Student Name Brief #5 Use of Audit Software Review and Survey.docx

Student Name Brief #5 Use of Audit Software: Review and
Survey Date
Central Message: Auditing has had to change from “around the
computer” to “through the
computer” due to sources only being available in electronic
form. CAATs and CAATTs improve
efficiency and effectiveness of audits. A variety of standards
and statements were issued because
new guidance was necessary once the growth of IT affected the
nature, timing, and extent of audit
procedures. Continuous auditing is the key to improving the
efficiency and effectiveness of audits.
Author’s Theme: Auditors are advised to use CAATs to gather
evidence so that they can increase
the efficiency of inspection and analytical review. One of the
many statements released on IT, SAS
94, stressed that IT’s impact on internal control is a result of
the nature and extent of the system’s
complexity rather than the size of the firm, which is why
auditing through the computer is
important when testing controls. Auditors can pinpoint the risk
areas and thus have a better idea of

what to inquire when questioning management; improving the
quality of the evidence and thus the
audit. Importance: Advancement in information technology has
a direct impact on business
processes and the audit. Increasingly, auditors are required to
perform audits in computerized
environments; therefore, additional standards are required to
ensure that financial statements
auditors continue to perform high quality audits.
Conclusion/Opinions: (1) The author concludes
that auditing through the computer is important when testing
controls because of the impact IT has
on internal control. GAAS field work #2 supports this because
the IT system is a part of the entity’s
environment, and especially, when it is complex, the auditor
must audit through the computer to
adequately assess internal control risk. (2) Using CAATs can
increase the efficiency of audit
procedures. SAS No. 106 indicates that CAATs allow auditors
to inspect electronic evidence directly.
(3) Auditors should use data analysis from audit software in
order to pinpoint the risk areas and
gain a better idea of what to ask management. AS # 5 states that
risk assessment underlies the

entire audit process, including the determination of significant
accounts and relevant assertions,
selecting controls to test, and determining the evidence
necessary.
Auditing
Article-Briefs
All Briefs are Individual Assignments
Briefs are one (1) page write-ups of selected articles requiring
you to (1) summarize the article with the central message and
the author’s theme; (2) discuss 2 reasons why this is an
important or unimportant topic for the audit profession; and (3)
indicate your agreement or disagreement with 3 of the author’s
conclusions or opinions and support your 3 points with different
auditing standards (PCAOB, ASB, IAASB, ACFE, IIA etc.). Do
not agree or disagree with the standards but agree or disagree
with the author. You may NOT use your textbook as an
authoritative source but your textbook may guide you to the
right source.
The paper specifications are:
1. one page
2. one side
3. standard-sized paper (8 ½ inches by 11 inches)
4. double-spaced
5. one-inch for all margins
6. font-Times New Roman
7. font size > or = 11
We will discuss the articles on the days the briefs are due.
Please submit briefs at the beginning of class. Bring a second

copy or your notes to refer to when the article is discussed.
Briefs are due according to the schedule. Late submissions will
not be accepted. You may email the brief if you will not be in
class.
The Rubric is an integral part of understanding the assignment.
Please see the Rubric for specific information about how the
assignment will be graded.
OCTOBER 2014 / THE CPA JOURNAL12
In
Focus
OCTOBER 2014 / THE CPA JOURNAL 13
A uditors are expected by the public to find financial statement
fraud, eventhough U.S. GAAS has long held that they might not
be able to detect allfrauds. The following discussion draws upon
the experience of an expertwitness in numerous major fraud
cases in order to illustrate situations in
which auditors can—and cannot—reasonably be expected to
detect fraud. Certain fac-
tors can make fraud nearly impossible to discover, even when a
competent GAAS
audit is performed, and certain factors are often present when
auditors should have detect-
ed fraud.
The Auditor’s Role
Most companies and their managers prepare financial statements

that are transparent
and fairly stated; however, in rare cases, individuals succumb to
pressures and oppor-
tunities to commit financial statement fraud. Society has long
believed that the protec-
tor—that is, the “public watchdog” [U.S. v. Arthur Young &
Co., 465 U.S. 805 (1984)]—
against this dishonest minority is the independent financial
statement auditor.
Arthur Levitt, former SEC chairman, articulated the auditor’s
role: “America’s audi-
tors were given a franchise by the Securities Acts of 1933 and
1934 to provide the
public with accurate audited statements of companies. … And
their mission, the rea-
son for all of that, was to protect the public investor from
financial fraud”
(http://www.pbs.org/wgbh/pages/ front
tine/shows/regulation/interviews/levitt.html).
By W. Steve Albrecht and Jeffrey L. Hoopes
Why Audits
Cannot Detect
All Fraud Real
Examples
and
Insights
from an
Expert
Witness

14 OCTOBER 2014 / THE CPA JOURNAL
Likewise, Douglas R. Carmichael, the first
PCAOB chief audit director of professional
standards, stated: “Auditors should recog-
nize that the detection of fraud is clearly
an important objective of an audit. That
has been true for over 60 years, but the
literature of the profession has not
forthrightly acknowledged that objective.
It is important that auditors take AU 316
(SAS 99) seriously and conduct audits in
a manner that makes it probable fraud
will be detected” (http://www.pcaobus.org/
News_and_Events/Events/2003/Speech/
12-12_Carmichael.aspx).
But an expectation gap exists between
what regulators, the public, and investors
believe that a financial statement audit is
intended to do and what the auditing stan-
dards state that financial statement audits
are required to do. Indeed, William R.
Kinney Jr. and Mark W. Nelson indicated
that “bank loan officers, bank regulators,
members of Congress and their staff, the
SEC, GAO, financial writers, financial ana-
lysts, judges, jurors, and ordinary investors
appear to hold auditors responsible for
higher levels of disclosure and greater audit
effectiveness than auditors believe is appro-
priate” (“Outcome Information and the
‘Expectation Gap’: The Case of Loss
Contingencies,” Journal of Accounting

Research, vol. 34, no. 2, Autumn 1996, pp.
281–299). In addition, Marc J. Epstein and
Marshall A. Geiger found that more than
70% of the investing public expected abso-
lute assurance from auditors against mate-
rial fraud in financial statements (“Investor
Views of Audit Assurance: Recent
Evidence of the Expectation Gap,” Journal
of Accountancy, vol. 178, no. 5, 1994, pp.
60–66). Consistent with this belief, audi-
tors are usually sued in class action law-
suits on behalf of the shareholders in cases
of financial statement fraud.
Despite the public’s view of the auditor
as a protector, the accounting and audit lit-
erature state that a company has the prima-
ry duty to design, implement, and maintain
a system of internal controls that provide rea-
sonable assurance that reliable financial
statements can be produced and that audi-
tors have the responsibility to provide rea-
sonable assurance that the financial state-
ments are prepared fairly in accordance with
U.S. GAAP. It is widely understood in the
academic and professional auditing literature
that it is not the auditor’s duty to guarantee
that the financial statements are accurately
represented. This is demonstrated by the lan-
guage used in the audit report that accom-
panies every 10-K filing and many auditing
standards. AU section 316, “Consideration
of Fraud in a Financial Statement Audit”
[originally issued as Statement on Auditing
Standards (SAS) 99, Consideration of Fraud

in a Financial Statement Audit], states that
“even a properly planned and performed
audit may not detect a material misstatement
resulting from fraud.”
Although it is understood that auditors
might not be able to detect all fraud, an
understanding of the factors that make fraud
detection difficult is lacking; thus, this dis-
cussion aims to provide real-world examples
of some of the circumstances under which
a competent GAAS audit might not detect
fraud. These examples are based on 35
separate fraud cases in which one of the
authors acted as an expert witness. At any
stage in reviewing the facts, the author
resigned from the case if he believed the
auditors did not perform a GAAS audit or
should have discovered the fraud (which
occurred several times in these examples).
If he thought the auditor had performed a
competent GAAS audit but was nonetheless
unable to detect the fraud or did not detect
the fraud as early as expected by the plain-
tiffs, he testified for the defense.
Of these cases, 19 involved major inten-
tional manipulation of the financial state-
ments. Nearly all of the other 16 cases
involved a top executive committing a fraud
against the organization so large that not
reporting it—because the fraud was
unknown—resulted in a material misstate-
ment. In all of these cases, the auditors
were sued for not detecting the fraud or for

not detecting it earlier. A fuller understand-
ing of when auditors can or cannot be
expected to detect fraud should guide audi-
tors, expert witnesses, legal practitioners, pol-
icymakers, and the investing public as they
observe instances in which fraud is discov-
ered in a company previously subject to a
financial statement audit and where auditor
negligence is being considered.
Background: Nature of the Audits
There are two types of financial state-
ment-related audits that are performed
today—regular financial statement audits
and fraud audits. [In this article, the authors
assume that financial statements audits
are performed in accordance with GAAS,
because most of the examples are prior to
the Sarbanes-Oxley Act of 2002, when
GAAS was required for audits of both pub-
lic and private companies; however, the
analysis also applies to a PCAOB audit
of a public company or a generally accept-
e d gove rnme nt a uditing sta ndards
(GAGAS) audit of a government entity.
The term “financial statement audit” refers
to an audit that looks at the financial
statements in their entirety, on a sample
basis, with the goal of forming an opinion
as to whether the financial statements, as
a whole, are fairly presented.]
One of the unstated assumptions usual-
ly made by plaintiffs is that the auditor has
performed a fraud audit when, in fact, the

auditor has performed a GAAS audit.
Many such plaintiffs seem unaware that
there are major differences between these
two types of audits. Financial statement
audits involve the examination, usually
on a sample basis, of the entirety of the
financial statements and are performed
according to promulgated standards set
by the PCAOB for public companies and
by the Auditing Standards Board (ASB)
for nonpublic, nongovernmental organiza-
tions. Fraud audits are much more detailed
and look in greater depth at specific ele-
ments that might be misstated. These audits
are designed to detect financial statement
fraud, and they most often only occur after
there is suspicion (predication) of actual
fraud. They are also typically much more
time-consuming and are prohibitively
expensive. Unfortunately, performing fraud
audits is the only way to satisfy the
Unfortunately, performing
fraud audits is the
only way to satisfy the
expectation that financial
statement auditors always
detect material financial
statement fraud.

