printer friendly version

Role of internal audit in fraud investigations

Internal audit is ideally placed to discover the anomalies that may be symptomatic of fraud - internal auditors should receive fraud aware-ness training and be at the forefront of management efforts to prevent and identify fraud.

However, I believe that they should only have a limited role in fraud investigation. Management defines internal audit's role, and in well-run corporations internal audit determines if a wide range of internal controls are operating properly and reports accordingly. The definition of internal control can be very broad and good internal audit departments will often identify opportunities for cost savings, efficiency improvements and innovations that extend far beyond the bread and butter of verifying such things as accounting controls. (No one should belittle the importance of accounting controls however, WorldCom's Internal Audit discovered the massive `expenses become fixed assets' fraud in the first place - but was disbelieved).

For internal audit to be truly effective, employees should regard it as a necessary, useful function and be prepared to be open with internal auditors and fully co-operative. This necessary trust can be fatally compromised if employees perceive that the auditors have a hidden agenda. Nothing will provoke this perception more readily than internal audit's high-profile involvement in fraud investigations. For example, if internal auditors undertake tough, confrontational interviews with employees suspected of malpractice or are seen to have a lead role in fraud investigation, employees will automatically connect every aspect of internal auditing with this 'Big Brother' role and the resulting suspicions will linger, undermining the department's effectiveness.

It is for this reason that internal auditors should not participate in the countermeasures to management fraud outlined above. These measures concentrate solely on fraud and its consequences for the individuals concerned and need a low-key, but tough approach to get the message across. This is definitely not a role for a friendly, helpful internal auditor!

There are other reasons for a limited internal audit role in fraud investigation and these concern effectiveness: internal auditors generally lack the training and experience to conduct tough interviews and do not have access to the resources needed to investigate effectively.

A fraud investigation may require, amongst other things:

* Analysis of accounting and other records.

* Interviews with employees and third parties.

* Intelligence gathering on suspects, which may include employees, contractors, customers, suppliers and other third parties outside the company.

* Telecommunications, electronic and physical surveillance.

* Computer forensics and data mining.

* Pretext and undercover operations.

Skill

The skill in conducting an investigation lies in identifying which resources and measures can be applied, when, how and to whom. Fraud investigations can irretrievably go off track if precipitous or inappropriate action is taken in the early stages and suspects allowed the opportunity to hide their tracks, destroy incriminating evidence or engineer some plausible excuse. An over-zealous auditor, accessing an employee's computer afterhours could not only find that the 'smoking gun' evidence he finds is inadmissible but that he is also facing an action for breaching the employee's privacy.

For these and other reasons, is it far preferable to engage outside specialists with the requisite experience to ensure that investigation reports and findings are privileged and that evidence obtained is admissible in court. This normally requires using both outside investigators to complete the assignment and fraud litigation lawyers to advise on human rights, computer-based evidence, telecommunications and email monitoring and other issues that must be addressed if the investigation is to be effective.

It would be desperately unfair and possibly dangerous for an organisation to force auditors to shoulder the responsibility for managing so many complex issues.

There are also other reasons to limit internal audit's involvement in fraud investigations. These relate to personal relationships and corporate memory.

Generally, internal auditors rotate to other positions in a corporation and are often sponsored by an originating department. Just imagine the dilemma facing an internal auditor who finds himself investigating his former (or future) boss. There is a saying: 'No good turn goes unpunished'. If out of a misguided sense of loyalty an auditor suppresses an investigation to let a friend or colleague off the hook he, or she, can be sure of two things: they have irretrievably compromised themselves and the friend or colleague will, in any case, resent them for the rest of their career.

There is also a more pragmatic reason for using the right outside resources: they are outsiders. In some cases, fraud investigations expose highly confidential information that relatively junior employees do not legitimately need to know. Experienced, professional fraud investigators are inured to the dramas of large corporations, they have seen it all before.

When they finish the assignment and go home the corporate memory goes with them. There is a saying: 'The hearts of the wise are the grave of secrets' - outside consultants may not be wise in all areas but the right ones do know how to keep their mouths shut.

Share this article:

Further reading: