FACTA UNIVERSITATIS  
Series: Economics and Organization Vol. 12, N

o
 4, 2015, pp. 297 - 309 

CONTRIBUTION OF INTERNAL AUDIT  

IN THE FIGHT AGAINST FRAUD   

UDC 343.53:657.6 

Milica Đorđević, Tadija Đukić 

Faculty of Economics, University of Niš, Serbia 

Abstract. The constant increase in the volume of fraud, which leaves devastating effects 

on business performance, causes a significant preoccupation of enterprises with this 

problem. Being aware of the fact that the establishment of an adequate fraud risk 

management process is necessity, enterprises are increasingly basing the effectiveness 

of the mentioned process on the potentials of internal audit. Bearing in mind that 

internal audit does not have the primary responsibility to prevent and detect fraud, its 

integration in fraud risk management process represents a new challenge for this 

function. In the paper, authors initially point out the factors that determine the ability of 

the internal audit to fight against fraud, then the contribution that this function can 

provide in its prevention, detection and investigation. 

Key words: Internal audit, fraud risk management, fraud prevention, fraud detection, 

fraud investigation. 

INTRODUCTION 

Frauds stand for the risk that no company can fully eliminate. Aware of this, 

companies are making significant efforts to establish an effective fraud risk management 

process, in order to minimize and mitigate its multiple negative consequences. In addition 

to defining the roles and responsibilities of the audit board, management, and committee, 

as primarily responsible participants in this process, companies increasingly rely on the 

strength of internal audit. 

Increased expectations from internal audit in the fight against fraud arise from the fact 

that it is a function which, focused on creating added value for the company, knows all its 

processes and activities. Indeed, through the proper implementation of its tasks and 

activities, internal audit can actually greatly contribute to the prevention and detection of 

fraud. However, it often happens that internal audit is given the responsibilities which it 

does not have and cannot have. In addition, professional regulations covering internal 

                                                           
Received October 20, 2015 / Accepted December 29, 2015 

Corresponding author: Milica Đorđević 

Faculty of Economics, University of Niš, Serbia 
E-mail: milica.djordjevic@eknfak.ni.ac.rs 



298 M. ĐORĐEVIĆ, T. ĐUKIĆ 

audit provide for the liability of internal auditors to detect the risk of fraud which the 

company is exposed to, as well as the way in which the company manages these risks, but 

do not specify the tasks of internal audit in this process. 
Possibilities and expectations from internal audit as regards effective defence of the 

company against fraud, on the one hand, and insufficiently precise regulation of its 
responsibilities in this part, on the other hand, are the reason for reviewing the scope of 
internal audit in this area. What are the conditions under which the internal audit provides 
support and security to the board of directors and management that the likelihood of fraud 
is minimized and is internal audit up to this challenge are the questions whose answers 
affect the further development of this profession in the field of fraud risk management. 

1. RISKS OF FRAUD IN COMPANIES’ OPERATIONS 

Fraud is not a recent phenomenon. Even the earliest human history recorded cases of 
using tricks, various forms of manipulation, and deception, in order to acquire some 
benefit: land, goods, money, some form of profit, or even someone’s trust [23, 490]. 
Thus, with the advent of organized performance of economic activity, fraud has become a 
serious threat, to which the business of each company is exposed. This includes a wide 
range of irregular and illegal activities: deception, bribery, intentional concealment of 
events or information, forgery, giving false information, concealment of material facts, 
theft, misuse of funds or other resources, and the like. The Association of Certified Fraud 
Examiners (ACFE) classifies all these forms of fraud into three broad groups: 
(1) manipulation in the financial reporting, (2) misuse of tangible and intangible assets of 
the company, and (3) corruption. The variety of forms of fraud is one of the reasons why 
there is no single definition of this category today. Thus, the Institute of Internal Auditors 
(IIA) defines fraud as “any illegal act characterized by deceit, concealment, or violation 
of trust. These actions are not dependent upon the threat of violence or physical force. 
Fraud is perpetrated by persons and organizations to obtain money, property, or services; 
to avoid payment or loss of services; or to secure personal or business advantage” [27]. 
“Fraud is any intentional act or omission designed to deceive others, resulting in the 
victim suffering a loss and/or the perpetrator achieving a gain” [25, 5]. ACFE sees fraud 
as “the use of one’s occupation for personal enrichment through the deliberate misuse or 
misapplication of the employing organization’s resources or assets” [2, 6]. “In a more 
complex definition, fraud can be accomplished by any person that aims to obtain a certain 
gain or cause a certain loss, or even to expose others to risk in a dishonest manner” [16]. 

