How do fraud exams and external audits differ?


By John Dubiel, CPA/CFE, CFE, CVA

As both a certified public accountant and a certified fraud examiner, I have clients ask me all the time about the difference between a fraud or forensic examination and a regular external audit.

shadow of magnifying glass

My initial answer is that you may need one (external audit) depending on financing requirements, and the other will be necessary when fraudulent activity is detected (fraud or forensic examination).

One of the major differences I deal with continuously is that external audits are planned in advance and usually during the same time period each year. The client’s staff assists in preparing the information, schedules and account balance reconciliations needed to determine the validity of the account balances.

Fraud examinations are spontaneous in a majority of cases, usually coming, of course, at the most inappropriate time in a fraud examiner’s schedule. I can’t detail the number of weekends, nights and holidays that I’ve had interrupted with the words, “I think we have someone stealing from the company.”

Time is critical when fraud occurs. Unless you are actually engaged in performing a forensic audit, looking for waste or internal control weaknesses in the client’s systems, there is no time to plan out a fraud examination in detail beforehand. In most cases, covert activities must be used by the fraud examiner to negate detection by the perpetrator before evidence is destroyed.

In an external audit, the auditor begins with a risk assessment of the client’s system to determine where the risk is in such areas as cash, inventory, accounts payable, etc. The auditor uses this risk assessment to focus the external audit.

In a fraud examination, that focus or direction has usually been determined for me by the client. The clients have, in most cases, performed an evaluation of the situation themselves after detecting fraud.

In a substantial number of cases, the client has determined who has committed the fraud as well as where the fraud has occurred. I establish a hypothesis about the fraud and/or the individual who committed it. Next, through interviews and review of specific documentation, I go about substantiating the hypothesis by identifying the different ways the fraudster might be taking advantage of weaknesses in the internal control system.

In an external audit, you still conduct interviews and review specific documentation, and you may even depend on analytical review procedures. But you are substantiating a specific account balance that is included in the aggregate determination of the financial statements’ reasonableness and fairness overall.

Another way a fraud examination differs from an external audit is in the way the work results report is used. An external audit report is usually prepared for a specific individual, financial institution or group of individuals, such as shareholders. The external audit report is a narrative attesting to the financial results and disclosures of a company. In very rare occasions, the audit report may be used in a civil proceeding.

However, a report resulting from a fraud investigation is almost always used as the basis for stating evidence in a civil or criminal proceeding. I start every investigation with the mindset that the findings documented in my report will be used in a court proceeding to substantiate the hypothesis developed to help determine the guilt or innocence of the perpetrator.

Keep in mind that a fraud examination report does not provide a conclusion as to whether an individual or group
actually committed the fraud. It attests to the methods used to commit the fraud and states only the evidence obtained. A certified fraud examiner is prohibited from concluding directly about a perpetrator but funnels the reader to arrive at a common-sense result based on the evidence presented. Thus, we have the similarity between an audit report and a fraud examination report – the apprehension of conclusions.

An audit report doesn’t state the “absolute correctness” of the financial representation of a company. Similarly, a fraud examination report doesn’t determine a conclusion as to the guilt or innocence of the perpetrator. Of the two reports, the fraud examination report is the more definitive.

An external audit is not designed to search for fraudulent activity in the accounting records. If fraud is detected, the auditors have a responsibility to report it to management. An assessment is then made about the impact on the fair presentation of those financial statements. Materiality of the total fraud or the transactions is used to determine the steps taken and additional procedures needed to attest to the fairness of the financial statements.

A fraud examination’s sole purpose is to detect the expected or alleged fraud and report on the evidence uncovered and the methods used to perpetrate the fraud. Materiality on the size of transactions rarely guides your steps taken in a fraud examination.

Keep in mind that if fraud is discovered during an external or internal audit, it will usually necessitate a fraud examination. However, the reverse is not true – the performance of a fraud examination will not necessitate the performance of an external audit.

Although there are many differences between an external audit and a fraud examination, there are some similarities. These include the following:

  • Both engagements require an engagement letter.
  • A certified public accountant and a certified fraud examiner each must abide by a Code of Ethics.
  • Both engagements arrive at their end results through the use of interviews, analytical review procedures and review of supporting documentation.
  • Both engagements enlist the use of a blend of accounting, auditing and financial detective techniques to arrive at their end results.
  • Both engagements enlist the use of reports that state, in narrative format, the procedures performed, evidence examined and results of the accountant’s testing or findings.
  • Both reports are used by outside third parties – an audit report usually to fulfill financing requirements and the fraud report to use during prosecution, to recover stolen funds or to fulfill the requirements of an insurance company for collection on fraud policies.
  • Both engagements could recommend additional or new preventative internal controls or ways procedures can be strengthened as a by-product of the engagements.