Why Audits Fail
By: David R. Hancox, CGFM, CIA
David R. Hancox, CGFM, CIA, is director of State Audits in the New York State Comptroller's Office and on the faculty of Siena College. He is the co-author of two books on auditing and is a past president of AGA’s New York Capital Chapter, a Regional Vice President and a member AGA’s Financial Management Standards Board and its Emerging Issues Committee.
The auditing profession faces serious challenges that all of us in the accountability profession must confront and help solve.
In March 2003, the Department of Interior’s inspector general audited the Minerals Management Service’s (MMS) audit offices and discovered an organization challenged by both management and control issues. MMS auditors were responsible for monitoring the annual collection of $6 billion in royalties and fees for minerals produced from federal and Indian lands. In 2008, The IG found pervasive misconduct at one of the program offices. Nearly one-third of the 55-person audit staff accepted gifts and gratuities from oil industry officials with whom they did business.
On Sept. 14, 2008, Lehman Brothers filed for bankruptcy protection. It was the largest company failure in history—far exceeding WorldCom’s, the previous largest business failure. As of Nov. 30, 2007 though, the auditors were saying everything is fine—Lehman got a clean opinion on internal controls and on their consolidated financial position—despite the requirements of SAS 59 that auditors consider an entity’s ability to continue as an ongoing concern.
Repeatedly, auditors have failed to find the significant problems in organizations. According to the SEC, HealthSouth Corp., one of the nation's largest health care providers, overstated its earnings by at least $1.4 billion. As reported in the Wall Street Journal, Michael Vines, a bookkeeper in HealthSouth's accounting department, tried to alert outside auditors and others to the questionable practices in his accounting department, but his concerns fell on deaf ears.
Why aren’t we listening?
We haven’t been listening for years. In the famous Equity Funding fraud uncovered in 1973, the auditors didn’t detect 64,000 phony transactions with a face value of $2 billion, $25 million in counterfeit bonds, and $100 million in missing assets. What does this say about the competence of the auditors or of the credibility of the audit profession?
I’m convinced the auditing profession needs to rethink the way it does business if it is going to find the problems that exist in organizations and meet the needs of its stakeholders. Several challenges need our attention.
Auditor Independence
Most auditors argue that they are independent, but often that independence is impaired by a variety of factors that limit the ability to "call it like it is."
The decision to maintain a client because of the revenue the client's business can generate represents a subtle, but pervasive potential conflict of interest. It is a threat to auditor independence that afflicts all too many public accounting firms. It is a conflict inherent in the system we use to hire auditors.
Our independence also is affected when we allow management to sit in on interviews of agency staff or when we allow agency management to pull existing records from the files without the auditors being present. I have heard from auditors who say they are required to allow management extended time periods to pull records needed for the audit. When this happens, the auditors might as well pack up their bags and go home. Such a situation allows management to cull the records, add data that didn't exist, clear out data that is harmful, and generally sanitize the information going to the auditors.
Assessing Internal Controls
Auditors are very good at assessing control activities—the policies, procedures and segregation of duties that exist. They are reluctant to assess the control environment—including criticizing management’s attitude, philosophy, operating style and competence when necessary. Yet, most major frauds can be traced to the lack of a good control environment—not the lack of control activities. When management overrides the system of control, organizations can fail.
Although the nature of NASA's Columbia disaster and the WorldCom scandal were quite different, the root cause of each—the control environment—was remarkably similar. These events weren't caused by the lack of policies, procedures or segregation of duties. The failures resulted from a flawed control environment where management chose a certain course of action, including overriding otherwise effective policies and procedures.
Auditors’ Ethics
The auditors’ ethics are just as important as the ethics of management. We should be above reproach. In an audit the New York State Comptroller’s Office conducted of an $11 million fraud in a school district on Long Island, the partner of the CPA firm doing the financial statement audit was caught altering agency records to cover up a major scandal. He was trying to protect his reputation because he had been issuing a clean opinion on the financial statements.
When nearly one-third of the staff in the Minerals Management Service’s audit offices accepted gifts and gratuities from oil industry officials with whom they did business, there is a serious problem that affects the credibility of all of us in the accountability profession.
Verifying Transactions
We should never forget the basics of our profession. As we become more technologically proficient, it is easy to think of assets in terms of bits and bytes on a computer. Failing to verify the existence of an asset has been at the heart of many frauds that auditors missed.
In the Equity Funding case, auditors missed the ongoing fraud because they did not follow the basics of auditing. Beyond analytical reviews and examining documentation, a fundamental tenet of auditing is to verify the existence of the asset. If the auditors missed 64,000 phony insurance policies, $25 million in counterfeit bonds, and $100 million in missing assets, they simply weren't doing their jobs. In today’s environment with color copiers, color printers, scanners and access to corporate logos on the Internet, it is even easier to manufacture documents.
Questions
Are we really free from personal, external and organizational impairments related to our audit work, whether government or public? Do you think we too often forget the basics of our profession including assessing controls properly? Are we always verifying the substance of the transactions we review or are we focused on documentation?
Does anyone have any thoughts pertaining to the relevance of single audits. As a program monitor, we find that single audits are not very useful. Simple but significant items, such as the lack of documentation for personnel costs, are hardly ever identified. Grantees billing grants based on pre-determined budget estimates rather than following the A-122 standards is commonly overlooked. Grantees receiving clean audits is very common. However, our monitoring reviews of the same grantees tend to find very significant findings. What is the standard for turnover of auditors?
