How Audits Must Change
Auditors face more pressure to find fraud.
Kris Frieswick, CFO Magazine
July 01, 2003
Auditors have been on the defensive since Arthur Andersen LLP was shut down in the wake of
the Enron scan-dal. But by this point, with the massive accounting fraud revealed at healthcare behemoth HealthSouth Corp., all the remaining Big Four have been tarnished. Today,
auditors are fighting a battle on two fronts. On one, they must defend their battered integrity
— their very stock in trade. On the other, they are challenged to explain why they should not
be expected to find accounting fraud — although they have long maintained that they can't.
They are faltering on both fronts. "I've never seen a time when auditor credibility has been
called into question the way it is now," says Chuck Landes, director of the audit and attest
standards team at the American Institute of Certified Public Accountants (AICPA). And with
audit-malpractice settlements hitting all-time highs, the courts are making it clear that they do
expect auditors to find fraud, regardless of the profession's insistence to the contrary.
Shaken by the Andersen example, Section 404 of the Sarbanes-Oxley Act of 2002, and the
size of the settlements, accounting firms are changing the way audits are conducted. One
auditor, PricewaterhouseCoopers, has broken with the pack and stated publicly that auditors
must accept more responsibility for finding fraud.
But by and large, accountants still maintain that if a company wants to commit fraud, the
auditors can't catch it. Asked to define auditors' responsibility for detecting fraud, Timothy P.
Flynn, vice chair for audit and risk advisory services at KPMG LLP, responds by quoting from
the AICPA's 1997 statement on the matter, SAS No. 82: "to plan and perform the audit to
obtain reasonable assurance about whether the financial statements are free of material
misstatement, whether caused by error or fraud." It's unreasonable, in other words, to expect
auditors to detect any and all fraud.
Many financial executives agree. And proposed changes to auditing practices will encounter an
especially well funded and inhospitable political environment. Nonetheless, with the cost of
corporate fraud estimated at $600 billion annually — according to the Association of Certified
Fraud Examiners — pressure on auditors to reduce this number is going to intensify.
Deja Vu
Sarbanes-Oxley doesn't mark the first attempt to improve the audit process. During the
1970s, '80s, and '90s, a series of commissions — the Cohen Commission in 1978, the
Treadway Commission in 1987, the Jenkins Committee in 1994, the Committee of Sponsoring
Organizations in 1999, and the Panel on Audit Effectiveness of the Public Oversight Board, or
POB in 2000 — issued reports recommending changes. Through the AICPA, the profession
vowed to change, and approved new audit-standards language creating more audit-design
procedures, tests of controls, and interpretations of accounting standards.
Notably absent were recommendations to view client financial statements skeptically and
conduct audits accordingly. Not until 1988 was any AICPA auditing standard written using the
word fraud, and not until 2002, when SAS No. 99 was issued, did the institute directly state
that auditors should not assume that a client's management is honestly reporting results.
The POB's 2000 Panel on Audit Effectiveness, considered the most comprehensive study of the
profession ever done, called for auditors to use forensic techniques in every audit, assume the
possibility of management dishonesty, and incorporate an element of surprise into audits.
After spending two years in committee at the AICPA, the suggestions finally emerged in muchwatered-down form as SAS No. 99. For instance, the strongly worded POB report called for
auditors to "modify the otherwise neutral concept of professional skepticism and presume the
possibility of dishonesty at various levels of management including collusion, override of
internal control, and falsification of documents." It recommends a forensic/fieldwork phase
during every audit of a public company. SAS No. 99, in contrast, focuses more on risk
assessment than on forensic procedures. "The AICPA was happy with the way things were,"
says Arthur Bowman, editor of Bowman's Accounting Report.
The New Sheriff In Town
The AICPA's reluctance to make dramatic changes may explain why Congress transferred
responsibility for setting standards to the PCAOB. The board's newly named chief auditor,
Douglas Carmichael, who has gone from writing audit standards to testifying as an expert
witness against audit firms, calls current auditing standards "a lot of explanation about what
an auditor does or might do, and very little about what he is required to do."
Carmichael's appointment to the PCAOB has been applauded by a variety of observers.
Industry critics love him because they believe he will be less influenced by both corporate
finance executives looking to hold down costs and by the industry itself.
Frank Borelli, former CFO of Marsh & McLennan Cos. and chairman of the Express Scripts Inc.
audit committee, lauds the appointment as well. "Carmichael is going to make a difference,"
he says. "I'm glad to see they appointed someone with that kind of vigilance. That's the only
way we're going to see if auditors are doing what we want them to do."
The fundamental question is: What do we want them to do? What is the point of an audit?
