Fraud Symptom 9 – Ineffective Internal Audit Function

2010 Report to the Nations on Occupational Fraud and Abuse issued by ACFE mentions that 40% of the frauds are detected by anonymous tips from hotlines, 15% by management review and 14% by internal audit function. Secondly, the report categories fraud in three types. It states, “21% were caused by asset misappropriation schemes, 11% by corruption and 68% by fraudulent financial statements.” This clearly highlights the importance of internal audit function in preventing and detecting frauds especially financial statement frauds.

Additionally, the report states – “The median duration — the time period from when the fraud first occurred to when it was discovered — for all cases in our study was 18 months. Not surprisingly, cases involving financial statement fraud — the most costly form of fraud — lasted the longest, with a median duration of 27 months.” That is a long time, and during this period, an internal audit function would ideally have done at least a dozen audits on various aspects of financial statements. However, the question arises as to why the internal audit function fails to detect frauds.

1.    Organization Reporting Structure

 The internal audit head reports to the Chief Financial Officer (CFO). Now, in majority of the financial statement frauds the CFO is involved. Hence, in all probability even when internal auditors are aware of the wrongdoings they will not report the same to the CEO.

The second situation is that the internal audit head reports to another business head and not the CEO. In this case, a similar situation will arise, as the internal audit head is under control of a business head. If the business head is perpetuating frauds nothing will be reported. The ACFE reports states – “High-level perpetrators cause the greatest damage to their organizations. Frauds committed by owners/executives were more than three times as costly as frauds committed by managers, and more than nine times as costly as employee frauds. Executive-level frauds also took much longer to detect.”

 Hence, in such scenarios the CEO/ Board and Audit Committee are unlikely to have fraud cases reported to them.

2.    Collusion with Business Teams

 Auditing is a thankless job and auditors rarely win a popularity contest. The audit report is a proverbial hot potato – too blistering to handle. On the flip side, if auditors are winning popularity contests then they do so by issuing nice and sweet reports with no serious observations.

In such situations, the audit teams compromise their ethics and independence to cater to business teams and their own personal agendas. Though the role of internal audit function is to inform senior management and audit committee about serious breaches and wrong doings, the auditors do not report such instances. The internal auditors’ job is to identify discrepancies and challenge business teams to provide appropriate explanations and evidence. Instead, they colluded with the business teams to hide the serious discrepancies and observations, and just report low category/ impact findings to senior management.  

 3.    Lack of Technical Skills

Auditing is a specialized skill and not everyone’s cup of tea. The learning curve to reach a reasonable proficiency level is steep. In India, experienced chartered accountants generally lead the internal audit function in organizations. However, the catch is that either the team or the head may not have sufficient experience in conducting highly technical audits or detecting frauds.

The issue is so critical that the US PCAOB “requires independent auditors to evaluate the fraud-related activities of an internal audit function on an annual basis. If this evaluation finds an internal audit function to be deficient, the independent auditor must, at a minimum, issue a finding of a significant deficiency to the audit committee. The auditors must issue an adverse opinion if they conclude that the deficiencies rise to a material weakness.”

 However, it is extremely rare for an external auditor to report the deficiency and/ or management to conduct an independent review of the function.

Recommendations

 a)            Management must evaluate their commitment to internal audit and overall risk management functions. To do so, they can do a quick run of the 15 points mentioned in the post “Senior management commitment to risk management functions.”

b)           Big 4 and other audit firms conduct a review of the internal audit function to determine its competency and effectiveness. It is advisable if management wishes to improve the function, they benchmark it against the best practices followed in the industry.

c)            The quality of the reports submitted by the internal audit function needs to be evaluated. Ideally, no news is good news. However, the same cannot be assumed for internal audit reports. Depending on the industry, each organization faces certain inherent risks. If these are not being reported to senior management, then the likelihood of internal audit function collaborating with business teams to hide facts is high.

References:

2010 Report to the Nations on Occupational Fraud and Abuse issued by ACFE

To read more of Fraud Symptoms series, click here.

Advertisements