
​The Ones You Least Suspect

Internal auditors must be alert to the red flags of fraud, even when they point to the organization’s most trusted employees.


​Anyone who has been exposed to employee fraud knows how unsettling it can be to learn that someone known and trusted has betrayed co-workers and the organization itself. Shocked employees wander the office halls, whispering to each other, “I would never have suspected him of doing something like that.”

And the perpetrator may, indeed, be a likable, friendly person who maintained cordial relationships with colleagues. Even good people occasionally stumble.

Internal auditors are responsible for understanding and assessing the red flags that may indicate that such a stumble is being considered or has already occurred. Proactive recognition and response can go a long way toward protecting the enterprise from the financial and reputational damage a successful fraud can create.

Holding the Line

Fraud represents one of the many risks associated with an unhealthy culture (see “It Starts With Culture” below), and one that internal audit can address directly in its capacity as the third line of defense. The first line, management, sets, communicates, and models desired values and conduct. The second line, oversight functions such as an ethics office, monitors risks related to employee conduct and compliance with policies and procedures. Internal audit assesses various functions and lines of business and determines whether values and behaviors that drive strategy and good performance are embedded in the organization.

​It Starts With Culture

Fraud is often enabled, even supported, by the culture of the organization, but understanding that culture is often easier said than done. Part of the problem involves coming to agreement on the definition of organizational culture. Most definitions allude to values, attitudes, beliefs, and behaviors — even taboos, symbols, rituals, and myths — that determine how a company’s management and staff interact internally and conduct business transactions. Perhaps the most direct definition is that culture is “how we do things around here.”

Regardless of the definition, ethics undoubtedly plays a significant part in an organization’s culture. Organizational ethics define how the company expects its employees to behave — expectations that are conveyed to employees in written form (policies, procedures, a code of conduct) and behavioral form (tone at the top).

As an ethical concept, tone at the top is frequently cited but not always fully appreciated — even though it is so powerful that its misuse can undermine all the other elements in place to prescribe ethical conduct. Tone illustrates vividly the fact that, when it comes to ethics, what matters most is not what is said, but what is done. One need only glance at Enron’s code of ethics, which called for employees to perform in accordance with “all applicable laws and in a moral and honest manner,” to see the difference between “walk” and “talk.”

Organizations should care about employees’ behavior for a multitude of reasons, but a primary concern is that, when unethical behavior goes unaddressed, it can erode the organizational culture — and anything that damages the culture damages the company. In a 2015 Duke University study, Corporate Culture: Evidence From the Field, more than 90 percent of CEOs and chief financial officers indicated their conviction that improving organizational culture would improve their companies’ value. Why? Because they believe culture influences productivity, creativity, profitability, and growth rates.

Culture is not just a “nice to have”; it ties directly to the bottom line. In a 2017 research report titled, Transforming Attitudes and Actions: How Senior Leaders Create Successful Workplace Cultures, 600 senior leaders — from India, Germany, Indonesia, and the U.S. — were asked about their companies’ culture and its contribution to success. Ninety-two percent say that organizational culture has a high impact on financial performance, so much so that 84 percent report they are currently taking steps to improve the culture in their organizations.

Although this role may be clear to internal auditors, how to approach it may be less apparent. The job can be tackled in many ways, but two objectives should remain paramount: understanding behaviors (red flags) associated with fraud — remembering that no one, even a “good” person, is immune from forces that may lead to misconduct — and considering the possibility of fraud on every audit.

Understanding Behaviors Associated With Fraud

Criminologist Donald Cressey’s fraud triangle theory indicates that frauds require three elements: pressure, opportunity, and rationalization. Fraudsters are often experiencing some type of pressure, at work or at home, real or imagined. They seek an opportunity to alleviate the pressure (via misdeed), and they must then be able to justify the behavior to themselves (“I deserve it,” “Everyone is doing it,” “No one will know”). Knowing this chain of events makes it easier to understand how employees who are generally esteemed and respected may suddenly commit fraud. When people faced with a nonsharable financial problem realize they can alleviate that problem through violation of a position of financial trust, and are able to convince themselves that their dishonest actions don’t run afoul of their personal codes of conduct, they make a transition Cressey describes as going from “trusted persons” to “trust violators.”

The fraud triangle’s opportunity element may be easier for internal auditors to identify, as it often arises through a lack of controls. It may be more difficult to discern when someone is feeling pressured — especially because, in some organizations, working under pressure represents the norm. One indicator of pressure may be a sudden change in working hours: arriving early or leaving late may hint at trouble at home or a desire to be alone at the workplace. Or an employee may display a sudden enhancement of lifestyle not commensurate with his or her salary, demonstrated through luxuries such as an expensive car, a high-end watch, an upgraded wardrobe, or an exotic vacation. Fraud may have supplied the original funding for these items, and pressure to maintain them may lead to repeated misconduct. (For additional indicators of potential fraud, see “Red Flags of Unethical Behavior” below.)

How do internal auditors balance their responsibility to identify suspicious employee behavior against their need to maintain good relationships? They apply healthy skepticism, which is not an automatic and cynical predisposition to distrust, but the appropriate use of questioning to see beyond the superficial.

Fraud in Every Audit

Internal auditors must begin every audit aware that fraud may exist. They cannot assume that a particular area or individual is incorruptible. Even minor ethics violations can spiral into something much bigger and more damaging to the organization, which is why internal auditors must maintain a thorough understanding of codes of ethics, policies, and procedures; organizational structures and defined roles and responsibilities; and compensation policies.

Internal auditors must remember that they are not only auditing processes, they are auditing people. Even good people can — under certain circumstances — commit unethical and fraudulent acts. Practitioners need to understand that, although most people want to do the right thing, definitions of what is “right” can vary, depending on culture and context. To get to the bottom of potential or actual fraud, internal auditors must have probing conversations with employees, gathering pertinent information but avoiding overreliance on their representations.

Trust but Verify

How do internal auditors meet their dual responsibilities of recognizing the red flags of fraud and considering fraud in every audit? They must first open their eyes to the possibility that everyone, in the “right” circumstances, is capable of committing fraud. Then, using this heightened sense of awareness, they can start asking employees appropriate questions and listening carefully to the answers:

  • Do you believe employees of this company behave ethically? If not, do you believe they will be caught? If they are caught, do you believe they will be punished? Why or why not?
  • Do you think transparency exists around the reasons behind key decisions?
  • Do you think compensation is fairly tied to organizational objectives?
  • Are you aware of, or have you noticed, any activity that might indicate that fraud is taking place? Have you noticed any unusual behaviors by other employees, such as a change in lifestyle?
  • Do you think people trust the whistleblower process and have confidence there will be no retaliation against those who use it?

These questions can smooth the path for internal auditors to address tone at the top by enabling them to structure their conversations with senior management around the employees’ perceptions of company ethics.

In addition to questioning, various types of tests can be used to identify red flags. Some typical areas to investigate could include:

  • Vendors with the same contact information as employees or multiple vendors with the same contact information.
  • Pre- or post-dated transactions.
  • Consecutively numbered invoices and invoices in amounts just below the threshold for review.
  • Patterns in the data — as identified by data analytics — that may indicate fraud (e.g., invoice amounts that end in .00, transactions made by upper management, transactions made late in the accounting period).
  • Employees’ use of their mandatory vacation time.
  • Transactions processed outside normal channels. If such transactions exist, some follow-up questions may be useful: How is this transaction normally handled? When is it not done that way? How else could it be done?
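Several of the data tests listed above, sketched as an added example that is not part of the original article. The record layout, the 5,000 review threshold, the 5 percent "just below" margin, and the calendar-month accounting period are assumptions, and all sample records are constructed.

```python
import calendar
from collections import defaultdict
from datetime import date
from decimal import Decimal

REVIEW_THRESHOLD = Decimal("5000")  # assumed amount that triggers review
NEAR_MARGIN = Decimal("0.05")       # assumed: flag amounts within 5% below it
# Constructed sample records, for illustration only.
EMPLOYEES = [{"name": "A. Clerk", "phone": "555-0101"}]
VENDORS = [
    {"id": "V1", "phone": "555-0101"},  # same phone as an employee
    {"id": "V2", "phone": "555-0199"},
    {"id": "V3", "phone": "555-0199"},  # same phone as V2
    {"id": "V4", "phone": "555-0150"},
]
INVOICES = [  # (vendor id, invoice number, amount, posting date)
    ("V1", 1001, Decimal("4950.00"), date(2019, 3, 29)),
    ("V1", 1002, Decimal("4900.00"), date(2019, 3, 30)),
    ("V1", 1003, Decimal("4875.50"), date(2019, 3, 31)),
    ("V4", 2210, Decimal("1220.37"), date(2019, 3, 12)),
    ("V4", 2391, Decimal("812.00"), date(2019, 3, 18)),
]

def shared_contacts(vendors, employees):
    """Vendor ids whose phone matches an employee's or another vendor's."""
    by_phone = defaultdict(list)
    for v in vendors:
        by_phone[v["phone"]].append(v["id"])
    staff = {e["phone"] for e in employees}
    return sorted(vid for phone, ids in by_phone.items()
                  for vid in ids if phone in staff or len(ids) > 1)

def invoice_flags(invoices, threshold=REVIEW_THRESHOLD, late_days=3):
    """Map (vendor, invoice number) -> sorted red-flag labels, if any."""
    floor = threshold * (1 - NEAR_MARGIN)
    numbers = defaultdict(set)
    for vendor, num, _, _ in invoices:
        numbers[vendor].add(num)
    flags = {}
    for vendor, num, amount, posted in invoices:
        month_end = calendar.monthrange(posted.year, posted.month)[1]
        checks = {
            "just_below_threshold": floor <= amount < threshold,
            "round_amount": amount == amount.to_integral_value(),
            "consecutive_number": bool({num - 1, num + 1} & numbers[vendor]),
            "late_in_period": month_end - posted.day < late_days,
        }
        hits = sorted(label for label, hit in checks.items() if hit)
        if hits:
            flags[(vendor, num)] = hits
    return flags
```

A single flag such as a round amount is weak on its own; invoices that collect several flags, from a vendor that also shares contact details with an employee, are the ones to pull for follow-up questions.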

Finally, internal auditors can learn quite a bit simply by keeping their eyes open and asking themselves a few questions, such as:

  • Do employees display an unusual degree of deference to leadership?
  • Are values and conduct understood and aligned organizationwide?
  • Does the organization’s culture foster a general sense that what is good for the organization trumps everything else — that results are more important than standards?
  • Do management training and leadership programs stress management’s responsibility to model and advocate for integrity?
  • Do employees appear to suffer unreasonable pressure to perform? Is management trained to identify and minimize the sources of pressure?

Internal auditors’ ability to ask pertinent questions, listen for messages between the lines, watch for both tangible evidence and suggestive behaviors, test objectively and independently, and constantly ask “why?” makes them particularly well-suited to uncovering fraud indicators. Their efforts can go a long way in contributing to the organization’s fight against fraud.

Red Flags Unfurled

Ultimately, instituting a program that places fraud recognition and awareness on the front burner does not require an overhaul in the way internal auditors approach their work. It does, however, require an understanding of the red flags associated with fraud and an acknowledgment that, in every audit, opportunities for fraud, past or present, may exist. And critically, it requires internal auditors to hold on to their inherent trust in people, while recognizing that even those who raise the least suspicion may in fact be quite capable of organizational wrongdoing.

Richard F. Chambers
Deanna F. Sullivan

About the Authors



Richard F. Chambers, CIA, QIAL, CGAP, CCSA, CRMA, is president and CEO of The IIA.

Deanna F. Sullivan, CIA, CRMA, CPA, CFE, CGMA, is principal at SullivanSolutions in Houston.

