Best Practice in Carrying Out a Fraud Audit, and Why Automation Can Help

Kezia Farnham

Taking a structured approach to identifying fraud within your business — a.k.a. carrying out a fraud audit — is the recognized best practice for detecting potential frauds and finding ways to prevent them. Fraud costs U.S. businesses in a big way: it’s estimated that internal theft creates losses for U.S. businesses of up to $50 billion a year.

A fraud audit, or fraud risk audit, can be a vital tool in your lines of defense against these losses. But how should you conduct a fraud audit? What are the most effective audit procedures to detect fraud? And can automation help to make your fraud audit procedures more efficient and effective?

 

Definition of a Fraud Audit

What is a fraud audit? It’s a detailed examination of a business’s financial records, designed to uncover any fraudulent activity.

A fraud audit is more detailed and granular than a normal audit, as the sums of money can be smaller than the standard materiality threshold that determines areas of interest in a general audit. It might involve more interviews with employees to identify behavior that may be indicative of current or future fraud.

Technically speaking, as Accounting Tools points out, a fraud audit is “a consulting service, rather than a type of audit, since the outcome does not involve giving an opinion on a client's financial statements.”

 

Why Do People Commit Fraud?

If you are carrying out a fraud investigation audit, it helps to explore why fraud occurs.

When looking at reasons for and the likelihood of fraud, the 10-80-10 rule is interesting. This rule breaks down the population into:

  • 10% that would never commit fraud
  • 80% that might commit fraud, given the right combination of rationalization, opportunity and incentive (see below for more detail on these three elements of the Fraud Triangle)
  • 10% that are actively seeking out opportunities and ways to commit fraud

The Fraud Triangle

As AGA notes, “To fight fraud one must not only realize that it occurs, but also how and why it occurs.”

The fraud triangle was developed to examine just this.

What is the fraud triangle? It pinpoints three elements that must be present for fraud to occur — and as a result, enables auditors to identify conditions ripe for fraud. The three elements are:

Rationalization (sometimes referred to as Justification or Attitude). The reasons a fraud perpetrator uses to justify their fraud. This might include perceived unfair treatment by the employer.

Opportunity. A fraud can only happen when there is the opportunity to commit it. This opportunity may present as a result of changed circumstances (for instance, a more responsible or less overseen role), weakness in internal controls, or a corporate ethos of poor governance, ethics and compliance.

Incentive (sometimes termed Pressure or Motivation). The impetus for fraud can be pressure to meet targets; for instance, to achieve a financial incentive, or because of external shareholder or stakeholder expectations. It can also be very personal: the need to pay off debts, fund addictions or help family members with similar issues.

 

The Importance of Internal Audit in Fraud Detection

The role of internal audit in fraud detection is often debated. How much should internal auditors be accountable for detecting fraud?

The Institute of Internal Auditors (IIA) believes that “Organizations should have robust internal control procedures to limit the risk of fraud, and internal audit’s role is to assess these controls.”

Putting these internal controls in place tends to sit with the business; fraud detection, though, usually rests with audit teams.

The Institute also notes that:

“Consistent with The IIA’s International Standards for the Professional Practice of Internal Auditing on proficiency (1210.A2), internal auditors must have sufficient knowledge to evaluate the risk of fraud and the manner in which it is managed by the organization.”

Auditors are therefore accountable for fraud risk management and evaluation.

External auditors, as well as their internal counterparts, are often in the spotlight on fraud detection and prevention. But Ed Anderson, partner at law firm Browne Jacobson, argues that doing so misplaces responsibility:

“They are not forensic accountants, who deal with cases of fraud in their daily jobs. Most auditors will never encounter it in their career and have a fundamentally different mindset.”

This misconception of what auditors do can place unfair expectations on auditors to identify fraud. In fact, there is a move towards fraud detection falling within the directors’ and management’s remit, and away from the audit team, influenced in part by the Sarbanes-Oxley Act, which places directors front and center on governance, risk and compliance.

 

How Can Audit Teams Detect Fraud?

Increased training and a focus on fraud are two areas that Accountancy Age identifies as essential if auditors are to “dial up” their focus on fraud. Growing auditors’ skillsets and changing mindsets are highlighted as two areas that will help.

Importantly, there’s a distinction between fraud detection and fraud prevention.

Auditors may be able to identify fraud, or the potential for it, but Mike Suffield, director of professional insights at the Association for Chartered Certified Accountants (ACCA), believes that it’s not “at all reasonable or even possible to place responsibility on auditors to prevent fraud.”

Internal audit and fraud prevention may often be conflated, but we should be wary about overstating the potential for internal audit teams to prevent fraud, as opposed to simply detecting it.

 

How Automation Can Help Fraud Detection

There are several ways data analysis can be used to automate fraud detection, and therefore to bolster your overall fraud risk prevention.

Data is central to controls testing; having adequate data helps auditors and management to spot warning patterns that might pre-empt or indicate fraud. Forensic data analysis — interrogating this data effectively — enables you to make use of:

  • Statistical analysis, which identifies any transactions outside the norm of what is expected
  • Analytic tests for specific circumstances that indicate a high probability of fraud
  • Data comparisons across different databases and systems

Automation via specialist fraud audit software can make this data analysis more robust, more comprehensive and more systematic.
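
The three kinds of forensic data analysis listed above, sketched as an added Python example (not from the original article or from any audit product): a per-vendor statistical outlier test, an analytic test for payments sitting just under an approval limit, and a comparison of vendor bank accounts against HR payroll accounts. The payment, vendor and employee records, the 10,000 approval limit, the 5% band and the 3.5 cutoff are all constructed assumptions.

```python
from collections import defaultdict
from statistics import median

# Constructed sample data: (payment_id, vendor_id, amount)
PAYMENTS = [
    ("P1", "V1", 1200.0), ("P2", "V1", 1150.0), ("P3", "V1", 1300.0),
    ("P4", "V1", 1250.0), ("P5", "V1", 1180.0), ("P6", "V1", 8400.0),
    ("P7", "V2", 9900.0), ("P8", "V2", 9950.0), ("P9", "V2", 9800.0),
    ("P10", "V3", 500.0), ("P11", "V3", 520.0), ("P12", "V3", 510.0),
]
VENDOR_ACCOUNTS = {"V1": "ACCT-1111", "V2": "ACCT-2222", "V3": "ACCT-9999"}  # vendor master
EMPLOYEE_ACCOUNTS = {"E7": "ACCT-9999", "E8": "ACCT-3333"}                   # HR payroll
APPROVAL_LIMIT = 10_000  # assumed threshold above which a second sign-off is needed


def amount_outliers(payments, cutoff=3.5):
    """Statistical test: modified z-score (median and MAD) within each vendor."""
    by_vendor = defaultdict(list)
    for pid, vendor, amount in payments:
        by_vendor[vendor].append((pid, amount))
    flagged = []
    for rows in by_vendor.values():
        amounts = [a for _, a in rows]
        med = median(amounts)
        mad = median(abs(a - med) for a in amounts)
        if mad == 0:
            continue  # identical amounts: no spread to measure against
        flagged += [pid for pid, a in rows if 0.6745 * abs(a - med) / mad > cutoff]
    return sorted(flagged)


def just_under_limit(payments, limit=APPROVAL_LIMIT, band=0.05):
    """Analytic test: amounts within `band` below the approval limit."""
    return sorted(pid for pid, _, a in payments if limit * (1 - band) <= a < limit)


def vendor_employee_matches(vendors, employees):
    """Cross-system comparison: vendor paid into an account also on payroll."""
    by_account = {acct: emp for emp, acct in employees.items()}
    return sorted((v, by_account[a]) for v, a in vendors.items() if a in by_account)


if __name__ == "__main__":
    print("Outlier amounts:      ", amount_outliers(PAYMENTS))
    print("Just under the limit: ", just_under_limit(PAYMENTS))
    print("Vendor/employee match:", vendor_employee_matches(VENDOR_ACCOUNTS, EMPLOYEE_ACCOUNTS))
```

Each hit is a lead for the auditor to follow up, not proof of fraud; the median-based score is used because a single large payment would distort a mean and standard deviation computed over so few records.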

Automate Fraud Detection to Improve Risk Management

Today’s internal audit teams aren’t just concerned with carrying out the traditional, cyclical audit process. The audit function is pressured to become more agile, strategic and unimpeachable.

Technology plays a key role here, helping internal audit teams do their job more efficiently, effectively and with greater relevance to the board and leadership. As a result, it helps internal audit elevate itself from a compliance function to a trusted business partner.

Kezia Farnham, a Senior Manager at Diligent, has spent several years working in the B2B SaaS sector. Her expertise in equipping governance, risk, audit, compliance and ESG professionals with key insights into sustainability, cybersecurity and the regulatory landscape helps them stay ahead of an increasingly challenging business environment.