Changing auditors’ responsibility for detecting fraud


by Mohammed Amin MBE FRSA MA FCA AMCT CTA (Fellow).

This article was first published in UKSA’s Newsletter, The Private Investor, and is reproduced with the author’s permission.

The Expectations Gap

After almost every major corporate reporting failure, arguments arise about the “expectations gap”. This is the gap between what shareholders, creditors, employees and journalists think that auditors should be doing, and what auditors consider they are actually required to do.

This expectations gap is particularly acute in cases where there has been fraud. The published financial statements have reported profits that were simply fictitious due to falsification of the accounting records. Quite often it is as basic as cash being reported on the balance sheet that simply does not exist.

Historically, the law has required much less of auditors than the public expect. Audit cases reach our courts surprisingly rarely, and one of the key cases dates back to 1896: Re: Kingston Cotton Mills Co. In that case, Lord Justice Lopes defined an auditor’s duty of care as follows:

“It is the duty of an auditor to bring to bear on the work he has to perform that skill, care and caution which a reasonably careful, cautious auditor would use. What is reasonable skill, care and caution must depend on the particular circumstances of each case. An auditor is not bound to be a detective, or, as was said, to approach his work with suspicion, or with a foregone conclusion that there is something wrong. He is a watchdog, not a bloodhound. He is justified in believing tried servants of the company in whom confidence is placed by the company. He is entitled to assume that they are honest and rely upon their representations, provided he takes reasonable care.”

While law and practice have developed somewhat since then, the changes have been insufficient to close the expectations gap.

I believe that the regulators need to set out the responsibilities of auditors much more explicitly.

Small-scale fraud

Small-scale fraud may be committed by junior employees (or sometimes by senior staff, but for small amounts of money, such as over-claimed expenses) and is immaterial (in the technical sense of that word) with regard to the figures in the published financial statements.

Auditors in my view should never spend any time looking for such fraud. The regulators should make it clear that they are not expected to.

Obviously, if they become aware of it, they should report it to the company’s senior management, but they should have no responsibility for external reporting unless something else gives it significance.

When small-scale fraud should be reported to shareholders

For example, if the CEO, or indeed any other main board director, is falsifying his or her expenses, even by technically immaterial amounts, that casts doubt on whether he or she should continue as CEO or director, and the shareholders clearly need to know about that, if the auditors somehow happen to become aware of it, even though they were not looking for such small-scale fraud.

Large-scale fraud

This is fraud of such magnitude that it has a material effect on the numbers in the financial statements and can indeed threaten the continued existence of the company.

As part of checking the control environment of the company, in my opinion auditors have always had the responsibility of seeing whether there are weaknesses in the control environment that could allow large-scale fraud to be perpetrated by a single individual. That would be a clear system weakness, and I believe that almost all auditors regard it as part of their responsibilities to assess the control systems to ensure that they adequately address this risk.

The most serious problem for auditors, and indeed for companies and their shareholders, is when large-scale fraud is perpetrated collusively by senior management. I have not attempted a historical survey, but my belief is that this accounts for almost all of the major fraud-related audit failures in financial history. (There are of course exceptions, such as the collapse of Barings Bank in 1995, which really do seem to be the responsibility of one rogue individual, albeit assisted by a lack of the internal control systems mentioned previously.)

Such collusive fraud can be very difficult to unravel.

As a partner in Price Waterhouse, I received a free hard copy of the investigation report by Lord Justice Bingham into the collapse of Bank of Commerce and Credit International (“BCCI”) and found it impossible to put it down until I had read every page, it was so well written. It showed just how much effort it took Price Waterhouse, over a period of about three years, to get to the bottom of what was happening in that bank due to the widespread collusion in fraud within BCCI.

To protect themselves against litigation risk, auditors always stress that it is not their responsibility to ferret out such large-scale collusive fraud. However, their messages are not sufficiently clearly put, which is where the expectations gap comes from.

Furthermore, shareholders in general believe that identifying such fraud is the responsibility of the auditor.

Changing the rules regarding large-scale collusive fraud

I consider that auditing standards should impose a categorical responsibility upon auditors to identify whether large-scale collusive management fraud is taking place.

This imposition will result in auditors significantly expanding the work that they undertake, since they would then have to take seriously the risk that most of the senior management personnel with whom they are interacting may be telling them lies.

Auditors would have to use additional technologies, such as electronic interrogation of 100% of transactions. This is already starting to happen anyway due to the greater use of artificial intelligence technologies.

Much more controversially, it would lead to auditors using other technologies such as artificial intelligence to identify lying in oral and written communications from clients and could go as far as requiring CEOs to undertake a lie detector test (either a traditional polygraph, or perhaps new systems currently being developed which use AI to detect when a speaker may be lying) when giving assurances to auditors.

However, if we want auditing standards to be serious about addressing the risk of large-scale collusive management fraud, approaches such as those will need to become standard.

There would of course be a consequent increase in audit fees, but this does not need to be massive. Much more important is the need for a complete change in the trust relationship between the auditor and client personnel. What is needed is for the auditor to regard it as a default working assumption that most of the senior management at the client may be choosing to collusively lie to the auditor.
