Why audits fail

Fraud Magazine spoke recently with veteran auditors Elizabeth Simon, CFE, CPA, and E. Michael Thomas, CFE, CPA, CIA, who tell how they interpret and manage the technical factors, interpersonal dynamics and organizational politics that can interfere with audits. Adding to their insights, economic sociologist Irina Olimpieva, Ph.D., explains how society at large suffers when key social contracts are broken. The bond of trust between auditors and their stakeholders is one such fundamental agreement.

A bond of trust joins auditors with all who depend on the accuracy and completeness of their findings. But venal executives, captured regulators and compromised auditors can subvert that bond, betray confidence and dissipate capital. This article offers key insights and best practices to help CFEs — including those who are auditors — expose and mitigate threats to audit reliability.

On May 20, a federal judge will sentence to jail the last of six senior accounting executives — all CPAs — convicted of fraud for their roles in the audit inspection cheating conspiracy between the federal watchdog agency Public Company Accounting Oversight Board (PCAOB) and KPMG LLP. (See Sarbanes-Oxley Act of 2002 established PCAOB at the end of this article.)

This case reflects the tension between public company auditors and the agencies that regulate them — not just in the U.S. but around the world.  A bond of trust should join auditors with all stakeholders to report accurate and complete findings. And regulators must thoroughly and effectively inspect those findings to protect the public.

The primary purpose of public company financial statement audits isn’t to find fraud but to verify data reported to the U.S. Securities and Exchange Commission (and equivalent regulators in other nations) and to assess the effectiveness of internal controls over financial reporting. Still, when done properly, such audits can shed valuable light on weak controls and overlooked red flags.

Worries about audit quality are far from overblown. From 2013 through 2017, the PCAOB inspected 1,089 Big Four audits. Thirty-two percent (353) received a failing grade. (See the PCAOB’s Firm Inspections Reports.)

The vast majority of auditors, of course, are honest and do their best to verify the accuracy of financial statements. But some, like members of any profession, occasionally succumb to pressure or temptation.

CFEs, many of whom are auditors, are qualified and positioned to help restore trust in audits. Here are two CFEs who tell how to go about it.

Trust and skepticism

“We all want to trust people, especially those we have a business or other relationship with,” says ACFE Regent Emeritus Elizabeth Simon, CFE, CPA, director of ethics and compliance at Cox Enterprises, parent company of cable provider Cox Communications, headquartered in Atlanta, Georgia. “You certainly can’t trust folks who commit fraud, but they don’t exactly advertise their dishonesty,” she adds. “In fact, those best at fraud present a wholesome image many people find hard to disbelieve even when presented with strong evidence of a suspect’s guilt. That’s why professional skepticism must always be top of mind for CFEs when conducting investigations or otherwise looking into the possibility of fraud.”

Simon acknowledges that past fraud cases led her to use the ACFE’s 15 fraud risk assessment templates, which assess exposures ranging from cash larceny schemes to fraudulent financial reports. As a former external auditor, she’s well aware of the challenges faced by those performing such engagements.

“Many external audit teams are staffed by young auditors just out of school,” Simon explains. “They study last year’s audit plan, try to ensure it still makes sense, and follow it again this year. But that won’t uncover subtle schemes that so far have escaped detection.”

Simon believes that a CFE on staff knows more about the organization, its operations and biggest fraud risks than an external audit team does. “Early in the audit, find out whether their plan misses any key risk exposures,” she says. “If it does, the CFE should obtain and share any information that can help in performing a more effective audit.”

A thorough fraud risk assessment is the best way to identify overlooked areas for inclusion in the audit plan, Simon adds. “After performing the assessment, introduce yourself to the external auditors. Explain your analysis, offer to share the relevant templates and ask whether their plan covers the top five fraud risks you’ve identified.”

If the auditors have missed something, they can add another step to look at it. But if they show no interest in reviewing the information you’ve shared, you might want to discuss with company management the possibility that the audit plan is flawed and in need of further evaluation.

Making the case

Even if the external auditors agree to include a fraud risk their plan hadn’t considered, it might be wise to beef up existing controls to prevent that kind of fraud before it occurs. The CFE should then make a strong business case for such controls, as well as for any investigation or mitigation that might also be necessary.

Simon recommends tailoring your proposal to management’s goals and objectives. “In a sales unit, if you suggest controls that will prevent staff from hitting their targets, those goals will be at risk,” she says. “Instead, if you present them as a way to better identify high-quality, long-term customers who’ll pay on time and boost profitability, management will get on board. Adding necessary controls highlights fraud risks and gives auditors coherent indicators to evaluate. And that in itself can help make audits more effective.”

Ethics on the inside

Mike Thomas, CFE, CPA, CIA, is a partner in the Financial Institution Risk Consulting practice in the Atlanta, Georgia, office of Crowe LLP, a global public accounting, consulting and technology firm. With more than 35 years of experience, he specializes in coordinating Crowe’s provision of internal audit, loan review and compliance services to financial institutions in need of outside expertise and bandwidth.

Early in his career, Thomas became an internal auditor at a holding company with controlling interests in dozens of individual banks. When the ethical CEO of one of the holding company’s banks retired, a profit-hungry vice president took the reins. Earlier, while heading the bank’s lucrative lending operations, the new CEO had developed a reputation for cutting corners to boost earnings. “His open corruption disturbed a lot of people there,” Thomas recalls. “But no one did anything about it; they loved the fat bonuses he made possible.”

The crooked CEO’s personality and nonexistent ethics permeated the entire organization, which made lying, cheating, and misleading statements and actions standard operating procedure, Thomas says. In numerous audits, Thomas and his colleagues turned up evidence that the CEO misappropriated company assets and padded his expense account with lavish personal items.

When an informant tipped off the internal audit department that the CEO demanded a company car be sold to his housekeeper at a deep discount, Thomas and a colleague spoke to the manager responsible for the bill of sale. The manager told them it was misfiled, but he’d search for it. Before lunch, Thomas’ colleague noticed a pad of blank bills on the manager’s desk and initialed the bottom-right corner of the top bill on the pad. Later, the manager presented them with the “misplaced” bill he’d “finally managed to locate.” The bill not only was backdated with a full-market price and signed by one of the bank’s notaries; it also bore the auditor’s notation from an hour earlier. Still, no matter to whom internal audit reported these and other outrageous findings, no one in the holding company’s C-suite or boardroom would lay a finger on the man running their most profitable portfolio. His corrupt reign finally ended when someone in the bank leaked to local media details of the CEO’s fraudulent charges to his expense account.

“That lit a fire under the board’s seats,” Thomas says. “But they weren’t interested in justice; they simply wanted the press to move on. So, they made the bank’s CEO its vice-chairman, and from there he retired with all his stock options.”

Thomas, still enthusiastic about his profession, but eager to find an organization with robust governance, eventually joined the internal audit consulting practice at Crowe 17 years ago.

“At a recent engagement in which the client outsourced its internal audits to Crowe, the chief audit executive was very competent,” Thomas says. “But this person wanted to climb the ladder fast, so if management told him to bury something, he started digging.” Thomas wouldn’t withhold findings, though, and with his firm’s backing, pulled his audit team off the assignment.

“I can tell in just a few minutes if I’m dealing with someone who’s upfront and wants to do the right thing,” he says. “You can learn a lot by paying attention to how managers and executives take criticism, dole out punishment and react to negative findings. A CFE needn’t be an auditor to do that, and it might reveal information that can help improve audit quality.”

Contract or charade?

Irina Olimpieva, Ph.D., a senior researcher at the Centre for Independent Social Research in St. Petersburg, Russia, recently finished a study of how young students — future members of Russia’s professional elite — react to corruption in their daily lives. In October 2019, she presented her findings at George Washington University’s Institute for European, Russian and Eurasian Studies in Washington, D.C., where she’s a visiting scholar.

“Many young Russians are neither inclined nor prepared to fight corruption,” Olimpieva says. Her study, “To Bribe or Not to Bribe,” assembled focus groups of dozens of university students preparing for careers in law, economics and engineering in three of Russia’s biggest cities: St. Petersburg, Kazan and Rostov-on-Don. Respondents overwhelmingly said paying bribes is the only way to place children in kindergarten, obtain work papers or health care, and meet other common legitimate needs.

“By long-standing Soviet tradition, the state paternalistically upheld the social contract between government and the people,” Olimpieva says. “In return for your labor and loyalty, the state ensured your welfare and safety. But international sanctions and falling energy prices have plunged the Russian economy into a prolonged crisis. The state no longer can afford to provide health, education and retirement benefits. So, people have gradually lost their trust in the government that once was their protector.”

Western observers shouldn’t underestimate the extent to which Russia’s societal predicament could spread. Because corruption exists in all cultures, robust governance institutions and processes are what differentiate the West from Russia and other autocracies. However, when regulators and accounting firms fail to meet their obligations and essential functions like auditing become unreliable, the social contract between our system of governance and citizenry can break down.

Winning the battle

Each day, most auditors in our profession spot and fight threats to audit quality. Fraud examiners in other areas of practice can also pitch in by getting to know auditors and their work. Armed with that insight and the ACFE’s anti-fraud tools, more CFEs can give stakeholders reason to believe, once again, that virtually all audits can be trustworthy.

Robert Tie, CFE, is a contributing writer at Fraud Magazine. Contact him at robertxtie@gmail.com.

---

Sarbanes-Oxley Act of 2002 established PCAOB

“The Public Company Accounting Oversight Board was established by the Sarbanes-Oxley Act of 2002 to oversee the audits of public companies in order to protect investors and further the public interest in the preparation of informative, accurate, and independent audit reports.” (See PCAOB 2018 Annual Report, page 1.) Congress passed the act to prevent a recurrence of the devastating accounting scandals at Enron, WorldCom and other giant corporations that collapsed when their auditor-approved financial statements turned out to be wildly and fraudulently inaccurate.”