
Fraud Detection and Prevention

Chapter 11

11.1 GROWING CONCERNS ABOUT MANAGEMENT FRAUD

The scandals at Enron, WorldCom, Adelphia, and others that came to light about the time of the enactment of the Sarbanes-Oxley Act (SOA) were all examples of financial fraud by senior corporate officers. In mid-2002, just days before and after the enactment of SOA, corporate officers appeared to be the real troublemakers in this slew of financial frauds. Despite the publicity condemning these senior corporate officers, fraud can take place at all levels of an organization. Just as a CEO, in cooperation with the CFO, may fraudulently manipulate earnings to boost reported corporate profits and their individual bonus compensation, a manager or even a staff-level employee may take some fraudulent action for personal gain or just to get even with someone because of job frustration. The effective modern internal auditor needs to recognize potential fraudulent business practices as part of any audit and should recommend controls and procedures to limit exposure to this fraudulent activity.

Internal auditors often find themselves very involved in fraud-related issues. When a fraud is discovered in the organization, internal audit is often one of the first resources called on to conduct an investigation to determine the extent of the fraud. In other situations, internal auditors discover a fraud in the course of a scheduled audit and then investigate and report the matter to the corporate counsel or other legal authorities. However, both internal and external auditors historically have not regularly looked for fraud as part of their scheduled audits.

11.2 RED FLAGS: FRAUD DETECTION FOR AUDITORS

An employee of an organization who has been embezzling money over an extended time period may be caught through some slip-up that reveals the fraud. After such a fraud is discovered, it is often easy to look at the situation after the fact. It is easy to analyze the facts after a fraud has been discovered as a lesson learned, but auditors and management should look for indicators of possible fraudulent activities in advance with a skeptical eye. They should look for what are called red flags.

Red flags are normally the first indications of a potential fraud. Someone sees something that does not look right and then causes an investigation, even a low-level one, to be initiated. Auditors are often the very first people to become involved. Auditors should always be skeptical in their reviews and be aware of such warning signs. When an auditor sees evidence of one or more of these or other red flags, it may be time to dig a little deeper. Unfortunately, internal auditors often fail to detect fraud for one of the following reasons:

- Unwillingness to Look for Fraud
- Too Much Trust Is Placed on Auditees
- Not Enough Emphasis Is Placed on Audit Quality
- Fraud Concerns Receive Inadequate Support from Management
- Auditors Sometimes Just Fail to Focus on High-Risk Fraud Areas

The following list represents red flags that may be warning signs for evidence of financial fraud:

- Lack of written corporate policies and standard operating procedures
- Based on interviews at multiple levels, lack of compliance with organization internal control policies
- Weak internal control policies, especially in the division of duties
- Disorganized operations in such areas as purchasing, receiving, warehousing, or regional offices
- Unrecorded transactions or missing records
- Counterfeit documents or evidence of alterations to documents
- Photocopied documents or questionable handwriting on documents
- Sales records with excessive voids or credits
- Bank accounts not reconciled on a timely basis or stale items on bank reconciliations
- Continuous out-of-balance conditions on subsidiary ledgers
- Unusual financial statement relationships
- Continuous unexplained differences between physical inventory counts and perpetual inventory records
- Bank checks written to cash in large amounts
- Handwritten checks in a computer environment
- Continuous or unusual fund transfers among company bank accounts
- Fund transfers to offshore banks
- Transactions not consistent with the entity's business
- Poor screening procedures for new employees, including no background or reference checks
- Reluctance by management to report criminal wrongdoing
- Unusual transfers of personal assets
- Officers or employees with lifestyles apparently beyond their means
- Unused vacation time
- Frequent or unusual related-party transactions
- Employees in close association with suppliers
- Employees in close relationship with one another in areas where separation of duties could be circumvented
- Expense-account abuse such as managers not following established rules
- Business assets dissipating without explanation

To help detect fraud, auditors need to have an understanding of why people commit fraud. An organization can have the red flag environment described in the previous section, but it will not necessarily be subject to fraudulent activities unless one or more employees decide to engage in fraud. Fraud detection is much harder when there is collusion among multiple persons. While major frauds involving senior management participation are difficult to uncover, fraud that occurs at lower levels in the organization is often easier to detect with a proper level of auditor investigation.

