The expanding role of the forensic accountant

The Sarbanes-Oxley Act (SOX), the Statement on Auditing Standards-99 (SAS 99), and the Public Company Accounting Oversight Board (PCAOB) have not removed the pressures on CFOs to manipulate accounting statements. The PCAOB recommends that an auditor should perform at least one walkthrough for each major class of transactions. SAS 99 does not require the use of forensic specialists but does recommend brainstorming, increased professional skepticism, and unpredictable audit tests. A proactive fraud approach involves a review of internal controls and the identification of the areas most subject to fraud. Certified Forensic Accountants, Cr.FAs, will continue to be in demand to supplement the efforts of internal and external auditors. Key Words: accounting entries, Sarbanes-Oxley Act, fraud, COSO, SAS 99, materiality, walkthroughs, proactive ********** In March 2005, Bernard Ebbers, the former CEO of WorldCom, was convicted on nine counts of fraud including securities fraud, filing false reports, and conspiracy. Although this case was treated by the press as a singular event, convictions for corporate fraud are much more widespread than many realize. On March 22, 2005, The Wall Street Journal reported that from 1978-2002, federal regulators initiated 585 enforcement actions for financial misrepresentation by publicly traded companies, citing 2,310 individuals and 657 firms as being potentially liable. Clearly, internal and external auditors must utilize more fraud detection and forensic techniques into their audit programs. If fraud is suspected and the auditors have no forensic accountants on staff, a Certified Forensic Accountant, Cr.FA, should be consulted. * Insiders or outsiders with special ties to the company or management dominated the board of directors of the identified companies. They typically comprised about 60% of the board and collectively owned nearly one-third of the company's stock. * Family relationships among the directors and/or officers affected nearly 40% of the companies. * The amounts of the fraud were relatively large compared to the size of the companies. The average financial statement misstatement or misappropriation of assets was $25 million, with the average company having assets of $533 million. * Most frauds overlapped at least two periods, frequently involving both quarterly and annual financial statements. * The typical financial-statement fraud involved the overstatement of revenues and assets. Over half the fraud involved revenue recognition issues by recording revenues prematurely or deliberately misstating revenues. About half the fraud also involved the overstatement of assets by underestimating the allowance for receivables; overstating the value of inventory, property, plants, equipment, and other fixed assets; and recording nonexistent assets. * Over half the audit reports (55%) issued in the last year of the fraud period contained unqualified opinions. Accounting Profession's Inaction

Unfortunately, the accounting profession has been reluctant to assume responsibility for the detection of fraud, and only in recent years have auditing rules specifically addressed the need to uncover fraud. In 1998, at the request of the chairman of the SEC, the Public Oversight Board appointed a panel called the Panel on Audit Effectiveness that consisted of eight members who were charged with thoroughly examining the current audit model. In 2000, the Panel issued a 200-page report, Reports and Recommendations, which included a recommendation that auditors should perform forensic-type procedures during every audit to enhance the prospects of detecting material financial-statement fraud. In auditing, materiality is an important governing standard in terms of transactions that require investigation. Materiality is often defined in terms of a transaction's or account's relative size as compared to revenue or total assets. In a forensic investigation, materiality means something entirely different. As pointed out by Lorraine Horton, "In investigative accounting, it is the opposite. I am looking for one transaction that will be the key. The one transaction that is a little different, no matter how small the difference, and that will open the door." (4) For example, checking the payment made to a utility company may lead to the discovery of an executive's $4 million condo on the books of a corporation. Under the cockroach theory of fraud, there is never just one incident or red flag of fraud. To illustrate the importance of small details, consider the following example. A former Scotland Yard scientist tried to create the world's biggest fraud by authenticating $2.5 trillion worth of fake U.S. Treasury bonds. When two men tried to pass off $25 million worth of these bonds in Toronto in 2001, a policeman noticed the bonds bore the word "dollar" rather than "dollars." Police later raided a London bank vault and discovered that the bonds had been printed with an ink jet printer that had not yet been invented when the bonds were allegedly produced. In addition, zip codes were used even though they were not introduced until 1963. (5) Walkthroughs Are Recommended The PCAOB recommends that an auditor perform at least one walkthrough for each major class of transactions. A major class of transactions is identified as similar transactions that are significant to the company's financial statements. A walkthrough requires an auditor to trace a transaction from origination through the company's information systems until it is reflected in the company's financial reports. The walkthrough should include the entire process of initiating, authorizing, recording, processing, and reporting individual transactions and controls for each of the significant processes identified. Walkthroughs are vital in evaluating the effectiveness of an internal control system. * Public document reviews and background investigations (nonfinancial documents) * Interviews of knowledgeable persons * Confidential sources * Laboratory analyses of physical and electronic evidence * Physical and electronic surveillance * Undercover operations * Analyses of financial transactions (8)

