Page 590 - ITGC_Audit Guides

GTAG — Introduction

1. Introduction

The objective of this chapter is to present the fraud-related standards published in The IIA’s International Professional Practices Framework (IPPF). The chapter also defines fraud and provides an overview of the ways in which technology can be implemented to improve fraud prevention and detection.

1.1 Definition of Fraud

Fraud encompasses a wide range of irregularities and illegal acts characterized by intentional deception or misrepresentation. The IIA’s IPPF defines fraud as:

“… any illegal act characterized by deceit, concealment, or violation of trust. These acts are not dependent upon the threat of violence or physical force. Frauds are perpetrated by parties and organizations to obtain money, property, or services; to avoid payment or loss of services; or to secure personal or business advantage.”

This broad definition of fraud accommodates the fraud risks, exposures, and threats encountered within IT departments as well as frauds enabled by the use of technology.

1.2 The IIA’s Fraud-related Standards

As noted in The IIA’s Practice Guide, Internal Auditing and Fraud, The IIA has included standards that directly relate to fraud within the IPPF. The following standards cover internal auditors’ roles and responsibilities pertaining to fraud within an organization.

1210.A2 — Internal auditors must have sufficient knowledge to evaluate the risk of fraud and the manner in which it is managed by the organization, but are not expected to have the expertise of a person whose primary responsibility is detecting and investigating fraud.

1220.A1 — Internal auditors must exercise due professional care by considering the:
• Extent of work needed to achieve the engagement’s objectives.
• Relative complexity, materiality, or significance of matters to which assurance procedures are applied.
• Adequacy and effectiveness of governance, risk management, and control processes.
• Probability of significant errors, fraud, or noncompliance.
• Cost of assurance in relation to potential benefits.

2060 — Reporting to Senior Management and the Board — The chief audit executive (CAE) must report periodically to senior management and the board on the internal audit activity’s purpose, authority, responsibility, and performance relative to its plan. Reporting must also include significant risk exposures and control issues, including fraud risks, governance issues, and other matters needed or requested by senior management and the board.

2120.A2 — The internal audit activity must evaluate the potential for the occurrence of fraud and the manner in which the organization manages fraud risk.

2210.A2 — The internal auditors must consider the probability of significant errors, fraud, noncompliance, and other exposures when developing the engagement objectives.

1.3 Using Technology to Prevent and Detect Fraud

Advances in technology increasingly are allowing organizations to implement automated controls to help prevent and detect fraud. Technology also allows organizations to move from static or periodic fraud monitoring techniques, such as detective controls, to continuous, real-time fraud monitoring techniques that offer the benefit of actually preventing fraud from occurring. This GTAG describes both periodic and continuous monitoring techniques. Numerous advanced analytical software packages are now available to assist in data analysis. This GTAG addresses techniques in general, and does not endorse any specific platform.

Computer forensic technology and software packages are available to assist in the investigation of fraud — where computers are used to facilitate the fraud — or to identify red flags of potential fraud. Computer forensics is an investigative discipline that includes the preservation, identification, extraction, and documentation of computer hardware and data for evidentiary purposes and root cause analysis. Examples of computer forensic activities include:
• Recovering deleted e-mails.
• Monitoring e-mails for indicators of potential fraud.
• Performing investigations after terminations of employment.
• Recovering evidence after formatting a hard drive.

Computer forensic activities help establish and maintain a continuing chain of custody, which is critical in determining admissibility of evidence in courts. Although the CAE and internal auditors are not expected to be experts in this area, the CAE should have a general understanding of the benefits this technology provides so that he or she may engage appropriate experts, as necessary, for assistance with a fraud investigation.
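The chain of custody described above is, in practice, a log in which every handoff of an evidence item is tied to a cryptographic hash taken at acquisition. The following is an added illustration, not part of the GTAG: a minimal custody record that seals an item with SHA-256 when it is acquired, re-hashes it at each transfer, and reports the chain as broken if the hash drifts, a custodian is skipped, or time runs backwards. Item ids, custodian names and the evidence bytes are constructed sample values.

```python
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timedelta

@dataclass
class CustodyEvent:
    when: datetime
    from_custodian: str
    to_custodian: str
    sha256: str          # hash of the item as verified by the receiver at this handoff
    note: str = ""

@dataclass
class EvidenceRecord:
    item_id: str
    description: str
    acquisition_hash: str            # reference hash; every later check compares to it
    events: list = field(default_factory=list)

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def acquire(item_id, description, data, custodian, when):
    """Seal the item at acquisition (e.g. right after imaging a drive)."""
    rec = EvidenceRecord(item_id, description, sha256_hex(data))
    rec.events.append(CustodyEvent(when, "acquisition", custodian, rec.acquisition_hash, "imaged"))
    return rec

def transfer(rec, data, from_custodian, to_custodian, when, note=""):
    """Record a handoff; the receiver hashes what they actually received, not what was claimed."""
    rec.events.append(CustodyEvent(when, from_custodian, to_custodian, sha256_hex(data), note))

def chain_intact(rec) -> bool:
    """True only if the hash never drifts, custody is continuous and timestamps move forward."""
    prev = None
    for ev in rec.events:
        if ev.sha256 != rec.acquisition_hash:
            return False                      # item altered (or wrong item) since acquisition
        if prev is not None and (ev.from_custodian != prev.to_custodian or ev.when < prev.when):
            return False                      # gap in custody or impossible ordering
        prev = ev
    return bool(rec.events)                   # an empty record proves nothing

# Constructed sample evidence standing in for a disk image or mailbox export.
IMAGE = b"constructed-sample-evidence-image\x00" * 64
T0 = datetime(2024, 1, 15, 9, 0)

def demo_chain(tamper=False, skip_handoff=False):
    rec = acquire("EV-001", "constructed laptop image", IMAGE, "examiner_a", T0)
    transfer(rec, IMAGE, "examiner_a", "evidence_locker", T0 + timedelta(hours=2), "sealed bag")
    data = IMAGE + b"X" if tamper else IMAGE          # simulate alteration between handoffs
    sender = "examiner_a" if skip_handoff else "evidence_locker"   # simulate an undocumented step
    transfer(rec, data, sender, "examiner_b", T0 + timedelta(days=1), "checked out for analysis")
    return chain_intact(rec)
```

Real examiners record the same facts on paper or in case-management tooling; the point is that each link is verifiable against the acquisition hash rather than against the previous custodian's word.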