2. IPPF says... (1)
• IIA Standard 1200: Proficiency and Due Professional Care
1210.A2 – Internal auditors must have sufficient knowledge to
evaluate the risk of fraud and the manner in which it is
managed by the organization, but are not expected to have
the expertise of a person whose primary responsibility is
detecting and investigating fraud.
• IIA Standard 2060: Reporting to Senior Management and
the Board
The chief audit executive (CAE) must report periodically to
senior management and the board on the internal audit
activity’s purpose, authority, responsibility, and performance
relative to its plan. Reporting must also include significant risk
exposures and control issues, including fraud risks,
governance issues, and other matters needed or requested
by senior management and the board.
3. IPPF says... (2)
• IIA Standard 2120: Risk Management
2120.A2 – The internal audit activity must
evaluate the potential for the occurrence of fraud
and how the organization manages fraud risk.
• IIA Standard 2210: Engagement Objectives
2210.A2 – Internal auditors must consider the
probability of significant errors, fraud,
noncompliance, and other exposures when
developing the engagement objectives.
4. IPPF says... (3)
Practice Guide: Internal Auditing and Fraud,
Page 11
The internal auditor’s roles in relation to fraud risk
management could include initial or full
investigation of suspected fraud, root cause
analysis and control improvement
recommendations, monitoring of a reporting/whistleblower
hotline, and providing ethics training
sessions. If assigned such duties, internal auditing
has a responsibility to obtain sufficient skills and
competencies, including knowledge of fraud
schemes, investigation techniques, and laws.
5. She is Our Hero
Cynthia Cooper
Whistleblower of WorldCom's 2002 mega-fraud,
and she was its internal auditor
(VP of Internal Audit)
7. Red Flags of Fraud
• Some perpetrators act unusually irritable,
• Some suddenly start spending lavishly,
• Some become increasingly secretive about their activities,
• Overrides of controls by management or officers,
• Irregular or poorly explained management activities,
• Consistently exceeding goals/objectives regardless of
changing business conditions and/or competition,
• Problems or delays in providing requested information,
• Significant or unusual changes in customers or suppliers,
• Transactions that lack documentation or normal approval,
• Employees or management hand-delivering checks,
• Customer complaints about delivery, and
• Poor IT access controls such as poor password controls.