Forensic accountants must be aware that the data-driven approaches do not detect all fraud schemes such as bribery and kickbacks. Often corruption and collusion involve the circumvention of control by top executives. So searching the relevant transactions data for patterns, red flags, and unexplained relationships may not yield positive results because the information may not be recorded within the system. Thus, "behavioral concepts and qualitative factors frequently allow the auditor to look beyond the data, both with respect to data that is there and data that isn't." (9) Like Sisyphus, the mythological character who was condemned to roll a rock up a hill each day only to watch it roll back down again, external and internal accountants cannot seem to make much progress in eliminating fraud from financial statements and the workplace. "During one investigation, we found in the auditing working papers a statement written in the margin of the internal audit working paper by the internal audit manager: 'Conceal from bankers,'" says Nichols L. Feakins, CPA, partner at San Mataeo, California, based forensic accounting firm Feakins & Feakins. "It sounds amazing, but the [third party] auditors had put B-level staff on the project who simply didn't read the documents and missed it." (10) Conclusion Fraud has become an issue of major importance in the public arena since the shocking revelation of the financial difficulties of Enron and a succession of other companies such as WorldCom. The ensuing public outcry resulted in the passage of the Sarbanes-Oxley Act of 2002, the most far-reaching legislation affecting the securities markets since the SLC acts of 1933 and 1934. The passage of SOX required the formation of the PCAOB, whose charge is the passage of rules intended to strengthen auditor independence and improve financial transparency. However, the need for forensic specialists has not declined even with the effort to pass laws and regulations intended to deter the incidence of fraud. Two new polls reported by Fortune Magazine show the continuing pressure on executives to meet earnings targets and the temptation to utilize accounting tricks to achieve those targets. A survey by CFO Magazine found that since 2001, 18% of financial executives said that they felt more pressure to use tricky accounting methods to make results appear more favorable, while 51% felt that there was no change in pressure to manipulate accounting numbers as compared to 2001. Another study from Duke University revealed that while only 8% of CFOs would be willing to use accounting tricks, 80% would decrease discretionary spending and 55% would delay new projects to meet the earnings target. (11) These results confirm the continuing pressure on financial executives to produce artificially higher profits and the need for continued vigilance to prevent fraud and abuse. Fraud accounting specialists such as Certified Forensic Accountants, Cr.FAs, who are trained to aggressively detect the potential for fraud are going to be in continuing demand to supplement the efforts of auditors.

SAS 82's effects on fraud discovery

Issued in 1997, SAS 82, Consideration of Fraud in a Financial Statement Audit, attempted to address certain perceived shortcomings of the audit process and audit quality. Today, the Auditing Standards Board is again considering the role of the audit in fraud detection in response to issues raised by the O'Malley Panel on Audit Effectiveness. Before engaging in a new round of standards setting, however, the auditing profession should carefully consider whether SAS 82's implementation meets its objectives and investigate its impact on the audit process. The authors' research indicates that SAS 82

