Professional Skepticism… How can we become number one in fraud detection?
If audit desires to be the number one reason for fraud detection, then what does our profession need to do? This blog is written for auditors who desire the audit profession to be the number one reason for fraud detection. I will challenge our current beliefs and methodologies, not to say they are right or wrong but to cause you to think. After all, a key component of professional skepticism is a questioning mind.
To quote a famous Disney movie, Lion King: It is time! The audit profession must improve our skills in fraud detection if we want to truly add value and reduce the cost of fraud. Let’s focus on two of the fraud statistics provided by the ACFE:
- Cost of fraud to an organization. Think about how much money the audit function could save the organization if we could cut this statistic in half.
- Duration of a fraud before detection. I use the phrase: “increase the perception of detection.” If we could convince perpetrators that they would be caught, wouldn’t they be less likely to commit the act? Think of this strategy as a fraud deterrence control.
For the audit profession, I offer the following suggestions to enhance professional skepticism throughout the audit process:
Auditor’s attributes: Recognize the importance of fraud audit knowledge.
- Recognize the position of fraud auditor as a skilled position.
- Identify the necessary fraud knowledge to meet the standard of “Duty of Care” in the conduct of an audit.
- Create a professional certification for fraud auditing.
Auditor’s mindset: Understand the difference between pure skepticism and fraud-educated skepticism.
- Create a comprehensive encyclopedia of fraud risk statements for core business systems.
- Provide real guidance on “how to” integrate fraud testing into the audit program.
- Understand internal control’s logical limitations in regard to fraud prevention and fraud detection.
Auditor’s actions: Improve the competency of audit evidence that formulates our opinions regarding the existence of fraud or the lack of existence of fraudulent transactions in a core business system.
- Provide practical guidance on “creditable audit evidence” in regard to intentional errors (fraud).
- Provide guidance on how to calibrate audit procedures for the sophistication of fraud concealment.
- Improve audit sampling for fraud detection by investing heavily in fraud data analytics.
So a few thoughts to explain my suggestions for the profession:
Create the position of fraud auditor
In 1979 I was an internal auditor for Cluett & Peabody in Troy, NY. The company was in the apparel business, best known for the Arrow shirt brand. I was in the financial audit side of the department. Then an opening occurred in the audit department for an EDP Auditor. Yes, that was the title for an IT Auditor back in the seventies. I remember thinking, how could any auditor be successful without a strong IT knowledge? It was recognized then and now that IT audit was a specialized audit skill. Only someone with IT knowledge could hold the position. Even then, a staff auditor was expected to have a minimum IT knowledge.
I would suggest that the Fraud Auditor is the equivalent of an IT Auditor. Clearly the positions involve different knowledge and different skills but both require a specialized knowledge. We need to recognize the importance of having a specialist that understands how to integrate fraud into the audit process. We could call this person the Fraud Auditor, much like the IT Auditor. Secondly, we need to recognize that all auditors should have minimum fraud audit knowledge and skills. Maybe, just maybe, we need a certification in fraud auditing. Today I think, how could an auditor be successful without a strong fraud audit knowledge?
Create a comprehensive encyclopedia of fraud risk statements for core business systems
I have been teaching for over 30 years. One of the most common questions from students is whether there is a resource listing of fraud risk statements facing a core business system. I always say no, although I have created such a list for my consulting purposes. It is time for our profession to publish such a list. I have blogs that describe a process for creating fraud risk statements. This could be a starting point, but I think the profession needs to publish a real process for fraud risk identification. The process should be a “how to” rather than a “what to”!
Recognize internal control limitations
Whenever a major fraud is published, our profession immediately starts the discussion of internal control failure. While there is some truth to the statement that fraud occurs because of control failure, there is also some misrepresentation in that statement. There are many fraud risk statements that can comply with all the stated controls but someone can still commit the fraud scheme. Is this a control failure or the reality of limits on what internal controls can accomplish?
We must also recognize the concept of “internal control inhibitor”. These are the conditions that inhibit a control from operating as designed. Some of the common factors are collusion, management override, management influence, non-performance of a control procedure, human fallibility, and so on. We cannot ignore these conditions. More often than not, these conditions create the illusion of compliance, when in fact the person is committing a fraud scheme.
Audit tests must go beyond the evidence of an internal control; the audit test must go to the authenticity of the representation made by the internal control. In legal matters, attorneys will argue substance over form or form over substance. In my opinion, the traditional test of controls answers the form question but fails to answer the substance question. To detect fraud, auditors will need to answer the substance question.
Integrate a fraud audit process into our traditional audit testing
To understand this concept, I think it is necessary to define a fraud risk statement and a fraud scenario. They are similar, but they are different tools for different jobs.
Fraud Risk Statement: Description of a threat facing the organization that has an element of deceit or concealment.
Fraud Scenario: How someone would perpetrate a fraud risk statement against your organization.
I believe there are four fundamental approaches to integrating fraud into the audit process, as follows:
- Perform a fraud risk assessment with the fraud scenario approach. There is no change to the field work stage. The focus is on the adequacy of the design of internal controls to mitigate a fraud scenario. The fieldwork methodology follows the traditional internal control approach.
- Use the red flag approach combined with a fraud risk statement approach. The sampling phase is random, but the audit program includes document red flags or control red flags associated with the fraud risk statement.
- Integrate fraud test procedure within the internal control approach. The sampling is random, but a fraud test procedure is added to the test of internal controls.
- Use the fraud audit approach driven by the fraud risk statement. The sampling is based on fraud data analytics, and the test procedure uses a fraud audit test procedure. There is no testing of internal controls.
I will not be presumptuous and suggest which strategy is the right one for your organization. What is important is that your audit function has a fraud audit strategy. Then and only then can the auditor develop the knowledge and skills to use the strategy in the conduct of an audit.
Improve our sampling methodology for fraud detection
In writing my third book, I had a realization: Even the world’s best auditor using the world’s best audit program cannot detect fraud unless their sample includes a fraudulent transaction.
Many, many years ago, auditors tested all the accounts. Now auditors examine a percent of the population so small that no one outside the audit profession would ever understand how an auditor could issue an opinion. Sorry, but that is the truth.
Yet, with the power of audit software, we have the ability to examine all the transactions. Right now there are companies that are creating fraud detection software. I think many of these companies are in the infancy stage. What does this mean to us? Well, someone believes that fraud detection software is possible. Personally, I think the audit profession is far better skilled to accomplish the task but if we wait, will companies need auditors?
I have dedicated my career to the field of auditing. So, please do not read my blog as someone who is a malcontent. I believe that auditing is a necessary requirement for companies to maintain proper governance and stewardship of company assets. I also believe it is time for our profession to raise the bar regarding fraud detection. We have very bright and hardworking people in our profession. “It is time” to provide auditors with the proper tools to detect fraud.
So, is a lack of professional skepticism the right reason for audit failure or is it the absence of the right audit tools?