Auditors' responsibility for detecting collusive management fraud

The law and auditing standards should explicitly require auditors to identify collusive management fraud, despite the consequent increase in auditing costs.


Posted 8 November 2020

In addition to their inherent professionalism, the major audit firms have massive economic incentives to perform good audits.

The reason is that a corporate collapse which is associated with inadequate auditing has serious negative consequences for the audit firm concerned:

The nightmare situation that auditors are always concerned about is collusive management fraud.

Large company internal control systems are designed to make it very difficult (in practice) or impossible (the aspiration) for a single individual to enter into fraudulent transactions and to falsify the company’s record keeping. Such systems typically involve one person having to initiate transactions and a second person having to approve them.

For particularly significant transactions, there may be multiple levels of approval required. Consider, for example, the approvals required before a large company pays £1 billion from its bank accounts to a third party.

The problem for auditors comes when there is collusion inside a company. When several senior personnel decide to conspire together to enter into fraudulent transactions or to falsify the company’s accounting to hide commercial losses, they are able to override any system of internal control.

How does an auditor discover that this is happening?

He or she may be presented with impeccably tidy accounting records, which are attested to not just by one individual but by all the senior management. Discovering the existence of such collusive management fraud is very challenging, and normal auditing procedures are generally not designed for this purpose.

Accordingly, for decades, auditors have attempted to educate the public to understand that routine auditing is not designed to identify collusive management fraud. While judges ruling on litigation against auditors are often understanding of the problems faced by auditors in such situations, the public in general is not.

This gap, between the expectations of the public and what auditors believe to be their role, is known as “the expectations gap.”

I recently decided that the only way to close this gap is to fundamentally redefine the purpose of auditing, if necessary by statute, to make it clear that auditors are required to identify collusive management fraud.

In the article, I also briefly covered the auditor’s responsibility in the case of “small scale fraud” and when it matters from the auditor’s perspective.

The article was first published in the October 2020 issue of “The Private Investor” which is the house magazine of the UK Shareholders’ Association. It was then reproduced with my permission on the website of the UK Individual Shareholders Society, ShareSoc. I am a member of both bodies.

You can read it below.

Changing auditors’ responsibility for detecting fraud

Mohammed Amin MBE FRSA MA FCA AMCT CTA(Fellow)
Editor's note: although Amin is a member of UKSA’s Policy Team, he is writing in a personal capacity.

After almost every major corporate reporting failure, arguments arise about the “expectations gap.” This is the gap between what shareholders, creditors, employees and journalists think that auditors should be doing, and what auditors consider they are actually required to do.

This expectations gap is particularly acute in cases where there has been fraud. The published financial statements have reported profits that were simply fictitious due to falsification of the accounting records. Quite often it is as basic as cash being reported on the balance sheet that simply does not exist.

Historically, the law has required much less of auditors than the public expect. Audit cases reach our courts surprisingly rarely, and one of the key cases dates back to 1896: Re: Kingston Cotton Mills Co. In that case, Lord Justice Lopes defined an auditor's duty of care as follows:

"It is the duty of an auditor to bring to bear on the work he has to perform that skill, care and caution which a reasonably careful, cautious auditor would use. What is reasonable skill, care and caution must depend on the particular circumstances of each case.

An auditor is not bound to be a detective, or, as was said, to approach his work with suspicion, or with a foregone conclusion that there is something wrong. He is a watchdog, not a bloodhound.

He is justified in believing tried servants of the company in whom confidence is placed by the company. He is entitled to assume that they are honest and rely upon their representations, provided he takes reasonable care."

While law and practice have developed somewhat since then, the changes have been insufficient to close the expectations gap.

I believe that the regulators need to set out the responsibilities of auditors much more explicitly.

Small scale fraud

Small scale fraud may be committed by junior staff (or sometimes by senior staff, but for small amounts of money, such as over-claimed expenses) and is immaterial (in the technical sense of that word) with regard to the figures in the published financial statements.

Auditors in my view should never spend any time looking for such fraud. The regulators should make it clear that they are not expected to.

Obviously, if they become aware of it, they should report it to the company’s senior management, but they should have no responsibility for external reporting unless something else gives it significance.

When small scale fraud should be reported to shareholders

For example, if the CEO, or indeed any other main board director, is falsifying his or her expenses, even by technically immaterial amounts, that casts doubt on whether he or she should continue as CEO or director, and the shareholders clearly need to know about that, if the auditors somehow happen to become aware of it, even though they were not looking for such small scale fraud.

Large-scale fraud

This is fraud of such magnitude that it has a material effect on the numbers in the financial statements and can indeed threaten the continued existence of the company.

As part of checking the control environment of the company, in my opinion auditors have always had the responsibility of seeing whether there are weaknesses in the control environment that could allow large-scale fraud to be perpetrated by a single individual. I believe that almost all auditors regard it as part of their responsibilities to assess the control systems to ensure that they adequately address this risk.

The most serious problem for auditors, and indeed for companies and their shareholders, is when large-scale fraud is perpetrated collusively by senior management. I have not attempted a historical survey, but my belief is that this accounts for almost all of the major fraud-related audit failures in financial history. (There are of course exceptions, such as the collapse of Barings Bank in 1995, which really do seem to be the responsibility of one rogue individual, albeit assisted by a lack of the internal control systems mentioned previously.)

Such collusive fraud can be very difficult to unravel.

As a partner in Price Waterhouse, I received a free hard copy of the investigation report by Lord Justice Bingham into the collapse of Bank of Commerce and Credit International (“BCCI”) and found it impossible to put it down until I had read every page; it was so well written. It showed just how much effort it took Price Waterhouse, over a period of about three years, to get to the bottom of what was happening in that bank due to the widespread collusion in fraud within BCCI.

To protect themselves against litigation risk, auditors always stress that it is not their responsibility to ferret out such large-scale collusive fraud. However, their messages are not put sufficiently clearly, which is where the expectations gap comes from.

Furthermore, shareholders in general believe that identifying such fraud is the responsibility of the auditor.

Changing the rules regarding large-scale collusive fraud

I consider that auditing standards should impose a categorical responsibility upon auditors to identify whether large-scale collusive management fraud is taking place.

This imposition will result in auditors significantly expanding the work that they undertake, since they would then have to take seriously the risk that most of the senior management personnel with whom they are interacting may be telling them lies.

Auditors would have to use additional technologies, such as electronic interrogation of 100% of transactions. This is already starting to happen anyway due to the greater use of artificial intelligence technologies.

Much more controversially, it would lead to auditors using other technologies, such as artificial intelligence, to identify lying in oral and written communications from clients, and could go as far as requiring CEOs to undertake a lie detector test (either a traditional polygraph, or perhaps new systems currently being developed which use AI to detect when a speaker may be lying) when giving assurances to auditors.

However, if we want auditing standards to be serious about addressing the risk of large-scale collusive management fraud, approaches such as those will need to become standard.

There would of course be a consequent increase in audit fees, but this does not need to be massive. Much more important is the need for a complete change in the trust relationship between the auditor and client personnel. What is needed is for the auditor to regard it as a default working assumption that most of the senior management at the client may be choosing to collusively lie to the auditor.