expectation that financial statement audi-
tors always detect material financial state-
ment fraud.
To illustrate this difference, consider one
of the cases included in this article, where
it was discovered that management had
been intentionally overstating revenues and
assets, resulting in materially misstated
financial statements. The auditors were
sued by the shareholders for failure to
detect the fraud during the three-year
period over which it occurred. The foren-
sic unit of a different Big Four auditing
firm and special counsel were engaged to
conduct a fraud audit, and that audit uncov-
ered the extent of the fraud, how it was
committed, and how it was concealed.
These fraud determinations were made
after the forensic team had spent more than
50 times as much time as the financial
statement audit and charged a fee that
was 70 times higher.
The fraud auditors physically confiscat-
ed all the computers of suspected perpe-
trators, interviewed hundreds of individu-
als, and audited 100% of the transactions
in the suspected accounts. These steps are
neither contemplated by GAAS or PCAOB
auditing standards for a regular financial
statement audit, nor are they feasible for
such audits. (The nonfraudulent accounts
that had been examined by the financial
statement auditors were not examined by
the fraud auditors.) This serves as a good

example of what was stated in the first cod-
ified auditing standard, Statement on
Auditing Procedure (SAP) 1, Extensions of
Auditing Procedure (now superseded),
which stated: “To exhaust the possibility
of all cases of dishonesty or fraud, the inde-
pendent auditor would have to examine
in detail all transactions. This would entail
a prohibitive cost to the great majority of
business enterprises—a cost which would
pass all bounds of reasonable expectation
of benefit or safeguard there from, and
place an undue burden on industry.”
Much of why a financial statement audit
is not able to detect fraud—whereas a fraud
audit is able to do so—centers around the
different nature of these types of audits.
Some of these differences are outlined in
Exhibit 1.
Could the Auditor Have Detected
Fraud?
As mentioned previously, the examples
in this discussion are derived from a set
of cases in which an auditor was sued for
failing to detect fraud or failing to detect
it in a timely manner. These cases ranged
from a fraud of $25 million to misstate-
ments of more than $3 billion. All of the
companies were public, and most of the
auditors were large national firms. The
companies represented different industries,
and most of the cases were documented

in the financial press. Because a nondis-
closure agreement was signed in most
cases, specifics about the firms and their
auditors cannot be disclosed. The remain-
der of this article will focus on the 19 cases
where there was intentional misstatement
of financial statement elements by audit
clients.
In 10 of those 19 cases, it was the
expert’s opinion that the financial statement
audits were conducted in accordance with
applicable standards. In 4 cases, settlements
were reached early, and the level of dis-
covery was insufficient to determine
whether a sufficient financial statement
audit was performed. In 5 cases, the expert
believed the audit was not performed in
accordance with applicable standards.
Exhibit 2 describes situations in which,
in the opinion of the retained expert and
author, the failure to detect fraud does
and does not necessarily constitute an ade-
quately performed financial statement audit.
Based on a detailed examination of evi-
dence discovered in the cases, Exhibit 2
identifies four factors that made it extreme-
ly difficult—if not impossible—for even
a properly designed and performed finan-
cial statement audit to detect a material
fraud:
n The nature of accounting records neces-
sitates sampling
n The use of outsiders to help conceal the
frauds

n Reluctance of people to disclose what
they know
n Forgery and lying.
Nature of accounting records. The first
reason why a well-conducted GAAS
audit did not detect material financial state-
ment fraud was the voluminous nature of
accounting records and the economics of
financial statement audits. In one of the 19
cases, the trial balances maintained at head-
quarters alone filled an entire room, and
most subsidiary locations contained numer-
ous other trial balances as well. There
was no way the auditors could examine all
of them in detail and make sure that
every entry summarized in them had appro-
priate support.
In another case, a large industrial corpo-
ration was audited using proper techniques;
however, the company concealed fraud with-
in vast amounts of data, and the valid ran-
dom samples taken by the auditor simply did
not include fraudulent transactions. This is
a good example of how, even if appropri-
ate sampling techniques yield a high level
of assurance against the presence of materi-
al misstatements, sampling errors may still
exist. With tens of thousands of audits per-
formed annually, this means that even
some properly performed financial statement
audits will fail to detect material frauds. In
one case, the fraudsters hid the fraudulent
transactions in very minor and remote sub-

sidiaries that were beyond the scope nor-
mally examined by the auditors. None of
these fraudulent transactions were material
individually, but cumulatively, they had a
material impact on the financial statements.
Further complicating the nature of audits
is the fact that most large companies are
spread out in various locations. For exam-
ple, Wal-Mart has approximately 4,100
retail stores in the United States and more
than 4,000 units in other countries. While
a single store probably could not commit
a fraud that would be material to Wal-
Mart’s financial statements, the company’s
various divisions could. The audit scope
assumes that errors that fall beyond the
scope of the audit are uncorrelated or ran-
dom; however, collusion among managers
that turns errors into fraud can make this
assumption untrue.
In one of the cases, it was later discov-
ered through a fraud audit that more than
27 different people—many of them divi-
sion controllers and accountants—partici-
pated in committing and concealing fraud
from the auditors. To detect this, the audi-
tors would have had to examine detailed,
division-level records that were well below
their audit scope. General and specific
ledgers and other accounting records for
large companies are voluminous, not lend-
ing themselves to easy detection. This is
especially true when perpetrators conceal
their frauds in ways that are hardest to

detect.
Use of outsiders to help conceal the
frauds. The second reason that even a
properly performed audit will sometimes fail
to detect material financial statement fraud
is that those committing frauds use outsiders
EXHIBIT 1
Key Differences between a Financial Statement Audit and a
Fraud Audit
Financial Statement Audit Fraud Audit
Purpose Provides reasonable assurance that financial
statements, Detects and investigates suspicions or allegations of
fraud.
as a whole, are prepared in accordance with applicable
auditing standards.
Scope Not looking for specific problems, but rather, to issue an
Investigating suspected fraud, often targeting only one or
opinion on the overall financial statements. two accounts; there
is always predication and sometimes
tips (or confessions) about where to look.
Method Financial statement auditors must rely on sampling,
Fraud auditors analyze all transactions that are within
which introduces sampling error. the scope of the audit,
eliminating sampling error.

Procedures Reperformance, analytical analysis, documentation,
GAAS audit procedures, plus surveillance, extensive
confirmation, observation, physical examination, and
interviews, seizure of computers and confiscation of
inquiry, all performed with as little disruption as possible.
records, all performed without forewarning, without
regard to disruption of business, and with the ability to
subpoena records.
Timing Occurs in a predictable and consistent manner, with the
Occurs when there is predication (allegation or suspicion
majority of the audit happening near year-end. of fraud) at any
time during the year, without notice or
warning.
Reason for To see if they are functioning as designed and to To
see where there is a potential for fraud and whether
Testing establish the scope of their audit. In public company
control weaknesses have been abused to help commit
Controls audits, to examine controls as required by section 404
fraud. A lack of controls provides fraud opportunities.
of the Sarbanes-Oxley Act of 2002.
Reliance on There is neither the time nor the resources to
corroborate Fraud auditors rarely, if ever, rely on management
Management all information provided by management. Financial
representations because they already suspect that
statement auditors must often rely on management management
cannot be trusted—that is the reason why
representations because it is infeasible not to do so. they were
engaged.
They neither assume that management is honest nor

dishonest.
Training Performed by CPAs trained in auditing and accounting.
Conducted by Certified Fraud Examiners (CFE) or other
Becoming a CPA requires little specific fraud training similarly
trained professionals. CFEs understand auditing
beyond a basic audit course. CPAs are trained to provide and
accounting, and are also required to be skilled in
a vast array of financial services. forgery identification,
detection and investigation
methods, interviewing, criminal profiling, and how
perpetrators use fraud schemes. CFEs are trained to
detect and investigate fraud.
Exposure to Financial statement auditors are rarely exposed to
fraud. Fraud auditors live on a constant diet of fraud. Detecting
Fraud With 17,000 public companies, and only a few being and
investigating fraud is what they do, and most
investigated for fraud, a GAAS auditor might work an
companies where they are engaged have a high
entire career without ever seeing a financial statement suspicion
of fraud. Investigation is the expectation in
fraud. a fraud audit.
to help conceal them. For example, consid-
er one case that involved collusion by an
unrelated party. The two general partners
of a partnership with more than 5,000 lim-
ited partners had significant personal real
estate concerns that desperately needed cash.

They went to an out-of-state bank and, with-
out authorization from the limited partners,
borrowed millions of dollars, thus incurring
significant debt against the limited partner-
ship’s assets.
B e c a u s e o f t h e t r i p l e - n e t l e a s e s
involved, the financial statement auditors
performed lien searches for unpaid prop-
erty taxes. They discovered liens against
Arizona, Texas, and Alaska properties
held by a bank in a completely separate
state, in which the partnership had no
business activity. The auditors approached
management, which claimed that the com-
pany was thinking about taking out a
line of credit, but the facility never
materialized. To corroborate this expla-
nation, the auditors sent an independent
confirmation to the bank, requesting that
it disclose all loans or other liabilities out-
standing as of December 31 of that year.
In response, the auditors received both a
fax and an original letter dated April 12
of the following year from the president
of the bank:
In response to (name of signer) letter of
January 24 regarding your audit of (named
partnership), please be advised as follows:
(1) (named partnership) has no debt or
obligation outstanding to the bank, and (2)
the bank’s attorneys are in the process of
releasing the collateral liens since it is
the bank’s understanding the borrower
does not intend to utilize its existing line

of credit arrangements.
The auditors relied upon this confirma-
tion and concluded that there was no out-
standing debt. Unfortunately, the confir-
mation was false. In reality, there were sig-
nificant liabilities at year-end that contin-
ued until April 11, at which time they were
removed. On April 12, the date the con-
firmation was signed, there were no
unrecorded liabilities, but on April 13, new
liabilities and liens were recorded. The
bank’s president and executive vice pres-
ident—individuals completely unrelated to
the general partners—had been bribed by
the partners to respond to the auditors and
remove the liens for one day; thus, they
colluded with the general partners to
deceive the auditors.
In this case, the auditors exercised sig-
nificant professional skepticism and sought
outside verification of the liens that cor-
roborated management’s explanations. The
auditors had nowhere else to seek infor-
mation, and there was no one to confirm
whether the information the bank president
had provided was accurate. GAAS and
other auditing standards allow auditors to
accept confirmations as audit evidence.
There comes a time in an audit when exter-
nal auditors must accept representations
that something is as it is stated to be.
Furthermore, even if auditors question con-
firmations, management will usually find

