The International Standards of Auditing (ISA) 240 lays out the auditors’ responsibilities relating to fraud in an audit of financial statements. According to this standard, the primary responsibility for the prevention and detection of fraud rests with both those charged with governance of the entity and management. While it is a common misconception to assume it is the duty of the auditor to identify fraud, the auditor must comply with the relevant standards to perform the audit with the required level of competence and due care to ensure the highest possibility of detecting fraud.
The primary objective of an external audit is to ensure the financial statements are free of material misstatements. Such misstatements can arise from fraud or error. ISA 240 recognises the fact that audit procedures that are effective for detecting error may not necessarily be effective in detecting fraud. This is because fraud frequently entails complex mechanisms to conceal fraudulent activity and circumvent controls. An inherent risk of fraud being unnoticed exists, as the detection of fraud does not necessarily only depend on an auditor’s knowledge but on other factors, such as the expertise of the perpetrator, the control or authority they maintain, or the extent of collusion.
With the increased implementation of audit analytics (data analysis for audit), fraud analytics has also been introduced for both fraud prevention, as well as fraud detection. Owing to the sheer volume of data generated within a fiscal period, an auditor cannot be expected to manually scrutinise each line item processed and assess its impact. This is where the true benefit of data analysis can be realised. Data analytic tools allow the auditors to apply their knowledge and exercise professional scepticism to large datasets and assess its nature against a series of predetermined risk criteria. The use of data analytics on its own can in no means uncover fraud, however, it can assist the auditor in identifying potential indicators of fraud or highlight unusual patterns that may otherwise go unnoticed.
At RSM South Africa, a series of audit robots have been developed that assess each transaction and assign a risk rating based on the results of that test. Every record within a dataset is evaluated against each robot to determine the overall risk associated with each line. The total risk rating per record can then be used to identify higher risk transactions which could potentially result in a material misstatement due to fraud or error.
According to ISA 240, the auditor is responsible for maintaining professional scepticism throughout the audit, considering the potential for management override of controls. Using a typical general ledger as an example, these robotic procedures can be useful in identifying the capturer and approver of a transaction, the date and time and even the possible material impact in the financial statements. This can be particularly important in the case of manual journals processed which is the most common form of management override of controls. This approach does not only identify individual high-risk transactions but can also be summarised to determine high risk users, accounts, and even financial statement areas.
While the use of data analytics is best suited for big data, powerful analytics can also be performed on relatively small data tables such as master data. Potential duplicate suppliers, employees or bank accounts can be easily identified which could also be an indicator of fraud. Enhanced fuzzy duplicate (almost identical) testing can be used to discover minute discrepancies to determine even the slightest manipulation of data. Data analytics is not a substitute for an auditor’s professional judgment; however, it enables the auditor to discover those items that are disguised in large data sets or concealed through more advanced fraudulent acts.
Data analytics also introduces the possibility of applying advanced statistical models and analyses for fraud detection. One such example is Benford’s Law. Frank Benford’s law provides an expectancy of leading digits in any population. Using this model, potential fraudulent or fictitious entries may be identified due to its non-conformity with this law. For example, if a fraudster processes fictitious payments by generating random amounts, the leading digit in these amounts will unlikely fall within the expectancy probabilities according to Benford’s law and thus these amounts will be highlighted as anomalies.
The application of data analytics for ISA 240 has the potential for significant contribution, as it satisfies the standard’s objective of identifying and assessing the risks of material misstatement due to fraud. These analytics can be implemented for a reactive or proactive approach. At year end, analytics can be performed to identify any exceptions or unusual items that may have occurred during the year. Its use for continuous audit and monitoring allows for the opportunity to detect exceptions on a timely basis which can be used to highlight any unusual activity as soon as they occur and possibly terminate any ongoing fraud. Despite these capabilities, the human element remains a crucial factor. Ultimately, the responsibility of responding to these suspected instances of fraud rest with experience and professional scepticism of the auditor.
No data analysis discussion can be complete without the mention of false positives and false negatives. False positives are a positive result of an indicator/condition that exists when in fact no such condition exists and false negative being the opposite. If the analytic code or rule is very broad, false positives can exist which might end up resulting in a high number of exceptions. This will become overbearing and resource intensive to investigate and thus result in possible sinister activity going undetected. It is also important to note that due to the inherent sensitive nature and impact of fraud analytics, a false positive might result in more negative consequences than having not done anything at all, which might affect the reputation and relation with the auditee.
In conclusion, the implementation of fraud analytics is not without its obstacles, however, the potential benefits allow us to incorporate the core principles of ISA 240 in a functional and meaningful way to ensure the risk of fraud was considered appropriately for each audit. With the global increase in financial crimes perpetrated by internal and external parties, the benefits of the use and investment of such techniques will be enjoyed by both auditors, as well as those charged with governance in an entity.
Salim Mohamed
Data Analyst, Johannesburg