Why auditors need to be sent to ‘Fraud School’
It is a question that always arises in the wake of any high-profile fraud: How could this have happened?
Too often, responsibility for fraud is passed along like a hot potato among members of the management team, outside consultants and the board. Ultimately, senior management has the responsibility to detect and prevent fraud. Unfortunately, according to a study of all of the Securities and Exchange Commission accounting and auditing enforcement actions brought between 1998 and 2007, in alleged accounting frauds the CEO and/or CFO was directly involved 89 percent of the time.
What’s even more clear? The financial impact of fraud is significant. According to a paper published by New York University Law School, the annual cost of corporate fraud to investors is in the range of $180 to $360 billion.
The prevalence of fraud in modern corporations is astounding when one considers the architecture that is in place intended to eliminate it. At any sizable public company, there is now a whole “financial reporting value chain” — including internal auditors, outside auditors, the audit committee, controller and CFO — designed to detect fraud and remediate it before it has a material impact on the company’s results.
The role of outside auditors
The investing public often has the impression that a company’s auditor prepares the financial statements on management’s behalf — while in fact the auditor is legally prohibited from doing so. Even the courts often show confusion about this issue, sometimes asserting that auditors have “certified” or guaranteed the accuracy of published financials that investors relied upon.
In the 2006 case of Deephaven v. Grant Thornton, the Tenth Circuit Court of Appeals clarified the role of the auditor: “Auditors do not ‘certify’ a company’s financial statements in the sense that they ‘guarantee’ or ‘insure’ them. Nor do they, by virtue of auditing a company’s financial statements, somehow make, own, or adopt the assertions contained therein.”
Instead, the purpose of the audit is to perform a series of tests that enable the auditor to express its opinion of “reasonable assurance,” not certainty, that the financials are free of error. So, does that mean auditors are off the hook when it comes to fraud? Far from it.
In 2017, the Public Company Accounting Oversight Board modified the responsibilities of the auditor to make it clear that detecting fraud is within the scope those duties: “The auditor has a responsibility to plan and perform the audit to obtain reasonable assurance about whether the financial statements are free of material misstatement, whether caused by error or fraud.”
The PCAOB has also provided auditors with detailed guidance on how to identify fraud risks, perform supplemental procedures in high-risk areas, and communicate their findings to management, the board and regulators when they do find fraud. Central to the auditor’s “gatekeeper” function is to exercise “professional skepticism” when substantiating and evaluating the reliability of information provided by management.
Some of the tools available to auditors include surprise visits to locations and cash counts, interviews with lower-level employees, analyzing data that is disaggregated to see if there are discrepancies, verifying major customers and distributors, and performing computerized testing of underlying revenue data for irregularities. With the increasing availability of artificial intelligence tools, auditors should be able to flag suspect patterns for further investigation more easily.
Despite these standards for audit diligence, none of the major cases of fraud in the past two decades were first discovered and reported to regulators by the independent auditor.
Even when auditors are well-intentioned, there are certain types of sophisticated fraud that may be difficult to detect without employing specialized forensic audit expertise. For example, collusion between the company and its banks, major customers or government agencies can result in an auditor “confirming” fictional revenue or cash balances. This is a particular risk in developing markets, where counterparties may lack robust internal controls of their own.
Fraud-proofing the stock market
Until the day that greed and mendacity are eliminated from human behavior, it is unlikely that investing in the equity markets will ever be entirely “safe” from the risk of financial fraud.
But there are some structural changes that could be effective in reducing the incidence of fraud across the market cycle through improved education and more transparent disclosure.
Here are a few suggestions:
1. Send auditors to Fraud School. Earning a CPA entails studying for and passing a rigorous test that covers audit procedures, accounting rules, economics, IT, operations and ethics. Conspicuously absent is any specific training on how to detect fraud. Fraud detection should be part of the basic education of every public company audit professional, with requirements for continuing education. Topics should include the conditions that allow fraud to occur, how to perform risk assessments for fraud, how to perform supplemental testing, and when to call in additional resources to authenticate documents or perform forensic testing on computer systems.
Once audit staff has the knowledge and mindset to look for fraud, then they should be empowered with the means to escalate any concerns without fear of retribution if they believe they are not being addressed by the audit partner. Senior partners who have been found to be complicit in fraud should be shown the door and stripped of retirement benefits.
2. Make inspections consumer-friendly. The Public Company Accounting Oversight Board currently conducts regular inspections of auditors to assess the quality of the audits. In 2018, the PCAOB inspected 160 different auditors and looked at over 700 different company audits. The PCAOB issues reports following these inspections that identify the types of audit deficiencies it found, but they withhold much of the detail as long as the firm corrects the issues within 12 months of the report.
In 2017, the PCAOB found that certain firms had deficiencies in 50 to 73 percent of the audits inspected, to the point that the firms did not have sufficient evidence to support their audit opinion. While the PCAOB makes it clear these reports are not designed to provide a “balanced scorecard,” the agency should consider presenting the information in a format that is more useful to investors and audit committees. For example, presenting the trend in the percentage of deficient audits by firm might create strong commercial incentives to reward firms that make the extra investment in audit quality and fraud prevention.
3. Make audit committees accountable. Given the central role that the audit committee has in hiring and overseeing the independent auditor, overseeing the internal audit function and discussing significant accounting decisions with management, greater transparency about how they execute these roles would be valuable to investors. An annual letter from the audit committee to the shareholders on how they defined and discharged these duties would provide helpful insights as to what level of independence and insight is in place. All board members should be provided training on techniques for building a fraud-resistant organization including setting the “tone at the top,” effective internal controls, addressing whistleblower concerns and identifying high-risk behaviors and transactions.
While financial fraud remains the exception among public companies, its consequences to investors’ net worth and to confidence in the fairness of the markets can be devastating. A greater focus on training, transparency and proper alignment of incentives can help make major public company fraud a rare event.
This article is excerpted from a longer piece on “Who is Responsible for Preventing Fraud?” on the MarcumBP blog. The opinions expressed are the author’s own and do not represent the position of Marcum LLP or Marcum Bernstein and Pinchuk.