Auditing the auditors

When years of clean audits end up costing investors dearly, industry reform is urgently needed.

SINGAPORE (June 10): The spate of corporate scandals in Singapore has left investors such as Jerry Low disgruntled and disillusioned — and doubtful — about auditors and their work. “They were not able to warn us on Noble [Group’s] dire financial situation. They appeared totally unaware of Midas’ fake accounts. They were unsuspecting of Hyflux’s unrealistic valuation of Tuaspring. Auditors’ unqualified opinion can no longer be relied upon as an indication that everything is okay in the listed company,” Low tells The Edge Singapore.

“From the investor’s perspective, auditors today are acting less like auditors and more like businessmen looking for patronage,” he notes.

Low is not alone in believing that auditors should bear the brunt of the blame when a company goes to the wall. A report by the Association of Chartered Certified Accountants (ACCA) showed that 52% of the Singapore public believe it is auditors who are responsible for avoiding company failures. This is despite the fact that only 31% of the Singapore public could accurately identify what an auditor does.

Auditors have privileged access to company management and are able to delve deeper into a company’s financials than most retail investors ever could. As a result, investors have great expectations of them.

Get the latest Singapore corporate news stories for FREE

This field is required

Enter a valid email address

“In my opinion, the auditors very often fail in their effort to give comfort to investors that they have revealed all the pertinent information and those financials are fairly presented,” says Michael Dee, a long-time critic of the Singapore Exchange, Noble and the Securities Investors Association (Singapore).

However, auditing industry professionals to whom The Edge Singapore has spoken have a different take on their role. They maintain that their job is to carry out a specific scope of work according to recognised accounting standards. In short, their task is not to look for fraud but to see that companies’ financial statements comply with accounting standards.

“People expect auditors to find all errors, but auditors can never find all errors,” a former auditor tells The Edge Singapore. “That’s why it is always stated in the financial statements [that] the job of the auditors is not to detect fraud but to ascertain the reasonableness of the statements.”

Another former external auditor laments that audit firms are often caught between a rock and a hard place. He says an external auditor is very often completely unable to detect efforts, if any, by management to cover up irregularities, despite employing “professional scepticism” while scrutinising the books. “We run audit procedures to meet our audit objectives to give reasonable assurance that nothing material was missed,” he notes. “That is how we answer all those tricky ‘auditor responsibility’ questions. [But] if a company hires a good ex-auditor to manage its books, I assure you that auditors will find absolutely nothing amiss with the books.”

There is clearly an expectation gap in what auditors do and what the investing public think they do. This gap is not necessarily a bad thing for the industry, says Chiew Chun Wee, head of policy, Asean and ANZ, ACCA. “The huge expectations the public has is demonstrative of the value [the audit industry] is either delivering or has the potential to deliver.”

Indeed, as the economy expands and business models get more complex, the public’s expectations of audit professionals are also going to grow. In the light of all that has gone wrong so far, what needs to change?

The main challenges:

Conflict of interest - Audit firms are profit-driven entities, and face pressure to act in their clients’ favour.
Race against time – Pressure to not look too thoroughly at figures in order to get the job done on time.
Great expectations – Investors expect auditors to detect fraud, because they have the access and the ability to. But there is an expectation gap in what auditors do and what the investing public think they do.

Some possible solutions:

Establish an independent escrow authority handle the negotiations and payments and define the auditing scope. Audit reports should then be sent to this central regulatory authority.
Stricter enforcement and actual penalties for auditors that have plainly been negligent, or criminal, in their tasks.
Whistleblowing policy to encourage reporting without the fear of repercussions.

Not finding fraud

On the face of it, an auditor’s job is to ensure that a company’s financial statements represent a true and fair view of the company’s financial performance and position, free from any material bias or error. If the audit uncovers financial fraud, the auditor is expected to report it. This also means the auditor does not expect to purposefully sniff out financial fraud.

“What the auditor is expected to do, and is already doing, is to minimise the risk of material misstatements arising from fraud and error,” says El’fred Boo, associate professor of accounting at Nanyang Business School (NBS). “The auditor is required by the professional standard to assess risks, including fraud risks. If there is fraud, and to the extent that it results in a material misstatement, the auditor is expected to be able to detect the material misstatement when appropriate audit procedures are performed.”

In fact, auditing has not been the primary way of uncovering fraud. In a study by the Association of Certified Fraud Examiners, nearly half of fraud cases are detected by a whistleblower. An internal audit catches fraud 16% of the time; a management review does it only one-tenth of the time. Only 8% of fraud cases were detected by an external audit.

Indeed, an audit may not even be as thorough as a layman expects it to be. As the former external auditor puts it, an audit may include just three out of 10 subsidiaries that a company owns, should they contribute a significant portion of the company’s revenue. Another issue is what counts as “material” to the company. In a company that generates hundreds of millions of dollars in revenue, a few thousand dollars that may have been accounted for wrongly would not be obvious in the broader scheme of things, and therefore could be considered as immaterial by the auditor.

Still, auditors are expected to employ professional scepticism on the job, says Boo. “Even if the auditor is happy with the management’s integrity based on past dealings, [he] nevertheless still needs to watch out for potential misstatements due to fraud,” he explains. “This is important to the auditor, as [his] role is to ascertain the rigour of information presented to [him] and disclosed by the company. An auditor will need to question and pursue the matter until it clears his significant doubts.”

Says ACCA’s Chiew: “It doesn’t mean that you assume the management is out to defraud you. But [do] not let past experience persuade you that the management is always good and great.”

Expectation versus reality

On the ground, insiders tell The Edge Singapore there is pressure to not look too thoroughly at figures in order to get the job done on time. “Sometimes you do find things, but because of the pressure of finishing the job, you just leave it,” a former auditor says.

He also says that, between the time he joined the internal audit department at a Big Four firm and the time he left, half his department had resigned. Yet, the number of projects the department handled remained the same. And the firm continued to hunt for new prospects. He has doubts the remaining employees are able to maintain the quality of their work.

There is also the practice of having less experienced, junior auditors handle most of the work while the senior partners and managers sign off on the reports.

“The work doesn’t happen at the senior level. It’s at the lowest level — they are the ones seeing the documents and making the initial decisions,” says Carl Jenkins, global leader, governance, risk, investigations and disputes at corporate investigations and risk consulting firm Kroll. “A lot of young people fresh out of school are assigned to large companies to do the work. Right off the bat the question is: Are they trained? And are they supervised properly? In an audit firm [where] you have 25-year-olds supervising 21-year-olds, there is no depth of experience.”

Compounding the issue is how some firms are promoting employees, even if it is not justified, as a way to retain them. One former external auditor tells of juniors who were bumped up even though their work was not up to scratch, as the firm scrambled to cope with the turnover rate. However, the former auditor noted that the senior partners did send back substandard work, even if they were on a tight deadline.

Then, there is the cultural factor. Auditors are expected to challenge company management on their findings, and it may be that some are reluctant to question older people.

Nevertheless, firms have to stress to their employees that it is ultimately about doing the right thing, says ACCA’s Chiew. “It is public interest that we are protecting,” he says. “It is not to finish everything in the quickest possible manner. The auditors’ responsibility is to make sure that the job is done well and they will take the time they need to do that.”

Conflict of interest

The biggest issue facing the auditing industry today is conflict of interest, which critics say have resulted in firms being unable or unwilling to find faults.

In the case of Noble’s troubles, critics point to the failure of the commodity trader’s auditor to question what appeared to be outrageous valuations. For instance, the value of the company’s 14% stake in Yancoal Australia, at 50 times market price, was grossly overstated, in Dee’s view. “Now, how does an auditor sign off on that?” he says, referring to EY (Singapore), which had its audit of Noble’s financial statements from 2012 to 2016 reviewed by regulators.

PwC was subsequently brought in as the special auditor take another look at Noble’s books. But Dee then accuses the firm of failing to question whether the company’s commodity contracts were genuine. “Who looks at the contracts and asks if they are real? Why are we letting someone value something that hasn’t happened? Who reviews the judgement on the price and value in the contract?” he asks.

Audit firms are profit-driven entities and are compensated for their audit services. One industry insider tells The Edge Singapore that this has resulted in a company putting undue pressure on its audit firm to act in its favour. An external auditor who was attached to a mid-sized audit firm for three years is sceptical about how independent external auditors can truly be, given that their fees are being paid for by the companies. “I question the true independence of external auditors if they are hired by shareholders, who are also members of the board of directors,” he says.

“The auditors are paid by their clients; there is pressure on audit fees,” says Kroll’s Jenkins. He cites the example of Enron, the largest client of accounting firm Arthur Andersen. The firm, which was indicted for its criminal involvement in covering up billions of dollars in losses at the energy company, collapsed a year after Enron did.

“Do you go back to the client when you see something wrong and say ‘stop’, knowing full well that the client will blow up? Or will you try to bend over backwards to find a way to make something work? Unfortunately, in that situation, they bent over backwards to make something work.”

The failure of Enron led to the enactment of the Sarbanes-Oxley Act in the US. This effectively legislates independence by prohibiting auditors from offering services to their clients apart from audit.

Yet, in the interest of growth, firms here are consultancies that sell a wide-ranging host of other advisory services, albeit through affiliate firms, in a bid to maintain a firewall between the business units. Consulting services generate higher fees than audit, notes Mak Yuen Teen, associate professor of accounting, NUS Business School. “The lessons of Enron are long forgotten and today, the situation is worse than before Enron,” laments Mak.

He adds that he often hears of audit partners defending the interests of their clients, such as opposing certain regulations that may result in higher compliance costs. “Why do they see it as their business to argue on behalf of their clients if they are supposed to be independent?”

Auditors may also be forced to take on engagements that may be risky, for profit. “This is where commercial considerations may trump the spirit of professional standards,” Mak points out. “One only needs to observe the fact that no matter how bad or risky a client is, there will always be some audit firm that is willing to accept it as a client. I have not seen any listed companies here failing to find a replacement auditor. Some change auditor every year, or nearly every year. These high-risk clients just keep going down the list until they find a firm willing to risk its reputation for the fees.”

Who is responsible?

Auditors today have an increasingly tough job, according to industry practitioners, as technology and new business models make accounting more complex. At the same time, various accounting treatments, particularly those that require the exercise of professional judgement — such as revenue recognition and fair valuation — are making the audit more complex, says NBS’s Boo. Moreover, not all clients are cooperative, and the information given could be “sketchy or messy”, he adds.

Given the challenges in getting a true and fair view of any company’s balance sheet, the former external auditor says he finds it hard to believe any financial statements put out by companies and auditors. He left an audit firm for an internal audit role, as he believes he would be able to institute controls to prevent such accounting mistakes and lapses and fraud.

Ong Hwee Li, CEO of corporate finance services firm SAC Capital, says auditors should be held responsible for not calling out wrong accounting treatments made by the client. Using the example of Hyflux, he says the auditor should have made a stand to classify the perpetual instruments as debt. “The auditor cannot just follow what the client thinks is the right treatment.”

But the fault-finding should really begin with a company’s management, says Daniel Bens, professor of accounting and control at INSEAD. “Whenever we see these failures, we have a tendency to point the finger at the auditors. And sometimes they are to be blamed. But the finger has to be first pointed at the management because they are the ones responsible for putting together the financial statements,” he says.

Bens argues that auditors are only responsible for uncovering financial fraud if they detect hints of it. Other stakeholders have their roles to play: Shareholders are responsible for electing a competent board of directors, who are in turn responsible for keeping checks on the senior management and choosing a qualified auditor.

“The first line of defence is those who are charged with governance. It falls squarely on them,” says Kon Yin Tong, president of the Institute of Singapore Chartered Accountants. “They are all part of the [financial reporting] ecosystem. It is very difficult to sit down across the table to say that, in this case [the blame lies with the] auditors; in that case, [it is with] the management. In all cases, everyone should take a fair share of the blame.” He adds that if the auditors have been following accounting and auditing standards, the scrutiny should then shift to the standards — whether they are “appropriate” and “robust”.

Industry reform

So, should it be the auditor’s responsibility to detect fraud? This would make their job even more onerous and result in the ballooning of audit fees and compliance costs, industry observers say. And even if the role were to change, it would still be difficult to find fraud. The perpetrators of a crime would be careful “not to leave any trail”, Boo points out. And they would most likely collude with others to subvert internal controls. “As an outside party who visits the company a few times at most in a year, the auditor is an unlikely candidate to detect fraud. Even a discovery of fraud by accident ranks higher [in probability] than [discovery by] external auditors,” he says.

Preventing corporate fraud from getting out of hand and eroding faith in the market would need a reform of the audit industry in several ways.

The key is to ensure true impartiality in the audit process. “The auditors are paid by companies that they are supposed to be auditing. There is a structural incentive for not being too hard on clients for fear of losing them,” Dee says.

One way is to have an independent escrow authority handle the negotiations and payments and define the auditing scope. An industry insider proposes a “pool” of audit fees that every company pays into and which is managed by a central regulatory authority. Audit reports should then be sent to this central regulatory authority. “This way, the audit firm is not at the mercy of the client,” he says.

By taking that paying relationship out, auditors can fully play their role with true independence, notes ACCA’s Chiew. “It could be the stock exchange or a state-owned body that collects the fees, based on market cap, and it allocates them to the [audit] firms. You won’t have the perception that they are beholden to their clients [then],” he says.

A rotation of auditors would also be a good way to ensure that clients and auditors maintain a professional working relationship. Currently, only audit partners need to be rotated rather than firms. This could be a way for auditors to remain impartial, according to former external auditors and industry observers.

Secondly, there needs to be stricter enforcement and actual penalties for auditors that have plainly been negligent, or criminal, in their tasks. This would fall within the purview of the regulators. In the UK, for instance, the Financial Reporting Council has meted out tens of millions of pounds in fines on Big Four firms, following numerous audit lapses and scandals.

Investor Low agrees. “No SGX-listed companies’ auditors have been penalised in recent years, despite multiple corporate frauds and failures,” he says. “After Hyflux and Noble, audit opinion no longer matters.”

