SEC official advises auditors shift mindset on fraud detection

Paul Munter, acting chief accountant at the SEC, issued a statement Tuesday highlighting auditors’ responsibilities in fighting fraud, including his office’s recent observations of shortcomings in the area. Among the deficiencies he noted was auditors framing discussions of their responsibilities related to fraud by describing what they are not required to do instead of what they can provide—an approach Munter labeled as “particularly troubling.”

“We find this attitude of focusing on the limits of the auditor’s responsibilities at the outset as opposed to the affirmative requirements with respect to the responsibility to plan and perform the audit to obtain reasonable assurance about whether the financial statements are free from material misstatement, whether caused by error or fraud, deeply concerning, as it could impact an auditor’s mindset or their degree of professional skepticism and may thereby reduce the likelihood of fraud detection and potentially result in dereliction of professional responsibilities to the public trust,” he said.

External auditors have long had a spotty track record of embracing their role in exposing wrongdoing. Regulators have paid renewed attention to the matter in recent years, with the Wirecard fraud scandal in Germany serving as an example where criticism was levied against the auditor—EY—for not doing more to spot the misconduct.

In his statement, Munter noted Public Company Accounting Oversight Board (PCAOB) standards require auditors to exercise due professional care and skepticism throughout an audit. The PCAOB in its inspections often identifies deficiencies in these areas. Another common shortcoming is auditors ignoring red flags and failing to obtain sufficient audit evidence—allegations the SEC levied against accounting firm Friedman in a $1.5 million enforcement action last month.

To avoid SEC scrutiny and ensure compliance with PCAOB standards related to detecting material misstatements because of fraud, Munter offered the following best practices:

• Avoid using examples of fraud risk considerations included within auditing standards as an exhaustive checklist. “Audit responses should be tailored to the identified fraud risk and dynamic to changing business environments,” he said.
• Consider publicly available information during an audit and evaluate how such information impacts risk assessment and the audit response.
• Devote time and resources to assessing the issuer’s entity-level controls. “This would include assessing whether the organization demonstrates a commitment to integrity and ethical values,” said Munter, who added auditors should evaluate a business’s code of ethics as well.
• Ensure company whistleblower hotlines are appropriately implemented and not just checking the box.
• Review the issuer’s approach to its own fraud risk assessment.
• Implement technology to assist in investigating fraud. “[R]emember that the use of technology is most effective when combined with sound professional judgment and other audit procedures that do not lend themselves to the use of technology,” said Munter.

Munter also advised auditors keep a “questioning mind” during the course of their work and “set aside any prior beliefs about management’s honesty and integrity.” Biases serve to negatively affect auditors in their determination of whether uncovered misconduct is intentional or unintentional.

Questionable forms of evidence include invoices for large amounts with vague descriptions, invoices with related parties with descriptions outside the normal course of business, or materials provided by management in the late stages of an audit to address a potentially difficult or contentious matter, said Munter.

“Auditors should avoid any assumptions of honesty, be mindful of potential unconscious biases, and apply the appropriate level of professional skepticism,” he said.