Fraud causes significant losses to investors each year.[1] Frauds that affect issuers and their investors may involve asset misappropriation, financial reporting misconduct, or, more generally, corruption. The Association of Certified Fraud Examiners (“ACFE”) estimates that organizations lose 5% of revenue to fraud each year, an estimated loss of $4.7 trillion on a global scale.[2]
As we have emphasized on many occasions, independent auditors play an important gatekeeper role in supporting high-quality financial reporting and the protection of investors.[3] A critical aspect of this role is an independent auditor’s responsibilities with respect to fraud detection[4] during the financial statement audit, or, in other words, the auditor’s use of the fraud lens.[5] Under existing Public Company Accounting Oversight Board (“PCAOB”) auditing standards, auditors for issuers have a responsibility to consider fraud and to obtain reasonable assurance about whether the financial statements are free of material misstatement, whether caused by fraud or error.[6] When considering materiality, auditors should not assume that even small intentional misstatements in the financial statements are immaterial.[7] Additionally, Section 10A of the Securities Exchange Act of 1934 (“Exchange Act”) imposes requirements on auditors related to the detection of illegal acts during the audit.
Auditors are gatekeepers and therefore the importance of their responsibilities with respect to the identification of risks of material misstatement due to fraud (“fraud risks”) and the detection of material misstatements in the financial statements due to fraud should not be underestimated. This is particularly true because any changes to the macroeconomic and geopolitical environment in which companies operate may result in new pressures, opportunities, or rationalizations for fraud.[8]Areas that have historically been a focus for auditors—the tone at the top of a company and the effectiveness of internal controls—appear to be key factors in either exacerbating or mitigating such pressures, opportunities, or rationalizations for fraud.[9] This provides auditors with a significant opportunity to support investor protection by helping to identify and address the precursors of financial reporting fraud so that more material misstatements due to fraud are detected by independent auditors.
In this Statement, we (1) discuss the auditor’s responsibilities with respect to fraud, including observations of some auditor shortcomings; (2) highlight how the auditor’s responsibilities are incorporated currently in the PCAOB standards, including the PCAOB’s quality control standards; and (3) provide reminders on good practices.
Observations on the Auditor’s Role
Auditors must plan and perform an audit to obtain reasonable assurance about whether the financial statements are free of material misstatement, whether caused by error or fraud.[10] The PCAOB auditing standards further require auditors to exercise due professional care, which requires the auditor to exercise appropriate levels of professional skepticism throughout the audit.[11] An auditor should avoid exhibiting bias, which may result from focusing the risk assessment and the related audit response on risks of error and overlooking or failing to identify the fraud risks. It is critical that auditors evaluate whether information gathered throughout the audit indicates that one or more fraud risk factors[12] are present and how fraud could be perpetrated or concealed by management.
We have also recently observed shortcomings related to responsibilities over the detection of material misstatements due to fraud that auditors should keep in mind as they perform their vital role for the public trust.
- PCAOB inspections consistently identify areas of concern involving auditors’ application of due professional care and professional skepticism when considering fraud or where the audit response to fraud risks and red flags was insufficient.[13] PCAOB inspection examples of auditor’s deficiencies include auditors not performing substantive procedures that were specifically responsive to fraud risks (e.g., not performing tests of details,[14] or only performing inquiries[15]), performing insufficient journal entry testing, failing to assess and/or identify revenue recognition as a potential fraud risk,[16] and not communicating fraud risks to audit committees.[17]
- Recent Commission enforcement actions against audit firms and their personnel continue to highlight instances of improper professional conduct[18] by auditors with respect to fraud risks.[19] In these enforcement actions, the Commission alleged that auditors failed to comply with PCAOB standards by, among other things, ignoring red flags and contradictory information and failing to obtain sufficient and appropriate audit evidence.
- Through OCA’s discussions with stakeholders we have heard particularly troubling feedback that auditors many times frame the discussion of their responsibilities related to fraud by describing what is beyond the auditor’s responsibilities and what auditors are not required to do. We find this attitude of focusing on the limits of the auditor’s responsibilities at the outset as opposed to the affirmative requirements with respect to the responsibility to plan and perform the audit to obtain reasonable assurance about whether the financial statements are free from material misstatement, whether caused by error or fraud, deeply concerning, as it could impact an auditor’s mindset[20] or their degree of professional skepticism, and may thereby reduce the likelihood of fraud detection and potentially result in dereliction of professional responsibilities to the public trust.
An Auditor’s Responsibilities
Auditing standards and the federal securities laws address an auditor’s responsibilities related to fraud detection. PCAOB AS 2401 generally informs an auditor’s responsibilities as they relate to detecting material misstatements due to fraud when conducting a financial statement audit. However, an auditor’s responsibilities do not end there. An auditor’s consideration of fraud is incorporated into many PCAOB auditing standards. We emphasize that the auditor’s risk assessment and use of the fraud lens is a continual and iterative process that continues until the issuance of the audit report.[21]
Section 10A of the Exchange Act, in pertinent part, requires that each audit have procedures designed to provide reasonable assurance of detecting illegal acts that would have a direct and material effect on the determination of financial statement amounts.
Importance of a Strong System of Quality Controls
A strong system of audit firm quality controls enables individual auditors to successfully perform their responsibilities with respect to fraud in the audit. Auditors may face pressures from various sources, both internal and external, during the audit. External pressures by the audit client may include management insisting on tight deadlines[22] or applying audit fee pressures.[23] Internal audit firm or engagement team pressures may include resource constraints, time pressures,[24]budgeting and firm operational metrics, evaluation systems that may inadvertently discourage skepticism among staff auditors,[25] and achieving strong client satisfaction ratings. These pressures can distract an auditor from appropriately identifying and responding to fraud risks thereby reducing the likelihood that the auditor will detect material misstatements in the financial statements resulting from fraud.
PCAOB standards require audit firms to establish a system of quality control[26] that, when effectively designed and implemented, can promote and enhance the application of professional skepticism in the face of these and other pressures. For example, setting a proper tone at the top and personnel management policies that emphasize assigning the right personnel with the necessary competencies is critical in supporting auditors in exercising professional skepticism, among other things. Importantly, a strong tone at the top of the audit firm[27] that supports and encourages an auditor’s focus on their responsibilities for identifying and responding to fraud risks is foundational to establishing the professionally skeptical mindset auditors need to fulfill their professional responsibilities with respect to the detection of material misstatements resulting from fraud.
Risk Assessment and Responses
PCAOB auditing standards related to the auditor’s assessment of and response to risks incorporate requirements for identifying and responding to fraud risks and evaluating audit results.[28] Those standards include having a questioning mind when discussing the potential for material misstatements due to fraud among key engagement team members, and require auditors to set aside any prior beliefs about management’s honesty and integrity.[29]
A key point of distinction between a material misstatement that arises from fraud or error is whether the underlying action was intentional or unintentional.[30] As such, auditors should be aware of biases that may impede their ability to gather and objectively evaluate audit evidence. For instance, the mindset of “trust but verify” may represent potential bias if it is anchored in the belief that management is honest and has integrity. Such a mindset may interfere with an auditor’s ability to effectively evaluate signs of fraud when evaluating misstatements or to objectively challenge evidence provided by management. Professional standards have long held that due professional care requires the auditor to exercise professional skepticism. Professional skepticism is an attitude that includes a questioning mind and a critical assessment of audit evidence.[31] Auditors should be skeptical of evidence provided by management when the timing or manner in which such evidence is produced is questionable. This may include, invoices for large amounts with vague descriptions, invoices with related parties with descriptions that are outside of the normal course of business, or “new” evidence provided by management in the late stages of the audit to address a potentially difficult or contentious audit matter. Auditors should avoid any assumptions of honesty,[32] be mindful of potential unconscious biases, and apply the appropriate level of professional skepticism.
When responding to identified fraud risks, auditors should modify planned audit procedures to be specifically responsive to the assessed fraud risk.[33] However, auditors should not default to merely increasing sample sizes, but rather should exercise their professional skepticism when determining which types and amount of audit procedures to apply in response to the assessed fraud risk.[34]
Auditors should also apply their professional skepticism when considering whether the involvement of specialists is necessary when identifying or responding to fraud risks.[35] An auditor should consider whether the involvement of a forensic specialist is necessary to assist in identifying fraud risks and responding to those fraud risks, or, when fraud risks are identified related to management estimates, whether the involvement of a specialist is necessary to challenge and evaluate the reasonableness of management’s assumptions.
It is critical for auditors to be alert to financial reporting areas that may be more frequently related to fraudulent schemes, such as improper revenue recognition and the intentional misstatement of accounting estimates.
- Improper revenue recognition is a presumed risk of fraud[36] and a broad sweeping identified risk of “fraudulent revenue recognition” is most likely insufficient for auditors to be able to design an effective audit response to address the risk.[37]
- Auditors also should perform a retrospective review to determine whether there are indications of possible bias in the development of accounting estimates.[38]
Auditors should continually reassess fraud risks throughout the audit, including when evaluating the audit results and determining whether they themselves have obtained sufficient appropriate audit evidence. For instance, when performing analytical procedures, auditors should assess whether there are unusual or unexpected transactions or relationships that are identified that may be indicative of a previously unidentified fraud risk.
Management is in a unique position to perpetrate fraud, and instances of fraud often involve management override of controls, including concealment of evidence or misrepresentation of information.[39] Auditors must remain diligent when considering and responding to this risk and remain aware of techniques used by management to circumvent existing controls. Additionally, if an auditor believes that an identified misstatement might be indicative of fraud, they should perform procedures to obtain additional audit evidence and evaluate the related implications.[40] This includes fulfilling their responsibilities to communicate such matters to management, the audit committee, and the SEC, as required.[41]
Good Practices
Auditors should avoid using the examples of fraud risk considerations and related responses included within the auditing standards as an exhaustive checklist. Audit responses should be tailored to the identified fraud risk and dynamic to changing business environments if auditors are to fulfill their professional responsibilities to consider fraud and to obtain reasonable assurance about whether the financial statements are free of material misstatement, whether caused by fraud or error.
In addition, auditors should consider publicly-available information (including from new sources available during the course of the audit) and objectively evaluate how such information impacts risk assessment and the audit response.[42] For example, auditors should evaluate whether publicly-available information contradicts information received from management.
Auditors should also devote sufficient time and resources to the assessment of the issuer’s entity-level controls.[43] An auditor is required to obtain an understanding of the issuer’s control environment.[44] This would include assessing whether the organization demonstrates a commitment to integrity and ethical values. Issuers might attempt to support such commitment by pointing to the existence of a code of ethics and annual employee acknowledgement of such. A code of ethics is required by NYSE and NASDAQ, and while its existence is a good start, the auditor should evaluate whether the code of ethics is sufficient to demonstrate the issuer’s commitment to integrity and ethical values. For example, are employees able to anonymously share their views on the company’s tone at the top through, for example, a culture survey? How are the survey results obtained and shared with leadership?
Another aspect of the issuer’s entity-level controls is the existence of a whistleblower hotline through which the audit committee receives and addresses formal complaints related to accounting and auditing matters. For companies listed on an exchange, a whistleblower hotline or other means of anonymously reporting questionable accounting or auditing matters is required by the Sarbanes-Oxley Act of 2002[45] and is another good start; however, has the issuer simply checked the box on the requirement, or does the issuer have a culture that encourages whistleblowers who see something to actually say something? For example, an auditor may want to discuss with the audit committee the nature of the whistleblower hotline’s operation.
