A new Knowledge Alert from the Audit Executive Center provides insight into the efforts of organizations to manage growing fraud risks and details leading practices CAEs can adopt to facilitate these efforts, as mandated by professional standards.
A new Knowledge Alert from The IIA’s Audit Executive Center provides CAEs with insight into the collective efforts of hundreds of organizations to mitigate the growing risk of fraudulent activities by employees and outsiders alike. More significantly, the 24-page document also provides CAEs with additional guidance and leading practices on discharging their vital fraud awareness, prevention, and detection responsibilities under the International Standards for the Professional Practice of Internal Auditing (Standards).
Emerging Trends in Fraud Risks is based on the survey responses of 293 audit executives from organizations of varying sizes across a broad spectrum of industries. The four high-level findings detailed in this Knowledge Alert — all of which respondents expect to remain valid for at least a year — are:
There has been a significant increase of fraud occurrences in responding organizations since the onset of the economic crisis in 2008.
Employee-related fraud had a significant negative impact on respondents’ organizations during the recent recession.
Respondents perceive that internal auditing can add value to fraud risk management efforts through assurance and consulting activities.
Programs designed to manage fraud risks are becoming a higher priority among responding organizations.
More specifically, among the 31 percent of respondents from organizations where instances of fraud were detected during 2008-2009, 43 percent report that fraud occurrences increased from 1 percent to 10 percent; 28 percent indicate fraud increased from 11 percent to 20 percent; and 14 percent say fraud increased by more than 20 percent. Theft of company property and resources (including proprietary information) is the fastest-growing fraud reported by respondents, followed by embezzlement (including expense-account fraud) and third-party/vendor fraud.
The majority of responding organizations (76 percent) have implemented a program designed to manage fraud risks — 34 percent formal and 42 percent informal in nature. These programs most commonly feature processes for detecting fraud as well as policies on and procedures for reporting suspected frauds. The Knowledge Alert details eight leading practices implemented by responding organizations to better ensure the effectiveness of their fraud management efforts:
Ensure that the fraud-management effort is well-publicized and has a dedicated role for monitoring compliance with program policies and procedures commensurate with the organization’s business model.
Ensure the effectiveness of established controls or control processes.
Encourage a strong tone at the top in support of the fraud management effort.
Ensure internal audit plans encompass key fraud prevention activities.
Engage in effective activities pertaining to management, such as providing management training on internal control procedures, fostering ongoing communication among senior management, and sharing information to educate the organization’s leadership regarding its role and responsibility to deter and detect fraud.
Implement a code of conduct or ethics program for all staff that is part of the organization's corporate governance structure.
Perform an annual fraud risk assessment and control self-assessment.
Implement or increase enterprise risk management efforts.
Similarly, to better ensure the effectiveness of the organization’s fraud prevention efforts, CAEs should recommend establishment of the following key fraud prevention elements, as described by survey respondents:
A strong control environment that includes a code of conduct, ethics policy, or fraud policy to set the appropriate tone at the top; an ethics and compliance hotline or program to report concerns; supportive hiring and promotion guidelines and practices; and oversight by the audit committee, board, or other oversight body.
A risk assessment that considers fraud risk factors and fraud schemes.
Control activities such as policies and procedures for business processes including appropriate authority limits and segregation of duties.
Information and communication to promote the importance of the fraud management program and the organization’s position on fraud risks.
Monitoring that provides a periodic evaluation of anti-fraud controls using independent evaluations of the fraud management program by internal audit or other groups and by implementing technology to aid in continuous monitoring and detection activities.
Leading internal audit practices detailed in the Knowledge Alert for helping the board and management discharge their responsibility for deterring fraud are:
Increasing fraud awareness, communication, and training throughout the organization.
Reviewing systems in place and their corresponding policies, procedures, and controls.
Performing regularly scheduled audits that monitor high-risk areas.
Reviewing audit-specific financial activities.
Implementing a continuous audit process.
Performing risk assessments and risk-based audits.
Increasing the level of coordination and cooperation with internal and external groups and other programs within the organization.
Increasing fraud awareness, communication, and training at all levels of management.
Conducting or assisting in fraud investigations.
Performing data analysis and mining.
The Knowledge Report’s appendices contain a list of 20 questions CAEs should ask about fraud on a regular basis to enhance the organization’s fraud management program or efforts, as well as a list of the key fraud management oversight functions of entities ranging from the board of directors to rank-and-file employees.
Last December, The IIA released a 42-page Practice Guide, Internal Auditing and Fraud (free PDF for IIA members), to help CAEs and their staffs discharge their fraud-related professional obligations under the Standards. The Institute simultaneously published a 27-page Global Technology Audit Guide, Fraud Prevention and Detection in an Automated World (free PDF for IIA members), to provide CAEs with an overview of IT-related fraud risks as well as techniques for effectively engaging technology to assess risks related to fraud