Internal audit has an important role to play in ensuring that management has effective systems in place to detect and prevent corrupt practices within an organisation. This is part of its normal role of supporting the Board's and Audit Committee's oversight of risk management.
But it is not the job of internal audit directly to detect or prevent corrupt practices. This is for executive management. Internal audit's role includes promoting anti-fraud and anti-bribery best practice, testing and monitoring systems and advising on change where it is needed.
Boards and senior management should not regard internal audit as an operational part of an organisation's defence against corrupt practice, nor should it be seen as the obvious investigator of incidents after the event.
Internal Audit should only be given extra responsibilities for fraud and corruption
Every organisation faces risks arising from corrupt practices, such as bribery and fraud.
Corruption can lead to financial losses, false information, poor decision-making and reputational damage.
Organisations in the UK also have potential legal liability for certain corrupt practices of their staff, most notably under the 2010 Bribery Act, and could face criminal charges. This is not yet the case in Ireland.
Organisations need a strong programme of internal controls to combat corruption that includes top level commitment, raising awareness, measures to prevent, detect and manage the damage arising from corrupt practices, and a risk assessment process to identify the risks of corruption within the organisation. Internal audit's primary role is to offer assurance at board level that such controls are in place and are functioning effectively.
Some organisations may not have sufficient capacity in the executive to deal with fraud. Where, exceptionally, management requests internal audit to undertake fraud investigation, the head of internal audit should determine that he/she has the required mandate and expertise, and that resources are not being diverted from higher priority internal audit work. He/She should also ensure that the audit committee endorse undertaking such work.
The UK Fraud Act 2006 states that a person is guilty of fraud if he/she:
The UK Bribery Act 2010 covers three areas of personal corruption
and introduces a new corporate offence of failure to prevent bribery.
"Bribery and corruption" is an offence at common law, defined in Murdoch's Dictionary of Irish Law as "corruptly to solicit, promise, give, receive or agree to receive a bribe (i.e. a reward) in order that any public official should either:
a) act contrary to a duty he has to do something in which the public has an interest, or
b) show favour in the discharge of his duty and function."
Irish law on bribery and corruption is contained in a series of statutes dating from 1889, with a collective citation of the Prevention of Corruption Acts 1889 to 2010. The law is not clear in places and is difficult to navigate. Some wrongful acts can be prosecuted under several separate provisions and other unethical acts are not regulated at all.
The Prevention of Corruption (Amendment) Act, 2010, strengthened the legislation on corruption, in particular in relation to corruption occurring outside the State, and gave fuller effect to the OECD Anti-bribery Convention.
A key provision in the Act is the protection afforded to persons, including employees, who make reports, in good faith, of offences under the Corruption Acts, 1889 to 2010 ("whistleblower protection"), and those reports can also be made on a confidential basis.
The Act also provides that reports of suspected corruption offences abroad can be made to diplomatic or consular officers, and foreign police forces, as appropriate.
The Minister for Justice, Equality and Defence received Government approval for the General Scheme of a Criminal Justice (Corruption) Bill, which will update, strengthen and reform the law criminalising corruption. The General Scheme was published in July 2012 to allow the Joint Oireachtas (Parliamentary) Committee on Justice, Defence and Equality to consider the content of this measure and to allow all interested parties to have an input, prior to the publication of the Bill.
The consultation, which closed in September 2012, will be considered in the overall context of developing new, effective legislation to tackle corruption and meet Ireland's international obligations.
In Ireland there is no precise definition of fraud. Many of the offences referred to as fraud are covered by the Criminal Justice (Theft and Fraud Offences) Act 2001. Fraud is a crime which may involve a false pretence, false accounting, forgery, embezzlement or fraudulent conversion.
Under this Act "A person is guilty of forgery if he or she makes a false instrument with the intention that it shall be used to induce another person to accept it as genuine and, by reason of so accepting it, to do some act, or to make some omission, to the prejudice of that person or any other person."
In addition, the Electronic Commerce Act 2000 provides for a number of offences of electronic fraud, for example the fraudulent use of electronic signatures, signature creation devices and electronic certificates.
In Ireland, at present, there is no such automatic imputation to a company of the acts of an employee, officer or agent. It turns on the extent to which it could be argued on the facts that liability is imputed under the identification doctrine or attribution doctrine.
1210.A2 - Internal auditors must have sufficient knowledge to evaluate the risk of fraud and the manner in which it is managed by the organization, but are not expected to have the expertise of a person whose primary responsibility is detecting and investigating fraud.
2120.A2 - The internal audit activity must evaluate the potential for the occurrence of fraud and how the organization manages fraud risk.
1220.A1 - Internal auditors must exercise due professional care by considering the:
2060 - The chief audit executive (CAE) must report periodically to senior management and the board on the internal audit activity's purpose, authority, responsibility, and performance relative to its plan. Reporting must also include significant risk exposures and control issues, including fraud risks, governance issues, and other matters needed or requested by senior management and the board.
Every organisation should:
The primary responsibility for prevention, detection and investigation rests with management, which also has the responsibility to manage the risk. Many organisations now have a dedicated in-house "security" function with responsibility to manage investigations. This function may be assisted by internal audit.
It is not a primary role of internal audit to detect corrupt acts, but it is a role most people expect internal audit to undertake. There is, therefore, an expectations gap that needs to be managed.
Internal audit has no legal responsibility for corruption but is required to give independent assurance on the effectiveness of the processes put in place by management to manage the risks.
Any additional activities carried out by internal audit should be in the context of and not prejudicial to this primary role. The roles that internal audit should undertake include the following:
The audit committee should review arrangements by which staff of the company may, in confidence, raise concerns about possible improprieties in matters of financial reporting, financial control or any other matters.
The audit committee's objective should be to ensure that arrangements are in place for the proportionate and independent investigation of such matters and for appropriate follow-up action, and that any matters relevant to its own responsibilities are brought to its attention. (Smith Guidance on Audit Committees)