• Big 4

    Auditors and Fraud: Where Does Responsibility Lie in the Wake of the FDIC’s Win Against PwC?

    By | January 30, 2018

    In the waning days of 2017, a judge in Alabama found PwC was negligent in its audit of Colonial Bank. The Federal Deposit Insurance Corporation had sued the firm for failing to detect the fraud at the root of Colonial’s 2009 failure.

    Although Judge Barbara Jacobs Rothstein denied other claims brought by FDIC and the bankruptcy trustee for Colonial Bank, the negligence finding could be a watershed moment for the auditing profession and its duty to design its audits to detect fraud. Firms have long held that there is an expectations gap between what auditing rules require and what the public expects. PwC plans to appeal the ruling.

    Going Concern recently interviewed Brigham Young University Mary & Ellis Professor Mark Zimbelman about these developments. He teaches classes on auditing and fraud examination and focuses his research on preventing and detecting financial statement fraud. He and his son, South Carolina University Assistant Professor Aaron Zimbelman, write about these issues and more on their blog, FraudBytes.

    Ed. note: This interview was conducted via email and has been edited for length and clarity.

    Going Concern: How significant is the judge’s finding against PwC for the FDIC? Can you put it into context?

    Professor Mark Zimbelman: From what I’ve read about the potential monetary significance, this ruling could cost PwC up to $1 billion. Unfortunately, all we can do is speculate at this time, and $1 billion is probably the upper bound, but it will likely be real money.

    As for the significance in terms of legal and professional precedents, it seems the judge has made it clear that auditors must take their responsibility as it relates to fraud more seriously. I think the profession has generally considered fraud to be a secondary issue, even though auditing standards are clear that they are equally responsible for providing reasonable assurance that there are no material misstatements whether they are caused unintentionally (i.e., error) or intentionally (i.e., fraud).

    GC: Why do you think PwC auditors contradicted themselves about designing audits to detect fraud?

    MZ: As I talk to auditors, I’ve found there is a lot of confusion in the profession when it comes to designing audits to detect fraud. I spoke with a new hire from PwC last week who had taken my class on fraud the year before. In my class, I make it very clear that the auditing standards specify that auditors are responsible for providing reasonable assurance that there are no material misstatements due to fraud. However, he was already confused and said he had read the firm’s communication about the Colonial case and thought auditors don’t have responsibility for detecting fraud. Needless to say, I was a bit disappointed that he had forgotten what he learned the year before in my class!

    I believe the confusion is probably a result of a couple of things. First, fraud gets very little attention on most audits. Hopefully, they talk about it in the required fraud brainstorming session, but then they go back to ticking and tying and don’t really look for or talk more about fraud risk. Also, even the fraud brainstorming sessions can be very ineffective. I’ve participated in some of these, and in my experience, most partners simply wanted to go through the motions of the brainstorming session to make sure they can document they followed the standards and met the requirement. Occasionally, a partner really wanted to get something out of the session. He or she wanted to figure out where a material fraud may be occurring and change the audit plan to try to get assurance about fraud. If you’re on a job where the partner is just checking the box for fraud, then you get the implicit message that fraud isn’t important. On the other hand, if you’re working with the partner who takes the brainstorming session seriously, you get a different message.

    Another potential reason for the confusion may be that the standards have a history that may have caused some confusion. Several decades ago, auditors tried to avoid responsibility for fraud and even put it in their engagement letters that they weren’t responsible. The courts and even some members of Congress rejected that, and the expectation gap auditing standard on “irregularities” made it clearer that auditors had responsibility for fraud. However, even using the word “irregularity” in the standards was confusing and probably amounted to an attempt to avoid taking full responsibility for fraud. The first time fraud was clearly described in the standards, and the term “fraud” showed up, was in the 1990s with SAS No. 82. Then around the Enron/WorldCom era, SAS No. 99 clearly stated that auditors are responsible for fraud.

    Another potential reason why some auditors don’t understand they are responsible for fraud is that some of the senior partners in the firms today were managers and staff when Enron and WorldCom took place. They saw what it was like to take samples of single digits of transactions and conclude that a multimillion-dollar balance with hundreds of thousands of transactions was fairly stated. At this time, auditors were aggressively cutting costs. When the rash of frauds resulted around the turn of the millennium, auditors had a wake-up call with SOX, and the PCAOB required them to get serious again. I’ve heard that the pendulum may be swinging back toward less assurance and cost-cutting. If auditors are trying to cut costs, then looking for fraud is a way to do so. Getting assurance related to fraud is definitely harder than that for errors.

