CFE Exam Quiz 28

As a sub-group of the board of directors, the audit committee is often delegated oversight of the organization’s financial, accounting, and audit matters. As part of this responsibility, the committee must take an active role in overseeing the assessment and monitoring of the organization’s fraud risks. This involves:
I: Meeting regularly with key internal parties (e.g., the chief audit executive or other senior financial persons) to discuss identified fraud risks and the steps being taken to prevent and detect fraud
II: Understanding how internal and external audit strategies address fraud risk
III: Providing external auditors with evidence that the audit committee is dedicated to effective fraud risk management
IV: Engaging in open conversations with external auditors about any known or suspected fraud
V: Receiving regular reports on the status of reported or alleged fraud

An affirmation process is the requirement for directors, employees, and contractors to explicitly affirm (typically via electronic or manual signature) that they have read, understood, and complied with the organization’s code of conduct, fraud control policy, and other such documentation that supports the fraud risk management program. In determining whether to enact an affirmation process, management must weigh any potential legal issues involved with having such a process with the increased fraud risk of not having one.
If an affirmation process is enacted, it should include consistent sanctions for individuals who refuse to sign-off on the acknowledgment.
Additionally, the affirmation process might include requiring individuals to acknowledge that they have a fiduciary duty to report any known instances of fraud.

An essential component of a fraud risk management program involves a mechanism for directors, employees, and contractors to self-disclose to the organization any potential or actual conflicts of interest.
All disclosures of potential or actual conflicts of interest—as well as management’s decision regarding the situation—should be documented and reported to legal counsel. Additionally, any waivers of conflict of interest policy provisions should be—and, under certain securities regulations, might be required to be—disclosed. Management should also consider the benefits of and any legal requirements for disclosing the organization’s code of conduct, anti-fraud policy, and related statements to the public.

As mentioned above, the cornerstone for a successful fraud risk management plan is a comprehensive fraud risk assessment that correctly determines the fraud risks of the organization. Such an appraisal is not a one-time effort, but should rather be carried out on a systematic and periodic basis. Therefore, the evaluation will take into account all possible fraud schemes and scenarios and the findings should be used to map control prevention to the fraud schemes and the organization’s risk-taking scenarios.

Management should determine and document specifically how it will periodically evaluate the fraud risk management program’s effectiveness. It should also include specific provisions for monitoring changes to the program, obtaining measurements of program effectiveness, and analyzing statistics, benchmarks, resources, and survey results. The results of this process evaluation should be used by the board and management to improve the fraud risk management program.

It is often said that what gets measured gets done. To effectively reduce identified fraud risk, management must hold employees accountable for driving results. The organization should track and measure progress against agreed-upon action plans. Publicly celebrating successes can be as or more effective in encouraging the right behaviors as providing negative consequences for failing to deliver results.

It is to be noted that, The Fraud Risk Assessment Tool may reveal certain residual fraud risks that have not been adequately mitigated due to lack of, or noncompliance with, appropriate preventive and detective controls. The fraud professional should work with the client to develop mitigation strategies for any residual risks with an unacceptably high likelihood or significance of occurrence. Responses should be evaluated in terms of their costs versus benefits and light of the organization’s level of risk tolerance.

The ERM Framework of COSO builds on the five components first identified as part of the Integrated Framework of COSO and includes an additional three components. The ERM Framework’s eight components are:
I: Internal environment
II: Objective setting
III: Event identification
IV: Risk assessment
V: Risk response
VI: Control activities
VII: Information and communication
VIII: Monitoring

In addition to financial benefits, effective fraud risk management:
I: Sends a clear message that fraudulent actions will be proactively sought out and will not be tolerated
II: Demonstrates a sound business strategy to employees and third parties
III: Enhances the organization’s public image and reputation
IV: Promotes goodwill with other organizations and the general public
V: Ensures compliance with certain laws and regulations

To ensure that the program for fraud risk management is effective in both operation and design, those responsible for governing In particular, the board of directors must consider the organization’s true and real risks of fraud, as well as its potential impact, and respond with and supervising the organization must fully embrace it.
I: Setting the appropriate tone and realistic expectations of management to implement an anti-fraud culture
II: Understanding of fraud risks throughout the organization
III: Developing a strategy to identify and mitigate fraud risks following the organization’s risk appetite and strategic plans

