With cyber fraud risk on the rise, internal auditors need to take action. Even though cyber fraud internal controls and cyber fraud detection tools may already be used by IT, internal audit leaders can still help with cyber fraud risk management.
Due to increased fraud risks, 36% of internal auditors say they’ve put more resources into internal controls, and 29% have done so for data analytics, according to a global survey by The Internal Audit Foundation, The Institute of Internal Auditors (IIA), and Kroll.
“As companies increase investments in new technologies, it’s clear that when the independent internal audit function is actively providing assurances of internal controls and risk management systems, the impact of fraud is reduced,” notes Anthony Pugliese, president and CEO of The IIA, in an IIA press release.
In this article, we’ll take a closer look at some of the steps internal audit departments can take to reduce cyber fraud risk. From working with other departments on fraud risk assessment to leveraging data analytics tools that can test full data sets, there’s a lot that internal auditors can do.
Assess the risk landscape
One of the first steps for internal auditors looking to improve fraud internal controls and reduce overall risk is to better understand what threats exist. Depending on what you identify as the top threats and weak spots, the action plan might look different.
By collaborating with other departments, such as enterprise risk management, and conducting activities like IT audits, you might identify that your organization has been facing more phishing attacks. Or, maybe your organization hasn’t identified actual cyber-attack attempts, but you're facing an increased risk due to employees using their own devices more. Speaking with other department leaders about employee practices could reveal insights like these.
Whatever the case may be, it’s good to get a lay of the land and even begin to think about new threats that could occur in the future so that you can be more prepared. If you want to secure a budget from senior management to implement new fraud monitoring systems or fraud prevention services, for example, before cyber criminals attack, then it’s important to articulate what these risks look like ahead of time.
Add and review internal controls
Once you have a better sense of the cyber risk landscape, you can add and review internal controls that can prevent fraud or at least reduce fraud activity. Internal auditors might work with finance or accounting teams to establish enhanced financial reporting protocols and approval processes. That way, if an attacker targets a vendor in order to get an employee to transfer funds to the attacker or release sensitive information like tax documents, a more thorough review process might identify that the activity shouldn’t occur.
In 2018, the Securities and Exchange Commission (SEC) released a report about this type of threat, known as business email compromise, predicting a corresponding increase in the need for strong internal controls.
“Given the prevalence and continued expansion of these attacks, issuers should be mindful of the risks that cyber-related frauds pose and consider, as appropriate, whether their internal accounting control systems are sufficient to provide reasonable assurances in safeguarding their assets from these risks,” notes the SEC.
Use data analytics
Another way to reduce cyber fraud risk is to use data analytics. Manually reviewing every transaction, every access log, etc., can stretch internal audit teams too thin. But data analytics tools like TeamMate Analytics make it possible to test full data sets, rather than relying on sampling, to help spot fraud. Reducing manual processes also makes continuous auditing more feasible, allowing internal auditors to stay on top of new threats as they emerge, as cybercrime can evolve quickly.
Data analytics tools also simplify and streamline reporting. So, when internal auditors need to present cyber fraud risks to boards and senior management, or communicate with external auditors, being able to easily share analytics insights can help everyone get on the same page.
Although cyber fraud risk is prevalent, taking these actions enables internal auditors to improve fraud awareness within their organizations. Doing so reduces the chances of fraud occurring in the first place and can also reduce the impact of fraud losses if and when they occur.