NEWS

Whilst there have been changes in audit requirements in recent years following accounting scandals, the role of the auditor is fundamentally unchanged in respect of fraud. Despite this, a perpetual expectation gap remains between the investing public and the auditors as to who has the exact responsibility to detect fraud.
FACT VS OPINION

NEWS

Where were the auditors?

When an organisation is targeted by a fraudster just who is responsible for uncovering the fraud? SIMON OCONNOR and SASHA CLEAVER discuss.
VERY TIME THERE is a major financial scandal the chorus cries: Where were the auditors? Along with auditors, complaint is also directed at regulators and, on occasion, legislators. In a well-known and oft-quoted phrase, Lord Justice Lopes in Re Kingston Cotton Mills (No. 2) (1896) 2 Ch 279 at 288 stated that an auditor is a watchdog, not a bloodhound: It is the duty of an auditor to bring to bear on the work he has to perform, that skill, care, and caution which a reasonably competent, careful, and cautious auditor would use... An auditor is not bound to be a detective, or, as was said, to approach his work with suspicion, or with a foregone conclusion that there is something wrong. He is a watchdog, but not a bloodhound.

Auditors are paid to give opinions, usually as to whether or not they gained reasonable assurance that the financial statements of an organisation are free of material misstatement (due to fraud or error). To the illinformed user, that may well sound like an opinion on whether the accounts are accurate; however, this is certainly not the case. The key terms within the auditors opinion are reasonable assurance and material misstatement. Reasonable assurance means that sufficient work is complete to take a reasonable view on the accounts as a whole. Material misstatement means a mistake in the accounts that would lead the reader to take a different opinion of the financial statements or the organisation in question had that mistake been corrected. Reasonable assurance is not absolute assurance. Auditors do not have all the facts to hand. In order for auditors to have all the facts to hand, their work is likely to take considerably longer than reasonable assurance requires, due to the need to look at every transaction in some detail, understand each one, and thereafter confirm with some surety that each transaction has been accounted for correctly and reflected in the financial statements of the organisation. There would also be no opportunity for auditors to look at the larger value items only. They would be required to trace every cent including, for example, GST rounding errors or anomalies. As a result, all the facts to hand would lead to absolute assurance and any misstatement, but

24

DECEMBER 2009

NEWS

it might take longer than the financial year itself to complete an audit.
RESPONSIBILITIES WITH FRAUD?

The requirements on an auditor in respect of fraud come from the international standard on auditing ISA (NZ) 240. This standard defines fraud as an intentional act by one or more individuals among management, those charged with governance, employees, or third parties involving the use of deception to obtain an unjust or illegal advantage. Fraud differs from plain theft and, in fact, many other crimes, due to a key element deception. If there has been a burglary, then the victim will usually notice that his window has been broken and DVD player is missing. If there has been a murder, typically a body is found, or at least the victim is noticed as missing. When it comes to fraud, however, deception is paramount. If the deception is badly executed, then the fraud is discovered when it is low value, and hence it is often thought of as a minor issue. As a result, it would certainly be immaterial to the financial statements of the organisation, and hence has no impact on an auditor. If the deception is successful, then the fraud remains hidden, and by definition, the deliberate deception may be good enough to mislead the auditors. Statistics consistently show domestically and internationally that most fraud is carried out by employees of an organisation, and hence it is employees who are responsible for deceiving their co-workers, management, and governance boards. What responsibilities do the auditors have under ISA (NZ) 240? Again, the auditors are seeking reasonable assurance that the financial statements are free from material misstatement, whether due to fraud or error. It goes on to say that there are two types of intentional misstatements, or fraud, that are relevant to the auditor. The first is misstatements resulting from fraudulent financial report-

