Best Practices: Special Fraud Issue 2010
Ohio Auditor of State Mary Taylor, CPA
Spotlight: Bringing Fraud into Focus

Don’t Count on Your Annual Audit to Help Spot Fraud – Strong Risk Management Tools Are Needed for 20/20 Vision

By Julia Debes - Public Affairs Staff Writer

While no one wants it to occur, fraud will happen. And it doesn’t discriminate. No organization – large or small, public or private, simple or complex – is immune. From the mailroom to the boardroom, the risk for potential damage from fraud is universal. For 2008 alone, the Association of Certified Fraud Examiners estimates that approximately $994 billion was lost to fraud nationwide.

When it comes to preventing or detecting fraud, however, many organizations don’t recognize the risks they face or don’t believe that fraud warrants a specific risk management program – until it’s too late. Instead, organizations may rely too heavily on financial audits to detect fraud, yet this practice demonstrates a lack of understanding of the risk of fraud and its potential impact.

“They don’t know what they don’t know,” said Kevin Saionzkowski, chief of the Ohio Auditor of State’s Special Audit Section. “They think financial audits will always find fraud.”

Actually, external auditors are at a distinct disadvantage compared to fraud perpetrators. With limited powers and much to examine in a routine financial audit, auditors are not likely to catch all of the fraud that may have been committed. Additionally, perpetrators know exactly what needs to be concealed and who is trying to find it.

According to Saionzkowski, “If you are relying solely on a financial audit to fight fraud, you aren’t going to find it, you aren’t going to prevent it and you are going to increase your risk.”

Sidebar: Elements to include in a fraud risk management plan

Each entity should include the following elements in a fraud risk management plan:

  • Roles and responsibilities
  • Commitment
  • Fraud awareness
  • Affirmation process
  • Conflict disclosure
  • Fraud risk assessment
  • Reporting procedures and whistleblower protection
  • Investigation process
  • Corrective action
  • Quality assurance
  • Continuous monitoring

Managing the Business Risk of Fraud: A Practical Guide also suggests that entities follow five principles to manage their risk of fraud:

  1. As part of an organization’s governance structure, a fraud risk management program should be in place, including a written policy (or policies) to convey the expectations of the board of directors and senior management regarding managing fraud risk.
  2. Fraud risk exposure should be assessed periodically by the organization to identify specific potential schemes and events that the organization needs to mitigate.
  3. Prevention techniques to avoid potential key fraud risk events should be established, where feasible, to mitigate possible impacts on the organization.
  4. Detection techniques should be established to uncover fraud events when preventive measures fail or unmitigated risks are realized.
  5. A reporting process should be in place to solicit input on potential fraud, and a coordinated approach to investigation and corrective action should be used to help ensure potential fraud is addressed appropriately and timely.

Unfortunately, many organizations do misinterpret the role of a financial audit. While an auditor will report evidence of potential fraud if it is found during a financial audit, the auditor does not make the final determination of whether a misstatement was the result of error or the result of fraud. According to the Statement on Auditing Standards (SAS) 99, “…auditors do not make legal determinations of whether fraud has occurred. Rather, the auditor’s interest specifically relates to acts that result in a material misstatement of the financial statements.”

Robert Hinkle, chief deputy auditor in the Auditor of State’s Office, further explained that the biggest misconception is that the Auditor of State is responsible for controls. “Instead,” he said, “our responsibility is to evaluate whether clients have properly designed controls to address risk and have put those controls into operation.”

While auditors cannot opine on the cause of misstatements in financial reports, auditors will work with clients and provide recommendations on how to institute policies and procedures to prevent or detect fraud.

However, a financial audit is not a guarantee that no fraudulent activity has occurred. According to SAS 99, “…absolute assurance is not attainable and thus even a properly planned and performed audit may not detect a material misstatement resulting from fraud.”

Fortunately, organizations have the ability to prevent, detect and even deter fraud – by having a plan. A fraud risk management plan is a structured framework that details the policies and procedures an organization will use to continually assess its risk of fraud, monitor exposure through prevention and detection techniques and provide a process for reporting fraud. By establishing and maintaining this system of checks and balances within the organizational structure itself, clients can detect fraud earlier or even prevent some fraud from occurring in the first place.

Additionally, each client should customize fraud risk management policies and procedures to fit its organization. The size, complexity, competency of the individuals involved in financial transactions and the resources available are all important factors in determining how a client manages its risk of fraud.

“You don’t want to boiler-plate it,” Saionzkowski said. “Make the plan specific to your needs.”

One example is segregation of job duties, or ensuring that no one individual handles any transaction from beginning to end. For instance, a very small organization may not be able to hire additional staff in order to ensure segregation of job duties. However, an auditor may suggest a different internal control to help prevent fraud from occurring in this situation. For example, an organization could require multiple signatures on checks, so that even if one person handles the transaction, multiple individuals are overseeing the process.

Even though the overall system may change slightly from organization to organization, some fraud risk management techniques are common to all. Implementation does not have to be complicated. Instead, entities can take big steps by doing simple things.

For example, Hinkle explained, “The most common example of an internal control is one that you have with your family – reconciling with the bank at the end of the month.” This seemingly simple task is just one way that organizations can help identify fraud.
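The two controls described above, segregation of duties and the month-end bank reconciliation, are simple enough to express as detection checks. The following is an added example, not code from the Ohio Auditor of State or from the cited guide: the ledger rows and bank-statement rows are constructed sample data, and the field names (check_no, amount, payee, prepared_by, approved_by) are assumptions about how a small entity might record disbursements. The reconciliation flags checks that cleared the bank but were never recorded, checks whose cleared amount differs from the recorded amount, and checks still outstanding; the duties check flags any disbursement prepared and approved by the same person, which is the situation multiple signatures on checks is meant to prevent.

```python
"""Month-end reconciliation and segregation-of-duties checks (added example).

All data below is constructed; field names are assumptions, not a real system's schema.
"""
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class LedgerEntry:
    """One disbursement as recorded in the entity's own books (assumed fields)."""
    check_no: str
    amount: Decimal
    payee: str
    prepared_by: str   # person who prepared the check
    approved_by: str   # person who signed/approved it


@dataclass(frozen=True)
class BankItem:
    """One cleared check as shown on the bank statement (assumed fields)."""
    check_no: str
    amount: Decimal


# Constructed sample month: one altered amount, one unrecorded check,
# one outstanding check, and one check prepared and approved by the same person.
LEDGER = [
    LedgerEntry("1041", Decimal("250.00"), "Office Supply Co", "alice", "bob"),
    LedgerEntry("1042", Decimal("1200.00"), "Asphalt Inc", "alice", "bob"),
    LedgerEntry("1043", Decimal("480.00"), "Printing Svc", "carol", "carol"),
    LedgerEntry("1044", Decimal("75.00"), "Postmaster", "alice", "bob"),
]
BANK = [
    BankItem("1041", Decimal("250.00")),
    BankItem("1042", Decimal("2100.00")),   # cleared for more than was recorded
    BankItem("1043", Decimal("480.00")),
    BankItem("1045", Decimal("600.00")),    # never entered in the ledger
]


def reconcile(ledger, bank):
    """Compare the ledger with the bank statement and group the exceptions.

    Returns a dict with three lists:
      unrecorded      - check numbers cleared by the bank but absent from the ledger
      amount_mismatch - (check_no, ledger_amount, bank_amount) where amounts differ
      outstanding     - check numbers in the ledger that have not cleared yet
    Outstanding checks are normal at month end; they are listed so they can be
    followed up if they stay outstanding for more than one period.
    """
    ledger_by_no = {e.check_no: e for e in ledger}
    bank_by_no = {b.check_no: b for b in bank}
    result = {"unrecorded": [], "amount_mismatch": [], "outstanding": []}
    for no in sorted(bank_by_no):
        entry = ledger_by_no.get(no)
        if entry is None:
            result["unrecorded"].append(no)
        elif entry.amount != bank_by_no[no].amount:
            result["amount_mismatch"].append((no, entry.amount, bank_by_no[no].amount))
    result["outstanding"] = sorted(set(ledger_by_no) - set(bank_by_no))
    return result


def segregation_violations(ledger):
    """Check numbers where one person both prepared and approved the disbursement."""
    return [e.check_no for e in ledger if e.prepared_by == e.approved_by]


if __name__ == "__main__":
    findings = reconcile(LEDGER, BANK)
    for kind, items in findings.items():
        for item in items:
            print(f"{kind}: {item}")
    for no in segregation_violations(LEDGER):
        print(f"segregation of duties: check {no} prepared and approved by the same person")
```

Run stand-alone, the script prints one line per exception; in practice the same two functions would be run against the exported ledger and the bank's statement file each month, with every exception documented and cleared by someone other than the person who prepared the checks.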

There are two basic types of fraud risk management activities: prevention and detection. According to Managing the Business Risk of Fraud: A Practical Guide, “Prevention encompasses policies, procedures, training and communication that stop fraud from occurring; whereas detection focuses on activities and techniques that timely recognize whether fraud has occurred or is occurring.” While detection methods are designed specifically to find fraud, they also work to ensure prevention methods are working.

It is important to note that developing these policies and procedures is not enough on its own. After a system is set in place, an organization must work to maintain its policies and procedures and take the time to evaluate their effectiveness.

Despite an organization’s best-laid plans, however, it is important to note that fraud still may happen.

“You could run the tightest ship and have the best fraud risk assessment and put all the best practices in place, and you can still have theft,” Saionzkowski said. “There is no silver bullet. No one thing or combination of things will reduce your risk of fraud to zero.”

For that reason, organizations should have a reporting process, directed by professional and legal standards. The investigative process that follows should be consistent, tracked and able to maintain confidentiality. Having a system in place will improve an organization’s chances of recovering losses, minimizing litigation and reducing damage to its reputation.

While some may grumble about the time and effort it takes to develop a fraud risk management plan, according to Managing the Business Risk of Fraud: A Practical Guide, “Preventing and deterring fraud is significantly less costly than confronting the financial, operational and reputational repercussions that can result from fraud.”

The benefits of a fraud risk management plan are numerous; however, not many organizations have one in place. Even if they do have a basic plan, the organization may not fully understand how best to manage its risk of fraud.

“In those entities that recognize fraud risk, their risk management activities do not always demonstrate an understanding of the specific risks and specific steps being taken to manage the risk,” Saionzkowski said.

Within organizations that manage public funds, having such a plan is a crucial commitment to reducing the risk of loss of taxpayer dollars. Nevertheless, an official plan has to start with leadership.

“The very first thing that has to happen is that management has to see that it is valuable and be committed to it,” Saionzkowski said.

From the top down, it is important for organizations to set a tone that managing their risk of fraud is important to improving the way they conduct business, and, according to Chief Deputy Auditor Hinkle, “…to properly care for the assets entrusted to them.”

More simply put, an organization’s leadership has “to be the champions,” Saionzkowski explained. “Otherwise, the rest of the organization is not going to care, and the entire risk management plan will fail.”