Approaches to determine fraud are different. However, each of these definitions 
suggests that fraud can be committed by all employees in the company, regardless of 
their hierarchical level, as well as persons outside the company. In this regard, studies 
have shown that the three key factors, or conditions, determine the probability that fraud 
will be made, which is known as the Triangle of Fraud: 

 The existence of pressure, i.e. stimulus – financial benefit, i.e. money is the most 
frequent motive for committing fraud. However, fraud is often committed to 
preserve the workplace, achieve a prestigious position, and advance in career. 
Company managers are often willing to commit fraud, in order to preserve 
profitability and positive trends, in line with the expectations of investment 
analysts, investors, significant creditors, or other persons, and in order to secure 
new sources of funding. 



 Contribution of Internal Audit in the Fight Against Fraud 299 

 The existence of opportunities, i.e. circumstances, which allow the perpetrator to 
find a way to commit fraud. These opportunities are determined by the position of 

the individual, the position of some close influential people in the company, 

inadequate division of tasks, the lack or weakness of existing controls, the lack of 

well-defined punitive measures, etc., and 

 The possibility of rationalization, i.e. providing justification for the committed 
actions. Specifically, individuals will not commit fraud if it cannot be justified as 

the process consistent with their ethical behaviour [13, 354]. This particularly 

refers to: interest of the management to preserve or increase the stock price or 

earnings trend, the achievement of financial targets of the company, etc. 

Regardless of the different definitions aimed at clear determination of fraud, and 

despite the different motives, opportunities, and possibilities of justification of fraudulent 

behaviour, consequences which fraud brings about are the same – the loss of value for 

stakeholders of the company. Apart from the financial losses, which are very important, 

fraud inflicts much greater damage by distorting labour productivity in the company, 

compromising its reputation, social responsibility, the negative impact on the image, the 

destruction of investor confidence, lowering the credit rating, etc. Looking beyond, fraud 

adversely affects the economy of a country as a whole, causing major financial losses, 

weakening the social stability, endangering the democratic structures, reducing confidence 

in the economic system, and compromising economic and social institutions. 

Study of the problems of fraud, in terms of timely recognition and perception, 

consideration of possible consequences, and the establishment of mechanisms to prevent 

them, is a very complex task. In addition to the precise determination of fraud, in terms of 

establishment of the criteria for the recognition of its origin, it is necessary to adequately 

recognize the aspects of the risk of fraud: the position of the manager, the complicity 

between employees, inadequate division of tasks, unauthorized handling of company 

resources, conflict of interest, inappropriate storage of documents, and the like [23, 492]. It 

is also necessary to take into account the overall economic, legal, criminological, 

psychological, and sociological aspects and relations [14, 326]. The gravity of this problem 

has particularly come to the fore with the growing complexity of business methods, the 

characteristics of the modern business environment, and the development and 

implementation of methods of committing fraud under the influence of the information 

technology progress. This is confirmed by large, well-known financial scandals of the late 

20
th
 and early 21

st
 century, linked to the companies Enron, Waste Management, World 

Com, and others. The consequences of these cases of fraud were fatal: the collapse of 

companies, large investment losses, significant litigation costs, erosion of confidence in the 

capital market, and others. 

These events have certainly raised awareness of the importance of strengthening the 

mechanisms for combating fraud. However, unfortunately, the fact is that, today, fraud is 

one of the most important business risks which the companies are exposed to. This is 

supported by the continuous annual surveys by ACFE, which monitors the effect of fraud 

on the world economy. The latest report [2], published in 2014, which included 1,483 cases 

of fraud in commercial companies, financial institutions, government institutions and 

agencies, non-profit organizations, etc. in more than hundred countries of the world, 

contains alarming data. Specifically, the results indicate that the typical company loses on 

average 5% of its total revenue due to fraud committed by employees, which, compared to 

the gross world product, is as much as 3.7 trillion US dollars. The largest number of acts of 



300 M. ĐORĐEVIĆ, T. ĐUKIĆ 

fraud related to the misuse of funds, in 85% of cases, while corruption was observed in 37% 

of cases, and 9% related to the manipulation of the financial statements. However, despite 

the presented relative amounts, in absolute values, loss due to misuse of funds amounted to 

130,000 US dollars, corruption to 200,000, while manipulations of the financial statements 

made a loss of as much as 1,000,000 US dollars. These results immediately suggest that, in 

many cases, there are more categories of fraud. On average, 30% of the schemes involve 

two or more forms of fraud. The interesting part of this study concerns the relation between 

the hierarchical position of the perpetrator and a number of committed acts of fraud. The 

obtained results show that, out of the total number of acts of fraud, 19% were committed by 

senior managers and owners, 36% by mid-level managers, and 42% by employees. However, 

although the number of acts of fraud committed by employees is far greater than the number 

of cases of fraud committed by mid-level managers, the damage caused in this way is two 

times less than the damage committed by mid-level managers, which is, in turn, three times 

less than the damage made by senior managers and business owners. This confirms the fact 

that the possibility of committing fraud and the seriousness of its consequences are, in fact, 

determined by the availability of resources to perpetrators [13, 354]. 

