Title: Detecting Material Fraud: What to Do and How Far to Go
1. Detecting Material Fraud: What to Do and How Far to Go
- MSNA
- 2008 Audit and Accounting Conference
- October 3, 2008
- John J. Hall, CPA
- Hall Consulting, Inc.
2. Fraud Risk Management
- Type
  - Misappropriation / Theft
  - Manipulated Results
  - Corruption (including Related Party Transactions)
- Significance
  - Macro
  - Micro
  - Systemic
- Readiness Levels
  - Prevention / Deterrence
  - Early Detection
  - Incident Handling
3. Fraud by Category: 2006 ACFE Study of 1,134 Cases
Asset Misappropriation 150,000
Corruption 538,000
Fraudulent Statements 2,000,000
4. Error versus Intent to Deceive
Inherent Challenges
5. Trusted Clients
Inherent Challenges
6. For Consideration
Largest threat comes from inside the system
7. Management Override
Inherent Macro Risk ???
8. Who does the detail work for the CPA?
Inherent Challenges
9. Fees Drive Hours; Hours Can Drive Quality
Inherent Challenges
10. Variables
[Figure: four-quadrant chart with quadrants labeled I, II, III and IV; axes ABILITY and ENVIRONMENT, scale marked LOW to HI]
11. Fraud Detection Expectations
- Government Auditing Standards
- IIA Practice Advisory 1210.A2-1
- Statement of Auditing Standards 99
12. IIA Practice Advisory 1210.A2-1
Consider fraud risks in the assessment of control design and determination of audit steps to perform. While internal auditors are not expected to detect fraud and irregularities, internal auditors are expected to obtain reasonable assurance that business objectives for the process under review are being achieved and material control deficiencies, whether through simple error or intentional effort, are detected.
13. IIA Practice Advisory 1210.A2-1
Have sufficient knowledge of fraud to identify
red flags indicating fraud may have been
committed. This knowledge includes the
characteristics of fraud, the techniques used to
commit fraud, and the various fraud schemes and
scenarios associated with the activities reviewed.
14. IIA Practice Advisory 1210.A2-1
Be alert to opportunities that could allow fraud,
such as control weaknesses. If significant
control weaknesses are detected, additional tests
conducted by internal auditors should be directed
at identifying other fraud indicators.
15. IIA Practice Advisory 1210.A2-1
- Evaluate the indicators of fraud and decide whether any further action is necessary or whether an investigation should be recommended.
- Notify the appropriate authorities within the organization if a determination is made that fraud has occurred to recommend an investigation.
16. SAS 82: Consideration of Fraud in a Financial Statement Audit
17. Public Oversight Board
- Panel on Audit Effectiveness - Recommendations
- Auditors should perform some forensic-type procedures on every audit to enhance the prospect of detecting material financial statement fraud
- Attitudinal shift in the auditor's degree of skepticism
- During this phase, auditors should modify the otherwise neutral concept of professional skepticism and presume the possibility of dishonesty at various levels of management, including:
  - Collusion
  - Override of internal control
  - Falsification of documents
18. Public Oversight Board
- Panel on Audit Effectiveness - Recommendations
- The key question that auditors should ask is: "Where is the entity vulnerable to financial statement fraud if management were inclined to perpetrate it?"
- Auditors should consider incorporating a surprise or unpredictability element in their tests
- Retrospective audit procedures
19. Public Oversight Board
- Panel on Audit Effectiveness - Recommendations
- Develop or expand training programs for auditors at all levels oriented toward responsibilities and procedures for fraud detection. These programs should emphasize interviewing skills and the exercise of professional skepticism, as well as testing techniques
- Using auditors with forensic audit backgrounds to assist in this training would be beneficial.
Date of Report: August 31, 2000
20. SAS 99: Consideration of Fraud in a Financial Statement Audit
- Auditor Responsibilities
- The auditor has a responsibility to plan and
perform the audit to obtain reasonable assurance
about whether the financial statements are free
of material misstatement, whether caused by fraud
or error (AU sec. 110.02)
21. SAS 99: Consideration of Fraud in a Financial Statement Audit
- Auditor Responsibilities
- This statement [SAS 99] establishes standards and provides guidance to auditors in fulfilling that responsibility, as it relates to fraud, in an audit of financial statements conducted in accordance with generally accepted auditing standards (GAAS).
