Position Statement

The Institute of Internal Auditors UK and Ireland

Fraud Position Statement

Introduction This paper outlines the role and responsibilities of the internal auditor in relation to corporate fraud. It is also relevant to line management and other interested parties for instances of fraud that are committed below board level. This paper does not address the role of internal audit in relation to fraud committed by members of the executive board or anyone to whom the internal auditor directly reports, as these may involve the auditor becoming a whistleblower.

Definitions for the Purposes of this Statement Currently, the clearest definition of fraud is that used by the Metropolitan Police Fraud Squad: Fraud: Theft involving the distortion, suppression or falsification of financial records. A broader definition has been developed by the Law Commission in its report on Fraud (July 2002): Any person who, with intent to make a gain or to cause loss or to expose another to a risk of loss, dishonestly: (i) Makes a false representation, or (ii) Fails to disclose information to another person which, a) He or she is under a legal duty to disclose, b) Is of a kind which the other person trusts him or her to disclose, and is information which in the circumstances it is reasonable to expect him or her to disclose, or (iii) Abuses a position in which he or she is expected to safeguard, or not to act against, the financial interests of another person or of anyone acting on that persons behalf. The offence of obtaining services dishonestly would be committed where, with intent to avoid payment, a person by any dishonest act obtains services in respect of which payment is required. Deception is not an essential element of the offence. It would therefore extend to the obtaining of services by providing false information to computers and machines, which under the present law may not amount to any offence at all. Taken together, these definitions show that fraudulent behaviour could involve either internal disciplinary action, proceedings in the civil courts or prosecution by the police. Fraud can also be linked to other serious criminal activity taking place outside of the organisation in which it occurs, including extortion and money laundering.

Fraud Position Statement

Identifying the risk of fraud and its impact on the organisation Every organisation should: Set the tone from the top by having a policy that makes it clear that fraud will not be tolerated, that fraudsters will be prosecuted and that the organisation is committed to preventing and detecting fraud; Have a risk management strategy, which includes fraud risk mitigation measures, aimed at detecting fraud and deterring would-be fraudsters; Have a fraud response plan setting out exactly what steps to take if a fraud is reported or detected; Have a continuous programme of fraud awareness and regular updates and training for new and existing staff. The highest level of management should formally adopt the policy, strategy and plan. Roles and responsibilities of executive board, line management, staff, internal audit, the police and others in relation to fraud The primary responsibility for the prevention, detection and investigation of fraud rests with management, which also has the responsibility to manage the risk of fraud. Many organisations now have a dedicated in-house security function with responsibility to manage fraud investigations. This function may be assisted by internal audit. The executive board is responsible for: Corporate policy on fraud tolerance, dealing with the occurrence of fraud and laying down responsibilities and measures to mitigate fraud risk; Notifying appropriate regulatory authorities of relevant frauds; Ratifying policy, mitigation strategy and response plan; Corporate ethos, setting the right ethics and policies; Risk and threat assessment; Adequate and effective internal control; Adequate and effective internal audit. Line management is responsible for managing, controlling, reporting and taking action on the risk of fraud including: Having processes in place to deter and detect fraud; Applying adequate controls to prevent fraud; Leading fraud investigations; Overseeing investigations conducted by specialists on their behalf; Dealing effectively with issues raised by staff (including taking appropriate action to deal with reported or suspected fraudulent activity); Involving the police where necessary. Staff Operating procedures to safeguard the organisations assets; Alerting management when they believe that the possibility of fraud exists; Reporting immediately to management when they suspect that fraud has been committed.

