Fraud Symptom 9 – Ineffective Internal Audit Function

The 2010 Report to the Nations on Occupational Fraud and Abuse issued by ACFE mentions that 40% of frauds are detected by anonymous tips from hotlines, 15% by management review and 14% by the internal audit function. Secondly, the report categorizes fraud into three types. It states, “21% were caused by asset misappropriation schemes, 11% by corruption and 68% by fraudulent financial statements.” This clearly highlights the importance of the internal audit function in preventing and detecting frauds, especially financial statement frauds.

Additionally, the report states – “The median duration — the time period from when the fraud first occurred to when it was discovered — for all cases in our study was 18 months. Not surprisingly, cases involving financial statement fraud — the most costly form of fraud — lasted the longest, with a median duration of 27 months.” That is a long time, and during this period, an internal audit function would ideally have done at least a dozen audits on various aspects of financial statements. However, the question arises as to why the internal audit function fails to detect frauds.

1.    Organization Reporting Structure

The first situation is that the internal audit head reports to the Chief Financial Officer (CFO). Now, in the majority of financial statement frauds the CFO is involved. Hence, in all probability, even when internal auditors are aware of the wrongdoings they will not report them to the CEO.

The second situation is that the internal audit head reports to another business head and not the CEO. In this case, a similar situation will arise, as the internal audit head is under the control of a business head. If the business head is perpetrating frauds, nothing will be reported. The ACFE report states – “High-level perpetrators cause the greatest damage to their organizations. Frauds committed by owners/executives were more than three times as costly as frauds committed by managers, and more than nine times as costly as employee frauds. Executive-level frauds also took much longer to detect.”

Hence, in such scenarios the CEO/Board and Audit Committee are unlikely to have fraud cases reported to them.

2.    Collusion with Business Teams

 Auditing is a thankless job and auditors rarely win a popularity contest. The audit report is a proverbial hot potato – too blistering to handle. On the flip side, if auditors are winning popularity contests then they do so by issuing nice and sweet reports with no serious observations.

In such situations, the audit teams compromise their ethics and independence to cater to business teams and their own personal agendas. Though the role of the internal audit function is to inform senior management and the audit committee about serious breaches and wrongdoings, the auditors do not report such instances. The internal auditors’ job is to identify discrepancies and challenge business teams to provide appropriate explanations and evidence. Instead, they collude with the business teams to hide the serious discrepancies and observations, and report only low-category, low-impact findings to senior management.

3.    Lack of Technical Skills

Auditing is a specialized skill and not everyone’s cup of tea. The learning curve to reach a reasonable proficiency level is steep. In India, experienced chartered accountants generally lead the internal audit function in organizations. However, the catch is that either the team or the head may not have sufficient experience in conducting highly technical audits or detecting frauds.

The issue is so critical that the US PCAOB “requires independent auditors to evaluate the fraud-related activities of an internal audit function on an annual basis. If this evaluation finds an internal audit function to be deficient, the independent auditor must, at a minimum, issue a finding of a significant deficiency to the audit committee. The auditors must issue an adverse opinion if they conclude that the deficiencies rise to a material weakness.”

However, it is extremely rare for an external auditor to report the deficiency or for management to conduct an independent review of the function.


a)    Management must evaluate their commitment to internal audit and overall risk management functions. To do so, they can quickly run through the 15 points mentioned in the post “Senior management commitment to risk management functions.”

b)    Big 4 and other audit firms conduct reviews of the internal audit function to determine its competency and effectiveness. If management wishes to improve the function, it is advisable to benchmark it against the best practices followed in the industry.

c)    The quality of the reports submitted by the internal audit function needs to be evaluated. Ideally, no news is good news. However, the same cannot be assumed for internal audit reports. Depending on the industry, each organization faces certain inherent risks. If these are not being reported to senior management, then the likelihood of the internal audit function collaborating with business teams to hide facts is high.


2010 Report to the Nations on Occupational Fraud and Abuse issued by ACFE


Fraud Symptom 8- Breaches of Internal Controls

The Enron case highlighted that inadequate internal controls cause huge damage to the organization. Subsequently, section 404 of the Sarbanes-Oxley Act made it mandatory for organizations to implement good internal controls. However, don’t view internal controls in isolation from the organization culture. As I have mentioned before, the internal controls of an organization are as good as its culture. The probability of a breach of internal controls is higher in negative cultures. (Read Impact of Organization Culture on Internal Controls). In this post, though, I am focusing solely on internal controls without linking them to the organization culture.

As the organizations expanded and grew, the focus on internal controls reduced. When we consider the bigger fraud cases, Enron, WorldCom, Barings etc., the organizations’ management committed one or a combination of the following mistakes.

a) Management stopped old control systems without introducing new control systems.

b) In some cases, management continued to use old systems without conducting a review to assess their reliability and usability.

c) On the other hand, in some companies management relied on new systems without assessing their accuracy and timeliness.

d) Lastly, management assigned roles and responsibilities without segregating duties and defining clear reporting lines.

In a nutshell, one can say that management lacked focus on implementing internal controls. Due to these weaknesses in the internal control systems, management and auditors failed to detect frauds committed by employees. The KPMG 2010 India Fraud Survey stated that 75% of Indian organizations experienced fraud. It further mentioned:

“Supply chain fraud (procurement, distribution and revenue leakage) is the single most exposed area. Weak internal control systems, eroding ethical values and a reluctance on the part of the line managers to take decisive action against the perpetrators are cited as the most vital underlying reasons for frauds being on the rise.”

So let me start with the ways lapses in internal controls in the purchasing process can result in huge fraud. The Commonwealth Games fraud depicts the methods that are used to tamper with the purchasing process. Here are some examples, which apply to organizations:

1.    Contracts awarded without ensuring reasonableness of requirements – The basic premise of issuing a purchase contract is that there is a business requirement for a specific good or service. Breaches of internal controls occur when employees create unnecessary requirements to favor a certain vendor. To illustrate, in India the terrorist threat is high; however, there has not been any major incident of an office premises being targeted. Now let us say the physical security team plays on the nerves of senior management, since security is essential, and creates many unnecessary requests for equipment. For example, it requests automobile blocking ramps at gates, which may not be used in any other offices. Each installation costs lakhs, and the physical security team gets kickbacks from the vendor for the contract.

 Another way of circumventing the controls is to order in excess of requirement. For example, the organization needs 100 units of X product and the order is given for 200 units. Now since the business requirement is met, the excess stock will be ignored. Either the concerned employee can get the excess stock delivered outside the office for personal use or if delivered in office steal the stock later on.

2.    Contracts awarded without ensuring reasonableness of rates – Normally the bidder with the lowest rates and best quality gets the contract. Multiple vendors are invited to submit quotes. However, the purchasing team can easily breach the internal controls by doing false paperwork. Let us say that X vendor quoted the most reasonable price for a product. However, the purchasing team has tied up with Y vendor. Hence, it just discards the documents submitted by X vendor and produces two additional sets of bidding documents in which Y vendor is reflected in the best light.

3.    Payments made without receiving goods and services – The purchase contract states the payment terms. Advance payments amount to 10-20% of the total purchase price. The payments team in the finance section can contravene this control by making advance payments for 70-80% of the contract without receiving any goods or services. This affects cash flows and the company loses interest income. The other risk is that if the vendor subsequently gives sub-standard goods or services, the company does not have many tactics for negotiating fair terms with the vendor.

4.    Contracts terminated on flimsy grounds – Most organizations invest significantly in vendor relationships since good relationships result in lower costs and better quality. However, to meet personal agendas employees can get the contracts terminated on flimsy grounds.  To illustrate, let us say the physical security team evaluates the security contract for the premises, inclusive of guarding services. Now, if the same security vendor provides services in all office locations of the organization, the cost will be lower since the vendor has economies of scale. However, the physical security team approves contracts of different vendors for different locations and terminates the contract on a yearly basis without renewing the same. The reason behind it is that the physical security team gets a kickback for every fresh contract.

 5.    Fake purchase contracts issued – In the worst-case scenario, employees can issue fake purchase contracts to vendors for meeting personal expenses. For example, let us say a physical security team has an XXX amount of budget for securing the organization. On the face of it, the team issues the contract to a guarding agency to protect an office premises. However, in reality the contract is given to spy on other employees for harassing them. In such cases, the organization suffers huge costs, as it is difficult to identify the true purpose of the contracts.


There are some key lessons to learn for senior management from these corporate disasters.

a)    Firstly, review process controls on acquisition of a new company, business or process. Conduct an independent review of controls to assess the vulnerability.

b)    Secondly, create new job descriptions with clear lines of responsibility and accountability. Remember that segregation of duties is essential for effective control. If employees are in the same positions for a long time, rotate them to ensure they don’t get too comfortable in their positions.

c)    Monitor results through key performance indicators, exception reports and budget variances.

d)    Appoint independent external auditors (big four or other reputed concern) to evaluate the controls.

e)    In the case of purchase contracts, audit the suppliers to determine the authenticity of the contracts.

f)     Conduct interviews with employees, consultants, contractors and subcontractors to assess whether kickbacks are being paid or received while entering into contracts.



KPMG India Fraud Survey Report 2010
