Diligence
The phrase "diligence in performing his or her duties" in the rule refers to several activities that collectively define high-quality fraud examination work.
Skinner: reinforcements
"must be sensitive and complex"
Performance Audits
"provide objective analysis, findings, and conclusions to assist management and those charged with governance and oversight with, among other things, improving program performance and operations, reducing costs, facilitating decision making by parties responsible for overseeing or initiating corrective action, and contributing to public accountability."
Sutherland's theory
(1) criminal behavior is learned; (2) it is learned from other people in a process of communication; (3) criminal behavior is acquired through participation with intimate personal groups; (4) the learning process includes the shaping of motives, drives, rationalizations, and attitudes; (5) the direction of motives is learned from favorable or unfavorable definitions of the applicable laws; (6) a person becomes a criminal because of an excess of definitions favorable to violation of the law over definitions unfavorable to violation of the law; (7) differential association may vary in frequency, duration, priority, and intensity; (8) learning criminal behavior involves all the mechanisms of any other learning; (9) learning differs from pure imitation; and (10) while criminal behavior is an expression of general needs and values, it is not explained by them.
BEHAVIORAL RED FLAGS
(1) living beyond means; (2) financial difficulties; (3) unusually close association with a vendor or customer; (4) excessive control issues or unwillingness to share duties; (5) recent divorce or family problems; and (6) a general "wheeler-dealer" attitude involving shrewd or unscrupulous behavior.
Sarbanes-Oxley Act of 2002 (SOX)
SOX requires chief executive officers (CEOs) and chief financial officers (CFOs) of publicly traded companies to personally certify their companies' annual and quarterly SEC filings. Criminal certifications: Section 906. Civil certifications: Section 302.
Fraud Triangle
Three legs: (1) pressure, a perceived non-shareable financial need; (2) perceived opportunity; and (3) rationalization.
Fine multiples: the Organizational Guidelines note four aggravating factors that can cause an organization's culpability score to increase
1) Involvement in or tolerance of criminal activity: points are added if high-level employees of the organization participated in, condoned, or were willfully ignorant of the offense; points may also be added if there was pervasive tolerance of the offense by high-level employees. 2) Prior history: the organization has previously been found criminally guilty of similar acts, or has been found guilty of a civil offense for similar acts on at least 3) Violation of a prior court order: in committing the offense at hand, the organization violated an injunction or other judicial order. 4) Obstruction of justice: the organization interfered in any way with the investigation, prosecution, or sentencing of the offense in question.
five-phase framework for using data analytics procedures
1. Analytics design 2. Data collection 3. Data organization and calculations 4. Data analysis 5. Findings, observations, and remediation
Sample Fraud Risk Assessment Framework #1
1. Identify potential inherent fraud risks and schemes. 2. Assess the likelihood of occurrence of the identified inherent fraud risks. 3. Assess the significance of each inherent fraud risk to the organization. 4. Evaluate which people and departments are most likely to commit fraud. 5. Identify and map existing preventive and detective controls to the relevant fraud risks. 6. Evaluate whether the identified controls are operating effectively and efficiently. 7. Identify, evaluate, and respond to residual fraud risks that need to be mitigated.
ISO 31000:2018 principles
1. Is integrated into all organizational activities 2. Is structured and comprehensive 3. Is customized and proportionate to the organization's operations and objectives 4. Is inclusive and provides for appropriate and timely consideration of stakeholders' knowledge, views, and perceptions 5. Is dynamic and responsive to change 6. Is based upon the best available information 7. Takes human and cultural factors into account 8. Facilitates continuous improvement
Red flags: personal characteristics
1. Living beyond their means 2. An overwhelming desire for personal gain 3. High personal debt 4. A close association with customers 5. Feeling pay was not commensurate with responsibility 6. A wheeler-dealer (scheming) attitude 7. Strong challenge to beat the system (i.e., successfully evade the rules) 8. Excessive gambling habits 9. Undue family or peer pressure 10. No recognition for job performance
Red flags: organizational environment
1. Placing too much trust in key employees 2. Lack of proper procedures for authorization of transactions 3. Inadequate disclosures of personal investments and incomes 4. No separation of authorization of transactions from the custody of related assets 5. Lack of independent checks on performance 6. Inadequate attention to details 7. No separation of custody of assets from the accounting for those assets 8. No separation of duties between accounting functions 9. Lack of clear lines of authority and responsibility 10. Department that is not frequently reviewed by internal auditors
FINE REDUCERS
1. Self-reporting, cooperation, and acceptance of responsibility: (1) reporting within a reasonable time, (2) cooperating in the investigation, and (3) accepting responsibility for the wrongdoing. This earns the largest reduction (five points). 2. Implementing an effective program to prevent and detect violations of the law: knocks up to three points off the culpability score.
Governance and Culture (COSO ERM 2017)
1. The board of directors exercises risk oversight. 2. The organization establishes operating structures. 3. The organization defines its desired culture. 4. The organization demonstrates a commitment to its core values. 5. The organization attracts, develops, and retains capable individuals.
Information and Communication (COSO)
1. The organization obtains or generates and uses relevant, quality information to support the functioning of internal control. 2. The organization internally communicates information—including objectives and responsibilities for internal control—necessary to support the functioning of internal control. 3. The organization communicates with external parties regarding matters affecting the functioning of internal control.
Control Activities principles (COSO)
1. The organization selects and develops control activities that mitigate risks to the achievement of objectives to acceptable levels. 2. The organization selects and develops general control activities over technology to support the achievement of objectives. 3. The organization deploys control activities through policies that establish what is expected and procedures that put policies into action.
Monitoring
1. The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning. 2. The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.
COSO Framework Risk Assessment
1. The organization sets sufficiently clear objectives to enable the identification and assessment of risks relating to the objectives. 2. The organization identifies risks to the achievement of its objectives across the entity and analyzes these risks as a basis for determining how the risks should be managed. 3. The organization considers the potential for fraud in assessing risks to the achievement of objectives. 4. The organization identifies and assesses changes that could significantly impact the system of internal control.
Civil Certifications
1. They have personally reviewed the report. 2. Based on their knowledge, the report does not contain any material misstatement that would render the financials misleading. 3. Based on their knowledge, the financial information in the report fairly presents in all material respects the financial condition, results of operations, and cash flow of the company. 4. They are responsible for designing, maintaining, and evaluating the company's internal controls; they have designed the controls to ensure that they receive material information about the company; they have evaluated the controls within ninety days prior to the report; and they have presented their conclusions about the effectiveness of the controls in the report. 5. They have disclosed to the auditors and the audit committee any material weaknesses in the controls and any fraud, whether material or not, that involves management or other employees who have a significant role in the company's internal controls. 6. They have indicated in the report whether there have been significant changes in the company's internal controls, including any corrective actions with regard to significant deficiencies and material weaknesses.
Performance (COSO ERM 2017)
10. The organization identifies risk that impacts its performance and ability to meet objectives. 11. The organization assesses the severity of risk. 12. The organization prioritizes risk. 13. The organization implements risk responses. 14. The organization develops a portfolio view of risk.
Review and Revision (COSO ERM 2017)
15. The organization assesses substantial changes that might affect its strategy and objectives. 16. The organization reviews its risk and performance. 17. The organization pursues improvement in ERM.
Clinard and Yeager
Studied 562 companies (477 of which were on the Fortune 500 list) over a two-year period and found that 1,553 white-collar crime cases had been filed against them. The oil, pharmaceutical, and motor vehicle industries were the most likely to be charged with wrongdoing.
Strategy and Objective-Setting (COSO ERM 2017)
6. The organization analyzes business context when determining its risk profile. 7. The organization defines its risk appetite. 8. The organization evaluates alternative strategies. 9. The organization formulates business objectives with consideration of its risk profile.
Examining presentence investigation reports (PSIRs)
In 65% of the cases overall, personal suffering was said to have played an overwhelming role in the defendant's case. Securities offenders and embezzlers topped the list, with 70% and 87% of these people (respectively) reporting some hardship.
Organization size and occupational fraud (median loss)
Fewer than 100 employees: $200,000; 100 to 999 employees: $100,000; 1,000 to 9,999 employees: $100,000; 10,000 or more employees: $132,000.
COMPENSATION COMMITTEE
A compensation committee is responsible for determining the compensation and benefits of directors and executives. Its members should be independent, outside directors with human resources experience in compensation.
Internal control over financial reporting (ICOFR) is defined as:
A process designed ... to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles.... • Pertain to the maintenance of records that in reasonable detail accurately and fairly reflect the transactions and dispositions of the assets of the [company]; • Provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements in accordance with GAAP, and that receipts and expenditures of the [company] are being made only in accordance with authorizations of management and directors of the [company]; and • Provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use, or disposition of the [company's] assets that could have a material effect on the financial statements.
The auditor should design and perform the tests of controls in a manner that yields sufficient evidence to support both the auditor's opinion at year-end and the auditor's control risk assessment for the financial statement audit.
According to AS 2201, a top-down approach "begins at the financial statement level and with the auditor's understanding of the overall risks to internal control over financial reporting. The auditor then focuses on entity-level controls and works down to significant accounts and disclosures and their relevant assertions." The top-down approach describes the auditor's thought process when identifying risks and the controls to test, rather than the order in which the auditor should perform the audit procedures.
Institute of Internal Auditors' (IIA) Standard 2120.A1
The internal audit activity must evaluate risk exposures relating to the organization's governance, operations, and information systems regarding the: achievement of the organization's strategic objectives; reliability and integrity of financial and operational information; effectiveness and efficiency of operations; safeguarding of assets; and compliance with laws, regulations, and contracts.
social control
Altering citizens' behavior by manipulating access to valued resources or threatening to impose sanctions
The IIA's IPPF—Practice Guide: Internal Auditing and Fraud
Although not mandatory, the guidance included in the Practice Guide is strongly recommended. It addresses fraud awareness; potential fraud indicators; roles and responsibilities for fraud prevention and detection; the internal auditor's role during audit engagements; fraud risk assessment; fraud prevention and detection; fraud investigation; and forming an opinion on internal controls related to fraud.
The Treadway Commission
Sponsored by the American Institute of Certified Public Accountants (AICPA), The Institute of Internal Auditors (IIA), the American Accounting Association (AAA), Financial Executives International (FEI), and the Institute of Management Accountants (IMA). Recommendations: • Mandatory independent audit committee: the board of directors oversees management's conduct. The Treadway Commission recommended that each board of directors have an audit committee composed of outside directors. • Written charter: the Treadway Commission also suggested that companies develop a written charter setting forth the audit committee's duties and responsibilities. The board of directors should periodically review, modify, and approve this written charter. • Resources and authority: according to the Treadway Commission, the existence of an audit committee and a written charter is not enough. The committee also must have adequate resources and authority to carry out its responsibilities. • Informed, vigilant, and effective audit committee members: the audit committee should be composed of members who are informed, vigilant, and effective.
Fraud
An intentional act by one or more individuals among management, those charged with governance, employees, or third parties involving the use of deception that results in a misstatement in financial statements that are the subject of an audit
Memoranda
An interoffice memorandum from the chief executive officer (CEO) detailing the anti-fraud policy is a good idea.
AU-C Section 330,
• Assign and supervise personnel, taking account of the knowledge, skill, and ability of the individuals to be given significant engagement responsibilities and the auditor's assessment of the risks of material misstatement due to fraud for the engagement; this might include assigning additional individuals with specialized skill and knowledge, such as forensic and IT specialists, or assigning more experienced individuals to the engagement. • Evaluate whether the selection and application of accounting policies by the entity, particularly those related to subjective measurements and complex transactions, might be indicative of fraudulent financial reporting resulting from management's effort to manage earnings or a bias that might create a material misstatement. • Incorporate an element of unpredictability in the selection of the nature, timing, and extent of audit procedures.
