Fraud Auditing, Detection, and Prevention Blog

A New Model for Assessing Fraud Risk Management

Dec 19, 2024 9:06:14 PM / by Leonard W. Vona

Let me introduce a new model for assessing fraud risk mitigation. Before you read my blog, remember that sarcasm is good if it makes you think. Remember our theme: look behind the curtain. The curtain is the current professional audit standards.

First, let’s discuss the historical approach to assessing fraud risk mitigation. I think a picture can be worth a million words:

Now for the million words:

Evaluate susceptibility of a company or process to fraudulent activity, considering only the inherent characteristics of the business and its operations, without considering any internal controls that might be in place to mitigate that risk; essentially, it's the potential for fraud to occur naturally within a system due to its design or inherent vulnerabilities.

Let me tell you what I like about the old approach: The word vulnerabilities. I prefer natural vulnerabilities, but I will take what I can get.

Let me tell you what I do not like about the old approach. “Without considering any internal controls”. This is simply dumb. If internal controls are the fence that protects the assets, then logically if there is no fence, the assets will go missing. The process almost forces the auditor to rank the likelihood as high.

If you remember the audit standards from the old, old days (the 90s), auditors would rank the likelihood of error as high, ignore internal controls, and increase substantive testing. At some point, the process evolved and now auditors are required to evaluate internal controls. But do they?

The current audit standards force auditors to consider and test the effectiveness of internal controls. However, if the controls appear to be operating, we could arrive at a low residual fraud risk. Also, I think, there is an inherent pressure to find a way to suggest that the likelihood of fraud occurring is low. After all, high likelihood is bad, and low is good. Right? Another story for another day.

If the residual risk of fraud is high, then do we need additional controls? Or should the auditor perform audit tests designed to detect fraud? The confusion just goes on!

Now let me tell you what is really bad about the old process. It focuses on documentation rather than understanding fraud risk. It focuses on compliance with a standard rather than understanding fraud risk. Should I go on ranting? So, what is the solution?

The solution: the new way to assess fraud mitigation

Let's start with the phrase “inherent characteristics of the business and its operations”. If you understand this phrase and understand the business, then you can tell me which statements of fraud risk are relevant and which are not. For example, there may be 20 different variations of a ghost employee, but many of them just would not be relevant to your business. So, let's evaluate the relevant permutations rather than all the permutations.

In this process, we assess the likelihood of fraud occurring based on the adequacy of the design of the internal control. Then we assess the effectiveness of the internal control by determining if the control is operating as designed by management. It is a two-step process, but to be honest, it is as old as the hills. If you know Joel Cramer, you can thank him for those two questions.

Now that we understand what isn’t effective, let me introduce my model for understanding and assessing the adequacy and the effectiveness of the internal controls.

If you have read my prior blogs, you know that there is a difference between a statement of fraud risk and a fraud scenario. To properly assess the likelihood, you start with the statement of fraud risk.

  1. Through brainstorming, determine how and where the statement of fraud risk could occur in your business environment. If this were an IT security review, you might call this an IT penetration review: “a simulated cyber-attack against your computer system to check for exploitable vulnerabilities”.
  2. Understand how someone could perpetrate the statement of fraud risk in your business environment. I describe this as the “how and where” stage. A more eloquent way of stating this step is to understand the natural vulnerabilities that exist in your business environment.
  3. Understand the concealment strategies used by perpetrators. Let me say it a different way: how to create the illusion that a transaction complies with your internal controls. Remember, a key strategy in mitigating a fraud risk is to ensure your internal controls are superior to the fraud concealment strategies.
  4. Acquire the necessary business knowledge. In my last blog, we discussed the importance of business knowledge. I said, and I will repeat myself, the absence of business knowledge in the fraud risk assessment process makes your assessment an academic exercise to create the illusion that your audit complied with a standard. Harsh, right?
  5. Consider how a statement of fraud risk could occur in your company and go undetected.
  6. Rank the likelihood of the statement of fraud risk occurring in your business environment based on the internal controls, the fraud concealment strategies and your business knowledge.

If you follow this process, at a minimum, you will enhance your understanding of how fraud risk can occur in your company. As an auditor, you will be better prepared to respond to the risk of fraud in your audits.

Rudolph the Red-Nosed Reindeer Trivia

This year is the 60th anniversary of the show, which aired on NBC.

  1. When Rudolph's nose gets brighter, why is this a fraud indicator?
  2. Who created the story of Rudolph?
  3. In what year was it created?
  4. What department store was responsible for creating the story?
  5. Why was the story created?
  6. What was the budget for creating the Rudolph movie?


Answers to last month's trivia

  1. Which decade did fraud risk assessment start to become a concept? 1980’s
  2. What caused the responsibility of fraud prevention and detection to shift from auditors to management? My answer: it depends on whom you ask. I say this because in the 80’s auditing standards stated management was responsible. But juries kept blaming the auditors.
  3. “Codifying corporate governance best practices” started in which country? U.K.
  4. The “comply or explain” principle originated in which corporate governance document? U.K.


The "comply or explain" principle is a regulatory approach where companies are expected to either adhere to a set of guidelines or, if they choose not to comply, publicly explain why they deviated from the standard, essentially allowing the market to judge their reasons for non-compliance rather than facing direct legal penalties for not following the rules; this approach is often used in corporate governance practices, giving companies some flexibility while still holding them accountable for their decisions. I like this approach!

  5. Which came first, the chicken or the egg? Or in this case, which was first: fraud risk or fraud risk management?


Well, fraud risk has been with us since the start of the world. In recent years, COSO issued its first Fraud Risk Management Guide in 2016, which was later updated to include more focus areas and republished in 2023.

  6. For my academics: is fraud risk ontologically different from the event of fraud? True.


Fraud risk refers to the potential for a fraudulent act to occur, which is a possibility, while the event of fraud is the actual act of deception taking place, making it a concrete reality; essentially, one is a potential threat, and the other is a realized occurrence.

Topics: Fraud Risk Identification, Fraud Auditing

Written by Leonard W. Vona

Leonard W. Vona has more than 40 years of diversified fraud auditing and forensic accounting experience. His firm, Fraud Auditing, Inc., advises clients in areas of fraud risk assessment, fraud data analytics, fraud auditing, fraud prevention and litigation support.