Professional Skepticism Still Lacking in Audits

The International Forum of Independent Audit Regulators (IFIAR) was established in September 2006 by independent audit regulators from 17 countries, including the Public Company Accounting Oversight Board (PCAOB) from the United States.

IFIAR has issued its third survey of regulatory inspection findings of significant audit firms in their jurisdictions.

The initial survey, released in June 2012, was designed to identify common inspection findings of audit firms on a global basis. 

The following table from the IFIAR survey indicates the major areas regulators identified problems in audit work:

Interestingly, a major factor causing these problems was identified in each of the three surveys to date: the lack of professional skepticism.

As cited in the 2014 report, IFIAR said, “A factor underlying many audit deficiencies is insufficient exercise of professional skepticism during performance of the audit. IFIAR believes that enhancing professional skepticism of practitioners contributes significantly to quality financial statement audits and should be a high priority for audit firms, given the recurrence of audit deficiencies.”

The Government Accountability Office indicates, “Professional skepticism is an attitude that includes a questioning mind and a critical assessment of evidence. Professional skepticism includes a mindset in which auditors assume neither that management is dishonest nor of unquestioned honesty.”

In my textbook, Government Performance Audit in Action, we identify professional skepticism as a one of the major characteristics of a good auditor.

Due Professional Care…and Professional Skepticism

The good auditor must exercise due professional care, which requires him or her to be reasonably prudent and competent. Exercising due professional care also requires the auditor to maintain an attitude of professional skepticism. Professional skepticism is an attitude of doubt about the evidence presented to you until you are persuaded as to its validity.

In assessing areas to audit, the auditor must consider issues of materiality, significance, risk, adequacy of internal controls, and situations that suggest fraud, abuse or illegal acts. Exercising due professional care requires consideration of risk and of circumstances that might increase or decrease the likelihood of inefficiency, ineffectiveness, or loss of resources. Therefore, the auditor should keep Murphy’s Law in mind - holding to the preconceived idea that, if something could be wrong, there is a chance something is wrong. This concept is similar to the scientific method used by scientists. A scientist establishes a hypothesis (i.e., a preconceived idea) and systematically tests the validity of it (i.e., gathers evidence). The hypothesis is a tentative assumption made to draw out and test its logical or empirical consequences.

            Professional skepticism influences the type of evidence you may decide to examine before reaching a conclusion. For example, looking at paper documentation in support of an activity may be good for starters, but seeing it with your own eyes (and taking pictures of it) provides much better evidence.

A great example of the lack of professional skepticism is the Dixon, Illinois fraud. Just check out this link to see a partner of a top 10 US audit firm who did not understand what skepticism was in accounting: http://davehancox.blogspot.com/2013/08/dixon-auditors-didnt-pay-attention-to.html

Here is a manager of that same firm who believed an invoice was sufficient evidence of an expenditure and she did not see any need to verify the existence of the capital project: http://davehancox.blogspot.com/2013/08/send-these-auditors-back-to-school.html

These examples of the lack professional skepticism are disturbing. The auditing function is critical to helping assure accountability. People depend on auditors - but too often, auditors let us down.

Here are some documents that might help auditors focus on the concept of professional skepticism. It’s an important topic if we are to save and improve the existing audit functions that oversee vital activities.

Maintaining And Applying Professional Skepticism In Audits – from the PCAOB

Enhancing Auditor Professional Skepticism – from IFIAR’s Global Public Policy Committee (This is an excellent document. I recommend it to every auditor.)

PCAOB Sanctions Five Auditors for Independence and Other Violations

Recently, the Public Company Accounting Oversight Board, that oversees the audits of public companies, sanctioned five auditors for:

• Violating auditor independence requirements. 
• Providing bookkeeping and auditing services to the same client. 
• Allowing an unqualified person to oversee quality control requirements at a CPA firm.
• Failing to properly audit – among other things, the auditor failed to properly plan the audit, appropriately assess risks, evaluate the qualifications and competence of a specialist, perform sufficient audit procedures to assess the reasonableness of assumptions used by the specialist, and appropriately test the company's reported revenue.

I’m concerned that regulators at times pursue borderline issues that do not have much substance behind them. So I looked at the decision behind number 2 – providing bookkeeping and auditing services to the same client. It would seem to be a straightforward standard.

However, the rules that auditors must operate under create a real challenge because there is a fine line between acceptable and unacceptable activities.

PCAOB Rule 3520 discusses Auditor Independence. It says,

            “A registered public accounting firm and its associated persons must be independent of the firm's audit client throughout the audit and professional engagement period.”

