Chapter 8 PPT 4th Edition

Uploaded by

Nhung Kiều
CHAPTER 8

Fraud Risks and Controls

ROLE OF INTERNAL AUDIT

Internal Auditing: Assurance & Advisory Services, 4th Edition © 2017 by the Internal Audit Foundation.
Chapter 8: Fraud Risks and Controls

LEARNING OBJECTIVES
◼ Understand the prevalence of illegal acts and fraud in
today’s world.
◼ Compare and contrast various illegal acts/fraud
definitions.
◼ Describe the fraud triangle and its three elements, and
“dark triad” personalities.
◼ Define the types of fraud and fraud risk factors.
◼ Define governance, risk management, and control in the
context of fraud.
◼ Describe fraud prevention, deterrence, and detection
techniques.
◼ Understand the behavioral aspects of fraudsters.
◼ Describe internal auditors’ compliance and fraud-related
responsibilities related to protecting the organization
from regulatory violations.
◼ Understand evolving responsibilities of the internal audit
function, including the involvement of forensic
accountants and fraud examination specialists.


STANDARDS RELATED TO FRAUD


OVERVIEW OF FRAUD IN TODAY’S BUSINESS WORLD

◼ See the results of the cases conducted by the ACFE on pages 451, 452, & 453.


FRAUD TYPES: FREQUENCY VS IMPACT

[Figure: fraud types plotted on two axes, IMPACT ($) and FREQUENCY (Low to High). Types shown: Financial Reporting Fraud; Bribery and Kickbacks (FCPA); IP Infringement; Data Security Breaches: ID Theft; Asset Misappropriation.]


DEFINITIONS OF FRAUD

◼ Fraud is any intentional act or omission designed to deceive others,
resulting in the victim suffering a loss and/or the perpetrator achieving a
gain.
◼ Fraudulent financial reporting can be accomplished by:
■ Manipulating, falsifying, or altering accounting records or
supporting documents from which the financial statements are
prepared.
■ Misrepresenting, or intentionally omitting from, the financial
statements events, transactions, or other significant information.
■ Intentionally misapplying accounting principles relating to
amounts, classification, manner of presentation, or disclosure.


DEFINITIONS OF FRAUD

◼ Misstatements arising from misappropriation of assets (sometimes
referred to as pilferage, embezzlement, or defalcation) involve the
theft of an organization’s assets in which the effect of the theft
causes the financial statements not to be presented, in all material
respects, in conformity with GAAP.
◼ Misappropriation of assets can be perpetrated in various ways, including
embezzling receipts, stealing assets, or causing an entity to pay for goods
or services that have not been received.
◼ Misappropriation of assets may be accompanied by false or misleading
records or documents, or suppressing evidence, possibly created by
circumventing internal controls. Frequently, collusion with other
employees or third parties also may be involved.


DEFINITIONS OF FRAUD

◼ The ACFE’s definition focuses on occupational fraud, that is, fraud in the
workplace. Occupational fraud encompasses a wide range of misconduct
by employees, managers, and executives. Occupational fraud schemes can
be as simple as petty cash theft or as complex as fraudulent financial
reporting. Four elements seem to character
■ Is clandestine (that is, secretive and suspicious).
■ Violates the perpetrator’s fiduciary duties to the victim organization.
■ Is committed for the purpose of direct or indirect financial benefit to
the perpetrator.
■ Costs the employing organization assets, revenues, or reserves.


DEFINITIONS OF FRAUD

◼ The ACFE’s Occupational Fraud and Abuse Classification System, also called “The
Fraud Tree,” describes three main types of fraud:
◼ fraudulent statements, which generally involve falsification of an organization’s
financial statements (for example, overstating revenues and understating liabilities
and expenses);
◼ asset misappropriation, which involves the theft or misuse of an organization’s
assets (for example, skimming revenues, stealing inventory, or payroll fraud);
◼ and corruption, in which fraudsters wrongfully use their influence in a business
transaction to procure some benefit for themselves or another person, contrary to
their duty to their employer or the rights of another (for example, kickbacks,
self-dealing, or conflicts of interest).


