SIA 280 provides internal auditors with guidance on identifying, assessing, and reporting fraud and irregularities within an organization. While management and the board hold primary responsibility for fraud prevention, internal auditors evaluate fraud risks, test internal controls, and detect red flags indicative of potential fraud or non-compliance. The standard emphasizes understanding the nature and characteristics of fraud, including financial misstatements, asset misappropriation, cyber fraud, and irregularities resulting from control weaknesses. Fraud risk assessments involve evaluating business processes, functional areas, historical fraud instances, whistleblower complaints, and regulatory requirements to prioritize audit focus and strengthen detection mechanisms.

Internal auditors are expected to use structured procedures such as analytical reviews, data analysis, interviews, and review of high-risk transactions and audit trails. Any suspected fraud must be promptly reported to senior management or the Audit Committee, and, if legally required, to relevant authorities. Auditors must maintain professional skepticism, confidentiality, and adherence to ICAI’s Code of Ethics, ensuring credible and evidence-based reporting. SIA 280 also provides guidance on evaluating the effectiveness of anti-fraud measures, recommending improvements, and escalating concerns where management response is inadequate, ensuring audit conclusions remain objective and reliable.

The Institute of Chartered Accountants of India

Standard on Internal Audit
(SIA) 280
Fraud and Irregularities

1. Introduction

1.1 Fraud and irregularities can significantly impact an organization’s financial stability, reputation, and operational effectiveness. Internal auditors play a key role in assessing fraud risks and evaluating the adequacy of controls designed to prevent and detect fraud. However, the primary responsibility for fraud prevention and detection rests with management and those charged with governance.

1.2 This Standard provides guidance on the role of internal auditor in identifying, assessing, and reporting fraud and irregularities to ensure that such risks are effectively managed and mitigated.

1.3 This Standard should be read with:

1. Applicable legal and regulatory requirements and guidance.

2. ICAI’s Code of Ethics, ensuring that internal auditors uphold integrity, objectivity, and confidentiality.

3. Forensic Accounting and Investigation Standards (FAIS) issued by ICAI which provides comprehensive overview of the domains of Forensic Accounting and Investigations.

1.4 Scope: This Standard applies to all internal audit engagements and requires internal auditors to evaluate fraud risks, assess internal controls, and report fraud-related observations in compliance with professional standards.

When an internal auditor identifies a red flag indicative of potential fraud, non-compliance, or control weaknesses, the internal auditor is required to promptly report the matter to the appropriate level of management and, where applicable, to those charged with governance, in accordance with the internal audit charter and professional standards.

Whether further investigation is to be undertaken by the internal audit function depends on the nature and materiality of the red flag, as well as the scope of authority delegated to the internal audit function by the audit committee or the board. If the red flag warrants a detailed inquiry and the internal auditor is mandated to proceed, the investigation must be conducted in accordance with the Forensic Accounting and Investigation Standards (FAIS) issued by the Institute of Chartered Accountants of India (ICAI).

2. Effective Date

2.1 This Standard shall be applicable for internal audits commencing on or after a date to be notified by the Council of ICAI.

3. Objectives

3.1  The objectives of this Standard are to ensure that internal auditors:

  • Understand the nature, characteristics and implications of fraud and irregularities.
  • Identify fraud risk indicators and assess the effectiveness of fraud prevention and detection controls.
  • Assess entity’s systems and processes through walkthroughs to identify control gaps, inefficiencies and potential fraud risks.
  • Apply appropriate audit procedures to identify and detect fraud-related red flags-patterns of irregularities.
  • Evaluate the robustness of the entity’s Anti-fraud Policy and make recommendations, therein.
  • Understand the specific techniques and schemes used to commit fraud.
  • Communicate and report fraud-related findings to the appropriate levels of management and the Audit Committee.
  • Determine fraud Response plan and whether further corrective action or investigation is necessary.

4. Requirements

4.1 Understanding Fraud and Irregularities (Refer Para. A1)

  • Fraud involves intentional acts of deception, concealment or violation of trust to gain an unfair or unlawful advantage. It includes, but is not limited to, financial misstatements, asset misappropriation, insider trading, supply chain irregularities, fund diversion, corruption and cyber fraud.
  • Irregularities refer to unintentional errors or non-compliance with policies and procedures that may indicate weak internal controls.
  • Internal auditor shall identify the reason for fraud or concealment of facts i.e. Pressure or Opportunity or Rationalization or capability.
  • Internal auditors shall develop an understanding of fraud risks relevant to the organization’s industry, operations, financial reporting processes.

