Charter | October 2011
Technical focus > Fraud prevention software
All too often there is a story in the press of a
fraud or a major operational failure, particularly
when times are tough. Frequently these
activities are perpetrated by long-term
employees, considered to be above suspicion,
because these employees know how to exploit
any control weaknesses. Most frauds are
detected by accident or by someone informing
– very few by discovery. Increasing the
likelihood of detection through prevention is a
better solution than dealing with an actual fraud
or a significant error.
TRUST IS NOT A CONTROL
Fifteen years ago, all data was centrally
stored (which restricted ease of access) and
manipulation tools were relatively crude.
Fast forward to today. We have fountains
of organisational data on multiple sites, on
file servers, desktops, laptops and smart
phones. This will continue to grow as we
move to cloud computing platforms. Data
is easily accessible in multiple formats,
continuously available and ubiquitous.
Organisational data has moved from isolated
applications to fully integrated enterprise
resource planning (ERP) systems which
typically integrate many different applications
across an organisation, hybrid applications,
spreadsheet systems and a myriad of niche
business systems where data can be stored.
SO WHAT IS THE PROBLEM?
The adequacy of controls across a corporate
environment is often assumed, particularly
when the systems have been acquired and are
showing no obvious signs of malfunction. In
addition, previously established controls may
have since been switched off or modified
without management’s knowledge, especially
during development or upgrades. The people
involved in the implementation may have
moved on and no one person has an
end-to-end view of the control environment.
Continuous assurance is a vital weapon
in the fight against fraud.
Story Glen Laslett FCA and Gavin Steinberg
The costs and disruption associated with the
requirements of the US Sarbanes-Oxley Act,
which required company management to
report on the adequacy of internal controls over
financial reporting and for the auditor to report
on management’s assessment, underline the
difficulties in documenting and maintaining key
controls across a complex organisation.
Control failures often go undetected as the
volume and complexity of the affected data is
too great and it is often held in different
systems. In short, systemic or manually
introduced errors may not be detectable by
cursory or periodic manual examination.
Increasing system complexity and
regulatory emphasis are making it imperative
that organisations gain comfort regarding the
integrity of transactional and system data by
means other than relying purely on controls.
While traditional controls assurance activity
does provide comfort, it is often not enough.
The use of extended transactional review
approaches by external or internal auditors
is limited by either manpower or their ability
to extract and interrogate data. When a
detailed transactional review is performed,
it is often reactive, occurring months after
the transactions in question have been
processed. Effective internal control means
the verification of the effectiveness of key
controls must be supported by ongoing and
near-real-time reviews of key data elements.
The output must be available to financial and
operational users so that they investigate and
remedy transactional errors and any related
Most audits tend to focus on high-risk
issues and this can be appropriate. But when
transactions are reviewed, they tend to be
reviewed on a sample basis. Experience
shows that fraudulent activity and systemic
errors tend to manifest via small irregular
errors that are not evident in a cursory or
As an example, a payment to a single vendor
with an invalid ABN might be insignificant in
terms of value and risk, but may be an indicator
of future significant fraud or systemic error.
Without identification, the operational failures
may go unnoticed until significant damage is
done to the organisation, requiring lengthy and
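The invalid-ABN test mentioned above, run over every payment rather than a sample and with no value threshold, as an added example that is not from the original article. The payment records, field names and vendor names are constructed for illustration; the check itself is the standard ABN weighted checksum (modulus 89).

```python
import re
from collections import defaultdict

ABN_WEIGHTS = (10, 1, 3, 5, 7, 9, 11, 13, 15, 17, 19)

def abn_is_valid(abn):
    """11 digits; subtract 1 from the first; weighted sum must divide by 89."""
    digits = re.sub(r"\s+", "", abn or "")
    if not re.fullmatch(r"[0-9]{11}", digits):
        return False
    nums = [int(d) for d in digits]
    nums[0] -= 1
    return sum(w * n for w, n in zip(ABN_WEIGHTS, nums)) % 89 == 0

def abn_exceptions(payments):
    """Test the whole population and return every payment that fails."""
    out = []
    for p in payments:
        abn = (p.get("abn") or "").strip()
        if not abn:
            out.append({**p, "reason": "missing ABN"})
        elif not abn_is_valid(abn):
            out.append({**p, "reason": "invalid ABN"})
    return out

def exposure_by_vendor(exceptions):
    """Roll exceptions up per vendor so repeated small payments stand out."""
    totals = defaultdict(lambda: [0, 0.0])
    for e in exceptions:
        totals[e["vendor"]][0] += 1
        totals[e["vendor"]][1] += e["amount"]
    return {v: (n, round(t, 2)) for v, (n, t) in totals.items()}

# Constructed sample ledger extract (hypothetical field names and vendors).
PAYMENTS = [
    {"payment_id": "P-1001", "vendor": "Vendor A", "abn": "51 824 753 556", "amount": 18200.00},
    {"payment_id": "P-1002", "vendor": "Vendor B", "abn": "33051775556", "amount": 950.00},
    {"payment_id": "P-1003", "vendor": "Vendor C", "abn": "51824735556", "amount": 74.50},
    {"payment_id": "P-1004", "vendor": "Vendor C", "abn": "51824735556", "amount": 81.00},
    {"payment_id": "P-1005", "vendor": "Vendor D", "abn": "", "amount": 120.00},
    {"payment_id": "P-1006", "vendor": "Vendor E", "abn": "1234567890", "amount": 60.00},
]

if __name__ == "__main__":
    found = abn_exceptions(PAYMENTS)
    for e in found:
        print(e["payment_id"], e["vendor"], e["amount"], e["reason"])
    print(exposure_by_vendor(found))
```

A passing checksum only shows the number is well formed, so a follow-up lookup against the ABN register is still needed to confirm it belongs to the named vendor.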
THE CURRENT ENVIRONMENT
A client once remarked to their auditors that they
didn’t consider fraud to be a significant risk
across their 250 locations due to their implicit
trust in the integrity of their staff and the good
working conditions provided. They thought that
any occurrence would be rare and insignificant
in total. Six months later, a $1.6 million stock
fraud by one of their trusted managers was
revealed. The fraud was disclosed by good luck
rather than management diligence or controls.
This long-term employee had used their
knowledge and experience to circumvent key
controls. Importantly, while questionable data
and results were being generated, there was no
coordinated review and the fraud continued
undetected for a lengthy period.
If you are a manager intent on having good
controls or an auditor looking to assess the
controls management has in place in order to
perform risk assessments to develop tailored
THE INSTITUTE'S VIEW
The digital world we live in, characterised by
24/7/365 globalised operations, means
information is now being provided in real
time to a wide range of users. This raises
questions about what assurance could, and
should, be provided over this data stream
to improve its reliability. In conjunction with
leading academics the Institute has
published a thought leadership paper
entitled Continuous Assurance for the Now
Economy (PDF) which looks at the topic of
continuous assurance as an emerging
methodology which needs to be explored. It
focuses on a better match of internal and
external auditing practices with IT systems
that provide stakeholders with more timely
and accurate results.
The leadership paper analyses the trends
in the now economy and recommends six
steps for implementation:
> Establish priority areas
> Identify monitoring and continuous audit
> Determine the process’s frequency
> Configure continuous audit parameters
> Follow up
> Communicate results.
The paper can be downloaded from the
institute website charteredaccountants.