My journey to fraud awareness

What does fraud mean to internal auditors?

By Carla Hodge, DBA, CFE, CRMA

carla-hodge-80x80My Take: Views on the news

The views expressed here aren’t necessarily those of the ACFE, its executives or employees. — ed.



Internal audit management at many companies believe that the internal auditor’s role is not necessarily to be a fraud examiner, and they mistakenly use the Institute of Internal Auditor’s (IIA) definition of internal auditors to solidify this belief:   

Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objective by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance process. (IIA publication, “Internal Auditing: Assurance, Insight, and Objectivity” ) 

Years ago, when I began working as a new auditor, I read this definition and wondered why auditors still often brought up the topic of fraud in discussions. It seemed clear to me at the time that internal auditors weren’t required to conduct fraud examinations and analyses.  

However, as I began to build my career, I discovered that internal auditors actually in practice have a level of responsibility when it comes to fraud. I learned that the IIA has Attribute Standards, which provide guidance and expectations on what internal auditors should know and practice in their daily roles. 

IIA Attribute Standard 1220.A1 states that auditors, when performing internal audits with due professional care, should be aware of the “probability of significant errors, fraud, or noncompliance.” (Interestingly, the attribute originally included the word “irregularities” instead of “fraud.”)

An internal auditor, obviously, should know what fraud is so he or she can understand his or her responsibilities. The IIA defines fraud as: 

“Any illegal act characterized by deceit, concealment, or violation of trust. These acts are not dependent upon the application of threats of violence or physical force. Frauds are perpetrated by individuals and organizations to obtain money, property or services; to avoid payment or loss of services; or to secure personal business advantage.” 

“Black’s Law Dictionary” defines fraud as: “A knowing misrepresentation of the truth or concealment of a material fact to induce another to act to his or her detriment.” [“Black’s Law Dictionary, 8th Edition,” (2004), edited by Bran Garner] Consequently, as the ACFE says, “fraud includes any intentional or deliberate act to deprive another of property or money by guile, deception, or other unfair means.” 

Furthermore, IIA Standard 1210.A2 makes clear the expected responsibility of internal auditors concerning fraud: 

“Internal auditors must have sufficient knowledge to evaluate the risk of fraud and the manner in which it is managed by the organization, but are not expected to have the expertise of a person whose primary responsibility is detecting and investigating fraud.” 

This concept now seems very straightforward to me after my ACFE training and years on the job. However, I believe that many auditors still have no idea what fraud means or how to incorporate an understanding of fraud risks into their work. 


When I began as a bank internal auditor, more than 10 years ago, I had no concept of fraud or what was expected of me in identifying it. I became close friends with Kathy, an investigator in the bank’s security department. I assumed that one of the functions of the that department was to detect fraud; however, as I got to know Kathy I realized that she and her colleagues didn’t actively look for fraud but were relying on others to tell them about possible fraud cases. 

After the security department would receive a tip, they’d use documentation compiled by other staff members to conduct investigations, which mainly consisted of interviews and data inspection. Kathy had no financial or accounting acumen, so she couldn’t detect irregularities in financial records; she left that to others, such as internal auditors. 

I frequently sat in on her interviews with employees so that I could tie their stories to the numbers. Kathy was very good at her job and would often get confessions, but then I would have to conduct research to gather evidence against the fraudster. After listening to several employees’ interviews, it occurred to me that the crimes they committed could have been detected much earlier, based on irregularities in financial and operational records, that the internal audit department reviewed as a part of its daily operations. Yet, for some reason, we weren’t finding these irregularities before a perpetuated fraud grew to be a significant loss to the bank. 

I later started working with Kathy’s counterpart, who was an ex-FBI agent, and he too had no clue of the financial aspect of fraud or detection indications. Although these two investigators were well versed in the operational investigation side of fraud, they needed someone to link the two together, and that became my role. We made a good team, but we formed the team, not the company. Although the security department had been in operation long before my friendship with Kathy, the department had never created any real partnerships among anyone in accounting, finance or auditing that could help link the discovery of irregularities and a subsequent investigation.  

The experience of working on impromptu cases with Kathy taught me an awareness of fraud that most junior auditors don’t have today — an awareness that I may not have gained either if not for the working relationship I just happened to have stumbled into (or my eventual exposure to anti-fraud concepts via the ACFE). Auditors convince themselves, based on a faulty reading of IIA standards, that they just need some level of awareness, and because that level isn’t defined, they believe that they have enough. However, many would argue that this is a flawed thought process and may result in good auditors who mean well but miss huge fraud indicators. My collaboration with security personnel illustrated part of the essence of the Certified Fraud Examiner — the necessity for not just being an auditor but an investigator who knows the ins and outs of schemes, how to detect (and deter them) plus the  

For full access to story, members may sign in here.

Not a member? Click here to Join Now. Or Click here to sign up for a FREE TRIAL.