Barbara R. Farrell
Joseph R. Franco
Citation: Farrell, Barbara R. and Joseph R. Franco. 1999. "The Role of the Auditor in the Prevention and Detection of Business Fraud: SAS No. 82." Western Criminology Review 2/1. [Online]. Available: http://wcr.sonoma.edu/v2n1/v2n1.html.
The cost of fraud to business in 1996 was six percent of annual revenue. Everyone is victimized by high product costs and lower corporate profits. When fraud is detected within a business, there is usually shock and disbelief that a trusted employee who resembles the "person next door" could have done what they are accused of. In light of the cost and characteristics of offenders, it is important to develop strategies to prevent or detect business fraud. In light of heightened public expectations and new expectations for auditors following the savings and loans scandals, this paper asks what the responsibilities are of external auditors, internal auditors, and management.
Keywords: auditor, business crime, fraud prevention and detection, SAS No. 82, white collar crime, certified public accountants, forensic accounting
When fraud is discovered within a business, the initial response is "How could that have happened?" And if audited financial statements were issued, the question asked is, "Why didn't the auditors have a clue?" These two questions raise the question of whose responsibility it is to prevent and detect fraud. The cost of fraud to businesses today is mounting, as is the level of concern among professionals.
Definition of Fraud
Fraud, according to Webster's New World Dictionary, is the "intentional deception to cause a person to give up property or some lawful right." The Association of Fraud Examiners (1999) Report to the Nation on Occupational Fraud and Abuse further defines occupational fraud and abuse as "[t]he use of one's occupation for personal enrichment through the deliberate misuse or misapplication of employing an organization's resources or assets." A third definition comes from the Federal Bureau of Investigation. It defines fraud as "[t]he fraudulent conversion and obtaining of money or property by false pretenses: included are larcenies by bailee and bad checks, except forgeries and counterfeiting" (FBI 1984:342). The common thread among these definitions is that fraud is a deliberate deception for the gratification of an individual or group. Fraud requires a theft, often accompanied by concealment of the theft, and the translation of the stolen assets or resources into personal assets or resources. We are concerned here with fraud that may be detected through auditors and managers.
The Cost of Fraud to Businesses
The cost of fraud to businesses is difficult to estimate because not all fraud and abuse is discovered, not all uncovered fraud is reported, and civil or criminal action is not always pursued. A conservative estimate of the cost to organizations is approximately six percent of annual revenue, or over $400 billion annually (Association of Fraud Examiners 1999). During 1995 and 1996, fraud and abuse accounted for over $9 per employee per day, assuming a 365 day year.
These are only estimates of the direct economic loss to business. However, legal, accounting, and increased insurance costs, and loss of productivity associated with hiring and firing employees, are additional factors that must be considered. To quantify all these indirect costs is beyond the scope of this paper, but most experts agree that companies usually suffer similar losses and organizations are paying for them through their normal operating expenses.
Data show that the overall cost of fraud is over double the amount of missing money or assets. As computerized systems become more complex, the expected cost of fraud rises as well. Approximately one in twenty company failures are attributed to fraud. One of these recent controversial and costly frauds is BCCI in Great Britain (MacErlean 1998:43).
It is the trusted and valued employee who generally commits business fraud. When frauds are discovered, there is often shock and disbelief that they could have committed such an act. The perpetrator of business fraud could be "the person next door." This person is likely to be a married male with a family, religious affiliation, and above average education (Russell 1995:38). The losses for male employees are four times greater than those of female employees. Losses of employees over 60 years old are 28 times greater than those 25 years old or younger. Approximately 58 percent of reported fraud is committed by non-managerial employees, 30 percent by managers, and 12 percent by owner executives. However, the loss by non-managerial employees is $60,000, for managers, $250,000, and $1,000,000 for owner executives. Finally, employees with post-graduate degrees have losses five times greater than those who graduate from high school (Association of Fraud Examiners 1999).1
In most cases, offenders do not view stealing from companies as harmful; they may think that the crime was victimless; and they do not view their theft as being devastating or costly to the business. Many frauds occur because the opportunity exists and the perpetrator does not believe he/she will be caught. In many cases the offender has "little or no criminal self-concept and offenders view violations as part of their work" (Hagan 1997:319). Further, they usually minimize their crime since it results in minor losses for a large volume of clients; no one client is usually targeted for the crime.
Business Crime Raises Questions About the Auditor
As Geis (1994) and others (e.g., Robinson, this issue) have noted, assaults on the public by those in business, politics, and the professions wreak much more havoc than those committed by street offenders. Fraudulent behavior can affect not only the companies involved, but on a larger scale may have a direct impact on the health and well-being of the public or other employees at the corporation.
Some fraudulent behavior may include cutting costs, spending corporate and shareholder money on personal expenses, and manipulating financial records for personal needs. Such was the case in the 1980s with the Lincoln Savings and Loan scandal. In April 1989, when the Federal Home Loan Bank Board seized control of Lincoln Savings and Loan, only twenty-three percent of the total $5.3 billion in assets were invested in residential mortgage loans (Lincoln's principal line of business, according to Charles Keating's purchase agreement). Almost sixty-seven percent of Lincoln's asset portfolio was invested in high-risk land ventures and commercial development projects, again in contrast to Keating's purchase agreement.
In the Congressional hearings that followed the collapse of Lincoln, the initial focus was on the methods used by Keating and his associates in circumventing banking laws. However, later in the hearings the focus was on the independent auditors and their failure to expose fraudulent real estate transactions that allowed Lincoln to report millions in non-existent profits. These transactions included exchanges of property with related parties to record large paper profits. These profits were never realized because Lincoln never received payments on notes attached to the properties. Nonetheless, these paper profits did allow for hefty compensation packages for Keating and his associates and for almost unlimited expense account disbursements for these executives. After the collapse of Lincoln, investors were not as fortunate. Many believed the bonds of Lincoln were federally insured, which was unfortunately not true. Monies invested in Lincoln were gone. Losses linked to the downfall of Lincoln were estimated at $3.4 billion, making it the most costly savings and loan failure ever (Knapp 1997: 57-69).
Controls Auditors Have in Preventing Fraudulent Activity
Due in part to the phenomenal losses in the savings and loan industry, a controversy has existed concerning the role of the external auditor and the public's perception of that role. SAS No. 53, "The Auditor's Responsibility to Detect and Report Errors and Irregularities," issued by the Accounting Standards Board (1988), was originally intended to address this problem. However, the Public Oversight Board of the AICPA SEC Practice Section concluded in 1993 that management believed that auditors had a greater responsibility for the detection of fraud than was currently being met. Business owners, legislators, judges, juries, and the general public also share such beliefs. Most people do not realize what the responsibility of the auditor is. According to SAS No. 1, Codification of Auditing Standards and Procedures:
"The auditor has a responsibility to plan and perform the audit to obtain reasonable assurance about whether the financial statements are free of material misstatement, whether caused by error or fraud. Because of the nature of audit evidence and the characteristics of fraud, the auditor is able to obtain reasonable, but not absolute, assurance that material misstatements are detected. The auditor has no responsibility to plan and perform the audit to obtain reasonable assurance that misstatements, whether caused by error or fraud, that are not material to the financial statements are detected."
In an attempt to stifle criticism and appropriately respond to the public's demand for improved auditor performance, the American Institute of Certified Public Accountants issued SAS No. 82. The new auditing standard details the auditor's responsibility to detect and report material misstatement in financial statements due to fraud. This is the first time the AICPA has used the word "fraud" rather than the more discreet word "irregularity." The two types of misstatement relevant to the auditor's consideration of fraud in a financial statement audit are those arising from fraudulent financial reporting and misappropriation of assets. The SAS is effective for financial statement audit periods ending on or after December 15, 1997.
