Fraud and audit - the choices for society
Introduction
The Association of Chartered Certified Accountants (ACCA) is pleased to have this opportunity to comment on the Consultation Paper concerning the role of auditors with respect to fraud.
Executive Summary
- The Consultation Paper is concerned mainly with fraud in relation to listed companies. The issue of fraud and the smaller company needs to be addressed. There is pressure to reduce burdens on business by reducing the amount of regulation for small companies - this may make them an increasingly attractive vehicle for organised crime. Fraud committed by or on smaller entities can have a serious impact on the parties with which they do business, and in aggregate may cause as much economic damage as individual, high profile frauds.
- Management must take a more positive and responsible role in combating fraud. This means that management in all entities should ensure that appropriate internal controls are in place to prevent and detect fraud. In larger entities, adequate resources should be committed to internal audit to provide it with the necessary skills and tools to contribute to fraud prevention, as well as assisting in the identification of frauds which occur.
- In all the examples of frauds given in appendix 1 of the Consultation Paper, the perpetrators were at the highest level of the organisations concerned. We recommend that sanctions against senior executives who commit fraud, or mislead auditors, should be much more severe than is currently the case.
- ACCA considers that auditors must exercise professional scepticism if they are to maximise the possibility of their detecting fraud which has occurred. We recommend that consideration be given to introducing into Auditing Practices Board (APB) Standards some of the principles and procedures contained in the American Statement on Auditing Standards (US SAS) 82. The essence of these procedures is to instil greater discipline and formality into consideration of the risk of fraud at every stage of the audit.
- We consider that the elements of US SAS 82 can be applied in the audit of every size of entity. The extent of the documentation needed will vary, but the principles are the same irrespective of the size of entity being audited.
1.1 The APB Consultation Paper uses information derived from a review of recent major frauds, and so naturally its perspective on the main issues related to fraud and the audit is very much the impact on listed companies and the market in which they operate. We consider that the relevance of fraud to every size of organisation needs to be recognised. Even though the nature of the fraud and motivation may differ between different sizes of organisation (for example, in listed companies increasing pressure may drive management to misstate the financial statements, whereas in smaller entities there may be a wish on the part of the owners to avoid tax), if a fraud has a material impact on the financial statements it should be a matter of concern for the statutory auditor.
1.2 There are several matters which are particularly relevant for the auditor of small entities:
- lack of internal audit function;
- lack of formal reporting structure (audit committees and/or non-executive directors); and
- lack of relevant case studies - the examples in Appendix 1 to the APB paper are all large, high profile cases with which the small practitioner will not identify.
1.3 We recommend strongly that the Board's consideration of the role of external audit in relation to fraud be extended to cover non-listed companies. An issue which should be considered is whether there is a qualitative difference between fraud in or on small companies and that involving listed companies, so that a different audit approach needs to be adopted in this respect.
1.4 Reporting fraud or suspicions of fraud can be problematic in relation to non-listed entities where there is less formal support for the statutory auditor. Small companies, for example, are unlikely to have audit committees or non-executive directors with whom the matter may properly be raised, yet the case may not be clear cut enough for the auditor to report to third parties representing 'the proper authority' as envisaged in paragraphs 49 to 61 of SAS 110. The problem is even more acute where the entity is not operating in a regulated sector. There may be a role for individual professional bodies to develop practical guidance or give other help to members who suspect that fraud may have been perpetrated by the owner-manager of an audit client.
2. Building internal defences against fraud
2.1 It must be recognised that the external auditors may be perceived as the last line of defence against fraud, whereas in reality they are the people with the most limited scope, in terms of time and remit. Auditors have no responsibility to prevent fraud. So far as detection of fraud is concerned, however, SAS 110, Fraud and error, states that "Auditors should plan and perform their audit procedures and evaluate and report the results thereof, recognising that fraud or error may materially affect the financial statements". It follows that, if the financial effect of a fraud is below the level set for audit materiality, or if the fraud is of a nature which does not have a direct impact on the financial statements (such as share price manipulation combined with insider dealing), the auditor will be very unlikely to find the fraud through normal audit procedures.
2.2 Efforts in larger entities should be concentrated on strengthening internal controls and encouraging an effective internal audit function. To be effective, internal audit must have the resources, status and organisational independence to investigate all evidence of fraud, as well as testing the security of operations where a risk of fraud has been identified. Internal controls must be designed to protect assets and ensure the integrity of the accounting records.
2.3 Management must take a more positive and responsible role in relation to fraud. All except the smallest entities, with few employees, should have a clear, formal policy for preventing fraud within the organisation and this should be made known to all staff. One aspect of the policy should be the treatment of staff who are proved to have committed a fraud: irrespective of seniority or length of service, proven fraudsters should be prosecuted, and details of the prosecution published. Many companies are too lenient with the perpetrators of fraud, either because they consider that a prosecution would be expensive and time-consuming (and possibly risking a counter-claim of unfair dismissal or discrimination), or because they do not want the adverse publicity which might accrue from a court case.
2.4 There is a danger that an anti-fraud policy which concentrates on 'material' theft or malpractice will actually encourage fraud. In some organisations, there is tacit acceptance of a certain level of 'seepage' or minor misappropriation of company assets. We believe that there should be no tolerance of fraud and related malpractice by staff, however small the amounts involved, although as far as fraud by third parties is concerned, there may be a point at which the costs of prevention would be more than the amount of money which would have been lost through theft.
2.5 It is also the case that strong internal control and a clear anti-fraud policy provide the best defence: most criminals are deterred from attacking well defended targets, or from attacking any targets if they know there is a strong chance that they will be caught.
2.6 It has been suggested that external auditors bear an unfair proportion of the blame when a company is found to have been the subject of a fraud. Despite the fact that directors are legally responsible for safeguarding their companies' assets, and for the preparation of accounts which are free from material misstatement, it is often the auditors who are faced with large claims for damages. In the examples given by APB in Appendix 1 to the Consultation Paper, all the frauds or malpractice were perpetrated at the highest level of management. There should, therefore, be more severe sanctions against directors who abuse their position.
3. US SAS 82: Consideration of Fraud in a Financial Statement Audit
3.1 The tone of the Consultation Paper may be unduly pessimistic. There is possibly a tendency to say that the majority of frauds are undetectable simply because frauds have not been discovered - or have only been discovered by chance - in the past. We should try to improve professional scepticism on the part of external audit staff at all levels, and thus auditors' ability to detect frauds which have taken place.
3.2 It is not possible to engender a spirit of professional scepticism simply by issuing professional standards which require auditors to consider the possibility that fraud may have affected the financial statements of the enterprise being audited. But the disciplines required by US SAS 82 can encourage a more critical attitude. The risk factors listed as examples in paragraphs 16 to 25 of the SAS provide a useful reference point and many are universally relevant.
3.3 For a listed company, the documentation of the risk factors required by US SAS 82 may be extensive, and the assessment would have to be carried out by senior staff, but the additional time and cost is likely to be small in relation to the total audit fee, and the work could pay dividends. In the case of a smaller company, the documentation could be much simpler, and it might be possible to develop a checklist tailored to the circumstances of each client to reduce the amount of time spent on this aspect of planning and recording the assignment.
3.4 Similarly, a requirement for the auditor to consider whether misstatements found in the course of detailed testing are the result of error or fraud is sensible. Staff do need to test whether or not the explanation of an apparent error may be accepted at face value, and the US SAS gives useful guidance on this point.
B Comments on issues raised specifically by APB
B1. Do you think this paper summarises the main issues related to fraud and the audit? If not, what other factors should APB take into account?
1.1 The paper provides a very useful summary. As we have stated in our general comments, however, we consider that more attention should be given to the question of fraud in relation to smaller entities.
1.2 Another issue which could usefully be considered is the role of audit committees. The effectiveness of audit committees has been called into question in the US recently because of the number of public companies reporting material financial misstatements due to officers' misfeasance. It is argued that the widespread occurrence of management fraud is indicative of serious flaws in the current arrangements. A recent report, authorised by the Securities and Exchange Commission, noted that many audit committees included non-accounting professionals and people with a clear conflict of interest. We recommend that audit committees should include one or more accounting professionals and other independent representatives, where this is not already the case.
