Tuesday, November 17, 2009

A Proactive Response to Fraud Risk and Fraud Detection - The Fraud Penetration Study

One of the few truly proactive approaches to fraud prevention and detection, a Fraud Penetration Study is the application of specific audit procedures to increase the likelihood of detecting fraud in a core business system. Unlike the traditional audit approach, the Fraud Penetration Study does not focus on controls or control effectiveness, but rather on the authenticity of the transaction.

There are six steps to the Fraud Penetration Study: Risk Identification, Scenario Development, Concealment Analysis, Scoping, Data Mining, and Fraud Analysis.
  • Fraud risk identification starts with understanding the types of fraud risk. The starting point is accepting the concept of inherent fraud schemes. Once this concept is accepted, the auditor must understand how the scheme would occur in the specific business system; this is often referred to as a fraud scenario.

  • The fraud scenario is built from understanding the variations of the scheme based on the opportunities for fraud, entities involved, internal controls in place, and business processes currently performed. In essence, the fraud scenario is how the inherent fraud scheme would occur in a company’s business process.

  • After the fraud scenario is developed, the auditor must identify and understand the common concealment strategies used to hide the fraud in this scenario. Common fraud concealment strategies are false documents, false representations and false approvals. The auditor should identify the red flags associated with the concealment strategies.

  • The structure of the fraud scenario defines the audit scope for the audit plan. The audit plan may have several fraud scenarios, but each fraud scenario needs its own data mining plan and its own fraud audit procedures. Also, the audit plan provides the auditor with the necessary information to find and reveal the fraud scenario.

  • Using a data mining tool like ACL(1) or IDEA(1), a sample of vendors would be selected consistent with the fraud data profile for the identified fraud scenario. Building the fraud data profile is the most important step in the fraud audit process. The goal is to select a biased and discrete number of transactions that are more likely to be fraudulent, on which fraud audit procedures can be performed.

  • The purpose of the fraud audit procedure is to gather evidence that is created and stored external to the perpetrator to form the basis of the Fraud Analysis. The procedure should be designed to pierce the concealment strategy. In the false billing scheme, the weakness of the concealment strategy is that the vendor does not exist. If the auditor develops an audit procedure to show that the entity does not exist, the concealment strategy will be unveiled, and the fraud exposed.
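
The data mining step above, sketched as an added example (not from the original post, and not ACL or IDEA script): it scores vendors against a fraud data profile for the false billing scenario and selects the biased sample. The red flags, field names, approval limit and records are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample data; field names and values are hypothetical.
VENDORS = [
    {"id": "V001", "name": "Acme Supply", "tax_id": "12-3456789", "phone": "555-0100", "address": "40 Mill Rd"},
    {"id": "V002", "name": "JT Consulting", "tax_id": "", "phone": "", "address": "PO Box 118"},
    {"id": "V003", "name": "Delta Print", "tax_id": "98-7654321", "phone": "555-0177", "address": "9 Elm St"},
]
EMPLOYEE_ADDRESSES = {"9 elm st"}  # constructed: normalized employee home addresses
INVOICES = [  # constructed: (vendor id, invoice number, amount)
    ("V001", 8841, 1250.00), ("V001", 9310, 7420.50), ("V003", 5520, 310.00),
    ("V002", 101, 4950.00), ("V002", 102, 4900.00), ("V002", 103, 4975.00),
]
APPROVAL_LIMIT = 5000.00  # assumed amount above which a second approval is required


def red_flags(vendor, invoices):
    """Return the profile red flags (assumed set) that a vendor matches."""
    flags = []
    if not vendor["tax_id"]:
        flags.append("no tax id")
    if not vendor["phone"]:
        flags.append("no phone")
    if vendor["address"].lower().startswith("po box"):
        flags.append("po box only")
    if vendor["address"].lower() in EMPLOYEE_ADDRESSES:
        flags.append("address matches employee")
    numbers = sorted(n for n, _ in invoices)
    if len(numbers) >= 3 and all(b - a == 1 for a, b in zip(numbers, numbers[1:])):
        flags.append("sequential invoice numbers")
    near = [a for _, a in invoices if 0.95 * APPROVAL_LIMIT <= a < APPROVAL_LIMIT]
    if invoices and len(near) / len(invoices) >= 0.5:
        flags.append("amounts just under approval limit")
    return flags


def select_sample(vendors, invoices, min_flags=2):
    """Select the biased sample: vendors matching at least min_flags red flags, most flags first."""
    by_vendor = defaultdict(list)
    for vid, number, amount in invoices:
        by_vendor[vid].append((number, amount))
    scored = [(v["id"], red_flags(v, by_vendor[v["id"]])) for v in vendors]
    hits = [(vid, flags) for vid, flags in scored if len(flags) >= min_flags]
    return sorted(hits, key=lambda h: len(h[1]), reverse=True)


if __name__ == "__main__":
    for vid, flags in select_sample(VENDORS, INVOICES):
        print(vid, flags)
```

The vendors returned are only candidates: they are the sample on which the fraud audit procedure is then performed to establish whether the entity exists.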

Using this methodology, you will find out if there is fraud in your business and, if done well, you will find it within the first 3 days of analysis.


1 ACL is a registered trademark of ACL Corporation and IDEA is a registered trademark of Caseware IDEA.
