Fraud Detection Guidance
DoD employees must disclose any known fraud, abuse, corruption, mismanagement, or waste to the appropriate DoD, Federal government, other appropriate official, or hotline. DoD employees are also encouraged to report any suspected irregularities indicating that fraud, waste, abuse, corruption, or mismanagement may have occurred or may be ongoing. Individuals should be able to make all disclosures without the fear of reprisal.
DoD auditors or non-Federal government auditors performing audits1 for the DoD have additional responsibilities. The DoD OIG expects auditors to be proactive in identifying and referring to the appropriate investigative organization known or potential fraud, abuse, or corruption. By maintaining a high level of fraud awareness and appropriately assessing fraud risk during the planning and execution phases, the auditor is better positioned to uncover fraudulent acts. DoD auditors must adhere to their fiduciary responsibilities to the DoD, the Federal government, and the public.
Auditor Responsibilities
Auditors who perform independent audits and attestation engagements of DoD organizations, programs, activities, and functions are required by DoD Instruction (DoDI) 7600.02, “Audit Policies,” to comply with the GAGAS issued by the Comptroller General of the United States. The GAGAS require auditors when performing financial and performance audits and examination-level attestation engagements (work that requires a positive assurance) to:
- identify risk factors (indicators),
- assess the risk associated with those factors (indicators),
- design and perform appropriate steps and procedures to address the risk areas,
- document the process, and
- include information on any potential fraud that might have a material impact on the audited subject matter in the report.
Auditors should design procedures to obtain reasonable assurance of detecting fraud, noncompliance with provisions of laws, regulations, contracts, or grant agreements, and abuse that could materially affect the audit or examination. For review-level (work that provides negative assurance) and agreed-upon procedures-level (provides no opinion or assurance) attestation engagements, auditors are not required to assess fraud risk factors or design steps to address those risks.
Auditors must perform procedures when they find information or indicators that fraud may have occurred that could materially impact the subject matter under review. In those cases, auditors should determine whether the fraud was likely to have occurred and, if so, determine the effect on the results of the engagement. GAGAS requires auditors to comply with any legal requirements to report known or likely fraud, noncompliance with provisions of laws, regulations, contracts, or grant agreements, or abuse directly to parties outside the audited entity.
DoDI 7600.02, paragraph 6.3, establishes the requirement that auditors shall refer to the appropriate investigative organization any indications of potential fraud or other criminal acts discovered while performing audit work.
Best Practices
Best practices for DoD audit organizations include identifying and assessing potential fraud risks factors during the planning phase for review-level and agreed-upon procedures attestation engagements similar to what the auditor does for other audit services or work. When risk factors are identified during the planning phase, the auditor should discuss with their supervisor or higher-level management whether the requested or planned review-level or agreed-upon-procedures-level engagement is appropriate.
With audit management approval, auditors should discuss with the requestor the fraud risk factors and whether an alternative type of audit or attestation engagement would be more appropriate. When the auditor identifies fraud indicators or other information that strongly points to a high probability of fraud during the planning phase, the auditor, after consulting with their management, should raise their concerns to the appropriate oversight or investigative organization.
Best practices also include designing some steps or procedures to address identified risk factors for a review-level attestation engagement. While DoD auditors are required to comply with GAGAS, other auditing standards may provide insight into best practices or other approaches to assessing fraud risks or identifying fraud indicators. The GAGAS incorporates the American Institute of Certified Public Accountants (AICPA) standards for fieldwork and reporting for financial audits and attestation engagements.
The AICPA auditing standards for financial audits and the GAGAS for financial and performance audits provide specific steps that are not included in the AICPA or the GAGAS for attestation engagements such as inquiring of management about potential fraud. Auditors may find these specific steps useful when considering how to best implement GAGAS for attestation engagements. Similarly, audit organizations may learn about other audit organizations’ approaches and methods for assessing fraud risks and identifying and detecting fraud indicators and adapt best practices when feasible.