Backdoor Payroll Theft of Withholdings

This relatively unknown fraud can be dangerous

The Theft

Gertrude, the payroll clerk, intentionally overpays state withholding taxes by $25,000. She then amends her own W-2 so that it includes the excess payment (the $25,000 is added to her state withholding total). Once Gertrude files her personal state tax return, she receives an extra $25,000. In effect, she is using the state government as a funnel for theft.

In this business, Gertrude processes payroll, files all related payroll tax reporting information, makes payroll withholding payments and records payroll entries in the general ledger—not uncommon in a smaller organization. Also, no second person reviews the W-2s before mailing.

The Weakness

One person is performing all payroll functions, so her actions are not visible to anyone else. Also, no second person–in addition to Gertrude–is reviewing the W-2s before filing.

The Fix

Have someone outside the payroll department review and mail the W-2s. (If the W-2s are returned to the payroll clerk, she could change them.)
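A reviewer outside payroll can support the W-2 review with a reconciliation of the numbers the scheme has to distort. The sketch below is an added example, not part of the original article; the names, dates and amounts are constructed, and it assumes the reviewer pulls the payroll register, the W-2 state withholding totals and the state remittance history independently of the payroll clerk.

```python
from collections import defaultdict
from decimal import Decimal

# Constructed sample data (not from the article).
# Payroll register rows: (employee, pay date, state tax withheld from the paycheck)
PAYROLL_REGISTER = [
    ("Gertrude", "2016-06-30", "400.00"),
    ("Gertrude", "2016-12-31", "400.00"),
    ("Harold", "2016-06-30", "650.00"),
    ("Harold", "2016-12-31", "650.00"),
    ("Ines", "2016-06-30", "520.00"),
    ("Ines", "2016-12-31", "520.00"),
]
# State income tax withheld as printed on each W-2
W2_STATE_WITHHOLDING = {
    "Gertrude": "25800.00",  # register total plus the $25,000 overpayment
    "Harold": "1300.00",
    "Ines": "1040.00",
}
# Payments actually sent to the state revenue department: (date, amount)
STATE_REMITTANCES = [("2016-07-15", "1570.00"), ("2017-01-15", "26570.00")]


def withheld_by_employee(register):
    """Sum the state tax actually withheld from each employee's paychecks."""
    totals = defaultdict(Decimal)
    for employee, _pay_date, withheld in register:
        totals[employee] += Decimal(withheld)
    return dict(totals)


def w2_exceptions(register, w2s, tolerance=Decimal("0.00")):
    """Return employees whose W-2 state withholding differs from the register.

    Each exception is (employee, register total, W-2 total, difference).
    Employees present in only one source are reported too.
    """
    register_totals = withheld_by_employee(register)
    exceptions = []
    for employee in sorted(set(register_totals) | set(w2s)):
        from_register = register_totals.get(employee, Decimal("0"))
        on_w2 = Decimal(w2s.get(employee, "0"))
        if abs(on_w2 - from_register) > tolerance:
            exceptions.append((employee, from_register, on_w2, on_w2 - from_register))
    return exceptions


def remittance_excess(register, remittances):
    """Amount remitted to the state beyond what was withheld from paychecks."""
    withheld = sum(withheld_by_employee(register).values(), Decimal("0"))
    remitted = sum((Decimal(amount) for _date, amount in remittances), Decimal("0"))
    return remitted - withheld


if __name__ == "__main__":
    for employee, reg, w2, diff in w2_exceptions(PAYROLL_REGISTER, W2_STATE_WITHHOLDING):
        print(f"{employee}: register {reg}, W-2 {w2}, difference {diff}")
    print("Remitted over withheld:", remittance_excess(PAYROLL_REGISTER, STATE_REMITTANCES))
```

An overpayment that matches a single employee's W-2 difference is the pattern described above; either check alone only shows that something is out of balance.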

Key Fraud Survey Insights from the ACFE’s 2016 Report to the Nation

You can only stop fraud when you know how it occurs

If you are to prevent fraud, you must first know how it occurs. Every two years the Association of Certified Fraud Examiners issues its fraud survey titled Report to the Nation. Below you’ll see key fraud survey insights from the 2016 study.

Key Fraud Survey Insights

  • A typical organization loses 5% of revenues in a given year as a result of fraud
  • The median loss for all cases was $150,000
  • 23% of the cases involved losses of more than $1 million
  • Asset misappropriation occurred in more than 83% of cases
  • Of the asset misappropriation cases, billing schemes and check tampering schemes pose the greatest risk
  • The median duration of the frauds was 18 months
  • Schemes that lasted more than five years caused a median loss of $850,000
  • In 94.5% of the cases, the perpetrator took some efforts to conceal the fraud (usually creating or altering documents)
  • 39% of the cases were detected by tips
  • Whistleblowers are most likely to report fraud to their direct supervisors (20.6% of cases) or company executives (18%)
  • Approximately two-thirds of the cases targeted privately held or publicly owned companies
  • Corruption is more prevalent in larger organizations
  • Check tampering, skimming, payroll, and cash larceny schemes are twice as common in small organizations when compared to larger organizations
  • Fraud is most prevalent in the following industries: banks, governments, and manufacturing
  • The presence of anti-fraud controls correlates with both lower fraud losses and quicker detection (33% to 50% more quickly)
  • The most prominent weakness is a lack of internal controls (cited in 29.3% of cases)
  • The perpetrator’s level of authority is strongly correlated with the size of the fraud
  • More occupational frauds originate in the accounting department (16.6%) than in any other business unit
  • The more individuals involved in an occupational fraud scheme (collusion), the higher the losses tend to be
  • For schemes with five or more perpetrators, the median loss was $633,000
  • One of the more common red flags was that the fraudster was living beyond his or her means
  • Only 5.2% of perpetrators had previously been convicted of a fraud-related offense
  • In 40.7% of cases, the victim organizations decided not to refer their fraud cases to law enforcement

How to Lessen Segregation of Duties Problems in Two Easy Steps

Fraud prevention in two easy steps

Darkness is the environment of wrongdoing.

Why?

No one will see us–or so we think.

As you’ve seen many times, fraud occurs in darkness.

In J.R.R. Tolkien’s Hobbit stories, Sméagol, a young man, murders another to possess a golden ring, beautiful in appearance but destructive in nature. The possession of the ring and Sméagol’s hiding of self and his precious (the ring) transform him into a hideous creature–Gollum. I know of no better or more graphic portrayal of how that which is alluring in the beginning is destructive in the end.

Fraud opportunities have those same properties: they are alluring and harmful. And, yes, darkness is the environment of theft. What’s the solution? Transparency. It protects businesses, governments, and nonprofits. And while we desire open and understandable processes, often businesses have just a few employees that operate the accounting system. And many times they alone understand how it works.

It is desirable to divide accounting duties among various employees, so no one person controls the entire process. This division of responsibility creates transparency since multiple eyes see the accounting processes–but this is not always possible.

Lacking Segregation of Duties

Many small organizations lack appropriate segregation of duties and believe that solutions do not exist or that fixing the problem is too costly. But is this true? Can we create greater transparency and safety with simple procedures and without significant cost?

Yes.

Below I propose two processes to reduce fraud:

  1. Bank account transparency and
  2. Surprise audits.

1. Bank Account Transparency

Here’s a simple and economical control: Provide all bank statements to someone other than the bookkeeper. Allow this second person to receive the bank statements before the bookkeeper. While no silver bullet, it has power.

Persons who might receive the bank statements first (before the bookkeeper) include the following:

  • A nonprofit board member
  • The mayor of a small city
  • The owner of a small business
  • The library director
  • A church leader

What is the receiver of the bank statements to do? Merely open the bank statements and review the contents for appropriateness (mainly cleared checks).

In many small entities, accounting processes are a mystery to board members or owners since only one person (the bookkeeper) understands the disbursement process, the recording of journal entries, billing and collections, and payroll.

One set of eyes on an accounting process is not a good thing. So how can we shine the light?

Second Person Sees the Bank Statements

Allow a second person to see the bank statements.

Fraud decreases when the bookkeeper knows someone is watching. Suppose the bookkeeper desires to write a check to himself but realizes that a board member will see the cleared check. Is this a deterrent? You bet.

Don’t want to send the bank statements to a second person? Request that the bank provide read-only online access to the second person, and let the bookkeeper know that the other person will review bank activity.

Even the appearance of transparency creates (some) safety.

Suppose the second person reviewer opens the bank statements (before providing them to the bookkeeper) and does nothing else. The perception of reviews enhances safety. I am not recommending that you don’t perform the review, but if the bookkeeper even thinks someone is watching, fraud will lessen.

2. Surprise Audits

Another way to create small-entity transparency is to perform surprise audits. These reviews are not opinion audits (such as those issued by CPAs) but involve random inspections of various areas such as viewing all checks clearing the May bank statement. Such a review can be contracted out to a CPA or performed by someone other than the bookkeeper–such as a board member.

Adopt a written policy stating that the surprise inspections will occur once or twice a year.

The policy could be as simple as the following:

Twice a year a board member (or designee other than the bookkeeper) will inspect the accounting system and related documents. The scope and details of the inspection will be at the judgment of the board member (or designee). An inspection report will be provided to the board.

Why word the policy this way? You want to make the system general enough that the bookkeeper has no idea what will be inspected but distinct enough that an actual review occurs with regularity (thus the need to specify the minimum number of times the review will be performed).

Sample Inspection Ideas

Here are some sample inspection ideas:

  • Inspect all cleared checks that clear a particular month for appropriate payees and signatures and endorsements
  • Agree all receipts to the deposit slip for three different time periods
  • Review all journal entries made in a two week period and request an explanation for each
  • Review two bank reconciliations for appropriateness
  • Review one monthly budget to actual report (to see that the report was appropriately created)
  • Request a report of all new vendors added in the last six months and review for appropriateness

The reviewer may not perform all of the procedures and can perform just one. What is done is not as important as the fact that something is done. In other words, the primary purpose of the surprise audit is to make the bookkeeper think twice about whether he or she can steal and not be caught.

Again, multiple people seeing the accounting processes reduces the threat of fraud.

Shine the Light

The beauty of these two procedures (bank account transparency and surprise audits) is they are straightforward and cheap to implement but nevertheless powerful. So shine the light.

What other procedures do you recommend for small entities?

For more information about preventing fraud, check out my book: The Little Book of Local Government Fraud Prevention.

Disbursement Fraud Audit Tests: Five Powerful But Simple Ideas

Here are five fraud tests you can use on your audits

You are leading the audit team discussion concerning disbursements, and a staff member asks, “Why don’t we ever perform fraud tests? It seems like we never introduce elements of unpredictability.”

You respond by saying, “Yes, I know the audit standards require unpredictable tests, but I’m not sure what else to do. Any fresh ideas?”

The staff member sheepishly responds, “I’m not sure.” 

You remember a blog post addressing how fraud can sting auditors, and you think, “What can we do?”

Five Disbursement Fraud Tests

Here are five disbursement fraud tests that you can perform on most any audit.

1. Test for duplicate payments

Why test?

Theft may occur as the accounts payable clerk generates the same check twice, stealing and converting the second check to cash. The second check may be created in a separate check batch, a week or two later. This threat increases if (1) checks are signed electronically or (2) the check-signer commonly does not examine supporting documentation and the payee name.

How to test?

Obtain a download of the full check register in Excel. Sort by dollar amount and vendor name. Then investigate same-dollar payments with same-vendor names above a certain threshold (e.g., $25,000).

2. Review the accounts payable vendor file for similar names

Why test?

Fictitious vendor names may mimic real vendor names (e.g., ABC Company is the real vendor name while the fictitious name is ABC Co.). Additionally, the home address of the accounts payable clerk is assigned to the fake vendor (alternatively, P.O. boxes may be used).

The check-signer will not recognize the payee name as fictitious.

How to test?

Obtain a download of all vendor names in Excel. Sort by name and visually compare any vendors with similar names. Investigate any near-matches.

3. Check for fictitious vendors

Why test?

The accounts payable clerk may add a fictitious vendor (one in which no similar vendor name exists, as we saw in the preceding example).

The fictitious vendor address? You guessed it: the clerk’s home address (or P.O. Box).

Pay particular attention to new vendors that provide services (e.g., consulting) rather than physical products (e.g., inventory). Physical products leave audit trails; services, less so.

How to test?

Obtain a download in Excel of new vendors and their addresses for a period of time (e.g., month or quarter). Google the businesses to check for validity; if necessary, call the vendor. Or ask someone familiar with vendors to review the list (preferably someone without vendor set-up capabilities).

4. Compare vendor and payroll addresses

Why test?

Those with vendor-setup ability can create fictitious vendors associated with their own home address. If you compare all addresses in the vendor file with addresses in the payroll file, you may find a match. (Careful – sometimes the match is legitimate, such as travel checks being processed through accounts payable.) Investigate any suspicious matches.

How to test?

Obtain a download in Excel of (1) vendor names and addresses and (2) payroll names and addresses. Merge the two files; sort the addresses and visually inspect for matches.

5. Scan all checks for proper signatures and payees

Why test?

Fraudsters will forge signatures or complete checks with improper payees such as themselves.

How to test?

Pick a period of time (e.g., two months), obtain the related bank statements, and scan the checks for appropriate signatures and payees. Also, consider scanning endorsements (if available).
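Tests 1, 2 and 4 above rely on sorting and visual comparison, which gets unreliable as the files grow. The script below is an added example, not part of the original post, that performs the same three comparisons on constructed rows standing in for the Excel downloads; the suffix list, address abbreviations and 0.85 similarity cut-off are assumptions to tune for your own data.

```python
import re
from collections import defaultdict
from decimal import Decimal
from difflib import SequenceMatcher
from itertools import combinations

# Constructed sample rows standing in for the Excel downloads.
CHECK_REGISTER = [  # (check number, date, vendor, amount)
    ("1001", "2017-03-02", "ABC Company", "31250.00"),
    ("1002", "2017-03-02", "Delta Paving", "48000.00"),
    ("1017", "2017-03-16", "ABC Company", "31250.00"),  # same payee and amount, later batch
    ("1020", "2017-03-16", "Office Mart", "180.00"),
    ("1031", "2017-03-30", "Office Mart", "180.00"),    # repeat, but below the threshold
]
VENDORS = [  # (vendor name, address)
    ("ABC Company", "100 Main Street, Suite 4"),
    ("ABC Co.", "P.O. Box 77"),
    ("Delta Paving", "9 Quarry Road"),
    ("Office Mart", "12 Elm St."),
    ("Lakeside Consulting", "415 Oak Avenue"),
]
EMPLOYEES = [  # (employee name, home address from the payroll file)
    ("Pat Doe", "415 Oak Ave"),
    ("Sam Roe", "22 Pine Drive"),
]

# Assumed normalisation tables; extend them to fit the data being tested.
NAME_NOISE = {"company", "co", "corp", "corporation", "inc", "llc", "ltd"}
ADDRESS_ABBREVIATIONS = {"street": "st", "avenue": "ave", "road": "rd",
                         "drive": "dr", "suite": "ste"}


def _tokens(text):
    """Lowercase, drop periods, turn other punctuation into spaces, split."""
    text = text.lower().replace(".", "")
    return re.sub(r"[^a-z0-9 ]", " ", text).split()


def normalize_name(name):
    """Strip legal suffixes so 'ABC Company' and 'ABC Co.' compare equal."""
    kept = [t for t in _tokens(name) if t not in NAME_NOISE]
    return " ".join(kept or _tokens(name))  # keep the name if it was all suffixes


def normalize_address(address):
    """Collapse common abbreviations so 'Oak Avenue' matches 'Oak Ave'."""
    return " ".join(ADDRESS_ABBREVIATIONS.get(t, t) for t in _tokens(address))


def duplicate_payments(register, threshold=Decimal("25000")):
    """Test 1: same vendor and same amount paid more than once, at or above threshold."""
    groups = defaultdict(list)
    for check_no, _date, vendor, amount in register:
        groups[(normalize_name(vendor), Decimal(amount))].append((check_no, vendor))
    return [(checks[0][1], amount, [number for number, _ in checks])
            for (_name, amount), checks in groups.items()
            if len(checks) > 1 and amount >= threshold]


def similar_vendor_names(vendors, min_ratio=0.85):
    """Test 2: vendor pairs whose normalised names are near-matches."""
    hits = []
    for (name_a, _), (name_b, _) in combinations(vendors, 2):
        ratio = SequenceMatcher(None, normalize_name(name_a),
                                normalize_name(name_b)).ratio()
        if ratio >= min_ratio:
            hits.append((name_a, name_b))
    return hits


def address_matches(vendors, employees):
    """Test 4: vendors whose address equals an employee's payroll address."""
    by_address = defaultdict(list)
    for employee, address in employees:
        by_address[normalize_address(address)].append(employee)
    return [(vendor, employee, key)
            for vendor, address in vendors
            for key in [normalize_address(address)]
            for employee in by_address.get(key, [])]


if __name__ == "__main__":
    print("Duplicate payments:", duplicate_payments(CHECK_REGISTER))
    print("Similar vendor names:", similar_vendor_names(VENDORS))
    print("Vendor/payroll address matches:", address_matches(VENDORS, EMPLOYEES))
```

Every hit is a lead to investigate rather than a finding; as noted in test 4, some address matches are legitimate.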

Your Ideas

Those are a few of my ideas. Please share yours.

My fraud book provides more insights into why fraud occurs, how to detect it, and–most importantly–how to prevent it. Check it out on Amazon by clicking here. The book focuses on local government fraud, but most of the information is equally applicable to small businesses.

Have you ever desired to become a fraud prevention champion? In this half-day course, we will peer into real-life governmental fraud cases and see how they occurred. You will leave the class with practical fraud prevention steps for any national, state or local government. The course location is the Capital Hilton Hotel in Washington DC.

Date: August 9, 2017
Time: 8:00-11:35 a.m.
Event: Charles Hall Speaking at AICPA Governmental Accounting and Auditing Update Conference
Topic: How to Become a Super Fraud-Prevention Champion
Sponsor: AICPA
Public: Public
Registration: Click here to register.

The Balance Sheet Audit Approach: Slaying a Sacred Cow

Why the risk based audit approach is better

Sacred cows make great steaks. Richard Nicolosi.

Risk-based audit standards have existed for years, but I still see a resistance to risk assessment procedures. Why? A reliance on the traditional balance sheet audit approach. I think many auditors prefer testing a bank reconciliation (ticking off each cleared transaction) to interviewing the company’s CFO. They enjoy the certainty of vouching payables (yep, the invoice agrees with the payable detail) and disdain the difficulty of walking a transaction through the accounting system. Regardless, many CPA firms struggle to slay the sacred cow of balance sheet audits.

What is a Balance Sheet Audit?

So what is a balance sheet audit approach?

It’s the examination of period-end balance sheet totals (the results of accounting processes) rather than the accounting processes themselves. For example, the auditor might confirm receivables and not perform a walkthrough of billing and collections. The balance sheet audit approach lacks any significant focus on the income statement.

While it is true that nailing down (or “beating up”) the balance sheet provides helpful audit evidence, there are some downsides.

The Downside of Balance Sheet Audits

So what are the weaknesses of a balance sheet audit approach?

First, the balance sheet approach does not address the income statement. Consequently, income statement line items may be misclassified (e.g., expenses netted with revenues). If the balance sheet is correct, net income (the result of revenues and expenses) is correct. But revenues and expenses can still be misclassified. (I once saw grant revenue of $300,000 netted with related grant expenses resulting in a $0 impact to revenues and expenses.)

Secondly, and more importantly, the balance sheet audit method does not address the possibility of theft (and some forms of fraudulent reporting of revenues and expenses). Sure we can confirm cash and reconcile the balance to the general ledger. So what? If someone steals $1 million in cash receipts (or $10 million or whatever number you want to use), the balance sheet approach may not address the risk of theft.

The same is true if the CFO steals money by cutting checks to himself (or to fictitious vendors). The accounts payable balance can be reconciled to a detail, and a search for unrecorded liabilities can be performed–typical balance sheet audit steps–but these procedures don’t address theft.

Finally, audit standards require walkthroughs, fraud inquiries, planning analytics, and an understanding of the business. Without these steps, we cannot truly understand audit risks that lie hidden in accounting processes.

The Upside of Risk-Based Audits

I still believe that auditors can save time using a risk-based audit approach.

Understanding the business and its processes requires time, but doing so can lead to a leaner audit. You can decrease some substantive procedures when you know where your risks are. We can also mitigate audit risk (because we know what the risks are).

And this is the beauty and logic of risk-based audits. We determine where the risks are, and then we perform procedures to address those risks. We cease to blindly focus on the balance sheet. 

Less time, less risk.

Sounds good to me–but slaying a sacred cow is necessary. I like my steaks medium rare. How about you?

Agree or disagree? Please let me know.

Wire Transfer Theft: How to Prevent It

How to steal $6.9 million in less than an hour

In one of the easiest thefts I’ve read about, a nonprofit administrative officer wired $6.9 million from an Ohio bank account to another account in Austria. The wire transfer originated with the fax of a letter (which took less than an hour to create). Since the officer was authorized to make wire transfers, no one at the bank questioned the transaction–until it was too late. The fraudster landed in Austria, called his wife and said, “I’m not coming home.” Interestingly, the wife called the police and turned her husband in; he later came back to the States of his own volition (after his wife gave him an earful). He went to jail. I guess, after a few boat rides down the Danube, he missed his family.

Wire Transfer Theft is Easy

It’s easy for an accounting clerk (or other authorized company official) to wire funds and to cover their tracks with a journal entry – too easy in many cases. If a company accountant or official has the ability to (1) wire funds by himself and (2) make journal entries without a second-person review, then the organization has left the fraud door wide open. Such a situation is not uncommon in small businesses, nonprofits and governments.

As you think about wire transfers, consider that they can be originated with a fax, a phone call, a personal visit to the bank, or a computer. Determine how your bank handles wire transfers and craft your internal controls based on those dynamics.

Wire Transfer Internal Controls

Organizations should do the following to mitigate wire transfer fraud:

  1. Require the bank to limit daily wire transfer amounts (e.g., $25,000 per day for each employee)
  2. Require two persons to consummate all wire transfers to external parties (the most important control in my opinion)
  3. If the wire transfer request is by phone or by fax, require the bank to call your organization back before the wire transfer is consummated
  4. The bank should require the use of unique passwords to access wire-transfer software; consider using a bank that provides bank token keys (small hand-held devices that generate unique identification numbers; these numbers are keyed into the bank software as a part of the transfer request)
  5. Restrict the bank accounts from which a wire transfer can be made (the organization may want to limit external wire transfers to just one bank account)
  6. Restrict certain bank accounts so that wire transfers can only be made to other bank accounts of the organization (e.g., transfer from operating bank account to payroll bank account)
  7. Have someone peruse the daily bank account activity (using online access); at a minimum, reconcile bank statements in a timely fashion (large organizations should consider reconciling bank accounts more frequently than once a month; some reconcile daily)
  8. Require sufficient documentation for all wire transfer journal entries; require a second-person review of these journal entries
  9. Consider using a dedicated computer for all wire transfers; do not use this computer for any other purpose (malware is often picked up by computers as they visit Internet websites)
  10. Use all bank-provided wire transfer controls
  11. Any transactions over a certain high dollar amount (e.g., $50,000) must have the approval of the business owner/CEO

Use Fraud Prevention Controls Offered by Banks

Not using controls offered by banks may make your organization liable should funds be stolen by hackers. One company sued its bank when hackers took $440,000 from its bank account with a wire transfer; the judge ruled against the company because it had opted out of control procedures offered by the bank. Also make sure your company uses appropriate firewall and antivirus protection.

Closing Words

If one person can make external wire transfers and journal entries to record those transactions, you have the makings of wire fraud–soon you may see that employee on Facebook, riding down the old Danube.

Video from Gary Zeune

You can see a news video about the nonprofit fraud mentioned above at Gary Zeune’s website: The Pros and The Cons. (If you have not heard Gary speak about fraud, you should do so. He does a great job.)

The AICPA Consulting Standards: Another Arrow in Your Quiver

Many CPAs don't know that these standards exist, but they can be quite helpful

I find that many CPAs aren’t aware of the AICPA Consulting Standards. So, here’s a post about them.

Are you ever asked to perform an atypical engagement (e.g., creating a schedule of water losses for a city)–and then you wonder “what professional standards should I follow?”

Audit standards? No, you’re not opining on anything.

Maybe the compilation and review standards? No, a schedule is not a financial statement.

How about agreed upon procedures? Well, no again–AUPs normally include tests and conclusions.

We need another arrow in our quiver!

Most CPAs are familiar with compilation and review standards (Statement on Standards for Accounting and Review Services – SSARS) and audit standards (Statement on Auditing Standards – SAS) and even attestation standards (Statement on Standards for Attestation Engagements – SSAEs – commonly used for agreed upon procedures), but many are not familiar with the consulting standards (Statement on Standards for Consulting Services – SSCS).

Why?

I’m not really sure. But I seldom see consulting standard CPE classes. Yet many services are subject to this guidance.

AICPA Consulting Standards Primer

You might call the AICPA Consulting Standards the CPA’s Swiss Army knife.

What services fall under the consulting standards?

The consulting standards specifically address six areas:

  1. Consultations – e.g., reviewing a business plan
  2. Advisory services – e.g., assistance with strategic planning
  3. Implementation services – e.g., assistance with a merger
  4. Transaction services – e.g., litigation services
  5. Staff and other support services – e.g., controllership services
  6. Product services – e.g., providing packaged training services

CPAs often provide consulting services such as the following:

  • Consultations with regard to complex transactions
  • Fraud investigation services
  • Internal control services
  • Bankruptcy services
  • Divorce settlement services
  • Controllership services
  • Business plan preparation
  • Cash management
  • Software selection
  • Business disposition planning

When can I use the consulting standards?

Usually when the information will not be provided to a third party.

When performing work under the consulting standards, you are not attesting (providing comfort) on the work performed. Usually, you need to follow the SASs, SSARS, or SSAEs if you are attesting (providing comfort to an outside party).

Characteristics of a Consulting Engagement

  • Generally nonrecurring
  • Requires a CPA with specialized knowledge and skills
  • More interaction with client
  • Generally performed for the client (usually, no third party sees the information)

Consulting Work Paper Requirements

Consulting work paper requirements are minimal. Nevertheless, documentation is always wise.

The understanding with the client can be oral or in writing (I recommend the latter).

The consulting standards do not require the CPA to prepare work papers, but you should do so anyway – the work papers are the link between your work and your report. Also the general standards of the profession, contained in the AICPA Code of Professional Conduct, apply to all services performed by members. The general standards state:

Sufficient Relevant Data. Obtain sufficient relevant data to afford a reasonable basis for conclusions or recommendations in relation to any professional services performed.

Consulting Reports

The report content and format are up to you and your client.

No Opinion or Accountant’s Report

For consulting engagements, the CPA does not issue an opinion or any other attestation report (e.g., accountant’s report on agreed-upon procedures).

Subject to Peer Review?

Are products created using the Consulting Standards subject to peer review? No.

Where Can I Find the AICPA Consulting Standards?

You can see the consulting standards here.

The Little Book of Local Government Fraud Prevention

Whether your government is small or large, this book provides guidance in reducing theft

Do you desire to fight fraud in governments? Or maybe you are just curious about how fraudsters get away with their wily schemes. See my book The Little Book of Local Government Fraud Prevention. You can purchase it on Amazon as a paperback. Also, the ebook is available as a Kindle download.

Fraud occurs in local governments in a multitude of ways, yet many cities, counties, school systems, authorities, and other public entities are ill-prepared to prevent or detect its occurrence. Why is this so? Some governments place too much reliance on annual audits as a cure-all, but clean audit opinions don’t mean that fraud is not occurring. And some governments fail to understand how vulnerable they are–until it’s too late.

Why is local government fraud so common? Many small governments don’t have a sufficient number of employees to segregate accounting duties. It is also these smaller governments that place too much trust in their accounting personnel. This combination of a lack of segregation of duties and too much trust in key employees often leads to significant losses from theft.

The Little Book of Local Government Fraud Prevention provides several real-life stories of fraud. The stories will inform you about how local government employees steal. Then I provide you with prevention techniques to assist you in mitigating fraud risks. In one story, for example, the book shows how a single municipal employee stole over $53 million, all from a city of just 16,000 citizens.

If you audit governments, you will find this book helpful in pinpointing common areas where governmental fraud occurs. The book also includes fraud audit checklists and fraud detection procedures. Whether you are an internal or external auditor, you will find fresh ideas for prevention and detection.

The Little Book of Local Government Fraud Prevention will assist you if you are a:

1. Local government accounting employee
2. Local government elected official
3. Local government auditor
4. Local government attorney
5. Certified Public Accountant
6. Certified Fraud Examiner

Even if you don’t work with governments, you’ll find this book useful. I provide fraud prevention steps for transaction cycles such as billing and collections, payables and expenses, payroll, and capital assets.

Together we can bring down the risk of fraud and corruption in our local governments. Come join the team. We’ll all be better for it.

If you don’t desire to spend money on the book, here’s a free list of controls.

The What and Why of Auditing: The Auditor’s Responsibility for Fraud

What is an auditor's responsibility for fraud in a financial statement audit?

What is an auditor’s responsibility for fraud in a financial statement audit? Today, I’ll answer that question. Let’s take a look at the following:

  • Auditor’s responsibility for fraud
  • Turning a blind eye to fraud
  • Signs of auditor disregard for fraud
  • Incentives for fraud
  • Discovering fraud opportunities
  • Inquiries required by audit standards
  • The accounting story and big bad wolves
  • Documenting control weaknesses
  • Brainstorming and planning your response to fraud risk 

Auditor’s Responsibility for Fraud

I still hear auditors say, “We are not responsible for fraud.” But are we not? We know that the detection of material misstatements—whether caused by error or fraud—is the heart and soul of an audit. So writing off our responsibility for fraud is not an option. But auditors often turn a blind eye to it.

Turning a Blind Eye to Fraud

Why do auditors not perceive fraud risks? 

Here are a few reasons:

  • We don’t understand fraud, so we avoid it
  • We don’t know how to look for control weaknesses
  • We believe that auditing the balance sheet is enough

Think of these reasons as an attitude—a poor one—regarding fraud. This disposition manifests itself—in the audit file—with signs of disregard for fraud.

Signs of Auditor Disregard for Fraud

A disregard for fraud appears in the following ways:

  • Asking just one or two questions about fraud
  • Limiting our inquiries to as few people as possible (maybe even just one)
  • Discounting the potential effects of fraud (even after known theft occurs)
  • Walkthroughs are not performed
  • We don’t conduct brainstorming sessions, and we window-dress the related documentation
  • Our files reflect no responses to brainstorming and risk assessment procedures
  • Our files contain vague responses to the brainstorming and risk assessment (e.g., “no means for fraud to occur; see standard audit program” or “company employees are ethical; extended procedures are not needed”)
  • The audit program doesn’t change though new control weaknesses are noted

In effect, auditors—at least some—dismiss the possibility of fraud, relying on a balance sheet approach.

So how can we understand fraud risks and respond to them? First, let’s look at fraud incentives.

Incentives for Fraud

The reasons for theft vary by each organization, depending on the dynamics of the business and people who work there. Fraudsters can enrich themselves indirectly (by cooking the books) or directly (by stealing).

Fraud comes in two flavors:

  1. Cooking the books (intentionally altering numbers)
  2. Theft

Cooking the Books

Start your fraud risk assessment process by asking, “Are there any incentives to manipulate the financial statement numbers?” For example, does the company provide bonuses or promote employees based on profit or other metrics? If yes, an employee can indirectly steal by playing with the numbers. Think about it. The chief financial officer can inflate profits with just one journal entry—not hard to do. While false financial statements are a threat, the more common fraud is theft.

Theft

If employees don’t receive compensation for reaching certain financial targets, they may enrich themselves directly through theft. But employees can only steal if the opportunity is present. And where does opportunity come from? Weak internal controls. So, it’s imperative that auditors understand the accounting system and—more importantly—related controls. 

Discovering Fraud Opportunities

My go-to procedure in gaining an understanding of the accounting system and controls is walkthroughs.  Since accounting systems are varied, and there are no “forms” (practice aids) that capture all processes, walkthroughs can be challenging. So, we may have to “roll up our sleeves,” and “get in the trenches”—but the level of the challenge depends on the complexity of the business.

For most small businesses, performing a walkthrough is not that hard. Pick a transaction cycle; start at the beginning and follow the transaction to the end. Ask questions and note who does what. Inspect the related documents. As you do, ask yourself two questions:

  1. What can go wrong?
  2. Will existing control weaknesses allow material misstatements?

In more complex companies, break the transaction cycle into pieces. You know the old question, “How do you eat an elephant?” And the answer, “One bite at a time.” So, the process for understanding a smaller company works for a larger one. You just have to break it down—and allow more time.

Discovering fraud opportunities requires the use of risk assessment procedures such as observations of controls, inspections of documents and inquiries. Of the three, the more commonly used is inquiries.

Inquiries Required by Audit Standards

Audit Standards (AU-C 240) state that we should inquire of management regarding:

  • Management’s assessment of the risk that the financial statements may be materially misstated due to fraud, including the nature, extent, and frequency of such assessments
  • Management’s process for identifying, responding to, and monitoring the risks of fraud in the entity, including any specific risks of fraud that management has identified or that have been brought to its attention, or classes of transactions, account balances, or disclosures for which a risk of fraud is likely to exist
  • Management’s communication, if any, to those charged with governance regarding its processes for identifying and responding to the risks of fraud in the entity
  • Management’s communication, if any, to employees regarding its views on business practices and ethical behavior
  • The auditor should make inquiries of management, and others within the entity as appropriate, to determine whether they have knowledge of any actual, suspected, or alleged fraud affecting the entity
  • For those entities that have an internal audit function, the auditor should make inquiries of appropriate individuals within the internal audit function to obtain their views about the risks of fraud; determine whether they have knowledge of any actual, suspected, or alleged fraud affecting the entity; whether they have performed any procedures to identify or detect fraud during the year; and whether management has satisfactorily responded to any findings resulting from these procedures

Notice that AU-C 240 requires the auditor to ask management about its procedures for identifying and responding to the risk of fraud. If management has no method of detecting fraud, might this be an indicator of a control weakness? Yes. What are the roles of management and auditors regarding fraud?

  • Management develops control systems to lessen the risk of fraud. 
  • Auditors review the accounting system to see if fraud-prevention procedures are designed and operating appropriately.

So, the company creates the accounting system, and the auditor gains an understanding of the same. As auditors gain an understanding of the accounting system and controls, we are putting together the pieces of a story.

The Accounting Story and Big Bad Wolves

Think of the accounting system as a story. Our job is to understand the narrative of that story. As we (attempt to) describe the accounting system, we may find missing pieces. When we do, we’ll go back and ask more questions to make the story complete.

The purpose of writing the storyline is to identify any “big, bad wolves.”

The threats in our childhood stories were easy to recognize—the wolves were hard to miss. Not so in the walkthroughs. It is only in connecting the dots—the workflow and controls—that the wolves materialize. So, how long is the story? That depends on the size of the organization.

Scale your documentation. If the transaction cycle is simple, the documentation should be simple. If the cycle is complex, provide more details. By focusing on control weaknesses that allow material misstatements, you’ll avoid unneeded—and distracting—details.

Documenting Control Weaknesses

I summarize the internal control strengths and weaknesses within the description of the system and controls and highlight the wording “Control weakness.” For example:

Control weakness: The accounts payable clerk (Judy Jones) can add new vendors and can print checks with digital signatures. In effect, she can create a new vendor and have a check sent to that provider without anyone else’s involvement.

Highlighting weaknesses makes them more prominent. Then I can use the identified fraud opportunities to brainstorm about how theft might occur and to develop my responses to the threats.
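The "who does what" notes from a walkthrough can also be checked mechanically for this kind of weakness. The following is an added example, not the author's own practice aid; the duty names, the incompatible-pair rules and the payroll entries are assumptions constructed for illustration.

```python
from itertools import combinations

# Assumed rule set (constructed): duty pairs one person should not hold together.
INCOMPATIBLE = {
    frozenset({"add_vendor", "print_signed_check"}),
    frozenset({"process_payroll", "review_w2"}),
    frozenset({"process_payroll", "post_payroll_to_gl"}),
}

# Constructed walkthrough notes: who does what in each transaction cycle.
WALKTHROUGH = {
    "accounts_payable": {
        "Judy Jones": {"add_vendor", "enter_invoice", "print_signed_check"},
        "Controller": {"approve_invoice", "reconcile_bank"},
    },
    "payroll": {
        "Payroll clerk": {"process_payroll", "review_w2", "post_payroll_to_gl"},
    },
}

def find_conflicts(walkthrough, incompatible):
    """Return sorted (cycle, person, duty_a, duty_b) for each incompatible pair one person holds."""
    findings = []
    for cycle, people in walkthrough.items():
        for person, duties in people.items():
            for a, b in combinations(sorted(duties), 2):
                if frozenset({a, b}) in incompatible:
                    findings.append((cycle, person, a, b))
    return sorted(findings)

def single_person_cycles(walkthrough):
    """Cycles where one person performs every duty, so nobody else sees the work."""
    return sorted(c for c, people in walkthrough.items() if len(people) == 1)

def weakness_notes(walkthrough, incompatible):
    """Format findings in the 'Control weakness:' style used for file documentation."""
    notes = [f"Control weakness: {p} can {a} and {b} ({c}) without anyone else's involvement."
             .replace("_", " ")
             for c, p, a, b in find_conflicts(walkthrough, incompatible)]
    notes += [f"Control weakness: one person performs every {c} duty."
              for c in single_person_cycles(walkthrough)]
    return notes

if __name__ == "__main__":
    print("\n".join(weakness_notes(WALKTHROUGH, INCOMPATIBLE)))
```
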

Brainstorming and Planning Your Responses 

Now, you are ready to brainstorm about how fraud might occur and to plan your audit responses.

The risk assessment procedures—discussed above and in my prior post—provide the fodder for the brainstorming session.

Armed with knowledge about the company, the industry, fraud incentives, and the control weaknesses, we are ready to be creative. 

In what way are we to be creative? We think like a thief. By thinking like a fraudster, we unearth ways that stealing might occur. And why? So we can audit those possibilities. And this is the reason for the fraud risk assessment procedures in the first place.

What we discover in the risk assessment stage informs the audit plan—in other words, it has bearing upon the audit programs.

The Auditor’s Responsibility for Fraud

In conclusion, I started this post saying I’d answer the question, “What is an auditor’s responsibility for fraud?” Hopefully, you now have a better understanding of the fraud-related procedures we are to perform. But to understand the purpose of these procedures, look at the language in a standard audit opinion:

The procedures selected depend on the auditor’s judgment, including the assessment of the risks of material misstatement of the consolidated financial statements, whether due to fraud or error. In making those risk assessments, the auditor considers internal control relevant to the entity’s preparation and fair presentation of the consolidated financial statements in order to design audit procedures that are appropriate in the circumstances, but not for the purpose of expressing an opinion on the effectiveness of the entity’s internal control. Accordingly, we express no such opinion.

The purpose of fraud risk assessments is not to opine on internal control systems or to discover every fraud. It is to assist the auditor in determining where material misstatements—due to fraud—might occur.
