Internal Auditors ’ Fraud Detection : A Phenomenological Study

The purpose of this study is to find out the meaning of fraud for internal auditors and what they experience in detecting it. This is a qualitative research using interpretive paradigm with phenomenological methods. The data of this study are the results of observations and interviews with internal auditors in a state-owned company in East Java, and internal audit charter documentations. Based on the results of the interview, four conclusions from the research results are drawn. First, internal auditors literally interpret fraud and as an occupational task focusing on the internal control. Second, fraud detection is more accurately described as fraud potential detection, in which they can find redflag or fraud indication during the inspection with Risk Based Internal Audit method. Legitimacy Theory is the basis when the auditors have gained legitimacy from fraud meaning and detection, since it is in accordance with their roles, activities and competencies in carrying it out.


INTRODUCTION
Fraud is an action inseparable from business practices. The iceberg phenomenon could be observed in many cases of fraud. It could not be the actual fact, since it will never be revealed to what extent. Research conducted by ACFE shows that companies experience 5% loss of their annual income due to fraud (ACFE, 2016). Major cases that occur because of fraud can even ruin the whole company. Fraud generally comes about due to poor internal control, weak ethical policies, industrial types, and the failure of duty authorization (Turpen & Messina, 1997;Siregar & Tenoyo, 2015;Zakaria et al, 2016). Internal auditors are the company's most widely used tool to detect or prevent fraud (Siregar & Tenoyo, 2015).
Over the past ten years, several cases have been revealed in the world, such as Bernard L. Madoff Investment Securities LLC (2008) and Sino-Forest Corporation (2011) doing Ponzi scheme;Penn West Exploration (2012-2014 and Toshiba (2015) blowing profits out of all proportion; and the most recent, British Telecom's fraud, elevating the company's revenue through fake contract extensions and invoice, and manipulating transactions with the vendors (Priantara, 2017). Although there have been many fraud cases publicly reported, the actual circumstances will never be brought to light (Priantara, 2013).
Fraud generally comes about due to poor internal control, weak ethical policies, industrial types, and the failure of duty authorization (Turpen & Messina, 1997;Siregar & Tenoyo, 2015;Zakaria et al, 2016). To minimize losses, fraud prevention and detection can be completed by those pertaining to the company, where all stakeholder in organizations must be elaborated in anti-fraud program (O'Reilly-Allen & Zikmund, 2009). Several steps to overcome fraud to be taken by management is creating an independent audit committee (Mustafa & Youssef, 2010;Halbouni et al, 2016), and function internal audit (Coram et al, 2008;Nicolaescu, 2013). Outsiders such as shareholders and creditors can become the supervisors to reduce the companies' fraud potential.
Fraud exists due to factors such as poor internal control, management's internal control overrides, collusion among employees, collusion between employees and third parties (DiNapoli, 2010). Cressey in Tuanakotta (2010) concludes that there are three conditions generally existing when fraud occurs; the presence of pressure, perceived opportunity and rationalization. These three formulated in Fraud Triangle Theory should be existed to make fraud apparent. Pressure is someone's urge to do fraud because of financial problems or need; however, some of them are only driven by greed. It is the pressure squeezing someone's life, impossible to share with others. This refers to perceived non-shareable financial need. Perceived Opportunity is a situation where the subject perceives that there is an opportunity for someone to commit a crime without anyone knowing (Tuanakotta, 2014). Due to a trusted position acquired with some technical skill before, he/she could violate rules without any consequences. Rationalization is a justification of the subject before committing a fraud action, such as he/she thinks the amount of money taken is not such large amount of cash, or he/she intends to recoup, or there are other coworkers doing the same thing.
