FRAUD RISK MANAGEMENT IN INTERNAL AUDIT

In this article we shall discuss the current regulations in India and the steps to be taken by the internal auditor to manage the ‘fraud risk’ and add value to the internal audit function.

In our opinion, frauds may be classified into two types – first, a fraud perpetrated by owners / top management and, second, all cases other than the first one. In case the internal auditor encounters a fraud perpetrated by management, he or she has few options – either become a whistle-blower and report the fraud, or walk away. Each action of the internal auditor will have consequences which he / she may have to decide based on choice and circumstances. Failure to act with integrity and to be just a bystander, or become knowingly or unknowingly a part of the management fraud, has its own set of risks and consequences.

We have a number of cases which have been discussed in the public domain to understand the above, some of the major cases being the ‘Satyam case’, ‘Cox & Kings’ and so on. One major high-profile case cited for an internal auditor to be a whistle-blower is that of ‘Enron’.

FRAUD DEFINITION

As per Webster’s Dictionary, a fraud is (a) deceit, trickery, specifically: intentional perversion of truth in order to induce another to part with something of value or to surrender a legal right; (b) an act of deceiving or misrepresenting.

Fraud is defined by Black’s Law Dictionary as A knowing misrepresentation of the truth or concealment of a material fact to induce another to act to his or her detriment.

Consequently, fraud includes any intentional or deliberate act to deprive another of property or money by guile, deception or other unfair means.

Types of fraud

The Association of Certified Fraud Examiners (ACFE) has given the following classification for ‘types of fraud’ which summarises the various types as follows –

Fraud against a company can be committed either internally by employees, managers, officers or owners of the company, or externally by customers, vendors and other parties. Other schemes defraud individuals rather than organisations.

Internal fraud

Internal fraud, also called occupational fraud, can be defined as ‘the use of one’s occupation for personal enrichment through the deliberate misuse or misapplication of the organisation’s resources or assets.’ Simply stated, this type of fraud occurs when an employee, manager or executive commits fraud against his or her employer.

Although perpetrators are increasingly embracing technology and new approaches in the commitment and concealment of occupational fraud schemes, the methodologies used in such frauds generally fall into clear, time-tested categories.

External fraud

External fraud against a company covers a broad range of schemes. Dishonest vendors might engage in bid-rigging schemes, bill the company for goods or services not provided, or demand bribes from employees. Likewise, dishonest customers might submit bad cheques, falsified account information for payment, or might attempt to return stolen or knock-off products for a refund. In addition, organisations also face threats of security breaches and theft of intellectual property perpetrated by unknown third parties. Other examples of fraud committed by external third parties include hacking, theft of proprietary information, tax fraud, bankruptcy fraud, insurance fraud, healthcare fraud and loan fraud.

Fraud against individuals

Numerous fraudsters have also devised schemes to defraud individuals. Identity theft, Ponzi schemes, phishing schemes and advance fee frauds are just a few of the ways criminals have found to steal money from unsuspecting victims.

Regulatory drivers in India necessitating action by internal auditors

Irrespective of the regulations given below, the internal auditor has to work along with management towards building a structure for prevention and / or detection of fraud in an organisation and build fraud prevention and / or detection objectives in the internal audit programmes.

The Companies Act, 2013 has introduced a requirement under sub-section 12 of section 143 which requires the statutory auditors to report to the Central Government about the fraud / suspected fraud committed against the company by the officers or employees of the company. It states, ‘Notwithstanding anything contained in this section, if an auditor of a company, in the course of the performance of his duties as auditor, has reason to believe that an offence involving fraud is being or has been committed against the company by officers or employees of the company, he shall immediately report the matter to the Central Government within such time and in such manner as may be prescribed.’

The procedures for reporting to the Board or the Audit Committee, reporting to the Central Government, replies and observations of the Board or the Audit Committee and reporting to the Central Government with the external auditor’s comments and other procedures are laid out in the law.