Under ET section 100 – Independence, Integrity and Objectivity, Rule 101 says, 

“A member in public practice shall be independent in the performance of professional services as required by standards promulgated by bodies designated by Council.”

The rules go on to say,

101-3—Performance of other services. A member or his or her firm (“member”) who performs an attest engagement for a client may also perform other nonattest services (“other services”) for that client. Before a member performs other services for an attest client, he or she must evaluate the effect of such services on his or her independence. In particular, care should be taken not to perform management functions or make management decisions for the attest client, the responsibility for which remains with the client’s board of directors and management….

The following are some general activities that would be considered to impair a member’s independence:

• Authorizing, executing or consummating a transaction, or otherwise exercising authority on behalf of a client or having the authority to do so
• Preparing source documents or originating data, in electronic or other form, evidencing the occurrence of a transaction (for example, purchase orders, payroll time records, and customer orders)
• Having custody of client assets
• Supervising client employees in the performance of their normal recurring activities
• Determining which recommendations of the member should be implemented
• Reporting to the board of directors on behalf of management
• Serving as a client’s stock transfer or escrow agent, registrar, general counsel or its equivalent

The examples in the following table identify the effect that performance of other services for an attest client can have on a member’s independence. These examples are not intended to be all-inclusive of the types of other services performed by members.

Impact on Independence of Performance of Other Services
Type of Other Service	Independence Would Not Be Impaired	Independence Would Be Impaired
Bookkeeping	• Record transactions for which management has determined or approved the appropriate account classification, or post coded transactions to a client’s general ledger. • Prepare financial statements based on information in the trial balance. • Post client-approved entries to a client’s trial balance. • Propose standard, adjusting, or correcting journal entries or other changes affecting the financial statements to the client. • Provide data-processing services.	• Determine or change journal entries, account codings or classification for transactions, or other accounting records without obtaining client approval. • Authorize or approve transactions. • Prepare source documents or originate data. • Make changes to source documents without client approval.

So, things aren’t  quite as clear as I originally thought. It would appear the PCAOB allows bookkeeping and auditing to occur, but the member needs to be sure he or she does not cross a line that ultimately will be decided by the PCAOB.

Unfortunately they decided against the auditor in the following case:

http://pcaobus.org/Enforcement/Decisions/Documents/Herring.pdf

80 Million Customers' Personal Information at Risk – What Controls were in Place?

Anthem, Inc. which is headquartered in Indianapolis, Indiana, is an independent licensee of the Blue Cross and Blue Shield Association serving members in California, Colorado, Connecticut, Georgia, Indiana, Kentucky, Maine, Missouri, Nevada, New Hampshire, New York, Ohio, Virginia and Wisconsin; and specialty plan members in other states.

Unfortunately, a recent cyber attack has exposed personal information on more than 80 million Anthem customers. This personal information included names, birthdays, medical IDs/social security numbers, street addresses, email addresses and employment information, including income data.

In responding to this cyber attack the CEO, Joseph R. Swedish, said,

“Safeguarding your personal, financial and medical information is one of our top priorities, and because of that, we have state-of-the-art information security systems to protect your data. However, despite our efforts, Anthem was the target of a very sophisticated external cyber attack.”

This is what you would expect a CEO to say in defense of his company. "We were state-of-the-art, but we still got beat!”

But, was Anthem really state-of-the-art when it came to cyber security?

To be state-of-the-art, appropriate controls would need to be in place, reassessed periodically and tested frequently to be sure the controls were working as intended.

Here are some questions an auditor would ask:

• What role did the Board of Directors play in assessing technology risks that confront Anthem?
• Did the Chief Information Officer formally assess the security risks that exist in protecting customer data?
• If so, how frequently was that risk assessment updated?
• Why did the CIO decide not to encrypt sensitive data that Anthem was maintaining in its database?
• How frequently did the CIO do penetration testing seeking to see if outsiders are able to gain access to sensitive data?
• How many staff were assigned to monitoring security alerts?
• How many security alerts occurred each day?
• How long does it take to respond to a security alert and resolve the issue?

These are just some of the many questions that Anthem management should address. But, no control system is infallible and it can only provide reasonable assurance. The reasonable assurance though should be supported by a systematic, on-going process to assure “state-of-the-art information security systems [are in place] to protect your data.” as the CEO claims.

On its web site, the company says,

“The Anthem brand is built on a foundation of trust – it’s the name consumers are most familiar with as a trusted health care partner through our affiliated health plans.” 

