When plaintiffs’ lawyers build their case against an auditor for malpractice or aiding and abetting fraud, they often start by reviewing the audit program.
- Was the audit program developed according to Generally Accepted Auditing Standards (GAAS)? (In April 2003, the PCAOB adopted certain preexisting standards as its interim standards. Pursuant to Rule 3200T, Interim Auditing Standards consist of generally accepted auditing standards, as described in the AICPA’s Auditing Standards Board’s Statement of Auditing Standards No. 95, as in existence on April 16, 2003, to the extent not superseded or amended by the Board.)
- Did the audit team follow their own policies and procedures when accepting the client engagement and developing the audit program?
- Did the tests performed match the risks and controls identified and prioritized as most important?
- Were all questions answered and results documented?
- Did the auditor fully utilize all resources available – internal experts for their client’s industry, business activities and accounting issues – and follow their advice when given?
- Did the auditor consciously, deliberately, with scienter, “forget” to do certain tests or ignore the results of any tests?
The recent wave of corporate fraud is raising a harsh question about the auditors who review and bless companies’ financial results: How could they have missed all the wrongdoing?
One little-discussed answer: a big change in the way audits are performed.
Consider what happened when James Lamphron and his team of Ernst & Young LLP accountants asked executives of [HealthSouth] if they were aware of any significant instances of fraud: the executives replied no. In their planning papers, the auditors wrote that HealthSouth’s system for generating financial data was reliable, the company’s executives were ethical, and that management had “designed an environment for success.”
As a result, the auditors performed far fewer tests of the numbers on the company’s books than they would have at an audit client where they perceived the risk of accounting fraud to be higher. That’s standard practice under the “risk-based audit” approach now used widely throughout the accounting profession…A look at the risk-based approach also helps explain why investors continue to be socked by accounting scandals, from WorldCom Inc. and Tyco International Ltd. to Parmalat SpA… Just because an accounting firm says it has audited a company’s numbers doesn’t mean it actually has checked them.
In a September 2003 speech, Daniel Goelzer, a member of the auditing profession’s new regulator, the Public Company Accounting Oversight Board, called the risk-based approach one of the key factors “that seem to have contributed to the erosion of trust in auditing.” Faced with difficulty in raising audit fees, Mr. Goelzer said, the major accounting firms during the 1990s began to stress cost controls. And they began to place greater emphasis on planning the scope of their work based on auditors’ judgments about which clients are risky and which areas of a company’s financial reports are most prone to error or fraud…”
There are so many hard working, earnest, intelligent audit professionals who try their gosh-darndest to do a good job. But in spite of these herculean efforts, fraud happens.
BTW: Dan Goelzer is now the Interim Chairman of the PCAOB.
I’m hard on the audit firms, and on their leadership in particular, because they never learn. I believe that this perpetual ignorance is by design, not default.
You might think something about the auditors’ approach might have changed after the flood of frauds and scandals leading to the Sarbanes-Oxley Act of 2002. Instead, everybody expected Sarbanes-Oxley to change the auditors’ entrenched attitudes and conscious effort to do as little as possible, for as much money as possible while evading liability for the inevitable result – more fraud by corporate executives.
Take a look at each of the Big 4 audit firm methodologies – heavily marketed on their websites and in the new Transparency Reports mandated by the recent adoption of the Eighth Company Law Directive in the European Union.
Ernst & Young was auditor of Lehman Brothers, of several Madoff feeder funds, of Bally’s and of a few messy situations in Hong Kong. In all cases, EY’s defense is their dependence on judgment when deciding who to believe, what to test and whether an accounting treatment complies with standards:
The Ernst & Young Global Audit Methodology (EY GAM) provides a global framework for the application of consistent thought processes, judgments and audit procedures to all audit engagements.
One of the cornerstones of the methodology is making (and reconsidering and modifying, when appropriate, throughout the audit) risk assessments and then determining the nature, timing and extent of audit procedures based on those risk assessments. EY GAM is based on International Standards on Auditing (ISAs) and is supplemented with local content developed by individual member firms to comply with the local auditing standards and regulatory or statutory requirements of the countries in which the member firms practice.
Ernst & Young’s audit methodology is organized into interdependent phases designed to focus on the client’s business and financial statement risks and how those risks affect our audit of the financial statements.
KPMG is the auditor of New Century Financial where, like Lehman, a bankruptcy examiner accused KPMG of malpractice and potential complicity in the fraud. KPMG faces a $1 billion suit for allegedly ignoring its own experts for the sake of the big audit fee.
KPMG is also auditor for Citigroup. Citi’s former executives apologized to a US Congressional Committee on Thursday of last week for their huge losses and the need for a government bailout:
The Financial Times, April 8, 2010: Chuck Prince and Robert Rubin on Thursday apologised for Citigroup’s severe losses on mortgage-related securities but insisted that there was nothing wrong with the company’s risk management ahead of the financial crisis. Both men also claimed there was a widespread belief within the bank that their holdings of mortgage-related securities were safe investments, but the congressional commission on the financial crisis did not appear convinced.
