The Changing Role of Internal Audit in Detecting and Investigating Financial Statement Fraud

The role of internal auditors in detecting, preventing and investigating financial statement fraud has been—and continues to be—a topic of contention among accounting professionals, anti-fraud professionals, management and legal staff. However, the overall trend is toward increased responsibility on the part of internal auditors for detecting fraud and supporting management in enhancing anti-fraud controls.

The most clear-cut indication of this came with the publication in 2009 by the Institute of Internal Auditors (IIA) of its Practice Guide entitled Internal Auditing and Fraud. Though it did not focus specifically on the issue of financial statement fraud, the IIA document did lay out clear measures that internal auditors must take to assist management in mitigating its risk of being a victim of fraud.

The Practice Guide is largely the product of virtually uniform concurrence within the profession with the notion that the internal audit function involves assisting management with critical issues pertaining to financial reporting, and internal controls that impact financial reporting. Key examples…
** Risk management process
** Internal control systems
** Financial reporting process

Anti-fraud programs and practices aimed at ensuring the integrity of financial reporting. But what are the specific best practices for internal audit in these key areas that support the organization’s fraud-risk mitigation efforts? Here is a listing of such practices:
• Schedule meetings between the chief internal auditor and the audit committee regarding the financial reporting process.
• Organize close cooperation and coordination of the work of external auditors with internal auditors through an integrated audit planning process consisting of the exchange of audit plans, programs, findings and reports.
• Require that internal auditors report their audit findings related to financial statement preparation to the board and the audit committee— especially when there are red flags of fraud.
• Regularly assess the adequacy and effectiveness of the organization’s internal controls over financial reporting (ICFR).
• Evaluate the quality of the financial reporting process—including a review of annual and quarterly statements— with a specific focus on finding fraud indicators.
• Participate with the audit committee and the organization’s external auditors in reviewing management’s discretionary decisions, judgment, selection and accounting principles related to preparing financial statements.
• Perform risk assessments of the financial reporting process by examining specific risks and anti-fraud controls meant to mitigate the risks.

Note: This duty is spelled out in the IIA’s 2009 Practice Guide which goes a step further to state that internal auditors “may assist management in establishing effective fraud prevention measures by knowing the organization’s strengths and weaknesses and providing consulting expertise.”

Important: One of the clearest sets of guidelines on internal audit’s role in protecting the organization against fraud goes back to 1985 with the IIA’s publication of Statement of Internal Audit Standards No.3 (SAIS 3).

Helpful: SAIS 3 clearly states that internal auditors have three key responsibilities regarding fraud investigation:
• Determine whether adequate and effective internal controls are in place to discover fraud.
• Design audit procedures to discover similar occurrence of prior-occurring financial statement frauds in the future.
• Obtain adequate knowledge of investigating similar fraud. But SAIS 3 doesn’t stop there. The Standard includes precise language on what the internal auditor’s responsibilities should be for detecting fraud:
• Obtain sufficient knowledge and understanding of fraud to be able to identify conditions that may indicate the existence of red flags that fraud might have occurred.
• Study and assess corporate structure to identify opportunities for committing financial statement fraud.
• Evaluate choices made by fraudsters in perpetrating financial statement fraud …and determine whether those choices represent potential red flags of future fraud and if so, how to adjust internal controls to eliminate the opportunities.
• Inform the appropriate individuals in the organization when signs of potential financial statement fraud are identified. (It is then management’s responsibility to determine if a full-fledged fraud investigation is warranted.)

On a day-to-day basis, the effectiveness of internal audit in reducing the organization’s exposure to financial statement fraud comes down to a set of very specific risk-mitigation practices that fall into six key areas…

Area #1: Basic practices of an effective internal audit group:
• Report to the audit committee or function in a way that affirms its independence with regard to potential financial statement fraud.
• Obtain training on conducting a fraud risk assessment and stay informed of current fraud schemes and detection/ deterrence methods.
• Become proficient in identifying red flags of financial statement fraud.
• Apply professional skepticism to all audit exercises.

Area #2: Practices related to evaluating and improving the organization’s anti-fraud measures:
• Assess fraud risks by evaluating management’s fraud risk assessment.
• Assess the organization’s culture to verify and, as necessary, enhance the effectiveness of:

  • Written policies specifying ethical behavior and prohibited/unethical conduct
  • Transaction approval processes
  • Whistleblower hotline(s)
  • Communication about financial statement fraud incidents—as well as detection and prevention measures to the board, top management, managers, supervisors and line employees.

Area #3: Practices for measuring the organization’s ethical culture:
• Assess the likelihood that employees who observe suspected or actual financial fraud will report it.
• Evaluate management’s posture regarding whistleblowers—with focus on the degree to which management would or wouldn’t retaliate against them. Propose corrective measures as needed.

Area #4: Practices for evaluating the organization’s fraud detection activities:
• Review the hotline’s design and processes for effectiveness. Implement corrective measures as needed.
• Regularly evaluate/audit the specific design and implementation procedures of management’s internal controls over financial reporting fraud.

Area #5: Practices for projecting a “perception of detection” by:
• Communicating to management and employees throughout the organization that internal audit is looking for fraud…welcomes tips and is prepared to ask tough questions of management in the event that financial statement fraud is suspected.

Area #6: Practices for conducting timely investigations of allegations and suspicions of financial statement fraud.

• Zabihollah Rezaee, PhD, CPA, CFE, CIA, CGFM,CMA,Thompson-Hill Chair of Excellence and Professor of Accountancy, University of Memphis.
• Richard Riley, PhD, CPA, CFE, Louis F. Tanner Distinguished Professor of Public Accounting,West Virginia University. Professors Rezaee and Riley are coauthors of Financial Statement Fraud, Prevention and Detection, 2nd Edition (Wiley), on which this article is based.

Republished with permission of the publisher, White Collar Crime Fighter. Copyright 2010 © White-Collar Crime Fighter


Contact Us

Become a Partner

If you are interested in becoming a certified partner, please contact us by clicking below.

Become a Partner »