Vous êtes sur la page 1sur 4

How Audits Must Change

Auditors face more pressure to find fraud.


Kris Frieswick, CFO Magazine
Auditors have been on the defensive since Arthur Andersen LLP was shut down in the wake of the Enron scan-dal. But by this
point, with the massive accounting fraud revealed at health-care behemoth HealthSouth Corp., all the remaining Big Four have
been tarnished. Today, auditors are fighting a battle on two fronts. On one, they must defend their battered integrity their
very stock in trade. On the other, they are challenged to explain why they should not be expected to find accounting fraud
although they have long maintained that they can't.They are faltering on both fronts. "I've never seen a time when auditor
credibility has been called into question the way it is now," says Chuck Landes, director of the audit and attest standards team
at the American Institute of Certified Public Accountants (AICPA). And with audit-malpractice settlements hitting all-time
highs, the courts are making it clear that they do expect auditors to find fraud, regardless of the profession's insistence to the
contrary.Shaken by the Andersen example, Section 404 of the Sarbanes-Oxley Act of 2002, and the size of the settlements,
accounting firms are changing the way audits are conducted. One auditor, PricewaterhouseCoopers, has broken with the pack
and stated publicly that auditors must accept more responsibility for finding fraud.But by and large, accountants still maintain
that if a company wants to commit fraud, the auditors can't catch it. Asked to define auditors' responsibility for detecting fraud,
Timothy P. Flynn, vice chair for audit and risk advisory services at KPMG LLP, responds by quoting from the AICPA's 1997
statement on the matter, SAS No. 82: "to plan and perform the audit to obtain reasonable assurance about whether the financial
statements are free of material misstatement, whether caused by error or fraud." It's unreasonable, in other words, to expect
auditors to detect any and all fraud.Many financial executives agree. And proposed changes to auditing practices will
encounter an especially well funded and inhospitable political environment. Nonetheless, with the cost of corporate fraud
estimated at $600 billion annually according to the Association of Certified Fraud Examiners pressure on auditors to
reduce this number is going to intensify.
Dj vu
Sarbanes-Oxley doesn't mark the first attempt to improve the audit process. During the 1970s, '80s, and '90s, a series of
commissions the Cohen Commission in 1978, the Treadway Commission in 1987, the Jenkins Committee in 1994, the
Committee of Sponsoring Organizations in 1999, and the Panel on Audit Effectiveness of the Public Oversight Board, or POB
in 2000 issued reports recommending changes. Through the AICPA, the profession vowed to change, and approved new
audit-standards language creating more audit-design procedures, tests of controls, and interpretations of accounting
standards.Notably absent were recommendations to view client financial statements skeptically and conduct audits
accordingly. Not until 1988 was any AICPA auditing standard written using the word fraud, and not until 2002, when SAS No.
99 was issued, did the institute directly state that auditors should not assume that a client's management is honestly reporting
results.The POB's 2000 Panel on Audit Effectiveness, considered the most comprehensive study of the profession ever done,
called for auditors to use forensic techniques in every audit, assume the possibility of management dishonesty, and incorporate
an element of surprise into audits. After spending two years in committee at the AICPA, the suggestions finally emerged in
much-watered-down form as SAS No. 99. For instance, the strongly worded POB report called for auditors to "modify the
otherwise neutral concept of professional skepticism and presume the possibility of dishonesty at various levels of
management including collusion, override of internal control, and falsification of documents." It recommends a
forensic/fieldwork phase during every audit of a public company. SAS No. 99, in contrast, focuses more on risk assessment
than on forensic procedures. "The AICPA was happy with the way things were," says Arthur Bowman, editor of Bowman's
Accounting Report.
The New Sheriff In Town
The AICPA's reluctance to make dramatic changes may explain why Congress transferred responsibility for setting standards
to the PCAOB. The board's newly named chief auditor, Douglas Carmichael, who has gone from writing audit standards to
testifying as an expert witness against audit firms, calls current auditing standards "a lot of explanation about what an auditor
does or might do, and very little about what he is required to do."
Carmichael's appointment to the PCAOB has been applauded by a variety of observers. Industry critics love him because they
believe he will be less influenced by both corporate finance executives looking to hold down costs and by the industry itself.
Frank Borelli, former CFO of Marsh & McLennan Cos. and chairman of the Express Scripts Inc. audit committee, lauds the
appointment as well. "Carmichael is going to make a difference," he says. "I'm glad to see they appointed someone with that
kind of vigilance. That's the only way we're going to see if auditors are doing what we want them to do."
The fundamental question is: What do we want them to do? What is the point of an audit? Auditors and companies contend
that the purpose of an audit is to back up a company's contention that its numbers are "reliable." "An audit is a test of a
company's records that backs up the company's representation of the company results," says Greg Weaver, national managing
partner for assurance at Deloitte Touche Tohmatsu. "We're doing a test of assertions."
But can auditors be sure results are reliable without testing for fraud? Auditors say it's not that they don't want to catch fraud,
but since it's impossible to catch it 100 percent of the time, they shouldn't be held responsible if they miss it. "We get it right
98 percent of the time," says Weaver. "But to do 100 percent verification, you'd basically be recreating the records. There's no
way that anyone could do that at a cost the public would consider acceptable."
History of a Profession
Historically, accounting has been considered a highly professional and trustworthy profession. Firms have always trained new

