The Auditor’s Responsibility for Fraud: The Why and How Guide

What is an auditor's responsibility for fraud in a financial statement audit?

What is an auditor’s responsibility for fraud in a financial statement audit? Today, I’ll answer that question. Let’s take a look at the following:

  • Auditor’s responsibility for fraud
  • Turning a blind eye to fraud
  • Signs of auditor disregard for fraud
  • Incentives for fraud
  • Discovering fraud opportunities
  • Inquiries required by audit standards
  • The accounting story and big bad wolves
  • Documenting control weaknesses
  • Brainstorming and planning your response to fraud risk 
Auditor's Responsibility for Fraud

Picture is from AdobeStock.com

Auditor’s Responsibility for Fraud

I still hear auditors say, “We are not responsible for fraud.” But are we not? We know that the detection of material misstatements—whether caused by error or fraud—is the heart and soul of an audit. So writing off our responsibility for fraud is not an option. But auditors often turn a blind eye to it.

Turning a Blind Eye to Fraud

Why do auditors not perceive fraud risks? 

Here are a few reasons:

  • We don’t understand fraud, so we avoid it
  • We don’t know how to look for control weaknesses
  • We believe that auditing the balance sheet is enough

Think of these reasons as an attitudea poor one—regarding fraud. This disposition manifests itself—in the audit file—with signs of disregard for fraud.

Signs of Auditor Disregard for Fraud

A disregard for fraud appears in the following ways:

  • Asking just one or two questions about fraud
  • Limiting our inquiries to as few people as possible (maybe even just one)
  • Discounting the potential effects of fraud (after known theft occurs)
  • The auditor does not perform walkthroughs
  • We don’t conduct brainstorming sessions and window-dress related documentation
  • Our files reflect no responses to brainstorming and risk assessment procedures
  • Our files contain vague responses to the brainstorming and risk assessment (e.g., “no means for fraud to occur; see standard audit program” or “company employees are ethical; extended procedures are not needed”)
  • The audit program doesn’t change though control weaknesses are noted

In effect, auditors—at least some—dismiss the possibility of fraud, relying on a balance sheet approach.

So how can we understand fraud risks and respond to them? First, let’s look at fraud incentives.

Incentives for Fraud

The reasons for theft vary by each organization, depending on the dynamics of the business and people who work there. Fraudsters can enrich themselves indirectly (by cooking the books) or directly (by stealing).

Fraud comes in two flavors:

  1. Cooking the books (intentionally altering numbers)
  2. Theft

Cooking the Books

Start your fraud risk assessment process by asking, “Are there any incentives to manipulate the financial statement numbers.” For example, does the company provide bonuses or promote employees based on profit or other metrics? If yes, an employee can indirectly steal by playing with the numbers. Think about it. The chief financial officer can inflate profits with just one journal entry—not hard to do. While false financial statements is a threat, the more common fraud is theft.

Theft

If employees don’t receive compensation for reaching specific financial targets, they may enrich themselves directly through theft. But employees can only steal if the opportunity is present. And where does opportunity come from? Weak internal controls. So, it’s imperative that auditors understand the accounting system and—more importantly—related controls. 

Discovering Fraud Opportunities

My go-to procedure in gaining an understanding of the accounting system and controls is walkthroughs.  Since accounting systems are varied, and there are no “forms” (practice aids) that capture all processes, walkthroughs can be challenging. So, we may have to “roll up our sleeves,” and “get in the trenches”—but the level of the challenge depends on the complexity of the business.

For most small businesses, performing a walkthrough is not that hard. Pick a transaction cycle; start at the beginning and follow the transaction to the end. Ask questions and note who does what. Inspect the related documents. As you do, ask yourself two questions:

  1. What can go wrong?
  2. Will existing control weakness allow material misstatements?

In more complex companies, break the transaction cycle into pieces. You know the old question, “How do you eat an elephant?” And the answer, “One bite at a time.” So, the process for understanding a smaller company works for a larger one. You just have to break it down—and allow more time.

Discovering fraud opportunities requires the use of risk assessment procedures such as observations of controls, inspections of documents and inquiries. Of the three, the more commonly used is inquiries.

