Home > Risk > The auditor’s responsibility for fraud

The auditor’s responsibility for fraud

October 20, 2021 Leave a comment Go to comments

Today, I want to discuss the topic, first about the external auditor’s role, and then internal auditing role.

XX

Francine McKenna is a lady you should follow[1] (@retheauditors) if you are interested in the external audit profession. She never holds back on her criticisms of the accounting profession, especially the so-called “Big Four”.

Her latest online newsletter is The Dig. That is where she recently wrote a provocative piece, Busting the myth about auditors and fraud.

She asserts that there is a common myth that “The [external] audit is not designed to detect fraud”.

It is very easy to get confused with this topic, and the ‘myth’ is both true and false.

  • True: the external auditors are not required to detect every fraud.
  • False: they are required to perform procedures that will provide a reasonable level of assurance that the financial statements filed with the SEC are free of material misstatements due to fraud.

Francine provides a link to a PCAOB[2] paper from 2012, Consideration of outreach and research regarding the auditor’s approach to detecting fraud. The paper says:

Under PCAOB standards, the auditor is required to plan and perform the audit of the financial statements to obtain reasonable assurance, which is a high level of assurance, about whether the financial statements are materially misstated due to error or fraud. As this wording suggests, these auditor responsibilities are focused on fraud that results in material inaccuracies in, or omissions from, the financial statements.

They use the term, “financial statement fraud”.

The paper continues:

Existing PCAOB auditing standards require the auditor to, among other things, (1) perform procedures to identify fraud risks; (2) plan and perform audit procedures to address those risks, including certain specified procedures to address the risk of management override of controls; and (3) consider fraud in evaluating the results of the audit.

It’s a very useful paper that summarizes existing PCAOB requirements.

Francine provides some additional insights, but one of the challenges is the notion of “reasonable assurance”. The audit firms have defended failures to detect massive financial statement frauds with statements like “management lied to us and withheld information”. Is that reasonable? Probably is sometimes, and probably is not other times.

One myth that Francine doesn’t discuss in her article is whether the external auditors have a clue about what is happening in the business. In my experience, there is a great deal that escapes them, but on the other hand they have very smart people who usually do the best they can.

I will defer to Francine, the PCAOB inspectors, and the courts on whether the firms are obtaining “reasonable assurance”.

XX

One point is clear, though:

The external auditors are NOT responsible for detecting every fraud. They are only responsible for detecting frauds (one or more) that are at least reasonably likely to lead to a material misstatement of the financial statements filed with the SEC.

There are a great many other frauds. For example, the first fraud my audit team uncovered was of the safety numbers. These numbers affected the perception of performance, and therefore the continued employment and compensation of the safety officer and his staff.

At Solectron, my team discovered quite a few accounting frauds that resulted in the misstatement of the results and financial position of different business units. However, they were not material (individually or in aggregate) to the consolidated financial statements; KPMG was an interested observer and, to my knowledge, performed no additional procedures. I was surprised at the time and remain surprised today at their apparent complacency. But as I told the audit committee, I believed that the risk of material misstatement of the consolidated financial statements was not high – especially as we got the units’ financials corrected.

XX

To summarize:

  1. The audit firms are not responsible for detecting immaterial financial statement frauds.
  2. They are also not responsible for anything relating to other types of fraud.
  3. Even when there has been a major financial statement fraud, we shouldn’t leap to the conclusion that the auditors failed. They may have performed everything required of them by the PCAOB or other regulators. Reasonable assurance is not perfect assurance.

XX

What is the internal auditor’s responsibility for fraud?

This is also an area of myth: that it is internal audit’s responsibility to detect fraud.

Let’s get something straight:

Preventing and detecting fraud is a management responsibility.

Similarly:

Understanding the risk of fraud is a management responsibility.

That’s not to mean that internal audit has no role in this.

  1. Internal audit should consider the risk of fraud in its engagement planning.
  2. Internal audit should assess whether management understands fraud risk and has appropriate preventive and detective controls.
  3. Internal audit should also consider the influence of culture and the tone at the top on the possibility of fraud.
  4. Internal audit usually, but not always, has a role in investigating suspected violations of the company’s code of ethics and values.

We should be focused on fraud that could be a significant source of risk to enterprise objectives. In addition, we should be concerned about fraud that:

  • Involves senior management or even the board
  • Affects the health and safety of individuals, whether employees or not. For example, I have seen fraud involving the safety training of contractors
  • Could lead to reputational damage
  • Would be of a magnitude that would be of concern to top management or the board

I suggest that the responsibilities of internal audit in relation to fraud should be discussed with both top management and the board. That could lead to management and the board asking the CAE to take on additional fraud-related responsibilities as a consulting service.

