You see the headlines in the news all the time. “Some employee from some business or public entity has stolen a considerable sum of money”. At some point the spokesperson for the business or public entity will admit that their annual audit failed to find the fraud. The public uproar will cry “Why? How could this have happened? Why wasn’t an audit conducted? Why wasn’t management watching?”. To understand audit failures, you first need to understand what an audit actually is.
According to Michael Powell in “The Audit Society: Rituals of Verification” an audit is defined as “a systematic and independent examination of books, accounts, statutory records, documents and vouchers of an organization to ascertain how far the financial statements, as well as non-financial disclosures, present a true and fair view of the concern.” Financial audits are performed to ascertain the validity and reliability of information, as well as to provide an assessment of a system’s internal controls. Unfortunately, because of constraints of both time and cost, an audit seeks to provide only reasonable assurances that the statements/opinions formed from the audit are free from material error.
So why aren’t audits catching fraud? Simply because, they are not designed to. Fraud is hidden, it is not easy to find. In its 2018 Report to the Nations, the Association of Certified Fraud Examiners (ACFE) found that the average duration a fraud runs prior to being detected is 16 months. An auditor is basically following a “canned” checklist of items to look for. Therefore, if the auditor does not know what to look for, how are they going to find it? If audit’s have been completed in previous years, there is a good chance the auditor is following the previous year’s audits. Also, audits are often conducted by inexperienced junior level staff being supervised by a rather busy and inattentive accountant who is simply signing off on what the junior level staffer has performed. Finally, audits are expensive. Accounting/Auditing firms are trying to come in under bid, and the customer is trying to provide whatever basic information is needed to keep the cost down.
The audit failure problem has gotten so out of hand that in the March 20, 2014 Journal of Accountancy, Jay Hanson (a board member of the Public Company Accounting Oversight Board) took offense to the term “audit failure” and asked that the PCAOB stop using the term. In a blog post on his website addressing audit failures, Pat McDonnell suggests that “occurrence is an admission of failure to perform to the expectations of those relying on the profession”. Further, many Public Accounting firms have been levied fines from the Security and Exchange Commission (SEC) for audit failures. In October 2016 Ernst & Young (EY) agreed to pay $11.8 Million to settle charges related to an oil company that used deceptive income tax accounting to inflate earnings.
What can a business or public entity do to ensure that their annual “audit” find and detect the occurrence of fraud? The first thing they need to do is realize that the “audit” is not designed to detect and find fraud. In order to do that, they will need to conduct a financial forensic examination. What is a financial forensic examination? According to the ACFE this is where accounting knowledge and investigative skills are combined using litigation and investigative techniques. This is a wide-ranging field covering everything from financial data analysis, maintaining and reviewing documentation, business valuation, tracing funding sources and many other investigative techniques. I will stress, this is something that an audit does not do. A financial forensic examination is more intensive, more detailed and more time consuming than an audit could ever hope to be under current standards enforced by the American Institute of Public Accountants (AICPA).
Why don’t businesses and public entities require a financial forensic examination instead of an audit? That is a good question. The word “audit” has become as generic as “Kleenex” or “Coke”. When setting up the business entity, or bidding on a contract there are often generic legal terms used, which could very well be where the “audit” requirement comes from. It is up to the due diligence of the entity organizers to step up, pay attention and require this important internal control in their organizations. Because of this, the organizers assume that an “audit” will cover a full financial forensic examination. They only come to realize that this is not the case when they have often become the victim of theft, fraud, embezzlement or other financial crimes.
The cost to a business to not cover these bases can run into a significant financial figure. Going back to the ACFE’s 2018 Report to the Nations the medial loss per case was $130,000.00. That does not include the cost to investigate the case, prosecute those that committed the crime, and then repair the reputation of the organization. Honestly, who wants to donate money to a non-profit organization that allows, even unknowingly, an employee to steal from them? Recovery from such a loss can oftentimes cause businesses to shut their doors for good. While a financial forensic examination is going to initially cost more than an audit in most cases, it is going to save your organization significantly in the long run simply because of the losses associated with audit failures.
If you are concerned about your business or organization after reading this report, you should be. It is up to management, ownership or the Board of Directors to implement change to the financial supervision of the organization to ensure that the opportunity to commit fraud is at a minimal level. There is no 100% system to prevent fraud. An audit can be a valuable tool in the fraud prevention tool belt provided that the auditor knows what they are looking for and have knowledge of the industry they are auditing. However, the audit is not the be all, end all, stop gap of fraud prevention many people think it is. Organizations absolutely need to start requiring that a financial forensic examination be conducted.