How often have you noted significant anomalies during an audit or investigation, only to learn that each area of concern had a legitimate explanation? However objectively we approach a given task, it's natural for our thoughts to bend to incongruities captured in raw data. What we can't justify immediately, we often suspect irrationally and leap headfirst into an auditor's nefarious abyss: What are they hiding, how can we reveal it, and when do we expose the truth?
Most auditors have likely either witnessed or participated in this behavior at one point in their career. But are we doing enough to address it? Given the speed of technology, ease of communication, vulnerabilities of data, and general lack of privacy, it's imperative that internal auditors look before they leap. We need to understand that any needless, careless, and unsubstantiated conversations, communication, and banter may have adverse consequences.
An audit investigation executed some time ago serves as an excellent example of why our professionalism, objectivity, and investigative skills are critical for accuracy and accountability — and necessary to avoid jumping to conclusions.
The Fraud That Really Wasn't
The assignment involved an audit of a foreign third-party service provider, prompted by a tip that something was amiss. Initially, the auditors looked at numerous data points. They began with low-hanging fruit — the invoicing process.
A query of the provider's invoicing revealed common irregularities, including absence of information, lack of agreed rates, omission of details for charges, and the appearance of inflated charges. As the team gathered and analyzed more data, the lead auditor discovered numerous redundant invoices with differing sums.
The team also found that there was no current contract with the service provider, and that the provider did not maintain a physical office in the country. What's more, the review had revealed an invoicing discrepancy of nearly $3.5 million. The audit team, certain they had uncovered a major fraud, embarked on fanatical "gotcha" quest: The communication was lively, the chatter was loud, and the conspiracy theories ran wild.
The hastily drawn conclusion: A shell company had been formed with intent to defraud. The auditors informed management, affected departments, and legal. Everyone was on alert.
Case solved? Not exactly. Management realized the chaos had compromised the audit's integrity and objectivity. The scope had been lost, conclusions weren't confirmed, and costs were bloating. The audit was then reassigned.
The incoming team was tasked with performing the same audit. However, it had no vested interest in either party, and it wasn't exposed to the prior atmosphere. The goal was simple: Conduct a comprehensive audit and investigation (per the original scope), sequester noise, analyze the facts, and find the disconnects, if any.
The new team confirmed that invoicing was, indeed, a mess, noting the same issues as the previous auditors. But how it got to that point had yet to be explored.
The auditors found zero omission of key metrics on the service provider's invoices. However, they did notice a limitation in the amount of data the client's accounts payable system could process. The service provider was unaware of this issue, and the accounts payable team never questioned the lack of substantiating evidence.
The internal auditors then met with the service provider's accounting team, which showed them a spreadsheet it used to create and calculate invoices. Upon close examination, internal audit found that the spreadsheet's calculation formulas were incorrect.
The auditors also found that the client's invoicing receipt system did not allow the service provider to tag an original invoice for errors. Instead, invoices were cancelled and reissued under a new date and number. The difference in amounts spotted by the previous auditors was due to the fluctuation of the foreign exchange rates at the time of resubmittal. Moreover, the service provider was performing work based on an expired contract — of which neither the client nor the provider was aware.
Lastly, the provider's lack of a physical office in the country where the work was performed and sourced proved to be a nonissue. The provider used a shared office space that had no impact on its day-to-day operations.
With these details revealed, reports were then filed and accusations of fraud were put to rest. The service provider relationship remained fully intact; case closed. And of course, this outcome differed vastly from the gloomy picture depicted by the original auditors.
Don't Trigger a False Alarm
It's imperative that we remind ourselves — as well as new colleagues, trainees, and graduates — about the importance of differentiating fog and smoke, and prematurely yelling "fire." As internal auditors, we must conduct business in the most objective and professional manner. When we panic, our clients panic.
There will always be red flags — poring over an area long enough inevitably reveals them. How we approach, analyze, and communicate issues is what can often differentiate a legitimate finding from a false alarm.