Fraud is a major area of focus for some internal audit departments. They use data analytics for fraud prevention, and sometimes that is all they use data analytics for. When the potential for fraud is identified, they quickly put a team together to investigate.
The reasons for this include an historical focus on fraud (including expectations from management and the board) and a desire to "add value" by detecting fraud and performing investigations.
But, is this historical focus appropriate today? I believe the answer is "perhaps."
I believe the role of internal auditing is to provide objective assurance and consulting services regarding the effectiveness of the organization's governance, risk management, and related internal control processes. In other words, I agree with the definition of internal auditing in the International Standards for the Professional Practice of Internal Auditing.
To do that, internal auditing should assess the adequacy of the governance and risk management processes. When these are ineffective, risks (including the risks of fraud) are likely to be less than well managed — and the organization's ability to achieve its strategies and goals imperiled.
Internal auditing should advocate management's responsibility for identifying and assessing fraud risks, and for efficient and effective controls to prevent or detect fraud. Internal audit should not, in my opinion, "own" the responsibility for fraud detection. Rather, it should help management ensure appropriate controls to prevent/detect fraud through assurance and consulting services. (It may be appropriate for the chief audit executive to lead a separate Fraud Investigations unit, with the approval of the audit committee.)
Internal auditing should assign resources and prioritize its attention — its assurance and consulting services — based on the level of risk each area represents to the organization. Attention to fraud should be commensurate with the risk it represents. It should not be an automatic area of focus.
Just think of the companies whose (unaudited) risk management processes failed while the auditors were conducting investigations of inventory theft and payments to fictitious vendors.
Let's face the facts. The Association of Certified Fraud Examiners estimates annual losses through fraud at 7 percent to 8 percent (fairly consistent in this range over the years). That includes theft of time (playing on the internet) as well as loss of cash. For how many companies are fraud and theft of assets among the top 10 risks? How many companies rank fraud and theft high in their reported risk factors?
So, where fraud is a risk that merits attention, I prefer to assess whether management has effective processes and controls to prevent or detect fraud. Those should include fraud risk assessment, as well as controls. (Because of internal audit's greater proficiency, I don't have a problem with internal auditing leading or facilitating the fraud risk assessment process.)
I include fraud risks with all other forms of risk in my risk assessment process. If fraud is among the top risks, then it is included in the audit plan. The procedures I perform may include data analytics to test for the existence of fraud and for potential weaknesses in fraud-related controls.
If it is not among the top risks, I will not perform related procedures.
Do you agree? How do you determine the level of resources to apply to fraud risk relative to supply chain, compliance, hedging, cash management, or other risks?