Those Nasty SAS 99 Questions


Enjoy this excerpt from Leita's upcoming book on Fraud in Government.


March 30, 2011

Those Nasty SAS 99 Questions
 “Do you know of anyone committing fraud in your organization?” asks the auditor, reading from his mandatory list of Statements on Auditing Standards 99 questions. And the client responds, “Are you accusing me of committing fraud!?!”


Early Bird Discount still available for The Single Audit Series until April 1!Click here to register today.

Aren’t those mandatory, rude fraud questions fun? As the first step of SAS 99, auditors stop just short of saying accusing the people running the program of committing fraud. Just short.

The people responsible for running the program get understandably upset; nobody likes such direct and accusatory inquiries. And auditors, unless they enjoy seeing people squirm, don’t like asking either.

SAS 99 is a Statement on Auditing Standards promulgated by the AICPA that directly addresses the auditor's responsibility for fraud. And the AICPA doesn't pull any punches when it comes to this topic!

What is Required?

Financial auditors are required, at a minimum, to interview and make inquiries as required by SAS 99. SAS 99 requires the auditor to interview:

  • Management
  • The audit committee
  • The internal audit director
  • Front line staff

Additional interviews and inquiries should be made if they are needed to meet the audit objectives. 

How Did We Get Here?

The Certified Fraud Examiners will tell you that one of the best ways to find fraud is to ask about it. Supposedly, some people need to be prompted to share; they won’t naturally bring this up and seek to resolve it, because the payoff isn’t there.

I was talking to a San Francisco taxi driver recently and he told me that he hates working on Saturday nights. Drunks think it is funny to walk away after a ride and not pay. If the taxi driver calls the police, it consumes hours of his time, and time is money. So, he pretty much has to let them get away with it. 

One auditor told me that the head of an Indian Tribal Council confided in him that fraud was rampant throughout his organization, but he knew that if he said anything, he would get drummed out of office. Only upon hearing the auditor’s pointed SAS 99 questions did he hint at what he knew.

When put on the spot, folks might tell you. 

Be Prepared

Each fraud interview can consume an hour of your time - 15 minutes to prepare, 20 minutes to conduct, 25 minutes to document. And this assumes the client doesn't have anything juicy to say.

  • Be prepared to ask some version of these questions in order to comply with the standard:
  • Do you have any knowledge of fraud or suspected fraud affecting the entity?
  • Are you aware of allegations of fraud?
  • What do you do to prevent fraud?
    Are employees made aware of their responsibilities regarding ethical behavior?
  • If someone would commit fraud here, how would they do it?

I paraphrased those out of the AICPA standards, but you should look at the standards yourself, really… you should:

These questions that are required by SAS 99 regarding fraud are not guaranteed to uncover fraud. But the questions do highlight areas that the auditor may want to focus on to provide some modicum of assurance that fraud didn't and isn't happening.

Now, if you are an auditor, you might be thinking, “I’ll just skip a few of those more pointed questions and soften up the others. They’ll get the hint and I won’t have to be so direct.” Nice try, but these questions aren’t that flexible. 

If you want to comply with standards, you are going to have to inquire directly, without beating around the bush. If you want to do your best at diligently trying to uncover fraud, then SAS 99 pointed, rude questions make good sense. 

Please do not try to conduct your fraud interviews using a questionnaire that you email to the interviewee. That is completely bypassing the intent of the standard. People are not going to tell you whether their boss is committing fraud on a questionnaire. No one hates their career that much!

I got a real kick out a participant in my ‘Fraud in the Government Course’ at the LBJ School. She was an accounts payable clerk at a water utility and came to class so that she could answer the auditors’ questions. The auditors sent her a SAS 99 questionnaire every year asking her ,“If fraud were committed in this organization, how would it occur?” or something to that effect. For years, she said that she didn’t know of any way. This is exactly what the auditor wanted to hear. 

But it bothered her that she didn’t have a good answer! So she came to my class so that she could answer with a few examples! Now she is going to worry the heck out of the auditor. Sometimes, I think that in learning about fraud, some participants take away ideas to commit fraud themselves.

Preparing Your Client

SAS 99 is an unpleasant audit standard for everyone involved. 

If you are an audit client, you might be thinking, “I’m not answering those questions! No one said I had to and I am going to call my lawyer!” You can do that, but realize that good auditors go where their gut leads them. And a thorough auditor could interpret your resistance as a red flag that you know something, and that further investigation is needed. Not always, but that is the risk you take by making a big deal of this. It is probably better to just play along, unless of course, you are guilty. J

The only way an auditor is going to come out of the SAS 99 interview with their relationship with the client intact is to tell the client that you are required to ask these crazy questions. Give them a preview of what is about to happen and why you have to do it.

You might start with, “This is an uncomfortable part of my job. I am sure you have heard of all of the scandals, like Enron, WorldCom, Bernie Madoff, involving fraud. And I have a professional responsibility to do my best to detect fraud in every organization that I audit. The standards that I adhere to require that I ask you some pretty pointed questions, and they are going to sound very rude. But another thing my standards require is that I ask these questions without softening them or altering them.” 

It is always a good idea to give the client a minute to think, and ask them to share their concerns or ask any questions. Say, “What questions do you have about this interview?” Check out the phrasing of that question. I recommend that you phrase your question that way because if you say something else like "Do you understand?” They will automatically respond affirmatively as they don’t want to look stupid. And asking, “Do you have any questions?” implies that they shouldn’t have any. So saying, “What are your questions?” lets them know that they naturally should have some and you welcome their questions!

