Internal Audit and Fraud Risk Management

Described as a “joint research report by the Internal Audit Foundation and Kroll” (Kroll is a major investigation firm), Internal Audit’s Role in Fraud Risk Management has some truly excellent content.

It lays out extremely well the IIA’s position and guidance on this important topic. However, Kroll pretty much ignores that and continues with a report that pushes what I assume is its own opinion.

Here are some key points with my comments, but I strongly recommend a careful read with special attention to the IIA’s position laid out in the first three bullets below:

  • While the role of internal audit teams varies significantly across different industries, jurisdictions, and organizations, the predominant role of internal audit is, according to The Institute of Internal Auditors (IIA), “to provide independent, objective assurance and consulting activity designed to add value and improve an organization’s operations.” This includes assessing the design and effectiveness of controls in an organization, including controls involving fraud risk management, and providing assurance to management and the board that controls are designed appropriately and function effectively.
  • The IIA set out the following key points in relation to the role of internal audit in fraud risk management:
    • Organizations should have robust internal control procedures to limit the risk of fraud, and internal audit’s role is to assess these controls;
    • The organization should have a suitable fraud prevention and response plan in place allowing effective limitation and swift response to the identification of fraud and management of the situations. This should include digital data;
    • The chief audit executive should consider how the risk of fraud is managed across the organization and assess the fraud risk exposure periodically;
    • The risk of fraud should be included in the audit plan and each audit assignment to evaluate the adequacy of anti-fraud controls; [Note: The IIA needs to update this Standard. The risk of fraud should be considered in the development of the audit plan. As stated, the Standards imply that controls over fraud should be included in every audit, regardless of the level of risk.]
    • Internal auditors should not investigate fraud unless they have specific expertise and experience to do so.
  • In the UK, the Chartered Institute of Internal Auditors takes the view that “internal audit has a role to play in ensuring that management has effective systems in place to detect and prevent corrupt practices within an organization….But it is not the job of internal audit directly to detect or prevent corrupt practices. This is for executive management. Internal audit’s role includes promoting anti-fraud and anti-bribery best practice, testing and monitoring systems and advising on change where it is needed.”
  • In general, respondents were confident about the effectiveness of their fraud risk management programs, with 54% stating that they felt their organization’s fraud risk management was good, very good, or excellent.
    • Comment: 2.53% said their program was excellent and 16.54% very good. When evaluating on a 5-point scale, even “very good” indicates that there is significant room for improvement. Clearly, almost every respondent needs improvement!
  • 60% of those [where internal audit] had a leadership role [in enterprisewide fraud risk assessments said] they felt their organizations had good or better fraud risk management programs.
    • Comment: This is hardly a positive sign.
  • …the identification and management of other risks can … be enhanced by a stronger mandate for internal audit to drive risk analysis and frame how this feeds into senior management decision-making.
    • Comment: Kroll ignores the IIA guidance and makes this assertion without evidence to support it. However, as I will discuss later, I tend to support a move in this direction in some organizations, with one very significant modification in approach.
  • Of all the teams taking a lead in fraud risk management within organizations, internal audit took the lead most frequently in organizations surveyed, with 41% of respondents stating that the internal audit team was the main leader in fraud risk management. Additionally, 91% of respondents stated that they had at least some involvement in enterprisewide fraud risk assessment.
    • Comment: Kroll did not ask why Internal Audit was taking the lead, only what the barriers were to doing so – a major failing in my opinion. They clearly started with the position that Internal Audit should be the driver, rather than management. They ignored the guidance which very clearly says that the program is a management responsibility.
  • The majority of survey respondents (80%) felt that there were barriers to internal audit involvement in fraud risk management. The most common barriers noted were lack of appropriate resources, lack of mandate and potential conflict of interest, and to a lesser extent the lack of adequate skills to undertake such work.

The lack of mandate is perhaps the area most prevalent in current debate, with approximately a quarter of survey respondents considering this as the largest barrier. It is common in our experience that business leaders do not perceive that it is the primary mandate of internal audit teams to take a leadership role in fraud risk management and operational activity for prevention, detection, and response. The business objectives, structural priorities, and risk appetite of individual organizations will impact whether or not internal audit is the appropriate place for fraud risk management to sit.

  • Comment: Following the IIA Standards and guidance is a barrier, true, and it should be an effective barrier to taking on a management responsibility!

As a retired CAE and CRO, I believe every organization should consider the risk of fraud. The consideration should not only consider the financial impact but, even more so, the potential to affect the achievement of enterprise objectives.

ACFE surveys consistently report every year that, on average, organizations lose about 5% of revenues to fraud of one kind or another. However, that number includes a cost attributed to employees’ use of corporate assets (like doing their taxes on company laptops), theft of time, and so on. So I tend to slice that 5% down in my mind.

Nevertheless, fraud can be a significant source of risk and every organization should complete and then maintain an enterprise-wide fraud risk assessment with appropriate controls and other risk responses in place.

Management’s risk assessment and the related controls and responses should be assessed on a periodic basis by Internal Audit.

The potential for fraud (including cyber breaches) to affect the achievement of enterprise objectives should be a consideration in developing and maintaining the audit plan – in the same way as other sources of business risk.

We should not assume that controls and practices related to fraud must be included in the audit plan or in any audit engagement. That diverts resources and attention from more significant sources of business risk.

Now for the question I said I would come back to.

