So, you want to be a fraud auditor?
I have been practicing as a fraud auditor for over forty years. To be honest, for the first twenty, I did not know I was a fraud auditor. I spent the next twenty refining the practice of fraud auditing. So, this blog is intended to provide you with the necessary skill set to become a fraud auditor.
It is not my intent to explain each concept in depth. Many of these concepts have been covered in previous blogs. Rather, view this as a starting point for identifying the skills that you will need to become a fraud auditor.
Let’s start with a definition of fraud auditing.
Fraud auditing is a methodology to integrate fraud detection procedures into an audit. Let me say that again, “an audit”. It is a combination of risk assessment, data mining, and audit procedures designed to locate and identify fraud risk statements. It is based on the theory of fraud that recognizes that fraud is committed with the intent to conceal the truth. It incorporates into the audit process the concept of red flags linked to the fraud risk statement concealment strategy associated with data, documents, internal controls, and behavior.
My first recommendation to become a fraud auditor is to acquire fraud audit knowledge. Not from a legal sense, but from an audit sense. The legal knowledge may come later. The four key knowledge areas are:
1. Understanding the fraud universe.
2. Explaining your fraud audit scope (see my next blog).
3. Sufficiency of audit evidence for fraud testing. Several of my recent blogs regarding professional skepticism can provide you guidance on this topic.
4. Understanding the concept of sophistication of concealment. I would refer you to my series of ten blogs on fraud data analytics.
The second recommendation is the application of fraud auditing. This involves applying the knowledge you have gained through the study of fraud auditing.
The four practice areas are:
1. Creating a fraud audit program
   a. Fraud risk statement identification
   b. Fraud risk assessment
   c. Fraud data analytics
   d. Fraud testing
2. Calibrating your audit program for the sophistication of concealment.
3. Having sufficiency of audit evidence to recommend an investigation.
4. Establishing a degree of certainty to arrive at a fraud audit conclusion.
5. Writing a fraud audit report.
Where or how do you get this knowledge and practical skills? The knowledge comes from the study and research of relevant topics. The practice comes from just doing it. Using two of the topics, I will illustrate what I mean:
- Understanding the concept of sophistication of concealment
In the search for fraud, there are two people: the perpetrator and the auditor. The perpetrator’s goal is to hide their fraud scheme or create the illusion of propriety. The auditor’s job is to find the fraud scheme or pierce the concealment strategy. An easy example of this is an address. If the perpetrator uses his personal residence address for the entity address, then that is low concealment. If the perpetrator embeds the entity address with an address of a real company, it becomes more difficult to determine that the entity address is fictitious.
Gaining knowledge: Using the components of the fraud risk statement, the first part is the entity identifying information or master file data. To provide an example, learn as much as you can about the types of addresses, i.e., mailbox services, mail forwarding, and virtual offices.
Gaining experience: Determining what type of address is on the vendor’s invoice involves internet searching or pretexting via telephone. Most likely, it will require a combination of the two techniques.
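To make the address example concrete, here is an added illustration (not from the original post) of a fraud data analytics test over master file data: it normalizes addresses and flags vendors whose address matches an employee's residence, carries a mailbox-service marker, or is shared with another vendor. The field names, the flag labels, the abbreviation and mailbox keyword lists, and the sample rows are all assumptions constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample master-file rows (not real data).
EMPLOYEES = [
    {"id": "E100", "address": "12 Oak Street, Apt. 4, Springfield"},
    {"id": "E101", "address": "98 Elm Avenue, Springfield"},
]
VENDORS = [
    {"id": "V1", "address": "12 OAK ST APT 4 SPRINGFIELD"},
    {"id": "V2", "address": "500 Main St, PMB 212, Springfield"},
    {"id": "V3", "address": "700 Industrial Road, Springfield"},
    {"id": "V4", "address": "700 Industrial Rd., Springfield"},
]

# Assumed, deliberately short lists; extend them for your own data.
ABBREV = {"street": "st", "avenue": "ave", "road": "rd",
          "apartment": "apt", "suite": "ste"}
MAILBOX = re.compile(r"\b(pmb|p ?o box|mailbox)\b")

def normalize(address):
    """Lowercase, drop punctuation, and collapse common street-type spellings."""
    tokens = re.sub(r"[^a-z0-9]+", " ", address.lower()).split()
    return " ".join(ABBREV.get(t, t) for t in tokens)

def red_flags(vendors, employees):
    """Return {vendor_id: [flags]} for vendors whose address needs follow-up."""
    emp_by_addr = {normalize(e["address"]): e["id"] for e in employees}
    vendors_by_addr = defaultdict(list)
    for v in vendors:
        vendors_by_addr[normalize(v["address"])].append(v["id"])

    flags = defaultdict(list)
    for v in vendors:
        addr = normalize(v["address"])
        if addr in emp_by_addr:  # low concealment: employee's own residence
            flags[v["id"]].append("EMPLOYEE_ADDRESS:" + emp_by_addr[addr])
        if MAILBOX.search(addr):  # mailbox / mail-forwarding marker
            flags[v["id"]].append("MAILBOX_SERVICE_INDICATOR")
        if len(vendors_by_addr[addr]) > 1:  # address shared by several vendors
            flags[v["id"]].append("SHARED_WITH_OTHER_VENDOR")
    return dict(flags)

if __name__ == "__main__":
    for vendor_id, found in red_flags(VENDORS, EMPLOYEES).items():
        print(vendor_id, found)
```

Each flag is a red flag to resolve through audit procedures, not a conclusion, and an exact match like this only catches low concealment; more sophisticated concealment still needs the internet searching and telephone follow-up described above.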
- Degree of certainty to arrive at a fraud audit conclusion
What is a fraud audit conclusion? Let me start with what it is not. It is not a legal conclusion. It is not a conclusion of guilt. And, it certainly is not 100% certain. On a simple basis, you have unresolved red flags that cannot be resolved via fraud auditing procedures. The weight of the unresolved red flags is greater than the weight of propriety. For my number lovers, you need to be at a minimum of 51% confident that a fraud risk statement is occurring, but you do not need to be 100% confident. Remember, in the fraud audit our conclusion is that there is either sufficient evidence to perform an investigation or there is not sufficient evidence.
Gaining knowledge: You need to start with understanding the components of the fraud definition. Words like: knowing, misrepresentation, material fact versus extraneous information, intentional, etc. These are the keywords associated with the word “fraud”! I do not expect you to be an attorney, but I do expect you to understand the concepts.
Gaining experience: There is only one way to gain experience: do it. In your next audit, take some transactions, identify any red flags, and explain why you think each one is a red flag. Discuss this amongst the team.
Our profession is starting to recognize the concept of fraud auditing. It may not use the term per se, but we are evolving beyond the phrase “consider fraud”! The IIA issued an internal audit competency framework, and one of the knowledge areas is fraud. Under that, they describe three competency levels: awareness, applied knowledge, and expert. They’re following
It is not often that you have the opportunity to be on the ground floor of a new profession. So, what do you want to do?