A Return to Roots: The Auditor’s Role in Uncovering and Reporting Illegal Acts

Remarks as prepared for delivery


Today, the Board considers a staff recommendation to replace the current interim standard on the auditor’s role in detecting and reporting potential illegal acts. That recommendation is contained in a Proposing Release: Amendments to PCAOB Auditing Standards related to a Company’s Noncompliance with Laws and Regulations and Other Related Amendments

The currently effective standard, AS 2405, Illegal Acts, became part of the Board’s standards in 2003 when the Board absorbed on an interim basis the generally accepted auditing standards of the American Institute of Certified Public Accountants (AICPA).1 

The current interim standard was originally drafted in 1977 and last revised in 1988. It does not take fully into account a series of unfortunate events, including the failure of more than 745 financial institutions during the savings and loan crisis; the “Numbers Game”2 and “earnings management” problems of the 1990s;  the seeming prevalence of accounting fraud that included the misdeeds of Enron and WorldCom, and Adelphia and Tyco at the beginning of this century, matched with over 900 corrections or restatements of financial reports; or the collapse and/or rescue of nine major financial institutions in 2007 and 2008, including Lehman Brothers, that sparked a global financial crisis. 

Further, the current standard does not reflect the passage of the Sarbanes-Oxley Act,3 which created a new framework for corporate responsibility, and fundamentally changed the auditor - issuer relationship.4

In Sarbanes-Oxley, Congress also established a new era of investor protection through the creation of the PCAOB. It gave the PCAOB the drafting pen for audit standards, with instructions “to protect investors and further the public interest in the preparation of informative, accurate, and independent audit reports.”

 The proposed standard we are considering today is at the heart of the Board’s mission. It covers ground that Congress intended us to cover when it enacted Sarbanes-Oxley.           

The Auditor’s Important Role and Special Responsibility – a Public Trust

For hundreds of years, the practice of auditing has embodied a public trust. The auditor’s report on the cost of the Greek Parthenon was actually chiseled on a marble column of the Acropolis. The Roman Senate would conduct a hearing of account when one auditor succeeded another. In fact, the word “audit” is derived from the Roman’s practice of the hearing of account (in Latin, “audire”).5

The essential qualities of an auditor have endured the centuries. One of the first auditing manuals in the US described the functions of the auditor plainly: 

“The Lawyer’s duty is first of all to [the client] …; but the Public Accountant has only one duty to [the] client and to the Public… [to tell] the truth, the whole truth, and nothing but the truth.”6

This was true when it was written over 100 years ago (1905), and it is true today.

The Congressional response to the Great Depression had to take into account a growing population of investors.7 The response included novel ideas: a framework for regulation by disclosure and a reliance on independent third-party auditors.

The proposal for the government to employ a corps of government auditors to check the veracity of company reports was unseated by a late bidder:  Colonel Carter, one of the most influential and recognized leaders of the accounting profession, in testimony before a Senate committee, successfully presented a vision8 of independent auditors, rather than government auditors, as vital to assuring the accuracy and fairness of public company financial statements. This concept was incorporated into the new securities laws “so as to afford event greater protection to investors.”9

As U. S. Senator Jack Reed stated in a Senate hearing after the 2008 Financial Crisis: this function of the auditor gives rise to a “special responsibility--not a unique or sole responsibility but a special responsibility--a public trust....”10

 Auditing, like any profession, has evolved over the centuries to meet the changing environments, but with a particularly important constant: “A Public Trust.”

 Our action today reflects continued recognition of the public trust inherent in the auditor’s role.

The Proposal

Today, the Board considers a staff recommendation for a new standard, that, if adopted, would clarify the auditor’s responsibilities for identifying, evaluating, and reporting potential illegal acts, known as “non-compliance with laws and regulations,” or NOCLAR.

The staff’s proposal modernizes the standard in an elegant way, focusing on the critical thinking of the auditor. The approach that the staff has taken is straightforward – the auditor’s duty to detect material misstatements should also include detection of noncompliance with laws and regulations, including fraud. Such an approach clarifies the auditor’s responsibility to identify material misstatements in a company’s financial statements-- whether due to error… or due to fraud…, or due to NOCLAR.11

The staff has developed a standard that incorporates the PCAOB’s current risk assessment framework to maximize and empower auditors’ professional skepticism and judgment in approaching NOCLAR.

Auditors already consider the applicable legal and regulatory environment when conducting an audit, but the current standard does not require the auditor to plan or perform audit procedures for NOCLAR.  It states:

“[N]ormally, an [audit] in accordance with generally accepted audit standards does not include audit procedures designed to detect illegal acts.” 

The Auditor’s Report is the auditor’s only means of communication to the investor. An opinion of fair presentation, in all material respects, is a green light for reliance. But that currently comes with an embedded hidden caveat. There may be undetected material misstatements due to NOCLAR, which the auditor does not have responsibility to find.

Under today’s proposal, the hidden caveat is removed, as the auditor’s focus will be on possible material misstatements of the financial statements-- regardless of anticipated effect (direct or indirect).

I am pleased that the staff has recommended that the Board propose a new presumption: that an audit in accordance with PCAOB standards should include audit procedures designed to detect noncompliance with laws and regulations, including fraud.

The staff’s recommendation simplifies and strengthens the auditor’s responsibility in a conceptually sound manner. Under the proposal, the auditor’s duty to detect material misstatements is the same-- whether due to error, noncompliance with laws and regulations, or fraud.

I am also pleased that the staff’s recommendation has eliminated the outdated and hard-to-justify categorization of illegal acts into “direct” and “indirect” buckets.

Both auditors and investors agree that the current judgmental splitting of laws into categories of so-called “direct” and “indirect” effects on the financial statements is a source of confusion.12 The primary purpose of this categorization was to bifurcate the auditor’s duty to identify and assess illegal acts, particularly rejecting any responsibility for the detection of so-called “indirect” effect laws.

However, staff research has indicated that laws considered to have “indirect effects” on the financial statements, such as the prohibition of bribery of foreign officials by domestic companies, evasion of anti-money laundering statutes and protocols, false and misleading disclosures, and environmental contamination, among others, can and have led to substantial fines and penalties.13 And that may be part of the problem. The parsing of laws and regulations may have caused a lack of emphasis, or diminution of attention, to certain laws and regulations.

So, I am pleased that the current proposal simplifies the auditor's work by removing this distinction: the auditor must do sufficient work to be reasonably assured against material errors of either commission or omission.

When companies collapse nearly overnight or when years of intentional acts of noncompliance are revealed, calls for “Where Were the Auditors?” can always be heard.

For example, many of us remember the scandal of bank employees at Wells Fargo creating millions of phony accounts to meet outlandish sales and incentive targets. The conduct went undetected and unabated for years. When the scandal became known, the company lost $7.8 billion in stock valuation. The company’s auditor told U.S. Senators who were questioning the accounting that “the potential impact” of the “unethical and illegal conduct” “would likely be insignificant.”  Moreover, the auditor noted, “improper sales practices do not implicate the effectiveness of internal controls” as “not every illegal act has a meaningful impact on a company’s financial statements or its system of internal controls over financial reporting.”14

However, the bank paid a high price, as did its investors. The company settled a number of federal enforcement actions, which included a deferred prosecution agreement related to criminal offenses, administrative cease-and-desist proceedings finding violations of the anti-fraud provisions of the federal securities laws, another administrative proceeding with findings of unfair or abusive practices, and payment of over nearly $5 billion in monetary sanctions.15 Several former executives have also settled federal charges, including fraud.

Recently, the Bank recently agreed to settle the related shareholder lawsuit for $1 billion “that will help compensate hundreds of thousands of investors — state employees, nurses, teachers, police, firefighters and others — whose critical retirement savings were impacted by Wells Fargo’s fraudulent business practices.”

