Update on Fraud
Issuance of SAS 99, November 2002
The accounting profession has been under increasing criticism for failing to
discover material frauds that had taken place in organizations that are now counted
among the largest bankruptcies ever in America (WorldCom, Enron, Adelphia Systems,
and Global Crossing) as well as other situations where audits were conducted with the
presumption that fraud was not likely. The profession has responded with SAS 99. The
new standard reiterates the auditor’s responsibility to plan and conduct the audit to
provide reasonable assurance that material fraud will be detected. Further, the new
standard fundamentally changes the auditor’s presumption that fraud exists in some areas,
such as revenue recognition, and outlines detailed procedures to identify the risk of fraud
and procedures used to address those risks. The new standard can be obtained at
The auditor remains responsible to “plan and perform the audit to obtain
reasonable assurance about whether the financial statements are free of material
misstatement, whether caused by error or fraud.” Fraud continues to be defined as an
“intentional act that results in a material misstatement in the financial statements that are
the subject of an audit.” Two types of misstatements arising from fraud are:
• Misstatements arising from fraudulent financial reporting. These include
material misstatements or omissions of amounts or disclosures designed to
deceive financial statement users. Generally such misstatements are carried out
o Manipulation, falsification or alteration of accounting records or
o Misrepresentation or omission of events, transactions, or other significant
o Intentional misapplication of accounting principles.
• Misstatements arising from misappropriation of assets. This is generally referred
to as defalcations and involves the theft of assets that are covered up in the
OVERVIEW OF CHANGES
The major changes in the new standard include:
• Audit Team Brainstorming. A responsibility for the audit team to essentially
“brainstorm” about the possibility of fraud and the manner in which fraud might
be committed prior to the start of the audit.
• Auditor must consider how fraud can be perpetrated and covered up. A
responsibility to consider the risk of fraud, including the risk that the fraud could
be cleverly covered up in false documents or supporting evidence the auditor
• Presumption of Fraud in Revenue Recognition. A presumption that fraud will be
present, especially in sensitive areas where fraud has historically occurred. The
auditor should presume that fraud takes place in revenue recognition and
overstatement of certain assets that are susceptible to manipulation and cover-up.
• Must consider Incentives, Opportunities, and Rationalization for Fraud. A
requirement that the auditor specifically consider all the elements that may make
fraud more likely, including the nature of executive compensation and pressure to
meet earnings targets.
• Greater Susceptibility of Evidence Manipulation. A clear recognition that
management or others will work hard to cover up a fraud. The auditor needs to be
skeptical of management responses and consider the alternatives management
might have to cover up a fraud.
• Journal Entries are Important. Many frauds are covered up through non-
supported journal entries or accounting estimates.
• Great Skepticism of Management Responses. Greater skepticism to be given to
management responses coupled with an increase in the amount and nature of
evidence required to corroborate management responses to auditor inquiries.
• Reporting Responsibilities. The auditor has responsibility to report fraud during
the audit to management, even if they are not material to the financial statements,
and to the audit committee. Management needs to be aware of all frauds even if
such frauds are not deemed material to the financial statements.
• New Technology Facilitates New Methods to Perpetrate Fraud. New types of
organizational structures, new entities, or complex financial instruments provide
opportunities to cover up fraud through either unnecessary complexity or even by
side agreements among entities. Computerized information systems provide new
opportunities to change documentation and methods of committing fraud.
• Recognition that Collusion may be Likely. The collusion may be among entity
employees, but could also occur between management and third parties.
• Predictability of Audit Procedures. The audit team should work to eliminate
predictability in audit procedures, such as rotating tests of particular assets over a
period of time, to reduce the opportunities for a perpetrator to effectively cover up
• Analytical Procedures Should Tie to Operational or Industry Data. The auditor
should not look just at relationships within the financial statements. Rather, the
auditor should analyze financial data in relationship to other operational data such
as production capacity or purchased supplies.
The standard continues to emphasize the need for professional skepticism. Auditors need
to conduct audits with a mindset that the possibility of material misstatement due to fraud
exists even if all the past experiences with a company have been positive. More to the
“the auditor should not be satisfied with less-than-persuasive evidence because of
a belief that management is honest.”
That above statement about management trust addresses one of the most fundamental
auditing postulates as the profession has previously believed that a presumption that
management is not honest would make the cost of an audit prohibitively expensive. The
new concept is that every inquiry and response by management must be corroborated by
factual information and auditor analysis.
MOTIVATIONS TO COMMIT FRAUD
The Standard draws on considerable research that identifies three factors associated with
• Incentives or Pressure to commit fraud,
• Opportunities to commit fraud,
• Attitudes or ability to rationalize the fraud.
The AICPA and other auditing organizations have developed a supplemental guide that
contains more detail on the potential fraud factors. More information can be found at:
Incentives or Pressures to Commit Fraud
The audit team should consider the incentives or pressures to commit fraud on each
engagement, including the most likely areas in which fraud might take place. The
• Management compensation schemes,
• Other financial pressures for either improved earnings or improved balance sheet,
• Personal factors, including the personal need for assets,
• Debt covenants,
• Personal wealth tied to either financial results or survival of the company.
Opportunities to Commit Fraud
One of the most fundamental and consistent findings in fraud research is that there must
be an opportunity for fraud to be committed. While this may sound trite, i.e. “everyone
has an opportunity to commit fraud,” it really conveys much more. It is not only that an
opportunity exists, but there is either a lack of controls or complexity associated with a
transaction such that the perpetrator assesses the risk of being caught as low. For
example, a lack of segregation of duties may encourage a perpetrator to think he or she
can take cash payments and cover the defalcation through adjustments to the accounts
receivable. Alternatively, the size and complexity of Special Purpose Entities at Enron,
or the sheer size of capital investments (as well as knowledge of audit procedures used by
the external auditor) at WorldCom may have led the perpetrators to assess the likelihood
of being detected as small. Some of the opportunities that the auditor should consider
• Significant related party transactions,
• Industry dominance, including an ability to dictate terms or conditions to
suppliers or customers,
• The entity makes a number of subjective judgments regarding assets or
• There is ineffective monitoring of management, either because the board of
directors is not independent or effective, or there is a dominating manager,
• There is a complex or unstable organizational structure, and/or
• The internal control system is weak or non-existent.
