New In-House Counsel Duties Under SAS 99

By Marc Kaplan and Robert Sattler
December 01, 2003

In its continuing effort to respond to high-profile fraudulent financial reporting and to strengthen safeguards against fraud and the misappropriation of funds, the American Institute of Certified Public Accountants (AICPA) has issued Statement on Auditing Standards 99: Consideration of Fraud in a Financial Statement. Generally known as SAS 99, the new standard imposes additional requirements on the audit process and applies to audits of 2003 financial statements for both public and private companies. As in-house corporate counsel, you can be affected by this new measure in several ways, most notably in the information you may be required to gather and the questions you may be expected to answer. In addition, certain information gathered under SAS 99 can help public companies meet requirements imposed by the Sarbanes-Oxley Act.

Deeper Involvement in the Audit Process

SAS 99 may well increase your involvement in the audit process. It requires that auditors perform several new procedures to gather more information relating to the risk of fraud, plus a significant increase in the documentation requirements imposed on auditors. The new standard spreads a wider net, involving more departments and employees at more levels in the organization. In an important change prompted by high-level misdeeds, SAS 99 presumes that improper revenue recognition is a fraud risk and requires procedures to guard against management override of controls. Overall, SAS 99 emphasizes professional skepticism in a way that is likely to involve you more than its predecessors did.

The Fraud Triangle

To get a better understanding of SAS 99 and its approach, it is important to understand the “fraud triangle.” Fraud, whether as fraudulent financial reporting or misappropriation of assets, may occur when three factors are present:

Incentive. The reason to commit fraud. This can be as simple as greed, which no audit can detect, or more complicated motives, such as a need to meet third-party expectations, such as loan covenants, or to satisfy unrealistic internal budget requirements. Other detectable motives include financial desperation from problems such as gambling debts.

Opportunity. Conditions such as ineffective or easily overridden controls or even the absence of controls allow individuals to commit fraud. Much of SAS 99 deals with establishing whether opportunity exists.

Rationalization. The process of justification, involving such self-justifying statements as “I'll only do it once” or “I'll pay back the money.”

Each of these factors leaves a trail, and the goal of SAS 99 is to provide guidance to the auditor to assist in tracking and evaluating any indications of fraud.

To begin the process, the auditors are required to conduct a rigorous analysis of your company's susceptibility to fraud, whether from fraudulent financial reporting or misappropriation of assets. They will attempt to assess specific risks after taking into account the company's antifraud programs and internal controls. Part of this will involve a discussion among audit personnel involved in the engagement about each side of the fraud triangle. The increased scope of examination may include data extracts from accounting software, review of journal entries, and other areas. Auditors may view unexpected changes in account balances as possible signs of fraud. Working with statistical information that is readily available enables them to watch for unusual variations in operational costs compared with similar entities, as well as for significant differences from prior years.

As part of the audit process, the auditors may communicate with you and others in management. They may ask questions for which you should be prepared, either to respond to the auditors directly or to advise management on the appropriateness of their responses. Auditors may ask questions about actual fraud, such as:

  • Are you aware of any actual instances of fraud within the company?
  • Do you suspect fraud might be occurring within the company?
  • Has any employee, present or former, alleged fraud? Has any regulator or other party?

They may also ask about incentives, the first side of the fraud triangle, with questions such as:

  • Do you know of any conditions (declining revenues, expected layoffs, fierce market competition) which might motivate individuals to inflate earnings so as to reach budget goals?
  • Does management commit to achieve unduly aggressive or unrealistic goals?
  • Do you believe any of the company's employees in particular might be tempted to commit fraud?

They may also ask about opportunity:

  • Do you know of any specific risks of fraud?
  • If someone were going to overstate or understate net income, how would they do so?
  • What internal controls can be bypassed or overridden? Has that happened?
  • What departures from GAAP are most common in your industry? At your company?
  • Are any of your company's operating locations more susceptible to fraud than others? Why?

