Handbooks (practice Guide) Internal Auditing And Fraud - Pdf


Thursday, May 23, 2019

IPPF – Practice Guide: Internal Auditing and Fraud. The purpose of this Practice Guide is to increase the internal auditor's pertaining to fraud and the internal auditor's role in detect- The Internal Auditing and Fraud Practice Guide discusses fraud and provides general guidance to help internal auditors comply with professional standards.


Language: English, Spanish, Dutch
Genre: Academic & Education
Published (Last): 28.08.2015

This Practice Guide is provided as a service to members of The IIA.

In addition, there are fraudsters who consistently rationalize poor performance, perceive beating the system to be an intellectual challenge, provide unreliable communications and reports, and rarely take vacations or sick time (and when they are absent, no one performs their work). These red flags are often indicators of misconduct, and an organization's management and internal auditors need to be trained to understand and identify the potential warning signs of fraudulent conduct.

Awareness of fraud schemes is developed through periodic assessment by management and internal auditors, training of employees, and frequent communication between management and employees. Oversight can take many forms and can be performed by many within and outside the organization, under the overall oversight of the board of directors.

Board of Directors

The board of directors has responsibility for effective and responsible corporate fraud governance. The role of the board is to oversee and monitor management's actions to manage fraud risks.

Specifically, the board evaluates management's identification of fraud risks, implementation of anti-fraud measures, and creation of the tone at the top.

Since the board is the organization's highest authority, it is responsible for setting the tone for fraud risk management within an organization. The board can implement policies that encourage ethical behavior, including processes for employees, customers, and external business relationship (EBR) partners to report instances where those policies are violated. The board may monitor the organization's fraud risk management effectiveness by appointing one executive-level member of management to be responsible for coordinating fraud risk management and reporting to the board.

To set the appropriate tone at the top, the board of directors needs proper governance.


Audit Committee

An audit committee of the board of directors is the independent eyes and ears of the investors and other stakeholders.

The committee's role is to evaluate management's identification of fraud risks and the implementation of anti-fraud measures, and to provide the tone at the top that fraud will not be accepted in any form. The audit committee hires external auditors to report on the financial statements of the organization and provide recommendations on internal control.

The external auditors report to the audit committee and not to management. The audit committee usually has oversight of the internal audit activity.

IIA Standard Reporting to the Board and Senior Management states that the CAE must report periodically to senior management and to the board on the internal audit activity's purpose, authority, responsibility, and performance relative to its plan. Reporting must include significant risk exposures and control issues, including fraud risks, governance issues, and other matters needed or requested by senior management and the board. The audit committee is responsible for overseeing controls to prevent or detect management fraud.


In this role, the audit committee is responsible for overseeing senior management's compliance with appropriate financial reporting and for preventing senior management override of controls or other inappropriate influence over the reporting process.

Management

Management is responsible for overseeing the activities of employees and typically does so by implementing and monitoring processes and internal controls.

In addition, management assesses the vulnerability of the entity to fraudulent activity. Fraud can occur in any organization, but the degree and detail involved in the risk assessment may correspond with the size and complexity of the organization. Management is responsible for establishing and maintaining an effective internal control system at a reasonable cost.

Legal Counsel

The roles and responsibilities of the in-house counsel will often be governed by the laws of each jurisdiction. A lawyer generally acts in the best interest of the organization and also is required to preserve client confidences. The discovery of fraud can bring these two ethical duties into a potential conflict. When faced with constituents in an organization who intend to engage in fraud, a lawyer can urge reconsideration, advise the constituents to seek a separate legal opinion, or refer the matter to a higher authority within the organization.

The in-house counsel may decide to resign upon learning about potential or ongoing fraud, especially if the counsel's work product is used to further the fraud. If counsel resigns, the general counsel or outside counsel can document the measures taken to notify the wrongdoing members of the organization of the illegality of their (1) intended or ongoing conduct, (2) the consequences of that conduct, and (3) the counsel's attempt to deter the conduct.

