• PAGE ONE
• INDEX
• HOME

Skeletons in the cupboard

David G. Coderre on how auditors can track fraud

PROGRAMMES and practices designed to prevent fraud can reduce its occurrence, but they will not eliminate it. Even companies with excellent deterrence programmes are still at risk of fraud. A study by KPMG reported that 63 per cent of companies had exper ienced at least one incident of fraud in the last two years (KPMG Peat Marwick Thorne, Fraud Awareness Survey, March 1992). Given that the median loss from some types of fraud exceeds $200,000, even one act of fraud can be highly expensive. When the pote ntially negative impact on employee morale and shareholder confidence is factored into the equations the costs can be devastating.

If audit is to contribute to the detection of fraud, it is essential that auditors understand how to build audit programmes that address this goal. Such programmes rely heavily on the evaluation of the control environment and the auditor's knowledge of t he organisation's exposures.

Good awareness programmes and internal controls can help prevent crimes of opportunity. Employees not tempted by weak controls, and not encouraged by poor management practices, are less likely to engage in illegal activities.

However, there is an ironic side to good controls. The successful prevention of fraud -- or at any rate the lack of symptoms -- may leave some organisations overly complacent. It is easy to forget the negative effects of fraud when you are not e xperiencing them. Therefore the value of deterrence programmes is never more widely agreed upon than when such programmes are allowed to erode, a fraud occurs, and it is eventually detected. The prompt detection of renewed fraud then reaffirms the need for prevention programmes, and the value of audit.

However, a failure to detect fraud will be seen (perhaps unfairly, if controls were allowed to lapse) as a significant shortcoming. But until this happens, the company finds itself in the position of wondering, ``Is no news good news -- or not?'' The onu s on audit and management is strongest of all at such times, to remain vigilant and to maintain the controls. No news is good news provided controls are properly kept up.

Audit managers should recognise that keeping up a system of strong controls, and ensuring that senior management maintains a firm corporate fraud policy, are each as important as the vigorous search for frauds that have already occurred.

Let us discuss the preconditions for detecting fraud, the investigation and reporting of fraud, and the role of internal controls. This material is applicable both to audit and fraud investigation. Even though fraud investigators may only be called upon to examine cases of known fraud, a general knowledge of controls is essential to their work.

Detecting fraud

Auditing is generally concerned with the evaluation of controls for the efficient and effective use of company resources. Sound internal controls are an essential part of any defense against fraud, but they may not be working as intended or may no longer be adequate. Reorganisation, business re-engineering, and downsizing can seriously weaken or eliminate controls, while new information systems can present additional opportunities to commit or conceal fraud. Auditors must also be constantly aware that m andated controls nominally in effect may be poorly enforced or otherwise irrelevant.

Auditors and fraud investigators must be conversant with the preconditions for detecting fraud, which can be broken into three basic steps:

* determining the organisation's risk of fraud by studying its operational and control environments;

* thoroughly understanding the symptoms of fraud; and

* being alert to the occurrence of these symptoms.

Once these preconditions are met, it becomes easier to:

* investigate and report detected frauds; and

* create new controls to detect any reoccurrence.

Determining the exposure to fraud

The first step is to examine the operational environment and its internal controls, to identify where weaknesses and deficiencies can leave the company exposed to fraud. The system of internal controls must be evaluated and tested to ensure it is working as intended. Processes control points, key players, and risks must be carefully reviewed. Fraud is largely a crime of opportunity, so the opportunities must be found and, if possible, eliminated.

Two widely distributed audit standards address exposure concerns directly. The Statement on Internal Auditing Standards (SIAS 3), Deterrence, Detection, Investigation and Reporting of Fraud, requires auditors to have sufficient knowledge of possible frau ds to be able to identify their symptoms. Auditors and investigators must be aware of what can go wrong, how it can go wrong, and who could be involved.

The AICPA developed SAS 82, Consideration of Fraud in a Financial Statement, to assist auditors in the detection of fraud. It defines risk factors for fraudulent financial reporting and theft, and can be used as a basic model for assessing the risk of fr aud in these areas. The risks outlined for fraudulent financial reporting include factors such as management conditions, the competitive and business environment, and operational and financial stability.

