Definition of Fraud
Fraud encompasses a wide range of irregularities and illegal acts characterized by intentional deception or misrepresentation. The IIA’s International Professional Practices Framework defines fraud as: “… any illegal act characterized by deceit, concealment, or violation of trust. These acts are not dependent upon the threat of violence or physical force. Frauds are perpetrated by parties and organizations to obtain money, property, or services; to avoid payment or loss of services; or to secure personal or business advantage.”
Why Do People Commit Fraud?
Frauds can be committed by an employee at any level within an organization, as well as by those outside the organization.
There are three common characteristics of most frauds:
- Pressure or incentive — the need the fraudster is trying to satisfy by committing the fraud.
- Opportunity — the fraudster’s ability to commit the fraud.
- Rationalization — the fraudster’s ability to justify the fraud in his or her mind.
Fraud is a business risk that executives, especially chief audit executives (CAEs), have had to deal with for a long time. Numerous headlines have highlighted corporate scandals and wrongdoing that demonstrate the need for organizations and governments to improve governance and oversight. How to address fraud risk within an organization effectively and efficiently is a major topic of concern for boards of directors, management, business owners, internal auditors, government leaders, legislators, regulators, and many other stakeholders. And in many cases, new laws and regulations from around the world have forced organizations to take a fresh look at this longstanding problem.
Fraud negatively impacts organizations in many ways, including financial, reputational, psychological, and social implications. According to various surveys, monetary losses from fraud are significant. However, the full cost of fraud is immeasurable in terms of time, productivity, and reputation, including customer relationships. Depending on the severity of the loss, organizations can be irreparably harmed due to the financial impact of fraud activity. Therefore, it is important for organizations to have a strong fraud program that includes awareness, prevention, and detection subprograms, as well as a fraud risk assessment process to identify fraud risks within the organization.
An effective fraud management program includes the following:
- Company ethics policy — “tone at the top” from senior management.
- Fraud awareness — understanding the nature, causes, and characteristics of fraud.
- Fraud risk assessment — evaluating the risk of various types of fraud.
- Ongoing reviews — an internal audit activity that considers fraud risk in every audit and performs appropriate procedures.
- Prevention and detection — efforts taken to reduce opportunities for fraud to occur and persuading individuals not to commit fraud because of the likelihood of detection and punishment.
- Investigation — procedures and resources to fully investigate and report a suspected fraud event.
Internal Audit Involvement
So how can internal auditing best serve as a resource and play an integral role in fraud prevention and detection? The Institute of Internal Auditors International Standards for the Professional Practice of Internal Auditing (Standards) pertaining to fraud and the internal auditor’s role in detecting, preventing, and monitoring fraud risks and addressing those risks in audits and investigations include:
IIA Standard 1200: Proficiency and Due Professional Care 1210.A2 – Internal auditors must have sufficient knowledge to evaluate the risk of fraud and the manner in which it is managed by the organization, but are not expected to have the expertise of a person whose primary responsibility is detecting and investigating fraud.
IIA Standard 2120: Risk Management 2120.A2 – The internal audit activity must evaluate the potential for the occurrence of fraud and how the organization manages fraud risk.
IIA Standard 2210: Engagement Objectives 2210.A2 – Internal auditors must consider the probability of significant errors, fraud, noncompliance, and other exposures when developing the engagement objectives.
In addition to several Practice Advisories that The IIA has issued regarding fraud, IIA Standards also require CAEs to include significant risk exposure and control issues, including fraud risk, in the periodical report to senior management and the board.
Although management and the board are ultimately responsible for fraud deterrence, an effective internal audit activity can be extremely helpful in addressing fraud issues. Internal auditors evaluate risks faced by their organizations based on audit plans and testing, and need to be alert to the signs and possibilities of fraud. While external auditors focus on misstatements in the financial statements that are material, internal auditors are often in a better position to detect the symptoms that accompany fraud, as they usually have a continual presence within the organization, providing them with a better understanding of the organization and its control systems. Specifically, internal auditors can assist in the deterrence of fraud by examining and evaluating the adequacy and the effectiveness of internal controls. In addition, they may assist management in establishing effective fraud prevention measures by knowing the organization’s strengths and weaknesses and providing consulting expertise.
There are various approaches that the CAE may use in considering fraud while conducting internal audit activities.
- Auditing management controls over fraud. This includes policies, awareness practices, tone at the top, board and senior management governance (the control environment), as well as related practices, such as risk assessment, assessing the adequacy of preventive and detective controls in managing fraud risk within organizational tolerances, incident management, investigations, and recovery practices. Internal auditing should allocate resources to fraud-related activities in line with the risk of fraud relative to other organizational risks.
- Auditing to detect likely fraud by testing high-risk processes, with the intention of looking for indicators of fraud, within the organization and with external business relationships. For example, testing payroll for phantom employees, or testing vendor invoices for overcharges, matching vendor addresses with employee addresses to detect fictitious vendors, or reviewing databases for duplicate transactions.
- Considering fraud as part of every audit. For example, brainstorming about fraud risk, evaluating fraud controls, designing procedures that consider fraud risks, or evaluating errors to determine whether they could be an indication of fraud. The cumulative results may provide perspective on whether management’s awareness and risk management programs have been implemented effectively across the organization.
- Consulting assignments help management identify and assess risk and determine the adequacy of the control environment for process reviews, new business ventures, or information technology (IT) applications.
Facilitation of management’s self-assessment is another example of evaluating fraud risk, ensuring controls are in place to mitigate those risks, and determining who is monitoring results. As a part of its International Professional Practices Framework (IPPF), The IIA has issued “strongly recommended” guidance in the form of a Practice Guide regarding the role of internal auditing in fraud prevention and detection. Titled Internal Auditing and Fraud, the guidance is aimed at increasing the internal auditor’s awareness of fraud and provides guidance on how to address fraud risks on internal audit engagements. It also serves as general guidance to help internal auditors comply with professional Standards regarding fraud.
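Two of the detection tests named in the list above, matching vendor addresses with employee addresses and reviewing for duplicate transactions, are sketched below as an added example that is not taken from The IIA's guidance. The records, field names, and abbreviation table are constructed for illustration.

```python
import re
from collections import defaultdict
from decimal import Decimal

# Constructed sample records; field names are assumptions, not a real schema.
EMPLOYEES = [
    {"id": "E100", "address": "12 Oak Street, Apt. 4, Springfield"},
    {"id": "E101", "address": "77 Harbor Road, Lakeside"},
]
VENDORS = [
    {"id": "V1", "address": "400 Industrial Ave, Lakeside"},
    {"id": "V2", "address": "12 OAK ST APT 4 SPRINGFIELD"},
]
INVOICES = [
    {"vendor": "V1", "number": "INV-0042", "amount": "1,250.00"},
    {"vendor": "V1", "number": "inv 0042", "amount": "1250.00"},
    {"vendor": "V2", "number": "2024-17", "amount": "980.00"},
]
ABBREVIATIONS = {"street": "st", "road": "rd", "avenue": "ave",
                 "apartment": "apt", "suite": "ste"}

def normalize_address(address):
    """Lower-case, drop punctuation and abbreviate common words so that
    formatting differences do not hide a shared address."""
    words = re.sub(r"[^a-z0-9 ]", " ", address.lower()).split()
    return " ".join(ABBREVIATIONS.get(w, w) for w in words)

def vendors_sharing_employee_address(vendors, employees):
    """Return (vendor id, employee id) pairs whose normalized addresses match."""
    by_address = defaultdict(list)
    for emp in employees:
        by_address[normalize_address(emp["address"])].append(emp["id"])
    return [(v["id"], emp_id) for v in vendors
            for emp_id in by_address.get(normalize_address(v["address"]), [])]

def duplicate_invoices(invoices):
    """Group invoice row indexes that share vendor, normalized number and amount."""
    groups = defaultdict(list)
    for idx, inv in enumerate(invoices):
        number = re.sub(r"[^a-z0-9]", "", inv["number"].lower())
        amount = Decimal(inv["amount"].replace(",", ""))
        groups[(inv["vendor"], number, amount)].append(idx)
    return [rows for rows in groups.values() if len(rows) > 1]

if __name__ == "__main__":
    print(vendors_sharing_employee_address(VENDORS, EMPLOYEES))
    print(duplicate_invoices(INVOICES))
```

Each hit is an indicator to follow up with supporting documents, since shared addresses and repeated invoices can have legitimate explanations.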
Fraud and Technology
Thanks to unrelenting technological advancements, virtually everything we encounter is embedded with technology. Regardless of the industry or enterprise, IT is critical to maintaining a competitive edge, managing risks, and achieving business objectives; and organizations worldwide are allocating vast resources to vital technological projects. But as technology is advancing, so are schemes to commit fraud. The broad definition of fraud mentioned at the beginning of this article accommodates the fraud risks, exposures, and threats encountered within IT departments since frauds are enabled by the use of technology. Technology enables fraudsters to commit and conceal traditional fraud schemes more easily, and the reliance on automated tools to help perpetuate these schemes provides new challenges in the detection and prevention of fraud.
However, technology is also a tool that can help prevent and detect fraud. Advances in technology are increasingly allowing organizations to implement automated controls to help prevent and detect fraud. Technology also allows organizations to move from static or periodic fraud monitoring techniques, such as detective controls, to continuous, real-time fraud monitoring techniques that offer the benefit of actually preventing fraud from occurring. Numerous advanced analytical software packages are now available to assist in data analysis. Additionally, computer forensic technology and software packages are available to assist in investigating cases where computers are used to facilitate the fraud, or to identify red flags. By using technology to implement real-time fraud prevention programs and advanced detection tools, organizations can reduce the time it takes to detect fraud, thereby reducing its cost.
It is imperative that auditors stay ahead of fraudsters in their knowledge of technology and available tools. With readily available software, using computers to isolate accounting fraud clues not only makes sense, it is an absolute necessity if auditors are to help fulfill their duty of independent oversight. Despite the fact that many internal audit organizations are faced with tight budgets, limited staffing, and extended workloads, today’s audit professionals are expected to take a proactive role in helping organizations manage fraud risks by ensuring that appropriate controls are in place to help prevent and detect fraud. To this end, internal auditors need appropriate skills, and technological tools should be available to help them maintain a successful fraud management program that covers prevention, detection, and investigation.
All audit professionals — not just IT audit specialists — are expected to be increasingly proficient in areas such as data analysis and the use of technology to help them meet the demands of the job. In addition to evaluating the adequacy of internal controls, a challenge for internal auditors is to look beyond the controls and find loopholes in systems where fraud could occur. With an understanding of the relationships among different IT systems and applications, internal auditors can apply their critical thinking to identify high-risk areas and drill down to specific transactions.
The IIA on Fraud Prevention Using Technology
The IIA recently published the newest issue of its Global Technology Audit Guide (GTAG) on fraud. Written in straightforward business language to address a timely issue related to IT management, control, and security, the GTAG series serves as a ready resource for chief audit executives on different technology-associated risks and recommended practices. GTAG 13: Fraud Prevention and Detection in an Automated World provides an overview of techniques for effectively engaging with teams and management to assess the risks related to fraud, given the advancements in technology. It’s considered “strongly recommended” guidance under The IIA’s IPPF, and includes the following:
- An explanation of the various types of data analysis to use in detecting fraud.
- A variety of IT fraud risks.
- A technology fraud risk assessment template.
Internal audit practitioners can use this authoritative guidance to strengthen their knowledge of the integration of technology and fraud. It is intended as a supplement to The IIA’s Practice Guide, Internal Auditing and Fraud, and to inform and provide guidance to CAEs and internal auditors on how to use technology to help prevent, detect, and respond to fraud. The resources mentioned here are available from The IIA at www.theiia.org.