Recently a Chief Audit Executive had asked me about what are the Internal Audit Standards (IPPF) which are applicable for fraud. Since it was coming from a person whom I respect, I decided to do research before a response can be given.
Here is my commentary.
1210 – Proficiency
Internal auditors must possess the knowledge, skills, and other competencies needed to perform their individual responsibilities. The internal audit activity collectively must possess or obtain the knowledge, skills, and other competencies needed to perform its responsibilities.
1210.A2 – Internal auditors must have sufficient knowledge to evaluate the risk of fraud and the manner in which it is managed by the organization, but are not expected to have the expertise of a person whose primary responsibility is detecting and investigating fraud.
Internal Auditor believes that they are not primarily responsible for fraud detection and investigation.
IPPF requires that Internal auditors must have sufficient knowledge to evaluate the risk of fraud and the manner in which it is managed by the organization. This requires internal auditors to be well versed in how a fraud can take place in the industry in which they works.
1220 – Due Professional Care
Internal auditors must apply the care and skill expected of a reasonably prudent and competent internal auditor. Due professional care does not imply infallibility.
1220.A1 – Internal auditors must exercise due professional care by considering the:
- Extent of work needed to achieve the engagement’s objectives.
- Relative complexity, materiality, or significance of matters to which assurance procedures are applied.
- Adequacy and effectiveness of governance, risk management, and control processes.
- Probability of significant errors, fraud, or noncompliance.
- Cost of assurance in relation to potential benefits.
Commentary:
Internal Auditors need to identify controls present or absence thereof, for fraud prevention, and fraud detection, test the controls if they are present, define procedures to detect a fraud, if it has been committed.
Internal auditor’s main argument that nothing can prevent occurrence of fraud in case of a collusion. True. However lack of appropriate controls can always be reported upon as well as results of testing of controls which are designed.
Test of fraud related controls (prevention/ detection/ education) is required to be done as part of every engagement.
2060 – Reporting to Senior Management and the Board
The chief audit executive must report periodically to senior management and the board on the internal audit activity’s purpose, authority, responsibility, and performance relative to its plan and on its conformance with the Code of Ethics and the Standards. Reporting must also include significant risk and control issues, including fraud risks, governance issues, and other matters that require the attention of senior management and/or the board.
Commentary:
Internal Auditors need to specifically required to report on fraud risk to senior management and the board.
Some of the company may decide to report this annually, while a good practice would be to report every quarter and in every internal audit report.
USA and India, specifically requires Auditors (external auditors/ attestation auditors) to specifically plan their audit procedure to test for fraud risk. Hence companies also want their internal auditors to proactively comment on fraud risks so that management can plug the same.
2120 – Risk Management
The internal audit activity must evaluate the effectiveness and contribute to the improvement of risk management processes.
2120.A2 – The internal audit activity must evaluate the potential for the occurrence of fraud and how the organization manages fraud risk.
Commentary:
Internal Auditors need to evaluate/ test the effectiveness of controls are absence thereof. It will require controls related to fraud prevention, fraud detection, fraud reporting, corrective actions if any.
2210 – Engagement Objectives
Objectives must be established for each engagement.
2210.A2 – Internal auditors must consider the probability of significant errors, fraud, noncompliance, and other exposures when developing the engagement objectives.
Commentary:
Internal Auditors need to assume that there is a possibility of fraud in every engagement. Accordingly they need to incorporate procedures to detect a fraud, testing of controls related to fraud risk.
Cases where management want internal audit to comment on one or more specific risks, it will be in the interest of Internal Auditor to also comment on fraud risk in those engagement areas.
IPPF glossary
Engagement A specific internal audit engagement, task, or review activity, such as an internal audit, control self-assessment review, fraud examination, or consultancy. An engagement may include multiple tasks or activities designed to accomplish a specific set of related objectives.
Fraud Any illegal act characterized by deceit, concealment, or violation of trust. These acts are not dependent upon the threat of violence or physical force. Frauds are perpetrated by parties and organizations to obtain money, property, or services; to avoid payment or loss of services; or to secure personal or business advantage.
IIA has come out with a Practice Guide in 2009 dealing with this subject. please see link below: (you need to be a member to access the document)
Ref: Practice Guide: Internal Auditing and Fraud
Call for action:
Inputs/ comments/ suggestion: I welcome inputs/ comments / suggestions from readers on how to approach this issue. Feel free to correct me, educate me.
Share the Article: If you like it, share it. If you share it with others, and they comment, we all will get more learned.
(Disclaimer: The views expressed constitute the opinion of the author and the author alone; they do not represent the views and opinions of the author ’s employers, supervisors, nor do they represent the view of organizations, businesses or institutions the author is, or has been a part of.)