Let’s start out with a question: Is the audit profession doing a better job today than 20 years ago in responding to the risk of fraud in audits?
Various studies indicate that whistle blowers and accidents are still the number one reason for detecting frauds while the audit process is still on the bottom of the list. So, I guess the answer to the question is “no!”
I do not, however, think this is a reflection on the people working in the profession but rather the tools, or lack there of, that auditors are using in the audit.
Fraud costs organizations millions of dollars each year. Simply Google the phrase “shell company fraud scheme” and you will discover more news stories than you have time to read. So, if the auditor detects and stops a fraud scheme, the auditor has added real money to the bottom line. Which leads to another question: Do you want to explain to your audit committee that your department did not detect a 63 million dollar fraud?
I believe that by using the right tools, the auditing profession can become the number one reason for fraud detection. In this blog, we’re going to look at some of those tools and the opportunity to use them effectively.
There are four fundamental approaches to integrating fraud into the audit program. Here they are in in order of their effectiveness in fraud detection.
- Prepare a fraud risk assessment that includes creating a comprehensive listing of fraud risk statements that link to the internal controls and rates the control effectiveness. The final determination is the rating of residual risk.
- Perform internal control testing and be alert to the red flags.
- Integrate a fraud test into the internal control testing.
- Create a fraud audit program that includes the use of fraud data analytics and fraud tests.
We’re going to consider the pros and cons of each strategy. As someone who performs fraud audits and routinely teaches classes on fraud auditing, I will also provide my insights and talk about the opportunities to use them. Finally, we will conclude with practical illustration of the four techniques.
Prepare a Fraud Risk Assessment
Pros: It is simple. The auditing profession has used risk assessment in the planning stage for years. Auditors are knowledgeable regarding internal controls.
Cons: It is simple. The technique is not intended to detect fraud. The approach is designed to determine if the organization has the key controls to mitigate fraud. Unfortunately, perpetrators learn how to circumvent internal controls.
Insights: The fraud risk statements in auditors’ work papers are not written to drive the audit program. I.e. Risk of bribery in the purchasing function. The statement does not provide the auditor any direction on how to design an audit test or respond to the risk of fraud. While a seasoned fraud examiner may know what to look for, would an entry level staff auditor?
Opportunities: adopt a methodology to write fraud risk statements. The fraud risk statement should provide clear guidance on how the fraud scheme lives and breathes in the core business systems. Use the fraud brain storming session to discuss how to detect the fraud risk statements versus a general discussion of fraud. Discuss the natural vulnerabilities associated with internal controls that create the fraud scenarios.
Fraud scenarios are “how” someone commits the fraud risk statement through either an internal control weakness or through the natural vulnerabilities. Think of this stage as a system penetration test often used in testing computer system access or as a deep dive on the adequacy of your internal controls. This stage is designed to identify the nooks and crannies where a fraud perpetrator lies and waits.
Perform Internal Control Testing and be Alert to Red Flags
Pros: It is simple. The auditing profession has performed internal control testing since the beginning of time.
Cons: The control test has an inherent flaw regarding fraud. If the fraud perpetrator is the control owner, then testing the existence of the internal control will not detect the fraud scheme. Second, there are many fraud schemes that can occur and fully comply with internal controls. Lastly, there is no documentation in the work papers as to what red flags the auditor should look for in the examination of a transaction.
Insights: The profession is not incorporating actual red flags into the audit program. There seems to be a presumption that the auditor performing the audit step will observe a red flag based on their life experiences. But that is not reliable. For over twenty years in my classes, I have provided seminar delegates a vendor invoice from a real fraud scheme involving a pass through shell company scheme. To date, no one, ranging from the chief auditor to an entry level staff, has identified the five primary red flags.
Opportunities: Identify actual red flags on documents, data and internal controls that link to a fraud risk statement. Include the red flags in the audit program. Discuss the concept of the sophistication of fraud concealment and consider how it impacts your audit program.
Integrate a Fraud Test into the Control Testing
Pros: The auditor is adding an audit step (s) into the preexisting audit program. The audit program will have a documented response to a fraud risk statement.
Cons: Random samples are not designed for fraud detection but rather to offer an opinion on the operating effectiveness of internal controls over a period of time.
Insights: Fraud is a technical skill. Auditors need to improve their knowledge of fraud risk statements and the associated red flags that link to the fraud risk statement. We need to stop debating whether a fraud test is an investigation procedure or an audit step. The key is to focus on the quality of evidence collected through the audit process.
Opportunities: Design a fraud test that targets the fraud risk statement. If the scheme involves a false entity, design an audit step that targets the entity,If the entity is real, then design an audit step that targets the fraud action statement. The intent of the audit step is not to prove fraud but rather the need for a fraud investigation.
Create a Fraud Audit Program
Pros: The most effective audit approach to detect fraud in core business systems.
Cons: Creating a fraud audit program will initially require additional audit time because the concept of fraud testing is a new skill for most auditors.
Insights: As I have said many times, even the world’s best auditor using the world’s best audit program cannot detect fraud unless their sample includes a fraudulent transaction. The fraud audit program is the right tool to detect fraud. Unfortunately, only a handful of audit departments have successfully implemented a fraud audit program.
Opportunities: Allocate the resources to build a fraud data analytics program for your core business systems. Achieving this opportunity is more involved than buying the software. It will include improving your fraud risk assessment, understanding the difference between a control test and a fraud test.
Illustrating the Concepts in the Four Strategies.
Let’s take a look at how these four strategies can be applied. We’ll use the expenditure cycle, which is one of the most commonly targeted business cycles for both internal and external parties to commit fraud schemes that could be material to your organization.
Perform a Fraud Risk Assessment
The following is an example of how to write a fraud risk statement in a procurement audit.
Fraud Risk Statement: False requirements or specifications by corrupting the internal real supplier selection procedures:
- Internal person in collusion with a real supplier -- the bid specifications are written with vague criteria to allow for corruption of the bid evaluation process or vendor selection process.
- Internal person in collusion with a real supplier -- the real supplier bid specifications are written in a vague manner to allow for future product substitution.
The fraud audit program directs the auditor to perform procedures to evaluate whether the specifications are written in a vague manner or consistent with industry standards. These questions need to be asked regarding fraud prevention or fraud detection controls:
How does management approve changes?
How does management monitor changes to procurement?
How robust are controls over receipt of goods?
What about receipt of services?
Who is evaluating vendor questions prior to the receipt of bids?
Is there proper separation of duties between the designs of a specifications and the communications between vendors?
Remember, the goal is to identify the natural control vulnerabilities and the fraud opportunities. The conclusion is whether or not fraud prevention and fraud detection controls are adequately designed.
Perform Internal Control Testing
In the examination of a vendor invoice for tangible goods, add the following step:
Review the vendor invoice line item description as to the numeric description and the alpha description for the following red flags:
- The vendor line item description is missing alpha or numeric description elements. The description is vague.
- The numeric string is less than five positions. It is not consistent with industry standards.
The conclusion is whether or not the vendor invoice adequately describes what your company is purchasing and whether or not that vendor description is consistent with industry standards.
Integrate a Fraud Test into the Audit Program
The following risk statement is included in the fraud risk assessment:
Budget owner acting alone or in collusion with a direct report causes a shell company to be set up on the vendor master file, processes a purchase order or contract, and approves a fake invoice for goods or services not received causing the diversion of company funds.
Fraud Audit Procedure: Review vendor payment history for evidence of a sequential pattern of invoice numbers.
Create a Fraud Audit Program
Using the proceeding fraud risk statement, the following illustrates how to develop a fraud data analytics plan and an audit procedure.
- Develop a fraud data analytics routine to search for all vendors that have a sequential pattern of vendor invoices.
- Perform a site visit of the vendor location to verify the physical existence of a company.
It is time for the auditing profession to become the number one reason for fraud detection. Our profession has the talent to detect fraud, but we need the tools designed to detect fraud risk statements that are lurking in our core business systems. This paper has presented four ways to accomplish this task.
Integrating fraud into our audit program requires a different way of thinking about our audit process. I offer the following goals for senior audit management:
- Recognize fraud auditing as a technical skill.
- Adopt a methodology designed for fraud detection.
- Aggressively invest in building fraud data analytics.
- Educate your audit committee and management on the difference between control testing and fraud testing. The approaches are similar but very different. You will need management support to perform real fraud auditing.