Commercial Bank Fraud Audit Strategies and Methods

The frequent and high incidence of fraud cases in commercial banks has attracted great attention from the State Council, CBRC and commercial banks. Therefore, to strengthen the research of commercial bank fraud audit strategy and methodology, and to continuously improve the ability of commercial bank internal audit organizations to prevent, identify and investigate fraud cases has become an urgent problem for all commercial banks to solve.

I. Types and characteristics of commercial bank fraud

According to the nature of fraud, fraud is divided into two basic types, fraud for the organization's economic interests and fraud to the detriment of the organization's economic interests.

1, fraud for the benefit of the organization. Fraudulent acts for the benefit of the organization mainly include: selling or distributing fictitious or misstated assets; making illegal political contributions, paying bribes, providing kickbacks, paying gratuities to government officials or agents of government officials, customers, suppliers and other improprieties; intentionally misstating or incorrectly evaluating business transactions, assets, liabilities, or revenues; intentionally mispricing transfers (valuation of commodities exchanged between affiliates); engaging in intentionally improper related-party transactions in which one party receives benefits that would not be available in an arm's-length transaction; intentionally failing to record or disclose material information that would help an outside group better understand the organization's finances; engaging in illegal and illicit business activities; tax fraud, and so on.

Combined with the characteristics of commercial banks, it can be found that fraud for the benefit of the organization are mainly in the following areas: (1) interception of intermediary business income, such as handling fee income is not accounted for, agent premium income is not accounted for, leasing fixed assets income is not accounted for, and privately set up a small treasury for the benefit of the collective and so on. (2) Embezzling or privately dividing credit assets, fixed assets, debt-bonded assets, etc., in order to obtain undue benefits for the collective at the expense of the loss of organizational assets. (3) Employing improper means to falsely increase (or conceal) profits, deposits, and other business indicators, in order to seek direct or indirect economic benefits for the organization or to defraud the collective (individual) honor. (4) Dumping of expenses and false listing of expenses to seek improper economic benefits for the organization. (5) Tax evasion, etc.

2, fraudulent activities that endanger the organization. Fraudulent activities that endanger the organization include: accepting bribes and kickbacks; transferring transactions that would, under normal circumstances, bring profits to the organization to employees or outsiders; embezzlement, such as tampering with financial records to conceal embezzlement so that the embezzlement is not easily detected; intentionally concealing (misreporting) matters (or data); and requesting payment for services or goods that are not actually provided to the organization.

Combined with the characteristics of commercial banks, the following main aspects of fraud that harm the organization can be found: (1) Embezzlement, embezzlement, and misappropriation of bank or customer funds. (2) Forgery, fabrication or false invoicing, fraudulent means of bills, letters of credit, bank cards, etc., to obtain bank or customer funds. (3) Impersonation of loans, self-approval of loans, fake mortgage loans, transfer of loans at high interest rates, unlawful granting of loans to related persons, unlawful granting of loans and making private profits from them (or accepting bribes), etc. (4) Illegally absorbing public funds, illegally borrowing funds, and illegally engaging in off-the-books operations. (5) Utilizing the convenience of one's position to engage in money laundering activities. (6) Participating in foreign exchange arbitrage, foreign exchange evasion and fraudulent behavior. (7) Issuing false credit (or deposit) certificates and other behavior. (8) Counterfeiting and altering valuable documents and important blank certificates to obtain funds fraudulently. (9) Intercepting intermediate business income and enriching oneself.

In addition, the type of fraud according to different criteria there are different classifications, mainly: First, according to the subject of fraud, can be divided into senior management fraud and general employee fraud. Second, according to the means of fraud, can be divided into: computer fraud and traditional manual fraud. Third, according to the object of fraud, can be divided into fraud against assets and fraud against liabilities. Fourth, according to the fraud group, can be divided into two or more people of the collective conspiracy fraud and fraud alone.