Auditors and companies contend that the purpose of an audit is to back up a company's
contention that its numbers are "reliable." "An audit is a test of a company's records that
backs up the company's representation of the company results," says Greg Weaver, national
managing partner for assurance at Deloitte Touche Tohmatsu. "We're doing a test of
assertions."
But can auditors be sure results are reliable without testing for fraud? Auditors say it's not that
they don't want to catch fraud, but since it's impossible to catch it 100 percent of the time,
they shouldn't be held responsible if they miss it. "We get it right 98 percent of the time," says
Weaver. "But to do 100 percent verification, you'd basically be recreating the records. There's
no way that anyone could do that at a cost the public would consider acceptable."
History of a Profession
Historically, accounting has been considered a highly professional and trustworthy profession.
Firms have always trained new accountants in the audit function, but with keen oversight from
senior partners who saw their firm's integrity riding on every engagement.
At the same time, auditors have always called their customers "clients," and have worked hard
to cultivate them. Partners routinely entertained clients two to three nights a week, and not
uncommonly moved on to work in their clients' firms. But the inherent conflicts of these
relationships were kept in check by the firm's commitment to professionalism.
All that changed as consulting services grew, spurred on by increased IT consulting work in
the late 1970s and early '80s. By the mid-'80s, the AICPA had lifted its ban on advertising.
Revenue generation became the foundation on which the partners' compensation was based.
Revenues for management consulting in early 1999 accounted for more than 50 percent of the
Big Five's revenue stream as a whole.
The audit function itself became a commodity service — a loss leader accounting firms offered
in conjunction with vastly more lucrative consulting fees. As they competed more aggressively
on price, they were forced to shrink the number of procedures performed for the audit.
Auditors claim these reductions didn't harm audit quality, but it often meant they used
increasingly computer-based test controls and statistical models, and fewer of the basic, time-
consuming auditing practices that could increase the likelihood of finding fraud — site visits to
multiple locations, observation of assets, or random sampling at nonmaterial levels.
In addition, junior auditors were often assigned the crucial oversight roles usually filled by
senior partners, who were increasingly busy selling to prospective clients. "A lot of the audit
changes were [prompted by] competitive proposals based on pricing decisions by
management," says Ellen Masterson, global head of audit methodology at PwC and point
person for the firm's new antifraud auditing initiative, "and as a profession we allowed that to
happen."
Roster of Reforms
The Sarbanes-Oxley provisions that make the auditors report to the audit committee will
somewhat increase the distance between management and auditing firm. The act also places
far more responsibility for the integrity of the financial statements on audit-committee
members, who can be prosecuted by the Securities and Exchange Commission for fraudulently
influencing or misleading a company's auditors. "Uppermost in the [client management's]
mind was reducing the cost of the audit," says Masterson. "They pressured auditors to do the
minimum. Now, with the untold number of fraudulent activities by managers, the minimum is
not where we should be. We spent 15 years in a cost-pressured audit situation, and now we
have a lot more interest in quality audits by those who hire us — the audit committee."
With nervous audit committees calling the shots, and with a far-less-accommodating PCAOB
about to start dictating standards for auditors, accounting firms are seeing the writing on the
wall. PwC is going to implement a program involving the use of extended procedures
performed by fraud specialists at a subset of its audit engagements. "For so long we've said
we're not responsible for detection of fraud," says Masterson. "In the court of public opinion,
however, that's not holding true. We recognize that if the books and records don't reflect the
company's performance, it's our responsibility."
Here Masterson is bridging the semantic barrier between "detecting fraud" and "attesting to
reliable financial statements." While her peers might not go quite so far, they are taking the
initiative to add forensic (or investigative) capabilities to their audits. KPMG, for instance,
added more than 300 "forensic professionals," including some who trained at the Federal
Bureau of Investigation, who will take part in some routine audits. At one recent audit, KPMG
ran all the addresses of a client's vendors to see if any of them matched a list of rental post
office box addresses — a hallmark of a fictitious vendor. It found 17 addresses fitting that
description. The firm is also launching a pilot program to conduct due-diligence-type reviews
on certain audits.
Deloitte is comparing clients' financial results with those of their industry peers, and taking a
closer look at outliers. All the firms are adopting new software programs that will allow them
to more quickly run checks for duplicate addresses, duplicate employees, or statistical outliers
that may be red flags for fraudulent activity.
They all report spending much more time working with clients to meet the reporting standards
set out in Section 404 of Sarbanes-Oxley, which require companies to attest to the internal
controls they have in place to deter fraud. They are also dropping more high-risk companies
than in previous years, and are subjecting clients to closer scrutiny. In addition, they are
stressing the importance of management involvement in creating controls that inhibit fraud,
and they are fosterng an institutional intolerance for fraudulent behavior. CFOs report that
above all, auditors are becoming far more confrontational and less congenial in their audits.
