The Securities and Exchange Commission is urging auditors to do better at assessing fraud risk among their clients — a rather notable statement peppered with keywords such as “gatekeepers” and “protection of investors,” clearly intended to warn audit firms that the agency wants to see improvement here.
The statement came on Tuesday from Paul Munter, the SEC’s acting chief accountant. We don’t know precisely why Munter released his statement now, but it does come after a wave of audit firm inspection reports released in recent weeks by the Public Company Accounting Oversight Board. It also follows several enforcement actions the SEC announced last month against audit firms for a variety of offenses.
Regardless, Munter wants auditors to remember that they do have a duty to look for fraud among their clients, in addition to the more widely understood duty to look for errors and risk of material misstatement.
“An auditor should avoid exhibiting bias, which may result from focusing the risk assessment and the related audit response on risks of error and overlooking or failing to identify the fraud risks,” he said. “It is critical that auditors evaluate whether information gathered throughout the audit indicates that one or more fraud risk factors are present and how fraud could be perpetrated or concealed by management.”
Munter went on to say that the Office of the Chief Accountant (OCA) has heard “particularly troubling feedback” from companies and other stakeholders in the financial reporting world that audit firms tend to talk about fraud in terms of what auditors can’t do, or are not required to do.
“We find this attitude… deeply concerning,” Munter said, “as it could impact an auditor’s mindset or their degree of professional skepticism, and may thereby reduce the likelihood of fraud detection and potentially result in dereliction of professional responsibilities to the public trust.”
Yikes. Translated from the polite and genteel language of SEC policy statements, that is Munter telling audit firms to fix their attitude, pronto.
Fraud and Auditor’s Risk Assessment
Much of Munter’s statement explored how auditors should fulfill their responsibility to assess fraud risk. Internal auditors and compliance officers should understand that responsibility too, since it has a direct effect on the demands for evidence that auditors make to your company.
First, let’s remember that auditors are there in your conference room or data warehouse to assess the risk of material misstatement of financial results. Part of that analysis is to determine whether such a misstatement could arise from innocent error or from deliberate fraud. This means auditors need to understand whether the underlying actions that can cause a misstatement are unintentional (suggesting error) or intentional (suggesting fraud).
Given that need, Munter said, auditors should be aware of biases in their thinking that might lead them to spend more time worrying about error and less time worrying about fraud.
“For instance, the mindset of ‘trust but verify’ may represent potential bias if it is anchored in the belief that management is honest and has integrity,” Munter said. “Such a mindset may interfere with an auditor’s ability to effectively evaluate signs of fraud when evaluating misstatements or to objectively challenge evidence provided by management.”
In other words, auditors shouldn’t lull themselves into thinking, “Management would never do that!” Yes, management might. And consequently, financial and internal audit teams dealing with the auditor shouldn’t be outraged at demands for more evidence that your control activities work, even if your tone at the top and control environment seem unimpeachable.
“Don’t they trust us?” you might ask. No, they shouldn’t, Munter is arguing.
In practice, this means auditors should be more skeptical when management provides evidence under “questionable” circumstances. Those circumstances, Munter said, could include:
- invoices for large amounts with vague descriptions;
- invoices with related parties with descriptions that are outside of the normal course of business;
- “new” evidence provided by management in the late stages of the audit to address a potentially difficult or contentious audit matter.
“Auditors should avoid any assumptions of honesty, be mindful of potential unconscious biases, and apply the appropriate level of professional skepticism,” Munter said.
Other Points to Consider
Munter also mentioned management override of internal controls and management manipulation of accounting estimates as potential avenues of fraud risk. In both cases, auditors should “remain diligent” and “remain aware of techniques used by management to circumvent existing controls.”
Funny enough, we have mentioned the threats of accounting estimates and management override numerous times on this blog. What I said then bears repeating now: internal auditors and compliance officers can combat those threats by establishing policies for rigorous documentation.
There is nothing inherently wrong with management altering estimates or overriding internal controls. Rather, it’s the abuse of those actions that gives rise to fraud; that’s the point Munter is driving at when he talks about actions that are intentional or unintentional.
When management intentionally changes estimates or overrides controls, you want enough documentation to demonstrate that those decisions came from a place of honesty — and, likewise, enough documentation so that questionable decisions will stick out like a sore thumb.
For a long time I’ve argued that you want such policies so that internal whistleblowers will have an easier time raising concerns to, say, the board’s audit committee. They apply just as well to the external auditor, who should be looking for such evidence as part of the fraud risk assessment.
Now, will the SEC and PCAOB follow up on Munter’s exhortations with more rigorous audit firm inspections and, where necessary, enforcement action for poor audit practices? We’ll have to wait and see.