Fraud in an audit environment – the ultimate “Expectation Gap”
Since the turn of the millennium there has been a noticeable increase in high-profile corporate frauds, that in some cases have even led to a corporate failure.
Given the wide range of stakeholders that are affected when such events occur, the inevitable questions asked are:
- Should (or could) the auditor have identified it? and;
- If they could have reasonably been expected to, what other actions could they have taken, and would that ultimately have changed the outcomes?
For auditors’ this has long been referred to as the ‘expectation gap’. This expectation gap is realistically comprised of the gaps between:
- What the public expects and what auditors are required to do: While the public may expect an auditor to be acting as the ‘bloodhound’ by actively checking all of the accounting records to find any and all fraud, this is not the auditor’s role.
- What auditors are required to do and what they actually do in practice: regulators often identify failings in audit work in relation to the application of professional scepticism and the focus on challenging management
It is important to remember that there are inherent limitations of an audit, which mean that there is an unavoidable risk that some material misstatements of the financial statements may not be detected, even though the audit is properly planned and performed in accordance with auditing standards. (ISA (UK)240.5).
So, who is responsible for what?
The primary responsibility for the prevention and detection of fraud rests with those charged with governance and management of the entity. As such, management should have a strong control environment which reduces the opportunity for fraud to take place and enhances the chances of any fraud being detected.
The auditor’s responsibility is restricted to obtaining reasonable assurance that the financial statements taken as a whole are free from material misstatement, whether caused by fraud or error. Auditors may however identify deficiencies in controls during their procedures that the company can use to review their processes and may assist them in identifying where fraud could occur.
What do auditors do?
While auditors do investigate the financial records of an entity, it is not feasible for them to review everything. Auditor’s instead focus their efforts, through an understanding of the entity, on areas where the financial statements are at most at risk of material misstatement, be that due to fraud or error. Ultimately however, procedures are performed on a sample basis, with those results being used to provide evidence over the entire relevant “population” (be that a specific account balance or entire class/type of transaction).
Given that auditors cannot be reasonably expected to review all the financial records and that fraud is, by its very nature, difficult to detect (due to the intentional concealment and deception by those involved), particularly when there is collusion between more than one party, there can never be a guarantee that an audit will identify all fraud where exists, even if the fraud is material. Detection of fraud involving management is even more difficult than identifying employee fraud, as management has greater opportunity to both commit and conceal fraudulent activities.
While an auditor is alert to the risk of fraud, it is only considered insofar as it may impact their primary focus, being that fraud may result in a material misstatement in the financial statements. Auditor’s exercise ‘professional scepticism’ throughout their work (an attitude that includes a questioning mind, being alert to conditions which may indicate possible misstatement due to error or fraud, and a critical assessment of audit evidence). Audits are however not designed with a primary focus of detecting and/or preventing fraud from occurring. Audit procedures are designed with an emphasis on determining whether an entity’s financial statements are materially accurate due to discrepancies either in the application of the relevant financial reporting framework or whether appropriate internal controls are in place and have operated accordingly.
Where frauds do occur, they are most likely to be identified by the entity’s management, unless they are the perpetrators, and therefore auditors have a presumed risk of fraud caused by risk of ‘management override of controls’. This requires the auditor to be aware of the risk that any control used by an entity to deter and detect fraud could be bypassed by those ultimately charged with the responsibility of creating and enforcing them. Consequently, auditors should not be satisfied that evidence they have obtained is sufficient and appropriate simply because of a belief that management will be honest in response to any and all enquiries.
What can auditors do better?
There are steps auditors can take to enhance the role they play in fraud detection and prevention. Implementing changes now would also pro-actively prepare themselves for the upcoming enhanced UK auditing standards (for audits of periods commencing on/after 15 December 2021) which clarifies what the auditor needs to do to obtain ‘reasonable assurance’ over the risk of fraud. This being a higher level of assurance than required by international standards. Certain aspects auditors should be considering now include the following:
- Adjusting their techniques to introduce an element of unpredictability to the audit. In many cases, auditors perform procedures with a similar scope and purpose to the preceding periods. They should:
- vary the type and scope of their procedures. If fraudsters are aware of where the auditor will look before they do, it makes the concealment that much easier.
