Why don't auditors find fraud?
In “Alice’s Adventures in Wonderland,” Alice asks the Cat:
“Would you tell me, please, which way I ought to go from here?” “That depends a good deal on where you want to get to,” said the Cat. “I don’t much care where —” said Alice. “Then it doesn’t matter which way you go,” said the Cat.
The story illustrates a very important point for everyone: We have to know where we’re going to get anywhere. As fraud examiners, we certainly face that issue. We must know where we’re going when we begin a fraud examination. To help us, we have the Fraud Examiners Manual (FEM) to guide the examination and, as we’ve been trained, we follow the “fraud theory”:
Analyze available data.
Create a hypothesis.
Test the hypothesis.
Refine and amend the hypothesis.
(See “Fraud Examination Methodology” in the online FEM.)
Then, once on the trail, we continue to follow the process of a fraud examination. We know that when our bosses, coworkers, colleagues, clients and the public ask us how we detect fraud, we can answer, “We look for red flags — the anomalies.” Furthermore, as CFEs, our job is to resolve allegations of fraud.
But what about auditors? Laypersons might think it’s auditors’ job to resolve allegations of fraud. For auditors, however, unless they’re performing fraud examinations, resolving allegations of fraud isn’t their job. Yet, invariably, when a fraud scheme is discovered, both the victim and the public believe that auditors should’ve discovered the scheme. Finger-pointing and lawsuits result, as human nature dictates that everyone wants to know the answer to the question: “How did the fraud occur and not get detected?”
And, of course, the victim wants to recover losses. No matter the type of organization — governmental, nonprofit, private or public entity — the additional questions persist after a fraud is discovered: “Where were my auditors?” or “Why didn’t my auditors discover this scheme?”
So, what is the auditor’s role in detecting fraud?
The American Institute of CPAs (AICPA) and the Institute of Internal Auditors (IIA) have both issued professional standards that require auditors, when performing an audit, to identify the risks of fraud and to plan audits to address these risks. These include AICPA’s AS 1001.02, AS 1101, AS 2110, AS 2300, and AS 2400, plus the IIA’s standard 1200. The Public Company Accounting Oversight Board (PCAOB), a nonprofit corporation established by the U.S. Congress as part of the Sarbanes-Oxley Act of 2002, publicizes the AICPA standards. (These standards superseded AU Section 316 on Dec. 31, 2016, according to the PCAOB website.)
The AICPA requires auditors in an “attest engagement” to provide reasonable assurance in the audit opinion that audited financial statements are free of material misstatements that might be due to error or fraud.
The PCAOB and the Securities and Exchange Commission (SEC) both parrot the AICPA standards. The SEC in its 2016 review of audits of publicly traded companies said, “Assessing and responding to risks of material misstatements due to fraud is a critical component of an audit or attestation engagement.” [See the Center for Audit Quality (CAQ) #8 Alert. The CAQ is affiliated with the AICPA.]
In an audit of financial statements, the AICPA standards say an auditor’s assessment of the risk of material misstatement due to fraud is a cumulative process, which the auditor is supposed to perform throughout the audit. This work results in the auditor making a qualitative analysis, based upon their judgment, of whether to look further into the risk of material misstatement due to fraud. The auditor might then conduct additional or different audit procedures to address the identified risks. (See AS 2301.)
Herein lies the problem for most auditors. Although they might be qualified in assessing risks and identifying where a fraud might occur, they don’t know how to recognize (i.e., identify) the indicators of fraud.
Auditors must look at their audit evidence and identify where a fraud might have already occurred or might be occurring — the anomalies or red flags of frauds. Unlike CFEs, however, most auditors have never seen a fraud scheme.
Following process to identify risk factors
Professional standards now require auditors to design an audit to identify factors to look for misstatements in financial statements that might be caused by fraud. The standards give many examples of risk factors. Without question, no auditor can supply the reasonable assurance they’re required to give that financial statements are free of material misstatements due to fraud unless that auditor is trying to detect material misstatements caused by fraud. The auditor has to look for fraud.
According to AS 2110 and AS 2301, during the initial steps when an auditor is planning an audit of financial statements, they must follow a process to identify risk factors. Then they design tests to determine if management has instituted sufficient controls and processes. In this planning stage, the standards require the auditor to consider whether identified risk factors and their examination indicate if misstatements indicative of fraud are evident. If so, the auditor must evaluate their implications.