XX

What do you think?

[1] I consider her a friend, although we rarely have been able to see each other. We live in different parts of the country.

[2] The Public Company Accounting Oversight Board oversees and provides standards for the external auditors of larger public companies with securities registered in the US.

  1. October 22, 2021 at 5:38 PM

    Good post (again), Norman. The fraud you detected in safety numbers resulted in better compensation and employment for the safety department. The risk and consequences go further in today’s landscape.

    Safety data is submitted to OSHA; if the data has been manipulated, the company has submitted false data to the government. Safety performance is a common evaluation factor for companies engaging suppliers; false statements on bid submittals can tip the balance in a close procurement. This results in organizational gain at the expense of competitors. Employees do talk (for example, those who were injured and ignored) and some change companies. Competitors have incentive to call this out. If the company is a government contractor, could False Claims Act apply?

    Workers compensation insurance programs use safety data as a factor in calculating insurance premiums; if the underlying data has been deliberately falsified, where can that go?

    Safety falls under the “S” portion of “ESG”. Capital markets’ interest in ESG performance has exploded. Analysts collect and review data, and rate and rank the companies for inclusion in green investments. No socially responsible investment fund wants a laggard safety performer in their portfolio. Has this data deceived investors?
    Discovery of falsified data can trigger requirements to notify affected parties, such as those noted above. Besides the obvious fix for safety data management in the future, Internal Audit should refer this to legal and subject matter specialists for further investigation and possible corrective measures.

    Second line audit functions (safety, environmental) could play a role – but they are not designed to detect fraud, or to make recommendations to prevent it. This patch is urgently needed.

  2. Joseph Kassapis
    October 22, 2021 at 10:07 PM

    I read all your posts with great interest but in this one interest became disappointment. As an external auditor and an external audit educator I thoroughly disagree with you, about the implications on the degree of external auditor’s responsibility for financial statement / FS-impacting fraud. In scandal after scandal it is shown clearly for those with enough understanding of auditing and objectivity (independence from the big firms) that the firms either knew or should have known or could have known or did not want to know, not to lose the big customer. There is a profound problem, clearly, and the article does not acknowledge it or plays it down. Anybody criticising fiercely the big firms for gross compromise of independence and ethics is clearly right, in my view (over 40 years practising, teaching and training- and STUDYING the profession).

    REASONABLE ASSURANCE is a high degree of Assurance. Enron, Leeman B, AIG, Worldcom, Parmalat, Carilion, and so many others. The same Best (Biggest) firms. Claiming to have had it (RA)/ Choosing Not to See every time. Seeing keeping the Client / keeping the Client happy as more important.

    As or Internal Auditing, the common person will always ask: If they are not there for Fraud, what else are they there for ?

    And please, don’t just think America/North America, and rest of developed world. In our parts where Fraud/corruption is prevalent if not the norm, if not the Auditors – External & Internal – then who ? There is nobody else. And corruption is suffocating whole nations. (With External Auditors anything but on the side of the feeble anti-corruption forces, more at the service of the corrupt forces … – Pandora Papers … )

    • Norman Marks
      October 23, 2021 at 6:20 AM

      Joseph, my post is about the rush to condemn. You have talked about situations where the auditor should have known. In those cases, they should have been indicted and not only paid a huge penalty but barred for life. They did not obtain that reasonable assurance.

      Having worked within global corporations as an executive for decades, I know how easy it can be for management to hide things from the auditor. I would say that in 75% or more of the situations I have seen, the auditors were doing all they could and should. But in 25% (which is a huge number) they were not up to the task.

  3. October 25, 2021 at 2:49 AM

    In the Netherlands, new rulings are under consultation that external auditor should report about fraud and what he has done about it. So even if there is no material misstatement. The argument is that the stakeholders demand this. The background is a number of big fraud cases (not only in the Netherlands, but the big 4 involved) in which the auditor hadn’t mentioned anything about it. There is a lot of discussion about is, f.i. that fraud from a legal perspective must (1) be intended and (2) proven guilty. In many situation when the auditor becomes aware of possible fraud, both points are still under investigation. Who is the auditor to take the position of the judge? The audiotor’s organisation (NBA) is in favour is it should help improve the bad repution of auditors not delivering sufficient qualitity.

    • Norman Marks
      October 25, 2021 at 7:16 AM

      Thank you for sharing

  1. October 20, 2021 at 11:13 AM
  2. October 21, 2021 at 10:08 PM

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: