Unit 2: Fraud and Risk Management Flashcards

1
Q

Types of Fraud

A
  • Fraudulent Financial Reporting
    • Most often committed by management.
    • It is the focus of external auditors and the concern of regulatory bodies
  • Misappropriation of assets
    • Most often committed by employees and results from theft, embezzlement or defalcation
    • It can cause financial misstatements, but usually generates more internal than external problems.
      • Once discovered, the effects of misappropriation should be accounted for in the financial statements.
      • Management must create controls to mitigate exposure to this fraud and to deal with it effectively once discovered.
2
Q

Fraud Risk Model (Fraud Triangle)

Check for Rationalization (hardest to appraise, but can be tackled) vs Pressure (hardest to tackle)

A
  • 3 characteristics of fraud (ORP)
    • Opportunity
    • Rationalization
    • Pressure (motivation)
  • Opportunity: not only to do it, but to conceal it, and is bolstered by the lack of oversight, inadequate internal controls or enforcement of these controls.
  • Rationalization (hardest to appraise because it involves personal / intimate knowledge of the perpetrator and their motivations): the person’s ability to justify actions as consistent with his/her personal code of ethics.
    • Some rationalizations:
      • Underpaid or overworked.
      • Feeling that everybody else is doing it.
      • Seeking revenge
      • Disgruntled (dissatisfied employee).
      • Conviction that taking assets is a loan and will be paid back.
    • How to avoid: strong ethical culture, code of conduct and providing ethics education.
  • Pressure (motivation)
    • Typically motivated by the need for cash, but there can be other reasons: continued employment, respect or admiration.
    • When the reward is economic gain, managers might feel pressured to manipulate financial reporting if compensation is tied to results.
      • Other motivations are meeting debt covenants, budgets or other financial goals.
    • The biggest motivation for management is to meet or exceed earnings targets. Similarly, for larger public companies, the need to exceed forecasts is a major motivator.
    • Organizations can seldom influence pressure since most businesses’ reward systems are still focused on financial goals.
3
Q

Red flags for fraud (Financial Reporting Risks)

(Remember: most often committed by management)

A
  • Financial reporting risks:
    • Performance too bad or too good to be true
    • Threat of imminent bankruptcy or hostile takeover.
    • High turnover of senior management, counsel or board members
    • Strained relationship with the auditor
    • Too much influence from nonfinancial managers on setting metrics.
    • Track record of securities laws violations
    • Industry or market declines
    • Poor cash flows
    • Highly complex operations
    • Transactions in tax-haven jurisdictions
    • Unrealistic sales or profitability incentives
    • Unusually rapid growth
    • Pressure to meet analysts’ expectations
4
Q

Red flags for fraud - Misappropriation of Assets Risks

(Remember: Most often committed by employees)

A
  • Missing documents for transactions
  • Large amounts of cash on hand
  • High-value, small-sized inventories or other assets.
  • Unexplained budget variances.
  • Unusual
  • Failure of certain employees to take vacations.

“The profile of a typical fraudster is a long-serving, trusted employee, who works long hours and is reluctant to take their annual leave,”

  • Unusual write-off of receivables
  • Failure to follow up on past-due receivables
  • Shortages in delivered or received goods
  • Poor supervision
  • Products or services purchased in excess of needs
  • Payroll checks with a second endorsement
  • Employees on the payroll who do not sign up for benefits (supervisor keeps their paycheck).
  • Undocumented petty cash expenditures
  • Common addresses on payables, refunds or payments
  • Addresses or telephone numbers of employees that match with suppliers or others.
  • Complaints by customers
5
Q

