Essay title - Financial Statement Organisation
Problem Statement:
Companies and organisations that are hit with employee fraud, including embezzlement, asset misappropriation, and financial statement manipulation are often surprised that the incident occurred. Even more surprising to executives and boards of directors is the fact that their auditors didn't find the fraud sooner, or didn't find it at all. After all, isn't that what auditors are supposed to do?
In one case, the bookkeeper for a non-profit organisation was stealing for several years and cleverly covering her tracks. Bookkeeper didn't let the checks get too large, and he divided the check amounts between many accounts so that the entries in each account would be very small. Bookkeeper knew that if the amounts were small enough, they probably would not be carefully examined during the annual audits.
Bookkeeper was right, and his scheme worked until an auditor found a problem with the bank reconciliation. That problem led to further investigation, which ultimately uncovered the fraud. One could say that the fraud was discovered by accident. The board of the directors wondered why the auditors didn’t find the fraud sooner, since it had been ongoing for at least three years.
The answer was simple. The auditors followed the rules, but those rules aren't always effective at uncovering a situation that is purposely disguised by a dishonest employee.
The bookkeeper used what she knew about the accounting process and the year-end audit to escape detection. Bookkeeper knew that management wasn't checking his work or monitoring the bank account. By utilizing small-dollar transactions, recording false transactions in the accounting system, and discarding canceled checks, he successfully beat the system and ran off with hundreds of thousands of dollars.
Definition of Auditor
Audits and reviews are procedures performed on the financial statements of a company, for the purpose of determining whether the financial statements include any material misstatements. Misstatements are essentially wrong numbers due to numerical errors, fraud, or errors in interpreting the accounting rules. Misstatements are material if they are large enough to make a difference to a user of the financial statements, such as a bank or investor.
Auditors utilize sampling techniques to test certain transactions during the performance of an audit or review, since it would be nearly impossible and too expensive to test every single transaction. The sampling may be aimed at the largest items or the items on the financial statements that pose the most risk of misstatement. If material errors in the financial statements are discovered, the auditors will direct management to correct them.
So how does fraud fit into the idea of material misstatements? Misstatements can be caused by either error or fraud. Auditors have some responsibility for the detection of both errors and frauds that are material, but this responsibility is not absolute. Auditors give "reasonable" assurance that material misstatements have been uncovered, but not total assurance.
Errors are much more likely to be discovered during an audit than are fraud. Fraud schemes are crafted to purposely exploit the accounting system and controls, and therefore it is more difficult for an auditor to find them. Since auditors are not all-knowing beings, the assurance that the financials statements are correct can only be "reasonable" assurance and not total assurance.
Auditing Rules
It is important to understand the guidance given to auditors on the topic of fraud. Accountants performing audits in the United States follow Generally Accepted Auditing Standards (GAAS) in their performance of audits. Additional guidance is provided in the Statements on Standards for Auditing and Review Services (SSARS) and Statements on Auditing Standards (SAS). These sets of authoritative guidance outline the responsibilities that auditors have for finding fraud while performing audits and reviews. Following rules are established to detect fraud.
- CONSIDERATION OF FRAUD IN A FINANCIAL STATEMENT AUDIT
Rule SAS number 99 for consideration of fraud in a financial statements audit became effective in late 2003. This statement directs auditors to use professional skepticism and to consider that a fraud could have occurred and could materially affect the financial statements. The auditors must consider and identify the risk of fraud, and must continuously evaluate evidence throughout the audit to determine whether or not there are any fraud indicators.
SAS no. 99 describes a process in which the auditor (1) gathers information needed to identify risks of material misstatement due to fraud, (2) assesses these risks after taking into account an evaluation of the entity’s programs and controls and (3) responds to the results. Under SAS no. 99, you will gather and consider much more information to assess fraud risks than you have in the past. The SAS no.99 can be represented by the fraud triangle shown below.
1.1 Professional Skepticism
SAS no. 99 reminds auditors they need to overcome some natural tendencies—such as over reliance on client representations—and biases and approach the audit with a skeptical attitude and questioning mind. Also essential: The auditor must set aside past relationships and not assume that all clients are honest. The new standard provides suggestions on how auditors can learn how to adopt a more critical, skeptical mind-set on their engagements, particularly during audit planning and the evaluation of audit evidence.
1.2 Discussion among Engagement Personnel
SAS no. 99 requires the audit team to discuss the potential for a material misstatement in the financial statements due to fraud before and during the information-gathering process. This required “brainstorming” is a new concept in auditing literature, and early in the adoption process firms will need to decide how best to implement this requirement in practice.
