
> Auditors insist that their services cannot be treated as a guarantee that accounts are truthful, and note that sophisticated frauds are by their nature difficult to spot.

As someone who knows nothing about this area, I don't understand why audits won't always detect fraud.

I would naively assume that auditors have access to all financial accounts and records of cash flows and they make sure they all add up and are categorized correctly. And that if fraud is happening, there will necessarily be numbers that don't add up.

So what am I missing? Do they not have access to all accounts and statements? Is it just a top-level glance at the numbers because there isn't enough time/money to scrutinize everything? Or can the numbers all add up but there's still fraud?

Is there anyone here who can give an example of something fraudulent that is hard to catch?




Auditors have access to all the financials, but they only audit a statistically significant sample, because it would be incredibly expensive to audit every transaction.

Fraud can be easily detected if one employee is committing it. Fraud is substantially harder to find if two employees are involved, specifically 2 employees involved in internal controls.

For instance, if you have a policy that all checks paid over $10k require 2 signatures from corporate officers, it’s easy to catch a check with one officer forging the name of a second in order to siphon money to his 3rd party shell company.

But if both officers make a shell company, they can post the check as usual, and the check would pass auditor checks unless they looked into the specific corporation being paid, which may be out of scope if it’s a relatively small transaction.

Ultimately, you don’t need assurance that the financials don’t have fraud, you want assurance that they’re materially correct. Whether the company lost 10k to fraud or waste or incompetence is almost irrelevant for the investor, because the company has 10k less money. Obviously they’d prefer it not be due to fraud, but the impact on the financials is more or less the same.

Source: am a CPA


> Source: am a CPA

Your comment was the first in this comment section where everything was coherent and on point. While everyone else is spitballing, you hit the nail on the head. I was not surprised at all that you revealed you’re a CPA because the accuracy of your comment perfectly conveys your credentials. Funny how things like that can come through.

Source: am also a CPA


Fellow software devs & CPAs unite! Thanks for the kind words.

There aren't many of us, so I’d love to connect. If you want, shoot me a note at: Anthonyj at gwu.edu


Curious, this seems like a good place to deploy AI tooling. If I’m involved in internal controls, I’ll know what the auditors look for.

If an AI can augment the auditors to find more suspicious transactions such as to companies with no employees, or conflicts of interest - I could probably find more fraud.


Ex-IT Auditor and I agree. I was screaming for automation in the audit process for years and nobody would listen. Many of the employees are burnt-out and hate their jobs. My prediction is that governments will decide to audit companies using some kind of AI and report back any findings to shareholders, while ensuring correct taxes are paid. Big 4 has 5 years max to pivot their business or they're going to die.


> Ex-IT Auditor and I agree. I was screaming for automation in the audit process for years and nobody would listen.

Honestly, this seems like a lose-lose for decision makers:
- automation reduces billable hours, a net loss to the auditor
- automation finds more fraud, a net loss to the person who hired the good auditor

Of course, shareholders would appreciate less fraud, but have no seat at this particular table.


I guess ERP companies are better placed to offer this kind of thing than an accountancy?


I’m very excited to see how technology impacts financial reporting in the future. We’re rapidly approaching a point where every single transaction could be audited in real time with software, and the details of each transaction automatically scrutinized.


"Excited" is one way of putting it. If we had any chance of this working or ending well, we wouldn't get daily or weekly posts here on HN of people having their Stripe/AWS/PayPal/Google accounts banned. Look forward to "Your company has been locked, please contact your auditor AI to get no help whatsoever"...


But that's the exact opposite to the economics of consulting esp at these big companies. The goal is to get as many low cost employees doing the most amount of high bill work as possible to make the most profit. Automation or ai would just lower what you can charge by removing 1000 hours per year of a college grad making 50-90k while charging at 500k a year for them. And you need these rates to cover for the highly paid sales leads and project leads as well as profits. You'd have no good way to pay your high bill rate applied scientist.

But why does cost not matter on the contract? A few reasons, one being that these are hourly contracts and the consultants know the customer has to finish the project. There will be more money. Second, the customers are picking one of these companies on rep. If they fire the consultants they just rotate through the rest of the big five. There's no real incentive for the big five to change their model with customers who are making decisions based on who sponsors the golfer they like. Just like how every VC used SVB, go with who you know.

This is why I left consulting. Every good shop gets wooed by the siren song of butts in seats economics. After consulting I've moved to where I sometimes have to damage control projects from the big 5 and other high end large tech consultants on code. They're all doing the same thing if they get that big.

We had 2 recently with nationally renowned consultants where the provided heads couldn't use basic shell scripts or basic cloud cli, all at a senior DevOps bill rate. I ended up interviewing several of them and the only one of them I'd trust was their senior principal architect (5% time) who I'd put as a Jr/sr sysde/sde at our co. We fired the consultants. Luckily we only wasted money, our pm, and a few hours of my time.

Beware any company that competes with beer and insurance companies for commercial slots.


As a subject of some of those audits, and as being responsible for a subset of relevant processes, I can confirm. I'd just add that, at least under SOX audits, also the internal controls are audited. And if those controls are lacking, that is a, potentially major, audit finding as well.


> Or can the numbers all add up but there's still fraud?

Yes, of course. Consider that you've set up a separate company and you intend to steal money from your employer. You've got a buddy in accounts payable that you're in cahoots with. You get set up as a vendor, you send invoices to the company, they pay them, and you never deliver anything. The company's numbers add up. They pay vendors for services all the time. Whether the vendors are real, the contracts are legitimate, and the expected services were provided isn't on the account statements.


Wirecard was the other way around. Send invoices to companies that don't exist, and transfer the earnings to a bank account that does not exist either. Don't forget to pay taxes of course. Get bonus payments and earn nicely on rising stock prices.


>you never deliver anything

A thorough audit would reveal this as well though, as it would actually evaluate whether the entire supply chain is actually working as intended.


Version two of this fraud is you do supply something, but it's either a) something the company doesn't actually use, so you can provide a stand-in, knowing it will be stocked and later destroyed, b) something worthwhile that you've bought and marked up with help, etc.


Right--this is a demonstration of how an audit is more than looking at double-entry accounting statements and "seeing if the numbers add up." That's the point of my post.


Don't know much either, but I found this Money Stuff story interesting: https://www.bloomberg.com/opinion/articles/2023-01-04/privat...

Someone was CFO at two companies and the auditors only checked the year end balance against his falsified statements. So he transferred money from the other company temporarily to make them match.

"""To avoid detection, Morgenthau doctored African Gold’s monthly bank statements by, for example, deleting his unauthorized transactions and overstating the available account balance in any given month by as much as $1.19 million. [...]

Morgenthau knew that African Gold’s auditor would confirm directly with the bank the actual account balance as of December 31, 2021, as a part of its year-end audit. [...]

Morgenthau deposited more than half a million dollars of Strategic Metals’ funds into African Gold’s bank account on December 31, 2021, because he knew that African Gold’s auditor would confirm the account balance as of that date, in connection with African Gold’s year-end audit. """

https://www.sec.gov/litigation/complaints/2023/comp-pr2023-1...


Interesting. I guess that is the inherent flaw of all audit methods which predominantly check the paperwork, while rarely venturing out into the real world. With sufficiently bad actors, the whole paperwork can be doctored and completely untethered from reality. Such bad actors need to only make a plausible Potemkin village for the controllers in selected spots where they are expected to verify if reality matches presented paperwork.


Enron was doing a similar trick by selling buildings to another business entity, and buying them back after the audit. I might not have all the details correct but it was the same type of shenanigans. :-)


So, Wirecard claimed to make huge profits. Now, the auditors would expect to see a pile of cash in the accounts. However, Wirecard claimed to expand rapidly by purchasing other companies in Asia. Those, then, booked most of the "profits" and were the assets on the book. Wirecard produced bank statements from the Philippines claiming that they had $2bn cash sitting there. So, to the auditor, the numbers added up, and the whole story was somewhat coherent. It's just that the foreign businesses and that cash didn't actually exist.


Which, to be clear, is a failure of the auditor. We don't need auditors to make sure the numbers add up; the whole point of double-entry bookkeeping is "the numbers always add up".


Depends on the scope of the audit. In most cases that's precisely what they do, make sure the numbers add up, and we do need that.


Plenty of things aren't necessarily evidence. Just because you have access to account statements telling you you got a bunch of money coming in from person X for provision of service Y and a matching contract doesn't mean that the contract has been fulfilled or that the service was worth the money.

Same with picking a supplier - there are processes in place that try to assess quality, speed, price, effort, etc, but in the end it's humans making decisions, humans with bias and the ability to lie and make untrue statements as to how they made their decision.

Then there are the usual money laundering techniques, eg art dealing. You could easily spend a few million $$ on art for, say, a big office. And the VP's niece might be an artist that can demand that on the open market.


>>Is there anyone here who can give an example of something fraudulent that is hard to catch?

Someone in control of the checkbook at a medical facility who starts a shell company with some innocuous sounding name (i.e. Smith's Medical Supply) and regularly submits bills in low enough amounts that they don't raise concerns - which of course is relative to the size of the company - but say you run a practice that has $50M in annual revenues, it would be quite easy to send in bills for supplies that only amount to 1-2K per invoice over a long period of time.

This kind of thing happens a lot, and without actually contacting every single vendor, verifying they are real, and verifying everything that was purchased, can be very difficult to root out - especially with supplies that get used up, as opposed to hard assets that are supposed to be around for a while.

When the numbers are small enough, nobody even bothers to verify them - even though over years they can add up to a significant amount of losses.

I hear about stories like this all the time - it is pretty common.


That would hopefully be caught by internal controls and internal audit but would be of relatively little interest to an external auditor like EY. The figures are small enough to be immaterial, meaning they don't significantly affect the accounts. The external auditors would be more likely to scrutinise big contracts and related party transactions involving senior management.


It’s hard to grasp how complex accounting can be for companies. EY is not auditing small businesses, these are large multinational companies and per audit guidelines they likely just audit random samples of accounts. It’s not as simple as let’s pull a listing of all bank accounts and make sure everything ties. The actual effectiveness of audits is a different conversation.


