Are auditors falling down on the job of detecting fraud?

Cydney Posner
Cooley LLP
Contact
LinkedIn
Facebook
X
Send
Embed

Cooley LLP

Paul Munter, the SEC’s Acting Chief Accountant, seems to think so. In this Statement, Munter expresses his concern that, in conducting audits, auditors are not adequately making use of the “fraud lens”—a focus on the consideration of fraud in the audit—in fulfilling their gatekeeper role. That is, auditors may not be adequately responding to fraud risks and red flags or otherwise exercising “professional skepticism.” It is critical, he said, that auditors evaluate whether the audit has surfaced information that may be indicative of fraud and “how fraud could be perpetrated or concealed by management.” Are auditors exhibiting a type of bias, focusing risk assessments on risks of error and essentially overlooking or minimizing risks of fraud?  In light of Munter’s statement, companies could well find that their auditors may be doubling down on their application of professional skepticism. What’s more, some of Munter’s recommendations may prove useful for companies in establishing their own ethics environments and conducting their own fraud risk assessments.

Perhaps speaking with the current worldwide economic and political uncertainty in mind, Munter observes that “any changes to the macroeconomic and geopolitical environment in which companies operate may result in new pressures, opportunities, or rationalizations for fraud. Areas that have historically been a focus for auditors—the tone at the top of a company and the effectiveness of internal controls—appear to be key factors in either exacerbating or mitigating such pressures, opportunities, or rationalizations for fraud.” Accordingly, auditors have “a significant opportunity” to help “identify and address the precursors of financial reporting fraud.”

In his statement, Munter identifies a number of recent “shortcomings” related to fraud detection:

  • “PCAOB inspections consistently identify areas of concern involving auditors’ application of due professional care and professional skepticism when considering fraud or where the audit response to fraud risks and red flags was insufficient. PCAOB inspection examples of auditor’s deficiencies include auditors not performing substantive procedures that were specifically responsive to fraud risks (e.g., not performing tests of details, or only performing inquiries), performing insufficient journal entry testing, failing to assess and/or identify revenue recognition as a potential fraud risk, and not communicating fraud risks to audit committees.
  • Recent Commission enforcement actions against audit firms and their personnel continue to highlight instances of improper professional conduct by auditors with respect to fraud risks. In these enforcement actions, the Commission alleged that auditors failed to comply with PCAOB standards by, among other things, ignoring red flags and contradictory information and failing to obtain sufficient and appropriate audit evidence.
  • Through OCA’s discussions with stakeholders we have heard particularly troubling feedback that auditors many times frame the discussion of their responsibilities related to fraud by describing what is beyond the auditor’s responsibilities and what auditors are not required to do. We find this attitude of focusing on the limits of the auditor’s responsibilities at the outset as opposed to the affirmative requirements with respect to the responsibility to plan and perform the audit to obtain reasonable assurance about whether the financial statements are free from material misstatement, whether caused by error or fraud, deeply concerning, as it could impact an auditor’s mindset or their degree of professional skepticism, and may thereby reduce the likelihood of fraud detection and potentially result in dereliction of professional responsibilities to the public trust.”

Munter advises that audit firms need to establish strong systems of quality controls to support auditors that may face external and internal pressures that can “distract an auditor from appropriately identifying and responding to fraud risks.” For example, audit clients may insist on tight deadlines or apply audit fee pressures; “audit firm or engagement team pressures may include resource constraints, time pressures, budgeting and firm operational metrics, evaluation systems that may inadvertently discourage skepticism among staff auditors, and achieving strong client satisfaction ratings.”

PCAOB auditing standards related to fraud risk require that auditors “set aside any prior beliefs about management’s honesty and integrity.  In distinguishing between error and fraud, intent is a “key point of distinction.” Munter advises that “when considering materiality, auditors should not assume that even small intentional misstatements in the financial statements are immaterial.” Here again, Munter cautions that auditors need to be mindful of biases, such as the mindset of “trust but verify,” which “may represent potential bias if it is anchored in the belief that management is honest and has integrity. Such a mindset may interfere with an auditor’s ability to effectively evaluate signs of fraud when evaluating misstatements or to objectively challenge evidence provided by management.”

Auditors, Munter reminds us, must exercise professional skepticism, “an attitude that includes a questioning mind and a critical assessment of audit evidence.” Skepticism means that auditors should question evidence provided by management when the timing or manner of its production raises suspicions, including “invoices for large amounts with vague descriptions, invoices with related parties with descriptions that are outside of the normal course of business, or ‘new’ evidence provided by management in the late stages of the audit to address a potentially difficult or contentious audit matter. Auditors should avoid any assumptions of honesty, be mindful of potential unconscious biases, and apply the appropriate level of professional skepticism.” In addition, “when performing analytical procedures, auditors should assess whether there are unusual or unexpected transactions or relationships that are identified that may be indicative of a previously unidentified fraud risk.” According to Munter, management “is in a unique position to perpetrate fraud, and instances of fraud often involve management override of controls, including concealment of evidence or misrepresentation of information. Auditors must remain diligent when considering and responding to this risk and remain aware of techniques used by management to circumvent existing controls.” Ultimately, auditors may need to communicate findings to management, the audit committee and the SEC.

