Should an independent audit hunt for fraud?

Hockey93 writes:
I just read this short article and found it pretty interesting, yet alarming. The article sums up PWC’s 2011 Global Economic Crime Survey. The survey results show that cyber crime and fraud increased the most from the previous year. 45% of organizations said they had suffered from fraud in the past year and 40% had suffered from cyber crime. Just as an interesting side note, the article also states that the typical fraudster is a woman age 31-40 with a college degree, and in the U.S. 40% of internal cyber crime perpetrators were women compared to 19% globally.

My first reaction is that maybe forensic auditors/accountants/IT security experts should become a regular part of an engagement team due to the massive amount of fraud and cyber crime being committed. Although this would increase the cost of an engagement, the increase in cost would most likely be less than the cost of recouping from fraud or cyber crime. According to the article the cost of frauds over $100,000 has increased from 44% to 54% over two years and 10% of respondents reported frauds costing five million or more. 

The internal controls a company has in place to detect and prevent fraud are mainly designed in regards to internally generated fraud. What about externally generated fraud? I think audits should test the controls that a company puts in place to detect and prevent external fraud. If a company has no controls in place, the auditors should help develop a set of controls. This would all be done by the forensic auditors/accountants and is why they need to become a regular part of an engagement team. Although costly, I feel the benefit of adding a forensic component to an engagement team outweighs the cost, especially with the direction the fraud trend is heading.

I also think more rigorous testing should be done in the area of IT internal controls. For the most part internal controls are in place to keep company insiders from doing what they aren’t supposed to. Due to the increase in cyber crime, I think that IT audits should begin placing an emphasis on the controls in place to detect and prevent the clients from suffering from externally generated cyber crimes. I think this should become a major part of an IT audit, rather than just focusing on keeping company insiders from accessing places they aren’t supposed to.

What do you think? 


About Mark P. Holtzman

Chair of Accounting Department at Seton Hall University. PhD from The University of Texas at Austin. Worked at Deloitte's New York Office. BSBA from Hofstra University.


  1. I honestly don't know enough about fraud examination to really understand how intensive it would need to be in addition to an audit and the costs associated. If it is only slightly more, maybe CPA firms can start to offer this as a part of their audit package. If it is too costly though, it would be a hard sell at this point. If the problems with fraud keep increasing, it will eventually have to become a requirement to have an actual fraud examination. I also agree that a heavier emphasis needs to be placed on IT controls. I am currently trying to be placed on some IT audit work since I have a background in IT so I can get a better understanding of the process, but so far the IT walkthroughs that I have done haven't really provided much assurance from my view.

  2. After reading the article and noticing how prevalent fraud is and is still becoming, it is important that companies become proactive so that they are not subject to these cyber crimes. What companies have to discuss is will the cost of having a fraud preventing system implemented outweigh the benefits or vice versa. These cyber crime prevention systems are usually very costly but for all companies it is extremely important because the cost of someone obtaining private company information would greatly outweigh the cost of increasing IT security.

  3. While I think that it would be great to have forensic accountants on an audit engagement team, I feel that this would be extremely expensive for companies and they would not be willing to pay auditors to integrate this aspect into their audit. However, I do feel that more needs to be done with the testing of IT controls given the rise in cyber crimes. According to the article there is low risk and high rewards associated with cyber crimes, therefore companies need to be more aware of the possibility of external fraud. I agree that IT audits should place a greater emphasis on external hackers trying to take advantage of vulnerable companies.

  4. I believe that if the level of risk of fraud is high for certain aspects of an audit, then the engagement team should request the expertise of a forensic accountant. For if they decide on having a forensic accountant throughout the audit process every engagement will blow their budget by just paying for their services since forensic accountants are probably the highest paid. I believe for the "Big-4s" their risk assurance team performs extensive substantive analytical procedures that will detect areas with high risk of fraud. While cyber crime seems to be the new area of vulnerability, the attention given to newly released guidelines for detecting and preventing cyber fraud tends to somewhat deter this type of fraud for their clients.
