Fraud Prevention Flashcards

Question

The Committee of Sponsoring Organizations of the Treadway Commission’s (COSO) Enterprise Risk Management—Integrating with Strategy and Performance is composed of a set of principles organized into five interrelated components. Communication, as part of the information, communication, and reporting component, is defined as an organization’s: A. Tone that reinforces the importance of risk management and establishes the oversight responsibilities for managing risks B. Continual, iterative process of obtaining information and sharing it throughout the entity C. Ability to assess substantial changes that might affect its strategy and objectives D. Formal process of setting strategy and defining business objectives

Answer 1

B. Continual, iterative process of obtaining information and sharing it throughout the entity | See pages 4.803-4.805 in the Fraud Examiner's Manual ## Footnote The Committee of Sponsoring Organizations of the Treadway Commission’s (COSO) Enterprise Risk Management—Integrating with Strategy and Performance is composed of a set of principles organized into five interrelated components and twenty supporting principles that are based on a holistic view of an organization’s risk portfolio. The five components of the enterprise risk management (ERM) framework are: * Governance and culture * Strategy and objective-setting * Performance * Review and revision * Information, communication, and reporting COSO’s ERM framework defines communication as “the continual, iterative process of obtaining information and sharing it throughout the entity.” Management must use information gathered from both internal and external sources to support ERM. The principles related to information, communication, and reporting are: * The organization leverages information and technology to support ERM. * The organization communicates risk information. * The organization reports on risk, culture, and performance throughout the entity.

Answer 2

D. All of the above | See pages 4.825-4.826 in the Fraud Examiner's Manual ## Footnote Because the fraud risks and strategic initiatives of each organization differ, the detailed objectives of the fraud risk management program should be tailored to the organization’s specific needs and goals. Like any corporate initiative, without an explicit definition of what the organization intends to accomplish through its fraud risk management program, the program will have limited success. Consequently, management must balance the following factors in determining the program’s objectives: * Management’s risk appetite * The investment in anti-fraud controls * The prevention of frauds that are material in nature or amount An important component in defining the objective of the fraud risk management program is determining management’s risk appetite. Without an adequate understanding and articulation of just how much risk those charged with governance are willing to accept, any stated objectives of the fraud risk management program will be inaccurate. Risk appetite should be expressed in a manner that is appropriate for the organization’s culture and operations, and it can be measured and expressed either qualitatively—low, medium, or high, for example—or quantitatively, using a numeric scale. Another helpful starting point in determining the fraud risk management strategy is to examine previous occurrences of fraud and explore how management’s ideal fraud risk management program would have prevented, detected, and responded to them. In examining such incidents, management should consider the factors that allowed such frauds to occur.

Answer 3

D. Increasing perception of detection | See pages 4.602 in the Fraud Examiner's Manual ## Footnote Increasing the perception of detection might be the most effective fraud prevention method. Controls, for example, are not very effective in preventing theft and fraud if those at risk do not know of the presence of possible detection. This means letting employees, managers, and executives know that auditors are actively seeking information concerning internal theft.

Answer 4

A. True | See pages 4.738 in the Fraud Examiner's Manual ## Footnote The fraud risk assessment should play a significant role in informing and influencing the audit process. In addition to being used in the annual audit planning process, the fraud risk assessment should motivate thinking and awareness in the development of audit programs for areas that have been identified as having a moderate-to-high risk of fraud. Although auditors should always be vigilant of things that might be indicators of fraud risk, the results of the fraud risk assessment can help them design audit procedures in a way that enables them to look for fraud in known areas of high risk.

Answer 5

C. Risk tolerance | See pages 4.803-4.805 in the Fraud Examiner's Manual ## Footnote The Committee of Sponsoring Organizations of the Treadway Commission’s (COSO) Enterprise Risk Management—Integrating with Strategy and Performance is composed of a set of principles organized into five interrelated components and twenty supporting principles that are based on a holistic view of an organization’s risk portfolio. The five components of the enterprise risk management (ERM) framework are: * Governance and culture * Strategy and objective-setting * Performance * Review and revision * Information, communication, and reporting

Answer 6

D. All of the above | See pages 4.807 in the Fraud Examiner's Manual ## Footnote The following eight International Organization for Standardization (ISO) 31000:2018 principles provide that an effective and efficient risk management program: * Is integrated into all organizational activities * Is structured and comprehensive * Is customized and proportionate to the organization’s operations and objectives * Is inclusive and provides for appropriate and timely consideration of stakeholders’ knowledge, views, and perceptions * Is dynamic and responsive to change * Is based upon the best available information * Takes human and cultural factors into account * Facilitates continuous improvement

Answer 7

B. The risk management program is based on effective leadership and commitment. | See pages 4.807 in the Fraud Examiner's Manual ## Footnote The following eight International Organization for Standardization (ISO) 31000:2018 principles provide that an effective and efficient risk management program: * Is integrated into all organizational activities * Is structured and comprehensive * Is customized and proportionate to the organization’s operations and objectives * Is inclusive and provides for appropriate and timely consideration of stakeholders’ knowledge, views, and perceptions * Is dynamic and responsive to change * Is based upon the best available information * Takes human and cultural factors into account * Facilitates continuous improvement According to ISO 31000, the framework for an organization’s risk management program should be based on a foundation set by effective leadership and commitment, but this is not one of the eight principles of risk management provided by ISO 31000:2018.

Answer 8

A. Enhanced CDD | See pages 4.811-4.812 in the Fraud Examiner's Manual ## Footnote When certain customers present higher risks for engaging in illegal activity, organizations should undertake enhanced due diligence procedures. Factors that might prompt enhanced customer due diligence (CDD) include high-profile customers, large-value transactions, or foreign business dealings in countries known for corruption. While these enhanced due diligence procedures depend on the nature and severity of the risk presented by the customer, organizations should gather additional information to reduce their potential risk. Specifically, organizations should gather and analyze data to ensure that they are dealing with a customer who has good intentions. Under enhanced due diligence procedures, the following customer elements should be examined with a greater level of scrutiny to ensure legitimacy and that the risk has been responded to appropriately: * Identity (i.e., Is the customer who they claim to be?) * Source of income and overall net worth (i.e., Can the customer pay for the transaction, especially if they are requesting to pay on credit?) * Expected pattern of purchasing (i.e., Is this a onetime transaction or a series of transactions?) * Expected value (i.e., How large is the cumulative financial risk?) * Expected method of payment (i.e., Is the customer requesting to use a higher-risk payment method, such as a personal check or line of credit?)

Answer 9

D. All of the above | See pages 4.602 in the Fraud Examiner's Manual ## Footnote Increasing the perception of detection might be the most effective fraud prevention method. Controls, for example, are not very effective in preventing theft and fraud if those at risk do not know of the presence of possible detection. This means letting employees, managers, and executives know that auditors are actively seeking information concerning internal theft. This can be accomplished in several ways, such as through employee anti-fraud education, reporting programs, hotlines, rewards for whistleblowers, and proactive audit policies.