11.3 PUBLIC ACCOUNTING'S NEW ROLE IN FRAUD DETECTION

The external auditor's responsibility for the detection of fraud in financial statements has been an ongoing but contentious issue over the years. The very first AICPA Statement on Auditing Standards is SAS No. 1. Despite continuing pressure for change, AICPA audit standards regarding the external auditor's responsibility for fraud did not change until 1997, when this responsibility for fraud was restated in SAS No. 82. Moving to present times with Enron, WorldCom, and a host of others, concerns about fraudulent financial reporting have certainly changed. Given SOA and the new PCAOB, it was perhaps too late, but in December 2002 the AICPA released SAS No. 99 on the auditor's responsibility for detecting fraudulent financial reporting. With this new standard, the external auditor has become responsible for providing reasonable assurance that the financial statements are free of material misstatement, whether caused by error or fraud. We have used our italics here, because this is a major change in external auditors' responsibilities.

SAS No. 99 calls on financial auditors to take an attitude of professional skepticism regarding possible fraud. Putting aside any prior beliefs as to management's honesty, the audit team should exchange ideas or brainstorm on how fraud could occur in the organization they are about to audit. SAS No. 99 also recognizes that management is often in a position to override controls in order to commit financial-statement fraud. The auditing standard calls for auditors to test for management override of controls on every audit. SAS No. 99 calls for a major external audit emphasis in detecting fraud, including procedures that external auditors are expected to perform in every audit engagement.

Risk Factors Relating to Misappropriation of Assets

Risk factors that relate to misstatements arising from misappropriation of assets are also classified according to the three conditions generally present when fraud exists: incentives/pressures, opportunities, and attitudes/rationalizations. Some of the risk factors related to misstatements arising from fraudulent financial reporting also may be present when misstatements arising from misappropriation of assets occur. For example, ineffective monitoring of management and weaknesses in internal control may be present when misstatements due to either fraudulent financial reporting or misappropriation of assets exist. The following are examples of risk factors related to misstatements arising from misappropriation of assets.

INCENTIVES/PRESSURES
A. Personal financial obligations may create pressure on management or employees with access to cash or other assets susceptible to theft to misappropriate those assets.

B. Adverse relationships between the entity and employees with access to cash or other assets susceptible to theft may motivate those employees to misappropriate those assets. For example, adverse relationships may be created by the following:
- Known or anticipated future employee layoffs
- Recent or anticipated changes to employee compensation or benefit plans
- Promotions, compensation, or other rewards inconsistent with expectations

OPPORTUNITIES
A. Certain characteristics or circumstances may increase the susceptibility of assets to misappropriation. For example, opportunities to misappropriate assets increase when there are the following:
- Large amounts of cash on hand or processed
- Inventory items that are small in size, of high value, or in high demand
- Easily convertible assets, such as bearer bonds, diamonds, or computer chips
- Fixed assets that are small in size, marketable, or lacking observable identification of ownership

B. Inadequate internal control over assets may increase the susceptibility of misappropriation of those assets. For example, misappropriation of assets may occur because there is the following:
- Inadequate segregation of duties or independent checks
- Inadequate management oversight of employees responsible for assets, for example, inadequate supervision or monitoring of remote locations
- Inadequate job applicant screening of employees with access to assets
- Inadequate record keeping with respect to assets
- Inadequate system of authorization and approval of transactions (for example, in purchasing)
- Inadequate physical safeguards over cash, investments, inventory, or fixed assets
- Lack of complete and timely reconciliations of assets
- Lack of timely and appropriate documentation of transactions, for example, credits for merchandise returns
- Lack of mandatory vacations for employees performing key control functions
- Inadequate management understanding of information technology, which enables information technology employees to perpetrate a misappropriation
- Inadequate access controls over automated records, including controls over and review of computer systems event logs

