The Fraud Disconnect
A shared understanding of where fraud-related responsibilities lie can help internal auditing and management avoid costly short circuits.
Neil Baker
Editor, Internal Auditing & Business Risk
Just what is internal auditing's responsibility for preventing and detecting fraud? That's a thorny question, but one addressed very clearly in The IIA's International Standards for the Professional Practice of Internal Auditing (Standards). In essence, the principle is this: Internal auditing has a role to play, but the primary responsibility falls on management. Although this sounds simple in theory, the problem lies in communicating that message to management.
"There's no question that many managers assume internal auditing is responsible for detecting fraud," says Tom Tobin, an internal auditor working in the Canadian public sector. "That perception is a communication challenge for internal auditing. We may have defined a role for ourselves, but we haven't necessarily communicated it well to stakeholders, or gained the agreement of management."
Other auditors around the world have the same problem. "The view of my audit committee and senior management is that internal auditing is responsible for fraud, even though I have been trying to educate them about that for two years," one UK chief audit executive told attendees at a forum held in London last year. Other leading auditors at the same event said that nobody in their organization wanted to talk about fraud. It was like a taboo. Some called it the "f-word." They were worried that the default management view — that fraud is internal auditing's job — was deep-rooted and nearly impossible to change.
At many organizations, an expectations gap exists between management's understanding of internal auditing's responsibilities and the department's own views. Although auditing's fraud role may differ from one organization to the next, many practitioners have a developed understanding of what their role is in their particular firm. The challenge they face is getting managers to understand where internal audit responsibility for fraud ends and where management responsibility starts, and eliminating the disconnect in between.
THE EXPECTATIONS GAP
Seasoned fraud investigator Andrew Durant has seen many cases where a lack of clarity about internal auditing and management responsibility for fraud has made an organization more vulnerable, or even been a contributing factor, to a fraud. He cites one business where management had specific ideas about the role of internal auditing, which were different from the view auditing had of its own role. This caused problems when the company made an acquisition. Internal auditing reviewed the bought business and flagged a few problems, "but as far as management was concerned that was it," Durant says. "They didn't see a need to delve any deeper themselves, as internal auditing had said everything was pretty much all right." But Durant, managing director of disputes and investigations at the London offices of Navigant Consulting, says there were significant problems with the new business that internal auditing didn't spot because its methodology was not designed to detect fraud. Eventually, a new financial controller discovered a huge hole in the company's accounts — it was being defrauded to the tune of 2 million pounds per quarter. "When questioned about why it took so long for these problems to come to light, management's response was 'well the external auditors signed the accounts and internal auditing said everything was all right,'" Durant says.
Did the internal auditors fail that company, or did management make incorrect assumptions about the assignment auditing carried out, and about its role more widely? It's impossible to say. One thing, however, is clear: The idea that fraud can just be left to internal auditing doesn't fit with The IIA's Standards. Standard 1210.A2 states that the internal auditor "should have sufficient knowledge to identify the indicators of fraud but is not expected to have the expertise of a person whose primary responsibility is detecting and investigating fraud." Two related practice advisories flesh out internal auditing's fraud detection role and its fraud investigation role. The first of these discusses the need to be aware of fraud risks and to know about the indicators and flags that suggest a fraud may have been committed, but stresses that "internal auditors are not expected to detect fraud and irregularities."
The IIA-UK and Ireland produced a useful position paper on fraud in 2003. The paper states that "the primary responsibility for the prevention, detection, and investigation of fraud rests with management, which also has the responsibility to manage the risk of fraud." But it also acknowledges that most people think this is what internal auditing does and adds: "There is, therefore, an expectations gap that needs to be managed."
Fraud training consultant Courtenay Thompson has helped many internal auditors to bridge that gap. "One of our recommendations is that they never say it is not their job to detect fraud," he says. "No one wants to hear 'it's not my job.'"
In fact, if a big fraud occurs in an area of the organization just reviewed by internal auditing, Thompson says it's very likely that others will expect auditors to have detected it. But beyond that, he says, the role internal auditing plays depends largely on what management and the audit committee want it to be. "There are many different roles taken by internal audit departments, ranging from distancing themselves from fraud to taking full responsibility for investigations," Thompson says. "There is no 'one size fits all.'"