Internal Auditors

Internal auditors evaluate risks faced by their organizations based on audit plans with appropriate testing. Internal auditors need to be alert to the signs and possibilities of fraud within an organization. While external auditors focus on misstatements in the financial statements that are material, internal auditors are often in a better position to detect the symptoms that accompany fraud.

Internal auditors usually have a continual presence in the organization that provides them with a better understanding of the organization and its control systems.

Specifically, internal auditors can assist in the deterrence of fraud by examining and evaluating the adequacy and the effectiveness of internal controls.

In addition, they may assist management in establishing effective fraud prevention measures by knowing the organization's strengths and weaknesses and providing consulting expertise. The importance an organization attaches to its internal audit activity is an indication of the organization's commitment to effective internal control and fraud risk management.

If assigned such duties, internal auditing has a responsibility to obtain sufficient skills and competencies, including knowledge of fraud schemes, investigation techniques, and laws. Internal auditors may conduct proactive auditing to search for misappropriation of assets and information misrepresentation.

This may include the use of computer-assisted audit techniques, including data mining, to detect particular types of fraud. Internal auditors also can employ analytical and other procedures to find unusual items and perform detailed analyses of high-risk accounts and transactions to identify potential fraud. At the appropriate time when enough information has been obtained, the CAE should keep senior management and the audit committee informed of special investigations in-progress and completed.

External Auditors

The organization's external auditors have a responsibility to comply with professional standards and to plan and perform the audit of the organization's financial statements to obtain reasonable assurance about whether the financial statements are free of material misstatement and whether the misstatements were caused by error or fraud. The external auditor typically reports fraud involving senior management directly to those charged with governance e.

Loss Prevention Manager

The loss prevention (LP) manager or company security group deals with areas of business risk such as crimes, disasters, accidents, and waste, which have the capabilities to cause business failure.

As the organization's security expert, the LP manager is in an advantageous position to lead risk communications between other risk and line managers. By identifying and understanding potential and actual patterns within the business, the LP manager can provide valuable insights to management on judging the effectiveness of the organization's risk management processes. The LP manager usually works closely with internal auditors to identify areas of weak internal controls within the organization.

Fraud Investigators open dialogue. Also, a fraud investigator's work done at the direction of legal counsel may constitute protected attorney work product.

The lead investigator usually determines the knowledge, skills, and other competencies needed to carry out the investigation effectively and assigns competent and appropriate people to the team. This process could include assurance that there is no potential conflict of interest with those being investigated or with any other employees of the organization.

Other Employees

Every employee has a role to play in fighting fraud. Employees are the eyes and ears of the organization, and they should be empowered to maintain a workplace of integrity. Employees can report suspicions of fraud to an employee hotline, the internal audit department, or a member of management. To deter and detect fraud and abuse, many experts believe an employee hotline that is appropriately monitored is the single most cost-effective fraud detection and deterrence measure.

Fraud investigators are usually responsible for the detection and investigation of fraud, and the recovery of assets.

They also perform a role in fraud prevention. Senior management and the audit committee need to support the investigators to let all stakeholders know the business entity is ready to respond quickly and appropriately to fraud risks.

The organizational alignment of a fraud investigation unit (FIU) can vary. If an FIU is based within a corporate security department, it may be beneficial for them to work closely with or be involved in internal audit activities so the FIU employees will have access to internal and independent auditor findings. Fraud investigators often work closely with legal counsel to bring legal action against the perpetrator.

Communications between fraud investigators and the legal counsel are likely to be considered confidential e. Risk Management Standard Engagement Objectives Standard However, most internal auditors are not expected to have knowledge equivalent to that of a person whose primary responsibility is detecting and investigating fraud. Also, audit procedures alone, even when carried out with due professional care, do not guarantee that fraud will be detected. A well-designed internal control system should help prevent or detect material fraud.

Tests conducted by internal auditors improve the likelihood that important fraud indicators will be detected and considered for further testing.