Fraud detection and prevention
Board of directors: The board of directors is responsible for effective and responsible corporate fraud governance and is tasked with overseeing management's actions to manage fraud risks. Audit committee: The audit committee's role is to evaluate management's identification of fraud risks and the implementation of anti-fraud measures, as well as to provide the tone at the top that fraud will not be accepted in any form. The audit committee is also responsible for overseeing controls to prevent or detect management fraud. Management: Management is responsible for overseeing the activities of employees, assessing the entity's vulnerability to fraud, and establishing and maintaining an effective internal control system at a reasonable cost. Legal counsel: Legal counsel advises the organization on legal matters pertaining to fraud. External auditors: External auditors have a responsibility to comply with professional standards and to plan and perform the audit of the organization's financial statements to obtain reasonable assurance about whether the financial statements are free of material misstatements, whether caused by error or fraud. Loss prevention manager: The loss prevention manager deals with crimes, disasters, accidents, waste, and other business risks, and this individual usually works closely with internal auditors to identify areas of weak internal controls within the organization. Fraud investigators: Fraud investigators are responsible for detecting and investigating fraud, as well as recovering assets. Other employees: All employees have a responsibility to report suspicious activity to a hotline, the internal audit department, or management
PREVENTIVE CONTROLS
• Bringing awareness of the fraud risk management program to personnel throughout the organization • Performing background checks on employees (where permitted by law) • Hiring competent personnel and providing them with anti-fraud training • Conducting exit interviews • Implementing policies and procedures • Separation of duties • Implementing physical security measures • Implementing security measures to restrict electronic access to data • Ensuring proper alignment between an individual's authority and level of responsibility • Reviewing third-party and related-party transactions
Control Environment principles (COSO)
COSO provides five principles supporting the design and implementation of an effective control environment: 1. Personnel at all levels demonstrate a commitment to integrity and ethical values. 2. The board of directors is independent from management and oversees the development and performance of internal control. 3. With board oversight, management establishes the structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of organizational objectives. 4. The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives. 5. The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives.
conducting audit engagements
Consider fraud risks in the assessment of internal control design and determination of audit steps to perform. Have sufficient knowledge of fraud to identify red flags indicating fraud might have been committed. Be alert to opportunities that could allow fraud, such as control deficiencies. Evaluate whether management is actively retaining responsibility for oversight of the fraud risk management program, whether timely and sufficient corrective measures have been taken with respect to any noted control deficiencies or weaknesses, and whether the plan for monitoring the program continues to be adequate for the program's ongoing success. Evaluate the indicators of fraud and decide whether any further action is necessary or whether an investigation should be recommended. Recommend investigation when appropriate.
Public Company Accounting Oversight Board Auditing Standard 2201 (PCAOB AS 2201): fraud considerations
Controls the auditor should consider testing: • Controls over significant unusual transactions • Controls over journal entries and adjustments made during the end-of-the-period financial reporting process • Controls over related-party transactions • Controls related to significant management estimates • Controls that mitigate the motivations for, and pressures on, management to engage in inappropriate earnings management and financial statement fraud
corporate compliance program
Corporations in the United States that wish to take advantage of the mitigation provisions of the Organizational Guidelines must implement an effective program to prevent and detect violations of the law; other countries also recommend that corporations use this model.
Low status
Credit fraud, false claims, and mail fraud. This group was not as likely to be white (71.5% for credit fraud, 76.8% for mail fraud, 61.8% for false claims) or male (84.8% for credit fraud, 82.1% for mail fraud, 84.7% for false claims). They were generally younger than the other category offenders (less than 40 years old); less likely to be married (about 50%); and less likely to own their own home (roughly 34-45% across the three crime types). Their net worth, as measured by the ratio of assets to liabilities, was remarkably low: $7,000/$7,000 for credit fraud; $2,000/$3,500 for mail fraud; $4,000/$5,000 for false claims.
Imprisonment
Crimes of the Middle Classes found that the highest status group, antitrust violators, were the least likely to receive prison time (about one in five) and drew the shortest sentences (1.8 months). Securities fraud led the group, with more than 67% doing time, followed by tax fraud (58.9%) and mail fraud (55.1%). Overall, however, the higher an individual's status, the more likely the person was to be imprisoned. More often than prison, the punishment of choice for white-collar criminals is the imposition of fines.
Risk Assessment Procedures and Related Activities
DISCUSSIONS WITH MANAGEMENT AND OTHERS WITHIN THE ENTITY
Auditor Unable to Continue the Engagement
• Determine the professional and legal responsibilities applicable in the circumstances, including whether a requirement exists for the auditor to report to the person or persons who engaged the auditor or, in some cases, to regulatory authorities. • Consider whether it is appropriate to withdraw from the engagement, when withdrawal is possible under applicable law or regulation. • If the auditor withdraws: − Discuss with the appropriate level of management and those charged with governance the auditor's withdrawal from the engagement and the reasons for the withdrawal. − Determine whether a professional or legal requirement exists to report to the person or persons who engaged the auditor or, in some cases, to regulatory authorities the auditor's withdrawal from the engagement and the reasons for the withdrawal.
AUDIT PROCEDURES PERFORMED TO SPECIFICALLY ADDRESS RISK OF MANAGEMENT OVERRIDE OF CONTROLS
EXAMINING JOURNAL ENTRIES AND OTHER ADJUSTMENTS FOR EVIDENCE OF POSSIBLE MATERIAL MISSTATEMENT DUE TO FRAUD; REVIEWING ACCOUNTING ESTIMATES FOR BIASES THAT COULD RESULT IN MATERIAL MISSTATEMENT DUE TO FRAUD; EVALUATING THE BUSINESS PURPOSE FOR SIGNIFICANT UNUSUAL TRANSACTIONS
Audit committee
Each member of the audit committee must be a member of the board of directors and must be independent, as evaluated by two criteria: Fees: audit committee members may only be compensated for their services on the board and any board committee. Affiliation: audit committee members cannot be affiliated persons of the company or any other company related to it. This precludes executive officers, director/employees, general partners, and managing members of the company, or its parent, subsidiary, or sister company, from serving on the audit committee. The company must provide funding for: • Fees paid to the external auditors for performance of any audit, review, or attestation engagements • Payments to any outside advisors retained by the audit committee • Any administrative expenses necessary for the audit committee to carry out its duties
U.S.-Specific Corporate Governance Codes and Guidance
Each state has laws governing the corporations registered in it. Public companies are also subject to federal legislation, as well as regulation by securities industry oversight bodies.
Control Environment
Established by the directors and senior management, it sets the moral and ethical tone of an organization
tips and suggestions for developing a compliance and ethics program
Establishing standards; assigning responsibility; audit committees; due diligence in hiring; communicating the policy; training employees; achieving compliance; disciplinary action; appropriate responses
Management's roles
Establishing strategic goals and operating objectives under the board's oversight Directing employees to carry out business activities and managing their performance of those tasks Determining the use and allocation of company resources and assets Evaluating the organization's successes or failures and recalibrating the strategic approach accordingly Holding responsibility for the design and operation of the organization's internal controls Setting the organization's true ethical tone
Fraud risk factors—
Events or conditions that indicate an incentive or pressure to perpetrate fraud, provide an opportunity to commit fraud, or indicate attitudes or rationalizations to justify a fraudulent action.
Fines
Fines are based on two factors: the seriousness of the offense and the level of culpability of the organization. The base fine is the highest of: • The monetary loss suffered by the victim • The pecuniary gain received by the defendant • An amount ranging from $5,000 to $72,500,000 as set forth in the Offense Level Scale of the Individual Guidelines, which is a table of preset penalties based on the seriousness of possible offenses. Depending on the culpability of the organization, the base fine can then be multiplied by a factor of up to 4.0 or reduced to as little as 5% of the base (a 95% reduction).
Three factors prevent such unity
First: the pressure to commit fraud might not affect departments in a company equally. Second: even in high-pressure departments, some employees will not have knowledge of the difficulty of obtaining needed resources. Third: outside societal behavior can produce values that conflict with those learned in an organizational environment.
Focus Groups
Focus groups enable the assessor to observe the interactions of employees as they discuss a question or issue. The success of a focus group will be highly dependent on the skill of the facilitator.
Fraud Detection
Fraud detection activities seek to identify fraud occurrences as soon as possible after they begin to limit the damage done.
Fraud Prevention
Fraud prevention activities focus on proactively identifying and assessing fraud risks and taking steps to address those risks.
Education about a reporting program
Fraud, waste, and abuse occur in nearly all companies. Such conduct costs the company jobs and profits. The company actively encourages any employee with information to be able to come forward. The employee can come forward and provide information anonymously and without fear of retaliation for good-faith reporting. There is an exact method for reporting an incident (e.g., a telephone number or online form). The report need not be made to one's immediate superiors.
II. The Rights and Equitable Treatment of Shareholders and Key Ownership Functions
The corporate governance framework should protect and facilitate the exercise of shareholders' rights and ensure the equitable treatment of all shareholders, including minority and foreign shareholders. All shareholders should have the opportunity to obtain effective redress for violation of their rights. This section can be seen as a statement of the most basic rights of shareholders, which are recognized by law in most countries.
RESPONSIBILITIES OF THE AUDITOR
Under GAAS, the auditor is responsible for obtaining reasonable assurance that the financial statements as a whole are free from material misstatement, whether caused by fraud or error.
Quizzes/Games
Games can be a fun and informal way to reinforce and communicate the anti-fraud policy in an organization.
Audit Standards Yellow Book
General standards: the following general standards apply to all three types of government auditing engagements. These standards, coupled with the ethical principles outlined previously, establish a foundation for credibility of government auditors' work. INDEPENDENCE: both the audit organization and the individual auditor must remain independent in both mind and appearance throughout the engagement so that all opinions, findings, conclusions, judgments, and recommendations will be impartial and viewed as impartial by knowledgeable third parties. PROFESSIONAL JUDGMENT. COMPETENCE: the staff assigned to an engagement must collectively possess adequate professional knowledge, skills, and experience to properly conduct the audit. QUALITY CONTROL AND ASSURANCE.
Offenders Ranked by Status, with Selected Demographic Information
High status: antitrust and securities offenders. They were overwhelmingly white (over 99%) and male (99.1% for antitrust, 97.8% for securities). The two groups were equally likely to hold a college degree (40.9% in either case), and their frauds were usually occupational in nature. There are revealing contrasts when the two types of offenders are compared: (1) Almost 97% of antitrust offenders had been steadily employed in the years preceding their crime, while only about 60% of the securities offenders had continually held a job. (2) The antitrusters had a median ratio of assets to liabilities of $200,000 (assets) to $40,000 (liabilities); the securities offenders held a median $57,500 in assets with $54,000 in liabilities. (3) Antitrust violators were more likely to own their own home (73.5% versus 58.2%) and to be married (95.7% versus 80.7%) than securities offenders.
Defining Code of Ethics
• Honest and ethical conduct, including the ethical treatment of actual or apparent conflicts of interest between personal and professional interests • Full, fair, accurate, timely, and understandable disclosure in all documents filed with the SEC and all other public communications • Compliance with all applicable governmental laws, rules, and regulations • The prompt reporting to the appropriate person or persons within the company of violations of the code • Accountability for adherence to the code
ACFE Code of Professional Ethics
I. Commitment to professionalism II. Illegal or unethical conduct III. Professional competence of assignments IV. Lawful orders of the courts V. Basis for opinions VI. Confidential information VII. Reveal material matters VIII. Increase professional competence
Employee Morale
If an employee is properly instructed, communication of an anti-fraud policy can have a positive impact on morale.
Engendered Trust
If management and employees do not trust the people leading and conducting the fraud risk assessment, they will not be open and honest about the realities of the business, its culture, and its vulnerability to fraud.
Instrumental Perspective
In other words, they choose to obey the law because they fear punishment for noncompliance.
Procedures to Prevent Fraud
Increasing the Perception of Detection
Proactive Audit Procedures
Use of Analytical Review Procedures
• Increasing expenses
• Increasing cost of sales
• Increasing receivables/decreasing cash
• Increasing inventories
• Increasing sales/decreasing cash
• Increasing returns and allowances
• Increasing sales discounts
Fraud Assessment Questioning
• Part of my duty as an auditor is to find fraud, waste, and abuse. Do you understand that?
• Do you think fraud is a problem for business in general?
• Do you think this company has any particular problem with fraud?
• Has anyone ever asked you to do anything that you felt was illegal or unethical?
• If you felt that there was a problem in the company with respect to fraud, what would you do?
• Do you have any indication that there is fraud occurring in the company now?
Surprise Audits Where Possible
Employee Anti-Fraud Education
Standard 1220—Due Professional Care
Internal auditors must apply the care and skill expected of a reasonably prudent and competent internal auditor. Due professional care does not imply infallibility.
1220.A3
Internal auditors must be alert to the significant risks that might affect objectives, operations, or resources. However, assurance procedures alone, even when performed with due professional care, do not guarantee that all significant risks will be identified.
2210.A1
Internal auditors must conduct a preliminary assessment of the risks relevant to the activity under review. Engagement objectives must reflect the results of this assessment.
2210.A2
Internal auditors must consider the probability of significant errors, fraud, noncompliance, and other exposures when developing the engagement objectives.
