Listen on Apple Podcasts, Spotify and YouTube
Welcome to AccelPro Audit, where we provide expert interviews and coaching to accelerate your professional development. Today we’re featuring a conversation with Jay Brown, Lawrence W. Treece Professor of Corporate Governance at the University of Denver and a former Public Company Accounting Oversight Board (PCAOB) board member.
When the PCAOB released its priorities for inspections in 2023, fraud topped the list. Why is the audit field’s regulatory body focusing more on fraud now? What does that mean for practitioners in the trenches? And what steps can responsible auditors take to ensure they're following best practices when it comes to fraud detection?
We turned to Jay Brown, a former PCAOB board member who left the organization in 2021 to return to his former work as a professor of corporate governance. He spoke to AccelPro Audit about the chasm between investors’ and auditors’ expectations regarding fraud detection, his view of the current PCAOB leadership and nuts and bolts advice for practicing auditors.
Listen on Apple Podcasts, Spotify and YouTube
Interview References:
Jay Brown’s University of Denver Sturm College of Law profile.
4:41 | Fox, Brian. Only 4% of fraud is caught by outside auditors. It’s time for accounting to change its approach. (22 July, 2020). Fortune.
8:22 | AS 2401: Consideration of Fraud in a Financial Statement Audit. PCAOB.
8:36 | Proposing Release: Amendments to PCAOB Auditing Standards related to a Company’s Noncompliance with Laws and Regulations, PCAOB Release No. 2023-003, PCAOB Rulemaking Docket Matter No. 051. (6 June, 2023). PCAOB.
10:09 | Munter, Paul. The Auditor’s Responsibility for Fraud Detection. (11 October, 2022). Security and Exchange Committee.
12:08 | Brown, Jay. The Future of Audit Oversight. (15 January, 2021). PCAOB.
13:01 | H.R.7245 - PCAOB Whistleblower Protection Act of 2022.
14:05 | PCAOB Board.
22:01 | Americans for Financial Reform.
22:09 | Consumer Federation of America.
Supplemental Materials:
PCAOB Staff Virtual Roundtable on NOCLAR Proposal. (6 March, 2024). PCAOB.
Wright, Robert. EY claims success in using AI to find audit frauds. (3 December, 2023). Financial Times.
TRANSCRIPT
I. ON AUDITORS’ RESPONSIBILITIES AROUND FRAUD
Jessica Stillman, Host: Let's set a baseline on the issue of fraud. When we hear people talking about an auditor's responsibility for uncovering fraud, what do people mean? What does the term fraud cover?
Jay Brown: You would think that would be an obvious question with an obvious answer, but it's more complicated when you step back and think about it. And it sometimes depends on who's asking the question. Let’s take Enron, for example. They cook the books, everything was fraudulent, and you couldn't rely on the financial statements. We all know that's fraud. But there's a continuum. What about, for example, a company that is managing their earnings so every quarter on the last day of the quarter, they've managed to find just enough revenue to meet the forecasts of the analysts? Or what about somebody that's making assumptions on the value of long term assets or cashflow or something like that, but it's inconsistent with their public statements? In all of these cases, of course, the financial statements can be wrong. And I think in all of these cases, auditors have a role to play in making sure that kind of behavior doesn't happen.
JS: We hear a lot about the role of auditors in detecting fraud. What would you say are auditors responsibilities for detecting fraud?
JB: Let's start with this: auditors are going to always remind us that they don't guarantee the accuracy of financial statements. We just give reasonable assurance, but it's reasonable assurance that the financial statements are free from material misstatements due to error or fraud. If you're uninitiated and you're listening to that, it sounds like, gosh, fraud gets equal billing. I imagine the auditor must spend a lot of time on both of those things. And of course it's not equal billing.
The PCAOB sets the standards for what auditors have to do in an audit. There is a standard that says, here's what you need to do in terms of detecting fraud. If you ever read it, it's actually kind of a good read. The standard says, “Look, here's where there's a lot of possibility of risk of fraud, revenue recognition, management estimates.” It says, “Auditors, you should be thinking about when management is under pressure to commit fraud. How might they conceal things?” It says “You should maybe do a surprise inspection of inventory, or maybe you should talk to suppliers,” and things like that.
But when you dig into that standard more deeply, what you realize is these things are phrased as examples. Or it will say, “You may want to consider these things.” In other words, they're suggestions; they're not requirements. Really, in that standard, there's hardly anything that's required.
Brainstorming sessions, that's actually in a different standard, but you have to do those. You have to test the general ledger. You have to implement unpredictable procedures in an effort to find fraud, but that's pretty much it. So what auditors do, it's mostly a matter of judgment. And they mostly decide on their own what they want to do.
