Internal Control and Fraud Detection: A Practical Guide


Copyright © 2020 by DELTACPE LLC

All rights reserved. No part of this course may be reproduced in any form or by any means, without permission in writing from the publisher.

The author is not engaged by this text or any accompanying lecture or electronic media in the rendering of legal, tax, accounting, or similar professional services. While the legal, tax, and accounting issues discussed in this material have been reviewed with sources believed to be reliable, concepts discussed can be affected by changes in the law or in the interpretation of such laws since this text was printed. For that reason, the accuracy and completeness of this information and the author's opinions based thereon cannot be guaranteed. In addition, state or local tax laws and procedural rules may have a material impact on the general discussion. As a result, the strategies suggested may not be suitable for every individual. Before taking any action, all references and citations should be checked and updated accordingly.

This publication is designed to provide accurate and authoritative information in regard to the subject matter covered. It is sold with the understanding that the publisher is not engaged in rendering legal, accounting, or other professional service. If legal advice or other expert advice is required, the services of a competent professional person should be sought.

—From a Declaration of Principles jointly adopted by a committee of the American Bar Association and a Committee of Publishers and Associations.

Course Description

The introduction of the Sarbanes-Oxley (SOX) Act fueled rapid growth in the organizational importance of internal control systems. Appropriate interpretation and implementation of the internal control framework is vital for every organization. This course incorporates and reflects up-to-date guidance from the PCAOB, the AICPA, the ACFE, and the principles of the 2013 COSO Framework. The course not only addresses the theoretical concept of internal control systems but also provides readers with the practical guidance they need to assume a role in the design, implementation, maintenance and evaluation of a comprehensive framework of internal controls for their organizations.

Specifically, the course presents the principles of internal control to help readers understand the nature and context of control, such as the limitations of internal controls, the most recognized control frameworks (e.g. the COSO Framework and the Green Book), and some common and important control procedures. It also includes steps on how to identify risks and controls, advice on how to assess the adequacy of controls, a discussion of how to reach a fair assessment, and documentation requirements for evidence of effective controls. In addition, the course discusses requirements related to performing an integrated audit: SAS 130 and AS No. 2201. Although these auditing standards are mandatory for external auditors and not for management, management should give consideration to following the approach described in them.

No discussion of internal controls would be complete without an examination of fraud prevention and detection. All organizations are subject to fraud risks. Fraud is now so common that its occurrence is no longer remarkable, only its scale. The course offers the essential tools for designing and implementing programs and controls to prevent and detect fraud. It focuses on the causes of fraud, fraud risk factors, some of the more common types of fraud, fraud symptoms, and fraud preventive and detective techniques, along with some recent cases in corporate fraud. It explains the differences between forensic accounting and auditing. It also includes the ACFE Fraud Prevention Checkup to help organizations identify major gaps and fix them before it is too late.

This course includes an illustration of potential internal control weaknesses involving accounting and financial reporting cycles, along with examples of compensating controls. It provides sample audit programs for key processes. It also incorporates appendixes including: an example of a management internal control report, a SOX Section 404 management compliance checklist, a financial reporting controls and information systems checklist for each key cycle (e.g. revenue, inventory, financing), and a computer applications checklist.

Field of Study: Auditing
Level of Knowledge: Overview
Prerequisite: None
Advanced Preparation: None

