Busting the myth about auditors and fraud

One question I get all the time is, "Are auditors obligated to detect fraud?"

This morning I was asked to speak on a panel at a conference sponsored by the Polish Audit Oversight Agency.

Our panel was focused on the role of auditors in corporate governance: The auditor’s role in fraud detection and prevention as “Early Warning System”. The auditor’s responsibility is a key factor for the company and its shareholders.

Panelists included Barbara Misterska-Dragan, President of the Polish Chamber of Statutory Auditors (PIBR); Richard Brooks, a journalist with the UK’s Private Eye; Prem Nath Sikka, Baron Sikka, a member of the House of Lords who holds the position of Professor of Accounting at the University of Sheffield and is Emeritus Professor of Accounting at the University of Essex; Katarzyna Szwarc, a representative of the Ministry of Finance; and Prof. Krzysztof Jajuga from SGH Warsaw School of Economics.

Moderator Martyna Maciuch from 300Gospodarka asked me:

You are an independent author writing about failures of the auditors to conduct their audit properly and thoroughly. But you also spent years working for auditing companies. Both as a journalist and a former auditor, how do you perceive the role of such companies in creating corporate governance standards? What are the key challenges they encounter? What are the areas in which they fail most frequently?

I won’t repeat my remarks verbatim, but they began with a reminiscence of my beginnings as a university-trained accountant who also prepared for and passed the Uniform CPA examination. I told the conference that I was taught that auditors are watchdogs, and that they have a public duty, a responsibility to provide reasonable assurance to investors and the markets that financial statements are free of material misstatement due to error or fraud.

Marcin Obroniecki, Chairman of Polska Agencja Nadzoru Audytowego / Polish Agency for Audit Oversight, prepared my remarks for publication in Dziennik Gazeta Prawna, one of the leading Polish newspapers.

He wrote: Hope this will improve the understanding of the audit profession in Poland! Use the link to read in Polish.

Here is a PDF English translation.

Professional Skepticism Is Necessary

When I worked at KPMG and then at PwC, I sadly learned that the firms prioritized pleasing the clients and avoiding legal liability over their public duty. In the nearly forty years since I graduated college and passed the CPA exam, despite the public rhetoric and mountains of marketing materials put out by the Big 4, their priorities are still screwed up. I know that because I teach and speak to current accounting students and those working in the firms and hear about the mantras drummed in at an early stage by the firms that are no more than myths. They serve the firms’ commercial interests rather than their duty to the public and the profession.

Chief among these myths is: The audit is not designed to detect fraud.

The Big 4 auditors used to acknowledge their responsibility to detect fraud. PwC’s former U.S. Chairman Dennis Nally told the WSJ in March 2007:

WSJ: Is it an auditor’s job to try and find fraud? 

Nally: Absolutely. We have a responsibility to perform procedures that are detecting fraud just like we have responsibilities to perform procedures to detect errors in financial statements.

WSJ: You seem pretty certain, but the firms as a whole often eschew some responsibility for finding fraud, especially in court.

Nally: The audit profession has always had a responsibility for the detection of fraud. The debate has always gone toward how far do you carry that, what type of procedures do you have to develop and in what environment. The classic issue becomes the cost benefit of all of that and this is why I think there is this expectation gap.

That all changed when Nally, and his boss, former PwC Global Chairman Sam DiPiazza, were caught flat-footed on the Satyam fraud in India in Dec 2008-Jan 2009.

DiPiazza told the Times of India:

“What we understand is that this was a massive fraud conducted by the (then) management, and we are as much a victim as anyone. Our partners were clearly misled.”

Faced with allegations that PwC India partners were in on the Satyam fraud, now-Global Chairman Nally gave a rambling, incoherent interview to Business Today in India in July 2009 — more than six months after the fraud was uncovered by the Satyam CEO, not PwC — and reversed his WSJ comments from 2007:

“Many times there is an expectation from the investor community that the auditor is in fact fully responsible for the detection of fraud. Now that is not our job, today.”

The Business Today interviewer doesn’t let up but Nally continues to dodge the question of whether the audit is designed to detect frauds like Satyam:

Interviewer: Your predecessor (Samuel A. DiPiazza, Jr, see interview, BT, March 23, 2008) who was in India a few months back, talked of PwC being a victim of Satyam as much as anyone else. Is PwC a victim?

Nally: “I think what Sam was referring to as being misled was the fact that even the auditor is duped into a process. (Being) a victim means the knowledge we had at that stage was no different than that many others had.”

In another example not long after, in April of 2010, the soon-to-be retired CEO of Deloitte, Bill Parrett — Parrett’s post-retirement gig on the board of Deloitte audit client Blackstone Group was announced before his retirement was even final — told a reporter at the Toronto Globe and Mail that there are limits to what an auditor can detect, and those limits often fall far short of what investors expect from the process.

“We’ve always had this expectation gap between what the auditor really can do and what the investing public wants the auditor to do, or wants the audit to represent.”

By this time the financial crisis was in the auditors’ rear view mirrors, a financial crisis that included Deloitte paying settlements for negligence for its audits of Washington Mutual and Bear Stearns, financial firms that failed and were absorbed by JP Morgan.

A judge had even agreed, when allowing the case to go to a trial that never happened, that the Deloitte audit at Bear Stearns was so bad it effectively resulted in “no audit at all.” 

In June of 2011, Helen Thomas of the Financial Times asked PwC Global Chairman Nally:

What about fraud or disingenuous bookkeeping? Surely auditors should rightly find themselves in the line of fire when a case slips through on their watch?

By mid-2011 we are post-Satyam, post-financial crisis, and we know all about the issues uncovered at AIG, Goldman Sachs, Lehman, Bear Stearns, Countrywide, and Washington Mutual, to name just a few. There are growing issues at MF Global, which will fail on Halloween 2011, Barclays is accused of Libor fraud, and there had been several “rogue” trader scandals at big banks.

Deloitte client Taylor Bean & Whitaker and PwC client Colonial Bank in Alabama had both already failed in August 2009, after federal regulators found a $3 billion joint fraud involving fake mortgage assets. Several executives from both firms went to prison.

The FT’s Thomas writes that Nally “crossed his arms across his monogrammed shirt, for the first time looking a touch defensive.”

“There are professional standards out there [and] an audit is not designed under those standards to detect fraud,” [Nally] says, pointing out that detecting fraudulent behaviour rests on other indications including a company’s governance, management tone and control systems.

“The reasons it has been done that way is because, while we always hear and read about the high-profile fraud, the number of those situations that you actually encounter in practice is very de minimis.

“You’re not designing an audit for ‘the exception’ because, quite frankly, the cost itself would be prohibitive to all of the capital markets and . . . who wants to pay for that if the benefit isn’t there?” he adds.

The answer to, “Is the audit designed to detect fraud?” is instead a resounding YES.

Dennis Nally, Sam DiPiazza, and Bill Parrett, as well as all of their protégés, have known it for years and years.

On July 2, 2018, Judge Barbara Jacobs Rothstein of the United States District Court for the Middle District of Alabama wrote that the FDIC was "entitled to recover all reasonably foreseeable losses Colonial incurred from its ongoing fraudulent relationship with TBW," and "[t]here can be no real dispute (indeed PwC does not raise one) that it was foreseeable that because PwC failed to detect the fraud, Colonial would continue to fund TBW-originated mortgages, both legitimate and fake.”

Judge Rothstein had found on December 28, 2017 that PwC had breached its professional duty to exercise reasonable care in performing its audits by failing to plan and perform its audits to detect fraud and failing to obtain sufficient audit evidence that would have led to discovery of the Colonial Bank-TBW fraud.

Judge Rothstein ordered PwC, the former auditor for now-defunct Colonial Bank, “to pay the Federal Deposit Insurance Corp. $625 million in damages arising out of PwC's failure to detect the ‘massive fraud’ perpetrated by employees of Colonial Bank and Taylor, Bean & Whitaker Mortgage Corporation from 2002-2009, which ultimately led to Colonial Bank's failure.”

It was the largest ever damages award for auditor liability. The two sides eventually settled for $335 million.

