The Patrolman and the Detective

WolvesA distraught CEO said to me not long ago, referring to his CFO,  “How could she have been stealing money like this for so long and we not know about it?  We have an audit each year?”  A very good question in the circumstances and one that is, unfortunately, very typically asked after a fraud has occurred.  The overwhelming majority of corporate managements do the right thing when it comes to everyday financial management and reporting; still there are some that do not.  Complicating matters, as illustrated by the case of my client CEO, is the fact, according to the SEC, that the majority of large and complex frauds are perpetrated by top management, the very people charged with responsibility for the efficiency and effectiveness of the company’s financial operations. An SEC report, recently in the financial news, confirms this observation.  A review of the commission’s enforcement actions during the period 2009 through 2012 found that 157 of the 227 enforcement matters involved charges against at least one senior manager.  In these cases, charges were brought against 75 board chair persons, 111 chief executive officers, 111 presidents, 105 chief financial officers, 21 chief operating officers, 16 chief accounting officers and 27 vice presidents of finance.

To answer my CEO’s question, first consider the difference between the auditor and the forensic accounting investigator (or dialectical auditor); the financial auditor performing his or her annual financial statement audit is concerned that the company’s financial statements are fairly stated in all material respects.  Accordingly, our auditor’s responsibility is to design and implement audit procedures of sufficient scope and depth to detect material deficiencies in the statements, essentially, without regard to the source or origin of the deficiency.  Financial auditors are charged with (1) making appropriate, reasonable efforts to detect material misstatements in financial statements and (2) causing management to correct material misstatements or misrepresentations before the statements are shared with the company’s investor and user communities.  The forensic accounting investigator or dialectical auditor, on the other hand,  has a largely separate set of concerns based on a different role that calls for different tools, different thought processes and different attitudes. The forensic accounting investigator’s concern is not with reaching a general opinion on the reliability of financial statements taken as a whole but is at a much more granular, scientific level, with a detailed development of hypotheses based on factual information, derived from both documentary and testimonial evidence, about the who, what, where, when, how and why of a suspected or known impropriety.

Although neither the financial auditor or the forensic accounting investigator is a law enforcement officer, think of them, for purposes of answering our CEO’s question,  as the patrolman (the financial auditor) and the detective (the forensic accountant). A patrolman, working a particular shift, circulates through the community inspecting its visible elements for signs of improper behavior.  So to with the financial auditor, who selects a sample of transactions to support her opinion on the financial statements and, based on those results, decides whether or not to examine more.  The detective (the forensic accountant) doesn’t patrol; s/he is called in once a crime is suspected or observed.  These related  but differing activities, routine patrolling (the annual financial audit) and the detective’s criminal investigation, can be balanced with relative ease.  If greater deterrence is needed, the use of more patrol officers covering more territory more often is the solution.  Similarly, if there are many crimes or if there is a highly complex, long on-going situation to investigate (as with my CEO) then assigning more detectives, or in the financial context, more forensic accounting investigators, is the solution.

Our CEO has to be made to see that the annual financial audit alone cannot realistically prevent financial frauds or prevent employees (especially trusted, higher level employees) from looting corporate assets.  Financial auditing alone, especially under the heightened awareness created by  SAS 99, may deter some frauds and detect others, but it’s unlikely that auditors using the traditional audit concepts of selective testing to obtain reasonable, not absolute, assurance that financial statements are fairly presented, will always identify material misstatements caused by fraud.  We can only call the detective when we know the crime has been committed.

Comments are closed.