AccelPro | Audit
AccelPro | Audit
On the Auditor's Role in Detecting Fraud
0:00
Current time: 0:00 / Total time: -23:30
-23:30

On the Auditor's Role in Detecting Fraud

With Dennis McGowan, Vice President, Professional Practice, Center for Audit Quality | Interviewed by Jessica Stillman

Listen on Apple Podcasts, Spotify and YouTube

Welcome to AccelPro Audit, where we provide expert interviews and coaching to accelerate your professional development. Today we’re featuring a conversation with Dennis McGowan, Vice President, Professional Practice at the Center for Audit Quality (CAQ).

We have previously had guests — former PCAOB board member Jay Brown and academic Luigi Zingales —  come out strongly in favor of the Public Company Accounting Oversight Board’s proposed changes strengthening auditors’ responsibilities for detecting fraud, known as noncompliance with laws and regulations (NOCLAR). But many in the industry, including the Big Four accounting firms, have serious objections. In this interview McGowan, of external auditor industry group The Center for Audit Quality, lays out his concerns and the approach he would prefer the PCAOB to take. 

This episode also digs into the CAQ’s Anti-Fraud Collaboration and its research findings, the prospect of using AI to better detect fraud, McGowan’s own experience of going through the PCAOB inspection process and how audit firms can continue to be as welcoming as possible to LGBTQ+ professionals.

Listen on Apple Podcasts, Spotify and YouTube


Interview References:


TRANSCRIPT

I. ON THE CAQ’S ANTI-FRAUD COLLABORATION

Jessica Stillman, Host: To get started, I want to talk about the CAQ and your Anti-Fraud Collaboration (AFC). Together with several other organizations, the CAQ co-founded the AFC in 2010. Can you tell me about the project and its aims?

Dennis McGowan: We formed the Anti-Fraud Collaboration in 2010 with three other organizations: the Institute of Internal Auditors, Financial Executives International, or FEI, and the National Association of Corporate Directors. Together, those three different stakeholder groups represent the financial reporting ecosystem.

Our aim is to tackle fraud topics with the idea that it takes all the stakeholders in the financial reporting ecosystem to do their role as it relates to fraud detection. That's why we work with these other stakeholder groups to really drive that messaging home. We each have a responsibility related to fraud, whether it be as auditors, internal auditors, management or corporate directors, or audit committees.

We accomplish this through developing thought leadership, awareness programs, and educational opportunities. Recently, our focus areas have been around five core priorities: culture, fraud, risk, skepticism, and technology.

JS: I understand the Anti-Fraud Collaboration undertook a long research project that looked at SEC enforcement actions to identify the most common types of fraud schemes and what types of companies undertook them so auditors could be aware of high risk areas. What did you find?

DM: Released in January of 2021, we led a project on mitigating the risks of common fraud schemes. The objective was to provide observations on higher risk areas that are susceptible to fraud and offer insights into what companies can do to mitigate those types of fraud risks more effectively. 

We wanted to learn where fraud schemes have occurred and what are some commonalities in them? And then we wanted to create a resource that could help everyone in the financial reporting ecosystem understand what's happened in the past and maybe how to prevent those things in the future.

The scope was 531 enforcement actions against companies, company employees, and external auditors involving accounting or auditing issues where the SEC had issued an AER, an accounting and auditing enforcement release, from January 1st, 2014 through June 30th, 2019. So these were all pre-pandemic. For the purpose of our analysis, we focused on financial statement frauds, and books and records violations to classify common fraud schemes, which narrowed our scope to 204 enforcement actions, from which 140 fraud schemes were identified.

So what were our findings? Common types of financial reporting fraud schemes include revenue recognition, expense timing and categorization, accruals and inventory manipulation. Unsurprisingly, fraud schemes to increase income either through revenue recognition or expense manipulation occurred most frequently. Other commonly manipulated areas included reserves and inventory, along with impairments.

In addition to the top fraud schemes, we identified several other fraudulent schemes and misconduct. The range of issues included non-GAAP measures, misappropriation of assets and company funds, concealment of assets, related party transactions, business combinations and divestitures, material omissions of information and disclosures, and deceiving and or misleading the auditors.

