their determination as to when to must begin to price audits in Investors in public compa-
apply additional procedures to more realistic ways. This will nies currently receive informa-
detect fraud and what type of mean that companies may have to tion in the company’s proxy
procedures to apply. Further- expect increases in the amounts statement indicating the amount
more, there is the issue of the charged by their auditors. being paid to the audit firm for
cost and benefit of these addi- Thus, changes we can expect audit services and for other serv-
tional tests. If auditors are to be to see in the near future are the ices. Ultimately, it is up to
the “fraud police,” it will be nec- following: investors to make the determina-
essary to expand the scope of tion whether the costs of these
audits. This will mean, of • Changes in audit standards additional procedures (and the
course, that someone will have requiring certain “fraud protection they can potentially
to bear the increased costs asso- detection” procedures to be bring to investors) are worth-
ciated with the audit process. performed in virtually every while in terms of the potential
Therein lies one of the major audit—the ASB currently benefits that investors will derive
concerns: Who will bear the has this topic on its agenda from the additional comfort they
cost? Will companies be and it is likely that a new have in receiving financial state-
required to pay significantly SAS containing these ments that truly reflect the enti-
more for their audits? Or will requirements will be issued ty’s financial position, results of
audit firms be required to absorb before year-end. operations, and its cash flows.
Paul Munter, Ph.D., CPA, is a KPMG Peat Marwick Professor of Accounting at the University of Miami. He
is editor-in-chief of The Journal of Corporate Accounting & Finance.