While there have been some major corporate failures as a result of fraud over the past few decades, the figures are very small relative to the overall number of listed companies. These failures nevertheless reinforce the need to do more to discourage and prevent fraud and, where it cannot be prevented, to detect it as soon as possible.
Fraud and forensics
Companies have never been as data-rich as they are today, providing new opportunities to detect material frauds through data mining, analysis and interpretation. Auditors are ideally placed to carry out this role and are increasingly using data analytics to identify unusual transactions and patterns of transactions that might indicate a material fraud.
The use of forensic specialists in the audits of public interest entities (PIEs) may become mandatory in future. In the UK, Brydon’s review suggested that forensic skills and fraud awareness should be part of the formal qualifications and continuing professional development for all auditors. The EY organization supports that recommendation.
Technology is not a panacea, however, and the human element also comes into play. There is an opportunity for all involved – including management and boards, auditors and regulators – to focus more on corporate culture and behaviors to support fraud detection.
Auditors’ professional skepticism and moral courage can be boosted through education and training in topics such as behavioral science, including the concepts of conscious and unconscious bias. These opportunities could have profound implications for auditor education and qualifications, as well as standards and audit regulation in the future.
Collaborative change
When a fraud extends to a broad network across management and third parties, it can take more than a normal audit to find the evidence. So, what can be done to detect fraud as early as possible or even prevent it?
This issue goes far beyond the auditing profession. Large-scale fraud is mostly well thought through and difficult to detect. Auditing is an important check, but it is not the only one. In this context, adopting a “three lines of defense” approach against fraud is useful, comprising: corporate governance; the auditor; and capital markets supervision.
The three lines of defense are ripe for exploration to drive better prevention or detection of fraud. In some cases, the suggestions below draw on best practices or requirements from different countries across the globe, but the public interest would be better served if they were applied more generally.
1. Corporate governance
- PIEs should have a system of strong internal controls over financial reporting that includes fraud risk specifically. This system would set out clear roles for management, board, audit committee and internal audit.
- Management and director certifications on the content of financial statements as well as the internal controls should be explored for PIEs. There should be meaningful consequences for inappropriate certifications.
- Companies could do more to measure and oversee culture and incentives.
- All actors in the corporate governance chain and reporting ecosystem, including auditors, should have strong whistleblower programs in place that both encourage and protect those who report issues.
2. The auditor
- Auditing standards should be reviewed to provide auditors with a stronger framework to detect fraud. Such a review should examine materiality, level of skepticism, use of forensic specialists, internal controls, access to and use of assessments of culture and incentives, discussions with audit committees and public reporting.
- External auditors could be required to assess and report on a PIE’s internal controls and risk management processes (including how the company monitors and tests compliance) to boards, regulators and the public.
3. Capital markets supervision
- Minimum corporate governance and reporting standards (including the proposals above) should be a precondition for a listing on a major stock market index.
- In many places, auditors already have red-flag obligations to escalate, or determine whether to escalate, any concerns they have over potential breaches of laws and regulations that may impact the financial statements, to an appropriate authority. Where these obligations exist, they must be clearly enshrined in law or regulation.
Maturity of local or regional corporate governance and regulatory systems needs to be considered when deciding how to progress the areas mentioned above. A full cost-benefit analysis would also need to be undertaken.
The evolving external environment, increasingly complex business models and the sophistication of fraudsters require a reexamination of how traditional audit procedures approach the risk of fraud.
There are clear actions that auditors are already taking to evolve the audit to detect fraud. However, to truly tackle the issue of corporate fraud, actors throughout the three lines of defense must work together. Collaboration is key to improving the prevention and detection of fraud, and ultimately protecting the victims of fraudsters.
Summary
There have been some high-profile corporate failures in recent years as a result of fraud. They reinforce the need for auditors and the broader corporate governance and reporting ecosystem to do more to discourage, detect and prevent fraud. In a new report, the EY organization is setting out a call to action based on three lines of defense: corporate governance; the auditor; and capital markets supervision.