1210.A2
Internal auditors must have sufficient knowledge to evaluate the risk of fraud and the manner in which it is managed by the organization, but are not expected to have the expertise of a person whose primary responsibility is detecting and investigating fraud.
Standard 1210—Proficiency
Internal auditors must possess the knowledge, skills, and other competencies needed to perform their individual responsibilities. The internal audit activity collectively must possess or obtain the knowledge, skills, and other competencies needed to perform its responsibilities.
Board Committees
It is considered a best practice for public companies to form at least the following three board committees: • Audit committee • Compensation committee • Nominating committee
Country-Specific Corporate Governance Guidelines
Legislators, regulators, and other bodies in locations around the world have issued corporate governance guidance specific to their jurisdictions.
Ethical Principles in Government Auditing
Management
• Maintaining an ethical culture
• Clearly communicating acceptable behavior and expectations to each employee
• Creating an environment that reinforces and encourages ethical behavior throughout the organization
Auditors conducting audit work in an ethical manner is a matter of personal and organizational responsibility and emphasizes that the public expects auditors in the government sector to conduct their professional work in accordance with ethical principles.
THE PUBLIC INTEREST - the collective well-being of the community of people and entities the auditors serve
INTEGRITY - objective, fact-based, nonpartisan, and non-ideological with regard to audited entities and users of the auditors' reports.
OBJECTIVITY
• Being independent in mind and appearance
• Maintaining an attitude of impartiality
• Having intellectual honesty
• Being free of conflicts of interest
Mitigate the Risk
Management can mitigate the risk by implementing appropriate countermeasures, such as prevention and detection controls
Transfer the Risk
Management may transfer some or all of the risk by purchasing fidelity insurance or a fidelity bond.
Measuring Legitimacy and Compliance
Most admitted to parking illegally (51%) and speeding (62%), but very few admitted to shoplifting (3%). Of those participants, 27% confessed to disturbing the peace, 25% to littering, and 19% admitted to having driven while under the influence. 83% of respondents thought it was likely that they would be caught driving drunk; 78% thought the same for parking violations and shoplifting; 72% for speeding; 35% for disturbing the peace; and 31% for littering.
Standard 2210—Engagement Objectives
Objectives must be established for each engagement.
Committee of Sponsoring Organizations of the Treadway Commission (COSO)
Operations objectives, which pertain to the effectiveness and efficiency of the organization's operations
Reporting objectives, which pertain to the reporting of financial and nonfinancial information to internal and external parties
Compliance objectives, which pertain to the organization's adherence to the laws and regulations to which it is subject
Governance and culture
Strategy and objective-setting
Performance
Review and revision
Information, communication, and reporting
organizational crime.
Organizational crime is that which is committed by businesses, particularly corporations, and the government. Organizational crime occurs in the context of complex relationships and expectations among boards of directors, executives, and managers on the one hand, and among parent corporations, corporate divisions, and subsidiaries on the other.
fraud duration
Payroll - 30 months; check and payment tampering, financial statement, expense reimbursement, billing, cash larceny - 24 months; corruption - 22 months; skimming, noncash - 18 months; cash on hand, register disbursements - 12 months
LEGITIMACY AND EXPERIENCE
People are more likely to accept unfavorable rulings if they believe their case was handled fairly.
independent businessmen
Perpetrators in this category tended to use one of two common excuses: (1) they were "borrowing" the money they converted or (2) the funds entrusted to them were really theirs—you can't steal from yourself.
Steve Albrecht highly ranked factors from the list dealing with organizational environment were:
• Placing too much trust in key employees
• Lack of proper procedures for authorization of transactions
• Inadequate disclosures of personal investments and incomes
• No separation of authorization of transactions from the custody of related assets
• Lack of independent checks on performance
• Inadequate attention to details
• No separation of custody of assets from the accounting for those assets
• No separation of duties between accounting functions
• Lack of clear lines of authority and responsibility
• Department that is not frequently reviewed by internal auditors
CEO as Chairman
Public companies are required to have someone serve as chairman of the board.
shareholders
• Remaining informed on company operations and performance
• Reading annual reports and other communications from management to the shareholders
• Attending shareholder meetings
• Electing capable individuals to serve as board directors
• Holding the board of directors accountable for proper governance and oversight
• Appointing or ratifying the audit committee's appointment of the organization's independent auditors
• Voting on other significant issues, such as specific changes relating to business operations, the company's corporate governance framework, and the rights and responsibilities of the board of directors and executive managers
G. S. Leventhal proposed six standards for evaluating the fairness of a procedure
• Representativeness - relates to those parties whose concerns are affected throughout the allocation process.
• Consistency - refers to the uniform and unbiased treatment of all of the affected parties.
• Suppression of bias - guarantees that those involved with the outcome have no personal, vested interest in the case.
• Accuracy - refers to objective high quality.
• Correctability - involves the checks and balances provided in the system, which allow unfair decisions to be corrected, such as the appeals process.
• Ethicality - of course, involves the degree to which procedures meet generally held ethical standards of fairness and morality.
support the idea that employees should be involved in the development of policies and procedures
AUDIT COMMITTEE
Responsibilities of the audit committee include, but are not limited to: • Appointing, compensating, and overseeing external auditors • Reviewing financial reports • Overseeing the effectiveness of both the design and operation of the company's internal control structure • Reviewing management's and auditors' reports on internal controls over financial reporting • Overseeing the company's whistleblower policy and being available to receive tips from potential whistleblowers • Overseeing the establishment and implementation of the ethical code of conduct • Evaluating and communicating any possible instances of fraud to the company's legal counsel
Responsibility
Responsibility, as it pertains to corporate governance, applies both to the duty of internal parties (e.g., employees, managers, directors, and owners) to act in the best interest of the organization and to the duty of the organization as a whole to act in society's best interest.
departures.
Sentences that fall outside the guideline range
• Communication and training, by:
− Sharing information with other functions or parties (e.g., fraud investigation, legal, compliance, external audit, regulators), as appropriate
− Assisting in communicating and training employees in anti-bribery and anticorruption policies (to the extent that doing so does not impair their objectivity)
Criminogenic Organizational Structures
Sociologist Edward Gross asserted that all organizations are inherently "criminogenic" (i.e., prone to committing crime), but they are not necessarily criminal.
• The organization tends to recruit and attract similar individuals.
• Rewards are given out to those who display characteristics of the "company man."
• Long-term loyalty is encouraged through company retirement and benefits.
• Loyalty is encouraged through social interaction, such as company parties and social functions.
• Frequent transfers and long working hours encourage isolation from other groups.
• Specialized job skills can discourage personnel from seeking employment elsewhere.
Vaughan writes that organizational processes create "an internal moral and intellectual world" that causes individuals to identify with organizational goals.
Posters
Some companies might wish to use posters displayed in common areas
Classical Criminology
Some of the components of classical criminological theory are: • People have free will, which they can use to engage in either criminal or noncriminal behavior. • Criminal behavior will be more attractive if the gains are estimated to be greater than the losses. • The more certain, severe, and swift the reaction to crime, the more likely it is that the penalties will control the behavior.
Fairness
Sound corporate governance practices ensure that all stakeholders (e.g., shareholders, creditors, employees, management, and others) are treated equitably and given just and appropriate consideration.
two-tier boards
Such systems typically have a supervisory board that is composed of nonexecutive board members and a management board that is composed entirely of executives
Surveys
Surveys can be anonymous or directly attributable to individuals.
Middle Class
Tax fraud and bribery - These offenders were mainly white males, around 45 years old. Their crimes were not usually occupational—just 15% for tax fraud and less than 18% for bribery. Roughly 57% of offenders owned their own homes, and about 28% held a college degree. Their median assets ranged from $45,000-$49,500; median liabilities were between $19,000 and $23,500. The authors remark that, although tax fraud is a typical white-collar crime, "two-thirds of the tax offenders work in the manufacturing or nonprofessional service sectors."
The Environmental Risk Index
The Environmental Risk Index is an assessment of macro-level fraud risk indicators that can affect the organization's vulnerability to fraud. These include factors such as pressures on the business, the organization's system of internal controls, the tone at the top,
ISO 31000
The ISO 31000 family of standards includes: • ISO 31000:2018, Risk Management—Guidelines • ISO/IEC 31010:2009, Risk Management—Risk Assessment Techniques, which focuses on risk assessment concepts, processes, and techniques • ISO Guide 73:2009, Risk Management Vocabulary, which includes terms and definitions related to risk management
Leadership Risk Profile
The Leadership Risk Profile is developed to provide a macro-level organizational view of which business leaders, if any, increase the organization's vulnerability to fraud through their: • Leadership style • Operating behaviors • Decision-making practices
THE PREVENT/DETECT INDEX
The Prevent/Detect Index assesses the quality of the specific mechanisms that the organization has in place to prevent or detect potential fraud, particularly those fraud schemes for which the company is at the greatest risk.
UPWARD DEPARTURES
The USSG list the following as factors that could justify an upward departure: • The offense involved a foreseeable risk of death or bodily injury. • The offense constituted a threat to national security. • The offense presented a threat to the environment. • The offense presented a risk to the integrity or continued existence of a market. • The offense involved official corruption. • The organization's culpability score was reduced because it had an effective compliance program, but the program was only implemented because of a court order or administrative order. In cases such as this, the court can impose an upward departure to offset all or part of the reduction. • The organization's culpability score is greater than ten.
DOWNWARD DEPARTURES
The USSG list the following factors that could justify a downward departure: • Substantial assistance to the authorities in the investigation or prosecution of another organization or individual. • The organization is a public entity. • Members or beneficiaries (other than shareholders) of the organization are direct victims of the offense. A downward departure in these cases may be warranted because a fine might increase the burden on the victims. • The organization has agreed to pay remedial costs that greatly exceed the organization's gain from the offense. • The organization has an exceptionally low culpability score because: there was no involvement by anyone with substantial authority in the organization; there was an effective compliance program in place; and the base fine was determined by some means other than the organization's gain from the offense.
PROCEDURES FOR HANDLING COMPLAINTS
The audit committee is required to establish procedures (e.g., a hotline) for receiving, retaining, and dealing with complaints, including confidential or anonymous employee tips, regarding irregularities in the company's accounting methods, internal controls, or auditing matters.
PCAOB AS 2201—An Audit of Internal Control Over Financial Reporting That Is Integrated with An Audit of Financial Statements
The auditing standard was intended to improve the efficiency and effectiveness of internal control audits, while also reducing unnecessary costs, especially for smaller public companies.
AU-C Section 240—Consideration of Fraud in a Financial Statement Audit
"The auditor has a responsibility to plan and perform the audit to obtain reasonable assurance about whether the financial statements as a whole are free of material misstatement, whether due to fraud or error." • Introduction, including the scope of the standard, characteristics of fraud, responsibility for prevention and detection of fraud, auditor objectives, and definitions • Professional skepticism • Discussion among engagement personnel regarding risk of material misstatement due to fraud • Risk assessment procedures and related activities • Identification and assessment of the risks of material misstatements due to fraud • Responses to the assessed risks of material misstatement due to fraud • Evaluation of audit evidence • Communicating about fraud to management, those charged with governance, and regulatory and enforcement authorities • Documentation of the auditor's consideration of fraud
Performing an ICOFR Audit INTEGRATING THE INTERNAL CONTROL AUDIT AND THE FINANCIAL STATEMENT AUDIT
The auditor should design and perform the tests of controls in a manner that yields sufficient evidence to support both the auditor's opinion at year-end and the auditor's control risk assessment for the financial statement audit.
TESTING CONTROLS
The auditor should test both the design and operating effectiveness of the company's ICOFR.
Establish fraud risk governance roles and responsibilities throughout the organization—
The board of directors and senior management identify the roles and responsibilities of all personnel as they relate to fraud risk governance.
Communicate fraud risk management at all organizational levels—
The board of directors and senior management support the ongoing effectiveness of the fraud risk management program by maintaining and communicating a continuous focus on fraud deterrence, prevention, and detection throughout the organization.
Establish a comprehensive fraud risk management policy—
The board of directors and senior management provide a solid foundation of fraud risk management by establishing a comprehensive fraud risk management policy
Document the fraud risk management program—
The board of directors and senior management ensure that the fraud risk management program is thoroughly documented and updated on a regular basis.
Support fraud risk governance—
The board of directors and senior management make an organizational commitment to fraud risk management as a key element of corporate governance.
