How you determine which concepts to evaluate to “consider fraud” and how to integrate fraud into your audit program is a challenge that is easily solved if you approach it with the scope and objectives of your audit clearly defined.
The audit plan is the critical starting point for every audit, and the fraud audit plan is the critical document for integrating fraud into the audit program. Using the audit standards as a starting point, we should gather information to identify the risk of fraud consistent with the scope and objectives of our audit. The fraud audit process indicates we should make inquiries of management, consider analytics, consider the risk factors (fraud triangle) and consider other information.
For every audit the starting point is the use of the fraud risk universe to define the scope of the audit. Is the auditor searching for fraud in the financial statements, asset misappropriation schemes or corruption in core business systems? The second element is to understand the inherent fraud schemes that can occur in core business systems. For purposes of this blog, we will scope the audit for asset misappropriation and will assume our audit is focusing on fraud schemes that can occur in the payroll cycle.
In payroll, the key inherent fraud schemes are:
For purposes of this blog we will focus on ghost employees. The risk statement methodology will define the different ghost employee schemes.
A brainstorming session is the starting point for creating your fraud risk statement. Discussions should focus on the logical permutations of a ghost employee, then explore how those schemes could occur within your company, what natural internal control vulnerabilities might allow the scheme to occur, and what audit sampling and test procedures respond to the fraud risk statement.
To illustrate these concepts, we will assume we are auditing a retail location and we will illustrate the concepts using the following fraud risk statement that can occur in the payroll cycle.
As per the structure of a fraud risk statement, for our retail location example our fraud risk statement will be as follows:
A department manager causes a real non-complicit employee that quits employment not to be removed from the payroll for a temporary period of time and that department manager submits time and attendance records for the terminated employee and either changes the bank account for direct deposit or diverts the paper check causing the diversion of funds.
Any brainstorming session should focus on what internal control factors would be conducive for this fraud scheme to occur or what are the natural control vulnerabilities that exist in your business process. A few considerations or questions are:
The data analytics should link to the fraud risk statement and the vital statistics that allow you to determine the likelihood of the fraud scheme and the potential loss impact due to the asset misappropriation scheme.
The fraud risk factors are those conditions identified in assessing the fraud triangle for asset misappropriation: opportunity, rationalization and pressures.
The opportunity focuses on the fraud prevention and detection controls and the natural vulnerabilities that exist in every business system.
There may be some type of personal pressure that motivates fraud.
Mentally justifying the act of fraud is an important part of the fraud triangle.
Inquiries of management should focus on senior management, human resources, payroll and department managers. The questions for senior management and department managers should focus first on the risk factors and then on the schemes, whereas the questions for human resources and payroll should focus on the feasibility of the scheme occurring based on their knowledge of the fraud prevention and detection controls and then on the fraud risk factors.
As a result of the management inquiries, fraud risk factors and data analytics associated with the fraud scheme, the conclusion of the planning stage is to determine whether there is an inherent likelihood that the scheme could occur in your company. It is that simple. There are no absolutes regarding your conclusion; that is the purpose of the audit steps. This first step is all about your fraud audit judgment.
Once you've identified your audit plan, you can move into analytics and data sampling. The audit sampling procedures are simple. In this payroll fraud example, you would select all employees that have terminated in the audit period. From that create two samples, one for direct deposit and one for paper check or debit card. For direct deposit, was there a change in the bank account? If not, then the scheme did not occur as described in the fraud risk statement. For paper checks, there are no further data analytic procedures.
For the audit program, what red flags exist to suggest the fraud scheme may have occurred? For direct deposits, we match the new bank account to the department manager’s bank account or the same bank. For paper checks, we would compare the first check to the last check, searching for changes: is there a change in handwriting, was the check negotiated at a check cashing company, or was the check cashed rather than deposited in a bank account? If the red flags are observed, then we would contact the employee and make inquiries as to their departure date.
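The sampling and red-flag steps above can be run as a single pass over payroll data. The following is an added example, not part of the original post; the record layout, field names, finding labels and all sample values are assumptions constructed for illustration.

```python
from datetime import date

def triage_terminated(employees, bank_changes, manager_accounts, start, end):
    """Return {employee_id: finding} for employees terminated in [start, end]."""
    findings = {}
    for emp in employees:
        term = emp["terminated"]
        if term is None or not (start <= term <= end):
            continue  # not in the sample: no termination in the audit period
        if emp["method"] != "direct_deposit":
            # Paper check or debit card: no further analytics, compare checks by hand.
            findings[emp["id"]] = "manual_check_review"
            continue
        changes = [c for c in bank_changes
                   if c["employee"] == emp["id"] and start <= c["changed"] <= end]
        if not changes:
            findings[emp["id"]] = "no_account_change"  # scheme did not occur as stated
            continue
        mgr_routing, mgr_account = manager_accounts.get(emp["manager"], (None, None))
        finding = "account_changed"
        for c in changes:
            if (c["routing"], c["account"]) == (mgr_routing, mgr_account):
                finding = "matches_manager_account"
                break
            if c["routing"] == mgr_routing:
                finding = "matches_manager_bank"
        findings[emp["id"]] = finding
    return findings

# Constructed sample records (all ids, dates and account numbers are made up).
EMPLOYEES = [
    {"id": "E1", "manager": "M1", "terminated": date(2023, 3, 15), "method": "direct_deposit"},
    {"id": "E2", "manager": "M1", "terminated": date(2023, 6, 1), "method": "direct_deposit"},
    {"id": "E3", "manager": "M2", "terminated": date(2023, 8, 10), "method": "paper_check"},
    {"id": "E4", "manager": "M2", "terminated": None, "method": "direct_deposit"},
    {"id": "E5", "manager": "M2", "terminated": date(2023, 10, 5), "method": "direct_deposit"},
]
BANK_CHANGES = [
    {"employee": "E1", "changed": date(2023, 3, 20), "routing": "R-001", "account": "A-9001"},
    {"employee": "E5", "changed": date(2023, 10, 9), "routing": "R-002", "account": "A-7777"},
]
MANAGER_ACCOUNTS = {"M1": ("R-001", "A-9001"), "M2": ("R-002", "A-5555")}

def run_sample():
    return triage_terminated(EMPLOYEES, BANK_CHANGES, MANAGER_ACCOUNTS,
                             date(2023, 1, 1), date(2023, 12, 31))

if __name__ == "__main__":
    for emp_id, finding in run_sample().items():
        print(emp_id, finding)
```

A finding of `matches_manager_account` or `matches_manager_bank` is a red flag to follow up with the employee inquiry, not proof that the scheme occurred.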
Creating the fraud audit program is a process driven by the fraud schemes associated with the business cycle. It is a process of gathering information, assessing the information, formulating audit judgement and building your audit program for those schemes that have a high inherent risk of occurring in your business system.
The next stage is creating the fraud risk statement, where the audit team identifies the internal controls; links the controls to the fraud risk and assesses the likelihood and impact in a formalized manner. Creating a fraud risk assessment is an important step in the process.