Essentials: Fraud Risks Flashcards
Over the course of a decade, a manager of a lumbering operation has been diverting a small amount of cut timber removed from forest tracts licensed from the state. Each load is slightly under the actual amount, but it is accurately documented and signed for by all parties. The loss in a single accounting period is immaterial, but, over the years, the fraud is significant. Which of the following audit strategies and tools would be most likely to uncover this issue?
- Review of accounting policies
- Independent confirmation of work orders and load statements
- Interviews with truck drivers
- Continuous auditing tools and analytics
4- Continuous auditing tools and analytics
Rationale
While all of the methods listed can be used, continuous auditing tools and analytics would be the tool most likely to discover this trend. Then other tests could be applied.
In regard to risk management and/or internal control, the chief audit executive (CAE) is responsible for
- designing and monitoring control processes.
- overseeing the establishment, administration, and assessment of the system of risk management and control.
- communicating an overall judgment of the organization’s enterprise risk management (ERM) process effectiveness to management.
- providing oversight of the organization’s risk management and control processes.
3- communicating an overall judgment of the organization’s enterprise risk management (ERM) process effectiveness to management.
Rationale
Performance Standard 2120, “Risk Management,” states, “The internal audit activity must evaluate the effectiveness and contribute to the improvement of risk management processes.” The CAE is responsible for communicating an overall judgment of the organization’s ERM process effectiveness to management and the audit committee. Oversight is the board’s responsibility; establishment, administration, and assessment are senior management’s responsibility; and designing and monitoring control processes is operational management’s responsibility.
Which of the following control procedures would be effective in preventing frauds in which purchase orders are issued to fictitious vendors?
- Requiring that all purchases be made from an authorized vendor list maintained independently of the individual placing the purchase order
- Requiring single-use contracts (purchase orders) with all major vendors from whom production components are purchased
- Requiring that total purchases from all vendors for a month not exceed the total budgeted purchases for that month
- Requiring that a three-way match process occur between the receiving record, the invoice, and the purchase order
1- Requiring that all purchases be made from an authorized vendor list maintained independently of the individual placing the purchase order
Rationale
Use of an authorized vendor list would be an effective control. Long-term contracts with major vendors would also be effective, so requiring only use of purchase orders would be too restrictive a control. Requiring that purchases from all vendors for a month not exceed the total budgeted purchases for that month would be ineffective, because it controls the total amount of expenditures but not where the purchase orders are placed or whether there is receipt of goods for the items purchased. A three-way match is an important control to detect other types of fraud, but a fictitious vendor would not be detected in this way.
A payroll clerk creates a fictitious employee and files a false time card each week, sending payment automatically to an account in the name of her spouse. What type of fraud is this an example of?
- Cash theft
- Misuse of assets
- Financial statement fraud
- Disbursement fraud
4- Disbursement fraud
Rationale
This is an example of disbursement fraud.
Three factors are consistently present when people commit fraud. Which is the only one that organizations can control directly?
- Pressure
- Rationalization
- Opportunity
- Incentive
3- Opportunity
Rationale
Management can design internal controls to try to prevent opportunities for fraud and to detect fraudulent activities if they occur.
Besides the definitions of fraud from the Standards and from “Managing the Business Risk of Fraud, A Practical Guide” by The IIA, AICPA, and ACFE, what else do internal auditors need to understand fraud?
- Formal training in fraud investigations to develop the necessary expertise
- Sufficient knowledge of fraud to declare when fraud is occurring
- The legal definition of fraud in relevant jurisdictions
- Nothing else is needed; the auditors would be in conformance with the Standards for understanding fraud.
3- The legal definition of fraud in relevant jurisdictions
Rationale
In addition to the definitions mentioned in the question, each jurisdiction under which the organization operates may have a specific legal definition of fraud. Internal auditors are not expected to be experts in fraud investigations, nor are they the proper persons to declare when fraud is occurring. Rather, internal auditors should have sufficient knowledge of fraud to identify red flags indicating that fraud may have been committed. Professional fraud investigators would be responsible for declaring the existence of fraud.
In regard to fraud detection, each internal auditor should be competent at which of the following levels as they are defined in The IIA’s International Professional Practices Framework?
