Fraud Auditing, Detection, and Prevention Blog

What is an Entity in Fraud Risk Auditing and Why Does it Matter?

Sep 14, 2022 11:44:41 AM / by Leonard W. Vona

The answers to last blog's trivia:

Nick worked in the Singapore office: Internally what was the slang term for the Singapore office? Fortress Singapore. FYI, this is not a reflection on Singapore the country but the management in the Singapore office.

What was the name of the account Nick used to process his unauthorized trades? 88888

Why did the auditors fail to detect the unauthorized trades? The illicit stock trades were recorded in the 88888 account. The IT department was told that the 88888 account was an error-clearing account, therefore no need to print the 88888 account on the stock trading register.

What event caused Nick’s fraud scheme to become visible? An earthquake in Japan caused the market to go in a different direction than his expectation causing the losses to become larger than he could conceal.

Why is this important to the auditing profession? My guess, since the auditors were auditing around the computer, they did not know about the 88888 account. Fraud data analytics would have had the opportunity to detect these trades. At least, I hope.

Studying historical cases of fraud provides great learning opportunities.

Fraud Risk Universe: Understanding the Entity Structure

In my last blog, I introduced the fraud risk structure underlying the Science of Fraud Risk. This structure supports the effort to make fraud auditing the number one reason for fraud detection. In this blog, we’re going to do a deeper dive into a key element of the fraud risk structure – the entity.  Understanding what we mean by “entity” is vital to writing the fraud risk statement.

What an entity is not

Over the years, I have concluded that the phrase entity has caused confusion with my readers. So, let me start by saying what an entity is not. The entity is not your organization; it is not the person committing the fraud risk statement nor is the victim of the fraud risk statement.

What an entity is

An entity refers to a person or organization possessing separate and distinct legal rights. Source: Cornell Law School Legal Information Institute.

What is an entity in a core business system?

An entity in a core business system describes the individual or business that either serves or supports the business system. I.e., in accounts payable, the entity is a vendor. In payroll, the entity is an employee. In an inventory system, the entity is a tangible good, etc.

What is an entity in a fraud risk statement?

An entity is a person (payroll) or organization (vendor) that the fraud action statement is associated with, in the fraud risk statement. The entity data resides in the master file, which provides identifying information i.e. the entity address, telephone number, etc.

We start by describing the entity as either real or false. Then we identify the permutations consistent with the core business system. To illustrate the permutation concept, we will start with vendor permutations:

False Entity (vendor)

Fictitious entity, a vendor that does not legally exist. The false entity may either be a shell corporation or an individual operating in the name of a business. Fictitious vendors go by various names: shell, paper, fake to name a few.

Assumed entity, occurs when someone takes over the identity of a real not complicit entity. It may be a dormant vendor; a real vendor on either a temporary basis or a permanent basis or a real not-complicit vendor that exists in the marketplace.

Hidden entity: maybe a real company operating under two or more names or vendor numbers. The two companies may be real standalone companies with common or beneficial ownership and operate under one physical structure or the companies may be a fictitious. There are several permutations of the hidden entity scheme, including:

  • A real company operating under two or more names or numbers. The companies may be two real standalone companies with a common or beneficial ownership and operate under separate physical structures.
  • A real company that has decentralized billings in your master file multiple times. The hidden entity uses the real company’s name but with a different address or bank account.  
  • A company using a variation of a real company’s name; however, unlike the other hidden entity schemes there is only one entity in your master file, the real entity is not involved.
  • A shell company with the sole purpose of the second company creating the illusion of a second company for whatever purpose.
  • A real vendor with multivendor numbers. For some reason, it is very common to find the same vendor or customer in your database two or more times. When a real company has two or more numbers, it creates opportunities that should not exist with good master file internal controls.


The hidden entity may have other purposes including functioning as a sub-contractor, creating false bids, meeting government quotas for preferred vendors, or whatever scheme for which the perpetrator needs two or more organizations.

Real Entity (vendor)

Vendor that is complicit in the fraud risk statement

  • Real company operating alone
  • Real company in collusion with an internal person
  • Real company in collusion with another real company
  • Real company extorted by an internal person
  • Real company extorting an internal person


A vendor that is not complicit in the fraud scheme

In this permutation, the fraud action statement is more important because the vendor is real and not complicit in the scheme. As an illustration, goods may be purchased with the intent to divert and sell the goods. Yes, the same action could be linked to a complicit vendor.

Now let’s illustrate the same concept using employees in the payroll system. I will be brief; my goal is to illustrate the similarities of the entity permutation analysis as we go from business system to business system.

Fictitious employee
  • Fictitious entity, an employee that does not legally or physically exist. Often referred to as a ghost employee.
  • Assumed entity, occurs when someone takes over the identity of a real not complicit employee. Similar to the assumed vendor, the takeover may occur on a temporary basis or a permanent basis.

Real Employee
  • Real employee complicit in the fraud risk statement
  • Real employee not complicit in the fraud risk statement

Why is it important to understand the entity permutation?

First and foremost, possessing knowledge of permutations is the science of fraud risk. Simply put, when you see something, you can say something. More importantly, it provides the specifications for building your fraud data analytics and fraud audit procedures, the art of fraud auditing.

Historical Fraud Trivia: Equity Funding Corporation

  • What industry was Equity Funding in?
  • What fraud risk statement occurred in Equity Funding?
  • How did the fraud become known?
  • How many employees were involved in the cover-up?
  • Is it true that the auditors went to jail?
  • What does Equity Funding have in common with Bernie Madoff?
  • What does Equity Funding have in common with ZZZ Best?
  • What does Equity Funding have in common with Barings Bank?
  • What court case associated with Equity Funding has been termed historic in helping define insider trading?
  • Why is all of this important?

Demystifying Fraud eBook CTA

Leonard W. Vona

Written by Leonard W. Vona

Leonard W. Vona has more than 40 years of diversified fraud auditing and forensic accounting experience. His firm, Fraud Auditing, Inc., advises clients in areas of fraud risk assessment, fraud data analytics, fraud auditing, fraud prevention and litigation support.