Internal auditors are the company's most widely used tool to detect or prevent fraud, and as internal controls (Siregar & Tenoyo, 2015), since they are fraud knowledgeable adequately able to identify the indicators before the fraud likely to occur (Zakaria et al., 2016). They detect potential occurrences in dealing with fraud (Giles, 2016). It implies that the auditors detect and deliver red flag in 'places' in the company, in which fraud likely to occur, and take some actions. Internal auditors need a legitimacy to maintain their work (continuity goals) with stakeholder support (active support goals) within an organization. This legitimacy can be earned by showing the capabilities and competencies such as career period, educational background and internal audit training, and the relevance between performed and the expected work. The detection, as well as the meaning of fraud will be adjusted to the activities, roles and functions of the internal auditor, to provide that legitimacy.
Burnady in Nicolaesu (2013) emphasizes the internal auditors' responsibility to detect fraud in organizations by focusing on detecting aspects using procedure examination they believe the most effective way. Their other role in detecting fraud can be seen from the WorldCom case, in which the internal auditor team managed to find evidences by examining its financial statements secretly (Thibodeau & Freier, 2014). Coram et al. (2008) found that internal audit adds value to the company through organizations' environment control and monitoring improvements to detect and selfreport fraud. Companies in Indonesia have adequate awareness of fraud, since it is a major concern of businesses in Indonesia (Siregar & Tenoyo, 2015). Based on the results of a survey conducted by ACFE Indonesia (2016) stating that the most common case fraud in Indonesia is corruption. This is due to the large number of media reports regarding the disclosure of corruption cases by the Corruption Eradication Commission. Although fraud in Indonesia today is still dominated by corruption in governmental institution, it in no way means the misappropriation assets case or fraudulent reporting were never uncovered.
Fraud is a deviation that can be done by internal and external parties of the company. The main causes of which are poor internal control, weak ethical policies, and the failure of authorization of duties. Internal auditors are one of the recommended tools to prevent and detect fraud by detecting potential places for fraud to occur and find redflag. With their competence and ability, internal auditors capable to carry out their duties as expected will gain legitimacy and maintain their work. They can get legitimacy by showing their competence noticed from their educational background, work duration, and other training they join. In addition, the relevance between the performed and expected work could also provide them the legitimacy.
However, the internal auditors are not expected to detect fraud with certainty, despite their adequate knowledge, even an expert would be hard to detect fraud. Although some research results recommend internal audit as a tool for fraud prevention and detection, and many companies already have internal auditors, fraud case remains immensely revealed. Based on the ACFE survey (2016), it still costs 5 percent of the company's total revenue. In accordance with these, the researcher is interested in conducting research on meaning of fraud for the internal auditors. Knowing the meaning, their view of fraud will reveal their internal attitude in dealing with fraud.
Internal audit is not expected to be able to detect fraud. It is expected to obtain reasonable confidence that business objectives, for the process examined, are achieved and the inefficiencies (material control -both through simple faults and deliberate efforts) are detected (IIA, 2009). By improving the ability to recognize "red flag" fraud, internal auditors can better protect company assets, reduce inefficiencies, mitigate risks, and assist in supervising increased regulatory oversight (Tschakert, et al, 2016).
Legitimacy theory is used in this study to see whether the meaning and the detection fraud by the internal auditors meet the existing standards so that they obtain the legitimacy. The standards used in this study are the audit charter in the Internal Audit Unit; competencies comprising educational background, certifications, training, and career duration as an internal auditor, lastly, the internal auditor's activities. Fraud detection will be observed whether it correspond the role and activities of the internal auditors, whether their competence is sufficient to conduct such detection. While the fraud meaning; will be confronted to their roles, activities and competencies to observe how they perceive fraud from those three things.
Additionally, the researcher will examine deeply more about how the internal auditors detect fraud based on their experience since it remains existed in any companies, even though other researchers widely recommended for its detection and prevention. Based on this background, this study raises the title: "Internal Auditors' Fraud Detection by: A Phenomenological Study"

