When a company uncovers internal fraud, its first question is ‘Why didn’t the auditor catch that?’ The simple answer is that the purpose of an audit is not to detect fraud, and companies are misunderstanding the nature of an external audit.
According to a 2016 ACFE report, 82% of companies utilize annual financial audits as a common anti-fraud control.
According to the AICPA, in an external audit an independent body audits the financial accounts and provides an opinion on whether or not they are a true reflection of the company’s financial position in accordance with GAAP. As part of this, external auditors evaluate internal controls put in place to manage risks that could affect the financial accounts, to determine if they are working as intended. They must assert whether financial statements are free of material misstatement, whether due to error or fraud.
How much fraud are external auditors actually uncovering? Surprisingly, it’s just a paltry 4%.
Let’s dig deeper into the heart of an external audit – sample testing, which inherently means not every transaction is reviewed. If only a select number of transactions are reviewed, then only a select number of fraudulent ones will be caught.
Here are 3 reasons why sampling is just not enough:
1. Auditors use a materiality threshold to identify their sample set, and they use the same threshold year after year, such that employees and management are aware of the amount. The lower dollar value items are hardly ever sampled, creating an opportunity for manipulating accounting records or submitting multiple low dollar transactions without the risk of being caught by auditors.
2. The inherent limitation with sampling is that all transactions are not tested. Asking auditors to review all transactions would be impossible, due to the sheer size and cost of such a request. However, there are 100% real-time monitoring solutions for T&E compliance that can be implemented, like AppZen.
3. Auditors review transactions on a historical basis – meaning they are often reviewing transactions that occurred 1 year ago. Even if they identify a transaction that lacks supporting documentation, the employee will rarely be able to provide that documentation 1 year after the fact.
Sampling is also a key part of the forensic audit process, for the same 3 reasons listed above. I’ve spent significant time selecting transactions based on several key data points – including high dollar value, payment method, regular month end submissions (T&E or AP), suspicious employee/vendor, geographic location, etc. Looking at T&E compliance specifically, auditing expenses for fraud involves examining a copious amount of expense documentation with hopes of finding the ‘smoking gun,’ all the while understanding that not ALL smoking guns will be identified.
So if an external audit is not meant to catch fraud, then what is? Focus on the design, implementation, and maintenance of your internal controls to create a culture of compliance. There are several alternative ways to identify and deter fraud. The first step is to create a continuous monitoring process to review 100% of documents (be that T&E, AP, etc.) as opposed to relying on sampling. Second, a recent report shows 55% of fraud was detected by a tip (39%) or an internal audit (16%). Employees provided over 50% of tips, followed by customers and vendors. Consider setting up a telephone hotline service or online form to encourage the reporting of suspicious behavior. By the time your external auditor uncovers fraud, it is usually too late to prevent significant financial damage, and almost always too late to prevent the reputation damage that follows. Fraud can never be completely eliminated, but it can be minimized by establishing an environment in which ethical behavior is expected.