Attitude or Ability to Rationalize the Fraud
Is it acceptable to push accounting to the limits as long as a standard does not prohibit a
particular accounting treatment? Do accountants enhance their personal value in a
company if they are good ‘financial engineers’? Somehow, the generally accepted
answers to these questions during the late 1990’s and early part of 2000-2001 was
unfortunately a resounding “YES!” Many in the profession felt that they were adding
value by finding ways to “dress up the financial statements,” even when the financial
statements did not accurately portray real economic events. We know that individuals are
good at rationalizing what would otherwise seem to be inappropriate behavior.
The nature of the fraud rationalization will often differ as to whether the fraud is a
defalcation or a financial statement fraud. For defalcations, the personal rationalizations
often revolve around personal financial problems, mistreatment by the company, or a
sense of entitlement (i.e. the company owes me!) by the individual perpetrating the fraud.
PLANNING THE AUDIT
A possibility of either type of fraud is present in every audit. The possibility that
management may be deceitful, or cover up frauds, may occur on every engagement.
Financial factors may arise during the current year that did not exist previously and may
influence either an individual to perpetrate a defalcation or management to engage in
fraudulent financial reporting. The audit team must analyze the changes in the company,
its controls, and its environment at the start of every audit to assess the risk that a fraud
may have taken place.
An overview of the audit process is shown in Exhibit 1 in flowchart form. The major
processes are to:
• Discussion among engagement personnel regarding the risks of material
misstatement due to fraud.
• Obtaining information needed to identify risks of material misstatement due to
• Identifying the risks that may result in material misstatement due to fraud.
• Assessing those risks.
• Developing an overall audit plan that reflects those risks.
• Gathering and evaluating audit evidence, corroborating evidence, and determining
whether or not a material fraud exists.
• Communicating the existence of fraud to management, the audit committee, and
others that may be required.
• Documenting the audit process and findings regarding fraud.
Discussion of Fraud Possibilities Prior to Finalizing Audit Plan
The audit team should “brainstorm” about how and where they believe a company’s
financial statements might be susceptible to fraud. This should include a discussion of
how management could perpetrate and conceal fraudulent financial statement reporting,
or how an individual could conduct a defalcation and cover it up. Such brainstorming
requires a great deal of knowledge about the company and its control structure as well as
the effect of compensation schemes and other motivating factors. Here the audit team
must consider the overall company’s culture and the possibility of management override
of controls. The audit team should draw on past experiences with the company as well as
experiences with other companies and research that has been conducted on the
perpetration of frauds.
Obtaining Information About Fraud Risks
The auditor’s responsibility for planning the audit has not changed. However, the auditor
should identify specific procedures that could signal the possibility of fraud. Some of the
procedures that may be considered by the auditor include:
• Making inquiries of management and others, e.g. audit committee chairs, to
obtain their views about risk of fraud and controls set up to address those risks,
• Performing analytical review and consider any unusual or unexpected
• Reviewing the risk factors identified earlier (motivation, opportunity,
• Reviewing management responses to recommendations for control improvements
and internal audit reports.
Identifying Risks of Fraud
The auditor should examine each of the three fraud risk conditions (motivation,
opportunity, rationalization) to determine the likelihood of fraud. All three need not be
present. The auditor should be aware that certain classes of transactions are highly
susceptible to fraud, such as estimates or those that involve complex accounting
principles, or those that are complex in structure. The auditor must consider:
• The type of risk.
• The potential significance of the risk.
• The likelihood of an occurrence of fraud due to the risk.
• The pervasiveness of the risk.
The auditor should always presume there is a risk of improper revenue recognition, and a
risk that management could override controls.
Assessing the Risks
The audit team should assess each of the risks in conjunction with the previous
brainstorming that took place at the beginning of the audit engagement. This initial
assessment should be supplemented by knowledge of controls, analytical procedures, and
fraud likelihoods to develop a plan to ensure that the audit develops evidence to
accurately assess the existence or non-existence of fraud.
Developing the Revised Audit Plan
The previous assessment should lead the audit team to a point where they can identify the
likelihoods of fraud and how the fraud might happen. Given the audit team’s knowledge
of industry, management motivations, and the entity’s control structure, the audit team
should develop hypotheses about how fraud could be conducted and covered up. These
hypotheses should be prioritized based on:
• Analytical review results that indicate unusual relationships.
• Current economic conditions and their impact on the entity.
• Quality of the company’s controls.
The audit team should design specific audit tests based on the ranking of the most likely
format of a fraud, and then move down the line. The audit team should obtain additional
corroboration of management’s explanations or representations.
Other Factors To Consider
When a high risk of material fraud exists, audit management and the audit team should
consider the following courses of action:
• Assignment of more experienced team members or specialists to the engagement
• Pay close attention to accounting areas that are highly subjective or those that are
• Decrease the predictability of audit procedures. Surprise visits, observation of
assets, performing more procedures at year-end, are all examples of procedures
that would decrease predictability.
Responding to the Risks: Audit Changes
The audit team should first consider how the highest hypothesized fraudulent activity
might take place. Then, the audit team should: first, should consider the type of
evidence, such as analytical review, could provide insight on the existence of a potential
fraud. Finally, depending on the likelihood assessment of fraud, the auditor should
develop and implement the most effective audit procedures.
Analytical Develop Planned
Evidence. Audit Approach.
Comparison of Develop
financial results procedures that are
with other skeptical in nature
Rank ordering of
indicators of and have the
economic activity, highest likelihood
e.g. production of detecting fraud
statistics, etc. if it exists.
The nature of audit procedures may be changed to obtain additional corroborative
evidence, or to obtain more direct evidence. For example, the auditor may extend
confirmation procedures to include direct correspondence with customers, or may
confirm major attributes of a sales contract. Or the auditor may choose to observe the
counting of inventory at all locations rather than at selected locations.
The timing of the gathering of evidence may also change. For an example, more of the
substantive testing, such as the observation of inventory or direct tests of accounts
receivable, may take place at year-end. Cut-off tests for both sales and inventory may be
extended and conducted at year-end.
The extent of procedures should be directly related to the audit team’s assessment of the
likelihood of risk. The audit team may be encouraged to do more analysis by utilizing
generalized audit software to examine a larger percentage of a population.
Examples of extended audit procedures include:
• Performing procedures at locations on a surprise or unannounced basis.
• Requiring that inventories be counted and observed at year-end.
• Making oral inquiries of major customers and suppliers.
• Performing analytical procedures using disaggregated data that would show more
• Examining details of major sales contracts.
• Examining financial viability of customers.
• Examining in detail, all reciprocal transactions or similar transactions between
two entities, e.g. sales of similar assets to each other, to determine the economic
viability and the correspondence with similar transactions in the marketplace.
• Making a detailed examination of journal entries.
Evaluating Audit Evidence
The auditor’s skepticism should be heightened whenever:
• There are discrepancies in the accounting records. These include transactions
not recorded in a timely fashion, unsupported transactions, last-minute
adjustments, or situations in which the auditor has tips or complaints about
• The auditor finds conflicting or missing evidential matter. Examples include:
missing documents, altered document, significant unexplained reconciliations,
missing inventory, unavailable or missing electronic evidence, or the inability to
produce evidence related to the design and operation of the entity’s computerized
• The relationship with management seems strained. Examples of such problems
might include: denial of access to records, undue time pressures, unusual delays
in providing requested information, unwillingness to provide electronic data or
access to electronic systems, or an unwillingness to revise disclosures in response
to an auditor request to make such disclosures more transparent and informative.
The auditor should always be alert to an unusual amount of revenue being recorded near
year-end, or at the end of quarterly reporting time frames. Similarly, the auditor should
examine all accruals or changes in estimates that occur in a similar time frame. The audit
team should always consider the relationship of reported financial results with underlying
economic factors. For example, the auditor should ask whether:
• Reported net income mirrors cash inflows over a period of time.
• There is consistency between operating accounts, most especially those of
inventory, accounts payable, sales, and cost of goods sold.
• The entity’s profitability trends differ significantly from the industry’s trends. For
example, why would a bank have loan loss rates that are one-half of that of the
rest of the industry when its loan portfolio mirrors that of the rest of the industry?
• There is a viable relationship between sales and production data.
The bottom line is this: auditors need to exercise judgment. They need to understand the
business and they need to have a strong base of knowledge to both ask the above
questions and to analyze responses they receive. When discrepancies exist, the audit
team must follow up with further information and evidence that either corroborates
management’s view or indicates there is a real problem that is going to require financial
Communicating the Existence of Fraud
All fraud should be communicated to a level at which effective action can be taken to
ensure that the fraud will be dealt with and the likelihood of similar fraud in the future
will be decreased. Whenever fraud involves senior management, or involves
misstatements that are material to the financial statements, the existence and nature of the
fraud should be reported to the audit committee. In some cases, the auditor may be
required to report the fraud to outside parties, such as to meet regulatory requirements.
The audit team should document the full extent of the process described above. That
documentation must include the nature of the discussion among audit team members and
the team’s assessment of fraud risk, as well as how hypothesized fraud might take place.
The remainder of the documentation should include a discussion of the factors that led to
the risk assessment, the procedures performed, the need for corroborating evidence, the
effect on the audit, and finally, the evaluation of audit evidence and communication to
The public has demanded that audit teams do a better job in identifying and finding
possible fraud. The standard lays out practical guidance to assist audit teams in
accomplishing that objective. An overview of the overall process is shown below in
Figure 1 - Summary of SAS 99
Intentional misstatement arising from:
a. Fraudulent financial reporting, or
b. Misappropriation of assets.
Factors usually present when fraud occurs:
1. Fraud may be concealed:
a. Withholding evidence, misrepresenting information, or falsifying documentation.
2. Management has unique ability to perpetrate fraud:
a. Recording fictitious journal entries.
b. Intentionally biasing assumptions and judgments used to estimate account
c. Altering records and terms related to significant or unusual transactions.
Auditor has responsibility to plan and perform the audit to obtain reasonable
assurance about whether the financial statements are free of material misstatement
(error or fraud).
professional Questioning mind and critical assessment of audit evidence.
3 1. Share experienced auditor's insights.
2. Emphasize professional skepticism.
Discuss 3. Discuss known external and internal factors affecting the entity that might:
with a. Create incentive/pressures.
engagement b. Provide the opportunity for fraud.
personnel. c. Indicate a culture or environment that enables management to
rationalize committing fraud.
4. Discuss whether audit team needs specialists.
information 1. Inquire of management, audit committee, internal auditors, & others.
needed to a. Knowledge of any fraud, suspected fraud, or allegations of fraud affecting
identify the the entity.
risks of b. Management’s understanding about the risks of fraud, including specific
material fraud risks the entity has identified or account balances or classes of
misstatement transactions for which a risk of fraud may be likely to exit.
due to fraud. c. Programs and controls the entity has established to mitigate specific
d. Nature and extent of monitoring operating locations or business
segments and any locations or segments for which a risk of fraud may be
more likely to exist.
e. Whether and how management communicates to employees its views on
business practices and ethical behavior.
2. Consider unusual or unexpected relationships identified by analytical
procedures, especially those related to revenue recognition.
3. Consider fraud risk factors.
5 4. Consider other helpful information.
Identify risks Consider the:
that may a. Type of risk.
result in a b. Significance of the risk.
material c. Likelihood of the risk.
misstatement d. Pervasiveness of the risk.
due to fraud.