Inquiries Required by Audit Standards

Audit Standards (AU-C 240) state that we should inquire of management regarding:

  • Management’s assessment of the risk that the financial statements may be materially misstated due to fraud, including the nature, extent, and frequency of such assessments
  • Management’s process for identifying, responding to, and monitoring the risks of fraud in the entity, including any specific risks of fraud that management has identified or that have been brought to its attention, or classes of transactions, account balances, or disclosures for which a risk of fraud is likely to exist
  • Management’s communication, if any, to those charged with governance regarding its processes for identifying and responding to the risks of fraud in the entity
  • Management’s communication, if any, to employees regarding its views on business practices and ethical behavior
  • The auditor should make inquiries of management, and others within the entity as appropriate, to determine whether they have knowledge of any actual, suspected, or alleged fraud affecting the entity
  • For those entities that have an internal audit function, the auditor should make inquiries of appropriate individuals within the internal audit function to obtain their views about the risks of fraud; determine whether they have knowledge of any actual, suspected, or alleged fraud affecting the entity; whether they have performed any procedures to identify or detect fraud during the year; and whether management has satisfactorily responded to any findings resulting from these procedures

Notice that AU-C 240 requires the auditor to ask management about its procedures for identifying and responding to the risk of fraud. If management has no method of detecting fraud, might this be an indicator of a control weakness? Yes. What are the roles of management and auditors regarding fraud?

  • Management develops control systems to lessen the risk of fraud. 
  • Auditors review the accounting system to see if fraud-prevention procedures are designed and operating appropriately.

So, the company creates the accounting system, and the auditor gains an understanding of the same. As auditors gain an understanding of the accounting system and controls, we are putting together the pieces of a story.

The Accounting Story and Big Bad Wolves

Think of the accounting system as a story. Our job is to understand the narrative of that story. As we (attempt to) describe the accounting system, we may find missing pieces. When we do, we’ll go back and ask more questions to make the story complete.

The purpose of writing the storyline is to identify any “big, bad wolves.”

Auditor's Responsibility for Fraud

Picture is from AdobeStock.com

The threats in our childhood stories were easy to recognize—the wolves were hard to miss. Not so in the walkthroughs. It is only in connecting the dots—the workflow and controls—that the wolves materialize. So, how long is the story? That depends on the size of the organization.

Scale your documentation. If the transaction cycle is simple, the documentation should be simple. If the cycle is complex, provide more details. By focusing on control weaknesses that allow material misstatements, you’ll avoid unneeded—and distracting—details.

Documenting Control Weaknesses

I summarize the internal control strengths and weaknesses within the description of the system and controls and highlight the wording “Control weakness.” For example:

Control weakness: The accounts payable clerk (Judy Jones) can add new vendors and can print checks with digital signatures. If effect, she can create a new vendor and have a check sent to that provider without anyone else’s involvement.

Highlighting weaknesses makes them more prominent. Then I can use the identified fraud opportunities to brainstorm about how theft might occur and to develop my responses to the threats.

Brainstorming and Planning Your Responses 

Now, you are ready to brainstorm about how fraud might occur and to plan your audit responses.

The risk assessment procedures—discussed above and in my prior postprovide the fodder for the brainstorming session. 

Armed with knowledge about the company, the industry, fraud incentives, and the control weaknesses, we are ready to be creative. 

In what way are we to be creative? We think like a thief. By thinking like a fraudster, we unearth ways that stealing might occur. And why? So we can audit those possibilities. And this is the reason for the fraud risk assessment procedures in the first place.

What we discover in the risk assessment stage informs the audit plan—in other words, it has bearing upon the audit programs.

The Auditor’s Responsibility for Fraud

In conclusion, I started this post saying I’d answer the question, “What is an auditor’s responsibility for fraud?” Hopefully, you now have a better understanding of the fraud-related procedures we are to perform. But to understand the purpose of these procedures, look at the language in a standard audit opinion:

The procedures selected depend on the auditor’s judgment, including the assessment of the risks of material misstatement of the consolidated financial statements, whether due to fraud or error. In making those risk assessments, the auditor considers internal control relevant to the entity’s preparation and fair presentation of the consolidated financial statements in order to design audit procedures that are appropriate in the circumstances, but not for the purpose of expressing an opinion on the effectiveness of the entity’s internal control. Accordingly, we express no such opinion.

The purpose of fraud risk assessments is not to opine on internal control systems or to discover every fraud. It is to assist the auditor in determining where material misstatements—due to fraud—might occur.

