Internal Audit’s Role in Preventing Fraud and Corruption Naohiro Mouri, CIA 2018-19 IIA Global Chairman of the Board

IIA’s Standards on Corruption and Fraud Our Role Required Knowledge Audit Considerations Other Considerations IIA Standards on corruption and fraud Role of internal auditor Knowledge of internal auditor Audit considerations Fraud prevention and anti- corruption programs Governance and risk assessment Policies and procedures Communication and training Monitoring and auditing Investigation and reports Other audit considerations

IIA Standards Proficiency and Due Professional Care Fraud risk Manner in which fraud is managed by the organization Must have sufficient knowledge to evaluate: Expertise of a person whose primary responsibility is detecting and investigating fraud Not expected to have: 1210.A2 – Internal auditors must have sufficient knowledge to evaluate the risk of fraud and the manner in which it is managed by the organization, but are not expected to have the expertise of a person whose primary responsibility is detecting and investigating fraud.

IIA Standards Due Professional Care Extent of work needed to achieve objectives Relative complexity, materiality, or significance Adequacy and effectiveness of governance, risk management, and control processes Probability of significant errors, fraud, or noncompliance Cost of assurance in relation to potential benefits 1220.A1 – Internal auditors must exercise due professional care by considering the: • Extent of work needed to achieve the engagement’s objectives; • Relative complexity, materiality, or significance of matters to which assurance procedures are applied; • Adequacy and effectiveness of governance, risk management, and control processes; • Probability of significant errors, fraud, or noncompliance; and • Cost of assurance in relation to potential benefits.

IIA Standards Reporting to Senior Management and the Board CAE must report periodically on internal audit’s purpose, authority, responsibility, and performance relative to its plan This must include significant risk exposures and control issues, including fraud risks, governance issues, and other matters that require the attention of senior management and/or the board Standard 2060: Reporting to Senior Management and the Board The chief audit executive must report periodically to senior management and the board on the internal audit activity’s purpose, authority, responsibility, and performance relative to its plan. Reporting must also include significant risk exposures and control issues, including fraud risks, governance issues, and other matters needed or requested by senior management and the board.

IIA Standards Standard 2120: Risk Management 2120.A2 – Must evaluate potential for the occurrence of fraud and how the organization manages fraud risk 2210.A2 – Must consider the probability of significant errors, fraud, noncompliance, and other exposures when developing engagement objectives Standard 2120: Risk Management 2120.A2 – The internal audit activity must evaluate the potential for the occurrence of fraud and how the organization manages fraud risk. Standard 2210: Engagement Objectives 2210.A2 – Internal auditors must consider the probability of significant errors, fraud, noncompliance, and other exposures when developing the engagement objectives.

Our Role “Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations.” Includes detecting, preventing, and monitoring fraud risks and addressing those risks in audits and investigations

Our Role The internal auditor should not be expected to have the expertise of a person whose primary responsibility is to investigate fraud. Investigations are best carried out by those experienced to undertake such assignments Some internal auditors have the necessary experience—but most do not.

Our Role Audit’s role in investigations depends upon resources and the organization’s governance structure If audit evidence points to an illegal act, the internal auditor should seek legal advice directly or recommend that management do so

Required Knowledge Decide Evaluate Understand Identify Red flags indicating fraud may have been committed Understand Characteristics of fraud Techniques used to commit fraud The various fraud schemes and scenarios Evaluate Effectiveness of controls to prevent or detect fraud Indicators of fraud Decide Is further action necessary? Should an investigation be recommended?

Fraud Prevention and Anti-corruption Programs Internal audit should assess the effectiveness of fraud prevention and anti-corruption programs Help anticipate risks Help identify potential and actual incidents

Fraud Prevention and Anti-corruption Programs Two different, but complementary, approaches may be used exclusively or in conjunction with each other Audit each component of the fraud prevention and anti- corruption program Incorporate into all audits as appropriate, including risk assessment and scoping Two different, but complementary, approaches that may be used exclusively or in conjunction with each other include: • Auditing each component of the fraud prevention and anti-corruption program. • Incorporating an assessment of fraud prevention and anti-corruption measures in all audits, as appropriate. In this approach, fraud and corruption risks should be incorporated into the risk assessment and scoping process of each audit. For example, a financial audit may include a review of cash transactions and a vendor management office audit might include a review of third-party due diligence practices.

Fraud Prevention and Anti-corruption Programs Procedures to assess fraud and corruption risks Fraud and corruption scenarios Control environment and fraud prevention/ anti-corruption programs within the audit area Linking audit procedures to assessed risk

Governance and Risk Assessment Understand attitude/tolerance of board and executive management Is attitude sufficiently restrictive? Adequately communicated throughout the organization? Scrutinize governance structure and monitoring/oversight responsibilities Evaluate inherent risks as part of comprehensive risk assessment Understand the attitude and tolerance of the board and executive management toward fraud and corruption risks Assess whether attitude is sufficiently restrictive Validate that attitude has been adequately communicated throughout the organization Scrutinize governance structure and monitoring/oversight responsibilities related to fraud and anti-corruption programs Evaluate inherent fraud and corruption risks as part of comprehensive risk assessment

Policies and Procedures Documented appropriately? Approved by appropriate management? Compliance with applicable laws and regulations? Implemented effectively? Internal audit should sample test whether policies and procedures: • Are documented appropriately. • Are approved by appropriate management. • Comply with applicable laws and regulations. • Are implemented effectively.

Communication and Training Internal audit should share information and work with other assurance functions Fraud investigation, legal counsel, compliance, external audit… May collaborate with legal and ethics teams on training and anti-bribery and anticorruption audits Must consider whether their training and/or communication activities could impair their objectivity Internal audit should share information and work with other functions such as fraud investigation, legal counsel, compliance, and external audit. Internal audit also may collaborate with legal and ethics teams on training and anti-bribery and anticorruption audits. Internal audit must consider, however, whether their training and/or communication activities could impair their objectivity in any manner.

Monitoring should be performed to: Ensure effectiveness of fraud prevention/anticorruption programs Lower time to detection Support continuous improvement and follow-through on corrective action plans Internal audit’s monitoring activities should not supplant management’s monitoring role

When audit evidence indicates possible irregularities… Follow reporting protocol and refer the matter to the investigation group If internal audit suspects that management is involved in the irregularity, identify the appropriate party to whom audit can report Perform and document adequate actions to support audit findings, conclusions, and recommendations

Other Considerations Geography and industry Hiring/employment Third-party/vendor management Gifts, entertainment, and political contributions Procurement Sales Finance IT Upper management Government relations

Thank You