Internal audit should be checking your anti-fraud controls, says John Smart

Many organisations take great pride in their people, invest in them, and view them as their greatest asset. People's honesty and reliability are usually taken for granted. But the facts show that you cannot vouch for all your employees, let alone a network of suppliers, sub-contractors, outsourced and offshored operations, and projects around the world.

It has been repeatedly shown that fraud can occur in any organisation. Ernst & Young’s discussions with clients revealed that 47% of companies had experienced significant fraud in the previous 12 months. This risk requires a defence that includes controls on the one hand, and culture and tone on the other. Like any other risk, it needs internal audit to provide assurance over the process.

The need is underlined by the fact that many companies take a somewhat complacent, and misconceived, view of the possibility of fraud occurring within their organisation. Many look for fraud in the wrong places.

Our respondents in developed countries admitted to greater unease about fraud exposure in emerging markets, but 75% of those who had suffered a recent fraud had experienced it in their developed country operations. And although they rely on internal controls to detect fraud, 38% have never trained their management in fraud prevention and detection. Companies appear to believe they have sufficient safeguards in place to detect fraud, based on the absence of evidence of fraud. But absence of evidence is not evidence of absence.

The potential financial and reputational damage arising from fraud is significant. The best estimate is that somewhere in the region of 5% of global corporate revenues are lost to fraud. Only about 20% of those are recovered from the perpetrators, and only an additional 19% from insurance policies.

Meanwhile, a run of high-profile cases and the greater emphasis on transparency in the wake of corporate scandals, especially in the US, have given regulators and the media a greater readiness to investigate and expose suspected fraud. For them, there are considerable reputational gains to be made as campaigning fraud-busters.

The US Foreign Corrupt Practices Act (FCPA) has moved from obscurity to notoriety, and its scale of penalties has been a wake-up call for boards. In the UK, the Serious Fraud Office has a direct remit to investigate fraud and corruption, and has been given increased resources and legislative powers, which it is being actively encouraged to use.

In response to the risk of fraud, companies have looked to rely on current controls. This can mean that heads of internal audit are in the front line, because they provide assurance over controls. At a recent Ernst & Young internal audit think tank, participants accepted that they would be the first to be asked by the audit committee chair about the management of fraud in relation to their business. Effective anti-fraud policies are very much on the agenda, and therefore the internal controls related to them are worth re-examining.

Businesses do not usually welcome more controls. As one of our think tank participants pointed out, since the passing of Sarbanes-Oxley (SOX) a degree of fatigue with controls has emerged in organisations. This could be partly responsible for a seemingly less than vigorous approach to combating fraud. However, since the US Securities and Exchange Commission (SEC) and the US Public Company Accounting Oversight Board (PCAOB) announced changes to SOX section 404 and the accounting standards related to it, the regulatory approach in the US is now risk-based. Fraud risk is one of the priorities in the risk assessment. So an effective fraud risk policy will minimise the regulatory risk.

To be effective, those policies must not just address the opportunity for fraud, but also seek to understand how and why it is committed. The 'fraud triangle' illustrates the motivation of perpetrators, and the impact of policies on that motivation. Studies suggest employees generally commit fraud when three factors are present: first, if there is an opportunity to do so; second, if they are under pressure; and third, if they can rationalise their actions. An opportunity exists where an employee believes controls can be overridden, either because those controls are too weak, or because the employee is in a position to circumvent them. Even otherwise honest individuals may commit fraud if they feel under sufficient pressure from sources within the company or outside. And fraudsters may rationalise their dishonest actions through judgements and perception of their circumstances: the 'everyone else is doing it' justification is a classic example.

To combat the drivers of fraud, a two-tier approach can be deployed, as shown in Figure 1. The first tier consists of a range of internal controls that seek to address and deny the opportunity part of the triangle. These include physical controls, such as locked doors, or computer passwords. Checks on financial processes also constitute a deterrent to opportunistic fraud, as do regular business controls, such as stock-taking. Less visible are internal audit's own automated data analytics, which look for anomalies that indicate dishonesty.