22. SAS 99 v. SAS 82
- SAS 99 significantly expands the information gathering phase beyond the work traditionally performed. Changes include:
  - Required brainstorming session among the audit team members to discuss the potential for material misstatement due to fraud
  - An increased emphasis on inquiry as an audit procedure that increases the likelihood of fraud detection
  - Expanded use of analytical procedures to gather information used to identify risks of material misstatement due to fraud
23. SAS 99: Consideration of Fraud
Required audit team brainstorming session
24. The Fraud Triangle
Pressure
Opportunity
Attitude
25. Brainstorming: What Can Go Wrong?
26. Financial Results Examples
- Overstatement of Earnings
- Fictitious Earnings
- Understatement of Expenses
- Overstatement of Assets
- Understatement of Allowances for Receivables
- Overstatement of Inventory
- Overstatement of Property Values
- Creation of Fictitious Assets
- Understatement of Liabilities
27. PCAOB Observations
- Auditors' Overall Approach to the Detection of Financial Fraud
  - auditors often document their consideration of fraud merely by checking off items on standard audit programs and checklists
  - auditors failed to expand audit procedures when addressing identified fraud risk factors
28. PCAOB Observations
- Auditors' Overall Approach to the Detection of Financial Fraud
  - it appeared that auditors were performing the procedures mechanically, without using those procedures to develop insights on the risk of fraud with a view toward identifying ways to modify the audit plan in order to address the risk.
29. PCAOB Observations
- Brainstorming Session and Fraud-Related Inquiries
- PCAOB inspectors have:
  - Identified audits in which the audit team was unable to demonstrate that brainstorming sessions were held
  - Identified audits in which the audit teams' brainstorming sessions occurred after planning and after substantial fieldwork had begun
  - Identified audits in which key members of the audit team did not attend the brainstorming sessions
30. SAS 99: Consideration of Fraud
Introduces Human Psychology into the audit process
31. Professional Skepticism
- Attitude involving two aspects
  - Questioning mind
    - recognize possibility of fraud
    - set aside past experience and beliefs
    - despite beliefs re integrity
  - Critical assessment of evidence
    - not satisfied with less than persuasive evidence
32. SAS 99 is mostly a state of mind
Auditor Psychology
33. Begin (plan) with the PRESUMPTION that a fraud incident has occurred
34. Lessons from Psychology
- We self-correct for information that does not fit our assumptions
- Sources of assumptions
  - Past history
  - Personal experience
  - Training and culture
- Our perceptions about staff and volunteers probably are incomplete
- Categories allow us to quickly analyze data, sometimes incorrectly
35. SAS 99: Consideration of Fraud
Iterative Process
36. SAS 99: Consideration of Fraud
Commission, Conversion, Concealment
37. SAS 99: Consideration of Fraud
Required Skills: Communication, Technology, Forensic Accounting
38. Obtaining Information Needed to Identify Risks
The auditor should perform the following procedures:
- Consider other information that may be helpful in the identification of risks of material misstatement due to fraud (para. 34)
- Three pages of very specific suggested inquiries
- Paragraph 27: The auditor should be aware when evaluating management's responses to the inquiries that management is often in the best position to perpetrate the fraud.
THEREFORE, THEY WILL LIE TO YOU
39. Required Skills
Develop or Acquire
- Communication
- Emphasis on brainstorming and expanded use of
inquiry
FRAUD-BASED INTERVIEWING
40. Interview versus Interrogation
- Interview: non-accusatory, structured, dialog-based, question and answer, held for a specific purpose
- Interrogation: accusatory, held when there is sufficient evidence to accuse the suspect of fraud and seek a confession
41. Required Skills
Develop or Acquire
- Communication
- Technology
- The impact technology has on the risk of fraud
- Certain required or suggested audit procedures
may benefit from the use of CAATs such as data
extraction
42. Required Skills
Develop or Acquire
- Communication
- Technology
- Forensic Accounting
  - Assess the risk of material misstatement due to fraud
  - Design audit procedures that respond to the assessed risk of fraud
  - Determine when a separate fraud investigation engagement is necessary
43. Preventing Fraud: Assessing the Fraud Risk Management Capabilities of Today's Largest Organizations
www.protiviti.com
44. Protiviti Preventing Fraud Report
- Organizations are at different maturity points in their capabilities to evaluate, mitigate and monitor fraud risk.
