ACCT 461: Ch 14 (Fraud risk assessment)


What is the combination approach?

Management may elect a combination of the approaches: avoid, transfer, mitigate, or assume.

What are preventive controls?

Manual or automated processes designed to stop an undesirable event from occurring.

How does management avoid the risk?

By eliminating an asset or exiting an activity if the control measures required to protect the organization against an identified threat are too expensive.

How does management mitigate the risk?

By implementing appropriate countermeasures, such as prevention and detection controls.

How can management transfer some or all of the risk?

By purchasing fidelity insurance or a fidelity bond.

What does a fraud risk assessment start with?

An identification and prioritization of fraud risks that exist in the business. The process evolves as the results of that identification and prioritization begin to drive education, communication, organizational alignment, and action around effectively managing fraud risk and identifying new fraud risks as they emerge.

What do preventive controls include?

1. Bringing awareness to personnel throughout the organization of the fraud risk management program in place 2. Performing background checks on employees 3. Hiring competent personnel and providing them with antifraud training 4. Conducting exit interviews 5. Implementing policies and procedures 6. Segregating duties 7. Ensuring proper alignment between an individual's authority and his level of responsibility 8. Reviewing third-party and related-party transactions

What are key elements to conducting a good fraud risk assessment?

1. Collaborative effort of management and auditors 2. The right sponsor 3. Independence and objectivity of the people leading and conducting the work 4. A good working knowledge of the business 5. Access to people at all levels of the organization 6. Engendered trust 7. The ability to think the unthinkable 8. A plan to keep it alive and relevant

What thought shouldn't be allowed to moderate the evaluation of fraud risk?

"It couldn't happen here"

How should the company prepare for the fraud risk assessment?

1. Assemble the right team to lead and conduct the fraud risk assessment 2. Determine the best techniques to use in conducting the assessment 3. Obtain the sponsor's agreement on the work to be performed 4. Educate the organization and openly promote the process

What are some approaches used to respond to the organization's residual fraud risks?

1. Avoid the risk 2. Transfer the risk 3. Mitigate the risk 4. Assume the risk

How can management make an impact with the fraud risk assessment?

1. Begin a dialogue across the company 2. Looking for fraud in high risk areas 3. Holding responsible parties accountable for progress 4. Keeping the assessment alive and relevant 5. Monitor key controls

Performing a fraud risk assessment provides management with the opportunity to review the company's internal control system for effectiveness. What are some considerations that are taken into account?

1. Controls that might have been eliminated due to restructuring efforts 2. Controls that might have eroded over time due to reengineering of business processes 3. New opportunities for collusion 4. Lack of internal controls in a vulnerable area 5. Nonperformance of control procedures 6. Inherent limitation of internal controls, including opportunities for those responsible for a control to commit and conceal fraud

What do you address when the fraud risks have been identified?

1. Establishing an acceptable level of risk 2. Ranking and prioritizing risks 3. Responding to residual fraud risks

What do detective controls include?

1. Establishing and marketing the presence of a confidential reporting system 2. Implementing proactive controls for the fraud detection process 3. Implementing proactive fraud detection procedures 4. Performing surprise audits

What are the two frameworks for prioritizing risk?

1. Estimating the likely cost of a risk 2. Using a heat map to identify those risks that are both likely and significant

In assessing the significance of each fraud risk, what factors should be considered?

1. Financial statement and monetary significance 2. Financial condition of the organization 3. Value of the threatened assets 4. Criticality of the threatened assets to the organization 5. Revenue generated by the threatened assets 6. Significance to the organization's operations, brand value, and reputation 7. Criminal, civil, and regulatory liabilities

What should a fraud risk assessment team incorporate in their fraud risk assessment approach?

1. Identify potential inherent fraud risks 2. Assess the likelihood of occurrence of the identified fraud risks 3. Assess the identified fraud risks' significance to the organization 4. Evaluate which people and departments are most likely to commit fraud and identify the methods they are likely to use 5. Identify and map existing preventive and detective controls to the relevant fraud risks 6. Evaluate whether the identified controls are operating effectively and efficiently 7. Identify and evaluate residual fraud risks resulting from ineffective or nonexistent controls

How does an auditor validate that the organization is appropriately managing the moderate to high fraud risks identified in the fraud risk assessment?

1. Identifying and mapping the existing preventive and detective controls that pertain to the moderate to high fraud risks identified in the fraud risk assessment 2. Designing and performing tests to evaluate whether the identified controls are operating effectively and efficiently 3. Identifying within the moderate to high fraud risk areas whether there is a moderate to high risk of management override of internal controls 4. Developing and delivering reports that incorporate the results of their validation and testing of the fraud risk controls

What are the classifications of significance for fraud?

1. Immaterial 2. Significant 3. Material

Why should organizations conduct fraud risk assessments?

1. Improve communication and awareness about fraud 2. Identify what activities are the most vulnerable to fraud 3. Know who puts the organization at the greatest risk 4. Develop plans to mitigate fraud risk 5. Develop techniques to determine whether fraud has occurred in high risk areas

What factors should be discussed when identifying fraud risks that could apply to the organization?

