Domain VI: Fraud Risks

Industry-Specific Red Flags

-It has been estimated that four industries alone account for more than 70% of white-collar fraud: financial services, insurance, manufacturing, and energy.

Red Flags

-The internal auditor is a potential "early warning system" for the organization by detecting the indicators of fraud, often called red flags. -Red flags are signs that indicate both the inadequacy of controls in place to deter fraud and the possibility that some perpetrator has overcome weak or absent controls to commit fraud. -Red flags are only warning signs; they are not proof that fraud has been committed.

.Entity-level anti-fraud controls

-Whistleblower hotline and whistleblower protection policy. -Board oversight. -Results of continuous monitoring. -Code of conduct. -Tone of management's communications regarding fraud risk tolerance. -Hiring and promotion guidelines and practices. -Continuous auditing. -The appropriate authority limits -Segregation of incompatible duties.

Q) Which example of fraud is most likely to injure the organization? Invoices received for catering services not actually provided Biasing assumptions used to estimate account balances Fictitious journal entries intended to manipulate operating results Intentionally misapplying accounting principles

Invoices received for catering services not actually provided RATIONALE: Fraud perpetrated to the detriment of the organization is conducted generally for the direct or indirect benefit of an employee, outside individual, or another organization. The other examples are all more likely to be fraud designed to benefit the organization, such as by exploiting an unfair or dishonest advantage that also may deceive an outside party. The three incorrect answer choices are common examples of manipulating financial statements to deceive investors and lenders into believing that the company is more solvent or more profitable than it actually is.

Fraud triangle

-A set of three conditions that, if present in the right proportions, suggest the possibility of fraud: opportunity, motive, and rationalization.

International organizations.

Internal audits of multinational corporations may uncover many types of red flags that result from the difficulty of maintaining controls in a decentralized and multicultural organization. Bribery may be occurring in both directions: Employees may be receiving kickbacks, and large, poorly described expenditures may mask bribes to foreign officials. Managers may carry ghost employees on the payroll. Differences in exchange rates can be exploited.

Q) A third-party pension plan consultant working for a large retailer steals a computer. A file on the stolen equipment includes names, dates of birth, addresses, Social Security numbers, salary, and other information for nearly 100,000 current and former employees. This breach involving personal data is an example of what type of fraud? Corruption Cash theft Misuse of assets Fraudulent disbursement

Misuse of assets RATIONALE: This is an example of misuse or theft of assets (embezzlement). In addition to the computer itself, information is also considered an asset.

Fraud Prevention

-It entails implementing preventive controls such as policies and procedures, employee training, and management communication to educate employees about fraudulent activities. -Activities related to strengthening the control environment are key examples of fraud prevention, including code of conduct, fraud policy, hiring policies, and governance oversight. Several other activities play a role in fraud prevention: -Risk management. This includes establishing a fraud risk assessment process and regularly performing fraud risk assessments. -Control activities. Preventive controls include limits on authority and segregation of duties. -Information and communication. This establishes the importance of the fraud program and the fraud risk assessments using fraud risk awareness programs and/or affirmation or certification processes. -Fraud training. This helps reinforce fraud awareness and awareness of the cost of fraud to the organization. -Monitoring. This involves periodic evaluation of anti-fraud preventive controls.

Characteristics of effective fraud risk assessment

-It is performed on a systematic and recurring basis. -It considers possible fraud schemes and scenarios, including internal and external factors. -It assesses risk at a company-wide, significant business unit, and significant account level. -It evaluates the likelihood, significance, and pervasiveness of each risk. -It assesses exposure arising from each category of fraud risk by identifying mitigating control activities and considering their effectiveness. -It is performed with the involvement of appropriate personnel. -It considers management override of controls (i.e., nonroutine transactions and journal entries or temporary suspension of controls). -It is updated when special circumstances arise (i.e., mergers and acquisitions and new systems).

Anti-bribery and anti-corruption programs

-Just one example of a focused anti-fraud program an organization could have. -Such programs may be developed in response to a particular law or regulation the organization is subject to. -Corruption is one of several common fraud schemes, and bribery is one form of corruption.