Tobin agrees that internal audit involvement should reflect what is needed, but says that the central role described by The IIA should remain largely intact. With regard to his own organization, Tobin says, "We have a definite responsibility to be alert to the possibility of fraud and to be conscious of specific fraud risks in our audit procedures. We are the canaries in the coal mine." Beyond that, he says he believes internal auditing is ideally placed to facilitate fraud risk assessment processes. "In fact," he says, "fraud risk assessments likely won't get done if not promoted by internal auditing." Tobin notes that there is a lot of organizational knowledge and technical expertise resident in the internal audit function that can help the organization combat fraud, without the shop crossing a line of principle drawn by the Standards.
PROMOTING AWARENESS
Ron Reigle, vice president of corporate compliance and internal audit at gaming company Pinnacle Entertainment Inc., says his team takes a proactive role in fighting fraud. Reigle is a certified fraud specialist and a certified fraud examiner, and his staff includes certified fraud examiners as well. They cover fraud risk in every audit assignment. "Our team is trained to look for the red flags of fraud all the time," he says. They also conduct routine fraud investigative audits that look specifically for fraud.
Reigle works hard to emphasize the importance of fraud prevention and detection throughout the company. He invests in training to keep his team up to date on fraud issues, and he routinely circulates articles about fraud. When the organization set up a fraud hotline in 2003, Reigle visited all of its operations to discuss fraud prevention and detection with managers and staff — talks that they were required to attend. "We also have a fraud video that we show to all new hires," he says. "We show from day one that we have a zero tolerance."
The internal audit shop also plays an important anti-fraud role at paint manufacturer Benjamin Moore, says Director of Internal Audit Adam Gelles. "Our company is engaging in a more proactive process to prevent fraud or ensure its timely detection," Gelles says. The introduction of the U.S. Sarbanes-Oxley Act of 2002 has improved fraud awareness, but more widely, the need to tackle fraud seems to have caught on, he says. His company encourages managers to consider how they would feel if adverse actions, such as a fraud, made the front-page business news. The critical next step for the organization, he says, will be to further explore and consider implementing enterprise risk management, so that managers have the processes and tools they need to be more proactive in their assessment of, and response to, risk as a whole, which would include fraud.
Internal auditing also has an active fraud role at retailer JC Penney, where the issue is fast moving up management's agenda, says Director of Audit Denny Beran. In the last few years, the organization has become more proactive in seeking out frauds and promoting fraud awareness among its staff and management. "Fraud potential and impact is addressed in the annual risk assessment of the auditable inventory for planning purposes, and fraud risk assessments are conducted periodically," Beran says. "Looking ahead, we anticipate that operating management will place additional demands on internal auditing to evaluate the adequacy of fraud controls, assist in heightening fraud awareness levels, and participate in potential fraud reviews and investigations."
SUPPORT FROM THE TOP
As the demands on internal auditing at these and other organizations increase, it seems more important than ever to be clear about where the shop can be responsible for fraud, and where it can't. As is so often the case, this is an issue where internal auditing needs to look to the highest levels of the organization for support.
"Internal auditing has to establish its role within the organization, and this starts at the top," Tobin says. "There has to be a dialogue among the chief audit executive (CAE), senior management, and the audit committee to ensure respective roles and responsibilities are clear and accepted." The first role of CAEs is marketing, Tobin argues. "They have to promote what internal auditing can do for the organization, while at the same time ensuring that boundaries are clear and expectations for internal auditing are realistic and appropriate. At the working level, audit team leaders need to ensure in their communications with operational managers that respective responsibilities and expectations are clear and understood."
At JC Penney, for example, the internal audit shop runs fraud awareness training for managers. When fraud is discovered, internal auditing briefs managers on what went wrong and any lessons to be learned, with an emphasis on the control breakdowns that allowed fraud to occur and continue without detection.
The best strategy, Thompson says, is for the chief executive officer (CEO) to produce a written policy stating that management is responsible for knowing the exposures to fraud in their areas and for detecting suspected wrongdoing. "This should not be done by the chief financial officer or the CAE," he says. "It is a CEO responsibility, and five minutes from the CEO is worth many audit reports and thousands of hours of Sarbanes-Oxley work."
In practice, few companies have such a statement, Thompson says. When he runs fraud awareness training for managers, Thompson tells them to get these words in writing from the CEO. "It's usually a real eye opener," he says. "Most say this responsibility has not been well defined in their organizations." Moreover, Thompson recommends emphasizing what management's responsibility is, rather than stating what internal auditing's role isn't. That approach makes it easier for the internal audit shop to work out the best way to help management, he says.
COMMUNICATION IS KEY
Dave Coderre, a manager of continual auditing in the Canadian federal government and a leading authority on fraud issues, agrees that management misunderstandings about internal auditing's fraud role occur when the responsibilities are not clearly defined and communicated. "A fraud policy — which clearly articulates the role that management, auditing, and every employee plays with respect to fraud prevention and detection — should be in place," he says. "At the beginning of every audit, management should be informed of the scope and objectives of the audit — with a clear statement of what auditing will be doing with respect to fraud risks."