When a CFE identifies an anomaly, they know how to drill down in their examination to investigate those indicators. For example, medical school teaches a budding physician the same process. The physician will examine our body to identify anything unusual (an anomaly) to offer a cure. Likewise, auditors must be taught to do the same things to comply with their standards.
Failures precipitated accounting malpractice cases
My work in dozens of accounting malpractice cases where auditors failed to identify fraud has proven that auditors must be trained to see how a fraud scheme is perpetuated.
In a recent case where I was a testifying expert for the plaintiffs who were suing an accounting firm for accounting malpractice for their failure to identify a massive fraud scheme, one of the plaintiff’s attorneys asked me, “Are all auditors just dumb?” The answer is really simple — of course not! Accounting students in college have to study extremely hard and pass rigorous examinations. We were the ones staying home studying and working our accounting problems while other students were out socializing.
In fairness to the attorney’s question to me about the ability of auditors to identify fraud, I’ve observed some rather foolish things in lawsuits against CPAs. For example, I’ve seen auditors fail to, among other things:
Perform assessments to determine risk factors.
Perform procedures identified in their planning.
Test controls where they observed risks identified as significant.
Test controls or perform walkthroughs of significant accounts.
Properly supervise assistants, whether or not those assistants were properly trained.
Clients of auditors whose work falls below established standards probably will sue them. And courts might hold the auditors responsible for substantial damages. However, if auditors are trained to identify fraud schemes and perform their examinations in accordance with their plans, they’ll likely identify possible frauds.
Unfortunately, for the investing public and business stakeholders, fraud schemes both large and small continue to proliferate. In spite of laws such as SOX and the new Committee of Sponsoring Organizations (COSO) model (see the Fraud Magazine Online Exclusive, “Joining forces to manage fraud risk: The ACFE partners with COSO,” October 2016), organizations aren’t detecting fraud.
Professional standards don’t mandate that auditors resolve fraud or allegations of fraud unless they’re conducting a fraud examination. However, they could dramatically improve their abilities to ascertain the indicators where they possibly exist, and then apply further audit procedures (such as calling in an expert) to offer reasonable assurance that financial statements are free of misstatement due to fraud.
ACFE founder and Chairman Dr. Joseph T. Wells, CFE, CPA, wrote on this subject in his classic book, “Corporate Fraud Handbook: Prevention and Detection,” which identifies and details approximately four dozen fraud schemes in The Fraud Tree.
ACFE Anti-Fraud Education Partnership
The ACFE’s mission is to train investigators how to detect, investigate and resolve allegations of fraud, and the ACFE has been true to that mission. For years, the ACFE — through its Anti-Fraud Education Partnership — has offered higher-education institutions free materials for academics who want to teach the basics of fraud examination. As of publication, 300 colleges and universities are taking advantage of this program.
Now we need to encourage educators who aren’t on board to consider teaching dedicated fraud examination 101 courses. At the least, academics should consider teaching their accounting students the auditor’s requirement to look for and identify fraud, and how to recognize signs of ongoing fraud schemes.
How do you think an accountant, auditor or investigator who’s never received anti-fraud training at ACFE events or in college feels when tasked with the responsibility to look for fraud? Professional standards have mandated a requirement to “look” and to “plan” an audit for fraud, and educators at universities must teach these requirements.
In the anti-fraud community, the ACFE has been instrumental in training fraud examiners how to spot indicators and investigate fraud. I continue to proudly play a role in that training. In my presentation at the 29th Annual ACFE Global Fraud Conference in June 2018, I asked my classes whether, after hearing a story of the perpetuation of a fraud at another organization, they had a sinking feeling that such a scheme might be occurring at their entity or, even worse, that they had missed it. Everyone acknowledged they’d experienced this genuinely frightening feeling. How about you? Have you given this some thought?
Seeing the red flags, identifying fraud
Auditors must dramatically improve their abilities to identify fraud schemes. They have to know how to identify fraud indicators and probable schemes. Professional standards don’t mandate that auditors resolve fraud or even allegations of fraud — unless they’re conducting fraud examinations. However, auditors must know the red-flag indicators or anomalies, continuously look for those anomalies and apply further audit procedures — such as calling in experts — to offer reasonable assurance that financial statements are free of misstatement due to fraud. Organizations that follow these procedures will decrease fraud, save money and restore organizational reputations.