Fraud encompasses an array of irregularities and illegal acts characterized by intentional deception. It can be perpetrated for the benefit of or to the detriment of the organization and by persons outside as well as inside the organization.
Fraud designed to benefit the organization generally produces such benefit by exploiting an unfair or dishonest advantage that also may deceive an outside party. Perpetrators of such frauds usually benefit indirectly from the fraud, since personal benefit usually accrues when the organization is aided by the act. Some examples include:
- Sale or assignment of fictitious or misrepresented assets.
- Improper payments such as illegal political contributions, bribes, kickbacks, and payoffs to government officials, customers, or suppliers.
- Intentional, improper representation or valuation of transactions, assets, liabilities, or income.
- Intentional, improper transfer pricing (e.g. valuation of goods exchanged between related entities). By purposely structuring pricing techniques improperly, management can improve the operating results of an organization involved in the transaction to the detriment of the other organization.
- Intentional, improper related-party transactions in which one party receives some benefit not obtainable in an arm's-length transaction.
- Intentional failure to record or disclose significant information to improve the financial picture of the organization to outside parties.
- Prohibited business activities such as those which violate government statutes, rules, regulations, or contracts.
- Tax fraud.
Fraud perpetrated to the detriment of the organization generally is for the direct or indirect benefit of an employee, outside individual, or another firm. Some examples are:
- Acceptance of bribes or kickbacks.
- Diversion to an employee or outsider of a potentially profitable transaction which would normally generate profits for the organization.
- Embezzlement, as typified by the misappropriation of money, property, and falsification of financial records to cover up the act, thus making detection difficult.
- Intentional concealment or misrepresentation of events or data.
- Claims submitted for services or goods not actually provided to the organization.
Deterrence consists of those actions taken to discourage the perpetration of fraud and limit the exposure if fraud does occur. The principal mechanism for deterring fraud is internal control. Primary responsibility for establishing and maintaining internal controls rests with management. The Internal Audit Department is responsible for assisting in the deterrence of fraud by examining and evaluating the adequacy and the effectiveness of internal controls, commensurate with the extent of potential risk/exposure in the various segments of the entity's operations. In carrying out this responsibility, the Internal Audit Department should, for example, determine whether: (1) the organizational environment fosters control consciousness; (2) realistic organizational goals and objectives are set; (3) written corporate policies (e.g. code of conduct) exist which describe prohibited activities and the action required whenever violations are discovered; (4) appropriate authorization policies for transactions are established and maintained; (5) policies, practices, procedures, reports, and other mechanisms are developed to monitor activities and safeguard assets, particularly in high-risk areas; (6) communication channels provide management with adequate and reliable information; and (7) recommendations need to be made for the establishment or enhancement of cost-effective controls to help deter fraud.
Detection consists of identifying indicators of fraud sufficient to warrant recommending an investigation. These indicators may arise as a result of controls established by management, tests conducted by auditors, and other sources both internally and externally.
In conducting auditing assignments, the Internal Auditor's responsibilities for detecting fraud include:
- Having sufficient knowledge of fraud in order to identify indicators that fraud might have been committed. This knowledge includes the need to know the characteristics of fraud and the types of frauds associated with the activities audited.
- Being alert to opportunities, such as control weaknesses, which could allow fraud. If significant control weaknesses are detected, additional tests conducted by internal auditors should include tests directed toward identification of other indicators of fraud. Some examples of indicators are unauthorized transactions, override of controls, unexplained pricing exceptions, and unusually large product losses. Internal auditors should recognize that the presence of more than one indicator at any one time increases the probability fraud may have occurred.
- Evaluating the indicators that fraud might have been committed and deciding whether any further action is necessary or whether an investigation should be recommended.
- Notifying the appropriate authorities within the organization if a determination is made that there are sufficient indicators of the commission of a fraud to recommend an investigation.
Internal auditors are not expected to have knowledge equivalent to that of a person whose primary responsibility is detecting and investigating fraud. Also, auditing procedures alone, even when carried out with due professional care, do not guarantee fraud will be detected.
Investigation consists of performing the extended procedures necessary to determine whether fraud, as suggested by the indicators, has occurred. It includes gathering sufficient evidential data about the specific details of the suspected fraud. Internal auditors, lawyers, investigators, security personnel, and other specialists from inside or outside the organization are the parties who usually conduct or participate in fraud investigations. When conducting fraud investigations, the Internal Audit Department should:
- Assess the probable level and the extent of complicity in the fraud within the organization. This can be critical to ensure the Internal Auditor avoids providing information to or obtaining misleading information from persons who may be involved.
- Determine the knowledge, skills, and disciplines needed to effectively carry out the investigation. Assess the qualifications and the skills of the Internal Auditors and the individuals having the appropriate type and level of technical expertise. This should include assurances on such matters as professional certifications, licenses, reputation, and that there is no relationship to those being investigated or to any of the employees or management of the organization.
- Design procedures to follow in attempting to identify the perpetrators, extent of fraud, techniques used, and cause of the fraud.
- Coordinate activities with management personnel, legal counsel, and other specialists as appropriate throughout the course of the investigation.
- Be cognizant of the rights of alleged perpetrators and personnel within the scope of the investigation and the reputation of the organization itself.
Once a fraud investigation is concluded, the Internal Audit Department should assess the facts known in order to: (1) determine if controls need to be implemented or strengthened to reduce future vulnerability; (2) design Internal Auditing tests to help disclose the existence of similar frauds in the future; and (3) help meet the Internal Auditor's responsibility to maintain sufficient knowledge of fraud and thereby be able to identify future indicators of fraud.
Reporting consists of various oral or written interim or final communications to management regarding the status and results of fraud investigations. A preliminary or final report is desirable at the conclusion of the detection phase. The report should include the Internal Auditor's conclusion as to whether sufficient information exists to conduct an investigation. It should also summarize findings which serve as the basis for such a decision.
Additional interpretive guidelines on the reporting of fraud are as follows:
- When the incidence of significant fraud has been established to a reasonable certainty, the Vice Chancellor for Administrative Affairs and the Chancellor should be notified immediately.
- The results of a fraud investigation may indicate the fraud has had a previously undiscovered significant adverse effect on the financial position and results of operations of an organization for one or more years on which financial statements have already been issued. The Internal Audit Department should inform the Vice Chancellor for Administrative Affairs and the Chancellor of such a discovery.
- A written report will be issued at the conclusion of the investigation phase. It should include all findings, conclusions, recommendations, and corrective action taken.
- A draft of the proposed report on fraud will be submitted to the Chancellor and Vice Chancellor for Administrative Affairs and legal counsel for review. In those cases in which the auditor wants to invoke client privilege, consideration should be given to addressing the report to legal counsel.