In my December 2019 blog, I provided eleven statements in the spirit of causing you to think about your audit plan and helping you create a dialog in your company about improving your ability to find fraud risk statements within your audit. In the next four blogs, January – April, I will elaborate on them.
Finding fraud in an audit is easier than you think.
I was at a conference sitting at a round table. I made the preceding statement at my table. I was fascinated by the disagreement that the individuals at my table had with my comment. I decided to sit and listen rather than debate.
Remember this phrase throughout my next four blogs: words and their meaning are important.
To start this conversation, I am not talking about auditors who are responding to a fraud allegation. That is easy. I am talking about auditors seeking to detect fraud schemes with no overt starting point. So, why is it easier than you think? Or, what does my statement really mean?
To start, auditors do not render legal opinions. So, I suppose my statement is false from a literal reading of the phrase. However, I am not writing for a law journal; I am writing to auditors of the world. Now that we have defined the audience, let’s see if my statement makes sense.
From an audit perspective, the statement should read: there is or is not creditable evidence that a fraud risk statement is occurring in our core business system. What does this mean? There are three important parts to this statement.
The first part, “creditable evidence” implies a degree of certainty. Is the degree of certainty 100% or is it less? Individuals wearing the auditor’s hat need to understand that it is not their job to prove fraud with 100% degree of certainty. Not even our legal system requires 100% certainty. The phrase beyond a reasonable doubt is the key phrase in most legal systems.
Let’s look at the second part, “that a fraud risk statement is occurring.” Does this say that the individual is committing fraud or that the individual is committing a fraud risk statement? In fact, the auditor’s opinion should be that an individual committed a “fraud risk statement,” which is a term of art in the auditor’s profession.
To illustrate, consider the disbursement fraud scheme of false billing. Should an auditor be able to make a statement that vendor ABC, Inc. is a shell company and has billed our company for services not rendered or should the statement be that there is creditable evidence that ABC, Inc., is a shell company and has billed our company for services not rendered?
Lastly, what is the action that the auditor wants from management? Should the action be an investigation performed by an individual with the qualifications to perform an investigation? Or should the action be an internal control recommendation?
Now that we have a common understanding of the phrase “Finding fraud in an audit is easier than you think,” it’s important to understand that every business system has common fraud risk statements. When the auditor designs a sampling approach based on the red flags of the fraud risk statement, then the auditor is improving the odds of locating the transaction. The term of art for the sampling approach is “fraud data analytics”. When an auditor designs a fraud audit procedure based on the authenticity principle, then the audit procedure should be able to pierce the concealment strategy used by the perpetrator. In its truest sense, “fraud” is all about concealment.
So, I believe my statement makes sense in the context of an auditor who uses a fraud auditing methodology. However, when the auditor is performing an internal control audit, the fraud detection statistics would suggest my statement could be misleading.
“Fraud” may be one of the most misunderstood or misused words in the audit profession. After you look at the legal definition of fraud, ask yourself: Are we really preparing a fraud risk assessment or an asset misappropriation risk assessment or corruption risk assessment, etc.? Remember, words are important.
If you read the auditing standards, in particular SAS # 99, you understand that the statement references Black’s Law Dictionary as a source for understanding the term “fraud”. The auditing standards, GAAS, also introduced the concept of the “fraud triangle”. Other standards suggest that we consider “fraud” as part of our audit planning. The fraud word surrounds the profession, but do we have a common understanding of what the word means and how we use the concept in day-to-day auditing?
What does the word fraud mean to the auditing profession? Like everyone else, I went to the internet to find the true meaning of the word. I also used old school research techniques; I used a paper copy of a book called a thesaurus to identify words associated with the word, fraud.
My research suggested words like deception, dishonesty, imposter, fake, trickery, deceit, scheme, counterfeit, or my favorite “snake oil”. If you decided to look at the legal sources for a definition, you would find similar words, just used in a different context.
From my perspective, fraud is how the perpetrator conceals their actions or, said another way, how the perpetrator creates the illusion that the transaction is legitimate. Or, more importantly, how the individual bypasses all the internal controls that an organization maintains. The key is to understand how to use fraud in the design of an audit plan. Then finding fraud becomes easier.
In my series on fraud data analytics, I discuss the concept of calibrating your audit procedure to the sophistication of the concealment strategy. In this way, you understand what your audit procedure can and cannot detect. Business systems are driven by documents; these documents are both paper and electronic. The auditor should understand fraud concealment and look for signs of fake documents.
To use a quote from Lion King, “It is time!” The auditing profession needs to provide an authoritative definition of the word “fraud” for auditors. Maybe, just maybe, it is time to explain how to use the fraud word throughout the audit process versus to consider a nebulous theory of fraud.
How the auditor describes fraud risk is often too vague or general to be useful. To illustrate, here is an actual fraud risk statement from a real company: “The risk of internal parties committing fraud or misconduct”. Unfortunately, I can provide you with many more examples.
Zap, you are an auditor; therefore, you understand everything about fraud. Sorry, it does not work that way. Let’s be clear. The purpose of a fraud risk statement is to provide a clear communication of what exactly the auditor should look for!
In an earlier blog, I provided guidance on how to write a fraud risk statement. I would encourage you to read about that and then adopt a method for how to write a fraud risk statement. To illustrate, this is an example of a fraud risk statement you would find in our fraud risk register.
Budget owner acting alone or in collusion with a direct report causes a created shell company to be set up on the vendor master file, processes a purchase order or contract and approves a fake invoice for goods or services not received causing the diversion of company funds.
A properly written fraud risk statement will provide a sufficient description of the fraud risk to allow the auditor to properly plan the audit. If our profession is going to become the number one method of fraud detection, then we need to understand what fraud is, what the fraud looks like and how to find it. So, I ask you, does the following fraud risk statement help you in the design of an audit plan:
An internal person may commit fraud or misconduct.