---

Using Technology to Mitigate Fraud Malpractice Claims

By Richard B. Lanza, CPA-CITP, CFE, PMP

One of the top audit-related malpractice concerns cited today is failure to prevent fraud. This was the focus in the widely publicized WorldCom and Enron cases, and in 35 percent of all audit claims reported to the AICPA’s Professional Liability Insurance program in 2004 (the most recent year available). Unfortunately, malpractice complaints involving fraud are not solely confined to audited financial statements, and need not be materially significant to wind up being damaging to CPAs. CPAs need to be vigilant regardless of the level of engagement, as fraud is at least equally an issue in review, compilation and bookkeeping engagements. Governments and nonprofit organizations, in particular, tend to treat immaterial fraudulent embarrassments as seriously as they do material financial misstatements.

Fortunately for CPAs, there is a wide range of software tools available to help automate the process of fraud detection. A good starting point is www.auditsoftware.net, a site that maintains a comprehensive list of audit software options.

Not So Immaterial

According to the Association of Certified Fraud Examiners’ (ACFE) 2006 study, the median size of an asset misappropriation fraud is $150,000—small enough to be considered immaterial for financial statement audits, and very hard to catch using manual methods, yet still presenting a potential public-relations nightmare for your client. What is most alarming is that, per the study, asset misappropriations/corruption occurs 92 percent of the time, while financial statement fraud occurs only 8 percent of the time. Therefore, while nefarious journal entries to commit fraud can occur, they are not the biggest issue for a CPA looking to detect fraud. Rather, more focus should be placed on what occurs most: the simple act of taking money from the till. Detecting this type of fraud is easier said than done, as the smaller the fraud is in size, the harder to detect using conventional methods.

When in doubt, do not assume that the engagement is low risk, or the issues too minor, or your role in any potential controversy too distant for your firm to escape being implicated in a malpractice claim. The sooner the CPA detects and reports fraud, the more likely their liability will be reduced or eliminated.

Defining ’Reasonably Competent’

For the past several decades, the case of Bancroft v. Indemnity Insurance Co. (1962) has stood as the defining precedent in tax and accounting malpractice. The plaintiff in that case received bad advice, and the court ruled that “Accountants and auditors have the duty to exercise that degree of care, skill and competence that would be exercised by reasonably competent members of their profession under the circumstance.” There is a separate requirement under traditional contract law that amounts to the same thing. Anyone performing a contract is obliged to do so diligently and competently, by the standard of a reasonable person. The basic legal expectation has not changed. But what has changed is what a reasonable, competent professional would actually do. The state of the art in auditing has advanced since 1962. Both internal and external auditors need to take note.

Technological Advancements in Accounting Systems

Advancement first took place in the procedures performed in the engagements. After a study completed by COSO found that, in fully 80 percent of financial statement frauds, the auditor did not gather sufficient evidence to detect the fraud, professional standards needed to be updated. A good starting point was to first allow the word “fraud” to replace the word “irregularities” in standards.Then, from a procedural perspective, the standard of expectation for what should be done in an engagement increased to help a CPA detect fraud.

Other advancements occurred in the use of technology, given that almost all organizations today use computer-based accounting systems. Almost all company records are now computerized, so the auditors’ procedures need to follow suit.

Auditing Standards Catch Up

Increased audit procedures and the ubiquitous nature of computerized records led to the creation of several professional standards. The original Statement on Standards for Accounting and Review Services (SSARS No. 1) was issued by the Accounting and Review Services Committee of the AICPA in 1978. SSARS No. 10, which took effect Dec. 15, 2004, clarified the CPA’s requirement to report fraud in review or compilation engagements. It spells out specific analytical and inquiry techniques that are required in a financial statement review, as well as the requirement to obtain a written representation from management to include their knowledge (or lack of knowledge) of fraud. Nor is SSARS 10 the end. Additional guidance has come in quick succession, in the form of SSARS 12, 13 and 14, all effective Dec. 15, 2005. These extend SSARS requirements to compilation engagements and pro forma statement preparation. They also spell out when and how CPAs must inform management of evidence of fraud.

SAS 99, issued in 2002, updated expectations for how an auditor deals with the possibility of fraud. Among other things, it required brainstorming sessions around fraud, improved risk-assessment planning, increased management inquiries around fraud matters, unexpected audit procedures to mitigate identified risks and improved documentation of the work performed. SAS 99 also specifically listed computer-aided audit techniques (CAATs) as a way to analyze electronic data in the detection process.

SAS 94, issued in 2000, clarified that the auditor needs to understand the manual and automated procedures an entity uses to prepare its financial statements and related disclosures. Auditors are expected to deal with electronic data as required.

The AICPA followed up SAS 94 and SAS 99 with a practice alert in 2003 (PITF 2003-02) that further clarified the data analysis question by specifically listing journal entry tests using CAATs. Chuck Landes, of the AICPA, explained why: “Data analysis tools are coming off the shelf and into the audit. This is most prevalent in auditing journal entries.”

Evolution of Software Auditing Tools

“The need for the tools became apparent when CPAs determined it was difficult to audit the entries without an automated tool,” said Chuck Landes, vice president of professional standards and services at the AICPA. “Again, these systems are generally transaction-focused, so no one is analyzing them for trends and patterns that may highlight fraud. We need to remember that many of the recent headline frauds were journal entries posted multiple times to multiple ledgers. While a manual scanning of the register or a sample may find such an anomaly, the data analysis package has a much better chance.”

While the focus of the audit standards is mainly on financial statement fraud, it is best not to forget that the majority of frauds are misappropriation of assets that are smaller in value. Practically speaking, the only way to detect these “smaller” frauds cost-effectively is with computerized tools that can quickly pour through the details and, hence, detect the proverbial “needle in the haystack.”

As referenced in the Bancroft v. Indemnity Insurance Co. case, in order for a CPA to be considered “reasonably competent” he or she needs to adopt the same procedures that are now practiced by the profession. For example, almost all auditors are now performing the additional procedures set forth in SAS 99. Any auditor not complying would be seen in a juror’s eyes as one not keeping pace with the profession. The same is true for the use of CAATs, as all larger firms are using these tools on every audit, at least to comply with the standards of excellence set forth in PITF 2003-02 around journal entry testing.

Unfortunately, based on research by the author on small and mid-sized CPA firms, such procedures are not taking place in a computerized fashion, except for the occasional audit.

Steps to Mitigating Malpractice Claims

Other Best Practices

Remember to test for circumvention of controls using manual and automated procedures.

When controls are strong, companies unfortunately become too comfortable with them and rarely do they think further on “what can go wrong” in an effort to break the control. As noted above, only 19.2 percent of fraud was detected by internal control, and no one wants to be right only one time in five. Therefore, control tests should focus not only on whether the control exists and is operational, but also on circumvention. For example, journal entry controls could be tested by selecting a sample and ensuring that approval signatures existed on any material entries (as defined by the organization). To test them for circumvention, multiple entries posted to the same account directly under the material threshold could be reviewed in order to determine whether such entries were posted in unison to have a material effect on the account yet not require associated approvals.

From an asset misappropriation perspective, it is common at clients for one person to have a nonsegregation of duties around accounts payable. Nonsegregation of duties could be an employee’s having access to write checks, maintain accounting records and complete the monthly bank reconciliation. This weakness is normally coupled with management’s misguided perception that this trusted employee would never steal from the organization.

While you may include this as a management letter comment, the client may never change, given their lack of employees. As an extra step to show enhanced due diligence, the CPA could execute a data analysis test exporting the vendor payment information and creating a simple Pivot Table in Microsoft Excel, with the rows being each vendor, the columns the month/year of payments, and the cells in between the total payments made to the vendors in the associated timeframes. Such a trend report has an excellent chance of catching the fraud, as it looks at vendor payment data in unexpected ways. Any disproportionately increasing vendor trends could be investigated, or at least reported to management for their review.

Utilizing Technology to Improve Audit Tests

The above journal entry and vendor payment trend tests would be difficult or impossible to complete without the use of a data analysis program. The issues lie in the 1 percent of the transaction activity which begs for the use of digital tools for detection. If your firm is not skilled in these tools, consult with an expert to assist on engagements until you feel comfortable. Another approach is to simply start small and work upward with the tools.

Using software for data analysis has many advantages apart from being the new standard to avoid malpractice. (See the article on page 7 for more specific information on data analysis)

Today, software options range from high-end enterprise data-mining applications costing $250,000 to implement, to easy-to-learn individual laptop tools for $200 or less. There is something out there for everyone. This fact further heightens malpractice risk if the tools are not employed. It is too easy for a juror in a malpractice case to see that tools as simple as Microsoft Excel could have been used to detect the fraud, especially when the tools’ use is specifically identified in numerous audit standards discussed above.

The most common data-analysis tools in audits today are IDEA and ACL. These cost a few thousand dollars to purchase and implement, but they can quickly pay off in terms of data errors corrected, duplicate payments found and embarrassing client complaints averted. They are especially powerful for accessing strange client data formats and building scripts to repeat the same analysis every month or every quarter.

If a few thousand dollars is too expensive for your taste, spreadsheet software remains the most commonly used tool, and it is possible to do a lot of analysis just with Microsoft Excel. Please see www.auditsoftware.net/excel-use.html for a free white paper on how Excel can complete almost any audit test capable of being performed in high-end audit software tools.

Public Perception Is Reality

Right or wrong, the CPA is still perceived as a valid line of defense against fraud, material and immaterial, and therefore needs to detect as much fraud as possible. Ultimately, the only way to avoid being accused of malpractice is not to engage in malpractice. But by being aware, being proactive and utilizing technology, CPAs can be prepared to defend against or totally mitigate these types of claims.

Richard B. Lanza, CPA-CITP, CFE, PMP, is president of Audit Software Professionals, in Lake Hopatcong, N.J., and provides audit technology assistance to companies. He focuses much of his time in developing computerized audit and fraud tests. He can be reached at rich@auditsoftware.net.

Home | Print Story | E-mail Story