The Fraud Audit - Leonard W. Vona - E-Book

Description

Essential guidance for creation of an effective fraud audit program in core business systems

The Association of Certified Fraud Examiners has reported that U.S. businesses lose up to $4 billion annually due to fraud and abuse. Discover fraud within your business before yours becomes another business fraud statistic. The Fraud Audit provides a proven fraud methodology that allows auditors to discover fraud versus investigating it.

  • Explains how to create a fraud audit program
  • Shows auditors how to locate fraud through the use of data mining
  • Focuses on a proven methodology that has actually detected fraudulent transactions

Take a look inside for essential guidance for fraud discovery within specific corporate F&A functions, such as disbursement, procurement, payroll, revenue misstatement, inventory, journal entries, and management override.

Page count: 584

Year of publication: 2011


Contents

Cover

Title Page

Copyright

Dedication

Preface

Chapter 1: What Is a Fraud Audit?

Why Respond to Fraud Risk?

The Fraud Paradigm

Fraud Auditing

Fraud Defined

The Fraud Triangle

Responses to the Risk of Fraud

Summary

Chapter 2: Professional Standards

Overview

Fraud Audit Standards

Summary

Chapter 3: Fraud Scenarios

Key Definitions and Terms

Fraud Risk Structure

Classifying Fraud

Identifying Fraud Scenarios

Fraud Audit Considerations

Summary

Chapter 4: Brainstorming: The Implementation of Professional Standards

What Is Brainstorming?

When to Brainstorm

Summary

Chapter 5: Assessment of Fraud Likelihood

Preparing a Fraud Risk Assessment

Summary

Chapter 6: Building the Fraud Audit Program

Traditional Audit versus the Fraud Audit

Responding to the Risk of Fraud

A Fraud Audit Program

Testing Procedures

Fraud Concealment Effect on the Audit Response

Audit Evidence Issues

Fraud Scenario Examples

Summary

Chapter 7: Data Mining for Fraud

The Art and Science of Data Mining

Strategies for Data Mining

Limitations of Data Mining

Summary

Chapter 8: Fraud Audit Procedures

Basis of Fraud Audit Procedures

Levels of Fraud Audit Procedures

Design of Fraud Audit Procedures

Summary

Chapter 9: Document Analysis

Document Analysis and the Fraud Audit

Levels of Document Examination

Document Red Flags

Brainstorming Sessions and Document Red Flags

The Fraud Audit Program and Document Red Flags

Summary

Chapter 10: Disbursement Fraud

Fraud Risk Structure

Audit Approaches

Summary

Chapter 11: Procurement Fraud

Fraud Risk Structure

Audit Procedures

Summary

Chapter 12: Payroll Fraud

Fraud Risk Structure

Audit Procedures

Summary

Chapter 13: Revenue Misstatement

Fraud Risk Structure

Audit Approach

Summary

Chapter 14: Inventory Fraud

Fraud Risk Structure

Audit Procedures

Summary

Chapter 15: Journal Entry Fraud

Fraud Risk Structure

Audit Procedures

Summary

Chapter 16: Program Management Fraud

Fraud Risk Structure

Audit Approach

Summary

Chapter 17: Quantifying Fraud

Conveying the Impact to Management

Role of Evidence in Calculating a Fraud Loss

Impact on the Fraud Audit

Options for Management

Case Studies

Summary

Appendixes

Appendix A: Fraud Audit Program: Payroll

Background

Key Terms

Fraud Scheme Structure

Overall Audit Approach

Red Flags

Data Mining

Fraud Audit Procedures

Appendix B: Fraud Audit Program: Disbursements

Red Flags

Fraud Audit Procedures

Appendix C: Fraud Audit Program: Procurement

Key Terms

Fraud Scheme Structure

Overall Audit Approach

Red Flags

Cost Mischarging

Fraud Audit Procedures

Appendix D: Fraud Audit Program: Inventory

Inventory Concealment Techniques

Appendix E: Fraud Audit Planning Program: Revenue Recognition

Fraud Risk Structure: Revenue Recognition

Fraud Concealment Strategy

Planning the Revenue Audit

Audit Areas for False Billing Schemes

Audit Areas for Improper Recognition Schemes

Appendix F: Checklist of Inherent Scheme Structure

Entity Structure

Disbursement Chapter

Payroll Chapter

Procurement Schemes

Appendix G: Fraud Audit Matrix

About the Author

Index

Copyright © 2011 by John Wiley & Sons, Inc. All rights reserved.

Published by John Wiley & Sons, Inc., Hoboken, New Jersey.

Published simultaneously in Canada.

No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, (978) 750–8400, fax (978) 646–8600, or on the Web at www.copyright.com. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748–6011, fax (201) 748–6008, or online at http://www.wiley.com/go/permissions.

Limit of Liability/Disclaimer of Warranty: While the publisher and author have used their best efforts in preparing this book, they make no representations or warranties with respect to the accuracy or completeness of the contents of this book and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives or written sales materials. The advice and strategies contained herein may not be suitable for your situation. You should consult with a professional where appropriate. Neither the publisher nor author shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages.

For general information on our other products and services or for technical support, please contact our Customer Care Department within the United States at (800) 762–2974, outside the United States at (317) 572–3993 or fax (317) 572–4002.

Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in electronic books. For more information about Wiley products, visit our web site at www.wiley.com.

Library of Congress Cataloging-in-Publication Data:

Vona, Leonard W., 1955–

The fraud audit: responding to the risk of fraud in core business systems / Leonard W. Vona.

p. cm. — (Wiley corporate f&a; 16)

Includes index.

ISBN 978-0-470-64726-4 (cloth); ISBN 978-1-118-09370-2 (ebk);

ISBN 978-1-118-09371-9 (ebk); ISBN 978-1-118-09372-6 (ebk)

1. Fraud investigation—United States. 2. Forensic accounting—United States. 3. Fraud—United States—Prevention. I. Title.

HV8079.F7V66 2011

658.4′73—dc22

2011007524

To my children: Amy, David, and Jeffrey.

Each of you, in your own way, has contributed to this book.

Preface

Someday, I would like professional studies to indicate that auditing is the number one reason for fraud detection; I believe this goal can be accomplished. However, I also believe that we need to recognize that fraud auditing is different from traditional auditing in that it uses all the methodologies of traditional auditing but applies them differently.

Fraud auditing is a methodology to respond to the risk of fraud in core business systems. It is a combination of risk assessment, data mining, and audit procedures designed to locate and identify fraud scenarios. It is based on the theory of fraud, which recognizes that fraud is committed with the intent to conceal the truth. It incorporates into the audit process the concept of red flags linked to the fraud scenario concealment strategy associated with data, documents, internal controls, and behavior.

To illustrate the “different” concept, fraud auditing recognizes that the greatest audit procedure in the world will not detect fraud if the sample does not include one fraudulent transaction. Data mining is the audit tool to build a sample. Fraud audit procedures use the authenticity principle versus the evidence principle for designing test procedures. These fraud audit procedures acknowledge the varying degrees of fraud concealment sophistication that the perpetrator intends to commit in the fraud scenario.

My book is intended to share my professional experiences in studying and performing fraud audits. I hope this is the first of many books in the industry to discuss methodologies for responding to the risk of fraud within the professional practice of auditing.

Chapter 1

What Is a Fraud Audit?

The debate is over; auditors have a responsibility to respond to the risk of fraud. The stockholders, board of directors, and management of organizations are looking to their internal auditors to detect fraud before it undermines the vital operations that are referred to herein as the core business systems. Auditing standards now require auditors to respond to the risk of fraud. Phrases such as professional skepticism, identified fraud risk, fraud risk assessment, and fraud audit procedures are now found in use within organizations of all types to meet the current standards. Unfortunately, this change seems to be an agonizing effort for all involved. Just say the very word fraud and everyone seems to react as though someone has contracted the bubonic plague. Therefore, all parties involved in the effective, efficient, and healthy operation of an organization, such as the aforementioned auditors and various stakeholders, need to recognize what fraud is, where it is found, and how it is found. So, when we speak of fraud in the context of auditing, it denotes a distinct body of knowledge, the mastery of which is needed to address the risk of fraud. The title of auditor does not immediately confer knowledge regarding fraud, and it certainly doesn't imply mastery of identifying the risk. Auditors need to possess this specialized knowledge to solve the difficulties in addressing fraud that perplex the profession. So, fear no more, because you, the auditor, aren't facing a steep climb up a mountain of knowledge all alone. No, the purpose of this book is to give you the guidance, strategy, and tools you'll need to make a safe trip.

The Awareness Theory Methodology (ATM) approach to fraud auditing is at the heart of our discussion of the fraud audit. The objective of “ATM” is to provide a conceptual framework for the fraud audit. Fraud theory (the “T” in ATM) asserts that fraud is a body of knowledge. Understanding the how, why, and where of fraud are critical elements of this body of knowledge. Knowing “how” fraud occurs is dependent upon a logical, rule-based system whereby the auditor identifies the fraud scenarios facing an organization. Consequently, a process must be provided for describing the fraud scenarios inherent to the core business system. The process is commonly referred to as the fraud identification stage. The “why” fraud occurs involves the reasons individuals commit fraudulent acts against an organization. Referring to the quintessential fraud triangle, the reasons for committing fraud relate to pressure and rationalization factors. Knowledge of the typical underlying reasons of why fraud is committed is critical to both building the control environment and enhancing an auditor's awareness to the likelihood of fraud. Last, the question of “where” fraud occurs is the premise of this book, namely, the core business systems. These systems are identified herein as procurement, disbursements, payroll, financial statement reporting, inventories, and journal entries.

The auditor needs a methodology (the “M” in ATM) for building a response to detect fraudulent transactions. The fraud response starts in the planning stage with the brainstorming session and continues with the assessment of fraud likelihood and fraud significance. Included in the response are the steps of audit procedures that will reveal the true nature of the transaction (referred to as building a sample of transactions; also known as data mining), implementation of fraud audit procedures, and the final step of evaluating the audit evidence for qualitative and quantitative considerations. These steps are all essential parts of the overall audit response to the fraud risk.

Finally, there is the awareness (the “A” in ATM) required by the fraud audit approach discussed in this book. The auditor needs to be able to recognize fraud scenario potential among the millions of transactions that exist in today's business systems. Knowing the red flags of fraud and recognizing the potential for fraud scenarios inherent to specific organizational structures is critical to the overall process of finding fraud.

Why Respond to Fraud Risk?

There are many reasons to detect and uncover fraud. The obvious reasons are the substantial monetary sums and industry-wide and international reputations at stake. Many studies have been done projecting the cost of fraud to organizations. The range of results is extreme, from instances where the cost is minimal to cases where fraud is found to be so rampant that it causes the destruction of an organization. Organizations like Barings Bank and Enron do not exist today because of the fraudulent actions of their employees. The cost of corruption in public contracts has been estimated to exceed one trillion dollars. Examples abound, too, with large companies still in operation, like the fraud allegations regarding numerous Fortune 500 companies. Just pick up a newspaper on any given day and in all likelihood there will be a story concerning fraud. The overriding fact is that fraud costs organizations significant monetary amounts and reputation-harmful publicity each year.

However, organizations do not have to accept fraud as a cost of doing business, and they should not live in a state of denial that their existing internal controls will protect them from fraud. Organizations need to realize that a proactive audit approach is necessary in the detection of fraud. Whether this task is embedded in an internal audit or outsourced to an audit firm is a matter of corporate style and, therefore, should not compromise the overall purpose of finding fraud. Therefore, the primary result of rooting out fraud should be both an increase to the bottom line through financial recoveries and the stopping of future losses.

Professionally, the standards are requiring auditors to respond to the risk of fraud within their audit scope. Consequently, not having a response to fraud is a violation of standards. Other than fear, what is preventing the standards from being followed? As with any standards, regulations, policies, and so on, it comes down to interpretation. What continues to be debated is the breadth of the audit response to the fraud risk. Is a questionnaire sufficient to evaluate fraud propensity? Is the awareness of red flags the right approach? Should auditors search for fraud when no overt internal control red flags are evident? Is a site visit to validate the existence of a customer an audit or investigation procedure? These are all good questions that are being debated in the profession. The answers in all probability will eventually be derived from a combination of three things: the actual attempts at applying the audit standards, customer expectations of the auditors' efforts in finding fraud, and the desire of the auditor to detect fraud.

In light of such speculation, this book will focus on the first of these three things, specifically, the techniques that have been tried and proven effective in the detection of fraud. However, given the relevance of the professional audit standards to this discussion, Chapter 2 of this book will provide an overview of the professional audit standards so that the reader can correlate the standards to the processes being discussed.

The Fraud Paradigm

Times have changed. Old problems such as fraud have taken on new attributes because of the technological sophistication of our society. The ease of doing business because of continual technological advances presents opportunities that audit methodologies have not kept up with. We need to think differently about fraud in order to develop a realistic audit approach to fraud risk. There are essential questions that need to be asked to close this ever-growing gap.

For example, what is fraud? A simple question, but we still need to be on the same page. As auditors, we need to distinguish the difference between fraud in a legal sense and fraud from an auditor's perspective. We also need to understand the difference between a violation of law and a fraudulent act. From a legal perspective, the act of embezzlement, although a violation of law, is not necessarily a fraudulent act; however, most auditors would consider such an act as fraudulent. Therefore, auditors need a fraud definition that is consistent with the audit process, not the legal system. Words like fraud scenario, intent, concealment, and damages should be defined from an audit perspective versus a legal perspective. In order to find fraud, auditors must know what fraud is within the boundaries of the systems they are working in and not those of the law per se.

Should auditors prove fraud? The answer is no. Auditors are not the trier of fact. From a legal perspective, judges and juries are responsible for making the decision. Internally, the decision rests with management or the audit committee, depending on the organization's policies. Auditors are responsible for conducting audits that identify activity that may violate laws or internal policies. The activity should then be referred to the appropriate investigative body. For an analogy, the audit process is like a grand jury. The opinion of the grand jury and the auditor is that sufficient evidence exists to warrant an investigation. Whether the investigation is conducted by the same person is not relevant; however, it is important to note that there is a distinction between the fraud audit process and the legal investigative process.

Can auditors detect inherent fraud schemes within the audit process? Perhaps the answer is not a simple yes or no. Two critical points center on the sophistication of the fraud concealment strategy and the inherent fraud scheme. For example, the revenue-skimming fraud scheme is the diversion of revenue before the revenue transaction is recorded. By the nature of the scheme, there is no record trail. Therefore, the examination of the books and records will not detect the fraud scheme. The sophistication of the concealment is how the individual hides his or her actions, which can be rated as low, medium, or high. If the person uses his home address for his shell corporation, the audit process should be able to detect that scheme. If the individual uses a series of shell corporations using post office boxes, the audit process may not be able to detect the fraud scenario. Understanding what fraud scenarios are detectable within the audit process is critical to planning the fraud audit. Additionally, if the nature of the fraud scenario is not detectable within the audit process, then logically, the organization needs to strengthen internal controls or rely on allegations of the fraud scenario.

Can you have a complex fraud scheme inherent to an organization? No. Most inherent fraud schemes are fairly simple to understand. It is how individuals conceal their actions and shield themselves from the action that may be complex or difficult to detect. Some might say this is a game of words. Maybe so, but the difference between the action and the concealment strategy is an important distinction to know.

Fraud Auditing

A fraud audit is the process of responding to the risk of fraud within the context of an audit. It may be conducted as part of an audit, or the entire audit may focus on detecting fraud. It may also be performed because of an allegation or the desire to detect fraudulent activity in core business systems. For our discussion purposes, this book will focus on the detection of fraud when there is no specific allegation of fraud.

Fraud auditing is the application of audit procedures designed to increase the chances of detecting fraud in core business systems. The four steps of the fraud audit process are:

1. Fraud risk identification. The process starts with identifying the inherent fraud schemes and customizing the inherent fraud scheme into a fraud scenario. Fraud scenarios in this context will be discussed in Chapter 3.

2. Fraud risk assessment. Fraud risk assessment is the linking of internal controls to the fraud scenario. The assessment of fraud likelihood is discussed in Chapter 5. Also involved is the use of data mining search routines to determine if transactions exist that are consistent with the fraud scenario data profile. While data mining is highlighted in Chapter 7, it is a relevant part of our discussion throughout the book.

3. Fraud audit procedure. The audit procedure focuses on gathering audit evidence that is outside the point of the fraud opportunity. Specific procedures will be discussed in Chapter 8 and have relevance in subsequent chapters.

4. Fraud conclusion. The conclusion is an either/or outcome, requiring either referral of the transaction to investigation or the determination that no relevant red flags exist. Chapters 3 through 9 contain relevant discussion of this step.

Traditional Audits versus Fraud Audits

As stated previously, but worth repeating, auditors today have a responsibility to respond to the risk of fraud. What continues to be debated is how to respond to that risk. The discussion centers around the difference between audit procedures performed in a traditional audit versus those performed in a fraud audit. To understand the differences, we first need to define each audit approach, then compare the two. A traditional audit typically focuses on the adequacy and effectiveness of the internal controls. The process is commonly referred to as a test of internal controls. A Generally Accepted Auditing Standards (GAAS) audit of the financial statements would also include substantive tests of the financial accounts comprising them. In contrast, a fraud audit is the application of specific audit procedures to increase the likelihood of detecting fraud in core business systems. It is a proactive approach to detecting fraud, unlike a fraud investigation, which takes a reactive approach. The fraud audit does not test controls, but rather independently affirms the authenticity of the transaction by gathering evidence external to the perpetrator.

The two types of audits can also be compared in terms of the differences in sampling methodology, audit procedures, and the qualitative aspects of audit evidence as follows.

The traditional audit requires selecting a sample using random and unbiased sampling procedures in order to opine on the effectiveness of the internal controls. The fraud audit requires selecting a sample using a nonrandom, biased sampling methodology, based on the fraud data profile, to detect fraudulent transactions. The sampling approach for fraud auditing is commonly referred to as discovery sampling.

In a traditional audit, the audit response is to test controls and examine documentary evidence to verify that the control procedure is operating as designed by management. The resulting conclusion is that controls are or are not operating as management intended. In a fraud audit, the audit response is to perform fraud audit procedures designed to gather evidence independent of company documents. An example can be found by looking at testing in the cash disbursement cycle where the inherent fraud scheme is the use of a fictitious company billing for services not performed. A traditional audit of the cash disbursement cycle relies on the vendor invoice and authorized approval signature. Depending on the controls in place, purchase orders or two levels of approval may be required. The fraud audit does not focus on the controls, but rather on the authenticity of the transaction. In a fraud audit, the auditor will either perform procedures to independently verify if the company exists in the truest business sense or employ a procedure to ensure the vendor is conducting business consistent with that described on the invoice.
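The biased, data-profile-driven sample selection described above (and the data mining search routines of step 2 of the fraud audit process), worked through for the fictitious-vendor scheme in the cash disbursement cycle. This is an added example, not code from the book; the employee, vendor and payment records, the red-flag rules and the 5,000 approval threshold are all constructed assumptions.

```python
"""Discovery sampling for the fictitious-vendor scheme in the disbursement cycle.

Constructed example: the employee, vendor and payment records below are
invented for illustration, and the red flags and approval threshold are
assumptions, not rules taken from the book.
"""
import re

APPROVAL_THRESHOLD = 5000.00  # assumed second-approver limit (hypothetical)

# Constructed master and transaction data (not real records).
EMPLOYEES = [
    {"id": "E100", "name": "Pat Lee", "address": "12 Oak Street, Springfield"},
    {"id": "E200", "name": "Sam Cruz", "address": "88 Elm Avenue, Springfield"},
]
VENDORS = [
    {"id": "V1", "name": "Acme Supplies Inc", "address": "500 Industrial Parkway, Springfield", "created_by": "E200"},
    {"id": "V2", "name": "PL Consulting", "address": "12 Oak St., Springfield", "created_by": "E100"},
    {"id": "V3", "name": "Northside Services", "address": "PO Box 4471, Springfield", "created_by": "E200"},
]
DISBURSEMENTS = [
    {"id": "P1", "vendor": "V1", "amount": 12500.00, "po": "PO-77", "approver": "E100"},
    {"id": "P2", "vendor": "V1", "amount": 8300.00, "po": "PO-78", "approver": "E100"},
    {"id": "P3", "vendor": "V2", "amount": 4950.00, "po": None, "approver": "E100"},
    {"id": "P4", "vendor": "V2", "amount": 4975.00, "po": None, "approver": "E100"},
    {"id": "P5", "vendor": "V3", "amount": 2100.00, "po": "PO-80", "approver": "E100"},
]

_ABBREVIATIONS = {"street": "st", "avenue": "ave", "parkway": "pkwy", "road": "rd"}


def normalize_address(address):
    """Lower-case, strip punctuation and abbreviate so 'Oak Street' == 'Oak St.'."""
    words = re.sub(r"[^a-z0-9 ]+", " ", address.lower()).split()
    return " ".join(_ABBREVIATIONS.get(w, w) for w in words)


def profile_vendor(vendor, employees, disbursements, threshold=APPROVAL_THRESHOLD):
    """Return the red flags that match this vendor's fraud data profile."""
    flags = []
    employee_by_address = {normalize_address(e["address"]): e["id"] for e in employees}
    vendor_address = normalize_address(vendor["address"])

    # Vendor address equals an employee's home address (low-sophistication concealment).
    if vendor_address in employee_by_address:
        flags.append("address matches employee " + employee_by_address[vendor_address])
    # Post-office-box address: the vendor has no verifiable physical premises.
    if re.search(r"\bp ?o box\b", vendor_address):
        flags.append("post office box address")

    payments = [p for p in disbursements if p["vendor"] == vendor["id"]]
    # Every payment bypassed the purchase-order control.
    if payments and all(p["po"] is None for p in payments):
        flags.append("no purchase order on any payment")
    # The control owner who created the vendor also approves its payments.
    if any(p["approver"] == vendor["created_by"] for p in payments):
        flags.append("payments approved by the employee who created the vendor")
    # Repeated amounts kept just under the second-approval threshold.
    near_limit = [p for p in payments if threshold * 0.95 <= p["amount"] < threshold]
    if len(near_limit) >= 2:
        flags.append("repeated amounts just under the approval threshold")
    return flags


def discovery_sample(employees, vendors, disbursements, min_flags=2, threshold=APPROVAL_THRESHOLD):
    """Nonrandom, biased sample: vendors whose data profile carries enough red flags.

    The output is the sample handed to the fraud audit procedures (independent
    verification that the vendor exists and performed the billed services); it is
    not a conclusion that any vendor is fictitious.
    """
    sample = []
    for vendor in vendors:
        flags = profile_vendor(vendor, employees, disbursements, threshold)
        if len(flags) >= min_flags:
            sample.append({"vendor": vendor["id"], "name": vendor["name"], "score": len(flags), "flags": flags})
    sample.sort(key=lambda row: row["score"], reverse=True)
    return sample


if __name__ == "__main__":
    for row in discovery_sample(EMPLOYEES, VENDORS, DISBURSEMENTS):
        print(row["vendor"], row["name"], row["score"], "; ".join(row["flags"]))
```

Only vendors that clear the flag threshold reach the sample; the auditor then applies the fraud audit procedures to those transactions rather than to a random selection.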

Fraud Audit versus Fraud Investigation

The primary distinction between the fraud audit and the fraud investigation is the standards for performing the engagement and the intent of the engagement. The fraud audit is performed under the auditing standards. Whereas fraud investigations are performed using the criminal or civil standards applicable to the jurisdiction, fraud auditing is intended to identify transactions that warrant an investigation. The intent is not to prove fraud, but rather to identify the transactions as suspicious. In other words, the transaction has unresolved red flags. The decision tree analysis in Chapter 8 will further elaborate on the concept of a suspicious transaction. Fraud investigation is intended to refute or corroborate the suspicion of fraudulent acts. The law becomes the basis for the methodology and standards. Criminal and civil procedure, rules of evidence, statutes, and burdens of proof are critical elements of the investigative process. Even in the fraud investigation, the purpose is not to prove fraud; that obligation is the responsibility of the trier of fact, specifically, either the judge or the jury.

In reality, a fraud audit and a fraud investigation do use many of the same procedures, such as document examination, interviews, and report issuance. In terms of responding to an allegation of fraud, the difference between fraud audit and fraud investigation rests with the standards of the eventual trier of fact. In responding to the risk of fraud with no specific allegation of fraud, the difference between audit and investigation seems to hinge on the perceived responsibility of the auditor to detect fraud within the audit process.

Fraud Defined

By defining fraud, we hope to establish the scope of the fraud response from an audit perspective. This means that the auditor may adopt the definition as written, or exclude those aspects not relevant to the scope of their audit. However, intent and concealment should never be excluded from the definition. What we are essentially doing in defining fraud from an audit perspective is describing the characteristics of fraudulent acts that differentiate them from similar or like acts. Specifically:

1. Acts committed on the organization or by the organization or for the organization. The first part of the definition focuses on the primary and secondary classifications of fraud, which will be discussed in Chapter 3.

2. Acts committed by an internal or external source. The focus is on the primary party committing the fraudulent act. Obviously, the scenario may include both parties.

3. The acts are intentional and concealed. The intent of the act and how the fraud is concealed differentiate fraud risk from control risk.

4. The acts are typically illegal or denote wrongdoing, such as in the cases of financial misstatement, policy violation, ethical lapse, or a perception issue. The purpose is to distinguish between the illegal act and the act that is not illegal, but conducted with intent and to conceal.

5. The acts cause a loss of company funds, company value, or company reputation, or any unauthorized benefit whether received personally or by others. Fraud by its nature is associated with financial gain.

The Fraud Triangle

The fraud triangle explains why people commit fraud. The theory behind it is simple: those with opportunity either rationalize their illicit behavior or are motivated by the pressures to commit the fraudulent behavior. Statement on Auditing Standards No. 99 requires auditors to understand the fraud risk factors as part of planning their audit response to the risk of misstatement. Understanding the concept is easy; however, applying the concept in the fraud audit is more of a challenge. The following sections describe the components of the fraud triangle, along with the challenges in the practical application of it.

Opportunity to Commit Fraud

Opportunity is an individual's ability to commit a fraud scenario and his or her related experience in committing the scenario. In the audit planning stage, the fraud opportunity should be viewed absent of any internal controls. The goal is to identify all parties that logically have the opportunity to commit the fraud scenario. The parties can be identified through job title or function; for example, from an internal control perspective, it is a person's job duties that provide an opportunity to commit fraud rather than the level of operation presenting an opportunity to commit fraud. Also, the actual opportunity is either direct or indirect. In Chapter 3 we will further discuss fraud opportunity in context of the permutation analysis.

Opportunity also correlates to one's experience in committing the fraud scenario. We have identified four categories of fraud perpetrators and experience levels as follows:

1. There is the first-time offender, where the pressures and rationalization cause the person to commit the fraudulent act. Remember that opportunity pertains to the ability to commit the fraudulent act and not the cause. There are many theories regarding first-time offenders. Typically, their fraud starts from nothing, as when the perpetrator learns of a control weakness and becomes tempted. Then it grows with each subsequent successful attempt. Consequently, these frauds are usually detected within a few years.

2. The repeat offender is a person who has committed a fraud scenario in more than one organization or committed fraudulent acts numerous times, but in different areas of the company without detection each time. This description indicates that opportunity is the critical factor involved with the intent to commit fraud multiple times, with the causes of pressures and rationalization being less significant factors.

3. The organized crime category pertains to a group of people external to the organization who are dedicated to committing the fraudulent act. Again, pressures and rationalization are not as critical as is opportunity. Often, individuals in this category will extort or bribe employees to participate in the fraudulent act, or members of the organized crime group will seek employment within the organization to commit the act.

4. For the benefit of the company category, the individuals involved typically see their action as benefiting the organization; therefore, rationalization is typically the cause. These individuals are characteristically high-ranking employees in the organization. While they benefit from their actions as individuals, they also believe their actions are for the good of the organization.

Knowing these categories is useful in understanding how the fraud triangle theory correlates to the tendency for committing fraud. Also, they highlight why internal controls sometimes fail to stop a motivated person from committing the fraudulent activity. Within the fraud audit, the opportunity to commit fraud is the critical consideration, as seen with the experience factors just described. For example, the control owner has the primary opportunity to commit the fraud scenario. Consequently, linking the inherent fraud scheme to the person with the opportunity becomes the basis for identifying the fraud scenarios related to a particular business system. Using the fraud permutation analysis will also bring to light other fraud opportunities that are not considered in a more traditional, control-based audit. Clearly, understanding the fraud opportunities and linking them to an inherent fraud scheme is a critical first step before an audit response can be planned and executed.

Pressures Affecting People or Organizations

The identification of pressures will vary with the primary classification of fraud. Typically, the pressure is financial. For example, the pressure to meet investors' expectations of higher income is the pressure typically behind fraudulent financial reporting, one of the primary fraud classifications, whereas personal financial pressure is more typically behind asset misappropriation. The key is to understand which pressures correlate to which primary fraud classification, but more on that in Chapter 3. For now, you have to know that an audit, by its nature, generally does not have procedures to gather information that would disclose these issues with any certainty. However, the audit process can create an awareness of behaviors in the workplace indicative of a lifestyle-maintenance issue that creates pressure. It is interesting to note that in a subsequent investigation, private investigators would collect information regarding behaviors that relate to vices or other lifestyle anomalies.

Rationalization of Fraudulent Behavior

People rationalize their behaviors. The reasons vary from person to person, but a justification always exists. Fundamentally, rationalization is a conscious decision by the perpetrator to place his or her needs above the needs of others. Even though the ethical decision-making process varies by individual, culture, and experience, rationalization is present. The concept is important in understanding why people commit fraud. You can put two employees in the same job duties with the same opportunity to commit fraud. One will take the opportunity and the other will not. How the one who does take the opportunity rationalizes the fraud speaks to the cause and not the opportunity. Therefore, when you think of the practicality of using the rationalization concept to identify fraud, you are limited to being observant of lifestyle behaviors.

Fear of Detection

The reasons for not committing fraud are numerous. Personal integrity, family values, and religious beliefs are just a few of them. One reason, outside the area of virtues, morals, and character, is the fear of detection. There we go talking about fear again, but the fear of being detected is a very significant factor in discussing fraudulent behavior. From an internal control perspective, once pressure and rationalization exceed the fear of detection, people are more prone to committing a fraudulent act. This condition is important to understand, especially when auditors place too much reliance on an internal control's ability to mitigate a fraud risk. This does not mean that internal controls are to be ignored. They are one of the important defenses in preventing fraud. However, in assessing the likelihood of fraud, the fear of detection, or the lack thereof, is an intangible; that is, it is difficult to assess, and therefore is not a part of our discussion of factors mitigating risk in a fraud audit.

Fraud Triangle Premises

The body of knowledge surrounding the fraud triangle is critical to the fraud auditor. The ATM approach to a fraud audit relies on the concepts denoted by the fraud triangle. The triangle as a whole is critical in the planning phase for the recognition of the tendency for fraud within the core business system. In particular, designing the methodology for the data mining, audit procedures, and evidence considerations relies on the fraud opportunity. The following summarizes key considerations regarding the fraud triangle:

1. The three elements of fraud—rationalization, pressure, and opportunity—coexist at different levels per individual.

2. The three elements of fraud will vary based on personal circumstances of the individual.

3. The strength of one element may cause an individual to commit a fraudulent act.

4. The strength of one element may eliminate the worry of fraud detection.

5. Identifying the three elements is easier than measuring the three elements.

6. The fraud risk factors may originate from internal or external sources.

7. Fraud opportunity is the one aspect of the fraud triangle that is easily identifiable.

8. The fraud audit is based on the opportunity to commit an inherent fraud scheme.

Responses to the Risk of Fraud

There are two fundamental approaches to responding to the risk of fraud. The first approach is to test internal controls and be alert to the red flags of fraud. The second approach is to actively search for the existence of fraud scenarios that are occurring in the core business systems and not rely on internal controls. The approach used is dependent on the purpose of the audit and the applicable audit standards.

The methodology for responding to the risk of fraud will vary depending on the professional standards and the purpose of the audit; that is, financial statement audits will apply Generally Accepted Auditing Standards. In particular, Statement on Auditing Standards No. 99 (SAS 99) provides guidance on responding to fraud risk in a financial statement audit. The overall purposes can be categorized in the following four groups:

1. Reliance on internal controls for purposes of a financial statement audit. In the financial statement audit, the auditor tests internal controls and is alert to the red flags.

2. Provide an opinion on the operating effectiveness of the internal controls regarding fraud minimization. The internal controls are tested and the auditor is alert to the red flags.

3. Provide an opinion on the existence of fraud in core business systems. In the fraud audit, the auditor does not rely on internal controls and instead actively searches for fraud. Internal controls are considered only in terms of control avoidance strategies, circumvention strategies, and inhibitor considerations.

4. Respond to an allegation of fraud. The investigation by design is intended to refute or corroborate the allegations. The existence or avoidance of internal controls may be relevant to establishing intent.

The methodologies for responding to the risk of fraud are the following:

1. Red flag approach. The purpose is to test the effectiveness of internal controls and be alert to the red flags that are consistent with the fraud scenario. In a financial statement audit, the purpose is to determine the reliance on internal controls as part of the decision process on substantive testing procedures. Internal auditors test internal controls to determine their effectiveness. Understanding the red flags is critical to both the awareness and the methodology of the fraud response.

2. Integrate a fraud audit procedure into an audit program. The purpose is to respond to a specific fraud scenario. The scenario may come from a perceived risk within the risk assessment or from a mandatory fraud risk, such as revenue recognition as required by SAS 99.

3. Fraud audit. The purpose of the fraud audit is to uncover fraud in the core business systems and be alert to internal control weaknesses regarding fraud opportunity.

4. Fraud allegation response. The purpose is to refute or corroborate the allegation of fraudulent activity.

Summary

Although the methodology for conducting a fraud audit is different from traditional auditing, the auditor employs many of the same skills and tools. Therefore, fraud audits are a blend of new methodologies and traditional audit tools. Instead of debating whether the procedure is a traditional audit, fraud audit, or fraud investigation, this book will direct its efforts toward what the auditor can do to uncover fraud in the places it is most often found: the core business systems.

Chapter 2

Professional Standards

Every professional football team uses a playbook filled with intricately designed plays made up of X's and O's with arrows and such. No matter how refined or how numerous the plays in the book, it is the execution of them that determines a team's success. As unbelievable as it may first sound, the same can be said of fraud auditing. Without standards, a playbook directed at fraud leaves successful results to happenstance, and who wants to watch a team constantly calling an audible anyway? The standards may seem too broad for practical implementation: how can every possible situation be taken into account? However, like our plays, there needs to be room to adjust to the distinctiveness of the situation, and the tools provided by these standards allow for successful outcomes if executed properly.

The accounting scandals of the past few decades, as well as the recent economic downturn, have left a cloud over the auditing profession. It became apparent that the traditional standards of control testing and the overview of financial statements were not effective in detecting fraud. As a result, some old audit standards were revised and new ones were created. These “playbooks” offer the auditor guidelines, tools, and a solid basis for devising “a game plan” for addressing the risk of fraud.

Overview

Like a professional football team's game plan, whereby a playbook is revised to match a certain opponent, the focus of this chapter's discussion is not on one set of standards, but on standards provided by the Institute of Internal Auditors (IIA), the American Institute of Certified Public Accountants (AICPA), the U.S. Government Accountability Office (GAO), and the International Auditing and Assurance Standards Board (IAASB). Each of these organizations' fraud audit standards has similarities with the others, but the major differences between them are whether the auditors are internal or external; whether the organization is governmental in nature or receiving government funding; or whether the organization is international.

For example, the IIA defines fraud as

[a]ny illegal act characterized by deceit, concealment, or violation of trust. These acts are not dependent upon the threat of violence or physical force. Frauds are perpetrated by parties and organizations to obtain money, property, or services; to avoid payment or loss of services; or to secure personal or business advantage.

The IIA addresses how boards of directors and senior management may deter fraud. The standards put forth by the IIA provide approaches for management via their annual plans to respond to the risk of fraud. Specifically, these approaches entail management controls over fraud and testing areas prone to fraud. Essentially, information is provided on how organizations can establish their own risk management program, whereby entities need to determine risk management needs based on size and circumstances.

In addition to the standards provided by the IIA for internal auditing, the AICPA issued Statement on Auditing Standards No. 99, or SAS 99, entitled "Consideration of Fraud in a Financial Statement Audit." Within this statement fraud is defined as

an intentional act that results in a material misstatement in financial statements that are the subject of an audit.

It also distinguishes fraud, which is intentional, from error, which is not. With regard to intentional acts, two types of fraud are considered: misstatements arising from fraudulent financial reporting and misstatements arising from the misappropriation of assets. SAS 99 also incorporates the use of professional skepticism; addresses the fraud triangle elements of pressure, rationalization, and opportunity; and acknowledges the use of interviewing to uncover fraud.

The federal government also issued standards with regard to fraud. The Generally Accepted Government Auditing Standards (GAGAS), more commonly referred to as the "Yellow Book," are published by the U.S. Government Accountability Office (GAO). These standards are used to audit government entities or entities that receive government funding. For example, Section 4.10 of GAGAS states that

[a]uditors should design the audit to provide reasonable assurance of detecting misstatements that result from violations of provisions of contracts or grant agreements and could have a direct and material effect on the determination of financial statement amounts or other financial data significant to the audit objectives.

The standards are a combination of those from the AICPA and those that the GAO created specifically for government entities; therefore, it is not uncommon for nongovernmental auditors or organizations to use them as well.

Expanding beyond a national level, the IAASB issued a standard entitled "The Auditor's Responsibilities Relating to Fraud in an Audit of Financial Statements" (ISA 240), which defines fraud as

“[a]n intentional act by one or more individuals among management, those charged with governance, employees, or third parties involving the use of deception to obtain an unjust or illegal advantage.”

Three primary objectives are targeted by the standard:

1. To identify and assess the risks of material misstatement of the financial statements due to fraud.

2. To obtain sufficient appropriate audit evidence regarding the assessed risks of material misstatement due to fraud, through designing and implementing appropriate responses.

3. To respond appropriately to fraud or suspected fraud identified during the audit.

Fraud Audit Standards

As reviewed previously, there are four standard-setting entities for fraud auditing, and the following is an explanation of the fraud-auditing standards of each one.

The Institute of Internal Auditors (IIA) and Fraud

Since the IIA is an organization that primarily focuses on the work of internal auditors, it recognizes that an internal auditor's failure to detect fraud can have an irreparable effect on the financial health of an organization. That being said, the IIA is consistently evolving its audit standards to help internal auditors build a “strong fraud program that includes awareness, prevention, and detection programs, as well as a fraud risk assessment process to identify fraud risks within the organization.”

Guidelines Regarding Fraud

The IIA has developed two sets of guidelines in an effort to furnish internal auditors with an updated fraud-auditing methodology. The first set of these guidelines, called “Internal Auditing and Fraud,” provides the internal auditor with guidance in building an audit approach to respond to inherent fraud schemes, while the second set, entitled “Fraud Prevention and Detection in an Automated World,” outlines fraud risk and prevention as it relates to Information Technology (IT). The fraud triangle elements of pressure, rationalization, and opportunity are recognized in these guidelines, providing a basis for designing an effective fraud management program to be used by internal auditors.

A Fraud Management Program

Specifically, a fraud management program consists of several steps or segments, the first of which requires management to establish a "tone at the top" with a formalized company ethics policy. Given that subordinates tend to mimic the behavior of management, a top-down approach to creating an ethical work environment is needed. Similarly, the establishment of a fraud awareness policy is recommended in order for an organization to understand the nature, causes, and characteristics of fraud. The objective of such a policy is to have fraud awareness become a part of an organization's culture to the extent that everyone, knowing what fraud is, will also realize the risk of pursuing fraudulent behavior.

With clear and cogent policies in place, the next step is to perform a comprehensive and coherent fraud risk assessment. With such an assessment, management gains insight into the overall types of fraud the organization is susceptible to, and therefore the fraud schemes inherent in the workings of the organization, and into what controls need to be implemented or, in the case of existing controls, strengthened to prevent occurrences of fraud.

With these major segments in place, the next step in a fraud management program is to initiate ongoing reviews of audit activity within the organization. Are audit procedures being performed based on the fraud risk? If so, then efforts are directed to the prevention and detection of fraud, whereby the organization's culture and its internal controls limit the opportunities for fraud and aid in the detection of fraud, respectively. Such efforts persuade employees to avoid committing fraudulent acts as the chances of detection are high.

The last segment, investigation, consists of the practices and resources needed to fully investigate a potential fraud situation. Having these procedures in place allows internal auditors to respond quickly and efficiently if and when fraud is detected.

IPPF Standards

The IIA's International Professional Practices Framework (IPPF) describes the standards by which an auditor can detect, prevent, and monitor fraud risks while addressing those risks in audits and investigations. These standards are:

IIA Standard 1210.A2: Proficiency and Due Professional Care. Internal auditors are required to have sufficient knowledge to understand and respond to the risk of fraud. However, this knowledge is not expected to be at the level of a forensic auditor.

IIA Standard 1220.A1: Due Professional Care. Internal auditors must exercise due professional care by considering the following:

The amount of work needed to achieve the engagement's objectives.

The significance, complexity, or materiality of the matters to which assurance procedures are applied.

The adequacy and effectiveness of governance, risk management, and control processes.

The likelihood of significant errors, fraud, or noncompliance.

The cost of assurance in relation to potential benefits.

IIA Standard 2060: Reporting to Senior Management and the Board. The chief audit executive (CAE) must periodically report to senior management and the board of directors on the internal audit activity's overall performance, specifically reporting on significant risk exposures and control issues, fraud risks, governance issues, and any other matters deemed necessary and appropriate.

IIA Standard 2120.A2: Risk Management. The internal audit activity must evaluate the potential for the occurrence of fraud and how the organization manages fraud risk.

IIA Standard 2210.A2: Engagement Objectives. When developing engagement objectives, internal auditors must consider the probability of significant errors, fraud, noncompliance, and other exposures.

Recognition of Fraud

Clearly, the aforementioned standards provide a needed basis for internal auditors in addressing fraud within their auditing duties. However, the ultimate responsibility for fraud deterrence is in the hands of management and the board of directors. The role of the internal auditor with regard to this responsibility is critical in establishing whether the organization's controls are adequate. This determination can be made based on the fraud management program and the IPPF standards.

Consideration of Fraud via SAS 99

AICPA standards with regard to auditing and fraud have certainly evolved over the past few decades, as evidenced by the breadth of SAS 99 in relation to the previous standards in place to assist the auditor in responding to the risk of fraud. SAS 99 states, "The auditor has a responsibility to plan and perform the audit to obtain reasonable assurance about whether the financial statements are free of material misstatement, whether caused by error or by fraud." Most commonly, these material misstatements are the result of fraudulent financial reporting or the misappropriation of assets. SAS 99, issued at the end of 2002, took the fraud triangle into consideration, thereby clarifying the auditor's responsibility in detecting and reporting fraud. Simply stated, knowing the pressures, opportunities, and rationalization underlying the committing of a fraudulent act, an auditor can apply professional skepticism to findings that on the surface appear benign.

The importance of professional skepticism is addressed in paragraph 13 of SAS 99. Fraud can occur because of the pressures facing a person, such as financial hardship, or because of what the person interprets as an easy opportunity to commit fraud. Whatever the perpetrator's reason, the auditor needs the professional skepticism to suspect that all may not be what it seems. Regard must be given to pressures, opportunity, and rationalization. Is there something here that would indicate the existence of an environment that would support these fraud triangle elements?

A question arises as to how an auditor develops this professional skepticism if the auditor has experience with only traditional auditing. SAS 99 provides tools, for example, as paragraph 14 states: “Prior to or in conjunction with the information-gathering procedures . . . members of the audit team should discuss the potential for material misstatement due to fraud.” This discussion “should include” brainstorming of ideas and the importance of maintaining the proper mind-set throughout the audit. Chapter 4 of this book provides an in-depth discussion on the use of brainstorming sessions as a manner of information sharing about the client, the industry, past audit findings, and inherent fraud schemes. The general hope is that all the engaged auditors will come out of this meeting with a skeptical mind-set in regard to how the audit is to be approached.

Another tool provided is interviewing. Specifically, at the beginning of the audit, SAS 99 guides the auditor to obtain the information needed to identify the risks of material misstatement due to fraud. This process typically begins with the auditor inquiring of management and others in the organization what their views are on the risks of fraud. Obviously, the types of answers one does not want to hear are: "Oh, we can't have any problems with fraud here" or "I've personally hired everyone who works here and can vouch for them" or "We have the highest hiring standards of any company, so we don't have those kinds of people here." In light of such responses, and given that managers or those responsible for financial reporting may provide false information and deflect such questions if they are involved in a fraud scheme, it is just as important for the auditors to question personnel who are not in management roles or not involved in financial reporting.

In addition to using interviews to obtain the information needed to identify the risks of material misstatement due to fraud, SAS 99 directs auditors to consider unusual or unexpected relationships that have come to light through analytical procedures. These analytical procedures are part of the planning process, whereby the unusual or unexpected can be identified in events, amounts, ratios, trends, revenue, or other items that relate to the financial statements. The auditor is also to consider fraud risk factors, specifically the elements of the fraud triangle. Going back to the interviewing process, an auditor may formulate questions to ascertain pressures, opportunity, or rationalization, but also to uncover issues in revenue recognition, management override, and so on. For example, in order to assess any pressure to commit fraud on the part of an employee in a sales department, an auditor may ask: "What impact will your competition have on meeting your goals?" Or if examining revenue recognition, the auditor may ask the same person: "What type of practice is followed regarding approval of sales?"

SAS 99 directs the auditor to identify any risk that could lead to a material misstatement. To do so, a risk assessment must be performed. The question that must be answered by the risk assessment is: "Does this risk relate to a specific account, a class of transactions, or the financial statements as a whole?" It is also important for the auditor to consider the possibility of management override of internal controls during this process. After taking into account the organization's programs and controls that address the identified risks, the auditor must question whether those controls mitigate the identified risks of material misstatement due to fraud.

Upon arriving at the results of the risk assessment, SAS 99 prescribes that a response be devised. There is no single overall response, but rather a collection of them, such as:

A response that has an overall effect on how the audit is conducted.

A response to identified risks involving the nature, timing, and extent of audit procedures.

Application of professional skepticism in response to the identified risks.

A response to address management override of controls.

A response to the risks associated with revenue recognition.

As the fieldwork progresses and evidence is collected, the focus should be on situations where there are discrepancies in the accounting records, conflicting or missing evidential matter, or problematic or unusual relationships between the auditor and management. Specifically, discrepancies in accounting records include transactions that were not properly recorded, records that do not reconcile to the general ledger, and unsupported balances or transactions. Conflicting or missing evidential matter includes missing or altered documents and unexplained reconciling items. Last, problematic or unusual relationships between the auditor and management can take the form of undue pressure during the audit process, complaints by management about audit procedures and inquiries, and management's attempts to control the auditor's access to records.
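As an added illustration, not code from the book or from any of the standards it cites, the following Python script runs two of the procedures described above over constructed sample data: an analytical procedure that tracks the receivables-to-revenue ratio across quarters and flags an unexpected movement, and a record-level check that reconciles a subledger to its general ledger control accounts and lists postings with no supporting document. All figures, account numbers and document references are made up for the example.

```python
"""Analytical procedures and record-level checks of the kind SAS 99 describes,
run over constructed sample data. Added illustration, not code from the book."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed quarterly figures (thousands). Q4 revenue jumps while
# receivables balloon: an unexpected relationship worth following up.
QUARTERS = ["Q1", "Q2", "Q3", "Q4"]
REVENUE = {"Q1": 1000.0, "Q2": 1050.0, "Q3": 1100.0, "Q4": 1600.0}
RECEIVABLES = {"Q1": 250.0, "Q2": 260.0, "Q3": 275.0, "Q4": 700.0}


def ratio_trend(numerator, denominator, periods):
    """Ratio per period, e.g. receivables / revenue."""
    return {p: numerator[p] / denominator[p] for p in periods}


def flag_unexpected(ratios, periods, max_sigma=2.0, min_history=3):
    """Flag a period whose ratio departs from the preceding periods' baseline.
    Each period is judged only against earlier periods, so a late anomaly
    cannot inflate the baseline it is compared with."""
    flags = []
    for i, p in enumerate(periods):
        history = [ratios[q] for q in periods[:i]]
        if len(history) < min_history:
            continue
        mu, sigma = mean(history), pstdev(history)
        # Floor sigma so a perfectly flat history still flags a real jump
        sigma = max(sigma, 0.05 * abs(mu))
        if abs(ratios[p] - mu) > max_sigma * sigma:
            flags.append((p, round(ratios[p], 3), round(mu, 3)))
    return flags


# Constructed general ledger control balances and subledger postings
# (thousands). Account codes and document numbers are hypothetical.
GL_BALANCES = {"2000-AP": 480.0, "1200-AR": 700.0}
SUBLEDGER = [
    # (entry id, control account, amount, supporting document or None)
    ("AP-1001", "2000-AP", 120.0, "INV-7741"),
    ("AP-1002", "2000-AP", 200.0, "INV-7742"),
    ("AP-1003", "2000-AP", 160.0, None),        # no invoice behind it
    ("AR-2001", "1200-AR", 300.0, "SO-551"),
    ("AR-2002", "1200-AR", 325.0, "SO-552"),    # subledger short of GL by 75
]


def reconcile(gl_balances, subledger, tolerance=0.005):
    """Sum subledger postings per control account and report every account
    whose total does not agree with the general ledger balance."""
    totals = defaultdict(float)
    for _, account, amount, _ in subledger:
        totals[account] += amount
    differences = {}
    for account, gl in gl_balances.items():
        diff = round(gl - totals[account], 2)
        if abs(diff) > tolerance:
            differences[account] = diff
    return differences


def unsupported(subledger):
    """Postings that carry no supporting document reference."""
    return [entry_id for entry_id, _, _, doc in subledger if not doc]


if __name__ == "__main__":
    ratios = ratio_trend(RECEIVABLES, REVENUE, QUARTERS)
    for period, ratio in ratios.items():
        print(f"{period}: receivables/revenue = {ratio:.3f}")
    print("unexpected movements:", flag_unexpected(ratios, QUARTERS))
    print("GL differences:", reconcile(GL_BALANCES, SUBLEDGER))
    print("unsupported postings:", unsupported(SUBLEDGER))
```

On the constructed data the ratio check flags Q4 against a baseline of roughly 0.25, the reconciliation reports the 75 difference on the receivables control account, and the unsupported-posting check surfaces AP-1003. Each of these is a lead for further procedures, not a finding of fraud in itself: the next step is to obtain the documents behind the flagged items, which is where the discrepancies and missing evidential matter described above are either explained or confirmed.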

SAS 99 continues with the auditor's responsibility to communicate possible fraud to management or the audit committee. If the auditor has determined that there is evidence of fraud, the matter should be brought to the appropriate level of management. Fraud that results in a material misstatement of the financial statements should be brought to the attention of the audit committee or the highest level of management. It is important to note that where only a slight risk of fraud has been identified, the auditor should use his or her professional judgment as to whether to report this risk factor. If the fraud involves potential misappropriation of assets or is on a large scale, the auditor should consider consulting legal counsel before bringing the matter to management. Disclosure of fraud to parties other than management is not part of the auditor's responsibility unless required to comply with certain legal and regulatory requirements, in discussions with the entity's successor auditors, in response to a subpoena, or under specific rules that apply to organizations that receive federal funding.

The seriousness of these communications, in all cases, makes the SAS 99 requirements on documentation all the more important. Paragraph 83 states that the auditor should document the following:

The audit team discussion during the planning process regarding the susceptibility of the entity's financial statements to material misstatement due to fraud.

The procedures performed to obtain information to identify and assess fraud risk.

The specific risks identified.

If improper revenue recognition was not identified as a risk of material misstatement due to fraud, the reasons supporting that conclusion.

The results of the procedures performed to address the risk of management override of controls.

Other conditions and analytical relationships that resulted in additional auditing procedures being performed.

The nature of communications about fraud to management, those charged with governance, and others.

Clearly, the audit team must record all of their work throughout the process, and these records must be detailed in regard to notes, findings, and general observations.

When compared to previous standards, such as SAS 82, SAS 99 provides noteworthy recommendations about fraud detection and prevention. For example, the section of SAS 99 that requires the audit team to hold a brainstorming session helps auditors approach the audit with the necessary professional skepticism. Another addition in SAS 99, interviewing, gets the auditor away from the one-dimensionality of the numbers by providing a tool whereby communicating with numerous people in an organization may lead to fraud that the numbers alone would not reveal. These two additions, as well as the general fundamentals of SAS 99, clearly provide much-needed direction to auditors in their duties of detecting and resolving issues of fraud.

Government Standards for Fraud Auditing

The GAO's Yellow Book provides a section called “Ethical Principles in Government Auditing,” which sets a tone for ethical behavior throughout the organization by outlining acceptable behavior and expectations for each employee. These ethical principles also provide a foundation, discipline, and structure, as well as the climate influencing the application of Generally Accepted Government Auditing Standards or GAGAS. The standards themselves provide guidance on how to perform financial audits and attestation engagements. They are meant to establish a foundation for the credibility of an auditor's work. Specifically, they emphasize the importance of the independence of the audit organization and its individual auditors, the professional competence of the auditors, and overall audit quality control.

The Yellow Book also provides fieldwork standards for financial audits and attestation engagements. The standards adopted here are those of the AICPA, including SAS 99, unless otherwise specified. For example, one of the adopted standards concerns how the auditors must adequately plan the upcoming audit in order to have sufficient understanding of the entity and its environment. As with the fieldwork standards, the reporting standards are those of the AICPA unless they have been excluded or modified for GAGAS; for example, the requirement that audit reports state whether the financial statements are presented in accordance with GAAP and identify when GAAP has not been consistently applied. Although these government standards rely on the AICPA standards, they are supplemented with standards created by GAGAS for the auditing of government entities. One example of this modification is the consideration of an entity's previous audits. Auditors can use the information provided by previous audits to determine the nature, timing, and extent of the upcoming audit work; thus, the auditors can see whether findings and recommendations from previous audits have been addressed.

Government-specific standards also exist for financial reporting, and, just like the fieldwork standards, they are a combination of modified SAS 99 standards and those specifically created to audit government entities. An example of this specificity occurs when there are deficiencies in internal controls, fraud, illegal acts, violations of provisions of contracts or grant agreements, or abuse, and auditors are then required to obtain and report the views of responsible officials concerning the findings, conclusions, recommendations, and planned corrective actions.

Another section of the Yellow Book, "Performance Audits," carries its own fieldwork and reporting standards. It should be noted that, unlike the other sections of GAGAS, which are derived from the AICPA standards, the "Performance Audits" section is exclusive to government auditing. The fieldwork standards for performance audits relate to planning the audit; supervising staff; obtaining sufficient, appropriate evidence; and preparing audit documentation, while the reporting standards for performance audits relate to the form of the report, the report contents, and report issuance and distribution.

International Standards of Auditing (ISAs) and Fraud

Many of the standards set by the IAASB may appear similar to those set by the IIA, AICPA, and GAO in that the auditor is required to exercise professional skepticism, discussion among audit team members is required, risk assessment procedures are required, and interviewing is used. At the engagement level, under the ISAs the auditor is required to obtain reasonable assurance that the financial statements as a whole are free from material misstatement, whether caused by fraud or error. The ISAs also recognize that there is an unavoidable risk that some material misstatements due to fraud will not be detected, even though the audit is properly planned and performed.

Summary

Each of the four groups' standards discussed offers a definition or description of fraud as it relates to the professional requirements. The fraud definitions adopted by the four organizations are similar in intent, with the notable difference being the realm of practice. The external auditors focus on those intentional acts resulting in the misstatement of the financial statements, while the internal auditors focus on illegal acts. Obviously, this is not intended as an all-or-nothing statement, but rather a generality. The concepts of intentional acts and concealment of acts are the basis of the standards, regardless of their origin.