Government Auditor Responsibilities for Detecting Fraud
Know and identify the risk factors (Red Flags or Indicators) of FraudUnder the "Fraud Triangle" theory, fraud is likely to be present when there are "Opportunities" or weaknesses in internal control, "Pressure" or conditions that facilitate fraudulent behavior, and "Rationalization" or excuses used by fraudsters to justify their behavior to themselves and others. By knowing what risk factors and indicators are present in a program or an organization, auditors can properly assess the amount of risk or probability that undesirable behaviors are occurring. These "red flags" do not guarantee that fraud is present, but they do indicate a higher risk that fraud could be present. Conversely, an absence of "red flags" does not ensure that fraud is absent: what could be happening is that fraudsters have successfully obscured or falsified the indicators so that they only appear to be within normal limits on casual inspection. Auditors must go beyond taking documents at "face value" if they suspect that there is pressure/opportunity to commit fraud.
Design audit steps / test internal controls to reasonably assure that fraud is not presentAfter considering the possibilities of management overriding controls and other risks that may indicate fraudulent activity, auditors need to ask direct questions regarding the "tone at the top" and whether employees are aware of any illegal activitities, including whether the employee has committed fraud. The questions should be asked in a non-adversarial manner; however, auditors must also be prepared to preserve evidence and document any affirmative responses when asking the question, "Have you committed fraud against this organization?" Sometimes detecting fraud can be effectively accomplished by asking a direct question and waiting silently for an explanation.
In any interview where fraud is indicated, auditors should coordinate with legal/investigative agents to properly give suspects their rights, document evidence and obtain sworn statements/testimony when appropriate. There are no perfect internal controls, so every IC system should be separately tested to ensure they work