Fraud Detection is not Just by the Numbers
Audit professionals should, by now, be knowledgeable of Statement on Auditing Standards (SAS) No. 99, Consideration of Fraud in a Financial Statement Audit. Professional standards mainly focus on fraud detection procedures, but beyond this, the standards available for the auditor to consider once fraud has been detected are limited. This article focuses on practical audit issues once an auditor identifies misstatements due to potential fraud.
SAS 99 classifies fraud misstatements into two categories: those arising from fraudulent financial reporting and those from misappropriation of assets. The primary factor that distinguishes a fraudulent misstatement from an error is whether the underlying action is intentional or not. Yet, SAS 99 states that "intent is difficult to determine," "an audit is not designed to determine intent," and "fraud is a broad legal concept, and auditors do not make legal determinations of whether fraud has occurred." Therefore, judgment is critical after the potential fraud determination is made, and this is where Generally Accepted Auditing Standards (GAAS) provide limited practice guidance.
In the event of potential fraud, the auditor must determine whether the effect is material or not. This may involve extending audit procedures, as well as the consideration of what other aspects of the audit may be impacted.
"If the auditor believes the misstatements are or may be the result of fraud, but the effect is not material..., the auditor nevertheless should evaluate the implications, especially those dealing with the organizational position of the person involved." SAS 99 assists with judgment and prompts the auditor to consider the impact upon the audit as a whole, such as with the following:
- Can the auditor determine the fraud is isolated to an area that is not material to the financial statements?
- If material, can the auditor determine if the fraud is isolated and can be reasonably controlled in a complete population of transactions, subject to extended analysis?
- If immaterial in an isolated area, does the matter involve senior management? The auditor must consider if the fraud is indicative of a more pervasive problem that would require reassessment of management's integrity.
If the auditor determines the misstatement is due to fraud and is material, or the auditor has been unable to make a determination, the following guidance is provided:
- Obtain additional evidential matter.
- Consider impact upon other audit areas.
- Discuss the issue, including the approach for further investigation, with the appropriate level of management.
- Consider suggesting client consult counsel.
- Explore withdrawal if audit tests indicate significant risk of material misstatement due to fraud, and communicate the reasons for such action.
- Consider consulting with accounting firm's counsel.
Ultimately, professional standards require auditors "to obtain reasonable assurance about whether the financial statements are free of material misstatement, whether caused by error or fraud."2
SAS 99, however, concedes that "considering the nature of the audit and the characteristics of fraud, absolute assurance is not attainable." In fact, any experienced fraud investigator will tell you it is unlikely that the full extent of a fraud will ever be determined considering the intentional concealing or disguising of information.
Recent events, new legislation, and new professional guidance have increased client expectations with respect to an auditor's responsibility to detect fraud. Consequently, the judgment exercised by an auditor who is confronted with potential fraud is now additionally critical. The standards note that even a properly planned audit performed in accordance with GAAS may not detect a material misstatement, so the auditor must address client expectations with effective communication. Management must understand the nature and limitations of the audit and what its responsibilities are with respect to financial statements and fraud.
Moving from theory to practice, below are two examples of fraud that were created to demonstrate two types of misstatement.
Financial Reporting / Kick Backs: While performing sales cut-off testing at a division of a client, the auditor comes across selected transactions that include a sale to a customer that is recognized as being a major vendor, based upon evaluation of business concentrations in another audit area. The situation appears unusual, and the sale amount is deemed material.
Relevant documentation for the transaction is requested. The documentation includes evidence of subsequent payment of the related receivable after the year-end date. The shipping documentation, however, was not provided, and analysis indicates there are no shipping records. Despite payment evidence, there is no evidence that any product was delivered.
Further analysis is extended, and the company's vendor invoice file is requested. The auditor identifies several "special service project" invoices submitted to the client for payment. These invoices are less detailed than others in the file and are not supported by approved purchase orders or receiving documents. The total amount of the special projects is identical to the amount of the sale transaction initially questioned.
The findings are discussed with the divisional CFO, who provides inadequate explanations. After contacting the appropriate management at the parent company, the auditor meets again with the divisional CFO and indicates an investigation is being considered. At this point the CFO comes clean.
Motivated by job security concerns, the CFO, in concert with his divisional CEO, developed a scheme to increase sales to attain a budgeted revenue goal. The CFO chose a major vendor, wishing to protect significant legitimate business, to facilitate a kickback scheme. The CFO would periodically direct the vendor to bill the division for special projects, payable within 30 days. Thereafter, the CFO would coordinate and generate a fictitious sale to the vendor company for an amount equal to the special project purchases, which had already been paid to the vendor. Within 30 days of the fictitious sale invoice date, the vendor would remit payment, or "kick back" the same amount of funds to the division. At the end of the cycle, the scheme leaves the vendor/customer company whole from a cash perspective and the division has recognized fraudulent sales, allowing it to attain the budgeted sales goal.
Misappropriation / Embezzlement: While performing year-end physical inventory procedures for a medical supply company, auditors identify a material unfavorable variance, or shortage, between the perpetual records and the lower physical count for certain test kits. The audit manager brings the matter to the audit partner and is told to make further inquiries of client personnel.
