Using SAS 99 in Performance Audits

April 2006

By Sefton Boyars

Imagine one of the real audit disasters. Your organization just completed a performance audit and issued a clean report. A short time later, fraud is discovered. You and your organization are embarrassed. The audit standards state that audit tests do not guarantee the discovery of fraud, and that undiscovered fraud does not necessarily indicate a failure of the auditor. However, the media and legislative bodies are not as forgiving. You are likely to be pilloried in the press.

Can we preclude such an occurrence? No!

However, we may be able to mitigate the damage if we can show that we took the risk of fraud seriously and that we made a genuine effort to detect it. One way to do this is to go beyond the minimum audit requirements and to utilize the steps contained in SAS 99 when conducting performance audits.

We must use the AICPA Statements on Audit Standards for financial audits. We are not mandated to utilize them for non-financial audits, but we can often use concepts from the AICPA standards when we conduct performance audits. I believe that this is particularly germane when we consider the risk of fraud.

Government Audit Standards, commonly known as the Yellow Book, require auditors to identify the risk of fraud or illegal acts and to design audit tests to provide a reasonable assurance of detecting them. The Yellow Book states:

7.17 Auditors should determine which laws, regulations, and provisions of contracts or grant agreements are significant to the audit objectives and assess the risk that illegal acts or violations of provisions of contracts or grant agreements could occur. Based on that risk assessment, the auditors design and perform procedures to provide reasonable assurance of detecting significant instances of illegal acts or violations of provisions of contracts or grant agreements.

It further states:

7.22 When auditors identify factors or risks related to fraud that they believe could significantly affect the audit objectives or the results of the audit, auditors should respond by designing procedures to provide reasonable assurance of detecting fraud significant to the audit objectives. Auditors should prepare audit documentation related to their identification and assessment of and response to fraud risks.

While the Yellow Book has some suggestions for considering and detecting fraud, it does not have as extensive a set of procedures as SAS 99, “Consideration of Fraud in a Financial Statement Audit.” For this reason, I believe that performance auditors should look to SAS 99 for guidance. SAS 99 describes a process for gathering information regarding the risk of fraud, assessing those risks, and conducting tests that reflect your assessment.

Professional Skepticism. SAS 99 emphasizes a concept already included in the Yellow Book, professional skepticism. The auditor must assume neither that the auditee is honest nor that the auditee is dishonest. The auditor should gather and document persuasive evidence regarding the reliability of information provided by the auditee.

Discussions Regarding Fraud. Before starting fieldwork, the auditors must discuss the risk of fraud. That discussion should include a brainstorming session on the risks of misappropriations or of material misstatements in the financial statements due to fraud. (This is the first time I can recall the term “brainstorming” in a SAS.) As performance auditors, we may not be concerned with the financial statements, but we can easily translate that concern to the subject of our audit.

For example, we may be reviewing client eligibility for services. If so, we can brainstorm the possibility of an entity deliberately misrepresenting certain persons as being eligible when they were not. Or we can think about the possibility of “ghost” recipients (who show up in the records, but who do not really exist).

Similarly, our audit objective may be to determine the effectiveness of a social program. In that case, we can consider the likelihood of the entity wanting to make the program look more successful than it really is. Entities have many reasons to inflate their results, including survival, increased funding, prestige and pay raises.

The SAS requires that discussions about fraud continue throughout the audit. The auditor with final responsibility for the audit, usually the one who signs the report, must be satisfied that there has been sufficient communication about fraud during the audit. The audit team should hold regular meetings to discuss any indications of fraud or the potential for fraud.

Making Inquiries of Management and Others. The SAS requires auditors to make inquiries of management and others about the risks of fraud. Too often, I have seen instances of auditors asking whether management is aware of any fraud. That question is virtually useless.

SAS 99, and common sense, suggest much more useful questions. We should ask management which areas or activities are most susceptible to fraud, what internal controls they have installed to address the specific fraud risks and how they monitor those controls. The SAS requires the auditor to inquire directly of the audit committee for its insights on fraud risks. In the government arena, there may be fewer audit committees. However, the auditors may still be able to talk with internal auditors, Board of Supervisors, etc.

SAS 99 points out that management may override the internal controls. Such overrides are relatively common in the governmental and nonprofit arenas. The SAS states that the auditor should consider management overriding controls as a separate risk. Overrides always contain the possibility of fraud.

Considering the Results of Analytical Tests. The SAS states that auditors should consider whether their analytical tests yielded any unexpected results that could be indicative of fraud. While analytical tests are mandatory for financial audits, they are not for performance audits. In my experience, auditors often under-utilize analytical tests in performance audits.

An auditor can conduct analytical tests in virtually every performance audit. If the audit objective is to determine program effectiveness, the auditor can compare results over time, compare results to other similar organizations or compare results to certain standards. Similar tests are possible in audits designed to assess compliance, efficiency, economy, etc. Analytical tests do not give us answers, but they do raise excellent questions. We should carefully review the results of the analytical tests to see if any point to fraud.

Predictability of Audit Procedures. The SAS advises auditors to incorporate an element of unpredictability in their tests. That requirement argues against “canned” audit programs. At the very least, we should make some adjustments in each audit to vary some of the steps (or selection procedures) to prevent the auditees from being able to anticipate the items tested.

Summary. This article cannot include all of the requirements of SAS 99. I have tried to concentrate on specific provisions that would significantly impact performance auditors. Given the high level of interest that fraud generates, I strongly recommend that all performance auditors read SAS 99 and incorporate its recommendations in their audits.

--------------------------------------

Sefton Boyars, CPA, CGFM, CIA, CFS, retired in 1996 from a 35-year career as a government auditor and audit manager. He had been the Regional Inspector General for Audit for the U.S. Department of Education for 16 years at the time of his retirement. He currently teaches continuing education classes for many organizations, including federal, state and local governments, professional associations and Management Concepts, Incorporated. He received AGA’s National Education and Training Award for 1998.