The Role of an Internal Auditor in Risk Management

Introduction

An internal audit is a complete evaluation of the company’s functions in terms of risk management; that is, the internal auditor monitors the organization for the risk of monetary loss or lower-than-expected earnings due to unforeseen circumstances. In fact, the Position Statement of the international organization, the Institute of Internal Auditors (2004) states that the enterprise-wide risk management tasks performed by these individuals assist the organization by improving the understanding of the risk that the organization faces, by improving the likelihood of growth and change initiatives, and by helping the organization avoid surprises (p.

3).

The internal auditors that perform these audits are often accountants.  Due to the global nature of this audit, however, it is not necessary for all internal auditors to be accountants.  In addition to the organization’s financial matters, the internal auditor monitors its operations and systems as well (InvestorWords, 2007a). According to the Institute of Internal Auditors (2007):

An effective internal audit activity is a valuable resource for management and the board or its equivalent, and the audit committee due to its understanding of the organization and its culture, operations, and risk profile.

Get quality help now

Sweet V

Verified writer

Proficient in: Audit

4.9 (984)

“ Ok, let me say I’m extremely satisfy with the result while it was a last minute thing. I really enjoy the effort put in. ”

+84 relevant experts are online

Hire writer

The objectivity, skills, and knowledge of competent internal auditors can significantly add value to an organization's internal control, risk management, and governance processes. (FAQ)

Internal Auditor Role in Fraud

It is the role of the internal auditor to prevent, detect, and investigate fraud as part of the organization’s risk management process.  The internal auditor might use a variety of methods and techniques to control and detect the risk assumed by the organization, including consulting, assurance, oversight, and others (Institute of Internal Auditors, 2007, FAQ).

  Simply through the performance of their regular duties, internal auditors play a role in preventing fraud.

However, they are also capable of making recommendations based on their observations, benchmark the effects that they note in their observations, and develop internal training policies and ethical policies in terms of fraud and other irregularities (Institute of Internal Auditors, 2007, FAQ).  Internal auditors also detect fraud in the course of their duties.  The Institute of Internal Auditors (2007) explains that:

Because the internal auditors are exposed to key processes throughout the organization and have open lines of communication with the executive board and staff, they are able to play an important role in fraud detection. [. . .] When developing their annual audit plan, the internal auditors consider the organization's assessment of fraud risk, and periodically might make assessments of management's fraud detection capabilities. They design tests that use audit techniques like data mining to ensure the controls in place are effective. (FAQ)

Although internal auditors are capable of investigating fraud cases, in general, they are generally not expected to perform at that level.  Rather, the auditor acts as an objective resource for the individuals with the expertise who are performing the investigation, or they act as the same kind of resource to the company itself.

In addition to the organization’s operations, the internal auditor is responsible for overseeing its ethical status.  By putting an individual in place to oversee both ethics and practices, an organization makes it more difficult for employees of that organization to commit fraud.  If nothing else, having an internal auditor in place permits an organization to demand accountability of all of the people within it.

Segregation of Duties

The term “segregation of duties” refers to defining each position within the organization in terms of the tasks for which each individual is responsible, providing limits beyond which those employees cannot pass.  Little to no duplication exists in these tasks between departments or even between individuals.

The segregation of duties prevents a single individual or a single group of individuals from gaining too much power within the organization in relation to a single “risk-taking activity” (Lam, 2003, p. 18).  Setting these limits provide checks and balances that reduce the possibility of fraud (Lam, 2003, p. 18).

Management Information System Password

A management information system (MIS) team is one that is dedicated to covering the activities of the organization’s components in order to reduce or resolve business-related issues that organization might experience.  Unlike other systems within an organization, these information systems both analyze other systems in the organization or are used to create a process to confirm or otherwise substantiate a decision made by a human operator.  Because both the human factor and that provided by computer hardware and software interact in the decision-making process, an MIS password provides one aspect of the checks and balances mentioned previously.  These checks and balances would protect the sensitive information associated with business operations that are analyzed by a management information system, preventing:

• Alterations of the documentation on the part of users who have access to other levels of the system
• Access on the part of unauthorized individuals
• Complete or swift access on the part of someone who would use the information for unauthorized purposes.

Getting Away with Fraud

As can be seen, the checks and balances created by an internal auditor would go a long way toward avoiding fraud.  However, not all businesses have these checks and balances.  Small businesses and family businesses might have a single individual doing the accounting for accounts payable and accounts receivable, as well as managing the inventory.  These functions are all closely related, so when personnel resources are limited it might make sense to combine them.  However, by doing so it reduces the number of checks and balances allowed to the business owner and it permits fraud to occur.

Without the controls discussed above, a single individual might have the ability to not only decide what kind of stock a company carries or what kind of services it offers.  That person could then set up a false account name and contact information that would either “provide” imaginary stock or imaginary services.  The person committing fraud would need to start a bank account in the name of that business; he or she would need to file papers for a tax identification number, as well.  While this stage might seem easier with services, shell companies have been created in the past, complete with warehouses that apparently hold the company’s merchandise.

One family-operated electronics business once operated with warehouses that appeared full of stock and yet had only a small percentage of the apparent stock actually on hand.  The company created the illusion of fullness by stacking boxes containing merchandise a certain number high and deep, forming an empty rectangle.  The owner, who “counted” the boxes from a ladder, provided a false count during inventories and audits.  Once the false count of merchandise or the false service has been recorded, the person committing the fraud could then write his or her own check to the vendor, deposit the check in the account, and wait for it to clear. By separating duties, however, this kind of scenario could be avoided.

References

Institute of Internal Auditors, The. (2004). Position Statement: The role of internal audit in enterprise-wide risk management.  Retrieved 20 May 2007 from www.theiia.org/download.cfm?file=283

Institute of Internal Auditors, The. (2007). Internal Audit FAQs.  Retrieved 20 May 2007 from http://www.theiia.org/theiia/about-the-profession/internal-audit-faqs/?i=1077

InvestorWords. (2007a). Internal audit. WebFinance, Inc. Retrieved 20 May 2007 from http://www.investorwords.com/2559/internal_audit.html

InvestorWords. (2007). Risk management. WebFinance, Inc. Retrieved 20 May 2007 from http://www.investorwords.com/4304/risk_management.html

Lam, J. (2003) Enterprise risk management: From incentives to controls. New Jersey: John Wiley ; Sons.