In recent years there have been several high profile cases of fraud perpetrated by employees. When internal fraud is detected it is not uncommon for management to look for a party to blame and, the most common question tends to be, “Where were the auditors?”

There is a common misconception that the procedures performed by an auditor to support his/her opinion is designed to detect any and all fraud which may have occurred in the business.

It is important to note that audits are not designed with the primary aim of detecting fraud; however, it is possible for the auditor to uncover fraud when performing their audit procedures, although this is not guaranteed and depends on the information supplied, sampled and/or tested. 

Although an auditor is required to obtain reasonable assurance that the financial statements taken as a whole are free from material misstatement, whether due to fraud or error, the primary responsibility for preventing and detecting fraud rests with Management and those charged with governance. Due to the rules governing an auditor’s independence, they are not and cannot be part of management, which means they are not responsible for the prevention and detection of fraud at a company.

Responsibility for implementing effective systems of internal control in order to reduce the occurrence of fraud lies solely with Management. This involves a commitment from Management to create a culture of honesty and ethical behavior, segregation of duties and ensuring a strong tone is enforced with regards to policies and that procedures and sanctions are in place for employees who disregard them. The “tone at the top” is extremely important as a perception that Management lacks ethical business conduct, can filter down to employees, and may result in fraud if the opportunity or incentive to commit fraud presents itself. 

Fraud can translate into significant losses for companies, and every organisation should have a plan in place to prevent and detect fraudulent behaviour. Companies need to be proactive in preventing fraud and not wait until fraud is discovered before taking action; sometimes this is just too late. Smaller companies may be more susceptible to fraud as the fraud prevention policies and procedures may not be as sophisticated or robust as those of larger companies.

While it is not the auditors’ responsibility to prevent and detect fraud, they are still required to design and perform adequate audit procedures to assess the risk of material misstatements of the financial statements due to fraud. If fraud is discovered during the audit, this should be reported to the appropriate level of Management. The auditor should consider what implication this would have on other areas of the audit, and whether it would constitute a reportable irregularity. Lastly, the auditor should consider what effect the fraud would have on the financial statements as well as the auditors’ report.

Another reason instances of fraud, especially those that do not result in a material misstatement of the financial statements, may not be discovered by the auditor is that the fraud often involves complicated and well-designed schemes designed to hide it. The risk of the auditor not detecting fraud by Management is higher because senior staff may be in a position to override policies and procedures and pass unauthorised or inappropriate journals entries. The risk of Management override will vary from entity to entity, but is present none the less.  Furthermore, collusive fraud is more difficult to detect, because it involves two or more parties working together.  Collusion can cause the auditor to believe the audit evidence is persuasive, when in fact, it is false. For example, if one employee has permission to make a transaction and another employee has the permission to approve the same transaction this could result in fraud if they collude with each other, making it almost undetectable to the auditor. 

While audits are performed under very strict and effective standards, there is an unavoidable risk that some misstatement of the financial statements may go undetected. 

Companies should not rely on the auditors to find fraud, and should look at ways to put preventative measures in place. There are many preventative measures which Management can put in place to minimise the risk of fraud, these are some examples:

• Sufficient segregation of duties
• Strengthen internal control policies and procedures
• Institute a code of conduct for all employees
• Perform background checks on all employees before hiring
• Be actively involved in the day-to-day running of the business
• Incorporate passwords and user ID’s
• Implement a “whistle-blower” hotline
• Limit access to important data
• Educate employees about fraud
• Implement an internal audit function

It is important that Management acquires a thorough understanding of the true comfort they are obtaining from the audit that no fraud has taken place. You are encouraged to discuss this with your auditor in order to determine what further measures are appropriate for your business to safeguard your assets.