- Each internal auditor should be sufficiently trained in fraud detection to be able to devise controls to identify and prevent the major types of fraud likely to occur in a given organizational activity.
- Each internal auditor is responsible only for knowing The IIA’s definition of fraud and being able to identify the fraud detection experts relied upon by the internal audit activity.
- Each internal auditor should be proficient in fraud detection so as to be able to conduct an investigation with a high statistical probability of discovering at least one instance of fraud, if fraud is being perpetrated.
- Each internal auditor should have sufficient knowledge of fraud to recognize conditions that indicate the need for further action or a fraud investigation.
4- Each internal auditor should have sufficient knowledge of fraud to recognize conditions that indicate the need for further action or a fraud investigation.
Rationale
Each internal auditor is responsible for a sufficient knowledge of fraud to be able to identify the red flags that indicate the presence of fraud and to be able to recommend appropriate next steps for determining the likelihood of fraud.
During the year, a company switches to a new supplier for a service. The accounting clerk continues to submit fraudulent invoices from the old supplier. Because contracting for services and approval of supplier invoices have been delegated to the clerk, it is possible for the clerk to continue billings from the old supplier and deposit the subsequent checks, which the clerk is responsible for mailing, into a new account the clerk has opened in the name of the old supplier. Which of the following audit procedures would most likely lead to the detection of the fraud?
- Tracing a sample of receiving documents to invoices and checks disbursed
- Tracing a sample of checks disbursed to approved invoices for services
- Taking a sample of paid invoices and verifying receipt of services by the departments involved
- Performing a bank reconciliation and accounting for all outstanding checks
3- Taking a sample of paid invoices and verifying receipt of services by the departments involved
Rationale
Confirming the receipt of services that have been paid for with the departments involved would uncover the fraud. The fraudulent invoices are approved by the clerk, and each check will, therefore, be supported by an approved invoice. Bank reconciliations do not test the validity of the cash payments. The fraudulent payments would not be detected if the test begins with valid receiving reports.
Management of a property and casualty insurance company has two major concerns about the efficiency and effectiveness of the claims-processing activities:
- Some claims are being paid that should not be paid or are being paid in amounts in excess of the policy.
- Many claims are not being paid on a timely basis.
In preparing for an audit of the area, the internal auditor decides to perform a preliminary survey to gather more information about the nature of processing and potential problems. After informing management, the auditor is directed to go ahead with a fraud investigation. The auditor has identified the parties most likely to have been involved in the fraud, if indeed one is taking place. The auditor sends each potential participant a personal email indicating the nature of the investigation and urges the individual to come forward and explain the nature of the fraud. The auditor states that this is strictly an audit investigation and legal authorities are not involved. A major problem with this particular communication is
- the medium. Personal interviews should have been used instead of email.
- the nature of the message. The auditor should have detailed the specific allegations against each employee and allowed them the opportunity to respond. The message, as written, is too general.
- the medium. A paper-based document, such as a letter, should have been used instead of email.
- the nature of the communication. The auditor should have sent a questionnaire to each employee rather than seeking an open-ended response.
1- the medium. Personal interviews should have been used instead of email.
Rationale
The nature of the communication is highly sensitive and personal. A more personal form of communication, such as a direct interview, should have been used to elicit the response from the employees. The auditor is not in a position to detail the allegations against each specific employee.
The Standards require the internal audit activity to assess fraud risks at the ___________________ levels.
- system and entity
- organizational and engagement
- enterprise and operational
- business and departmental
2- organizational and engagement
Rationale
The Standards require the internal audit activity to assess fraud risks at the organizational and engagement levels. To ensure adequate review of the risks relevant to each engagement, internal auditors should conduct a fraud risk assessment as part of engagement planning. Over time, the knowledge the internal audit activity obtains during individual engagements can be compiled into a more robust and comprehensive organization-wide fraud risk assessment.
Which of the following best describes the timing for a fraud risk assessment?
- Annually
- In response to compliance enforcement
- In conjunction with a fraud response plan
- Ongoing
4- Ongoing
Rationale
A fraud risk assessment should be ongoing and dynamic and reflect the organization’s current business conditions. Change is constant and circumstances are not static; the risk assessment does not signal the end of the process.