What's important to take away is that there was rarely a single root cause for each matter, as each scheme typically encompassed multiple issues. The study also identified a significant number of fraud schemes that involved misleading or inaccurate financial statement disclosures, material weaknesses, and internal controls, and unsupported journal entries.

JS: What does that mean for auditors day-to-day in their work? Is this just a red flag to look more carefully at these areas, or does this research suggest anything else that they should change about their approach, practice or procedures?

DM: I think the research arms auditors and others in the financial reporting ecosystem with information about what's happened in the past. To me as an auditor, the areas where fraud was uncovered were probably not all that surprising—it’s not surprising to hear that revenue recognition was a top area. But I do think that as you think about planning your audit and where maybe a fraud may occur, looking at some of this historical information may be helpful. This is just another resource out there that can give you more information.

II. ON AI AND FRAUD DETECTION

JS: I know AI is one area the CAQ has also looked at in relation to fraud. How do you see these new AI tools helping auditors detect and prevent fraud?

DM: Recently the AFC developed a fraud and emerging technology series to spotlight drivers of innovation and major disruptors that are redefining the future of financial reporting audit and risk management. This series really aims to hone in on key technological developments that are most relevant to the financial reporting ecosystem. And to your excellent point, AI is definitely dominating the conversation these days. So our resource examined what are the implications of AI and one of its most known applications, machine learning within the context of mitigating fraud risks?

It's exciting to think about how some of those algorithms can help predict where a transaction is more unusual. For example, this weekend, I was out of town and the bank alerted me that I was withdrawing money from a location that it didn't expect.

But I think as companies are using this technology, it probably introduces new risks to the financial reporting process as well. Auditors need to be vigilant as to how those new technologies could be affecting the books and financial statements. As they're thinking about new areas that could be a source of a fraud risk, they certainly should be thinking about these new technologies.

JS: Where are we in the process of adoption for AI for fraud detection? Are a lot of auditors already using these tools? Are firms just starting to explore the possibilities?

DM: I don't know specifically whether firms are using this technology across their entire practices just yet, but I think certainly the largest of firms have the intention to develop different technologies, different collaborations with tech partners. 

I don't know that they've all been focused specifically on fraud. Some of them are more broad than that. But certainly as the technology matures, I would expect to see more auditors using AI in the execution of their audit. I don't think we're there yet, but I certainly think we all recognize the opportunity for using these technologies as it relates to fraud.

JS: What do you think, again, the takeaway is for the average day-to-day auditor? Is it just to be open to these tools, to be thoughtful about them? Is there any advice you'd pass along?

DM: I think first and foremost is thinking about how the company you're auditing may be using these technologies and what does that mean for ICFR? What does that mean for fraud risks within that company? That's job number one. And then I think the second is to be open to how this technology could be harnessed in fraud detection as part of executing the audit.

III. ON THE PCAOB’S NOCLAR PROPOSAL  

JS: You recently wrote a piece for Bloomberg where you talk about your own experience with the PCAOB inspection program. What lessons or insights did you gain as an auditor from going through that process?

DM: Living through an inspection taught me the importance of continuous improvement. An inspection can be extremely intimidating because your work is being evaluated, and we make really important decisions through the execution of our audit. I was trying to do the right thing from start to finish on my audit. And now inspectors are looking at your work papers and evaluating those judgments that you made and perhaps disagreeing with something you did or didn't do.

It stings when you get a comment form because I'd worked really hard on that audit. It was important to me that we get to the right answer. But I think when I stepped back and realized we could learn from it and then take those learnings and apply it to future audits, that was a positive outcome. That's the lesson I at least took from my own experience and I would encourage other auditors going through it to view the process that way too.

JS: The CAQ, along with some 200 other stakeholders, submitted a comment letter expressing concerns about the proposed amendments to PCAOB auditing standards related to companies’ noncompliance with laws and regulations. Can you lay out for me your concern about the proposed change?

DM: This proposal was pretty historic in that two CPA board members did not vote in support of putting that proposal out there. I think the concerns that they included in their remarks when they didn't support the proposal certainly resonated with auditors.