Table of Contents

INTRODUCTION ..... 1
LEARNING OBJECTIVES ..... 3
PART I. The Principles of Internal Control ..... 4
  Internal Control Systems ..... 4
    The Definition of Internal Control ..... 4
    Limitations of Internal Controls ..... 5
  Internal Control Frameworks ..... 6
    2013 COSO Framework ..... 6
      Overview ..... 6
      Components of Internal Control ..... 7
        The Control Environment ..... 8
        Risk Assessment ..... 9
          Identify Risks ..... 11
          Assess Risks ..... 11
          Respond to Risks ..... 11
          Relevance to Sarbanes-Oxley Compliance ..... 12
        Control Activities ..... 13
        Information & Communication Systems Support ..... 15
        Monitoring ..... 16
    The GAO Green Book ..... 17
      Overview ..... 17
      Framework Principles ..... 19
        Control Framework − 17 Principles ..... 19
        Control Framework with GAO’s Attributes ..... 20
  Part I − Section 1 Review Questions ..... 23
  Types of Controls ..... 25
    Directive Controls ..... 25
    Preventive Controls ..... 25
    Detective Controls ..... 26
    Corrective Controls ..... 27
  The Concepts of ICFR ..... 28
  Integrating Controls over Information Systems ..... 29
    IT General Controls ..... 29
    IT Application Controls ..... 30
  Considerations Specific to Smaller Entities ..... 33
  Cost-Benefit Relationships ..... 35
    Benefit-Cost Analysis ..... 35
    Cost-Effectiveness Analysis ..... 36
  Part I − Section 2 Review Questions ..... 37
PART II. Management Assessment of Internal Controls ..... 38
  Understanding the Sarbanes-Oxley Act Rules ..... 39
    Enhanced Financial Disclosures (Section 404) ..... 39
      Overview ..... 39
      Management’s Internal Control Report ..... 41
      The Role of Independent Public Accountant ..... 44
    Corporate Responsibility (Section 302) ..... 45
    Other Key Principles ..... 46
      Auditor Independence ..... 46
      The Role of the Audit Committee ..... 47
      Disclosures in Periodic Reports ..... 48
      Corporate and Criminal Fraud Accountability ..... 48
  Identification of Risks and Controls ..... 49
    Step 1: Selecting the Control Framework ..... 49
    Step 2: Defining Control Objectives ..... 51
    Step 3: Addressing and Monitoring Risks ..... 53
      General Concerns ..... 53
      Anti-Fraud Considerations ..... 54
      Assessment Criteria ..... 55
    Step 4: Establishing Controls ..... 57
  Part II − Section 1 Review Questions ..... 60
  Assessment of the Adequacy of Controls ..... 61
    Determining Key Controls ..... 62
    Evaluating the Effectiveness of Controls ..... 63
      The Design of Controls ..... 63
      The Operating Effectiveness of Controls ..... 65
  Evaluation of Control Deficiencies ..... 69
    Step 1: Understanding the Nature of the Deficiency ..... 69
    Step 2: Assessing the Likelihood of Misstatements ..... 70
    Step 3: Considering Compensating Controls ..... 71
    Step 4: Determining Classification of Deficiencies ..... 72
    Step 5: Reporting Assessment Results ..... 73
  Documentation of Effective Controls ..... 74
  Identification of Control Gaps ..... 77
  Illustration of Potential Internal Control Weaknesses and Compensating Controls: Accounting and Financial Reporting ..... 81
  Part II − Section 2 Review Questions ..... 83
PART III. Audit of ICFR Integrated with Audit of Financial Statements ..... 84
  Audit Objectives and Scope ..... 84
  Relevant Standards ..... 86
    Auditing Standard No. 2201 ..... 86
    Statement on Auditing Standards 130 ..... 86
  Planning the Audit ..... 87
  Part III − Section 1 Review Questions ..... 89
  Using a Top-Down Approach ..... 90
    The Key Concepts ..... 90
    Sample Audit Programs ..... 93
      Cash in Bank ..... 93
      Trade Accounts and Notes Receivable ..... 96
      Inventory ..... 98
      Fixed Assets ..... 100
      Prepaid Expenses and Deferred Charges ..... 101
      Accounts Payable ..... 103
      Stockholders’ Equity ..... 105
      Sales and Other Types of Income ..... 107
      Expense Items ..... 108
  Assessing the Risk of Fraud ..... 110
    Characteristics of Financial Statement Fraud ..... 110
      Types of Fraud ..... 110
      Fraud Risk Factors ..... 111
    Brainstorming Sessions ..... 111
      Fraud Risk Assessment ..... 113
        Collect Information ..... 113
        Identify and Assess Fraud Risks ..... 114
        Respond to the Fraud Risk Assessment ..... 114
