Should internal audit be expected to find fraud?

27 January 2020

Fraud continues to be on the increase. The National Economic Crime Centre report for 2018/19 estimated reported losses to fraud in the UK of over £2.2 billion. A key trend is that 86% of reported fraud is now cyber-enabled, as criminals take advantage of technological advances to mask their true identity and location and to make their attempts to defraud organisations and individuals ever more convincing. Fraud is not just an external risk. 70% of fraud is committed by insiders. This is therefore the most significant threat, with some employees being used to support criminal activity or perpetrating fraud themselves. On occasion, the fraud is of such a high value that the organisation is brought to its knees.

Management and those charged with governance therefore need to keep their anti-fraud control frameworks under review so that they remain an effective means of preventing, detecting and responding to fraud and are updated regularly to keep pace with new approaches adopted by fraudsters.

Organisations that establish an internal audit function do so in the expectation that it will play a key role. When a fraud is identified, the Head of Internal Audit is therefore likely to be asked to determine why controls did not prevent the fraud arising. A more challenging question that the Head of Internal Audit may need to field is why the work of the internal audit team did not identify the fraud.

Fraud can be very sophisticated and internal audit techniques with their focus on controls cannot be expected to find it in all cases, especially where collusion is involved. However, by bringing their expertise to bear on organisations’ anti-fraud control frameworks, Heads of Internal Audit can ensure that controls are well designed, reflect current fraud trends and are being followed.

The importance of internal audit in fraud detection

International Standards for the Professional Practice of Internal Auditing set out the responsibilities of internal audit. Standard 2120.A2 requires that internal audit activity must evaluate the potential for the occurrence of fraud and how the organisation manages fraud risk. 

Further clarification is provided in the IIA position paper on fraud – Fraud and Internal Audit January 2019. This paper states that internal audit “should consider where fraud risk is present within the business and respond appropriately by auditing the controls of that area, evaluating the potential for the occurrence of fraud and how the organisation manages fraud risk through risk assessment, and audit planning.” 

The focus of internal audit should therefore be upon checking management’s fraud risk assessment and the design and operation of the preventative and detective controls established by the organisation to mitigate the risks identified.

Data reported by the Association of Certified Fraud Examiners (ACFE) indicates that only 15% of fraud is identified by internal audit – suggesting that its value as part of an organisation’s anti-fraud control framework is limited.

However, this statistic is somewhat misleading. Looking at the data in more detail reveals that in most cases (66%) fraud is identified by the detective controls established by management, including whistleblowing arrangements, review and authorisation checks, reconciliations and monitoring controls. By following professional standards, internal audit will have reviewed these controls and recommended improvements to enhance their effectiveness where necessary. Ensuring that management establish effective detective controls should therefore be seen as a key benefit of an internal audit function.

Since 34% of fraud is not currently identified by management controls, the challenge for Heads of Internal Audit is to help organisations improve the detection rates of these controls so that an even higher proportion of fraud is identified without the need to rely upon audit work, police notification, confession or complete accident.

Responding to the challenge

As a starting point, Heads of Internal Audit should reconsider whether their annual plans focus upon detective controls in as much detail as preventative controls and look to satisfy themselves that, if a fraud were taking place, there is a high likelihood that it would be identified by checks such as reconciliations and management monitoring. If management monitoring controls – including data analytics – do not provide the means to identify fraud red flags, Heads of Internal Audit should be making the case for these to be improved.

Whistleblowing arrangements are also an important means of detection, with many frauds coming to light as a result of a tip-off. The opportunity to report concerns needs to be available to suppliers and customers as well as employees. If concerns are rarely reported through an organisation’s whistleblowing arrangements, this may indicate that they do not work effectively, that they are not well understood, or that it is not believed that any concerns will be taken seriously and treated confidentially. Heads of Internal Audit should investigate the root cause of this and engage with management to improve procedures and to better communicate the organisation’s commitment to support individuals who have concerns.

Heads of Internal Audit should review the skills of their teams to ensure that when they are testing controls they are armed with sufficient knowledge to identify the signs that a fraud may be taking place. The IIA position paper on fraud sets out the expectation that internal audit should have sufficient knowledge of fraud to:

  • Identify red flags indicating fraud may have been committed
  • Understand the characteristics of fraud and the techniques used to commit fraud, and the various fraud schemes and scenarios
  • Evaluate the indicators of fraud and decide whether further action is necessary or whether an investigation should be recommended
  • Evaluate the effectiveness of controls to prevent or detect fraud.

Heads of Internal Audit should therefore look again at the training provided to their teams, to make sure that they keep up to date with current fraud techniques and schemes and how their presence may be indicated. Data analytics skills and available software may also need to be enhanced to enable more detailed interrogation and analysis of data to be undertaken to identify potential indicators of fraud. This knowledge should be brought to bear on the testing strategies for areas where there is a fraud risk, and the potential for a fraud scheme to be in operation should be considered when evaluating controls.

Increased scrutiny

There has been much debate recently about the respective responsibilities of management and audit in respect of fraud.  Following the review commissioned by the UK Government of the quality and effectiveness of audit, the Brydon Review was published in December 2019.

Brydon recommends that external auditors’ responsibilities are extended to require them to endeavour to detect material fraud in all reasonable ways and to record in their audit report the steps that they have taken to assess the effectiveness of relevant controls and to detect fraud. Brydon also recommends that directors report on the actions that they have taken to fulfil their obligations to prevent and detect material fraud against the background of their fraud risk assessment.

The draft Internal Audit Code of Practice issued by the IIA in July 2019 does not include any substantive revisions to the work required of internal auditors in respect of fraud.  However, it is likely that the work of internal audit will come under greater scrutiny over the coming year as management and external auditors respond to Brydon. By renewing their focus on detection controls and reassessing their strategies, plans and testing approaches to ensure that these continue to provide the level of assurance required by professional standards, Heads of Internal Audit will be well placed to meet the growing expectations of both management and external audit as they seek to discharge their responsibilities.