Creating a Fraud Risk Dialogue

Internal auditors can use a carefully crafted questionnaire to help meet their responsibility for identifying the indicators of fraud.

Mark R. Kolman, CIA, CPA, CFE, CISA
Internal Audit Manager, Hillsborough County, Fla.

In defining the internal auditor's role in fraud prevention and detection, The IIA's International Standards for the Professional Practice of Internal Auditing (Standards) states, "The internal auditor should have sufficient knowledge to identify the indicators of fraud but is not expected to have the expertise of a person whose primary responsibility is detecting and investigating fraud." Conducting a fraud risk interview, using a well-designed and appropriately administered questionnaire, is a good way to address the auditor's responsibility for identifying fraud indicators.

The IIA's Practice Advisory 1210.A2 further states, "Internal auditors are responsible for assisting in the deterrence of fraud by examining and evaluating the adequacy and effectiveness of the system of internal control, commensurate with the extent of the potential risk exposure in the various segments of the organization's operations." Asking client management and staff questions about potential control weaknesses, operational concerns, their suspicions, and their knowledge of ongoing frauds can provide the auditor with valuable information from those who know the most about the department or organization's operations and people. Informing management during the entrance conference that a fraud risk assessment will be part of the audit sets the stage for asking fraud risk-related questions. The fraud risk questionnaire is an excellent tool for opening the door to discussions and for gathering information about controls, activities, and concerns related to fraud.

THE QUESTIONNAIRE

The fraud risk questionnaire should seek to uncover information about the three components of fraud risk—opportunity, pressure, and justification (see "Developing the Fraud Risk Questionnaire"). Opportunity is the perceived ability to carry out the fraud and not get caught (e.g., because of weak internal controls or a perceived lack of controls). Pressure can result from personal issues, such as financial need due to personal debt, or business issues, such as the need to meet performance targets. And, justification is the rationalization a person uses to carry out the fraud, to convince himself or herself that the act is acceptable (e.g., "I'm only borrowing the money," or "I'm entitled to this money").

When preparing the fraud questionnaire for a particular audit, the auditor should consider adding questions that would be specific to that organization and to the interviewee's area of responsibility. For example, fraud risk questions for a purchasing function might include:

  • If someone wanted to ensure that a contract was awarded to a specific vendor, what would he or she need to do to make that happen?
  • How does the department ensure that products and services are charged in accordance with contract terms?
  • How does the department ensure that vendors don't collude with each other, sharing information or fixing prices?
  • What procedures are in place to ensure that an employee doesn't award or manage a contract where he or she has a financial interest in the vendor providing the product or services?

Customizing the questionnaire to address the known types of risks for a particular operation or organization makes the interview process more meaningful to the client and more informative for the auditor.

THE INTERVIEW

A fraud risk questionnaire is most effective in the hands of an experienced and knowledgeable interviewer. A skilled fraud risk interviewer creates an atmosphere of cooperation by establishing a dialogue with the interviewee. Discussing the topic of fraud, particularly when it's related to someone's area of responsibility, is likely to create an uncomfortable mood initially. The auditor should work toward establishing a nonthreatening, information-gathering tone to put the interviewee at ease and encourage open discussion. The auditor who takes on the persona of an interested news reporter will find that many people love to show off their expertise, speak their opinions, and talk about what they know.

The auditor's interview technique should invite the interviewee to provide significant, specific information that expands upon a "yes" or "no" response. Questionnaires that elicit only "yes" or "no" responses may meet the requirement to inquire about fraud, but they may not give the auditor enough information to understand the audited area's risk. Asking the question and then letting the interviewee talk for as long as he or she wants is an effective way of getting the most information. Probing for the reasons behind the interviewee's answers, such as asking why the interviewee feels that way or on what the interviewee's opinion is based, helps provide information on procedures that are working well and areas where things are not working as they should. In addition to revealing fraud risks, answers to these questions may provide information on operational concerns. A well-conducted, candid discussion can give the auditor access to a wellspring of information that others possess about control strengths and possible exposures.

Before conducting the meeting, the auditor should become thoroughly familiar with the interview questions and know enough about the interviewee's job responsibilities to be able to ask appropriate follow-up questions. The auditor should consider reviewing the questions with another audit staff member to become familiar with them and any follow-up points. The interview's success depends on the auditor's knowledge and experience, thorough preparation, mental rehearsal, and skill at establishing rapport with the interviewee.

