Updated November 11, 2022
In today’s world, where corporate scandals often make front-page news, fraud prevention and detection are becoming a priority for management and decision-makers. The Association of Certified Fraud Examiners (ACFE) reports that an average organisation loses an estimated 5% of its annual revenue to fraud. Hence, fraud is one of the major risks facing an organisation, both financially and reputationally.
Typically, a large majority of midsize to large organisations consider their internal and external auditors as the pivotal tools for uncovering fraud and taking preventive measures to minimise the risk of loss incurred due to fraud. However, this doesn’t imply that independent auditors often identify fraud. In fact, the opposite is often true. The ACFE’s 2022 edition of Occupational Fraud: A Report to the Nations points out that auditors rarely find fraud — internal audit detects fraud 16% of the time, while external audit identifies it in only 4% of cases.
One reason auditors rarely find fraud is that audits are not designed to detect and/or prevent fraud from occurring. Audit procedures and rules are more likely to determine whether a company’s financial statements are fairly stated without any material discrepancies and whether appropriate internal controls are in place. They are not aimed at detecting and remediating a fraudulent occurrence. For instance, organisations exhibiting unethical culture and poor employee behaviour are often held responsible for data breaches, whereas there is no relationship between auditors and the conduct of employees, as typical audit rules don’t require auditors to consider qualitative and nonregulatory factors. Hence, auditors can’t be held accountable for fraudulent incidents in most cases.
Knowing all this, fraudsters try to take advantage of the gap between an auditor’s limited reach and the company’s policies and procedures. This makes fraud prevention a mutual responsibility of the board, top-level management and auditors.
The following are some reasons why auditors rarely find fraud:
- The audit universe has its limitations. During an audit engagement, auditors usually evaluate financial statements of the organisation or test internal controls that are in place. The majority of these audit procedures are aimed at detecting material facts and correcting material errors. Materiality, in this context, is a misstatement/weakness in internal controls over financial reporting that might affect decision-making and profitability of stakeholders. Hence, the audit universe captures transactions and controls that are at or above a material level.
- Lack of volatility in audit tests. Generally, auditors are not known for modifying their testing methods from one exercise to another; their focus remains set on the specific thresholds of controls and the transactions occurring. This makes audit testing predictable, as employees are often aware of the scope of the audit and the opportunities that exist under the auditor’s radar. Adding an element of surprise can be an effective method in detecting and preventing fraud, yet auditors do not commonly employ this strategy.
- Sampling is not enough to capture the whole story. Sampling is widely used for testing transactions in an audit. Auditors collect random samples of transactions to verify that they were correctly recorded and that the internal controls were in place and working at the time. An intrinsic limitation of sampling is that not all transactions are tested, which creates a high probability that a fraudulent transaction will not be captured in the auditors’ sample, and therefore will go undetected.
- Fraudsters might prove too clever for inexperienced auditors. Today’s business model for audit firms relies on relatively inexperienced auditors to perform a major component of fieldwork. Young and inexperienced auditors often do not know what questions to ask and are usually reluctant to ask difficult questions or challenge management’s decisions. On the other hand, fraudsters can produce fake documents or paperwork to pacify the busy auditor. Simply put, auditors without much experience might not be adept at recognising suspicious transactions and/or fraudulent documentation.
- Time and budget constraints. Just like any other project or engagement, an audit has to be completed within set deadlines and a set budget. Limitations of resources and tight project deadlines may lead to audits not being as thorough as planned.
- Heavy dependence on internal controls. The assessment of internal controls heavily influences the scope of testing and the types of procedures auditors use. Auditors review the company’s policies and procedures that help ensure accurate processes and financial statements. Internal control deficiencies are often repeated year after year, even with increased auditing procedures, while the client continues without addressing those deficiencies.
Auditors’ Role in Detecting Fraud
The Australian government’s Auditing and Assurance Standards Board (AUASB) and The Institute of Internal Auditors (The IIA) have both issued professional standards that require auditors, when performing an audit, to identify the risks of fraud and to plan audits to address these risks. These include ASA 240 (The Auditor’s Responsibilities Relating to Fraud in an Audit of a Financial Report) and The IIA Standard 1200 (Proficiency and Due Professional Care). The AUASB is an independent, non-corporate Commonwealth entity of the Australian government, responsible for developing, issuing and maintaining auditing and assurance standards. The AUASB standards are legally enforceable for audits or reviews of financial reports required under the Corporations Act 2001.
The AUASB requires auditors to maintain professional scepticism throughout the audit and recognise the possibility that a material misstatement due to fraud exists. Auditors cannot rely upon past experiences of honesty and integrity of management and employees, and they should reassess any document which is believed to be nonauthentic.
