In this blog, we're going to talk about the Fraud Action Statement, the "what" part of the Fraud Risk Statement, but first the answers to the fraud trivia from the last blog:
What was the first recorded financial collapse? Medici Bank went insolvent in 1494 due to extensive spending. Check out Business Insider’s List of the worst company collapses in history.
Who coined the phrase “White Collar Crime”? Criminologist Edwin Sutherland created the phrase in the 1930s
.Name a CEO of a publicly traded company that lied about their credentials. You may be surprised how many there are.
I selected David Edmondson of Radio Shack. In January 2005, shortly after RadioShack announced that Edmondson would be taking over as CEO, he was arrested in Southlake, Texas, for driving while intoxicated, his third such charge. Edmondson pleaded guilty and was sentenced to 30 days in jail. The incident prompted the Fort Worth Star-Telegram to begin looking more closely at his past. Source Wiki.
Name a CEO who committed a material asset misappropriation scheme. Hint: There may be more than you think. Parmalat, Polly Peck, Tyco plus all the Ponzi schemes.
Name a college football head coach that never played football. George O’Leary, who coached Notre Dame for five days, stated in his resume that he received three letters for playing football. However, the college records showed he never played football. Source NY Times.
What is the relevance of these questions? Professional skepticism is more than just a state of mind, it requires corroboration of the facts, regardless of who is making the statement.
In setting up a fraud audit, we’ve discussed developing the Fraud Risk Statement. This includes the person committing the fraud. The next part is the Fraud Action Statement, an act committed by the person committing the Fraud Risk Statement. The Fraud Action Statement is “what” the person is doing rather than “how” the person is committing the fraud scheme.
In writing the fraud action section of the fraud risk statement, you will need to decide if you want to be high-level or very specific. Regardless of what you choose, your knowledge of the fraud action should be very specific. I think sometimes it is easier to illustrate the concept than try to explain the concept, so let’s look at the expenditure cycle to illustrate the concept of a generic-level description of the fraud action rather than a detailed description of the Fraud Action Statement. Within the expenditure cycle we will use product substitution to illustrate the concept:
First, product substitution refers to the knowing and willful replacement of something, without the purchaser's knowledge or consent. Follow the step-down process starting with a generic description of the Fraud Action Statement to the eventual specific description. We will look at four levels from the most general to the most specific.
Highest (generic) level: Vendor overbills the company.
Second level: Vendor commits a product substitution scheme.
Third level, perpetrated by supplier:
Fraud Risk Statement: Supplier alone (or in collusion with an internal person) commits a product substitution scheme (or provided expired goods) resulting in warranty issues (or internal person receives a bribe for accepting expired goods).
This could be a
Third level, perpetrated by the manufacturer:
Fraud Risk Statement: Manufacturer alone intentionally misstates facts about the composition of their goods resulting in potential legal liabilities costs.
This could include
Third level, perpetrated by a counterfeiter
Fraud Risk Statement: Counterfeiter sells to your company mislabeled refurbished components resulting in damages to company reputation.
This could include:
Fourth level, expenditure specific
Fraud risk statement and expenditure specific.
I would argue that even at the most detailed level, the relevance of the statement needs to coincide with your expenditure area. Think how your fraud risk statement would change if your expenditure was construction compared to food or more specifically, seafood?
Also, think about how your Fraud Risk Statement would change at this level if you changed the person committing the scheme. How is it different if that person is the receiver or senior manager and acts alone or in collusion?
Let’s assume you are preparing a Fraud Risk Assessment for the purchase of seafood. The following examples illustrate a more specific Fraud Risk Statement.
Why, you may ask, did I select sea bass or snapper? Current studies indicate that these two fish may have a mislabeling rate as high as 70%. Knowledge of the product enhances the fraud auditor’s ability to create a fraud risk statement that tells the fraud auditor what to look for and how to create specific red flags.
The Fraud Risk Statement does not specifically state the concealment strategy but certainly infers the concealment strategy. If you think about the preceding examples, they infer that by using a white fish, the end user will not be able to distinguish between the sea bass and the less desirable fish.
Take the first example for instance. Since the label on the box indicates wild catch rather than farm-raised, the receiver will indicate that the physical item matches the purchase order. Accounting will pay the invoice because the purchase order and the receiving report indicate a positive match. The test of internal controls will indicate compliance. But would the fraud auditor be fooled? You will need to ask that question of yourself.
So, at what level should you write your fraud risk statement?
It is not for me to say. I would like you to draw your own conclusions. The factors that I would look for are:
Developing these skills and obtaining knowledge is how we will make audit the number one reason for fraud detection. Next month we will elaborate on how to create fraud risk statements using the payroll core business system.