DETECTING FRAUD During a Financial Audit

By Bill Thomas and Juan Alejandro, Jr.

By using the flexibility provided in professional standards, independent and internal auditors can work cooperatively in the search for fraud during a university financial audit. This approach can reduce audit costs—both in terms of fees paid to outside auditors and amounts invested in the internal audit. Here’s how to implement a cooperative approach.

Detecting fraud can be a troubling problem during a university’s financial audit. A cooperative strategy between internal and independent auditors will add to the effectiveness and efficiency of fraud detection activities. In planning an effective strategy to detect fraud, the internal auditor of a university must be knowledgeable of external audit standards. These standards include many opportunities for an internal auditor to be involved in the external audit.

30 • OCTOBER 2001

Framework for Cooperation

The U.S. General Accounting Office (GAO) issues generally accepted governmental auditing standards of field work and reporting (GAGAS), which explicitly include all of the generally accepted auditing standards (GAAS) of the American Institute of Certified Public Accountants (AICPA). This includes incorporation of all of the statements on auditing standards (SASs) issued by AICPA. SAS No. 65 pertains to the internal audit function. SASs that specifically relate to fraud and compliance auditing are: SAS No. 82, “Fraud in a Financial Statement Audit”; SAS No. 54, “Illegal Acts by Clients”; and SAS No.
74, “Compliance Auditing Considerations in Audits of Governmental Entities and Recipients of Governmental Financial Assistance.”

GAGAS contain additional field work standards on communication, internal control evaluation and testing, audit follow-up, investigating noncompliance other than illegal acts, documentation of the assessment of control risk for assertions significantly dependent upon computerized information systems, and working papers. In addition, GAGAS contain unique requirements related to materiality, fraud and illegal acts, and internal control. Figure 1, which depicts the relationship between GAAS and GAGAS, lists procedures that might be performed either partly or entirely by the internal auditor.

NACUBO BUSINESS OFFICER • 31

Figure 1: COORDINATION OF INDEPENDENT AND INTERNAL AUDITORS FOR FRAUD DETECTION IN THE COMPLIANCE AUDIT

Audit Stage 1. Planning: Inherent risk assessment
GAAS: SAS No. 82, para. .11-.22; SAS No. 65, para. .05, .23; SAS No. 74, para. .03-.07
GAGAS: 4.6.3 Pre-engagement communication; 4.7–4.10 Audit followup; 4.14–4.15 Auditors’ understanding of possible fraud and of laws and regulations
Procedure: Communication between independent and internal auditors regarding preliminary fraud risk assessments. Internal auditors follow up on material findings or recommendations from previous audits. Internal auditors provide insight into laws and regulations to which entity is subject.

Audit Stage 2. Planning: Evaluation of fraud prevention and detection programs
GAAS: SAS No. 82, para. .24
Procedure: Collaborate on establishment of fraud prevention system that can be monitored by internal audit, with periodic evaluation by independent auditor.

Audit Stage 3. Planning: Materiality assessments
GAAS: SAS No. 47, para. .03-.07; SAS No. 65, para. .20; SAS No. 74, para. .17
GAGAS: 4.6.2 Materiality assessments
Procedure: Internal auditors set lower materiality thresholds than those of independent auditors, potentially adding efficiency as well as effectiveness to total audit effort.

Audit Stage 4. Planning: Understanding internal control, assessing control risk, and documenting assessment
GAAS: SAS No. 82, para. .06, .08, .16-.27, .31-.32, .39; SAS No. 65, para. .12-.16, .24-.27; SAS No. 74, para. .10, .11, .17
GAGAS: 4.21–4.30 Internal control; 4.35–4.38 Working papers
Procedure: Internal auditors monitor compliance with laws and regulations of the entity and sub-recipients of federal financial support. Internal auditors prepare working papers that can be reviewed and used by independent auditors.

Audit Stage 5. Substantive testing: Response to risk assessment
GAAS: SAS No. 82, para. .26-.32; SAS No. 65, para. .14-.15; SAS No. 54, para. .07-.15; SAS No. 74, para. .17
GAGAS: 4.12–4.20 Fraud, illegal acts and other noncompliance
Procedure: Internal auditors follow up or assist CPA with investigating fraud indicators (including possible illegal acts) or instances of noncompliance, and performing additional tests, if necessary.

Audit Stage 6. Substantive testing: Conducting and documenting substantive tests
GAAS: SAS No. 82, para. .29-.37; SAS No. 65, para. .15, .17, .23-.27; SAS No. 74, para. .12-.20
GAGAS: 4.7, 4.10-4.11 Audit followup; 4.35–4.38 Working papers
Procedure: Internal auditors perform substantive tests related to fraud in appropriate risk and materiality settings. Internal auditors perform tests of compliance with federal grant programs. Internal auditors prepare working papers that can be reviewed and used by independent auditors.

Assessing Risk

SAS No. 82 requires that, as a part of engagement planning, the auditor communicate with university executives about both their understanding of the risk of fraud as well as whether they have any knowledge of fraud that might have occurred. SAS No. 74 requires that the auditor obtain an understanding of the possible effects on financial statements of laws and regulations that could have a direct and material impact on the amounts in a university’s financial statements. GAGAS further specify that independent auditors may find it necessary to obtain information on compliance matters from others, such as investigative staff or audit officials.

Within this context, SAS No. 65 suggests that, as a part of engagement planning, the independent auditor obtain an understanding of the internal audit function, asking internal audit employees about their audit plans. This provides an excellent opportunity for communication between independent and internal auditors. Internal auditors routinely assess areas of high risk of misstatement, including those resulting from noncompliance with laws and regulations. For purposes of both the financial statement and compliance, independent auditors might compare their own risk assessments with those of internal auditors in making the final decision about the present level of fraud risk.

One of the risk factors for fraudulent financial reporting identified by SAS No. 82 is failure of management to display and communicate an appropriate attitude regarding internal control and the financial reporting process. A specific indicator of such a management attitude is failure to correct past reportable conditions on a timely basis. GAGAS require that auditors of recipients of governmental financial assistance follow up on material findings and recommendations from previous audits that could influence the current audit. Management, ultimately responsible for tracking these findings and recommendations over time, may delegate the task to the internal audit team. If internal auditors can demonstrate that they follow up on their own recommendations, as well as those of the independent auditor, they will help ensure a more effective financial reporting process and a more efficient independent audit process.

Evaluating Programs, Assessing Materiality

During the planning stages of the audit, the independent auditor should ask about any fraud prevention and detection programs that might be in place. SAS No. 82 requires the independent auditor to ask the people overseeing such programs if they have identified any fraud risk factors. Internal auditors, under the direction of the audit committee, are logical candidates for establishing and maintaining fraud prevention and detection programs. If no such program exists, the independent auditor should work in cooperation with the internal audit team to establish one.

Both GAAS and GAGAS require auditors to assess both aggregate and account-balance materiality thresholds as a part of engagement planning. In the financial audit of a university that receives grant assistance, auditors may set lower materiality levels than in audits in the private sector because of the public accountability, legal and regulatory requirements, and visibility and sensitivity of the program. For compliance audits under Office of Management and Budget Circular A-133 of the Single Audit Act of 1984, auditors are required to use a complex combination of materiality and risk-based approaches to determine which federal programs are major programs that require an audit.

If the independent auditor of a university has evaluated the objectivity and competence of internal auditors and found they meet or exceed the standards set forth in SAS No. 65, the two groups might agree to let the internal audit team, under the independent team’s supervision, set a low materiality threshold for their activities in the compliance audit.
This would allow the independent audit team to justify higher thresholds for their work, thus resulting in greater efficiency in the audit and, in all likelihood, lower overall fees.

For example: A private university receives both major and non-major federal grants and contracts. The independent auditor decides that the internal audit team will select random samples of both major and non-major grant programs at interim periods throughout the year to test for noncompliance with grant or contract stipulations, as well as fraud, using a relatively low materiality threshold. The internal audit work reveals no significant deviations from compliance with grant agreements. The independent auditor would be justified in setting a relatively high materiality threshold, performing less extensive tests only at year end and only on major programs.

Understanding Internal Controls

Weak controls and poor management attitude toward controls are listed as prominent risk factors for both fraudulent financial reporting and misappropriation of assets under SAS No. 82. For this reason, both GAAS and GAGAS require that, during the planning stage of the audit, independent auditors obtain a sufficient understanding of internal controls to be able to determine the nature, timing, and extent of audit tests to be performed. In this area, GAGAS also require that the auditor understand controls over compliance with applicable laws and regulations to which the entity might be subject.

As a part of the evaluation of compliance with laws and regulations, SAS No. 74 requires that the auditor consider the adequacy of a primary recipient’s system for monitoring sub-recipients. In addition, the auditor should consider the possible effect on the program of any noncompliance identified by the primary recipient or the auditors of sub-recipients.

Internal auditors can be an integral part of the control system of a university that receives government grant support.
Independent auditors can use internal audit tests of compliance in assessing control risk. Suppose, for example, that a university receives a major grant from the U.S. Department of Education. To assist in satisfying grant objectives, the university has established sub-recipient agreements with a local technical college, a community college, a local not-for-profit organization, and the local city government. The university, as the primary recipient, has responsibility for ensuring sub-recipient compliance with the grant agreement. The internal audit division monitors the process, including site visits to the administrative offices of each sub-recipient, testing expenditures for compliance with the agreement, ensuring that program objectives are being met, and reviewing the amounts and sources of matching funds.

As another example, internal auditors perform annual reviews of major systems of the university involving grant expenditures. The independent auditor relies on these reviews to reduce substantive testing of transactions in these major systems. Internal auditors who specialize in information technology design and execute computer programs to assess system security can monitor compliance with controls over both e-commerce and electronic funds transfer.

One of the most time-consuming jobs on any financial audit is documenting the work. SAS No. 82 requires that the auditor document the risk assessment for fraud in the working papers, identifying both risk factors and the response to those factors. GAGAS require that working papers contain sufficient information to enable an experienced auditor with no previous connection to the audit to ascertain that the evidence supports the auditors’ significant conclusions and judgments. One of the most obvious ways to cut costs on the independent audit engagement is to use internal auditors to prepare pro-forma working papers, as well as to conduct appropriate audit tests under the independent auditor’s supervision. SAS No.
65 stipulates that the independent auditor should perform procedures to evaluate the quality and effectiveness of the internal auditors’ work. In so doing, he or she should consider whether the working papers adequately document work performed, including evidence of supervision and review, and whether the conclusions drawn from the working papers are appropriate. The independent auditor should test the work performed by internal auditors, either by re-examining some of the same transactions or by examining similar transactions and comparing results for consistency.

Responding to Fraud Risk

SAS No. 82 permits a broad range of responses to fraud risk assessment. The independent auditor’s response should be conditioned on the type of fraud (e.g., fraudulent financial reporting or misappropriation of assets) as well as the particular financial statement account balances and assertions that may be involved. According to SAS No. 65, some procedures performed by internal auditors may provide direct evidence about material misstatements in assertions about specific account balances or transactions. The standard is clear, however, that the independent auditor should not relinquish his or her judgment to the internal auditor and that evidence personally obtained by the independent auditor is considered more competent than evidence obtained through the internal auditor. When making judgments about the effects of the internal auditor’s work on his or her procedures, the independent auditor should consider materiality, risk of misstatement, and degree of subjectivity involved in evaluating the evidence that supports the assertions.
If specific information comes to the auditors’ attention that provides evidence about possible noncompliance that could have a material indirect effect on the financial statements, GAGAS require auditors to apply audit procedures specifically directed to determining whether that noncompliance has occurred. Because of the operational nature of their work, internal auditors may become aware of noncompliance with laws such as the Environmental Protection Act or the Americans with Disabilities Act, the effects of which are indirectly related to the financial statements in the current period. Although noncompliance might not demand an immediate response from the independent auditor, the effects of these instances might eventually produce material contingent liabilities and thus have material impact on the financial statement. In such cases, internal auditors may follow up or assist the independent auditor in investigating instances of noncompliance, performing additional tests if necessary.

Two examples of internal audit substantive tests that independent auditors might rely on include:

• Internal auditors of the university ensure accountability of fixed assets purchased with federal funds by performing periodic fixed-asset inventories to verify existence. As a result, the independent auditor does not perform an inventory to verify existence of fixed assets.

• Internal auditors of the university, on an interim basis, search for unauthorized bank accounts by mailing confirmation letters to area banks requesting information on any account with the university’s account number, name, or other reference that indicates an institutional affiliation.
Developing a Cooperative Strategy

To develop a cooperative audit strategy, the university’s audit committee and internal audit director must have a proactive attitude and the university must be willing to take certain steps:

• The audit committee should be thoroughly informed about the necessity and benefits of a properly aligned and trained internal audit department and be willing to commit necessary resources to accomplish these objectives.

• The board should consult standards of appropriate authoritative bodies, such as AICPA, GAO, or Institute of Internal Auditors, to obtain needed information.

• The board should remove organizational barriers that inhibit autonomy and objectivity of the internal audit function and redraw organization charts, if necessary, to reflect these changes.

• To achieve competency, the board should examine staffing in the internal audit department. All persons hired to perform internal audit work should possess appropriate credentials, which might include certified internal auditor, certified fraud examiner, certified public accountant, or certified management accountant.

• The university should allocate to the department an adequate budget to maintain the competency of its internal audit staff members by providing resources for them to attend continuing professional education in topics such as governmental accounting and auditing and fraud prevention and detection techniques.

• During planning meetings with the independent auditor, the audit committee should present evidence about the organizational autonomy of the internal audit function. They should also present a roster of qualified internal audit staff, along with their professional resumes reflecting credentials, continuing professional education, and experience.

• The audit committee should stress maximum involvement of the internal audit function, while maintaining adherence to professional standards.
After taking these steps, the internal audit director and independent audit engagement partner should then work out the details of the engagement. Throughout the engagement, the internal audit director should stress professionalism and adherence to the highest standards on the part of internal audit staff. He or she should also elicit feedback from the independent auditor in charge of the engagement about the performance of internal audit staff and move quickly to correct any identified problems.

Author Bios

Bill Thomas is the J. E. Bush Professor of Accounting in the Hankamer School of Business at Baylor University, Waco, Texas. Juan Alejandro, Jr., is Baylor’s director of internal audit and management analysis. E-mail bill_thomas@baylor.edu, juan_alejandro@baylor.edu.