When a company uncovers internal fraud, its first question is ‘Why didn’t the auditor catch that?’ The simple answer is that the purpose of an audit is not to detect fraud, and companies are misunderstanding the nature of an external audit.
According to the AICPA, an external auditor is an independent body that performs an audit of the financial accounts and provides an opinion on whether or not they are a true reflection of the company’s financial position in accordance with GAAP. As part of this, external auditors evaluate the internal controls put in place to manage risks that could affect the financial accounts, to determine whether they are working as intended. They must assert whether financial statements are free of material misstatement, whether due to error or fraud.
How much fraud are external auditors actually uncovering? Surprisingly, it’s just a paltry 4%.
Let’s dig deeper into the heart of an external audit - sample testing, which inherently means not every transaction is reviewed. If only a select number of transactions are reviewed, then only a select number of fraudulent ones will be caught.
Sampling is also a key part of the forensic audit process, for the same 3 reasons listed above. I’ve spent significant time selecting transactions based on several key data points - including high dollar value, payment method, regular month end submissions (T&E or AP), suspicious employee/vendor, geographic location, etc. Looking at T&E compliance specifically, auditing expenses for fraud involves examining a copious amount of expense documentation with hopes of finding the ‘smoking gun,’ all the while understanding that not ALL smoking guns will be identified.
So if an external audit is not meant to catch fraud, then what is? Focus on the design, implementation, and maintenance of your internal controls to create a culture of compliance. There are several alternative ways to identify and deter fraud. The first step is to create a continuous monitoring process to review 100% of documents (be that T&E, AP, etc.) as opposed to relying on sampling. Second, a recent report shows 55% of fraud was detected by a tip (39%) or an internal audit (16%). Employees provided over 50% of tips, followed by customers and vendors. Consider setting up a telephone hotline service or online form to encourage reporting of suspicious behavior. By the time your external auditor uncovers fraud, it is usually too late to prevent significant financial damage, and almost always too late to prevent the reputational damage that follows. Fraud can never be completely eliminated, but it can be minimized by establishing an environment in which ethical behavior is expected.