Located in an extinct volcano basin at 9,000 feet in the Rocky Mountains is a small town I'll call "Gold Mine City." The places and people described here are real, but their names have been changed to protect the innocent, and the guilty! Since the 1860s, a bank operated in this town to serve the needs of gold miners, businesses and individuals. Quite large in its early years, the size of the bank had dwindled nearly to extinction in the middle to late 1900s.
The bank was operated for its shareholders by three employees; a vice-president, a cashier and a person that served as a teller and a secretary. A small board of directors located in a nearby town had oversight responsibility. In addition to semi-annual visits by auditors from the Controller of the Currency and the FDIC, a CPA firm was hired to perform annual agreed-upon procedures on behalf of the directors. I was the auditor that performed two such "directors' examinations."
Shortly after the last directors' exam, the town was stunned when the vice-president and cashier were found dead on a hillside overlooking the city. Their suicide note confessed nearly ten years of using bank assets to help needy ranchers, widows and poor people in the community! Aside from some operating cash, almost no bank assets remained! Years of audits had been conducted by regulatory auditors along with directors' exams performed by myself and other CPA firm employees. Notes were confirmed, loan files examined, cash accounts confirmed and reconciled, customer deposits were confirmed and supporting ledgers were reconciled by my team revealing only minor discrepancies.
So how did they these men perpetrate this fraud? First of all, many records were fabricated. Perfect loans files were constructed for each fictitious loan. Many loan disbursements and collections were fictitious, the product of a lapping scheme. However, collection systems were established to receive, sign and return all confirmation requests, most in very short turn-around times. Two complete sets of general ledger and supporting records were maintained; auditors saw only the fabricated set. These uneducated mountain folk were very smart!
You are probably asking, how did all the auditors fail to detect this massive fraud? I don't know about the regulatory people but I can answer for myself. I fell prey to the "familiarity threat" recently discussed in the AICPA's Conceptual Framework on Independence. Essentially, this threat occurs when an auditor becomes overly familiar with a client's management or staff personnel. It can happen when a CPA serves a client for a prolonged period of time. As in my case, I liked the bank employees and had developed a personal relationship with them. Because I liked and trusted these men, my professional skepticism was severely diminished. I should have asked some obvious questions:
1. How can any small bank have perfect loan files?
2. How can almost all notes and deposits confirmations be returned without exception?
3. How can such a small bank have very few loan collection deficiencies?
4. How can there be almost no discrepancies from all the procedures performed by auditors?
SAS No. 99 and Practice Alert 98-3 reinforced many lessons learned the hard way by some of us. Auditors must look beyond what we see. We must evaluate what we see with objectivity and high levels of professional skepticism. A challenging, questioning attitude can be our greatest defense. Some call it the auditor's sixth sense. Let down one's guard and there may be no sense at all! Post a comment and share some of your lessons learned.