. 67
( 82 .)


However, the audit committee may wish to engage special investigators and/or ex-
ternal auditors whereby both groups will coordinate their efforts with the internal
auditors. Moreover, the surety company usually makes its own investigation be-
cause it must attest to the validity of the entity™s claim. However, it is important to
recognize that such an investigation should not be made solely by the surety com-
pany because its objective is to minimize the claim for the loss. Thus the audit
committee should ensure that the investigation is properly coordinated with the au-
ditors or the special investigators and the surety company. In particular, the com-
mittee should be assured that: (1) the suspect has not been notified of the present
investigation; (2) the investigation has been properly planned in advance and will
be conducted expeditiously to prevent covering up the evidence; (3) all corporate
transactions involving the suspect and the methods used to perpetrate the fraud
have been properly investigated and documented; (4) the existence of possible col-
lusion has been carefully considered; (5) the dollar amount of the defalcation has
been properly ascertained and the amount of the funds recovered; and (6) any legal
action, if appropriate, has been taken against the perpetrator(s). Such assurance is
obtained through the committee™s review of the reports from the auditors, legal
counsel, and the surety company as well as its consultation with the external audit
partner regarding disclosure matters in the financial statements.
From the preceding discussion, it is evident that the audit committee should
recognize not only the primary purpose of the annual audit examination but also
the implications of the auditor™s responsibility for the detection of fraud. The com-
mittee will look primarily to the internal and external auditors for assistance con-
cerning the necessary measures for the prevention of fraud. For example, it may
request a periodic survey of the fraud prevention measures within the entity. Such
a survey may be done by the internal audit group to determine the soundness of the
system of internal control. Consequently, during its review of the audit plans dis-
cussed in Chapters 6 and 7, the committee should address the need for a survey of
the fraud prevention measures. When such a survey is conducted, the committee
should review the internal auditor™s report with the outside audit partner to obtain
the partner™s assessment of the entity™s fraud prevention activities. The committee
should be satisfied that there is adequate follow-up regarding the internal auditor™s
recommendations so that if and when fraud should occur, it can be confident that
the cause of the fraud was not related to recommendations that were overlooked.
Such an oversight on the part of the committee may be a cause for an unrecovered
insurance claim. It is obvious that the audit committee must be alert not only to the
possibility of fraud but also to the steps necessary to safeguard the entity from
such fraud.
As Hugh L. Marsh and Thomas E. Powell conclude:
It would be a misconception to believe the possibility of fraud is the only reason for
establishing a chartered audit committee. While the primary role has been to oversee
management™s financial and reporting responsibilities, it is only one task. Neverthe-
less, the Treadway Commission™s investigations indicated that audit committees
could serve very effectively to reduce the incidence of fraud. When fraudulent fi-
nancial reporting did occur despite the existence of an audit committee, the follow-
ing important points in the audit committee™s charter often had been omitted:
The Audit Committee™s Oversight Approach to Fraud Risk Assessment 339

Authorization for resources. As noted by the Treadway Commission, only in unusual
circumstances would an audit committee need a separate staff, but the means for ac-
complishing this should be addressed.
Issues related to CPAs™ independence. The press has made much ado about the prac-
tice of some CPAs of using audit services as a “loss leader” for management advi-
sory services. Strong opinions have been expressed on both sides of this issue, but it
would seem prudent for the audit committee to oversee management™s judgments
about the independence of its CPAs.
Seeking a second opinion. Some observers speak of it disparagingly as “opinion
shopping”; others refer to it as seeking a technically correct opinion. But any time a
second opinion is sought, the audit committee should know what the issues were and
how they were resolved.
Preservation of internal auditor independence. Internal auditors occupy the unique
position of “independent” staff members. This independence is strengthened and en-
sured through audit committee action. Direct and unrestricted access to records is es-
sential and the audit committee should concur with the appointment and discharge of
the director of internal audit.29

As part of their oversight of the audit process and the SAS No. 99 requirements,
audit committees need to assure the full board of directors of any indications of
possible fraud and illegal acts, including management™s remedial actions. More
specifically, audit committees can expect to have discussions with their external
auditors regarding fraud risk areas during the information-gathering phase. Like-
wise, audit committees will be notified about fraud findings and reportable condi-
tions during the communication phase.
To achieve effective oversight responsibility for fraud risk areas, audit com-
mittees should consider this two-step approach:

1. Complete a profile worksheet with the details of the entity™s potential fraud risk
2. Address a set of representative questions for the preaudit and postaudit

Audit Committee™s Profile Worksheet”Fraud Risk Areas
Given the thrust of the new fraud standard, it is reasonable to expect that audit
committees will include a statement regarding their fraud risk discussions in their
written charter, which is disclosed in the entity™s annual proxy statement. Exhibit
11.5 shows a suggested format for a profile worksheet.

Hugh L. Marsh and Thomas E. Powell, “The Audit Committee Charter: Rx for Fraud Prevention,”
Journal of Accountancy 167, No. 2 (February 1989), pp. 55“57.
Exhibit 11.5 Audit Committee™s Profile Worksheet of the Entity™s Fraud Risk Areas

Services Available from:
with SEC,
Audit Committee Internal External Legal Board of or Sarbanes-
Practice Area Management Auditors Auditors Counsel Directors Oxley Act Comments:
Knowledge Areas
Industrv Matters
Competition ” ” ”
Economic conditions ” ” ”
Technology ” ” ”
Government regulations ” ” ” ”
Industry accounting practices ” ” ”
Entity™s Business Matters
Organizational structure
(management integrity) ” ”
Business and product segments
(Business model profile) ” ” ”
Policies and procedures for detecting fraud,
illegal acts, and whistleblower protection
(e.g., conflicts-of-interests (related party
transactions) monitoring, compliance with
the corporate code of conduct, monitoring
compliance with laws and regulations,
and management override of control(s)) ” ” ” ” ” ”
Management™s risk assessment process (busi-
A Perspective on Fraud and the Auditor

ness risk profile and internal control concepts) ” ” ”
Accounting policies and practices ” ” ”
Complex business transactions and contracts ” ” ” ”
Frequent change of legal counsel ”
Financial reporting process (quarterly and
annual financial statements) ” ” ” ”
Internal communication process ” ” ” ” ” ”
External communication process ” ”
External Audit Process
Selection or retention of auditors (terms of
service, qualifications, composition, and
independence of the audit engagement team) ” ” ” ” ”
Frequent change of auditors (disagreement
on GAAP, which causes opinion shipping). ” ” ” ” ”
Quantity of lawsuits against the CPA firm ” ” ” ” ”
Nonacceptance of recommendations in the
management letter (breakdowns in
internal controls) ” ” ” ”
Internal Audit Process
Approve hiring or termination of the internal
auditing executive (term of service,
qualifications and composition of the
internal audit groups) ” ” ”
Departmental organization and size ” ”
Reporting responsibility ”
Scope restrictions and access to requested
The Audit Committee™s Oversight Approach to Fraud Risk Assessment

information ”
Quantity of special projects and investigations
dealing with material noncompliance ” ” ”
342 A Perspective on Fraud and the Auditor

To adequately plan a review of the fraud risk areas, audit committees need
knowledge about the entity™s:

• Business model and industry
• Business risks and internal control environment
• Policies and procedures for detecting fraud and illegal acts
• Accounting industry practices
• Complex business transactions and significant contracts
• Financial reporting process

Likewise, audit committees need to review:

• The operational characteristics of the entity and the vulnerability of the indus-
try to changing economic conditions and competitive pressures. Such a review
usually would include recent annual and interim financial statements, SEC fil-
ings (1O-Qs and 10-Ks), annual proxy statement, the entity™s website, and an-
alytical review procedures (e.g., absolute data comparison, financial ratio data)
Additionally, an evaluation of management integrity would include biograph-
ical information on senior executives and financial management.
• Management™s risk assessment process and related internal controls (i.e., the
components of COSO™s Internal Control”Integrated Framework)
• Management™s policies and procedures with respect to:
• Conflicts-of-interest statements
• Corporate code of conduct
• Laws and regulations
• Management override of controls
• Industry accounting practices, with particular emphasis on the appropriate-
ness of accounting principles
• Complex business transactions (e.g., restructuring charges)
• Financial reporting process at the individual financial account and transaction
class level
• Internal and external communication processes
• Internal and external auditing processes

Audit Committee™s Meetings and Agendas”Fraud Risk Areas
Based on the profile worksheet, audit committees need to know what questions to
ask with respect to the auditors™ assessment of fraud risk and their response to the
overall audit approach.
During the preaudit meeting, audit committees can elicit information that is
helpful in setting objectives and implementation measures related to fraud pre-
vention and detection. For example, audit committees may ask the auditors to ex-
pand the scope of their examination with respect to areas of revenue recognition
The Audit Committee™s Oversight Approach to Fraud Risk Assessment 343

Exhibit 11.6 Representative Questions for Preaudit Meetings”Fraud Risk Planning

• To what extent can the planned audit scope be relied on to detect fraud? (See audit
engagement letter for the auditors™ responsibilities.)
• What steps were taken by the audit engagement team in assessing the likelihood that
fraud which may affect financial information may be occurring?
• Inquiries of management and employees other than management
• Observations with regard to preliminary analytical procedures, including procedures
related to revenue recognition (i.e., unusual and unexpected results)
• Consideration of fraud risk factors relative to fraudulent financial reporting and
misappropriation of assets (incentives/pressures, opportunities, and attitudes/
• Consideration of other information (e.g., integrity of management)
• Identification of fraud risks, including type of risk, significance, likelihood and
• Assessment of identified fraud risks and consideration of the entity™s programs and
controls to prevent, detect, and mitigate fraud
• Response to fraud risk assessment in the overall audit approach, including the
nature, timing, and extent of audit procedures as well as additional procedures
related to management override of controls
• What areas will be emphasized due to the heightened likelihood of fraud?
• What areas require special attention by the audit committee? (e.g., Sarbanes-Oxley™s
Corporate and Criminal Fraud Accountability provision, including record retention
and destruction procedures as well as whistleblower protection)
• Were there any allegations of unethical behavior in the financial reporting process?

or misappropriation of inventory. This information is also useful in setting objec-
tives in areas such as internal audit and special investigations. Exhibits 11.6 and
11.7 provide questions that enable audit committees to establish specific objec-
tives related to fraud risk areas.
During the postaudit meeting, audit committees need answers to questions deal-
ing with fraud detection, illegal acts, and breakdowns in internal control that arose
in the audit engagement. Exhibit 11.7 indicates some representative questions.
In reviewing the financial statements, audit committees should request a fraud
risk assessment at the financial account and transaction class level. They should be
alert to areas that involve judgment in recognition, valuation, measurement, and
disclosure as well as management™s assertions regarding asset realization and lia-
bility measurement.
In addition, audit committees should be alert to situations involving break-
downs in the system of internal control. As previously noted, audit committees
should review and study the areas of COSO™s Internal Control”Integrated Frame-
work in the context of the auditors™ fraud risk assessment.
Final}y, audit committees should be concerned with material audit adjustments
and immaterial uncorrected misstatements, including aggressive versus conserva-
tive accounting policies and any changes in accounting principles.
344 A Perspective on Fraud and the Auditor


. 67
( 82 .)