The auditor should ordinarily presume that there is a risk of material
misstatement due to fraud relating to revenue recognition.
The auditor should address the risk of management override of controls.
evaluation Consider specific controls and broader programs designed to prevent, deter,
of the and detect fraud.
Respond to Overall response - Consider:
the results 1. Professional skepticism:
of the a. Obtain more reliable evidence.
assessment. b. Obtain additional corroborating evidence.
2. Assignment of personnel and supervision - specialists or more experienced
3. More careful consideration of management's selection and application of
4. Adding an element of unpredictability of auditing procedures.
A response involving the nature, timing, and extent of audit procedures
performed or to be performed.
A response involving the performance of procedures to further address the risk:
a. Revenue recognition.
b. Inventory quantities.
c. Management estimates.
Responses to further address risk of management override of controls:
a. Examine journal entries & other adjustments made in preparation of
b. Review accounting estimates for biases.
c. Evaluate business rationale for significant unusual transactions.
It may not be practicable to sufficiently address risk. Withdrawal may be
8 Fraud risk assessment is ongoing throughout the audit. Conditions affecting
assessment of risk include:
Evaluate a. Discrepancies in accounting records.
audit b. Conflicting or missing evidential matter.
evidence. c. Problematic or unusual relationships between audit and management.
Evaluate whether analytical procedures performed as substantive tests or in
final review stage indicate a previously unrecognized risk of material
misstatement due to fraud.
Evaluate risks at or near the completion of the audit.
Respond to misstatements that may be the result of fraud.
Yes or unable material No
a. Consider implications on audit.
b. Discuss further investigation
a. If of little significance, may have no
with appropriate management,
affect on audit.
senior management, and the
b. If higher-level management is
involved, result may be indicative of
c. Attempt to obtain additional
a more pervasive problem.
evidence whether fraud has
c. Reevaluate assessment of risk and
occurred and its effect.
effect on nature, timing, and extent
d. May suggest that client consult
with legal counsel.
Consider withdrawing if evidence
indicates significant risk of material
misstatement due to fraud.
Material or 13
possible fraud Yes Report directly to audit committee.
If it has continuing control implications, consider if
No it is a "reportable condition" that should be
reported to senior management and the audit
Bring to Communication of possible fraud to parties other
attention of an than the client may be required:
appropriate a. To comply with legal and regulatory
level of requirements.
management. b. To a successor auditor.
c. In response to a subpoena.
d. To a funding agency involving governmental
Document the a. Discussion among engagement personnel in audit planning.
auditor's b. Procedures performed to obtain information necessary to identify and
consideration assess the risks of material misstatement due to fraud.
of fraud. c. Specific risks of material misstatement due to fraud that were identified
and a description of the auditor's response to those risks.
d. If the auditor has not identified improper revenue recognition as a risk of
material misstatement due to fraud, the reasons supporting the auditor's
e. The results of the procedures performed to further address the risk of
management override of controls.
f. Other conditions and analytical relationships that caused the auditor to
believe that additional auditing procedures or other responses were
required and any further responses the auditor concluded were
appropriate to address such risks or other conditions.
g. The nature of the communications about fraud made to management,
the audit committee, and others.
The Sarbanes-Oxley Act of 2002
Update to Rittenberg & Schwieger
Auditing: Concepts for a Changing Environment
“Concepts for a Changing Environment” is a theme that is both appropriate to the
textbook and is descriptive for the year 2002. It is likely that there has not been a year
that has impacted the profession as much since the events that led to the enactment of the
Securities Act of 1933 and the Securities & Exchange Act of 1934.
This brief supplement provides an overview of the Sarbanes-Oxley Act of 2002 and the
impact of the act on the conduct of audits and the nature of the auditing profession. The
full implications of the Sarbanes-Oxley Act will not be known for some time as many of
the Act’s provisions called for further study to be followed by rules to be implemented by
the SEC. Further, it would be a mistake to look at the Sarbanes-Oxley Act in isolation
without considering the other changes that were already underway in the profession. This
supplement is organized to provide:
• An overview of the audit failures that led to the implementation of the Sarbanes-
• An overview of SEC initiatives already underway that were impacting the
• A brief overview of the major provisions of the Sarbanes-Oxley Act and the
implications for the auditing profession.
OVERVIEW OF AUDIT FAILURES
The major failures were Enron and WorldCom, both Arthur Andersen clients. There
were other accounting and audit failures associated with companies such as Tyco, Qwest,
Adelphi (cable company), Waste Management, Micro Strategy, and Xerox, just to name a
few. The failures affected all of the Big 5 public accounting firms. Thus, while there
may have been unique problems with Arthur Andersen, many in Congress, the
profession, and certainly the investment public perceived that the problems in the
profession were more widespread than Enron, WorldCom, and Arthur Andersen.
What were these problems or trends that heightened the public’s awareness of the
profession? There were at least six major trends that had been addressed by the SEC and
others, but not to the extent evident in the Sarbanes-Oxley Act. These trends included:
• An increase in “form over substance” in making accounting judgments.
• Auditors recognized management as the “client,” not the stockholders. (Of
course, management had the power to hire and fire the audit firm.)
• Management of earnings became an accepted part of management.
• Boards of directors were not independent and were not strong.
• Management consulting had grown rapidly for two decades and was larger and
more profitable than audit and assurance services.
• Audit partners were rewarded on growth and profitability; relationship
management became an important component of partner compensation.
The previous three Chief Accountants of the SEC had written articles decrying the
decline of professionalism and citing numerous instances in which the accounting that
had been okayed by the public accounting firms did not pass the “smell test,” in other
words, the accounting just did not make common sense. Finally, the SEC under the
leadership of Arthur Levitt decided that change had to be made. In a speech in
September of 2001, Chairman Levitt cited numerous problems with the profession and
appointed a Blue Ribbon Commission to improve accountability by improving the
effectiveness of audit committees. Levitt cited major concerns with:
• “Cookie jar reserves” used by firms to manage earnings.
