Raise the red flag: a recent study examines which SAS No. 99 indicators are more effective in detecting fraudulent financial reporting
Internal Auditor, Oct, 2005 by Glen D. Moyes, Ping Lin, Raymond M. Landry, Jr.
Since its introduction in 2002, Statement on Auditing Standards (SAS) No. 99: Consideration of Fraud in a Financial Statement Audit has raised expectations for fraud-detection audits to new heights. The standard supersedes the American Institute of Certified Public Accountants' SAS No. 53 and SAS No. 82, which first identified red flags of possible fraudulent activity and required external auditors to detect fraud that may result in a material misstatement of the financial statements. Published in 1988, SAS No. 53 described 14 red flags, and SAS No. 82 added 25 red flags in 1997. SAS No. 99 increases the number of red flags to 42, extensively revises the existing indicators, and requires auditors to consider the risk of a possible material misstatement due to fraud. One accounting Web site, AccountingMalpractice.com, describes the change as switching auditors' focus from "I believe management" to "I don't believe management" and strongly hints that any auditor who fails to recognize these fraud warning signs could be held negligent.
Although SAS No. 99 specifically applies to external auditors, the fraud risk factors that the standard lists provide critical information and guidance internal auditors can use to identify fraudulent activity, as recommended by The IIA's International Standards of Professional Practice of Internal Auditing (Standards). Also, because internal auditors often assist the external auditors in conducting financial audits, they share an interest in the fraud-detecting effectiveness of red flags. In addition, the need to comply with the U.S. Sarbanes-Oxley Act of 2002 has given internal auditors greater access to internal data to detect fraud. A consensus rating of the SAS No. 99 red flags can give internal auditors valuable insight into these risk factors.
Both SAS No. 53 and No. 82 categorized red flags into three groups: "management characteristics," "industry conditions," and "operating characteristics and financial stability." SAS No. 99 takes a different approach, aligning risk factors with Agency Theory conditions. Applying this theory to financial reporting, management--the shareholders' agent--may provide incomplete information in financial reports to further its own interest, rather than looking out for the best interests of shareholders. In this case, management or employees must have incentives or be under pressure to commit fraud, opportunities must be available for fraud to occur, and there must be telltale signs of employee rationalization of fraud.
MEASURING EFFECTIVENESS
With the increased number of red flags in SAS No. 99, auditors must determine the best way to rank their effectiveness to determine which are best suited for fraud audits. Should auditors rely more heavily on certain flags and ignore others, or are they equally weighted? Should auditors agree on the relative weight of these red flags? To answer these questions, researchers at the University of Texas-Pan American in Edinburg surveyed internal auditors' opinions of the relative importance of the SAS No. 99 red flags.
In the summer of 2004, the researchers posted their "Red Flags" questionnaire as a flash survey on The IIA's Global Auditing Information Network Web site and invited 1,800 internal auditors to participate. Respondents were asked to rank the fraud-detecting effectiveness of each SAS No. 99 red flag on a six-point scale, ranging from "not effective" (1) to "extremely effective" (6) (see "Red Flag Effectiveness by Category," this page). The questionnaire was available online for approximately four months and produced 77 usable responses from internal auditors--a 4.2 percent response rate. Participants averaged 14.9 years of internal audit experience, and more than three-fourths were vice presidents or directors of their organization's internal audit function. Thirty-eight percent were certified internal auditors, and 55 percent were certified public accountants.
Survey respondents tended to have extensive experience using red flags for fraud detection. Most participants rated themselves as somewhat or mostly effective at using red flags to identify fraudulent activity. Eighty-one percent of respondents had completed continuing professional education courses on fraud detection and red flags.
Based on the survey responses, researchers computed an overall average effectiveness rating of 3.93 for all of the SAS No. 99 red flags. The effectiveness ratings of individual flags varied widely; the most effective red flag, restriction on audit, was rated almost twice as effective as the least effective indicator--new accounting, statutory, or regulatory requirements. Researchers used the Student's T-test statistical technique to classify the red flags into "more effective," "effective," and "less effective" categories (see "Effective Red Flags," this page, and "Less Effective Red Flags" on page 50). SAS No. 99 classifies these indicators into three categories: incentive/pressure, opportunity, and attitude/rationalization.