When fraud risks have been identified, auditors may need to modify planned audit procedures.  For example, specialists may need to be enlisted, such as, for example, a specialist who can “challenge and evaluate the reasonableness of management’s assumptions.” In addition, Munter cautions, auditors should be particularly alert to financial reporting areas that he identifies as “more frequently related to fraudulent schemes,” including improper revenue recognition, which is a “presumed risk of fraud,” and the intentional misstatement of accounting estimates. PCAOB AS 2401.54 provides examples of audit procedures that might be performed in response to assessed fraud risks related to revenue recognition. With regard to misstatement of accounting estimates, Munter advises that auditors “should perform a retrospective review to determine whether there are indications of possible bias in the development of accounting estimates.”

SideBar

This Spotlight Audit Committee Resource  from the PCAOB offers questions that audit committees may consider asking their auditors to assess how they are responding to the financial reporting and audit risks posed by the current economic environment. With regard to fraud risk, the Resource suggests that the audit committee ask how economic factors (e.g., supply chain disruption, inflation) have influenced the auditor’s risk assessment for the current year’s audit, and whether emerging issues have influenced the nature, timing or extent of procedures the auditor plans to perform to address the risk of material misstatement due to fraud. Audit committees may also consider asking what the audit firm has done to address any recurring audit deficiencies, such as deficiencies related to revenue recognition and accounting estimates, identified by regulators or the audit firm’s internal quality monitoring. The Resource includes many other questions about risk, audit execution, quality control and other matters.

Munter recommends that audit responses should be tailored to the particular risk; auditing standards are not to be used as “an exhaustive checklist.” Auditors should also consider whether publicly available information contradicts information from management. In addition, auditors should assess the company’s control environment, including whether there is a demonstrated commitment to ethics and integrity, beyond simply the existence of a code of ethics: “For example, are employees able to anonymously share their views on the company’s tone at the top through, for example, a culture survey? How are the survey results obtained and shared with leadership?” Does the company have a whistleblower hotline, and does the culture encourage use of it? What is the company’s approach to its own fraud risk assessment? Finally, technology “may provide useful insights to assist with identifying unusual or unexpected relationships or assisting auditors in performing more robust planning analytics.”

SideBar

This 2018  KPMG paper on fraud and whistle-blowing suggests the following questions for audit committees to consider with regard to fraud risk oversight:

  • “Is management taking sufficient responsibility for the fight against fraud and misappropriation? Is the tone from the top unequivocal in insisting on an anti-fraud culture throughout the organisation?
  • Do record-keeping policies and procedures minimise the risk of fraud?
  • Are appropriate diagnostic assessments of fraud risks performed and updated periodically?
  • Are all significant fraud risks properly included in the enterprise risk management approach, linked to relevant internal controls and monitored?
  • Do codes of conduct contain adequate, user-friendly and up-to-date behavioural guidelines in respect of fraud and other misconduct? Are they adopted across the organisation and do they apply evenly to business partners and subcontractors?
  • What is the level of assurance gained related to the effectiveness of anti-fraud controls by management, internal and/or external audit and is it appropriate in the circumstances?
  • Are anti-fraud controls designed to detect or prevent financial reporting fraud from the early stage (i.e. before small adjustments snowball into bigger issues)?
  • Are fraud-tracking and -monitoring systems and fraud response plans in place and are they fit for purpose?
  • Do staff members at all levels have appropriate skills to identify the signs of fraud and do they receive fraud awareness training relevant to their role?”

These questions are suggested regarding whistle-blowing:

  • “Are whistle-blowing policies and procedures documented and communicated across the organisation?
  • Does the whistle-blowing policy ensure that it is both safe and acceptable for employees to raise concerns about wrongdoing?
  • Were the whistle-blowing procedures arrived at through a consultative process? Do management and employees ‘buy into’ the process? Are success stories publicised?
  • Are concerns raised by employees (and others) responded to within a reasonable time frame?
  • Are procedures in place to ensure that all reasonable steps are taken to prevent the victimisation of whistleblowers and to keep the identity of whistle- blowers confidential?
  • Has a dedicated person been identified to whom confidential concerns can be disclosed? Does this person have the authority and statute to act if concerns are not raised with, or properly dealt with, by line management and other responsible individuals?
  • Does management understand how to act if a concern is raised? Do they understand that employees (and others) have the right to blow the whistle?
  • Has consideration been given to the use of an independent advice centre as part of the whistleblowing procedures?
  • In cases where no instances are being reported though the whistle-blowing channel, did management reassess the effectiveness of the procedures?”

Ultimately, Munter concludes, in performing their gatekeeping function, auditors must apply appropriate levels of professional care and professional skepticism so that they may obtain “reasonable assurance about whether financial statements are free of material misstatement, whether due to error or fraud.” 

[View source.]

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Cooley LLP | Attorney Advertising

Written by:

Cooley LLP
Cooley LLP
Contact
more
less

Cooley LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide