As we have discussed in previous blogs, the new fraud auditing standards require you to bring a “deeper understanding of potential fraud schemes into their audit planning and execution.”
Last month, we discussed how to achieve a deeper understanding of fraud risk. We used a ghost employee scheme to illustrate the concept. This month, we will discuss how to incorporate that deeper understanding into your work. For ease of reference, I will provide the fraud risk statements:
Store manager takes over for a limited time the identity of an employee who has departed the workplace. The store manager causes hours worked to be entered into the timekeeping system for the departed employee and subsequently diverts the departed employee’s wages.
Or,
Store manager takes for a limited period of time the identity of an employee prior to their first scheduled work week. The store manager causes hours worked to be entered into the timekeeping system for the new employee and subsequently diverts the departed employee’s wages.
Develop Your Audit Plan
Now we will discuss how to plan and execute your audit to properly respond to the risk of fraud. In my way of thinking, our audit plan has three components.
1. Perform a fraud risk assessment
2. Select a sample of transactions through the use of data analytics
3. Perform an audit procedure to gather evidence regarding the likelihood of the fraud risk occurring at the retail site.
Before you read any further, this is meant to be an easy illustration of how to bring a deeper understanding of potential fraud schemes into your audit planning and execution. Whether you are auditing journal entries, revenue recognition, corruption schemes, or any asset misappropriation scheme, the thought process is the same.
Perform a fraud risk assessment
I suspect most auditors would conclude that internal controls are sufficient to mitigate the fraud risk statement in this blog. Or, risk and exposure are minimal, therefore they would pass on further review. But is it? The manager at the store has complete override control to keep the departed employee on the payroll system. Due to the nature of continual turnover, the manager has a continual supply of departed employees. The only real question is how the manager obtains the misappropriated funds. If paid by paper check, it is easy to divert the check. If paid by direct deposit, then the manager would need to change the bank account information.
Here is where practical knowledge is invaluable. I had a case where the store manager was in collusion with a manager at a bank. The bank manager would set up the bank account in the employee's name, then the bank manager would divert the payroll funds in a 50/50 relationship with the store manager.
So, each employee had a unique bank account number; the only anomaly was that all diverted payroll payments occurred at the same bank. This is why you need to consider the sophistication of the concealment theory.
Now, in the traditional risk assessment, most likely, the auditor would conclude that the fraud risk would have minimal financial impact. The auditor is most likely right if the fraud risk statement is only occurring at one location. However, there is another train of thought to consider: if the manager is stealing from payroll, is the manager stealing elsewhere? I understand both sets of reasoning.
Select a sample of transactions
For fraud detection, our sampling methodology is a focused and biased sample approach rather than a random selection of employees. The focus is based on the elements of the fraud risk statement; the bias is only selecting the payroll transactions that meet the criteria of the fraud risk statement.
The sample selection is simple. The first pass is to look at all terminated employees. Next, separate them into two samples – those paid with a paper check and those paid with direct deposit. Remember, our fraud risk statement is a temporary takeover scheme rather than a permanent takeover scheme.
You will need to exercise your judgment as to direct deposit or paper check. Within both populations, you will need to understand what the next criterion would be; this will help you shrink the sample population. Personally, I would use job titles to shrink the population. I would select those employees who must sign into the sales register system. This way, you have evidence of work performance or the lack of work performance.
Perform an audit procedure
If paid with a paper check, then compare the first payment to the last payment for a change in endorsement or change in the location of where the check was deposited or cashed.
If paid with direct deposit, we would look at the documentation supporting the change in bank account. Second, we would compare the new bank account to the manager’s bank account. Lastly, we would look to see whether all payments went to the same bank or financial institution.
Depending on the employee job duties, try to validate work performance up to the termination date.
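The sample selection and the direct deposit tests described above can be expressed as a short script. This is an added example, not part of the original blog; the records, field names, and the manager account number `A-99` are constructed for illustration.

```python
from collections import defaultdict
from datetime import date

# Constructed sample data (not from the original blog); field names are assumptions.
EMPLOYEES = {  # emp_id -> (termination date, job requires sales register sign-in)
    "E1": (date(2024, 3, 1), True),
    "E2": (date(2024, 3, 8), True),
    "E3": (date(2024, 3, 8), True),
    "E4": (None, True),  # still active, never sampled
}
PAYMENTS = [  # (emp_id, pay period end, method, bank routing no., account no.)
    ("E1", date(2024, 2, 23), "dd", "R-100", "A-11"),
    ("E1", date(2024, 3, 8), "dd", "R-900", "A-77"),
    ("E1", date(2024, 3, 15), "dd", "R-900", "A-77"),
    ("E2", date(2024, 3, 1), "dd", "R-200", "A-22"),
    ("E2", date(2024, 3, 15), "dd", "R-900", "A-78"),
    ("E3", date(2024, 3, 15), "check", None, None),
    ("E4", date(2024, 3, 15), "dd", "R-300", "A-44"),
]
REGISTER_LOGINS = {("E1", date(2024, 2, 20)), ("E2", date(2024, 2, 27))}
MANAGER_ACCOUNT = "A-99"  # hypothetical value

def select_sample(employees, payments):
    """Terminated register users paid for a period ending after termination, by pay method."""
    sample = {"dd": defaultdict(list), "check": defaultdict(list)}
    for emp, period_end, method, routing, account in payments:
        term, uses_register = employees[emp]
        if term and uses_register and period_end > term:
            sample[method][emp].append((period_end, routing, account))
    return sample

def direct_deposit_tests(employees, payments, logins, manager_account):
    """Account change, manager-account match, work evidence, and shared-bank tests."""
    findings, banks = {}, defaultdict(set)
    for emp, late in select_sample(employees, payments)["dd"].items():
        term = employees[emp][0]
        before = {(r, a) for e, p, m, r, a in payments if e == emp and p <= term}
        after = {(r, a) for _, r, a in late}
        findings[emp] = {
            "account_changed": bool(before) and not after <= before,
            "matches_manager": any(a == manager_account for _, a in after),
            "no_register_activity": not any(e == emp and d > term for e, d in logins),
        }
        for routing, _ in after:
            banks[routing].add(emp)
    shared = {r: sorted(e) for r, e in banks.items() if len(e) > 1}
    return findings, shared
```

In this constructed data, each diverted payment goes to a unique account, so only the shared routing number links E1 and E2. The check population (E3) still needs the manual endorsement comparison.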
Leonard’s Fraud Audit Rule
If you truly understand the fraud risk statement, then designing the audit procedure is a “piece of cake.”
Fraud Trivia
- Which AI technology is used to create realistic but fake videos or images of individuals?
  c) Deepfakes
- What is a behavioral biometric that AI can use to identify a legitimate user and prevent fraud?
  b) The user's typing speed and patterns.
- If you receive an unexpected request for money from a family member via a phone call, what is the best first step to take?
  c) Verify the request by contacting the person or institution directly through a known, trusted channel.
- In AI-generated text, what might be a sign that the content is fraudulent?
  a) c) Factual claims or statistics that cannot be verified.
- What is the primary advantage of using Machine Learning for fraud detection?
  b) It can learn from historical data
Let's try something different this month. For my runners: MARATHON TRIVIA
1. In which country & city does the marathon cross two continents?
2. What was my son’s place in the 2012 Boston Marathon?
3. What is the oldest annual marathon?
4. What is the folklore that started the marathon?
5. What is the age of the oldest person to run a marathon? Youngest?
6. Why is the Marathon 26.2 miles?


