Aligning Internal Audit and Fraud Risk Teams to Strengthen Fraud Governance
/Internal audit (IA) and fraud risk teams share a common goal of helping organizations prevent, detect and respond to fraud. However, unclear responsibilities, duplicated efforts and inconsistent expectations can create friction that limits their effectiveness. During her session on Tuesday morning, Adesola Osuji explored common sources of tension between these teams and discussed how organizations can create stronger fraud governance through clearer roles and collaboration.
Osuji opened the session by highlighting the impact of fraud on organizations. Citing data from the Association of Certified Fraud Examiners’ Occupational Fraud 2026: A Report to the Nations, she noted that Certified Fraud Examiners (CFE) surveyed in the report estimated that organizations lose an estimated 5% of annual revenue to fraud, with a median loss of $145,000 per case and a median detection time of 12 months.
While tips are the most common way fraud is discovered, Osuji emphasized the importance of internal audit, which is the second-leading method of fraud detection. According to Osuji, fraud can be discovered across every area of an organization; it doesn’t fit neatly into the boundaries between fraud teams and internal auditing teams.
“Regardless of how fraud is discovered, fraud risk does not respect the boundary between fraud risk and auditing,” Osuji said.
The Sources of Friction
Osuji explained that while internal audit and fraud risk teams often have shared goals, their responsibilities are different.
Internal audit teams provide independent assurance over governance, risk management and internal controls. Fraud risk teams typically manage the fraud life cycle, which includes prevention, detection, response and continual improvements. Depending on the organization, fraud risk responsibilities may lie within a dedicated fraud team or within legal, compliance or risk teams.
Friction can arise when organizations don’t clearly define how their responsibilities intersect. Osuji said that many organizations lack a single charter or framework that outlines how internal audit and fraud teams should work together.
Without clear guidance, audit committees may expect the internal audit team to identify fraud, while executives may expect fraud teams to lead investigations and the internal audit team to validate controls after the fraud has occurred.
Osuji said that this lack of clarity creates a fraud risk ownership gap and raises the question: Who is responsible for managing different parts of the fraud life cycle?
The Cost of Redundancy
In the second part of the session, Osuji said one of the biggest sources of friction between internal audit and fraud teams is duplicated work. Osuji provided examples of how overlap can occur, such as teams conducting separate risk assessments, testing the same controls, interviewing the same individuals during investigations, or preparing separate reports for leadership.
She then described a common scenario where a whistleblower report triggers a fraud investigation while the internal audit team independently identifies concerns involving the same individual. Without coordination, both teams might request similar information from business units and provide separate updates to leadership.
“The existence of that friction costs the organization money,” Osuji said.
In addition to wasted time and resources, Osuji said that duplicated efforts can create confusion, encourage unhealthy competition and make it more difficult for stakeholders to understand who is leading the response.
Using Standards to Create Alignment
Osuji discussed how emerging international standards can help organizations establish clearer fraud governance. She highlighted ISO 37003, which provides a structured approach to fraud risk management through four key areas: prevention, detection, response and continual improvement.
Osuji said that organizations should treat fraud as an ongoing cycle that evolves as fraud risks change.
She also discussed ISO 37008, which provides guidance for internal investigations. The standard emphasizes principles that align with internal audit team expectations: Independence, confidentiality, competence, objectivity and compliance.
According to Osuji, many tensions between internal audit and fraud teams occur during the investigation phase. Clear standards can help organizations determine roles, establish expectations and ensure that investigations are conducted cleanly.
Practical Steps to Improve Collaboration
To help organizations reduce friction, Osuji recommended that attendees develop a “shared roles matrix” that defines responsibilities throughout the fraud life cycle.
Within this model, fraud teams can lead activities such as fraud prevention programs, controls and individual investigations, while internal audit teams provide assurance that controls and processes are operating effectively.
She also recommended that attendees create a “fraud risk and assurance map” to identify gaps, clarify responsibilities and support joint planning. The map should be developed collaboratively and treated as a living document that evolves as organizational risks change.
Osuji emphasized the importance of shared language. Defining “severity ratings” or what constitutes a “finding” can help teams communicate more effectively and prevent misunderstandings when reporting to leadership.
For organizations where internal audit and fraud team responsibilities overlap, Osuji said that maintaining independence safeguards is especially important. Teams must separate operational responsibilities from assurance to avoid self-review and protect stakeholder confidence.
Building a Coordinated Future
Osuji concluded her session by encouraging attendees to assess their current fraud governance models and identify opportunities for improvement. Whether internal audit and fraud teams operate separately or within a combined structure, she said that organizations must establish clear boundaries, communicate expectations and create processes that support collaboration.
By clarifying responsibilities, Osuji said that reducing duplication and using frameworks such as ISO 37003 and ISO 37008, organizations can strengthen fraud risk management techniques while allowing the internal audit team to maintain the independence necessary to provide effective assurance.
