Fraud up! Findings from “Fraud is on the rise: step up to the challenge”

The disruption caused by the Covid-19 pandemic, followed by the impacts of the war in Ukraine, rising inflation and the cost-of-living crisis, mean that the temptations and opportunities for fraud have both risen significantly. In this context, the Chartered IIA’s latest thought-leadership report “Fraud is on the rise: step up to the challenge” urges organisations and internal audit functions to raise their game in relation to fraud prevention and detection.

Assess fraud risk

The research found that, while organisations recognise fraud as an important risk area, the response to it is inconsistent. For instance, while most organisations who participated in the roundtable discussions organised as part of the research had conducted a fraud risk assessment, some didn’t or hadn’t reviewed it recently. Conducting a robust fraud risk assessment, and reviewing it frequently in line with the environment in which the organisation operates, is crucial. It is a basic requirement for any fraud prevention and detection strategy, and all organisations should have one.

Internal audit’s primary responsibility in relation to fraud is to provide objective and independent assurance that the organisation has conducted a thorough fraud risk assessment, and that the internal controls put in place in response to this assessment are adequate and effective. When doing this, internal auditors should consider the internal and external factors that could drive or heighten the risk of fraud and control failures.

Anticipate fraud

Another key message from the report is a call for internal auditors to anticipate fraud better. In periods of heightened volatility, internal audit should revisit the key elements of the fraud triangle (opportunity, motivation and rationalisation) to predict where the risk may occur. This includes considering factors such as staff turnover and how this reduces the effectiveness of the control environment (opportunity);
the increased costs of living that puts pressure on staff finances and tempts people to commit fraud (motivation) so that they can put food on the table (rationalisation).

Where internal audit adds value

The report highlights areas where internal audit can add value to organisations in relation to fraud. One increasingly important area is that internal auditors can use their skills and knowledge of the organisation to support data analysis in search of potential anomalies. They can also make sure that the first and second lines understand the processes and controls that have been put in place to prevent or detect fraud, and why they are running them.

Internal auditors can help to drive curiosity across the business so that people think about the processes and controls and challenge them. A few internal auditors who took part in the roundtable discussions also believed that internal audit can add value in fraud investigations. Although fraud investigation is not an area where internal audit should be directly involved, not all organisations have the resources to afford a second line fraud investigation team, and so internal audit can provide a suitable alternative – provided they hold the relevant qualifications and can remain independent and objective.

Culture is key

It is essential to develop a positive fraud awareness and prevention culture within the organisation, underpinned by a strong tone from the top. The onus is on boards and senior management teams to develop anti-fraud policies, processes and controls that they will live by; discuss fraud-related issues openly and transparently with employees who know they can raise concerns without fear of retaliation; and deliver the message that internal controls to prevent and detect fraud are used to protect staff as well as the organisation.

Ensuring there are adequate whistleblowing or speak-up mechanisms in the organisation is a core element of a healthy fraud culture and employees should be encouraged to use these channels. Internal auditors have an important cultural role to play. First, they can help to raise awareness around fraud across the organisation, including around the need for well-designed and operating speak-up channels. Second, they can also help to reduce negativity attached to fraud by depersonalising the processes and controls when talking about it.

Regulatory expectations

In the past couple of years, we have seen several major corporate collapses linked to fraud. This has led to increased scrutiny from government, regulators and the public on how organisations are managing and responding to fraud risk. New rules and regulations such as the Economic Crime Act 2022 and the BEIS White Paper on Audit Reforms have been put in place to try to protect organisations, investors, employees, customers and the wider public against fraud.

Notably, there are also increasing regulatory pressures for company directors to take greater responsibility for ensuring there are robust controls in place to prevent and detect fraud. In turn, this is likely to mean company directors will require more assurance and comfort from their internal auditors regarding fraud. So, organisations
and internal audit functions should keep abreast of these changes and assess how they might impact the way their business operates.
Fraud risk is evolving

The risk of fraud is constantly evolving so organisations and internal audit functions must keep their fingers on the pulse to ensure they can adequately manage and mitigate new risks. The Chartered IIA believes that internal audit should take a much more proactive approach to anticipate fraud and be more vocal about where risks may occur. A good starting point may be a conversation with the audit committee chair on the organisation’s current position in terms of fraud prevention and detection. The “Fraud is on the rise: step up to the challenge” report offers further additional advice on how to approach fraud risk.

Key takeaways from “Fraud is on the rise: step up to the challenge”

1 Fraud is on the rise. The disruption caused by the Covid-19 pandemic means that all elements in the fraud triangle have been exacerbated. This will continue because of the impacts of the war in Ukraine, rising inflation and the cost-of-living crisis.

2 The fraud regulatory landscape is changing. You should expect more scrutiny and demands for accountability from government, regulators and the public.

3 The measures included in the BEIS white paper are likely to form part of stronger rules and regulations improving the prevention, detection and reporting of fraud. There are increasing regulatory pressures for company directors to take greater responsibility for ensuring there are robust controls in place to prevent and detect fraud. This is likely to mean that company directors will require more assurance from internal audit in this area. Organisations and internal audit functions should reflect on these changes and how they may affect their policies and audit plan.

4 Boards and senior management should conduct a thorough fraud risk assessment, tailored to the business’s industry
and operations. The assessment should be refreshed periodically in line with the evolving internal and external environment.

5 Internal auditors are primarily responsible for providing objective and independent assurance to the board and senior management that the organisation has conducted an adequate fraud risk assessment and has effective internal controls to prevent and detect fraud.

6 However, we believe that internal audit functions should go beyond what is required of them in the International Standards for Professional Internal Auditing (IPPF) and Codes of Practice and take a more proactive, “big picture” approach to fraud risk. For example, internal audit should constantly revisit the fraud triangle to anticipate fraud, and should be more vocal and challenge the board and senior management about where risks may occur.

7 There are many places where internal auditors can add value in relation to fraud. One increasingly important example is that they can use their skills and knowledge of the organisation to support data analysis in search of potential anomalies.

8 Boards and senior management have a critical role to play in establishing and implementing a positive fraud culture across the organisation, underpinned by the right tone from the top. This will act as a powerful preventive control to deter people from committing fraud.

9 Part of developing a positive fraud culture means encouraging transparency and openness when talking about fraud – establishing speak-up channels where employees feel they can raise concerns without fear of retaliation, and delivering the message that internal controls to prevent and detect fraud protect staff as well as
the organisation.

10 Internal audit has an important cultural role to play by helping to raise awareness around fraud, promoting whistleblowing best practice, and acting as a trusted adviser to the board and senior management on areas that need improvement. 

This article was first published in July 2022.