Forensic Accounting
Mitigating risk and delivering assurance by team collaboration between assurance, technical and investigative experts
Ensuring the accuracy, reliability, and transparency of financial information is of the utmost importance to protect corporate marketplace reputation and reassure stakeholders, explain Rehmann’s Charles Story, Director of Operations for Corporate Investigative Services, and Melissa Johnson, Principal, Assurance and Financial Reporting.
Emerging technologies, cloud-based services, and artificial intelligence (AI) have escalated the necessity for professional accounting services to be provided by a multi-disciplined, cohesive team of professionals who integrate unique financial, technical, and investigative expertise and competencies into the assurance process.
Moreover, regulations such as the Sarbanes-Oxley Act of 2002 (SOX) in the United States, coupled with the rising prevalence of IT, cloud-based and AI risks, have not only made robust enterprise-wide technical and cybersecurity protocols critical, but also have increased the need for assurance services that expand the scope of engagements to encompass these risks.
Melissa Johnson
Principal, Assurance and Financial Reporting, Rehmann
Charles Story
Director, Operations for Corporate Investigative Services, Rehmann
A Comprehensive Approach
Independent third-party audits require integrated technical and IT system risk analysis, in addition to traditional transaction cycle control risk evaluation as it relates to accurate financial reporting. Financial statement audit procedures analyse financial records, transactions, and supporting documents, while simultaneously evaluating the relevance and reliability of the data produced by the company’s systems. Thorough auditing processes bring together risk-assessment professionals, who are experts in auditing, internal controls, and technical systems mapping and evaluation, and, when necessary, investigative professionals who provide a unique perspective including forward-looking plans to mitigate risks and investigative reviews, should they be warranted.
For example, the financial statement audit may uncover anomalies, which are deviations and inconsistencies from expected patterns or norms based on the organisation’s industry and size. Further review would be warranted when these anomalies are suspected of being more than just an oversight and it appears there is intent to manipulate financial statements or misappropriate assets. While anomalies can be one-time, explainable, and correctable occurrences, they often require a deeper review to validate there is not a pervasive issue within the control environment. This collaborative approach provides a more thorough assessment of risks for stakeholders of the financial statements.
A Certified Information Systems Auditor (CISA), specially trained and certified to conduct a detailed assessment of an organisation’s financial and non-financial systems, is a necessary resource in the performance of assurance engagements due to the rising pervasiveness of internal controls based on the use of technology systems. CISAs determine if appropriate process and access controls are in place in the system to ensure data origin and accuracy and mitigate risk and vulnerabilities within the system itself.
A CISA’s work products may assist in strategically directing assurance professionals to risk-laden financial environments identified through these tailored audit procedures. Leveraging CISA work products, assurance professionals utilise data-driven advanced analytics to systematically review the accuracy and integrity of financial data and information. This multi-disciplined approach may further help identify unusual patterns in revenue recognition, inventory management, or expense reporting that possibly indicate system or financial manipulation or fraud.
Results: Anomaly or Fraud? What Happens Next?
If internal control gaps and risks are identified and significant anomalies or possible fraud result, then organisational leadership should next ask these questions: How was the risk overlooked by internal leadership? What gaps in the internal controls allowed for the opportunity for anomalies or fraud? How can these internal control failures or gaps be mitigated in the future?
Mitigating the opportunity for fraud is the responsibility of internal management, which must properly design and implement internal controls that operate effectively, as determined through extensive internal collaboration and fraud brainstorming that involves risk assessment. Areas subject to significant fraud risk typically relate to those dealing with cash receipts and disbursements, as well as balances subject to significant estimation. The analysis and questions addressed during the planning stages of assurance services generally pertain to these opportunities for fraud to occur. Discussing these opportunities in the early stages of the assurance engagement allows assurance professionals to tailor engagement procedures to address the areas with the highest risk of misstatement or misappropriation. Relying on the organisation’s internal controls provides management with more accurate, representative, and credible financial information that empowers them to make decisions based on underlying data.
If fraud was suspected or identified, then the first question in the fraud triangle has been answered: How did the opportunity for fraud exist? Next, the rest of the fraud triangle should be evaluated: What was the motivation of the fraud perpetrator(s)? What was the rationalization used to justify the fraud?
Financial fraud investigators employ forensic data analysis techniques and investigative interviews to determine the scope, breadth, and nature of the fraud and how it was executed to answer these questions:
Motivation: Why did the fraud occur? Was the fraudster living beyond his or her means? Was the fraudster hiding financial purchases from loved ones?
Rationalization: How was the fraud justified? Did the fraudster feel like a victim and believe the organization owed them something? Did the fraudster believe they were furthering a political agenda?
Although performing these procedures to specifically identify fraud is outside the scope of traditional assurance engagements, assurance professionals have a professional obligation to assess the overall control environment, make inquiries regarding individuals’ knowledge or suspicion of fraud, and report any areas of risk identified to those charged with governance. Therefore, assurance professionals, who approach each engagement with an investigative and skeptical mindset, are an incredibly important value-add to organisations, because they have the skillset to identify and discuss a myriad of risks embedded in the client’s operation.
The Bottom Line
Financial stakeholders will benefit most when an organisation engages an advisory firm with an integrated team experienced in assurance services, including advanced data auditing techniques, systems mapping, and forensic investigative services. Fraud brainstorming sessions that include all engagement team members, as well as other professionals from within the firm with industry-specific knowledge, will set the stage for the team to ask why a particular process or control exists or doesn’t exist and amplify the effective evaluation of an organization’s financial, control, and operational reporting environment.
Charles E. Story, III, CPA, CFE, manages complex fraud investigations for public and private entities and leads Rehmann’s background, fire investigation and digital forensics divisions, providing a suite of professional investigative tools to help clients identify and prosecute fraud. Story began his investigative career in 2003 with the Federal Bureau of Investigation as a Special Agent. Prior to joining the FBI, he was a manager with an international financial services firm in Atlanta, Georgia, providing business advisory services leveraging linear programming models.
Melissa Johnson, CPA, leads Rehmann’s commercial assurance group and works closely with business advisors and client management from the planning stage to completion to determine deadlines for deliverables, plan fieldwork, supervise staff, and ensure each engagement meets the stated objectives. Prior to joining the firm, Johnson was an operations manager for a large national retail company overseeing financial and human resources services, including sales forecasting, labor management, inventory controls and employee performance reviews and retention.