Institutions generally believe that their employees are moral and that their internal fraud risks are low. The presumption appears fair, considering that the individuals would not have been hired if there had been any red flags at the time. However, the absence of apparent red flags earlier is no guarantee that employees will adhere to policies and procedures, maintain the required controls and segregation of duties, and stay alert to any abnormal activities or behavior of their peers and supervisors. The whistleblower provisions of the Dodd-Frank Act, and related policies at various institutions, have proved that internal frauds and misappropriations continue, and that these are not always detected by Internal Audit, even though the IIA Standards require it to review for fraud risks, as explained below.
The recent indictment and guilty plea by a former CVS employee, for a fraud that resulted in a loss of over $2.5 million to CVS Pharmacy, is a typical example of how an employee can cause significant loss to the institution. The loss could have been much higher had internal systems/audit not found the purchasing of excessive quantities of diabetic test strips at a CVS located in Rochester, NY from a non-approved vendor (packages had the employee’s return address), which were intercepted and sold by this employee to a third party located in Florida.
The CVS case is a recent example of how Internal Audit can identify frauds and enable institutions to prevent future losses. However, various whistleblower awards, which have become quite common, indicate that there is a real need for a strong Internal Audit function so that internal misappropriations, frauds and violations of due controls are reported appropriately and in a timely manner.
While some may view Internal Auditing as a commodity, it is important to remember that internal audit is conducted in diverse legal and cultural environments; for organizations that vary in purpose, size, complexity, and structure; and by persons within or outside the organization. Nevertheless, conformance with The IIA’s International Standards for the Professional Practice of Internal Auditing (Standards) is not only required, it is important.
Under The IIA’s Standards, internal auditors must possess the knowledge, skills, and other competencies needed to perform their individual responsibilities, and Standard 1210.A2 explicitly requires that “Internal auditors must have sufficient knowledge to evaluate the risk of fraud and the manner in which it is managed by the organization”. Further, Standard 2120.A2 requires that “internal audit activity must evaluate the potential for the occurrence of fraud”.
It is in an institution’s best interest to ensure that it has an in-house or outsourced Internal Audit function that, among other things, is competent, independent and objective in performing its work, and has enough experience to identify potential fraud risks.
For your Internal Auditing and other consultancy requirements, contact us: info@RGSGlobalAdvisors.com