Digitisation, audit reforms, innovation and intelligent data use are all radically transforming the audit process, including in relation to fraud. Currently, auditors are required to report fraud to the relevant authorities if they come across it in the process of auditing.
The prevention of further corporate scandals linked to audit is essential to ensuring the reputation of the sector and the stability of, and trust in, capital markets. In recent years, firms have been prioritising fraud-related training, driven by heightened expectations among stakeholders, revisions to auditing standards and the planned audit reforms.
John Toon, Technology Strategy Lead, Beever and Struthers, says: “Fraud inevitably is driven by people or a person not acting in the best interest of the company and deliberately covering their tracks. It’s really important to say that, irrespective of the technology, auditors need to be fully aware of how fraud could potentially be perpetrated and to really understand the systems and processes that are in use.”
Many firms are mandating firm-wide fraud prevention training to highlight and hopefully remove false perceptions of fraudsters. In 2020, EY developed a 14-stage scepticism model that considers a range of fraud risk factors, including the conscious and unconscious biases of audit team members.
Firms have also been investing billions in the UK and globally to strengthen audit quality, including the detection of fraud, with a strong focus on AI. Data analytics, such as enhanced journal entry testing and grading journal entries by potential fraud risk, are also allowing audit teams to better focus audit testing.
The ICAEW paper Sharpening the focus on fraud, says: “As well as looking for anomalies in data, analytics are being used in conjunction with more sophisticated AI tools and techniques to assist with the identification of fraud patterns. Comparative analytics are also enabling the recognition of patterns of transactions, for example pre- and post-pandemic, to assess how risk profiles have changed.”
Toon says that data analytics offer a huge opportunity and are in use by his firm and by others to aid in fraud detection. “One of the things that data analytic products do is to turn data into visualisations, so you can spot trends, you can analyse 100% of the ledger, rather than just doing a sample.”
Again, Toon states the importance of people and technology. “Data analytics require individuals using those tools to be appropriately trained and to be able to interpret the data.”
The upside for companies using data analytics tools, says Craig Wright, Partner, Enterprise Risk Services, KPMG, is that, “even if a fraud isn’t detected through data and analytics, if nothing else you get to cleanse your data. When cleansingyour data,you’re able tocreateanenvironment that’s more efficient as a result. Not all internal audit functions adopt data and analytics as a matter of course, but we see the benefits when they do.”
Many frauds are carried out with falsified documents, both electronic and hard copy, so document authenticity tools such as bank confirmations are not only tightening processes but also speeding them up, leaving auditors with more time to apply their professional scepticism and judgement to the audit process.
Document authenticity tools together with data analytics can offer even greater clarity to auditors. Toon says: “You can run your own analytics tools over those open banking tools, and then compare them to the general ledger information that you may have in other products to see if those correlate, and see if you can match all of those transactions together.”
Toon, who also sits on ICAEW’s Data Analytics Community Advisory Group, adds that through open banking, auditors are increasingly able to see not just the payee but also bank account information such as sort code and account number or IBAN. “You can start to analyse that, but that’s very much on the cutting edge of what you could possibly do. The product is still fairly new in the market and not many auditors are using this kind of technology yet.”
Process mining is another increasingly useful tool for internal auditors in the prevention and detection of fraud. Wright says: “Process mining is a great tool that, in the first instance, can identify inefficiencies in a process. For example, take procure to pay. With this, you can input 12 months of transaction data into a tool and very quickly and pictorially, it will show you where the common pathways are, and highlight transactions that stray from the expected path. This also allows internal audit teams to drill into the data in these areas of particular interest to investigate further.”
He adds that businesses should be using these kinds of tools daily. “It will bring about efficiencies as well as comply with the BEIS requirements coming down the line.”
Workflow and practice management tools are not to be underestimated in managing audit timetables, in particular the flow of information between auditors and audited entities during an audit, especially during the closedown period.
Digital invoicing products are also beginning to enter the market, especially in territories such as Australia and New Zealand, but haven’t yet taken hold in the UK. Digital invoicing either can’t be interfered with or, if it is tampered with, there’s an audit trail. The EU has recently announced regulation that will mandate digital invoicing from as early as 2024 for cross-border transactions.
As more companies use open banking payments, this will also minimise the risk of fraud. Payment information and payment details are already pre-built into a request, removing the risk of fraud and error.
Innovative technology aside, firms are also tightening their risk assessments and processes and, increasingly, enhancing fraud detection through audit firm culture and governance, professional education and audit methodologies.
Technology is not a panacea for fraud prevention. As ICAEW finds in its paper: “Audit firms are also aware of the limitations of these tools, and the importance of not underestimating the art of conversation when it comes to detecting fraud.”
Professional scepticism is critical in the fight to detect and prevent fraud, but ultimately it is the responsibility of an organisation’s senior management to ensure the right culture, checks and balances are in place. In the meantime, auditors will continue to apply their expert judgement.