- Organizations are struggling to understand what Fraud Risk Management means in the context of their daily operations.
- Education and awareness are critical issues that need greater attention in order to successfully manage fraud risk.
45. Managing the Business Risk of Fraud: A Practical Guide, July 7, 2008
46. Five Principles: Managing the Business Risk of Fraud: A Practical Guide
Principle 1
- As part of an organization's governance structure, a fraud risk management program should be in place, including a written policy (or policies) to convey the expectations of the board of directors and senior management regarding managing fraud risk.
47. Five Principles: Managing the Business Risk of Fraud: A Practical Guide
Principle 2
- Fraud risk exposure should be assessed periodically by the organization to identify specific potential schemes and events that the organization needs to mitigate.
48. Five Principles: Managing the Business Risk of Fraud: A Practical Guide
Principle 3
- Prevention techniques to avoid potential key fraud risk events should be established, where feasible, to mitigate possible impacts on the organization.
49. Five Principles: Managing the Business Risk of Fraud: A Practical Guide
Principle 4
- Detection techniques should be established to uncover fraud events when preventive measures fail or unmitigated risks are realized.
50. Five Principles: Managing the Business Risk of Fraud: A Practical Guide
Principle 5
- A reporting process should be in place to solicit input on potential fraud, and a coordinated approach to investigation and corrective action should be used to help ensure potential fraud is addressed appropriately and timely.
51. Key Points
- Suitable fraud risk management oversight and expectations exist (governance): Principle 1
- Fraud exposures are identified and evaluated (risk assessment): Principle 2
- Appropriate processes and procedures are in place to manage these exposures (prevention and detection): Principles 3 and 4
- Fraud allegations are addressed, and appropriate corrective action is taken in a timely manner (investigation and corrective action): Principle 5
52. Fraud Risk Assessment: Key Elements
- How might a fraud perpetrator exploit weaknesses in the system of controls?
- How could a perpetrator override or circumvent controls?
- What could a perpetrator do to conceal the fraud?
53. Comprehensive Fraud Exposure Analysis
- By functional area
- By position
- By relationship
End Result: Fraud Risk Inventory
54. Brainstorming Team
- Finance and accounting
- Business unit and operations
- Risk management
- Legal and compliance
- Internal Audit and Inspector General
- External consultants with fraud expertise
Chief Risk Officer
55. 13 High Opportunity Areas
- Remote locations
- Overseas locations
- Areas not understood well by leaders
- Costs allocated to other cost centers
- New functions or systems
- New products or services
- Areas experiencing rapid growth
- New technology
56. 13 High Opportunity Areas
- Locations or functions about to be closed or sold
- Areas or locations with a history of problems or poor performance
- Joint ventures or other similar arrangements
- Records are kept by outsiders
- Areas that are politically protected
57. Fraud Detection Steps
- Think like a thief
- Use discovery techniques
  - Discovery testing
  - Interviews
  - Monitoring
- Determine the cause of all fraud indicators surfaced
58. Override / Collusion, Shadow Deals, Time
SPECIAL CHALLENGES
59. Last Thoughts
- During planning, Think like a thief
- Teach staff what they need to know to be effective
- Look for fraud indicators. Design and perform discovery-based steps
- When in doubt, doubt
- Follow up / formally refer all suspicions
60. Further Questions or Comments?
- John J. Hall, CPA
- PO Box 850
- Vail, CO 81658
- Cell (312) 560-9931
- www.hallconsulting.biz
- jhall_at_hallconsulting.biz