Why Auditors Rarely Find Fraud

Anthony Hodgkinson, Director Protiviti Forensic, Australia

In today’s world, where corporate scandals often make front-page news, fraud prevention and detection are becoming a priority for management and decision-makers. The Association of Certified Fraud Examiners (“ACFE”) reports the alarming fact that an average organisation loses an estimated 5% of its annual revenue to fraud; hence, fraud is one of the major risks facing an organisation (both financially and reputationally).

Typically, a large majority of midsize to large organisations consider their internal and external auditors the pivotal tool for uncovering fraud and taking preventive measures to minimise the risk of loss due to fraud. However, this doesn’t imply that independent auditors often identify fraud; in fact, the opposite is true in many cases. ACFE’s Report to the Nations points out that auditors rarely find fraud: internal audit detects fraud 15% of the time, while external audit detects it merely 4% of the time.

One reason auditors rarely find fraud is that audits are not designed to detect and/or prevent fraud. Audit procedures and rules are designed to determine whether a company’s financial statements are fairly stated without any material discrepancies and whether appropriate internal controls are in place. They are not aimed at detecting and remediating a fraudulent occurrence. For instance, organisations exhibiting an unethical culture and poor employee behaviour are often held responsible for data breaches, whereas there is no relationship between auditors and the conduct of employees, as typical audit rules don’t require auditors to consider qualitative and non-regulatory factors. Hence, auditors can’t be held accountable for fraudulent incidents in most cases.

Knowing all this, fraudsters try to take advantage of the gap between an auditor’s limited reach and the company’s policies and procedures. This makes fraud prevention a mutual responsibility of the board, top-level management and auditors.

The following are some reasons why auditors rarely find fraud:

  • The audit universe has its limitations. During an audit engagement, auditors usually evaluate financial statements of the organisation or test internal controls that are in place. The majority of these audit procedures are aimed at detecting material facts and correcting material errors. Materiality, in this context, is a misstatement/weakness in internal controls over financial reporting that might affect decision-making and profitability of stakeholders. Hence, the audit universe captures transactions and controls that are at or above material level.
  • Lack of volatility in audit tests. Generally, auditors are not known for modifying their testing methods from one exercise to another; their focus remains set on the specific thresholds of controls and the transactions occurring. This makes audit testing predictable as employees are often aware of the scope of the audit and the opportunities that exist under the auditor’s radar. Adding an element of surprise can be an effective method in detecting and preventing fraud, yet it is not commonly used by auditors.
  • Sampling is not enough to capture the whole story. Sampling is widely used for testing transactions in an audit. Auditors collect random samples of transactions to verify that they were correctly recorded and that the internal controls were in place and working at the time. An intrinsic limitation of sampling is that not all transactions are tested, which creates a high probability that a fraudulent transaction will not be captured in the auditors’ sample and will therefore go undetected.
  • Fraudsters might prove too clever for inexperienced auditors. Today’s business model for audit firms relies on relatively inexperienced auditors to perform a major component of field work. Young and inexperienced auditors often do not know what questions to ask and are usually reluctant to ask difficult questions or challenge management’s decisions. On the other hand, fraudsters can produce fake documents or paperwork to pacify the busy auditor. Simply put, auditors without much experience might not be adept at recognising suspicious transactions and/or fraudulent documentation.
  • Time and budget constraints. Just like any other project or engagement, auditors are also required to meet certain periodic and monetary deadlines. Limitations of resources and tight project deadlines may lead to audits not being as thorough as planned.
  • Heavy dependence on internal controls. The scope of testing and the types of audit procedures used are heavily influenced by the assessment of internal controls. Auditors review the company’s policies and procedures that help ensure accurate processes and financial statements. Internal control deficiencies are often repeated year after year even with increased auditing procedures, while the client continues without addressing those deficiencies.

Auditors’ Role in Detecting Fraud

The Australian government’s Auditing and Assurance Standards Board (AUASB) and The Institute of Internal Auditors (The IIA) have both issued professional standards that require auditors, when performing an audit, to identify the risks of fraud and to plan audits to address these risks. These include ASA 240 (The Auditor’s Responsibilities Relating to Fraud in an Audit of a Financial Report) and The IIA Standard 1200 (Proficiency and Due Professional Care). The AUASB is an independent, non-corporate Commonwealth entity of the Australian government, responsible for developing, issuing and maintaining auditing and assurance standards. The AUASB standards are legally enforceable for audits or reviews of financial reports required under the Corporations Act 2001.

The AUASB requires auditors to maintain professional skepticism throughout the audit and recognise the possibility that a material misstatement due to fraud exists. Auditors cannot rely upon past experiences of honesty and integrity of management and employees. Auditors should re-assess any document which is believed to be non-authentic.

