During most audits, the team actively assesses specific risks and controls, performs tests, and documents their work. Auditors rarely look for fraud, and most auditors only have a basic understanding of fraud red flags. With limited knowledge, it is hard to expect a typical internal auditor to recognize fraud red flags unless these are explicitly detailed in the controls they are testing. This article will review the basics of recognizing fraud and introduce the idea of customizing fraud models for specific scenarios.
Awareness Training Is Key
For anyone to recognize fraud, they first need to know what fraud looks like. Internal auditors should be able to identify red flags indicating fraud may have been committed and understand the most common fraud schemes and scenarios. The typical starting point for awareness training is understanding the fraud triangle.
The Fraud Triangle
In an audit, the fraud triangle helps you identify who will most likely commit fraud. The three sides of the traditional fraud triangle are pressure, opportunity, and rationalization. Most red flags are derived from these three categories as illustrated below.
- Pressure is a financial incentive that motivates someone to commit fraud. For example, a person might be under financial pressure because they have lost their job or have a gambling addiction.
- Opportunity is the ability to commit fraud without being detected. For example, someone might have the opportunity to commit fraud because they have access to sensitive financial information or because they are in a position of authority.
- Rationalization is the way that someone justifies their fraudulent behavior to themselves. For example, someone might rationalize their fraud by telling themselves they are only borrowing money and will pay it back.
In the traditional model, all three elements of the fraud triangle must be present for fraud to occur. If there is no pressure, no opportunity, or no rationalization, then fraud is unlikely to happen.
Customizing the Fraud Triangle
The fraud triangle has been the basis for most evaluations for almost 70 years. With so much change in technology, business, and society, we should revisit the model to see what changes may be needed for our modern environment. To provide a basic framework for evaluating fraud risk and to look for fraud red flags, we need targeted, situation-specific models to help auditors in the field know where to focus their efforts. For example, if considering cybersecurity and fraud, we can rework the triangle to include motivation, technical capability, and rationalization.
- Motivation looks different in cyber fraud. The fraudster may not be motivated by personal gain. The fraud could be committed out of boredom, the need for a challenge, or to promote political idealism.
- Technical capability replaces opportunity. Traditional opportunity describes a person placed in a trusted position with access to resources. In a cyber scenario, specialized technical skills, hardware, software, and possibly financial backing are needed.
- Rationalization is also tweaked in this model. The fraudster could rationalize the crime by saying any open door is an invitation or that wealthier nations and organizations have it coming.
In this example, an audit team involved in a cybersecurity audit can use a modified model that guides their fraud awareness toward a more refined target. As in the traditional model, all three elements will need to exist.
Recognizing Fraud Is Only the First Step
While developing a custom fraud model can guide your audit team during an engagement to identify potential fraud, this is only the first step. Recognizing fraud red flags requires more testing and interviewing to understand the root cause. A red flag does not always mean a fraud has occurred, only that a fraud is possible. In recognizing fraud, auditors need to understand when to keep digging and when to stop. Depending on your role and your organization, your duty related to fraud is likely to take your testing up to a point where you need to hand off an investigation to professional fraud examiners. By incorporating red flag awareness, applying what we know about fraud to custom models, and continuing to specialize in control evaluation, internal audit will remain one of the most important resources within our organizations in the fight against fraud.