Auditors face a lot of criticism from regulators, lawmakers and the press. Even auditors themselves admit there are problems in the industry. In our view, however, some criticism is unfair because it fails to recognize the limitations of the audit process.
By necessity, audits are highly structured and performed in painstaking detail. These characteristics, so necessary for checking the veracity of accounts, mean that auditors can get lost in detail, missing the forest for the trees when it comes to fraud detection.
Anyone who has sat through an audit will know that auditors do indeed find problems. When found, companies typically attribute misstatements to human error and they are generally corrected. If management is truly fraudulent, however, they will correct the error and take steps to ensure that similar errors are not found, perhaps by inventing the necessary paperwork.
Typically, the more fraudulent the company, the more complex the accounts, and auditors have limited time to explore this crawl space. While the presence of external auditors undoubtedly deters a significant amount of securities fraud, the reality is that fraudulent activities can be difficult to spot when checking transactions in a piecemeal fashion.
Finding fraud in an audit is like having three hours to solve a 5,000-piece jigsaw puzzle without knowing what the final picture looks like.
Finding fraud in an audit is like having three hours to solve a 5,000-piece jigsaw puzzle without knowing what the final picture looks like.
The key to improving audit quality is to give auditors the tools to better see the bigger picture. These tools exist. Most companies have whistleblower programs, as does the SEC and other regulators. How much better if auditors had access to this information before undertaking an audit.
Fraud detection software, such as that provided by Transparently.AI, can inform auditors about the overall quality of a company’s accounts and can identify areas requiring special attention. With the advent of big data, crime analytics software can map potentially criminal activity. These tools can greatly enhance the big picture view of auditors and they become more powerful each year.
To date, attempts to improve audit quality have relied on changing audit standards on regulation. Each change in the standards has added to the obligations of the auditor and added new processes to be followed.
While undoubtedly important, increased regulation adds to the number of pieces in the puzzle that the auditor must solve. It does not help auditors see the bigger picture. For this reason, regulation alone will not improve audit quality. The solution demands a holistic approach which weighs the costs and benefits of different approaches to improving audit quality, addresses the incentive structure facing auditors and other economic agents, and encourages novel approaches to help auditors see the bigger picture.
A recent article in the FT, “Why don’t auditors find fraud?” provides an example of the unfair criticism directed at auditors. The article is based on the 2024 Report on Occupational Fraud by The Association of Certified Fraud Examiners (ACFE) and laments that auditors uncovered just 3% of occupational fraud in this survey.
The article is unfair because the ACFE report employs a survey method that cannot be generalised to assess auditor performance, because the survey grossly under-represents financial statement fraud, and because few of the asset misappropriation cases in the report would have been considered material by the auditors of public companies at the time the survey was taken.
The report is based on 1,921 cases of occupational fraud across 138 countries. Of these cases, 48% involved corruption. While relevant in frontier economies, corruption is hardly the primary concern of auditors in developed economies.
Furthermore, 89% of the cases in the survey involved asset misappropriation, while only 5% involved financial statement fraud. Since about one in 10 public companies are thought to engage in securities fraud, financial statement fraud is likely grossly under-represented in the survey. Since auditors focus on financial statement fraud, this disadvantages them in the results.
The median loss from asset misappropriation in the ACFE report was $120,000. If we apply the 1% threshold for asset materiality that applied at the time of the survey, this median loss was only material for companies with assets less than $12 million.
If the losses were normally distributed, more than 98% of the misappropriation cases in the survey would not have been material for companies with assets of more than $24 million. In other words, most of the fraud covered in the ACFE report would not have been relevant to auditors until the definition of materiality changed in February 2024.
Of the 3% of fraud uncovered by auditors in the ACFE report, we suspect virtually all involved financial statement fraud because this is what auditors are trained to detect. This simplistic interpretation would suggest that auditors found more than half of the cases involving financial statement fraud.
If so, we’d say “well done,” because financial statement fraud is exceptionally expensive to prove. Those who disagree should try holding their breath until the Wirecard case is resolved. Whereas an audit cycle lasts about three months, investigations to demonstrate guilt by the SEC and other regulators typically run for years and rarely end in conviction or formal acceptance of guilt.
While the ACFE report is an unfair benchmark against which to assess audit quality, the fact remains that virtually everyone shares concern about the dearth of serious fraud exposed by auditors.
Part of the difficulty with assessing audit quality is that audit standards have moved. Moreover, with the advent of whistleblower programs, more fraud is being discovered by companies and regulators. This makes auditors look bad but doesn’t necessarily mean audit quality has fallen.
Audit standards have moved because, as noted, many see audit quality as essentially a regulatory problem. Change the rules to solve the problem.
Prior to 2009, auditors were responsible for obtaining reasonable assurance that financial statements were free from material misstatement, whether due to fraud or error. The materiality threshold was traditionally set at between 0.5% and 1.0% of sales or expenses, between 1% and 2% of assets or 5% to 10% of net profit. So, for example, in a company with sales of $5 billion, the threshold of materiality in sales or expenses might be between $25 million and $50 million; quite a high bar.
Audit standards have moved because many see audit quality as essentially a regulatory problem. Change the rules to solve the problem.
In December 2009, the introduction of the International Standard on Auditing (ISA) 240 tasked auditors to assess the risk of material misstatement due to fraud, to design audit procedures to detect fraud, and to communicate any identified fraud to those charged with governance. ISA 240 reflected broader efforts to address fraud risks in the wake of Enron and the numerous financial scandals of the prior decade.
