The risk of not detecting a material misstatement resulting from fraud is higher than the risk of not detecting one resulting from error.
According to PwC’s 2020 Global Economic Crime and Fraud Survey, the top fraud types, perpetrated internally or externally, are the following:
- Customer Fraud
- Cybercrime
- Asset Misappropriation
- Bribery and Corruption
- Accounting/Financial Statement Fraud
- Procurement Fraud
- Human Resources Fraud
- Deceptive business practices
- Anti-Competition/Anti-Trust Law Infringement
- Money Laundering and Sanctions
- Intellectual Property (IP) Theft
- Insider/Unauthorized Trading
- Tax Fraud
- Other
The top external perpetrators are customers, hackers, and vendors or suppliers, while the top internal perpetrators are middle management, operations staff, and senior management.
The risk of the auditor not detecting a material misstatement resulting from management fraud is greater than for employee fraud, because management is frequently in a position to directly or indirectly manipulate accounting records, present fraudulent financial information or override control procedures designed to prevent similar frauds by other employees.
Course Objectives
After studying this module, you should be able to:
- Interpret fraud risks and types of frauds and determine whether fraud risks require special consideration when conducting an engagement
- Evaluate the potential for occurrence of fraud (red flags, etc.) and how the organization detects and manages fraud risks
- Recommend controls to prevent and detect fraud and education to improve the organization's fraud awareness
- Recognize techniques and internal audit roles related to forensic auditing (interview, investigation, testing, etc.)
Course Materials
Asset Misappropriation
Asset misappropriation is stealing cash or other assets (supplies, inventory, equipment, and information). The theft may be concealed by, for example, false or misleading records or documents.
Misappropriation of assets can be accomplished in a variety of ways including:
- Embezzling receipts (for example, misappropriating collections on accounts receivable or diverting receipts in respect of written-off accounts to personal bank accounts).
- Stealing physical assets or intellectual property (for example, stealing inventory for personal use or for sale, stealing scrap for resale, colluding with a competitor by disclosing technological data in return for payment).
- Causing an entity to pay for goods and services not received (for example, payments to fictitious vendors, kickbacks paid by vendors to the entity’s purchasing agents in return for inflating prices, payments to fictitious employees).
- Using an entity’s assets for personal use (for example, using the entity’s assets as collateral for a personal loan or a loan to a related party).
Common examples of cash theft are cheque kiting and lapping of receivables.
In cheque kiting, a check is kited when a person writes an insufficient funds check on an account in one bank and deposits the check in another bank. The second bank immediately credits the account for some or all of the amount of the check, enabling the kiter to write other checks on that (nonexistent) balance. The kiter then covers the insufficiency in the first bank with another source of funds. The process can proceed in a circle of accounts at any number of banks. Kiting exploits the delay between
- depositing a check in one bank account and
- clearing the check through the bank on which it was drawn.
This practice is only possible when manual checks are used. The widespread use of electronic fund transfers and other networked computer safeguards make electronic kiting difficult.
In lapping of receivables, a person with access to both customer payments and accounts receivable records steals a customer’s payment. The shortage in that customer’s account is then covered with a subsequent payment from another customer. The process continues until
- a customer complains about his/her payment not being posted,
- an absence by the perpetrator allows another employee to discover the fraud, or
- the perpetrator covers the amount stolen.
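A detection test for the lapping pattern described above, as an added example that is not part of the original course material: it compares the payer on each banked receipt with the account credited in the receivable sub-ledger and traces the resulting chain. The record layouts, customer names and amounts are constructed assumptions.

```python
from collections import defaultdict, namedtuple

Deposit = namedtuple("Deposit", "ref date payer amount")    # bank deposit detail
Posting = namedtuple("Posting", "ref date account amount")  # receivable sub-ledger

# Constructed sample data. ALPHA's payment was taken and never banked;
# later receipts from BRAVO and CHARLIE are posted to cover the gap.
DEPOSITS = [
    Deposit("D1", "2024-03-08", "BRAVO", 1000),
    Deposit("D2", "2024-03-10", "DELTA", 400),
    Deposit("D3", "2024-03-15", "CHARLIE", 1000),
]
POSTINGS = [
    Posting("D1", "2024-03-08", "ALPHA", 1000),
    Posting("D2", "2024-03-10", "DELTA", 400),
    Posting("D3", "2024-03-15", "BRAVO", 1000),
]

def misapplied_receipts(deposits, postings):
    """Return (ref, payer, credited_account) where the bank payer differs
    from the account credited; credited_account is None if never posted."""
    by_ref = {p.ref: p for p in postings}
    out = []
    for d in deposits:
        p = by_ref.get(d.ref)
        credited = p.account if p else None
        if credited != d.payer:
            out.append((d.ref, d.payer, credited))
    return out

def net_uncredited(deposits, postings):
    """Per customer: amount banked from them minus amount credited to them.
    Positive = paid but not credited (end of the chain);
    negative = credited without a matching banked receipt (start of it)."""
    net = defaultdict(int)
    for d in deposits:
        net[d.payer] += d.amount
    for p in postings:
        net[p.account] -= p.amount
    return {c: v for c, v in net.items() if v != 0}

def trace_chain(misapplied):
    """Order misapplied receipts into chains of accounts, each starting at an
    account that was credited but never appears as a misapplied payer.
    Follows one covering payer per account, which suffices for this data."""
    covered_by = {acct: payer for _, payer, acct in misapplied if acct}
    payers = set(covered_by.values())
    chains = []
    for start in sorted(a for a in covered_by if a not in payers):
        chain, seen = [start], {start}
        while chain[-1] in covered_by and covered_by[chain[-1]] not in seen:
            chain.append(covered_by[chain[-1]])
            seen.add(chain[-1])
        chains.append(chain)
    return chains
```

The last account in each chain is the customer whose payment is currently unposted, which is the customer most likely to raise the complaint listed above.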
Misappropriation of assets is often accompanied by false or misleading records or documents in order to conceal the fact that the assets are missing or have been pledged without proper authorization.
Fraudulent Financial Reporting
Fraudulent financial reporting involves intentional misstatements including omissions of amounts or disclosures in financial statements to deceive financial statement users. It can be caused by the efforts of management to manage earnings in order to deceive financial statement users by influencing their perceptions as to the entity’s performance and profitability. Such earnings management may start out with small actions or inappropriate adjustment of assumptions and changes in judgments by management. Pressures and incentives may lead these actions to increase to the extent that they result in fraudulent financial reporting. Such a situation could occur when, due to pressures to meet market expectations or a desire to maximize compensation based on performance, management intentionally takes positions that lead to fraudulent financial reporting by materially misstating the financial statements. In some entities, management may be motivated to reduce earnings by a material amount to minimize tax or to inflate earnings to secure bank financing.
Fraudulent financial reporting may be accomplished by the following:
- Manipulation, falsification (including forgery), or alteration of accounting records or supporting documentation from which the financial statements are prepared.
- Misrepresentation in, or intentional omission from, the financial statements of events, transactions or other significant information.
- Intentional misapplication of accounting principles relating to amounts, classification, manner of presentation, or disclosure.
Fraudulent financial reporting often involves management override of controls that otherwise may appear to be operating effectively. Fraud can be committed by management overriding controls using such techniques as:
- Recording fictitious journal entries, particularly close to the end of an accounting period, to manipulate operating results or achieve other objectives.
- Inappropriately adjusting assumptions and changing judgments used to estimate account balances.
- Omitting, advancing or delaying recognition in the financial statements of events and transactions that have occurred during the reporting period.
- Concealing, or not disclosing, facts that could affect the amounts recorded in the financial statements.
- Engaging in complex transactions that are structured to misrepresent the financial position or financial performance of the entity.
- Altering records and terms related to significant and unusual transactions.
Corruption
Corruption is an improper use of power. It often leaves little accounting evidence. These crimes usually are uncovered through tips or complaints from third parties. Corruption often involves the purchasing function. Any employee authorized to spend an organization’s money is a possible candidate for corruption.
Fraud Red Flags
Red flags are conditions that indicate potential fraud. These are the signs that point to fraud. A red flag can be anything that strongly suggests that an unethical or suspicious event has taken place, or a situation that would enable fraud to take place without detection.
On the other hand, the fraud triangle is a framework designed to explain the reasoning behind a worker’s decision to commit fraud. It describes three factors that are present in every situation of fraud.
Examples of Red Flags are the following:
Discrepancies in the accounting records, including:
- Transactions that are not recorded in a complete or timely manner or are improperly recorded as to amount, accounting period, classification, or entity policy.
- Unsupported or unauthorized balances or transactions.
- Last-minute adjustments that significantly affect financial results.
- Evidence of employees’ access to systems and records inconsistent with that necessary to perform their authorized duties.
- Tips or complaints to the auditor about alleged fraud.
Conflicting or missing evidence, including:
- Missing documents.
- Documents that appear to have been altered.
- Unavailability of other than photocopied or electronically transmitted documents when documents in original form are expected to exist.
- Significant unexplained items on reconciliations.
- Unusual balance sheet changes, or changes in trends or important financial statement ratios or relationships – for example receivables growing faster than revenues.
- Inconsistent, vague, or implausible responses from management or employees arising from inquiries or analytical procedures.
- Unusual discrepancies between the entity's records and confirmation replies.
- Large numbers of credit entries and other adjustments made to accounts receivable records.
- Unexplained or inadequately explained differences between the accounts receivable sub-ledger and the control account, or between the customer statements and the accounts receivable subledger.
- Missing or non-existent cancelled checks in circumstances where cancelled checks are ordinarily returned to the entity with the bank statement.
- Missing inventory or physical assets of significant magnitude.
- Unavailable or missing electronic evidence, inconsistent with the entity’s record retention practices or policies.
- Fewer responses to confirmations than anticipated or a greater number of responses than anticipated.
- Inability to produce evidence of key systems development and program change testing and implementation activities for current-year system changes and deployments.
Problematic or unusual relationships between the auditor and management, including:
- Denial of access to records, facilities, certain employees, customers, vendors, or others from whom audit evidence might be sought.
- Undue time pressures imposed by management to resolve complex or contentious issues.
- Complaints by management about the conduct of the audit or management intimidation of engagement team members, particularly in connection with the auditor’s critical assessment of audit evidence or in the resolution of potential disagreements with management.
- Unusual delays by the entity in providing requested information.
- Unwillingness to facilitate auditor access to key electronic files for testing through the use of computer-assisted audit techniques.
- Denial of access to key IT operations staff and facilities, including security, operations, and systems development personnel.
- An unwillingness to add or revise disclosures in the financial statements to make them more complete and understandable.
- An unwillingness to address identified weaknesses in internal control on a timely basis.
Other
- Unwillingness by management to permit the auditor to meet privately with those charged with governance.
- Accounting policies that appear to be at variance with industry norms.
- Frequent changes in accounting estimates that do not appear to result from changed circumstances.
- Tolerance of violations of the entity’s Code of Conduct.
Fraud Prevention and Detection
The primary responsibility for the prevention and detection of fraud rests with both those charged with governance of the entity and management. It is important that management, with the oversight of those charged with governance, place a strong emphasis on fraud prevention, which may reduce opportunities for fraud to take place, and fraud deterrence, which could persuade individuals not to commit fraud because of the likelihood of detection and punishment. This involves a commitment to creating a culture of honesty and ethical behavior which can be reinforced by an active oversight by those charged with governance. In exercising oversight responsibility, those charged with governance consider the potential for override of controls or other inappropriate influence over the financial reporting process, such as efforts by management to manage earnings in order to influence the perceptions of analysts as to the entity’s performance and profitability.
Fraud prevention involves action to discourage fraud and limit the exposure when it occurs. The principal mechanism for preventing fraud is internal control. Primary responsibility for establishing and maintaining internal control should rest with management.
There are several ways to detect fraud. Some of the common ways are whistleblowing hotline, internal tip-off, external tip-off, by accident, law enforcement investigation, change of personnel/duties, corporate security, risk management, external audit, and internal audit.
Internal and External Audit. Internal auditors are more successful in identifying serious frauds than external auditors. Internal and external auditors are, in general, not required to detect fraud. However, the internal audit activity must evaluate the potential for the occurrence of fraud and how the organization manages fraud risk. On the other hand, external auditors are expected to detect material misstatement whether due to fraud or error. In certain instances, such as when the external auditor determines that fraud risk factors are present, he is required to perform procedures designed to detect fraud.
Whistleblowing is the act of reporting wrongdoing or suspected wrongdoing outside of the normal chain of command. To encourage people to share problems, the whistleblowing system needs to be confidential and anonymous. It may include a phone number to call or a specific person to contact. It is also possible that the whistleblowing process may be facilitated by a third-party entity.
The Board should establish a suitable framework for whistleblowing that allows employees to freely communicate their concerns about illegal or unethical practices, without fear of retaliation and to have direct access to an independent member of the Board or a unit created to handle whistleblowing concerns. The Board should be conscientious in establishing the framework, as well as in supervising and ensuring its enforcement.
A suitable whistleblowing framework sets up the procedures and safe harbors for complaints of employees, either personally or through their representative bodies, concerning illegal and unethical behavior. One essential aspect of the framework is the inclusion of safeguards to secure the confidentiality of the informer and to ensure protection from retaliation. Further, part of the framework is granting individuals or representative bodies confidential direct access to either an independent director or a unit designed to deal with whistleblowing concerns. Companies may opt to establish an ombudsman to deal with complaints and/or establish confidential phone and e-mail facilities to receive allegations.
Forensic Auditing. When auditing skills are applied to situations that have potential legal implications and/or consequences, the engagement is called Forensic Auditing. It is performed when it has been determined that something inappropriate might have happened and there is a need to investigate that situation in more depth.
Interrogation. In an interrogation, the internal auditor seeks confirmation or ideally a confession. Usually, interrogations are done after evidence has been collected and there is a strong suspicion of fraud or unethical behavior.
A confession is a complete acknowledgement of wrongdoing by the accused. In an admission, the accused party acknowledges committing a certain act, but he or she does not confess that there was intent, nor does the accused party confess to the accusation.
At least two people should conduct an interrogation: an experienced individual leads the interrogation and a second person takes notes and is a corroborating witness.
There will most likely be legal counsel involved in both the preparation for the interrogation and its execution to make certain that the company does not place itself at risk of being sued.
A fraud-related interrogation differs significantly from a normal interview. The purpose of a typical interview is to gather facts. In an interrogation, the internal auditor has already gathered pertinent facts and is seeking confirmation.
The internal auditor should guide the conversation from the general to the specific.
Open questions are generally used early in the interrogation, and closed questions are used later as the auditor comes closer to obtaining a confession. For example:
Open questions: “Describe your role in the vendor approval process.”
Closed questions: “Do you personally verify the existence of every vendor who seeks approval?”
Normal interviewing methods regarding nonthreatening tone and close observation of body language apply.
The employee should not be allowed to return to his/her normal work area upon completion of the interrogation. Because the employee is now alert to the fraud investigation, he might be tempted to destroy valuable evidence.
References
Reading materials you may use in this course are the following:
- The IIA’s International Standards for the Professional Practice of Internal Auditing
- Philippine Standards on Auditing 240
- PwC's Global Economic Crime and Fraud Survey
- COSO Fraud Risk Management Guide
- Any other books or e-books on Governance, Business Ethics, Risk Management, and Control