Under SAS No. 82, the auditor has the responsibility to plan and perform an audit to obtain reasonable assurance about whether financial statements are free of material misstatement. The auditor is required to consider forty-one risk factors relating to fraudulent financial reporting and misappropriation of assets when designing an audit plan. Furthermore, the plan needs to be continuously modified during the audit on the basis of information gathered concerning these factors. The SAS has provided examples of conditions that would require reconsideration of an initial risk assessment. However, auditors must still use subjective judgment in analyzing the many risk factors. For example, one risk factor to be assessed by the auditor is "management displays a significant disregard to regulatory authorities" (SAS 82 1997: 90). However, the auditor must use "professional judgment" in conducting an audit where risk factors such as this are present and must document these risk factors in the work papers (SAS 82 1997: 90). Acknowledging that the difference between fraud and error is intent, the AICPA assigns the task of evaluating this difference to the auditor.
Similarly, the Private Securities Litigation Reform Act of 1995 imposes some of the same requirements on public company auditors. The requirements are as follows:
1. Audits must include procedures designed to provide reasonable assurance of detecting illegal acts that would have a direct and material effect on financial statement amounts.
2. Each audit must include procedures to identify related-party transactions that are material.
3. Each audit must include an evaluation of the ability of the issuer of financial statements to continue as a going concern.
When the exposure draft for SAS No. 82 and the Private Securities Litigation Reform Act of 1995 were released, most CPAs in the field had mixed feelings about them. This generally less-than-favorable reaction led us to conduct a survey to ascertain how members of the accounting profession view these recent changes, and to determine new trends that are developing in the field of public accounting.
Our objectives in performing the survey were to determine the variation in the opinions of those working for "Big Six" and other accounting firms, and whether years of experience as a CPA practitioner affect respondents' opinions of SAS No. 82. We mailed approximately 1,700 questionnaires to accounting firms in the New York, New Jersey, and Connecticut areas, and approximately 300 questionnaires to "Big Six" accounting firms in large cities across the United States. The response rate was approximately ten percent, a sample of 180. The respondents were primarily managers and partners.
A copy of the questionnaire is included in Appendix A. It was developed to focus on the following issues:
- how auditors feel about the new legislation;
- if they felt they were being asked to be detectives for the profession;
- if they felt there was a significant amount of blame being placed on the auditors for irregularities that have occurred in the past;
- if the general trend was toward the accounting profession becoming significantly more conservative;
- and if they had to make their career choice over again, would they still choose the field of accounting.
Respondents were asked to answer the questions using Likert response options ranging from 1 (strongly disagree) to 5 (strongly agree), with "3" as "neutral." In addition, some questions are also included in the survey that ask respondents to determine how much additional work the new legislation would require in the average audit.
Because of the low response level we cannot be certain if these findings are representative of the population. Therefore, the findings can only be taken as suggestive. They do, however, draw attention to significant questions and issues that have not been discussed very much by criminologists.
Should the Auditor's Responsibility Include Searching for Fraud?
Current legislation under SAS No. 82 states: "The auditor has a responsibility to plan and perform the audit to obtain reasonable assurance about whether the financial statements are free of material misstatement whether caused by error or fraud." SAS No. 82 then goes on to describe fraud, requires the auditor to assess the risk of material misstatement, and provides guidance on the evaluation of audit tests. Since the responsibility for the detection of fraud is now placed with the auditor, how do CPAs in the field feel about this?
The mean of all respondents on a scale of 1 (strongly disagree) to 5 (strongly agree) was 2.247. Over 61% of the 178 respondents disagreed that they should be responsible for searching for fraud. Forty-six or nearly 26 percent were neutral (data not shown). This indicates a desire to maintain current auditing standards rather than to change to SAS No. 82 standards. This may be typical of initial responses of accountants until they experience the actual impact of the changes.
Clearly, this finding concerning auditors' perception of their responsibility is not widely held by the public at large. After the costly savings and loan failures of the 1980s, the general public and Congress felt that the CPAs were partly responsible, which was the reason for this legislation. The Resolution Trust Corporation provided statistics showing that forty percent of savings and loan failures were attributable to fraud, yet the auditors appeared unaware of the financial irregularities. For example, in California from 1985 to 1986, twenty-eight out of thirty savings and loans that filed for bankruptcy received clean opinions just before their filings (Wyden, 1995). Overall, the public was outraged that the auditors were not aware of the financial improprieties and wanted the independent auditor to take a more proactive role in looking at the financial statements.
