At JC Penney, for example, the internal audit shop runs fraud awareness training for managers. When fraud is discovered, internal auditing briefs managers on what went wrong and any lessons to be learned, with an emphasis on the control breakdowns that allowed fraud to occur and continue without detection.
The best strategy, Thompson says, is for the chief executive officer (CEO) to produce a written policy stating that management is responsible for knowing the exposures to fraud in their areas and for detecting suspected wrongdoing. "This should not be done by the chief financial officer or the CAE," he says. "It is a CEO responsibility, and five minutes from the CEO is worth many audit reports and thousands of hours of Sarbanes-Oxley work."
In practice, few companies have such a statement, Thompson says. When he runs fraud awareness training for managers, Thompson tells them to get these words in writing from the CEO. "It's usually a real eye opener," he says. "Most say this responsibility has not been well defined in their organizations." Moreover, Thompson recommends emphasizing what management's responsibility is, rather than stating what internal auditing's role isn't. That approach makes it easier for the internal audit shop to work out the best way to help management, he says.
COMMUNICATION IS KEY
Dave Coderre, a manager of continual auditing in the Canadian federal government and a leading authority on fraud issues, agrees that management misunderstandings about internal auditing's fraud role occur when the responsibilities are not clearly defined and communicated. "A fraud policy--which clearly articulates the role that management, auditing, and every employee plays with respect to fraud prevention and detection--should be in place," he says. "At the beginning of every audit, management should be informed of the scope and objectives of the audit--with a clear statement of what auditing will be doing with respect to fraud risks."
There are other reasons why managers get the wrong idea about what the internal auditors are supposed to be doing. Finely worded principles about where the professional boundaries lie will make sense to some, but not others.
"Managers come from diverse backgrounds, including operations, marketing, and administration and accounting," says Durant. "I think the latter might have some knowledge of what internal auditing's role is and what management's role is, but those from other backgrounds may not."
The answer, he says, is "communication, communication, communication." Yes, a clear policy statement from the board is vital, but not enough on its own. Internal auditing should get out into the business and explain what its role is. "It is better to be talking to management," he says, "rather than sitting in one room thinking management is dealing with the issue when management is sitting in a different room thinking the same about internal auditing." Auditors should find ways to work directly with management, helping managers to perform their fraud role. "That way it is not all about abrogating responsibility, but working with management to help them fulfill their responsibility," Durant says. "The auditors can make it clear that they are there to help, but not to take on the role." At Benjamin Moore, for example, Gelles is looking at making wider use of control self-assessment to help management realize they are ultimately responsible for implementing controls and that his internal audit shop is there to assess the existence and effectiveness of controls.
Durant also suggests that internal auditors run fraud risk management workshops, aimed at helping managers to write their own risk action plans. "This would make it clear that internal auditors are the facilitators and managers are the ones who are going to take responsibility," he says. When Durant runs this kind of event, he always tries to get a member of the board to introduce the objectives of the workshop and to wrap it up with a talk about how management takes fraud seriously. "This is all very subtle, but firmly puts management at the forefront," he says.
Simple communication makes a real difference, Thompson says. "Most executives, when hearing the 'it's management's job' speech, have a major belief change and buy into the idea," he says. "Usually management merely needs a bit of education and reinforcement from the chief executive."
Other auditors agree that once managers have their responsibilities explained, they are happy to fulfill them. It's not that managers are ducking the issue--although the crooked ones may be; it's just that they are often overwhelmed with other responsibilities. "Awareness of fraud risks and managers' responsibilities is extremely low," Tobin says. "Managers are generally aware that they are responsible for internal controls, but for the most part they have never given fraud much thought. I've found that when managers receive some training on fraud risks and controls, the potential consequences of fraud incidents, and the respective roles of managers and internal auditing, they are quite open and accepting."
THE GOVERNANCE CONNECTION
Frontline communication and training are clearly important, but Coderre also stresses the importance of putting fraud in a wider context. The most important step an internal auditor can take, he says, is to ensure the issue of fraud responsibility is addressed in the governance structure of the organization and its risk management activities. "In the past, management has focused on operations, often to the exclusion of controls, fraud, and other activities," Coderre says. "Today however, there is increased pressure for management to take responsibility for enterprise risk management. An important aspect of risk management is the identification and mitigation of the risk of fraud."
An effective approach--for fraud and wider misconduct--has three primary objectives: prevention, detection, and response, says David Luijerink, director in fraud risk management at KPMG Forensic. "The challenge for companies is to adopt a comprehensive and integrated approach that enables all of the organization's control criteria in these three areas to work together," he says. Internal auditors can play a significant role in this effort. They can request that senior management provide clear direction to management about fraud prevention and detection responsibilities, he says, but they can also write their own action plan--one that establishes how internal auditing will engage senior and line management on this issue, and how they will measure success. This plan and subsequent updates could then be reported to the audit committee.
More fundamentally, companies need to take a strategic approach to fraud risk management by aligning corporate values with performance, Luijerink says. "Fraud risk management must become part of the corporate culture. The board, senior management, internal auditing--in fact all employees--have a role to play to ensure that the company is enacting and achieving ethical and responsible business practices."
And he stresses that fraud prevention cannot be a one-off event. Companies need to view fraud risk management as an ongoing process and should continuously evaluate the effectiveness of their risk strategy and controls.
Sound easy? In theory, an organization that wants to manage fraud risk effectively needs just three things: a clear and comprehensive governance structure, an active and supportive board, and a cadre of managers who are aware of their responsibilities and have the resources and skills to fulfill them. If an organization ever achieved that level of excellence, the internal audit shop could virtually pack up and go home, or at least forget about fraud risk. Until then, internal auditors will continue to perform their unique and carefully nuanced role: helping management to combat fraud, while explaining that they can't do the job for them.
To comment on this article, e-mail the author at neil.baker@theiia.org.
NEIL BAKER
EDITOR, INTERNAL AUDITING & BUSINESS RISK
ILLUSTRATION BY RICHARD TUSCHMAN



