Fraud is not a recent phenomenon associated to some highly-publicized cases of financial fraud from the last two centuries. It can be found early in the history of our world as men have made use of tricks, manipulation, and deceit in order to acquire money, land, goods, or trust, with the overall objective of making profit. The creation of accounting and audit are connected in economic history with the desire, especially on the part of the state to contain and prevent stealing and misrepresentation in their finances.
Fraud is a business risk that executives, especially chief audit executives (CAEs), have had to deal with for a long time. Numerous headlines have highlighted corporate scandals and wrongdoing that demonstrate the need for organizations and governments to improve governance and oversight. How to address fraud risk within an organization effectively and efficiently is a major topic of concern for boards of directors, management, business owners, internal auditors, government leaders, legislators, regulators, and many other stakeholders. And in many cases, new laws and regulations from around the world have forced organizations to take a fresh look at this longstanding problem. Fraud negatively impacts organizations in many ways including financial, reputation, psychological, and social implications. According to various surveys, monetary losses from
Frauds are significant. However, the full cost of fraud is immeasurable in terms of time, productivity, and reputation including customer relationships. Depending on the severity of the loss, organizations can be irreparably harmed due to the financial impact of fraud activity. Therefore, it is important for organizations to have a strong fraud program that includes awareness, prevention, and detection subprograms, as well as a fraud risk assessment process to identify fraud risks within the organization.
The fraud negatively affects an economy as a whole, by causing huge financial losses, weakening social stability, threatening democratic structures, leading to a loss of trust in the economic system, or corrupting and compromising economic and social institutions. Until not long ago, the companies did not considered fraud prevention as a main objective within their organization’s system of internal control. The action for fraud prevention was considered an implicit component within the general objectives, of compliance, of the internal controls, and therefore not seen as a structured program, with clear and explicit aims regarding fraud prevention and detection. Furthermore, in the past, the shareholders, the board of administration, and the management tended to deal with fraud cases as mere anomalies resulted from the faulty functioning of the internal controls that only occurred rare. As a result of the numerous famous fraud cases discovered at the beginning of the 21st century within some of the most prestigious multinational companies, this vision regarding fraud prevention has radically changed. Nowadays, fraud is considered to be one of the most important risks that an organization is exposed to, having a close connection to market, credit, judicial or reputational risks.
Internal Audit Involvement
So how can internal auditing best serve as a resource and play an integral role in fraud prevention and detection? The Institute of Internal Auditors International Standards for the Professional Practice of Internal Auditing (Standards) pertaining to fraud and the internal auditor’s role in detecting, preventing, and monitoring fraud risks and addressing those risks in audits and investigations include:
IIA Standard 1200: Proficiency and Due Professional Care 1210.A2 – Internal auditors must have sufficient knowledge to evaluate the risk of fraud and the manner in which it is managed by the organization, but are not expected to have the expertise of a person whose primary responsibility is detecting and investigating fraud.
IIA Standard 2120: Risk Management 2120.A2 – The internal audit activity must evaluate the potential for the occurrence of fraud and how the organization manages fraud risk.
IIA Standard 2210: Engagement Objectives 2210.A2 – Internal auditors must consider the probability of significant errors, fraud, noncompliance, and other exposures when developing the engagement objectives.
In addition to several Practice Advisories that The IIA has issued regarding fraud, IIA Standards also require CAEs to include significant risk exposure and control issues, including fraud risk, in the periodical report to senior management and the board.
Although management and the board are ultimately responsible for fraud deterrence, an effective internal audit activity can be extremely helpful in addressing fraud issues. Internal auditors evaluate risks faced by their organizations based on audit plans and testing, and need to be alert to the signs and possibilities of fraud. When external auditors focus on misstatements in the financial statements that are material, internal auditors are often in a better position to detect the symptoms that accompany fraud as they usually have a continual presence within the organization, providing them with a better understanding of the organization and its control systems. Specifically, internal auditors can assist in the deterrence of fraud by examining and evaluating the adequacy and the effectiveness of internal controls. In addition, they may assist management in establishing effective fraud prevention measures by knowing the organization’s strengths and weaknesses and providing consulting expertise.