That trust is being tested today.

Again, an Auditing Firm Fails to Serve the Public Interest

Again, we’re confronted with a CPA firm that has harmed the auditing profession. 

This time, PricewaterhouseCoopers (PwC) was doing a consulting assignment for the Bank of Tokyo-Mitsubishi (BTMU). The New York State Department of Financial Services investigated the assignment and concluded, "PwC – under pressure from BTMU executives – improperly altered an historical transaction review" (HTR) report submitted to regulators on wire transfers that the Bank performed on behalf of sanctioned countries and entities."

The purpose of the engagement was to ensure that transactions with Iran and other countries under United States sanctions were properly handled:

“[PwC] conducted a Historical Transaction Review ("HTR" ) for BTMU. The HTR analyzed BTMU 's U.S. dollar clearing activity between April 1, 2006 and March 31, 2007. Its purpose was to: ( I) identify any U.S. dollar transactions that potentially should have been frozen, blocked or reported under applicable OFAC [Office of Foreign Asset Control] requirements; and (2) investigate the relevant transaction set for compliance with OFAC requirements.”

PwC claims it did this consulting assignment under Statement on Standards for Consulting Services No. 1 issued by the AICPA. Those standards say the consulting firm should:

“Serve the client interest by seeking to accomplish the objectives established by the understanding with the client while maintaining integrity and objectivity.”

In addition, Article III of the Code of Professional Conduct describes integrity as follows: 

"Integrity requires a member to be, among other things, honest and candid within the constraints of client confidentiality. Service and the public trust should not be subordinated to personal gain and advantage. Integrity can accommodate the inadvertent error and the honest difference of opinion; it cannot accommodate deceit or subordination of principle." 

Unfortunately, PwC allowed the client bank to edit its report and as a result, significant changes occurred between the original draft and the final report.

Originally, the report said:

“While we agree in theory, had PwC know [sic] about these "[deleted Special]Written Operational Instructions" at the initial Phase of the HTR then we would have used a different approach for completing this project.”

The final report, after suggested edits from the bank, said:

                                 

“We have concluded that the written instructions would not have impacted the completeness of data available for the HTR and our methodology to process and search the HTR data was appropriate.”

In an initial draft of the report, PwC included paragraphs from a bank manual outlining “special instructions” employees should follow to ensure that transactions with countries under United States sanctions did not draw attention. PwC deleted those paragraphs in the version of the report sent to regulators, again based on suggested edits from the bank.

From at least 2002 to 2007, BTMU had unlawfully cleared through the Bank' s New York State licensed branch about 28,000 payments, valued at about $100 billion. These improper payments involved Iran, Sudan, Myanmar, and other entities under US sanctions

So as the United States fights terrorist states around the world, PwC does nothing to help our nation while it harms its reputation and the auditing profession.

I wonder what kind of action the accounting profession will take against the PwC employees who failed to follow the Consulting Standards and the Code of Professional Conduct? (See http://davehancox.blogspot.com/2014/08/illinois-takes-no-action-against.html- taking no action by our profession is all too common – even on big publicity events)

The New York State Department of Financial Services fined PwC $25 million and has suspended the firm for 24 months from accepting consulting engagements at financial institutions regulated by the Department of Financial Services.

Here is an example of the edits suggested by the bank - there were several iterations of these edits.

http://www.dfs.ny.gov/about/press2014/pr140818_PwC_Order.pdf

Illinois Takes No Action Against Auditors Found Culpable in Dixon, Illinois Fraud

Prior blogs on this topic:

http://davehancox.blogspot.com/2013/06/incredibly-auditors-miss-53-million.html

http://davehancox.blogspot.com/2013/06/auditors-miss-phony-invoices-would-you.html

http://davehancox.blogspot.com/2013/07/auditor-independence-and-competence-on.html

http://davehancox.blogspot.com/2013/08/send-these-auditors-back-to-school.html

http://davehancox.blogspot.com/2013/08/dixon-auditors-didnt-pay-attention-to.html

http://davehancox.blogspot.com/2013/09/auditors-settle-lawsuit-in-dixon.html

The city of Dixon, Illinois announced on September 25, 2013 it would receive a $40 million settlement from CliftonLarsonAllen, Fifth Third Bank, and Janis Card and Associates for the fraud Rita Crundwell committed and was not detected by the CPA firms or the bank.