The ASA 240 standard is similar to the International Auditing and Assurance Standards Board (IAASB) standard 240, which is about the auditor’s responsibilities relating to fraud in an audit of financial statements. ISA 240 states that the primary responsibility for the prevention and detection of fraud rests both with those charged with governance of the entity and with management. Thus, auditors’ responsibilities are confined to obtaining reasonable assurance that the financial statements are free from material misstatement, whether caused by fraud or error.
Per The IIA Standard 1200 — Proficiency and Due Professional Care, “Internal auditors must possess the knowledge, skills, and other competencies needed to perform their individual responsibilities.” Subsection 1210.A2 further specifies an auditor’s role toward fraud detection: “Internal auditors must have sufficient knowledge to evaluate the risk of fraud and the manner in which it is managed by the organisation but are not expected to have the expertise of a person whose primary responsibility is detecting and investigating fraud.”
Hence, most of the professional standards around an auditor’s role in fraud detection are confined to material misstatement. Also, auditors might be qualified in assessing risks and identifying where fraud may occur, but they might not know how to recognise (i.e., identify) the indicators of fraud. Auditors must look at their audit evidence and identify where fraud might have already occurred or might be occurring — these are the anomalies, or red flags, of fraud. Unlike certified fraud examiners, most auditors have never seen a fraud scheme or are unaware of common red flags.
The Way Ahead for Organisations and Auditors
Management and governance functions, and risk and compliance departments need to understand these inherent limitations in the auditing process. It is understandable that audit procedures have never been designed to detect fraud. It is difficult for auditors to detect fraud at a meaningful rate, unless there is a massive change in the business of auditing.
Nevertheless, there are a few tactics that can enhance the role of an auditor in fraud detection and prevention:
- Audits should use basic techniques, such as the element of surprise. Auditors should vary their procedures and scopes from year to year, and surprise procedures should be conducted throughout the year as well as during the audit. More time needs to be spent on assessing high-risk areas where fraud could be committed at the company.
- Inexperienced auditors should be provided with better training and supervision that includes actual experience in the field.
- Along with complying with professional standards, auditors can conduct fraud examinations for transactions and controls where the level of risk is significant.
- Auditors can play a key role in developing a system of fraud indicators so that suspicious activities are flagged and investigated.
- Auditors should exercise professional scepticism when considering the risk of fraud. External auditors in particular must conduct their work with a mindset that recognises the possibility that a material misstatement due to fraud could be present, regardless of any past experience with the company and the auditor’s belief about management’s integrity. Auditors should never be satisfied with less-than-persuasive evidence because of a belief that management is honest.
- Finally, internal auditors should be concerned with violations of the organisation’s policies and procedures even when they do not involve fraud.
Fraud in the APAC Region
In this period of economic uncertainty and heightening regulations, efforts are being undertaken to detect red flags within the APAC region. The ACFE identified areas related to fraud in its Report to the Nations – Asia-Pacific Edition. Highlighted below are some findings from that report:
- The median loss caused by a fraud incident in the Asia-Pacific (APAC) region is US$236,000, and the median duration of a fraud scheme is 18 months.
- Globally, asset misappropriation (86%) is the most common fraud incident; however, in the APAC region, corruption (57%) is most common. In monetary terms, financial statement fraud leads the way globally, with a median loss of US$593,000.
- The role of audit in fraud detection is not so different in APAC organisations compared to in the rest of the world. Internal audit is the second most common fraud detection avenue, with 22% of fraud cases initially being detected by independent auditors and 36% by whistleblowers or through anonymous tips.
- External audit is not as effective, detecting only 4% of fraud cases.
- During the COVID-19 pandemic, organisational staffing changes and operational process changes accounted for a significant 12% increase in occupational fraud.
- In terms of affected organisations, private companies incur more monetary losses compared to public companies, and entities with fewer than 100 employees are sometimes at greater risk of fraud.
- The banking and financial services industry was the largest industry impacted by fraud globally and accounted for the highest median loss of US$1,739,000. Government and manufacturing sectors were the second and third most impacted, respectively.
- APAC companies rely significantly on audit as an anti-fraud control. External audit of financial statements is considered an anti-fraud control in 88% of cases, while in 82% of cases, companies relied on their internal audit department to prevent fraud.
- External audit of internal controls over financial reporting systems was identified as reducing incidents of fraud in 73% of cases.
- In particular, two controls — job rotation and mandatory vacation policies, and surprise audits — were associated with at least a 50% reduction in both median loss and median duration. Interestingly, these are among the least common controls implemented, with only 25% of organisations having job rotation and mandatory vacation policies and only 42% using surprise audits, indicating that numerous organisations have an opportunity to add these highly effective tools to their anti-fraud programs.
- Other controls with notable reductions in both measures include proactive data monitoring and analysis and formal fraud risk assessments.
These are specific and informative findings. APAC entities need to be cognisant of the risk of a fraud or corruption event occurring within their environment and must ensure that appropriate controls are in place to mitigate the likelihood of such events. This assertion applies to companies in other regions as well.