The new IIA (Institute of Internal Auditors) Global Internal Audit Standards place a significant emphasis on internal auditors actively assessing and mitigating fraud risk within an organization, requiring them to take a more proactive approach to fraud detection and incorporate a deeper understanding of potential fraud schemes into their audit planning and execution.
So, how does one obtain the knowledge to incorporate a deeper understanding of fraud schemes? I’d like to introduce the concept of fraud risk intelligence. One is not born with an understanding of fraud risk. It can only be obtained by the study of fraud risk in the real world.
As you know, I always search the internet as part of writing a blog post. So, before you read the remainder of this blog, I ask you to search the internet for the following phrase: “deeper understanding of potential fraud schemes”. What did you find?
In my search, I found two documents that I thought we should discuss.
1. CFE Magazine, an article entitled ‘A deeper understanding of occupational fraud,’ written by John Warren, JD, CFE. July 2024
2. A practice guide issued by the IIA entitled Engagement Planning: Assessing Fraud Risks. 2017
The title of Mr. Warren’s article caught my attention, which, of course, is what writers hope to achieve. However, at first, I was disappointed with the article because it was not what I was looking for. Then I began to reflect on the article and realized it was not about fraud risk per se, but rather about understanding fraud as a cost of doing business and how to manage fraud risk. This is important because I believe that most managers believe fraud occurs, but that it occurs in other companies. The article has catchy subheads, such as “Fraudsters: behavior gives us clues if we know what to look for” and “Red-Flag data can teach employees what fraud behavior looks like.” It is all about creating fraud awareness, which is critical in the prevention of fraud. Please read the article.
My second finding, the practice guide entitled Engagement Planning: Assessing Fraud Risks, lays out a process for assessing fraud. The executive summary states:
- Gather information to understand the purpose and context of the engagement, as well as the governance, risk management, and controls relevant to the area or process under review.
- Brainstorm fraud scenarios to identify potential fraud risks.
- Assess the identified fraud risks to determine which risks require further evaluation during the engagement.
I am excited that the IIA has issued a document on assessing fraud risk. It indicates to me that our profession is moving one step closer to incorporating fraud risk as a core competency. I should note, however, that the document is copyright 2017. A lot has changed in the profession since then.
Now, you should know that I struggled to write the next sentence. In my opinion, the explanation of fraud risk in the guide is at a basic level. It does not illustrate the concept of a deeper understanding. For instance, it says:
“Fictitious vendors are set up in the system, resulting in fraudulent payments.”
I am sorry, this is not a deeper understanding. A deeper understanding would discuss the different types of fictitious vendors, such as created, assumed, shell companies, shelf companies, etc. For the fraudulent payments, it would discuss the difference between a false billing scheme and a pass-through scheme. It would recognize the difference between direct access and indirect access to setting up a vendor.
When the IIA says auditors should have a deeper understanding of fraud risk, I was hoping the practice guide would at least illustrate or provide good examples of what a “deeper understanding” would look like. With that said, as an internal auditor, you should still read this document. It is necessary to achieve basic core competence.
So, how does this all relate to a deeper understanding of potential fraud schemes? It is my belief that professional skepticism should be changed to Educated Professional Skepticism.
- Knowledge through study, what I call the science of fraud risk assessment and fraud prevention
- Knowledge through experience, what I call the art of fraud risk assessment and fraud prevention
My recommendation to all CAEs is to invest in fraud risk intelligence through the study of the science of fraud risk management. This science is the foundation of the art of fraud risk intelligence.
Fraud Trivia
Last month's answers:
Which male actor portrayed a woman in order to obtain a job? Dustin Hoffman in Tootsie
Which male actor portrayed a woman in order to see his children? Robin Williams in Mrs. Doubtfire
Which film star plays a singer who achieves fame by pretending to be a man pretending to be a woman? Crazy huh! Julie Andrews in Victor/Victoria
In the risqué role that sexed up her most commercially successful film, this woman is all sparkle and sizzle, forever popularizing her title character as history’s foremost femme fatale. Greta Garbo in Mata Hari (1931)
One of the great characters in film and literature may be cinema's foremost imposter. Portrayed by numerous Oscar-winning actors, the most well-known adaptation of the Patricia Highsmith character is Thomas Ripley
Because he is a classic, he cannot be left off the list. He now works for the FBI. He was portrayed by Leonardo DiCaprio. Frank Abagnale.
This month's trivia
Feedzai recently released its 2025 AI Trends in Fraud and Financial Crime Prevention report, uncovering how generative AI (GenAI) is used in financial fraud.
1. XX% of the financial institutions surveyed indicate that fraudsters use generative AI. And what XX% noted that they do not see GenAI being used by criminals?
2. According to the report, XX% of financial professionals say that deepfakes are used in fraudulent schemes. XX% report that fraudsters are using social engineering, a set of manipulative tactics that exploit human psychology and trick individuals into revealing sensitive information.
3. Fraudsters are also utilizing voice cloning techniques, with XX% of professionals recognizing this as a major concern, followed by XX% citing SMS and phishing scams powered by AI to deceive victims.
4. Can you name some of the more common techniques for account takeover?