A Primer for Brainstorming Fraud Risks

There are good and bad ways to conduct brainstorming sessions.

AUDITORS MUST INCORPORATE BRAINSTORMING sessions to identify fraud risks in the planning stages of their audits, as mandated by SAS no. 99, and use them periodically throughout the process.

INNOVATIVE THOUGHTS ARE CRITICAL to the generation of high-quality ideas. Consequently, leaders should tell team members to assume there are no constraints to addressing the issue. Participants will generate more nontraditional ideas if they are freed of the mental baggage that comes with real-world constraints (for example, time pressures or other assignments).

IN ADVANCE OF A GROUP’S MEETING, team members can be assigned homework that starts their creative juices flowing. The session will proceed more smoothly and be more productive if everyone already has given thought to possible fraud risks.

LEADERS SHOULD ENCOURAGE team members to share all ideas no matter how unusual they seem. Participants must feel free to speak openly without fearing a loss of standing or credibility. Thus, setting a “zero tolerance” for criticism is essential.

AGREEING ON KEY CONCLUSIONS ABOUT fraud risks will increase the likelihood of successful application of the group’s ideas. Leaders should encourage participants to constructively discuss and evaluate all of the shared ideas to arrive at a consensus.

LEADERS SHOULD USE RECOMMENDED brainstorming basics and techniques to get the best results, especially when guiding engagement team members who are new to such sessions. All are geared to encourage participants to generate as many ideas as possible.

MARK S. BEASLEY, CPA, PhD, is associate professor of accounting at North Carolina State University, Raleigh. He is a member of the AICPA antifraud committee and education subcommittee, as well as the Association of Certified Fraud Examiners. His articles are widely published in accounting literature. His e-mail address is mark_beasley@ncsu.edu . J. GREGORY JENKINS, CPA, PhD, is assistant professor of accounting at North Carolina State University, Raleigh. His articles on accounting subjects are published in various academic and professional journals. His e-mail address is greg_jenkins@ncsu.edu .

uditors are required by SAS no. 99, Consideration of Fraud in a Financial Statement Audit, to conduct a “brainstorming” session in every audit. Its purpose is twofold: to consider fraud risks that may be present and to emphasize the importance of professional skepticism throughout the entire audit process. Key members of the audit team—from the lead partner or manager in charge of the engagement all the way down to new staff—meet during the planning stages and during the course of the audit to exchange ideas about how and where they believe the entity’s financial statements may be susceptible to material misstatements due to fraud and to discuss how management could perpetrate and conceal fraudulent financial reporting or misappropriate assets. This article will discuss how audit team leaders can avoid the pitfalls inherent in brainstorming sessions and employ the best practices for maximizing the benefits.

When carefully planned and managed, brainstorming can lead to many high-quality ideas about possible fraud risks audit team members wouldn’t likely generate individually. A brainstorming session that ignores best practices, however, might quickly give way to inefficiencies and distractions that ultimately could muddy the audit team’s ability to focus on relevant fraud risks. That kind of deterioration can hinder key audit decisions, leading the team down dangerous paths—for example, to incorrect conclusions concerning which fraud risks are present, confusion on how to respond to a disjointed list of identified risk issues or lack of “buy-in” to the brainstorming process.

WResearch has shown that auditors are much more likely to correctly identify fraud risk conditions if the audit team engages in open-ended, nontraditional considerations of them. Responses from numerous stakeholders, such as forensic accountants, internal auditors, external auditors and other fraud experts, have reaffirmed the benefits of auditors engaging in such discussions.

The difficulty auditors face in assessing fraud risks partially stems from the fact that most of them have never encountered a material fraud during their careers; thus, they may be less effective when assessing fraud risks on their own, which makes group exploration all the more valuable in identifying them. A barrier to disseminating critical information can be the engagement partner’s or manager’s failure to share information about a client’s honesty and integrity with the engagement team. So, in part, brainstorming sessions prompt the more experienced auditors to share their insights with less experienced team members and, in turn, encourage those who are less experienced but have recent first-hand knowledge of client processes to provide their insights to the senior members.

Even though brand-new team members may not have information specific to the client to contribute, these sessions provide an excellent opportunity for them to become familiar with pertinent information that could affect their professional skepticism during their first year on the engagement. And, new team members bring a fresh perspective to the process by sharing insights from other client experiences. In any case, the brainstorming requirement mandates that all key audit team members must engage in dialogue. (See “ Auditors’ Responsibility for Fraud Detection, JofA , Jan.03, page 28, for a discussion of the brainstorming requirement of SAS no. 99.)

