The city of Dixon, Ill., whose former comptroller embezzled almost US $54 million, is suing its long-time accounting firm for failing to detect the fraud, claiming it missed red flags such as bogus invoices, according to the Telegraph Herald (Dubuque, Iowa). The firm audited Dixon's books and performed duties such as check processing while the firm's personnel prepared the former comptroller's tax returns. Although the firm officially resigned as Dixon's auditor in 2005 so it could keep other city business after the city received federal funds that required an independent auditor, the lawsuit claims the firm continued to conduct and get paid for the annual audit, while hiring a certified public accountant from a nearby town to sign off on the work. The CPA also is a defendant in the suit.
This case illustrates several costly missed opportunities and potential misunderstandings of audit-related roles and responsibilities of which auditors and management should take note.
Although the article does not describe what kind of audit regime and function the city of Dixon has in place, it is fundamentally important for organizations to establish an internal audit charter or equivalent framework that clearly specifies the responsibilities of management and internal audit. The IIA has long maintained guidance that clarifies the responsibilities of the auditor. For example, the Model Internal Audit Activity Charter (Word file) states: "The scope of internal auditing encompasses, but is not limited to, the examination and evaluation of the adequacy and effectiveness of the organization's governance, risk management, and internal process, as well as the quality of performance in carrying out assigned responsibilities to achieve the organization's stated goals and objectives." It also clarifies that "internal auditors will have no direct operational responsibility or authority over any of the activities audited. Accordingly, they will not implement internal controls, develop procedures, install systems, prepare records, or engage in any other activity that may impair internal auditor's judgment."
Internal audit and management must establish and agree on performance expectations during audit engagements. Again, the rigor of an internal audit regime is there to help by establishing a plan for audits, including a risk assessment that ought to include the risk of fraudulent activity, along with scoping and audit assessment criteria.
After reviewing several audits (available publicly online) conducted on behalf of the city of Dixon, it appears to me that the accounting firm's emphasis was providing assurance on the accuracy and adequacy of controls over financial reporting but less so on compliance and potential fraud. For example, one report explicitly states that the "effectiveness of management's internal controls over compliance" was not assessed. But it also seems that management did not have in place even basic controls over approvals and monitoring of significant expenditures and false invoices submitted by the former comptroller.
Another troubling issue is the kind and scope of audit work performed by the accounting firm, particularly after 2005, when it resigned as Dixon's official auditor. Several of the public reports I reviewed, including the firm's methodologies and disclaimers, suggest the work completed was focused on the city's financial statements and did not include the kind of detailed testing required to detect fraudulent activity. A useful distinction here might be made between an "audit" and a "review" level of assurance regarding the criteria assessed; the latter term is used in some international jurisdictions, including Canada, to indicate that the work completed was based on limited testing of evidence related to the audit criteria set.