Recognizing this situation, which has been present for years, company investors, the 

public, and other stakeholders significantly lose confidence in the management of the 

company and the way they manage, and become more sensitive to the problems that occur as 

a result of fraud. In response to this, they expect the company to take a position of “zero 

tolerance to fraud” [25, 5], and to establish mechanisms aimed at preventing and detecting 

fraud, i.e. fraud risk management. In this regard, companies need to establish an adequate 

framework, i.e. fraud risk management program, which involves proper definition of policies 

that include expectations of the board of directors and management in relation to risk 

management. Providing such a program involves clear setting and understanding of the roles 

and responsibilities of all persons in the company, at all hierarchical levels, to be achieved by 

establishing policies, job descriptions, rules of work, delegation of authority, etc. 

Adequately established fraud risk management process involves, first, periodic 

assessment of fraud risk exposure, in order to identify potential events whose occurrence 

the company should prevent. In this regard, IIA suggests that the company should: 

identify relevant fraud risk factors, potential fraud schemes and rank them based on the 

probability of their occurrence, map existing controls and identify the existence of gaps, 

test the effectiveness of controls aimed at preventing and detecting fraud, and document 

and report on the completed risk assessment. On this basis, it is necessary to establish 

preventive mechanisms, in order to avoid potential risk events and mitigate possible 

negative consequences for the company. Although the company can never minimize the 

risk of fraud to zero, the establishment of mechanisms and activities, aimed at preventing 

fraud and reducing the negative consequences, is of great importance. The basis of good 

prevention of fraud, above all, lies in raising the awareness of all employees on the 

established fraud risk management process, communication of efforts aimed at preventing 

the occurrence of fraud, and the possibility of starting potential disciplinary and criminal 

proceedings against the perpetrators. Establishment of fraud detection techniques is done 

in cases when preventive measures have not yielded a result, i.e. when the fraud occurred. 

In this respect, companies rely on techniques aimed at recognizing the signs of 

occurrence of fraud, and they, as such, must be flexible and adaptable to variable risk 

environment. Finally, establishment of a coordinated process of investigating fraud is 

aimed at revealing the nature and extent of fraudulent activity, and involves performing 



 Contribution of Internal Audit in the Fight Against Fraud 301 

procedures to obtain information and specific details that would indicate whether the 

fraud occurred, the loss which the company is exposed to due to fraud, persons involved 

in the fraud, and the way in which the fraud occurred. 

The fact is that some cases of fraud are difficult to prevent, because they are carried 

out in collusion, with careful removal of evidence. However, well-designed and 

consistently applied procedures of fraud risk management may in a number of cases deter 

people who have the ability to commit fraud [29, 12]. 

2. EFFECTIVENESS OF INTERNAL AUDIT IN FRAUD RISK MANAGEMENT  

At today’s level of development, internal audit is a key participant in the system of 

corporate governance. By introducing a systematic and disciplined approach, internal 

audit is aimed at supporting and strengthening the mechanisms of company management, 

as well as assessing and improving the effectiveness of risk management and control 

processes [28]. More specifically, internal audit is expected to be focused on assessing 

the risks that could adversely affect the organization, as well as on the establishment of a 

mechanism that will monitor and control that risk, with a view to its elimination, or, at 

least, reduction [9, 354]. This role of internal audit means that it is a function that knows 

all the processes in the company, the risks to which the company is exposed, and internal 

control and the persons who carry out this control, which is why its potential and ability 

to achieve high effectiveness in preventing and detecting fraud is recognized. In this 

respect, the IIA Standards oblige internal audit to, “in determining the objectives of its 

engagement, assess and take into account the potential possibility of fraud” (ISPPIA 

2210.A2) and “...assess the way in which the company manages the risk of fraud” 

(ISPPIA 2120.A1). For these reasons, today, the companies increasingly focus their 

programs, aimed at reducing fraud, on internal audit, which is seen as the first line of 

defence, i.e. significant management tool that ensures the protection of the company from 

internal criminal behaviour [22]. The expectations that are put before internal audit are 

related to the investigation of [10, 276]: 
1. Attitude of the highest level company management towards risk, 
2. Risk management strategy – how risks are treated in different areas of the 

company, whether the risks are embedded in the company, ignored, accepted, 
minimized, or eliminated, 

3. The general attitude on risk management – whether risks are embedded within the 
entire business process of the company or built into a business process of certain 
areas, 

4. The attitude of the environment towards risk and control, 
5. Whether there are written policies and measures that prohibit the violation of 

company goals in the fight against fraud, 
6. Whether specific procedures of authorization for certain transactions are 

established and respected, 
7. Whether the mechanisms for monitoring the activities and safeguarding the 

property are established, particularly in high-risk areas, 
8. Whether the information system works in such a way that it provides the 

management with credible and reliable information, and 
9. Whether the recommendations of the internal audit, with regard to establishing a 

control system in the fight against fraud, are respected. 



