SAS 99 -- 17 ways to protect yourself from malpractice

By Gary D. Zeune, CPA

Congress mandated as Sarbanes-Oxley (SoX) for public companies and their auditors. Think of SAS 99 as SoX for everyone else. SAS 99 became effective for audits of financial statements for periods beginning on or after
December 15, 2002 and applies to audits of all nonpublic entities, private companies, non-profits, government units, etc. The trigger is an audit. The status of the entity is irrelevant. If you don’t follow SAS 99 and miss a fraud, the plaintiff’s attorney will use it as a road map to sue you. So every time you check “no” or “not applicable”, how are you going to answer the bank’s attorney’s question, “Why do you think you’re smarter than the Auditing Standards Board?”




Ignore these at your own risk
Could your audit workpapers withstand the scrutiny that some firms have undergone in the recent scandals? If not, think about these before you finish the field work:
  1. The first problem is the title: Consideration of Fraud in a Financial Statement Audit. SAS 99 doesn’t require you to just think about fraud. It requires you perform the audit differently. So reword your audit programs to force yourself to think about what SAS 99 requires. Consistent wording in your audit programs year after year makes it easy for the plaintiff’s attorney to show you didn’t implement SAS 99 with all its new requirements.
  2. SAS 82 and now SAS 99 still allow and don't prohibit auditor practices that make it easy for clients to commit fraud. For example, it's only suggested that auditors 'consider' surprise procedures. It should be required that you vary procedures to keep the client off balance.
  3. Auditors often tell clients which inventory locations they are going to 'observe'. How much easier can you make it for a client to commit inventory fraud than to tell them which locations you're going to count?
  4. Protect yourself against sloppy language. Remember that every time SAS 99 says a procedure ‘should’ be performed, it MUST be performed.
  5. Don’t make the mistake of firing your riskiest clients, then trusting the remaining clients because of an honest track record. “But I trusted my client,” is NOT a defense. SAS 99 is crystal clear on this point . . . “trust” is NOT an internal control.
  6. Remember that judges and juries can override our rules and standards because GAAP and GAAS do NOT have the weight of LAW. Just because you put all the marks in the right little boxes on the check list does not mean you’ve done a successful audit. For example inventory observations began when McKesson & Robbins’ auditors missed the fact that five Canadian warehouses that were supposed to be full were in fact empty. The managing partner of the Big-8 firm didn’t want to sully the integrity of the CEO by counting the inventory. Sounds silly now, doesn’t it?
  7. Don’t’ fall into the “expectation gap.”’ The expectation gap is the primary cause of malpractice liability. It occurs when you believe that SAS 99 is the maximum level of work required. Thus, you often perform work below the level required. But judges, juries, SEC, etc. have said, over and over again, that audit standards are the minimum level of acceptable performance.
  8. You don’t get a “learning period” to implement SAS 99. Why? Because each year’s audit stands on its own. This is the most dangerous year to audit under SAS 99 because it’s new.
  9. Paragraph 1 of SAS 99 states “the auditor has a responsibility to plan and perform the audit to obtain reasonable assurance about whether the financial statements are free of material misstatement, whether caused by error or fraud.” Thus, SAS 99 clearly says that auditors have a positive, affirmative, duty to detect fraud.
  10. SAS 99 says all management frauds are material because they signal that the person lacks integrity, including turning in fake expenses. Further, materiality isn’t just an amount. A small amount also can be material because of the reason it’s there. For example, a small amount is material if it accomplishes something BIG, such as getting the bank loan renewed or maintaining your stock price.
  11. If you don’t pursue the ‘red flags’ of fraud — whether or not they are listed in SAS 99 — odds are you will be held liable for resulting losses.
  12. If you win business or keep clients by promoting your firm as client "financial partners," think how a jury will interpret that. Not a good idea. So review your proposals and marketing brochures.
  13. The cost of audits is on the rise. If your client switches to a compilation or review, the bankers may not notice. Talk to your counsel about adding, in large, bold print, "NOT AN AUDIT OPINION" at the top of your compilation and review reports.
  14. Using desktop publishing, some former clients will create their own fake audit opinion. Talk to your counsel about alerting the bank that you no longer audit the company.
  15. SAS 99 warns that no matter how good internal controls are, management can always override them. (WorldCom CFO Scott Sullivan allegedly made journal entries to commit an $11 billion fraud.)
  16. To avoid detection, clients attempt to have everything look ‘normal’. So in contradiction to SAS 99, don’t wait until you have identified a risk of material fraud to perform surprise and other additional procedures. That’s backwards. Perform the procedures to identify the risk.
  17. If you’re conducting the audit for bank loan covenant, minimize your risk by teaching every team member WHY the audit is being done, so they’ll know what to look for.
The final word
Remember, like teenagers getting their driver’s license, getting an audit is a privilege, not a right. The best way to protect yourself and your firm is to select very carefully those with whom you do business. Do NOT accept clients just because they are willing to pay for the work. For example, in the infamous ZZZZ Best Carpet Cleaning fraud, CEO Barry Minkow and CFO Mark Morze picked the auditors because they believed the firm would be the easiest to fool. If you don’t know anything about the potential client’s business, take a pass. In this new environment, the fees are simply not worth the risk.
Please contact me if you have any questions. . . . gdz_
© Gary D. Zeune, CPA, is founder of The Pros & The Cons, the only speakers’ bureau in the United States for white-collar criminals. He has written several books and has authored more than 35 articles on fraud and performance measures in national publications. Zeune teaches fraud classes for the FBI, the U.S. Attorney, more than 30 state and national CPA societies, and numerous banks and accounting firms. He can be reached at or via his Web site.

You may like these other stories...

For the first time in the five-year history of’s rankings of the top 50 accounting firms to work for in North America, a firm has held the top spot as best accounting employer for two consecutive years....
With tomorrow being Tax Day, you might see some procrastinators at your office filling out forms, printing out paperwork, or getting last-minute tax advice from their accountant so they can meet the IRS’s filing...
You can read volumes on how to manage an accounting practice. But if you want the quick version, just read the following four points. Everything else is just commentary.  (These points come out of the 1997 book, The...

Upcoming CPE Webinars

Apr 22
Is everyone at your organization meeting your client service expectations? Let client service expert, Kristen Rampe, CPA help you establish a reputation of top-tier service in every facet of your firm during this one hour webinar.
Apr 24
In this session Excel expert David Ringstrom, CPA introduces you to a powerful but underutilized macro feature in Excel.
Apr 25
This material focuses on the principles of accounting for non-profit organizations' revenues. It will include discussions of revenue recognition for cash and non-cash contributions as well as other revenues commonly received by non-profit organizations.
Apr 30
During the second session of a four-part series on Individual Leadership, the focus will be on time management- a critical success factor for effective leadership. Each person has 24 hours of time to spend each day; the key is making wise investments and knowing what investments yield the greatest return.