JUST WHAT IS INTERNAL AUDITING'S RESPONSIBILITY for preventing
and detecting fraud? That's a thorny question, but one addressed
very clearly in The IIA's International Standards for the
Professional Practice of Internal Auditing (Standards). In essence, the
principle is this: Internal auditing has a role to play, but the primary
responsibility falls on management. Although this sounds simple in
theory, the problem lies in communicating that message to management.
"There's no question that many managers assume internal
auditing is responsible for detecting fraud," says Tom Tobin, an
internal auditor working in the Canadian public sector. "That
perception is a communication challenge for internal auditing. We may
have defined a role for ourselves, but we haven't necessarily
communicated it well to stakeholders, or gained the agreement of
management."
Other auditors around the world have the same problem. "The
view of my audit committee and senior management is that internal
auditing is responsible for fraud, even though I have been trying to
educate them about that for two years," one UK chief audit
executive told attendees at a forum held in London last year. Other
leading auditors at the same event said that nobody in their
organization wanted to talk about fraud. It was like a taboo. Some
called it the "f-word." They were worried that the default
management view--that fraud is internal auditing's job--was
deep-rooted and nearly impossible to change.
At many organizations, an expectations gap often exists between
management's understanding of internal auditing's
responsibilities and the department's own views. Although
auditing's fraud role may differ from one organization to the next,
many practitioners have a developed understanding of what their role is
in their particular firm. The challenge they face is getting managers to
understand where internal audit responsibility for fraud ends and where
management responsibility starts, and eliminating the disconnect in
between.
THE EXPECTATIONS GAP
Seasoned fraud investigator Andrew Durant has seen many cases where
a lack of clarity about internal auditing and management responsibility
for fraud has made an organization more vulnerable to fraud, or has even
been a contributing factor. He cites one business where management
had specific ideas about the role of internal auditing, which were
different from the view auditing had of its own role. This caused
problems when the company made an acquisition. Internal auditing
reviewed the bought business and flagged a few problems, "but as
far as management was concerned that was it," Durant says.
"They didn't see a need to delve any deeper themselves, as
internal auditing had said everything was pretty much all right."
But Durant, managing director of disputes and investigations at the
London offices of Navigant Consulting, says there were significant
problems with the new business that internal auditing didn't spot
because its methodology was not designed to detect fraud. Eventually, a
new financial controller discovered a huge hole in the company's
accounts--it was being defrauded to the tune of 2 million pounds per
quarter. "When questioned about why it took so long for these
problems to come to light, management's response was 'well the
external auditors signed the accounts and internal auditing said
everything was all right,'" Durant says.
Did the internal auditors fail that company, or did management make
incorrect assumptions about the assignment auditing carried out, and
about its role more widely? It's impossible to say. One thing,
however, is clear: The idea that fraud can just be left to internal
auditing doesn't fit with The IIA's Standards. Standard
1210.A2 states that the internal auditor "should have sufficient
knowledge to identify the indicators of fraud but is not expected to
have the expertise of a person whose primary responsibility is detecting
and investigating fraud." Two related practice advisories flesh out
internal auditing's fraud detection role and its fraud
investigation role. The first of these discusses the need to be aware of
fraud risks and to know about the indicators and flags that suggest a
fraud may have been committed, but stresses that "internal auditors
are not expected to detect fraud and irregularities."
The IIA-UK and Ireland produced a useful position paper on fraud in
2003. The paper states that "the primary responsibility for the
prevention, detection, and investigation of fraud rests with management,
which also has the responsibility to manage the risk of fraud." But
it also acknowledges that most people think this is what internal
auditing does and adds: "There is, therefore, an expectations gap
that needs to be managed."
Fraud training consultant Courtenay Thompson has helped many
internal auditors to bridge that gap. "One of our recommendations
is that they never say it is not their job to detect fraud," he
says. "No one wants to hear 'it's not my job.'"
