In this episode of THE SAMPLE, Leita Hart-Fanta, CPA, discusses the three big steps in auditing for fraud detection.
Welcome to The Sample, a quick discussion of auditing concepts and terms that will help you do your work. Conducting an audit in accordance with auditing standards is no small feat and I want to support you. We’ll be referring to the GAO, IIA and AICPA literature to bolster our conversations. Let’s get started.
Transcript
In this episode, let’s talk about what it means when we say we’re auditing for fraud detection. We have a responsibility under AICPA and Yellow Book standards – performance audit standards, financial audit standards in the Yellow Book – to do some due diligence procedures for fraud, and they’re very specific about what those auditing for fraud detection procedures are. In general, I call this the audit trifecta. We are asked to go through a series of three basic steps whenever the GAO or the AICPA want us to use our brain; for instance, when we’re assessing risk for the whole project or planning our entire project.
Also, when we are assessing our independence, we go through this trifecta. And when it comes to fraud, we go through this trifecta too. The bigger steps are: gain an understanding, assess risk, and then respond to those risks. But when it comes to fraud, both sets of standards, AICPA and the GAO, are very specific on exactly what you need to do and document that you’ve done this stuff.
So, they want you to ask some very specific questions. Let’s go to this first orange box over here. Some very specific and almost rude questions of key players that are relevant to your audit subject. If you’re doing a financial audit, of course, you talk to the accounting folks. If you’re doing a performance audit, you talk to the programmatic folks and you come just shy of accusing them of committing fraud.
You say things like, “If fraud were to occur here, what would that look like?” Then you consider influences. You consider what kind of pressures they’re under, that could encourage them or allow them to commit fraud. And then you brainstorm with your team. You sit down with them and you brainstorm all these possible ideas. Once you do that, you need to filter through those ideas.
We’re going to move to the blue box now. You filter through those ideas and decide which ones are actually probable. You rank them for magnitude and likelihood. And then you consider whether they have any controls in place to prevent these frauds. And if you’re still going, “I don’t know. I think this fraud is probable or could actually happen,” then you do some testing to make sure that fraud is not occurring, right? So here is the AICPA quote about fraud.
Now this is the general quote. Here’s what the AICPA says. Now, of course they have bailiwick over financial audits, but know that the GAO in the Yellow Book copies what the AICPA says here. The AICPA is the leader when it comes to fraud literature for auditors. The leader for fraud literature in general is the Certified Fraud Examiners, right? But here is what they want you to do when it comes to fraud. And notice, again, it’s that three-step process: gain an understanding of the subject, assess risk, and then respond to the risk that you identified.
Now, if you are following performance audit standards in the Yellow Book, you’re actually not required to ask the rude questions. If you’re doing a financial audit under the Yellow Book, you are. If you’re following just flat out AICPA standards, you are. But under Yellow Book performance audit standards, you are not required to ask the rude questions, although it’s a pretty good idea to do that.
Here are the Yellow Book quotes that I’ve highlighted regarding auditing for fraud detection. There are only four paragraphs that address fraud in the Yellow Book Performance Audit Standards. Notice I’ve highlighted gather and assess information, which is step one in the trifecta in order to assess risk, which is the second step of the trifecta. And then alter your audit procedures or extend your audit steps and procedures, to address that fraud possibility that you came up with in your brainstorming, in your risk assessment.
Here are another couple of paragraphs and it defines fraud in the first paragraph up there, 8.73. 8.74 says you may obtain information through discussion with officials. Whenever the Yellow Book uses the word “may,” it means you don’t have to do it. And this is saying you don’t have to ask those rude fraud questions that are recommended by the AICPA. This is optional, but it’s a good idea.
I also want to point out something else. I’m going to take one of those same paragraphs we just looked at and highlight a different sentence, because I want you to know that you are not responsible for fraud across the entire organization, but only within the context of your audit objectives.
And that’s why you’re going to want your audit objectives to be as tight and clear as possible, because you just want to work within the boundaries of your objective, and not be responsible for auditing for fraud detection across the entire entity. So that was the audit trifecta. In future videos, I’m going to talk to you about how you can make sure that your fraud brainstorming is actually complete, and that’s with something called the fraud tree.
I’ll introduce that in a future video. We also want to address the classic fraud triangle, which actually helps you with discussing influences, but also with filtering risk for magnitude and likelihood. And then of course, we’ve got our old friend, the COSO model when it comes to controls, and I’ve already done a few videos about our friend, the COSO model. Each of these steps has a spot where we can refer either to the standards or to one of these models, and in future videos I’ll be talking about the fraud tree and the fraud triangle.
Would you like to learn a little bit more about auditing for fraud detection and earn some CPE at the same time? Check out our fraud bundle for more information; it’s available on the website and it’s over 20 hours of continuing education credit, three different courses. We cover the fraud tree, the fraud triangle, the audit trifecta and the COSO model.
That wraps it up for another episode of The Sample. True to the nature of a sample, we didn’t talk about everything, so you’ve probably got questions. Write to me at leita@yellowbook-cpe.com and I’ll do my best to fill in the blanks. Thanks for playing.