Most mid-size to large organizations rely on internal and external audits as a key preventative measure against fraud. The problem is, many CFOs assume that a routine financial audit will reveal financial anomalies that could be fraud. Unfortunately, quite the opposite is true.
Audits almost never find fraud: external audits find it 4% of the time, and internal 15%, according to the Association of Certified Fraud Examiners’ Report to the Nations.
It is not uncommon to hear from non-accountants who incorrectly assume that a clean audit means there is no fraud on the books. This misunderstanding of the purpose of an audit is one of the main reasons why companies rely on them to detect fraud, when that is, in fact, not their true intent.
An audit is a very specific type of financial engagement that is executed to determine whether a company’s financial statements are “reasonably stated.” And while assessing fraud risk is part of those engagements, the procedures associated with most audits are not sufficient to actually root out and prove fraud.
Here are seven reasons why audits don’t typically find fraud.
1. Auditors are nice. Auditors are rule-followers who hold themselves accountable to high honesty and ethical standards. They wouldn’t dream of doing something the “wrong” way; therefore, they can’t comprehend that seemingly nice people would steal from their employer. If they spot something amiss during a routine audit, and in return are given documents or explanations that resolve the anomaly, it is more likely than not that they will proceed with the explanation without obtaining outside substantive documents or evidence to resolve the aberration. Because they presume honesty, auditors often take the explanations and documents at face value.
2. An audit, by its nature, isn’t designed to find fraud. During an audit, auditors look at the financial statements of the company (usually the assets and income figures) and calculate what’s called “materiality.” Materiality is the calculated threshold at which information, if withheld or misrepresented in the financial statements, would impact the decisions of the stakeholders who rely on those documents to make economic decisions. Because of this, auditors look at transactions at or above the materiality level. While this is an effective method of making sure financial statements do not contain material errors, it does not lend itself to detecting fraud. Why? Because taken on an individual basis, fraudulent transactions are not typically at or above the materiality level.
3. A sample doesn’t tell the whole story. During an audit, auditors aren’t looking at everything. They gather random samples of transactions to verify that they were correctly recorded and that the internal controls were in place and working. The odds that a random sampling would include a fraudulent transaction among the thousands of available transactions are extremely small. Put simply: an arbitrary sample doesn’t tell a story or show a pattern. It’s akin to finding a needle in a haystack.
4. Fraudsters are clever. In the remote likelihood the auditor spots a questionable transaction, the oddity can often be easily explained away. That’s because fraudsters are clever: they can produce fake documents or pretend the paperwork has been misplaced, appeasing the busy auditor, who, as was pointed out earlier, assumes best intent, never imagining someone would be dishonest.
5. Fraud often looks like a simple error. Most of the time, fraud doesn’t even look like a “red flag.” It often looks like a regular bookkeeping or accounting error. Humans make mistakes, and it’s certainly not uncommon for a transaction to be entered incorrectly. So long as the number of errors doesn’t trigger the threshold of materiality, those inaccuracies will likely not be further investigated.
6. Auditors are constrained by time and budget. Many people are unaware that, in addition to testing transactions and checking internal controls, auditors are also required to conduct excessive due diligence, file copious paperwork, and conduct peer reviews of their audit processes. With competing deadlines and projects stacked back-to-back, in some cases, an auditor may green-light a company’s books even if something didn’t feel quite “right.” It’s not that the audit wasn’t thorough or was inaccurate, but rather that limited resources and demanding projects lead to auditors not being as thorough as they might like to be.
7. The Scarlet A. In an ode to Nathaniel Hawthorne’s masterwork, it can be asserted that auditors unknowingly have an invisible scarlet A (for auditor) under their respective suits. Their status as an auditor creates a barrier between themselves and the very people they need to talk to, the whistleblowers. And, as mentioned earlier, auditors are nice. They view themselves as likable, approachable, and friendly. Unfortunately, people often view them as scary, unapproachable, and “out to get them.” The result is that auditors are rarely successful in gaining the trust of the very people who have information that can help them.
Most important, though, is the fact that fraudsters are always a company’s most liked and trusted employees. They’ve earned the respect and admiration of their coworkers and supervisors, and often have special privileges and access to company funds. Couple this dynamic with the fact that auditors assume honesty, and the general misunderstanding of what an audit’s purpose is, and it’s easy to see why audits rarely uncover fraud.
Despite this, CFOs need not feel defenseless against fraud. The fact is, management’s due diligence in identifying and assessing risk, addressing known risks with appropriate internal controls and oversight, implementing a hotline, and promoting a culture of honesty can deter or detect the fraudster in the company.
Tiffany Couch is CEO and founder of Acuity Forensics, a forensic accounting firm. She is also the author of “The Thief in Your Company,” a book that explores the financial and emotional impact of fraud on organizations of all sizes. She can be reached at firstname.lastname@example.org.