An auditor should also pay close attention to an issuer’s approach to its own fraud risk assessment as this can provide insight when evaluating the issuer’s control environment.[46]
Technology plays an increasingly important role in the audit and automated tools and techniques may assist the auditor in applying the fraud lens. Access to granular data and information can increase transparency into underlying transactions, which through the use of technology may provide useful insights to assist with identifying unusual or unexpected relationships or assisting auditors in performing more robust planning analytics.[47] That said, it is important to remember that the use of technology is most effective when combined with sound professional judgment and other audit procedures that do not lend themselves to the use of technology.[48]
While these examples of procedures are by no means an exhaustive list, they illustrate that the auditor’s responsibilities with respect to fraud are not limited to the explicit requirements within PCAOB AS 2401.
Conclusion
Auditors serve an important gatekeeping and investor protection function by helping to verify that issues are promptly identified and addressed so that the auditor has obtained reasonable assurance about whether financial statements are free of material misstatement, whether due to error or fraud. The value of the audit and the related benefits to investors, including investor protections, are diminished if the audit is conducted without the appropriate levels of due professional care and professional skepticism. Therefore, we remind auditors to fulfill their professional responsibilities by applying an appropriate fraud lens throughout the audit, including understanding the relationship between PCAOB AS 2401 and other auditing standards as it relates to identifying and responding to the risk of fraud in the audit so that the auditor has obtained reasonable assurance that there is not a material misstatement to the financial statements caused either by fraud or error.
ENDNOTES
[1] This statement represents the views of the staff of the Office of the Chief Accountant (“OCA”). It is not a rule, regulation, or statement of the Securities and Exchange Commission (“SEC” or the “Commission”). The Commission has neither approved nor disapproved its content. This statement, like all staff statements, has no legal force or effect: it does not alter or amend applicable law, and it creates no new or additional obligations for any person. “Our” and “we” are used throughout this statement to refer to OCA staff.
[2] See ACFE, Occupational Fraud 2022: A Report to the Nations (Apr. 1, 2022), available at https://legacy.acfe.com/report-to-the-nations/2022/.
[3] See, e.g., Paul Munter, Acting Chief Accountant, The Critical Importance of the General Standard of Auditor Independence and an Ethical Culture for the Accounting Profession (June 8, 2022); Paul Munter, Acting Chief Accountant, Statement on OCA’s Continued Focus on High Quality Financial Reporting in a Complex Environment (Dec.6, 2021); Paul Munter, Acting Chief Accountant, The Importance of High Quality Independent Audits and Effective Audit Committee Oversight to High Quality Financial Reporting to Investors (Oct. 26, 2021).
[4] See PCAOB AS 2401, Consideration of Fraud in a Financial Statement Audit, paragraph .12.
[5] In the context of this statement, the phrase “fraud lens” is intended to highlight a focus on the consideration of fraud in the audit.
[6] See PCAOB AS 2401.01.
[7] See Staff Accounting Bulletin (“SAB”) No. 99, Materiality (Aug. 12, 1999). SAB No. 99 highlights that qualitative factors may cause misstatements of quantitatively small amounts to be material. For example, SAB No. 99 emphasizes that a registrant and the auditors of its financial statements should not assume that even small intentional misstatements in the financial statements are immaterial.
[8] Pressure, opportunity, and rationalization are three factors that make up what is sometimes referred to as the “fraud triangle.” The fraud triangle is a theory that explains the factors that lead to fraud and other unethical behavior. See Jack Dorminey, A. Scott Fleming, Mary-Jo Kranacher, Richard A. Riley, Jr., The Evolution of Fraud Theory, 27 Issues in Accounting Education 555-579 (2012).
