Fraud is one of the challenges that face different organizations and sectors. It hinders performance, wastes money and scarce resources, and inflicts damages on the organization, its reputation and its competitiveness. This damage is not restricted to financial losses; it may take other forms as well. It could be a loss in the organization’s performance, its reputation and credibility, and the trust of its investors, which render the organization exposed to many risks. The different stakeholders expect that the management of the organization would manage this risk by developing programs to combat the risk of fraud.
Companies nowadays face the risk of fraud more than any time before as a result of the economic instability, the increasing reliance on information technology and transnational complexity, leading to the existence of pressures, opportunities and justifications for fraud. These three elements constitute the basis of the risk of fraud.
There is increased recognition by the authorities, boards of directors, audit committees and stakeholders of the effective role of internal audit in drawing the attention of the stakeholders to the risk of fraud. Therefore, internal auditors are now required to help organizations in reducing the risk of fraud through the examination and evaluation of the control methods, the role of the organization in the management of the risk of fraud and how effective and sufficient they are. The findings of the ACFE report of 2016 pointed out that the internal audit departments in organizations have played an important role in the detection of embezzlement, misuse of assets and corruption. The cases of fraud detected by internal auditors represent 16.5% vs. 3.8% detected by external auditors for the total cases detected in 2016.
The International Standards for the Professional Practice of Internal Auditing have adopted a development for the role of internal audit in organizations through the provision of an evidence that the organization’s management deals efficiently and effectively with the fraud risk, and an evaluation of the management’s responses to fraud risk within the levels acceptable and approved
by the Boards of Directors, through the Performance Standards which provided for the role of internal audit in the evaluation of the management of the fraud risk in Standard No. 2120.A2, “The internal audit activity must evaluate the potential for the occurrence of fraud and how the organization manages fraud risk.”
The Standards also clarified the role of the chief audit executive to report to the senior management about the fraud risk in Standard No. 2060, “The chief audit executive must report periodically to senior management and the board on the internal audit activity’s purpose, authority, responsibility, and performance relative to its plan. Reporting must also include significant risk exposures and control issues, including fraud risks, governance issues, and other matters needed or requested by senior management and/or the board.”
Furthermore, the Standards included the attributes necessary for internal auditors through the Attribute Standard No. 1210.A2 which reads “Internal auditors must have sufficient knowledge to evaluate the risk of fraud and the manner in which it is managed by the organization, but are not expected to have the expertise of a person whose primary responsibility is detecting and investigating fraud.”
The Deloitte study showed the overall structure of the fraud risk management in the following graph:
From this point, the role of internal audit is reviewed in each stage of the fraud risk management as follows:
- Reduction of the Occurrence of Fraud:
Reduction of the occurrence of fraud is internal control methods designed to reduce the occurrence of fraud risk and misconduct. Despite the efforts of organizations to reduce fraud, there is an inescapable reality, which is the occurrence of fraud, due to the fraud and misconduct committed at different levels of the organization. Therefore, it is necessary to have proper preventive and detective methods.
The Professional Practices issued by the Institute of Internal Auditors explained the role of internal auditors in helping organizations to reduce the fraud risk through the examination and evaluation of the sufficiency and effectiveness of the Internal Audit Systems in organizations, along with their potential exposures to violations, transgression and non-compliance inside the organization. Thus, internal auditors must take the following factors into consideration:
- Control Environment: Evaluation of the aspects of the control environment, conduct of auditing procedures for proactive fraud plans, conduct of necessary investigations, reporting on the audit of fraud cases, and provision of necessary support for corrective actions. In some cases, internal auditors may have hotlines to report any cases or suspicions of fraud.
- Fraud Risk Evaluation: Evaluation of fraud risk management, in particular the management’s actions to identify, evaluate and test potential fraud plans and misconduct, including those involving suppliers and other parties.
- Control Activities: Evaluation of the effectiveness of the design and performance of the fraud-related control methods, ensuring that the audit plans and programs specify the residual risks under the integration of fraud auditing procedures with auditing the possible variations of laws, rules and regulations and their effect on the control methods.
- Information and Communication: Evaluation of the effectiveness of the communication system operation, with the provision of the necessary support to fraud-related training initiatives.