Take a look at which steps come first at KPMG when planning audits.
The Global Services Centre develops and maintains KPMG International’s Audit Methodology, which includes all the requirements of the ISA. It is also responsible for developing and maintaining the supporting KPMG International Audit Manual and electronic tools…methodology serves as the foundation of financial statement audits conducted by member firms…KPMG International’s Audit Methodology uses the following workflow:
- Perform risk assessment procedures and identify risks
- Determine planned audit approach
- Understand accounting and reporting activities
- Evaluate design and implementation of selected controls
- Test operating effectiveness of selected controls
- Assess control risk and risks of material misstatement at the assertion level
- Plan substantive procedures
- Perform substantive procedures
- Consider if audit evidence is sufficient and appropriate
- Perform completion procedures, including overall review of financial statements
- Perform overall evaluation
- Form an audit opinion
- Communicate to those charged with governance (e.g., the audit committee) our responsibilities under applicable auditing standards, an overview of the planned scope and timing of the audit, and significant findings from the audit
I’m assuming KPMG asked Mr. Prince and Mr. Rubin their opinion of the bank’s risks when planning the audit. Mr. Prince and Mr. Rubin either played dumb or attempted to deceive. KPMG obviously audited in the wrong direction. Citi has never received a “going concern” opinion in spite of being technically insolvent before their bailout.
KPMG was either dumb or complicit in Prince and Rubin’s deception. If the auditors have insufficient knowledge, competence and independence to ascertain complex risk on their own, then they’ll continue to be “duped.” I’m giving KPMG credit, for now, for being dumb and lazy as opposed to actively aiding and abetting a potential fraud at Citi.
I don’t give the same benefit of the doubt to PwC when it comes to Satyam. I’ve written extensively about this case. PwC makes all kinds of excuses for why they should not be held responsible for this fraud as a firm, either in India or in the United States. But the fact is, the two Price Waterhouse India partners who conducted this “audit” were in jail for over a year and the stench of their negligence and potential complicity reminds me of the five-day-old vindaloo in my fridge. How can the new PW India Chairman deny their involvement in the fraud, if not at least via negligence?
It doesn’t help that their public relations efforts in this fiasco have been atrocious.
Here we have PwC Chairman Dennis Nally:
Q: What role did the auditors have to play?
A: You are into an interesting debate and discussion because what is the role on a professional standards for the detection of a fraud. That is one of the areas that has been the focus not only on Satyam but a broader profession wide issue and we certainly welcome that debate.
I think there is an expectation out there in the public that auditors uncover every single fraud that they are involved with and that is not what professional standards call for but there is the public perception that that is what we are there to do. I define that as the expectation gap. If that is the expectation then we need to make sure that we are focused on the right kind of procedures, the right kind of standards, the right kind of reporting which is quite frankly really different than what we do today.
PwC International has appointed a new Chairman of the India practice, an Indian imported from Singapore, to bring a “quality in everything we do,” can-do attitude back to India. Unfortunately, in this video, Mr. Banerjee stumbles over issues such as 1) Bank confirmations – “too hard to get in India,” 2) Assignment of partners – one of the Satyam partners was also involved in previous fraud, Global Trust, and 3) Involvement of other PwC member firms in the Satyam audit – US? Europe? UK?
It’s easy to see how PW India may have short cut, by default, good audit practices. They claimed, for example, that independent confirmations were not required under Indian audit standards. Too bad for PwC this was a global client, a NYSE-listed client, an audit practice under PCAOB inspection jurisdiction and, therefore, bound not only by the global audit methodology that PwC International is supposed to be enforcing but by GAAS.
Let’s look at PwC’s Global Audit Methodology.
A top-down, risk based audit approach
The PricewaterhouseCoopers (PwC) Audit starts with a broad understanding of your business. We then consider the risks your company faces, the way management controls these risks and the degree of transparency in your company’s reporting to stakeholders.
PwC’s approach is based on the following core elements:
- The ability to be constantly adaptable to your growth and changing needs.
- Proactive issue identification and timely, collaborative resolution—with management as a critical component of the process… “end to end.”
- Our global audit methodology is used on all audit engagements regardless of location to ensure uniformity and consistency in approach.
- A relentless commitment to continuous improvement.
Other key points of our global audit methodology include:
- Approximately 74,000 PwC auditors in the PwC member firms around the world use a single, global audit methodology that is designed to comply with all provisions of the International Standards on Auditing (ISAs) and align with new standards as necessary.
- Our audit methodology is also updated at least annually to reflect quality improvements from our internal improvement review process.
This globally consistent approach to the audit means that regardless of location, PwC professionals can understand and evaluate your business using a single language and common methods. In turn, that enables a uniform level of quality in all our audits.
We shall see if the courts agree that all Satyam investors received a “uniform level of quality” from PwC in the audit of Satyam “regardless of location” or if the PW audit partners were “constantly adaptable” and too accommodating of “management as a critical component of the process…”
How can I say this delicately?