another way to deceive them.
In this particular case, the auditors, exer-
cising professional skepticism, noticed that
the letter did not refer to the end of the
year (December 31) as the date on which
there were no liens. As a result, they
phoned the bank’s vice president, who per-
sonally confirmed that, although the letter
was dated April 12, there had been no liens
or liabilities on December 31. Once those
colluding with management decided to lie
and deceive, they continued to do so until
the auditors were satisfied. As a result,
the auditor, who had no reason to believe
that the bank president was colluding and
lying, accepted the “independent” repre-
sentations. Even when auditors go the extra
mile, as they did in this case, there is
always one more deception, one more col-
lusion, one more forgery, or one more act
of concealment that can be used to mislead
financial statement auditors. In most cases,
the concealment efforts are directed more
toward the auditors—both internal and
external—than toward anyone else.
Another example of using an unrelated
outsider occurred at a financial institution. In
this case, the institution loaned money to one
entity, Company Y, which subsequently
loaned money to Company X. Company X
then purchased land from the financial
institution. The transaction is shown in
Exhibit 3. Not knowing about these bor-

rowings, the auditors believed that the trans-
action between Company X and the finan-
cial institution had met the requirements of
a 20% down payment under GAAP
[Accounting Standards Codification (ASC)
360-20; SFAS 66, Accounting for Sales of
Real Estate, at the time] for the financial
institution to account for the sale on an accru-
al basis. This unknown transaction between
Companies X and Y would have been very
difficult for the auditor of the financial
institution to detect. The ability of perpetra-
tors to rely on unrelated outsiders to collude,
forge, and use off-book entities makes some
frauds very difficult—if not impossible—to
detect, even when an audit is performed in
accordance with professional standards.
Reluctance of people to disclose what
they know. A third problem that makes
financial statement fraud very difficult to
detect is that company employees and oth-
ers who have knowledge of the fraud often
do not help external auditors—indeed, they
often lie to protect their supervisors or col-
leagues, or they assume that these super-
visors or colleagues know what they’re
talking about. They want to be “team play-
ers” and often don’t understand the serious
consequences of the small part they’re
playing in a much larger fraud.
Another reason for not disclosing suspi-
cious activity is the difficulty in knowing for
sure that a fraud has been committed. The

first reaction of those victimized by fraud is
usually denial. They then generally attempt
to try to convince themselves that fraud could
not be happening at their company, nor could
their trusted coworkers commit fraud; as a
result, they don’t report suspicious activity.
[Research has shown that individuals
Company employees and others who have
knowledge of the fraud often do not help
external auditors—indeed, they often lie to
protect their supervisors or colleagues.
exposed to fraud often go through five dis-
tinct stages: denial, anger, rationalization,
depression, and acceptance (W. Steve
Albrecht and Timothy L. Williams,
“Understanding Reactions to Fraud,” Internal
Auditor, vol. 47, no. 4, August 1990, pp.
45–51).] Even once they feel confident that
something is not right, employees of an
otherwise normal-seeming company are
often hesitant to divulge information that
may indicate fraud because they fear the con-
sequences. Even if they are not implicated,
EXHIBIT 2

Issues in Determining Whether Financial Statement Auditors
Were Negligent
Examples of Situations from the 19 Cases
Voluminous accounting records did not allow finding well-
hidden fraudulent
transactions
Inability to examine all transactions (sampling)
Nature, volume, and location of assets made it impossible to
verify their
existence and value
Dispersed geographic locations with fraudulent transactions
hidden at
subsidiaries that were below the scope of the audit
Recruited outsiders to help them conceal the fraud; auditors
didn’t know these
outsiders were involved or who they were
Outsiders lied to help conceal the fraud
Additional lying by management to cover up outside
relationships
Power exerted by perpetrators to keep people quiet
Denial (normal crisis) reactions of observers
Confidence in perpetrators by coworkers
Fear of consequences, both personally and to the firm

Uncertainty that fraud was really occurring
First-time perpetrators
Forged documents looked real
Management lied
Necessary to accept management representations
How audits are staffed—least experienced auditors most likely
to see red flags
Inadequate GAAP, GAAS, company, or industry knowledge
Insufficient fraud knowledge
Inadequate planning
Insufficient evidence
Inadequate time spent on audit
Failure to corroborate management representations
Not recognizing red flags
Not following up on red flags
Placing too much confidence in management
Not auditing related entities
Accepting bribes
Lack of objectivity