• Revenue recognition that did not meet fundamental earnings criteria.
• Creative accounting for mergers and acquisitions that did not reflect economic
• A reliance on stock-based compensation that put increased pressure on meeting
Chairman Levitt was concerned that public accounting firms did not have either the
aptitude or the desire to say NO to client accounting that pushed all the bounds of
reasonableness. Rather, he perceived an environment in which client’s said: “show me
where the Standards would prohibit the proposed accounting.” Instead, he wanted an
environment in which auditors would make independent judgments on the economic
substance of transactions and require accounting that was consistent with such judgment.
However, the SEC was looked upon as the last hurdle to get over. Rather than auditors
exercising independent judgments, it became acceptable to wait and see if the SEC said
no. In essence, the profession was failing to perform its primary task – to make
independent judgments to ensure that the financial statements presented the fairest picture
possible, within the constraints of GAAP.
The SEC was not the only agency that had concerns with the profession. The Public
Oversight Board (POB), a quasi-independent board that had broad oversight over the
profession (but no real power), had established a commission to look at the audit process.
The POB was concerned that the profession was “cutting corners” to make audits more
cost effective and thus allow audit partners to be compensated at levels comparable to
their consulting partners. Specifically, the POB had concerns that:
• Analytical review was being used inappropriately to replace substantive audit
• Audit firms were not thoroughly evaluating internal control and applying
substantive procedures to address weaknesses in control.
• Audit documentation, especially related to the planning of the audit, was not up to
• Auditors were ignoring warning signals of fraud and other problems.
• Auditors were not providing sufficient warning to investors about companies that
might not continue as “going concerns.”
The POB issued a comprehensive analysis of these problems shortly before the major
audit failures of 2002. Most of the report reiterated the existence of the problems and
suggested actions to be taken by the profession and by individual audit firms.
Finally, the Independence Standards Board (ISB) had been developed and was looking at
a number of issues relating to audit independence. The ISB had issued a couple of
pronouncements aimed at improving auditor independence, but it had not addressed any
of the major issues that many perceived were potential problems; most notably the rising
dependence on management consulting and internal audit outsourcing. Further, there was
some criticism of the ISB in that two of its members were managing partners of Big 5
firms and a third, Barry Melancon, was the Chair of the AICPA (recently named by
Business Week magazine as one of the ten worst managers of the year 2002).
Within the profession, most of the other forces at play were reinforcing the concerns of
the SEC. First, the Emerging Issues Task Force (EITF), a constituent-based task force,
continued to issue more detailed, technical accounting rules. Ultimately, one of the
EITF’s rules contained an obscure paragraph that was used by Enron to justify the arcane
accounting for the Special Purpose Entities (SPEs) that were used to cover up their real
results. Second, the peer review process initiated by the AICPA relied on one big firm
reviewing the processes of a similar big firm. None of the firms were willing to give
other than an unqualified report to another firm, or criteria did not exist that would justify
such reports. Third, accounting firms circulated papers citing innovative ways to account
for transactions. For example, Arthur Andersen circulated a “white paper” that described
revenue recognition for communications companies that essentially swapped line
capacity with each other (provided that the trades were separated by a small amount of
time; this procedure later became known as “round tripping”). Fourth, accounting firms
were aggressively pursuing new products, particularly in the tax area, where they could
be compensated based on the value-added to the client. Stated another way, they were
looking to see contingency-based products where the firm would be a compensated a
specific percentage of the tax-savings realized by the client. This led to some public
accounting firms recommending that clients like Stanley Tools incorporate outside of the
U.S. to gain tax advantages while maintaining their headquarters and most of their
operations in the U.S. to take advantage of the protection of our business environment.
Finally, the AICPA had established itself more as a trade association than as a
professional organization serving the public interest. For example, the AICPA has
consistently lobbied for most of its practitioners, especially those with smaller firms, be
exempt from restrictive rulings proposed by the SEC. Further, the AICPA embarked on a
campaign to establish a new, non-accounting and non-audit based credential, to establish
the holder’s expertise in global affairs and consulting. The new credential, sometimes
referred to as XYZ or Cognitor, went down to resounding defeat by the membership of
the AICPA, many of whom felt it abandoned the roots and public trust foundation of the
Some supporters of the profession likened the problems of 2002 to the “Perfect Storm.”
While this may be an exaggeration, there were a number of analogies. However, in the
view of many, it was not like the “Perfect Storm” depicted in the movie because the
events that were taking place were not one-time events. The problem is that the
profession did not seem to see all the warning signs that existed.
An overview of these events is shown in Figure 2 below.
The Accounting Profession and the
SEC Criticism of
Accounting and POB Criticism
Audit of Audit
THE ACCOUNTING PROFESSION
Please the Client Promote Consulting Services
Technical Accountants – Push the Limit of Accounting
Innovative Tax Products – Value Added Billing (contingencies)
Partners promoted on Sales Basis and ability to ‘Manage the
New Services – Accounting and Internal Audit Outsourcing
Failure of Independence
Companies, Board Criticism
especially of the
SEC Enforcement Actions
on Accounting and
Thus while there were many critics that were sending “caution” signals to the profession,
the profession continued to see only the green light of continued progress. There was a
mistaken sense that changes in the legal environment had protected the auditor and that as
long as a technical accounting treatment could be justified, there was little threat to the
The SEC was warning the profession of potential problems. For the most part, the
majority of practicing professionals believed the warnings were not justified because the
majority of practitioners continued to practice with the highest level of integrity and were
willing to say NO to clients. Nonetheless, clients continued to be aggressive and pushed
firms for friendlier treatments of accounting issues, or for disclosures that may be
technically accurate, were less than forthcoming.
The SEC issued four major pronouncements that had already set into action many of the
concepts that were reinforced in the Sarbanes-Oxley Act. They were:
• Issuance of SAB 99 on materiality.
• Issuance of SAB 101 on revenue recognition.
• Revision of the Commission’s Rules on Auditor Independence.
