Consider Fraud. What does this really mean?
As you are aware, the auditing standards require an auditor to consider fraud in the conduct of an audit. Depending on the standards you follow, the meaning has different requirements. No, I have no intention of critiquing each standard; rather, I want to critique the phrase “consider fraud”.
I started my study by reading reports issued on the topic. I would encourage you to read the report issued by the IIA Research Foundation, sponsored by the Chicago chapter of Internal Auditors “Responding to Fraud Risk: Exploring Where Internal Auditing Stands”. The study was based on 2015 surveys, but the thought process is excellent.
So what is fraud risk?
Let’s start with an assumption: every organization has fraud risk statements occurring within its company. So, how does an auditor consider fraud? I know the simple answer: evaluate the fraud risk factors found in the fraud triangle and prepare a fraud risk assessment. Unfortunately, I do not think it is that simple. So, what is an auditor to do?
I think it is important that every organization start with a definition of fraud risk. I offer the following. (Please note my definitions are written for auditors not the legal community.)
Fraud Risk: An intentional and concealed threat that is designed to cause harm to the organization by exploiting the natural vulnerabilities that exist within our overall internal control structure.
Fraud: A knowing misrepresentation of the truth or concealment of a material fact to induce another to act to his or her detriment (Black’s Law Dictionary).
Threats: Possible danger that someone might exploit a vulnerability in our internal control structure thereby causing monetary or non-monetary harm.
Vulnerabilities: Points in the internal control structure that can be exploited.
To consider fraud, you must know what fraud is! In talking to auditors for the last 30 years, I have reached the conclusion that the word “fraud” is generally not understood by many people. It is often thought of as an act, but in reality, it is all about concealment of the truth. Or, as I like to say, “Creating the illusion of propriety”. Now that we have a common definition, we need a methodology to consider fraud risk.
So, how do I consider Fraud Risk?
I would suggest the following methodology for considering fraud. The starting point should be to understand the actors who perpetrate fraud against a company’s business systems. Is the perpetrator an internal actor or an external actor? Starting with the external actor, is the perpetrator known to the company (i.e., a vendor or customer) or unknown to the company (such as an organized crime group)?
Who is the internal perpetrator? The CEO or CFO? Senior management? Operating management? Employee in a business system?
Now that we have identified the actors, are we considering fraud committed by an individual or are we considering collusion, management override, or opportunity created by an internal control weakness?
Within the actors, we need to identify who is the perpetrator and who is the victim. I would guess that most auditors would think that the company is always the victim. But if you read last month’s blog you will quickly learn that your company could be the perpetrator.
Now that we have considered the various actors, we should consider the primary categories of fraud: asset misappropriation, corruption, financial reporting, revenue obtained improperly, etc. Within these categories, are we thinking about fraud risk statements or actual crimes such as bribery or money laundering? Is the criminal act committed by the organization, an internal individual, or an external individual?
Now that we have considered the type of fraud, we should consider the impact of the fraud risk as to monetary or non-monetary impact. Monetary impact can result from theft of assets, fines, civil lawsuits or through deferred prosecution agreements with the government. Non-monetary would depend on the organization but adverse publicity would be an example.
So, what is your plan?
If you followed everything I said, in one sense it sounds overwhelming. So, my suggestion is that we consider fraud at three levels: the organization’s fraud risk management program, the chief auditor’s organizational plan for considering fraud risk, and the audit plan for conduct of each audit. For auditors in public practice, the same thought process would occur but in a different context. Since my blog is focusing on auditors, I will not address the organization’s fraud risk management program.
If you are a CAE, how does your audit plan link to the organization’s fraud risk management program? Do you have a strategy for considering fraud risk? Is the strategy focused on fraud prevention or fraud detection? If fraud detection, is the strategy proactive i.e. fraud auditing? Or reactive, i.e. fraud investigation? If fraud prevention, does the organization have a detailed fraud risk assessment? Or will the audit team need to create a comprehensive fraud risk assessment? If fraud prevention, does the organization favor fraud prevention, fraud detection, or fraud deterrence? These are some of the questions the CAE needs to answer before an audit team can properly “consider fraud”.
If you are conducting an audit, how does your audit program link to the CAE’s focus or perspective on fraud risk? Based on the CAE’s plan, the auditor should identify the relevant fraud inherent schemes that correlate to the audit scope.
Consider Fraud! Are we considering fraud in the conduct of an audit?
I assume someone will eventually say that I did not discuss the fraud triangle: opportunity, rationalization, and pressures. I have not, for two reasons. First, there is enough published on the topic. And second -- this may be professional blasphemy -- the fraud triangle is about criminology, which, as you know, is the study of why people commit crime. I simply accept the fact that people will commit crimes. From a governance perspective, understanding how the fraud triangle impacts the organization may be of value, but I will leave that discussion for another day.
My suggestions for considering fraud risk
1. The CAE must have a published strategy for responding to the risk of fraud.
2. The auditor must understand the fraud scope parameters of the engagement.
3. The auditor takes the following steps within the scope parameters:
- Identify the inherent schemes associated with the business system.
- Brainstorm on the vulnerabilities associated with the inherent schemes.
- Understand the fraud impact.
- Now the auditor is prepared to consider fraud risk!