Investigative Resources and Techniques

A
  • Documents
    • Provide a key source of evidence in most fraud investigations.
      • Accountant should be alert for altered documents
      • Documents can be altered in various ways such as erasure or forgery.
        • False signatures (need expert to detect)
        • Photocopies should be examined (check for trash marks generated by copying the originals)
        • Torn, smudged, faded, burned documents also should be examined for authenticity.
  • Public searches of information on fraudsters
    • Civil and criminal actions
    • Bankruptcy records
    • Marriage licenses and divorces
    • Property records
    • Litigation history
  • Social media is another source of potential information
  • Private records (delicate due to privacy issues)
    • Medical records
    • Banking records
    • Trust records
    • Telephone records
    • Passenger lists
    • Stock ownership
  • Commercial online services with info on people.
  • Electronic evidence (however hard to determine who really did it)
    • Erased files
    • Who, when, permissions, maintenance, and storage must be assessed.
  • Interviews (most efficient and useful evidence collection technique)
    • Interviews should be:
      • Of sufficient length and depth
      • Objective and impartial
      • Be conducted on a timely basis
    • Signs of lying
      • Shake of the head rather than a verbal response
      • Responding to the interview with a question
      • Sweating
      • Denying an assertion while providing inconsistent nonverbal cues
      • Looking down rather than at the interviewer
      • Shifting and fidgeting
      • Delaying responses to questions
    • Fraud perpetrated by a single individual is easier to detect than fraud done via collusion or conspiracy among a group of employees. Segregation of duties makes it easier to detect fraud perpetrated by one individual.
6
Q

Managing the risk of Fraud (establishing a system of control)

Types of Controls

A
  • Primary controls:
    • Preventive:
      • Storing petty cash in a locked safe or segregation of duties
      • Requiring two persons to open mail is an attempt to prevent misstatements of cash receipts.
      • IT examples:
        • Designing the database so that users cannot enter letters in a Social Security number field
        • Requiring the number of invoices in a batch to be entered before processing begins.
    • Detective
      • Rejection of batches by computer system.
      • Hash totals are commonly used to detect data entry errors and check completeness.
      • A burglar alarm is another example.
    • Corrective
      • All cost variances above a certain limit to be explained.
    • Directive controls
      • Policy and procedure manuals.
  • Segregation of duties (enhances system security)
    • ARC: separate Authorization, Recordkeeping and Custody.
  • Secondary controls (when the primary is not effective)
    • Compensatory: supervisory review if segregation of duties is not sufficient.
    • Complementary: accounting and custody to be complemented by obtaining deposit slips validated by the bank.
  • Independent checks and verification
    • Reconciliation between recorded amounts and assets. The costs of this shouldn’t outweigh the benefits.
    • Prenumbered forms can assist in reconciliation.
  • Safeguarding controls
    • Limits access of an organization’s assets to authorized personnel only (lockbox system).
7
Q

ERM (Enterprise Risk Management) Approach

A
  • Involves the identification of events with negative impacts on organizational objectives
  • ERM approaches risk from an enterprise-wide perspective.
8
Q

5 Types of Risk

A
  • Hazard risks are insurable risks like natural disaster, impairment of physical assets, death of senior officers, and terrorism.
  • Financial risk (LINKED ONLY TO COMPANIES FINANCED BY DEBT CAPITAL) encompasses:
    • Interest rate risk
    • Commodity risk
    • Credit risk
    • Liquidity risk
    • Market risk
  • Operational risk is linked to the enterprise’s ongoing operations. It is the risk of loss from inadequate or failed internal processes, people and systems. It can result from:
    • Human resources (bad hiring/training), business processes (poor internal controls), technology, product failure, occupational safety and health incidents, environmental damage and business continuity (power outages, etc.)
    • Includes legal and compliance risk.
    • CAN BE MANAGED WITH ADEQUATE INTERNAL CONTROLS, BUSINESS PROCESS REENGINEERING (BPR) and business continuity planning.
  • Strategic risk includes global economic risk, political risk, market conditions, leadership, brand and changing customer needs. ALSO LINKED TO CHANGES IN CUSTOMER PREFERENCES IMPACTING THE BUSINESS.
  • Business risk: is the risk that a company will have lower than anticipated profits or will incur a loss.
9
Q

5 Key Steps in Risk Management

A

Step zero (overarching step): To start, management needs objectives that are impacted by potential events.

