This article was first published in the April 2016 UK edition of Accounting and Business magazine.

Fraud is a significant business risk that threatens both profits and reputation. Its discovery often causes extreme disruption within the victim organisation, with senior managers demanding explanations and looking for someone to blame. 

Where better to start than with the internal auditors – everyone knows their job is to prevent and detect fraud, right? So what on earth have they been doing? Although unfair, this question is likely to be posed and to prove uncomfortable. 

Auditors are not particularly good detectives. Statistics show that frauds last 18 months on average and are more likely to be uncovered by a tip-off, management review or accident than by an audit. What’s more, neither internal auditors nor managers are likely to view fraud as a high priority until a disaster actually occurs, although attitudes change very quickly when that is the case. 

‘Responding to fraud risk: exploring where internal auditing stands’ is a 2015 report by the Institute of Internal Auditors (IIA) Research Foundation. It highlights the gaps of perception, expectation and skill around fraud that exist in many organisations and which could have serious consequences for the company and its internal audit function.

The starting point for effective internal audit is for an entity to decide and articulate its expectations of the function.

Standards and policies 

Fraud is not the primary focus of auditing. The IIA defines internal auditing as ‘an independent, objective assurance and consulting activity’ that adds value to an organisation’s risk management, control and governance processes. 

The IIA’s standards include several requirements about fraud. Internal auditors must:

  • have sufficient knowledge to evaluate the risk of fraud and how it is managed, but are not expected to have the expertise of someone whose prime responsibility is detecting and preventing fraud
  • evaluate the potential for fraud to occur and how the organisation manages fraud risk
  • consider the probability of significant fraud when setting objectives.

Companies’ audit committees and senior managers may expect additional work from internal audit, such as data analytics and fraud investigations. It is the combination of external standards and internal policy that determines the precise role of internal audit in responding to fraud risk within each organisation. This should be stated clearly in the audit charter and the anti-fraud policy. 

The baseline is clear: internal auditors should always consider the risk of fraud when planning their work, be alert to red flags during engagements, and respond in line with the organisation’s policies and expectations.

Risk assessments and controls

Effective fraud risk management depends on devolving responsibility throughout the business. Internal auditors should be proactive and help to educate at all levels – in particular, by encouraging and facilitating periodic fraud risk assessments. Time spent here will add value to the business by raising awareness and identifying threats, thereby minimising potential losses. 

Internal auditors should incorporate the results of these risk assessments into their planning. By targeting the high-risk areas identified (such as cybercrime threats and procurement vulnerabilities), proactive anti-fraud work can be undertaken that is both proportionate to business needs and valuable.  

In addition, there are many generic controls that help to prevent, deter and detect frauds. They include segregation of duties, delegation of authority, and physical and IT security measures. Research by the Association of Certified Fraud Examiners (ACFE) highlights the importance of a number of specific anti-fraud controls (see table).

Responsibility for implementing these controls resides with management. Internal auditors assess them – do they exist, are they operating efficiently and effectively – and promote improvements. For example, they should champion fraud awareness training for managers and staff, monitor the programme and be prepared to facilitate the training themselves if needed.

Failure of detection is an important part of the perceptions gap. Nothing undermines internal auditors’ reputations more than the belief that they ‘missed’ a fraud. In reality, fraud schemes are hidden and so are difficult to detect. The performance of the detective controls is crucial here; their effectiveness will largely determine an organisation’s ability to uncover fraud quickly and thereby minimise losses. 

Internal auditors should consider focusing on the following issues:

  • ACFE identifies the tip-off as the most important fraud detection method. Internal auditors need to consider whether an open culture exists in their organisation – are employees willing to come forward with their concerns? They should then assess the adequacy of the company’s whistleblowing procedures and monitor how the disclosures are handled.
  • Data monitoring and analysis is becoming more effective at reducing fraud loss and duration. The use of data analytics increases the likelihood of detecting fraud schemes (for example, fictitious employees and suppliers) and raising red flags (such as duplicate payments or invoices, unusual trends, patterns and timing of transactions, etc). Data analytics requires an investment of time and resources, so it might be more applicable to larger organisations. But internal auditors should encourage the use of new technology wherever possible, including in their own work. Data mining software will not only improve their chances of detecting fraud but will also promote more efficient auditing generally. 
  • Surprise audits are a traditional form of control that is frequently underused today. They can be effective in deterring or detecting fraud, and internal auditors should consider their potential in specific circumstances, such as in areas of high risk or where reasonable suspicion exists.

The right skills 

Few internal auditors have fraud-related qualifications. While such qualifications enhance credibility, they are not key in assessing fraud risk or being alert to red flags. The key for internal audit is to ensure the team has the skills to discharge its responsibilities effectively. The options here are to recruit, train or hire.

Some large enterprises recruit experts, such as certified fraud examiners or investigators, to improve their fraud risk management. Others prefer professional development, supplementing the experience and business knowledge of their existing team with training in relevant areas such as technology and data mining. Technical investigation training – understanding and applying the evidence rules, interviewing under conditions of stress – is essential where internal auditors are expected to investigate fraud. 

Finally, specialist forensic accountants can always be hired if needed.  

This three-stage approach is proportionate and proactive, but implementing it takes courage from both management (time and money are required) and internal auditors (persistence is needed in sensitive and challenging conditions).

It is often easier to avoid dealing with fraud or even talking about it, but this is a mistake – gaps of perception, expectation and skill will develop and there is danger in these gaps. Fraud is like a mushroom: it thrives in the dark. 

Steve Giles is an independent consultant, lecturer and author specialising in corporate governance, risk management, internal audit and ethics

Anti-fraud controls

Preventative                              | Detective
------------------------------------------|--------------------------------
Management review                         | Whistleblowing hotlines
Staff vetting and supplier due diligence  | Data mining and data analytics
Fraud awareness training                  | Surprise audits