I followed up with the Illinois Department of Financial and Professional Regulation to determine if the Department had considered investigating or had taken disciplinary action against the Certified Public Accountants involved in the audits of Dixon, Illinois.

According to the Department's web page:

“The Department’s mission is to protect and promote the lives of Illinois consumers.

We regulate most of the professionals and financial institutions that Illinois families depend on everyday - from banks to veterinarians and almost everything in between. We also work with the licensed professionals, members of the General Assembly, law enforcement officers, consumer groups and concerned public citizens to make sure that unscrupulous businesses and incompetent professionals can't take advantage of their customers and clients.”

According to the Department’s web site, no disciplinary action has been taken against any of the major participants in the Dixon, Illinois audits.

In responding to my Freedom of Information Request, they simply said, “Pursuant to the Act [Illinois Freedom of Information Act], your request does not seek to produce a particular public record.”

Two of the people I inquired about have active licenses, one has an inactive license and one has not renewed his license.

Interestingly, Ronald J. Blaine, one of the partners doing the audits was previously disciplined on February 28, 2000. The reason for the disciplinary action: “[Mr. Blaine] [a]llegedly authorized the issuance of an unqualified opinion on financial statements that may have failed to fully disclose the financial conditions of one company.”

That sounds very similar to what occurred in Dixon, Illinois. The Department though would not tell me the name of the company the partner was auditing for which he was reprimanded.

Another partner, while not disciplined, has allowed his CPA license to become “inactive.” A search on the Internet though shows he continues to use the CPA designation. Here’s one of his web sites:

“For tax preparation in Sterling, Illinois, you can count on Samuel S. Card, CPA at Samuel S. Card, CPA P.C. Samuel S. Card, CPA assists taxpayers and small businesses with taxes in Sterling, Illinois and the surrounding communities. Whether you are an individual or a local business in or around Sterling, Illinois, Samuel S. Card, CPA has years of valuable experience as an IRS registered tax preparer.

Contact Samuel S. Card, CPA, tax filing specialist in Sterling, Illinois, for help with your taxes.”

I called Mr. Card’s office to see if he was still working. A woman answered the phone. When I questioned her if Mr. Card was practicing as a CPA, she indicated he was not. She said he was working as an accountant.

I’m not sure how the Illinois Department of Financial and Professional Regulation can, “make sure that unscrupulous businesses and incompetent professionals can't take advantage of their customers and clients” if there is no “particular public record” available about an investigation into this incredible failure to find a $53 million fraud that occurred over a 22-year period.

Veterans Health Administration Audit Should Be Taken with a Grain of Salt

Here is a copy of the Department of Veteran Affairs audit on its system wide review of access to care. https://dl.dropboxusercontent.com/u/79212257/vaaccessauditfindingsreport.pdf

Unfortunately, this audit has such significant deficiencies it does not meet Government Auditing Standards or the Standards for the Professional Practice of Internal Auditing. It should not have been put forth as an audit.

This report is garnering significant media attention, but it has severe limitations. These include:

• Design of the survey which was intended to provide a very low threshold (i.e., high sensitivity) for eliciting potentially improper scheduling practices.
• VA intentionally designed the survey to be sensitive to non-conforming scheduling policies. As such, the results will group misunderstanding of proper scheduling methodology together with intentional instruction to report alternate waiting times. The sensitivity in the instrument enables VA to identify a broader set of sites with potentially problematic practices.
• The Audit Survey tool itself did not undergo pre-testing to ensure all respondents would understand the intent of each item.
• Certain items on the questionnaire may have been misunderstood.
• Individual questions were not worded to ascertain the reason that policy may have been violated.
• Therefore, findings from this audit cannot be extended to identify deliberate deception, fraud, or malfeasance.
• The scope of the audit precluded independent verification of any narrative statements, though all data collected throughout the Access Audit have been shared with VA’s OIG.
• Furthermore, the audit did identify sites necessitating more intensive management investigations. VHA will ensure that accountability for inappropriate practices is pursued through further investigations to substantiate initial findings. In pursuing accountability, VHA will follow statutory and regulatory due process requirements accorded to all Federal government employees.
• Site audit teams had limited time (90 minutes of pre-survey coaching plus additional document review) for training.
• While site teams were generally knowledgeable about audits, investigations, and consultative visits, not all were experts in all the complexities associated with scheduling and access management.
• Sampling of staff was based on availability.
• Staff selected for interviews may not have been available to complete the requested interview. In these cases, the site audit team selected another candidate.
• Treatment of respondents prior to interview
• In certain instances staff selected for interviews had experienced recent training (e.g., within days of the requested interview). This treatment may have altered results, affecting baseline assessments of understanding of scheduling policies and practices.
• Limited validation of responses
• Survey science includes methodology for internal validation to ensure consistency of responses. This is limited in the audit and where included does not support a high correlation (see 5.1 of this audit results for details).

Employees indicated reluctance to participate in the survey that was used to draw conclusions "...due to fear they would be subject to disciplinary action due to deviation from national policy."

The report alleges some very significant findings, but does not pin-point who is causing the problem. A good audit would have identified the root cause of the problem. I'd like to know who placed pressure on the schedulers as cited in the following section of the report:

• "Findings indicate that in some cases, pressures were placed on schedulers to utilize inappropriate practices in order to make waiting times (based on desired date, and the waiting lists), appear more favorable. Such practices are sufficiently pervasive to require VA re-examine its entire performance management system and, in particular, whether current measures and targets for access are realistic or sufficient." 
• "Respondents at 90 clinic sites provided responses indicating they had altered desired dates that had been entered. In virtually all cases, they indicated they were instructed by supervisors, but many believed the policy of altering dates was coming from facility leadership. In at least 2 clinics, respondents believed someone else (not a scheduler) was routinely accessing records and changing desired dates in order to improve performance measures."

In addition, the recommendation to re-examine the performance management system is only part of the problem if the real issue is management lacking in integrity. Audits that leave the reader to wonder who is the cause of the problem identified do a real disservice to the good people in the organization being audited. It taints everyone. 

I know this report was issued to meet the demand for accountability, but it should not have been issued under the guise of an audit. It should have been issued as a report on the results of a survey. 

Interestingly, I can't even determine who is responsible for the report other than the Veteran's Health Administration. It's an unsigned report.

CPA Journal Article

Attached is an article I wrote for The CPA Journal in its May 2014 edition. The Journal is a double-blind, peer-reviewed publication of the New York State Society of CPAs. The article is How a $53 Million Fraud Went Undetected for 22 Years - Learning from Past Mistakes.

US Senate Committee finds DHS Acting Inspector General Lacked Independence

The following story is one I’ve heard from other government auditors over many years. Senior staff without the knowledge or skill to do audit related work creating a negative environment that results in watered-down audit reports.

When I encourage staff to speak out, the common refrain is, “I can’t afford to lose my job.” – which is understandable.

It is good to see, in the following instance, that some brave staff did stand up, testified before the US Senate, to bring about change in the senior ranks of an important agency.

LACK OF INDEPENDENCE

The United States Senate Committee on Homeland Security and Governmental Affairs found that Mr. Charles Edwards, the Acting Inspector General of the Department of Homeland Security, jeopardized the independence of that Office. The Committee found, "Mr. Edwards did not understand the importance of independence. [He] communicated frequently with DHS senior officials and considered them personal friends. Mr. Edwards did not obtain independent legal advice. [He] directed reports to be altered or delayed to accommodate senior DHS officials. Mr. Edwards did not recuse himself from some audits and inspections that had a conflict of interest related to his wife’s employment, resulting in those reports being tainted."

What a damning indictment. Based on this report, Mr. Edwards resigned from his position at the OIG and requested and received a transfer to the Office of Science and Technology at DHS.

It is inconceivable to me that he continues to work at the same agency especially after the Committee found, “…that Mr. Edwards asked and received assistance from an employee who worked on his Ph.D. dissertation.”

In addition, “…the Subcommittee did find that there was a widespread belief that Mr. Edwards engaged in those actions and that belief contributed to an office environment characterized by low morale, fear, and general dissatisfaction with Mr. Edwards’ leadership.”

Here are some of the findings from the Senate Committee report.

Lack of Familiarity with OIG Work

Unlike most IGs, Mr. Edwards does not have experience conducting audits, investigations, or inspections, the three main types of work conducted in an Office of Inspector General. For example, when interviewed by Subcommittee staff, Edwards was unable to articulate guidelines that govern briefing details of an ongoing investigation to DHS. Edwards stated, “I don’t know that offhand here.”

Frequent Communications and Personal Relationships with Senior DHS Officials

Mr. Edwards frequently communicated with both the DHS Chief of Staff and the DHS Acting Counsel. In many of these e-mails, Mr. Edwards offered updates on investigations and audits. Mr. Edwards did not include senior members of his staff on many of these emails and they were not aware of these communications. One senior OIG official called the exclusion of involved staff in these e-mail chains “concerning.”

