Role of Internal Auditor in Fraud Risk Management

Historically, the approach towards managing fraud risk in an organization has been reactive; however, with the increase in the incidence of fraud (due to the pandemic, and in general), company boards are now more proactive in discussing and implementing measures to manage fraud risk for their organizations.

With the risk of fraud increasing, and further accentuated by the global pandemic, the IA function has to be more proactive and adaptive in order to identify, detect and investigate fraud risks within an organization. The key considerations for the IA function in defending an organization against fraud risk, as discussed in our second joint Protiviti and IIA India webinar, were:

  1. Extensive use of data analytics, artificial intelligence and machine learning models to identify patterns which indicate fraud scenarios within an organization;
  2. Use of Benford's Law to detect unusual patterns within large volumes of random data of natural numbers, such as invoice values and payments;
  3. Proper use of biometrics to control the misuse of organization assets and resources;
  4. Board level security committees to monitor and control the anti-fraud systems within an organization;
  5. Implementing an independent whistleblowing program to promote transparency and discourage retaliation;
  6. Use of professionals and independent investigation experts to defend against the emergence of the fraud risks.

In addition to the above, the panelists highlighted the risks of the current situation, in which the majority of work is being performed over vulnerable and sometimes exposed home networks. These risks need to be evaluated, and proper IT controls need to be put in place to prevent any incidence of cybercrime, data breaches or theft.

Survival during pandemic > Cash Flow and Debt Management > Fraud Risk Management

50% of the participants believed that incidents of fraud were increasing in today’s business environment. The panelists were of the view that the first step in managing the risk is to understand that the risk exists, and that their control systems should be ready to adapt and change with current business needs.

Key regulatory changes introduced by the government to reduce the incidence of frauds:

  • Business framework level changes:
    • Increased focus on having a well-designed and well-implemented corporate governance framework;
    • Increased and continuous compliance for businesses in India, especially with respect to fraud reporting and management;
    • Continuous reporting of possible frauds to the relevant authorities.
  • Auditor level changes:
    • Auditor to monitor the disposition of whistleblower complaints and provide a report in the annual financial statements on the status of complaints received in an organization during the previous year; and
    • Auditor to declare that the financial statements are free from misrepresentation due to error or fraud – Form ADT-4.
  • Legal changes:
    • Changes in the definitions to widen the scope of the Prevention of Corruption Act and the inclusion of companies under it.

Panelists were of the view that the setting up of the National Financial Reporting Authority has made the signatories of financial statements more responsible and the financial statements more reliable for stakeholders.

Panelists also indicated that, in some scenarios, the increased compliance and changes in the laws have created hurdles for companies and independent agencies fighting fraud and corruption. Investigating a government official under the specific laws may require special permissions from the government, creating an unnecessary challenge.

45% of the participants believed that managing fraud risk is not the responsibility of a single person or authority in the organization. The ownership of fraud risk starts with the board, which sets the strategy; then the management, which operationalizes the framework; then the IA function, which monitors and controls the identified and unidentified risks; and finally it flows down to each individual employee, who plays a vital role in keeping an eye out for misconduct within the organization.

Internal Audit as a function has a dynamic role in Fraud Risk Assessment within an organization. The role of the IA in managing fraud risk in an organization is four-fold, as given below:

  1. Prevention – Strong and Independent Internal Audit function
  2. Detection – Develop controls or employee skills which can detect fraud
  3. Investigation – Engaging independent professionals and in-house experts to investigate fraud incidents
  4. Response and Prevention – Implementing disciplinary protocols and adapting to upcoming fraud scenarios

The role of the IA is ever changing with the changing business environment and the new risks that emerge for the organization. The job presents certain challenges in combating fraud, which the panelists believed to be the following:

  • Continuing uncertainty in the fraud risk management framework due to the ongoing pandemic;
  • With increased reliance on the internet to run company operations, the risk of cybercrime such as phishing, vishing, social engineering, digital espionage, and security breaches poses a serious challenge to the IA;
  • Increase in conventional frauds such as fake invoices, counterfeit products, shell companies, and corruption, with the pandemic giving fraudsters increased opportunity;
  • Data is key in today’s world, and securing and guarding it against any attempts of theft or breach is of paramount importance; and
  • IA has to engage fraud management professionals to remain abreast of the continuous changes and challenges the business presents on a daily basis.

Panelists concurred that the fraudster is 10 times ahead of the IA in any company, and that unconventional measures are the need of the hour to protect the interests of the organization.

In addition to the above, increased focus and new rigor have to be brought in by the IA to manage the conventional frauds prevalent in business, such as corruption, misappropriation of assets, and embezzlement. This can be achieved by focusing on:

  • Implementing and revamping the code of business conduct;
  • Careful implementation of the whistleblower hotline;
  • Training employees to identify fraudulent trends and malicious requests; and, most important,
  • Tone from the top, in both promoter-driven and professionally run companies.

The majority of the participants responded that they were aware of the Fraud Risk Assessment exercise within their organization. However, a concerning fact was that 16% of the participants were not sure if such an exercise took place in their organization. As a tool to combat fraud, Fraud Risk Assessment is most effective when information about it is provided to employees through specific trainings across the organization.

Panelists highlighted the fact that frauds are a common occurrence in both promoter-driven and professionally managed companies. However, in a promoter-driven environment, a fraud may be very well planned, may not surface for a very long time, and is difficult to detect with the conventional mechanisms available to the company’s internal governance framework.

Controlling an internal or an external fraud is a multi-faceted exercise. An internal framework has to be well equipped to respond to the requirements of the business, as well as adaptive and ready to change.

One more step which the panelists believe is a new milestone in combating fraud is the development of the Forensic Audit and Investigation standards by the Digital Accounting and Assurance Board (DAAB), under the authority of the Council of the Institute of Chartered Accountants of India. This framework will bring consistency, comparability and standardization to investigation and forensic audit practice in India.

This will help both stakeholders and investigators, as the standards will set expectations for the results of forensic audit and investigation exercises. It will also help develop the market and make the investigative process more acceptable.