RESEARCH METHOD
This is a qualitative research using interpretive paradigm with phenomenological methods. Phenomenology is an inquiry strategy where researchers identify the value of human experience about phenomena as explained by participants (Creswell, 2007).
The phenomenological approach discusses life as a matter experienced by humans, without sorting the experience into sections or principles that are not related to human experience (Pervin, et al, 2004). It focuses on exploring how humans understand experiences and turn them into consciousness, both individually and as shared meanings (Patton, 2002). The researcher behaves as an instrument as well as a data collector. The data of this study are the results of observations and interviews with internal auditors in a state-owned company in East Java, and internal audit charter documentations. Interviews are conducted in an unstructured style. To maintain data validity, data triangulation activities are implemented. In this study, researchers will interpret data directly obtained from the results of observations and interviews, to get answers to the problems observed.

RESULTS AND DISCUSSION
The internal auditors are not expected to detect a fraud with certainty, despite their adequate knowledge, even an expert would be hard to detect it. Although some research results recommend internal audit as a tool for preventing and detecting fraud, and many companies already have internal auditors, fraud cases excessively show up. Legitimacy theory is used in this study to observe whether the fraud meaning and detection by the internal auditors meet the existing standards adequate for them obtain the legitimacy. The standards used in this study are the audit charter in the Internal Audit Unit; competencies comprising educational background, certifications, training, and career duration as an internal auditor, lastly, the internal auditor's activities. Fraud detection will be observed whether it correspond the role and activities of the internal auditors, whether their competence is sufficient to conduct such detection. While the fraud meaning will be confronted to their roles, activities and competencies to observe how they perceive fraud from these three things.

Fraud Meaning
Fraud is literally interpreted by the internal auditor as deceit, intentionally done, giving benefits or advantages to a party. Fraud has the potential to occur when related to financial turnaround. The informant added that one of the conditions met for a fraud to occur in fraud triangle was opportunity, which the informant described as the management negligent and lack of supervision.
"As an example, there is a job with inadequate supervision; there could be opportunity for us to do such thing." "So, he/she could use the gaps or loopholes of management that is not ... what to say, alert. But if the controls are persistent, a fraud will not come to existence. " This implies that fraud is interpreted as a cheat intentionally committed and benefited one party, potentially occurring due to opportunity and money-related issue.
One of the internal auditors' activities is to identify gaps between implementation and criteria and to ensure that existing controls operate on efficiently and effectively. Their role is to provide solutions for those gaps and to maintain internal control.
"Potentials can be everywhere, especially for who manages finance, having direct contact with finance, especially for the procurement of goods and services." "A fraud could occur not only in one area but also nearly in most service and financial activities, as long as there is an opportunity and someone is brave enough to take advantage of mismanagement, it occurs." The internal auditor's role and activities can set up the informant's opinion about the opportunity which, as he/she said, such as management negligence, gaps and inadequate control, could make the fraud appear, while other elements in the fraud triangle, i.e. pressure and rationalization tends to be an intrapersonal factor indirectly related to the internal auditor's job. The opportunity observed by the internal auditor is likely to come up when conducting an audit / inspection, and it facilitates the auditor in detecting any fraud potentials in the company.
From the standpoint of the internal auditor's background coming from various fields of expertise, it is fairly acceptable to conclude that a fraud is an intentional deception rather than interpreting it as an act of misstatement or deliberate concealment of facts, because not all of them have fraud-related background, in particular occupational fraud.
"The internal auditors' educational background comes from various disciplines: electrical engineering, mechanical engineering, civil, legal, economic." "With those various backgrounds, each will be given a process business to examine. We will discuss the planning. In the Letter of Assignment there are business processes to examine. We will discuss who will examine them then. It is flexible, however. Each audit is changeable." Nevertheless, QIA internal auditor training is carried out in stages after the beginning of their careers, helping them to recognize their activities and roles as internal auditors, and it appears that they realize the element of opportunity when a fraud occurs.
"There is a qualified internal audit, ... For the basic intermediate and advance audits, we write papers. I have passed the papers, but hasn't been appointed yet. ... We studied about auditing there. We studied in the afternoon, then we had a test in the following morning. ... Yesterday I joined a special fraud risk management training in Jakarta. " "That is a kind of certification training, competency training. An auditor must pass that QIA competency certification. The training was conducted in stages, prioritizing the seniors, who had never joined QIA, then later the young ones. We were taught how to act as auditors, their role and function. All disciplines are easy to learn if we want to." The legitimacy is obtained by observing whether the internal auditor's actions are in accordance with the existing standards. The discussion above implies that the internal auditors conceive the meaning of a fraud as an occupational issue. Although they come from various educational backgrounds, they still know what and how they should work. It is also observable from their recognition that opportunity causes a fraud, and that it is their job to minimize any gaps in the organization. In conclusion, the legitimacy is obtained since their competence, activities and roles are sufficient to understand what and how fraud can possibly occur in a company.
This implies that fraud is interpreted as an intentional deception committed by and benefited one party, potentially occurring due to opportunity and money-related issue. The internal auditors have acquired the legitimacy as they successfully implemented with their roles, activities and competencies. The discussion about opportunity in their answers is raised for the reason that their activities and roles are still related to the opportunity (internal control). In addition, they got an initial training on internal auditors. Therefore, they got the legitimacy because they were aware and acted as the internal auditor should.

