A new survey published by Kroll and the Institute of Internal Auditors (IIA) puts a spotlight on just how vital a role internal audit plays in the effectiveness of a company’s fraud risk management processes.
“The purpose of the survey was to try to understand what internal auditors’ views are regarding their own role at their own organizations in assessing fraud risk and preventing, detecting, and investigating fraud,” Jordan Strauss, a managing director in the Business Intelligence and Investigations practice at Kroll, said on a recent Webinar discussing the results. Current economic pressures, which have traditionally led to more fraudulent behavior, mean that “we should be expecting a pretty serious increase in pressure from all our organizations to demonstrate results while protecting revenue centers,” Strauss said.
It’s against this backdrop that Kroll and the IIA released their survey, “Fraud Risk Management in Internal Audit,” which garnered responses from over 700 internal audit professionals across the globe and across industries. According to the findings, most respondents expressed confidence overall in the effectiveness of their fraud risk management programs, with 54 percent stating they felt their organization’s fraud risk management was good (35 percent), very good (16.5 percent), or excellent (2.5 percent).
IIA: The role of internal audit in fraud risk management
The Institute of Internal Auditors published a position paper on how internal audit can play an optimal role in fraud risk management. The key takeaways of that position paper are that:
- Organizations should have robust internal control procedures to limit the risk of fraud, and internal audit’s role is to assess these controls.
- The organization should have a suitable fraud prevention and response plan in place that limits fraud, ensures a swift response when fraud is identified, and manages the situation; the plan should cover digital data.
- The chief audit executive should consider how the risk of fraud is managed across the organization and assess the fraud risk exposure periodically.
- The risk of fraud should be included in the audit plan and each audit assignment should evaluate the adequacy of anti-fraud controls.
- Internal auditors shouldn’t investigate fraud unless they have the specific experience and expertise required to do so.
Source: Institute of Internal Auditors
That only 2.5 percent of respondents rated their program as excellent “shows within the internal audit profession that there is always room for improvement,” said Matthew Weitz, associate managing director in the Business Intelligence and Investigations practice at Kroll.
When asked which team leads fraud risk management overall, the most common answer was internal audit, followed by a “combination” of internal audit, compliance, executive, legal, and operational management. Compliance ranked third overall.
Notably, the more internal audit played a key role in the strategic management of fraud, the more effective and robust respondents perceived their organization’s fraud risk management processes to be. For example, respondents who said internal audit was “extremely involved” in the enterprise-wide assessment of fraud risk were far more likely to perceive their organization’s fraud risk management processes as “excellent” or “very good.” Comparatively, respondents who said the internal audit team was “minimally involved” or “not involved” were more likely to perceive their organization’s fraud risk management processes as “fair” or “poor.”
“In our experience, having a clear strategy of how to address fraud risk is key to having an effective fraud risk management process,” Weitz said. “As part of this, enterprise-wide fraud risk assessments can help to ensure that the risks of fraud are considered holistically and across the organization, and internal audit can be ideally placed to facilitate this process.”
At multinational conglomerate Siemens, for example, “there are two main processes … that have an impact in addressing fraud risk,” explained Philip Ankel, a partner in Siemens’ Controlling and Finance Assurance (CFA) practice, North America, on the Webinar. “One is our ERM process, essentially a bottom-up analysis of the risks facing the company. That process is driven at the CEO level with various stakeholders in that process. At the end of the day, that rolls up into a global analysis of what the biggest risks are facing Siemens, some of which are in the fraud space.”
The CFA group participates in those conversations “and also looks to those risks when thinking through what our global audit plan ought to be,” Ankel said. “Third-party agents on behalf of Siemens is a risk that bubbles up every year and one that we look at in our annual audit plan.”
Likewise, Siemens’ compliance department conducts a parallel analysis of the compliance risks facing the enterprise. This is another area where the CFA group participates in the process, providing data and results from audit work, Ankel added.
Fraud prevention and detection
The Kroll/IIA survey findings further revealed that those who felt internal audit played a leading role in preventing, detecting, or investigating fraud also indicated internal audit was a significant or major contributor to driving strategic change in their organizations (70 percent of respondents).
“A holistic fraud risk management process is a cycle of prevention, detection, and response,” Weitz said. Preventative activities include communicating the message, defining roles and responsibilities, and designing and implementing specific controls that deal with fraud risk or the broader risk management process. Detection means identifying, through proactive monitoring, instances where preventative controls have been breached; response covers remediation and reporting.
According to the survey findings, internal audit teams were more often leading investigative activities than the prevention and detection of fraud (35 percent, compared to 14 percent and 19 percent, respectively); in prevention and detection they more commonly participate rather than lead. Detection is an area where internal audit can take more of a lead, because of its broad access to relevant data and to the many areas of the business, Weitz said.
Internal audit barriers
Regardless of the extent of internal audit’s role in managing fraud risk or organization size, most internal audit survey respondents reported facing some sort of barrier that hinders their involvement. The most common barriers noted were lack of resources (33 percent), lack of mandate (23 percent), potential conflicts of interest (21 percent), and a lack of adequate skills (11 percent).
Among those respondents who said internal audit was “minimally involved” or “not involved” in enterprise-wide fraud risk management, the biggest barrier they cited was lack of mandate, followed by limited resources. Limited resources aren’t just a barrier for small companies (fewer than 10,000 employees)—15 percent of respondents in large organizations with more than 50,000 employees reported having internal audit teams of fewer than 15 people.
There really isn’t a right answer to how big an internal audit team needs to be to play an effective role in fraud risk management. Siemens, for example, has roughly 200 professionals in its overall assurance group, but the company also has a range of different businesses around the world, with different business models and different ways in which it implements the use of technology. All of these factors can impact the size of an internal audit team. “A simple, smaller organization in one location with one market likely doesn’t require the same breadth of the audit function,” Ankel said.
What specific skill sets are required for the internal audit team may also vary from organization to organization. The survey does, however, describe some examples of skill sets that best aid fraud risk management today, including:
- Data processing and analytics: Mining data and providing factual analysis frequently falls to internal auditors, so being able to gather, interrogate, and analyze disparate data sets is key to having an effective fraud risk management program and being able to timely detect red flags that may signal fraud.
- Analysis of relationships: Being able to properly understand the nature of third-party relationships and touchpoints is key to efficiently identifying and detecting collusion or other fraud.
- IT infrastructure knowledge: With the increasing prevalence of cyber-attacks and data breaches, knowledge of IT systems is key for internal auditors and others with responsibility for fraud risk management.
Overall, as Kroll and the IIA noted in the survey, these results indicate that for internal audit teams to be truly effective in fraud risk management and to assume a more proactive role, they must have buy-in from senior management, adequate resources, and the right skill sets while maintaining their independence from business decision-making to allow for objective audits.