Should there be, as Kroll says, “a stronger mandate for internal audit to drive risk analysis and frame how this feeds into senior management decision-making?”

  • In many organizations, there is no good alternative to Internal Audit when it comes to leading a fraud risk assessment. Even in those situations (typically large companies) where there is a corporate security, investigations, or similar function, they may not have the experience and skills to lead the initiative.
  • Reporting to management and the board that an assessment is not being done, or is being done poorly, when there is no natural individual or function to do so, is pointing to a problem without offering a practical solution. The CAE should point out both the issue and a solution to that issue.
  • Somebody needs to do it, and the board and top management will generally support a CAE who is willing to take the lead.
  • Internal Audit may lead and facilitate the assessment with operating management making the assessment with IA help and guidance. They should make every effort not to be the assessor themselves. As CAE, this is the position I took. If there was nobody else to put the assessment together, I developed a draft after discussions with operating management and used that to elicit and facilitate senior management’s assessment.
  • Internal Audit should not “frame how this feeds into senior management decision-making.” No. Nyet. Nein. Non. Not on your life.

Kroll finishes their Conclusions section (except for their detailed recommendations, with which I disagree) with:

This may be a good opportunity for the internal audit profession to reassess and reconsider where it fits into the broader umbrella of fraud risk management to ensure that internal auditors support their organizations on the road to recovery in the most efficient and effective way.

It is always a good time to step back and reassess prior practice and guidance. But I don’t see it the same way as Kroll.

  1. The IIA should update the Standards to focus time and attention on enterprise risks and the achievement of enterprise objectives. The Standard that requires a second risk assessment for every audit is redundant and should be eliminated.
  2. The IIA should make sure that fraud risk is considered and given attention in the audit plan and engagements commensurate with the level of risk to the enterprise and its objectives.
  3. The IIA should engage with regulators to ensure that they do not mandate an excessive level of attention to a relatively low source of risk.
  4. Every organization should consider the level of fraud risk to its objectives and integrate that into their enterprise-wide management of risk (and success).
  5. CAEs should be willing, with board approval, to facilitate management’s fraud risk assessment.
  6. Nobody should be willing to accept an average grade.

What do you think?

  1. August 10, 2020 at 10:06 AM

    Norman, I’ll settle for your point 1: ‘The IIA should update the Standards to focus time and attention on enterprise risks and the achievement of enterprise The Standard that requires a second risk assessment for every audit is redundant and should be eliminated.’
    However, I would prefer this point to read, ‘The IIA needs to update the Standards to focus time and attention on the achievement of the organisation’s objectives, the opportunities which benefit their achievement and the risks which hinder their achievement’.
    I agree that there shouldn’t be a second risk assessment for every audit but every audit should start with an examination of management’s risk assessment, to ensure it complies with the organisation’s standards.

    • Norman Marks
      August 10, 2020 at 10:14 AM

      David, May I suggest a change to the last part of your last sentence?

      I agree that there shouldn’t be a second risk assessment for every audit but every audit should start with an examination of management’s risk assessment, to ensure it meets the organization’s needs.

      Even then, I am not persuaded that this should be part of every audit. It should be done first at the enterprise level (and maybe not every year) and then at business unit level where justified.

      • August 10, 2020 at 10:19 AM

        Norman, isn’t there the danger that management may not have carried out a comprehensive risk assessment? A business unit level audit may be suitable, depending on the size (and location) of the unit.

        • Norman Marks
          August 10, 2020 at 10:26 AM

          David, I prefer to start with an enterprise view.

          In any event, I want management to be considering what might happen all the time as part of every decision, and a traditional list of risks doesn’t cut it for me.

          If significant business decisions are being made at a business unit, I would be more interested in the process surrounding those decisions, including understanding what might happen, both positive and adverse.

          It might be necessary to consider how they address sources of significant enterprise risk that occur at a business unit level – but that comes from understanding the enterprise objectives and how they manage them for success.

          I would similarly be concerned with sources of significant enterprise opportunity.

          • August 10, 2020 at 11:34 AM

            Norman, you seem to be concentrating on decisions, which I accept are a major source of risks. Where do you pick up other risks, such as loss of IT systems due to ransomware?

            • Norman Marks
              August 10, 2020 at 11:47 AM

              They are identified if they are a source of risk to objectives (business objectives). They are then subject to decisions about what to do, including how much time and resource to spend on them.

  2. August 10, 2020 at 12:12 PM

    I accept that management identify risks to business objectives (personally I’d put them in a list) and then make decisions as to how much time and resource to spend on them (i.e. what controls to implement). Having made that decision, those controls need to be checked by IA (depending on the significance of the risk). So isn’t there always the need to not only look at the decision-making process but also those risks where decisions have been made? Hence the need to record risks and their controls in a list (tied back to business objectives) on which IA can base some of their work and provide an opinion as to whether the controls are operating as detailed in previous decisions?

    • Norman Marks
      August 10, 2020 at 12:14 PM

      What about opportunities? BTW, a response to risk may be to take more!

      I prefer to think about whether they are leading the organization to success than whether they are addressing the things that may harm them.

      • August 10, 2020 at 12:32 PM

        Quite happy to accept the response to a risk might be to accept more (I was once in charge of Credit Control, where that happens all the time) and that seizing opportunities is essential. That doesn’t remove the need to also consider risks. Not pursuing opportunities can result in a slow decline; not addressing (some) risks can result in a rapid decline.
