You can find a news article about fraud every day. When fraud is so rampant, it seems logical that auditors should uncover fraudulent activity more often. Internal auditors are even expected to consider fraud risks in their audits, but they are rarely equipped for this task. We are not surprised that according to the ACFE’s Report to the Nations, internal auditors have uncovered 16% or fewer fraud schemes annually. More frauds are reported via whistleblowers than through frauds uncovered during an internal audit. This article will share the main reason so many auditors miss fraud and two simple ways to apply fraud detection to every audit.
Why Auditors Miss Fraud
We do not find fraud simply because we are not actively looking for fraud red flags. Nearly every audit begins with the assumption that statements are factual instead of looking for deception. As a profession, we have repeated that managing fraud risk is a management function, not audit’s responsibility. However, the organization and stakeholders expect us to look for fraud, and despite a lack of training and the low identification of fraud, we are still the second-highest source for fraud detection. Imagine what we could do if we focused on fraud in every audit. To better perform fraud detection, we need to train all auditors in technical and soft skills related directly to fraud detection.
Learn at Least One Analytical Test
Unfortunately, internal audit teams are limited in what they can accomplish with spreadsheets, lack funding for an analytics solution, and lack the time to develop their data analytics skill sets. Today, there are low/no-code analytic solutions to make it easier than ever. If you have never used analytics, the most straightforward test is Benford’s Law. Using this test on large data sets, like expenses, is a quick way to look for abnormal patterns. You can also use analytics to review transactions processed on weekends, off hours, and holidays when people are not typically working. Without getting too deep into the math behind Benford’s Law, it basically says that a large set of numbers has a predictable number of transactions that start with the number one through nine. For example, too many transactions falling in a range like $40-$49 is a red flag that someone might create false information. When this red flag shows up, we can take a deep dive into those transactions instead of randomly looking at everything. Analytics tools are designed to analyze the data for you so you know where to look.
The Power of Conversation
The power of conversation is even more effective than analytics. Having open conversations with the people you are auditing can point you to where fraud could happen. Think of it as a chance to gather tips straight from the source. To start, remember to avoid diving right into an interview. No one likes to be interrogated. Start the conversation with small talk. Usually, you can open by asking about someone’s pictures on their desk (or Zoom background). Help to set a calm environment so people are more comfortable just talking. Then, as you start asking about people, processes, and systems, keep a list of common red flags in mind and direct some questions around those topics. It is very common for people to open up about things other people on their team are doing that make them uncomfortable. Remember to listen to what they say and not rush to your next question. A simple conversation can consistently uncover fraud by improving your listening skills and always keeping red flags in mind.
Every Audit Has Red Flags
An interesting thing happens when you actively look for fraud red flags – you have a great chance of finding them. Most audits, if you know where to look, will reveal fraud red flags that require more testing. Red flags indicate fraud (not proof of fraud) that points you in the direction your testing should take. With data analytics, you can narrow down vast amounts of data to test the right transactions. With active listening, you can pick up more nuances that may point to fraud, or sometimes, people will even tell you outright that something appears suspicious. These two simple strategies will change how you approach your audit work and allow you to incorporate fraud detection techniques in every audit.
Scott Madenburg, CIA, CISA, CRMA, is Market Advisor, SOX & Internal Audit at AuditBoard. Prior to AuditBoard, Scott was Head of Audit at Mobilitie LLC, with nearly two decades experience in operational, IT, and financial auditing, as well as SOX compliance. Connect with Scott on LinkedIn.