2022-10-19
The Dutch Authority for the Financial Markets (AFM) issues this position paper to address the insufficient development of the audit sector in detecting and following up on fraud risks in statutory audits. The regulator identifies three root causes for these shortcomings: insufficient knowledge and expertise, inadequate auditor mindset and role perception, and obstructive internal organizational cultures. Consequently, the AFM will intensify its supervisory focus on fraud issues by examining audit firms' quality cultures, quality management systems, and the effectiveness of their fraud risk detection procedures.
Handling of Fraud Risks by Audit Firms in Audited Companies
Position Paper
Publication: May 2022
AFM
AFM.nl/frauderisicos
Key Points
❖ Detecting and following up on fraud (risks) in the statutory audit of audited companies is an important responsibility of the external auditor. The auditor must serve the public interest by providing assurance regarding the fairness of reporting to the public and specifically to its end-users.
❖ Although an objective picture is lacking, the accounting sector as a whole appears to be insufficiently developed in detecting and following up on fraud risks.
❖ Based on the analysis performed, three possible root causes emerge:
   i. Knowledge, skills, and expertise are not always sufficiently present.
   ii. The auditor's role perception, attitude, and mindset may fall short regarding the detection of fraud (risks).
   iii. The internal culture of audit firms can be obstructive.
❖ The AFM will make the fraud issue an important theme in the supervision of audit firms in the coming years. The AFM stands for fair and transparent financial markets. Fraud is by definition neither fair nor transparent. Fraud is an important societal problem that is expected to manifest in more areas in the future. It has a potentially large impact on the end-user and can lead to instability and a loss of public trust in the integrity of the financial system. This can also put the justified trust of society in the auditor under pressure. All of this justifies more supervisory attention and intensity for this issue.
Introduction
Problem Analysis
5. The auditor must serve the public interest by providing assurance regarding the fairness of reporting to the public and specifically to its end-users. Serving the public interest is an important source of legitimacy for the statutory status of the accounting profession. The public-societal function of the auditor becomes particularly manifest when a company goes bankrupt or when major fraud leads to losses for investors.
6. From this perspective, detecting and following up on fraud (risks) in the statutory audit of audited companies is an important responsibility of the external auditor. Fraud forms the origin and rationale for the accounting profession. Major fraud by listed companies (Enron, Parmalat, Ahold) was the impetus for the introduction of supervision over reporting and audit firms in the Netherlands. The auditor therefore plays a crucial gatekeeper role in the financial system. This follows clearly from the auditing standards: the auditor must provide a reasonable level of assurance that the reporting is free from material misstatements resulting from fraud and error. The auditor makes a promise to society in this regard. Audit procedures aimed at detecting fraud are therefore an inseparable part of the statutory audit.
7. It is important here that the accounting sector adopts a broad perspective.[1] The auditor should not only detect and follow up on risks of fraudulent financial reporting and misappropriation of assets in the statutory audit, but also, for example, risks of corruption, tax evasion, sanctions violations, money laundering, cybercrime, and cartel agreements. This does justice to the complexity of the issue, the increased societal expectations, and the fact that the theme of fraud will become increasingly important in the future and will relate to broader areas.
The auditor also fulfills his broad gatekeeper role in the financial system by detecting and following up on fraud risks.
8. Naturally, all parties in the chain of reporting and accountability must take their responsibility to address the societal problem of fraud.[2] Audited companies are primarily responsible for preventing, detecting, and addressing fraud. This applies to both large (international) companies and smaller businesses, for example, with a director-majority shareholder structure. Adequately and visibly fulfilling this responsibility places high demands on companies. This includes a good system of internal control and fraud monitoring, a culture based on integrity and constructive challenge, and a clear mandate and strict independence of the internal audit function. Naturally, internal supervisory bodies (supervisory board and audit committee) must also give adequate attention to fraud. It is important that members of the supervisory bodies have sufficient knowledge and skills regarding fraud (risks) to be able to perform their role as internal monitors from the tone-at-the-top and when addressing the board of directors and the external auditor. From the perspective of the end-user, it is also important to report clearly and transparently on the management of fraud (risks) in the management report. An internal control statement, whereby the company management reports on the quality of internal control, would be instrumental here. All of this does not absolve audit firms of their legal and societal responsibility to detect and follow up on fraud risks in the statutory audit.
9. It is difficult to obtain an objective (or quantitative) picture of how well or poorly the accounting sector as a whole currently fulfills this responsibility to detect and follow up on fraud risks in the statutory audit. In other words: the extent of the problem, or the progress in reducing it by the sector, seems difficult to determine exactly.
Neither the accounting sector nor the AFM has conducted structured research on this over a longer period to date. Based on discussions with a large number of stakeholders in the chain and an analysis of recent academic literature, the AFM has nevertheless formed an initial, generic picture. This generic picture does not, of course, do justice to the progress made and experienced by individual audit firms in fulfilling their responsibilities regarding the detection and follow-up of fraud (risks) in audited companies. Furthermore, the AFM currently has limited visibility into the degree of development regarding fraud risk detection of regular license holders who have been fully under AFM supervision as of January 1, 2022. However, a recent thematic investigation by the AFM into the management of corruption risks shows that there is still room for improvement.
10. On the one hand, judging by the initiatives being taken, the sector itself seems aware of its responsibility regarding fraud, and its audit firms are actively working to fulfill this responsibility. The auditor can also never provide 100% assurance. Despite the auditor's efforts, there remains an unavoidable risk of fraud. After all, fraud is caused by conscious behavior and collusion, which are inherently difficult to detect. Confidentiality rules also hinder the auditor to some extent in actively reporting and publicly disclosing fraud (risks) in audited companies. As the Kwartiermakers Toekomst Accountancysector (Pioneers for the Future of the Accounting Sector) rightly state in their latest progress report, this tension between confidentiality on the one hand and transparency and relevance on the other requires an open discussion that must be held in the period ahead.
11. On the other hand, various arguments emerge suggesting that the auditor is not yet sufficiently fulfilling his or her responsibility regarding the detection and follow-up of fraud (risks).
Fraud detection must be an integrated part of the statutory audit, in accordance with legal requirements: in client acceptance, risk assessment, planning and execution of procedures, and in reporting and the audit opinion. Practically every interviewee, including some sector representatives, states that there is still a performance gap and that the prevailing legislation and regulations are too often insufficiently applied. Detecting and following up on fraud (risks) does not yet seem to be a top priority for all audit firms. Recent academic literature also points in this direction. There seems to be consensus among the interviewees that the problem manifests primarily in the insufficient signaling function of the external auditor and not so much in the follow-up of identified fraud signals. Furthermore, a trend is visible where (especially larger) audit firms apply increasingly sharp risk selection at the gate. This increases the chance, at the system level, that fraud risks are not signaled, as high-risk audits end up with audit firms with less fraud expertise and capacity. These concerns, finally, cannot be separated from the numerous inquiry commissions in the Netherlands and abroad that have investigated the role of the accounting sector regarding fraud in recent decades.[3]
Underlying Causes
12. Inadequate detection and follow-up of material fraud (risks) in the statutory audit can have significant impact on the respective audit firm and/or the individual external auditor. Think of financial repercussions (fines, damages), but also administrative (enforcement by supervisors) and sometimes even criminal consequences. Against the background of the concerns outlined above, the question arises why these incentives apparently do not always work adequately. What are the underlying causes, and what problems does the external auditor encounter in practice?
13. Based on the analysis performed, three possible root causes emerge: i) knowledge, skills, and expertise are not always sufficiently present; ii) the auditor's role perception, attitude, and mindset may fall short regarding the detection of fraud (risks); and iii) the internal culture of audit firms can be obstructive.
(i) Knowledge, skills, and expertise are not always sufficiently present. Specific bottlenecks here relate to: insufficient fraud risk analyses, where fraud risks are insufficiently recognized and fraud signals are insufficiently picked up; sometimes insufficient in-depth knowledge of the client, business model, sector, and the environment in which it operates; insufficient knowledge of laws and regulations and auditing standards; too little attention to behavioral and cultural signals within audited companies; lack of experience with fraud cases; sometimes insufficiently diverse expertise in audit teams; and finally, the inherent complexity of adequately detecting and following up on fraud risks via group audits of internationally operating companies.
(ii) Role perception, attitude, and mindset may fall short regarding the detection of fraud (risks). The auditor's starting point is often trust in the company rather than healthy skepticism. The auditor naturally wants to confirm (assumes the best) and may be insufficiently equipped to assume the worst (fraud). Underlying this can be the conviction that the client does not commit fraud and acts with integrity. Here arises the risk that confirmation bias manifests: the auditor unconsciously searches for confirmation of what he or she expects. The targeted search for and follow-up of fraud (risks) requires, however, a fundamentally different attitude and mindset from the auditor than the continuous improvement of the average quality of statutory audits (that is: the regular detection and correction of shortcomings in reporting). Possibly, a certain form of overconfidence also plays a role here ('I know my client, I will certainly see fraud'). Another factor is that a longer-lasting relationship with the same client carries risks of operating on autopilot and that the personal relationship makes it inherently more difficult to raise fraud signals.
(iii) The internal culture of audit firms can be obstructive. Specific bottlenecks here relate to: negative internal incentives (time pressure and limited capacity, being blamed for not signaling fraud earlier); possibly an inherent tendency within audit firms to 'minimize' missed frauds, due to, for example, the impact on reputation and financial consequences – here the behavior of the company (preferring not to 'air dirty laundry') may possibly reinforce the behavior of the audit firm; insufficient space or a safe environment to raise fraud risks within audit firms as a member of an audit team; compliance pressure, whereby a focus on good file formation and a fear of making mistakes can prevent a professionally critical and independent view of fraud, and real fraud risks may possibly be overlooked.
What can auditors (firms) do?
14. What can the accounting sector do to further contribute to effective detection and follow-up of fraud in the statutory audit in accordance with legal requirements and societal expectations?
15. First and foremost, the current laws and regulations provide an adequate basis for the auditor to fulfill his or her role as a gatekeeper regarding a broad understanding of fraud, and it is up to the accounting sector to comply with this in letter and spirit. It is not primarily the AFM's task to define exactly how the accounting sector should deal with the theme of fraud. The International Auditing and Assurance Standards Board (IAASB) has also placed the topic of fraud on the agenda for 2022-2023 with the goal of establishing an updated auditing standard in 2024.
16. The AFM can largely agree with the change initiatives underway, partly instigated by the NBA, such as more transparency, more attention for fraud detection in training and continuing education, and the targeted use of forensic expertise. More transparency in the audit report on which audit procedures the external auditor has performed to detect fraud is an important step. At the same time, the AFM sees important advantages from the perspective of the end-user if the auditor also begins to report on the results of these procedures in the audit report. Furthermore, the AFM sees opportunities in the broader application in the sector of the systematic integrity risk analysis (such as the SIRA). Also, the mandatory use of forensic expertise at various stages of the audit and ensuring technical support through consultation and the establishment of fraud panels can contribute to the timely detection and adequate follow-up of fraud (risks). This also applies to thematic internal investigations, a focus on the theme of fraud from the engagement-specific quality assessment, and file coaching for high-risk clients.
Areas for improvement regarding the development of the professionally critical attitude could include creating more constructive challenge and checks & balances in the statutory audit in case of fraud signals; giving more attention to contra-indications and opposing audit information (which addresses confirmation bias by placing less focus solely on audit information aimed at confirming that figures and/or assertions are correct); specifying risks (especially regarding management override of controls: where can management commit fraud?); and further focusing on quality control reviews within firms.
What will the AFM do?
17. Overall, the AFM will make the fraud issue an important theme in the supervision of audit firms. The AFM stands for fair and transparent financial markets. Fraud is by definition neither fair nor transparent. There is concealment involved, and it creates information asymmetry between companies and the end-users of reporting. Fraud is an important societal problem that is expected to manifest in more areas. It has a potentially large impact on the end-user and can lead to instability and a loss of public trust in the integrity of the financial system. This can also put the justified trust of society in the auditor under pressure. Underlying this is also the conviction that deliberate deception and fraud are a more serious problem than unconscious errors in reporting. Fraud can indeed be a manifestation of a larger integrity problem in the culture of a company. Although an objective picture is lacking, the sector as a whole also appears insufficiently advanced in adequately detecting and following up on fraud (risks), despite years of attention to fraud. All of this justifies more supervisory attention and intensity for this issue.
18. This means that the AFM will carry out a range of supervisory activities in the coming years. In line with the AFM's supervisory approach to the accounting sector, the supervisory activities regarding the fraud issue will address the three levels of quality: the quality-oriented culture, the system of quality management within audit firms, and the quality of the statutory audit. The supervisory activities will thus address the related underlying causes of the fraud problem. Through a combination of exploratory or testing investigations, a better picture can be obtained, for example of the role perception, attitude, and mindset of the external auditor in detecting fraud risks, or the degree of constructive challenge within the audit team.
Another relevant research topic concerns the extent to which the elements in the quality management system – such as technical consultations at the internal fraud panels – ensure effective follow-up of fraud risks. It also seems desirable to gain sharper insight into the quality level and effectiveness of the fraud risk analysis and the execution of audit procedures regarding fraud risks.
[1] In line with EU Regulation 537-2014, Article 7: (...) a statutory auditor who or an audit firm that performs the statutory audit of the financial statements of an entity of public interest, suspects or has reasonable grounds to suspect that irregularities, including fraud relating to the financial statements of the audited entity, may have occurred or have occurred, he/she informs the audited entity thereof and requests it to investigate the matter and take appropriate measures to address these irregularities and prevent their recurrence.
[2] Audited company (Board of Directors, Supervisory Board/Audit Committee, Internal Audit Department), external auditor, law enforcement agencies, and AFM. See also: nba-publishes-recommendations-for-directors-and-supervisors-of-organizations-for-the-prevention-and-detection-of-fraud
[3] Among others, the US Senate (1977) and the Treadway Commission (1987) in the US, the Brydon report (2019) in the UK, and the MCA (2020) and CTA (2020) reports in the Netherlands. Also the IAASB in a recent discussion paper (2020).