The Association of Certified Fraud Examiners’ Occupational Fraud 2024: A Report to the Nations is chock-full of valuable information. According to the ACFE’s global survey, Certified Fraud Examiners estimate that their organizations lose 5% of revenue to fraud each year, resulting in a median loss per case of $145,000 and an average loss per case of $1.7 million. According to the report, more than 1 in 7 fraud cases are detected by the organization’s internal audit function. Internal auditors are more likely to discover fraud than the organization’s management and are about 5 times more likely to discover fraud than the external auditors. Full disclosure: I only stumbled onto fraud a handful of times in my career, but when I did, I understood that extreme caution was warranted.
The IIA’s new Global Internal Audit Standards are clear: Internal auditors must identify the risks to review…by considering specific risks relating to fraud. In a 2019 Position Paper, The IIA acknowledged that “the internal auditor should not be expected to have the expertise of a person whose primary responsibility is to investigate fraud. Such investigations are best carried out by those experienced to undertake such assignments.” The IIA further notes that “the organization should have a suitable anti-fraud response plan outlining key policies and investigation methodologies. The plan should make clear the role of internal audit when there is suspected fraud and associated control failure.”
Hopefully, your organization has a fraud response plan that assigns specific duties and responsibilities. But if not, don’t automatically assume that, as an internal auditor, you should undertake a fraud investigation single-handedly or that you should lead a fraud investigation team yourself.
We all need to be familiar with the indicators of fraud, and we need to be able to evaluate anti-fraud controls. But few internal auditors are fully equipped to be fraud investigators. An interrogation is very different from an audit interview, and there is great risk in how easily reviewing evidence can turn into contaminating it. When fraud is suspected, a simple mistake can easily become a costly and career-limiting move.
I have seen too many instances during my career where well-intentioned internal auditors inadvertently damaged the chances of a successful fraud investigation because they were either careless or simply didn’t understand the risks of their actions. I always cautioned my teams to be careful not to “trample the evidence” when they came upon a potential fraud during the course of an internal audit. From my experience, the following are just a few types of mistakes that internal auditors can make when they encounter evidence of fraud.
- Do not discuss the situation with anyone who does not have a need to know. Even the existence of an investigation should be kept confidential. Keep in mind that the scope of an occupational fraud is often bigger than it first appears, and you may not yet have identified everyone who is involved in the crime. Our profession’s Code of Ethics requires confidentiality, and it’s not appropriate to chat about new or ongoing investigations even with other internal auditors.
- Do not make accusations or rush to judgment. The evidence may appear to indicate that someone has committed a crime, but accusations can lead to charges of slander, libel, or wrongful termination. It should rarely be an internal auditor’s job to accuse anyone of fraud, so contact your supervisor before saying something you might later regret.
- Do not disrupt operations. If you do, you may tip off potential fraudsters that they are under suspicion. Your actions may cause them to destroy important evidence, to warn accomplices, or to take other actions that can undermine an investigation.
- Do not disturb a potential crime scene or do anything that might contaminate or destroy digital evidence. Internal auditors are good at examining evidence, but special care must be taken during investigations. For example, it may seem appropriate to examine a suspect’s computer records or to make a backup copy of his or her files. But computer forensics experts never perform analysis on original media. Simply by turning on a suspect’s computer, opening a file, or making a backup, you are changing digital time stamps and hash values, potentially compromising important evidence. At times, action is unavoidable: It may be necessary to isolate a computer to prevent connections into and out of the system, for example. But preserving digital evidence is tricky. Unless you have specialized training in computer forensics, call for help before proceeding.
- Do not fail to swiftly alert legal counsel and human resources professionals. It’s likely your fraud response plan states that it’s necessary to brief legal counsel and a human resources (HR) representative before a formal investigation is launched. HR input can be especially important if termination or other disciplinary actions might result from the investigation. Depending upon the circumstances, your organization may be required to make disclosures about criminal activities to regulators, law enforcement, clients, shareholders, or other parties. Legal counsel can help to ensure that regulatory requirements are not overlooked, and attorney-client privilege can help protect your organization from disclosure of details that it might not want to make public immediately.
- Do not assume you should perform interrogations. When performed with expertise, interrogations can be an excellent source of information. Without that expertise, an investigation can be irreparably damaged. Internal audit interviews and discussions often employ collaborative approaches that are not necessarily appropriate during investigations; but an accusative approach can also be a big mistake. Nobody wants a hostile or defensive suspect.
- Do not neglect your files. It’s never a good idea to leave internal audit workpapers unsecured, but when fraud is involved, keeping documentation safe and confidential is particularly important. Having a copy of a document is not as good as having the original.
Fraud investigations can be high-risk engagements. If you think there is a possibility of fraud, don’t break the eggs. You should not take any action that might tip off potential fraudsters or compromise evidence so that it can’t be investigated later. I don’t mean to imply that internal audit should never be involved in fraud investigations, but if the internal auditors are not fully trained investigators, it’s time to seek help from specialists. A wise internal auditor understands the limits of his or her own knowledge and knows when to ask for help.
Obviously, my blogs do not constitute legal advice. If you have any questions about how to proceed if fraud is discovered or suspected, contact your legal counsel for proper advice.
I welcome your comments via LinkedIn or Twitter (@rfchambers).