Roles of IT Auditor in Fraud Control
Whether or not an auditor is auditing for fraud, all auditors are expected to assume responsibility for detecting fraud and assessing antifraud programs. The Statement on Auditing Standards (SAS) 99 of the American Institute of Certified Public Accountants (AICPA)2 emphasizes auditors exercising their professional skepticism to identify risks that may result in a material misstatement due to fraud. The US Public Company Accounting Oversight Board (PCAOB)3 also requires auditors to evaluate fraud-related activities as a component of an internal audit function.
With rapid advancements in information and communications technologies (ICT) and an increasingly mobile-accessible environment (i.e., wireless networking), it is no surprise that companies are increasingly reliant on IT equipment and applications for the delivery of company operations. IT audit plays a vital role in the prevention, detection and investigation of fraud.
To make a valuable contribution toward fraud control, the IT auditor needs to elaborate on and understand the requirements with respect to the various IT processes and types of fraud, each of which contributes to the development of a fraud risk assessment.
A total of 34 IT processes are listed within these four domains, as shown in figure 1.
Whether or not a fraud is likely to occur in each of the identified IT processes is debatable. To better understand if a fraud is likely to occur, the fraud triangle hypothesis, developed by criminologist Dr. Donald R. Cressey, should be considered by all auditors.5 According to Cressey, three factors, each of which is briefly described in figure 2, are associated with any person who commits fraud.
Since there is a human association in any IT process, regardless of the IT system's degree of automation, the possibility of a fraud should always be considered.
 
