Should Internal Audit Be Responsible for Detecting Fraud?

Norman Marks, CRMA, CPA, was a chief audit executive and chief risk officer at major global corporations for more than 20 years. The views expressed in this blog are his personal views and may not represent those of The IIA.


Internal auditors love fraud: detecting it and investigating it. The majority of boards and top management expect internal auditors to dedicate a fair portion of their time to auditing for fraud and performing investigations as needed.

But should the internal audit department be responsible for detecting fraud? Should they allocate a large portion of their audit resources to engagements that focus on the risk of fraud or theft? 

While I fully support internal audit involvement in investigating potential fraud, I would like to suggest that organizations need to rethink the role of internal audit in detecting fraud.

Management should be responsible for the system of internal controls, including the ability to prevent and, as necessary, detect potential theft and fraud. Internal audit should only take on any part of this management responsibility with the prior and formal approval of the audit committee. In such cases, the responsibility of internal audit should be limited (in my opinion) to a secondary role in detection while management remains responsible for the primary detection role and fully responsible for prevention.

What do I mean by a secondary role? Management should always be responsible for detection that can be performed in the normal course of business, as part of such functions as payroll, procurement, accounts payable, and inventory management where there is a greater likelihood of theft or fraud simply because of available liquid assets.

Internal audit can play a role where they are like the sweeper on a football team (soccer for Americans). They can use analytics and similar tools to sweep up any potential theft or fraud that has evaded the preventive and detective controls of management. If and when internal audit detects a fraud or theft, they should work with management to strengthen their defenses.

How much time should internal audit allocate to the detection of fraud?

In my opinion, the board and management should expect internal audit to allocate resources consistent with the risk of fraud or theft, while considering the ‘opportunity cost’: what risk areas are they unable to address because of the time spent on fraud.

Where the risk of fraud is high, meaning that there is an unacceptable likelihood of a level of theft or fraud that would be significant to the operation of the business, internal audit should spend more time. But when there is very little likelihood of such a significant fraud or theft, it may well be appropriate to leave this area without internal audit detection in place.

It is important, when assessing fraud risk, to consider not only the immediate size of any loss of assets but also such factors as:

  • The potential for a theft or fraud to impact customers, such as when finished goods inventory meant for customers is stolen, or when raw materials necessary for manufacturing are taken.
  • The potential for the fraud or theft to impact financial reporting.
  • Whether undetected fraud or theft is likely to grow from small beginnings into something of significant impact to the business.
  • The potential impact on employee morale and the culture of the organization.

Internal audit can also contribute their expert knowledge by helping management with a fraud risk analysis. I prefer this to be a management responsibility, just as risk assessment in general is a management responsibility. But internal audit may have more understanding and be more capable at some organizations to perform the fraud risk assessment for management. This should not be kept within internal audit, but shared with — and owned by — management so they can ensure the right preventive and front-line detective controls are in place.

I think many internal audit departments spend too much time on fraud detection when it should be a management responsibility. As a result, they are limiting their ability to address risks that are far more significant to the organization’s ability to surpass its objectives and create value.

What is your view?

Posted on Jul 20, 2013 by Norman Marks


  1. At last! A challenge to the internal audit obsession with fraud. You are right, Norman, the risk of fraud must be placed alongside other risks. How many organizations fail as a result of fraud? A few. How many organizations fail as a result of bad board decisions? Many. Yet, as you say, internal auditors spend too much time on fraud detection. I believe internal auditors should spend more time examining the controls around strategic risks, such as those covering board decisions, information presented to the board and major expenditure (such as advertising). This is where internal audit can add real value. However there is one impact of fraud we can't ignore - the emotional impact - you mention the potential impact on employee morale. As a result, the directors may give as much emphasis to the audit of a small subsidiary, or the employee social club, as they will to the audit of much more significant risks. Further, when a fraud occurs additional controls are often thrown at the systems. These controls are often ineffective and inefficient but no-one dares raise objections because of the emotions surrounding the fraud. Many years are then spent delicately removing these unnecessary controls, which often cost more than the original fraud! I think it is therefore necessary for internal auditors to consider this emotional impact when examining and recommending controls which are specifically aimed at preventing and detecting fraud. It is likely that a certain amount of inefficiency and duplication may have to be tolerated for these controls.
  1. No doubt, risk-based internal audit will ensure focused activity for internal auditors, and save cost.  But to the extent that internal audit is a management 'tool', management is at liberty to use that tool as it deems fit.

    In discharging its responsibility for efficient running of the organization, management can, and should, deploy internal audit to any activity - fraud detection, special investigation involving fraud and irregularities, review of operations (financial and otherwise) for greater efficiency, etc.  And this is one of the areas internal audit can be distinguished from external audit.



  1. Okechukwu, do you really think management should be able to dictate what internal audit does? That is hardly an independent and objective activity that reports to the board. 

  1. I agree wholeheartedly. I used to be an internal auditor for a very large school district. Over 75% of my time was devoted to auditing student fund raising activities. Admittedly, there were tens of millions of dollars being raised, primarily in cash across the district. However, the Board and Senior Administration resisted implementing some very easy to use fund raising tracking software which would have allowed me to virtually automate the process using IDEA/ACL. What a shame that they left so much risk exposed because they didn't want to ruffle teacher's feathers and implement a very easy to use software that was very well developed and widely used in other large school districts.
  1. Norman,  very thought provoking.  

    As an internal auditor and fraud investigator I feel that the issue is one of balance.  Some audit shops tend to focus too far one way and not enough the other.  

    I would also add that the risk from fraud is often not the loss of assets, but rather perception, and this can be devastating to a Board and Executives particularly when times are sensitive (election time, company restructure, etc).  

    I also find that a good fraud investigation can, if done properly, add positively to the audit role and control environment by not just finding if there is guilt or not and the value of the loss, but also identifying non compliances, risks, poor governance and opportunities for improvement.    


  1. The answer to this title is YES, you cannot possibly argue otherwise. Management relies heavily on Internal Audit to spot fraud especially in post audit of transactions even though they have weak control set-up. That's the very essence of putting up a cost center called Internal Audit. Oftentimes when management is first to spot a problem, the first question is always thrown at Internal Audit, why an exception was not detected, or the weakness in the audit procedures, note "audit procedures" not the policy.

    While there's no arguing re Management Responsibility, and independence, almost always, the ideals are far from the twists and complexities auditors encounter in actual practice.

    This proviso is only good in the Charter but cannot be raised without reservation whenever confronted with undetected fraud issue by management, do we expect the Chief Audit Executive to raise this up in defense of an inadequate audit procedure as originally provided and approved by management?

    Management may grant you total independence by firing you for sleeping on the job. Bottom line is it is part of Value Added Service to appraise the internal controls and recommend changes/improvements to it, where if management fails to appreciate, safest way is to keep including the exceptions brought by the new procedure in every report.

    Just my opinion.

  1. IA must focus on the risk of BIG frauds: shareholders expect the least from IA, and Barings Bank should always haunt our minds. To do so: perform CAAT. Audit without CAAT is not a full Audit. But IA should not waste time with risk of small frauds - which become Management's obsession, courtesy of a "talibanesque" interpreting SOX and FCPA. So Norman's analysis is fully accurate, although under a bit of a bold heading.
  1. Frankly, if the right hand can work with the left, the work is much more efficient. Every organization has a different balance between the fraud team and management. The key is to work together in your unique circumstances to get the optimal value for your time.