Fraud Position Statement

Internal audits role: It is not a primary role of internal audit to detect fraud, but it is a role most people expect internal audit to undertake. There is, therefore, an expectations gap that needs to be managed. Internal audit has no legal responsibility for fraud but is required to give independent assurance on the effectiveness of the processes put in place by management to manage the risk of fraud. Any additional activities carried out by internal audit should be in the context of and not prejudicial to this primary role. The roles that internal audit should undertake include the following: Investigating the causes of fraud; Reviewing fraud prevention controls and detection processes put in place by management; Making recommendations to improve those processes; Advising the audit committee on what, if any, legal advice should be sought if a criminal investigation is to proceed; Bringing in any specialist knowledge and skills to assist in fraud investigations, or leading investigations where appropriate and requested by management; Liaising with the investigation team; Responding to whistleblowers; Considering fraud risk in every audit; Having sufficient knowledge to identify the indicators of fraud; Facilitating corporate learning. Audit Committees The report by Sir Robert Smith on the Combined Code Guidance for Audit Committees (January 2003) advised that: The audit committee should review arrangements by which staff of the company may, in confidence, raise concerns about possible improprieties in matters of financial reporting, financial control or any other matters. The audit committees objective should be to ensure that arrangements are in place for the proportionate and independent investigation of such matters and for appropriate follow-up action, and that any matters relevant to its own responsibilities are brought to its attention. Police The police may: Investigate links to offences; Give prevention advice; Advise on any pre-investigation work; Maintain a dialogue with management and/or internal audit during an investigation. Whistleblowing The primary responsibility for ensuring that appropriate whistleblowing processes are in place lies with management and the role of internal audit might be to review those processes. In some cases internal audit may well have a responsibility to investigate allegations from whistleblowers, although an external firm may be used as the contact point with the whistleblower to preserve their anonymity. It is good practice for larger organisations to have wellpublicised systems for reporting fraud.

Fraud Position Statement

If an investigation shows evidence of criminal activity, the internal auditor must discuss the issue with management. It is possible that management may be unwilling to admit publicly that they have been defrauded, particularly if they have concerns about the impact on their business. However, the responsibility for deciding whether such cases are reported to the police must rest with management. It should be noted that there is no obligation in UK law to report crime to the police or other law enforcement bodies. The primary legislation and regulations defining the requirement to report suspicions of money laundering are: Money Laundering Regulations 1993 and 2001 Terrorism Act 2000 Proceeds of Crime Act 2002 The Terrorism Act 2000 deals specifically with the funding of terrorist activities; the Proceeds of Crime Act 2002 deals with the proceeds of any criminal activity. Under both Acts, failure to report suspicions of money laundering is punishable by up to five years imprisonment. With the exception of money laundering provisions outlined above, there is no requirement for the internal auditor to report concerns of criminal activity to a third party. However, if the internal auditor is not satisfied that a matter has been properly dealt with, he or she may elect to disclose his or her concerns to a third party. The Public Interest Disclosure Act 1998 provides some protection to the individual making the report, but it is strongly recommended that the internal auditor should obtain independent legal advice before making any external disclosure. For further guidance you should refer to the Institutes position paper on Whistleblowing and Practice Advisory 2600-2. Questions for the internal auditor and the executive board to consider before becoming involved in fraud investigation: Should internal audit be involved in this type of work and, if so, to what extent? Does internal audit have the necessary investigative skills? Does internal audit have the necessary knowledge of the law? When is the right time to involve the police? The answers to these questions will vary according to the stance that each organisation has adopted on fraud issues. However, in general, specially trained individuals should undertake the investigation of fraud. In many cases these would not be internal auditors, but would instead be a separate investigations unit or external experts hired for the purpose. Internal auditors should receive specialist training necessary to allow them to undertake investigation of fraud, where appropriate. Fraud investigation is not a police priority unless it involves major sums or concerns high-profile cases. This is likely to lead to internal audit becoming more involved in investigations.

www.iia.org.uk
13 Abbeville Mews, 88 Clapham Park Road, London SW4 7BX Telephone 020 7498 0101 Fax 020 7978 2492 Email technical@iia.org.uk www.iia.org.uk The Institute of Internal Auditors UK and Ireland, April 2003