Combating Corporate Fraud and Improving Audit Quality by Collecting Better Evidence (Statement on the Adoption of New Standard for the Auditor’s Use of Confirmation)

Date:
Sep. 28, 2023
Speaker:
Kara M. Stein, Board Member
Event:
PCAOB Open Board Meeting
Location:
Virtual

Remarks as prepared for delivery

Confirmation is the essential process used to obtain audit evidence from third parties. Today, the Board considers a staff recommendation to adopt an entirely new auditing standard governing the use of confirmation. In doing so, the new standard before us re-focuses the auditor on the reason for and importance of the overall objective – to obtain relevant and reliable audit evidence. 

Introduction

Confirmation has been an important standard from the beginning, but over time, many believe it has become cumbersome, onerous, resource-intensive, and paper-heavy. Since the very first auditing standard1, periodic revisions to the process of confirmation focused on the flow of paper from auditor to confirming party and back again. Audit teams would typically delegate control over the cumbersome process to the least experienced members. More experienced members of audit teams held a dim view of the effectiveness and efficiency of confirmations. These factors, along with the existing standard’s prioritization of auditors’ discretion, have led to a check-the-box exercise where the audit objectives seem to be satisfied by the weight of a stack of the paper confirmation responses.2

The staff has developed a standard that emphasizes the conceptual underpinnings of the procedure – to obtain relevant and reliable audit evidence to challenge what management has presented.

Much has changed since the standard was last revised 30 years ago, but one core principle remains: audit evidence from sources external of company management can be invaluable. And importantly, it can stop corporate fraud in its tracks.

The persistent failure to detect corporate fraud continues to trouble investors, audit committees, auditors, regulators, policymakers, and the public. And yet, many long-running corporate frauds would have been cut short if only the auditors confirmed the company’s bank account really held the cash that management said it did.3

Despite a steady flow of recent technologies and innovations, the rate of detection of corporate fraud remains stubbornly unchanged. This is against a backdrop where the schemes and methods of committing fraud remain relatively consistent and costly.

One academic study estimated that corporate fraud destroys over $800 billion in equity value each year and is only detected in one out of three cases.4 Last year, the Association of Certified Fraud Examiners (ACFE) estimated that $4.7 trillion is lost every year due to fraud across the globe. The report also noted that although financial statement fraud schemes are not the most common, they are the most costly. 5

In a survey, 82% of respondents named the independent audit as the number one anti-fraud control measure – and yet, more corporate frauds are spotted “by accident” than by the auditors.6

Without question, the problem of corporate fraud is multifaceted, but when confronted with responsibility to fight against corporate fraud, too often hands are thrown up with disclaimers of “it’s just too hard to find.”

We all have a part to play in the fight against corporate fraud.

Today, the Board is taking a key step in the fight against corporate fraud by prioritizing and, in certain instances, requiring the auditor to verify information with unbiased sources who are not affiliated with management.

For some time, staff in the Office of the Chief Auditor have been considering how to modernize the existing confirmation standards requirements, while preserving the benefits of a process that has been in existence for nearly a century. Today’s standard introduces new requirements to address weaknesses observed through the PCAOB’s inspection and oversight program while minimizing any negative effects.

An Entirely New Standard

I am pleased to see that today’s recommendation is founded on a principles-based framework that can accommodate the dynamic changes in our markets, technological evolution, and their related effects on business practices. Moreover, not only does it accommodate technological changes, but it also invites innovation from audit firms and others.

A New Objective

First, the architecture of the framework relies on a sole objective: “to obtain relevant and reliable audit evidence directly from knowledgeable external sources…” 

The new standard makes clear that when an auditor deploys the confirmation process as an audit procedure, it is a tool to obtain relevant and reliable audit evidence directly from knowledgeable external sources.

By refocusing the objective, the staff have appropriately shifted the emphasis away from the “process” of confirmation to the principle behind the process.

This shift in the objective of the standard should re-direct auditors away from a type of myopia that has plagued the existing standard.

Moreover, the staff has departed from the approach of other audit standard setters who also focus on the confirmation process rather than the principle of gathering high quality evidence. Overall, the standard before us today appropriately recasts the overall objective so that is better aligned with our mission to protect investors. 

Go to the Source

So, let me highlight a few of the most important provisions of the new standard.