Conducting Audit Engagements

Have sufficient knowledge of fraud to identify red flags indicating fraud may have been committed. This knowledge includes the characteristics of fraud, the techniques used to commit fraud, and the various fraud schemes and scenarios associated with the activities reviewed.

Be alert to opportunities that could allow fraud, such as control deficiencies. If significant control deficiencies are detected, additional tests conducted by internal auditors could be used to identify whether fraud has occurred. Evaluate whether management is actively retaining responsibility for oversight of the fraud risk management program, that timely and sufficient corrective measures have been taken with respect to any noted control deficiencies or weaknesses, and that the plan for monitoring the program continues to be adequate for the program's ongoing success.

Evaluate the indicators of fraud and decide whether any further action is necessary or whether an investigation should be recommended. Recommend investigation when appropriate.

In conducting audit engagements, the internal auditor should: Consider fraud risks in the assessment of internal control design and determination of audit steps to perform. Internal auditors are not expected to detect fraud, but internal auditors are expected to obtain reasonable assurance that business objectives for the process under review are being achieved and material control deficiencies, whether through simple error or intentional effort, are detected.

The consideration of fraud risks is documented in the workpapers, as well as linkage of fraud risks to specific audit work. Appendix B includes some questions internal auditing may routinely consider in its evaluation of an ongoing fraud risk management program.

Internal Auditor Skepticism

Professional skepticism is an attitude that includes a questioning mind and a critical assessment of audit evidence. An objective, skeptical internal auditor neither assumes that management or employees are dishonest nor assumes unquestioned honesty.

In all audit work, the exercise of professional skepticism is paramount. Internal auditors play a critical role in the success or failure of fraud risk management. With their intimate knowledge of the workings of an entity, internal auditors are in a unique position to identify many of the indicators of fraud. When internal auditors act with skepticism and they focus on the effectiveness of internal controls, the likelihood that they will notice the common characteristics of fraud is increased, and they might uncover possible fraudulent activity if and where it exists.

In addition, Standard Individual Objectivity states that internal auditors must have an impartial and unbiased attitude, which is consistent with exercising skepticism.

The audit committee's oversight and support of the internal audit activity helps the internal auditor maintain independence and objectivity as well as keep an attitude of skepticism.

Communicating With the Board

The relationship between the CAE and the board of directors includes both reporting and oversight functions.


Internal auditors, through the unique role they play, are well positioned to elevate the importance of fraud prevention and detection programs with management and the board. Staying aware of what is happening in their specific industry and organization will enhance internal auditors' ability to address fraud risks with the board.

The internal audit activity's organizational structure as it pertains to addressing fraud. Coordination of fraud audit activity with external auditors. Overall assessment of the organization's control environment. Productivity and budgetary measures of internal audit's fraud activities.

Benchmarking comparisons of internal audit's fraud activities with other organizations. Role of internal audit in fraud investigations. The CAE may have a different opinion from senior management and the board about the right time to inform them of serious issues including fraud. A solution for addressing this timing concern is for the CAE to have discussions with senior management and the board before issues arise concerning what they need to know, when they need to know it, and how the communication will be made.

The following illustration depicts an example of a document that could be prepared to clarify the nature and timing of a CAE's communication with the board regarding fraud matters.

All fraud audits performed. The fraud risk assessment process. An organization's exposure to fraud is a function of the fraud risks inherent in the business, the extent to which effective internal controls are present either to prevent or detect fraud, and the honesty and integrity of those involved in the process.

Fraud risk is the probability that fraud will occur and the potential consequences to the organization when it occurs. The probability of a fraudulent activity is based, typically, on how easy it is to commit fraud, the motivational factors leading to fraud, and the organization's fraud history. A fraud risk assessment is often a critical component of an organization's larger enterprise risk management program.

The fraud risk assessment is a tool that assists management and internal auditors in systematically identifying where and how fraud may occur and who may be in a position to commit fraud.

