As the global economic outlook changes, the fraud landscape shifts with it, and so must the way audit leaders manage it. An assessment of the possibility of fraud is, after all, a requirement of every audit engagement.
ISACA Performance Standard 1207, Irregularities and Illegal Acts, states that “IT audit and assurance practitioners shall consider the risk of irregularities and illegal acts during the engagements.”
This does not make auditors fraud specialists, but the standard recognizes that inadequate internal control systems create opportunities for fraud. Several control checklists exist to guide auditors in making this assessment. Among the matters the standard directs auditors to address at the audit planning stage is obtaining written representation from management on the following:
- Management’s understanding, at the planning stage, of the level of risk of irregularities and illegal acts in the enterprise
- Whether management has knowledge of irregularities and illegal acts that have or could have occurred within the enterprise, or may have been directed toward it
- Management’s responsibility for designing and implementing internal controls to prevent irregularities and illegal acts
- How the risk of irregularities or illegal acts is monitored and managed
- What processes are in place to communicate alleged, suspected or existent irregularities or illegal acts to appropriate stakeholders
- Applicable national and regional laws in the jurisdiction in which the organization operates, and the extent of the legal department’s coordination with the risk committee/audit committee
Fraud risk assessments are built on an understanding of why people commit fraud. The fraud diamond theory holds that four elements influence a person to commit fraud: pressure, opportunity, rationalization and capability.
Traditionally, IT auditors’ fraud risk assessments focused on the organizational structures and policies for managing fraud, as outlined in the standard above. As organizations consume more technology, assessing cyber-related fraud has become a critical part of assessing fraud risk during audit planning and of establishing the organization’s cyber risk profile. To carry out this assessment, IT auditors do not need to reinvent the wheel; they need only remodel their assessment questions.
Below is a summary of how an IT auditor can analyze cyber fraud risks during audit planning, organized by the four elements of the fraud diamond:
| Elements that Influence Fraud | What the IT Auditor Should Consider in Assessment of Fraud Risk |
| --- | --- |
| Pressure | |
| Opportunity | |
| Rationalization | |
| Capability | |
Understanding how the organization deals with each element of fraud allows the IT auditor to conclude on the level of cyber fraud risk to which the organization is exposed. Other factors not included here can also be taken into consideration. What is critical is that auditors, at the planning stage, gauge the level of possible cyber fraud and ensure that the controls selected for testing cover the cyber risk that has been identified.