As fraud investigations get folded into the internal audit department, some audit shops are tempted to frame a fraud report in the same format and tone as the audit report. The idea couldn’t be more wrong. Fraud and audit reports must be distinct because they are intrinsically different from one another.
Read on for ways to present a full and succinct fraud investigation report using report design, content, and tone.
Design: Fraud Reports with an Edge
From the onset, fraud reports include different information and you want these reports to look distinct, but still look like part of the fleet of reports that internal audit cranks out. For example, you’ll probably need to stay within the font and design conventions of your company, but consider how the following areas can be changed to distinguish the fraud report.
Be specific. Make sure that the first thing your audience reads is “Fraud Investigation Report” so there is no confusion on the purpose of the report.
Enlarge the word Confidential. “Confidential” should be at the top of the report. Make it large and boldface the word. Fraud investigations are typically not shared outside of HR and upper management.
Change the color scheme. If your audit reports have a blue header, consider a different color header for the fraud report. Your company may allow a red or a purple color scheme as an alternative format.
Content: Write to Your Audience
Because investigative reports mainly involve personnel and legal issues, your audience is limited. Your typical fraud audience will be the Chief Executive Officer, Chief of HR, Chief of Law, Chief Audit Executive, and Head of the Audit Committee.
This small and informed audience knows the situation, and they are ready to move forward, so you can skip the internal audit fluff (e.g., scope, background, audit notes, distribution list).
Think of the investigative fraud report as being part of a larger conversation not the beginning of a conversation. Because of the knowledge level of your audience, you can start your report in the middle of the conversation. So, skip the intros and get right to the heart of the investigation.
Design: Keep It Simple and Succinct
Although design might change between different companies, audit reports share roughly the same content. In an audit report, you go through some overarching business items of the audit (e.g., audit dates, background, and scope) along with some optional sections (e.g., distribution list, report rating, and audit notes).
Fraud audit content is completely different. For starters, fraud reports get right to the point. If you are designing a fraud report, consider the following outline as an example:
Page 1 (Cover Page)
Allegations (one paragraph under 70 words, or 3-4 sentences)
Results (2-3 sentences per allegation)
Approach (Single sentence)
Summary of Evidence
Fraud investigation reports are around 4-6 pages (excluding the Appendix). Once you’ve determined the outline for the fraud report, move on to deciding how to write each section of the fraud report.
Content: For Fraud Eyes Only
The outline above looks very different than typical audit reports. Here’s a quick breakdown of what to write in each section and why some sections don’t belong.
Allegations: in typical reports, there are no allegations – you look at a predetermined process or operation. Keith Fletcher is an internal audit manager with more than 20 years experience, specialising in fraud. For Fletcher, allegations keep fraud interesting. “When I did bank secrecy audits, I could often write the report before completing the fieldwork – so mundane. In fraud, we have a specific allegation we’re going in to review. The report and content is always different.”
How many allegations should you include in a fraud investigation? It varies depending upon the situation and the number of people involved.
“If the fraud investigation is about a person,” notes Fletcher, “like someone skims cash, commits payroll fraud, and abuses the company-purchasing card, then we have three allegations: theft, payroll fraud, and misappropriation of assets. However, because the same person commits all of these allegations, the report is still a single investigation.”
Approach: Approach is similar to the audit report scope section; however, approach lists who was interviewed and what the fraud investigative team looked at. In this section, you can also refer the reader to various exhibits and more information located in the appendix portion of the report.
Results: The Results section isn’t long – around 2-3 sentences per allegation. This section will determine whether the allegation was substantiated, unsubstantiated, or inconclusive. Here’s an example of a Results section:
The AR manager skimmed cash beginning January 1, 2018. This resulted in a loss to the system of $xx.
Summary of Evidence: The summary of evidence in fraud reports is the same as the body of the report (the issues) in audit reports. The length of the summary of evidence varies according to the results. If substantiated, the summary of evidence could be from a single page to 3-4 pages.
To organise your summary of evidence section, break it down into sections, or subcategories. Using the example from above, categories could be Theft, Payroll Fraud, and Purchasing Cards.
Content: The Skinny on Recommendation and Risk Assessment
You might think that fraud reports should borrow some sections from the audit report (like risk or recommendations). However, these sections detract from the single purpose of the fraud report: to inform.
Recommendations: After all the investigating, fraud auditors should include their recommendations for action, right? Wrong. “In fraud, we give no recommendations,” says Fletcher, “but we have to provide enough supporting evidence so the recipient can take the information and decide what they need to do.”
Risk: Unlike audit reports that outline the risk of audit issues, the fraud audience has to determine the risk on their own. Fraud investigations trust the audience is already well aware of the risk. For fraud, what once was a risk has often already materialised into a financial, productive, or reputational loss to the company.
Tone: Keeping Your Cool
In audit reports, you have to be a little more... diplomatic. In fraud reports, you get to be candid, and for many, writing frankly is a breath of fresh air.
This candid method presents pros and cons. On the upside, you have very few people reviewing this – and the person being investigated is not a reviewer (yay!), so you get to be blunt. On the downside, you could inadvertently use negative instead of neutral language – especially when the suspect is guilty. You have to allow the facts to stand on their own and keep your tone neutral.
Below is a quick list of tone words you can expect to see in fraud reports that would communicate differently in audit reports.
For a department, so objective in nature, internal audit is oddly also very personal.
After being in audit for 15 years, I am constantly inspired by auditors who love their audit specialties and continue to learn more – even when it comes down to simply subtle but significant differences between two types of reports.