  Testing Controls ..... 115
    Testing Design Effectiveness ..... 115
    Testing Operating Effectiveness ..... 115
    Relationship of Risk to the Evidence Obtained ..... 116
  Evaluating Control Deficiencies ..... 117
    Examples of Significant Deficiencies and Material Weaknesses ..... 119
      Scenario A – Significant Deficiency ..... 120
      Scenario B – Material Weakness ..... 120
  Responding to Misstatements Caused by Fraud ..... 121
  Reporting Audit Results ..... 122
    Types of Audit Opinions ..... 122
    Audit Matters ..... 124
      Critical Audit Matters ..... 124
      Key Audit Matters ..... 125
  Other Considerations ..... 127
    Considerations Specific to Smaller, Less Complex Entities ..... 127
    Considerations of Financial Information Systems ..... 128
    Management Written Representations ..... 130
    Communication of Certain Matters ..... 131
    Use of the Work of Internal Auditors or Others ..... 131
  Part III − Section 2 Review Questions ..... 132
PART IV. Fraud Prevention and Detection ..... 134
  Fraud Awareness ..... 134
    Basics of Fraud ..... 134
      Definition of Fraud ..... 134
      Fraud Triangle ..... 135
        Opportunity ..... 136
        Pressure/Incentive ..... 137
        Rationalization ..... 138
      The Evolution of Fraud ..... 140
    Types of Fraud ..... 141
      Occupational (Corporate) Fraud ..... 141
        Corruption ..... 144
        Asset Misappropriation ..... 144
          Risk Factors Relating to Misstatements Arising from Misappropriation of Assets ..... 144
        Financial Statement Fraud ..... 146
          Risk Factors Relating to Misstatements Arising from Fraudulent Financial Reporting ..... 147
      Procurement and Contractor Frauds ..... 150
      False Claims and False Statements ..... 151
  Part IV − Section 1 Review Questions ..... 152
  Forensic Accounting and Auditing ..... 154
  Fraud and Perpetrators ..... 156
    The Fraud Symptoms ..... 156
      Indicators of Financial Crime ..... 157
        Red Flags of Employee Behavior ..... 157
        Red Flags of Organizational Behavior ..... 158
    Recent Cases in Corporate Fraud ..... 159
  Fraud Prevention and Detection ..... 162
    Fraud Risk Assessment ..... 162
    Techniques for Fraud Prevention ..... 165
      The ACFE Fraud Prevention Checkup ..... 172
      Interpreting the Entity’s Score ..... 176
    The Use of Technology for Fraud Detection ..... 176
      Data Mining ..... 176
      Forensic Computing ..... 178
  Part IV − Section 2 Review Questions ..... 179
Appendix A: Example of Management Report ..... 180
Appendix B: Section 404 Management Compliance Checklist ..... 181
Appendix C: Financial Reporting Controls and Information Systems Checklist − Medium to Large Business ..... 183
  Part 1. Internal Control Assessment Questionnaires ..... 184
    Control Environment ..... 184
    Significant Account Balances and Transaction Cycles ..... 189
      Revenue Cycle ..... 189
        Revenue and Accounts Receivable ..... 190
        Cash Receipts ..... 192
      Purchasing Cycle ..... 193
        Purchases and Accounts Payable ..... 193
        Cash Disbursements ..... 194
      Inventory ..... 195
      Financing ..... 197
        Investments ..... 197
        Debt ..... 198
      Property, Plant, and Equipment ..... 199
      Payroll Cycle ..... 200
  Part 2. Financial Information System Checklist ..... 201
    End-User Computing ..... 201
    Procedures and Controls over End-User Computing ..... 202
    Information Processed by Outside Computer Service Organizations ..... 204
  Part 3. Assessing Segregation of Duties and the Risk of Management Override ..... 205
    Lack of Segregation of Duties ..... 205
    Management Override ..... 205
  Part 4. Interpret Results ..... 206
Appendix D: Computer Applications Checklist − Medium to Large Business ..... 208
  Computer Hardware ..... 208
  Computer Software ..... 208
  Computer Control Environment ..... 209
  Outside Computer Service Organizations ..... 211
Glossary ..... 212
Index ..... 215
Review Question Answers ..... 216
  Part I − Section 1 Review Questions ..... 216
  Part I − Section 2 Review Questions ..... 218
  Part II − Section 1 Review Questions ..... 218
  Part II − Section 2 Review Questions ..... 220
  Part III − Section 1 Review Questions ..... 222
  Part III − Section 2 Review Questions ..... 223
  Part IV − Section 1 Review Questions ..... 225
  Part IV − Section 2 Review Questions ..... 228

Page 13: Internal ontrol and raud etection

1

INTRODUCTION Management’s ability to fulfill its financial reporting responsibilities depends in part on the design and

effectiveness of the processes and controls it has put in place over accounting and financial reporting.

Without such controls, it would be extremely difficult for most business organizations to prepare

reliable financial reports. Effective internal control over financial reporting has become a legal

obligation. This course incorporates and reflects up-to-date guidance from the PCAOB, the AICPA, the

ACFE, and the principles of 2013 COSO Framework, and is divided into four parts:

Part I − The Principles of Internal Control. Internal control comprises the plans, methods, policies,

and procedures used to fulfill the mission, strategic plan, goals, and objectives of the entity. Without

adequate internal controls, management has little assurance that its goals and objectives will be

achieved. Part I provides an overview of the internal control framework and how it relates to the

achievement of basic management objectives. For example, it addresses the five components of

internal controls outlined in the 2013 COSO Framework. It explains some common control procedures

and the significance of the internal controls over financial reporting. The application of information

technology controls is highlighted, as well as the internal control limitations and cost-benefit

relationship.

Part II − Management Assessment of Internal Control. The Sarbanes–Oxley (SOX) Act Section 404

requires management’s development and monitoring of procedures and controls for making their

required assertion about the adequacy of internal controls over financial reporting, as well as the

required attestation by an external auditor of management’s assertion. Statement on Auditing

Standards (SAS) 130 requires the auditor to examine and report directly on the effectiveness of

internal control over financial reporting. There is no longer an option to examine and report on

management’s assertion about the effectiveness of internal control over financial reporting. Thus,

managers in both public entities and nonpublic entities have been increasingly aware of their

responsibility for internal controls.

Part II provides practical guidance that helps readers design, implement, maintain, and evaluate

controls specifically related to accounting and financial reporting. It includes steps on how to identify

risks and controls, advice on how to assess the adequacy of controls, a discussion of how to reach a

fair assessment, and documentation requirements of effective controls, along with an illustration of

potential internal control weaknesses and a SOX Section 404 management compliance checklist.

Part III − Audit of ICFR Integrated with Audit of Financial Statements. Part III includes requirements

and considerations related to performing an integrated audit (audit of internal control over financial

reporting integrated with an audit of financial statements). It highlights the key procedures required

of external auditors to attest to management's disclosures regarding the effectiveness of its internal

control, such as audit planning, the use of a top-down approach, assessment of fraud risk, testing of

controls, and evaluation and communication of deficiencies. It also addresses other matters related to

smaller and less complex entities, management written representations, and use of the work of others,


along with examples of significant deficiencies and material weaknesses. Although management is not

required to adopt the same methodology as the external auditor, there are advantages in using a

similar approach. These requirements/procedures explain how the external auditor will review and

evaluate management's assessment process. Understanding them is also important if management is going

to minimize audit fees by maximizing the auditor's reliance on management's own testing.

Part IV − Fraud Prevention and Detection. Fraud, a heavy economic and moral burden on society, is

a global scourge that harms the reputations of all industries and costs trillions of dollars in worldwide

damages each year. All organizations are subject to fraud risks. Therefore, no discussion of internal

controls would be complete without an examination of fraud prevention and detection. Fraud

perpetrators tend to display behavioral warning signs when engaging in their crimes. Additionally, the

typical fraudster has similar characteristics. Recognizing the red flags and understanding the profile of

fraudsters are important elements in the fight against fraud because prevention starts with being well

informed. The more individuals and organizations know about fraud, the less likely they are to be

victimized.

Part IV focuses on the causes of fraud, fraud risk factors, some of the more common types of fraud

and fraud symptoms, and fraud prevention and detection techniques, along with some recent cases in

corporate fraud. It explains the differences between forensic accounting and auditing. It also includes

the ACFE Fraud Prevention Checkup to help organizations identify major gaps and fix them before it is

too late.


