Professional Skepticism… How we can become number one in fraud detection?
If audit desires to be the number one reason for fraud detection, then what does our profession need to do? This blog is written for auditors who desire the audit profession to be the number one reason for fraud detection. I will challenge our current beliefs and methodologies, not to say they are right or wrong but to cause you to think. After all, a key component of professional skepticism is a questioning mind.
To quote a famous Disney movie, Lion King: It is time! The audit profession must improve our skills in fraud detection if we want to truly add value and reduce the cost of fraud. Let’s focus on two of the fraud statistics provided by the ACFE:
Cost of fraud to an organization. Think about how much money the audit function could save the organization if we could cut this statistic in half.
Duration of a fraud before detection. I use the phrase: “increase the perception of detection.” If we could convince perpetrators that they would be caught, wouldn’t they be less likely to commit the act? Think of this strategy as a fraud deterrence control.
For the audit profession, I offer the following suggestions to enhance professional skepticism throughout the audit process:
Auditor’s attributes: Recognize the importance of fraud audit knowledge.
Auditor’s mindset: Understand the difference between pure skepticism and fraud-educated skepticism.
Auditor’s actions: Improve the competency of audit evidence that formulate our opinions regarding the existence of fraud or the lack of existence of fraudulent transactions in a core business system.
So a few thoughts to explain my suggestions for the profession:
In 1979 I was an internal auditor for Cluett & Peabody in Troy, NY. The company was in the apparel business, best known for the arrow shirt brand. I was in the financial audit side of the department. Then an opening occurred in the audit department for an EDP Auditor. Yes, that was the title for an IT Auditor back in the seventies. I remember thinking, how could any auditor be successful without a strong IT knowledge? It was recognized then and now that IT audit was a specialized audit skill. Only someone with IT knowledge could hold the position. Even then, a staff auditor was expected to have a minimum IT knowledge.
I would suggest that the Fraud Auditor is the equivalent of an IT Auditor. Clearly the positions involve different knowledge and different skills but both require a specialized knowledge. We need to recognize the importance of having a specialist that understands how to integrate fraud into the audit process. We could call this person the Fraud Auditor, much like the IT Auditor. Secondly, we need to recognize that all auditors should have minimum fraud audit knowledge and skills. Maybe, just maybe, we need a need a certification in fraud auditing. Today I think, how could an auditor be successful without a strong fraud audit knowledge?
I have been teaching for over 30 years. One of the most common questions from students is whether there is a resource listing of fraud risk statements facing a core business system. I always say no, although I have created such a list for my consulting purposes. It is time for our profession to publish such a list. I have blogs that describe a process for creating fraud risk statements. This could be a starting point, but I think the profession needs to publish a real process for fraud risk identification. The process should be a “how to” rather than a “what to”!
Whenever a major fraud is published, our profession immediately starts the discussion of internal control failure. While there is some truth to the statement that fraud occurs because of control failure, there is also some misrepresentation in that statement. There are many fraud risk statements that can comply with all the stated controls but someone can still commit the fraud scheme. Is this a control failure or the reality of limits on what internal controls can accomplish?
We must also recognize the concept of “internal control inhibitor”. These are the conditions that inhibit a control from operating as designed. Some of the common factors are collusion, management override, management influence, non-performance of a control procedure, human fallibility, and so on. We cannot ignore these conditions. More often than not, these conditions create the illusion of compliance, when in fact the person is committing a fraud scheme.
Audit tests must go beyond the evidence of an internal control, the audit test must go to the authenticity of the representation made by the internal control. In legal matters, attorneys will argue substance over form or form over substance. In my opinion, the traditional test of controls answers the form question but fails to answer the substance question. To detect fraud, auditors will need to answer the substance question.
To understand this concept, I think it is necessary to define a fraud risk statement and a fraud scenario. They are similar, but they are different tools for different jobs.
Fraud Risk Statement: Description of a threat facing the organization that has an element of deceit or concealment.
Fraud Scenario: How someone would perpetrate a fraud risk statement against your organization.
I believe there are four fundamental approaches to integrating fraud into the audit process, as follows:
I will not be presumptuous and suggest which strategy is the right one for your organization. What is important, is that your audit function has a fraud audit strategy. Then and only then can the auditor develop the knowledge and skills to use the strategy in the conduct of an audit.
In writing my third book, I had a realization: Even the world’s best auditor using the world’s best audit program cannot detect fraud unless their sample includes a fraudulent transaction.
Many, many years ago, auditors tested all the accounts. Now auditors examine a percent of the population so small that no one outside the audit profession would ever understand how an auditor could issue an opinion. Sorry, but that is the truth.
Yet, with the power of audit software, we have the ability to examine all the transactions. Right now there are companies that are creating fraud detection software. I think many of these companies are in the infancy stage. What does this mean to us? Well, someone believes that fraud detection software is possible. Personally, I think the audit profession is far better skilled to accomplish the task but if we wait, will companies need auditors?
I have dedicated my career to the field of auditing. So, please do not read my blog as someone who is a malcontent. I believe that auditing is a necessary requirement for companies to maintain proper governance and stewardship of company assets. I also believe it is time for our profession to raise the bar regarding fraud detection. We have very bright and hardworking people in our profession. “It is time” to provide auditors with the proper tools to detect fraud.
So, is a lack professional skepticism the right reason for audit failure or is it the absence of the right audit tools?