Internal Audit - Fraud Risk and Controls

60 Terms

1

Fraud

Any intentional act characterized by deceit, concealment, dishonesty, misappropriation of assets or information, forgery, or violation of trust perpetrated by individuals or organizations to secure unjust or illegal personal or business advantage

2

Fraud Risk

The possibility that fraud will occur and the potential effects to the organization when it occurs

3

Certified Fraud Examiners

Individuals certified as specialists in conducting forensic accounting investigations and advising on fraud risks and other fraud matters

4

Forensic auditing

Uses accounting and auditing knowledge and skills in matters having civil or criminal legal implications. Engagements involving fraud, litigation support, and expert witness testimony are examples.

5

Forensic auditing procedures

Interviewing, investigating, and testing

6

Increasing Incidence of fraud

- Indicative of Corporate Governance Failure

- Destruction of Economic Value

- Legal Liability (Class-Actions)

- Reputational Damage

- Adverse Impact on Employee Morale and Attrition

- Suggestive of Non-Compliance with Laws & Regulations

7

Behavioral and integrity risks of fraud

- Collusion, including with third parties

- Conflicts of interest

- Unethical conduct

- Insider trading and self-dealing

8

Operational and financial risks of fraud

- Pressure to meet earnings targets

- Poor internal controls

- Lax data/information security structure

- Compensation tied to earnings/performance

- Economic downturn creates pressure

9

Root causes of fraud

- supply of motivated offenders

- availability of suitable targets

- the absence of capable guardians

- means, motivation, and opportunity

- excuses/rationalization

10

What are the characteristics of fraud?

- Pressure (incentive)

- Opportunity

- Rationalization

11

Pressure (incentive)

The need a person tries to satisfy by committing fraud

12

Situational pressure can be...

organizational or personal

13

Opportunity

The ability to commit fraud

14

Which characteristic of fraud can an organization most influence?

Opportunity

15

Rationalization

The ability to justify the fraud.

16

What are the types of fraud?

- Corruption

- Asset Misappropriation

- Fraudulent Statement

17

What falls under corruption?

- Conflict of interest

- Bribery

- Illegal gratuities

- Economic extortion

18

What falls under asset misappropriation?

Cash

- Larceny

- Skimming

Inventory and Other

19

What falls under fraudulent statement?

- Financial

- Non Financial

20

Corruption

Improper use of power. Often leaves little accounting evidence

21

How is corruption typically uncovered?

Tips or third party complaints

22

Asset Misappropriation

Stealing cash or other assets. The theft may be concealed by adjusting records

23

Kiting

Exploits the check clearing delay between banks

24

Lapping

A person with access to customer payments and accounts steals a customer's payment. Covered up by a subsequent payment from another customer

25

Skimming

The theft of cash before it is recorded

26

Financial statement misrepresentation

Overstates assets or revenue or understates liabilities and expenses

27

What does financial statement fraud include?

- Misrepresentation

- Omission of information

- Intentional misapplication of accounting principles

- Misclassifications

28

What are the essential elements in preventing fraud?

Setting the correct tone at the top and instilling a strong ethical culture.

29

What are preventive fraud controls?

Safeguarding of assets

30

What steps aid in fraud prevention?

- Background investigations

- Anti-fraud training

- Evaluating performance and compensation programs

- Conducting exit interviews

- Authority limits

- transaction level procedures

31

What must an org have for fraud detection?

Prudent balance of fraud prevention and detection controls

32

What is an essential element for detecting fraud?

Employee feedback

33

Most common way to detect fraud

Fraud tips from employees

34

Sources of employee feedback

Whistleblower hotline, exit interviews, and employee surveys

35

Other sources of fraud detection

- Professional skepticism

- looking at fraud indicia and evidence

- incomplete information

- forensic data analytics, use of monitoring and viz tools

- determining whether it is an internal control breakdown or management override of controls

36

no control can provide...

absolute assurance

37

Fraud Indicia

- Numbers do not add up

- Revenues outside of core business

- Important documents missing

- Journal entries with no support

- Aggressive accounting techniques

- Mgmt obsession with revenue/profits

- Domineering management

- Control overrides

- Collusion usually involved

38

The three types of dark triad personalities

- Narcissists

- Psychopaths

- Machiavellians

39

Common personality traits of the dark triad

- Little or no conscience

- Low empathy

- Anti-social personality disorder

- Disagreeableness

- Charming, but manipulative and scheming

40

Common fraud perpetrator red flags

- Living beyond their means

- experiencing financial difficulties

- excessive organizational pressures

41

Standard 3.1

Competency

42

Standard 4.2

Due Professional Care

43

Standard 9.4

Internal Audit Plan

44

Standard 11.5

Communicating the acceptance of risks

45

Standard 13.2

Engagement Risk Assessment

46

What does a fraud risk assessment generally include?

- Identifying/prioritizing inherent fraud risks, fraud risk factors, and fraud schemes

- Assess the impact/likelihood of identified fraud risks

- Determine whether existing controls apply to potential fraud schemes and identify gaps

- Develop responses to those risks that have sufficiently high impact and likelihood to result in a potential outcome beyond management's tolerance

- Testing operating effectiveness of fraud prevention and detection controls

- Documenting and reporting the fraud risk assessment

47

What is important when conducting a fraud risk assessment?

Involvement of individuals with varying knowledge, skills, and perspectives

48

Which types of employees should the risk assessment include?

- Accounting/finance employees

- Non financial business employees

- Legal and compliance employees

49

COSO Principle 8

The organization considers the potential for fraud in assessing risks to the achievement of objectives.

50

Which org regulates private companies in the US?

AICPA

51

Which org regulates fraud from non-US companies?

The International Auditing and Assurance Standards Board

52

Who holds the responsibility for fraud controls?

- The board and management

- Internal/external auditors

- All employees

53

Who is primarily responsible for establishing and maintaining fraud controls?

Management

54

Internal audit's role in fraud controls?

Evaluate the effectiveness and efficiency of controls, and promote continuous improvement

55

Components of a robust and effective fraud management program

- Commitment by the board and senior management

- company ethics policy

- an affirmation process

- a conflict disclosure protocol

- fraud awareness

- reporting procedures

- whistleblower protection

- fraud risk assessment

- prevention and detection

- investigation process

- disciplinary and/or corrective actions

- process evaluation and improvement

- ongoing reviews

- continuous monitoring

56

Fraud monitoring

Evaluates anti-fraud controls through independent evaluations of the fraud risk management program and use of it

57

Role of internal auditors in fraud

- Raise fraud awareness

- whistleblower procedures

- promote ethics and values

- performance management and accountability

- communication about risk and controls

- coordination responsibilities

- shadowing forensic investigations

58

Questions for internal auditors

- What fraud risks are being monitored?

- Can management override controls?

- What is the risk of management override? (Recent events?)

- Do the internal auditors have the required expertise to address risk of fraud?

- What is the internal audit's definition of the fraud detection process?

- What is the organizational status of the audit function?

59

Who is responsible for fraud reporting?

The CAE

60

What does a fraud communication include?

- A brief, clear statement of the issues

- a citation of the relevant policies, rules, standards

- the analysis of evidence gathered to form a professional opinion

- the time frames, observations, conclusions, resolution, and corrective actions