Tracy Coenen lists 9 reasons for “Escaping Detection: Why Auditors Do Not Find Fraud”.
If we understand why audits are a poor tool for detecting fraudulent financials, we can improve our chances of finding material frauds.
Check out her post, it will be worth your time.
Here are a few thoughts expanding on her list.
#2 – Predictable Audit Tests
Auditors are notorious for repeating their testing from year to year, focusing on the same accounts or types of transactions, and using dollar thresholds that the audit clients are intimately familiar with. When employees know exactly what risk and accounts the auditors will target, the effectiveness of audit testing goes down.
It isn’t just our tendency to audit with our ol’ buddy, SALY.
Keep in mind that if we really apply the risk assessment model, we need to look at the risks and then design our audit approach. We consider internal controls that are operating & effective and then design the further audit procedures.
If the risks are the same this year as last, as are the effective controls, it makes sense the testing should be amazingly comparable to last year.
If the client’s operations and internal systems are reasonably stable for several years, the audit shouldn’t change much.
If we realize that, we can do something – we can intentionally introduce surprise elements to the audit.
#4 – Working Around Scope and Materiality
An astute observer, such as a fraudster, can figure out scopes. After a few audits, the cutoff for individually significant items would be obvious. The pattern of which warehouses get an inventory observation would be clear.
This gets back to surprise.
We also need to keep in mind non-dollar materiality issues.
It’s one thing if the receptionist pockets a few grand out of the petty cash fund. Quite different if the CFO pays a few grand to his dummy corp for ‘consulting.’
Likewise for a nonprofit, the grant of a few grand to a controversial public advocacy group is okay, but the same amount going to the county supervisor’s campaign is a big problem. Just one transaction for a trivial amount going to the director of the national regulator overseeing your field program in country X is a huge problem. (If your client is working outside the US and you don’t know what FCPA stands for, you need some CPE.)
How can we adjust our audit?
We need to be attentive to the risk of client’s working inside our materiality and scope thresholds.
We also need to be attentive to major dangers visible in that ‘trivial’ transaction that jumped out at us.
#5 – Inexperienced Auditors
The foundational design of the audit model is to send out tons of fresh staff to do the bulk of detail testwork.
When I worked at a small national firm, we often discussed that the senior is probably the person who ought to be performing the disbursement test instead of the brand new person. Looking at a bunch of individual disbursements is a great place to find out how things are really done. It’s a great way to find out some of the weird stuff that happened.
Since I’m intentionally a one-person firm, guess who does all the disbursement tests? Yup. Me.
It is a great idea having someone with experience do that test. Two things I’ve realized.
First, practically everything that gets documented as ‘exceptions’ when the disbursements test is performed by an inexperienced staff person are completely irrelevant. Yeah, the bank cleared two checks that didn’t have a double signature. Whata’ news flash. Yeah, half a dozen checks were endorsed by the bank instead of the payee. That’s normal business, especially for utilities. Yeah, two invoices didn’t have a departmental approval, but it is a recurring monthly service and the controller signed off. Yawn.
Those don’t require a paragraph to dispose of the issue.
The more valuable things found are that the other controls aren’t quite like what you were told. Or that during the disbursement test you go ask the bookkeeper a question on a disbursement and before the checkbook is abruptly closed you notice that all three visible checks are presigned.
Now you have something worth pursuing.
As the article implies, new staff wouldn’t recognize round-tripping or channel-stuffing if it knocked them out of their chair. That’s not a commentary on new staff. That’s a comment on training and experience and supervision.
#6 – Dynamic Business Environment
The rate of change is increasing. It takes a lot of effort to keep up with what’s going on in an industry. Companies are making lots of changes.
All of those factors make it more difficult to find fraud.
I’m not sure how a person could keep current with the accounting, auditing, and tax issues in multiple industries. Yet many CPAs need to do so.
#8 – Needle in a Haystack
Which one of thousands of transactions is the problem?
Which one of hundreds of vendors is the dummy corporation set up by the purchasing manager or the department manager?
As the article says:
The auditors have no idea whether fraud has occurred, what kind of fraud might have been perpetrated, or where it is hidden in the financial statements.
#9 – Use of Estimates
It’s really hard predicting the future. Especially with accuracy to the nearest tenth of a percentage point.
Putting a number on how much warranty expense will be incurred is tough.
How is the market going to move over the next year and which of your inventory products will still be on the shelf in another year? Be specific and give inventory levels for 20 largest products.
Where will GDP be in two quarters out and how will that affect your ten largest receivable balances?
Those are really hard calls even when management is sincerely trying to make a good guess.
And auditors, who don’t have a working knowledge of the industry or specific products or what the Fed chairman will be thinking next quarter, must evaluate those estimates.
Even more difficult as the article points out, is whether patterns will change in the next year in ways that will invalidate past trends and relationships. Has something changed that means past relationships (default patterns, warranty repairs) are already an invalid predictor of the future?
All of these factors create a caution for those reading audit reports. From the article:
Users of financial statements need to understand the inherent limitations in the auditing process. Audits have never been designed to detect fraud, and unless there is a massive change in the business of auditing, they never will detect fraud at a meaningful rate.
Ms. Coenan concludes with some ideas on improving audits. A few of her comments:
Younger auditors need better training and supervision, and classroom work cannot take the place of actual experience in the field.
Audits should use basic techniques like the element of surprise. The auditors should vary their procedures and scopes from year to year…
More time needs to be spent on assessing how fraud could be committed at the company.
Those who know the most about business and financial statements need to be more involved in the field to help auditors learn more.
Her conclusion is that the core business model of the audit industry makes it unlikely we will see an increase in the number of frauds discovered by external auditors:
Audits can be made more effective when it comes to finding fraud, but there will be a cost to doing so. The current financial model for audit firms will not be able to support the above suggestions. There will need to be wholesale changes in the business of auditing if we ever expect audits to find more fraud.
It’s a superb article. If you are an auditor, you oughta’ check it out.