Should the Auditor act as "Police" or "Detective" When Conducting an Audit?
Many people within auditing firms have stated that they feel they are being asked to be the detectives for the business community. They feel what is being asked of them really should be the responsibility of the Certified Fraud Examiner (CFE). An issue often raised is how auditors can perform their duties when they have to have a healthy level of doubt about the assertions in the financial statements. Our respondents were asked the question, "Should the CPA act as the police or detectives when performing the audit?" The mean response (n=179) was 1.804 or in the negative. Nearly 76 percent of the respondents disagreed with the statement, a resounding no! Nineteen percent were neutral (data not shown). This finding indicates the strong desire of auditors to maintain only those responsibilities they perceive as key to their role in the audit process. This may also indicate that changes brought about with the implementation of the SAS No. 82 requiring a "policing component" clearly require added responsibility and may necessitate additional training and changes to job description requirements. Again, although the general public may believe policing is within the auditor's duties, even SAS No. 82 does not require this.
THE RESPONSIBILITIES OF MANAGEMENT
Given that CPAs do not agree with the changed expectations of their role, and the limits on the auditor's possible role in controlling fraud, other considerations in the prevention and detection of corporate fraud should be discussed. These include managerial controls, employee screening, forensic accounting, and others.
Managerial Controls. Organizations with one hundred or fewer employees have the greatest median losses per capita. The primary reason for this is that internal controls are less sophisticated and stringent in smaller organizations. So what, if any, are management's responsibilities when it comes to the prevention or detection of fraud? Annual reports of management clearly state that management is responsible for the preparation and integrity of the financial information presented, and the company and management maintain a system of internal controls to provide for administrative and accounting controls. All professional literature makes it clear that the responsibility of internal controls, proper reporting, and the adoption of sound accounting policies rests solely with management, not the auditors.
To combat the problem of fraud, a crucial element in deterring theft is strict internal controls, segregation of duties, and separation of functions. For example, simple procedures such as not letting the person writing the checks reconcile the bank statement, not letting the receiving department maintain physical inventory records, not letting the person initiating the purchase order approve the payment, and not letting the person maintaining the personnel database also issue payroll checks, may help separate incompatible functions within a business. Thus, internal controls may be strengthened and fraud deterred by separation of functions.
Screening. Another element to combat fraud is adequate employee screening. Although this statement might seem obvious, a good rule to follow to minimize the risk of fraud is to hire honest employees. There are many organizations specializing in pre-employment screening. These screening tests include lie detector and drug tests and fingerprinting of employees. Through adequate background checks of information on resumes and applications, an employer can elicit significantly more information and determine if the original information is accurate.
Organizational Climate. A third component to deterring fraud is creating a business environment that reduces the perceived need of a pressured employee to commit fraud. This environment includes creating open and consistent communications for hiring, evaluating employee performance, and assessing employees for promotion. These factors, along with counseling programs and employee enrichment efforts, might curtail the perceived need of an employee to commit fraud.
Others. Finally, a few additional components to business fraud prevention include setting up a hotline whereby fellow employees can report improper conduct, having a high-level employee review unopened bank statements monthly, establishing a written code of ethics, and making sure management-level employees are role models. Although these additional practices may not seem important, they help establish the tone within the work environment and may help deter fraudulent activities (Jones 1996: 23).
A New Specialization in Accounting. Within the last ten years, the alarming increase in the cost of fraud to businesses has brought attention to a specialization called forensic accounting. Forensic accounting is the integration of accounting, auditing, and special investigative skills. The goal of forensic accounting is to uncover the paper trail left by a fraud and prepare the investigation prior to presenting it to a court of law. Forensic accountants are trained to examine financial statements and related materials for wrongdoing and analyze the reality of business situations. Former law enforcement officers, who know how to apply their investigative skills to business, are frequently found in the ranks of forensic accountants. Many of the large accounting firms have expanded their forensic accounting departments to address an increase in deception and the criminal activities being encountered by business. The personnel hired by public accounting and law firms in their forensic accounting departments are primarily former FBI agents, accountants with additional computer expertise, former "white collar" law enforcement investigators, and business-wise computer experts.
