Fraud awareness for auditors: Up-skilling and precision reporting
Internal fraud is massive in scale yet worryingly underestimated. Ian Ross gives his opinion on whether Internal Audit should have a role in detecting and investigating fraud
The International Standards for the Professional Practice of Internal Auditing set out the responsibilities of Internal Audit. Standard 2120.A2 requires that internal audit activity must evaluate the potential for the occurence of fraud and how the organisation manages fraud risk. The IIA position paper on fraud - Fraud and Internal Audit - states that Internal Audit "should consider where fraud risk is present within the business and respond appropriately by auditing the controls of that area, evaluating the potential for the occurrence of fraud and how the organisation manages fraud risk through risk assessment, and audit planning." The focus of Internal Audit should therefore be on checking management's fraud risk assessment and the design and operation of the preventative and detective controls established by the organisation to mitigate the risks identified. But should Internal Audit have a role in detecting and investigating fraud? Ian Ross gives his opinion.
The annual Report to the Nations (Association of Certified Fraud Examiners, 2022) concluded that $3.6 billion was lost to internally to 'occupational fraud.' What reasons are there for these astronomical losses to this gratuitous criminality?
There are many, but they include:
- The errant perception of the audit role
- Disparate numbers and constructs of definitions of fraud
- Underestimating the fraudster enemy.
Added to disentangling the above, this piece offers a fresh uptake on counter-fraud up-skilling.
First: The Role Identity Dilemma. Fraud is a crime that eats companies alive, year in, year out. So why is fraud and its detection subtly side-lined in audit frameworks and 'talked out' of the role? Instead of the disclaimer-first approach, why not apply the audit skill-set to reduce fraud? Enquiring in detail, observing carefully, and examining systematically. Checking (up) on, probing, delving into, exploring, researching, considering, studying, analysing, scrutinising, inspecting, surveying, checking, sifting, winnowing, going through (with a fine-tooth comb) information and data. Yet …
Of course, auditors cannot be expected to 'audit' against every fraud, such as the crooked Financial Director who can manipulate software to remove peer checking of payments so he can line his pockets. But cases like Enron and TESCO detected by auditors, and, triggering needful new laws (such as Sarbanes Oxley 2002) gratifyingly means that auditing standards do not state that ‘detecting fraud’ is something you must not do.
The variables of definitions of fraud cause uncertainty. But we can codify them into a conceptual working definition that retains key legal constituents: *
- Fraud: strategic intention to create in the mind of the other person, a false perception of reality, resulting in unequivocal loss or gain. (Ross & Shepherd, 2015) *
- Fraud cannot be committed by 'mistake' or 'error' and do not confuse negligence with 'withholding' information.
The Enemy Within
The mind of the internal fraudster combines astuteness, perceptiveness, and business acumen; inexorably linking with a criminal tendency that has a scary capability: to adapt and attack.
But are staff under pressure with ridiculous sales targets? This narcissistic management entity does create fraud and Cressey (1939) with his ‘fraud triangle’ had it right.
Or, is it the pathological rule-bender who crosses the line? Fraudsters are keenly aware of:
- Audit plans (and are able to alter accounts to pass an audit)
- New company auditors being trained in the same way as experienced auditors.
The judicious fraudster knows when to stop one scheme and start another. Maybe a conspiratorial activity is also going on with multi-offenders?
So let us dispense with these hackneyed clichés:
- Fraud is 'complex'
- 'Fraudsters don’t follow rules' (which is exactly what many of them do)
In every case of fraud without exception, there is a combination of 'Knowledge Detail' (identities, locations, relationships, roles, routines), and 'Time and Event' detail (actions, interactions, conversations, meetings). Correlate these, extract evidence, and see either a pattern, a spontaneous 'single hit', or, a multiplicity of frauds running simultaneously.
These examples illustrate:
- Skimming, is 'off the books' crime when an offender intercepts incoming payments and deducts a 'commission' by skimming off a percentage and then falsifies accounting records.
- Invoice fraud. When an employee sets up fake invoices to pay themselves or a third party from the company’s accounts.
- Data Violation. 'Data as the new cash' has become one of the most attractive targets a business possesses. Data theft and 'mismanagement' may not seem like a 'typical' fraud but this sphere of activity widens to bribery scenarios also.
‘Upskilling’. The Forensic in Fraud Detection
Detecting fraud (like those above) starts with addressing two basic tasks:
- Knowing where to start
- Knowing when to stop.
As simple as this sounds these two points can be mutually exclusive. Has fraud definitely happened, or is it 'suspected'? But there is a third dimension for auditors creating an opinion or conclusion about compliance of processes, transactions, or 'other information' that leaves the internal auditor in a place of uncertainty: Where does suspicion end and proof begin? 'Red flags' mean different things to different people.
Solution? Understand the 'journey' from information to evidence. It is dangerous to adopt an attitude of having 'no evidence' without looking for it, or to the opposite extreme of inventing it. If for example you carry out an 'unannounced' audit based on information of confirmed fraud (maybe from a whistleblower) the worst thing you can do is to go bowling in looking for 'damning evidence.' How would you quantify it if you believed you found it? Avoid that indifferent approach. De-construct the information you have in a reverse-logic order and arrive at a base point that will tell you if the fraud has de-facto happened? If it has, you can probe into 'how much,' 'how often', and, who it is.
'Detection' to an auditor implies discovery and reporting onwards.' Investigation implies end-to-end case management. Most auditing policies fall within the former.
