FRAUD RISKS Flashcards

1
Q

What is fraud?

A

“Any illegal act characterized by deceit, concealment, or violation of trust. These acts are not dependent upon the threat of violence or physical force. Frauds are perpetrated by parties and organizations to obtain money, property, or services; to avoid payment or loss of services; or to secure personal or business advantage.”

2
Q

What are three main types of fraud?

A

1) Fraudulent financial reporting
2) Misappropriation (theft) of assets
3) Corruption

3
Q

What are the three conditions necessary for committing fraud?

A

1) The person must be motivated to commit the fraud.
2) The person must have the opportunity to commit the fraud.
3) The person must be able to rationalize the fraud.
Collectively, these three elements are called the fraud triangle. If the company can eliminate any of these three elements, the likelihood of fraud occurring is greatly reduced.

4
Q

What is the responsibility of management and the IAA in connection with fraud?

A

Management has the responsibility to establish and maintain an effective control system.
The internal auditor is responsible for examining the controls to determine if they are adequate to prevent or detect fraud as well as looking for occurrences of fraud. However, the internal auditor is not responsible for preventing fraud.

5
Q

What is management override of controls?

A

Override of controls occurs when management overrides or in some way circumvents the controls in place in order to commit fraud.

6
Q

What are the five key steps of fraud risk assessment?

A

1) Identify relevant fraud risk factors.
2) Identify potential fraud schemes and prioritize them based on risk.
3) Map existing controls to potential fraud schemes and identify gaps.
4) Test operating effectiveness of fraud prevention and detection controls.
5) Document and report the fraud risk assessment.

7
Q

What is included in the fraud risk assessment?

A
  • The types of fraud that have some chance of occurring.
  • The inherent risk of fraud considering the availability of liquid and saleable assets, organizational morale, employee turnover, the history of fraud and losses.
  • The adequacy of existing anti-fraud programs, monitoring, and preventive controls.
  • The potential gaps in the organization’s fraud controls, including segregation of duties.
  • The likelihood of a significant fraud occurring.
  • The business impact of fraud.
8
Q

What guidance is provided for auditors conducting fraud engagements?

A
  • Consider fraud risks in the assessment of internal control design and determination of audit steps to perform.
  • Have sufficient knowledge of fraud to identify red flags indicating fraud may have been committed.
  • Be alert to opportunities that could allow fraud, such as control deficiencies.
  • Evaluate whether management is actively retaining responsibility for oversight of the fraud risk management program.
  • Evaluate the indicators of fraud.
  • Recommend investigation when appropriate.
9
Q

What are red flags?

A

Anything that strongly suggests that an unethical or suspicious event has taken place, or is a situation that would enable fraud to take place without detection.

10
Q

What should the IAA do when there is reasonable certainty that a fraud has occurred?

A

If there is reasonable certainty that fraud has occurred, the CAE should notify the appropriate management level, usually the audit committee and perhaps also the board of directors.
Management then makes the decision whether or not to start an investigation.

11
Q

What role should the IAA have in respect to fraud engagements?

A

The specific role of the IAA in a fraud investigation should be outlined in the Charter and possibly in policies and procedures related to fraud.
The potential roles for the IAA include:
• Leading the investigation,
• Being a supporting resource to another party leading the investigation, or
• No role at all if the IAA does not have the resources.

12
Q

What should the IAA do when conducting a fraud investigation?

A

• Assess the probable level and extent of complicity in the fraud within the organization.
• Determine the knowledge, skills, and other competencies needed to effectively carry out the investigation.
• Design procedures to identify the perpetrators, the extent of the fraud, the techniques used, and the cause of the fraud.
• Coordinate activities with management personnel, legal counsel, and other specialists as appropriate throughout the course of the investigation.
• Be aware of the rights of alleged perpetrators and personnel within the scope of the investigation and the reputation of the organization itself.

13
Q

What should the IAA do at the conclusion of a fraud investigation?

A

• Determine if controls need to be implemented or strengthened.
• Design engagement tests to help disclose frauds in the future.
• Maintain sufficient knowledge of fraud to identify future incidents.

14
Q

What is the first principle in Managing Business Risk Fraud: A Practical Guide?

A

Principle 1: As part of an organization’s governance structure, a fraud risk management program should be in place, including a written policy (or policies) to convey the expectations of the board of directors and senior management regarding managing fraud risk.

15
Q

What is the second principle in Managing Business Risk Fraud: A Practical Guide?

A

Principle 2: Fraud risk exposure should be assessed periodically by the organization to identify specific potential schemes and events that the organization needs to mitigate.
Ongoing risk management should consider three questions:
• How could someone exploit a weakness in the system?
• How could someone override or circumvent controls?
• How could someone conceal the fraud?

16
Q

What is the third principle in Managing Business Risk Fraud: A Practical Guide?

A

Principle 3: Prevention techniques to avoid potential key fraud risk events should be established, where feasible, to mitigate possible impacts on the organization.
All employees need to be aware of the fraud risk management program so that they know there is an effort to prevent and detect fraud.

17
Q

What is the fourth principle in Managing Business Risk Fraud: A Practical Guide?

A

Principle 4: Detection techniques should be established to uncover fraud events when preventive measures fail or unmitigated risks are realized.
Detection controls should:
• Usually be hidden and operate in the background.
• Be implemented and used in the ordinary course of business.
• Draw on external information to corroborate internal information.
• Formally and automatically communicate deficiencies and exceptions to leadership.
• Use results to enhance and modify other controls.

18
Q

What is the fifth principle in Managing Business Risk Fraud: A Practical Guide?

A

Principle 5: A reporting process should be in place to solicit input on potential fraud, and a coordinated approach to investigation and corrective action should be used to help ensure potential fraud is addressed appropriately and timely.

19
Q

What is Whistleblowing?

A

Whistleblowing is the act of reporting wrongdoing or suspected wrongdoing outside of the normal chain of command.

20
Q

What is a key characteristic of a whistleblowing reporting system?

A

To encourage people to share problems, the whistleblowing system needs to be confidential and anonymous. It may include a phone number to call or a specific person to contact. It is also possible that the whistleblowing process may be facilitated by a third-party entity.
In addition to setting up such a system, management must make sure that all employees know about it and that they feel confident that their identities will be protected.

21
Q

What is Forensic Auditing?

A

When auditing skills are applied to situations that have potential legal implications and/or consequences. Forensic auditing is performed when it has been determined that something inappropriate might have happened and there is a need to investigate that situation in more depth.

22
Q

What is an Interrogation?

A

In an interrogation, the internal auditor seeks confirmation or ideally a confession. Usually, interrogations are done after evidence has been collected and there is a strong suspicion of fraud or unethical behavior.

23
Q

Who performs an Interrogation?

A

At least two people should conduct an interrogation: an experienced individual leads the interrogation and a second person takes notes and is a corroborating witness.
There will most likely be legal counsel involved in both the preparation for the interrogation and its execution to make certain that the company does not place itself at risk of being sued.

24
Q

What is a Confession?

A

A confession is a complete acknowledgement of wrongdoing by the accused.

25
Q

What is an Admission?

A

In an admission, the accused party acknowledges committing a certain act, but he or she does not confess that there was intent, nor does the accused party confess to the accusation.

26
Q

What are three legal hazards for the company in a Fraud Investigation?

A

1) Defamation of character
2) False imprisonment
3) Malicious prosecution