How Audits Must Change

Auditors face more pressure to find fraud.
Kris FrieswickJuly 1, 2003

Auditors have been on the defensive since Arthur Andersen LLP was shut down in the wake of the Enron scandal. But by this point, with the massive accounting fraud revealed at health-care behemoth HealthSouth Corp., all the remaining Big Four have been tarnished. Today, auditors are fighting a battle on two fronts. On one, they must defend their battered integrity — their very stock in trade. On the other, they are challenged to explain why they should not be expected to find accounting fraud — although they have long maintained that they can’t.

They are faltering own both fronts. “I’ve never seen a time when auditor credibility has been called into question the way it is now,” says Chuck Landes, director of the audit and attest standards team at the American Institute of Certified Public Accountants (AICPA). And with audit-malpractice settlements hitting all-time highs, the courts are making it clear that they do expect auditors to find fraud, regardless of the profession’s insistence to the contrary.

Shaken by the Andersen example, Section 404 of the Sarbanes-Oxley Act of 2002, and the size of the settlements, accounting firms are changing the way audits are conducted. One auditor, PricewaterhouseCoopers, has broken with the pack and stated publicly that auditors must accept more responsibility for finding fraud.

Drive Business Strategy and Growth

Drive Business Strategy and Growth

Learn how NetSuite Financial Management allows you to quickly and easily model what-if scenarios and generate reports.

But by and large, accountants still maintain that if a company wants to commit fraud, the auditors can’t catch it. Asked to define auditors’ responsibility for detecting fraud, Timothy P. Flynn, vice chair for audit and risk advisory services at KPMG LLP, responds by quoting from the AICPA’s 1997 statement on the matter, SAS No. 82: “to plan and perform the audit to obtain reasonable assurance about whether the financial statements are free of material misstatement, whether caused by error or fraud.” It’s unreasonable, in other words, to expect auditors to detect any and all fraud.

Many financial executives agree. And proposed changes to auditing practices will encounter an especially well funded and inhospitable political environment. Nonetheless, with the cost of corporate fraud estimated at $600 billion annually — according to the Association of Certified Fraud Examiners — pressure on auditors to reduce this number is going to intensify.

Deja Vu

Sarbanes-Oxley doesn’t mark the first attempt to improve the audit process. During the 1970s, ’80s, and ’90s, a series of commissions — the Cohen Commission in 1978, the Treadway Commission in 1987, the Jenkins Committee in 1994, the Committee of Sponsoring Organizations in 1999, and the Panel on Audit Effectiveness of the Public Oversight Board, or POB in 2000 — issued reports recommending changes. Through the AICPA, the profession vowed to change, and approved new audit-standards language creating more audit-design procedures, tests of controls, and interpretations of accounting standards.

Notably absent were recommendations to view client financial statements skeptically and conduct audits accordingly. Not until 1988 was any AICPA auditing standard written using the word fraud, and not until 2002, when SAS No. 99 was issued, did the institute directly state that auditors should not assume that a client’s management is honestly reporting results.

The POB’s 2000 Panel on Audit Effectiveness, considered the most comprehensive study of the profession ever done, called for auditors to use forensic techniques in every audit, assume the possibility of management dishonesty, and incorporate an element of surprise into audits. After spending two years in committee at the AICPA, the suggestions finally emerged in much-watered-down form as SAS No. 99. For instance, the strongly worded POB report called for auditors to “modify the otherwise neutral concept of professional skepticism and presume the possibility of dishonesty at various levels of management including collusion, override of internal control, and falsification of documents.” It recommends a forensic/fieldwork phase during every audit of a public company. SAS No. 99, in contrast, focuses more on risk assessment than on forensic procedures. “The AICPA was happy with the way things were,” says Arthur Bowman, editor of Bowman’s Accounting Report.

The New Sheriff in Town

The AICPA’s reluctance to make dramatic changes may explain why Congress transferred responsibility for setting standards to the PCAOB. The board’s newly named chief auditor, Douglas Carmichael, who has gone from writing audit standards to testifying as an expert witness against audit firms, calls current auditing standards “a lot of explanation about what an auditor does or might do, and very little about what he is required to do.”

Carmichael’s appointment to the PCAOB has been applauded by a variety of observers. Industry critics love him because they believe he will be less influenced by both corporate finance executives looking to hold down costs and by the industry itself.

Frank Borelli, former CFO of Marsh & McLennan Cos. and chairman of the Express Scripts Inc. audit committee, lauds the appointment as well. “Carmichael is going to make a difference,” he says. “I’m glad to see they appointed someone with that kind of vigilance. That’s the only way we’re going to see if auditors are doing what we want them to do.”

The fundamental question is: What do we want them to do? What is the point of an audit? Auditors and companies contend that the purpose of an audit is to back up a company’s contention that its numbers are “reliable.” “An audit is a test of a company’s records that backs up the company’s representation of the company results,” says Greg Weaver, national managing partner for assurance at Deloitte Touche Tohmatsu. “We’re doing a test of assertions.”

But can auditors be sure results are reliable without testing for fraud? Auditors say it’s not that they don’t want to catch fraud, but since it’s impossible to catch it 100 percent of the time, they shouldn’t be held responsible if they miss it. “We get it right 98 percent of the time,” says Weaver. “But to do 100 percent verification, you’d basically be recreating the records. There’s no way that anyone could do that at a cost the public would consider acceptable.”

History of a Profession

Historically, accounting has been considered a highly professional and trustworthy profession. Firms have always trained new accountants in the audit function, but with keen oversight from senior partners who saw their firm’s integrity riding on every engagement.

At the same time, auditors have always called their customers “clients,” and have worked hard to cultivate them. Partners routinely entertained clients two to three nights a week, and not uncommonly moved on to work in their clients’ firms. But the inherent conflicts of these relationships were kept in check by the firm’s commitment to professionalism.

All that changed as consulting services grew, spurred on by increased IT consulting work in the late 1970s and early ’80s. By the mid-’80s, the AICPA had lifted its ban on advertising. Revenue generation became the foundation on which the partners’ compensation was based. Revenues for management consulting in early 1999 accounted for more than 50 percent of the Big Five’s revenue stream as a whole.

The audit function itself became a commodity service — a loss leader accounting firms offered in conjunction with vastly more lucrative consulting fees. As they competed more aggressively on price, they were forced to shrink the number of procedures performed for the audit. Auditors claim these reductions didn’t harm audit quality, but it often meant they used increasingly computer-based test controls and statistical models, and fewer of the basic, time-consuming auditing practices that could increase the likelihood of finding fraud — site visits to multiple locations, observation of assets, or random sampling at nonmaterial levels.

In addition, junior auditors were often assigned the crucial oversight roles usually filled by senior partners, who were increasingly busy selling to prospective clients. “A lot of the audit changes were [prompted by] competitive proposals based on pricing decisions by management,” says Ellen Masterson, global head of audit methodology at PwC and point person for the firm’s new antifraud auditing initiative, “and as a profession we allowed that to happen.”

Roster of Reforms

The Sarbanes-Oxley provisions that make the auditors report to the audit committee will somewhat increase the distance between management and auditing firm. The act also places far more responsibility for the integrity of the financial statements on audit-committee members, who can be prosecuted by the Securities and Exchange Commission for fraudulently influencing or misleading a company’s auditors. “Uppermost in the [client management’s] mind was reducing the cost of the audit,” says Masterson. “They pressured auditors to do the minimum. Now, with the untold number of fraudulent activities by managers, the minimum is not where we should be. We spent 15 years in a cost-pressured audit situation, and now we have a lot more interest in quality audits by those who hire us — the audit committee.”

With nervous audit committees calling the shots, and with a far-less-accommodating PCAOB about to start dictating standards for auditors, accounting firms are seeing the writing on the wall. PwC is going to implement a program involving the use of extended procedures performed by fraud specialists at a subset of its audit engagements. “For so long we’ve said we’re not responsible for detection of fraud,” says Masterson. “In the court of public opinion, however, that’s not holding true. We recognize that if the books and records don’t reflect the company’s performance, it’s our responsibility.”

Here Masterson is bridging the semantic barrier between “detecting fraud” and “attesting to reliable financial statements.” While her peers might not go quite so far, they are taking the initiative to add forensic (or investigative) capabilities to their audits. KPMG, for instance, added more than 300 “forensic professionals,” including some who trained at the Federal Bureau of Investigation, who will take part in some routine audits. At one recent audit, KPMG ran all the addresses of a client’s vendors to see if any of them matched a list of rental post office box addresses — a hallmark of a fictitious vendor. It found 17 addresses fitting that description. The firm is also launching a pilot program to conduct due-diligence-type reviews on certain audits.

Deloitte is comparing clients’ financial results with those of their industry peers, and taking a closer look at outliers. All the firms are adopting new software programs that will allow them to more quickly run checks for duplicate addresses, duplicate employees, or statistical outliers that may be red flags for fraudulent activity.

They all report spending much more time working with clients to meet the reporting standards set out in Section 404 of Sarbanes-Oxley, which require companies to attest to the internal controls they have in place to deter fraud. They are also dropping more high-risk companies than in previous years, and are subjecting clients to closer scrutiny. In addition, they are stressing the importance of management involvement in creating controls that inhibit fraud, and they are fosterng an institutional intolerance for fraudulent behavior. CFOs report that above all, auditors are becoming far more confrontational and less congenial in their audits.

