What do we mean by Fraud?
All organizations are subject to risks of fraud. Organizations are focused on risks related to frauds now more than ever, mainly because in the last two decades frauds have led to the downfall of entire organizations, huge investment losses, significant legal costs, imprisonment of key individuals, and loss of confidence in capital markets. The IIA’s IPPF defines fraud as:
“… any illegal act characterized by deceit, concealment, or violation of trust. These acts are not dependent upon the threat of violence or physical force. Frauds are perpetrated by parties and organizations to obtain money, property, or services; to avoid payment or loss of services; or to secure personal or business advantage.”
According to the IIA “1210.A2”, “Fraud encompasses an array of irregularities and illegal acts characterized by intentional deception. It can be perpetrated for the benefit of or to the detriment of the organization and by person outside as well as inside the organization”.
According to the ACFE,” All multifarious means which human ingenuity can devise, and which are resorted to by one individual to get an advantage over another by false suggestions or suppression of the truth”.
What does Fraud Involve?
According to ISA 240 fraud may involve:
· Manipulation, falsification or alteration of records or documents.
· Misappropriation of assets.
· Omission of the effects of transactions from records or documents
· Recording of transactions without substance.
· Misapplication of accounting policies
Why do people commit Fraud?
Occurrence of the fraud depends on various factors. Fraud Triangle is a common model that brings together a number of these aspects. This model argues that fraud may potentially result from a combination of three factors: motivation, opportunity, and rationalization.
Motivation In simple terms, motivation is typically based on either greed or need. Many people, due to the nature of their job, are exposed to opportunities to commit fraud. Personality and temper, including how frightened people are about the consequences of taking risks, play a role. Some people with good objective principles can fall into bad company and develop tastes for the fast life, which persuades them to fraud.
Opportunity
Fraud is more likely in companies where there is a weak internal control system, poor security over company property, little fear of exposure and likelihood of detection, or unclear policies about acceptable behaviour. Research has shown that some employees are totally honest, some are totally dishonest, but that many are swayed by opportunities.
Rationalization
Many people obey the law because they believe in it and/or they are afraid of being shamed or rejected by people they care about if they are caught. However, some people may be able to rationalize fraudulent actions as:
Necessary – especially when done for the business
Harmless – because the victim is large enough the impact is immaterial.
Justified – because ‘the victim deserved it’ or because I was mistreated.’
Responsibility in relation to Prevention and Detection of Fraud
Management Responsibility for Fraud
According to ISA 240 The Auditor’s Responsibilities Relating to Fraud in an Audit of Financial Statements:
“The primary responsibility for the prevention and detection of fraud rests with both those charged with governance of the entity and management. It is important that management, with the oversight of those charged with governance, place a strong emphasis on fraud prevention, which may reduce opportunities for fraud to take place, and fraud deterrence, which could persuade individuals not to commit fraud because of the likelihood of detection and punishment.
This involves a commitment to creating a culture of honesty and ethical behavior which can be reinforced by an active oversight by those charged with governance. In exercising oversight responsibility, those charged with governance consider the potential for override of controls or other inappropriate influence over the financial reporting process, such as efforts by management to manage earnings to influence the perceptions of analysts as to the entity’s performance and profitability.”
External Auditor’s Responsibility for Fraud
According to ISA 240 The Auditor’s Responsibilities Relating to Fraud in an Audit of Financial Statements:
“An auditor conducting an audit in accordance with ISAs is responsible for obtaining reasonable assurance that the financial statements taken are free from material misstatement, whether caused by fraud or error... (O)wing to the inherent limitations of an audit, there is an unavoidable risk that some material misstatements of the financial statements will not be detected, even though the audit is properly planned and performed in accordance with the ISAs”
Although primary responsibility for fraud prevention and detection does not sit with the auditor, ISA 240 does call for auditors to include methods for identifying potential cases of fraud when planning and conducting the audit. It requires auditors to:
Discuss the risk of fraud with management and those charged with governance
Discuss with the audit team the susceptibility of the accounts to material misstatements due to fraud
Consider whether one or more fraud risk factors are present
Perform audit procedures to address the risk of management override
Test journal entries and review accounting estimates for bias
Understand the business rationale for transactions outside the normal course of business
Obtain representations from management
Bear in mind the implications for money laundering reporting (taking care not to tip off the client).
Common Fraud Indicators
The risk of fraud can never be eliminated. However, some of the most common indicators can provide early warning that something is not quite right and increase the likelihood that the fraud will be discovered. These indicators can be divided into business risk, financial risk, environmental risk and IT and data risk.
Business risk
Absence of an anti-fraud policy and culture
Failure of management to implement a sound system of internal control and/or to always demonstrate commitment to it
Lack of financial management expertise and professionalism in key accounting principles, review of judgements made in management reports and the review of significant cost estimates
A history of legal or regulatory violations within the organization
Relation between the management and internal or external auditors is strained
Lack of clear management control of responsibility, authorities, delegation, etc.
Bonuses are linked to ambitious financial results
Inadequate recruitment processes and absence of screening
Unusually close relationships – internal and external
Unhappy employees who have access to desirable assets
Personal financial pressures on key staff
Employees not taking annual leave requirements
Lack of job segregation and independent checking of key transactions
Lack of identification of the assets
Poor management accountability and reporting systems
Poor access controls to physical assets and IT security systems
Poor documentary support for specific transactions such as rebates and credit notes
Large cash transactions
Susceptibility of assets to misappropriation.
Financial risk
Management compensation is highly dependent on meeting aggressive performance targets
Significant pressures on management to obtain additional finance.
Use of tax havens without clear justification
Complex transactions
Use of complex financial products
Complex legal ownership and/or organizational structure
Rapid changes in profitability
Existence of personal or corporate guarantees.
Environmental risk
The introduction of new accounting or other regulatory requirements, including health and safety or environmental legislation, could significantly alter reported results
Highly competitive market conditions and decreasing profitability levels within the organization
The organization operating in a declining business sector and facing going-concern issues
Frequent technological changes may increase the potential for product obsolescence
Significant changes in customer demands.
IT and data risk
Unauthorized access to systems by employees or external attackers
Quick changes in information technology
Users not adopting good computer security practices, e.g., sharing or displaying passwords
Unauthorized electronic transfer of funds or other assets
Manipulation of programs or computer records to disguise the details of a transaction
Compromised business information
Breaches in data security and privacy
Sensitive data being stolen, leaked or lost.