Auditing, Fraud & Black Swans

Normally when I write I have a fair idea of the pros and cons of my viewpoint, and the questions that can be raised on the topic. In this case I would like to say, my thoughts are still in a fluid state and I welcome my readers to share their opinion on this post.

Let me get to the point of the discussion, since the title itself is somewhat confusing. I was reading “The Black Swan” authored by Nassim Taleb. I found a couple of his statements very relevant to financial statements auditing.

Here is a paragraph from the prologue under the heading “The Bottom Line”. This is what got me thinking regarding financial statements auditing, so read carefully.

“Note that I am not relying in this book on the beastly method of collecting selective “corroborating evidence”. For reasons I explain in Chapter 5, I call this overload of examples naïve empiricism - successions of anecdotes selected to fit a story do not constitute evidence. Anyone looking for confirmation will find enough of it to deceive himself - and no doubt his peers. The Black Swan idea is based on the structure of randomness in empirical reality.”

Is this not exactly what auditors do when conducting a financial statements audit? An auditor gives an opinion on the financial statements of the company. According to the Indian Companies Act, the financial statements and related documents should “give a true and fair view of the state of the company’s affairs as at the end of its financial year and such other matters as may be prescribed”.

Since the auditors are not required to comment on 100% accuracy of the statements, they use various auditing and sampling techniques to find corroborating evidence regarding the fairness of the financial statements. Auditors are not required to look for or detect all frauds. Hence, the sampling techniques are selected based on a normal population. Fraud as such is an exception to the rule: an unpredictable event in most industries (except banking and financial services, where some level is expected). Hence, it can be considered a black swan.

Audit techniques are not designed to identify black swans and find a solution for them. They are all focused on a set number of transactions and auditing steps. The macro-level view of the situation is not seen, though auditors might have a list of inherent risks. Then we are shocked that mass-scale fraud at an organization was not detected by the auditors. A post facto analysis in most cases shows that auditors had reasonable grounds to suspect fraudulent activities and should have reported the same. Let me give you a couple of examples here to put my point across to you.

Take the recent Citi Bank Rs 300 crore (USD 67 million) fraud (now estimated at Rs 400 crore). The auditor’s statement by S.R. Batliboi (member of Ernst & Young) states that the organization had adequate risk management procedures and practices. Now Shiv Raj Puri, the rogue operator, did transactions worth Rs 900 crore (USD 201 million) during the year. Basically, 1/3 to 1/2 of his total transactions were fraudulent. If the risk management systems were in place, then these should have been detected, since they were done for more than a year. Can we now from a historical viewpoint say that auditors actually assessed the risk management functions and operations properly before forming an opinion?

In my view, the auditors should have done the following:

  • Conduct an analysis of yearly frauds reported
  • Link them to specific processes and identify the control weaknesses in the processes and technology
  • Assess the various risk management initiatives implemented by the organization in respect to the high fraud risk processes
  • Determine whether they are sufficient to detect and prevent frauds

Without a detailed study, commenting on the adequacy of risk management processes doesn’t really help.

Now let me take another example to show how macro-level systemic risks are not connected with the auditing of an organization. As we know, in India corruption is high and laws are frequently broken to close business deals. The Corruption Perception Index 2010 issued by Transparency International shows India ranked 87th of the 178 countries listed. The score is 3.3, which comes under highly corrupt countries.

KPMG India Fraud Survey Report 2010 states the following:

“Bribery and corruption is viewed as an inevitable aspect of doing business in India. Bribery and corruption are most rampant in seeking routine regulatory approvals and to win new business from prospective clients.”

The report indicates that 37% of bribes are paid to get routine or administrative work done from the government. Secondly, 38% of the respondents reported that paying bribes is an integral part of doing business.

Now this is interesting data. I am assuming that KPMG sent the survey questionnaire to most of its clients and they responded with the completed questionnaire. Did KPMG link these responses of their audit clients? At least some of the clients who have responded in the affirmative would be multinationals. If I deduce further, the multinationals are impacted by the US Foreign Corrupt Practices Act. Has KPMG, while conducting the audit, found that the clients were paying bribes and reported the same to their global office? Did KPMG India or US report these unethical practices to the concerned authorities? I think nothing was done to relate the information collected in the survey while conducting the audit and no unethical practices were reported.

Under these circumstances is it not right to say that auditors are basically looking for evidence to corroborate that financial statements represent true and fair status? Are auditors really questioning the premise they are evaluating their decisions on? What’s your opinion?


8 comments on “Auditing, Fraud & Black Swans”

  1. Once again I agree with you Sonia. Using Enron again…

    Unrelenting pressure to ‘make the numbers’ was at the root of the Enron scandal. Bethany McLean and Peter Elkind’s “The Smartest Guys in the Room: The Amazing Rise and Scandalous Fall of Enron” (2003) quotes a former employee’s description of the process: “Say you have a dog, but you need to create a duck on the financial statements. Fortunately there are specific accounting rules for what constitutes a duck: yellow feet, white covering, orange beak. So you take the dog and paint its feet yellow and its fur white and you paste an orange plastic beak on its nose, and then you say to your accountants, ‘This is a duck! Don’t you agree that it’s a duck?’ And the accountants say, ‘Yes, according to the rules, this is a duck.’ Everybody knows that it’s a dog, not a duck, but that doesn’t matter, because you’ve met the rules for calling it a duck.” (Chapter 10, page 149).

    Ironically, Enron’s corporate slogan was “Ask why?” This was exactly what no one did at the time–it just wasn’t safe to–and precisely what everyone bitterly regretted not doing after the event. In 2001 McLean and Elkind had published an article that shook the financial world, “Is Enron Overvalued?” Prior to that most investors saw Texas-based energy trader Enron for what it was on paper, the seventh largest corporation in the United States. McLean and Elkind laid out a case against the price of Enron stock showing that their profit statements were little more than smoke and mirrors.

    The question is how many more Enrons are there out there. My gut feel is that there are lots of them.

    One particularly egregious aspect of this corrupt practice by auditors is the way they channel their bribes through huge IT projects typically for ERP implementation like SAP. Andersen, of course, spun off Accenture but it was too late to save the biggest accounting firm in the world which collapsed as a result of the Enron scandal. Do you think the others are any different, especially now they have absorbed all Andersen’s former employees with their clients? Wikipedia is good on this:

    • Today appears to be a good day, you agreed with me twice. I would say yes, there are some auditors who refuse to ask the relevant questions.

      I remember earlier in my career I was auditing a bank and my senior reviewed a Rs 10 crore transaction. Her memo read like this: “Certain securities were purchased from a certain bank at a certain rate of interest in exchange of certain assets”. I am not making up the certains; she wrote a full-page memo with certain used where specific information should have been put. Me being the respectful junior wrote in pencil “with certainty I can say everything is uncertain”. My team had a good laugh and I erased it. When the Bombay partner came to review my files, he asked me regarding the specific transaction, since the credit of it was in Bombay books. Later on, in the Harshad Mehta scam, that transaction was printed in the newspapers. So yes, it can be a combination of lack of knowledge and greed, which can impact an auditor’s judgment.


  2. Sonia, the incident of CITIBANK illustrates that auditors, when conducting a fraud risk assessment, should consider all possible fraud risks including access to info. of bank clients besides assets, or money. Bank employees allegedly used their …access to the contact and personal info. of high net worth clients to perpetrate the scheme. It should have been carefully protected and monitored. Bank must have taken preventive steps, i.e. informing high net worth clients about the full range of bank products and services, and taking such preventive actions would have reduced the ability of the fraudsters to identify high net worth clients and exploit them with fake bank investment products. It clearly shows that there was a lack of risk management process in the organisation which auditors should have identified and informed the orgn.

    • Shilpi,

      Thanks for reading the blog. Agree with you completely. Most of the frauds occur because bank employees access customer personal information without business authorization. Access backlogs are normally monitored to check unauthorized access. If that is not being done, as it looks in this case, the employees can conduct frauds over a period of time and remain undetected.

      Yes, definitely, risk management process lapses are there. Don’t know how much the auditors reported on it.


  3. Hello, Sonia. You are mostly right, partly not, I think. On the one hand, if a fraud is material it should have been detected anyway. But ISA 200 states the following about the auditor:
    “Overall Objectives of the Auditor
    11. In conducting an audit of financial statements, the overall objectives of the
    auditor are:
    (a) To obtain reasonable assurance about whether the financial statements
    as a whole are free from material misstatement, whether due to fraud or
    error, thereby enabling the auditor to express an opinion on whether the
    financial statements are prepared, in all material respects, in accordance
    with an applicable financial reporting framework; and
    (b) To report on the financial statements, and communicate as required by
    the ISAs, in accordance with the auditor’s findings.
    12. In all cases when reasonable assurance cannot be obtained and a qualified
    opinion in the auditor’s report is insufficient in the circumstances for purposes
    of reporting to the intended users of the financial statements, the ISAs require
    that the auditor disclaim an opinion or withdraw (or resign) from the
    engagement, where withdrawal is possible under applicable law or regulation.”
    So if the audit program was designed so that a material fraud of 67 mln USD was not detected, then it is the mistake of the audit partner and audit team.
    The second point about bribes is very interesting. I am from Russia originally, we have the same problem in our country. Would like to join you and discuss this issue.

    • Farid,

      Your points regarding fraud in financial reporting are very valid. In the CitiBank case, we came to know because the fraud was reported to the police and customers were also impacted.

      However, in most cases, police cases are not filed for frauds. So these are unreported and undetected. Hence, the magnitude of the problem can never be discovered.

      Definitely, would love to discuss the bribe issue further.

      Kind regards,


