CFE Exam Quiz 21

Management can use one or a combination of the following strategies to tackle the residual risk of fraud in the organization: Prevent harm. isk transition. Reduce the risk. Assume that risk.

Management can mitigate the risk through appropriate countermeasures, such as controls on prevention and detection. The risk assessment team for fraud will analyze each countermeasure to decide if it is cost-effective and appropriate given the likelihood of loss incidence and effects.

The risk may be assumed by management if it determines that the likelihood of occurrence and impact of loss is low. Management can determine that assuming the risk is more cost-effective than removing the asset or stopping the operation, buying insurance to shift the risk, or implementing countermeasures to mitigate the risk.

The success of the process of fraud risk assessment depends on how effectively the results are reported and then what the organization is doing with the results. A poorly communicated report will undermine the whole process and put a stop to all the momentum that has been created. The report should be presented in a manner that is best suited to the business language.

To make the most of the cycle of fraud risk assessment, management should use the findings to Begin a company-wide dialogue. Check for high-risk fraud. Responsible for the success of the responsible parties. Keep the assessment process alive and relevant. Test the main controls.

The findings of the fraud risk assessment can be used by an internal audit or investigative team within the company to detect high-risk procedures or behaviors and suspicious transactions that may suggest fraud. This practice may also provide some reassurance if the subsequent fraud search reveals that at that point in time, despite the risk assessed, fraud does not appear to occur. Management should remember, however, that just because there is no evidence that fraud is occurring in the present, the risk that it could occur in the future is not eliminated.

In the course of their research, auditors will verify that the company properly manages the moderate to high risk of fraud identified in the fraud risk assessment by defining and documenting current preventive and detective controls relevant to the moderate to high risk of fraud identified in the fraud risk assessment. Design and conduct tests to assess whether the controls identified are operating effectively and efficiently. Identify whether there is a moderate to high risk of management override of internal controls within the moderate to high-risk areas of fraud. Develop and deliver reports that incorporate the results of their validation and testing of fraud risk controls.

Once all of the questions have been answered, the fraud specialist will review the results of the evaluation with the client or employer to determine the possible underlying fraud risks. Evaluate the most likely persons and organizations to commit fraud and classify the techniques they are likely to use. Identify and chart current preventive and detective risk controls. Evaluate the efficacy and performance of the controls found. Identify and determine the residual risk of fraud arising from inadequate or non-existent controls.

Employee appraisal questions are structured to determine the probability of a fraudulent event taking place within the company on the basis of: Internal Controls, Internal Control System, resources available to prevent, identify and discourage fraud.

In the financial world, risk management is the process of identification, analysis and acceptance or mitigation of uncertainty in investment decisions. Essentially, risk management occurs when an investor or fund manager analyzes and attempts to quantify the potential for losses in an investment, such as a moral hazard, and then takes the appropriate action (or inaction) given his investment objectives and risk tolerance.

The ERM System of COSO builds on the five components first defined as part of the Integrated Framework of COSO and adds an additional three components. The eight elements of the ERM System are: + External Context + Goal setting + Detection of incidents + risk assessment + control processes + information and communication + monitoring

Depending on the size and nature of the company, the following individuals and groups may have key roles in ensuring efficient risk management of fraud: Executive Management, Audit Committee, Compliance Committee, Manager Department, Internal Audit, IT, Security, Legal Department, and Human Resources

To ensure that the system of fraud risk management is successful in both operation and design, those responsible for managing and supervising the company must fully embrace it. In particular, the board of directors must identify and respond to the organization’s true and real risks of fraud and its potential impact. Setting an appropriate tone and management’s realistic expectations to implement an anti-fraud culture. Awareness of the risks of fraud throughout the organization. Development of a strategy for evaluating and managing fraud threats in accordance with the risk appetite and strategic plans of the organization.

It is to be noted that many of the ethical and legal problems of a corporation result from the corporate structure that separates ownership from management.

As a strategy to control crime, deterrence is designed to detect law violations, determine who is responsible, and penalize offenders for deterring future violations. Deterrence systems try to control the immediate behavior of individuals, not the long-term behaviors targeted by compliance systems.
Deterrence theory assumes that humans are rational in their behavior patterns. It assumes that an individual’s propensity toward lawbreaking is in inverse proportion to the perceived probability of negative consequences.

Clinard and Yeager found that mass-media publicity about law violations probably represents the most feared consequence of sanctions imposed on a corporation. Publicity can also inform the public about the operation of regulatory controls and can enable people to understand the purposes of the controls. Informal publicity is ordinarily carried as news items from the media, while formal publicity is a requirement that a corporation must, as part of an enforcement action, publish an advertisement or some other statement acknowledging a violation and that corrective measures are being taken.