In November 2012 the PCAOB published a very useful, and at the time very brave, Appendix to a discussion document distributed at a PCAOB Standing Advisory Group meeting. The agenda item for the meeting was, “Consideration of Outreach and Research Regarding the Auditor’s Approach to Detecting Fraud”.

This PCAOB document and Judge Rothstein’s decision in FDIC v. PwC should be the last word on whether the auditor has an obligation under law to design the audit to detect fraud and illegal acts at their audit clients.

The appendix provides a detailed overview of auditors’ obligations under existing PCAOB standards to design and perform the audit to detect fraud — from engagement acceptance and continuance to reasons to resign an audit. It also covers Section 10A of the Securities and Exchange Act of 1934, which requires auditors to report to the SEC when, during the course of a financial audit, an auditor detects likely illegal acts that have a material impact on the financial statements and appropriate remedial action is not being taken by management or the board of directors.

In 2016, SEC Enforcement Director Andrew Ceresney made a speech that highlighted the accounting fraud cases he’s overseen and the role of gatekeepers like the external auditors in stepping up to their obligations under the law:

First, like audit committee members, auditors need to demand objective evidence and investigation when they come across situations which suggest inaccuracies in the company filings.  Second, national office personnel need to be the bulwark against client pressure.  We charged three national office personnel in this case who failed in their roles.  And finally, audit firms must not retreat from demanding an internal investigation unless they obtain evidence that dispels the issues that led them to request such an investigation in the first place. 

In 2013 Ceresney was co-Director of SEC Enforcement. He made similar comments:

As the Supreme Court noted nearly 30 years ago in U.S. v. Arthur Young & Co., 465 U.S. 805 (1984), auditors play a crucial role in the financial reporting process by serving as the “public watchdog.”  So, it is important that we carefully monitor their work and ensure that they fully comply with their professional obligations.  If there is a significant restatement or if we learn about improper accounting from a whistleblower, our proactive efforts, or the media, then you can expect that we will scrutinize not only the CEO, CFO and Controller, but also the engagement partner, engagement quality reviewer, and the auditing firm as a whole. 

Here’s another statement from Dan Guy, PhD, CPA, who served more than 18 years at the AICPA as Director of Auditing Research, VP Auditing, and VP Professional Standards and Services until 1998. Now he acts as an expert witness in cases primarily involving accountants’ malpractice on both plaintiff and defendant sides.

On June 3, 2008 Guy testified before the US Department of the Treasury Advisory Committee on the Auditing Profession (ACAP) Panel on Firm Structure and Finances:

“…after numerous attempts to clearly state in auditing standards that the auditor has a responsibility to design and perform the audit to detect material fraud (including direct effect illegal acts), many auditors still disavow that responsibility. Unfortunately, these gross misunderstandings are frequently presented in expert testimony before juries. To illustrate, in one of the largest audit fraud cases in US history, I recently had to address a statement by a highly paid expert that auditing standards were not designed to detect collusive management fraud. Of course, that contradicts AU 316 (both current and prior versions) and, if the statement were true, audits performed by CPAs would be worthless.” 

Why do auditors “miss” frauds at their clients?

Professor Guy told ACAP in 2008 that these are the most common reasons that auditors fail to detect material financial statement fraud:

• Failure to exercise professional skepticism as mandated in AU 230, “Due Professional Care in the Performance of Work.”

• Failure to maintain independence and to avoid conflicts of interest because of a lack of recognition of ethical issues and how to resolve those issues.

• Making the bad assumption that management is honest and accepting less than persuasive audit evidence based on that belief. Auditors over rely on inquiry to client personnel as a form of audit evidence.

• Over reliance on management representations without obtaining, as required by AU 333, “Management Representations,” competent supporting audit evidence.

• Failure to recognize, document, and respond to fraud risk factors or red flags that are set out in AU 316, “Consideration of Fraud in a Financial Statement Audit.”

• Over reliance on PBCs (documents prepared by client) as audit evidence without sufficient testing to underlying books and records.

• Use of electronic and written audit programs and other audit-firm produced checklists in a mechanical or rote manner with a “fill-in-the-blank” mindset.

• Failure to understand GAAP and properly apply GAAP to client facts and circumstances that govern material transactions and account balances.

© Francine McKenna, The Digging Company LLC, 2021