LogoRegulatory Alerts
2022-06-01

Guidance on the Role of Internal Audit Department in Fraud Risk Management

The Bank of Uganda issued this circular to clarify the role of internal audit departments in fraud risk management, specifying that they provide assurance over controls rather than automatically investigating every fraud. Supervised financial institutions must ensure fraud investigations are conducted by suitably qualified personnel, requiring internal audit to self-assess its capacity and engage subject matter experts when material gaps exist. The guidance mandates that these institutions design anti-fraud response plans that clearly delineate internal audit responsibilities, thereby strengthening overall fraud risk management frameworks.

Bank of Uganda logo

Uganda

Bank of Uganda

Click to view thumbnail

BANK OF UGANDA

OFFICE OF THE EXECUTIVE DIRECTOR SUPERVISION

Noted h 30/11/2021 cc Division Heads

EDS.306.2

37-45 KAMPALA ROAD, P.O. BOX 7120, KAMPALA

DIRECT LINE: 256-414- 230051 GENERAL LINE: 256-414- 258441 Ext 2403 FAX LINE: 256-414- 258515 TELEX: 256-414-61059 CABLES: UGABANK Email: info@bou.or.ug Website: www.bou.or.ug

29th November 2021

Circular to all Chief Executive Officers of Commercial Banks, Credit Institutions and Microfinance Deposit-taking Institutions

Guidance on the Role of Internal Audit Department in Fraud Risk Management

Bank of Uganda (BOU) has noted that fraud investigations in Supervised Financial Institutions (SFIs) have predominantly been conducted by Internal Audit departments/units irrespective of the complexity of these frauds. This practice is the result of differing interpretations and understanding of the role of the internal audit function in fraud risk management. Accordingly, BOU advises as follows:

  1. Standard 1210.A2 of the Standards for the Professional Practice of Internal Auditing provides that, "The internal auditor should have sufficient knowledge to identify the indicators of fraud but is not expected to have the expertise of a person whose primary responsibility is detecting and investigating fraud". Accordingly, the internal auditor should not, by default, be expected to have the expertise to investigate every fraud. Rather, internal audit should support an SFIs' fraud risk management efforts by providing the necessary assurance services over internal controls designed to detect and prevent fraud.

  2. It is essential that fraud investigations are undertaken by individuals or entities suitably qualified and experienced in conducting such assignments. This minimizes the risks of compromising evidence; prevalence of unfounded accusations; and inadvertent undermining of courses of action with a high likelihood of favorable outcomes. In the event that circumstances require internal audit to undertake an investigation, due professional care should be exercised in the execution of such an investigative assignment. It is critical that the internal auditor self-assess whether or not they possess the requisite skills and have adequate resources, to conduct the requested investigation. The SFI should consider engaging subject matter experts (internal/external) if the self-assessment indicates significant or material gaps or inadequacies in the Internal Audit capacity to conduct a specific fraud investigation.

BANK OF UGANDA 30 NOV 2021 RECEIVED DIRECTOR COMMERCIAL BANKING

1 | Page Mission: To Foster Price Stability and a Sound Financial System Vision: To be a Centre of Excellence in Upholding Macroeconomic Stability

  1. Internal Audit is an independent, objective, assurance and consulting activity designed to add value and improve an SFI's operations. Its chief role includes detecting, preventing, and monitoring fraud risks. This means that the internal audit function must at the minimum, have sufficient capacity to:

a) Identify and flag potential fraud incidents, b) Evaluate the identified fraud red flags and decide whether or not, further action is necessary, and if so, the kind of action it should be, c) Understand the nature, types and characteristics of fraud, d) Understand techniques used to commit fraud, including an understanding of various fraud schemes and scenarios. e) Evaluate the effectiveness of controls to prevent or detect fraud.

It is not internal audit's responsibility to prevent fraud happening within the SFI. This is the organizational responsibility of the business line (management) as the first line of defense. SFIs should have suitable anti-fraud response plans outlining key policies and investigation methodologies. The plans should clearly specify the role of internal audit when there is suspected fraud. Internal audit function therefore provides assurance on the management of fraud risk in the SFI through risk assessment, and audit planning.

The purpose of this Circular is to clarify the role of internal audit in fraud risk management and urge SFIs to take into account this guidance in designing their fraud risk management frameworks.

[Signature]

Tumubweinee Twinemanzi (Dr.) Executive Director Supervision

Copy: Governor Deputy Governor Director, Commercial Banking Director, NBFI

2 | Page

Share