
Internal audit: supporting boards to manage fraud risk

Eddie Best

The Brydon report makes it clear that businesses need to be providing more information about what they’re doing to prevent and detect material fraud. We look at how you can use the ACFE playbook to decrease your risk.

Recent reviews into the audit market have highlighted expectations of what companies and their external auditors should be doing to prevent and detect material fraud. Given that the current economic climate has heightened the risk of fraud, we expect to see a greater focus on this area from management and audit committees.

While consideration of fraud has been a longstanding requirement for both directors and external auditors, there has been a lack of clarity around what is required. The Brydon report recognises this and recommends that obligations for companies and their auditors be clarified and expanded, specifically:

  • a new reporting duty on directors to set out the actions they have taken each year to prevent and detect material fraud
  • a requirement for external auditors to review and conclude on this statement
  • an expanded obligation for external auditors to endeavour to detect material fraud in all reasonable ways.

Assessing and strengthening internal audit fraud risk management frameworks

In our experience, while many companies have shown good practice in anti-fraud activity across their business, this is often fragmented with limited central knowledge, oversight or governance structures.

Grant Thornton US have recently partnered with the Association of Certified Fraud Examiners (ACFE) to publish an anti-fraud playbook, which provides a series of practical steps that businesses can take to assess and strengthen their fraud risk management framework. These align with the Committee of Sponsoring Organizations of the Treadway Commission's (COSO) five key principles, as set out below:

| COSO principle | Practical steps |
| --- | --- |
| Fraud risk governance | Understand where you are and where you want to be; create a culture that promotes fraud awareness |
| Fraud risk assessment | Think like a fraudster; discover what you don’t know |
| Fraud control activities | Use data to uncover fraud; knowledge is power, so offer targeted and role-based anti-fraud training |
| Fraud investigation and corrective action | Lay the groundwork for investigations; conduct investigations |
| Fraud risk management monitoring activities | Monitor your progress; report on your progress |

The role of internal audit

While management is responsible for fraud prevention and detection, internal audit should be considering how the business manages fraud risk and auditing relevant processes and controls. It’s likely that many internal audit teams will be asked to support a review of their company’s fraud risk management framework.

Here is what internal audit teams should consider and how the anti-fraud playbook can help:

Assessing the current state

The playbook includes an anti-fraud maturity assessment model, which is a useful tool. It can also facilitate conversations around future state aspirations.

Fraud risk assessment

The playbook includes a template and some practical guidance for identifying key fraud risk areas and related control activities.

Data analytics

This should be familiar to internal audit teams, and they can use their expertise to support the business in developing an anti-fraud analytics programme.

Monitoring controls and reporting

As the fraud risk framework matures, internal audit can also support the development of monitoring controls and reporting, so that the business can provide assurance that the programme is designed effectively and operating as intended.

Fitting it all together with internal audit

Unsurprisingly, there is a clear focus on what companies are doing to prevent and detect material fraud, with the Brydon report recommending greater disclosure of actions taken to address this and external auditors adopting a suspicious, rather than sceptical, mindset. Internal audit should look at existing fraud risk and assurance activities and consider how it all fits together. 

For more information on the playbook and pragmatic advice for how your organisation can review and strengthen its fraud risk management framework, contact Eddie Best.