From compliance to fraud prevention with Internal Audit as a strategic partner
Fraud remains one of the most pervasive and value-destroying risks facing South African organisations. Economic pressure, sophisticated fraud schemes, digital transformation and persistent governance failures continue to expose organisations across both the public and private sectors. While most organisations acknowledge fraud as a critical risk, many still rely on fragmented controls, reactive investigations and compliance-driven audit approaches that fail to prevent or detect fraud early.
In this environment, Internal Audit is uniquely positioned to move beyond traditional compliance assurance and play a pivotal advisory role in fraud risk governance, aligned to the Global Internal Audit Standards and leading practice benchmarks.
Modernising fraud risk governance
Fraud risk governance extend beyond policies, codes of conduct and isolated control activities. It requires clear accountability at board and executive level, an integrated fraud risk assessment, and ongoing oversight of prevention, detection and response mechanisms. Leading organisations treat fraud risk governance as a continuous management discipline rather than a once-off exercise.
The Global Internal Audit Standards explicitly recognise the internal auditor’s responsibility to evaluate, improve and contribute to the effectiveness of risk management and governance processes, including fraud risk. This does not mean that the Internal Auditor assumes management responsibility for fraud prevention, but rather that it provides independent insight, challenge and advisory support to strengthen the overall framework.
Internal Audit’s strategic advisory role: How can we assist in maturing your framework
To mature the fraud risk governance, we typically focuses on five interrelated areas:
1. Integrated Fraud Risk Governance Frameworks
Internal Audit assesses whether fraud risk oversight is clearly defined across the board, audit committee, executive management and line management. This includes evaluating fraud risk ownership, escalation protocols and integration with enterprise risk management. (Relevant reviews include reviewing of board oversight mechanisms, fraud risk escalation pathways, and alignment between audit committees and management.
2. Integrated Risk-Based Fraud Risk Assessments
The internal auditor facilitates or reviews the organisation-wide fraud risk assessments to ensure they are practical, regularly updated, informed by data and reflect both digital and behavioural fraud risks relevant to the business. These assessments move beyond generic risk registers to identify root causes, emerging schemes and control vulnerabilities.
3. Internal Control Design and the Preventive Focus
Rather than relying solely on detective controls and post-incident investigations, we as internal auditors advises on the minimum design and implementation of the preventive controls, segregation of duties, system access governance and automated monitoring mechanisms that should be in place. Advances in artificial intelligence and machine learning are revolutionising digital forensics and fraud prevention by significantly enhancing the speed, accuracy and efficiency of analysis. This include advanced data analytics, defining fraud indicators and continuous control monitoring to detect anomalies sooner rather than later.
4. Ethical Culture and Behavioural Risk
Fraud is as much a behavioural risk as a control failure. Internal Audit plays a key role in assessing the tone at the top, ethical culture, whistleblowing arrangements and retaliation risks, ensuring that employees feel safe to speak up.
5. Management Reporting and Insight
High-impact fraud risk reporting where the focus is on trends, control effectiveness, emerging risks and management action, enabling boards and executives to make informed decisions rather than react to crises (narrative-driven insights not just validation checklists).
The South African fraud reality check
Recent industry data presents a harsh reality of fraud exposure in South Africa:
- South African life insurers and investment firms detected 16,520 fraud and dishonesty cases in 2024, a 26% increase from 2023, with R131.6 million lost despite significant prevention efforts. Common schemes included remuneration fraud and fraudulent claims, highlighting both internal and external vulnerabilities.
- Digital fraud remains a core threat: 68% of South Africans surveyed reported being targeted by email, online, phone or SMS-based scams in late 2024, with phishing and smishing the most prevalent methods.
- A broader risk assessment shows that 49% of South African organisations reported increases in fraud, with each rand lost costing firms an estimated R3.64 when
total organisational costs are considered; underscoring hidden operational and reputational impacts. - Digital banking fraud alone accounted for over 64,000 incidents in 2024, an almost doubling from the prior year, much of it linked to social engineering rather than systems compromise.
