Top-Down Versus Bottom-Up: A Flawed Approach To Audit Risk Assessment

When plaintiffs’ lawyers build their case against an auditor for malpractice or aiding and abetting fraud, they often start by reviewing the audit program.

  • Was the audit program developed according to Generally Accepted Auditing Standards (GAAS)? (In April 2003, the PCAOB adopted certain preexisting standards as its interim standards. Pursuant to Rule 3200T, Interim Auditing Standards consist of generally accepted auditing standards, as described in the AICPA’s Auditing Standards Board’s Statement of Auditing Standards No. 95, as in existence on April 16, 2003, to the extent not superseded or amended by the Board.)
  • Did the audit team follow their own policies and procedures when accepting the client engagement and developing the audit program?
  • Did the tests performed match the risks and controls identified and prioritized as most important?
  • Were all questions answered and results documented?
  • Did the auditor fully utilize all resources available – internal experts for their client’s industry, business activities and accounting issues – and follow their advice when given?
  • Did the auditor consciously, deliberately, with scienter, “forget” to do certain tests or ignore the results of any tests?

The recent wave of corporate fraud is raising a harsh question about the auditors who review and bless companies’ financial results: How could they have missed all the wrongdoing?

One little-discussed answer: a big change in the way audits are performed.

Consider what happened when James Lamphron and his team of Ernst & Young LLP accountants asked executives of [HealthSouth] if they were aware of any significant instances of fraud, the executives replied no. In their planning papers, the auditors wrote that HealthSouth’s system for generating financial data was reliable, the company’s executives were ethical, and that management had “designed an environment for success.”

As a result, the auditors performed far fewer tests of the numbers on the company’s books than they would have at an audit client where they perceived the risk of accounting fraud to be higher. That’s standard practice under the “risk-based audit” approach now used widely throughout the accounting profession…A look at the risk-based approach also helps explain why investors continue to be socked by accounting scandals, from WorldCom Inc. and Tyco International Ltd. to Parmalat SpA… Just because an accounting firm says it has audited a company’s numbers doesn’t mean it actually has checked them.

In a September 2003 speech, Daniel Goelzer, a member of the auditing profession’s new regulator, the Public Company Accounting Oversight Board, called the risk-based approach one of the key factors “that seem to have contributed to the erosion of trust in auditing.” Faced with difficulty in raising audit fees, Mr. Goelzer said, the major accounting firms during the 1990s began to stress cost controls. And they began to place greater emphasis on planning the scope of their work based on auditors’ judgments about which clients are risky and which areas of a company’s financial reports are most prone to error or fraud…”

Behind Wave of Corporate Fraud: A Change in How Auditors Work: ‘Risk Based’ Model Narrowed Focus of Their Procedures, Leaving Room for Trouble

Jonathan Weil, The Wall Street Journal, March 25, 2004.

There are so many hard working, earnest, intelligent audit professionals who try their gosh-darndest to do a good job. But in spite of these herculean efforts, fraud happens.

BTW:  Dan Goelzer is now the Interim Chairman of the PCAOB.

I’m hard on the audit firms, in particular and specifically on their leadership, because they never learn. I believe that this perpetual ignorance is by design not default.

You might think something about the auditors’ approach might have changed after the flood of frauds and scandals leading to the Sarbanes-Oxley Act of 2002. Instead, everybody expected Sarbanes-Oxley to change the auditors’ entrenched attitudes and conscious effort to do as little as possible, for as much money as possible while evading liability for the inevitable result – more fraud by corporate executives.

Take a look at each of the Big 4 audit firm methodologies – heavily marketed on their websites and in the new Transparency Reports mandated by the recent adoption of the Eighth Company Law Directive in the European Union.

Ernst & Young was auditor of Lehman Brothers, of several Madoff feeder funds, of Bally’s and of a few messy situations in Hong Kong. In all cases, EY’s defense is their dependence on judgment when deciding who to believe, what to test and whether an accounting treatment complies with standards:

Ernst & Young Audit Methodology

The Ernst & Young Global Audit Methodology (EY GAM) provides a global framework for the application of consistent thought processes, judgments and audit procedures to all audit engagements.

One of the cornerstones of the methodology is making (and reconsidering and modifying, when appropriate, throughout the audit) risk assessments and then determining the nature, timing and extent of audit procedures based on those risk assessments. EY GAM is based on International Standards on Auditing (ISAs) and is supplemented with local content developed by individual member firms to comply with the local auditing standards and regulatory or statutory requirements of the countries in which the member firms practice.

Ernst & Young’s audit methodology is organized into interdependent phases designed to focus on the client’s business and financial statement risks and how those risks affect our audit of the financial statements.

KPMG is the auditor of New Century Financial where, like Lehman, a bankruptcy examiner accused KPMG of malpractice and potential complicity in the fraud. KPMG faces a $1 billion suit for allegedly ignoring its own experts for the sake of the big audit fee.

KPMG is also auditor for Citigroup. Citi’s former executives apologized to a US Congressional Committee on Thursday of last week for their huge losses and the need for a government bailout:

The Financial Times, April 8, 2010: Chuck Prince and Robert Rubin on Thursday apologised for Citigroup’s severe losses on mortgage-related securities but insisted that there was nothing wrong with the company’s risk management ahead of the financial crisis. Both men also claimed there was a widespread belief within the bank that their holdings of mortgage-related securities were safe investments, but the congressional commission on the financial crisis did not appear convinced.

Take a look at which steps come first at KPMG when planning audits.

KPMG Audit Methodology

The Global Services Centre develops and maintains KPMG International’s Audit Methodology, which includes all the requirements of the ISA. It is also responsible for developing and maintaining the supporting KPMG International Audit Manual and electronic tools…methodology serves as the foundation of financial statement audits conducted by member firms…KPMG International’s Audit Methodology uses the following workflow:


  • Perform risk assessment procedures and identify risks
  • Determine planned audit approach

Control Evaluation

  • Understand accounting and reporting activities
  • Evaluate design and implementation of selected controls
  • Test operating effectiveness of selected controls
  • Assess control risk and risks of material misstatement at the assertion level

Substantive Testing

  • Plan substantive procedures
  • Perform substantive procedures
  • Consider if audit evidence is sufficient and appropriate


  • Perform completion procedures, including overall review of financial statements
  • Perform overall evaluation
  • Form an audit opinion
  • Communicate to those charged with governance (e.g., the audit committee) our responsibilities under applicable auditing standards, an overview of the planned scope and timing of the audit, and significant findings from the audit

I’m assuming KPMG asked Mr. Prince and Mr. Rubin their opinion of the bank’s risks when planning the audit.  Mr. Prince and Mr. Rubin either played dumb or attempted to deceive. KPMG obviously audited in the wrong direction. Citi has never received a “going concern” opinion in spite of being technically insolvent before their bailout.

KPMG was either dumb or complicit in Prince and Rubin’s deception. If the auditors have insufficient knowledge, competence and independence  to ascertain complex risk on their own, then they’ll continue to be “duped.” I’m giving KPMG credit, for now, for being dumb and lazy as opposed to actively aiding and abetting a potential fraud at Citi.

I don’t give the same benefit of the doubt to PwC when it comes to Satyam. I’ve written extensively about this case. PwC makes all kinds of excuses for why they should not be held responsible for this fraud as a firm, either in India or in the United States. But the fact is, the two Price Waterhouse India partners who conducted this “audit” were in jail for over a year and the stench of their negligence and potential complicity reminds me of the five-day old vindaloo in my fridge. How can the new PW India Chairman deny their involvement in the fraud, if not at least via negligence?

It doesn’t help that their public relations efforts in this fiasco have been atrocious.

Here we have PwC Chairman Dennis Nally:

Q: What role did the auditors have to play?

A: You are into an interesting debate and discussion because what is the role on a professional standards for the detection of a fraud. That is one of the areas that has been the focus not only on Satyam but a broader profession wide issue and we certainly welcome that debate.

I think there is an expectation out there in the public that auditors uncover every single fraud that they are involved with and that is not what professional standards call for but there is the public perception that that is what we are there to do. I define that as the expectation gap. If that is the expectation then we need to make sure that we are focused on the right kind of procedures, the right kind of standards, the right kind of reporting which is quite frankly really different than what we do today.

PwC International has appointed a new Chairman of the India practice, an Indian imported from Singapore, to bring a “quality in everything we do,” can-do attitude back to India. Unfortunately, in this video, Mr. Banerjee stumbles over issues such as 1) Bank confirmations  – “too hard to get in India,” 2) Assignment of partners – one of the Satyam partners was also involved in previous fraud, Global Trust, and 3) Involvement of other PwC member firms in the Satyam audit – US? Europe? UK?

It’s easy to see how PW India may have short cut, by default, good audit practices. They claimed, for example, that independent confirmations were not required under Indian audit standards.  Too bad for PwC this was a global client, a NYSE-listed client, an audit practice under PCAOB inspection jurisdiction and, therefore, bound not only by the global audit methodology that PwC International is supposed to be enforcing but by GAAS.

Let’s look at PwC’s Global Audit Methodology.

A top-down, risk based audit approach

The PricewaterhouseCoopers (PwC) Audit starts with a broad understanding of your business. We then consider the risks your company faces, the way management controls these risks and the degree of transparency in your company’s reporting to stakeholders.

PwC’s approach is based on the following core elements:

  • The ability to be constantly adaptable to your growth and changing needs.
  • Proactive issue identification and timely, collaborative resolution—with management as a critical component of the process… “end to end.”
  • Our global audit methodology is used on all audit engagements regardless of location to ensure uniformity and consistency in approach.
  • A relentless commitment to continuous improvement.

Other key points of our global audit methodology include:

  • Approximately 74,000 PwC auditors in the PwC member firms around the world use a single, global audit methodology that is designed to comply with all provisions of the International Standards on Auditing (ISAs) and align with new standards as necessary.
  • Our audit methodology is also updated at least annually to reflect quality improvements from our internal improvement review process.

This globally consistent approach to the audit means that regardless of location, PwC professionals can understand and evaluate your business using a single language and common methods. In turn, that enables a uniform level of quality in all our audits.

We shall see if the courts agree that all Satyam investors received a “uniform level of quality” from PwC in the audit of Satyam “regardless of location” or if the PW audit partners were “constantly adaptable” and too accommodating of  “management as a critical component of the process…”


How can I say this delicately?

For every PCAOB and SEC sanction and $1 million fine lodged – chump change, Starbucks money for their partners – there’s an example of Deloitte thumbing their nose at the regulators:

Despite the high standard that Deloitte holds you to — higher than the SEC, PCAOB, and the AICPA, we might add — this happened, “Based on our own reviews and that of the PCAOB, we believe compliance with our independence policies is not what it should be, and the PCAOB has, in fact, questioned our commitment to adhere to our own policies. This is clearly not acceptable.”

Our contributor Francine McKenna reminded us that Deloitte didn’t think too much of the PCAOB’s report from last year, “They [are] the same firm that famously responded to the PCAOB’s latest inspection report, ‘How dare you second guess us?’”

And then there’s the case of Deloitte appointing a guy who is currently under SEC sanctions for Delphi as their IFRS initiative leader.

One of the best cases of the PCAOB  being on top of a Deloitte case of auditor negligence is American Home. Although PCAOB would not admit it publicly, I pretty much found the inspection where they called the auditor, Deloitte, out on this case. Unfortunately, these warnings were ignored.