Auditor obligations under ISA 240 were further broadened in July 2017, when the International Ethics Standards Board for Accountants (IESBA) introduced the so-called NOCLAR obligations. NOCLAR refers to non-compliance with laws and regulations. Under NOCLAR, auditors have an obligation to uncover breaches relating to fraud, corruption, money laundering, securities markets, and public health and safety.
Regulators and the various accounting supervisory bodies expected a substantial increase in fraud discovery by auditors in the wake of the introduction of ISA 240 and NOCLAR. When fraud discovery failed to improve, the International Auditing and Assurance Standards Board (IAASB) launched an investigation to uncover the reasons.
The solution, as before, will be to impose stricter obligations on auditors.
On February 6, 2024, the International Auditing and Assurance Standards Board (IAASB) announced a revision to ISA 240, further strengthening auditor duties regarding uncovering fraud.
Most importantly, the definition of materiality was changed. Misstatements, whether due to fraud, error or omission, are now considered to be material if “there is a substantial likelihood that, individually or in the aggregate, they would influence the judgement made by a reasonable user based on the financial statements.”
As with NOCLAR, the new definition of materiality will have major ramifications. Under the new definition, a misstatement must be judged as material if it induces just one investor to sell or buy a company.
The difficulty with this definition is that investors lie on a spectrum. Along this spectrum, the marginal investor is indifferent between holding the stock or selling. Even the slightest event, such as a minor misstatement, will change the marginal attractiveness of an investment causing the marginal investor to sell or buy the stock.
Under the new definition of materiality, auditors are potentially on the hook for absolutely everything...
Mathematically, everything is material for the marginal investor. Thus, under the new definition of materiality, auditors are potentially on the hook for absolutely everything from an economic and hence a legal perspective.
As a consequence of this new definition of materiality, auditors will need to dive into even smaller transactions, potentially getting even more lost in the detail.
To be sure, the governing bodies that set audit standards are aware of the problems we have discussed and are moving to address these issues.
On 23 April, 2024, the IAASB announced seven proposed changes to the ISA 240. The most important is item 1, which aims to ”set a clear and affirmative description of the auditor’s responsibilities relating to fraud in an audit of financial statements and to reduce the ambiguity between the inherent limitations of an audit and the auditor’s responsibilities by decoupling the two concepts.”
It remains to be seen what “decoupling” will mean if the proposals are accepted in June. Presumably it means that auditors will have to produce two types of audit statements, one for the accounts and one for fraud.
The inherent limitations of an audit alluded to in Item 1 include the limitation we already discussed plus the fact that a traditional financial statement audit is not designed to detect the additional kinds of fraud envisioned under NOCLAR.
Auditors are trained to verify transactions and to look for the five kinds of securities fraud: premature revenue recognition, fictitious sales, inflated asset values, timing mismatches, and the concealment of liabilities and other obligations.
Finding other kinds of fraud will require a different skill set, different tools and enhanced access to different information. At a bare minimum, auditors should have access to information from whistleblower programs and we think they should be using advanced software solutions.
One important “limitation” impacting an audit is the quality of the practitioners performing it.
One important “limitation” impacting an audit is the quality of the practitioners performing it. Once considered the pinnacle of the accounting profession and a highly prized career path, the UK head of PwC recently noted that audit had become unattractive to recruits and it was increasingly difficult to retain skilled practitioners.
We don’t doubt it: Widespread criticism has diminished the status of the profession; regulatory changes have added to an already onerous workload, especially for new joiners; and liability risk from fines and litigation has risen exponentially. Litigation risk should rise even more as a consequence of the changed definition of materiality.
If the quality of human capital engaged in the audit profession has fallen, this could be a key reason for declining audit quality.
Audit quality is an economic problem and needs an economic solution. As the primary gatekeeper, auditors are fighting with one hand behind their backs by not having access to whistleblower information. The technology exists to allow such information to be securely shared, so that auditors can work alongside regulators.
In addition to defining responsibilities the governing bodies need to ask other questions: What is the optimal level of fraud from a cost-benefit perspective? What is the most efficient way to fight fraud? How should the various players, including auditors, be incentivised to uncover fraud? Should companies be allowed to choose their auditor or should auditors be assigned, especially to companies that are deemed high risk?
One major challenge for audit quality lies in the reality that smaller companies, far and away, are the main offenders when it comes to accounting fraud. However, the average audit fee paid by smaller US public companies in 2022 was just $533,000 versus $5.6 million for larger filers.
The latest ACFE report suggests that the median cost of financial statement fraud in 2023 was $766,000. If we assume that 10% of companies engage in financial fraud, the median expected cost of financial statement fraud cost per company is $76,600.
We are far from confident in this number but, using it as an example, we can ask the following question: if an auditor were to spend an additional $76,600 per client, do we believe that 100% of financial statement fraud would be uncovered?
Audit quality, like any economic endeavour, is subject to diminishing returns.
The answer is an unequivocal “no,” because audit quality, like any economic endeavour, is subject to diminishing returns.
Herein lies the problem with relying on regulation alone to improve audit quality: This approach, however much it improves audit quality, might not uncover more fraud because it is pushing against a wall of diminishing returns. This is why new means of assessing financial account quality should be explored.
Not to bang the drum too hard, but AI software can provide an independent and unbiased assessment of financial statement quality. If corroborated by whistleblower data, then auditors will have a solid bone to chew. High-risk companies, as perhaps verified by the government regulator, should pay considerably more for an audit than low-risk companies and should lose discretion over their choice of auditor, thus providing incentive for auditors to uncover more fraud.
This, combined with more rigid audit standards, might be the easiest way to protect investors from loss and auditors from litigation.