The International Standards for the Professional Practice of Internal Auditing are clear: Internal auditors must possess the knowledge, skills, and competencies needed to carry out their responsibilities. Some internal auditors also have the knowledge and skills to carry out a fraud examination effectively, but most do not. And in an upcoming position paper, The IIA emphasizes that internal auditors should not be expected to have the expertise of those professionals whose primary responsibility is to investigate fraud. The IIA believes fraud investigations are best carried out by those with the experience to undertake such assignments.
Hopefully, your organization has a fraud response plan that assigns specific duties and responsibilities. But if not, don't automatically assume that, as an internal auditor, you should undertake a fraud investigation single-handedly or that you should lead a fraud investigation team yourself.
We all need to be familiar with the indicators of fraud, and we need to be able to evaluate anti-fraud controls. But few internal auditors are fully equipped to be fraud investigators. An interrogation is very different from an audit interview, and there is great risk in crossing from reviewing evidence to contaminating it. When fraud is suspected, a simple mistake can easily become a costly and career-limiting move.
I have seen too many instances during my career where well-intentioned internal auditors inadvertently damaged the chances of a successful fraud investigation because they were either careless or simply didn't understand the risks of their actions. I always cautioned my teams to be careful not to "break the eggs" when they came upon a potential fraud during the course of an internal audit. From my experience, the following are just a few types of mistakes that internal auditors can make when they encounter evidence of fraud.
- Do not discuss the situation with anyone who does not have a need to know. Even the existence of an investigation should be kept confidential. Keep in mind that the scope of an occupational fraud is often bigger than it first appears, and you may not yet have identified everyone who is involved in the crime. Our profession's Code of Ethics requires confidentiality, and it's not appropriate to chat about new or ongoing investigations even with other internal auditors.
- Do not make accusations or rush to judgment. The evidence may appear to indicate that someone has committed a crime, but accusations can lead to charges of slander, libel, or wrongful termination. It should rarely be an internal auditor's job to accuse anyone of fraud, so contact your supervisor before saying something you might later regret.
- Do not disrupt operations. If you do, you may tip off potential fraudsters that they are under suspicion. Your actions may cause them to destroy important evidence, to warn accomplices, or to take other actions that can undermine an investigation.
- Do not disturb a potential crime scene or do anything that might contaminate or destroy digital evidence. Internal auditors are good at examining evidence, but special care must be taken during investigations. For example, it may seem appropriate to examine a suspect's computer records or to make a backup copy of his or her files. But computer forensics experts never perform analysis on original media. Simply by turning on a suspect's computer, opening a file, or making a backup, you are changing digital time stamps and hash values, potentially compromising important evidence. At times, action is unavoidable: It may be necessary to isolate a computer to prevent connections into and out of the system, for example. But preserving digital evidence is tricky. Unless you have specialized training in computer forensics, call for help before proceeding.
- Do not fail to swiftly alert legal counsel and human resources professionals. It's likely your fraud response plan states that it's necessary to brief legal counsel and a human resources (HR) representative before a formal investigation is launched. HR input can be especially important if termination or other disciplinary actions might result from the investigation. Depending upon the circumstances, your organization may be required to make disclosures about criminal activities to regulators, law enforcement, clients, shareholders, or other parties. Legal counsel can help to ensure that regulatory requirements are not overlooked, and attorney-client privilege can help protect your organization from disclosure of details that it might not want to make public immediately.
- Do not assume you should perform interrogations. When performed with expertise, interrogations can be an excellent source of information. Without that expertise, an investigation can be irreparably damaged. Internal audit interviews and discussions often employ collaborative approaches that are not necessarily appropriate during investigations, but an accusatory approach can also be a big mistake. Nobody wants a hostile or defensive suspect.
- Do not neglect your files. It's never a good idea to leave internal audit workpapers unsecured, but when fraud is involved, keeping documentation safe and confidential is particularly important. Having a copy of a document is not as good as having the original.
Fraud investigations can be high-risk engagements. If you think there is a possibility of fraud, don't break the eggs. You should not take any action that might tip off potential fraudsters or compromise evidence so that it can't be investigated later. I don't mean to imply that internal audit should never be involved in fraud investigations, but if the internal auditors are not fully trained investigators, it's time to seek help from specialists. A wise internal auditor understands the limits of his or her own knowledge and knows when to ask for help.
I look forward to your thoughts on this important subject.