FRAUD CLASSIFICATION


THE FRAUD TRIANGLE

◼ An important conceptual framework in understanding fraud is Cressey’s
Fraud Triangle, loosely based on what police officers and detectives have
referred to as “means, motives, and opportunity.”


THE FRAUD TRIANGLE


THE FRAUD TRIANGLE

◼ The fraud triangle highlights the three elements that may be called the “root causes of fraud.”
Fraud perpetrators want to relieve real or perceived pressure (for example, generating the
attitude that when you can’t “make” the numbers, you just “make up” the numbers), they need
to see ample opportunity so that they can carry out the fraud with ease (for example, nobody’s
watching the store, the employee is trusted completely and unlikely to get caught), and most
importantly, they need to rationalize their action as acceptable (for example, I’m doing it for
the good of the company). Rationalization allows fraud perpetrators to believe that they have
done nothing wrong and are “normal people.”

◼ Specifically, fraud perpetrators must be able to justify their actions to themselves as a
psychological coping mechanism to deal with the inevitable “cognitive dissonance” (that is, a
lack of congruence between their own perception of being honest and the deceptive nature of
their action or behavior).


THE FRAUD TRIANGLE

◼ Said another way, they need excuses. A typical list includes:
■ Everyone’s doing it, so I am no different.
■ Taking money from the cash till was just a temporary “borrowing.”
The money will be returned when the gambling/betting winnings
materialize.
■ The employer is underpaying me, so I deserve these “perks” as
reasonable compensation, and the company can certainly afford it.
■ I am not hurting anyone—in fact, it’s for a good cause!
■ It is not really a serious matter.


THE FRAUD TRIANGLE – EXAMPLES

◼ A furniture store employee stealing inventory may be taking advantage of weak internal
controls (perceived opportunity), the need to furnish his new apartment with nice furniture
instead of the “junk” he can afford with his meager salary (perceived pressure from spouse),
and using the rationalization that other store employees are probably stealing too (whether or
not this is a fact).

◼ In the case of management fraud, the perceived pressure may be to meet earnings targets so
that bonuses can be lavish and the stock price can get boosted, the opportunity may be weak
financial reporting controls and/or an inactive audit committee, and the rationalization may be
that “this is in the organization’s best interest and therefore an appropriate use of ‘cookie jar
reserves’ created earlier to get over a temporary hump.” Although the fraud triangle is a
powerful conceptual tool, there may be other personality factors that do not fit easily into
those three categories, particularly the potentially abnormal or deviant personality of fraud


KEY PRINCIPLES FOR MANAGING FRAUD RISK

◼ Fraud Risk Governance (Principle 1)
As discussed in chapter 3, “Governance,” it is important for
organizations to develop a strong governance structure to oversee
risk management and other activities that are in place to help
ensure achievement of business objectives.
◼ Fraud Risk Assessment (Principle 2)
* The steps in a fraud risk assessment are similar to those described
for an enterprise risk assessment in chapter 4, “Risk Management.”
* An organization must first identify the potential fraud events or scenarios to which it
may be vulnerable. These events or scenarios will vary from one organization to the
next, depending on the business model, industry, locations where the organization
operates, culture, and other similar factors.
* “Fraud risk assessment addresses the risk of fraudulent financial reporting,
fraudulent non-financial reporting, asset misappropriation, and illegal acts (including
corruption). Organizations can tailor this approach to meet their individual needs,
complexities, and goals.”

