In today’s world, where corporate scandals often make front-page news, fraud prevention and detection are becoming a priority for management and decision-makers. The Association of Certified Fraud Examiners (ACFE) reports that an average organization loses an estimated 5% of its annual revenue to fraud; hence, fraud is one of the major risk factors facing an organization (both financially and reputationally).
Typically, a large majority of midsize to large organizations consider their internal and external auditors pivotal for uncovering fraud and taking preventive measures to minimize the risk of loss due to fraud. However, this does not imply that independent auditors often identify fraud; in fact, the opposite is true in many cases. ACFE’s Report to the Nations points out that auditors rarely find fraud—internal audit detects fraud 15% of the time, while external audit merely 4% of the time.
One reason auditors rarely find fraud is that audits are not designed to detect and/or prevent a fraud from occurring. Audit procedures and rules are more likely to determine whether an organization’s financial statements are fairly stated without any material discrepancies and whether appropriate internal controls are in place. They are not aimed at detecting and remediating a fraudulent occurrence. For instance, organizations exhibiting unethical culture and poor employee behavior are often held responsible for data breaches, whereas there is no relationship between auditors and the conduct of employees, as typical audit rules do not require auditors to consider qualitative and nonregulatory factors. Hence, auditors cannot be held accountable for fraudulent incidents in most cases.
Knowing all this, fraudsters try to take advantage of the gap between an auditor’s limited reach and the organization’s policies and procedures. This makes fraud prevention a mutual responsibility of the board, top-level management and auditors.
The following are some reasons why auditors rarely find fraud:
- The audit universe has its limitations—During an audit engagement, auditors usually evaluate financial statements of the organization or test internal controls that are in place. Most of these audit procedures are aimed at detecting material facts and correcting material errors. Materiality, in this context, is a misstatement/weakness in internal controls over financial reporting that might affect decision-making and profitability of stakeholders. Hence, the audit universe captures transactions and controls that are at or above material level.
- Lack of volatility in audit tests—Generally, auditors are not known to modify their testing methods from one exercise to another; their focus remains set on the specific thresholds of controls and the transactions occurring. This makes audit testing predictable as employees are often aware of the scope of the audit and the opportunities that exist under the auditor’s radar. Adding an element of surprise can be an effective method in detecting and preventing fraud, yet it is not commonly used by auditors.
- Sampling is not enough to capture the whole story—Sampling is widely used for testing transactions in an audit. Auditors collect random samples of transactions to verify that they were correctly recorded and that the internal controls were in place and working at the time. An intrinsic limitation of sampling is that not all transactions are tested, which creates a high probability that a fraudulent transaction will not be captured in the auditors’ sample and will go undetected.
- Fraudsters might prove clever for inexperienced auditors—Today’s business model for audit enterprises relies on relatively inexperienced auditors to perform a major component of field work. Young and inexperienced auditors often do not know what questions to ask and are usually reluctant to ask difficult questions or challenge management’s decisions. On the other hand, fraudsters can produce fake documents or paperwork to pacify the busy auditor. Simply put, auditors without much experience might not be adept at recognizing suspicious transactions and/or fraudulent documentation.
- Time and budget constraints—As with any other project or engagement, auditors are required to meet certain periodic and monetary deadlines. Limitations of resources and tight project deadlines may lead to audits not being as thorough as planned.
- Heavy dependence on internal controls—The scope of testing and the types of audit procedures used are heavily influenced by the assessment of internal controls. Auditors review the organization’s policies and procedures that help ensure accurate processes and financial statements. Internal control deficiencies are often repeated year after year even with increased auditing procedures, while the client continues without addressing those deficiencies.
Editor’s Note: © 2019 Protiviti Inc. All rights reserved. This article was excerpted with permission from Protiviti’s KnowledgeLeader, a subscription-based website that provides audit programs, checklists, tools, resources and best practices to help internal auditors and risk management professionals save time, manage risk and add value. ISACA members receive a discount on an annual subscription to the service.