Says Dee: “There is no procedure for bondholders or investors to hold auditors accountable for the reports they gave that stated that the financials were fine. The auditors are able to hide behind certain rules and practices and absolve themselves of responsibilities — by saying they relied on management’s judgement without testing the judgement independently.”

Consequently, the market regulator needs to be independent of the operator and its commercial interests. “The organisational structure of SGX is to be a profit-making enterprise. But if you regulate aggressively, and other [jurisdictions] are less aggressive, [companies] won’t list on your exchange,” Dee says. “In my view, the regulatory regime was weakened to have more commercial success. I am hopeful that a separation of the regulatory function in SGX would lead to a better outcome.”

Thirdly, since the uncovering of fraud in most of the cases is a result of whistleblowing, perhaps there should be a whistleblowing policy here to encourage reporting without the fear of repercussions. In the US, for instance, there are laws to protect whistleblowers, who also receive a portion of the financial penalties that are levied on the companies after wrongdoing is proven.

Unfortunately, the experience with whistleblowing in Asia so far has not encouraging. “The majority reaction is: ‘Who is making this claim? We want to know who is turning against us,’” says Tadashi Kageyama, regional managing director at Kroll Asia-Pacific.

Fourth, companies need to shore up their internal audit processes to provide the checks and balances needed to uncover and prevent fraud. Internal audit would then become the first line of defence, even before external auditors come in to verify their work.

Finally, it is down to investors to familiarise themselves with the company they own and its financials, and hold the management accountable. — With additional reporting by Trinity Chua and Pauline Wong

Detecting fraud in a company

As obvious as it may seem, the first step in detecting fraud in a company is to compare the numbers, says Carl Jenkins, global leader, governance, risk, investigations and disputes at corporate investigations and risk consulting firm Kroll. He recommends taking a good look at trends, comparing the performance of a company with its peers in the industry and examining the financials of each subsidiary of a company, right down to the individual office.

“You look for trends and you also look at the industry [the company] is in,” says Jenkins. An underperformance or outperformance may be an anomaly or attributed to a bad deal, but it is something to look at. “The next thing we might look at is whether there are any large compensation changes or arrangements in the company,” he adds.

While higher sales should drive higher compensations, one might find that costs of sales are going up because somebody is giving big discounts to increase sales numbers, Jenkins notes. This issue of assumptions also extends to new acquisitions in markets the company has not been in before, with headquarters and subsidiaries being on a different page when recognising revenue or profit. In such cases, looking closely at all the books instead of only a “sample” makes a difference.

Jenkins recalls his experience when he was an auditor looking at the books of an insurance company in the US. “I see stationery and supplies for an office somewhere in the Midwest, and it was US$200,000 when it used to be US$10,000,” he says. It might not have been obvious at the company level. “But I pointed it out. [And it turned out that] there was somebody embezzling funds using that account.”

Vendors should also be scrutinised, he adds, for conflict of interest, or fake invoices and round-tripping. Auditors tend to only check that purchase and delivery orders match invoices. “I was working with a Dutch company and they had set up these fake vendors. If you looked in the phone book or called them, they didn’t exist,” says Jenkins.

With growing complexity in business models, technology is also coming into play. “With the help of computers and artificial intelligence [AI], auditors are able to audit the whole population of transactions. This will increase the chances of detecting material misstatements that may be due to fraud,” says Wang Jiwei, associate professor of accounting (practice) at the Singapore Management University.

Start-ups and large corporations are now looking to produce AI solutions to detect fraud internally. Payment systems company ACI Worldwide, for instance, is building a data model for indicators of fraud.

“The indicators that stand out tend to be breaches of policy. [The person who commits fraud] — whether they are disgruntled or believe they are owed something or [need] access to funds — tests the waters. They test to find out if what they know about vulnerabilities is true; they test the boundaries. They try things that are minor, to build up knowledge and confidence,” says Giselle Lindley, principal fraud consultant at ACI Worldwide.

AI start-up Datavisor has sold applications to combat internal fraud. “Our systems are being used to target internal fraud similar to what happened at Wells Fargo & Co when they were aggressively expanding customers,” says Xie Yinglian, CEO and co-founder. “Sales agents’ performance [was based on the number of] new applications. Some agents brought in customers not qualified for the accounts, but packaged them to help them qualify, [a form of] internal fraud.”

She adds: “It is very hard to manually sift through things to look for fraud. You need an advanced algorithm to look across the data, and correlation to identify that.”

Ultimately, the best teacher is experience. “Very rarely is there fraud or an issue that we haven’t seen before. The numbers and the people might be different, but the [bare facts are the same],” says Jenkins. “Unfortunately, learning from past mistakes is hard, as companies often do not want to go public when fraud has been discovered internally.”