Auditors are willing to do more as it relates to their responsibility to identify where a company is noncompliant with laws and regulations. What the extent of that work should be is where we don't necessarily fully agree with what was proposed. The scope of what was proposed seemed extremely broad when we think about what the auditor is responsible for today.

Now perhaps that wasn't the intent of the PCAOB, and that's where the comment process is so important. Stakeholders can provide their input and then the PCAOB can take that input and determine what to do in any final standard they set. But I think as proposed terms reasonably have a material effect on the financial statements as it relates to non-compliance with laws and regulations, it seems like a threshold that is broader than what we deal with when we think about the risk of material misstatement to the current period financial statements. That's where the scope is probably the primary concern.

Second, auditors aren't lawyers, and so are you putting the auditor in a position where they need to employ a lot of different legal experts to evaluate potential instances of noncompliance?

Third, we were also concerned about the problem that we're trying to solve. There wasn't really a study of what the costs and benefits of the proposal were. This fundamental shift in what the auditor is required to do feels like there should be some sort of study that attempts to quantify the costs as well as those benefits.

We're not the only ones that opposed the proposal. I think the majority of the comment letters we've looked at, close to 80%, were not in support of the proposal. And while almost 80 percent were not supportive, only 25 to 30% of the letters provided recommendations. It's difficult. What does the PCAOB do with all of those comment letters if there weren't specific recommendations? How do they address concerns?

To me, the takeaway is that we need a multi-stakeholder dialogue to figure out, what do investors want the auditor to do with respect to noncompliance with laws and regulations? And then, what's possible? What's cost effective to do in the current construct of the audit of the financial statements? 

Because some board members and audit committee members that I've spoken to about the proposal, have concerns like, Is the auditor going to be super distracted by trying to implement a standard like this, that they take their eye off the ball as it relates to the audit of the financial statements as we know it? And that would be really bad for audit quality. We need to calibrate the art of the possible for what an auditor can do to meet what investors are looking for.

JS: I hear you very much that this requires a dialogue between all the stakeholders, but from where you sit at the CAQ on the external auditor side, what approach would you prefer to see the PCAOB take to accomplish the aim of better attention to fraud detection? Do you have a proposal or direction in mind?

DM: One of the things we said in our comment letter was that part of the NOCLAR proposal did define noncompliance with laws and regulations to extend to fraud and they also have a project on their midterm agenda related to the auditor's responsibility with respect to fraud procedures. And so I think that this NOCLAR standard needs to be contemplated in conjunction with whatever winds up getting proposed as it relates to fraud procedures or an updated fraud standard, given they're so interrelated.

That's one thing. The other thing is there were changes around some of the risk assessment, changes which better integrated the auditor's consideration for when noncompliance could have a material impact to the financial statements. We were supportive of some of those considerations.

Some of the other suggestions we had in our letter had to do with better connecting this standard to the risk assessment standards, so that it's clear that you're dealing with instances of noncompliance that would have a material impact on the financial statements and not on a broader population.

But it's tough, and that's why I think we probably weren't able to provide as many recommendations in our letter as I'd like given the complexity of what was proposed. We'll need to do some more work with the profession and our task force members to understand what really is the art of the possible here. 

It was clear from one of our first task force calls on the proposal with our member firms that they recognize that the PCAOB standard around illegal acts has not been updated in some time, and businesses have changed and the international standards have changed. And so certainly they’re supportive of a modernization of the standards, but there needs to be a modernization that is going to help improve audit quality.

JS: While all these very complex discussions are taking place between stakeholders and standard setters, from the perspective of the auditor, do you agree that there's an overall need for a greater focus on fraud prevention? Is that something you'd urge auditors to take a harder look at these days?

DM: When you think about the current environment, we've been living in uncertain times since 2020. There's always been something in the external environment happening that's unprecedented that auditors need to be thinking about. When you think about the risk assessment process, I don't envy auditors and what they've had to do these last several years.

Not to suggest that auditors are ever on autopilot, but I do think in more static times, there's probably not huge changes to your risk assessment each year. You probably have a really good understanding of where your risks of material misstatement are in a particular audit from year to year. There may not be tremendous change in them unless the company itself is going through some big changes itself that introduced new risks. But when I think of the last several years, it's not even just what a company is doing strategically that could be having an impact on your risk assessment, it’s what's happening in the external environment.

