How internal audit can and should help prevent fraud
By Sylvester Shamy
Chairman of the Institute of Internal Auditors New Zealand
and 2016 New Zealand Internal Auditor of the Year
In a typical organisation, recruitment, procurement, contract management and financial processes and controls are usually compartmentalised and managed by Human Resources, Procurement, the business and Finance respectively. It is unsurprising, then, that fraudsters often exploit the weaknesses inherent in reliance, assumptions and handover points between business units to perpetrate their fraud.
Internal audit’s key value-opportunity, therefore, is to act as “horizontal connector”. The ability to view the business cross-functionally is often unique to internal audit teams. I referred previously to modern auditing techniques. There can be no better demonstration of this than an auditor “looking across” and taking a “helicopter view”, end-to-end, spanning business units to assess the risk exposure posed by fraud, as opposed to what traditionally has been audits over individual teams and discrete processes.
Moreover, internal audit should focus on, and should advise on, prevention ahead of the need for detection. In other words, it should ensure that the cultural, architectural and design elements of a robust fraud prevention framework are in place, rather than relying on detective approaches in the aftermath of a fraud occurrence.
I have drawn on my experience with good practice cultural and framework elements to arrive at the following pointers. This is by no means comprehensive. The reader is encouraged to do their own research into the topic of fraud and fraud prevention.
Nevertheless, I intend for this to be a useful set of minimum standards to bring the various elements together.
These minimum standards should be found in all organisations.
Culture
- There should be clear messaging from the Chief Executive and senior leaders on an organisation’s zero tolerance to fraud and a commitment to anti-fraud behaviour and fraud awareness. This messaging should be formal and with appropriate frequency (an annual reminder as a minimum).
- Organisations may wish to consider confirming this tone with a written declaration of commitment. These might include:
  - A letter from the Chief Executive to their direct reports that clearly states the organisation’s rules apply equally to them as they do to everyone else
  - A statement that matters of concern and/or potential non-compliance should be raised with them, or if preferred, with the organisation’s Chief Internal Auditor
  - An instruction from the Chief Executive for all senior leaders to issue similar letters to their own direct reports.
Architecture
- Organisations should maintain a whistle-blower mechanism (phone, email or personal disclosure) that enables employees to report their concerns safely and confidentially.
- The recipient of the disclosure should be knowledgeable in the Protected Disclosures Act, and its practical application in a work setting.
- Mechanisms should exist to ensure and safeguard the independence of the recipient of the disclosure, or alternatively, to route the disclosure through an effective workflow while protecting the integrity of the disclosed information and the identity of the whistle-blower.
- The recipient of the disclosure should hold an office of sufficient authority (organisational hierarchy, reporting lines and mandate) to reassure the whistle-blower that the disclosure will be safeguarded and pursued.
- Organisations should possess a formal and up-to-date Code of Conduct. Amongst other things this should formalise (in print) the cultural “tone from the top”, including making specific mention of a zero tolerance to fraud, encouraging those with information to come forward and outlining the consequences of fraudulent action (including protecting disclosures under the Act).
- The Code of Conduct should be supported by specific policies on fraud prevention and consequence, and by regular, independent internal audit assessments of fraud risk exposure and internal audits of “at risk” end-to-end processes.
- Teams should be encouraged to revisit and discuss, on a regular and cyclical basis, sections of the Code of Conduct, such that the entire document is covered at least once a year.
- A personnel risk assessment should be completed to identify and prioritise personnel security risks. The New Zealand public sector has Personnel Security (PERSEC) / Protective Security Requirements (PSR) management protocols to guide this.
- Specific to fraud risk management and identification, there should be a regular and cyclical programme of cross-functional or “helicopter view” internal audit reviews, focusing on:
  - Confirming the preventative elements (culture, architecture and design) are designed well and operating as intended
  - Auditing key controls in end-to-end processes to confirm they continue to be designed properly and operate effectively
  - Highlighting fraud indicators. Here, a combination of data mining and Computer Assisted Auditing Techniques (CAATs) can be used. Proxy indicators include:
    - Frequent changes to vendor bank account details, or changes made shortly after the initial set-up of a vendor
    - Cross-referencing vendor bank accounts to employee/contractor bank accounts
    - Invoice payments just under delegation thresholds (i.e. instances of invoice-splitting).
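The three proxy indicators above, implemented as simple CAAT-style checks over constructed sample data. This is an added illustration, not code from the article; the vendor change log, staff accounts, invoice register, the 30-day set-up window, the 5% band and the $5,000 delegation threshold are all assumed for the example.

```python
from collections import defaultdict
from datetime import date
# Constructed sample data (not from the article): vendor changes, staff accounts, invoices.
VENDOR_CHANGES = [  # (vendor_id, changed_on, bank_account); first row = set-up
    ("V100", date(2023, 1, 5), "01-0101-0001111-00"),
    ("V100", date(2023, 1, 9), "02-0202-0002222-00"),  # changed 4 days later
    ("V200", date(2022, 6, 1), "03-0303-0003333-00"),
    ("V200", date(2023, 3, 1), "03-0303-0003333-01"),
    ("V200", date(2023, 3, 20), "03-0303-0003333-02"),
    ("V200", date(2023, 4, 2), "03-0303-0003333-03"),
    ("V300", date(2021, 2, 2), "04-0404-0004444-00"),
]
STAFF_ACCOUNTS = {"E1": "02-0202-0002222-00", "E2": "09-0909-0009999-00"}
INVOICES = [  # (vendor_id, invoice_no, paid_on, amount)
    ("V300", "INV-1", date(2023, 5, 2), 4950.00),
    ("V300", "INV-2", date(2023, 5, 2), 4900.00),
]
THRESHOLD = 5000.00  # assumed single-signature delegation limit

def suspicious_account_changes(changes, setup_days=30, max_changes=2):
    """Vendors changed within setup_days of set-up, or more than max_changes times."""
    dates = defaultdict(list)
    for vendor, when, _ in sorted(changes, key=lambda r: r[1]):
        dates[vendor].append(when)
    flagged = []
    for vendor, seen in dates.items():
        edits = len(seen) - 1  # the first row is the initial set-up
        early = edits > 0 and (seen[1] - seen[0]).days <= setup_days
        if early or edits > max_changes:
            flagged.append(vendor)
    return sorted(flagged)

def vendor_staff_account_matches(changes, staff):
    """(vendor_id, staff_id) pairs that share a bank account."""
    lookup = {acct: sid for sid, acct in staff.items()}
    return sorted({(v, lookup[a]) for v, _, a in changes if a in lookup})

def just_under_threshold(invoices, threshold=THRESHOLD, band=0.05):
    """Invoice numbers paid within `band` below the delegation threshold."""
    return [inv for _, inv, _, amt in invoices
            if threshold * (1 - band) <= amt < threshold]

def split_invoices(invoices, threshold=THRESHOLD):
    """Same vendor, same day, each invoice under the threshold, total over it."""
    groups = defaultdict(list)
    for vendor, inv, day, amt in invoices:
        if amt < threshold:
            groups[(vendor, day)].append((inv, amt))
    return {k: [i for i, _ in rows] for k, rows in groups.items()
            if len(rows) > 1 and sum(a for _, a in rows) >= threshold}
```

Every hit is only an indicator for follow-up by the auditor; a legitimate vendor can change banks, and two invoices on one day may be genuine.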
Internal Auditors can prevent fraud
Internal auditors are now better equipped than ever with the mandate, knowledge, audit techniques and technology to reduce the occurrence of fraud. Where fraud has been perpetrated, internal auditors now also have the tools to help organisations identify and respond quickly and efficiently in order to minimise the damage.