The Role of Internal Audit in the Prevention
and Detection of Fraud
CPE PIN Code: 8232
Abdelmonem Hany Gabr, CIA, CRMA, CFSA
Internal Audit Manager
Ahli United Bank, Egypt
Presented By:
Abdelmonem Hany Gabr, CIA, CRMA, CFSA, CICA
Internal Audit Manager
Ahli United Bank − Egypt
The Role of Internal Audit in the
Prevention and Detection of
Fraud
Our Objectives for Today
• Understand governance and its tools.
• Become familiar with the Three Lines
of Defense theory.
• Understand the nature of internal
audit and its related standards
regarding fraud.
• Increase the awareness of the
importance of internal audit with
regards to fraud.
• Discover new tips for internal auditors.
Agenda
• Corporate Governance
• Three Lines of Defense
• Fraud Triangle
• 2014 Report to the Nations – Figures & Indicators
• A Recent Fraud Case
• Internal Audit Role in Fraud Detection and Deterrence
• Internal Audit Role in Fraud Awareness
• Internal Audit Role in Fraud Risk Assessment
• Assessing the Effectiveness of a Fraud Program
• Internal Audit Role in Fraud Investigations
• Internal Audit Standards & Tips for Internal Auditors
Corporate Governance Building
Corporate Governance
ERM
Internal Control
Fraud Mgt.
Internal Audit
Corporate Governance Building
Corporate Governance
Internal Audit
Internal auditing is an independent,
objective assurance and consulting activity
designed to add value and improve an
organization's operations. It helps an
organization accomplish its objectives by
bringing a systematic, disciplined
approach to evaluate and improve the
effectiveness of risk management, control,
and governance processes.
Corporate Governance Building
Corporate Governance
Fraud Mgt.
Although all personnel within
the organization have a
responsibility to prevent &
detect fraud, each organization
has to establish a fraud
management system in order
to lead the process of fraud
prevention and detection.
The ACFE is the world's
largest anti-fraud
organization & premier
provider of anti-fraud
training and education.
With more than 75,000
members, the ACFE is
reducing business fraud
worldwide and inspiring
public confidence in the
integrity and objectivity
within the profession.
Corporate Governance Building
Corporate Governance
Internal Control
Internal control is broadly
defined as a process effected
by an entity's board of
directors, management, and
other personnel, designed to
provide reasonable assurance
regarding the achievement of
the organization’s objectives.
Corporate Governance Building
Corporate Governance
ERM
Enterprise risk management is a process
effected by an entity’s board of directors,
management, and other personnel. It is
applied in a strategy setting and across the
enterprise and designed to identify
potential events that might affect the
entity, to manage risk to be within its risk
appetite, and to provide reasonable
assurance regarding the achievement of the
entity’s objectives.
Three Lines of Defence
• Who is responsible for managing
the risks?
• Who places controls and monitors
their performance?
• Does senior management have a
role; where should it be located?
• What are the differences between
internal audit role & external audit
role?
Do we compete or cooperate?
Three Lines of Defense
Three lines of Defense Role - Fraud
Triangle
2014 Report to the Nations
Figures & Indicators
A Recent Fraud Case
What Are Internal Audit Roles in Fraud
Management?
Fraud framework building:
Educator
Facilitator
Assessor
Fraud monitoring program
Fraud processes assessment:
Consultant
Assurance
Investigation
Internal Audit Role in Fraud Program
Educator
• The senior management & board of directors
have the ultimate responsibility to spread the
fraud risk culture & awareness throughout the
organization.
• Internal audit may contribute to any fraud
training sessions organized by the
management.
• Internal audit should ensure that contribution
in such sessions will not impair or seem to
impair the independence & objectivity of the
internal audit function.
• Internal audit might include the review of the
fraud awareness activity in the assignments.
Internal Audit Role in Fraud Program
Facilitator
• While the responsibility of fraud management remains
with senior management, the internal audit might play a
facilitator role in the fraud workshops.
• As a facilitator, you are requested to encourage the
interaction between individuals to enhance the
generation of ideas.
• Internal audit should not make any input to the
discussions and ideas generated.
• The facilitator collects the ideas generated and
submits them to the management.
• The internal audit should clarify that its role is to
facilitate the project and that it has no ownership of
responsibilities.
Internal Audit Role in Fraud Program
Assessor
• Once the fraud program is structured, the
internal audit may assess the
effectiveness of its design.
• Internal audit may recommend control
procedures/criteria to enhance the
program and to fill the gaps analyzed.
• Internal audit should not recommend any
specific controls or workflow for the fraud
program.
• Internal audit should not decline
management’s request to assess the
program unless the required technical
skills are not maintained by internal audit.
Fraud Risk Assessment
Internal Audit Role in Fraud Risk
Assessment
• Any organization should perform a fraud risk assessment
as part of assessing the risk exposure.
• The process of assessing the fraud risk follows the same
techniques of other risk assessment models.
• The COSO cube illustrates the
risk assessment process, which
takes many steps, starting with
establishing the internal
environment to monitoring the
results.
Internal Audit Role in Assessing
Effectiveness of the Fraud Program
• Internal audit has to include fraud risks in the scope of
each assurance assignment.
• Moreover, internal audit should schedule an assurance
assignment to examine the effectiveness of the fraud
program.
• The scope & objectives of such an assignment depend
on the maturity of the organization’s fraud program,
which varies from initialization to optimization.
• The evaluation of the fraud risk assessment should take
place to assess the design of the fraud program.
Internal Audit Role in Assessing
Effectiveness of Fraud Program
• Internal audit should also assist
management by accepting the
consulting assignments with
regard to the fraud program.
