Leadership · Insight · Knowledge

Welcome to the Institute of Internal Auditors New Zealand, the professional body for internal auditing

About UsJoin Us

What is internal audit?

Internal audit is a dynamic profession that provides independent assurance that an organisation's risk management, governance and internal control processes are operating effectively Essentially, Internal Auditors help organisations to succeed.

Read More

Membership benefits

Join our professional community and access a range of local and international benefits to expand your thinking, knowledge and networks.

Learn MoreJoin Now

Events & training

Connect with other internal audit, risk and assurance professionals and grow your knowledge and skills with a range of online and local events.

Find out more

Subscribe to newsletters

Subscribe to monthly IIA NZ Newsletters here

Subscribe

home | News & Media | news archive | June-2017

The fundamentals of fraud and how organisations and internal audit can prevent and detect this

 

The fundamentals of fraud and how organisations and internal audit can prevent and detect this

By Sylvester Shamy
Chairman of the Institute of Internal Auditors NZ
and 2016 NZ Internal Auditor of the Year

I remember a moment of bemusement as an undergraduate at university when, during a lecture on auditing, our Professor asserted that fraud in its purest form is almost impossible to prevent and that once perpetrated is very difficult to identify. It followed, then, that audit’s role was less to prevent or detect but instead help the organisation to respond, including as much as possible, reducing its risk of recurrence.

As I sit here now recalling that “truism” I still require a digestive moment to process the depth of that message and its implication.

Fresh out of university and into professional practice I was educated on the realities of fraud sophistication, and therefore why, as a consequence, audit could never be expected to identify and highlight all instances of fraud. This caveat was enshrined in our engagement contracts with audit clients.

Admittedly, this was before the wide use of computer-assisted audit techniques (CAATs), data mining, information intelligence and their technology-enabled cousins. The audit profession was also, at that time, largely backwards glancing— “the rear-view mirror, not the windscreen” as someone once explained to me.

Thankfully, times have changed. But fraud, its preconditions and the motivations of its perpetrators, has not. Auditors are now better equipped than ever to combat this, and we have modern auditing techniques to assist us in this endeavour.

By its very definition—illegal acts that are characterized by deceit, concealment or violation of trust—fraud is broad in practice. There is a myriad of frauds that can, and are, committed against individuals on a daily basis. Phishing schemes, online lotteries, targeted emails, identity impersonation, credit card theft; the list goes on and on.

My focus in this article is on corporate fraud, which can be less sophisticated than fraud targeting individuals, but with potentially greater consequences both in financial and emotional terms. This article examines its preconditions. In the next issue of Transparency Times, I will discuss the many ways in which internal audit can help organisations prevent and detect corporate fraud.

The preconditions for a fraud


The Fraud Triangle

The fraud triangle is a framework designed to explain the reasoning behind an individual’s decision to commit workplace fraud. The three stages, categorised by the effect on the individual, can be summarised as pressure, opportunity and rationalisation, illustrated in the diagram above.

The theory is that a combination of demand side (pressure and rationalisation) and supply side (opportunity) dimensions are needed for fraud to be perpetrated. To elaborate:

  • Pressure—fraudsters often face financial pressure to pay off debts or to support their lifestyles. This is hardly unique. We all have financial commitments that need to be met. The fraudster however, is able to rationalise their actions.
  • Rationalisation—often, the rationalisation is less about committing the act of fraud (i.e. acknowledging the immoral action) and more about: convincing oneself either that:
    • the assets being misappropriated are minor (e.g. “The company has lots of money and this will not be missed”)
    • that the crime is a victimless one (“It’s not like I’m stealing money from a person”), or would be the last in the chain
    • that the individual is entitled to the assets (“I pay my taxes, do really good work and I’m underpaid and undervalued”).

Usually, it’s a combination of the above.

If there’s one thing internal audit can admit defeat on, it’s changing human nature, or at the very least being able to positively influence those with a predisposition to commit crime. Audit can and should however, influence the third dimension:

  • Opportunity—here, fraudsters are often aided by weaknesses in organisational processes, especially around recruitment, procurement, contract management and financial management.

Design—processes and controls

A way to prevent fraud is for recruitment, procurement, contract management and financial processes to be designed and stress-tested from an end-to-end perspective, as opposed to siloed design and evaluation.

Base minimum anti-fraud mechanisms should be incorporated into key processes, including:

  • Pre-employment identity vetting and screening checks should be implemented.
  • Due diligence should be performed over new vendors to confirm no relationship exists with existing staff and/or contractors. This should include a Companies Office check against the vendor’s directors and shareholders.
  • Similarly, a cross-reference check should be performed on vendor bank accounts against employee and contractor bank accounts before the vendor is created in organisational systems.
  • A relationship/conflict declaration should be completed by all staff directly involved in the sourcing and creation of each new vendor with proper processes to manage any identified issues.
  • A change to vendor details, such as their bank account, should only be accepted when supported by a bank deposit slip and matched to the vendor invoice. Each instance of change should trigger an employee/contractor bank account cross-reference check.
  • A contract’s manager should be different to the contract’s approver, to ensure independent oversight and monitoring.
  • Organisational systems should be designed to identify, hold and escalate all instances of delegation breaches on a one-up basis.
  • Wherever possible, and especially for large value purchases (per item or cumulatively), the authoriser of goods and services should similarly be independent from the contract manager and approver. This authoriser should be satisfied that goods and services have been received prior to authorising the payment of the invoice. This accountability should be clearly outlined.
  • Regular vendor performance reviews should be performed, prioritised by performance track-record and expenditure volumes, and these should be conducted by staff independent of vendor set-up, approval, management and invoice authorisation responsibilities.

Final words

Fraud may be impossible to completely prevent. Internal auditors are a wonderful cadre of professionals, but we still lack the requisite mind-reading and mind-bending powers that would enable us to mitigate fraud’s “Pressure” and “Rationalisation” preconditions. However, with proactive organisational support we can reduce the “Opportunity”.

MoST Content Management V3.0.9220