LEARNING OBJECTIVES

After completing this section, you will be able to:

• Identify the functions and limitations of internal control

• Recognize the COSO principles of internal control

• Identify some common and important control procedures

• Distinguish between the IT general controls and application controls

• Recognize the implication and significance of the Sarbanes-Oxley Act

• Recognize key procedures involved in identifying risks and controls

• Identify key considerations for identifying and evaluating control deficiencies

• Recognize the requirements of management documentation of controls

• Identify factors in assessing the maturity level of a company’s internal control structure

• Identify the audit objectives, scope, and procedures applied to the integrated audit

• Recognize fraud considerations in a financial statement audit

• Identify the most common schemes and fraud symptoms

• Recognize techniques to prevent and detect fraud


PART I. The Principles of Internal Control

Part I addresses the following key principles to help you understand the nature and context of control:

• Control should respond quickly to evolving risks arising from factors within the organization and

to changes in the environment. (Types of Controls, Integration of Controls to Information Systems)

• Controls provide reasonable but not absolute assurance that the organization’s goals and

objectives will be achieved. (Limitation of Internal Controls)

• Control can help minimize the occurrence of errors and breakdowns but cannot provide absolute

assurance that they will not occur. (Limitations of Internal Controls)

• The system of control must include procedures for reporting promptly to appropriate levels of

management to ensure that corrective action is being undertaken. (Internal Control Systems)

• The costs of control must be balanced against the benefits, including the risks it is designed to

manage. (Cost-Benefit Relationships)

• Management is required to assess its system of ICFR using a recognized framework. Most have

selected the COSO framework, which is recognized as appropriate by the SEC and PCAOB (2013

COSO Framework)

Internal Control Systems

The Definition of Internal Control

Internal controls are a coordinated set of policies and procedures that reflect a comprehensive

strategy for achieving the following management objectives:

1. Reliable and comprehensive financial and other information

2. Compliance with laws, regulations, policies, plans and procedures

3. Efficient and effective operation and use of resources

4. Safeguarding of assets


In other words, internal controls are the varied techniques employed by management to achieve

management objectives and to meet management responsibilities. The comprehensiveness of an

entity’s internal control framework can be assessed based on the following features:

• Creating a favorable control environment

• Continually identifying and assessing risk

• Establishing effective control policies and procedures

• Effectively communicating information

• Monitoring the effectiveness of controls and corrective actions of issues identified

Most people wish to “cut to the chase” and go directly to a description of specific internal control

procedures. However, attempting to understand specific control procedures without first

understanding the overall framework of internal controls is like attempting to learn how to run before

walking. In both cases, the results are likely to be short-term frustration along with a long-term lack of

progress. The comprehensive control frameworks discussed in the following sections are powerful and

practical tools that give readers the flexibility they need to design, implement, maintain, and evaluate

controls to meet the ever-changing circumstances of a rapidly evolving environment.

Limitations of Internal Controls

Reasonable assurance refers to the fact that internal controls — even when they are appropriately

designed and operating effectively — cannot provide absolute assurance of achieving control

objectives. Reasonable assurance is a high level of assurance, but it is not absolute. For example,

internal control can provide reasonable assurance that:

• Certain management objectives implicit in internal control are achieved

• Transactions are recorded as necessary to permit preparation of financial statements in

conformity with the United States generally accepted accounting principles (GAAP)

Because of inherent limitations, however, internal controls cannot be designed to eliminate all fraud.

Inherent limitations include:

1. The requirement that controls be cost-effective

2. An error in the design of a control

3. The possibility that a person responsible for exercising a control could abuse that authority (e.g.,

management override)

4. The potential for human error (e.g. human judgment in decision making)

5. Circumvention of controls through collusion with parties outside the entity or with employees

of the entity

6. The fact that most controls do not tend to be directed at transactions of unusual nature

7. Procedures may become inadequate due to changes in conditions

8. Manipulations by management with respect to transactions or estimates and judgments


The concept of reasonable assurance acknowledges that even with an effective system of internal control,

there is a possibility that material misstatements, including misstatements due to management fraud,

may occur and not be prevented or detected on a timely basis.

Internal Control Frameworks

Several models exist which provide a basis for the design and objective assessment of the effectiveness

of control. Such models also provide criteria by which the effectiveness of the system of internal

control can be judged. This course focuses on two models currently accepted internationally which are

the 2013 COSO Framework and the GAO Green Book.