Statement of Commitment
The board of directors and senior management should communicate, in writing, their commitment to proactively preventing, detecting, and addressing fraud. • Be endorsed or authored by a senior executive or board member • Be provided to employees as part of the orientation process and be reissued periodically • Stress the importance of fraud risk mitigation • Acknowledge the organization's vulnerability to fraud • Establish the responsibility of each person within the organization to support fraud risk management efforts • Reinforce management's no tolerance stance on fraudulent behavior
National Commission on Fraudulent Financial Reporting (the Treadway Commission)
The board of directors should have a mandatory independent audit committee made up of outside directors. Companies should develop a written charter that sets forth the duties and responsibilities of the audit committee. The audit committee should have adequate resources and authority to carry out its responsibilities. The audit committee should be composed of members who are informed, vigilant, and effective
V. Disclosure and Transparency
The corporate governance framework should ensure that timely and accurate disclosure is made on all material matters regarding the corporation, including the financial situation, performance, ownership, and governance of the company. A. Disclosure should include, but not be limited to, material information on: 1. The financial and operating results of the company. 2. Company objectives and nonfinancial information. 3. Major share ownership, including beneficial owners, and voting rights. 4. Remuneration of members of the board and key executives. 5. Information about board members, including their qualifications, the selection process, other company directorships, and whether they are regarded as independent by the board. 6. Related-party transactions. 7. Foreseeable risk factors. 8. Issues regarding employees and other stakeholders. 9. Governance structures and policies, including
VI. The Responsibilities of the Board
The corporate governance framework should ensure the strategic guidance of the company, the effective monitoring of management by the board, and the board's accountability to the company and the shareholders.
Ensuring the Basis for an Effective Corporate Governance Framework
The corporate governance framework should promote transparent and fair markets and the efficient allocation of resources. It should be consistent with the rule of law and support effective supervision and enforcement. A. The corporate governance framework should be developed with a view to its impact on overall economic performance, market integrity, and the incentives it creates for market participants and the promotion of transparent and well-functioning markets. B. The legal and regulatory requirements that affect corporate governance practices should be consistent with the rule of law, transparent, and enforceable. C. The division of responsibilities among different authorities should be clearly articulated and designed to serve the public interest. D. Stock market regulation should support effective corporate governance. E. Supervisory, regulatory, and enforcement authorities should have the authority, integrity, and resources to fulfill their duties in a professional and objective manner. Moreover, their rulings should be timely, transparent, and fully explained. F. Cross-border cooperation should be enhanced, including through bilateral and multilateral arrangements for exchange of information.
III. Institutional Investors, Stock Markets, and Other Intermediaries
The corporate governance framework should provide sound incentives throughout the investment chain and provide for stock markets to function in a way that contributes to good corporate governance.
IV. The Role of Stakeholders in Corporate Governance
The corporate governance framework should recognize the rights of stakeholders established by law or through mutual agreements and encourage active cooperation between corporations and stakeholders in creating wealth, jobs, and the sustainability of financially sound enterprises.
Assess the personnel or departments involved and all aspects of the Fraud Triangle—
The fraud risk assessment team focuses on incentives and pressures, opportunities, and attitudes and rationalizations to commit fraud.
Identify existing fraud control activities and assess their effectiveness—
The fraud risk assessment team identifies and evaluates existing controls for effectiveness to determine residual fraud risks that require mitigation.
Include entity, subsidiary, division, operating unit, and functional levels—
The fraud risk assessment team recognizes that frauds can happen at any level or component of the organization.
Specifically consider the risk of management override of controls—
The fraud risk assessment team understands that catastrophic frauds have been perpetrated by senior members of management overriding existing and otherwise effective controls and focuses on these risks.
Estimate the likelihood and significance of risks identified—
The fraud risk assessment team carefully evaluates the probability that each particular fraud could occur and the potential effects on the organization if that particular fraud occurs.
Consider various types of fraud—
The fraud risk assessment team considers a wide range of possible fraud schemes and exposures.
Analyze internal and external factors—
The fraud risk assessment team considers both internal and external factors and their impact on the achievement of objectives.
Involve appropriate levels of management—
The fraud risk assessment team includes appropriate levels of management.
Determine how to respond to risks—
The fraud risk assessment team's ultimate goal is to formulate effective and appropriate responses to all fraud risks.
Standard 2130—Control
The internal audit activity must assist the organization in maintaining effective controls by evaluating their effectiveness and efficiency and by promoting continuous improvement
2120.A1
The internal audit activity must evaluate risk exposures relating to the organization's governance, operations, and information systems regarding the: • Achievement of the organization's strategic objectives • Reliability and integrity of financial and operational information • Effectiveness and efficiency of operations • Safeguarding of assets • Compliance with laws, regulations, and contracts
2130.A1
The internal audit activity must evaluate the adequacy and effectiveness of controls in responding to risks within the organization's governance, operations, and information systems regarding the: • Achievement of the organization's strategic objectives • Reliability and integrity of financial and operational information • Effectiveness and efficiency of operations • Safeguarding of assets • Compliance with laws, regulations, and contracts
2110.A1
The internal audit activity must evaluate the design, implementation, and effectiveness of the organization's ethics-related objectives, programs, and activities.
Standard 2120—Risk Management
The internal audit activity must evaluate the effectiveness and contribute to the improvement of risk management processes.
2120.A2
The internal audit activity must evaluate the potential for the occurrence of fraud and how the organization manages fraud risk.
Use data analytics techniques for fraud risk assessment and fraud risk responses—
The organization uses data analytics to improve the effectiveness and results of the fraud risk assessment.
Fraud Investigation and Corrective Action
The organization establishes a communication process to obtain information about potential fraud and deploys a coordinated approach to investigation and corrective action to address fraud appropriately and in a timely manner.
Fraud Risk Governance
The organization establishes and communicates a fraud risk management program that demonstrates the expectations of the board of directors and senior management and their commitment to high integrity and ethical values regarding managing fraud risk.
Fraud Risk Assessment
The organization performs comprehensive fraud risk assessments to identify specific fraud schemes and risks, assess their likelihood and significance, evaluate existing fraud control activities, and implement actions to mitigate residual fraud risks.
Perform periodic reassessments and assess changes to fraud risk—
The organization repeats the risk assessment process periodically and considers changes affecting the organization— including changes in the external environment, operations, personnel, and leadership— that can affect fraud risks.
Fraud Control Activities
The organization selects, develops, and deploys preventive and detective fraud control activities to mitigate the risk of fraud events occurring or not being detected in a timely manner.
Fraud Risk Management Monitoring Activities
The organization selects, develops, and performs ongoing evaluations to ascertain whether each of the five principles of fraud risk management is present and functioning and communicates deficiencies in the fraud risk management program in a timely manner to parties responsible for taking corrective action, including senior management and the board of directors.
Diane Vaughan
The organization tends to recruit and attract similar individuals. Rewards are given out to those who display characteristics of the "company man." Long-term loyalty is encouraged through company retirement and benefits. Loyalty is encouraged through social interaction, such as company parties and social functions. Frequent transfers and long working hours encourage isolation from other groups. Specialized job skills can discourage personnel from seeking employment elsewhere.
Document the risk assessment—
The organization understands that the risk assessment serves as the central element of the fraud risk management process and ensures that it is carefully and thoroughly documented.
Routine Activities Theory
The view that crime is a normal function of the routine activities of modern living. Offenses can be expected if there is a motivated offender and a suitable target that is not protected by capable guardians.
Attestation Engagements
These engagements involve expressing a specified level of assurance about the subject matter or assertion related to the subject matter depending on the users' need • Examination, which involves expressing an opinion on "whether the subject matter is in accordance with (or based on) the criteria, or the assertion is fairly stated, in all material respects" • Review, consisting of expression of a conclusion about "whether any material modification should be made to the subject matter in order for it to be in accordance with (or based on) the criteria or to the assertion in order for it to be fairly stated" • Agreed-upon procedures, which involve performing specific procedures on the subject matter or an assertion and reporting on those findings without expressing an opinion or conclusion
AU-C Section 240.
These illustrative risk factors are classified based on the three conditions that are generally present when fraud exists: • An incentive or pressure to commit fraud • A perceived opportunity to commit fraud • An ability to rationalize the fraudulent action These three conditions make up the Fraud Triangle, a framework created by American Sociologist Donald R. Cressey,
Bank embezzlement
These offenders were placed outside the rankings because they were dramatically younger (a mean age of 31) and more likely to be female (44.8% female/55.2% male) than the other groups. While nearly 25% of the low-status group was unemployed at the time of their crime, only 3% of embezzlers were without a job (just slightly above the 2.8% rate for high-status offenders). They were the group least likely to have a college degree (12.9%) or to own their own home (28.4%). Their median net worth was $2,000 in assets with $3,000 in liabilities. Male embezzlers were usually managers of a local banking operation, while females were most often tellers or clerical workers.
brainstorming
This discussion should cover:
• How and where the entity's financial statements might be susceptible to fraud
• How management could perpetrate and conceal fraudulent financial reporting
• How the entity's assets could be misappropriated
This discussion should also include a consideration of known external and internal factors affecting the entity that might:
• Create incentives or pressures for management and others to commit fraud.
• Provide the opportunity for fraud to be perpetrated.
• Indicate a culture or environment that enables management and others to rationalize committing fraud.
Attesting to the Effectiveness of ICOFR
This includes not only the auditor's tests of controls, but also any misstatements detected during the financial statement audit, as well as any identified control
DRP Managers
This individual should be a senior-level employee with the power to enforce the policy. A DRP manager is responsible for: • Implementing the DRP • Ensuring that employees understand and follow the DRP's purpose • Providing oversight on actual retention and destruction of documents • Ensuring proper storage of documents • Periodically following up with counsel to ensure proper retention periods are in place • Suspending the destruction of documents upon foreseeable litigation • Informing corporate officers, directors, and employees of changes in relation to the DRP
Transparency
Transparency in the context of corporate governance generally refers to the clarity, accuracy, completeness, and timeliness of the financial statements and other information provided by management to shareholders.
The USSG and COSO
USSG contain explicit requirements for an effective control program. COSO does not mandate specific actions. The seven minimum requirements of the USSG are covered within the COSO system.
fraudulent offenses
• Using company equipment (e.g., office supplies, company vehicles, mobile phones, computers) for personal reasons • Stealing company assets (e.g., cash, receivables, inventory) • Inflating reported hours worked • Forging or altering checks and other documents • Disclosing proprietary information to competitors • Accepting bribes from or paying bribes to vendors or customers • Engaging in transactions in which the employee has an undisclosed conflict of interest • Destroying company records with malicious intent • Intentionally misstating financial statements
employee anti-fraud training
• What fraud is, including examples of what behavior is acceptable and what is not • How fraud hurts the organization • How fraud hurts employees • Common characteristics that lead individuals to commit fraud (i.e., pressure, opportunity, and ability to rationalize the act) • How to identify fraud (i.e., specific examples of financial, transactional, behavioral, and other red flags to watch for) • How to report fraud • The punishment for dishonest acts, including examples of past transgressions and how they were handled
Emotions, according to Skinner, are a predisposition for people's actions
When managers are faced with disgruntled with adequate compensation and recognition of workers' accomplishments. Incentive programs and task-related bonuses follow this principle, assuming that employees who feel challenged and rewarded by their jobs
Communicating About Possible Fraud to Management, the Audit Committee, Regulators, and Others AS 2401 states:
Whenever an auditor has determined that there is evidence that fraud may exist, that matter should be brought to the attention of an appropriate level of management. Fraud involving senior management and fraud (by anyone) that causes a material misstatement should be reported directly to those charged with governance. AS 2401 points out that there might be a duty to disclose the information to outside parties in the following circumstances: • To comply with certain legal and regulatory requirements (e.g., SEC rules) • To inform successor auditors pursuant to auditing standard requirements • In response to a subpoena • To a funding agency or other specified agency in accordance with the requirements for audits of entities that receive governmental financial assistance
Pleas by White-Collar Defendants
White-collar defendants are more likely to insist on a trial than other offenders. In 90% of criminal cases, defendants plead guilty, avoiding the expense and effort of a trial. More than 18% of defendants in the Crimes of the Middle Classes sample (as opposed to the usual 10%) pleaded not guilty.
When money is missing, the fraud examiner traces the known flow of funds and then asks,
"Who had the opportunity and the motive to get at this money?"
Accountability
Willingness to take credit and blame for actions. In most corporations, the owners (i.e., shareholders) are separate from the decision-makers (i.e., management) and overseers (i.e., board of directors). To make sure that the organization operates effectively and efficiently, there must be mechanisms in place to ensure that management is accountable to the board and that the board is accountable to the shareholders.