accountants in the audit function, but with keen oversight from senior partners who saw their firm's integrity riding on every
engagement.
At the same time, auditors have always called their customers "clients," and have worked hard to cultivate them. Partners
routinely entertained clients two to three nights a week, and not uncommonly moved on to work in their clients' firms. But the
inherent conflicts of these relationships were kept in check by the firm's commitment to professionalism.
All that changed as consulting services grew, spurred on by increased IT consulting work in the late 1970s and early '80s. By
the mid-'80s, the AICPA had lifted its ban on advertising. Revenue generation became the foundation on which the partners'
compensation was based. Revenues for management consulting in early 1999 accounted for more than 50 percent of the Big
Five's revenue stream as a whole.
The audit function itself became a commodity service a loss leader accounting firms offered in conjunction with vastly
more lucrative consulting fees. As they competed more aggressively on price, they were forced to shrink the number of
procedures performed for the audit. Auditors claim these reductions didn't harm audit quality, but it often meant they used
increasingly computer-based test controls and statistical models, and fewer of the basic, time-consuming auditing practices that
could increase the likelihood of finding fraud site visits to multiple locations, observation of assets, or random sampling at
nonmaterial levels.
In addition, junior auditors were often assigned the crucial oversight roles usually filled by senior partners, who were
increasingly busy selling to prospective clients. "A lot of the audit changes were [prompted by] competitive proposals based on
pricing decisions by management," says Ellen Masterson, global head of audit methodology at PwC and point person for the
firm's new antifraud auditing initiative, "and as a profession we allowed that to happen."
Roster of Reforms
The Sarbanes-Oxley provisions that make the auditors report to the audit committee will somewhat increase the distance
between management and auditing firm. The act also places far more responsibility for the integrity of the financial statements
on audit-committee members, who can be prosecuted by the Securities and Exchange Commission for fraudulently influencing
or misleading a company's auditors. "Uppermost in the [client management's] mind was reducing the cost of the audit," says
Masterson. "They pressured auditors to do the minimum. Now, with the untold number of fraudulent activities by managers,
the minimum is not where we should be. We spent 15 years in a cost-pressured audit situation, and now we have a lot more
interest in quality audits by those who hire us the audit committee."
With nervous audit committees calling the shots, and with a far-less-accommodating PCAOB about to start dictating standards
for auditors, accounting firms are seeing the writing on the wall. PwC is going to implement a program involving the use of
extended procedures performed by fraud specialists at a subset of its audit engagements. "For so long we've said we're not
responsible for detection of fraud," says Masterson. "In the court of public opinion, however, that's not holding true. We
recognize that if the books and records don't reflect the company's performance, it's our responsibility."
Here Masterson is bridging the semantic barrier between "detecting fraud" and "attesting to reliable financial statements."
While her peers might not go quite so far, they are taking the initiative to add forensic (or investigative) capabilities to their
audits. KPMG, for instance, added more than 300 "forensic professionals," including some who trained at the Federal Bureau
of Investigation, who will take part in some routine audits. At one recent audit, KPMG ran all the addresses of a client's
vendors to see if any of them matched a list of rental post office box addresses a hallmark of a fictitious vendor. It found 17
addresses fitting that description. The firm is also launching a pilot program to conduct due-diligence-type reviews on certain
audits.
Deloitte is comparing clients' financial results with those of their industry peers, and taking a closer look at outliers. All the
firms are adopting new software programs that will allow them to more quickly run checks for duplicate addresses, duplicate
employees, or statistical outliers that may be red flags for fraudulent activity.
They all report spending much more time working with clients to meet the reporting standards set out in Section 404 of
Sarbanes-Oxley, which require companies to attest to the internal controls they have in place to deter fraud. They are also
dropping more high-risk companies than in previous years, and are subjecting clients to closer scrutiny. In addition, they are
stressing the importance of management involvement in creating controls that inhibit fraud, and they are fosterng an
institutional intolerance for fraudulent behavior. CFOs report that above all, auditors are becoming far more confrontational
and less congenial in their audits.
Meanwhile, new auditor independence rules will remove many of the auditors' incentives to use audit services as a loss leader
and to reduce the number of audit procedures, or overlook questionable accounting treatments. SAS No. 99 encourages
auditors to be more skeptical, vary materiality levels, and "start thinking like a fraudster," says Landes. The standard also goes
into great detail about how to structure a risk assessments to identify highest risk areas at a client, and how to structure an audit
to best catch material misstatement.
Shoe Leather and Gray Haire
While the new initiatives are impressive and may help catch more fraud, critics say that they don't go quite far enough because
there are still holes in basic audit methodology and structure.
"If insiders are perpetrating fraud, I agree that it is almost impossible to find it," says Arthur Bowman. "But if there's a general
failure of audit firms, it's that the individual auditor is not doing his or her job properly. We have too many rules, and we need
to get back to principles-based work. It comes down to individuals failing."
The most damaging failure is that many of the new forensic antifraud measures are targeted at the employee level. According
to a recent E&Y survey, although individuals on the company payroll committed 85 percent of the worst frauds, more than half
of those company insiders were from the management level.

At the end of the day, management is still writing the check for the audit. Although the new reporting lines mandated by
Sarbanes-Oxley may ease this inherent conflict, it's not likely to go away. Even though they are required to report to audit
committees, auditors still spend their days with management.
"It's not as if auditors are being managed directly day-to-day by the audit committee," says Jay Morse, CFO of The
Washington Post Co., who says he has seen an increase in auditor scrutiny at his company. "Boards don't have time for that.
Most directors don't have the expertise. The audit committees will get more involved, but taking a strong managerial role just
won't happen."
Robert Halliday, CFO of Varian Semiconductor Equipment Associates Inc., in Gloucester, Massachusetts, thinks auditors can't
be skeptical if they don't understand what they're looking at. "They have so much mechanical work no one stands back,
thinks about it, and asks, 'Does all this make sense?'" he says. "But auditors can only do that if they have experience or if they
know the industry. Gray hair is helpful."
Under cost pressure, firms put less-senior auditors in charge of tasks more suitable for experienced auditors. "When people say
that audit quality has decreased, that's what they're talking about less-experienced people," says Frank Borelli. "We have to
have specialist auditors who know the industry from a high level of experience, and these are the people who should be
supervising the audits instead of selling new business."
Deloitte says it is reviewing its staffing plans for audits, and it now requires two audit-partner reviews for particularly risky
engagements. "Every audit is different, and we have to make sure we have the right level of people on the audit," says Weaver
at Deloitte. "There's no substitute for experienced people."
Carmichael faults auditors for failing to aggressively implement recommendations in the 2000 POB report that call for more
"tests of details" instead of relying so heavily on tests of controls. "Audit firms seem to find ways not to go out to locations,
and to do less of the type of work that involves actually counting things, observing physical inventory, doing test counts," he
says. "It's required, but when a company has multiple locations, it gets complicated." But this has been a concern for some
time. When auditors do test transactions, they frequently only sample above a certain dollar amount, he says, and are too
predictable in their approach, "which is a problem more often than I'd like to see."
Audit firms contend they have always conducted the "shoe-leather work" that is a foundation of the audit process, but some
CFOs disagree. "I suspect that in an effort to hold down fees and make the auditing profession more attractive to young
people," says Morse, "they've cut out a lot of that type of grunt work. It's not very appealing, but at some point you have to
ask: Did anyone on the audit engagement do anything substantive?"
The Reporting Problem
Some critics of the state of auditing don't blame the auditors as much as the financial reporting that they have to work with.
Walter P. Schuetze, former SEC chief accountant and chairman of two audit committees, says that as long as management is
allowed to estimate so much of a financial statement, auditors' hands will be tied. "The way accounting rules are written,
management has control of the numbers," says Schuetze. "Auditors have no traction to change the numbers."
He advocates fair-value accounting for all assets and liabilities, thus ensuring that a third party is involved in evaluating the
market, not historical, value. With third-party involvement, overstating assets la HealthSouth would be much more difficult,
because someone would verify each item. Barring that change, he adds, auditors must be more diligent in seeking underlying
evidence to prove the existence of assets and liabilities "instead of just accepting a copy of an invoice. We need to require
evidence," insists Schuetze. "There's a difference between evidence and hearsay. If auditors presented a court of law with a lot
of the backup material that they base their findings on, they'd get thrown out because it's all hearsay.
"Peekaboo" Takes Charge
PCAOB personnel will now take over the peer-review process once administered by the AICPA, says Carmichael. "There's
obviously a need for better training," he says. "For our inspections, we'll come in and select audit engagements to review, and
we'll see whether there's conformity to standards. We'll be able to tell if they should be giving their people better training and if
they're getting the basics right."
Even auditors seem pleased that the PCAOB has taken over standards setting. They see an opportunity for the board to
mandate a clearly defined "bright line" minimum for the basic audit work that is now recognized as crucial in finding fraud,
but that often gets pared back by auditors' cost concerns. Deloitte's Weaver states the obvious: "I don't think there's any
objection by us to doing more-expansive audits. But it needs to be an obligation that is established by the PCAOB. Mr.
Carmichael can have a significant influence on what those standards are and apply them consistently across all companies.
Then we'll have an obligation that we must meet, and companies will have to pay for it."
Talk like that makes CFOs nervous, especially in light of the increased compliance costs associated with Sarbanes-Oxley.
Auditors will already have to do more extensive work because of Section 404 of the act (which requires auditors to review and
sign off on management's attestation of internal controls, and is expected to bump audit fees by 35 percent, according to a
recent study by Financial Executives International). But CFOs are justifiably concerned that if the PCAOB mandates a more
expansive "standard minimum" audit for all companies, it would give auditors carte blanche to charge more for a level of audit
quality that they should have been providing all along. "If auditors ask for a massive fee increase, you have to ask, what are
you going to be doing differently now that you weren't doing before?" says Bob Agate, former CFO of Colgate-Palmolive and
chairman of the audit committee at The Timberland Co.
For its part, the AICPA has publicly stated that it embraces the work of the new oversight board, and that "it doesn't matter
who comes up with the better mousetrap," says Landes. Despite statements to the contrary, the AICPA is not making the
transition easy. Even after the PCAOB was given authority to set all future audit standards, the AICPA issued an exposure draft
for new rules on implementation of Section 404, eliciting a stern rebuke from the SEC, which reminded the association that it
was no longer responsible for auditing standards.

