Fraud – IT Internal Audit can make a difference

By Dominique Georges, Senior Manager, Ernst & Young, Luxembourg  
IT nation 2.0
July/August 2009 

At a time when there has been a significant rise in the number of high-profile data leakage and fraud breaches, notably as a consequence of the current economic situation, a recent survey shows that 65% of internal audit chiefs do not recognise IT fraud as a serious threat to their business.

This is according to a recent survey released by Ernst & Young, which found that internal audit chiefs ranked corporate breaches 6th in their “top 10” IT risks for the organisation, while for CIOs it barely made it onto the list at just 9th. In addition, just 14% of internal audit chiefs said that their staff had been trained in fraud investigation. The survey mentions that internal auditors can play an important part in preventing and discovering fraud, but also suggests that their investigative skills are lacking, which is becoming an increasing cause for concern.

Although most CIOs agree that IT internal audit will provide the primary source of assurance in their organisations, the concern is that there is a massive skills gap. To meet this demand, IT internal audit teams will need to resource more creatively (e.g. ‘guest auditors’ and IT Internal Audit co- or out-sourcing) for specialist areas. Many will seek a combination of IT internal audit reviews, management’s own assurance processes (such as “KPIs”) and external third party reviews.

Fraud is typically considered under three main headings – prevention, discovery and investigation. A holistic approach is needed across an organisation. As heads of IT Internal Audit put their training and audit programmes together, there are a number of areas where Internal Audit is in a unique position to assist in both fraud prevention and detection, if proper training is provided.

Fraud prevention

  • High on the agenda: Internal Audit (“IA”) can help to ensure that prevention of fraud is high on the agenda of the Audit Committee and other relevant management committees. IA’s direct reporting line to the Audit Committee is a valuable one to ensure concerns are heard and acted upon at the highest level.
  • Exploiting the network: IA has connections with many different business areas as well as with compliance and regulatory contacts. IA’s broad business overview can put context around allegations, while IA’s controls assurance activities should support the necessary confidentiality, anonymity, and security of evidence trails.
  • Development of fraud risk profile: The IA team can be instrumental in developing a fraud risk profile within an organisation and designing audit programmes to address the areas of the business deemed at highest risk.
  • Code of conduct: IA can help to assess whether the tone and culture within a business is sufficient to acknowledge fraud as unacceptable behaviour and to ensure training is provided to employees on the specific implications of fraud in that industry, as well as specific relevance to individual departments or roles.
  • Staff training: Individuals should be receptive to the possibility of fraud occurring in the organisation’s departments and processes, and IA can play a role in auditing the effectiveness of fraud training.
  • Clear responsibilities: While larger organisations may have a role entitled Fraud Prevention Officer, many will not. IA can help to ensure that fraud prevention does not fall between two or more departments, and that skills and competences are appropriate.

Fraud discovery
Whistle-blowing and reporting: A major source of uncovering fraudulent behaviour is reporting from company employees. IA can help to increase awareness of the existence and nature of the reporting framework, and the existence of training on reporting allegations. IA should also look at the trends and symptoms so they can more accurately focus their future work and ensure the organisation learns from past frauds.

Fraud investigation
Although IA will typically play a lesser direct role here, IA responsibilities can include:

  • Cooperating with the external investigators and assisting them in drawing on previous IA testing.
  • Ensuring there is an established and publicly available investigation policy.
  • After the investigation, ensuring that poorly managed processes and controls are addressed.

In summary, Internal Audit has a crucial role to ensure there is clear and consistent understanding of where the responsibilities lie for identifying, discovering and investigating fraud. Additionally, heads of IT Internal Audit should ensure their teams are suitably trained so as to be able to play their agreed role competently, and to be able to include fraud-related components in risk assessment, audit planning and fieldwork.

*Dominique Georges is an Executive Director with the IT Risk & Assurance department of Ernst & Young, Luxembourg.

Posted on 8 July 2009
