While meeting with a London-based verification client, the subjects of fraud as it relates to GIPS(R) (Global Investment Performance Standards) and Bernie Madoff came up. They are related, in a way.
How did Bernie get away with it? To put it simply he (a) had a very solid reputation on Wall Street and was highly respected, thus any suggestion that he, of all people, would do anything improper seemed ludicrous and (b) he had a "closed system," meaning he did everything for his clients (brokerage, trading, portfolio management, custody); thus, there were no "checks and balances" on what he was reporting.
Over the past five years or so, we've learned of a few asset managers who claimed compliance with GIPS and had been verified, but who also committed fraud. "GIPS verification is not designed to detect fraud." But is that all that we can say? I think not.
If a verifier fails to detect fraud, is that acceptable, given that verification isn't designed for that purpose? I guess it depends on what was going on which perhaps they might have been expected to notice.
At one point in the movie "The Jerk," Steve Martin (Navin) plays a gas station attendant. If you saw the movie, you'll recall that he quickly established that he's not terribly bright. A customer comes in who, as I recall, is Hispanic; he gives Navin a credit card which was obviously stolen (since it had what appeared to be Jewish woman's name). Well, even Navin managed to realize that a crime was occurring.
The television show "Hogan's Heroes" often had Sgt Schultz proclaiming "I see nothing," when the prisoners were behaving in a manner that was beyond what would have normally been allowed.
I wouldn't favor verification being extended to the point where verifiers are expected to detect fraud. However, I think verifiers need to be "on guard" to the possibility that fraud might be committed.
Not all improper behavior is as obvious as Schultz and Navin were confronted with. "Would a reasonable person (or, perhaps more accurately, a reasonably qualified verifier) be expected to discover a problem in the course of their work?" That is what needs to be assessed, in the event fraud is later detected and reported.