Conformance with professional standards
The proposed scope expansion complies with current professional standards for internal audit and fraud investigation. These standards allow for the examination of upside risks as well as the integrity of non-financial reporting.
Concerning internal audit, the International Professional Practices Framework of The Institute of Internal Auditors (IIA) fully allows for the auditing of upside risks—organizational strengths and external opportunities—as long as they are matters important to organizational success.
The IIA defines “risk” as “the possibility of an event occurring that will have an impact on the achievement of objectives. Risk is measured in terms of impact and likelihood.” In practice, auditors using the concepts of risk and risk management have usually focused on downside risks—the organizational weaknesses and external threats to achieving organizational objectives. Risks about important positive possibilities, such as strengths and opportunities, have at best been a secondary consideration.
Additionally, IIA standards require internal auditors to be alert to the possibility of fraudulent behaviour. This obligation includes being alert to red flags for potential deliberate misrepresentation to secure personal or organizational benefits at the expense of other stakeholders. Internal auditors are required to refer red flags of potential fraudulent behaviour to investigators with the required expertise and authority for further review. Such situations can provide opportunities for greater collaboration between internal auditors and fraud investigators.
Value-added examinations
“It ain’t what you don’t know that gets you into trouble. It’s what you know for sure that just ain’t so.”
When, in the planning phase of an audit of a critical organizational initiative, the risk analysis indicates that the examination results are likely to be mainly positive, an organization should recognize that going ahead with the audit can still provide real benefits. Having these independent positive assurances on important organizational activities does benefit public and private sector organizations. Most of the time, the positive indications will be validated by internal audit, perhaps with some minor suggestions for improvement. However, the risk of misrepresenting an organization’s strengths and opportunities is often overlooked. When misrepresentation does happen, it can seriously jeopardize an organization’s success in many ways. For this reason, this risk should not be ignored.
To illustrate the benefits of validating strengths and opportunities, let’s consider six cases of unexpected “red flags” within the three domains of internal audit: governance (Table 1), risk management (Table 2), and internal controls (Table 3). These cases of possible wrongdoing would all be referred to fraud examiners.
Table 1 – Unexpected Red Flags in Governance
| | Governance Case A – Administration of Complaints | Governance Case B – Integrity of Positive Performance Information |
| --- | --- | --- |
| Internal audit objective | To ensure that the organization appropriately administers complaints concerning personal behaviour, such as the various forms of harassment that could occur in the workplace | To ensure the integrity of positive performance information supporting year-end organizational reports |
| Possible red flags suggesting further review by an investigator | | |
| Considerations | We have become aware from recent media coverage of numerous hidden cases of employee harassment in private and public organizations. It seems likely that many of these cases remained hidden due to misleading internal reporting. | Many managers are under considerable pressure to meet performance goals. It seems likely that, when the goals are unreasonable, there will be a temptation to provide more favourable reporting than is justified by the facts. |
It is worthwhile considering whether an internal audit of these governance areas would help expose problems in the administration of complaints, and would help ensure reporting integrity, even when there are no obvious signs of problems.
Table 2 – Unexpected Red Flags in Risk Management
| | Risk Management Case A – Risk Management Program | Risk Management Case B – Due Diligence Activities |
| --- | --- | --- |
| Internal audit objective | To ensure the robustness of the strengths and opportunities reported in a risk management program | To ensure the quality of due diligence activities in support of a significant organizational initiative |
| Possible red flags suggesting further review by an investigator | | |
| Considerations | Risk management has become a key approach to decision-making, both strategic and operational. When key decisions depend on risk analyses, there is likely to be a temptation to skew the analyses inappropriately toward a preferred course of action. | Due diligence reviews are an important form of risk assessment prior to entering into an important contract or agreement. There can be temptations to skew the assessment in favour of the desired action. |
It is worthwhile considering whether an internal audit of these risk management areas would help ensure the integrity of risk reporting, even when there are no obvious signs of problems.
Table 3 – Unexpected Red Flags in Internal Control
| | Internal Control Case A – Quality of Performance Standards | Internal Control Case B – Effectiveness of Internal Oversight Systems |
| --- | --- | --- |
| Internal audit objective | To ensure the quality of performance standards used to measure business activities | To ensure the effectiveness of internal oversight in areas such as financial control, human resources, information technology, contracting, and security |
| Possible red flags suggesting further review by an investigator | | |
| Considerations | Performance standards set the benchmarks against which success is measured. Accordingly, there will be temptations to reduce some standards to make them easier to achieve. | Senior management establishes internal oversight functions in complex areas to help ensure that operational objectives are achieved. These oversight functions are often part of the organization delivering the internal service. |
It is worthwhile considering whether an internal audit would help ensure the quality of performance standards and the effectiveness of internal oversight systems, even when there are no obvious signs of problems.
I have considered areas of perceived strengths and opportunities where deliberately misleading or inaccurate non-financial information can significantly harm organizations and the public interest. The six examples above show where positive auditing might provide value-added assurance to an organization’s stakeholders.
Conclusion
Both internal auditors and fraud investigators should innovate by expanding the scope of their services. Internal audit can increase its value by systematically including in its annual plan the examination of some critical organizational strengths and external opportunities. In addition to confirming positive organizational results, the positive auditing of upside risks will occasionally reveal unexpected red flags for further examination by fraud investigators.
Fraud examination can increase its value by examining non-financial fraudulent reporting within the scope of its work. This type of coverage can help avoid unpleasant surprises where performance information is deliberately and inappropriately reported to be positive, as was illustrated in the six cases in the tables above.
Overall, expanding the scope of examinations to include upside risks would provide additional value to public and private sector organizations, in compliance with professional standards and in support of management’s priorities.
DISCLAIMER: The opinions expressed in this article are those of the author and do not necessarily reflect the views of the Foundation.