The current issue and full text archive of this journal is available on Emerald Insight at:

www.emeraldinsight.com/1359-0790.htm

JFC
24,2
The escalating relevance of
internal auditing as
anti-fraud control
322 Hans-Ulrich Westhausen
ANWR GROUP eG, Mainhausen, Germany

Abstract
Purpose – The purpose of this paper is to discuss critical success factors for the enormous development that
internal auditing (IA) as “third line of defense” (IIA, 2016) and one of the strongest anti-fraud controls has
reached within the past decades. Additionally, weaknesses of IA are identified and evaluated to allow further
improvement.
Design/methodology/approach – The anti-fraud requirements stipulated in the “International
Standards for the Professional Practice of Internal Auditing” are confronted with empirical data about
the current situation of the IA as anti-fraud control. The empirical data were extracted from global
sources such as “Fraud Reports” (Association of Certified Fraud Examiners – ACFE) and “common body
of knowledge (CBOK)” studies. The Institute of Internal Auditors (IIA).
Findings – Over the years, IA has been continuously increasing its auditing quality and effectiveness
with new analytical methods, specialized software tools and professional certifications. But all these
efforts have hardly been reflected in statistical or research data, especially not in the listing of the top
sources of fraud detection. The “ACFE-Fraud Report 2016” revealed that IA is now – for the first time
ever – second among the initial detections of occupational frauds (financial statement fraud, corruption
and asset misappropriation) worldwide. This positive trend of global anti-fraud auditing was probably
no “one-hit wonder”, but a result of a lengthy process of professionalization of IA.
Originality/value – It is hoped that this paper will facilitate the discussion about the value that IA can add
within an anti-fraud management system.
Keywords Internal auditing, Occupational fraud, Three lines of defense
Paper type Viewpoint

Journal of Financial Crime
Vol. 24 No. 2, 2017
pp. 322-328
© Emerald Publishing Limited
1359-0790
DOI 10.1108/JFC-06-2016-0041
1. Background
Following tighter compliance requirements, never-ending corporate scandals and increasing
efforts to get released from liability by corporate management, internal auditing (IA) has
turned into a “Jack of all trades device”. Apart from its original auditing mandate, IA faces
more and more multifunctional tasks such as risk management, compliance or data
protection. This trend requires IA to bridge the gap between less available capacity for
operative auditing and the mandatory responsibility for the enhancement and protection of
organizational value by providing a “risk-based and objective assurance, advice and insight”
(IIA, 2017).
Within that “professional gap”, there is also the responsibility of IA in detecting,
preventing and monitoring fraud risks and addressing those risks in audits and
investigations (anti-fraud auditing). With respect to fraud, the “International Standards for
the Professional Practice of Internal Auditing” (Standards) strongly demand sufficient
knowledge (Standard no. 1210.A2), due professional care (1220.A1), regular reporting to
senior management (2060) and the consideration of fraud during audit planning and
evaluation (2120.A2 and 2210.A2).
 A change in the perspective from theory to practice leads to the question how good IA is Internal
with anti-fraud auditing. As an “empirical answer”, the Association of Certified Fraud auditing
Examiners (ACFE) released its “ninths and most extensive fraud report” (ACFE, 2016). A
record high of 2,410 occupational fraud cases from 114 countries with a total loss of US$6.3bn
formed this latest empirical update of worldwide anti-fraud data. Although general changes
to prior ACFE reports (2010-2014) were mostly minor, the anti-fraud results with focus on IA
were significant:
323
• For the first time ever, IA had taken the second place worldwide as initial fraud
detection source (16.5 per cent) after the whistleblower tip (39.1 per cent), but clearly
before the management review (13.4 per cent). See Appendix 1 and Table I (in
“References”) for further details.
• Besides its improved ranking among the top fraud-detection sources, IA has also been
steadily raising its global spread as anti-fraud control from 68.2 per cent (2010) to 73.7
per cent (2016). Additionally, IA has increased its anti-fraud effectiveness from 20.4
per cent (2010) to 22.4 per cent (2016). See Appendix 2 and Table II (in “References”) for
further details.
• Another remarkable fact is that IA creates measurable“anti-fraud value”. In
organizations that implemented the function of IA, the average loss and the duration of
frauds were significantly lower and shorter than without IA. With presence of IA, the
median loss per fraud case was reduced by 42.8 per cent from US$215,000 to 123,000
and by 50.0 per cent from 24 to 12 months (ACFE, 2016).

