Thoughts on Auditing: August 2013

Please refer to : Send These Auditors Back to School

NOTE: The information in this blog comes from indictments and depositions in the civil trial of the auditors for Dixon Illinois. The case is currently on trial. The final verdict will determine the guilt or innocence of the defendants. I’ve taken factual statements from these documents.
*****************************

One of my concerns with the auditing profession (which I’ve been a part of for more than 39 years) is, “Do we pay attention to the past? Do we pay attention to why prior frauds occurred, what was the cause of the frauds, and why did the auditors not detect it?”

Many of the past frauds I’ve studied identified similar mistakes made by the auditors in the Dixon fraud. Too bad the Dixon auditors also didn’t study the past.

Another source of information to aid auditors in areas that need attention is the inspection reports now issued by the Public Company Accounting Oversight Board (PCAOB).

In February 2013, the PCAOB issued Release No. 2013-001, its Report On 2007-2010 Inspections Of Domestic Firms That Audit 100 Or Fewer Public Companies.

Some of the areas the PCAOB identified are applicable to the Dixon fraud. These include:

A lack of technical competence in a particular audit area;
A lack of due professional care, including professional skepticism;

Insufficient testing of the completeness and accuracy of source documents;

Ineffective or insufficient supervision,
Ineffective engagement quality reviews.

The report authors go on to say:

“The consideration of the risk of material misstatement due to fraud is an integral part of the audit under PCAOB standards. PCAOB standards require that the auditor plan and perform the audit to obtain reasonable assurance about whether the financial statements are free of material misstatement, whether caused by error or fraud….

“Inspections staff have identified deficiencies relating to firms' consideration of fraud in a financial statement audit that include firms' failures to: (a) sufficiently test journal entries and other adjustments for evidence of possible material misstatement due to fraud, including assessing the completeness of the listing of journal entries and other adjustments that is [sic] used for testing purposes; (b) consider the risk of material misstatement due to fraud relating to revenue recognition or indicate why revenue recognition would not be considered a fraud risk; (c) make inquiries of the audit committee, management, and others as to their views about the risk of fraud; (d) conduct a brainstorming session by members of the engagement team to discuss fraud risks, (e) obtain an understanding of the issuer's controls over journal entries and other adjustments, and (f) assess the risk of management override of controls.

“Firms should design and perform audit procedures that address the fraud risks, including reassessing risk and adjusting procedures as appropriate during the audit. The auditor should exercise professional skepticism, and conduct the audit engagement with a mindset that recognizes the possibility that a material misstatement due to fraud could be present”

Unfortunately, in the Dixon fraud we had a partner who claims he didn’t know about the concept of professional skepticism.

They also had an audit manager who didn’t think examining a check could help tell if fraud had occurred.

Again, these statements are made under oath and are in a pending court case. It’s just one more piece of evidence that the auditing profession has a long ways to go to ensure it is providing appropriate accountability to the people who are depending on the audit work done.

http://davehancox.blogspot.com/2013/06/incredibly-auditors-miss-53-million.html

http://davehancox.blogspot.com/2013/06/auditors-miss-phony-invoices-would-you.html

http://davehancox.blogspot.com/2013/07/auditor-independence-and-competence-on.html

http://davehancox.blogspot.com/2013/08/send-these-auditors-back-to-school.html

http://davehancox.blogspot.com/2013/08/dixon-auditors-didnt-pay-attention-to.html

http://davehancox.blogspot.com/2013/09/auditors-settle-lawsuit-in-dixon.html

Please refer to : Incredibly, Auditors Miss a $53 Million Fraud in Dixon, Illinois

NOTE: The information in this blog comes from indictments and depositions in the civil trial of the auditors for Dixon Illinois. The case is currently on trial. The final verdict will determine the guilt or innocence of the defendants. I’ve taken factual statements from these documents.

Please see: http://davehancox.blogspot.com/2013/07/auditor-independence-and-competence-on.html

*****************************************

Who Did the Audit?

One of the questions being addressed in the civil trial taking place on the Dixon, Illinois fraud is: who did the audit?

Clifton Larson claims they were only doing compilation work and it was Janis Card and Sam Card that were responsible for the audit. Sam Card claims he only signed off on the audit report and it was Clifton Larson’s responsibility to do the actual audit work.

Mr. Cards statements are supported by billing records showing Clifton Larson billing for audit work. Clifton billed $37,000 in 2012 and Card billed for $7,000 – you can draw your own conclusions as to who did the audit work.

Here is a response from the deposition of Mr. Card:

[i]

Misunderstanding Audit Concepts

The audit manager at Clifton Larson, who was doing the work at Dixon, made the following statements in her deposition:

No wonder the auditors couldn’t find the fraud!

Knowing how to read a check is a fundamental skill for an auditor and it is a way to assess whether a fraud may have occurred or not.

Years ago, I was examining checks at Utica Psychiatric Center from patient accounts. I noticed large checks supposedly made out to the patients relatives after the patient passed away. In examining the back of the checks, I noticed many of the checks were cashed at the same local bank, by the same teller and that the signature of the endorsers were similar. This discovery ultimately lead us to the business office employee who was stealing from the patient accounts.

Now, let’s look at an actual check the audit manager from Clifton Larson had access to in Dixon, Illinois. Here is a $250,000 check made out to Treasurer – not to any specific treasurer such as Treasurer, State of Illinois.

The back of the check is the real give away! The endorsement shows it is being deposited into the Fifth Third Bank in Dixon, Illinois.

This particular account number (which was available to the audit manager) was for an account that Rita Crundwell had established as a City account that only she had access to and only she knew about. There were many checks like this.

These checks were supported by phony invoices from the State of Illinois to reimburse the State for capital project expenditures that were a shared city/state responsibility.

So the audit manager had several clues this might be a fraudulent check:

A vague payee,
An endorsement that doesn’t match the payee,
An endorsement that shows it is going to an account in Dixon, Illinois – not the Illinois State Treasurer,
And it is a rounded dollar check, as were many of the similar fraudulent checks

Simply examining the checks could have exposed this fraud. It is a basic task auditors should do during the course of an audit.

Examining the Underlying Transaction

In addition to examining the check, it is important for an auditor to actually verify the substance of the underlying transaction – did we get what we paid for?

But incredibly, the Clifton audit manager believes an invoice is sufficient evidence for an expenditure. If she truly believes this, than no fraud would ever be uncovered by an auditor. Most fraudulent transactions I’ve uncovered were supported by phony documents.

In her deposition, she said:

So the audit manager believes an invoice is sufficient evidence of an expenditure and at no time did anyone go out to physically examine the capital project to see if Dixon got what it paid for.

This simple step would have uncovered the fraud.

Missing Records

In addition, the phony invoices Rita Crundwell created did not have the normal supporting documentation including a corresponding purchase requisition or evidence of proper city approval.[ii]

The Auditors Knew about the Fraudulent Bank Account

Bank confirmations are a standard part of the audit process. The auditor is seeking to determine from an independent source (the bank) what accounts are owned by the entity being audited and what are the balances in the account. Confirmations are not typically part of a compilation process and thus further support the fact that Clifton Larson was doing an audit, since Clifton did the bank confirmation.

In 2010, the Bank disclosed the existence of the fraudulent account Rita Crundwell had established yet the auditors did not act on that information.

Conclusions

Auditors have a critical role to play in the public accountability process. Understanding the basics of the auditing profession is important for auditors. Unfortunately, for many reasons, the fraud in Dixon, Illinois was never uncovered by the auditors. It would appear from the public record though, the auditors had many opportunities to in fact find the fraud and bring it to an end.

Unfortunately, that didn’t happen.