Newly minted CPAs typically have limited hands-on auditing experience. They almost always have no training in specialty areas, such as forensics. A term now commonly used—“frauditing”—connotes approaching an engagement with what would be a routine annual audit with the added emphasis of looking for fraud. But how many audits are planned where enough time is devoted to extra procedures to uncover a fraud scheme, especially one cleverly masked?
In addition, although the protection afforded to the public in having audits performed by independent CPAs may be working adequately, based on the occurrence of litigation over the past 40 years, this may not be as robust as we would like. How did the profession get here, and where will it go next?
An Historical Perspective
Doubtless, our profession has evolved since Luca Pacioli’s publication (Summa de arithmetica, geometria. Proportioni et proportionalita, 1494) on the double-entry bookkeeping system used by merchants in Venice, Italy, during the Italian Renaissance. The AICPA has roots back to 1887, when it was called the American Association of Public Accountants. Even prior to that, the British Parliament in 1844 passed the Joint Stock Companies Act, followed in 1900 with the new Companies Act. The first law required directors to use audited financial statements to report to shareholders, and the second law required that the auditor be independent.
Since these very early days of the profession, modern auditing has gone through a series of changes in focus. These changes took auditors from a transaction-oriented approach based on internal evidence to what became known as the substantive balance sheet audit, where auditors scrubbed the assets, liabilities, and equity accounts for satisfactory evidential matter. Subsequent to the 1929 U.S. stock market crash and ensuing Great Depression, the Securities Act of 1933 and Securities Exchange Act of 1934 created the SEC and required publicly traded companies to issue audited income statements, as well as balance sheets, emphasizing the fairness of the presentation as the role of the auditor.
Decades later, the major business failures and scandals of the 1970s and 1980s caused independent auditors to take on increased responsibilities, and a new Code of Professional Conduct was created. This was a result of Congressional investigations of the public accounting profession, which focused on the quality of existing auditing standards. For example, Rep. John E. Moss (D-Calif.) chaired a subcommittee that recommended that the SEC play a direct role in setting accounting and auditing standards (Federal Regulation and Regulatory Reform 1976, 51-53). A subcommittee headed by Senator Lee Metcalf (D-Mont.) focused on the Big Eight, the AICPA, and FASB. Two conclusions in the 1,760-page staff study, The Accounting Establishment (1976), were that the Big Eight firms lacked independence from their clients and that they dominated both the AICPA and the process of setting accounting standards. The Metcalf subcommittee also recommended that the federal government set accounting and auditing standards for publicly traded corporations. No actual legislation was passed as a result of the work performed by these two subcommittees (Stephen A. Zeff, “How the U.S. Accounting Profession Got Where It Is Today: Part I,” Accounting Horizons, September 2003, vol. 17, no. 3, pp. 189-205).
As business became more complex, it became too cumbersome to focus on auditing individual transactions. As a result, auditors moved their focus to more of a risk-based approach and conducting procedures to test the reliance on the system of internal controls. Montgomery’s Auditing has long been the main treatise for auditors. Published in 1975, the 9th edition (Robert H. Montgomery, published by John Wiley & Sons) provided practitioners with invaluable insight into helping auditors develop more efficient audit plans, increase the control over audit risk, and recommend comprehensive auditing strategies and methods.
Today, assessing risk is the critical driver for the CPA auditor, but can auditors adequately assess all risk closely enough? Can an auditor anticipate every possible “what could go wrong” scenario?
During the mid-1970s, the AICPA established a committee chaired by Manuel F. Cohen to investigate if there was any disconnect between what users expected from an audit and what an audit was designed to accomplish. In 1978, the Cohen Commission concluded that there was a significant gap and it issued a series of recommendations (The Commission on Auditors’ Responsibilities: Report, Conclusions and Recommendations, AICPA 1978). The gap was created in part because the courts have recognized that failure to detect fraud by the independent auditor can indicate a failure to exercise the standard of care that society expects of independent auditors. The SEC has also held that the detection of fraud is an important object of an audit. However, auditors’ responsibility for the detection of fraud as the object of an audit steadily eroded over the years, and from the beginning auditing standards emphasized the limitations on an auditor’s ability to detect fraud. The purpose of the Cohen Commission’s recommendations was to bring to auditors’ attention that they had an affirmative responsibility for the detection of material fraud; it is unclear whether the recommendations achieved what they were intended to. Another committee established by the AICPA in 1977, the Oliphant Committee, proposed that the AudSEC (Auditing Standards Executive Committee) be reformed within the AICPA into a new board called the Auditing Standards Board (ASB). As a result, the ASB was established in 1978 (Ahmed Riahi-Belkaoui, Accounting Theory, 5th ed., pp. 21-22). The ASB along with AudSEC issued 61 standards between 1973 and 1988.