Let’s look at Deloitte’s bright, shiny new US Transparency Report and see what they say about their global audit methodology and quality standards:

Engagement Risk Assessment

The audit engagement risk assessment begins during the client acceptance/continuation process and is designed to continue on an ongoing basis throughout the engagement….The risk assessment process is based on an understanding of the entity and its environment and includes factors such as internal controls, financial statement elements that require significant judgment, prior year adjustments, and major changes in earnings, among others. The risk assessment also considers the results from Deloitte Radar (DDAR), a software tool that uses publicly available data and proprietary quantitative techniques to provide an indication of each public client’s susceptibility to business failure and financial statement fraud. The final result of the risk assessment process is an audit approach tailored to the specific risks identified for each client…

The Deloitte & Touche LLP audit approach is risk based and includes a risk assessment, as described above, designed to evaluate the risks of material misstatement of the financial statements and to assist in the planning of the audit….We have implemented enhancements to address the matters raised in the [PCAOB] inspection findings, including programs already underway that are designed to:

  • Enhance our risk-based audit methodology by allowing implementation of the new global audit methodology one year earlier than originally planned.
  • Strengthen professional skepticism skills through mandatory professional skepticism workshops for audit partners and directors.

So if not a top-down, risk-based approach, then what?

Don’t get me wrong. An understanding of the client, their environment, typical risks, industry trends, history, executive knowledge and competence, “tone at the top”, control environment and unique challenges is essential. Audits should be customized to the client, and changed and adjusted each year or more often as conditions change.

But look at the real focus in these methodologies:

  • Asking the client what they think the major risks are instead of putting experience and expertise at work, hands-on, to identify those risks independently and objectively.
  • Pleasing management.
  • Saving the client time and money.
  • Building repeatable, routine, non-varying cookie-cutter, box checking approaches that allow the firm to use their leverage model – cheaper, less experienced auditors who produce forms and paperwork rather than ideas, questions, challenges and someday suspicions, hunches, occasional allegations and answers.

The audit firms are loath to be in an adversarial, challenging relationship with the management of their clients. They are bending over backward again to please them. The main reason why this happens is the way audits are bought and paid for – by the Audit Committee but directly by the company and driven largely by customer relationships with management instead of with the true client, the shareholders.

Can that change right away? Maybe. Others have vehemently advocated for it.

But it’s the auditors’ approach that needs to change now to reduce fraud.

Auditors need to go back to the basics, from the bottom-up, messy details and all.

From Jonathan Weil’s 2004 article (courtesy of the vast resources curated by Professor Bob Jensen):

“The problem is that there’s not a lot of evidence that auditors are very good at assessing risk,” says Charles Cullinan, an accounting professor at Bryant College in Smithfield, R.I., and co-author of a 2002 study that criticized the re-engineered audit process as ineffective at detecting fraud. “If you assess risk as low, and it really isn’t low, you really could be missing the critical issues in the audit.”

Even before the recent rash of accounting scandals, the shift away from extensive line-by-line number crunching was drawing criticism. In an October 1999 speech, Lynn Turner, then the SEC’s chief accountant, noted that more than 80% of the agency’s accounting-fraud cases from 1987 to 1997 involved top executives. While the risk-based approach was focusing on information systems and the employees who fed them, auditors really needed to expand their scrutiny to include top executives, who with a few keystrokes could override their companies’ systems.

An Ernst & Young spokesman, Charlie Perkins, says the firm “performed appropriate procedures” on the contractual-adjustment account.

At an April 2003 court hearing, Ernst & Young auditor William Curtis Miller testified that his team mainly had performed “analytical type procedures” on the contractual adjustments. These consisted of mathematical calculations to see if the account had fluctuated sharply overall, which it hadn’t. As for the balance-sheet entries, prosecutors say HealthSouth executives knew the auditors didn’t look at increases of less than $5,000, a point Ernst & Young acknowledges.


39 replies
  1. David says:

    Lehman buys tens of billions in subprime mortgages and can’t unload them (as collateralized debt obligations) before the housing market crashes. And, they also bought a REIT that they were trying to syndicate and the value of REITs declined? How difficult was it to identify risk?

  2. Sara McIntosh says:

    Hello Francine,

    What an excellent post. As you outline, the best way to manage risk or catch a fraud, is to assume that the risk/fraud exists–not to act as if there is nothing to be concerned about, even if that is your belief based on judgment or any other fool’s excuse for not doing the highly detailed, bottoms-up audit work.

    Thank you also for the very nice plug to my post “Massages Gone Wild” where you correctly indicated me as one of the “Others vehemently advocating” for a change to the whole structure of how audits are bought and paid for.

    It’s just ridiculous to expect auditors to report negatively on their clients–the companies they are supposedly auditing. If they made a regular habit of doing that they could expect to be out of business a whole lot quicker than any pile of lawsuits could take them down–even billion dollar ones.

    And I agree that even assuming zero fraud, and setting aside auditor laziness, as you outline above, “Building repeatable, routine, non-varying cookie-cutter, box checking approaches that allow the firm to use their leverage model – cheaper, less experienced auditors who produce forms and paperwork rather than ideas, questions, challenges and someday suspicions, hunches, occasional allegations and answers.” is a major cause of audit failures. My novel, Shell Games, (available at fictionally depicts just how blindfolded the auditors (of a client called Lemon Brothers) were as they tried to review tens of billions in subprime mortgage securities . . . .

    Thanks again for being such a beacon of light on all the issues with our fundamentally flawed “public” accounting / audit system, and the Big Four Public Accounting firms that keep robbing us blind as they help their clients continue their financial rapes of our taxpayers and blind, innocent “investing public.”

    Happy Sunday!

    Ciao for Now,

    Sara McIntosh

  3. Norman Marks says:


    I beg to differ with your conclusion – as I read it.

    I believe the top-down and risk-based approach is correct and appropriate. However, its application may be flawed.

    For example, you quote Deloitte as saying: “The audit engagement risk assessment begins during the client acceptance/continuation process and is designed to continue on an ongoing basis throughout the engagement”. Note that last phrase – the risk assessment is not a ‘once and done’ exercise. It needs to continue and it also needs to be more than a simple exercise of asking executives whether they have knowledge of frauds.

    The new (draft) risk standards from PCAOB bring this home, as do the requirements of SAS 99.

    In my opinion, based on experience as head of internal audit and working with CPA firms for many years, the major reasons the external auditors mistakenly risk assessment are:

    1. They are not expert in assessing the adequacy of the tone at the top and the rest of the control environment. This has been the root cause of many frauds. They don’t do enough to understand how executives are incented, how pressure is put on financial and operational management to ‘make the number’, how financial management’s performance is assessed, how ethics is communicated and reinforced throughout the organization, etc.