Today’s proposal, if adopted, would make it clear that indications of noncompliance with laws and regulations should not be dismissed by the auditor just because management is aware of the matter, or because the effects on the financial statements are not “direct” effects.16

I am especially pleased that the first paragraph in today’s proposed standard makes clear that a PCAOB-registered auditor has a fundamental obligation to investors that includes:

  • Identifying and evaluating information indicating that noncompliance with laws and regulations, including fraud, has or may have occurred; and
  • Making appropriate communications to management and the audit committee about such information.

The staff designed the proposed standard to reduce the risk of an auditor failing to detect a material misstatement in a number of ways.  First, the standard requires the auditor to apply an iterative risk assessment process that includes information sources external to the company. The improved risk assessment should result in the identification of additional risks of material misstatement, if present, for which the auditor is responsible for designing and implementing an audit response.

Second, since 1988, companies have focused on strengthening the control environment and utilizing an integrated framework that includes a company’s values.17 The proposed standard replaces an auditor needing to merely understand the control environment, with the requirement that the auditor evaluate and obtain evidence of effectiveness.

Third, the staff’s recommendation includes new required communications by the auditor to the audit committee. Over the last 35 years, audit committees have become increasingly involved in the oversight of the financial reporting process and of the external auditor, a role now required by provisions of the Sarbanes-Oxley Act requiring that the audit committee select and oversee the auditor, that it be composed of independent directors, and that the issuer disclose whether the audit committee contains at least one financial expert.t  Audit committees are often now involved in areas of significant risk, including emerging risks, cybersecurity, as well as enterprise risk management.

There have also been dramatic changes in the financial reporting and auditing environment since the standard was first written in the 1970s. The digital revolution continues to revolutionize business. Gone are the filing cabinets and document storage rooms. Gone are the fax machines. A collection of computer servers provides almost limitless data storage, data analytics, nearly instantaneous communications, such as email, virtual video meetings, and e-documents, and new tools like ChatGPT.

Technology in both corporate reporting and in the audit provides an unprecedented opportunity for automated tools, techniques, and visualizations of transactions and events. Technology will provide auditors with a new lens into the fraud triangle.18 Today, audit firms are using technological tools to perform full population testing, to search for anomalies, and to discover relationships and patterns because of their ability to ingest increasingly granular data.19

One global audit network firm noted:

“Companies have never been as data-rich as they are today, providing new opportunities to detect material frauds through data mining, analysis and interpretation.”20

Another global audit network firm said it is using:

“[A] revolutionary bot that uses AI and machine learning to ‘x-ray’ a business, analysing billions of data points in milliseconds, seeing what humans can’t, and applying judgement to detect anomalies in the general ledger…21

It examines every uploaded transaction, every user, every amount and every account to find unusual transactions (indicating potential error or fraud) in the general ledger, without bias or variability...”

These technological tools can increase analysis and forensics, and, through machine learning, identify exceptional behavior in contracts or other processes.

The continued strengthening and testing of the effectiveness of internal controls over financial reporting also provides the auditor with additional information and more opportunities to uncover noncompliance activity, including fraud.

Appropriately, today’s staff recommendation does not require the PCAOB-registered auditor to perform a “compliance audit.”22 Some audit firms advise companies on how to establish world class ethics and compliance programs– to ensure compliance with laws and regulations. However, when performing an audit, the auditor’s role is simply to provide reasonable assurance – not absolute assurance -- that the financial statements are free of material misstatement.

Consequently, I believe that this proposed standard, if adopted, will provide a right-sized approach to increase the likelihood that auditors will identify and respond to risks of misstatement  material to the financial statements by using  the umbrella of risk assessment, by considering the information the company is publishing as well as the information about the company that is generated outside of the company, and by using a holistic approach to challenge management instead of cordoning off potential sources of misstatements.

There are 65 questions in the proposal, and I am interested in all comments regarding today’s proposal. In particular, I hope that commenters will provide answers to the following questions:

7 - 15. Are the proposed audit procedures sufficiently clear? Should the procedures include digital forensics? Are there others?