• The Chief Audit Executive (CAE)
should be keen on maintaining
the different competencies
required to conduct different
consultancies.
• Finally, internal audit’s report
should highlight the red flags
where the auditor believes a
possibility of fraud exists.
Internal Audit Roles in Fraud Investigations
• The CAE has to determine the
level of involvement in an
investigation.
• The involvement level depends
on the nature of the fraud and
the availability of internal audit
professionals with related
competencies.
• The CAE should continuously
enhance the competencies and
capabilities of internal audit
individuals through training and
professional development.
Internal Audit Role in Fraud Investigations
• The internal audit role in fraud
investigation should be
communicated clearly to senior
management & the board of
directors.
• The CAE has to prepare a formal
document (Internal Audit
Charter), which determines the
purpose, authority &
responsibility in general.
• The Charter should include also
the role of internal audit with
regard to the fraud investigation.
Internal Audit Standards
1210 - Proficiency
• Internal auditors must possess the knowledge,
skills, and other competencies needed to perform
their individual responsibilities. The internal audit
activity collectively must possess or obtain the
knowledge, skills, and other competencies needed
to perform its responsibilities.
1210.A2
• Internal auditors must have sufficient knowledge to evaluate the
risk of fraud and the manner in which it is managed by the
organization, but are not expected to have the expertise of a person
whose primary responsibility is detecting and investigating fraud.
Internal Audit Standards
1220 – Due Professional Care
• Internal auditors must apply the care and skill expected of a
reasonably prudent and competent internal auditor. Due
professional care does not imply infallibility.
1220.A1
Internal auditors must exercise due professional care by
considering the:
• Extent of work needed to achieve the engagement’s objectives;
• Relative complexity, materiality, or significance of matters to
which assurance procedures are applied;
• Adequacy and effectiveness of governance, risk management,
and control processes;
• Probability of significant errors, fraud, or noncompliance; and
• Cost of assurance in relation to potential benefits.
Internal Audit Standards
2060 – Reporting to Senior Management and the Board
The chief audit executive must report periodically to senior management and the
board on the internal audit activity’s purpose, authority, responsibility, and
performance relative to its plan. Reporting must also include significant risk
exposures and control issues, including fraud risks, governance issues, and other
matters needed or requested by senior management and the board.
2210 – Engagement Objectives
Objectives must be established for each engagement.
1210.A2
Internal auditors must consider the probability of significant errors, fraud,
noncompliance, and other exposures when developing the engagement
objectives.
Internal Audit Standards
2120 – Risk Management
• The internal audit activity must evaluate the
effectiveness and contribute to the
improvement of risk management processes.
• The internal audit activity may gather the
information to support this assessment during
multiple engagements.
2120.A2
• The internal audit activity must evaluate the potential for the
occurrence of fraud and how the organization manages fraud risk.
Tips for Internal Auditors
• Do not use the word fraud unless the investigation is over and the
fraud is confirmed.
• Internal audit is not authorized to initiate a fraud investigation; this is
a management decision.
• Internal audit has no direct responsibility to detect or prevent fraud
during assignments.
• Internal audit has a responsibility to detect and highlight the fraud
indicator (raise the red flag).
Tips for Internal Auditors
• The internal audit’s objective is to add value to the organization’s
operations through assessing the governance, risk management
and internal control.
• Any suspicion of a fraud occurrence should be reported to the
internal audit’s superior, and more information should be
obtained before raising the red flag.
• The internal auditor may require the assistance of a forensic
auditor, or someone with non-audit experience, such as an
attorney.

Editor's Notes

  • #15 We asked survey respondents what they thought were the primary internal control weaknesses that contributed to the frauds they had investigated. As noted in Figure 39, in nearly one-third of the cases, the victim organization lacked the appropriate internal controls to prevent the fraud, which reinforces the importance of targeted anti-fraud controls. A lack of controls played an even bigger role in those cases affecting small businesses; this was attributed as the primary weakness at more than 41% of cases at organizations with fewer than 100 employees. Additionally, according to the CFEs who participated in our study, one-fifth of the reported cases could have been prevented if managers had done a sufficient job of reviewing transactions, accounts or processes.
  • #16 Sorting departments based on median loss shows that the largest frauds are committed by executives and upper management (see Figure 67). This is not surprising because this group tends to have the highest authority within an organization. Among the seven departments that each accounted for at least 5% of cases, the finance department caused the second-highest median loss, followed by purchasing, accounting, operations, sales and customer service.
  • #17 Although the process of recovering the losses from a fraud can go on for years after a fraud examination is complete, we asked respondents to provide the percentage of the loss that the victim organization had recovered at the time of the survey. “No recovery” has been the most common response in past surveys, and this year we saw a substantial increase in this number. In 58% of cases reported in 2014, the victim organizations have seen no losses recovered, compared to 49% in 2012. At the time of our survey, only 14% of victim organizations had made a full recovery.
  • #18 As Figure 11 demonstrates, tips are consistently the most common detection method for cases of occupational fraud by a significant margin, which has been an observed trend since we first began tracking this data in 2002. Management review and internal audit follow tips, which was also true for the 2010 and 2012 Reports.
  • #19 Large and small organizations often allocate resources differently for anti-fraud measures (see Figure 27), and the distribution of detection methods at these two types of organizations also varies. Small organizations (those with fewer than 100 employees) differed most from large organizations in the percentage of cases detected by tip (34.2% and 45.1%, respectively) and internal audit (9.8% and 16.5%); these findings are not surprising, given that small organizations are much less likely to have hotlines or internal audit departments (see Figure 27).