What's really hard when it comes to executing on your responsibility as an auditor related to fraud is, how often is the auditor finding fraud? And it's not because auditors can't find fraud. A CFE study that came out last year said 4% of frauds were identified by the external auditor, and I think there's a lot of criticism around why isn't that number higher?

I would suggest that we wouldn't want it to be higher. Companies have really good systems in place today where you have either: internal audit, a management team, the board…they're playing out their roles so that frauds are discovered before even the external auditor has a chance to find it. That doesn't mean that the auditor shouldn't always remain professionally skeptical and constantly be thinking, throughout the audit, Where does something seem off? That's why skepticism is one of the core areas the AFC has always been focused on.

So what I would say to auditors out there getting ready for their year-end audits, is to not forget about that responsibility. And I think that auditors do take that responsibility very seriously. But I also think you can lose sight of it because fraud doesn't happen all the time.

JS: We recently interviewed Luigi Zingales from the University of Chicago and Jay Brown, an ex-member of the board of the PCAOB, who also noted that 4% number is low. But they said auditors may be a bit asleep at the wheel and need to be woken up. So it's very interesting to get the opposite perspective: actually, it's low because fraud is being caught in other ways.

IV. ON DIVERSITY IN THE AUDITING PROFESSION

Can you walk us through how you found your way into working in the audit space and how you got where you are today?

DM: I followed a pretty traditional path to being an auditor. I studied accounting at LaSalle. I pursued internships with PwC, where I worked for 10 years in their audit practice. I started my career in the Philadelphia office, and then got asked to participate in a client pursuit in the Atlanta market, knowing that if we were successful in that pursuit, I was going to have to move to Atlanta.

We won the work and it was a super rewarding experience to be on such a large pursuit of a client, win that client, and then move to a new office to help be part of the process of onboarding that new client.

Then, seven years ago I found my way to the Center for Audit Quality. I'm just so lucky to work with the leaders in all of the largest accounting firms. I'm very aware of the competition between firms, but that competition gets checked at the door when they meet for CAQ task force or committee meetings, and we really get to talk about exciting things that the profession is facing and how do we, as a profession, tackle those issues.

JS: I saw on your LinkedIn, and elsewhere, several posts celebrating the contributions of LGBTQ+ folks. Have you found the field to be welcoming to the LGBTQ+ community? And do you have any advice on how leaders and companies can make sure their workplaces are as welcoming as possible to diverse talent?

DM: I think this is a profession that doesn't just accept LGBTQ+ professionals, they celebrate them. And I know I felt that when I worked at PwC, and I continue to feel that way when I think about all of the firms’ initiatives and what they do around diversity. So I think this is absolutely a welcoming profession.

My advice to other leaders is to make sure that you're putting LGBTQ+ folks in positions of leadership. It's important for younger professionals to see those that are like them in leadership positions, so they see they can be leaders themselves someday. I know that's been helpful to me, seeing that there are folks in leadership at the largest of these firms that are LGBTQ+. I just encourage them to continue to do that.

Listen on Apple Podcasts, Spotify and YouTube.

This AccelPro audio transcript has been edited and organized for clarity. This interview was recorded on October 23, 2023.

AccelPro’s expert interviews and coaching accelerate your professional development. Our mission is to improve your day-to-day job performance and make your career goals achievable.

JOIN NOW

Send your comments and career questions to questions@joinaccelpro.com. You can also call us at 614-642-2235.

If your colleagues in any sector of the audit field might be interested, please let them know about AccelPro. As our community grows, it grows more useful for its members.

AccelPro | Audit
AccelPro | Audit
AccelPro’s expert interviews and coaching accelerate your professional development. Our mission is to improve your everyday job performance and make your career goals achievable. How? By connecting with a group of experienced Audit professionals.
You’ll get the knowledge and advice you need to navigate your changing field. You’ll hear deep dives with experts on the most important Audit topics. You’ll give and receive advice on how to make difficult job decisions. Join now to accelerate your career: https://joinaccelpro.com/audit/