The Blame Game: where were the auditors?


Companies that uncover fraud are often surprised that the incident occurred in the first place. Whether due to lax internal controls, an ineffective managerial style, or simply the code of ethics that employees adhere to (or not, in this case), when evidence of fraud is found, the entire organization is severely affected.

What is of even greater consequence to the board of directors once an act of fraud has been discovered is that, oftentimes, their external auditors were not the ones who discovered it. Sure enough, whether the fraudulent activity is the work of one “underhanded” or “over-trusted” employee, or the great masterminding of the entire operations or finance departments, the question that almost always arises when the dust has settled is: “where were the auditors and why didn’t they do their job right?” Other questions such as “how did it happen?”, “why couldn’t it be prevented or detected by the existing setup of internal controls?” and “what went wrong and were controls performed the way they were designed?” are all very legitimate and relevant questions that many people skip as they focus primarily on a target to blame.

Why does the finger always point to external auditors? Should they really be blamed if fraudulent activity is not uncovered on their watch? Can responsibility solely be placed on an external and independent body – in this case the external auditors – or should responsibility be shared with all the stakeholders, primarily those who, by intentional or unintentional negligence, have facilitated the fraudulent transactions?

Crime scene investigation: fraud

The Association of Certified Fraud Examiners 2012 Report to the Nation states that a typical organization loses 5% of its revenues to fraud annually. The report also states that Asset Misappropriation Schemes are the most prevalent type of occupational fraud, comprising 87% of the reported cases. Other recent surveys have concluded that restatements in financial statements have almost doubled in the past three years; equity, revenue recognition and misclassifications were the most conventional forms of these restatements.

Much like any other crime, motive and opportunity must be present in order for fraud to occur. First identified by sociologist Donald Cressey,* the “Fraud Triangle” adds one more factor to the above two: rationalization, to make up the three ‘points’ of the triangle. Motive in the triangle is represented by Incentive/Pressure, which often stems from a financial need or the need to achieve goals. Opportunity exists when the person committing the fraud sees an internal control weakness, perhaps coupled with overwhelming trust and negligence and, believing that detection will not occur, begins the process of fraud and gradually becomes bolder if the initial act goes undiscovered. Finally, rationalization is the process by which the person committing the fraud justifies the act to himself, allowing him to adjust the perception of what he is doing. Rationalizations may include ruminations such as “I will pay the money back” or the more severe “they don’t pay me enough for my job so I’m only taking what is rightfully mine.”

Fraud is, at times, hard to detect and the best defense against its occurrence is in the strength of a company’s internal controls. It is management’s responsibility to implement internal controls to prevent, detect and deter fraudulent financial reporting, to ensure an adequate “tone at the top” culture and a zero-tolerance policy vis-a-vis fraud. Yet even if all of the above procedures are adequately implemented, fraud can still occur as no system is foolproof and people’s behavior cannot be controlled. What is more important in this case is its frequency and the time lapse until it is detected.

Not an everyday occurrence in any organization, the uncovering of any type of fraud leads to a blame game, whereby management, auditors, regulators and fraud examiners are quick to use each other as scapegoats in order to avoid being in the line of fire themselves. But is anyone really to blame? Enter the expectation gap.

Expectation gap: who should have done what?

The auditing profession has dubbed the discrepancy between what investors expect and what auditors actually do an “expectation gap.” Many investors expect a foolproof audit, with somewhat of a guarantee as to the non-existence -- or absence -- of fraud or misstatements, irrespective of how immaterial they are, whereas audit firms have taken it upon themselves to educate the public as to their actual “role” in the financial statement audit, which does not include guaranteed fraud detection. The audit report -- the single most important deliverable the auditor offers -- further highlights auditors’ limitations in finding fraud.

Because auditors do not examine every transaction or event that occurs in a company’s fiscal year, there is no guarantee that all material misstatements, whether caused by error or fraud, will be detected. Interestingly, the very nature of external auditing precludes the notion that audits are ‘foolproof.’ Audit , along with concepts of materiality and time constraints, prevent the audit / inspection of every account and every transaction conducted by the audited firm, leading auditors to make judgments and decisions dictated by a risk assessment. Consequently, fraud might remain concealed to the external auditors even if a thorough audit is conducted.

As such, closing the expectation gap requires efforts from all involved parties. Management should be held accountable for the effectiveness and reliability of their internal controls, and shareholders need to concede the fact that it is neither the auditors’ responsibility, nor capability, to uncover all incidents of fraud.

Finally, the auditors themselves should conduct their audit whilst keeping an eye out for fraudulent activity. This entails investigating further any warning signs and red flags that may appear during the course of the audit and reporting them in a timely manner. Part of the audit scope entails assessing the control environment in place, and its effectiveness, for the purpose of designing the audit approach. Therefore, the objective is not to provide an opinion on the effectiveness of these controls or to assess individuals’ behaviors for indications of fraud. When all is said and done, audit quality should remain the practitioner’s main responsibility.

To conclude

Fraud, a significant business risk, continues to be a prominent issue requiring the attention of regulators and the accounting profession alike, due to the challenges it presents. All stakeholders in an organization share the role of uncovering any warning signs and of coming up with countermeasures in the event of its occurrence. Auditors, in their capacity as an external, independent body, should apply an attitude of professional skepticism with regard to fraud, all the while steering along their primary course of ascertaining whether the financial statements of the company are stated fairly in all material respects.

In response to the initial question posed in this article of “why does the finger almost always point to the external auditors?” the answer is not as clear-cut as it first appeared to be. The common misconception is that external auditors – who are sometimes inaccurately perceived as being some sort of account ‘detectives’ or ‘investigators’ – will likely be able to uncover any fraudulent activity that may occur. That may be true to some extent but the very nature of fraud is collusive, at times preventing even the most experienced professional from uncovering its existence in a timely manner.

That said, the blame game will always exist so long as stakeholders attempt to protect themselves from accusations. Similarly, the expectation gap will always exist for the same reason. A well-known quote that comes to mind is: “When you point your finger at someone, you simultaneously point three fingers back at yourself.” So who is to blame? Everybody and nobody.


by Badr el Hassan, Audit principal, Deloitte Middle East


* Donald R. Cressey (April 27, 1919 – July 21, 1987) was an American penologist, sociologist and criminologist who made innovative contributions to the study of organized crime, prisons, criminology and the sociology of criminal law.


Material on this website is © 2014 Deloitte Global Services Limited, or a member firm of Deloitte Touche Tohmatsu Limited, or one of their affiliates. See Legal for copyright and other legal information.
