Fraud has a very broad definition, explains Abigail Harper, Head of Risk and Internal Audit, who specialises in setting up global risk management and audit functions in the retail, manufacturing and hospitality sectors. “Essentially, that is: wrongful or criminal deception for financial or personal gain. As such, an organisation’s fraud controls will reflect the maturity of the business, its geographical focus and the sector it works in.”

The two main categories of fraud are management override of control and general fraud. Under those umbrella headings, businesses will typically have to address:

• theft of inventory and/or cash;
• forgery – eg, of invoices or cheques;
• expenses claim fraud;
• procurement fraud – eg, ordering an excess of a product to keep some for yourself;
• payment fraud; and
• insurance fraud.

Testing controls

The Institute of Internal Auditors (IIA) recommends a three-line approach to setting fraud controls within the structure of a business. In the first line, senior managers and individual department heads are responsible for determining how the company functions. In the second line are control and checking functions, encompassing health and safety checks, finance controls, compliance and legal. Then, separate from those, there is the third line: internal audit. For financial controls, external audit could be considered as the fourth line.

“It is not an internal auditor’s role to identify fraud,” Harper stresses. “Internal audit’s role is to give assurance to key stakeholders that the organisation’s controls are designed effectively and operating efficiently. Where necessary, it also makes recommendations for improvement that aim to address the ‘root cause’: the underlying issue that sparks the entire cause-and-effect reaction that ultimately leads to the problem and its subsequent correction.”

Harper notes that if the internal audit team identifies something that looks unusual, or tests a control and finds out that it isn’t working – which may mean that it is ineffectively designed, not operating as designed or missing – it is normal for the team to investigate further to understand what has happened and pinpoint the root cause.

As such, while internal audit is not responsible for detecting fraud, it is more likely to spot fraud risks because it has an unbiased, objective perspective on the process. That sets internal audit apart from managers who operate the controls and are immersed in the detail. In other words, internal audit provides a fresh set of eyes – particularly when control points straddle multiple departments, which is typically where they are at their weakest.

Greater assurance

For Harper, the scope of fraud risks and the mitigating controls within the process are shaped by the maturity of the business, its scale and the industry in which it works. 

“US listed businesses must abide by the 2002 Sarbanes-Oxley Act (US SOX) and report on their financial control environments,” Harper explains. “In the UK, listed businesses are required to produce annual financial statements, whereby the Audit Committee Chair comments on the company’s control environment. Currently, BEIS is in the process of introducing regulations colloquially known as ‘UK SOX’ to strengthen governance around financial controls and require businesses that meet the relevant criteria to report on their financial control environments.” 

Harper points out that, regardless of a company’s size, fraud risk related to management override of control can typically be reduced by strong governance, tone at the top, segregation of duties and layers of review – one example being a requirement for two signatures on payments above a specific financial threshold. “For smaller, entrepreneurial businesses that tend to be lean on staff, those measures can be more challenging to implement,” she says. “However, other steps can be introduced, typically around detective controls.” 

From a governance, culture and automation perspective, Harper notes, internal auditors have a broader array of tools at their disposal to analyse controls more quickly and therefore provide stakeholders with that additional assurance.

“Internal auditors are seeing a gradual strengthening of governance and controls across the range of industries, which is evident from the introduction of UK SOX,” says Harper. “Data analytics is an important skillset for equipping internal auditors to analyse information quickly and effectively, identify anomalies and target samples for testing. That enhances the quality of their work and the value they can bring to a business.”

In that sense, internal audit and controls testing help to assure stakeholders that large corporates are assessing their systems and processes to ensure appropriate and effective controls are embedded. They also shine a light on how companies are carrying out those assessments, and whether any improvements are required.

“This is similar to performing internal health checks and can therefore support operational and data integrity,” Harper says. “In a more entrepreneurial context, internal audit provides managers with a framework for assessing the effectiveness of their company’s controls – especially in businesses that are experiencing exponential growth and could organically outpace their controls very quickly. So, the effects of stronger governance are all positive developments. With entrepreneurial companies, electing for an internal audit function when it isn’t mandatory could give stakeholders greater assurance on your controls.”

Digital footprints

Harper explains that internal audit’s role in a company’s response to fraud is determined by how the issue is discovered. For example, a corporate whistleblowing platform allows staff to report issues such as fraud. A platform would typically have three end contacts – one each from the legal, internal audit and HR functions. The Audit Committee Chair may also be elected as a contact. This brings independence and objectivity to the process of investigating reported potential fraud: the legal team is bound by laws and regulations, internal audit is independent of management and not responsible for running the business and HR is there in case the call to the hotline is specifically HR related. 

Harper says that the response to identified or reported potential fraud depends upon the nature and scale of the issue. “If an employee is committing financial fraud, then from an anti-money laundering perspective, it’s illegal to tip them off. From a legal standpoint, you have to be trained to interview staff and take evidence from them in order to comply with laws and regulations.” 

Most often, the response would be led by the legal team, Harper explains. However, internal audit can still write an unbiased, factual statement on the control environment at the heart of the issue, if relevant. In cases of complex fraud, a company would most likely bring in a third-party forensic accountant.

From the internal audit side, Harper notes, the aim will always be to improve processes. “Quite often after fraud, management will hold a ‘lessons-learned’ or ‘wash-up’ exercise. This provides an opportunity to carry out a debrief on what happened and correct any control failures identified, with the aim of preventing a repeat of the fraud. Then, a few months later, internal audit will come in and re-test the modifications. So, in itself, a lessons-learned exercise is a type of control to address fraud.”

The digital boom has sparked lots of changes to internal audit, Harper explains. Manual processes are quite challenging to check in cases where there’s no paperwork, but with automation there are digital footprints where people log in and out of systems. 

“Data can be recalled if it’s backed up in the cloud. Given the increase in automation, internal auditors are more reliant on information technology general controls (ITGC). So, it is important to ensure that these tests are built into the audit plan. In parallel, internal audit has seen a growing body of legislation emerge around governance – setting standards for documentation and regular risk-management exercises. Those measures all help to support and strengthen controls against fraud.”

In addition, Harper notes, changes in reporting require companies to include risks and uncertainties in their financial statements.

“Much of how fraud occurs comes down to culture,” she adds. “Are you zero-tolerant? Do you have the right policies in place to hold people accountable? And to support adherence, are there consequences if employees fail to follow the defined process and control points? As a preventative control, a strong tone at the top supports compliance and may reduce the likelihood of potential fraud within the business.”

For further details on this topic, please visit ICAEW’s fraud advisory resources.