Chapter 6
Internal Audit: The Second Line of Defense
Our chapter title is a deliberate provocation: If internal auditors are only the second line of defense against the occurrence of fraud in an organization, what is the first line of defense? The answer is clear: management. Management is preeminently responsible for fraud deterrence in two respects. First, through the example it sets—the tone at the top—management is first to deter and defend against corporate wrongdoing of all kinds. The ethical tone of the entire organization depends to a significant degree on how top management is perceived both day to day and in its handling of crises. And second, management is responsible for the system of internal controls that should be implemented throughout the entire organization to control, monitor, and document higher-risk areas such as revenue recognition, cash management, purchasing, and inventory.
Management must base its assessment of the effectiveness of the company's internal control over financial reporting on a suitable, recognized control framework established by a body of experts. As outlined in detail in Chapter 1, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) has published Internal Control—Integrated Framework, which has emerged as the framework that management and auditors use to evaluate internal controls. The five components of the COSO internal control framework are the following: ...