For every PCAOB and SEC sanction and $1 million fine lodged – chump change, Starbucks money for their partners – there’s an example of Deloitte thumbing their nose at the regulators.
Despite the high standard that Deloitte holds you to — higher than the SEC, PCAOB, and the AICPA, we might add — this happened, “Based on our own reviews and that of the PCAOB, we believe compliance with our independence policies is not what it should be, and the PCAOB has, in fact, questioned our commitment to adhere to our own policies. This is clearly not acceptable.”
Our contributor Francine McKenna reminded us that Deloitte didn’t think too much of the PCAOB’s report from last year, “They [are] the same firm that famously responded to the PCAOB’s latest inspection report, ‘How dare you second guess us?’”
And then there’s the case of Deloitte appointing a guy who is currently under SEC sanctions for Delphi as their IFRS initiative leader.
One of the best cases of the PCAOB being on top of a Deloitte case of auditor negligence is American Home. Although PCAOB would not admit it publicly, I pretty much found the inspection where they called the auditor, Deloitte, out on this case. Unfortunately, these warnings were ignored.
Let’s look at Deloitte’s bright, shiny new US Transparency Report and see what they say about their global audit methodology and quality standards:
Engagement Risk Assessment
The audit engagement risk assessment begins during the client acceptance/continuation process and is designed to continue on an ongoing basis throughout the engagement….The risk assessment process is based on an understanding of the entity and its environment and includes factors such as internal controls, financial statement elements that require significant judgment, prior year adjustments, and major changes in earnings, among others. The risk assessment also considers the results from Deloitte Radar (DDAR), a software tool that uses publicly available data and proprietary quantitative techniques to provide an indication of each public client’s susceptibility to business failure and financial statement fraud. The final result of the risk assessment process is an audit approach tailored to the specific risks identified for each client…
The Deloitte & Touche LLP audit approach is risk based and includes a risk assessment, as described above, designed to evaluate the risks of material misstatement of the financial statements and to assist in the planning of the audit….We have implemented enhancements to address the matters raised in the [PCAOB] inspection findings, including programs already underway that are designed to:
- Enhance our risk-based audit methodology by allowing implementation of the new global audit methodology one year earlier than originally planned.
- Strengthen professional skepticism skills through mandatory professional skepticism workshops for audit partners and directors.
So if not a top-down, risk-based approach, then what?
Don’t get me wrong. An understanding of the client, their environment, typical risks, industry trends, history, executive knowledge and competence, “tone at the top”, control environment and unique challenges is essential. Audits should be customized to the client, and changed and adjusted each year or more often as conditions change.
But look at the real focus in these methodologies:
- Asking the client what they think the major risks are instead of putting experience and expertise at work, hands-on, to identify those risks independently and objectively.
- Pleasing management.
- Saving the client time and money.
- Building repeatable, routine, non-varying cookie-cutter, box checking approaches that allow the firm to use their leverage model – cheaper, less experienced auditors who produce forms and paperwork rather than ideas, questions, challenges and someday suspicions, hunches, occasional allegations and answers.
The audit firms are loath to be in an adversarial, challenging relationship with the management of their clients. They are bending over backward again to please them. The main reason why this happens is the way audits are bought and paid for – by the Audit Committee but directly by the company and driven largely by customer relationships with management instead of with the true client, the shareholders.
Can that change right away? Maybe. Others have vehemently advocated for it.
But it’s the auditors’ approach that needs to change now to reduce fraud.
Auditors need to go back to the basics, from the bottom up, messy details and all.
“The problem is that there’s not a lot of evidence that auditors are very good at assessing risk,” says Charles Cullinan, an accounting professor at Bryant College in Smithfield, R.I., and co-author of a 2002 study that criticized the re-engineered audit process as ineffective at detecting fraud. “If you assess risk as low, and it really isn’t low, you really could be missing the critical issues in the audit.”
Even before the recent rash of accounting scandals, the shift away from extensive line-by-line number crunching was drawing criticism. In an October 1999 speech, Lynn Turner, then the SEC’s chief accountant, noted that more than 80% of the agency’s accounting-fraud cases from 1987 to 1997 involved top executives. While the risk-based approach was focusing on information systems and the employees who fed them, auditors really needed to expand their scrutiny to include top executives, who with a few keystrokes could override their companies’ systems.
An Ernst & Young spokesman, Charlie Perkins, says the firm “performed appropriate procedures” on the contractual-adjustment account.
At an April 2003 court hearing, Ernst & Young auditor William Curtis Miller testified that his team mainly had performed “analytical type procedures” on the contractual adjustments. These consisted of mathematical calculations to see if the account had fluctuated sharply overall, which it hadn’t. As for the balance-sheet entries, prosecutors say HealthSouth executives knew the auditors didn’t look at increases of less than $5,000, a point Ernst & Young acknowledges.