As we have discussed in previous blogs, the new fraud auditing standards require you to bring a “deeper understanding of potential fraud schemes into their audit planning and execution.”
Last month, we discussed how to achieve a deeper understanding of fraud risk. We used a ghost employee scheme to illustrate the concept. This month, we will discuss how to incorporate that deeper understanding into your work. For ease of reference, I will provide the fraud risk statements:
Store manager takes over for a limited time the identity of an employee who has departed the workplace. The store manager causes hours worked to be entered into the timekeeping system for the departed employee and subsequently diverts the departed employee’s wages.
Or,
Store manager takes for a limited period of time the identity of an employee prior to their first scheduled work week. The store manager causes hours worked to be entered into the timekeeping system for the new employee and subsequently diverts the new employee’s wages.
Now we will discuss how to plan and execute your audit to properly respond to the risk of fraud. In my way of thinking, our audit plan has three components.
Before you read any further, this is meant to be an easy illustration of how to bring a deeper understanding of potential fraud schemes into your audit planning and execution. Whether you are auditing journal entries, revenue recognition, corruption schemes, or any asset misappropriation scheme, the thought process is the same.
I suspect most auditors would conclude that internal controls are sufficient to mitigate the fraud risk statement in this blog. Or they would conclude that risk and exposure are minimal and therefore pass on further review. But is that right? The manager at the store has complete override control to keep the departed employee on the payroll system. Due to the nature of continual turnover, the manager has a continual supply of departed employees. The only real question is how the manager obtains the misappropriated funds. If paid by paper check, it is easy to divert the check. If paid by direct deposit, then the manager would need to change the bank account information.
Here is where practical knowledge is invaluable. I had a case where the store manager was in collusion with a manager at a bank. The bank manager would set up the bank account in the employee's name, then the bank manager would divert the payroll funds in a 50/50 relationship with the store manager.
So, each employee had a unique bank account number; the only anomaly was that all diverted payroll payments occurred at the same bank. This is why you need to consider the sophistication of the concealment theory.
Now, in the traditional risk assessment, most likely, the auditor would conclude that the fraud risk would have minimal financial impact. The auditor is most likely right if the fraud risk statement is only occurring at one location. However, there is another train of thought to consider: if the manager is stealing from payroll, is the manager stealing elsewhere? I understand both sets of reasoning.
For fraud detection, our sampling methodology is a focused and biased sample approach rather than a random selection of employees. The focus is based on the elements of the fraud risk statement; the bias is only selecting the payroll transactions that meet the criteria of the fraud risk statement.
The sample selection is simple. The first pass is to look at all terminated employees. Next, separate them into two samples – those paid with a paper check and those paid with direct deposit. Remember, our fraud risk statement is a temporary takeover scheme rather than a permanent takeover scheme.
You will need to exercise your judgment as to direct deposit or paper check. Within both populations, you will need to understand what the next criterion would be; this will help you shrink the sample population. Personally, I would use job titles to shrink the population. I would select those employees who must sign into the sales register system. This way, you have evidence of work performance or the lack of work performance.
If paid with a paper check, then compare the first payment to the last payment for a change in endorsement or change in the location of where the check was deposited or cashed.
If paid with direct deposit, we would look at the documentation supporting the change in bank account. Second, we would compare the new bank account to the manager’s bank account. Lastly, we would look to see whether all payments went to the same bank or financial institution.
Depending on the employee job duties, try to validate work performance up to the termination date.
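The direct deposit tests above can be run as a data analytics pass over payroll records. The following is an added example, not part of the original post; the record layout, field names, bank labels, and the rule of flagging pay periods that end after the termination date are all assumptions, and the data is constructed.

```python
from collections import Counter
from datetime import date

# Constructed sample data; all names and values are illustrative assumptions.
EMPLOYEES = {  # id -> store, termination date (None = active), payment method
    "E1": {"store": "S1", "term": date(2024, 3, 1), "pay": "deposit"},
    "E2": {"store": "S1", "term": date(2024, 3, 8), "pay": "deposit"},
    "E3": {"store": "S2", "term": date(2024, 3, 1), "pay": "deposit"},
    "E4": {"store": "S1", "term": None, "pay": "deposit"},
}
MANAGER_ACCOUNTS = {"S1": ("BANK-A", "9000"), "S2": ("BANK-B", "9100")}
PAYMENTS = [  # (employee, pay period end, bank, account)
    ("E1", date(2024, 2, 23), "BANK-B", "1001"),
    ("E1", date(2024, 3, 8), "BANK-Z", "5001"),
    ("E2", date(2024, 3, 1), "BANK-A", "1002"),
    ("E2", date(2024, 3, 15), "BANK-Z", "5002"),
    ("E3", date(2024, 2, 23), "BANK-B", "1003"),
    ("E4", date(2024, 3, 15), "BANK-A", "1004"),
]

def focused_sample(employees, payments):
    """Direct deposits to terminated employees for periods ending after termination."""
    return [p for p in payments
            if employees[p[0]]["pay"] == "deposit"
            and employees[p[0]]["term"] is not None
            and p[1] > employees[p[0]]["term"]]

def account_changed(emp, payments):
    """First payment versus last payment: did the destination account change?"""
    own = sorted(p for p in payments if p[0] == emp)
    return own[0][2:] != own[-1][2:]

def matches_manager(hit, employees, manager_accounts):
    """Does the flagged payment go to the store manager's own account?"""
    return hit[2:] == manager_accounts[employees[hit[0]]["store"]]

def bank_concentration(hits):
    """Distinct flagged employees per receiving bank (the collusion anomaly)."""
    return Counter(bank for bank, _emp in {(h[2], h[0]) for h in hits})

if __name__ == "__main__":
    hits = focused_sample(EMPLOYEES, PAYMENTS)
    for h in hits:
        print(h[0], h[1], "changed:", account_changed(h[0], PAYMENTS),
              "manager acct:", matches_manager(h, EMPLOYEES, MANAGER_ACCOUNTS))
    print(bank_concentration(hits).most_common())
```

In the constructed data neither flagged account matches the manager's own, yet both flagged employees are paid into the same bank, which is the pattern from the collusion case described earlier.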
If you truly understand the fraud risk statement, then designing the audit procedure is a “piece of cake.”
1. In which country & city does the marathon cross two continents?
2. What was my son’s place in the 2012 Boston Marathon?
3. What is the oldest annual marathon?
4. What is the folklore that started the marathon?
5. What is the age of the oldest person to run a marathon? Youngest?
6. Why is the Marathon 26.2 miles?