From the perspective of global anti-bribery compliance, whether the FCPA, UK Bribery Act, or other anti-bribery regimes are involved, international lawyers, accountants, consultants, and other providing advice must be sensitive to the obligations of U.S. auditors under Statement of Auditing Standards (“SAS”) No. 99. SAS No. 99 applies regardless of whether an entity is subject to the accounting and record-keeping provisions of the FCPA.
SAS No. 99 requires management to disclose its “[k]nowledge of fraud or suspected fraud involving (1) management, (2) employees who have significant roles in internal control, or (3) others where the fraud could have a material effect on the financial statements.”[1] Management is also required to report its “knowledge of any allegations of fraud or suspected fraud affecting the entity received in communications from employees, former employees, analysts, regulators, short sellers, or others.”[2]
Among the risk factors to be taken into account are whether the entity has “[s]ignificant operations located or conducted across international borders in jurisdictions where differing business environments and cultures exist.”[3] Risk of material misstatements due to fraud may vary among operating locations or business segments of an entity. As a result, an auditor is required to identify the risks related to specific geographic areas or business segments, as well as for the entity as a whole.
An auditor should evaluate whether an entity’s “programs and controls that address identified risks of material misstatement due to fraud have been suitably designed and placed in operation.”[4] This would include compliance programs designed to prevent, deter, and detect fraud and programs designed to promote a culture of honesty and ethical behavior. In addition, specific controls designed to mitigate specific risks of fraud must also be evaluated. The evaluation should determine whether the programs and controls mitigate the identified risks of material misstatement due to fraud or whether there are deficiencies that may “exacerbate” the risks.[5]
[1]AU § 333.06 (1997 ed.).
[2]Id.
[3]Id.
[4]Id.
[5]Id., § 316.06.