2. Discussion
Although these positive changes in IA might seem marginal or “statistical”, they are
probably not. What they really are, are results of a continuous striving for the
professionalization of IA as “third line of defense” over the past decades. To substantiate this
opinion, three key factors will be discussed in the following:

Detection categories 2010 (%) 2012 (%) 2014 (%) 2016 (%)

1. Tip 40.2 43.3 42.2 39.1

2. Internal audit 13.9 14.4 14.1 16.5
3. Management review 15.4 14.6 16.0 13.4
4. By accident 8.3 7.0 6.8 5.6 Table I.
5. Account reconciliation 6.1 4.8 6.6 5.5 Top five initial
detections of
Note: ACFE 2010-2016 occupational frauds

Anti-fraud effectiveness of IA 2010 2012 2014 2016

1. Frauds in total 1,843 1,388 1,483 2,410

2. Existence of IA (ref. to 1.) 1,257 (68.2%) 949 (68.4%) 1,047 (70.6%) 1,776 (73.7%)
3. Detection Source IA(%) 13.9 14.4 14.1 16.5
4. Detected Frauds by IA (3. ref. 1.) 256 200 209 398
5. Probability of Fraud Detection 20.4 21.1 20.0 22.4 Table II.
by IA (4. ref. 2.)(%) Benchmark of the
effectiveness at fraud
Note: Own calculations by the author based upon ACFE, 2010-2016 detection by IA
JFC (1) identification of fraud as a strategic audit topic;
24,2 (2) qualification and quality improvement; and
(3) utilization of audit technology.

2.1 Identification of fraud as a strategic topic

324 Before IA could start using its resources in the fight against fraud, the relevance of fraud as
a high-risk area for organizations had to be identified as a strategic topic. This has been
accepted within the past years not only by the American Institute of Internal Auditors (IIA)
but also increasingly by other national IIA-chapters such as the German IIA-chapter
(Deutsches Institut für Interne Revision, DIIR). It created the DIIR-professorship for IA and
Corporate Governance at the University Duisburg-Essen in 2011, published the audit
standard no. 5 (“Standard for the Audit of the Anti-Fraud Management System by the
Internal Audit Activity”) in 2012, included numerous anti-fraud training aspects in the
course portfolio of the “DIIR Academy” and, in the meantime, organized the eighth anti-fraud
management conference (2017). That IA has already identified fraud as a strategic risk was
affirmed by the 2015 common body of knowledge (CBOK)-study “Responding to Fraud
Risk”. Hereafter, IA focuses almost twice as much on fraud risks as its executive
management. It was stated that globally, only 19 per cent of executive management focuses
on fraud as a top five risk, whereas 31 per cent of IA (IIARF, 2015a) does this.

2.2 Qualification and quality improvement

For years, the “Standards“ have already been demanding continuing professional
development (Standard no. 1230) and the maintenance and improvement of auditing quality
with the setup of quality assurance systems, internal and external assessments, performance
measurement and reporting (Standard 1310-1322). Furthermore, core competences for IA
were defined and empirically investigated (IIARF, 2016; IIA, 2013 and IIARF, 2010b).
Currently, global IA invests on average 46 h on professional training per auditor, whereas the
corporate average is only 11 h (working) per year (IIARF, 2016 and Statistisches Bundesamt,
2016). Also, the working experience, for example, of chief audit executives (CAEs), has
increased from 6.2 to 6.8 years of experience (IIARF, 2010a and IIARF, 2016). Additionally,
the level of professional certification at the CAE level jumped from 41 per cent in 2006 to 53
per cent in 2015 (IIARF, 2016).

2.3 Utilization of audit technology

IA must have “sufficient knowledge of key information technology risks and controls and
available technology-based audit techniques” to perform the assigned work (Standard
1210.A3). In fact, IA has improved a lot over the past years, especially in the “field of
technology”, as Table III suggests.

IT-Tools in use of IA 2010 (%) 2015 (%)

Electronic workpapers 54 86
Data analytics and review 63 76
Data mining 48 76
Computer-assisted audit technique 47 70
Continuous auditing 31 69
Table III.
IT tools in use of IA Source: IIARF (2010b and 2015b)
With that significant growth of use of technology, IA is nowadays in the position to work Internal
more efficiently and effectively than years ago. Consider the near endless potential of data auditing
analysis: currently, files with 500,000 data sets or more can be extracted from databases,
joined with other files and prepared for further analysis within seconds or minutes. IA does
no manual random checks of paper-based invoices or other relevant documents anymore, but
100 per cent checks the same documents as digital data. Therefore, the auditing result must
be more effective. 325
Not only direct indicators, such as the strategic fraud orientation, qualification and
quality improvement, but also more use of audit technology reflect the growing
professionalization of IA. Therefore, it is probably no coincidence that the management in
73.7 per cent of all organizations decided to implement IA as one control function within the
internal anti-fraud system (ACFE, 2016). This number has been steadily increasing from 68.2
per cent since 2010 (ACFE, 2010). Another indicator seems to be the remarkable acceptance
of the IA, because 12.3 per cent of all internal and external whistleblowers contacted IA first
and not the existing fraud-hotline (ACFE, 2016).

