When making inquiries of the auditee's personnel regarding the fraud issues listed above, including whether they have first-hand knowledge of fraud:

Transcription

1 TOPIC: Inquiries Regarding Fraud Risks OFFICE: Auditor STATE: MI DATE: 5/29/13 QUESTION / ISSUE: Paragraph 6.30 of the 2011 Yellow Book notes that auditors may obtain information regarding risks of fraud that are significant within the context of the audit objectives through discussions with officials of the audited entity, or through other means, to determine the susceptibility of the program to fraud, the status of internal controls the audited entity has established to prevent and detect fraud, or the risk that officials of the audited entity could override internal control. In addition, AU Sections through (AU-C ) establish fraud risk assessment procedures in a financial statement audit, including the requirement to make inquiries of management and others within the entity. When making inquiries of the auditee's personnel regarding the fraud issues listed above, including whether they have first-hand knowledge of fraud: Do your auditees permit unfettered access to personnel, and allow you to interview their staff one-on-one, without auditee supervisory or management personnel present? Has an auditee ever restricted your access to their personnel to conduct SAS 99 interviews? Has an auditee ever required that a representative of management to be present when auditors ask auditee personnel about these fraud issues? If so, can you provide a brief description of what occurred? Also, would you consider restricted or controlled access a scope limitation, and, if so, would you modify your GAGAS compliance statement within a performance audit report? Finally, please describe what process your office follows to conduct interviews regarding fraud risks. State Arizona Connecticut 1. Yes, in almost all cases we have no problems with being able to speak with auditee personnel without interference. At times we have been questioned about why we might need to speak with someone but have been able to give adequate explanation and interview those we needed to. 2. No. 3. No. 4. I believe this would depend on the situation, how important the access to the individual was to the audit, and whether the auditee could provide a reasonable explanation for restricting or controlling the access. This somewhat depends on the auditee. In general, we let management know that we will be asking individuals questions about fraud as we gain our understanding of controls. We also let them know the questions we will ask and interview management with those same questions. Then, as auditors are speaking with individuals from various departments, etc., they may ask them the questions or ask to speak with others from various levels. 1. When we initially implemented relevant procedures, there was some resistance on the part of employees at most agencies, especially line staff. They felt they were being asked to blow the whistle on fellow employees, many of which were in the same bargaining units or their supervisors. We modified our engagement letters to inform the agencies that these interviews were part of our normal audit procedures and that we expected cooperation to make employees that we select available to be interviewed. 2. There have been very few, if any, times when we have been prevented from conducting an interview, but there have been times in which we had to conduct the interview with union reps or supervisors present. At a minimum, we would replace that selection with another employee. When we are not able to Inquiries Regarding Fraud Risks 1

