On the Frontlines: A Collaborative Approach to Fighting Fraud
Blogs Noora Al Marri, CIA Oct 02, 2024
Imagine this… you’ve been part of a team auditing an organization regularly over the past few years, with normal level of coordination from management and ordinary types of challenges. Then a major fraud comes along that has been going on for over a year and with the collusion of more than 10 people from different departments and different levels of management.
What would be your reaction? Would you get into the blame game or attempt to raise awareness about the limitations of internal audit? Would you ask, “What did I do wrong?”
Being part of a fraud investigation team is stressful! Much has been written about the devastating effects fraud cases can have on companies, but there has been little to no focus on how being involved in a fraud case affects the behavior and thinking process of internal auditors. The investigation phase of an audit involving fraud can certainly present difficulties; these may include questioning colleagues, obtaining solid evidence, and navigating potential biases on how the process is perceived. Yet the investigation phase follows its own necessary course of action. Suprisingly, it’s the aftermath of a fraud investigation that can be the most challenging.
After a major investigation concludes, auditors tend to look at the case to study it from an internal control point of view, even if they don’t intend to. They scrutinize the control gaps that made it possible for the fraud to happen or to go on for so long. They may even design new audit test procedures that consider any newfound red flags, or they may develop a fraud database that includes signs and detection and prevention procedures. All that is considered normal and expected.
Often, however, the questions come up: Where were the auditors? Why wasn’t the fraud prevented in the first place? Why didn’t the normal audit engagements and procedures detect it? Was it an issue with the audit procedures or team? Was it a weakness in the audit methodology?
Perhaps two of the key test procedures — one looking at conflict of interest and one assessing segregation of duties — have been regularly carried out with no major findings. Could these procedures alone have detected this collusion? Aren’t these procedures limited?
The blame game, unfortunately, could have a significant effect on internal auditors. Audit procedures could become more aggressive, assuming controls do not exist or are not effective. Or auditors could become disengaged, putting their value to the organization at risk. But is the blame game fair?
Instead of relying solely on internal audit to detect all types of fraud, a combined effort involving second-line functions, such as risk management, information security, revenue assurance, etc., is needed. There needs to be further development into a methodology that ensures the limitations of internal audit’s fraud detection procedures are compensated with knowledge, insight, and cooperation from these other functions. Whether this is through an assurance map, a fraud risk framework, or a combination of the two, combining the efforts of third-line functions means a more powerful understanding of the dimensions of risks and the status of internal controls within the company.
Some might argue that these functions are still under the control of management, that they could be part of a collusion, or they could be pressured to limit communication with internal audit. However, with this kind of thinking, fraud detection will always be limited.
Conversely, what if internal audit could gradually build trust with these functions to reach a new level of coordination and collaboration? What if these functions could communicate openly with each other and internal audit could use these insights in a variety of ways in its audit procedures?
Then instead of auditors facing fraud alone, internal audit could stand tall with other assurance functions — benefiting both auditors and the organization.