TIAPS Module 1 Audit and Assurance workbook
C.3 Fraud, IT, and Cybersecurity

In providing assurance, internal auditors must be attentive to all relevant risks and their potential to impact organizational objectives and priorities. The IPPF gives particular mention to two key risk areas: fraud and IT. For example, Standard 1210 – Proficiency has the following requirements:

1210.A2 Internal auditors must have sufficient knowledge to evaluate the risk of fraud and the manner in which it is managed by the organization, but are not expected to have the expertise of a person whose primary responsibility is detecting and investigating fraud.

1210.A3 Internal auditors must have sufficient knowledge of key information technology risks and controls and available technology-based audit techniques to perform their assigned work. However, not all internal auditors are expected to have the expertise of an internal auditor whose primary responsibility is information technology auditing. [53]

C.3.1 Fraud

IIA Internal Audit Competency Framework
Fraud:
General Awareness: Recognize types of fraud, fraud risk, and red flags for fraud.
Applied Knowledge: Evaluate the potential for fraud and how the organization detects and manages fraud risks; recommend controls to prevent and detect fraud and educate to improve the organization’s fraud awareness.
Expert: Apply forensic auditing techniques in fraud prevention, deterrence, and investigation. [54]

Fraud is referenced seven times in the Standards and is defined as:

Any illegal act characterized by deceit, concealment, or violation of trust. These acts are not dependent upon the threat of violence or physical force. Frauds are perpetrated by parties and organizations to obtain money, property, or services; to avoid payment or loss of services; or to secure personal or business advantage. [55]

[53] The International Professional Practice Framework, The Institute of Internal Auditors, 2016.
[54] Internal Audit Competency Framework, The IIA, 2022.
[55] The International Professional Practice Framework, The Institute of Internal Auditors, 2016.
Fraud may be perpetrated via measures such as:
• Claims for fictitious expenses or duplicate claims.
• Use of fake or stolen identity.
• Disbursements to fictitious vendors or beneficiaries.
• Unwarranted refunds.
• Lost or voided checks.
• Interception of goods received.
• Concealment through false accounting (such as capitalizing expenses, ignoring bad debts, mischaracterizing expenditure as “miscellaneous” or something else, and over- or under-reporting).
• Embezzlement of funds and other resources.

All parties within an organization have a responsibility to contribute to fighting fraud.

Organizational role:
Governing body and audit committee
Senior management
Those with first line roles
Those with second line roles

Role in fighting fraud:
• Ultimate responsibility for fraud risk governance.
• Lead by example.
• Set “tone at the top.”
• Ensure there are appropriate fraud risk management structures and processes in place.
• Ensure the internal audit plan is sufficiently attentive to fraud risk.
• Receive and respond to reports from internal auditing regarding the adequacy and effectiveness of fraud risk management.
• Receive and respond to reports from fraud risk experts, examiners, inspectors, external auditors, and others.
• Lead by example.
• Promote ethical conduct.
• Address suspicions of fraud when they surface.
• Provide training.
• Implement and maintain controls for fraud.
• Report incidents of fraud or suspected fraud.
• Provide specialist expertise in developing and implementing controls for fraud.
• Monitor and analyze the effectiveness of fraud risk management.

Internal auditors:
• Provide independent and objective assurance and advice on the adequacy and effectiveness of fraud risk governance, management, and control.
• Map and coordinate fraud risk assurance from internal and external providers.