Forensic accountants are retained in many business situations to analyze, interpret, summarize and present financial issues and situations in an understandable and supportable manner. Examples of situations where forensic accountants might be involved are:
In addition to public accounting and law firms adding forensic accounting departments, many banks and brokerage firms are now adding these departments to investigate possible frauds. Although it is not yet the norm for all businesses to have forensic accounting departments, the trend has increased considerably.
Fraud and white collar crime have increased considerably over the last ten years, and professionals believe this trend is likely to continue. The cost to business and the public can only be estimated, as many crimes go unreported. However, the statistics we currently have show the astronomical values associated with fraud. Also, the expansion of computers into businesses may make organizations more vulnerable to fraud and abuse.
In order to combat fraud and white collar crime in businesses, a concerted effort must be exerted by the management of the business, the external auditors, and by all employees of the business. Everyone must realize that fraud is not a victimless crime. The costs of fraud and theft are shared by all through higher costs and lower corporate profits. Through adequate internal controls by management, better working environments for employees, more stringent requirements for external auditors, and codes of ethics for employees, everyone can start to combat frauds and defalcations within corporate America.
1. One explanation for the conventional characteristics of employees who commit fraud is that they may be doing so in order to satisfy business objectives (Navran 1997: 59). For instance, when management requires higher sales quotas of their employees, they may indirectly encourage fraud by creating a stressful workplace environment and/or internal levels of competition among employees. Corporations may be setting themselves up for corporate crime.
Other characteristics of offenders may be understood in light of the degree of responsibility associated with persons in different positions. The older the employee, the higher the level of responsibility, and the greater the access to financial accounts and company assets. Also, losses by highly educated employees exceed those with only a high school education because of the complexity and length of the deception.
American Institute of Certified Public Accountants. SAS82.
Accounting Standards Board. 1988. "The Auditor's Responsibility to Detect and Report Errors and Irregularities."
Association of Certified Fraud Examiners. 1999. "Report on the Nation Occupational Fraud and Abuse." [Online]. Available: http://www.cfenet.com/summary.html. Accessed 7/28/99.
Federal Bureau of Investigation. 1984. Uniform Crime Reports. US Government Printing Office.
Geis, Gilbert. 1994. "Corporate Crime: 'Three Strikes You're Out?'" Multinational Monitor 15/6:30-31.
Hagan, Frank E. 1997. Introduction to Criminology: Theories, Methods and Criminal Behavior, 4th edition.
Knapp, Michael C. 1999. "Lincoln Savings and Loan Association." Contemporary Auditing: Issues and Cases. 57-69.
MacErlean, Neasa. 1993. "Fraud Prevention and the Accountant." Accountancy 112:42-44.
Navran, Frank. 1997. "Are Your Employees Cheating to Keep Up?" Workforce 76:58-62.
Private Securities Litigation Reform Act of 1995. Pub. L. 104-67, Dec. 22, 1995, 109 Stat. 737.
Robinson, Matthew B. 1999. "What You Don't Know Can Hurt You: Perceptions and Misconceptions of Harmful Behaviors Among Criminology and Criminal Justice Students." Western Criminology Review 2(1). [Online]. Available: http://wcr.sonoma.edu/v2n1/robinson.html (this issue).
Russell, Ronald C. 1995. "Understanding Fraud and Embezzlement." Ohio CPA Journal 54/1:37-39.
Sutherland, E.H. 1940. "White Collar Criminality." American Sociological Review 7:1-12.
Wyden, Ron. 1995. "Requiring Auditors Who Really Audit: A Decade After the Darkest Days of the S&L Collapse, the Financial Fraud Detection and Disclosure Act will Answer the Questions: Where Were the Accountants and Why Didn't They Speak Up? It will Also Put Well Armed Auditors Back Where They Belong." Roll Call (March 27).