Examples of organization-wide conditions that might indicate fraud include:

-Loose internal controls. -Poor management philosophy. -Poor financial position. -Low employee morale. -Ethics confusion. -Lack of background checks on new hires. -Lack of employee support programs. -General conditions, such as high employee turnover, pending mergers, excess trust in key employees, etc.

Resolution

-Management and the board (not the internal audit activity or the investigator) are responsible for resolving fraud incidents once a fraud scheme and perpetrators have been fully investigated and evidence has been reviewed. -When disclosures are voluntary rather than mandatory, management or the board determines whether to inform entities outside the organization after consultation with legal counsel, HR personnel, and the CAE. -The organization may be required to notify law enforcement, regulators, insurers, bankers, and external auditors of instances of fraud. -Any comments made by management to the press, law enforcement, or other external parties may be coordinated through legal counsel in accordance with organizational policies.

Investigation Evidence

-Memos and correspondence, both in hard copy and electronic form (such as emails or information on personal computers). -Computer files, general ledger postings, etc. IT or system access records. -Security timekeeping logs, videos, or access badge records. -Internal phone records. -Public or internal customer or vendor information, such as contracts, invoices, and payment information. -Public records, such as business registrations or property records. -Social networking sites.

Fraud Investigation

-Organizations investigate possible fraud when there is a concern or a suspicion of wrongdoing. -Suspicion can result from a formal complaint process, an informal complaint process such as a tip, or an audit, including an audit designed to test for fraud. -Investigating a fraud is not the same as auditing for fraud. A fraud audit is designed to proactively detect indications of fraud in those processes or transactions where analysis indicates the risk of fraud to be significant.

Perpetrator Red Flags

-People committing fraud often display certain behaviors or characteristics that may serve as warning signs or red flags. -Personal red flags include: Living beyond one's means. Conveying dissatisfaction with the job to fellow employees. Unusually close association with suppliers. Severe personal financial losses. Addiction to drugs, alcohol, or gambling. Change in personal circumstances. Developing outside business interests.

Management controls over fraud at the control environment level include:

-Policies. -Awareness practices. -The "tone at the top." -Board and senior management governance. -Related practices, such as risk and control assessments.

Fraud Reporting and Communicating

-Reporting and communicating consists of the various oral, written, interim, or final communications to senior management and/or the board regarding the status and results of fraud investigations. -Communications may include the reason for beginning the investigation, time frames, observations, conclusions, resolution, and recommendations to improve controls. Some additional considerations concerning fraud reporting are: -Submitting a draft of the proposed final communications to legal counsel for review. -Notifying senior management and the board in a timely manner when significant fraud or erosion of trust occurs or a fraud may have a material effect on financial statements (e.g., a previously undiscovered adverse effect on the organization's financial position and its operational results for one or more years). -In addition, communication of results should take care to protect internal whistleblowers. -In the case of fraud, local laws may accelerate communication of investigation reports to the board and may require reporting to local authorities as well.

Internal Audit and Anti-bribery and Anti-corruption Programs

-The internal audit activity should assess the effectiveness of anti-bribery and anti-corruption programs to help anticipate the risk of bribery or corruption harming product quality, foreign direct investment, organizational reputation, and other risks. -The activity can also assess whether these programs are effective in identifying the existence of potential and actual incidents. -Assessments can take the form of a comprehensive risk assessment of the program, continuous monitoring activities, and/or a series of individual audit engagements that include this subject as one of their audit objectives. The objectives of anti-bribery and anti-corruption audits include: -Ensuring the effectiveness of such programs. -Reducing time to detection for bribery and corrupt acts. -Supporting continuous improvement and follow-up on corrective action plans.

Fraud Investigations - Role of Internal Audit

-The role of the internal audit activity in investigations needs to be defined in the internal audit charter as well as in the fraud policies and procedures. -For example, internal audit may have the primary responsibility for fraud investigations, may act as a resource for investigations, or may refrain from involvement in investigations entirely. This may vary from organization to organization, based on organizational policy or relevant local laws.

Fraud training

-Training can cover the organization's expectations for employees' conduct, the procedures and standards necessary to implement internal controls, and employee roles and responsibilities to report misconduct. -Taiilored training is more effective than generic training, allowing employees to better understand their role in the organization's fraud detection system. -Periodic training throughout an employee's career reinforces awareness of fraud and its cost to the organization. -Regardless of the training method selected, a key goal of the training is to test the employee's comprehension of the fraud training.