30 - 36. Are the proposed auditor communication requirements sufficiently clear? Should there be others? To whom should the communications be made? What should be included?

39 - 41. Are there auditor reporting considerations or additional requirements that should be included?  What is the consideration/requirement and why?

46 - 50. Are there additional requirements that should be made for interim (quarterly) reviews?

I want to acknowledge the hard work of the dedicated team that worked on this project. In particular, I want to thank Lisa Calandriello. She is unmatched in both her work ethic and in her constant patience with my team.

I also want to thank Jessica Watts, Kevin Lombardi, and Michael Shimansky from the Office of the Chief Auditor. From the Division of Enforcement and Investigations, Rebecca Mealey; from the Office of the General Counsel, Connor Raso and Michael Ungar; and from Office of Economic and Risk Analysis, John Cook, Tian Liang, and Federico Garcia.

In conclusion, the staff’s recommendation for a proposal for a new auditing standard is a reduction in complexity and a return to first principles. It holds true to the basic precepts of auditing that were expressed so aptly by Robert Montgomery over one hundred years ago: The auditor's responsibility is to detect noncompliance or questionable acts that the exercise of professional skill and care would normally uncover.

I am also reminded what a plainspoken federal judge once wrote:

 “Surely investors would consider the involvement of officers of a company in complex and wide-ranging schemes to inflate the company's income to be material even if the scheme had not yielded substantial results.”23

And that’s precisely the point.

The standard we are proposing today is a great step forward for auditor responsibility and empowerment, and for the protection of investors and the markets. I am pleased to be able to support it, and I look forward to the public’s comments. Thank you.

1 Shortly after its inception, the Board adopted the existing standards of the American Institute of Certified Public Accountants (AICPA), as in existence on April 16, 2003, as its interim auditing standards. See Establishment of Interim Professional Auditing Standards, PCAOB Rel. No. 2003-006 (Apr. 18, 2003) (adopting Rule 3200T, Interim Auditing Standards); see also Statement of Dan Goeltzer, PCAOB Acting Chair, “We are calling these requirements interim standards, and the rules implementing them will be denoted by the letter “T” to emphasize that they are temporary. The standards are, in a sense, written in disappearing ink.”

2 A. Levitt, “The Numbers Game,” Speech Delivered at the NYU Center for Law and Business, New York (Sep 1998).

3 See Pub.L. 107–204, 116 Stat. 745.

4 See also The Private Securities Litigation Reform Act ("PSLRA"), which included provisions authored by then Representative (now Senator) Ron Wyden to “provide assurances to Congress and the public that illegal and irregular activities…would be discovered and reported to the proper regulatory authorities.” See preamble of H.R. 4886, The Financial Fraud Detection and Disclosure Act of 1995, 99th Cong., 2nd Sess, which, among other things, lists procedures to be followed by auditors in connection with detecting reporting of illegal acts.

5 Brown, R. G., "Changing Audit Objectives and Techniques," The Accounting Review (October 1962), 696-703’, see also Lance Elliot Lagroue, Pliny the Younger when governor of Bithynia-Pontus around 110 CE “Accounting and Auditing in Roman Society”, , (2014) , “I am now examining the finances of the town of Prusa, expenditure, revenues, and sums owing, and finding the inspection increasingly necessary the more I look into their accounts; large sums of money are detained in the hands of private individuals for various reasons, and further sums are paid out for quite illegal purposes. I am writing this letter, Sir, immediately after my arrival here.” (Emphasis added)

6 Lawrence Dicksee & Robert Montgomery, Auditing, A Practical Manual for Auditors (1905)

7 For the Protection of the Public, American Institute of Accountants (1930) "Journal of Accountancy, December 1930, Vol. 50 Issue 6 [whole issue]," Journal of Accountancy: Vol. 50: Issue. 6, Article 10., “The investing public which was originally a small section of the nation has spread to include folk in all walks of life. Men, women and even children engaged in gainful occupations find themselves in a position to spare from their earnings something for storing away against the rainy day…. [T]hey are entitled to have placed before them complete information in a way which they can understand.” An accountant [] stands in an…impartial position. [The accountant] is supposed to present facts irrespective of the effect of their presentation.”

