www.emeraldinsight.com/1359-0790.htm
JFC 24,2
The escalating relevance of internal auditing as anti-fraud control
Hans-Ulrich Westhausen
ANWR GROUP eG, Mainhausen, Germany
Abstract
Purpose – The purpose of this paper is to discuss critical success factors for the enormous development that
internal auditing (IA) as “third line of defense” (IIA, 2016) and one of the strongest anti-fraud controls has
reached within the past decades. Additionally, weaknesses of IA are identified and evaluated to allow further
improvement.
Design/methodology/approach – The anti-fraud requirements stipulated in the “International
Standards for the Professional Practice of Internal Auditing” are confronted with empirical data about
the current situation of the IA as anti-fraud control. The empirical data were extracted from global
sources such as “Fraud Reports” (Association of Certified Fraud Examiners – ACFE) and “common body
of knowledge (CBOK)” studies (The Institute of Internal Auditors – IIA).
Findings – Over the years, IA has been continuously increasing its auditing quality and effectiveness
with new analytical methods, specialized software tools and professional certifications. But all these
efforts have hardly been reflected in statistical or research data, especially not in the listing of the top
sources of fraud detection. The “ACFE-Fraud Report 2016” revealed that IA is now – for the first time
ever – second among the initial detections of occupational frauds (financial statement fraud, corruption
and asset misappropriation) worldwide. This positive trend of global anti-fraud auditing was probably
no “one-hit wonder”, but a result of a lengthy process of professionalization of IA.
Originality/value – It is hoped that this paper will facilitate the discussion about the value that IA can add
within an anti-fraud management system.
Keywords Internal auditing, Occupational fraud, Three lines of defense
Paper type Viewpoint
1. Background
Following tighter compliance requirements, never-ending corporate scandals and increasing
efforts to get released from liability by corporate management, internal auditing (IA) has
turned into a “Jack of all trades device”. Apart from its original auditing mandate, IA faces
more and more multifunctional tasks such as risk management, compliance or data
protection. This trend requires IA to bridge the gap between less available capacity for
operative auditing and the mandatory responsibility for the enhancement and protection of
organizational value by providing a “risk-based and objective assurance, advice and insight”
(IIA, 2017).
Within that “professional gap”, there is also the responsibility of IA in detecting,
preventing and monitoring fraud risks and addressing those risks in audits and
investigations (anti-fraud auditing). With respect to fraud, the “International Standards for
the Professional Practice of Internal Auditing” (Standards) strongly demand sufficient
knowledge (Standard no. 1210.A2), due professional care (1220.A1), regular reporting to
senior management (2060) and the consideration of fraud during audit planning and
evaluation (2120.A2 and 2210.A2).
Journal of Financial Crime, Vol. 24 No. 2, 2017, pp. 322-328. © Emerald Publishing Limited, 1359-0790. DOI 10.1108/JFC-06-2016-0041
A change in the perspective from theory to practice leads to the question how good IA is
with anti-fraud auditing. As an “empirical answer”, the Association of Certified Fraud
Examiners (ACFE) released its “ninth and most extensive fraud report” (ACFE, 2016). A
record high of 2,410 occupational fraud cases from 114 countries with a total loss of US$6.3bn
formed this latest empirical update of worldwide anti-fraud data. Although general changes
to prior ACFE reports (2010-2014) were mostly minor, the anti-fraud results with focus on IA
were significant:
• For the first time ever, IA had taken the second place worldwide as initial fraud
detection source (16.5 per cent) after the whistleblower tip (39.1 per cent), but clearly
before the management review (13.4 per cent). See Appendix 1 and Table I (in
“References”) for further details.
• Besides its improved ranking among the top fraud-detection sources, IA has also been
steadily raising its global spread as anti-fraud control from 68.2 per cent (2010) to 73.7
per cent (2016). Additionally, IA has increased its anti-fraud effectiveness from 20.4
per cent (2010) to 22.4 per cent (2016). See Appendix 2 and Table II (in “References”) for
further details.
