Responsibilities with Respect to Fraud: A Possible Shift?
Nicholas Apostolou and D. Larry Crumbley
FEBRUARY 2008 - Public
companies are required to prepare and issue financial statements
that fairly reflect their performance. The SEC requires companies
whose shares are publicly traded to obtain an audit by an independent
auditor. The audit involves an examination to assess whether the
financial statements and accompanying notes present fairly a company’s
financial position, results of operations, and cash flows in accordance
with generally accepted accounting principles. Once this examination
is made, the auditor is required to render an opinion. According
to the standards adopted by the Public Company Accounting Oversight
Board (PCAOB), AU section 110.02, (Responsibilities and Functions
of the Independent Auditor) states: “The auditor has
a responsibility to plan and perform the audit to obtain reasonable
assurance about whether the financial statements are free of material
misstatement, whether caused by error or fraud.”
fraud continues to be a pervasive problem. The Association of
Certified Fraud Examiners’ (ACFE) 2006 “Report to
the Nation on Occupational Fraud and Abuse” estimated that
a typical organization loses 5% percent of its annual revenues
to fraud, or about $4,500 per employee each year. Pricewaterhouse-Coopers’
2005 “Global Economic Survey” disclosed a dramatic
increase in the number of companies reporting fraud as compared
with its 2001 and 2003 results.
of financial statements almost doubled from 2004 (616) to 2005
(1,195), representing almost 8.5% of U.S. publicly traded companies.
In 2006, restatements totaled 1,420, representing one out of every
10 public companies. The 2006 total is 12 times higher than in
1997, according to statistics compiled by Glass, Lewis & Co.
(2003–2006) and Huron Consulting (1997–2002). The
top three areas responsible for restatements were equity, revenue
recognition, and misclassification.
the number of shareholder class-action lawsuits has trended downward
in the past several years, the settlements have become much larger.
At the peak of Fannie Mae’s restatement efforts, it was
spending $50 million a month on outside accounting services. It
had 2,000 contractors working on restatement-related matters,
along with 400 employees from its controllers’ organization
(Roy Harris, “Say Again,” CFO, April 2007).
involve a lack of adequate internal controls (opportunity), the
need to maintain an expensive lifestyle or pressure to meet goals
(incentive), and the perpetrators’ lack of awareness that
their actions are wrong (self-rationalization) or simple lack
of integrity (see Grace Duffield and Peter Grabosky, “The
Psychology of Fraud,” Australian Institute of Criminology,
no. 199, March 2001). Some fraudsters, however, wish to make fools
of their victims. They take delight in the fraud act itself. Three
Duke Energy employees illustrate how this incentive factor can
work. These employees were charged in April 2004 for allegedly
creating phony electricity and material-gas trades to boost trading
volumes, thus inflating profits in a trading book that was the
basis of their annual bonuses. This trading scheme inflated their
bonuses by at least $7 million between March 2001 and May 2002
(Rebecca Smith, “Former Employees of Duke Charged Over Wash
Trades,” Wall Street Journal, April 22, 2004, p.
awareness of both fraud and the importance of transparent financial
reporting has spurred the concern of regulatory bodies, as well
as the accounting profession. Below is a discussion of two recent
reports regarding the audit function and, more specifically, the
responsibility of the auditor with respect to fraud.
22, 2007, the PCAOB issued a report titled Observations on
Auditors’ Implementation of PCAOB Standards Relating to
Auditors’ Responsibilities with Respect to Fraud (PCAOB
Release No. 2007-001). The auditor’s responsibility is principally
defined in AU section 316 (Consideration of Fraud in a Financial
Statement Audit). In Release 2007-001, the PCAOB emphasized that
it was not changing or proposing to change any existing standard.
Based upon observations made during its inspection of audit work,
the PCAOB believes that a further explication of the standards
that relate to fraud would be constructive. The report can be
divided into five sections:
overall approach to the detection of financial fraud;
brainstorming sessions and fraud-related inquiries;
response to fraud risk factors;
statement misstatements; and
associated with management override of controls.
Overall Approach to the Detection of Financial Fraud
316.52 discusses changing the nature, timing, and extent of auditing
procedures needed to address identified risks of material misstatement
due to fraud. These changes are described by the PCAOB as follows:
- The nature
of auditing procedures may require obtaining evidence that is
more reliable or verifiable. For example, computer-assisted
audit techniques might provide corroborative evidence about
- The timing
of substantive tests might need to be adjusted. For example,
substantive testing might be of particular value in assessing
the risk of material misstatement due to fraud on or near the
- The extent
of the procedures employed should reflect the assessment of
the risk of material misstatement due to fraud. For example,
increasing the sample size might be appropriate.
of the PCAOB’s concern, as expressed in Release 2007-001,
is that its inspection teams have observed that auditors often
obtain reasonable assurance of risk mitigation by checking off
items on standard audit programs and checklists. One author of
this article has heard of an external auditor giving the walkthrough
checklist to an employee of the company and asking the employee
to fill it out. Release 2007-001 states that PCAOB standards require
additional documentation to confirm the performance of required
audit procedures. Furthermore, the lack of sufficient documentation
makes it difficult for senior members of audit engagement teams
to properly review the procedures performed by other members.
Finally, the PCAOB inspection teams expressed concern about audit
procedures being applied mechanically, rather than the audit plan
being modified in accordance with risk detection.
Sessions and Fraud-Related Inquiries
316.14–17 discusses how an effective audit team should conduct
an audit. AU section 316.14 discusses auditors’ planning,
including a consideration by the audit team of the potential for
material misstatement due to fraud. The discussion should include
an exchange of ideas or “brainstorming” among team
members about the susceptibility of the financial statements to
material misstatement due to fraud, and the role of management
in perpetrating and concealing fraudulent financial reporting.
This discussion should alert the audit team to how fraud might
be perpetrated and concealed based upon both the general and the
client-specific knowledge of members of the team.
316.15-–16 emphasizes how important it is that audit team
members have a questioning mind. The auditors should be aware
of the management’s incentives to commit fraud as well as
the opportunity for fraud to be perpetrated. This evaluation requires
an awareness of the culture and environment of the firm that might
enable management to
rationalize committing fraud. Furthermore, audit team members
should be diligent in obtaining appropriate evidence to support
316.17 discusses the involvement of audit team members in an engagement.
The PCAOB makes clear that key members of the audit team must
be involved in discussions and brainstorming sessions that evaluate
the potential for material misstatement due to fraud. AU section
316.17 also specifies some factors that will influence the extent
of the audit team’s discussions and how they should occur.
For audits involving more than one location, the PCOAB suggests
multiple discussions with team members in differing locations.
Specialists assigned to the team should be included in brainstorming
sessions that continue throughout the audit.
steps outlined in paragraphs AU section 316.15–17 are critical
to an effective audit. PCAOB inspection teams have, however, noted
instances of failures to comply with the standards. For example,
PCAOB inspectors have “(1) identified audits in which the
audit team was unable to demonstrate that brainstorming sessions
were held; (2) identified audits in which the audit teams’
brainstorming sessions occurred after planning and after substantive
fieldwork had begun; and (3) identified audits in which key members
of the audit team did not attend the brainstorming sessions”
(PCAOB Release 2007-001, p. 5).
Response to Fraud Risk Factors
316.48 describes an auditor’s response to risks of material
misstatement due to fraud in the following ways:
- A response
that has an overall effect on how the audit is conducted—that
is, a response involving more general considerations apart from
the specific procedures otherwise planned.
- A response
to identified risks involving the nature, timing, and extent
of the auditing procedures to be performed.
- A response
involving the performance of certain procedures to further address
the risk of material misstatement due to fraud involving management
override of controls, given the unpredictable ways in which
such an override could occur.
response to risk assessment involves procedures that are not predictable,
such as modifying the assignment of personnel, the degree of supervision,
and selecting auditing procedures. The auditor can respond to
specifically identifiable risks of material misstatement such
as significant related-party transactions (e.g., shifting debt
to special purpose entities, as done by Enron) by changing the
nature, timing, and extent of auditing procedures.
observed instances of auditors “failing to respond appropriately
to identified fraud risk factors” (Release 001, p. 6). The
PCAOB also noticed instances in which there was no evidence that
auditors had considered any associated fraud risk factors for
transactions that the PCAOB considered questionable.
auditor’s procedures detect misstatements in the financial
statements, the auditor should document the nature and effect
of the misstatements (AU section 316.52) and evaluate whether
the misstatements might be indicative of fraud (AU section 316.75).
inspectors noted the improper calculation of the threshold for
posting proposed audit adjustments to a summary schedule (Release
2007-001, p. 7). Because the summary schedule was incomplete,
the PCAOB inspectors noted that certain uncorrected misstatements
were not properly evaluated. Consequently, the auditors failed
to determine whether these departures from GAAP were indicative
Associated with Management Override of Controls
316.08 recognizes that management has a unique ability to perpetrate
fraud as a result of being in a position to directly or indirectly
manipulate accounting records and present fraudulent financial
information. It notes: “Fraudulent financial reporting often
involves management override of controls that otherwise may appear
to be operating effectively.” To address the risk of management
override of controls, AU section 316 requires auditors to perform
certain procedures, such as checking journal entries and other
adjustments and reviewing accounting estimates for possible biases
that could result in material misstatement due to fraud. PCAOB
inspection teams noted cases in which it did not appear that the
auditor had properly addressed the risk of management override
of controls with respect to “top drawer” journal entries
and accounting estimates.
Rite Aid’s management directed its accounting staff to make
improper adjusting entries to reduce cost of goods sold and accounts
payable in every quarter from the first quarter of fiscal year
1997 through the first quarter of fiscal year 2000. These entries
had no substantiation, and were intended purely to manipulate
Rite Aid’s reported earnings. As a result of these entries
alone, Rite Aid overstated pretax income by $100 million in the
second quarter of fiscal year 1999 (www.sec.gov/news/press/2002-92.htm).
specific entries and other adjustments, and the support for them,
auditors should consider several important issues:
risk factors that might help identify specific classes of journal
entries for testing, such as entries made by unauthorized personnel
or personnel who do not ordinarily wake journal entries; or
entries that lack detailed explanations or other supporting
- The characteristics
of fraudulent entries, including entries made at unusual times,
such as nights, weekends, or holidays, and entries made to intercompany
or suspense accounts; and
journal entries that might not be subjected to the same level
of internal control as recurring journal entries—for instance,
entries at the close of quarterly and annual reporting periods
and those that are part of the post-closing process. (Release
2007-001, p. 8).
Most of the
original entries in the WorldCom fraud were initially correct,
but later topside entries moved the expenses into asset accounts.
In the HealthSouth fraud, where there were at least 2,000 ledgers,
most of the fraudulent entries occurred in the intercompany entries.
The major entry was a debit to the suspense account with a credit
to revenues. The suspense account was later closed, and asset
accounts were established with a credit from the suspense account.
The external auditors did not catch on to this financial engineering.
After a fraud,
the forensic work can be expensive. During 2005, 2004, and 2003,
professional fees associated with the reconstruction of HealthSouth’s
financial records and restatement of 2001 and 2002 approximated
$206.2 million and $70.6 million, respectively.
financial reporting often is accomplished by intentionally biasing
assumptions and judgments used to estimate account balances (AU
section 316.63). For example, if the effect of each individual
estimate, although reasonable, were to increase income, the auditor
should further evaluate the estimates taken as a whole. Furthermore,
management can manipulate income by distorting accounting estimates,
such as not recognizing losses due to the asset impairment, or
overestimating estimates in one period so that the estimates can
be reversed in later periods to manage earnings (e.g., cookie-jar
accounting). Examples of such estimates include the allowance
for bad debts, pension estimates, and restructuring reserves.
revealed that “some auditors have failed to test, or failed
to document their testing of, management’s assumptions and
other aspects of issuers’ accounting estimates. The inspection
teams also noted that some auditors failed to assess, or failed
to include in their audit documentation evidence that they had
assessed whether the overstatement or understatement of accounting
estimates indicated a bias in management’s estimates that
could result in material misstatements due to fraud” (Release
2007-001, p. 10).
Capital Markets and the Global Economy
in November 2006, Global Capital Markets and the Global Economy:
A Vision From the CEOs of the International Audit Networks
represents the views of the CEOs of the six leading international
audit firms: Pricewaterhouse-Coopers, Grant Thornton, Deloitte,
KPMG, BDO, and Ernst & Young. The Global Capital Markets
report represents a comprehensive discussion of how public
company auditing procedures must adapt to better serve capital
markets around the world. The report identifies six vital elements:
needs for information are well defined and met;
- The roles
of the various stakeholders in those markets (preparers, regulators,
investors, standards setters, and auditors) are aligned and
supported by effective forums for continuous dialogue;
- The auditing
profession is vibrant, sustainable, and provides sufficient
choice for all stakeholders in these markets;
- A new
business-reporting model is developed to deliver relevant and
reliable information in a timely way;
collusive frauds are more and more rare; and
is reported and audited pursuant to globally consistent standards.
identifies no single issue “as the subject of more confusion,
yet is more important, than the nature of the obligation of auditors
to detect fraud—or intentional material misstatement
of financial information by public companies.” The report
emphasizes how essential it is that all parties engaged in business
reporting adopt appropriate procedures and policies to prevent
and detect fraud. However, it claims that there is an “expectations
gap” between what various stakeholders believe should be
done to detect fraud and what auditors are actually doing because
of the fees that companies are willing to pay for audits. The
expectations gap occurs because many investors and policy makers
expect auditors to detect all fraud, and if they do not, the auditors
are “presumed to be at fault.” The report suggests
“a constructive dialogue among investors, other company
stakeholders, policy makers and our own professionals about what
should be done to close or at least narrow the ‘expectations
gap’ relating to fraud.”
As the report
states, SAS 99 (the source of AU 316) and its international counterpart
(IAS 240) provide similar directions to auditors with respect
to fraud. Both require auditors to approach their task with a
healthy degree of skepticism. Furthermore, both present specific
requirements for auditors to follow, which can be summarized as
a company’s internal controls and procedures, and how
these are actually implemented, when planning the audit;
and conducting audit procedures to respond to the risk that
management could override internal controls and procedures;
specific risks where fraud may occur;
whether any misstatement uncovered during the audit may be indicative
fraud-related written representations from management; and
with appropriate managers and the board if the auditor finds
an indication that fraud may have occurred.
Symbol Technologies, Inc., engaged in a number of channel-stuffing
techniques. The company arranged transactions to make it appear
that Symbol was selling products, but it would simultaneously
eliminate the resellers’ obligation to pay for the products.
resellers typically did not need and often could not afford to
pay for the products they ordered, but Symbol negated any risk
to the resellers by granting them contingent payment terms and
unconditional return rights. Furthermore, the resellers did not
have to pay Symbol unless and until they resold the product and
received payment from an end user. The resellers also had the
right to return any unsold product to Symbol at no cost. These
special terms did not appear anywhere in the purchase orders or
resulting invoices, which simply recited Symbol’s standard
“net 45 day” payment terms. Side agreements also superseded
the stock rotation terms that Symbol normally granted to channel
partners in its standard contracts, which did not permit unlimited
returns and in many circumstances charged a restocking fee.
emphasize that even if auditors follow all these guidelines, a
sound audit may not uncover fraud, especially if that fraud is
perpetrated by senior management. Both financial statement fraud
and misappropriation of assets involve intent and deception. Financial
statement fraud is difficult to catch because it is often perpetrated
by highly motivated, clever teams of knowledgeable managers with
the capacity to persuade or intimidate both their own employees
and their auditors. Financial statement audits involve extensive
complexity spread across time, people, geography, and economic
settings (see R.J. Nieschewietz, “Empirical Research on
External Auditors’ Detection of Financial Statement Fraud,”
Journal of Accounting Literature, vol. 19, 2000, p. 236).
At least 40 individuals knew of or were involved in the massive
challenge of detecting fraud, the Global Capital Markets
report offers additional ideas for enhancing fraud detection.
Without embracing any of the ideas, the authors of the report
believe these ideas have sufficient merit and should be debated
all public companies to a forensic audit on a regular basis.
A forensic audit is the most aggressive and costly way to detect
fraud. A forensic audit is a much more detailed audit involving
the evaluation of all company records and the questioning of
all company employees. Public companies would be required to
undergo a forensic audit on a regular basis (e.g., every three
to five years).
all public companies to a forensic audit on a random basis.
A less costly version of the preceding proposal would be to
subject a sample of public companies to a forensic audit on
a random basis. Although this recommendation might uncover fewer
frauds, the possibility of being scrutinized in such detail
could have a significant deterrent effect.
choice-based options. Another possibility would be to enlist
more participants in selecting the intensity of the audit for
fraud. As an example, the report suggests the possibility of
investors deciding on the type of fraud detection effort they
want the auditors to perform. The shareholders could base this
decision on information presented to them regarding the costs
of the different types of audits as well as the historical experience
of the company with respect to fraud. Alternatively, the board
of directors or the audit committee could decide on the intensity
level of fraud detection.
audit may be significantly more expensive and time-consuming than
regular audit work. Whereas a financial audit is a sampling activity
that does not look at every transaction, a forensic audit focuses
on a specific aspect of the books and may examine each item. According
to Jake Poinier (“Fraud Finder,” Future Magazine,
Fall 2004), “[W]hile the average accountant is trying to
make everything add up, a forensic accountant is performing a
detailed financial analysis to find out why everything doesn’t
or shouldn’t add up.”
Horton of the forensic accounting firm L. Horton & Associates
in Kingston, R.I., says that in investigative accounting you are
“looking for one transaction that will be the key. The one
transaction that is a little different, no matter how small the
difference, and that will open the door” (H.W. Wolosky,
“Forensic Accounting to the Forefront,” Practical
Accountant, February 2004.)
DiPasquale, a partner with the Business Investigations Group in
the Parsippany, N.J., office of J.H. Cohn, says that forensic
accounting “is a very competitive field. What is interesting
is that you may be a good accountant, but not a good forensic
accountant. The training and the way you look at transactions
are different” (Wolosky, 2004). Horton suggests that “forensic
accounting is very different from auditing in that there is no
template to use. There are no set rules. You don’t know
when you go into a job how it is going to be” (Wolosky,
When an audit
turns into a forensic investigation, auditors must comply with
the litigation services standards. Although auditors should use
professional skepticism, a forensic accountant is often trying
to establish scienter; that is, trying to prove “intent”
on part of the fraudster. Horton cautions that, unlike auditing,
lower-level staff often cannot be used for a forensic engagement.
“They normally will not spot anything out of the ordinary,
and an experienced person should be the one testifying as well
as doing the investigative work.”
to be a prominent issue commanding the attention of regulators
as well as of the accounting profession. The auditor’s concern
is that the financial statements of a company be stated fairly
in all material respects. Because auditors cannot evaluate every
transaction of a company, they have to make judgments and decisions
dictated by a risk assessment and cost-benefit analysis. Both
regulators and stakeholders are strengthening the role of auditors
in the deterrence and detection of fraud. The discussion above
represents regulators’ current view of auditors’ performance
in detecting fraud as well as a discussion by our most prominent
auditors of their role in fraud deterrence and detection.
Apostolou, DBA, CPA, is the U.J. LeGrange Professor of
D. Larry Crumbley, CPA, Cr.FA, CFFA, FCPA, is the KPMG
Endowed Professor, both in the department of accounting, Louisiana
State University, Baton Rouge, La.