Meanwhile, new auditor independence rules will remove many of the auditors’ incentives to use audit services as a loss leader and to reduce the number of audit procedures, or overlook questionable accounting treatments. SAS No. 99 encourages auditors to be more skeptical, vary materiality levels, and “start thinking like a fraudster,” says Landes. The standard also goes into great detail about how to structure a risk assessments to identify highest risk areas at a client, and how to structure an audit to best catch material misstatement.

Shoe Leather and Gray Hair

While the new initiatives are impressive and may help catch more fraud, critics say that they don’t go quite far enough because there are still holes in basic audit methodology and structure.

“If insiders are perpetrating fraud, I agree that it is almost impossible to find it,” says Arthur Bowman. “But if there’s a general failure of audit firms, it’s that the individual auditor is not doing his or her job properly. We have too many rules, and we need to get back to principles-based work. It comes down to individuals failing.”

The most damaging failure is that many of the new forensic antifraud measures are targeted at the employee level. According to a recent E&Y survey, although individuals on the company payroll committed 85 percent of the worst frauds, more than half of those company insiders were from the management level.

At the end of the day, management is still writing the check for the audit. Although the new reporting lines mandated by Sarbanes-Oxley may ease this inherent conflict, it’s not likely to go away. Even though they are required to report to audit committees, auditors still spend their days with management.

“It’s not as if auditors are being managed directly day-to-day by the audit committee,” says Jay Morse, CFO of The Washington Post Co., who says he has seen an increase in auditor scrutiny at his company. “Boards don’t have time for that. Most directors don’t have the expertise. The audit committees will get more involved, but taking a strong managerial role just won’t happen.”

Robert Halliday, CFO of Varian Semiconductor Equipment Associates Inc., in Gloucester, Massachusetts, thinks auditors can’t be skeptical if they don’t understand what they’re looking at. “They have so much mechanical work — no one stands back, thinks about it, and asks, ‘Does all this make sense?’” he says. “But auditors can only do that if they have experience or if they know the industry. Gray hair is helpful.”

Under cost pressure, firms put less-senior auditors in charge of tasks more suitable for experienced auditors. “When people say that audit quality has decreased, that’s what they’re talking about — less-experienced people,” says Frank Borelli. “We have to have specialist auditors who know the industry from a high level of experience, and these are the people who should be supervising the audits instead of selling new business.”

Deloitte says it is reviewing its staffing plans for audits, and it now requires two audit-partner reviews for particularly risky engagements. “Every audit is different, and we have to make sure we have the right level of people on the audit,” says Weaver at Deloitte. “There’s no substitute for experienced people.”

Carmichael faults auditors for failing to aggressively implement recommendations in the 2000 POB report that call for more “tests of details” instead of relying so heavily on tests of controls. “Audit firms seem to find ways not to go out to locations, and to do less of the type of work that involves actually counting things, observing physical inventory, doing test counts,” he says. “It’s required, but when a company has multiple locations, it gets complicated.” But this has been a concern for some time. When auditors do test transactions, they frequently only sample above a certain dollar amount, he says, and are too predictable in their approach, “which is a problem more often than I’d like to see.”

Audit firms contend they have always conducted the “shoe-leather work” that is a foundation of the audit process, but some CFOs disagree. “I suspect that in an effort to hold down fees and make the auditing profession more attractive to young people,” says Morse, “they’ve cut out a lot of that type of grunt work. It’s not very appealing, but at some point you have to ask: Did anyone on the audit engagement do anything substantive?”

The Reporting Problem

Some critics of the state of auditing don’t blame the auditors as much as the financial reporting that they have to work with. Walter P. Schuetze, former SEC chief accountant and chairman of two audit committees, says that as long as management is allowed to estimate so much of a financial statement, auditors’ hands will be tied. “The way accounting rules are written, management has control of the numbers,” says Schuetze. “Auditors have no traction to change the numbers.”

He advocates fair-value accounting for all assets and liabilities, thus ensuring that a third party is involved in evaluating the market, not historical, value. With third-party involvement, overstating assets à la HealthSouth would be much more difficult, because someone would verify each item. Barring that change, he adds, auditors must be more diligent in seeking underlying evidence to prove the existence of assets and liabilities “instead of just accepting a copy of an invoice. We need to require evidence,” insists Schuetze. “There’s a difference between evidence and hearsay. If auditors presented a court of law with a lot of the backup material that they base their findings on, they’d get thrown out because it’s all hearsay.”

