Fraud audit and internal auditors
IIA Standard 1210.A2, regarding fraud audit assurance engagements in the internal auditor’s work, states that:
Internal auditors must have sufficient knowledge to evaluate the risk of fraud and the manner in which it is managed by the organization, but are not expected to have the expertise of a person whose primary responsibility is detecting and investigating fraud.
The related practice advisory 1210.A2-1 goes on to state:
Internal auditors are responsible for assisting companies to prevent fraud by examining and evaluating the adequacy and effectiveness of their internal control system, commensurate with the extent of a potential exposure within the organization. When meeting their responsibilities, internal auditors should consider the following elements:
1. Control environment. Assess aspects of the control environment, conduct proactive fraud audits and investigations, communicate results of fraud audits and provide support for remediation efforts. In some cases, internal auditors also may own the whistleblower hotline.
2. Fraud risk assessment. Evaluate management’s fraud risk assessment, in particular, their processes for identifying, assessing, and testing potential fraud and misconduct schemes and scenarios, including those that could involve suppliers, contractors and other parties.
3. Control activities. Assess the design and operating effectiveness of fraud-related controls; ensure that audit plans and programs address residual risk and incorporate fraud audits; evaluate the design of facilities from a fraud or theft perspective; and review proposed changes to laws, regulations or systems and their impacts on controls.
4. Information and communication. Assess the operating effectiveness of information and communication systems and practices, as well as provide support to fraud-related training initiatives.
5. Monitoring. Assess monitoring activities and related computer software, conduct investigations, support the audit committee’s oversight related to control and fraud matters, support the development of fraud indicators, and hire and train employees so they can have the appropriate fraud audit or investigative experience.
The external auditor should evaluate whether the entity's programs and controls that address identified risks of material misstatement due to fraud have been suitably designed and placed in operation. A company and its management should be involved in or complete the following activities related to fraud:
• Determine key fraud risks at the company.
• Identify programs and controls to prevent and detect fraud, including an appropriate tone at the top.
• Determine the effectiveness of such programs and controls to detect and prevent fraud.
• Investigate and resolve any reported instances of fraud.
Internal auditors, given their objectivity and role within the organization, can be of substantial assistance to management and the audit committee in meeting their responsibilities in matters related to fraud.
In America, Section 302 of Sarbanes-Oxley requires management to report to the external auditor and the audit committee, at least quarterly, any fraud, whether material or not, that involves management or other employees who have a significant role in internal control.
Internal audit can play a role in assisting management with investigating such reported instances. More importantly, internal audit can assist management and the audit committee in implementing processes and controls to prevent fraud, in the form of education and orientation programs, enhanced internal controls and more robust fraud monitoring systems.
Fraud audit responsibility and internal audit standards