What did the Livent fraud teach us about IT audits, frauds, and financial audits in general?
Livent was a Canadian theatre company which imploded in a massive accounting scandal in the 1990s, which we learned about in university as a case study in how not to do several things on an audit.
The people involved are heading off to prison, at the end of a lengthy and drawn-out legal proceeding, but that's okay because I only now noticed that this article in Canadian Business sheds some light on the IT side of things.
During one audit in 1996, computer experts from Deloitte & Touche –
the accounting firm that audited Livent’s financial statements – spent
at least 28 hours evaluating the company’s information systems, but
failed to detect the changes, the court heard. Any inquiries from the
auditors about changes were referred to Eckstein, Cheong said. A
Deloitte report on Livent’s computer systems, however, noted the
company’s lack of data security and warned: “The lack of sufficient
logical security may result in unauthorized access to programs or data.”
What this article doesn't explain is that 28 hours is nothing on a job that big - simply judging from the size of the loss that ensued in the scandal. The number of hours spent and the conclusion point to one fact: the Deloitte IT auditors no doubt correctly identified the IT system as an unreliable black hole which should not be trusted.
I'm reading heavily between the lines to say this, since there's no mention of whether Deloitte discussed the problems inherent in how edits to Livent's financial software were made, but these edits allowed the accounting staff to quickly override the normal "accounting controls" that are present in a standard accounting program to prevent frauds like this half-a-billion-dollar fiasco.
But if you have a company of any respectable size, 28 hours represents, at most, three full days of work.
A likely interpretation of "A life in the day of Deloitte's IT auditor at Livent" is as follows:
- 7 a.m. - Wake up
- 8 a.m. - Finish breakfast, head to Livent's offices
- 9 a.m. - Arrive at reception, announce arrival for 9 a.m. meeting, have a seat.
- 10 a.m. - Ask receptionist if client contact is in the office. Find out they're "in a meeting" but will see you shortly.
- 11 a.m. - Client contact comes out, after having been yelled at by accounting department for not introducing additional changes to hide massive fraud fast enough.
- 11:05 a.m. - Client contact meets with you in office, go over list of data requests needed to do audit.
- Noon - Lunch
- 1 p.m. - Obtain settings from the Lawson accounting software
- 1:02 p.m. - Note that critical systems are unlocked and can be manipulated at will
- 1:03 p.m. - Grit teeth.
- 1:04 p.m. - Realize the two-week-long job is going to be a lot easier, since you can go home today and announce a complete failure of IT controls.
- 1:05 p.m. - Do happy dance mentally.
- 1:10 p.m. - Start writing memo documenting findings. It's the 1990s so you may or may not have access to an internet connection, let alone a cell phone.
- 3 p.m. - Meet again with client contact, announce preliminary findings.
- 3:01 p.m. - Client says "duh, we know that."
- 3:10 p.m. - Pack up and go back to Deloitte office to meet with IT audit manager.
- 4 p.m. - IT audit manager not on site. Finish up memo, print it, and leave it on their desk to discuss tomorrow. Or e-mail it, I don't know what the state of IT was in audit firms 12 years ago, to be honest.
You'll notice that my imaginary scenario doesn't even account for a full 8 hours. Well, perhaps they spent two days at the Livent offices, or they had an assistant come with them, which would double the amount of time "spent" on the audit.
Where were the investors' angels?
Whatever the scenario, 28 hours would include time spent by the IT audit partner, as well as the aforementioned manager, reviewing the findings, preparing a report, and basically communicating to the financial auditors that whatever came out of that accounting system could not be trusted, so they had better do a good job of testing things in a higher-risk environment.
Unfortunately, the results of the ICAO disciplinary hearing against the Deloitte partners involved in this case indicate that there were problems.
Ironically, the follow-up article, which reports that the partners' appeal failed and their conviction was upheld, reveals that the problem was a failure of professional skepticism when dealing with some issues that were out in the open; they were in fact discussed among four partners.
Interestingly, for people who believe that the Big Four people always stick together in defiance of what's right no matter the circumstances, note that in this case one of the partners successfully defended himself by pointing out his disagreement with the other three:
"(Dr.) Peter Chant, a fourth Deloitte auditor, was charged with misconduct but
was found not guilty of any wrongdoing after testifying before the ICAO
panel that he had tried— but ultimately failed— to convince the firm to
resign the Livent account."
An incredibly experienced auditor - he even has a doctorate! - who serves as a good example of why it's worth standing up for yourself and what's correct. Wow.