Attention to the risk of significant errors and fraud is a recurring theme throughout The IIA’s International Professional Practices Framework. For example, under mandatory Attribute Standard 1220.A1, internal auditors must exercise due professional care by considering the “probability of significant errors, fraud, or noncompliance.”
In the public and private sectors, errors that slip through normal business cycles are likely unintentional. Fraud is defined in the Standards Glossary as, “Any illegal act characterized by deceit, concealment, or violation of trust” and therefore entails intentionality on the part of the wrongdoer. The dichotomy between what is an unintentional error and what is an intentional fraud may not always be clear cut.
Some audit methods seem better suited to finding errors and fraud than others. Audit methods that rely on representations by management, and by which auditors gain confirmation that controls have operated as intended — such as interviews, control self-assessment checklists, walk-through tests, transaction sampling, and analytical review of reasonableness — can be vulnerable to confirmation bias. Such conclusions could be uncontroversial, but risk internal audit’s reputation if significant errors or fraud come to light at a later date.
Error and fraud can be further obscured by insufficiently negotiated remedial actions at closing meetings with audit clients (see “When Recommendations Go Unaddressed”). Experience over many years suggests that agreed-on actions sometimes linger unfinished, or are implemented less diligently than internal audit intended. It follows that confirmation bias in fieldwork, combined with under-negotiated and then poorly implemented remedial actions, can conspire to hide the possible existence of significant errors and fraud, which occur more frequently than might be expected. One way to minimize the risk of providing false assurance and boost internal audit’s value to the board is to search for the very errors internal controls are intended to prevent.
Looking for Errors
Pursuing significant error and fraud requires hypothesizing about what potentially could occur. Ideally, this is done by harnessing multi-industry experience and creative thinking — starting with the worst conceivable scenarios — and then planning audit fieldwork with the foreknowledge that actual findings may differ from what was hypothesized.
Error detection methods include:
- Cross-matching data that is not normally matched, such as cell phone metadata and building access data.
- Using data mining.
- Using Benford’s Law to highlight unusual transaction deviations.
- Interrogating email content.
- Listening to personnel who may be willing to divulge information about how controls have been bypassed.
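The Benford’s Law check in the list above, as an added example that is not part of the original article: it compares the first-digit distribution of a set of transaction amounts with the expected Benford shares, scores each digit, and flags digits that appear more often than chance allows. The sample data is constructed (a Benford-conforming series plus a cluster of claims just under a hypothetical 5,000 approval threshold); the threshold and the 5% chi-square cut-off are assumptions, not figures from the article.

```python
import math
from collections import Counter

# Benford's Law: the expected share of amounts whose first digit is d is log10(1 + 1/d)
BENFORD = {d: math.log10(1 + 1 / d) for d in range(1, 10)}
CHI_SQ_95_8DF = 15.51  # chi-square critical value, 8 degrees of freedom, 5% significance


def leading_digit(amount):
    """Return the first non-zero digit of an amount (1-9), or None for zero."""
    amount = abs(amount)
    if amount == 0:
        return None
    while amount < 1:
        amount *= 10
    while amount >= 10:
        amount /= 10
    return int(amount)


def benford_report(amounts):
    """Compare the observed first-digit distribution with Benford's Law.
    Returns (chi_square, report); report[d] holds observed and expected counts and a
    z-score for the digit's share, where a positive z means over-represented."""
    digits = [d for d in map(leading_digit, amounts) if d]
    n = len(digits)
    if n == 0:
        raise ValueError("no non-zero amounts to test")
    counts = Counter(digits)
    chi_sq, report = 0.0, {}
    for d, p in BENFORD.items():
        observed, expected = counts.get(d, 0), p * n
        chi_sq += (observed - expected) ** 2 / expected
        z = (observed / n - p) / math.sqrt(p * (1 - p) / n)
        report[d] = {"observed": observed, "expected": round(expected, 1), "z": round(z, 2)}
    return chi_sq, report


def over_represented_digits(report, z_threshold=2.0):
    """Digits whose share exceeds Benford's expectation by more than z_threshold standard errors."""
    return [d for d, r in report.items() if r["z"] > z_threshold]


def constructed_sample():
    """Constructed data (not real transactions): a geometric series, which conforms to
    Benford, plus 60 claims clustered just below an assumed 5,000 approval threshold."""
    clean = [round(13.7 * 1.07 ** k, 2) for k in range(300)]
    suspicious = clean + [4700.0 + 5 * i for i in range(60)]
    return clean, suspicious


if __name__ == "__main__":
    for label, data in zip(("clean", "suspicious"), constructed_sample()):
        chi_sq, report = benford_report(data)
        print(label, "chi-square %.1f" % chi_sq, "over-represented:", over_represented_digits(report))
```

A flagged digit is a lead, not a finding: the next step is to pull the transactions behind it and look for the threshold, split invoice or rounding behaviour that produced the cluster.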
Internal audit has an edge: it normally has data mining tools at its fingertips, a network of trusted contacts across the organization who can be valuable sources of information, and a wide view of end-to-end processes, whereas many employees are limited to the perspective of their own department. By leveraging these advantages, internal audit can see what may be invisible to others.
It is easier to persuade management of the impact of a weak control when an actual error with a quantifiable impact has been found than when internal audit can only surmise that an unproven control failure might cause a financial loss. Internal audit has a strong argument for process improvement, and management a weakened defense, if an actual error or multiple errors are tabled for discussion at the closing meeting.
Through hypothesizing error and fraud scenarios in our audit planning across various organizations, my internal audit team has been able to boost its reputation for findings that translated into fast management responses, material dollar recoveries, and, in more than a few cases, personnel changes that were long overdue.
Case No. 1. By seeking deposit limit exceedances, internal audit found £75 million (US$99 million) in treasury deposits at a British infrastructure services company intended to maximize bank interest, but that significantly exceeded board-approved deposit limits with those financial institutions. Management had elevated its own self-interest in maximizing revenue-based personal bonuses while circumventing the board’s risk appetite. Management self-interest has been a frequently observed bias that has come to light in error-seeking audits.
Case No. 2. Internal auditors found AU$60 million (US$47 million) in a single bank account at an Australian transport company earning zero interest, owing to management’s inattention to value-for-money. The board agreed the money should have been invested at low risk across several institutions for interest earnings of at least AU$900,000 (US$705,000) per year. In both Case No. 1 and Case No. 2, the lack of a treasury report concealed from the board how funds in treasury were stewarded, resulting in the discovery of material cash held in the wrong places.
Case No. 3. By constructing numerous error hypotheses before and during fieldwork, internal audit found £8 million (US$10.5 million) in erroneous overcharges by maintenance subcontractors of a British engineering company. There were approximately 50 separate error and fraud findings hidden in aggregated lump-sum claims for payment that client management had signed off with inadequate due diligence checks before payment approval. Although multiple management sign-offs had occurred up to the CEO, each had assumed the manager below had performed detailed checks on the subcontractor charges. Once internal audit quantified the overcharges, nearly all were recoverable without any need for lawyers. A surprise dividend arising from this audit was that when the engineering company’s CEO was subsequently promoted to a more senior CEO position at a larger firm, he took the chief audit executive (CAE) with him.
Case No. 4. When reviewing the general ledger for unmanaged assets, £4 million (US$5.3 million) in overdue, uncollected debt was found at the British subsidiary of a U.S. parent company. The debt had escaped credit control’s attention as it was from nonroutine customers that fell outside normal business, therefore bypassing routine debtors reporting. Yet 50 percent remained collectible, resulting in a £2 million (US$2.6 million) windfall cash inflow and a cleaner balance sheet.
Case No. 5. Accounts payable had failed to detect AU$2 million (US$1.6 million) in duplicate payments to suppliers across different clients in retail, transportation, government, and engineering. Although the accounts payable systems were capable of detecting the duplicates before payment, unbeknownst to senior management, those system warnings had been switched off or were ignored by local supervisors. Internal audit used its knowledge of the controls that should have been in place to independently perform data mining checks specifically targeting undetected duplicates. To our surprise, dozens were found. Management recovered the overpaid amounts from the suppliers and switched back on the inbuilt accounts payable system controls.
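The duplicate-payment check described in Case No. 5, as an added example that is not the audit team’s own tooling: it reproduces the two checks an accounts payable system is normally configured to run before paying, namely an exact match on vendor, normalised invoice number and amount, and a near match on vendor and amount under a different reference within a short window. The ledger, vendor names and 30-day window are constructed assumptions for this example.

```python
import re
from datetime import date


def normalize_invoice(ref):
    """Collapse 'INV-0042', 'inv 42' and 'INV 0042' to one key: drop punctuation and
    spaces, upper-case, and strip leading zeros after any alphabetic prefix."""
    core = re.sub(r"[^A-Z0-9]", "", ref.upper())
    return re.sub(r"^([A-Z]*)0+", r"\1", core) or "0"


def find_duplicate_payments(payments, window_days=30):
    """Check 1: exact duplicates (same vendor, normalised invoice number and amount).
    Check 2: same vendor and amount under a different reference, paid within
    window_days of each other (a re-keyed invoice); identical amounts months apart
    are left alone as likely recurring charges.
    Returns a list of (reason, index_a, index_b) tuples into payments."""
    flagged, seen = [], {}
    for i, p in enumerate(payments):
        key = (p["vendor"].strip().upper(), normalize_invoice(p["invoice"]), round(p["amount"], 2))
        if key in seen:
            flagged.append(("same vendor, invoice and amount", seen[key], i))
        else:
            seen[key] = i
    for i, a in enumerate(payments):
        for j in range(i + 1, len(payments)):
            b = payments[j]
            same_vendor = a["vendor"].strip().upper() == b["vendor"].strip().upper()
            same_amount = round(a["amount"], 2) == round(b["amount"], 2)
            same_ref = normalize_invoice(a["invoice"]) == normalize_invoice(b["invoice"])
            close_in_time = abs((a["paid"] - b["paid"]).days) <= window_days
            if same_vendor and same_amount and not same_ref and close_in_time:
                flagged.append(("same vendor and amount within %d days" % window_days, i, j))
    return flagged


# Constructed sample ledger; vendors, references and dates are invented for this example.
PAYMENTS = [
    {"vendor": "Acme Maintenance Ltd", "invoice": "INV-0042", "amount": 12500.00, "paid": date(2023, 3, 1)},
    {"vendor": "ACME MAINTENANCE LTD ", "invoice": "inv 42", "amount": 12500.00, "paid": date(2023, 3, 15)},
    {"vendor": "Acme Maintenance Ltd", "invoice": "INV-0043", "amount": 980.50, "paid": date(2023, 3, 2)},
    {"vendor": "Acme Maintenance Ltd", "invoice": "INV-0051", "amount": 980.50, "paid": date(2023, 3, 20)},
    {"vendor": "Acme Maintenance Ltd", "invoice": "INV-0099", "amount": 980.50, "paid": date(2023, 9, 1)},
    {"vendor": "Bolt Supplies", "invoice": "7781", "amount": 310.00, "paid": date(2023, 3, 5)},
]

if __name__ == "__main__":
    for reason, i, j in find_duplicate_payments(PAYMENTS):
        print(reason, "->", PAYMENTS[i]["invoice"], "and", PAYMENTS[j]["invoice"])
```

Running the same logic independently of the payment system is what catches the case in the article: if the system’s own warnings have been switched off, the duplicates still surface here.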
Case No. 6. Internal auditors uncovered AU$1 million (US$788,000) in fraudulent sick leave and unrecorded annual leave by employees of an Australian transport company by hypothesizing that vacation fraud was possible and seeking errors through cross-matching payroll data to cell phone usage, vehicle usage, and building entry data. At first, management tried to argue that internal audit had breached privacy regulations by analyzing the whereabouts of employees. But the CAE proved that use of the organization’s own telecommunications metadata to investigate employee whereabouts during work hours was allowable under local privacy regulations. The audit concluded not only that employee culture was in need of repair, but also that the supervisory culture was abysmal, resulting in several management changes. This had a favorable effect on workforce productivity, balance sheet leave liabilities, and overtime costs, which had been incurred as a direct result of employees taking false leave over many years.
Case No. 7. In a case reflecting significant error and fraud, internal audit found motor vehicle usage policies that were poorly written and weakly applied at two separate companies. Moreover, the outside leasing companies had stacked risks and rewards of lease charges in their own favor. As a result, motor vehicles were being used fraudulently for nonbusiness purposes, the parent organizations were unaware of driver license cancellations because of nonexistent driver declarations, vehicle accident rates were worsening with consequent increases in insurance premiums because of unchecked driving records, and the leasing companies were charging unwarranted end-of-lease penalties. Although the companies could not recover past costs, they each avoided AU$1 million (US$780,000) in annual future costs through policy and control improvements resulting from the audit.
Case No. 8. Sometimes error and fraud come to light through internal audit’s network of contacts. A vague but critical tip-off from a concerned staff member disclosed that the chief financial officer (CFO) shared proprietary board information with an IT firm bidding on multimillion-dollar contracts, and that the CFO was a director and shareholder of that IT firm. Audit confirmed the related-party connection with the securities regulator, and then used its charter access rights to study the CFO’s emails and cell phone records to verify the passing of proprietary information. In doing so, new, unexpected wrongdoings also came to light. The company terminated the CFO, fixed its conflict of interest procedure, recovered some historic costs, and stopped multimillion-dollar future overspend.
These cases illustrate the diversity of policy, risk management, system, procedural, and contractual failings that are discoverable through seeking significant errors and fraud when planning and executing audits.
Appreciation of internal audit’s role and reputation as the board’s champion improved noticeably across the organizations when hard-to-dispute evidence of material error was tabled for discussion. Remedial actions followed quickly. Often, before the audit report was issued, controls were improved, costs were recovered, future costs were avoided, and — in the worst cases — offenders moved on.
Boards prefer it when errors are discovered early through internal audit’s error-seeking vigilance rather than after the event by public whistleblowing, external audit, regulators, or the media. Even if an error-seeking methodology finds no wrongdoing, that in itself is a strong, albeit not absolute, form of assurance on the effectiveness of controls.