Uncategorized

SAS 99 and the Fraud Standard: How It Evolved into AU-C 240 and the Audit Fraud Framework

SAS 99 was the AICPA fraud standard that rewired how auditors think about fraud, and its framework lives on today in AU-C 240. Issued in 2002 in the wake of Enron and WorldCom, Consideration of Fraud in a Financial Statement Audit gave auditors the fraud triangle, the mandatory brainstorming session, the rebuttable presumption that revenue recognition is a fraud risk, and required testing of journal entries. The standard number is retired, but the framework is the one every non-issuer auditor still applies.

Key takeaways

  • SAS 99, Consideration of Fraud in a Financial Statement Audit, was issued by the AICPA Auditing Standards Board in 2002 and is now codified, with its framework substantially intact, in AU-C 240 (AICPA SAS No. 99; AU-C 240).
  • The standard builds on the fraud triangle: incentive or pressure, opportunity, and rationalization or attitude, the three conditions generally present when fraud occurs (AU-C 240.A1, Appendix A).
  • It requires the audit team to hold a brainstorming discussion about how and where the financial statements might be susceptible to material misstatement due to fraud (AU-C 240.15).
  • It establishes a rebuttable presumption that improper revenue recognition is a fraud risk, and it treats management override of controls as a risk present in every audit (AU-C 240.26, .31).
  • It requires the auditor to test the appropriateness of journal entries and other adjustments for evidence of possible material misstatement due to fraud (AU-C 240.32).

What is SAS 99?

SAS 99 is Statement on Auditing Standards No. 99, the AICPA Auditing Standards Board’s fraud standard issued in October 2002. Its title is Consideration of Fraud in a Financial Statement Audit. It superseded SAS No. 82 and was the profession’s direct response to the wave of accounting scandals at the turn of the millennium that exposed how passively auditors had been treating the risk of fraud.

The standard distinguishes two types of misstatement arising from fraud. Fraudulent financial reporting is intentional misstatement or omission of amounts or disclosures designed to deceive financial statement users, such as overstating revenue or hiding liabilities. Misappropriation of assets is the theft of an entity’s assets, often accompanied by false records to conceal it. The auditor’s responsibility is to obtain reasonable assurance that the financial statements are free of material misstatement, whether caused by error or fraud.

SAS 99 reframed fraud consideration as an active, continuous part of the audit rather than a checklist at the end. It required the auditor to gather information to identify fraud risks, assess those risks, design responses, and exercise professional skepticism throughout. As part of the AICPA clarity project, SAS 99 was recodified as AU-C Section 240, which carries the same title and preserves the framework. So while practitioners still say SAS 99 out of habit, the operative citation for a non-issuer audit today is AU-C 240.

Why SAS 99 matters

SAS 99 matters because it changed the auditor’s mindset from assuming honesty to applying professional skepticism. The pre-SAS 99 posture treated management as truthful unless evidence suggested otherwise. SAS 99 required the auditor to plan and perform the audit recognizing that material misstatement due to fraud could exist regardless of any past experience with the entity or any belief about management’s integrity. That shift in default assumption is the most important thing the standard did.

The fraud triangle gave auditors a structured way to think about where fraud lives. When all three conditions are present, fraud is more likely: a pressure or incentive to commit it, an opportunity created by weak controls or override ability, and a rationalization that lets the perpetrator reconcile the act with their self-image. Auditors use the triangle to identify and evaluate fraud risk factors during planning, and the same model underpins how forensic specialists frame an investigation, which is why the triangle appears throughout our forensic accounting coverage.

The standard also matters because it named the two areas where fraud most often hides. Improper revenue recognition carries a rebuttable presumption of fraud risk, because revenue is the line most often manipulated to hit targets. Management override of controls is treated as a risk in every audit, because the people who design and run the controls are the ones positioned to defeat them. These are not abstractions. They map directly onto the warning signs catalogued in our guide to financial statement fraud red flags.

How SAS 99 works (the requirements)

The fraud consideration runs through the whole audit, from planning to the final review. AU-C 240 organizes it into a sequence of required steps.

Professional skepticism

The auditor maintains professional skepticism throughout the audit, recognizing the possibility that a material misstatement due to fraud could exist regardless of the auditor’s past experience with the entity’s honesty and integrity (AU-C 240.12 through .14). This is the attitude that animates every other requirement.

The brainstorming discussion (AU-C 240.15)

Members of the engagement team discuss the susceptibility of the entity’s financial statements to material misstatement due to fraud. The discussion sets aside any belief that management is honest and considers how and where the financial statements might be vulnerable, how management could perpetrate and conceal fraudulent reporting, and how assets could be misappropriated. The discussion is required and is documented.

Risk assessment procedures

The auditor performs procedures to obtain information used to identify the risks of material misstatement due to fraud: inquiries of management, those charged with governance, internal audit, and others; consideration of fraud risk factors; analytical procedures; and consideration of other information (AU-C 240.17 through .24). Fraud risk factors are events or conditions that indicate an incentive or pressure, an opportunity, or a rationalization, the three elements of the fraud triangle.

The presumption of revenue recognition risk (AU-C 240.26)

The auditor presumes that there are risks of fraud in revenue recognition and evaluates which types of revenue or assertions give rise to those risks. The presumption is rebuttable: if the auditor concludes that revenue recognition is not a fraud risk in the circumstances, the auditor documents the reasons for that conclusion.

Responses to assessed fraud risks

The auditor designs responses at the overall financial statement level, such as assigning more experienced staff and adding unpredictability to procedures, and at the assertion level for identified fraud risks (AU-C 240.28 through .30). Identified fraud risks are treated as significant risks.

Management override and journal entry testing (AU-C 240.31, .32)

Because management is uniquely able to override controls, the auditor addresses that risk on every audit regardless of any specific assessment. The required procedures include testing the appropriateness of journal entries recorded in the general ledger and other adjustments, reviewing accounting estimates for bias, and evaluating the business rationale for significant unusual transactions. Journal entry testing targets entries that are unusual in nature, posted at period end, made to seldom-used accounts, or otherwise outside the normal flow.

The fraud triangle and the auditor’s response

Fraud triangle element What it means Example risk factor Auditor response under AU-C 240
Incentive or pressure A reason to commit fraud, often financial or performance pressure Debt covenants near breach, aggressive earnings targets, equity compensation tied to results Heightened skepticism over revenue and earnings-sensitive estimates; consider risk at the financial statement level (AU-C 240.24)
Opportunity A situation that allows the fraud to be committed and concealed Weak segregation of duties, dominant CEO, significant related-party transactions Test controls or shift to substantive procedures; address management override on every audit (AU-C 240.31)
Rationalization or attitude A mindset that lets the perpetrator justify the act History of regulatory issues, known disregard for controls, strained management-auditor relationship Factor into the brainstorming discussion and overall risk assessment; increase unpredictability (AU-C 240.15, .28)
Revenue recognition (presumed risk) Revenue is the line most often manipulated Bill-and-hold arrangements, channel stuffing, cutoff manipulation Presume a fraud risk unless rebutted and documented; design specific responses (AU-C 240.26)
Management override (always present) Management can defeat otherwise effective controls Top-side journal entries, late adjustments, estimate bias Mandatory journal entry testing, estimate review for bias, scrutiny of significant unusual transactions (AU-C 240.32)

The triangle is not a scoring system. It is a lens for identifying where the three conditions coincide, because that is where fraud risk concentrates. The two rows at the bottom of the table are the standard’s non-negotiables: revenue is presumed risky until proven otherwise, and management override gets tested on every engagement.

Worked example: applying the fraud framework to a revenue scheme

Assume an auditor is planning the audit of Meridian Software for the year ending December 31, 2025. The company has a December bonus pool tied to hitting an annual revenue target, and the sales team has wide latitude over contract terms. Here is how the AU-C 240 framework runs.

Brainstorming (AU-C 240.15). The team discusses how Meridian could overstate revenue. The bonus pool is a pressure, the sales team’s latitude is an opportunity, and a culture of hitting the number at all costs is a rationalization. All three elements of the triangle line up around year-end revenue.

Presumed revenue risk (AU-C 240.26). The auditor does not rebut the revenue presumption. Cutoff and the existence of recognized revenue near year end are identified as fraud risks and treated as significant risks.

Risk factors and inquiry. The auditor inquires of sales operations and finance and learns that several large contracts were signed in the last week of December with unusual side letters granting extended acceptance periods. Side letters that modify the arrangement are a classic mechanism for premature recognition.

Response. The auditor designs procedures responsive to the fraud risk: examining the actual signed contracts and any side agreements, confirming terms directly with customers, testing whether the performance obligations were satisfied before year end, and evaluating cutoff in detail (AU-C 240.30). The auditor also adds unpredictability by testing transactions the company would not expect to be selected.

Management override (AU-C 240.32). Independently of the revenue work, the auditor extracts the full population of journal entries and selects entries that are large, posted at period end, made to revenue or to seldom-used accounts, or recorded by unusual users. Suppose the auditor finds a $400,000 top-side entry posted on December 31 with a vague description that increased revenue. The auditor investigates the business rationale and the supporting documentation.

Evaluation. If the side letters and the top-side entry indicate revenue was recognized before the performance obligations were satisfied, the auditor evaluates the misstatement, considers whether it indicates fraud, and communicates with those charged with governance (AU-C 240.40). If management is implicated, the auditor reconsiders the integrity of other representations and the reliability of other evidence.

The example shows the framework working as designed: the triangle flags where to look, the revenue presumption forces specific work, and mandatory journal entry testing catches the override that the revenue procedures might miss.

Recent changes (effective dates, superseding standards)

SAS 99 as a numbered statement is retired. Its content was recodified in the AICPA clarity project and now lives in AU-C 240, which carries the same framework. The number people still cite refers to the framework, while the operative standard is AU-C 240.

Common pitfalls under this standard

Frequently asked questions

Is SAS 99 still in effect?
The framework is, but the numbered statement is not the operative citation. SAS 99 was recodified as AU-C 240 in the AICPA clarity project. Auditors of non-issuers apply AU-C 240, which preserves the fraud triangle, brainstorming, revenue presumption, and journal entry testing from SAS 99.
What is the fraud triangle?
It is the set of three conditions generally present when fraud occurs: incentive or pressure to commit fraud, opportunity to carry it out and conceal it, and rationalization or an attitude that justifies it. Auditors use it to identify fraud risk factors during planning (AU-C 240, Appendix A).
Why is revenue recognition a presumed fraud risk?
Because revenue is the financial statement line most frequently manipulated to meet targets. AU-C 240.26 establishes a rebuttable presumption that improper revenue recognition is a fraud risk. The auditor can rebut it only by concluding and documenting that it does not apply in the circumstances.
What is management override of controls?
It is the ability of management to defeat controls that otherwise operate effectively, for example by recording top-side journal entries or manipulating estimates. AU-C 240.31 treats it as a risk on every audit, and AU-C 240.32 requires specific procedures, including journal entry testing, to address it.
What is the difference between SAS 99 and AU-C 240?
They are the same framework. SAS 99 was the 2002 statement; AU-C 240 is its recodified location after the clarity project. When someone cites SAS 99 today, they are almost always referring to the requirements now found in AU-C 240.
How is SAS 99 different from PCAOB AS 2401?
SAS 99 and its successor AU-C 240 govern audits of non-issuers under AICPA standards. PCAOB AS 2401 is the parallel fraud standard for audits of issuers. Both descend from the same 2002 reform and share the fraud triangle and the focus on revenue and management override, but they are maintained by different bodies.
Does the auditor guarantee fraud will be detected?
No. The auditor obtains reasonable, not absolute, assurance that the financial statements are free of material misstatement, whether from error or fraud. Fraud involving collusion or forgery can evade even a properly designed audit, which AU-C 240 acknowledges.
What journal entries does the auditor target?
Entries that are unusual in nature or amount, posted at or near period end, made to seldom-used or unrelated accounts, recorded by users who do not normally make them, or lacking adequate description or support. These characteristics flag the entries management override most often uses (AU-C 240.32).

Bottom line

SAS 99 was the post-Enron fraud standard that made fraud consideration an active, skeptical part of every audit, and its framework now lives in AU-C 240. The fraud triangle directs where auditors look, the brainstorming session forces the team to imagine how the entity could be defrauded, the rebuttable revenue presumption and the always-present management override risk define the two highest-risk areas, and journal entry testing is the mandatory procedure that catches the override others miss.

Sources and methodology

AICPA Statement on Auditing Standards No. 99, Consideration of Fraud in a Financial Statement Audit (2002), recodified as AU-C Section 240, including AU-C 240.12 through .14 (professional skepticism), .15 (engagement team discussion), .17 through .24 (risk assessment procedures and fraud risk factors), .26 (presumption of improper revenue recognition risk), .28 through .30 (responses to assessed risks), .31 (management override), .32 (journal entry testing, estimate review, significant unusual transactions), .40 through .42 (communication), and Appendix A (the fraud triangle and examples of fraud risk factors). Interaction with AU-C 315 as revised by SAS 145, effective for periods ending on or after December 15, 2023. PCAOB AS 2401 is the parallel issuer standard. See also our learn hub, the financial statement fraud red flags guide, our forensic accounting coverage, and the companion explainer on PCAOB AS 2401.