
CHAPTER 27

FRAUD DETECTION AND PREVENTION

Understanding and Recognizing Fraud

In the common-law definition, fraud is the obtaining of money or property by means of a
false token, symbol, or device. In other words, someone improperly authorizes some document
that causes a transfer of money.

Auditors in the past have claimed that detecting fraud was beyond their responsibilities.
Today they find themselves with an increasing responsibility to detect fraud in the course of
their review activities, as well as to recommend appropriate controls to prevent future frauds.
Joint guidance material on the impact of fraud in auditing, referenced in AICPA, IIA, and ACFE
publications, stresses the importance of fraud considerations for internal auditors and others.

Red Flags: Fraud Detection Signs for Internal Auditors

A red flag is a warning signal to an uninvolved observer that something does not look
right. Unfortunately, internal auditors often fail to detect frauds for one of the following
reasons:

1. There is an unwillingness to look for fraud.
2. Too much trust is placed in auditees.
3. Not enough emphasis is placed on potential fraud issues in audit findings.
4. Fraud concerns often receive inadequate support from management.
5. Auditors sometimes fail to focus on high-risk fraud areas.

Public Accounting’s Role in Fraud Detection

The external auditor’s responsibility for the detection of fraud in financial statements
has been an ongoing but contentious issue over the years. The very first AICPA Statement on
Auditing Standards (SAS No. 1), issued many years ago, stated, “The auditor has no responsibility
to plan and perform the audit to obtain reasonable assurance that misstatements, whether
caused by errors or fraud, that are not material to the financial statements are detected.” This
position did not change until 1997.

It was restated in SAS No. 82: “The auditor has a responsibility to plan and perform the
audit to obtain reasonable assurance about whether the financial statements are free of material
misstatements, whether caused by error or fraud.”

External auditors should make a point of talking to employees at all levels, both
managers and others, giving them an opportunity to blow the whistle and encouraging anyone
with knowledge of wrongdoing to step forward.

IIA Standards for Detecting and Investigating Fraud

The IIA International Standards emphasize that, although internal audit has a role to play
regarding fraud detection and prevention, the primary responsibility falls on management. The
difficulty lies in communicating that message to management.

The IIA has not taken the strong position on detecting fraud that the AICPA has. A 2015
search of the IIA web site using the keyword fraud does not give an internal auditor the wealth
of material that is found on the AICPA site or in the joint IIA, AICPA, and ACFE guidance
advisory. The IIA does offer some fraud material of its own, but the AICPA is taking the
stronger professional lead in providing fraud guidance to auditors.

Fraud Investigations for Internal Auditors

In any fraud-related review, an internal auditor should have three major objectives:

1. Prove the loss.
2. Establish responsibility and intent.
3. Prove the audit investigative methods used.

Information Technology Fraud Prevention Process

Because IT systems and processes support so many areas and cross so many lines in
the enterprise, IT-related fraud can be thought of in multiple dimensions, ranging from minor
matters to significant fraudulent activities:

1. Internet access issues.
2. Improper personal use of IT resources.
3. Illegal use of software.
4. Computer security and confidentiality fraud matters.
5. Information theft through USB devices.
6. Information theft or other data-abuse computer fraud.
7. Embezzlement or unauthorized electronic funds transfer.

Fraud Detection and The Internal Auditor

Internal auditors need to give greater consideration to fraud in their audit work. They
have always been involved in some level of fraud investigation when called on by management,
but fraud detection and prevention considerations need to become a more significant
component of every internal audit. Internal auditors should begin each new audit
engagement by asking themselves where the auditee might commit a fraudulent act, and
should retain a level of skepticism about the potential for fraud throughout their ongoing
work assignments.

CHAPTER 28

INTERNAL AUDIT GRC APPROACHES AND

OTHER COMPLIANCE REQUIREMENTS

The Road to Effective GRC Principles

The letter G stands for governance, a concern that covers the entire enterprise. In short,
governance means taking care of business: making sure things are done according to the
enterprise’s standards, as well as governmental laws and rules.

The R is risk. Risk factors become a way both to protect existing asset value and to
create value by strategically expanding an enterprise or adding new products and services.

The C is compliance, with many laws and directives affecting businesses and internal
auditors today. Internal auditors sometimes also extend that letter to include controls,
meaning that it is important to put certain controls in place to ensure that compliance is
actually happening.

GRC Risk Management Components

There are four interconnected steps in effective enterprise risk management GRC
processes:

1. Risk assessment planning.
   - Identify risk factors
   - Prioritize risk factors
   - Profile risk opportunities
2. Risk identification and analysis.
   - Quantify risk impacts
   - Mitigate identified risks
   - Consider financial factors
3. Exploit and develop risk response strategies.
   - Analyze risk opportunities
   - Develop risk management plans
   - Implement strategies
4. Risk monitoring.
   - Monitor changes
   - Assess risk factors
   - Understand the environment and organization
   - Reevaluate prior steps

GRC and Internal Audit Enterprise Compliance Issues

Adhering to these compliance-related requirements is a challenge for an enterprise, its
related stakeholders, and the internal auditors reviewing these processes because of:

1. The frequent introduction of new laws and regulations.
2. Vaguely written regulations that require interpretation.
3. No consensus on best-practice rules used for compliance.
4. Multiple overlapping compliance regulations.
5. Constantly changing regulations.

Nevertheless, a consistent approach to the use of compliance-driven capabilities and
supporting technologies across an enterprise can provide the following potential benefits:

1. Flexibility.
2. Reduced total cost of compliance ownership.
3. Competitive advantage.

Importance of Effective GRC Practices and Principles

An enterprise needs to adopt strong governance, risk, and compliance processes, with
the objective of establishing an effective GRC program. GRC principles and processes should
be emphasized both as elements of the entities where internal audit performs its reviews and
as part of an internal auditor’s own personal and professional standards. All internal
auditors should have strong CBOK knowledge and understanding of GRC practices and
principles; these are fundamental foundation components of internal auditing and important
components of effective IT governance processes.
