According to Mike
Who Said You Can't Audit for Fraud?
MICHAEL PIDZAMECKY, CFE, CMA
I attended a recent fraud conference where there was, shockingly, much talk about fraud. Personally, I find it ironic that when we read or talk about fraud, it's always about what happened in this scheme or that scheme. The key message here is that it always seems to be after the fact. Many of us who are auditors — external or internal — say we do not audit for fraud. Rather, we audit an organization's internal controls and processes. In completing such a review, we make sure that reasonable and effective controls are in place to prevent fraud, but there is never absolute assurance. Yes, we may get lucky and discover fraud during a review, but not because of a planned audit review.
Well guess what? I am going to challenge this notion and say that we — auditors, fraud examiners, management, lawyers, controllers, or whomever — actually can audit for fraud in an effective and efficient manner. You probably are shaking your heads thinking, "Mike is really stretching the use of self-assessment. There is no way you can identify and audit specific frauds taking place in your organization by just sitting and talking around a table." Well, I want you to know that you can. In fact, one of this issue's feature articles, "A Practical Guide to Assessing Fraud Risk in Your Organization," discusses using self-assessment workshops to identify potential fraud.
In traditional risk and control self-assessments, we gather information and people to analyze what is taking place in the organization. We have them look at the business, as well as its objectives and processes, through interviews and workshops. In doing so, we develop an understanding and an enterprisewide view of what risks the organization faces, and analyze them to determine if and how they might impact our ability to achieve our various strategic and business objectives. These risks can have negative consequences, in which case we develop internal controls and processes that will mitigate them to an acceptable level for us to achieve our goals. In some cases, we find that the risks are extremely trivial and we are using entirely too many resources trying to control them. And, in other cases, we find that a risk is an exploitable business opportunity that, when managed properly, may provide new economic or social benefits to the organization.
Using the same techniques for risk and control self-assessment, you can identify fraud risks that threaten your organization. By analyzing the hundreds of fraud schemes that could affect their business, organizations can zero in on the most potentially damaging or probable frauds that can be or are taking place. These fraud schemes are determined by brainstorming potential fraudulent situations that are common to all organizations and those specifically attributed to your particular industry or organization.
To help you get started, here are two general examples that could be included in anyone's assessment:
- Intellectual property theft by employees. Employees may commit theft for their own personal gain while employed or after leaving a company by selling information to competitors.
- Side letter agreements. The Securities and Exchange Commission's Staff Accounting Bulletin: No. 101 – Revenue Recognition in Financial Statements requires a definitive sales or service agreement. However, customer-vendor relationships often change. For example, a company enters into an arrangement, but later makes changes in a written or oral agreement that is executed outside normal control and reporting channels. The real terms of the deal are not represented in the official contract — a document often used when making business decisions, valuations, or investments.
An actual audit of potential or real fraud can now take place because you know where, when, why, and how it can be or is happening. Once you have your list of schemes, follow the same process you would use for other self-assessment reviews — you determine the probability and impact such schemes will have on your organization. If they rate high, start auditing to find out if it's too late or if you are just in time to stop it.
As you can see, there is no reason for any organization not to be proactive in auditing for fraud. A fraud self-assessment is a perfect tool to help you and your management team audit potential fraud loopholes in controls and processes long before they become reality and your company is talked about at the next fraud conference.
Michael Pidzamecky, CFE, CMA, is a private consultant who works with CSA and ERM processes. Pidzamecky has developed several self-assessment approaches, presented sessions for IIA courses and conferences, and written questions for The IIA's Certification in Control Self-assessment exam.