I'm an auditor, darn it, not an investigator, right?
Recent professional guidance, such as SAS 99, Consideration of Fraud in a Financial Statement Audit, and Public Company Accounting Oversight Board (PCAOB) Auditing Standard 2, has brought more attention to the auditor's responsibility to uncover the warning signs of fraud, but there is still some ambiguity about where the auditor's responsibility ends and the fraud examiner's begins.
Consider this scenario: A staff auditor reviewed various accrual accounts during a routine audit. He uncovered 10 manual entries made after the quarter's close that lacked sufficient supporting documentation and that significantly reduced the reserve balance for each account. The auditor reviewed the entries in the system and found the same explanation for each reduction: "reduce accrual by $1.5 million, per John Davies, corporate controller." The total amount of reductions came to $15 million, and was material to the financial statements of the company.
The auditor brought this information to the audit manager, who advised him to discuss the entries with the corporate controller. The controller provided verbal support for each entry. The auditor had no reason to disbelieve the controller, so he cited the lack of supporting documentation as an audit finding and completed the report. Six months later, news came out that the controller was adjusting various accrual accounts to manipulate earnings. The auditor was distraught about the situation, and questioned his own conduct and the audit procedures. The audit manager was asked to explain why the audit team did not pursue the findings and press for supporting documentation. The controller was terminated, and the company underwent an investigation by the Securities and Exchange Commission (SEC). The auditor continued to wrestle with himself: "I'm an auditor, not an investigator ... right?"
Auditors and forensic accountants share common attributes, but their roles differ significantly. Sometimes it can be difficult for auditors to understand their responsibilities for fraud detection, investigation, and prevention. Generally, companies call in a fraud examiner to conduct an investigation once fraud is suspected, but the auditor is the person who initially finds the red flags of potential fraud.
The auditor's role in fraud detection has a long history of confusion and controversy. In 1892, the widely used auditing textbook A Practical Matter for Auditors, by Lawrence Dicksee, expressed the view that the objective of an audit was the detection of fraud, technical errors, and errors of principle. It stated, "the detection of fraud is the most important portion of the auditor's duties." Shortly thereafter, the auditor's role in fraud detection started to evolve. In an 1895 British court case (London and General Bank), the court ruled that it was the auditor's responsibility to report to shareholders all dishonest acts, but that the auditor could not be expected to uncover all fraud committed in a company, although they should conduct all audits with reasonable care.
Fast-forward to the 21st century. The nature of the auditor's responsibility to detect fraud is still the subject of confusion. For example, a 2003 study of prospective jurors conducted by Camico, a provider of CPA malpractice insurance, found that 74 percent of respondents believe audits are designed to uncover all types of fraud. In fact, according to a 2006 Association of Certified Fraud Examiners (ACFE) Report, Report to the Nation on Occupational Fraud and Abuse, only 12 percent of fraud is initially detected by external auditors, while 50 percent came from employee tips, 20 percent came from internal audits, and 19 percent was detected by internal controls.
The management of public companies is required by PCAOB Auditing Standard 2 to develop and implement internal controls to prevent, detect, and deter incidents of fraud in financial reporting, and Section 404 of the Sarbanes-Oxley Act requires management to assess and report on the effectiveness of those internal controls on an annual basis.
Section 404 also requires external auditors to evaluate their clients' antifraud programs and internal controls, and to issue an opinion on management's assessment of internal controls. SAS 99 requires auditors to plan the audit to provide reasonable assurance that financial statements are free of material fraud. It also provides expanded guidance and recommended procedures for the detection of material fraud. SAS 99 specifies that auditors should adopt an attitude of professional skepticism toward clients, conduct brainstorming sessions to assess the risk of material fraud and how it could be concealed, conduct an assessment of a client's overall antifraud programs, and look for red flags that may indicate fraud. PCAOB Auditing Standard 2 reinforces this guidance.
Internal auditors also play a role in fraud deterrence. Institute of Internal Auditors Standard 1210.A2 requires internal auditors to possess sufficient knowledge to identify the risk indicators of fraud. Internal audit can assist with the prevention and detection of fraud by evaluating the adequacy and effectiveness of internal controls and by participating in the risk assessment process, which is a key step when evaluating whether internal controls are effective.
So, at what point does an auditor cross over the line into the realm of the investigator? No guidance exists that specifically states what steps an auditor must follow when he or she believes there may be a case of fraud. Often, the matter comes down to knowing when to explore and review more data. At this point, depending on the findings, the auditor decides whether to become an investigator. For example, an auditor who uses ratio analysis to detect unusual patterns or trends in account balances may satisfy the established guidelines, while an auditor who uncovers noticeable deviations and fails to conduct additional analytical techniques or audit procedures to determine the cause of the deviations may not.