Four common pitfalls can hinder an audit team’s brainstorming effectiveness: group domination, “social loafing,” “groupthink” and “groupshift.”

Group domination is one of the most corrosive problems. Because the goal of a brainstorming session is to have audit team members share thoughts and ideas, one or two participants dominating the process can quickly squelch the creative energies of the group as a whole, reducing the likelihood the team will identify any actual fraud risks.

Audit teams are especially susceptible to this pitfall because of their traditional hierarchical structure. Senior team members may intimidate less experienced staff who look to them to lead the discussion. Other team members may defer to those assigned to lead the audit planning, believing they have had an opportunity to think in more detail about potential fraud risks. Furthermore, as in any group setting, there may be one or two vocal individuals with great confidence in their own ability and a determination to present their views. If any of these conditions are present, the intended benefits of fraud risk brainstorming—an exchange of ideas among the entire team—may never materialize.

Cyber Aids
To learn more about effective brainstorming and electronic brainstorming software, see these resources available on the Internet:

“Brainstorming Prior to the Audit,” http://antifraud.aicpa.org/Resources/Auditors/

“Brainstorming—Generating Many Radical Ideas,” www.mindtools.com/brainstm.html .

“Electronic Brainstorming and Collaboration,” www.wirthlin.com/approach/electronic.phtml .

GroupSystems.com, www.groupsystems.com/products.htm .

“Preparing for a Successful Brainstorming Session,” www.brainstorming.co.uk/tutorials/ .

“Process Guide #1: Brainstorming,” http://projects.edtech.sandi.net/ .

“The Step by Step Guide to Brainstorming,” www.jpb.com/creative/brainstorming.php .

Social loafing, also called free-riding, is another potential pitfall of brainstorming activities. It occurs when participants disengage from the process, expecting that other team members will pick up the slack. Given their size and geographic dispersion, large audit teams may be particularly susceptible. Other reasons for such “loafing” may include the “why bother” feelings that stem from group domination, the absence of compelling incentives to actively participate in the discussion and an individual’s failure to make a sufficient personal investment in the group’s task. It may be that members of the engagement team are juggling numerous client engagements or some team members may be working on a specific aspect of the engagement, such as IT or tax specialty work and thus may “check out” when the discussion does not directly address their specific aspect of the engagement.

Fear of losing credibility also may prevent individuals from participating. If individuals feel they need to protect their standing, they will be less likely to voice an unpopular idea or opinion. This may be a problem for less experienced audit staff members or others recently assigned to the client engagement. They may feel unqualified to speak openly about engagement-specific risks or be reluctant to do so in front of more experienced engagement team members, who eventually will play a role in their performance evaluations. Such self-censuring behavior can hinder a group’s ability to handle the complex nature of the fraud-risk-assessment process—the very type of problem for which “outside the box” thinking is critical.

Groupthink is another pitfall to avoid. This phenomenon occurs when team members become so concerned with reaching consensus that they fail to realistically evaluate all ideas or suggestions. Audit teams can be particularly susceptible to this as auditors generally are very sensitive to time/budget pressures. Thus, they quickly may align with the group’s view of fraud risks in an effort to complete the task efficiently. Also, because the brainstorming requirement is new, there may be a lack of “buy in” that prompts team members to embrace the group’s views quickly in order to move to other tasks perceived as being more critical.

Groupshift is the fourth pitfall. While a purpose of brainstorming sessions is to help the audit team collectively arrive at conclusions about fraud risks, team leaders must exercise caution to avoid allowing the team to take an extreme position on fraud risk. For example, a group whose members generally are conservative might shift toward a more conservative position while a group of risk-takers might lean toward even riskier positions. With the recent emphasis on fraud detection, there is some cause for concern audit teams will assume the risks are high in all engagements.

There are costs of such overreacting. For example, if there is an overrated risk of fraudulent activity within inventory, an auditor may expand audit procedures related to inventory observation, inventory pricing, and cutoff, leading to excessive and unnecessary audit work. Worse yet, an auditor may rush to judgment and accuse client personnel of wrongdoing without the proper basis for doing so. Given groupshift’s potential impact on audit effectiveness and efficiency, all audit teams should be concerned about it.

Brainstorming team leaders can avoid the pitfalls described above by following these guidelines.

