Auditing for Internal Fraud

Page 1: Auditing for Internal Fraud

Auditing for Internal Fraud

Page 2: Auditing for Internal Fraud

History of Fraud Legislation

- 1985 – The Treadway Commission was formed to inspect, analyze, and make recommendations regarding the increase in fraudulent corporate financial reporting.
- 1987 – Completed the study and made recommendations for 1) public companies, 2) independent public accountants, 3) the SEC, and 4) the field of education for the accountant.

Page 3: Auditing for Internal Fraud

Recommendations for Public Accountants

- Improved recognition of the public accountant’s responsibility for detecting fraud
- Required procedures to mark high-risk fraudulent financial reporting areas
- Improved audit quality
- Clearer communication in written audit reports
- Reorganization of the Auditing Standards Board of the AICPA

Page 4: Auditing for Internal Fraud

SAS 54 (1998)

The auditor should be alert to the existence of illegal acts while performing tests such as:

- Reading minutes of the meetings of the organization
- Performing substantive testing
- Analyzing large payments for services
- Reviewing commissions and fees paid
- Examining litigation and claims pending

Page 5: Auditing for Internal Fraud

COSO Report (1992)

Designed to clarify the objectives and definitions of what internal controls entailed, and clarify what objectives they include, such as:

- Effectiveness and efficiency of operations
- Reliability of financial reporting
- Compliance with applicable laws and regulations

Page 6: Auditing for Internal Fraud

SAS 99 (2002)

Defines two types of fraud:

- Misstatements arising from fraudulent financial reporting
- Misstatements arising from misappropriation of assets

SAS 99 outlines key risk factors in both types of fraud, which include:

Page 7: Auditing for Internal Fraud

Risk Relating to Fraudulent Financial Reporting

- Financial stability or profitability is threatened
- Significant declines in customer demand and increasing business failure in industry/economy
- Recurring negative cash flows
- Excessive pressure on management to meet financial targets
- Significant related party transactions or unusual/highly complex transactions

Page 8: Auditing for Internal Fraud

Risk Relating to Fraudulent Financial Reporting (cont)

- Significant bank accounts or operations in tax-haven jurisdictions where there appears to be no clear business justification
- Complex or unstable organizational structure
- Inadequate or ineffective internal controls
- Management failing to report known reportable conditions
- Repeated attempts by management to justify inappropriate accounting on the basis of materiality

Page 9: Auditing for Internal Fraud

Risk Factors Relating to Misappropriation of Assets

- Personal financial obligations may create pressure on management or employees with access to cash or other assets able to be stolen
- Known or anticipated future layoffs
- Large quantities of cash or inventory items small in size with high value
- Inadequate segregation of duties
- Inadequate record-keeping with respect to assets
- Lack of complete and timely reconciliation of assets

Page 10: Auditing for Internal Fraud

Fraud Risk Discussions

- SAS 99 requires that, as part of the planning phase of an audit, the audit team must discuss what areas the entity’s financial data may be open to fraud risk. Professional skepticism is key.
- This discussion should include all team members, and help uncover areas that may become an issue during the audit, or special high-risk areas that require more procedural scrutiny to detect fraud.

Page 11: Auditing for Internal Fraud

Obtain Risk Identification Information

- This process includes making inquiries of management and others within the organization
- Considering the results of analytical procedures performed in planning the audit (ProfitCents analysis, ratio analysis, and review of the trial balance etc.)
- Looking for the existence of fraud factors (see earlier slides for fraud factors)

Page 12: Auditing for Internal Fraud

Risk Assessment

Based on the three conditions that create fraud (incentives/pressure, opportunity, and attitude/rationalization) the auditor should assess the specific risk of the audit to be performed using personal judgment on the following factors:

- The type of risk that may exist
- The significance or magnitude of the risk
- The likelihood it will result in material misstatement
- The pervasiveness of the risk (account specific or pervasive to the financial statements as a whole)

Page 13: Auditing for Internal Fraud

Evaluate Audit Evidence

The auditor is required to continually reassess risk of material misstatement throughout the audit against the cumulative results of analysis performed. Relevant factors include:

- Transactions not recorded in a complete or timely manner
- Unsupported or unauthorized balances or transactions
- Altered or missing documents
- Inconsistent, vague, or improbable responses to inquiry
- Denial of access to records, facilities, employees or vendors

Page 14: Auditing for Internal Fraud

Communication about Fraud to Management or Others

- If the auditor determines credible evidence exists that fraud has occurred, the matter needs to be brought to the attention of company management. In HEB this is done through the lead partner on the audit, and should be brought to his attention before any other action is taken.
- The possibility exists that outside entities will need to be told about the fraud due to subpoena or other legal or contractual requirements.

Page 15: Auditing for Internal Fraud

Documentation of Fraud Consideration

Each step of the audit process needs detailed documentation, including:

- Audit team discussions regarding fraud or fraud risk
- The procedures performed to obtain fraud assessment and risk identification
- Results of procedures performed to address the risk of management override of controls
- Other conditions and analytical relationships that caused the auditor to believe that additional audit procedures should be performed

Page 16: Auditing for Internal Fraud

The Fraud Triangle

The fraud triangle seeks to explain what must be present for fraud to occur. There are three basic things that must be present in order for fraud to occur: opportunity, incentive, and ability to rationalize.

Page 17: Auditing for Internal Fraud

Fraud Triangle Point #1: Opportunity

Opportunity in the fraud triangle is simple. In order for fraud to occur, there has to be an ability to commit fraud. For instance, a cashier can steal money out of the cash register because it is there. If the cashier was required to drop all cash into an underground safe to which he did not know the combination, opportunity would not exist.

Page 18: Auditing for Internal Fraud

Fraud Triangle Point #2: Incentive

In order for someone to perpetrate fraud, there has to be an incentive. Take the same cashier above. Say he is able to access the cash in the cash register. Will the cashier gain anything by taking the cash? The money could act as an incentive that entices the cashier to perpetrate fraud by stealing the cash out of the cash register.

Incentive has also been called “pressure”. Pressure can come in the forms of peer pressure, living a lavish lifestyle, a drug addiction, and many other aspects that can influence someone to seek gains via financial fraud.

Page 19: Auditing for Internal Fraud

Fraud Triangle Point #3: Rationalization

Rationalization is the grayest area in the fraud triangle. Opportunity and incentive exist or they don’t. Rationalization depends on the individual and the circumstances they are facing. If the cashier feels he is underpaid, he/she could rationalize stealing money by feeling that it is owed to them. On the other hand, the store owner could be like family to the cashier, in which case, stealing the money would feel wrong. In that case, the cashier would not likely steal from the cash register.

Page 20: Auditing for Internal Fraud

Types of Asset Misappropriation Schemes

- Skimming – Employee steals customer payments
- Cash larceny – Employee steals cash receipts
- Billing schemes – various false disbursements
- Expense reimbursements – fraudulent claims
- Check tampering – Theft of funds using checks
- Payroll – inaccurate compensation
- Cash register disbursements – false register entries
- Cash on hand – theft of petty cash/cash on hand
- Non-cash misappropriation – theft of other assets

Page 21: Auditing for Internal Fraud

Benford’s Law

Benford's law, also called the first-digit law, states that in lists of numbers from many (but not all) real-life sources of data, the leading digit is distributed in a specific, non-uniform way. According to this law, the first digit is 1 almost one third of the time, and larger digits occur as the leading digit with lower and lower frequency, to the point where 9 as a first digit occurs less than one time in twenty.

Page 22: Auditing for Internal Fraud

Benford’s Law

This test can be used in Excel fairly easily to see if distributions are random or not.
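The first-digit test described on the two Benford slides, written out as an added Python example (it is not part of the original slides, which only mention Excel). Both ledgers are constructed sample data, the 5,000 approval limit is a hypothetical control, and the chi-square comparison at the 5% level is one common way to score the deviation.

```python
import math
from collections import Counter
from decimal import Decimal

# Expected share of each leading digit 1..9 under Benford's law: log10(1 + 1/d)
BENFORD = {d: math.log10(1 + 1 / d) for d in range(1, 10)}

# Chi-square critical value, 8 degrees of freedom, 5% significance level
CHI2_CRITICAL = 15.507


def leading_digit(amount):
    """First significant digit of an amount (0 only if the amount is zero)."""
    # Decimal drops leading zeros from its coefficient, so 0.042 -> (4, 2)
    return Decimal(str(abs(amount))).as_tuple().digits[0]


def benford_test(amounts):
    """Compare leading digits of `amounts` with Benford's expected shares."""
    digits = [d for d in map(leading_digit, amounts) if d != 0]
    n = len(digits)
    if n == 0:
        raise ValueError("no non-zero amounts to test")
    observed = Counter(digits)
    chi2 = 0.0
    excess = {}
    for d, share in BENFORD.items():
        expected = n * share
        chi2 += (observed[d] - expected) ** 2 / expected
        excess[d] = observed[d] - expected
    return {
        "n": n,
        "shares": {d: observed[d] / n for d in BENFORD},
        "chi2": chi2,
        "flagged": chi2 > CHI2_CRITICAL,
        "most_overrepresented": max(excess, key=excess.get),
    }


# Constructed sample 1: 400 amounts spread evenly (in log terms) over four
# orders of magnitude, from 100.00 up to just under 1,000,000.00.
ORDINARY = [round(100 * 10 ** (k / 100), 2) for k in range(400)]

# Constructed sample 2: the same ledger plus 60 payments sitting just under a
# hypothetical 5,000 approval limit (the limit is an assumption, not from the slides).
PADDED = ORDINARY + [4900.00 + i for i in range(60)]

if __name__ == "__main__":
    for name, ledger in (("ordinary", ORDINARY), ("padded", PADDED)):
        r = benford_test(ledger)
        print(f"{name}: n={r['n']} chi2={r['chi2']:.2f} "
              f"flagged={r['flagged']} top digit={r['most_overrepresented']}")
        for d in BENFORD:
            print(f"  {d}: observed {r['shares'][d]:.3f}  expected {BENFORD[d]:.3f}")
```

A flagged result is a reason to sample the over-represented range, not evidence of fraud by itself. The test is only meaningful for amounts that span several orders of magnitude, which is the "many (but not all)" qualification in the law's statement.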

Page 23: Auditing for Internal Fraud

2010 ACFE Report to the Nations on Occupational Fraud and Abuse

- Estimates that the typical organization loses 5% of its annual revenue to fraud, totaling $2.9 trillion annually worldwide
- Median loss is $160,000 with almost 25% of frauds totaling over $1 million.
- Average fraud lasts 18 months before detection
- Asset misappropriation schemes represent 90% of cases but were least costly at $135,000 on average. Financial statement fraud schemes were only ~5% of the total, but averaged more than $4 million in losses.

Page 24: Auditing for Internal Fraud

2010 ACFE Report to the Nations on Occupational Fraud (cont)

- Small organizations are disproportionately victimized by fraud, typically due to the lack of strong anti-fraud controls such as segregation of duties and tip hotlines.
- High-level perpetrators cause the greatest damage to their organizations. Frauds committed by owners/executives are on average 3 times more costly than manager-committed fraud, and 9 times more costly than employee fraud.

Page 25: Auditing for Internal Fraud

2010 ACFE Report to the Nations on Occupational Fraud (cont)

- 80%+ of frauds were committed by individuals within accounting, operations, sales, upper management, customer service or purchasing.
- 85%+ of fraudsters in the study had never been previously charged or convicted for fraud-related offenses.
- The most common red flags were living beyond their means (43% of cases), and experiencing financial difficulties (36% of cases).

Page 26: Auditing for Internal Fraud

2010 ACFE Report to the Nations on Occupational Fraud (cont)

- Tips are by far the most common way fraud is uncovered, representing about 40% of frauds. The next highest methods are management review (15%) and internal audit (14%). Accidental discovery is 4th most common at 8%.
- The ACFE report recommends that all businesses, including small businesses, have a fraud hotline. This can be done either through phone or email, but must be anonymous in order to be useful. There are 3rd party hotline services available.

Page 27: Auditing for Internal Fraud

2010 ACFE Report to the Nations on Occupational Fraud (cont)

- The most common methods of fraud for small businesses are billing frauds, check tampering, corruption, and skimming.
- Lack of internal controls is given as the biggest weakness in small businesses that contributes to fraud. We have the opportunity to help clients improve internal controls and prevent future fraud.

Page 28: Auditing for Internal Fraud

Summary

SAS 99 outlines currently required audit procedures as including:

- Fraud risk discussions before audits
- Risk identification through inquiry and analysis
- Risk assessment tailored to each audit
- Evaluation of audit evidence throughout the audit, reassessment of audit risk with new info
- Communication about fraud to management
- Documentation of fraud consideration

Small businesses tend to have different types of fraud than larger businesses, and lack of internal controls is typically the root cause.