Paul Munter, the SEC’s Acting Chief Accountant, seems to think so. In this Statement, Munter expresses his concern that, in conducting audits, auditors are not adequately making use of the “fraud lens”—a focus on the consideration of fraud in the audit—in fulfilling their gatekeeper role. That is, auditors may not be adequately responding to fraud risks and red flags or otherwise exercising “professional skepticism.” It is critical, he said, that auditors evaluate whether the audit has surfaced information that may be indicative of fraud and “how fraud could be perpetrated or concealed by management.” Are auditors exhibiting a type of bias, focusing risk assessments on risks of error and essentially overlooking or minimizing risks of fraud? In light of Munter’s statement, companies could well find that their auditors may be doubling down on their application of professional skepticism. What’s more, some of Munter’s recommendations may prove useful for companies in establishing their own ethics environments and conducting their own fraud risk assessments.
Perhaps speaking with the current worldwide economic and political uncertainty in mind, Munter observes that “any changes to the macroeconomic and geopolitical environment in which companies operate may result in new pressures, opportunities, or rationalizations for fraud. Areas that have historically been a focus for auditors—the tone at the top of a company and the effectiveness of internal controls—appear to be key factors in either exacerbating or mitigating such pressures, opportunities, or rationalizations for fraud.” Accordingly, auditors have “a significant opportunity” to help “identify and address the precursors of financial reporting fraud.”
In his statement, Munter identifies a number of recent “shortcomings” related to fraud detection:
- “PCAOB inspections consistently identify areas of concern involving auditors’ application of due professional care and professional skepticism when considering fraud or where the audit response to fraud risks and red flags was insufficient. PCAOB inspection examples of auditor’s deficiencies include auditors not performing substantive procedures that were specifically responsive to fraud risks (e.g., not performing tests of details, or only performing inquiries), performing insufficient journal entry testing, failing to assess and/or identify revenue recognition as a potential fraud risk, and not communicating fraud risks to audit committees.
- Recent Commission enforcement actions against audit firms and their personnel continue to highlight instances of improper professional conduct by auditors with respect to fraud risks. In these enforcement actions, the Commission alleged that auditors failed to comply with PCAOB standards by, among other things, ignoring red flags and contradictory information and failing to obtain sufficient and appropriate audit evidence.
- Through OCA’s discussions with stakeholders we have heard particularly troubling feedback that auditors many times frame the discussion of their responsibilities related to fraud by describing what is beyond the auditor’s responsibilities and what auditors are not required to do. We find this attitude of focusing on the limits of the auditor’s responsibilities at the outset as opposed to the affirmative requirements with respect to the responsibility to plan and perform the audit to obtain reasonable assurance about whether the financial statements are free from material misstatement, whether caused by error or fraud, deeply concerning, as it could impact an auditor’s mindset or their degree of professional skepticism, and may thereby reduce the likelihood of fraud detection and potentially result in dereliction of professional responsibilities to the public trust.”
Munter advises that audit firms need to establish strong systems of quality controls to support auditors that may face external and internal pressures that can “distract an auditor from appropriately identifying and responding to fraud risks.” For example, audit clients may insist on tight deadlines or apply audit fee pressures; “audit firm or engagement team pressures may include resource constraints, time pressures, budgeting and firm operational metrics, evaluation systems that may inadvertently discourage skepticism among staff auditors, and achieving strong client satisfaction ratings.”
PCAOB auditing standards related to fraud risk require that auditors “set aside any prior beliefs about management’s honesty and integrity.” In distinguishing between error and fraud, intent is a “key point of distinction.” Munter advises that “when considering materiality, auditors should not assume that even small intentional misstatements in the financial statements are immaterial.” Here again, Munter cautions that auditors need to be mindful of biases, such as the mindset of “trust but verify,” which “may represent potential bias if it is anchored in the belief that management is honest and has integrity. Such a mindset may interfere with an auditor’s ability to effectively evaluate signs of fraud when evaluating misstatements or to objectively challenge evidence provided by management.”
Auditors, Munter reminds us, must exercise professional skepticism, “an attitude that includes a questioning mind and a critical assessment of audit evidence.” Skepticism means that auditors should question evidence provided by management when the timing or manner of its production raises suspicions, including “invoices for large amounts with vague descriptions, invoices with related parties with descriptions that are outside of the normal course of business, or ‘new’ evidence provided by management in the late stages of the audit to address a potentially difficult or contentious audit matter. Auditors should avoid any assumptions of honesty, be mindful of potential unconscious biases, and apply the appropriate level of professional skepticism.” In addition, “when performing analytical procedures, auditors should assess whether there are unusual or unexpected transactions or relationships that are identified that may be indicative of a previously unidentified fraud risk.” According to Munter, management “is in a unique position to perpetrate fraud, and instances of fraud often involve management override of controls, including concealment of evidence or misrepresentation of information. Auditors must remain diligent when considering and responding to this risk and remain aware of techniques used by management to circumvent existing controls.” Ultimately, auditors may need to communicate findings to management, the audit committee and the SEC.
When fraud risks have been identified, auditors may need to modify planned audit procedures. For example, specialists may need to be enlisted, such as, for example, a specialist who can “challenge and evaluate the reasonableness of management’s assumptions.” In addition, Munter cautions, auditors should be particularly alert to financial reporting areas that he identifies as “more frequently related to fraudulent schemes,” including improper revenue recognition, which is a “presumed risk of fraud,” and the intentional misstatement of accounting estimates. PCAOB AS 2401.54 provides examples of audit procedures that might be performed in response to assessed fraud risks related to revenue recognition. With regard to misstatement of accounting estimates, Munter advises that auditors “should perform a retrospective review to determine whether there are indications of possible bias in the development of accounting estimates.”
Munter recommends that audit responses should be tailored to the particular risk; auditing standards are not to be used as “an exhaustive checklist.” Auditors should also consider whether publicly available information contradicts information from management. In addition, auditors should assess the company’s control environment, including whether there is a demonstrated commitment to ethics and integrity, beyond simply the existence of a code of ethics: “For example, are employees able to anonymously share their views on the company’s tone at the top through, for example, a culture survey? How are the survey results obtained and shared with leadership?” Does the company have a whistleblower hotline, and does the culture encourage use of it? What is the company’s approach to its own fraud risk assessment? Finally, technology “may provide useful insights to assist with identifying unusual or unexpected relationships or assisting auditors in performing more robust planning analytics.”
Ultimately, Munter concludes, in performing their gatekeeping function, auditors must apply appropriate levels of professional care and professional skepticism so that they may obtain “reasonable assurance about whether financial statements are free of material misstatement, whether due to error or fraud.”