has heightened awareness of the risks of financial reporting fraud, increased the amount of audit planning for fraud detection, and refocused certain aspects of the audit planning and implementation process. They also suggest that SAS 82 may have created higher expectations in the investing public than can be fulfilled by the current audit process. The 1997 issuance of SAS 82, Consideration of Fraud in a Financial Statement Audit, attempted to address public criticism of the audit process and audit quality. SAS 82 requires that independent auditors make a specific assessment of the risk of material misstatement on financial statements attributable to fraudulent financial reporting or asset misappropriation at the beginning of the audit and maintain this focus throughout. SAS 82 requires the assessment of the risk of material misstatement and consideration of nearly 40 specific fraud risk factors. These include management, industry, and operational characteristics. Specifically, auditors are required to make inquiries of management concerning the possible risk of fraud and to document in the workpapers any identified risk factors as well as their response to these risk factors. The standard became effective for financial statement audit periods ending on or after December 15, 1997. Expectations Regarding SAS 82 Before SAS 82, fraud detection standards were set by SAS 53, The Auditor's Responsibility to Detect and Report Errors and Irregularities. Issued in 1988, SAS 53 was intended to narrow the expectation gap between the independent auditor's actual responsibilities to detect financial statement misstatements and financial statement users' perceptions of these responsibilities. Within several years, however, the AICPA's Expectation Gap Roundtable and the Public Oversight Board (POB) raised serious concerns about SAS 53's success in bridging the expectation gap. In 1993, the POB concluded that there was a widespread belief that auditors had a greater responsibility for the detection of fraud than was being met. The Auditing Standards Board (ASB) concluded that some practitioners did not understand their fraud detection responsibilities under SAS 53, and it sought to clarify the auditor's responsibility for the detection and reporting of fraud through SAS 82. "I am hopeful that the standard [SAS 82] will enhance the likelihood of detection of material misstatement due to fraud," said David Landsittel, the ASB fraud task force chair, "further enabling the CPA profession to serve the public interest and increase the value of our services." Joseph P. Liotta, another member of the ASB fraud task force, indicated that SAS 82 requires auditors to ascertain management's understanding of the risk of fraud. Auditors must determine whether management is aware of any fraud perpetrated against the entity. The new standard has also led to the incorporation of new fraud terminology in the management representation letter. Liotta suggested that SAS 82 would result in auditors asking different questions of management. According to Liotta, "Research has shown that more frauds will be found by simply asking the right questions." Liotta suggested that, in a majority of cases, SAS 82 would have little or no impact on audit fees. However, he also said that audit fees might increase in "some situations, particularly initial public offerings or certain industries that require more effort on the public accountant's part." Liotta also suggested that audit cost increases could be likely in companies where management is not effectively addressing fraud risk factors.

SAS #82: sword or shield?

Views From Corporate And Public Practice On The New Fraud Detection Standard SAS No. 82 "Consideration of Fraud in a Financial Statement Audit was recently issued by the American Institute of Certified PublicAccountants (AICPA, 1997). It is the fourth authoritative expression issued by the profession in the last twenty-five years that attempts to define the accountant's responsibility to detect fraud when performing an audit of financial statements in conformity with generally accepted auditing standards(GAAS).

This article provides a critical overview of SAS #82. It also presents a comparative summary of the views expressed by senior members from the corporate financial reporting community as well as views from assurance service partners in public practice. Historical Perspective of Accountant's Responsibility A historical review of the three authoritative statements preceding SAS #82 provide (1) a basis for understanding why the new statement was issued and (2) also helps explain some potential problems with the new standard. When the Auditing Standards Board (ASB) was formed in 1972, they issued SAS No. 1 "Codification on Statement of Auditing Standards." This was a codification of the 54 Statement on Auditing Procedure (SAPs) that were in effect when the ASB became operative. In the general auditing standards of Section 110.05-.08, two points about the accountant's responsibility may be discerned: 1. The discovery of fraud is not an objective of the independent auditor's examination. 2. An ordinary examination "cannot be relied upon to assure its discovery." Another comparison was that SAS #82 provided "an audit standard with a responsibility to detect fraud" that was"unchanged" from the status quo of SAS #53. The new statement merely "CLARIFIED" the responsibility with "new performance standards to address the responsibility." When compared to SAS #53, the expected result under SAS #82 was to be "improved fraud detection in an audit" versus "little improvement in fraud detection" under the guidance provided by SAS #53. A careful reading of these comparisons by the AICPA might lead one to believe that a higher standard of performance should be expected in the detection of fraud in the course of a financial statement audit. Under SAS #53, the auditor's responsibility in AU Section 316.05 stated: The auditor should assess the risk that errors and irregularities may cause the financial statements to contain a material misstatement. based on that assessment, the auditor should design the audit to provide reasonable assurance of detecting errors and irregularities that are material to the financial statements. Commendably, SAS #82 elevated the auditor's responsibility to AU Section 110, and in the author's opinion, has both clarified and arguably, has strengthened the accountant's responsibility (along with some protective shields) as follows: The auditor has a responsibility to plan and perform the audit to obtain reasonable assurance about whether the financial statements are free from material misstatement, whether caused by error or fraud. Because of the nature of audit evidence and the characteristics of fraud, the auditor is able to obtain reasonable, but not absolute, assurance that material misstatements are detected. The auditor has no responsibility to plan and perform the audit to obtain reasonable assurance that misstatements, whether caused by errors, or fraud, that are not material to the financial statements are detected. (Emphasis added by author) Essentially, the preceding may be used in an attempt to shield the profession from the public's expectation that an audit of the financial statements, in conformity with generally accepted auditing standards, will discover

