. 65
( 82 .)


Ibid., pp. 17“19.
328 A Perspective on Fraud and the Auditor

Opportunities for fraudulent financial reporting are present when the fraud is easier to
commit and when detection is less likely. Frequently these opportunities arise from:
The absence of a board of directors or audit committee that vigilantly oversees
the financial reporting process.
Weak or nonexistent internal accounting controls. This situation can occur, for
example, when a company™s revenue system is overloaded from a rapid expan-
sion of sales, an acquisition of a new division, or the entry into a new, unfamiliar
line of business.
Unusual or complex transactions. Examples include the consolidation of two
companies, the divestiture or closing of a specific operation, and agreements to
buy or sell government securities under a repurchase agreement.
Accounting estimates requiring significant subjective judgment by company man-
agement. Examples include reserves for loan losses and the yearly provision for
warranty expense.
Ineffective internal audit staffs. This situation may result from inadequate staff
size and severely limited audit scope.
A weak corporate ethical climate exacerbates these situations. Opportunities for
fraudulent financial reporting also increase dramatically when the accounting princi-
ples for transactions are nonexistent, evolving, or subject to varying interpretations.12

The rationale for management fraud is based on the various pressures that em-
anate from the internal and external environment of the corporation. Moreover,
such frauds are augmented by the economic motives of the perpetrator as well as
the organizational structure of the entity.

Computer Fraud
In addition to management fraud, computer fraud has been a major constant prob-
lem of the business community. In 1987, the National Commission on Fraudulent
Financial Reporting concluded:

The increasing power and sophistication of computers and computer-based infor-
mation systems may contribute even more to the changing nature of fraudulent fi-
nancial reporting. The last decade has seen the decentralization and the proliferation
of computers and information systems into almost every part of the company. This

National Commission on Fraudulent Financial Reporting, Report of the National Commission on
Fraudulent Financial Reporting, pp. 23“24. For a good discussion, see James D. Stice, W. Steve Al-
brecht, and Leslie M. Brown, “Lessons to be Learned”ZZZZ Best, Regina, and Lincoln Savings,”
CPA Journal 61, No. 4 (April 1991), pp. 52“53. A recent study of 75 fraud and 75 no-fraud firms
noted that no-fraud firms with outside members on the board of directors significantly reduce the like-
lihood of financial statement fraud. See Mark S. Beasley, “An Empirical Analysis of the Relation be-
tween the Board of Director Composition and Financial Statement Fraud,” Accounting Review 71, No.
4 (October 1996), pp. 443“465. For additional reading, see a Best Practices Council of the National
Association of Corporate Directors report, Coping with Fraud and Other Illegal Activity (Washington,
D.C.: National Association of Corporate Directors, 1998); Mark S. Beasley, Joseph V. Carcello, and
Dana R. Hermanson, Fraudulent Financial Reporting: 1987“1997 An Analysis of U.S. Public Compa-
nies (New York: COSO of the Treadway Commission, 1999).
The External Auditor™s Responsibility 329

development has enabled management to make decisions more quickly and on the
basis of more timely and accurate information. Yet by doing what they do best”
placing vast quantities of data within easy reach”computers multiply the potential
for misusing or manipulating information, increasing the risk of fraudulent financial

As defined by Brandt Allen:

Computer fraud is . . . any defalcation or embezzlement accomplished by tampering
with computer programs, data files, operations, equipment or media and resulting in
losses sustained by the organization whose computer system was manipulated.14

For an expanded discussion of computer fraud, see The Computer and Internet
Fraud Manual published by the Association of Certified Fraud Examiners.

An Overview15
As discussed in Chapter 6 dealing with audit planning, the Auditing Standards
Board of the AICPA issued a standard that requires independent auditors to assess
the risk of materially misstated financial statements due to fraud.
The AICPA™s new fraud standard (SAS No. 99, “Consideration of Fraud in a
Financial Statement Audit,” effective for audits beginning on or after December
15, 2002, supersedes the previous SAS No. 82 fraud standard) will have new
implications for audit committees. Although the new fraud standard provides ex-
ternal auditors with revised and expanded guidelines on consideration of fraud
during an audit engagement, their responsibility to plan and perform the audit
to obtain reasonable assurance about whether the financial statements are free
of material misstatements, whether caused by error or fraud, has not changed.
However, external auditors are required to give consideration of fraud throughout
the audit and place increased emphasis on the need for heightened professional
SAS No. 99 retains the two types of fraud as noted in SAS No. 82: (1) fraud-
ulent financial reporting, involving intentional material misstatements or omis-
sions of material amounts or disclosures in the financial statements, and (2)
misappropriation of assets, involving the theft of an entity™s assets.

