There tends to be a fair amount of confusion when it comes to a fraud risk identification approach versus an experience-based approach – in no small part because within the industry it’s not uncommon to see terms used interchangeably – but here we set out to create a list of universal definitions intended to clarify how and why you might use this approach.
For an international traveller, the ability to speak the local language is critical in order to communicate. Likewise, it is important that your entire audit team speaks a common language when it comes to fraud. So many fraud words are used interchangeably – fraud risk, fraud scenario, inherent fraud risk, identified fraud risk, fraud risk statement – the likelihood of confusion within your team only increases as the interchangeable terminology increases.
This blog post will better define and create an approach to fraud risk identification when it comes to the fraud audit. We will look at:
For the purposes of this blog, fraud risk identification relies on you as an auditor identifying the permutations for each element in a fraud risk statement. By doing so, the number of fraud risk statements for a business system can easily be mathematically calculated.
From an audit perspective, and at its most basic, a fraud risk statement is an audit tool used by forensic accountants and fraud investigators. A properly written fraud risk statement should be the starting point of your fraud risk assessment process, the design specification for fraud data analytics, and the basis for creating an audit test. A fraud risk statement could actually be known more accurately as an asset misappropriation statement or a corruption statement – as this is essentially what it is – but in the fraud profession the correct term is fraud risk statement.
A fraud risk statement is not how the fraud is concealed or how a perpetrator benefits from committing the scheme. It is also not:
Using a universal naming system is the best way to improve your processes. So, while some people may use these terms interchangeably, and while a ‘bribery fraud risk statement’ may help with fraud awareness, these terms do not provide an auditor with the necessary description to design a fraud audit program and so are not fraud risk statements.
There is often some element of misunderstanding between a fraud risk statement and how a scheme occurs – indeed many believe the two to be identical although this couldn’t be further from the truth.
The fundamental difference between a ‘how’ statement (sometimes known as natural internal vulnerabilities or internal control deficiencies) and a fraud risk statement is quite stark. The ‘how’ of a scheme describes the actions taken in a story, while a fraud risk statement is a hypothesis. While the ‘how’ statement can describe how a perpetrator committed a scheme, and can be part of a fraud risk statement, the risk statement is a postulation to be tested and is used when building your fraud audit plan.
So how can you create a fraud risk statement that will provide fraud auditors with the necessary elements to build their fraud audit program? The fraud risk statement has five elements and should be written in the following order:
This starts with a generic description such as Accounts Payable Function or Budget Owner. The generic description then changes to the specific control owner as the internal auditor gains an understanding of the business process involved. As a rule, we do not list specific names but rather company titles. In a more complex discussion, the “person committing” element needs to consider access and the impact of the internal control inhibitors on the person committing analysis.
Type of entity should start with looking into the business system. In the expenditure cycle the entity is a vendor, in payroll the entity is an employee, in revenue the entity is a customer, and so on. There are two types of entities to consider: false or real. A more advanced understanding of shell companies would start with the following list:
In creating the fraud risk statements, the shell company must also be adapted to your industry, the vendor industry and how the shell company may be used in the fraud action statement. To illustrate the concept
The statement needs to be adapted to the industry. For example, in a construction audit, the pass thru may be a sub-contractor that is legally owned by the general contractor with the intent to inflate contract costs.
This is the act carried out by the person committing the scheme. Focusing on disbursement fraud schemes, the primary categories of acts are false billing, pass thru schemes, overbilling and disguised expenditure schemes. Each primary category has multiple sub-categories. To illustrate, the overbilling could occur through price inflation, short shipment, false charges, false add-on charges or product substitution schemes.
The product substitution could occur through a fitness scheme, knock off scheme, counterfeit scheme or manufacturer scheme. The manufacturer scheme could occur through chemical composition, country of origin, etc. The key is to write the fraud action statement with the proper level of detail, so that the audit team can ensure all fraud risks are mitigated and the audit program responds to all the fraud schemes facing your company.
This describes either the monetary or the non-monetary impact on the organization. As a matter of style, we defer to the reader to create their own writing style for the impact statement.
Sometimes this is known as a believability statement. It is not uncommon that if the reader of the fraud risk statement does not understand how the perpetrator benefits from the scheme, the reader may dismiss the scheme as theoretical rather than reality. Hence this statement is essential. While the conversion statement is not necessary to create the audit program, it will tell the reader whether the financial conversion occurred on the company books or off the company books.
If the fraud conversion occurs on the company books, then the fraud auditor has access to the necessary records to link the fraud scheme to the perpetrator. Off the book schemes will eventually require a legal action to obtain the necessary records to link the loss to the perpetrator, unless you obtain a confession.
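The claim that the number of fraud risk statements can be calculated from the permutations of each element can be shown for the expenditure cycle. The sketch below is an added example, not part of the original post: it uses only the element values named above (the "etc." under manufacturer schemes is not expanded), and the impact wording and sentence template are assumptions.

```python
from itertools import product

# Element values taken from the post; IMPACT wording is a constructed placeholder.
PERSONS = ["Accounts Payable Function", "Budget Owner"]
ENTITIES = ["false vendor", "real vendor"]
CONVERSIONS = ["on the company books", "off the company books"]
IMPACT = "an overpayment by the company"

# Fraud action taxonomy for disbursement schemes; {} marks a leaf.
ACTIONS = {
    "false billing": {},
    "pass thru": {},
    "disguised expenditure": {},
    "overbilling": {
        "price inflation": {},
        "short shipment": {},
        "false charges": {},
        "false add-on charges": {},
        "product substitution": {
            "fitness": {},
            "knock off": {},
            "counterfeit": {},
            "manufacturer": {"chemical composition": {}, "country of origin": {}},
        },
    },
}


def leaf_paths(tree, prefix=()):
    """Yield every root-to-leaf path, i.e. each action at its finest level of detail."""
    for name, children in tree.items():
        path = prefix + (name,)
        if children:
            yield from leaf_paths(children, path)
        else:
            yield path


def fraud_risk_statements():
    """One statement per permutation, elements in the post's order."""
    actions = [" / ".join(p) for p in leaf_paths(ACTIONS)]
    return [
        f"{person} uses a {entity} in a {action} scheme, causing {IMPACT}; "
        f"conversion occurs {conv}."
        for person, entity, action, conv in product(PERSONS, ENTITIES, actions, CONVERSIONS)
    ]


if __name__ == "__main__":
    statements = fraud_risk_statements()
    print(len(statements), "statements; first:", statements[0])
```

Each statement produced this way is a hypothesis the audit program has to test, so adding one person, entity type or action sub-category multiplies the test population rather than adding to it.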
Going Beyond Basics
Upon the creation of all the necessary fraud risk statements (remembering each of these should match a particular fraud scheme) your team will be able to properly create their fraud audit plan and test each statement. Using a uniform understanding of what a fraud risk statement is and its place in your processes will create a more efficient approach to prevention and detection.
At Fraud Audit Inc., we have over 38 years of diversified experience when it comes to fraud. Contact us today to talk through your needs when it comes to creating fraud risk statements and obtaining fraud risk registers. We can better empower your team to approach fraud.