Fraud - COSO's Fraud Risk Management Guide (2016)

1) For the control environment, principle 1 relates to establishing and communicating a fraud risk management program demonstrating the expectations of the board and senior management regarding their integrity and ethics related to managing fraud risk. 2) For risk assessment, principle 2 is about performing comprehensive fraud risk assessments to identify fraud schemes and risks, assess likelihood and impact, and assess existing fraud controls, addressing gaps and residual risk. 3) For control activities, principle 3 is about selecting, developing, and implementing preventive and detective fraud controls as timely mitigating tools. 4) For information and communication, principle 4 is about ensuring that there is a communication process for reporting potential fraud and making sure investigation and corrective action follow a coordinated, timely approach. 5) For monitoring activities, principle 5 is about ongoing evaluation of the fraud risk management program and communication of deficiencies to senior management and the board.

Percentage of the exam

10%

Fraud triangle: Opportunity

A process may be designed properly for typical conditions. However, a window of opportunity may arise for something to go wrong or that creates circumstances for the control to fail. -An opportunity for fraud may exist due to poor control design or lack of controls. For example, a system can be developed that appears to protect assets but is missing an important control. Anyone aware of the gap may be able to take advantage of it without much effort. -Persons in positions of authority can create opportunities to override existing controls (i.e., management override) because subordinates or weak controls allow them to circumvent the rules.

Domain Elements and Cognitive Levels

A) ​​​Interpret fraud risks and types of frauds and determine whether fraud risks require special consideration when conducting an engagement - PROFICIENT ​B) ​Evaluate the potential for occurrence of fraud (red flags, etc.) and how the organization detects and manages fraud risks - PROFICIENT C) ​Recommend controls to prevent and detect fraud and education to improve the organization's fraud awareness - PROFICIENT D) ​Recognize techniques and internal audit roles related to forensic auditing (interview, investigation, testing, etc.)​​ - BASIC

Fraud Detection Methods

An effective way for an organization to learn about existing fraud is to provide employees, suppliers, and other stakeholders with a variety of methods for reporting their concerns. Ways to collect this information include: -Code-of-conduct confirmation. -Whistleblower hotline. -Exit interviews. -Proactive employee survey. Other methods for fraud detection include surprise audits in high fraud risk areas, continuous monitoring of critical data, and routine and/or ad hoc matching of data against relevant transactions, vendor lists, employee rosters, and other data.

Corruption and Bribery - High Risk Areas

Anti-bribery and anti-corruption programs help organizations establish a baseline by identifying and investigating red flags in high-risk areas such as: -Third-party relationships. -Gifts and entertainment. -Political contributions. -Procurement.

Fraud

Any illegal act characterized by deceit, concealment, or violation of trust. These acts are not dependent upon the application of threat of violence or of physical force. Frauds are perpetrated by parties and organizations to obtain money, property, or services; to avoid payment or loss of services; or to secure personal or business advantage.

Q) Which of the following best describes a continuous online auditing program? Computerized auditing suite of tools that allows internal auditors to create and share work documents Computerized sampling program that forwards randomly selected transactions to internal auditing as they occur Enterprise information system capability that allows internal auditors to monitor data in various parts of the organization's systems CORRECT: Automated system that compares each transaction in real time against preset parameters to identify any single occurrences that differ greatly from the other data

Automated system that compares each transaction in real time against preset parameters to identify any single occurrences that differ greatly from the other data RATIONALE: Continuous online auditing systems can examine each transaction to detect departures from set parameters, such as a combination of actions and transaction amounts or failure to obtain permission for a transaction.

Organizations dependent on computer technology.

Computer systems can be used to steal assets or intellectual property, facilitate identity theft, tamper with controls and records, and then hide the fraud. Internal auditors look for red flags of ineffective security controls: poor network administration that fails to define and enforce appropriate levels of access, lack of reports showing unauthorized access to the system, use of passwords by unauthorized users, users' failure to use password protocols, lack of firewalls to detect intruders, or users inviting intruders into a system through careless internet use.

