Last month I introduced the concept of integrating fraud testing in your audit program. The blog discussed the pros and cons of the four approaches and offered advice to the CAEs. This month, I will discuss the four strategies and explain the “how to” for the auditors in the field. I will use a payroll fraud risk statement to illustrate the concepts. Please remember, I consider myself a practitioner first and a blogger second.
Quick refresher on fraud risk
In our profession, we use many terms interchangeably: fraud risk, inherent fraud risk, fraud scheme, fraud scenario, etc. The Fraud Audit, Inc. methodology offers the following definitions:
- Fraud Risk Statement: Description of a threat facing the organization that has an element of deceit or concealment. The statement is what drives the audit program.
- Fraud Scenario: How someone would commit a fraud risk statement against your organization. The key is to understand the internal control vulnerabilities that exist in your system of controls.
Summary of the four approaches:
- Perform a fraud risk assessment with the fraud scenario. There is no change to the field work stage. The focus is on the adequacy of the design of internal controls to mitigate a fraud scenario. The fieldwork methodology follows the traditional internal control approach. The difference is the focus: it is on internal control vulnerability rather than risk mitigation.
- Use the red flag approach combined with a fraud risk statement approach. The sampling phase is random, but the audit program includes document red flags or control red flags associated with the fraud risk statement.
- Integrate fraud test procedure within the internal control approach. The sampling is random, but a fraud test procedure is added to the test of internal controls.
- Use the fraud audit approach driven by the fraud risk statement. The sampling is based on fraud data analytics, and the test procedure uses a fraud audit test procedure. There is no testing of internal controls.
Practical Illustration of the four approaches
Remember, in the fraud audit world, the goal is not to prove that fraud occurred but rather to determine whether there is credible evidence to suggest that the fraud risk statement is occurring. The recommendation is the performance of a fraud investigation.
Your work-papers would list each fraud risk statement within the audit scope. Personally, I prefer the fraud risk statement to be listed in the audit program. The auditor would then document exactly what evidence would be gathered to support their conclusion. We will use the following fraud risk statement to illustrate the four approaches:
Budget owner or payroll function causes a fictitious person to be set up on the employee master file; the budget owner or payroll submits time and attendance records for the fictitious person, causing the diversion of funds.
Perform a fraud risk assessment with the fraud scenario
The process starts with the fraud risk statement. Then the auditor identifies how a person could commit the fraud risk statement. Normally auditors want to identify internal controls and discuss fraud mitigation. I refer to this as control blindness because the auditor only sees the control versus the fraud opportunity. The auditor needs to ask questions such as:
- Do we have situations in which an employee is hired by a budget owner and bypasses Human Resources?
- Can payroll cause the issuance of a payroll check without the employee being in the Human Resources database?
Use the Red Flag Approach
Look at a random sample of 25 employees. The testing approach is the traditional internal control approach, but the audit program will list specific red flags that the auditor should look for. Since the fraud risk statement is a fictitious employee, the auditor could examine documents associated with establishing that an employee is a real person. Two potential red flags:
- There is not a driver’s license on file for the employee on the I-9 form
- The copy of the driver’s license on the I-9 form shows signs of alteration.
If either red flag is observed, then the auditor would need to gather additional evidence to determine if the employee is real or fake. It is that simple.
Integrate fraud test procedure
The fraud test procedure, also called the authenticity audit procedure, includes gathering evidence that was created external to the “person committing” and stored external to the person committing. The audit program still tests the internal controls but includes a procedure to determine that the employee is real.
- Determine that the employee has a building access card and that the security log shows normal usage of the card.
Use the fraud audit approach
The fraud audit requires a fraud data analytics plan and a fraud test procedure. In prior blogs we have discussed fraud data analytics. I will not attempt to repeat those discussions in this blog.
Our fraud data analytics will search for employees with missing data that would normally be found in the Human Resources data base. The sample will be all employees that meet the missing data element requirement. This is a significant difference from the random selection of 25 employees. In fraud data analytics, your sample is determined by the fraud data analytics routine rather than a predetermined number. In theory, the sample size can range from zero to all employees.
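The selection routine described above can be sketched as follows. This is an added example, not code from the Fraud Audit, Inc. methodology; the field names, employee IDs and records are constructed assumptions, and it also flags anyone paid who is absent from the HR master file.

```python
# Added illustration. REQUIRED_HR_FIELDS and all records are constructed
# assumptions; substitute the data elements your HR system normally holds.
REQUIRED_HR_FIELDS = ("hire_date", "home_address", "tax_id", "emergency_contact")

# Constructed HR master file keyed by employee ID.
HR_MASTER = {
    "E100": {"hire_date": "2015-03-02", "home_address": "12 Elm St",
             "tax_id": "XXX-XX-1001", "emergency_contact": "J. Doe"},
    "E101": {"hire_date": "2019-07-15", "home_address": "",
             "tax_id": "XXX-XX-1002", "emergency_contact": None},
    "E102": {"hire_date": "2021-01-04", "home_address": "9 Oak Ave",
             "tax_id": "   ", "emergency_contact": "R. Roe"},
    "E103": {"hire_date": "2022-11-28", "home_address": "4 Pine Rd",
             "tax_id": "XXX-XX-1004", "emergency_contact": "A. Poe"},
}

# Constructed payroll register: IDs paid in the period (one ID per pay run).
PAYROLL_REGISTER = ["E100", "E101", "E102", "E103", "E999", "E101"]


def is_blank(value):
    """Treat None, empty strings and whitespace-only strings as missing."""
    return value is None or str(value).strip() == ""


def select_fraud_sample(payroll_ids, hr_master, required=REQUIRED_HR_FIELDS):
    """Return {employee_id: [reasons]} for every paid employee who is absent
    from the HR master file or lacks a required data element. The sample
    size is whatever the routine finds, from zero to all employees."""
    sample = {}
    for emp_id in sorted(set(payroll_ids)):
        record = hr_master.get(emp_id)
        if record is None:
            sample[emp_id] = ["paid but not in HR master file"]
            continue
        missing = [f for f in required if is_blank(record.get(f))]
        if missing:
            sample[emp_id] = ["missing " + f for f in missing]
    return sample


if __name__ == "__main__":
    for emp_id, reasons in select_fraud_sample(PAYROLL_REGISTER, HR_MASTER).items():
        print(emp_id, "->", "; ".join(reasons))
```

Each selected employee then goes to the fraud test procedure; the recorded reasons belong in the workpapers as the basis for selection.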
The fraud test will focus on establishing that the employee is a real person rather than a fake person. The audit procedure is to physically meet the person and examine the person’s government issued identification.
However, the more sophisticated perpetrator may have recruited a real person who has real identification. Therefore, the previous fraud test would have failed to detect the fictitious ghost scheme. That is why I always prefer the “evidence of work performance” procedure. This simply involves looking at the productivity of the person in question. It takes a little more work, but it makes it more difficult for the perpetrator to fool the auditor.
Integrating fraud into your audit program requires a different way of thinking about the audit process. I offer the following suggestions to staff auditors:
- Learn how to write fraud risk statements that clearly define the audit step.
- Select one of the four strategies and start to apply it in your audits. Practice truly makes perfect.
- Learn how to design fraud audit steps.
- Become the champion of fraud audit in your department.