Assign homework. The discussion leader should inform participants well in advance of a scheduled meeting that they will discuss fraud risks so each team member can focus on coming up with ideas about how and where the entity is susceptible. Distributing the meeting’s agenda (see the example) will also provide greater context for participants to think about possible fraud risks and will further inform them about what to expect during the brainstorming session. Circulating meeting agendas in advance can be particularly helpful in larger audit engagements with several team members. In contrast, a small firm with only four audit personnel might not need to circulate an agenda before a brainstorming session because it has agreed upon a common agenda to be used across all engagements.

The leader should encourage team members to use the experiences and knowledge obtained during previous audits and recent interactions with the client. Also, he or she should stress that the assignment should not be overly time-consuming; members can be formulating ideas as they perform their day-to-day tasks. Leaders should ask individuals to come to the meeting with a list of their ideas. If leaders believe it would help members who are shy about speaking at meetings, the lists prepared in advance can be discussed or distributed without identifying the preparer.

Fraud Risk Brainstorming Meeting Sample Agenda

Both large and small firms use various forms of fraud checklists and other assessment tools for accumulating and assessing fraud risk indicators. Some firms complete those checklists as part of the client acceptance or continuance procedures or just prior to the brainstorming session. Thus, part of the assigned homework may include completion of the checklists or other tools in advance of the meeting. Checklist topics may provide a useful framework for beginning the brainstorming discussion. And, the brainstorming discussion may lead to other useful insights that help update initial checklist responses.

Establish ground rules. The leader should establish a strong foundation for brainstorming sessions by communicating fundamental ground rules before a session begins: Do not criticize others’ ideas, let each person speak, and try to build on others’ ideas. Audit team members should know what to expect of themselves and others. It is particularly important that all participants feel their input is valued and their voice will be heard. The leader also should make certain that participants understand how the session will proceed and how ideas generated during the meeting will impact the audit.

Some firms schedule stand-alone meetings to conduct the brainstorming sessions. This is most common for large or complex engagements. Other firms allow the brainstorming discussions to be part of a larger initial planning meeting, particularly when the audit engagement is relatively straightforward. When the sessions are part of a larger meeting, the engagement leader should ensure that sufficient time is allocated to this component of the meeting agenda.

Set the tone. At the beginning of a meeting, the leader should genuinely encourage all audit team members, including less experienced staff, to express any idea no matter how unusual it may seem. Because not everyone enters the brainstorming activity with a similar level of knowledge or experience with the client or willingness to share ideas about fraud risk in an open-ended fashion, it is important to establish a comfortable environment. There is no substitute for having the engagement leader stress to the audit team the importance of the brainstorming session, emphasizing that every idea is valued and everyone has something to contribute to the discussion. Demonstrated genuine involvement by the engagement leader will go a long way towards setting the stage for all team members to engage in the activity.

Take a “zero tolerance” stance on criticism. The leader must make it clear that no criticism about any issue presented will be allowed while the group is generating ideas about fraud risks. Imagine the reaction of a new staff person whose manager laughs or rolls her eyes at that individual’s suggestion. Any perception of criticism can quickly shut down a team member’s willingness to participate. Criticism also may negatively affect the efficiency of the brainstorming activity by diverting attention from the risk assessment process to other subjects. With a “zero tolerance for criticism” expectation, the team is less likely to fall prey to the pitfalls noted. Open-mindedness, not conformity, should be the meeting’s goal.

Encourage more not less. Participants should make every effort to generate as many ideas as possible about how and where the entity may be susceptible to fraud and how management might conceal its actions. The greater the number of ideas about potential fraud risks, the more likely the group will accurately identify and assess relevant fraud risks and develop appropriate audit responses to them. If idea generation about fraud risks within a particular business process (for example, inventory management) or account (investments) begins to wane, the leader should shift the discussion to another business process (purchasing) or account (receivables) or rephrase the current question to get the group thinking differently. So, if the group is discussing how receiving personnel might steal inventory and the brainstorming process begins to slow, the session leader might ask participants to think about how purchasing personnel could misappropriate inventory (for example, redirecting inventory orders to unauthorized locations). Reframing issues from different perspectives can be a valuable technique for increasing the number of ideas generated about a particular fraud risk.

Credit the group, not individuals. It is important for the leader to assign credit for ideas generated to the group as a whole rather than to a contributing member. Recognizing group ownership of ideas is more likely to increase the team’s interest and its commitment to its goals than when individuals are rewarded personally.

Manage group size and composition. When determining which members to include in individual brainstorming sessions, team leaders must not only include the ones who will be key to the discussion at hand, but also understand how group size might affect the outcomes. Thus, the number of people participating in sessions may vary across an engagement.

