​Internal Audit and Fraud Risk​

Comments Views

​Are internal au​ditors obsessed with fraud?

Are they terrified that a fraud might be uncovered and that management and the board would ask "where was internal audit?"

There is some merit to each of these. But does it mean that every audit department should have fraud risk toward the top of its risk-ranked audit plan?

Okay, the Association of Certified Fraud Examiners' annual surveys put the risk of fraud at around 5 percent of revenue every year. But that statistic should be viewed with caution. For example, it includes the risk that employees will use corporate assets like laptops for their personal use. Few individual frauds amount to more than $100,000 so to get to 5 percent of revenue you have to assume that many, if not most or even all, possible frauds occur. Is that likely?

In fact, few organizations are brought down or even materially impacted by fraud.

Let's consider some sources of risk that may be found at many, if not most, organizations:

  • The effectiveness of risk management.
  • The quality of information used in decision-making.
  • Strategy-setting.
  • The decision to acquire or divest a business.
  • The ability to develop and introduce successfully new products and services.
  • The ability to identify the value of and then deploy new technology.
  • Cybersecurity.
  • Customer satisfaction and product/service quality.
  • Marketing.
  • Hiring, retention, and development of people.
  • The effectiveness of the management team.
  • The effectiveness of the board.
  • The ability of IT to meet the needs of the business.
  • The completion of major projects on time and within budget.
  • Efficient procurement.
  • Management of the sales pipeline.
  • Sales contracting.
  • Revenue recognition.
  • Tax.


Now where would fraud risk rank among these ​ and I am sure your organization would have other high-risk areas?

Have a look at the following from The IIA:


Can you find the word​ "fraud" in any of the above?

Internal audit cannot ignore fraud, but it should not be obsessed with it either. We should understand the level of risk, give it an appropriate level of attention, and then explain that to the board and top management. After all, it is, or should be, management's responsibility to prevent and detect fraud. We can help by providing assurance that they are managing the risk of fraud, but it is theirs to manage, not ours.

If the audit committee insists that we have a larger role, then fine. But they should understand that this would mean diverting our scarce resources away from higher risk areas.

I agree that internal audit should align its work with the interests and desires of the board. But those interests and desires should be educated ones. One of the duties of the chief audit executive is to help the board understand the role and capabilities of internal auditing.

Our work should be driven by risks to the enterprise as a whole, what I refer to in my book, Auditing That Matters, as enterprise risk-based auditing.

Do you agree or disagree?

I welcome your comments.​


If you want to be notified of comments so you can join the conversation on this post, please subscribe using the link below.


The opinions expressed by Internal Auditor’s bloggers may differ from policies and official statements of The Institute of Internal Auditors and its committees and from opinions endorsed by the bloggers' employers or the editors of Internal Auditor. The magazine is pleased to provide you an opportunity to share your thoughts about these blog posts. Some comments may be reprinted elsewhere, online or offline.

 

 

Comment on this blog post

comments powered by Disqus
  • MNP_Natonal Can Conf_July2017_Blog 1
  • LockPath2_July2017_Blog 2
  • IIA TRN-OnsiteWebAd_July2017_Blog 3