THE VALUE PROPOSITION


KEY PRINCIPLES FOR MANAGING FRAUD RISK

◼ Fraud Control Activity (Principle 3)
◼ “A fraud control activity is a specific procedure or process intended either to
prevent fraud from occurring or to detect fraud quickly in the event that it occurs.”
A fraud risk management program must have an appropriate balance between
prevention and detection controls.
◼ Prevention controls may include policies, procedures, training, and communication,
all of which are designed to stop fraud from occurring. Prevention controls may not
provide absolute assurance that a fraud will be prevented.
◼ Detection controls may include manual or automated activities that will recognize
timely that a fraud has occurred or is occurring. These controls may provide a deterrent to
fraud, but they are not designed to prevent the fraud from occurring. Rather, they
provide evidence that a fraud has occurred, which can be helpful in an
investigation.


KEY PRINCIPLES FOR MANAGING FRAUD RISK

◼ Fraud Investigation and Corrective Action (Principle 4)
Control activities can only be expected to provide reasonable—not
absolute—assurance against fraud. Therefore, “the organization’s
governing board ensures that the organization develops and
implements a system for prompt, competent, and confidential
review, investigation, and resolution of instances of non-compliance
and allegations involving fraud.”


KEY PRINCIPLES FOR MANAGING FRAUD RISK

◼ Fraud Risk Management Monitoring Activities (Principle 5)
The final COSO fraud risk management principle “relates to
monitoring the overall fraud risk management process.
Organizations use fraud risk management monitoring activities to
ensure that each of the five principles of fraud risk management is
present and functioning as designed and that the organization
identifies needed changes in a timely manner.
◼ It is important for an organization to establish a reporting system to facilitate and
encourage reporting of potential fraud incidents.
◼ Having a formal, structured approach to conducting and reporting on the results of
investigations helps an organization complete an investigation timely and develop
and maintain the support necessary to facilitate corrective actions.


GOVERNANCE OVER THE FRAUD RISK MANAGEMENT PROGRAM

◼ Strong governance provides the foundation for an effective fraud risk
management program.
◼ Some organizations have developed corporate cultures that encompass strong board
governance practices, including:
■ Board ownership of agendas and information flow.
■ Access to multiple layers of management and effective control of a whistleblower
hotline.
■ Independent nomination processes.
■ Effective senior management team…evaluations, performance management,
compensation, and succession planning.
■ A code of conduct specific for senior management, in addition to the organization’s
code of conduct.
■ Strong emphasis on the board’s own independent effectiveness and process
through board evaluations, executive session, and active participation in oversight
of strategic and risk mitigation efforts.

GOVERNANCE OVER THE FRAUD RISK MANAGEMENT PROGRAM


ROLES AND RESPONSIBILITIES

◼ Board of directors. As indicated previously, boards help set the tone at the top. They do so by
embracing the governance practices listed above. Many of the specific fraud oversight
responsibilities may be carried out by committees of the board, such as the audit committee or
the nominating and governance committee. This oversight should generally include:
■ A general understanding of fraud-related policies, procedures, incentive plans, etc.
■ A comprehensive understanding of the key fraud risks.
■ Oversight of the fraud risk management program, including the internal controls
that have been implemented to manage fraud risks.
■ Receiving and monitoring reports that provide information about fraud incidents,
investigation status, and disciplinary actions.
■ The ability to retain outside counsel and experts when needed.
■ Directing the internal audit function and the independent outside auditor to provide
assurance regarding fraud risk concerns.


GOVERNANCE OVER THE FRAUD RISK MANAGEMENT PROGRAM


ROLES AND RESPONSIBILITIES

◼ Management. Similar to the board, management plays a very important role in setting the tone for the
organization. Beyond what management says, how it acts is instrumental in shaping perceptions of the
culture and its attitude toward fraud prevention. In addition, management is responsible for implementing
the overall fraud risk management program. This includes direction and oversight over the system of
internal controls, which must be designed and operated in a manner to prevent fraud incidents or detect
them timely.
◼ Management must also establish a system of monitoring and reporting that will enable it to evaluate
whether the fraud risk management program is operating effectively. This helps provide management with
timely and relevant information that can be reported to the board.
◼ It is common in many organizations to assign a member of management the responsibility for overseeing
the fraud risk management program. This responsibility may include overseeing fraud and ethics-related
policies, conducting the fraud risk assessment, overseeing the controls that are designed to address fraud
risks, monitoring the effectiveness of the program, coordinating the investigation and reporting process,
and training and educating employees on the program. This individual should be at a sufficiently high level
in the organization to reinforce management’s commitment to preventing and deterring fraud. Typically,
there are other functions, most commonly from the legal and HR areas, that have defined support roles for
this individual.


GOVERNANCE OVER THE FRAUD RISK MANAGEMENT PROGRAM


ROLES AND RESPONSIBILITIES

◼ Employees. The day-to-day execution of the fraud risk management program, specifically the controls that
are designed to prevent and detect fraud, must involve everyone in the organization. According to the
Fraud Guide, this means that “all levels of staff, including management, should:
■ Have a basic understanding of fraud and be aware of the red flags.
■ Understand their roles within the internal control framework. Staff members should understand
how their job procedures are designed to manage fraud risks and when noncompliance may
create an opportunity for fraud to occur and go undetected.
■ Read and understand policies and procedures ([that is], the fraud policy, code of conduct, and
whistleblower policy), as well as other operational policies and procedures, such as
procurement manuals.
■ As required, participate in the process of creating a strong control environment and designing
and implementing fraud control activities, as well as participate in monitoring activities.
■ Report suspicions of incidences of fraud.
■ Cooperate in investigations.”


GOVERNANCE OVER THE FRAUD RISK MANAGEMENT PROGRAM


ROLES AND RESPONSIBILITIES

◼ The internal audit function. The internal audit function plays an
important role in contributing to the overall governance of a fraud risk
management program. This is primarily evident from the independent
assurance the internal audit function provides to the board and
management that the controls in place to manage fraud risks are designed
adequately and operate effectively.


GOVERNANCE OVER THE FRAUD RISK MANAGEMENT PROGRAM


COMPONENTS OF A FRAUD RISK MANAGEMENT PROGRAM

◼ There is no “one-size-fits-all” approach to designing a fraud risk management program.
◼ Most organizations have written policies and procedures relating to fraud, and typically have some
activities associated with assessing risks, designing effective controls, monitoring compliance, conducting
investigations, and educating employees on fraud topics and red flags.
◼ Typical successful integrated programs have certain key components:
■ Commitment by the board and senior management, which should be documented.
■ Fraud awareness activities that help employees understand the purpose, requirements, and responsibilities of the program.
■ An affirmation process that requires employees to affirm periodically, typically annually, that they understand and are
complying with policies and procedures.
■ A conflict disclosure protocol or process that helps employees self-disclose potential or actual conflicts of interest.
■ Fraud risk assessment, which helps to identify all reasonable fraud scenarios.
■ Reporting procedures and whistleblower protection.
■ An investigation process that ensures all matters undergo a timely and thorough investigation, as appropriate.
■ Disciplinary and/or corrective actions that address noncompliance with established policies and help deter fraudulent
behavior.
■ Process evaluation and improvement to provide quality assurance that the program will continue to meet its objectives.
■ Continuous monitoring to ensure the program consistently operates as designed.


FRAUD RISK ASSESSMENT

◼ As previously stated, the process of conducting a fraud risk assessment is similar to that of
conducting an enterprise risk assessment. The three key steps are:
1. Identify inherent fraud risks, through brainstorming.
2. Assess impact and likelihood of the identified risks, which involves determining the
potential impact and likelihood of each fraud scenario; this is a subjective
process.
3. Develop responses to those risks that have a sufficiently high impact and likelihood
to result in a potential outcome beyond management’s tolerance.


FRAUD RISK ASSESSMENT

◼ When conducting a fraud risk assessment, it is important to involve individuals with varying
knowledge, skills, and perspectives. While the specific individuals will vary from organization
to organization, the risk assessment will typically include:
■ Accounting and finance personnel
■ Nonfinancial business personnel to leverage their knowledge of day-to-day
operations
■ Legal and compliance personnel
■ Risk management personnel to help identify market and insurance fraud scenarios,
and to ensure the fraud risk assessment is integrated with the overall enterprise risk
assessment.
■ Internal auditors, who have an understanding of broad fraud risk scenarios and
controls.
■ Other internal or external parties who can provide additional expertise to the
exercise.