2 interview employees alone, we attempt to reach out to that employee at a later time and offer the opportunity for that employee to speak to us. 3. This used to be an issue, but after management has been through the process themselves, they have become more relaxed about the interviews. We felt it necessary to conduct the interviews as best we could, whether the employee was alone or not. 4. We would not consider restricted access a scope limitation unless we were unable to get any access to a number of selected employees. In the instances where they were with a union rep or supervisor rather than being alone, we would regard that as sufficient. The process does vary to a small extent by supervisor. But our engagement letters mention the need to do these interviews, so agencies know up front. And they have been through this for years now. We select a sample of employees to interview, always including where applicable the CFO, the HR director, the internal auditor, procurement director, and legal counsel. In addition, we reach out to line staff trying to get a cross section of employees. We schedule meetings and have a predetermined set of questions that our staff are supposed to be able to answer based on the interviews. We do have 2 sets of questions, one directed at management and the other to staff. In the current legislative session, we have introduced a bill that would exempt these interviews from FOI statutes. While we try to keep the interviews anonymous, up to now the records of these interviews were open to the public. We would provide, if asked, a list of those interviewed and the results of the interviews, but we would not link the names to the results. When an agency head actually suggested that they would be interested I seeing the results of the interviews, our management team huddled for a solution. We believe that exempting the interviews will increase the value of them because employees may feel more free to talk. Delaware Georgia After the interviews are conducted, our staff are required to come up with audit procedures to review for any issues that are alleged. 1. Yes and if we have specific concerns we will request interviews after hours depending on the circumstances. 2. No, this would be a scope limitation. Again, if an issue is sensitive and we have concerns or concerns are expressed by the employee, we will make arrangements to do a confidential interview at the employee s convenience. 3. No, we have not had any unreasonable requests regarding fraud interviews. This may have to do with our investigative work and our subpoena power. 4. Yes as mentioned above and we would describe the restriction in the report or related findings. However, AOA is not known to stop or give into requests for modification of our procedures and is fairly adept at completing the work without opting for a scope limitation. We would do so if needed and under financial audit have had this discussion with management. This is documented throughout our Fraud and Investigative Manual and in our templates which AOA is willing to share upon request with interested State Auditors. 1. Typically, our auditees provide unfettered access to personnel. 2. Presently, we have not had an instance where our access to entity personnel has been seriously limited. 3. During our initial implementation period for the SAS 99 requirements, we had instances where management requested to be involved in our meetings. However, upon further discussion and explanation of the spirit of the SAS 99 Inquiries Regarding Fraud Risks 2

3 Kansas Massachusetts requirements, the management typically understood why this would not be appropriate. 4. Yes we would consider restricted or controlled access a scope limitation. If this occurred, we would modify our reports to indicate that we believed management materially restricted/controlled access. Ideally, we want all interviews to occur in person. Some of our divisions have predefined questions and auditee contacts to be interviewed, such as Presidents, Superintendents, CFO, CIO, Audit Committee members, Internal Auditors, etc... We also instruct each of our auditors to ask additional questions based on entity specific circumstances. As our auditors gain a greater understanding of the entity and the environment through walkthroughs, they typically ask specific questions related to fraud, such as management override of controls, and they have the flexibility to identify additional entity personnel to interview based on any specific circumstances that may arise. 1. Our law gives us access to all books, accounts, records, files, documents and correspondence, confidential or otherwise, of any person or state agency subject to the legislative post audit act or in the custody of any such person or state agency. Although that law does not specifically apply to access to agency personnel, the state s whistleblower law says that No supervisor or appointing authority of any state agency shall prohibit any employee of the state agency from discussing the operations of the state agency or other matters of public concern, including matters relating to the public health, safety and welfare either specifically or generally, with any member of the legislature or any auditing agency. Also, our policy directs that Auditors should have unrestricted and unmonitored access to all agency employees. If the agency wishes to appoint a coordinator or primary contact person, that person s role should be to facilitate, not limit, access. So the short answer is: they may not have to allow us access to agency staff, but if they tried they d most likely get serious pushback from us. 2. N/A: we don t do SAS 99 interviews. 3. Can t recall that this has happened. 4. If management prevented or controlled our access to personnel, we certainly would have an internal discussion about whether it constituted a scope impairment. Given the law, our policies, and the general culture of cooperation with the agencies we audit, I m not sure this would ever come up. 1. Most auditees provide unfettered access to personnel, however some auditees have a liaison (e.g. Controller) who receives all audit requests, coordinates all meetings, and is present at all audit meetings that occur (including SAS 99 inquiries). 2. To the best of my knowledge, we have NOT had any situations where auditees have restricted access to personnel selected for SAS 99 interviews. 3. Yes, see answer to question #1 above. 4. If an auditee restricted or controlled access to an individual selected for a SAS 99 interview, we would consider modifying the GAGAS compliance statement, depending on the circumstances. Some of the factors we would consider are: What is the individual s title and role? Does NOT meeting with this individual interfere with the achievement of our audit objectives? Do we need information from this individual in order to complete our audit? Are there suspicions that this individual is aware of or committing fraud? Is this individual involved with or responsible for assessing fraud risk and/or completing the auditee s fraud risk assessment? Inquiries Regarding Fraud Risks 3