Certainly, your first-point encounter with fraud is almost always with documents and systems. Transforming the day-to-day processes into evidential mechanisms is not difficult:
Direct evidence (testimony) provides context to an item of real or 'primary' evidence such as when an auditor finds missing pages from invoices needing explanation. Or is it all about accounting numbers? The journey has started, and what you have is an element needful of further investigation but probably not enough yet for a case to answer.
Primary Evidence is an original item or object material to those facts (a primary exhibit, akin to a murder weapon). Such as:
- Forged Contracts
- Insurance claim forms
Likewise, data recovery from an IT accounting system. Data would need underpinning testimony that the system was working properly.
That last point may seem like a minor issue or menial formality but can be a massive evidential pit-fall. Take the Post Office scandal. In that appalling miscarriage of justice innocent people went to prison for fraud because of idiotic management reliance on a flawed IT accounting system. Raw, system-generated data needs to be authenticated to a forensic standard before it can be called 'evidence.' Not just 'signed off’ by a manager.
Documentary evidence can vary in how it is classified. Information in documents is what it is. Any tangible evidence (of fraud) has to be inferred from it.
Meaning, inference-based evidence from facts can be clear, or, raise needs to challenge facts. If an 'eye witness' observes a person leaving an office, then that is undoubtedly a fact. But to embroider that fact with comments like the person 'must be the one committing fraud' is not a fact but evidenceless conjecture. Defence lawyers quickly pounce on 'evidence' that has doubts around its veracity caused by clumsy interpretation of facts and reliance on loose inferences. Narrow the meaning of inferences and consolidate them into a grade of evidence of fraud that cannot be argued to mean anything else.
- This is where you can really dominate detail. Scrutinise those who tinker around with dates and slide facts into fake narratives, especially in emails. But care must be exercised to avoid layering up of facts which can become 'lost' along the way.
Circumstantial evidence can be very good evidence. It should not be underestimated. Circumstantial evidence can be effective in conspiratorial or collusive conduct between a network of internal fraudsters. Perhaps six of them faking invoices, but they 'clam up' and refuse to co-operate with an investigation? You have sufficient evidence to make a report to have a decision made on all of the parties. Do not stop and allow the fraud to go on (and incentivise others) because you believe you don’t have 'hard proof' like in journalist-speak.
Data violation has a multi-faceted modus operandi. If there is definite fraud, a constructionist approach to detection can be used by applying a 'capability test' * to the audit. This is not making a list of 'likely suspects.' But making in-roads by creating tangible characteristics of potential offenders. For instance:
- Is to establish the business capability of the offender needed.
- Is to apply other profiling attributes. IT skills? High literacy levels?
- Is to pitch the level of experience, rank, position in the business.
- Is to establish that your thief is being selective.
- Is to establish where the offender strikes. (Finance office, procurement?)
The 'capability test' is not accusing anyone. This method is in contrast to when 'suspects' are already identified but the crime(s) themselves are not yet clear.
- There is NO 'objective setting' in detecting fraud. (Look what happened in the Post Office case…)
- You are unlikely to have a written confession. The skill is to establish knowledge that only the fraudster can have.
- The 'detection' is to establish a case to answer by measuring and weighing the evidence, then making informed decisions on the evidential strength of the case.
Radiate confidence and ability in having:
- Precision legal knowledge of both your substantive and procedural law.
- Clinical investigative ability. Avoiding classic pitfalls: Groupthink, cognitive bias
- Understanding of, and Prioritising Evidence.
Verbal reporting means assertion. In purveying fraud narratives don’t get wrapped up in generalized management repartee. Deal in specifics:
B - BUILD a sense of continuity of the case
R - REAFFIRM your focus on the evidential metrics
I - INVOLVE the correct people in decisions/create shared ownership
A - ACKNOWLEDGE you may not have all the answers
R - REPORT objectively, whereby you can justify every word.
Written reports: An effective 'fraud' report is to re-state the scenario but in the fraud issues they pose. If you have established missing revenue evidentially then there can be no dispute – provided you are unflinchingly objective and don’t edit out parts of it.
For the written report, a practical framework is the IDEA method: *
I - IDENTIFY the exact fraud conduct in plain language
D - DEFINE the exact elements of the company policy violated (citing the underpinning law)
E - EXPLAIN how the fraud was committed:
- Spell out the points where misrepresentation took place and how it was conveyed (by forged documents, withholding information).
- Spell out why the conduct cannot be by error. Infer this from facts.
- Signpost the report with time and event detail and what other case facts generate percipient evidence of fraud.
A - APPLY a brief, rounded summary.
- State any technical points which you had validated and verified before reporting.
- Do not exaggerate facts or try to personally influence the final outcomes.
And so …
This piece avoided repetition of the morass of fraud prevention 'tips' but rather to break stereotypes and encourage a coruscating review of how we can both detect and report fraud – without fear or favour!
Ian Ross, PhD, MSc, FCMI, ACFS, ACIArb
- 'Listed expert' to the Cour pénale internationale (The International Criminal Court of Justice (‘ICC’) The Hague.
- Director of Financial Crime Management & Mediation, DETECTA EUS Academy, Bilbao.
- Trainer and Assessor for the International Association of Auditors (IIA. UAE Chapter)
- Fellow: Chartered Management Institute (CMI)
- Accredited Counter Fraud Specialist
- Chartered Institute of Arbitrators (CIArb) - Associate
Has delivered over 1000 hours of professional training. Has carried out extensive audits of AML and related investigative procedures.
Published author of 4 books