by Alex Movchan & Magdalena Wolska
“People show you who they are,
not by what they say, but by what they do.”
Jane Green, British journalist and writer
Probably, every internal auditor, at least once, had a feeling after the end of the audit engagement, that maybe there was something unnoticed, undiscovered, left “behind the curtains”. You start thinking about it, but nothing concrete really comes up on your mind – the interviews were held, reviews performed, testing completed. It looks like everything was examined properly, but the fear of missing something important just does not come out of the mind. Suddenly a thought comes up out of the blue: “And what, if there was a fraud out there?” Right, missing a fraud is the worst nightmare for an internal auditor. Although the Standards don’t put full responsibility of fraud detection on the internal auditors, but as is written in the Standard 1210.A2: “Internal auditors must have sufficient knowledge to evaluate the risk of fraud and the manner in which it is managed by the organization”. What is the trickiest about fraud is that it is like an iceberg – seems to be just a small detail from the first sight, but 95% of an iceberg is hidden beneath the water. And the damage it can cause might be truly unpredictable. If you have any doubts about that, just think about Titanic – the largest ship afloat with 2500 passengers on board, 1 500 of them died, making it one of the deadliest commercial peacetime maritime disasters in modern history. And this tragedy happened because the crew did not manage to identify the iceberg in time.
During the audit engagement, every internal auditor is taking the role of an “iceberg identification” crew. And if somebody still doubts, that fraud is really “an iceberg of modern corporate world”, it’s worth having a look at the “Report to the Nations on occupational fraud and abuse 2016“ prepared by the Association of Certified Fraud Examiners (ACFE), which quantifies annual total loss of companies due to fraud as $ 6.3 billion. ACFE estimates, that the typical organization loses 5% of annual revenues due to fraud. And more than 23% of occupational fraud cases in 2016 resulted in a loss of at least $1 million.
Now, when we’ve ensured that the problem is significant enough and is worth having a closer looks, let’s make a small “understand your enemy” exercise and identify, where are the largest “icebergs of the corporate world” located and what types of them exist. The “Report to the Nations 2016” proves that Europe falls into top 3 locations with the highest median losses due to fraud. And the most harmful types of fraud in 2016 were financial statements fraud, corruption and assets misappropriation, totaling $ 1.3 billion on a global scale.
“But in our company people are honest and no one might even think of committing a fraud” – one might say. Unfortunately, fraud is more a question of possibility to commit it, rather than a question of morale. As the “Fraud Triangle” model shows, occurrence of fraud is dependent on the opportunity, pressure and rationalization.
And while “pressure” and “rationalization” can hardly be controlled by the companies, opportunity to commit the fraud is fully within the control zone. Basically the tools, used by the companies to minimize the opportunity of fraud being committed, are: segregation of duties, proper access rights management, transparency of business processes, existence of Policies and Procedures, implementation of whistle blowing mechanisms etc.
Although, the responsibility for implementing the proper internal controls, including antifraud ones, purely lies on the management side, but assessing of the effectiveness of these controls is a direct responsibility of internal audit. Of course, it is not possible to provide absolute assurance to the stakeholders that fraud will never happen, but a reasonable assurance that the organization’s fraud risks have been managed effectively and that the organization’s goals will be achieved efficiently is undeniably one of the internal audit’s core objectives.
In order to complete this objective effectively within the tight time constraints of the audit engagement, it’s worth paying attention to the small “iceberg parts above the surface of the water”, or fraud related “red flags”, as they are called among forensic auditing professionals.
The most widely known “red flags”, split per the most harmful types of fraud, are as follows:
Financial statement fraud
– Absence of primary documents, supporting booked transactions;
– Access to modify archived files and records with financial data from prior periods;
– Conducting transactions in a form that does not correspond with the content;
– Loss or liquidation of documents and electronic records, containing key information about potentially doubtful transactions;
– Major adjustments in financial reports and budgets.
– The value of personal property and the way of life of an employee do not correspond with the incomes;
– Unreasonable, excessive concentration of key powers in the hands of one person.
– Persons, who have access to book cash transactions in the accounting system, also have physical access to cash;
– Absence of system, disorder in the storage of goods, materials, documents and electronic files;
– Determination of raw material consumption by reverse count;
– The remoteness of production from top management and monitoring services.
Also there is a number of “red flags” that are directly linked with the overall governance style and control environment in the organization, thus concerning all areas and might be a signal of any type of fraud.
Governance and control environment related “red flags”
– Absence of antifraud program and whistle blowing tool in the organization;
– High turnover of Senior management;
– Absence of punishment for identified violations;
– Limiting access of auditors towards staff of the organization;
– Contradictions in explanations or the replacement of one explanation with the others;
– Sudden refuse of the staff to cooperate with the auditor in the course of the engagement.
“There is no one universal approach to managing fraud risk in an organization. The essence of the phenomenon of fraud is dynamic in nature, thus requires a proactive approach from the Management putting right controls in place and timely reacting on potential fraud indicators to achieve reasonable assurance of being in control and having the comfort that business goals of the organization will be achieved.” – Leszek Bartosik, CFE – Senior forensic auditor in Grant Thornton Dubai, UAE.
Living in nowadays informational society there is no lack of information – on the contrary, it’s in high supply. But having correct, well-structured information at the right moment of time is as good as gold. We do believe that going on the next audit engagement each reader of this article would be well informed to keep an eye on the fraud “red flags”, and after the audit engagement would feel confident enough to provide reasonable assurance to the stakeholders, that fraud risks were identified and relative internal controls were properly assessed for effectiveness.
Putting additional focus of internal audit on the fraud “red flags” and providing timely communication with the management on this topic, would increase overall awareness and concern of the management and the staff of the organization regarding proper managing of the fraud risks, putting right internal controls in place and improving general control environment within the organization.
We strongly believe, that these actions would pay off handsomely in the future and would help to establish atmosphere of transparency, cooperation and control awareness within the organization, and on the larger scale to build trustful relationships with all the stakeholders.
1. Institute of internal auditors (IIA) – “International Standards for the professional practice of internal auditing”. (https://na.theiia.org/standards-guidance/Public%20Documents/IPPF-Standards-2017.pdf )
2. Association of Certified Fraud Examiners (ACFE) – “Report to the Nations on occupational fraud and abuse 2016“ (https://www.acfe.com/rttn2016/docs/2016-report-to-the-nations.pdf )
3. W. Steve Albrecht -“Iconic fraud triangle endures” – “Fraud magazine” issue for July/August 2014 (http://www.fraud-magazine.com/article.aspx?id=4294983342)
4. Norman Marks – “Internal Audit and Fraud” – “Internal auditor” online magazine- December 1, 2015 (https://iaonline.theiia.org/blogs/marks/2015/internal-audit-and-fraud)
About the authors: Alex Movchan CICA, CIA, CIMA Dip PM, Lean Six Sigma is the President of The Institute for Internal Controls – Ukraine and Belarus chapter and Magdalena Wolska, ACCA is Compliance and Internal Controls Manager.