Friday, April 17, 2015

Professional Skepticism Still Lacking in Audits


The International Forum of Independent Audit Regulators (IFIAR) was established in September 2006 by independent audit regulators from 17 countries, including the Public Company Accounting Oversight Board (PCAOB) from the United States.

IFIAR has issued its third survey of regulatory inspection findings of significant audit firms in their jurisdictions.

The initial survey, released in June 2012, was designed to identify common inspection findings of audit firms on a global basis. 

The following table from the IFIAR survey indicates the major areas in which regulators identified problems in audit work:


Interestingly, a major factor causing these problems was identified in each of the three surveys to date: the lack of professional skepticism.

As cited in the 2014 report, IFIAR said, “A factor underlying many audit deficiencies is insufficient exercise of professional skepticism during performance of the audit. IFIAR believes that enhancing professional skepticism of practitioners contributes significantly to quality financial statement audits and should be a high priority for audit firms, given the recurrence of audit deficiencies.”

The Government Accountability Office indicates, “Professional skepticism is an attitude that includes a questioning mind and a critical assessment of evidence. Professional skepticism includes a mindset in which auditors assume neither that management is dishonest nor of unquestioned honesty.”

In my textbook, Government Performance Audit in Action, we identify professional skepticism as one of the major characteristics of a good auditor.

Due Professional Care…and Professional Skepticism

The good auditor must exercise due professional care, which requires him or her to be reasonably prudent and competent. Exercising due professional care also requires the auditor to maintain an attitude of professional skepticism. Professional skepticism is an attitude of doubt about the evidence presented to you until you are persuaded as to its validity.
In assessing areas to audit, the auditor must consider issues of materiality, significance, risk, adequacy of internal controls, and situations that suggest fraud, abuse or illegal acts. Exercising due professional care requires consideration of risk and of circumstances that might increase or decrease the likelihood of inefficiency, ineffectiveness, or loss of resources. Therefore, the auditor should keep Murphy’s Law in mind - holding to the preconceived idea that, if something could be wrong, there is a chance something is wrong. This concept is similar to the scientific method used by scientists. A scientist establishes a hypothesis (i.e., a preconceived idea) and systematically tests the validity of it (i.e., gathers evidence). The hypothesis is a tentative assumption made to draw out and test its logical or empirical consequences.
Professional skepticism influences the type of evidence you may decide to examine before reaching a conclusion. For example, looking at paper documentation in support of an activity may be good for starters, but seeing it with your own eyes (and taking pictures of it) provides much better evidence.

A great example of the lack of professional skepticism is the Dixon, Illinois fraud. Just check out this link to see a partner of a top 10 US audit firm who did not understand what skepticism was in accounting: http://davehancox.blogspot.com/2013/08/dixon-auditors-didnt-pay-attention-to.html

Here is a manager of that same firm who believed an invoice was sufficient evidence of an expenditure and did not see any need to verify the existence of the capital project: http://davehancox.blogspot.com/2013/08/send-these-auditors-back-to-school.html

These examples of the lack of professional skepticism are disturbing. The auditing function is critical to helping assure accountability. People depend on auditors - but too often, auditors let us down.

Here are some documents that might help auditors focus on the concept of professional skepticism. It’s an important topic if we are to save and improve the existing audit functions that oversee vital activities.


Enhancing Auditor Professional Skepticism – from IFIAR’s Global Public Policy Committee (This is an excellent document. I recommend it to every auditor.)






Wednesday, April 8, 2015

PCAOB Sanctions Five Auditors for Independence and Other Violations

Recently, the Public Company Accounting Oversight Board, which oversees the audits of public companies, sanctioned five auditors for:

  • Violating auditor independence requirements. 
  • Providing bookkeeping and auditing services to the same client. 
  • Allowing an unqualified person to oversee quality control requirements at a CPA firm.
  • Failing to properly audit – among other things, the auditor failed to properly plan the audit, appropriately assess risks, evaluate the qualifications and competence of a specialist, perform sufficient audit procedures to assess the reasonableness of assumptions used by the specialist, and appropriately test the company's reported revenue.


I’m concerned that regulators at times pursue borderline issues that do not have much substance behind them. So I looked at the decision behind number 2 – providing bookkeeping and auditing services to the same client. It would seem to be a straightforward standard.

However, the rules that auditors must operate under create a real challenge because there is a fine line between acceptable and unacceptable activities.

PCAOB Rule 3520 discusses Auditor Independence. It says,

“A registered public accounting firm and its associated persons must be independent of the firm's audit client throughout the audit and professional engagement period.”

Under ET section 100 – Independence, Integrity and Objectivity, Rule 101 says, 

“A member in public practice shall be independent in the performance of professional services as required by standards promulgated by bodies designated by Council.”

The rules go on to say,

101-3—Performance of other services. A member or his or her firm (“member”) who performs an attest engagement for a client may also perform other nonattest services (“other services”) for that client. Before a member performs other services for an attest client, he or she must evaluate the effect of such services on his or her independence. In particular, care should be taken not to perform management functions or make management decisions for the attest client, the responsibility for which remains with the client’s board of directors and management….
The following are some general activities that would be considered to impair a member’s independence:
  • Authorizing, executing or consummating a transaction, or otherwise exercising authority on behalf of a client or having the authority to do so
  • Preparing source documents or originating data, in electronic or other form, evidencing the occurrence of a transaction (for example, purchase orders, payroll time records, and customer orders)
  • Having custody of client assets
  • Supervising client employees in the performance of their normal recurring activities
  • Determining which recommendations of the member should be implemented
  • Reporting to the board of directors on behalf of management
  • Serving as a client’s stock transfer or escrow agent, registrar, general counsel or its equivalent

The examples in the following table identify the effect that performance of other services for an attest client can have on a member’s independence. These examples are not intended to be all-inclusive of the types of other services performed by members.

Impact on Independence of Performance of Other Services

Type of Other Service: Bookkeeping

Independence Would Not Be Impaired:
  • Record transactions for which management has determined or approved the appropriate account classification, or post coded transactions to a client’s general ledger.
  • Prepare financial statements based on information in the trial balance.
  • Post client-approved entries to a client’s trial balance.
  • Propose standard, adjusting, or correcting journal entries or other changes affecting the financial statements to the client.
  • Provide data-processing services.

Independence Would Be Impaired:
  • Determine or change journal entries, account codings or classification for transactions, or other accounting records without obtaining client approval.
  • Authorize or approve transactions.
  • Prepare source documents or originate data.
  • Make changes to source documents without client approval.


So, things aren’t quite as clear as I originally thought. It would appear the PCAOB allows bookkeeping and auditing to occur, but the member needs to be sure he or she does not cross a line that ultimately will be decided by the PCAOB.

Unfortunately they decided against the auditor in the following case: