D.10 Practice Review and Internal Audit’s Approach to Fraud

  1. The International Standards for the Professional Practice of Internal Auditing specifies that internal auditors should have sufficient knowledge to identify the indicators of fraud.

  2. This procedure sets out a basic understanding of fraud in the view of the Office of the Auditor General of Canada (Office), and how internal auditors should watch for and respond to any indication of fraud.

Topics

  1. Characteristics
  2. Examples with related internal audit activity
  3. Deterrence
  4. Detection
  5. Investigation
  6. Reporting

A. Characteristics

  1. Fraud encompasses an array of irregularities and illegal acts characterized by intentional deception. It can be perpetrated for the benefit of, or to the detriment of, the Office, and by persons outside as well as inside the Office.

  2. Periodic audit training, distribution of audit publications, and other communication methods are in place to apprise internal auditors of the changing nature of fraud and the control environment in which fraud may occur.

  3. Fraud designed to benefit the Office generally produces a benefit by exploiting an unfair or dishonest advantage that also may deceive an outside party. Perpetrators of such frauds usually benefit indirectly because the personal benefit usually accrues when the Office is aided by the act.

  4. Practice review and internal audit activities are specifically designed in a manner that provides a review of the control environment and the inherent potential for fraud. Internal audit risk analysis and audit selection are based on the degree of change and "pressure" in operating units. Where appropriate, financial and operating systems are tied to related accounting and reporting information to validate propriety.

B. Examples of Fraud and Related Internal Auditing Activity

  1. Sale or assignment of fictitious or misrepresented assets.
    Asset audits include steps to validate asset accounting and evaluate the propriety of asset purchases, transfers, and disposals.

  2. Improper payments such as illegal political contributions, bribes, kickbacks, and payoffs to government officials, intermediaries of government officials, customers, or suppliers.
    Certain audits (e.g. purchasing) review control environments in order to detect unwarranted potential for personal benefit.

  3. Intentional, improper misrepresentation or valuation of transactions, assets, liabilities, or income.
    Revenue cycle, disbursement cycle, and asset audits include validation steps for proper valuation and recognition.

  4. Intentional failure to record or disclose significant information to improve the overall picture of the Office to outside parties.
    External reporting practices are reviewed in detail by the external auditors, and internal auditors may assist in the year‑end close external audit to support this objective. Validating the integrity of accounting and the accuracy of financial reporting is a common program step in audits.

  5. Prohibited activities such as those that violate government statutes, rules, regulations, or contracts.
    Government compliance audits and reviews, such as those of the Public Service Commission or other Officers of Parliament, evaluate preventative and detective controls and related compliance under applicable laws, regulations, rules, and contracts.

  6. Fraud perpetrated to the detriment of the Office generally is for the direct or indirect benefit of an employee, outside individual, or another organization. Some examples are:

    1. acceptance of bribes or kickbacks;

    2. diversion to an employee or outsider of a potentially profitable transaction that would normally profit the Office;

    3. embezzlement, as typified by the misappropriation of money or property, and falsification of financial records to cover up the act, thus making detection difficult;

    4. intentional concealment or misrepresentation of events or data; and

    5. claims submitted for services or goods not actually provided to the organization.

  7. Internal auditors will receive periodic training in the area of fraud indicators and related methods. All auditors should remain aware of the potential for fraud in all of the noted areas such as bribes, kickbacks, diversion, embezzlement, concealment, and misrepresentation. System reviews in the core business cycles (revenue, disbursement, conversion/inventory/cost, payroll/benefits, capital assets) will evaluate the overall control environment and related potential for fraudulent actions to take place. When a specific concern is identified from the normal audit process or by an employee or management concern, PRIA may become involved in the audit or investigative work in these areas.

C. Deterrence of Fraud

  1. Deterrence consists of those actions taken to discourage the perpetration of fraud and limit the exposure if fraud does occur. The principal mechanism for deterring fraud is control. Control includes all aspects of hard and soft controls, beginning with the “tone at the top” set by the Auditor General in collaboration with the Audit Committee and senior management, and the overall control environment. Management is responsible for the maintenance of an effective control environment. Auditors are tasked to evaluate the control environment to determine the adequacy of internal control in selected systems.

  2. Practice Review and Internal Audit (PRIA) is responsible for helping to deter fraud by examining and evaluating the adequacy and the effectiveness of controls, commensurate with the extent of potential exposure/risk in the various segments of the Office's operations. In carrying out this responsibility, PRIA should, for example, determine whether

    1. the Office environment fosters control consciousness,

    2. the Office environment is considered along with other appropriate factors in the risk analysis process leading to audit selection and audit program development, and

    3. realistic strategic goals and objectives are set.

  3. Audit actions, such as system reviews, evaluate the adequacy of the total system of the internal controls, including review of strategic plans, annual plans, and quarterly budgets.

    1. Written Office policies (e.g. Code of Values, Ethics and Professional Conduct, Policy on Workplace Investigations) exist, which describe prohibited activities and the action required whenever violations are discovered.

    2. Effective procedures exist for the proper handling of complaints regarding accounting, auditing, and other matters, and for the anonymous submission of complaints. This includes receipt, retention, and treatment of complaints received at all levels of the Office, including the Audit Committee.

    3. Appropriate authorization policies for transactions are established.
      Authorization practices are commonly audited, including procedure reviews, management interviewing to determine authorization expectations, and detailed compliance testing to determine authorization compliance. PRIA auditors assess whether authorization policies specify personnel who are at an appropriate level and whether they are likely to have adequate knowledge of the nature of the transactions they are expected to authorize, and their related inherent risks.

