Chapter 1

Fraud Theory

Auditors today are at a crossroads regarding how to incorporate fraud detection into their audit plans. Sarbanes-Oxley, Public Company Accounting Oversight Board (PCAOB) regulators, and the professional standards of auditing are requiring auditors to give greater consideration to incorporating fraud detection into their audit plan. Companies’ boards of directors, management, and the public are asking why is fraud occurring and going undetected in our business systems. Auditors are asking themselves whether fraud can be detected when there is no predication or allegation of a specific fraud.

Traditionally, the auditing profession had two fundamental ways to deal with the fraud question:

Historically, the profession relied on evaluating the adequacy and effectiveness of internal controls to detect and deter fraud. Auditors would first document the system of internal controls. If internal controls were deemed adequate, the auditors would then test those controls to ensure they were operating as intended by management. The test of internal controls was based on testing a random, unbiased sample of transactions in the business system. Conventionally, audit standards stated that auditors should be alert to the red flags of fraud in the conduct of an audit. Study after study indicates that the lack of professional skepticism is a leading cause for audit failure in detecting fraud.

In one sense, the search for fraud seems like a daunting responsibility. However, fraud in its simplest form should be easy to find. After all, the key to finding fraud is looking where fraud is and has been. This book focuses on the use of fraud auditing to detect fraud in core business systems. Fraud auditing is a proactive audit approach designed to respond to the risk of fraud. Essentially, the fraud audit approach requires auditors to answer these questions:

• Who commits fraud, and how?
• What type of fraud are we looking for?
• Should fraud be viewed as an inherent risk?
• What is the relationship between internal controls and fraud opportunity?
• How is fraud concealed?
• How can we incorporate the fraud theory into our audit approach?
• What are the ways fraud auditing can be used to detect fraud?

BUILDING FRAUD THEORY INTO THE AUDIT PROCESS

Fraud auditing is similar to, but different from traditional auditing in several ways. Typically, an audit starts with an audit plan, whereby, risks are identified through a risk assessment, controls are linked to the risks, sampling plans and audit procedures are developed to address the risk(s) identified. The audit steps are the same regardless of the system(s) being targeted. Throughout the process, the auditor must have an understanding of the system(s) being audited. For example, to audit financial statements, auditors must understand generally accepted accounting principles (GAAP). In the same way, to audit a computer system, auditors must understand information technology (IT) concepts.

Using the Fraud Risk Assessment

If the steps are the same, then what feature makes fraud auditing different from traditional auditing? Simply, the body of knowledge associated with fraud. The fraud theory must be built into the audit process. Specifically, during the audit planning stage, auditors must determine the type and the size of the fraud risk. By performing a fraud risk assessment, the identified fraud risk is associated with the core business systems. As in the traditional audit, controls are linked to the risk, but in this circumstance it is the fraud risk that is targeted. By incorporating the fraud theory in the fraud risk assessment, the concealment strategies employed by the perpetrator(s) are also considered. Auditors rely on the red flags of fraud to prompt awareness of a possible fraudulent event, known as the specific fraud scheme. The sampling plan is used to search for the transaction indicative of the specific fraud scheme. Then, the audit procedure is designed to reveal the true nature of the transaction.

The Principles of Fraud Theory

Although the fraud risk assessment is a practical tool, there are principles upon which fraud auditing is based that auditors should know before initiating a fraud audit plan. These principles are as follows:

• Fraud theory is a body of knowledge.
• Fraud is predictable to the extent of how it will occur in a specific situation, not necessarily in the actual occurrence.
• The key to locating fraud is to look where fraud occurs.
• If you want to recognize fraud, you need to know what fraud looks like.
• People commit fraud, not internal controls.
• Fraud risk and control risk have similarities. However, fraud risk differs from control risk by containing the elements of intent and concealment.
• Fraud audit procedures must be designed to pierce the concealment strategies associated with the fraud scheme.
• Fraud audit procedures must validate the true economic substance of the transaction.
• Fraud audit comments differ from the traditional management letter or internal audit report.

ATM : AWARENESS, THEORY, METHODOLOGY

Fraud is like an ATM machine at a bank. Both are designed to withdraw money. ATM machines enable users to withdraw money from banks. Fraud is the withdrawal of funds from an organization. The funds may be embezzled directly, siphoned off through kickback schemes, or be the result of inflated costs due to bribery and conflict of interests. The fraud audit approach requires awareness, theory, and methodology (ATM) to detect fraud. Successful auditors need:

Awareness of the red flags of fraud:

• Fraud concealment strategies
• Sophistication of the concealment strategy
• Indicators of fraudulent transactions

Theory provides an understanding how fraud occurs in a business environment:

• Fraud definitions
• The fraud triangle

Methodology designed to locate and reveal fraudulent transactions. The methodology employed in designing a fraud audit program consists of the following stages:

• Define the scope of fraud to be included and excluded from the audit program.
• Verify compliance with the applicable professional standards.
• Develop the fraud risk assessment including:
  • Identify the type of fraud risk.
  • Identify business processes or accounts at risk.
  • Internal controls are linked to the fraud risk.
  • Concealment strategies revealed using the red flags of fraud.
  • Develop a sampling plan to search for the specific fraud scheme.
  • Develop the appropriate fraud audit procedures.
• Write the fraud audit report.
• Understand the fraud conversion cycle.
• Perform the fraud investigation.

The search for fraud is built on both awareness and methodology; however, both items are predicated on auditors having a sufficient knowledge of the science of fraud, hence the fraud theory. Auditors are not born understanding fraud. The awareness needs to be incorporated into the audit plan through audit team discussions during the planning stages. Audit programs must incorporate a methodology that responds to the identified fraud risks existing in core business systems.

Theory

The “T” in ATM stands for theory, specifically, fraud theory. Given that the knowledge of fraud theory is needed by auditors in order for “awareness” to be incorporated into the audit plan and for a “methodology” to be established, the specific elements of fraud theory need to be discussed as a first step.

Definitions

Inherent to the process of searching for fraud is having a clear definition of fraud to be incorporated into the fraud risk assessment. Throughout the process, a thorough understanding of the fraud theory is critical to an auditor’s success in preventing, detecting, deterring, and prosecuting fraud.

Auditors need to understand that fraud is an intentional and deliberate effort by the perpetrator to conceal the true nature of the business transaction. Fraud perpetrators have varying levels of sophistication, opportunity, motives, and skills to commit fraud.

The fraud risk assessment starts with a definition of fraud and the type of fraud facing organizations. The assessment can be based on a legal definition, an accounting definition, or the author’s definition specifically designed for fraud risk assessments.

The Legal Definition

• A known misrepresentation of the truth or the concealment of a material fact to induce another to act to their detriment.
• A misrepresentation made recklessly without the belief in its truth to induce another person to act.
• A tort arising from a knowing misrepresentation, concealment of material fact, or reckless misrepresentation made to induce another to act to their detriment.
• Unconscionable dealing especially in contract law. The unfair use of power arising out of the...