JS: Given that so much is left up to the auditor's discretion, do you think auditors are doing an adequate job in detecting fraud?
JB: If you ask the investor community, I think there would be quite a few people in that community that would just give you a flat no, and the thing that they would point to most often is studies that show that when fraud is uncovered at a corporation, who uncovered the fraud? It's almost never the auditor. I think the number that I've seen is that in 4% of the cases, it's the auditor. The auditor is supposed to be digging around and giving you reasonable assurance that the financial statements don't have misstatements due to fraud, yet it seems like they never catch the fraud.
JS: Are investors right in your opinion that auditors aren't living up to their expectations?
JB: Let me answer it this way because I think to definitively say right or wrong is not always easy, but structurally, there is really no glory in looking deeply for fraud if you're an auditor. There just isn't, because if you look too hard and you find some things, there can actually be a downside to that. But if you don't look as deeply as maybe you could, and it turns out there's a fraud later, you have a ready made answer to that, and that is, “Look, the fraud's concealed. I looked, but I can't find things that were hidden from me.” Sometimes, of course, that's exactly right, so the incentives to really dig deep for fraud are not there.
—
II. WHY THERE IS OFTEN NO GLORY IN LOOKING FOR FRAUD
JS: You just said that there are downsides to looking for fraud. Can you talk a little bit more about what you mean?
JB: When we think about looking for fraud, it's not going to be that somehow an auditor pushes against the door, walks in and, there's a full blown fraud right in front of the auditor's face. What really happens is they find anomalies or red flags that suggest that maybe there's fraud going on. Then, of course, you have to follow up if you find these things. If you don't follow up, and they're reflected in your work papers, and it turns out later there's fraud, then you can get tagged with liability because you saw these red flags and you didn't do anything.
But let's think about that follow up process. One of the things that may mean is some very inconvenient conversations with management. You find some things that look like red flags. You sit down with the CFO. Now the CFO is probably the person that ensured that you would get this position, right? They’re either the one that hired the auditor or maybe had a hand in who the engagement partner was. Over the course of an audit, a lot of times there will be cost overruns, and you have to go back to the CFO and say, “Hey, do you mind paying me extra?” So you're sitting down with this person, and you're essentially saying, “Did you commit fraud?” or, “Did somebody in your reporting line commit fraud?” It's not exactly the preferred conversation to set the tone for the relationship.
JS: No, it sounds quite awkward.
JB: Doesn't it? So they don't want to do it unless they really have to.
And then if you find these red flags and it's late in the audit process, you've got a tight timeframe where you've got to get this work done. Your resources are stretched; people are working long hours. And now suddenly, you found these things, and you've got to run them down. That might mean more delay, more expense. If you're a senior manager on that audit and you've got overruns and you've got delays, it's not advantageous for your career in the firm.
What's the solution? Well, one solution is don't find the anomalies to begin with. Then you don't have to have the inconvenient conversations, and you don't have to have these potential problems with the audit. But if you do find them, the easiest approach: paper the file. Just find as much evidence as you can that supports management and move on. Structurally, and I'm not pointing the finger at anybody in particular here, there's just no incentive to really dig deeper.
JS: Given those structural disincentives for deeply investigating fraud that you just outlined, what do you think should be done to bridge the gap between investors' expectations and auditors' expectations?
JB: Expectation gaps, let me just talk about that for a minute because I've thought about it quite a bit. Are there expectation gaps, and then who is the one with the mistaken expectations, right? That's always the question.
Let me just give you an example. So the PCAOB put out a proposed standard that's designed to say, here's what the auditor’s responsibilities are with respect to looking for illegal acts, fraud, regulatory non-compliance and things like that. It's called the NOCLAR proposal.
In that proposal, the PCAOB said that one of the things auditors ought to do is step back, look at the company they're auditing, whether it's an oil company, it's a pharmaceutical company, whatever it is, right? Step back and see what are the kinds of legal violations, concerns, regulatory noncompliance that are common either to the company or common to the industry that can result in material misstatements in the financial statements. You don't have to look at everything, but you have to look at the things that might lead to false financial statements. Then you integrate those risks into your audit plan.
If you go look at the letters at the PCAOB, the audit firms went ballistic over this requirement. There are words in there like impossible, unreasonable, way beyond what could be expected of an auditor. Now, if you go and look at the letters from the investors, there's also an expression of shock at this requirement. But the shock is, you mean you have to require this? They're not already doing it? You mean a firm that is saying, “I'm giving you reasonable assurance that the financial statements are accurate and free from material misstatements isn't already looking to see if there are legal violations that could have a direct or indirect effect on the financial statements?” It's a pretty stark divide and it gives you an idea of what investors expect versus what firms think they really should be doing.