[9] Recent Commission enforcement actions reinforce this point by describing circumstances where companies may have exhibited a poor tone at the top, absent or insufficient internal controls including management override of controls, high-pressure environments, business challenges, and a lack of adequately experienced personnel. See, e.g., In re Eagle Bancorp., Inc., SEC Release No. 95505 (Aug. 16, 2022) (settled order); In re Synchronoss Technologies, Inc., SEC Release No. 34-95049 (June 7, 2022) (settled order); In re Baxter International Inc., SEC Release Nos. 33-11032 and 34-94294 (Feb. 22, 2022) (settled order); In re WEX Inc., SEC Release No. 34-93753 (Dec. 13, 2021) (settled order); In re Advanced Drainage Systems, Inc., SEC Release No. 34-83612 (July 10, 2013) (settled order).
[10] See PCAOB AS 1001, Responsibilities and Functions of the Independent Auditor, paragraph .02. Additionally, legal precedent also illustrates that external auditors assume a public responsibility to design audits to detect material misstatements due to fraud. See Colonial BancGroup Inc. v. PricewaterhouseCoopers LLP, No. 11-cv-746, 2017 WL 8890271 (M.D. Ala. Dec. 28, 2017).
[11] See PCAOB AS 1015, Due Professional Care in the Performance of Work, paragraphs .01 and .07.
[12] See example fraud risk factors within the Appendix to AS 2401.
[13] See, e.g., PCAOB Staff Inspection Briefs and Staff Previews of Inspection Observations, available at https://pcaobus.org/resources/staff-publications.
[14] Auditors should perform substantive procedures, including tests of details, for significant risks.See PCAOB AS 2301, The Auditor’s Responses to the Risks of Material Misstatement, paragraph .11. For example, a test of details may include examining, on a test basis, evidence regarding the amounts and disclosures in the financial statements.
[15] When performing substantive procedures, inquiry alone does not provide sufficient appropriate evidence to support a conclusion about a relevant assertion. See PCAOB AS 2301.39. In addition to inquiry, examples of substantive procedures may include inspection, observation, confirmation, recalculation, reperformance, and analytical procedures. See also PCAOB AS 1105, Audit Evidence, paragraphs .13-.21.
[16] See PCAOB AS 2110, Identifying and Assessing Risks of Material Misstatement, paragraph .68.
[17] See PCAOB AS 2401.79-.81.
[18] In this context, “improper professional conduct” refers to the meaning within Section 4C of the Exchange Act and Rule 102(e) of the SEC’s Rules of Practice. See 15 USC 78d-3; 17 CFR 201.102(e).
[19] See, e.g., In re CohnReznick LLP, SEC Release No. 34-95066 (Jun. 8, 2022) (settled order); In re Steven C. Avis, CPA, and Steven W. Hurd, CPA, SEC Release No. 34-95071 (Jun. 8, 2022) (settled order).
[20] Academic research finds that auditors’ mindsets affect their abilities to detect and respond to fraud risks. See Tim D. Bauer, Sean M. Hillison, Mark E. Peecher, Bradley Pomeroy, Revising Audit Plans to Address Fraud Risk: A Case of “Do as I Advise, Not as I Do,” 37 Contemporary Accounting Research 2558-89 (2020).
[21] Planning the audit includes establishing the overall audit strategy for the engagement and developing an audit plan, which includes, in particular, planned risk assessment procedures and planned responses to the risks of material misstatement. Additionally, planning is not a discrete phase of an audit but, rather, a continual and iterative process that might begin shortly after (or in connection with) the completion of the previous audit and continues until the completion of the current audit. See PCAOB AS 2110.05.
[22] See Robert L. Braun, The effect of time pressure on auditor attention to qualitative aspects of misstatements indicative of potential fraudulent financial reporting, 25 Accounting, Organization and Society 243-59 (2000).
[23] As a reminder, management should not be involved in negotiating audit fees as this is a discrete and explicit responsibility of the audit committee. See Section 10A of the Exchange Act [15 U.S.C. 78j-1].
[24] See In re Richard J. Bertuglia, CPA, SEC Release No. 84419 (Oct. 12, 2018) (settled order).
[25] See Joseph F. Brazel, Scott B. Jackson, Tammie J. Schaefer, Bryan W. Stewart, The outcome effect and professional skepticism, 91 The Accounting Review 1577-99 (2016).
[26] See PCAOB Quality Control sec. 20, System of Quality Control for a CPA Firm’s Accounting and Auditing Practice, paragraph .03.
[27] A firm’s tone at the top has a significant effect on auditors’ behaviors. See Wayne Tervo, L. Murphy Smith, Marshall Pitman, Dysfunctional Auditor Behavior: The effects of tone at the top on supervisors’ relationships, Research on Professional Responsibility and Ethics in Accounting 47-77 (September 2013).
[28] See PCAOB Release 2010-004, Auditing Standards Related to the Auditor’s Assessment of and Response to Risk, available at https://pcaob-assets.azureedge.net/pcaob-dev/docs/default-source/rulemaking/docket_026/release_2010-004_risk_assessment.pdf?sfvrsn=6326eac2_0.
[29] See PCAOB AS 2110.52 and AS 2301.07.
[30] See PCAOB AS 2401.05. AS 2401.05 provides a definition of fraud for purposes of that standard.
[31] See PCAOB AS 1015.07; see also In the Matter of Lam D. Ha, CPA, SEC Release No. 34-90010 (Sept. 25, 2020) (settled order).
[32] The auditor neither assumes that management is dishonest nor assumes unquestioned honesty. See PCAOB AS 1015.09.
[33] See PCAOB AS 2301.13-14.
[34] Refer to example responses to assessed fraud risks at PCAOB AS 2401.53-.67.
[35] See PCAOB AS 2301.07 for considerations of when it may be appropriate to use the work of an auditor-employed specialist or an auditor-engaged specialist. See also Appendix C of PCAOB AS 1201, Supervision of the Audit Engagement, and PCAOB AS 1210, Using the Work of an Auditor-Engaged Specialist, for requirements for an auditor using the work of an auditor-employed specialist and an auditor-engaged specialist, respectively, in performing an audit of financial statements.
[36] See PCAOB AS 2110.68.
[37] See examples of audit procedures that might be performed in response to assessed fraud risks related to revenue recognition at PCAOB AS 2401.54.
[38] See PCAOB AS 2401.63-.65.
[39] See PCAOB AS 2401.08; see also PCAOB AS 2110.69.
[40] See PCAOB AS 2810, Evaluating Audit Results, paragraphs .20-.23.
[41] See responsibilities under PCAOB AS 2401.79-.81A, PCAOB AS 2405, Illegal Acts by Clients, and Section 10A of the Exchange Act [15 U.S.C. 78j-1].
[42] The auditor’s risk assessment is a continual and iterative process. See PCAOB AS 2110.74 and PCAOB AS 2301.46.
[43] See PCAOB AS 2110.22-.36.
[44] See PCAOB AS 2110.23-.25.
[45] See Section 301 of the Sarbanes-Oxley Act of 2002, which added Section 10A(m)(4) of the Exchange Act [15 U.S.C. 78j-1(m)(4)]; Rule 10A-3(b)(3) of the Exchange Act [17 CFR 240.10A-3(b)(3)]. Specifically, the rules of each registered national securities exchange and registered national securities association must prohibit the initial or continued listing of any security of an issuer if the issuer’s audit committee does not establish procedures for the confidential, anonymous submission of concerns about questionable accounting or auditing matters by employees.
[46] See, e.g., COSO principle 8 for examples of considerations that make up a robust fraud risk assessment, and related points of focus including that the organization considers various types of fraud, assesses incentives and pressures, assesses opportunities, and assesses attitudes and rationalizations.
[47] See PCAOB AS 2110.46-48.
[48] See Helen Brown-Liburd, Hussein Issa, Danielle Lombardi, Behavioral Implications of Big Data’s Impact on Audit Judgment and Decision Making and Future Research Directions, 29 Accounting Horizons 451-68 (2015).
This statement was issued on October 11, 2022, by Paul Munter, acting chief accountant of the U.S. Securities and Exchange Commission.