Even after the establishment of these standards, accounting scandals continued in the 1980s. Intense Congressional and public scrutiny of the accounting profession led to the establishment of the National Commission on Fraudulent Financial Reporting (the Treadway Commission) in 1985. In its 1987 report, the Treadway Commission concluded that the “responsibility for reliable financial reporting resides first and foremost at the corporate level” (p. 6). The commission recognized that the auditing profession could not be solely responsible for fraud detection and that the “independent public accountant play[s] a crucial, but secondary role. They are not guarantors of the accuracy or the reliability of financial statements” (p. 6). As a result, recommendations were made for public companies, independent public accountants, and the SEC and others to improve the regulatory and legal environment. The Committee of Sponsoring Organizations (COSO) was born out of this commission; COSO is still the internal control framework that is used by most public companies in the U.S. today.
In the 1980s, there was renewed discussion of the “expectation gap” between what users of financial statements expected and what the auditing profession believed its responsibilities were. In the wake of the Treadway Commission’s report, nine expectation gap SASs were issued in 1988 (SASs 53-61). Collectively, these SASs made auditors aware that the public’s expectations must be considered in performing audits. The standards required auditors to detect illegal acts that could have a material effect on the financial statements and to design the audit to provide reasonable assurance of detecting material misstatements.
In 1997, SAS 82, Consideration of Fraud in a Financial Statement Audit, was issued to further narrow the expectation gap in the face of continued litigation against auditors. This was a major step towards requiring auditors to perform certain procedures relating to fraud in a financial statement. SAS 82 required auditors to consider the presence of fraud risk factors, assess the risk of material misstatement of the financial statements due to fraud, and develop an audit response based on the risk assessment.
In response to the major accounting scandals at Enron, WorldCom, Adelphia, and Tyco, SAS 99, Consideration of Fraud in a Financial Statement Audit, was issued in 2002, superseding SAS 82. This standard increased auditors’ responsibility with respect to identifying material misstatements due to fraud and served to narrow the “expectation gap.” It required auditors to conduct specific fraud-related procedures:
- Conduct “brainstorming” sessions during planning to discuss how and where the financial statements could be susceptible to material misstatements due to fraud;
- Make inquiries of management about the risks of fraud;
- Consider fraud risk factors;
- Consider the results of analytical procedures in planning the audit;
- Evaluate programs and controls; and
- Assess the risks of material misstatements throughout the audit.
Congress responded to the financial scandals by passing the Sarbanes-Oxley Act of 2002 for publicly traded companies and their auditors. For example, Title 1 effectively removed self-regulation of the auditing profession and replaced it with independent oversight by the PCAOB. Section 201 prevents audit firms from providing many consulting services to audit clients. Section 404 requires management assessment and external audit firm attestation regarding the effectiveness of internal control over financial reporting.
Auditors’ Responsibilities for Detecting Fraud
Auditing standards have historically held that it is not reasonable to expect auditors to uncover all frauds. As the number of scandals increased, however, users expected that auditors have a responsibility to detect and report material frauds. The PCAOB made it clear that an independent audit provides reasonable assurance to users that financial statements are not materially misstated because of fraud.
In 2010, the Center for Audit Quality (CAQ) issued a paper titled “Deterring and Detecting Financial Reporting Fraud—A Platform for Action” (https://bit.ly/3iZH2Hh). The CAQ concluded that preventing and detecting fraud is not the job of the external auditor alone. Other parties such as management, audit committees, internal auditors, and regulatory authorities all play a key role in mitigating the risk of fraudulent financial reporting.
In 2012 and in 2016 the AICPA issued AU-C 240 and the PCAOB issued AU 316, respectively. Both of these standards (AU-C 240 applying to nonpublic companies, AU 316 applying to public companies) describe management’s responsibilities for preventing and detecting fraud, the auditor’s responsibilities for planning and performing an audit, the role of professional skepticism, fraud risk assessments, and the auditor’s response to identified fraud risks.
Unfortunately, there are many examples of lawsuits filed against audit firms over the past 30 years in connection to audits of public companies. In many of these cases, there were material misstatements of the financial statements due to fraud. Many of the frauds resulted from management’s desire to manage earnings to show steady year-over-year growth in order to meet its earnings targets and to maintain a healthy stock price. Considering these failures, the public continued to ask: “Where were the auditors?”
