New Antifraud Audit Standard Approved —SAS No. 99 - 1/3/2003

Consideration of Fraud in a Financial Statement Audit
In the aftermath of the Enron and WorldCom fiascoes that rocked not only the accounting profession, but the major financial markets as well, the AICPA is stepping up efforts to fight corporate fraud. The Auditing Standards Board (ASB) of the AICPA has recently approved a new standard, Statement on Auditing Standards (SAS) No. 99, Consideration of Fraud in a Financial Statement Audit. SAS No. 99 provides auditors with additional guidance for detecting material fraud. The standard directs auditors to approach every audit with "professional skepticism" and not assume that management is honest. It puts fraud at the forefront of the auditor's mind.

SAS No. 99's key provisions include the following:

Increased emphasis on professional skepticism.

The audit team needs to set aside existing beliefs about management's honesty and exchange ideas on how frauds could occur. The audit team members should keep in mind the incentives, opportunities, and ability to rationalize that usually precede fraud perpetration. In simple English this means that your auditors must look at every phase of your credit union's operation and assess how and where fraud could occur in that aspect of the operations. Furthermore, auditors must also look at every individual within the credit union, from the CEO right on down, and determine if they have the motive, ability and opportunity to commit fraud. These evaluations and discussions should put the audit team in a better position to design audit tests that are responsive to the risks of fraud.

Discussions with management.

The engagement team should ask management and others in the organization about the risk of fraud and whether they are aware of any frauds. The auditors should make a point of talking to employees in and outside management, thereby giving employees and others the opportunity and encouragement to "blow the whistle." Concern that a coworker will turn them in might also deter others from committing fraud. Under the provisions of SAS No. 99, auditors now will be asking management and employees directly if they have knowledge of any wrongdoing in the credit union. How employees will react to this will be interesting, but be prepared, because we are going to be adding this line of questioning to the audit programs.

Unpredictable audit tests.

The engagement team should test areas, locations, and accounts that otherwise might not be tested. From the client's viewpoint, the tests should be unpredictable and unexpected.
They say variety is the spice of life. If auditing can be considered spicy at all, it is the variations in the audit program that make it so. Frequently, after issuing a Management or Reportable Conditions Letter, credit unions ask why we haven't commented on a particular area before. The credit union may have been functioning in this manner for several years; why is it now an issue? That is because the audit program is always changing and evolving. Yes, there are certain audit tasks that are routine. Those tasks must be done in every audit. We always try, however, to throw in a few new wrinkles with every audit. It keeps you, and us, on our toes.

Responding to management override of controls.

The standard includes procedures to test for management override of controls on every audit.
One of the biggest concerns in the accounting industry is when the top dogs in a company are the ones committing the fraud. Most every credit union that we deal with has some form of controls that will catch a teller if they are clipping a few bucks here and there. The real risk is when top management goes bad. It does happen. And, the damage can be devastating. We do, as part of our regular audit program, evaluate closely the Board and Supervisory/Audit Committee oversight of management. Expect this type of review to continue and, probably, intensify.

SAS No. 99 is effective for audits of financial statements for periods beginning on or after December 15, 2002.

Clearly, the fight against fraud is not just the external auditor's responsibility. Internal auditors, management, boards of directors, Supervisory/Audit Committees, and employees have a role in this effort. We, as CPAs, bring additional and various technical skills and expertise to the effort, and, hopefully, we can assist all of you in playing your parts.

The fight against fraud begins with strong fraud prevention programs and internal controls. SAS No. 99 requires auditors to review the credit union's programs and controls to address fraud risks. Depending on the existing control structure, management may need to implement stronger fraud prevention programs and controls than are currently in place. Earlier it was stated that auditors need to approach every audit with an increased degree of "professional skepticism". You, as credit union CEOs and directors, must develop this same skepticism. Never assume that an employee, no matter how long they have worked for the credit union, and no matter how dependable they have been, is always going to be honest.

The risk of fraud can be reduced through a combination of prevention, deterrence, and detection measures. Fraud is often difficult to detect, however, because it frequently involves concealment through falsification of documents or collusion. Therefore, it is important to place a strong emphasis on fraud prevention by reducing opportunities for fraud to take place (Strong internal controls!). Fraud deterrence starts with persuading individuals not to commit fraud given the likelihood of detection and punishment. Moreover, prevention and deterrence measures are much less costly than the time and expense required for fraud detection and investigation. Historically it is cheaper to implement a sound control procedure than it is to have someone looking over an employee's shoulder. An effective system of internal controls will have both, but, ideally, the audit and review aspect can be minimized if the roadblocks that stop fraud are in place.

