ow can CPAs learn to more effectively detect financial statement fraud? One of the best ways is to “profit” from the mistakes of others. The information presented here is based on cases in which the SEC sanctioned auditors for their association with fraudulent financial statements. Enforcement actions against auditors are rare, but the consequences of individual cases can be great and the cases offer the profession an opportunity to learn and grow. While the lessons presented here will be most valuable to practitioners who perform audits, CPAs employed by client companies may also benefit from understanding the process so they can develop realistic audit expectations.
Our analysis is based on a report we completed in 2000 for the AICPA ASB titled Fraud-Related SEC Enforcement Actions Against Auditors: 1987–1997. Our research initially involved 56 cases. However, 11 of those 56 cases involved a bogus audit or auditor where either the audit never took place or a non-CPA posed as an auditor and issued a phony opinion. In the remaining 45 cases the SEC alleged deficiencies in performing one or more “attempted” audit engagements. These cases form the basis for our analysis.
All of the cases involved public companies, most of which engaged in fraudulent financial reporting (or “cooking the books”). Only a few engaged in misappropriation of assets or defalcation (stealing). While the audit deficiencies described here may help CPAs detect or prevent either type of fraud, with private companies—where stealing is the more pervasive risk—auditors face an entirely different set of considerations.
COMMON AUDIT PROBLEMS
The exhibit above highlights the top 10 audit deficiencies the SEC claimed. The most common problem—alleged in 80% of the cases—was the auditor’s failure to gather sufficient evidence. In some instances, this failure was pervasive throughout the engagement; in other instances the allegations were more specific. For example, many of the cases involved inadequate evidence in the areas of
Asset valuation. The auditor did not obtain evidence to support key assumptions.
Asset ownership. The auditor did not obtain evidence to indicate the company owned certain assets.
Management representations. The auditor did not corroborate management responses to inquiries.
Some cases involved the auditor’s failure to examine relevant supporting documents (for example, examining a draft, instead of a final, sales contract) or failure to perform steps listed in the audit program. Overall, this failure contributed to management’s success in overstating assets, the most common fraud technique.
Due professional care. The SEC claimed that auditors failed to exercise due professional care in 71% of the enforcement cases and to maintain an attitude of professional skepticism in 60% of the cases. In general, this failure on the auditors’ part can be found throughout the sanctioned audit engagements.
Applying GAAP. In almost half of the cases, the SEC said the auditors failed to apply or incorrectly applied GAAP pronouncements. Many of the GAAP violations related to unusual assets with unique accounting valuation issues (often described in the lower levels of the GAAP hierarchy).
Audit program design. Planning the audit engagement is crucial to its success. Deficiencies in audit planning were cited in 44% of the cases. Specifically, the auditor failed to
Properly assess inherent risk and adjust the audit program accordingly.
Recognize the heightened risk associated with non-routine transactions.
Prepare an audit program (or inappropriately reused one from prior years).
Audit evidence. Another common deficiency the SEC alleged, present in 40% of cases, involved overreliance on inquiry as a form of audit evidence. The agency cited auditors for failing to corroborate management’s explanations or to challenge explanations that were inconsistent or refuted by other evidence the auditor had already gathered.
Failure to obtain adequate evidence relating to the evaluation of significant management estimates was present in 36% of the cases. The SEC claimed auditors failed to gather corroborating evidence and to challenge management’s assumptions and methods underlying the development of those estimates.
Accounts receivable. The SEC cited numerous deficiencies in confirming accounts receivable (present in 29% of the cases). These deficiencies included
Failure to confirm enough receivables.
Failure to perform alternative procedures when confirmations were not returned or were returned with material exceptions.
Problems with sending and receiving confirmation requests (for example, failing to corroborate confirmations received via fax or allowing the client to mail confirmation requests).
Related parties. Another common problem (in 27% of cases) was the auditor’s failure to recognize or disclose transactions with related parties. The auditor was either unaware of the related party or appeared to cooperate in the client’s decision to conceal a transaction with this party. Such transactions often resulted in inflated asset values.
Internal controls. In 24% of the cases, the SEC alleged the auditors overrelied on internal controls. It said that they typically had failed to expand testing in light of identified weaknesses in the client’s internal controls. In other cases, the auditors seemed to implicitly assume the presence of a baseline level of internal controls, even though the auditor documented that the client essentially had no controls in place.
Based on the deficiencies the SEC found, there are a number of areas that warrant specific attention from CPA firms that do audits and from individual auditors themselves.
Audit issues. The three most common deficiencies all reflect engagement management problems affecting many areas of the audit: a failure to gather sufficient, competent evidence, lack of due care and lack of professional skepticism. In many cases, the best remedy for such problems is for auditors to develop a properly designed and executed quality control system. Such a system creates a culture that encourages all members of the audit team to maintain a baseline acceptable level of performance, regardless of perceived day-to-day engagement and firm pressures.
CPA firms should evaluate their own quality control systems to ensure policies and procedures emphasize the importance of proper audit planning, supervision and review, including timely involvement by engagement and concurring partners. Additionally, firms should reexamine existing quality control procedures to make sure they are detailed enough to assure firm leaders that audit teams are examining appropriate documentation (final documentation, not drafts) and that teams complete all audit program steps. Those procedures should emphasize that auditors should corroborate management representations with additional evidence and not overuse management inquiry as a form of audit evidence.
