Fraud Auditing, Detection, and Prevention Blog

Principles or Rules for Fraud Auditing?

Jun 15, 2023 6:39:42 PM / by Leonard W. Vona

In accountancy, there are frequent discussions about a principle-based approach to GAAP vs. a rule-based approach. That is an equally valid discussion for fraud auditing. As you read, I hope you will reflect on whether a principle-based or a rule-based approach would be of more benefit to your organization.

In last month's blog post, we discussed some of the guiding principles of fraud auditing. In this month’s blog we focus on the rules that would correspond with the principles.

Answers to last month’s Trivia

In what year was the first record of an audit being performed?

I will provide two answers:

As early as the 5th and 4th centuries BC, both the Romans and Greeks devised careful systems of checks and counterchecks to ensure the accuracy of their reports. In English-speaking countries, records from the Exchequers of England and Scotland (1130) have provided the earliest written references to auditing. Source: Britannica

Modern auditing began in 1844 when the British Parliament passed the Joint Stock Companies Act. For the first time, the act required that directors report to shareholders via an audited financial statement, the balance sheet. Source: Lavneet Bansal

Which US State was the first to create the designation of Certified Public Accountant (CPA), and in what year? New York State, April 17, 1896. It was called a Certificate of Public Accountancy.

What was the name of the first person to receive an NYS CPA license? Frank Broaker has license # 1.

What was the name of the first person to pass the CPA exam? Joseph Hardcastle, who would go on to become an accounting theorist and an NYU Professor.

In what year were calculators allowed for use in the CPA exam? 1994. Yes, I passed the exam without a calculator.

In Australia, what does the designation CPA stand for? Certified Practicing Accountant

In 1887, the American Association of Public Accountants was created. What is the primary purpose of the organization? Here goes a history lesson: The American Institute of Certified Public Accountants (AICPA) and its predecessors have a history dating back to 1887 when the American Association of Public Accountants (AAPA) was formed. In 1916, the American Association was succeeded by the Institute of Public Accountants, when there was a membership of 1,150. The name was changed to the American Institute of Accountants in 1917 and remained so until 1957 when it changed to its current name of the American Institute of Certified Public Accountants. The American Society of Certified Public Accountants was formed in 1921 and acted as a federation of state societies. The Society was merged into the Institute in 1936 and, at that time, the Institute agreed to restrict its future members to CPAs.

The eventual purpose was to create a uniform CPA exam, which was administered by NASBA. And I thought NASBA was all about CPE. Source: AICPA.

Principles Vs. Rules

Principles are more of a concept while rules provide stricter guidelines. Let's take a look at the principles of fraud auditing along with my corresponding rules.

Principle: Search for an intentional error rather than an unintentional error

Leonard’s rule: Fraud auditing must be designed to search for intentional errors.

An unintentional error is commonly called a mistake. By definition, mistakes are not intentional, willful, or concealed. Yes, after the fact someone may try to cover up their goof (that is a technical term for error). The intentional error, by contrast, is committed with intent. It is willful. The person has motive and, most importantly, will attempt to conceal their actions.

The auditing standards since 1988, SAS # 053, have called an intentional error by many different terms, such as irregularities or “management fraud, and misappropriation of assets, sometimes called defalcations.”

So, the first rule is to define the intentional errors that an individual can commit in the conduct of their duties, with enough explanation that an auditor would be able to see the intentional error.

Principle: Rely on the quality of evidence rather than the quantity of evidence.

Leonard’s rule: You judge the authenticity based on where the document was created and where the document is stored. The goal of the fraud auditor is to gather evidence that was externally created and externally stored by the control owner.

The legal definition of authenticity means the act of proving that something is true or genuine. The term “continually used by the courts without apparent difficulty, seems almost to defy precise definition.” Source: Black’s Law Dictionary.

Principle: Audit steps are designed to verify the authenticity of the control/document/representations rather than internal representations made by management.

Leonard’s rule: The audit test must gather evidence to affirm the genuineness of the performance of the internal control, the document, or the representation made by management. The mere visual sighting is not sufficient.

Principle: Consider a fraud risk statement rather than consider fraud.

Leonard’s rule: The auditor must define or identify the fraud risk statements that are included in the scope of the audit. The fraud risk statements are the basis for assessing likelihood, sample development, and audit procedure. The thought process and actual audit work will consider fraud concealment as an integral part of the audit program.

Principle: Assessing the likelihood of fraud occurring rather than a residual control/risk assessment.

Before we get to Leonard’s rule, let's consider that these two statements sound synonymous. They are in fact very different. This distinction is truly at the heart of the difference between today’s auditing philosophy and the fraud auditing philosophy.

Residual risk focuses on the design and effectiveness of internal controls. The theory is simple -- if the control is adequately designed and appears to be operating effectively, then it suggests that someone could not perpetrate a fraud scheme. Whereas “assessing the likelihood of fraud occurring” means that the scheme did not occur in the scope period.

Simply stated, one says the fraud risk statement did not occur, whereas the other says it should not occur.

To illustrate the difference between the two concepts, let’s look at the following fraud risk statement:

The manager of a retail store causes a real, non-complicit employee who terminates employment not to be removed from the payroll for a temporary period of time; the store manager submits time and attendance records for the terminated employee and changes the bank account for direct deposit, causing the diversion of funds.

The fraud audit rule requires the auditor to answer the following questions in the assessment of the likelihood of fraud occurring:

  • Are there any terminated employees in the scope period?
  • Did any terminated employees have a bank account change?

If there are no terminated employees in the scope period with a bank account change, then the likelihood of that fraud risk statement occurring in the scope period is low.


Leonard’s rule: Every audit must have a component of fraud data analytics. The concept is simple: are there any transactions that are consistent with the data profile of the fraud risk statement? If not, then the likelihood of fraud in the scope period is low or nonexistent. If there are transactions that are consistent with the data profile, then there is a likelihood of a fraud scheme occurring in the scope period.
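The two questions above can be run as a data test. The following is an added example, not code from the original post: the record layouts, field names, and sample rows are constructed assumptions, and it goes one step beyond the two questions by also counting payments dated after the termination date so the auditor knows which records to examine.

```python
from datetime import date

# Constructed sample data; table and field names are assumptions.
EMPLOYEES = [
    {"emp_id": "E100", "terminated": None},
    {"emp_id": "E101", "terminated": date(2023, 2, 10)},
    {"emp_id": "E102", "terminated": date(2023, 3, 31)},
    {"emp_id": "E103", "terminated": date(2022, 11, 15)},  # before scope period
]
BANK_CHANGES = [  # direct-deposit account changes
    {"emp_id": "E100", "changed": date(2023, 1, 20)},
    {"emp_id": "E101", "changed": date(2023, 2, 14)},
    {"emp_id": "E103", "changed": date(2022, 11, 20)},
]
PAYMENTS = [
    {"emp_id": "E101", "paid": date(2023, 2, 24), "amount": 1450.00},
    {"emp_id": "E101", "paid": date(2023, 3, 10), "amount": 1450.00},
    {"emp_id": "E102", "paid": date(2023, 3, 31), "amount": 1600.00},
]

def assess_likelihood(employees, bank_changes, payments, start, end):
    """Match records against the terminated-employee fraud risk statement."""
    def in_scope(d):
        return d is not None and start <= d <= end

    # Question 1: are there any terminated employees in the scope period?
    terminated = {e["emp_id"]: e["terminated"] for e in employees
                  if in_scope(e["terminated"])}
    matches = []
    for emp_id in sorted(terminated):
        # Question 2: did the terminated employee have a bank account change?
        changes = [c["changed"] for c in bank_changes
                   if c["emp_id"] == emp_id and in_scope(c["changed"])]
        if not changes:
            continue
        # Added check: pay dated after termination, for the auditor to test.
        late = [p for p in payments
                if p["emp_id"] == emp_id and p["paid"] > terminated[emp_id]]
        matches.append({"emp_id": emp_id, "bank_changes": changes,
                        "payments_after_termination": len(late),
                        "amount_after_termination": sum(p["amount"] for p in late)})
    return {"terminated_in_scope": sorted(terminated), "matches": matches,
            "likelihood": "profile match" if matches else "low"}

if __name__ == "__main__":
    print(assess_likelihood(EMPLOYEES, BANK_CHANGES, PAYMENTS,
                            date(2023, 1, 1), date(2023, 3, 31)))
```

A "profile match" is not a finding of fraud; it identifies the records on which the authenticity tests described earlier should be performed.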

Okay, having looked at the alternatives, do you want a principle-based approach or a rule-based approach? This seems to be a debate in the profession.

Internal Audit Trivia

Who is the father of modern internal auditing?

In what year was the IIA created? In what city and state was it created? And how many charter members?

The double-entry bookkeeping system was invented in which century?

In which century were internal auditors first noted?

Auditors were employed by kings and merchants for what purpose?

What is known as the roots of internal auditing?


Topics: Fraud Auditing, Payroll Fraud, fraud auditing rules, fraud auditing principles


Written by Leonard W. Vona

Leonard W. Vona has more than 40 years of diversified fraud auditing and forensic accounting experience. His firm, Fraud Auditing, Inc., advises clients in areas of fraud risk assessment, fraud data analytics, fraud auditing, fraud prevention and litigation support.