Answer 10

D. Specific controls and procedures that the organization uses to detect fraud | See pages 4.606-4.608 in the Fraud Examiner's Manual ## Footnote The content covered by the organization’s anti-fraud training should focus on the specific risks encountered by the organization to provide employees with practical, implementable knowledge. However, it should not give employees the information they need to circumvent the normal rules by explaining the details of controls and procedures used to detect fraud. In that regard, the following topics form the basis of an effective training program: * What fraud is, including examples of what behavior is acceptable and what is not * How fraud hurts the organization * How fraud hurts employees * Common characteristics that lead individuals to commit fraud (i.e., pressure, opportunity, and ability to rationalize the act) * How to identify fraud (i.e., specific examples of financial, transactional, behavioral, and other red flags to watch for) * How to report fraud * The punishment for dishonest acts, including examples of past transgressions and how they were managed

Answer 11

A. True | See pages 4.819-4.820 in the Fraud Examiner's Manual ## Footnote Fraud risk management programs must address fraud before, during, and after it occurs. Consequently, effective fraud risk management programs must incorporate policies and procedures designed to do all the following: * Prevent fraud—These activities focus on proactively identifying and assessing fraud risks and taking steps to address those risks; they are the first line of defense against fraud in the organization and generally include policies, procedures, training, and communication. * Detect fraud—These activities seek to identify fraud occurrences as soon as possible after they begin to limit the damage done. * Respond to identified fraud—These activities include investigating the allegation to determine the party or parties responsible, the means of the infraction, and the extent of the resulting damage; punishing the perpetrator, whether through employment sanctions or legal action; remediating the control weaknesses that allowed the fraud to be undertaken; and rebuilding stakeholders’ confidence in the organization.

Answer 12

B. An independent audit committee member | See pages 4.707 in the Fraud Examiner's Manual ## Footnote Having the right sponsor for a fraud risk assessment is extremely important in ensuring its success and effectiveness. The sponsor must be senior enough in the organization and command the employees' respect to elicit full cooperation in the process. The sponsor must be committed to learning the truth about where the company’s fraud vulnerabilities are. The sponsor cannot be prone to rationalization or denial; they must be a truth seeker. In the ideal situation, the sponsor would be an independent board director or audit committee member. However, a good chief executive officer (CEO) or another internal senior leader can be equally as effective.

Answer 13

A. True | See pages 4.735 in the Fraud Examiner's Manual ## Footnote The success of the fraud risk assessment process depends on how effectively the results are reported and what the organization then does with those results. A poorly communicated report can undermine the entire process and stall the established momentum. The report should be delivered in a style most suited to the language of the business. For example, if management prefers succinct visual presentations, then the fraud risk assessment team should not deliver a fifty-page written document.

Answer 14

A. True | See pages 4.816 in the Fraud Examiner's Manual ## Footnote As a sub-group of the board of directors, the audit committee is often assigned oversight of the organization’s financial, accounting, and audit matters and reports to the full board. As part of this responsibility, the committee must take an active role in supervising the assessment and monitoring of the organization’s fraud risks. This involves: * Receiving regular reports on the status of reported or alleged fraud * Being aware of fraud risks that are common in the organization’s industry * Meeting regularly with key internal parties (e.g., the chief audit executive [CAE] or other senior financial persons) to discuss identified fraud risks and the steps being taken to prevent and detect fraud * Understanding how internal and external audit strategies address fraud risk * Providing external auditors with evidence that the audit committee is dedicated to effective fraud risk management * Engaging in open conversations with external auditors about any known or suspected fraud * Seeking advice of legal counsel whenever it deals with allegations of fraud

Answer 15

A. True | See pages 4.602-4.603 in the Fraud Examiner's Manual ## Footnote Implementing proactive audit procedures demonstrates management’s intention to aggressively look for possible fraudulent conduct instead of waiting for instances to be reported. Such techniques include the use of analytical review procedures, data and transaction monitoring and analysis, fraud assessment questioning, and surprise audits where possible.

Answer 16

A. True | See pages 4.621-4.622 in the Fraud Examiner's Manual ## Footnote It is ineffective to have an anti-fraud or ethics policy if it is not communicated to the employees. This communication can be accomplished in several ways, such as during employee orientation and annual training sessions, via interoffice memoranda or newsletters, and through notices displayed in common areas. In all these mechanisms, the communication of the policy should be presented in a positive, non-accusatory manner.

Answer 17

D. All of the above | See pages 4.611-4.612 in the Fraud Examiner's Manual ## Footnote Organizations can empower employees who wish to disclose information without the fear of negative consequences by creating a safe environment for them to voice their concerns. This can be accomplished by implementing a clear whistleblower policy that details standard reporting protocols and the consequences for retaliating against whistleblowers. This policy can stand alone or be part of the anti-fraud policy. It is important for management to establish and publicize the organization’s whistleblower procedures so that individuals both inside and outside the organization are aware of the appropriate channels for reporting misconduct. The whistleblower policy should emphasize that it applies to all employees, regardless of their positions or seniority, as well as to anyone external to the organization who has knowledge of potential wrongdoing by any employees or on the company’s part. It should detail what types of misconduct to report, how to report concerns, and any rewards available for disclosing credible information. In addition, a whistleblower policy should include an anti-retaliation component that details the protections the organization affords to whistleblowers and how people will be punished if they violate the policy. By instituting and transparently enforcing a zero-tolerance policy against retaliation, management can increase the likelihood that employees will feel comfortable raising concerns without fear of retribution.

Answer 18

A. True | See pages 4.812-4.813 in the Fraud Examiner's Manual ## Footnote Management should conduct proper due diligence when seeking new vendors or evaluating the relationship of existing vendors to prevent and detect misconduct. An organization can assess a vendor’s commitment to compliance and ethics by performing the following due diligence procedures: * Ensure that vendors have their own ethics and compliance program before engaging in any transactions. * Provide the vendor with the organization’s code of conduct and require the vendor’s agents to sign and agree to abide by the code. * Inquire about the vendor’s internal audit department and the types of audits the vendor is subject to. * Include contract clauses that require vendors to report any misconduct. * Alert the vendor that they will be liable for any unethical conduct that occurs in doing business with the organization.

Answer 19

A. True | See pages 4.820, 4.823 in the Fraud Examiner's Manual ## Footnote The Fraud Risk Management Guide, a joint publication by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) and the ACFE, describes five broad principles of fraud risk management, one for each of the five interrelated components of internal control listed in COSO’s Internal Control—Integrated Framework: fraud risk governance, fraud risk assessment, fraud control activities, fraud investigation and corrective action, and fraud risk management monitoring activities. Each of these principles is then supported by several points of focus. The principles and underlying points of focus combine to create a full framework that can be used to design, implement, and assess an effective fraud risk management program. Under the fraud control activities principle, the organization selects, develops, and deploys preventive and detective fraud control activities to mitigate the risk of fraud events occurring or not being detected in a timely manner.

Answer 20

D. All of the above | See pages 4.613-4.614 in the Fraud Examiner's Manual ## Footnote To achieve an organizational culture with a strong value system founded on integrity, management must show employees through its words and actions that dishonest or unethical behavior will not be tolerated. Management must also create an environment in which employees feel safe to challenge management’s decisions or speak up if they think something is wrong. A culture that encourages employees to share their concerns can reduce the risk of fraud significantly because employees often feel more loyal to their superiors. Such a culture might also prevent unethical behavior because issues of anger or stress can be addressed before they escalate to the point of a fraud. Additionally, management must demonstrate ethics to model the behavior that is expected of the staff. When management believes and acts as though it is irreproachable with respect to company policies, staff members are much less likely to follow rules. Staff members frequently resent management for expecting them to behave in a certain way when members of management do not behave in the same way themselves. However, when management acts ethically and follows organizational policies, the staff tends to respect and appreciate the behavior and copy it.