Generally, the reliability of evidence obtained by the auditor directly from a knowledgeable source that is independent of the management of the company should be higher than evidence obtained from internal company sources.

The standard makes clear the auditor’s responsibility to determine that the source: 

  • is knowledgeable about the information sought by the auditor;
  • is independent of management (or external of the company)

The new standard captures this concept in the definition of a Knowledgeable External Source (“KES”), which is generally a third party who the auditor determines has knowledge of the information that may be used as audit evidence.

The auditor must consider any factors that would affect the veracity of the information to be sought by the auditor, such as any incentives or relationships with management that could result in inaccurate or misleading information.

Once the auditor selects a knowledgeable external source, the auditor may use the confirmation process to obtain audit evidence or may directly access information maintained by a knowledgeable external source to obtain audit evidence.

The Board’s goal is for the auditor to obtain the highest quality of evidence possible and that may be by directly accessing it at the source. 

"Show me the money"

One of the most key features of the new standard is the unambiguous presumption that the auditor will look outside of the company when auditing cash and accounts receivable.7

False revenue schemes often require corresponding or offsetting manipulations to other accounts, typically accounts receivable. Additional manipulation of the accounts receivable account would be required to reduce the balance in the absence of cash receipts.

Barry Miknow (ZZZ Best) explained in a prison interview after his conviction for the ZZZ Best fraud this important concept:

“Accounts receivable are a wonderful thing for a fraudster like me. They immediately increase profits. But they also do something else—they explain why my company doesn’t have any cash; it’s all tied up in accounts receivable. “

Simply put, the new standard could very well lead to an increase in the detection of fraud by increasing the quality and reliability of the evidence that an auditor needs to obtain for accounts receivable and cash.8

The new standard sets a floor for the auditor in responding to a risk of material misstatement related to cash or accounts receivable, but not a ceiling. Recognizing the vital importance of an auditor’s professional skepticism and professional judgment, the standard requires the auditor to consider seeking information from a knowledgeable external source as an appropriate response to a significant risk of material misstatement related to significant or complex transactions or fraud.9

Moreover, the new standard empowers the auditor with the flexibility to (1) apply new methods to obtain audit evidence directly from a knowledgeable external source; and (2) to respond without limitation to an assessed risk related to any accounts, balances, transactions, or other items related to one or more financial statement assertions. 

“Not Feasible” to Obtain Evidence from an External Source

Additionally, the new standard addresses some of the practical limitations on the use of confirmation. Some counterparties, as a matter of policy, will not respond to an auditor’s confirmation request. In addition, there are times when any response to a confirmation would be suspicious or the reliability of a response would be in question, such as those where company management exerts undue influence over the confirming party or other times when the confirming party should not be trusted.

Accordingly, the standard emphasizes the vital importance of auditor skepticism and professional judgment in light of the facts and circumstances. When the auditor determines that obtaining audit evidence from a knowledgeable external source is not feasible, the auditor discusses the matter with the audit committee and obtains audit evidence from company sources.

The auditor’s determination that it is not feasible to obtain external audit evidence has implications in the audit (such as a potential elevation of the risk of fraud) and in the accumulation of sufficient audit evidence. The amount of audit evidence would need to be greater than when obtaining audit evidence from external sources.

Enhanced Communications

Finally, as I mentioned, the new standard also improves communications between the auditor and the audit committee, particularly when the auditor departs from the presumed confirmation of cash or accounts receivable. If the auditor does not perform confirmation procedures in response to a significant risk of material misstatement for cash or accounts receivable, the auditor must discuss the matter with the audit committee.

In such cases, the auditor should also discuss the matter in the Auditor’s Report. Other PCAOB standards require auditors to communicate critical audit matters (CAMs), which are matters that involve especially challenging, subjective, or complex auditor judgment.10 For example, the auditor’s determination that obtaining external evidence was not feasible and the necessity of performing alternative audit procedures would seemingly present such challenging, subjective, or complex auditor judgments.

In Closing

In closing, I would like to express my thanks to the team for today’s recommendation and the new audit standard. The collective expertise, insightful perspectives, meticulous attention to detail, and rigorous evaluation of options by Dima Andriyenko, Lisa Busedu, David Hardison, Heather Jossem, and Dani Verbeck from the Office of the Chief Auditor has been utterly remarkable.