Yellow Book REPORTING STANDARDS
Yellow Book incorporates the AICPA's generally accepted standards of reporting with several additional standards: • Reporting that the audit was performed in accordance with Yellow Book standards • Reporting on internal control and on compliance with provisions of laws, regulations, contracts, and grant agreements • Presenting findings in the audit report • Reporting directly to parties outside the audited entity • Obtaining and reporting the views of responsible officials in instances where the report discloses deficiencies in internal control, fraud, and noncompliance • Reporting confidential or sensitive information • Distributing reports
self-control
You can't foresee all future circumstances, and you can't specify adequate future conduct. You don't know what will be required. Instead, you have to set up certain behavioral processes which will lead the individual to design his own "good" conduct when the time comes.
decision control
ability to choose among alternative courses of action
Social structure theories
address the relationships between individuals and large-scale social arrangements, such as class structure and the economy.
Ex-post rights
allow the seeking of redress once rights have been violated
Anonymous Feedback Mechanisms
Anonymous suggestion boxes or similar mechanisms are used to encourage and solicit frequent employee feedback. In these companies, information pertaining to the fraud risk assessment can be requested in the same way: "If you thought fraud were occurring in the company, would you come forward? Why or why not?"
Differential reinforcement theory
another attempt to explain crime as a type of learned behavior. It is a revision of Sutherland's work that incorporates elements of the psychological learning theory popularized by B. F. Skinner and the social learning theory discussed previously.
G20/OECD Principles of Corporate Governance
are intended to help policymakers evaluate and improve the legal, regulatory, and institutional framework for corporate governance with a view to support economic efficiency, sustainable growth, and financial stability. The Principles: • Request that governments have in place an effective legal, regulatory, and institutional framework to support good corporate governance practices (Chapter I) • Call for a corporate governance framework that protects the exercise of shareholders' rights and supports the equal treatment of all shareholders, including minority and foreign shareholders (Chapter II) • Address the effect of institutional investors and other intermediaries in stock markets and the resulting corporate governance implications (Chapter III) • Recognize the importance of the role of stakeholders in corporate governance (Chapter IV) • Examine the importance of timely, accurate, and transparent disclosure mechanisms (Chapter V) • Address board structures, responsibilities, and procedures (Chapter VI). A corporate governance framework should: • Promote transparent and fair markets and the efficient allocation of resources • Be consistent with the rule of law • Support effective supervision and enforcement • Protect and facilitate the exercise of shareholders' rights • Ensure the equitable treatment of all shareholders, including minority and foreign shareholders • Provide all shareholders with the opportunity to obtain effective redress for violation of their rights • Create sound incentives throughout the investment chain • Enable stock markets to function in a way that contributes to good corporate governance • Recognize the rights of stakeholders established by law or through mutual agreements • Encourage active cooperation between corporations and stakeholders in creating wealth, jobs, and the sustainability of financially sound enterprises • Ensure that timely and accurate disclosure is made on all material matters regarding the corporation, including the company's financial situation, performance, ownership, and governance • Ensure the strategic guidance of the company, the effective monitoring of management by the board, and the board's accountability to the company and the shareholders.
Preventive controls
are those manual or automated processes that stop something bad from happening before it occurs.
conditioning theory
argues that the failure of a person to incorporate the rules of society satisfactorily represents the major explanation for subsequent criminal behavior
CATEGORIES OF OCCUPATIONAL FRAUD
• Asset misappropriation: occurring in 89% of cases and the least costly, causing a median loss of $114,000 (schemes include check/payment tampering, billing, and non-cash) • Corruption: 38% of the cases, with a loss to the victim organizations of $250,000 • Financial statement fraud: occurred in 10% of the cases and caused a median loss of $800,000.
Probation
at least one year. In no case may probation run for more than five years. • To secure payment of restitution, enforcement of a remedial order, or to ensure completion of community service • To safeguard the organization's ability to pay a monetary penalty that was not fully paid at the time of sentencing • When an organization with at least fifty employees did not have an effective program to detect and prevent violations of law • When the organization was adjudicated within the past five years to have committed misconduct similar to any part of the misconduct of the offense in question • When a high-level employee was involved in the offense in question and was criminally convicted of similar conduct within the past five years • When such an order is necessary to ensure changes are made to reduce the likelihood of future criminal conduct • When the sentence does not include a fine • When such an order is necessary in order to accomplish one or more purposes of sentencing set forth in 18 U.S.C. § 3553(a)(2)
FINE MULTIPLES
begins with a preset score of five on a scale of zero to ten
operant conditioning
behavior controlled by stimuli that follow the behavior
punishment
Brings a temporary suppression of the behavior, but only with constant supervision and application. Either applying a negative stimulus or taking away a positive one effectively extinguished a subject's behavior. • Presents negative stimuli • Withdraws positive stimuli
Detective controls
can also be manual or automated but are designed to identify something bad that has already occurred.
Standard 2060—Reporting to Senior Management and the Board
chief audit executive must report periodically to senior management and the board on the internal audit activity's purpose, authority, responsibility, and performance relative to its plan and on its conformance with the IIA Code of Ethics and the Standards
Report over Internal Controls Section 404(b) of SOX.
company with less than $250 million of public float to be granted a permanent exemption from Section 404(
process control
control over the opportunity to state one's case
Detective
controls can also be manual or automated but are designed to identify something bad that has already occurred. • Establishing and marketing the presence of a confidential reporting system, such as a whistleblower hotline • Implementing proactive controls for the fraud detection process, such as independent reconciliations, reviews, physical inspections and counts, analysis, and audits • Implementing proactive fraud detection procedures, such as data analysis and continuous auditing techniques • Performing surprise audits
Civil Liability Section 806 of SOX
creates a civil liability for an employer who, out of retaliation, fires, demotes, suspends, threatens, harasses, or discriminates against an employee who provided information or otherwise assisted in an investigation of fraudulent activity. It applies to employees of publicly traded companies.
white collar crime
Crime committed by people of high social position in the course of their occupations. White-collar violations are those violations of law . . . that involve the use of a violator's position of economic power, influence, or trust in the legitimate economic or political institutional order for the purpose of illegal gain, or to commit an illegal act for personal or organizational gain.
Compounding a Felony
The criminal act of compounding a felony can result from participating in a trade of restitution for an agreement to forgo prosecution.
Schrager and Short say
criminal behavior stems more from the roles an employee is expected to fulfill than from individual pathology
Policy Statement
define fraud and outline management's position or attitude toward fraud in the workplace.
criteria considered when deciding to bring criminal action against a corporation
degree of loss to the public, the duration of the violation, the level of complicity by high corporate managers, the frequency of the violation, evidence of intent to violate, evidence of extortion, the degree of notoriety engendered by the media, precedent in law, a history of serious violations by the corporation, deterrence potential, and the degree of cooperation demonstrated by the corporation.
High dollar criminals
describe their machinations as a kick or thrill; they feel like they're playing a game, and it's the game of their lives
Compliance
designed to achieve conformity to the law without having to detect, process, or penalize violators. In a compliance system, an offense is often called a technical violation. Compliance systems provide economic incentives for voluntary compliance with the laws and use administrative efforts to control violations before they occur.
deterrence
designed to detect law violations, determine who is responsible, and penalize offenders to deter future violations. Deterrence systems try to control the immediate behavior of individuals, not the long-term behaviors targeted by compliance systems.
Assume the Risk
determines that the probability of occurrence and impact of loss are low. Management may decide that it is more cost effective to assume the risk than it is to eliminate the asset or discontinue the activity, buy insurance to transfer the risk, or implement countermeasures to mitigate the risk
Strain Theories
Crime is the direct result of the frustration and anger people experience over their inability to achieve the social and financial success they desire; for example, Robert Merton's theory of anomie.
Integrated theories
draw from choice theory, biological theory, and psychological theory. These theories often acknowledge that, while criminal activity is a choice, this choice is heavily influenced by biological, psychological, and social factors.
CEO duality
duality concentrates significant power in the hands of one person
Avoid the Risk
eliminating an asset or discontinuing an activity if the control measures required to protect the organization against an identified threat are too expensive.
Criminal Sanctions Section 1107 of SOX
establishes criminal sanctions for anyone who intentionally retaliates against another party for providing information regarding an alleged federal offense to a law enforcement officer. Section 1107 applies to all individuals, regardless of where they work.
PCAOB AS 2401—Consideration of Fraud in a Financial Statement Audit
establishes requirements and provides direction relevant to fulfilling that responsibility, as it relates to fraud, in an audit of financial statements. • Description and characteristics of fraud • The importance of exercising professional skepticism • Responding to assessed fraud risks • Communicating about fraud to management, the audit committee, and others • Documenting the auditor's consideration of fraud
conflict of interest
exists when a fraud examiner's ability to objectively evaluate and present an issue for a client is impaired by a current, prior, or potential future relationship with parties to the fraud examination.
USSG Organizational Guidelines provide four types of remedies a judge may consider
fines, restitution, remedial orders, and probation.
Ex-ante rights
for example, pre-emptive rights and qualified majorities for certain decisions.
Geis
found that individuals are quite often trained in illegal behavior as part of their occupational roles
Privileged information
fraud examiners do not have any such privilege in common law or by statute, and the ACFE Code of Professional Ethics does not assume a privileged status for the fraud examiner-client/employer relationship.
Board of Directors
Generally elected by the entity's voting members; also known as a board of governors, board of regents, or board of trustees. Elected directors might be major shareholders or executives of the organization, or they might be completely independent of the organization aside from their role on the board. Discussions of the fraud risk management program's design, components, and effectiveness should be formally incorporated. The board oversees business operations by assessing the strategy and underlying purpose of management's decisions and actions. Its responsibilities include: • Setting an appropriate tone and realistic expectations of management to enforce an anti-fraud culture • Gaining a working knowledge of the organization's activities and the environments in which it operates • Raising awareness of the risks of fraud throughout the organization • Developing a strategy to assess and manage fraud risks that aligns with the organization's risk appetite and strategic plans • Overseeing the organization's fraud risk management activities • Maintaining open communications with senior management and other personnel
GAO's Yellow Book
Guidance for auditors of government entities and entities that receive government awards; it is used for oversight, accountability, transparency, and improvement of government programs and operations.
Social learning theories
hold that criminal behavior is a function of the way people absorb information, viewpoints, and motivations from others, most notably from those with whom they are close, such as members of their peer group
Social process theories
hold that criminality is a function of individual socialization and the social-psychological interactions people have with the various organizations, institutions, and processes of society.
high road
holding oneself to the highest moral standards and striving to uphold those standards even when faced with the pressure to act in an undignified and unethical fashion.
NOMINATING COMMITTEE
identifying, evaluating, and nominating new directors to the board. It also facilitates the election of the new directors by shareholders. Responsibilities of the nominating committee include, but are not limited to: • Reviewing current directors' performance • Assessing the need for new directors • Having an objective nominating process for qualified candidates to the board • Communicating any issues regarding board candidates with shareholders
design effectiveness of the controls
if operated as prescribed, satisfy the company's control objectives and can effectively prevent or detect errors or fraud that could result in material misstatements
significance of each potential fraud
immaterial, significant, or material. • Financial statement and monetary significance • Financial condition of the organization • Value of the threatened assets • Criticality of the threatened assets to the organization • Revenue generated by the threatened assets • Significance to the organization's operations, brand value, and reputation • Whether employees suffered any financial damages • Whether any financial damages have been caused to third parties (e.g., customers) • Criminal, civil, and regulatory liabilities • Whether the fraud results in required reporting to governmental authorities • Reputational damage among stakeholders (e.g., customers, stockholders) • Adverse media coverage • Advantages to competing companies • Decline in employee morale • Lost productivity • Loss of key staff • Whether the event would result in data loss • Whether the event would result in a work stoppage • Time spent investigating and following up on the fraud event
Substantial authority personnel is
"individuals who exercise a substantial measure of discretion in acting on behalf of an organization."
Occupational crime
involves legal offenses committed by individuals in the course of their occupation. • Crimes for the benefit of an employing organization (organizational occupational crime) • Crimes by officials through exercise of their government-based authority (government authority occupational crime) • Crimes by professionals in their capacity as professionals (professional occupational crime) • Crimes by individuals as individuals
Differential reinforcement
is a learning technique used to distinguish acceptable behavior from unacceptable behavior by rewarding the desired behavior, thus reinforcing it.
Fraud risk assessment
is a process aimed at proactively identifying and addressing an organization's vulnerabilities to both internal and external fraud.
