How can internal auditors manage cyber fraud risk?

Assess the risk landscape

One of the first steps for internal auditors looking to improve fraud internal controls and reduce overall risk is to better understand what threats exist. Depending on what you identify as the top threats and weak spots, the action plan might look different.

By collaborating with other departments, such as enterprise risk management, and conducting activities like IT audits, you might identify that your organization has been facing more phishing attacks. Or, maybe your organization hasn’t identified actual cyber-attack attempts, but you're facing an increased risk due to employees using their own devices more. Speaking with other department leaders about employee practices could reveal insights like these.

Whatever the case may be, it’s good to get a lay of the land and even begin to think about new threats that could occur in the future so that you can be more prepared. If you want to secure a budget from senior management to implement new fraud monitoring systems or fraud prevention services, for example, before cyber criminals attack, then it’s important to articulate what these risks look like ahead of time.

Add and review internal controls

Once you have a better sense of the cyber risk landscape, you can add and review internal controls that can prevent fraud or at least reduce fraud activity. Internal auditors might work with finance or accounting teams to establish enhanced financial reporting protocols and approval processes. That way, if a cyber threat targets a vendor to get an employee to transfer funds to them or release sensitive information like tax documents, then a more thorough review process might identify that the activity shouldn’t occur.

In 2018, the Securities and Exchange Commission (SEC) released a report about this type of threat, known as business email compromise, predicting the increased corresponding need for strong internal controls.

“Given the prevalence and continued expansion of these attacks, issuers should be mindful of the risks that cyber-related frauds pose and consider, as appropriate, whether their internal accounting control systems are sufficient to provide reasonable assurances in safeguarding their assets from these risks,” notes the SEC.

Use data analytics

Another way to reduce cyber fraud risk is to use data analytics. Manually reviewing every transaction, every access log, etc., can stretch internal audit teams too thin. But data analytics tools like TeamMate Analytics make it possible to test full data sets, rather than relying on sampling, to help spot fraud. Reducing manual processes also makes continuous auditing more feasible, allowing internal auditors to stay on top of new threats as they emerge, as cybercrime can evolve quickly.

Data analytics tools also simplify and streamline reporting. So, when internal auditors need to present cyber fraud risks to boards and senior management, or communicate with external auditors, being able to easily share analytics insights can help everyone get on the same page.

Although cyber fraud risk is prevalent, taking these actions enables internal auditors to improve fraud awareness within their organizations. Doing so reduces the chances of fraud occurring in the first place, as well as potentially reduces the impact of fraud losses if and when they occur.