The view of an internal auditor on restoring trust in audit and governance
John Webb FCCA & Certified Fraud Examiner considers the importance of the BEIS consultation for internal auditors
It is now proposed that company directors should carry out reviews of the effectiveness of their company’s internal controls and say in their annual report whether they consider controls to have operated effectively. The statement should go on to disclose the benchmark system used (such as the Committee of Sponsoring Organizations of the Treadway Commission (COSO) framework) and explain how the directors have gained assurance on that statement. Then the audit report should describe the work the auditor is already required to do to understand the company’s internal control systems and state how that work has influenced the audit, but without a formal auditor opinion on the internal controls’ effectiveness being required. Options for doing this are set out, and the Government intends that auditors of Public Interest Entities, as part of their statutory audit, report how they concluded that the directors’ statement on action taken to prevent and detect fraud is accurate. Then the auditors should report on the steps they took to detect any material fraud and assess the effectiveness of relevant controls.
CP 382 from the Department for Business, Energy and Industrial Strategy (BEIS) - Restoring trust in audit and corporate governance - Consultation on the Government’s proposals - had a closing date for comments of 8th July 2021. Having read this consultation paper, I applaud the recognition that new reporting and attestation requirements are needed covering internal controls, dividend and capital maintenance decisions and resilience planning. All of this is designed to sharpen directors’ scrutiny and accountability, as well as that of their external auditors.
After Patisserie Valerie called in administrators, I expressed my concerns on how the build-up of mis-statement losses had been overlooked. Its parent company Patisserie Holdings had said that ‘The work carried out by the company's forensic accountants has revealed that the mis-statement of its accounts was extensive, involving very significant manipulation of the balance sheet and profit and loss accounts. Among other manipulations, this involved thousands of false entries into the company's ledgers.’
The consultation paper cites the insolvencies of BHS (unlisted) in 2016, Carillion (London Stock Exchange listed) in 2018, as well as Patisserie Valerie (AIM) in 2019. The pattern over decades has been of too many companies that have had to belatedly issue a series of profit warnings before they collapsed, owing creditors (including unsuspecting employees) very large sums of money. It is extremely rare that things go badly wrong in just one year; later investigations normally reveal a history of cut-off errors or subjective judgments that have favoured the reported profits of those earlier years.
Unless the internal auditors, too, thoroughly audit the financial statement process and its output, we remain hostages to fortune, as Patisserie Valerie, Carillion plc and many others have demonstrated.
The current internal control framework for UK companies is weak and vague. The real problem though is that internal controls that were properly designed and appeared to have been operating effectively for years, may be later found to be either defective or too easily circumvented on rare but significant occasions, during or after corporate failure. Thus false assurance has been given over time and relied upon by the Board and others.
One of my very strongly held views based on forty years’ experience as an external auditor, internal auditor and financial services approved person dealing with companies that have experienced major control failures, is that it is more likely in established companies to be control circumvention that exposes a company to poor accounting and fraud rather than weak controls.
We collectively need to get better at challenging the financial statements’ controls, including thorough fraud testing. Fraud auditing and prevention goes beyond noticing red flags and is a lot to do with control override rather than necessarily poorly designed or “ineffective” controls. If controls are effective 99.9% of the time, this is not enough to stop the fraud that occurs at the rate of 1 transaction in every 1,000 (0.1%). Such frauds may be cynically targeted at specific control points and can be supported by manipulation of audit trails. Even if we test to confidence levels of 98 or 99%, why would we expect to detect all large frauds? Particularly if the audit trail has been obscured.
Fraud differs from other operational risks in its deviousness. It targets weaknesses, and the systematic and calculated destruction or amendment of audit trails is frequently a major factor. If risk management procedures are resilient to fraud, then I suggest that they are resilient to most operational risks. So audit for fraud and, even if it is not found, error and more benign control breaches or omissions may be. Also, whenever controls fail, we must keep digging until we get to the root cause of the problem.
Beyond our obvious consideration of the inherent fraud risks in each of the company or sector activities (and products) and testing the related controls, what are other elements of fraud auditing? Well, I would suggest reviews of:
- The management and reporting of errors, exceptions, outliers and red flags, occasions of retrospective transaction or static data approvals
- Belated correction of errors and their root cause analysis
- Detailed studies of internal audit and internal investigation reports
- Understanding of reconciliation breaks and suspense account re-allocations
- Whistleblowing reports.
I am not alone in finding that Benford’s Law analyses may be very efficiently applied across whole data sets, to search for anomalies and data patterns that are unnatural and which may indicate suspicious activity. This may be much more reliable than traditional control compliance testing based upon relatively small samples. Not only can this analysis be truly effective and insightful, but it has been recommended by the Association of Certified Fraud Examiners for twenty-five years or more.
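A first-digit Benford’s Law test of the kind described above, run across a whole ledger rather than a sample. This is an added Python example, not code from the author or the ACFE; the ledger values, the 5,000 approval limit and the 1% chi-square cut-off are constructed assumptions.

```python
import math
from collections import Counter

# Benford's Law: P(first digit = d) = log10(1 + 1/d) for d = 1..9
BENFORD = {d: math.log10(1 + 1 / d) for d in range(1, 10)}
# Chi-square critical value for 8 degrees of freedom at p = 0.01
# (the choice of a 1% cut-off is an assumption for this example).
CHI2_CRITICAL_8DF_1PCT = 20.09


def first_digit(amount):
    """Leading non-zero digit of a non-zero amount; the sign is ignored."""
    return int(f"{abs(amount):.15e}"[0])


def benford_test(amounts):
    """Return (chi2, deviations); deviations[d] = observed - expected count."""
    digits = [first_digit(a) for a in amounts if a != 0]
    n = len(digits)
    observed = Counter(digits)
    chi2, deviations = 0.0, {}
    for d, p in BENFORD.items():
        expected = n * p
        deviations[d] = observed.get(d, 0) - expected
        chi2 += deviations[d] ** 2 / expected
    return chi2, deviations


def most_overrepresented_digit(amounts):
    """Digit whose observed count exceeds its Benford expectation the most."""
    _, deviations = benford_test(amounts)
    return max(deviations, key=deviations.get)


# Constructed sample data: amounts spread over several orders of magnitude,
# which tracks Benford's distribution closely.
clean_ledger = [round(10 * 1.02 ** k, 2) for k in range(1000)]
# Constructed anomaly: 80 entries sitting just under a hypothetical
# 5,000 approval limit, added to the same ledger.
padded_ledger = clean_ledger + [4900 + i for i in range(80)]

if __name__ == "__main__":
    for name, ledger in (("clean", clean_ledger), ("padded", padded_ledger)):
        chi2, _ = benford_test(ledger)
        flag = "REVIEW" if chi2 > CHI2_CRITICAL_8DF_1PCT else "ok"
        print(f"{name}: chi2={chi2:.1f} {flag}, "
              f"most over-represented digit={most_overrepresented_digit(ledger)}")
```

A statistic above the cut-off marks the population for follow-up on the over-represented digit; it is an anomaly signal, not proof of fraud.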
There is a good opportunity with this consultation to address an old chestnut on the distinction between “internal controls” and its subset of “internal financial controls.” If the Directors’ Statement could cover all aspects of the company’s internal control and risk management procedures, I believe this is preferable to it being restricted to “the internal controls over financial reporting.” Most key controls have potential financial consequences, whether or not they are defined as “internal financial controls.”
The FRC evidences in the consultation paper a pervasive presumption by auditors that fraudulent financial reporting is unlikely to arise, and thus fraud-audit procedures have been largely a mere compliance exercise. This explains some of the past failures to detect serious accounting mis-statements and fraud as it built up over time and before it accumulated to catastrophic levels. The supporting Brydon Review finding that external auditors’ skillset needs to change radically (if they are to be at all effective in detecting fraud) and that forensic accounting training must therefore become a part of both their qualification and continuous development, is entirely logical. I strongly believe that this is necessary but not sufficient and quality assurance over the assessment of internal financial controls should also be significantly tightened. For the relative importance of financial statement fraud I refer to the ACFE: "2020 Report to the Nations. Copyright 2020 by the Association of Certified Fraud Examiners, Inc." [1]
This report studied the costs and effects of occupational fraud. Amongst its findings was that, of the three categories of occupational fraud, financial statement fraud schemes were the least common (10% of schemes) but by far the costliest category:
- Asset misappropriation fraud: most cases; median loss $100,000
- Corruption: median loss $200,000
- Financial statement fraud: 10% of cases; median loss $954,000
Owners/executives accounted for only 20% of the frauds in their study but the median loss in those cases (USD 600,000) far exceeded the losses caused by managers and employees. Fraud losses tend to rise in line with authority levels and it is suggested that owners/executives are generally in a better position to override controls than their lower-level counterparts and often have greater access to an organization’s assets.
The Association of Certified Fraud Examiners found that four anti-fraud controls were associated with a 50% or greater reduction in both fraud losses and duration: a code of conduct; an internal audit department; management’s certification of financial statements; and regular management review of internal controls, processes, accounts, or transactions.
This consultation may be our best opportunity to be instrumental in long-lasting improvements in various governance and financial reporting duties. Importantly, in supporting rigorous annual reviews of the effectiveness of companies’ internal controls and auditors’ opinions on those controls (including dividend and capital maintenance reporting and attestation requirements). Specifically, this is a chance to mandate, for the first time, thorough and consistent fraud testing and to get to grips with the risk and indicators of control override and circumvention.
If forensic accounting training can be required (going beyond the simple design of anti-fraud controls), alongside strong quality assurance over the assessments of internal financial controls, then auditors in the future will be far better equipped to unearth financial statement fraud, before it collapses under its own weight taking large corporates with it. This would significantly reduce the risk of auditors of the likes of Patisserie Valerie again arguing that uncovering fraud is not the role of accountants or saying “we’re not looking at the future, we’re not giving a statement that the accounts are correct … we are looking in the past and we are not set up to look for fraud.”
Please note, the author is writing in a personal capacity and the views expressed above do not necessarily reflect those held by ACCA.
With thanks to the Association of Certified Fraud Examiners, Inc. for:
[1] 2020 Report to the Nations. Copyright 2020 by the Association of Certified Fraud Examiners, Inc.
Copyright © John Webb 2021