Q) An organization's chief audit executive (CAE) feels that his team lacks the knowledge, skills, or other competencies needed to perform a fraud investigation. refer the matter to the legal department. contact appropriate government investigative authorities. train the staff in forensic auditing prior to reviewing the particular case. outsource the forensic review to a team with the proper industry experience.

Outsource the forensic review to a team with the proper industry experience. RATIONALE: 1210.A1 - The chief audit executive must obtain competent advice and assistance if the internal auditors lack the knowledge, skills, or other competencies needed to perform all or part of the engagement.

Q) Which of the following is a condition that indicates a higher likelihood of fraud? An individual handling marketable securities is responsible for making purchases, but another person recording the purchases reports any discrepancies and gains or losses to senior management. The assignment of responsibility and accountability in the accounts receivable department is allowed to rotate. Management has delegated the authority to make purchases under a certain dollar limit to subordinates. An individual has held the same cash-handling job for an extended period but twice a year takes over someone else's duties and vice versa.

The assignment of responsibility and accountability in the accounts receivable department is allowed to rotate.

Implementation Standard 2120.A2 (Assurance Engagements)

The internal audit activity must evaluate the potential for the occurrence of fraud and how the organization manages fraud risk.

Fraud Risk

The probability that fraud will occur and the potential consequences to the organization when it occurs

5 Steps of a Fraud Risk Assessment by Internal Audit

To ensure adequate review of the risks relevant to each engagement, internal auditors may conduct a fraud risk assessment as part of engagement planning. A full fraud risk assessment consists of five key steps: 1) Identify relevant fraud risk factors. 2) Identify potential fraud schemes and prioritize them based on risk. 3) Map existing controls to potential fraud schemes and identify gaps. 4) Test operating effectiveness of fraud prevention and detection controls. 5) Document and report the fraud risk assessment. Note that internal auditors may not conduct a full fraud risk assessment during engagement planning. They may also consider and discuss fraud risk with senior management or review the organization's fraud risk assessment, if available, instead of conducting their own assessment. Based on the information gathered, internal auditors can begin contemplating potential fraud scenarios and fraud risks relevant to the area or process under review. Brainstorming fraud scenarios is an effective way to determine the characteristics and circumstances unique to the specific area or process that may produce opportunities and incentives for fraud. Internal auditors should brainstorm with individuals diverse in their knowledge, perspective, and relationship to the area or process under review.

Q) What is the term for the ethical environment fostered by organizational leadership, which is the single most important factor in determining the organization's resistance to bribery and corruption? Tone at the top Control environment Code of conduct Anti-bribery program

Tone at the top RATIONALE: Effective risk mitigation starts with a strong tone at the top, setting the foundation for an overall compliance framework. The tone at the top is the ethical environment fostered by organizational leadership, and it is the single most important factor in determining the organization's resistance to bribery and corruption. No system of controls can provide absolute assurance against the commission of bribery or corruption. The board should, however, require the organization to develop comprehensive anti-bribery and anti-corruption programs.

Role of Internal Audit -Fraud

When fraud is suspected, a best practice is for the internal auditor to refer the case to the CAE, who will secure appropriate resources for further investigation, such as a certified fraud examiner or an IT security specialist. If significant control weaknesses are detected, additional tests conducted by internal auditors should be directed at identifying other fraud indicators. The internal auditor should: -Recognize that the presence of more than one indicator at any one time increases the probability that fraud has occurred. -Evaluate the indicators of fraud and decide whether any further action is necessary or whether an investigation should be recommended. -Notify the appropriate authorities in the organization if a determination is made that fraud has occurred, and recommend an investigation. The role of the internal audit activity in investigations needs to be defined in the internal audit charter as well as in the fraud policies and procedures.

Fraud triangle: Motive (also called incentive or pressure)

While people can rationalize their acts, there needs to be an incentive that entices them to behave that way. -A key motivator is the gratification of a desire, such as greed, or an addiction. -Power is a great motivator. Power can be career-related or simply gaining esteem in the eyes of family or coworkers. For instance, some computer frauds are done just to show that the hacker has the power to do it. -A third motivator is pressure, from either unrealistic job requirements, physical stresses, or outside parties.

