Auditors have been on the defensive since Arthur Andersen LLP was shut down in the wake of the Enron scandal. But by this point, with the massive accounting fraud revealed at health-care behemoth HealthSouth Corp., all the remaining Big Four have been tarnished. Today, auditors are fighting a battle on two fronts. On one, they must defend their battered integrity — their very stock in trade. On the other, they are challenged to explain why they should not be expected to find accounting fraud — although they have long maintained that they can’t.
They are faltering own both fronts. “I’ve never seen a time when auditor credibility has been called into question the way it is now,” says Chuck Landes, director of the audit and attest standards team at the American Institute of Certified Public Accountants (AICPA). And with audit-malpractice settlements hitting all-time highs, the courts are making it clear that they do expect auditors to find fraud, regardless of the profession’s insistence to the contrary.
Shaken by the Andersen example, Section 404 of the Sarbanes-Oxley Act of 2002, and the size of the settlements, accounting firms are changing the way audits are conducted. One auditor, PricewaterhouseCoopers, has broken with the pack and stated publicly that auditors must accept more responsibility for finding fraud.
But by and large, accountants still maintain that if a company wants to commit fraud, the auditors can’t catch it. Asked to define auditors’ responsibility for detecting fraud, Timothy P. Flynn, vice chair for audit and risk advisory services at KPMG LLP, responds by quoting from the AICPA’s 1997 statement on the matter, SAS No. 82: “to plan and perform the audit to obtain reasonable assurance about whether the financial statements are free of material misstatement, whether caused by error or fraud.” It’s unreasonable, in other words, to expect auditors to detect any and all fraud.
Many financial executives agree. And proposed changes to auditing practices will encounter an especially well funded and inhospitable political environment. Nonetheless, with the cost of corporate fraud estimated at $600 billion annually — according to the Association of Certified Fraud Examiners — pressure on auditors to reduce this number is going to intensify.
Sarbanes-Oxley doesn’t mark the first attempt to improve the audit process. During the 1970s, ’80s, and ’90s, a series of commissions — the Cohen Commission in 1978, the Treadway Commission in 1987, the Jenkins Committee in 1994, the Committee of Sponsoring Organizations in 1999, and the Panel on Audit Effectiveness of the Public Oversight Board, or POB in 2000 — issued reports recommending changes. Through the AICPA, the profession vowed to change, and approved new audit-standards language creating more audit-design procedures, tests of controls, and interpretations of accounting standards.
Notably absent were recommendations to view client financial statements skeptically and conduct audits accordingly. Not until 1988 was any AICPA auditing standard written using the word fraud, and not until 2002, when SAS No. 99 was issued, did the institute directly state that auditors should not assume that a client’s management is honestly reporting results.