This short article (http://www.macroresilience.com/2013/12/04/how-to-commit-fraud-and-get-away-with-it-a-guide-for-ceos/) reinforces my view that audits should focus more on understanding and evaluating the logic and parameters fed into any automated system (or even a manual process for that matter), and only then ensuring that it is taking action and producing reports as expected. If not, it will just be a case of GIGO. (It reminds me of an ex-colleague who would diligently run a spelling and grammar check. Sadly, his English was so poor that he had no clue what edits to accept or reject, so he would simply accept all suggestions.)
In addition, for the audit process — whether it involves people in Business/Operational Risk, internal/external Audit or Compliance — it will help to implement a continuous audit on the entire system (not just on the output), thus ensuring that algorithms are not tweaked just before or after an audit.
I will have more to say about fraud in a future post — a case I observed — it seemed so easy!