• Let’s Discuss: Auditors and The Responsibility to Detect Fraud

    By | November 21, 2012

    When I finally got around to writing about the HP/Autonomy finger-pointing party yesterday, the topic of fraud detection by auditors came up as it often does in these scenarios. More specifically, the statement that "audits are NOT designed to detect fraud."

    A friend of Going Concern emailed me later in the day with a question:
    So, what should I make of this?
    <<< Section 110, Responsibilities and Functions of the Independent Auditor, paragraph .02, states, "The auditor has a responsibility to plan and perform the audit to obtain reasonable assurance about whether the financial statements are free of material misstatement, whether caused by error or fraud. [footnote omitted]" fn 1 This section establishes requirements and provides direction relevant to fulfilling that responsibility, as it relates to fraud, in an audit of financial statements. fn 2 >>>
    GC Friend had a point, and I had written that statement as clear as it needed to be. So I emailed back, explaining further:
    What you should make of it is a debate of form over substance, so you're going to get a bit of a walk back here, but just slightly — what I should have written is that audits in substance are not designed to detect fraud, regardless of what auditing standards (i.e. the form) are, because the procedures largely amount to checklists that include awkward conversations between auditors and management and key personnel. 
    Audit Partner: "So, was there any fraud this year?"
    CFO: "Nope."
    Audit Partner: "Okay, great. Lunch?"
    Even under inspection an auditor can point to workpapers and say, "Look, we designed the audit to detect material misstatement due to fraud and performed these procedures. Says so right there." The inspectors will shrug and say, "Yep, says so right there," and go on their way. 
    But when something like Autonomy happens, everyone wants an explanation as to how something could get by the auditors. It gets by them because their audit procedures are, in substance, not designed to detect the fraud that occurs because usually there is some collusion (as alleged in this case) or something else going on that won't be detected by these cursory methods. The auditors can then claim, quite sheepishly, that they were fooled or misled by management and then roll out talking points about the expectations gap. 
    Without implementing some kind of supplemental procedures (e.g. forensic auditing) when certain suspicious flags are raised, audits are never really going to be designed to detect fraud.  
    I felt pretty good about my retort and GC Friend is the strong-headed type, plus I am an easy person to disagree with so I didn't expect any kind of concession. His response:
    Okay, I accept that.
    My problem with the statement that "audits aren't designed to detect fraud" is that this is the B.S. fallback position of every accounting firm that gets caught with its pants down. It's propaganda when used this way as a defense. Andersen tried it with Enron and Worldcom. Ernst tried it with Healthsouth. Etc.
    If you're saying "audits aren't designed to detect fraud" as an indictment and a criticism of the profession, I have no problem with that, as long as it's clear to the reader that auditors have a responsibility to try to detect fraud. The auditing standards say so. If the auditors aren't trying to detect fraud, that's a serious problem and probably a 10(b) violation, too, because they say in their opinion letters that they complied with the auditing standards when they did their audits. It's not some expectations-gap B.S. like the Big Four and the AICPA would like the public to believe.
    Which I agree with 100%. Again, it's a substance over form debate. Auditors will ALWAYS claim that they performed their duties in accordance with the applicable professional standards. When was the last time you heard an audit firm say, "We pass on GAAS all the time."? Unsurprisingly, it didn't happen today.  
    Anyway, after a little more back and forth, GC Friend simply sent over this quote from Lawrence Dicksee's "Auditing":
    "The detection of fraud is a most important portion of the auditor's duties, and there will be no disputing the contention that the auditor who is able to detect fraud is — other things being equal — a better man than the auditor who cannot. Auditors should therefore assiduously cultivate this branch of their functions — doubtless the opportunity will not be long for wanting — as it is undoubtedly a branch that their clients will most generally appreciate."
    Something tells me clients would appreciate it. I guess it depends on who the auditor considers to be "their client."
    But that's a whole other debate. We'll turn this discussion over to the professional opiners now since they may have some thoughts on this.


    • me

      Auditors have a vested interest in the status quo. Audits are not designed to detect fraud, were never designed to detect fraud, and likely will never be designed to detect fraud. Yep, the auditors have to consider whether there is the risk of fraud or actual fraud, but beyond that, their responsibilities are very limited. Why would they want to change that and open themselves up to more liability?

    • Southern CPA

      Fraud is a crime. Auditors are not police investigators. They do not spend days tracking down fraud using all available resources. If it’s found, great. But fraud, by nature, is hard to find, because it’s usually hidden well.

      If the purpose of an audit is to find fraud, then perhaps the FBI needs to be involved in every audit.

    • britman 2

      Well then, if auditors are not supposed to detect material misstatements, including fraud, what exactly is the purpose of a financial statement audit? Enlighten me, please.