2013 COSO Framework

Overview

In 1992, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) released its

Internal Control – Integrated Framework as a leading framework for designing, implementing, and

conducting internal control and assessing the effectiveness of internal control. Internal control is

defined by COSO as follows:

“Internal control is a process, effected by an entity’s board of directors, management, and other

personnel, designed to provide reasonable assurance regarding the achievement of objectives relating

to operations, reporting, and compliance.”

In 2013, COSO introduced its updated Internal Control - Integrated Framework (2013 COSO

Framework). The updated framework was evolutionary, and it was intended to maintain the original

framework while revising it for the many changes since 1992 that have occurred in business, operating

environments, legislation, globalization and technology.

The 2013 COSO Framework describes the role of controls to effect principles, but the Framework does

not prescribe controls to be selected, developed, and deployed for effective internal control. It

specifically noted that an organization’s selection of controls to effect relevant principles and

associated components is a function of management judgment based on factors unique to the entity.

It also states that a major deficiency in a component or principle cannot be mitigated to an acceptable

level by the presence and functioning of other components and principles. However, understanding

and considering how controls effect multiple principles can provide persuasive evidence supporting

management’s assessment of whether components and relevant principles are present and

functioning.

There are 3 categories of objectives in the 2013 framework:


1. Operations Objectives: These objectives relate to the effectiveness and efficiency of the company's

operations, including performance goals and safeguarding assets against loss.

2. Reporting Objectives: These objectives relate to financial and non-financial reporting, both

internal and external. They can include reliability, timeliness, transparency, or other items

required by regulators, standards, or the company's own policies.

3. Compliance Objectives: These relate to the regulations and laws governing the company.

The most significant change made was the codification of the 17 principles that support the effective

design, implementation, and operation of the associated components and represent requirements

necessary to establish an effective internal control system. These principles are presented in “Control

Framework − 17 Principles” section.

Components of Internal Control

As mentioned previously, an entity's internal control consists of five components under the COSO

Framework: control environment, risk assessment, control activities, information and communication,

and monitoring activities.

Figure: The five components of internal control. Source: COSO, Internal Control - Integrated Framework: Executive Summary, 2013

These five components are linked together, thus forming an integrated system that can react

dynamically to changing conditions. The internal control system is intertwined with the entity’s

operating activities and is most effective when controls are built into the entity’s infrastructure,

becoming part of the very essence of the entity.

In summary, internal control is the responsibility of all employees. Entities must ensure that the system

of internal control is integrated into operational activities. Internal control should increase the

likelihood of detecting fraud, reduce unjustified spending, abuses or mistakes, prevent inappropriate


activities and strengthen compliance with regulations. Each component of internal control is discussed

below.

The Control Environment

The control environment is the most important of the five components; the effectiveness of the other

four ultimately depends on it. It is sometimes referred to as the "tone at the top" of

the entity, meaning the integrity, ethical values, and competence of the management. Therefore, the

control environment is considered the foundation for the other components of internal control

because it provides discipline and structure by setting the tone/culture of an organization and

influencing control consciousness. It includes human resource policies and practices relative to hiring,

orientation, training, evaluating, counseling, promoting, compensating, and remedial actions.

“Tone at the Top” is the attitude of the management toward maintaining integrity and ethical values,

as demonstrated through their directives and behavior. Without a strong tone at the top to support

an internal control system, the control objectives cannot be properly defined, and as a result, the entity

may encounter obstacles such as:

• The entity’s risk identification may be incomplete

• Risk responses may be inappropriate

• Control activities may not be appropriately designed or implemented

• Information and communication may fail

• The results of monitoring may not be understood or acted upon to remediate deficiencies

The factors to consider in assessing the control environment include:

• Integrity and ethical values, including:

o Management’s actions to eliminate or mitigate incentives and temptations on the part of

personnel to commit dishonest, illegal, or unethical acts;

o Policy statements; and

o Code of conduct.

• Commitment to competence, including management’s consideration of competence levels for

specific tasks and how those levels translate into necessary skills and knowledge.

• Board of directors or audit committee participation, including interaction with internal and

external (independent) auditors.

• Management’s philosophy and operating style, such as management’s attitude and actions

regarding financial reporting, as well as management’s approach to taking and monitoring

risks.

• The entity’s organizational structure (i.e., the form and nature of organizational units).

