What should an internal auditor do when management ignores obvious fraud red flags?

Question

AcadiFi · Accepted Answer

The internal auditor's job is to document facts, assess the risk, follow escalation protocols, and preserve independence. Once management ignores credible fraud indicators, the issue becomes not only a control failure but also a governance problem. The correct response is not to personally prosecute the fraud; it is to escalate through the proper chain and ensure the matter reaches the level with authority to act.

Suppose Beacon Media notices suspicious marketing vendor payments. Over 6 months, $480,000 of invoices were approved with duplicate campaign IDs and no matching performance evidence. The marketing vice president dismisses the issue because the vendor supposedly drives sales. Internal audit should gather support, document the exception pattern, assess control breakdowns, and report the matter according to the organization's fraud response protocol. If the immediate manager will not act, escalation may move to the CAE, senior management, legal, compliance, or the board depending on severity.

The exam usually rewards disciplined escalation, documentation, and objectivity. It does not reward burying the issue, negotiating it away informally, or taking over management's response. Fraud questions often test courage, but through process. If risk is credible and response is inadequate, your duty is to keep the issue visible to the right oversight level. Practice more in our CIA question bank.

What should an internal auditor do when management ignores obvious fraud red flags?

Master Part 2 with our CIA Course

Related Questions

Practice Questions