Internal Audit and the fight against fraud
There is no denying the impact that fraud has on an organization's ability to achieve its objectives; this is the case for both the private and public sectors. Internal audit is a key assurance provider in the fight against fraud, even though it is not the function’s responsibility to detect fraud. In fact, the International Standards for the Practice of Internal Audit (IPPIA) require Internal Auditors only to be able to assess the risk of fraud and not necessarily to detect fraud. This is key, as fraud prevention and detection are primarily the responsibility of management, who need to put adequate and effective controls in place to reduce the risk of fraud to an acceptable level. Internal Audit has a responsibility to assess the adequacy and effectiveness of the controls that management has put in place, provide guidance on areas within the organisation that are susceptible to fraud, and then recommend controls that can be put in place to reduce the risks.
The main aim of any internal audit review is to enhance the operations of the entity; however, there is no denying that the fraud element needs to be considered. The Internal Auditor needs to understand fraud and its elements. In South African law, fraud is defined as “the unlawful and intentional making of a misrepresentation which causes actual and or potential prejudice to another”. The Prevention and Combating of Corrupt Activities Act provides guidance in that fraudulent activities have elements of illegality, through violation of a legal duty or a set of rules, and dishonesty, designed to achieve an unjustified result.
In terms of the standards (IPPIA), the internal audit approach is designed to place more emphasis on high-risk areas, which naturally implies that internal auditing will not necessarily detect all errors, fraud and irregularities. This implies that, while internal audit may identify certain areas of departure from the key controls, internal audit procedures alone, even when carried out with due professional care, will not guarantee that all instances of fraud and errors will be detected. Therefore, an internal audit review alone cannot be relied upon to disclose all matters of fraud, misappropriation or other irregularities that may exist.
To provide practical guidance on fraud and the role of internal audit, below is a case scenario from a real organisation where internal audit services have been provided and solutions have been offered:
Case Study: Practical Involvement of Internal Audit on Fraud
The client was in the process of reviewing its entire control environment and had insufficient controls relating to fraud. Following the procurement audit conducted, the client was made aware of its weak controls relating to fraud prevention and detection. A key recommendation that came from the internal audit team was that the client implement fraud identification measures, which included the documentation of a fraud prevention plan as well as the establishment of a fraud prevention hotline managed outside of the institution. This was to retain independence and allow for the anonymity of those reporting fraud issues.
Numerous cases were reported to the fraud hotline. These were submitted to internal audit, the risk office and the Chairperson of the audit and risk committee (a subcommittee of the board) if there was no conflict of interest identified in what was being reported. The issue was the number of cases that were reported and the cost implications of investigating all of them. Internal Audit became a key tool to determine whether what was reported required an investigation or not, and whether this could be done internally or required the assistance of an external forensic person.
In conducting this preliminary review, internal audit would follow a three-step process:
- Firstly, determine the factual accuracy of what was reported. This would be done through collecting evidence and substantiating what has been reported.
- Secondly, confirm whether there was a breach in process or whether what has been reported meets the criteria to be classified as fraud, based on the fraud elements as defined.
- The last step would be to determine whether the case can be investigated internally or needs to be referred to forensic investigators, after a cost-benefit analysis of the case.
The decision on whether to investigate internally or externally would be made by the audit and risk committee after looking at Internal Audit’s reports from the preliminary investigation. This meant that the power to decide whether to investigate or not would lie with the audit and risk committee, and not internal audit.
This level of involvement by Internal Audit in the analysis of what was being reported to the fraud hotline helped considerably: internal audit became more aware of the fraud risks that the organization was facing, which helped in the future planning of related reviews and in recommending stringent controls. Internal audit was able to follow up on cases where there was a breach in controls, as most of the tip-offs pointed to deficiencies in the control environment, and to follow up on the corrective actions recommended after the tip-off investigations.
It should be noted, however, that for organizations with risk officers, the fraud hotline cases can also go to the risk officers, who would then perform a preliminary assessment and assign cases for internal audit reviews on a consultation basis after discussion with the Audit and Risk Committee.
Conclusion
From the above scenario and according to the guidance provided by the standard, internal auditors have the following role with regard to fraud:
- Understand fraud and its elements, the characteristics of fraud and the techniques used to commit fraud, as this would enable the internal audit team to identify red flags relating to fraud.
- Adopt a pro-active approach to providing management support in detecting, preventing, and monitoring fraud risks, and evaluate the effectiveness of controls to prevent or detect fraud.
- Evaluate the indicators of fraud and decide whether further action is necessary or whether an investigation should be recommended.
- Review control systems once an investigation has been completed to identify any weaknesses which contributed to the fraud; and if necessary, make recommendations for remedial action.
- Report the results of fraud investigations, actions that have been taken to manage fraud risks and the effectiveness of the fraud risk management programme to appropriate Management and through the Audit Committee.
- Provide a source of information to Management as appropriate, regarding instances of fraud, corruption, unethical behaviour and irregularities.