Auditors and investigators must be aware of all types of exposure. When planning audit programmes, close attention must be given to identifying the areas of greatest exposure and determining steps to assess the related risks. For example, it is well unde rstood that the purchasing function is an area of serious risk for fraud (M. V. Cerullo, M. J. Cerullo and T. Hardin, `Auditing the Purchasing Function', Internal Auditor, December 1997, pp. 58-64), yet fewer than 30 per cent of audit organisations condu ct regular audits in this area. Obviously, auditors cannot afford to ignore such areas as purchasing, where the risks of fraud are well known. Understanding and evaluating such risk factors can focus scarce audit resources on the areas of greatest exposu re to fraud.

Understanding the symptoms of fraud

Common characteristics or symptoms of fraud include unauthorised transactions, cash overages or shortages, unexplained variations in prices, missing documentation, and excessive voids or refunds. Auditors should not be satisfied with a generic checklist of possible symptoms of fraud, but must identify the characteristics of fraud applicable to their operating environment.

An effective approach is to develop a list of symptoms for each type of exposure identified during the planning stage of an audit. This could include such items as adjusting entries in the inventory files, a trend of increasing amounts of deposits in tra nsit, unexplained variances, or correcting entries in the general ledger files.

Once typical symptoms have been outlined, auditors must determine the most efficient way of detecting their presence -- generally, by computer analysis. A study of audit working papers to evaluate the methods used to identify financial errors found that computer assisted audit techniques were the single most effective method used by audit teams (Hylas and Ashton, Accounting Review, 1982) -- even before the advent of interactive auditing.

In addition to the symptoms of fraud in the financial books or application system, auditors must be alert to other external symptoms. Fraud committed for personal benefit can be related to personal financial difficulties. Some of the possible signs of fr aud for personal benefit are:

* living beyond one's means;

* compulsive gambling or stock speculation;

* drug or alcohol abuse; and

* high personal debts or losses.

While it is unlikely that a routine audit would identify such signs, auditors should be aware of them and where possible investigators should search for them. These red flags will almost always be present in cases of fraud for personal benefit. However, despite the presence of red flags, fraud remains difficult to predict and may not fit the standard profile. While the `red flags' cannot be ignored, auditors and investigators must tread carefully. The presence of these signs does not signify that fraud has occurred, but that there is a risk of it occurring. It is the purpose of the audit or investigation to determine if it has.

Being alert to the symptoms of fraud

While not all fraud can be prevented, early detection and quick, appropriate action can reduce losses. Developing a list of symptoms for each specific type of exposure identified in planning the audit will help. That list can then be carried into the aud it and applied with careful scrutiny to spot symptoms of fraud in its early stages.

Remember, the presence of symptoms does not mean fraud exists, and the absence of symptoms does not mean that everything is all right. It is important to determine the underlying causes of the symptoms and deal with them.

Where symptoms are present, those committing fraud may have a ready, plausible explanation for each question raised by the auditor; such explanations must all be verified, especially those that are in any way questionable. Given that fraud often occurs w hen there is a longstanding weakness in the controls, the person committing the fraud may not believe that the explanation will be questioned, or that it will be independently verified. There are many examples of fraud detected by auditors who would not settle for ``we've always done it that way,'' and who refused to accept the initial plausible explanations provided by the perpetrators.

Fraudulent activity can easily wind up ignored because of time constraints -- ``We only have two weeks to review the operations of the branch office.'' Fraud investigations can also be derailed by interference by the perpetrators -- ``If you are g oing to waste my time with trivial issues involving the petty cash, I'll report to senior management that you were responsible for our performance targets not being met this month.'' However, due professional care requires auditors to approach the r eview of the symptoms of fraud with a healthy degree of scepticism and with diligence and determination. Auditors should perform their review in a manner that ensures the completeness and confidentiality of the investigation, and the r esults obtained.

The IIA's SIAS 3, Deterring, Detecting, Investigating and Reporting Fraud, addresses this, stating that auditors are responsible for the evaluation of the indicators that fraud may have occurred. Auditors should consciously decide when and if additional action is necessary.

Internal auditors who determine that there is a weakness in the control framework cannot ignore the problem simply to comply with time schedules. Once a weakness has been identified, auditors have additional responsibilities. SIAS 3 defines audit's respo nsibilities for detecting fraud, and includes the requirement to conduct additional tests, if control weaknesses are present. Therefore, it is incumbent upon the auditor to analyse the company's exposure to various risk factors and plan and perform audit s to assess these risks. Further, as the audit is performed, the audit programme should be adjusted based on the results obtained.

