Internal Audit, External Audit and Fraud Detection

1. Abstract

Researchers generally appreciate the ways that internal audit helps organizations to prevent / detect fraud, especially fraudulent financial reporting. We begin this discussion with a brief overview of the existing research on internal audit, external audit and fraud detection. We then report our preliminary findings from semi-structured interviews with an internal and external auditor on their fraud detection experience. Subsequently, we discuss the limitations of our study and conclude by offering fruitful avenues for future research.

2. Introduction

According to the Statement on Internal Auditing Standards (SIAS), fraud is characterized by intentional deception and encompasses both irregularities and illegal acts. Fraud can be perpetrated to benefit the organization or to its detriment. Persons inside or outside the entity may be involved.

With the increasingly-sophisticated business transactions and the growing dependence on computerized information systems, companies nowadays are more vulnerable to frauds. Effective detection of fraud helps a company to stop the fraud from continuing and thus minimize the negative impact involved. A KPMG fraud survey has found that 75% (62% in 1998) of the 459 public companies experienced an instance of fraud and 65% (43% in 1998) of the companies are using internal audits to uncover fraud in 2003.

Empirical researchers have suggested that a strong system of internal control (IC) is most effective in fraud prevention and one of the most effective tools for

fraud detection is through internal audit review. For example, Dennid Caplan (1999) stated that opportunities for fraudulent schemes normally arise because of weaknesses in IC. Auditors usually exert less effort investigating for fraud when ICs are weak. An investigation conducted by the Association of Certified Fraud Examiners (ACFE) in 2004 has also proved a strong relationship between internal audit and fraud detection. This coincidentally explains why an internal audit review becomes a part of fraud risk assessment in the US and why the Statement on Auditing Standards (SAS) 99 requires auditors to assess fraud risks in light of the entity’s programs and controls.

Although we expect internal audit may help in detecting fraud to certain extent, it is not obvious that internal audit can prevent and detect fraud simultaneously.

We begin this discussion with a brief overview of the existing research on internal audit and fraud detection. Interviews were conducted with both internal and external auditor to explore the extent to which they detect fraud.

Our findings also have implications for future research on the relation between internal audit performance and fraud prevention, as opposed to fraud detection. In particular, because internal audit’s role is not to purposely detect fraud, as well as the fact that fraud prevention and fraud detection are two mutually exclusive ideologies, future researchers should be cautious when drawing inferences about the relation between internal audit performance and fraud detection.

3. Existing Research on Internal Audit and Fraud Detection

One important study on fraud detection by use of internal audit was concluded in an investigation conducted by the ACFE in 2004 which has shown a strong relationship between internal audit and fraud detection. In the investigation, 508 cases of occupational fraud totaling US $761 million in losses has shown that organizations with internal audit departments / internal fraud examination departments suffered smaller losses, on average, than those without such departments. The study also found that nearly one-fourth of US fraud incidents investigated by CFEs during the last 2 years were detected by internal auditors. Figure 1 (Source: ACFE. Available at www.cfenet.com/pdfs/2004RttN.pdf )

Figure 2 (Source: ACFE. Available at www.cfenet.com/pdfs/2004RttN.pdf )

Figure 3 (Source: ACFE. Available at www.cfenet.com/pdfs/2004RttN.pdf )

Figure 4 (Source: ACFE. Available at www.cfenet.com/pdfs/2004RttN.pdf )

Figure 5 (Source: ACFE. Available at www.cfenet.com/pdfs/2004RttN.pdf )

Figure 6 (Source: ACFE. Available at www.cfenet.com/pdfs/2004RttN.pdf )

Figure 7 (Source: ACFE. Available at www.cfenet.com/pdfs/2004RttN.pdf )

In terms of initially detecting occupational frauds, internal audit had managed to detect more fraud cases than external audit did. (Figure 1) In detecting

million-dollar fraud cases, internal audit is also shown to be more capable than external audit. (Figure 2) The survey extended to show that internal audit is more effective than external audit in detecting frauds in small businesses (Figure 3), publicly traded companies (Figure 4), privately held companies (Figure 5) and government agencies (Figure 6), while for not-for-profit organizations (Figure 7), external audit seems to be more effective simply because many not-for-profit organizations do not have internal audit departments.

In fact, SIAS 3 has provided clear guidance to internal auditors in terms of deterrence, detection, investigation and reporting of fraud and has made recommendations to internal auditors in ascertaining if policies are in place to detect fraud. James L Bierstaker, Priscilla Burnaby and Susan Hass stated that operational audits and IC review are most commonly used by internal auditors to combat fraud. (2004) Although SAS 16 and 17 do provide clearly on external auditor's responsibility to detect and report fraud, investigation concluded by ACFE suggested that external audit is less effective than internal audit in terms of fraud detection. (2004)

4. Research Objectives

While much has been said that internal audit has been playing quite an important role in detecting and to a certain but lesser extent, in preventing fraud, external / statutory audit, on the contrary, only plays a kind of peripheral role (incidental detection) in preventing or detecting fraud, if any.

In order to examine the above assumption, we seek to find empirical support,

particularly to understand whether and to what extent internal audit helps an organization to detect frauds. We would also like to explore the reasons why external auditors play a less important role in fraud detection and an almost unimportant role in fraud prevention. These are to be done through interviews with internal and external auditors on the scope and extent of work they perform throughout an audit engagement.

5. Methodology

Although