Under Suspicion

New fraud detection rules may mean more thorough, time-consuming, and confrontational audits.
Lauren JohnNovember 1, 1997

Dealing with external auditors has never been easy. But for companies closing their books at the end of this year, the next audit cycle may be downright painful.

A new standard for reporting and detecting fraud, developed by the American Institute of Certified Public Accountants (AICPA), is set to kick in as of December 15. Under its auspices, auditors are mandated to aggressively seek out and report fraud using a detailed set of guidelines. The catch is that the resultant documents could possibly be used against them in court if any material fraud is missed. In the end, say some experts, finance executives may soon find themselves considered more suspects than clients.

While in theory auditors have always been responsible for reporting on activities that could affect the accuracy of financial statements, historically there have been few clear-cut guidelines, says Paul Munter, chairman of the accounting department at the University of Miami at Coral Gables, Florida. But with fraud costing American business more than $400 billion per year, and auditors increasingly being sued for “reckless audits,” the need for clear standards has become apparent, says Steve Albrecht, director of Brigham Young University’s School of Accountancy and Information Systems. “Fraud by its very nature is hidden, but there has been growing public and government expectation that auditors should be able to find it,” says Albrecht.

Drive Business Strategy and Growth

Drive Business Strategy and Growth

Learn how NetSuite Financial Management allows you to quickly and easily model what-if scenarios and generate reports.

To meet those expectations, the AICPA developed Statement on Auditing Standards (SAS) No. 82–“Consideration of Fraud in a Financial Statement Audit”–over the past three years. The title itself is the first indication of anew, tougher stance, says Dan Guy, vice president of professional standards at the AICPA. “It’s the first time in the Auditing Standards Board’s almost-60-year history that we’ve actually used the “f” word– fraud–in the title of a standard,” he says. “There are no euphemistic expressions here, like the word irregularities used in previous standards.” Adds Munter: “The new standard requires auditors to explicitly evaluate information that may have been only intuitively considered in the past.”

For finance executives, however, these new evaluations, coupled with fraud standards that were previously released in the 1995 Private Securities Litigation Act, promise audits that will be more time consuming, more involved, and potentially more confrontational, says Gary Zeune, a speaker on fraud and author of The CEO’s Complete Guide to Committing Fraud. What’s more, says Lawrence Wojcik, a securities and professional malpractice attorney at Rudnick & Wolfe, in Chicago, the two standards could have “a potentially chilling effect on the relationship between auditors and clients.” For example, clients who uncover problems on their own, such as inaccurate inventory counts or payroll errors, may now think twice before pointing them out “off the record” to their accountants, he says, adding, “The [Securities and Exchange Commission] has always wanted the word independent, as in ‘independent auditor,’ to mean more, and now it will.”


Although many finance executives are just realizing the potential impact of SAS 82, it will affect the audits of all financial statements for periods ending on or after December 15, 1997, and require independent auditors to focus on the risk of fraud that might cause “a material misstatement to the financial statements.”

“We’re not talking about theft of petty cash,” says David L. Landsittel, chair of the AICPA fraud task force that developed SAS 82. “We’re talking about misstatements large enough to be important to investors.”

To identify those misstatements, SAS 82 focuses on two basic types of fraud: fraudulent financial reporting and misappropriation of assets. In addition, it lists more than 40 specific fraud risk factors (see box, page 87), or “red flags,” based on actual fraud cases. While many factors relate to internal controls and financial reporting processes, others encourage auditors to look beyond the financial statements and explore their client’s business environment. “Auditors cannot rely on an audit of the financial statements to fulfill their obligations under the new standard, but must consider the audit in the context of what is happening to the client in general,” says Zeune.

Thus, for example, paragraph 17a of the new standard suggests that auditors might want to examine the structure of management compensation systems to see if they could be catalysts for fraud. “If all senior managers, including finance executives, have bonuses tied to the bottom line, management could potentially have greater incentive to be aggressive with respect to income recognition,” says Pat McDonnell, vice chairman of business assurance services at Coopers & Lybrand LLP, in Chicago.

Auditors will also look at risk factors relating to industry conditions, operating characteristics, and financial stability, Landsittel says. As a result, auditors might ask clients about company vulnerability to rapidly changing technology, or look at significant declines in customer demand. At the very least, says Zeune, CFOs can expect to be asked a lot more questions about “what keeps them up at night.”

It’s what auditors must do with the information that could give companies nightmares, however. Under SAS 82, for example, auditors must document identified risk factors and describe how clients plan to eliminate them. In the rare cases in which management ignores their advice, the auditors have the option of either offering an adverse opinion or resigning. However, they are not obligated to report the matter to authorities outside the company. “Under SAS 82, the auditor’s responsibility to be a whistle- blower ends at the board level,” says Zeune.

Where the AICPA steps out, however, the government steps in. Rules outlined in the Private Securities Litigation Reform Act, passed by Congress in 1995, require auditors of publicly held companies to inform the SEC if a client under suspicion fails to take remedial action. The law, often referred to as the Wyden proposal, in recognition of the Oregon congressman who introduced it, was the first legislation ever to require auditors to adopt procedures in their audits to detect and, if necessary, report illegal acts. Ultimately, the Reform Act is a powerful warning to auditors about their potential liability in fraud cases, says Wojcik. It forces them to sort out whether a client’s potentially fraudulent activities were “intentional or just a case of bad controls,” he adds.