4.2 Fraud Risk Assessment (Refer Para. A2)

  • Internal auditors shall evaluate the organization’s fraud risk management framework, including fraud detection and prevention controls.
  • Internal auditors shall evaluate fraud risks across business cycles (e.g., Procure-to-Pay, Order-to-Cash) and functional areas (e.g., procurement, HR, IT, finance). Use of a fraud risk register, regular fraud risk brainstorming workshops, and external intelligence sources (e.g., regulatory watchlists, whistleblower complaints) is encouraged.
  • Fraud risk assessments shall, inter alia, consider the following factors:
    • Organizational structure, control and governance environment.
    • Past instances of fraud and identified control weaknesses.
    • Regulatory and legal compliance requirements.
    • Fraud vulnerability in key financial and operational processes. (including data and technology)
    • Analysis of whistleblower complaints.
    • Evaluation of issues raised in Ethics hotline/ Committee.
    • Adverse reporting by auditors, fraud-reporting under applicable legal framework.
    • Factor in significant findings from statutory, internal, and forensic audits—especially instances flagged under SA 240 (The Auditor’s Responsibilities Relating to Fraud in an audit of financial statement). Also consider reports mandated under Section 143(12) of the Indian Companies Act.
    • Assessment and testing of prevention and detection controls.
  • Internal auditors shall conduct fraud risk brainstorming sessions to identify potential fraud schemes and control gaps at regular intervals. They shall utilize their skills in data analysis to identify trends and patterns that suggest fraudulent activity.

4.3 Audit Procedures for Detecting Fraud (Refer Para. A3)

  • Internal auditors shall incorporate fraud detection techniques into their audit approach, including:
    • Analytical procedures: Identifying unusual financial trends, duplicate or ghost accounts and anomalies and data analytics throughout the audit process.
    • Data mining and Data analysis: Detecting patterns indicative of fraudulent activities through review and continuous monitoring of reports from business applications, digital forensics capabilities, and use of AI (predictive modelling), machine learning, digital capabilities and ERPs (both financial and non-financial), external documents like invoices, agreements, scanning of employee emails (where applicable) etc.
    • Interviews and inquiries: Engaging with employees, management, whistleblowers, and using social engineering techniques to uncover potential fraud or behavioral red flag analysis.
    • Review of high-risk transactions: Examining journal entries, vendor payments, and related-party transactions for inconsistencies.
    • Review of Delegation of Authority: Identifying Segregation of Duties conflict e.g. Purchase department is responsible for Receipt of Material / GRN and entry in ERP.
    • Review of Audit Trail: Identifying anomalies which may lead to some corruption or misstatements in financial data.
  • Provide recommendations for mitigating fraud risks.
  • If fraud is suspected, internal auditors shall gather sufficient and appropriate evidence before forming conclusions.
  • Internal Auditor shall also:
    • Assess the effectiveness of whistleblower mechanisms.
    • Review investigation processes for whistleblower reports and significant red flags.

4.4 Reporting Fraud and Irregularities (Refer Para. A4)

  • Internal auditors shall promptly highlight suspected fraud cases to appropriate senior management and wherever needed, the Audit Committee/ Board.
  • Wherever there is a legal requirement of reporting of fraud to any appropriate regulatory or other authority, same should be complied with.
  • Fraud-related reports shall be factual, objective, quantified and supported by evidence.
  • If fraud is confirmed, internal auditors may assist in evaluating corrective measures and recommending improvements to fraud risk controls.

4.5 Professional Skepticism and Ethical Considerations (Refer Para. A5)

  • Internal auditors shall maintain professional skepticism and be alert to potential fraud indicators.
  • They shall adhere to ICAI’s Code of Ethics and ensure confidentiality when handling fraud-related matters.
  • If management does not take appropriate action on reported fraud risks, internal auditors shall escalate concerns to the Board or Audit Committee.

*****

Application and Other Explanatory Material

A1. Understanding Fraud and Irregularities (Refer Para. 4.1):

  • Fraud may be internal (employee fraud) or external (vendor, customer, or cyber fraud). Internal auditors must stay updated on emerging fraud risks relevant to their industry.
  • Not all irregularities are fraudulent; however, recurring control violations may indicate potential fraud risks.

A2. Fraud Risk Assessment (Refer Para. 4.2):

  • A robust fraud risk assessment helps to identify vulnerabilities and strengthen fraud prevention mechanisms.
  • High-risk areas include, inter alia, procurement, materials management and inventory, payroll, revenue recognition and IT systems.
  • Brainstorming sessions can assist internal auditors in anticipating fraud schemes and scenarios within different business processes.

A3. Audit Procedures for Detecting Fraud (Refer Para. 4.3):

  • Data analytics, predictive modelling and continuous monitoring enhance fraud detection capabilities.
  • Employee interviews must be conducted professionally and objectively, with due care to protect identity and ensure confidentiality, to encourage truthful disclosures.

A4. Reporting Fraud and Irregularities (Refer Para. 4.4):

  • Fraud reporting must follow an objective and structured approach, ensuring timeliness, confidentiality and regulatory compliance.
  • If fraud is confirmed, a comprehensive report must be prepared, detailing evidence, impact, and recommended corrective actions. This report must be brought to the notice of the senior management immediately and it must be presented to the Audit Committee.
  • Internal auditors shall track management’s response to fraud findings to ensure timely implementation of corrective measures.
  • Internal auditors shall involve all levels of management and process owners of the entity.

A5. Professional Skepticism and Ethical Considerations (Refer Para. 4.5):

  • Internal auditors must maintain independence and impartiality while investigating fraud cases or suspected red flags.
  • If management disregards fraud risks, auditors shall escalate concerns to appropriate higher authorities.
