Please ensure Javascript is enabled for purposes of website accessibility

Let’s Discuss: Auditors and The Responsibility to Detect Fraud

When I finally got around to writing about the HP/Autonomy finger pointing party yesterday, the topic of fraud detection by auditors came up as it often does in these scenarios. More specifically, the statement that "audits are NOT designed to detect fraud."  

A friend of Going Concern emailed me later in the day with a question:
So, what should I make of this?
 
 
<<< Section 110, Responsibilities and Functions of the Independent Auditor, paragraph .02, states, "The auditor has a responsibility to plan and perform the audit to obtain reasonable assurance about whether the financial statements are free of material misstatement, whether caused by error or fraud. [footnote omitted]" fn 1 This section establishes requirements and provides direction relevant to fulfilling that responsibility, as it relates to fraud, in an audit of financial statements. fn 2 >>>
GC Friend had a point, and I had written that statement as clear as it needed to be. So I emailed back, explaining further:
What you should make of it is a debate of form over substance, so you're going to get a bit of a walk back here, but just slightly — what I should have written is that audits in substance are not designed to detect fraud, regardless of what auditing standards (i.e. the form) are, because the procedures largely amount to checklists that include awkward conversations between auditors and management and key personnel. 
 
Audit Partner: "So, was there any fraud this year?"
CFO: "Nope."
Audit Partner: "Okay, great. Lunch?"
 
Even under inspection an auditor can point to workpapers and say, "Look, we designed the audit to detect material misstatement due to fraud and performed these procedures. Says so right there." The inspectors will shrug and say, "Yep, says so right there," and go on their way. 
 
But when something like Autonomy happens, everyone wants an explanation as to how something could get by the auditors. It gets by them because their audit procedures are, in substance, not designed to detect the fraud that occurs because usually there is some collusion (as alleged in this case) or something else going on that won't be detected by these cursory methods. The auditors can then claim, quite sheepishly, that they were fooled or misled by management and then roll out talking points about the expectations gap. 
 
Without implementing some kind of supplemental procedures (e.g. forensic auditing) when certain suspicious flags are raised, audits are never really going to be designed to detect fraud.  
I felt pretty good about my retort and GC Friend is the strong-headed type, plus I am an easy person to disagree with so I didn't expect any kind of concession. His response:
Okay, I accept that.
 
My problem with the statement that "audits aren't designed to detect fraud" is that this is the B.S. fallback position of every accounting firm that gets caught with its pants down. It's propaganda when used this way as a defense. Andersen tried it with Enron and Worldcom. Ernst tried it with Healthsouth. Etc.
 
If you're saying "audits aren't designed to detect fraud" as an indictment and a criticism of the profession, I have no problem with that, as long as it's clear to the reader that auditors have a responsibility to try to detect fraud. The auditing standards say so. If the auditors aren't trying to detect fraud, that's a serious problem and probably a 10(b) violation, too, because they say in their opinion letters that they complied with the auditing standards when they did their audits. It's not some expectations-gap B.S. like the Big Four and the AICPA would like the public to believe.
Which I agree with 100%. Again, it's a substance over form debate. Auditors will ALWAYS claim that they performed their duties in accordance with the applicable professional standards. When was the last time you heard an audit firm say, "We pass on GAAS all the time."? Unsurprisingly, it didn't happen today.  
 
Anyway, after a little more back and forth, GC Friend simply sent over this quote from Lawrence Dicksee's "Auditing":
The detection of fraud is a most important portion of the auditor's duties, and there will no be disputing the contention that the auditor who is able to detect fraud is — other things being equal — a better man than the auditor who cannot. Auditors should therefore assiduously cultivate this branch of their functions — doubtless the opportunity will not be long for wanting — as it is undoubtedly a branch that their clients will most generally appreciate."
Something tells me clients would appreciate it. I guess it depends on who the auditor considers to be "their client."
 
But that's a whole other debate. We'll turn this discussion over to the professional opiners now since they may have some thoughts on this.