By Mark S. Nelson, J.D.
SEC Acting Chief Accountant Paul Munter recently gave a speech in which he spotlighted the internal tensions many auditors encounter regarding fraud detection, which some may de-emphasize as being beyond the auditor’s traditional role or may reduce to an exercise in doing only what is legally required. But Munter suggested that auditors do play a role in fraud detection that is related to their job of reviewing financial statements for material misstatements that may have arisen from either error or fraud.
Attitude. Munter began his speech with some observations about the role of auditors in fraud detection as they seek to exercise professional skepticism in providing reasonable assurance about corporate financial statements.
Munter stated the issue thus: “We find this attitude of focusing on the limits of the auditor’s responsibilities at the outset as opposed to the affirmative requirements with respect to the responsibility to plan and perform the audit to obtain reasonable assurance about whether the financial statements are free from material misstatement, whether caused by error or fraud, deeply concerning, as it could impact an auditor’s mindset or their degree of professional skepticism, and may thereby reduce the likelihood of fraud detection and potentially result in dereliction of professional responsibilities to the public trust” (footnote omitted).
Before Munter turned to this more specific observation about auditor attitudes, he had cautioned that the evolving global economic outlook and geopolitical risks could lead to pressures on auditors. Munter warned in both the text of his speech and in a footnote that a “fraud triangle” consisting of “[p]ressure, opportunity, and rationalization” can lead to unethical behavior. Although Munter only alluded to recent enforcement actions in the main text of his speech, he cited a quintet of enforcement matters in a footnote that he suggested advocate for auditors to carefully assess both corporate tone at the top and the effectiveness of internal controls.
Audit risks. Munter said that an auditor’s risk assessment and response is critical to detecting fraud, which he said often requires making a determination about whether a financial misstatement occurred because of intentional or unintentional conduct. According to Munter, auditors must avoid certain biases, such as the “trust but verify” approach to dealing with a company’s managers because such mindset could lead an auditor to discount the possibility of fraud. Auditors, he said, should be especially skeptical of managers who provide audit evidence in circumstances where the timing is questionable. Later in the speech, Munter would posit that mangers are “unique[ly] position[ed]” to engage in fraud.
Other accounting topics that Munter said demand attention by auditors include revenue recognition and accounting estimates. Munter explained that these areas are often linked to fraudulent activity.
Best practices. The auditing standards applicable to public companies are replete with examples of fraud and how to respond to fraud, but Munter suggested that these standards are just starting points. Instead, auditors should refine their approach to meet specific circumstances.
While auditing standards may provide only a non-exhaustive checklist, auditors can do more to ensure that they are following best practices. For example, Munter suggested that auditors compare published information about a company to the information provided by the company’s managers. (By way of observation, SEC staff already do something like this in the context of SEC staff comment letters, where virtually any topic, including accounting topics, may trigger a set of staff comments to a company based on a comparison of publicly available information to information provided by a company in its SEC filings).
Moreover, Munter said auditors should emphasize entity-level controls. Here, Munter suggested that auditors consider whether a company’s ethics code is sufficient and that auditors ensure that a company’s required whistleblower hotline and related corporate culture about reporting alleged accounting or auditing wrongdoing is robust enough that the company has not merely checked a regulatory box.