Answer 21

C. Placing a low priority on checking professional references, since most people do not provide bad references | See pages 4.614-4.615 in the Fraud Examiner's Manual ## Footnote Before hiring anyone, management should conduct a background check (where and to the extent permitted by law) to find out as much as possible about the employee’s previous experience with employers and law enforcement. At a minimum, employers should check the background of any employee who will have access to cash, checks, credit card numbers, or any other items that are easily stolen. Background checks should also be conducted on existing employees who are being promoted or moved to positions that include access to sensitive or valuable company resources. Even if such a check was performed on the employee at the time of hire, updated background checks should be conducted to identify any significant changes or occurrences that have taken place during the individual’s time with the organization. In assessing individuals for hire or promotion, employers should verify past employment. Even though most employers will only verify position and dates of employment, their tone of voice often indicates what they think of the employee. Also, previous employers should be asked whether the applicant is eligible for rehire. Additionally, the hiring manager or human resources (HR) should contact the references provided by the candidate. Unfortunately, very few organizations actually do this. Most operate under the theory that someone would not provide a bad reference. However, some job applicants will list individuals who sound important as references with the hope that the hiring organization will not call. In addition, people often just assume, incorrectly, that a former supervisor or coworker will provide a good reference. But obtaining negative information from someone the candidate listed as a recommendation can be very revealing and should serve as a serious warning sign to the hiring organization.

Answer 22

D. All of the above | See pages 4.702 in the Fraud Examiner's Manual ## Footnote No system of anti-fraud controls can fully eliminate the risk of fraud, but well-designed and effective anti-fraud controls can deter the average fraudster by reducing the opportunity to commit the fraud and increasing the perception of detection. With the right balance of preventive and detective controls, a good system of anti-fraud controls can greatly reduce an organization’s vulnerability to fraud.

Answer 23

A. Regulatory and legal misconduct | See pages 4.718 in the Fraud Examiner's Manual ## Footnote Regulatory and legal misconduct includes a wide range of risks, such as conflicts of interest, insider trading, theft of competitor trade secrets, anti-competitive practices, environmental violations, and trade and customs regulations in areas of import and export. Depending on the particular organization and the nature of its business, some or all of these risks might be applicable and should be considered in the fraud risk assessment process.

Answer 24

A. The board of directors | See pages 4.815-4.816 in the Fraud Examiner's Manual ## Footnote To ensure that the fraud risk management program is effective in both operation and design, it must be fully accepted by those charged with governing and overseeing the organization. Specifically, the board of directors must recognize the true and specific risks of fraud to the organization, as well as their potential impact, and respond by: * Setting an appropriate tone and realistic expectations of management to enforce an anti-fraud culture * Gaining sufficient knowledge of the organization’s activities and the environments in which it operates * Raising awareness of the risks of fraud throughout the organization * Developing a strategy to assess and manage fraud risks that aligns with the organization’s risk appetite and strategic plans * Overseeing the organization’s fraud risk management activities * Maintaining open communications with senior management and other personnel

Answer 25

C. Corruption | See pages 4.718 in the Fraud Examiner's Manual ## Footnote Potential corruption risks include: * Payment of bribes or illegal gratuities to companies, private individuals, or public officials * Receipt of bribes, kickbacks, or illegal gratuities by employees or agents of the company * Aiding and abetting of fraud by outside parties, such as customers or vendors

Answer 26

D. All of the above | See pages 4.817-4.818 in the Fraud Examiner's Manual ## Footnote According to the Fraud Risk Management Guide, a joint publication by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) and the ACFE, and Managing the Business Risk of Fraud: A Practical Guide, all levels of staff, including management, should: * Understand the organization’s ethical culture and the organization’s commitment to that culture. * Have a basic understanding of fraud and be aware of the red flags. * Understand their individual roles within the organization’s fraud risk management framework, how their job procedures are designed to manage fraud risks, and when noncompliance might create an opportunity for fraud to occur or go undetected. * Read and understand policies and procedures such as the organization’s fraud policy, code of conduct, whistleblower policy, procurement manuals, etc. * As required, participate in creating a strong control environment, designing and implementing fraud control activities, and monitoring activities. * Report suspicions or incidents of fraud. * Cooperate in investigations.

Answer 27

A. True | See pages 4.720 in the Fraud Examiner's Manual ## Footnote The fraud risk assessment team should consider qualitative and quantitative factors when assessing the organization's fraud risks. For example, a particular fraud risk that might only pose an immaterial direct financial risk to the organization, but that could greatly affect its reputation, would likely be deemed a significant risk to the organization.

Answer 28

B. False | See pages 4.714 in the Fraud Examiner's Manual ## Footnote The fraud risk assessment process should be visible and communicated throughout the business. Employees will be more inclined to participate in the process if they understand why it is being done and what the expected outcomes will be. To that end, sponsors should be strongly encouraged to openly promote the process. The more personalized the communication from the sponsor, the more effective it will be in encouraging employees to participate in the process. Whether it is a video, town-hall meeting, or company-wide email, the communication should be aimed at eliminating any reluctance employees have about participating in the fraud risk assessment process.

Answer 29

A. True | See pages 4.604 in the Fraud Examiner's Manual ## Footnote In addition to regularly scheduled fraud audits, surprise fraud audits of business functions in which fraud is most likely to occur can be effective both in increasing employees’ perception of detection and in uncovering actual frauds that have been perpetrated. The surprise element must be present for this control to be effective; predictability allows perpetrators the time to conceal their acts by altering, destroying, or misplacing records and other evidence.

Answer 30

A. True | See pages 4.705 in the Fraud Examiner's Manual ## Footnote The actions of certain individuals can significantly increase the company’s vulnerability to fraud. The risk can emerge from the way in which someone makes decisions, behaves, or treats others within and outside the organization. A fraud risk assessment can help identify those people and their activities that might increase the company’s overall fraud risk.

Answer 31

D. To reduce the residual fraud risk to a level that is significantly lower than the inherent fraud risk | See pages 4.701 in the Fraud Examiner's Manual ## Footnote When considering the fraud risks encountered by an organization, it is helpful to analyze how significant a risk is before and after risk response. Risks that are present before the effect of internal controls (including targeted anti-fraud controls) are described as inherent risks. The risks that remain after the effect of these controls are described as residual risks. For example, there is an inherent risk that the employee in charge of receiving customer payments at a small company might embezzle incoming cash. Anti-fraud controls, such as separation of duties and oversight from the company owner, can be implemented to help mitigate this risk; however, even with such controls in place, some residual risk will likely remain in that the bookkeeper might still manage to embezzle funds. The objective of the controls is to reduce the residual risk to a level that is significantly lower than the inherent risk.

Answer 32

A. True | See pages 4.712 in the Fraud Examiner's Manual ## Footnote There are many ways to go about conducting the fraud risk assessment. Selecting a method or combination of methods that is culturally right for the organization will help to ensure its success. The assessment team should also consider the best ways to gather candid, truthful information from people throughout all levels of the organization, starting by understanding what techniques are commonly and effectively used throughout the organization.

Answer 33

B. Personnel at all levels of the organization | See pages 4.815 in the Fraud Examiner's Manual ## Footnote According to the Fraud Risk Management Guide, a joint publication by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) and the ACFE, “personnel at all levels of the organization—including every level of management, staff, and internal auditors—have responsibility for managing fraud risk.”

Answer 34

A. True | See pages 4.826 in the Fraud Examiner's Manual ## Footnote An important component in defining the objective of the fraud risk management program is determining management’s risk appetite. Risk appetite should be expressed in a manner that is appropriate for the organization’s culture and operations, and it can be measured and expressed either qualitatively—low, medium, or high, for example—or quantitatively, using a numeric scale.

Answer 35

B. False | See pages 4.602 in the Fraud Examiner's Manual ## Footnote Most experts agree that it is much easier to prevent fraud than to detect it. Understanding something about the potential perpetrator’s mind can help to prevent fraud. Increasing the perception of detection might be the most effective fraud prevention method. Controls, for example, are not very effective in preventing theft and fraud if those at risk do not know of the presence of possible detection.