The Risk of Fraud and the Role of Internal Audit

A review of potential exposures represents an essential step in alleviating the board's and senior management's concerns about fraud risks and their ability to meet organizational goals while promoting public confidence in the health of an organization. A fraud risk assessment concentrates on fraud schemes and scenarios to determine the presence of internal controls and whether or not the controls can be circumvented. An important role of management is to provide oversight for the successful completion of a fraud risk assessment so that management has a better understanding of fraud risks and the controls in place to mitigate those risks.

Organizations will need to reach their own conclusions with respect to the cost of controlling a risk compared to the benefits of mitigating or eliminating that risk. A fraud risk assessment generally includes five key steps:

1. Identify relevant fraud risk factors.
2. Identify potential fraud schemes and prioritize them based on risk.
3. Map existing controls to potential fraud schemes and identify gaps.
4. Test operating effectiveness of fraud prevention and detection controls.
5. Document and report the fraud risk assessment.

The scope of the fraud risk assessment may vary widely depending on the organization's size, complexity, or industry. One organization may complete an enterprisewide assessment and include all business areas in the assessment, while another organization may limit its focus to the most important business risk area.

An organization with several subsidiaries may complete a separate assessment for each subsidiary or a combined assessment.

Identifying Relevant Fraud Risk Factors

The first step is to gather information about the organization's business activities to gain an understanding of fraud risks, including external business relationship partners. This process includes review of documentation of previous frauds and suspected frauds committed against or on behalf of the organization, evaluation of related frauds at similar organizations, and review of the organization's performance measures over the past few years compared with competitors.

Identifying Potential Fraud Schemes and Prioritizing Them Based on Risk

Fraud, by definition, entails intentional misconduct designed to evade detection. As such, a fraud risk assessment team needs to engage in strategic reasoning to anticipate both the fraud scheme and the individuals within and outside the organization who could be in a position to perpetrate each scheme. A fraud risk assessment team is typically composed of individuals from the internal audit activity, finance, legal, IT, security, and potentially other functions depending on the nature of the organization.

The fraud risk assessment team identifies potential fraudulent schemes using brainstorming, management interviews, analytical procedures, and review of prior frauds. What is the level of pressure management is under that would lead it to override internal controls? Monetary impact. Impact to the organization's reputation. Loss of productivity. Integrity and security over data. Loss of assets. Company culture. Liquidity of assets.

Mapping Existing Controls to Potential Fraud Schemes and Identifying Gaps

The fraud risk assessment team identifies preventive and detective controls in place to address each fraud risk and to assess the likelihood and significance of each potential fraud.

Entity-level anti-fraud controls such as the existence of a whistleblower hotline and whistleblower protection policy, board oversight, results of continuous monitoring, code of conduct, and the tone of management's communications regarding their tolerance for fraud risk are important elements in this exercise.

Are there any consequences if management fails to reach goals?

Testing Operating Effectiveness of Fraud Prevention and Detection Controls

Specific fraud areas should be identified without consideration of the existence or effectiveness of internal controls, which is done later.

The evaluation considers whether the fraud could be committed by an individual alone or requires collusion among employees or external persons. The following factors are considered when prioritizing fraud risks: Internal auditing typically plays an important role in assessing the operating effectiveness of internal controls. Internal auditors consider not only the existence of the internal control, but also the effectiveness of the internal control through periodic testing of the control.

In this case, the internal control is present, but is not operationally effective. Organizations need to document the process that identifies and evaluates fraud risk.

Key elements that would likely be documented in a fraud risk assessment for each significant business area include: The types of fraud that have some chance of occurring. The inherent risk of fraud considering the availability of liquid and saleable assets, organizational morale and employee turnover, the history of fraud and losses, and other specific business area indicators.

The adequacy of existing anti-fraud programs, monitoring, and preventative controls. The potential gaps in the organization's fraud controls, including segregation of duties. The likelihood of a significant fraud occurring. In some cases, internal auditors may have hotlines to report any cases or suspicions of fraud. Control Activities: Evaluation of the effectiveness of the design and performance of the fraud-related control methods, ensuring that the audit plans and programs specify the residual risks under the integration of fraud auditing procedures with auditing the possible variations of laws, rules and regulations and their effect on the control methods.