The What and Why of Auditing: A Blog Series About Basics

Have you been following my series of posts: The What and Why of Auditing? If not, you may want to review the prior posts:

Also subscribe (below) to my blog to receive future installments in this series (we have several more coming). This series is a great way for seasoned auditors to refresh their overall audit knowledge and for new auditors to gain a better understanding of the audit process. 

Ten Most Popular CPA Scribo Blog Posts for 2016

10 most shared posts during 2016

Well, 2016 is in the books for CPA Scribo.

Here are the top ten 2016 posts (starting with number 10 and moving to number 1)–based on your social shares.

CPA Scribo

Picture from AdobeStock.com

Top 10 CPA Scribo Posts

 

10. Assessing Audit Control Risk at High (and Saving Time)

9. Getting More Done with My Favorite Accountant’s Device

8. How Honest People Steal

7. A List of Online Resources for CPAs

6. How to Add Value to Audits

5. How to Steal by Double Paying a Vendor

4. 25 Ways Fraud Happens

3. How $16 Million was Stolen from a Bakery

2. Seven Deadly Audit Sins

and drum roll…..

1.  Why Should Auditors Perform Audit Walkthroughs

Your Ideas for 2017

If you have an accounting or auditing idea that you’d like for me to address in 2017, please let me know–post a comment. Thanks.

Have You Checked Out “The Pros and The Cons” Web Site?

Gary Zeune offers interesting perspectives on white collar crime

If you’ve never seen The Pros and The Cons website, you should. My friend, Gary Zeune, provides fraud prevention information from the perspective of white collar prevention specialists–and from the dark side (those who steal).

The Pros and The Cons

Picture is from AdobeStock.com

Understanding how fraudsters think and act may be your greatest asset in stopping theft.

Gary provides fraud prevention articles, books, and videos on his website. He has a wealth of knowledge and a strong network of Pros and Cons working with him. If you haven’t heard Gary speak, seek out the opportunity to do so. You can contact Gary at gzfraud@TheProsAndTheCons.com. He and Dennis Dycus (who also works with Gary) are two of my favorite white collar crime speakers.

Gary provides online CPE classes, so if you need some interesting fraud prevention classes here at year-end, check his website out here.

Key Highlights from the 2016 Fraud Survey: Association of Certified Fraud Examiners

The Association of Certified Fraud Examiners conducts a biennial fraud survey titled Report to the Nations on Occupational Fraud and Abuse.

Fraud Survey

Picture from AdobeStock.com

Key Fraud Survey Statistics

Here are some statistics from the 2016 report:

  • The most common detection method is tips — 39% of fraud was detected by tips
  • The median loss per fraud case is $150,000
  • 41% of fraud cases are not referred to law enforcement (mainly due to fear of bad publicity)
  • The typical organization loses 5% of its revenue to fraud
  • Large organizations are more apt to use antifraud programs than small ones
  • Banking, governments and manufacturing suffer the largest losses (and in that order)
  • The average fraud exists 18 months before detection
  • Fraud schemes lasting more than 5 years caused a median loss of $850,000
  • 82% of the entities in the survey underwent audits
  • 95% of the time the fraudster took efforts to conceal the theft
  • Fraud losses increase with the number of people involved in the theft
  • Most fraudsters are first-time offenders (with only 5% having been previously convicted of theft)
  • The typical fraudster is:
    • Male (69%),
    • Middle-aged (30 to 50 years of age),
    • Educated (60% had college degrees), and
    • Works with the organization for a number of years
  • 19% of the frauds involved owners or executives resulting in median losses of $703,000
  • Only 8% of the frauds were committed by an employee with less than one year of employment
  • Billing schemes such as fictitious vendors continue to cause significant losses
  • 23% of the fraud cases were for more than $1 million dollars

See the complete ACFE survey here.

See my fraud prevention book on Amazon here.

I am looking forward to speaking the the Georgia Association of School Business Officials in Augusta, Georgia on November 8th. We’ll review a few school fraud cases and then look at how to prevent thefts in local school systems.

Date:November 8, 2016
Time:9:00 a.m. - 4:00 p.m.
Event:Charles Hall providing fraud prevention class at the Georgia Association of School Business Officials Conference
Topic:Prevention of Fraud in Local Schools
Public:Private

I will be speaking at the Georgia Government Finance Officers’ Conference on October 4, 2016. My presentation is titled “Steal Like a Boss,” a tongue-in-cheek view of how fraudsters think and act. Hope to see you there.

