There is an old saying that “it is too late to close the barn door once the horse has escaped.” The implication is clear: one must think ahead and take preventive measures to avoid calamity. Metaphorically, when it comes to fraud, internal auditors are often mobilized too late – there is far less value in identifying how a disaster occurred than in preventing it in the first place.
Internal audit has long been seen as instrumental in detecting and investigating fraud, but not in proactive fraud prevention. As Karen Kroll writes in Internal Audit 360, this is changing. Alongside high-profile frauds in the headlines and technological advances enabling more sophisticated schemes, professional standards for internal and external auditors are newly emphasizing fraud risk. The Institute of Internal Auditors’ (IIA’s) Global Internal Audit Standards and the heightened expectations that will likely emerge from new proposed standards for external auditors signal an emerging imperative for internal auditors to proactively address fraud risk.
The Association of Certified Fraud Examiners’ (ACFE’s) Occupational Fraud 2024: A Report to the Nations reaffirms that internal audit can add more value through prevention than detection. Strong internal audit programs help to reduce fraud losses and duration. These top takeaways and actions for impact can aid you in making the case for investing in anti-fraud.
Six key takeaways for internal auditors from the ACFE’s 2024 Report
1. Fraud loss and Duration Increase When Organizations Are Passive
Proactive fraud detection is essential for reducing fraud risk. ACFE’s findings make it plain: “Organizations that do not actively seek out fraud are likely to experience schemes that continue for much longer and at a higher cost.” Most passively detected (i.e., notification by law enforcement, confession, by accident) schemes were associated with higher median losses and longer durations. Most schemes discovered via active methods (e.g., internal audit, management review, document examination, surveillance/monitoring), however, had reduced durations and losses.
2. Loss data makes the case for anti-fraud investments
ACFE found that organizations routinely accept a 5% loss of revenue annually due to fraud. With average losses per case of $1.7M, doesn’t it make sense to invest a fraction of those losses on prevention? Making up lost revenues costs organizations more in labor and other expenses, whereas for a smaller amount of spending, they could likely prevent bigger losses or stop frauds sooner.
Many organizations say budget constraints challenge their ability to invest in anti-fraud. In actuality, some investments (e.g., codes of conduct, hotlines) require little outlay, and others offer outsized ROI — particularly fraud awareness training, and increased fraud-prevention resources for internal audit, risk, and fraud examiners.
3. Awareness training reduces fraud loss and duration
ACFE’s study shows that providing fraud awareness training across the organization reduces fraud costs and duration. Organizations that did not provide such training experienced median fraud losses nearly double ($199k) those of organizations that trained employees, managers, and executives ($100k). Further, frauds were detected earlier in organizations that provided training.
Many employees simply don’t know what fraud looks like. In Bruce’s tenure with ACFE, he often heard from leaders whose employees expressed surprise when told certain actions were considered unethical or improper. Employees who receive fraud awareness training, however, are more likely to report any fraud they see: ACFE noted that tips were twice as likely to come from employees who received training versus those who didn’t. Not only does it reduce fraud and its duration, but it creates a positive culture within the organization that management takes the risk of fraud seriously.
4. Fraud tips come from employees, customers, and vendors
Tips are by far the most common mechanism for initial fraud detection (43% of cases). And while more than half (52%) of fraud tips came from employees, 21% came from customers and 11% from vendors. Internal auditors should regularly communicate what fraud looks like to customers and vendors. The more internal auditors can talk about fraud with the business, the more likely it can be discovered quickly.
5. Early detection is critical for limiting loss/duration
The longer fraud schemes continue, the more damage they cause. Whereas schemes caught within six months had a median loss of $30,000, schemes lasting two to three years had a median loss of $250,000. ACFE also assessed scheme duration; internal auditors planning fraud risk assessments can leverage this analysis to find likely hot spots. And while many assume managers and external auditors are most likely to detect fraud, internal audit ranks second (14%) only to tips (43%) in initial detection.
6. Internal audit second only to management as party alerted
Once fraud has been detected and reported, several parties are alerted. While management was most commonly alerted (63% of cases), internal audit made an impressive second-place showing (45% of cases).
Internal audit already has a seat at the table in many organizations’ anti-fraud programs. An increased focus on prevention could help create an even stronger presence while reinforcing internal audit’s value protection role.
Six ways internal audit can assist in fraud prevention
- Undertake fraud risk assessments. Share results with key stakeholders to help them better understand where fraud risks lie. Advise management on key risks and potential remediation, aligning with management views of risk.
- Routinely look for control weaknesses that increase fraud risk in internal audit engagements. Scrutinizing controls may enable auditors to uncover deficiencies that may increase risk. Promptly advise management so controls can be addressed before they’re exploited.
- Help identify and implement anti-fraud tools. Amid permacrisis, technology tools (e.g., AI, data analytics) are essential for helping organizations monitor and connect data across functions to proactively surface risks, issues, and insights. As technology sifts through data to identify anomalies more accurately at a much faster pace, internal auditors are freed up to focus on critical fraud risks.
- Support fraud awareness training. Internal audit’s knowledge of fraud risk management, controls, and hot spots can help employees at all levels understand how they can help prevent fraud. Kroll writes, “training can help colleagues better understand how controls protect not only the organization, but the individual,” since when fraud is found and controls weren’t in place, “employees… may face questions and suspicion.”
- Help create a culture of fraud awareness. Reduce the risk that anti-fraud efforts will be viewed as corporate “policing” by regularly talking about fraud before it happens. An annual fraud awareness week encourages discussion and provides organization-wide education on key fraud risks, controls, and reporting. Newsletters or other periodic communications can spotlight frauds in other organizations, common schemes, or major fraud risks. For resources, see COSO and ACFE’s Fraud Risk Management Guide.
- Promote an ethical culture. Internal can help assess the health of organizational cultures and build cultures that prioritize and model integrity and ethical behavior.
An opportunity for value creation and protection
An internal audit function’s long-term strategic success depends on how it is perceived within its organization. Internal audit adds more value in roles where it is seen as wearing a proverbial “white hat”, and value creation and protection give auditors a much greater chance to be perceived as a force for good. But fraud detection and investigation are often seen as “black hat” roles. Internal auditors who are seen in such roles are often feared or avoided in their organizations.
Internal auditors who are actively engaged in fraud prevention activities are often seen as a positive force creating healthy cultures and robust controls that protect both organizations and individuals. The business case for investing in anti-fraud is clear, so it’s high time to don the right hat and help close the barn doors.
Richard Chambers, CIA, CRMA, CFE, CGAP, is the CEO of Richard F. Chambers & Associates, a global advisory firm for internal audit professionals, and also serves as senior advisor, Risk and Audit at AuditBoard. Previously, he served for over a decade as the president and CEO of The Institute of Internal Auditors (IIA). Connect with Richard on LinkedIn.
Bruce Dorris, JD, CPA, CFE is a fraud prevention expert with over thirty years in the anti-fraud industry. He recently retired from his role as President and CEO of the Association of Certified Fraud Examiners and now lectures and writes about fraud, auditing, and compliance issues. Connect with Bruce on LinkedIn.