• Formal endorsement of Blue Ribbon Commission recommendations
strengthening audit committees.
SAB 99 reinforced the basic definition of materiality. The SEC expressed their view that
auditors had neglected the “qualitative” aspect of materiality and had focused too much
on rules of thumb, such as a 5% of net income view. The SEC applied the concept of
materiality to not only the numbers in the financial statement, but to the clarity of
disclosures and the accounting choices made to portray the financial results. In essence,
the SEC challenged the accounting profession to enforce its own concepts of materiality
and to look at issues from an objective investor’s viewpoint.
The SEC chose to issue this statement after reviewing a number of SEC enforcement
actions against companies that had pushed the limits of revenue recognition. The
enforcement action covered both dot.com companies such as Priceline.com as well as
other companies that had frequently used “channel stuffing” as a method to enhance
either quarterly or yearly income. (In the Priceline.com situation, the company had
chosen to record revenue for the full amount of the ticket issued even though the
company was acting more like a travel agent that provided services through matching a
product with a customer.) The SEC encouraged the profession to focus on the nature of
the earnings process and suggested that the commission earned, not the value of the
airline ticket, was the real measure of revenue. The SEC noted that channel stuffing was
used to boost revenue to meet “earnings guidance” provided to Wall Street. The SEC
noted that there were frequently signs that channel stuffing had taken place such as
returns of merchandise after year-end, or smaller sales in the next quarter.
As in SAB 99 on materiality, the SEC was urging the profession to enforce its own
accounting concepts. Essentially, the SEC urged the profession to go back to its basic
principles recognizing revenue that:
• met the earnings principle,
• was realized,
• reflected the principal revenue-producing activities of the organization.
The SEC again encouraged the profession to exercise its independent judgment following
broad principles rather than assisting clients in structuring transactions that met technical
The SEC felt strongly that the profession needed to be reminded of the basic principles
underlying auditor independence. They started with three basic principles, which have
been expanded to a fourth after the issuance of Sarbanes-Oxley. Those principles are:
• A public company auditor, in order to be independent, should not audit its own
work (as it would if it provided internal audit outsourcing services, financial
information systems design, appraisal or valuation services, actuarial services, or
bookkeeping services to an audit client).
• A public company auditor should not function as part of management or as an
employee of the audit client (as it would if it provided human resources services
such as recruiting, hiring, and designing compensation packages for the officers,
directors, and managers of an audit client).
• A public company auditor, to be independent, should not act as an advocate of
its audit client (as it would if it provided legal and expert services to an audit
client in judicial or regulatory proceedings).
• A public company auditor should not be a promoter of the company's stock or
other financial interests (as it would be if it served as a broker-dealer, investment
adviser, or investment banker for the company).
Following these general principles, the SEC identified nine services that should not be
performed by public accountants, or should be performed with some restrictions. These
nine services included:
• Bookkeeping or other services related to the accounting records or financial
statements of the audit client.
• Financial information systems design and implementation.
• Appraisal or valuation services, fairness opinions, or contribution-in-kind reports.
• Actuarial services.
• Internal audit outsourcing services.
• Management functions or human resources.
• Broker or dealer, investment adviser, or investment banking services.
• Legal services and expert services unrelated to the audit.
• Any other service that the Public Company Accounting Oversight Board
(PCAOB) determines, by regulation, is impermissible.
The SEC initially mandated public disclosure of the amount of fees paid to public
accounting firms, including a separation of audit fees, consulting fees related to
systems design, and other consulting fees. This provision was strongly opposed by
the public accounting profession, but the data were compelling to the public. In many
instances the fees paid to public accounting firms were not only larger than the audit
fees, but sometimes significantly larger – even ten times larger in one case. Enron
was often cited as a case in point where consulting revenue exceeded audit revenue.
Further, Enron was a case in which the internal audit work was outsourced to the
external audit firm, leaving many to question whether the internal auditors could have
possibly given the Board of Directors an independent evaluation of either controls or
The SEC subsequently encouraged the large public accounting firms to jettison their
consulting arms and concentrate on building back the public trust. Two of the Big 5
firms had done so prior to the enactment of the Sarbanes-Oxley Act.
PricewaterhouseCoopers sold its consulting division to IBM in 2002 and Deloitte &
Based on public documents, it is also questionable whether or not Enron’s Board was sufficiently
independent that it would have been interested in truly independent evaluations.
Touche completed plans to spin-off its consulting arm into a separate publicly held
company in 2003.
Strengthen Audit Committees and Boards
The SEC endorsed the recommendation of the Blue Ribbon Commission on Audit
Committees and subsequently endorsed the ruling requirements of the NYSE to
strengthen the role of audit committees. The SEC has also pushed for greater
independence of board members. One of the major recommendations was to make the
audit committee the real client of the auditors with the sole authority to hire or fire the
independent external auditor. Further, the audit committee had the sole responsibility to
approve or disapprove of any non-audit services performed by their external auditors.
The audit committee was required to report the judgments formally in an annual report.
THE SARBANES-OXLEY ACT OF 2002
The storm hit when Enron failed and declared the largest bankruptcy in U.S. history. It
sank the ship when WorldCom became the largest bankruptcy in U.S. history. In both of
these companies, the operational failures were covered up with clever accounting frauds
that were not detected by the public accounting firms. The press, Congress, and the
general public continued to ask why such failures could have occurred when the public
accounting profession was given the sole license to protect the public from financial
fraud and misleading financial statements.
The Sarbanes-Oxley Act is comprehensive. It is important to understand that while it
contains many provisions, a good part of the Act represents a work in progress. It has
mandated the GAO and the SEC to conduct numerous studies of the accounting
profession and the nature of financial reporting and to report back to congress with their
recommendations. We will cover the nature of the studies to be performed as well as the
specific actions taken in the Act.
