AUDIT DUEL Series: Are Auditors Responsible for Detecting Fraud?

I recently engaged Emmanuel Johannes in the AUDIT DUEL series by Jon Taber (the AUDIT 15 FUN host). To listen to the debate on the Apple podcast, click here. To listen to it on Spotify, click here.

The question was, are auditors responsible for detecting fraud? It was a yes-no question! Therefore, the answer should either be positive or negative. However, the internal audit community may not learn anything from true or false responses by the debaters! Also, there will never be enough time to express detailed opinions in such a debate.

As an Internal Audit Fundamentalist, I desire to drive conversations that will help internal auditors understand the basics of the internal audit profession and make improved decisions based on the context of their circumstances. Many people would have predicted my response based on my International Professional Practices Framework (IPPF) experience and advocacy for good internal audit practice, but how many junior internal auditors and aspiring CIAs will learn if I respond with yes or no and the conversation ends there? Therefore, this piece is for educational purposes.

Are auditors responsible for detecting fraud? It depends on different factors! The factors are not far from agelong conventions and general expectations not based on the expertise of internal auditors, best practice-related standards, guidance, frameworks, and available information provided by professional bodies. After sharing different perspectives that may not result in a yes-no response, I will conclude with the expected affirmative or dissenting opinion.

Let us start with the definition of key terms related to this discussion.

  • Internal Audit (Audit) is “an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.” – IPPF
  • Fraud is "any intentional act or omission designed to deceive others, resulting in the victim suffering a loss and/or the perpetrator achieving a gain." - AICPA, ACFE, IIA
  • Fraud risk is “the probability that fraud will occur and the potential severity or consequences to the organization when it occurs." - IPPF
  • Fraud detection "focuses on activities and techniques that promptly recognize timely whether fraud has occurred or is occurring." - AICPA, ACFE, IIA
  • Auditing for fraud “is an audit designed to proactively detect indications of fraud in those processes or transactions where analysis indicates the risk of fraud to be significant.” - IIA CIA Learning System V6

The response to the question will differ based on where an internal auditor is in the evolution of internal auditing.

Unlike doctors, lawyers, nurses, or farmers, it is challenging to explain internal auditing to people in simple terms. Therefore, accounting, internal control, management, board, or stakeholder-oriented professionals will answer the question differently. The answer to the question will also be different based on agelong conventions and general expectations of various stakeholders that internal auditors serve. Therefore, internal audit responsibilities for fraud detection may depend on diverse legal and cultural environments!

Because organizations differ by purpose, size, complexity, and structure, the role of internal auditing in detecting fraud may depend on the importance an organization attaches to the function. An organization must indicate that it is determined to have an effective fraud prevention and detection control system in place to reasonably fight fraud. Without this, there is not much internal auditing can do! Since we cannot assign roles and responsibilities to ourselves, it will depend on the assigned role in the approved audit charter and the fraud policies and procedures of the organization.

In practice, many internal audit functions are responsible for risk management or enterprise risk management (ERM), internal controls, compliance and related first-line and second-line responsibilities for managing risks to achieve organizational objectives without appropriate safeguards against impairment of independence and objectivity. In organizations where internal audits are responsible for actions to achieve entity objectives, including managing risk, internal auditors will most likely have responsibilities for fraud detection. You can guess the response of the internal auditors in such an environment to the same question. However, based on recognized global best practices, standards, guidance and frameworks on governance, risk management, and control, the management of organizations should have overall responsibilities for enterprise risk management, including preventive and detective controls to fight fraud! Therefore, if the board and management take responsibility for effective risk management, internal controls, and a fraud risk management program, for example, based on COSO internal control or ERM frameworks, responsibility for fraud detection will differ.

All the stakeholders of an organization have different responsibilities for maintaining an effective internal control system against fraud.

The available information from the Association of Certified Fraud Examiners (ACFE) has revealed over time that internal audit has not been the best fraud detection mechanism for organizations.

In the ACFE Occupational Fraud 2022: A Report to the Nations, Certified Fraud Examiners (CFEs) estimate that organizations lose 5% of revenue to fraud each year. Forty-two per cent (42%) of the detected fraud incidents were through tips. That is nearly three times as many cases as the second most common detection method (internal auditing at 16%). More than half of the leads came from employees. According to the same report, external auditors detected four per cent (4%) of the fraud cases. In my career, I have uncovered more significant errors, noncompliance, and fraud incidents as part of an entity-wide internal control mechanism not related to internal audit roles than as an internal auditor. So, are auditors responsible for detecting fraud? You should decide!

I didn't start with the IPPF position on this debate as expected because the Framework is not adopted by a majority of practising internal auditors. To some internal auditors, the IPPF is for developed countries and it cannot be implemented in their current environment.

According to the International Standards for the Professional Practice of Internal Auditing (Standards), internal auditors have a supporting role in detecting fraud. Below is the related guidance provided by the Standards.