302 M. ĐORĐEVIĆ, T. ĐUKIĆ 

Internal auditors can realize the thus defined expectations, according to the 

Recommendation 1210A2-1, by considering the elements of the COSO framework: 

control environment, risk assessment, control activities, information, and communication 

and monitoring. Example of good practice of the use of COSO components is the 

program framework aimed at preventing fraud, developed in the company Hewlett-

Packard (Figure 1). 

 

 
 

Fig. 1 The Fraud Mitigation Program Framework 
 [17, 49] 

However, despite the obvious great potential of the internal audit to prevent and 

detect fraud, and, in that regard, the expectations that have been placed before it, the 

question arises as to how much internal auditors are actually really up to the challenge in 

practice. The question arises because the Standard 1210.A2 itself stipulates that “internal 

auditors must have sufficient knowledge to assess the risk of fraud and the way in which 

the company manages that risk, but they are not expected to have a level of expertise as 

the person whose primary responsibility is detecting and investigating fraud”. So, with 

twelve years of experience in this profession, Hodge [12] recognizes that, in some cases, 

internal auditors have not adequately responded to this task. In her view, the problem 

resides in the fact that internal auditors do not really understand what it means to 

incorporate the understanding of the risk of fraud into their work, not in the fact that they 

are incompetent, negligent, or that there is some other reason why they are not able to 

contribute to the prevention and detection of fraud. Some auditors interpret the Standard 



 Contribution of Internal Audit in the Fight Against Fraud 303 

requirements in the sense that they do not have too much responsibility to prevent and 

detect fraud – they are not required to be fraud investigators, while others are convinced 

that they possess the required knowledge, while reality is actually the opposite. Based on 

her own experience, Hodge further states that the understanding of the fraud risks is the 

individual responsibility of each auditor, which is why they should constantly bear in 

mind their role in managing the risk of fraud, and continually increase their knowledge 

about ways of preventing and detecting fraud. 

A similar attitude was taken by DeZoort [8] indicating that the level of responsibilities 

of internal auditors in preventing and detecting fraud is, in fact, determined by their 

perception of the responsibility they should have. Starting from the model of the triangle, 

first applied by Schlenker et al. (1994), DeZoort investigated the effect of different types 

of fraud (manipulation in financial statements, misuse of funds, and corruption) and the 

professional obligation of application of standards on the internal auditor’s responsibility 

to prevent and detect fraud. According to the triangle model, personal responsibility of 

internal auditors is conditioned by the extent to which an individual: (1) has a clear, well-

defined set of regulations (standards, rules, policies...), (2) feels a professional obligation, 

and (3) feels the connection with the event by controlling it (there is an intention and 

possibility to establish and apply specific measures as regards perpetrators). Starting from 

this model, results obtained by DeZoort indicate that internal auditors show a higher 

degree of responsibility for the prevention and detection of fraud relating to the misuse of 

funds in relation to fraud related to the financial reporting process and corruption. So, 

although the Standards of internal audit do not distinguish between types of fraud that 

internal auditors should pay attention to, their perception of possibility to control misuse 

of funds is perhaps the most pronounced. In addition, the study results point to the 

position of internal auditors, based on which the highest degree of responsibility for 

detecting fraud should be in the hands of the company bodies, rather than the bodies 

outside of it (for example, external audit). However, at the same time, internal auditors 

hold the position that the highest professional responsibility belongs to the company 

management, accountants, and then the internal auditors. 

Bearing in mind that the effectiveness of internal audit is largely determined by the 

auditor’s personal attitude, knowledge, skills, etc., there are a number of seminars, workshops, 

and conferences nowadays, which emphasize the need for improvement of internal auditors in 

this area. More specifically, the internal auditors are expected to: (1) become familiar with the 

work of the specific part or process that is audited, in connection with possible acts of fraud, 

characteristic of the subject of audit; (2) in work always apply professional scepticism, i.e. 

deeper examination and critical evaluation of the findings, starting from the assumption that 

managers or employees are neither honest nor dishonest. This is a priority because the 

inadequate observance of the principle of professional skepticism is cited as the most 

common cause of failing to detect fraud [26, 14]; (3) understand fraud and the risk of 

irregularities in the work, i.e. know the fraud schemes and techniques that are used, as 

this allows them to promptly detect red flags (indicators) that the fraud was committed or 

may be committed; (4) be able to adequately assess the likelihood of fraud risk, i.e. its 

identification and ranking, based on the impact on the achievement of company goals; 

(5) apply the brainstorming, which, without increasing costs due to the interaction between 

the auditors in a group, can maximize the generation of ideas on fraud, which inevitably 

contributes to improving the effectiveness and efficiency of internal audit [7]. Although the 

idea of brainstorming application in internal audit has not gained momentum until the early 



304 M. ĐORĐEVIĆ, T. ĐUKIĆ 

2000s, it is believed that, today, “this procedure should be an integral part of a proactive 

approach of internal auditing in detecting fraud” [18, 67]. 

