Chapter 4

EXTERNAL AUDITING AND FORENSIC INVESTIGATIONS: CONCEPTUAL AND PROCEDURAL DIFFERENCES

LEARNING OBJECTIVES

After completing this section, you should be able to do the following:

     Recall statistics about fraud detection.

     Identify differences between external auditing and forensic investigations.

     Identify differences between an external auditor's and management's responsibilities with regard to fraud as contained in professional standards.

Overview

A study by the Association of Certified Fraud Examiners, “Report to the Nations on Occupational Fraud and Abuse 2016 Global Fraud Study,” noted that frauds initially detected by external auditors accounted for approximately 3.8 percent of all global fraud cases. Most frauds were initially detected by tip (39.1 percent), by management review (13.4 percent), by internal audit (16.5 percent), and by accident (5.6 percent).1 These rankings of how fraud was initially detected are consistent with other studies conducted by national public accounting firms during the past two decades.

Historically, many corporate and other stakeholders have believed that the external auditor is responsible for the detection of fraud—regardless of the dollar amount. This expectation gap between these stakeholders' beliefs about the auditor's role and the external auditor's professional responsibility with regard to fraud was narrowed somewhat by the issuance of professional standards in the 1980s.

These standards evidently did not sufficiently diminish the expectation gap as additional standards were issued over the next two decades in an attempt to close this gap. The current guidance provided to external auditors that addresses external auditors' and management's responsibilities with regard to fraud is contained in AU-C section 240, Consideration of Fraud in a Financial Statement Audit. This standard states that

The primary responsibility for the prevention and detection of fraud rests with both those charged with governance of the entity and management. It is important that management, with the oversight of those charged with governance, places a strong emphasis on fraud prevention, which may reduce opportunities for fraud to take place, and fraud deterrence, which could persuade individuals not to commit fraud because of the likelihood of detection and punishment.

Fraud is defined in this standard as an intentional act by one or more individuals among management, those charged with governance, employees, or third parties, involving the use of deception that results in a misstatement in financial statements that are the subject of an audit. There are two classifications of misstatements due to fraud: those arising from fraudulent financial reporting and those arising from misappropriation of assets. Historically, approximately 10 percent of all fraud cases have been due to fraudulent financial reporting. However, these frauds account for the majority dollar value of all fraud. This type of fraud is usually committed by senior management, involves collusion, and often involves the creation of fictitious journal entries. Approximately 90 percent of frauds involve misappropriation of assets, are generally perpetrated by employees, and account for between approximately 10 percent and 20 percent of the dollar amount of all fraud. These frauds are perpetrated using various means, such as creating fake vendors, stealing inventory, and padding the payroll.

AU-C section 240 provides additional guidance to assist external auditors in closing the expectation gap and increasing the likelihood of detecting material misstatements due to fraud. The guidance includes having the audit team brainstorm about fraud, exercising a higher degree of professional skepticism, performing inquiry about fraud, using more robust analytical procedures, and performing audit procedures in areas that historically were often the source of misstated financial statements (such as revenue, estimates, and journal entries).

Has this standard closed the expectation gap? Critics of the public accounting profession might argue that, based upon the findings of numerous studies, external auditors are still only detecting 3 percent of all frauds; the expectation gap is as wide as it ever was and external auditing standards have not had an impact on closing the expectation gap. The public accounting profession presents an alternative argument and states that the purpose of a financial statement audit is to render an opinion on historical financial statements—not to provide a guarantee of detecting immaterial or material fraud. AU-C section 240 defines external auditors' responsibilities with regard to fraud:

An auditor conducting an audit in accordance with GAAS is responsible for obtaining reasonable assurance that the financial statements as a whole are free from material misstatement, whether caused by fraud or error. Because of the inherent limitations of an audit, an unavoidable risk exists that some material misstatements of the financial statements may not be detected, even though the audit is properly planned and performed in accordance with GAAS.

Audit procedures that are effective for detecting an error may be ineffective for detecting fraud.

It is important to stress the last sentence—that audit procedures that are effective for detecting an error may be ineffective for detecting fraud. Forensic investigators have developed procedures that increase the likelihood of detecting fraud; however, even forensic investigators know that there is no guarantee that their procedures will detect fraud. It is relevant to distinguish some differences between external audit and forensic procedures. These are discussed in the following text.

KNOWLEDGE CHECK

1.     According to the Association of Certified Fraud Examiners' 2016 study, most fraud cases were initially detected by

a.     Tip.

b.     Management review.

c.     Internal auditors.

d.     External auditors.

Differences Between External Audit and Forensic Procedures and Principles

The following is an example of a difference between audit and forensic procedures and principles:

     The external auditor establishes a dollar amount of materiality for the financial statements. If financial statement misstatements are above this materiality amount then the auditor will provide an opinion other than unqualified (clean opinion).2 Financial statement materiality is used to determine sample sizes, audit procedures, and tolerable misstatements by individual financial statement line item. For example, if financial statement materiality is $500,000 and the auditor determined that $10,000 would be tolerable for misstatements to accounts receivable, then accounts receivable would be considered fairly stated if it is misstated by less than $10,000. The remaining $490,000 of materiality could essentially be reallocated to other financial statement line items when determining tolerable misstatements. One commonly used audit procedure to assess if errors in an account are greater than tolerable misstatement (and, thus, that the account is not fairly stated) is the use of statistical sampling.

      External auditors often use a statistical sampling method called monetary unit sampling (MUS) to select items for testing. This sampling method is biased toward selecting physical units with large recorded balances. For example, if the tolerable error was $10,000 and a particular account receivable had a balance greater than $10,000, then this account would be selected and the audit procedure performed (such as sending a positive confirmation). Although each dollar within the population is subject to being selected, larger-valued accounts have a greater probability of being selected for detailed testing.

      For example, an accounts receivable account might have a zero balance. However, this could be an account with a customer with whom the client conducts a large volume of business. The real balance of the account could be over $100,000, but due to a posting error, the account balance may depict the amount owed to the client as zero. This account, with a zero balance, generally would not be selected to receive a confirmation by the external auditor.

      A possible fraud example could be that the real account receivable is $100,000, but the client's customer paid the bookkeeper a kickback to write off the account (or give a discount for early payment when the payment was not received within the discount period).

      MUS most likely would not select an account that has a small balance. Forensic investigators might be interested in an account or item with a small balance, as a perpetrator might be testing the system with a small dollar amount of fraud to see if he or she is detected. If the perpetrator is not detected, then he or she might have an increased confidence of not being detected and initiate a much larger fraud using the same technique that was employed to steal the smaller dollar amount.
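
The selection bias described above can be reproduced with a short script. This is an added example, not part of the original chapter: the ledger is constructed, the function names are hypothetical, and it assumes the common systematic form of MUS with a sampling interval set to the $10,000 figure used in the text.

```python
# Constructed accounts-receivable ledger: (account id, recorded balance in dollars).
LEDGER = [
    ("AR-001", 42_000),  # large recorded balance
    ("AR-002", 0),       # zero recorded balance (posting error or improper write-off)
    ("AR-003", 150),     # small balance, e.g. someone testing the system
    ("AR-004", 7_500),
    ("AR-005", 12_300),
    ("AR-006", 900),
    ("AR-007", 3_150),
]


def mus_select(ledger, interval, start):
    """Systematic monetary unit sampling (assumed variant).

    Recorded dollars are laid end to end; dollar number `start` and every
    `interval`-th dollar after it is a "hit". The account that contains a
    hit dollar is selected for testing (for example, a confirmation).
    """
    if not 1 <= start <= interval:
        raise ValueError("start must lie within the first interval")
    selected = []
    cumulative = 0
    next_hit = start
    for account, balance in ledger:
        if balance < 0:
            raise ValueError("credit balances need separate handling")
        cumulative += balance
        if next_hit <= cumulative:
            selected.append(account)
            # One account may contain several hits; it is still tested once.
            while next_hit <= cumulative:
                next_hit += interval
    return selected


def selection_probability(ledger, interval):
    """Exact chance of selection per account, over every possible random start."""
    counts = {account: 0 for account, _ in ledger}
    for start in range(1, interval + 1):
        for account in mus_select(ledger, interval, start):
            counts[account] += 1
    return {account: hits / interval for account, hits in counts.items()}


def never_sampled(ledger, interval):
    """Accounts that no random start can ever reach."""
    probabilities = selection_probability(ledger, interval)
    return [account for account, p in probabilities.items() if p == 0]


if __name__ == "__main__":
    for account, p in selection_probability(LEDGER, 10_000).items():
        print(f"{account}: {p:.3f}")
    print("never sampled:", never_sampled(LEDGER, 10_000))
```

Accounts at or above the interval are certain to be tested, the $150 account is reached by only 150 of the 10,000 possible starts, and the zero-balance account contains no recorded dollar to hit, so a forensic review has to pick such accounts by other means.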

     External auditors gather evidence to test a single hypothesis that does not change: Do the financial statements (of a particular entity at a particular date) present fairly, in all material respects, the financial position, results of operations, and cash flows (for the period ended) in conformity with accounting principles generally accepted in the United States of America (or other principles)?

      A forensic investigator might begin with an initial hypothesis that changes as the investigation proceeds. For example, a large grocery store chain conducted a physical inventory monthly. Each month the inventory per the physical count at one location was consistently less than the amount per the books. The first hypothesis was that inventory was being received in the rear of the store (warehouse area), marked as received, but then the warehouse personnel took the inventory back out the rear door. After a month-long surveillance (unknown to the warehouse employees, security cameras had been installed), it was determined that this hypothesis should be rejected. A second hypothesis was postulated—that customers or employees (or both) were eating the inventory (food) while they were in the store. After another month of surveillance by mystery shoppers (another form of surveillance),3 it was concluded that this hypothesis was not supported by the evidence. Next, it was hypothesized that the cashiers were in collusion with customers and were either recording grocery items at lower prices than were contained on the grocery items or were not even recording the grocery items. Mystery shoppers again were used as a means of surveillance but did not detect any wrongdoing. This hypothesis was also rejected. The forensic investigator was becoming frustrated with his inability to solve the inventory shortage mystery.

      How was the fraud detected? The forensic investigator decided to visit other grocery store locations to see if any receiving, warehousing, or sales procedures were different from the store location that was experiencing the inventory shortage. The forensic investigator entered another store location and was stunned. The store he was visiting only had seven cash register stations. The store that was experiencing the loss had eight cash register stations.

      Why did the store experiencing the inventory shortage have an additional cash register station? The store manager had constructed a cash register station and bought a cash register. All sales that were conducted at the store manager's cash register station went into her pocket. The corporate office was expecting seven cash register tapes, and that is the number they received. The store manager was responsible for counting each cash register clerk's cash and other receipts, balancing to daily sales, making the deposit, and sending daily reports to the corporate office for the store's daily sales journal entry. The store manager had inadequate separation of duties between access to assets (counting the cash and making the deposit), independent reconciliation (reconciling the cash register clerk's cash and other receipts), and sending daily reports to corporate office for the store's daily sales journal entry (bookkeeping).

     External auditors generally rely upon traditional analytical procedures to highlight possible fraud. These analytical procedures include the extensive use of ratio analysis, such as working capital ratio or inventory turnover. An analysis of these ratios might provide evidence of a misstatement that, upon investigation, could be fraud.

      Forensic investigators also use traditional analytical procedures and apply other analytical procedures in unique ways. For example, in the preceding grocery store case, the forensic investigator used a frequency distribution to assess if the components of the daily deposit at the store location where the fraud was occurring were similar to all other store locations' deposit components. When this analytical procedure was used it was found that the daily deposit at the suspect store contained more checks than cash. The store manager would substitute the checks received in the fraudulent register with cash received in other registers. A review of the composition of the deposit raised a major red flag.
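
The deposit-composition comparison from the grocery store case can be sketched as follows. This is an added example, not part of the original chapter: the deposit figures are constructed, the function names are hypothetical, and the median-based outlier score with a 3.5 cutoff is an assumed way of comparing one store's distribution with its peers.

```python
from collections import defaultdict
from statistics import median

# Constructed daily deposit slips: (store, day, cash dollars, check dollars).
DEPOSITS = [
    ("S01", 1, 6000, 4000), ("S01", 2, 6200, 3800),
    ("S02", 1, 5800, 4200), ("S02", 2, 6000, 4000),
    ("S03", 1, 6100, 3900), ("S03", 2, 5900, 4100),
    ("S04", 1, 3900, 6100), ("S04", 2, 4100, 5900),  # more checks than cash
    ("S05", 1, 6300, 3700), ("S05", 2, 6100, 3900),
    ("S06", 1, 5900, 4100), ("S06", 2, 5700, 4300),
]


def check_share_by_store(deposits):
    """Fraction of each store's deposited dollars that arrived as checks."""
    cash = defaultdict(int)
    checks = defaultdict(int)
    for store, _day, cash_amount, check_amount in deposits:
        cash[store] += cash_amount
        checks[store] += check_amount
    return {
        store: checks[store] / (cash[store] + checks[store])
        for store in cash
        if cash[store] + checks[store] > 0
    }


def flag_outlier_stores(deposits, threshold=3.5):
    """Stores whose check share sits far from the peer median.

    Uses the median absolute deviation (MAD) so that the suspect store
    does not distort the baseline it is being compared against.
    """
    shares = check_share_by_store(deposits)
    centre = median(shares.values())
    mad = median(abs(value - centre) for value in shares.values())
    if mad == 0:
        # All peers identical: any store that differs at all stands out.
        return sorted(s for s, value in shares.items() if value != centre)
    return sorted(
        store
        for store, value in shares.items()
        if 0.6745 * abs(value - centre) / mad > threshold
    )


if __name__ == "__main__":
    for store, share in sorted(check_share_by_store(DEPOSITS).items()):
        print(f"{store}: {share:.0%} of deposit in checks")
    print("review:", flag_outlier_stores(DEPOSITS))
```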

     External auditors use internal control questionnaires and standard audit programs that stress detective procedures. Often these detective procedures are not performed in a timely manner. This is one reason why shareholders are frustrated with external auditors' inability to find fraud. Because external auditors primarily use detective procedures, external auditors tell the client what and how much was stolen after it was stolen.

      As an example of a common detective procedure, consider a common question on an internal control questionnaire: Does the client have an independent employee reconcile the bank account monthly? A “yes” response would be consistent with a system that possesses strong internal controls. Yes, it would be discovered that cash was stolen up to a month or more after it was stolen. Is this a timely detection of a cash embezzlement? Most likely not.

      A forensic professional would ask why the bank account is reconciled monthly. Why not daily? If a system has errors or fraud occurring, is it not better to learn about the problems sooner rather than later? Is it not better to fix the system that allows the errors or fraud sooner than later before additional errors or fraud can occur? It is entirely feasible for most entities to reconcile their bank account daily by accessing their bank account online. The entire process should not take over a minute or two if the entity has standard off-the-shelf bookkeeping software or a spreadsheet program like Excel. A daily, rather than a monthly, bank reconciliation would provide for a more timely detection of cash defalcations. A principle in this case is, if the entity employs detective controls and the detective control can be performed sooner rather than later, then perform it sooner.

      Again, the forensic professional would note that the external auditors' procedures and internal controls within many accounting systems are primarily detective. For example: The bank account is reconciled (detective). A physical inventory is taken (detective). Accounts receivable statements are mailed to customers (detective). Payroll reports are reviewed for reasonableness (detective).

      The forensic professional stresses that the system and procedures should include, in addition to detective controls, preventive controls. For example, if there is inadequate separation of duties (assume this weakness cannot be mitigated) with regard to access to the entity's operational bank account (which contains more cash than is needed for the current month's expenses), then the company would be encouraged to only keep enough cash in the operational bank account to cover the current month's budgeted expenses, and establish strict controls over the transfer of cash from the bank account that contains most of the entity's cash to the operational bank account.4 A preventive control would then be in place with regard to the operational bank account. If a perpetrator was to steal funds from the operational bank account, the amount of cash that is subject to the risk of misappropriation is limited to one month's budgeted expenditures. Forensic professionals would state, in this example, that a preventive control principle is, if you cannot decrease the risk of fraud or error, decrease the amount that is exposed to the risk. Stratify the account and put additional controls over the portion of the account that is material. In the example, because the risk due to inadequate segregation of duties cannot be mitigated, then the amount of cash exposed to this risk is reduced. The overwhelming portion of the entity's cash is kept in a separate bank account that requires additional procedures to transfer funds to the operating account. A material weakness in the internal control may be reduced to an insignificant control deficiency.

      There are numerous other examples of preventive controls to decrease the likelihood of fraud by following the preceding principles. For example, in a jewelry store, the lower-priced items are typically on display in a locked glass cabinet. The higher-priced items are kept locked in a vault with access restricted to a limited number of authorized employees. The risk of the higher-priced items being stolen is greatly reduced.

      Another example is a bank's vault cash. Many banks do not keep a large amount of vault cash in the vault, which is accessible to many authorized employees. Oftentimes, the largest amount of the vault cash is kept inside a safe-deposit box inside the vault with access to a small number of authorized personnel.

      The forensic professional does not belittle the need for detective controls. Rather, it is stressed that there should be a combination of preventive and detective controls. Detective controls should catch misstatements in case the preventive controls fail. For example, a manual payroll system might require an independent employee to compare all employee paychecks against the payroll register. However, due to human fatigue, the reviewer may not notice that a transposition error was made in a check and that an employee received a check that was greater than the amount in the payroll register. In this example, the preventive control—comparison of payroll checks with the payroll register before the payroll checks are distributed—did not work. The detective control—reconciliation of the bank account to the payroll register—would detect this error, as the reconciliation would be out of balance by the difference in the recorded amount of the employee's payroll check in the payroll register and the actual amount on the check. If a separate payroll bank account was used, then this account would be overdrawn by the amount of the difference between what was recorded and the actual amount of the check. The bank would contact the entity concerning the overdraft (again, a detective control).

      A forensic principle in this case is, use a combination of preventive and detective controls in your internal control systems.

     Forensic professionals use many evidence-gathering techniques that are not typically used by external auditors. For example, surveillance is often used to obtain evidence. If an individual is aware of the surveillance, then surveillance is a preventive control. If the individual is not aware of the surveillance, then the surveillance is a detective control.

      There are numerous types of surveillance. The most familiar type is the use of cameras. A large cheese manufacturer has a webcam in the warehouse to determine if employees are working and if inventory is being stolen. A large construction contractor has webcams at many job sites—to detect ghost employees and to assess if invoices received for construction materials correlate with the deliveries viewed on the webcam.

      There are also other types of surveillance. For example, a bookkeeper using an off-the-shelf accounting package can be told: “Don't worry if you make a mistake, as the system records everything you do” (even fraud!).

      A large distributor with its own fleet of trucks has GPS systems installed on the trucks to monitor deliveries. Additionally, there is a system to report if the driver exceeds a certain speed limit.

     An audit of financial statements generally covers a period of one or two years. A forensic investigation may cover substantially more years—particularly in cases that involve collusion or inadequate segregation of duties.

     The audit of financial statements requires that evidence be gathered to provide “reasonable assurance.” The forensic investigation requires that evidence be gathered in accordance with legal standards of evidence.

     The external auditor of the financial statement sets the scope of work to be performed. A forensic investigator's scope is oftentimes determined by the attorney who engaged the forensic investigator.

The preceding are some of the differences between external auditors' and forensic professionals' procedures and principles. Hopefully, the reader has learned, despite the “general public's” perception, that audit procedures are not designed to specifically detect fraud. Rather, audit procedures are designed to obtain evidence concerning the fairness of presentation of historical financial statements. It is relevant to reiterate the external auditors' responsibility with regard to fraud:

An auditor conducting an audit in accordance with GAAS is responsible for obtaining reasonable assurance that the financial statements as a whole are free from material misstatement, whether caused by fraud or error.

However, absolute assurance is not attainable and thus even a properly planned and performed audit may not detect a material misstatement resulting from fraud. A material misstatement may not be detected because of the nature of audit evidence or because the characteristics of fraud as discussed previously (internal and external collusion, forged signatures, and more) may cause the auditor to rely unknowingly on audit evidence that appears to be valid, but is, in fact, false and fraudulent. Furthermore, audit procedures that are effective for detecting an error may be ineffective for detecting fraud.

Many external auditors have tried to address this expectation gap with their clients and entity shareholders by including specific wording in their management representation letters and also in their opinions specifically addressing their responsibility related to the detection of fraud.

KNOWLEDGE CHECK

2.     This statistical sampling method is biased toward selecting physical units with large recorded balances:

a.     Haphazard.

b.     MUS.

c.     Block.

d.     Simple random.

3.     An employee being told that he or she is under surveillance is what type of control?

a.     Detective.

b.     Preventive.

c.     Segregation of Duties.

d.     Analytical.

Summary

Several studies that address the initial detection of fraud were reviewed. Most frauds are discovered by tip. The expectation gap between what stakeholders believe external auditors' responsibilities are with respect to fraud and the actual responsibility of external auditors was discussed. Differences in an external auditor's and a forensic professional's procedures and principles were reviewed.

It is important to stress that audit procedures that are effective for detecting an error may be ineffective for detecting fraud.
