IIA/FAP Annual Conference

Transcription

1 IIA/FAP Annual Conference Does Internal Audit have an effective game plan to address fraud? Liz Sandwith CFIIA Chief Professional Practice Advisor

2 UK Fraud Act 2006 The states that a person is guilty of fraud if he/she: dishonestly makes a false representation, and intends, by making the representation to make a gain for himself or another, or to cause loss to another or to expose another to a risk of loss. dishonestly fails to disclose to another person information which he is under a legal duty to disclose, and intends, by failing to disclose the information to make a gain for himself or another, or to cause loss to another or to expose another to a risk of loss. occupies a position in which he is expected to safeguard, or not to act against, the financial interests of another person, dishonestly abuses that position, and intends, by means of the abuse of that position-to make a gain for himself or another, or to cause loss to another or to expose another to a risk of loss.

3 Traditional View of Fraud Risk Traditional views have resulted in a fragmented (not integrated / holistic) risk framework and reactive approach to fraud. Fraud risk and controls considered as separate, secondary objectives of internal audit and internal control Fraud not perceived to be an internal control failure Fraud training and awareness not really necessary Information and Communication criticised Fraud risk monitoring not perceived as a positive cost-benefit allocation of resources

4 Current View of Fraud Risk Current view aims to manage fraud risk holistically and proactively. Fraud risk and controls considered an objective of internal control activities Fraud perceived to be potential internal control failures Fraud training and awareness necessary Information and Communication aggregated, concise, and timely Fraud risk monitoring perceived as positive cost / benefit (protects revenue and/or recoups losses)

5 Source: IIA Managing the Business Risk of Fraud: A Practical Guide Key principles to effectively manage an organisation s fraud risk Principle 1: As part of an organization s governance structure, a fraud risk management program6 should be in place, including a written policy (or policies) to convey the expectations of the board of directors and senior management regarding managing fraud risk. Principle 2: Fraud risk exposure should be assessed periodically by the organization to identify specific potential schemes and events that the organization needs to mitigate. Principle 3: Prevention techniques to avoid potential key fraud risk events should be established, where feasible, to mitigate possible impacts on the organization. Principle 4: Detection techniques should be established to uncover fraud events when preventive measures fail or unmitigated risks are realized. Principle 5: A reporting process should be in place to solicit input on potential fraud, and a coordinated approach to investigation and corrective action should be used to help ensure potential fraud is addressed appropriately and timely

6 Differentiating Fraud Risk The auditor mind-set towards fraud differs from the other common audits; the mind-set should be investigative and anomaly-oriented Fraud risk impact and residual risk is difficult to measure. Fraudsters are not who you may think The most common fraudster profile may contradict your intuition a well-educated, middle-aged male, with no criminal history 10% of people will always commit fraud, 10% of people will never commit fraud and 80% of people given the opportunity will commit fraud.

7 Anti-Fraud Policy Starts with the Tone at the Top Does your organisation have an Anti-Fraud Policy approved by the board of directors that clearly articulates internal audit s role? The concepts incorporated in an Anti-Fraud Policy are developed to detect and prevent fraud and to implement effectively and consistently the policies and objectives set by management. Convey the expectations of the board of directors and senior management regarding fraud risk and control.

8 Leadership, Assignments, Roles & Responsibilities Typical organisation responsibilities include: Tone at the Top Executive Leadership Establish Internal Controls Management/Accounting Code of Conduct - Legal Employee Assistance Program Human Resources Hotline Administration Various Resources Referral to Law Enforcement Corporate Security Who is responsible for the implementation of an Anti-Fraud Framework? Even though management is ultimately responsible Everybody has a part to play in the prevention, detection and investigation of fraud.

9 Internal Audit s Role ( It is not a primary role of internal audit to detect fraud, but it is a role most people expect internal audit to undertake. There is, therefore, an expectations gap that needs to be managed. Internal audit has no legal responsibility for fraud but is required to give independent assurance on the effectiveness of the processes put in place by management to manage the risk of fraud. Any additional activities carried out by internal audit should be in the context of and not prejudicial to this primary role.

10 The roles that internal audit should undertake include the following: Investigating the root causes of fraud; Reviewing fraud prevention controls and detection processes put in place by management; Making recommendations to improve those processes; Advising the audit committee on what, if any, legal advice should be sought if a criminal investigation is to proceed; Bringing in any specialist knowledge and skills to assist in fraud investigations, or leading investigations where appropriate and requested by management; Liaising with the investigation team; Responding to whistle-blowers; Considering fraud risk in every audit; Having sufficient knowledge to identify the indicators of fraud; Facilitating corporate learning

11 Role & Organisational Structure Internal audit supports management by determining whether the organisation has adequate internal controls and promotes an adequate control environment. Internal audit is a centralised, independent, and objective function, it is in a prime position to address fraud risk management frameworks and to affect change. Internal audit also needs to undertake a fraud risk assessment to understand areas of potentially high fraud risk and to ensure that they are considered as part of the internal audit plan and also as part of a continuous auditing approach Different organisational structures and Internal Audit Charters affect internal audit s role and ability to achieve that role.

12 IIA Standards IIA Standard 1112: Chief Audit Executive Roles Beyond Internal Auditing (Where the chief audit executive has or is expected to have roles and/or responsibilities that fall outside of internal auditing, safeguards must be in place to limit impairments to independence or objectivity) IIA Standard 1200: Proficiency and Due Professional Care (Internal auditors must have sufficient knowledge to evaluate the risk of fraud and the manner in which it is managed by the organization, but are not expected to have the expertise of a person whose primary responsibility is detecting and investigating fraud) IIA Standard 1220: Due Professional Care (Internal auditors must exercise due professional care by considering the: Probability of significant errors, fraud, or noncompliance) IIA Standard 2060: Reporting to Senior Management and the Board (Reporting must also include significant risk and control issues, including fraud risks, governance issues, and other matters that require the attention of senior management and/or the board)

13 IIA Standard 2120: Risk Management (The internal audit activity must evaluate the effectiveness and contribute to the improvement of risk management processes - The internal audit activity must evaluate the potential for the occurrence of fraud and how the organization manages fraud risk) IIA Standard 2210: Engagement Objectives (Internal auditors must consider the probability of significant errors, fraud, noncompliance, and other exposures when developing the engagement objectives)

14 Fraud Triangle The Fraud triangle is a framework designed to explain the reasoning behind a worker's decision to commit workplace fraud. The three stages, categorised by the effect on the individual, can be summarised as pressure, opportunity and rationalisation

15 Building an Effective Internal Audit Strategy 1. Develop mission and set vision 2. Understand organisational plans and assess needs 3. Perform a strengths, weaknesses, opportunities, and threats (SWOT) analysis 4. Define initiatives to fill gaps and develop a roadmap 5. Ensure stakeholder alignment and develop communication plan 6. Identify key performance indicators (KPIs) to measure success 7. Define the critical success factors.

16 So does internal audit have an effective game plan? 1. Conformance to the IIA Standards 2. Fraud risk assessments 3. Continuous auditing 4. Assurance mapping 5. Relationship with 2 nd line of defence assurance functions 6. Understanding of the fraud triangle 7. Awareness of and involvement in compliance with key legislation e.g. Financial Crime, Bribery Act, Money Laundering etc. 8. Whistleblowing investigating allegations, gatekeeper role 9. Secure management support 10. Build internal audit strategy that aligns to the organisations strategy

17 Chartered Institute of Internal Auditors, UK and Ireland, official