    2. They place insufficient reliance and don’t do enough to build a bond with the internal audit team – who are closer to the business, its management, and its results. Many external auditors don’t really read and talk to the internal auditors about their risk assessments and the results of audits.

    3. Management is often able to hide fraudulent transactions or estimates from the auditors. This is an inherent risk. The staff who actually talk to the accountants and others involved in day-to-day activities are junior and inexperienced. The partners and managers are, in general, not as proficient as they believe they are. Most internal auditors would join me in assessing the external audit partners and senior managers as arrogant beyond their competence – with notable but too few exceptions. Arrogance and ignorance breed incompetent or at least blissfully unaware audit procedures.

    4. The auditors may spend too much time focusing on areas where the risk of error (fraudulent or not) is low or even non-existent. The auditors would benefit from realignment of their scarce resources.

    5. Oversight from the audit committee is often insufficient to identify gaps in the external auditor’s approach. The audit committee does not have the depth of experience and understanding to probe the audit firm’s risk assessment. While management has more, their involvement is minimized by the external auditor – who is afraid of being led astray.

    6. When auditors detect a control or other weakness, they don’t have the experience or understanding of the business to ask the right questions and continue unraveling the string. They are much more focused on the technical aspects of the accounting rules. I have seen situations where they did not inform the internal auditors of an issue for months, when the internal auditors would have been able not only to ask the right questions but to add this new information to concerns they already had.

    7. As I said at the beginning, the risk assessment has to continue throughout the year. When the auditors don’t do this, and adjust as new data comes to light, there is a problem.

  4. Richard_A says:

    The flaw in the risk assessment process is not so much “Top-Down Versus Bottom-Up”. The flaw is more the appearance that the audit firm management’s approach to risk assessment places greatest weight on the verbal representations/claims by client senior management than on other evidence of risk. The representations by client senior management were then used to justify not doing audit procedures in order to keep fees within acceptable ranges to retain the clients, rather than determining what audit procedures were necessary in order to arrive at an appropriate opinion of the clients’ financial position and fairness of the financial statements. Those of us who weren’t present when the audit partners made their decisions can’t know whether or not the treatment was deliberate and willful, or just the result of consistent sloppy practices resulting in a slow, but continuous erosion of professional judgment and skepticism in assessing audit risk.

    In my primary area of activity, internal audit and risk management, standards require that the audit risk assessment include consideration by the audit management and staff, based on their experience, of all ways in which frauds or control failures could occur in the auditee organization, including frauds and failures that could be initiated by auditee management. We are to consider the representations and statements of auditee management. However, considering that virtually all major frauds that have damaged the financial position or resulted in the failure of organizations have been initiated and perpetuated by management, those statements are not to be given primary or sole consideration. As I understand current international and US auditing standards, there is a similar requirement in the external auditing risk assessment standards. Unfortunately, senior executives of client organizations look and act like the senior partners of external audit firms. It is easier to accept at face value statements made by people who are at the same status level, have the same educational background, participate in the same community organizations, etc., than to think that those people could be doing wrong. However, historical evidence shows clearly that senior executives do engage in wrongdoing frequently enough that their claims of ethical behavior and low risk of questionable accounting procedures should be discounted. Unfortunately, appearances are that the audit firms’ management doesn’t seem to learn from experience and can’t distinguish between the firms’ financial interest in keeping a client and receiving fees and its responsibility to the public. And this time the responsibility was not just to the investing public, because people at all levels of the economy have suffered serious consequences as a result of the failure of the audit firm partners to exercise due care in assessing risk, determining audit procedures, and reporting the serious problems existing in their clients’ financial condition. Audit management failure was not the cause of the economic problems, but it was clearly a significant contributing factor.

  5. Ken Biddick says:

    Good comments @3 and 4. A basic element of audit planning is the development of expectations of performance for the target entity. Auditors are required to have an understanding of the industry and how the entity performs in that space. When the auditor makes their inquiries to management, those responses should be gauged against what the auditor has already assessed regarding the entity’s performance. The risk assessment at this stage is to determine if management is responding within those expectations or seems to be telling good stories. This first pass needs to be performed by experienced partner level auditors. Fortune 1000 company audits are not about asset misappropriation (employee theft/embezzlement), they are about financial reporting issues which are generally schemes developed from the top. There are plenty of third party assessment tools available to help the auditor develop their expectations prior to the inquiry of management. Comments by @3 and 4 point out that internal audit is another first pass level of inquiry to gauge both management’s stories and the auditor expectation. The auditor’s assessment after these inquiries determines their level of skepticism and how the audit needs to be staffed. Clearly if skepticism is high a more experienced team is required to handle what is likely to be a more adversarial engagement.

    The unfortunate reality of auditing is that you need to match-up your staff to the level of the players. It is a game and auditors need to recognize that they are the officiating team. Auditors are there to make sure the game is played inside the rules and they need to stop the game and even eject players that consistently and flagrantly abuse those rules.

  6. Timothy Hediger says:

    In my experience as a Director of Internal Audit, I have found that talking with long-term employees – whether on the manufacturing floor or in Accounts Receivable – will tell you more about a company’s risk than performing any audit or risk assessment. As much as these people can be derided by the “smartest in the room”, it is often these smart people that don’t have a clue that their companies/enterprises are often built on quicksand. Again, these employees may not know the right-sounding word for Partners or Management; but, if you listen to them carefully, they tell a story that often can be corroborated – with exceptions being made for the occasional “ax-grinder”.

    In other words, if an Auditor or Management understands the risk, they can understand the limitations and opportunities of making a profit for their enterprise. I know of very few Accounting or MBA programs that teach their students risk management for their business decisions. This is the case for financial, operational, or compliance risk. Simply put, this is the reason I try my absolute best to listen to the line-workers because Management’s decisions often are on the grunt-workers.

    THE BOTTOM LINE: Auditors of all stripes need to look at risk bottom-up to be able to effectively audit top-down. This is because, as described above, Management can make risky and fraudulent decisions; this is not an inherent risk, this is a detection risk. You have to know where to look.

