In theory, auditors are a formidable opponent to corporate criminals seeking to cover up their misdeeds.

Armed with professional skepticism and the authority to interrogate data and employees, both internal and external auditors could reasonably be expected to be on the forefront of uncovering illegal activity.

Sketchy accounts payable journal entries, for example, could be a tip-off that a company is paying bribes to government officials—triggering an FCPA investigation—or kickbacks to a competitor, which could lead to a price-fixing investigation.

Major financial frauds, like overstating revenues or manipulating the balance sheet, also live within the lines of financial statements. Considering how closely auditors scrutinize such files, it seems only logical they might stumble across illegitimate payments, tampering, forgery, or evidence of some other form of money-related crime and ferret it out.

In reality, that’s rarely the case, audit experts say. Among the fraud cases that come to light, internal auditors discover the fraud approximately 14 percent of the time, according to a recent survey by the Association of Certified Fraud Examiners, while external auditors uncover the misdeeds in just 3 percent of cases (5 percent at larger companies), which is less often than fraud is discovered by accident.

Rarer still is an auditor going outside the company or directly to regulators with their findings, despite the fact that external auditors are legally required to do so in certain cases. That’s not to say that external auditors are looking the other way or turning a blind eye to fraud. Instead, auditors generally follow their protocols, raise the issues with management or the audit committee or both, and then ensure that someone else is doing the appropriate investigating.

Escalate, Not Investigate

The applicable law governing external auditors and investigations is Section 10A of the 1934 Securities Exchange Act. That section, created in 1995 as part of the Private Securities Litigation Reform Act and amended by the Sarbanes-Oxley Act, requires auditors to consider any potentially illegal act they come across in their audit, whether or not it is perceived to have a material effect on the client’s financial statements.

They are to first determine whether it is likely an illegal act has occurred, then estimate the financial effect (including potential fines), and then “as soon as is practicable” inform management about the issue, ensuring the audit committee hears about it as well. If—after an unspecified period of time—the auditor believes it is a material issue and management is not taking action, the audit firm must issue a 10A report to the board, send the report to the Securities and Exchange Commission, and resign from the engagement.

The Public Company Accounting Oversight Board Audit Standards 316 and 317 also address the issue of illegal acts by clients, including financial statement fraud. While these standards stress that financial auditors are not usually equipped to determine whether non-financial activities are illegal, they also set out detailed protocols for what to do when things don’t seem right. The first step is to talk to the managers at the level above those involved in the suspicious behavior, or to the audit committee in the case of senior management. If the auditor is not satisfied with the response, he or she should ask the client to arrange for discussions with the client’s legal counsel or other specialists, and then “apply additional procedures” such as comparing supporting records with accounting statements to see if they match up.

If the activity still appears to be illegal and management does not take the allegations seriously, then the auditor must consider resigning. As for informing the SEC or other regulators, however, the standards advise auditors to be cautious. “Disclosure of an illegal act to parties other than the client’s senior management and its audit committee or board of directors is not ordinarily part of the auditor’s responsibility, and such disclosure would be precluded by the auditor’s ethical or legal obligation of confidentiality,” the standards read, except in circumstances such as when a subpoena is served.

The Company’s Response

Generally speaking, companies respond quickly to an auditor’s concern with some form of an internal investigation, attorneys say. “Most public companies today take this very seriously, and they know they have to at least get things cleaned up between them and their auditor,” says Jason Hille, a partner in the Milwaukee office of law firm Foley & Lardner. “There is really no opportunity to sweep it under the rug.”

Auditors then stay apprised of the investigation without being directly involved, says Tim Hedley, who is often involved in forensic accounting investigations as global fraud risk management leader for KPMG. “They know the work plan and what inquiries and document reviews we’re doing as we go along, and then the conclusions we come to,” he says.

The SEC does not make public the 10A letters that auditors may file in disagreement with management’s responses. The most recent GAO report on 10A letters, completed in 2003, found that just 29 such letters had been filed between 1996 and 2003.

For their parts, the SEC and PCAOB rarely levy sanctions against auditors for failing to find or disclose fraud or other illegal activity. One of the highest-profile cases in the past decade involving these issues occurred in 2011, when both authorities charged five of PwC’s India affiliates for failing to verify forged bank deposits of client Satyam, a large Indian company that was charged with overstating revenues by about $1 billion. PwC India settled the charges, paying $6 million in SEC penalties and $1.5 million in PCAOB penalties. Beyond that, most 10A-related cases have targeted very small CPA firms.

To some extent, the lack of action is understandable, given the scope of auditing. “Auditors are tasked with making sure the financial statements don’t have any material omissions or mis-statements,” says Hille. “If you see something marked ‘special payment,’ that might be a yellow flag, but for every 10 [illegal payments], you probably have 10,000 transactions that were legitimate.”

