Most internal auditors dread hearing management ask, “Where were the auditors?” — particularly when it relates to fraud. The moment fraudulent activity is uncovered, organizational stakeholders often blame the auditors even before holding perpetrators accountable. As a result, auditors can find themselves on the defensive and fail to engage in valuable activities such as consulting — they lack trust and fear reprisal in the event of any unforeseen fraud or operational errors in the areas for which they provided services. So rather than covering their organizations against fraud, internal auditors frequently seek to cover their backs. It is time for that to change.
Clinging to a fear-based approach represents a disservice to the organization and its stakeholders, depriving them of internal audit’s expertise and assurance. Auditors need to help ensure systems are established throughout the organization to manage fraud risks effectively. They can accomplish that by addressing several areas.
First, internal auditors need to partner with the board and management to fraud-proof their organizations. Developing relationships with these stakeholders is critical to identifying potential risks, as they possess key information regarding where those risks may lie. Additionally, practitioners need to share their knowledge and ensure stakeholders have the benefit of internal audit’s unique purview of the organization.
They also must help ensure anti-fraud controls are strong and robust. Auditors play an important role in assessing the effectiveness of key anti-fraud controls, such as the presence of an effective code of conduct, whistleblowing system, and external audit selection and oversight process. Auditors should proactively diagnose process weaknesses; they should also push for the implementation of preventive automated controls.
Furthermore, auditors must take governance considerations into account. They should conduct a governance audit with a specific focus on conflicts of interest, segregation of duties, and related-party transactions. They also should audit culture and provide recommendations that can help align the organization’s value system with the behaviors of all stakeholders. Moreover, conducting a thorough assessment of nomination and remuneration policies can enhance the organization’s ability to hire qualified, ethical board members and executives and help ensure remuneration policies do not incentivize fraud.
Although internal auditors are not responsible for identifying a specific fraud, they may be held accountable for not addressing foundational weaknesses that can enable and promote fraud within the organization. Helping to fortify anti-fraud controls and ensure the organization constructs processes with the potential for fraud in mind is essential to organizational health. Once auditors address fraud risk effectively, they can answer the question “Where were the auditors?” with a simple reply: “We were here all along.”