The second tier seeks to counter the bottom axis of the triangle, and concentrates on culture and tone. Staff take their cue from whatever culture pervades the business: what is perceived as acceptable or not. Business leaders have a key role to play in making their lack of tolerance for fraud clear.

The role of internal audit in the fraud triangle is to provide assurance over the first-tier controls as part of its normal audit. But internal audit is also getting more closely involved in providing assurance over the effectiveness of the culture and tone. It is looking at the processes supporting the message, and analysing the output from those processes. As an example, internal audit could ensure that whistle-blowing hotlines are seen to be independent and capable of being used without fear of reprisal. It could also be looking for trends and symptoms in the reported output from those hotlines. Overall, internal audit is seeking to provide assurance that anti-fraud programmes have been effectively designed, rolled out, and communicated, and that they are understood and working. The first three are usually more easily observable and measurable than the last two, which may require extra feedback loops for full assurance.

Owning the risk

The Ernst & Young think tank participants had contrasting experiences of ownership and reporting lines for anti-fraud policies and processes. One told us that on becoming head of internal audit he had taken ownership of the ethics policy. He took a strongly proactive approach, creating a specialist team to foster ethical compliance with the policy, and took the lead in driving communication of that policy into the organisation. He believed the key was getting people to think about ethics all the time, not making it separate from doing business.

Another, the head of internal audit with a large international business, said each business had a responsibility for fraud detection and reporting to a controller. The controller and the head of internal audit discussed appropriate action with the local business. But if there was concern about what a fraud revealed about the effectiveness, or weakness, of existing controls, the internal audit team would be tasked to report, so that the organisation could learn the lessons globally.

These two examples illustrate the wide variation in the role played by the head of internal audit in the fight against fraud. If the audit committee feels there is a void in the organisation's fraud defences, and the CEO says fix it, a likely candidate for the work is often the internal audit team. They, after all, have the risk control skills and the data analytics, the experience of writing policies and setting up feedback loops, a remit to range across the business, and report to the ultimate assurance body, the audit committee. However, in some businesses this call to arms may fall to the chief risk officer (CRO), or to a head of security, or head of compliance. The responsibilities of the CRO may vary, particularly if the audit committee is concerned about internal audit maintaining independence and objectivity. The separation of process ownership and process assurance is fundamental. If internal audit has set up the process, it may need to hand it over.

The think tank participants raised the question: to whom should the reports be made? One observed that the audit committee, while requesting high-level reports on fraud, often found it more interesting to spend a disproportionate amount of time drilling down into the detail of a specific fraud. This experience was echoed by other participants, some of whom thought it was no bad thing as it helped the audit committee understand the cultural context of fraud. However, the practice emerging in large organisations is to appoint a small committee to take responsibility for handling fraud issues affecting the business. Membership usually includes legal, the head of internal audit, the CFO, CRO and, especially in financial services businesses, the head of compliance.

Another example of leading practice came from a public sector participant, who described how any fraud, or allegation of fraud, has to be investigated, and there is a fraud investigation team in place to do this. Under public sector regulatory obligations, suspected or actual fraud must be reported to internal audit and investigated as appropriate. The outcome of this process is perhaps of more interest than the process itself. After an investigation, the team produces a report which gives the facts and internal audit's recommendation for further action specific to the incident. On top of that, there is a further control report, looking at the organisation's wider controls. If the control report highlights a specific local issue, remediation is limited to that locality. But if the report covers an issue that could have wider implications, remediating steps will be taken throughout the business.

In conclusion, the whole anti-fraud process outlined in Figure 2 should be assured.

Fraud is a real threat to businesses and requires an approach that includes controls, culture and tone. Internal audit has the skills and the insight to make a valuable contribution across the whole spectrum of prevention and detection.