Managing Fraud Risks in an Organization

Each year, billions of euros are lost due to fraud and corruption in both public and private sector organizations. The European Commission estimates the cost of fraud and corruption in the European Union at €120 billion annually. These direct financial losses stem from the theft of public funds, embezzlement, bribery, etc.

However, there are also indirect economic losses:

  • Reduced Economic Growth due to increased instability in the business environment and a negative impact on the investment climate.
  • Damage to the Reputation of organizations involved in fraud, resulting in shrinking customer bases and market share.
  • Increased Business Costs due to more complex regulatory compliance and procurement processes.
  • Erosion of Public Trust, leading to social unrest and societal decline.
  • Degraded Public Services with inadequate infrastructure, leading to a lower quality of life.

 

Having outlined the consequences of fraud, let’s define it: Fraud is any intentional act characterized by dishonesty, deception, concealment of truth, forgery, or breach of trust to obtain unlawful personal or business gain.

But how does fraud thrive? The short answer: poorly designed control mechanisms and a weak governance system. Therefore, a robust Internal Control System is necessary to mitigate fraud risks. This is where the role of the Internal Auditor becomes vital. According to Standard 3.1 [Proficiency], the auditor must have sufficient knowledge to identify and assess fraud risks, as well as understand how those risks are managed by the organization.

The Internal Auditor must detect, prevent, and monitor fraud risks during audit engagements. They must respond immediately when confronted with a fraud risk, by testing controls, assessing risks, and planning targeted audits.

It’s important to note that the Internal Auditor is not responsible for preventing fraud—this responsibility lies with management, specifically the first line of defense. Meanwhile, the second line of defense, typically the Risk Management unit (if one exists), is responsible for overseeing how fraud risks are handled. If such a unit does not exist, the responsibility falls entirely on senior management.

The organization must develop and implement a Fraud Response Plan, including response policies and investigation methods. The roles of all stakeholders must be clearly defined. Thus, Internal Audit actions in the event of fraud detection or control failure should follow a specific protocol.

Within this framework, Internal Audit will identify fraud risks by analyzing data, studying trends, and spotting patterns that may indicate fraud or embezzlement.

Below is the minimum required expertise Internal Audit should have:

  • Ability to identify fraud red flags.
  • Understanding of fraud characteristics, techniques, and common fraud schemes.
  • Ability to assess fraud indicators and determine whether to recommend a formal investigation.
  • Ability to evaluate the effectiveness of controls in preventing and detecting fraud.

 

Where skills are lacking, Internal Auditors may seek specialized assistance, internally or externally, as permitted by the International Standards for the Professional Practice of Internal Auditing. This may include support from legal advisors, forensic accountants, etc.

The Fraud Response Plan will vary from one organization to another, depending on available resources and risk tolerance. Some organizations involve Internal Audit in fraud investigations. However, the Internal Auditor is not obliged to conduct fraud investigations or possess specialized expertise. Fraud investigations should ideally be conducted by a Certified Fraud Examiner (CFE).

Therefore, it is prudent for Internal Audit not to engage in the investigation of fraud, but to remain focused on its assurance role—ensuring the effectiveness of controls designed to detect and prevent fraud.

In conclusion, fraud is a threat to every organization, regardless of size, sector, or location. It is crucial to be equipped with a Fraud Response Plan and a system of internal controls that act both as deterrents and detection tools. The role of Internal Audit is to support the organization in fraud prevention and mitigation through deep knowledge and close monitoring of the Internal Control System, providing reasonable assurance of its effectiveness.