You might also warn them that the word ‘fraud’ will be used frequently during your inquiry. The word “fraud” tends to get people upset. In the government-auditing world, the acronym FRA was used to label some engagements. FRA stands for Financial Related Audit and it was a GAO term during in the 80s and 90s. When I used it in entrance conferences with clients, you should have seen them freak out! They thought I was saying that I was conducting a fraud audit (fra… fraud…) After a few anxious calls from auditees, audit management sent an urgent memo, “Never use that term AGAIN!”

Next, answer their questions politely and ask their permission to proceed. You could say something like, “If at any time you want to stop, just let me know. May I proceed?”   

Then begin the inquisition.


Leita Hart-Fanta, CPA, CGFM, CGAP
Resides in Austin, Texas and can be reached at


subscribe to this newsletter at



This blog

Governmental auditors unite! Leita Hart-Fanta, CPA, CGFM, and CGAP is the author of “The Yellow Book Interpreted” and owner of a website devoted to training for governmental auditors. Whether you are an internal auditor or monitor for a government entity or a CPA doing grant audits, you will enjoy Leita’s humorous take on the complexity of auditing in the government environment.

More from this blog

Bloggers crew

Steve Knowles has spent 25 years in business and practice in the UK, but he also worked in the states and the years haven't dulled his way of seeing an alternative view to everyone else, and every day is a new adventure.


Joel M. Ungar, CPA is a lifelong resident of the Detroit area and a graduate of The University of Michigan. He is a principal with Silberstein Ungar, PLLC, a Top 15 auditor of SEC public reporting companies.


Allan Boress, CPA, with over 25 years as a practitioner and consultant to the accounting profession. Mr. Boress is the author of 12 published books in 6 different languages, including a best-seller, The "I-Hate-Selling" Book.


Larry Perry, CPA, CPA Firm Support Services, LLC, is the author of accounting and auditing manuals, author and presenter of live staff training seminars, and author of webcast and self-study CPE programs. He blogs about small audits, reviews, and compilations.

Sandra Wiley, COO and Shareholder, is ranked by Accounting Today as one of the 100 Most Influential People in Accounting as a result of her prominent role as an industry expert on HR and training as well as influence as a management and planning consultant. She is also a founding member of The CPA Consultant's Alliance. Sandra is a certified Kolbe™ trainer who advises firms on building balanced teams, managing employee conflict and hiring staff.

Maria Calabrese, CIR, Human Resources manager for Fazio, Mannuzza, Roche, Tankel, LaPilusa, LLC in Cranford, New Jersey, Maria's topics revolve around the world of: Mentoring, Performance management, and The "Y Generation," a.k.a. "The whY generation".


William Brighenti is a CPA, Certified QuickBooks ProAdvisor, and Certified [Business] Valuation Analyst, operating an accounting, tax, and QuickBooks consulting firm in Hartford, Connecticut, Accountants CPA Hartford.


Ken Garen, CPA, is the co-founder and President of Universal Business Computing Company (, a software development firm of high-volume, high-productivity accounting and payroll technology.


Eva Rosenberg, MBA, EA, is the publisher of, and author of the weekly syndicated Ask TaxMama column. She provides answers to tax questions from taxpayers and tax professionals worldwide.


Amy Vetter, CPA, CITP is the CPA Programs Leader for Intacct Corporation responsible for leading the CPA/BPO Partners nationally.

Brian Strahle is the owner of LEVERAGE SALT, LLC where he provides state and local tax technical services to accounting firms, law firms and tax research organizations across the United States. He also writes a weekly column in Tax Analysts State tax Notes entitled, "The SALT Effect." For more info, visit his website:
Scott H. Cytron, ABC, is president of Cytron and Company, known for helping companies and organizations improve their bottom line through a hybrid of strategic public relations, communications, marketing programs and top-notch client service. An accredited consultant, Scott works with companies, organizations and individuals in professional services (accounting, finance, medical, legal, engineering), high-tech and B2B/B2C product/service sales.

Rita Keller is a nationally known CPA firm management consultant, speaker, author, mentor and blogger. She has over 30 years hands-on experience in CPA firm management, marketing, technology and administrative operations.

Stacy Kildal is the mom of two fantastic kids, an Advanced Certified QuickBooks ProAdvisor, Certified Enterprise Solutions ProAdvisor, Sleeter Group Certified Consultant, a nationally recognized member of the Intuit Trainer and Writer Network, and co-host of RadioFree QuickBooks.
Michael Alter's blog specializes in providing practical advice to those who seek greater profitability and practice management tactics that enhance deeper client relationships.

Sally Glick, CMO, Principal, Marketer of the Year in 2003 and AAM Hall of Famer in 2007, leads a lively discussion of the constantly expanding roles of marketing and the professional marketers that drive this initiative in accounting firms of all sizes.


The IMA Young Professionals Blog features the insights of IMA’s Young Professionals Committee. Committee members share advice and experiences on careers, continuing education, work/life balance, and other issues affecting young accounting and finance professionals.


FEI Financial Reporting Blog provides highlights from SEC, PCAOB, FASB, IASB, and other regulatory news, including reporting under Sarbanes-Oxley Sect 404. It is written by Edith Orenstein, Director of Technical Policy Analysis at FEI.


Sue Anderson has 30 years of experience in continuing education for accountants. Currently she is the program director for online CPE provider CPE Link.


Jim Fahey is COO of Apple Growth Partners, a regional CPA firm in Ohio. His focus is on the effective and efficient use of technology within the firm by all team members.

Caleb Newquist is the Editor-in-Chief of Sift Media US, overseeing content for both AccountingWEB and Going Concern.

Leita Hart-Fanta, CPA, CGFM, and CGAP is the author of "The Yellow Book Interpreted" and owner of a website devoted to training for governmental auditors.


AccountingWEB is more than just a U.S. team of journalists and financial and technology experts - we have an international side, too! Members of our British team who publish share their ideas, insights, and perspectives from across the pond.