The risk of relying on auditors to find fraud

Kick-back schemes, corrupt employees, and violations of your Code of Conduct are all risks facing businesses every day. To combat these threats, companies often rely on auditors to protect them. But are auditors really the answer?

There may be more reliable resources for finding, investigating and advising companies on fraud, misconduct and other organizational risks. The Association of Certified Fraud Examiners found in 2018 that 53 percent of occupational fraud is detected by employees, compared with internal and external audits, which identified fraud only 15 percent and 4 percent of the time, respectively.

Auditors will tell you they are not generally in the business of uncovering fraud. Although they play an important role in organizations and are tasked with determining the accuracy of financial statements, much fraud, like kickback schemes, occurs “off-the-books.” Additionally, the primary resources used by auditors when reviewing an organization’s activities are commonly provided by the client. Think financial records, physical inventory and other data.

Finding Risk When Auditors Can’t

Risk management professionals possess different skill sets and experience than auditors. Within the profession, there are many different layers of experience, such as former state and federal prosecutors, former law enforcement professionals, lawyers, computer experts, forensic accountants and researchers. All of these individuals are highly skilled and trained in investigations that identify and resolve complex problems reported through hotline reports and employee communications. They specifically focus on preventing, finding and resolving fraud and other misconduct.

Risk professionals, moreover, often rely on outside information in conjunction with internal information to resolve issues. These sources include but are not limited to local boots-on-the-ground resources, interviews, government records and local media and databases.

Some advantages in using risk management professionals include:

Analyzing whether the prices and figures match: Many schemes today are off-the-books and can only be discovered through alternative means, including speaking to third parties outside the organization. Although everything on paper may add up (for example, the dollar amount on an invoice may match the dollar amount on a check), the inquiry and analysis should not stop there. Often one must look beyond the figures to discover the actual fraud and depth of misconduct.

Vendors may be charging companies two or three times the market rates as part of a kickback scheme, yet the books might appear to be legitimate. Determining actual market rates often requires speaking personally with local manufacturers, visiting sites and assessing the histories of the vendors.

A shell game: Shell companies are formed in minutes, and a cursory review of the Panama Papers shows how these entities are used to defraud others. Failure to perform due diligence is often the flaw in the internal control process, and site visits are often the only means available to assess whether a company is real or a fake. The audit process typically does not utilize site visits or other extensive field research to assess whether one or five hundred shell companies are defrauding a client.

It is for these reasons that it is important to use the right resource to ferret out fraud. Unless specifically requested to perform a forensic audit to look for fraud, an audit performed by an auditor in the ordinary course of business is unlikely to uncover such misconduct. It is the risk management professional, on the other hand, who is focused on these issues and trained to investigate, assess and advise on fraud, misconduct and other breaches.


Jeffrey M. Klink, pictured above left, is the President and CEO of KLINK, an international business intelligence network that is dedicated to helping organizations avoid the pitfalls of fraud, fiction and phantoms by taking guesswork out of the equation. The firm works in more than 100 countries every year, and has special expertise in China, Russia, India, and throughout Africa.

Tracy Pastrick, above right, is a Vice President and General Counsel at KLINK. She has audited organizations’ governance programs in order to assure compliance with the FCPA and the UK Bribery Act, focusing upon training, audit, due diligence, supply-chain, and communications.

  1. A SME on Fraud schemes is always welcome. If no SME resource and the internal auditors are the second and third lines of defense, they could use the concepts of “Fraud Pentagon”, starting with opportunity, the fundamental leg of "Fraud Pentagon". Opportunity is created in the absence of effective internal controls and risk assessment, including due diligence on third parties. Then, the other concepts’ evaluation: pressure, rationalization, ability and risk disposition of the fraudster in the context of the organization.

  2. I fear the authors miss the mark on what an Internal Auditor does in this post.

    Let's unpack this a bit:
    "Auditors will tell you they are not generally in the business of uncovering fraud." – YES, this is true. HOWEVER, the Internal Audit profession has standards (The International Professional Practices Framework or 'IPPF') which require the consideration of fraud in every audit.

    "Although they play an important role in organizations and are tasked with determining the accuracy of financial statements, much fraud, like kickback schemes, occurs “off-the-books.”" – This is an inaccurate take on the Internal Audit profession's role in the organization. Internal Auditors review far more than financial statements. Indeed, that's the smallest part of their work plan, if at all. That's why the company has an external audit firm engaged. Internal Auditors are not required to be fraud experts, nor should they go 'looking for fraud' in their work (unless there is a reason to believe fraud is occurring or in an inherently high fraud risk area).

    "Additionally, the primary resources used by auditors when reviewing an organization’s activities are commonly provided by the client. Think financial records, physical inventory and other data." – This is simply not true. The Internal Audit function, with a charter from the Board of Directors, has full and unfettered access to all company documents and systems. While they may rely on the local management team to help them gain access and review documents, they certainly have to perform work to ensure that the content is complete and accurate.

    The authors question whether auditors are the right answer for review of corruption, culture, Code of Conduct reviews, etc. Those topics and other related matters are all integral to a robust annual audit plan. It IS the internal audit function's role to provide reasonable assurance to the Board of Directors that those areas are designed and operating effectively.

    I am disappointed to see that the internal audit profession and their role in rooting out fraud, assessing the fraud control environment, and working on investigations is so easily dismissed in this post. Yes, risk management professionals have a role to play, but Internal Audit is where all good (publicly-traded) companies start. They are, after all, most familiar with the company's org structure, policies, systems, and practices. They are where all good anti-fraud work begins.

  3. Difficult to agree. There is almost no risk when one relies on fraud auditors, or compliance/ethics auditors. If we speak about the audit of financial statements then yes, the likelihood of establishing ABC fraud is less; however, the likelihood of discovering the asset misappropriation schemes is higher.

  4. Thanks for the opportunity to talk about this topic. As a member of the board of one of the Institute of Internal Auditors Affiliates, I must say that here there is a misunderstanding of the real concept of Internal Audit activity. I agree that finding fraud is not the main objective of internal auditors, but as part of the International Standards, every Internal Auditor must include the analysis of this risk in all the levels of the organization. The Internal Audit activity is based on a Risk Management approach, and the internal auditor needs to coordinate with Risk management professionals, they can't work divorced.

    As many other Internal Auditors, I disagree with some of the statements included in this article, and would suggest that this kind of topics must be analyzed with an Institute of Internal Auditors representative in order to complement the understanding of the Internal Auditor responsibilities in a Company, avoiding any incorrect or incomplete statement.

