The Institute Updates Its Fraud Detection Practice Advisories
Amended guidance encourages internal auditors to be proactive in fraud detection activities through awareness and audit tests that will improve the likelihood that fraud indicators will be detected.
Organizations are exposed to some degree of fraud risk in any process where human input is required. The degree to which an organization is exposed relates to the risks inherent in the business, the extent to which effective internal controls are present, and the honesty and integrity of those involved in the process. To help practitioners and audit committees understand internal auditing's responsibilities regarding antifraud activities, The IIA amended its Practice Advisory (PA) 1210.A2-1: Auditor's Responsibilities Relating to Fraud Risk Assessment, Prevention, and Detection and PA 1210.A2-2: Auditor's Responsibilities Relating to Fraud Investigation, Reporting, Resolution, and Communication.
The amended PAs discuss the definition of fraud and provide examples of types of fraud, including theft, kickbacks, embezzlement, fraudulent claims for services or goods, and unauthorized use of confidential or proprietary information. They also discuss fraud activities designed to benefit the organization, such as exploiting an unfair advantage to deceive an outside party where the perpetrator may accrue personal benefit, such as bonus payments or a promotion.
The PAs also discuss factors that generally influence fraud, such as opportunity, motive, and rationalization. Although auditors may not be able to know the exact motive or rationalization leading to fraud, they are expected to understand the organization's internal control system to help identify opportunities for fraud, as well as to understand potential fraud schemes, the signs that point to fraud, and how to prevent fraud. To help in this effort, the guidance suggests that internal auditors use a risk model to map and assess the organization's vulnerability to these fraud schemes. The risk model should cover all inherent risks to the organization, as well as provide enough detail to identify and cover anticipated high-risk areas.
The PAs further advise that when examining and evaluating the adequacy and effectiveness of an organization's internal control system, practitioners should:
So what is the practitioner's role in fraud detection? To the degree that fraud may be present in activities covered in the normal course of audit work, practitioners have a responsibility to exercise due professional care as specifically defined in Standard 1220 of the International Standards for the Professional Practice of Internal Auditing with respect to fraud detection. However, audit procedures alone, even when carried out with due professional care, do not guarantee that fraud will be detected. Still, tests conducted by practitioners will improve the likelihood that any existing fraud indicators will be detected and considered for further investigation.
Practitioners who are alert to opportunities that could allow fraud — such as control weaknesses, unauthorized transactions, sudden fluctuations in the volume or value of transactions, control overrides, and unusually large product losses — and who evaluate the indicators of fraud are in a better position to decide whether further action is necessary or whether an investigation should be recommended.
The amended fraud PAs are available on The IIA's Web site,