3. Space for improvement

Despite the positive anti-fraud trend of IA, some empirical data also indicate further space for
improvement of anti-fraud auditing, especially at:
• weak or missing internal controls not identified by IA;
• improvable self-perception; and
• questionable acceptance of anti-fraud responsibility by IA.

These major weaknesses of anti-fraud IA are explained in the following.

3.1 Weak or missing controls not identified by internal auditing

As per its professional definition, IA has the responsibility “to evaluate and improve
the effectiveness of risk management, control, and governance processes” (IIA, 2017). On the
other hand, the real anti-fraud effectiveness of IA seems limited within the context of the current
“ACFE Fraud Report”. It listed several control weaknesses which promoted the 2,410 fraud cases
in the “Report” (ACFE, 2016), such as:
• lacking internal controls (29.3 per cent);
• overriding existing internal controls (20.3 per cent);
• missing management review (19.4 per cent);
• poor tone at the top (10.4 per cent); and
• absence of competent personnel in oversight roles (6.4 per cent).

How can the IA be effective if almost 50 per cent of all frauds resulted from an override or
even a lack of internal controls and why could IA not identify those working processes and
risk-prone activities with no internal controls? Of course, each single fraud case has its own
sophisticated concept of deception. But IA needs probably more focus on controls of the
controls – whether they really work as intended. To achieve that, the already existing trend
of more surprise audits of IA (ACFE, 2016) points in the right direction. Another approach is
to embed creative, innovative and risk-oriented thinking into IA. Think less of what
JFC happened in the past and more of what might become the most dangerous thing in the future.
24,2 Also, always ask for corresponding internal controls!

3.2 Self-perception of internal auditing improvable

A “self-reflection bias” occurs when” people systematically overestimate their ability
and performance” (Kruger and Dunning, 1999). This social-scientific phenomenon
326 occurs almost everywhere, but also at IA? Yes, if the following is considered: globally,
only 6 per cent of internal auditors are fraud-educated, for example, by the achievement
of relevant diplomas such as the CFE certificate. But, about 60 per cent of all internal
auditors think that they possess a sound knowledge in the field of anti-fraud. About 25
per cent of them even see themselves as “anti-fraud experts” (IIARF, 2015a). This level of
overconfidence may indicate that they might be “unaware of the specialized knowledge
needed to effectively respond to fraud risk”, remarks the IIA critically (IIARF, 2015a).
Therefore, it is recommended to:
• continuously increase the number of fraud-relevant trainings and certificates;
• develop and expand the joint auditing approach consisting of a combination of IA and
specialists (e.g. legal, fraud investigation experts) to insource fraud-relevant
knowledge and to improve the own fraud effectiveness; and
• ask for feedback on the quality of anti-fraud activity of IA from internal management,
board directors and other relevant people such as external statutory auditors.

3.3 Questionable acceptance of anti-fraud responsibility by internal auditing

In the light of the fraud-relevant auditing “Standards” and the global professionalization of
IA, it seems contradictory that there still are internal auditors denying anti-fraud
responsibility or 17 per cent who even do not see any responsibility of IA for preventing
fraud (IIARF, 2015a). Neither responsibility for fraud detection (12 per cent) nor for fraud
prevention (17 per cent) seems just as wrong as “all of the responsibility” (6 per cent), because
a sole responsibility of IA “goes against the concept of internal audit independence and the
Three Lines of Defense Model” (IIARF, 2015a).
The 80 per cent of the unclear anti-fraud responsibility of IA should be clarified by
avoiding misinterpretation and loss of IA’s anti-fraud responsibility for certain aspects of
fraud prevention and detection, such as “investigating suspected fraud, facilitating fraud
risk assessments, monitoring the whistleblower hotline, auditing management’s anti-fraud
controls, and providing fraud awareness training” (IIARF, 2015a).