There are other reasons why managers get the wrong idea about what the internal auditors are supposed to be doing. Finely worded principles about where the professional boundaries lie will make sense to some, but not others.
"Managers come from diverse backgrounds, including operations, marketing, and administration and accounting," says Durant. "I think the latter might have some knowledge of what internal auditing's role is and what management's role is, but those from other backgrounds may not."
The answer, he says, is "communication, communication, communication." Yes, a clear policy statement from the board is vital, but not enough on its own. Internal auditing should get out into the business and explain what its role is. "It is better to be talking to management," he says, "rather than sitting in one room thinking management is dealing with the issue when management is sitting in a different room thinking the same about internal auditing." Auditors should find ways to work directly with management, helping managers to perform their fraud role. "That way it is not all about abrogating responsibility, but working with management to help them fulfill their responsibility," Durant says. "The auditors can make it clear that they are there to help, but not to take on the role." At Benjamin Moore, for example, Gelles is looking at making wider use of control self-assessment to help management realize they are ultimately responsible for implementing controls and that his internal audit shop is there to assess the existence and effectiveness of controls.
Durant also suggests that internal auditors run fraud risk management workshops, aimed at helping managers to write their own risk action plans. "This would make it clear that internal auditors are the facilitators and managers are the ones who are going to take responsibility," he says. When Durant runs this kind of event, he always tries to get a member of the board to introduce the objectives of the workshop and to wrap it up with a talk about how management takes fraud seriously. "This is all very subtle, but firmly puts management at the forefront," he says.
Simple communication makes a real difference, Thompson says. "Most executives, when hearing the 'it's management's job' speech, have a major belief change and buy into the idea," he says. "Usually management merely needs a bit of education and reinforcement from the chief executive."
Other auditors agree that once managers have their responsibilities explained, they are happy to fulfill them. It's not that managers are ducking the issue — although the crooked ones may be; it's just that they are often overwhelmed with other responsibilities. "Awareness of fraud risks and managers' responsibilities is extremely low," Tobin says. "Managers are generally aware that they are responsible for internal controls, but for the most part they have never given fraud much thought. I've found that when managers receive some training on fraud risks and controls, the potential consequences of fraud incidents, and the respective roles of managers and internal auditing, they are quite open and accepting."
THE GOVERNANCE CONNECTION
Frontline communication and training are clearly important, but Coderre also stresses the importance of putting fraud in a wider context. The most important step an internal auditor can take, he says, is to ensure the issue of fraud responsibility is addressed in the governance structure of the organization and its risk management activities. "In the past, management has focused on operations, often to the exclusion of controls, fraud, and other activities," Coderre says. "Today however, there is increased pressure for management to take responsibility for enterprise risk management. An important aspect of risk management is the identification and mitigation of the risk of fraud."
An effective approach — for fraud and wider misconduct — has three primary objectives: prevention, detection, and response, says David Luijerink, director in fraud risk management at KPMG Forensic. "The challenge for companies is to adopt a comprehensive and integrated approach that enables all of the organization's control criteria in these three areas to work together," he says. Internal auditors can play a significant role in this effort. They can request that senior management provide clear direction to management about fraud prevention and detection responsibilities, he says, but they can also write their own action plan — one that establishes how internal auditing will engage senior and line management on this issue, and how they will measure success. This plan and subsequent updates could then be reported to the audit committee.
More fundamentally, companies need to take a strategic approach to fraud risk management by aligning corporate values with performance, Luijerink says. "Fraud risk management must become part of the corporate culture. The board, senior management, internal auditing — in fact all employees — have a role to play to ensure that the company is enacting and achieving ethical and responsible business practices."
And he stresses that fraud prevention cannot be a one-off event. Companies need to view fraud risk management as an ongoing process and should continuously evaluate the effectiveness of their risk strategy and controls.
Sound easy? In theory, it seems an organization that wants to manage fraud risk effectively needs just three things: a clear and comprehensive governance structure, an active and supportive board, and a cadre of managers who are aware of their responsibilities and have the resources and skills to fulfill them. If an organization ever achieved that level of excellence, the internal audit shop could virtually pack up and go home, or at least forget about fraud risk. Until then, they'll continue to perform their unique and carefully nuanced role: helping management to combat fraud, while explaining that they can't do the job for them.
To comment on this article, e-mail the author at neil.baker@theiia.org.