  7. Tenacious Truman says:

    Ken @ #5 —

    “A basic element of audit planning is the development of expectations of performance for the target entity. Auditors are required to have an understanding of the industry and how the entity performs in that space.”

    Yeah that’s the theory. But the reality is that the staff is heavily weighted toward the most junior “young adults” possible to find, because using such maximizes engagement margin. Also, let’s be honest and admit that once a client is in hand, the engagement partner is too often assigned based on internal firm politics rather than industry (or audit) expertise.

    In my many years of “Big 4” experience, I never once saw lack of industry knowledge/experience keep a partner from bidding, or performing, either outsourced internal or external audits. And only once did I see engagement margins sacrificed in order to bring in senior/experienced staff who knew what was what. (That one time was when a PCAOB review was expected.) Sure, often there were a few token hours handed-out for “consultations” — but the vast majority of the budget was reserved for 1st and 2nd year staff who did the heavy lifting on the audits. And those young people, no matter how smart and hard-working they were, knew zip about the industry they were auditing. Totally clueless.

    I think FM has hit the nail on the head. The current methodology is one of two reasons for audit failure. The other reason is the rise of the accounting salesperson, creating a culture where sales & revenue & profit are more important than quality.

    — Tenacious T.

  8. David
    David says:

    The problem is that the risk areas change. At one point, holding mortgages was not considered risky. So it wouldn’t be a focus of the audit under this approach. If the staff isn’t smart enough to continually make adjustments to pick up the new risks, then the auditor can really get burned with this approach.

  9. David
    David says:

    “The problem is that there’s not a lot of evidence that auditors are very good at assessing risk,” says Charles Cullinan, an accounting professor at Bryant College in Smithfield, R.I., and co-author of a 2002 study that criticized the re-engineered audit process as ineffective at detecting fraud. “If you assess risk as low, and it really isn’t low, you really could be missing the critical issues in the audit.”

    I guess Mr. Cullinan’s comments were very accurate.

  10. Anonymous
    Anonymous says:

    IT’S FINALLY THE INVESTORS WHO NEED TO LEARN TO READ ANNUAL REPORTS…… So many times I have seen my friends complain that they have lost money in a stock, then I ask them if they knew the company’s business, and their answer is no. They don’t even know what the difference is between cash flow and income statement. I guess this is a huge wakeup call for everyone to start understanding at least the basics of Financial statements. For instance just consider the case of PALM. The dreaded PDA maker. People are still hopeful that it will shine some day. But even a guy with basic Math knowledge will get the following point.

    If we analyze the company’s Cash flow statements from 1998 to 2008 we get the following figures.

    1. Company has generated $108mn in cash from operation.
    2. Has invested $550mn
    3. Has generated $828mn by financing.

    The company has solely been in business because the whole world is buying their story and is ready to finance them…….

  11. frankD
    frankD says:


    well, with the benefit of more than twenty years gone by, i can say my prediction has come about, but first let me say this – if an auditor does NOT actually observe a physical count, there is NO possible way that auditor can attest to the actual quantity as a FACT, and this is an inherent risk and obvious weakness in relying on alternative methods such as statistical sampling, therefore rules are required to allow that auditor to pretend an actual count was performed

    okay, back to my prediction – if you give someone an opportunity to devise a gimmick, such as fill a warehouse with empty boxes and pretend an inventory exists inside those boxes, sooner or later, some audit client will try it, and if the financial GAIN to that audit client is LARGE enough, others competing in that audit client’s business will do the same and in turn their auditors will miss it also

    and now to my prediction – if the gimmick is LARGE enough and the financial GAIN is spread throughout with no real oversight, the auditors will find a way to bless it, even if they find out about it !

    the fact that carl bass was marginalized by the institutional culture created at arthur andersen means everyone involved with a vested interest in the results of their audit client, enron, took an active role to DISPROVE that the empty boxes were empty and did indeed contain inventory although NO one ever suggested to do an actual physical inventory observation

    if you give someone an opportunity to devise a gimmick, it will succeed if it is LARGE as initially no single individual has the weight to contradict the crowd and ultimately the financial GAIN means no one will care to upset the gravy train

    a hedge or a derivative or a short position or an exotic financial obligation meant to provide some type of counterbalance as insurance are ALL potentially important and even necessary financial transactions and related positions to buy trade and sell BUT without a level playing field also an opportunity for someone to devise a gimmick – well, over the last twenty years they did – as no one can properly VALUE these positions

    so it doesn’t matter that the boxes in the warehouse are empty anymore as a VALUE can be given to any financial device or position, real or imagined, empty or not, as quantity is as irrelevant apparently as ownership or toxicity or risk or materiality

    no wonder audit reports contain so much legalese – exotic words have to exist to explain that no one really knows why those boxes are empty but everyone is making a financial GAIN so let us just rely on trusting all those exotic financial transactions and value calculations that reveal all this is kosher

    twenty years ago, well, we were just boringly going out and actually counting the boxes and checking their contents thinking we were doing a social service for the financial foundation of an industry that relied on figures being factual and not guesstimates or simply made up

    AUDIT RISK ASSESSMENT means finding the correct words to use to say you did something as an auditor that has nothing at all to do with quantity or quality or value or potential impairment loss of ASSETS or identifying or evaluating liabilities and obligations of LIABILITIES including guarantees and obligations not currently identifiable or even existing and at the same time NOT get sued for doing nothing substantive to uncover or even look for defects BUT be able to render an opinion while attesting to nothing

    anyway be well


  12. frankD
    frankD says:

    “…..I’m assuming KPMG asked Mr. Prince and Mr. Rubin their opinion of the bank’s risks when planning the audit. Mr. Prince and Mr. Rubin either played dumb or attempted to deceive. KPMG obviously audited in the wrong direction. Citi has never received a “going concern” opinion in spite of being technically insolvent before their bailout…..”

    well, it has been my opinion that these types of comments are exactly the reason the audit field is behind the eight-ball at every turn and should just fess up to the facts that you are ALL in it together for financial GAIN, and yes, everyone involved participated to some extent in the continued hypocrisy of it unless, of course, they quit the work and went on to something else

    i mean does anyone believe these women coming forward in this tiger woods thing were other than hookers ? but inevitably what do they all say ? and don’t they all say the same thing ?… ” I THOUGHT HE LOVED ME ” or ” HE TOLD ME HE LOVED ME “…..yeah right they all did it for LOVE !

    KPMG, prince, rubin, citi et al ALL knew the score and all had financial GAIN and ALL continued to participate again and again, over and over, in riskier and riskier behavior (sound familiar to tiger’s transgressions ?)

    well, combine the ingredients of a ton of money, a pinch of ego, a tablespoon of plausible deniability then bake in living beyond one’s means then finally sprinkle with justifiability and less lucrative alternatives and there you have everyone on board

    again, i must mention carl bass of arthur andersen, and if you don’t know that story you won’t see how these big scams are self-perpetuating and all inclusive, auditors AND client management

    anyway be well


  13. frankD
    frankD says:

    and in conclusion………………………..”the deregulation so keenly sought by the financial services industry has made activities legal that by any common-sense standard should be criminal. But the sponsors of this toxic trade did bother to make sure they had a powerful friend”

    there it is and anything else is just marketing puffery or delusionally disconnecting with reality


  14. Robert Cohn
    Robert Cohn says:

    I am sorry, I’ve never seen a risk based audit during my tenure at PwC. I can’t tell you how many times I have seen a risk related to rights/obligations for income statement items, really? People who are 1 rated think this? Why does PwC make us call and verify a confirmation was sent after the fact when we receive a fax? Who is going to send it at the same moment we requested it? Why can’t I just go in and see a client’s detailed statement of investments through their bank – why must I send a paper confirmation to receive something that says the same thing? Oh wait, those are procedures I did for “LOW RISK AREAS”.

    And controls – I can’t tell you the number of clients I have seen where people just documented “No controls reliance” (on non-SEC jobs) so they didn’t even document any controls. And did this make it into a letter to the audit committee?

    Seriously, nobody is perfect, so why would a client care. Nobody does everything right 100% of the time.

    All Big 4 firms are the same.

    The SEC should be able to fine $10,000 for every mistake in an audit – something doesn’t tie to the trial balance, oops, $10,000. They should hire people on a contingency basis to audit the firms’ audits – and every time something isn’t followed, a fine, of which they keep a %. I would be a millionaire in a year!

  15. Anonymous
    Anonymous says:

    Is everyone piling on Lehman and New Century only because their checks bounced?

    Isn’t Goldman (and god knows who else) still doing pretty much the same thing? The only difference is Goldman’s checks are still clearing and everyone is still getting paid. I think Sarbanes said there was nothing wrong with Enron while they were making money.

    Before Enron’s money wasn’t there, it was. Unless the activity is nailed while in progress, isn’t this all just a lot of hot air?

    -side note-

    Francine, congratulations on single-handedly saving the New York Times!

  16. I Just Work Here
    I Just Work Here says:

    I am a manager at a Big 4 firm. If any of you reading this are in a position to purchase or influence financial audit services at your company, AND would like to switch from a top-down approach to a bottom-up approach, then I would be happy to make that happen. Let’s get in touch.

    However, I hope you can stomach the bill.

    I am going to need to meet with every one of your “long term” employees. I don’t care what area they are in or how limited their role is. I have to assume that fraud is always happening, and hey, after working so long in the company I am sure each of them know something worth while. You have been doing business for 30 years in 10 5 countries? Wow! I bet you have a lot of long term employees for me to talk to. I am also going to disregard your control mechanisms in place and substantively test every aspect of your business. I know that goes against SOx, and even common sense, but those could be empty boxes sitting in your DC and I am going to need to check every one. I know you do that already, and that you test the control and have evidence to support that fact, but I don’t trust you.

    I also know that you are very concerned about getting a quality audit. So here is what I am going to do for you. I am going to take all my Seniors and Associates off this engagement and replace them with Managers and Directors. I know, I know… the Staff all have Masters Degrees from top Universities where they each excelled in their studies… but you just get so much more quality with the more experienced Managers and Directors. Oversight and augmentation just aren’t enough when dealing with “kids.” After all, Quality is Job 1 for this bottom-up audit, so I am sure you won’t mind that these Managers and Directors.. with all that experience… well they are going to triple the cost. You see, I don’t have as many Managers and Directors to go around so they are more expensive… you know… supply and demand. They are also more experienced and a little older so they want to make more money than those “kids” right out of school so I can’t just decide to pay them less. See the thing is, when I pay them less they all go to work for you… so they don’t have to work as many hours or travel as much. Oh that reminds me, this Audit team is getting pretty big. I am going to need to bring in some people from out of town, you don’t mind travel expenses do you?

    I don’t know about you but this sounds like a Win-Win situation to me. This is going to be the best audit ever!


  17. anony
    anony says:

    “..the vast majority of the budget was reserved for 1st and 2nd year staff who did the heavy lifting on the audits. And those young people, no matter how smart and hard-working they were, knew zip about the industry they were auditing. Totally clueless.”

    I remember when I was a first year at my big 4, I often asked the second years and seniors on the engagement whether they read up on any industry publications outside of work (you know, to stay in tune with what’s trending in the client’s industry). Their response was somewhere along the lines of “nahh…you don’t need to worry about doing any of that in this line of business” or “I should but I don’t think it’s necessary, but you can read up on those things if you’d like. It certainly can’t hurt”. My big 4 usually would have portals on the internal site that exclusively contained a wealth of industry news feeds and trends that impacted the firm’s clients operating in that industry. I was amazed at how even seniors and managers never bothered with those resources as they casually told me “man, when was the last time I even checked that thing”. I thought I was the only one who figured that in order to have an adequate understanding of the client’s business and properly assess risk, it helps to know something (anything) about the industry in which the client operates. If seniors and managers don’t make the effort to stay on top of industry trends, how could one expect that of 1st and 2nd year staff?

  18. frankD
    frankD says:


    in response to I JUST WORK HERE,

    not to be argumentative, but didn’t the S E C have available the resources and inside whistle-blowers and certain outside analysis at their disposal against Madoff at least ten or twelve years ago to at least smell smoke ? (it seems inconceivable that no one confirmed who was clearing all that trading – what would that have taken a telephone call or two ?)

    and in fact, wasn’t the Enron audit team of Arthur Andersen an advocate and supporter for its client’s aggressive and fraudulent accounting ? Didn’t the Arthur Andersen audit culture marginalize Carl Bass who on many occasions was the counterbalance voice of reason against many of those client transactions ?

    an engineer will tell you anyone can build a bridge completely of stone that will survive the ages but it takes a skilled educated experienced craftsman engineer to build one that is just strong enough using just the right amount of material and labor to do the job

    meanwhile yes i also once took your position so i can tell you i have become versed in its attributes as well as its incompleteness and inaccuracy

    the trick is to have a healthy honest approach and not have everyone drinking from the same punch bowl – it wasn’t only a handful of audit failures and more to the point it was over a number of years – there are certain things that i would agree cannot be avoided for a few consecutive years audits but once you are the auditor in the three to five consecutive years plus range, well, i would take a look at your subsequent events testing for one because by then the results are in on prior years and that fact is hard to ignore – year five you should know if year one or two are not kosher

    BTW do you remember what started the rock rolling downhill on Enron ? well historical fact is Skilling quit the week he was to sign the corporate TAX return – coincidence right ?

    back in the day we would start the audit by looking to see what make model and year car every client employee was driving

    anyway i probably would have gone along with the punch bowl crowd myself, so i guess i’m starting to sound hypocritical, but i decided twenty years ago that not knowing what a derivative was or that it took nobel laureates to calculate the current value of an option future, well, i moved to florida and played golf over the past twenty years

    and no i’m still not able to define derivative

    anyway be well


  19. frankD
    frankD says:


    and as an aside i guess i can recommend everyone see the movie THE STING

    when rating agencies contribute by issuing triple-A (public testimonial) quality to the market (the dupes a/k/a investors) as a housekeeping seal of approval on exotic positions (marketed as Collateralized and Secured and Debt-Obligations) and sold by brokers (commissionable in the fifty percent range) who are attracting gigantic flows of funds (again commissionable feeders who do nothing but literally “pass the buck”) whereas rising VALUE is based on emotions and psychology factors (such as greed and avarice) and then blessed by the unsuspecting (auditors?) – clank ! wait stop the music – go to black

    see whoops there it is quid pro quo quod erat demonstrandum – the auditors were part of the problem ! the grease on the wheels of financial machinations

    if you see that movie maybe it will become clearer but please enough with the i didn’t know routine, or if you insist, well okay – welcome back to this planet


  20. frankD
    frankD says:


    mr marks

    isn’t the real issue VALUATION ?

    i can see your list as it pertains to detection and observation but what if everyone agrees on the contractual text of an exotic transaction BUT no one knows how to VALUE it ?


  21. David
    David says:

    The CPA is not in the business of measuring risk or trained to understand risk.

    John Molloy probably said it best that dress was very important for an auditor because nobody has any idea whether they know anything or not, and, therefore, appearance (the subject of John Molloy’s book) was what was most important for an auditor. In other words, looking good is more important than anything else for an auditor because that is the major way that the auditor makes an impression.

    A major problem: Because an auditor is just supposed to be checking other people’s work. If the other person’s work is correct, if the auditor is organized enough to complete a checklist and he or she has a good appearance, then it looks like he is competent. It’s kind of like that Peter Sellers movie “Being There.” You can be a Chauncey Gardiner and keep your job as an auditor if you just look and act the part until a WorldCom, Enron, Madoff feeder fund or Lehman Brothers exposes you.

    So basically you have these MBAs at the banks constantly scheming to inflate income to inflate their bonuses and they are going against auditors who really aren’t that sharp and generally haven’t been tested. It’s a complete mismatch.

  22. Rod G
    Rod G says:

    Some of the comments that I have read here are to me just defensive Bull, that sound all high-minded and independent; but that is the point, an independent audit that the actual users of these services can take and put some reliance & make decisions on, and not just the people/company paying for it. Wow what a concept; but it sure looks like it has been lost by many in this profession. The big 4 have become/are a mirror of the too big to fail big banks and the Wall St. firms, where profits and the bonus culture rules; but where the backseat has now become independent work and the rules of professional practice. It sure sounds to me like this may have spread a lot further than the Big 4, which is really sad and very troubling.

  23. Tenacious Truman
    Tenacious Truman says:

    anony @ 21 —

    You are correct that seniors and managers also too often lack necessary industry knowledge. When I wrote my post @ 8, what I was thinking was that they would be on the same engagement for a few years and would absorb some industry knowledge, simply through time on the job. That was an assumption — possibly an optimistic one.

    Obviously the worst case is where the partner as well as Sr. Manager(s) and Managers all lack the requisite knowledge and experience to shape and tailor audit procedures to match risk. My experience is that the good audit teams are aware of their lack of industry knowledge and work to get it. But experience can only be gained through experience, and that takes time.

    — Tenacious T.

  24. I Just Work Here
    I Just Work Here says:

    Frank D,

    I don’t think you are helping Francine’s argument against top-down-risk-based audits with your comments. Many of the examples you are citing are from a time BEFORE firms switched to the “Risk Based” approach.

    Then your statement about building a bridge that fits “just right” for the job is actually supporting a “risk based” approach. How do you think the engineer determines what “just right” is? He assesses the risks, and engineers a bridge to meet them.

    The “Risk Based” approach is the right one in an audit. The issue is more around how that approach may be executed by certain audit teams. Companies simply do not want to pay for a bottom-up audit, and nor should they. A bottom-up audit has too much waste, cost, and puts too much burden on the employees of a company.

    Personally the approach I think that works best is risk based with a healthy dose of auditor skepticism.