unless the auditor has reason to believe the contrary, the auditor may accept records and documents as genuine. Finally, the main tools available to the auditor are in the testing of systems and controls at the organisation at a conceptual level, ie asking whether they do what they are supposed to do, testing samples of transactions, and also in asking management for further information and explanation in respect of the transactions. The obvious resulting challenge is that the auditor may well unknowingly be talking to the employee carrying out a fraud, who is hence capable enough to hide his actions from his co-workers, management, and governance There is no part of ISA (NZ) board. We would presume 240 that states that the such actions would predicate auditors have any responsibility the employee towards lying to his auditors too. to detect fraud As was reported in NZLawyer recently (Auditors not liable for failure to detect fraud, issue 118, 7 August timing, and extent of the required au- 2009), in one of the last judgments dit procedures. Within this, specific to come out of the House of Lords, consideration is made to fraud risks. Moore Stephens (a firm) v Stone At the time of execution, auditors Rolls Limited (in liquidation) [2009] bring to each organisation a third UKHL 39, Lord Walker of Gestpartys perspective, viewing some ingthorpe stated: On the assumpof the transactions and financial re- tion that the auditors did owe a duty cords cold, and as a result, asking of care to S&R, it was a duty owed to that company as a whole, not to questions others might not ask. According to ISA (NZ) 240, audi- individual shareholders, or potential tors have to approach assignments shareholders, or current or prospecwith professional scepticism and to tive creditors... If the only human recognise that material misstatement embodiment of the company already due to fraud could exist. This scep- knew all about its fraudulent activitical approach combined with a new ties, there was realistically no protecperspective on transactions can some- tion that its auditors could give it. As a result, no matter what writtimes be a powerful tool in the detecten or other representations are protion of fraud. The issues at Otago District Health vided by a company, if the fraud is Board in recent times came to light being carried out by management, initially when an individual from an- explicitly or complicity through lack other DHB came in with a new per- of appropriate oversight, then again spective on existing transactions and the auditors are unlikely to discover relationships and asked some ques- the fraud. tions. However, there is no part of ISA WHERE THE BUCK STOPS (NZ) 240 that states that the audi- So who has responsibility to detect tors have any responsibility to detect fraud? Ultimately, it is the managefraud. In fact, it goes on to say that ment of the company, who are in ing, and the second is misstatements resulting from misappropriation of assets. ISA (NZ) 240 also recognises that owing to the inherent limitation of an audit, there is an unavoidable risk that some material misstatements of the financial statements may not be detected, even though the audit is properly planned and performed in accordance with the ISAs (NZ). Auditors approach their audits carefully, considering misstatement, whether by fraud or error, and plan accordingly to determine the nature,

DECEMBER 2009

25

NEWS

From an accountants perspective, it is not the auditors, but specialist forensic accountants who have the skills and experience in detecting fraud

turn being audited, and thereafter the board itself. In fact, the Companies Act 1993 sets out in section 190 that the board of a company has responsibility to ensure that adequate measures are taken to prevent records being falsified and to detect any falsification. From an accountants perspective, it is not the auditors, but specialist forensic accountants who have the

skills and experience in detecting fraud. It should be there that the expectation lies. Where, in the words of Lord Justice Lopes, the auditor is not bound to approach his work with suspicion, forensic accountants are. They are paid to be the detective, to approach transactions and organisations with some suspicion, with experience suggesting that there may well be a fraud. They are the bloodhounds. So, when the question where were the auditors? is next asked, the simple answer may well be that they were doing their job. The real

question should be what were management and governance boards doing? For information on audit or forensic accounting Special Interest Groups, see www.nzica.com. This article first appeared in NZLawyer, issue 123, 16 October 2009.
Simon OConnor is the Head of Assurance of Ernst & Young New Zealand and Sasha Cleaver is a Senior Manager in Ernst & Youngs Fraud Investigation and Disputes Services team. Sasha can be contacted on sasha.cleaver@nz.ey.com.

Want to access your system anywhere? Home, O ce, Overseas, Anywhere

Simple, upgrade to Merco

Customers General Ledger Web-based PDA Data Cubes Business Intelligence Timesheets SQL

CRM

Suppliers

Business Management GST

Financials Accounting Operational Projects Integrated Personnel Campaign Management

Your all-in-one solution

www.mercoSI.com sales@mercosi.com Phone 09 280 4403

26

DECEMBER 2009

Copyright of Chartered Accountants Journal is the property of Institute of Chartered Accountants of New Zealand and its content may not be copied or emailed to multiple sites or posted to a listserv without the copyright holder's express written permission. However, users may print, download, or email articles for individual use.