Internal Auditing and Fraud: The Auditor’s Role

 

AuditNet Survey Examines the Role of the Auditor in Fraud Prevention and Detection

 

The survey summary and detailed responses are available here

 

Auditors today are at a crossroads regarding how to incorporate fraud detection into their audit plans.

Leonard W. Vona


 

SUMMARY

 

"How could this have happened?" is the usual response when fraud is discovered. "Where were the auditors?" is often the next question. These two responses raise the question of whose responsibility it is to prevent and detect fraud.

 

The Institute of Internal Auditors (IIA) recently released two new pieces of guidance to help organizations deal with fraud risks. The first guide – Internal Auditing and Fraud – is aimed at increasing the internal auditors’ awareness of fraud and provides guidance on how to address fraud risks during internal audit engagements. The second – Fraud Prevention and Detection in an Automated World – is specific to fraud within the technology environment, and is The IIA’s 13th installment of the Global Technology Audit Guide (GTAG) series.

 

In December 2009 AuditNet® conducted a survey of the global audit community to examine the auditor’s role in fraud detection and prevention. The results showed that while fraud is a recognized problem experienced by many organizations, there are still obstacles that auditors confront in investigating and detecting fraud.

 

While the new IIA standards clearly require internal auditors to have sufficient knowledge to evaluate the risk of fraud and the manner in which it’s managed by the organization, almost half (48.3%) of the respondents weren’t aware of the guidance documents. One of the key components of an anti-fraud program involves fraud awareness training, recognizing that fraud prevention and detection is the responsibility of every organization’s stakeholder. And yet almost two thirds (65%) of the respondents indicated that their organization did not have a fraud awareness program in place. This is in stark contrast to the question focusing on management’s tolerance for fraud risk; respondents (72.5%) indicated that management’s tolerance for fraud risk has not diminished over the years. Another key factor in detecting and investigating fraud is having staff trained in this area. The survey results showed that almost 70% did not have a staff member who is a Certified Fraud Examiner, a professional designation awarded by the Association of Certified Fraud Examiners after a member demonstrates a detailed knowledge of the fraud examination tools and techniques and related experience. It is possible that staff members with other disciplines and professional certifications, such as CIA, CPA and CISA, have fraud experience; however, the CFE is the recognized designation for this specialized area.

 

Another important facet of fraud detection and prevention is the involvement of the audit committee in setting the tone for the organization. The majority of the respondents reported that the Chief Audit Executive (CAE) has unrestricted direct access to the audit committee. However, almost 40% of the respondents indicated that their audit committee did not include a member with fraud familiarity. This makes the CAE’s job more difficult when discussing fraud-related issues with board members who are not fraud aware.

 

 

THE SURVEY DETAILS

 

AuditNet® recently conducted a survey of the global audit community to examine the auditor’s role in fraud detection and prevention.

 

We received responses from 217 auditors from various industry sectors including banking, energy, government, healthcare, service, and retail. Approximately 54% of the respondents work in departments with fewer than 5 auditors. The next largest department size was between 6 and 10, which was about 26% of the respondents.

 

Almost 72% of the respondents indicated that their audit department reported to the audit committee.

 

The vast majority of the respondents indicated that the CAE has unrestricted direct access to the Audit Committee. This means that when fraud situations are brought forward, the CAE has the organizational status to bring these issues to the Board of Directors.

 

Does the Chief Audit Executive (CAE) have unrestricted direct access to the Audit Committee?

Answer Options       Response Percent    Response Count
Yes                  84.4%               173
No                   15.6%               32
answered question                        205
skipped question                         12

 

 

However, when asked if the Audit Committee had a member who had fraud-related experience, the following were the results. Almost 40% of the respondents reported that there was no member familiar with fraud, which could be problematic when discussing these issues with the Board.

 

Does your company’s Audit Committee include a member familiar with fraud?

Answer Options       Response Percent    Response Count
Yes                  60.2%               121
No                   39.8%               80
answered question                        201
skipped question                         16

 

The IIA’s International Professional Practices Framework (IPPF) Standard 1210.A2 states that internal auditors must have sufficient knowledge to evaluate the risk of fraud and the manner in which it is managed by the organization. They are not expected to be experts; however, Certified Fraud Examiners (CFE) are the individuals who possess specialized training and experience for this area. When asked whether their internal audit departments included those with the CFE designation, less than 1/3 responded yes. They most likely have staff familiar with fraud detection and investigation, but it may be worthwhile for the CAE to encourage specialized training as well as pursuit of this recognized certification.

 

Are any of your internal auditors Certified Fraud Examiners (CFE)?

