TheCorporateCounsel.net

October 19, 2022

Corporate Culture: Prepare for Your Auditor’s Scrutiny

The SEC’s Acting Chief Accountant Paul Munter published another statement last week to focus on the gatekeeping responsibilities of auditors – this time, in relation to fraud detection. He expressed concern, in light of recent developments and conversations, that auditors are passing the buck on fraud detection. In his view, that’s not okay, because:

Auditors must plan and perform an audit to obtain reasonable assurance about whether the financial statements are free of material misstatement, whether caused by error or fraud.

The statement urges auditors not to treat PCAOB Auditing Standard 2401 as an “exhaustive checklist” for fraud risk considerations and related responses. The implication is that maybe that’s been happening.

Mr. Munter identifies “good practices” that presumably go beyond auditors’ current approach to fraud detection. Companies can expect auditors to get nosier about these topics – and possibly others – as auditors work these points into their “New & Improved Fraud Detection Checklist.” His (paraphrased) suggestions include:

– Auditors should consider publicly-available information (including from new sources available during the course of the audit) and objectively evaluate how such information impacts risk assessment and the audit response. For example, auditors should evaluate whether publicly-available information contradicts information received from management.

– Are employees required to annually certify acknowledgement of a code of ethics? That’s a good start, but auditors should also consider whether that is a meaningful demonstration of the company’s commitment to integrity and ethical values. For example, are employees able to anonymously share their views on the company’s tone at the top through, for example, a culture survey? How are the survey results obtained and shared with leadership?

– Is the company’s whistleblower hotline simply a compliance checkbox, or does the issuer have a culture that encourages whistleblowers who see something to actually say something? For example, an auditor may want to discuss with the audit committee the nature of the whistleblower hotline’s operation.

– An auditor should also pay close attention to an issuer’s approach to its own fraud risk assessment as this can provide insight when evaluating the issuer’s control environment.

– Technology plays an increasingly important role in the audit and automated tools and techniques may assist the auditor in applying the fraud lens. Access to granular data and information can increase transparency into underlying transactions, which through the use of technology may provide useful insights to assist with identifying unusual or unexpected relationships or assisting auditors in performing more robust planning analytics.

This is an interesting backdoor nudge from the OCA Staff on corporate culture practices. I guess that as the “bad guys” continue to get more sophisticated, fraud detection has to keep pace – even if it means that code of ethics & whistleblower expectations go beyond what regulations expressly require.

Liz Dunshee