- As more companies strive to enhance their digital transformation in the space of KYC confirmations and client onboarding, fraudsters are now applying Generative AI and Deepfakes to commit impersonation frauds. While the actual current losses in South Africa is unknown, this will be a significant reality check in the near future
These trends underscore that fraud is no longer a narrow “back-office” or compliance issue, it is a strategic organisational risk that affects customer trust, financial sustainability and brand integrity.
Case Studies: Why Strategic Fraud Governance Matters
Case study 1: Insurance sector fraud landscape
In 2024, South African insurers prevented approximately R1.4 billion worth of fraud and dishonesty, yet still suffered losses due to gaps in early detection and risk assessment. Remuneration fraud, involving internal agents and intermediaries seeking improper benefits, constituted the majority of events. The industry’s forensic teams have improved detection, but this reactive emphasis still strains risk governance frameworks and exposes weaknesses in proactive fraud strategies.
Case study 2: Digital consumer targeting
Recent surveys show that South African individuals and organisations are being aggressively targeted with phishing and smishing campaigns, with an outsized share compared to other African markets. These schemes exploit human behaviour and weak control points, illustrating that even well-designed technical controls are insufficient without holistic governance, employee awareness and fraud risk intelligence.
Case study 3: Corporate governance failures: The Steinhoff scandal
The Steinhoff accounting fraud remains South Africa’s most prominent corporate scandal, with billions in fictitious transactions over a decade and enduring impacts on investor confidence and market integrity. Although regulators levied fines, the fallout demonstrates how governance failures at the highest levels erode trust and impose long-term economic costs, and how Internal Audit’s strategic advisory mandate could have provided earlier, critical insights.
The use of Forensic Technology as a strategic advisory role: How can we assist you.
Organisations are still striving for digital transformation and automated KYC confirmations, which is a contributing factor to the progression of the requirement for additional verification methodologies. Generative AI has made it easier to commit Impersonation frauds and we will see a definite increase in these occurrences in the coming years. While unethical staff in key operational employment roles still has the ability to intervene in financial transactions or Supply Chain Management functions, the need has grown for the implementation of pro-active transactional monitoring and automated SCM functions. We will sit with you to assess the current risks that you might be facing and help to implement controls that will benefit you in the long run.
Why this matters for 2026 and beyond?
South African organisations face increasing regulatory scrutiny, heightened stakeholder expectations and more complex fraud threats. Audit committees are demanding deeper insight, not just assurance. Internal Audit functions that remain compliance-focused risk becoming irrelevant, while those that embrace fraud risk governance advisory deliver measurable value, strengthen resilience and enhance organisational trust.
The shift from a compliance-driven internal audit function to a strategic fraud prevention with Internal Audit as a strategic partner does not require a fundamental change in mandate, but rather a purposeful change in focus. Entities can begin this journey by embedding fraud risk governance into its risk-based audit planning, ensuring that fraud risks are clearly owned, aligned to strategic objectives, and regularly assessed with sufficient rigour. By elevating fraud prevention to a recurring area of board-level oversight, Internal Audit helps drive sustained accountability and informed decision-making.
Equally important is a shift in reporting, moving beyond control compliance to delivering insight into root causes, emerging vulnerabilities and behavioural risk factors that enable fraud. Insightdriven reporting equips audit committees and executive management with forward-looking intelligence, allowing them to act proactively rather than respond to isolated incidents after the fact.
Finally, Internal Audit can leverage advisory touchpoints, such as workshops, targeted advisory reviews and fraud risk discussions, to influence preventive thinking while preserving independence. By challenging the effectiveness of segregation of duties, whistleblowing mechanisms and ethical culture, Internal Audit plays a catalytic role in strengthening fraud resilience across the organisation.
The future of Internal Audit in fraud prevention lies in strategic partnership, not policing. By embedding fraud risk governance advisory into its mandate, Internal Audit becomes a catalyst for stronger governance, smarter controls and ethical organisations. In doing so, Internal Audit protects not only financial value, but also reputation, sustainability and public confidence.
