Today I want to return to that statement the Securities and Exchange Commission published last week, urging auditors to do better at assessing fraud risk among their clients. There’s more to unpack here, both in how audit firms might try to handle those marching orders and in how companies could address fraud risk themselves.
As you might recall from our first post on this subject last week, SEC acting chief accountant Paul Munter published a statement warning that his team had heard “particularly troubling feedback” that audit firms aren’t especially eager to assess fraud risk. “We find this attitude… deeply concerning,” he said.
Munter then delivered a 2,500-word lecture to the audit world, stressing the responsibility that audit firms have to take fraud risk seriously. My first post explored the risk of bias that might creep into an auditor’s mind (that the client wouldn’t engage in fraud, and therefore fraud risk assessments can be slow-rolled), plus several places in corporate financial processes where managers might attempt fraud.
Munter had lots more to say, too. We can start with his comments about fraud and materiality.
Specifically, Munter said, “When considering materiality, auditors should not assume that even small intentional misstatements in the financial statements are immaterial.” He then referred to Staff Accounting Bulletin No. 99, saying, “[Q]ualitative factors may cause misstatements of quantitatively small amounts to be material… A registrant and the auditors of its financial statements should not assume that even small intentional misstatements in the financial statements are immaterial.”
Let’s state that again more simply. Munter is telling people that even small amounts of fraud that are immaterial in dollar terms could still be material issues that investors would want to know about, because the fraudulent transactions suggest deeper problems in the company’s system of internal controls. So auditors should be more diligent in investigating the root cause of every erroneous financial transaction they find, and in assessing internal controls with a cynical eye that assumes management might commit fraud.
At an abstract level, his point makes sense. In practice, however, his point is likely to meet resistance from auditors, who will say they can only do so much to find fraud.
Auditors and Fraud Struggles
Indeed, that already happened when I published my first post on Munter’s statement to LinkedIn. One auditor had this to say:
First, expecting auditors to identify small misstatements goes against the principle of materiality. Second, establishing intentionality would be difficult in the absence of an investigation and auditors are really not equipped to establish intentionality.
Another said the issue is one of expertise; most auditors aren’t trained forensic accountants and investigators, and those are the skills necessary to identify whether a problematic transaction really is fraud or just an error:
Forensic accountants or auditors are better equipped at doing this. There still exists the expectations gap for the auditors to do everything. Considering the volume of work, they have to review within a timeline and the methodology they use, I can’t fault them for not finding enough.
I chatted with one Big 4 audit professional who does work on fraud investigations, who noted that most audit firms operate their anti-fraud and financial audit practices separately. To bring an anti-fraud specialist into an audit, the financial auditor would need to recognize that a specialist is necessary — but that brings us back to the original issue that lots of auditors won’t be able to recognize that need, especially when (a) they’ve been trained to focus on materiality; and (b) they have plenty enough to do just looking for errors in today’s complex financial systems.
Munter did address those issues, although perhaps not in the most useful way. He basically said auditors should think about bringing anti-fraud specialists into the audit when that seems necessary:
An auditor should consider whether the involvement of a forensic specialist is necessary to assist in identifying fraud risks and responding to those fraud risks, or, when fraud risks are identified related to management estimates, whether the involvement of a specialist is necessary to challenge and evaluate the reasonableness of management’s assumptions.
Umm, yes — but telling auditors to keep anti-fraud specialists in the back of their mind doesn’t address the larger questions here about auditors’ skepticism and pro-client bias. Until the PCAOB and the SEC start leaning on audit firms directly, sanctioning them for poor fraud risk assessment, I don’t know that we’re moving in a direction that benefits investors, as much as each side is repeating their talking points and glossing over the practical challenges to make Munter’s (very valid) points work.
Fraud and the Compliance Program
For all you ethics and compliance professionals who’ve stuck with me through all this auditor-focused analysis — rest easy, we have some red meat for you too.
If auditors are going to look more carefully for fraud risk, that means they’ll need to pay more attention to the client’s control environment and entity-level controls. That’s very much in the compliance function’s wheelhouse, since those controls include the whistleblower hotline, ethics training, messages from management, and so forth.
For example, Munter said, while having a Code of Ethics “is a good start, the auditor should evaluate whether the code of ethics is sufficient to demonstrate the issuer’s commitment to integrity and ethical values. Are employees able to anonymously share their views on the company’s tone at the top through, for example, a culture survey? How are the survey results obtained and shared with leadership?”
Munter also talked about whistleblower hotline operations. Again, he said, having a hotline “is another good start” — but hotlines are required by the Sarbanes-Oxley Act. So does the company have one simply to check that box of SOX compliance, “or does the issuer have a culture that encourages whistleblowers who see something to actually say something? For example, an auditor may want to discuss with the audit committee the nature of the whistleblower hotline’s operation.”
Maybe Munter’s statement will lead to a wave of auditors getting all up in your face this coming audit season about whistleblower hotlines and training; maybe not. (If that does happen, drop me a confidential note at [email protected]!) Regardless, compliance officers can anticipate any increased scrutiny from auditors in two ways.
First, just keep your hotline and training operations effective. That should be a given every year, considering how important they are to the Justice Department and its evaluation of your compliance program should you find yourself in the department’s crosshairs.
Second, look specifically at fraud issues that might come to your attention via the hotline. How are those cases handled? What root causes do you find? And perhaps above all, how do you incorporate any findings about fraud cases into your next round of policy changes and internal control improvements? The better you do at that, the better you’ll be able to answer auditors when they come knocking with their more aggressive fraud risk assessments.