Fraud Auditing, Detection, and Prevention Blog

Applying Knowledge to a Fraud Audit

Mar 17, 2022 6:03:55 PM / by Leonard W. Vona

Last month’s trivia questions and answers

Besides the fraud triangle, what other shapes are used to describe the theory of why people commit fraud.

 The fraud diamond and the fraud pentagon.

 In what year did Dr. Cressy publish the fraud triangle?

This is an interesting question because there seem to be conflicting thoughts on this subject. With that said, I will say the study was never published by Dr. Cressey, based on what I believe is a reliable source. This does not diminish the importance of the fraud triangle, it is just interesting trivia.

Making Audit the Number One Reason for Fraud Detection

This blog is part of a continuing series regarding making audit the number one reason for fraud detection. This requires acquiring knowledge and a good place to start is with the IIA Competency framework. Last month we discussed the “awareness competency,” mentioned in the framework, and this month we will move on to the applied knowledge level. For ease of reference, the IIA competency states:

Applied Knowledge: Evaluate the potential for fraud and how the organization detects and manages fraud risks; recommend controls to prevent and detect fraud and educate to improve the organization’s fraud awareness.

What is the difference between knowledge and applied knowledge?

  •  Crowe’s 2019 survey by the U.K. University of Portsmouth estimates worldwide annual fraud costs $5.127 trillion
  • McKinsey and Company, 2018 report, estimates more than half of U.S. Government losses to fraud, waste, and abuse go undetected
  • PWC, 2020 survey, 47 percent experienced fraud (second highest in 20 years)

You may wonder why I suddenly quoted various fraud statistics? Well, if the studies are right, it begs the question: Are we as a profession properly applying our fraud knowledge in the conduct of an audit?

So what is the difference between knowledge and applied knowledge is more in how the knowledge is used rather than the knowledge itself. Applied knowledge is aimed at practical solutions to real-world, existing problems while ‘pure’ knowledge is the collection of information for its own sake and without regard to its immediate usefulness. Source: Richard O. Colestock

 Let’s discuss the phrase “evaluate the potential for fraud” and how the organization detects fraud. To consider fraud, the auditor will need to understand the science of fraud. In last month's blog, we discussed this concept as we talked about red flags. In this month’s blog, we discuss how to apply the knowledge of fraud to the detection of fraud in an audit.

Applied knowledge: Evaluate the potential for fraud

There are different schools of thought on how an auditor should apply the concept of “evaluate the potential for fraud.” Let’s look at using two of the most common, the fraud triangle and the use of data analytics.

First, let’s consider the popular approach for audit planning, the fraud triangle. It requires the auditor to gather information regarding the opportunity, pressure, and rationalization for individuals who might commit fraud. The science aspect of this would require the auditor to study the science of criminology. The application of this concept would require the auditor to assess whether control owners and staff are exhibiting the behavioral aspects of personal pressures or behavior that might justify rule-breaking.

Next, let’s look at the use of data analytics. The fraud data analytics planning reports are designed to tell the fraud auditor the probability that a fraud risk statement is occurring in the business systems. The reports are generally not sufficiently detailed to identify a fraud risk statement or cause an investigation. The probability is based simply on the fact that transactions exist in the data set that are consistent with the fraud data profile for the fraud risk statement. The science is being able to develop the fraud data profile -- the applied knowledge is being able to create the report and then review the report.

Applied Knowledge / Practical Application

Let us assume you are tasked with conducting an audit of your payroll function. You are in the planning phase of the audit. What reports should you create to assess the predictability of fraud? (For simplicity, we will assume all employees have worked for 12 months, paid monthly and there are no hourly employees.)

The science of fraud tells me that the primary fraud risk statements in payroll are ghost employee schemes, overtime schemes, disguised compensation, and false adjustment schemes. Let’s take a closer look at false adjustment schemes. For this, we will need analyze gross pay, net pay and withholding fields.

By employee, summarize gross earnings by earning code providing frequency and aggregate dollars. The report is designed to predict the likelihood of a false adjust scheme in gross payroll. Assuming the payroll earnings code of “one” denotes regular earnings, then we are searching for employees with earnings codes other than “one.” First, we should exclude all employees with only an earning code of “one.” Then we should summarize the remaining employees by providing the frequency of earning codes other than “one” and the associated aggregate payroll dollars. 

If all employees only have an earning code of “one,” this suggests that a gross pay false adjustment scheme is not occurring.

By employee, summarize gross earnings and net pay. Calculate a dollar difference and percentage of net pay to gross pay. The report is designed to predict the likelihood of a false adjust scheme in net payroll. The auditor is searching for employees with a high percentage of net pay to gross pay. So, if no employee has a high percentage of net to gross, this would suggest a net payroll false adjustment scheme is not occurring.

By employee, search for a negative number in the withholding field. The report is designed to predict the likelihood of a false adjust scheme in the withholding field. Remember a negative number causes addition to net pay versus a subtraction for net pay. So, if no employee has a negative number in a withholding field, then this would suggest that a false adjustment withholding scheme is not occurring.

Did we consider fraud? Yes, we did!

We identified an inherent fraud scheme that could occur in every payroll system. We used fraud data analytics to interrogate the payroll database for data patterns consistent with the inherent scheme. Our reports did not identify any employees with a data pattern consistent with the risk statement.

Now it is decision time, based on the three reports should we test for false adjustment schemes? I would suggest that the auditor at this level of competency would understand that the planning reports did not provide any results suggesting that a false adjustment scheme is occurring. So, yes, we did consider fraud. However, there is no need to test for a false adjustment scheme. At least in my opinion.

Fraud Trivia Quiz

How much more money is laundered in fiat currencies than in cryptocurrency?

What percentage of system-generated alerts against money laundering resulted in false positives?

According to money laundering statistics of 2020, what percent of laundered money goes undetected?

FYI, I have selected these statistics for a reason, please ponder the questions to understand why they are important to our profession.

Demystifying Fraud eBook CTA

Topics: Fraud Data Analytics, Fraud Risk Identification, Fraud Auditing, Fraud Based Approach, Fraud Triangle

Leonard W. Vona

Written by Leonard W. Vona

Leonard W. Vona has more than 40 years of diversified fraud auditing and forensic accounting experience. His firm, Fraud Auditing, Inc., advises clients in areas of fraud risk assessment, fraud data analytics, fraud auditing, fraud prevention and litigation support.