Despite the efforts that the internal auditors need to make, for the purpose of 

improving their effectiveness in fighting fraud, great support must be provided by the 

companies in which they operate, in a way to enable them to [11, 69-70]: 

 Align their actions with the priorities and goals of the company, both in the long and 
in the short term. Internal auditors will achieve this by becoming familiar with: the 

way in which management undertakes to respect ethics and incorporate mechanisms 

of compliance with regulations in the objectives, strategies, decision-making, and 

daily operations of the company; the methods used by management to promote and 

improve the integrity and ethics, and compliance with the core values of the 

company; the specific policies, programs, and control of compliance; possible 

responses to the challenges of implementing ethics and compliance activities, etc. 

 Gain support from the board of directors and senior management in terms of 
establishing clear objectives, clear reporting lines and line of responsibility, 

allocating the necessary resources (human and material), obtaining input in 

planning, establishing processes for monitoring the success of implemented 

activities, and the like. 

 Design an adequate process of reporting on the results of the work, which will 
ensure effective and efficient communication with relevant stakeholders, and specify 

structure of the report, which is essential for proper interpretation of the findings. 

Although the issue of effectiveness of internal audit in fraud risk management is fully 

justified, many studies show that the internal audit is up to this challenge. This is 

confirmed by the results of research conducted by Monisola et al. [19] and Coram et al. 

[6], indicating that, in the companies with the established internal audit function, much 

more acts of fraud are detected, in relation to the companies in which internal audit is not 

functioning. Furthermore, research carried out by ACFE in 2014 indicates that about 

14.1% acts of fraud were initially detected by internal audit, which is more in relation to 

accounting (6.6%), examination of documents (4.2%), external auditing (3%), monitoring 

activities (2.6%), IT control (1.1%), and others. Internal audit is actually seen as a 

proactive mechanism that is able to quickly “catch” fraud and greatly minimize its 

negative consequences. 

3. POWERS AND RESPONSIBILITIES OF INTERNAL AUDIT IN THE FIGHT AGAINST FRAUD 

Comprehensive knowledge and understanding of the risks of fraud allow internal 

audit to adequately specify its tasks, objectives, and activities, focused on fraud risk 

assessment, prevention and detection of fraud, and, ultimately, investigation of fraud. In 

this way, internal audit significantly improves the process of fraud risk management, and 

its unique position enables it to support other stakeholders in this process – the board of 

directors, audit committee, management, and employees, by [3]: 

 Providing assurance about the effectiveness of fraud risk management and internal 
control processes, 

 Providing advice in defining fraud risk management strategy, 
 Providing advice on the possibilities of improving fraud risk management and 

internal control processes in the company. 



 Contribution of Internal Audit in the Fight Against Fraud 305 

As regards the power of internal auditing in the fight against fraud, it in the first place 

refers to its activities within the framework of a fraud risk assessment process, which 

involves identification of where, how, and who can commit fraud in the company. 

Internal audit activities in this process are aimed at: 

 Identification of relevant risk factors, where the internal audit collects information 
about the activities and processes of the company, in order to be able to identify 

areas of potential fraud. The techniques used in this process include: oral 

interviews with management and employees, questionnaires, and, most often, the 

use of the already mentioned, “fraud triangle” technique [21, 16-17]. In this way, 

the auditors identify areas where there are possibilities of occurrence of fraud, i.e. 

persons who have the motive, the opportunity, and the possibility of rationalizing 

the possibly committed fraud. In cases of identifying the presence of some of the 

factors, internal audit examines what could be the subject of fraud, and how fraud 

could be done, i.e. identifies possible fraud schemes. 

 Ranking the fraud risk in relation to the estimated amount of loss and the 
likelihood of fraud. Loss, i.e. damage, which may occur in the form of cash loss, 

decline in reputation, decreased productivity, loss of resources, reduction in 

liquidity of assets, etc., is difficult to assess. For these reasons, internal auditors 

largely rely on their experience, and rank loss in respect of a given period of time, 

expressed in cash units, for certain intervals of likelihood of occurrence. On the 

other hand, the likelihood of occurrence is mainly based on fraud triangle: where 

all the factors are present (motive, opportunity, and rationalization), the likelihood 

of fraud is higher, and vice versa. 

