Three Red Flags of Fraud to Look for During Internal Audits

With most office workers still toiling from the confines of their home offices and kitchen tables, and some unhappy with their current circumstances, many organizations are concerned about the potential for a rapid rise in fraud.

The global economic contraction has hurt employee morale and has heightened employees' vulnerability to overstepping ethical bounds. And with less visibility into what remote workers are doing every day, the crisis has likely also increased the opportunity for employees to commit wrongdoing. Rationalization, pressure, and opportunity, the three factors that drive the likelihood of fraud, are known as the “fraud triangle.” COVID-19 has increased the prevalence of all three elements.


So what is internal audit’s responsibility to be on the lookout for fraud? According to the Institute of Internal Auditors’ performance standards: “Internal audit activity must evaluate the potential for the occurrence of fraud.” Although internal auditors are not required to find fraud, they are required to consider the possibility that it is occurring.

Some organizations have mature processes to find fraud during internal audit projects, such as brainstorming ideas and incorporating specific audit steps in their workpapers, while others may only consider the possibility if a red flag is identified. Some internal audit departments may even miss or not follow up on red flags due to a number of factors, such as inexperienced staff members, lack of focus or expertise on the area being audited, or lack of resources available.

So what are some of the markers of fraud that internal auditors should be on the lookout for? The following are three red flags I have personally encountered during my work as an internal auditor. Keep in mind that they are only indicators that fraud could be lurking under the surface, not surefire signs of criminal activity.

1) Employees who try to restrict or question access to vendors
Vendors are one of the best sources of information for internal auditors because conversations with them may not be as “filtered” as interactions with employees and can provide valuable tips. Employees who attempt to restrict access to vendors may be trying to cover up improper activity or conflicts of interest.

During a procurement audit, for example, I had questions on invoices from one of our construction vendors. The property manager from my company was not able to assist with those questions, so I sought his approval to contact an employee from the vendor. I requested to meet the vendor employee in person to go over the documentation, as I thought it would be the most efficient way to clarify the issue at hand. Upon learning this, the property manager from my company told us not to bother the vendor because he might bill us for his time in answering our questions. Needless to say, I did not stop contacting the vendor. I actually contacted them more. It was within the company’s contractual rights. We had a very clear right-to-audit clause.

Although nothing fraudulent emerged from the scenario described above, in another instance it did. During a security audit in South America, a manager employee told me and a coworker to wait outside the room while he and a vendor, whom we were planning to talk to in the course of the audit, had to address a “last minute emergency.” A couple of years later, during a follow-up audit, the same employee was terminated due to fraud. We had our eyes on him from the first audit but didn’t have enough evidence at that time to pursue a full investigation. During the follow-up audit, based on initial information obtained by internal audit, our investigation team was able to identify that that employee had ties with a vendor and had coerced another vendor into making improper payments.

2) Employees who have “perfect” answers and are a little too cordial
An attempt to make a good impression on internal auditors is not by itself a red flag of fraud. However, if an employee does a little too much or always has the perfect answer, that may signal that the employee is experienced enough to know what auditors want to hear and may be trying to cover up fraudulent activity.

In a risk management audit in South America, my team and I met a manager who had all the right answers, but they seemed almost rehearsed. I remember him being adamant about showing us a spreadsheet that explained how the area he was responsible for was a revenue center and not a cost center. He was so confident about how well he was doing that he suggested that we visit one of the major vendors for our review. We met the vendor for half a day and built good rapport. A few days after our meeting, that vendor shared information with us that was detrimental to the manager, indicating wrongdoing. Thinking back, it was almost as if the manager was trying to test us. Wrong move.

3) Employees who are overly confrontational or try to belittle the internal auditors
It is not unusual for employees who are being audited to be somewhat confrontational with internal auditors or for a little tension to arise. To some extent, it provides a healthy balance and reminds us to bring our professional skepticism. If an employee is too confrontational, however, to the point of attempting to belittle an internal auditor, the person might be trying to cover up their own shortcomings or misdeeds. When auditees just want to argue about everything, it may be that they are not doing what they are supposed to be doing.

By far the very worst thing that an auditee ever told me was during an internal audit in Canada. Our team was there for approximately two weeks, looking at an area of our business with approximately $150 million in expenses.

The audit had started off very well. During the planning phase we had done a lot of data analytics, including Benford, Z-Score, horizontal and vertical analysis, online presence tests, and other analytics and testing. Towards the end of the audit I had contacted more than 20 managers and identified expense recovery opportunities in excess of $100,000.

I had a sense of accomplishment and it felt good. However, there was one person who, from the very beginning of the audit, had not been responding to any of my emails. It was one of the last items to be tested from my file. I was already back in the United States and needed to wrap up the audit, so I decided to give her a call.

To my surprise, she was extremely confrontational with me. She belittled me for being with the company for only three years when she had been there for 19 years, and questioned my knowledge and experience. She was very assertive in claiming that I didn’t know what I was doing or talking about.

The conversation could’ve gone even worse but I kept my cool. While I was trying to defuse the tension and focus on the issue at hand, she said some unforgettable words: “All I want is for you to go away.” I had never experienced that in my entire career as an auditor and I had not even been that pushy with her!

After the phone call ended, my heart was pounding and I was trying to make sense of what I had just been told. As my emotions were settling down, I became more and more suspicious of her. Why was she being so confrontational? Was she hiding something? After that call I spent the next few hours scouring through the records of the vendor that she was responsible for. I did not find anything fraudulent; however, I did find more over-payments, about $4,000 worth of them.

Instead of getting back to her right away, I slept on it and made sure my numbers were right. The next day I sent her and her boss a message asking if they knew about the over-payments. She instantly became my best friend.

Red flags do not come in the same size, shape or form. They may be an employee trying to restrict access to vendors, an employee who has all the right answers and is too eager to please, or an employee who is confrontational to the point of being unprofessional. Regardless of how those interactions take place, we, as internal auditors, have a duty to evaluate them, turn any rocks we believe need to be turned, and trust our instincts. Even if our instincts may sometimes be wrong, we will never know until we ask.


Jon Taber, CPA, CIA, CFE, CFF, is a Senior Internal Auditor at Casey’s General Store, based in Ankeny, Iowa.

2 Replies to “Three Red Flags of Fraud to Look for During Internal Audits”

  1. Hi There dear Mr Taber,
    Warm greetings to you 🙂
    Thank you for sharing your insights on this subject.

    I found your blog very informative and learnt a lot.
    I am an Audit Technician at our local government in the sunny city of Durban, South Africa 🙂
    I look forward to applying the above markers in my future projects.
    Looking forward to more of your articles!
    Stay blessed and safe.

    Warm regards,
    Nadia E Deen

  2. Red flags are meant to raise awareness but these alone cannot be used without considering other factors including cultural differences,