1.3 We also consider that the role of internal audit is understated in the paper. The role of internal audit is fundamental in public organisations. It is common practice for the internal audit department to report periodically to an audit committee, and for the department to have a responsibility to make a risk assessment of the operating environment of the company. Where this is the case, internal audit should design and develop their audit plan to ensure that weaknesses in the control environment are identified. Internal audit has a duty to report on the control environment and report all frauds. In addition, the external auditors should work closely with internal audit if they have any suspicion that fraud may have occurred.
1.4 Auditor independence is a key issue which needs to be addressed, since it underlies the quality of 'professional scepticism' which is essential to external auditors' awareness of the risk that fraud may have affected the financial statements. In listed companies where there is an audit committee, the executive directors should not take part in the selection of the external auditors. Safeguards need to be established to prevent the necessary working relationship and trust between auditors and directors becoming too close and uncritical on the part of the former.
1.5 Although it raises other issues, which would have to be addressed, one way of enhancing auditor independence that could be considered is to increase auditors' security of tenure. Auditors need to be able to ask for all the information they consider necessary, from any member of staff they consider best placed to provide that information, without fear of offending senior management. If auditors could not be removed from office (except in specified, exceptional circumstances) within, say, five years of their initial appointment, it would be easier for them to take tough decisions when fraud was suspected, particularly if members of senior management were involved.
1.6 Audit firms themselves should balance the need to provide staff with varied experience for training purposes, with the importance of developing teams whose members have a thorough knowledge of the client. Quality control procedures may need to be reviewed to ensure that work is not skimped under time pressure, or that possible indicators of fraud are not overlooked.
1.7 The audit approach has moved away from detailed testing of transactions and assets, including third party confirmations, to place more emphasis on analytical techniques. This is inevitable, given the size of the largest audit clients and the pressure to keep audit fees to acceptable levels. It must be recognised, however, that even a small degree of latitude can destroy the effectiveness of analysis as an audit tool. Professional guidance should recognise that analytical procedures need to be supported by tests of detail in nearly all cases.
B2. Is the current balance between avoiding unnecessary constraints on business and preventing/detecting fraud appropriate?
2.1 We consider this question to be rather 'closed', both in suggesting that constraints are "unnecessary", and in assuming that the answer will be 'yes', and so lead in to the next question. Experience in the UK, as in the US, suggests that the current constraints on businesses are ineffective, rather than unnecessary.
2.2 We do not believe that the current balance is appropriate. Fraud continues to grow and the publicity of recent cases in the US involving public companies having to restate their financial statements due to material fraud has led the public there to question the methods, techniques and value of the external audit. The audit profession has to regain public confidence that an independent audit has a reasonable expectation of detecting misstatements arising from fraud or error which are material to the financial statements. The auditors must plan the audit to assess the possibility of fraud, and test the operation of internal controls by performing walkthroughs of the various processes and applications. Audit software tools are now readily available to perform tests on whole populations without adding significantly to audit time or costs.
2.3 The other side of the equation, that of corporate governance and controls, also needs to be addressed. Management is responsible for ensuring that the control environment is sound, so that fraud is prevented where possible, and detected where it does occur. There should not be a question of 'unnecessary constraints', since all controls should be designed and implemented by management to achieve corporate goals. On the contrary, the costs associated with implementing good internal controls should be seen as a factor in doing business.
B3. If yes, is there a need to rebalance public expectations in the light of the paper's comments regarding the likelihood of auditors detecting management fraud?
3.1 We are doubtful about the outcome of any attempt to rebalance public expectations, given apparently widespread scepticism about the ability of auditors to take a robust and independent stand in the face of alleged management fraud. There is always the difficulty that, in seeking to 'educate' public expectations, the profession could be seen as patronising and seeking to avoid its public interest responsibilities.
3.2 What is clear is that the need to detect fraud is fundamental to the audit profession as well as to the economy as a whole. The public should be aware that, when an independent audit is performed, audit procedures are designed so as to give a reasonable expectation of detecting misstatements arising from fraud or error which are material to the financial statements. Materiality needs to be more clearly defined and explained, so that the public understands the distinction between fraud and material fraud. A consensus for a definition of materiality is critical both in the conceptual and legal framework.