The last leg of the triangle, rationalization, is harder to trace. It is clear that the greater the incentive or pressure to commit fraud, the easier it is to rationalize it. But it is also clear that the tone set by management will weaken or strengthen the likelihood of rationalization. When employees believe management rigorously observes the spirit and the letter of the law, they are less likely to rationalize illicit behavior. Accordingly, auditors may use questions like these to determine the ethical standards within a corporate culture:

  • Do you think everybody steals from a company in one way or another?
  • Do you agree that people who commit fraud are sometimes justified by extreme conditions?
  • What do you think should happen to a person who steals from the cash register?

The answers to these questions are intended to indicate how well management has conveyed its moral and ethical vision. In addition, auditors are alerted to consider attitude changes caused by anticipated layoffs, unfavorable changes in employee compensation or benefits, and the like.

In your role as in-house counsel, you may be asked to provide guidance to other employees about how they should respond to the auditors' questions. Employees may be concerned about endangering their jobs, becoming personally liable for damaging statements, violating confidentiality, or releasing information that might be harmful to the company or to innocent employees. You will need to find ways to help employees resolve these issues while providing the auditors with essential information. Especially delicate will be cases when an employee is believed (or known) to have expensive vices, such as gambling, drugs, or extramarital affairs, and coworkers are hesitant to report this situation. Employees may be reluctant to mention legitimate financial pressures, such as unusual medical bills, high alimony, or child support obligations, for fear of creating problems for an innocent individual. Part of your task will be to reassure coworkers that auditors understand the difference between the presence of risk factors and the commission of fraud.

Because SAS 99 aims to provide guidance to the auditors in detecting management fraud and because management often has both the opportunity to commit fraud and the skill to conceal it, SAS 99 also requires auditors to verify responses and eliminate inconsistencies through outside corroboration with vendors, agents, bankers, and others. Furthermore, auditors may seek information from employees at varying levels within the company and from you. A real estate business, for example, could expect questions to be directed to owners, senior management, building managers, building office personnel, internal leasing staff, and bookkeepers, as well as in-house counsel. In particular, you may be asked about any unusual or complex transactions.

Management override of internal controls has historically been a troublesome area, and because of that you may well be asked about your experience with such overrides and your involvement in designing procedures to deal with them.

You can also expect to be asked about the effectiveness with which management has communicated its expectations of honesty, accuracy, and completeness in financial reporting, including any reports of events where employees were disciplined or discharged for unethical behavior.

SAS 99 and the Sarbanes-Oxley Act

The more aggressive inquiries and enhanced skepticism required by SAS 99 can aid public companies in fulfillment of Sections 302 and 404 of the Sarbanes-Oxley Act. Those sections require that CEOs, CFOs, and independent auditors and committees:

  • Certify the accuracy of financial statements and disclosures;
  • Indicate in each periodic report whether or not there were significant changes in internal controls or related factors since their most recent evaluation and disclose all deficiencies in the design or operation of internal controls;
  • Provide auditor's attestation to, and report on, management's assessment of the internal controls and procedures for financial reporting; and
  • Report that controls and procedures for financial reporting and disclosure have been evaluated for effectiveness within the past 90 days.

Section 404 explicitly requires an annual evaluation of internal controls and procedures for financial reporting. A corporation must document its existing controls that have a bearing on financial reporting, test them for effectiveness, and report on gaps and deficiencies. Furthermore, the company's independent auditor must issue a report, to be included in the company's annual report, that attests to management's assertion on the effectiveness of internal controls and procedures over financial reporting.

These concerns directly parallel those of SAS 99, and the data it provides can be helpful in fulfilling Sarbanes-Oxley requirements.

Conclusion

For in-house counsel, the general impact of SAS 99 may be increased involvement in the audit process. SAS 99 is likely to require you to respond to a broader range of questions from both auditors and employees. The results of your increased involvement will be a keener understanding of your company's internal controls and antifraud measures, a clearer view of risk areas, and, possibly, facilitated satisfaction of Sarbanes-Oxley requirements.



Marc Kaplan, CPA, CFE, CVA; Robert Sattler, CPA (rsattler@BERDONLLP.com); New York