Q) The Standards require the internal audit activity to assess fraud risks at the ___________________ levels. enterprise and operational system and entity business and departmental CORRECT: organizational and engagement

organizational and engagement RATIONALE: The Standards require the internal audit activity to assess fraud risks at the organizational and engagement levels. To ensure adequate review of the risks relevant to each engagement, internal auditors should conduct a fraud risk assessment as part of engagement planning. Over time, the knowledge the internal audit activity obtains during individual engagements can be compiled into a more robust and comprehensive organization-wide fraud risk assessment.

Examples of Fraud

-ASSET MISAPPROPIATION involves stealing cash or assets (supplies, inventory, equipment, information) from the organization. In many cases, the perpetrator tries to conceal the theft, usually by adjusting the records. (Theft of assets is also known as embezzlement) -SKIMMING occurs when cash is stolen from an organization before it is recorded on the organization's books and records. -DISBURSEMENT FRAUD occurs when a person causes the organization to issue a payment for fictitious goods or services, inflated invoices, or invoices for personal purchases. - EXPENSE REIMBURSEMENT FRAUD occurs when an employee is paid for fictitious or inflated expenses. -PAYROLL FRAUD occurs when a person causes the organization to issue a payment by making false claims for compensation. -FINANCIAL STATEMENT FRAUD involves misrepresenting the organization's financial statements, often by overstating assets or revenue or understating liabilities or expenses. -INFORMATION MISREPRESENTATION involves providing false information, usually to those outside the organization. -CORRUPTION: Corruption is the misuse of entrusted power for private gain. Corruption includes bribery and other improper uses of power. -BRIBERY is the offering, giving, receiving, or soliciting of anything of value to influence an outcome. Bribes may be offered to key employees or managers such as purchasing agents who have discretion in awarding business to vendors. - A DIVERSION is an act to divert a potentially profitable transaction to an employee or outsider. -RELATED-PARTY ACTIVITY is a situation where one party receives some benefit not obtainable in a normal arm's-length transaction. -TAX EVASION is intentional reporting of false information on a tax return to reduce taxes owed. By purposely structuring pricing techniques improperly, management can improve their operating results to the detriment of other organizations and one or more countries' taxation systems.

Internal auditor's responsibilities for detecting fraud during engagements include:

-Considering fraud risks in the assessment of control design and determination of audit steps to perform. -Having sufficient knowledge of fraud to identify red flags indicating that fraud may have been committed. -Being alert to opportunities that could be considered conducive for fraud, such as control weaknesses. -Evaluating the indicators of fraud and deciding whether any further action is necessary or whether an investigation should be recommended. -Notifying the appropriate authorities within the organization if a determination is made that fraud has occurred to recommend an investigation. Internal auditors must have sufficient knowledge to evaluate the risk of fraud and the manner in which it is managed by the organization, but are not expected to have the expertise of a person whose primary responsibility is detecting and investigating fraud. Developing sufficient knowledge to evaluate the risk of fraud requires learning about the fraud triangle and common red flags of fraud in various types.

Environmental Red Flags

-Environment may be viewed on a macro or micro level. The macro level refers to conditions that affect an entire industry, a country, or a global region, while the micro level refers to specific organizations. Examples of macro-level red flags include: -Stiff competition, unfair trade practices, or economic downturns that create pressure to perform or lead to layoffs that place economic pressures on individuals. These conditions may generate the motive to commit fraud. -Recently deregulated or poorly regulated industries in which absence or laxity of controls creates opportunity for fraud, for example, the ease of accessing cash in the business or the complexity and opacity of transactions. -An industry or cultural trend toward dishonesty and disregard of law and regulation (e.g., a history of corrupt practices by certain types of government contractors, a pattern of bribe taking by government officials). Perpetrators may point to a history or climate of acceptance as rationalization for fraud The same types of red flags may be seen on the micro or organizational level: -Financial motive from the loss of a lucrative contract, the pressure to improve financial performance to obtain a loan or before issuing stock, or a research and development failure that threatens the organization's product pipeline. -Reorganizations that disrupt control policies and create fraud opportunity. Failure to screen may lead to hiring with the motive to commit fraud (e.g., hiring supervisors who fail to implement, enforce, and monitor control policies). -Failure to train all personnel in the organization's ethical code. This can contribute to a culture that easily rationalizes small and large acts of fraud, including theft, bid rigging, kickbacks, and conflicts of interest.

