Planning to find fraud
Audit plans have to be designed to find fraud. Here's help for your team on fraud brainstorming: delving into the details, thinking like a fraudster and using the knowledge of the processes to increase awareness of where frauds may be hiding.
"Routine exams failed to uncover the scam," the indictment claimed. The scam represented possibly the largest potential loss to the National Credit Union Share Insurance Fund (NCUSIF). The frauds, which ran through a single credit union, resulted in more than $170 million in potential losses, involving bribery, money laundering, fraudulent loans, corruption, kickbacks and even a Ponzi scheme (Credit Union Journal, June 27, 2011).
When the big frauds hit, it doesn't take long for others to ask "where were the auditors?" In this instance, the NCUSIF inspector general noted that "numerous red flags were present for many years," including those spotted by examiners. The IG stated that examiners only performed "their required minimum procedures." Board meeting minutes indicate that the audit reports identified no outstanding issues about the credit union operations.
The question beckons: Did the auditors properly prepare and plan to find fraud? Could effective fraud brainstorming have helped uncover these schemes much sooner?
"If you don't know what you're looking for, how will you know when you've found it?"
This sums up the advantage of thinking about fraud before conducting an audit. An audit plan that's not designed to find fraud may occasionally by chance find it. However, the fraud detection business shouldn't be built on luck or hope but on proactive, planned and decisive measures.
In most of the published auditing standards and expectations for auditors, identifying fraud goes hand and hand with the key words "plan" or "planning." The American Institute of CPAs, the Institute of Internal Auditors and the U.S. Government Auditing Standards all refer to proper audit planning and consideration of fraud schemes.
The "Statement on Auditing Standards No. 99: Consideration of Fraud," also referred to as SAS 99, specifically requires fraud brainstorming sessions when reviewing financial statements. Unfortunately, merely having a sentence in the audit scope that states "the audit staff will remain vigilant for fraud during the course of the audit" isn't enough.
In recent years, the phrase "the auditors failed to uncover the ongoing fraud scheme" has unfortunately been appearing more and more frequently. Satyam, Tyco, Olympus, Madoff and Healthsouth are just a few of the recent large frauds in which auditors and investigators missed the warning signs.
Finding fraud is difficult. We all know that. We're constantly reminded at every audit, fraud and accounting conference we attend that fraud is inherently hidden. Deception, alteration, fabrication and the destruction of documents seems to be the norm for all fraudsters, yet qualified anti-fraud professionals still fall for and/or fail to identify their schemes. Did the fraud fighters properly plan and brainstorm for fraud?
Fraud brainstorming is more than sitting around a table for an hour talking about how fraud could occur. It involves delving into the details, thinking like a fraudster and using the knowledge of the processes to increase awareness of where frauds may be hiding.
When broken down into its parts, fraud brainstorming encompasses: assembling the right people; assessing the process(es), players, data and environment; developing fraud schemes and audit procedures based on these schemes; and developing fraud triggers.
ASSEMBLING THE RIGHT PEOPLE
For the most part, the audit team members will be the primary individuals involved in a fraud brainstorming session in advance of an audit so the objectives will remain relatively confidential. This also will minimize the possibility that the target group gets wind of the impending audit, especially steps designed to detect fraud. Therefore, carefully manage and safeguard the inclusion of others in this process.
CFEs in a fraud brainstorming session will bring investigative minds and skill sets to the session. On the other hand, don't include management in the session. An auditor must assume that any employee in the target group could be committing fraud, including management. If they're involved in the session, they could tip off the unknown fraudster. And be careful about including employees of the area being audited, such as an ethics or compliance specialist or human resources professional. Though they could be valuable additions, they could leak important information.
ASSESSING THE PROCESS(ES)
The audit staff clearly identify the process(es) that the brainstormers will review during the audit so they can identify the right fraud risks. Consider the following:
Assess the complexity of the process' moving parts. The more complex a process, the greater the chance that fraud will slip through the cracks and crevices.
Number of transactions
The more transactions, the easier fraudsters can hide their crimes. Pay close attention to those processes that generate significant numbers of transactions, and design fraud detection tests accordingly.
Number of dollars, both large and small
Auditors may be drawn to focus on the high-dollar transactions that are above a certain threshold. But a significant fraud scheme could be occurring just under established thresholds. In some instances, the smallest transaction could be the indicator of a large, ongoing fraud.
Manual vs. automated systems
Discover if a process is manual or automated. Manual processes may allow for employees' manipulation. Understand the "touch points" in an automated system in which employees can enter, change and extract data.
New systems vs. legacy systems
New and legacy systems can pose separate unique risks and challenges when you're trying to detect fraud. A new system may cause confusion, operator errors, manual workarounds and breakdowns of existing controls in peripheral systems. A potential fraudster waits for this sort of turmoil and opportunity.
Auditors who have been routinely auditing legacy systems for years with the same checklists and test steps may have become lax and overlook large frauds committed by longtime employees.
Process control by non-employees — outsourced or contractors
If contractors or non-employees have access to processes, audit staff should assess what frauds they could be committing. Lack of daily oversight and control and lack of their definitive reporting structures to the company could keep these non-employees out of sight and out of mind.
Previous process issues, gaps and errors
Consider and identify other issues involved in a process or group to help paint a more accurate picture of possible fraud schemes:
Many audit steps have historically worked to identify those situations that could arise from a direct override of process controls. But, the auditor, during the fraud brainstorming process, should also assess instances in which there could be "soft" or indirect overrides. A routine audit may simply look at a CFO's access to the financial data and the ability to make unauthorized changes, such as a direct overoveride capability. However, a finance manager who'll make any changes to the accounting system based on the CFO's direction, without question, could be a situation in which the CFO has an indirect override capability to alter the financials. Evaluating indirect override capability requires assessing the influence of the decision makers and the willingness to act without question.
- What have been the previous audit findings and responses from management regarding this process or group?
- Repeated findings?
- Management pushback?
- Lack of implementation of audit recommendations?
- Has the process or group received any fines from state, local or federal agencies?
- Has the process or group been involved in any lawsuits, complaints or injunctions?
- Has the process or group been responsible for any issues that have affected the health or operation of the company?
- Have there been investigations into this area, whether conducted by internal investigators, legal counsel or external agencies?
- Process override or edit capabilities, direct and indirect
For full access to story, members may sign in here.
Not a member? Click here to Join Now.