How can internal auditors look for fraud and assess fraud risks while remaining trusted advisors to their audit clients and management? The question is gaining renewed attention, in part because both the new Global Internal Audit Standards from the Institute of Internal Auditors (IIA) and the proposed standards from the International Auditing and Assurance Standards Board (IAASB) include a greater emphasis for auditors on fraud risk.
While balancing these two objectives isn’t always easy, it is possible. Critical steps include transparency, training, and alignment with the organization’s priorities.
Standards Take a New Approach to Fraud
In announcing its proposed standards, the IAASB noted, “Recent corporate failures throughout the world have underscored the benefits of clarifying and enhancing the role of auditors in responding to fraud and suspected fraud as a means of enhancing public trust in financial reporting.”
Because the IASSB standards pertain to external auditors, they shouldn’t directly change internal auditors’ responsibility for assessing fraud risk. However, the increased focus on fraud is likely to trickle down to work performed by internal audit teams, says Deepti Verma, U.S. forensic leader with consulting firm Protiviti. Internal auditors’ approach to fraud detection may need to shift towards a more proactive one, she adds.
In addition, management often “kicks the tires first” with the internal audit department, to help them stay ahead of new external auditor requirements, says Shane Foley, enterprise risk controls leader with PwC’s U.S. cyber, risk and regulatory team. Where possible, internal audit can advise management on remediation steps to reduce last-minute surprises that could impact the financial statement audit, he adds.
The external auditors themselves may ask more of internal audit in terms of understanding the business environment and the corporate governance space, says Joseph Mauriello, director of the Center for Internal Auditing Excellence at the University of Texas, Dallas.
A Fraud-Finding Mandate?
Not surprisingly, the IIA Global Internal Auditing Standards, which go into effect January 9, 2025, will have a more direct impact on internal audit. The word “fraud” is mentioned more frequently in the standards than was the case previously, says Amanda “Jo” Erven, president and founder, Audit. Consulting. Education. LLC.
For instance, Standard 3.1, which focuses on competency, states that: “Internal auditors should develop competencies related to…pervasive risks, such as fraud.” The previous standard stated, in part, that proficiency “encompasses consideration of current activities, trends, and emerging issues, to enable relevant advice and recommendations.”
Similarly, the new Standard 9.4 says the internal audit plan must consider coverage of fraud risk. The corresponding previous standard said, “the internal audit activity must evaluate the design, implementation, and effectiveness of the organization’s ethics-related objectives, programs, and activities.”
“The new IIA Standards include the word “must” a lot more than they previously did,” Erven says. This likely indicates that the IIA is upping its stance regarding internal auditors’ responsibility for assessing for fraud and other risks, she adds.
The standards also increase expectations around transparency regarding how internal audit is spending its time and resources, Foley says. A recent IIA article about the standards stated, “Governance structures, mutual expectations between the board and the CAE, and the relationship between the CAE and the board are much more explicit.” This may open the door for more direct conversations between audit, management, and the audit committee regarding how much time is spent directly on fraud related activities versus other high-risk areas, he adds.
Additional Forces Behind the Focus on Fraud Risks
Along with the revised standards, several other macro shifts are prompting an increased emphasis on internal auditors’ role in searching for fraud. One is the ongoing talent shortage, which may mean less attention is devoted to controls, Verma says.
In addition, as technology changes, so does the opportunity and potential forms of fraud, Verma says. For instance, fraudsters are increasingly using artificial intelligence to deploy sophisticated fraud schemes, she says.
Another factors the incidence of fraud. “Over the years, too many articles have asked ‘Where were the auditors?’ when fraud happened,” Erven says. While the typical rationale has been that it’s management’s responsibility to root out fraud, that’s been tested in light of examples, like the missing billions at Wirecard, a German fintech, in which the fraud appears to have been so blatant that even simple tests should have caught it. “That’s prompted many, within both internal and external audit, to begin evaluating this as a profession,” Erven says.
Avoiding the “Cop on the Beat” Perception
Even while assessing fraud risk, internal auditors want to avoid coming across as a “cop on the beat.” If internal audit is seen as too aggressive in their efforts to detect fraud, they may strain relationships with business stakeholders. That can make it difficult to work collaboratively and continue as trusted advisors, Verma says.
Maintaining strong, productive relationships with management and colleagues rests on the way in which internal audit approaches its job, Erven says. When internal audit focuses on the highest risks—which should align with management’s view of the highest risks—they shouldn’t be seen as bad cops, but as assets protecting the organization, she says.
For instance, in a financial institution, purchases of computer paper, file folders and the like are unlikely to pose a high risk of fraud, Erven says. Of course, they can’t be ignored, as illustrated by the case of a public library employee who stole more than a million dollars of printing supplies and resold them online. However, these purchases are likely to warrant fewer audit resources than would be the case for purchases of inventory and raw materials in a manufacturing company.
The goal is a just-in-time audit approach, Erven says. “Be in the right areas, looking at the right risks, at the right time, with the right people,” she says.
Clarify Internal Audit’s Role in Preventing Fraud
Another prerogative is clarifying internal audit’s role when it comes to fraud. Internal auditors are not necessarily responsible for finding fraud, points out Jami Shine, corporate and IT audit manager at QuikTrip Corp., a chain of convenience stores. “We are responsible for identifying fraud risks and providing assurance that (the) controls in place are adequate to mitigate those risks,” she says.
When internal auditors can point out control gaps that leave opportunities for fraud to occur, that’s a positive, Shine says. Internal audit’s recommendations to help prevent fraud also protect the business so the company can achieve its goals. “I don’t see our responsibility to audit fraud risks in opposition to being considered a trusted advisor; I see it as parallel,” she says.
Leverage Data and Analysis
By leveraging technology to monitor anomalous trends in data, internal audit teams can better target their efforts to focus more on critical risks and less on repetitive tasks, Verma says. This helps reduce the “audit fatigue” that can occur when an area undergoes frequent audits, she adds.
Stephen Young, chief compliance officer and vice president, internal audit, with manufacturing firm MacLean Fogg, uses data analytics to efficiently review entire populations of documents and then focus on the outliers. The approach is similar to a quality control program, in which auditors watch for transactions that fall outside established tolerance levels, he says.
Transparency, Training, and Fundamentals
Operating with transparency also helps internal audit maintain strong relationships with management and other colleagues. “There’s no reason that we should hide anything that we’re doing,” says Mark Ruppert, chief audit executive at Northern Arizona University.
Fraud awareness training can also blunt any perceptions of internal audit as a cop on the beat, Ruppert says. In addition to boosting awareness of fraud risks, training can help colleagues better understand how controls protect not only the organization, but the individual. If fraud is found in a department and it becomes clear no controls were in place, employees in the area may face questions and suspicion.
When it comes to building a reputation as trusted advisors, the fundamentals remain important. This includes the skills, competencies, and training for both technical and soft skills, and particularly professional skepticism, says Jessica Rodgers, financial services organization enterprise risk lead with EY. “From talent acquisition to internal training, employees should be provided with the resources to cultivate their abilities to see around corners and bring greater strategic value,” she says.
While the new standards will prompt changes, they also may give the internal audit profession a boost. “The GIA Standards focus on elevating the mandate and stature of” internal audit, Rodgers says. They also encourage collaboration across functions, and as cross-functional work becomes the norm, internal audit teams will increasingly be seen as strategic advisors to the business, she adds. 
Karen Kroll is a finance and business writer based in Minneapolis, Minnesota.