With the increase in electronic applications supporting the business environment, auditors must be creative in identifying ways in which data could be manipulated or unauthorised users could gain access. The complexity of the environment requires thoroug h thinking-through of audit plans. Once the risks have been isolated, the auditor can identify and assess controls to mitigate them.

The auditors at Freddie Mac take this approach one step further. All the possible risks are listed, after which specific audit objectives and procedures are identified for each (Douglas E Prawitt and Marshall B. Romney, `Emerging Business Technologies', Internal Auditor, February 1997, pp. 25-32). The matching of risks with audit steps ensures that exposures are properly considered and addressed by audit.

The latest standards by the IIA and the AICPA provide auditors and fraud investigators with guidance to increase their ability to detect fraud and abuse.

Using audit software commands and functions, either proactively (to head off fraud) or reactively (to investigate), it is possible to examine millions of transactions to detect the few that show the symptoms of fraud. This focuses audit attention on the areas of highest risk.

Investigating and reporting instances of fraud

A fraud investigation is primarily concerned with collecting and analysing evidence to assess allegations of specific wrongdoing. This differs from a more general evaluation of internal controls, which does not presume a fraud has taken place. After a th orough evaluation of the control framework, the weaknesses and fraud exposures identified may prompt a fraud examination -- but they also may not.

Once the symptoms of fraud are found and additional tests have indicated that there is a strong possibility of fraud, the review enters the formal investigation phase. There must now be a clear understanding of:

* who will conduct the investigation;

* whether or not legal authorities and regulators will be involved;

* who will determine the scope of the investigation;

* how the results will be communicated; and

* who will determine the corporate response if the activity is proven to be fraudulent.

The first source of answers to these questions should be the corporate fraud policy, but prudence dictates that these answers be confirmed at the start of the investigation. If the organisation does not have a fraud policy, or the policy is unclear on th ese points, audit should seek immediate written guidance and clarification. Failure to do so may result in senior management being caught unaware by stakeholders and the press, and auditors being blamed later. It may also place audit in a position of def ending the actions or omissions of the investigating team to senior management. The early clarification of the process to be followed will ensure that all parties are on side, aware of what is happening and what will be done with the results.

Once the investigation is complete it is important to publicise the results. Companies that are successful in deterring fraud tend to have strong prosecution policies that are not only consistently and equitably applied, but also well publicised. The fea r of public exposure and punishment are great deterrents. Results of the investigation can also be used later, possibly anonymously, as an educational tool for auditors, fraud investigators, and other employees.

Internal controls for fraud detection

The final step in the fraud detection process is the implementation of internal controls to prevent it from recurring. Unless steps are taken to address the weakness that allowed the fraud to occur, additional fraudulent activity will almost certainly en sue. To determine the risk of future losses, audit and management must clearly understand both the effects of the fraud, and how it occurred. Audit should focus on key questions such as:

* Were specific controls compromised? If yes, how?

* Are additional or different controls required to address the exposure?

* Are there preventative measures that can be taken and monitoring systems that could be established?

* Is the problem systemic, or localised in the area where the fraud occurred?

* Where else in the organisation could this occur and what needs to be done to ensure it does not?

With these questions as a starting point, research can develop controls that minimise the risk of future occurrences. While the ultimate goal is the safety and security of financial and non-financial assets, care and common sense must be exercised to ens ure that efficiency is not compromised. The cost of the control must be evaluated against the scale of possible loss or damage to the organisation. On the other hand, if an activity cannot be effectively controlled except at a disproportionate cost, it m ost likely should not be undertaken in the first place!

The implementation phase must be predicated on the clear understanding that new controls will have not only the concurrence of audit, the investigations group, and management, but also the agreement and commitment of those who will apply them. This is cr ucial.

Once the new controls are in place, audit must perform follow-up tests to be sure that they are being applied, are working, and are sufficient to prevent future criminal activity.

(Edited extracts from Fraud Detection -- Using Data Analysis Techniques to Detect Fraud. Book courtesy: ACL Services Ltd, Canada. Web: www.acl.com)