not like being accused of wrongdoing, nor do they like being investigated for wrong-
doing. Auditors are constantly challenged and put on the defensive. It can result in a
situation that is perceived to have no long-term benefits, unless one uncovers all the
facts to convict someone or recover missing assets. Conversely, the satisfaction of
discovering incriminating facts can be enormous.
Since early on, internal auditors as well as external auditors have held that the de-
tection of fraud is not their responsibility. However, the external auditors had to ma-
terially change their views in April 1997 when Statement on Auditing Standard
(SAS) No. 82 was effected. SAS No. 82, “Consideration of Fraud in a Financial
Statement Audit,” recognizes that, while management is responsible for the preven-
tion and detection of fraud, auditors are responsible for minimizing the risk of fraud.
Auditors have to concern themselves with the control environment and the steps
taken to monitor that environment. They have to be skeptical. This essentially con-
forms to the role they are expected to assume in implementing the Committee on
Sponsoring Organizations (COSO) guidelines discussed below.
The IIA outlines the internal auditor’s responsibility for the detection of fraud in
their “Standards for the Professional Practice of Internal Auditing” as follows:
In conducting an audit assignment, the internal auditors’ responsibilities for detecting
fraud are to:(a) Have sufficient knowledge of fraud to be able to identify indicators that fraud may
have been committed. This knowledge includes the need to know the characteristics
of fraud, the techniques used to commit fraud, and the types of fraud associated with
the activities audited.
(b) Be alert to opportunities, such as control weaknesses, that could allow fraud. If sig-
nificant control weaknesses are detected, additional tests conducted by internal au-
ditors should include tests directed toward identification of other indicators of fraud.
Some examples of indicators are unauthorized transactions, override of controls, un-
explained pricing exemptions, and unusually large product losses. Internal auditors
should recognize that the presence of more than one indicator at any one time in-
creases the probability that fraud may have occurred.
(c) Evaluate the indicators that fraud may have been committed and decide whether any
further action is necessary or whether an investigation should be recommended.
(d) Notify the appropriate authorities within the organization if a determination is made
that there are sufficient indicators of the commission of a fraud to recommend an in-
vestigation.Internal auditors are not expected to have knowledge equivalent to that of a per-
son whose primary responsibility is detecting and investigating fraud. Also, audit
practices alone, even when carried out with due professional care, do not guarantee
that fraud will be detected.
During the twentieth century, the aspects of a “true profession” began to develop.
Auditors began to concentrate much more on management controls and preventive
measures rather than investigative techniques. The difference is simply that detective
measures assess after the fact, whereas preventive measures consider what are avail-
able alternatives to prevent that occurrence. There are a number of cost–benefit trade-
offs that auditors are expected to bring to bear when problems are identified. In early
times, auditors felt that they just had to identify problems without offering solutions.
That has changed. As members of the management team, auditors have learned to
help managers consider the alternatives.
32 • 6 INTERNAL AUDITING