A fraud has been committed at a corporation, and someone is to blame. If the thief is like most others, she or he has nothing to show for the theft. There is no money to recover and there are no assets to seize.
What’s the next best thing? Look for deep pockets! The auditors have professional liability insurance, so they’re a perfect target.
There’s just one problem: Audits are not designed to detect fraud. The procedures aren’t likely to find fraud. The rules don’t require the auditors to detect fraud. So why on earth are companies and shareholders trying to hold auditors responsible for the bad behavior of employees?
Well the fact of the matter is that someone must take the blame, and it’s logical to blame the independent auditors, especially if those doing the blaming don’t really understand what an audit is all about. At every step of the engagement, the auditors typically remind company management that the responsibility for fraud is on the company.
The company must set up policies and procedures to prevent fraud. The company must properly monitor employees to make sure that transactions are properly authorized and recorded. The company must make sure that fraud isn’t occurring. Management is responsible for oversight of its own employees and processes.
There are times during traditional audits when the auditors have the opportunity to detect fraud. But there are two questions that must be asked:
- Could the auditors have detected the fraud?
- Should the auditors have detected the fraud?
The first question is fairly straightforward. If you examine the audit procedures objectively, do you see that fraud could have been detected during the audit? Many times, the answer is “no.” That is, the people within the company engaging in fraud did such a good job of covering their misdeeds that the audit procedures had almost no chance of finding the fraud.
Employees become familiar with the audit process and the type and magnitude of transactions that the auditors will typically examine. They go out of their way to cover a fraud by ensuring that the books are doctored in such a way that the auditors won’t ever look at the transactions related to the fraud.
The second question is not so straightforward, and can be quite subjective. Even if the audit could have found the fraud, it may not necessarily mean that the auditors should have found the fraud.
Suppose an auditor examines some accounting entries, comparing copies of invoices to the accounting records, and determines that the numbers match one another. What if a copy of an invoice was altered? The face of the document appeared fine to the auditor. No discrepancies were noted during the normal audit procedures. Nothing indicated that the auditor should ask for more documentation. In this case, it is not reasonable to believe that the auditor should have found the fraud.
This is a very simplistic example, but it illustrates the point nonetheless. While the auditor could have found the fraud with the examination of additional documentation, the auditor probably did enough work under the circumstances to fulfill her or his responsibility. (Remember that audits involve testing and sampling a small number of transactions, and not examining all of a company’s transactions and documentation.)
In contrast, suppose an auditor examines accounting entries and compares them to copies of invoices. Several of those invoices do not match the accounting records. The auditor doesn’t know it yet, but the invoices don’t match because a fraud has occurred, and the fraud will be revealed if the auditor asks for additional supporting documentation. In this case, the auditor probably should find the fraud. The evidence is available and several discrepancies have come to light.
The real world is not always so straightforward, however. There is a lot of judgment involved in auditing the books and records of a company. Auditors only test a very small number of transactions, and they use their judgment in determining whether to ask more questions or require more documentation.
Companies and their shareholders cannot and should not rely upon traditional audits to find fraud. If they do, they will likely end up very disappointed, as audits never have (and probably never will be) designed to detect fraud.