<P> SAS 99 provides specific examples of programs and controls for both large and small businesses. The auditor should consider which controls mitigate the identified fraud risks. </P>
<P> The standard provides examples of conditions that may be identified during the audit that might indicate fraud. One example is management denying the auditors access to key IT operations staff, including security, operations, and systems development personnel. The auditors must determine whether the results of their tests affect their assessment. </P>
<P> The standard requires that any evidence that fraud may exist must be communicated to management and others. The level of severity is insignificant. </P>
<P> SAS 99 significantly extends the documentation requirements of the previous standard. Auditors must document: (1) how and when the brainstorming session occurred and who participated, (2) procedures performed to obtain information to identify and assess fraud risk, (3) specific risks of material misstatement due to fraud (must specifically include discussion of revenue recognition) and the auditor's response to those risks, (4) results of the procedures performed to address the risk of management override of controls, (5) conditions and analytical relationships that led to additional audit procedures or other responses, and (6) nature of communications about fraud made to management and others. </P>

AICPA’s SAS 99 consideration of financial fraud in financial statement audit