I'm very confused by nature of internal audit. I see lots of talk about the need to have only an "awareness of fraud," meaning an acknowledgement that it exists and to investigate it if it's uncovered, but that's it's not the focus of internal audit. In actual practice there is significant pressure to find fraud (so much so that "professional skepticism" seems to mean to assume the person you're dealing with is committing fraud but you've failed to provide evidence so far) yet there's a lack of guidance on how to uncover fraud, especially in any way to conclusively prove there isn't any in an area being looked at. So how does this all work? If you've tested inventory, and haven't found any problems, how do you then prove there isn't any fraud you failed to uncover so that the audit can be completed in a timely manner?
My understanding of "professional skepticism" is to question elements of the process being reviewed which may include but not limited to the person but also the technology utilized, the documentation files or the results of interaction of all the elements in the company’s operation accordingly. So always just “assuming” that fraud is present may be overwhelming so I like to think of it what could be wrong or what corners could be cut by people. Hopefully from that perspective the nature of the audit could be a bit less confusing