Which is an example of something that usually tends to be present in people who have committed fraud?
- They believe no real reason is needed for what they did.
- They believe that they are still normal people.
- They believe that the opportunity they took means that the rules support their act.
- They believe that they are bad people and will be less likely to repeat the fraud.
2- They believe that they are still normal people.
Rationale
Fraud perpetrators must be able to justify their actions to themselves as a psychological coping mechanism, allowing them to believe they have done nothing wrong and are “normal people.”
An organization’s chief audit executive (CAE) feels that his team lacks the knowledge, skills, or other competencies needed to perform a fraud investigation. Implementation Standard 1210.A1 and Implementation Guide 2050 indicate that the CAE should
- outsource the forensic review to a team with the proper industry experience.
- refer the matter to the legal department.
- contact appropriate government investigative authorities.
- train the staff in forensic auditing prior to reviewing the particular case.
1- outsource the forensic review to a team with the proper industry experience.
Rationale
Implementation Standard 1210.A1 states that “the chief audit executive must obtain competent advice and assistance if the internal auditors lack the knowledge, skills, or other competencies needed to perform all or part of the engagement.” Implementation Guide 2050 advises the CAE to consider a service provider’s professional certifications, memberships in professional associations, reputation, experience, and familiarity with the organization’s industry or business. In addition, the CAE must ensure the independence and objectivity of the service provider.
What three factors are consistently present when people commit fraud?
- Pressure, effective controls, and explanation
- Opportunity, due professional care, and justification
- Experience, proficiency, and rationalization
- Opportunity, motive, and rationalization
4- Opportunity, motive, and rationalization
Rationale
Three factors are consistently present when people commit fraud:
* Opportunity, a combination of circumstances or conditions that enable fraud to occur
* Motive, an actual or perceived need that provides a reason for the fraud
* Rationalization, a concocted, convincing, and plausible justification
Internal auditors must have __________ knowledge to evaluate the risk of fraud.
- expert
- legal
- specialist
- sufficient
4- sufficient
Rationale
While internal auditors must have sufficient knowledge to evaluate the risk of fraud and how it is managed by the organization, they are not expected to have the expertise of a person whose primary responsibility is detecting and investigating fraud (Standard 1210.A2).
While screening proposals for a contract, a bid solicitor overlooks the fact that a company has no references and minimal related work history and qualifications. The bid solicitor helps the company falsify its documentation in exchange for a cut of the contract. What type of fraud is this an example of?
- Fraudulent disbursement
- Bribery
- Misuse of assets
- Cash theft
2- Bribery
Rationale
This is an example of bribery, in the form of kickbacks. Money was paid to influence the bid solicitor to make a decision that benefited the bribe payer.
An internal audit team is preparing to audit a function in charge of the transfer of completed components and products between divisions in a global organization. No actual transfer of funds occurs, nor is the function involved in the shipping and/or receiving of product. Employee performance is based on responsiveness and productivity. One member asks about the potential for fraud in this area. What would be an appropriate response?
- The function is sufficiently removed from the performance of transactions that fraud risk is low.
- There is potential for fraud that could benefit the organization.
- This question should be referred to the manager of the business function being audited.
- An employee could divert product for personal gain.
2- There is potential for fraud that could benefit the organization.
Rationale
The process of transfer pricing could allow the values of transferred goods to be misstated in order to lower tax liabilities or to manipulate the financial statements of divisions within the organization.
A third-party pension plan consultant working for a large retailer steals a computer. A file on the stolen equipment includes names, dates of birth, addresses, Social Security numbers, salary, and other information for nearly 100,000 current and former employees. This breach involving personal data is an example of what type of fraud?
- Cash theft
- Corruption
- Fraudulent disbursement
- Misuse of assets
4- Misuse of assets
Rationale
This is an example of misuse or theft of assets (embezzlement). In addition to the computer itself, information is also considered an asset.
How does fraud awareness training support fraud prevention?
- It reduces opportunities to commit fraud.
- It helps develop credible responses to potential risks.
- It limits rationalization.
