When I finally got around to writing about the HP/Autonomy finger pointing party yesterday, the topic of fraud detection by auditors came up as it often does in these scenarios. More specifically, the statement that "audits are NOT designed to detect fraud."
So, what should I make of this?<<< Section 110, Responsibilities and Functions of the Independent Auditor, paragraph .02, states, "The auditor has a responsibility to plan and perform the audit to obtain reasonable assurance about whether the financial statements are free of material misstatement, whether caused by error or fraud. [footnote omitted]" fn 1 This section establishes requirements and provides direction relevant to fulfilling that responsibility, as it relates to fraud, in an audit of financial statements. fn 2 >>>
What you should make of it is a debate of form over substance, so you're going to get a bit of a walk back here, but just slightly -- what I should have written is that audits in substance are not designed to detect fraud, regardless of what auditing standards (i.e. the form) are, because the procedures largely amount to checklists that include awkward conversations between auditors and management and key personnel.Audit Partner: "So, was there any fraud this year?"CFO: "Nope."Audit Partner: "Okay, great. Lunch?"Even under inspection an auditor can point to workpapers and say, "Look, we designed the audit to detect material misstatement due to fraud and performed these procedures. Says so right there." The inspectors will shrug and say, "Yep, says so right there," and go on their way.But when something like Autonomy happens, everyone wants an explanation as to how something could get by the auditors. It gets by them because their audit procedures are, in substance, not designed to detect the fraud that occurs because usually there is some collusion (as alleged in this case) or something else going on that won't be detected by these cursory methods. The auditors can then claim, quite sheepishly, that they were fooled or misled by management and then roll out talking points about the expectations gap.Without implementing some kind of supplemental procedures (e.g. forensic auditing) when certain suspicious flags are raised, audits are never really going to be designed to detect fraud.
Okay, I accept that.My problem with the statement that "audits aren't designed to detect fraud" is that this is the B.S. fallback position of every accounting firm that gets caught with its pants down. It's propaganda when used this way as a defense. Andersen tried it with Enron and Worldcom. Ernst tried it with Healthsouth. Etc.If you're saying "audits aren't designed to detect fraud" as an indictment and a criticism of the profession, I have no problem with that, as long as it's clear to the reader that auditors have a responsibility to try to detect fraud. The auditing standards say so. If the auditors aren't trying to detect fraud, that's a serious problem and probably a 10(b) violation, too, because they say in their opinion letters that they complied with the auditing standards when they did their audits. It's not some expectations-gap B.S. like the Big Four and the AICPA would like the public to believe.
The detection of fraud is a most important portion of the auditor's duties, and there will no be disputing the contention that the auditor who is able to detect fraud is -- other things being equal -- a better man than the auditor who cannot. Auditors should therefore assiduously cultivate this branch of their functions -- doubtless the opportunity will not be long for wanting -- as it is undoubtedly a branch that their clients will most generally appreciate."