The 2010 Association of Certified Fraud Examiners (ACFE) Report to the Nations noted that the median length of time to discover fraud is 18 months. During that time, respondents of the survey estimated an average loss of five percent of their annual revenue. External auditing was the control used by most of those surveyed; however, it was determined that external audits weren’t overly effective at detecting fraud (less than five percent of the schemes were uncovered by the external audit) or at limiting the losses of fraud.
It is important to remember that the purpose of an external audit is not to detect fraud, so they should not be relied upon exclusively for fraud detection. Additionally, external audits would more commonly identify financial statement fraud rather than occupational fraud. Occupational fraud can be defined as the use of one’s occupation for personal enrichment through the deliberate misuse or misappropriation of the employing organization’s resources or assets. Occupational fraud can be as simple as stealing company supplies or manipulating timesheets (if used) and can even ultimately elevate to financial statement fraud.
Management’s expectations are that controls are in place and working year-round, but during a recent internal audit webinar it was noted that controls typically work their best around the time of an audit and then their effectiveness decreases shortly after. They don’t return to their peak performance until it’s time for your next audit (referred to as the “Yo-Yo effect”). The idea then becomes that if you can shorten the time between monitoring visits, your controls would be working at their most effective level more often.
Larger dealership groups often have an internal audit function, whether it be a true internal group or an outsourced accounting firm. Depending on the size of your group, this may result in as little as one extra audit during the year and usually four at most. The downside of these periodic audits is that they are usually based on data that is at least one month old. To truly be aware of what is happening in a store, management needs to know what is happening right now, not what happened one month or six months ago.
Continuous Auditing and Continuous Monitoring
There are two types of continuous work that can be done: continuous auditing and continuous monitoring. Both can be of great use and can help an internal audit function respond to the demands of management by more quickly identifying emerging risks as they occur within a dealership. Both can also help organizations operate more efficiently and can eliminate or reduce the “Yo-Yo effect.”
Distinguishing between continuous auditing and continuous monitoring can be quite confusing (the terms are often used interchangeably), even if just looking at the definitions. Continuous auditing means there is an auditing process that examines accounting practices continuously throughout the year, which is usually technology-driven and designed to automate error-checking and data verification in real time.
Continuous monitoring is the application of automated tools to continuously access key business process transactions and controls. While there are similarities between the two, such as the use of automated tools and sometimes similar results, continuous auditing is often more time-consuming and expensive. This process requires more hands-on time from your audit teams because essentially, standard auditing activities are performed on a more frequent basis to provide the assurance that policies and controls are working as intended. This might be more feasible for single-point stores or small dealership groups with five to 10 stores, as this would allow for a higher number of audits at each store during the year.
On the other hand, the primary goal of continuous monitoring is to give you frequent analysis of near-real-time financial and nonfinancial data (Note: Near-real-time ideally refers to the previous day’s operations). To ensure that the controls in place are functioning as designed to prevent errors and fraud, automated tools monitor business transactions and identify those that produce unexpected results. Continuous monitoring is a process that, when in place, works every day to find exceptions in your data. It can help improve the bottom line by more quickly identifying exceptions in transactions as they occur.
The primary difference between continuous auditing and continuous monitoring relates to the ownership of the function. Continuous auditing would primarily relate to your audit function, such as your internal audit department. This group can audit any automated or manual control that is routinely repeated throughout your dealership.
The continuous monitoring process is considered to be a management function, as managers are the ones responsible for ensuring effective controls and processes are in place. This process can often identify results from business transactions that are relevant to management, but might not be a concern to your internal or external audit function. Considering that many dealers don’t have an internal audit function, or sometimes even an external audit function, continuous monitoring is the tool that offers more bang for your buck.
Examples of Continuous Monitoring
Let’s look at two common issues that routinely occur within the parts and service departments and the impact that a continuous monitoring system would have if implemented.
Example One: Parts customers who have credit with the dealership typically have established credit limits. Dealerships, however, typically have a policy that the parts manager can override that limit with the permission of the controller or general manager. It is fairly common for parts managers to make that decision without obtaining the proper permission, essentially overriding the credit limit on their own authority. If the aging of the receivable doesn’t become a problem, accounting may never know of the credit override unless it is identified during an internal audit, sometimes months later. With a continuous monitoring system in place, the override would be found the next day.
Example Two: Every customer who purchases a part from your parts department doesn’t always pay the same amount. It is fairly common for certain customers to have discounts in place based on the volume of purchases. A parts counterman may find that they are able to apply these discounts to other customers at smaller amounts without being detected. If a relative or friend comes into the store, the counterman could potentially provide an unapproved discount to the customer, knowing that it won’t be detected. What if gradually they continue to increase that discount more and more without detection? Each time this discount is used, the employee is taking away money that should have been earned by the dealership. Over time, this lost balance could range from a few hundred dollars to a few thousand. With a continuous monitoring system in place, this unauthorized discount could be found the next day.
The ACFE report indicated that less than 30 percent of the companies surveyed implemented surprise audits, but those companies that did tended to have lower fraud losses and detected frauds more quickly. The most important element that a surprise audit offers is the perception of detection. Generally speaking, occupational fraud perpetrators only commit fraud if they believe they will not be caught. This is also one of the primary goals of continuous monitoring, that employees become aware their transactions are being monitored each day and become less likely to override or manipulate the controls surrounding their job function.
The measurement of your results should be based on your ability to show sustainable remediation. This means that to be effective, your monitoring system must first detect the exception and then distribute the exception to management to resolve the issue and refine the control so that the likelihood of recurrence is minimized. In short, the goal is to eliminate the “Yo-Yo effect.”
Vol. 8, Issue 3