- It facilitates the testing of controls.
3- It limits rationalization.
Rationale
Rationalization is how an individual justifies fraudulent actions. Human nature is such that most people will not commit fraud unless they can rationalize it to themselves. Fraud awareness training minimizes rationalization by supporting the ethical “tone at the top,” promoting an anti-fraud environment, and sending the message that the organization will not tolerate misconduct of any kind.
Internal auditing has reviewed a new acquisition and flagged a few problems with the computer systems that run operations. A new financial controller discovers that the organization is being defrauded and is losing a significant amount of money in the acquired operation due to the flaws in the computer systems. Senior executives blame internal auditing. Which of the following statements applies to fraud detection in this situation?
- External auditors have signed off on the accounts, so they are at fault.
- Internal auditing has assumed primary responsibility in conducting the review.
- Primary responsibility rests with management.
- The software manufacturer is to blame, and a lawsuit should be used to recover the funds.
3- Primary responsibility rests with management.
Rationale
The primary responsibility for fraud prevention, detection, and investigation rests with management, which also has the responsibility to manage the risk of fraud. Standard 1210.A2 states, “Internal auditors must have sufficient knowledge to evaluate the risk of fraud and the manner in which it is managed by the organization, but are not expected to have the expertise of a person whose primary responsibility is detecting and investigating fraud.” Fraud is an area where the services of outside experts are often retained.
Forensic auditors need to have significant knowledge and experience in what area?
- Using intuition to fill gaps in suspected perpetrators’ stories
- Practices and policies of the business activity being audited
- Case law
- COSO Internal Control—Integrated Framework
2- Practices and policies of the business activity being audited
Rationale
By necessity, forensic auditing requires not only understanding of accounting standards and practices but also familiarity with the practices and policies of the business activity being audited and expertise in investigative techniques and the rules and standards of legal proceedings. Forensic auditors do need to identify gaps in suspected perpetrators’ stories but will follow trails to find the missing information.
Which of the following fraudulent entries is most likely to be made to conceal the theft of an asset?
- Debit expenses and credit the asset.
- Debit another asset account and credit the asset.
- Debit the asset and credit another asset account.
- Debit revenue and credit the asset.
1- Debit expenses and credit the asset.
Rationale
Most fraud perpetrators would attempt to conceal their theft by charging it against an expense account. For an asset or an expense, a debit increases the account and a credit decreases the account. Thus, expenses increase in the records and the asset account decreases in value.
When interviewing an individual suspected of a fraud, the interviewer should
- ensure that the suspect’s supervisor is present.
- ask if the suspect committed the fraud.
- pay attention to the wording choices and behaviors of the suspect.
- lock the door to ensure that no one will interrupt the interview.
3- pay attention to the wording choices and behaviors of the suspect.
Rationale
Some behaviors during interviews may become fraud indicators or signs that the interviewee is lying or withholding information. Examples include restlessness, posture, reluctance to make eye contact, or signs of anxiety. Answers provided by the interviewee may also be fraud indicators, such as inappropriate attitudes (candor or sarcasm), sudden change in attitude about answering questions, or changes in answers given to questions during the interview. Wording choices, such as shifts in the use of pronouns and verbs, may indicate areas of dishonesty or fabrication.
An auditor suspects a disbursements fraud whereby an unknown employee is submitting and approving invoices for payment. Before discussing the potential fraud with management, the auditor decides to gather additional evidence. Which of the following procedures would be most helpful in providing the additional evidence?
- Taking a sample of invoices received during the past month, examining them to determine if they were properly authorized for payment, and tracing them to underlying documents such as receiving reports
- Selecting a sample of payments made during the year and investigating each one for approval
- Using audit software to develop a list of vendors with post office box numbers or other unusual features and selecting a sample of those items and tracing them to supporting documents such as receiving reports
- Selecting a sample of receiving reports representative of the period under investigation, tracing them to approved payments, and noting any items not properly processed
3- Using audit software to develop a list of vendors with post office box numbers or other unusual features and selecting a sample of those items and tracing them to supporting documents such as receiving reports
Rationale
The use of audit software would be the most effective procedure, since it would focus on the items that would most likely be fraudulent.