By Peter Miller
Audit’s role in fraud detection seems to be one of those areas where no one is quite in agreement as to what it should be. Some organizations have specialized assurance roles dedicated to fraud detection and others turn to the internal audit department to fulfill this role. To help clarify internal audit’s role in this area, The IIA has issued a number of standards that relate directly to internal audit’s role in fraud detection within the IIA’s International Professional Practices Framework (IPPF). The IPPF includes the following:
1210.A2 – Internal auditors must have sufficient knowledge to evaluate the risk of fraud and the manner in which it is managed by the organization, but are not expected to have the expertise of a person whose primary responsibility is detecting and investigating fraud.
1220.A1 – Internal auditors must exercise due professional care by considering the:
2060 – Reporting to Senior Management and the Board – The chief audit executive must report periodically to senior management and the board on the internal audit activity’s purpose, authority, responsibility, and performance relative to its plan. Reporting must also include significant risk exposures and control issues, including fraud risks, governance issues, and other matters needed or requested by senior management and the board.
2120.A2 – The internal audit activity must evaluate the potential for the occurrence of fraud and the manner in which the organization manages fraud risk.
2210.A2 – The internal auditors must consider the probability of significant errors, fraud, non-compliance, and other exposures when developing the engagement objectives.
Further to this, The IIA has just released two very useful bits of guidance on the subject. The first body of work comes out of the IIA’s Professional Issues Committee (PIC). Knowledgeable PIC members and other contributors have created a comprehensive Practice Guide, “Internal Auditing and Fraud.” The purpose of this Practice Guide is to increase the internal auditor’s awareness of fraud and provide guidance on how to address fraud risks on internal audit engagements. It expands on the IIA standards listed above.
The other practice guide is the new Global Technology Audit Guide (GTAG) from the IIA’s Advanced Technology Committee, “Fraud Prevention and Detection in an Automated World.” This GTAG talks about how technology can be used to detect and prevent fraud and increase internal audit’s capacity to provide assurance in this troublesome area. Both practice guides are available for download by IIA members from theiia.org. If you have any questions about either of these practice guides, give me a shout – I was lucky enough to be on the teams that produced these.