Responsibilities in Fraud Prevention
The internal audit refers to a permanent review of the economic activity of an entity; an independent activity of assessing on behalf of the economic entity’s management that involves examining the financial, accounting, and other kind of operations concerning the services as a whole; an evaluation of tasks and conformity of the accounting entries, reports, assets, capitals, and results; or an attestation or certification of financial accounting documents. The responsibilities concerning fraud prevention within an organization are divided between the executive board, the audit committee, and the internal audit. Firstly, the executive board has the final responsibility for implementing the mechanisms of detecting and preventing a fraud early on. The members of the executive board are those who should offer explanations in case of discovering certain cases of fraud.
The role of the internal auditor depends, of course, on his professional training and practical abilities, as well. In practice, the role of the internal audit can include a varied set of responsibilities: supporting the management in establishing auditable anti-fraud mechanisms; facilitating the assessment of fraud and reputational risks at the level of an organization and its business process; assessing the connections between fraud risks and internal controls; auditing frauds; supporting the specialists in fraud investigation; supporting the efforts to rectify deficiencies; and reporting to the audit committee the problems regarding anti-fraud mechanisms, fraud and reputational risks assessment, or fraud cases and suspicions.
Fraud Prevention and Detection
A code of conduct correctly applied represents one of the most important mechanisms of communicating to the employees the acceptable standards in their activity and to draw attention to the commitment the management undertook in order to respect the entity’s integrity (a clear organizational structure, the formulation of a policy concerning the conflict of interests, the existence of a department of internal audit). As well, a carefully planned program of communication and training will increase the employees’ understanding of their obligations regarding the controls conducted on professional fraud and transgression (for example, regular discussions on professional ethics or setting up a hotline for fraud reporting). Another method of fraud prevention and detection refers to recognizing the early warning signs of a possible fraud. The management of an entity must take notice of different warning signs that emerge: changes in an employee’s behavior, changes in one’s lifestyle, drug/alcohol or gambling addictions, discrepancies about taken leave, etc. In this sense, the management can set up a confidential support system for his employees that can include family counseling, addiction counseling and aid, or financial counseling. An important action in fraud prevention and detection is the establishment of an appropriate internal control system tasked exactly with this responsibility. It should aim to: respect the principle of separating functions (no function should allow an employee to execute a whole cycle of transactions, i.e. an employee should not have the authority to execute both front office and back office activities); examine the staff on their qualifications, competence, education, previous jobs, regular evaluations of their performances, taken leave; access the public resources to compare the accounting data to their physical existence; properly investigate the employees and third parties, especially in cases of authority positions in the process of financial reporting. The means of proactive data analysis concerning the acts of fraud (such as searching information in databases in order to identify connections between different persons, screening the employees’ background in terms of convictions, financial incidents, loans, etc.) can help to detect possible frauds and professional transgressions that may otherwise continue to go on unnoticed by the management. Furthermore, a complex assessment of fraud and professional transgression risks can help the management to better understand the unique risks that their company faces, to identify the gaps and deficiencies in their controls, and to formulate a plan to identify the appropriate resources and procedures of control. Another aspect that could prevent fraud refers to the attitude towards fraudsters. An important step in creating a culture of intolerance towards fraud is to act consistently when an economic infraction is discovered. In this way, the staff understands what are the consequences of a possible involvement in a fraud and that its detection is certain and inevitable thanks to the efficient system of control and risk management. Such an attitude can lead to the dissuasion of most wrongdoers. It is also essentially to demonstrate to the employees that all wrongdoers will be equally treated, regardless of the position they hold in the company. Lastly, the reaction a company has when detecting a fraud is as well of importance, as it should act in a manner of publicly disclosing the fraud and professional transgression.
From those presented above, we can draw an opinion ‘without reservations’ (to use a term from the field of auditing) that all entities need internal audit for business efficiency in the sense of a good management of its patrimony, of reducing costs (in an organized framework) while maximizing profit, and of achieving medium and long-term objectives. Furthermore, this activity should not be regarded strictly as an activity generating expenditures, but rather from the perspective of the benefits it entails in countering fraud and especially in increasing future added value