The CEOs of the six international audit firms do not feel that current fraud detection efforts are adequate. They state that there is an "expectations gap" when it comes to material fraud and the ability of auditors to uncover it at reasonable cost. They believe "it is useful to consider additional ideas for enhancing fraud detection" ("Global Capital Markets and the Global Economy: A Vision from the CEOs of the International Audit Networks," November 2006, www.cybsoc.org/CEO_Vision.pdf).
The current fraud audit approach is predicated on the belief that specific identified fraud risks (red flags) help predict the overall risk of fraud. Both the 2007 U.S. auditing standard on fraud, the AICPA's SAS 113 (AU section 316, Consideration of Fraud in a Financial Statement Audit), and the international auditing standard on fraud, the International Auditing and Assurance Standards Board's ISA 240 (The Auditor's Responsibility to Consider Fraud in an Audit of Financial Statements), focus on auditors determining if red flags are present.
The basic concept is that the presence of identified fraud risks should result in stronger audit procedures than if no identified fraud risks were present. In other words, there is a diagnostic value to identifying fraud risks, because they will help determine if the overall fraud risk is different from the default belief about it.
The audit approach of looking for red flags to help determine specific engagement fraud risk is analogous to medical doctors using a diagnostic test to screen for the presence or absence of a disease. If the test result is positive, then a physician might decide to treat the patient for the disease. The key word here is "might."
In making the decision, an informed physician would consider both the true-positive rate and the true-negative rate from the diagnostic test: The true-positive rate is the frequency with which patients with the disease test positive for it. The true-negative rate is the frequency with which healthy patients test negative for the disease. These test rates might convince a physician to start treatment for a disease or they might convince a physician to order additional tests.
An examination of the diagnostic value of fraud red flags based on current audit research shows that red flags are very limited in terms of assessing overall risk of financial fraud. Auditing standards setters may want to rethink the approach taken by current fraud standards. Auditors should not unnecessarily be crying wolf.
Bias in Current Red Flag Approach
The U.S. auditing standards point out more than 40 possible financial fraud risk indicators but only three possible mitigating factors. The international auditing standards also list a similar set of 40-plus financial fraud risk factors but have no direct discussion of possible mitigating factors.
There is clearly an imbalance in the discussion of positive versus negative risk indicators. This asymmetric consideration of risk indicators introduces a bias toward identifying positive risk indicators. This could result in auditors overestimating overall fraud risk if they do not appropriately consider negative risk indicators.
T. Jeffrey Wilks and Mark F. Zimbelman comment on this as follows: "The current audit environment seems more concerned with missing an existing fraud than with the costly investigation of a nonexistent fraud" ("Decomposition of Fraud Risk Assessments and Auditors' Sensitivity to Fraud Cues," Contemporary Accounting Research, Fall 2004).
Auditors are reasonably effective in identifying fraud red flags. Research by Lynford Graham and Jean C. Bedard indicates that one red flag was found in 83% of the audits examined, and that the average for their sample was 3.5 per client ("Fraud Risk Factors and Audit Planning," International Journal of Auditing, March 2003, vol. 7, no. 1). Their results were supported by an article by Theodore J. Mock and Jerry L. …