Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organisation’s operations. Its role includes detecting, preventing, and monitoring fraud risks and addressing those risks in audits and investigations.
Fraud detection, and its effective oversight management, is a pillar of the risk register of any company that is at least medium-sized, usually under the Corporate Governance, Finance and Claims banners. If it’s in the risk register, then it will also be in the internal audit team’s IA Universe.
Depending on the risk assessment, Fraud will form part of a risk-based internal audit plan as a separate topic, or even as part of each topic audit in the IA Plan. For example, the risks, and the anti-fraud measures in place to mitigate them, should form part of a Claims Management audit.
What is Fraud?
A basic definition is wrongful or criminal deception intended to result in financial or personal gain. For an insurance company, fraud risks could be broadly categorised into Internal and External fraud risks. A detailed analysis is provided in a mock-up Risk and Control Matrix, further below.
References
FCA (https://www.fca.org.uk/firms/financial-crime/fraud)
“Fraud is an area of regulation where we align our goals with those of regulated firms. We recognise that firms already have strong incentives to manage fraud risks — fraud costs them money and losses can affect firms’ profitability. We promote a partnership approach to tackling fraud and aim to work with the market and to encourage collaboration.
Firms have historically been reluctant to reveal that they have been the victims of fraud, fearing reputational risk. We want to foster an environment where information sharing is not only encouraged, but actively seen by all as a means to reduce fraudulent practices and so increase profitability.”
Lloyd’s Minimum Standards
Lloyd’s Minimum Standards are statements of business conduct which Lloyd’s Managing Agents are expected to comply with to operate at Lloyd’s. LMS can be aligned with the internal control environment and incorporated into an internal audit program. LMS is also a useful tool for company market insurers, and their internal auditors, given its comprehensive reach and contemporaneous character (the current LMS were all updated in January 2021). Under ‘MS9 – Customer’, “Managing Agents must also have clearly defined procedures in place for identifying and monitoring problem cases and irregularities, such as fraud or dishonesty or other improper conduct, on the part of Third Parties or Lloyd’s brokers.”
‘MS4 – Governance’ also touches on the need for a code of ethics that addresses anti-bribery and corruption, and ‘MS10 – Regulatory’ states, under REG 4.1, “Financial Crime: To mitigate against financial crime breaches, managing agents shall comply with all applicable financial crime legislation, including: international sanctions; anti-money laundering and counter terrorist financing; anti-bribery and corruption; fraud; market abuse / insider dealing; and facilitation of UK tax evasion and foreign tax evasion.”
The LMS can be viewed in full at https://www.lloyds.com/conducting-business/requirements-and-standards/minimum-standards/.
Chartered Institute of Internal Auditors (CIIA) (https://www.iia.org.uk/)
“Internal audit has an important role to play in ensuring that management has effective systems in place to detect and prevent corrupt practices within an organisation. This is part of its normal role of supporting the Board’s and Audit Committee’s oversight of risk management, but it is not the job of internal audit directly to detect or prevent corrupt practices. This is for executive management. Internal audit’s role includes promoting anti-fraud and anti-bribery best practice, testing and monitoring systems and advising on change where it is needed.” Insightful articles include ‘Fraud prevention and detection in an automated world’, ‘Internal Audit and corrupt practices’ and ‘Managing the business risk of fraud’.
Risk and Control environment – insurance company X
Risk & Control Matrix – Extract. An example is shown at Risk & Control Matrix – Board – Fraud & anti-fraud measures
An example Fraud Risk Assessment is shown at Fraud Risk Assessment – Board & Internal Audit.