SAS 99 -- 17 ways to protect yourself from malpractice
By Gary D. Zeune, CPA
- The first problem is the title: Consideration of Fraud in a Financial Statement Audit. SAS 99 doesn’t require you to just think about fraud. It requires you perform the audit differently. So reword your audit programs to force yourself to think about what SAS 99 requires. Consistent wording in your audit programs year after year makes it easy for the plaintiff’s attorney to show you didn’t implement SAS 99 with all its new requirements.
- SAS 82 and now SAS 99 still allow and don't prohibit auditor practices that make it easy for clients to commit fraud. For example, it's only suggested that auditors 'consider' surprise procedures. It should be required that you vary procedures to keep the client off balance.
- Auditors often tell clients which inventory locations they are going to 'observe'. How much easier can you make it for a client to commit inventory fraud than to tell them which locations you're going to count?
- Protect yourself against sloppy language. Remember that every time SAS 99 says a procedure ‘should’ be performed, it MUST be performed.
- Don’t make the mistake of firing your riskiest clients, then trusting the remaining clients because of an honest track record. “But I trusted my client,” is NOT a defense. SAS 99 is crystal clear on this point . . . “trust” is NOT an internal control.
- Remember that judges and juries can override our rules and standards because GAAP and GAAS do NOT have the weight of LAW. Just because you put all the marks in the right little boxes on the check list does not mean you’ve done a successful audit. For example inventory observations began when McKesson & Robbins’ auditors missed the fact that five Canadian warehouses that were supposed to be full were in fact empty. The managing partner of the Big-8 firm didn’t want to sully the integrity of the CEO by counting the inventory. Sounds silly now, doesn’t it?
- Don’t’ fall into the “expectation gap.”’ The expectation gap is the primary cause of malpractice liability. It occurs when you believe that SAS 99 is the maximum level of work required. Thus, you often perform work below the level required. But judges, juries, SEC, etc. have said, over and over again, that audit standards are the minimum level of acceptable performance.
- You don’t get a “learning period” to implement SAS 99. Why? Because each year’s audit stands on its own. This is the most dangerous year to audit under SAS 99 because it’s new.
- Paragraph 1 of SAS 99 states “the auditor has a responsibility to plan and perform the audit to obtain reasonable assurance about whether the financial statements are free of material misstatement, whether caused by error or fraud.” Thus, SAS 99 clearly says that auditors have a positive, affirmative, duty to detect fraud.
- SAS 99 says all management frauds are material because they signal that the person lacks integrity, including turning in fake expenses. Further, materiality isn’t just an amount. A small amount also can be material because of the reason it’s there. For example, a small amount is material if it accomplishes something BIG, such as getting the bank loan renewed or maintaining your stock price.
- If you don’t pursue the ‘red flags’ of fraud — whether or not they are listed in SAS 99 — odds are you will be held liable for resulting losses.
- If you win business or keep clients by promoting your firm as client "financial partners," think how a jury will interpret that. Not a good idea. So review your proposals and marketing brochures.
- The cost of audits is on the rise. If your client switches to a compilation or review, the bankers may not notice. Talk to your counsel about adding, in large, bold print, "NOT AN AUDIT OPINION" at the top of your compilation and review reports.
- Using desktop publishing, some former clients will create their own fake audit opinion. Talk to your counsel about alerting the bank that you no longer audit the company.
- SAS 99 warns that no matter how good internal controls are, management can always override them. (WorldCom CFO Scott Sullivan allegedly made journal entries to commit an $11 billion fraud.)
- To avoid detection, clients attempt to have everything look ‘normal’. So in contradiction to SAS 99, don’t wait until you have identified a risk of material fraud to perform surprise and other additional procedures. That’s backwards. Perform the procedures to identify the risk.
- If you’re conducting the audit for bank loan covenant, minimize your risk by teaching every team member WHY the audit is being done, so they’ll know what to look for.