In 2022, the Association of Certified Fraud Examiners (ACFE) and the Institute of Internal Auditors (IIA) announced a partnership that sought to collaborate on “education initiatives that will raise the competency of each organizations’ members with regard
to fraud auditing and investigation.” [See “Solving for Fraud: Institute of Internal Auditors Announces Education Partnership with Association of Certified Fraud Examiners,” The IIA press
release, Nov. 30, 2022.] As I reflected on this announcement, it struck me that both internal auditors and anti-fraud professionals strive to protect the organizations they serve, and though the primary focus may be different, the opportunities to
collaborate are indeed vast. ACFE and IIA members often have similar interests and perspectives on fraud auditing and investigation — in fact, according to the ACFE’s Membership Services, nearly 1 in 10 Certified Fraud Examiners (CFEs) are also Certified
Internal Auditors (CIAs), which is an IIA credential. (The ACFE doesn’t require members to report other credentials so that figure might be higher.) As the press release describes, the partnership embodies a natural evolution allowing both organizations
to formalize and recognize this shared interest.
In this issue’s column, let’s explore how fraud examiners, especially those who also have an internal audit role, have responsibilities for fraud prevention and detection. Moreover, we’ll explore how CFEs can provide their unique perspectives, skills
and experience to improve internal audit quality through a holistic approach, while also leading the way in anti-fraud technology applications.
Fraud and IIA Global Audit Standards
According to the IIA’s new Global Audit Standards, fraud must be considered during the planning phase for every audit. Specifically, one of the Global Audit Standards’ five criteria states that the auditor planning an audit “Consider coverage of information
technology governance, fraud risk, the effectiveness of the organization’s compliance and ethics programs, and other high-risk areas.” This is especially relevant during the risk assessment part of the planning, where Standard 13.2 points out that
internal auditors must identify the risks to review by, among other items, “Considering specific risks related to fraud.” Further, when exercising due professional care, Standard 4.2 points out that the auditor “must exercise due professional care
by assessing the nature, circumstances, and requirements of the services to be provided …,” which include the “probability of significant errors, fraud, noncompliance, and other risks that might affect objectives, operations or resources.” [See “Global Internal Audit Standards” (PDF), The IIA, Jan. 9, 2024.]
In thinking about an internal auditor’s responsibilities for fraud prevention and detection, I spoke with Prabhat Kumar, CIA, CPA, who’s a former chief audit executive at Revlon Inc. with over 20 years of professional internal audit experience. I asked
Kumar what should be in the back of every internal auditor’s mind when it comes to fraud risks. His reply: “Auditors generally focus on testing financial or operational controls using an audit program that has been previously used in the past or prepared
using the current business processes. One question that sometimes gets neglected is, ‘What can go wrong in the control execution or how someone, especially senior management, can circumvent or override this control?’ In addition to testing routine
transactions, internal auditors should perform these ‘negative (or inverse) tests.’ This will help the auditor evaluate if certain controls can be circumvented.”
Beyond risk assessments, a holistic approach to fraud
The ACFE/COSO Fraud Risk Management Guide, originally issued in 2016 and updated in 2023, references the COSO 2013 Internal Controls Framework’s five components and corresponding 17 internal controls principles. (See Figure 1 below.) As most
internal auditors know, only Principle No. 8 references fraud. It states, “The organization considers the potential for fraud in assessing risks in the achievement of its objectives.” But wait! Why should we only consider fraud during the risk assessment?
Fraud should be a consideration throughout the entire internal controls process. In fact, fraud should be a consideration across an organization’s entire internal controls framework, including the 1) control environment, 2) risk assessment, 3) control
activities, 4) information and communication and 5) monitoring activities. (See “Fraud Risk Management Guide, Second Edition,” the ACFE.)

Figure 1
Source: ACFE/COSO Fraud Risk Management Guide
When I served on the COSO Fraud Risk Task Force charged with developing the ACFE/COSO Fraud Risk Management Guide, we faced a conundrum with respect to simply complying with the standards of the Sarbanes-Oxley Act (SOX) [i.e., Principle No. 8]
versus taking a holistic approach to fraud risk management. A good fraud risk management program doesn’t just look at fraud during the risk assessment, as is required for SOX compliance. A good fraud risk management program is integrated across the
entire internal controls framework as summarized by the five fraud risk management principles set forth in Figure 1. In the end, the task force, as well as COSO and the ACFE, were happy with the decision to take the holistic approach.
Changing yesterday’s internal audit mindset around fraud risk management
In most industries, the velocity of business transactions and the speed at which business gets done are simply too fast for internal audit to continue to take a “look-back” approach to fraud prevention and detection. This is where CFEs can add a tremendous
amount of value to the internal audit team: As CFEs, we view fraud risk holistically — not as a one-stop audit, but as a continuous-monitoring process. We often see compliance and internal investigations teams taking lead roles in both preventing
and detecting fraud risks and events, especially as it relates to areas where the law is concerned, such as in Foreign Corrupt Practices Act (FCPA) compliance, sanctions and trade compliance, and environmental, social and governance (ESG). But in
many internal investigations where customers, vendors or employees are involved, internal audit will lend a hand with investigative design, data gathering and analysis, as it’s best suited to help find out what happened and the root cause before the
issue is handed over to legal.
Kumar comments that audit teams are often supportive of implementing continuous control monitoring tools and technologies. “Internal auditors are always exploring options as an audit recommendation,” he says. But as the 2024 ACFE/SAS Anti-Fraud Technology Benchmarking Report points out, one of the biggest challenges to implementing such controls is obtaining a sufficient budget, followed by poor data quality and integration. (See Figure 14 below, from the 2024
Anti-Fraud Technology Benchmarking Report, p. 23.) Kumar adds that internal auditors and their investigative colleagues need the tools and technologies to not only conduct effective fraud risk assessments, but also implement a holistic
fraud risk management program. “Chief audit executives (CAEs) need to have budgets to not only have enough people resources, but also the right technology to do the job efficiently and effectively, with measurable business impact or return on investment.”

Source: 2024 Anti-Fraud Technology Benchmarking Report
Beyond traditional internal audit technology tools that manage workflow, audit status and planning, with often limited rules-based testing and controls criteria, more cost-effective capabilities are available to internal auditors, including continuous
controls, machine learning, optical character recognition, transaction-risk scoring and case management. These tools can rapidly ingest extracts of a selected company’s financial accounting or enterprise resource planning (ERP) systems around vendor,
customer or employee information, often on a real-time basis or via automated data refresh. This model supports a continuous controls monitoring function across a vast library of anti-fraud tests and internal controls. As Kumar comments, “These new
internal audit capabilities, which include pulling data from various ERP systems, third-party due diligence systems, hotline information, past audit findings, and many other relevant data sources within the supply chain, provide options that help
both internal auditors and investigators focus on high-risk transactions, vendors, customers, employees, geographies or business units not only during an audit, but continuously throughout the year.” The future is indeed bright when it comes to the
collaboration and integration of the ACFE and the IIA, and greater cross-pollination between their respective members will only further the work of protecting organizational value and reducing the incidence of fraud within the organization.
Vincent M. Walden, CFE, CPA, is the CEO of Kona AI, an AI-driven anti-fraud, investigations and compliance technology software company providing easy-to-use, cost-effective third-party payment and transaction analytics
software around corruption, investigations, fraud prevention, internal audit and compliance monitoring. He welcomes your feedback and ideas. Contact Walden at vwalden@konaai.com.