So, let’s start out with a question: Is the audit profession doing a better job today than it was 20 years ago in responding to the risk of fraud in audits? Various studies indicate that whistleblowers and accidents are still the top reasons for detecting frauds and that the audit process is still on the bottom of the fraud detection list. So, I guess the answer to that question is: No! I don’t think this fact is a reflection on the people working in the auditing profession, but rather the tools that auditors use in the audit.

Fraud costs organisations millions of dollars each year. Simply Google the phrase “fraud scheme,” and you will discover more news stories than you have time to read. If auditors do not detect and stop a fraud scheme, they have cost their organisation real money. So, another question for you: Do you want to explain to your audit committee why your department did not detect a $63 million fraud?

There are four fundamental approaches to integrating fraud detection into the audit program. I have listed the techniques in order of their effectiveness:

  1. Prepare a fraud risk assessment, which includes creating a comprehensive listing of fraud risk statements that link to the internal controls and rate the controls’ effectiveness.
  2. Perform internal control testing, and be alert to the red flags.
  3. Integrate a fraud test into the internal control testing.
  4. Create a fraud audit program, which includes the use of fraud data analytics and fraud tests.

Now that I’ve listed the four strategies, I’ll discuss the pros and cons of each strategy and—as someone who performs fraud audits and routinely teaches classes on fraud auditing—provide insights on these strategies. I’ll then discuss the opportunities I see to make the audit profession the number one reason for fraud detection. Finally, I’ll offer some practical illustrations of the four techniques.

Prepare a Fraud Risk Assessment

Pros: It is simple to create fraud risk assessments. The auditing profession has used risk assessment in the planning stage for years, and auditors are knowledgeable regarding internal controls.

Cons: It is simple to create fraud risk assessments. This technique is not intended to detect fraud; it is designed to determine whether the organisation has the key controls to mitigate fraud. Unfortunately, perpetrators learn how to circumvent internal controls.

Insights: Currently, the fraud risk statements in auditors’ work papers are not written to drive the audit program. For example, let’s say an auditor is considering the risk of bribery in the purchasing function. The fraud risk statement does not provide the auditor with any direction on how to design an audit test or respond to the risk of fraud. While a seasoned fraud examiner may know what to look for, an entry-level staff auditor will not.

Opportunities: Adopt a methodology for writing fraud risk statements. The fraud risk statement should provide clear guidance on how the fraud scheme lives and breathes in the core business systems. Use the fraud brainstorming session to discuss how to detect the frauds detailed in the fraud risk statements. The fraud risk statement provides a focal point for the conversation, generating much more meaningful discourse than a general discussion of fraud. Discuss the natural vulnerabilities associated with your internal controls.

Perform Internal Control Testing, and Be Alert to Red Flags

Pros: Internal control testing is simple. Auditors have performed internal control testing since the auditing profession began.

Cons: When it comes to fraud detection, the control test has an inherent flaw. If the fraud perpetrator is the control owner, then testing the existence of the internal control will not detect the fraud scheme. In addition, many fraud schemes can occur while fully complying with internal controls. Lastly, auditors do not document in the work papers what red flags they look for in the examination of a transaction.

Insights: The auditing profession is not incorporating actual red flags of fraud into the audit program. There seems to be a presumption that the auditor performing the audit step will observe a red flag based on his or her life experiences. This is not true. For over 20 years in my classes, I have provided seminar delegates with a vendor invoice from a real fraud scheme involving a pass-through shell company scheme. To date, no delegate, whether a chief auditor or an entry-level staff member, has identified the five primary red flags related to the invoice.

Opportunities: Identify actual red flags on documents, data, and internal controls that link to a fraud risk statement and document them in the audit program. Discuss the concept of the sophistication of fraud concealment, and consider how it impacts the audit program.

Integrate a Fraud Test into the Control Testing

Pros: The auditor is adding an audit step (or steps) into the pre-existing audit program. The audit program will now have a documented response to a fraud risk statement.

Cons: Auditors commonly use random samples for audit testing purposes. However, random samples are not designed for fraud detection but rather for offering an opinion on the operating effectiveness of internal controls over a period of time.

Insights: Fraud is a technical skill. Auditors need to improve their knowledge of fraud risk statements and the associated red flags that link to each fraud risk statement. We need to stop debating whether a fraud test is an investigation procedure or an audit step. Instead, we should focus on the quality of evidence collected through the audit process.

Opportunities: Design a fraud test that targets the fraud risk statement. The fraud test rules: (1) If the scheme involves a false entity, design an audit step that suggests the entity is false; (2) If the entity is real, then design an audit step that targets the fraud action statement. The intent of the audit step is not to prove fraud but rather to prove the need for a fraud investigation.

Create a Fraud Audit Program

Pros: This technique is the most effective audit approach to detect fraud in core business systems.

Cons: Creating a fraud audit program initially requires more audit time because the concept of fraud testing is a new skill for most auditors.

Insights: The fraud audit program is the right tool to detect fraud. Unfortunately, only a handful of audit departments have successfully implemented a fraud audit program. Most internal audit departments are still focused on control tests, which often do not help in the detection of fraud.

Opportunities: Allocate the resources to build a fraud data analytics program for your core business systems. To accomplish this, you must do more than just buy the software. You must also improve your fraud risk assessment and understand the difference between a control test and a fraud test.

Illustrating the Concepts in the Four Strategies

The expenditure cycle is one of the most commonly targeted business cycles for both internal and external parties to commit fraud schemes that could be material to an organisation. Below, I will illustrate how to incorporate the four strategies in detecting various types of fraud in the expenditure cycle.

Fraud Risk Assessment

In a procurement audit, the fraud risk statement is written as follows:

Fraud Risk Statement

  • False requirements or specifications
    • By corrupting the internal real supplier selection procedures
      • Internal person in collusion with a real supplier
        • The bid specifications are written with vague criteria to allow for corruption of the bid evaluation process or vendor selection process.
      • Internal person in collusion with a real supplier
        • The real supplier bid specifications are written in a vague manner to allow for future product substitution.

The fraud audit program then directs the auditor to perform procedures to evaluate whether the specifications are written in a vague manner or in a manner consistent with industry standards.

Perform Internal Control Testing

In the examination of a vendor invoice for tangible goods, the auditor should perform the following internal control test:

  • Review the vendor invoice line item description as to the numeric description and the alpha description.
  • Look for:
    • Missing alpha or numeric description
    • A numeric string with fewer than five positions

Integrate a Fraud Test into the Audit Program

Let’s assume that the following fraud risk statement is included within your audit scope.

  • “Budget owner acting alone or in collusion with a direct report causes a shell company to be set up on the vendor master file, processes a purchase order or contract, and approves a fake invoice for goods or services not received, causing the diversion of company funds.”

The auditor can then link the fraud risk statement to the audit procedure below.

  • Fraud audit procedure: Review vendor payment history for evidence of a sequential pattern of invoice numbers.

Create a Fraud Audit Program

Using the preceding fraud risk statement, the auditor can then develop a fraud data analytics plan and an audit procedure, such as the following:

  1. Develop a fraud data analytics routine to search for all vendors that have a sequential pattern of vendor invoices.
  2. Perform a site visit of the vendor location to verify the physical existence of a company.
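
A sketch of the data analytics routine in step 1, added here as an example and not taken from the original post: it groups payment history by vendor and flags vendors whose invoice numbers advance by one from invoice to invoice. The record layout, thresholds, and sample rows are constructed assumptions; a flagged vendor is a candidate for the site visit in step 2, not proof of fraud.

```python
import re
from collections import defaultdict

# Constructed sample payment history: (vendor_id, invoice_number, invoice_date)
PAYMENTS = [
    ("V100", "INV-1001", "2023-01-05"),
    ("V100", "INV-1002", "2023-02-03"),
    ("V100", "INV-1003", "2023-03-07"),
    ("V100", "INV-1004", "2023-04-04"),
    ("V200", "88213", "2023-01-10"),
    ("V200", "88967", "2023-02-11"),
    ("V200", "90102", "2023-03-15"),
    ("V200", "91544", "2023-04-12"),
    ("V300", "A-17", "2023-01-20"),
    ("V300", "A-18", "2023-06-02"),
]

def trailing_number(invoice_number):
    """Return the last run of digits in an invoice number, or None."""
    m = re.search(r"(\d+)\D*$", invoice_number)
    return int(m.group(1)) if m else None

def sequential_vendors(payments, min_invoices=3, min_ratio=0.8, max_gap=1):
    """Flag vendors whose invoice numbers rise by 1..max_gap between
    consecutive invoices in at least min_ratio of cases.

    A supplier with other customers normally leaves gaps in the numbers
    any one customer sees; near-consecutive numbers suggest the
    organisation is the vendor's only customer.
    """
    by_vendor = defaultdict(list)
    for vendor, invoice, date in payments:
        n = trailing_number(invoice)
        if n is not None:
            by_vendor[vendor].append((date, n))
    flagged = {}
    for vendor, rows in by_vendor.items():
        if len(rows) < min_invoices:
            continue  # too few invoices to call it a pattern
        rows.sort()  # ISO dates sort chronologically
        nums = [n for _, n in rows]
        gaps = [b - a for a, b in zip(nums, nums[1:])]
        ratio = sum(1 for g in gaps if 1 <= g <= max_gap) / len(gaps)
        if ratio >= min_ratio:
            flagged[vendor] = round(ratio, 2)
    return flagged
```
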


It is time for the auditing profession to become the number one reason for fraud detection. Our profession has the talent to detect fraud; what we need now are the tools designed to detect the fraud risk statements lurking in our core business systems. This blog has presented four ways to accomplish this task.

Integrating fraud into our audit program requires a different way of thinking about our audit process. I offer the following goals for senior audit management:

  • Recognise fraud auditing as a technical skill.
  • Adopt a methodology designed for fraud detection.
  • Aggressively invest in building fraud data analytics.

Educate your audit committee and management on the difference between control testing and fraud testing.