assessing fraud vulnerability by internal audit


  • 7/24/2019 assessing fraud vulnerability by internal audit


    GOVERNANCE, RISK AND COMPLIANCE

    Internal Audit

    Assessing Fraud Vulnerabilities

    kpmg.com/in

    Introduction

    Globalization has increased the scale and complexity of today's business environment. The velocity of change has created significant pressures on management to effectively maintain oversight of all operations. These challenging scenarios create various vulnerabilities in systems, procedures and frameworks for manipulation and frauds. The incentives and pressures to commit frauds, viz. financial gain, meeting targets, etc., have always existed. However, frauds happen when fraudsters get an opportunity to execute their intentions. The opportunity arises when they spot a weak link in the oversight process, inadequate controls, lack of proper accountability, unrestrained power to certain individuals, inadequate segregation and rotation of duties, excessive trust, etc. Some of these are simplistic internal control failures.

    According to KPMG in India's Fraud survey report 2012, 55 percent of the organizations surveyed had experienced fraud in the last 2 years. Executive management, who are responsible for establishing a robust control environment, and audit committees, who are responsible for effective oversight, are increasingly depending on the audit functions (internal and external) and various other assurance providers to provide them with the necessary information to gain insights and assurance on the control environment. Though the audit functions are not primarily responsible for identifying frauds within an organization, they have an implicit responsibility to identify fraud. Internal auditors and external auditors are the third line of defense. However, they are the only independent line of defense for various stakeholders. According to KPMG's survey, internal audit review was considered by stakeholders as the second most relied-upon method to detect fraud.

    While managing these challenges, internal audit teams should ensure that they stay relevant in today's times and equip themselves with the necessary skills, knowledge and tools to enhance their ability to identify frauds and discharge their responsibilities. Internal audit functions need to evaluate how vulnerable their internal procedures and abilities to discharge this role effectively are, and take measures to strengthen their approach.

    This paper defines certain key focus areas for internal audit teams to assist them in enhancing their role towards identifying vulnerabilities in the system for manipulation and fraud.

    2013 KPMG, an Indian Registered Partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (KPMG International), a Swiss entity. All rights reserved.


    The internal audit plan is the fundamental document that drives the assurance program within an organization. The audit plan is normally focused on the critical areas that matter the most. These are identified based on critical risks, inputs from various stakeholders, past experiences, etc. The plans are mainly geared to review operational processes, and an emphasis on strategic and cultural areas is often not included. To make them more holistic, internal audit plans should include the following:

    Assessing organization culture and governance structure

    The starting point of a robust fraud risk management framework is the organization's governance structure. The audit of the governance structure should include audit of the budgeting process, ethics policies and their implementation, quality of organizational teams, amount of work pressure on individuals, effectiveness of monitoring procedures by senior management, rotation procedures, alignment of the schedule of authority matrix, compliance framework, governance practices, performance incentives evaluation, segregation of duties, etc. Any weaknesses in these areas will create vulnerability for frauds, and hence it is important for internal auditors to focus on these areas as well, as part of their internal audit plan. This should be done by conducting independent interviews with several senior and middle level management team members.

    As organizations expand into various geographies and countries, they are exposed to different cultures and value systems. Some cultures are inherently more democratic, have relatively flat hierarchies, have relatively more formal work relationships, etc. Some cultures, on the other hand, encourage respecting authority, informal / familial relationships at work, etc. These cultural beliefs are deep seated. This could make certain cultures more conducive for / tolerant of frauds by superiors, authoritative figures, etc. Hence, it is important for internal audit teams also to assess the culture within various business organizations. This can be done through various risk culture surveys among employees. The outcomes and findings of these surveys can be used as inputs to strengthen the business and operating culture.

    Benchmark processes to industry practices

    One of Internal Audit's primary responsibilities is to review all key processes followed in an organization and provide assurance on their effectiveness. Internal Audit teams should not only focus on evaluating processes based on the information they have within the organization but also continuously benchmark the processes / practices followed by leading companies within and outside their sectors. This will give them the ability to challenge various practices followed by the company to identify vulnerabilities and complacency within processes. Constructive challenge of areas will throw up vulnerabilities in existing processes which may have been lying undetected under the garb of industry practices.


    Assess adequacy of Rotation Policy

    According to the Association of Certified Fraud Examiners 2012, the amount of fraud losses is positively correlated with the number of years the perpetrator has worked for the organization. Median losses caused by perpetrators in the first year of their job amounted to USD 25,000, while perpetrators with more than ten years of experience at the organization caused a median loss of USD 229,000.

    This finding underlines the importance of employee rotation. Internal auditors should also assess the quality of the company personnel performing certain roles and evaluate their skill sets to perform the job roles / descriptions assigned to them. Employees with a low level of skill sets (especially those who are performing the role of a checker) create vulnerabilities in the system for frauds going undetected or create vulnerability in the system for others to misuse. These assessments can be done by the internal auditors through discussions with process owners and understanding the manner in which they discharge their responsibilities. Internal auditors should also evaluate the time period for which an individual has been performing the defined role. In the past, frauds have been highlighted mainly when there has been a rotation in the employee performing a specified role. Periodic rotation and mandatory leaves should be encouraged.

