The executive summary to our upcoming publication, Sharpening the Focus on Corporate Fraud – An Audit Firm Perspective, starts with the truism that trust is hard won and easily lost. We could have added that auditors seem to have been in a perpetual state of catch-up on this issue. The words ‘trust’ and ‘audit’ are invariably linked with words such as ‘building’, ‘rebuilding’ and ‘restoring’, often associated with corporate collapse and fraud.
In the UK and Europe, the debate on fraud is dominated by discussions about the failings of auditors. Auditors are portrayed as indifferent and venal. In the US, there is perhaps more nuance, partly because of the focus of securities legislation and investor protection through the Securities and Exchange Commission (sec.gov) and maybe because of a profession less dominated by the Big Four.
The balance of power
We believe that more balance is needed in this debate in the UK and a fuller appreciation of the ongoing effort made by auditors to improve their chances of detecting fraud. As Sir Donald Brydon noted in his December 2019 independent review into the quality and effectiveness of audit, we need to remember that directors and management have the primary responsibility for preventing and detecting fraud.
In late 2021, we interviewed auditors to learn more about the reality of fraud deterrence and detection within the larger firms. No firm sets out to miss a fraud and they have for several years been exploring the behavioural, logistical and other impediments to the timely auditor apprehension of fraud. The advent of analytics and artificial intelligence is adding a whole new dimension and expectations are high. Aims, objectives and plans have been introduced to effect change both within the firm and in the wider financial reporting ecosystem.
Audit firm culture: not like it used to be
Of particular interest is the change reported by all firms in audit firm culture. This includes an acknowledgement that auditors need to be able and willing to speak out when the ‘client’ – some firms now discourage use of this term – is pressurising auditors towards the end of an audit to meet deadlines. Being able to challenge and being open to challenge, including challenge from more junior members of the team, is key.
One interviewee noted that when engagement teams ask management difficult questions, it is important that team members know they can reach out and be supported by the firm, in doing the right thing. Encouraging greater mutual respect and support between audit team members is part of an intergenerational shift of attitudes.
Another interviewee noted that their firm has a good track record of pushing back sign-off where necessary without losing any clients. Delays to sign-off can be tricky for clients because they have committed to deadlines, but ultimately management understand why auditors may need to do this.
Process, IT and project management tools are also giving management fewer places to hide. Project management tools help avoid late surprises because they provide the audit team with an overview of the audit’s progress at any point in time. This means that firms can better communicate their expectations and highlight any failures by management to provide auditors with what they promised.
Current techniques used to manage the audit closedown include formal processes, such as pre-sign off declarations for audit teams to complete, challenge from central internal risk panels within the firms, and formal and informal encouragement of certain behaviours to recognise and embed good practice and to signal support from the firm.
Fraud and UK SOX: will it make any difference?
Our fraud publication is clear on whether UK compliance with requirements akin to those of the US Sarbanes-Oxley (SOX) regime will make a difference.
In ICAEW’s view: “Strengthening the UK’s internal control framework for companies and the accountability of those responsible could go a long way towards creating a more effective financial reporting system. It would give companies and auditors another weapon in their fight against fraud.”
The firms are clear, too: “Based on their US experience, evaluating and reporting on internal controls has the potential to improve financial reporting, strengthen the corporate governance regime, enhance investor confidence and reduce the risk of fraud.”
But we caution against underestimating the costs. The resources required to implement internal controls reporting for the first time are significant, especially for companies with different systems in different locations. The financial and logistical implications of transitioning to SOX-style reporting will involve a steep learning curve for companies and auditors, and it would not be quick, easy or cheap. For the firms, significantly increased resources, education and training will be needed to build capacity. Currently, only 25 of the UK’s largest companies with dual listings have experience of the SOX regime and the audit reform proposals might well extend to smaller listed companies.
Finally, we presented a series of recommendations for consideration by audit firms, executive and non-executive directors, government and audit regulators. In these, we set out what more we believe can be done, and what can be done differently, by all stakeholders, to better deter and detect fraud, and thereby reduce the risk of disorderly failure.
Despite the fact that UK audit reform did not form a main part of the 2022 Queen’s speech, we hope that the important work that went into the proposals will not be lost. We therefore also set out what we think stakeholders can and should be doing now, in preparation for the proposed reforms.
Actions for audit firms
Recommendations include suggestions that audit firms should consider greater specialist involvement, such as forensic experts, at all stages of the audit, including the risk assessment stage, on a risk-assessed basis. Currently, they are generally called on when a fraud risk has already been identified. We suggest that firms do more to embed fraud-related learnings across the firm and widen the scope of the risk assessment. We suggest they prepare for change by considering the implications of management and auditor reporting on internal controls over financial reporting, and by engaging with investors in developing an audit and assurance policy.
Actions for companies
When it comes to companies, we suggest they revisit the current approach to fraud risk management and re-evaluate the overall company ethos. They should make more effort to understand auditors’ concerns. We suggest they prepare for change by considering the value of evaluating and reporting on internal controls over financial reporting and developing an audit and assurance policy, as suggested in the audit reform proposals.
Actions for government and audit regulators
Government and audit regulators should involve all stakeholders in a debate about fraud risk management. We suggest that more is done to uphold and enforce existing sanctions against those who mislead auditors, and that consideration is given to how sanctions generally fit into an improvement regime. We suggest that regulatory agencies could do better by sharing more and better quality examples of best practice on fraud risk management and fraud deterrence and detection.
Last, but not least
Auditors deserve to be heard better than they are in the debate on fraud. The perception that they are only interested in the subject if they believe they can make money out of enhanced requirements is unfounded, but it does sometimes lead them to stay out of that debate. We hope this publication will help redress that imbalance.