We're continuing with my thought process of looking behind curtains in fraud risk, but with a slight change. This time, we're looking behind a new curtain.
I’ve announced this before, but to repeat in case you haven’t heard, I’ve had the opportunity to present a new approach to fraud risk assessment at a conference in Dubai. I have found that speaking professionally at a conference always gives me an opportunity for research and reflection.
That reflection led me to this month’s blog -- a look at the professional standards that provide guidance in performing our jobs. I am not evaluating any specific set of standards, but rather focusing on the guidance related to how auditors should respond to fraud in the conduct of an audit. Specifically, I am looking at how auditors should prepare a fraud risk assessment in the conduct of an audit, and how risk managers should document statements of fraud risk in their fraud risk assessment.
Based on my research, I have determined that there is insufficient guidance in both the professional standards and the various guidance documents on how to describe a Statement of Fraud Risk. This leaves you with two dilemmas:
- At what level should you describe fraud risk?
- At what level should you understand fraud risk?
Describe a Fraud Risk Statement
At what level you describe fraud risk really depends on the use of the fraud risk statement. Are you preparing an enterprise-wide fraud risk document, planning an audit, investigating fraud, performing fraud data analytics, etc.? To better understand, let me provide two examples regarding vendor overbilling:
- A real supplier acting alone overbills the company by increasing the prices or cost of the invoice, and the company employee approves the increase based on a false pretense, causing the diversion of company funds.
- A budget owner or a senior member of management provides a real complicit supplier with advance information on future changes to the purchase requirements listed on the bid documents, giving the real complicit supplier an unfair competitive advantage in the bidding process. After the purchase order is issued to the complicit vendor, the budget owner or senior member of management allows or causes changes to the original purchase commitment that may or may not change the purchase order total amount. The changes allow the real complicit supplier to invoice for items with higher margins than originally stated in the bid response. This could include:
  - Changing line-item quantities with no change to the original purchase order amount
  - Changing the items purchased, allowing the supplier to provide inflated prices on the changed item (product mix) within the original purchase order amount
  - Changing line-item quantities and increasing the purchase order amount
  - Changing product mix and increasing the purchase order amount
  The complicit vendor provides a kickback to the budget owner in consideration of the advance communication of information, which results in a corruption scheme and an overbilling fraud scheme.
Both statements of fraud risk involve vendor overbilling. I would call the first statement a high-level description and the second statement a detailed description of a statement of fraud risk. Both statements are effectively a description of vendor overbilling. So, which one is right?
To the best of my knowledge, there are no professional standards that would provide an answer. There is nothing out there to guide us on which statement meets a professional standard and which does not or whether both are okay.
Understand a Fraud Risk Statement
The next question is at what level you should “understand fraud risk”. I would suggest you review the IIA competency framework. Are you at a basic knowledge level, intermediate, or advanced? You should also review the duty of care standard. With all that said, how are you holding yourself out: CFE? CPA? CIA? It seems to me your professional credentials would cause your clients to believe that you have a superior knowledge of fraud risk.
Let’s take one more look at the conundrum of documenting versus understanding.
If you were conducting an audit of the payroll function and you Googled fraud in payroll, one of the common schemes would be “Ghost Employee Scheme”. I want you to ask yourself, is this description sufficient for your risk assessment or your audit program?
I would say no.
First, I think the expression “ghost employee” is effectively a slang term. Some literature indicates that ghost employee schemes date back to the Industrial Revolution. All the ghost employee literature talks about a fictitious person. But as you can see below, there are many permutations of a ghost employee. A few examples:
1. A fictitious employee is created by inventing an identity for a person who does not exist in real life. The person committing the scheme in essence creates an identity for the fictitious employee.
2. An assumed-identity employee is created by taking over the identity of a person for either a temporary or permanent time period. In payroll, this could be a reactivated employee.
3. Assuming the identity of a real person who is not complicit in the scheme and is added to your human resource database.
4. A real employee is complicit in the fraud action. In payroll, complicit is defined as the real employee receiving the payroll payment.
5. A real employee is not complicit in the fraud action. In payroll, not complicit is defined as the real employee not receiving the payroll payment. The payment is diverted to the perpetrator.
6. The scheme may also occur as a form of a bribe payment rather than an asset misappropriation scheme.
Yes, there are so many possibilities. To further complicate the subject, this doesn’t even take into consideration the person committing the scheme, the reason for the ghost employee, or the sophistication of concealment. If we stay focused on the traditional view of a ghost employee, our understanding of how an employee can be used to misappropriate company funds is very limited.
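To show why the permutations above matter when you move from a risk statement to fraud data analytics, here is an added example (not from the original post) that runs simple payroll tests against constructed HR, payroll and timekeeping records; every record, field name and flag label is a hypothetical I made up for illustration. Each flag is tied to the permutation it helps surface; permutation 6 (a bribe disguised as payroll) leaves no distinct data footprint here and is not flagged.

```python
"""Payroll analytics keyed to the ghost-employee permutations in the text.

All data below is constructed for illustration; the field layout is hypothetical.
"""
from collections import Counter
from datetime import date

# Constructed HR master: id -> (name, status, hire_date, last_termination_date, bank_acct)
HR_MASTER = {
    "E100": ("A. Smith", "active", date(2019, 3, 1), None, "ACCT-001"),
    "E101": ("B. Jones", "active", date(2024, 1, 15), date(2022, 6, 30), "ACCT-002"),  # rehired after termination
    "E102": ("C. Diaz", "active", date(2020, 5, 1), None, "ACCT-003"),
    "E103": ("D. Lee", "active", date(2021, 8, 1), None, "ACCT-003"),  # same bank account as E102
}
# Constructed payroll register for one period: (employee_id, amount, bank_acct_paid)
PAYROLL = [
    ("E100", 4200.00, "ACCT-001"),
    ("E101", 3900.00, "ACCT-002"),
    ("E102", 4100.00, "ACCT-003"),
    ("E103", 4100.00, "ACCT-003"),
    ("E999", 4000.00, "ACCT-009"),  # paid, but no HR master record exists
]
# Constructed timekeeping: employee ids with any clock-in activity in the period
TIME_ACTIVITY = {"E100", "E101", "E102"}


def flag_payroll(hr, payroll, time_activity):
    """Return {employee_id: set of flags}; each flag names the permutation it points at."""
    flags = {}
    payees_per_acct = Counter(acct for _, _, acct in payroll)
    for emp_id, _amount, acct in payroll:
        f = flags.setdefault(emp_id, set())
        rec = hr.get(emp_id)
        if rec is None:
            f.add("no_hr_record")            # permutation 1: identity exists only in payroll
            continue
        _name, _status, hired, terminated, hr_acct = rec
        if terminated is not None and hired > terminated:
            f.add("reactivated")             # permutation 2: a terminated identity brought back
        if emp_id not in time_activity:
            f.add("paid_without_activity")   # permutations 3 and 5: real identity, no work recorded
        if acct != hr_acct:
            f.add("bank_acct_mismatch")      # permutation 5: payment routed away from the employee
        if payees_per_acct[acct] > 1:
            f.add("shared_bank_acct")        # permutation 5: several ids paying one account
    return {emp_id: f for emp_id, f in flags.items() if f}
```

Flags are leads for the auditor to resolve, not conclusions: a legitimately rehired employee trips "reactivated", and a joint household account trips "shared_bank_acct".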
In my opinion, our profession needs to provide better guidance on how to describe a Statement of Fraud Risk. Meanwhile, whether you are an auditor or a risk manager, you need to enhance your knowledge of fraud risk. Keep in mind the describe-versus-understand dilemma.
Fraud Trivia:
1. Which decade did fraud risk assessment start to become a concept?
2. What caused the responsibility for fraud prevention and detection to shift from auditors to management?
3. “Codifying corporate governance best practices” started in which country?
4. The “comply or explain” principle originated in which corporate governance document?
5. Which came first, the chicken or the egg? Or in this case, which was first: fraud risk or fraud risk management?
6. For my academics: fraud risk is ontologically different from the event of fraud. True or false?
Answers from last month's trivia:
1. Audits are often rushed, rely heavily on factory management for information, and lack meaningful worker input, leading to a distorted picture of actual working conditions. True
2. Companies prioritize appearing compliant with minimum standards rather than actively working to improve worker welfare. True
3. Workers are often afraid to report issues due to fear of retaliation, and the auditing process does not provide adequate mechanisms for workers to raise concerns directly. True
4. Even when problems are identified, companies often fail to adequately address them or ensure lasting improvements. True
I am guessing you knew the answers before I posted them.