I knew the title would catch your attention. But, I think it is a fair question for discussion. After all, a questioning mind is the cornerstone of professional skepticism.
Did you know that the lack of professional skepticism is cited as one of the main reasons for audit failure? The Cambridge English Dictionary defines audit failure “as a situation in which an audit wrongly states that a company's accounts are correct when they contain mistakes or false statements.”I think it is too simple to blame professional skepticism for audit failure. The inference is that a person, the auditor, failed in some aspect of their audit. But could it be that the audit profession failed the auditor by not providing the right methodology for integrating fraud audit procedures into the audit program? I think this is a vital question to discuss.
My next two blogs will address the issue of professional skepticism and how to reduce audit failures associated with fraud. As part of this process, I have researched internet articles, studies, and opinions regarding the importance of professional skepticism. Unfortunately, I found a lot of words but extraordinarily little substance. Common words used by authors to detect fraud are: robust, vigorous, vigilant, critical, and probing. These are all good words, but they are truly ambiguous in regard to fraud detection. Instead of talking about what auditors should do, the profession should discuss how to integrate fraud into the audit program.
What is Professional Skepticism?
The framework for auditor objectivity and professional skepticism is reflected in PCAOB professional standards. The standards demand the appropriate application of professional skepticism throughout the audit process and emphasize that professional skepticism is:
- A component of the auditor's general duty of care that applies throughout the audit.
- An attitude that includes a questioning mind and a critical assessment of the appropriateness and sufficiency of audit evidence.
- Composed of three elements — auditor attributes, mindset, and actions.
In this blog, we will discuss these three elements of professional skepticism: auditor attributes, mindset, and actions. For each element, I will cite the standard, then discuss that standard, and lastly provide my recommendations.
AU 230.07 “The auditor uses the knowledge, skill and ability called for by the profession of public accounting to diligently perform, in good faith and with integrity, the gathering and objective evaluation of evidence.”
AU 210.01 states that the “audit is to be performed by a person or persons having adequate technical training and proficiency as an auditor.”
Consistent with The IIA’s International Standards for the Professional Practice of Internal Auditing on proficiency (1210.A2), internal auditors must have sufficient knowledge to evaluate the risk of fraud and the manner in which it is managed by the organization.
If you have read enough of my blogs, you should know that I think definitions are important for a mutual understanding. So, according to the Cambridge English Dictionary knowledge is: “understanding of or information about a subject that you get by experience or study, either known by one person or by people generally.”
I believe the knowledge of fraud is the foundation of building effective professional skepticism for detecting fraud. This is what I call “educated” skepticism. Using the Cambridge definition, the foundation of knowledge comes through the “study” of fraud audit theory. In contrast there is knowledge through experience -- what I call the art of fraud audit knowledge. The two concepts are quite different but both very important. The audit profession needs to recognize fraud audit knowledge as a skill set that required for the audit team.
The starting point is understanding that fraud by itself is about deceit, concealment and misrepresentation. Black’s Law dictionary provides the auditor with an authoritative definition. To evaluate fraud risk, the auditor must understand how to use the fraud risk universe methodology to identify fraud risk consistent with the scope of the audit. The next area of knowledge is the auditor’s ability to write a fraud risk statement that facilitates the development of an audit program designed to gather competent evidence that would detect a fraud scheme. Now to integrate fraud into the audit step, the auditor must understand the concept of sophistication of fraud concealment as it relates to fraud detection and how to calibrate the competency of audit evidence to the sophistication of concealment. This should be considered as the foundation of fraud knowledge for all auditors. It is the starting point of knowledge. Many of these concepts are discussed in my prior blogs.
AU 230.09 Mindset “… neither assumes that management is dishonest nor assumes unquestioned honesty…” Mindset is important, but it maybe overrated. Yes, we need to have this attribute. But mindset without fraud knowledge is a lot like the Henny Penny story about Chicken Little who runs around yelling “The sky is falling” when an acorn falls on its head. Clearly, Chicken Little did not understand the red flag.
If the audit evidence is directly linked to the fraud risk statement and the evidence is calibrated to the sophistication of concealment consistent with the level of risk assumed by the auditor, then fraud will become evident through the performance of an audit procedure. Yes, that is a mouth full, but think about the logic of the statement. Fraud is about concealment, therefore the audit procedure must be able to pierce the fraud concealment strategy. Therefore, the burden shifts from a “mindset” to the sufficiency of audit evidence.
(AU 230.08) “Gathering and objectively evaluating audit evidence requires the auditor to consider competency and sufficiency of the audit evidence…” The response to this standard varies by the type of audit whether it be financial statement, operational, or internal control, etc. With that said, competency of evidence is the key to detecting fraud rather than sufficiency of evidence. To determine the competency, the auditor most understand the relevance and reliability of the audit evidence. So, what does this mean?
Relevance is the relationship between the fraud risk statement and the documentation (evidence), whereas reliability is whether the evidence is credible and not created or altered by the perpetrator of the fraud risk statement.
Start with a simple fraud risk statement, such as the practical illustration below. Create a list of audit evidence that you could consider in formulating an opinion. Rate the evidence based on a simple process of considering where the evidence is stored and who created the evidence. Is it internal or external? The key to competency is externally created and externally stored audit evidence.
A practical illustration
You are building an audit program for the expenditure cycle, in essence accounts payable. You are assigned to test new vendor internal controls. The traditional test would be to ensure that a new vendor form was properly completed, properly approved, and with no overt anomalies. So, what is wrong with that test procedure regarding the detection of fraud? Is it auditor attributes (knowledge), mindset, or actions?
The failure is in the action component of professional skepticism regarding credible evidence.
The evidence was created by the internal employee and therefore, the audit procedure accepted the lowest form of evidence from a reliability perspective because the evidence was internally created and internally stored. From an internal control perspective, is it truly reasonable for an auditor to think that the approver had sufficient knowledge to determine that the new vendor was a real vendor in the marketplace, since the company operates in a global environment? So, what should be done?
If the auditor wants to detect fraud in the new vendor procedure test, then the auditor needs to gather reliable evidence that the vendor is a real vendor in the marketplace. That means the evidence gathered must be externally created and externally stored apart from the internal control owner.
Your action plan for reducing audit failures should be investing in yourself:
- 1. Knowledge of fraud audit theory. Until you have a strong understanding of fraud theory, you are relying life experiences.
- 2. Knowledge regarding the sufficiency of audit evidence as it relates to fraud detection. If the audit evidence is not credible and does not relate to the fraud risk statement, you will be tricked.
- 3. Knowledge regarding the red flags that are associated with the fraud risk statements in your audit. Otherwise, you will be Chicken Little.
- FYI, the next blog will discuss:
- Component of the auditor's general duty of care that applies throughout the audit.
- Attitude that includes a questioning mind and a critical assessment of the appropriateness and sufficiency of audit evidence.