    Ensuring seamless audit policy across entities

    Internal Audit teams also play an important role after new acquisitions, big outsourcing deals, large scale expansion, formation of subsidiaries, etc. Internal Audit should make sure that the company's policies are consistent in all subsidiaries and business units. Internal Audit functions should do dipstick reviews of the acquired entity or newly formed joint venture to assess the organizational culture, governance levels and also the strength of its internal control environment. Such a practice should be followed both for domestic as well as international acquisitions.

    Global acquisitions should not be ignored on account of cost implications, as the impact of any vulnerability may be severe and may not be recoverable from the seller after a particular time period as per the purchase / JV agreement.

    Building competencies and enhancing domain knowledge

    Internal audit functions also need to focus on enhancing their team skill sets and technology enablers to align them with the business requirements. Internal Audit team members need to have the necessary domain knowledge and also have skill sets in the IT applications being used by the organization. Many internal audit functions have separate forensic experts who complement the internal audit teams in reviewing processes to assess fraud vulnerabilities. The Chief Internal Auditor should ensure that personnel from their team undergo the necessary certification courses, like Certified Fraud Examiner, to enhance their skill sets, etc.


    Internal Audit teams should have sufficient domain knowledge in the relevant industry / area. Each industry has its unique characteristics. Sound understanding of these characteristics, seasonality in industry performance, the role played by technology, competition, etc. will help the Internal Audit team detect unusual / suspicious activity better. Hence, Internal Audit should have the requisite domain expertise on the business processes which are prone to frauds, namely technical processes, manufacturing, utility cost management, treasury, specialized procurement (e.g. cotton procurement, fuel procurement, e-procurement), logistics and distribution. They may need to seek assistance from third party experts in areas of specialization, e.g. Treasury reviews, IT security reviews, Commodity Hedging reviews, etc.

    Data analytics

    Considering the current geographic spread and also the segmental spread of companies across business, internal audit functions cannot function effectively without technology. The volume of data and information to be validated / reviewed requires automated control dashboards / System GRC tools and data analytics to evaluate information. Internal audit functions need to invest in these technologies and tools to drive efficiencies and value. Adequate business analytical skills are needed to relate information across various databases, interpret data and decide what should be analyzed. This requires Internal Audit functions to have personnel who are experienced in data modeling and data analysis. Internal Audit teams should leverage tools such as MIS, customized tools and software to prevent and detect frauds.

    Whistleblower Policy

    The whistleblower mechanism is arguably the most important channel for capturing employee or partner feedback on suspicious or potentially fraudulent behavior. According to the KPMG in India Fraud Survey 2012, whistleblower was the most effective mode of fraud detection.

    An anonymous hotline or whistleblower channel should be available to all employees, vendors and partners across geographies and around the clock. This will encourage reporting or flagging of potentially fraudulent activity. An anonymous call should be followed by an initial investigation by internal auditors or an external consultant. If the investigators find any merit in the complaint, they should escalate the matter to the management. The Companies Bill 2012 mandates listed companies to establish a vigil mechanism or a whistleblower mechanism for directors and employees.

    Considering significant pressures on margins due to intense competition, organizations have increasing expectations that internal audit function costs need to be recovered, and hence may also tend to evaluate the internal audit function based on cost savings noted and process improvements identified. It is important for organizations to note that the internal audit function has an onerous and primary responsibility to ensure that the control environment within an organization is robust enough to protect stakeholder interests. Hence it should mainly focus on risk and control evaluation, and cost reduction opportunities should only be a by-product where necessary and not a driving factor.

    Organizations and management should also take cognizance of the various internal audit findings and implement measures even if they are only vulnerabilities at a particular date. E.g. in the rogue trading case in a financial institution, it was later discovered that the financial institution's data analytics center had detected and warned the management about various irregularities. However, the management did not act promptly on the warning. Hence organizations should take issues such as segregation of duties, access control violations, rotation of employees, absence of maker-checker controls, unlimited value-based limits in systems, etc. very seriously, even if there have been no anomalies identified or immediate impact noted.


    Conclusion

    As the past has shown, tight controls and stringent penalties are not adequate in preventing frauds. Internal Audit professionals need to do much more in today's dynamic environment. Given the significant role Internal Audit plays in an organization's fraud risk management, it can no longer afford to take a back seat. It will have to be at the forefront in assisting management in setting up processes to prevent frauds in an organization.


    The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.


    The KPMG name, logo and "cutting through complexity" are registered trademarks or trademarks of KPMG International.

    Printed in India.

    KPMG in India Contacts

    Rajeev Batra

    Partner and Co-head

    Governance, Risk and Compliance Services

    T:+91 22 3090 1710


    Romal Shetty

    Partner and Co-head

    Governance, Risk and Compliance Services

    T:+91 180 3065 4100

