A federal court has sentenced a former Oklahoma Beef Council (OBC) accountant who was found guilty of embezzling $2.68 million from the Oklahoma Beef Council to 57 months in prison,
The Oklahoman reports. Prosecutors say Melissa Day Morton forged organization checks to steal from the nonprofit trade association from 2009 to 2016. The OBC has filed suit against a local accounting firm that had performed external audits of its finances. The organization alleges the firm's audit opinions were "incorrect and misleading" and did not comply with applicable audit standards.
The twin sides to this story illustrate that management and the auditor could have done more to prevent the theft of $2.68 million by a trusted employee.
For the OBC's management, it is telling that it now has taken steps to prevent this kind of fraud, including contracting with a third-party accounting firm, implementing a five-step financial review process, and instituting an audit/risk committee with an independent audit advisor to the committee. To that list, there are additional measures that the OBC could take, including:
- Human resource management policy and systems changes, including a clear conflict of interest code and anti-fraud policies that clearly communicate expectations of employees and consequences of noncompliance. Another change is stronger emphasis on rotation of staff members in sensitive or responsible positions. In this case, the fraudster had done the same job for at least seven years while she stole the OBC's money.
- Rigorous background/security checks, at least for those in sensitive jobs, not only before hiring but also throughout their employment. These checks should ascertain whether significant unexplained employee lifestyle changes are occurring.
- A tips/whistleblower program that encourages employees to come forward to identify suspicious and potentially fraudulent behaviors without fear of reprisal.
For the auditor, we don't have all of the facts to judge whether the OBC's accounting firm failed to perform its audit work in compliance with audit standards. Moreover, it is debatable whether the OBC demonstrated "management's responsibility to design and implement programs and controls to prevent, deter, and detect fraud," as stated in the U.S. Public Company Accounting Oversight Board's (PCAOB's) Accounting Standard (AS) 2401: Consideration of Fraud in a Financial Statement Audit.
An interesting aspect of this issue, which is increasingly becoming part of large financial fraud cases following the 2008 financial crisis, is the role of the external auditor in finding fraud. PCAOB guidance, Responsibilities and Functions of the Independent Auditor, states in paragraph 2 that: "The auditor has a responsibility to plan and perform the audit to obtain reasonable assurance about whether the financial statements are free of material misstatement, whether caused by error or fraud."
Much good advice for auditors can be found in the PCAOB's guidance. In particular, two key and balancing points from AS 2401 may be relevant for determining whether the OBC's auditor failed to perform its work within acceptable standards:
- "However, absolute assurance is not attainable and thus even a properly planned and performed audit may not detect a material misstatement resulting from fraud. A material misstatement may not be detected because of the nature of audit evidence or because the characteristics of fraud as discussed above may cause the auditor to rely unknowingly on audit evidence that appears to be valid, but is, in fact, false and fraudulent. Furthermore, audit procedures that are effective for detecting an error may be ineffective for detecting fraud." (paragraph 12)
- "Due professional care requires the auditor to exercise professional skepticism.
See AS 1015.07 through .09. Because of the characteristics of fraud, the auditor's exercise of professional skepticism is important when considering the fraud risks. Professional skepticism is an attitude that includes a questioning mind and a critical assessment of audit evidence. The auditor should conduct the engagement with a mindset that recognizes the possibility that a material misstatement due to fraud could be present, regardless of any past experience with the entity and regardless of the auditor's belief about management's honesty and integrity. Furthermore, professional skepticism requires an ongoing questioning of whether the information and evidence obtained suggests that a material misstatement due to fraud has occurred. In exercising professional skepticism in gathering and evaluating evidence, the auditor should not be satisfied with less-than-persuasive evidence because of a belief that management is honest." (paragraph 13)
This second issue is a discussion for another article. What do readers think?