Since I started my career in the professional practice of audit, there has been a debate about the auditor’s responsibility for detecting fraud. For some reason, the audit profession has shied away from this responsibility. And yet, whenever an incident of fraud is detected, everyone asks “where were the auditors?” Hence the fraud detection dilemma: the auditor’s responsibility on one side, public expectation on the other.
The only way to discuss the duty of care properly through the lens of the professional skepticism standard is to cite the professional standard the auditor is adhering to in the audit: PCAOB, AICPA, IIA, ACFE, Yellow Book, etc. However, the intent of this blog is not to write a dissertation on a specific standard. Rather, it is a discussion of the elements of professional skepticism as they relate solely to detecting fraud in the conduct of an audit.
As stated in my last blog, professional skepticism is:
- A component of the auditor's general duty of care that applies throughout the audit.
- An attitude that includes a questioning mind and a critical assessment of the appropriateness and sufficiency of audit evidence.
- Comprised of three elements — auditor attributes, mindset, and actions.
What does “duty of care” mean?
First, I will identify the legal standard, then cite the audit standard. I think it is important that the auditor understand both perspectives, because together they define what the profession will be held to.
Cooley on Torts, a legal treatise, describes the obligation for due care as follows:
Every man who offers his services to another and is employed assumes the duty to exercise in the employment such skill as he possesses with reasonable care and diligence. In all these employments where peculiar skill is requisite, if one offers his services, he is understood as holding himself out to the public as possessing the degree of skill commonly possessed by others in the same employment, and if his pretentions are unfounded, he commits a species of fraud upon every man who employs him in reliance on his public profession. But no man, whether skilled or unskilled, undertakes that the task he assumes shall be performed successfully, and without fault or error; he undertakes for good faith and integrity, but not for infallibility, and he is liable to his employer for negligence, bad faith, or dishonesty, but not for losses consequent upon pure errors of judgment. D. Haggard, Cooley on Torts, 472 (4th ed., 1932).
AS 1015: Due Professional Care in the Performance of Work
.01 Due professional care is to be exercised in the planning and performance of the audit and the preparation of the report.
.05 An auditor should possess "the degree of skill commonly possessed" by other auditors and should exercise it with "reasonable care and diligence" (that is, with due professional care).
So, what is “the degree of skill commonly possessed”? Or, more specifically, what is the fraud skill that should be commonly possessed by auditors?
There is no single answer to the “skill commonly possessed” question. The skill or competency will vary based on many factors, such as whether it is an external audit or an internal audit. So, is there a common answer to this question across all standards? Yes! The simple answer is that the audit objective and the audit scope determine the required skill set. Regardless of the standard, auditors must have the skill to detect errors, whether the error is unintentional or intentional. The auditing standards are clear on this matter. I realize materiality affects the obligation to detect errors; however, materiality is a discussion for another day.
Auditors must have the skill to recognize and detect error, whether the error is unintentional or intentional. I think all auditors would agree with that statement. Unintentional errors are the easy case: nobody is hiding them, so they are visible to the naked eye. The challenge is the intentional error. Auditors must understand how someone can disguise a fraudulent transaction to make it look legitimate. I call this the sophistication of fraud concealment.
Which is easier: to see something that you recognize, or to see something that you do not recognize? Risk assessment is an important tool within the profession of audit. Its purpose is to identify the risks that could cause an error affecting a core business system. How risk assessment is used varies with the professional standards, but the bottom line is the same: identify the risks and determine whether internal controls are sufficient to mitigate them.
There are two critical skills auditors must have to achieve the standard. The first is the ability to write a risk statement with sufficient clarity to properly assess internal controls and create a corresponding audit test. High-level risk statements sound good in the working papers but provide little direction to the auditor building the audit program. Vague and ambiguous fraud risk statements inhibit the auditor’s ability to see something! Let me illustrate my point:
A vague and ambiguous fraud risk statement is “ghost employee”. Does this statement alone provide the auditor with sufficient guidance to build an audit program? Or, should we expect every auditor to be aware of the fifteen permutations of the fraud scheme? Should the auditor understand how a ghost employee is used in an asset misappropriation scheme compared to a corruption scheme? Bottom line: if the auditor does not recognize something, can the auditor see something?
Another example, this one in the revenue cycle: “bribery and corruption” schemes. Does this fraud risk statement alone give the auditor sufficient guidance on how to audit for price fixing committed by management? Interestingly, a quick Google search will tell you that price fixing is more common than one would think. For my external auditors, would litigation cause any reporting issues? Bottom line: if the auditor does not understand that something is within their scope, will the auditor see something?
The second skill for risk assessment is what I call “internal control vulnerability assessment.” This is the exact opposite of internal control mitigation. In the vulnerability assessment, the auditor focuses on the circumstances under which an internal control would be made to fail intentionally: who could override it, bypass it, or feed it false inputs. When the auditor focuses only on control mitigation, it causes a phenomenon I call “internal control blindness”: the auditor sees only the internal control and does not see the red flags of fraud. To help the auditor see something, should the audit program list the red flags common to the fraud scheme?
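To make the two skills concrete, here is an added example (my illustration, not part of the original blog or any standard) of what a specific ghost-employee risk statement buys you once it reaches the audit program. The vague statement is “ghost employee.” A sharper one is “a payroll record exists for a person who is not a current employee, and the pay is routed to an account controlled by an insider.” That statement names the records to compare (HR master versus payroll), the control that would have to be made to fail (the HR-to-payroll reconciliation), and the red flags to test for. The Python below runs four such red-flag tests over a constructed payroll extract and HR master file and then ranks employees by how many flags they trip. The field names, sample rows and the 30-day grace period are assumptions for the example, not data from any engagement.

```python
"""Ghost-employee red-flag tests over a payroll extract (added example).

Turns one specific fraud risk statement into four data-analytics tests.
Field names, sample rows and thresholds are assumptions for illustration;
a real engagement maps them to the client's HR and payroll systems.
"""
from collections import Counter
from datetime import date, timedelta

# Constructed HR master file (assumed fields). term_date None = still employed.
HR_MASTER = [
    {"emp_id": "E100", "name": "A. Ahmed", "term_date": None},
    {"emp_id": "E101", "name": "B. Brown", "term_date": date(2023, 11, 30)},
    {"emp_id": "E102", "name": "C. Costa", "term_date": None},
    {"emp_id": "E103", "name": "D. Diaz", "term_date": None},
]

# Constructed payroll extract for one pay period (assumed fields).
PAYROLL = [
    {"emp_id": "E100", "pay_date": date(2024, 1, 31), "gross": 5200.0, "tax_withheld": 1040.0, "bank_acct": "11-2233"},
    {"emp_id": "E101", "pay_date": date(2024, 1, 31), "gross": 4800.0, "tax_withheld": 960.0, "bank_acct": "44-5566"},
    {"emp_id": "E102", "pay_date": date(2024, 1, 31), "gross": 6100.0, "tax_withheld": 1220.0, "bank_acct": "77-8899"},
    {"emp_id": "E103", "pay_date": date(2024, 1, 31), "gross": 4300.0, "tax_withheld": 0.0, "bank_acct": "11-2233"},
    {"emp_id": "E999", "pay_date": date(2024, 1, 31), "gross": 3900.0, "tax_withheld": 780.0, "bank_acct": "00-1122"},
]


def not_in_hr_master(payroll, hr_master):
    """Paid employee ids with no HR master record: the classic ghost."""
    known = {row["emp_id"] for row in hr_master}
    return sorted({row["emp_id"] for row in payroll if row["emp_id"] not in known})


def paid_after_termination(payroll, hr_master, grace_days=30):
    """Pay dated after termination plus a grace period for final pay (grace is an assumption)."""
    term = {row["emp_id"]: row["term_date"] for row in hr_master if row["term_date"]}
    return sorted({
        row["emp_id"] for row in payroll
        if row["emp_id"] in term and row["pay_date"] > term[row["emp_id"]] + timedelta(days=grace_days)
    })


def shared_bank_accounts(payroll):
    """Direct-deposit accounts receiving pay for more than one employee id.

    Returns {account: [emp_ids]}. The legitimate employee sharing the
    account is flagged too, because that is where the insider usually sits.
    """
    by_acct = {}
    for row in payroll:
        by_acct.setdefault(row["bank_acct"], set()).add(row["emp_id"])
    return {acct: sorted(ids) for acct, ids in by_acct.items() if len(ids) > 1}


def zero_withholding(payroll):
    """Positive gross pay with no tax withheld. A red flag, not a finding:
    legitimate exemptions exist, so each hit needs follow-up."""
    return sorted({row["emp_id"] for row in payroll if row["gross"] > 0 and row["tax_withheld"] == 0})


def ghost_employee_red_flags(payroll, hr_master):
    """Run every test and return the results keyed by test name."""
    return {
        "not_in_hr_master": not_in_hr_master(payroll, hr_master),
        "paid_after_termination": paid_after_termination(payroll, hr_master),
        "shared_bank_account": shared_bank_accounts(payroll),
        "zero_withholding": zero_withholding(payroll),
    }


def prioritize(flags):
    """Rank employee ids by number of distinct red flags, most first, ties by id."""
    counts = Counter()
    for name, hits in flags.items():
        ids = {e for group in hits.values() for e in group} if isinstance(hits, dict) else set(hits)
        counts.update(ids)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    results = ghost_employee_red_flags(PAYROLL, HR_MASTER)
    for test, hits in results.items():
        print(f"{test}: {hits}")
    print("follow-up order:", prioritize(results))
```

The point is not the four tests themselves but the chain behind them: a risk statement specific enough to name records and fields, a vulnerability assessment that says which control an insider would have to defeat, and red flags that fall out of both. Every hit is a lead to investigate, not a conclusion; the test program only tells the auditor where to look.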
Our profession needs to recognize that fraud happens. The reasons vary, but it simply happens. I will let the criminologists study why people commit fraud, the behavioral scientists study the professional pressures associated with audit failures, and the psychologists study the cognitive thought process. I suspect all of these are contributing factors to audit failure.
We need to recognize that there is both a professional obligation and a legal obligation to detect intentional errors (fraud). Our profession needs to invest in building the “common knowledge” required to detect fraud in the conduct of all audits. Remember, knowledge is gained through study and experience.
Today, this is my recommendation for you and your audit department – ensure that the degree of fraud skill commonly possessed by auditors includes:
- The ability to detect both unintentional errors and intentional errors.
- The ability to write a fraud risk statement that provides clarity to the auditor on how to design the right audit procedure.
- The ability to assess internal control vulnerability and then adapt their audit program accordingly.
- The ability to calibrate their audit program for the sophistication of concealment principle.
- The ability to create fraud test procedures.
There are other skills, which I have discussed in previous blogs, but fraud data analytics is of particular importance. My next blog will provide recommendations to the audit profession regarding professional skepticism as it relates to fraud detection.