Internal auditors have always had a role to play in the detection and prevention of fraud. A recent paper from the Institute of Internal Auditors (IIA) looks to shed some more light on just what that role is and how internal audit teams can do a better job at fighting fraud.
The new paper, “Fraud and Internal Audit: Assurance Over Fraud Controls Fundamental to Success,” describes specific internal audit responsibilities regarding fraud prevention and detection. “Internal auditors must have sufficient knowledge of fraud to evaluate fraud risk and the manner in which it is managed by the organization,” says the IIA. However, the paper also points out that, while some internal auditors may investigate fraud, organizations should not expect an internal auditor to have the expertise of a person whose primary responsibility is fraud investigation.
Fraud investigations are best carried out by those experienced to undertake such assignments. It is essential that any investigation is undertaken by qualified individuals to reduce the risk of compromising evidence, accusing wrongfully, or undermining prospective legal actions.
Who’s Job Is Preventing Fraud?
The paper restates the IIA’s long-held position that it is not internal audit’s direct responsibility to prevent fraud from happening within the business. “This is the responsibility of management as the first line of defense,” the paper states. But that doesn’t mean internal auditors are off the hook when it comes to finding and thwarting fraud.
Internal audit should consider where fraud risk is present within the business and respond appropriately by auditing the controls of that area, evaluating the potential for the occurrence of fraud, and examining how the organization manages fraud risk through risk assessment and audit planning.
“Internal audit should use its expertise to analyze data sets to identify trends and patterns that might suggest fraud and funding abuse,” the paper states. “Where the experience is not available within the internal audit team, the organization should consider recruiting or engaging resources with sufficient knowledge or expertise.”
Anti-Fraud Response Plan
According to the position paper, every organization should have an anti-fraud response plan that outlines key policies and investigation methodologies. The plan should make clear the role of internal audit when there is suspected fraud and associated control failure.
The paper also provides key questions that boards of directors and other governing bodies should ask their organizations regarding fraud:
- Does the organization have a fraud response plan in place that outlines key policies and investigation methodologies?
- Who carries out fraud investigations within the organization?
- Is internal audit tasked with identifying where fraud risk is present, and does it audit controls in these areas?
- When fraud has occurred, does internal audit investigate to understand how the controls failed and how they can be improved?
- Is internal audit tasked to investigate fraud, and, if so, does it possess the proper skill sets to carry out such investigations?
Fraud Risks Always Present
Some recent cases have emerged that should remind internal auditors to strengthen internal controls and identify high-risk areas. For example, an accountant at a Canadian software company committed a $5 million fraud in which she purchased thousands of Apple electronics and approved her own p-card purchases. In another case, internal auditors uncovered a large fraud at a Ugandan palm oil company. And, of course, many universities are still reeling from the admissions scandal that has impacted several higher education organizations.
“The threat of fraud is one of the most common challenges to governance that organizations face without regard to size, industry, or location,” the paper states. “Having proper internal control procedures in place that include an appropriate response plan is fundamental to battling fraud.” 