FRAUD PREVENTION

◼ Complete prevention is not possible, and in many cases the cost of
preventing certain fraud scenarios exceeds the benefits.
◼ Organizations develop fraud programs that combine an appropriate balance
of both preventive and detective controls.
◼ One of the most important forms of prevention relates to organizational
awareness; strong organizational awareness serves as a deterrent to fraud.
◼ By building preventive controls into the system of internal controls,
management can establish a foundation that will deter most individuals
from even considering fraud.


FRAUD PREVENTION

◼ In addition to implementing a strong fraud governance environment, the
Fraud Guide outlines common elements that can play an important role in
preventing fraud:
1- Performing background investigations
2- Providing anti-fraud training
3- Evaluating performance and compensation programs
4- Conducting exit interviews
5- Authority limits
6- Transaction-level procedures


WARNING SIGNS


FRAUD DETECTION

◼ An effective fraud risk management program cannot rely solely on
prevention.
◼ Not only is the cost of preventing certain fraud scenarios prohibitively
high, but it is not possible to prevent all fraud incidents from occurring.
◼ Fraud prevention can fail when there is inadequate design or ineffective
operation of fraud prevention controls. In addition, collusion among
individuals or management override may circumvent established controls
that are designed to prevent fraud.
◼ As a result, an organization must have a prudent balance of fraud detection
controls as well.


FRAUD DETECTION

◼ Detective controls include a combination of:
1- Whistleblower hotlines.
2- Process controls, such as reconciliations, independent reviews,
physical inspections or counts, and other analysis.
3- Proactive fraud detection procedures, such as continuous
auditing and data analytics.


IMPLICATIONS FOR INTERNAL AUDITORS AND OTHERS

◼ Internal auditors play a key role in a fraud risk management program. The IIA’s Standards
provide specific guidance for internal auditors. For example:
◼ Standard 1210.A2—Internal auditors must have sufficient knowledge to evaluate the risk of
fraud and the manner in which it is managed by the organization, but are not expected to have
the expertise of a person whose primary responsibility is detecting and investigating fraud.
◼ Standard 1220.A1—Internal auditors must exercise due professional care by considering the
… probability of significant errors, fraud, or noncompliance…
◼ Standard 2060—The chief audit executive must report periodically to senior management
and the board on … fraud risks …
◼ Standard 2120.A2—The internal audit [function] must evaluate the potential for the
occurrence of fraud and how the organization manages fraud risk.


USE OF FRAUD SPECIALISTS


◼ There are numerous advantages to using outside fraud specialists, in addition to the independence they
bring to the job. For example, they have extensive experience with identifying and investigating a variety
of different fraud schemes. Therefore, they can help in identifying and assessing the “usual suspects” and
recommending the optimal methods of investigation. Additionally, having worked with independent
counsel, general counsel, state attorneys, regulators, law enforcement personnel, other accountants and
auditors, and prosecutors, they have a good understanding of issues such as:
■ The best way to investigate a specific type of fraud scheme.
■ Assessing the quality and quantity of evidence needed.
■ Evaluating the admissibility of evidence in consultation with outside lawyers.
■ Preserving evidence and the chain of custody.
■ The need for, as well as potential to act as, a fact witness or as an expert witness.


COMMUNICATING FRAUD AUDIT OUTCOMES

◼ Internal auditors should write their communications in a systematic,
organized fashion to enhance clarity and comprehension, which typically
includes:
1- A brief, clear statement of the issue(s)
2- A citation of the relevant policies, rules, standards, laws, and
regulations that may be applicable to the case at hand.
3- The analysis of the evidence gathered to form a professional
opinion.
4- The conclusions; that is, the findings and recommendations.