The third and final factor in the Fraud Triangle is the rationalization. Cressey pointed out that rationalization is not an ex post facto means of justifying a theft that has already occurred. Significantly, rationalization is a necessary component of the crime before it takes place; in fact, it is a part of the motivation for the crime. The rationalization is necessary so that the perpetrator can make his illegal behavior intelligible to himself and maintain his concept of himself as a trusted person.

For example, a person who embezzles in order to get revenge on his employer for perceived unfair treatment uses financial means to solve what is essentially a nonfinancial problem.

According to the social process theory, Criminality is a function of individual socialization and the social-psychological interactions people have with the various organizations, institutions, and processes of society.

According to Skinner’s behavioral studies, punishment suppresses the behavior and is the least effective way of making a person understand that he is/has done something wrong.

It is found that employees that undergo the situations involving fraud, they are more likely to produce a positive outcome in their performance by using the non-punitive approach that includes behaviors other than punishment.

Other elements that could be analyzed on a statistical basis include:
Receiving reports
Perpetual inventory records
Requests for raw materials
Shipping documents
Cost sheets

Standard 2110—Governance
The internal audit activity must assess and make appropriate recommendations for
improving the governance process in its accomplishment of the following objectives:
I: Promoting appropriate ethics and values within the organization
II: Ensuring effective organizational performance management and accountability
III: Communicating risk and control information to appropriate areas of the organization
IV: Coordinating the activities of and communicating information among the board, external and internal auditors, and management

There should be a mechanism to require auditors to be subject to the discipline of an auditor’s supervisory body that is independent of the audit profession or to be supervised by an independent body if a professional body acts as the supervisory body. Such an auditor supervisory body should function in the public interest and have adequate membership, an adequate charter of obligations and rights, and adequate funding not under the control of the auditing profession in order to fulfill such duties.
Most importantly, this oversight process can be carried out in conjunction with similar quality assurance mechanisms in place within the audit industry, ensuring that the oversight body retains control over critical issues such as the nature of reviews, access to and preservation of audit work papers and other information required in reviews, and monitoring of the review outcomes.

It is found that following ISA 330 (Redrafted), the auditor shall determine overall responses to address the assessed risks of material misstatement due to fraud at the financial statement level. In doing so, the auditor shall:
I: Assign and supervise personnel, taking account of the knowledge, skill, and ability of the individuals to be given significant engagement responsibilities and the auditor’s assessment of the risks of material misstatement due to fraud for the engagement; this might include assigning additional individuals with specialized skill and knowledge, such as forensic and IT specialists, or assigning more experienced individuals to the engagement.
II: Evaluate whether the selection and application of accounting policies by the entity, particularly those related to subjective measurements and complex transactions, may be indicative of fraudulent financial reporting resulting from management’s effort to manage earnings
III: Incorporate an element of unpredictability in the choice of the type, duration, and context of audit procedures, such as using various sampling methods or conducting procedures on an unannounced basis at different locations or places.

There are four simple steps that could help prevent product theft if adequately installed and enforced. There are sufficient documentation, duties separation (including approvals), independent checks and physical protections.

Data misappropriation schemes usually involve exploitation of competitively sensitive information by staff, such as client lists, marketing strategies, company secrets, new products, or production site data. In one instance, an employee who felt the need to contribute to a new product design stole the design in an effort to get ahead with a rival in a new job.

The auditor shall obtain written representations from management that:
I: It acknowledges its responsibility for the design, implementation, and maintenance of internal control to prevent and detect fraud;
II: It has disclosed to the auditor the results of its assessment of the risk that the financial statements may be materially misstated as a result of fraud;
III: It has disclosed to the auditor its knowledge of fraud or suspected fraud affecting the entity involving: Management; Employees who have significant roles in internal control; or others where the fraud could have a material effect on the financial statements

Specifically, internal audit can reinforce each of the following program components in the
noted ways:
Policies and procedures, by testing whether they are:
I: Documented appropriately
II: Approved by management
III: In compliance with applicable laws and regulations
IV: Implemented effectively

Corruption is a term used to describe different types of wrongdoing designed to give rise to an unfair advantage. It can take many forms, including corruption, kickbacks, illegal gratuities, economic coercion, and conspiracy. This generally involves the abuse of power to provide a profit to the actor or another individual, contrary to other people’s duties or rights.