Sunday, May 31, 2009

Understand the role of the external auditor

The role of the external auditor has often been misunderstood. This “expectation gap” has long been described as the gap between the requirements and standards actually imposed on the auditor and the audit process, and what the public expects an auditor to do in the course of an audit.

It has often been thought that the audit provides certainty as to the accuracy of the financial statements because the auditor undertakes a 100% check of the organisation’s accounts. It has also been thought that auditors should be able to provide early warning if the organisation has solvency problems and, lastly, that a primary role of the auditor is to detect fraud.

An example of this can be seen in the BDO Not-for-Profit Fraud Survey 2008. 61% of respondents to the survey gave, as a reason they did not perceive fraud to be a problem for their organisation, that fraud had not been discovered by the external audit process.

It is important that not-for-profit organisations understand the role of the audit and do not rely solely on the external audit process as a way of detecting fraud. It is also important to consider that auditors, while conducting an audit as per the auditing standards, are conducting the audit on a fee-paying basis. To undertake an appropriate audit, an appropriate fee is required to be paid.

Auditing standards provide us with guidance as to the auditors’ responsibilities regarding fraud. For example:
  • “The primary responsibility for the prevention and detection of fraud rests with both those charged with governance of the entity and management. It is important that management, with the oversight of those charged with governance, place a strong emphasis on fraud prevention, which may reduce opportunities for fraud to take place, and fraud deterrence, which could persuade individuals not to commit fraud because of the likelihood of detection and punishment. This involves a commitment to creating a culture of honesty and ethical behaviour which can be reinforced by an active oversight by those charged with governance.” Paragraph 4 of ASA240 (Australian Auditing Standard – The Auditor’s Responsibilities Relating to Fraud in an Audit of a Financial Report)
  • “The auditor has a responsibility to plan and perform the audit to obtain reasonable assurance about whether the financial statements are free of material misstatement, whether caused by error or fraud. Because of the nature of audit evidence and the characteristics of fraud, the auditor is able to obtain reasonable, but not absolute, assurance that material misstatements are detected. The auditor has no responsibility to plan and perform the audit to obtain reasonable assurance that misstatements, whether caused by errors or fraud, that are not material to the financial statements are detected.” – SAS99 (US Auditing Standard – Consideration of Fraud in a Financial Statement Audit).

Sunday, May 24, 2009

Understand what can and cannot be done to the audit trail of the accounting software

The audit trail of accounting software can be a very useful tool when conducting a fraud investigation, especially when combined with an appropriate and effective IT Policy. An audit trail provides a history of who has accessed the accounting software and what transactions those people have conducted in the accounting software.

An audit trail allows for the examination of access history by users of the software. It shows what users have accessed or attempted to access as well as what those users have changed. An audit trail can also show when someone attempts to bypass the security that has been put in place. It can act as a deterrent to fraud if people are aware it is reviewed regularly.

Audit trails can also be used as a method of detecting fraud. Reviewing the audit trail can reveal patterns in when a person conducts transactions, or even when someone turns the audit trail on and off. In fraud investigations that have been undertaken, it has been discovered that the audit trail was turned off and, within a short period of time, turned back on. During that window the fraudulent transactions were processed.

An organisation needs to understand the security measures attached to the audit trail, whether the audit trail can easily be turned on and off, and how to protect the data collected by the audit trail.

If the accounting package being used allows, the organisation should have the IT administrator turn the audit trail on and password protect it so that no user of the software can turn the audit trail off or delete transactions within the audit trail.
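As an added illustration (not part of the original post), the following Python matches a general-ledger extract against a constructed audit-trail export to flag journals posted while the trail was switched off, and to pick out the short off/on windows described above. Both log formats and all names and values are assumptions made for this example.

```python
from datetime import datetime

# Constructed audit-trail export; the line format (timestamp user action [ref]) is assumed.
AUDIT_TRAIL = """\
2009-05-04T09:02:11 admin AUDIT_TRAIL_ON
2009-05-04T09:15:30 jsmith POST_JOURNAL J1001
2009-05-06T17:41:02 jsmith AUDIT_TRAIL_OFF
2009-05-06T17:58:45 jsmith AUDIT_TRAIL_ON
2009-05-07T10:03:00 jsmith POST_JOURNAL J1004
"""
# Constructed general-ledger extract: journal id, posting time, user, amount.
LEDGER = """\
J1001,2009-05-04T09:15:30,jsmith,250.00
J1002,2009-05-06T17:44:10,jsmith,4800.00
J1003,2009-05-06T17:51:22,jsmith,1200.00
J1004,2009-05-07T10:03:00,jsmith,310.00
"""

def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%S")

def audit_off_windows(audit_text):
    """(off_at, on_at, user) per period the trail was off; on_at is None if never re-enabled."""
    windows, off = [], None
    for line in audit_text.splitlines():
        ts, user, action, *_ = line.split()
        if action == "AUDIT_TRAIL_OFF":
            off = (parse_ts(ts), user)
        elif action == "AUDIT_TRAIL_ON" and off is not None:
            windows.append((off[0], parse_ts(ts), off[1]))
            off = None
    if off is not None:  # export ends with the trail still disabled
        windows.append((off[0], None, off[1]))
    return windows

def short_off_windows(audit_text, max_minutes=60):
    """Off/on pairs closed within max_minutes: the 'off, post, back on' pattern."""
    return [w for w in audit_off_windows(audit_text)
            if w[1] is not None and (w[1] - w[0]).total_seconds() <= max_minutes * 60]

def unaudited_journals(audit_text, ledger_text):
    """Ledger journals posted while the trail was off: no audit entry can exist for them."""
    windows = audit_off_windows(audit_text)
    flagged = []
    for line in ledger_text.splitlines():
        journal_id, ts, user, amount = line.split(",")
        posted = parse_ts(ts)
        if any(start <= posted and (end is None or posted <= end)
               for start, end, _ in windows):
            flagged.append((journal_id, user, float(amount)))
    return flagged
```

On the constructed data, J1002 and J1003 fall inside the seventeen-minute window in which jsmith disabled and re-enabled the trail, so they are the journals to review first.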

Sunday, May 17, 2009

Develop appropriate controls over events

Funds are lost due to theft during the hectic operations of a special event.

Methods to Mitigate the Risk

Many not-for-profit organisations run large fund raising events which can involve the receipt of large quantities of cash.
Such an event can provide a hectic time with potential for large quantities of cash to be stolen. To ensure all cash received is properly accounted for during such an event, the following safeguards may be of assistance:
  • Encourage all donations and purchases to be made by credit card.
  • If donations and purchases are made by cash, ensure controls are in place over the money that is received (eg. having two people receipting the cash).
  • Have a person separate from the one receiving the funds record the donations and purchases, so that the two records can be reconciled at a later time.

Saturday, May 9, 2009

Determine if the organisation wants insurance for fraud

Fraud can cause significant financial stress to an organisation, including significant cash flow problems. Obtaining fidelity insurance may help with that problem. Fidelity insurance covers an organisation for losses caused as a result of fraud.

An organisation needs to make an informed decision as to whether it wants to maintain fidelity insurance or not. When considering this issue, questions to consider include:
  • What will the insurer require to enable a payment to be made (i.e. will it require a full investigation to be completed, or will the insurer require a conviction?)
  • How long will it take for the insurer to make a payment? The longer the time it would take, the longer the organisation could suffer financial stress as a result of the fraud.
  • What is the excess of the claim and what is the maximum payout?
  • What is excluded from the policy? For example, one policy I saw excluded forgery – this could potentially exclude fraud where an employee forges a signature on an organisation’s cheque.

Again, an organisation needs to make an informed decision considering the cost of the policy and the benefits that may flow from the policy if a claim is needed to be made.

Sunday, May 3, 2009

Develop and maintain a fraud risk register

Many organisations maintain a Risk Register, but few incorporate specific fraud risks or the associated review that is undertaken before a risk is placed on the register.

A Fraud Risk Register can usually be developed from the completion of a Fraud Risk Assessment and should incorporate the following:
  • A description of the risk;
  • The impact of the risk on the organisation if the risk is not mitigated;
  • An assessment of the likelihood of the fraud occurring;
  • An assessment of the seriousness / consequence of the fraud;
  • The actions that need to be taken to mitigate the loss;
  • Who will be responsible for implementing the actions to mitigate the loss;
  • The timeline to implement these actions; and
  • The checklist for implementing the actions.

A Fraud Risk Register should be updated on a regular basis (preferably on a yearly basis) or at such times as when there is a change in such things as technology (eg. a new computer system) or a change in services provided or grants received.