    4. Policies, practices, procedures, reports, and other mechanisms are developed to monitor activities and safeguard assets, particularly in high‑risk areas.
      Audit objectives commonly include adequacy and compliance reviews of policies, procedures, reports, and monitoring activities. Asset safeguarding practices are evaluated in normal internal control reviews and during asset audits.

    5. Communication channels provide management with adequate and reliable information.
      Two‑way communication and reporting are commonly evaluated, and certain information system audits include tests for information adequacy and usefulness.

    6. Recommendations need to be made for the establishment or enhancement of cost‑effective controls to help deter fraud.
      Whenever appropriate, potential risk/impact/effect statements in internal audit reports highlight irregularity risks. All recommendations are written with cost justification in mind. Often the audit area is consulted to establish cost/benefit impacts.

D. Detection of Fraud

  1. Detection consists of identifying indicators of fraud sufficient to warrant recommending an investigation. These indicators may arise as a result of controls established by management, tests conducted by auditors, and other sources both within and outside the Office. Internal auditors should

    1. have sufficient knowledge of fraud to be able to identify indicators that fraud might have been or could be committed. This knowledge includes the characteristics of fraud, the techniques used to commit fraud, and the types of frauds associated with the activities audited; and

    2. be alert to opportunities, such as control weaknesses, that could allow fraud. If significant control weaknesses are detected, additional tests conducted by internal auditors should include tests directed toward identification of fraud indicators with the concurrence of the Chief Audit Executive (CAE).

  2. If significant control weaknesses are detected, additional tests may be performed to identify other indicators of fraud. All audit and investigation activity will be carefully coordinated with the involvement of the Legal department as appropriate. The Audit Committee and Auditor General must be kept informed on a regular basis.

  3. The internal auditors will review potential fraud indicators derived from fieldwork or from employee or management contact, and work with the Auditor General and/or General Counsel to determine if investigative or further audit work is appropriate by members of the PRIA team. The CAE can consult the Audit Committee, the Auditor General, and/or the General Counsel on the appropriate actions to take.

  4. Internal auditors are not expected to have knowledge equivalent to that of a person whose primary responsibility is detecting and investigating fraud. Also, audit procedures alone, even when carried out with due professional care, do not guarantee that fraud will be detected.

E. Investigation of Fraud

  1. Investigation consists of performing extended procedures necessary to determine whether fraud, as suggested by the indicators, has occurred. It includes gathering sufficient evidential matter about the specific details of a discovered fraud. Internal auditors, lawyers, investigators, security personnel, and other specialists from inside or outside the Office are the parties who usually conduct or participate in fraud investigations.

  2. When an investigation is deemed necessary, the Auditor General will confer with the CAE and the Audit Committee leading to a decision on the appropriate mix of internal or external resources to complete the investigation based on required expertise or competency.

  3. Internal auditors involved in a fraud investigation assess the probable level and the extent of fraud within the Office to help ensure internal auditors avoid providing information to, or obtaining misleading information from, persons who may be involved. If it is determined that internal auditors will be involved in an investigation, the CAE determines the knowledge, skills, and disciplines needed to effectively carry out the investigation. It is most common for the internal audit director to be personally involved in the investigation to help assure the most effective and professional results. Outside resources used in an internal investigation will be proposed by the CAE to the Audit Committee and the Auditor General.

  4. A written program will be used to detail carefully designed procedures to attempt to identify the perpetrators, extent, techniques, and cause of fraud.

  5. Close coordination with the Auditor General and the Legal department representative will be maintained throughout the investigation.

  6. Auditors involved in the investigations must be cognizant of the rights of alleged perpetrators and personnel within the scope of the investigation and the reputation of the Office itself.

  7. Once a fraud investigation is concluded, PRIA assesses the facts in order to

    1. determine if controls need to be implemented or strengthened to reduce future vulnerability, and

    2. help meet the internal auditor's responsibility to maintain sufficient knowledge of fraud and thereby be able to identify future indicators of fraud.

F. Reporting of Fraud

  1. The form, nature, and timing of appropriate fraud investigation communication to management will be predetermined by the CAE, Auditor General, and/or General Counsel.

  2. A preliminary or final report may be made at the conclusion of the detection phase. The report should include the internal auditor's conclusion on whether sufficient information exists to conduct an investigation. It should also summarize findings that serve as the basis for such a decision.

  3. When the incidence of significant fraud has been established to a reasonable certainty, the Auditor General and the Audit Committee will be notified immediately by the CAE. Subsequent actions will be determined by the Auditor General with advice from the Office’s senior counsel and the Audit Committee.

  4. If fraud investigation results are determined to materially affect the reported financial statement results, the CAE will advise the chairman of the Audit Committee, chief financial officer, and comptroller. Significant misstatements would be included in the category of important control issues communicated to top management and the Audit Committee as appropriate.

  5. Written reports are issued to communicate the results of PRIA’s involvement in the investigation phase. They will include findings, conclusions, recommendations, and, where appropriate, corrective action taken.

  6. A draft of the proposed report on fraud will be submitted to the Audit Committee for review and the Auditor General for approval. In those cases in which the auditor wants to invoke solicitor-client privilege, consideration should be given to addressing the report to legal counsel.

Last modified: 2018-03-02