Here Masterson is bridging the semantic barrier between “detecting fraud” and “attesting to reliable financial statements.” While her peers might not go quite so far, they are taking the initiative to add forensic (or investigative) capabilities to their audits. KPMG, for instance, added more than 300 “forensic professionals,” including some who trained at the Federal Bureau of Investigation, who will take part in some routine audits. At one recent audit, KPMG ran all the addresses of a client’s vendors to see if any of them matched a list of rental post office box addresses — a hallmark of a fictitious vendor. It found 17 addresses fitting that description. The firm is also launching a pilot program to conduct due-diligence-type reviews on certain audits.
Deloitte is comparing clients’ financial results with those of their industry peers, and taking a closer look at outliers. All the firms are adopting new software programs that will allow them to more quickly run checks for duplicate addresses, duplicate employees, or statistical outliers that may be red flags for fraudulent activity.
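The address checks described above (vendor addresses run against a list of mailbox-rental addresses, plus duplicate addresses across vendors and employees) could look like the following. This is an added illustration, not software used by any firm named in the article. The sample records, normalization rules, the literal "P.O. Box" check and the flag names are all constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample records (assumptions for illustration, not data from the article).
MAILBOX_RENTALS = ["123 Main Street, Suite 4, Springfield", "77 Oak Ave., Shelbyville"]
VENDORS = {
    "V001": "123 Main St. #210, Springfield",
    "V002": "500 Industrial Road, Springfield",
    "V003": "77 Oak Avenue PMB 12, Shelbyville",
    "V004": "P.O. Box 991, Springfield",
    "V005": "500 Industrial Rd, Springfield",
    "V006": "9 Elm Ct, Springfield",
    "V007": "42 Harbor Blvd, Springfield",
}
EMPLOYEES = {"E17": "9 Elm Court, Springfield"}

ABBREV = {"st": "street", "ave": "avenue", "rd": "road", "ct": "court"}
# Unit designators are dropped so a box number at a mail store matches the store's address.
UNIT = re.compile(r"\b(?:suite|ste|unit|apt|pmb)\b\.?\s*\w+|#\s*\w+")
PO_BOX = re.compile(r"\bp\.?\s*o\.?\s*box\b", re.IGNORECASE)

def normalize(addr):
    """Reduce an address to a comparison key: lowercase, no units, no punctuation."""
    text = UNIT.sub(" ", addr.lower())
    words = re.sub(r"[^a-z0-9 ]", " ", text).split()
    return " ".join(ABBREV.get(w, w) for w in words)

def review_vendors(vendors, employees, rentals):
    """Return {vendor_id: [flags]} for vendors whose address deserves a closer look."""
    rental_keys = {normalize(a) for a in rentals}
    employee_keys = {normalize(a) for a in employees.values()}
    by_key = defaultdict(list)
    for vid, addr in vendors.items():
        by_key[normalize(addr)].append(vid)
    findings = {}
    for vid, addr in vendors.items():
        key, flags = normalize(addr), []
        if PO_BOX.search(addr):
            flags.append("po_box")
        if key in rental_keys:
            flags.append("mailbox_rental")
        if len(by_key[key]) > 1:
            flags.append("shared_with_vendor")
        if key in employee_keys:
            flags.append("matches_employee")
        if flags:
            findings[vid] = flags
    return findings
```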
They all report spending much more time working with clients to meet the reporting standards set out in Section 404 of Sarbanes-Oxley, which require companies to attest to the internal controls they have in place to deter fraud. They are also dropping more high-risk companies than in previous years, and are subjecting clients to closer scrutiny. In addition, they are stressing the importance of management involvement in creating controls that inhibit fraud, and they are fostering an institutional intolerance for fraudulent behavior. CFOs report that above all, auditors are becoming far more confrontational and less congenial in their audits.
Meanwhile, new auditor independence rules will remove many of the auditors’ incentives to use audit services as a loss leader and to reduce the number of audit procedures, or overlook questionable accounting treatments. SAS No. 99 encourages auditors to be more skeptical, vary materiality levels, and “start thinking like a fraudster,” says Landes. The standard also goes into great detail about how to structure a risk assessment to identify the highest-risk areas at a client, and how to structure an audit to best catch material misstatement.
Shoe Leather and Gray Hair
While the new initiatives are impressive and may help catch more fraud, critics say that they don’t go quite far enough because there are still holes in basic audit methodology and structure.
“If insiders are perpetrating fraud, I agree that it is almost impossible to find it,” says Arthur Bowman. “But if there’s a general failure of audit firms, it’s that the individual auditor is not doing his or her job properly. We have too many rules, and we need to get back to principles-based work. It comes down to individuals failing.”
The most damaging failure is that many of the new forensic antifraud measures are targeted at the employee level. According to a recent E&Y survey, although individuals on the company payroll committed 85 percent of the worst frauds, more than half of those company insiders were from the management level.