The most ironic element of the transition is that the AICPA holds the copyright for all of the auditing standards it has drafted
since it began issuing them 60-plus years ago. Until the PCAOB writes its own standards, it must use the ones the AICPA
wrote, and some reports indicate that the AICPA is trying to charge the board a fee for their use. Landes wouldn't comment on
the allegation, saying only that "we want to find a satisfactory arrangement that will allow the PCAOB to do the work that is
before it. But we're also cognizant of our members' interests and the assets of the AICPA." Critics say that perhaps that was the
root of the problem all along.
Sidebar: Dissecting HealthSouth
According to the complaint filed by the Securities and Exchange Commission in U.S. District Court for the Northern District
of Alabama against health-care provider HealthSouth Corp. and its former CEO, Richard Scrushy, the company orchestrated a
scheme to overstate earnings in order to hit analyst estimates a scheme concocted in a way to avoid detection by its
auditors, Ernst & Young LLP. Between 1999 and the second quarter of 2002, the company overstated income by $1.4 billion
by making false journal entries overestimating the amount of third-party insurance reimbursement, and by decreasing
expenses.
The firm used the auditor's own processes against it to perpetrate the fraud, according to the complaint. Executives increased
earnings not by boosting revenues directly, which auditors would have been more likely to find, but by reducing a revenueallowance account that was used to record the difference between gross billings and reimbursement amounts expected from
third-party payers. This account, which would then be netted against revenues, has a limited paper trail and is based largely on
estimates, and the amounts booked to the account are more difficult to verify. And because HealthSouth executives knew that
E&Y did not question fixed-asset additions below a certain dollar threshold, it made random entries to its balance-sheet
accounts for fictitious assets worth less than that amount. Senior accounting personnel created false documents to support asset
purchases. In this way, the company allegedly overstated property, plant, and equipment by more than $800 million. It also
overstated cash accounts by $300 million.
So far, 11 executives, including all five former CFOs, have pleaded guilty to participating in the fraud, which prosecutors
believe had gone on since 1986. Scrushy continues to maintain his innocence.
Trouble Enough For All
Fraud cases hit every big-time auditor.
Auditor

Case

Andersen

Enron

Ernst & Young

Global Settlement with


RTC/FDIC

Ernst & Young

Cendant

Deloitte & Touche

Global Settlement with


RTC/FDIC

Andersen

Baptist Foundation

Ernst & Young

Merry-go-round

Price Waterhouse

BCCI

Coopers & Lybrand

Barings Bank

KPMG

Rite Aid

Ernst & Young

AIB Group

Anderson

Sunbeam

Coopers & Lybrand

Maxwell Communications

KPMG

Tricontinental

Ernst & Young

Depco

Andersen

Colonial Realty

Andersen

Waste Management

KPMG

Orange County

KPMG

Oxford Health Plans

Source: AccountingMalpractice.com