The Institute of Internal Auditors wants more organizations to put in place anti-fraud controls and decide on the role that internal audit will play.
In a new position paper, “Fraud and Internal Audit: Assurance Over Fraud Controls Fundamental to Success,” the IIA discusses the responsibilities of internal audit in preventing and detecting fraud at organizations. Internal auditors need to have enough knowledge to evaluate fraud risk and how well it’s being managed by the organization. However, as the paper also points out, while some internal auditors may investigate fraud, organizations shouldn’t expect an internal auditor to have the expertise of an expert whose main responsibility is fraud investigation.
Ideally fraud investigations should be conducted by people who are experienced in undertaking such assignments. It’s essential that any fraud investigation be carried by qualified experts to reduce the risk of compromising evidence, accusing someone wrongfully, or undermining any future legal action.
The IIA believes every organization should have an anti-fraud response plan laying out the main policies and investigation methods. The plan should define the role of internal auditors when fraud is suspected and internal controls fail.
Boards of directors and other governing bodies should ask their organizations five important questions:
- Does the organization have a fraud response plan in place that outlines key policies and investigation methodologies?
- Who carries out fraud investigations within the organization?
- Is internal audit tasked with identifying where fraud risk is present, and does it audit controls in these areas?
- When fraud has occurred, does internal audit investigate to understand how the controls failed and how they can be improved?
- Is internal audit tasked to investigate fraud, and, if so, does it possess the proper skill sets to carry out such investigations?
“The threat of fraud is one of the most common challenges to governance that organizations face without regard to size, industry or location,” said the paper. “Having proper internal control procedures in place that include an appropriate response plan is fundamental to battling fraud. Internal audit possesses intimate control knowledge of the organization. A combined assurance approach is key in this regard to understand the gaps in controls to allow for the manifestation of fraud.”