Internal audit has to be ready for the risk fraud brings and prepared to uncover and eliminate it. Yet, a simple audit can unexpectedly turn into a complex investigation.
Experienced auditors recognize that fraud encompasses a wide range of irregularities and illegal acts and look for the intentional deception or misrepresentation that provides cover. They may even have an effective fraud management program, including a company ethics policy supported by top management, fraud awareness, ongoing reviews by internal audit, and prevention and detection methods.
The next step, investigation, is critical. To truly address fraud, internal audit must know the risks of investigating fraud and when to hand that off to a skilled investigator.
One thing we know for sure is that fraud is relentless. When times are good, fraud creeps in as growth pushes processes and controls to the breaking point. When times are bad, fraud takes hold as employees use their trusted positions to take what they think they deserve. Undertaking an investigation of these reports that results in a conviction requires a good understanding of computer forensics, electronic discovery procedures, and evidence and document preservation. Not every internal auditor is ready for or understands the risk investigation brings. Internal audit leaders need to recognize this and train their teams accordingly.
The procedures and resources needed to fully investigate and report a suspected fraud event have grown given the digital world we live in today. Computer expertise has to be an integral part of internal audit's skills to investigate fraud: Email communication is omnipresent, evidence is stored electronically, encryption is hi-tech, and handheld devices hold data that might not be found anywhere else.
While specific procedures will differ depending on the situation, internal audit must be prepared to:
- Gather evidence through surveillance, interviews, or written statements.
- Collect and store evidence critical to understanding the misconduct and proving supporting conclusions.
- Determine the techniques used to perpetrate the fraud.
- Chronologically record all reports, documents, and evidence in a detailed log, including such things as hard copies and electronic forms of computer files, financial records, phone records, vendor information, public records, news articles, and social media posts.
- Interview personnel and witnesses involved, and then the accused individual after applicable evidence has been obtained.
- Know the rights of persons within the scope of the investigation.
- Be responsible that the process is handled consistently and prudently.
- Assess the complicity of the fraud throughout the organization, which can be critical to not destroying or tainting crucial evidence.
- Adequately secure evidence collected, maintaining chain-of-custody procedures appropriate for the situation.
Failure to perform any of these tasks, among others, could undermine the entire investigation. That is why it is critical for auditors to know the red flags for potential fraudulent or criminal activity, and to understand their responsibility to step back and let trained investigators take over if they don't have the necessary expertise. Some audit departments are resourced with skilled investigators, but most will have to look externally for the expertise needed. Here are a few things to keep in mind if potential fraud pops up during an audit:
Trust your instincts. If something feels wrong, it often is. I'm not recommending that every gut feeling leads to criminal activity, but if your instincts tell you something isn't right, take it seriously and seek guidance, if necessary.
Don't wait. Communicate when red flags are noticed. If you have skilled investigators internally, you hopefully are communicating with them regularly. Even if you don't have them, keep your leaders in the loop and bring in skilled investigators as early as possible. It's better to err on the side of caution than to risk spoiling the investigation and missing the opportunity to stop a criminal due to a technicality.
Don't confront the suspects. This should be a no-brainer, but it happens. In a typical investigation, the suspect is the last person you talk to, and then only after you've gathered all the information you can and know precisely what steps you need to take.
Be clear on roles and responsibilities. This is particularly important if continuing to audit related areas in parallel to the investigation. Everyone involved needs to know what everyone else is doing to ensure no one mistakenly undermines the investigation.
Audits can turn into investigations quickly. It is critical that all auditors are trained to recognize the red flags and have access to leaders and experts who can guide them through the appropriate next steps. Internal audit leaders must develop, or hire, the appropriate investigative skills on staff or have the ability to bring in external experts when needed. In the end, we all want to end fraud in our organizations and, as with all risks, we must be able to leverage the right resources at the right time.
That's my point of view, I'd be happy to hear yours.