 Mapping and testing of existing internal control mechanisms – internal auditors 
first identify the control mechanisms established by the company, directed 

towards the prevention and detection of fraud in the company. In this regard, they 

compare them with potential fraud schemes, all in order to identify the existence 

of a possible gap. In addition, internal audit carries out in particular the evaluation 

of effectiveness, because the existence of internal control does not mean at the 

same time certain protection from fraud occurrence, which subsequently affects 

the likelihood of risk which internal audit will assess, and 

 Documenting and reporting on the assessed risk, which internal auditors are obliged to 
do, based on ISPPIA 2060. Key elements of the report, of benefit to the company 

management, include [26, 18]: types of fraud that have a chance to appear, the inherent 

risk of fraud, the adequacy of the established anti-fraud and internal control programs, 

the potential gap between the established control mechanisms, the likelihood of 

significant fraud, the possible impact of fraud on the company’s operations. 

After risk assessment, internal audit directs its activities to the prevention of fraud 

occurrence, and limiting the negative impact of fraud that occurred. These activities are 

largely focused on providing assistance to the company management, which is primarily 

responsible for the establishment of mechanisms to defend the company against fraud. In 

fulfilling this responsibility, internal audit determines: 

 Whether the company has created an atmosphere that raises awareness about the 
existence and importance of control mechanisms, 

 The existence of a written policy (for example, a code of ethics), which describes the 
prohibited activities and measures to be taken if the violation is discovered, 



306 M. ĐORĐEVIĆ, T. ĐUKIĆ 

 The adequacy of established policies relating to the transaction authorization, 
 The existence of policies, procedures, practices, and other mechanisms for the 

monitoring of activities and the protection of resources, particularly in high-risk areas, 

 The effectiveness of communication channels, in terms of providing adequate and 
reliable information to the management, and 

 The need to provide recommendations for the establishment and improvement of 
control mechanisms, to prevent fraud in the company [20, 581]. 

In addition to providing support, internal audit can conduct activities that are directly 

aimed at preventing fraud. Some of them are: constant analytical reviews, review of 

contracts in the company, creation of power rotation programs in the company, 

assessment of the electronic data protection system, conducting surprise audits, 

monitoring of failed attempts to access the computer, and others [1]. 

The fact is that even the best mechanisms established to combat fraud do not guarantee 

that fraud will not occur, which is why the internal audit specifies its tasks and activities in 

detecting fraud. The degree of success of recognizing fraud red flags (indicators) is 

determined by the good knowledge of the fraud schemes, and, according to Joan [15, 27], in 

particular, by the ability of internal auditors to think as perpetrators of fraud. In detecting 

fraud, internal auditors use different methods: statistical, mathematical, interviews, etc., all of 

which need to be flexible and adaptable to risk areas [26, 21]. Table 1 presents the most 

commonly used methods of internal audit, depending on the type of fraud. 

Table 1 The most commonly used methods of internal audit in detecting fraud 

Type of fraud Procedures of internal audit 

Manipulation in the 

financial reporting 

inventory observation, 

cut-off tests,  

tracing to supporting documents and reconciliations 

internal control reviews 

review of separation of duties, 

control monitoring,  

reviews of employees that had access to various accounts 

analytical review for period to period revenues and costs,  

changes between accounts and reasonableness of estimates 

Misuse of assets of 

the company 

cut-off testing, 

reconciliations,  

scan accounts for unusual items, 

review of wire transfers,  

physical inventories 

review of controls such as tip hotlines, segregation of duties, 

treasury transactions, approvals of accounts payable, and management 

review of work of lower level people. 

Corruption review of internal controls around the segregation of duties, 

auditing employees’ expense reports, reviewing company policies and 

following up filed complaints, 

analytical procedures and risk assessment techniques, look for weaknesses 

in internal controls, performed audit tests and in-depth audits. 

review the whistleblower policy and tips submitted to a hotline  

Source: adapted from [4] 



 Contribution of Internal Audit in the Fight Against Fraud 307 

After detection, fraud needs to be explored further – by collecting data through 

observation, interviews, or written statements, with the aim of determining the nature of 

fraud, i.e. determining areas of fraud and techniques used, estimating the causes of fraud, 

identifying perpetrators, and assessing the consequences. The role of internal audit in this 

process may be different [26, 23]: 

 To have the primary responsibility in investigating fraud, 

 To serve as a significant source of information, and 

 To have no role in this process. 

Which one of these roles internal audit will have depends on many factors. Specifically, 

even though the traditional internal audit activities are not directed to investigating fraud, 

internal auditors are increasingly expected to meet and adopt techniques and methods of 

forensic investigators. Greater involvement of internal audit in detecting fraud includes 

[24, 47-48] that this function has a high degree of independence – actual and factual, in 

order to freely investigate fraud. Next, knowledge of different types of fraud and 

associated schemes is needed. Bearing in mind that most of the identified schemes are 

linked to the misuse in the process of financial reporting, internal auditors are specifically 

required to possess the knowledge of accounting. Possession of interviewing skills stands 

out in particular, because knowing which question to ask, and, more importantly, in which 

way, is determined by the importance of the information they want to collect [15, 30]. 

Knowledge of IT technology and the skills of collecting and analysing electronic 

information (e-mail, files, etc.) are now the key requirements, considering that lack of 

knowledge or poor handling of electronic data can cause their irrevocable destruction. 

Finally, entrusting the role of fraud investigator to internal audit involves the possibility that 

the work will be examined by the regulatory bodies. Therefore, notes, working papers, work 

schedules, and other documents that reflect the internal audit activities must be consistent 

with regulatory requirements. 

A well-established team of internal auditors, who meet the above-mentioned conditions, 

largely ensures success in fraud investigation. In addition, companies realize significant cost 

savings by avoiding hiring forensic investigators, specialized law firms, or other bodies that 

provide professional services of this type. However, adequate assessment of the audit team 

with respect to the possession of skills, resources, and other issues, is very important, 

because the costs of poor investigation can several times exceed the costs of hiring well-

qualified external investigators. 

CONCLUSION 

With a devastating effect on the profitability, productivity, social responsibility, and 

reputation of the company, fraud is one of the most significant risks that companies face. 

Although it is clear that even the best established programs and mechanisms cannot 

provide a guarantee that fraud will not occur, the internal audit is the function from which 

much is expected in this regard. It is completely logical, given that, by directing its 

activities towards providing assurance on the effectiveness of all processes in the 

company and their improvement, internal audit cooperates with everyone in the company, 

which gives it the ideal position to take a proactive approach to reducing the risk of 

fraudulent behaviour of employees. 



308 M. ĐORĐEVIĆ, T. ĐUKIĆ 

IIA emphasizes the importance of internal audit in the fight against fraud, by 

appropriate standardization and closer determination of the role of internal audit through 

practical guides. However, the above-mentioned regulations do not specify the tasks and 

responsibilities of internal audit, which points to the conclusion that its effectiveness depends 

on the support it receives from the company in which it functions, and, especially, on the 

knowledge, skills, and personal responsibility of internal auditors. In this regard, well-

organized internal audit, consisting of independent internal auditors, for whom the application 

of professional scepticism is an imperative, and who feel the responsibility of continuous 

improvement of knowledge on fraud, can significantly reduce the risk of fraud. This is 

achieved by providing opinions on the adequacy and effectiveness of fraud risk management 

strategies, fraud prevention and detection, fraud risk assessment, consideration of potential 

cases of fraud during each audit, identification of fraud indicators, monitoring and 

identification of systemic weaknesses and missing internal control mechanisms, fraud 

investigation according to the knowledge and expertise of the members of the team, 

reporting to the board and management on the activities conducted in relation to the 

detection and prevention of fraud, etc. 

Through the adequate implementation of the above activities, internal audit is able to 

respond to the increased expectations of company stakeholders and justify the trust 

placed in it. 

REFERENCES 

1. Association of Certified fraud Examiners, (1995) Fraud Examiner’s Manual, 2
nd 

Review, Austin, Texas 

2. Association of Certified fraud Examiners, (2014) Report to the Nations on occupational fraud and abuse  
3. Bagshaw, K., The Role of Internal Audit in Risk Management, www. Accaglobal.com (05.10.2015.) 
4. Burnaby, P., Howe, M., Muehlmann, B. (2011) Detecting Fraud in the Organization: An Internal Auditor 

Perspective, Journal of Forensic & Investigative Accounting, Vol.3, (1): 195-233 

5. Coram, P., Ferguson, C., Moroney, R. (2006) The Importance of Internal Audit in Fraud Detection, available 
on: http://www.researchgate.net/publication/253527357_the_importance_of_internal_audit_in_fraud_detection 

6. Coram, P., Ferguson, C., Moroney, R. (2008) Internal Audit, alternative internal audit structures and the level of 
misappropriation of assets fraud, Accounting and Finance, 48: 543-559 

7. Carpenter, t., Reimers, J, Fretwell P. (2011) Internal Auditor’s Fraud Judgments: The Benefits of Brainstorming 
in Groups, Auditing: A Journal of Practice & Theory, Vol.30, (3): 221-224 

8. DeZoort, T., Harrison, P. (2008) An Evaluation of Internal Auditor Responsibility for Fraud Detection, The 
Institute of Internal Auditors Research Foundation 

9. Đukić, T., Đorđević, M. (2014) Needs and specifics of ensuring effective internal audit, Facta Universitatis, 
Series: Economics and Organization, Vol.11, (4): 353-365 

10. Gavrilović, M. (2013) Interna revizija u procesu upravljanja rizicima prevare, 17. Kongres SRRRS 
„Računovodstvo, revizija i poslovne finansije u uslovima odgovornijeg ponašanja učesnika na tržištu“, Banja 

Brućica 
11. Hedley, T., Ben-Chorin, O. (2011) Auditing and Monitoring Activities Help Uncover Fraud and Assess Control 

Effectiveness, The CPA Journal: 68-71 

12. Hodge, C. (2012) Journey to Fraud Awareness, Internal Auditor, Vol. 69 (4): 80 
13. Hillson, W., Pacini, C., Sinason, D. (1999) The internal auditor as fraud-buster, Managerial Auditing Journal, 

Vol.14, (7): 351-362 

14. Ilić, M., Saković, D. (2012) Uloga interne revizije u  upravljanju poslovnim rizikom prevare, Finansije 
br. 1-6: 324-335 

15. Joan, C. (2009) How Internal Audit Can Be Effective in Combating Occupational Fraud, Internal Auditing, Vol. 
24, (3): 22-32 

16. Judicial Commission of the Parliament of the United Kingdom of Great Britain and Northern Ireland 
(2002), Report on Fraud 

17. Laxman, S., Randles, R., Nair, A. (2014) The Fight against Fraud, Internal Auditor, Vol.71, (1): 49-53 

http://www.researchgate.net/publication/253527357_The_Importance_of_Internal_Audit_in_Fraud_Detection


 Contribution of Internal Audit in the Fight Against Fraud 309 

18. Lynch, A. (2006) Think like a Fraudster, Internal Auditor, Vol.63 (1): 66-70 
19. Monisola, O. (2013) Effect of Internal Audit On Prevention of Frauds, Errors And Irregularities In 

Corporate Organisation, Research Journal of Finance and Accounting, Vol.4, (19): 103-108 

20. Moeller, B. (2009) Brink’s Modern Internal Auditing, a Common Body of Knowledge, 7
th 

Edition, John 

Wiley & Sons, Inc 
21. Naame, D. (2003) CIA, CISA, CFE, CGFM, All Enclosed material 
22. Nestor, S. (2004) The impact of changing corporate governance norms on economic crime, Journal of 

Financial Crime 11 (4): 347-352 
23. Petrascu, D., Tieanu, A. (2014) The Role of Internal Audit in Fraud Prevention and Detection, 21

th 
International 

Economic Conference IECS 2014, Procedia Economics and Finance 16: 489-497
 
 

24. Pollock, J., Sumner, D. (2009) The New Fraud Detectives, Internal Auditor Vol. 66 (5): 44-48 
25. Richards, D., Melancon, B., Ratley, J. (2009) Managing the Business Risk of Fraud: A Practical Guide, 

Sponsored by: The Institute of Internal Auditors (IIA), The American Institute of Certified Public Accountants 

(AICPA), Association of Certified Fraud Examiners (ACFE) 
26. The Institute of Internal Auditors, (2009) Internal Auditing and Fraud, IPPF - Practice Guide 
27. The Institute of Internal Auditors, (2011) International Professional Practices Framework 
28. The Institute of Internal Auditors, www.theiia.org (10.09.2015.) 
29. Wayne, A., (2010) Anti-Fraud control, What Internal Auditors Need to Know, Internal Auditing, Vol. 25, (1): 

10-26. 

DOPRINOS INTERNE REVIZIJE U BORBI PROTIV PREVARA 

Konstatni porast obima prevara, koje ostavljaju razorne posledice na uspešnost poslovanja, 

uslovljava značajnu zaokupljenost preduzeća ovim problemom. Svesna činjenice da je uspostavljaje 

adekvatnog procesa upravljanja rizikom prevare nužnost, preduzeća u sve većoj meri efektivnost 

pomenutog procesa baziraju na potencijalima interne revizije. Imajući u vidu da interna revizija nema 

primarnu odgovornost u sprečavanju i otkrivanju prevara njeno integrisanje u proces upravljanja 

rizikom prevara predstavlja novi izazov za ovu funkciju. U radu autori najpre ukazuju na faktore koji 

opredeljuju mogućnost interne revizije da se bori protiv prevara, a onda i doprinos koji ova funkcija 

može da pruži u njihovom sprečavanju, otkrivanju i istraživanju. 

Ključne reči: Interna revizija, upravljanje rizikom prevara, sprečavanje prevara, otkrivanje 

prevara, istraživanje prevara. 

http://www.theiia.org/