Edwards socialized with senior DHS officials outside of work over drinks and dinner. 

The Subcommittee obtained e-mails where Mr. Edwards told the DHS Chief of Staff that he truly valued his friendship and that his “support, guidance and friendship has helped me be successful this year”. The Subcommittee also obtained an e-mail to the DHS Acting Counsel where Mr. Edwards wrote “Your friendship, support and advice means so much to me. There are many blessings to be thankful for this year, but one of the best is having a friend like you.”

Lack of Independent Legal Advice

By law, an IG can only obtain legal advice from his own or another IG’s counsel. This restriction recognizes that legal advice from an agency’s General Counsel compromises the independence of the OIG.

The Counsel to the IG stated he was “cut out of some of the major decision-making.” He also informed the Subcommittee that he was not given access to Mr. Edwards’ calendar and his direct reporting relationship with Mr. Edwards ended.

Four former OIG officials told the Subcommittee that Mr. Edwards would go to the DHS Office of General Counsel for advice. The Subcommittee also reviewed an e-mail from Mr. Edwards to the DHS Acting Counsel which appears to contain a request for legal assistance, stating: “I really need some legal help….Please help me for the next four months.”

Improper Alteration or Delay of Reports

There are numerous reports discussed in this section, I would encourage the reader of this blog to read the Committee full report to see what occurred, but here is one part, “OIG officials told the Subcommittee that Mr. Edwards did not consult with his Assistant IG (AIG) for Audits or the Counsel to the IG prior to making this change. According to the Counsel to the IG, this was “entirely inappropriate.” Moreover, the changes were made after the final draft was given to DHS, which was “inappropriate,” and “irregular.”

Tainted Audit Reports

The Subcommittee received allegations that OIG audit reports were tainted due to a conflict of interest presented by the employment of Mr. Edwards’ wife in the Program Accountability and Risk Management office of DHS.

Because of the appearance of a conflict of interest, the OIG had to temporarily remove four audit and two inspection reports from its website and amend them to include a modified independence statement.

ABUSE OF AGENCY RESOURCES

Assistance with Pursuit of a Ph.D.

The Subcommittee determined that Mr. Edwards abused agency resources by asking a staff member to work on his Ph.D. dissertation.

Mr. Edwards’ Acting Chief of Staff provided assistance to Mr. Edwards with his dissertation over a period of at least eight months, from September 2011 to April 2012. During this period, the Acting Chief of Staff said she worked on the dissertation at work and at home, both during and after business hours. This work included research, editing, and proofreading. In total, the Acting Chief of Staff estimated that she spent approximately 20-25 hours assisting Mr. Edwards with his dissertation. The Subcommittee was unable to verify the accuracy of this estimate. The Acting Chief of Staff was allowed to telework while working on Mr. Edwards’ dissertation. Mr. Edwards also appeared to offer to delegate the Acting Chief of Staff’s official duties to other OIG employees to allow her to focus on his dissertation.

Assistance with Employment at Capitol College

The Subcommittee identified at least 15 occasions between September 2011 and March 2012 in which Mr. Edwards asked for or received assistance from a member of the OIG’s technology staff. On one occasion, Mr. Edwards sent the employee a 96 slide PowerPoint presentation and asked her to “do the notes for each slide.” The employee also assisted Mr. Edwards in drafting guidance documents for student assignments and on substantive matters for class tests. This assistance was provided during both official and non-official hours.

Office Environment

During the Subcommittee’s investigation, current and former OIG employees repeatedly reported that Mr. Edwards had created a hostile work environment. One official characterized the office as a “toxic, totally dysfunctional and oppressive” work environment characterized by low morale, paranoia, and fear. Another official described the atmosphere of the OIG as one of “[c]omplete terror,” such that “there were times that [they] couldn’t even get up out of bed, [they were] so emotionally scared, drained.”

Many employees told the Subcommittee they wanted a change in leadership. According to one official, the OIG staff “want to have a legitimate Inspector General in place to get us back on track.” Another called the office “the worst agency” and said that it has been “run into the ground” under Mr. Edwards’ leadership. Reasons include Mr. Edwards’ reluctance to “seek out advice or guidance from anybody with experience” and that the “people … he surrounds himself with … do not have the background or the experience to be useful to him.”