Fraud Detection
Internal auditors' fraud detection is observing any fraud potentials using Risk Based Internal Audit. However, other teams will hand over and track on the potential findings. Risk Based Internal Audit is a method prioritizing business risks and significant control negatively affecting the achievement of companies' goals, in which they will utilize the risk profile, created by the risk management unit in the central company, as a tool for conducting audits. With risk-based internal audits, internal auditors' audits will focus on high and extreme risk points, to discover red flags or fraud potential possibility.
Fraud potentials can be detected since it starts with the finding of an error during the examination. These findings can be fraud potentials as deeper exploration and searches are done. Later, these will lead to conclusions whether the finding is a pure mistake due to negligence or a deliberate error. Further investigation or in-depth audit of the operational audits results is one of the scopes in the auditor's internal audit. In addition, the results of this further search can be used as a basis for internal auditors to provide recommendations for improvement in case of companies' control inadequacy. However, occasionally, they do find the potentials turning out to be unproven and merely an ordinary mistake.
The informants provide overpayment as the examples of those potential findings. When it happens, a suspicion arises because there is a collusion possibly taking place between the company and the vendor. They intentionally overpay and share the difference. However, since the role of the internal auditor is to provide recommendations for improvement, first, they recommend the person in charge compensating for the overpayment and mediate with the vendor.
Under certain conditions, sometimes internal auditors can prove that a fraud has already taken place. In service tour reimbursement they discover a mismatch between the employees' claims and their investigation; this may lead to presumption that a manipulation is possibly performed. In the event that the manipulation is intentional, the auditors successfully make the fraud proven. In this case the auditors merely act as an expert providing evidences to management responsible for taking any necessary measure.
To be honest, to detect fraud really happening in a company is not the job of the internal auditor. In East Java, there is a special team from the central company continuing the examination of potential findings. The informants explained that this is due to some conditions such as difficulty of proving, time, energy and schedule limitation. They justify that their findings are potentials or indication, and they will find evidences to ensure them.
The company's internal auditors are observing fraud potentials, in which they could find redflag or indication during the inspection using Risk Based Internal Audit method. However, the internal auditors in East Java do not investigate the redflag fraud findings further due to difficulty in proving and limited resources. In addition, there is another team that will do that further investigation. In some occasions, internal auditors in the regional companies are able to prove in the absence of a special team assistance, nevertheless, they let the management make further decision.
The internal auditors of the East Java section detect fraud potentials while doing their routine activities. Fraud potentials were discovered as they further explore the findings, by investigating the reasons and roots of the error. One scope of the inspection they conducted is in-depth audit on the operational examination results. Internal auditors are given the authority to access all relevant information, data and documents about the company to facilitate them in conducting audits. In addition, they also have played their roles to provide remedial solutions when any fraud potential is discovered. They offer solutions or provided some recommendations enabling the existing controls could prevent fraud to happen.
Assuming from the internal competence of auditors, they are sufficiently able to detect fraud potentials. In addition, judging their various discipline backgrounds, they are able to form a good team. It will be easier to recognize any risky findings in a section, if there are several people expertise in some particular fields. QIA certification is also mandatory for the internal auditor to be undertaken. Despite of its gradualness, they, at any rate, understand the basis of what and how internal auditors should be. In addition, some internal auditors are certified or invited to join other training to complement their knowledge. Although some of them have become auditors for less than 2 years, they came from the operational section, in which they are familiar with the operational department. Their seniors are available when they need any assistance during examination.
For this reason, the internal auditor's legitimacy related to detect fraud has been obtained since their competence, roles and activities have already been fulfilled. First, the internal auditor's role is to give recommendations and to ensure that internal control has been properly functioned, when, as examples, there are fraud potentials such as overpayment, or to reduce fraud risk in the company by improving its internal control. Second, the inspection carried out by internal auditors in the East Java companies, have used the Risk Based Internal Audit method, a good method for detecting fraud potential. The audit charter stated that one of its missions is to increase the information effectiveness as the internal auditor supervision results on fraud investigation. This is ensuring that the internal auditor's own activities support fraud detection.

CONCLUSIONS
Internal auditors' fraud meaning shows that they recognize how their job and role are related to the improvements in internal control and overcome fraud risk. Relating to fraud detection, they successfully carry it out, by finding fraud potential from their riskbased examinations, Risk Based Internal Audit. They provide remedial solutions due to certain limitations; they are not required to provide fraud certainty, but merely to provide evidences showing that fraud possibly occur, and to provide recommendations for improvement in reducing any risk. Thus, the legitimacy is obtained by the internal auditor since they have done their activities, roles and competencies as expected.