Companies and organizations that are hit with employee fraud, including embezzlement, asset misappropriation, and financial statement manipulation, are often surprised that the incident occurred. Even more surprising to executives and boards of directors is the fact that their auditors didn’t find the fraud sooner, or didn’t find it at all. After all, isn’t that what auditors are supposed to do?
In one case, the bookkeeper for a non-profit organization was stealing for several years and cleverly covering her tracks. She didn’t let the checks get too large, and she divided the check amounts between many accounts so that the entries in each account would be very small. She knew that if the amounts were small enough, they probably would not be carefully examined during the annual audits.
She was right, and her scheme worked until an auditor found a problem with the bank reconciliation. That problem led to further investigation, which ultimately uncovered the fraud. You could say that the fraud was discovered by accident. The board of directors wondered why the auditors didn’t find the fraud sooner, since it had been ongoing for at least three years.
The answer was simple. The auditors followed the rules, but those rules aren’t always effective at uncovering a situation that is purposely disguised by a dishonest employee.
The bookkeeper used what she knew about the accounting process and the year-end audit to escape detection. She knew that management wasn’t checking her work or monitoring the bank account. By utilizing small-dollar transactions, recording false transactions in the accounting system, and discarding canceled checks, she successfully beat the system and ran off with hundreds of thousands of dollars.
Audits and reviews are procedures performed on the financial statements of a company, for the purpose of determining whether the financial statements include any material misstatements. Misstatements are essentially wrong numbers due to numerical errors, fraud, or errors in interpreting the accounting rules. Misstatements are material if they are large enough to make a difference to a user of the financial statements, such as a bank or investor.
Auditors utilize sampling techniques to test certain transactions during the performance of an audit or review, since it would be nearly impossible and too expensive to examine every single transaction. The sampling may be aimed at the largest items or the items on the financial statements that pose the most risk of misstatement. If material errors in the financial statements are discovered, the auditors will direct management to correct them.
So how does fraud fit into the idea of material misstatements? Misstatements can be caused by either error or fraud. Auditors have some responsibility for the detection of both errors and frauds that are material, but this responsibility is not absolute. Auditors give “reasonable” assurance that material misstatements have been uncovered, but not total assurance.
Errors are much more likely to be discovered during an audit than fraud is. Fraud schemes are crafted to purposely exploit the accounting system and controls, and therefore it is more difficult for an auditor to find them. Since auditors are not all-knowing beings, the assurance that the financial statements are correct can only be “reasonable” assurance and not total assurance.
It’s important to understand the guidance given to auditors on the topic of fraud. Accountants performing audits in the United States follow Generally Accepted Auditing Standards (GAAS) in their performance of audits. Additional guidance is provided in the Statements on Standards for Accounting and Review Services (SSARS) and Statements on Auditing Standards (SAS). These sets of authoritative guidance outline the responsibilities that auditors have for finding fraud while performing audits and reviews.
SAS number 99, “Consideration of Fraud in a Financial Statement Audit,” became effective in late 2003. This statement directs auditors to use professional skepticism and to consider that a fraud could have occurred and could materially affect the financial statements. The auditors must consider and identify the risk of fraud, and must continuously evaluate evidence throughout the audit to determine whether or not there are any fraud indicators.
The American Institute of Certified Public Accountants (AICPA) recently issued SSARS number 12, “Omnibus Statement on Standards for Accounting and Review Services.” This applies to reviews, rather than audits. Reviews provide less assurance on the financial statements, as the review procedures are typically less thorough and less detailed than audit procedures. This statement dictates that during a review, the auditor is not required to assess the risk of fraud or develop plans specifically to identify fraud.
The guidance for auditors is continuously evolving as the accounting profession acknowledges that fraud is becoming a bigger issue for clients. All of this alphabet soup can be boiled down to the fact that it is management’s responsibility, not the auditor’s, to prevent and detect fraud. The auditors must consider fraud throughout their procedures, but they do not have an absolute responsibility for the detection of fraud.
If the guidance on fraud is so clear from the perspective of the auditor, why does there seem to be an expectation gap between the auditors and the clients?
Regardless of whatever guidance exists, clients are inclined to mistakenly expect that auditors can, must, and will find fraud if it exists within the company.
The client sometimes fails to acknowledge that the auditors clearly outline their audit and review responsibilities with engagement letters. Those letters usually state that the auditors provide reasonable assurance that they will detect material misstatements, but not absolute assurance.
The client also often does not consider the fact that immaterial frauds may never be found. If a fraud is not large enough to “make a difference” in the financial statements, then it stands to reason that it most likely will not be detected. Detecting an immaterial fraud would be like finding a needle in a haystack.
The expectation gap boils down to misconceptions on the part of the client. Management and employees wrongly believe that reviews and audits can and should always detect fraud. Auditors also bear some responsibility for the expectation gap, and they might consider addressing this issue verbally with the client. That discussion should echo the engagement letter and address any concerns or unrealistic expectations held by the client.
Executives, attorneys, and board members may be left asking themselves why they pay for audits if the procedures aren’t going to detect all the potential problems with the numbers. Audits and reviews have their place in the business world, as they help companies identify risky areas of the financial reporting process, and they hopefully find material errors and frauds.
Since reviews and audits can only provide limited (but not absolute) assurance on the numbers, they are only one part of a company’s financial picture. If management wants to go a step further, they will look beyond audits and reviews.
Internal control reviews with a “focus on fraud” can help prevent fraud. They probably won’t detect old frauds, but the involvement of an anti-fraud professional during the review of controls will help the company identify the areas most at risk for fraud.
The next step is the development of procedures specifically designed to prevent fraud. This requires management to take a proactive stance against fraud. Since management cannot fully rely on audits and reviews to detect fraud, the better alternative is to shore up controls so that the opportunities for fraud are decreased.
At the end of the day, the responsibility for fraud prevention and detection is on the company’s management. Executives and managers must clearly understand the inherent limitations of audits and reviews, and recognize that they cannot and will not detect all frauds. Audits and reviews should not be avoided or discarded, but management is advised to add proactive fraud prevention measures to help the company maintain better control over the potential for fraud.