To give an example of a fraud I investigated (I was an IT tech working on the accounts system for a law firm).
Law firms hold money in trust for their clients - for instance, when you buy a house, you transfer money to your lawyer, they transfer it to the seller's lawyer, the seller's lawyer then hands it to the seller. This works as a kind of escrow process so you can't sign the contract and then not actually pay and end up with both money and house (yes, you'd get sued and lose, but that takes time and costs money).
Typically, you pay in the value of the house, plus banking fees, plus your lawyer's fees and then the lawyer does all the final calculations, realises they overcharged you on sales tax, and sends $10.43 back to you or some similarly trivial amount of a several-hundred-thousand-dollar transaction.
For various reasons, the law firm can end up not being able to send the money back (e.g. your bank account changed, or you sent money from an account that can't accept it back or they mailed you a check and you forgot to pay it in). By law, they have to try repeatedly for a period of time to get it back to you and then after that they have to pay it to either the government or to charity (depending on the state/country they are in).
So, our villain gets given a job to do: he has to go through all the accounts that have positive balances after the completion of the work for more than four but less than five years. He then has to try to contact the rightful owner of the money, and try to return it to them; if he can't return it to them, then he has to record that and when it hits the five years, it gets transferred to the government.
He does the proper process to try to contact people, and then for half the people where he failed to contact them, he records that he did contact them, they had new bank details, he enters the new bank details and transfers the money. To his own bank account. For the other half, they get transferred to the government.
For three years, he gets away with this, until an audit report picks up that his bank account has the third highest number of transactions on it. My very small participation in this is that I coded that audit report. An accountant notices this account, checks who it belongs to, and the next day, the police arrive and arrest him at his desk for fraud.
Remember that the money was money that no-one knew existed. There was vaguely a sense that there was some money like this, but no-one specific had a claim to specific chunks of it. The people he was actually returning it to had just not realised it was there, the government didn't know it was there. And it was several thousands of pounds. No-one was catching him for living beyond his means because it turned out he was a gambling addict and was just losing it all as soon as he stole it.
It really is a case of: so, what should you be auditing for? You probably haven't thought of everything.
The optimal level of fraud is, in fact, zero, but the optimum amount of defense against fraud is less than the amount of defense that would reduce fraud to zero.
I bought the book this morning and should have it finished sometime next week.
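The kind of audit report described in the fraud story above, as an added example that is not part of the original post and not the firm's actual report: it ranks payee bank accounts by number of outgoing refund payments and, going one step beyond the story, flags any payee account that is paid from more than one client matter. The record layout, identifiers and threshold are assumptions, and the sample data is constructed.

```python
from collections import defaultdict

# Constructed sample of trust-account refund payments (not real data).
# Assumed layout: (client_matter_id, payee_bank_account, amount_in_minor_units)
PAYMENTS = [
    ("M-1001", "ACC-111", 1043),
    ("M-1002", "ACC-222", 5500),
    ("M-1003", "ACC-999", 1210),
    ("M-1004", "ACC-999", 875),
    ("M-1005", "ACC-333", 23000),
    ("M-1006", "ACC-999", 4120),
    ("M-1002", "ACC-222", 500),   # second refund to the same client: normal
    ("M-1007", "ACC-999", 1999),
]


def rank_payees(payments):
    """Rank payee accounts by number of payments received, highest first.

    Returns tuples of (account, payment_count, distinct_matters, total).
    """
    stats = defaultdict(lambda: {"count": 0, "matters": set(), "total": 0})
    for matter, account, amount in payments:
        entry = stats[account]
        entry["count"] += 1
        entry["matters"].add(matter)
        entry["total"] += amount
    rows = [
        (account, e["count"], len(e["matters"]), e["total"])
        for account, e in stats.items()
    ]
    # Sort by payment count descending, then account id for a stable order.
    return sorted(rows, key=lambda r: (-r[1], r[0]))


def shared_payees(payments, max_matters=1):
    """Payee accounts receiving refunds from more matters than expected.

    A client's own account normally appears against that client's matter
    only, so the assumed threshold is one matter per payee account.
    """
    return [row for row in rank_payees(payments) if row[2] > max_matters]


if __name__ == "__main__":
    for row in rank_payees(PAYMENTS):
        print(row)
    print("review:", shared_payees(PAYMENTS))
```

Individually small amounts never stand out on a per-payment report; the signal only appears once payments are grouped by where the money goes.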