Very early in the pandemic, auditors started to realise the potential scale of fraud relating to government support schemes. For example, even when staff were sent home, it wasn’t difficult to spot furloughed staff who still appeared to be working. HMRC estimates that around £3.5bn has been claimed fraudulently or paid out in error. Chancellor Rishi Sunak has announced a new HMRC taskforce of 1,000 investigators to tackle the issue.
With the spotlight on auditors when it comes to fraud – rightly or wrongly – there are expectations that auditors are required to police this type of fraud. The recent BEIS paper on audit and corporate governance reform outlines several proposals around material fraud, including requirements for auditors of public interest entities to report on the work they’ve undertaken to conclude that directors’ statements on preventing and detecting material fraud are accurate. This aims to address the ‘expectation gap’ between what auditors do with regards to fraud and what the general public thinks they do.
“There is a belief out there that auditors are supposed to go looking through the accounts for furlough fraud with a fine-tooth comb, but there is no requirement for them to do anything of the sort unless they have reason to believe that it may be to be material to the accounts,” says Katharine Bagshaw, ICAEW’s Manager, Audit Standards. “In many cases, it isn’t.”
Vital social cues lost when auditing remotely
Spotting where fraud may be relevant to the audit takes a lot of experience, but often it also takes conversation. Staff will tell auditors that things aren’t right while they are based on the client’s premises. Social cues and body language can tell auditors when someone is not being honest with them. These elements are somewhat lost when auditing remotely. “It’s much harder to detect a toxic atmosphere on a Zoom call than it is when you’re wandering around a building,” says Bagshaw.
Geoff Swales, a director in PwC’s audit risk and quality function, has been looking at audit methodologies to ensure auditors can detect material fraud while working remotely. More audits were being performed with some remote working even before the lockdown. In those cases, auditors were reliant on clients to send them reliable, accurate and complete information. That has increased significantly during the pandemic.
“Some testing is always required to ensure the reliability of the information we receive,” he says. “In a remote environment, if it's being downloaded from a computer system by the client, you could go on a video call and actually watch them do it, for example. In some cases, we might be able to confirm from a third party that it is appropriate data, so there are things we can do to check the reliability of information that we've been provided with.”
Often, evidence is collected from different departments in an organisation, which also allows comparison from different internal sources. Some cases allow for some basic integrity checking, and auditors may be able to gain remote access to the client’s systems.
“If it’s a third party invoice the client has received and they've scanned it in, we might look to understand their scanning processes. How do they make sure their scanning processes are reliable? That may well be sufficient.”
Any bigger doubts might involve reaching out to third parties with the client’s permission to check invoice details. It all comes down to the potential risk and the level of concern about the integrity of information. The big question is: what information is now being provided electronically that the auditors would rather receive physically?
Preparation and planning
As a result, remote audits require a bit more preparation to ensure that auditors get all the information they need. More advanced planning is required to mitigate any restrictions that might get in the way of the audit. Physical inventory observation has particularly required this extra preparation. Virtual inventory counting started as a novelty, but auditors are getting used to it, says Swales. “It’s becoming established practice in the current environment and will continue after the current environment ends, in some cases.”
Some audit firms are using drones for stock checks in outside locations. PwC is using a set up of more than one camera, one doing the detail count and another surveying the warehouse to ensure no tampering is going on. Technological advances could also allow more remote access to client systems, giving auditors the chance to directly interrogate the data. Some work needs to be done to ensure cybersecurity risks are addressed, but any issues in that area will be overcome, says Swales. “Not only have we had to adapt, but all of our clients have been adapting at the same time. It has been quite challenging, but I get the impression that the profession as a whole has risen to the challenge.”
What about the people side of professional scepticism? It can be hard to replicate, but auditors are getting better at reading people over Zoom or Teams, says Swales. “But it’s not quite the same thing.“If you were in the same room as someone, would they be more confident in being open about something than in a video conference? I don't know. There is clearly that risk. Perhaps you'll overhear something or see something, or someone will tell you something when you wouldn’t necessarily glean that same information from a series of video calls. So we have to think about that.”
To an extent, it means auditors need to be more interrogating and challenging in their questioning and closely observing and listening to the responses to detect any telltale signs that they’re holding something back. “It's perhaps not quite so easy, but it can be done. Scepticism is a fundamental part of what we do and we should be used to doing that. Whether you question someone in person or via video, you should be able to get to broadly the same answer.”
Ultimately, when it comes to the external pressure on auditors to address fraud, the profession needs to maintain a sense of pride in the work that it does. Audit regulators cannot be seen to go easy on audit, but in the mad switch to remote working, some things will have fallen through the cracks in a lot of companies. How the regulators – and auditors – should address that, and if they should address it at all, is the big question as we look to the next reporting season.