Internal auditor: Watchdog or bloodhound?

In a recent incident of fraud unearthed at a multinational banking and financial services company in India, the internal auditor was arrested on charges of conspiring with other co-accused in deliberately failing to point out certain discrepancies. The National Company Law Tribunal added the names of the internal auditors (present and former) as parties to the alleged fraud.

In another incident, in one of the biggest corporate scandals at an IT service company, the investigating agency charged the head of internal audit, contending that despite being aware of the irregularities, he did not report them to the audit committee. He was found guilty of gross negligence in discharge of duties by the ICAI disciplinary committee and barred from practising as a Chartered Accountant.

A former regulator remarked during a media interview recently that if there is anything wrong happening in a company, the internal auditor must be the first to know; and that while statutory auditors’ role is usually limited to 2-3 months in a year, internal auditors have a 12-month job.

These are only a few instances where the internal auditor has been in the media spotlight lately with respect to their role in identification, detection and reporting of frauds.

Internal auditor’s role in fraud detection

While the skills and technological tools available to the internal auditor have evolved, as has the nature of frauds / red flags identified in organizations, the internal auditor’s contribution to fraud detection has reduced. As per the ACFE Report to the Nations 2018, 15% of occupational frauds were detected through internal audits, compared with 19.2% a decade earlier (as per the ACFE Report to the Nations 2008).

Regulatory requirements and guidance on internal auditor’s role in detection & reporting of frauds

Most Indian regulations and available guidance do not place direct accountability on internal auditors for detecting frauds occurring in the organization.

The RBI provided guidance specifically for audits in banks vide Circular No. DBS.FGV.(F).No. BC/ 23.08.001/2001-02 dated May 3, 2002 (on implementation of Committee recommendations on legal aspects of bank frauds) stating – If an accounting professional, whether in the course of internal or external audit or in the process of institutional audit finds anything susceptible to be fraud or fraudulent activity or act in excess of power or foul play in any transaction, he should refer the matter to the regulator. Any deliberate failure on part of the auditor should render himself liable to action.

Other regulations, however, do not place similar direct accountability on internal auditors. For instance, amended provisions for reporting fraud under the Companies Act or under the revised Listing Agreement do not specifically cover the role of internal auditors in reporting frauds. Internal auditors covered under Section 138 are not specified as persons who are required to report under Section 143(2). Further, Section 143(2) includes only fraud by officers or employees of the company and does not include fraud by third parties.

However, it is worth noting that multiple regulations/professional guidance notes contain references to reliance on the internal auditor’s work towards detection of frauds. A few examples are summarized below:

  • SA 240 states that primary responsibility for prevention and detection of fraud lies with those charged with the governance and management of an entity. It also requires (Statutory) auditor to make enquiries of internal audit whether it has knowledge of any fraud affecting the company and to obtain views about risks of fraud.
  • SA 315 & 610 require statutory auditor to enquire with Internal Auditor regarding procedures performed, if any, to detect fraud and whether management has responded to any findings resulting from these procedures.
  • Similarly, ICAI guidance note on reporting of fraud u/s 143 (2) of Companies Act 2013 provides an illustrative checklist for Auditor’s enquiries with Board / Audit Committee and Internal Auditor.
  • SIA-11 requires Internal Auditor to use his knowledge and skills to reasonably enable him to identify indicators of fraud. An internal auditor should exercise reasonable care and professional skepticism. It also states that the Internal Auditor cannot be expected to possess the expertise of a person with specialized knowledge and skills in detecting and investigating frauds.
  • Clause 49 of the Listing Agreement requires the Audit Committee to review findings of internal investigations by the Internal Auditors and report the matter to the Board.
  • One of the key amendments to the Prevention of Corruption Act, 1988 states that directors, managers, secretaries and other officers of a commercial organization can be held liable if any offence of bribery is proved in court to have been committed with the consent or connivance of such director, manager, secretary or other officer. The same may also be interpreted to cover internal auditors as key officers of the organizations.

In the same light, international norms, including international standards issued by Institute of Internal Audit, PCAOB auditing standard 5, SAS 99, Sarbanes Oxley Act (SOX) contain similar provisions indicating reliance on Internal Auditor’s work by Auditors/Audit Committee.

Thus, while there is no direct responsibility cast on internal auditors to detect and report frauds, there are enough references made in multiple regulations and professional guidance notes casting indirect responsibility on internal auditors towards detection and reporting of frauds.

What should internal auditors do?

In view of the constantly increasing expectations of multiple stakeholders from internal auditors towards detection and reporting of frauds, the following are some illustrative measures that internal auditors may take to address those expectations:

  • Clearly define scope and coverage including exclusions, if any, as part of the internal audit Charter and obtain Audit Committee approval for the Charter
  • Role of internal auditors in fraud prevention, detection and reporting to be formally documented as part of the organization’s fraud risk management policy, including appropriately covering materiality (value threshold for reporting) considerations.
  • Cover and document process for internal audit to express concerns, if any, about i) Management’s commitment to appropriate internal controls, ii) suspicions or allegations of fraud
  • Document and reinforce independence of internal auditor from management as part of the Charter. In listed companies, internal auditor should ideally report to the Audit Committee or the Risk Committee of the board
  • Adequately document additional measures taken and proactive procedures performed, if any, to address any significant control deficiencies or weak areas identified during internal audit. As a modern-day Shakespeare might have said – “Better three tests too many than a sample too small”
  • Allocate resources to assessment of fraud risks where necessary and document it adequately
  • Benchmark organization’s internal controls with industry best practices periodically and stay updated with appropriate skills and technological tools to enable effective risk assessment during internal audit
  • Acquire necessary skills and stay updated with the relevant developments to enable them to recognise any red flags
  • Monitor frauds/incidents reported within the industry and incorporate learnings while carrying out subsequent reviews; or seek change in current audit plan if the incident (reported in industry) may be significantly relevant for the organization and immediate attention is warranted to rule out similar risks within the organization
  • Seek access to whistle-blower complaints relevant to internal audit and incorporate learnings. Where in-house internal auditor is not involved in investigating such complaints, seek information on internal control failures/gaps noted by the investigation team to ensure the same are incorporated for current and subsequent audits

As famously said by a Danish philosopher – “All change is preceded by crisis”. While there may be no imminent crisis presently, the internal auditor is definitely standing at a crossroads with the increasing attention on the role of internal auditors in organizations where major frauds are detected.

It may be about time for internal auditors to consider setting clear guidelines and guidance clarifying their roles and responsibilities in prevention, detection and reporting of frauds.

While internal auditors can continue to emphasize that they are watchdogs and not bloodhounds, they do need to demonstrate that they are ALERT watchdogs and are discharging their responsibilities with eyes wide open.

(Srividya K, Manager, Forensic & Integrity Services has also contributed to the above post)