The size of the group affects the structure of the session: Smaller groups (seven or fewer individuals) tend to complete tasks more quickly and reduce the potential for group domination or social loafing; larger groups (twelve or more individuals), on the other hand, are better problem solvers and idea generators because there are more individuals thinking about fraud risks. However, large groups tend to deter certain individuals from participating. Therefore, for some very large engagements, the leader may find it advisable to divide the engagement team into subgroups, perhaps along the client’s business segments, for detailed brainstorming about fraud risks in those segments. Later, representatives from each subgroup can convene to discuss the risks identified at the segment level and to brainstorm about consolidated risks.

For example, when engagement personnel are located in multiple offices, one national firm conducts an initial brainstorming conference call with engagement leaders in various locations working on the client engagement. Subsequent to that conference call, each local engagement leader then conducts brainstorming sessions with his or her engagement personnel. Fraud risk issues identified in local office sessions are discussed in a follow-up conference call involving key engagement leaders from all offices serving the client.

There are a number of well-defined brainstorming techniques. Here are three that team leaders might find appropriate for auditors.

Open brainstorming is an unstructured technique auditors can use in which discussions follow very few rules and procedures. In this type of brainstorming, individuals share ideas as they come to mind in a kind of free-for-all. Although this approach often is used, it is erroneous to assume that merely forming a group to share ideas is all one needs to generate a large number of high-quality ideas about fraud risks. In fact, if the brainstorming basics discussed above are ignored, open brainstorming’s unstructured environment can result in a degenerating process in which only one or a few individuals participate.

If audit teams decide to use this approach, it is best to have someone not participating in the brainstorming session record ideas. This might be a new staff person on the engagement who has little knowledge about the client’s business and environment and who will benefit by better understanding.

Round-robin brainstorming is a structured technique characterized by a session that begins with a period of no talking during which team members engage in silent “self-brainstorming,” or “brainwriting,” to form their ideas. The team, informed of the issues, assigned homework well in advance of the meeting and knowing they have to make a list of their ideas in priority order, will be more responsive to sharing with the group. After the brainwriting phase, each individual presents his or her ideas. One way to do this is to have members post their lists on a wall or bulletin board for all to see. This can be particularly useful if people are reluctant to speak up. And, it is efficient since all participants share in the process.

Round-robin brainstorming eliminates the problem of group domination because each team member has a turn, participation is equal and otherwise quiet individuals have a chance to speak. Of course, the structure this method imposes has a downside—a possible loss in creativity and spontaneity. Generally, round-robin brainstorming results in fewer ideas, and group members may feel less connected to the group’s mission if there is little time for “freewheeling.” Consequently, a leader can increase idea generation and encourage a higher level of interaction if members are allowed to express additional ideas after the last individual has been heard.

Electronic brainstorming is an increasingly popular technique that combines open brainstorming with software technology. Team members are told well before they gather, either in one room or from remote locations via an electronic link, to think about potential fraud risks. Electronic brainstorming begins when a participant or session leader presents an idea about a potential fraud risk to the group. In contrast to round-robin brainstorming, team members can share ideas as they come to mind. There is no need to wait for a turn to “speak” because the technology eliminates the problem of “talking over one another.” Specifically, participants silently share ideas by typing them into a computer, which quickly displays them on everyone’s monitor or a projection screen. Some technologies also provide participants with periodic feedback about the number and types of ideas to help reduce the likelihood of social loafing due to the anonymous and silent nature of this technique. Idea generation continues until the group has exhausted all of its ideas. Then the brainstorming software assists the team with the discussion and consolidation of its ideas.

Electronic brainstorming generally shortens meeting times, increases idea generation and reduces the possibility of personalizing ideas because an idea’s author remains anonymous. Group size ceases to be a limiting factor as well. Current technology eliminates many coordination and communication problems, allowing reasonably large groups to have virtual meetings in which participants may or may not be in the same location as long as there is access to the appropriate software. So, this technique may be a tool for large, multinational client engagements where audit team members are globally dispersed.

Of course, there are disadvantages to electronic brainstorming. One of the most obvious is the loss of social interaction; while face-to-face teams are often less efficient, the nonverbal cues present in such settings help build trust and collegiality among team members. Because electronic brainstorming allows for idea generation and sharing in an anonymous setting, individuals may not receive the credit they feel they are due. Consequently, some group members will feel that there is no incentive to participate and will coast on the ideas of others.


Antifraud and Corporate Responsibility Resource Center, http://antifraud.aicpa.org/ .

Practice Aid: Fraud Detection in a GAAS Audit—SAS No. 99 Implementation Guide by Michael J. Ramos, AICPA, 2002 (# 006613JA).

