• Increased incidence of accounting fraud raises questions about UK audit standards

There is a word that is never heard in polite audit circles. Indeed, the casual observer could be forgiven for thinking that the audit profession does not have a fraud problem. But it does. And that problem is deeply entangled with public and investor anxiety – amid recent UK corporate collapses and accounting scandals – over the quality of modern auditing and the fear that worse is lurking over the horizon.

When it comes to finger pointing, Tim Bush from corporate governance advisers Pensions & Investment Research Consultants (PIRC) is clear auditors bear most of the responsibility: “To put it simply, they have focused too much on words and too little on the numbers. There is a consistent shift away from them looking at the accounting which includes the books and the numbers in them toward a more abstract concept of ‘financial reporting’, which is increasingly concerned with anything but the numbers.”

He says: “You have to ask whether the board engaged with the business or whether they are engaged with the numbers. If they are engaged with the business via false numbers, they have a very big problem. I think we have seen this in recent accounting scandals.”

But whatever his criticisms of company boards, recent accounting scandals and corporate collapses in the UK have underlined Bush’s view that audit has a problem. “Why does the audit profession bang on about audit quality, if it is not an issue?” he asks. “In fact, they set up the Audit Quality Forum in 2004 to address this very problem. Admirable though the move might have been, it is hard to resist the observation that it appears to have achieved the opposite effect.”

But where does the law stand on audit? In the UK, the starting point is the 2006 Companies Act. Section 386 requires companies to keep proper records. Significantly, those records must be sufficient to “disclose with reasonable accuracy, at any time, the financial position of the company at that time.” 

Building on that, section 498 says auditors must “carry out such investigations” to deliver an opinion on whether the accounting records and accounts are adequate. “I would question how often s498 is actually delivered,” says Bush. “There is a constant mantra from the accounting profession that directors have responsibilities, but s498 goes far beyond that. The audit lobby is also quick to point out that an audit is not a forensic investigation into a company. 

“But, if you actually think about the words in s498, if it is not a forensic examination, what is it? Clearly, it is an investigation. The act says the auditor ‘must carry out such investigations as will enable him to form an opinion’, which is not the same as ‘talking to the directors’.”

Over a decade ago, one investor did sound the alarm over the risk of a fatal collision between fraud and global auditing standards. Iain Richards, now head of responsible investment at Columbia Threadneedle Investments, authored a paper entitled Undermining the Statutory Audit.

In that paper, he drew a comparison between the treatment of fraud under UK company law and its treatment under International Standards on Auditing (ISA). He found that although UK company law in no way qualifies what fraud is, that cannot be said of auditing standards. They effectively tell the auditor to focus on those cases of fraud that cause “a material misstatement in the financial statements. (ISA240)”. 

five differences between internal and external audit

Indeed, Richards noted ISA240 helpfully adds that a “subsequent discovery of a material misstatement of the financial statements resulting from fraud does not, in and of itself, indicate a failure to comply with ISAs as the audit test is ‘reasonable assurance’.” 

Richards went on to more-or-less accuse the auditing profession of dodging liability. He wrote: “In relation to audit, in the UK, the Law looks at the consequential loss, from the point when a fraud that harms the company, had it been identified earlier by the auditor, could have been prevented. Against this, the focus of the IFAC-IAASB ISA model is the same as that in the US, where the focus and scope of auditors’ responsibility is only on ‘material misstatement in the financial statements’, ie, in terms of liability, the focus is on the error in the signed-off accounts, not the losses that result.” 

So how hard is it to fool an auditor? Not very, says Mira Makar, a former finance director turned whistleblower. She says: “From at least the 1990s auditors have adopted what a so-called risk-based approach. It went from ‘if I don’t turn up, if I don’t check, I risk being caught out and can lose the roof over my head’ – where risk was delivery risk – to it being about the risk of getting caught defaulting and not being able to blame someone else.” 

This dilution of the audit function, Makar claims, coincided with the compromise of auditor independence – as they hawk their wares in the hope of bagging lucrative consultancy work – and the reluctance of aggrieved parties to sue. 

As for the mechanics of fraud, Makar makes it sound disturbingly easy. Any villain who knows what they are doing, she says, would make sure that they control their employer’s banking function. She also recommends that they volunteer to be company secretary, so that they can intercept any incriminating post.

Perhaps surprisingly, she flags corporate culture as an area to watch: “Fraud experts brought in by senior management – including auditors – often report that chaos and bullying are both classic signs of, and fertile territory for, fraud. And whenever there is a fraud, there is always expected to be more than one person involved, particularly in the cover-up, including where they are not lining their own pockets beyond getting to keep their jobs. That by itself is a huge incentive.”

Unlike external audit, the main purpose of internal audit is to provide independent assurance to a company that its risk management, governance and internal controls are effective. The two differ in four main areas: reporting line, coverage, objectives and responsibility for improvement. 

Setting up an internal audit function might not eliminate fraud, but it would demonstrate a willingness to tackle the problem – as would auditor’s reacquainting themselves with the 2006 Companies Act.