Modern Audits: Getting the job done, and doing it right

By Harsh Jogani, Head of Sales, Confirmation India

In the wake of recent billion-dollar financial frauds such as Wirecard, Luckin Coffee, Cox & Kings, IL&FS, and DHFL, we have witnessed the audit profession's image tarnished and stakeholder trust in auditors eroding. To change this perception, it's time we focus on the quality of audits. Challenging the status quo is a must to overcome century-old, accepted shortcomings in legacy practices.

So how can we improve the quality of work and set the right culture within the organisation? We'll explore that here.

Historically, black-swan events have not only changed the trajectory of governments, economies, and businesses but also altered the very course of history. Early signs of a shift in consumer behaviour and business models are already visible with the recent lockdown of economies globally. As we enter uncharted territory with the second and third wave of the COVID-19 pandemic, and its catastrophic effects on many social, economic, health and political fronts, it has been an eye-opener into how we 'work'.

During this time many of us have had the opportunity to take a step back to "rethink and reconsider" our work and daily routine. Where possible, remote working has become a norm across many small and big businesses. Teams are using digital video platforms to stay connected. In some respects, we are more connected today than we were pre-pandemic.

While these changes may be direct, short-term responses to the crises, how we return to normalcy once we manage to live with or move forward with COVID-19 is a grey area for most of us. What we do know is that many of the work and lifestyle changes will continue to be present and create long-term improvements or disruptions that will shape our ways of working and living for years to come.

So how have auditors around the world approached 'remote auditing'? Previously it was unheard of for an auditor to work remotely due to several factors, security of data being a major concern. However, like many industries, auditing companies around the world have had to adapt to the new ways of working and pivot their workforce to work from home, keeping an openness to evaluating uncharted ideas.

As the audit profession moves to “Remote Auditing” and rewires its old ways of working, this is the opportunity to challenge the status quo and remove age-old impediments or industry-accepted shortcomings by asking two fundamental questions for every audit process followed:

1) Did you get the job done? & 2) Did you do it right?

To understand how we can implement this approach, these two aspects have been plotted (Get the job done and do it right) on a business matrix and explained the approach to analyse one of the most critical audit processes: External Confirmations*.

Let’s look at the four quadrants and evaluate each external confirmation scenario and their possible outcomes.

1) Devil’s Quadrant (Not getting the job done, Not doing it right) 

This position of the devil's quadrant is one where an auditor should never be. An audit firm that skips the external confirmation process and opts for alternative procedures is exposed to high fraud risk. As audit evidence relied upon in such procedures is from an internal source, it can be easily forged or manipulated. These firms should immediately change their approach and start emphasising receiving external confirmations independently.

2)    Good News, Bad News (Getting the job done, Not doing it right) 

If your firm’s practices are in the bottom-right corner of the matrix, you are walking on a tight rope. The good news is that you are gathering documentary evidence. But the bad news is the evidence gathered is not reliable. Such processes or practices are not sustainable in the long term and expose the firm to fraud risk.

Below are a few pertinent scenarios of how this occurs. 

  • The auditor makes the client (i.e. auditee) send confirmation requests to third parties. This results in loss of control over the contents of the package, which could lead to scenarios like confirmation letters not being sent at all, tampering with the contents inserted in the package or sending a confirmation letter with a special note for the responder directly affecting the quality of response.
  • Client prepares confirmation letters or client is marked on the confirmation emails being sent out. In these scenarios, auditors reveal their sampling list and confirmation date to the client making it easy for the client to understand the pattern the auditor is following. Therefore, it eliminates the element of surprise which is very important in audits.
  • Client sends email confirmations marking auditors “cc” on the email. This results in loss of control. For example if the client sends a confirmation to an incorrect email address, the delivery failure notification is only sent to the client, and the auditor, who is marked as “cc”, is not notified.
  • Confirmation response is received via the client. A confirmation response coming through the client could easily result in information being forged or manipulated before being handed over to the auditor (example – Satyam Confirmation Fraud).
  • Proof of origin or responder validation. An auditor could receive a confirmation from a compromised source. (Example – Olympus Confirmation Fraud and Peregrine Financial Group Confirmation Fraud)

The firm's strategy should be to implement stronger processes within the firm. They should aim to move to the top-right corner of the matrix by working on the attributes key to "Doing it right".

3)    The Last Jump (Not getting the job done, Doing it right)

Post the Satyam bank confirmation fraud, many large and mid-size audit firms took note of the lapses in the external confirmation discussed earlier and shifted their focus towards carrying out the confirmation process ‘right’. As a result, there has been a significantly reduced response rate for most of the audit firms. Typically, in the top left section of the quadrant, where an audit firm is trying to do the right things which do not give desired results over a period tends to push the firm back to the bottom right section (Getting it done, Not doing it right).

So, what is the reason for a response rate?

  • Are we designing the confirmation requests, including determining that requests are properly addressed and contain return information for responses to be sent directly to the auditor? (Para A3-A6 of SA 505: External Confirmation)
  • Are we selecting the appropriate confirming party? (Para A2 of SA 505: External Confirmation)
  • Are we sending the requests, including timely follow-up requests when applicable, to the confirming party? (Para A7 of SA505: External Confirmation)
  • Are we using appropriate tools to track and monitor the delivery of the request?
  • Are we making it convenient for the third party to respond? 

If you fall in this section of the quadrant, make sure you assess the above parameters and address areas where you need to work on. The most important thing here is to be patient and keep improvising.

4)    North Star! (Getting the job done, Doing it right)

North Star Quadrant

Obviously, every auditor should aspire to be in the upper right quadrant. The ideal position, where you get the job done and do it right. Auditors that fall in this quadrant are doing the following four things properly:

  • Sending and receiving confirmations independently, 
  • Tracking the delivery of confirmations, 
  • Performing timely follow-ups, and 
  • Validating the source of the response. 

The greatest challenge for auditors in this quadrant is it results in a heavy strain on the firm's resources. It directly results in increased demand of people-hours, low-end administrative work. All of which directly impacts efficiency and profitability due to the higher costs. 

To collectively achieve higher response rates, meet auditing standard requirements and improve efficiency and profitability, technology is key!

An electronic confirmation application, such as  Confirmation, helps accounting firms in digitising and automating the entire external confirmation process. This results in increased efficiencies, being compliant and scalable with zero client interference from preparing and sending confirmations to receiving a completed confirmation back. Not to mention, it enables firms to implement a workflow which “standardises” the audit confirmation process across their organisation. One standard process across all teams allows for consistency and helps firms stay compliant from an auditing standards perspective.

Over the last 2 years we have witnessed the enormity of the COVID-19 pandemic's impact on global economies, financial markets and businesses. This alone has put greater pressure on auditors to do their part in keeping the financial economy healthy and safe from potential fraud risk, during a vulnerable period.

Under the current circumstances, auditors must be agile and know when to recognise that conventional practices may need significant modification to address the challenges and uncertainties arising out of situations like the pandemic. Whilst it is priority to be vigilant and on guard during times like the present, it is imperative that firms always ensure there is no dilution or non-compliance with auditing standards in carrying out audits.

Every audit partner or manager when they review their teams work, they should ask two questions: Did you get your job done? Did you do it right?

*External confirmations are one of the most effective audit processes for identifying fraud risk. It is defined as the process of obtaining audit evidence through a direct response to the auditor from a third party (the confirming party).

In most instances, material financial frauds lead to inflating accounts receivables, eventually resulting in fraudulently inflating bank balances. This is a line item on the balance sheet typically least questioned or doubted by shareholders or analysts. Another material financial fraud carried out by employees is in accounts payables. Simplistically fake vendors and/or invoices are created and submitted to siphon money out of the organisation.