      • Southern CPA

        All frauds are material misstatements, but not all material misstatements are fraud. Material misstatements due to plain ole incompetence should be found, and not finding them would be considered an audit failure.
        Fraud is a separate category. An audit could certainly be designed to do a better job of detecting fraud, perhaps by bringing in forensic accountants. Or, perhaps by checking every single transaction.
        Now, would the companies (i.e. the shareholders) be willing to pay for that level of an audit?
        I’m not defending the financial statement audit, I think it has a lot of flaws and in many ways is useless. Certainly, the idea of independence is a joke, considering the auditor is paid by the company who is being audited.

        • Guesticle

          All frauds are material misstatements? I’d say that’s BS. All fraud committed by management is material even if it isn’t a big number. But some AP clerk diverting cash to her own bank account probably wouldn’t be material, some fixed asset clerk capitalizing certain expenses to make her department look better probably isn’t material.

        • Guest

          Not all frauds are material misstatements. Remember asset misappropriation is considered fraud; really who hasn’t committed this to some degree? Everybody who uses the company’s bandwidth to view a website that isn’t related to their job or using a company vehicle for personal use is committing asset misappropriation, but it is far from being material that anyone really cares about.

        • Investor

          You could argue all frauds are qualitatively material, but not quantitatively. For example, an executive running through $50k in personal expenses likely isn’t misappropriating a material sum of money, but the act itself is cause for concern for any stakeholder.

        • Barry Mincow

          your first statement is dead ass wrong. sorry.

    • gddogger

      If the “client” is the company, in appearance and in fact, our current system is great for them! But, I don’t think that works very well with the capital markets or the public at large.

      The idea of the company-as-the-client does not allow for full information or full disclosure to the marketplace. In fact, short sellers do a much better job with a BS detector than us auditors! IMHO, the market for internal and external auditors is evolving and may cast us aside because of our company clients paying the bills and our true end customer (the investing and general public) tuning us out.

      The solution for us auditors can be answered by the answer to this question: “Who is our boss?” If it’s the public writ large, then our laws, rules, regulations, and audit mentality must change to conform with this new reality. If it is the company, then status quo is okay and the public will continue to discount our opinions and move to alternatives.

    • Guest4Ever

      Audits are pointless. If the company pays you, you aren’t independent and we can stop the discussion right there.

      • Another Dumb Comment

        you are certainly a positive person who avoids generalizations.

    • you

      And then, of course, there is reasonable assurance which is not absolute assurance.

    • guesticle

      The standard says…”plan and perform the audit to obtain reasonable assurance that the financial statements are free of material misstatement…” You can actually stop it right there because how the financial statements are materially misstated isn’t relevant in my opinion. The problem becomes that a material misstatement that exists as a result of fraud is most likely going to be the result of management override of controls along with collusion amongst multiple people. When that happens, it’s almost impossible to detect fraud in a timely manner. No system of internal controls can be designed to prevent or detect management override when there is collusion, it’s just not going to happen. Auditors are required to classify management override as a significant risk to the audit and are required to design procedures to detect it, however those procedures are like trying to find a needle in a haystack. You might get lucky, but more times than not, you won’t. Think about an example whereby a client “channel stuffs” and is in cahoots with the customer to sign a confirmation sent by the auditor or enters into a “side agreement” with the Company. No amount of diligence is going to catch that timely. So I would disagree that we aren’t supposed to find fraud, I would just point out that it’s almost impossible to do so in a timely manner.

      I will tell you that I think the PCAOB is actually hampering the efforts of auditors to some extent. All the audit firms really care about anymore is appeasing the PCAOB beast that can never be appeased. Consequently they spend more time doing things they think the PCAOB will want them to do (which may or may not really need to be done) or spend even more time documenting ad nauseam why those procedures don’t need to be done, that they don’t have time to focus on what really matters. As an example, I’m a senior manager at one of the Big 4. We’ve written a memo around why something isn’t a risk. We’ve thought through it and documented it to the Nth degree. Anyone that really understands my client’s business would agree, however everyone is so afraid of the PCAOB that we’ve had to have it reviewed and reviewed again. I am about to send this memo to a 6th partner to review, and of course everyone has to put in their 2 cents, so I keep revising something that should have been put to bed months ago and none of the edits are really substantial. It would be funny if it wasn’t so sad, but that’s the environment we live in now. We’ve got to make sure every judgment is 100% bullet proof because we have a regulator that has 1 goal, which is to find fault with your audit. They don’t really care about audit quality, they care about telling us why we aren’t doing quality audits.

      • Southern CPA

        Again, it becomes an issue of resources. It takes time to find a fraud, for the reasons you mentioned. It’s hard to flush out a fraud in the amount of time that is needed to get the audit completed on time, and get the financial statements filed on time. I guess, we could issue audit reports three years after year-end, and that would give plenty of time to find fraud. But do end users want to wait three years for audited financials?

