
At the risk of getting myself in trouble with the Institute of Internal Auditors (IIA) leadership (again): if internal audit is to be promoted from providing assurance on mundane issues that don't matter to the leaders of an organization to a seat at the head table alongside those leaders, a change is needed.

The first part of this article is about fraud; then we'll consider the larger picture.

Considering Fraud Control

Reading the latest position paper from the IIA highlighted a set of problems for me. "Fraud and Internal Audit: Assurance over Fraud Controls Fundamental to Success" (2019) correctly quotes a number of IIA Standards (1210.A2 and 2120.A2) but, in my opinion, provides faulty advice.

The paper gets this right:

  • Organizations should have robust internal control procedures to limit the risk of fraud, and internal audit’s role is to assess these controls. [Note: I will return to the last part of the sentence.]
  • The organization should have a suitable fraud prevention and response plan in place allowing effective limitation and swift response to the identification of fraud and management of the situation. This should include digital data.
  • Internal auditors should not investigate fraud unless they have the specific experience and expertise required to do so.

But it is wrong, as I will explain in a moment, when it says:

  • The risk of fraud should be included in the audit plan and each audit assignment to evaluate the adequacy of anti-fraud controls.
  • The chief audit executive (CAE) should consider how the risk of fraud is managed across the organization and assess the fraud risk exposure periodically.


Understanding the Role of the Chief Audit Executive

The IIA is currently a strong supporter of the so-called three lines of defense. In the paper, it (correctly) states that: "It is not internal audit’s direct responsibility to prevent fraud happening within the business. This is the responsibility of management as the first line of defense."

Not only is it management’s responsibility to have appropriate controls to deter, prevent and detect fraud but it should also be responsible for assessing the risk of fraud. In other words, internal audit should NOT be automatically held responsible for assessing the risk of fraud — just as it is not responsible for assessing the risks of credit default, an economic downturn, the failure of a new product or the loss of key employees.

Internal audit can assist management by facilitating a fraud risk assessment, but management should make the decision both on the level of risk and whether it is acceptable. Internal audit can provide their opinion and advice on both.

In an ideal world, management (perhaps through its risk function) will assess the risk of fraud. In that case, the CAE and team should obtain assurance that management’s risk assessment is adequate.

  • If it is adequate, and contrary to this guidance from the IIA, the CAE should place reliance on management’s assessment rather than duplicating it unnecessarily.
  • If it is not adequate, the CAE reports that to top management and the board and provides advice and insight to help management upgrade its risk assessment processes. Internal audit can then (as it does for all enterprise risks) perform its own assessment for the purpose of developing the audit plan.

I have yet to live in an ideal world. Except for when I was both chief risk officer and CAE, there was no risk function and no enterprise risk assessment other than that my team performed. We completed a fraud risk assessment, but it was on behalf of management — consistent with the three lines of defense.

Once the fraud risk assessment has been completed, internal audit has to determine how to consider the risk of fraud in its audit planning.

Contrary to the IIA guidance, attention to fraud risk should not be automatic. Fraud does not have to be included in the audit plan or included in the scope of one or more audits. It should only be addressed when the level of risk justifies it. If you prioritized all enterprise risks and fraud came in at #20 but you could only perform 15 audits, I would not expect you to include the risk of fraud in an audit. The exception would be when the board requests that you perform such an audit, despite the relatively low level of risk (relative to other sources of risk).

I would also not expect you (except when directed by the audit committee) to automatically evaluate the anti-fraud controls in every business unit, as dictated by the IIA guidance. That leads you to auditing what might be a risk to the business unit but is not a risk to the enterprise as a whole. Audit what happens at a business unit that is a source of risk to the enterprise as a whole.


Audits Need to Take an Enterprise-Level View

That brings us to the continuing failure of the IIA Standards to promote an enterprise-level risk-based audit plan.

The Standards are right here, the Interpretation of Standard 2010 — Planning: "To develop the risk-based plan, the chief audit executive consults with senior management and the board and obtains an understanding of the organization’s strategies, key business objectives, associated risks, and risk management processes. The chief audit executive must review and adjust the plan, as necessary, in response to changes in the organization’s business, risks, operations, programs, systems, and controls."

But wrong here (note the repeated references to "the activity" rather than the organization), in Standard 2201 — Planning Considerations:

  • In planning the engagement, internal auditors must consider:
    • The strategies and objectives of the activity being reviewed and the means by which the activity controls its performance.
    • The significant risks to the activity’s objectives, resources, and operations and the means by which the potential impact of risk is kept to an acceptable level.
    • The adequacy and effectiveness of the activity’s governance, risk management, and control processes compared to a relevant framework or model.
    • The opportunities for making significant improvements to the activity’s governance, risk management, and control processes.

This is also wrong, in Standard 2210 — Engagement Objectives, 2210.A1: "Internal auditors must conduct a preliminary assessment of the risks relevant to the activity under review. Engagement objectives must reflect the results of this assessment."

Internal audit’s job is to provide the board and top management with assurance, advice and insight on the achievement of enterprise objectives through the provision of controls over the more significant risks to those objectives.

Have a second look at Standard 2010. It speaks, as it should, about the organization, not individual activities (i.e., business units and such) within the organization.

Standards 2201 and 2210 need to be changed. Otherwise, auditors will continue to follow the traditional process of:

  • Risk-prioritizing the audit universe, a list of auditable entities and processes.
  • Building the audit plan to include activities within the entities that rise to the top.
  • Assessing the risks to each activity while defining the scope of each audit of an entity.

This leads to providing assurance on what matters to middle management (the people running each individual entity), not assurance on enterprise-level risks, which is what matters to the board and top management.

The better approach is to:

  • Prioritize a risk universe (and discard the audit universe as obsolete).
  • Identify which activities at which entities and in which processes are sources of enterprise-level risks. (For example, if the theft of intellectual property is an enterprise risk of significance, where are the activities and related controls that need to be audited to provide assurance on the enterprise risk?)
  • Build the audit plan with an appropriate combination of entity-level (e.g., corporate) and business unit/process-level audits to provide the assurance, advice, and insight management needs.

I talk about this extensively in "Auditing That Matters," my book on internal auditing. For example, I discuss the enterprise-level risks of significance at each of my former companies, how they differed from the traditional areas of internal audit attention, and how focusing on them led to internal audit becoming even more than the trusted advisor suggested by Richard Chambers. I also talk about how to staff the internal audit function to provide advice and insight that matters, and how to communicate what matters, when it matters, to leaders.

I welcome your comments.