What is the auditor’s responsibility to find and report fraud when conducting a performance audit? “Long before the private-sector accountant fully emerged, U.S. government auditors and comptrollers held posts throughout federal and state government to act as a check on fraudulent and illegal activities by government figures. Preventing and discovering abuse by public officials was the most important function of these early government auditors, as there was no central banking system, no income tax system, and no stock exchanges to oversee. "The comptroller of the United States himself often closely monitored transactions between the federal government and important business-people, politicians and military officers. This government-based auditing, a legacy from the royal accountant tradition in England, created a culture of fraud detection that lives on today in the U.S General Accounting Office (GAO), the investigative arm of Congress that examines the use of public funds and ensures the executive branch’s accountability to the American people.”
Mike Brewster, Unaccountable: How the Accounting Profession Forfeited a Public Trust, (John Wiley & Sons, Inc., 2003) p. 43.
Government auditors have a long history working to detect and prevent fraud. The first set of government auditing standards that the Comptroller General issued in 1972 included the familiar requirement that auditors be alert for situations or transactions that could be indicative of fraud, improper or illegal expenditures or operations, inefficiency, waste, or lack of effectiveness. The 2003 revision uses the word fraud 164 times.
Finding fraud. Conducting a performance audit in accordance with standards provides reasonable assurance – but no guarantee – that auditors will detect illegal acts or fraud related to the audit objective. Field work standards for performance audits require auditors to consider risks of fraud when planning
and conducting the audit (GAS 7.17-7.21), to be alert to situations or transactions that could be indicative of fraud and extend audit steps if a potential fraud could significantly affect audit results (GAS 7.23), and to use professional judgment in pursuing indications of possible fraud so as not to interfere with investigations or legal proceedings (GAS 7.26).
Reporting fraud to officials in the organization. Auditors are required to use judgment in reporting instances of fraud or likely fraud to officials of the audited entity. Auditors should include information in the audit report about the fraud or likely fraud unless public reporting would compromise investigative or legal proceedings or the fraud is not significant (GAS 8.19). If public reporting could compromise proceedings, the auditor should limit the extent of reporting to information that is already part of the public record (GAS 8.26). If the fraud is not significant, the auditor should communicate with management in a separate letter and refer to the letter in the audit report (GAS 8.21). Standards require auditors to document all communications with management or officials of the audited entity about instances of fraud (GAS 8.21).
Reporting fraud to a third party. In some cases, laws or regulations require the audited entity to report fraud directly to outside parties such as a federal inspector general or state attorney general. If management fails to report the fraud as required, the auditor needs to communicate this failure to the
governing body. If the audited entity does not then make the required report as soon as possible, the auditor is required to report the fraud directly to the specified external agency (GAS 8.22-8.23). Auditors should also report fraud directly when they cannot confirm through evidence that entity officials reported the fraud as required (GAS 8.25). Even in cases where the entity isn’t required by law or regulation to report fraud to an external agency, auditors may have a duty under the standards to report instances of fraud to government funding agencies when officials fail to take timely steps to remedy identified fraud or other illegal acts (GAS 8.24).
Reporting requirements are different for internal auditors. Government Auditing Standards note that internal audit organizations – organizations that are independent to report internally to management as defined in GAS 3.27 – do not have a duty to report outside the entity unless required by law, rule,
regulation, or policy (GAS 3.28 and footnote 94).
How does peer review look at fraud-related requirements? Peer reviewers will review policies and procedures for planning audits and conducting fieldwork to see how the organization assesses risk of fraud, follows up on indications of potential fraud, and determines its obligation to report externally to a funding agency or law enforcement. Reviewers will also look at workpapers and talk to audit staff to see what has happened in practice. Did auditors follow the organization’s procedures for assessing risk and following up on indications of potential fraud? Have there been any instances where there was a duty to report externally? If so, how and with whom did the audit organization communicate? Is the communication documented? How did the audit organization verify that external communication has occurred? What is the process for communicating with the governing body if management does not report externally? Remember that the nature and extent of audit organizations’ internal quality control systems will vary.
Peer reviewers will not necessarily expect to see detailed procedures for each aspect of reporting on fraud, but will expect to see that the organization is aware of its responsibilities and has considered how to meet them.
{mos_sb_discuss:8}
Amanda Noble is an Audit Manager with the Kansas City Auditor's Office.
|
