The flashcards below were created by user on FreezingBlue Flashcards.
COSO Internal Framework applies to big data
Big data serves as a powerful audit tool
Social media brings residual risk to an organization
The audit of social media differs from other audits
- Any intentional act or omission designed to deceive others, resulting in the victim suffering a loss and/or the perpetrator achieving a gain (Managing the Risk of Fraud: A Practical Guide [the Fraud Guide]).
- The IIA definition is broad: “Any illegal act characterized by deceit, concealment or violation of trust.”
- The AICPA definition is narrow: “misstatements arising from fraudulent financial reporting and misstatements arising from the misappropriation of as
Fraudulent financial reporting can be accomplished by:
- Manipulating, falsifying, or altering accounting records or supporting documents from which the financial statements are prepared.
- Misrepresenting, or intentionally omitting from, the financial statements events, transactions, or other significant information.
- Intentionally misapplying accounting principles relating to amounts, classification, manner of presentation, or disclosure.
- Perceived need/pressure,
  - “I need to make the numbers.”
- Perceived opportunity, and
- Rationalization of fraudulent behavior.
  - “Everyone is doing it, so I am no different.”
- Principle 1: A fraud risk management program should be in place, including a written policy (or policies) to convey the expectations of the board of directors and senior management regarding managing fraud risk.
- Principle 2: Fraud risk exposure should be assessed periodically by the organization to identify specific potential schemes and events that the organization needs to mitigate.
- Principle 3: Prevention techniques to avoid potential key fraud risk events should be established, where feasible, to mitigate possible impacts on the organization.
- Principle 4: Detection techniques should be established to uncover fraud events when preventive measures fail or unmitigated risks are realized.
- Principle 5: A reporting process should be in place to solicit input on potential fraud, and a coordinated approach to investigation and corrective action should be used to help ensure potential fraud is addressed appropriately and timely.
Roles & Responsibilities
Board of directors
- Help set the tone at the top by embracing the governance practices.
- Many of the specific fraud oversight responsibilities may be carried out by committees of the board, such as the audit committee or the nominating and governance
- This oversight should generally include:
  - A general understanding of fraud-related policies, procedures, incentive plans, etc.
  - A comprehensive understanding of the key fraud risks.
  - Oversight of the fraud risk management program, including the internal controls that have been implemented to manage fraud risks.
  - Receiving and monitoring reports that provide information about fraud incidents, investigation status, and disciplinary actions.
  - The ability to retain outside counsel and experts when needed.
  - Directing the internal audit function and the independent outside auditor to provide assurance regarding fraud risk concerns.
- The board and committee responsibilities should be documented in the respective charters to ensure their roles and responsibilities are clearly delineated and understood.
- The board should also gain comfort that sufficient resources are being applied to ensure effective operation of the fraud risk management program.
Roles & Responsibilities
- Beyond what management says, how they act is instrumental in shaping perceptions of the culture and their attitude toward fraud prevention.
- Management is responsible for implementing the overall fraud risk management program.
- This includes their direction and oversight over the system of internal controls, which must be designed and operated in a manner to prevent fraud incidents or detect them timely.
- Management must also establish a system of monitoring and reporting that will enable them to evaluate whether the fraud risk management program is operating effectively.
- This helps provide them with timely and relevant information that can be reported to the board.
- It is common in many organizations to assign a member of management the responsibility for overseeing the fraud risk management program.
- This individual should be at a sufficiently high level in the organization to reinforce management's commitment to preventing and deterring fraud.
Roles & Responsibilities
- The day-to-day execution of the fraud risk management program, specifically the controls that are designed to prevent and detect fraud, must involve everyone in the
- All staff levels, including management, should:
  - Have a basic understanding of fraud and be aware of the red flags.
  - Understand their roles within the internal control framework.
  - Staff members should understand how their job procedures are designed to manage fraud risks and when noncompliance may create an opportunity for fraud to occur and go
  - Read and understand policies and procedures (e.g., the fraud policy, code of conduct, and whistleblower policy), as well as other operational policies and procedures, such as procurement manuals.
  - As required, participate in the process of creating a strong control environment and designing and implementing fraud control activities, as well as participate in monitoring activities.
  - Report suspicions of incidences of fraud.
  - Cooperate in investigations.
Components of a Fraud Risk Management
Commitment by the board and senior management
Fraud awareness activities
An affirmation process
A conflict disclosure protocol
Fraud risk assessment
Reporting procedures and whistleblower protection
An investigation process
Disciplinary and/or corrective actions
Process evaluation and improvement
Fraud Risk Assessment
The three key steps:
- Identify inherent fraud risks.
- Assess impact and likelihood of the identified risks.
- Develop responses to those risks that have a sufficiently high impact and likelihood to result in a potential outcome beyond management's tolerance.
Fraud Risk Identification
- Brainstorming is an effective means of identifying the most comprehensive list of fraud risk scenarios.
- Brainstorming can help the organization identify and discuss the wide array of potential scenarios that may exist.
- One of the challenges when brainstorming fraud risks is to make sure that the discussion is not limited to scenarios perpetrated by a sole individual.
- Frequently, fraud includes collusion among multiple individuals, and while it is more difficult to brainstorm these scenarios, it is certainly no less important.
Fraud Risk Identification
Incentives, Pressures, and Opportunities
- The first challenge when brainstorming fraud risk scenarios is to identify as many of those motives as possible.
- Frauds are committed when there is incentive or pressure to do so, the opportunity exists, and the perpetrator can rationalize the incident.
- Brainstorming rationalization scenarios is not common, as consideration of the other two sides of the fraud triangle must occur first and rationalization is very
- Focusing on different incentives, pressures, and opportunities that may exist helps to identify scenarios for which the organization may be vulnerable.
- Incentives may represent monetary or other rewards that might give people a reason to act differently than they would normally.
- Similarly, pressures may cause individuals to act differently because they feel they must relieve whatever is causing such pressures.
- Opportunities reflect ways through which a fraud can be committed, potentially without detection (for example, when controls are weak).
- Brainstorming potential incentives, pressures, and opportunities will likely produce the majority of the fraud risk scenarios.
Risk of Management's Override of Controls
- Even when a sound system of internal controls exists, controls may still be vulnerable to override.
- Since management is typically "trusted" to make good decisions, override by management is possible because other employees tend not to question a management decision and assume it is for the benefit of the organization.
- There have been many chronicled cases of management override to facilitate fraudulent financial reporting or misappropriation of assets.
- Brainstorming management override scenarios will identify different fraud scenarios than brainstorming about incentives, pressures, and opportunities.
Population of Fraud Risks
- There are certain "universal" fraud risks that apply to all organizations and others that are common to those in certain industries or countries.
- While it is possible to identify most of these risks while brainstorming, such scenarios may already be documented and available through other sources, such as industry organizations, professional societies, consulting firms, etc.
Fraudulent Financial Reporting
This is an area that should be brainstormed with the independent outside auditors since they are likely considering the same scenarios.
Misappropriation of Assets
This element begins with identifying what assets belong to the organization that might be valued by employees or outsiders (for example, vendors or customers).
It is important to remember that physical safeguards may not always be sufficient.
Corruption
According to the Fraud Guide, corruption "is operationally defined as the misuse of entrusted power for private gain."
Other Fraud Risks
The Fraud Guide mentions regulatory and legal misconduct, which could include "... conflicts of interest, insider trading, theft of competitor trade secrets, anti-competitive practices, environmental violations, and trade and customs regulations in areas of import/export."
Fraud Risk Identification
If several scenarios have the same root cause, it is possible that the root cause should be assessed, not the other scenarios.
Assessment of Impact and Likelihood
- The significance of other outcomes may be greater than the financial statement or monetary impact.
- For example, it is important to consider the legal impact (criminal, civil, and regulatory outcomes), reputational impact (such as damage to a brand), operational impact (such as cost of production and warranty liability), and impact on people (such as health and safety incidents, or inability to attract and retain employees in an organization with low morale).
The objective is to identify fraud risk scenarios with outcomes that exceed management's tolerance relative to those outcomes.
Assessment of Impact and Likelihood
Judgment regarding the probability or frequency of a fraud scenario is influenced in part by past experience, such as previous incidents of such a scenario within the organization or at organizations in the same industry or geographical location.
An estimate of likelihood also should be made even if there is no knowledge of past events. As was the case with the impact assessment, precise probability quantifications are typically not possible or even necessary.
Response to Fraud Risk
Management's tolerance to fraud risks influences the fraud risk assessment
If a risk is so intolerable that an organization cannot allow for even a single incident to occur, management may need to consider ways to avoid the risk.
If an organization has little or no tolerance to a risk, but cannot avoid it without adversely affecting its objectives, controls would be designed to reduce the likelihood of the incident occurring, or the impact should it occur.
If an organization desires to reduce the impact or likelihood of a risk, but does not believe it has the skills or experience to do so effectively and efficiently, it may share the operation of preventive and detective controls with an organization that is better equipped to execute such controls.
If the occurrence of a risk is tolerable, management may decide to accept the risk at its current level and not make any particular efforts to manage the risk.
Strong organizational awareness
Performing background investigations
Providing anti-fraud training
Evaluating performance and compensation programs
Conducting exit interviews
Detective controls are those that are designed to identify occurrences of fraud, or symptoms that may be indicative of fraud.
Process controls (recons, review, inspections)
Proactive fraud detection procedures (data analysis)
Receiving the allegation
Evaluating the allegation:
- Does this allegation require a formal investigation, or is there enough information now to draw a conclusion?
- Who should lead the investigation?
- Are there special skills or tools needed to conduct the investigation?
- Who needs to be notified, and when?
Fraud Investigation Protocols
Time sensitivity - Investigations may need to be conducted timely due to legal requirements, to mitigate losses or potential harm, or to institute an insurance claim.
Notification - Certain allegations may require notification to regulators, law enforcement, insurers, or external auditors.
Confidentiality - Information gathered needs to be kept confidential and distribution limited to those with an established need.
Legal privileges - Involving legal counsel early in the process or, in some cases, in leading the investigation, will help safeguard work product and attorney-client communications.
Compliance - Investigations should comply with applicable laws and rules regarding gathering information and interviewing witnesses.
Securing evidence - Evidence should be protected so that it is not destroyed and so that it is admissible in legal proceedings.
Objectivity - The investigation team should be removed sufficiently from the issues and individuals under investigation to conduct an objective assessment.
Goals - Specific issues or concerns should appropriately influence the focus, scope, and timing of the investigation.
Legal actions, whether criminal or civil.
Disciplinary actions, such as warning, demotion, censure, suspension, or termination.
Insurance claims if losses from the act are covered by insurance policies.
Redesign or reinforcement of processes and controls that may have been inadequately designed or operated ineffectively, allowing the incident to occur.
- Exhibits a lifestyle beyond means
- Suffering from depression or other emotional problems
“Think like a crook to catch a crook.”
Implications for Internal Auditors
Internal auditors must have sufficient knowledge to evaluate the risk of fraud and the manner in which it is managed by the organization, but are not expected to have the expertise of a person whose primary responsibility is detecting and investigating fraud.
- Internal auditors must exercise due professional care by considering the … probability of significant errors, fraud, or noncompliance …
- The chief audit executive must report periodically to senior management and the board on … fraud risks …
- The internal audit [function] must evaluate the potential for the occurrence of fraud and how the organization manages fraud risk.
Use of Fraud Specialists
The most common specialists engaged are CFEs, who specialize in conducting forensic accounting investigations (usually after the fact, when predication exists) to resolve allegations or suspicions of fraud, reporting to the CAE, an appropriate level of management, or the audit committee or board of directors, depending upon the nature of the issue and the level of personnel involved.