Primary responsibility for the prevention and detection of fraud rests with both those charged with governance of the entity and the management. In the context of the 2013 Act, this position is reiterated in section 134(5) which states that the Board report shall include a responsibility statement, inter alia, that the directors had taken proper and sufficient care for safeguarding the assets of the company and for preventing and detecting fraud and other irregularities.

Requirement of CARO 2020 With Respect to Fraud – According to a clause in CARO 2020 with regard to fraud and whistle-blower complaints, an auditor needs to report whether any fraud on or by the company has been noticed or reported during the year; if yes, the nature and amount involved is to be indicated; in case of receipt of whistle-blower complaints, whether the complaints have been considered by the auditor.

The Securities and Exchange Board of India has issued the SEBI (Listing Obligations and Disclosure Requirements) (Third Amendment) Regulations, 2020 w.e.f. 8th October, 2020 whereby, inter alia, in case of initiation of forensic audit (by whatever name called) a listed company is required to make the following disclosures to the stock exchange:

Initiation of a forensic audit along with the name of the entity initiating the audit and reasons for the same, if available; and

Final forensic audit report (other than for forensic audit initiated by regulatory / enforcement agencies) on receipt by the listed entity along with the comments of the management, if any.

This has been included under events which shall be disclosed without any application of the guidelines for materiality. Enhancing disclosure requirements is one more step by the regulator, done with a view to disclose potential financial mismanagement to the stock market and the public at large.

Institute of Chartered Accountants of India (ICAI) to come out with Forensic Accounting and Investigation Standards

The Digital Accounting and Assurance Board of the ICAI has issued Exposure Drafts on Standard on Forensic Accounting and Investigation (FAIS) such as FAIS-110 – Understanding the Nature of Engagement; FAIS-120 – Understanding Fraud Risk, and a number of others. These would naturally be the standard in times to come.

As we can see, the regulators are increasing the regulations with the increase in the incidence of fraud. Since the statutory / external auditors are required to report on fraud they necessarily look to internal auditors and expect them to have fraud prevention and / or detection built into their internal audit programmes.

FRAUD RISK MANAGEMENT BY INTERNAL AUDITOR

We have discussed the regulatory drivers but at the same time the Audit Committee and top management does not like any surprise on this count. It is not unheard of now to look to the internal auditor if any untoward incident is uncovered. It is seen that the questions immediately raised are…

When was this area last internal audited?

What is the size of the incident and for how long is this continuing?

(And many such questions.)

We are sure that the internal auditor also would not like any surprises. Frauds cannot be totally prevented but adequate care can be taken to ensure that unless the fraud is a complex one which would have been difficult to be detected under reasonable circumstances, an internal audit exercise should be able to take care of raising the red flag.

We would classify the action to be taken by the internal auditor in two parts. First, where the internal auditor is independent but part of the top management team and has a consulting role to play. He or she has negotiated the role of internal auditor as a business adviser to the enterprise. The internal auditor would then be part of designing or testing the design of policies / controls on anti-fraud, etc., which we shall discuss below. The second part is where the internal auditor may not be sufficiently high up but would still have to use / build fraud analytics and other tests into the audit programmes.

Where the internal auditor is part of the top management team, he or she would take an active part in designing or testing the design and reviewing the mechanism for anti-fraud controls which would work like a bulwark and deter incidence of fraud or help in raising early warning signals / red flags. Some policies / controls and the mechanisms in place would be –

Code of conduct;

Continuous data monitoring / analysis;

Surprise audits;

Regular system of management review;

Anti-fraud policy;

Fraud training for employees;

Job rotation / compulsory vacation;

Whistle-blower policy and rewards for whistle-blowers;

Proper design and review of key controls in ‘Internal Controls over Financial Reporting’.

For internal controls and risk management, the COSO Internal Control and Risk Management guidelines (both are separate guidelines) would be a good source to start looking at understanding and building internal controls, including building anti-fraud controls. The five components of an internal control framework are: control environment, risk assessment, control activities, information and communication, and monitoring.