4 Below is an excerpt from our Audit Policy Manual which explains required fraud procedures. OSA Audit Policy Manual states: The audit team begins the fraud risk assessment with: 1) Team Discussion of the Risk of Fraud (see Exhibit 15). The purpose of this document is to facilitate the discussion of fraud risk by the audit team, and document the results of this brainstorming session in identifying potential risk areas that are significant within the context of the audit objectives. The next step in the fraud risk assessment process is: 2) Inquiries of Management about the Risks of Fraud (see Exhibit 17). The purpose of this document is to facilitate the gathering of evidence about the risks of fraud at the entity by making certain inquiries of management and others with specific roles in the organization. The auditor should then consider whether the information gained from these inquiries is consistent among respondents, whether it indicates a risk of fraud, and how management addresses the potential risk of fraud. (Note: Auditors should use professional skepticism when making inquiries of management and assessing management s response.) Once these steps have been completed, the auditor can then complete the 3) Auditor Assessment about the Risks of Fraud Significant to the Audit Objectives (see Exhibit 18). This form summarizes the results of the above documents, and allows the auditor to then assess whether procedures appear to be in place and whether they address the potential fraud risk that are significant within the context of the audit objectives. Further, the auditor can then identify additional procedures needed to reduce the risk of fraud to an acceptable level. Minnesota Mississippi New Hampshire Attached is an excerpt from the Massachusetts OSA Audit Policy Manual which includes types of questions typically asked of individuals participating in SAS 99 interviews. 1. Yes, we have unfettered access to auditee personnel. 2. If they have, it has been resolved, and was not an issue. 3. See above (would be very rare if at all). 4. We would consider it a scope limitation, and this would potentially modify our opinion on the financial statements. We do a risk assessment, and then select auditee staff that have direct involvement in an area identified (such as accounting duties, or cash collection). We rotate who we interview from year to year to get a different perspective. 1. Yes Also, this is spelled out in our engagement letter that management will provide unrestricted access to persons within the agency from whom we determine it necessary to gain audit evidence. 2. No 3. No 4. Yes 1. Auditees do provide unrestricted one-on-one access, although on rare occasion agencies have tried to have a second person from the agency present. We object is such cases and have not had anyone refuse one-on-one access after hearing our objection. 2. We do not conduct SAS 99 interviews per se, but questions about fraud are routinely asked in interviews. We have not had access to personnel restricted, including questions about fraud. During our entrance conference, we make Inquiries Regarding Fraud Risks 4

5 North Carolina Puerto Rico special note of the fact we will be asking agency personnel about fraud and explain why we do so. 3. As noted above, on rare occasion, agencies have tried to restrict one-on-one access, but after voicing our objections and the reasons why, we have been granted one-on-one access. If so, can you provide a brief description of what occurred? When this did occur, the agency was concerned that the person we wanted to interview may not have been the most knowledgeable of the subject matter and was concerned about giving the auditors incomplete or erroneous information. We then explained our need for unrestricted access under auditing standards and that we were very capable of discerning information we obtained from a variety of sources, even conflicting information. 4. The possibility of a scope limitation would have to be considered given the unique circumstances of each audit, as would a modification of the GAGAS compliance statement. AU-C , , and 705.A8 et al are also instructive for financial statement audits. Interviews can either be structured or not. In a typical structured interview for a performance audit, two auditors are present, one of which is the primary interviewer while the second auditor focuses on taking notes. Fraud risk questions are generally included with questions about an individual s responsibilities, but may also be asked when questioning about a specific process and its susceptibility to fraud. Structured interviews are generally not conducted for financial audits, but questions about fraud are asked when performing work to understand the entity and its control environment. 1. Yes. 2. A few may have tried, but not successfully. Our state law grants us complete access to persons and records, so legally the clients can t prevent us from interviewing staff. 3. A few may have tried, but not successfully. See below. 4. We would consider this to be a scope limitation. I don t think we have had to report as such in regards to fraud interviews. We have on at least one occasion reported a scope limitation due to limitations on other access: Our answers are based on our experience conducting compliance audits. 1. Yes, by law they are required. 2. Yes 3. Yes. As a general rule our Office does not allow the presence of other persons during the interview or in a sworn statement, unless it determines that the presence of a person is necessary and does not adversely affect the investigation. If the presence of a person is allowed that person would not be able to answer the questions addressed to the interviewee, cannot make statements nor interrupt the interview process. 4. Yes. As part of our planning process we take into consideration the results of the internal controls evaluation and what the management said in the planning interview. If we believe that fraud risk exists then we proceed to a deeper interview. The process is described below. Before the interview: Know in detail the facts of the matter under investigation. Review the case file diligently and carefully to ensure that no relevant and valuable information is ignored. Inquiries Regarding Fraud Risks 5

6 Identify the questions, and what are the missing elements to complete the investigation. Develop a theory of the case or an idea of how the events occurred. Try to test it and verify that the theory is consistent with the information obtained so far. It is advisable to diagram the names of witnesses and suspects to help us visualize their possible involvement with the case under investigation. Obtain an understanding of the entity. Get the names of the employees and officials who have occupied positions and the periods that have occupied them. Prepare a list of people we want to interview. Get as much information from witnesses, such as their education and professional experience. Start the interviews with the employee or official of lower hierarchy and more willing to cooperate. In this way you get a wider knowledge, which will help to formulate subsequently the right questions to more vulnerable witnesses. Interview one witness at a time, to prevent the testimony of one influence that of other witnesses. If possible, ascertain the degree of information that the interviewee knows in relation to the matter under investigation and to what information he has or may have access to. Organize in advance the documents that will be shown to the witness during the interview. Prepare a questions guide for the interview, but do not have to adhere strictly to it. The questions can be formulated in chronological order, according to documents shown, by transactions or events, or a combination of the above. Select the time and place for the interview. In the case of a cooperating witness, the best place for the interview could be at work. This will facilitate access to documents, and possibly make him feel more comfortable. In the case of a hostile witness or suspect the interview should be out of their workplace, preferably in our Office. The Office offers an atmosphere of seriousness and respect. Place the chair on which the interviewee will sit in a way that allow the interviewer to observe the behavior and body movements (demeanor) of the interviewee. During the interview: Usually the interview is divided into three phases: opening, questioning and closing. Here are some aspects to be taken into consideration in each: Opening Introduce yourself. Before starting the interview, explain the rules to be observed during the interview and ask the witness to identify himself. Observe the reactions of the witnesses to the initial questions, so you can anticipate the behavior of the witness before sensitive questions. Listen to the tone of voice to determine if there are any limitations on speech that might lead to an adjustment in the way of carrying out the interview. Interrogation Point your line of questioning in accordance with the purpose of the interview and the theory of the case and maintain a natural rhythm questions and answers. Pose a question at a time; they should be short and simple. Start with general questions and then proceed to the specific. Do not discuss the answers of the witness, nor show any reaction to them. This will allow the witness to tell what he knows of the story without interruption. Inquiries Regarding Fraud Risks 6

7 Utah Make sure you understand each answer, if not clear, ask them to explain it at the time. Separate facts from inferences. Avoid leading questions and those requiring Yes or No answers. Instead use open-ended questions to get more information, for example, and then what did you do? Avoid compound questions, with premises too complicated. Do not include more than one topic or issue for each question, or questions that require more than one answer or a complex answer. Do not change to an upcoming issue until you are satisfied that the witness said all he knows about the subject asked. Do not allow the witness to divert its attention to issues irrelevant to the investigation. A witness may unexpectedly change the topic of conversation to another that has no relationship. Usually this is indicative of hiding something. It is for the interviewer to interrupt politely and diplomatically the issue and directs the witness to the subject under investigation. Ect Closure Review your notes and check was missing for asking. Clarify any questions that have arisen, particularly on the documents that the witness to bring to the interview, If appropriate, ask if there are other documents or other witnesses that may be useful to the case. Validate in summary the most important facts that were offered by the witness. From time to time we have a client who tries to limit access to their personnel or to only allow access under their supervision. We do consider this a scope limitation and therefore have never permitted it to happen. If it did happen we would modify our reports. As a result, we require and get unrestricted access. Inquiries Regarding Fraud Risks 7

8 MARCH 2013 REVISION EXHIBIT 17 PURPOSE INQUIRIES OF MANAGEMENT ON FRAUD RISK This form was designed to guide auditors in conducting fraud inquiries of management and others, and to provide a template for auditors to document any fraud risks identified as a result of these inquiries. INSTRUCTIONS MASSACHUSETTS To gather evidence about the risks of fraud at the entity, the auditor should make inquiries of the following parties within the entity: 1) management, 2) those charged with governance, 3) appropriate internal audit personnel (where applicable), 4) employees involved in processes / units significant to the audit objectives, 5) others within the entity. Note: Examples of others within the entity to whom the auditor should consider directing these inquiries include: Employees with varying levels of authority within the entity, including, for example, entity personnel with whom the auditor comes into contact during the course of the audit (a) in obtaining an understanding of the entity s systems and internal control, (b) in observing various procedures, or (c) in obtaining explanations for fluctuations noted as a result of analytical procedures; Operating personnel; Employees involved in initiating, recording, or processing complex or unusual transactions or billings, or a significant related party transaction; and In house legal counsel. The auditor may use this form multiple times during an audit to document fraud related inquiries of individuals at the entity. The auditor should also consider whether the information is consistent among respondents. 1

9 MARCH 2013 REVISION EXHIBIT 17 INQUIRIES OF MANAGEMENT ON FRAUD RISK MASSACHUSETTS AUDITEE NAME: AUDIT NUMBER: AUDIT PERIOD: INQUIRIES OF MANAGEMENT Interviewee s name: Title: 1. Are you aware of actual or suspected fraud affecting the entity? 2. Are you aware of any allegations of fraud (e.g., received any communications from employees, former employees, analysts, regulators, funding or oversight agencies, or others)? 3. Do you have a process for identifying and responding to risks of fraud, and determining which contracts, balances, transactions, or disclosures are susceptible to those risks? 4. Are you aware of any inappropriate or unusual activities relating to the processing of journal entries and other adjustments? 5. Have you reported to those charged with governance, or other appropriate personnel, on how the entity s internal control serves to prevent, deter, or detect material misstatements due to fraud? (If Yes, obtain a copy.) Yes, No, N/A (If Yes, please document the circumstances) 2

10 MARCH 2013 REVISION EXHIBIT 17 INQUIRIES OF MANAGEMENT ON FRAUD RISK MASSACHUSETTS Describe your understanding of the risks of fraud at the entity, including any specific fraud risks the entity has identified or account balances, classes of transactions, or disclosures for which a risk of fraud may be likely to exist: Describe programs and controls that the entity has established to mitigate fraud risks the entity has identified, or that otherwise help to prevent, deter, and detect fraud: Describe how such programs and controls are monitored within the entity: Describe the nature and extent of monitoring of operating locations or business type activity segments, where applicable, and whether there are particular units for which a risk of fraud may be more likely to exist: Describe whether and how management communicates to employees its views on business practices and ethical behavior: 3

11 MARCH 2013 REVISION EXHIBIT 17 INQUIRIES OF MANAGEMENT ON FRAUD RISK Based upon the above inquiries, we identified fraud risks that will be summarized at Auditor Assessment about the Risk of Fraud (Exhibit 18). MASSACHUSETTS Yes No : Performed by: Reviewed by: Date: Date: 4