- Follow-Up Activities: Evaluation of the control over software, conduct of investigations, support to the Audit Committee in supervising the fraud-related issues, support to the development of the identification of fraud indicators, employment and training of employees to enable them to conduct auditing of fraud and investigations with adequate expertise.
- Detection of Fraud
Detection of fraud is represented in the internal control methods designed to detect fraud and misconduct when they occur. The existence of sufficient and appropriate detective control methods is one of the strongest deterrent of fraudulent conduct. They are used along with preventive control methods to enhance the effectiveness of the fraud risk management program through the provision of evidence that the preventive control methods are working as planned in the detection of fraud that may occur. Although the detective controls may provide evidence that fraud is occurring, or has already occurred, they are not designed to prevent fraud.
Internal control methods are designed to provide evidence and warnings that fraud is occurring or has already occurred. Effective internal control methods are one of the strongest ways to reduce or prevent fraudulent conduct or procedures. The simultaneous use of detective and preventive internal control methods support the fraud risk management program. Although detective controls may provide evidence for the occurrence of fraud, they do not aim, or are unable, to prevent fraud.
The auditors auditing cases of fraud must be aware of the basic requirements of the detection of fraud. These basic requirements are:
- Specification of the fraud risk in the organization through the examination of the control and operational environment to determine the categories and methods of fraud;
- Evaluation of fraud risk;
- Examination of risks and their occurrence from the perspective of the perpetrator of fraud in order to determine what the control methods are and the manipulation methods that cause the occurrence of fraud;
- Full understanding of fraud indicators and the data that may include these indicators; and
- Readiness for the occurrence of any fraud cases as a result of the indicators, as well knowledge of how to search for these indicators in the data.
When these requirements are fulfilled, it is easy to deter perpetrators, to investigate and report the detected cases, and to develop control methods to detect the repetition of such cases.
The role of internal audit in the detection of fraud through the stages of the fraud risk management is as follows:
- Taking into consideration the fraud risk when evaluating the control methods and the determination of the necessary audit procedures. Whereas internal auditors are not expected to detect fraud and violations, they are expected to give reasonable confirmation that the objectives of the business environment of the operations have been achieved.
- Providing adequate knowledge about fraud cases to determine fraud indicators. This knowledge includes awareness of fraud properties and factors and the techniques used in the commission of fraud.
- Being ready to any opportunity that may allow the commission of fraud such as any weakness in the control methods. If a major deficiency in the control methods has been detected, additional tests must be conducted by internal auditors to specify fraud indicators.
- Evaluating fraud indicators and taking any other necessary procedures or conducting investigations if needed.
- Whistle-blowing and reporting to the competent authorities inside the organization if a fraud case is detected to recommend the conduct of an investigation.
- Response and Investigation:
Response and investigation are represented in the internal control designed to take a remedial and corrective action for the damages resulting from the occurrence of fraud and misconduct.
The role of internal audit must be determined in the investigation process in the internal audit regulations as well as in the fraud-related policies and procedures. This includes collecting sufficient information on specific details and carrying out these necessary procedures to determine whether fraud is committed, who was involved and how it happened. One of the most important outputs of the investigations is the exclusion of innocent people from the circle of doubt or suspicion. Investigation starts with planning and ends with the issuance of a report on the findings of the investigation.
- Investigation Planning
A plan for each investigation process is set according to the procedures of the organization. The team leader in charge in the internal audit department determines the skills, competencies and knowledge required for conducting the investigation procedures through the identification of suitable individuals for carrying out the investigation. Moreover, an assertion must be obtained that there is no potential conflict of interests with those who will be investigated or any employee in the organization.
When preparing the plan of the investigation activities, the team leader must take the following into consideration:
- Collect evidence through surveillance, interviews and any documents;
- Document and preserve evidence without violation to any legal rules in obtaining such evidence;
- Determine the scope and extent to which the organization’s operations are affected by the fraud;
- Specify the methods used in the fraud;
- Evaluate the reasons of the fraud; and
- Identify the perpetrators of fraud.