Financial Statement Red Flags

-Fictitious revenues. Unusual growth in income or profitability, earnings growth despite recurring negative cash flows in some parts of the organization, highly complex transactions (like those used by the Enron Corporation, which board members and many financial experts said they could not follow), end-of-reporting-period transactions (e.g., channel loading, or building sales through special incentives at the cost of sales in later periods), sales or income attributed to unknown companies or areas, absence of documentation for posted sales. -Improper asset valuation. Changes made to inventory counts, fictitious sales accounts, unacknowledged and uncollected liabilities, fictitious assets supported by fictitious documents. -Concealed liabilities. Unposted invoices from vendors, calling an expense an asset (which can be depreciated or amortized), debts assumed by shell companies (off-balance-sheet accounting), reliance on subjective valuations, unusually low expenses or purchases, unusually low level of loss (e.g., returns or warranty), irregular accounting entries that reduce tax liabilities. -Improper disclosures. Poor communication of standards about disclosure, ineffective boards of directors.

Fraud Investigation Process

-Gathering evidence through surveillance, interviews, or written statements -Documenting and preserving evidence, considering legal rules of evidence and the business uses of the evidence -Determining the extent of the fraud -Determining the techniques used to perpetrate the fraud -Evaluating the cause of the fraud -Identifying the perpetrators

Interrogations

-Generally the accused is interrogated by two people: 1) an experienced investigator and 2) another individual who takes notes and functions as a witness if needed. -Investigative activities need to be coordinated with management, legal counsel, and other specialists such as HR and insurance risk management as appropriate.

There are several reasons internal audit may not participate in investigations, including that the activity may:

-Have the responsibility for assessing the effectiveness of investigations. -Lack the appropriate resources. -Lack internal auditors holding specialized training or certifications necessary to gather evidence.

Forensic investigations

Forensic investigations and fraud examinations will depend heavily on computer forensics, computer data imaging, electronic evidence discovery, and the analysis of structured and unstructured data. Examples of forensic auditing techniques: -Rules-based descriptive tests and reporting use historical data with simple and complex analytical weighted tests to identify areas of risk. Alerts will be produced when a specific condition is met. -Keyword search scans free text fields and unstructured data sources to identify suspicious or high-risk language. -Topic modeling uses text analytics to identify suspicious phrases, high-risk topics, or unusual patterns of behavior in the free text components of data. Beyond keyword searching, topic modeling seeks to cluster, quantify, and group the key noun or noun phrases in the data, enabling the investigative team to quickly gain an understanding of what information may have been compromised. -Linguistic analysis also uses text analytics, identifying the emotive tone of the communication. It identifies angry, frustrated, secretive, harassing, or confused communications. -Pattern and link analysis is a data visualization technique that finds hidden patterns and relationships in vast, seemingly unrelated data sources.

Fraud Detection

Fraud detection and monitoring employ detective controls to provide warnings or evidence that fraud is occurring or has occurred. Detective controls operate in the background and are not obvious. They include: -Encouraging employees to report suspicious activities using whistleblower hotlines. -Other methods to collect employee concerns, including web forms, emails, and face-to-face meetings. -Portions of code-of-conduct confirmations that ask employees to report any known violations. -Exit interviews to uncover fraud schemes or issues regarding management's integrity or other conditions conducive to fraud. -Proactive employee surveys that include questions related to fraud or unethical behavior. (Note that care must be taken to ensure that employees feel they can respond anonymously.)

Fraud triangle: Rationalization

Fraud perpetrators must be able to justify their actions to themselves as a psychological coping mechanism, allowing them to believe that they have done nothing wrong and are "normal people." For example, these individuals might consider that they were entitled to the stolen item or that if executives break the rules, it must be right for others to do so as well. -Some people will do things that are defined as unacceptable behavior by the organization yet are commonplace in their culture (e.g., bribery) or were accepted by previous employers. As a result, these individuals will not comply with rules that don't make sense to them. -Some people may have periods of financial difficulty in their lives, have succumbed to a costly addiction, or are facing other pressures. Consequently, they will rationalize that they are just borrowing the money and, when their lives improve, they will pay it back. -Others may feel that stealing from a company is not bad, thereby depersonalizing the act.

