Kroll, a division of Duff & Phelps; The Institute of Internal Auditors (IIA); and the Internal Audit Foundation, the nonprofit research and publishing arm of The IIA, have found in a new research report, “Fraud Risk Management in Internal Audit,” that greater empowerment of and increased investment in internal audit can have a significant impact on the effectiveness of fraud risk management programs.
The report, based on a survey of over 700 internal audit professionals across the globe and across industries, reveals that the vast majority (80 percent) of internal auditors are facing barriers to being involved in managing fraud risk, despite almost two thirds (62 percent) saying they had seen an increase in fraud incidents over the past five years.
Matthew Weitz, Associate Managing Director at Kroll, comments: “Internal auditors are facing a challenging landscape and an unclear future. Risk profiles are changing and fraud threats are continuously evolving. In the current conditions of a looming financial crisis, increased pressure on individuals and companies, when combined with rapidly shifting management focus, can lead to a perfect storm for fraud to occur and go undetected. In this environment, careful consideration of fraud risk management is more important than ever.”
“Following recent scrutiny of the external audit profession, the focus is turning to companies’ internal defences against fraud, of which internal audit can be a key participant. If internal audit is given a clearer and stronger mandate in feeding into strategic fraud risk management, then it can add significant value and ultimately contribute to reducing incidents of fraud. Furthermore, by enlisting more support from internal audit, fraud can be detected quicker, and investigation and remediation can be carried out when issues occur. To make this happen, there needs to be more buy-in from senior management, adequate resource allocation, and recruitment of people with the right skillsets.”
The report shows a clear disconnect between fraud risk assessment and resulting strategic plans. Almost half of survey respondents felt that internal audit teams were not part of enterprise-wide strategic decision making, even though 91 percent said that they had at least some role in assessing fraud risk.
Where internal audit was part of the strategic risk management of fraud, the process was perceived as more effective overall. The share of respondents who felt that their organisation’s risk management process was ‘very good’ or ‘excellent’ rose from 31 percent among those who were ‘very involved’ in fraud risk management to 60 percent among those who were ‘extremely involved’.
For those respondents who said they were ‘minimally involved’ or ‘not involved’ in the fraud risk management process, only 12 percent felt that their effectiveness was ‘very good’ or ‘excellent’, with over half stating that overall the fraud risk management program was fair or poor.
A third (33 percent) of respondents said a lack of resources was the biggest obstacle to internal audit being more involved in fraud risk management processes. A further one in four (23 percent) cited lack of mandate as the most significant barrier, followed by one in five (21 percent) who cited concerns over potential conflicts of interest.
In a webinar quick poll of 1,750 internal auditors conducted by Kroll and The IIA in July 2020, it was revealed that two thirds (65 percent) of internal audit professionals felt that COVID-19, remote working, and financial strains would result in an increased risk of fraud. Over three quarters (77 percent) agreed that, if internal audit was more involved in strategic fraud risk management, the fraud risk management process would improve.
Richard F. Chambers, President and CEO of The Institute of Internal Auditors, comments: “It is vital for organizations of all sizes and industries to have boards, executive management, and internal audit leaders who are well aligned in their approach to managing risk, including fraud. Internal audit plays a critical role, with other surveys supporting these findings that, when internal audit is involved, the impact of fraud is lessened. That’s because internal audit is well-positioned due to its enterprise-wide view of an organization to identify vulnerabilities for potential fraud and, in some cases, even to investigate. What’s clear is that internal auditors know how to follow the risks. But they must have the resources to assess the exposure to potential fraud, ensure internal controls are in place and effective to limit such risks, and to offer assurance that risk management processes are robust and appropriately implemented.”