There tends to be a fair amount of confusion when it comes to a fraud risk identification approach versus an experience-based approach – in no small part because within the industry it’s not uncommon to see terms used interchangeably – but here we set out to create a list of universal definitions intended to clarify how and why you might use this approach.
For an international traveler, the ability to speak the local language is critical in order to communicate. Likewise, it is important that your entire audit team speaks a common language when it comes to fraud. So many fraud words are used interchangeably – fraud risk, fraud scenario, inherent fraud risk, identified fraud risk, fraud risk statement – the likelihood of confusion within your team only increases as the interchangeable terminology increases.
This blog post will better define and create an approach to fraud risk identification when it comes to the fraud audit. We will look at:
- Common misconceptions
- The five components of a fraud risk statement
For the purposes of this blog, fraud risk identification relies on you as an auditor identifying the permutations for each element in a fraud risk statement. By doing so, the number of fraud risk statements for a business system can easily be mathematically calculated.
Fraud Risk Statement: Definition
From an audit perspective, and at its most basic, a fraud risk statement is an audit tool used by forensic accountants and fraud investigators. A properly written fraud risk statement should be the starting point of your fraud risk assessment process, the design specification for fraud data analytics, and the basis for creating an audit test. A fraud risk statement could more accurately be called an asset misappropriation statement or a corruption statement, as this is essentially what it is, but in the fraud profession the correct term is fraud risk statement.
A fraud risk statement is not how the fraud is concealed or how a perpetrator benefits from committing a fraud risk statement. It is also not:
- Bribery fraud risk: A bribe is how the person benefits from committing a fraud risk statement, the fraud conversion statement.
- False document scheme: A false document is how a perpetrator creates the illusion that the transaction is real, the fraud concealment statement.
- Fraud concealment: This is correlating fraud red flag analysis to the fraud risk statement. Sometimes describing some aspect of the concealment helps your team understand the fraud risk statement. This is an element of style versus methodology.
Using a universal naming system is the best way to improve your processes. So, while some people may use these terms interchangeably, and while the ‘bribery fraud risk statement’ may help with fraud awareness, these terms do not provide an auditor with the necessary description to design a fraud audit program and so are not fraud risk statements.
An Additional Note on Fraud Risk Statements
There is often some element of misunderstanding between a fraud risk statement and how a scheme occurs – indeed many believe the two to be identical although this couldn’t be further from the truth.
The fundamental difference between a ‘how’ statement (sometimes known as natural internal vulnerabilities or internal control deficiencies) and a fraud risk statement is quite stark. The ‘how’ of a scheme describes the actions taken in a story, while a fraud risk statement is a hypothesis. While the ‘how’ statement can describe how a perpetrator committed a scheme and can be part of a fraud risk statement, the risk statement is a postulation to be tested and is used when building your fraud audit plan.
The Five Components of a Fraud Risk Statement
So how can you create a fraud risk statement that will provide fraud auditors with the necessary elements to build their fraud audit program? The fraud risk statement has five elements and should be written in the following order:
- Person committing
- The type of entity
- Fraud action statement
- Fraud impact statement
- Fraud conversion statement
Person Committing
This starts with a generic description such as Accounts Payable Function or Budget Owner. The generic description then changes to the specific control owner as the internal auditor gains an understanding of the business process involved. As a rule, we do not list specific names but rather company titles. In a more complex discussion, the “person committing” element needs to consider access and the impact of the internal control inhibitors on the person committing analysis.
- Direct access
- Indirect access is when a person with authority causes another person with direct access to process, execute, or record a transaction. For example, a budget owner approves an invoice for payment causing the accounts payable person to record and pay the invoice.
- Internal control inhibitors are those actions that cause an internal control system to fail. The most common internal control inhibitors are collusion, management override and a person failing to properly perform a control procedure.
Type of entity
Type of entity should start with looking into the business system. In the expenditure cycle the entity is a vendor, in payroll the entity is an employee, in revenue the entity is a customer, and so on. There are two types of entities to consider: false or real. A more advanced understanding of shell companies would start with the following list:
- Created false vendor: standalone scheme.
- Created false vendor: pass-through scheme.
- Assume identity of a dormant vendor on the master file, on a temporary basis.
- Assume identity of a dormant vendor on the master file, on a permanent basis.
- Assume identity of a real, not complicit vendor in the marketplace.
- Hidden shell company: a real company operating under two or more names.
- Similar name spelling shell company. There are two variations:
  - The name of the company matches the abbreviation of a real known company. For example, the real entity is the Internal Revenue Service, or I.R.S., and the shell company is the International Recognition Service.
  - The false company has a slight misspelling of the real company's name. For example, the real company is “Google” and the false company is “Goggle.”
- Embedded shell company. There are vendors that may appear in your accounts payable multiple times because the corporation has many billing locations and payment locations. The embedded shell company has the same spelling as the real, not complicit company.
- The temporary or one-time payment shell company may act as a created shell company or as a variation of the previously listed shell companies.
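The two similar-name variations in the list above translate directly into a data analytics test over the vendor master file. The following Python code is an added example, not part of the original post: it flags master-file vendors whose name is within one character edit of a known real company, or whose name matches the abbreviation of one. The function names, the suffix list, the edit-distance threshold of 1 and the sample vendor names are assumptions constructed for illustration.

```python
import re

# Legal suffixes ignored when comparing names (assumed list, extend as needed).
SUFFIXES = {"inc", "llc", "ltd", "corp", "co", "company"}

def words(name):
    """Lower-case, strip punctuation and legal suffixes, return the word list."""
    cleaned = re.sub(r"[^a-z0-9 ]", "", name.lower())
    return [w for w in cleaned.split() if w not in SUFFIXES]

def initials(name):
    return "".join(w[0] for w in words(name))

def edit_distance(a, b):
    """Levenshtein distance (insert, delete, substitute), row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def flag_similar_vendors(known, master):
    """Return (vendor, real company, reason) tuples for auditor follow-up."""
    findings = []
    for vendor in master:
        v_words, v_key = words(vendor), "".join(words(vendor))
        for real in known:
            r_words, r_key = words(real), "".join(words(real))
            if v_key == r_key:
                continue  # identical name: the embedded-shell test is a separate check
            if len(r_key) >= 4 and edit_distance(v_key, r_key) <= 1:
                findings.append((vendor, real, "misspelling"))
            elif len(r_words) >= 2 and (
                v_key == initials(real)
                or (len(v_words) >= 2 and initials(vendor) == initials(real))
            ):
                findings.append((vendor, real, "abbreviation"))
    return findings

# Constructed sample data, not taken from any real vendor file.
KNOWN = ["Google LLC", "Internal Revenue Service", "Acme Supply Co"]
MASTER = ["Goggle Inc", "International Recognition Service", "I.R.S.",
          "Acme Supply Co", "Northwind Traders"]

if __name__ == "__main__":
    for finding in flag_similar_vendors(KNOWN, MASTER):
        print(finding)
```

A hit is a red flag for review, not proof of a shell company; the auditor still has to tie the flagged vendor to the other elements of the fraud risk statement.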
In creating the fraud risk statements, the shell company must also be adapted to your industry, the vendor industry and how the shell company may be used in the fraud action statement. To illustrate the concept:
- The statement needs to be adapted to the industry. For example, in a construction audit, the pass-through may be a sub-contractor that is legally owned by the general contractor with the intent to inflate contract costs.
- The statement needs to be adapted to the intended use of the shell company. For example, in an FCPA scheme, management may be using the company to conceal bribes.
- Disguised government preferred vendors. For example, a contractor creates a shell company to provide the illusion of meeting contract requirements.
- The simple shell company is used for simple false billing schemes.
- The complex shell company is used for the pass-through fraud schemes. The pass-through scheme has over 10 variations.
Fraud Action Statement
This is the act carried out by the person committing the scheme. Focusing on disbursement fraud schemes, the primary categories of acts are false billing, pass-through schemes, overbilling and disguised expenditure schemes. Each primary category has multiple subcategories. To illustrate, overbilling could occur through price inflation, short shipment, false charges, false add-on charges or product substitution schemes.
The product substitution could occur through a fitness scheme, knock-off scheme, counterfeit scheme or manufacturer scheme. The manufacturer scheme could occur through chemical composition, country of origin, etc. The key is to write the fraud action statement with the proper level of detail so that the audit team can ensure all fraud risks are mitigated and the audit program responds to all the fraud schemes facing your company.
Fraud Impact Statement
This describes either the monetary or the non-monetary impact on the organisation. As a matter of style, we defer to the reader to create their own writing style for the impact statement.
Fraud Conversion Statement
Sometimes this is known as the believability statement. It is not uncommon that if the reader of the fraud risk statement does not understand how the perpetrator benefits from the scheme, the reader may dismiss the scheme as theoretical rather than reality. Hence this statement is essential. While the conversion statement is not necessary to create the audit program, it will tell the reader whether the financial conversion occurred on the company books or off the company books.
If the fraud conversion occurs on the company books, then the fraud auditor has access to the necessary records to link the fraud scheme to the perpetrator. Off-the-books schemes will eventually require a legal action to obtain the necessary records to link the loss to the perpetrator unless you obtain a confession.
Going Beyond Basics
Upon the creation of all the necessary fraud risk statements (remembering each of these should match a particular fraud scheme), your team will be able to properly create their fraud audit plan and test each statement. Using a uniform understanding of what a fraud risk statement is and its place in your fraud audit program will create a more efficient approach to prevention and detection.
This article was previously published on Fraud Auditing Inc.'s blog.