As we have discussed in previous blogs, the new fraud auditing standards require you to bring a “deeper understanding of potential fraud schemes into their audit planning and execution.”
This year, I have focused on the fraud risk assessment process as both a management tool and an audit tool. The common theme of my blogs is, “Do you understand fraud risk?” I have raised a number of issues that I hope were helpful within your career as an auditor, investigator, risk manager, or senior leader. In this blog, we’re diving into what having a deeper understanding looks like.
The fundamental concepts of creating a fraud risk assessment document are well known and widely published. I have no intention of reiterating the process. But, in a recent project, I was engaged to help the company respond to an internal audit recommendation. The request led me to an exploration and reconsideration of the common approach.
Where is the beef?
If that phrase doesn’t instantly resonate, take a look at this video. This was an iconic video from the 80s, and people are still asking the question today. (I hope you get my sense of humor.)
The new IIA (Institute of Internal Auditors) Global Internal Audit Standards place a significant emphasis on internal auditors actively assessing and mitigating fraud risk within an organization, requiring them to take a more proactive approach to fraud detection and incorporate a deeper understanding of potential fraud schemes into their audit planning and execution.
In the beginning of my career, someone once told me, "People commit fraud, not internal controls." So, if we are to perform a proper analysis of fraud risk, then we need first to assess people. No, I do not mean a psychological profile. To me, it means the opportunity the person has by virtue of the position in the business cycle. Or by their sophistication to conceal the fraud scheme. Or, by understanding the natural vulnerabilities that exist within their business system.
This will be the summer of challenging our profession’s guidance on fraud risk assessment. As you know, last month we raised the question of whether fraud risk assessment is simply an academic process to meet a standard.
Fraud risk assessment is alleged to be an essential part of protecting a company, but is it just an academic exercise?
Please be advised, I will not be providing a job description of a Fraud Auditor. Rather, the thought process that is necessary to find the right person, with the right skill set.
I know this is a good technical question, but I do not know if there is a good technical answer. With that said, my suggestion to the CAE’s of the world would be to look for someone with the “Passion for the subject knowledge of fraud risk.” The passion would be for both the science of fraud risk and the passion for the practical application of fraud auditing. I say this because, with any new profession, the person must have the passion to create, build, and polish the fraud audit approach. I am sure that this person will get pushback from the traditional auditor. I know I have.
Words have power, but words can also create confusion.
One of my personal complaints about the professional literature regarding terms used to describe fraud risk. We use so many terms interchangeably that I believe it creates confusion. Let’s try to cut through that confusion by implementing better definitions.
For instance, what is the difference between a fraud scheme, a fraud scenario, a fraud risk statement and a fraud risk?
And, is the phrase “fraud scheme” the correct phrase for our profession? I raise this question because the new standards use the phrase “fraud scheme”.