If an audit fails to uncover existing fraud, the inevitable question is "Where were the auditors?" There is no shortage of court cases in which audit firms were found at fault for failing to detect or disclose material fraud. The auditor is not always culpable, but some of the primary reasons that an auditor may have failed to detect fraud include overreliance on client representations; failure to maintain an appropriate level of professional skepticism; failure to recognize that an observed condition may indicate a material fraud; lack of experience; or personal relationships with clients.
There is, however, a gap between what the public thinks auditors should do to detect fraud and what auditors are truly responsible for.
The Expectation Gap
In a November 2006 report, Global Capital Markets & the Global Economy, the CEOs of the six largest audit firms stated "there is a significant expectation gap between what various stakeholders believe auditors do, or should do, in detecting fraud and what auditors are capable of doing at prices companies or investors are willing to pay." The CEOs point out that fraud detection methods recommended under SAS 99 are not perfect, and that auditors are often restricted in their methods to detect the red flags of fraud. As an example, the CEOs cite the limitation of using indirect means during the audit, such as reviews of anomalies and interviews not conducted under oath, to ascertain if the possibility of fraud exists.
Among the recommendations directed at narrowing the expectation gap, the CEOs proposed a constructive dialogue among investors, other company stakeholders, policy makers, and accounting professionals. Some items for consideration include the following:
- Subject all public companies to a forensic audit on a regular basis
- Subject all public companies to a forensic audit on a random basis
- Let shareholders decide on the intensity of the forensic audit
- Let the audit committee decide on the level of the forensic audit
The CEOs also suggest penalizing those directly implicated for failing to uncover material fraud, rather than the entire auditing firm that employs them.
In contrast to the CEOs' viewpoint, PCAOB believes auditors should do more to detect fraud. In January 2007, PCAOB released a report, Observations on Auditors' Implementation of PCAOB Standards Relating to Auditors' Responsibilities with Respect to Fraud, based on observations made during its inspections of audit work performed by registered public accounting firms. In the report, PCAOB listed some key areas of concern:
- Overall approach to the detection of financial fraud
- Fraud-related inquiries
- Response to fraud risk factors
- Financial statement misstatements
- Fraud associated with management override of controls
PCAOB recommends that external auditors improve their fraud assessment techniques and better document their efforts to detect material fraud. In the report, PCAOB's inspection teams indicated that some auditors still appeared to mechanically check off items on standard audit programs and checklists without gathering additional documentation as evidence of the actual performance of procedures, and that audit planning did not always include brainstorming sessions to assess fraud risk. PCAOB reminds auditors that "careful attention to these requirements is important to best position auditors to detect material misstatements caused by fraud."
Despite the guidance concerning management's and the auditor's responsibilities to deter and detect fraud, the expectation gap is persistent because the public expects auditors to find fraud if it exists at all within a company.
Reducing this expectation gap requires an effort from all parties involved. Shareholders need to learn that auditors are neither capable of, nor responsible for, uncovering all fraud within an organization. Fraud, by its very nature, is collusive, and the essence of fraud is concealment. PCAOB should continue to apply pressure for compliance and oversee auditors' work to ensure they are using the necessary techniques to detect fraud. Auditors face the greatest challenge of all. The warning signs indicating potential fraud must be searched for, investigated, and documented more thoroughly. Auditors also should educate themselves about fraud detection through coursework and training.
Fraud is, and always has been, a significant business risk. All stakeholders share responsibility to uncover fraud and to take measures to reduce the risk of its occurrence. An expectation gap will probably always exist to some degree, but if the incidence of fraud does not decrease, this gap will continue to widen until there is even more government regulation, stricter enforcement actions, and ultimately a system requiring forensic audits on a routine basis. These actions will add to the cost of an audit and create a disruption to the business environment.
By Paul E. Zikmund, CFE, CFD, and Marge O'Reilly-Allen, CPA, PhD
Paul E. Zikmund, CFE, CFD, is a principal with the enterprise risk management and fraud forensic services sector of Solomon Edwards Group LLC in Wayne, Pa. He can be reached at firstname.lastname@example.org.
Marge O'Reilly-Allen, CPA, PhD, is chair of the accounting department at Rider University in Lawrenceville, N.J., and a member of the Pennsylvania CPA Journal Editorial Board. She can be reached at email@example.com.
Reprinted with permission from the Pennsylvania CPA Journal.