Mark was recently interviewed by Going Concern about auditors' responsibilities to detect fraud. Here are a few highlights:
Wednesday, January 31, 2018
Wednesday, January 24, 2018
Auditors aren't that great at detecting fraud and sometimes claim their audits aren't designed to detect it. It looks like they may not be that great at committing it, either (though not for lack of effort).
Monday, January 8, 2018
Tuesday, January 2, 2018
The Wall Street Journal published an article explaining that PricewaterhouseCoopers (PWC) was held responsible for failing to detect fraud in its independent audits of Colonial Bank. Colonial Bank collapsed in 2009 and, according to the Tampa Bay Times, was the sixth-largest bank failure in history. The articles estimate that PWC may be responsible for damages totaling hundreds of millions of dollars.
This is an interesting case because some individuals at the audit firm have claimed, in court, that auditors are not responsible for detecting fraud. The court rejected this claim and said auditors who don't design audits to detect fraud are not following their own auditing standards. Here are some details from the FDIC order related to the case:
“While there are numerous auditing standards that are implicated in this case, ... the overarching standard that governed the PWC audits is that: “[t]he auditor has a responsibility to plan and perform the audit to obtain reasonable assurance about whether the financial statements are free of material misstatements, whether caused by error or fraud.” AU § 110.02; AU § 316. PCAOB Auditing Standard No. 2 states that “[a]lthough not absolute assurance, reasonable assurance is nevertheless a high level of assurance.” Id. at ¶ 17. To that end, a PCAOB 2007 release clarified that “[t]he auditor should, therefore, assess risks and apply procedures directed specifically to the detection of a material, fraudulent misstatement of the financial statements.” (emphasis added). The Engagement Letters between PWC and CBG acknowledged this responsibility by stating that PWC would “design [the] audits to obtain reasonable, but not absolute, assurance of detecting errors or fraud.” See, e.g., A4 at 3. Indeed, Mr. Westbrook, one of the PWC audit partners, testified at trial that PWC had a duty to design audit procedures to detect fraud. Tr. 817:25-818:7 (Westbrook). He further testified that if PWC failed to design its audit procedures to detect fraud, it would be a violation of PCAOB standards. Tr. 822: 19-22 (Westbrook).

However, PWC voiced a very different tune just a few years ago with respect to another lawsuit that stemmed from this fraud. TBW’s bankruptcy trustee also filed suit against PWC, alleging that PWC breached its duties when it failed to detect the fraud. That lawsuit proceeded to trial in August 2016 before it settled mid-trial. As part of that lawsuit, many of the same PWC engagement partners, audit managers, and audit staff who are involved in this case gave deposition testimony under oath in the TBW trustee’s case. During that testimony, these individuals repeatedly admitted that PWC did not design its audits to detect fraud. For instance, Mr. Westbrook testified that PWC “audits are not designed to detect fraud.” Tr. 358:6-7 (Westbrook) (quoting Westbrook TBW Dep. at 23:7-12). Likewise, Mr. Jackson, the PWC engagement partner, testified that “I would point out that our audit procedures were not designed to detect fraud.” Tr. 1027:1-10 (TBW Dep. at 31:17-20). Similarly, Wes Kelly, PWC’s audit manager for the 2003-2005 and 2008 CBG audits, testified that PWC “did not design audit procedures to detect fraud.” W. Kelly TBW Dep. 45:608 (Ex. P3120). Finally, Mr. Rivers, a PWC audit associate assigned to the CBG audit, testified that PWC had no obligation to look for fraud. Rivers TBW Dep. at 66:17-23.

At trial, PWC attempted to explain away this testimony by arguing that these individuals simply meant that PWC was not a guarantor against the possibility of material fraud because the auditing standards recognize that “even a properly planned and performed audit may not detect a material misstatement resulting from fraud.” Ex. A400 at 7-8 (AU § 316.12); Tr. 821:25-822:24 (Westbrook stating that in order to provide a guarantee against fraud, auditors would “need a lot more tools like lie detector tests and subpoena power and guns and badges and all those kinds of things.”). This Court does not find this explanation credible, nor is it consistent with the previous testimony from the TBW trustee’s lawsuit. This Court heard Mr. Westbrook and Mr. Rivers testify for hours and is convinced that these gentlemen are more than capable of saying what they mean. If they had intended to say that PWC audits were not a guarantee against the possibility of material fraud, they would have testified accordingly. However, that was not their testimony. Instead, they clearly stated that PWC had no duty to detect fraud and did not design its audits to detect fraud. The Court concludes that PWC did not design its audits to detect fraud and PWC’s failure to do so constitutes a violation of the auditing standards.”
What I find interesting is that practicing auditors admitted that they don’t design their audits to detect fraud even though auditing standards clearly say that auditors are responsible to provide reasonable assurance that there are no material misstatements due to (error or) fraud. Over the past decade, including as recently as 2016, I’ve asked several audiences of auditors to answer the following true-false question: “Auditors have the responsibility to provide reasonable assurance that there are no material misstatements due to fraud.” These auditors range from staff to partners and, on average, about 50% incorrectly answer false. This is pretty disheartening to me...
Unfortunately, my experience suggests that most auditors don’t put in a lot of effort to detect material fraud. Fraud may be discussed briefly in the required brainstorming session but then quickly forgotten as the audit team gets focused on ticking and tying and trying to get some sleep during busy season.
There are many things that auditors could do but, unfortunately, it's rare to find an auditor who is thinking beyond what they did last year. If I were king for a day, I would require auditors to do interviews with lower-level people in an organization with the goal of discovering aggressive accounting or business practices. Combining interviews with strategic reasoning would potentially help auditors provide the reasonable assurance they are responsible for. For example, if strategic reasoning leads the auditors to believe revenue recognition and shipping cutoff are ripe for financial reporting fraud, auditors trained in interviewing could meet with shipping / warehouse personnel about the end of the year. Well-designed questions could reveal information that could help identify control weaknesses and potential fraud.
In any case, this case and other experiences with auditors remind me of the 1980s, when auditors put it in their engagement letters that they weren’t responsible for providing assurance for fraud. Back then, and now, the courts don’t appear to share that view. In the end, both the auditing profession and audit users end up suffering when auditors are weak in fulfilling this responsibility.