When does an accountant stop being a financial standards upholder and instead become a sort of CSI expert on white collar-crime? It’s a question that can plague even those familiar with rooting out fraud.
“The auditor’s role in fraud detection has had a long history of confusion and controversy,” says Paul Zikmund, a principal with the fraud and forensic services practice of the Solomon Edwards group in Wayne, Pennsylvania.
Despite increasing professional guidance, which has focused more attention on auditor responsibility to detect fraud, “there’s still considerable ambiguity about where the auditor’s responsibility ends and the fraud examiner’s begins.”
It’s a problem for the public as well. Zikmund says there is also a misperception between what the public thinks auditors should do to detect fraud and what auditors are truly responsible for.
“The expectations gap remains because the public expects auditors to discover all types of fraud during the audit, if it exists at all within a company.”
Greg Shields, director of auditing and assurance standards at the Canadian Institute of Chartered Accountants (CICA), agrees.
“That gap has been closed somewhat by the more rigorous auditing standards now in place regarding fraud, but many people continue to believe the auditor is a bloodhound rather than a watchdog.”
What’s more, says Al Rosen, of Toronto-based Rosen & Associates, “enough slack exists in the auditor-designed rules that it’s very difficult to sue an auditor for not catching fraud.”
Rosen adds that, “The CAs’ unwillingness to address financial statement frauds will cause a further deep decline in the credibility of auditors.”
Internal auditors are dealing with a similar expectations gap. Stephen Hack, a partner in Ernst & Young’s risk advisory services practice in Toronto, explains that they, too, have a role to play in fraud detection.
Standards in both Canada and the U.S. require internal auditors to consider the risk of fraud in planning and executing their work, he says.
“In most audits, fraud risk will be one of several risks that are evaluated as part of the business processes under audit. If fraud is suspected, the internal auditor may be asked to perform a forensic audit specifically to detect fraud,” he says. “Under today’s investor confidence legislation, such as Sarbanes-Oxley and Ontario Bill 198, management must have a robust anti-fraud program to safeguard assets and minimize the risk of fraudulent financial reporting.
“In many organizations, the internal auditor takes a leadership role in the implementation and monitoring of the anti-fraud program.”
But internal auditors may not always have the resources or expertise to handle these responsibilities. According to a recently released Ernst & Young Global Internal Audit Survey, “internal audit teams are being stretched further than ever.”
More than one-third of the respondents said they did not have staff trained in fraud prevention and detection. Moreover, the biggest challenge facing internal audit leaders is finding people with the specialist skills to deal with fraud and risk issues.
Nevertheless, says Hack, “employers can reasonably expect internal audit to understand the significant fraud risks inherent in the industry and specific to their company. Further, employers should expect to plan their work with consideration to these fraud scenarios and risks.”
But, when it comes to fraud detection and deterrence, the spotlight is focused much more on the external auditors anyway. According to Zikmund, “if an audit fails to uncover existing fraud, the inevitable question is ‘Where were the auditors?’”
There is no shortage of court cases in which audit firms were found at fault for failing to detect or disclose material fraud, he notes. Not that the auditor is always to blame, he hastens to add.
“But some of the primary reasons that an auditor fails to detect fraud include over-reliance on client representations; failure to maintain an appropriate level of professional skepticism; failure to recognize signs that may indicate a material fraud; lack of experience; personal relationships with clients, or failing to employ various fraud detective techniques during the audit.”
The standards governing auditor responsibilities for fraud seem pretty clear both north and south of the border.
In the U.S., SOX Section 404 asks external auditors to evaluate their clients’ anti-fraud programs and internal controls and to issue an opinion on management’s assessment of internal controls.
Recently released Statement on Auditing Standards 99, “Consideration of Fraud in a Financial Statement Audit,” requires auditors to plan their audits to provide reasonable assurance that financial statements are free of material fraud.
It also provides expanded guidance and recommended procedures for the detection of material fraud.
Statement on Auditing Standards 99 specifies that auditors should adopt an attitude of professional skepticism toward clients, assess the risk of material fraud and how it could be concealed, assess a client’s overall anti-fraud programs and look for red flags that may indicate fraud. Public Company Accounting Oversight Board Auditing Standard 2 reinforces this guidance.
Canada provides somewhat less guidance, but it is equally clear. CICA Handbook Assurance Section 5135, “The Auditor’s Responsibility to Consider Fraud,” which came into effect in January 2006, tells auditors to assess the risk of material misstatement in a company’s financial statements due to fraud and use that assessment to design and perform audit procedures that will give them a reasonable chance of detecting any such misstatements.
“Auditors need to exercise professional skepticism throughout the audit,” Shields explains. “This means that they cannot assume that management and those charged with governance have acted with honesty and integrity in the current period, regardless of the auditor’s past experience in auditing the entity.”
Auditors also have to find out what management has done to assess the risk of fraud, and the processes and controls management has implemented to mitigate the risk of fraud.
“In some cases,” says Shields, “one or more members of management may be the perpetrators of the fraud, so the auditor has to assess the risk of management override of the controls over fraud that have been put in place. The auditor also has to obtain an understanding of how those charged with governance have exercised oversight of management’s processes for identifying and responding to the risks of fraud.”
Shields adds that auditors have to perform analytical procedures to determine whether there are particular trends and relationships that may indicate a risk of material misstatement due to fraud.
“In particular, they have to perform analytical procedures regarding revenue. Material misstatements due to fraudulent financial reporting often result from an overstatement of revenues, for example, through premature revenue recognition or recording fictitious revenues, or an understatement of revenues, for example, through improperly shifting revenues to a later period.
“Section 5135 states that the auditors ordinarily presume that there are risks of fraud in revenue recognition and consider which types of revenue, revenue transactions or assertions may give rise to such risks, including those involving year-end revenue and income.”
Canada’s Auditing and Assurance Standards Board will be adopting the equivalent International Standard on Auditing (ISA) as CAS 240, to go into effect in December 2009.
According to Shields, although there will be no fundamental changes as a result, “this new standard is more specific. It will have 36 requirements (Section 5135 has 28). For example, the current standard states in its guidance material that, when an entity has an internal audit function, the auditor will ask the internal auditors about their knowledge of actual, suspected or alleged fraud. Most auditors would likely decide to undertake this procedure. However, the new standard makes performance of this step mandatory.”
Shields believes that one way to close the expectations gap would be to change the current standards to require financial statements to be more forensic in nature.
“Further evolution of the financial statement audit in that direction is possible. For example, there are continuing advances in the use of information technology to design and perform, in a cost-effective way, more powerful analytical procedures aimed at detecting fraud.”
Rosen says that financial statement frauds directed at deceiving creditors and shareholders are rarely pursued in civil law cases in Canada “for fear of partially invalidating insurance policies.”
But, he notes, in the U.S., they are often pursued in both civil and criminal cases. According to Rosen, “Canadian police and regulators essentially ignore financial statement frauds, which is extremely unfortunate for investors. But, investors are now starting to revolt.
“In my opinion, the CAs in Canada are exceedingly vulnerable in these financial statement situations, because they typically would have audited the ‘cover-up’ numbers,” which he attributes to “the exceedingly loose accounting in Canada that allows executive ‘theft’ – through inappropriate bonuses, etc. – to be buried somewhere in the financial statements, where detection would be close to impossible.”
In any case, he says, many complex frauds tend to be ignored because “police, in effect, demand air-tight cases before charges get laid and auditors have various cop-outs, such as engagement letter denials or management letter delegation of responsibility away from auditors.”
Rosen adds that he believes “failure to deal with financial statement fraud is likely to be a major ‘death blow’ (to the profession).
“New entities will have to arise in Canada to replace the auditors, but with greater obligations on the newcomers.”
When will that happen?
“It’s getting much closer. What with the Nortel and income trust shenanigans resulting in the billions of dollars of investor losses, the role of auditors in society is into a toss-up,” he says. “Serious revamping must occur and very soon.”
Shields thinks a better option might be to change the expectations of users of audited financial statements “so that such expectations more closely reflect the realities of today’s financial statement audit. Standard setters will continue their communication efforts with that objective in mind.
“However, this is likely to continue to be an uphill battle,” he continued. “It is sometimes hard to get people to buy into the concept that detecting fraud can be very difficult, particularly when complex schemes, with the collusion of members of management, are used to conceal information from the auditor.”
And, Shields concludes by saying that, “financial statements users, like everyone else, are trying to cope with information overload.
“Making a concerted effort to better understand the limitations of a financial statement audit, particularly with respect to fraud detection, is likely to be relatively low on the priority list of many people.”