8 Colonel Arthur Hazelton Carter, then President of the New York State Society of CPAs and Managing Partner of Haskins & Sells, proposed that the draft legislation be revised to require that “the accounts pertaining to such balance sheet, statement of income and surplus shall have been examined by an independent accountant and his report shall present his certificate wherein he shall express his opinion as to the correctness of the assets, liabilities, reserves, capital, and surplus as of the balance sheet date and also the income statement for the period indicated.”

91933 Senate Hearings, p. 55.; see also J.M. Landis, Liability Sections of the Securities Act Authoritatively Discussed, an address before the Eleventh Annual Fall Conference of the NYS Society of CPAs, October 30, 1933.

10 Hearing Before the Subcommittee on Securities, Insurance, And Investment of The Committee On Banking, Housing, And Urban Affairs United States Senate, One Hundred Twelfth Congress, First Session, On Examining The Role Of The Accounting Profession In Preventing Another Financial Crisis, April 6, 2011;

U.S. vs. Arthur Young & Co. [465 U.S. 805 (1984) :

“An independent certified public accountant performs a different role from an attorney whose duty, as his client's confidential adviser and advocate, is to present the client's case in the most favorable possible light. By certifying the public reports that collectively depict a corporation's financial status, the independent auditor assumes a public responsibility transcending any employment relationship with the client. The independent public accountant performing this special function owes ultimate allegiance to the corporation's creditors and stockholders, as well as to the investing public. This "public watchdog" function demands that the accountant maintain total independence from the client at all times and requires complete fidelity to the public trust.”

Shortly after the passage of the Securities Act, SEC Commissioner and a lead drafter of the Act, James Landis, offered his views that a public accountant should “[remember] always…that the public interest and the protection of investors must be the guiding consideration.”J.M. Landis, Liability Sections of the Securities Act Authoritatively Discussed, an address before the Eleventh Annual Fall Conference of the NYS Society of CPAs, October 30, 1933.

11 Legal precedent further illustrates the role of the auditor:

The auditor “did not design its audits so as to enable it to detect fraud, and (2) …did not obtain sufficient competent evidence… [] to sign the [] audit reports.”  The auditor’s “failure to uncover the fraud allowed the fraud to continue” whereby “fraudsters falsified accounting records and manipulated wire transfers.” See Colonial Banc Group Inc. v. PricewaterhouseCoopers LLP, No. 11-cv-746, 2017 WL 8890271 (M.D. Ala. Dec. 28, 2017).

“From the standpoint of a reasonably prudent auditor, it is foreseeable that the failure to discover that the Bank has lost hundreds of millions of dollars and is hopelessly insolvent will result in a continuation of those losses.” Grant Thornton, LLP v. FDIC, 535 F. Supp. 2d 676 (S.D.W. Va. 2007), aff’d, 435 F. App’x 188 (4th Cir. 2011)

Bd. of Tr. of Cmty. Coll. Dist. No. 508, Cty. of Cook v. Coopers & Lybrand, L.L.P., 803 N.E.2d 460, 472 (Ill. 2003) (upholding jury verdict that because the auditor failed to detect the treasurer’s violation of investment policies, the plaintiff could not take steps to correct those violations, resulting in losses on those investments—the “Board could have ended those investment practices and the later investments that ultimately resulted in the claimed losses would not have occurred”);

Stroud v. Arthur Andersen & Co., 37 P.3d 783, 792 (Okla. 2001) (upholding jury verdict awarding damages to client because auditor issued flawed audits and client made several business decisions to its detriment in reliance on the flawed audits).

Comeau v. Rupp, 810 F. Supp. 1172, 1176-79 (D. Kan. 1992) (The accountant’s failure to disclose the deleterious effect of prior risky loans bore a sufficient causal relationship to the ultimate injury (losses from similar risky loans purchased from the same source as the previous loans) to support a finding of proximate cause).