4. Outlook
Anti-fraud IA is on the right track! The development of IA within the past decades was
successful, although there is still space for improvement. But, the empirical data are
impressive: IA is now the second important governance control within the worldwide
ranking of fraud detection sources.
Whether IA can even further increase its anti-fraud effectiveness will depend on the
continuous professionalization of IA in conjunction with the management of the
weaknesses that were identified in this paper, such as a stronger auditing focus on
ineffective internal controls, the adjustment of the existing “self-reflection bias” and the
agreement on the takeover of anti-fraud responsibility by IA. Furthermore, the “five
ways to improve IA’s approach to fraud risk” (IIARF, 2015a) should also be reconsidered
(e.g. establishing IA’s role regarding fraud, educate management about fraud risk, be
proactive in addressing fraud risk, build a database of lessons learned and create access
to the right skills).
 The “2018 ACFE-Fraud Report” will possibly reflect whether the further professionalization Internal
of IA will lead to even more effectiveness of anti-fraud auditing than what is currently. Important auditing
characteristic figures will then be the same as nowadays: ranking and percentage of IA among
the top fraud-detection sources, global spread of IA in percentage as anti-fraud control and
anti-fraud effectiveness of IA in percentage. But, at the moment and apart from these “hard facts”,
the forecasted trend seems promising – that 25 per cent of worldwide CAEs foresee an “increase
in IA focus of fraud risk” (IIARF, 2015a).
327
References
ACFE (2010), Report to the Nations on Occupational Fraud and Abuse – 2010 Global Fraud Study,
ACFE, available at: www.acfe.com/rttn2016/resources/archives.aspx (accessed 29 March 2017).
ACFE (2016), Report to the Nations on Occupational Fraud and Abuse – 2016 Global Fraud Study,
ACFE, available at: www.acfe.com/rttn2016.aspx (accessed 29 March 2017).
IIA (2013), The IIA Global Internal Audit Competency Framework, IIA, available at: https://na.theiia.
org/about-us/Public%20Documents/The%20IIA%20Global%20Internal%20Audit%20
Competency%20Framework.pdf (accessed 29 March 2017).
IIA (2017), International Standards for the Professional Practice of Internal Auditing, IIA, available at:
https://na.theiia.org/standards-guidance/mandatory-guidance/Pages/Standards.aspx (accessed
29 March 2017).
IIARF (2010a), Characteristics of an Internal Audit Activity – Global Internal Audit Survey [CBOK,
Report 1], IIARF, available at: https://na.theiia.org/iiarf/Pages/Historical-List-of-CBOK-Reports.
aspx (accessed 29 March 2017).
IIARF (2010b), Core Competencies for Today’s Internal Auditor – Global Internal Audit Survey [CBOK,
Report 2], IIARF, available at: https://na.theiia.org/iiarf/Pages/Historical-List-of-CBOK-Reports.
aspx (accessed 29 March 2017).
IIARF (2015a), in Araj, F.G. (Ed.), Responding to Fraud Risk: Exploring Where Internal Auditing Stands
[CBOK], IIARF, available at: https://na.theiia.org/iiarf/Pages/CBOK-Research-Resource-
Library.aspx (accessed 29 March 2017).
IIARF (2016), in Iyer, V. (Ed.), CAE Career Paths: Characteristics and Competencies of Today’s Internal
Audit Leaders [CBOK], IIARF, available at: https://na.theiia.org/iiarf/Pages/CBOK-Research-
Resource-Library.aspx (accessed 29 March 2017).
Kruger, J. and Dunning, D. (1999), “Unskilled and unaware of it: how difficulties in recognizing one’s
own incompetence lead to inflated self-assessments”, Journal of Personality and Social
Psychology, Vol. 6 No. 1, pp. 1121-1134.
Statistisches Bundesamt (2016), Weiterbildung [Federal Statistical Office of Germany], available at:
www.destatis.de/DE/Publikationen/Thematisch/BildungForschungKultur/Weiterbildung/
BeruflicheWeiterbildung.html (accessed 29 March 2017).

Further reading
ACFE (2012), Report to the Nations on Occupational Fraud and Abuse – 2012 Global Fraud Study,
ACFE, available at: www.acfe.com/rttn2016/resources/archives.aspx (accessed 29 March 2017).
ACFE (2014), Report to the Nations on Occupational Fraud and Abuse – 2014 Global Fraud Study,
ACFE, available at: www.acfe.com/rttn2016/resources/archives.aspx (accessed 29 March 2017).
IIA (2016), Internal Audit and the Second Line of Defense, IIA, available at: https://na.theiia.org/
standards-guidance/Member%20Documents/PG-Internal-Audit-and-the-Second-Line-of-
Defense.pdf (accessed 29 March 2017).
IIARF (2015b), in Cangemi, M.P. (Ed.), Staying a Step Ahead: Internal Audit’s Use of Technology
[CBOK], IIARF, available at: https://na.theiia.org/iiarf/Pages/CBOK-Research-Resource-
Library.aspx (accessed 29 March 2017).
JFC Appendix 1
24,2

328

Figure A1.
IA among the top five
initial detections of
occupational fraud

Appendix 2

80.0%
73.7%
70.0% 68.4% 70.6%
68.2%
60.0%

50.0%

40.0%

30.0%

20.0% 20.4% 21.1% 22.4%

20.0%

10.0%

0.0%
2010 2012 2014 2016
Figure A2.
Existence of IA and Existence of IA as an-fraud control Probability of Fraud Detecon by IA
probability of fraud
detection by IA Note: ACFE (2010-2016)

Corresponding author
Hans-Ulrich Westhausen can be contacted at: hans-ulrich.westhausen@t-online.de

For instructions on how to order reprints of this article, please visit our website:
www.emeraldgrouppublishing.com/licensing/reprints.htm
Or contact us for further details: permissions@emeraldinsight.com