• Assignment of authority and responsibility, including fulfilling job responsibilities.


• Human resource policies and practices, including those relating to hiring, orientation, training,

evaluating, counseling, promoting, and compensating employees.

In summary, the auditor will seek to understand the attitude, awareness, and actions concerning the

control environment on the part of management and the directors. For example, an auditor usually

evaluates whether:

• Management, with the oversight of those charged with governance, has created and

maintained a culture of honesty and ethical behavior, and

• The strengths in the control environment elements collectively provide an appropriate

foundation for the other components of internal control and whether those other components

are not undermined by deficiencies in the control environment

The auditor must concentrate on the substance of controls rather than their form because controls may

be established but not acted upon. For example, management may adopt a code of ethics but condone

violations of the code.

Control Environment Tips

• A code of conduct is approved and communicated companywide

• Policies and procedures regarding conflict of interests are established

• Ethical issues are discussed with employees

• Proper and timely actions are taken to address conflict of interest

• Job descriptions, limits to authority, performance standards, accountability, control activities, and

reporting relationships are clarified, documented, up-to-date, and communicated

• The principle of segregation of duties is adhered to in the design of internal control systems

• Adequate training and guidance are provided to ensure that employees are acquainted with the

policies and procedures

• Appropriate disciplinary action is in place to address the violation of policies and procedures

Risk Assessment

Risk assessment is a process for identifying and assessing risks that may prevent organizations from

achieving objectives. It is critical to develop appropriate plans to limit the possible negative

consequences of these risks and to determine which employees are responsible for implementation

of the adopted plans. The entity must systematically analyze the risks associated with its activities at

least once a year. In general, the risk assessment process includes the key elements shown in the Risk

Assessment Key Elements figure later in this section.


Risk assessment is the responsibility of all employees in the entity. The establishment and

development of risk assessment in the entity is the responsibility of the head of the entity (e.g. CEO)

and the heads of organizational units in the entity (e.g. managers). The fundamental elements of risk

assessment are the evaluation of significant risks and the implementation of suitable risk responses.

Risk responses include:

1. Acceptance or tolerance of a risk

2. Avoidance or termination of a risk

3. Risk transfer or sharing via insurance, a joint venture or other arrangement

4. Reduction or mitigation of risk via internal control procedures or other risk prevention

activities

The following diagrams list the key elements of risk assessment and the key steps to assess risks. The

steps are discussed in the following sections.

Figure: Risk Assessment Key Elements: Objectives; Definition of risk; Roles and responsibilities;

Prioritization and response to risks; Implementation of the measures taken; Reporting and monitoring

activities.

Figure: Risk Assessment Process: Identify risks; Assess risks (develop assessment criteria, assess risks,

evaluate risk interactions, prioritize risks); Respond to risks.


Identify Risks

Risk can be defined as the possibility that an event will occur and adversely affect the achievement of

objectives. Events can have either a positive or a negative impact. An event with a positive impact

represents an opportunity. An event with a negative impact on achieving an objective represents a

risk. In other words, an event affects the company’s objectives and creates the condition for risk only

if it has a negative impact. For example, the failure of a supplier to provide materials for production is

an event. The risk is not meeting production deadlines causing late deliveries to customers.

Uncertainty is not knowing what will happen in the future. The greater the uncertainty, the greater

the risk. An organization must understand the sources of uncertainty because risk is about knowledge.

When management lacks knowledge, there is greater uncertainty. The risk identification process

precedes the assessment process, thus allowing management to create a list of risks (opportunities as

well).

Assess Risks

An effective risk identification process produces a key business risk universe or register linked to

business objectives and value drivers. Details of how to assess risks are discussed in “Step 3: Addressing

and Monitoring Risks” section in Part II of this course.

Respond to Risks

Management should design overall risk responses based on the significance of the risk and defined

risk tolerance. There are four fundamental choices:

1. Acceptance - No action is taken to respond to the risk based on the insignificance of the

risk.

2. Avoidance - Action is taken to stop the operational process or the part of the operational

process causing the risk.

3. Reduction - Action is taken to reduce the likelihood or magnitude of the risk.

4. Sharing - Action is taken to transfer or share risks across the entity or with external parties,

such as insuring against losses. Other examples include lease agreements, waivers,

disclaimers, tickets, and warning signs.