Meanwhile, new auditor independence rules will remove many of the auditors' incentives to
use audit services as a loss leader and to reduce the number of audit procedures, or overlook
questionable accounting treatments. SAS No. 99 encourages auditors to be more skeptical,
vary materiality levels, and "start thinking like a fraudster," says Landes. The standard also
goes into great detail about how to structure a risk assessments to identify highest risk areas
at a client, and how to structure an audit to best catch material misstatement.
Shoe Leather and Gray Haire
While the new initiatives are impressive and may help catch more fraud, critics say that they
don't go quite far enough because there are still holes in basic audit methodology and
structure.
"If insiders are perpetrating fraud, I agree that it is almost impossible to find it," says Arthur
Bowman. "But if there's a general failure of audit firms, it's that the individual auditor is not
doing his or her job properly. We have too many rules, and we need to get back to principlesbased work. It comes down to individuals failing."
The most damaging failure is that many of the new forensic antifraud measures are targeted
at the employee level. According to a recent E&Y survey, although individuals on the company
payroll committed 85 percent of the worst frauds, more than half of those company insiders
were from the management level.
At the end of the day, management is sitll writing the check for the audit. Although the new
reporting lines mandated by Sarbanes-Oxley may ease this inherent conflict, it's not likely to
go away. Even though they are required to report to audit committees, auditors still spend
their days with management.
"It's not as if auditors are being managed directly day-to-day by the audit committee," says
Jay Morse, CFO of The Washington Post Co., who says he has seen an increase in auditor
scrutiny at his company. "Boards don't have time for that. Most directors don't have the
expertise. The audit committees will get more involved, but taking a strong managerial role
just won't happen."
Robert Halliday, CFO of Varian Semiconductor Equipment Associates Inc., in Gloucester,
Massachusetts, thinks auditors can't be skeptical if they don't understand what they're looking
at. "They have so much mechanical work — no one stands back, thinks about it, and asks,
'Does all this make sense?'" he says. "But auditors can only do that if they have experience or
if they know the industry. Gray hair is helpful."
Under cost pressure, firms put less-senior auditors in charge of tasks more suitable for
experienced auditors. "When people say that audit quality has decreased, that's what they're
talking about — less-experienced people," says Frank Borelli. "We have to have specialist
auditors who know the industry from a high level of experience, and these are the people who
should be supervising the audits instead of selling new business."
Deloitte says it is reviewing its staffing plans for audits, and it now requires two audit-partner
reviews for particularly risky engagements. "Every audit is different, and we have to make
sure we have the right level of people on the audit," says Weaver at Deloitte. "There's no
substitute for experienced people."
Carmichael faults auditors for failing to aggressively implement recommendations in the 2000
POB report that call for more "tests of details" instead of relying so heavily on tests of
controls. "Audit firms seem to find ways not to go out to locations, and to do less of the type
of work that involves actually counting things, observing physical inventory, doing test
counts," he says. "It's required, but when a company has multiple locations, it gets
complicated." But this has been a concern for some time. When auditors do test transactions,
they frequently only sample above a certain dollar amount, he says, and are too predictable in
their approach, "which is a problem more often than I'd like to see."
Audit firms contend they have always conducted the "shoe-leather work" that is a foundation
of the audit process, but some CFOs disagree. "I suspect that in an effort to hold down fees
and make the auditing profession more attractive to young people," says Morse, "they've cut
out a lot of that type of grunt work. It's not very appealing, but at some point you have to
ask: Did anyone on the audit engagement do anything substantive?"
The Reporting Problem
Some critics of the state of auditing don't blame the auditors as much as the financial
reporting that they have to work with. Walter P. Schuetze, former SEC chief accountant and
chairman of two audit committees, says that as long as management is allowed to estimate so
much of a financial statement, auditors' hands will be tied. "The way accounting rules are
written, management has control of the numbers," says Schuetze. "Auditors have no traction
to change the numbers."
He advocates fair-value accounting for all assets and liabilities, thus ensuring that a third party
is involved in evaluating the market, not historical, value. With third-party involvement,
overstating assets à la HealthSouth would be much more difficult, because someone would
verify each item. Barring that change, he adds, auditors must be more diligent in seeking
underlying evidence to prove the existence of assets and liabilities "instead of just accepting a
copy of an invoice. We need to require evidence," insists Schuetze. "There's a difference
between evidence and hearsay. If auditors presented a court of law with a lot of the backup
material that they base their findings on, they'd get thrown out because it's all hearsay."
"Peekaboo" Takes Charge
PCAOB personnel will now take over the peer-review process once administered by the AICPA,
says Carmichael. "There's obviously a need for better training," he says. "For our inspections,
we'll come in and select audit engagements to review, and we'll see whether there's
conformity to standards. We'll be able to tell if they should be giving their people better
training and if they're getting the basics right."
