Surprisingly, however, less than half of respondents (42%) conduct surprise audits. So, numerous organizations have an opportunity to add this highly effective tool to their antifraud arsenal.
Cost of financial misstatement
Financial statement fraud happens when “an employee intentionally causes a misstatement or omission of material information in the organization’s financial reports.” Examples include a salesperson who prematurely reports sales to boost commissions or a controller who books fictitious revenue to hide theft — or lackluster financial performance.
These types of schemes can be costly. The ACFE’s survey found that the median loss from misstated financial results is roughly $593,000.
Element of surprise
Routine financial statement audits don’t provide an absolute guarantee against financial misstatement and other fraud schemes. In fact, external audits were the primary detection method in just 4% of the cases reported in the ACFE study. Although a financial statement audit serves a vital role in corporate governance, the ACFE advises that it shouldn’t be relied upon as an organization’s primary antifraud mechanism.
By comparison, a surprise audit more closely examines the company’s internal controls that are intended to prevent and detect fraud. Here, auditors aim to identify any weaknesses that could make assets vulnerable and to determine whether anyone has already exploited those weaknesses to misappropriate assets. Auditors show up unexpectedly — usually when the owners suspect foul play, or randomly as part of the company’s antifraud policies — to review cash accounts, bank statements, expense reports, payroll, purchasing, sales and other areas for suspicious activity.
The element of surprise is critical. Announcing an upcoming audit gives wrongdoers time to cover their tracks by shredding (or creating false) documents, altering records or financial statements, or hiding evidence.
Perpetrators are likely to have paid close attention to how previous financial statement audits were performed — including the order in which the auditor proceeded. But, in a surprise audit, the auditor might follow a different process or schedule. For example, instead of beginning audit procedures with cash, the auditor might first scrutinize receivables or vendor invoices. Surprise audits focus particularly on high-risk areas such as inventory, receivables and sales. In the course of performing them, auditors typically use technology to conduct sampling and data analysis.
Big benefits
In the ACFE survey, the median loss for organizations that conducted surprise audits was $75,000, compared with a median loss of $150,000 for organizations that didn’t conduct them — a 50% difference. This discrepancy is no surprise in light of how much longer fraud schemes went undetected in organizations that failed to conduct surprise audits. The median duration in those organizations was 18 months, compared with only nine months for organizations that performed surprise audits.
Such audits can have a strong deterrent effect as well. While surprise audits, by definition, aren’t announced ahead of time, companies should state in their fraud policies that random tests will be conducted to ensure internal controls aren’t being circumvented. If this isn’t enough to deter would-be thieves or convince current perpetrators to abandon their schemes, simply seeing guilty co-workers get swept up in a surprise audit should do the trick.
Additional investigation
As with financial statement audits, an auditor’s finding of suspicious activity in a surprise audit will likely require additional forensic investigation. Depending on the type of scheme, an auditor might conduct interviews with suspects and possible witnesses, scour financial statements and records, and perform in-depth data analysis to get to the bottom of the matter.