Keys to Fraud Prevention

Antifraud programs and controls include the following key elements:

Create and maintain a culture of honesty and high ethics.

The organization's ethical culture needs to be set by management through their daily words, and more important, their actions. Therefore, the organization's value system depends less on a written code of conduct (which is nevertheless important), than on daily consistent adherence to these values. Companies should also clearly communicate their ethical values, decision making processes, and codes of conduct to all employees. Doing so can help to empower employees to make appropriate ethical decisions even when they are confronted with a new dilemma. We have for years advised credit unions to talk to their employees and staff about fraud. At least annually you should pull out the fraud policy and the code of ethics policy and review it with the entire staff. Educating everyone about fraud, the lack of tolerance for fraud, and fraud prevention is one of the best deterrents.

Evaluate the risks of fraud, and implement steps to mitigate them.

Fraud risk assessment should be part of an enterprise-wide risk monitoring process. A response to the assessed risks may include preventative controls (reducing the opportunity to commit fraud), mitigation controls (reducing the impact of the potential fraud), or transference (selecting appropriate fraud insurance such as a fidelity insurance policy). Preventative controls are the roadblocks to fraud mentioned earlier. Segregation of duties, dual control over cash and securities, loan approval limits, check signing and wire transfer limits, and computer system access passwords are all examples of preventative controls. Typically, the average fraud in a credit union lasts from six to eighteen months, and results in losses of $25,000 to $500,000, depending on the nature of the fraud. Mitigation controls reduce the impact of the fraud in that they can determine how quickly the fraud is detected. Remember, an effective system of internal controls contains the roadblocks to prevent fraud, but also the review process to detect the fraud. Selecting appropriate fraud insurance such as a fidelity insurance policy is an important, but often overlooked, aspect of the fraud prevention process. You need to fully understand your insurance policies so you know exactly what is covered. Unless your credit union has the proper coverage, not all losses from fraud can be transferred to your insurance carrier.

Develop an appropriate oversight process.

Internal and external parties need to oversee the risk of and responses to fraudulent financial reporting. Although the entire management team shares the responsibility for implementing and monitoring these activities, the entity's CEO should initiate and support such measures. Further, the entire organization should adopt a level of fraud awareness similar to that of a "neighborhood watch" program. Employees should have a means to communicate wrongdoing without fear of retribution because tips from employees are still the number one way to uncover fraud.

Further, independent verifications by internal and external auditors help to ensure controls are operating effectively. Such reviews should be reported directly to the Supervisory/Audit Committee. Coupled with following up suspected wrongdoing, these reviews send a strong message of deterrence throughout the organization. Oversight needs to take a tiered approach so that override at any given layer, including the CEO, may be identified and properly handled. The top layer of this oversight process is reserved for the Supervisory/Audit Committee, who must ensure top management upholds its responsibilities to the organization. Translation: The Supervisory/Audit Committee has to be proactive in the area of internal controls. You must lead the way in ensuring that the prevention and detection of fraud in your credit union is not on the back burner, but at the forefront of the credit union's goals and mission.

In the wake of recent revelations about the accounting industry, the AICPA, through SAS No. 99 and other publications, is advising all CPAs to get more training in fraud prevention and detection. At Anderson & French, we recognized the importance of this years ago. Three key members of our audit team are licensed by the National Association of Certified Fraud Examiners as Certified Fraud Examiners. This professional designation makes us experts in the eyes of many industry observers, in the area of fraud and forensic auditing, as well as the prevention and detection of credit union fraud. Experience has taught us that it is much better for all concerned to focus on the prevention of fraud than the forensic auditing of a fraud.

Many fraudsters use "tried and true" methods of deception; others introduce new methods. As experienced forensic accountants, we can assist you in raising awareness of these methods, old or new. This, in turn, can help foster intolerance for fraud in your credit union.

We will be putting some additional articles on credit union employee fraud on our new web site. You will be able to access them at or If you have any questions or need any help in this area we are the ones to call.

Portions of this article appear in the November 2002 issue of The Practicing CPA, published by the AICPA, in an article by Richard B. Lanza, CPA, PMP, Senior Manager, AICPA Program Management Office.