The legislators were concerned that more independent information was needed on several
fronts before specific legislation could be implemented. For example, there is a great
deal of controversy as to whether part of the problem was due to an increased tendency
towards “rule-based accounting.” On the other hand, there are equally compelling
questions on whether or not the profession is equipped to ensure that consistent
judgments reflecting economic reality will be made under a “principles-based” approach
to accounting. The specific studies, along with the Act’s section number are as follows:
• Section 207 – Study of Mandatory Rotation of Registered Public Accounting
• Directs the GAO to conduct a study and review of the potential effects of
requiring the mandatory rotation of registered public accounting firms and report
its findings to Congress within one year of enactment date.
• Section 701 – GAO Study and Report Regarding Consolidation of Public
• Directs the GAO to conduct a study and report its findings to Congress within
one year of enactment date that would examine the reasons for the consolidation
of accounting firms since 1989. The legislation notes that the public accounting
profession went from eight major multinational firms to only four. Legislators
want to know the economic reasons for the change as well as the implications for
protecting the public.
• Section 702 – Commission Study and Report Regarding Credit Rating
• Directs the SEC to conduct a study and report its findings to Congress and the
president within 180 days of enactment date regarding the role, importance and
impact of rating agencies in the marketplace. This study clearly expresses the
notion that the problem is not uniquely confined to the audit profession. There
continue to be concerns with Wall Street, investment houses, and conflicts of
interest within securities firms.
• Section 703 – Study and Report on Violators and Violations
• Directs the SEC to conduct a study and report its findings to Congress within six
months of the enactment date regarding the proliferation of violations of securities
laws and the penalties therefore.
• Section 704 – Study of Enforcement Actions
• Directs the SEC to conduct a study and report its findings to Congress within
180 days of the enactment date, that would review and analyze all enforcement
actions by the SEC involving violations of reporting requirements imposed under
the securities laws, and restatements of financial statements, over the five-year
period preceding the enactment date to identify areas of reporting that are most
susceptible to fraud.
• Section 705 – Study of Investment Banks
• Directs the Comptroller General to conduct a study and report the findings to
Congress within 180 days of the enactment date regarding the role of investment
banks and financial advisors in the collapse of the Enron Corporation and Global
Major Provisions of the Act
There are major provisions of the Act that will affect the nature of the public accounting
profession and the nature of financial reporting for some years to come. Some of the
major provisions include:
• Establishment of a Public Company Accounting Oversight Board with broad
powers, including the power to set auditing standards and choose whether or not
to set accounting standards,
• Requirement that the CEO and CFO certify the financial statements and the
disclosures in those statements.
• Requirement that companies provide a comprehensive report on internal controls
over financial reporting and that their auditors report on internal controls.
• Audit Committees be given expanded powers as the “audit client” and must pre-
approve any non-audit services by public accounting firms. Audit committees
must also report publicly.
• Audit Committees must have at least one person who is a financial expert and
must disclose the name and characteristics of that individual. Other members
must be knowledgeable in financial accounting as well as control.
• Partners in charge of audit engagements, as well as all other partners or managers
with a significant role in the audit, must be rotated off the engagement every five
• There must be a “cooling off” period before a partner or manager can take a high-
level position in a client without jeopardizing the independence of the public
• Increased disclosure of all “off-balance sheet” transactions or agreements that
may have a material current or future effect on the financial condition of the
company. The SEC is required to study the nature of such agreements and/or
transactions and develop improved accountability.
By far, the most compelling part of the Act is the establishment of the Public Companies
Accounting Oversight Board (PCAOB). This Board will ultimately determine the nature
of auditing and accounting, including responsibilities for detecting fraud and other
financial misdeeds. The PCAOB is to have five members, three of whom cannot be
CPAs. The PCAOB has the ability to make choices including:
• Setting of auditing standards. It can choose to set them or it can rely on an
independent standard setting body. Historically, auditing standards have been set
by the Auditing Standards Board of the AICPA .
• Setting accounting standards. The PCAOB can choose to set accounting
standards, provide oversight of the FASB, or choose some other body such as the
International Accounting Standards Board to set accounting standards. The SEC
has so far endorsed the FASB but has suggested that there be more cooperation
between the FASB and IASB.
• Set standards for the reports on internal control and/or risk management.
• Perform quality review of public accounting firm performance and recommend
penalties, including censure, if the firms fail to perform at required levels.
• Establish quality control standards for the conduct of audits of public companies.
The PCAOB is off to a rough start because of controversy over the nomination of its first
chair, William Webster, and the subsequent resignation of the SEC Chair, Harvey Pitt.
However, as of January 2003, it has an Acting Chair and is moving forward on many
issues before it.
Other Provisions of the Act
As noted earlier, many of the other provisions of the Act pertain to the investment
community, especially investment bankers. The following is a broad summary of the
major provisions of the Act along with the section number. We will continue to provide
updates as the Act is implemented.
Title 1 – Public Company Accounting Oversight Board
• Section 101 – Establishment of Board
• Establishes an independent, non-governmental accounting oversight board to
oversee the audit of public companies that are subject to the securities laws in
order to protect the interests of investors and further the public interest in the
preparation of informative, accurate, and independent audit reports for companies
whose securities are available to public investors.
• The board shall be made up of five full-time members, only two of which will
be certified public accountants. The SEC will appoint members of the Board for a
term of five years, with one term set to expire each year. Board members will
serve no more than two terms, regardless of whether they were consecutive terms.
• Section 102 – Registration with the Board
• Within 180 days of establishment, public accounting firms will be required to
register with the Board in order to perform audit functions for public companies.
• Section 103 – Auditing, Quality Control, and Independence Standards and
• The Board will establish, through the adoption of standards, quality control
standards and ethics standards to be used by registered public accounting firms in
the preparation and issuance of audit reports for any issuer.
• The Board will require: (a) registered accounting firms to maintain audit-related
material for at least seven years; (b) concurring or second-partner review of all
audit reports; and (c) that audit reports describe the scope of the auditor’s testing
of the internal control structure and procedures of the audit subject.
