According to a 2016 ACFE Report, 82% of companies utilize annual financial audits as a common anti-fraud control.
According to the AICPA, an external audit is performed by an independent body, which audits the financial accounts and provides an opinion on whether or not they are a true reflection of the company’s financial position in accordance with GAAP. As part of this, external auditors evaluate the internal controls put in place to manage risks that could affect the financial accounts, to determine whether they are working as intended. They must assert whether the financial statements are free of material misstatement, whether due to error or fraud.
How much fraud are external auditors actually uncovering? Surprisingly, it’s just a paltry 4%.
Let’s dig deeper into the heart of an external audit - sample testing, which inherently means not every transaction is reviewed. If only a select number of transactions are reviewed, then only a select number of fraudulent ones will be caught.
Here are 3 reasons why sampling is just not enough:
- Auditors use a materiality threshold to identify their sample set, and they use the same threshold year after year, such that employees and management are aware of the amount. The lower dollar value items are hardly ever sampled, creating an opportunity for manipulating accounting records or submitting multiple low dollar transactions without the risk of being caught by auditors.
- The inherent limitation with sampling is that not all transactions are tested. Asking auditors to review all transactions would be impossible, due to the sheer size and cost of such a request. However, there are 100% real-time monitoring solutions for T&E compliance that can be implemented, like AppZen.
- Auditors review transactions on a historical basis - meaning they are often reviewing transactions that occurred 1 year ago. Even if they identify a transaction that lacks supporting documentation, the employee will rarely be able to provide that documentation 1 year after the fact.
So if an external audit is not meant to catch fraud, then what is? Focus on the design, implementation, and maintenance of your internal controls to create a culture of compliance. There are several alternative ways to identify and deter fraud. The first step is to create a continuous monitoring process to review 100% of documents (be that T&E, AP, etc.) as opposed to relying on sampling. Second, a recent report shows 55% of fraud was detected by a tip (39%) or an internal audit (16%). Employees provided over 50% of tips, followed by customers and vendors. Consider setting up a telephone hotline service or online form to encourage reporting suspicious behavior.
By the time your external auditor uncovers fraud it is usually too late to prevent significant financial damage, and almost always too late to prevent the reputational damage that follows. Fraud can never be completely eliminated, but it can be minimized by establishing an environment in which ethical behavior is expected.
About the Author
Meena is an expert in forensic accounting, FCPA investigations, data analysis, compliance and fraud prevention with 6+ years of experience within PricewaterhouseCoopers' Risk and Fraud Consulting Practice. You can reach her at firstname.lastname@example.org