1. Incentives, pressures, and opportunities to commit fraud 2. Risk of management's override of controls 3. Population of fraud risks 4. Financial statement fraud, asset misappropriations, and corruption 5. Regulatory and legal misconduct 6. Reputation risk 7. Risk to information technology

How does the fraud risk assessment play a role in the audit process?

1. Informs and influences the process 2. Drives thinking and awareness in the development of audit programs for areas that have been identified as having a moderate to high risk of fraud 3. Results can help auditors design audit programs and procedures in a way that enables them to look for fraud in known areas of high risk

What are the different ways to gather information during a fraud risk assessment?

1. Interviews 2. Focus groups 3. Surveys 4. Anonymous feedback mechanisms

What qualities should a fraud risk assessment team have?

1. Members with diverse knowledge, skills, and perspectives to lead and conduct the assessment 2. Size of the team will depend on the size of the organization and methods used to conduct the assessment 3. Members should be credible and have experience in gathering and eliciting information

What are the characteristics of the right sponsor?

1. Must be senior enough to command respect 2. Committed to learning the truth about where the company's fraud vulnerabilities are 3. Truth seeker 4. Independent board director or audit committee member 5. Someone who is willing to hear the good, bad, and ugly

What are the interrelated elements that enable someone to commit fraud?

1. Non-shareable financial need 2. Opportunity 3. Rationalization

What are considerations for developing an effective fraud risk assessment?

1. Packaging it right 2. One size does not fit all 3. Keeping it simple

What factors should be considered in assessing the likelihood of occurrence of fraud risk?

1. Past instances of the particular fraud 2. Prevalence of the fraud risk 3. Internal control environment 4. Resources available to address fraud 5. Support of fraud prevention efforts by management 6. Ethical standards of the organization 7. Number of individual transactions involved 8. Complexity of the fraud risk 9. Number of people involved 10. Unexplained losses 11. Complaints by vendors or customers 12. Information from fraud surveys

What are the classifications of the likelihood of occurrence of fraud risk?

1. Remote 2. Reasonably possible 3. Probable

What are several key points that a fraud team should remember when reporting the results of the assessment?

1. Report objective (not subjective) results 2. Keep it simple 3. Focus on what really matters 4. Identify actions that are clear and measurable

What should be considered when evaluating whether the identified controls are operating effectively and efficiently?

1. Review of the accounting policies and procedures in place 2. Consideration of the risk of management's override of controls 3. Interviews with management and employees 4. Observation of control activities 5. Sample testing of controls compliance 6. Review of previous audit reports 7. Review of previous reports on fraud incidents, shrinkage, and unexplained shortages

What are factors that influence fraud risk?

1. The nature of the business 2. The operating environment 3. The effectiveness of its internal controls 4. The ethics and values of the company and its employees

Before the fraud risk assessment procedures begin, what must the sponsor and the assessment team agree on?

1. The scope of the work that will be performed 2. The methods that will be used 3. The individuals who will participate in the chosen methods 4. The content of the chosen methods 5. The form of output for the assessment

What is fraud risk assessment?

A process aimed at proactively identifying and addressing an organization's vulnerabilities to both internal and external fraud.

What is the auditor's responsibility for fraud risk management?

Auditors are trained in risk identification and assessment and have expertise in evaluating internal controls, which is critical to the fraud risk assessment process.

What are detective controls?

Can be manual or automated, but are designed to identify an undesirable event that has already occurred.

What is the "packaging it right" consideration?

Every organization has its own vocabulary and preferred methods of communication. The announcement and execution of the fraud risk assessment will only be effective if completed in the language of the business.

How can management assume the risk?

If it determines that the probability of occurrence and impact of loss are low, management can decide that it is more cost effective to assume the risk than it is to eliminate the asset or exit the activity, buy insurance to transfer the risk, or implement countermeasures to mitigate it.

What is management's responsibility for fraud risk management?

Management has intricate familiarity with day-to-day business operations, responsibility for assessing business risks and implementing organizational controls, authority to adjust operations, influence over the organization's culture and ethical atmosphere, and control over the organization's resources.

What plays a key role in influencing the entity's vulnerability to fraud?

Organizational culture

What is the model for calculating risk?

Risk = likelihood x cost

What must be done in order for an organization's fraud risks to be effectively managed?

They must first be identified using a formal risk assessment.

What are inherent risks?

Risks that are present before management action

What are residual risks?

Risks that remain after management action

What is the "keeping it simple" consideration?

The more complicated the fraud risk assessment is, the harder it will be to execute it and use it to drive action.

What is fraud risk?

The vulnerability that an organization has to those capable of overcoming all three aspects of the fraud triangle.

What is the key to reducing the vulnerability to fraud?

To be consciously aware and realistic about the organization's weaknesses. Only then can management establish mechanisms that effectively prevent or detect fraudulent activities.

What is the objective of a fraud risk assessment?

To help an organization recognize what makes it most vulnerable to fraud.

What is the "one size does not fit all" consideration?

What works in one organization most likely will not work easily in another

When is the fraud risk assessment most effective?

When management and auditors share ownership of the process and accountability for its success.

What does a fraud risk assessment help an organization identify?

Where fraud is most likely to occur, enabling proactive measures to be considered and implemented to reduce the chance that it could happen.