THE PROCEDURE

The interview process works best when the auditor follows a consistent, well-organized approach. It's important that the person conducting the interview be fully prepared to manage and conduct all aspects of the interview process.

Scheduling
The auditor should schedule interviews with personnel at various levels of management and staff from the department or organization to provide a good mix of viewpoints. It's best to begin with the most senior position to allow that person to experience the interview process and to know what types of questions the auditor will be asking the rest of the staff. The auditor should be sure to note the name and title or position of all persons interviewed, the date of the initial interview, and the date of the follow-up interview.

The Fraud Risk Questionnaire in Use

The Hillsborough County, Fla., audit department has used a fraud risk questionnaire for more than three years and has seen it produce an assortment of useful information. The auditors have heard about monitoring successes that management has had, including finding employees using the organization's computers to produce and maintain the records for their outside business interests, uncovering field personnel who were attending college courses rather than performing their field duties, and discovering maintenance workers who were using the organization's computers after hours to visit various Web sites. Additionally, the auditors learned about a former full-time professional employee—who came back to work part-time doing clerical tasks—who was still being paid a high professional hourly rate. They learned about an investigation of an alleged kickback scheme and a large contract obligation held by an organization, neither of which the organization's external accounting firm had been informed about. They've also learned about thefts of computers and other assets and services. All of this information has been useful in helping the audit department to define its audit scope and develop its audit findings.

Timing
The auditor should arrange to meet privately, one-on-one, with the interviewee, allowing 30 to 60 minutes for the interview. Ensuring that the employee has set aside a specific time to meet with the auditor helps eliminate interruptions that can break the flow of the interview process. The auditor should explain to the interviewee that the interview is taking place, not because of any specific incidents of fraud — if that's the case — but to determine the steps that management should take to ensure that controls are in place to prevent and detect fraud.

Pre-interview Discussion
The auditor should take time to discuss any questions the interviewee may have about the audit or interview process before asking any interview questions. The interviewer should inform the interviewee that there are no "right" or "wrong" answers to the questions. The auditor is looking for the employee's opinion, based on knowledge and experience.

The formal discussion should begin by asking the interviewee for background information on education and work experience. The purpose of asking for this information is to provide support for the person's knowledge and experience and includes questions such as: How long have you been in your current position? What other positions have you held in your department or organization? And, what positions have you held in other departments or organizations?

The Interview
The auditor should read the question to the interviewee and document the response on the fraud risk questionnaire form. The auditor should then ask if the interviewee has any more information to add and, if not, move on to the next question.

The auditor should conclude by asking the interviewee to give his or her perception of fraud risks to the department or organization. Does the employee think that fraud risks are high, medium, or low, and why? This inquiry and the interviewee's response, reasoning, and conclusion should be documented in the questionnaire.

Follow-up
The interviewer should let the interviewee know that the responses will be typed up and that the auditor will meet with the interviewee a second time, one-on-one, in a few days to review them. This gives interviewees a chance to update or clarify their answers. Following that meeting the auditor should update the questionnaire and make an overall analysis of the fraud and operational risks after comparing all of the responses for content, consistencies, and variations.

UNCOVERING RISK

When a fraud risk interview is performed correctly, people understand the type of information the auditor is asking for and why he or she is asking for it. And, as long as they're not participating in a fraud or other misbehavior, they will likely be willing — perhaps even eager — to share their knowledge and opinions.

Conducting these interviews not only helps the auditor do a more thorough job of learning about fraud risks and other concerns, it helps educate managers about exposures and events of which they need to be aware to better carry out their job responsibilities. Documenting these interviews provides the auditor with support of management's fraud risk assessment, knowledge of controls and monitoring successes, and accounts of past problems and how management has dealt with them.

The best clues on where to look for indicators of fraud aren't always in the books and records. The concept of "auditing the business, not just the books" means talking to the people who do the work and who know the business. Asking questions about fraud awareness, fraud risks, and other operational concerns is one of the most effective ways to learn about these issues.

To comment on this article, e-mail the author at mark.kolman@theiia.org.

