Internal Auditing - CH 8 - Fraud

The flashcards below were created by user acelaker on FreezingBlue Flashcards.

  1. COSO Internal Framework applies to big data
  2. Big data serves as a powerful audit tool
  3. Social Media brings residual risk to an organization
  4. The audit of social media differs from other audits
  5. Fraud is
    • Any intentional act or omission designed to deceive others, resulting in the victim suffering a loss and/or the perpetrator achieving a gain (Managing the Risk of Fraud: A Practical Guide [The Fraud Guide]).

    • The IIA definition is broad: “Any illegal act characterized by deceit, concealment or violation of trust”

    • The AICPA definition is narrow: “misstatements arising from fraudulent financial reporting and misstatements arising from the misappropriation of as
  6. Fraudulent financial reporting can be accomplished by
    • Manipulating, falsifying, or altering accounting records or supporting documents from which the financial statements are prepared.

    • Misrepresenting, or intentionally omitting from, the financial statements events, transactions, or other significant information.

    • Intentionally misapplying accounting principles relating to amounts, classification, manner of presentation, or disclosure.
  7. Fraud Triangle
    • Perceived need/pressure: “I need to make the numbers”

    • Perceived opportunity, and

    • Rationalization of fraudulent behavior: “Everyone is doing it, so I am no different.”
  8. Five Principles
    • Principle 1: Fraud risk management program should be in place, including a written policy (or policies) to convey the expectations of the board of directors and senior management regarding managing fraud risk.

    • Principle 2: Fraud risk exposure should be assessed periodically by the organization to identify specific potential schemes and events that the organization needs to mitigate.

    • Principle 3: Prevention techniques to avoid potential key fraud risk events should be established, where feasible, to mitigate possible impacts on the organization.

    • Principle 4: Detection techniques should be established to uncover fraud events when preventive measures fail or unmitigated risks are realized.

    • Principle 5: A reporting process should be in place to solicit input on potential fraud, and a coordinated approach to investigation and corrective action should be used to help ensure potential fraud is addressed appropriately and timely.
  9. Roles & Responsibilities
    Board of directors
    • Help set the tone at the top by embracing the governance practices.

    • Many of the specific fraud oversight responsibilities may be carried out by committees of the board, such as the audit committee or the nominating and governance committee.

    • This oversight should generally include:
      • A general understanding of fraud-related policies, procedures, incentive plans, etc.
      • A comprehensive understanding of the key fraud risks.
      • Oversight of the fraud risk management program, including the internal controls that have been implemented to manage fraud risks.
      • Receiving and monitoring reports that provide information about fraud incidents, investigation status, and disciplinary actions.
      • The ability to retain outside counsel and experts when needed.
      • Directing the internal audit function and the independent outside auditor to provide assurance regarding fraud risk concerns.

    • The board and committee responsibilities should be documented in the respective charters to ensure their roles and responsibilities are clearly delineated and understood.

    • The board should also gain comfort that sufficient resources are being applied to ensure effective operation of the fraud risk management program.
  10. Roles & Responsibilities
    Management
    • Beyond what management says, how they act is instrumental in shaping perceptions of the culture and their attitude toward fraud prevention.

    • Management is responsible for implementing the overall fraud risk management program.

    • This includes their direction and oversight over the system of internal controls, which must be designed and operated in a manner to prevent fraud incidents or detect them timely.

    • Management must also establish a system of monitoring and reporting that will enable them to evaluate whether the fraud risk management program is operating effectively.

    • This helps provide them with timely and relevant information that can be reported to the board.

    • It is common in many organizations to assign a member of management the responsibility for overseeing the fraud risk management program.

    • This individual should be at a sufficiently high level in the organization to reinforce management's commitment to preventing and deterring fraud.
  11. Roles & Responsibilities
    All staff
    • The day-to-day execution of the fraud risk management program, specifically the controls that are designed to prevent and detect fraud, must involve everyone in the organization.

