Enjoy this excerpt from Leita's upcoming book on Fraud in Government.
March 30, 2011
Those Nasty SAS 99 Questions
Aren’t those mandatory, rude fraud questions fun? As the first step of SAS 99, auditors stop just short of saying accusing the people running the program of committing fraud. Just short.
The people responsible for running the program get understandably upset; nobody likes such direct and accusatory inquiries. And auditors, unless they enjoy seeing people squirm, don’t like asking either.
SAS 99 is a Statement on Auditing Standards promulgated by the AICPA that directly addresses the auditor's responsibility for fraud. And the AICPA doesn't pull any punches when it comes to this topic!
What is Required?
Financial auditors are required, at a minimum, to interview and make inquiries as required by SAS 99. SAS 99 requires the auditor to interview:
- The audit committee
- The internal audit director
- Front line staff
Additional interviews and inquiries should be made if they are needed to meet the audit objectives.
How Did We Get Here?
The Certified Fraud Examiners will tell you that one of the best ways to find fraud is to ask about it. Supposedly, some people need to be prompted to share; they won’t naturally bring this up and seek to resolve it, because the payoff isn’t there.
I was talking to a San Francisco taxi driver recently and he told me that he hates working on Saturday nights. Drunks think it is funny to walk away after a ride and not pay. If the taxi driver calls the police, it consumes hours of his time, and time is money. So, he pretty much has to let them get away with it.
One auditor told me that the head of an Indian Tribal Council confided in him that fraud was rampant throughout his organization, but he knew that if he said anything, he would get drummed out of office. Only upon hearing the auditor’s pointed SAS 99 questions did he hint at what he knew.
When put on the spot, folks might tell you.
Each fraud interview can consume an hour of your time - 15 minutes to prepare, 20 minutes to conduct, 25 minutes to document. And this assumes the client doesn't have anything juicy to say.
- Be prepared to ask some version of these questions in order to comply with the standard:
- Do you have any knowledge of fraud or suspected fraud affecting the entity?
- Are you aware of allegations of fraud?
- What do you do to prevent fraud?
Are employees made aware of their responsibilities regarding ethical behavior?
- If someone would commit fraud here, how would they do it?
I paraphrased those out of the AICPA standards, but you should look at the standards yourself, really… you should:http://www.aicpa.org/download/members/div/auditstd/AU-00316.PDF.
These questions that are required by SAS 99 regarding fraud are not guaranteed to uncover fraud. But the questions do highlight areas that the auditor may want to focus on to provide some modicum of assurance that fraud didn't and isn't happening.
Now, if you are an auditor, you might be thinking, “I’ll just skip a few of those more pointed questions and soften up the others. They’ll get the hint and I won’t have to be so direct.” Nice try, but these questions aren’t that flexible.
If you want to comply with standards, you are going to have to inquire directly, without beating around the bush. If you want to do your best at diligently trying to uncover fraud, then SAS 99 pointed, rude questions make good sense.
Please do not try to conduct your fraud interviews using a questionnaire that you email to the interviewee. That is completely bypassing the intent of the standard. People are not going to tell you whether their boss is committing fraud on a questionnaire. No one hates their career that much!
I got a real kick out a participant in my ‘Fraud in the Government Course’ at the LBJ School. She was an accounts payable clerk at a water utility and came to class so that she could answer the auditors’ questions. The auditors sent her a SAS 99 questionnaire every year asking her ,“If fraud were committed in this organization, how would it occur?” or something to that effect. For years, she said that she didn’t know of any way. This is exactly what the auditor wanted to hear.
But it bothered her that she didn’t have a good answer! So she came to my class so that she could answer with a few examples! Now she is going to worry the heck out of the auditor. Sometimes, I think that in learning about fraud, some participants take away ideas to commit fraud themselves.
Preparing Your Client
SAS 99 is an unpleasant audit standard for everyone involved.
If you are an audit client, you might be thinking, “I’m not answering those questions! No one said I had to and I am going to call my lawyer!” You can do that, but realize that good auditors go where their gut leads them. And a thorough auditor could interpret your resistance as a red flag that you know something, and that further investigation is needed. Not always, but that is the risk you take by making a big deal of this. It is probably better to just play along, unless of course, you are guilty. J
The only way an auditor is going to come out of the SAS 99 interview with their relationship with the client intact is to tell the client that you are required to ask these crazy questions. Give them a preview of what is about to happen and why you have to do it.
You might start with, “This is an uncomfortable part of my job. I am sure you have heard of all of the scandals, like Enron, WorldCom, Bernie Madoff, involving fraud. And I have a professional responsibility to do my best to detect fraud in every organization that I audit. The standards that I adhere to require that I ask you some pretty pointed questions, and they are going to sound very rude. But another thing my standards require is that I ask these questions without softening them or altering them.”
It is always a good idea to give the client a minute to think, and ask them to share their concerns or ask any questions. Say, “What questions do you have about this interview?” Check out the phrasing of that question. I recommend that you phrase your question that way because if you say something else like "Do you understand?” They will automatically respond affirmatively as they don’t want to look stupid. And asking, “Do you have any questions?” implies that they shouldn’t have any. So saying, “What are your questions?” lets them know that they naturally should have some and you welcome their questions!
You might also warn them that the word ‘fraud’ will be used frequently during your inquiry. The word “fraud” tends to get people upset. In the government-auditing world, the acronym FRA was used to label some engagements. FRA stands for Financial Related Audit and it was a GAO term during in the 80s and 90s. When I used it in entrance conferences with clients, you should have seen them freak out! They thought I was saying that I was conducting a fraud audit (fra… fraud…) After a few anxious calls from auditees, audit management sent an urgent memo, “Never use that term AGAIN!”
Next, answer their questions politely and ask their permission to proceed. You could say something like, “If at any time you want to stop, just let me know. May I proceed?”
Then begin the inquisition.
Leita Hart-Fanta, CPA, CGFM, CGAP
Resides in Austin, Texas and can be reached at firstname.lastname@example.org.
subscribe to this newsletter at http://www.auditskills.com