Second, the new trend of commercial bank fraud

Commercial bank fraud cases are moving toward the "high position, high technology, high case value; the number of grass-roots more, more internal and external collusion, more than the modus operandi, more than the" "three high three more" trend. Development. Commercial bank fraud presents the following characteristics: First, the high quality of fraud perpetrators. From the fraud cases investigated and dealt with in recent years, the fraud perpetrators of high positions, high intelligence, high education trend is obvious. Second, the high-tech fraud technology. In recent years, fraud perpetrators use a large number of high-tech technical means to implement fraud. For example, the use of simulation technology, forged and altered bills, credit cards, currency, etc., to the extent that it is enough to fake; and the use of electronic computer technology for the so-called encryption and program tampering and counterfeiting, etc.. Thirdly, the means are more hidden. The use of high-precision technology to carry out the vouchers and bills of the digging and mending, alteration, almost no traces, difficult to identify the authenticity of; to take "phishing" means, imitation of the Internet banking web page, theft of customer passwords and funds. Fourth, more diversified forms. In the use of multiple accounts, lending accounts, blank checks, stolen checks, imitation signatures, private engraving of official seals, forged accounts, stolen vouchers, cash, public funds, private savings, private vaults, white against the Treasury, the use of currency access and the time difference between the solution of the misappropriation of funds and a series of traditional fraud practices and forms, fraud perpetrators have been carefully selected, refined and transformed, the adoption of high and new technology, to create and invent many new fraud practices and forms. Created and invented many new fraudulent practices and fraudulent forms. Fifth, the field is more extensive and complex. In recent years, all kinds of legal persons of different natures, natural persons collude with each other, against the bank to implement fraud, and the phenomenon of fraud with the bank's internal staff conspiracy is also increasing, making the fraud situation more complex.

Three, commercial bank fraud audit strategy

1, highly concerned about the audited unit of internal control system soundness and effectiveness. Basel Committee on Banking Supervision in the evaluation of the principles of the bank's internal control system clearly states: control activities are most effective only when management and all bank employees will control activities as a necessary part of the day-to-day operations of the bank rather than an add-on. When controls are viewed as add-ons to the day-to-day operations of the bank, they are often considered irrelevant. Therefore, as an internal auditor of a commercial bank, you must start with a scientific evaluation of the internal control system of the audited entity and pay close attention to the soundness and effectiveness of the internal control system of the audited entity; only in this way will you be able to find out whether there are significant systematic deficiencies and potential fraud (cases) in the audited entity and conduct substantive tests to discover fraud clues.

2, pay close attention to the control environment of the audited entity. Control environment refers to the attitude and actions taken by the board of directors and management on the importance of control. The control environment includes the following elements: fairness and ethical values; business management philosophy and style of operation; organizational structure; distribution of authority and division of responsibility; human resources policy and management; and personnel competence. On the basis of a certain understanding of the organization's internal control system, the internal auditors of commercial banks have to further consider, pay attention to and evaluate the organization's control environment and its constituent elements in a comprehensive manner. Through the accumulation of daily work experience, can form a control environment model with the possibility of fraud:

Basel Committee on Banking Supervision evaluation of the bank's internal control system of Principle III, the commercial bank's internal control environment and the atmosphere of the culture of internal control: the bank's board of directors and senior management have the responsibility to improve their own standards of professional ethics and integrity, and to form a culture within the organization, to the The Board of Directors and senior management of the bank are responsible for raising their own standards of professional ethics and integrity, creating a culture within the institution, explaining and emphasizing the importance of the internal control system to all levels of personnel. It is necessary for all levels of personnel in a banking institution to understand their role in the internal control process and to be fully committed to their respective responsibilities in this process.

Combined with the current reality of China's commercial banks, the internal auditors of commercial banks should focus on when evaluating the internal control environment of the audited unit: (1) whether the operation of the Internal Oversight Committee is standardized, and whether the problems identified by the self-regulation of the major business units are collectively studied and seriously implemented and rectified; (2) the management's attitude towards internal audit, the importance attached to the problems identified by the audit (2) Management's attitude towards internal audit, the importance it attaches to the problems found in the audit, and whether the corrective actions are carried out seriously and thoroughly; (3) Whether regular analysis meetings are held on fraud (cases), and whether corresponding countermeasures and measures have been formulated; (4) The fulfillment of the "one job, two responsibilities" by each department, and whether there is any supervisory fault, supervisory blind spot, or supervisory vacuum in the self-discipline supervision.

Through further evaluation of the internal control environment of commercial banks, the use of analysis, comparison and verification of logical relationships, etc., can find doubts and capture clues.

3. Highly concerned about the division of job duties and potential conflicts of interest in the internal control system. The Basel Committee through a large number of global banking case investigation concluded that: an important reason for the loss of funds in banking cases is the lack of due division of responsibilities. Having one person with conflicting responsibilities (e.g., simultaneously responsible for the management and execution of a transaction) creates an opportunity for that person to access valuable assets and manipulate financial data for personal gain or to conceal losses. Therefore, in daily auditing, seemingly trivial job separation and regular rotation system, behind which there is likely to lurk a large conflict of interest and serious fraud (case) risk, even if not in possession of sufficient evidence of fraud, but also to the audited unit risk alerts, because this is not only the system requirements, but also to prevent fraud (case), to eliminate the opportunity for fraud is the key. In this regard, the internal auditors of commercial banks must pay great attention and vigilance.

4, pay close attention to fraud signs (signals). Fraud occurs, the perpetrator will often leave some traces, which requires internal auditors to carefully observe, serious inquiries, in-depth investigation and forensics. First, the signs (signals) of employee fraud are: overspending on purchases or extravagant lifestyles; unexplained mood swings or complex unusual behavior; low psychological tolerance for stress; the ability to rationalize their theft; the ability to take advantage of weaknesses in internal controls in order to cover up their own fraud; unwillingness to take time off from work or work away from their posts; a large number of chargebacks and wipes in personally handled operations; and a working Chronic low morale; abnormal intimate relationships with customers; signs of heavy personal debt; obsession with gambling, *; failure to provide or timely provision of relevant information or physical objects required for audit inspections under various excuses, etc. Second, the signs (signals) of organizational fraud are: loss or destruction of accounting records or related documents; too many "cancellations" or "refunds"; unusual or repetitive transactions; a large number of adjustments or eliminations; unrealistic performance forecasts or appraisals; long-term low morale of employees; and the financial and management of the company. Chronic low morale; frequent changes in the head of the finance department or key personnel; increasing bad and doubtful debts; unusual connected transactions; intentional misstatement or misappraisal of business transactions, assets, liabilities, or revenues; rumors of conflicts of interest; excessive financial pressure or unrealistic business metrics; etc.

These are some of the reasons why it is important to have a clear understanding of the business environment and how it is affected.

Through the soundness and effectiveness of the internal control system of the audited entity, the control environment, the division of duties and responsibilities and potential conflicts of interest, signs of fraud (signals) and other four aspects of the comprehensive analysis and judgment, and combined with the appropriate use of fraud auditing methodology, focused on substantive testing, it is possible to find timely clues and evidence of fraud.

Fourth, the commercial bank fraud audit methods

Fraud audit methods are many, in addition to the routine audit of some of the methods used such as monitoring the disk, inquiries, on-site observation, field investigations, and other methods, but also the use of some special auditing methods:

Analytical review (measurement). It refers to some important ratios or trends of the audited unit, including the investigation of abnormal changes in these ratios or trends and their differences from the expected amounts and related information.

Correspondence. Refers to the method of sending a letter of inquiry to a third party in the name of the audited entity in order to corroborate the matters contained in the accounting records of the audited entity and to prevent the audited entity from making false statements.

Red flag flag method. That is, the probability of fraud occurs in a relatively high link expressed in words, the equivalent of inserting a red flag to attract attention, as the focus of suspicion and investigation of fraud.

Manufacturing error method. Is aimed at internal control weaknesses and easy to fraud damage links, to take the manufacture of real errors in order to observe whether they pass through the control system practice, in order to observe the control system to produce the possibility of fraud and its extent.

Patch checking method. Refers to the fraud perpetrators to cover up their behavior, often destroy part or all of the books, vouchers, in this regard, the auditor should be based on the principles of accounting (borrowing must be credited, borrowing and crediting must be equal) to take the internal and external adjustments, to make up for the destruction of books and vouchers, and then check the books to discover the facts of the fraud.

Tracking method. It is in accordance with the flow of funds and account processing procedures, accounting records and the direction of funds to conduct retrospective tracking checks. Can be designed through the business flow chart, the flow of funds table and other methods to find out the ins and outs of the funds.

Computer fraud audit methods. The use of computer fraud in many ways, there are tampering with input and output, tampering with program settings, tampering with data files, set up "program backdoor", set up logic bombs, computer viruses, computer Trojans (steal user passwords for online banking), hacker invasions and attacks, and so on, then investigate and prevent computer fraud methods. There are many ways to investigate and prevent computer fraud, such as physical control, logical control, firewalls, antivirus software installation; software review method, change the machine review method, dark box review method and so on.

Prevention methods. It refers to the use of employee background information checks, comprehensive evaluation of internal control and a variety of special audit inspections to promote the gradual improvement of the internal control system of the audited unit as a means of preventing the occurrence of fraud.