Heads of Internal Audit Virtual Forum

13 October 2021

Please note:

  • All Institute responses are boxed and highlighted in blue
  • Where the chair comments in that capacity, the box is highlighted in yellow
  • For confidentiality, the identities of all delegates/attendees are anonymised

Participants

Chair: Derek Jamieson - Director of Regions, Chartered IIA
Institute: John Wood - CEO, Chartered IIA
Institute: Liz Sandwith - Chief Professional Practices Advisor, Chartered IIA

Chair's opening comments

A reflection and challenge on the subject of fraud. It is in our standards (1210.A2) that we should consider the risk of fraud in all of our audits. The nature of fraud is diverse. Fraud is not a new crime, but it has evolved recently with the rise in technology and the internet.

With that in mind, the subject for today’s session is Fraud – have we got it covered?


Key takeaways

Damian Byrne, Director at KPMG said:

Trends:

  • The total value of fraud cases heard in UK courts in the first half of 2021 has fallen significantly due to the backlog of cases
  • The retrospective impact of controls hastily implemented or circumvented in response to the pandemic will be significant
  • Cybercrime has increased due to working remotely with reduced oversight and modified control structures, increasing opportunity for crime
  • Procurement fraud is increasing due to controls being circumvented in urgent circumstances last year during the pandemic. Are these controls still in place or have they been reviewed and removed if no longer appropriate?
  • Insider fraud is increasing. Not only has opportunity increased, but so has the rationalisation side of the fraud triangle.
  • There has been greater call for assurance over fraud risk. The regulatory environment is shifting, ie the BEIS white paper talks about ‘tackling fraud’ and will have an impact on internal audit down the line.

What can you do?

Governance:

  • Tone from the top is essential as the organisation's culture drives people's behaviour. Is there a culture of results at all costs? How are messages brought alive?
  • Policies in relation to fraud are necessary. Are the relevant policies for your organisation actually being used?
  • Have a clear definition of fraud in relation to your organisation and where responsibility for different types of fraud sits (ie, legal and HR)
  • Look at business partners – what is the balance between ethical and commercial decisions in your organisation?

Risk assessment:

  • It is critical to do a documented fraud risk assessment – you can’t claim to be a low-risk organisation if you haven’t assessed risk
  • Widen the definition of fraud to include more intangible factors, eg misreporting performance figures to avoid delivering bad news rather than for material gain
  • Bring people in from different functions/geographical locations for different perspectives.
  • Rate risks in terms of likelihood and impact and use this as a map to inform audit planning
  • Align the counter-fraud strategy to the risk assessment
  • Consider what has changed over time and revisit

Monitoring:

  • How will you identify concerns? There are many sources of fraud information. Maximise use of different channels to capture these, eg a fraud hotline that is actually used
  • Set expectations of KPIs in terms of what volume of information would be expected to be received

Remediation:

  • Assign responsibility for timely response, as well as ensuring confidentiality and collating evidence
  • Think about how learning is fed back into training, policies and other controls
  • Use information within what is legally permitted to learn lessons and communicate. Silence creates a void that can lead to unhelpful conjecture

Treat the four stages as a continuous cycle.

Quick wins:

  • Emergency payment mechanisms – are these still needed?
  • Know who you are dealing with in terms of third-party risk.
  • Restrict use of one-time suppliers if this was introduced in response to the pandemic.
  • Due diligence on new starters particularly in finance roles.



Institute's comments

The standards are clear. Standard 1210.A2 states that internal auditors must have sufficient knowledge to evaluate the risk of fraud and the manner in which it is managed by the organisation but are not expected to have the expertise of a person whose primary responsibility is detecting and investigating fraud.

Be familiar with the areas of your organisation in which fraud may be more likely and be on the lookout for ‘red flags’ – some of the traditional red flags such as employees living outside of their means still remain relevant.

Culture around fraud is as important as awareness of fraud risk. Resist efforts by organisations to silence constructive discussion around fraud.


Chair's closing comments

After a productive first Chartered IIA fraud forum on 2 September, there is a range of topics to discuss and the Institute are looking to open up the forum, both to attendees and to a core group to support. The next meeting will be in mid-January. Please email Mandy.Coleman@iia.org.uk if you are interested in either attending or being a core member.

Our next meeting of the HIA Virtual Forum is on 10 November and will focus on financial sustainability.

A reminder of two key events coming up:

  • The South-West Region is holding its 40th Anniversary conference-style event on 8 - 9 December in Bristol
  • Our Internal Audit Conference will be held on 2 - 3 November both virtually and face to face in London

Chat box comments and discussion

  • Q: I've been trying to obtain the average number of frauds internal audit teams investigate annually to compare that to our own numbers in response to challenge by audit committee. Does anyone know a source for this?
  • A: There is not much out there as fraud is not generally reported. In terms of the audit committee, emphasise the importance of being proactive against fraud and using data to identify risks
  • I did find some FTSE businesses detailing their Speak Up stats which gives you some kind of data in terms of overall allegation traffic although only a few unpick the categories so you can get an idea of the fraud component (Unilever, Diageo, GSK, BAT, RB, Johnson Matthey, Rio Tinto)
  • Report to the Nations publications from the ACFE are usually quite good for some stats and insight to types of occupational fraud
  • Action Fraud - depending on sector some useful stats and insights: https://www.actionfraud.police.uk/fraud-stats
  • The government has released a functional standard to set the expectations for the management of counter fraud, bribery and corruption activity in government organisations, including a checklist at the end. This may be a useful reference point: https://www.gov.uk/government/publications/government-functional-standard-govs-013-counter-fraud
  • We are seeing lots of ‘old favourites’ in increased volume, including purchasing fraud, one-time suppliers and redirecting payments for business use. We are also monitoring the whistleblowing hotline and are noticing more employee discontent rather than fraud
  • For financial services, external fraud is a constant focus, but internal fraud has been less so. It is picked up by other areas of the business, but it is right that we focus on it as we anticipate increases in internal fraud.
  • This is so topical with Charity Fraud Awareness week next week