Management holds the primary responsibility for designing, implementing, monitoring and improving the fraud risk management program. As part of this, management should:
I: Take seriously all reports of fraud and undertake investigations for any such reports deemed reliable. Management might not be the optimal group to perform investigations but should ensure investigations occur for all allegations of fraud deemed reliable.
II: Punish perpetrators of discovered fraud appropriately. Punishing perpetrators reinforces the culture of ethics and the fact that fraud will not be tolerated.
III: Take any steps necessary to remediate weaknesses that allowed frauds to occur.
IV: Communicate—both in words and actions—that fraud is not tolerated.
V: Set a tone at the top and monitor the company culture to ensure that it appropriately supports the organization’s fraud prevention and detection strategies.
VI: Ensure that the organization has specific and effective internal controls in place to prevent and detect fraud.

Part of the internal audit function’s role is to evaluate and improve the effectiveness of the organize. Each of these organizational components — risk management techniques, internal controls, and systems of governance — serve an important role in preventing fraud.ion’s risk management, control, and governance processes.
I: Devote adequate time and attention to assessing—so that they can provide objective assurance to the board and management—that fraud controls are sufficiently designed and operating effectively to address identified fraud risks.
II: Review the comprehensiveness and adequacy of the fraud risks identified by management (giving particular consideration to fraud risks related to management override of controls).
III: Consider the organization’s fraud risk assessment when developing its audit plan.
IV: Periodically review management’s fraud risk management strategy and capabilities.
V: Communicate regularly with those responsible for the fraud risk assessment to ensure all fraud risks have been appropriately considered.
VI: Maintain an attitude of professional skepticism and be on guard for signs of fraud.
VII: Take an active role in supporting the organization’s ethical culture.

Responding to suspected fraud occurrences includes:
I: Investigating the allegation to determine the party or parties responsible, the means of the infraction, and the extent of the resulting damage
II: Punishing the perpetrator, whether through employment sanctions or legal action
III: Remediating the control weaknesses that allowed the fraud to be undertaken IV: Rebuilding stakeholders’ confidence in the organization

The board of directors and senior management will express their willingness to prevent, identify and constructively resolve the fraud. Such correspondence can be made as part of the written statement of values and principles of the company, as part of the code of conduct, or as part of a separate short document, such as a letter to all staff, suppliers, and customers.
The contribution declaration should be:
I: A senior executive or board member should be endorsed or written.
II: Be given as part of the induction process to workers and be reissued on a regular basis.
III: Stress the importance of fraud risk mitigation.
IV: Acknowledge the organization’s vulnerability to fraud.
V: Establish the responsibility of each person within the organization to support fraud risk management efforts.
VI: Reinforce management’s “no tolerance” stance on fraudulent behavior.

Focus groups enable the assessor to observe the interactions of employees as they discuss a question or issue. Some topics might lend themselves to being discussed in an open forum in which people feel comfortable among their colleagues. Additionally, when discussing tough or controversial issues in a group, an anonymous, real-time voting tool can be an effective way of opening up a dialogue among the participants.

Surveys can be anonymous or directly attributable to individuals. Sometimes people will share more openly when they feel protected behind a computer or paper questionnaire. In an organization where the culture is not one in which people open up and freely talk, an anonymous survey can be an effective way to get feedback. However, employees can be skeptical about the true anonymity of a survey, especially in organizations that use surveys to solicit feedback anonymously but send follow-up emails to individual delinquent respondents. If the assessor determines that an anonymous survey is an appropriate technique to use in the fraud risk assessment, he should clearly and explicitly explain to employees how anonymity will be maintained

Before the fraud risk assessment procedures begin, the sponsor and the assessment team need to agree on:
I: The scope of work that will be performed
II: The methods that will be used (e.g., surveys, interviews, focus groups, or anonymous feedback mechanisms)
III: The individuals who will participate in the chosen methods
IV: The content of the chosen methods
V: The form of output for the assessment

When assessing incentives, pressures, and opportunities to commit fraud, the fraud risk assessment team should evaluate:
I: Opportunities to commit fraud that arises from a person’s position (i.e., given his responsibilities and authority)
II: Incentive programs and how they might affect employees’ behavior when conducting business or applying professional judgment
III: Pressures on individuals to achieve performance or other targets and how such pressures might influence employees’ behavior
IV: Opportunities to commit fraud that arise from weak internal controls, such as a lack of segregation of duties
V: Highly complex business transactions and how they might be used to conceal fraudulent acts
VI: Opportunities for collusion (intrinsic to schemes such as bribery or kickbacks)

It is to be noted that The Culture Quotient is an assessment of how the organization and its people behave or are perceived to behave

An assessment that helps to determine whether people are showing or promoting a sense of entitlement in the sector. An entity with a strong sense of entitlement from its staff or members may have an increased risk of fraud comes under the Entitlement Index.

To calculate the Prevent/Detect Index, a standard, comprehensive population of fraud schemes, such as the ACFE Occupational Fraud Classification System, is used to evaluate each scheme that applies to the business and determine which schemes are the high-risk schemes that the organization should focus on. For those fraud schemes that apply to the company, and evaluation of each scheme should be performed to identify:
I: The likelihood that the scheme could be perpetrated
II: The significance of the fraud risk to the company
III: Whether there are preventive or detective internal controls in place to moderate the risk to a sufficient level

Management may also elect a combination of these approaches. For example, if the probability of occurrence and impact of loss are high, management may decide to transfer part of the risk through the purchase of insurance, as well as to implement preventive and detective controls to mitigate the risk.

The assessment results should be reported in a way that is easy to understand and that resonates with management. The reader of the report should be able to quickly view and comprehend the results. A simple one-page visual can sometimes make the most impact.

At the culmination of a fraud risk assessment, the organization should have a clear view of both the areas where the organization is susceptible to fraud and the controls that are designed and implemented to address those weak spots. To effectively manage the identified fraud risks, management should use the results of the fraud risk assessment to monitor the performance of critical internal controls. Such proactive attention will allow for the identification and correction of deficiencies in control design or operation as quickly as possible

Auditors often suggest that they collect evidence to demonstrate that financial statements are adequately reported or that monitoring processes are functioning effectively. They adopt a time-tested research method consisting of three parts:
I: Recognize the problem or issue subject to investigation.
II: Gather sufficient relevant evidence about it.
III: Analyze the evidence and conclude the problem or issue.

Information is material if having knowledge of such information might reasonably be expected to influence a client’s or employer’s decisions based on a fraud examiner’s report. Accordingly, materiality is a user-oriented concept. Thus, an item of information that, if omitted from a report, would change a user’s perceptions and conclusions is material.
When determining what information is material, fraud examiners should not consider what they themselves think is important and material; instead, they should try to decide what users will consider important and material. Thus, fraud examiners must project a decision-making process onto the users.

Fraud examiners must not disclose privileged information obtained during the course of a professional engagement without appropriate authority. Privileged information is information that cannot be demanded, even by a court; it is information that is protected by law from evidence.

The conduct of auditors should be beyond reproach at all times and in all circumstances. Any deficiency in their professional conduct or any improper conduct in their personal life places the integrity of auditors, the SAI that they represent, and the quality and validity of their audit work in an unfavorable light, and may raise doubts about the reliability and competence of the SAI itself. The adoption and application of a code of ethics for auditors in the public sector promotes trust and confidence in the auditors and their work.

A third party hotline is most often staffed by an outside company that specializes in products of this kind. Price, performance, and anonymity are the benefits. Some are working around the clock and will provide the customer subscriber with the information immediately. We also provide those who may be more comfortable with it with anonymity. Its downside is that the payment and the operation are beyond the control of the company.

Identifying key organizational characteristics and issues is a start to the development of an ethics program. These considerations include:
I: Understanding of why good people can commit unethical acts  Defining current—as well as desired—organizational values
II: Determining if organizational values have been properly communicated
III: Determining if ethics is a leadership issue in the organization
IV: Ascertaining how board members, stockholders, management, employees, and any other pertinent members of the organization define success
V: Producing written ethics policies, procedures, or structures