The fraud expectation gap

27 May 2022 / Insight posted in Article

Is an audit designed to detect fraud? Yes and no. Is it an auditor’s responsibility to detect fraud? Also, yes and no.

When it comes to detecting fraud, there has long been an expectation gap between what the public expect an auditor to achieve and what an auditor can actually achieve. The frequency with which accountancy firms hit the headlines for failing to detect fraud does little to close that gap.

 

What is the auditor’s responsibility when it comes to detecting fraud?

An auditor’s responsibilities are clearly set out within International Standard of Auditing 240. This states that an auditor is responsible only for obtaining reasonable assurance that the financial statements taken as a whole are free from material misstatement, whether caused by fraud or error.

Often the individuals engaging in the fraud know the audit procedures and can conceal the fraud from the auditors by covering up transactions or avoiding recording them.

In fact, the primary responsibility for the prevention and detection of fraud lies with management and those charged with the company’s governance.

 

Limitations of audits

Due to the inherent limitations of an audit, there is an unavoidable risk that some material misstatements of the financial statements may go undetected, even if the audit is well planned and executed. Such limitations include:

  • Scope – audits are designed to detect material misstatements in the financial statements. Non-financial matters are not necessarily part of the scope of an engagement, so wider considerations that may help identify fraud can sometimes be overlooked.
  • Sampling – auditors select samples to carry out their audit testing. If there are very few fraudulent transactions or they are immaterial in value, they are unlikely to be identified in the audit.
  • Time – auditors can be limited by the time they have available to carry out the audit, meaning that the possibility of detecting fraud becomes diminished.
  • Management concealment – auditors rely on information provided by management. It is difficult for an auditor to detect fraud if there has been management collusion or document manipulation.

Use of artificial intelligence (AI) in detecting fraud

Prior to the introduction of AI, audits would be performed using sampling techniques. Random transactions would be selected based on certain risk areas identified within the planning stage of the audit and would likely be tapered depending on the value of the transaction.

Ultimately this selection may cover a large portion of the transactions by value, but a small portion of the total number of transactions. Therefore, the chance of detecting fraud amongst the lower value transactions is remote.

However, the chances of detecting fraud have been increased to some extent by the use of AI. AI can be used to analyse 100% of the transactions and provide a selection of transactions considered irregular or high risk. This enables an auditor to cover a much wider range of transactions and be more focused in their sample selection.

But AI is not without its limitations. The parameters of the searches are defined by the auditor and dependent on the accuracy of the data set being used. It is then down to the auditor’s professional judgement to consider whether the transactions identified relate to fraudulent activity. Wherever human judgement is required, there is room for error.

AI is clearly an extremely useful tool, but it cannot bridge the expectation gap alone.

 

Professional scepticism

The International Standard of Auditing 200 defines professional scepticism as an “attitude that includes a questioning mind, being alert to conditions which may indicate possible misstatement due to error or fraud, and a critical assessment of evidence”.[1]

Professional scepticism should be applied at all stages from the initial engagement process to the completion of the audit. Jeremy Paxman once said that he approached interviews applying the principle ‘why is this person lying to me’. Whilst the approach may be slightly extreme (after all, it is an audit, not an investigation), the overarching principle rings true.

Auditors are often speaking with individuals who have a vested interest in the company which is being audited. Indeed, if those individuals themselves are the perpetrators of a fraud, how reliable are their responses likely to be? Applying professional scepticism means not taking management’s explanations at face value and seeking to obtain information independently which may (or may not) support management’s assertions.

Professional scepticism can be the best weapon available to an auditor in detecting fraud.

 

Final word

There is always likely to be an expectation gap between what the public expects an auditor to achieve and what an auditor can actually achieve. Ultimately an auditor’s ability to detect fraud is limited to the scope of the audit and the information and technology available to conduct that audit. However, with new AI techniques and machine learning becoming more readily available, it is not unreasonable for public expectations to grow in accordance with what auditors are now able to accomplish.

The forensic accounting team at Moore Kingston Smith are uniquely placed to provide clarity on these issues. If you have any concerns regarding fraud in your organisation or would like to discuss the issues raised in this article, please contact Ricky O’Connell.

 

[1] Financial Reporting Council