Fraud in the audit department: a CAE looks to restore his team's credibility after a member of the staff is caught embezzling company funds

Internal Auditor, April, 2007 by Eelco R. Van Wijk, Timothy R. Holmes

BILL IS THE CHIEF AUDIT EXECUTIVE (CAE) for Namnetics, a publicly traded medical supply company in central California with annual revenues approaching US $1.5 billion. The company has manufacturing and distribution facilities in five U.S. states and in Mexico. Namnetics' audit department consists of Bill, two managers, and eight staff auditors.

One of Bill's worst nightmares has just come true: A member of his audit team has just been arrested for fraud and embezzlement. The suspect, Cheryl, is internal auditing's most senior manager and has been with the department for nine years. Before moving to auditing, she was a supervisor in accounts payable (AP).

During her tenure as AP supervisor, Cheryl used her system access to set up recurring vouchers that automatically paid several nonexistent vendors. The payments repeated every month, with amounts ranging between US $500 and $700. In total, the vendor payments came to around US $45,000 per year. Further investigation showed that Cheryl had set up the fictitious vendors several years before the payments began, when she worked in the AP department's vendor maintenance area. Moreover, the scam had been in place for 11 years. Her misdeeds came to light when someone at the company set up a new vendor with the same name as one of the fictitious vendors, and an alert clerk tagged the vendor for further review.

Bill has just been reprimanded by the chief financial officer (CFO), not only for employing Cheryl, but also for neglecting to detect the scam during the audit department's AP reviews. Cheryl was one of the cornerstones of the audit department--she maintained several audit certifications and had been under consideration for promotion. The CFO is concerned that this long-term breach will discredit the entire audit department and possibly affect Namnetics' external audit signoff on U.S. Sarbanes-Oxley Act of 2002 Section 404 work.

Bill wonders what he can do to restore the department's reputation. Is there anything he could have done that would have exposed Cheryl earlier? Does the blame for this incident reside solely with his department?

MICHAEL DWORNICKI

Director of Internal Audit infoUSA Inc.

The CFO's worries about external audit Section 404 signoff are well-founded. Obviously, this scam created a serious credibility problem for the CAE and his department. Fraud within an audit department is exceptionally disturbing and embarrassing, and restoring the reputation of the department will take an incredible amount of management skill and fortitude. Unfortunately, all of Cheryl's work is suspect and may have to be re-performed. Hopefully, Bill and the CFO can show there is ample reason to believe that all other work within the department can be trusted.

Bill can salvage internal auditing's reputation by demonstrating that the work it has performed is of sufficient quality. For example, Bill could arrange for peer reviews and recheck each department member's background. He may also want to investigate whether there were any clues in Cheryl's prior behavior to indicate that something was amiss. Did she appear to live beyond her means? Did she show any signs of having financial problems? Do any of Bill's other employees display such behaviors?

The CFO's concern about internal auditing's failure to discover the scam is more problematic, and several questions pertaining to the AP audits must be answered. The duration of the scam raises serious concerns within both internal auditing and the AP department. If adequate controls over recurring voucher authorizations existed, the scam should have come to light during previous AP audits. Therefore, Bill needs to know Cheryl's level of involvement in those previous engagements. Clearly, she would have had a strong motivation to avoid bringing to light any weaknesses in the AP department.

The primary control over authorization of recurring vouchers rests in the AP department. Fortunately, an employee became alert to the scam due to a duplicate vendor name. But in the future, at least one other control process can be used to help root out fraudulent vendors--the purchasing department should be required to review vendor performance annually. If certain vendors are not supplying any goods or services, this may be an indicator of fraud. AP and purchasing can also periodically match vendor tax numbers with employee numbers and look for additional duplicate vendors and invoices.

BRIAN PRESTON, CPA

Internal Audit Manager

Seaboard Corp.

Bill should conduct extensive internal quality assessments of the audits performed by Cheryl--particularly those that involved reviews of the AP process. In addition, he should interview the other auditors who participated in AP engagements to evaluate the specific procedures performed and determine whether anyone else may have been involved in the fraud.

In terms of corrective action, Bill should incorporate fraud-specific procedures into the standard audit program. Fraud risk factors should be considered during the risk assessment phase of each project to ensure adequate testing coverage of fraud-prone areas. He should also distribute a list of fraud red flags to the audit staff, as well as a fraud questionnaire, for use on each engagement.