This fraud story is simple, but it’s an example of a good point that is often overlooked. For background, in this case someone wrote checks to themselves and recorded them in the accounting ledgers as being paid to other, legitimate vendors or recipients.
When it comes to controls over checks, a good control system will have independent authorization of checks before they are released and a downstream review of bank statement information that will catch anything that bypasses the upstream process. This employee either intentionally bypassed the standard review process for these checks, or the organization had some lapses in their check authorization and bank statement review process that allowed these to be cashed without notice. It goes without saying that the organization could stand to make improvements in these processes.
The point I would like to make about this article relates to how the fraud was ultimately discovered. The article notes that the fraud was discovered at the charity “after an accounting firm found irregularities in its books.” This doesn’t indicate if the accounting firm was performing outsourced accounting services or if they were performing an audit, but let’s assume they were the auditors. During my career I have often heard the refrain that since an organization has an audit, the auditors will catch any fraud that might be going on. I strongly disagree with this notion. Here’s why.
First, the Report to the Nations issued by the Association of Certified Fraud Examiners tells us that frauds were caught by external auditors in only 3% of the cases in their study (nearly 1,500 cases over a two- year period). This ranks among the least frequent and least effective fraud detection tools included in their study.
Financial statement auditors have a responsibility to consider fraud risks in an organization, so you might be wondering why their batting average is so low. The simple answer is that the detection techniques that rank among the most frequent factors leading to a fraud discovery (e.g., anonymous tips/hotlines, internal audit, internal controls, management review) are specifically designed to identify errors and, in the worst case, fraud. That is the lot in life for these controls and their primary purpose. In addition to the design piece, these controls are also functioning on a daily and sometimes 24×7 basis.
On the other hand, financial statement audits are designed to provide assurance that the financial statements and notes are presented in accordance with GAAP and are complete and accurate overall. Auditors are required to consider fraud risks and to keep their eyes peeled for it, but an audit is not designed with a primary purpose of finding fraud. In addition, auditors are usually on-site for one or two weeks out of the year, not nearly every day. The set of controls I mentioned above have more at-bats, so they are bound to have more hits.
Having said all that, I am a big believer that the “perception of detection” is a powerful concept. The fact that people in the organization know that an audit is performed can be a deterrent. The auditor’s sample might include the fraudulent transaction perpetrated by someone and that alone can stop some frauds. While this concept can be powerful, it shouldn’t be the only arrow in an organization’s fraud prevention quiver. This article mentions that this particular fraud was caught by the outside accounting firm, but an organization should implement additional tools in their fraud prevention program. A well-rounded and thoughtful program can be a very valuable process for any organization.