The ASA 240 standard is similar to the International Auditing and Assurance Standards Board (IAASB) standard ISA 240, which covers the auditor’s responsibilities relating to fraud in an audit of financial statements. ISA 240 states that the primary responsibility for the prevention and detection of fraud rests both with those charged with governance of the entity and with management. Thus, auditors’ responsibilities are confined to obtaining reasonable assurance that the financial statements are free from material misstatement, whether caused by fraud or error.

Per The IIA Standard 1200 – Proficiency and Due Professional Care, “Internal auditors must possess the knowledge, skills, and other competencies needed to perform their individual responsibilities.” Sub-section 1210.A2 further specifies an auditor’s role toward fraud detection: “Internal Auditors must have sufficient knowledge to evaluate the risk of fraud and the manner in which it is managed by the organisation but are not expected to have the expertise of a person whose primary responsibility is detecting and investigating fraud.”

Hence, most of the professional standards around an auditor’s role in fraud detection are confined to material misstatement. Also, auditors might be qualified in assessing risks and identifying where a fraud may occur, but they might not know how to recognise (i.e., identify) the indicators of fraud. Auditors must look at their audit evidence and identify where a fraud might have already occurred or might be occurring — these are the anomalies, or red flags, of fraud. Unlike certified fraud examiners, most auditors have never seen a fraud scheme or are unaware of common red flags.

The Way Ahead for Organisations and Auditors

Management and governance functions, and risk and compliance departments need to understand these inherent limitations in the auditing process. It is understandable that audit procedures have never been designed to detect fraud. It is difficult for auditors to detect fraud at a meaningful rate, unless there is a massive change in the business of auditing.

Nevertheless, there are a few ways that can enhance the role of an auditor in fraud detection and prevention:

  • Audits should use basic techniques, such as the element of surprise. Auditors should vary their procedures and scopes from year to year, and surprise procedures should be conducted throughout the year as well as during the audit. More time needs to be spent on assessing high-risk areas where fraud could be committed at the company.
  • Inexperienced auditors should be provided with better training and supervision that includes actual experience in the field.
  • Along with complying with professional standards, auditors can conduct fraud examinations for transactions/controls where the level of risk is significant.
  • Auditors can play a key role in developing a system of fraud indicators, so that suspicious activities are flagged and investigated.
  • Auditors should exercise professional skepticism when considering the risk of fraud. External auditors in particular must conduct their work with a mindset that recognises the possibility that a material misstatement due to fraud could be present, regardless of any past experience with the company and the auditor’s belief about management’s integrity. Auditors should never be satisfied with less-than-persuasive evidence because of a belief that management is honest.
  • Finally, internal auditors should be concerned with violations of the organisation’s policies and procedures even when they do not involve fraud.

Fraud in the APAC Region

In this period of economic uncertainty and heightening regulations, efforts are being undertaken to detect red flags within the APAC region. The ACFE identified areas related to fraud in its “Report to the Nations – Asia Pacific Edition.” Highlighted below are some findings from that report:

  • The median loss caused by a fraud incident in APAC is US$236,000, and the median duration of a fraud scheme is 18 months.
  • In terms of percentages globally, asset misappropriation (89%) is the most common fraud incident; however, in the APAC region, corruption (51%) is the most common incident. In monetary terms, financial statement fraud leads the way, with a median loss of US$236,000.
  • The role of audit in fraud detection is not so different in Asia-Pacific organisations compared to the rest of the world. Internal audit is the second most common fraud detection avenue, with 15% of fraud cases initially being detected by independent auditors.
  • External audit is not as effective, detecting only 4% of fraud cases.
  • In terms of victim organisations, private companies incur more monetary losses compared to public companies, and entities with fewer than 100 employees are sometimes at greater risk of fraud.
  • The manufacturing industry is by far the largest industry impacted by fraud in the Asia-Pacific region, with 17% of cases identified and the highest median loss of US$500,000. The financial services sector and government agencies were the second and third most impacted, respectively.
  • Companies in the Asia-Pacific region rely significantly on audit as an anti-fraud control. External audit of financial statements is considered an anti-fraud control in 93% of cases, while in 80% of cases companies relied on their internal audit department to prevent fraud.
  • External audit of internal controls over financial reporting systems was identified as reducing incidents of fraud in 28% of cases, and assisting in faster detection of fraud in 38% of the cases.
  • Formal fraud risk assessments can decrease the probability of fraud in 34% of cases and lead to faster detection of fraud in 17% of cases.

These are specific and informative findings. APAC entities need to be cognisant of the risk of a fraud occurring within their environment and ensure that appropriate controls are in place to mitigate the likelihood of a fraud or corruption event. This assertion applies to companies in other regions as well.
