Internal auditors have had a long-standing obligation to consider the risks of fraud in their ongoing risk assessment and audit planning. The newly published Global Internal Audit Standards from The IIA reemphasize the requirement in Standard 9.4 – Internal Audit Plan. But recognizing the requirement to consider fraud risks and being able to do so are two different things.
Many of us are comfortable identifying traditional fraud risks, such as employee theft, bribery and embezzlement. But a convergence of new technologies, the increasing sophistication of cybercriminals and global expansion of online services create fertile ground for innovative fraud schemes.
There is no shortage of outstanding presenters, trainers and writers who are drawing attention to new IT-related fraud risks. But, as I learned following one of my recent blog posts, Artificial Intelligence: 6 Critical Risks Internal Auditors Can’t Ignore, many internal auditors remain starved for information and resources that can provide an inventory of potential risks to consider during risk assessments.
To be honest, I’m neither a fraud nor IT audit expert. But if I were leading an internal audit risk assessment in 2024, there are at least seven IT fraud risks that would be on my radar:
1. Deepfake Technology
Hong Kong police recently reported on a finance worker who was tricked into paying out $25 million to fraudsters who used deepfake technology to pose as the company’s chief financial officer – in a video conference call! The incident illustrates the significant leap in the quality of forged audio and video, making it possible to create highly convincing fake content. That only heightens the profound vulnerabilities around identity fraud, misinformation campaigns, theft of personal and corporate data, reputational risks, and even the manipulation of financial markets and political landscapes.
When assessing the risk of deepfake technology, internal auditors should consider whether biometric verification systems have been designed and implemented to resist spoofing, and whether payment or data-release instructions received by video, voice or email must be confirmed through an independent channel (such as a call back to a known number) before funds move – the control that would have stopped the Hong Kong case. Depending on the industry, internal auditors also should ascertain whether their organization has identified the risk, and raised awareness and educated employees about the existence and risks of deepfake content.
2. AI-Driven Phishing Attacks
Artificial Intelligence is a double-edged sword. While it offers remarkable opportunities for enhancing security measures, it also further opens the door to highly sophisticated phishing attacks. Cybersecurity firm SlashNext recently reported that, in the past year, there was a 1,265% increase in malicious phishing emails, including a 967% rise in credential phishing. AI algorithms can generate personalized and convincing phishing messages at scale, targeting unsuspecting individuals and organizations and leading to unauthorized access to sensitive information.
Internal auditors should consider whether their organization is using AI-driven security solutions to detect and neutralize sophisticated phishing attempts. Consider also whether the organization is conducting regular security training for employees and stakeholders to recognize and respond to phishing threats.
3. IoT Device Vulnerabilities
The Internet of Things (IoT) continues to expand, connecting myriad devices ranging from household appliances to industrial equipment. This interconnectivity, while offering convenience and efficiency, also creates numerous vulnerabilities, including unauthorized access to personal and corporate networks, data breaches and system disruptions.
In assessing IoT-related risks, internal auditors should determine whether their organization maintains a complete inventory of connected devices (a device that is not inventoried cannot be patched or segmented), ensures that all IoT devices are regularly updated with the latest security patches, is implementing robust network security protocols and has segmented IoT devices from critical networks. Enterprise IT and cybersecurity management and strategy expert Mary K. Pratt has identified six common IoT vulnerabilities and six external threats that pose the most significant risks. It’s worth a read if you’re assessing IoT-related risks.
4. Ransomware as a Service (RaaS)
Ransomware attacks are not new, but the emergence of Ransomware as a Service (RaaS) platforms allows even non-technical criminals to launch sophisticated ransomware campaigns. As cybersecurity expert Edward Kost has noted: RaaS “is a subscription-based model that enables affiliates to use already-developed ransomware tools to execute ransomware attacks. Affiliates earn a percentage of each successful ransom payment.” This democratization of ransomware increases the frequency and diversity of attacks, targeting businesses of all sizes and individuals, with potentially devastating financial and operational impacts.
Internal auditors should determine whether their organization maintains regular backups of critical data in secure, offsite locations, whether at least one copy is offline or immutable so that an attacker who gains administrative access cannot encrypt or delete it along with production data, and whether restores from those backups are actually tested. Assess also whether the organization is investing in advanced cybersecurity defenses, including endpoint protection and intrusion detection systems.
5. Synthetic Identity Fraud
Synthetic identity fraud involves the creation of fictitious identities by combining real and fabricated information, for example a genuine identification number paired with an invented name and date of birth. This type of fraud is particularly challenging to detect, as there is usually no single real victim to notice and report it; instead it exploits the gaps within the credit and banking systems. The long-term cultivation of these synthetic identities, building a credit history before the "bust-out", can lead to substantial financial losses through credit fraud and loan defaults.
Again, depending on industry, assess whether the company is employing advanced analytics and machine learning to detect patterns indicative of synthetic identities. Assess also whether enhanced verification processes have been designed and implemented for new account openings and credit applications.
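As an added example of the kind of linkage analytics the paragraph above refers to (not code from the original post, and not any vendor's product), the script below runs two pattern checks over a constructed batch of new-account applications: one identification number attached to several different names or dates of birth, and a phone number or address reused across applications from supposedly unrelated people. The record layout, field names (national_id, phone, address) and the sharing threshold are assumptions made for this example.

```python
from collections import defaultdict

# Constructed sample of new-account applications for this example (not real
# data). The field names and values are assumptions, not any system's layout.
APPLICATIONS = [
    {"app_id": "A1", "national_id": "123-45-6789", "name": "Dana Lee",
     "dob": "1984-03-02", "phone": "555-0100", "address": "1 Elm St"},
    {"app_id": "A2", "national_id": "123-45-6789", "name": "D. Leigh",
     "dob": "1991-07-15", "phone": "555-0101", "address": "9 Oak Ave"},
    {"app_id": "A3", "national_id": "123-45-6789", "name": "Dan Li",
     "dob": "1998-11-30", "phone": "555-0102", "address": "9 Oak Ave"},
    {"app_id": "A4", "national_id": "987-65-4321", "name": "Sam Ortiz",
     "dob": "1979-01-20", "phone": "555-0200", "address": "4 Pine Rd"},
    {"app_id": "A5", "national_id": "555-11-2222", "name": "Kim Park",
     "dob": "1990-05-05", "phone": "555-0101", "address": "9 Oak Ave"},
    {"app_id": "A6", "national_id": "444-22-3333", "name": "Ana Cruz",
     "dob": "1988-09-09", "phone": "555-0300", "address": "7 Birch Ln"},
]


def normalize_name(name):
    """Lower-case and strip punctuation so trivial variants compare equal."""
    return " ".join(name.lower().replace(".", "").replace(",", "").split())


def ids_with_conflicting_identities(apps):
    """National IDs that appear with more than one name or date of birth.
    A genuine person's ID should not belong to several different people; an
    ID that does is a classic sign of a real number being recycled across
    fabricated personas."""
    names, dobs = defaultdict(set), defaultdict(set)
    for a in apps:
        names[a["national_id"]].add(normalize_name(a["name"]))
        dobs[a["national_id"]].add(a["dob"])
    return {nid for nid in names if len(names[nid]) > 1 or len(dobs[nid]) > 1}


def shared_contact_clusters(apps, threshold=2):
    """(field, value) pairs reused by at least `threshold` distinct national
    IDs, e.g. one phone number or address on applications from supposedly
    unrelated people. The threshold is an assumption for this example."""
    ids_by_value = defaultdict(set)
    for a in apps:
        for field in ("phone", "address"):
            ids_by_value[(field, a[field])].add(a["national_id"])
    return {k: ids for k, ids in ids_by_value.items() if len(ids) >= threshold}


def score_applications(apps):
    """One point per linkage rule an application trips, with the reasons,
    so a reviewer can see why it was flagged rather than just a number."""
    bad_ids = ids_with_conflicting_identities(apps)
    clusters = shared_contact_clusters(apps)
    scores = {}
    for a in apps:
        reasons = []
        if a["national_id"] in bad_ids:
            reasons.append("national_id_reused_across_identities")
        for field in ("phone", "address"):
            if (field, a[field]) in clusters:
                reasons.append(f"{field}_shared_across_national_ids")
        scores[a["app_id"]] = (len(reasons), reasons)
    return scores


if __name__ == "__main__":
    for app_id, (score, reasons) in score_applications(APPLICATIONS).items():
        print(app_id, score, reasons)
```

On the constructed data, application A2 trips all three rules, A3 and A5 trip two, A1 trips one and A4 and A6 are clean. The point for an auditor is that neither check needs a machine-learning model: the questions to ask are whether the organization links applications on shared attributes at all, what thresholds it uses, and who reviews the output.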
6. Mobile Payment Fraud
The proliferation of mobile payment platforms has significantly increased the convenience of financial transactions. However, it also presents new opportunities to exploit security weaknesses with unauthorized transactions and account takeovers. The seamless integration of payment systems with social media and e-commerce platforms further complicates the security landscape.
If your organization leverages mobile payments, has it implemented multi-factor authentication (MFA) for all financial transactions, or at least risk-based step-up authentication for transactions that look unusual? Has it developed and deployed fraud-detection systems that monitor for unusual transaction patterns, such as a burst of transfers shortly after a new device is enrolled or credentials are changed?
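The following added example (not from the original post and not any payment provider's code) shows what "monitoring for unusual transaction patterns" can look like in practice. It replays a constructed event stream from a hypothetical mobile payment app and applies two rules: a sliding-window velocity check on payment count and value, and an account-takeover pattern check that fires when a payment comes from a recently enrolled device after a recent credential change. The event format, the thresholds and the window sizes are all assumptions for this example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed event stream for a hypothetical mobile payment app (not real
# data, not any vendor's log format): (timestamp UTC, account, event, device, amount).
EVENTS = [
    ("2024-03-01T09:00:00", "acct-1", "login",             "dev-A", 0),
    ("2024-03-01T09:05:00", "acct-1", "payment",           "dev-A", 40),
    ("2024-03-01T12:00:00", "acct-1", "payment",           "dev-A", 25),
    ("2024-03-01T10:00:00", "acct-3", "payment",           "dev-C", 15),
    ("2024-03-01T10:01:00", "acct-3", "payment",           "dev-C", 15),
    # acct-2: new device enrolled, credentials changed, then rapid transfers out
    ("2024-03-01T22:10:00", "acct-2", "device_enroll",     "dev-Z", 0),
    ("2024-03-01T22:11:00", "acct-2", "credential_change", "dev-Z", 0),
    ("2024-03-01T22:12:00", "acct-2", "payment",           "dev-Z", 900),
    ("2024-03-01T22:13:00", "acct-2", "payment",           "dev-Z", 950),
    ("2024-03-01T22:14:00", "acct-2", "payment",           "dev-Z", 980),
    ("2024-03-01T22:15:00", "acct-2", "payment",           "dev-Z", 990),
]


def detect_payment_fraud(events, window=timedelta(minutes=10), max_count=3,
                         max_total=2500, new_device_age=timedelta(hours=24)):
    """Replay events in time order and return {account: [(ts, rule, detail)]}.
    Thresholds are assumptions for this example, not recommended values.
    Rules:
      velocity          more than max_count payments, or more than max_total
                        in value, inside a sliding window
      takeover_pattern  a payment from a device enrolled within new_device_age
                        after a credential change in the same period
    """
    alerts = defaultdict(list)
    recent = defaultdict(deque)      # account -> (ts, amount) pairs inside window
    enrolled_at = {}                 # (account, device) -> enrolment time
    cred_changed_at = {}             # account -> last credential change
    for ts_str, acct, kind, dev, amount in sorted(events):
        ts = datetime.fromisoformat(ts_str)
        if kind == "device_enroll":
            enrolled_at[(acct, dev)] = ts
        elif kind == "credential_change":
            cred_changed_at[acct] = ts
        elif kind == "payment":
            q = recent[acct]
            q.append((ts, amount))
            while ts - q[0][0] > window:       # drop payments older than the window
                q.popleft()
            total = sum(a for _, a in q)
            if len(q) > max_count or total > max_total:
                alerts[acct].append((ts_str, "velocity",
                                     f"{len(q)} payments totalling {total} within {window}"))
            enrol = enrolled_at.get((acct, dev))
            cred = cred_changed_at.get(acct)
            if (enrol is not None and ts - enrol <= new_device_age
                    and cred is not None and ts - cred <= new_device_age):
                alerts[acct].append((ts_str, "takeover_pattern",
                                     f"{dev} enrolled {ts - enrol} ago, "
                                     f"credentials changed {ts - cred} ago"))
    return dict(alerts)


if __name__ == "__main__":
    for acct, hits in detect_payment_fraud(EVENTS).items():
        for ts_str, rule, detail in hits:
            print(acct, ts_str, rule, detail)
```

On the constructed data only acct-2 is flagged: every payment from the new device trips the takeover rule, and the third and fourth payments also trip the velocity rule. In a real deployment the takeover rule would typically drive a step-up MFA challenge on the first flagged payment rather than an alert after the money has left; when reviewing a fraud-detection system, ask what action each rule triggers and how long it takes.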
7. Insider IT Threats
Insider IT threats are a persistent and insidious risk: Disgruntled and/or financially motivated employees use their legitimate access to reach sensitive information, leading to data breaches, intellectual property theft and financial fraud. Remote work and the use of personal devices for professional tasks (BYOD policies) further exacerbate these vulnerabilities.
When assessing these risks, consider whether your organization conducts thorough background checks and continuous monitoring of employee activities without infringing on privacy rights. Assess also whether it is fostering a culture of security awareness and loyalty within the organization to mitigate the risk of insider threats.
As we navigate the ever-expanding proliferation of technology, it’s clear that fraud risks have become more complex and dynamic. The integration of cutting-edge technologies into our business processes offers incredible benefits, but it also introduces significant vulnerabilities. Combating those risks requires a multi-faceted approach, combining technological solutions, regulatory frameworks and individual vigilance. As internal auditors undertake their responsibilities to assess fraud risks, they must remain informed and proactive. Doing so lessens the risk of being asked the infamous question: “Where were the internal auditors?”
I welcome your thoughts via LinkedIn or X (@rfchambers), and encourage you to share your list of IT fraud risks for 2024.