Date:October 4, 2016
Time:2:20 p.m.
Event:Georgia Government Finance Officers' Conference
Topic:Steal Like a Boss
Sponsor: Georgia Government Finance Officers
Venue: Evergreen Marriott Conference Resort | Stone Mountain GA
Public:Public

25 Ways Fraud Happens

Here's a list of common thefts

To prevent fraud, we must know how it happens.

Fraud Prevention

Picture is from AdobeStock.com

25 Ways Fraud Happens

Here’s a list of common company thefts:

  1. Collection clerk steals cash prior to recording it
  2. Collection clerk steals cash after recording a customer receipt; he voids the receipt and adjusts (writes down) the customer’s account
  3. Collection clerk places a personal check (for $5,000) in the cash drawer and takes an equivalent amount of cash; the clerk leaves the check in the drawer for months—in effect the clerk has an unauthorized loan
  4. The cash collections supervisor steals cash after receiving funds from collection clerks but before the money is deposited; she adjusts the related bank reconciliation by the amount stolen
  5. The person opening the mail steals checks before they are receipted; these amounts had not previously been recorded as a receivable
  6. Employees steal capital assets (knowing that no one performs periodic inventories)
  7. Employees use company credit cards for personal purchases but code the transactions as company expenses
  8. Accounts payable clerks cut checks to themselves (or to an accomplice) but record the check as company expenses; the check signatures are forged
  9. Accounts payable clerks establish fictitious vendors using their own addresses, a P.O. Box, or that of an accomplice; payments are made to the fictitious vendor and covered up with fictitious invoices; the checks are signed electronically as they are printed
  10. Accounts payable employee intentionally double-pays an invoice, then requests that the vendor refund the extra payment (with the refund going directly to the payable clerk)—check is converted to personal use
  11. Payroll personnel increase the pay rate—in the master pay rate file—for themselves or for friends working in the company
  12. Payroll personnel pay themselves (or friends) twice for each payroll
  13. Payroll personnel purposefully overpay withholding taxes and inflate the withholding amount on their own W-2, resulting a tax refund that includes the excess payments
  14. Purchasing department personnel are bribed by a vendor; the vendor recoups the bribe costs by inflating its subsequent invoices
  15. State, city, county elected officials are bribed; the vendor recoups the bribe costs by inflating its subsequent invoices
  16. Vendors give favors (e.g., free vacations) to those with the power to buy—commonly called a gratuity; vendor recoups the cost of the favors by inflating its subsequent invoices
  17. CEO orders accounts payable staff to make payments to himself (with an implied threat); payments are coded in a manner that hides the payment
  18. Money is wired by the CFO to the CFO but is recorded as a legitimate expense using a journal entry
  19. Money is wired to the CFO who then leaves the country without trying to cover up the theft
  20. The CEO or CFO makes payments to someone who is threatening their life or is blackmailing them; the expense is coded as legitimate
  21. A secret bank account is opened in the name of the business by the CFO but the sole authorized check signer is the CFO; checks are made from a legitimate business bank account to the secret bank account; the CFO writes checks to himself from the secret account
  22. A sales person steals rebate checks that belong to the company; she deposits the checks into her personal bank account by writing “pay to the order of…” on the back of the check
  23. The payables clerk writes a manual check to himself and then records the check with a journal entry that reflects a legitimate vendor
  24. The CFO inflates revenue at year-end with fictitious journal entries; stock prices go up; the CFO sells personally-owned company stock, then the CFO reverses the year-end accruals
  25. The inventory clerk steals stock and covers the theft by altering the inventory records

Fraud Brainstorming for Auditors

In performing your fraud brainstorming, consider printing out this list and seeing if any of these thefts are relevant to your audit.

City Manager Pockets Cash from the Sale of Excess Property

Day 30 of 30 Days of Fraud

The Theft

Is it possible to convert large pieces of excess property to cash–all without anyone knowing? Apparently yes.

Two men, Alfred Ketzler (the city manager) and Alfred Fabian, were found guilty of wire fraud and theft from the city of Tanana, Alaska.

Illegal sales of government property

Picture is courtesy of AdobeStock.com

Department of Justice Indictment Press Release

So what happened?

First, the Department of Justice stated “Ketzler would acquire surplus federal property that was stored at several different locations without notifying the mayor of Tanana or the city council for the city of Tanana of the federal excess and surplus property obtained on behalf of the city of Tanana.”

The Department of Justice went on to say “that Fabian, for his part, would transport federal excess and surplus property obtained on behalf of the city of Tanana to storage locations in and around Fairbanks, Alaska, including his own residence.”

Finally, the indictment stated that once the excess property was received, Ketzler would sell the equipment to individuals and businesses, telling them the property belonged to the City of Tanana. He asked that the checks be made out to him personally. The indictment continued by saying Ketzler would deposit the checks in his personal account and make payments to Fabian.

The indictment stated that the men received approximately $122,000 in illegal funds.

The property sold included:

  • Trucks
  • Fork Lifts
  • Bulldozers
  • Other industrial equipment

Department of Justice Sentencing Press Release

A June 2014 Department of Justice press release stated:

Anchorage, Alaska – U.S. Attorney Karen L. Loeffler announced today that two Fairbanks men were sentenced on Friday, June 6, 2014, in federal court in Fairbanks after being found guilty of wire fraud and theft from a local government receiving federal funds.

Alfred Richard Ketzler, Jr., also known as “Bear” Ketzler, 57, of Fairbanks, Alaska, was sentenced to 16 months in prison to be followed by two years of supervised release by Chief U.S. District Court Judge Ralph R. Beistline. Ketzler pled guilty in March 2014. Ketzler has already paid restitution to the City of Tanana in the amount of $116,500.

Alfred McQuestion Fabian, 62, of Fairbanks, Alaska, was sentenced to six months in prison to be followed by two years of supervised release by Chief U.S. District Court Judge Ralph R. Beistline. Fabian pled guilty in March 2014.

The Weakness

The city may have had appropriate inventory controls (the DOJ press releases did not say). Most noteworthy, this case appears to reflect a circumvention of controls. The city manager had the power and ability to consummate transactions that were (apparently) not recorded on the city’s records. The indictment states that Ketzler did not provide the city with appropriate notice of the receipt and sale of the excess property. Also the payments received were not recorded on the city’s books.

The Fix

Organizations should do all they can in the hiring process to bring people in that are honest. How? Background checks and the calling of references are critical.

It is imperative that all property be included in inventory—as soon as title transfers to the city. And, obviously, all payments should be made to the city (in this case) and not to individuals. A receipt should be issued to the payor that details the reason for the payment, the amount, and who made it.

How a Tax Commissioner Walks Away with $800,000

Day 29 of 30 Days of Fraud

The Theft

Some twenty years ago, I was working on an audit of a county tax commissioner’s office. We were noticing differences in the receipts and the cash collections.

Theft of cash

Picture is courtesy of AdobeStock.com

So one day I walk into the Tax Commissioner’s office. As I step in, I see several thousand dollars of cash laying on her desk. So, I remarked to her, “Haven’t made a deposit lately?” She laughed and said, “No, I’ve been too busy lately.”

I thought to myself, “Strange. She knows we’re here for the annual audit, and she has all this undeposited cash in open view. It’s as though she has no fear.”

The next day a gentleman comes into the room where we (the auditors) were working and whispers to me, “The Commissioner has a cocaine habit.” I did not know the fellow, so I wondered if the assertion had any merit. Regardless, this was shaping up to be an interesting audit.

Our audit disclosed unaccounted-for funds of over $300,000 in the year one. Year two, the differences continued and exceeded $500,000. After three years, the unaccounted-for amount was in the $800,000 range.

Why was she not removed? Tax Commissioners are elected in Georgia, so the only person that could remove her was the governor. The local county commissioners could not dismiss her.

Finally, the FBI was brought in. But even they could not prove who was stealing the money. Why? The tax office had two cash drawers and eight clerks. All eight worked out of both drawers. So when cash went missing, you could not pin the differences on any one person.

In addition, the books were a disaster, postings were willy-nilly. There was no rhyme or reason–what I call “designed smoke.”

The tax commissioner eventually went to prison for tax evasion. She made the mistake of depositing some of the stolen cash into her personal bank account, and the Feds were able to prove she had not reported the income.

The Weakness

The primary weakness was the lack of design in the collection process. Two or more people should never work from one cash drawer. Deposits were not timely made (and in many cases, not made at all). And then the books (mainly the tax digest) was not appropriately posted as collections were received.

The Fix

The primary fix was to remove the tax commissioner.

Next, each cash drawer should be assigned to only one person at a time.

Cash receipts should be written and the tax digest should be posted as tax payments are received.

Finally, deposits should be made daily.