The best way to protect an organization from fraud is through a proactive and collaborative approach to fraud risk management.
Fraud risk impacts all organisations regardless of their size, maturity or geographic location. Large fraud schemes have brought down companies and even led to the imprisonment of owners and senior management. When fraud is announced to the market and the public, it may result in irreparable reputation damage and loss of investor confidence. Fraud has also been the reason for the issuance of major regulations such as the U.S. Foreign Corrupt Practices Act of 1977 (FCPA) and the U.S. Sarbanes-Oxley Act of 2002. As a result, today an organization’s stakeholders expect the board and management to adopt a “zero tolerance” approach to fraud.
Managing fraud risk involves the board as well as multiple lines of defense, including senior management, compliance, legal, human resources and internal audit. Responsibility for the fraud risk management process is shared between each of these parties. When it comes to internal audit, a global survey by the Institute of Internal Auditors (IIA) showed that over 80% of internal auditors have at least some responsibility for fraud detection and prevention.
Internal Audit Responsibilities During Audit Engagements
An effective internal audit activity can be extremely helpful in supporting a fraud risk management process. Although management and the board are ultimately responsible for fraud deterrence, internal auditors can assist management by determining whether the organization has adequate internal controls and fosters an adequate control environment. To the degree that fraud may be present in activities covered in the normal course of audit work, the IIA’s Standards state that internal auditors have the following responsibilities with respect to fraud risk:
- Proficiency (Standard 1210.A2): Internal auditors must have sufficient knowledge to evaluate the risk of fraud and the manner in which it is managed by the organization, but are not expected to have the expertise of a person whose primary responsibility is detecting and investigating fraud. Due Professional Care (Standard 1220.A1) further requires them to consider the probability of significant errors, fraud or noncompliance in every engagement.
- Risk Management (Standard 2120): The internal audit activity must evaluate the potential for the occurrence of fraud and how the organization manages fraud risk.
- Engagement Objectives (Standard 2210): Internal auditors must consider the probability of significant errors, fraud, noncompliance, and other exposures when developing the engagement objectives.
Internal audit procedures alone, even when carried out with due professional care, do not guarantee that fraud will be detected. A well-designed internal control system should help prevent or detect material fraud, and the tests conducted by internal auditors improve the likelihood that important fraud indicators will be detected and considered for further testing. In the course of their engagements, internal auditors should therefore:
- Consider fraud risks in the assessment of internal control design and determination of audit steps to perform.
- Have sufficient knowledge of fraud to identify red flags indicating fraud may have been committed.
- Be alert to opportunities that could allow fraud, such as control deficiencies.
- Evaluate whether management is actively retaining responsibility for oversight of the fraud risk management program.
- Evaluate the indicators of fraud and decide whether any further action is necessary or whether an investigation should be recommended.
- Recommend investigation when appropriate.
A Framework for Managing Fraud Risk
According to the IIA's publication titled Managing the Business Risk of Fraud: A Practical Guide, "only through diligent and ongoing effort can an organization protect itself against significant acts of fraud". The guide sets out a set of key principles for proactively managing an organization's fraud risk.
While each principle may seem straightforward on its own, all of them must be present and work together to form an effective fraud risk management process. In practice, the principles translate into a wide variety of elements, such as: a code of conduct, fraud awareness training, a whistle-blower hotline, fraud risk assessments, anti-bribery and corruption programs, audits of anti-fraud controls, investigation policies and protocols, and even data analytics for fraud detection. However, there is no "one size fits all" approach to managing fraud risk. The sophistication of the system and its elements will depend on the size of the company, its internal capabilities and the nature of its business. But for any company, proper oversight by the board and audit committee and a positive tone at the top from the CEO and executive management are essential to ensure an effective response to fraud risk.
Of those principles, it is Principle 2, the fraud risk assessment, where internal auditors can add the most value to the organization.
Fraud Risk Assessment
The fraud risk assessment is a tool that assists management and internal auditors in systematically and proactively identifying where and how fraud may occur and who may be in a position to commit it. A fraud risk assessment also helps a company comply with the IIA's Standards, identify the controls that mitigate fraud, raise awareness of fraud risks among management and employees, and allocate internal audit resources.
The concept of fraud risk assessments is not new to our region. In a survey of heads of internal audit conducted by the UAE Internal Auditors Association, 45% of internal audit heads in the non-financial services sector stated that they carry out fraud risk assessments. But the question on the minds of many internal audit leaders is: "Is the fraud risk assessment a duplication of Enterprise Risk Management efforts?" The simple answer is "No". Traditional risk assessments link risks to the organization's key objectives, and fraud can easily be overlooked in that framing. A fraud risk assessment expands upon the traditional risk assessment because it is organized around the fraud scheme rather than around the audit universe or business objectives.
A fraud risk assessment generally includes five key steps:
1. Identify relevant fraud risk factors.
2. Identify potential fraud schemes and prioritize them based on risk.
3. Map existing controls to potential fraud schemes and identify gaps.
4. Test the operating effectiveness of fraud prevention and detection controls.
5. Document and report the fraud risk assessment.
Although organizations do not like dealing with fraud, proper fraud risk management makes good business sense and helps protect organizational value. Companies cannot avoid fraud altogether, but they can work to identify it early and reduce the harm it causes, and a proactive approach to managing fraud risk is the best way to do that. When fraud risk is properly managed and responded to, it sends a very positive message to stakeholders and regulators that fraud is not tolerated. Finally, we should not forget the important role that internal auditors play in supporting the fraud risk management process; a role expected by stakeholders and required by the IIA Standards.
1. Responding to Fraud Risk: Exploring Where Internal Auditing Stands, The Institute of Internal Auditors Research Foundation, 2015.
2. Managing the Business Risk of Fraud: A Practical Guide, The Institute of Internal Auditors, 2008.
3. Risk Management Practices and the Role of Internal Audit, The UAE Internal Auditors Association, 2015.
4. Practice Guide: Internal Auditing and Fraud, The Institute of Internal Auditors, 2009.
NABIL AL OUF, CIA, CFE, CRMA, CRBA is Group Head of Internal Audit at Dragon Oil Holdings.