Gadzooks, man! Where was the auditor!?
But every now and again, we hear about someone who's gone to work to fleece as much out of their organisation as they can.
There was a case of suspected fraud in the news this week – a subcontracted course provider who charged their students for an 18-week course and dished out the course completion certificates after a day.
So now, my team waits for the media queries, the quoted comments from elected representatives, asking where the auditor was. Why didn't the appointed auditor identify and prevent that suspected fraud?
Because that’s not what they do.
Having the right controls in place to minimise the opportunities for fraud is, and always has been, the job of the people running the organisation.
What does the auditor do, then? They don’t specifically look for fraud, but they do generally look at the organisation’s controls. The auditor's primary focus is the information in an annual report that, by law, has to be audited. This includes the financial statements, and sometimes it’s also the service performance information.
The auditor should know the organisation well. They think about the major risks facing that business, and the wider environment in which the business operates. They think about the amount of money the business is working with, and decide on "materiality" – an amount that's big enough to matter, given the sums involved. Based on all of that, they plan how much to delve into, and where to focus.
There’s no way an auditor can ever look at everything, and that's not what's expected. The auditor's job is to provide assurance to people outside the organisation. In their professional judgement, do they think that readers can rely on the financial and service performance information that an organisation has reported?
Auditors take a sceptical and informed look at enough of the reported information – including a bit of drilling down into how reliable that information is and how effective any checks and controls are – to give the reader of the annual report a level of assurance that the information fairly reflects the organisation's finances and performance.
As they do their work and drill down into selected bits of an organisation's operations, auditors sometimes spot potential weaknesses.
In a well-run organisation, the management team and governing body pay attention to the auditor's reports and findings. If an auditor says that certain controls aren't up to scratch or operating as they should, organisations with effective management teams take steps to strengthen the controls.
It will be interesting to hear whether a management control wasn't working or wasn't followed to allow this latest case. I bet there will be a quite a few senior managers in the public sector keen to know what the enablers were, so they can check and tighten their own prevention measures. Thankfully, on the whole, our public sector is pretty good at that.