Given the high prevalence of organizational fraud, as reported by the Association of Certified Fraud Examiners (ACFE), companies have strong incentives to invest in fraud auditing capabilities—both internal and independent (external) audits. While both are extremely effective, this article is focused on internal audits.
It turns out that companies with properly structured internal audit systems are less likely to experience severe losses due to internal fraud. Further, we find that the existence of a strong internal audit capability is of significant interest to underwriters when reviewing applications for crime and fidelity insurance coverage.
All companies can benefit from an internal audit system. When properly structured, it provides a layer of protection and sends a strong message to both company vendors and employees that fraud will be detected quickly and won’t be tolerated. Continued monitoring leads to ever-changing processes and controls that provide corrective measures designed to deter and detect fraudulent activity.
However, the likelihood of a company having an internal audit unit varies with the size of the company. Small companies are more often found without internal audit departments, largely because of cost. These firms utilize the services of an independent audit firm to minimize exposure to fraud. This will be the topic of our next article.
7 Best Practices for Internal Audit
The internal audit, like any audit, requires sufficient autonomy, resources, skills, and access to relevant records to produce reliable results. It should operate according to a plan created and/or approved by the Board of Directors, with transparency in its functions that communicates its purpose to all vendors and employees. Communicating a strong message of zero tolerance on fraud and abuse is essential. The internal audit committee has an obligation to report self-identified audit issues to the Audit Committee or the Board of Directors itself, if possible.
Here are seven specific design criteria for the internal audit function:
- The internal audit should function independently of the main organizational hierarchy including finance and accounting.
- It should report to the audit committee of the Board, or as high up as possible. Reporting only to the CEO or CFO creates the potential for conflicts.
- Internal auditors need appropriate training and resources as determined by the company’s specific operations to be effective. They should know and understand the company operations in detail.
- The audit plan should be approved by the Board, and should require audits of all organizational units on a risk-adjusted frequency.
- Audit results should be promptly reviewed by the Board and top management, with a follow-up corrective action plan put in place, with measurable outcomes and timeframes, if a unit is found out of compliance.
- Internal audit systems should help design internal controls, including automated “red flag” indicators and accompanying exception reports. These triggers are especially important when dealing with a hidden crime like fraud.
- Attestation of controls should be tested frequently on any findings to measure effectiveness and compliance.
Failures of an internal audit system are typically due to weaknesses in one or more of these design criteria. Insufficient size, skills, or resources in the system, including information systems that yield the required data, will often result in failure or slow detection of fraud. Some common weaknesses of internal audits include failure to use fraud detection software, failure to program the software to flag exceptions, and failure to adequately include external vendors within the software usage. Internal conflicts of interest that arise in the reporting and corrective action follow-up plan reflect an improperly designed internal audit program.
A Summary of Essential Controls
The best-practice design criteria directly imply some of the internal controls that every business should have in place.
A well trained, knowledgeable and properly staffed internal audit group should have the capacity to advise and report directly to the Board on a regular basis according to plan. This group should be able to recognize potential frauds through selected exception reports and alerts built into information systems as needed to monitor the company’s operations and hold lines of business accountable for resolution of non-compliance.
Auditors should use comparisons on a regular basis that review indicators such as the current ratio of debt to equity, inventory and inventory turnover, and profit margin. Putting these and other performance indicators into regular reporting over time makes it significantly more likely that a red flag is recognized early in a potential fraud scheme.
Automated tools can be invaluable in the quest to identify and prevent fraud. Modern auditing software incorporates sophisticated capabilities to mine data for irregular patterns that may point to fraud. This type of software can be programmed to find and flag these irregularities on virtually any time scale.
Some examples of automated controls include:
- Comparing employees’ addresses with those of vendors to identify potential self-dealing.
- Analyzing a sequence of transactions to find missing checks or invoices.
- Setting threshold flags to identify patterns of contracting that are just below a level that would trigger a review.
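The three controls listed above, sketched as exception-report checks. This is an added example, not code from the article or from any audit product; the record layouts, the sample data, the 10,000 review threshold and the 5% band are assumptions chosen for illustration.

```python
import re
from collections import defaultdict

# Constructed sample records (not real data); field layouts are assumptions.
EMPLOYEES = [("E100", "12 Oak Street, Apt. 4"), ("E101", "9 Elm Rd")]
VENDORS = [("V7", "12 OAK ST APT 4"), ("V8", "500 Harbor Blvd")]
CHECKS = [1001, 1002, 1004, 1005, 1008]
CONTRACTS = [  # (approver, vendor, amount)
    ("E101", "V8", 9900), ("E101", "V8", 9850), ("E101", "V8", 9990),
    ("E100", "V7", 4200), ("E100", "V8", 9700),
]
ABBREV = {"street": "st", "road": "rd", "avenue": "ave",
          "apartment": "apt", "boulevard": "blvd", "suite": "ste"}

def normalize_address(addr):
    """Lowercase, drop punctuation, and collapse common suffix spellings."""
    words = re.sub(r"[^a-z0-9 ]", " ", addr.lower()).split()
    return " ".join(ABBREV.get(w, w) for w in words)

def shared_addresses(employees, vendors):
    """Return (employee_id, vendor_id) pairs whose normalized addresses match."""
    by_addr = defaultdict(list)
    for emp_id, addr in employees:
        by_addr[normalize_address(addr)].append(emp_id)
    return [(emp_id, vendor_id) for vendor_id, addr in vendors
            for emp_id in by_addr.get(normalize_address(addr), [])]

def missing_numbers(numbers):
    """Return check or invoice numbers absent from the issued range."""
    seen = set(numbers)
    if not seen:
        return []
    return [n for n in range(min(seen), max(seen) + 1) if n not in seen]

def near_threshold(contracts, threshold, band=0.05, min_count=3):
    """Flag approver/vendor pairs with repeated awards just under threshold."""
    hits = defaultdict(list)
    for approver, vendor, amount in contracts:
        if threshold * (1 - band) <= amount < threshold:
            hits[(approver, vendor)].append(amount)
    return {pair: amts for pair, amts in hits.items() if len(amts) >= min_count}

if __name__ == "__main__":
    print(shared_addresses(EMPLOYEES, VENDORS))
    print(missing_numbers(CHECKS))
    print(near_threshold(CONTRACTS, threshold=10_000))
```

Each hit is an exception for an auditor to review, not proof of fraud; shared addresses and sequence gaps often have benign explanations such as voided checks.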
Many cases of fraud are detected by automated analysis of ratios and changes that deviate from a defined baseline.
Even small companies will benefit from implementing controls that can flag potential fraud quickly. Given the prevalence of fraud, many companies will have net gains in bottom line profits from an investment in a strong internal audit program.