That could change with the use of Big Data-style analyses, but not likely very much. “Auditors will use analytics and technology during the course of an audit, but normally audit procedures are not designed to detect illegal acts,” says Hedley. Something like filtering accounts payable to spot suspicious anomalies and trends would only occur under “very specific facts and circumstances,” not necessarily as a standard part of an audit.


Below is an excerpt from the Securities Exchange Act of 1934 explaining audit requirements.
(a) IN GENERAL—Each audit required pursuant to this title of the financial statements of an issuer by a registered public accounting firm shall include, in accordance with generally accepted auditing standards, as may be modified or supplemented from time to time by the Commission—
(1) procedures designed to provide reasonable assurance of detecting illegal acts that would have a direct and material effect on the determination of financial statement amounts;
(2) procedures designed to identify related party transactions that are material to the financial statements or otherwise require disclosure therein; and
(3) an evaluation of whether there is substantial doubt about the ability of the issuer to continue as a going concern during the ensuing fiscal year.
(1) INVESTIGATION AND REPORT TO MANAGEMENT—If, in the course of conducting an audit pursuant to this title to which subsection (a) applies, the registered public accounting firm detects or otherwise becomes aware of information indicating that an illegal act (whether or not perceived to have a material effect on the financial statements of the issuer) has or may have occurred, the firm shall, in accordance with generally accepted auditing standards, as may be modified or supplemented from time to time by the Commission—
(A)(i) determine whether it is likely that an illegal act has occurred; and (ii) if so, determine and consider the possible effect of the illegal act on the financial statements of the issuer, including any contingent monetary effects, such as fines, penalties, and damages; and
(B) as soon as practicable, inform the appropriate level of the management of the issuer and assure that the audit committee of the issuer, or the board of directors of the issuer in the absence of such a committee, is adequately informed with respect to illegal acts that have been detected or have otherwise come to the attention of such firm in the course of the audit, unless the illegal act is clearly inconsequential.
Source: Securities Exchange Act of 1934.

Some of the most spectacular financial disasters, however, have strongly implicated auditors, and regulators have not always taken action. Consider Lehman Brothers, whose meltdown and subsequent bankruptcy fueled the financial crisis that began in 2009. One catalyst was the fact that the bank improved its balance sheet through the use of so-called Repo 105 transactions that temporarily removed some debt to minimize the firm’s leverage.


In his lengthy report, unsealed by the courts in 2010, bankruptcy examiner Anton Valukas, head of law firm Jenner & Block, notes that Lehman’s auditor, Ernst & Young, “did not evaluate the possibility that Repo 105 transactions were accounting-motivated transactions that lacked a business purpose.” Instead, the firm merely confirmed the fair value of such assets and assessed how well they adhered to the accounting standard at hand. Even when a credible whistleblower told E&Y officials that the firm had used $50 billion in Repo 105 transactions to manipulate the balance sheet the previous quarter, the auditors did not mention it at an audit committee meeting the next day. Valukas concludes “there is sufficient evidence” to support claims that Ernst & Young “was professionally negligent in allowing [the audit] reports to go unchallenged.”

While Ernst & Young faced plenty of private litigation about its role, plus a lawsuit from the New York Attorney General’s office that is still ongoing, neither the SEC nor the Department of Justice has brought charges against the audit firm.

Inside Jobs

Internal auditors are often held to a higher standard than external ones, since “they are more plugged in” to the company’s operations, notes Hille. One of the best-known examples of how powerful their investigations can be is Worldcom, where then-vice president of internal audit Cynthia Cooper uncovered systematic financial fraud in her review of capital expenses. Other companies, including Avon, have more recently noted that internal audit findings have triggered investigations.

Internal audit executives who fail to escalate problems appropriately have also faced public fire from regulators. When the SEC brought FCPA charges against medical device manufacturer Biomet in 2012, for example, officials made special note of the fact that internal audit had rigorously documented illegal payments to doctors and government officials in countries such as Argentina, Brazil, and China, but failed to sound adequate alarm bells. “A company’s compliance and internal audit should be the first line of defense against corruption, not part of the problem,” said Kara Novaco Brockmeyer, chief of the FCPA enforcement unit, in the press release accompanying the charges.  

As with external auditors, however, the main duty of the corporate auditor is to escalate a problem, not bring it directly to authorities. “Most large companies have a protocol, and everyone pretty much knows what their roles are when internal audit stumbles on a fraud,” says Richard Chambers, president and CEO of The Institute of Internal Auditors. Internal audit’s role, however, is not typically to bring issues to regulators. In the “extraordinarily unlikely” event that management or the audit committee was unwilling to report a crime that internal audit was aware of, auditors “would have to weigh their actions very carefully and would probably want to engage their own counsel.”