Answer Options            Response Percent    Response Count
Yes                       30.8%               65
No                        69.2%               146
Other (please specify)                        7
answered question                             211
skipped question                              6

 

The next question covered who internal auditors felt had responsibility for detecting and preventing fraud. Not surprisingly, over 53% responded that all employees had this role. Responses were also high for internal audit and management responsibility. Only 14% responded that external auditors were responsible, which is surprising based on the auditor’s requirement to detect fraud under SAS 99.

 

 

The IPPF includes a standard (1000) where the audit department details its purpose, authority and responsibility in a formal internal audit charter. While not specifically required, the responsibility for fraud detection and investigation should be included given that this is now mandated by the IPPF. Of those who responded to the survey, 51% indicated that their charter delineated the department's responsibility for detecting fraud against the company.

 

 

As a follow-up to the above question, over 2/3 of the auditors stated that although it was not defined in the charter, their responsibility was communicated to them in other ways such as the standards (SAS 99 and IPPF), standard operating procedures and job descriptions.

 

When asked whether the role of the Internal Audit Department regarding detecting/screening for fraud changed in the last five years, 63% responded that it had not. This indicates that although there has been an increased focus on fraud in the media and within the profession, departments have not made corresponding adjustments. This could indicate that they already felt that they were covering this area or, due to the lack of resources, could not incorporate this into their audit plans.

 

As a follow-up to the previous question, we asked how the role of their department had changed. Forty percent (40%) said that they now incorporate a fraud risk assessment or have specific steps in their audit programs focused on fraud. Twenty-two percent (22%) are more proactive in their detection and the same percent (22%) stated that management policy includes responsibility for fraud detection. Eight percent (8%) attributed the change to the introduction of data analysis into their annual and project planning.

 

We then queried whether the respondents were aware of The Institute of Internal Auditors’ new guidance on fraud (IPPF Practice Guide (PG) Internal Auditing and Fraud) released in December 2009. The responses were split evenly between those who were aware and those auditors who were not. Also, 29.2% of the respondents indicated that they were a member of the IIA.

 

A recognized best practice for organizations is an established fraud awareness program for employees. Only 35% indicated that their company had established a fraud awareness program. This is a clear opportunity area for auditors to champion an industry-recognized best practice. Implementing a fraud awareness program has demonstrated positive results in reducing the occurrence of fraud. On a positive note, of those who indicated that their company utilized a fraud awareness program, almost three quarters said it was for the entire company. All employees have a responsibility in fraud detection, and therefore first-class programs include managers as well as staff and professionals.

 

Regarding whether the survey respondents had experience in auditing for fraud within their organizations, over 71% responded affirmatively. This confirms that fraud is still a pervasive problem in organizations, and while we did not ask when these frauds occurred, it is likely that with the deterioration of the economy occupational fraud has remained constant or increased. When asked what role internal audit played in the fraud occurrence, over 87% responded that they were responsible for investigating and working with a team. Only 5% of the auditors responding indicated that they led the effort. Only one auditor indicated that they detected the fraud. As auditors begin to adopt the new IIA standards, we expect that there will be an increase in the frauds detected by audit functions; however, that does not appear to be the case currently.

 

The next question asked whether their company was doing enough to prevent fraud. Over 63% of the auditors responded that, in their opinion, their company was not doing enough to prevent fraud. This indicates a gap between audit expectations and the reality of management perception of the problem. As long as this gap exists, management will not be willing to devote the necessary resources to fraud detection and investigation. It is therefore imperative that CAEs communicate the new fraud detection standards to senior management and their Board Audit Committees to raise awareness of the auditor’s responsibility.

 

Auditors provided their ideas as to what their company could do to better protect against fraud. The following chart reflects that over 60% of the auditors felt that an employee fraud awareness training program would enhance fraud prevention within their company. When asked for other suggestions, auditors indicated that more use of data analytics would help.

 

The final question sought to understand how auditors perceived their company’s tolerance for fraud risk. Over 72% of the respondents indicated that their company’s tolerance for risk had not diminished in recent years. This goes directly back to the question on whether companies were doing enough to prevent fraud. The responses on risk tolerance reinforce the idea that management is comfortable with their response to fraud. Those that responded that their company’s tolerance for risk has not diminished may be vulnerable to increased fraud. In looking at the industry breakdown for those companies whose tolerance for risk had not diminished, 30% were banks and financial services, 18% government, 10% service industry, 7% utility industry, 7% manufacturing, 5% each healthcare and retail, with various other industries comprising the balance. Those industries where the auditors perceived less risk tolerance were those impacted by the recession. More study is obviously needed in this area to determine how risk is tolerated based on industry classification.

 

