SAS 99 defines fraud as an intentional act that results in a material misstatement in financial statements.
There are two types of fraud considered: misstatements arising from fraudulent financial reporting (e.g. falsification of accounting records) and misstatements arising from misappropriation of assets (e.g. theft of assets or fraudulent expenditures).
The brainstorming session is to be conducted in a manner that models the proper degree of professional skepticism and sets the culture for the entire audit.
This section specifically requires that improper revenue recognition and management override of controls be considered.
SAS 99 provides specific examples of programs and controls for both large and small businesses.
Auditors must document: (1) how and when the brainstorming session occurred and who participated, (2) procedures performed to obtain information to identify and assess fraud risk, (3) specific risks of material misstatement due to fraud (must specifically include discussion of revenue recognition) and the auditor's response to those risks, (4) results of the procedures performed to address the risk of management override of controls, (5) conditions and analytical relationships that led to additional audit procedures or other responses, and (6) nature of communications about fraud made to management and others.
For example, it is suggested that auditors consider surprise procedures like showing up unannounced for an inventory count.
Telling clients which locations are going to be audited makes it easier to commit inventory fraud.