After a series of thought-provoking blogs, I thought it was time to write a practice blog. I hope you find it helpful in your next audit.
Professional standards are very clear about the importance of managing your audit based on its objectives and scope. Whether you are auditing financial statements, core business systems, operations, internal controls, or contracts, you are required to consider fraud in the conduct of your audit. This blog will provide you with the questions you must be able to answer to determine the scope of your audit.
To illustrate, let’s assume you have been asked to audit the payroll function.
Step one: Who is the victim and who is the perpetrator?
The victim is your company, and the perpetrator is an operations manager. This assumption means that payroll employees are not the perpetrators.
You could include both the payroll function and the operations manager. That would, however, expand your scope.
Step two: What is the primary type of fraud?
The primary type of fraud is asset misappropriation.
Step three: What is the secondary type of fraud?
The secondary type of fraud is the theft of monetary funds from the issuance of a payroll payment.
Step four: What type of entities are the focus of your audit?
The type of entity (employee) is a false employee, known as a ghost employee. What is a ghost employee? My definition: a payroll payment is disbursed in the name of a real or fictitious person who does not perform services. The types of ghost employees that are included in the scope of the engagement are:
- A fictitious employee, created by inventing an identity for a person who does not exist in real life. The person committing the scheme in essence creates an identity for the fictitious employee.
- A real but non-complicit employee. The person committing the scheme takes over the identity of a person either temporarily or permanently.
- A real, non-complicit person who is not an employee but has been added to the human resources database.
The types of ghost employees that are excluded from the scope of the engagement are:
- A real employee who is complicit in the fraud action. In payroll, complicit is defined as the real employee who receives the payroll payment.
- Ghost employees who are receiving a payroll payment as a bribe. The reason they are not included is that the primary type of fraud being considered is asset misappropriation rather than corruption.
Step five: What is your fraud action statement?
All ghost employee schemes involving asset misappropriation have the same fraud action statement: Paid for services not performed.
Step six: How do you plan to integrate fraud into your audit program?
There are four strategies for integrating fraud into your audit program:
- Prepare a fraud risk assessment.
- Perform internal control testing and be alert to the red flags.
- Integrate a fraud test into the internal control testing.
- Create a fraud audit program that includes the use of fraud data analytics and fraud tests.
You should include the selected strategy in your work paper.
Step seven: What is your time period?
The time period will correlate to your strategy. If you select strategy one, you will focus on the internal control vulnerabilities based on the current date of the audit. Typically, the test period for determining internal control effectiveness will be based on a cycle or a limited time period. If you select strategy two or three, then you will need to identify the time period for your testing. If you select strategy four, I generally recommend a twelve-month period.
Step eight: What is the purpose of the audit?
This is an important question! Is the purpose of your audit the adequacy of internal controls to mitigate ghost employees? Internal control effectiveness? Uncovering ghost employee schemes? The answer will guide everything else you do.
Illustration of scope work paper regarding fraud
In considering fraud in payroll, our audit will focus on asset misappropriation schemes involving the theft of monetary funds committed by an operations manager. The fraud schemes will focus on ghost employee schemes through the use of fictitious employees. The objective of the audit is to uncover the following fraud risk statements that may have occurred in the last twelve months:
- Budget owner causes a fictitious person to be set up on the employee master file. The budget owner submits time and attendance records for the fictitious person, causing the diversion of funds.
- Budget owner, in collusion with a temporary agency, submits invoices listing persons who did not provide services, causing the diversion of company funds.
- Budget owner causes a real non-complicit person to be set up on the employee master file. The budget owner or payroll submits time and attendance records for the real non-complicit person for work not performed causing the diversion of funds.
- Budget owner or payroll function causes a real non-complicit employee who terminates employment to not be removed from the payroll for a temporary period of time and then submits time and attendance records for the terminated employee and either changes the bank account for direct deposit or diverts the paper check causing the diversion of funds.
- Budget owner or payroll function causes a real non-complicit employee who terminates employment to not be removed from the payroll for a permanent period of time and then submits time and attendance records for the terminated employee and either changes the bank account for direct deposit or diverts the paper check causing the diversion of funds.
- Budget owner or payroll function causes a properly terminated employee to be reactivated on the employee master file. The budget owner or payroll submits time and attendance records for the reactivated employee and either changes the bank account for direct deposit or diverts the paper check causing the diversion of company funds.
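The terminated-employee and reactivation statements above can be turned into data tests over the twelve-month period. The following is an added example, not part of the original blog; the field names, sample records and the `flag_payments` helper are assumptions made for illustration.

```python
from datetime import date

# Constructed sample data; the field names are assumptions, not a real payroll schema.
EMPLOYEES = {
    "E100": {"terminated": None, "reactivated": None},
    "E200": {"terminated": date(2023, 3, 31), "reactivated": None},
    "E300": {"terminated": date(2023, 1, 15), "reactivated": date(2023, 6, 1)},
}
PAYMENTS = [  # (employee id, pay date, direct-deposit account)
    ("E100", date(2023, 4, 14), "ACCT-1"),
    ("E200", date(2023, 3, 17), "ACCT-2"),
    ("E200", date(2023, 4, 14), "ACCT-9"),  # after termination, new account
    ("E300", date(2023, 1, 6), "ACCT-3"),
    ("E300", date(2023, 6, 16), "ACCT-3"),  # after reactivation
]

def flag_payments(employees, payments, start, end):
    """Return (emp_id, pay_date, reasons) for in-period payments that match
    the terminated-employee red flags in the scope statement."""
    last_account = {}  # account in use before the employee's termination date
    findings = []
    for emp_id, pay_date, account in sorted(payments, key=lambda p: p[1]):
        emp = employees.get(emp_id)
        if emp is None:
            continue  # ids missing from the master file are not evaluated here
        term, react = emp["terminated"], emp["reactivated"]
        reasons = []
        if term and pay_date > term:
            if react and pay_date >= react:
                reasons.append("paid after reactivation of terminated employee")
            else:
                reasons.append("paid after termination")
            if emp_id in last_account and account != last_account[emp_id]:
                reasons.append("bank account changed")
        else:
            last_account[emp_id] = account
        # History before the period still feeds last_account; only in-period
        # payments are reported.
        if reasons and start <= pay_date <= end:
            findings.append((emp_id, pay_date, reasons))
    return findings

if __name__ == "__main__":
    for finding in flag_payments(EMPLOYEES, PAYMENTS, date(2023, 1, 1), date(2023, 12, 31)):
        print(finding)
```

Each finding is a lead for follow-up rather than a conclusion, since a legitimate rehire also triggers the reactivation flag.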
I hope you found this practical illustration to be helpful. Now for your homework: why is the following fraud risk statement not included in the scope of your audit work?
- Payroll function causes a payroll payment to be issued in the name of an employee who is not on the human resources database.
I will provide my answer in next month’s blog.