Reason for Failure
to Detect Fraud
Nature of accounting records
and assets, and economics
of a financial statement audit
Use of outsiders to help
conceal the frauds
Reluctance of people to
disclose what they know
Forgery and lying
Inadequate training and
experience
Poor audit execution
Failure to exercise due care
Lack of independence
Financial statement
auditors failed to
detect fraud, but
were not negligent
Financial statement
auditors were
negligent in
performing a
financial statement

audit
whistleblowers often lose their jobs or see
their companies experience serious financial
and legal problems if material financial state-
ment fraud is found.
Before a fraud audit is conducted, a
fraud is generally already suspected. The
future of current management—and some-
times the company as a whole—is
already in question. The resulting uncer-
tainty and shift in social attitudes toward
disclosure make people more willing to tell
what they know and help the fraud audi-
tors. The unwillingness of knowledgeable
individuals to assist is much more com-
mon in annual financial statement audits
than in fraud audits.
In the authors’ experience, people are
aware of a fraud at different levels, which
can be represented by concentric circles.
The inner circle, which contains the key
perpetrators, usually involves only two or
three individuals, often including the
CEO and CFO. The next circle, which
includes those individuals who were first
recruited to help with the fraud, rarely see
the fraud in its entirety; rather, they are usu-
ally exposed to only a few fraudulent ele-
ments, none of which seems too large or

too egregious. Further removed from the
key perpetrators are those individuals asked
to assist in making suspicious transactions
or other accounting entries in order to help
with the fraud or concealment. These indi-
viduals often do not suspect fraud but,
instead, assume that, even though man-
agement is asking them to do something
unusual, it knows what it is doing; there-
fore, they comply with the illicit requests.
Even further away are those who are not
directly involved in the fraud but who
observe events and accounting entries that
appear questionable. Because these indi-
viduals do not see the entire fraud and are
not actually involved in perpetrating it, they
usually dismiss the questionable actions as
something other than fraud. In addition,
because fraud perpetrators are usually first-
time offenders who cannot be distinguished
from nonperpetrators unless conspicuous
red flags of egregious behavior are
observed, such observers often believe
there is no reason to suspect fraud.
In one of the 19 cases, more than 20
people were recruited to participate in the
fraud; all had college degrees in account-
ing or finance and none had ever partici-
pated in a fraud before. Yet, when asked
to do something very unusual by their
supervisors, they went along without ask-
ing questions. Consider this request made
to one of the company controllers by the
CFO: On a Friday afternoon, the CFO

instructed the division controller to increase
earnings by $105 million by Monday
morning. He didn’t give him any specific
instructions about how to do it. The divi-
sion controller was skeptical about the pur-
pose of these instructions, but he did not
challenge them. He created a spreadsheet
with 210 improper journal entries that he
determined were necessary to fulfill the
CFO’s instructions. This was the first
time the division controller had participat-
ed in making fraudulent entries. He trust-
ed the CFO. More than 20 other people
were involved in overseeing or making
similar entries. Not only did none of these
people tell the external auditors about any
of these fraudulent entries, but they went
to great lengths to hide their actions and to
fabricate documentation to support the
entries if they were questioned.
Forgery and lying. A fourth reason why
auditors may not detect a financial state-
ment fraud is forgery and lying. Although
it isn’t their main purpose, GAAS auditors
are always on the lookout for fraud
symptoms, including analytical symptoms,
internal control symptoms, documentation
or records symptoms, lifestyle symptoms,
behavior al symptoms, a nd tips or
com plaints—anything that could be a red
flag. (For an explanation of the practical-
ity and effectiveness of red flag detection,
see W. S. Albrecht and M. B. Romney,

“Red-Flagging Management Fraud: A
Validation,” Advances in Accounting,
vol. 3, pp. 323–333.) But regardless of how
hard auditors search for fraud symptoms,
they often cannot be expected to find fraud
that involves forgery and lying.
Consider a fraud case involving a com-
pany that tested new drugs for large drug
manufacturers. It would sign contracts to
administer newly developed drugs to par-
ticipants a certain number of times in a lab-
oratory setting. If the drug was to be
administered 10 times, for example, the
arrangement might be that the company
could bill the drug manufacturer after 5 vis-
its and again at the end of the 10th visit.
If the patient dropped out before comple-
tion of the 10th visit, however, no rev-
enue would be earned because the testing
was never completed. The company orig-
inally recognized revenue after the 10th
visit, even though there were billing mile-
stones after the 5th and 10th patient visits.
Unfortunately, the executives wanted to
increase the company’s earnings and stock
price; thus, they decided to commit finan-
cial statement fraud. They first started using
more and more aggressive accounting
methods, switching from recognizing rev-
enue after all 10 visits to every 5 visits, and
then after each visit. When even these
aggressive accounting methods no longer
provided the revenue desired, they started
forging contracts from drug manufacturers.

For example, if a contract stated that the
company would be paid $100 per patient
visit, the executives physically altered the
contract to state that they would be paid
$400 per patient visit. The large number
of contracts and the quality of forgeries
made it difficult, if not impossible, to tell
that they had been altered. Furthermore, the
four members of management who perpe-
trated the fraud—the CEO, CFO, COO, and
controller—all worked in concert to hide
the fraud from the auditor. With this type
of lying and forgery, very few, if any,
GAAS auditors would have detected this
financial statement fraud. Indeed, AU sec-
tion 316 states that auditors are not trained
to be forgery experts. In paragraph 9, it con-
tinues: “Employees or members of man-
agement who misappropriate cash might try
to conceal their thefts by forging signatures.
… An audit conducted in accordance with
GAAS rarely involves the authentication of
such documentation, nor are auditors
Regardless of how hard
auditors search for fraud
symptoms, they often
cannot be expected to
find fraud that involves
forgery and lying.

trained as or expected to be experts in
such authentication.”
In another case, a company headquar-
tered in the Midwest supposedly had
large real estate deposits for future devel-
opment. Title companies located at spe-
cific addresses in other states maintained
these “deposits.” In reality, the title com-
panies’ street addresses given to the audi-
tors were the locations of mailboxes at Mail
Boxes Etc. When the auditors sent confir-
mations to the supposed title companies,
company officers flew to the respective
cities, retrieved the confirmations from the
mailboxes, signed them, and returned them
to the auditors. The auditors who received
the signed confirmations for the deposits
believed that an officer of the title com-
panies had signed them. These forgeries
would have been very difficult for any
GAAS auditor to detect. Despite follow-
ing proper confirmation procedures, the
independent auditors still missed the fraud-
ulent deposits.
A third example of lying and forgery
took place in a large public oil company
that claimed to have large underground
reserves of oil in Puerto Rico, Australia,
and New Zealand. “Independent experts”

attested to all of these reserves, but none
of the oil actually existed. Professional,
well-documented, and consistent forged
documents supported the “existence and
quality” of this oil. In this case, both
organization insiders and outsiders lied and
forged.
Sufficient Financial Statement Audits
Not Performed
Exhibit 2 identifies four factors—which
are not completely independent of each
other—that existed in the financial state-
ment fraud cases where fraud was not
detected, but where, in the author’s opin-
ion, a competent financial statement audit
was not performed:
n Inadequate training and experience of
the auditors
n Poor audit execution—planning, gath-
ering evidence, and examining controls
n Failure to exercise due professional care
n Lack of independence.
In 5 of the 19 cases, the author con-
cluded, after considerable discovery, that
sufficient financial statement audits were
not performed. In 2 of these cases, he
was retained by the defense and resigned
from being an expert witness, and in 3 of
the cases, the plaintiffs retained him after
he had studied the facts of the cases.
Inadequate training and experience.
AU section 210, “Training and Proficiency

of the Independent Auditor,” requires that
auditors have appropriate training and expe-
rience. It is common for the youngest and
most inexperienced auditors to spend the
most time in the field during an audit. As a
result, these auditors are most likely to have
first-hand exposure to fraud symptoms if they
exist. On the other hand, the most experi-
enced auditors typically spend less time in
the field; thus, they are less likely to see any
fraud symptoms. It is critical, then, that all
auditors, including staff, be well trained.
In one case, staff auditors were unaware
of the fraud because they were insuffi-
ciently familiar with the industry. In gath-
ering substantive evidence, they exam-
ined numerous contracts whose figures
were 20 times higher than the industry
standard, all of which had been altered.
When asked about the contract amounts
and when shown numerous industry stan-
dards during the deposition, it was obvi-
ous that the staff auditors had little under-
standing of the industry.
In another case, auditors examined sev-
eral of their client’s large construction pro-
jects. Revenue was being recognized on a
percentage-of-completion basis. But revenue
was being recognized when inventory and
supplies were purchased, not when the mate-
rials were actually used in construction. It
was shown in this case that the auditors’
knowledge of both percentage-of-completion

EXHIBIT 3
Example of a Fraudulent Transaction Made by a Large Financial
Institution That Is
Undetectable to a GAAS Audit
Financial
Institution Company X
Company Y
March 31: Land Sale
March 31: $3.5 Million Down,
$10.5 Million Note
M
ar
ch
3
0:
$
3.
5
M
ill
io
n
N
ot

e
M
ar
ch
3
1:
$
3.
5
M
ill
io
n
N
ot
e
March 30:
$30 Million Loan
May 2:
$30 Million Loan
June 30:
$34 Million Overpayment

accounting and standard practices in the
industry was severely lacking.
Poor audit execution. Fieldwork audit-
ing standards require that audits be prop-
erly planned, that internal controls be
examined, and that sufficient evidence be
obtained. Unfortunately, these fieldwork
standards were violated in at least 4 of
these 5 cases. In one case, only three trans-
actions were examined out of thousands.
In another case, the auditors accepted the
engagement after the end of the year and
promised to have it completed within two
weeks—a time far too short to compile suf-
ficient evidence. Probably the most egre-
gious audit failure involving poor execu-
tion in our sample was a large fraud where
the auditors actually saw several red flags
that fraud was occurring, asked manage-
ment about them, and then accepted man-
agement’s explanations without getting the
corroborating evidence that, in an expert’s
opinion, would have been easily obtain able.
For example, in one case, the company’s
records showed several shiploads of inven-
tory in transport at sea; however, the com-
pany had a policy of shipping all invento-
ry with the identifying term “FOB shipping
point” (indicating that the buyer pays for
the delivery of the goods), which caused
the auditors to question why the inventory
was being recognized as owned. In fol-

lowing up with management, they received
oral representations that these shipments
were unusual and were going to commu-
nist countries where governments would
not pay shipping costs. The auditors did not
examine production reports, shipping
records, purchase/sales invoices, vessel
records, or any other documents. Doing so
would have quickly revealed a lack of such
records, indicating that the ships did not
exist and the inventory was fictitious.
Failure to exercise due professional
care. AU section 230, “Due Professional
Care in the Performance of Work,” requires
that auditors exercise just that: due pro-
fessional care. Even though the authors
focused on other areas of negligence, the
cases above also illustrate situations where
due professional care was not exercised. In
another, more extreme case, one asset and
one liability on the financial statements
accounted for more than 95% of total assets
and total liabilities. The accounts, repur-
chase agreements, and reverse repurchase
agreements were not only the largest
accounts, but they were also recorded at
exactly the same amount three years in a
row. Clearly, the auditors should have
asked, “Why would one asset and one lia-
bility account for more than 95% of all
assets and liabilities?” And, even more
importantly, “Why would the total amount
of the two accounts (essentially the receiv-
ables and payables on the balance sheet)

be the same three years in a row?”
Unfortunately, the auditors did not
understand repurchase agreements and
reverse repurchase agreements, and they
did not understand that they were the com-
pany’s payable and receivable accounts. As
it turns out, the amounts were only the
same because of a large receivable from
an unaudited, related entity. The receivable
was described in detail in a note to the
financial statements that turned out to be
fictitious. Auditors cannot detect all mate-
rial financial statement frauds, but there is
no excuse for not catching fraud because
of a failure to exercise due care.
Lack of independence. AU section 220,
“Independence,” requires that auditors be
independent and fair. Lack of independence
ranges from cases where auditors are
willfully complicit in the fraud to those
where auditors might not be completely
independent. Serious cases are relatively
easy to prove. The more difficult cases
are those where auditors are not completely
independent and their mental state has been
changed, perhaps even at an unconscious
level, allowing frauds to go undetected.
This expert witness experienced an
example of the most egregious form of
independence violation, where an auditor
became explicitly complicit in the fraud. It
was a case in which neither the audit
partner nor his team caught a fraud that

had been going on for three years; how-
ever, in the fourth year, the CEO asked the
audit partner to help the company retain a
certain client that also happened to be a
client of the auditor. The auditor respond-
ed that doing so would represent a conflict
of interest and violate his firm’s indepen-
dence policies. At that point, the CEO con-
fided in the audit partner that the firm had
been committing fraud for three years and
that failure to retain the client would expose
the fraud. The CEO told the young audit
partner that he would either help the com-
pany get through the “short-term” problem
or that the auditor could tell his fellow part-
ners that he had failed to catch a fraud for
three consecutive years, thus ending his
public accounting career. The audit part-
ner chose not to reveal the fraud, accept-
ed a bribe, and proceeded to staff the audit
engagement with what he referred to as
“incompetent” members of the firm. This
clearly violated independence rules. The
several-hundred-million-dollar fraud was
discovered when the CEO died unexpect-
edly of a heart attack. In this case, the audi-
tor was negligent for several reasons,
including a lack of independence, essen-
tially becoming a fraudster himself.
Closing the Expectation Gap
The investing public, as well as lawmak-
ers, juries, regulatory agencies, and others,
often expect auditors to detect all material

financial statement fraud; however, the audit-
ing standards do not, and have never, indi-
cated that detecting all material financial
statement fraud is possible. This expecta-
tion gap often results in costly auditor liti-
gation, even when a financial statement audit
has been conducted in accordance with
professional standards.
This article aimed to provide a general dis-
cussion, based on real-life examples, of when
auditors can and cannot realistically be
expected to uncover financial statement fraud.
The authors recognize the inherent weakness
that the conclusions about the quality of audits
were those of the retained expert/author.
Other experts might have disagreed with the
author in these cases. To the extent the author/
expert’s opinions are correct, this article
should help expert witnesses, legal practi-
tioners, policymakers, and the investing pub-
lic as they observe instances in which fraud
is discovered in a company previously sub-
ject to a financial statement audit and in cases
where the auditors’ negligence is being
con sidered. q
W. Steve Albrecht, PhD, CPA, CFE, CIA,
is the Andersen Alumni Professor in the
Marriott School of Management and a
Wheatley Fellow at Brigham Young
University, Provo, Utah. Jeffrey L.
Hoopes, PhD, CPA, is an assistant pro-
fessor in the Fisher College of Business,
Ohio State University, Columbus, Ohio.
The authors appreciate the financial

sup port of the Marriott Sc hool of
Management, the Wheatley Institution, and
the Fisher College of Business. This arti-
cle has also greatly benefited from the
comments of Doug Prawitt.
Copyright of CPA Journal is the property of New York State
Society of CPAs and its content
may not be copied or emailed to multiple sites or posted to a
listserv without the copyright
holder's express written permission. However, users may print,
download, or email articles for
individual use.

Student Name Brief #5 Use of Audit Software Review and Survey.docx

Recommended

Recommended

More Related Content

Similar to Student Name Brief #5 Use of Audit Software Review and Survey.docx

Similar to Student Name Brief #5 Use of Audit Software Review and Survey.docx (16)

More from emelyvalg9

More from emelyvalg9 (20)

Recently uploaded

Recently uploaded (20)

Student Name Brief #5 Use of Audit Software Review and Survey.docx