Accounting for Cyber Fraud Risks During Audit Planning

Ookeditse Kamau
Author: Ookeditse Kamau, MBA, CDPSE, CEH, CIA, CISA, CRMA, ISO 27001 Practitioner
Date Published: 28 June 2021

With a changing global economic outlook, there has been a correlated shift in the fraud landscape, and how audit leaders should manage it. An assessment of fraud possibility is a requirement when carrying out an audit engagement, after all.

The ISACA performance standard 1207: irregularities and illegal acts states that “IT audit and assurance practitioners shall consider the risk of irregularities and illegal acts during the engagements.”

This is not to say that auditors are fraud specialists, but the standard takes into consideration the impact of inadequate internal control systems and their attribution to creating opportunities for fraud. Several control checklists exist to guide auditors in making this assessment. Some of the issues to take into consideration during the audit plan stage, as indicated by the standard, include gathering a written representation about the following:

  • Management understanding regarding the level of risk of irregularities and illegal acts in the enterprise at the planning stage
  • Management’s understanding regarding the level of risk of irregularities and illegal acts in the enterprise
  • Whether management has knowledge of irregularities and illegal acts that have or could have occurred within the enterprise, or may have been directed toward it
  • Management’s responsibility for designing and implementing internal controls to prevent irregularities and illegal acts
  • How the risk of irregularities or illegal acts is monitored and managed
  • What processes are in place to communicate alleged, suspected or existent irregularities or illegal acts to appropriate stakeholders
  • Applicable national and regional laws in the jurisdiction in which the organization operates, and the extent of the legal department’s coordination with the risk committee/audit committee

Fraud risk assessments are developed based on the elements of why people commit fraud. The fraud diamond theory indicates four specific elements influence a person to commit fraud: pressure, opportunity, rationalization and capability.

Traditionally, IT auditors’ review on the assessment of fraud risk focused on organizational structures and policies in the management of fraud as outlined above in the standard. With the increase in technology consumption, the assessment of cyber-related fraud has become critical in the assessment of fraud-related risk during the audit planning phase and indicating the cyber risk profile. To carry out this assessment, IT auditors do not need to reinvent the wheel, but rather remodel their assessment questions.

Below is a summary of how an IT auditor can analyze cyber fraud risks during audit planning:

Elements that Influence Fraud

What the IT Auditor Should Consider in Assessment of Fraud Risk

Pressure

  • Apart from the traditional understanding of pressure, IT auditors should also gauge how effective information security trainings are on pressure-related tactics that cybercriminals use and how well prepared employees are in identifying these tactics to combat cyber fraud.
    • Do employees tend to act and follow instructions in haste without verifying the contents of the emails with relevant stakeholders within the organization?
  • Analysis of training materials and/or results of employee information surveys can give the IT auditor an indication of how employees are trained to handle pressure and gauge the level of cyber fraud risk the organization is exposed to.
  • The IT auditor should review the effectiveness of this training against recorded incidents and/or scenarios-based testing to see how many are easily manipulated through pressured-based emails.

Opportunity

  • Being at the right place at the right time and in the company of the right people is the simplest form of definition for the word opportunity. The countermeasure in information security is taking a DENY ALL posture. If it can’t be denied, it will be exploited.
  • As part of a fraud risk assessment, IT auditors should determine the level of social engineering exposure the organization is facing.
  • Equally important is the level of data leakage within the organization.
    • How often do employees violate confidentiality and share privileged information amongst themselves and third-party suppliers?
    • Is information unintentionally sent out to third parties?
    • What is the number of reported phishing email requests through corporate email addresses?
  • The IT auditor can review the organization’s training program to determine the level of training provided to staff on social engineering techniques and also review security breach registers kept by the organization on matters related to confidentiality breaches.
  • The level of employee value of confidentiality shows the level of unauthorized information sharing the organization is exposed to.

Rationalization     
    



  • There is no organization without office politics. It is the responsibility of Human Resources to lead the way in providing an environment that cultivates and promotes ethical behavior.
  • Organizations that do not manage bullying, favoritism, unfair treatment of staff and unfair disciplinary processes open themselves to creating an environment that nurtures disgruntled employees.
  • Internal cybersecurity threats have been linked to disgruntled employees who wanted to sabotage the organization.
  • It is therefore critical that when IT auditors review fraud risks within the organization, they take into consideration the level of “hostility” within the organization.
  • Auditors can rely on reports such as employee satisfaction surveys to gain insight into the level of fairness within the organization and how this can affect the level of internal cybersecurity-related attacks.

Capability     

  • Capability is linked to the level of authority and influence employees have within the organization.
  • Cyber criminals have learned from corporate scandals the weaknesses in internal controls. You can imagine payments made simply because an email was sent by the CEO requesting the payment. The question one can ask is why such payments are not subjected to the same internal processes
  • The IMB security index report of 2021 reported a global phishing campaign that targeted over 100 executives in management and procurement roles for a task force acquiring personal protective
  • It is therefore important for auditors to review the level of training that is provided to employees who have a high level of capability within the organization, including executives, super users and key,
  • Due to their busy schedules, executives are not subjected to the same level of security training
  • Training registers can be used to gauge the level of security training provided to executives.

Understanding how the organization deals with elements of fraud can allow the IT auditor to conclude the level of cyber fraud risk to which the organization is exposed. There are other factors that have not been included here that the auditor also can take into consideration. What is critical is for auditors at a planning stage to gauge the level of possible cyber fraud and ensure that the controls selected for testing will cover the cyber risk that has been identified.