Are internal auditors obsessed with fraud?
Are they terrified that a fraud might be uncovered and that management and the board would ask "where was internal audit?"
There is some merit to each of these. But does it mean that every audit department should have fraud risk toward the top of its risk-ranked audit plan?
Okay, the Association of Certified Fraud Examiners' annual surveys put the risk of fraud at around 5 percent of revenue every year. But that statistic should be viewed with caution. For example, it includes the risk that employees will use corporate assets like laptops for their personal use. Few individual frauds amount to more than $100,000, so to get to 5 percent of revenue you have to assume that many, if not most or even all, possible frauds occur. Is that likely?
In fact, few organizations are brought down or even materially impacted by fraud.
Let's consider some sources of risk that may be found at many, if not most, organizations:
- The effectiveness of risk management.
- The quality of information used in decision-making.
- The decision to acquire or divest a business.
- The ability to develop and successfully introduce new products and services.
- The ability to identify the value of and then deploy new technology.
- Customer satisfaction and product/service quality.
- Hiring, retention, and development of people.
- The effectiveness of the management team.
- The effectiveness of the board.
- The ability of IT to meet the needs of the business.
- The completion of major projects on time and within budget.
- Efficient procurement.
- Management of the sales pipeline.
- Sales contracting.
- Revenue recognition.
Now where would fraud risk rank among these — and I am sure your organization would have other high-risk areas?
Have a look at the following from The IIA:
Can you find the word "fraud" in any of the above?
Internal audit cannot ignore fraud, but it should not be obsessed with it either. We should understand the level of risk, give it an appropriate level of attention, and then explain that to the board and top management. After all, it is, or should be, management's responsibility to prevent and detect fraud. We can help by providing assurance that they are managing the risk of fraud, but it is theirs to manage, not ours.
If the audit committee insists that we have a larger role, then fine. But they should understand that this would mean diverting our scarce resources away from higher risk areas.
I agree that internal audit should align its work with the interests and desires of the board. But those interests and desires should be educated ones. One of the duties of the chief audit executive is to help the board understand the role and capabilities of internal auditing.
Our work should be driven by risks to the enterprise as a whole, what I refer to in my book, Auditing That Matters, as enterprise risk-based auditing.
Do you agree or disagree?
I welcome your comments.