Internal Audit (IA) departments are a foundational control and serve a vital role in fraud risk management. However, their role in fraud risk management may differ from one organization to the next. Traditionally, the day-to-day management of the fraud risk management program is housed across the first and second lines of defense, consistent with the most recent iteration of the three lines model issued by the Institute of Internal Auditors (IIA). In line with this model, IA’s role in fraud risk management is to provide independent and objective assurance and advice on all matters related to the achievement of objectives. The IIA highlights the following four key areas related to IA’s role in fraud risk management:
- identify red flags that indicate fraud may have been committed.
- understand the characteristics of fraud, the techniques used to commit fraud, and be familiar with various fraud schemes and scenarios.
- evaluate the indicators of fraud and decide whether an investigation or further action is necessary.
- evaluate the effectiveness of controls to prevent and detect fraud.
Following are three ways internal auditors can leverage the Anti-Fraud Playbook to promote and foster effective fraud risk management at their organization:
#1: Know what good looks like
The Anti-Fraud Playbook includes ten plays, organized into five phases, detailed in the graphic below:
Figure 1: Anti-fraud playbook phases and plays
These phases and the underlying plays are the building blocks of an effective fraud risk management program. Whether you are beginning your anti-fraud journey or are looking to enhance current fraud risk management practices, the Anti-Fraud Playbook provides a benchmark for what a good fraud risk management program looks like. Fraud risk management should be tailored to the unique needs of the organization and its individual business units. Not every organization or business unit requires the same level of fraud risk management.
#2: Learn to think like a fraudster
To understand your organization’s fraud risk landscape and identify red flags, internal auditors first must define what type of fraud they should be looking for. Brainstorm fraud scenarios that are specific to your organization’s processes and controls. If someone wanted to commit fraud, how could they do it? What processes or controls would they circumvent? Who would be most likely to perpetrate the fraud and why? Consider both internal and external fraud and think beyond just financial losses.
Thinking like a fraudster can help internal auditors identify risks and better evaluate and align controls to them. Once the internal auditor has a clear picture of the risk landscape, they can deploy analytics to target specific risks. This can help facilitate continuous risk identification and monitoring, further fostering proactive fraud risk management at the organization.
Where fraud has occurred, internal audit should understand how the controls failed and identify opportunities for improvement. It should consider the probability of further errors, fraud, or noncompliance across the organization and reassess the cost of assurance in relation to potential benefits.
#3: Monitor progress
Monitoring and periodic evaluations provide vital insight into the effectiveness of fraud risk management activities and help identify areas for improvement. Business unit owners should be responsible for the ongoing monitoring and periodic evaluation of their own fraud risk management activities.
Internal auditors can help ensure monitoring and evaluations are effective by focusing on two key questions:
- Do monitoring and evaluation activities cover the full spectrum of fraud risk management activities? Internal audit should ensure that the business focuses on outcomes rather than outputs: on the effectiveness of fraud risk management activities rather than the number of activities taking place.
- Are the results of monitoring and evaluations being used to drive continuous improvement? Let’s say the business surveyed employees within a specific function to determine the effectiveness of recent antifraud training and the results were lower than expected. Internal audit could push the business to improve the training to achieve the desired outcome.
IA provides the independent, objective assurance that your organization needs to maintain a fraud risk management program and activities capable of combating current and emerging fraud threats.
Grant Thornton library articles: Fraud and Internal Audit