Study: Companies Are Bolstering Internal Controls to Combat Cyber Fraud

A new study finds that organizations are reporting increases in cyber fraud and phishing scams due to rapidly changing work practices as a result of the pandemic. It also finds that companies are improving internal controls and providing new resources to internal audit to fight such fraud, and that they are conducting more data analysis to uncover it.

The research, “Fraud and the Pandemic – Internal Audit Stepping Up to the Challenge,” was conducted by the Institute of Internal Auditors’ Internal Audit Foundation and investigations and risk consulting firm Kroll. The report is based on a recent global survey and focus groups with internal auditors, discussing how the role of internal audit in fraud risk management has changed since the start of the pandemic.

Results show organizations faced increased exposure to cyber, social engineering, and phishing attacks, as well as instances of impersonating senior management in order to embezzle funds. More than half (54 percent) of survey respondents reported an increase in cyber and phishing fraud, while 40 percent say they have experienced an increase in fraud relating to asset misappropriation. A smaller, yet meaningful, number of respondents (5 percent) say they have witnessed financial statement fraud.

“We have seen the external, organized threat of fraud, for example through cyberattacks and social engineering, strengthen during the pandemic, with the internal threat becoming increasingly hard to identify and remediate,” said Matthew Weitz, associate managing director of forensic investigations and intelligence at Kroll. “This has driven a rethink of the role of internal audit with many internal auditors stepping up to become more strategic advisors in the fight against fraud.”

Stepping Up Defenses
To fight this increase in fraud and cyberattacks, including phishing scams, organizations are improving internal controls, conducting more training, and taking other risk management measures. According to the survey, 36 percent of respondents said they had devoted additional resources to internal controls, and 29 percent had devoted additional resources to data analytics. “Since the start of the pandemic, business leaders have required internal audit to take a more proactive and flexible continuous assurance approach. The most successful organizations were flexible enough to respond quickly to these circumstances by implementing changes that positioned them for future risk planning,” the report’s authors write.

Other defenses reported by the internal audit respondents include increasing the number of investigations (12 percent) and increasingly adding anti-fraud measures to the company’s enterprise risk management function.

“No aspects of business operations have been immune from pandemic disruption, and we wanted to see precisely how that disruption impacted organizations’ fraud risk management practices,” said Anthony Pugliese, president and CEO of the IIA. “As companies increase investments in new technologies, it’s clear that when the independent internal audit function is actively providing assurances of internal controls and risk management systems, the impact of fraud is reduced.”

Internal Audit’s Role
The study also finds that organizations are increasingly leveraging internal audit to address cyber fraud and phishing attacks. They are also providing additional resources for internal audit to get the job done. Nearly half (45 percent) of respondents said that additional technology resources have been given to internal audit to fight fraud, as well as more training and communication (28 percent), new staffing (15 percent), and investigative resources (12 percent).

“In general, the participants commented that the role of internal audit in fraud risk management had increased, particularly in the more strategic prevention and detection areas of fraud risk management, rather than the reactive areas that were identified in the 2020 Survey,” the report’s authors write. The research also finds that internal audit was being asked to upskill and provide more direction in certain areas, particularly in cybersecurity, which was driven by the increased risk identified in this area.

This is the second report in The Internal Audit Foundation’s fraud risk management series with Kroll. The first, Fraud Risk Management in Internal Audit, was based on a survey conducted in 2020, before the start of the pandemic.


Joseph McCafferty is editor & publisher of Internal Audit 360°