Additionally, I would like to thank our PCAOB colleagues from other offices for their significant contributions, in particular– Mike Gurbutt, Tian Liang, Tasneem Raihan, and John Cook in the Office of Economic and Risk Analysis; and Connor Raso, Annie Yan, and Keisha Patrick in the Office of the General Counsel.

I wish to commend each of you for the forward-looking, principled-based approach incorporated in the new standard. This approach provides auditors with a framework that emphasizes obtaining audit evidence from knowledgeable external sources and offers at least two methods to do so.

I believe this standard should result in better audits that will help investors and the capital markets. The design of the standard and its flexibility from an auditor’s exercise of skepticism and professional judgment invites technological progress and innovation in audit techniques to further the objective of the auditor seeking and obtaining audit evidence outside of the company.

That’s not just good for auditors – that’s good for investors. 

I also believe that this will move the needle in our collective fight against corporate fraud. The fight against corporate fraud and corruption requires auditors to step up and assume more responsibility.  

Auditors now will have a clear obligation to seek audit evidence from knowledgeable external sources when auditing cash and accounts receivable. And if not, audit committees and investors will know.

1 See “New Audit Policy for Safety Urged,” N.Y. Times (May 10, 1939) (“As a possible offset to any future McKesson & Robbins episodes, the American Institute of Accountants announced yesterday that it had adopted a report by a special committee on auditing procedures calling for the corroboration of inventories by actual physical tests. On the question of accounts receivable, the institute went on record as favoring, when amounts involved represented a significant proportion of current assets, confirmation by direct communication with the debtor.”)

2 U.S. auditing protocols and standards placing heavy emphasis on the importance of obtaining independent third-party evidence when performing audits in response to the McKesson & Robbins scandal, the accounting profession adopted its very first auditing standard, Statement on Audit Procedure No. 1, which prescribed confirmation as an audit procedure and mandated its use in audits.     

3 Wirecard’s auditor EY was too gullible, Singapore suspect claims, FT, Aug 1, 2023, “But that never happened as ‘nobody asked to confirm the amount in the bank account with the bank’, Shan said. ‘As an auditor, how could EY simply rely on somebody’s letter and they should have confirmed directly with the bank?”; EY failed to check Wirecard bank statements for 3 years, FT, Jun 26, 2020; If Ernst & Young auditors had done this one thing, they might have uncovered Wirecard’s $2 billion fraud years sooner, Fortune, Jun 30, 2020; EY could have stopped Wirecard fraud earlier, says judge, FT, Jan 19, 2023.

4 Dyck, A., Morse, A. & Zingales, L. How pervasive is corporate fraud? Rev Account Stud (2023). https://doi.org/10.1007/s11142-022-09738-5, (“Combining fraud pervasiveness with existing estimates of the costs of detected and undetected fraud, we estimate that corporate fraud destroys 1.6% of equity value each year, equal to $830 billion in 2021.”)       

5 OCCUPATIONAL FRAUD 2022: A REPORT TO THE NATIONS, Association of Certified Fraud Examiners, (Asset misappropriation is the most common occupational fraud, with 86% of cases falling under this category. These schemes, however, tend to cause the lowest median loss at USD 100,000 per case (see Figure 2). In contrast, financial statement fraud schemes, in which the perpetrator intentionally causes a material misstatement or omission in the organization’s financial statements, are the least common (9% of schemes) but costliest (USD 593,000) category.)      

6 Ibid      

7 PCAOB standards require the auditor to “presume that there is a fraud risk involving improper revenue recognition...” See AS 2110: Identifying and Assessing Risks of Material Misstatement

8 PCAOB Release No 2023-XX, The Auditor’s Use of Confirmation, and Other Amendments to PCAOB Standards, "[T]he new standard may also increase the auditor’s likelihood of identifying potential financial statement fraud. Early detection of accounting fraud is an important aspect of investor protection because such fraud can cause significant harm to investors in the companies engaged in fraud, as well as indirect harm to investors in other companies.”       

9 See Note to PCAOB Rule 3101(a)(3), which states that “(i)f a Board standard provides that the auditor “should consider” an action or procedure, consideration of the action or procedure is presumptively mandatory, while the action or procedure is not.

10 See AS 3101: The Auditor's Report on an Audit of Financial Statements When the Auditor Expresses an Unqualified Opinion. CAMs are drawn from matters required to be communicated to the audit committee—even if not actually communicated—and matters actually communicated—even if not required.