ACCT 599
IPPF: Understanding types of mandatory vs. recommended guidance
Mandatory - specify the essential organizational structure, relationships, and characteristics of the work units providing internal audit services; the attributes, competencies, and behavioral norms of those delivering these services; and the essential features of the services themselves and the processes used to perform them. (Core principles, Definition, Code of Ethics, Standards)
Recommended - provides more specific, non-mandatory guidance. Might not be applicable to all IA functions. (Implementation and Supplemental Guidance)
What is the purpose of a CAE’s administrative vs. functional reporting line? And why are they important?
Recommended to report functionally to the Board, which allows the CAE to provide unbiased assessments directly to the board. Administratively report to a senior executive, which aligns internal audit with organizational goals and provides operational support, ensuring effective implementation.
Functional: strategy, what internal audit should be focusing on.
Administrative: HR-related tasks.
Word “standards”: mandatory guidance.
Reporting lines are recommended.
Internal audit’s role in governance activities (what types of things encompass “governance” when evaluating it?)
Encompasses governance, risk management, and control systems. This includes evaluating the reliability of reporting, the effectiveness and efficiency of operations, and compliance with laws and regulations.
Think about it broadly.
Internal audit’s role in ERM activities (which activities are ok or not ok to be involved with?)
ERM: Understanding the general process, including understanding when/how an organization might choose to respond to risk
ERM general process:
Establish context - define the organization’s objectives, stakeholders, and risk criteria
Identify potential risks
Risk Assessment
Risk Response
Control Activities
Information and communication
Monitoring and review
Risk Responses:
Accept - No action is taken to change the severity of the risk.
Avoid - Action is taken to remove the risk, which may mean ceasing a product line, declining to expand, or selling a division.
Pursue - Action is taken that accepts increased risk to achieve improved performance
Reduce - Action is taken to reduce the severity of the risk
Share - Action is taken to reduce the severity of the risk by transferring or otherwise sharing a portion of the risk (insurance)
How to assess impact & likelihood in a risk assessment of any type (before considering internal controls)
Impact - adverse effect of a risk outcome
Likelihood - assessing the odds or probability of the risk occurring
Elaborate on residual risk - the level of risk that remains after implementing risk mitigation strategies or controls.
When to use the COSO ERM framework vs. the internal controls framework
Internal controls framework - specifically designed to provide guidance on the development and assessment of proper IT governance (supplements COSO)
COSO ERM Framework - used when assessing risks across an entire organization, including strategic, operational, financial, and compliance risks
Inherent limitations of internal controls
Internal controls cannot prevent bad judgments or decisions, or external events that can cause an organization to fail to achieve its operational goals.
Suitability of objectives established as a precondition to internal control.
Reality is that human judgment in decision-making can be faulty and subject to bias.
Breakdowns that can occur because of human failures such as simple errors.
Ability of management to override internal control.
Ability of management, other personnel, and/or third parties to circumvent controls through collusion.
External events beyond the organization’s control
Types of internal audit procedures/evidence (exhibit 10-2)
Evidence
High - created by the auditor or obtained directly from a third party
Medium - obtained from a third party through the organization
Low - created by the company
Procedures
Inquiry - asking the auditee or third parties questions and obtaining their oral or written responses (indirect evidence).
Observation - watching people, procedures, or processes (provides evidence at a certain time)
Inspection - studying documents and records and physically examining tangible resources (direct evidence) => direct personal knowledge
Vouching - tracking information backward from one document or record to a previously prepared document or record, or to a tangible resource; performed specifically to test the validity of documented or recorded information
Tracing - tracking information forward from one document, record, or tangible resource to a subsequently prepared document or record; performed specifically to test the completeness of documented or recorded information
Reperformance - redoing controls or other procedures; provides direct audit evidence regarding its operating effectiveness.
Analytical Procedures - assessing information obtained during an engagement by comparing the information with expectations identified or developed by the internal auditor
Confirmation - obtaining direct written verification of the accuracy of information from independent third parties.
Tenets of evidence quality (relevance, reliability, sufficiency)
Sufficient - has the internal auditor obtained enough evidence? Does one piece of evidence corroborate another?
Appropriate - a measure of the quality of audit evidence, that is, its relevance and reliability.
Persuasive - competent evidence; reasonably free from error and bias; enables the internal auditor to formulate well-founded conclusions.
Relevant - is the evidence pertinent to the audit objective? Does it logically support the conclusion? Is it timely, i.e., produced when it can still be used to support the conclusion or advice?
Reliable - did the evidence come from credible sources? Did the auditor obtain the evidence directly?
Components/characteristics of effective interviewing in (normal) internal audits
Preparing for the interview - define the purpose, identify the appropriate interviewee, gather background information about the audit area and the interviewee, note findings that show areas for concern or improvement, prepare an outline.
Conduct the interview - establish rapport, review the purpose of the interview, ask straightforward questions with meaningful follow-up, avoid technical jargon, use periods of silence effectively, listen, summarize and confirm key points, discuss next steps, arrange follow-up contact, thank the interviewee.
Document the interview outcomes (as soon as possible after interview)
Management’s assertions related to controls (e.g., authorization, validity, etc.)
Authorization - Did an approved party authorize the transaction?
Validity - Did the transaction or underlying event actually occur?
Accuracy - Were the terms, amounts, etc. correct?
Timeliness - Was everything recorded in the proper period?
Confidentiality - Was the information kept private?
Integrity - Was the information free from corruption and alteration?
Availability - Was the information stored and readily available?
Why an internal auditor might use analytical procedures during a controls audit
Helps identify anomalies, supports risk assessment, tests control effectiveness and efficiency, and can be used for continuous monitoring.
Control testing: what could I do to find where someone is circumventing controls? E.g., an employee whose transactions are always just under the approval limits.
Efficiency: analytics on days to deliver (shows auditee if they are being inefficient)
Sampling: what to do when support for an item is: 1) missing because client can’t find the support; vs. 2) missing because it was voided and never used
#1 -> count as an observation
#2 -> check if it was truly voided and then randomly test for another sample item
Know how to use the different types of sampling tables and draw a conclusion
In statistical sampling, you can only say that a control passed testing if the upper deviation rate is <= your tolerable deviation rate.
Conclusion statements - “I am __% confident that the true, but unknown, population deviation rate is less than or equal to __%.” The confidence level is 100% minus the risk of assessing control risk too low. The deviation rate is the upper deviation limit that the table returned.
If the achieved upper deviation limit is less than or equal to the tolerable deviation rate, the quantitative attribute sampling results indicate that the tested control is acceptably effective. Conversely, if the achieved upper deviation limit is greater than the tolerable deviation rate, the quantitative results indicate that the tested control is not acceptably effective.
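An added example (my code, not from the course notes or the textbook tables) that reproduces what the attribute-sampling table does and then applies the decision rule above. It assumes the binomial model that standard attribute-sampling tables are built from; sample size, deviations, tolerable rate and risk are constructed inputs.

```python
from math import comb


def binom_cdf(k: int, n: int, p: float) -> float:
    """P(X <= k) for X ~ Binomial(n, p): probability of finding at most k
    deviations in a sample of n when the true population deviation rate is p."""
    return sum(comb(n, i) * p**i * (1 - p) ** (n - i) for i in range(k + 1))


def upper_deviation_limit(sample_size: int, deviations: int,
                          risk_of_overreliance: float) -> float:
    """Achieved upper deviation limit (UDL): the highest population deviation
    rate at which seeing `deviations` or fewer is still as likely as the risk
    we accept. Found by bisection on P(X <= deviations) = risk, since that
    probability falls monotonically as p rises. Assumption: the binomial
    model behind the standard tables (which additionally round to 0.1%)."""
    lo, hi = 0.0, 1.0
    for _ in range(60):
        mid = (lo + hi) / 2
        if binom_cdf(deviations, sample_size, mid) > risk_of_overreliance:
            lo = mid  # still too likely to see this few deviations: UDL is higher
        else:
            hi = mid
    return hi


def evaluate_attribute_sample(sample_size: int, deviations: int,
                              tolerable_rate: float,
                              risk_of_overreliance: float = 0.05) -> dict:
    """Decision rule from the notes: the control is acceptably effective only
    if the achieved UDL is <= the tolerable deviation rate."""
    udl = upper_deviation_limit(sample_size, deviations, risk_of_overreliance)
    confidence = 1 - risk_of_overreliance
    return {
        "sample_deviation_rate": deviations / sample_size,
        "upper_deviation_limit": udl,
        "control_effective": udl <= tolerable_rate,
        "conclusion": (f"I am {confidence:.0%} confident that the true, but "
                       f"unknown, population deviation rate is less than or "
                       f"equal to {udl:.1%}."),
    }


if __name__ == "__main__":
    # Constructed case: 60 items tested, 8% tolerable rate, 5% risk,
    # evaluated for 0, 1 and 2 deviations found.
    for k in (0, 1, 2):
        print(evaluate_attribute_sample(60, k, 0.08))
```

With 60 items and one deviation the UDL works out to about 7.7%, so the control passes against an 8% tolerable rate but fails against 7%.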
Differences between statistical vs. non-statistical sampling (pg 187-188 is heavily tested on)
Statistical: measures the sufficiency of evidence obtained and quantitatively evaluates the sampling results; quantifies, measures, and controls sampling risk. Normally thought to provide more persuasive evidence, but is costlier.
Review the steps
Non-statistical: judgemental sampling. Allows more latitude regarding sample selection and evaluation. Ex: haphazard
No confidence statement (ex: “I am 95% confident that…”)
11-A3
11-9
Communications about audit findings (what’s included; when delivered; how formatted):
Interim communications
What’s included: When an observation calls for immediate attention
When delivered: brought to the attention of the appropriate individuals in a timely manner and increases the likelihood of prompt resolution
How formatted: informally
Preliminary engagement communications
What’s included: confirm preliminary facts and conclusions with appropriate management representatives of the area that was covered by the engagement before it is distributed in its final form
When delivered: right before the engagement report is distributed in its final form
How formatted: formal meeting with management, typically referred to as an exit interview or closing conference, followed by a draft of the final communication in whatever form it will take. More likely to be formal; draft version of the report. Exit interview - sit down with people to tell them what was found; clarification of misunderstandings.
Final engagement communications
What’s included: evidence of the internal audit function’s independent assessment of the area’s controls and serves as the permanent record of the work performed on the assurance engagement and its results.
When delivered: after engagement is complete
How formatted: formal report
Scope and timing - can be changed based on the client.
Auditor’s role when management appears to be accepting more risk than the entity’s risk appetite
Monitor and ensure that management actions have been effectively implemented or that senior management has accepted the risk of not taking action.
Chapter 15 - conclusion
Company could accept risk above their risk tolerance
Perform monitoring and follow-up section
Must discuss with senior management to make it clear to them that you think they are exceeding their limit for risk
Then go to the board if you believe senior management is still not taking the report seriously
Forensic accounting (approximately 2/3 of points):
Types of forensic accounting services (forensic investigations; dispute services & litigation services; fraud auditing)
Forensic investigations -> Systematic examination of financial records to uncover fraud or irregularities
Dispute services -> Offering specialized accounting services to resolve financial disputes or litigation (investigating financial discrepancies, providing expert witness testimony, assessing damages and losses)
Litigation services -> Providing accounting expertise for legal proceedings and disputes. Assessing financial evidence, offering expert witness testimony, quantifying damages or losses, analyzing financial data for legal arguments
Fraud auditing -> Examination of financial records to detect and prevent fraudulent activities. Examine potential fraud indicators, investigate suspicious transactions, gather evidence for legal proceedings, implement fraud prevention measures.
The three elements of the fraud triangle
How it is adapted in the fraud diamond and the M.I.C.E. models
Fraud triangle ->
Pressure/incentive -
Example 1: The company has been telling shareholders for years that Product X will be the next big innovation for their company. Product X launched this month and sales are far below expectations.
Example 2: An employee works on the side as a fashion influencer. He is not yet sponsored, so this requires him to regularly purchase high-cost items to maintain his online persona.
Rationalization -
Example: An employee is repeatedly denied a raise; even though they have no issues paying their monthly bills, they feel that they are underpaid.
Opportunity -
Example: A sales person's spouse works at the company's largest customer; the spouse has the ability to initiate and return sales whenever they want.
Fraud Diamond -> Expands the fraud triangle to recognize that Capability has to also be present for fraud to occur.
Capability is described as the ability to “recognize the open doorway as an opportunity and to take advantage of it by walking through” where fraudsters possess “the necessary traits and abilities to be the right person to pull it off”
Intelligence, job function, and ego with the ability to manage stress, perpetuate lies, and engage in coercion.
MICE -> Expands the fraud triangle to recognize that pressure/motivation can be explained by the need to support one's ego (rather than just money).
Stands for:
Money
Ideology - commit fraud for a perceived good cause
Coercion - forced to commit fraud by someone else
Ego/Entitlement - commit fraud to increase perceptions of worth
Theory of Differential Association vs. Theory of Differential Reinforcement
Theory of differential association - Individuals learn the techniques, attitudes, drives, rationalizations, and motives that are requisite to promote criminal behavior from their close social groups.
Theory of differential reinforcement - Individuals learn criminal behavior from the extent to which prior criminal behavior was either rewarded or punished.
Psychology traits (narcissism, Machiavellianism, psychopathy, low self-control, hedonistic, confidence in one’s own authority)
Narcissism - A self-absorbed focus highlighted by delusions of grandeur as well as a preoccupation with power, prestige, and vanity; accompanied with a lack of empathy to others.
Machiavellianism - Someone who will disregard morality in favor of deceit in order to achieve personal gain.
Psychopathy - Low levels of empathy alongside high levels of impulsivity, paired with antisocial behavior highlighted by selfishness, callousness, and remorselessness.
Low self-control - engage in actions that promote immediate gratification and provide a benefit to the individual—despite the associated risks and potential for harm. (develops during childhood)
Hedonistic - value indulgence and the pursuit of wealth. (extreme emphasis on material success)
Confidence in one’s own authority - identified as a classic abuse of power for personal or company gain.
Fraud risk assessment (see M11 introduction notes + IIA chapter 8’s key takeaways related to the COSO fraud risk management program + in-class lecture notes for 4/16)
Start with brainstorming ideas of how someone could exploit the system.
For organization-wide risk assessment ->
Start with a materiality number and use this when identifying specific types of fraud that are most concerning
Materiality does not have to be quantitative (it could relate to a specific severity of impact, such as reputational damage).
Keep assessment simple and focus on the fraud tree and what is common in the industry.
Fraud tree -> Corruption, F/S Fraud, Asset Misappropriation
ACFE Report of the Nations key findings (see key takeaways in M11)
Definition of fraud
Any intentional act or omission designed to deceive others, resulting in the victim suffering a loss and/or the perpetrator achieving a gain.
Any illegal act characterized by deceit, concealment, or violation of trust. Frauds are perpetrated by parties and organizations to obtain money, property, or services; to avoid payment or loss of services; or to secure personal or business advantage.
Red flags of a toxic culture
Lack of a strong “tone at the top” and an ethical culture;
Insufficient skepticism on the part of all participants in the financial reporting supply chain; and
Insufficient communication among financial reporting supply chain participants.
Additional red flags:
Behavioral warning signs of fraud (red flags)
living beyond means, financial difficulties, unusually close association with a vendor or customer, excessive control issues, a general “wheeler-dealer” attitude involving unscrupulous behavior, and recent divorce or family problems.
Relationships between fraud & illegal acts
Fraud is an illegal act but not all illegal acts are fraud.
FCPA + 6 topics in textbook
U.S. Foreign Corrupt Practices Act of 1977
Criminalizes transnational bribery and requires companies to implement internal control programs.
Requires publicly traded companies to “make and keep books, records, and accounts, which, in reasonable detail, accurately and fairly reflect the transactions and dispositions of the assets of the issuer…”
Focus on internal control to provide reasonable assurance that transactions are appropriately authorized and accurately recorded, assets are physically safeguarded, and there is periodic substantiation of recorded assets.
6 topics that are pertinent for internal auditors focused on compliance:
The anti-bribery provisions and related compliance concerns.
The record-keeping and internal accounting control provisions.
Conducting due diligence and instituting compliance measures.
Internal investigations, disclosure obligations, and monitors.
Related business, contractual, and employment issues.
Measures for staying clear of FCPA violations and preempting enforcement actions.
Fraud detection and investigation steps
Whistleblower hotlines - most common method of fraud detection
allow individuals to report their concerns about suspicious activities and remain anonymous
Board awareness can be a deterrent because perpetrators realize it is easy to report.
Usually operated by third party so that individuals do not fear consequences of their reporting
Process controls - most common detective control
Process controls that detect fraudulent activity include reconciliations, independent reviews, physical inspections or counts, certain types of analysis, and internal audits or other monitoring activities.
Proactive fraud detection procedures
Data analysis, continuous auditing, and the use of other technology tools that can flag anomalies, trends, and risk indicators warranting attention.
Forensic accounting data analytics (IIA chapter 8’s key takeaways + in-class 4/18 lecture)
Rules-based descriptive tests and reporting – By using historical data with simple and complex analytical weighted tests, significant value can be achieved to identify areas of risk. Alerts will be produced when a specific condition is met. For example, if an employee submits an expense for reimbursement with an expense amount in excess of a predefined reimbursement policy, then an alert would be triggered. These types of analytics are often easy to implement.
Keyword search – The process scans free text fields and unstructured data sources to identify suspicious or high-risk language. Companies can develop their own library of high-risk terms that incorporates industry- and company-specific jargon, acronyms, and cultural slang that might be used within the specific group being analyzed. The process can be developed to take into account industry-specific terms, multiple languages, and historical events.
Topic modeling and linguistic analysis – These tools use text analytics to identify suspicious phrases, high-risk topics, or unusual patterns of behavior in the free text components of the data. Beyond keyword searching, topic modeling seeks to cluster, quantify and group the key noun or noun phrases in the data, enabling the investigative team to quickly gain an understanding of what information may have been compromised or the corrupt intent of certain business activities. Linguistic analysis techniques use the results of text analytics to identify the emotive tone of the communication—identifying angry, frustrated, secretive, harassing, or confused communications
Statistical analysis and machine learning – This technique leverages historical facts in the data and machine learning to make predictions about future or otherwise unknown events. The incorporation of statistical models into this approach further increases the confidence that items identified as outliers warrant additional review, thus limiting the amount of false positives and increasing the efficiency of the review process.
Data visualization: dashboards – Dashboards can be very powerful in the identification of unknown events. Data visualization, including heat maps, geospatial analysis, time series analysis, word clouds, stratification, and drill-down techniques, enables the identification of trends and outliers in one, easy-to-understand interface. By combining transactions scoring, dashboards can aggregate threats across multiple criteria and data sources to prioritize review.
Data visualization: pattern and link analysis – This technique provides insights, hidden patterns, and relationships from vast, seemingly unrelated data sources. Data, both structured and unstructured, is provided in a variety of visual and link formats that can be used to connect one data source to another, exposing hidden relationships.
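An added example (my code, not from the course notes or the IIA text) that implements three of the analytics above over constructed expense claims: the rules-based "amount over reimbursement policy" alert, the "always just under the approval limit" control-circumvention test from the analytical procedures section, and a keyword search over the free-text memo field. The policy limits, the high-risk term library and the claims are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

# Assumed policy values (constructed for this example, not from the notes).
POLICY_LIMIT = 2000.00     # single claims above this breach the expense policy
APPROVAL_LIMIT = 1000.00   # amounts at or above this need a manager's approval
NEAR_BAND = 0.10           # "just under": within 10% below the approval limit
HIGH_RISK_TERMS = ("gift", "facilitation", "cash", "override")  # assumed library


@dataclass(frozen=True)
class Expense:
    employee: str
    amount: float
    memo: str


def over_policy_alerts(expenses):
    """Rules-based descriptive test: alert whenever one claim exceeds policy."""
    return [e for e in expenses if e.amount > POLICY_LIMIT]


def just_under_limit_alerts(expenses, min_hits=3, min_share=0.5):
    """Control-circumvention test: an employee whose claims repeatedly land
    just below the approval threshold may be sizing them to avoid review.
    Flag only when at least `min_hits` claims sit in the band AND they are at
    least `min_share` of that employee's claims (one near miss is normal)."""
    lower = APPROVAL_LIMIT * (1 - NEAR_BAND)
    by_employee = defaultdict(list)
    for e in expenses:
        by_employee[e.employee].append(e.amount)
    flagged = {}
    for emp, amounts in by_employee.items():
        near = [a for a in amounts if lower <= a < APPROVAL_LIMIT]
        share = len(near) / len(amounts)
        if len(near) >= min_hits and share >= min_share:
            flagged[emp] = {"near_limit": len(near), "total": len(amounts),
                            "share": round(share, 2)}
    return flagged


def keyword_hits(expenses, terms=HIGH_RISK_TERMS):
    """Keyword search over the memo field. Plain substring matching is used
    here; a production version would tokenize (e.g. 'cash' inside 'cashier')."""
    hits = []
    for e in expenses:
        memo = e.memo.lower()
        found = [t for t in terms if t in memo]
        if found:
            hits.append((e.employee, e.amount, found))
    return hits


# Constructed sample claims (not real data).
SAMPLE = [
    Expense("E102", 980.00, "Conference travel"),
    Expense("E102", 995.00, "Client workshop"),
    Expense("E102", 960.00, "Equipment rental"),
    Expense("E102", 990.00, "Trade show booth"),
    Expense("E102", 120.00, "Taxi"),
    Expense("E207", 45.00, "Parking"),
    Expense("E207", 2500.00, "Laptop replacement"),
    Expense("E207", 940.00, "Team dinner"),
    Expense("E310", 400.00, "Gift for permit officer, facilitation fee"),
    Expense("E310", 650.00, "Hotel"),
]


def run_all(expenses=SAMPLE):
    """Run every test and return the alerts keyed by test name."""
    return {
        "over_policy": [(e.employee, e.amount) for e in over_policy_alerts(expenses)],
        "just_under_limit": just_under_limit_alerts(expenses),
        "keyword": keyword_hits(expenses),
    }


if __name__ == "__main__":
    for name, result in run_all().items():
        print(name, result)
```

Note that E207's single 940 claim is not flagged under the default thresholds; the share and count thresholds are what keep the just-under test from drowning reviewers in one-off near misses.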
When to use a fraud specialist
Conducting fraud awareness training.
Assessing the design of antifraud programs and controls.
Testing the operating effectiveness of fraud controls.
Investigating improprieties and whistleblower complaints.
Conducting a full-fledged investigation at the request of management or the audit committee
Key elements for reporting on fraud investigations
1. Assist the organization in the development of comprehensive fraud risk assessment.
2. Develop processes for early detection of fraud.
3. Develop data analysis tools that can be used to detect fraud in the early stages.
4. Assist with the development of hotline call procedures.
5. Provide fraud awareness training throughout the organization.
6. Act decisively on significant fraud events.
7. Assist in postmortem analysis when fraud occurs.
8. Inform management of potential legal acts that are risks to the organization.
9. Assist management in developing a culture of ethical behavior and low tolerance of fraud.
10. Stay abreast and inform management of emerging issues and developing issues related to compliance and regulations.
Investigative interviewing (in-class 4/19 lecture notes; WILL ONLY BE TESTED FOR 599 STUDENTS)
Interviews in investigative processes are crucial but can be challenging. They're often prompted by government enforcement or internal investigations within companies. Steps include capturing the allegation, planning, conducting investigative interviews, reporting findings, and remediation. However, issues like leading questions, interviewee preparation, and lack of interviewer preparation can hinder the process.
From the interviewee's perspective, memory is subjective and affected by perception, time, and emotional state. Interviewers must consider both verbal and non-verbal cues, as well as the interviewee's perspective, to gather accurate information.
Interviewers should avoid biases, establish rapport, and structure questions carefully. Initial interviews are crucial as subsequent interviews may alter the interviewee's behavior or story. Justifications play a significant role in a person's mindset, influencing their behavior and responses during interviews.
Preparation is vital, including background research on the interviewee, planning questions, and selecting interviewers. The interview setting should be comfortable yet not overly familiar, and interviewers should remain neutral while actively listening.
Recording interviews is common in legal settings but may not be suitable for private entities. The first interview is critical as subsequent interviews may allow the interviewee to anticipate questions or alter their story.
Basic strategies to encourage cooperation include contrasts, reciprocity, sympathy, authority, and creating a sense of shortage. Potential signs of lying include inconsistencies, lack of detail, unusual speech patterns, and non-congruent gestures.
While body language can be indicative, focusing too much on it may detract from active listening. Two-person interviews can help mitigate this issue.
Expert witness (M15 Canvas background information + in-class 5/7 lecture notes)
Being an expert witness in legal proceedings requires adherence to specific guidelines. Only expert witnesses can offer opinions, which must be based on specialized knowledge. Expert witnesses can rely on hearsay but may face Daubert challenges, which assess the validity of their evidence.
Subpoenas and depositions are common, requiring careful preparation and documentation. Expert witnesses must maintain neutrality and advocate only for their opinion, not the client or attorney. CVs validate credentials, and engagement letters outline terms, including disclaimers, indemnification, and payment terms.
Testimony requires clear communication, politeness, and composure. Expert witnesses must avoid advocating for clients, guessing, or displaying temper. Awareness of trick questions, consistency, and correction of misrepresentations are crucial during testimony. Non-verbal cues, such as eye contact and attire, also influence credibility.