“Peekaboo” Takes Charge

PCAOB personnel will now take over the peer-review process once administered by the AICPA, says Carmichael. “There’s obviously a need for better training,” he says. “For our inspections, we’ll come in and select audit engagements to review, and we’ll see whether there’s conformity to standards. We’ll be able to tell if they should be giving their people better training and if they’re getting the basics right.”

Even auditors seem pleased that the PCAOB has taken over standards setting. They see an opportunity for the board to mandate a clearly defined “bright line” minimum for the basic audit work that is now recognized as crucial in finding fraud, but that often gets pared back by auditors’ cost concerns. Deloitte’s Weaver states the obvious: “I don’t think there’s any objection by us to doing more-expansive audits. But it needs to be an obligation that is established by the PCAOB. Mr. Carmichael can have a significant influence on what those standards are and apply them consistently across all companies. Then we’ll have an obligation that we must meet, and companies will have to pay for it.”

Talk like that makes CFOs nervous, especially in light of the increased compliance costs associated with Sarbanes-Oxley. Auditors will already have to do more extensive work because of Section 404 of the act (which requires auditors to review and sign off on management’s attestation of internal controls, and is expected to bump audit fees by 35 percent, according to a recent study by Financial Executives International). But CFOs are justifiably concerned that if the PCAOB mandates a more expansive “standard minimum” audit for all companies, it would give auditors carte blanche to charge more for a level of audit quality that they should have been providing all along. “If auditors ask for a massive fee increase, you have to ask, what are you going to be doing differently now that you weren’t doing before?” says Bob Agate, former CFO of Colgate-Palmolive and chairman of the audit committee at The Timberland Co.

For its part, the AICPA has publicly stated that it embraces the work of the new oversight board, and that “it doesn’t matter who comes up with the better mousetrap,” says Landes. Despite statements to the contrary, the AICPA is not making the transition easy. Even after the PCAOB was given authority to set all future audit standards, the AICPA issued an exposure draft for new rules on implementation of Section 404, eliciting a stern rebuke from the SEC, which reminded the association that it was no longer responsible for auditing standards.

The most ironic element of the transition is that the AICPA holds the copyright for all of the auditing standards it has drafted since it began issuing them 60-plus years ago. Until the PCAOB writes its own standards, it must use the ones the AICPA wrote, and some reports indicate that the AICPA is trying to charge the board a fee for their use. Landes wouldn’t comment on the allegation, saying only that “we want to find a satisfactory arrangement that will allow the PCAOB to do the work that is before it. But we’re also cognizant of our members’ interests and the assets of the AICPA.” Critics say that perhaps that was the root of the problem all along.

Dissecting HealthSouth

According to the complaint filed by the Securities and Exchange Commission in U.S. District Court for the Northern District of Alabama against health-care provider HealthSouth Corp. and its former CEO, Richard Scrushy, the company orchestrated a scheme to overstate earnings in order to hit analyst estimates — a scheme concocted in a way to avoid detection by its auditors, Ernst & Young LLP. Between 1999 and the second quarter of 2002, the company overstated income by $1.4 billion by making false journal entries overestimating the amount of third-party insurance reimbursement, and by decreasing expenses.

The firm used the auditor’s own processes against it to perpetrate the fraud, according to the complaint. Executives increased earnings not by boosting revenues directly, which auditors would have been more likely to find, but by reducing a revenue-allowance account that was used to record the difference between gross billings and reimbursement amounts expected from third-party payers. This account, which would then be netted against revenues, has a limited paper trail and is based largely on estimates, and the amounts booked to the account are more difficult to verify. And because HealthSouth executives knew that E&Y did not question fixed-asset additions below a certain dollar threshold, it made random entries to its balance-sheet accounts for fictitious assets worth less than that amount. Senior accounting personnel created false documents to support asset purchases. In this way, the company allegedly overstated property, plant, and equipment by more than $800 million. It also overstated cash accounts by $300 million.

So far, 11 executives, including all five former CFOs, have pleaded guilty to participating in the fraud, which prosecutors believe had gone on since 1986. Scrushy continues to maintain his innocence.

Trouble Enough for All
Fraud cases hit every big-time auditor.
Auditor Case
Andersen Enron
Ernst & Young Global Settlement with RTC/FDIC
Ernst & Young Cendant
Deloitte & Touche Global Settlement with RTC/FDIC
Andersen Baptist Foundation
Ernst & Young Merry-go-round
Price Waterhouse BCCI
Coopers & Lybrand Barings Bank
KPMG Rite Aid
Ernst & Young AIB Group
Anderson Sunbeam
Coopers & Lybrand Maxwell Communications
KPMG Tricontinental
Ernst & Young Depco
Andersen Colonial Realty
Andersen Waste Management
KPMG Orange County
KPMG Oxford Health Plans