THE INTERNAL AUDITOR'S RESPONSIBILITY FOR FRAUD

By Janet L. Colbert and
C. Wayne Alderman

With the recent issuance of SAS No. 82, Consideration of Fraud in a Financial Statement Audit, the external auditor's responsibility for financial statement fraud has received much attention. Though not as publicized, a professional standard on fraud for internal auditors also exists. Statement on Internal Auditing Standards (SIAS) 3, Deterrence, Detection, Investigation, and Reporting of Fraud (1985), provides guidance to internal auditors performing any type of audit. Financial reporting engagements, as well as operations and compliance audits, are covered by the standard.

The SIAS notes that fraud is characterized by intentional deception and encompasses both irregularities and illegal acts. Fraud can be perpetrated to benefit the organization or to its detriment. Persons inside or outside the entity may be involved.

SIAS 3 makes recommendations to internal auditors charged with ascertaining if policies are in place to deter fraud. The standard also addresses the detection and subsequent investigation of fraud. Finally, the internal auditor's responsibilities for report-writing are discussed.

Deterrence

SIAS 3 notes that the principal way to deter fraudulent schemes is through an effective system of internal control. Management bears primary responsibility for designing and maintaining internal control. The internal auditor's function is to assist management in deterring fraud. To fulfill the responsibility, the internal auditor examines and evaluates the adequacy and effectiveness of controls
that may prevent fraud. The risk
associated with the unit is considered
as the internal auditor determines
if controls are sufficient to deter fraud.

In evaluating controls that management has in place to preclude the occurrence of fraud, internal auditors consider whether the environment sets the appropriate tone toward controls. They also determine that the organization has established realistic objectives and goals as well as a code of conduct. The code should describe prohibited activities and consequences of violations. Further, the internal auditor ascertains that appropriate authorization policies are maintained and procedures are in place to monitor activities and safeguard assets. Means of communication within the entity to ensure management receives adequate and reliable information are also studied. Finally, the internal auditor determines if recommendations to improve controls to deter fraud are needed.

Detection

Since it is not cost effective to install controls to prevent all errors and irregularities, some fraud will invariably persist. The internal auditor's responsibilities to detect fraud center on identifying indicators of fraud that, when considered collectively, warrant recommending an investigation. Internal auditors might discover fraud indicators because of controls installed by management. For example, management may have embedded limit checks in the payroll system that disclose attempts to surpass the established limit; internal auditors may deem repeated attempts to exceed the maximum to be a fraud indicator. The results of internal audit tests are another source of fraud indicators. Also, sources both internal and external to the entity may tip off internal auditors to fraud
indicators.

To effectively identify indicators, the internal auditor must become familiar with fraud. While not expected to have the expertise of one whose primary responsibility is to detect and investigate fraud, the internal auditor should be knowledgeable about it. Information regarding characteristics of fraud and techniques used to perpetrate various schemes is useful. Knowledge of the specific industry the entity operates in and of fraud that might be perpetrated at the type of unit being audited is particularly relevant.

Throughout an examination, the internal auditor should be alert to opportunities that might allow fraud to occur. If significant opportunities for fraud exist, the internal auditor should conduct tests to search for other indicators of fraud. Opportunities for fraudulent schemes normally arise because of weaknesses
in internal control. Control weaknesses that might be conducive to fraud
include unauthorized transactions, override of controls, unexplained pricing exceptions, and unusually large
product losses.

After finding possible fraud indicators, the internal auditor evaluates them and their possible collective impact on the entity. A decision must be made whether a fraud investigation is warranted. If an investigation is recommended, organizational authorities are notified.

Investigation

Management is normally responsible for deciding whether or not to pursue a fraud investigation. However, if the internal auditor believes management itself may be involved in the fraud, the board of directors should be notified, and they are then responsible for approving further action. If either management or the board of directors makes the decision to investigate possible schemes, extended procedures are performed to follow up on fraud indicators first noted by the internal auditors. Specialists such as security personnel, investigators, or lawyers may be asked to assist in the investigation.

When planning a fraud investigation, the internal auditors should evaluate the extent of the scheme and the level of personnel involved. Careful consideration during this step helps to ensure that managers and employees who may be involved are not inadvertently tipped off. Planning also encompasses matching the knowledge, skills, and disciplines required to conduct an investigation with the technical expertise of available internal auditors and other specialists.

If specialists outside the organization are included in the investigation, their credentials should be evaluated. Internal auditors can assist by checking appropriate licenses and certifications and making inquiries regarding the professional reputations of the specialists. Also, internal auditors should ascertain that no relationship between the unit being investigated and the specialist exists.

After the fraud investigation is staffed, procedures should be designed to identify the perpetrators and determine the extent of the fraud, its cause, and the techniques used to perpetrate it. Regardless of whether the internal auditors are involved in the detail work of the investigation, they should coordinate the activities of the specialists with management and legal counsel. All parties involved must keep in mind the rights of alleged perpetrators and should seek to protect the reputation of the organization.

At the conclusion of the fraud investigation, the internal auditors should utilize the information obtained to help the entity in the future. From details of the scheme, the internal auditors may be able to develop recommendations for controls that should be implemented to prevent similar frauds from occurring. Also, from knowledge of actual fraud cases, audit tests can be designed to unearth similar schemes in other units. Finally, information on recent frauds adds to the internal auditor's warehouse of knowledge and helps in identifying future indicators of fraud.

Reporting

An internal auditor's report on fraud may be made at an interim point (for example, after the detection phase) or at the conclusion of the work. The interim report may be in writing or may be made orally; the report at the end of the investigation phase, encompassing findings, conclusions, recommendations, and corrective action taken, must be in writing. If a report is made at the conclusion of the detection stage, the communication should present the internal auditor's recommendation as to whether an investigation is warranted, along with support for that recommendation. Regardless of whether it is an interim or a final version, the report is addressed to management. A draft of the report should be reviewed by legal counsel before its issuance. In some cases, the internal auditor may wish to utilize the protection of attorney-client privilege; if so, the report should be addressed to counsel.

Two situations relating to fraud call for quick reporting by the internal auditors. In the first, if a significant fraud has been discovered and the details have been established with reasonable certainty, management or the board should be informed without delay. The second relates to a fraud that impacts issued financial statements of previous periods. If such a scheme is discovered, the internal auditors should inform management, as well as the audit committee of the board of directors. *

Janet L. Colbert, PhD, CIA, CPA, is the Meany-Holland Professor of Accounting at Western Kentucky University.
C. Wayne Alderman, DBA, CIA, CPA, is dean, College of Business, and SouthTrust Professor of Accounting at Auburn University.