"management fraud." Unfortunately, the latter is a primary cause of the expectation gap between the accounting profession and the financial community. Finally, there are two problems from a operational standpoint. First, the list of approximately fifty "fraud risk factors" arranged in 5 categories in SAS #82, may become interpreted in court as rules and guidelines to be followed in identifying and evaluating risk in a case where a fraud was not detected. The absence of any factors mentioned in the standard that are not documented by the auditor may be considered as a "lack of due professional care" and thus nonconformity with GAAS. This gives rise to the second operational problem. The problem is time management. The auditor is under time pressure to complete the engagement and pressure to contain the cost of services. In order to cope with these time pressures while complying with documentation requirements, it is possible that some accountants may spend time being preoccupied with completing the formal documentation of risk factors and overlook the substantive signals these factors provide in the risk assessment and evaluation phase of the audit. Auditors are drawing fewer numerical samples to test. Instead, they are relying more on analytical procedures with reduced substantive testing because of material risk assessments of control weaknesses. Some empirical evidence developed earlier this decade suggests these concerns may have merit, but naturally only time and experience, perhaps in the form of fraud litigation, will provide substantial answers to these concerns. Views from Corporate and Public Practice on the New Fraud Standard Two unique differences were noted. One respondent viewed the new standard as being more of a "sword" than a "shield," or a combination of the two as the other eight responded. He felt the new standard compelled a more proactive role in looking for fraud, and thus giving a greater opportunity to be more aggressive when professional skepticism was deemed appropriate. He said: "SAS-82 is another GAP statement. While we may think it doesn't change our responsibility, the public is expecting something different." Likewise, the other partner felt that SAS-82 had raised the corporate community's expectation level for fraud detection. "Some corporate readers and less sophiscated investors see the Statement as saying 'and now they'll discover fraud too'." 3. The final question asked about the time and cost impact of SAS-82 and how it would affect client fees. The responses here were more divided between the largest firms and other firms. In all cases, there was expected to be increased time and cost involved in implementation. However, the larger firms did not appear to be as willing to pass along cost increases to clients as did the nonnational firms. Stated plainly, the audit is viewed as a commodity where price competition is a factor to be considered. This was not as apparent for the non-national firms. Times for implementation ranged from a few hours up to 2 or 3 percent of total audit time. Time for repeat uses of the Statement was expected to decline this year. Members from the Corporate Community One potential problem in the research approach used in this study is that none of the nine members from the corporate community were clients of the non-national public accounting firms. This is relevant because of the error potential it introduces in the following question answered by the corporate community.

The AICPA would have members think the responsibility standard has not been changed. Unfortunately, the old ploy of banging the shoe on a desk top and repeatedly saying "no change" does not make it so. An careful analysis of the Statement and other AICPA commentary, along with the views collected from members of the corporate community and even some auditors, tends to support the position that SAS-82 will not narrow the "expectation gap." In fact, it may even widen the chasm. Certainly using the word "fraud" in a technical audit standard instead of putting it in the auditor's report clearly for the public view will not be missed by a litigator seeking damages in a case of undiscovered management fraud. SAS-82 may provide members in public practice with some comfort by many of the "shields" it contains couched in technical rhetoric. However, it will be left to time, and the subsequent discovery of frauds that were not initially detected by the auditor. At that point, it will be left to the resultant litigation to determine the true quality of the guidance provided to the profession and the comfort given to the financial community by SAS-82.