12 American Institute of Certified Public Accountants. Private Companies Practice Section, "Expectation gap standards: progress, implementation issues, research opportunities." (1992), “The most frequently identified difficulty… is in classifying a law or regulation as direct or indirect. Since this classification determines the auditor’s responsibilities, any difficulty is worrisome. If, indeed, the direct/indirect categorization is problematic, alternatives should be proposed and discussed.”

Auditing Symposium X: Proceedings of the 1990 Deloitte & Touche/University of Kansas Symposium on Auditing Problems, pp. 147-156; “As the AICPA industry committees have attempted to develop guidance about illegal acts for industry audit and accounting guides, it has become apparent that distinguishing direct effect from indirect effect illegal acts is a challenging practice problem.” The “issue of differentiating direct effect illegal acts from indirect effect illegal acts [is left] largely to auditor judgement.”)  “Certain provisions of the tax code affect the manner in which an entity's tax provision is measured. They have a direct effect on the financial statements. Other provisions relate to the accurate completion and timely filing of tax forms. The effect of violations of these provisions is indirect.”; “It’s clear that the auditor could design procedures to obtain reasonable assurance of detecting violations of certain laws and regulations that might have an indirect effect on the entity’s financial statements.”

13 Last year, the Department of Justice (DOJ) and the Securities and Exchange Commission (SEC) obtained nearly $1 billion in total fines and penalties related to Foreign Corrupt Practices Act (FCPA) violations, a so-called indirect effect law, making 2022 one of the top 10 highest grossing years with regard to enforcement penalties in the 45-year history of the FCPA. Overall, the SEC filed 760 enforcement actions and assessed $6.4 billion in penalties and disgorgement on behalf of the investing public.

One month ago, the SEC announced the largest-ever award to a whistleblower whose information and assistance leading to the disgorgement of more than $4 billion in ill-gotten gains. To date, the SEC’s Enforcement actions from whistleblower tips have resulted in more than $6 billion in financial remedies. Last year, the SEC received over 12,300 complaints, tip, and referrals related to noncompliance with laws and regulations.

14 Letter to Senators Warren, Hirono, Sanders, and Markey from Lynne M. Doughtie, CEO, KPMG LLP (November 28, 2016).

                See also Prior to 2015, OCC Missed Opportunities to Analyze and Address Inappropriate Sales Practices at Wells Fargo, Office of the Inspector General, Department of the Treasury (Sep 2020).

                Report and Recommendation – Executive Summary, In the Matter of Carrie Tolstedt, Former Head of the Community Bank Claudia Russ Anderson, Former Community Bank Group Risk Officer James Strother, Former General Counsel David Julian, Former Chief Auditor Paul McLinko, Former Executive Audit Director Wells Fargo Bank, N.A. Sioux Falls, South Dakota, U.S. Department of the Treasury, Office of the Comptroller of the Currency (Dec 2022), noting, among other things, the failure to “determine which laws or regulations were implicated” constituted unsafe or unsound practices and violation of fiduciary duties; “concealing [material facts] from federal banking examiners,” failing to escalate known issues relating to ineffective controls, misleading regulators…,” “failing to report the absence of any assurance that those controls were effective”

15 U.S.C. § 78m(b)(7). The books and records provisions of section 13(b) of the Exchange Act originally were passed as part of the Foreign Corrupt Practices Act ("FCPA"). See also Rule 13b2-1 under the Exchange Act, 17 CFR 240.13b2-1, which states, "No person shall, directly or indirectly, falsify or cause to be falsified, any book, record or account subject to Section 13(b)(2)(A) of the Securities Exchange Act."

