Local Authority Internal Audit Virtual Forum

25 August 2021

Please note:

  • All Institute responses are boxed and highlighted blue
  • Where the chair comments in that capacity this box is highlighted in yellow
  • For confidentiality, the identities of all delegates/attendees are anonymised

CEO's welcome

Thank you for joining us for our session. Every year millions of dollars are lost to fraud due to a wide variety of factors. Fundamentally, organisations should have robust internal control procedures to limit the risk of fraud, and internal audit’s role is to assess these controls.

In addition to our guest speaker, we are also joined by Liz Sandwith, our Chief Professional Practices Advisor and our chair Piyush Fatania, Head of Audit, Risk, Assurance and Insurance Services for Gloucestershire County Council, and a member of our Council.

Chair's opening comments

Welcome to our Local Authority Forum.

Fraud is a forever war. It rages 24/7 perpetrated by combatants at all levels of sophistication. Internal audit and councils therefore need the tools, skills and knowledge to prevent fraud. Our speaker today is Andrea Deegan, Forensic and Fraud Risk Services Director at RSM UK.

Key takeaways

Role of internal audit

  • Internal audit has an important role to ensure management has effective systems in place to detect and prevent corrupt practices:
    • Promote anti-bribery/anti-fraud best practice
    • Testing and monitoring
    • Advising on areas of change
  • Internal audit and counter-fraud have distinct skills and remits
  • Everyone in the organisation is responsible for being alert to fraud from the first to the third line
  • It is not internal audit’s role to directly detect and prevent fraud. That’s the role of executive management

Key tools and approaches

  • This fraud triangle is a useful tool to understand why fraud happens
  • Mainly used in a reactive sense but also useful as a preventative tool
  • Used as part of a risk assessment to focus on operational areas with greatest exposure
    • Pressure: Addiction, debt, peer or family pressure and blackmail
    • Rationalisation: Dissatisfied with pay, disparity, others not sanctioned when caught
    • Opportunity: Weak controls open for exploitation, or circumstances weaken controls such as mergers and acquisition and also organisations downsizing or going through change, for example the pandemic
  • Useful to look at organisational policies
  • Particularly changes that have taken effect due to remote working
  • Individuals/teams with responsibility for monitoring and reporting fraud need to remain ever alert. This is an area where internal audit assurance can be valuable

Common themes for internal audit

  • What does fraud prevention look like in terms of risk assessments, prevention and detection work?
  • Think about how fraud prevention can be incorporated into your internal audit activities each time you are scoping a piece of work
  • Does the organisation have a counter-fraud strategy? What might it look like?
  • Regulators across sectors are starting to encourage boards/organisations to have a counter-fraud strategy to demonstrate commitment to and approach to counter-fraud and bribery. A strategy would include areas such as strategic commitment, prevention, detection and awareness, investigations, sanction and redress
  • Internal audit should think about the tone from the top. What level of awareness and training is undertaken for example?
  • Does your board receive regular reports on fraud and bribery, allegations/investigations to make informed decisions about key performance indicators?

Emerging risks

  • The pandemic has been an opportunity for fraudsters, particularly around cyber risk and the inability to validate original documents such as for recruitment. Fraudsters are more sophisticated than they were pre-pandemic
  • Increasing fraudulent use of isolation/sickness/remote-working to pursue secondary income or set up a company to work for themselves
  • Not working hours required, which is fraud
  • Streamlined processes (cost efficiency or remote working) in finance and procurement can make fraud easier such as exploitation of e-signatures
  • Recent instances of common mandate fraud suggest fraudsters are tapping into internal knowledge such as holidays, purchase order systems, email formats, to make requests appear legitimate
  • Sharing an example of good practice: An organisation experienced mandate fraud, and the finance director took it as an opportunity to address the culture to make it more open. Thereby ensuring people were not afraid to challenge a request. Removing hierarchical barriers and nervousness about challenging authority is an important aspect of counter-fraud.

Things for internal audit to think about

  • Establishing a counter-fraud strategy. Is this an advisory role for internal audit to facilitate or is there a counter-fraud team?
  • Internal audit can work closely with counter-fraud – advice, guidance, expertise – maintaining clear roles and responsibilities to avoid compromising the ability to provide future assurance.

Top tips

  • Ensure strategic commitment from the local authority
  • Undertaking a fraud risk assessment is fundamental
  • Adopt robust recording and reporting of fraud data
  • Be alert to emerging areas of risk

Click here for details of our live virtual training course on auditing fraud and financial crime.

Chair's closing comments

It is often said that the best detectives are those who think like a criminal. As auditors, we should be thinking about what fraudsters are after. What is of value to them? We need to be alert to what is changing in our world – for example, is there a heightened risk of pension fraud as a consequence of the pandemic?

Institute's comments

In our next LA forum on 29 September we will use Risk in Focus 2022 as the basis for discussion.

Organisations and their internal audit functions face a dizzying pace of change and unprecedented uncertainty. The world has changed. Internal audit must change too.

The IPPF is currently under review. Please take time to complete this IIA Global survey by 31 August.

Our Internal Audit Conference is open for booking – click here for details.

Thank you for attending. As always if you have any ideas or suggestions for what we might include in future agendas please contact Liz Sandwith liz.sandwith@iia.org.uk 


Q In addition to fraud, there is also error. Some of the move to remote-working has led to reduced quality checks not picking up errors. Also, we’ve found culture to be important in addressing management behaviour. How do you measure culture?
A Looking at root cause is really important. It’s essential to understand why something happened - the outcome of an investigation determines the course of action that's taken. It’s not always fraud.
Measuring culture can be a challenge. Virtual working as a result of pandemic has been beneficial in some of our sectors to gain real-time assessments and insights. Establishing robust KPIs at the outset is important and they should be reflective of realistic organisational goals. For example, an uptake in the number of fraud referrals and breadth of where they come from is a good indicator that an awareness campaign landed, rather than just ticking the box that a campaign was done. Similarly, an increase in conflict-of-interest declarations for example can be used to demonstrate culture and that employees have a good awareness of what is and isn’t acceptable practice.

Q There is an expectation that the effectiveness of fraud-related work and strategies are suitably measured – can you give an example of how we can measure effectiveness?
A When putting the counter fraud strategy together, work out what you want to achieve, then work back from that to say what measures are needed to demonstrate this. We’ve talked about awareness. Also, measuring prevention work - what area of policies have internal audit been involved in reviewing, have changes been embedded? Having identified a weakness, go back after making a change and look at what differences can be seen in data, financial or otherwise. Put indicators in place that show that the counter-fraud strategy was successful and demonstrates that the investment in resource or change was effective.

Q Where does internal audit’s role sit alongside a counter-fraud team?
A Seeing much more collaborative approaches, not joint working but having specialist input. So long as work is risk assessed at the outset to remove any risk around self-review from internal audit’s perspective. Counter-fraud will often be able to advise and help internal audit in terms of next steps.

Q Having moved into internal audit from counter-fraud and then returned, it has enhanced the quality of work. Now we issue a management letter after the investigation to highlight the control weaknesses that led to the fraud/error. Does that resonate?
A Agree. We encourage our counter-fraud team to think like internal auditors. It’s about moving beyond the criminality to look at internal controls too.

Q Are traditional ‘red-flags’ still valid?
A Yes, although now there is possibly more opportunity for people to obtain ‘fancy goods’ without obvious means. It's important to look at indicators as a whole and beyond indicators. Someone not taking holiday doesn’t mean they are committing fraud for instance. The education sector recently published a list of key indicators for example which can be a useful reference.