In retrospect, many of these frauds were missed by a failure to remain diligent and by not conducting each engagement in accordance with GAAS or the PCAOB standards. Some of the most common violations that we noted over the past 30 years were as follows:
- Failure to maintain objectivity and knowingly subordinating judgment to the client;
- Ignoring key “red flags” that should have caused the auditor exercising an ordinary degree of objectivity and independent judgment to have heightened his or her professional skepticism during the audit;
- Failure to use the work of a specialist in the proper manner;
- Failure to respond to client-imposed scope limitations;
- Undue reliance on management representations when there is no supporting evidence;
- Failure to obtain an understanding of the internal control structure when planning the audit to determine the nature, timing, and extent of tests to be performed;
- Ignoring important risk factors in the planning stage and development of audit strategy;
- Failure to change the audit strategy as new information became known during the audit;
- Failure to increase the extent of testing or to perform alternate procedures after uncovering problems in a specific audit area;
- Failure to obtain sufficient competent evidential matter; and
- Lack of adequate supervision or proper understanding of the client’s business and operations.
While these are clear examples of violations of professional conduct and guidance, not every fraud uncovered will be due to the auditors missing the mark. The expectation gap is a derivative of the common misconception that auditors are responsible for identifying every instance of fraud. But the fact remains that unless a matter is considered to have a material impact on the financial statements, it is not the auditor’s responsibility to design procedures to identify immaterial frauds.
In the case of the highly publicized Wells Fargo cross-selling scandal, the auditors stated that they performed their procedures to address potential material misstatements in the financial statements. As part of those procedures, auditors must rely on assertions or representations made by management, yet fraud is often concealed and rationalized by the very same management who must provide these assertions; this creates the proverbial “Catch-22.”
While the standard audit opinion from a decade ago provided boilerplate language, with the evolution and implementation of critical audit matters (CAMs), auditors must provide more information for users to consider over time. This will enhance understandability, timeliness of information, and insight into financial statement considerations for financial statement users.
Notably, the tools used for record-keeping have become immeasurably more sophisticated over the past 90 years. Today’s auditors perform a risk-based audit approach, whereas decades ago, the tick-and-tie transaction-based and substantive audit was the gold standard. With more businesses delving into complicated transactions, the potential for fraud has mushroomed. Auditors are now asked to do more and say more to the public, and this trend will certainly continue. But as regulators and the public continue to ask auditors to provide more information, are audits slowly trending towards forensics? Will there be a need for forensic specialists on audit engagement teams?
The fundamental difference between an audit and forensic examination is the breadth of scope on which the professional must opine or evaluate. A standard audit will opine on the financial statements taken as a whole and incorporate sampling, whereas a forensic examination can focus on a very specific, often esoteric, aspect of the business and can require an analysis of every transaction in an account. While it would not hurt to incorporate more forensic procedures into an audit, under current auditing standards the cost associated with having a more expansive audit would rise significantly. And while cost plays a significant factor in decision making, is that the appropriate barometer against which to measure benefit? As a matter of public opinion, there are mixed reviews depending upon who you ask. And opening this Pandora’s box raises more questions, such as “who should bear that cost,” and “is the expense worth the benefit of reducing mounting unease amongst public users?”
Where is the Profession Headed?
It is difficult to predict where the road of the auditing profession and regulations will lead in the coming decades. But in the current environment there are steps that auditors can take today to enhance quality, decrease unpredictability, and differentiate firms from peers. One opportunity arises within the training of newly minted CPAs and engagement planning. Often, walkthrough meetings and fraud inquiries are performed by less experienced engagement team members. These meetings may even be the only times in which the engagement team has contact with various process owners outside of finance. One approach to enhancing planned audit procedures to address fraud risks would be to train junior level staff in forensics, especially those responsible for conducting walkthrough meetings or inquiries of management. This would enhance their ability to interpret warning signs or issues that may be the precursor or indicator of larger issues.
In addition to supplemental training, reconsidering the process of selecting walkthrough transactions could provide an added benefit to the team. Auditors now have advanced tools at their disposal to analyze large volumes of data. By using a data specialist or dedicating time to analyze data patterns prior to executing procedures, the engagement team can attempt to isolate and identify unusual transactions and select some of these unusual transactions for walkthroughs. This will give the team a chance to understand what happens when “some things go wrong” or a transaction doesn’t follow the expected operating pattern. These anomalies may give further insight into what could go wrong, as opposed to simply brainstorming independent of the data.
The risk assessment process is meant to be fluid and reevaluated throughout the progression of the audit. The current standards afford auditors room to be creative (a word often thought not to exist in accounting). For the most part, auditors have proven to be good at following the rules and checking the boxes, but significant changes in the profession are often driven by third parties and regulators. To excel and differentiate in a world where technologies including blockchain and AI will continue to grow, auditors will need to innovate, specialize, and think outside the box in order to remain relevant and meet the needs of the public in the future—all while being careful to “mind the gap” along the way.