Slander
is a spoken defamation
supervisory board
is headed by the chairman and consists solely of independent non-executive directors who are elected by the shareholders.
Management
is responsible for making the day-to-day decisions that affect company performance and, ultimately, shareholder wealth. Management is also responsible for the prevention and detection of fraud within an organization. Management's roles pertaining to corporate governance include: • Establishing strategic goals and operating objectives under the board's oversight • Directing employees to carry out business activities and managing their performance of those tasks • Determining the use and allocation of company resources and assets • Evaluating the organization's successes or failures and recalibrating the strategic approach accordingly • Holding responsibility for the design and operation of the organization's internal controls • Setting the organization's true ethical tone
Moral philosophy
is the branch of philosophy that involves systematizing, championing, and advocating concepts of right and wrong
Enterprise Risk Management—Integrating with Strategy and Performance. ERM
is the culture, capabilities, and practices, integrated with strategy-setting and its performance, that organizations rely on to manage risk in creating, preserving, and realizing value.
Normative Perspective
is what one considers just and moral. A person might indulge in illegal drugs but refrain from stealing, one being morally acceptable in their view and the other not. Under this perspective, compliance is unforced and voluntary.
difference between the instrumental and the normative
is whether one focuses on procedures rather than results. Those adhering to the normative point of view will, for example, be more concerned with being treated justly in court rather than with winning or losing their case. The instrumentalist, on the other hand, focuses on the outcome of their case and is less concerned with procedures. In their mind, a procedure is fair if it is favorable.
Libel
is written defamation of someone else's character. A defamatory statement must: • Contain words that injure another person's character or reputation or expose them to ridicule or contempt • Be communicated orally or in writing to other people • Cause an actual damage to the person who is the subject of the communication
Document Retention Policies
It is imperative that the organization consider all applicable laws and regulations regarding recordkeeping requirements. The organization should: (1) establish retention protocols before it foresees litigation or official investigation; (2) develop, review, and/or amend a policy for compliance with the applicable laws and regulations; (3) ensure the reasonableness of the policy according to the company's business practices; (4) provide a concise explanation of what is to be destroyed and when; (5) provide adequate protocols for management of electronic documents; and (6) clearly set forth when the policy should be immobilized due to a pending investigation or foreseeable litigation. Records addressed by such a policy typically include accounting records, corporate tax records, bank records, employment records, various workplace records (including in-house emails and client correspondence), and legal records.
Biological theories
maintain that criminal behavior is not the result of choice (the calculation of benefits and potential losses), but rather is caused by the physical traits of those who commit crime.
Section 404 of SOX, and SEC Release Nos. 33-8238 and 34-47986,
management's responsibility pertaining to the company's internal control over financial reporting has been increased substantially.
U.S. Congress, in the Comprehensive Crime Control Act of 1984,
mandated uniform sentencing guidelines to eliminate punishment disparities that existed for federal offenders. The USSG for individuals (the Individual Guidelines) are laid out in the USSC's Guidelines Manual, which is released annually. The USSG became advisory rather than mandatory.
Voluntary Compliance
matters only to the extent to which it produces obedience that goes beyond self-interest, measured by most of us by reward and punishment. A normative driver will accept being a few minutes late to their appointment in order to obey the speed limit, thus making the roads safer for everyone.
False Imprisonment
means more than putting a person behind bars. Courts have found many types of detainment to constitute false imprisonment, including locking an employee in a store, locking a passenger in a vehicle, and detaining a witness by force.
authority leakage
means the company has become too unwieldy for an executive to enforce rules at all levels.
Conflict Disclosure
mechanism for directors, employees, and contractors to self-disclose to the organization any potential or actual conflicts of interest.
PCAOB AS 1215—Audit Documentation
Memoranda, confirmations, correspondence, schedules, audit programs, and letters of representation prepared and obtained during the audit engagement. Audit documentation "should be prepared in sufficient detail to provide a clear understanding of its purpose, source, and the conclusions reached." It should: • Demonstrate that the engagement was conducted in compliance with the standards of the PCAOB • Support the basis for the auditor's conclusions concerning all relevant financial statement assertions • Demonstrate that the underlying accounting records agree to or reconcile with the financial statements. Audit documentation should contain sufficient information to enable an experienced auditor with no previous connection with the engagement:
Alternatives to Punishment
Modify the circumstances surrounding the act; for example, the company could offer financial counseling, pay advances, or low-interest loans, thereby alleviating financial difficulties without the employee having to resort to fraud.
Utilitarianism
offenders will calculate potential gains and losses before they decide to disobey the law.
corporate governance
oversight responsibilities of different parties for an organization's direction, operations, and performance
Shareholders
owners of corporations; they can be individual investors or institutional investors, such as pension funds, mutual fund groups, investment trusts, or insurance companies. • Remaining informed on company operations and performance • Reading annual reports and other communications from management to the shareholders • Attending shareholder meetings • Electing capable individuals to serve as board directors • Holding the board of directors accountable for proper governance and oversight • Appointing or ratifying the audit committee's appointment of the organization's independent auditors • Voting on other significant issues, such as specific changes relating to business operations, the company's corporate governance framework, and the rights and responsibilities of the board of directors and executive managers
restitution
payment for an injury; compensation
absconders
people who take the money and run. Cressey found that the non-shareable problems for absconders usually resulted from physical isolation.
Conjuncture of Events
All three elements (a perceived non-shareable financial problem, a perceived opportunity, and the ability to rationalize) must come together for the trust violation to occur.
Fraud Risk Management Guide (FRM 2016),
personnel at all levels of the organization—including every level of management, staff, and internal auditors—have responsibility for managing fraud risk.
social control theory
Premised on the idea that people's personal relationships, values, beliefs, and commitments can encourage them to obey the law. The theory suggests that if a person fails to become attached to the variety of control agencies of the society, that person's chances of violating the law increase. • Attachment: refers primarily to affection-type ties with people such as parents, teachers, and peers • Commitment: refers to cost factors involved in criminal activity • Involvement: concerns matters such as time spent on the job, that is, participation in activities related to future goals and objectives • Belief: refers to a conviction about the legitimacy of conventional values, such as the law in general and criminal justice prescriptions in particular. The theory assumes the bond of affection for conventional persons is a major deterrent to crime: "The stronger this bond, the more likely the person is to take it into account when and if he contemplates a criminal act." What will my spouse, or my mother and father, think if they find out?
positive reinforcement
Presents a positive stimulus in exchange for the desired response. • Presents positive stimuli • Withdraws negative stimuli
organizations victimized by occupational fraud
• Private company: 42% of cases, median loss $164,000 • Public company: 20% of cases, median loss $117,000 • Not-for-profit: 9% of cases, median loss $75,000 • Other: 4% of cases, median loss $120,000
Preventive controls
Processes that stop something bad from happening before it occurs. • Bringing awareness of the fraud risk management program to personnel throughout the organization • Performing background checks on employees (where permitted by law) • Hiring competent personnel and providing them with anti-fraud training • Conducting exit interviews • Implementing policies and procedures • Separating duties • Implementing physical security measures • Implementing security measures to restrict electronic access to data • Ensuring proper alignment between an individual's authority and level of responsibility • Reviewing third-party and related-party transactions
Financial Audits Yellow Book
provide an independent assessment of whether an entity's reported financial information (e.g., financial condition, results, and use of resources) is presented fairly in accordance with recognized criteria. Financial audits include: • Reporting on internal controls over financial reporting • Reporting on compliance with laws, regulations, and provisions of contracts and grant agreements that have a material effect on the financial statements • Providing special reports for specified elements, accounts, or items of a financial statement • Issuing letters for underwriters or other requesting parties • Auditing compliance and internal control requirements relating to one or more government programs • Conducting an audit of internal controls over financial reporting that is integrated with an audit of financial statements (integrated audit)
effective compliance program
reasonably designed, implemented, and enforced so that it generally will be effective in preventing and detecting criminal conduct
Legality
refers to lawfulness by conformity to a legal statute
Morality
refers to the underlying codes of right and wrong.
Objectivity
refers to the ability to conduct fraud examinations without being influenced by one's own personal feelings or the feelings and motives of others.
ethics
refers to the appropriateness of a decision in light of morality
Reflective choice
refers to the process whereby an individual identifies a decision problem, analyzes the situation—collects information, considers rules of behavior, and thinks about consequences of alternative actions—and takes action. In short, reflective choice refers to decision making.
Professionalism
refers to the standing, practice, methods, character, qualities, or typical features of a professional or a professional organization.
individual strain
refers to the stress people feel and the difficulties they face when attempting to satisfy their own needs and wants
Legitimacy
regarded as the essential ingredient in what gives governments and leaders authority.
likelihood of occurrence of each fraud
remote, reasonably possible, or probable. • Past instances of the particular fraud at the organization • Prevalence of the fraud risk in the organization's industry • The organization's internal control environment • Resources available to address fraud • Management's support of fraud prevention efforts • Management's ethical standards and the organization's ethical culture • Number of individual transactions involved • Number of people involved in reviewing or approving a relevant process • Complexity of the fraud risk • Unexplained losses • Complaints by customers or vendors • Information from fraud surveys such as the ACFE's Report to the Nations
Affirmation Process
requirement for directors, employees, and contractors to explicitly affirm (typically via electronic or manual signature) that they have read, understood, and complied with the organization's code of conduct, fraud control policy, and other such documentation that supports the fraud risk management program.
AU-C Section 315
requires a discussion among the key engagement team members, including the engagement partner, and a determination by the engagement partner of which matters are to be communicated to those team members not involved in the discussion • How and where the entity's financial statements might be susceptible to material misstatement due to fraud • How management could perpetrate and conceal fraudulent financial reporting • How the entity's assets could be misappropriated
Independence of attitude
requires impartiality and fairness in conducting fraud examinations and in reaching resulting conclusions and judgments
Private Securities Litigation Reform Act (PSLRA)
requires public company audits to include procedures designed to provide reasonable assurance of detecting illegal acts
RESPONSIBILITY FOR THE PREVENTION AND DETECTION OF FRAUD
responsibility for the prevention and detection of fraud rests with both those charged with governance of the entity and management.
Madden and Margolis
say corporations lead new managers through an initiation period designed to weaken their ties with external groups, including their own families, and encourage a feeling of dependence on and attachment to the corporation.
Charles McCaghy
says profit pressure is "the single most compelling factor behind deviance by industry, whether it be price fixing, the destruction of competition, or the misrepresentation of a product,"
Professional Competence
shall not accept assignments where competence is lacking
Dr. Steve Albrecht's Fraud Scale model,
situational pressures, perceived opportunities, and personal integrity.
economic crime
so many illegal acts, including murder, are often committed in order to achieve economic gain.
Structural strain
societal-level processes, such as the way the government or economy functions, that trickle down and affect individuals. These structures might affect individuals' opportunities and their general perceptions of society
Audit of Financial Statements
specifically states that auditors should take into account the results of the fraud risk assessment when planning and performing the audit of internal control over financial reporting.
AU-C Section 240, Consideration of Fraud in a Financial Statement Audit,
establishes standards and provides guidance to auditors in fulfilling that responsibility, as it relates to fraud, in conducting a financial statement audit. While this standard focuses on the auditor's consideration of fraud in an audit of financial statements, management is primarily responsible for the prevention and detection of fraud.
The Cadbury Report,
stated that the purpose of corporate governance is "to encourage the efficient use of resources and equally to require accountability for the stewardship of those resources.
Cognitive theories
stress inadequate moral and intellectual development as lying at the root of criminal acts.
Chicago Study
was designed to gauge the gap between citizens' concerns for favorable outcomes and procedural fairness. It also measures the extent to which fairness influences reactions to experience. Its findings suggest that normative values are more influential upon compliance than the reward and punishment approach. This is consistent with Skinner's behavioral theories.
Sutherland demonstrated
that corporate executives are insulated from those who might disagree with their beliefs because they associate almost exclusively with people who are probusiness, politically conservative, and generally opposed to government regulation.
Information, Communication, and Reporting COSO ERM 2017
"the continual, iterative process of obtaining information and sharing it throughout the entity." 18. The organization leverages information and technology to support ERM. 19. The organization communicates risk information. 20. The organization reports on risk, culture, and performance throughout the entity.
What Is the Objective of a Fraud Risk Assessment?
the objective of a fraud risk assessment is to help an organization recognize what makes it most vulnerable to fraud.
