This might get me in trouble with IIA leadership (again), but it is important if internal audit is to get promoted from the children’s table of providing assurance on mundane issues that don’t really matter to leaders of the organization to the head table alongside those leaders.
The first part of this piece is on fraud, but it then considers the larger picture.
A read of the latest Position Paper from the Institute of Internal Auditors highlighted a set of problems for me. Fraud and Internal Audit: Assurance over Fraud Controls Fundamental to Success (2019) correctly quotes a couple of IIA Standards (1210.A2 and 2120.A2) but, in my opinion, provides faulty advice.
The paper gets this right:
- Organizations should have robust internal control procedures to limit the risk of fraud, and internal audit’s role is to assess these controls. [Note: I will come back to the last part of the sentence.]
- The organization should have a suitable fraud prevention and response plan in place allowing effective limitation and swift response to the identification of fraud and management of the situation. This should include digital data.
- Internal auditors should not investigate fraud unless they have the specific experience and expertise required to do so.
But it is wrong, as I will explain in a moment, when it says:
- The…