  • Attribute Standard 1210.A2 (Proficiency): "Internal auditors must have sufficient knowledge to evaluate the risk of fraud and the manner in which it is managed by the organization but are not expected to have the expertise of a person whose primary responsibility is detecting and investigating fraud."
  • Attribute Standard 1220.A1 (Due Professional Care): “Internal auditors must exercise due professional care by considering the probability of significant errors, fraud, or noncompliance.”
  • Performance Standard 2060 (Reporting to Senior Management and the Board): "The chief audit executive (CAE) must report periodically to senior management and the board on the internal audit activity’s purpose, authority, responsibility, and performance relative to its plan. Reporting must also include significant risk exposures and control issues, including fraud risks, governance issues, and other matters needed or requested by senior management and the board."
  • Performance Standard 2120.A2 (Risk Management): “the internal audit activity must evaluate the potential for the occurrence of fraud and how the organization manages fraud risk.”
  • Performance Standard 2210.A2 (Engagement Objectives) requires internal auditors to “consider the probability of significant errors, fraud, noncompliance, and other exposures when developing the engagement objectives”.

The standards and the approved risk-based audit plan have significantly limited the supporting role of internal auditing to the identification of fraud risks and timely recognition of the occurrence of significant errors, fraud, or noncompliance at the engagement (assurance or consulting) level!

The Institute of Internal Auditors (IIA) position paper titled Fraud and Internal Audit said, "the risk of fraud should be included in the audit plan and each audit assignment to evaluate the adequacy of anti-fraud controls." For example, if a means by which control is achieved (e.g., human resource (HR) policies and practices) is faulty, and the internal auditors lacked the proficiency or did not apply due professional care to identify fraud risk or uncover potential fraud during HR-related engagements, then it's a goal! The organization can only hope that other internal control mechanisms specifically implemented to detect fraud will uncover any existing fraud before any material harm occurs.

The IIA's practice guide titled Internal Audit and Fraud said, "most fraudulent schemes can be avoided with basic internal controls and effective audits and oversight." The requirements of the US Sarbanes-Oxley Act of 2002 (as an example) place internal controls over financial reporting responsibilities on both management and independent accountants (external auditors); however, the law does not specifically address the role of internal auditors.

Therefore, the internal audit function whose role is partly in monitoring the internal control systems to fight fraud (according to COSO Internal Control-Integrated Framework) is not responsible for detecting fraud beyond the evaluation of fraud prevention and detection controls at entity, process, or transaction-level in the performance of audit engagements. Detecting fraud must be the collective effort of all stakeholders.

Harriet Akua Karikari CA, MBA, Bcom, HND

AFIIA West Africa Vice Chairperson

1 year

Very interesting topic

NATHANIEL JANDE MBA, B.Sc. FWAIA, ACMAN, ACCM

Internal Audit & Control, Compliance, Enterprise Risk Management, Cost Management/Management Accounting Professional.

1 year

Thank you Mr. Alaba Awolaja. You actually did justice to the debate with your elucidating analysis. Fraud detection may not be the major responsibility of Internal Audit, however if a professional Internal Auditor does his/her job diligently according to the professional standards set out in the IPPF standards as you have succinctly pointed out, there is no way he/she will not detect some fraud. To commit fraud would, in most cases, require breaching existing procedures, processes, laws, regulations, policies etc. So in the process of an auditor carrying out reviews, he can discover these breaches and be prompted to dig further and discover fraud in the process, even though his/her major objective was not finding fraud. My final submission is that, though internal auditors can and do detect fraud in the course of their job as required of them by IPPF standards, fraud detection should not be taken as the responsibility of internal auditors as some employers do. This should be the responsibility of fraud professionals specially trained to do so.

Chidubem (Dube) I.

CIA | CISA | ACA | MSc. | CC (ISC2) | ISMS LA | Risk Consulting | Technology Risk | Business Intelligence | Project Management

1 year

Good debate Alaba! I like the way you have synthesized your argument on this topic. While the IPPF standard is clear on the internal auditor’s role in relation to fraud detection, I am of the opinion (based on my experience) that a prudent auditor with an eye for detail will always maintain skepticism to ensure that to a great extent, nothing is missed out while upholding due professional care as postulated by the standards. With this perspective in mind, even though the standard has not explicitly stated it is the internal auditor’s duty to detect fraud, it comes naturally in the process of planning the engagement. Regardless of how we perceive this, it all boils down to the experience of the internal auditor and the extent of due diligence he/she is willing to go to ensure that no form of malfeasance is taking place in the area under review. We can go on and on on this and assess this topic from different angles. A very hot topic indeed.

Dana Lawrence

Governance Leader in Tech x Financial Services

1 year

Great topic and discussion! Thanks for sharing Alaba Awolaja!

CA. Anuj Arya

Chartered Accountant, Audit & Assurance, Internal Audit, Direct & Indirect tax

1 year

It is in the audit: if you see any red flag or anything unusual, you should report it. But Internal Audit and Forensic Audit are two different aspects of the same; one is preventive, the other is detective or corrective. Both are specific. Both audit processes have different tasks.
