Auditing regulators are exploring whether it’s possible for the routine audit of financial statements to borrow a few moves from the forensic-accounting playbook and more effectively detect or deter fraud.
The Public Company Accounting Oversight Board convened a panel of forensic-accounting experts to address the Board’s Standing Advisory Group recently about how forensic-audit practices might be incorporated into the routine financial-statement audit. They explored the feasibility of a range of suggestions offered in a November 2006 report by the six leading global accounting firms calling for some measure of forensic audits to become a regular part of the audit process.
Hermanson
Dana Hermanson, an accounting professor at Kennesaw State University, said a forensic audit differs from a general audit of financial statements in that it begins with a specific question. “The scope of a forensic audit is to fix blame or answer a question. A forensic audit seeks proof, not reasonable assurance,” he said. “You need a body in order to trigger a forensic audit. You need a red flag, an intense sense that something is wrong to trigger a forensic audit. What’s the allegation?”
The November report called for either periodic forensic audits of all public companies, perhaps every three to five years, or random forensic audits. Hermanson, however, questioned whether those options are workable. “There’s a lot of value in using the skeptical mindset of a forensic audit in a financial statement audit,” he said. “But to me, the notion of periodic 100 percent forensic audits doesn’t make as much sense as some of the alternatives.”
Toby Bishop, a forensic accountant and partner with Deloitte Financial Services, said forensic-accounting tools available today can make the routine financial-statement audit more effective at detecting fraud, or at least defining the risk of fraud.
Bishop
For example, Bishop said, tools can identify unusual links in data that merit further study, such as when a vendor address matches an employee address. Analytical tools also can search email records for key words or identify hidden or deleted information, he said. He said Deloitte employs computer analysis of a high volume of transactions to identify anomalies worth investigating.
The market has been slow to adopt such tools, Bishop said, for a variety of reasons—including a general lack of awareness that they exist and concerns about the added cost. In addition, he said, attorneys have concerns about whether auditors will be held to a higher standard of assurance if they employ more sophisticated technology, and privacy issues might arise when financial-statement auditors might access employee email.
Still, there may be some benefit in regulators exploring the path. “With appropriate guidance, [forensic tools] could be deployed to assist financial statement auditors in detecting more fraud,” he said. “The CEOs of the international audit networks encourage you to consider actions that could accelerate this activity and better protect investors.”
PAPER
An excerpt from the SAG meeting on Feb. 22 follows.
Consideration of Forensic Audit Procedures for Public Companies
In November 2006, the Global Public Policy Symposium, comprising the CEOs of
the six largest accounting firms, released a paper titled Global Capital Markets and the
Global Economy: A Vision From the CEOs of the International Audit Networks
("November 2006 Paper"). The paper states that “...there is a significant ‘expectations
gap’ between what various stakeholders believe auditors do or should do in detecting
fraud, and what audit networks are actually capable of doing, at the prices that
companies or investors are willing to pay for audits.” Additionally, the paper states that
"[w]hat is sorely needed is a constructive dialogue among investors, other company
stakeholders, policy makers and our own professionals about what should be done to
close or at least narrow the 'expectations gap' relating to fraud."
The November 2006 Paper outlines the following ideas for improving fraud
detection at public companies:
A forensic audit on a regular basis – The most aggressive, but also most
costly and intrusive, way of rooting out fraud would be to require all public
companies to undergo a forensic audit on a regular or periodic basis (e.g.,
every three or five years);
A forensic audit on a random basis – A less onerous and less costly
version of the forensic audit proposal would be to subject public
companies to a forensic audit on a random basis; and
Other "choice-based" options – For example, one possibility would be to
let shareholders decide on the intensity of the fraud detection effort they
want auditors to perform. Shareholders could be assisted in making this
decision by disclosure in the proxy materials of the costs of the different
levels of audits, as well as the historical experience of the company with
fraud. A different choice model would be to rely upon boards, or audit
committees, to decide on the level of fraud detection intensity.
Forensic audits can be performed to achieve various objectives and can include
a variety of different procedures. The ability of a forensic audit to provide better fraud
detection than a financial statement audit would, of course, depend on the nature and
extent of procedures performed. As discussed below, auditors currently perform some
procedures in the financial statement audit that could be considered forensic in nature.
Current Forensic Audit Procedures in an Audit of Financial Statements
In 1998, the then Chief Accountant of the SEC asked the Public Oversight Board
(“POB”) to examine recent changes in the audit process, and suggested the creation of
a panel to perform this review.8/ On August 31, 2000, the POB’s Panel on Audit
Effectiveness ("PAE") issued its report and recommendations. Included in the report
was the introduction of a "forensic-type fieldwork phase." The report stated:
Not unlike the traditional planning, interim, final and review phases of
audits, this new forensic-type phase should become an integral part of the
audit, with careful thought given to how and when it is to be carried out. A
forensic-type fieldwork phase does not mean converting a generally
accepted auditing standards ("GAAS") audit to a "fraud audit." Rather, the
characterization of this phase of a GAAS audit as a forensic-type phase
seeks to convey an attitudinal shift in the auditor's degree of skepticism.
Furthermore, use of the word phase does not mean that the work cannot
be integrated throughout the audit.
The PAE recommended that during this forensic-type phase auditors should
modify the otherwise neutral concept of professional skepticism and presume the
possibility of dishonesty at various levels of management, including collusion, override
of internal control, and falsification of documents.
Source
Standing Advisory Group Meeting: Panel Discussion—Forensic Audit Procedures (Feb. 22, 2007)
Jeff Steinhoff, a director with the U.S. Government Accountability Office, said financial statement auditors need more training in forensic accounting to enhance their approach, especially as more sophisticated technology becomes available and data mining becomes more feasible. “You’re not going to find something if you’re not looking for it,” he said. “The typical auditor doesn’t think in these terms.”
Hermanson said universities are offering more forensic training, and it’s popular coursework with students. However, he added students often leave such courses charged up to find fraud, then lose their zeal as they audit one clean company after another.
Trott
Ed Trott, a member of the Financial Accounting Standards Board, said audit regulators should consider some kind of program that would evaluate “tone at the top” and the risk of management override of internal controls to perpetuate fraud.
“To me, the biggest type of fraud, the most meaningful, is management override, and the tone at the top leads to management override,” he said. He questioned whether the PCAOB has considered the potential effectiveness of such a program. “That’s where you’re going to get the bang for the buck, especially in preventing financial statement frauds.”
Niemeier
PCAOB member Charles Niemeier referenced a report that said 83 percent of frauds involve management override of controls, especially top-side, post-closing journal entries. “Is that something you focus on when you talk to audit teams about how to make sure there isn’t a fraud taking place?” he asked Bishop at the SAG meeting.
“Absolutely,” Bishop replied. However, auditors are engaged in a “constant battle of wits” with fraudsters, he said. When auditors were instructed under Statement of Auditing Standards No. 99 to pay more close attention to the risk of fraud, “it upped the game for fraudsters in their training camp,” Bishop said. “They decided no longer to pass single journal entries. Now it’s multiple smaller journal entries. It may seem like a simple area to look at, but they know that you’re coming. The whole purpose of fraud is to fool.”
Turner
Lynn Turner, managing director of research for Glass Lewis & Co. and a former chief accountant for the Securities and Exchange Commission, said the PCAOB should convene a panel of fallen executives who have committed fraud. “When you sit down and talk to them, you get a tremendous insight about how they were able to fool the auditors,” he said. “If you want to know how to prevent fraud, I suggest you talk to those who have done a pretty good job at it.”
Related briefing papers, resources, and Compliance Week coverage can be found in the box above, right.
No comments yet