We all know that fraud is alive and well in today’s society. On a daily basis, it seems, we hear unpleasant fraud statistics and read eye-catching news headlines about new fraud schemes or deceptions. Indeed, businesses today are no less vulnerable to fraud than before.
Because fraud is ever-present in today’s business world, a new trend of fraud auditing is becoming more and more popular. So, what is it? In essence, fraud auditing is a two-phase exercise. First, one designs a fraud risk assessment to identify areas where a company may be susceptible to fraud. Second, in response to the findings of this assessment, a monitoring and reporting program is put in place as a tool for management oversight.
Preventive vs reactive measures
When I was a Big 4 auditor, I incessantly heard complaints from my clients about audit fees being too high. Indeed, financial statement audits can be expensive because they are designed to cover all aspects of the financial statements. In contrast, fraud auditing doesn’t have to be expensive.
Moreover, as a preventive measure, one of the benefits of fraud auditing is that the cost of such an assessment can in large part be determined by the company’s management. Conversely, as it relates to reactive measures, the cost will depend greatly on the motivation by the company for having the fraud audit conducted in the first place. Examples of motivations imposed on a business may include: response to fraud already identified within the company, restatement of financial statements, or a decision to bolster internal controls because of restrictions imposed by a regulator, to name a few.
We can probably agree that human nature tends to be more reactive than proactive at different phases of life, such as wellness and personal finance. In a similar vein, too often companies wait to respond to fraud risks until they manifest themselves through fraud or abuse. Said another way, companies often do not perceive sufficient value in conducting a meaningful fraud risk assessment and, therefore, they wait until the stakes are much higher. Oh, how relevant today is Benjamin Franklin’s famous adage that “an ounce of prevention is worth a pound of cure!”
Consideration examples
Next, I wish to give some definition to the look and feel of a fraud risk assessment. Depending on the nature and extent of a fraud audit, the following are some examples to consider when beginning to understand risks and exposure:
- Domination of management by a single person or small group. This gets at the heart of the tone within an organization. Regardless of the extent of internal controls (even at the transactional level), if there is management domination by one or a few individuals, this can have a pervasive effect on the organization as a whole.
- A practice by management of committing to analysts, creditors, or other third parties to achieve aggressive or unrealistic forecasts. One can see that being overly aggressive can be an area of risk and exposure. Conversely, for businesses not beholden to outsiders (such as creditors or investors) this, of course, is irrelevant.
- Ineffective communication, implementation, support, or enforcement of the entity’s ethical standards by management or the communication of inappropriate ethical standards. This really goes without saying. If management doesn’t enforce its own rules, then why have them in the first place?
- Recurring negative cash flows from operations while reporting earnings and earnings growth. Financial pressures placed on management to generate favorable results should be considered when assessing the adequacy and effectiveness of business performance reviews.
- Rapid growth or unusual profitability, especially compared to that of other companies in the same industry.
- Significant, unusual, or highly complex transactions, especially those close to the period end.
- Significant related-party transactions not in the ordinary course of business. A review of an entity’s financial statements or records can reveal the nature and extent of transactions with related parties.
- Recurring attempts by management to justify marginal or inappropriate accounting based on materiality. Although this one may be difficult to assess, an effective fraud audit should incorporate inquiries of multiple company personnel at varying levels within an organization.
- Restrictions on access to people, information, or communication by the board of directors or those charged with governance.
I adapted the above points from the PCAOB’s AU 316, Consideration of Fraud in a Financial Statement Audit. Although the above list is not exhaustive, it can be a good start to identify areas of heightened risk exposure for a company. Equally important is that AU 316 was specifically designed to apply to external auditors in connection with the performance of financial statement audits. Despite this, I believe the principles and guidance within this AU can apply to a variety of circumstances and not just financial statement audits.
Checklisting
It seems that in more recent years auditors have gravitated more toward a “checklist” mentality in discharging their professional duties. I believe this is heavily influenced by feedback from regulators. Of course, checklisting has its place within a professional service engagement to mitigate legal and regulatory exposure. However, as one can gather from my post above, it is important to exercise professional judgment by inserting a healthy degree of flexibility between checklisting activities and allowing free thinking and creativity. After all, thinking through the “what ifs” of a situation is always an effective way to identify areas of risk and exposure. To add to this thought, because risk factors can vary greatly depending on the industry and company-specific factors, it is imperative to tailor the nature and extent of a fraud audit to the needs of an organization.
Less rigorous is still better than nothing
In ideal circumstances companies want to get to the right answer from the beginning. While this sounds good, the reality is that, as I touched upon earlier, many businesses do not place fraud auditing as an area of focus until they are forced to.
One way to assist companies in overcoming the resistance to a full-blown fraud audit is to perform a less rigorous fraud risk assessment. As a valuable resource, the Association of Certified Fraud Examiners (ACFE) offers a Fraud Prevention Check-up. While I recommend any such assessment be performed with the assistance of experienced professionals familiar with the issues, this check-up exercise could, in theory, be performed by the business itself. In any case, management should take the assessment seriously, standing ready to take action should there be cause for concern. Additionally, I strongly recommend that, if possible, general counsel be aware of and participate in this process for legal protection to the company.
Altogether, companies that take seriously their obligations to protect company assets and stakeholder value should equally take seriously their oversight and monitoring of financial fraud risks. Fraud audits provide an excellent means of fulfilling these obligations.