Posted by: Ron | October 14, 2008 at 11:05 AM
The point about independence is particularly well taken. In local (and state) government auditing, auditors have not been active enough in advocating for the kind of legislation that is needed to enhance independence. As a local government auditor, I've wished that the leadership at the state and federal level, as well as the IIA leadership, would commit energy and resources to supporting better audit legislation. I recently helped update the model legislation recommended by the Association of Local Government Auditors (ALGA); you can find it on their website at governmentauditors.org
Posted by: Ann-Marie Hogan, City Auditor | October 06, 2008 at 05:35 PM
Your point is well taken Mike. I do a lot of speaking to auditors around the country and I hear a similar theme to what you are saying. We play an important role in the accountability process. Many people depend on us and to dilute our efforts is not right. That's why career professionals need to speak out on this issue.
Posted by: Dave Hancox | October 06, 2008 at 08:24 AM
In January 2008, I retired after being a Federal Auditor for 25 years. One thing that I noticed increasingly toward the end of my career was audit management had moved away from being Junk Yard Dogs (as Ronald Regan called the OIGs) to being miquetoast. I had one audit manager tell me he did not want to get the auditee mad because he had to live around them. This shocked me since this manager's boss was in the room and that individual did not see anything wrong with the comment. Years ago there started to be a call to move away from Gotcha Auditing. I contend there was never such a thing just auditors doing what they were paid to do - find the problems and report them. Now it is no longer political correct to report problems that may be embarassing to the auditee - even though it is important that the taxpayers know about the warts of the program. We need to get the profession back to caring more about reporting issues and less about who will not like the report.
Posted by: Mike | October 05, 2008 at 12:00 AM
Thanks for your insight Tom. To support what you're saying about talking with staff at the organization, I remember a joint audit our office did with GAO years ago of a bi-nation Bridge Commission.
The GAO manager and I went to visit the job site and talk with our audit staff. The day before the meeting, the GAO manager arrived at the audit site and visited the three bridges the Commission ran. He climbed the bridges, talked with toll collectors, security staff, maintenance staff and any one else he could find.
Needless to say, the next day, he knew something! He gained knowledge by talking to the people who really knew what was happening.
At Worldcom, one of the accountants who made the improper general journal entries said if the auditors had talked with her, she would have told them what was going on.
Posted by: Dave Hancox | October 03, 2008 at 01:28 PM
Thanks for your insight Tom. To support what you're saying about talking with staff at the organization, I remember a joint audit our office did with GAO years ago of a bi-nation Bridge Commission.
The GAO manager and I went to visit the job site and talk with our audit staff. The day before the meeting, the GAO manager arrived at the audit site and visited the three bridges the Commission ran. He climbed the bridges, talked with toll collectors, security staff, maintenance staff and any one else he could find.
Needless to say, the next day, he knew something! He gained knowledge by talking to the people who really knew what was happening.
At Worldcom, one of the accountants who made the improper general journal entries said if the auditors had talked with her, she would have told them what was going on.
Posted by: Dave Hancox | October 03, 2008 at 01:26 PM
I agree there is the "don't know what you don't know" phenomena but that is an explanation, not an excuse. As a controller and former auditor my advice to auditors is that there is strength in numbers, e.g., Art Hayes' audit huddle approach.
An effective way to find out what you don't know you don't know is conversation. Talk to people and not just management and not just "audit" question. Do you ever ask someone what's it like to work here? Ask people about their policies and processes but also solicit their opinions about them, for example, is this really the way it works or does everyone do it like you.
Do some research outside the auditee. Ask your friends what they think about the organization. Check Google. Read news articles and blogs.
Talk to people outside your huddle, like someone you know in AGA. If I had something I was not really sure on in an audit, I might call Dave or Art just to get their take on it. What do you think? What would you do? What am I missing?
Sometimes it is not even necessarily the answer you get. It is what the anser leads you to thinking about, both the content and the reaction of the person you asked.
I know time is limited but sometimes your gut is talking. Are you listening?
Controllers have the same issue, just from the other side. How do we know what is going on? How do we know what we see or hear is true and reliable?
Finally, independence is as much an issue with controllers as auditors. It is not so much independence in relationship as it is independent in thought and influence.
I want to listen and read but in the end I have to decide what I believe is true even if it is uncomfortable or not conventional wisdom.
This can be especially difficult with people I know and with those who have power or influence over me.
Sometimes the best way to get a clear view is through a spouse or close friend. There is something refreshing about trying to explain something to someone who does not know it like you do and can give you their gut reaction. Then, compare guts.
Posted by: Tom S | October 03, 2008 at 12:36 PM
Your point is well taken Walt. Do auditors have enough knowledge to truly assess the real risks that exist in the organization being audited?
The problem is "You don't know what you don't know!"
Posted by: Dave Hancox | October 03, 2008 at 11:40 AM
I am wondering if we are also seeing the advent of conceptual financial challenges not previously faced. The bundling and re-bundling of "toxic" assets to spread risk, the new financial techniques used by WorldCom - these are things that auditors don't see in college or in other audit situations. What is the proper response to total confusion when faced with these new untested and untried techniques (given that each audit has a time limit)? Always assume they are wrong? Or lower the head and run?
Posted by: Walt Darling | October 03, 2008 at 10:59 AM