Information and Communication: Evaluation of the effectiveness of the communication system operation, with the provision of the necessary support to fraud-related training initiatives. Follow-Up Activities: Evaluation of the control over software, conduct of investigations, support to the Audit Committee in supervising the fraud-related issues, support to the development of the identification of fraud indicators, employment and training of employees to enable them to conduct auditing of fraud and investigations with adequate expertise.

Detection of Fraud

Detection of fraud is represented in the internal control methods designed to detect fraud and misconduct when they occur.

The existence of sufficient and appropriate detective control methods is one of the strongest deterrents of fraudulent conduct. They are used along with preventive control methods to enhance the effectiveness of the fraud risk management program through the provision of evidence that the preventive control methods are working as planned in the detection of fraud that may occur.

Although the detective controls may provide evidence that fraud is occurring, or has already occurred, they are not designed to prevent fraud. Internal control methods are designed to provide evidence and warnings that fraud is occurring or has already occurred. Effective internal control methods are one of the strongest ways to reduce or prevent fraudulent conduct or procedures. The simultaneous use of detective and preventive internal control methods supports the fraud risk management program.

Although detective controls may provide evidence for the occurrence of fraud, they do not aim, or are unable, to prevent fraud. The auditors auditing cases of fraud must be aware of the basic requirements of the detection of fraud. These basic requirements are: Specification of the fraud risk in the organization through the examination of the control and operational environment to determine the categories and methods of fraud; Evaluation of fraud risk; Examination of risks and their occurrence from the perspective of the perpetrator of fraud in order to determine what the control methods are and the manipulation methods that cause the occurrence of fraud; Full understanding of fraud indicators and the data that may include these indicators; and Readiness for the occurrence of any fraud cases as a result of the indicators, as well as knowledge of how to search for these indicators in the data.

When these requirements are fulfilled, it is easy to deter perpetrators, to investigate and report the detected cases, and to develop control methods to detect the repetition of such cases.

The role of internal audit in the detection of fraud through the stages of the fraud risk management is as follows: Taking into consideration the fraud risk when evaluating the control methods and the determination of the necessary audit procedures.

Whereas internal auditors are not expected to detect fraud and violations, they are expected to give reasonable confirmation that the objectives of the business environment of the operations have been achieved.

Providing adequate knowledge about fraud cases to determine fraud indicators. This knowledge includes awareness of fraud properties and factors and the techniques used in the commission of fraud. Being ready for any opportunity that may allow the commission of fraud, such as any weakness in the control methods.

If a major deficiency in the control methods has been detected, additional tests must be conducted by internal auditors to specify fraud indicators. Evaluating fraud indicators and taking any other necessary procedures or conducting investigations if needed. Whistle-blowing and reporting to the competent authorities inside the organization if a fraud case is detected to recommend the conduct of an investigation. Response and Investigation: Response and investigation are represented in the internal control designed to take a remedial and corrective action for the damages resulting from the occurrence of fraud and misconduct.

The role of internal audit must be determined in the investigation process in the internal audit regulations as well as in the fraud-related policies and procedures. This includes collecting sufficient information on specific details and carrying out these necessary procedures to determine whether fraud is committed, who was involved and how it happened.

One of the most important outputs of the investigations is the exclusion of innocent people from the circle of doubt or suspicion. Investigation starts with planning and ends with the issuance of a report on the findings of the investigation.

Investigation Planning

A plan for each investigation process is set according to the procedures of the organization. The team leader in charge in the internal audit department determines the skills, competencies and knowledge required for conducting the investigation procedures through the identification of suitable individuals for carrying out the investigation. Other assurance providers (OAPs).


Examples of Fraud However, the risk of fraud can be reduced through a combination of prevention, detection, and deterrence measures. Since fraudsters do not want to be caught in their actions, they must believe that their activities will not be detected. Management is primarily responsible for establishing and maintaining Information and communication — Promoting the internal controls in an organization. Corruption often involves the downloading function.