In my current CAE role I also have responsibility for counter fraud. This is not unusual. Lots of CAEs have this role and remit. Yet does my professional training prepare me for this work? Is it a sensible fit? Having done this now for three years I think that it is, but that my preparation and ongoing support for it have been lacking.
First, I think that the counter fraud world does not have the same professional rigour and maturity as internal audit. There are some helpful and useful qualifications, for example the ACFE (though the law component is heavily US based and less helpful in an international context). There aren’t the professional standards and maturity of quality assurance processes or body of established best practice that internal audit has.
I think the real world of practice is somewhat less defined than internal audit. So counter fraud functions can vary significantly in scope, remit and quality. A lot is driven by the nature of the counter fraud task and whether the host organisation is a prosecutorial authority. Where the organisation is, the legal requirements tend to drive the form and nature of the counter fraud function.
I also think there is a lack of an obvious talent, career and training structure for counter fraud professionals. This allows quite a lot of charlatanism, with the ‘secret squirrel’ people hiding their lack of clarity about their role behind faux confidentiality requirements (in my view counter fraud work needs to emerge from the organisational shadows and be seen as a more mainstream part of organisational ecosystems). So it is difficult to identify what good talent looks like and to measure, accredit and reward it.
There is the perennial issue of second and third line responsibility. The three lines model was conceptualised for audit and assurance, and maps awkwardly to counter fraud work. Counter fraud investigations work is clearly best done in the third line – whistleblowing at its heart is meant to be independent of management (for that’s who whistleblowers are either directly or indirectly complaining about). That’s why this strand of work is, in my view, not just a bedfellow of internal audit (as an independent part of the organisation) but an integral part of it. There is a need for a second line function to set policy and take risk decisions for countering fraud and to make the first and second lines collectively counter fraud. Yet the problem is that all of the professional structure, discipline, career training paths, and data sit inside the third line function. Lots of organisations have directors of risk and assurance who straddle both the semi-independent second line functions and independent third line functions. Here the three lines model starts to intellectually break down and lose its clarity and coherence. For how independent is the third line in this model?
Then there are the practical elements of the counter fraud function. What skills do you need? Well, an understanding of risk, governance, audit, forensic work, finance, assurance etc. These are (or should be) found within a good internal audit function. Yet counter-fraud-only professionals, with their detailed, bottom-up mindset, lack the necessary grip of systems, processes, controls, assurance and governance to deliver two of the three core elements of counter fraud work – proactive investigations on a risk basis and fraud assurance to prevent reoccurrence. Here internal audit skills score highly. For the record, internal audit staff also lack the scepticism, detail focus, analytics and bottom-up skills that counter fraud professionals have.
So there is a real challenge here about counter fraud. Outside of those organisations that have law enforcement as their core task, the clarity of this role breaks down. I think therefore this space is nationally and internationally up for some work, some clearer and better thinking through what excellence in terms of delivery looks like. I do think the international space has set out some good markers. The World Bank has invested a significant sum of money in an independent counter fraud function. This has significant resources and headcount, but does not map well across other compliance and assurance functions as a result – for example with internal audit or legal. Most UN agencies and multilateral agencies vest counter fraud alongside internal audit in one inspector general model. This feels right, and is mirrored in my organisation, under me.
So why does it feel right? Well, it means that counter fraud work is fully independent of management, yet is within the organisation to be able to support and engage with it. It ensures that risk management decisions are made within the management chain (or if appropriate governance chain). It also brings to bear (or has the potential to bring to bear) the counter fraud and internal audit mindsets and creates a discipline and career structure to the counter fraud activities, not previously open to it.
So then if I as a CAE, and many others like me, take on this counter fraud role, is it about time the IIA globally begins to think about this more carefully and adopt this activity? I think so. Not just so that CAEs like me can have some structure and standards to apply to this work, but so that the work itself has a home to look to in terms of training, career and professional support.