With so many office workers still toiling from the confines of their home offices and kitchen tables, and some unhappy with their current circumstances, many organizations are concerned about the potential rise in fraud. Global economic volatility in 2020 and 2021 have impacted employee morale and productivity, and the crisis has likely increased the opportunity for employees to commit wrongdoing. Internal auditors have a critical role to play in preventing fraud, and three red flags exist that can aid in its detection.
What is the role of internal audit in fraud prevention and detection? According to the Institute of Internal Auditors’ performance standards: “Internal audit activity must evaluate the potential for the occurrence of fraud.” Although internal auditors are not required to find fraud, they are required to consider the possibility that it is occurring.
Some organizations have mature processes to find fraud during internal audit projects, such as brainstorming ideas and incorporating specific audit steps in their workpapers, while others may only consider the possibility if a red flag is identified. Some internal audit departments may even miss or not follow up on red flags due to factors including inexperienced staff members, lack of focus or expertise on the area being audited, or lack of resources available.
What are some of the markers of fraud that internal auditors should be on the lookout for? The following are three red flags I have personally encountered during my work as an internal auditor. Bear in mind that they are only indicators that fraud could be lurking under the surface, and not surefire signs of criminal activity.
1) Employees who try to restrict or question access to vendors Vendors are one of the best sources of information for internal auditors because conversations with them may not be as “filtered” as interactions with employees and can provide valuable tips. Employees who attempt to restrict access to vendors may be trying to cover up improper activity or conflicts of interest.
During a procurement audit, for example, I had questions on invoices from one of our construction vendors. The property manager from my company was not able to assist with those questions so I sought his approval to contact an employee from the vendor. I requested to meet the vendor employee in person to go over the documentation, as I thought it would be the most efficient way to clarify the issue at hand. Upon learning this, the Property Manager from my company told us to not bother the vendor because he might bill us for his time in answering our questions. Needless to say, I did not stop contacting the vendor. Indeed, I contacted them more. It was within the company’s contractual rights. We had a very clear right-to-audit clause.
Although nothing fraudulent emerged from the scenario described above, it did in another instance. During a security audit in South America, a manager employee told me and a coworker to wait outside the room while he and a vendor (whom we were planning to talk to during the audit) had to address a “last minute emergency.” Several years later during a follow up audit, the same employee was terminated due to fraud. We had our eyes on him from the first audit, but didn’t have enough evidence at that time to pursue a full investigation. During a follow up audit, our investigation team identified that that employee had ties with a vendor and had coerced another vendor into making improper payments.
2) Employees who have “perfect” answers and are a little too cordial An attempt to make a good impression on internal auditors by itself is not a red flag of fraud. However, if an employee does a little too much or always has the perfect answer, it may signal that the employee is experienced enough and knows what auditors want to hear. He may be trying to cover up fraudulent activity.
In a risk management audit in South America, my team and I met a manager who had all the right answers. But they seemed almost rehearsed. I remember him being adamant on showing us a spreadsheet that explained how the area he was responsible for was a revenue center and not a cost center. He was so confident on how well he was doing that he suggested that we visit one of the major vendors for our review. We met the vendor for half a day and built good rapport. A few days later, that vendor shared information with us detrimental to the manager and indicating wrongdoing. Thinking back, it was almost as if the manager was trying to test us. Wrong move.
3) Employees who are overly confrontational or try to belittle the internal auditors It is not unusual for employees who are being audited to be somewhat confrontational. To some extent, the tension provides a healthy balance and reminds us to bring our professional skepticism. If an employee is too confrontational to the point of attempting to belittle an internal auditor, he might be trying to cover up his own shortcomings or misdeeds. When auditees just want to argue about everything, it may be an indication that that they are not doing what they are supposed to be doing.
By far the very worst thing that an auditee ever told me came during an internal audit in Canada. Our team was there for approximately two weeks, looking at an area of our business with approximately $150 million in expenses. The audit had started off very well. During the planning phase, we had executed a lot of data analytics and testing, including Benford, Z-Score, horizontal and vertical analysis, online presence tests, and more. Toward the end of the audit, I contacted more than 20 managers and identified expense recovery opportunities in excess of $100,000.
I had a sense of accomplishment and it felt good. However, there was one person who had not been responding to any of my emails. It was one of the last items to be tested from my file. I was already back in the United States and needed to wrap up the audit, so I decided to give her a call.
To my surprise, she was extremely confrontational with me. She belittled me for being with the company “for only three years” (she had been there for 19 years) and questioned my knowledge and experience. She was very assertive in claiming that I didn’t know what I was doing or talking about.
The conversation could’ve gone even worse, but I kept my cool. While I was trying to defuse the tension and focus on the issue at hand, she said some unforgettable words: “All I want is for you to go away.” I had never experienced that in my entire career as an auditor. I had not even been that pushy with her!
After the phone call, my heart was pounding and I tried to make sense of what I had just been told. As my emotions were settling down, I became more and more suspicious. Why was she being so confrontational? Was she hiding something? I spent the next few hours scouring through the records of the vendor that she was responsible for. I did not find anything fraudulent, but I did find $4,000 in over-payments.
Instead of getting back to her right away, I slept on it and made sure my numbers were right. The next day I sent her and her boss a message asking if they knew about the over-payments. She instantly became my best friend.
Red flags do not come in the same size, shape, or form. They may be an employee trying to restrict access to vendors, an employee who has all the right answers and is too eager to please, or an employee who is confrontational to the point of being unprofessional. Regardless of how those interactions take place, as internal auditors we have a duty to evaluate them, turn any rocks we believe need to be turned and trust our instincts. Even if our instincts may sometimes be wrong, we will never know until we ask.
Jon Taber, CPA, CIA, CFE, CFF, is a Senior Internal Auditor at Casey’s General Store, based in Ankeny, Iowa.