The internal audit activity must evaluate the potential for the occurrence of fraud and how the organization manages fraud risk. (Source: The IIA)

All organizations are subject to fraud risks. Good governance principles demand that an organization’s board of directors, or equivalent oversight body, ensure overall high ethical behavior in the organization, regardless of its status as public, private, government, or not-for-profit; its relative size; or its industry. The board’s role is critically important because historically most major frauds are perpetrated by senior management in collusion with other employees. Vigilant handling of fraud cases within an organization sends clear signals to the public, stakeholders, and regulators about the board and management’s attitude toward fraud risks and about the organization’s fraud risk tolerance. In addition to the board, personnel at all levels of the organization — including every level of management, staff, and internal auditors, as well as the organization’s external auditors — have responsibility for dealing with fraud risk. Particularly, they are expected to explain how the organization is responding to heightened regulations, as well as public and stakeholder scrutiny; what form of fraud risk management program the organization has in place; how it identifies fraud risks; what it is doing to better prevent fraud, or at least detect it sooner; and what process is in place to investigate fraud and take corrective action.

Definition of Fraud – The IIA:

Any illegal act characterized by deceit, concealment, or violation of trust. These acts are not dependent upon the threat of violence or physical force. Frauds are perpetrated by parties and organizations to obtain money, property, or services; to avoid payment or loss of services; or to secure personal or business advantage.

Definition of Fraud - Black’s Law Dictionary:

A knowing misrepresentation of the truth or concealment of a material fact to induce another to act to his or her detriment.

Definition of Fraud - The ACFE:

Fraud includes any intentional or deliberate act to deprive another of property or money by guile, deception, or other unfair means.

Internal fraud, also called occupational fraud, can be defined as: “the use of one’s occupation for personal enrichment through the deliberate misuse or misapplication of the organization’s resources or assets.” Simply stated, this type of fraud occurs when an employee, manager, or executive commits fraud against his or her employer.

External fraud against [an organization] … covers a broad range of schemes. Dishonest vendors might engage in bid-rigging schemes, bill the company for goods or services not provided, or demand bribes from employees. Likewise, dishonest customers might submit bad checks or falsified account information for payment, or might attempt to return stolen or knock-off products for a refund. In addition, organizations also face threats of security breaches and thefts of intellectual property perpetrated by unknown third parties. Other examples of frauds committed by external third-parties include hacking, theft of proprietary information, tax fraud, bankruptcy fraud, insurance fraud, healthcare fraud, and loan fraud.

In a Nutshell:

Fraud occurs all around us and, because concealment is in its very nature, is very difficult to detect at the onset. Over time, a perpetrator’s actions can become more transparent through attention to trends, KPIs and financial variations, the growing size of the fraud, and behaviors.

Some fraudulent schemes start out small and grow over time, either to cover past tracks through layering or because of the growing appetite and comfort of the perpetrator[s], or both. Other schemes remain small and level over a very long time, but the accumulation of individual losses can become significant.

Collusion is two or more individuals coordinating a fraudulent scheme and is more difficult to detect.

The responsibility for establishing and maintaining control over fraud rests with University administration. Internal audit functions are not responsible for detecting fraud, but are responsible for considering fraud risk and University administration’s controls over fraud.

Managing the Business Risk of Fraud: A Practical Guide, The Institute of Internal Auditors, The American Institute of Certified Public Accountants, Association of Certified Fraud Examiners.

Refer to The Committee of Sponsoring Organizations of the Treadway Commission’s (COSO’s) 1999 analysis of cases of fraudulent financial statements investigated by the U.S. Securities and Exchange Commission (SEC).

Refer to June 2007 SEC Commission Guidance Regarding Management’s Report on Internal Control Over Financial Reporting Under Section 13(a) or 15(d) of the Securities Exchange Act of 1934 and U.S. Public Company Accounting Oversight Board (PCAOB) Auditing Standard No. 5 (AS5), An Audit of Internal Control Over Financial Reporting That Is Integrated With an Audit of Financial Statements, for comments on fraud responsibilities.