JS: What specific steps would you recommend auditors take in their everyday working lives in regards to being more cognizant or more proactive about detecting fraud?
JB: Paul Munter is the Chief Accountant over at the SEC, and he gave a speech about the auditor role in detecting fraud. It’s a good speech and I certainly recommend that people in the area read it. But one of the things he did was bring up best practices, which are not requirements.
He listed a bunch of them. One was, you should look at all the external, publicly available information on the company you're auditing. It could be a short seller report; it could be an analyst report; it could be the financial press. I assume the idea is that something in the publicly disclosed information might give you some insight into potential risks or problems within the company.
He also said, as an auditor, you should look at the internal culture with respect to fraud. How does the company deal with fraud? Because if there's fraud, it's starting at the company. How do they handle it? How do they deal with and encourage whistleblowers? Then he suggested you should take these results and talk to the audit committee about it.
Those are best practices. But I think it's a bit shocking that they're not mandatory requirements that you do in every single audit. But because they're best practices, the firms can do them if they want.
If I were talking to auditors, here are some ideas that I would have: first of all, there's no silver bullet. You need to dig deeper and be more willing to challenge management when you find these red flags and anomalies.
I'll point out that there's a lot of talk about technology, particularly AI. If you're doing full population testing—looking at things on a more granular basis—you could run AI programs. And presumably if there were red flags and anomalies that were not readily apparent, maybe AI could pick them up. You could do that, but I don't really hear of that taking place.
You have to do unpredictable procedures, the whole idea being that if management wants to commit fraud and they want to hide it, you need to be looking at some non traditional areas, doing some things that are unpredictable that might catch them. They have to be unpredictable because if management knows where you're going, they'll just hide it where you're not going.
I gave a speech when I was at the PCAOB, and there's academic literature that says, in a lot of cases, the unpredictable procedures have become predictable because you do the same thing. If you're testing, say, an account 10 times, your unpredictable procedure is you test it 15 times, or something like that. I think that auditors should think genuinely about what it means to do something really unpredictable that might really catch somebody.
I would hope that if auditors collectively have more tough conversations with management, it would become a normal part of the audit process, and maybe CFOs and other managers would take it a little less personally and it would become easier to do it. I would hope that the firms would become a little bit more supportive of the PCAOB's efforts to clarify their obligations in this area.
And then, though this may be far afield, there's a whistleblower bill that would give the PCAOB whistleblower authority, and I wouldn't mind seeing that get adopted.
JS: Nothing seems to be flying through Congress, unfortunately. But can you give a little more detail? What changes would it make if it did go through?
JB: I think it would allow the PCAOB to provide payments to whistleblowers. The SEC can do that, and there have been payments made by the SEC in the hundreds of millions of dollars to whistleblowers. It's based on the amount of money that the regulator collects, but if people come forward and they identify something and they're the reason why the regulator found the misbehavior and brought an action, there's effectively compensation to the person that brought the claim forward. PCAOB does not right now have that authority.
—
III. WHY THE PCAOB IS FOCUSING ON FRAUD NOW
JS: You spent three years at the PCAOB as a board member, so I'd love to talk about their role and responsibilities in improving auditors' ability to detect fraud. What would you like to see from the PCAOB's perspective?
JB: Let me start with, I think that the PCAOB has really extraordinary leadership right now. You have Erica Williams, the chair; you've got Kara Stein, a former SEC commissioner. Tony Thompson came from the CFTC, and George Botic, who was the director of the Division of Inspections, became a board member. I think these folks, collectively, get it and understand that if auditors are doing a better job in detecting fraud, it's good for investors, of course, foremost, but it's also good for auditors. It raises their stature. It gives people greater confidence in them and in the financial statements.
These people get it. I'll give you two examples. One of them is delineating what the inspectors were going to look for. Pretty much 50% of what the PCAOB does is inspect audit firms. There are some audit firms that get inspected every year. Some of them get inspected every three years. When they go in, they're making sure that audits are done properly, at least as far as they can in a relatively short inspection. They list items that have particular importance or emphasis in the inspection process. At the top of the list this year was fraud procedures, so they're targeting it. They're going to look at it.
The second thing is that they have changed the inspection report. The report is the result of the inspection of the auditor, and there's a portion of that report that's made public. What they've done is they've changed that report to make it clear that if they find deficiencies in the way auditors are looking for fraud, they're going to make it public in that report. That really wasn't being done before. Now it will be.
And if you go back to Justice Brandeis, who was one of the founders, at least philosophically, of the federal securities laws, he said, “Sunlight is the best disinfectant.” In other words, you make it public, and that's going to cause people to change their behavior. The PCAOB, by making deficiencies in fraud procedures public, is going to really encourage firms to step up their game. These are very important steps forward, and I'm sure there are going to be more.
JS: Why is the PCAOB ramping up its focus on fraud right now? Is this just a long overdue update that they're getting to, or is there some reason that fraud has become a particular focus right now?
JB: The PCAOB was created in 2002; it’s a Sarbanes-Oxley creation. Congress made it absolutely clear there's a singular mission to protect investors and the public. At one level they're looking at standards and particularly things like NOCLAR that they view as important to investors and the public.
But there's another reason. When the PCAOB was created, they needed a set of standards that they could look at and then enforce, make sure auditors were doing it. What they did was adopt the standards that were in place at the time, and those standards were written in the seventies and the eighties. They were, even then, probably out of date, and also they were written at a time when there wasn't much investor input into what those standards said. They were pretty industry friendly.
They adopted them in ‘03, committed to post haste rewriting them, and then promptly got so caught up in so many other things, because it's a busy organization, that those standards didn't get rewritten. Maybe half of them weren't rewritten.
I think they recognize you can't still have standards from the seventies and eighties. What they're doing is emphasizing, as they update, the ones that are the most important to investors.
—
IV. ON MOVING INTO A REGULATORY OR POLICY ROLE
JS: In these conversations, we always finish off by talking about the guest's own career trajectory. You've spent most of your career as a professor focused on securities and corporate law. But you also spent time at the PCAOB. Can you talk a little bit about how you ended up on the regulatory side of things and what the experience was like for you?
JB: I've been teaching for decades as a law professor, and so to get to a stage in my career where I could actually implement thoughts and ideas that I had been writing about for a long time was quite a privilege.
When I got over there, it was funny. I did hear from some staff members indirectly, what's the SEC doing putting a law professor on the PCAOB board? Do we really need an academic? I was the first one and I think I'm still the only one that's been appointed, but the benefit to having an academic, if you do it right, is you can step back and look at what the organization is doing from a broader perspective.
One of the things I did when I was there was give a lot of speeches and work on how the PCAOB needs to be more transparent. It's just not transparent enough in its mission and what it does. It really needs to do more to make the public aware of what it's doing and I think that being an academic really enabled me to see that issue and then make it very public. And the organization's becoming a bit more transparent. I think there's been some progress on that front.
JS: Within the audit profession are there any sort of misconceptions about regulators, their role, or how they operate that you'd like to clear up?
JB: Within the audit profession, I think everyone, auditors of public companies, auditors of broker dealers, they all know about the PCAOB. But outside of the audit profession, almost no one has heard of the PCAOB. I had to explain to my kids what I was doing, and I'm still not sure they fully get it.
But I looked it up one time and, the PCAOB, they have more people than the Commodities Futures Trading Commission, another government regulator, and they have a budget that's bigger than the Federal Trade Commission, so the PCAOB is not exactly small; it's more hidden.
I think that it needs to be better known to the non auditor community. It needs to stop flying under the radar. Now, again, I think they've been taking steps in that direction. They created a new position called the Investor Advocate. Saba Qamar, who was appointed to that position, is doing a remarkable job at reaching out and helping make the PCAOB be better known, but there's certainly a lot more to be done.
JS: Is there anything else you'd like to say to auditors in regards to fraud detection and their responsibilities?
JB: I would say, don't let the fear or the inconvenience of finding red flags interfere with your need to go out and explore that stuff. I personally believe, if you find these anomalies, rather than creating more risk of liability, if a fraud eventually comes up and you say, “Look at all the extra steps we took; look at all the things that we did,” that's going to be a defense that you worked harder and did more.
I can't think of anything that's more important to investors. I also can't think of many things that could be more important to attracting people into your firm than if they know you're really committed to the public interest and you're going to redouble your efforts with respect to looking for fraud.
This AccelPro audio transcript has been edited and organized for clarity. This interview was recorded on October 26, 2023.
Listen on Apple Podcasts, Spotify and YouTube
AccelPro’s expert interviews and coaching accelerate your professional development. Our mission is to improve your day-to-day job performance and make your career goals achievable.
Send your comments and career questions to questions@joinaccelpro.com. You can also call us at 614-642-2235.
If your colleagues in any sector of the audit field might be interested, please let them know about AccelPro. As our community grows, it grows more useful for its members.
