The
Fraud Files
Why didn’t
our auditors find the fraud?
By
Tracy L. Coenen
Jan.
25, 2006
 |
| Tracy
L. Coenen
|
Companies
and organizations that are hit with employee fraud, including
embezzlement, asset misappropriation, and financial statement
manipulation are often surprised that the incident occurred. Even
more surprising to executives and boards of directors is the fact
that their auditors didn’t find the fraud sooner, or didn’t
find it at all. After all, isn’t that what auditors are supposed
to do?
In
one case, the bookkeeper for a non-profit organization was stealing
for several years and cleverly covering her tracks. She didn’t
let the checks get too large, and she divided the check amounts
between many accounts so that the entries in each account would
be very small. She knew that if the amounts were small enough,
they probably would not be carefully examined during the annual
audits.
She
was right, and her scheme worked until an auditor found a problem
with the bank reconciliation. That problem led to further investigation,
which ultimately uncovered the fraud. You could say that the fraud
was discovered by accident. The board of the directors wondered
why the auditors didn’t find the fraud sooner, since it had
been ongoing for at least three years.
The
answer was simple. The auditors followed the rules, but those
rules aren’t always effective at uncovering a situation that
is purposely disguised by a dishonest employee.
The
bookkeeper used what she knew about the accounting process and
the year-end audit to escape detection. She knew that management
wasn’t checking her work or monitoring the bank account.
By utilizing small-dollar transactions, recording false transactions
in the accounting system, and discarding canceled checks, she
successfully beat the system and ran off with hundreds of thousands
of dollars.
Auditing
Defined
Audits
and reviews are procedures performed on the financial statements
of a company, for the purpose of determining whether the financial
statements include any material misstatements. Misstatements are
essentially wrong numbers due to numerical errors, fraud, or errors
in interpreting the accounting rules. Misstatements are material
if they are large enough to make a difference to a user of the
financial statements, such as a bank or investor.
Auditors
utilize sampling techniques to test certain transactions during
the performance of an audit or review, since it would be nearly
impossible and too expensive to test every single transaction.
The sampling may be aimed at the largest items or the items on
the financial statements that pose the most risk of misstatement.
If material errors in the financial statements are discovered,
the auditors will direct management to correct them.
So
how does fraud fit into the idea of material misstatements? Misstatements
can be caused by either error or fraud. Auditors have some responsibility
for the detection of both errors and frauds that are material,
but this responsibility is not absolute. Auditors give “reasonable”
assurance that material misstatements have been uncovered, but
not total assurance.
Errors
are much more likely to be discovered during an audit than are
fraud. Fraud schemes are crafted to purposely exploit the accounting
system and controls, and therefore it is more difficult for an
auditor to find them. Since auditors are not all-knowing beings,
the assurance that the financials statements are correct can only
be “reasonable” assurance and not total assurance.
Auditing
Rules
It’s
important to understand the guidance given to auditors on the
topic of fraud. Accountants performing audits in the United States
follow Generally Accepted Auditing Standards (GAAS) in their performance
of audits. Additional guidance is provided in the Statements on
Standards for Auditing and Review Services (SSARS) and Statements
on Auditing Standards (SAS). These sets of authoritative guidance
outline the responsibilities that auditors have for finding fraud
while performing audits and reviews.
SAS
number 99, “Consideration of Fraud in a Financial Statement
Audit,” became effective in late 2003. This statement directs
auditors to use professional skepticism and to consider that a
fraud could have occurred and could materially affect the financial
statements. The auditors must consider and identify the risk of
fraud, and must continuously evaluate evidence throughout the
audit to determine whether or not there are any fraud indicators.
The
American Institute of Certified Public Accountants (AICPA) recently
issued SSARS number 12, “Omnibus Statement on Standards for
Accounting and Review Services.” This applies to reviews,
rather than audits. Reviews provide less assurance on the financial
statements, as the review procedures are typically less thorough
and less detailed than audit procedures. This statement dictates
that during a review, the auditor is not required to assess the
risk of fraud or develop plans specifically to identify fraud.
The
guidance for auditors is continuously evolving as the accounting
profession acknowledges that fraud is becoming a bigger issue
for clients. All of this alphabet soup can be boiled down to the
fact that it is management’s responsibility, not the auditor’s,
to prevent and detect fraud. The auditors must consider fraud
throughout their procedures, but they do not have an absolute
responsibility for the detection of fraud.
Expectation
Gap
If
the guidance on fraud is so clear from the perspective of the
auditor, why does there seem to be an expectation gap between
the auditors and the clients?
Regardless
of whatever guidance exists, clients are inclined to mistakenly
expect that auditors can, must, and will find fraud if it exists
within the company.
The
client sometimes fails to acknowledge that the auditors clearly
outline their audit and review responsibilities with engagement
letters. Those letters usually state that the auditors provide
reasonable assurance that they will detect material misstatements,
but not absolute assurance.
The
client also often does not consider the fact that immaterial frauds
may never be found. If a fraud is not large enough to “make
a difference” in the financial statements, then it stands
to reason that it most likely will not be detected. Detecting
an immaterial fraud would be like finding a needle in a haystack.
The
expectation gap boils down to misconceptions on the part of the
client. Management and employees wrongly believe that reviews
and audits can and should always detect fraud. Auditors also bear
some responsibility for the expectation gap, and they might consider
addressing this issue verbally with the client. That discussion
should echo the engagement letter and address any concerns or
unrealistic expectations held by the client.
Audit
Alternatives
Executives,
attorneys, and board members may be left asking themselves why
they pay for audits if the procedures aren’t going to detect
all the potential problems with the numbers. Audits and reviews
have their place in the business world, as they help companies
identify risky areas of the financial reporting process, and they
hopefully find material errors and frauds.
Since
reviews and audits can only provide limited (but not absolute)
assurance on the numbers, they are only one part of a company’s
financial picture. If management wants to go a step further, they
will look beyond audits and reviews.
Internal
control reviews with a “focus on fraud” can help prevent
fraud. They probably won’t detect old frauds, but the involvement
of an anti-fraud professional during the review of controls will
help the company identify areas of the company most at-risk for
fraud.
The
next step is the development of procedures specifically designed
to prevent fraud. This requires management to take a proactive
stance against fraud. Since management cannot fully rely on audits
and reviews to detect fraud, the better alternative is to shore
up controls so that the opportunities for fraud are decreased.
At
the end of the day, the responsibility for fraud prevention and
detection is on the company’s management. Executives and
manager must clearly understand the inherent limitations of audits
and reviews, and recognize that they cannot and will not detect
all frauds. Audits and reviews should not be avoided or discarded,
but management is advised to add proactive fraud prevention measures
to help the company maintain better control over the potential
for fraud.
Tracy
L. Coenen CPA, MBA, CFE is the president of Sequence Inc, a forensic accounting
firm with offices in Milwaukee and Chicago. She is a nationally-recognized expert
on fraud and financial investigations, and can be reached at tracy@sequence-inc.com
or 414.727.2361.