Q) Which would most likely be considered a red flag? Managers never override controls, even if this sometimes harms profitability. An individual who has been in a cash-handling job for an extended period always takes a long vacation in February. The organization has a third-party-operated whistleblower hotline in place, but no one has ever used it. Just after management resolves one crisis, the next always seems to pop up.

Just after management resolves one crisis, the next always seems to pop up. RATIONALE: An atmosphere of constant crisis can create the opportunity for fraud. While a red flag for fraud is employees who never take vacations, the situation of an employee taking a vacation at the same time each year would not necessarily be a red flag, since the vacation period reduces the opportunity for fraud. The person taking over temporarily would create a window to observe how the operation occurs when the other person is not present. (An exception could be if the operation were shut down during that period or some other situation-specific event, but this isn't mentioned in the question.) The fact that no one has used a whistleblower hotline is not a red flag in itself. Managers frequently overriding controls—not avoiding doing so—is a red flag.

Q) What is one of the best ways for the board of an organization to deter fraudulent financial reporting? Appoint only audit committee members with an understanding of financial accounting and reporting. Require board members to have current training and experience in financial accounting standards. Publish and monitor a code of conduct that creates a culture of honesty and high ethical values at all levels. Request that the external auditors review and report on the possibility of this type of fraud at each of their aud

Publish and monitor a code of conduct that creates a culture of honesty and high ethical values at all levels. RATIONALE: Although each organization may have different methods for establishing the right tone, a good starting point is to issue a code of conduct and an anti-bribery and anti-corruption policy endorsed by the board of directors. Once the board has clearly committed to a strong policy, the best approach is zero tolerance and full compliance with anti-bribery and anti-corruption laws. This is not just ethically right; there also is increased pressure for compliance from legislative bodies and nongovernmental organizations.

Examples of Red Flags

Red flags may relate to time, frequency, place, amount, or personality. They include items such as: -Overrides of controls by management or officers. -Lack of separation of duties. -Irregular or poorly explained management activities. -Constantly exceeding goals/objectives regardless of business conditions or competition. -Too many nonroutine transactions or journal entries. -Problems or delays in providing requested information. -Significant or unusual changes in customers or suppliers. -Transactions that lack documentation or normal approval. -Employees or management hand-delivering checks. -Customer complaints about delivery. -Employees exhibiting significant behavioral changes. -Poor IT access controls.

Role of Internal Audit - Fraud

Remember that internal auditors are not responsible for preventing or investigating fraud. Internal audit's role consists of considering the risk of fraud and investigating the controls designed to prevent or detect fraud.

Q) Management of a property and casualty insurance company has two major concerns about the efficiency and effectiveness of the claims-processing activities: -Some claims are being paid that should not be paid or are being paid in amounts in excess of the policy. -Many claims are not being paid on a timely basis. In preparing for an audit of the area, the internal auditor decides to perform a preliminary survey to gather more information about the nature of processing and potential problems. After informing management, the auditor is directed to go ahead with a fraud investigation. The auditor has identified the parties most likely to have been involved in the fraud, if indeed one is taking place. The auditor sends each potential participant a personal email indicating the nature of the investigation and urges the individual to come forward and explain the nature of the fraud. The auditor states that this is strictly an audit investigation and legal authorities are not involved. A major problem with this particular communication is the medium. Personal interviews should have been used instead of email. the nature of the message. The auditor should have detailed the specific allegations against each employee and allowed them the opportunity to respond. The message, as written, is too general. the medium. A paper-based document, such as a letter, should have been used instead of email. the nature of the communication. The auditor should have sent a questionnaire to each employee rather than seeking an open-ended response.

the medium. Personal interviews should have been used instead of email. RATIONALE: The nature of the communication is highly sensitive and personal. A more personal form of communication, such as a direct interview, should have been used to elicit the response from the employees. The auditor is not in a position to detail the allegations against each specific employee.