Fraud Is Back (on Internal Auditing's Radar)!

Richard Chambers, CIA, CGAP, CCSA, shares his personal reflections and insights on the internal audit profession.

I first noticed the faint drum beat around internal auditors reengaging on fraud about a year ago. In recent weeks, the drums have become almost deafening. For example, last week, the South Florida Chapters of The IIA and the Association of Certified Fraud Examiners held a joint full-day conference focused on fraud, and more than 230 local professionals turned out to participate. Later today, The IIA will host a one-hour webcast for North American members on “Taking Fraud Awareness to the Next Level: The Risk Universe, Technology, and Internal Audit’s Role.” More than 7,000 internal audit professionals have registered for the event — making it the largest single professional development event The IIA has ever hosted.

So what is going on? Is fraud on the rise, or are internal auditors refocusing on this enduring risk after several years of having their attention diverted to U.S. Sarbanes-Oxley Act of 2002 compliance and financial control assurance? The answer is probably both. There is little doubt that the current economic crisis creates greater financial pressures on management, employees, and vendors. Such pressures have historically given rise to greater fraud risks. However, it is also true that fraud has not been viewed by internal auditors as a risk warranting the levels of coverage traditionally seen. So in many respects, “everything old is new again,” and internal auditors are reengaging in fraud prevention, detection, and investigation.

Last month, The IIA hosted a roundtable of chief audit executives (CAEs) from leading North American companies to explore internal auditing’s role in fraud prevention and detection. The participants agreed that fraud risks are increasing in the current economy. Some fraud schemes that roundtable participants believe are on the rise are: 

  • Technology fraud.
  • Cyber security.
  • Industrial espionage.
  • Intellectual property theft.
  • Strategic fraud.
  • Leakage of mergers and acquisition intelligence.
  • Check schemes.
  • Vendor and contract fraud.
  • Bid fixing.
  • Fraud related to employee benefit programs.

Last December The IIA published an excellent Practice Guide titled Internal Auditing and Fraud. This guide discusses fraud and provides general guidance to help internal auditors comply with professional standards. To help organizations and internal auditors combat fraud, the guide discusses:

  • Fraud awareness (e.g., reasons for and examples of fraud and potential fraud indicators).
  • Fraud roles and responsibilities.
  • Internal audit responsibilities during audit engagements (e.g., execution responsibilities and communicating with the board).
  • Fraud risk assessment (e.g., identifying relevant fraud risk factors and mapping existing controls to potential fraud schemes and identifying gaps).
  • Fraud prevention and detection.
  • Fraud investigation.
  • Forming an opinion on internal controls related to fraud.

The guide also includes reference material, questions to consider, and a fraud risk assessment template.

Additionally, a companion Global Technology Audit Guide (GTAG) was published on Fraud Prevention and Detection in an Automated World. And The IIA’s latest Knowledge Alert, Emerging Trends in Fraud Risks (PDF) provides CAEs and other internal auditors with thought-leadership pertaining to the role of internal auditors in fraud risk management. These valuable resources are available at no cost to IIA members by following the links embedded in the titles above.

In the coming weeks and months, we will continue to focus on this important topic. In the meantime, I encourage you to share your thoughts on internal auditing’s role in fraud prevention and detection, as well as specific fraud schemes/risks that you believe are on the rise.

Posted on Mar 24, 2010 by Richard Chambers

  1. The extent to which internal audit should be involved in fraud prevention and detection is an interesting one. For example:

    1. It is management's responsibility to have controls that provide reasonable assurance that fraud will either be prevented or detected.
    2. Many would assert that internal audit should not be responsible for fraud detection, but should instead focus on assessing whether management's processes and controls to prevent or detect fraud are adequate to the task.
    3. It is also a matter of debate whether internal audit functions focus too much on fraud and too little on assessing management's processes for managing risks, and providing guidance through consulting services to build an effective risk management process.
    4. I wonder whether the level of internal audit involvement in fraud detection is consistent with the level of risk that fraud represents to the organization. Where is fraud risk relative to supply chain risk, cash flow and credit risk, etc? Is internal audit focused on its traditional role instead of where the greatest risks to the business lie?
  1. One of the interesting phenomena when you make a comment with a series of questions is that people assume or infer your position. So, let me take the mystery out.

    I believe the role of internal audit is to provide objective assurance and consulting services regarding the effectiveness of the organization’s governance, risk management, and related internal control processes. In other words, I agree with the definition of internal auditing in the Standards.
    To do that, internal audit should assess the adequacy of the governance and risk management processes. When these are ineffective, risks (including the risks of fraud) are likely to be less than well managed – and the organization’s ability to achieve its strategies and goals imperiled.
    Internal audit should assign resources and prioritize its attention - its assurance and consulting services - based on the level of risk each area represents to the organization. Attention to fraud should be commensurate with the risk it represents. It should not be an automatic area of focus.
    Just think of the companies whose (unaudited) risk management processes failed while the auditors were conducting investigations of inventory theft and payments to fictitious vendors.
  1. I may have been at fault myself at a prior company, a few years ago. I was new to the company and focused on fixing SOX and the financial reporting process (which had major flaws; for example, not a single employee involved in financial reporting, from analyst to CFO, had a CPA or equivalent) plus investigating procurement fraud (which led to firing the IT management team in China). The adequacy of financial reporting was an issue consuming the board, external auditors, and top management. We joked that we had restated every SEC filing except the proxy – and came close there as well. But, I realized too late that the (unaudited) engineering and product development area was going to drive the company into the ground through its inability to deliver the right product, with the right cost, at the right time.

    I also separate financial statement fraud by senior management, which is much less common than some assert, from other fraud, which is very common. The external auditors have the primary responsibility for auditing the financial statements and assessing the risk of related material fraud – not the internal auditors. However, internal auditors should not abdicate the area entirely, especially when their closeness to operations and understanding of the business should lead them to suspect financial statement error or fraud.
  1. I believe that internal audit has a responsibility for reporting to the audit committee any deficiency in the external audit team. For example, if they can see that the team has insufficient experience or technical knowledge, or is failing to address areas of higher risk, this should be brought to the attention of the external audit partner and the audit committee if not addressed. (See my blog on the lessons we should learn from Lehman.)

    But let’s face the facts. The ACFE estimates annual losses through fraud at 7-8% (fairly consistent in this range over the years). That includes theft of time (playing on the internet) as well as loss of cash. For how many companies is fraud and theft of assets in the top ten risks? How many companies include fraud and theft high in their reported risk factors?
    So, where fraud is a risk that merits attention I prefer to assess whether management has effective processes and controls to prevent or detect fraud. Those should include fraud risk assessment, as well as controls. (Because of internal audit’s greater proficiency, I don’t have a problem with internal audit leading or facilitating the fraud risk assessment process). Only if justified based on the risk level, facts and circumstances – including support from the audit committee and top management – would I ask internal audit to take on fraud detection.
  1. If internal auditors are the watchdog of organization governance, who then watches the auditors? More likely the reply would be the audit committee or an independent body, which may not have the standard audit expertise to audit auditors.

    What happens now if an internal auditor is involved in preparing a misleading audit or management report?

    Is there any particular legal violation? If so, what is the law that regulates misconduct by internal auditors?
