Auditing and the ‘Expectations Gap’ - Part 6
In this series of blogs, I will aim to provide greater clarity around some key areas where differences in the expectations of auditors and businesses commonly arise.
Whilst I am writing these blogs my mind is constantly drawn back to the start of my accountancy studies, specifically to the concept of the ‘Expectations Gap’ so much so that it is on this that I have based the name of this series of blogs. I think that it is fair to say that while professional accountants understand the expectations gap most would agree that more could and should be done to help our clients, Directors of businesses and others who rely on accounts understand exactly what this is and to try and close this as much as feasibly possible.
In this series of blogs, I will aim to provide greater clarity around some key areas where differences in the expectations of auditors and businesses commonly arise, with a hope that this will help to address some common issues prior to them arising or lead to some potentially significant questions which can form a starting point of further conversations.
Part 6: Watchdogs or Bloodhounds
Fraud and criminal activity are a risk that exist in almost every market sector, and all businesses can likely find one or several areas of their activities which exposes them to these risks. They can arise both externally and internally and often involve several layers of fraudulent actions or collusion between staff or others in order to attempt to conceal the underlying activity. As a result, these kinds of issues are some of the most difficult to find and often go undetected amidst the normal day-to-day course of the business. It’s important therefore for management to be aware of where a statutory audit can help identify and prevent fraud, as well as the limitations on an auditor’s ability to detect such fraud.
Fraud can originate from outside a business such as from suppliers, customers, or through targeted or opportunistic attacks. One of the more complex frauds I have seen recently involved criminals gaining access to the email account of a director, and sending emails purporting to be from that director to staff within their finance team advising of a change in bank details for a customer and requesting for various payments to be made. The most impressive aspect of this fraud was that the email style and language used mirrored exactly how that Director would usually email the finance team, and when comparing the fraudulent emails side by side with genuine ones there was no way to distinguish between them.
Most businesses are aware of the risks posed by fraud and have established controls and systems to try and combat these, such as physical locks and bolts, training of staff and many others. In recent times the reliance on modern technology has seen a significant increase in cybercrime, and businesses have been forced to invest in the additional security of the information now being held virtually. For these types of fraudulent activities which originate outside the business, a statutory audit is generally not a preventative measure due to the fact that an audit is usually annual and the fact that it is often the businesses itself that first detects these activities.
A statutory audit can however help to prevent fraud or deliberate errors originating inside the business, either being carried out by staff, management or on occasion related entities. Knowing that transactions and balances are going to be scrutinised acts as a good deterrent and can also improve the quality of a business’s records by introducing this mind set. There are however inherent limitations on what an audit is able to detect. As mentioned, the annual nature makes it difficult to detect fraud spread across many months or multiple years. Auditors also need to rely on the information provided by a business’s staff and management and, while they are always sceptical of any information or paperwork which appears unusual, there is an unavoidable risk that they will be provided false or misleading information which may go undetected. While an audit can play a part in reducing the risk of fraud and error, it should not be the case that this is the only measure that management rely on to protect a business from these risks.
Audits are not primarily directed at detecting fraudulent activity and they therefore should not be relied upon by businesses to address the risk of this occurring. The audit industry does however play an important role in helping to prevent and monitor fraud on a larger economic scale. Auditors remain uniquely positioned with a great degree of access to businesses records, staff and management, and being trained professionals with critical mind sets, auditors through their work can on occasion identify fraudulent transactions and actions. However, their role can be best described as Watchdogs rather than Bloodhounds. Management remain responsible for ensuring that they are comfortable the businesses is protected against all types of fraud, and for an additional layer of comfort they could also consider engaging an auditor to review their systems to highlight any weakness and offer suggestions for improvement.
Over the course of this blog series we have touched on a number of the key areas that contribute to the ‘expectations gap’ and have hopefully provided answers and more clarity to some questions around these. The aim of this series was not, however, to attempt to fully close the gap, but rather to raise an awareness as to what the key areas and issues are, from covering the differing responsibilities of auditors and Directors in dealing with business risks, through to the inherent limitations of the statutory audit, to the potential audit alternatives and additional options available to businesses.
I hope that through this blog series I have been able to deliver the content in a way which has not only been informative but has also raised some questions or highlighted potential issues which may otherwise not have been queried. In reality, it is by asking these questions and through continuing discussions that it will be possible to begin to close the gap between what an audit actually is and what people understand it to be.
Parts in this series;
• Part 1 “I thought you were doing that” – A consideration of the responsibilities of both parties and importance of communication.
• Part 2 The Limitations of Statutory audits – Highlighting the limitations of statutory audits and some areas that may not be covered by them.
• Part 3 One Size Doesn’t Fit All – A look at alternatives to statutory audit and when they may be of use to both businesses subject and not subject to audit.
• Part 4 A Risky Business – A review of the importance of identifying and mitigating business risks and how these can link with audit risks.
• Part 5 Materiality – An explanation of the principal of materiality, how this is calculated and why it may differ from management’s expectation.
• Part 6 Watchdogs or Bloodhounds – A discussion on the role auditors play in identifying criminal activity, fraud and deliberate errors.
If you have any questions about the above, or would like more information specific to your circumstances, please enter your email address below and we will get in touch: