The idea that public companies should undergo periodic forensic audits designed to detect fraud failed to excite a panel of audit experts during a meeting of the Public Company Accounting Oversight Board’s Standing Advisory Group. Most members of the panel seemed unconvinced that a companywide forensic audit would be cost-effective — or, indeed, effective at all.
“There is a general lack of understanding regarding forensic procedures and their application, and this lack is not limited to the public at large,” said Brad Preber, managing partner for Grant Thornton’s Western Region Economic Advisory Practice. Preber argued that “there are no generally recognized standards to perform a ‘forensic audit,’” and cautioned that if the approach is one of “open the books and see if you can find anything,” the results will be “outrageously expensive and [will raise] significant issues of potential liability because you are searching for something that you aren’t sure exists.”
David Landsittel, a former partner at Arthur Andersen and a member of the working group that has drafted several fraud-related accounting standards currently on the books, agreed that the definition of a forensic audit is murky, noting that the very word “forensic” had been left out of accounting standards in the past in order to avoid confusion.
The panel discussion, held Thursday afternoon in Arlington, Virginia, was inspired at least in part by a report released in November by the Global Public Policy Symposium, a working group made up of the CEOs of the world’s six largest public accounting firms. Titled “Global Capital Markets and the Global Economy: A Vision from the CEOs of the International Audit Networks,” the report described an “expectations gap” between what various stakeholders believe auditors do (or should do) to detect fraud and what audit networks are actually capable of doing — at least at the prices companies or investors are willing to pay.
That report offered a number of options for addressing that expectations gap, everything from requiring companies to undergo a full forensic audit perhaps every three to five years to instituting random forensic audits to giving shareholders the option of voting on the intensity of the “fraud-detection effort” they want to authorize and pay for.
The panel was particularly unenthusiastic about the first option. “There is a lot of value in applying forensic-auditing tools and techniques to the financial-statement audit; there is a lot of value in [bringing] the skeptical mindset you [apply to] a forensic setting to a financial-statement audit,” said Dana Hermanson, a professor of accounting at Kennesaw State University. “But to me the notion of the periodic 100 percent forensic audit doesn’t make as much sense as some of the other alternatives.”
Hermanson argued that a forensic auditor, much like a police officer, can’t simply be asked to “investigate” a company’s financial accounting. Like the forensic pathologists in the popular television drama “CSI,” they need a body before they can start investigating a crime. In Hermanson’s view, the job of a forensic auditor is to answer a specific question about suspicious activity. Presented with a company’s books and told to do a forensic audit, he said, most would begin by asking what they were supposed to be looking for — a question impossible to answer when no illicit activity is suspected.
Not everyone saw it that way. Toby Bishop, a Chicago-based partner in the Forensic and Dispute Services practice of Deloitte Financial Advisory Services, conceded that “there is no generally accepted definition of a forensic audit,” but said companies are becoming more aware of the value of that type of audit.
“A market is slowly developing,” said Bishop, “in which audit committees, boards of directors, or senior management push for forensic accountants to be retained apart from the audit, to address risks or concerns in certain operational areas even if fraud is not known to have taken place.” He said that while the current focus is most often on potential employee, vendor, or customer frauds, the same tools and techniques could be used to “enhance the effectiveness of financial-statement audits in deterring and detecting material fraud.”
Bishop was the sole panelist to defend the idea of periodic forensic audits of public companies as being potentially useful, arguing that just because nothing in particular is suspected, it doesn’t mean that a forensic auditor wouldn’t know how to begin. “It is possible to go looking in the most likely places for the largest potential issues,” he said. While there is no guarantee that a forensic audit would uncover all forms of fraud, “the mere fact [that someone] looked in the most likely places can give additional assurance that there are no skeletons in those most likely places.”
The option of random audits “could create a high level of fraud deterrence at a total cost much lower” than that of mandatory periodic forensic audits, he added.
There’s no official proposal on forensic audits before the PCAOB, and a January report based on the board’s audit inspections contained a reassuring message: it was not “changing or proposing to change any existing standard, nor is the board providing any new interpretation of any existing standards.” Bear in mind, though, the fallout that followed a similar report, in December 2005. The topic: internal controls and Section 404.