• Another remarkable fact is that IA creates measurable “anti-fraud value”. In
organizations that implemented the function of IA, the average loss and the duration of
frauds were significantly lower and shorter than without IA. With presence of IA, the
median loss per fraud case was reduced by 42.8 per cent from US$215,000 to US$123,000
and the duration by 50.0 per cent from 24 to 12 months (ACFE, 2016).
2. Discussion
Although these positive changes in IA might seem marginal or “statistical”, they are
probably not. Rather, they are the results of a continuous striving for the
professionalization of IA as “third line of defense” over the past decades. To substantiate this
opinion, three key factors will be discussed in the following:
Detection categories 2010 (%) 2012 (%) 2014 (%) 2016 (%)
Electronic workpapers 54 86
Data analytics and review 63 76
Data mining 48 76
Computer-assisted audit technique 47 70
Continuous auditing 31 69
Table III. IT tools in use of IA
Source: IIARF (2010b and 2015b)
With that significant growth of use of technology, IA is nowadays in the position to work
more efficiently and effectively than years ago. Consider the near endless potential of data
analysis: currently, files with 500,000 data sets or more can be extracted from databases,
joined with other files and prepared for further analysis within seconds or minutes. IA no
longer does manual random checks of paper-based invoices or other relevant documents, but
checks 100 per cent of the same documents as digital data. Therefore, the auditing result must
be more effective.
Not only direct indicators, such as the strategic fraud orientation, qualification and
quality improvement, but also more use of audit technology reflect the growing
professionalization of IA. Therefore, it is probably no coincidence that the management in
73.7 per cent of all organizations decided to implement IA as one control function within the
internal anti-fraud system (ACFE, 2016). This number has been steadily increasing from 68.2
per cent since 2010 (ACFE, 2010). Another indicator seems to be the remarkable acceptance
of the IA, because 12.3 per cent of all internal and external whistleblowers contacted IA first
and not the existing fraud-hotline (ACFE, 2016).
How can the IA be effective if almost 50 per cent of all frauds resulted from an override or
even a lack of internal controls and why could IA not identify those working processes and
risk-prone activities with no internal controls? Of course, each single fraud case has its own
sophisticated concept of deception. But IA probably needs more focus on controls of the
controls – whether they really work as intended. To achieve that, the already existing trend
of more surprise audits of IA (ACFE, 2016) points in the right direction. Another approach is
to embed creative, innovative and risk-oriented thinking into IA. Think less of what
happened in the past and more of what might become the most dangerous thing in the future.
Also, always ask for corresponding internal controls!
4. Outlook
Anti-fraud IA is on the right track! The development of IA within the past decades was
successful, although there is still space for improvement. But the empirical data are
impressive: IA is now the second most important governance control within the worldwide
ranking of fraud detection sources.
Whether IA can even further increase its anti-fraud effectiveness will depend on the
continuous professionalization of IA in conjunction with the management of the
weaknesses that were identified in this paper, such as a stronger auditing focus on
ineffective internal controls, the adjustment of the existing “self-reflection bias” and the
agreement on the takeover of anti-fraud responsibility by IA. Furthermore, the “five
ways to improve IA’s approach to fraud risk” (IIARF, 2015a) should also be reconsidered
(e.g. establishing IA’s role regarding fraud, educate management about fraud risk, be
proactive in addressing fraud risk, build a database of lessons learned and create access
to the right skills).
The “2018 ACFE-Fraud Report” will possibly reflect whether the further professionalization
of IA will lead to even more effectiveness of anti-fraud auditing than at present. Important
characteristic figures will then be the same as nowadays: ranking and percentage of IA among
the top fraud-detection sources, global spread of IA in percentage as anti-fraud control and
anti-fraud effectiveness of IA in percentage. But, at the moment and apart from these “hard facts”,
the forecasted trend seems promising – that 25 per cent of worldwide CAEs foresee an “increase
in IA focus of fraud risk” (IIARF, 2015a).