1.3 Obtain Information to Identify the Risks of Fraud
SAS no. 99 significantly expands the number of information sources for identifying risks of fraud. It provides guidance on obtaining information from Management and others within the organisation, analytical procedures, consideration of fraud risk factors.
Other sources:
1.4 Identity and Assess Fraud Risks
SAS no. 99 requires auditors to assess fraud risks, but one of the problems practitioners have had with the previous standard on fraud is that they mistakenly believed “assessment” to mean they should describe the risk as high, medium or low.
1.5 Considering the Entity’s Antifraud Programs and Controls
Once auditor has identified specific risks of fraud, he should consider the entity’s programs and controls that mitigate or exacerbate his identified risks of material misstatement due to fraud. SAS no. 99 provides examples of programs and controls in large and small businesses. A new document, entitled Management Antifraud Programs and Controls, is included as an exhibit to SAS no. 99.
The SAS no 99 can be briefly described by the following flow chart:
- International Auditing and Assurance
Standards Board (IAASB) issued ISA 240 The Auditors Responsibility to Consider Fraud in an Audit of Financial Statements. A media release announcing the release of the revised ISA 240 stated that “auditors (are required) to be more proactive in considering the risk of fraud in the audit of financial statements” (IAASB, 2004a). The title of ISA 240 has been changed to exclude error. Previously the title included both fraud and error. This is an indication of the growing importance of fraud detection as an objective of a financial statement audit.
- AUS 210
Under AUS210 (2004), management will be required to provide the auditor with a signed declaration that includes:
• An acknowledgement of management's responsibility for the implementation and operation of control systems designed to prevent and detect fraud or error
• A statement that management considers unadjusted errors as immaterial to the financial statements.
• A statement that management has disclosed to the auditor all significant facts relating to any frauds or suspected frauds.
• A statement that management has disclosed to the auditor the results of its assessment of the risk that the financial report may be materially misstated as a result of fraud make no mistake, this is not merely a standard for the audit profession; management - including executives and directors of boards - will need to comply with these new rules.
Management will need to sign on the dotted line verifying that they have taken all reasonable steps to prevent and detect fraud.
- STATEMENT ON STANDARDS FOR ACCOUNTING AND REVIEW SERVICES
The American Institute of Certified Public Accountants (AICPA) recently issued SSARS number 12 (2005), "Omnibus Statement on Standards for Accounting and Review Services." This applies to reviews, rather than audits. Reviews provide less assurance on the financial statements, as the review procedures are typically less thorough and less detailed than audit procedures. This statement dictates that during a review, the auditor is not required to assess the risk of fraud or develop plans specifically to identify fraud.
The guidance for auditors is continuously evolving as the accounting profession acknowledges that fraud is becoming a bigger issue for clients. All of this alphabet soup can be boiled down to the fact that it is management's responsibility, not the auditor's, to prevent and detect fraud. The auditors must consider fraud throughout their procedures, but they do not have an absolute responsibility for the detection of fraud.
- Expectation Gap
If the guidance on fraud is so clear from the perspective of the auditor, why does there seem to be an expectation gap between the auditors and the clients? Regardless of whatever guidance exists, clients are inclined to mistakenly expect that auditors can, must, and will find fraud if it exists within the company. The client sometimes fails to acknowledge that the auditors clearly outline their audit and review responsibilities with engagement letters. Those letters usually state that the auditors provide reasonable assurance that they will detect material misstatements, but not absolute assurance.
The client also often does not consider the fact that immaterial frauds may never be found. If a fraud is not large enough to "make a difference" in the financial statements, then it stands to reason that it most likely will not be detected. Detecting an immaterial fraud would be like finding a needle in a haystack.
The expectation gap boils down to misconceptions on the part of the client. Management and employees wrongly believe that reviews and audits can and should always detect fraud. Auditors also bear some responsibility for the expectation gap, and they might consider addressing this issue verbally with the client. That discussion should echo the engagement letter and address any concerns or unrealistic expectations held by the client.
4.2 Audit Alternatives
Executives, attorneys, and board members may be left asking themselves why they pay for audits if the procedures aren't going to detect all the potential problems with the numbers. Audits and reviews have their place in the business world, as they help companies identify risky areas of the financial reporting process, and they hopefully find material errors and frauds.
Since reviews and audits can only provide limited (but not absolute) assurance on the numbers, they are only one part of a company’s financial picture. If management wants to go a step further, they will look beyond audits and reviews.
Internal control reviews with a "focus on fraud" can help prevent fraud. They probably won't detect old frauds, but the involvement of an anti-fraud professional during the review of controls will help the company identify areas of the company most at-risk for fraud.
The next step is the development of procedures specifically designed to prevent fraud. This requires management to take a proactive stance against fraud. Since management cannot fully rely on audits and reviews to detect fraud, the better alternative is to shore up controls so that the opportunities for fraud are decreased.
At the end of the day, the responsibility for fraud prevention and detection is on the company's management. Executives and manager must clearly understand the inherent limitations of audits and reviews, and recognize that they cannot and will not detect all frauds. Audits and reviews should not be avoided or discarded, but management is advised to add proactive fraud prevention measures to help the company maintain better control over the potential for fraud.
Critical Review of Rules Established for Auditor’s Responsibility
Johnson, 2004, states that expanding auditor’s duties in relation to fraud detection merely recognises forces in play with the American Institute of Certified Public Accountants (AICPA) issuing a standard in October 2002 expanding the guidance to auditors for detecting material fraud in an effort to restore investor confidence and confidence in financial reporting (Johnson, 2004, pp.157-158).
I would like to say that there is, in fact, now a clear market expectation to this effect – that is, that auditors are bloodhounds, not just watchdogs. Simply put, the market expects auditors to pick up instances of fraud (Lucy, 2004, p.15).
In the past it has been argued that auditors have limited responsibility to detect fraud and thus auditors are watchdogs rather than bloodhounds. The reference to bloodhounds indicates that fraud detection was not a primary objective of the financial statement audit. However Lucy is suggesting the auditors’ responsibility for fraud is increasing whereby auditors have to actively undertake work to consider detecting fraud and thereby become more of a bloodhound.
Conclusion:
The guidance for auditors is continuously evolving as the accounting profession acknowledges that fraud is becoming a bigger issue for clients. All of this alphabet soup can be boiled down to the fact that it is management's responsibility, not the auditor's, to prevent and detect fraud. The auditors must consider fraud throughout their procedures, but they do not have an absolute responsibility for the detection of fraud.
By following some key principles, company directors and management can put in place a program to prevent and detect fraud that will provide the necessary assurance come audit time. The ten principles to creating a fraud free zone are:
Executive buy-in - Strong support and direction from the executive team is essential
Risk assessment - conduct an organisation-wide assessment to determine high risk fraud areas.
Planning - put a fraud control plan into place to prevent and detect fraud
Communication - ensure entire organisation is aware of responsibility to prevent and detect fraud.
Education - educate staff on how to prevent and detect fraud
Reporting - make it easy for employees to report suspected fraud
Confidentiality - guarantee the confidentiality of employees who report fraud
Code of conduct - develop a code of conduct for honest and ethical behavior
Investigate - call in the experts to investigate fraud
Zero tolerance - let employees, shareholders, suppliers, contractors and customers know that fraud will not be tolerated.
Having the right methodology to identify, stamp out and prevent fraud is not just good practice anymore…it is essential.
References:
- International Auditing and Assurance Standards Board (IAASB), 2003, ISA 200 - Objective and General Principles governing an Audit on Financial Statements, February, October, www.ifac.org
- International Auditing and Assurance Standards Board (IAASB), 2004a, IAASB Calls on Auditors to Take Greater Action to Consider Fraud in an Audit and to Establish Rigorous Quality Control Processes. February, www.ifac.org
- International Auditing and Assurance Standards Board (IAASB), 2004b, ISA 240 (Revised) - The Auditor’s Responsibility to Consider Fraud in an Audit of Financial Statements, February, www.ifac.org
- Johnson R., 2004, “The future of auditing and corporate governance”, in Johnson R (ed), Readings in Auditing, John Wiley & Sons Australia, Ltd,Brisbane, pp.150-164
- Lucy Jeffrey, 2004, FSR, CLERP 9 and surveillance programs: ASIC priorities over the next 12 months, www.asic.gov.au
- Panel of Audit Effectiveness, 2002, Report and recommendations, Public Oversight Board, 31 August, www.pobauditpanel.org
- http://www.thefreelibrary.com/SSARS+No.+12Omnibus+Statement+on+Standards+for+Accounting+and...-a0138859825
- http://www.deloitte.com/dtt/article/0,1002,cid%253D12617,00.html
- http://www.sequenceinc.com/index.php?option=com_content&task=view&id=119&Itemid=41
- http://www.aicpa.org/pubs/jofa/may2002/mont.htm
- http://www.johnwiley.com.au/highered/applyingias/lecturer-res/currentaffairs/2004-11/2004-11-03.pdf