  25. frankD
    frankD says:


    RE your post above #25

    that reminds me of what one of my audit professors once said “i am often asked how do you know when you’ve done enough testing and i would say that point is reached when you have fourteen pounds of workpapers”

    prof brown, although he was retired from a big 8 at the time i had his audit class at pace univ, he was at some stage president of the new jersey society of CPA’s and would also remind us that once the audit was completed, the audit team should head for the most remote undisclosed location possible until the day report was issued publicly

    on the other comment, well, the auditors are as capable and educated and motivated as management personnel, however, management will always have the benefit of any doubt and in the end the client as the one picking up the tab will always call the tune – meanwhile, yes i did experience a perverse pleasure, as asst controller of a major non-union hotel operation, i was asked by upper executives to appease the labor unions, so i devised a scheme to overpay workers comp insurance and then get a year end refund, the refund with the corporate treasurer as payee was then paid out to union leadership in exchange for kid glove handling at the non-union operations level, thereby hiding a slush fund from our big 8 auditors

    so yes the auditor may in fact be in position to be duped and maybe the audit function is so toothless that it is a meaningless financial exercise the fact of the matter is it can no longer remain relevant in its current watered down value and diminished utility

    anyway that’s enough from me here

    be well


  26. IJustWorkHere
    IJustWorkHere says:

    FrankD… that last post explains a lot. There are too many people out there that are willing to do whatever “upper executives” ask of them. It’s precisely because of that we need auditors in the first place. Sounds like you are more of the problem than the solution.

    It’s also true that there are people in audit firms that are willing to do whatever the Partner asks. That’s why things like this blog exist. My issue is that too often (not always) this blog holds audit firms to an unrealistic standard, and rarely gives credit where it is due.

    What do I know though?


  27. David
    David says:

    I don’t accept the bridge analogy discussed here.

    A more appropriate analogy is that if you are 95% certain that there is no material misstatement in the financial statements, and you need to triple your sample to get to 99%, is it worth doing so? Probably not.

    But I think the problem is that the auditors weren’t even close. If a company reported a profit of $1 billion and actually had a profit of $500 million, that is a material misstatement. If the company should have reported a loss of $2 billion and instead reported a profit of $1 billion, I can’t see this as a failure to do tests. The problem is that whatever tests were performed weren’t performed competently.

  28. frankD
    frankD says:

    i just work here,

    in regard to your statement, “sounds like you are more of the problem than the solution”, yes i agree – that is why i quit – my example merely was to illustrate how easy it is, however, now the compensation amounts are astronomical so it isn’t as easy today as it was for me to walk away but i saw then that the whole financial industry game was probably rigged

    and yes, the partner at the firm may be the problem, for example as at arthur andersen partner on enron, so of course the staff needs to either play that part or part company and people making good money will have a difficult time quitting

    so today you have one lying (the client) and the other swearing to it (the auditor) – so my bigger point is the auditor has become part of the problem and the entire financial exercise completely irrelevant

    some say the only reason auditors are used today is so duped investors have another entity to sue for recovery and clients do “shop” audit firms and so you see the liars and cheats become the rainmakers and that gives them the cover they need and round and round the circus travels

    not that this sentiment didn’t exist back in my day but it was limited to pink sheet entities publicly traded and audited but known to be bogus totally at the other end of the spectrum of the blue chip entities – but even back then it was all considered prostitution only that some operated from the penthouse and others operating from the outhouse and all others somewhere in between

    the whole thing is gambling and thereby gaming the system is the idea of the entire industry foundation – and the auditors either go along to get along or will be replaced by some other rating procedure

    it’s easier today to find an honest afghan police officer

    anyway be well


  29. I TOLD YOU SO
    I TOLD YOU SO says:

    Many of these comments are arguing about individual trees in a forest fire.

    Look what is happening to Goldman today. Where were these inquiries 1 year ago?

    While the attention value is to get philosophical about Lehman, Goldman was pulling the rochambeau right in front of everyone.

  30. frankD
    frankD says:


    PS on risk based discussion here i would hold that any time you do not physically observe firsthand the event or transaction any thing else designed to do less, statistical sampling for example, the real RISK is “will you miss something ?” it never made sense to me anyway that calculating materiality to explain away additional testing could be relied upon if you don’t know the value of all the missing pieces

    moreover i can see one year or so audit results being deficient with the benefit of hindsight but if an audit firm has five or eight years of consecutive audit procedures experience on any client it is IMPOSSIBLE for any surprises to exist on issues that have been in question during that period IF the audit has been performed adequately

    with this compiled experience and insight to the client then the “engineer” can build an efficient bridge using reduced resources to pinpoint and focus on material valuation and recognition issues

    my guess is that the same way the SEC was deficient and sitting on its hands so were the audit firms relying more on confusing words and contradicting positions to avoid being sued rather than any real testing and inquiry and meaningful attestations – everyone was drinking from the same punchbowl

    but i do appreciate why someone would want to defend their position but i think the size and scope and quantity of major AUDIT FAILURES indicate the industry foundation was rotten to the core and the entire structure, regardless of the words used to explain it away, was simply a co-conspirator willingly aiding and abetting in the mud – or else there would have been mass employee defections from the audit firms

    otherwise one is just looking for a new excuse to explain the defect as to be expected

    anyway that’s all i need to say


  31. Narcisse Dansou
    Narcisse Dansou says:

    Francine makes some very good points here. I have no professional experience in the area of audit however I do have an accounting degree. Additionally, I am friends with some audit staff professionals and they sometimes give me the low down on how they operate in the field. The truth is some audit firms are only concerned with completing the audit engagement at the lowest cost possible. It seems to be all about maximizing profit. It is also about keeping clients very happy. Audit staff members try not to do anything to upset clients because the latter are potential future employers… we all know about the revolving door…
    In a nutshell, accounting firms put on themselves so much pressure that they are unable to conduct their audit engagement with a healthy level of independence. Auditing firms should be setting the tone throughout the engagement and not a company’s management. With all that said, I believe Norman Marks makes some very valid points when he questions the arrogance and incompetence of some of the audit staff professionals.
    All in all, this is a very nice and informative piece of writing that generated, I must say, a very constructive debate on ways to improve auditing procedures and make them more effective.
