Chair: Dr Janice Goldstraw-White
Liz Sandwith – Chief Professional Practices Adviser – Chartered Institute of Internal Auditors
Rob Winter – Head of Internal Audit, Anti-Fraud and Assurance – Barnsley MBC
Gareth Mills – Director, Public Services – Grant Thornton UK LLP
Liz Sandwith opens stating that the threat of fraud is one of the most common challenges to governance that organisations face and it cuts across all types and sizes of organisations, sometimes with devasting consequences. She believes that as the incidence of fraud is rising globally, the significance to organisations has increased, not least fuelled in the last 20 months by the links between cybercrime and fraud, and remote working. In terms of Internal Audit’s responsibility for fraud, Liz outlines that these specifically relate to internal control, risk management and governance, and in terms of risk, she states that internal audit need to undertake a fraud risk assessment to understand where fraud is most likely to be prevalent in an organisation. She explains that this is to ensure that organisations have good preventative, detective and directive controls in place in these particular high-risk areas. She points out that internal auditors need to be aware of the ‘fraud triangle’ especially in the current economic climate where more opportunities may be present for staff to exploit, especially if they are in need and can justify their actions. Liz emphasises that it is not internal audits responsibility to find fraud, but to assess that management has the appropriate controls in place to mitigate against it and that these are fit-for-purpose. However, she does believe internal audit could do more – both in terms of improving controls, but also better working relationships with partners, especially external auditors to ensure that there are no duplications in work and more importantly, no gaps in high fraud risk areas.
You will hear Gareth Mills talk about his experience as an external auditor in the public sector acknowledging that there is indeed an expectation gap and lack of understanding between management and external audit, especially when things go wrong. He continues by explaining that in the public sector the key requirements of external audit are to ensure that the accounts are free from material misstatement of fraud and error, in that they have a reasonable level of assurance to issue a clean audit opinion. Gareth highlights the significance of the word ‘materiality’ and puts this in context by explaining that this may be financially very high for certain organisations, such as large local authorities. He also cautions that even the most well run and compliant external audit may not detect fraud. However, during the course of their work, Gareth outlines that external auditors do come across non-material elements of and these are highlighted to strengthen controls and discussed with management and audit committees. In undertaking their duties, Gareth explains that external auditors typically meet with management, review board/council papers and engage with heads of internal audit. In recent years, especially after pressure from the FRC, Gareth points out that they have started to focus on areas where the accounts could be manipulated and where management could circumvent controls. Typically, he states this occurs around journal entries and therefore, external audit have increased their testing in this area and now risk-assess journals to look at those which are high-risk so they can do sufficient and appropriate testing of these to give themselves the best opportunity to identify material areas of fraud or error.
We hear from Rob Winter his practical views from running both an internal audit and anti-fraud function and he regards the internal audit function as a fundamental part of anti-fraud measures implemented within an organisation. Although he acknowledges some technical skills are required when looking at fraud, he does not see the relationship of internal audit to fraud risk as different to any other organisational risk area. Rob believes that regardless of size, all organisations need to be secure in their strategic recognition of fraud risk and not to have the attitude of ‘not in this organisation’ or ‘not on my watch’. He believes where these attitudes are found that internal audit need to challenge such resistance. Rob highlights that people are the main weakness in relation to fraud, but not just those who perpetrate it, but those who present opportunities for others to pursue it. In terms of how his internal audit team undertakes their work, Rob explains that for each assignment there an extra fraud-risk assessment layer is built into that work to identify any fraud risk vulnerabilities. But he also believes that in-house internal audit teams have a head start to those teams bought in or semi-outsourced, because they are able to ‘live and breathe’ the culture and appetite of an organisation to embrace fraud risk. As his final point, Rob outlines the importance of audit committees – not just to report findings to, but that committee members should be asking questions of both management and heads of internal audit about fraud, and if they aren’t – he believes they are not doing their jobs properly.
This webinar has indeed highlighted the responsibilities of both internal and external auditors in relation to tackling fraud, something which is frequently misunderstood, especially by organisations when employing such services. Although neither functions have a specific duty to find fraud, both have taken a more risk-based approach in their work to highlight areas of high-risk so that organisations can ensure they can put in the appropriate controls and procedures in place to mitigate such risks. The importance of tackling fraud in partnership between management and auditors could not be overstated.
Dr Janice Goldstraw-White
6th January 2021