Each business would have specific controls but to repeat the generic COSO internal control guidelines would be a healthy starting point to understand, build and review internal controls for an internal auditor.

Let us now move to the second part on operational internal auditing where fraud analytic tests based on data analytics are built into each and every individual programme for the internal auditor.

WHAT IS FRAUD ANALYTICS?

Fraud analytics combines analytic technology and techniques with human interaction to help detect potential improper transactions, such as those based on fraud and / or bribery, either before the transactions are completed or after they occur. The process of fraud analytics involves gathering and storing relevant data and mining it for patterns, discrepancies and anomalies. The findings are then translated into insights that can allow a company to manage potential threats before they occur as well as develop a proactive fraud and bribery detection environment.

Case study of a payroll internal audit using Fraud Analytics

The main objective of Fraud Analytics in Payroll is to test the validity and existence of employees and the correctness of pay elements.

An illustrative listing of Fraud Analytics in Payroll is –

•      Map the payroll transaction file to payroll master file to determine if there are ‘ghost’ employees on record and being paid;

•      Sort employees by name, address, location and other master fields to identify conflict-of-interest scenarios where managers (supervisors) have relatives working for them;

•     Check for duplicate employees in the master list of employees by name, date of birth, address, bank account number, permanent account number (PAN No.) as a combination of fields or even independent field level duplicate checks;

•      Perform a pattern-based fuzzy duplicate match in the master list of employees by name and address to identify potential pattern matches on employee name and address;

•      Compute plant-wise, machine centre-wise, location-wise, correlation score between wage (pay element outgoes) and overtime payments to identify centres with negative correlation scores like falling wage outgoes and rising overtime payouts;

•      Extract all payroll payments where the gross amount exceeds the set grade threshold limits as per masters;

•      Compare time-card (attendance) entries to payroll and check for variances like unaccounted ‘leave without pay’;

•      De-dup checks to identify employees getting the same net pay at multiple locations of the company in the same month;

•      Profile employees who have not availed any leave in the last one year;

•      Isolate individuals continuing to get payroll benefits after retirement;

•      Detect employees getting signing-on bonus payments and leaving before the minimum service period, where signing-on bonus is not recovered;

•      Filter out payroll payments to employees where nil deductions (including statutory deductions) have been made;

•      Employees who have re-joined after leaving and continue to get retirement benefits with standard payroll payments;

•      Inconsistent payroll master allowances within the same groups like grade, designation, location, etc.;

•      Inconsistent payroll master deductions within the same groups such as grade, designation, location, etc.;

•      Capture payments to active employees where leave availed is more than the leave balance on hand;

•     Outliers in payroll payments where the ratio of the highest to the next highest net payroll payment to employees is irregular and excessive;

•     Locate employees getting multiple increments and bonus payments within the same payroll period;

•      Compare vendor addresses / phone numbers and employee addresses / phone numbers to identify conflict-of-interest situations.

 

It is important to note that though fraud analytics plays an important role today in any tests to be performed for an internal audit area like payroll, procure to pay cycle, etc., the other activities like interviews, meetings with vendors and employees, physical verification, etc., play an equally important role. Soft issues like body language of the auditee and dealing with auditees and others to understand the issues at hand for the area under audit, are quite important for an internal auditor.

CONCLUSION

It is clear that the responsibility with regard to fraud prevention and detection is increasing for the internal auditor. The regulators are increasing disclosure requirements and the Audit Committee and top management expect that the internal auditor be on guard to continuously help build and review the controls to prevent any incidence of fraud. In case any fraud incident/s does take place, the management would like to have it detected at an early stage.

A proactive internal auditor has to be on top of all this at all times and would most likely have a good fraud risk management programme to –

– increase the bottom line for the organisation (add value to corporate performance);

– ensure compliance with laid-down policies (internal), laws and regulations (external);

– send a clear anti-fraud message;

– enhance the organisation’s image and reputation; and

– get early warning signals / red flags to take pre-emptive action/s.