National Commission on Fraudulent Financial Reporting, Report of the National Commission on
Fraudulent Financial Reporting, p. 28. The reader may wish to review the Equity Funding Corpora-
tion of America case, which illustrates the use of computers to create fictitious insurance policies and,
in turn, overstate assets by more than $120 million and overstate the corporation™s earnings. See
United States v. Weiner, 578 F. 2d 757 (9th Cir.), cert. denied, 439 U.S. 981 (1978).
Brandt Allen, “The Biggest Computer Frauds: Lessons for CPA™s,” Journal of Accountancy 143, No.
5 (May 1977), 52.
In addition to the external auditor™s role and responsibility for detecting fraud and illegal acts, the
reader may wish to consult other auditing standards with respect to the internal auditor, fraud exam-
iner, and government auditors. See the bibliography for the applicable reference.
330 A Perspective on Fraud and the Auditor

The new standard requires the external auditors to identify and document fraud
risks rather than fraud risk factors (e.g., risk of misappropriation of inventory).
Additionally, the news standard renames the categories of fraud risk factors:
(1) incentive/pressure, (2) opportunity, and (3) attitudes/rationalization. (For addi-
tional information, see appendix to SAS No. 99 as well as Chapter 6.)
SAS No. 99 establishes the following process to address the potential for in-
tentional material misstatements in the financial statements. The standard requires
the auditors to:

• Gather information necessary to identify the risks of material misstatements
• Identify risks of material misstatements
• Assess identified risks
• Respond to the results of the assessment
• Evaluate audit evidence
• Communicate fraud to interested parties
Document the auditors™ consideration of fraud16

With respect to the effect of fraud on the auditor™s report, the Board states:

The auditor should evaluate whether identified risks of material misstatement due to
fraud can be related to specific financial-statement account balances or classes of
transactions and related assertions, or whether they relate more pervasively to the fi-
nancial statements as a whole. Relating the risks of material misstatement due to
fraud to the individual accounts, classes of transactions, and assertions will assist the
auditor in subsequently designing appropriate auditing procedures.
Certain accounts, classes of transactions, and assertions that have high inherent risk
because they involve a high degree of management judgment and subjectivity also
may present risks of material misstatement due to fraud because they are susceptible
to manipulation by management. For example, liabilities resulting from a restruc-
turing may be deemed to have high inherent risk because of the high degree of sub-
jectivity and management judgment involved in their estimation. Similarly, revenues
for software developers may be deemed to have high inherent risk because of the
complex accounting principles applicable to the recognition and measurement of
software revenue transactions. Assets resulting from investing activities may be
deemed to have high inherent risk because of the subjectivity and management judg-
ment involved in estimating fair values of those investments.
In summary, the identification of a risk of material misstatement due to fraud in-
volves the application of professional judgment and includes the consideration of the
attributes of the risk, including:
• The type of risk that may exist, that is, whether it involves fraudulent financial re-
porting or misappropriation of assets

Statement on Auditing Standards No. 99, “Consideration of Fraud in a Financial Statement Audit,”
par. 2. For further reference, see Douglas R. Carmichael, “The Auditor™s New Guide to Errors, Irregu-
larities and Illegal Acts,” Journal of Accountancy 166, No. 3 (September 1988), pp. 40“48.
The External Auditor™s Responsibility 331

• The significance of the risk, that is, whether it is of a magnitude that could lead
to result in a possible material misstatement of the financial statements
• The likelihood of the risk, that is, the likelihood that it will result in a material
misstatement in the financial statementsa
• The pervasiveness of the risk, that is, whether the potential risk is pervasive to the
financial statements as a whole or specifically related to a particular assertion, ac-
count, or class of transactions.17

The occurrence of material misstatements of financial statements due to fraud is relatively infrequent
in relation to the total population of published financial statements. However, the auditor should not
use this as a basis to conclude that one or more risks of a material misstatement due to fraud are not
present in a particular entity.

