In today’s world where corporate scandals often make front page news, fraud prevention and detection are becoming a priority for management and decision-makers. An alarming fact reported by the Association of Certified Fraud Examiners (“ACFE”) stated that an average organisation loses an estimated 5 percent of its annual revenue to fraud, hence fraud is posed as one of the major risks facing an organisation (both financially and reputationally).
Typically, a large majority of midsize to large organisations consider their internal and external auditors as the pivotal tool for uncovering fraud and taking preventive measures to minimise the risk of loss incurred due to a fraud. However, this doesn’t imply that independent auditors often identify fraud, in fact, the opposite is true in many cases. ACFE’s Report to the Nations advocates the fact that auditors rarely find fraud – internal audit detects fraud 15 percent of the time, while external audit merely 4 percent.
One reason auditors rarely find fraud is that audits are not designed to detect and/or prevent a fraud from occurring. Audit procedures and rules are more likely to determine whether a company’s financial statements are fairly stated without any material discrepancies and whether appropriate internal controls are in place. They are not aimed at detecting and remediating a fraudulent occurrence. For instance, organisations exhibiting unethical culture and poor employee behaviour are often held responsible for data breaches, whereas there is no relationship between auditors and the conduct of employees as typical audit rules don’t require auditors to consider qualitative and non-regulatory factors. Hence, auditors can’t be held accountable for fraudulent incidents in most of the cases.
With all these sanctions in favour of and against auditors, fraudsters somehow try to pierce the gap between an auditors’ limited reach and the company’s policies and procedures. This makes fraud prevention a mutual responsibility of board, top level management and auditors. The following may provide reasons as to why auditors rarely find fraud:
The audit universe has its limitations. During an audit engagement, auditors usually evaluate financial statements of the organisation or test internal controls that are in place. The majority of these audit procedures are aimed at detecting material facts and correcting material errors. Materiality, in this context, is a misstatement/weakness in internal controls over financial reporting that might affect decision-making and profitability of stakeholders. Hence, the audit universe captures transactions and controls that are at or above material level.
Lack of volatility in audit tests. Generally, auditors are not known for modifying their testing methods from one exercise to another; their focus remains set on the specific thresholds of controls and the transactions occurring. This makes audit testing predictable as employees are often aware of the scope of the audit and the opportunities that exist under the auditor’s radar. Adding an element of surprise can be an effective method in detecting and preventing fraud, yet it is not commonly used by auditors.
Sampling is not enough to capture the whole story. Sampling is widely used for testing transactions in an audit. Auditors collect random samples of transactions to verify that they were correctly recorded and that the internal controls were in place and working at the time. An intrinsic limitation of sampling is that all transactions are not tested, therefore creating a high probability that a fraudulent transaction will not be captured in the auditors’ sample, and therefore will go undetected.
Fraudsters might prove clever for inexperienced auditors: Today’s business model for audit firms relies on relatively inexperienced auditors to perform a major component of field work. Young and inexperienced auditors often do not know what questions to ask and are usually reluctant to ask difficult questions or challenge management’s decisions. On the other hand, fraudsters can produce fake documents or paperwork to pacify the busy auditor. Simply put, auditors without much experience might not be adept at recognising suspicious transactions and/or fraudulent documentation.
Time and budget constraints: Just like any other project or engagement, auditors are also required to meet certain periodic and monetary deadlines. Limitations of resources and tight project deadlines may lead to audits not being as thorough as planned.
Heavy dependence on internal controls: The scope of testing and the types of audit procedures used are heavily influenced by the assessment of internal controls. Auditors review the company’s policies and procedures that help ensure accurate processes and financial statements. Internal Control deficiencies are often repeated year after year even with increased auditing procedures, while the client continues without addressing those deficiencies.
Auditors’ Role in Detecting Fraud
The Australian Government’s Auditing and Assurance Standards Board (AUASB) and the Institute of Internal Auditors (IIA) have both issued professional standards that require auditors, when performing an audit, to identify the risks of fraud and to plan audits to address these risks. These include ASA 240 (The Auditor’s Responsibilities Relating to Fraud in an Audit of a Financial Report) and the IIA Standard 1200 (Proficiency and Due Professional Care). The Auditing and Assurance Standards Board (AUASB) is an independent, non-corporate Commonwealth entity of the Australian Government, responsible for developing, issuing and maintaining auditing and assurance standards. The AUASB standards are legally enforceable for audits or reviews of financial reports required under the Corporations Act 2001.
The AUSAB requires auditors to maintain professional skepticism throughout the audit and recognise the possibility that a material misstatement due to fraud exists. Auditors cannot rely upon past experiences of honesty and integrity of management and employees. Auditors should re-assess any document which is believed to be non-authentic.
ASA 240 standard is similar to the IAASB (International Auditing and Assurance Standards Board) standard 240 that is about the auditor’s responsibilities relating to fraud in an audit of financial statements. ISA 240 states that the primary responsibility for the prevention and detection of fraud rests with both those charged with governance of the entity and the management. Thus, auditors’ responsibilities are confined to obtaining reasonable assurance that the financial statements taken are free from material misstatement, whether caused by fraud or error.
As per IIA’s standard 1200 – Proficiency and Due Professional Care, “Internal auditors must possess the knowledge, skills, and other competencies needed to perform their individual responsibilities.” Its sub-section 1210.A2 further specifies an auditor’s role towards fraud detection – “Internal Auditors must have sufficient knowledge to evaluate the risk of fraud and the manner in which it is managed by the organisation but are not expected to have the expertise of a person whose primary responsibility is detecting and investigating fraud.”
Hence, most of the professional standards around an auditor’s role in fraud detection are confined to material misstatement. Also, auditors might be qualified in assessing risks and identifying where a fraud may occur, but they might not know how to recognise (i.e. identify) the indicators of fraud. Auditors must look at their audit evidence and identify where a fraud might have already occurred or might be occurring — these are the anomalies or red flags of fraud. Unlike CFEs, most auditors have never seen a fraud scheme or are unaware of common red flags.
Way Ahead for Organisations and Auditors
Management and governance, risk and compliance departments need to understand the inherent limitations in the auditing process. It is understandable that audit procedures have never been designed to detect fraud. It is difficult for auditors to detect fraud at a meaningful rate, unless there is a massive change in the business of auditing.
Here are a few ways that can enhance the role of an auditor in fraud detection and prevention:
- Audits should use basic techniques like the element of surprise. The auditors should vary their procedures and scopes from year to year, and surprise procedures should be conducted throughout the year as well as during the audit. More time needs to be spent on assessing high risk areas where fraud could be committed at the company.
- Inexperienced auditors should be provided with better training and supervision that includes actual experience in the field.
- Along with complying with professional standards, auditors can conduct fraud examinations for transactions/controls where an amount of risk is significant.
- An auditor can play a key role in developing a system of fraud indicators, so that suspicious activities are flagged and investigated. Finally, internal auditors should be concerned with violations of the organisation’s policies and procedures even when they do not involve fraud.
Fraud in the APAC Region
In this period of economic uncertainty and heightening regulations, efforts are being undertaken to detect red flags within the APAC region. The ACFE identified areas related to fraud in its “Report to the Nations – Asia Pacific Edition.” Highlighted below are some findings from that report:
- On average, median loss caused by a fraud incident in APAC is US$236,000, and the median duration of a fraud scheme is 18 months.
- In terms of the number of cases globally, asset misappropriation (89 percent) is the most common fraud incident; however, in the APAC region, corruption (51 percent) is the most common incident. In monetary terms, it is financial statement fraud that leads the way with a median loss of US$236,000.
- The role of audit in fraud detection is not so different in Asia-Pacific organisations compared to rest of the world. Internal audit is the second most common fraud detection avenue with 15 percent of fraud cases initially being detected by independent auditors.
- External audit is not as effective, with ability to detect only 4 percent of fraud cases.
- In terms of victim organisations, private companies incur more monetary losses compared to public companies and entities with less than 100 employees are sometimes at greater risk of fraud.
- The manufacturing industry by far is the largest industry impacted by fraud in the Asia-pacific region with 17 percent of cases identified and the highest median loss of US$500,000. The financial services sector and government agencies were the second and third most impacted, respectively.
- Companies in the Asia-Pacific region rely significantly on audit as an anti-fraud control. External audit of financial statements is considered as an anti-fraud control in 93 percent of cases, while in 80 percent of cases companies relied on their Internal audit department to prevent fraud.
- External audit of internal controls over financial reporting systems was identified as reducing incidents of fraud in 28 percent of cases and assisting in faster detection of fraud in 38 percent of the cases.
- Formal fraud risk assessments can decrease the probability of a fraud in 34 percent of cases and lead to faster detection of fraud in 17 percent of cases.
These are specific and significant findings. Therefore, APAC entities need to be cognisant to the risk of a fraud occurring within their environment and ensure that appropriate controls are in place to mitigate the likelihood of a fraud or corruption event.