The Auditing Standards Board (ASB) in the US issued a statement on auditing standard 99 (SAS 99), titled ‘Consideration of Fraud in a Financial Statement Audit’ in November 2002. While the statement was developed before the accounting scandals in Enron and Worldcom rocked the US and the rest of the world, it was released around the time the scams started hitting headlines.

The SAS 99 was touted as a fitting response to the perceived inadequacies in its predecessor, the SAS 82, and the ASB made it a priority to try and address the allegations of fraud by management executives and auditors. The new standard became effective for audits of financial statements for fiscal years beginning on or after December 15, 2002 in the US.

Investors and public at large expect auditors to be responsible for detecting management fraud. Most in the accounting profession are often at pains to explain why an audit conducted in accordance with the generally accepted auditing standards (GAAS) will most likely fail to detect fraud-driven material mis-statements of financial statements. Most people from outside the auditor fraternity wonder why it is so difficult to discover fraud or, to put it differently, why is it so tough to spot material mis-statements that were the result of fraud?

There are two prime reasons for this — deception and collusion. It is the auditor's responsibility to plan and carry out the audit. The objective is to obtain reasonable assurance about the existence or otherwise of material mis-statement, caused either by error or fraud. It is the management’s responsibility to design and execute programmes to prevent, dissuade, and detect fraud. When senior management and the people charged with running the governance framework set the tone for ethical conduct, the prospects for fraud are often significantly diminished.

In performance of audits, techniques that test sample populations are employed; analytical procedures are performed on data, and interviews and questionnaires are used to gather data. Fraud may be present but not identified because tests are done on a sample basis, and the fraudulent transaction or event may not be selected for the tests. What some auditors do is that as part of the audit engagement, they use forensic professionals with skills and experience on fraud investigations and fraud prevention, coupled with information technology tools and techniques that enable them to identify transactions that meet potentially fraudulent pre-conditions.

These forensic professionals generate fraud scenarios based on their investigative experience and create hypotheses on how a fraud can occur. These hypotheses are then tested on the data provided by the client. This enables auditors to think beyond the audit of financial statements and focus on frauds, which most organisations are grossly under-prepared to handle. Also, they can trawl the sea of data for potentially red-flagged transactions, or those that have characteristics of a fraudulent transaction. There are instances where companies run tools on their enterprise applications, which monitor transactions on a real time or ongoing basis. This concept is called continuous auditing and monitoring.

Continuous auditing is the collection of audit evidence by an audit/anti-fraud function on IT systems, processes, transactions and controls on a frequent or continuous basis.

However, in the Indian context, only 4 per cent of respondents of a fraud survey indicated use of forensic technology tools as a proactive anti-fraud measure. The survey in 2008 showed that as many as 36 per cent of frauds were detected by the internal audit function of a company. A fair number of frauds were also detected through anonymous letters or by accident, indicating that almost one-third of the frauds were detected due to reasons other than those owing to an organisation’s internal controls.

When one thinks of fraud, one usually thinks of grandiose schemes to steal money by falsifying invoices, bogus contracts or even ghost employees. Fraudulent financial reporting doesn’t need to involve a grand plan or conspiracy. Managements may feel that a mis-statement is appropriate since it is an aggressive interpretation of accounting standards and rules, or that it is an interim mis-statement that will be corrected later.

Misappropriation of assets is the theft of an entity’s assets, where the theft results in the financial statement not being presented in conformity with GAAP. Misappropriation of assets can be classified in the following ways: stealing assets, embezzling or inducing a business entity to pay for goods or services that have not been received or causing an entity to overpay for goods or services actually received.

Because fraud is often concealed, material misstatements due to fraud are difficult to detect. Nevertheless, an auditor may come across events or conditions that point towards incentives/pressures to commit fraud, opportunities to perpetrate fraud, or attitudes/rationalisations to justify a fraudulent action. Such conditions are referred to as fraud risk factors.

Fraud risk factors do not essentially point toward the existence of fraud; however, they are often present in circumstances where fraud exists. Every company, in spite of the best anti-fraud controls, can potentially be struck by fraud; much like a virus striking the best IT networks. The challenge is to balance the price, both financial and otherwise of fraud, vis-à-vis the cost of fraud mitigation.