Define Risk Appetite
"the types and amount of risk, on a broad level, an organization is willing to accept in pursuit of value."
abuse of power
those behaviors that correspond to white-collar crimes as defined by Sutherland. In addition, other designations, such as upperworld crime, crimes by the powerful, avocational crime, crime in the suites, and organizational crime, have been used to designate more or less the same phenomena as white-collar crime.
occupational fraud detection
• Tip: 40% • Internal audit: 15% • Managerial review: 13% • By accident: 7% • Other: 6% • Reconciliation: 5% • Document examination: 4% • External audit: 4% • Surveillance/monitoring: 3% • Notification by law enforcement: 2% • IT controls: 1% • Confession: 1%
STANDARDS OF CONDUCT
to a code of professional ethics and standards of conduct, and such codes and standards can help a profession achieve full social recognition.
The IIA's IPPF—Practice Guide: Auditing Anti-Bribery and Anti-Corruption Programs
to fully support internal auditors in their responsibilities pertaining to fraud and corruption.
Public Company Accounting Oversight Board PCAOB
to oversee the audit of public companies that are subject to the securities laws, and related matters, in order to protect the interests of investors and further the public interest in the preparation of informative, accurate, and independent audit reports for companies the securities of which are sold to, and held by and for, public investors. (Section 101) • Registering public accounting firms that audit publicly traded companies • Establishing or adopting auditing, quality control, ethics, independence, and other standards relating to audits of publicly traded companies • Inspecting registered public accounting firms • Investigating registered public accounting firms and their employees, conducting disciplinary hearings, and imposing sanctions where justified • Performing such other duties as are necessary to promote high professional standards among registered accounting firms, to improve the quality of audit services offered by those firms, and to protect investors • Enforcing compliance with SOX, the rules of the PCAOB, professional standards, and securities laws relating to public company audits
executive/management board
typically headed by the company chief executive officer (CEO) and composed of company executives and other non-independent directors; this board is responsible for overseeing the company's day-to-day business operations
John Braithwaite
views white-collar crime as a product of the corporate subculture. In Braithwaite's view, corporations will turn to crime as a result of "blocked opportunities."
the question of fraud and behavior comes down to this
what can we do about it?
personality theories
which illustrate the belief that traits such as extroversion are responsible for a significant amount of crime.
Operations objectives,
which pertain to the effectiveness and efficiency of the organization's operations
Compliance objectives,
which pertain to the organization's adherence to the laws and the regulations to which it is subject
Reporting objectives,
which pertain to the reporting of financial and nonfinancial information to internal and external parties
Remedial Orders
which require an offending organization to fix a harm it has already caused (to the extent that the harm is not fixed by the payment of restitution) and prevent any future harm from occurring
long-term violators
who converted their employer's funds, or funds belonging to their employer's clients, by taking relatively small amounts over a period of time. Rationalizations of long-term violators were described, too, but they almost always were used in connection with the "borrowing" theme: (1) they were embezzling to keep their families from shame, disgrace, or poverty; (2) theirs was a case of "necessity"; their employers were cheating them financially; and (3) their employers were dishonest toward others and deserved to be defrauded.
negative reinforcement
withdraws a negative stimulus in exchange for the desired response
narrow focus
would center on the rules in the ACFE Code of Professional Ethics
broad focus
would include a fraud examiner's interaction with the people affected by their choices.
professional fields vs. vocations
• A body of specialized knowledge acquired by formal education • Admission to the profession governed by standards of professional qualifications • Recognition and acceptance by society of professional status, and concurrent recognition and acceptance of social responsibility by the professional • Standards of conduct governing relationships of the professional with clients, colleagues, and the public • An organization devoted to the advancement of the obligations of the professional group
elements of the ISO 31000 framework are:
• A foundation set by effective leadership and commitment • Integration throughout every part of the organization's structure • A design that involves: - Understanding the organization and its context - Articulating risk management commitment - Assigning organization roles, authorities, responsibilities, and accountabilities - Allocating resources - Establishing communication and consultation • Effective implementation that includes - An appropriate plan regarding time and resources - Outlining when, where, and how decisions will be made - Modifying decision-making processes as necessary - Understanding that risk management initiatives are clearly understood and adhered to • Evaluation of the risk management program's performance and determination of whether it is meeting its objectives • Improvement by continuous monitoring, adaptation, and enhancement of the framework
Justifications used in arguing against a prison sentence for corporate offenders include:
• Age and poor health • Personal and family reasons • Extent of punishment already suffered by virtue of being indicted • Offense was not immoral • Defendant has no prior record, is not a threat to society, and has been a prominent citizen active in community affairs • Incarceration would accomplish nothing (no benefit to society) • Defendant is repentant • Victimization of corporate executives solely because of their position
External Auditors Report to the Audit Committee
• All critical accounting policies and practices used • Alternative generally accepted accounting principles (GAAP) methods that were discussed with management, the ramifications of the use of those alternative treatments, and the treatment preferred by the auditors • Any other material written communications between the auditors and management, such as any management letter or the schedule of unadjusted audit differences
FINANCIAL EXPERT REQUIREMENT
• An understanding of generally accepted accounting principles and of financial statements • The ability to evaluate the application of accounting principles used in the accounting for estimates, accruals, and reserves • Experience in preparing, auditing, analyzing, or evaluating financial statements containing accounting issues that are "generally comparable" to those expected to be raised in the company's financial statements, or experience supervising someone engaged in such activities • An understanding of internal controls and financial reporting procedures • An understanding of the functions of an audit committee
In designing such a program
• Applicable industry size and practice—An organization's failure to incorporate and follow industry practice or the standards called for by any applicable government regulation adversely affects a finding that the program is effective. • Size of the organization—Large organizations are expected to devote more formal operations and greater resources to meeting the requirements than small organizations. For example, smaller organizations may use available personnel rather than employ separate staff to carry out ethics and compliance. • Recurrence of similar misconduct—The recurrence of a similar event creates doubt as to whether the organization took reasonable steps to meet the requirements.
Auditing, Quality Control, and Independence Standards and Rules Section 103 of the Act requires the PCAOB
• Audit workpapers must be maintained for at least seven years. • Auditing firms must include a concurring or second partner review and approval of audit reports, as well as concurring approval in the issuance of the audit report by a qualified person other than the person in charge of the audit. • All audit reports must describe the scope of testing of the company's internal control structure and must present the auditor's findings from the testing, including an evaluation of whether the internal control structure is acceptable, a description of material weaknesses in internal controls, and any material noncompliance with controls.
advantages of separating CEO roles
• Better alignment with corporate governance best practices • Improvement of CEO's accountability • Reduction in CEO's potential conflicts of interest • More effective board oversight
Other Roles and Responsibilities for Fraud Prevention and Detection
• Board of directors: The board of directors is responsible for effective and responsible corporate fraud governance and is tasked with overseeing management's actions to manage fraud risks. • Audit committee: The audit committee's role is to evaluate management's identification of fraud risks and the implementation of anti-fraud measures, and to provide the tone at the top that fraud will not be accepted in any form. The audit committee is also responsible for overseeing controls to prevent or detect management fraud. • Management: Management is responsible for overseeing the activities of employees, assessing the entity's vulnerability to fraud, and establishing and maintaining an effective internal control system at a reasonable cost. • Legal counsel: Legal counsel advises the organization on legal matters pertaining to fraud. • External auditors: External auditors have a responsibility to comply with professional standards and to plan and perform the audit of the organization's financial statements to obtain reasonable assurance about whether the financial statements are free of material misstatements, whether caused by error or fraud. (For more information on the external auditor's responsibilities for fraud, see the previous discussion on "U.S. External Audit Standards Related to Fraud.") • Loss prevention manager: The loss prevention manager deals with crimes, disasters, accidents, waste, and other business risks, and this individual usually works closely with internal auditors to identify areas of weak internal controls within the organization. • Fraud investigators: Fraud investigators are responsible for detecting and investigating fraud, as well as recovering assets. • Other employees: All employees have a responsibility to report suspicious activity to a hotline, the internal audit department, or management.
AU-C Section 230—Audit Documentation
• Changes the date of the auditor's report from the final day of fieldwork to the date on or after which the auditor obtained sufficient evidence to support the audit opinion • Requires the audit documentation to be sufficient such that an experienced auditor with no previous connection to the audit could understand the work performed, the evidence obtained, and the conclusions reached • Requires documentation of departures from GAAS, along with the justification and alternative procedures used • Provides that oral explanations may be used to clarify or explain audit documentation, but alone are insufficient support for audit work • Requires specific documentation of matters that the auditor identified as contradictory or inconsistent with the final audit conclusions, as well as how the auditor addressed such findings • Instructs the auditor to assemble all of the audit documentation into the audit file within sixty days following the audit report release date • States that after sixty days following the audit report release date, workpapers may not be deleted, and all additions must be noted as such • Specifies a minimum retention period for audit documentation of five years from the report release date
Yellow Book standards for conducting financial audits
• Compliance with standards • Licensing and certification • Auditor communications • Results of previous engagements • Investigations or legal proceedings • Noncompliance with provisions of laws, regulations, contracts, and grant agreements • Findings • Audit documentation • Availability of individuals and documentation
gather fraud risk evidence:
• Data stratification • Risk scoring • Trend analysis • Fluctuation analysis • Data visualization • Statistical analysis/predictive modeling • Using data from external sources
Documenting the Auditor's Consideration of Fraud AS 2401
• Discussion among engagement personnel regarding the susceptibility of the entity's financial statements to material misstatement due to fraud (including how and when the discussion occurred, the team members who participated, and the subject matter discussed) • Procedures performed to obtain information necessary to identify and assess the risks of material misstatement due to fraud • Specific risks of material misstatement due to fraud that were identified at the financial statement and assertion levels and the linkage of those risks to the auditor's response • The reasons supporting the auditor's conclusion, if the auditor has not identified improper revenue recognition as a risk • The results of the procedures performed to address the assessed fraud risks, including those procedures performed to further address the risk of management override of controls • Other conditions and analytical relationships that caused the auditor to believe that additional auditing procedures or other responses were required to address such risks • The nature of the communication about fraud made to management, those charged with governance, or others
constrain improper conduct by management
• Effective oversight by those charged with governance • An effective internal audit function • The existence and enforcement of a written code of conduct
DETECTIVE CONTROLS
• Establishing and marketing the presence of a confidential reporting system, such as a whistleblower hotline • Implementing proactive controls for the fraud detection process, such as independent reconciliations, reviews, physical inspections and counts, analysis, and audits • Implementing proactive fraud detection procedures, such as data analysis and continuous auditing techniques • Performing surprise audits
Ranking and Prioritizing Risks
• Estimating the likely cost of a risk • Using a quadrant graph, called a heat map, to identify those risks that are both likely and significant
What Is Ethics?
• Ethics involves questions requiring reflective choice (decision problems). • Ethics involves guides of right and wrong (moral principles). • Ethics is concerned with values (goods) inherent in ethical decisions.
1220.A1
• Extent of work needed to achieve the engagement's objectives • Relative complexity, materiality, or significance of matters to which assurance procedures are applied • Adequacy and effectiveness of governance, risk management, and control processes • Probability of significant errors, fraud, or noncompliance • Cost of assurance in relation to potential benefits
12 components are necessary to develop, implement, and manage a comprehensive ethics program
• Focus on ethical leadership • Vision statement • Values statement • Code of ethics • Designated ethics official • Ethics task force or committee • Ethics communication strategy • Ethics training • Ethics help and fraud report telephone line • Ethical behavior rewards and sanctions • Comprehensive system to monitor and track ethics data • Periodic evaluation of ethics efforts and data
EXTERNAL FRAUD
• Fraud committed by customers (e.g., fraudulent customer payments) • Fraud committed by vendors (e.g., overbilling by a vendor or collusion between bidding contractors to inflate contract price) • Fraud committed by competitors (e.g., corporate espionage) • Fraud committed by unrelated third parties (e.g., hacking)
Silk and Vogel found several other actions used by businesses to rationalize conduct:
• Government regulations are unjustified because the additional costs of regulations and bureaucratic procedures cut heavily into profits. • Regulation is unnecessary because the matters being regulated are unimportant. • Although some corporate violations involve large sums of money, the damage is so diffused among a large number of consumers that, individually, there is little loss. • Violations are caused by economic necessity; they aim to protect the value of stock, to ensure an adequate return for stockholders, and to protect the job security of employees by ensuring the financial stability of the corporation.
objectives of the auditor
• Identify and assess the risks of material misstatement of the financial statements due to fraud. • Obtain sufficient appropriate audit evidence about the assessed risks of material misstatement due to fraud through designing and implementing appropriate responses. • Respond appropriately to fraud or suspected fraud identified during the audit.
