An audit client discovers, through an inside tip, an employee fraud and you, the audit engagement partner, receive the following phone call:
“George, we just found out our controller has stolen about $70,000 per year for the last three years. Since you guys have been doing our audit, I thought I’d call and discuss what we need to do.” The caller does not verbally say it, but he intimates, “where were you guys?” and “how are you going to resolve this?”
Your first thought is this amount is immaterial, and you begin to explain that audits are not designed to detect immaterial fraud – the first time your client has ever heard these words. It sounds technical, evasive, and hollow. Your client is thinking, “what did I pay you for?” as you are reading his mind and thinking, “not for this.”
The first mistake: Not clearly explaining to your client what an audit is, and, more importantly, what it is not.
The Association of Certified Fraud Examiners’ (ACFE) biennial fraud survey notes that most frauds have a life of about 18 months before they are detected, and less than 10% of frauds are detected by external audits. Even if the external auditor is performing the engagement in accordance with generally accepted auditing standards, the procedures are designed to detect material fraud, something your client needs to know before you start the audit.
Your client files a claim with his insurance company in order to recoup the stolen funds, and, at this point, the insurance company contacts you and asks, “may we have a copy of your internal control letter?” You’ve known all along that there were significant deficiencies in controls, but you’ve been afraid to communicate the weaknesses in writing, knowing that doing so might jeopardize your relationship with management (the guys and gals who hired you).
The second mistake: Not communicating all significant weaknesses and material weaknesses in writing.
Now things go from bad to worse: the insurance company sues your firm and subpoenas your work papers as they prepare to take you to court. The insurance company’s attorney obtains copies of your fraud work for the last three years, and he notes that the three respective audit files have the same fraud inquiry form. All three annual fraud forms reflect that your CPA firm interviewed the same two management personnel, who noted, “the company has high ethical standards and there are no known ways to commit fraud.” No other fraud work exists in the files.
In the deposition, the insurance company’s attorney asks you four times, “did you perform any fraud tests other than inquiring of management?” Now you wish you had.
The third mistake: Inquiring of the same personnel year after year and not performing an annual fraud test (at least one).
You now resolve to do the following on all future audits:
- Resolved – I will explain to my client that an audit does not address immaterial fraud.
- Resolved – I will communicate all significant control deficiencies and material weaknesses in writing.
- Resolved – I will perform at least one new fraud test each year (and those tests will relate to control weaknesses noted in planning walk-throughs and inquiries); additionally, I will perform fraud inquiries of different personnel each year.
If you need fraud-test ideas, I will offer some detailed suggestions in my next blog post.