Should Internal Audit Be Responsible for Detecting Fraud?

Norman Marks

Internal auditors love fraud: detecting it and investigating it. The majority of boards and top management expect internal auditors to dedicate a fair portion of their time to auditing for fraud and performing investigations as needed.

But should the internal audit department be responsible for detecting fraud? Should they allocate a large portion of their audit resources to engagements that focus on the risk of fraud or theft?

Responsibility for Fraud Detection

While I fully support internal audit involvement in investigating potential fraud, I would like to suggest that organizations need to rethink the role of internal audit in detecting fraud.

Management should be responsible for the system of internal controls, including the ability to prevent and, as necessary, detect potential theft and fraud. Internal audit should only take on any part of this management responsibility with the prior and formal approval of the audit committee. In such cases, the responsibility of internal audit should be limited (in my opinion) to a secondary role in detection while management remains responsible for the primary detection role and fully responsible for prevention.

What do I mean by a secondary role? Management should always be responsible for detection that can be performed in the normal course of business, as part of such functions as payroll, procurement, accounts payable and inventory management, where there is a greater likelihood of theft or fraud simply because of available liquid assets.

Internal audit can play a role where they are like the sweeper on a football team (soccer for Americans). They can use analytics and similar tools to sweep up any potential theft or fraud that has evaded the preventive and detective controls of management. If and when internal audit detects a fraud or theft, they should work with management to strengthen their defenses.

How much time should internal audit allocate to the detection of fraud?

In my opinion, the board and management should expect internal audit to allocate resources consistent with the risk of fraud or theft, while considering the "opportunity cost": what risk areas are they unable to address because of the time spent on fraud.

Where the risk of fraud is high, meaning that there is an unacceptable likelihood of a level of theft or fraud that would be significant to the operation of the business, internal audit should spend more time. But when there is very little likelihood of such a significant fraud or theft, it may well be appropriate to leave this area without internal audit detection in place.

It is important, when assessing fraud risk, to consider not only the immediate size of any loss of assets but also such factors as:

  • The potential for a theft or fraud to impact customers, such as when finished goods inventory meant for customers is stolen, or when raw materials necessary for manufacturing are taken
  • The potential for the fraud or theft to impact financial reporting
  • Whether undetected fraud or theft is likely to grow from small beginnings into something of significant impact to the business
  • The potential impact on employee morale and the culture of the organization

Internal audit can also contribute their expert knowledge by helping management with a fraud risk analysis. I prefer this to be a management responsibility, just as risk assessment in general is a management responsibility. But at some organizations internal audit may have more understanding and be more capable of performing the fraud risk assessment for management. The assessment should not be kept within internal audit, but shared with -- and owned by -- management so they can ensure the right preventive and front-line detective controls are in place.

I think many internal audit departments spend too much time on fraud detection when it should be a management responsibility. As a result, they are limiting their ability to address risks that are far more significant to the organization’s ability to surpass its objectives and create value.

What is your view?

About the author

Norman Marks

Norman Marks, CPA, CRMA is an evangelist for “better run business,” focusing on corporate governance, risk management, internal audit, enterprise performance, and the value of information. He is also a mentor to individuals and organizations around the world and the author of World-Class Risk Management, and he publishes regularly on his own blog.
