Many years ago, the IT auditor was created. In fact, I was an IT auditor in 1979. For the last 40 years, however, I have been a fraud auditor. Unfortunately, unlike IT, the profession does not recognize the title of fraud auditor.
In my opinion, it is time for the title of Fraud Auditor to be created and recognized by the profession. Auditors are not born with fraud risk or fraud audit knowledge or fraud skills. I suspect that college courses are not designed to provide this knowledge. If the profession is serious about a “more proactive approach to fraud detection” it is time to recognize that this will require auditors to develop and gain a new set of skills. I recommend that every audit department invests in human fraud risk intelligence.
Internal Audit Standards 2025: Fraud Responsibilities
To start this series, I searched “new IIA standards and fraud responsibilities summary” and here is what the AI provided.
“The new IIA (Institute of Internal Auditors) Global Internal Audit Standards place a significant emphasis on internal auditors actively assessing and mitigating fraud risk within an organization, requiring them to take a more proactive approach to fraud detection and incorporate a deeper understanding of potential fraud schemes into their audit planning and execution; this aligns with the broader responsibility of the internal audit function to support strategic objectives and contribute to the organization's overall success beyond just financial controls.”
In January, I discussed the concept of “mitigating fraud risk”. This month I will discuss the concept of a “more proactive approach to fraud”
Vona’s History of Proactive Approach to Fraud Detection
Typically, I start with an internet search, This time, I will start with my own book.
My first book, copyright date 2008, was the first book dedicated to fraud risk. I also wanted to be the first to publish a book on fraud auditing, so I wrote The Fraud Audit Responding to the Risk of Fraud in Core Business Systems, published in 2011. I never thought it would take fourteen years for our profession to use the words “proactive approach to fraud detection”. But here we are.
I suppose, without putting myself on a float in the Macy Day parade, you could say I am the father of Fraud Auditing. My son once told me I created my own profession. Enough accolades!
Excerpt from my book The Fraud Audit: Responding to the Risk of Fraud in Core Business Systems
“A fraud audit is the process of responding to the risk of fraud within the context
of an audit. It may be conducted as part of an audit, or the entire audit may
focus on detecting fraud. It may also be performed because of an allegation or
the desire to detect fraudulent activity in core business systems. For our
discussion purposes, this book will focus on the detection of fraud when there
is no specific allegation of fraud.”
Fraud auditing is the application of audit procedures designed to increase
the chances of detecting fraud in core business systems.
If you search my web site for fraud auditing topics, you will find numerous blogs on the topic.
How to Conduct a More Proactive Approach to Fraud Detection
To say, we are searching for fraud is just simply too broad, and technically incorrect. Fraud auditing is not a forensic audit. The word forensic has a specific meaning in the legal profession. Nor is fraud auditing a fraud investigation, that is designed for the legal system. Just ask the ACFE.
According to my definition, fraud auditing is the audit process of gathering audit evidence to offer opinions on whether there is credible evidence that a statement of fraud risk is occurring in a company business system. If yes, then the audit recommendation is to perform an investigation. If not, can we offer recommendations for fraud prevention, detection, or deterrence internal controls? You will find the same basic approach in Statement of Auditing Standards 99.
Starting the Proactive Approach to Fraud Detection
Every audit starts with an objective and scope. In fraud auditing, the objective is the statement of fraud risk that you have included in your scope. Let me illustrate the concept using a ghost employee statement of fraud risk:
Budget owner causes a fictitious person to be set up on the employee master file, the budget owner submits time and attendance records for the fictitious person causing the diversion of funds.
Now, let's convert the statement of fraud risk to an audit objective:
Determine if a ghost employee is receiving payroll payments.
The question before you is how to detect a ghost employee within the context of an audit. FYI, we have written several blogs on this subject.
Building a Proactive Fraud Audit Approach
We recommend four different approaches to a proactive fraud audit approach. We believe that the likelihood of detecting fraud increases in descending order with approach one being the least likely and step four being the most likely to detect a fraud risk statement.
1. Perform a risk assessment with the fraud scenario approach. There is no change to the fieldwork stage. The focus is on the adequacy of the design of internal controls to mitigate a fraud scenario. The fieldwork methodology follows the traditional internal control approach.
2. Use the red flag approach combined with a fraud risk statement approach. The sampling phase is random, but the audit program includes red flags or control red flags associated with the fraud risk statement.
3. Integrate fraud test procedures within the internal control approach. This approach is similar to the red flag approach, except we gather a higher level of qualitative audit evidence in order to formulate your opinion. The sampling is random, but a fraud test procedure is added to the test of internal controls.
4. Use the fraud audit approach driven by the fraud risk statement. The sampling is based on fraud data analytics, and the test procedure uses a fraud audit test procedure. There is no testing of internal controls.
Here are the variables to consider for each approach:
1. Whether to use a fraud scenario or a state of fraud risk statement to define your audit objectives.
2. Sampling approach is either random and non-biased or focused and biased towards the statement of fraud risk.
3. The sample is either selected through fraud data analytics or a manual selection process.
4. The audit test is either a test of internal controls or the use of a fraud audit procedure.
5. Fraud audit procedure is based on the authenticity approach versus control approach. The authenticity approach gathers evidence that is created and stored externally to the control owner. It is the highest-rated audit evidence.
6. The opinion is whether there is credible evidence to suggest that a fraud risk statement has occurred statement is occurring versus the internal controls operating effectively.
You must understand that fraud auditing or a proactive approach to fraud detection is a different way of thinking. Yes, you will plan, understand internal controls, select a sample, perform test procedures, create workpapers and write a report. But your success in this endeavor will be based on your ability to understand that a proactive fraud detection approach is simply a different way of thinking about the audit process. Good luck!
Etymology of the word fraud
1. What is the earliest known use of the noun “fraud”? 1650’s
2. Oxford English dictionary earliest evidence for fraud is from around? The earliest known use of the noun fraud is in the Middle English period (1150—1500)
3. Who was the person that first used the word fraud per the Oxford English dictionary? Robert Mannyng
4. What was his occupation? Poet and historian.
5. How many synonyms can you name for the word: fraud? 188 words per one web site.
6. There are nine meanings listed in OED's entry for the noun fraud, one of which is labelled obsolete. Which is obsolete? Remember, I told you first that fraud is every changing body of knowledge. The verb fraud, I.e. “do defraud” Or a trap or snare? Crazy huh!
Fraud Trivia
“The art of forging literary and historical documents is nearly as old as writing itself. Two thousand years ago, early practitioners put reed pens to papyrus to mimic the writing of Socrates and other ancient authors whose work was highly valued. Today, the motive of most forgers remains the same—create something "priceless," then find a sucker willing to pay an exorbitant price. Yet as this collection of famous fakes illustrates, sometimes the forger's aim is not profit but power”. Source to be disclosed in March Blog.
Can you list some of the more famous diaries that seem to be forgeries?
