Fabricated Documents April 7, 2016
Posted by Audit Monkey in The Joy & Pain of Internal Audit.Tags: dodgy auditees, fabricated documents
trackback
I’m aware that I haven’t posted here in a while but I’ve been hanging out on goingconcern.com and the forum. I’ve enjoyed some of the banter and conversations and its been nice to hangout, albeit across many servers and network cables, with some like-minded peers. Nevertheless, I’ve just had a random thought and wondered if any other auditors had encountered the following problem.
During one review, I noticed that the reconciliations (whatever, I think it was CPD returns) had been completed retrospectively to be compliant. I could tell as the production date of the document didn’t marry up to the date the document was signed, i.e. the signature date was before the date of production. In another incident, a Project Management Team had produced documents to demonstrate they were managing the project properly, e.g. completing tasks against the project milestones. (Note, I wasn’t party to this episode, but I’m sure you get the gist.)
My question is, what does the Auditor do in these circumstances when documents have been forged to demonstrate compliance? In the first example, I actually let it go because the risk was negligible and the Banker concerned was quite a character! I said “Hold on, there’s a slight dating mismatch here; do you have an explanation?”, to which he replied “Well, you know what it’s like; a client calls and asks about their portfolio and before you know it in all the melee and confusion, you lose track of time and you don’t know what you are signing!”
But in all seriousness, what happens if it’s a big multi-million pound IT transformation and project? Surely you have to do the dirty and report that key deadlines haven’t been met? What would you do in these circumstances? I would be interested to hear.
Audit Monkey's Blog 
Monkey,
I think it always needs to be documented in the workpapers, regardless of whether it makes the audit report. You can put in the client’s response and say that the risk didn’t warrant creating an observation because of X, but audit discussed Y with the client and stated Z.
And it it’s a BIG project and the risk is high, that’s what audit managers are for. They make the call, and you take direction from them.
I haven’t been involved in anything huge, but I have seen audit managers afraid to take on some smaller items. I argued my case and lost, wrote it up, and the audit manager edited my workpaper according. Such is life.
If it was big and the audit manager didn’t address it the way I think it should be addressed, I’d escalate. I’ve escalated some smaller things before, but nothing was big enough to create a stink over.
In my previous life as a security manager, I was involved in some larger items, and escalated some items up to the CIO. Some I won, some I lost. But the important thing was I kept my integrity and slept well at night.