As the probe into audit firms across the UK continues, the fresh new face of Grant Thornton, David Dunckley, stated in front of committee members that "we're not looking for fraud". It’s a direct statement and there is no mincing of his words, but he continues on to state that the detection of fraud is an expectation gap between what clients think they receive, and what work is actually performed.
I personally admire the directness of David's comments and agree that a financial statement audit only helps show that the accounts are reasonable and free from material misstatement. Furthermore, I agree that there is an expectation gap, and this is something we as auditors are solely accountable for; we should never have let this gap occur.
The statement made by David raises a very good question though. Who is ultimately responsible for the detection of fraud? Certainly, as both an internal auditor and financial statement auditor, consideration to fraud is always given throughout an audit, but never do we actively look for fraud. But should we be expected to? A Partner once told me that you should never look for fraud as it may not even exist. You cannot find something if it’s not there to begin with.
As a financial statement auditor, we would consider what controls were in place and review the design and implementation of the control. Testing would then be performed to understand the operating effectiveness of the control. As part of this, we would consider the potential for fraud to be committed, but we would never check to see if there was fraud. Again, how would you check this, if fraud doesn’t exist?
Roger Darvall-Stevens, Director and national head of Fraud & Forensic Services at RSM Australia mentions in an interview with CPA’s “In the Black” magazine that
“One component of the external audit process is to assess the risk of material fraud and be aware of the potential for it, then take that into account when designing, planning and undertaking an external audit. Testing for fraud risk usually means a multi-million dollar threshold, not transactional, smaller dollar-sized immaterial frauds or multiple fraud methods by a single fraudster”.
The scope to do a full scale review for fraud during an external audit simply does not exist.
The conclusion for our testing during an external audit would often include a yes / no checkbox to the question “Does the opportunity for fraud exist?”. It’s a somewhat redundant question as there is always the opportunity to commit fraud. When there’s a will, there is a way; but just because the control is designed and implemented well, does not mean the opportunity to commit fraud has subsided.
Further, as part of our audit procedures, we would complete a ‘fraud checklist’. Various levels of management would be asked questions such as “have you noticed any other team members going on luxury holidays, purchasing items they would not previously have purchased, and what areas of the business do you think are susceptible to fraud?”. Never, as a financial statement auditor, did these questions yield any positive results for fraud, but nonetheless, they always gave a good laugh and helped pinpoint people that might be going through a midlife crisis.
Throughout my time as a financial statement auditor, I have come across instances of fraud, but this was only through having open and honest relationships with the client. One involved a system change during the year, and when retrospectively reviewing the controls, we noticed a gap, where the client informed us that the gap did result in fraud. The offending team member was then put on leave without pay pending an investigation. At the time of the audit, the controls were fine, but the honesty of the client helped us to identify this. Another time fraud was identified was simply through reviewing expense transactions. Whilst approval controls were in place, the approver was blindly hitting the ‘approve’ button, effectively allowing another team member to buy a fridge and TV for their house. Whilst we identified the issue, was it actually our issue to detect in the first instance?
As an internal auditor, detecting fraud is not necessarily as rigorous. Again, consideration is given to controls, their operating effectiveness, and general business operating risks. A focus is also placed on awareness and encouraging team members to report suspicious activity or when they think fraud may be occurring. Responsibility for the detection of fraud is almost dispersed across the organisation, with no set team or individual solely responsible for the identification or reporting of fraud.
So, who is responsible for detecting fraud?
At present, everyone has a part to play, but nobody has full responsibility.
I personally do not believe it is the responsibility of the financial statement auditor, however the financial statement auditor must make this fact clearer. I also do not think it is the responsibility of Internal Audit, although I do believe there needs to be more work performed by Internal Audit to better detect fraud, or identify increased risks where fraud may be likely to occur.
Ultimately, I believe the onus and responsibility falls to management. Management are responsible for setting KPIs, which can influence or encourage people to commit fraud. Management is responsible for ensuring controls are designed and implemented appropriately. Management should also be actively monitoring the effectiveness of controls and updating as necessary. Internal Audit is merely there to review and provide assurance. Not detect fraud.
Management cannot continue to diminish responsibility for fraud and pass blame to other external assurance providers whenever fraud occurs. Management needs to take more accountability for the management and operations for their business.
Whilst everyone can improve in how we manage, detect, and respond to fraud, it is management who I believe have to take more accountability, and management should leverage off the skills of both internal and external audit, but not become reliant on internal and external audit.