FRAUDULENT FINANCIAL REPORTING
• Inappropriately reported revenues, expenses, or both • Inappropriately reflected balance sheet amounts, including reserves • Inappropriately improved or masked disclosures • Concealed misappropriation of assets • Concealed unauthorized receipts, expenditures, or both • Concealed unauthorized acquisition, use, or disposition of assets
Fraud Response
• Investigating the allegation to determine the party or parties responsible, the means of the infraction, and the extent of the resulting damage • Punishing the perpetrator, whether through employment sanctions or legal action
Department of Justice (DOJ)
• Is directors' and senior managers' support for the company's compliance policies: − Strong? − Explicit? − Visible? • Does the compliance function have adequate: − Stature? − Funding? − Resources? • Are the company's compliance policies: − Clear? − In writing? − Easily understood? − Translated into languages spoken by the company's employees? − Effectively communicated to all employees? − Easy to find? − Reviewed and kept up-to-date with evolving risks and circumstances? • Do employees receive compliance training that: − Is repeated? − Informs them of what to do or whom to consult when issues arise? • Does the company even-handedly: − Incentivize good behavior? − Discipline bad behavior? • When dealing with third parties, does the company: − Make known that it is serious about compliance? − Take action (e.g., terminate the business relationship) if a third party is noncompliant?
BEHAVIORAL RED FLAGS
• Living beyond their means • Financial difficulties • Control issues, unwilling to share duties • Unusually close relationship with vendor/customer • Wheeler-dealer attitude • Divorce/family problems • Irritability, suspiciousness, defensiveness • Addiction problems • Unwilling to take vacation days • Past employment-related problems • Complained about inadequate pay • Excessive pressure from within the organization • Past legal problems • Instability in life circumstances • Excessive family/peer pressure for success • Complained about lack of authority
Standard 2110—Governance
• Making strategic and operational decisions • Overseeing risk management and control • Promoting appropriate ethics and values within the organization • Ensuring effective organizational performance management and accountability • Communicating risk and control information to appropriate areas of the organization • Coordinating the activities of, and communicating information among, the board, external and internal auditors, other assurance providers, and management
AU-C Section 940—An Audit of Internal Control Over Financial Reporting That Is Integrated with An Audit of Financial Statements
• Obtain management's acknowledgement of its responsibilities pertaining to ICOFR. • Request management's written assessment of the effectiveness of the entity's ICOFR. • Plan and perform the audit to accomplish the objectives of both the financial statement audit and the audit of ICOFR. • Use a risk-based approach in planning the audit scope, timing, and direction. • Evaluate whether the ICOFR sufficiently addresses identified risks of material misstatement due to fraud and the risk of management override of other controls. • Use a top-down approach to the ICOFR audit by: − Identifying and testing important entity-level controls − Evaluating the design, implementation, and operation of the components of ICOFR − Evaluating the period-end financial reporting process − Identifying significant classes of transactions, account balances, and disclosures − Understanding likely sources of misstatement − Selecting specific important controls to test • Perform tests to evaluate the design and test the effectiveness of ICOFR. • Determine whether, based on the audit results, there are any material weaknesses or significant deficiencies in ICOFR.
RESPONSES INVOLVING THE NATURE, TIMING, AND EXTENT OF PROCEDURES TO BE PERFORMED AS 2301
• Performing procedures at locations on a surprise or unannounced basis • Requesting that inventories be counted at the end of the reporting period or on a date closer to period end to minimize the risk of balance manipulations in the period between the date of completion of the count and the end of the reporting period • Making oral inquiries of major customers and suppliers in addition to sending written confirmations, or sending confirmation requests to a specific party within an organization • Performing substantive analytical procedures using disaggregated data (e.g., comparing gross profit or operating margins by location, line of business, or month to auditor-developed expectations) • Interviewing personnel involved in activities in areas in which a fraud risk has been identified to obtain their insights about the risk and how controls address the risk • If other independent auditors are auditing the financial statements of one or more subsidiaries, divisions, or branches, discussing with them the extent of work that needs to be performed to address the fraud risk resulting from transactions and activities among these components
Private Securities Litigation Reform Act of 1995 PSLRA
• Procedures designed to provide reasonable assurance of detecting illegal acts that would have a direct and material effect on the determination of financial statement amounts • Procedures designed to identify related-party transactions that are material to the financial statements or otherwise require disclosure therein • An evaluation of whether there is substantial doubt about the ability of the issuer to continue as a going concern during the ensuing fiscal year
EXAMPLES OF RESPONSES TO IDENTIFIED RISKS OF MISSTATEMENTS ARISING FROM FRAUDULENT FINANCIAL REPORTING AS 2401
• Revenue recognition: This entails performing substantive analytical procedures relating to revenue using disaggregated data (comparing revenue reported by month and by product line or business segment during the current reporting period). • Inventory quantities: This entails examining inventory records to identify locations or items that require specific attention during or after the physical inventory count; performing more rigorous testing of the count, such as examining contents of boxed items; and conducting additional testing of count sheets, tags, or other records. • Management estimates: This involves procedures such as developing or engaging a specialist to develop an independent estimate for comparison to management's estimate; gathering further information to help evaluate the reasonableness of management's estimates and underlying assumptions; and performing a retrospective review of similar management judgments and assumptions applied in prior periods.
Evaluate Whether the Identified Controls Are Operating Effectively and Efficiently
• Review of the accounting policies and procedures in place • Consideration of the risk of management's override of controls • Interviews with management and employees • Observation of control activities • Tests of samples of transactions subject to identified internal controls for compliance • Walkthroughs of transactions • Review of previous audit reports • Review of previous reports on fraud incidents, shrinkage, and unexplained shortages
FINANCIAL/TRANSACTIONAL RED FLAGS
• Structural red flags • Personnel red flags • Operational red flags • Accounting system red flags • Financial performance red flags • Professional service red flags
Report to the Nation on Occupational Fraud and Abuse,
• Summarize the opinions of experts on the percentage and amount of organizational revenue lost to all forms of occupational fraud and abuse. • Examine the characteristics of the employees who commit occupational fraud and abuse. • Determine what kinds of organizations are victims of occupational fraud and abuse. • Categorize the ways in which serious fraud and abuse occurs.
Fraud Risk Index
• The Environmental Risk Index • The Culture Quotient • The Prevent/Detect Index
There are three important elements that influence crime:
• The availability of suitable targets, such as companies and individuals • The absence of capable guardians, such as auditors and security personnel • The presence of motivated offenders, such as unhappy or financially challenged employees
NYSE Requirements
• The company must have a board composed of a majority of independent directors (as determined by independence tests included in the standards). • Non-management (i.e., independent) directors must meet regularly without any management present. • The board must have a nominating/corporate governance committee, composed entirely of independent directors and governed by a written charter, that is charged with, at a minimum: − Identifying individuals qualified to become board members and selecting (or recommending that the board select) the director nominees for the next annual meeting of shareholders − Developing and recommending to the board a set of corporate governance guidelines applicable to the corporation − Overseeing the evaluation of the board and management − Undergoing an annual evaluation of committee performance • The board must have a compensation committee, composed entirely of independent directors (who meet the specific, additional compensation requirements for compensation committee membership) and governed by a written charter, that is charged with, at a minimum: − Reviewing and approving corporate goals and objectives relevant to the chief executive officer's (CEO) compensation − Evaluating the CEO's performance in light of the corporate goals and objectives − Determining and approving the CEO's compensation level based on the performance evaluation (either as a committee or together with the other independent directors) − Making recommendations to the board with respect to the compensation of other executive officers − Preparing the compensation-related disclosure required by the SEC (in Item 407(e)(5) of Regulation S-K) − Undergoing an annual evaluation of committee performance
Sarbanes-Oxley Act (SOX)
• The composition and funding of the audit committee • The responsibility of the audit committee for overseeing the external audit • The responsibility of the audit committee to receive whistleblower tips • The responsibility of directors and officers to certify the compliance and fair presentation of the company's financial statements • The responsibility of management to assess the company's internal controls over financial reporting • The disclosure of whether the company has a code of ethics specific to senior financial officers • The responsibility of the external auditors to report on the company's internal controls over financial reporting
Contributing Factors
• The economy increasingly runs on credit, which often means rising personal debt.
• New information technologies mean that the opportunity for wrongdoing is growing.
• Government programs distributing large amounts of money make an enticing target for embezzlement.
• The importance of credentials in a professionalized society may influence individuals "to inflate the credentials, or to make them up when they do not exist."
• Most broadly, the authors observe an overarching culture based on affluence and ever-higher levels of success.
Information to be gathered includes:
• The identification of inherent fraud risks
• Discussion of past known fraud incidents and how they were handled
• Assessment of the likelihood and significance of identified risks
• Perceptions regarding the overall control environment
• Perceptions regarding the operating effectiveness of specific anti-fraud controls
Four factors that affect employees' ethical decisions:
• The law and other government regulations
• Industry and organizational ethical codes
• Social pressures
• Tension between personal standards and organizational needs
What Factors Influence Fraud Risk?
• The nature of the business in which it is engaged
• The environment in which it operates
• The effectiveness of its internal controls
• The ethics and values of the company and its employees
The sponsor and the assessment team need to agree on:
• The scope of work that will be performed
• The methods that will be used (e.g., surveys, interviews, focus groups, or anonymous feedback mechanisms)
• The individuals who will participate in the chosen methods
• The content of the chosen methods
• The form of output for the assessment
THE CULTURE QUOTIENT
• Tolerance Index—This metric is based on an assessment of the organization's tolerance for bad behavior. An organization that has a high tolerance for bad behavior can significantly increase the company's vulnerability to fraud risk.
• Entitlement Index—This index reflects an assessment that helps determine whether people in the company display or promote a sense of entitlement. An organization that sustains a strong sense of entitlement from its employees or leaders can have a higher risk of fraud.
• Notification Index—This factor comes from an assessment of how likely it is that employees will come forward when they suspect something is wrong. An organization where there is a low probability that employees will come forward is at significantly greater risk of fraud than an organization where it is likely that employees will come forward.
PCAOB AS 2410—Related Parties
• Understand the nature of the company's relationships with its related parties.
• Understand the terms and business purposes (or lack thereof) of transactions involving related parties.
• Test the accuracy and completeness of management's identification of its relationships and transactions with related parties.
• Determine whether any undisclosed relationships or transactions with related parties exist.
• Assess any identified relationships or transactions with a related party previously undisclosed to the auditor.
• Evaluate each related party transaction that is required to be disclosed in the financial statements.
• Evaluate each related party transaction that is determined to be a significant risk.
Ethics Program Development
• Understanding why good people can commit unethical acts
• Defining current—as well as desired—organizational values
• Determining if organizational values have been properly communicated
• Determining if ethics is a leadership issue in the organization
• Ascertaining how board members, stockholders, management, employees, and any other pertinent members of the organization define success
• Producing written ethics policies, procedures, or structures
• Policies and procedures, by testing whether they are:
− Documented appropriately
− Approved by management
− In compliance with applicable laws and regulations
− Implemented effectively
• Monitoring and auditing, by:
− Ensuring risk assessments, analyses, and communication are effective in supporting management's monitoring role
• Investigations and reports, by:
− Participating in investigations as appropriate, based on the team's resources, the organization's governance structure, and formal protocols
− Understanding the cultural and legal landscape of the jurisdictions involved
− Being familiar with local protocols for investigating and reporting
− Following the organization's protocol regarding any audit evidence that might indicate bribery or corruption
− Performing and documenting adequate audit actions to support any findings, conclusions, or recommendations pertaining to bribery or corruption
− Seeking legal advice or recommending management seek legal advice regarding any evidence of illegal activity uncovered during an audit
− Working with appropriate personnel to determine whether an irregularity or illegal act has occurred and gauge its effect
• Bribery and corruption risk assessment, by:
− Understanding all aspects of the anti-bribery and anti-corruption program before performing risk assessments
− Evaluating inherent bribery and corruption risks as part of a comprehensive risk assessment
− Ensuring the audit plan for assessing the anti-bribery and anti-corruption program is based on the results of risk assessment
• Tone at the top/governance structure, by:
− Understanding the attitude and tolerance of management and the board regarding bribery and corruption risks
− Assessing whether that attitude is sufficiently restrictive
− Validating that this attitude has been effectively communicated throughout the organization
− Scrutinizing the governance structure and oversight of the anti-bribery and anti-corruption program
• Enforcement and sanctions, by:
− Working with management to adhere to a defined process for evaluating cases of bribery or corruption and, if appropriate, implementing sanctions according to a formal policy