Audit Risk Alerts: Most provide guidance about fraud-related risk in specific industries.

Audit and Accounting Guides: Most provide industry-specific guidance on SAS no. 99 compliance.

CPE: Fraud and the Financial Statement: Auditor Responsibilities Under the New SAS (available in text, video or DVD).

For information about these products or to place an order, go to www.cpa2biz.com or call 1-888-777-7077.

Ultimately, the information gathered during the brainstorming session should be combined with that obtained through other planning activities to identify the risks of material misstatements due to fraud. Thus, before leaving the brainstorming session, team members need to clarify, refine and achieve consensus on conclusions about initial fraud risk ideas.

Some firms have the team classify fraud risks in one of two categories: risks affecting the overall engagement and risks affecting a specific account or class of transactions. Other methods of summarizing fraud risks involve classifying them along the three conditions of the fraud triangle of incentive/pressure , opportunity , and rationalization/attitude . By grouping ideas related to these three concepts, the team will be focusing on conditions that ultimately may indicate high fraud risk. That is, the team may be more likely to identify areas in which incentives are excessive and opportunities exist for individuals whose attitudes enable them to rationalize fraud.

The engagement leader should assign someone responsibility for documenting the results of this discussion and any necessary follow-up procedures. For example, if the audit team believes there is an increased risk of fraud related to the client’s revenue recognition, it will document that additional targeted procedures will be performed, which might include specific analytical procedures for revenue accounts by product line, inquiries of sales and operations personnel about side agreements, or specific revenue cut-off procedures at year-end.

The risks identified and the related responses must be documented in the audit files along with information about how and when the brainstorming discussion occurred, the audit team members who participated and the subject matter discussed. The sample meeting agenda on page 36 provides a nice starting point for documenting this information in the audit files. An audit file memo or spreadsheet-based summary from the brainstorming meeting that categorizes information along the three components of the fraud triangle can be updated and modified as further fraud risk information is gathered through other SAS no. 99 information-gathering activities (for example, inquiries of management, consideration of fraud risk factors and performance of analytical procedures). A spreadsheet that contains columns of auditor responses alongside the columns for each of the fraud conditions identified can easily organize the key conclusions drawn from the brainstorming session.

Keep in mind that many auditors have never encountered a fraud in their clients’ businesses and may need encouragement to explore the subject.

As with any group dynamic, there will be people who want to take over and others who will let them do it. The team leader has to strike a balance between them.

The leader should be prepared to try different techniques to elicit ideas from a group.

Leaders should set clear ground rules and the tone for the group. Participants are more likely to generate high-quality ideas if they know what is expected of them and understand the rules of the activity.

A word of caution is appropriate. While certain aspects of the team’s planned audit responses will be evident to management, the session leader should emphasize to team members that there is a need to avoid disclosing information about such responses to preserve the confidentiality of the auditor’s procedures. For example, a surprise inventory count would lose much of its value if management were to know in advance of its timing and location.

Audit teams should also make certain their consideration of fraud uses a closed loop. One firm that we spoke with completes the loop this way: A brainstorming session is held during planning to identify fraud risks and develop procedures to address them. Then, during the wrap-up phase of the audit, a fraud checklist is completed to ensure no risks were overlooked and that appropriate procedures were performed. Of course, the loop is not complete unless everyone on the audit team is aware of the brainstorming session and its outcome. So, be sure to provide the results of the session to any team members who do not attend the session. Written memos can be circulated among team members or links to electronic audit files can provide easy sharing of key fraud risk information among engagement team personnel.

Auditors no longer have a choice of whether to brainstorm about the possibility of fraud; SAS no. 99 requires them to do it. Brainstorming sessions can generate ideas about how and where fraud can occur, but they must be carefully planned and managed to ensure their effectiveness. Several easy-to-use brainstorming basics and implementation techniques can go a long way to avoid potential pitfalls. Regardless of the approach taken, it is vitally important that the audit team engage in an open and free exchange of ideas about where fraud may be present and how the audit team can respond .


Click-through nexus: Pushing the boundaries of sales tax compliance

Sales and use tax compliance has been complicated by nexus expansion. In this report, we provide an overview of this issue and include a handy state-by-state summary of click-through nexus or notification requirements.


News quiz: Making allowances for the kids and the economy

Recent news gives CPAs insight into Americans’ attitudes about children and money and gauges outlook on the economy. See how much you know about recent news and reports with this quiz.


Auditing risks in culture

Cultural flaws can seriously damage an organization. Here’s how internal auditors can reduce risks by embedding culture audits into existing audit programs.