Management challenge has been of particular focus during the audit reform agenda of the past few years. The Financial Reporting Council (FRC) says it believes that challenge of management is a major struggle for firms.
“The most significant quality issues identified by the FRC over a number of years involve the inconsistent application of professional scepticism and challenge, resulting in the poor application of professional judgement,” it states in its recent publication, What Makes a Good Environment for Auditor Scepticism and Challenge. “Displaying this mindset and behaviour forms the foundation of a high-quality audit.”
When it comes to fraud, auditors need to consider the integrity and ethics of management, internal controls, and the plausibility of explanations regarding any irregularities, explains Jan Babiak, Audit Committee Chair for the Bank of Montreal and Walgreens Boots Alliance, and Senior Independent Director at private Australian engineering company GHD Group.
“I want the question of fraud to be on everyone’s mind,” she explains. “Not to be cynical, but to think: if someone wanted to perpetrate a fraud, how would they go about doing it? Would it be easy in this system? If so, what internal control risk does that focus on? The audit standards make it clear that you've got to have a presumed risk of management override. I think there should also be a presumed risk of opportunity for fraud.”
It is not, and never should be, the auditor’s job to find all of the frauds within an organisation. Large organisations have whistleblower lines and other measures to deal with smaller, more manageable instances of fraud. The focus for auditors, says Babiak, should be on management, which has the ultimate responsibility for tackling fraud within the organisation.
The management mindset can often be quite trusting, says Babiak. While not a bad thing, it can sometimes blind managers to opportunities for fraud as they cannot believe their colleagues are capable of it.
Babiak recalls one of the first frauds she was ever involved with: a computer fraud perpetrated by a popular member of staff who ran the general ledger for the company. She was inputting a higher amount for the company’s utility bills and putting the difference into her bank account. Babiak looked into the other members of staff that had access to the system and realised that the IT director had access to everything with no oversight whatsoever. “When I raised this, the response was: ‘He would never do that.’ There's a tendency on management to trust. We need to make sure that we're not distrusting – trust, but verify.”
Auditors are drawn to assessing processes; it’s what they’re trained to do, says Jock Lennox, Audit Committee Chair of Barratt Developments plc and Chair of the Audit Committee Chairs’ Independent Forum (ACCIF). But that needs context to effectively challenge management, he says: “It's far easier to understand and get an assessment of whether someone really understands what they're doing by speaking to them, rather than following some sort of paper trail.”
Babiak broadly agrees that auditors tend to be less equipped to deal with the people side of an audit through their usual qualifications: “We’re trained how to deal with all kinds of things, but no one trains us in how to identify a psychopath or a well-equipped liar. We naturally tend to assume that everyone is like us, which is basically honest.”
Lennox wants auditors to have an independently determined view on what the business is trying to do, the risks that it faces and how it controls those risks. That should guide the evidence that the auditor wants to see to satisfy themselves that the organisation has properly reflected its operations and performance. “Through that process, they will be challenging management. But if you focus on purely challenging management without thinking through the core of what you're trying to do, I'm not sure that's an effective model,” he says.
Approaching an audit with an independent, inquisitive mindset should naturally generate a degree of challenge, says Lennox. The auditor is seeking to understand what is happening and using their experience and knowledge to assess whether they agree with management’s interpretation of that. “It's very important that the auditor has their own view, which they establish, so that challenge is substantive and founded as opposed to challenge for challenge sake.”
It’s also important that auditors are getting the support they need from more senior auditors and partners. Babiak recalls another time, as a first-year auditor, where she questioned the cash-in-hand nature of plane sales at a small airport, only to be told by a manager that she was too cynical. A few years later, it was revealed that fraud, money laundering and other criminal activity was taking place within the organisation. “It’s about recognising that everyone has that obligation to dissent and everyone should be listening,” she says.
“I would like to see auditors that are more comfortable getting away from their process and technology,” adds Lennox. “That should be the support rather than the raison d’être. I want them to try to understand the personal motivations of the people responsible for the businesses that they're auditing.”