• Section 104 – Inspection of Registered Public Accounting Firms
• The Board will conduct a continuing program of inspections of registered
accounting firms – every year for firms that provide audit reports to more than
100 issuers annually and once every three years for firms that provide audits to
fewer than 100 issuers annually. Reports of deficiencies will be reported to the
SEC and made available to the public.
• Section 105 – Investigations and Disciplinary Proceedings
• Gives the Board the authority to conduct investigations, gather testimony and
produce documentation through the power of subpoena. Provides the Board with
the power to suspend auditors, revoke the registration of accounting firms or
impose other penalties for noncompliance in an investigation.
• Monetary penalties for violation of Board rules or securities law are capped at
$100,000 for an individual and $2,000,000 for an entity.
• Section 107 – Commission Oversight of the Board
• Gives the SEC oversight and enforcement authority over the Board and its
• Section 108 – Accounting Standards
• Gives the Board the authority to adopt accounting standards. As noted earlier,
the Board seems to be willing to work with the FASB and others to establish
accounting standards and principles. Many of the members, to date, have
expressed a strong preference for “principles-based standards.”
• Section 109 – Funding
• Establishes that the Board will be funded through fees from private industry.
This is a major change. Part of the fees to register as a public company will be
used to support the full scope of the PCAOB activities.
Title II – Auditor Independence
• Section 201 – Services Outside the Scope of Practice of Auditors
• Prohibits any registered public accounting firm from providing non-audit
services contemporaneously with audit services. Non-audit services include:
o Bookkeeping or other services related to the accounting records of
financial statements of the audit client.
o Financial information system design and implementation.
o Appraisal or valuation services, fairness opinions, or contribution-in-kind
o Actuarial services.
o Internal audit outsourcing services.
o Management functions or human resources.
o Broker or dealer, investment advisor, or investment banking services.
o Legal services and expert services unrelated to the audit.
o Any other service that the Board determines, by regulation, is
• Section 202 – Pre-approval Requirements
• Requires that the issuer’s auditing committee approve all audit and non-audit
services provided to an issuer.
• Section 203 – Audit Partner Rotation
• Prohibits a registered public accounting firm from providing audit services to an
issuer if the lead audit partner, or the audit partner responsible for reviewing the
audit, have performed audit services for that issuer in each of the five previous
fiscal years of that issuer.
• Section 204 – Auditor Reports to Audit Committees
• Requires accounting firms to report to the audit committee of the issuer the
methods, practices and policies behind the audit work.
Title III – Corporate Responsibility
• Section 301 – Public Company Audit Committees
• Allows the SEC to direct the national securities exchanges and national
securities associations to de-list any issuer that is not in compliance with Title III
of this Act. Establishes that the audit committee of an issuer shall be responsible
for appointment and oversight of any audit work performed by an accounting
• Section 302 – Corporate Responsibility for Financial Reports
• Requires the principal executive officer or officers and the principal financial
officer or officers, or persons performing similar functions to certify annual and
quarterly reports to the SEC. Directs the SEC to publish related rules within 30
days of enactment.
• Section 303 – Improper Influence on Conduct of Audits
• Prohibits an issuer from providing false or misleading information about the
financial condition of the issuer to an accounting firm conducting an audit for the
• Section 304 – Forfeiture of Certain Bonuses and Profits
• Requires executives of an issuer to forfeit any bonus or incentive based pay or
profits from the sale of stock, received in the 12 months prior to an earnings
Title IV – Enhanced Financial Disclosures
• Section 401 – Disclosures in Periodic Reports
• Requires rulemaking from the SEC to require that all annual and quarterly
financial reports filed with the SEC fully disclose off-balance sheet transactions
that may have a material current or future effect on the financial condition of the
• Requires the SEC to issue final rules to require that pro forma financial
information included in any periodic or other report filed with the SEC pursuant
to securities law, does not contain an untrue statement of a material fact.
• Requires a study by the SEC to examine the use of special purpose entities.
• Section 402 – Enhanced Conflict of Interest Provisions
• Prohibits personal loans from issuers to executives, with some limited
• Section 403 – Disclosures of Transactions Involving Management and
• Requires directors, officers and principal stockholders to file a statement with
the SEC when they sell stock, or obtain new stock from the issuer in question.
Statements must be filed at the time of registration of such security on a national
securities exchange or by the effective date of a registration statement; within 10
days after he or she becomes such beneficial owner, director or officer; if there
has been a change in such ownership, within two days of the initial acquiring of
such security, i.e. security-based swap agreement.
• Section 404 – Management Assessment of Internal Controls
• Directs the SEC to issue rules requiring that annual reports filed with the SEC
shall state the responsibility of management for establishing and maintaining
adequate internal control structure and procedures for financial reporting; and
contain an assessment of the effectiveness of such internal controls.
• Requires public accounting firms also report on internal controls of the client.
• Section 406 – Code of Ethics for Senior Financial Officers
• Directs the SEC to issue rules that require issuers to publicly disclose whether or
not, and if not, the reason therefore, that issuer requires senior financial officers to
sign a code of ethics.
• Section 407 – Disclosure of Audit Committee Financial Expert
• Directs the SEC to issue rules to require each issuer to disclose whether or not,
and if not, the reasons therefore, they require at least 1 financial expert to serve on
their audit committee.
• Section 408 – Enhanced Review of Periodic Disclosures by Issuers
• Requires the SEC to review disclosures made to the SEC on a regular and
systematic basis for the protection of investors. Such reviews shall include a
review of an issuer’s financial statements.
• Section 409 – Real Time Issuer Disclosures
• Requires each issuer to give rapid and current disclosure in plain English
regarding material changes in the financial condition or operations of the issuer.
Title V – Analyst Conflicts of Interest
• Section 501 – Treatment of Securities Analysts by Registered Securities
Associations and National Securities Exchanges
• Requires the SEC to adopt rules that are reasonably designed to address conflicts
of interest that can arise when securities analysts recommend equity securities in
research reports and public appearances.