Answer 36

A. An organization should request that new vendors complete a questionnaire about their background immediately after signing a contract with them. | See pages 4.812-4.813 in the Fraud Examiner's Manual ## Footnote The best way to obtain information about a third party is often directly from the third party itself. Before entering into a relationship with a new vendor, management should seek to obtain information from the vendor by using a questionnaire. This will provide the organization with some background information about the vendor that can also be cross-referenced during a background check. In addition to evaluating a potential vendor’s operations and financial status, management should also consider the vendor’s ethical climate and commitment to compliance. An organization can assess a vendor’s commitment to compliance and ethics by performing the following due diligence procedures: * Ensure that vendors have their own ethics and compliance program before engaging in any transactions. * Provide the vendor with the organization’s code of conduct and require the vendor’s agents to sign and agree to abide by the code. * Inquire about the vendor’s internal audit department and the types of audits the vendor is subject to. * Include contract clauses that require vendors to report any misconduct. * Alert the vendor that they will be liable for any unethical conduct that occurs in doing business with the organization.

Answer 37

A. True | See pages 4.832-4.833 in the Fraud Examiner's Manual ## Footnote Organizations should enact policies that reflect the consequences and processes for individuals who commit or condone fraudulent activity. Such consequences might include termination of employment (or the termination of a contract for nonemployees), reporting of the incident to law enforcement or regulatory authorities, and pursuit of civil or criminal action against the perpetrator(s). It is important for management to ensure that any corrective action taken is applied consistently for all involved in the fraudulent act. The organization should also have specific policies in place to identify and remediate any control deficiencies that allowed fraudulent conduct to occur.

Answer 38

A. True | See pages 4.705 in the Fraud Examiner's Manual ## Footnote Assessing an area as having a high level of fraud risk does not conclusively mean that fraud is occurring there. However, the fraud risk assessment is useful in identifying areas that should be proactively investigated to determine whether fraud has occurred. In addition, putting activity in high-risk areas under increased scrutiny can deter potential fraudsters by increasing their perception of detection.

Answer 39

B. False | See pages 4.707 in the Fraud Examiner's Manual ## Footnote A good fraud risk assessment can be conducted effectively either by people inside the organization or external sources. However, the people leading and conducting the fraud risk assessment need to be independent and objective throughout the assessment process. Additionally, they must also be perceived as independent and objective by others.

Answer 40

D. All of the above | See pages 4.625 in the Fraud Examiner's Manual ## Footnote The following 12 components are necessary to develop, implement, and manage a comprehensive ethics program: * Focus on ethical leadership * Vision statement * Values statement * Code of ethics * Designated ethics official * Ethics task force or committee * Ethics communication strategy * Ethics training * Ethics help and fraud reporting hotlines * Ethical behavior rewards and sanctions * Comprehensive system to monitor and track ethics data * Periodic evaluation of ethics efforts and data

Answer 41

A. True | See pages 4.802 in the Fraud Examiner's Manual ## Footnote Risk management involves the identification, prioritization, treatment, and monitoring of risks that threaten an organization’s ability to provide value to its stakeholders, whether increasing profitability and shareholder value for a for-profit entity or achieving program-specific goals for a nonprofit or governmental agency. More specifically, risk management balances risk appetite—how much risk management is willing to accept—with the ability to meet the organization’s strategic, operational, reporting, and compliance objectives.

Answer 42

B. False | See pages 4.701 in the Fraud Examiner's Manual ## Footnote When considering the fraud risks encountered by an organization, it is helpful to analyze how significant a risk is before and after risk response. Risks that are present before the effect of internal controls (including targeted anti-fraud controls) are described as inherent risks. The risks that remain after the effect of these controls are described as residual risks. For example, there is an inherent risk that the employee in charge of receiving customer payments at a small company might embezzle incoming cash. Anti-fraud controls, such as separation of duties and oversight from the company owner, can be implemented to help mitigate this risk; however, even with such controls in place, some residual risk will likely remain in that the bookkeeper might still manage to embezzle funds. The objective of the controls is to reduce the residual risk to a level that is significantly lower than the inherent risk.

Answer 43

A. True | See pages 4.611-4.612 in the Fraud Examiner's Manual ## Footnote Organizations can empower employees who wish to disclose information without the fear of negative consequences by creating a safe environment for them to voice their concerns. This can be accomplished by implementing a clear whistleblower policy that details standard reporting protocols and the consequences for retaliating against whistleblowers. This policy can stand alone or be part of the anti-fraud policy. It is important for management to establish and publicize the organization’s whistleblower procedures so that individuals both inside and outside the organization are aware of the appropriate channels for reporting misconduct. The whistleblower policy should emphasize that it applies to all employees, regardless of their positions or seniority, as well as to anyone external to the organization who has knowledge of potential wrongdoing by any employees or on the company’s part. It should detail what types of misconduct to report, how to report concerns, and any rewards available for disclosing credible information. In addition, a whistleblower policy should include an anti-retaliation component that details the protections the organization affords to whistleblowers and how people will be punished if they violate the policy. By instituting and transparently enforcing a zero-tolerance policy against retaliation, management can increase the likelihood that employees will feel comfortable raising concerns without fear of retribution.

Answer 44

C. Separation of duties | See pages 4.721-4.722 in the Fraud Examiner's Manual ## Footnote Preventive controls, which are intended to prevent fraud before it occurs, include: * Bringing awareness of the fraud risk management program to personnel throughout the organization * Performing background checks on employees (where permitted by law) * Hiring competent personnel and providing them with anti-fraud training * Conducting exit interviews * Implementing policies and procedures * Separating duties * Implementing physical security measures * Implementing security measures to restrict electronic access to data * Ensuring proper alignment between an individual’s authority and level of responsibility * Reviewing third-party and related-party transactions Continuous audit procedures are an example of detective controls, which are intended to detect fraud if it does occur.

Answer 45

B. Describe the penalties that people may encounter for refusing to provide tips. | See pages 4.611-4.612 in the Fraud Examiner's Manual ## Footnote Organizations can empower employees who wish to disclose information without the fear of negative consequences by creating a safe environment for them to voice their concerns. This can be accomplished by implementing a clear whistleblower policy that details standard reporting protocols and the consequences for retaliating against whistleblowers. This policy can stand alone or be part of the anti-fraud policy. It is important for management to establish and publicize the organization’s whistleblower procedures so that individuals both inside and outside the organization are aware of the appropriate channels for reporting misconduct. The whistleblower policy should emphasize that it applies to all employees, regardless of their positions or seniority, as well as to anyone external to the organization who has knowledge of potential wrongdoing by any employees or on the company’s part. It should detail what types of misconduct to report, how to report concerns, and any rewards available for disclosing credible information. In addition, a whistleblower policy should include an anti-retaliation component that details the protections the organization affords to whistleblowers and how people will be punished if they violate the policy. By instituting and transparently enforcing a zero-tolerance policy against retaliation, management can increase the likelihood that employees will feel comfortable raising concerns without fear of retribution.

Answer 46

A. True | See pages 4.614 in the Fraud Examiner's Manual ## Footnote A well-designed organizational structure—with key areas of authority and clear and proper lines of reporting—can be an effective fraud prevention measure. A confused structure, in contrast, makes it easier for a fraudster to perpetrate and conceal their misdeeds. Establishing and communicating the proper flow of information to everyone in the organization is an essential component of a well-designed organizational structure. Flowcharts displaying organizational and departmental hierarchies can be a helpful tool for this purpose. To ensure that information is being properly received and that instructions are being carried out, such checks must be established.

