In my December 2019 blog, I provided eleven statements intended to make you think about your audit plan and to help you create a dialog in your company about improving your ability to find fraud risk statements within your audit. In the January and February blogs, and in this one, I’m delving deeper into the issues.
Using random sampling for a fraud detection process should be called the “trip across fraud” technique. Yes, that is sarcasm. If we want to be relevant in the fraud detection discussion, we must incur the cost of fraud data analytics.
To repeat a quote from my book, Fraud Data Analytics Methodology, “Even the world’s best auditor using the world’s best audit program cannot detect fraud unless their sample includes a fraudulent transaction.” That is why fraud data analytics is so essential to the auditing profession in today’s world.
A hundred years ago, auditors would examine all of the accounts and transactions of an organization. As corporations grew in size and complexity, however, auditors examined fewer and fewer of the corporation’s financial transactions. Having auditors examine every transaction was clearly cost prohibitive. Over time, the profession created methodologies to audit large multinational organizations. This approach relied on internal controls. The assumption was that properly designed internal controls would mitigate the opportunity for people to commit fraud. Therefore, we did not need to examine every transaction recorded in a company’s general ledger.
But we know that the internal controls are not flawless, and fraud still occurs. So what are our options?
It is time! Through the use of computer technology and software, the auditing profession can once again examine every transaction. Life is truly a circle. Fraud data analytics is clearly the starting point to uncovering fraud in core business systems. However, I emphasize, “The starting point.” Fraud data analytics is all about creating a sample of transactions that have a higher probability of including a fraudulent transaction.
Over the last year, we have published a series of blogs that discusses our fraud data analytics methodology. I encourage you to read them.
Real fraud auditing requires less time than a traditional internal audit of internal controls. Currently, the general perception is that fraud auditing takes more time than a traditional audit. This seems to be one of the barriers to implementing fraud auditing.
It is important to note that I am making a few assumptions when I say that real fraud auditing takes less time than a traditional audit. For starters, I am not talking about incorporating fraud auditing into the current test of internal controls. Clearly, that would add time to the existing audit process. Rather, the statement compares a standalone fraud audit of a core business system to a traditional audit of internal controls of a core business system. So, what are some of the other assumptions?
- The comparison is of an experienced fraud auditor to an experienced traditional auditor.
- The auditor is using a fraud auditing methodology.
- The department has created fraud audit programs.
- The auditor has technical competence in the use of fraud data analytics.
- The auditor has access to the necessary data within the company, such as being able to compare the human resources database to the vendor database.
- The audit department has the necessary budget resources to perform fraud audit authenticity procedures.
So, why does fraud auditing require less time?
First, with the proper use of fraud data analytics, it is conceivable that you have a sample size of zero. If no transactions meet the red flag criteria of the search, then fraud data analytics is suggesting that the fraud risk statement did not occur in your scope period. If no transactions are identified, then it takes zero time to perform the testing.
It is my experience that control testing can have many control or document exceptions. Each exception requires follow-up, explanation and documentation. Fraud testing, conversely, tends to be more cut and dried. For instance, one of our tests for a shell company is a telephone call verification. The audit procedure is to determine whether the call is answered in a business professional manner. Think about it. Either the telephone is or is not answered in the way you would expect a real company to answer the telephone. If yes, you are finished; if not, you are linked to the next procedure.
In reality, some of the work does not require extensive experience. For instance, one of the vendor tests is to compare the Secretary of State vendor incorporation date to the date of the first invoice. If the first invoice date is within 90 days of the incorporation date, then you have a fraud audit exception. Does this test require a 10-year CPA, CFE, CIA? Or could the procedure be performed by a high school student?
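The incorporation-date test described above can be run over every vendor rather than a sample. The following is an added illustration, not code from the original post or from the author's methodology; it also shows the zero-exception outcome mentioned earlier. The vendor IDs, the data layout, the inclusive 90-day boundary, and the handling of missing registry records and of invoices dated before incorporation are assumptions made for this example.

```python
from datetime import date

WINDOW_DAYS = 90  # threshold stated in the post; inclusive boundary is an assumption

# Constructed sample data: registry incorporation dates and invoice lines.
INCORPORATED = {
    "V001": date(2015, 3, 2),
    "V002": date(2019, 6, 10),
    "V003": date(2019, 9, 1),
}
INVOICES = [
    ("V001", date(2019, 1, 15)),
    ("V002", date(2019, 8, 30)),   # 81 days after incorporation
    ("V002", date(2019, 7, 20)),   # earliest V002 invoice: 40 days after
    ("V003", date(2019, 8, 20)),   # dated before incorporation
    ("V004", date(2019, 5, 5)),    # no registry record on file
]

def first_invoice_dates(invoices):
    """Return the earliest invoice date per vendor; input order is irrelevant."""
    first = {}
    for vendor_id, inv_date in invoices:
        if vendor_id not in first or inv_date < first[vendor_id]:
            first[vendor_id] = inv_date
    return first

def new_vendor_exceptions(invoices, incorporated, window=WINDOW_DAYS):
    """List (vendor_id, gap_days, reason) for vendors needing follow-up."""
    exceptions = []
    for vendor_id, first in sorted(first_invoice_dates(invoices).items()):
        inc = incorporated.get(vendor_id)
        if inc is None:
            # Assumption: a vendor that cannot be evaluated is surfaced, not dropped.
            exceptions.append((vendor_id, None, "no incorporation record"))
            continue
        gap = (first - inc).days
        if gap < 0:
            # Assumption: billing before the entity existed is reported separately.
            exceptions.append((vendor_id, gap, "invoice predates incorporation"))
        elif gap <= window:
            exceptions.append((vendor_id, gap, "first invoice within window"))
    return exceptions

if __name__ == "__main__":
    for row in new_vendor_exceptions(INVOICES, INCORPORATED):
        print(row)
```

An empty list from `new_vendor_exceptions` is the sample size of zero for this test.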
Remember, the conclusion of the fraud audit is whether there is a need for a fraud investigation. Said another way, there is a logical conclusion to the fraud audit. Either the transaction has unresolved red flags, or the transaction does not have unresolved red flags.
So, what does your audit department need to do?
- Implement a logic-based methodology to create fraud risk statements for your clients.
- Invest in the use of true fraud data analytics.
- Select a fraud audit strategy and train your department in how to use the methodology. This training must include everyone, including the CAE.
- Build fraud audit programs for your core business systems.
- Recognize that the fraud auditor has a technical skill, much like your IT Auditor.
- Understand that there is a learning curve to implementing fraud auditing.