Internal audits or reviews

Conduct internal audits or reviews to evaluate and improve the effectiveness of risk management, control and governance processes.

This control targets both internal and external fraud risks.

Examples

Examples of this control include:

A lack of regular audits or reviews of activities can lead to:

clients, employees, or contractors taking advantage of weaknesses in programmes and systems to commit fraud, act corruptly and avoid exposure
reduced levels of compliance and increased errors due to inconsistent and unclear processes, rules and decision making
fraudsters more easily committing fraud, due to inconsistent practices and processes being in place, and no fear of being exposed or prosecuted
less transparency over the actions and decisions of employees and third parties
increased opportunities for employees or contractors to take advantage of positions of trust to act corruptly, commit fraud and avoid exposure
decreased ability to detect and respond to fraud or corrupt activity
decreased accountability to prevent, detect and respond to fraud and corruption
reduced ability to detect systemic fraud or corruption.

Methods to evaluate the effectiveness of this control include:

reviewing the outcomes of audits or reviews
confirming that audits or reviews are carried out
checking that audits or reviews are performed regularly
confirming that the scope of audits or reviews consider fraud risks and controls
confirming that audits or reviews are independent, completed by qualified persons and are resilient to corrupting influences
checking what other reporting occurs, e.g. executive reviews of reports during committee meetings.

Other capability, prevention, detection and response controls that can enhance this control’s effectiveness:

Types of behaviour this control is designed to mitigate:

Explore a range of controls that can be put in place to reduce the risk of fraud happening in your organisation.