Just because you have access to the entire source code of the Linux kernel, doesn't mean you'll be able to find all the bugs in it. Sometimes the numbers may add up but it is the patterns which may be suspicious. Automation like sanity checks/pattern matching etc (+ ML nowadays) would help a great deal but even then it is not a guarantee.


Bad analogy. Auditors have conflicts of interest and risk losing clients if they keep asking too many 'wrong' questions. Reputable ones will refuse to sign the final audit. Less reputable ones will even help clients cook the books.

It's more akin to you being denied Linux maintainer privilege if you keep finding bugs and annoy Linus in the forum. Which is hardly the case (heh).


OP asked how auditors couldn’t pick up on everything. The question assumed good intent. It’s a fine analogy.


Most of the others replying here are generally saying fraud is missed because it's complicated; however, in my opinion, it's because the auditors don't know anything else other than "do the numbers add up". Once the numbers do add up, they stop there.

The vast majority of auditors are only 3 years or less out of school. They don't even know how a corporation is run at that point, so how are they supposed to catch anything suspicious?


There are different types of audit.

I expect that EY does not have access to numbers and any account information. You give away as little information as you can because you cannot just trust an auditing team from some 3rd party not to use that data in collusion with your competitors.

What I expect they do have access to is documentation for procedures and processes. They audit for example if all procedures are written down and check proofs for procedures that were done by employees.

So it is like you have to clean the toilet and you have procedure that whoever cleans the toilet signs list. Every end of the shift manager checks the list and checks toilet if it is clean.

Fun part is having signed list for a day does not tell you that for half of the shift employee was only signing the list but did not do any cleaning and you might have dozens of customers seeing how terrible dirty toilet was.


Quite the opposite, EY as an auditor has, and is supposed to get, access to any financially relevant data, documents and transactions they need to do their job. That includes, among other things, invoices to customers, suppliers, inventory data and transactions, bank statements, credit card data, contracts with clients and suppliers and so on and so forth. That is actually part of a financial auditor's job and responsibility. Trying to minimize data access is exactly what Wirecard did, and EY accepted for some reason. Which is absolutely not normal, it is in fact a major red flag.


> Every end of the shift manager checks the list and checks toilet if it is clean

I think it's even worse: the shift manager checks list to see if the toilet is clean, but they don't actually look at the toilet.


> As someone who knows nothing about this area, I don't understand why audits won't always detect fraud.

as someone who studied accounting and auditing, here is a page from my text:

https://kfknowledgebank.kaplan.co.uk/audit-and-assurance/aud...

but the tl;dr is that auditors don't provide "insurance", they provide "assurance", specifically reasonable assurance.... that the accounts are "true and fair"

or to put it in even simpler terms, they can't guarantee something fishy did or didn't happen, the transaction scope is just too much, they will "try their best" and do enough of a check to say if anything fishy pops up.

> Is it just a top-level glance at the numbers because there isn't enough time/money to scrutinize everything?

yes you hit the nail right on the head. Of course things have changed, govt have put their own requirements in addition to auditing standards, but still that's an adequate summary.

the more thorough the check, the more difficult, time consuming and expensive it becomes, and at some point the fraud becomes cheaper than the audit.

but even more importantly is the mentality. There is a phrase we were taught "Auditor is a watchdog and not a bloodhound" that kind of explains what auditors are supposed to do.

----

i left the field but i'll try to answer to the best of my ability


What Engineering tech/AI tech do you think could make the process more thorough but not proportionally expensive?


In crypto the auditing process is somewhat more sophisticated. They scan the contract for similarity to known scams and analyze it for possible backdoors. They also do due diligence on the promoter of the contract ("fully doxxed").

In reality of course all this work could have been replaced by def is_fraud():return True

And the accuracy would probably increase. Crypto fraud has the beautiful property that the people being defrauded actively defend the fraudsters. Moreover, in a lot of cases it isn't technically fraud since the contract is upfront about what it does but at the same time it is very exploitative but that doesn't matter to crypto people


how do you technologize intent-detection? maybe chatgpt-x could do it, but that's the crux.

i am NOT saying pattern recognition won't help, search for audit software and you will see each of the big four has specialized software. (here is EY's: https://www.ey.com/en_gl/audit/technology)

the problem is the issue of perverse incentives, IMHO. Audit takes a butt load of time and money, and disrupts business while they do their thing, and pays peanuts frankly... and audit firms earn more from associated services, contracts which they can earn if they don't bother the management too much.

yes, there are a dozen caveats and stuff, but frankly, the issue comes down not to technology but to people. The same network of people are in the few audit firms, and they spin out to join companies sometime later, who hire the same few audit firms, and so on.


> Is it just a top-level glance at the numbers because there isn't enough time/money to scrutinize everything?

This seems to be the case for our EY IT audits anyway. Just send them the right screenshots and all the boxes will be ticked.


"Exposure: Inside the Olympus scandal: How I Went from CEO to Whistleblower" is a great book that is in part about fraud by mergers and acquisitions.



