Public Accounts Committee on Sept. 21st, 2010

I would start by saying that the risk is not only the risk of fraud; it's also the risk of error, and it's really an assessment of how good are the management controls in place to ensure that the financial reporting is as accurate as possible.

So we would look in certain systems and basically ask what could go wrong--either deliberate or accidental--and then at what controls are in place either to prevent it or to detect if something has happened. Then we would test those controls to see if they are actually functioning as planned.

The question of fraud has actually evolved quite a bit over the last five years or so. In the auditing profession we used to have an assumption that management was acting in good faith. You went into an audit with that almost as accepted practice. Since some of the very large scandals in the U.S., and I would say since Enron, basically, that assumption has gone.

So auditors now have a responsibility to not give any bias, if you will, one way or another as to how management will act, and we have to probe senior management about fraud. We have to ask audit committees and boards of directors about fraud. Are they looking at the procedures that are in place? Have there been cases uncovered? What have they done in these cases?

It is a much more extensive audit and investigation than used to be done in the past, though I think every auditor will tell you that an audit will not necessarily uncover fraud, and that is not the main purpose of an audit. But we certainly have to do much more work under standards now than we ever had to in the past. This has been a change that I think has come in largely because of large corporate scandals and events in the U.S. in particular.

It's important to note that we do not presume that fraud has occurred; it's just that it's one of the risks that we now have to investigate and question. It's a lot through discussion with senior management and to see what kinds of monitoring controls and other controls they have in place. Are they sensitive to the possibility and the risk of fraud in their own organization?

As well, I think our auditors have to be a little more sensitive to some of the signs that could exist--

Oh, oh!

I would just say a couple of things in this area. Auditors have always been expected to have what we call “professional scepticism”. That is, we do look for evidence and support for positions taken or for a set of financial statements to make sure that the figures do have integrity.

The second thing, as Sheila has mentioned, is that particularly with the adoption of the risk-based approach to auditing, where the auditor is forever assessing the risk of material misstatement in a set of financial statements, clearly, fraud and error need to be factored into that consideration. The auditor quite appropriately needs to assess the risk of fraud and error.

If you look at the auditing standard on the auditor's consideration of fraud in a set of financial statements, it actually says that even if the auditor believes that the integrity of the entity you're auditing is of high standing, you should put that view aside in your consideration of the risk of fraud and consider: if this board was up to no good--if I can use that expression--how might they perpetrate fraud in terms of the financial reporting of the state of affairs of that entity?

There's no question that since Enron and other collapses the audit profession has been on notice about seriously considering the risk of fraud. Hence, now in the standards there are firm requirements for discussions amongst the audit team about assessing the risk of fraud and for the discussions that Sheila mentioned, the discussions with the entity management.

It is not to suggest that the organizations are criminals, but it is to try to suggest that the auditor has this obligation to test the risk of fraud and to put in place procedures designed to make sure, when they provide the opinion on the financial statements, that there is only a very slight chance of that opinion being incorrect.

So it is a global move. This risk standard that Canada applies is the same as the international standard, but it's a more recent development.

Not formally on a project. We are, of course, colleagues in international fora, but no, we have not worked together. Some of his staff have worked with us. On the GAO peer review, for example, we worked together, but beyond that, no.

As the committee may be aware, we do our own internal practice reviews each year. We do a very large number, probably somewhere between 15 and 20 audits that we review ourselves. The recommendations that came out of the peer review were not a surprise. The issues that were raised were very similar to the same issues we had found in our most recent practice reviews, so we knew we had work to do in this area.

I think I had mentioned to the committee that I was hoping there wouldn't be any other surprises, and there weren't. We were quite aware that we had to do work in these areas.

There were several areas. I think our practice review results came out in about February or March, so spring, just slightly before. We were aware of the results of some of those practice reviews. We knew we had issues, and some had even been raised in the year before. An issue like documentation, unfortunately, is a common theme that comes up in most practice reviews and peer reviews, so we had started to encourage the teams to better document.

We have made changes to some of our tools where we saw that there were misunderstandings or we could guide people more in how they should be documenting. So there were a number of actions, and that's why you'll see in the update that many of the actions are actually complete, because we had started in the springtime. The peer reviews confirmed to us the necessity to go ahead and put these actions into place.

Of course, the largest project is this whole methodology project, which will come over two years.

Thank you very much.

I'll just make some opening comments and allow my colleagues to assist on the detail. Certainly, just to reinforce, the suggestions were areas where we felt that at the margin improvements could be made. It drew together the experience of the international team. As I say, it reflects our normal--certainly in Australia--approach to reporting to leave the recommendations to the most significant matters and the suggestions to the report itself.

I'll ask my colleague Brandon just to cover off quickly the various areas we thought could be improved.

Thanks very much. It's nice to be here today.

The first one I'll talk about is reporting to management. One of the suggestions we have here is that the OAG could consider ranking the findings it gets from its annual audit work into a risk tier, where things are rated into high, medium, and low risk. In that way it could help consistency of judgments and also inform the people who get the report as to what requires the most attention from them in responding to those issues.

That is put as a suggestion because there's an upside and there's a downside with that. It provides, as I said, an opportunity for consistency of judgment and clarity in reporting, but it also causes in some cases a distraction in terms of reporting processes with the entity that's being audited.

If I could add to Brandon's comments, when that system first came in in our office I was skeptical, as a good auditor, about whether it would be beneficial or not, but I decided to continue the approach. Actually, the effectiveness of it has been remarkable. A lot of the agency heads, with whom I deal on a day-to-day basis, are very alert to our categorization system. We use A, B, and C for our system: A is for the very significant matters that need attention quickly; B is for moderate matters but still important enough for the CEO's attention; and C is for minor and procedural matters. Agency heads in this town do not like the thought of their agency being reported on whether they have these high-level A or B findings, so they are very focused on eliminating them. They see it as a bit of a matter amongst their peers that they should be seen to be running a high-integrity, well-controlled organization, and their shorthand assessment of that is the number of As and Bs the audit office provides in its ranking. It has actually had a much more powerful effect here in Australia than I envisaged in the first place.

We use it, we find it effective, and that's the reason we have just raised it for the OAG to consider.