Internal Audit (IA) departments are a foundational control and serve a vital role in fraud risk management. However, their role in fraud risk management may differ from one organization to the next, since fraud risk management is an art, not a science. Traditionally, the day-to-day management of the fraud risk management program would be housed across the first and second lines of defense, consistent with the most recent iteration of the Three Lines Model issued by the Institute of Internal Auditors (IIA). In line with this model, IA’s role in fraud risk management would be to provide independent and objective assurance and advice on all matters related to the achievement of objectives. But what does this look like in practice? The IIA highlights the following four key areas related to IA’s role in fraud risk management:
- Identify red flags that indicate fraud may have been committed.
- Understand the characteristics of fraud, the techniques used to commit fraud, and be familiar with various fraud schemes and scenarios.
- Evaluate the indicators of fraud and decide whether an investigation or further action is necessary.
- Evaluate the effectiveness of controls to prevent and detect fraud.
Still, there is no one-size-fits-all approach. To help organizations build strong, effective fraud risk management programs, Grant Thornton and the Association of Certified Fraud Examiners (ACFE) published the Anti-Fraud Playbook, which helps clarify and operationalize the concepts set forth in the Fraud Risk Management Guide (the Guide) published by COSO and the ACFE.
Following are three ways internal auditors can leverage the Anti-Fraud Playbook to promote and foster effective fraud risk management at their organization:
#1: Know what good looks like
The Anti-Fraud Playbook includes ten plays, organized into five phases, detailed in the graphic below:
These phases and the underlying plays are the building blocks of an effective fraud risk management program. Whether you are beginning your anti-fraud journey or are looking to enhance current fraud risk management practices, the Anti-Fraud Playbook provides a benchmark for what a good fraud risk management program looks like. Armed with this insight, internal auditors can understand their organization’s fraud risk management strengths and its opportunities for improvement, and can translate those insights into informed, actionable findings that help foster effective fraud risk management across the organization.
Tip: Fraud risk management should be tailored to the unique needs of the organization and its individual business units. Not every organization or business unit requires the same level of fraud risk management. For example, business units with limited fraud exposure, or those that are willing to accept more fraud risk, might not need the same level of fraud risk management as others.
#2: Learn to think like a fraudster
To understand your organization’s fraud risk landscape and identify red flags, internal auditors first must define what type of fraud they should be looking for. This requires a concept we call ‘thinking like a fraudster’. Brainstorm fraud scenarios that are specific to your organization’s processes and controls. Don’t just focus on what you’ve already seen. Think outside the box. If someone wanted to commit fraud, how could they do it? What processes or controls would they circumvent? Who would be most likely to perpetrate the fraud and why? Consider both internal and external fraud and think beyond just financial losses.
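Brainstormed scenarios only become useful once they are turned into concrete tests. The following example is added here and is not code from the article, the Anti-Fraud Playbook or the Guide; it encodes the five expense reimbursement red flags this section lists below as tests over a constructed set of claim records, so an auditor can see exactly which claims each rule flags and why. The record fields, the $10 multiple used for "round numbers", the three-claim minimum and the three-times-median outlier threshold are all assumptions, not values from the page.

```python
from collections import defaultdict
from datetime import date
from statistics import median
# Constructed sample expense claims (not real data); the field names are assumptions.
CLAIMS = [
    {"id": 1, "employee": "alice", "title": "analyst", "trip_start": date(2024, 3, 11),
     "trip_city": "Denver", "expense_city": "Denver", "vendor": "hotel", "amount": 412.37},
    {"id": 2, "employee": "bob", "title": "analyst", "trip_start": date(2024, 3, 15),
     "trip_city": "Miami", "expense_city": "Miami", "vendor": "hotel", "amount": 300.00},
    {"id": 3, "employee": "bob", "title": "analyst", "trip_start": date(2024, 4, 12),
     "trip_city": "Miami", "expense_city": "Orlando", "vendor": "car_rental", "amount": 150.00},
    {"id": 4, "employee": "bob", "title": "analyst", "trip_start": date(2024, 5, 6),
     "trip_city": "Chicago", "expense_city": "Chicago", "vendor": "meal", "amount": 40.00},
    {"id": 5, "employee": "dave", "title": "analyst", "trip_start": date(2024, 3, 13),
     "trip_city": "Boston", "expense_city": "Boston", "vendor": "hotel", "amount": 2450.00},
]

# Per-claim tests: Friday (4) / Saturday (5) departures, spend away from the trip
# location, and whole-dollar bills from vendors that normally add taxes and fees.
CLAIM_TESTS = {
    "weekend_departure": lambda c: c["trip_start"].weekday() in (4, 5),
    "location_mismatch": lambda c: c["trip_city"] != c["expense_city"],
    "even_dollar_vendor": lambda c: c["vendor"] in {"hotel", "car_rental"} and round(c["amount"] * 100) % 100 == 0,
}

def round_or_repeated_claimants(claims, min_claims=3):
    # Employees whose every claim is a multiple of $10, or always the same amount.
    by_emp = defaultdict(list)
    for c in claims:
        by_emp[c["employee"]].append(round(c["amount"] * 100))  # integer cents
    return {e for e, a in by_emp.items() if len(a) >= min_claims
            and (all(x % 1000 == 0 for x in a) or len(set(a)) == 1)}

def title_outliers(claims, factor=3.0):
    # Stratify by job title and flag claims above `factor` times that title's median.
    by_title = defaultdict(list)
    for c in claims:
        by_title[c["title"]].append(c["amount"])
    med = {t: median(a) for t, a in by_title.items()}
    return {c["id"] for c in claims if c["amount"] > factor * med[c["title"]]}

def run_red_flag_tests(claims):
    # Returns {claim_id: [names of tests that fired]}; unflagged claims are omitted.
    repeaters, outliers = round_or_repeated_claimants(claims), title_outliers(claims)
    flags = {}
    for c in claims:
        hits = [name for name, test in CLAIM_TESTS.items() if test(c)]
        hits += ["round_amounts"] * (c["employee"] in repeaters) + ["title_outlier"] * (c["id"] in outliers)
        if hits:
            flags[c["id"]] = hits
    return flags
```

A flagged claim is a red flag to evaluate, not a finding: the per-employee and per-title tests in particular need enough history and a sensible peer group before their thresholds mean anything.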
For example, consider expense reimbursements, a common area for fraud. What analytic tests could IA implement to identify employees who are fraudulently trying to claim personal expenses as business expenses?
- Identify business travel with departures on Friday or Saturday.
- Compare travel location and expense-incurred location.
- Isolate even-dollar amounts from unexpected sources (hotels, car rentals, etc.).
- Review expenses that always end in round numbers or with consistent amounts.
- Stratify expenses by employee and job title/roles to identify outliers or inconsistencies.
Thinking like a fraudster can help internal auditors identify risks and better evaluate and align controls to them. Once the internal auditor has a clear picture of the risk landscape, they can deploy analytics to target specific risks, as shown in the expense reimbursement example above. This helps facilitate continuous risk identification and monitoring, further fostering proactive fraud risk management at the organization.
Tip: Where fraud has occurred, internal audit should understand how the controls failed and identify opportunities for improvement. It should consider the probability of further errors, fraud, or noncompliance across the organization and reassess the cost of assurance in relation to potential benefits.
#3: Monitor progress
Monitoring almost always comes last when organizations build fraud risk management programs. However, ongoing monitoring and periodic evaluations provide vital insight into the effectiveness of fraud risk management activities and help identify areas for improvement. Business unit owners should be responsible for the ongoing monitoring and periodic evaluation of their own fraud risk management activities.
Internal auditors can help ensure monitoring and evaluations are effective by focusing on two key questions:
- Do monitoring and evaluation activities cover the full spectrum of fraud risk management activities? When looking at the monitoring and evaluation activities put in place, IA should ensure that they cover the full spectrum of fraud risk management activities. Internal audit should also ensure that the business focuses on outcomes rather than outputs: the effectiveness of fraud risk management activities rather than the number of activities taking place. For example, when looking at a fraud risk assessment, instead of focusing on the number of fraud risk assessments performed (output), the business should measure the change in likelihood and impact scores from one assessment to the next to see how risk responses are affecting those scores (outcome).
- Are the results of monitoring and evaluations being used to drive continuous improvement? Let’s say the business surveyed employees within a specific function to determine the effectiveness of recent anti-fraud training, and the results were lower than expected. Internal audit could push the business to improve the training to achieve the desired outcome.
Fraud risk management is a journey with no final destination. It is not a one-and-done activity. Fraud risks are always evolving. What works today may not work tomorrow. IA provides the independent, objective assurance that your organization has the fraud risk management program and activities needed to combat current and emerging fraud threats.
Download the Anti-Fraud Playbook today to help your organization move from theory into practice.
Justin Van Cleave