By looking at the fraud triangle, we would expect that the possibility of fraudulent behavior would increase due to the COVID-19 pandemic. We know that management personnel, more so today than prior to the pandemic, likely have more pressure, opportunity, and ability to rationalize fraud, but nonmanagement employees are also experiencing stressors due to the pandemic that may nudge them toward fraud. The opportunities nonmanagement employees have for fraud may be different, but the impacts of any fraud they commit can be just as severe. The importance of an auditor's professional skepticism is heightened in this environment, and that includes having a questioning mind regarding the possibilities of fraud by nonmanagement personnel.
Let's review how COVID-19 has impacted the fraud triangle and how it may cause nonmanagement employees, in particular, to feel less restrained. Recall that the three elements of the fraud triangle are pressure, opportunity, and rationalization.
Pressure. Many times, it is money that causes pressure to commit fraud. In our current environment, money is still the primary source of pressure, but other pressures, never previously acknowledged, may become more intense. These days, many employees' routines likely have been upset. People may be working from home rather than the office, they may be using different technology while working remotely, their hours may have been reduced, layoffs may have affected their household, and so on. These additional pressures may incentivize employees to behave in ways that they would otherwise not.
Opportunity. During difficult financial times, the opportunity to commit fraud may also increase. Companies may be forced to reduce staff, hire less experienced staff, and/or ask staff to perform multiple duties or duties outside their usual roles. Employees experiencing increased pressure may thus find themselves in positions of unexpected, increased opportunity.
Companies dealing with a slowing or depressed economy may also need to cut costs. If cuts are made to internal audit or compliance resources, anti-fraud policies can be weakened and internal controls can become less effective, increasing opportunity.
Rationalization. When people experience increased pressure and opportunity, they are better able to rationalize their fraudulent behavior. As such, there will be those who see the pandemic as an opportunity to commit fraud. Employees may tell themselves that they are doing it for the good of the company, their fellow employees, their family, or themselves. They may also believe they are less likely to get caught if the current disruption has caused management to focus on larger problems and not their areas.
Given this situation, here are a few areas auditors may want to give greater attention to:
Breakdown of internal controls. Internal controls may be weakened when nonmanagement staff who play key roles regarding internal controls experience increased pressure, opportunity, and rationalization for committing intentional acts. Auditors may want to ask a client questions such as: Has the entity lost key employees who are integral to the internal control process due to cost-cutting or turnover? Due to increased remote work, have normal supervision and management review procedures come to a halt or become less of a priority? Are small tasks, such as reconciliations, being properly performed? What about normal segregation of duties? Are employees being asked to perform several jobs that may weaken review procedures?
Increases in smaller schemes. Changes in working environment and conditions can allow for smaller instances of fraud to occur more often or at a more significant level. Auditors will likely need to have increased diligence in areas where the current environment increases the opportunity for the misappropriation of assets, namely cash.
Specific areas of concern may include:
- Vendor and employee management. With remote work comes less face-to-face interaction, allowing potentially fraudulent behavior to go unnoticed. Are new vendors being created and paid? Are employees hiring fictitious employees and directing salary to themselves?
- Cash activities. Cash activities are commonly an attractive area for misappropriation. Cash theft is one of the easiest frauds to conceal and can rise to a material level if not monitored. Has cost-cutting created a scenario where segregation of duties is not being adhered to? Are those receiving cash making deposits? Are those cutting checks reviewing and reconciling their own work?
- Recording of property, plant, and equipment. The purchasing, disposing, and routine depreciation of property, plant, and equipment can also become material issues during a financial or economic crisis. Employees may experience increased desire to improperly capitalize assets or to use unapproved depreciation techniques to keep expenses down and may have an easier time rationalizing this behavior if they feel it will keep their companies afloat.
These are just a few of the areas of potential concern that, under normal circumstances, might receive less scrutiny. Today, however, they may be an attractive vehicle for committing fraud and should not be quickly dismissed.
What is the auditor's responsibility for identifying such instances? We look to AU-C Section 240, Consideration of Fraud in a Financial Statement Audit, which outlines the responsibility for the prevention and detection of fraud. As paragraph .04 of AU-C Section 240 states, "The primary responsibility for the prevention and detection of fraud rests with both those charged with governance of the entity and management." According to paragraph .05, "An auditor conducting an audit in accordance with GAAS is responsible for obtaining reasonable assurance that the financial statements as a whole are free from material misstatement, whether caused by fraud or error. Due to the inherent limitations of an audit, an unavoidable risk exists that some material misstatements of the financial statements may not be detected, even though the audit is properly planned and performed in accordance with GAAS."
Auditors do not provide absolute assurance that fraud is not occurring; however, it is expected that the auditor have a questioning mind, "recognizing the possibility that a material misstatement due to fraud could exist, notwithstanding the auditor's past experience of the honesty and integrity of the entity's management and those charged with governance" (AU-C Section 240, paragraph .12).
Therefore, exercise professional skepticism by asking questions when something seems unusual. Consider adjusting your procedures. When performing design and implementation testing, and during procedures over operating effectiveness of internal controls, test differently than you commonly do. Remember that clients become comfortable with routine requests and procedures. Test at a different time or with slightly different procedures.
In addition, keep an eye on management and how they are monitoring the less common areas where fraud may occur as a result of the current environment. How is management addressing the concerns? Are you gaining comfort that management's actions are lowering the fraud risk to an acceptable level? Consider this when designing your response to potential fraud risks.
— Dave Arman, CPA, CGMA, is a manager, audit quality initiative, and Carl Mayes, CPA, is an associate director, both with the Association of International Certified Professional Accountants. To comment on this article or to suggest an idea for another article, contact Courtney Vien, a JofA senior editor, at Courtney.Vien@aicpa-cima.com.