Answer 47

A. True | See pages 4.611 in the Fraud Examiner's Manual ## Footnote While the global landscape of legal protection offered to whistleblowers varies, more countries are beginning to enact measures that protect whistleblowers who suffer retaliation. Some countries have anti-retaliation laws to protect employees against retaliation in the workplace. In successful cases, these laws might offer remedies that reinstate employment, award back pay with interest, and recover attorneys’ fees or other litigation costs. In jurisdictions that do not have formal legal protection for whistleblowers, countries often use their own employment laws and anti-corruption provisions as a framework; however, due to legalities, these employment laws and anti-corruption provisions might be limited in their ability to protect whistleblowers against retaliation in the workplace for reporting misconduct.

Answer 48

C. Surveys | See pages 4.712-4.713 in the Fraud Examiner's Manual ## Footnote Several techniques can be used to gather information successfully as part of a fraud risk assessment. These include: * Interviews, which can be an effective way to conduct candid one-on-one conversations with employees * Focus groups, which can enable the assessor to observe the interactions among a group of employees as they collectively discuss a question or issue * Surveys, which are electronic or paper questionnaires that can be either anonymous or directly attributable to the individual participants * Anonymous feedback mechanisms, which can include means for anonymous employee suggestions or responses to questions posed

Answer 49

B. False | See pages 4.816-4.817 in the Fraud Examiner's Manual ## Footnote The board of directors is responsible for developing and supporting the organization’s underlying fraud risk management strategy. However, senior management has the primary responsibility for designing, implementing, monitoring, and improving the fraud risk management program. As part of this responsibility, senior management must: * Be extremely familiar with the organization’s fraud risks. * Ensure that the organization has specific and effective internal controls in place to prevent and detect fraud. * Set a tone at the top and monitor the company culture to ensure it appropriately supports the organization’s fraud prevention and detection strategies. Senior management must exude ethics for staff to be inspired and feel obligated to follow suit. * Clearly communicate—both in words and actions—that fraud is not tolerated. * Take all reports of fraud seriously and undertake investigations for any such reports deemed reliable. * Punish perpetrators of discovered fraud appropriately. Punishing perpetrators reinforces the culture of ethics and the fact that fraud will not be tolerated. * Take any steps necessary to remediate weaknesses that allowed frauds to occur. * Report to the board of directors on a regular basis regarding the effectiveness of the organization’s fraud risk management program.

Answer 50

A. True | See pages 4.622 in the Fraud Examiner's Manual ## Footnote In developing the anti-fraud policy, management should consult legal counsel regarding any necessary legal considerations with respect to the policy. One of the most important legal considerations is to ensure that all allegations and offenders are managed uniformly. Additionally, if the type of conduct that is considered unacceptable is not accurately detailed, there might be legal problems in terminating a dishonest employee.

Answer 51

B. False | See pages 4.736 in the Fraud Examiner's Manual ## Footnote Less is often more when it comes to reporting the results of the fraud risk assessment. The team should not make the report a tedious list of things that management will have to sort through and prioritize. Instead, the report should be presented in a way that focuses on what matters, clearly highlighting things that are most important and that will make the most impact on the organization’s fraud risk management efforts.

Answer 52

D. All of the above | See pages 4.829-4.833 in the Fraud Examiner's Manual ## Footnote According to Managing the Business Risk of Fraud: A Practical Guide, the following are ten essential components for effectively managing fraud risk: * Statement of commitment—A written statement of commitment to the program from the board of directors and senior management * Fraud awareness—A formal fraud risk awareness program for all employees * Affirmation process—A requirement for directors, employees, and contractors to explicitly affirm that they have read, understood, and complied with the organization’s code of conduct and fraud risk management program * Conflict disclosure—A system for directors, employees, and contractors to self-disclose to the organization any potential or actual conflicts of interest * Fraud risk assessment—The proactive identification and assessment of the organization’s fraud risks * Reporting procedures and whistleblower protection—Systems and support for receiving fraud allegations from employees and other parties * Investigation process—A formalized process that is undertaken following all reports of suspected fraud * Corrective action—Policies that reflect the consequences and processes for individuals who commit or condone fraudulent activity and that identify and remediate any control deficiencies that allowed the fraud to occur * Process evaluation and improvement (quality assurance)—Formal procedures to periodically evaluate the fraud risk management program’s effectiveness * Continuous monitoring—Ongoing review of the program to ensure it is addressing the organization’s current needs and risks

Answer 53

B. False | See pages 4.613 in the Fraud Examiner's Manual ## Footnote A strong corporate culture can most often be observed by its outcome, rather than by any individual component. Fostering a culture of ethics and compliance is more beneficial than simply implementing a checklist of initiatives; similarly, a culture of corruption can exist even in companies with seemingly sound policies in place.

Answer 54

A. Including ethics-based metrics as a component of performance evaluations | See pages 4.616 in the Fraud Examiner's Manual ## Footnote Organizations should provide employees with well-defined job descriptions and performance goals. Performance goals should be routinely reviewed to ensure that they do not set unrealistic standards, and training should be provided on a consistent basis to ensure that employees maintain the skills needed to perform their tasks effectively. Management should also quickly determine where deficiencies in an employee’s conduct exist and work with the employee to fix the problem. Additionally, it is easy for employees to waver between performance goals that motivate them to challenge themselves and those that are so ambitious that the only way they can meet them is to perpetrate fraud. When employee compensation, including bonuses, or job security is tied to unachievable performance goals, employees have the incentive to mastermind creative (i.e., fraudulent) approaches to meet them. Including ethics-based metrics—those that focus on how employees do business, not just how much business they do—as a component of performance goals and evaluation can be an especially effective way to foster ethical behavior and reinforce the importance of ethics as the guiding factor in making business decisions.

Answer 55

B. False | See pages 4.707-4.708 in the Fraud Examiner's Manual ## Footnote The people leading and conducting the fraud risk assessment should be mindful about any personal biases they might have regarding the organization and the people within it, and they should take steps to reduce or eliminate all biases that might affect the fraud risk assessment process. For example, if an employee on the fraud risk assessment team has a history of conflicts with someone in the accounts payable department, they might allow that experience to affect their evaluation of the fraud risks related to that area of the business. To compensate for this bias, someone else should perform the fraud risk assessment work related to the accounts payable department’s activities.

Answer 56

C. Fraud risk | See pages 4.701 in the Fraud Examiner's Manual ## Footnote Cressey’s Fraud Triangle teaches that there are three interrelated elements that enable someone to commit fraud: the motive or pressure that drives a person to want to commit the fraud, the opportunity that enables them to commit the fraud, and the ability to rationalize the fraudulent behavior. The vulnerability that an organization encounters from individuals capable of combining all three elements of the Fraud Triangle is fraud risk. Fraud risk can come from sources that are both internal and external to the organization, and it is one of the many types of risks managed by an organization.

Answer 57

B. False | See pages 4.709 in the Fraud Examiner's Manual ## Footnote Risk assessments created or performed by management and auditors without the input of the staff performing the operational tasks will be ineffective. It is crucial to include members of all levels of the organization in the risk assessment process to ensure that all relevant risks are addressed and reviewed from many different perspectives. Additionally, asking employees at lower levels of the organization specific questions about the company culture or eliciting ideas to strengthen anti-fraud controls can provide incredibly valuable information that might not be obtainable from any other source.

Answer 58

A. True | See pages 4.828 in the Fraud Examiner's Manual ## Footnote The fraud risk management program must include systems specifically designed to monitor, identify, and address breaches in compliance. Such breaches might include failures in the design or operation of anti-fraud controls, as well as outright occurrences of fraud. A specific individual or team should be assigned responsibility for monitoring compliance with the fraud risk management program and for managing suspected instances of noncompliance. Formal sanctions for intentional noncompliance must be well-publicized and carried out in a consistent and firm manner.

