PCAOB Says Auditors Should Sharpen Fraud Detection
The report emphasizes that one of the key purposes of the audit, and an important point of concern of the PCAOB, is to “detect material misrepresentations caused by fraud.” The report reviews at considerable length the steps that auditors should be taking in planning and performing the audit to test for the possibility of fraud.
Among the more interesting discussion points is the PCAOB’s concern, based on its recurring inspection observations, that some audit teams are not designing their audit procedures based on an audit team “brainstorming session” to identify possible company-specific fraudulent practices. Essentially, the auditors are required to put themselves in the shoes of the would-be fraudsters, and imagine how they might go about defrauding the company, so that the auditors can then design tests to see if any of these things are actually happening. The report identifies a number of other procedural and substantive shortcomings that the PCAOB has observed (for example, failing to test for the possibility that management is overriding financial controls), but the failure to design audit tests based on company-specific fraud-imagination brainstorming is one of several apparently serious concerns.
Consistent with the PCAOB’s prior practices and statutory constraints, the PCAOB does not identify the auditors or audits on which its observations are based. As The D & O Diary has previously observed (here), the PCAOB could (and arguably should), consistent with its statutory constraints, provide numerical information that would afford greater insight into how serious these problems are. For example, in connection with how many audit inspections were these concerns noted? On what percentage of the PCAOB’s inspections did these kinds of concerns arise? And, even more specifically, were there any inspections on which these concerns were noted where fraud was later found to have occurred but was not detected by the auditors? Without this kind of information, it is basically impossible to assess how serious these concerns are, and whether or not there might be fraud (and if so, how much) that is going undetected by the auditors. That said, the PCAOB is to be commended for compiling the observations and issuing the release, as it undoubtedly will have the salutary effect of focusing auditors' attention on the need for targeted fraud detection procedures.
Hat tip to the AAO Weblog (here) for the link to the PCAOB release.
To Catch a Thief?: Anyone who doubts the need for creative application of audit procedures actively designed to detect fraud may want to read the story (here) from the front page of today’s Cleveland Plain Dealer. This story might not have made the national press but here in snowy Cleveland it is pretty big news. According to the story, the former head of the international lending unit of KeyCorp will plead guilty to embezzling $40 million from the bank over the course of 9 years.
The official fabricated loans in the name of real European banks and then took the money himself. He used subsequent loans to cover earlier loans. He got caught when he used one of the European lines of credit to pay his personal credit card bill, and it came to the attention of another bank employee. (Coincidentally, the WSJ.com Law Blog has an account, here, of a separate embezzlement scam involving the former NBC Treasurer that was also detected because the bad guy used the embezzled funds to pay a personal credit card bill.)
According to the news report, the KeyCorp embezzlement scheme escalated in 2004 when the official developed a relationship with a younger woman he met while traveling, for whom he purchased multi-million dollar homes and a 12-carat engagement ring. (The official was married to another woman at the time; unsurprisingly, they divorced after the embezzlement and the use of the embezzled funds came to light.)
Auditors who want to jumpstart their brainstorming session about possible fraud may want to contemplate the apparent ease with which this individual evaded detection for 9 years and scammed his (publicly traded) employer.