  1. Identify risk down to the lowest operational unit
  2. Assess risk (probability vs potential impact) quantitatively and qualitatively.
  3. Prioritize risks (ERM committee can be assigned)
  4. Formulate risk responses (ERM propose adequate response strategies)
  5. Monitor risk responses
    1. Management of a unit (since it is the closest to the risk area)
    2. Audit function plays important role since operational managers might not always be objective.
10
Q

Strategies for Risk Response

A
  • Risk avoidance: ends the risk activity.
  • Risk retention: accepting risk of an activity (“self-insurance” like auto owners with no car insurance).
  • Risk reduction. DOES NOT ENCOMPASS RISK AVOIDANCE/ELIMINATION
  • Risk sharing: transfer loss potential to another party (insurances, outsourcing activities, and entering into joint ventures).
  • Risk exploitation: deliberate courting of risk in order to pursue a high return on investment.
11
Q

Residual vs Inherent Risk

A
  • Residual risk is the risk of an activity remaining after the effects of any risk responses.
  • Inherent risk arises from the activity itself, when management does not act to alter its severity. Handling uranium AND complex calculations like leases and pensions are prone to inherent risk.
12
Q

Benefits of Risk Management

A
  • Efficient use of resources (resources directed to the greatest exposure risks)
  • Fewer surprises.
  • Reassuring investors (lower cost of capital).
13
Q

Liability Insurance

A
  • Liability insurance covers, for example, faulty products or an employee getting injured on the company’s premises.
14
Q

Financial Risk Management Methods

A
  • Hedging:
    • Types
      1. Short hedge (INVERSE) – value rises if prices fall
      2. Long hedge – value rises if prices rise.
    • Hedging instruments: options, future contracts and swaps.
  • Conventional methods:
    • Sinking funds (fund to cover in case of default / depreciation).
    • Policies regarding terms of short-term obligations (maturity matching).
15
Q

Qualitative risk assessment tools

A
  • Risk identification
    • “what keeps you awake at night”
    • General risk buckets definition
    • Brainstorming sessions
  • Risk ranking
  • Risk mapping is a visual tool depicting relative risks.
    • X axis: probabilities
    • Y axis: severity
16
Q

COSO ERM Framework - Key Concepts

A
  • Value Creation: Culture, capabilities and practices that organizations rely on to manage risk in creating, preserving and realizing value.
  • Key concepts
    • Culture
      • Mission: core purpose
      • Vision: aspirations over time
      • Core values: essential beliefs (HF DNA)
    • Capabilities: skills needed to achieve mission and vision.
    • Practices: collective methods used to manage risk.
    • Integrating strategy setting and performance
      • Main consideration factors:
        • Strategy
        • Business objectives
        • Tolerance = similar to risk tolerance from COSO Internal Control Framework.
      • Risk profile: Risk vs performance analysis at any level of the entity.
      • Risk portfolio: only at the entity level.
17
Q

Risk Inventory & Target Residual Risk

A
  • Risk inventory consists of all identified risks that affect strategy and business objectives.
  • Target residual risk is the risk the entity prefers to assume knowing that management has acted or will act to alter its severity.
18
Q

VALUE TRANSFORMATION

A
  • Created when benefits obtained from resources used exceed their costs.
  • Preserved when the value of resources is sustained.
  • Realized when benefits are transferred to stakeholders
  • Eroded when management does not produce expected results or management does not perform day-to-day tasks.
19
Q

3 lines of Mgmt accountability

A
  • Three lines of management accountability
    • 1. Owners of risk: they manage performance and risk taken to achieve strategy.
    • 2. Supporting functions: risk officers who provide guidance on performance and ERM requirements. The controller, for example.
    • 3. Assurance performed by internal auditors.
      • Auditing ERM
      • Identify issues and improvements
      • Informs the board and executives of matters needing solution
20
Q

ERM Components - Overview ( 5 of them)

A
  • Supporting aspect components:
    • Governance and culture
    • Information, communication, and reporting
  • Common process components
    • Strategy and objective-setting
    • Performance
    • Review and revision
21
Q

ERM Comp: Gov and Culture

A
  • Governance sets the organization’s tone and establishes responsibilities for ERM
  • Culture relates to desired behaviors, values and overall understanding about risk held by personnel within the organization.
  • 5 principles:
    1. Board exercises risk oversight. It can, however, delegate it to a risk committee.
      • Risk oversight is most effective when the board:
        • Has the necessary skills, experience and business knowledge
        • Is independent of the organization
        • Determines if ERM capabilities and practices enhance value
        • Understands the organizational biases influencing decision making and challenges management to minimize them.
    2. Organization establishes operating structures that are aligned to the entity’s legal and management structure.
    3. The organization defines the desired culture.
      • Board and management are responsible for defining culture.
      • Culture is shaped by:
        • Internal factors: level of autonomy and judgment allowed to personnel, standards and rules, the reward system in place.
        • External factors: legal requirements, expectations of stakeholders (customers and investors)
      • Definition of culture defines risk appetite.
    4. Organization demonstrates commitment to core values.
      • Tone of the organization is the manner in which core values are communicated across the organization.
    5. The organization attracts, develops and retains capable individuals.
22
Q

ERM Comp: Strategy and Objective Setting

A
  • STRATEGY AND OBJECTIVE SETTING (address business context, risk appetite, strategy selection and business objectives)
    • 4 principles
      1. The organization analyzes business context and its effect on the risk profile.
        • Business context includes:
          • Internal environment: a) capital b) people c) processes d) technologies
          • External environment (PESTLE)
            • Political
            • Economic
            • Social (consumer preferences and demographics)
            • Technological
            • Legal
            • Environmental
        • Business context may be:
          • Dynamic.
          • Complex
          • Unpredictable.
      2. The organization defines risk appetite.
        • Risk appetite is rarely set above risk capacity (max bearable risk).
        • Board approves the risk appetite, and management communicates it throughout the organization.
      3. The organization evaluates alternative strategies and their effects on the risk profile. Approaches can be 1) SWOT 2) competitor analysis 3) scenario analysis.
      4. The organization establishes business objectives that align with and support strategy. Business objectives are:
        • A) specific
        • B) measurable
        • C) observable
        • D) obtainable
23
Q

ERM Comp: Performance

A
  • Performance (5 principles) - identify, assess, prioritize, respond and monitor via portfolio view.
    • Organization identifies risk that affect the performance
      • Risks that affect the reasonable expectation of achieving strategy.
      • New, emerging and changing risks are identified.
      • Opportunities vs. positive events:
        • Opportunities are actions or potential actions that create or alter goals or approaches for value creation, preservation and realization.
        • Positive events are occurrences in which performance exceeds the original target.
        • Risk inventory is all the risks that could affect the company.
    • Organization assesses the severity of risk. Shaped by impact, likelihood and time to recover from events.
      • The time horizon to assess risk should be identical to that of the related strategy and business objective.
      • Risk is assessed at multiple levels.
      • Qualitative methods are more efficient and less costly than quant methods. Examples are interviews, surveys and benchmarking.
      • Quantitative methods are more precise than qualitative methods. Examples: decision trees, probabilistic and non-probabilistic modeling, and Monte Carlo simulation.
      • Assessment results may be presented using a heat map of likelihood vs impact (darker/riskier)
    • Organization prioritizes risks at all levels
      • Risk prioritization allows for optimal allocation of resources.
      • In addition to severity, these factors are considered when prioritizing risk:
        • Agreed-upon criteria.
          • Complexity
          • Velocity
          • Persistence
          • Adaptability
          • Recovery: entity’s capacity (not time) to return to tolerance.
        • Risk appetite.
        • The importance of the affected business objective.
        • The organizational level affected.
    • Organization identifies and selects risk responses to mitigate risks (impossible to eliminate them).
      • 5 categories of risk responses:
        • Acceptance. Appropriate when risk is within risk appetite.
        • Avoidance.
        • Pursuit. Action is taken to accept increased risk to improve performance.
        • Reduction. Action is taken to reduce severity of the risk so that it is within the target residual risk profile and risk appetite.
        • Sharing. Reduce severity of risk by transferring risk to other party (insurance, hedging, etc).
      • Control activities are designed and implemented to ensure risk responses are carried out.
    • Organization develops and evaluates its portfolio view of risk.
      • Which is the culmination of risk identification, assessment, prioritization and response.
      • 4 risk views and integration levels
        • Risk view (minimal integration). Risks are identified and assessed. Focus on the event, not on the business objective.
        • Risk category view (limited integration). Risks are additionally categorized based e.g. on operating structures.
        • Risk profile view (partial integration). Risks are linked to the business objectives and dependencies between objectives are analyzed.
        • Portfolio view (FULL INTEGRATION). Relates to entity-wide strategy and business objectives and their effect on entity performance. Top level focus is on strategy, and then responsibility for business units cascades through the entities.
24
Q

ERM Comp: Review and Revision

A
  • Review and Revision (3 principles) - organization reviews and revises its current ERM capabilities and practices on changes in strategies and business objectives.
    • The organization identifies and assesses changes that may substantially affect strategy and objectives - linked to CIP.
      • Changes in the organization’s business context and culture are most likely to substantially affect strategy.
    • The organization reviews entity performance results and considers risk.
      • Deviations from target indicate:
        • Unidentified risks
        • Improperly assessed risks
        • New risks
        • Opportunities to accept more risk
        • Need to revise target performance or tolerance.
    • The organization pursues improvement of ERM.
      • Continuous improvement even when targets are met.
      • Methods of identifying improvement include continual or separate evaluations and peer comparisons (reviews of industry peers).
25
Q

ERM: Information, Communication, and Reporting

(Check for difference between data

A
  • Organization must capture, process, manage and communicate timely and relevant information to identify risks that could affect strategy and business objectives.
  • 3 principles:
    • The organization leverages information systems to support ERM
      • Data are raw facts collectible for analysis.
        • Structured data: well organized and easily searchable.
        • Unstructured data: unorganized and lacking pattern (word processing documents, photos, video or email messages).
      • Information is processed, organized and structured data.
      • Knowledge is data transformed into information.
      • Data management practices help ensure that risk information is useful, timely, relevant and of high quality. Key aspects:
        • Data and information governance.
        • Processes and controls
        • Data management architecture
    • Information systems must be adaptable to change.
    • The organization uses communication channels to support ERM.
      • Communication between management and the board should include continual discussions about risk appetite.
      • The board may hold formal quarterly meetings or call extraordinary meetings (special meetings to discuss urgent matters).
    • The organization reports on risk, culture and performance at multiple levels across the entity.
      • Management is responsible for implementing controls to ensure reports are accurate, complete and clear.
      • Key indicators of risk should also be reported with key performance indicators to emphasize the relationship between risk and performance.
26
Q

When is ERM effectively creating, preserving and realizing value?

A

When the components, principles and controls are present and functioning, ERM is reasonably expected to manage risks effectively and help create, preserve and realize value.

27
Q

ERM and Risk Response (Tricky)

A
  • ERM selects NOT the best risk response, but rather the risk response within the organization’s risk appetite and performance tolerance.
28
Q

Limitations of ERM

A
  • Faulty human judgement
  • Cost-benefit considerations
  • Simple errors or mistakes
  • Collusion
  • Management override of ERM practices.