Answer 59

D. II and IV | See pages 4.609 in the Fraud Examiner's Manual ## Footnote An anonymous reporting channel, such as an ethics hotline, is an integral part of an anti-fraud control system. Employees must be made aware of the existence of the reporting mechanism, taught how to use it, and be able to trust that they can report suspicious activity anonymously or confidentially (where permitted by law) without fear of reprisal. In addition, it should be made clear to employees that reports of suspicious activity will be promptly and thoroughly evaluated. Education about a reporting program should specifically emphasize that: * Fraud, waste, and abuse occur in nearly all companies. * Such conduct costs the company jobs and profits. * The company actively encourages any employee with information to disclose it. * The employee can provide information anonymously and without fear of retaliation for good-faith reporting. * There is an exact method for reporting an incident (e.g., a telephone number or online form). * The report need not be made to one's immediate superiors.

Answer 60

D. All of the above | See pages 4.716-4.717 in the Fraud Examiner's Manual ## Footnote The fraud risk assessment team should brainstorm to identify the inherent fraud risks that could apply to the organization. In addition to each of the major areas of fraud risks—fraudulent financial reporting, asset misappropriation, corruption, and fraud from external sources—certain other types of risks must be considered, including the risk of regulatory and legal misconduct, reputational risk, and risk to information technology (IT). Brainstorming should also include discussions regarding incentives, pressures, and opportunities to commit fraud, including the incentive programs and how those might affect employee behavior, as well as the potential for management to override controls.

Answer 61

A. The organization identifies risk that impacts its performance and ability to meet objectives. | See pages 4.803-4.805 in the Fraud Examiner's Manual ## Footnote The Committee of Sponsoring Organizations of the Treadway Commission’s (COSO) Enterprise Risk Management—Integrating with Strategy and Performance is composed of a set of principles organized into five interrelated components and twenty supporting principles that are based on a holistic view of an organization’s risk portfolio. The five components of the enterprise risk management (ERM) framework are: * Governance and culture * Strategy and objective-setting * Performance * Review and revision * Information, communication, and reporting As part of its ERM activities, an organization should review how well the ERM capabilities and practices have increased value over time and how they will continue to drive value for the organization. The principles pertaining to review and revision are: * The organization assesses substantial changes that might affect its strategy and objectives. * The organization reviews its risk and performance. * The organization pursues improvement in ERM. An organization identifying risks that impact its performance and ability to meet objectives is associated with the performance component of COSO’s ERM framework.

Answer 62

D. All of the above | See pages 4.706-4.707, 4.709 in the Fraud Examiner's Manual ## Footnote Both management and auditors have a responsibility for fraud risk management. However, each of these parties has unique knowledge and perspective of the fraud risks encountered by the organization. Consequently, the fraud risk assessment is most effective when management and auditors share ownership of the process and accountability for its success. Additionally, a good fraud risk assessment can be conducted effectively either by people inside the organization or external sources. Either way, it is critical that the people leading and conducting the fraud risk assessment remain independent and objective throughout the assessment process. Additionally, they must be perceived as independent and objective by others. Furthermore, most honest people are not naturally inclined to think like a criminal. In fact, many large-scale frauds that have occurred would have been deemed unthinkable by people closest to the events. But a necessary part of conducting an effective fraud risk assessment involves thinking like a fraudster. Thoughts of “it couldn’t happen here” should not be allowed to moderate the evaluation of fraud risk.

Answer 63

B. False | See pages 4.826 in the Fraud Examiner's Manual ## Footnote Management can choose whether to use a quantitative or qualitative measure to express risk appetite. An important component in defining the objective of the fraud risk management program is determining management’s risk appetite. Risk appetite should be expressed in a manner that is appropriate for the organization’s culture and operations, and it can be measured and expressed either qualitatively—low, medium, or high, for example—or quantitatively, using a numeric scale. For example, a company’s management might decide that it prefers to reduce the residual risk of fraud down to a low level, implying a desire for strong controls and monitoring of such controls over a particular area of the business. Another company might decide that any risk rated 3 or higher (on a risk scale of 1–5) is unacceptable. Risk appetite can also be broken down into specific types or sources of fraud, which allows for prioritization of fraud risk management strategies based on the assessed components.

Answer 64

B. False | See pages 4.812-4.813 in the Fraud Examiner's Manual ## Footnote The best way to obtain information about a third party is often directly from the third party itself. Before entering into a relationship with a new vendor, management should seek to obtain information from the vendor by using a questionnaire. This will provide the organization with some background information about the vendor that can also be cross-referenced during a background check.

Answer 65

A. True | See pages 4.603-4.604 in the Fraud Examiner's Manual ## Footnote Fraud assessment questioning is a non-accusatory interview technique used as a part of a normal audit. It is based on the theory that employees’ attitudes are a good indicator of potential problems and that one of the most effective ways to assess potential fraud is to ask about it. Examples of questions that can be used in this approach include the following: * Part of my duty as an auditor is to find fraud, waste, and abuse. Do you understand that? * Do you think fraud is a problem for business in general? * Do you think this company has any particular problem with fraud? * Has anyone ever asked you to do anything that you felt was illegal or unethical? * If you felt that there was a problem in the company with respect to fraud, what would you do? * Do you have any indication that there is fraud occurring in the company now?

Answer 66

A. True | See pages 4.622 in the Fraud Examiner's Manual ## Footnote In developing the anti-fraud policy, management should consult legal counsel regarding any necessary legal considerations with respect to the policy. One of the most important legal considerations is to ensure that all allegations and offenders are managed uniformly. Additionally, if the type of conduct that is considered unacceptable is not accurately detailed, there might be legal problems in terminating a dishonest employee.

Answer 67

A. True | See pages 4.608 in the Fraud Examiner's Manual ## Footnote Some frauds are detected during sickness or unexpected absences of the perpetrator because they require continuous, manual intervention. Requiring employees in certain functions (e.g., accounting clerks) to periodically rotate job duties or accounts reviewed can increase the perception of detection in the potential perpetrator’s mind.

Answer 68

C. Transferring the risk | See pages 4.734 in the Fraud Examiner's Manual ## Footnote When responding to the organization’s residual fraud risks, management may transfer some or all of the risk by purchasing fidelity insurance or a bond. The cost to the organization is the premium paid for the insurance or bond. The covered risk of loss is then transferred to the insurance company.

Answer 69

D. The identification and assessment of risks that might affect the organization’s ability to meet its strategic and business objectives and the prioritization and response to those risks | See pages 4.803-4.805 in the Fraud Examiner's Manual ## Footnote The Committee of Sponsoring Organizations of the Treadway Commission’s (COSO) Enterprise Risk Management—Integrating with Strategy and Performance is composed of a set of principles organized into five interrelated components and twenty supporting principles that are based on a holistic view of an organization’s risk portfolio. The five components of the enterprise risk management (ERM) framework are: * Governance and culture * Strategy and objective-setting * Performance * Review and revision * Information, communication, and reporting The actual performance of ERM within an organization involves identifying and assessing risks that might affect the organization’s ability to meet its strategic and business objectives and then prioritizing and responding to those risks.

Answer 70

B. False | See pages 4.811 in the Fraud Examiner's Manual ## Footnote Standard customer due diligence (CDD) procedures involve identifying the customer, as well as verifying their identity. This type of due diligence is most widely used in situations where the customer presents a risk—that is, there is some opportunity for the customer to engage in illegal activity—but it is unlikely that the risk will manifest. Standard CDD requires the organization to gather information that allows it to understand the nature of the business relationship with the potential customer and to ensure that the customer’s identity is legitimate (e.g., the customer is not using a stolen or synthetic identity, the customer is not a shell company). Performing this type of CDD allows the organization to better know its customer and reduce the likelihood of the transaction involving illegal activity.

Answer 71

B. Enterprise risk management | See pages 4.802 in the Fraud Examiner's Manual ## Footnote n Enterprise Risk Management—Integrating with Strategy and Performance, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) defines enterprise risk management (ERM) as “the culture, capabilities, and practices, integrated with strategy-setting and its performance, that organizations rely on to manage risk in creating, preserving, and realizing value.”

Answer 72

D. All of the above | See pages 4.830 in the Fraud Examiner's Manual ## Footnote As part of the fraud risk management program, the board of directors and senior management should communicate, in writing, their commitment to proactively preventing, detecting, and addressing fraud. This communication can be made as part of the organization’s written statement of values and principles, as part of the code of conduct, or in a separate short document, such as a letter, that is provided to all employees, vendors, and customers. The statement of commitment should: * Be endorsed or authored by a senior executive or board member * Be provided to employees as part of the orientation process and be reissued periodically * Stress the importance of fraud risk mitigation * Acknowledge the organization’s vulnerability to fraud * Establish the responsibility of each person within the organization to support fraud risk management efforts * Reinforce management’s no-tolerance stance on fraudulent behavior

Answer 73

A. True | See pages 4.716-4.717 in the Fraud Examiner's Manual ## Footnote The fraud risk assessment team should brainstorm to identify the inherent fraud risks that could apply to the organization. In addition to each of the major areas of fraud risks—fraudulent financial reporting, asset misappropriation, corruption, and fraud from external sources—certain other types of risks must be considered, including the risk of regulatory and legal misconduct, reputational risk, and risk to information technology (IT). Brainstorming should also include discussions regarding incentives, pressures, and opportunities to commit fraud, including the incentive programs and how those might affect employee behavior, as well as the potential for management to override controls.

Answer 74

B. False | See pages 4.611 in the Fraud Examiner's Manual ## Footnote While the global landscape of legal protection offered to whistleblowers varies, more countries are beginning to enact measures that protect whistleblowers who suffer retaliation. Some countries have anti-retaliation laws to protect employees against retaliation in the workplace. In successful cases, these laws might offer remedies that reinstate employment, award back pay with interest, and recover attorneys’ fees or other litigation costs. In jurisdictions that do not have formal legal protection for whistleblowers, countries often use their own employment laws and anti-corruption provisions as a framework; however, due to legalities, these employment laws and anti-corruption provisions might be limited in their ability to protect whistleblowers against retaliation in the workplace for reporting misconduct.

Answer 75

D. All of the above | See pages 4.820 in the Fraud Examiner's Manual ## Footnote The Fraud Risk Management Guide, a joint publication by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) and the ACFE, describes five broad principles of fraud risk management, one for each of the five interrelated components of internal control listed in COSO’s Internal Control—Integrated Framework. Each principle is then supported by several points of focus. The principles and underlying points of focus combine to create a full framework that can be used to design, implement, and assess an effective fraud risk management program. The following are the five principles provided in the Fraud Risk Management Guide: * Fraud risk governance * Fraud risk assessment * Fraud control activities * Fraud investigation and corrective action * Fraud risk management monitoring activities

Answer 76

D. All of the above are factors that might prompt enhanced procedures. | See pages 4.811 in the Fraud Examiner's Manual ## Footnote When certain customers present higher risks for engaging in illegal activity, organizations should undertake enhanced due diligence procedures. Factors that might prompt enhanced customer due diligence (CDD) include high-profile customers, large-value transactions, or foreign business dealings in countries known for corruption.

Answer 77

D. All of the above | See pages 4.815-4.816 in the Fraud Examiner's Manual ## Footnote To ensure that the fraud risk management program is effective in both operation and design, it must be fully accepted by those charged with governing and overseeing the organization. Specifically, the board of directors must recognize the true and specific risks of fraud to the organization, as well as their potential impact, and respond by: * Setting an appropriate tone and realistic expectations of management to enforce an anti-fraud culture * Gaining sufficient knowledge of the organization’s activities and the environments in which it operates * Raising awareness of the risks of fraud throughout the organization * Developing a strategy to assess and manage fraud risks that aligns with the organization’s risk appetite and strategic plans * Overseeing the organization’s fraud risk management activities Maintaining open communications with senior management and other personnel

Answer 78

A. True | See pages 4.711 in the Fraud Examiner's Manual ## Footnote Before conducting the fraud risk assessment, the organization should build a fraud risk assessment team consisting of individuals with diverse knowledge, skills, and perspectives that will lead and conduct the fraud risk assessment. The size of the team will depend on the size of the organization and the methods used to conduct the assessment. The team should have individuals who are credible and have experience in gathering and eliciting information. The team members might include internal and external sources, such as accounting and finance personnel, operations personnel, members of the legal department, internal auditors, internal security or investigative personnel, external consultants with fraud and risk expertise, and any business leader with direct accountability for the effectiveness of the organization’s fraud risk management efforts.

Answer 79

A. True | See pages 4.603 in the Fraud Examiner's Manual ## Footnote Some internal fraud is discovered because of analytical review procedures performed during a financial statement audit. To uncover fraud using such techniques, however, the scheme must materially impact the financial statements. Auditors should be especially mindful of the following trends: * Increasing expenses * Increasing cost of sales * Increasing receivables/decreasing cash * Increasing inventories * Increasing sales/decreasing cash * Increasing returns and allowances * Increasing sales discounts

Answer 80

A. Reporting lines that are informally established and communicated | See pages 4.614 in the Fraud Examiner's Manual ## Footnote A well-designed organizational structure—with key areas of authority and clear and proper lines of reporting—can be an effective fraud prevention measure. A confused structure, in contrast, makes it easier for a fraudster to perpetrate and conceal their misdeeds. Establishing and communicating the proper flow of information to everyone in the organization is an essential component of a well-designed organizational structure. Flowcharts displaying organizational and departmental hierarchies can be a helpful tool for this purpose. To ensure that information is being properly received and that instructions are being carried out, such checks must be established.

Answer 81

D. All of the above | See pages 4.820-4.821, 4.823-4.824 in the Fraud Examiner's Manual ## Footnote The Fraud Risk Management Guide, a joint publication by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) and the ACFE, describes five broad principles of fraud risk management, one for each of the five interrelated components of internal control listed in COSO’s Internal Control—Integrated Framework: fraud risk governance, fraud risk assessment, fraud control activities, fraud investigation and corrective action, and fraud risk management monitoring activities. Each of these principles is then supported by several points of focus. The principles and underlying points of focus combine to create a full framework that can be used to design, implement, and assess an effective fraud risk management program. Under the fraud risk governance principle, the organization establishes and communicates a fraud risk management program that demonstrates the expectations of the board of directors and senior management and their commitment to high integrity and ethical values regarding managing fraud risk. Under the fraud risk assessment principle, the organization performs comprehensive fraud risk assessments to identify specific fraud schemes and risks, assess their likelihood and significance, evaluate existing fraud control activities, and implement actions to mitigate residual fraud risks. Under the fraud risk management monitoring activities principle, the organization selects, develops, and performs ongoing evaluations to ascertain whether each of the five principles of fraud risk management is present and functioning and communicates deficiencies in the fraud risk management program in a timely manner to parties responsible for taking corrective action, including senior management and the board of directors.

Answer 82

B. False | See pages 4.803-4.805 in the Fraud Examiner's Manual ## Footnote The Committee of Sponsoring Organizations of the Treadway Commission’s (COSO) Enterprise Risk Management—Integrating with Strategy and Performance is composed of a set of principles organized into five interrelated components and twenty supporting principles that are based on a holistic view of an organization’s risk portfolio. The five components of the enterprise risk management (ERM) framework are: * Governance and culture * Strategy and objective-setting * Performance * Review and revision * Information, communication, and reporting The organization’s governance and culture form the foundation for the ERM program. Governance sets the organizational tone, reinforces the importance of risk management, and establishes the oversight responsibilities for managing risks while culture is reflected in decision-making. The strategy and objective-setting component of the ERM framework involves the formal process of setting strategy and defining business objectives.

Answer 83

D. All of the above | See pages 4.802 in the Fraud Examiner's Manual ## Footnote Risk management involves the identification, prioritization, treatment, and monitoring of risks that threaten an organization’s ability to provide value to its stakeholders, whether increasing profitability and shareholder value for a for-profit entity or achieving program-specific goals for a nonprofit or governmental agency. More specifically, risk management balances risk appetite—how much risk management is willing to accept—with the ability to meet the organization’s strategic, operational, reporting, and compliance objectives.

Answer 84

A. True | See pages 4.619-4.620 in the Fraud Examiner's Manual ## Footnote To avoid being overly broad in nature, and thus difficult to enforce, anti-fraud policies should include specific examples of fraud. The scope of fraud within an organization might range from internal theft of cash in small amounts to a very large third-party billing scheme. Regardless of the materiality of a fraud, management should clearly define all types of fraud that could occur within the company. Doing so both provides specific guidance so employees can understand what actions constitute fraud and provides management with the legal grounds to investigate and punish violators. Examples of fraudulent offenses include: * Using company equipment (e.g., office supplies, company vehicles, mobile phones, computers) for personal reasons * Stealing company assets (e.g., cash, receivables, inventory) * Inflating reported hours worked * Forging or altering checks and other documents * Disclosing proprietary information to competitors * Accepting bribes from or paying bribes to vendors or customers * Engaging in transactions in which the employee has an undisclosed conflict of interest * Destroying company records with malicious intent * Intentionally misstating financial statements

Answer 85

D. All of the above | See pages 4.738-4.739 in the Fraud Examiner's Manual ## Footnote In the course of their work, auditors should validate that the organization is appropriately managing the moderate-to-high fraud risks identified in the fraud risk assessment by: * Identifying and mapping the existing preventive and detective controls that pertain to the moderate-to-high fraud risks identified in the fraud risk assessment * Designing and performing tests to evaluate whether the identified controls are operating effectively and efficiently * Identifying within the moderate-to-high fraud risk areas whether there is a moderate-to-high risk of management overriding controls * Developing and delivering reports that incorporate the results of their validation and testing of the fraud risk controls

Answer 86

D. Allowing all employees one warning before termination | See pages 4.616 in the Fraud Examiner's Manual ## Footnote The way that management responds to incidents of fraud within the organization plays an important role in its fraud prevention program. Specifically, it must be emphasized to all employees that the company maintains a policy of zero tolerance for fraud; otherwise, once an employee learns that small frauds are possible, larger frauds might be committed shortly thereafter. In addition, by not consistently punishing perpetrators, a company renders its fraud prevention program less effective or useless. Having a public record of the incident can also be important, so reporting known incidents of fraud to law enforcement can be an effective step in making the organization’s zero-tolerance stance clear.

Answer 87

D. All of the above | See pages 4.819-4.820 in the Fraud Examiner's Manual ## Footnote Fraud risk management programs must address fraud before, during, and after it occurs. Consequently, effective fraud risk management programs must incorporate policies and procedures designed to do all the following: * Prevent fraud—These activities focus on proactively identifying and assessing fraud risks and taking steps to address those risks; they are the first line of defense against fraud in the organization and generally include policies, procedures, training, and communication. * Detect fraud—These activities seek to identify fraud occurrences as soon as possible after they begin to limit the damage done. * Respond to identified fraud—These activities include investigating the allegation to determine the party or parties responsible, the means of the infraction, and the extent of the resulting damage; punishing the perpetrator, whether through employment sanctions or legal action; remediating the control weaknesses that allowed the fraud to be undertaken; and rebuilding stakeholders’ confidence in the organization.

Answer 88

C. Hiring policies and procedures | See pages 4.721-4.722 in the Fraud Examiner's Manual ## Footnote Detective controls, which are intended to detect fraud if it does occur, include: * Establishing and marketing the presence of a confidential reporting system, such as a whistleblower hotline * Implementing proactive controls for the fraud detection process, such as independent reconciliations, reviews, physical inspections and counts, analysis, and audits * Implementing proactive fraud detection procedures, such as data analysis and continuous auditing techniques * Performing surprise audits Hiring policies and procedures fall under the category of preventive controls, which are intended to prevent fraud before it occurs.

Answer 89

D. All of the above | See pages 4.828 in the Fraud Examiner's Manual ## Footnote The fraud risk management program must include systems specifically designed to monitor, identify, and address breaches in compliance. Such breaches might include failures in the design or operation of anti-fraud controls, as well as outright occurrences of fraud. A specific individual or team should be assigned responsibility for monitoring compliance with the fraud risk management program and for managing suspected instances of noncompliance. Formal sanctions for intentional noncompliance must be well-publicized and carried out in a consistent and firm manner.

Answer 90

D. All of the above | See pages 4.737 in the Fraud Examiner's Manual ## Footnote To make the most of the fraud risk assessment process, management should use the results to: * Begin a dialogue across the company that promotes awareness, education, and action planning to reduce fraud risk. * Look for fraud in high-risk areas. * Hold action owners accountable for progress against agreed-upon plans. * Keep the assessment process active and relevant. * Modify or create the code of conduct or ethics policy. * Monitor key controls.

Answer 91

D. All of the above | See pages 4.702 in the Fraud Examiner's Manual ## Footnote Many factors influence how at-risk an organization is to fraud. Some of the main factors are: * The nature of the business in which it is engaged (i.e., its industry and operations) * The environment in which it operates (e.g., physical storefront or internet-based, geographic location) * The effectiveness of the anti-fraud controls within the business processes * The ethics and values of the company and its employees

Answer 92

D. All of the above | See pages 4.619-4.620 in the Fraud Examiner's Manual ## Footnote To avoid being overly broad in nature, and thus difficult to enforce, anti-fraud policies should include specific examples of fraud. The scope of fraud within an organization might range from internal theft of cash in small amounts to a very large third-party billing scheme. Regardless of the materiality of a fraud, management should clearly define all types of fraud that could occur within the company. Doing so both provides specific guidance so employees can understand what actions constitute fraud and provides management with the legal grounds to investigate and punish violators. Examples of fraudulent offenses include: * Using company equipment (e.g., office supplies, company vehicles, mobile phones, computers) for personal reasons * Stealing company assets (e.g., cash, receivables, inventory) * Inflating reported hours worked * Forging or altering checks and other documents * Disclosing proprietary information to competitors * Accepting bribes from or paying bribes to vendors or customers * Engaging in transactions in which the employee has an undisclosed conflict of interest * Destroying company records with malicious intent * Intentionally misstating financial statements

Answer 93

D. All of the above | See pages 4.602 in the Fraud Examiner's Manual ## Footnote Increasing the perception of detection might be the most effective fraud prevention method. Controls, for example, are not very effective in preventing theft and fraud if those at risk do not know of the presence of possible detection. In the audit profession, this means letting employees, managers, and executives know that auditors are actively seeking information concerning internal theft. This can be accomplished in several ways, such as surprise audits, employee anti-fraud education, enforcement of mandatory vacation and job-rotation policies, strong management oversight, and effective reporting programs.

Answer 94

B. False | See pages 4.735 in the Fraud Examiner's Manual ## Footnote Much instinct and judgment go into performing the fraud risk assessment. When reporting the results of the assessment, however, the team must report only the facts and keep all opinions and biases out of the report. A report that is interspersed with the assessment team’s subjective perspective will dilute and potentially undermine the results of the work.