The legend says it's the internal auditors. The fact is, they aren't, because they can't be.
But folklore never demands a rethink, while professionalism doesn't come cheap and doesn't always make sense to those attuned to tradition.
Moreover, the mere thought of being behind the discovery of a fraud is tempting even for internal auditors: it elevates their stature and makes them sought after, besides any monetary gains that might come their way. That is mainly because a successful fraud detection would be the most significant direct and tangible outcome of any internal audit intervention.
So what are the internal auditors responsible for in the context of fraud? Let’s see what the Institute of Internal Auditors has to say about what the internal auditors should be doing:
| DOs | Rationale |
| --- | --- |
| Detecting, preventing and monitoring fraud risks and addressing these risks in audits and investigations | Audit planning is always risk based, and so is the audit approach. The approach should be designed so that it considers the possibility that fraud risks are present, identifies those risks, helps address them before they materialize, and monitors the behavior of and shifts in these and other emerging fraud risks. |
| Audit and evaluate the effectiveness of controls to prevent or detect fraud, evaluate the potential for fraud occurrence and how the risks are being managed | Testing the efficacy of controls against risks, and their fulfillment of the objectives for which they were designed, is a core component of any audit engagement. |
| Identify red flags indicating fraud may have been committed and decide whether further action is necessary or whether an investigation should be recommended | Reviewing data and trends to identify patterns and anomalies is a key requirement when auditing an area; it benefits the auditor even more than the client, by concentrating audit effort on the areas that need greater focus. The auditors must then decide on the nature and significance of the probability and impact of the red flags, escalate the matter and call for a specific probe to rule out fraud. |
| Understand the characteristics of fraud and the techniques used to commit fraud, and the various fraud schemes and scenarios | Audit engagement planning must be dynamic and evolving, so that it can adjust to identify and evaluate how a fraud came about once it has occurred, as well as numerous other likely scenarios. |
| Identify how controls designed to manage fraud risks failed and the opportunities for improvement | As part of engagement completion and closure, it is imperative that a detailed advisory is issued on how the controls designed to manage fraud risk failed and how they could be improved or replaced, taking cost and benefit into account. |
And what the internal auditors should not be doing:
| DONTs | Rationale |
| --- | --- |
| Designing controls to prevent fraud from happening | Auditors do not design controls; they can only advise on controls. If they start designing controls, they can never evaluate those controls in any audit engagement. |
| Investigating fraud | Fraud investigations require expertise not generally available within audit teams. While that expertise can be developed, fraud investigations may put the auditor's independence at stake, and the auditors would then be unable to review the investigation process. Furthermore, investigations require adequate training to deal with their human fallout. |
| Committing to responsibilities when the expertise to perform them is not available | Not just for fraud but for every engagement that must be conducted professionally, auditors cannot and should not pledge to do work they are not trained or skilled to do. |
Now that we have gone through the requirements of the Institute of Internal Auditors around fraud and internal audit in detail, a seemingly grey area might have left you scratching your head: the difference between being able to detect and prevent fraud, and being able to detect, prevent and monitor fraud risks. Let's take it head on then!
Simply put, risk is the potential for anything to happen, which is why ISO defines it as the effect of uncertainty on objectives. The objective in this context is preventing a fraud from happening and detecting it when it does. Controls help accomplish this objective by managing the risk. Professionally, auditors are required to help improve risk management and controls so that objectives are accomplished.
Thus, auditors review the fraud risk identification, assessment and mitigation processes to provide adequate and reasonable assurance that new and emerging risks are being detected and their evolution monitored, that risk assessment is being conducted in accordance with established criteria, and that the health of the risk management system is being monitored regularly, as desired.
Furthermore, the auditors test the controls to check that they operate as intended and help improve their design to increase their efficacy. Thus, the auditor's approach is still a holistic one to fraud prevention, detection and monitoring, while keeping audit independence intact.
This independence is a key requirement and, if you read between the lines of the rationale given above, it is the reason for the DOs and DONTs! Only this independence can really improve the systems in an unbiased manner.
So, what is the answer to the first question: why can't internal auditors be expected to prevent or detect fraud?
Well, the answer lies in two further questions: what do controls do in the context of fraud? And who is responsible for designing and implementing controls?
Controls prevent, detect and monitor fraud. And controls are designed and implemented by management. Management is the first line and has ownership and operational responsibility for the systems and processes that encounter fraud in real time.
Auditors are not in the driving seat, so they cannot be expected to prevent or detect fraud!