11.4 IIA STANDARDS FOR DETECTING AND INVESTIGATING FRAUD


IIA Professional Standards on due professional care and scope of work cover fraud in a very general sense, as discussed in Chapter 12, Internal Audit Professional Standards. An internal auditor will be concerned about such matters as the possibility of wrongdoing and should consider evidence of any improper or illegal activities in an audit. However, the standards that provide specific guidance on fraud seem to follow the older external audit standards just discussed. Recognizing that it may be difficult to detect fraud, the revised 2004 IIA standard 1210.A2 provides the guidance, with our italics noted: "The internal auditor should have sufficient knowledge to identify the indicators of fraud but is not expected to have the expertise of a person whose primary responsibility is detecting and investigating fraud." This is recognition that internal auditors may not have the expertise for uncovering fraud issues. The IIA has not taken the strong position on detecting fraud that the AICPA has. An early 2004 search of the IIA Web site using the keyword "fraud" just does not produce the same wealth of material as is now found on the AICPA site. There are references to articles on fraud in older issues of the IIA publication, The Internal Auditor, but not much more. Other fraud-related articles are listed but are only available to IIA members. The previously referenced practice advisory is an example. The IIA also has special conferences on the topic, but the AICPA is taking a stronger professional lead here in providing guidance to auditors. The IIA, along with the AICPA, ISACA, the Association of Certified Fraud Examiners, Financial Executives International, the Institute of Management Accountants, and the Society for Human Resource Management, have collaborated and sponsored some fraud guidance material published as a supplement to SAS No. 99. 
Other professional organizations that participated in reviewing and developing fraud guidance include the American Accounting Association, the Defense Industry Initiative, and the National Association of Corporate Directors. However, the AICPA is clearly taking a lead role here, and interested professionals should visit the AICPA Web site (www.aicpa.org/antifraud).

11.5 FRAUD INVESTIGATIONS FOR INTERNAL AUDITORS


Fraud-related investigations cause an internal auditor to operate differently than he or she does during normal financial or operational internal audits. In any fraud-related review, an auditor should have three major objectives:

1. Prove the Loss. Fraud-related reviews usually start out with the finding that someone stole something. The internal audit-led investigative review should assemble as much relevant material as necessary to determine the overall size and scope of the loss.
2. Establish Responsibility and Intent. This is the "who did it?" step. As much as possible, the audit team should attempt to identify everyone who was responsible for the matter and whether there was any special or different intent associated with the fraud action.
3. Prove the Audit Investigative Methods Used. The investigative team needs to be able to prove that their fraud-related conclusions were based on a detailed, step-by-step investigative process, not just an uncoordinated witch hunt. The review should be documented using the best internal audit review processes. Of particular importance is that all documents used need to be secured.

11.6 INFORMATION SYSTEMS FRAUD PREVENTION PROCESSES

Information systems or computer fraud covers a wide range of issues and concerns. In today's business environment information systems are virtually always a key component of any modern financial- or accounting-related fraud. Because information systems support so many areas and because they cross so many lines in the organizations, we can think of computer fraud in multiple dimensions ranging from the minor to significant fraudulent activities:

- Improper Personal Use of Computer Resources
- Internet Access Issues
- Illegal Use of Software
- Computer Security and Confidentiality Fraud Matters
- Information Theft or Other Data Abuse Computer Fraud
- Embezzlement or Unauthorized Electronic Fund Transfers

Individuals with a fraudulent intent are finding new ways to violate established automated controls, and skilled professionals are finding ways to detect and protect against this fraudulent activity. A related computer systems fraud detection area is computer forensics, the detailed examination of computers and their peripheral devices, using computer investigation and analysis techniques for finding or determining potential legal evidence in a fraud situation. We have used computer forensics here as an example of new technology-based techniques for fraud detection. The use of firewall software to protect a system or user from entering transactions or accessing systems beyond a fixed region is another example. Virus protection software is a third. A full discussion of the computer fraud aspects of these and other areas is beyond the scope of this book. The internal auditor must just realize that computer fraud is a large and complex area.

11.7 FRAUD DETECTION AND THE AUDITOR

Internal auditors need to give greater consideration to fraud in their audit work as well. They have always been involved in some level of fraud investigation work when called on by management, but fraud detection and prevention considerations need to become a more significant component of every internal audit. Internal auditors perhaps need to enter a new internal audit engagement by asking themselves some questions about where an auditee might commit a fraudulent act. Internal auditors should retain a level of skepticism about the potential for fraud in their ongoing work assignments.