While only time will tell the true effects of the new standards, many industry watchers predict that long-standing relationships will change. In the short run, for example, the new rules will put an end to such unofficial practices as “auditors telling clients where they were going to observe inventory,” says Zeune, “or having clients actually prepare the work papers for them.”

As for the long term, Wojcik offers the following scenario: “Let’s say you’re a CFO and your accounting staff tells you an error has been uncovered. You don’t know what caused it–it’s a material problem.” In the old days, Wojcik says, you would bring in your auditor as an objective, knowledgeable party. “But under the new standards, auditors may potentially go overboard in the other direction and bring the matter all the way up to the board of directors and even the SEC,” he says. And should there be an internal board investigation, or a public SEC investigation, or, in rarer cases, an actual lawsuit, “SAS 82 provides a road map of how to sue auditors,” Zeune says.

In addition, most experts believe that audits conducted under SAS 82 rules will take longer, at least at first. “Auditors looking at December 1997 year-end statements are going to have to approach [them] the way they would an entirely new engagement,” Munter says. And at smaller companies with fewer checks and balances, the process could take even longer, he says.

Experts, however, disagree about whether audits will actually cost more. Zeune believes that for companies with effective internal control systems, widely dispersed decision- making authority, and effective boards of directors, audit costs may rise 5 percent. But for companies where management is dominated by one person and the board of directors essentially functions as a rubber stamp, costs may rise as high as 25 percent. But Wojcik believes that at least for Big Six clients, a fee increase would be a poor exercise in public relations. “If I ask for a fee increase, I’m implicitly telling my clients they are no good,” he says. Landsittel believes that additional audit costs will be “inconsequential” for companies that “themselves diligently assess the risk of fraud and respond appropriately with mitigating controls.” But where companies are more cavalier about fraud, costs could increase significantly, he adds. Meanwhile, Munter believes that costs will definitely go up, although, “whether or not they are borne by the auditor or the client remains to be seen.”


For their part, many finance executives hope SAS 82 will result in a creative dialogue rather than a confrontation with their auditors. “Our Arthur Andersen partner called us in March to say we needed to sit down and go through SAS 82 before fieldwork started,” says Eric DeMarco, CFO of $200 million Titan Corp., in San Diego, who does not anticipate that his relationship with the auditor will change. “Our internal control structure is very good,” he asserts. “If there are things that need to be adjusted, I want to know.”

Rik Ross, newly appointed CFO of $40 million beauty products developer and marketer Styling Technology Corp., in Phoenix, who comes to his new job after eight years at Arthur Andersen LLP, concurs. “I’ve read the SAS guidelines, and the questions there are the same questions asked in one form or another throughout my career at Arthur Andersen.” In fact, says Monica Gill, CFO of Schlotzsky’s Inc., an Austin, Texas-based franchiser of deli restaurants, “in the end, SAS 82 may turn out to be a bigger burden on auditors than on clients.”

Still, to prepare for their next audit, Munter recommends that finance executives read SAS 82, understand the risk factors involved, and anticipate their auditor’s questions. “Where the focus has traditionally been on accounting controls only, now it is extended to operating and business risks,” he says. Consequently, “if I were CFO, I would raise certain issues, such as, Am I filing returns and payroll taxes in compliance with new tax laws? before the auditor raises them with me.”

In addition, says Landsittel, “CFOs might want to share concerns about inventory theft, or even business ethics in a certain foreign country.” And at companies that have been victimized in the past, Albrecht recommends “documenting examples of where fraud or potential fraud has occurred– illustrating the problem and how the company dealt with it.” Such documentation, says Albrecht, would not only show the company’s proactive response to problems, but could also be used in training sessions to prevent future incidents.

In the end, the additional scrutiny may actually be good for companies. Jon Danski, senior vice president and controller at $7 billion ITT Corp., in New York, explains, for example, that at his company, the importance of internal controls has typically been communicated through policy manuals and questionnaires. “But the new audit process,” he says, “will help to formalize this process even more and help us incorporate new concepts into our codes of conduct and compliance.” Still, when it comes to detecting fraud, “managers should not view [the increased auditor responsibility] as letting them off the hook,” he says. “Auditors are not taking any responsibility away from us.”


She new AICPA fraud detection guidelines outline specific risk fac-tors that must by considered by auditors in two areas– fraudulent financial reporting and misappropriation of assets. The risks pertaining to fraudulent financial reporting are divided into three categories and involve the following:

  • Management characteristics
  • Inadequate monitoring of internal controls
  • Overly aggressive financial targets
  • Attempts to use aggressive accounting practices
  • Ineffective accounting or internal auditing staff
  • Significant disregard for regulatory authorities
  • High turnover of senior management
  • Industry conditions
  • New statutory or regulatory requirements
  • Business failures in the industry
  • Declining margins in the industry
  • Operating characteristics
  • Pressure to obtain additional capital
  • Significant related-party transactions
  • Overly complex organizational structure
  • Unrealistic sales projections