Internal audit and fraud prevention has been a topic of some debate over the years. Whilst some organisations stand firm that it is the duty of internal auditors to be ‘fraud detectives’ and directly involved in prevention measures, others argue that this is, in fact, the responsibility of senior management as the first line of defence.
Some thought leaders have even gone so far as to say that treating internal audit as the organisation’s fraud police creates an unrealistic expectations gap that could have dire consequences for the business.
Not only is fraud on the increase globally, but insider threat incidents have also increased by 44% since 2020, at a cost of $15.38 million per incident. In some circumstances, fraud is so devastating that it can bring an organisation completely to its knees.
With fraudsters becoming ever more sophisticated in their approach, closer attention must be paid to a business’s anti-fraud control frameworks if it is to remain effective in preventing, detecting and responding to fraud. But with whom exactly does the responsibility for this lie?
The role of internal audit in fraud prevention and detection
The IIA’s Fraud and Internal Audit position paper states that “internal audit should consider where fraud risk is present within the business and respond appropriately by auditing the controls of that area, evaluating the potential for the occurrence of fraud and how the organisation manages fraud risk through risk assessment, and audit planning. It is not internal audit’s direct responsibility to prevent fraud happening within the business.”
The paper then goes on to say that internal audit’s knowledge of fraud should enable auditors to:
- Identify red flags where fraud may have been committed
- Understand the characteristics of fraud, and the specific techniques, schemes and scenarios used to commit fraud
- Evaluate the indicators of fraud and determine whether further action or investigation is necessary
- Review the effectiveness of controls to prevent or detect fraud
Whilst the IIA acknowledges that internal audit professionals should not be expected to have the same level of expertise as specialist fraud investigators, they should use their skills in data analysis to identify trends and patterns that suggest fraudulent activity.
Despite these recommendations, the reality is that every company’s audit committee and board of directors views internal audit differently, and it is usually the combination of external standards and an anti-fraud policy that will determine the precise role of internal audit and its involvement in fraud prevention.
Ultimately, internal auditors must be mindful of fraud risk throughout all audit work whilst remaining alert to red flags and adhering to the organisation’s policies and expectations when it comes to mitigating fraud.
How can internal audit provide and improve fraud assurance?
Fraud is undoubtedly one of the greatest risks to governance that organisations face, irrespective of their industry, size or jurisdiction.
According to Occupational Fraud 2022: A Report to the Nations by the ACFE, global losses are likely measured in trillions of dollars. Their study reported a loss of more than $3.6 billion across 133 countries. Unsurprisingly, a report by Kroll and the IIA revealed that businesses that empower and invest in internal audit improve the effectiveness of their fraud risk management overall.
Internal audit plays a crucial part in not only helping to reduce the financial and reputational impact of fraud but also in preventing detriment to business objectives. As the main port of call to provide assurance on all organisational risks, here are some ways internal audit can respond to the challenge of fraud risks specifically:
Review detection controls
Are you confident in your organisation’s ability to detect fraud early on, or indeed, at all? If not, now is the time to revisit your annual plans to ensure that detective controls are just as stringent as preventative controls, so that if fraud were taking place, there would be a high chance of it being identified by checks such as reconciliations and management monitoring. Detection can also extend into whistleblowing arrangements, where a tip-off could stop fraud in its tracks. Internal audit should work with senior managers to ensure that their whistleblowing procedures do not deter employees from coming forward at what could be a business-critical moment.
Provide fraud risk training
We mentioned previously the IIA’s stance on internal audit having sufficient knowledge to identify the warning signs of fraud. Regardless of experience, regular training can enable audit professionals to stay abreast of fraud techniques and schemes as they become more sophisticated in the modern world. Data monitoring and analytics skills should also be considered as part of your L&D regime, as these are becoming increasingly effective at reducing fraud loss and duration by detecting fraud schemes through unusual trends and patterns. This brings us swiftly to our next point…
Invest in audit management software
A risk-based audit management solution can help to streamline data mining whilst providing a real-time view of information that could highlight instances of fraud. It can also help auditors to:
- Appraise the effectiveness and application of controls and reliability of data
- Ascertain the adequacy of controls for safeguarding assets
- Evaluate compliance with policies, procedures and legal obligations
- Establish a partnership and proactive communication with management
- Promote financial responsibility and accountability at all levels
- Investigate financial improprieties
- Identify and make recommendations for mitigating fraud risks