Honesty brokers: Internal audit and fraud

The role of internal audit in relation to fraud is complex. It is not normally the role of internal audit to detect or prevent corrupt practices directly; however, the function must ensure that management has effective systems to detect and prevent corrupt practices within the organisation. This division of roles and levels of involvement also applies in other areas, for example cybercrime, but it seems to cause confusion in the case of fraud. It is notable that the Brydon review identified fraud, and internal auditors’ responsibilities for it, as the most complex and misunderstood of all the topics it covered.

While executive management should be responsible for detecting or preventing corrupt practices, internal audit has a clear role in identifying and disseminating anti-fraud best practice, testing and monitoring anti-fraud systems along with the preventative and detective controls implemented by management, and advising on change. This is not new – the International Professional Practices Framework (IPPF) requires internal audit to evaluate the potential for the occurrence of fraud and how the organisation manages fraud risk.

However, directors have recently become more interested in their responsibility for managing fraud, and the strength of the assurance they receive, because proposals in the BEIS White Paper “Restoring trust in audit and corporate governance” include clarifying the respective roles of directors and auditors.

“It’s great to see in the BEIS consultation document that the board will effectively have to make a declaration about how they tackle fraud. It puts the responsibility very much on the second line and on management,” said Tim Le Mare, integrated risk director at Workiva.

“People are increasingly asking us how they can automate their fraud control framework. To do this they must first understand where their controls are at the moment, how they are maintained and who is responsible for them. Too often controls are dispersed throughout the business and some data is still manually processed on spreadsheets. There are multiple packages that can help, but managers need to map and understand the control basics first,” he explained.

The impetus for these requests may come from the second line, but there are also increasing questions about what the role of the third line should be, he added. This is particularly true when it comes to using data analytics to tackle fraud. “The third line can be an incubator for analytics controls that can then be rolled out to the second and first lines, where responsibility for fraud prevention sits,” he said.

Liz Sandwith, chief professional practices advisor for the Chartered IIA, questioned whether the involvement of the third line in fraud management was always seen as positive – could it lead to fears that something has gone wrong, she asked. But Greig Allen, regional sales director at Workiva, disagreed.

“I think if the third line is not involved then non-executives and managers should ask questions about why this is,” he said. “Non-executives tend to like it because they can see the mix of skills it brings to the conversation. You need people who understand the controls as well as those who understand fraud to work together.”

This is far more powerful for stopping problems from occurring in the first place, he added. “It’s proactive. It’s far better to ask ‘if there were a fraud here what would happen and what would we do’, than to investigate it after the event. The board should be comforted by the presence of internal audit in the discussion.” 


Participants at the roundtable debated a series of topics relevant to the fraud agenda

“This is complicated. It’s more about raising interest and finding out whether everyone understands what the risks and controls are.”

“You need to be very clear. Fraud risk management is not the same as investigating fraud. You can’t investigate until something has happened. In theory, internal audit should be involved in the risk that a fraud could happen, but it can’t manage the implementation of controls. We’ve seen that if we do fraud risk assessment, the business doesn’t. You need to define the segregation of duties.”

“Internal audit can view all the incidents and then decide what the risk from these is and what more the organisation should be doing to mitigate them.”


Should internal audit ask more questions about training around ethics and the culture of the organisation? Do people in the organisation know that fraud is unacceptable behaviour and that there will be consequences?

“Consequences are very important. In the UK, it’s very hard to get the police involved to investigate suspected fraud. In the US the police get involved very quickly.”

“Some cultures are proactive and some are reactive. Too many companies wait for something to happen and then think about the consequences.”

“In many companies fraudsters are not prosecuted – they just get shown the door quietly and go on to work for another company. It’s incredibly frustrating. It’s painful to put in all that effort for it to lead to nothing.”


To what extent do audit committees ask for reports on how much fraud has been found and what happened afterwards?

“At our last audit committee meeting directors from four departments were present to answer questions about what they do about fraud in their area – and they were put under real pressure. But this needs to be an ongoing conversation, not a one-off. It also needs to be regular to give the board the assurance they need to meet the new obligations for statements to stakeholders.”

“In large businesses, management often use fraud statistics to take the temperature of the business and see how it’s doing. You need to triage responsibilities so different people know different levels of detail.”

“It can be useful to gauge whether levels of fraud and the quantities of fraud are rising or falling.”

“There’s a long debate over whether high or low prevalence of fraud is a good or a bad sign. High levels could mean better recognition and detection and low levels could indicate it’s being missed or swept under the carpet.”

“The effectiveness of detection systems is a good measure. I suspect fraud has existed since the origin of humanity, so falling levels may be a bad sign.”

“In my experience, when CEOs get caught in a cyber attack, the reaction is very different from when internal auditors discover an internal fraud. You need so much evidence and detail about the individuals involved to tackle fraud legally.”

“You need to look at the consequences at all levels. If the consequences are clear at the top, it sends a message through the organisation. You need to be consistent.”


What is the role of training?

“Training will help to stop people doing something that they hadn’t realised was wrong, but it won’t stop those who intend to do wrong things.”

“You need to consider the behaviour of people, plus the reaction to a discovered fraud, plus consequences. You can’t have just one or another – it’s a full circle. You need to know how senior management feels about it and then go down the chain through policies, procedures and controls and then ensure there are visible consequences. You need all of these together.”

“Think through all the key potential areas of fraud the company is exposed to and then look at the framework of training around that. How do you train people about the risks and what is acceptable?”

“It’s about getting all the lines to talk and work together.”

“Most fraud is never identified – if you spot a £1m fraud, there has probably been billions more that you haven’t caught.”


Are there indications that people may be involved in fraud that internal audit should spot?

“How do you tell? Committing fraud is complicated and hiding money is part of it. Doing it in the office can be difficult, but doing it at home when you can have a second computer beside you and a hotline to a friend who knows how to do it is much easier. We’ve seen a lot of this in the past couple of years.”

“Putting in systematic and thorough preventative controls raises the threshold and the barriers.”

“You need to know you have systems that will alert you quickly to abnormal behaviour. That’s why sharing understanding about the control framework and the three lines is so important. I think we’re quite mature in the third line in the UK, but lack understanding in the second and first lines.”

“Risk escalates horribly quickly. If one user commits fraud in one transaction, the effect is limited, but if you have 100 users doing 100 fraudulent transactions a day you have billions of different permutations to spot.”


Key questions for internal audit

  • Does your organisation have a suitable fraud prevention and response plan that enables a swift response when fraud is identified, limits its consequences and supports ongoing management of the situation (including digital data)?
  • Is the risk of fraud included in the internal audit plan and in each audit assignment to evaluate the adequacy of anti-fraud controls?
  • Where does responsibility for strategic fraud risk management lie within the organisation, and what is the role of internal audit in preventing, detecting and investigating fraud?
  • To what extent does internal audit undertake audits of fraud prevention in your organisation?
  • Is internal audit involved in your organisation’s continuous programme of fraud awareness and training for new and existing staff?

The attendees

Richard Brasher - vice-president, corporate audit, LKQ Corporation

Giles Parratt - director of audit, TIAA

Patrick Garnier-Ramirez - group head of internal audit, SThree

Sharon McCarthy - director, corporate assurance, Highways England

David Lynam - senior director, corporate audit Europe, LKQ Corporation

Margaret Honkisz - senior director, corporate audit, LKQ Corporation

Marta Pericoli - quality assurance manager, corporate audit, LKQ Corporation

Tim Le Mare - integrated risk director, Workiva

Greig Allen - regional sales director, Workiva

Liz Sandwith - chief professional practices advisor, Chartered IIA

This article was published in January 2022.