Written by Tracy L. Coenen, CPA, CFF
Even with all the publicity surrounding the issue of financial fraud in the last decade, most auditors, investors, and other professionals still do not “get it” when it comes to detecting fraud. Traditional financial statement audits were never designed to detect fraud.
They audit is simply a process by which auditors check the company’s math and application of accounting rules. Auditors examine a very small percentage of transactions. Fraud is rarely detected by financial statement audits because they are not aimed at doing so. However, sometimes fraud is detected by auditors, and they can increase their chances of finding fraud if they are so inclined. There are opportunities during each financial statement audit to find fraud, if only the auditors are diligent. One of the keys to becoming better at detecting fraud is by understanding why auditors so often do not find fraud.
The issue of finding fraud in audits is important not only for auditors.. Investors and other professionals who use financial statements need to understand the fraud risks to fully appreciate just how unreliable financial statements can be when it comes to the issue of fraud.
The bottom line is that those who are confident that audits will find fraud are fooling themselves. Nothing could be further from the truth. The occasional instance of auditors detecting fraud during a financial statement audit does not mean that audits are effective at detecting fraud.
This article discusses the nine most common reasons why auditors miss fraud that is occurring right under their noses. By highlighting these issues, professionals can better understand the issues related to detecting fraud, and avoid a false sense of security when examining audited financial statements.
Reliance on Internal Controls
The depth of audit testing and the types of procedures used are heavily influence by the assessment of internal controls by the auditors. They are looking at the company’s policies and procedures that help ensure accurate financial statements. The auditors determine whether those controls exist, are adequate, and are enforced.
Based on their assessments of the risk and the controls, auditors will plan their audit work. It is easy to see that any faulty assessments at this stage of the process can be detrimental to the entire audit. If the auditors are not fully on top of the risks, they cannot possibly plan their work to deal with those risks.
Audit clients are often guilty of having deficient internal controls that never get corrected. The auditors tell clients there is a problem, but they continue business as usual. When the next year’s audit begins, the auditors find that none of the problems were fixed. Do they adjust the scope of their audit work accordingly? Often, the answer is no, and so year after year there are deficiencies that are not addressed with increased auditing procedures.
Predictable Audit Tests
Auditors are notorious for repeating their testing from year to year, focusing on the same accounts or types of transactions, and using dollar thresholds that the audit clients are intimately familiar with. When employees know exactly what risk and accounts the auditors will target, the effectiveness of audit testing goes down.
The element of surprise is quite effective in preventing and finding fraud, yet auditors do not often employ this technique. Surprise helps to prevent fraud because employees are never quite sure whether certain accounts or transactions might be selected for testing. They are less likely to engage in fraud because they do not know if the auditors will be looking.
But if the client knows where the auditors will be focusing their attention, it is easy to fabricate documents, make strategic journal entries, or otherwise doctor the accounting records. Think about how simple it is for a company to move inventory from one location to another if it knows ahead of time which facility the auditors will be visiting. Within each facility, consider how easy it is to arrange the inventory to make it appear as if more is on hand than truly exists, especially if management knows which types of items the auditors are likely to count or examine.
Auditors have a tendency to get complacent in their testing. It is too easy to test the same items in the same way from year to year. And how are brand new auditors taught the business of auditing? They are usually told to look at last year’s workpapers and do the same procedures in the current year audit. What better way is there to guarantee that the client will never be surprised by the audit procedures?
Sampling Is Not Enough
The heart of an audit is testing transactions. The auditors select a sample and test those transactions to ensure that they were properly recorded in the accounting system. The inherent limitation in sampling is that all transactions are not tested. And of course, it would not be possible for the auditors to examine all transactions a company enters into in a year.
There is always a good chance that a key transaction will not be part of the auditors’ sample, and therefore will not be examined. So many transactions are untested by the auditors, and that means there is a very good chance that a fraudulent item will not be part of the testing.
Working Around Scope and Materiality
To make matters worse, management knows that the auditors generally choose larger dollar transactions to test. By testing larger amounts, the auditors get greater “coverage” and can test a larger percentage of the dollars. This creates a huge opportunity for someone perpetrating a fraud. If she or he needs to manipulate the accounting records, several smaller entries (instead of one large entry) will most likely never be examined by the auditors.
Auditors are constantly looking at numbers in terms of scope and materiality. Smaller amounts, whether right or wrong, don’t mean a lot in terms of the bigger financial picture of a company. What the auditors often forget, however, is that the issue of materiality is not limited to just the magnitude of the dollars. While a small number may not mean a lot to the company as a whole, the facts surrounding that small number may make it material.
Consider a relatively small theft by the CFO of the company. While the total dollars may fall well below what one would normally consider “material” to the company, the circumstances surrounding the theft make it material. The fact that the company’s top finance professional is stealing suddenly makes the small dollar figure very important, and therefore material.
The current business model for audit firms (and the one that has been in place for decades) relies on relatively inexperienced auditors to do the bulk of the field work. While this may make economic sense in terms of controlling the costs of audits, it is a terrible practice from a quality control standpoint.
Young auditors often do not know what questions to ask, and are usually reluctant to ask difficult questions or challenge management’s assertions. They are easily manipulated, influenced, and misled because of their inexperience. They often lack a true understanding of business and financial statements, as these are things that take time to learn in the real world.
Most auditors lack an in-depth understanding of fraud schemes and how they are carried out. If asked to explain a common fraud scheme like round-tripping or channel-stuffing, most inexperienced auditors will be speechless. Simply put, they’re not adept at recognizing suspicious transactions and fraudulent documentation.
Those who have the knowledge to identify problems and ask difficult questions spend very little time in the field. They are best equipped to zero in on fraud, yet they provide little hands-on supervision of the inexperienced auditors.
Dynamic Business Environment
Gone are the days when a company’s business changed little from year to year. Mergers and acquisitions, development of new products and services, and constant strategic planning all mean that business is changing faster than ever. Comparing the financials of a company from year to year becomes nearly impossible because of all the changes.
Yet auditing has not really changed much over the years. The businesses are harder to audit and the fraud risks are changing, but the audit process has been slow to catch up. The right audit approach 20 years ago is not still the right approach today, yet many facets of audits are largely the same.
Fraud perpetrators know that auditors cannot keep up with all the changes in their businesses, and they can easily exploit this. Auditors are at the mercy of management, and find out about things only if they ask the right questions that elicit truthful answers. It is easy to see how auditors can be duped because of their lack of knowledge.
What happens when auditors fin an “exception” in their audit testing? When is the exception deemed serious enough for action? The audit work following the discovery of an exception can sometimes be inadequate. It’s difficult to say just how much additional testing should be done after a problem is found in the accounting records.
One of the most basic instances of inadequate follow-up occurs when the audit client is unable to produce documentation to support a transaction. Who is to say that the missing documentation is simply an error, rather than something more sinister? Auditors are often quick to select alternative transactions for testing when documentation can’t be located, but this creates an opportunity for a perpetrator of fraud.
Managers and executives engaging in fraud are often adept at using social engineering to manipulate the auditors. They can appear cooperative, and even are agreeable to adjustments the auditors may suggest, particular if this cooperation keeps the focus off other areas of the financial statements which contain evidence of fraud.
Needle in a Haystack
When it comes to fraud, management has a significant advantage over the auditors. Management knows exactly where the fraud is hidden, while the auditors are left looking for a “needle in a haystack.” The auditors have no idea whether fraud has occurred, what kind of fraud might have been perpetrated, or where it is hidden in the financial statements.
The odds are stacked heavily in favor of the person committing the fraud. It is bad enough that the auditors do not know what they should be looking for, but things are made even worse if the perpetrator takes into account the above audit limitations.
For example, it is fairly easy to hide fraud in an account with a high volume of small transactions. What happens if the auditor is fortunate enough to discover one of these fraudulent transactions? Who is to say that it might be an honest mistake? The auditor might talk herself or himself out of inquiring further.
Use of Estimates
Critical parts of a company’s financial statements are often based on the judgment of management, which has to use its knowledge of the business to make estimates. Unfortunately, management’s judgment and estimates are difficult to audit. For example, the company may need to make estimates related to the costs of providing service to customers who have purchased items under warranties. It will be difficult for the auditor to evaluate these estimates, as they usually do not have in-depth knowledge of the business and the warranty issues.
Auditors are at the mercy of management, the holders of all the information. Management may be aware of business changes that invalidate historical methods of estimating certain items, but unless it tells the auditors about these changes, the auditors most likely will not be aware of them.
Making Audits More Effective
Users of financial statements need to understand the inherent limitations in the auditing process. Audits have never been designed to detect fraud, and unless there is a massive change in the business of auditing, they never will detect fraud at a meaningful rate.
Helping auditors get a better understanding of the business they are auditing is key to performing more effective audits. Younger auditors need better training and supervision, and classroom work cannot take the place of actual experience in the field.
Audits should use basic techniques like the element of surprise. The auditors should vary their procedures and scopes from year to year, and surprise procedures should be conducted throughout the year as well as during the audit. More time needs to be spent on assessing how fraud could be committed at the company.
Those who know the most about business and financial statements need to be more involved in the field to help auditors learn more. Inexperienced auditors need the support of the more experienced auditors so they can confidently ask difficult questions and challenge suspected methods or transactions.
Audits can be made more effective when it comes to finding fraud, but there will be a cost to doing so. The current financial model for audit firms will not be able to support the above suggestions. There will need to be wholesale changes in the business of auditing if we ever expect audits to find more fraud.