Contrary to what many think, the typical audits of financial statements do entail certain responsibility for the detection of fraud. The author examines the differences between the conventional audit and the fraud audit, addressing some common misapprehensions and emphasizing some similarities. In his opinion, it is the duty of all auditors to be on the lookout for fraud.
* * *
When an auditor has failed to detect a massive misstatement of financial statements caused by fraud, the defensive refrain is often that “an audit of financial statements is not a fraud audit.” In this author’s view, this comparison improperly implies that an auditor of financial statements has no responsibility to detect fraud and erodes the public’s confidence in the quality and usefulness of independent audits. It can also mislead those evaluating the auditor’s conduct after a major undetected fraud, such as boards of directors and audit committees considering reappointment, judges and juries deciding liability, and even audit firms themselves evaluating their own culpability and determining whether firm policies and procedures ought to be revised.
There is even greater significance for the integrity of the audit process; if the audit team’s view is that detecting fraud is not really an auditor’s job, then compliance with the requirements of auditing standards on fraud detection may become a rote exercise and not a focus of the audit. The purpose of this article is to clarify the true differences between an audit of financial statements and a fraud audit, and to dispel some of the myths that surround comparisons of them. This article is not an attempt to fully explain or even summarize all aspects of fraud examinations and audits; rather, the focus is to explain how the responsibility to detect fraud differs between the two services.
The Auditor of Financial Statements Has a Fraud Detection Responsibility
It is indisputable that an auditor of financial statements has a fraud detection responsibility. Auditing Standard (AS) 1001, Responsibilities and Functions of the Independent Auditor, clearly states that “the auditor has a responsibility to plan and perform the audit to obtain reasonable assurance about whether the financial statements are free of material misstatement, whether caused by error or fraud. Because of the nature of audit evidence and the characteristics of fraud, the auditor is able to obtain reasonable, but not absolute, assurance that material misstatements are detected.” A fair reading of this conceptual description of responsibility is that the auditor is required to obtain reasonable assurance that frauds which materially misstate the financial statements are detected. In other words, it is clearly a responsibility related to detection.
The auditing standards describe reasonable assurance as a “high level of assurance” that is obtained when the auditor has obtained sufficient appropriate evidence to reduce the risk that financial statements are materially misstated to an “appropriately low level” (AS 1015.10 and 1101.2). In other words, there should be an appropriately low level of risk that a fraud which materially misstates the financial statements will not be detected.
Some auditors maintain that they have no responsibility to detect fraud. It is true that the auditor is not responsible for detection of all fraud; for the auditor to have any detection responsibility, the fraud must misstate the financial statements, and the misstatement must be material. The only other relevant stipulation is that the level of assurance of detection is not absolute, and the auditor is not necessarily at fault just because the audit failed to detect a material misstatement. No professional, however, provides a guarantee of success in providing a professional service, including the service that is sometimes mistakenly called a “fraud audit.”
The two organizations that establish auditing standards in the United States—the PCAOB and the AICPA—have highlighted the importance of the auditor’s fraud detection responsibility. The PCAOB, for example, has stated that “the auditor’s responsibility with respect to detection of a material misstatement caused by fraud is an important focus of the Board … the auditor should … assess risks and apply procedures directed specifically to the detection of a material, fraudulent misstatement of financial statements … the detection of a material misstatement in the financial statements caused by fraud is an essential element of an audit” (PCAOB Release 2007-001, Observations on Auditors’ Implementation of PCAOB Standards Relating to Auditor’s Responsibilities With Respect to Fraud, Jan. 22, 2007, http://bit.ly/2CX6DeE). The AICPA’s Board of Directors has also stated that “the public looks to the independent auditor to detect fraud, and it is the auditor’s responsibility to do so” (Meeting the Financial Reporting Needs of the Future: A Public Commitment from the Public Accounting Profession, June 1993).
Key Differences Between Auditors and Fraud Examiners
The “fraud audit” is not a defined term or defined professional service; what is likely meant by this term is a fraud investigation or examination. The Association of Certified Fraud Examiners (ACFE) explains that the term “fraud examination” “refers to a process of resolving allegations of fraud from inception to disposition, and it is the primary function of the anti-fraud professional” (2017 Fraud Examiners Manual). Earlier (pre-2014) editions of the manual contained an oft-cited chart comparing an audit of financial statements to a fraud examination. That chart compared auditing versus fraud examination on the basis of timing, scope, objective, relationship, methodology, and presumption. This comparison’s primary shortcoming was its failure to probe how the two services differ with respect to responsibility for fraud detection or acknowledge the auditor’s own detection responsibilities. For example, the objective of an audit was described as “expressing an opinion on financial statements or related information,” while a fraud examination’s goal was “to determine whether fraud has/is occurring and to determine who is responsible.” These descriptions are accurate as far as they go, but omit that auditing has the objective of detecting material misstatement of the financial statements caused by fraud. Because both services involve some level of responsibility for fraud detection, a meaningful comparison must differentiate the services within that area of overlap.
It is not that the fraud examiner and auditor perform similar services, or have equivalent responsibility for fraud detection; the services are distinctly different, and are planned and performed to accomplish unique purposes. Rather, both have a responsibility to detect fraud, and the differences in the nature of that responsibility do not provide an excuse for an auditor’s failure to obtain reasonable assurance of detecting a material misstatement due to fraud.
The Fraud Examiners Manual advises that “fraud examiners should begin a fraud examination only when there are circumstances that suggest a fraud has occurred, is occurring, or will occur, and they should not investigate beyond the available predication.” In other words, a fraud examination is undertaken when a fraud is known, alleged, or suspected. An audit of financial statements is undertaken with a different mindset; suspicion of fraud is not necessary. The audit team is required to identify how and where the financial statements may be susceptible to material misstatement due to fraud, and the auditor is directed to “conduct the engagement with a mindset that recognizes the possibility that a material misstatement due to fraud could be present regardless of any past experience with the entity” (AS 2401.13–.18).
The notion that the auditor was not required to perform procedures directed at detection of fraud unless circumstances aroused the auditor’s suspicions that fraud was occurring was articulated in auditing standards in 1960, was reversed to an extent in 1977, and consigned to the dustbin of history in 1988. The conceptual description of the level of fraud detection responsibility has not changed since then, but the performance requirements directed specifically at detection of fraud have increased. For example, many of the required procedures in current auditing standards are forensic in nature and similar to those used by fraud examiners: “Such procedures involve the performance of substantive tests of the application of methods and techniques that presume dishonesty at various levels of management, including override of controls, falsification of documents and collusion” (Forensic Services, Audits, and Corporate Governance: Bridging the Gap, AICPA Discussion Memorandum, July 15, 2004, http://bit.ly/2EC3JwB).
The basic goal for most fraud examinations is to determine whether fraud occurred, and if so, who perpetrated it. A particular engagement may, however, have additional goals, such as to establish and secure evidence to be used in a criminal or other disciplinary action or to provide proof to recover losses from an insurer (2017 Fraud Examiners Manual). The objective in an audit of financial statements is to determine whether they are free of material misstatement, regardless of whether that misstatement is intentional or not; in other words, a fraud examiner’s priority is proving the nature and extent of a particular fraud, but an auditor’s focus is detecting material misstatements. Implicit in this difference are several other naturally resulting differences related to scope, methodology and professional standards, and the relationship to stakeholders.
An auditor’s scope is the complete set of financial statements presented, but a fraud examiner’s is established by the specific allegations of fraud, targeted to specific accounts implicated by the predication, and has the objective of resolving the allegations by obtaining evidence that proves or disproves fraudulent activity. The boundaries or extent of a fraud examiner’s investigation may be limited to a specific subject matter, department, or geographic area at issue (2017 Fraud Examiners Manual). An auditor’s selection of significant accounts to examine is based on the assessment of the risks of material misstatement caused by either fraudulent activity or unintentional misstatement. Accordingly, an auditor’s work is significantly affected by the concept of materiality, but a fraud examiner’s scope is not so constrained. In addition, in areas of the financial statements that are judged to be less susceptible to material misstatement due to fraud, an auditor is more likely to select a representative sample to reach audit conclusions.
Methodology and applicable professional standards.
The auditor of a public company’s financial statements is required to adhere to all applicable PCAOB standards, and may be subject to a PCAOB disciplinary proceeding for failure to meet those standards, as well as actions by other regulators or private parties (PCAOB Rule 3100 and PCAOB Release 2003-009). For all other entities, the applicable auditing standards are those issued by the AICPA. Because audit reports on financial statements of nonpublic entities typically represent that the auditor complied with AICPA auditing standards, alleged violations of those standards may be subject to disciplinary actions by the AICPA, state boards of accountancy, other relevant regulators, and private litigation.
The ACFE has issued a Code of Professional Ethics for fraud examiners and a Code of Professional Standards, but fraud examiners need not represent conformity with these standards in their reports, nor is the issuance of a written report mandatory (2017 Fraud Examiners Manual). Members of the AICPA who provide fraud examination services are also expected to adhere to relevant rules of the AICPA Code of Professional Conduct and the consulting standards, but these guidelines lack the specificity and detail of auditing standards.
A significant aspect of the role of professional standards with respect to fraud detection responsibilities is that an auditor cannot contract away responsibility to adhere to the auditing standards. When an auditor represents that the audit has been performed in conformity with auditing standards, no provision in an engagement letter can alleviate the duties imposed by the standards. In contrast, a fraud examiner can reach an understanding with the client (or employer) about the scope and limitations of the fraud examination that limits the area at issue and establishes the boundaries or extent of the investigation (2017 Fraud Examiners Manual).
The distinction between an audit and a fraud examination is sometimes presented in engagement letters in a misleading manner. Audit engagement letters typically state that there is some risk that an audit in accordance with auditing standards may not detect a material misstatement caused by error or fraud. This is accurate because, as alluded to earlier, an auditor does not obtain absolute assurance. Sometimes, however, this statement is followed by a statement that if the client wants assurance of fraud detection, additional fraud services can be provided. This second statement is misleading because it implies an audit does not provide any assurance of detection of material misstatements caused by fraud. It is also misleading concerning the nature of a fraud examination engagement, because it incorrectly implies that a fraud examination is an all-purpose search for any and all fraudulent activity. Furthermore, a fraud examination is not a guaranty that provides assurance that fraud will be detected. The ACFE, for example, recommends that a fraud examination engagement letter state, “We cannot provide assurances that fraud, if it exists, will be uncovered as a result of our examination” (2017 Fraud Examiners Manual).
Relationship to stakeholders.
An auditor of financial statements has a unique relationship with a wide group of stakeholders. The SEC has stated that the federal securities laws make independent auditors “gatekeepers” to the public securities markets and has endorsed the Supreme Court’s formulation that the independent auditor assumes a public responsibility and owes “ultimate allegiance” to the investing public (SEC Release 33-7870, November 2001).
CPAs have generally viewed the Supreme Court’s characterization of the independent audit as involving a public responsibility as applicable to audits of both public companies and of other entities (see, e.g., Advisory Panel on Auditor Independence, “Strengthening the Professionalism of the Independent Auditor,” AICPA, 1994). The AICPA Code of Conduct expects CPAs to “serve the public interest” and “honor the public trust,” and the AICPA’s auditing standards acknowledge that the purpose of an audit of financial statements is to provide users with an opinion that “enhances the degree of confidence that users can place in the financial statements” (AUC-200.04).
Fraud examiners have a different relationship to stakeholders; they are engaged by the defrauded organization, and that organization sets the extent of the investigation. The fraud examiner reports the results of the investigation to those designated by the contract with the client; the examiner’s report may be oral or written, and is tailored to the needs of the party requesting the report. Fraud examiners’ reports submitted in judicial or administrative proceedings may be used by parties outside of the client, such as attorneys, defendants, plaintiffs, witnesses, juries, judges, or the media. Thus, fraud examiners do have public interest responsibilities when their reports are used by parties other than the client. Nevertheless, the large variety of users of audited financial statements who depend upon those statements for economic decision making significantly distinguishes fraud examinations from audits.
There are several matters that are often cited as important differences between fraud examinations and audits that are matters of degree only, and not fundamental distinctions.
The differences between audit techniques and fraud examination techniques are not nearly as great as commonly stated or assumed. The auditing standards regarding confirmation of receivables and observation of inventories were initially adopted in response to a major undetected collusive fraud (Statement on Auditing Procedure 1, “Extensions of Auditing Procedure,” 1939, http://bit.ly/2DIdSbR). The current auditing standard on auditors’ responsibility for detection of fraud has many required procedures directed specifically at fraud detection, including brainstorming possible ways the auditor can be deceived in order to plan an appropriate response and performing procedures intended to detect the occurrence of management override and revenue-related fraud.
Forensic Procedures Recommended in Auditing Standards
- Obtaining evidential matter from independent sources outside the entity such as public record information (AS 2401.52 and AU-C 240.A76).
- Contacting outside sources, such as major customers and suppliers, orally in addition to sending written confirmations (AS 2401.53 and AU-C 240.A76).
- Performing procedures, such as observing inventories or counting cash on a surprise or unannounced basis or at unexpected locations (AS 2401.53 and AU-C 240.A76).
- Testing an entire population instead of a sample using computer assistance (AS 2401.52 and AU-C 240.A7).
- Assigning forensic specialists to the engagement (AS 2401.50 and AU-C 240.A39).
- Performing a computerized match of the vendor list with a list of employees to identify matches of addresses or phone numbers (AU-C 240.A76).
- Performing a computerized search of payroll records to identify duplicate addresses, employee identification or taxing authority numbers, or bank accounts (AU-C 240.A76).
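The last two procedures in this list can be sketched in a few lines of Python. This is an added example, not part of the original article or of any auditing standard; the record layout, field names, abbreviation table, and sample vendor and employee records are all constructed assumptions.

```python
import re
from collections import defaultdict

# Assumed abbreviation table so "48 Elm St. Apt 2" and
# "48 Elm Street, Apartment 2" normalize to the same string.
ABBREV = {"st": "street", "apt": "apartment", "ave": "avenue",
          "rd": "road", "ste": "suite"}

# Constructed sample master files (fictional names, numbers and accounts).
VENDORS = [
    {"id": "V001", "address": "12 Oak Street, Suite 4, Springfield",
     "phone": "(555) 010-2000"},
    {"id": "V002", "address": "48 Elm St. Apt 2, Springfield",
     "phone": "555.010.7788"},
    {"id": "V003", "address": "900 Harbor Road, Shelbyville",
     "phone": "555-010-3131"},
]
EMPLOYEES = [
    {"id": "E100", "address": "48 Elm Street, Apartment 2, Springfield",
     "phone": "+1 555 010 4400", "bank": "TEST-0001"},
    {"id": "E101", "address": "7 Pine Avenue, Springfield",
     "phone": "555 010 3131", "bank": "TEST-0002"},
    {"id": "E102", "address": "3 Birch Lane, Shelbyville",
     "phone": "555 010 9090", "bank": "TEST-0001"},
]


def norm_address(text):
    """Lowercase, drop punctuation, expand common abbreviations."""
    tokens = re.sub(r"[^a-z0-9]+", " ", text.lower()).split()
    return " ".join(ABBREV.get(tok, tok) for tok in tokens)


def norm_phone(text):
    """Keep digits only and compare on the last ten (ignores country code)."""
    return re.sub(r"\D", "", text)[-10:]


NORMALIZERS = {"address": norm_address, "phone": norm_phone}


def vendor_employee_matches(vendors, employees):
    """Return (vendor_id, employee_id, field) for every shared address/phone."""
    index = defaultdict(list)
    for emp in employees:
        for field, norm in NORMALIZERS.items():
            key = norm(emp[field])
            if key:  # blank fields must not match each other
                index[(field, key)].append(emp["id"])
    hits = []
    for ven in vendors:
        for field, norm in NORMALIZERS.items():
            key = norm(ven[field])
            for emp_id in index.get((field, key), []) if key else []:
                hits.append((ven["id"], emp_id, field))
    return hits


def duplicate_payroll_values(employees, field):
    """Group employee ids that share the same value in a payroll field."""
    groups = defaultdict(list)
    for emp in employees:
        if emp[field]:
            groups[emp[field]].append(emp["id"])
    return {value: ids for value, ids in groups.items() if len(ids) > 1}


if __name__ == "__main__":
    for hit in vendor_employee_matches(VENDORS, EMPLOYEES):
        print("vendor/employee overlap:", hit)
    print("shared bank accounts:", duplicate_payroll_values(EMPLOYEES, "bank"))
```

Matches from a test like this are leads for follow-up inquiry rather than findings, since relatives, shared buildings, and switchboard numbers produce legitimate overlaps.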
The above-mentioned chart found in prior editions of the Fraud Examiners Manual cites the procedures of interviews, review of outside data, and document examination as the fraud examination techniques that differ from audit techniques. Auditors, however, should be aware that “interviewing is both an art and a rational technique that is fundamental to effective auditing” (Phillip L. Defliese, Kenneth P. Johnson, and Roderick K. Macleod, Montgomery’s Auditing, Ninth Edition, Ronald Press, 1975). Inspection of documents and use of outside data are also common audit procedures. Furthermore, there are many examples of specific procedures recommended in auditing standards that are also techniques commonly used in fraud examinations.
Attitudes or stances.
Some of the common statements about differences in attitude or stance between auditing and fraud examination concern adversarial and nonadversarial relationships, professional skepticism, and document authentication. These are not distinct differences, but rather matters of degree that are natural consequences of the key difference of the requirement of predication for fraud examinations.
The audit process is said to be nonadversarial, and fraud examinations, because they involve efforts to affix blame, are said to be adversarial. An audit is essentially adversarial in the planning process and, in some circumstances, in performing procedures and evaluating evidence.
Both the auditor and the fraud examiner are required to exercise professional skepticism (2017 Fraud Examiners Manual). The auditor does not assume honesty or dishonesty, but maintains the mindset that fraud is always possible. Fraud examiners begin assignments with the belief that someone is committing fraud and maintain that belief unless the evidence shows no signs of fraudulent activity. This belief, however, is directed at the perpetrators of frauds, not the defrauded organizations.
Neither fraud examiners nor auditors are expected to be document experts, but they may need to consult an expert document examiner to determine authenticity if they recognize possible alteration or falsification (2017 Fraud Examiners Manual). Because fraud examiners begin their assignments only when there is predication, they may be more disposed to using an expert document examiner. Auditors, however, should better understand what genuine documents look like, so that circumstances in which there is a need for document examiners would be more apparent.
Both auditors and fraud examiners are on notice to expect concealment by fraud perpetrators. Again, because a fraud examiner’s work is based on predication, the need to be alert for indications of concealment and creative in response is second nature for fraud examiners. Auditors, however, also need to be aware that collusion, false documents, and misleading responses to inquiries are normal methods of concealment of material misstatements due to fraud. For example, the PCAOB has observed that because fraud usually involves deliberate concealment and may involve collusion with third parties, the auditor should assess risks and apply procedures directed specifically to the detection of a material, fraudulent misstatement of financial statements (Release 2007-001, http://bit.ly/2CX6DeE). To respond effectively to risks of concealment, auditors must emphasize the vulnerability to fraud if management or employees, alone or in collusion with third parties, were inclined to perpetrate it, and not solely the likelihood that fraud has occurred. Auditors are also expected to recognize that audit procedures effective for detecting misstatement caused by error may not be effective in detecting those caused by fraud. This awareness should affect the selection of audit procedures and items to which the procedures are applied.
No Excuses, No Guarantees
That an audit of financial statements is not a fraud examination is no excuse for an auditor’s failure to detect fraud. An audit is not a guarantee of the accuracy of financial statements, but auditors must plan and perform the audit to obtain reasonable assurance the financial statements are not materially misstated by fraud. If the purpose of an audit is to detect fraudulent material misstatements, and the purpose of a fraud examination is, by definition, to detect fraud, what is the difference? That question should now be clearly answered.
Adversarial Attitudes Reflected in Auditing Standards
- Identify how and where the financial statements might be susceptible to material misstatement due to fraud, how management could perpetrate and conceal fraudulent financial reporting, and how assets could be misappropriated (AS 2401.14 and AU-C 240.15).
- Consider factors that might create incentives/pressures for management and others to commit fraud and opportunities to do so—the same fraud triangle used by fraud examiners (AS 2401.15 and AU-C 240.15).
- Be continually alert for information or other conditions that indicate a material misstatement due to fraud may have occurred (AS 2401.16 and AU-C 240.22).
- Presume that improper revenue recognition is a fraud risk (AS 2401.41 and AU-C 240.26).
- Address the risk of management override in every audit and perform prescribed procedures designed to detect whether override has occurred (AS 2401.42 and .57-.67 and AU-C 240.32).
- Keep in mind that management has a unique ability to perpetrate fraud and cause manipulation of accounting records and present fraudulent financial information (AS 2401.08 and .57 and AU-C 240.31).
- Whenever the auditor has determined that there is evidence that fraud may exist, consider the organizational position of the persons involved (AS 2401.75-.79 and AU-C 240.35-.36).
The two professional services of fraud examination and audit are distinctly different services, but both professionals have responsibilities related to fraud detection. A valid comparison of the two has to focus on how exactly they differ with respect to that key responsibility. The aim of the fraud examination is to resolve allegations of fraud by determining whether fraud occurred and who perpetrated it, and to report findings that may be used in a legal action or to recover fraud losses. An auditor’s fraud detection responsibilities are not triggered by suspicion of fraud; an auditor must have the mindset that fraud is always possible. An audit is planned and performed using the concepts of materiality and focusing on material misstatement. A fraud examination is not constrained by materiality or whether material misstatement results. The fraud examiner is hired by the potentially defrauded organization and owes primary responsibility to the party who engaged him or her even though outside parties may see and use the report in certain circumstances. The auditor is usually engaged by the audited entity, but owes primary allegiance to the investing public.
The professional standards applicable to an audit and a fraud examination differ in many respects, including the fact that the standards for a fraud examiner provide guidelines (which may be further limited by a contractual agreement), but auditing standards include many requirements that are unconditional or presumptively mandatory. Other differences that are sometimes described as differentiating an audit from a fraud examination are actually not nearly as significant, and differ only in degree. It is this author’s hope that auditors will stop using the empty excuse that an audit is not a fraud examination, and recognize that they have a responsibility for fraud detection that, although not absolute, is an essential responsibility that has to be aggressively pursued.