TeamMate ESG advertising banner 2023

Heads of Internal Audit Virtual Forum

7 December 2022

Please note:

  • All Institute responses are boxed and highlighted in blue
  • Where the chair comments in that capacity, the box is highlighted in yellow
  • For confidentiality, the identities of all delegates/attendees are anonymised

Participants

Chair: Derek Jamieson, Regional Director, Chartered IIA UK and Ireland 

Chair's opening comments

Welcome to the HOIA forum. A warm welcome to those of you who are attending the forum for the first time today. I hope you all enjoy the session and benefit from this investment of your time. Also, a warm welcome to those members of the Fraud forum who are attending today. Thank you for your participation.

I am joined today by Liz Sandwith, Chief Professional Practices Advisor, Chartered IIA UK and Ireland.

Today’s session is looking at fraud, a topic which continues to be a significant and increasing concern in many organisations across the sectors, particularly given the increasing financial constraints across the economy just now and for the foreseeable future.

Our session is in two parts:

Firstly, we are going to give you an update on the activities of our Fraud Forum which was established just over a year ago now. You may not be aware of the Forum, or its activities and we therefore thought it appropriate to update you so that you can consider whether you wish to become involved over the coming year. For those who are aware we thought it appropriate to share some of the topics which have been discussed and to let you hear the views and reflection from two of the initiating members who have helped shape the agenda this year.

The second part of the session will focus on the question:

Is internal audit sufficiently equipped to effectively consider the risk and potential existence of fraud as it undertakes its work?

It is appropriate to recognise at this point that the role of internal audit in relation to fraud may differ across organisations and sector. For the purposes of the discussion today we are focussing on the development and delivery of the internal audit plan rather than any activities internal audit may be directly involved in to prevent or investigate fraud.

So, in the context of delivering an internal audit plan are our teams sufficiently knowledgeable to consider fraud risk during planning and as they undertake and report their work?

How good are they at:

  • Identifying red flags that indicate fraud may have been committed.
  • Understand the characteristics of fraud, the techniques used to commit fraud. Are they familiar with fraud schemes and scenarios.
  • Are they able to evaluate the indicators of fraud and decide whether any investigation or further action is necessary.

I would like to welcome Rachel Hallam from Worcestershire County Council and Alan Rose from SSE. Rachel and Alan were in the initial group of members who helped establish the Fraud Forum and contribute to its future agenda and direction.

Before we speak to Rachel and Alan, I would like to ask Liz Sandwith to provide a brief overview of the scope and key messages from our recent report “Fraud is on the rise – step up to the Challenge” as a backdrop for the session. Hopefully you have all read the report and if not, you will do so after today’s session. Over to you Liz.


Key takeaways

Please find attached a copy of the slides for the session. Notes below are supplementary.

Some key initial thoughts from Derek Jamieson, Chartered IIA

  • Make sure you’ve read our Fraud is on the Rise report
  • We are in a perfect storm and now more than ever, internal audit has to be aware of the risk of fraud.
  • We know fraud is on the rise, we’ve seen reference to fraud across the media regarding bounce back loans during Covid. 10% of that initiative appears to be fraudulent claims.
  • 80% of fraud comes through cyber-attacks – fraud is an interlocking risk, with e.g., cyber, culture – think about financial and reputational impacts.
  • Think about the different elements of the fraud triangle (motivations, rationalisation, opportunity) – if we can look at that and look at our organisation as a whole.
  • We need to think about fraud risk assessments (Check out our technical guidance), where is fraud risk most likely in your organisation, when did you last undertake a fraud risk assessment, is it time to refresh it due to all the elements of the Perfect Storm referenced in Risk in Focus 2023.

Discussion regarding the Fraud Forum – Alan and Rachel’s Reflections

  • Liz’s presentation feeds into what the Forum is all about, fraud risk is increasing for all organisations, due to the cost of living, increasing regulatory requirements, companies growing and increasing levels of technology being available.
  • The Forum has been set up to help across sectors to prompt discussion of fraud risks and provide practical guidance.
  • Some of the topics that Fraud Forum has covered so far included: risk assessments from KPMG, ACFE who discussed fraud investigations including if internal audit is going to be involved in these, EY gave us some insights to the current trends, following that we had RSM along to speak about the governance around fraud and the risk appetite. So how does you organisation set its risk appetite, how do you monitor it and how effective are the controls in place to make ensure you're operating within that risk appetite?
  • We try to take an input from people who join the Forum and look to see what they're interested in and then we can arrange topics and speakers accordingly. We always ask for people to say where they could use some support with a project they’re working on.
  • It’s been really helpful from a local authority perspective to be part of such a group and ask questions more widely within the group.
  • We’re always happy to have new members, just drop Derek/Mandy a line.
  • We’ve seen in the media this morning that DEFRA has a problem with their IT Infrastructure, which is unlikely to be resolved until 2030, thereby increasing the risk of fraud in that organisation.

