IIA Magazine Dec 2016

One potential failure of ERM is green-washing: crucial risks are pushed down into the larger collection of more trivial risks. Cybercrime is a current buzz risk. The first line of defence needs to take on greater accountability for sound risk management and control.

Investors are pushing for more accountability and transparency behind decision-making. Shareholder activism is playing a big role nowadays.

The EU has released new general data protection regulation (GDPR) which intends to strengthen and unify data protection for individuals within the EU. However, most organizations say that they are not well prepared. Organizations should start preparing for this as it will kick off in May 2018.

Client Feedback. Audit performance can be fine-tuned with the right input from stakeholders. Feedback should aid audit performance. Feedback should be to the point and be specific and timely in order to be effective. Useful feedback can increase audit effectiveness. Feedback can be provided during the opening meeting, during the audit or during the closing meeting. The client should take the opportunity to clarify any concerns that they may have. During the closing meeting, IA needs to present the supporting documents and records. A post-audit questionnaire can be sent to the client after the audit.

Must-have Controls for Small Medium Enterprises. 5 controls can help SMEs protect themselves against cyber breaches, as they often lack the resources to deal with threats. Firstly, scan the network quarterly and identify vulnerabilities. Train employees on IT security. Protect sensitive information by inventorying sensitive business processes and reviewing access to information. Learn to segment the network. Deploy extra protection for endpoints and encrypt the data. Learn to monitor the network, manage service providers, protect smart devices and monitor activity related to sensitive information.

A Holistic Approach to IT Risk. The COBIT framework can help auditors understand and address their organization’s technology risks. IT can be very complex but IA needs to evaluate the full range of IT risks. COBIT is valuable for the whole process, from end to end. The 5 key principles are meeting stakeholder needs, covering the enterprise end-to-end, applying a single integrated framework, enabling a holistic approach, and separating governance from management. Internal auditors can use COBIT to understand the nature of IT risks that are unique to their organization.

A Toxic Culture. A department leader creates a hostile work environment by promoting friends and abusing employees and company assets. When many employees leave, it could be a sign of a toxic culture. The internal control system was inadequate as no one tracked expenses. Critically review turnover data as high turnover is a big red flag. Exit interview results should be reviewed regularly. Access control over reports should be reviewed and approved.

On The Rise. Learning is the key to doing well in IA. Get students involved early; you can volunteer as a guest speaker on internal auditing topics. IA can get involved in many projects and act as change agents for the organization. Projects allow one to build and develop business relationships with stakeholders. One can use data analytics during audit engagements. IA can act as a trusted advisor and perform consulting work. One can learn SQL, which is a tool for managing data. One could take others under their wing and mentor them so that they can grow. Interaction between auditee and IA must be positive. Spread the good word about what your team does. IA should be innovative in proposing solutions. It is helpful to distinguish the different roles of EA and IA too. Communication skills are the key to IA’s success.

Growth through challenge. Current and past emerging leaders discuss the tough assignments that helped propel their careers forward. Challenges faced in your career can propel you to be a better auditor. It is good to share with others what some of the common mistakes are. See auditees as people and go in with a customer-first mentality. Be client centric. Be prepared when you go for meetings and interviews. Get a mentor, build relationships, learn from your mistakes and learn to network. It is important to preserve independence and objectivity. Influencing mindsets is tough. Building relationships with auditees can be tough when you are new. It is important to have a good audit methodology. The learning curve can be steep, especially if the industry is new to you. Some departments are resistant to letting IA audit their operations. Talented auditors are always in demand. Once you are good, you can engage C-suite management easily and without fear. Young auditors are always eager for more opportunities.

It’s all in the delivery. Sharing difficult messages is an unavoidable part of the job for internal auditors. Some audit observations can be difficult to convey. You should always build the relationship before delivering bad news. Delivering bad news right away is unlikely to work. Using weekly updates once exceptions are noted is the key. Preparation is the key to accomplishing objectives. It is important to be fair and factual. Focus on the process as well as the content. Where possible, tailor the delivery to the personality of the recipient. During the discussion, one can seek opportunities, offer to help, be clear and maintain open body language. ‘If the audit report is the first time a client is seeing something in writing, that is the first and biggest mistake.’ Verbal updates are great, but periodic written updates go a long way. Auditors might get into trouble over their poor soft skills. Focus on the problem, include some positives, have a face-to-face meeting, etc. The key is not to beat around the bush. EQ is important for good delivery. The key is to deliver bad news while still building a good relationship with the auditee.

Breaking Through. Women in business are taking on the barriers to advancement, and that’s good news for everyone. Diversity is good for the workplace. More women need to be in leadership positions. However, women might face issues such as lack of support, exclusion and apathy. There needs to be sufficient support from male leaders. Men should be interested in achieving gender equality. Be You. Seize the Moment. Integrate Your Life. Earn Respect. Stay Behind Facts. Be realistic and practical. Forget silos. Think context before issue. Rethink reporting. Aim at the destination with gratitude. Women may also face the motherhood penalty.

Mapping Assurance. Internal auditors can facilitate efforts to document the organization’s combined assurance activities. There are a variety of assurance providers. The CAE can use an assurance map to co-ordinate assurance activities. It can also help prevent gaps in coverage. IA is well positioned to provide combined assurance. The plan should start with the organization’s strategic plan and the key risks associated with the strategic objectives. There should be 3 tiers of defence to provide assurance. IA needs to assess the quality and quantity of assurance received.

A Winning Pair. Governance and automated controls must work in tandem to achieve maximum results. Good governance is the key. IA needs to assess the current risk profile, mitigation activities and residual risks. Good behaviour takes time, and employees should receive reminders in order to sustain it. Desired behaviour ultimately stems from the top.

The High-Performance Audit Team. Today’s complex, evolving business environment demands more of internal auditors. The world is changing and stakeholder expectations are increasing. IA can also rotate and fill other operational positions. An integrated internal audit function can boost performance. There is a strong need to invest in training and learning. Verbal, leadership, communication skills are very important. A high performance team can evolve to meet new challenges and reinvent itself. We also welcome constructive feedback from staff.



IIA Magazine Feb 2017 issue

Internal Auditors need to provide maximum return on investment and audit the right things. They need to understand the company’s strategic mission, objectives and KPIs. More auditors need to base their work on the International Standards for the Professional Practice of Internal Auditing.

The 5 emerging threats are (i) global economic uncertainty; (ii) increased regulatory burden; (iii) significant industry changes; (iv) business model disruption; (v) cybersecurity threats. Global economic uncertainty seems to be a bigger risk in 2017 as compared to previous years. In the compliance space, with the new US administration, enforcement areas could see some change. Trump could change the legislative, regulatory and executive actions taken under Obama’s administration.

Although most companies feel that they could detect a sophisticated cyberattack, many of them do not have an adequate communication strategy in the event of a significant attack. Also, some BCPs might be lacking. Continuous monitoring for cyberattacks is also a challenge.

Data Mining. By leveraging data, internal auditors can address issues beyond the reach of traditional analysis techniques. It involves making use of data in which no relationships or patterns had previously been formulated. Artificial intelligence, machine learning, statistics and database systems all come into play. Some of the techniques auditors can use are predictive modeling (IF), data segmentation (data clustering), neural networks (artificial intelligence), link analysis (links between records), deviation detection (red flags). Email mining can identify red flags for fraud, etc. Social network analysis is also possible. IA should continue to look for ways to innovate their audit testing.

Intelligent Assessments. Use cognitive technology to help identify high-risk areas. These are intelligent computer systems that can aid in the performance of risk assessments. For instance, such a tool can extract and analyze text from audit reports and identify trends and high-risk areas. Natural language processing (NLP) has the power to tap into every sentence of every report to churn out more information. The machine converts text into a structure, adds meaning to the text and is taught to understand audit concepts. Words like ‘fraud’, ‘finding’, ‘auditee’ can be flagged.

Turning Up the Heat on Fraud. A fraud risk assessment can help auditors take the organization’s ethical temperature. There are many ways to do it, for example through surveys, focus groups, workshops, etc. The focus is mainly on fraud risk. It works best in small brainstorming sessions with operational management. Using the ACFE’s Fraud Risk Assessment Tool can be useful as it provides a structured approach. Risk assessment is about identifying where fraud might occur and the potential perpetrators. IA can run surveys to measure the ethical climate, and voting can be anonymous. The results of the survey can be discussed with management. If there are areas with high fraud risk, IA can pay more attention to them.

The Accidental Discovery. Small or remote locations can be more susceptible to embezzlement, especially when they are not audited regularly. Confront someone only after the facts have been reviewed. Look at the big picture. Controls that aren’t operating effectively are as good as absent.

Auditing what matters. Add value by selecting audits that contribute to the achievement of strategic objectives. Auditors should start looking at this area now. Look at where the company spends the most money, what its main programmes are, etc. Find out who is responsible for the strategy and make them IA’s stakeholders. Traditional audit activities can move towards strategy too. IA should use the COSO ERM framework in its entirety. The aim is for IA to be a strategic partner to management. Don’t fear failure, and find out more from the auditee by talking to them. The trick is to engage with process owners easily and evaluate control design. IA should do the following: (i) identify and define the risks; (ii) rate the risks; (iii) address risks in detail. Getting management buy-in is also important. The CAE must convince the AC of the need for a strategic approach. Most IA want to be a trusted advisor.

Core Principles and the QAIP. The new IPPF in 2015 can be incorporated into the QAIP to show that IA is aligned with the mandatory IPPF elements. Learn to develop a concept and approach that is easy to understand. Core principles are a mandatory element of the IPPF. IA needs to have general conformance with the Code of Ethics and Standards. The 5 steps are (i) establish a maturity framework (ineffective, partially effective, effective, sustainable, world class); (ii) map core principles to the standards and code of ethics; (iii) define characteristics of maturity in 3 aspects: standards and QAIP characteristics, infrastructure and process characteristics, and core principles and specific characteristics; (iv) perform internal and external assessments consistent with the requirements of the QAIP; (v) evaluate and report maturity levels for the core principles.

Champion of Trust. By modelling high standards of ethical behaviour, IA can help shore up faith in the organizations they serve. How can IA be a trusted advisor that is well respected? One way is via ethical commitment. IA needs to model ethical conduct in everything it does. IA must have the courage to speak up before things go wrong. Ethical commitment is the key to a well-functioning IA. Ethics should come naturally to all. We also need to build ethical resilience (integrity, courage, honesty, accountability, trustworthiness).

Infusing IT Auditing into Engagements via a three-phase approach. The tech sector is growing at a rapid rate. Internal auditors also need to develop IT-related capabilities. IA needs to think about the future of integrated auditing. For a start, IA can incorporate IT perspectives into current audit engagements. This can involve documenting the automated IT controls. One can also read IT policies, such as those on change management. One should also identify IT resources and pinpoint where they are stored (example: servers). Map core IT resources and data to key business objectives. Respond to IT risks and identify audit objectives that can add value. An integrated audit can help in this. In the medium term, IA can build an IT audit team, understand an IT framework like COBIT, perform IT audits and also foster relationships with IT and management. In the long term, IA can leverage data analytics and obtain professional certifications (like IIA and CISA).

Breaking Down The Standards. With the right strategy, practitioners can divide conformance into bite-size, easily digested portions. The standards consist of attribute standards (series 1000 to 1322) and performance standards (series 2000 to 2600). Some IA may neglect the attribute standards and focus on the performance standards instead. However, both are very important. IA should perform an assessment of how well they are conforming to the Standards. An external assessment must be conducted once every 5 years. The audit work program needs to be reviewed and approved by the CAE before engagement commencement. Ultimately, conforming and understanding the principles behind the Standards are important.

Auditing Organizational Governance. IA has an integral role to play in improving the organization’s strategic performance. This area is becoming increasingly important in recent years. Governance reviews can help prevent governance failures. Less than 1 in 6 IAs conduct reviews for their organization’s strategy. Sometimes, it might be difficult to conduct a separate governance review. Rather, it might be easier to incorporate it as part of routine audits. One can focus on both the governance structures as well as the organizational culture. Some of the soft controls can include management competence/style; mutual trust and openness; strong leadership; high performance and quality expectations; shared values and understanding; high ethical standards. However, for some of these measures, there are no hard data to analyse. Hence, it is important for IA to read the signs. IA can also provide a more advisory role, which is educating board about developments and trends in the industry and governance best practices. In terms of strategic reviews, IA has much to work on. There is a tendency to focus on weaknesses in financial reporting etc.

Good Governance is All About Quality. The 5 quality rules are (i) customer focus; (ii) management leadership; (iii) Teamwork; (iv) Measurement; (v) Total commitment to continuous improvement.



IIA Magazine April 2017 issue

Business Resiliency is about the organization’s ability to quickly adapt to risk events while maintaining continuous operations and safeguarding its employees, assets, and brand equity.

Malware, ransomware and man-in-the-middle attacks are common security issues for organizations.

Some organizations lack a clear risk management program and that is a problem. Lack of resources, complexity and inability to get started are some of the reasons cited.

Two under-audited risk areas: 1. Communication errors/misinformation over company performance through channels other than financial reports; 2. Environment, health and safety, which is a high-risk area that not many IA cover.

Cyber risks are also a main area where IA needs to be concerned about.

Learn to work smart and not harder. Employers should 1) acknowledge the problem; 2) appreciate the employee; 3) identify the root cause; 4) define the roadblock; 5) Devise a solution (training, resource allocation, process improvements); 6) Circle back. Guiding an employee well will result in an increase in productivity and morale.

The Data Museum. IA can compile organizational data into structured exhibits. Auditors need to use data warehousing principles to clean the data and structure it so that it is ready for analysis. Before storing data, consider the following: relevance, reliability, reusability, rarity. For instance, SQL can be used to extract, transform and load the data. Learn to run SQL statements. As for audit tools, auditors can use data visualization and advanced reporting techniques. Use a relational database and start small. Ensure that there are audit trails and logs.

The Many Facets of Risk. Risk is always multi-faceted. Look at the product and market research life cycle. It is important to do strategy and competitive analysis, for example via SWOT, Porter’s 5 forces, etc. Financial management techniques like NPV calculations aid project decision-making. Operations management is about maintaining the optimum amount of inventory, for example with the EOQ method. Forecasting sales and demand is also a risk. Human resource risks and quality management risks are also possible. IA can cross-pollinate risks via mathematical or management methods.

Life of Luxury (Embezzlement). When too much power (accounting, budgeting, etc.) resides with the head, too much risk exists, including fraud risk. There were too many over-budgeted accounts in this case. Also, a person spending excessively or leading a lavish lifestyle should arouse suspicion. There are many lessons that IA can learn: include riskier businesses in the IA plan; question how beneficial the whistle-blowing hotline is; an audit of payroll can detect payments to fictitious persons or other people; review the acceptable use policy for all corporate-issued credit cards.

Resilience Through Crisis. Organizations all need to overcome crises and emerge stronger. The BP oil-spill PR was handled badly. IA can audit the crisis management plan. A crisis team should be cross-functional and with each goal clearly defined. IA should also be part of the team to ensure that the team is addressing the appropriate issues. The team should identify potential crises and IA can chip in. Next, a comprehensive crisis plan should be developed. Effective communication is the key and there must be a plan to inform stakeholders quickly. It is also important to have a spokesperson to handle the media etc. General templates can be used for media statements. Experts can be used as well. Crisis simulations should be conducted, like table-top exercises etc. IA should be the observer in all simulations. After the crisis, the crisis management team should evaluate the effectiveness and the performance of the plan.

Hit the Ground Running. The trend is to convert IA interns into permanent staff as they already understand some of the company’s operations. Another option is to transfer existing staff to IA. Interns who perform well stand to be converted. Interns are also less costly and can be used during peak periods. There needs to be a significant investment in developing a good internship programme. There needs to be a plan all along. When you plan, it is important to prepare a job description, program budget, hiring plan and schedule. Provide guidelines for the interns to do their work and make the audit project interesting for them. Teach them soft skills during the audit. Give them real assignments. Stretch them and ensure that they can contribute and make their internship meaningful.

Climbing the Scale. Turn to maturity models. Maturity models can rank from 1 to 5. They can be expanded into many business areas nowadays. Maturity models can be more meaningful than a simple pass/fail. Using this can convey a more positive collaborative tone too. Acknowledge what the client is doing already to improve processes and controls. A maturity model also focuses more on processes than people and seems more non-threatening. The models you can use are CMMI, C2M2, COBIT, P3M3, RMM, TMMi etc. Develop a dynamic risk assessment approach. IA should provide both assurance and insight. One can use the ISO standardized frameworks to compare the organization’s maturity level against. At times, the highest level of maturity might not be required as a lot of resources will be required. Maturity models can be very judgemental indeed. To succeed, IA needs to choose the correct model and be flexible when applying it. Build the best model and find a project champion if possible.

From the Same Playbook. IA needs to align its work with the organization’s strategy. There are debates as to whether IA should provide assurance around risks affecting company strategy. It depends on the CAE. However, not all top executives will want to discuss strategy with the CAE. There can be a disconnect as IA usually does not audit the latest transformations and developments in the company. Some IA prefer to audit compliance, which they are more familiar with. Two big risks are not having effective strategy or not executing them properly. CAE should think like CEOs and think through different perspectives and figure out how to maximize shareholder value. IA can perform gross profit margin analysis etc. There needs to be a balance between strategic-level audits and compliance based audits. Have discussions with management and the audit committee on strategy. It is for IA to look into strategy risks and the risks of entering any particular strategy.

Three Lines in Harmony. A centralized testing model will enable the 3 lines of defence to rely on each other’s work. Front-line management is the first line of defense, risk/compliance functions are the second line of defense, internal audit is the third line of defense. It is important to co-ordinate so as to ensure all areas are covered and there is no duplication. Relying on others can also increase efficiency. Ensure that there are proper service agreements if there is a centralized testing unit. Automated testing is preferred. There is a need to document the risk framework.

Signature Audits. Auditors should try to identify and respond to emerging risks. Most IA confirm concerns already identified by management. IA can do a mystery shopper role, or perform simulations to test controls. IA now need to be more innovative and curious. Signature Audits refer to thinking out of the box to design appropriate test procedures (example: penetration testing or social engineering). IA can identify best practices or try to circumvent processes rather than test them.


Audit Analytics by Sean Elrington

Data analytics is useful for good governance as it provides better assurance as compared to manual sampling. Is the need to hire consultants necessary for straight-forward audit tests? It can help recover unnecessary spending. There may be resistance from the other departments if audit wants to perform 100% checks. There are still auditors which do not use data analytics.

Common Objections to Using Audit Analytics. Some auditors are too busy to learn and to change. The data may not be readily available. In addition, the cost has to be justified. Some are too intimidated by change. You need an understanding of ERP, database structures, views, tables, etc. The benefit is that you might save time on data analysis. How will analytics help audit productivity? As it requires fewer man-hours, analytics can be useful, although in the short run more work will probably be required. If the error is systematic, testing 100% of the population might not be very useful. In such cases, it is better to test a few samples and fix the control first. Analytics is here to stay.

Questions that the IT manager will ask you. Why can’t the auditors use Excel? Excel has its limitations on data size. Random sampling is not a good way to detect fraud. Data can be amended easily in Excel and it does not have much data security. Sorting can be slow and Excel lacks functions like Benford’s Analysis. Modern audit software has data logs too. It is good to host the data on a server, especially when there are multiple users. If you rely on the IT department to generate data for you, there is a risk that the data could be manipulated before being provided to you. There is the question of how much access an auditor should be given. Data should be obtained from production and not the data warehouse, as in the data warehouse bad data might have been removed already. Application controls rely on passwords and roles to work. Relying on the controls in the ERP system might not be useful when there is collusion. Data might reside in different systems, and auditors can’t simply draw the data from one ERP system.

Considerations when choosing audit software. Some of the functions that are heavily used are extract, join, relate, summarize, stratify, classify and age. Continuous monitoring is a lot more expensive and complicated. Is training a big consideration? Do you need to write your own scripts? Or can you buy scripts? What is your required return on investment? Will learning the software help the auditors in their career development? How much technical support is needed? What are the server requirements?

Analytic Software Tools. Picalo is a free tool that can be downloaded online. Some of the other software besides Excel are TopCATTs, Arbutus Software, IDEA, Monarch, Picalo, ACL. ACL usually requires a lot of training before users know how to use it.

Testing for Duplicate Payments. One can test both exact and fuzzy matches. There are multiple reasons why duplicates might occur. First, ensure that there are no duplicate vendors by scrutinizing the vendor details. For exact match testing, you can use ‘Substring’, ‘Include’, ‘Exclude’ and ‘Alltrim’ formulae to remove dashes, hyphens, etc. before comparing. Testing should be performed on fields like Invoice Number, Vendor Number, PO Number, Date, Amount, etc. Deconstruction techniques are used for fuzzy matches, using methods like Soundex, Soundslike, HEX, etc. Some of the algorithms are Levenshtein distance, Metaphone, etc.
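The duplicate-payment test described above, written out as an added example (not from the magazine or from any of the tools it names): invoice numbers are normalised the way the Alltrim/Exclude formulae would (strip dashes, spaces and case), exact duplicates are grouped on vendor, normalised invoice and amount, and near-duplicates are found with a Levenshtein distance on the invoice number. The payments extract is constructed for illustration.

```python
"""Duplicate-payment analytics: exact match after normalisation, then fuzzy match.

Added example; the PAYMENTS extract is constructed, not real AP data.
"""
import re
from itertools import combinations

# Constructed AP extract. Ids 1/2 are the same invoice keyed differently;
# 3/4 differ by one digit in the invoice number; 5/6 share an invoice number
# but not the amount (so they are not a duplicate payment).
PAYMENTS = [
    {"id": 1, "vendor": "V100", "invoice": "INV-2017-001", "date": "2017-03-01", "amount": 1250.00},
    {"id": 2, "vendor": "V100", "invoice": "inv 2017 001", "date": "2017-03-15", "amount": 1250.00},
    {"id": 3, "vendor": "V200", "invoice": "A-7781", "date": "2017-03-02", "amount": 980.50},
    {"id": 4, "vendor": "V200", "invoice": "A-7787", "date": "2017-03-20", "amount": 980.50},
    {"id": 5, "vendor": "V300", "invoice": "9981", "date": "2017-03-05", "amount": 400.00},
    {"id": 6, "vendor": "V300", "invoice": "9981", "date": "2017-03-05", "amount": 450.00},
]


def normalize_invoice(s):
    """Equivalent of Alltrim/Exclude: drop everything but letters and digits, upper-case."""
    return re.sub(r"[^A-Z0-9]", "", s.upper())


def exact_duplicates(payments):
    """Group payments on (vendor, normalised invoice, amount); return groups of size > 1."""
    groups = {}
    for p in payments:
        key = (p["vendor"], normalize_invoice(p["invoice"]), round(p["amount"], 2))
        groups.setdefault(key, []).append(p["id"])
    return [ids for ids in groups.values() if len(ids) > 1]


def levenshtein(a, b):
    """Minimum number of single-character edits turning a into b (classic DP)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def fuzzy_duplicates(payments, max_distance=1):
    """Same vendor and amount, invoice numbers within max_distance edits,
    excluding pairs that are already exact matches after normalisation."""
    hits = []
    for p, q in combinations(payments, 2):
        if p["vendor"] != q["vendor"] or round(p["amount"], 2) != round(q["amount"], 2):
            continue
        a, b = normalize_invoice(p["invoice"]), normalize_invoice(q["invoice"])
        if a == b:
            continue  # reported by exact_duplicates
        d = levenshtein(a, b)
        if d <= max_distance:
            hits.append((p["id"], q["id"], d))
    return hits


if __name__ == "__main__":
    print("exact:", exact_duplicates(PAYMENTS))   # [[1, 2]]
    print("fuzzy:", fuzzy_duplicates(PAYMENTS))   # [(3, 4, 1)]
```

Fuzzy hits are leads for review, not findings: a one-digit difference can be two genuine invoices, so the next step is to pull both source documents.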

P2P Vendor Analytics. Some of the objectives are 1) vendor master file is correct; 2) employees are not vendors; 3) no duplicate or unused vendors. Match vendor information with employee information. Check out vendor addresses to ensure that they are not mail drop addresses used by delivery services. Sort the number of vendors by payments per year. Use a vendor name fuzzy match. Find vendors with missing fields to check whether the vendor master is well-kept or not.

Purchase Card Analytics. Objectives are 1) only authorized employees are using cards; 2) card purchases are acceptable. Try and detect transactions by authorized card-holders. Find cardholders not in employee master file. List top spenders by department. Find transactions in excess of authorization limits. Identify weekend and holiday purchases.

FCPA analytics. Objectives are 1) test that there are no suspicious payments made to individuals or entities; 2) verify that gifts received are permitted. Identify payments made to high-risk countries. Identify cash payments. Identify unusual gifts. Identify credit card spending with unusual Merchant Category Codes. Find unusual vendors, like PEPs, etc. Flag payments described with words like ‘facilitate’. Match against watch-lists, World-Check, etc.

P2P Payment Analytics. Objectives: 1) POs are unique and properly filled; 2) SODs are working; 3) controls to match invoice and PO amounts are accurate. Detect split purchases. Find duplicate payments. Find POs that were raised late. Look out for people who can create and approve their own POs. Look out for unauthorized purchasers. Ensure that there is approval for all POs. Compare a list of payments to prohibited vendor lists.
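The vendor and payment tests listed above (employees who appear as vendors, POs approved by their own requester, and purchases split to stay under an approval limit), as one added example that is not from the magazine: the matching key for employees-as-vendors is the normalised bank account and address, and a split purchase is taken to be two or more sub-limit POs from the same requester to the same vendor within a 7-day window whose total exceeds the limit. The approval limit, the window, and all master data and POs are constructed assumptions.

```python
"""P2P vendor and payment analytics: employees-as-vendors, self-approval, split POs.

Added example; all extracts below are constructed, not real ERP data.
"""
import re
from datetime import date


def norm(s):
    """Strip punctuation/whitespace and upper-case so '12-3456-78' matches '123 456 78'."""
    return re.sub(r"[^A-Z0-9]", "", s.upper())


# Constructed employee and vendor master extracts. Vendor V300 shares E1's
# bank account and address, keyed slightly differently in each system.
EMPLOYEES = [
    {"emp_id": "E1", "name": "Ann Lee", "bank": "12-3456-78", "address": "5 Orchard Rd #03-01"},
    {"emp_id": "E2", "name": "Bob Tan", "bank": "99-0000-11", "address": "10 Bukit Timah Rd"},
]
VENDORS = [
    {"vendor_id": "V100", "name": "Acme Supplies", "bank": "55-1111-22", "address": "1 Industrial Ave"},
    {"vendor_id": "V300", "name": "AL Consulting", "bank": "123 456 78", "address": "5 ORCHARD RD, #03-01"},
]


def employees_as_vendors(vendors, employees, fields=("bank", "address")):
    """Return (vendor_id, emp_id, field) for each field value a vendor shares with an employee."""
    index = {(f, norm(e[f])): e["emp_id"] for e in employees for f in fields}
    hits = []
    for v in vendors:
        for f in fields:
            emp = index.get((f, norm(v[f])))
            if emp:
                hits.append((v["vendor_id"], emp, f))
    return hits


# Constructed PO extract. Assumed approval limit is 5000: P1-P3 are three
# sub-limit POs to V100 within four days; P4 was approved by its requester.
PURCHASE_ORDERS = [
    {"po": "P1", "vendor": "V100", "requester": "E1", "approver": "E2", "date": date(2017, 3, 1), "amount": 4800},
    {"po": "P2", "vendor": "V100", "requester": "E1", "approver": "E2", "date": date(2017, 3, 3), "amount": 4900},
    {"po": "P3", "vendor": "V100", "requester": "E1", "approver": "E2", "date": date(2017, 3, 4), "amount": 300},
    {"po": "P4", "vendor": "V200", "requester": "E2", "approver": "E2", "date": date(2017, 3, 10), "amount": 1500},
    {"po": "P5", "vendor": "V100", "requester": "E1", "approver": "E2", "date": date(2017, 4, 20), "amount": 4700},
]


def self_approved(pos):
    """SoD breach: the person who raised the PO also approved it."""
    return [p["po"] for p in pos if p["requester"] == p["approver"]]


def split_purchases(pos, limit, window_days=7):
    """Clusters of >= 2 sub-limit POs (same vendor, same requester) within the
    window whose combined amount exceeds the limit. Returns lists of PO ids."""
    by_key = {}
    for p in pos:
        if p["amount"] < limit:  # only POs that individually escape the higher approval
            by_key.setdefault((p["vendor"], p["requester"]), []).append(p)
    flagged = []
    for group in by_key.values():
        group.sort(key=lambda p: p["date"])
        for i, start in enumerate(group):
            cluster = [q for q in group[i:] if (q["date"] - start["date"]).days <= window_days]
            ids = [q["po"] for q in cluster]
            total = sum(q["amount"] for q in cluster)
            # skip sub-clusters already covered by an earlier, larger window
            if len(ids) >= 2 and total > limit and not any(set(ids) <= set(f) for f in flagged):
                flagged.append(ids)
    return flagged


if __name__ == "__main__":
    print(employees_as_vendors(VENDORS, EMPLOYEES))     # [('V300', 'E1', 'bank'), ('V300', 'E1', 'address')]
    print(self_approved(PURCHASE_ORDERS))               # ['P4']
    print(split_purchases(PURCHASE_ORDERS, limit=5000)) # [['P1', 'P2', 'P3']]
```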

GL Analytics. Objectives: 1) only authorized employees are making GL entries; 2) GL entries are acceptable. Detect duplicate GL entries. Look for suspicious wordings like ‘park’, ‘temp’, ‘reverse’, ‘suspense’. Detect GL entries made at odd times. Review payment vouchers and look out for approvals, etc. Look out for frequently changed or reversed accounts. Find temporary accounts.

Healthcare Analytics. Objectives: 1) procedures billed to the correct code; 2) appropriate charges are billed to correct account; 3) reasonable timeline of patient activities.

Fraud Facts. Whistle-blower hotlines are a great way to detect fraud. Some level of fraud might be acceptable; it depends on the organizational culture. It is not the auditor’s responsibility to detect fraud. Look out for transactions with fraud symptoms. In general, there are two types of fraud: 1) fraudulent financial reporting and 2) misappropriation of assets. It is hard to distinguish whether something was an honest mistake or fraudulent. The tone from the top must be correct.

Common Business Frauds. You might need the help of a skilful financial auditor to deconstruct fraudulent financial reporting. Financial fraud is a very serious matter. Misappropriation of assets often involves kickbacks. Multiple payees could be an issue. Duplicate payments are a potential source of fraud too. A shell company could be used to bill for fictitious services. Detect maintenance which has been performed too frequently. Physical inspection of works/goods can help. Look out for defective delivery of goods/services by having good IC over the receipting of goods and services. See how often different employees reject or accept goods based on their quality. Inaccurate pricing is one of the types of risk too. Contract rigging means awarding to the lowest bid, but subsequently changing the product specs so that the contractor has to deliver more and thus earns more money. Check contracted projects that run over their original budgets. Contract rigging is difficult to detect if you are not familiar with the goods. Bid rigging is very difficult to detect. Ensure that there are no phantom employees or contractors. Look out for invalid employees’ wages.

Interesting Fraud Stories. The fraud triangle occurs when there is 1) opportunity; 2) motivation; 3) rationalization. Don’t let untrained employees do the accounts. Do not let the salespeople collect the cash. Be wary of bribery to win contracts etc.


Local Government Fraud Prevention by Charles Hall

How to Prevent It, How to Detect It?

This is written for both the layman and the fraud examiner. It will cover various areas of operations. Beware of the opening of secret bank accounts that are not on the books. Beware of only 1 authorised signatory. Look out for fictitious invoices. Catch fraud before it becomes large-scale in nature.

An Overview. Who steals? Most frauds are committed by middle-aged males. Those committed by management result in a large loss. The fraudster is usually someone who is good at work, has been with the company for a long period of time and has been given high responsibility. Opportunity is a key element of fraud. To prove fraud, you must prove intent. Errors are different from fraud. Abuse of the company’s assets is possible. There are 3 main fraud categories: asset misappropriation, corruption, financial statement fraud. There is fraud detection and prevention. Prevention is the more effective measure. Theft is the most common type of fraud in government (cash or non-cash). FS fraud is very rare for public entities as they do not have an incentive to cook the books. This book focuses on asset misappropriation and corruption. Frauds usually last for 18 months before detection. Corruption is very serious and leads to large losses. Government fraud is serious as you are ultimately stealing from the taxpayers. Money is tempting, even to the best of people. The Fraud Triangle (Rationalization, Incentive, Opportunity). All 3 must be present for the fraud to occur. SOD is important as it gets rid of the opportunity. People in financial distress have a greater incentive to steal. Be wary of round-dollar vendor cheques. It is alarming when records go missing.

Fraud prevention. It is the responsibility of management to develop a good internal control structure. External auditors do not give an opinion on internal controls. Their definition of materiality is different from IA’s. Audit is not a cure-all as it is more detective in nature. SOD is very effective. 1 person should not be allowed to perform more than 1 of these functions: 1) custody of assets; 2) reconciliation; 3) authorization; 4) book keeping (CRAB). If SOD is not possible, institute a level of review. Write down the names of the people performing each of the tasks. Use the same approach for any other transaction cycle. It is possible to use a checklist to assess IC. A sound whistle-blower programme is important. It is more effective than hiring auditors for fraud detection. Run the whistle-blowing programme continuously, not as a one-off. Look out for red flags. A decrease in revenue is a potential red flag. Hire a fraud specialist before fraud occurs. Addressing fraud is the responsibility of management. Perform periodic surprise audits on areas with control weaknesses.

Transaction Level Fraud Prevention. Theft can occur in the cash receipting process (decentralised cash collections, cash drawers, elected officials and collections, cheque-for-cash substitution). Do not have too many cash collection points. It is important to document any receipt of cash immediately. A cash drawer should be assigned to a single person. All payments in a day must be reconciled to the receipts issued. All receipts must be accounted for. Understand the normal cash drawer activity. If one person handles cash and then keys in the transaction, the supervisor must review the entries. This must happen daily. Cash must be deposited in the bank on a frequent basis. Employees sometimes steal rebates or refund cheques and convert them to cash. It is a must to record on each receipt the amount of cash or cheque payment received. At the end of the day, reconcile the daily amount of cash and cheques from the cash drawer to the daily receipts summary for each type of receipt (cash, cheque etc). In disbursement fraud, money is stolen through cheques, electronic payments etc. Bribes are one way. Bribes harm organizations indirectly. The vendor is usually the one who bribes government officials. The aim is to get the purchaser to buy something he doesn’t need and get him hooked. All gifts must be declared. Look at trends of payments to vendors over the years. Beware of fictitious vendors. You need to know how vendors are created and what the review process is. For example, a fictitious vendor can have the cheques sent to the fraudster’s own home. However, the fraudster must be able to create a signed cheque or wire funds. A forged cheque is also possible. The payment must also be posted, and this goes unnoticed. One person must not be able to both add vendors and authorize payments; this is a conflict of interest. One should verify a new vendor by calling them. If an existing vendor’s address can be edited, the same scheme is possible. Access rights must be properly assigned. Altering cheque payees is another form of fraud.
Altered cheques usually do not have a corresponding invoice. Invoices should be stamped paid so that there will not be duplicate payments. The accounting clerk can trick the cheque signer into signing a cheque for a second time. Make sure invoices are stamped paid. Wire transfer fraud is also possible. For wire transfer fraud, if you can wire funds yourself and then make entries without review, this is a recipe for fraud. Establish a call-back procedure and at least 2 signatories for wire transfers to external parties. Payroll fraud is an area that needs scrutiny too. Look out for the payroll cheque review process. Detect ghost employees. Another way is to inflate pay rates and hours worked. Look at overtime trends etc. Most external auditors perform analytical procedures and not detailed control testing. Jet engine parts can be stolen. Conduct periodic inventories of capital assets. Audit existing, added and removed capital assets. Nip it in the bud. Accountability is critical to prevent theft. Assets must be inventorised and there must be a capitalisation threshold. Construction fraud is possible: 1) kickbacks from the contractor to awarding officials; 2) over-billing; 3) deficient materials and cutting corners. The SO should be hired by the government to act for them and perform quality checks. This SO should be given access to the sites and records. The work should be performed in the government’s interest. The cost of the monitoring agent is a good investment.

Detect Fraud. How do you detect it? There are a large variety of fraud schemes. A leave of absence is good as another employee can perform the work and spot any wrongdoing. If you have money, hire a fraud specialist. All receivable adjustments must be authorised. Confirm cheques received and keep a log. Search for off-the-book theft of receipts. Investigate revenue differences. Do a walkthrough of the documents. There are 6 disbursement fraud tests: 1) test for duplicate payments; 2) review the AP vendor file; 3) check for fictitious vendors; 4) compare vendor and payroll addresses; 5) scan all cheques for proper signatures and payees; 6) review cheques falling just below the approval limit.
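Three of the six disbursement tests (vendor versus payroll addresses, cheque payees against the vendor master, and cheques just below the approval limit), worked as an added example that is not the book’s own material. The employee, vendor and cheque records, the 5,000 approval limit and the 5 % “just below” band are constructed assumptions; the address normalisation is what makes ‘12, ORCHID  LANE’ and ‘12 Orchid Lane’ compare equal.

```python
"""Disbursement fraud tests 4, 5 and 6 from the notes, over constructed data.

Added illustration, not the book's own tool. Employee, vendor and cheque
records, the approval limit and the 5 % "just below" band are assumptions.
"""
import re

# Constructed sample master data and cheque register
EMPLOYEES = [("E1", "Dave Lim", "12 Orchid Lane"), ("E2", "Eve Tan", "7 Maple St")]
VENDORS = [
    ("V1", "Acme Supplies Pte", "88 Industrial Ave"),
    ("V2", "Quick Fix Services", "12, ORCHID  LANE"),   # same address as employee E1
    ("V3", "Office Depot", "3 Harbour Rd"),
]
# (cheque_no, vendor_id, payee_on_cheque, amount)
CHEQUES = [
    ("C100", "V1", "Acme Supplies Pte", 4990.00),
    ("C101", "V1", "Acme Supplies Pte", 12000.00),
    ("C102", "V2", "Quick Fix Services", 4950.00),
    ("C103", "V3", "Dave Lim", 800.00),                   # payee differs from vendor master
    ("C104", "V3", "Office Depot", 4400.00),
]
APPROVAL_LIMIT = 5000.00      # assumed second-signature threshold


def normalise(text):
    """Lower-case, drop punctuation and collapse whitespace so near-identical strings match."""
    return " ".join(re.sub(r"[^a-z0-9 ]", " ", text.lower()).split())


def vendors_at_employee_addresses(vendors, employees):
    """Test 4: vendor addresses that match an employee's address -> (vendor_id, employee_id)."""
    by_address = {normalise(addr): emp_id for emp_id, _name, addr in employees}
    return [(vid, by_address[normalise(addr)]) for vid, _name, addr in vendors
            if normalise(addr) in by_address]


def payee_mismatches(cheques, vendors):
    """Test 5: cheques whose payee does not match the vendor master name."""
    names = {vid: normalise(name) for vid, name, _addr in vendors}
    return [cno for cno, vid, payee, _amt in cheques if normalise(payee) != names.get(vid)]


def just_below_limit(cheques, limit=APPROVAL_LIMIT, band=0.05):
    """Test 6: cheques within `band` of the approval limit, below it, grouped by vendor."""
    floor = limit * (1 - band)
    hits = {}
    for cno, vid, _payee, amt in cheques:
        if floor <= amt < limit:
            hits.setdefault(vid, []).append(cno)
    return hits


if __name__ == "__main__":
    print("vendor at employee address:", vendors_at_employee_addresses(VENDORS, EMPLOYEES))
    print("payee mismatches:", payee_mismatches(CHEQUES, VENDORS))
    print("just below limit:", just_below_limit(CHEQUES))
```

Grouping the below-limit cheques by vendor is deliberate: a single cheque at 4,990 is unremarkable, but several to the same vendor in one period is the pattern that points at splitting to stay under the second signature.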

Procure Fraud-Related Audit Services. What is an audit about? Is fraud occurring? What is the damage? You can prepare an RFP for fraud-related services. You can pay to get a GAAS audit, forensic audit or internal control review. Some smaller governments are not audited.

Audit and CPA. Audit using the balance sheet approach. Fraud can sting auditors. The balance sheet approach is the examination of period-ending balances, such as using confirmations to confirm balances. However, the weakness of this approach is that the income statement may be mis-classified. Auditors can save time using a risk-based audit approach. You need to explain what a fraud is and that it is not the auditor’s responsibility to detect fraud. The required fraud tests must be performed. An IC weakness can be classified as 1) material weakness; 2) significant deficiency; 3) other deficiency. Be careful of material weaknesses. Auditors can use checklists when performing their audit.


41 Ways to Improve the Audit Industry

Note: The following ideas are those which I feel might benefit the Audit Industry and lead to better job satisfaction for all. I have taken practical matters, such as cost and manpower issues, into consideration.

  1. Develop an updated centralized database of all Management Letter Points (MLPs). There is also a need to categorize them based on the various functions of a financial institution. Staff who raised the MLPs should bear the responsibility of uploading them to the MLP database after audit closure. During the off-peak season, staff are encouraged to read all the MLPs thoroughly as it will aid in their fieldwork.
  2. Try to provide comprehensive audit document request lists to the client at least a few days before commencement of the fieldwork and also to pre-empt what documents you may need from them (potential follow-up questions; based on previous similar audit engagements).
  3. Request for a slightly bigger audit room at the client’s premises in order to accommodate the documents that the client will send. This is also useful in view of any additional staff going to help out on the engagement.
  4. Remind the MAS officers-in-charge early of the need to approve our appointment as auditor for banks. Also, aim to conduct a discussion meeting with them as soon as possible.
  5. Aim to read the walkthrough + client’s policies and procedures before fieldwork. Identify the controls from your readings (PY walkthrough) even before conducting the walkthrough with the client.  Identify circumstances in which the client controls might fail and how the client can adequately address them (mitigating controls etc). Figure out what are the industry best practices and if possible, benchmark the client controls against the best practices.
  6. Fix the fieldwork dates with the client at least a few weeks in advance. It would be useful to give the client a warning about the fact that if they choose to go on leave during the fieldwork, it will hamper our audit progress and lead to an inefficient audit.
  7. Arrange for a fieldwork duration which is based on how much audit work is there to be performed. The fieldwork length should be sufficient so that audit work quality will not be compromised by staff rushing through their sections and performing shoddy work.
  8. Hiring more staff will ensure that engagements will have better staffing. Staff can then be more detailed in their fieldwork testing and this, in turn, leads to better audit assurance over the financial statements/other reporting.
  9. Management should constantly negotiate for higher fees (by citing additional regulatory requirements, identifying cross-selling opportunities etc). There is also a need to redesign audit procedures so that they are more focused on the key risk areas and less focus is placed on the less material areas.
  10. Encourage managers to visit the client premises more often in order to build and maintain client relationships and also to address any audit issues that the audit team might face. The client would also be pleased to chat with someone more experienced.
  11. Try to factor in more time for audit fieldwork (especially for new clients) and also perform a thorough review of the predecessor’s audit documentation. More staff are needed to be booked for this file review process.
  12. Commence the interim audit early (like early August) so that it will be less difficult to meet the deadlines moving forward. The staff trak should be updated earlier so that at least some fieldwork can be completed in August. Trainings should be conducted in the month of July, if possible.
  13. Superiors can provide words of encouragement by saying things like ‘Well Done! Thanks for the hard work!’ to their associates. Also, superiors can treat their juniors to desserts/snacks/meals as this is a good way to boost team morale. Superiors should also periodically ask whether the associates have any problems/questions about their work. This is due to the fact that shy associates might keep problems to themselves. Do not create a climate of fear.
  14. Try to reduce the amount of administrative work by hiring more general non-audit staff to take care of dispatch work; folding of confirmation letters; raising of billing; issuing and drafting of engagement letter etc. Issue out engagement letters only when there is a change in the SSAs or when the engagement letter template has a material change from last year.
  15. Often, there are delays in issuing the financial statements because the typists are over-worked and take quite some time before they put through any amendments. The solution is to hire more typists in order to prevent a bottleneck situation from occurring.
  16. Often, there are delays in issuing the financial statements because the printing room administrators are over-worked and take quite some time before they check through the financial statements and print them. Also, the printing machine is unreliable and tends to break down. The solution is to hire more printing room administrators in order to prevent a bottleneck situation from occurring.
  17. Management should try and emphasize the goals and vision of our department on a bi-annual basis in a clear and coherent way. In this manner, the staff’s goals can be aligned to management’s and this will lead to less unhappiness on the ground.
  18. Staff should be allowed to request a change in portfolio if they feel that they are not progressing with their current ones. Staff who request changes just after the promotion period should be given a higher chance of success.
  19. An increase in annual bonus payout would also lead to better staff retention and happiness.
  20. It would be good if audit firms are more transparent and start to disclose the firm’s financial statements to employees. Better transparency would lead to better accountability as well. Besides, audit firms can serve as role models to the industry by providing model IFRS disclosure in their financial statements.
  21. The counselor should strive to meet up with their mentees at least 4 times a year (every quarter). This can be used as a tool to track the staff’s development over the past quarter. This would ensure that the staff feels valued and has ample opportunity to voice out any concerns. Often, people are too shy and will not approach the counselor directly. Therefore, it would be very helpful if the counselor makes the effort to reach out and know their mentees.
  22. An annual review of the audit documentation/firm’s processes should be conducted. This is necessary to streamline the firm’s processes for a more efficient audit the next year.
  23. There should be an emphasis towards the use of less manual working papers and a move towards more of an e-audit. An e-audit is more environmentally friendly and achieves the same level of audit assurance.
  24. Less admin work for audit staff could result if for instance, the firm’s processes have been streamlined and there is hiring of more general non-audit staff to perform some of the administrative duties.
  25. More empowerment can be given to staff. This could be in terms of less micro-management by superiors. Staff can be given more responsibility if they want to take it upon themselves.
  26. Better autonomy can be given to staff in the workplace. During the off-peak season, for instance, staff can be allowed to conduct trainings (both audit and non-audit) if they want to share their own knowledge with others.
  27. Get associates to provide feedback on seniors’ performance (360-degree feedback). Similarly, seniors can give feedback on managers. This feedback can play a small role in their annual KPI assessment.
  28. Staff can choose to master in a specific number of regulations (Banking Act, SFA etc). These staff can then help out with the annual FSI training slides.
  29. New joiners (and subsequently staff at the end of each year) should be allowed the freedom to choose which sub-industry they would like to work on (funds, banks, commodities, insurance, capital market licenses etc). For those who do not want to specialize yet, they can fall under the general track.
  30. Annual Excel and Bloomberg courses should be conducted by management for staff. Most staff are not familiar with useful Excel formulas and Bloomberg functions. It will be helpful to give them a formula sheet listing the commonly used formulas.
  31. Upper management should talk to staff more to find out how they are doing. This could be done through quarterly feedback sessions over breakfast etc. to understand the concerns of the staff.
  32. In early July, a light hearted ‘End of Audit’ sharing session can be conducted for both staff and management to share any interesting findings they have uncovered during their audit.
  33. Staff should be engaged earlier and should be more involved in the preparing of regulatory checklists for the next financial cycle.
  34. It would be more ideal if there is at least 1 more printer in the department as FSG Q4 and Q6 break down too frequently.
  35. The wearing of ties for gentlemen on weekdays is not exactly value-adding. Wearing ties can be uncomfortable and might adversely affect the performance of staff’s work.
  36. Inter-department games are fine but there should not be any mentor league games. Personally, I do not see much interaction going on between the different mentor groups during the competition as well. The building of the car in the Soap-Box Derby is a waste of staff’s time and resources as the car has to be disposed of after the race and does not serve any meaningful purpose.
  37. Aim to develop a culture whereby everyone is willing to help one another in difficult times and cover each other’s back. Management can emphasize this point when they talk to staff.
  38. It would be good if staff have to clear less administrative review points and instead focus more on the audit work. Often, these administrative points provide little value to the client and do not provide additional audit assurance.
  39. More frequent rewards can be provided to staff, apart from the annual bonus. Rewards can take the form of holding more department outings/lunches and even through the use of words of encouragement.
  40. It is important to ensure that a new senior/manager is plotted before the previous one leaves the engagement. This is crucial in ensuring a smooth handover of duties and better audit efficiency.
  41. Noted the existence of an unhealthy completing-everything-at-the-last-minute culture. Everyone should strive to submit work/review work on a timely basis so as to avoid any client complaints and cause unnecessary stress to others.


– The End –




30 Reasons Why You Should Stay in Audit


  1. ‘A person who has opportunities for play can always choose a workaholic life.’ – Martha Nussbaum. A career in audit provides a workaholic life.
  2. You are already comfortable with the audit approach, and the steps that need to be done from the inception of the audit to the signing of the FS.
  3. Audit provides a good learning curve, with new processes or client developments each year. In addition, the financial reporting standards keep evolving (as you realized from audit excellence training and regulatory updates for GFSI people).
  4. Audit provides good networking opportunities with clients and exposure to different types of businesses/industries.
  5. Audit is dynamic in a sense too, where unknown surprises from either your manager/client might surface. This provides excitement in your life. 
  6. Audit allows you to meet new and young male/female colleagues who are of your age group. Therefore, from a networking standpoint, this is another benefit. You may not have the chance to meet such people outside the firm.
  7. Your bosses seem to be understanding and reasonable. Leaving might not guarantee a better life outside. 
  8. Audit has long hours. However, I am sure that you still have the passion/fire within you for it. 
  9. Given your position in Audit, you will be able to soon take up the challenge of leading a team and managing an engagement. You may not have the ability to exhibit your leadership qualities outside. 
  10. Audit allows you to progress fast and soon be able to delegate work and manage your associates. 
  11. Leaving without a job is risky as you do not know when you will be able to find something suitable. Leaving with a job is a big step into the unknown lol.
  12. Even though you might have better hours if you leave audit, you might be bored with too much free time.
  13. Audit is a good place to develop qualities like managing stress, efficient time management, soft skills etc. 
  14. In audit, your work matters to not only the client, but to the various stakeholders that the client has dealings with. 
  15. Audit work is value-adding in that sense. 
  16. When you leave, it might be difficult to integrate in the new environment as your colleagues might be of an older generation and there might be lapses in communication.
  17. After earning too much money, you will become obsessed and devoted to achieving more of it. As a result, you will soon distance yourself from society. 
  18. You have already established a strong network of friends in the firm. Although you might be able to meet new people outside the firm, they may not be as friendly and warm.
  19. By leaving, you are indirectly affecting your friends’ motivation for work.
  20. ‘I learned that it pays to hang around with people better than you are, because you will float upward a little bit. And if you hang around with people that behave worse than you, pretty soon you’ll start sliding down the pole. It just works that way.’ Warren Buffett
  21. ‘Being relatively unmoved by rewards gives you the incalculable power to go your own way. It’s up to you to use that independence to good effect.’ Susan Cain
  22. ‘Getting your brain wired into little goals and achieving them, that helps you achieve the bigger things you shouldn’t be able to do. It’s not just practicing the specific thing. It’s always making things more difficult than they should be, and never falling short, so that you have that extra reserve, that tank, so you know you can always go further than your goal. For me that’s what discipline is. It’s repetition and practice.’ David Blaine
  23. ‘Success is conditional – but it’s within your reach as long as you have the discipline to try, try again.’ Roy F. Baumeister & John Tierney
  24. ‘The most difficult phase of your life is not when no one understands you. It is when you don’t understand yourself.’ Anonymous
  25. ‘The more the body suffers, the more the spirit flowers… Breaking the comfort zone seems to be the place where I always grow.’ David Blaine
  26. I have seen colleagues quit and choose to return to DT subsequently! It makes you wonder why they chose to quit in the first place!
  27. ‘If clouds are blocking the sun, there will always be a silver lining that reminds me to keep on trying…most people lose the ability to see silver linings even though they are always there above us.’ Matthew Quick
  28. ‘The motto I have always lived by in life is to be passionate in whatever you do; don’t do things half-heartedly. Passion will be the fuel to carry you through and help you overcome most of the challenges you will face in life’s journey, be it in work, family or other areas. Learn to enjoy and smell the roses along life’s journey.’ DTT SG Audit Partner
  29. ‘Fortunately, it doesn’t matter. No one has a 5.0 in real life. In fact, when you finish school, the whole notion of a GPA just goes away. When you’re in school, every little mistake is a permanent scratch in your windshield. But in the real world, if you’re not swerving around and hitting the guard rails every now and then, you’re not going fast enough. Your biggest risk isn’t failing, it’s being too comfortable.’ Drew Houston, CEO of Dropbox.
  30. Audit provides an exciting, yet challenging life!

PS: Please treat this list seriously! 😀