The firm’s “tone at the top.” Another means of reducing office-wide audit problems is to address the attitudes at the firm’s highest levels. Here are some values a CPA firm’s managing partners should clearly communicate to their employees. Firms should
Define “client” to include not only management but also the entity’s board of directors, audit committee, stockholders and the investing public to ensure the audit team considers all affected parties throughout the engagement.
Signal to their audit teams that providing high quality audit services is a top priority and that the firm does not view such services as a commodity. A firm can do this by emphasizing the importance of audit quality in training programs and annual performance reviews.
Encourage all personnel to maintain an attitude of professional skepticism that focuses on the importance of the auditor’s role in protecting the public interest and maintaining strong capital markets. A firm can accomplish this by conducting periodic engagement-wide team meetings to discuss concerns about management integrity issues and by highlighting for staff members the risks of not being skeptical.
Performance measurement and compensation. Audit firms can benefit from closely examining their performance measurement and compensation systems. In many of the fraud cases, it appeared auditors simply chose not to pursue identified audit issues, perhaps fearing the time spent investigating those issues would hinder career advancement or result in penalties during salary and bonus reviews because they ran overtime budgets or missed client-imposed deadlines.
A clear message should be part of all personnel decisions (hiring, retention and promotion) that the firm values high quality audit services and that all other considerations—including time budgets, firm administration, development of nonaudit services and other practice development issues—are secondary. Firms also need to carefully evaluate whether fee and deadline pressures will have an impact on the audit team’s ability to deliver a high quality audit.
GAAP violations. CPA firms that perform audits can take a number of steps to reduce the incidence of GAAP violations among audit personnel, including
Requiring specific internal firm consultation with technical A&A partners or industry specialists when certain accounting issues arise.
Expanding the coverage of technical accounting topics and industry-specific requirements in firm-sponsored training courses to ensure audit personnel understand the nuances of GAAP, particularly those involving unique industry issues.
Ensuring that firm personnel understand the provisions of SAS no. 69, The Meaning of Present Fairly in Conformity With Generally Accepted Accounting Principles in the Independent Auditor’s Report [GAAP hierarchy]. Implementing this recommendation might require the firm to develop or purchase guidance on implementing GAAP’s more obscure aspects.
Audit planning. Auditors can best remedy audit planning deficiencies by promoting more extensive and timely involvement by partners—both engagement and concurring—and managers in planning the engagement. Such involvement increases the likelihood the auditor will correctly assess risks (both inherent and control) and modify the firm’s audit approach (nature, extent and timing of tests) as appropriate. Involving the audit team partner and manager during the planning phase will help ensure that audit plans emphasize careful scrutiny of nonroutine transactions, particularly those recorded near yearend—when management sometimes records inappropriate transactions.
Management estimates. At a minimum, auditors need to carefully review the underlying data, assumptions and methods a company’s management used to develop financial statement estimates. An adequate review hinges on auditors with an appropriate level of both general and industry-specific expertise being involved. In cases of particularly complex or unusual estimates, specialists may be needed.
Confirming accounts receivable. CPA firms need to ensure their audit teams are effectively handling the confirmation process. Firms should remind team members to
Confirm accounts receivable (unless conditions under SAS no. 67, The Confirmation Process, suggest confirmations would not be effective).
Confirm an adequate portion of the receivables.
Maintain control of the confirmation process.
Employ alternative procedures when confirmations are not returned or exceptions exist.
Related-party transactions. To increase the likelihood of detecting related-party transactions, the auditor should:
Prepare a list of related parties, continually updating it throughout the engagement and distribute it to all audit team members.
Make inquiries of management regarding the existence of related-party transactions.
Confirm with the counter-party the nature and existence of material or unusual client transactions, including whether a relationship exists between the counter-party and the client or its management.
Once the auditor uncovers a related-party transaction, he or she has two additional responsibilities: 1) closely examine the transaction to make sure that it occurred and is correctly valued and 2) ensure the GAAP requirements (see FASB Statement no. 57, Related Party Disclosures ) are satisfied.
Reliance on internal controls. In the SEC cases, auditors sometimes relied too much on internal controls by either failing to expand testing after discovering internal control weaknesses or assuming a baseline level of internal control existed even in the absence of any controls testing. This finding has implications for firm policy and quality control procedures, which should explicitly note the prohibition in professional standards against placing any reliance on controls unless they have been adequately tested. In addition, firms should more closely link internal control evaluations to substantive audit testing (the nature, timing and extent of such tests).
BETTER AUDITS, LESS FRAUD
As financial and economic pressures tighten for corporate executives, it is more important than ever for auditors to develop sound fraud-detection audit techniques. The audit deficiencies alleged by the SEC between 1987 and 1997 are, in our view, issues the profession and individual firms can effectively address. The recommendations included in this article may help firms reduce the chance of undetected material financial statement fraud as they strive to continually improve fraud risk assessment tools. The audit deficiencies the SEC identified also have important implications for standard setters as they seek to strengthen professional standards related to the auditor’s fraud detection responsibilities.