Technology's Role in Audit Confirmationsby
One out of two companies experienced business fraud in 2020 with the average victim losing just under $1.5 million per scheme, it’s a growing risk that needs to be on the radar of auditors and in-house financial executives alike. The combination of remote work, relaxed internal controls, and a downturned economy all set the stage for the perfect storm for fraud. So what can CPAs do to help?
Because electronic confirmation solutions are available to help CPA firms detect fraud so much more effectively, they can also serve as a deterrent to would-be fraudsters hoping to circumvent the audit confirmation process.
Just how pervasive is the problem of fraud in today’s economy? Studies indicate that, on average, a company will experience up to six fraudulent events a year, and for those companies that fall victim, the financial impact can be significant. Approximately 13 percent of the victimized organizations said they experienced losses of more than $50 million while another 22 percent were preyed upon for more than $1 million. And these are just the numbers that the public is aware of –– it is estimated that barely one-third of these cases are never even reported to the board.
Fraud is an equal opportunity offender. When large public companies are victims, the news goes global, and the impact is felt across financial markets. However, it is not just public companies. A study by the Association of Certified Fraud Examiners (ACFE) found that private companies account for 70 percent of all fraud cases, while the median loss due to fraud is 23 percent higher in private companies when compared to their publicly traded counterparts.
To that end, regardless of an organization’s size, the impact fraudulent activity can have on the company’s reputation and brand is significant. A loss in shareholder or creditor confidence, and the bad publicity that comes with it, can have a ripple effect that is felt for years to come.
High Profile Confirmation Fraud
Of the recent high-profile fraud cases in the news, many of them have been the result of audit fraud. Luckin Coffee, NMC Healthcare, Commerzialbank, Patisserie Valerie and arguably most notable this past year, Wirecard, have all fallen victim to one of the most basic––yet most prevalent and preventable––fraud schemes simply because auditors are unable to properly verify fraudulent confirmations coming to them from banks, vendors, and other institutions, or because fraudulent confirmations are used to cover up fraud schemes, rather than being fraud schemes themselves.
Auditors have been carrying out third party confirmations to give them assurance as to the existence and value of material balances since the late 1930s. These confirmations provide evidence about key assertions made by the company concerning revenue and collections, particularly the existence and valuation of assets.
SAS No. 67, which lays down the criteria for a proper confirmation, requires direct communication with the third party, a non-biased respondent at that third party, and an independent auditor with a healthy dose of professional skepticism to oversee control of the process. While this seems like a thorough way to confirm financial data, one potential weak area resides with the initial responder contact information provided by the client for the auditors to confirm.
The problem is that it’s also common practice to send confirmations based on client-provided contact information without verifying if the source is a genuine one, making ‘inside jobs’ all too frequent and all the more challenging to catch. There are four common schemes that fraudsters use to bypass the confirmation process by providing false information:
1. Provide false account contact information
In 2005, SmartScript management embezzled more the $2.5 million by simply cutting, pasting, and reproducing official-looking documents that gave auditors bogus contact information and pointed them to confirm information from a fake source.
2. Provide a fake or unauthorized contact name
In the case of Kmart, the auditors were sending and receiving confirmations from the client-provided contact at Coca-Cola. Unfortunately, the person responding wasn’t authorized to make the confirmations and was in on the scheme.
3. Attempt to direct/influence the auditor's authentication process
Fraudsters will oftentimes create fake companies or companies that mimic real ones. A website, a mailing address, and a phone number can all be procured without too much trouble by an industrious fraudster. In 2020, the €1.9 Billion Wirecard fraud fell apart when a reporter tried to visit a location and found that that it didn’t actually exist.
4. Provide fake signatures or difficult to validate signatures
Auditors aren’t necessarily handwriting experts and rarely have the resources to manually confirm individual signatures on confirmations. Scribbling an illegible one or faking a real person's signature––in case the auditors perform a basic employment verification––is an easy way for fraudsters to falsify confirmation documents.
The reality of fraud is that most successful activities are perpetrated, or at least assisted, by employees within the company. It’s estimated that about 5 percent of an organization's revenue is lost to insider fraud each year. That represents a potential total loss approaching $4 trillion annually in the U.S. alone.
Insider fraud usually occurs when three factors collide. When an employee experiences pressure or stress, sees an opportunity, and can create a rationalization for the behavior, they are more likely to commit fraud.
In today’s landscape, the economic downturn provides pressure, the disruption of workflow caused by the COVID-19 Pandemic provides the opportunity, and rationalizations for fraud can be as simple as “trying to provide for my family” or “doing what is best for the company.”
Additionally, it is not always just one insider acting alone. In 2002 for example, at least 14 employees at Health South conspired to create false documents to certify financial statements and hide $300 million in false cash. Owners and executives account for only about 20 percent of fraud cases, but when they do, the impact is ten times more significant than fraud committed by lower-level employees, with a median loss of $600,000.
Reducing Confirmation Fraud Risk with Electronic Confirmations
For decades, the confirmation process has been manual and paper-based. And for just as long, fraudsters have been exploiting holes in this system for their benefit. Secure electronic confirmation solutions typically alleviate many of the issues found with paper ones. This is achieved by using a secure online network maintained by an independent third party where all the responders to confirmations are validated before they can respond to an auditor’s confirmation request. In that sense, it works a lot like an ATM network.
Electronic confirmations are also significantly more efficient because they are more likely to be responded to and in a much shorter timeframe. The typical turnaround for an electronic confirmation is just over 24 hours, with some taking as little as three minutes.
Turnaround for paper confirmations, on average, is close to 21 days. Shortening that window of time significantly reduces the opportunities for fraudsters to exploit the confirmation process.
Another advantage of electronic confirmations is that they create a three-party transaction between the requestor (accounting firm), the authorizer (who is independent of the requester), and the request fulfiller (banks or other confirming entities). This method provides a traceable confirmation path and the means of authenticating the recipient at each stop in the transaction.
Shoring Up Internal Controls
Ultimately, it is poor internal controls that allow financial fraud to flourish. Fraudsters are an industrious lot, and they will test the system and identify weaknesses to exploit. They will go to great lengths to cover their tracks by falsifying documents, creating fake contacts or entities for confirmation, or by exerting influence where they can in the confirmation process.
Implementing stricter controls via an electronic confirmation process can help reduce fraud by providing auditors with a quick, transparent, and documentable way to verify material information and ultimately instill confidence with both internal and external stakeholders to help them ride out this perfect storm.
Josh Newman is Confirmation’s Director of Sales for North America. As part of his role at Confirmation, which is part of Thomson Reuters, Josh leads a team that supports Financial Institutions, Creditors, and Mortgage Auditors helping them digitize operations, increase efficiency, and reduce the risk of fraud.