The initial findings indicate that the issue warrants further analysis. The auditors inspect the prior year inventory work papers, noting that a similar shortage existed with the same inventory. At that time, however, the amount was deemed immaterial, no inquiries were made, and an inventory adjustment was posted to account for the shortage.
The auditors then request accounts payable, purchasing, and inventory receiving records for the test kit purchases. The accounts payable department provides a report of recorded payments to the single vendor and the related invoice file. The auditors are not given the receiving documents, which are maintained by the warehouse supervisor. The auditors directly request them from the supervisor, and are told the documents will be provided the following week. After two weeks of repeated follow up, no receiving documents are provided and the warehouse supervisor is on medical leave.
Working with the documentation available, the auditors review the vendor file looking closely at the invoices. They detect that payee names and addresses are inconsistent on certain invoices, which were authorized for payment by the warehouse supervisor. The auditors then request the cancelled checks for payments made to the vendor. They notice that some of the checks bear endorsement stamps and deposit markings typically expected, while others have a different endorsement and notations indicating negotiation at a local check cashing agency. The auditor determines that the warehouse supervisor generated fictitious purchases by creating and authorizing fraudulent vendor invoices. Accounts payable then processed payments to named payees at certain addresses controlled by the warehouse supervisor, who then personally negotiated the checks at a check cashing agency.
Analysis of the Issues
The steps taken and the judgment exercised by the auditors, as presented in the examples, can serve as reference for how one could proceed based upon the facts and circumstances in each instance. However, due to the unique nature of fraud, there is no standard checklist of audit procedures to reference. Having read through the two fraud cases, consider how easy it can be for auditors to not detect that fraud had occurred. In the first example, for instance, what if the linkage of the customer and vendor name was never recognized; or in the second example, what if the manager did not bring the issue to the partner, but rather independently accepted the explanations to a few follow-up inquiries directed to the warehouse supervisor. The auditor must rely upon skill and experience, and exercise sound judgment, to determine what steps to take when faced with potential fraud.
As noted previously, a properly conducted audit still may not detect material fraud. The nature of the kickback scheme, for example, is not easy to identify in the context of normal audit procedures. Frequently such schemes are identified outside the audit context and brought to the client's attention by an outside party.
Consider the examples, and think about how you, as an auditor, plan an audit, design procedures, and perform on audit engagements. Evaluate how your audit approach could detect the kickback and embezzlement frauds and what judgments you would make regarding extended audit procedures. How far should the financial statement auditor extend audit procedures or investigate potential fraud that has been detected? The auditor is responsible for the initial discovery of material fraud and extending procedures to make a reasonable determination of the financial statement impact. Once the auditor starts down this investigative or forensic road, there are a number of professional issues that need to be considered. Where does the auditor draw the line between financial statement audit procedures and other forensic or consulting type procedures? Does the auditor have the requisite experience to properly opine on the financial statements? Does the auditor possess independence in mental attitude? GAAS guidance is vague and limited in these areas.
Clearly auditors are required to investigate instances of potential fraud to assess the effect on the financial statement as well as the impact upon the audit engagement as a whole. The judgment exercised in deciding upon the nature and extent of audit procedures to be extended requires careful consideration. Issues may arise that are not addressed in GAAS. For example:
- At what point do extended audit procedures become a separate forensic investigation, which typically includes procedures not ordinarily performed in an audit of financial statements? Considering GAAS - which include requirements regarding adequate technical training and proficiency as an auditor - does the same skill set qualify the financial statement auditor to conduct a forensic investigation?
- If procedures do not expand beyond those necessary to issue an opinion, and the auditors conclude they have the competencies to perform the procedures, then the auditors can complete the work and remain independent. However, auditors must be aware that they may subsequently lose their independence if they agree to take on a role as an expert witness or serve as an advocate for the client.
- If financial statement auditors conduct separate forensic investigations, have they now accepted responsibility that adds additional audit risk that they are not qualified to address? Before conducting a "forensic" investigation beyond SAS 99 requirements, auditors should consider all of the issues that could arise, the relevant professional standards, and the potential increase in audit risk coupled with professional liability exposure.
Auditors are well aware that they operate in a litigious environment, especially with SAS 99 and Sarbanes-Oxley now in the mix. When potential fraud is detected and auditors have properly extended audit procedures in accordance with GAAS to assess the financial impact, auditors should discuss the findings with the appropriate level of management. Auditors should consider suggesting that the client retain a forensic examiner to conduct a complete and separate fraud investigation if the auditors determine that either they lack the skill to perform such an investigation or, in their judgment, independence could be impaired as a result of additional work.
A finding of fraud within a financial statement audit raises more questions than are answered by the applicable professional guidance. Ultimately, the answers must be based on the facts and circumstances of each unique encounter. There is no simple checklist that provides the right answers or paths to take. Reasonableness and auditor judgment must carry the day.
Reprinted with permission from the Pennsylvania CPA Journal, a publication of the Pennsylvania Institute of Certified Public Accountants. Francis C. Brulenski, CPA, and Ricardo J. Zayas, CPA, CFE, CVA, are both principals at Nihill & Riedley PC in Philadelphia. Brulenski can be reached at email@example.com. Zayas can be reached at firstname.lastname@example.org.