In recent years, a number of high-profile fraud cases have made the headlines. Every business is susceptible to fraud in some shape or form and the outcome of these frauds can have varying levels of impact, including financial loss, reputational damage and in the worst cases can even threaten the survival of the organisation. Questions have been raised in a number of recent media reports about why the fraudulent activity was not discovered as part of routine external or internal audits. This has sparked criticism of the audit profession and a broader debate around the respective roles of auditors and management in fraud prevention and detection.
The headlines relating to these cases demonstrate the gulf between the public’s perception of the scope of a statutory audit and an auditor’s actual responsibilities according to auditing standards. They also highlight the need for companies to take a more proactive approach to fraud risk management that incorporates prevention as well as detection. So how can senior management gain assurance as to the veracity of the financials with which they are presented and where does this responsibility lie?
Perception vs. duty
There is a common public perception that it is the job of the external (statutory) auditor to detect fraud, highlighted particularly in recent cases where auditors have faced parliamentary enquiries in the UK and civil lawsuits worldwide for negligence. The auditors frequently proffer the defence that an external auditor’s role is to challenge the presentation of the financial statements of the organisation, to verify that these statements are aligned with internal records and accounting data of a company and to provide an opinion for outside stakeholders that the financial statements materially reflect the true position of the organisation. The substance of the enquiries and civil claims for negligence focuses on one key question: particularly in cases involving multi-million-dollar fraudulent misstatements of results for many years, how can this possibly escape the auditor’s attention?
In practice, the detailed work in an external audit is often done by junior members of staff who may not have the experience or scepticism to identify areas which to the experienced eye would indicate a red flag of fraudulent activity. This is no real defence, however, as the partner is the one putting the name of the audit firm on the accounts. It is often argued that external auditors can find themselves in a challenging position due to the potential conflict of interest between fostering a good client relationship, and therefore extending their contract, and their role to question the business. Another caveat that the external auditor might give is that it is not the responsibility of auditors to vouch for the authenticity of information supplied (beyond doing standard checks, for example testing completeness of data). Should company employees provide misleading or false information or records, this is not always likely to be picked up. The employees know a lot more about the business than anyone else – so if they are determined to present a false image, they are the ones who know how to do it.
The scope of an internal audit role is more varied and should be driven by the inherent risks within the business; it is by nature largely focussed on controls testing rather than specific anti-fraud projects. However, mature internal audit teams are the effective drivers of discussions about fraud risk and if given the right reporting structure can be a key part of the checks and balances which management should be implementing.
While both internal and external auditors should investigate fully or escalate any suspicions of fraud or “obvious red flags”, ultimately the responsibility of preventing and detecting fraud sits with the board and senior management of an organisation. They need to be confident that the organisation is aware of the fraud risks it faces and how they are evolving, and that all relevant functions with responsibility for oversight, including sales, legal, compliance, finance and audit, have input into the fraud risk assessment. It is only then that an effective proactive detection programme can be designed.
In today’s era of heightened public awareness and instant news, companies cannot afford to become complacent and instead need to take a proactive approach to mitigating fraud risk to ensure it isn’t happening right under their noses.
Compliance is often treated as a ‘tick-box’ exercise – following business protocols, checking against lists of criteria and assuming its job is then complete. However, as the recent high-profile fraud cases demonstrate, this is not enough. Firms need to consider not just the form of transactions or records but also their substance, and to assess this on an ongoing basis. It is important to continue to ask the question – does this make sense?
To address these issues effectively, senior management and boards need to implement processes and procedures across the entire company which proactively consider risks specifically from a fraud perspective. Prevention is fundamentally always better than cure, as once the money is out of the door, it is often too late.
Taking a proactive approach consists of deploying a number of complementary tools. One key tool which is being used more frequently is data analytics: continuing analysis and monitoring of internal data sets, from which companies can obtain a clearer picture of their relationships with third parties and identify patterns in fund flows and changes to these patterns which could indicate fraud risk. The best fraud prevention programmes will also consider potential workarounds and mechanisms that could be put in place to bypass structured controls and allow fraudulent activity to occur. By thinking outside the box and considering where information could be manipulated or disguised and how company assets might be embezzled, organisations are likely to be better at identifying suspicious activity.
Whilst it is fundamental that companies put these measures in place, they are ultimately only as strong as their weakest (human) link. As such, the board needs to create and foster a culture that goes beyond just compliance, and instead empowers employees to question activities and seek the truth. Fraud commonly happens in the mid- to lower-levels of business operations, so the senior management team needs to lead from the front and ensure its values are filtered down throughout the entire organisation, regardless of where in the business they originate.
By taking a proactive approach that incorporates technology, and creating a culture of compliance, these risks can be mitigated at the heart of the company. In today’s fast-paced, sophisticated business environment, it is important that companies constantly remain on the front foot when it comes to managing fraud risk, and there is certainly no room for complacency. It has been proven that companies cannot outsource the detection of fraud to their auditors, nor should they; it is management’s responsibility to take ownership of their business and the financials that reflect it, and they themselves should seek assurance of the veracity of the financial statements, in the interests of their shareholders and the other stakeholders who rely on transparency and clarity of the performance of the business.
Matthew Weitz is the Associate Managing Director of Business Intelligence and Investigations at Kroll.