
Auditing Best Practice

How Internal Auditing Can Help with a Company’s Fraud Issues

by Gail Harden

Executive Summary

  • Fraud risk exposure should be assessed periodically by an organization to identify specific potential schemes and events for which it needs to have controls in place to mitigate risks.

  • Internal audit serves as a critical defense against the threat of fraud, with a focus on assessing and monitoring controls designed to prevent and detect fraud.

  • Internal auditors can be part of fraud deterrence by examining the adequacy of the system of internal controls.


Regulatory oversight is increasing, as are penalties. A passive attitude in an organization toward oversight and the topic of fraud, antifraud programs, and controls would be a strong indicator of a significant deficiency in its system of internal controls.

Economic factors can increase the occurrence of fraudulent practices. When the economy is in a downturn the risk of fraud increases due to personal financial pressures, the stagnation of compensation, and corporate stabilization strategies.[1] Problems associated with corporate stabilization strategies include:

  • fewer personnel and fear of downsizing;

  • increased workloads;

  • less accuracy;

  • less time to make decisions;

  • shortcuts taken to circumvent controls;

  • low morale;

  • likelihood of “cooking the books” to meet performance goals.

Additionally, corporations expand into foreign markets to reduce costs, which can lead to less transparency, stretched resources, and corrupt practices.

Fraud and Fraud Risk Assessment Defined

Fraud is defined as the use of dishonesty, deception, or false representation in order to gain a material advantage or injure the interests of others. Types of fraud include false accounting, theft, third party or investment fraud, collusion between employees, and computer fraud. Fraud risk assessment is a structured approach to identify and analyze fraud risk and controls in an organization, and to assess whether those controls are working as intended. PricewaterhouseCoopers (PwC) explained:

“Fraud risk assessment expands upon traditional risk assessment. It is scheme and scenario based rather than based on control risk or inherent risk. The assessment considers the various ways that fraud and misconduct can occur by and against the company. Fraud risk assessment also considers vulnerability to management override and potential schemes to circumvent existing control activities, which may require additional compensating control activities.”[2]

Why Should Internal Audit Perform Fraud Risk Assessment?

The Institute of Internal Auditors (IIA) sets forth professional standards that require internal auditors to assess the risks facing their organizations. Furthermore, internal audit is expected to evaluate whether the company’s controls sufficiently address identified risks of material misstatement in financial reporting due to fraud.

Internal audit participates in fraud deterrence by examining and evaluating the adequacy of internal controls. Simply by asking questions about how those controls are designed and whether they operate as intended, internal audit makes it known that it is on the lookout for possible fraud schemes. Internal audit reports to the audit committee and management on the functioning of internal controls in relation to fraud risk, thus facilitating adherence to financial reporting and corporate governance responsibilities.

The audit committee has responsibilities of fiduciary oversight to consider:

  • the process utilized to identify, document, and evaluate fraud risk;

  • types of fraud identified;

  • the level of likelihood and significance of fraud;

  • appropriate action taken to close any gaps in the existence and operation of controls;

  • opportunities for override of controls by management.

Process Overview

The fraud risk assessment process is a structured method to identify possible fraud schemes, identify internal controls that help to prevent or detect identified fraud schemes, document the results of testing the controls, and implement corrective action plans where needed. The objective of this process is to identify the existence of controls and how they operate, not necessarily to seek out fraud. Adequate controls reduce the opportunities for fraud to be committed. The assessment considers the various ways in which a company can be subjected to fraud and misconduct, along with its vulnerability to management override and other potential schemes to circumvent existing controls.

Fraud risk assessment is a continuous process, as shown in Figure 1.

Process Steps

The steps in the process are:

  • develop a framework (i.e. a format);

  • identify risks and controls;

  • rate the likelihood and significance of the risks;

  • identify gaps;

  • plan and implement remedial measures.

The process should follow the approach recommended by the Committee of Sponsoring Organizations (COSO).[3] This includes:

  • setting the “tone at the top,” instituting a code of ethics, and setting up a whistleblower hotline;

  • monitoring effectiveness;

  • communication;

  • identifying risks;

  • linking risks and controls.


Further reading

  • Deloitte Forensic Center. “Ten things about fraud control: How executives view the ‘fraud control gap’.” Deloitte, November 2007.
  • KPMG. “Fraud risk management: Developing a strategy for prevention, detection, and response.” KPMG International, 2006.
  • PricewaterhouseCoopers. “Key elements of antifraud programs and controls.” PwC white paper, November 2003.
  • PricewaterhouseCoopers. “The emerging role of internal audit in mitigating fraud and reputation risks.” PwC, 2004.