Association of Local Government Auditors

Government auditing standards require that we seek out fraud.  Yet, how successful are we at finding fraud? If our job is to find fraud and we consistently fail to do so, what can we do to change?

In this article, we will argue that, while auditors are expected to hunt for and find fraud where it occurs, auditors do not commonly accomplish this function. Finding fraud typically requires specialized training in areas such as forensic auditing. Most financial and performance auditors receive limited theoretical fraud training, but rarely receive practical training in techniques proven effective at finding fraud.

Frankly, we waste time discussing, training, and obsessing over finding fraud when studies show that auditors only find 15% of fraud.  The auditing profession might improve its effectiveness by redirecting its energies toward fraud prevention through improved internal controls. We suggest that the auditing community can make improvements in two ways. First, auditors can increase the level of forensic expertise throughout the auditing community with increased opportunities for specialized training.  Second, auditors can effectively influence fraud prevention by helping organizations improve their internal controls. By gaining the trust of employees and maintaining organizational alliances between auditors and auditees, auditors have the greatest chance of having a role in decreasing fraud.

Why do auditors look for fraud?

Public pressure on the auditing profession to "do our part" in finding fraud is understandable. Unfortunately, when fraud occurs, both the perpetrators and the auditors are blamed because the auditors "should have caught it." The assumption that people make is that it is the role of auditors to find fraud. Indeed, many in the auditing community support this notion.  We conduct fraud training with the implicit assumption that one of us could find the next "smoking gun" of fraud, but fail to question whether we have the ability to successfully find it.

Auditors look for fraud because the Government Auditing Standards (Yellowbook) requires it. GAGAS Standard 6.30 of the 2011 Yellowbook exposure draft states, "In planning the audit, auditors should assess the risk of fraud occurring that is significant within the context of the audit objectives." According to Standard 6.31, if an auditor determines there is a risk of fraud in the system, the auditor should "design procedures to obtain reasonable assurance of detecting such fraud." Therefore, the Yellowbook requires auditors to first perform a risk assessment as part of audit planning, and then to test items in that risk assessment in order to find fraud where it occurs.

Are auditors successful at finding fraud?

The Yellowbook requires that we conduct a fraud risk assessment and few would question the merits of doing so. Because corporate and government fraud is front page news and the public assigns auditors the task of finding fraud, the auditing community has increased fraud training opportunities. Indeed, at the 2011 ALGA conference, nearly 20% of the training hours provided related to the issue of fraud. Training is focused primarily on the fraud triangle (pressure, rationalization, opportunity) or other mechanisms for looking at fraud, but not tools to look for fraud. These topics assist auditors in performing a risk assessment, but they do not help them "design procedures to obtain reasonable assurance of detecting such fraud."  Detecting fraud requires forensic auditing skills that are not commonly taught outside of specialized certification.

Indeed, auditors are rarely the ones who find fraud in organizations. According to the Association of Certified Fraud Examiners' most recent "Report to the Nation on Occupational Fraud and Abuse", only 15% of fraud cases are found by internal auditors in government organizations. Put differently, 85% of the time fraud is uncovered, internal auditors were completely uninvolved. We are not failing to do good audit work.  Audit work simply does not include effective fraud detection methods. 

Thus, the financial and performance auditing professions must make two changes: 1) change the way we train and apply some of the specialized training for forensic auditors to all auditing practices, and 2) change our focus from finding fraud to preventing fraud by helping organizations to strengthen their internal controls. In other words, we need new skills to match what we say we do and we need to change what we say we do to match the skills we have.

Reframing the discussion about internal controls

Strengthening internal controls requires more than just continuing to do what we have always done.  It means building stronger relationships with the organizations we audit.  Auditors can be better advocates for internal controls by changing the way we discuss controls with our auditees. Auditors tend to frame the issue of internal controls with: 1) people are doing bad things; 2) we need to catch bad people doing those bad things; and 3) we need to make sure that no one else can do bad things in the future.  Strong internal controls should accomplish the goal of "catching the bad people" (or mitigating the "opportunity" corner of the fraud triangle).  However, this type of assertion is often met by the auditee with defensiveness or disregard. 

The hard working, dedicated people we audit do not identify themselves or their colleagues with the "bad people" the auditors are looking for. If you question whether our tendency to frame internal controls in this manner has done damage to our professional credibility, ask any non-auditor you know to tell you what they think about IRS auditors.  Chances are they will say (or at least imply) that the auditors make life difficult for "good people".  Our professional skepticism often leads us to assume (or imply) the worst about employees while their professional integrity demands that they defend themselves against such assumptions. Our assertion, coupled with the unavoidable fact that we rarely actually catch people engaged in willfully bad (fraudulent) acts, at best makes our recommendations regarding improved internal controls easy to ignore and, at worst, decreases our appearance of impartiality and thus undermines our professional credibility.

Instead, auditors could make the assumption that internal controls afford management the ability to demonstrate the integrity of their employees and the organization if concerns are raised. Internal controls, in addition to protecting against fraud (either by preventing it altogether or increasing the likelihood of getting caught), also serve the purpose of protecting honest employees from false allegations. We can reframe the discussion to demonstrate how strong internal controls make it less likely that good people and organizations will be accused of fraud that did not and could not have occurred.  Locking one's car door does not imply that the driver is a criminal.  Rather, it makes it more difficult for those who are criminal to victimize the car owner.  Advocating for strengthening internal controls does not, therefore, have to be an accusation of wrong-doing. Instead, it can allow auditors and management to come together to strengthen the organization's ability to both prevent wrong-doing and provide evidence to demonstrate the good work being done. Additionally, given that the majority of fraud is found through tips (46% according to the ACFE), increasing public and employee trust in the auditor's office may increase the likelihood of fraud being reported. After all, the auditing profession's focus on finding fraud does not come from a professional ego, but a genuine desire for better government with the highest integrity.

Conclusion

Auditors do not currently find fraud with any frequency because we do not have the necessary skills to search for and find it when it occurs. We do not have those skills because we are not trained to have those skills. If we want to find fraud, we should change the way auditors are trained, including expertise in forensics as an integral portion of the auditor skill set. If we want to prevent fraud, we should continue the current paradigm of training for skills to advocate for stronger internal controls. However, we should not approach our auditees with the assumption (or desire) that we will find fraud. Through professional introspection we can make the changes we need to help our organizations identify fraud and reduce its occurrence.