15 See Consumer Financial Protection Bureau Fines Wells Fargo $100 Million for Widespread Illegal Practice of Secretly Opening Unauthorized Accounts “(Sep 2016);” Wells Fargo Agrees to Pay $3 Billion to Resolve Criminal and Civil Investigations into Sales Practices Involving the Opening of Millions of Accounts without Customer Authorization”;” OCC Issues Prohibition Order, Fines Former Wells Fargo Executive $17 Million in Settlement” (March 2013)

16 Testimony of Anton Valukas, Lehman Examiner, before Committee on Banking, Housing, & Urban Affairs

Subcommittee on Securities, Insurance, and Investment, United States Senate (Apr 2011), “So to review the bidding, Lehman’s senior executives weren’t responsible because they relied on the auditors and other executives. The auditors weren’t responsible because they relied on the executives and the lawyers. And the lawyers relied on the executives. But the public—who rely on the financial statements—who do they get to rely on?”; “[T] he auditor must realize that, regardless of [previous] positions[s]…of reporting to managers or to owner-managers, [the auditor] must recognize fully [the] responsibility to public investors by including activities of management [] within the scope of work and reporting [] to investors.”

17 Originally formed in 1985, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) is a joint initiative of five private-sector organizations and is dedicated to providing thought leadership through the development of frameworks and guidance on enterprise risk management, internal control, and fraud deterrence. In 1992, COSO released its Internal Control – Integrated Framework, which has become the most widely used framework for designing, implementing, and conducting internal control and assess the effectiveness of internal control.  The Sarbanes-Oxley Act requires management of public companies to assess the effectiveness of the internal control of issuers for financial reporting, and Section 404(b) requires a publicly held company’s auditor to attest to, and report on, management’s assessment of its internal controls.

18 PCAOB audit standards require auditors to identify the risks of material misstatement that may be due to fraud.  The most widely used model for assessing the risk of fraud, which is sometimes referred to as the “fraud triangle,” involves the interaction of the following three factors:  pressure, opportunity, and rationalization. See Jack Dorminey, A. Scott Fleming, Mary-Jo Kranacher, Richard A. Riley, Jr., The Evolution of Fraud Theory, 27 Issues in Accounting Education 555-579 (2012).

                Auditors have “tended to view fraud-related audit procedures as a compliance exercise rather than an important part of the audit,” based upon a presumption that fraud is unlikely to arise. Financial Reporting Council, “Audit quality thematic review: Fraud risk and laws and regulations” (2014); UK BEIS, “Restoring trust in audit and corporate governance” (2021)

19 Forbes, “The Intersection of Technology and Quality in the Audit” (Oct 2022), “By using bots trained to execute rules-based business processes and identify data anomalies, auditors can identify deviations across an entire population of transactions—not just a representative sample.”

Journal of Accountancy, “Embracing technology in the audit” (Feb 2022), “[A]uditors can more effectively perform risk assessments, design more appropriate procedures, and investigate anomalies that might have gone undetected if the audit relied on sampling rather than a full analysis.”

20 EY, “Preventing and detecting fraud:  how to strengthen the role of companies, auditors and regulators” (Nov 2020), https://www.ey.com/en_us/assurance/preventing-and-detecting-fraud-how-to-strengthen-the-roles-of-companies-auditors-and-regulators

21 PWC, “Harnessing the power of AI to transform the detection of fraud and error”, https://www.pwc.com/gx/en/about/stories-from-across-the-world/harnessing-the-power-of-ai-to-transform-the-detection-of-fraud-and-error.html; see also PWC, “ Our Financial Crimes Unit brings together the full breadth of PwC’s technology, regulatory, and investigative experience with the work of over 2,000 global financial crimes professionals in cybersecurity, anti-money laundering, sanctions, fraud, and anti-bribery/anti-corruption to create an adaptive, comprehensive approach that reflects that of major financial institutions and government agencies.”


22 In a compliance audit, a type of attestation engagement, the auditor has an affirmative obligation to conclude whether an entity or part of an entity is following the rules or requirements (e.g., “has complied”).    

23 SEC v. COLLINS AIKMAN CORP, 524 F. Supp. 2d 477, 496 (S.D.N.Y. 2007).