    • All staff levels, including management, should:
      • Have a basic understanding of fraud and be aware of the red flags.
      • Understand their roles within the internal control framework.
      • Staff members should understand how their job procedures are designed to manage fraud risks and when noncompliance may create an opportunity for fraud to occur and go undetected.
      • Read and understand policies and procedures (e.g., the fraud policy, code of conduct, and whistleblower policy), as well as other operational policies and procedures, such as procurement manuals.
      • As required, participate in the process of creating a strong control environment and designing and implementing fraud control activities, as well as participate in monitoring activities.
      • Report suspicions of incidences of fraud.
      • Cooperate in investigations.
  12. Components of a Fraud Risk Management
    Commitment by the board and senior management

    Fraud awareness activities

    An affirmation process

    A conflict disclosure protocol

    Fraud risk assessment

    Reporting procedures and whistleblower protection

    An investigation process

    Disciplinary and/or corrective actions

    Process evaluation and improvement

    Continuous monitoring
  13. Fraud Risk Assessment
    The three key steps
    • Identify inherent fraud risks.

    • Assess impact and likelihood of the identified risks.

    • Develop responses to those risks that have a sufficiently high impact and likelihood to result in a potential outcome beyond management's tolerance.
  14. Fraud Risk Identification
    • Brainstorming is an effective means of identifying the most comprehensive list of fraud risk scenarios.

    • Brainstorming can help the organization identify and discuss the wide array of potential scenarios that may exist.

    • One of the challenges when brainstorming fraud risks is to make sure that the discussion is not limited to scenarios perpetrated by a sole individual.

    • Frequently, fraud includes collusion among multiple individuals, and while it is more difficult to brainstorm these scenarios, it is certainly no less important.
  15. Fraud Risk Identification
    Incentives, Pressures, and Opportunities
    • The first challenge when brainstorming fraud risk scenarios is to identify as many of those motives as possible.

    • Frauds are committed when there is incentive or pressure to do so, the opportunity exists, and the perpetrator can rationalize the incident.

    • Brainstorming rationalization scenarios is not common, as consideration of the other two sides of the fraud triangle must occur first and rationalization is very individualistic.

    • Focusing on different incentives, pressures, and opportunities that may exist helps to identify scenarios for which the organization may be vulnerable.

    • Incentives may represent monetary or other rewards that might give people a reason to act differently than they would normally act.

    • Similarly, pressures may cause individuals to act differently because they feel they must relieve whatever is causing such pressures.

    • Opportunities reflect ways through which a fraud can be committed, potentially without detection (for example, when controls are weak).

    • Brainstorming potential incentives, pressures, and opportunities will likely produce the majority of the fraud risk scenarios.
  16. Risk of Management's Override of Controls
    • Even when a sound system of internal controls exists, controls may still be vulnerable to override.

    • Since management is typically "trusted" to make good decisions, override by management is possible because other employees tend not to question a management decision and assume it is for the benefit of the organization.

    • There have been many chronicled cases of management override to facilitate fraudulent financial reporting or misappropriation of assets.

    • Brainstorming management override scenarios will identify different fraud scenarios than brainstorming about incentives, pressures, and opportunities.
  17. Population of Fraud Risks
    • There are certain "universal" fraud risks that apply to all organizations and others that are common to those in certain industries or countries.

    • While it is possible to identify most of these risks while brainstorming, such scenarios may already be documented and available through other sources, such as industry organizations, professional societies, consulting firms, etc.
  18. Fraudulent Financial Reporting
    This is an area that should be brainstormed with the independent outside auditors since they are likely considering the same scenarios.
  19. Misappropriation of Assets
    This element begins with identifying what assets belong to the organization that might be valued by employees or outsiders (for example, vendors or customers).

    It is important to remember that physical safeguards may not always be sufficient.
  20. Corruption
    According to the Fraud Guide, corruption "is operationally defined as the misuse of entrusted power for private gain."
  21. Other Fraud Risks
    The Fraud Guide mentions regulatory and legal misconduct, which could include "... conflicts of interest, insider trading, theft of competitor trade secrets, anti-competitive practices, environmental violations, and trade and customs regulations in areas of import/export."
  22. Fraud Risk Identification
    If several scenarios have the same root cause, it is possible that the root cause should be assessed, not the other scenarios.
  23. Assessment of Impact and Likelihood
    • The significance of other outcomes may be greater than the financial statement or monetary impact.
    • For example, it is important to consider the legal impact (criminal, civil, and regulatory outcomes), reputational impact (such as damage to a brand), operational impact (such as cost of production and warranty liability), and impact on people (such as health and safety incidents, or inability to attract and retain employees in an organization with low morale).

    The objective is to identify fraud risk scenarios with outcomes that exceed management's tolerance relative to those outcomes.
  24. Assessment of Impact and Likelihood
    Judgment regarding the probability or frequency of a fraud scenario is influenced in part by past experience, such as previous incidents of such a scenario within the organization or at organizations in the same industry or geographical location.

    An estimate of likelihood also should be made even if there is no knowledge of past events. As was the case with the impact assessment, precise probability quantifications are typically not possible or even necessary.
  25. Response to Fraud Risk
    Management's tolerance to fraud risks influences the fraud risk assessment.

    If a risk is so intolerable that an organization cannot allow for even a single incident to occur, management may need to consider ways to avoid the risk.

    If an organization has little or no tolerance to a risk, but cannot avoid it without adversely affecting its objectives, controls would be designed to reduce the likelihood of the incident occurring, or the impact should it occur.

    If an organization desires to reduce the impact or likelihood of a risk, but does not believe it has the skills or experience to do so effectively and efficiently, it may share the operation of preventive and detective controls with an organization that is better equipped to execute such controls.

    If the occurrence of a risk is tolerable, management may decide to accept the risk at its current level and not make any particular efforts to manage the risk.
  26. Fraud Prevention
    Strong organizational awareness

    Performing background investigations 

    Providing anti-fraud training 

    Evaluating performance and  compensation programs 

    Conducting exit interviews 

    Authority limits

    Transaction-level procedures
  27. Fraud Detection
    Detective controls are those that are designed to identify occurrences of fraud, or symptoms that may be indicative of fraud.

    Whistleblower hotlines

    Process controls (reconciliations, reviews, inspections)

    Proactive fraud detection procedures (data analysis)
  28. Fraud Investigation
    Receiving the Allegation

    Evaluating the Allegation:
    • Does this allegation require a formal investigation, or is there enough information now to draw a conclusion?
    • Who should lead the investigation?
    • Are there special skills or tools needed to conduct the investigation?
    • Who needs to be notified and when?
  29. Fraud Investigation Protocols
    Time sensitivity - Investigations may need to be conducted timely due to legal requirements, to mitigate losses or potential harm, or to institute an insurance claim.

    Notification - Certain allegations may require notification to regulators, law enforcement, insurers, or external auditors.

    Confidentiality - Information gathered needs to be kept confidential and distribution limited to those with an established need.

    Legal privileges - Involving legal counsel early in the process or, in some cases, in leading the investigation, will help safeguard work product and attorney-client communications.

    Compliance - Investigations should comply with applicable laws and rules regarding gathering information and interviewing witnesses.

    Securing evidence - Evidence should be protected so that it is not destroyed and so that it is admissible in legal proceedings.

    Objectivity - The investigation team should be removed sufficiently from the issues and individuals under investigation to conduct an objective assessment.

    Goals - Specific issues or concerns should appropriately influence the focus, scope, and timing of the investigation.
  30. Corrective Action
    Legal actions, whether criminal or civil.

    Disciplinary actions, such as warning, demotion, censure, suspension, or termination.

    Insurance claims if losses from the act are covered by insurance policies.

    Redesign or reinforcement of processes and controls that may have been inadequately designed or operated ineffectively, allowing the incident to occur.
  31. Understanding Fraudsters
    Exhibit a lifestyle beyond means

    Suffering from depression or other emotional problems

    “Think like a crook to catch a crook.”
  32. Implications for Internal Auditors
    Internal auditors must have sufficient knowledge to evaluate the risk of fraud and the manner in which it is managed by the organization, but are not expected to have the expertise of a person whose primary responsibility is detecting and investigating fraud.

    – Internal auditors must exercise due professional care by considering the…probability of significant errors, fraud, or noncompliance…

    – The chief audit executive must report periodically to senior management and the board on…fraud risks…

    The internal audit [function] must evaluate the potential for the occurrence of fraud and how the organization manages fraud risk.
  33. Use of Fraud Specialists
    The most common specialists engaged are CFEs (Certified Fraud Examiners), who specialize in conducting forensic accounting investigations (usually after the fact, when predication exists) to resolve allegations or suspicions of fraud, reporting to the CAE, an appropriate level of management, or to the audit committee or board of directors, depending upon the nature of the issue and the level of personnel involved.
Card Set:
Internal Auditing - CH 8 - Fraud
2014-10-26 20:31:28
Internal Auditing Fraud