Role of internal audit in fraud investigations

July 2003 Security Services & Risk Management

Internal audit is ideally placed to discover the anomalies that may be symptomatic of fraud - internal auditors should receive fraud aware-ness training and be at the forefront of management efforts to prevent and identify fraud.

However, I believe that they should only have a limited role in fraud investigation. Management defines internal audit's role, and in well-run corporations internal audit determines if a wide range of internal controls are operating properly and reports accordingly. The definition of internal control can be very broad and good internal audit departments will often identify opportunities for cost savings, efficiency improvements and innovations that extend far beyond the bread and butter of verifying such things as accounting controls. (No one should belittle the importance of accounting controls however, WorldCom's Internal Audit discovered the massive `expenses become fixed assets' fraud in the first place - but was disbelieved).

For internal audit to be truly effective, employees should regard it as a necessary, useful function and be prepared to be open with internal auditors and fully co-operative. This necessary trust can be fatally compromised if employees perceive that the auditors have a hidden agenda. Nothing will provoke this perception more readily than internal audit's high-profile involvement in fraud investigations. For example, if internal auditors undertake tough, confrontational interviews with employees suspected of malpractice or are seen to have a lead role in fraud investigation, employees will automatically connect every aspect of internal auditing with this 'Big Brother' role and the resulting suspicions will linger, undermining the department's effectiveness.

It is for this reason that internal auditors should not participate in the countermeasures to management fraud outlined above. These measures concentrate solely on fraud and its consequences for the individuals concerned and need a low-key, but tough approach to get the message across. This is definitely not a role for a friendly, helpful internal auditor!

There are other reasons for a limited internal audit role in fraud investigation and these concern effectiveness: internal auditors generally lack the training and experience to conduct tough interviews and do not have access to the resources needed to investigate effectively.

A fraud investigation may require, amongst other things:

* Analysis of accounting and other records.

* Interviews with employees and third parties.

* Intelligence gathering on suspects, which may include employees, contractors, customers, suppliers and other third parties outside the company.

* Telecommunications, electronic and physical surveillance.

* Computer forensics and data mining.

* Pretext and undercover operations.


The skill in conducting an investigation lies in identifying which resources and measures can be applied, when, how and to whom. Fraud investigations can irretrievably go off track if precipitous or inappropriate action is taken in the early stages and suspects allowed the opportunity to hide their tracks, destroy incriminating evidence or engineer some plausible excuse. An over-zealous auditor, accessing an employee's computer afterhours could not only find that the 'smoking gun' evidence he finds is inadmissible but that he is also facing an action for breaching the employee's privacy.

For these and other reasons, is it far preferable to engage outside specialists with the requisite experience to ensure that investigation reports and findings are privileged and that evidence obtained is admissible in court. This normally requires using both outside investigators to complete the assignment and fraud litigation lawyers to advise on human rights, computer-based evidence, telecommunications and email monitoring and other issues that must be addressed if the investigation is to be effective.

It would be desperately unfair and possibly dangerous for an organisation to force auditors to shoulder the responsibility for managing so many complex issues.

There are also other reasons to limit internal audit's involvement in fraud investigations. These relate to personal relationships and corporate memory.

Generally, internal auditors rotate to other positions in a corporation and are often sponsored by an originating department. Just imagine the dilemma facing an internal auditor who finds himself investigating his former (or future) boss. There is a saying: 'No good turn goes unpunished'. If out of a misguided sense of loyalty an auditor suppresses an investigation to let a friend or colleague off the hook he, or she, can be sure of two things: they have irretrievably compromised themselves and the friend or colleague will, in any case, resent them for the rest of their career.

There is also a more pragmatic reason for using the right outside resources: they are outsiders. In some cases, fraud investigations expose highly confidential information that relatively junior employees do not legitimately need to know. Experienced, professional fraud investigators are inured to the dramas of large corporations, they have seen it all before.

When they finish the assignment and go home the corporate memory goes with them. There is a saying: 'The hearts of the wise are the grave of secrets' - outside consultants may not be wise in all areas but the right ones do know how to keep their mouths shut.

For more information contact Paul Keyton,

Share this article:
Share via emailShare via LinkedInPrint this page

Further reading:

Ransomware predictions
Issue 1 2020 , Security Services & Risk Management
As we enter a new decade, Simon Jelley, VP of product management at Veritas, explores how ransomware is likely to continue evolving in the year ahead.

The HR environment in 2020
Issue 1 2020, iFacts , Security Services & Risk Management
As 2020 grabs hold of every one of us with great intent, we need to know what to be aware of when employing people or appointing vendors for our business.

The instruments for investigation
Issue 1 2020, Technews Publishing , Security Services & Risk Management
Regardless of the reason for investigation, the investigation is only as good as the investigators.

Nothing holds Eudricht back
Issue 1 2020, Sensor Security Systems , Security Services & Risk Management
In this personality profile, Eudricht Kotze talks of his journey overcoming adversity in the security industry.

Leaders in risk and security: You have to know it to manage it
Issue 1 2020, Technews Publishing , Security Services & Risk Management
Hi-Tech Security Solutions profiles Nash Lutchman, Senior Vice President and Head of Protection Services at Sibanye-Stillwater.

Drilling deeper into essential building management systems
Issue 1 2020 , Security Services & Risk Management
As the demand for the automation of security and other systems in buildings and large construction sites around the world grows, we are seeing an increase in the demand for building management systems.

From physical security to cybersecurity
Access & Identity Management Handbook 2020, Genetec , Cyber Security, Security Services & Risk Management
Genetec discusses the security-of-security concept as a means to protect cameras, door controllers and other physical security devices and systems against cybercriminal activity.

Biometrics in identity
Access & Identity Management Handbook 2020 , Access Control & Identity Management, Security Services & Risk Management
With multiple identity providers offering to manage digital identities for the general public, the root identity – the single sovereign trusted identity upon which all others are based – must start with government.

Success lies in planning
November 2019, Vox Telecom , Security Services & Risk Management
A safe and smart city will only be successful if it is planned properly, if there is buy-in from all the stakeholders and if it is managed efficiently.

Matching governance to context
November 2019, ContinuitySA , Security Services & Risk Management
When building resilience and planning for business continuity, take proportionality to heart, advises Michael Davies, CEO of ContinuitySA.