Attention to the risk of significant errors and fraud is a recurring theme throughout The IIA's International Professional Practices Framework. For example, under mandatory Attribute Standard 1220.A1, internal auditors must exercise due professional care by considering the "probability of significant errors, fraud, or noncompliance."
In the public and private sectors, errors that slip through normal business cycles are likely unintentional. Fraud is defined in the Standards Glossary as, "Any illegal act characterized by deceit, concealment, or violation of trust" and therefore entails intentionality on the part of the wrongdoer. The dichotomy between what is an unintentional error and what is an intentional fraud may not always be clear cut.
Some audit methods seem better suited to finding errors and fraud than others. Audit methods that rely on representations by management, and by which auditors gain confirmation that controls have operated as intended--such as interviews, control self-assessment checklists, walk-through tests, transaction sampling, and analytical review of reasonableness--can be vulnerable to confirmation bias. Such conclusions could be uncontroversial, but risk internal audit's reputation if significant errors or fraud come to light at a later date.
Error and fraud can be further obscured by insufficiently negotiated remedial actions at closing meetings with audit clients (see "When Recommendations Go Unaddressed" on page 48). Experience over many years suggests the timely completion of agreed-on actions sometimes linger unfinished, or are implemented less diligently than what internal audit intended. It follows that confirmation bias in fieldwork, combined with under-negotiated and then poorly implemented remedial actions, can conspire to hide the possible existence of significant errors and fraud, which occur more frequently than might be expected. One way to minimize the risk of providing false assurance and boost internal audit's value to the board is to search for the very errors internal controls are intended to prevent.
LOOKING FOR ERRORS
Pursuing significant error and fraud requires hypothesizing about what potentially could occur. Ideally, this is done by harnessing multi-industry experience and creative thinking--starting with the worst conceivable scenarios--and then planning audit fieldwork with the foreknowledge that actual findings may differ from what was hypothesized.
Error detection methods include: