How to help internal audit reduce fraud losses
The following interview was published in CGMA Magazine on a forum that was conducted by a panel of internal auditors and fraud examiners at the Association of Certified Fraud Examiner 2017 Global Fraud Conference
Improving internal auditors’ ability to detect fraud can lower losses businesses suffer worldwide from corruption, asset misappropriation, and financial statement fraud.
To improve internal audit’s success in detecting fraud, a panel of internal auditors and fraud examiners at the Association of Certified Fraud Examiners’ 2017 Global Fraud Conference addressed the most common challenges.
Panel members were Mary Breslin, founder and managing partner at Empower Audit Training and Consulting, which provides services in risk and control management in 30 countries; David Hildebrand, CPA, who leads Accenture’s internal audit group for financial and operational audits in the Americas; and Jennifer Sunu, director of compliance at the National Futures Association. The moderator of the panel, Tom McClellan, CPA, CGMA, is director of compliance assurance at GM and works closely with internal audit.
What role should internal auditors have in fraud prevention and detection in their organisation? Should it be detection and research only, or interviewing and interrogating, and working with the parties?
Hildebrand: Our inside legal team typically takes the lead on any interviewing and working with the authorities. However, internal audit can provide incredible insight to the detection, root cause, and providing the necessary research to support an investigation. We can add value to the investigation due our depth of knowledge of the control environment and technical accounting. Our legal team is responsible for working with the authorities and disciplining employees, but ultimately they rely on internal audit for financial and controls expertise.
Should the investigative skillset be invested in a core group in internal audit, or should each internal auditor have a basic-level knowledge?
Sunu: We require all our auditors to have the basic-level knowledge of how fraud can be detected. We also have people with special skillsets that we feel are necessary in our industry. We hire people who know about futures trading because that is the industry we regulate. People that have worked at various futures trading firms and understand the controls at firms and know where the bodies may be buried.
Breslin: I want everybody in my group to have the basic-level knowledge and understanding, but I also look for specialists. I always try to have somebody who’s a data analysis specialist – who is usually very knowledgeable about the IT system – and team him or her up with a subject-matter expert on the actual process itself. I want to understand how the data and the transactional information is being created at the front end and what opportunities are there, and then I want somebody who’s a financial statement expert. Somebody who really understands the accounting and what things should look like. I put them together, and hopefully we can unravel and figure out what’s going on.
How do you get sufficient resources for your internal audit investigative function?
Hildebrand: We leverage our existing resource pool across our global internal audit team, collaborating with our corporate investigations team in legal to ensure we retain privilege.
McClellan: We try to leverage other teams, especially internal audit. We also make sure we have a very broad range of experiences on the internal audit team, including exposure to investigative functions.
When should the internal audit team stop and ask for fraud specialists to investigate an issue?
Breslin: One of the struggles I used to have as chief auditor was that my team would do a pseudo-investigation because of gossip they heard. That creates a lot of problems. As a result, we came up with rules, like, “If you hear something like that, these are the questions you have to ask when you think you’ve got something. When you ask these three questions, you stop and you come back to management and management will make the decision whether we are going to continue with the audit, whether we’re going to start an investigation, whether we’re going to stop the audit and start an investigation, or whether we’re going to do an audit and an investigation simultaneously.”
How do you find fraud in professional services billing?
Breslin: It’s easier to prevent than to detect, because the big opportunity that exists with professional services is that professional services invoices usually don’t give you a detailed account of what you’re billed for. I recommend to require detailed billing in the contracts with professional services.
Hildebrand: We review a portfolio of vendor analytics on a regular basis. Some people are very creative in the way they plan a kickback scheme. One of the things we found is individuals who manipulate the bill rates by $1 or $2 per person, which adds up quickly.
McClellan: I found that a clear contractor statement of work at the beginning is helpful. That gives the folks who are reviewing invoices something to check against.
Traits of a good fraud examiner
Accounting and auditing knowledge, including an understanding of how to leverage data analytics, are technical skills job candidates for internal audit positions should have, the panel members said. To recruit an internal auditor with potential as a fraud examiner, also look for these soft skills:
Cognitive ability. In recruiting interviews, ask job candidates for internal audit positions how they would commit fraud against the company. Good candidates identify typical vulnerabilities in their answer. Great candidates walk the recruiter through the thought process they would apply if faced with the issue.
Confidence. Auditors and fraud examiners must ask hard questions and encounter difficult situations to do their job well. To test job candidates’ confidence, challenge them in recruiting interviews and see whether they push back. If they lack confidence in the job interview, they might not be confident interviewing others in investigations.
Willingness to challenge the status quo. Look for job candidates who are willing to challenge existing policies and make improvements that match the needs of the business and reduce risk.
Communication. To investigate fraud, auditors must be able to put people they interview at ease and be able to help others understand fraud schemes that can be very complex. Good communication skills are critical on the job.
— Sabine Vollmer (Sabine.Vollmer@aicpa-cima.com) is a CGMA Magazine senior editor.