Where is the beef?
If that phrase doesn’t instantly resonate, take a look at this video. This was an iconic video from the 80s, and people are still asking the question today. (I hope you get my sense of humor.)
The new IIA (Institute of Internal Auditors) Global Internal Audit Standards place a significant emphasis on internal auditors actively assessing and mitigating fraud risk within an organization, requiring them to take a more proactive approach to fraud detection and incorporate a deeper understanding of potential fraud schemes into their audit planning and execution.
I fully agree that having a deeper understanding of potential fraud schemes is fundamental. But what exactly do we mean by that?
(FYI, this will be my last blog on the new IIA standard for a while. Next month, I will discuss a new consideration to be added to your fraud risk assessment.)
So, where is the beef?
I have now read most, if not all, of the key literature on the topic of fraud risk and fraud risk assessment. Here are some samples of "fraud risk schemes" contained in the various documents I surveyed.
- Fraudulent Disbursements: Billing Schemes or use of phony vendors.
- Inappropriate journal entries.
- Expenses are capitalized.
- Corporate cards are issued inappropriately, resulting in fraudulent expenses.
I interpret these illustrations to be examples of what our profession means by the expression “deeper understanding”. But honestly, what I see is a lot of bun! Let’s take a closer look to see what’s missing.
Gaining a True Deeper Understanding of Potential Fraud Schemes
Let’s first assess the term "fraud scheme", also referred to as fraud risk, fraud risk statement, or fraud scenario. Whatever you wish to call it, this is the starting point. In this case, we’re starting with “Fraudulent Disbursements: Billing Schemes or use of phony vendors.”
But what is a phony vendor? What is a billing scheme? I suppose the assumption is that the internal auditor is all-knowing regarding the various permutations of a phony vendor or a billing scheme. Personally, I doubt it.
The definition of fraud has two key terms: “Intentional” and “concealed”. Notice that neither of those words is in any of the above statements from the profession.
Take, for instance, the term “phony vendor.” From my count, there are easily 20 distinct types of phony vendors. As to billing schemes, depending on how you count the schemes, you may have over 50 of them.
Going Deeper
So what does deeper really look like?
Professional Literature example: Fraudulent Disbursements: Billing Schemes or use of phony vendors.
My Example: Accounts payable, acting alone or in collusion, takes over the identity of a real company in the marketplace that is not on the master file, causes the real company to be added to the master file, and processes a fake invoice for goods or services not provided, causing the diversion of company funds.
Details matter. Let’s look at another one:
Professional Literature example: Inappropriate journal entries
My Example: Controller intentionally overstates an asset by recording a real operating expense incurred from a real vendor, through a journal entry, as a capitalized expenditure, causing capitalized advertising expenses to be materially misstated.
There is a difficulty with the statement “deeper understanding”. How many companies are going to realistically document the deeper understanding concept? I understand their intent; however, if the statement is not in your workpapers, then you did not consider the fraud risk.
It is time!
In the movie The Lion King, the baboon Rafiki says, "It is time!" In my opinion, it is time that the profession provides us with better guidance or better examples of a deeper understanding of fraud risk statements.
Fraud Trivia
Last month’s answers
SOURCE: Feedzai, the global leader in AI-native financial crime prevention, today released its 2025 AI Trends in Fraud and Financial Crime Prevention report, uncovering how generative AI (GenAI) is used in financial fraud.
1. 90% of the financial institutions surveyed indicate that fraudsters use generative AI, and only 8% noted that they do not see GenAI being used by criminals.
2. According to the report, 44% of financial professionals report that deepfakes are used in fraudulent schemes, and 56% of professionals cite social engineering, a set of manipulative tactics used by fraudsters to exploit human psychology and trick individuals into revealing sensitive information, as another significant tactic powered by AI.
3. Fraudsters are also utilizing voice cloning techniques, with 60% of professionals recognizing this as a major concern, followed by 59% citing SMS and phishing scams powered by AI to deceive victims.
4. Can you name some of the more common techniques for account takeover?
AI-driven fraud tactics, including deepfakes, social engineering, and voice cloning, often result in account takeovers and scams, which, as unauthorized fraud, are generally reimbursable under most circumstances and harder to detect. While deepfakes alone don’t provide direct access to accounts, they play a critical role in building trust during the entrapment stage of scams, where criminals deceive victims into believing they are dealing with legitimate parties.
“We’re seeing scam techniques that feel genuinely human because they’re being engineered by AI with that intention. But now, financial institutions also have to deploy advanced AI technologies to fight fire with fire to combat scams. Today, scams don’t come with typos and obvious red flags—they come with perfect grammar, realistic cloned voices, and videos of people who’ve never existed,” said Anusha Parisutham, Feedzai Senior Director of Product and AI.
This month’s Trivia
1. Who invented AI?
2. What country is #1 in AI, and how much will the country spend in 2025?
3. What is Bill Gates' concern about AI?
4. Who is labeled as the “father” of AI?
5. Who is labeled as the “godfather” of AI?
6. AI romance schemes: How do they work?