Association of Local Government Auditors

Fraud Detection is often associated with data mining, ACL, and Benford's Law.  All of these are innovative and effective methods for detecting fraud, some of which I've incorporated in my own projects.  However, the Association of Certified Fraud Examiners (ACFE) listed tips as the most common detection method in every Report to the Nations Study since 2002.  In the 2010 Report to the Nations, over 40% of reported frauds were detected by a tip and over 13% were detected by Internal Audit.  These statistics suggest that marketing your fraud hotline and planning audits to adequately assess the risk of fraud are critical to detecting fraud in an organization. This article will provide some insight on both of these fraud detection methods.

Marketing the Fraud Hotline

Several years ago an employee wishing to report several violations of our City Code was referred to our department through his human resources representative.  During our initial meeting, we informed him of our role in the City and the various methods for reporting fraud, waste, or abuse.  His reply was, "This is great!  You should let employees know what you do because no one knows you exist." 

While this was difficult to hear, the employee had a point.  A hotline that doesn't ring does not equate to assurance that you have an organization free from fraud, waste, or abuse.  Instead, it means that employees are simply not reporting the fraud, waste, and abuse that are occurring.  In our case, although allegations were regularly streaming in, it was clear that we weren't doing a good enough job reaching out to all employees.

It is true that employees may not report fraud, waste, or abuse due to the fear of retaliation.  However, they also may not report it simply because they're not aware of your organization's reporting methods.  Audit's role in dealing with retaliation is often limited to keeping informant information confidential to avoid the potential for retaliation; however, there's a lot an audit organization can do to ensure employees know where to report fraud, waste, and abuse.

Many organizations touch on reporting fraud during new employee orientation, but it shouldn't end there.  An audit organization must continue to reinforce what constitutes fraud, waste, and abuse and what to do about it if employees see it occurring. 

Audit organizations can also take advantage of the following opportunities for keeping employees aware of their role in fraud detection:

• Mandatory ethics training
• Human Resources newsletters/communications
• Back of Audit business cards
• Specialized business cards just for the hotline
• Organization Intranet site
• Partnering with Human Resources and/or your Ethics Officer

Another aspect that is often overlooked is ensuring your employees have multiple avenues available to them to report fraud, waste, and abuse.  In our organization, besides a fraud hotline, we also maintain an online reporting form and an email account dedicated to this cause.  Whenever possible, we also provide employees and citizens with our direct contact information and the ability to notify us directly if they like.  Finally, we always stress that even if the identity of the informant is known, the informant can still choose to remain anonymous. 

Planning Audits to Detect Fraud

If our function is the second most common method of detecting fraud, we auditors have a great responsibility to dedicate time and resources towards identifying potential fraud, waste, and abuse.  As I mentioned earlier, data mining using advanced software programs and Benford's Law certainly have their place.  However, I also believe that these methods are somewhat narrowly focused, require significant investments in training and preparation to be effective, and are often most useful during fieldwork as opposed to planning.  In my opinion, implementing a robust fraud planning process during each and every audit is a more effective route to identifying fraud, waste, and abuse in an organization. 

Both the Yellow and Red Books have become more explicit over the years regarding the auditor's responsibility related to fraud.  Both contain requirements for the auditor to:

• Assess potential fraud risk as part of planning,
• Evaluate and conduct testing related identified fraud risks, and
• Report identified fraud.

The rest of this article will focus on the planning phase, and the fraud risk planning process we've developed in Austin.  Previously, our audit teams conducted a meeting amongst themselves to brainstorm possible frauds related to the audit objectives.  This meeting typically involved useful discussion, but the primary result was meeting the standards rather than identifying potential fraud.  While this type of fraud risk planning process can be useful, there is significant room for improvement.  Over the last few years, we've developed a process that continues to meet the standards, but is more focused on achieving the intent of the standards: identifying fraud risk.

The Process in Detail

The foundation of the process we've developed is leveraging the expertise of your organization's investigative group.  In Austin, that group is the City Auditor's Integrity Unit.  Audit shops that don't have an internal investigative unit can execute this process just as easily.  Even though they may not have investigative responsibilities, many auditors possess the expertise necessary to accomplish much of this process.  In addition, organizations maintain investigative groups in a variety of departments, which your audit shop can use as a resource.  The following are some possibilities:

• Office of the Inspector General
• Human Resources Department
• Law Department
• Law Enforcement Entity
• Ethics Office

Once the investigative group is identified, the process below can be considered. 

1. Request and review prior allegations and investigations relative to the auditee.
2. Meet with the investigative group to discuss the allegations/cases in further detail and brainstorm potential fraud risks and planning steps to address those risks.
3. Conduct planning steps based on identified risks in Step 2.
4. Meet with investigators to discuss planning results related to fraud risks (relevant to the audit objectives and scope). Develop fieldwork steps focused on fraud risk controls and detection of fraudulent transactions/events.
5. Auditors conduct fieldwork steps prepared in Step 4 (It is sometimes helpful to have an investigator assist in the completion of the fraud related fieldwork steps).
6. Meet with the investigative group to discuss fieldwork results and determine next steps.
7. Refer any significant fraud, waste, or abuse to the appropriate investigative authority.
8. Auditors report on identified fraud within the audit scope and objectives.

This process may appear voluminous and time demanding, but the results far outweigh the costs.  Our audit teams have identified numerous areas vulnerable to fraud throughout the City of Austin and have made recommendations to address those risks.  In addition, several audits have identified allegations of fraud, which were referred to our investigative group for successful investigation.  In one instance, an auditor even obtained an unexpected admission.  Beyond the direct fraud related results, our staff has also benefited in other ways.  Our investigative staff now has more audit related experience and our auditors have broadened their fraud expertise by approaching the audit from a fraud risk perspective.