Internal auditors must have sufficient knowledge to evaluate fraud risk and how it is managed by the organisation.
NAIROBI, Kenya, Nov 7 – Public sector organisations are tackling a wide range of issues, escalating expenditure, procurement irregularities, weak revenue streams, increased demand for public services and weak governance.
These can be worsened by fraud and corruption, which can cause financial losses, reputational damage and erode employee morale. As the demand for transparency and the government’s war on corruption intensifies, internal audit functions can play a more significant role in supporting the fight against fraud.
Preventing and detecting fraud
The Institute of Internal Auditors (IIA) defines the role of internal audit with regards to fraud as providing objective assurance to the Board and management that fraud controls in place in the organisation are sufficient for identifying fraud risks and are functioning effectively.
This definition is commonly accepted across the profession. The definition recognises that we should not confuse the role of internal audit with that of management. Management’s role is to establish and maintain an effective system of internal control to prevent, deter and detect fraud.
Incidences of fraud may be detected by internal audit and some internal auditors may have a role in investigations but they should not be solely relied upon by management to prevent and detect fraud, nor should they be seen as the primary investigator of incidents. To be effective, the role of
To be effective, the role of internal audit must be clearly defined, agreed with stakeholders and captured in the Internal Audit Charter. This includes internal audit’s responsibilities with regard to preventing and detecting fraud.
Understanding fraud risk
Internal auditors must have sufficient knowledge to evaluate fraud risk and how it is managed by the organisation. They are not expected to have the expertise of a person whose primary responsibility it is to detect and investigate fraud.
Various models are available to help understand fraud risk. One of the commonly used models is the ‘fraud triangle’. This model argues that fraud generally occurs when three conditions are present:
Pressure – the need for committing fraud (for example a non-sharable financial problem, either personal or business related);
Rationalization – the mind-set of the fraudster that justifies them to commit fraud; and
Perceived opportunity – the situation that enables fraud to occur (often when internal controls are weak or non-existent).
Fraud risks should be considered when undertaking internal audit risk assessments, developing audit plans and determining the scope of internal audit reviews. Internal audit resources should then be prioritised in the areas of highest risk to be most effective.
Internal audit can also support the organisation in understanding fraud risk such as by holding workshops to increase awareness and supporting fraud risk assessments. These workshops also help to raise the profile of anti-fraud measures.
Alert to potential indicators of fraud
When undertaking audit work, internal auditors should also be alert to indicators of fraud. Indicators are useful but should be used with caution; someone’s behaviour or profile may ‘tick all the boxes’ but they are not a fraudster. Conversely, someone may tick none of the boxes but still commit fraud. However, some common ‘red flag’ behaviours include:
- Dominant/aggressive personalities or people with too much control;
- Resistance to change or a preference for working alone;
- Close relationships with suppliers and protectiveness of those relationships;
- Generally evasiveness or defensiveness if questioned;
- Lack of transparency and supporting documentation;
Lifestyle audits
Some organisations are conducting lifestyle audits to help identify fraud by assessing whether or not individual income is consistent with lifestyle.
Such an approach should be used with caution; such audits should only be undertaken where other indicators exist and evidence can be gathered lawfully to contribute to a wider investigation. Lifestyle audits may also prove disproportionately burdensome when audit resources are constrained. Auditors should, however, maintain awareness of lifestyle as another key indicator of fraud.
Assessing controls in place to mitigate fraud risks
As with any audit review, internal auditors should assess both how controls are designed (does the control in place mitigate the fraud risk?) and the operation of controls (are controls operating in practice?). Control deficiencies often provide the opportunity to perpetrate a fraud. Auditors should be aware of the implications of control deficiencies and raise practical recommendations to help reduce the opportunity to commit fraud.
Control deficiencies often provide the opportunity to perpetrate a fraud. Auditors should be aware of the implications of control deficiencies and raise practical recommendations to help reduce the opportunity to commit fraud.
Internal audit functions can also increase their chances of detecting fraud using data analytics tools that review 100 percent of transactions to highlight those with certain characteristics that are questionable. The PwC Global Economic Crime Survey identified that the most serious cases of fraud are increasingly detected using these techniques.
The PwC Global Economic Crime Survey identified that the most serious cases of fraud are increasingly detected using these techniques.
Professional scepticism and the Code of Ethics
Professional skepticism is the ability to apply a questioning mind and undertake critical assessment (of audit evidence presented, for example). By demonstrating skepticism throughout the audit process, the likelihood of uncovering fraudulent activity is increased.
By demonstrating skepticism throughout the audit process, the likelihood of uncovering fraudulent activity is increased.
To support internal auditors in developing and applying professional skepticism there should be constructive challenge within the audit team, effective oversight of audit work and independent review. Auditors should also undertake self-evaluation of their ability to be objective and independent in their work, identifying any threats and implementing safeguards.
Objectivity is one of the four key elements of the internal auditor’s professional Code of Ethics. The others are Integrity, Confidentiality and Competence.
Auditors should always apply these key principles for them to be effective in delivering their role and to help fight fraud.
In conclusion, internal audit functions can assist management by significantly contributing to the fight against fraud and corruption. Internal auditors can assess controls in place to mitigate fraud risk, helping to strengthen the control environment and thus reduce the opportunity to perpetrate fraud.
They can also help to uncover fraud. However, the most effective tool for preventing and detecting fraud is culture and the whole organisation must be united in the war on corruption.
Sydney Ondari is a Manager in the Risk Assurance Team at PwC Kenya
