by tdons 2099 days ago
An auditor was fooled while he was in the room watching while the CEO downloaded bank account statements (pages 10/11 of https://www.justice.gov/usao-sdny/press-release/file/1317641...):

  d. As part of its due diligence process, the Audit Firm had an employee
     (the “Auditor”) conduct a physical site visit at NS8’s offices in Las Vegas,
     Nevada. The Auditor was directed by a more senior Audit Firm employee to have
     someone from NS8 log in to the online portal for each NS8 bank account, display
     the current account balance, and download monthly bank statements for fiscal
     year 2019.

  e. Based on my interview with a member of the NS8 finance department
     (“Finance Employee-1”), I have learned, among other things, that on or about
     March 11, 2020, Finance Employee-1 and ROGAS met with the Auditor in ROGAS’s
     office. The purpose of that meeting was for ROGAS and Finance Employee-1 each
     to log into the online portals for the bank accounts to which they had access
     (for ROGAS, the Revenue Bank Account) and download monthly account statements
     for the Auditor. During that meeting, Finance Employee-1 logged into the online
     portal for the Expense Bank Account -- to which Finance Employee-1 had access
     -- and downloaded monthly account statements. Finance Employee-1 understood
     that ROGAS was doing the same for the Revenue Bank Account during the meeting.

  f. Late in the evening on or about March 11, 2020, the Auditor emailed another
     employee as follows: “Attached please find the bank statements and
     screenshots that I observed [Finance Employee-1] and Adam [ROGAS] download this
     afternoon.” Attached to that email, among other things, were the
     Fraudulent Bank Statements for the Revenue Bank Account for the period from
     January 2019 through February 2020.
3 comments

The whole concept of "have someone from NS8 log in to the online portal for each NS8 bank account, display the current account balance, and download monthly bank statements for fiscal year 2019." seems kind of weird and even ridiculous.

In the audits I've seen, the standard procedure to get the same information would require the company to authorise the auditors so that they could get a written confirmation of the funds directly from the bank or whoever holds the assets or debt. You would not trust the account statements that the company gives you; you would get the same (hopefully) account statements yourself. Accepting that watching a company employee log in to some site is equivalent to getting an official confirmation from that outside third party is ... interesting. The whole point of an audit is to verify if everything that the company shows you is actually true instead of looking at what they show you and believing it.

Thanks for the link - interesting reading. It looks like he modified the PDFs from the bank, which is pretty sneaky, since most people assume PDFs are inviolable (this topic has come up on HN before). In my experience, auto-generated PDFs from reporting systems are fairly easy to manipulate (for the record, I have only done so for automated data extraction, not to change the document!).
Sounds like they might have used the CEO's computer and perhaps he had a modified PDF report ready, downloaded the actual report but provided the altered version.

Agree with the other comments: the auditor should get the reports independently or use their own laptop to log in/get the report.