3.3 We also recommend that the auditors' report contain a clearer definition of what constitutes 'reasonable assurance' than is currently the case. The report should also explain what is involved in the auditors' "assessment of the significant estimates and judgements made by the directors in the preparation of the financial statements …", that is, the extent to which the auditors have relied on directors' representations concerning certain disclosures.
B4. If no, what actions set out in sections 3, 4 and 5 of the Paper would you support?
4.1 So far as section 3 is concerned, we agree that auditing standards need to be reviewed, to take account in particular of the risk of fraud by senior management. The table in appendix 3 provides a good starting point.
4.2 We recommend that consideration be given to introducing elements of US SAS 82 into a revised SAS 110. It is, unfortunately, too early to tell whether the implementation of SAS 82 in the US has resulted in an improvement in the rate of fraud detection by external auditors. On the other hand, a requirement for a formal fraud risk review at the planning stage, incorporating areas such as assessment of management, the control environment, financial conditions, share performance and the overall business environment, must improve the effectiveness of the audit process. We consider the suggestion that audit costs might be increased significantly, and reports delayed as a result of the proposed extension of technical requirements, could be taken as an excuse for inaction. As we have argued in paragraph B 2.2 above, the costs need not be significantly higher, and should be outweighed by the benefits arising from audits which are better planned and carried out.
4.3 Revision of SAS 110 along the lines suggested could usefully be supported by providing more information and training for practitioners on the nature of frauds and fraud indicators, for example through case histories.
4.4 On section 4, we regard the role and effectiveness of audit committees as crucial in respect of listed companies. We agree that external auditors should be required to report to audit committees where they exist, and to boards where they do not, on the adequacy of controls to prevent and detect fraud.
4.5 We recommend that management representation letters highlight directors' responsibilities for establishing controls to prevent fraud and to detect fraud which has occurred. The representations should also include acknowledgement of the directors' statutory responsibility not to mislead the auditors.
4.6 We agree that forensic fraud reviews should be encouraged. In listed and other large public companies, such reviews could be carried out by the internal audit department, in collaboration with the external auditors.
4.7 We consider that there needs to be a review of corporate law and governance, in relation to the issues raised in section 5. In particular, we agree with the suggestion in paragraph 5.3 that there needs to be statutory and regulatory reinforcement of the directors' role in respect of fraud. Measures within organisations for the prevention and detection of fraud are the key to controlling the impact of fraud on the economy.
4.8 A further recommendation in section 5 concerns arrangements for audit changeovers. We understand that there is a requirement in the US for all changes in audit appointments to be explained to shareholders. As paragraph 5.18 points out, UK company law only requires auditors to make a statement where they consider that there are matters connected with their ceasing to hold office which should be drawn to the attention of members or creditors of the company. A requirement for both the company and the auditor to make a statement in connection with the change of auditor, whatever the circumstances, might act as a disincentive for management to threaten the auditor with removal if the latter was attempting to investigate a suspected fraud.
B5. Can you suggest any additional action that could be taken to prevent or detect management fraud?
5.1 We have recommended elsewhere that organisations should be encouraged to strengthen their internal audit departments by giving them enhanced status and greater independence. Recent legislation designed to give greater protection for whistleblowers should also help to increase the opportunities for fraud detection. However, this remains a difficult area because statutory auditors do not have the powers of the police, Customs and Excise, or the Inland Revenue to investigate possible indicators of fraud, and because even the best designed internal control system may be susceptible to management override.
B6. Do you believe investors and the business community are prepared to bear the costs, financial and otherwise, that would be involved in implementing any recommendations?
6.1 We consider that investors and the business community would be prepared to bear additional costs if they saw benefits accruing in the form of both less material fraud, and swifter detection of those frauds which did occur. In any case, as we have already argued, the costs of a strengthened internal audit function and more focused external audit procedures need not be significant in the context of total corporate expenditure. The profession and business leaders should weigh the potential increase in costs against the interests of shareholders and the economy at large - and undertake the reforms needed to fight fraud.