- Reporting on Investigations
The form of the report, whether oral or written, whether provisional or final, and whether submitted to the Senior Management or to the Board of Directors, differs according to the investigation findings. A formal written report may be issued at the end of the investigation stages, including the reasons for conducting the investigation, the time frame for the investigation, and the notes, conclusions and recommendations necessary to correct and enhance the control methods. The reporting may be required to be written in a way that secures confidentiality of individuals. The requirements of the Board of Directors and executive management must also be taken into account, with compliance with the legal requirements and the policies and procedures of the organization.
Internal auditors may participate in the following processes as consultants through this stage as long as the effect of these activities on the independence of the internal audit is identified and appropriately dealt with, which may include all or some of the following:
- Providing a document indicating the end of investigation for the suspected who were acquitted;
- Punishing employees according to the company standards, labor laws or employment contracts;
- Requesting voluntary financial compensations from the employee, client or supplier;
- Terminating the contracts of the suppliers involved in the fraud; and
- Reporting the fraud cases to the legal and regulatory authorities and cooperating in the investigations that would be conducted by those authorities.
Therefore, this shows the role of the internal audit in the supervision in order to monitor progress of the investigations to help in ensuring that the organization follows the relevant policies, procedures, and applicable laws and legislation (where the internal audit is not responsible for conducting the investigations), in the identification of misappropriated assets or the assets related to the investigation, as well as in supporting the organization in its legal, insurance and other procedures through the evaluation of and control over the organization’s practices and plans to report on investigations, whether internal or external, and
monitoring the implementation of improvements in the control methods to ensure their efficiency and effectiveness.
The role of internal audit can be summed up in the evaluation of how sufficient the fraud risk management is in the organization through asking the following questions:
- Do the Board of Directors and the Audit Committee have clear responsibilities regarding the fraud risk management?
- Does the organization have a clear anti-fraud strategy, for example a policy that coordinates the ongoing activities to reduce and detect fraud?
- Does the organization conduct through examination for the backgrounds of new potential employees? Are the investigations and inspection of the employees who are promoted to higher positions conducted?
- Is there a process for the documentation of registration, tracking and response to all the allegations or suspicions of a crime (for example reporting violations and fraud hotline)?
- Is there a regular evaluation of the orientations, incentives, pressures and opportunities to commit the crime across the organization?
- Does the organization have categorization for the potential fraud and its effect on the organization through an evaluation of all the types of fraud risk including bribery and money laundering?
- Does the organization evaluate whether the risks are reduced through the existing internal control methods and evaluate the design and effectiveness of such methods (for example, powers, credit, separation of duties, etc.)?
- Are there effective channels to enhance the flow of information with quality whether top down or vice versa across the organization?
- Are training and awareness of cases of fraud and corruption for all employees provided? Is the training regularly held and promoted in the organization?
Are there sufficient, regular and ongoing procedures to ensure that the Senior Management took into consideration how effective the control environment and risk assessment are and how much modification or update the control methods that reduce fraud risk may need?
For more information, please use the following references:
- Association of Certified Fraud Examiners, “Report to the Nation on Occupational Fraud and Abuse“, Global Fraud Study, ACFE, 2016.
- Coderre, D, “Internal Audit Efficiency through Automation“, The Institute of Internal Auditors (IIA), John Wiley & Sons, Inc, 2009.
- Deloitte LLP, “Fraud Risk Management – providing insight into fraud preventive, detection and response“, Deloitte Touche Tohmatsu Private Limited, 2013
- HM Treasury, “Fraud and the Government Internal Auditor”, Crown copyright, London, January, 2012.
- KPMG, “Fraud Risk Management Developing a strategy for prevention, detection, and response“, KPMG forensic, KPMG LLP, 2013.
- Price water house Coopers LLP, “Fraud in a Downturn A review of how fraud and other integrity risks will affect business in 2009“, a limited liability partnership in the United Kingdom, 2009
- The Institute of Internal Auditors (IIA),”Auditor s Responsibilities Relating to Fraud Risk Assessment, Prevention, and Detection“, Practice Advisory 1210.A2-1, The International Professional Practices Framework (IPPF), April, 2006.
The Institute of Internal Auditors (IIA), the American institute of Certified public accountants (AICPA) and Association of Certified Fraud examiners (ACFE), “Managing the Business Risk of Fraud: A Practical Guide“, The IIA, AICPA, and ACFE, 2008