Building a Better Auditor: Lean Audit Teams Can’t Beat Fraud Alone

In fast-growing pre-IPO and newly public companies, fraud risk often does not present itself as an obvious scheme. It appears as pressure, as shortcuts, and as “temporary” workarounds created in the name of speed, growth, or reaching the next milestone.

In these environments, internal audit’s most significant value isn’t in being the primary fraud detector. It’s in activating the people closest to the risk.

Yet when fraud risk management is discussed, the expectation often lands squarely on internal audit. That expectation isn’t just unrealistic; it overlooks how fraud risk actually emerges, limiting an organization’s ability to manage fraud risk effectively.

After nearly two decades working with organizations at every stage of maturity, one lesson stands out for me: Lean audit teams cannot win alone. Not when the company is scaling faster than controls can keep up. Not when processes are evolving in real time. Not when the pressure to “hit the numbers” intensifies — or when the organization is building the plane while flying it.

The First and Second Lines in Fraud Risk Management

The first line is where fraud risk is born — and where it can be stopped early. These teams experience process breakdowns more frequently than others. They feel the tension between policy and reality. They know which approvals are rushed, which controls are bypassed, and which “temporary exceptions” quietly become permanent.

If the first line serves as the early-warning system, the second line acts as the amplifier. Risk management, compliance, legal, finance, and HR each identify patterns across the organization — trends in issues, recurring exceptions, gaps in training, and signals in complaint data.

Yet in many pre-IPO and newly public companies, the second line is underdeveloped or siloed. Each function is solving similar problems from different angles, often without coordination or shared prioritization.

The first line is similarly ineffective in fraud risk management without the help of practical tools and clarity on expectations. And without a culture of psychological safety, first-line teams stay silent and normalize risk. They assume someone else will catch it.

With enterprise-wide visibility and independence, internal audit can connect these dots — aligning the second line around shared fraud risk signals, reinforcing consistent expectations, and translating regulatory requirements into operational reality that the business can actually execute. For the first line, internal audit can define what “good” actually looks like and create safe, structured ways for concerns to surface before they turn into findings, investigations, or headlines.

Timing Matters

How and when internal audit activates the first and second lines can determine whether fraud risk management becomes a strategic advantage — or a costly remediation effort.

Many organizations assume they can “fix it after the IPO.” In reality, activating the first and second lines post-IPO is significantly more expensive, disruptive, and politically complex. Once public, expectations for a fraud risk management process to be implemented and operating harden overnight — regulators, auditors, investors, and boards expect discipline, documentation, and consistency. A fraud risk management process that could have been shaped collaboratively before the IPO often becomes a remediation exercise under scrutiny, complete with external advisors, compressed timelines, and heightened defensiveness from the business. First-line teams are suddenly asked to change their behaviors while also meeting public company reporting demands, and second-line functions are forced to scale reactively rather than intentionally. The cost isn’t just financial — it manifests in change fatigue, erosion of trust, and missed opportunities to naturally embed fraud risk ownership into the business.

Fraud risk is rising. Regulatory expectations are increasing. And lean audit teams are being asked to do more with less. The solution isn’t to work harder — it’s to work smarter by building leverage through the organization.

The most resilient companies don’t treat internal audit as a safety net. They treat it as a catalyst — activating the first line, aligning the second line, and creating shared ownership of fraud risk long before the spotlight turns on.

In my upcoming session at the 2026 Fraud Virtual Conference, I’ll expand on this topic and share practical ways internal audit leaders can unlock this leverage in pre-IPO and newly public companies. I hope you’ll join me.