Detecting Fraud in Internal Audit
CA Nikita Thadani

As per The IIA: “Internal auditors support management’s efforts to establish a culture that embraces ethics, honesty, and integrity. They assist management with the evaluation of internal controls used to detect or mitigate fraud, evaluate the organization’s assessment of fraud risk, and are involved in any fraud investigations.”
Although it is management’s responsibility to design internal controls to prevent, detect, and mitigate fraud, the internal auditors play a variety of consulting, assurance, collaborative, advisory, oversight and investigative roles in an organization’s fraud management process.”

This is because fraud negatively impacts organizations in many ways — financially, reputational, and through psychological and social implications — Hence, it is important for organizations to have a strong fraud management program that includes awareness, prevention and detection, as well as a fraud risk assessment process to identify risks within the organization.

Internal Audit helps organisations through its various processes such as internal control techniques, cross checking, data sampling and various other methodologies to mitigate the risk of fraud and also detect the same.

For providing guidance to the internal auditors, the ICAI has also issued 18 “Standards on Internal Audit (SIA)” (check http://www.icai.org/new_post.html?post_id=597&c_id=145), which if followed diligently can help the auditors to work in an organized manner, focussing on key issues and delivering results.

Following are few case studies based on my experience of conducting Internal Audit in both public and private sector, which depict how Internal Audit can play a crucial role in detecting fraud in an organization with reference to the relevant Internal Audit Standards.

Case 1:

In case of Sale of High Value items (such as Gold, Silver and Other precious metals), it is generally recommended to keep a record of booking of the rate of sale and the foreign currency exchange rate, if applicable. Recording is preferably in the form of voice recording of the telephonic conversation (especially in cases, where the commodity is listed in the exchange and the rate varies moment to moment).

Lapse: Breakdown of the recording system, irregular recording due to casual approach, earlier year recordings not preserved for future reference.

Routes to fraud/misappropriation:

If recording is not done, one might show that the sale has been booked at a higher rate to inflate revenue, keep the additional inflated amount outstanding in the debtors account and write it off after years showing non-realization.
Unsecured loan or advance being given to the same party to whom the sale has been made – loan to the extent of the inflated amount. (These are usually related party transactions to inflate revenue)
Detection:

Cross verify the rate of sale from the recording with the rate of the exchange, where the commodity is listed as on that date.
Special emphasis should be put on related party transactions.
Special checking of transactions during the time the recording system was inoperative – High value, related party transactions.
Standards in reference:

SIA 11 – Risk arising out of “Weak Controls” and “Weakness in Information System and Communication”.
SIA 18 – Related Party: Identify “The nature of the relationships between the entity and these related parties”;
“Whether the entity has entered into any transaction with these related parties during the period and, if so, the nature and extent, and the purpose of the transaction”

(Refer Para 7 and 8 of SIA 18)

SIA 10: Look into the “Sufficiency and Appropriateness of Internal Audit Evidence”.
Point 2:

Entering transactions at Back Date. When the volume of transactions is huge, it is very difficult to trace back dated entries, which might be fake.

Routes to fraud/misappropriation:

As per Company’s regulation, all entries were to be made at current dates except for month end transactions. However, it was observed that back dated entries were being made in the system.

Example: This was evident from the fact that BRS when prepared for the month of December,2012, as on 31/12/2012 showed a balance of say, Rs. 15,193,794.15 and when prepared for the same month, as on 08/01/2013 shows a balance of say, Rs. 3,93,794.15/-. This clearly depicts that payment vouchers were entered during the period between 31/12/2012 and 08/01/2013.

Detection:

Check year end/ quarter end high volume or low volume transactions. (In many cases, high value payments are segregated into numerous low value vouchers so as to escape being noticed even if entered in the system at a back date)
Unusual entries of earlier years after the audit is closed.
Generate system reports to find out the date of making the voucher, date of payment and date of entry in the system.
Standards in reference:

SIA 18: Ensuring the objective of “Reliability of Financial Reporting” through the tool of “Monitoring Controls” – continuous supervision and assessment of the internal controls to identify instances of any actual or possible breaches.
SIA 12: Evaluate how well the Internal Controls are in place:
Preventive Controls: Proper authorization, Segregation of duties.

Detective Controls: Variance Analysis, Reconciliation.

Miscellaneous cases:

Whether huge back dated entries have been made manually, due to system not in operation.
Whether Original documents (FD’s, BG’s, Bank Statements, etc) are made available for verification and Confirmations from all the Banks and Third Parties is obtained.
Whether manual challans are compulsorily issued in cases, where system generated challans are prevalent. No delivery is executed without issue of challan.
In cases, where stock is sold against BG, LC, SBLC’s, whether the top management is ensuring that such BG’s and SBLC’s are at par with the market value of the Stock.
(Refer SIA 11 regarding the Control environment ensured by the Top management)

Cross Verification of Daily Business Intelligence Reports/MIS Reports (containing the daily position of Stock purchased and sold against SBLC’s) with the original SBLC documents.
Whether there is proper control over delivery and stock of inventory – especially in case of high value items. For example: delivery of stock to be made only after getting confirmation from the controlling bank in respect of SBLC issued. In most cases, the same is not complied with leading to high risk.
In a particular case, revenue from hallmarking was booked during the period the hallmarking machine was out of order. Hence, it is essential to verify the source of generation of revenue and the authenticity of the same.
(Refer SIA 12 – Evaluate controls over assets by comparing recorded assets with the existing assets at reasonable intervals and take appropriate action is taken with regard to any differences”)

SYMPTOMS OF FRAUD

While conducting internal audit, besides following the internal audit guidelines, procedures, standards and company policies, the auditors should be vigilant and alert in comprehending the atmosphere or culture of the organization and the attitude of the employees at the staff as well as the managerial level so as to be able to detect tendencies of fraud or misappropriation at the initial level.

♣ SYMPTOMS – at the Organisation level

Lack of accountability
Shifting of Responsibility
Unnecessary delay /procrastination in producing documents
Huge expenditure of personal nature split over different accounts/non-segregation of duties
One Upmanship – One person incharge of the whole department
Huge year end expenditure/revenue inconsistent with the average expense/income throughout the year
Physical security of documents not present
Faulty HR mechanism recruiting employees (without authorized proof of identity).
♣PSYCHOLOGICAL/BEHAVIORAL SYMPTOMS (at the level of an individual)

Overconfidence and overtly smart behavior
Blaming others more
Most of the times not available for the auditor/investigator
Overtly sweet and generous
Breaking Office discipline
Weak allocation of responsibilities and confiding most of the work/documents to himself.

(Author can be reached at  thadani.nikita@gmail.com and on mobile  9990952003)