    It’s my opinion that a well-done audit will require a significant percentage of the effort directed at detecting fraud. This percentage is likely to be at least 20% and probably less than 50%, but from what I’ve heard, it appears that the effort now is probably in single digits in terms of percentage points. If auditors only spend, say, 20-30 hours of effort thinking about fraud on a 1,000-hour job, then it sends a message to the staff that fraud isn’t important and implies they aren’t responsible to look for it. I don’t know that this is the case on most audits, but this seems to be a reasonable approximation based on what I’ve heard from auditors who I’ve talked to. Many associate level auditors don’t think they do anything to look for fraud.

    GC: You co-wrote a paper about ten years ago that found that intervening audit planning with strategic reasoning and brainstorming helps auditors modify their work in response to fraud risk. Have you seen any evidence that firms are using these tactics today?

    MZ: They are required to conduct the fraud brainstorming session and, as I mentioned earlier, I’ve participated in some of these. However, I haven’t seen any evidence that the firms have made much of an effort to engage in strategic reasoning. I may be out of the loop though—at least I’d like to think some auditors are trying to think strategically.

    GC: Is there anything happening today that causes you to be optimistic about auditors detecting fraud in the future?

    MZ: I think blockchain technology has the potential to make it much easier to detect fraud. I am no expert in this area but, given my limited understanding, I could envision a future world where all transactions are documented in a public ledger and verification of balances, etc. becomes largely automated. In such a scenario, it would be much more difficult to create fictitious asset balances, such as accounts receivable, inventory or cash. Of course, we are still a long way away from that world, but things can change very quickly. If businesses used blockchain technology, then someone brighter than me could quickly develop a way to verify everything with a high level of assurance. It may be someone like Google who forces changes on the environment, however. I was recently told by a member of the PCAOB that leaders of the big firms are concerned that a tech company like Google could come in and disrupt the auditing world.

    GC: What prevents most partners from prioritizing the consideration of fraud? Is it the business relationship? Are they not equipped with the skills to imagine how fraud could occur in different contexts? Or is it something else?

    MZ: I believe there are probably a couple of things going on. First, as I mentioned earlier, there is a mistaken belief on the part of auditors, including partners, that they are not responsible for providing assurance for fraud. I’ve asked audiences of practicing auditors to answer the following true/false question: “Auditors are responsible for providing reasonable assurance that there are no material misstatements due to fraud.” About half of them answer “false” which is obviously wrong. As discussed in the Colonial case documents, some of the PWC auditors testified that they didn’t have this responsibility. That sort of confusion is a major reason why fraud isn’t a bigger priority.

    I also think it’s much more difficult to figure out what to do to look for fraud. Some of it is a lack of training but also it is just a lot easier to look for errors than it is for fraud. We had Cynthia Cooper [former Vice President of Internal Audit and whistleblower at WorldCom] speak at BYU [recently] and she commented that she thinks sampling ought to be outlawed on audits because we have the ability to do so much more with technology. We can sift and sort and screen transactions like she and her team did and discover what’s in the company’s books, but it means we need to do new things and think outside the box. Sampling is a lot easier but sampling won’t usually find fraud because fraud is often in a few transactions. I personally think sampling has a place in auditing for errors and there are also some times when it can help for fraud, such as in the HealthSouth case where the client was posting over a hundred thousand transactions each quarter but all of them were under the auditor’s scope. If the auditors would have stratified their population and taken a sample of those small items, they should have caught that fraud.

    Overall, I think auditors, like most humans, are resistant to change and prioritizing fraud would be a big change. Also, significant changes in audit services need to be universal or auditors who are trying to get serious about fraud will get pushback from some clients. I would like to see the PCAOB require auditors to do more for fraud. They’ve talked about it a lot but they haven’t done much yet. First on my list of changes would be to change the interviewing requirements. I would require auditors to spend significant amounts of time thinking about where fraud may be occurring using strategic reasoning and then think about who, in the lower levels of the company, might be involved in the fraud.

