7 minute read 18 Nov 2020
Preventing and detecting fraud: how to strengthen the roles of companies, auditors and regulators

By Marie-Laure Delarue

EY Global Assurance Vice Chair

Agent of change. Passionate about talent. Driver of innovation. Bilingual. Enjoys wine tasting.

A reexamination is needed of how traditional audit procedures approach the risk of fraud.

In brief
  • A new EY report outlines how to enhance the audit to help improve fraud prevention and detection.
  • A “three lines of defense” model can be used to help protect companies from material fraud.
  • Collaboration is key across the corporate governance and reporting ecosystem.

In his 2019 report on audit quality and effectiveness in the UK, Sir Donald Brydon, the former chairman of the London Stock Exchange Group, described the question of fraud as “the most complex and misunderstood in relation to the auditor’s duties.”1

The prevention and detection of fraud within a company is primarily the responsibility of management, under the oversight of those charged with governance. Auditors, along with other members of the corporate governance and reporting ecosystem, also have an important role.

Currently, auditors are responsible for providing reasonable assurance to shareholders that the financial statements are free from material misstatement, whether caused by fraud or error. Public opinion in many places, however, indicates that auditors are expected to play a role that extends beyond providing this reasonable assurance.2

While there have been some major corporate failures as a result of fraud over the past few decades, the figures are very small relative to the overall number of listed companies. These failures nevertheless reinforce the need to do more to discourage and prevent fraud and, where it cannot be prevented, to detect it as soon as possible. 

As part of ongoing improvement efforts, the EY organization recognizes that it needs to evolve how audits are performed to better address fraud and is committed to leading the profession more widely to address stakeholder questions about the auditor’s role in fraud detection.

A new EY report, Preventing and detecting fraud: strengthening the roles of companies, auditors and regulators (pdf), outlines how to enhance the audit to help improve fraud detection. It describes the actions already taken by the EY organization to refocus and enhance the audit, including the incorporation of increased forensic techniques, and discusses the three lines of defense that could better help to prevent or detect fraud. 

How EY teams are evolving the audit to detect fraud

Drawing on both a skilled talent pool and state-of-the-art technologies, the EY organization is developing the auditing process to go beyond standard practice. Some specific developments are identified below, with more detail available in Preventing and detecting fraud: strengthening the roles of companies, auditors and regulators (pdf).

  • Mandating the use of data analytics for fraud testing in audits for all listed entities globally 
  • Using additional internal and external data and information to enable more nimble responses to external risk indicators, such as short sellers and whistleblowers 
  • Using electronic confirmations for audit evidence wherever possible
  • Developing a proprietary fraud risk assessment framework for use with audit committees and those charged with governance
  • Mandating annual fraud training for all audit professionals that incorporates the experiences of EY forensics professionals
  • Requiring the use of forensic specialists in the audit on a targeted-risk basis

Auditors cannot succeed on their own, so the EY organization is setting out a call to action to the corporate governance and reporting ecosystem, including management, boards, audit committees, standard-setters and regulators, to work with auditors on these issues.

Fraud and forensics

Companies have never been as data-rich as they are today, providing new opportunities to detect material frauds through data mining, analysis and interpretation. Auditors are ideally placed to carry out this role and are increasingly using data analytics to identify unusual transactions and patterns of transactions that might indicate a material fraud. 

The use of forensic specialists in the audits of public interest entities (PIEs) may become mandatory in future. In the UK, Brydon’s review suggested that forensic skills and fraud awareness should be part of the formal qualifications and continuing professional development for all auditors. The EY organization supports that recommendation.

Technology is not a panacea, however, and the human element also comes into play. There is an opportunity for all involved – including management and boards, auditors and regulators – to focus more on corporate culture and behaviors to support fraud detection.  

Auditors’ professional skepticism and moral courage can be boosted through education and training in topics such as behavioral science, including the concepts of conscious and unconscious bias. These opportunities could have profound implications for auditor education and qualifications, as well as standards and audit regulation in the future. 

Collaborative change

When a fraud extends to a broad network across management and third parties, it can take more than a normal audit to find the evidence. So, what can be done to detect fraud as early as possible or even prevent it?

This issue goes far beyond the auditing profession. Large-scale fraud is mostly well thought through and difficult to detect. Auditing is an important check, but it is not the only one. In this context, adopting a “three lines of defense” approach against fraud is useful, comprising: corporate governance; the auditor; and capital markets supervision.

The three lines of defense are ripe for exploration to drive better prevention or detection of fraud.  In some cases, the suggestions below draw on best practices or requirements from different countries across the globe, but the public interest would be better served if they were applied more generally.

1. Corporate governance

  • PIEs should have a system of strong internal controls over financial reporting that includes fraud risk specifically. This system would set out clear roles for management, board, audit committee and internal audit.
  • Management and director certifications on the content of financial statements as well as the internal controls should be explored for PIEs. There should be meaningful consequences for inappropriate certifications. 
  • Companies could do more to measure and oversee culture and incentives.  
  • All actors in the corporate governance chain and reporting ecosystem, including auditors, should have strong whistleblower programs in place that both encourage and protect those who report issues.

2. The auditor

  • Auditing standards should be reviewed to provide auditors with a stronger framework to detect fraud. Such a review should examine materiality, level of skepticism, use of forensic specialists, internal controls, access to and use of assessments of culture and incentives, discussions with audit committees and public reporting.
  • External auditors could be required to assess and report on a PIE’s internal controls and risk management processes (including how the company monitors and tests compliance) to boards, regulators and the public.  

3. Capital markets supervision

  • Minimum corporate governance and reporting standards (including the proposals above) should be a precondition for a listing on a major stock market index.
  • In many places, auditors already have red-flag obligations to escalate, or determine whether to escalate, any concerns they have over potential breaches of laws and regulations that may impact the financial statements, to an appropriate authority. Where these obligations exist, they must be clearly enshrined in law or regulation.

The evolving external environment, increasingly complex business models and the sophistication of fraudsters require a reexamination of how traditional audit procedures approach the risk of fraud.

Maturity of local or regional corporate governance and regulatory systems needs to be considered when deciding how to progress the areas mentioned above. A full cost-benefit analysis would also need to be undertaken.

There are clear actions that auditors are already taking to evolve the audit to detect fraud. However, to truly tackle the issue of corporate fraud, actors throughout the three lines of defense must work together. Collaboration is key to improving the prevention and detection of fraud, and ultimately protecting the victims of fraudsters.

Summary

There have been some high-profile corporate failures in recent years as a result of fraud. They reinforce the need for auditors and the broader corporate governance and reporting ecosystem to do more to discourage, detect and prevent fraud. In a new report, the EY organization is setting out a call to action based on three lines of defense: corporate governance; the auditor; and capital markets supervision.