References
ACFE (2010), Report to the Nations on Occupational Fraud and Abuse – 2010 Global Fraud Study,
ACFE, available at: www.acfe.com/rttn2016/resources/archives.aspx (accessed 29 March 2017).
ACFE (2016), Report to the Nations on Occupational Fraud and Abuse – 2016 Global Fraud Study,
ACFE, available at: www.acfe.com/rttn2016.aspx (accessed 29 March 2017).
IIA (2013), The IIA Global Internal Audit Competency Framework, IIA, available at:
https://na.theiia.org/about-us/Public%20Documents/The%20IIA%20Global%20Internal%20Audit%20Competency%20Framework.pdf
(accessed 29 March 2017).
IIA (2017), International Standards for the Professional Practice of Internal Auditing, IIA, available at:
https://na.theiia.org/standards-guidance/mandatory-guidance/Pages/Standards.aspx (accessed
29 March 2017).
IIARF (2010a), Characteristics of an Internal Audit Activity – Global Internal Audit Survey [CBOK,
Report 1], IIARF, available at: https://na.theiia.org/iiarf/Pages/Historical-List-of-CBOK-Reports.aspx
(accessed 29 March 2017).
IIARF (2010b), Core Competencies for Today’s Internal Auditor – Global Internal Audit Survey [CBOK,
Report 2], IIARF, available at: https://na.theiia.org/iiarf/Pages/Historical-List-of-CBOK-Reports.aspx
(accessed 29 March 2017).
IIARF (2015a), in Araj, F.G. (Ed.), Responding to Fraud Risk: Exploring Where Internal Auditing Stands
[CBOK], IIARF, available at: https://na.theiia.org/iiarf/Pages/CBOK-Research-Resource-Library.aspx
(accessed 29 March 2017).
IIARF (2016), in Iyer, V. (Ed.), CAE Career Paths: Characteristics and Competencies of Today’s Internal
Audit Leaders [CBOK], IIARF, available at: https://na.theiia.org/iiarf/Pages/CBOK-Research-Resource-Library.aspx
(accessed 29 March 2017).
Kruger, J. and Dunning, D. (1999), “Unskilled and unaware of it: how difficulties in recognizing one’s
own incompetence lead to inflated self-assessments”, Journal of Personality and Social
Psychology, Vol. 6 No. 1, pp. 1121-1134.
Statistisches Bundesamt (2016), Weiterbildung [Federal Statistical Office of Germany], available at:
www.destatis.de/DE/Publikationen/Thematisch/BildungForschungKultur/Weiterbildung/BeruflicheWeiterbildung.html
(accessed 29 March 2017).
Further reading
ACFE (2012), Report to the Nations on Occupational Fraud and Abuse – 2012 Global Fraud Study,
ACFE, available at: www.acfe.com/rttn2016/resources/archives.aspx (accessed 29 March 2017).
ACFE (2014), Report to the Nations on Occupational Fraud and Abuse – 2014 Global Fraud Study,
ACFE, available at: www.acfe.com/rttn2016/resources/archives.aspx (accessed 29 March 2017).
IIA (2016), Internal Audit and the Second Line of Defense, IIA, available at:
https://na.theiia.org/standards-guidance/Member%20Documents/PG-Internal-Audit-and-the-Second-Line-of-Defense.pdf
(accessed 29 March 2017).
IIARF (2015b), in Cangemi, M.P. (Ed.), Staying a Step Ahead: Internal Audit’s Use of Technology
[CBOK], IIARF, available at: https://na.theiia.org/iiarf/Pages/CBOK-Research-Resource-Library.aspx
(accessed 29 March 2017).
Appendix 1
Figure A1. IA among the top five initial detections of occupational fraud
Appendix 2
Figure A2. Existence of IA and probability of fraud detection by IA (series: existence of IA as anti-fraud control; probability of fraud detection by IA; years 2010, 2012, 2014, 2016)
Note: ACFE (2010-2016)
Corresponding author
Hans-Ulrich Westhausen can be contacted at: hans-ulrich.westhausen@t-online.de