In my December 2019 blog, I provided eleven statements in the spirit of causing you to think about your audit plan and helping you create a dialog in your company about improving your ability to find fraud risk statements within your audit. In last month’s blog and in this one, I’m delving deeper into the issues.
Fraud auditing is not the same as a fraud investigation. The only thing that these two concepts have in common is the word fraud.
I believe people working in the fraud investigation business generally have a good understanding of their role and responsibilities for investigating fraud. The ACFE has provided excellent guidance regarding fraud investigation standards. Unfortunately, there is a lack of detailed guidance on exactly what fraud auditing is and how to integrate fraud detection into audit programs. For now, instead of trying to define fraud auditing, I will explain some of the fundamental differences:
- Fraud auditing is based on professional standards followed by the audit organization, whereas fraud investigations are based on the rule of law.
- The starting point for auditing and investigation is different. Fraud auditing is performed as the result of an annual audit plan, whereas investigations are typically performed when the company receives an allegation of wrongdoing.
- Fraud auditing is based on fraud risk statements, whereas fraud investigations are based on the elements of a law.
- The purpose of fraud auditing is to uncover evidence that a fraud risk statement is occurring, whereas fraud investigation is intended to refute or corroborate the allegation.
- The final decision maker in an audit is management, whereas in an investigation, either a judge or jury decides on the outcome.
The methodology for detecting fraud through an audit is different from testing the adequacy and effectiveness of internal controls. I believe this may be one of the biggest hurdles for our profession.
The fieldwork stage of an audit is about selecting a sample and performing test procedures. This is where the commonality between traditional audit and fraud auditing begins and ends.
In control-based audits, we use phrases like “internal control objective.” We understand the risks associated with the control objective. In fraud auditing, we use the following phrases: fraud risk statement; fraud scenario; fraud schemes; fraud risk, etc.
The methodology for testing the adequacy and effectiveness of internal controls is defined and accepted by the profession. Samples are intended to be random, unbiased and representative of the population. The evidence is the observance of an audit trail that exists in the business system. When an error is observed, there is a tendency to increase the sample size to determine if the error is an isolated error or representative of the population.
Fraud auditing is in its infancy, and the methodology is not well understood by the profession. The fraud auditing approach to choosing a sample is based on fraud data analytics. The sample is biased and based on the red flags associated with the fraud risk statement. The sample selection process is based on each fraud risk statement within the scope of the audit. The fraud audit procedure must be calibrated to the sophistication of the fraud concealment. Fraud audit evidence is based on the quality of evidence rather than the quantity of evidence.
Currently there are four strategies used by audit departments to integrate fraud detection into the audit program:
1. Do a fraud risk assessment with the fraud scenario approach. There is no change to the fieldwork stage. The focus is on the adequacy of the design of internal controls to mitigate a fraud scenario. The fieldwork methodology follows the traditional internal control approach.
2. Use the red flag approach combined with a fraud risk statement approach. The sampling phase is random, but the audit program includes document red flags or control red flags associated with the fraud risk statement.
3. Integrate fraud auditing with a fraud risk statement approach. The sampling is random, but a fraud test procedure is added to the test of internal controls.
4. Take a fraud audit approach combined with a fraud risk statement. The sampling is based on fraud data analytics, and the test procedure uses a fraud audit test procedure. There is no testing of internal controls.
We need to stop arguing about whether a procedure is an audit procedure or an investigation procedure. Simply stated, both are designed to gather evidence. The argument should be about the “quality” of evidence rather than whether the procedure is audit or investigation.
In all honesty, this statement is simply my frustration. As you may know, I have lectured for almost 30 years on fraud in the auditing profession. In my lectures, I explain how to find various fraud schemes. Somehow, someone will always tell me that my example is an investigation procedure rather than an audit procedure. So, let me give you an example:
Most every company has a procedure for adding a vendor to the master file. Most procedures include a new vendor form. The form contains information about the vendor and must be approved by a manager before the vendor is added to the master file. The test of internal controls is to ensure the form is on file, properly completed and approved by the required manager.
An example of a fraud audit procedure is to confirm the legal existence of the corporation via the secretary of state or the appropriate government ministry. When I poll my class on whether this is an audit or investigative procedure, 50% of the class will tell me confirming the legal existence is an investigative procedure. Why, I ask?
From a pure analysis of the quality of evidence, what is more assuring that the vendor is a legally created company: an internal form or the government registration database?
For a helpful hint, I judge the quality of evidence based on where the evidence is located and who created the evidence. The answer to each of the two questions is either internal or external. So, evidence that is created and stored external to the auditee is the highest form of evidence, whereas evidence that is created and stored internally to the auditee is the lowest form.
In my opinion, the investigation procedure versus audit procedure debate should be based on the quality of evidence. Nothing more and nothing less.