Even auditors seem pleased that the PCAOB has taken over standards setting. They see an
opportunity for the board to mandate a clearly defined "bright line" minimum for the basic
audit work that is now recognized as crucial in finding fraud, but that often gets pared back by
auditors' cost concerns. Deloitte's Weaver states the obvious: "I don't think there's any
objection by us to doing more-expansive audits. But it needs to be an obligation that is
established by the PCAOB. Mr. Carmichael can have a significant influence on what those
standards are and apply them consistently across all companies. Then we'll have an obligation
that we must meet, and companies will have to pay for it."
Talk like that makes CFOs nervous, especially in light of the increased compliance costs
associated with Sarbanes-Oxley. Auditors will already have to do more extensive work
because of Section 404 of the act (which requires auditors to review and sign off on
management's attestation of internal controls, and is expected to bump audit fees by 35
percent, according to a recent study by Financial Executives International). But CFOs are
justifiably concerned that if the PCAOB mandates a more expansive "standard minimum" audit
for all companies, it would give auditors carte blanche to charge more for a level of audit
quality that they should have been providing all along. "If auditors ask for a massive fee
increase, you have to ask, what are you going to be doing differently now that you weren't
doing before?" says Bob Agate, former CFO of Colgate-Palmolive and chairman of the audit
committee at The Timberland Co.
For its part, the AICPA has publicly stated that it embraces the work of the new oversight
board, and that "it doesn't matter who comes up with the better mousetrap," says Landes.
Despite statements to the contrary, the AICPA is not making the transition easy. Even after
the PCAOB was given authority to set all future audit standards, the AICPA issued an exposure
draft for new rules on implementation of Section 404, eliciting a stern rebuke from the SEC,
which reminded the association that it was no longer responsible for auditing standards.
The most ironic element of the transition is that the AICPA holds the copyright for all of the
auditing standards it has drafted since it began issuing them 60-plus years ago. Until the
PCAOB writes its own standards, it must use the ones the AICPA wrote, and some reports
indicate that the AICPA is trying to charge the board a fee for their use. Landes wouldn't
comment on the allegation, saying only that "we want to find a satisfactory arrangement that
will allow the PCAOB to do the work that is before it. But we're also cognizant of our members'
interests and the assets of the AICPA." Critics say that perhaps that was the root of the
problem all along.
Sidebar: Dissecting HealthSouth
According to the complaint filed by the Securities and Exchange Commission in U.S. District
Court for the Northern District of Alabama against health-care provider HealthSouth Corp. and
its former CEO, Richard Scrushy, the company orchestrated a scheme to overstate earnings in
order to hit analyst estimates — a scheme concocted in a way to avoid detection by its
auditors, Ernst & Young LLP. Between 1999 and the second quarter of 2002, the company
overstated income by $1.4 billion by making false journal entries overestimating the amount
of third-party insurance reimbursement, and by decreasing expenses.
The firm used the auditor's own processes against it to perpetrate the fraud, according to the
complaint. Executives increased earnings not by boosting revenues directly, which auditors
would have been more likely to find, but by reducing a revenue-allowance account that was
used to record the difference between gross billings and reimbursement amounts expected
from third-party payers. This account, which would then be netted against revenues, has a
limited paper trail and is based largely on estimates, and the amounts booked to the account
are more difficult to verify. And because HealthSouth executives knew that E&Y did not
question fixed-asset additions below a certain dollar threshold, it made random entries to its
balance-sheet accounts for fictitious assets worth less than that amount. Senior accounting
personnel created false documents to support asset purchases. In this way, the company
allegedly overstated property, plant, and equipment by more than $800 million. It also
overstated cash accounts by $300 million.
So far, 11 executives, including all five former CFOs, have pleaded guilty to participating in the
fraud, which prosecutors believe had gone on since 1986. Scrushy continues to maintain his
innocence.
Trouble Enough For All
Fraud cases hit every big-time auditor.
Auditor
Case
Andersen
Enron
Ernst & Young
Global Settlement with
RTC/FDIC
Ernst & Young
Cendant
Deloitte & Touche
Global Settlement with
RTC/FDIC
Andersen
Baptist Foundation
Ernst & Young
Merry-go-round
Price Waterhouse
BCCI
Coopers & Lybrand
Barings Bank
KPMG
Rite Aid
Ernst & Young
AIB Group
Anderson
Sunbeam
Coopers & Lybrand
Maxwell Communications
KPMG
Tricontinental
Ernst & Young
Depco
Andersen
Colonial Realty
Andersen
Waste Management
KPMG
Orange County
KPMG
Oxford Health Plans
Source: AccountingMalpractice.com
© CFO Publishing Corporation 2003. All rights reserved.