IN THIS ISSUE

Third Quarter 2006 • Vol. 10 • No. 3

Print Article Print Entire Issue

The Institute Updates Its Fraud Detection Practice Advisories

Amended guidance encourages internal auditors to be proactive in fraud detection activities through awareness and audit tests that will improve the likelihood that fraud indicators will be detected.

Organizations are exposed to some degree of fraud risk in any process where human input is required. The degree to which an organization is exposed relates to the risks inherent in the business, the extent to which effective internal controls are present, and the honesty and integrity of those involved in the process. To help practitioners and audit committees understand internal auditing's responsibilities regarding antifraud activities, The IIA amended its Practice Advisory (PA) 1210.A2-1: Auditor's Responsibilities Relating to Fraud Risk Assessment, Prevention, and Detection and PA 1210.A2-2, Auditor's Responsibilities Relating to Fraud Investigation, Reporting, Resolution, and Communication.

The amended PAs discuss the definition of fraud and provide examples of types of fraud, including theft, kickbacks, embezzlement, fraudulent claims for services or goods, and unauthorized use of confidential or proprietary information. They also discuss fraud activities designed to benefit the organization, such as exploiting an unfair advantage to deceive an outside party where the perpetrator may accrue personal benefit, such as bonus payments or a promotion.

The PAs also provide discussion on factors that generally influence fraud such as opportunity, motive, and rationalization. And although auditors may not be able to know the exact motive or rationalization leading to fraud, they are expected to understand the organization's internal control system to help identify opportunities for fraud, as well as to understand potential fraud schemes, the signs that point to fraud, and how to prevent fraud. To help in this effort, the guidance suggests that internal auditors use a risk model to map and assess the organization's vulnerability to these fraud schemes. The risk model should cover all inherent risks to the organization, as well as provide enough detail to identify and cover anticipated high-risk areas.

The PAs further advise that when examining and evaluating the adequacy and effectiveness of an organization's internal control system, practitioners should:

• Consider the control environment.
• Evaluate management's processes for identifying, assessing, and testing for potential fraud.
• Assess the design of fraud-related controls.
• Review the operating effectiveness of information and communication systems and practices.
• Assess fraud-monitoring activities and related computer software.
• Support the development of fraud indicators.
• Hire and train employees so the audit group can have the appropriate fraud audit or investigative experience.

So what is the practitioner's role in fraud detection? To the degree that fraud may be present in activities covered in the normal course of audit work, practitioners have a responsibility to exercise due professional care as specifically defined in Standard 1220 of the International Standards for the Professional Practice of Internal Auditing with respect to fraud detection. However, audit procedures alone, even when carried out with due professional care, do not guarantee that fraud will be detected. Still, tests conducted by practitioners will improve the likelihood that any existing fraud indicators will be detected and considered for further investigation.

Practitioners who are alert to opportunities that could allow fraud — such as control weaknesses, unauthorized transactions, sudden fluctuations in the volume or value of transactions, control overrides, and unusually large product losses — and who evaluate the indicators of fraud are in a better position to decide whether further action is necessary or whether an investigation should be recommended.

The amended fraud PAs are available on The IIA's Web site,
http://www.theiia.org/index.cfm?doc_id=4299.

Additional Fraud Resources Available on The IIA's Web site

• Standard 1220 — Due Professional Care, http://www.theiia.org/?doc_id=1595.
• IIA Fraud Repository, http://www.theiia.org/?doc_id=4673.
• Fraud articles in Internal Auditor magazine, http://www.theiia.org/index.cfm?act=iia.internalAuditor:
  – June 2006, "Will History Repeat Itself?"
  – April 2005, "A Proactive Approach to Fighting Fraud."
  – April 2004, "Uncovering Fraud."