- vary the timing of procedures. If the audit is always performed at the same time of year, does this give the fraudster a ‘window’ in which they know they need to ‘cover their tracks’ and so always be ‘on hand’ to assist/divert the auditor?
- Ensure that there is sufficient focus/attention given to areas of the financial statements identified as having a higher risk of fraud.
- Considering who performs audit procedures relating to fraud. Detailed audit procedures are generally performed by the more inexperienced members of the engagement team. Questions to ask include:
- Should procedures over fraud risks be conducted by more senior team members?
- Do teams need to be provided with better training and supervision on fraud matters?
- Rather than just simply being content with complying with professional standards, auditors could consider conducting specific examinations of transactions/controls where the level of fraud risk is significant. These examinations can then focus on potential frauds and, if one exists, the possible extent of its impact on the entity, rather than just the impact it may have on the material accuracy of the financial statements.
- Review and consider deficiencies in internal controls not just for where controls could be improved for the sake of improving the ‘audit trail’ (the documentation that supports each transaction in the financial records), but also in developing a system of fraud indicators, so that suspicious activities are more likely to be flagged and investigated.
- Expand the use of technology, including data analytic tools. These tools allow auditors to analyse large data sets, in full, rather than on a sample basis, for any unusual or unexpected activity. However, as with all tools, auditors need to ensure they are sufficiently trained on how to use them to:
- appropriately indicate fraud risk areas;
- use their knowledge of the client to understand what data to analyse and what will require investigation; and
- how to appropriately enquiry and obtain evidence over, the exceptions reported by the tools for further inspection.
Topical challenges related to fraud
The nature, scope and form of fraud is always changing and so auditors, along with management teams, need to be aware of how, where and when fraud could occur in their business. The recent COVID-19 pandemic, for example, has presented fraudsters with a wide-range of new opportunities, including fraudulent claims in respect of government support schemes.
With many businesses moving to remote working, and now transitioning back to hybrid working, traditional controls and systems/processes that may have been in place for years have been forced to adapt to these new ways of operating. Management teams and auditors should therefore be vigilant and alert to these risks and re-assess any new processes for deficiencies to ensure that any increased fraud risks are identified and discussed. Management continue to have primary responsibility for the detection and prevention of fraud and pro-active assessments of systems, and the sharing of that knowledge, will assist their auditor in identifying specific risks of fraud, that may impact on the financial statements. This empowers the auditor to be able to appropriately adjust their audit strategy/response to address those risks.
Fraud could happen in any entity and to think ‘it cannot happen to me’ gives those intending to commit fraud even greater opportunities to do so. Constant vigilance is paramount. The auditor can also form a component of this monitoring system and act as a valuable deterrent by presenting an additional detection risk to those that may consider fraudulent acts.
Ultimately it is management’s role to put in place the systems and controls that deter and prevent fraud from occurring. While an auditor may give a different perspective and assessment of an entity’s systems and results, fraud poses a constantly evolving challenge to businesses of all sizes.
While auditors are a useful deterrent, they shouldn’t be held accountable for fraud in most cases. While auditors are alert to the risk of fraud, auditors are inherently limited to reviewing only the evidence they have obtained for the purposes of issuing their audit opinion.
Businesses should ask themselves, at the very least when changes to their operations are introduced, “if I was going to commit a fraud, how could (or would) I do it?”. In the constant battle against fraud “Knowledge is power”. Armed with the knowledge of how your business may be susceptible to fraud, and sharing this information with your auditor, we can all take pro-active steps to not only mitigate the risk of it occurring at all, but also improve the chances of detecting it when it does.
So the next time a fraud occurs in an audited company, the first question you should ask isn’t “why didn’t the auditor identify the fraud?”, but rather “how/why did management (and the company) allow it to happen?”.
Find out more
If you would like further guidance or to discuss in more detail fraud in an audit environment, please contact your local MHA member firm.