        It comes down to what people want. What companies want. What the government wants. Investors and the government want something that is quick, complete, and infallible. Companies want something that is quick and cheap. Right now, the system benefits the companies.
        Are investors willing to shave something off of EPS to pay for a more expensive, more detailed, more complete audit? Are investors willing to have the government oversee all audits, and have companies pay a fee/tax to cover the expense of this enhanced audit? Are investors willing to wait a longer period of time for supposedly “better” information? Does the audit community even have the capacity and the people to dramatically expand audits?
        I have no answers… I just see that we are probably not providing what the investors want.

        • Guesticle

          What would really be beneficial would be to audit to what investors care about, which isn’t GAAP earnings. We spend so much time on asset impairment, as an example, and nobody gives a shit about it. Any impairment gets adjusted out immediately. Lease accounting (capital vs operating), nobody cares. The problem is that GAAP has tried to get so precise with everything but at the end of the day, all it has done is confuse the issue. Hell I can barely understand my client’s footnotes, so I know the “users” don’t and probably don’t care to since most of the info is stuff they don’t care about.

          • Southern CPA

            So then… what do the investors care about? (I agree with you that the minutiae that auditors spend so much time on, no one cares about).

            • Investor

              Sustainable free cash flow.

      • Autonomy Iceberg

        yep, you hit it right on. the pcaob is busy telling us that we don’t “completely” document our thinking on this issue or that matter but everyone agrees the accounting is proper. so the profession has burned millions of excessive hours, and asked their clients to burn millions more to appease the appetite of the pcaob. it would be a far richer and more effective product if the pcaob could rise above making the easy shit bullet proof and spend some time on the harder part of any audit, which is detecting fraud.

      • balclutha

        A star partner isn’t going to leave his firm to lead an inspection practice and an up and coming snr manager isn’t going to move to the PCAOB to accelerate their path to the partnership; instead, it’s the down and out auditors that are sick of their firms but not ready for industry and they do carry a chip on their shoulders. It’s on par with why investment bankers think so lowly of their peers at the rating agencies. So you may be correct in claiming they’re more interested in nitpicking than fostering audit quality.

        To the topic of our regulated environment, as the audit firms incessantly worry about PCAOB inspection results, clients increasingly do not see the relevance and value of the incremental audit procedures. This loss of value perception hurts fees when they are needed most to pay for the extra work and the required investment in our quality organizations.

        One way to partially remedy the situation is to subject management to some sort of inspection risk. Say the PCAOB could inspect management’s basis that was used to support signing a 302 certificate. If deemed inadequate, a fine would be assessed. Now I’m sure the fee would be covered partly by those pricey D&O policies, but the risks to their reputation and employment will motivate CFOs to be more cognizant of the shifting/expanding expectations of the PCAOB. And give us a greater chance to commiserate with our clients.

    • You can count beans and trace them back to their sources, good. But can you adequately question the assumptions behind the accruals? That would be valuable. In all of the 18 years that I sat on the other side of the table from auditors, I only saw that done successfully once. It needs to happen more.

    • Gust

      Oh boy. It’s hard to excuse an alleged fraud of this magnitude and I don’t work for Deloitte – but – you have a potentially collusive fraud that is a) not detected (or I suppose called out – bring on the orange jumpsuits) by the presumably many senior employees not involved who live at the company b) the board of directors including the audit committee and c) an independent due diligence review by a different accounting firm and we expect the poor suckers who go in for a few weeks as outsiders to find it? If it turns out they fucked up an interpretation of revenue recognition or fair value of something, or played some version of don’t know-don’t tell – hey, fair game. But otherwise the jury is out for me.

      • IFRS Wild West

        Deloitte UK will be protected by IFRS. Remember that is “principles” based accounting.

    • SrMgrBig4Audit

      The funny thing is we’re going the exact opposite way due to increased regulation. For example, the PCAOB is focusing in on such details around certain types of controls and essentially forcing firms to perform quasi substantive procedures when testing controls – none of which helps the audit of the actual financial statements.

      We’re wasting so much time on things that don’t matter, when it’s discussed in trainings, not meeting these ever changing thresholds of nonsense is being referred to as “inspection risk”. The extra time we spend on the types of minor matters takes time away from conducting the actual audit.
      The PCAOB employs very intelligent people, however, not very wise, as they cannot understand that all the extra work spent around minor things in such detail takes away from the audit. Their focus is reducing overall audit quality. Looping back to the point of this article, there’s simply no more time beyond conducting the SAS 99 inquiries, etc.

    • If profit includes revenue from fraudulent activity then accounts are not true and accurate, end of!!

    • Can’t Catch This

      The problem is the client has zero responsibility to document and assess possible fraud schemes, and in my 26 years in the profession I have never seen a client take fraud risk in a serious manner. Of course the audit dweebs have a professional responsibility to plan the audit to detect blah blah, but unless the public clients are also held accountable to even minimum standards by the SEC (other than the poorly worded FCPA nonsense).

      Anyhow, all the parties (SEC/public clients and PCAOB/audit firms) need to start with a clean sheet of paper and reboot this area.

      • Guesticle

        Well a risk assessment is part of the COSO framework, so they do have that responsibility, of course most have no clue how to do it