In fact, if a big fraud occurs in an area of the organization just
reviewed by internal auditing, Thompson says it's very likely that
others will expect auditors to have detected it. But beyond that, he
says, the role internal auditing plays depends largely on what
management and the audit committee want it to be. "There are many
different roles taken by internal audit departments, ranging from
distancing themselves from fraud to taking full responsibility for
investigations," Thompson says. "There is no 'one size
fits all.'"
Tobin agrees that internal audit involvement should reflect what is
needed, but says that the central role described by The IIA should
remain largely intact. With regard to his own organization, Tobin says,
"We have a definite responsibility to be alert to the possibility
of fraud and to be conscious of specific fraud risks in our audit
procedures. We are the canaries in the coal mine." Beyond that, he
says he believes internal auditing is ideally placed to facilitate fraud
risk assessment processes. "In fact," he says, "fraud
risk assessments likely won't get done if not promoted by internal
auditing." Tobin notes that there is a lot of organizational
knowledge and technical expertise resident in the internal audit
function that can help the organization combat fraud, without the shop
crossing a line of principle drawn by the Standards.
PROMOTING AWARENESS
Ron Reigle, vice president of corporate compliance and internal
audit at gaming company Pinnacle Entertainment Inc., says his team takes
a proactive role in fighting fraud. Reigle is a certified fraud
specialist and a certified fraud examiner, and his staff includes
certified fraud examiners as well. They cover fraud risk in every audit
assignment. "Our team is trained to look for the red flags of fraud
all the time," he says. They also conduct routine fraud
investigative audits that look specifically for fraud.
Reigle works hard to emphasize the importance of fraud prevention
and detection throughout the company. He invests in training to keep his
team up to date on fraud issues, and he routinely circulates articles
about fraud. When the organization set up a fraud hotline in 2003,
Reigle visited all of its operations to discuss fraud prevention and
detection with managers and staff--talks that they were required to
attend. "We also have a fraud video that we show to all new
hires," he says. "We show from day one that we have a zero
tolerance."
The internal audit shop also plays an important anti-fraud role at
paint manufacturer Benjamin Moore, says Director of Internal Audit Adam
Gelles. "Our company is engaging in a more proactive process to
prevent fraud or ensure its timely detection," Gelles says. The
introduction of the U.S. Sarbanes-Oxley Act of 2002 has improved fraud
awareness, but more widely, the need to tackle fraud seems to have
caught on, he says. His company encourages managers to consider how they
would feel if adverse actions, such as a fraud, made the front-page
business news. The critical next step for the organization, he says,
will be to further explore and consider implementing enterprise risk
management, so that managers have the processes and tools they need to
be more proactive in their assessment of, and response to, risk as a
whole, which would include fraud.
Internal auditing also has an active fraud role at retailer JC
Penney, where the issue is fast moving up management's agenda, says
Director of Audit Denny Beran. In the last few years, the organization
has become more proactive in seeking out frauds and promoting fraud
awareness among its staff and management. "Fraud potential and
impact is addressed in the annual risk assessment of the auditable
inventory for planning purposes, and fraud risk assessments are
conducted periodically," Beran says. "Looking ahead, we
anticipate that operating management will place additional demands on
internal auditing to evaluate the adequacy of fraud controls, assist in
heightening fraud awareness levels, and participate in potential fraud
reviews and investigations."
SUPPORT FROM THE TOP
As the demands on internal auditing at these and other
organizations increase, it seems more important than ever to be clear
about where the shop can be responsible for fraud, and where it
can't. As is so often the case, this is an issue where internal
auditing needs to look to the highest levels of the organization for
support.
COPYRIGHT 2007 Institute of Internal Auditors,
Inc. Reproduced with permission of the copyright holder. Further reproduction or distribution is prohibited without permission.
Copyright 2007, Gale Group. All rights
reserved. Gale Group is a Thomson Corporation Company.