You are probably reading this because another huge financial scandal is threatening to destroy the economy and you are wondering why auditors fail to detect fraud.
First of all, we auditors don’t appreciate being told that we failed!
Secondly, it isn’t reasonable to lay the onus on auditors. Yes, I know you want someone to blame, but I just can’t let you scapegoat us anymore!
I guess we auditors should be flattered that you think we are so powerful and omnipresent that we can use our x-ray vision to uncover the dastardly deeds of every villainous fraudster, but the truth is we are just a tiny little battalion of professionals fighting an uphill battle. The Certified Fraud Examiners estimate that $4.5 trillion is lost to fraud every year. Yes, trillion with a T.
In the hopes that you will never blame us again, I will share a few reasons why auditors fail to detect fraud:
- Fraudsters purposely deceive us.
- We don’t audit what you think we are auditing!
- Management is responsible for preventing and detecting fraud, not us!
- Auditors are seriously outnumbered.
- And even though we perform all kinds of fancy procedures to uncover fraud, they don’t really work!
1. Fraudsters purposely deceive us.
Fraudsters are sneaky. They figure out the gaps in controls and then do everything they can to cover their trail. They want to keep the assets they stole and are adept at inventing creative ways to trick an unsuspecting auditor into believing that everything is okay.
Consider this story: An auditor visited an oil refinery every year to ensure that the gallons of oil that the company claimed existed actually existed. Every summer, the auditor climbed to the top of tank that was four stories tall (yes, auditors put themselves in physical danger for you!) and stuck a broomstick into the tank as a dipstick. And every summer, the auditor concluded that since he found oil on the broomstick, the tank was full of oil.
That poor, deceived auditor. He didn’t realize that the auditee had filled the tank with water and just enough oil to cover the broomstick. If only that auditor had made Italian salad dressing just once, he would have realized that oil floats. But, the sad truth is that most auditors prefer ranch dressing. 🙂
2. We don’t audit what you think we are auditing!
I bet you think auditors are working to uncover wrongdoing in every corner of your organization.
Hello! Come on! Auditors cannot – and do not – look at everything.
Auditors sample. Auditors visit – at best – infrequently. And on top of that, auditors don’t like their audit projects to have birthdays, so they limit the scope and objectives of each visit.
For instance, let’s say an auditor wants to know if a state sponsored nursing home in Tuscaloosa has installed fire alarms. And let’s say that in order to verify that alarms have been installed, the auditor asks the accounting clerk at this nursing home to send the auditor a copy of the invoice and a picture of the fire alarm proving that the alarm was installed. The clerk sends the invoice and the picture, the auditor thanks them for helping, and that is the end of the audit.
But what if this same accounting clerk in Tuscaloosa has been writing checks to herself and selling the prescription drugs that she stole from the nursing home pharmacy out of the back of her car in a dark alley? The auditor is obviously not going to see that craziness because cash and drugs are not part of the auditor’s audit objective and scope, but someone working at the home should. And that gets me to my next point…
3. Management is responsible for preventing and detecting fraud, not us!
It is not the auditor’s job to uncover every whacky employee behavior. That is management’s job.
Management is responsible for establishing the controls that prevent fraud.
Here is what the Green Book (Standards for Internal Control in the Federal Government) has to say about that:
OV2.14 Management is directly responsible for all activities of an entity, including the design, implementation, and operating effectiveness of an entity’s internal control system.
4. Auditors are seriously outnumbered.
So on top of people lying to us, thinking we should be looking at things we don’t look at, and trying to lay their responsibility on us, we are seriously, seriously outnumbered.
Maybe you’ve heard of the student to teacher ratio? A private school might boast of one teacher for every 15 students so that every precious, little student gets the personal attention they deserve.
Well, there is no way auditors can give every corner of an organization or every employee the attention they deserve. It isn’t uncommon for an auditor to be outnumbered 1000 to 1.
And don’t you think that somewhere in that 1000, there is gonna be one bad kid – excuse me, fraudster – who is stirring up some trouble and bypassing controls?
5. And even though we perform all kinds of fancy procedures to uncover fraud, they don’t really work!
But you know what? Even against all odds, we auditors still give it the old college try. The AICPA and the GAO mandate a number of due diligence steps in their auditing standards that are intended to help the auditor detect fraud within their limited audit scope.
In my experience, however, auditors very rarely uncover fraud with these procedures. Why? Refer to reasons 1-4.
Here is a summary of the procedures if you are interested:
- Define the audit objective.
- Ask pointed questions of employees and organizational leaders: how could fraud occur in their organization and did fraud occur?
- Consider factors that could move someone to commit fraud.
- Brainstorm fraud risk with the audit team.
- Filter the fraud risks from the brainstorming session for magnitude and likelihood.
- Apply existing internal controls and rate the strength of controls.
- Test key controls.
- Respond to risks that are not adequately controlled by performing audit tests to verify that fraud did not occur.
Per the Certified Fraud Examiner’s 2020 Report to the Nations, 49% of known frauds are uncovered from tips, accident and confessions. Internal and external audits – combined – find only 19% of known frauds.
And those five reasons are just some of the reasons why auditors fail to detect fraud.
So what good is an auditor, then?
At this point, you might be saying to yourself, “So, if an auditor isn’t working to uncover fraud, what are they doing? What good are they anyway?”
Thank you! Because if you are asking the question, my snarky little article has done its job. You now (hopefully) will stop blaming auditors for fraud that is not their fault or their responsibility.
What auditors ARE good at is giving leaders and the public independent, objective assurance that something is true. You don’t want to trust that crazy fraudster in the Tuscaloosa nursing home to tell the truth about installing fire alarms, do you?
And auditors are also experts when it comes to controls that you can put in place (pause to notice that wording there: that YOU can put in place) to make sure fraud doesn’t strike you or those you love. If you are nice to them, and stop blaming them for things they can’t control, maybe your auditors will deign to share their knowledge with you.
As always, thanks for reading!
For More Info:
An Auditor’s Responsibilities for Fraud in the Government Environment
The Little Book of Local Government Fraud