    Cynthia Cooper mentioned that some WorldCom employees had decided that if Cynthia would ask them about the transactions that they were going to tell her what was happening. Financial statement fraud usually requires a team to carry it out and, in most cases, there are some people on the team who want to stop and would like someone to ask them about it. The two WorldCom employees who keyed over 50 journal entries had gone so far as to write their resignation letters but they never resigned because of financial pressures. If the external auditor would have talked to them and asked them some good questions such as: “Have you ever been asked to do anything unusual or that you were uncomfortable with?” or “Have you ever been asked to post any entries that seemed to lack sufficient support?” they may have pointed the auditors toward the fraud.

    I personally think the skills needed to make these changes in audit procedures are not that hard to learn but someone needs to push the profession into widespread changes. The PCAOB is likely the best hope for this but the courts may beat them to it, as in the Colonial case.

    GC: How well does the academic community prepare future auditors to think more critically about fraud? What, if anything, should change?

    MZ: I think academia could do a better job preparing future auditors in the area of detecting fraud. The typical auditing course and textbook has very little in the way of teaching auditors how to think strategically and critically about fraud. Because the auditing standards are largely focused on detecting errors (e.g., the audit risk model and sampling are not really suitable for thinking about fraud), audit courses are also largely focused on detecting errors. I think the profession needs to change in order to get academia to change. We tend to supply what the profession wants of us. Again, significant change in the profession is most likely to take place if standard setters, such as the PCAOB or ASB, make substantive changes.

    GC: Detecting fraud requires a certain mindset. What role, if any, does psychology play in the training of an auditor to be better equipped to consider the possibility and potential for fraud?

    MZ: Academic models of the mindset that auditors need in order to detect fraud is best characterized in the economics literature on game theory. However, as in many areas of economics, the assumptions that economists make about human rationality are unrealistic. That’s where psychology comes in. Over the past few decades, an area of research that studies the intersection of psychology and game theory has provided some interesting insights. This research is known as behavioral game theory. The goal of this research is to help us understand how people actually behave in a strategic setting, such as that of detecting fraud. It shows that we have some pitfalls that we need to be aware of and provides some insights into how we can think more like the economists assume we think. I believe the training of auditors to help get in the proper mindset should definitely incorporate the insights that behavioral game theory research has to offer—especially as it applies to auditing.

    Image: iStock/Masuti

    • Elcontable

      Good interview, I have to agree with the professor. Most of the auditors dont take seriously the fraud assesment, in my two cents opinion, mainly because the partner dont take it very seriously either.

    • PwC Guy

      This always annoys the crap out of me. We design procedures to detect material misstatements. Period. It doesn’t matter whether it’s due to fraud or error. If the fraud is big enough to cause the financials to be materially off, then we should be catching it. If it’s not big enough to cause that, then who gives a F. Sampling is not supposed to find any examples of fraud, it is supposed to find MATERIAL fraud or errors. Only the people who don’t understand how risk works, the general public and that judge apparently, would freak out about trivial fraud. Investors don’t care if it doesn’t actually affect the financials.

      The reason more fraud-related audit work isn’t done is plain and simple. No partner wants to do more fraud procedures to find trivial stuff, because it means more hours booked on that job and less profit for them. They can’t turn around and pass that cost on to their clients, because no client will pay higher audit fees so their auditors can do more work to get to the same result. Once it becomes officially mandated to perform more extensive fraud procedures, the audit engagement partners will happily enforce it because they can tell their clients, “Gee, we’re so sorry we had to raise our audit fees. It’s not our fault, the government is making us do more work. Blame them, not us!”

      And thinking that those were good questions? Seriously??? Those are boilerplate fraud inquiries, which every single audit team is required to ask, and they never, ever, actually detect fraud. It’s not like the incredibly intimidating interns or staff, who are reading those Q’s off a printed off checklist, cause people to just breaks down and confesses to committing fraud.

      One final note and then my rant is done. Before Academia worries about teaching students to detect fraud, how about teaching them to actually do some auditing. Seems like 99% of students coming out of an audit class learned about the various audit reports that can be issued, and a couple other high-level but ultimately impractical nuggets of information, and have to learn everything on the job. Before you tell us to do a better job, maybe you should try to do the same.