According to one OIG employee, more experienced senior officials refrained from criticizing Mr. Edwards out of fear of repercussions. The Subcommittee was told that “[Mr. Edwards] has a very limited idea of loyalty and people whom he can trust, and if you ever disagree with him, he no longer trusts you.”190 The result, according to multiple OIG officials, has been a steady exodus of agency staff. 191 One OIG official told the Subcommittee that Mr. Edwards’ management style was “my way or the highway, and if you don’t like it, I will either put you on admin[istrative] leave or I’ll make sure that you leave.”

Conclusion

The US Senate Committee’s report was the result of allegations coming from whistle blowers. I hear of similar allegations in other agencies and I always tell staff to think through a strategy that can result in change. I encourage all government auditors to read this report and to see what is possible.

http://www.hsgac.senate.gov/download/staff-report-from-chairman-mccaskill-and-ranking-member-johnson-to-cigie-regarding-investigation-into-the-former-acting-dhs-ig

Problem Audits are Worldwide

"Problem audits" aren't just a U.S. problem.

Big accounting firms are producing deficient audits around the world, according to a new survey of 30 countries' audit regulators—mirroring the experience in the U.S., where regulators have found deficiencies in more than a third of audits by major accounting firms that they have inspected in recent years.

This is from the Wall Street Journal's April 10, 2014 edition: 

http://online.wsj.com/news/articles/SB10001424052702303603904579492440320387248?KEYWORDS=Audit&mg=reno64-wsj

Here is the report:

https://www.ifiar.org/IFIAR/media/Documents/IFIARMembersArea/MemberUpdates/IFIAR-Inspection-Survey-9-April-2014_1.pdf

Livent creditors awarded $85-million due to auditors’ negligence

From the Globe and Mail

An Ontario judge has awarded $85-million in damages to the creditors of long-defunct theatre company Livent Inc., ruling the firm’s auditors at Deloitte & Touche were negligent in their reviews of the company’s 1997 financial statements.

http://www.theglobeandmail.com/report-on-business/livent-creditors-awarded-85-million-due-to-auditors-negligence/article17845004/

Officials Duped Out of $100 Million – Auditors Were No Help at Fletcher Asset Management

Three Louisiana pension funds invested a combined $100 million in 2008 in Fletcher Asset Management. Each of the three funds invested from 3.9 percent to 8.6 percent of their assets in Fletcher's scheme after the firm made a pitch promising to deliver every investor's dream: high returns with low risk.

In fact, the arrangement promised a guaranteed 12 percent return on their money. If the return dipped lower, the difference supposedly would be made up by $50 million put up by a third-party investor.

This week, the Trustee in Fletcher’s bankruptcy said the value of the assets in Fletcher were worth less than $8 million. Fletcher had valued the fund at $352 million.

It’s hard to have sympathy for public pension officials who are gullible enough to fall for a high guaranteed rate of return. The Municipal Employees' Retirement System of Louisiana actually had no policy on credit risk or interest rate risk – fundamental risks that should have been assessed before investing.

Despite this naïve approach to managing public funds, the pension officials should have been able to depend on the auditors to ferret out any wrong-doing on the part of Fletcher Asset Management. Unfortunately, the auditor team failed again to properly carry out its audit responsibilities and as such, failed to alert the public to the significant short-comings in Fletcher’s financial statements.

Based on the Trustee’s investigation, investors were victims of a fraud defined by:

• the extensive use of wildly inflated valuations, 
• the existence of fictitious assets under management, 
• the improper payment of excessive fees, 
• the misuse of investor money, 
• and efforts wrongly to deny the Louisiana Pension Funds a key benefit of their investment agreement – mandatory redemption of their investment under certain circumstances.

The Funds were also victims of an environment where self-interest all too often trumped fiduciary obligations.[1]

The Trustee went on to say,

“Auditors, too, failed to exercise adequate professional skepticism when reviewing valuations; failed to insist on adequate disclosure of related party transactions involving [Alphonse Fletcher] and his family, Citco, and Unternaehrer; and failed to require disclosure of redemption obligations which would have caused a collapse of the Funds.”[2]

There were numerous red flags that ought to have been readily apparent to the administrators and auditors for the Funds. These red flags included: 

• Manager-controlled pricing of customized investments, supported by a valuation agent lacking adequate experience and independence; 

• Massive subscriptions into the Funds in November and December 2008 (following the collapse of Lehman Brothers) from the FAM-controlled Richcourt Funds, when both the administrator and auditor knew that the Richcourt Funds had suspended net asset values (“NAVs”) and redemptions and imposed gating on investors; 

• Repeated massive sudden gains in multiple investment positions; 

• Multiple transactions in major positions at values that were inconsistent with the mark-to-model valuations; 

• Valuation reports that did not meet minimum industry standards; 

• Guaranteed minimum investor returns for certain investors; 

• Absence of any down months over 127 months from June 1997 through December 2007; 

• Fund complexity; 

• Lack of timely issuance of annual audited financial statements; 

• Lack of timely reporting and communications to investors, including delays in receiving monthly and weekly financial data from the investment manager in order to calculate NAVs; Backdating corporate and transaction documents; 

• Ascribing value to non-exercised contract rights to buy securities without actually investing in them; 

• Mismatch between the terms of the investment vehicle and the underlying investments; and 

• Continued inflows and outflow over short time periods from affiliates and related entities.

These red flags should have caused the administrators and auditors to have investigated, disclosed and stopped. None did.[3]

The Trustee identified a number of auditing standards that were not complied with by the auditors. The Trustee said,

“To arrive at their opinions and discharge their duties, Grant Thornton and Eisner were required to plan and perform their audits in accordance with generally accepted auditing standards (GAAS). These standards prescribe the minimum threshold conduct for an auditor. The Trustee reviewed, among other evidence, the accountants’ work papers and deposition testimony, and concluded that the audits performed failed to comply with GAAS. Grant Thornton and Eisner failed to qualify their audit opinions appropriately to acknowledge that the financial statements were materially misstated and should not have been relied on by those receiving them. In this regard, it is important to remember that the audience for these audits was not only the Funds, but also the investors to whom the various audits were addressed.

Grant Thornton or Eisner (or both) violated the following GAAS:

• General Standard No. 1, which requires the auditor to “have adequate technical training and proficiency to perform the audit.”

• General Standard No. 2, which requires the auditor to “maintain independence in mental attitude in all matters relating to the audit.”

• General Standard No. 3, which requires the auditor to “exercise due professional care in the performance of the audit and the preparation of the report.”  Due professional care requires the auditor to exercise professional skepticism. Professional skepticism is an attitude that includes a questioning mind and a critical assessment of audit evidence.

• Standard of Field Work No. 3, which requires the auditor to “obtain appropriate audit evidence by performing audit procedures to afford a reasonable basis for an opinion regarding the financial statements.”

• Standard of Reporting No. 1, which requires the auditor to state whether the “financial statements are presented in conformity with generally accepted accounting principles (GAAP).”

• Standards of Reporting No. 3, which requires that “when the auditor determines that the informative disclosures are inadequate, the auditor must state so in the auditor’s report.”

I’ll examine these in more detail in future blogs.

     style="display:inline-block;width:728px;height:90px"
     data-ad-client="ca-pub-0906764851584171"
     data-ad-slot="8133153944">

---

[1] Page 4, Trustee’s Report and Disclosure Statement, Fletcher International, LTD., Issued 11/25/13, Case No. 12-12796 (REG). US Bankruptcy Court Southern District of New York

[2] Ibid. Page 8

[3] Ibid. Page 10

NY Times: Accounting World, Still Resisting Sunlight

Here is an interesting article in the New York Times. 

Floyd Norris reports, "The accounting business has sometimes had an attitude of — how shall I put it? — contempt for those who would regulate it. The people who run the major firms know best, and regulators should yield to their superior judgment."

http://nyti.ms/1d3hQrO

Forged Documents – Get Two Out of Prison - Were Risks Assessed?

Two Florida inmates walked out of prison based on forged documents authorizing their early release from life sentences. This is an impressive prison escape and it shows the importance of an appropriate internal control system.

In a letter addressed to Florida's Circuit Court judges, Michael Crews, secretary of the Department of Corrections, writes the department would require verification of any future order from a sentencing judge that results in early release of an inmate.

The inmate will not be released until verification is received, Crews writes. "In light of the potential for fraudulent use of court papers, we believe that the additional step of providing verification of sentence modification court orders is an important safeguard in ensuring the integrity of the judicial process…"

The letter follows after the convicted murderers, Joseph Jenkins 

and Charles Walker

checked in as required by Florida law with a jail after they gained their freedom from the Franklin Correctional Institution in Carrabelle, Florida.

As I've written in previous blogs, forged documents are easy to produce. Clever individuals who understand the systems in place, and where weaknesses exist, can exploit that system.

While there will be legislative hearings on this case, based on my experience, it is likely the Department of Corrections did not formally assess the risk of this type of escape and design control systems to assure the risk was mitigated.

Here is one the forged document related to Joseph Jenkins release: