The Library: Detecting Fraud with Software
Is your firm doing enough to mitigate fraud malpractice claims?
Expectations are rising and professional standards are becoming more stringent as to the level of work effort. Ensure your firm is doing enough in their review, compilation, and audit engagements by following these guidelines.
1. Understand where fraud malpractice liability can occur.
The top malpractice concern cited today is failure to prevent fraud. This was the focus in the widely publicized WorldCom and Enron cases, and in 35 percent of all audit claims reported to the AICPA's Professional Liability Insurance program in 2004 (the most recent available year). Unfortunately, malpractice complaints involving fraud are not confined to audited financial statements, and the fraud need not be materially significant to wind up being damaging to the CPA. CPAs need to be vigilant regardless of the level of engagement, as fraud is at least equally an issue in review, compilation, and bookkeeping engagements. Governments and nonprofit organizations in particular tend to treat immaterial fraudulent embarrassments as seriously as they do material financial misstatements.
As the governments and nonprofits determined, material frauds in financial statements are only the tip of the iceberg. According to the Association of Certified Fraud Examiners' (“ACFE”) 2006 study, the median size of an asset misappropriation fraud is $150,000—small enough to be considered immaterial for financial statement audits and very hard to catch using manual methods, yet all the while presenting a potential public relations nightmare for your client. What is most alarming is that, per the study, asset misappropriation and corruption occur 92% of the time while financial statement fraud occurs only 8% of the time. Therefore, while nefarious journal entries to commit fraud can occur, they are not the biggest issue to a CPA looking to detect fraud. Rather, more focus should be placed on what occurs most: good ole' taking money from the till. This is easier said than done, as the smaller the fraud, the harder it is to detect using conventional methods. However, as explained later in this article, technology can be used to super-power a CPA to detect fraud.
The moral to take away is that, when in doubt, do not assume that the engagement is low risk, or the issues too minor, or your role in any potential controversy too distant for your firm to escape being implicated in a malpractice claim. The sooner the CPA detects and reports fraud, the more likely their liability will be reduced or eliminated. It is next to impossible to bring a fraud claim against the CPA who first found and reported it to management. This is clearly one of the best “get out of jail free” cards available to the CPA.
2. Understand how “reasonably competent” means adopting new standards that call for increased procedures and the use of technology.
For the past several decades, the case of Bancroft v Indemnity Insurance Co. (1962) has stood as the defining precedent in tax and accounting malpractice. The plaintiff in that case received bad advice, and the court ruled that “Accountants and auditors have the duty to exercise that degree of care, skill and competence that would be exercised by reasonably competent members of their profession under the circumstance.” There is a separate requirement under traditional contract law that amounts to the same thing. Anyone performing a contract is obliged to do so diligently and competently, by the standard of a reasonable person. The basic legal expectation has not changed. But what has changed is what a reasonable, competent professional would actually do. The state of the art in auditing has advanced since 1962. Both internal and external auditors need to take note.
Advancement first took place in the procedures performed in the engagements. After a study completed by COSO found that in fully 80 percent of financial statement frauds the auditor did not gather sufficient evidence to detect the fraud, professional standards needed to be updated. A good starting point was to allow the word “fraud” to be used in standards, replacing the word “irregularities”. Then, from a procedural perspective, the standard of expectation for what should be done in an engagement increased to help a CPA detect fraud.
Other advancements occurred in the use of technology, given that almost all organizations today use computer-based accounting systems. Gone are the days when auditors could examine manually prepared cash-receipt journals and check registers, trace monthly totals to handwritten entries in the general ledger (noting erasures or changes) and examine manually prepared worksheets combining general ledger accounts for the first pencil draft of the financial statements. All of these records are now computerized, so the auditors' procedures need to follow suit.
These two trends, increased procedures and the ubiquitous nature of computerized records, led to the following professional standards:
Compilation and Review Standards
The original Statement on Standards for Accounting and Review Services (SSARS No. 1) was issued by the Accounting and Review Services Committee of the AICPA in 1978. SSARS No. 10, which took effect December 15, 2004, clarified the CPA's requirement to report fraud in review or compilation engagements. It spells out specific analytical and inquiry techniques that are required in a financial statement review, as well as the requirement to obtain a written representation from management that includes their knowledge (or lack of knowledge) of fraud. Nor is SSARS 10 the end. Additional guidance has come in quick succession, in the form of SSARS 12, 13, and 14, all effective December 15, 2005. These extend SSARS requirements to compilation engagements and pro forma statement preparation. They also spell out when and how CPAs must inform management of evidence of fraud.
Audit Standards
SAS 99, issued in 2002, updated expectations for how an auditor deals with the possibility of fraud. Among other things, it required brainstorming sessions around fraud, improved risk assessment planning, increased management inquiries around fraud matters, unexpected audit procedures to mitigate identified risks, and improved documentation of the work performed. SAS 99 also specifically listed computer-aided audit techniques (CAATs) as a way to analyze electronic data in the detection process.
SAS 94, issued in 2000, clarified that the auditor needs to understand the manual and automated procedures an entity uses to prepare its financial statements and related disclosures. A key phrase from the standard reads: “However, when information technology is used to maintain the general ledger and prepare financial statements, such entries may exist only in electronic form and may be more difficult to identify through physical inspection of printed documents.” Auditors are expected to deal with electronic data as required.
The AICPA followed up SAS 94 and SAS 99 with a practice alert in 2003 (PITF 2003-02) that further clarified the data analysis question by specifically listing journal entry tests using CAATs. Chuck Landes of the AICPA explained why. “Data analysis tools are coming off the shelf and into the audit. This is most prevalent in auditing journal entries. . . . The need for the tools became apparent when CPAs determined it was difficult to audit the entries without an automated tool.” According to Chuck Landes, “Again, these systems are generally transaction-focused, so no one is analyzing them for trends and patterns that may highlight fraud. We need to remember that many of the recent headline frauds were journal entries posted multiple times to multiple ledgers. While a manual scanning of the register or a sample may find such an anomaly, the data analysis package has a much better chance.”
While the focus of the audit standards is mainly on financial statement fraud, we must not forget that the majority of frauds are misappropriations of assets that are smaller in value. Practically speaking, the only way to detect these “smaller” frauds cost-effectively is with computerized tools that can quickly pore through the details and hence detect the proverbial “needle in the haystack”.
As referenced in the Bancroft v Indemnity Insurance Co. case, in order for the CPA to be considered “reasonably competent” he or she needs to adopt the same procedures that are now practiced by the profession. For example, almost all auditors are now performing the additional procedures set forth in SAS 99. Any auditor not complying would be seen in a juror's eyes as one not keeping pace with the profession. The same is true for the use of CAATs, as all larger firms are using these tools on every audit, at least to comply with the standards of excellence set forth in 2003-02 around journal entry testing. Unfortunately, based on research by the author of small and mid-sized CPA firms, such procedures are not taking place in a computerized fashion, except for the occasional audit.
3. Introduce better practices to reduce your malpractice liability.
Improved engagement management – Be clear with clients
As the saying goes, the best defense is a good offense. The first step in protecting yourself is to talk over with the client the issue of fraud, their responsibilities in its detection, and your own responsibilities. With this new understanding, draft a more explicit engagement letter that makes the respective duties crystal clear.
Help your clients to improve their internal control
The first line of defense against fraud is an organization's own rules - the ACFE's survey found that a strong percentage of frauds (19.2%) are found by the rigorous application of internal control. Other detection methods that should be suggested to clients include whistle-blowing hotlines (34% detected through hotlines) and internal audits (20.2%). The management letter is a superb medium to define and communicate any weakness in clients' controls while also reducing the CPAs' risk in any later lawsuits.
Be more diligent in the engagement
Now is the time to rethink your audit process from top to bottom, incorporating the new auditing standards to your engagements. Here are some key requirements that should be considered, depending on the engagement:
- Maintain professional skepticism.
- Avoid undue reliance on management representations with little or no independent verification.
- Stay aware of suspicious information/transactions, and follow up to resolve concerns.
- Report suspicious transactions or activity to the business owner or board of directors.
- Consider all available information in determining the nature and timing of work to be done.
- Ensure adequate management supervision during audit field work.
Follow-through is critical, as insurance claims are made wherein the auditors addressed weaknesses in internal control in management letters to the client, but then didn't change their audit plans in subsequent years to address those risks. One source for learning about what frauds can occur at your clients is the ACFE's Report to the Nation study ( http://www.acfe.com/fraud/pub.asp ), referenced various times in this article. It lists a plethora of statistics, with one of the most useful cuts of the data being a list of the most frequently occurring frauds by industry. The use of such external information presents to any jury a professional who is willing to keep pace with what is happening in the industry in order to be best positioned to detect fraud.
Remember to test for circumvention of controls using manual and automated procedures
When controls are strong, companies unfortunately become too comfortable with them and rarely think further about “what can go wrong” in an effort to break the control. As noted above, only 19.2% of fraud was detected by internal control, and no one wants to be right only one time in five.
Therefore, control tests should focus not only on whether the control exists and is operational but also for circumvention. For example, journal entry controls could be tested by selecting a sample and ensuring that approval signatures existed on any material entries (as defined by the organization). To test then for circumvention, multiple entries posted to the same account directly under the material threshold could be reviewed in order to determine whether such entries were posted in unison to have a material effect on the account yet not require associated approvals. A comprehensive list of journal entry tests can be seen at http://www.auditsoftware.net/rap-reports.html .
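The circumvention test described above can be run over an exported journal file. The following is an added example, not code from the article or from any audit product; the column names, the 10,000 approval threshold, the 10% "just under" band and the 7-day window are assumptions chosen for illustration.

```python
import csv
import io
from collections import defaultdict
from datetime import date, timedelta
from decimal import Decimal

# Constructed sample journal entries (not real client data).
SAMPLE_JOURNAL = """entry_id,post_date,account,amount,preparer
JE-101,2006-03-01,6400,9800.00,asmith
JE-102,2006-03-02,6400,9750.00,asmith
JE-103,2006-03-03,6400,9900.00,asmith
JE-104,2006-03-02,5100,1200.00,bjones
JE-105,2006-03-15,5100,9600.00,bjones
JE-106,2006-03-04,7200,25000.00,cdoe
JE-107,2006-06-20,5100,9700.00,bjones
"""

def load_entries(text):
    """Parse exported journal entries into typed dicts."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        r["post_date"] = date.fromisoformat(r["post_date"])
        r["amount"] = Decimal(r["amount"])
        rows.append(r)
    return rows

def split_entry_candidates(entries, threshold, band=0.10, window_days=7):
    """Flag accounts where two or more entries sit just under the approval
    threshold and together reach it within a short posting window."""
    threshold = Decimal(str(threshold))
    floor = threshold * (1 - Decimal(str(band)))
    near = defaultdict(list)
    for e in entries:
        if floor <= e["amount"] < threshold:  # "directly under" the limit
            near[e["account"]].append(e)
    findings = []
    for account, rows in sorted(near.items()):
        rows.sort(key=lambda e: e["post_date"])
        for i, first in enumerate(rows):
            end = first["post_date"] + timedelta(days=window_days)
            cluster = [e for e in rows[i:] if e["post_date"] <= end]
            total = sum(e["amount"] for e in cluster)
            if len(cluster) >= 2 and total >= threshold:
                findings.append({"account": account, "total": total,
                                 "ids": [e["entry_id"] for e in cluster]})
                break  # one finding per account is enough to start follow-up
    return findings

if __name__ == "__main__":
    for f in split_entry_candidates(load_entries(SAMPLE_JOURNAL), 10000):
        print(f)
```

A flagged account is a lead for follow-up with the approval records, not a conclusion; account 5100 in the sample has two near-threshold entries but they are months apart and are not grouped.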
From an asset misappropriation perspective, it is common at clients for one person to have a non-segregation of duties around accounts payable. Non-segregation of duties could be the employee having access to write checks, maintain accounting records, and complete the monthly bank reconciliation. This weakness is normally coupled with management's misguided perception that this trusted employee would never steal from the organization. Unfortunately, these small businesses continue to suffer disproportionate fraud losses (The median loss suffered by organizations with fewer than 100 employees was $190,000 per the ACFE study which was higher than the median loss in even the largest organizations).
While you may include this as a management letter comment, the client may never change given their lack of employees. As an extra step to show enhanced due diligence, the CPA could execute a data analysis test exporting the vendor payment information and creating a simple Pivot Table in Excel with the rows being each vendor, the columns being the month/year of payments, and the cells in between the total payments made to the vendors in the associated timeframes. Such a trend report has an excellent chance of catching the fraud as it looks at vendor payment data in unexpected ways. Any disproportionate increasing vendor trends could be investigated or at least reported to management for their review.
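The vendor-by-month trend report described above can also be scripted so it is repeatable each period. This is an added example, not code from the article; the column names, the sample payments and the rule used to call a trend "disproportionate" (totals rising every month and ending at least double the first month) are assumptions.

```python
import csv
import io
from collections import defaultdict
from decimal import Decimal

# Constructed sample of exported vendor payments (not real client data).
SAMPLE_PAYMENTS = """check_no,pay_date,vendor,amount
1001,2006-01-10,Acme Supply,4000.00
1002,2006-01-22,Delta Services,500.00
1003,2006-02-09,Acme Supply,4100.00
1004,2006-02-18,Delta Services,900.00
1005,2006-03-07,Acme Supply,3950.00
1006,2006-03-12,Delta Services,1200.00
1007,2006-03-28,Delta Services,700.00
1008,2006-04-11,Acme Supply,4050.00
1009,2006-04-15,Delta Services,3600.00
"""

def vendor_month_pivot(text):
    """Build the pivot: rows = vendor, columns = YYYY-MM, cells = total paid."""
    pivot = defaultdict(lambda: defaultdict(Decimal))
    months = set()
    for r in csv.DictReader(io.StringIO(text)):
        month = r["pay_date"][:7]
        pivot[r["vendor"]][month] += Decimal(r["amount"])
        months.add(month)
    return pivot, sorted(months)

def rising_vendors(pivot, months, growth=Decimal("2")):
    """Return vendors whose monthly total rises in every consecutive month
    and whose last month is at least `growth` times the first month."""
    flagged = []
    for vendor, cells in sorted(pivot.items()):
        # Months with no payment count as zero so gaps break the trend.
        series = [cells.get(m, Decimal(0)) for m in months]
        rising = all(b > a for a, b in zip(series, series[1:]))
        if rising and series[-1] >= growth * series[0]:
            flagged.append((vendor, series))
    return flagged

if __name__ == "__main__":
    pivot, months = vendor_month_pivot(SAMPLE_PAYMENTS)
    print("months:", months)
    for vendor, series in rising_vendors(pivot, months):
        print(vendor, [str(x) for x in series])
```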
Utilize technology to improve audit tests and comply with standards
As seen in the above journal entry and vendor payment trend tests, it would be difficult or impossible to complete them without the use of a data analysis program. The issues lie in the 1% of the transaction activity which begs for the use of digital tools for detection. If your firm is not skilled in these tools, consult with an expert to assist on engagements until you feel comfortable. Another approach is to simply start small and work upward with the tools. Today, your options range from high-end enterprise data mining software costing $250,000 to implement, down to easy-to-learn individual laptop tools for $200 or less. There is something out there for everyone (see www.auditsoftware.net for a comprehensive list of audit software options). This fact further heightens malpractice risk if the tools are not employed. It is too easy for a juror to see that tools as simple as Microsoft Excel could have been used to detect the fraud, especially when the tools' use is specifically identified in numerous audit standards discussed above.
The most common data analysis tools in audits today are IDEA and ACL. These cost a few thousand dollars to purchase and implement, but they can quickly pay off in terms of data errors corrected, duplicate payments found, and embarrassing client complaints averted. They are especially powerful for accessing strange client data formats and building scripts to repeat the same analysis every month or every quarter. “During the past few years we have seen rapidly increasing use of ACL for fraud detection by external audit. Much of this has been driven by SAS 99 – we have seen several of the large firms develop comprehensive suites of ACL tests that analyze vast volumes of journal entries to detect indicators of financial statement fraud.”, notes John Verver, Vice President Professional Services for ACL Services, Ltd.
If a few thousand dollars is too expensive for your taste, spreadsheet software remains the most commonly used tool and it is possible to do a lot of analysis just with Microsoft Excel. Please see http://www.auditsoftware.net/excel-use.html for a free whitepaper on how Excel can complete almost any audit test capable of being performed in high-end audit software tools. To automate these procedures in Excel (saving CPAs time in the field), an excellent add-on tool is ActiveData for Excel, which builds specific auditing test functions directly into the familiar Excel menu. The cost is $199 and while there is CPE-worthy training you can purchase through their website, they also have a host of free videos that explain how to use practically all of the software's functions.
Using software for data analysis has many advantages apart from being the new standard to avoid malpractice. Among these advantages are the following:
- Large quantities of data can be accessed and tested in a fraction of the time otherwise necessary.
- Data can now be imported and combined from almost any computer system easily.
- Accuracy testing covers complete data files, rather than just a few selected transactions.
- Data analysis is not only good for detecting fraud, but errors as well.
- When employees and management both know that data analysis is being performed, it deters fraud on every level.
- Advanced methods help support any increase in audit fees.
Rightly or wrongly, the CPA is still perceived as a valid line of defense against fraud, material and immaterial, and therefore needs to detect as much fraud as possible. Ultimately, the only way to avoid being accused of malpractice is not to engage in malpractice. Be aware, be proactive, utilize technology and you will be more ready than ever to face this kind of claim.
Richard B. Lanza, CPA-CITP, CFE, PMP, President of Audit Software Professionals in Lake Hopatcong, N.J., provides audit technology assistance to companies. He focuses much of his time on developing computerized audit and fraud tests. Lanza is the founder of the free Web site www.auditsoftware.net. His e-mail address is rich@auditsoftware.net.