Does Internal Auditing Spend Too Much Time Auditing for Fraud?

Fraud is a major area of focus for some internal audit departments. They use data analytics for fraud prevention, and sometimes that is all they use data analytics for. When the potential for fraud is identified, they quickly put a team together to investigate.

The reasons for this include an historical focus on fraud (including expectations from management and the board) and a desire to “add value” by detecting fraud and performing investigations.

But, is this historical focus appropriate today? I believe the answer is “perhaps.”

I believe the role of internal auditing is to provide objective assurance and consulting services regarding the effectiveness of the organization’s governance, risk management, and related internal control processes. In other words, I agree with the definition of internal auditing in the International Standards for the Professional Practice of Internal Auditing.

To do that, internal auditing should assess the adequacy of the governance and risk management processes. When these are ineffective, risks (including the risks of fraud) are likely to be less than well managed — and the organization’s ability to achieve its strategies and goals imperiled.

Internal auditing should advocate management’s responsibility for identifying and assessing fraud risks, and for efficient and effective controls to prevent or detect fraud. Internal audit should not, in my opinion, “own” the responsibility for fraud detection. Rather, it should help management ensure appropriate controls to prevent/detect fraud through assurance and consulting services. (It may be appropriate for the chief audit executive to lead a separate Fraud Investigations unit, with the approval of the audit committee.)

Internal auditing should assign resources and prioritize its attention — its assurance and consulting services — based on the level of risk each area represents to the organization. Attention to fraud should be commensurate with the risk it represents. It should not be an automatic area of focus.

Just think of the companies whose (unaudited) risk management processes failed while the auditors were conducting investigations of inventory theft and payments to fictitious vendors.

Let’s face the facts. The Association of Certified Fraud Examiners estimates annual losses through fraud at 7-8 percent (fairly consistent in this range over the years). That includes theft of time (playing on the internet) as well as loss of cash. For how many companies is fraud and theft of assets in the top 10 risks? How many companies include fraud and theft high in their reported risk factors?

So, where fraud is a risk that merits attention, I prefer to assess whether management has effective processes and controls to prevent or detect fraud. Those should include fraud risk assessment, as well as controls. (Because of internal audit’s greater proficiency, I don’t have a problem with internal auditing leading or facilitating the fraud risk assessment process.)

I include fraud risks with all other forms of risk in my risk assessment process. If fraud is among the top risks, then it is included in the audit plan. The procedures I perform may include data analytics to test for the existence of fraud and for potential weaknesses in fraud-related controls.

If it is not among the top risks, I will not perform related procedures.

Do you agree? How do you determine the level of resources to apply to fraud risk relative to supply chain, compliance, hedging, cash management, or other risks?


Posted on May 3, 2010 by Norman Marks

  1. Hear, hear!

    It's understandable that IA has a tradition of looking at Fraud, but I believe strongly that we are on a journey here to get greater embedding of Fraud risk identification and management into line management processes. It's in these day to day systems and processes that many anti-fraud activities work.

    This change away from the known and somewhat comfortable and needed world of fraud is not entirely easy and I see some CAEs struggling with their teams to help them shift to a "third line of defence" approach to fraud, that takes a hard look at its materiality from a risk point of view. I agree that fraud should be looked at if it features as a key risk area - and even if it does - it's easy to suppose all frauds are key rather than focus on the most significant risks in relation to fraud.

    This journey is the right one for IA to take and - in parallel we must press our colleagues in Finance, Purchasing etc. to step up to play a greater role in this; such a discussion is not always straight-forward but we must remind them that control activities belong to line management processes, not just IA!

  1. Internal control should be set up to control fraud as much as possible but too much time should not be spent on material that is not significant.

  1.  Norman,

    I completely agree with you and I believe that the guidance in the IPPF standards aligns to that as well.  The key is getting management to understand their role in risk.  May is "Internal Audit Awareness Month" and maybe June should be "Risk Responsibility Awareness Month" with a campaign to educate executives and managers of their role.

    With the widening of communications and strengthening of media through technology during a time of economic uneasiness, the markings of fraud, deceit, and ugly business practices are all over the place.  One would think that "fraud" was a new trend.  Truth be told, it's been going on for a very long time.  I don't have statistics, but I would bet it's only the communication of occurrences that increased, not the act of fraud.  Internal Auditors should keep a copy of the IPPF Standards close by to remind themselves of their responsibility and the responsibility of management.

  1. Well written, I really agree with the point you made in the tail end of this article. You made mention of including risk fraud in your risk assessment.

    Thanks for sharing.


  1. As a "regular" staff member in my company long before I became an Internal Auditor, I think that employee morale would be adversely affected if Audit was to ignore (for lack of a better word) fraud occurring within the company.  I would be furious, as a staff member, to know that a fraud my co-worker may be committing isn't as big a concern to management as if a department is using the correct mileage rate. Also, I don't think the internal audit department needs to "quickly put a team together to investigate" but an individual auditor investigating is usually more than sufficient.

    Besides, occasionally investigating a fraud adds a bit of spice in an otherwise dry profession. Sorry, but it's true.

  1. I agree absolutely. The main point is that the responsibility to manage fraud risk belongs to management and not internal audit. Internal audit can be called upon to help fix control weaknesses that may facilitate fraudulent activities. Internal audit can also be proactive in identifying areas of weaknesses that can lead to fraud and offer recommendations on how to fix the problem. However management should own the responsibility of risk management which should include fraud risk. In cases where this responsibility has been transferred to IA, process owners tend not relax or ignore risks that they are aware of. Furthermore if anything goes wrong, the auditor will take the blame. It's good to remember that auditors cannot be everywhere (unlike process owners) and effective auditors use a risk approach to carry out their tasks, meaning that some areas do not have to be covered even though fraud can be committed in these areas.

  1.  Although I agree that fraud detection and prevention should primarily be the role of line management, in practice it does not get done.  There are a variety of reasons, not the least of which is the lack of training for new managers.  Rarely do you see a manager training program that includes risk management.  Also I have often seen management rationalize that the frauds are unlikely or that if possible are small in value and therefore not worth detecting/preventing.

    By default then, it is IA that tries to determine the extent of fraud by testing and monitoring transactions.  When you do find evidence of fraud, then suddenly management takes action and puts controls in place.  

    I have seen some organizations with a Risk Management department that does some of these analytics.  Personally I think that's the way to go.  

  1. The reason to focus on frauds seems quite simple to me. It is very easy to prove the good work of IA to the Audit Committee if the CAE shows them that, for example, the cost of some services dropped by 50% because IA found overpriced contracts and the total economy that arose from reduced prices was, for example, $50 million. Compared to $1 million IA budget, that's a great performance, now IA is not a cost, but a profit center! (smile) Everyone is happy, IA staff and CAE got their bonuses. This is a hypothetical situation, but in many companies things work like this.

    And compare this with a good, high quality report, made in total accordance with the Standards, on gaps in the controls and/or risk management. "Oh, that's bad, we need to do something with this", many AC members will say. But how to evaluate this information? Did the CAE do his/her best during the year? Shall he be rewarded or punished? Unclear.

    We shall be aware of the business environment we are working in. It is very common when there are no auditors in AC's, usually those people are the same kind of managers that we audit. And they often want to see clear, measurable results. Here we come to the conflict of interests in the IA profession: on the one hand we must act according to the Standards, but on the other hand we want promotion, bonuses and respect. So the art of a good CAE in real life is to find balance between those hands.

    PS. Please, excuse me for my bad English.

  1. I think that internal auditing should help management ensure appropriate controls to prevent and detect fraud at a company.

  1. I feel so bad whenever I see companies spending too much resources on processes that would add value to a company's bottom line. Internal Auditing should be a tool to enhance value and not to suck value out of a business. The much hype about Internal Audit has given rise to so many resources being wasted in it without corresponding returns. Well done for writing this piece of wisdom.