Is internal audit sufficiently equipped to effectively consider the risk and potential existence of Fraud as it undertakes its work? Do you perceive that we could do better as auditors? Reflections from Alan, and Rachel

  • No is the easiest answer – it depends on size of the internal audit team and how far you can reach across the organisation. In local authorities we can only reach so far and there are numerous activities we’re involved in, e.g. schools, social care and we only have a finite amount of time, money and staff.
  • One of the current challenges is trying to ask for additional resources to look at fraud we haven’t been particularly proactive historically.
  • We don’t currently have a joined-up picture due to different teams using different systems, making it difficult to check information. It is challenging to keep up with a constantly changing environment and limited resources and capacity to keep up.
  • The Forum is a great opportunity to keep up with developments, share knowledge and experiences and keep in touch with colleagues in similar situations.
  • Internal audit could always do better. The risks are ever-changing and one of the dangers with fraud risk is that people almost look to internal audit to be the experts within the organisation and to lead on this topic.
  • Getting that definition of what your organisation thinks is fraud can be difficult in itself, and that's a good starting point. And then thinking about what the business model is and where the risks lie can be a next stage.

Do you see any key trends at the moment?

  • The cost-of-living crisis is obviously one that's increased, potentially increasing the motivation for fraud, whether that's internal or external. Contractors perhaps increasing costs on invoices, government schemes, e.g., for us the energy rebate scheme, increasing sanctions and being careful about who we’re dealing with/paying, in terms of general theft and linked to the cost-of-living crisis, there have been attempted break ins at our sites, to steal materials like copper.
  • Working from home I would add. We’re having to look at other things we wouldn’t have considered in past – e.g., people taking on second jobs (which we’re finding via NFI data), childcare issues, working antisocial hours which is leading to wellbeing issues.
  • Increased turnover of staff – are we applying the same level of vetting to these?
  • Organisations need to step up and realise frauds can and do occur. Internal audit needs to be more open and transparent in encouraging our organisation to build much stronger fraud culture.

Where do your main concerns lie just now?

  • (Alan) For our organisation, it's really expanding internationally, so we're moving to new markets. There's a lot of new risks and a lot of dangers there. The rate of change is incredible, both in terms of technology and staff so it’s difficult to keep on top of that.
  • (Rachel) We’ve seen a significant reduction in staff in the last two years. Resources were redeployed and they’ve not all necessarily come back. We’ve adopted more digital systems where less resource is needed, but that’s making us more reliant on the data being correct. There is a focus on using data analytics so being smarter to test these things or conducting more ‘fraudits’ - smaller tests of a wider area –that might steer where the audit plan goes.

Chair's closing comments

Thank you, Rachel and Alan.

Please let me know if you would like to join the Fraud Forum next year. Please also let me know if there are any topics you wish this HIA Forum to cover in future meetings. We will take the comments forward from today’s session and for those who’ve asked about policy and guidance, put you in touch with Rachel and Alan to continue that discussion.

Our next meeting is on 11 January and will focus on data analytics and artificial intelligence focussing on our recently published research report “Embracing Data Analytics

Looking further forward, February’s meeting is titled “is your scorecard balanced?” In preparation for this session, I aim to collate anonymised versions of as many scorecards as possible. To this end I would be delighted if you are able to send me suitably anonymised versions of your scorecards which I will collate and an analyse prior to the meeting. (derek.jamieson@iia.org.uk)

As usual, notes and chat comments from today will be placed on our Community Hub pages in the next couple of days.


Questions/Chat box comments

Comment: I'm more concerned that process owners have the arrangements in place to assess fraud risk and to have preventative and detective controls in place rather than to find fraud ourselves.

Response: We're trying to encourage the first line to take more responsibility, so I would agree with that completely, but with the starting point we had, we were very immature regarding fraud, since the word wasn't really mentioned, people didn't like mentioning it. It's raising that awareness, getting people engaged, getting that discussion into committee meetings, getting them to develop their own risk registers and encouraging them to put controls in place. It's a bit of a mix and from the discussions in the Fraud forum, the role of internal audit can vary from organisation to organisation as well.

Comment: In a way, increased reporting of fraud in the media, often because of poorly managed/controlled COVID-related schemes may create more fraud. "If everyone is at it, why shouldn't I get a piece of the action". Increased rationalization, coupled with the motivations you've mentioned.

Comment: We're lucky at our organisation. Out of our team of 6 we have 4 ACFSs who are also PACE trained, to enable us to also undertake fraud investigations. in addition to our assurance and consulting work. Although our internal Standards require that we consider fraud risk during every audit, we live and breathe fraud anyway.

Comment: we work to the government 013 counter fraud standard which means a fraud risk assessment formal process, additionally, for those risks above the acceptable risk threshold of the organisation, proactive work is undertaken to improve controls. This should be used to provide assurance and include proactive work in the internal audit plan to provide this assurance.

Comment:  The Fraud Advisory Panel has some good practice on fraud policies, freely available on their website.

Question: Can anybody recommend any fraud training for internal auditor teams, as Derek discussed the impact of fraud identification following  a course his team undertook?

Answer: The Institute has a Fraud and Financial Crime training course https://events.iia.org.uk/training-courses/live-virtual-courses/auditing-fraud-and-financial-crime/

Question: We've been asked to create a Fraud Red Flags Protocol. Has anyone done something similar or does the IIA have a template that might help with this?

Answer: https://www.acfe.com/ if you join them they have lists of these red flags and you can find some example lists of red flags on the internet. The best source comes from experienced managers in the business / risk team incident reports / deep dives / lessons learnt.