As high-profile fraud cases continue to make headlines and the Coronavirus Crisis heightens concerns about fraud, a new survey could help internal auditors understand fraud risk management at their organizations.
The report, “Fraud Risk Management in Internal Audit,” takes a deep look at internal audit’s role in identifying and mitigating fraud. The survey, which was conducted by the Institute of Internal Auditors, examines several facets of fraud and the new risks that have been created by the current business environment and many employees still working from home. The report comes on the heels of another recent report by the IIA on fraud, A Blueprint for Managing Corporate Fraud.
The report concludes that internal auditors have a responsibility to include fraud risk in audit plans and should assess the internal controls meant to prevent fraud. The chief audit executive also has a responsibility to assess fraud risk exposure across the organization and help oversee its management. Internal auditors should only investigate fraud, however, if they have the expertise and experience to do so, the report cautions.
The survey was distributed to internal auditors globally and yielded 704 responses. The questionnaire, consisting of 14 total questions, sought to answer four key questions:
1. To what extent does the involvement of internal audit in fraud risk management impact the perceived effectiveness of the fraud risk management process?
The survey found that most respondents were confident about the effectiveness of their fraud management systems. More than half (54 percent) said their systems were good, very good, or excellent. In organizations where the internal audit team was part of the strategic management of fraud, the risk management system was also more likely to be strong. The connection was especially true when the internal audit teams had leadership roles within enterprise-wide fraud assessments. Among internal auditors with leadership roles in combating fraud, 60 percent said their organizations have good or better fraud management systems.
2. Where does responsibility for strategic fraud risk management lie within the organization, and what role does internal audit have in prevention, detection, and investigation of fraud?
According to the survey respondents, internal audit took the lead most often in fraud risk management, with 41 percent of respondents answering that the internal audit team was the main leader in fraud risk management. Around 91 percent of respondents said that they had at least some involvement in enterprise-wide fraud risk assessment. Almost half of respondents thought that internal audit was not part of strategic enterprise-wide decision making, however, showing that although internal audit is involved, the function does not always feel empowered to influence key decisions.
Internal auditors also said that they have a strong level of influence in all three operational areas of fraud management, prevention, detection, and response.
3. What are the challenges and barriers to internal audit’s involvement in managing fraud risk?
Most respondents said that internal audit is limited in taking too big a role in fraud management, with 80 percent reporting that the function faces barriers to involvement. The most common barriers are a lack of resources, lack of mandate, potential conflict of interests, and, to a lesser extent, lack of skills to undertake such work.
A quarter of respondents listed the lack of a clear mandate as the primary barrier to internal audit involvement in fraud risk management. Many business leaders do not think that internal audit should have a primary role in fraud risk management. The role internal audit can take in fraud management depends on the business objectives, structural priorities, and risk appetites in the individual organizations, say respondents.
Conflict of interest was also a strong concern for internal auditors. Audit needs to find a balance between providing an independent check on business activity and assuming responsibilities for fraud management.
4. What are the trends in investment in fraud risk management?
Fraud risk management remains on the forefront of business leaders’ concerns. The majority of respondents said investment in fighting fraud has either stayed the same or increased. Investment in internal audit teams, however, is much more varied.
Large organizations tend to have larger audit teams, but 15 percent of the organizations with more than 50,000 employees only have audit teams of 15 people or less. Internal audit also faces resource shortages, especially among large- and medium-sized organizations (organizations with more than 10,000 staff) with internal audit teams of less than 25 people.
Internal audit teams also lack the needed skills to manage fraud risks, say respondents. Data analytical skills are ever more important as more data is being collected and used than ever before, and the ability to manage and understand complex and disjointed datasets can help fraud detection and investigation. Auditors also need to understand third-party relationships and identify risks from collusion and collaborative frauds. With the rise in cyber-attacks, an understanding of IT systems will also prove valuable to internal auditors.
Internal audit’s role in organizational fraud risk management varies across organizations, but the core knowledge of the organization and access to data come from internal audit, even if an external party is brought in to investigate. Internal audit has a role in fraud management and with charting the changing landscape of fraud in uncertain times. Based on the survey, internal audit needs to reassess its role in fraud management and help structure the company’s response to provide the most value as a function.
Stephanie Liu is assistant editor of Internal Audit 360°