Finally, the external auditor has a responsibility to communicate fraud to the
audit committee or board of directors. More specifically:

Whenever the auditor has determined that there is evidence that fraud may exist, that
matter should be brought to the attention of an appropriate level of management.
This is appropriate even if the matter might be considered inconsequential, such as
a minor defalcation by an employee at a low level in the entity™s organization. Fraud
involving senior management and fraud (whether caused by senior management or
other employees) that causes a material misstatement of the financial statements
should be reported directly to the audit committee. In addition, the auditor should
reach an understanding with the audit committee regarding the nature and extent of
communications with the committee about misappropriations perpetrated by lower-
level employees.
If the auditor, as a result of the assessment of the risks of material misstatement,
has identified risks of material misstatement due to fraud that have continuing con-
trol implications (whether or not transactions or adjustments that could be the result
of fraud have been detected), the auditor should consider whether these risks repre-
sent reportable conditions relating to the entity™s internal control that should be com-
municated to senior management and the audit committee. (See SAS No. 60,
Communication of Internal Control Related Matters Noted in an Audit {AICPA,
Professional Standards, vol. 1, AU sec. 325.04]). The auditor also should consider
whether the absence of or deficiencies in programs and controls to mitigate specific
risks of fraud or to otherwise help prevent, deter, and detect fraud represent re-
portable conditions that should be communicated to senior management and the
audit committee.
The auditor also may wish to communicate other risks of fraud identified as a re-
sult of the assessment of the risks of material misstatements due to fraud. Such a
communication may be a part of an overall communication to the audit committee of
business and financial statement risks affecting the entity and/or in conjunction with
the auditor communication about the quality of the entity™s accounting principles
(see SAS No. 61, AU sec. 380.11).
The disclosure of possible fraud to parties other than the client™s senior manage-
ment and its audit committee ordinarily is not part of the auditor™s responsibility
and ordinarily would be precluded by the auditor™s ethical or legal obligations of

Ibid., pars. 38, 39, 40.
332 A Perspective on Fraud and the Auditor

confidentiality unless the matter is reflected in the auditor™s report. The auditor
should recognize, however, that in the following circumstances a duty to disclose to
parties outside the entity may exist:
a. To comply with certain legal and regulatory requirementsa
b. To a successor auditor when the successor makes inquiries in accordance with
SAS No. 84, Communications Between Predecessor and Successor Auditorsb
(AICPA, Professional Standards, vol. 1, AU sec. 315)
c. In response to a subpoena
d. To a funding agency or other specified agency in accordance with requirements
for the auditors of entities that receive governmental financial assistancec
Because potential conflicts between the auditor™s ethical and legal obligations for
confidentiality of client matters may be complex, the auditor may wish to consult
with legal counsel before discussing matters covered by paragraphs 79 through 81
with parties outside the client.18

These requirements include reports in connection with the termination of the engagement, such as
when the entity reports an auditor change on Form 8-K and the fraud or related risk factors constitute
a reportable event or is the source of a disagreement, as these terms are defined in Item 304 of Reg-
ulation S-K. These requirements also include reports that may be required, under certain circum-
stances, pursuant to Section 10A(b)1 of the Securities Exchange Act of 1934 relating to an illegal act
that has a material effect on the financial statements.
SAS No. 84 requires the specific permission of the client.
For example, Government Auditing Standards (the Yellow Book) require auditors to report fraud or
illegal acts directly to parties outside the audited entity in certain circumstances.

In addition to fraud in a financial statement audit, the external auditor has a re-
sponsibility for detecting illegal acts by client companies. As defined by the Au-
diting Standards Board:

The term illegal acts, for purposes of this Statement, refers to violations of laws or
governmental regulations. Illegal acts by clients are acts attributable to the entity
whose financial statements are under audit or acts by management or employees act-
ing on behalf of the entity. Illegal acts by clients do not include personal misconduct
by the entity™s personnel unrelated to their business activities.19

Although the external auditor may recognize that the client has committed an il-
legal act, the determination of whether the act is illegal is dependent on legal judg-
ment. Therefore, the auditor would consult with legal counsel or await a court
ruling, depending on the circumstances.
In view of the fact that illegal acts vary in their relation to the financial state-
ments, the Auditing Standards Board makes this distinction between direct and in-
direct effects:

The auditor considers laws and regulations that are generally recognized by auditors
to have a direct and material effect on the determination of financial statement


. 65
( 82 .)