When risk response actions do not allow the organization to operate within the defined risk tolerances,

management should revise the risk responses or reconsider the risk tolerances through the periodic

risk assessments.

Figure: The four risk responses: Acceptance, Avoidance, Reduction, Sharing.


Risk Assessment Tips

• Senior executives set the basis for how risk is viewed and addressed, including risk management

philosophy and risk appetite, integrity and ethical values, and the environment in which they

operate (tone at the top)

• Objectives must exist before management can identify potential events affecting their

achievement

• A clear link between objectives, risks and selected strategic initiatives is established

• Perspectives/inputs are gathered from all levels of employees to increase risk culture and

ownership and enhance the organization’s ability to understand, identify, and manage risks

• The assessment of the risk in terms of impact and likelihood is reliable and relevant

• Formal risk response and risk measures are developed and documented

• Key questions for management to ask include:

− What could happen? List risks, incidents or accidents that might happen by systematically working

through each activity, process, or stage to identify what might happen at each

stage.

− How and why can it happen? List the possible causes and scenarios or a description of the risk,

incident or accident.

− What constitutes a material risk to our company?

− How much risk are we willing to accept?

− What is the likelihood of them happening?

− What will be the consequences if they do happen?

Relevance to Sarbanes-Oxley Compliance

Although the Sarbanes-Oxley (SOX) Act of 2002 does not require companies to adopt enterprise risk

management (ERM), implementation of ERM facilitates compliance with applicable SOX requirements.

For example, it will assist certifying officers with the discharge of their Section 302 quarterly

certification and Section 404 annual assessment responsibilities. Moreover, since both the Securities

and Exchange Commission (SEC) and the Public Company Accounting Oversight Board (PCAOB)

promoted a risk-based approach to evaluating internal control over financial reporting in accordance

with Section 404, ERM can provide benefits from a SOX compliance perspective. Specifically, ERM

enables companies to maintain their disclosure process through a process-based chain of

accountability, involving unit managers and process owners who communicate issues requiring action

and possible disclosure. ERM also provides executives and directors with more confidence that the

internal control structure is sustainable. ERM focuses on business risk and internal controls to preserve

and create enterprise value. The emphasis is on ‘risk strategy’. A company can support SOX compliance

and also identify new risks before they emerge, thereby managing risks proactively and strategically

across the enterprise.


Control Activities

Control activities are the policies and procedures designed by management to help ensure that the

organization’s objectives and goals are not negatively impacted by internal or external risks.

Examples of specific control activities include those relating to the following:

Authorization. Every transaction must be authorized and carried out by people acting within the scope

of their authority. This will help prevent invalid transactions.

Physical controls, which involve: 1) physical security of assets, such as adequate safeguards over the

access to assets and records 2) authorization for access to computer programs and files 3) periodic

counting and comparison with amounts shown on control records (e.g. comparing the results of cash,

security, and inventory counts with accounting records)

Segregation of duties is designed to reduce the opportunity for any one person to be in a position

both to perpetrate and to conceal errors or irregularities (fraud) in the normal course of his or her

duties. It involves assigning to different people the responsibilities of authorizing transactions,

recording transactions, maintaining custody of assets, and reconciliation:

• Authorization: The process of reviewing and approving transactions, such as verifying daily

balancing reports, approving purchase orders and timesheet.

• Record Keeping: The process of creating and maintaining records of revenues, expenditures,

and inventories, such as preparing cash receipts or billings, purchase requisitions, and

maintaining inventory records.

• Custody: Having access to or control over any physical assets, including cash, check,

equipment, supplies or materials.

• Reconciliation: The process of verifying the processed transactions to ensure that they are

valid, properly authorized and recorded on a timely basis, and following up on any

discrepancies identified. Examples of this control mechanism include conducting physical

inventory counts, comparing fund collected to accounts receivable postings, comparing cash

collection to deposits, reconciling department revenues and expenditures to management

reports.

Figure: Segregation of Duties: Authorization, Record Keeping, Custody, Reconciliation.


For instance, the various functions involved in the purchase of supplies should be segregated as

follows:

• Purchasing Department: issuing a purchase order to the vendor based on an approved requisition

form (authorization)

• Receiving Department: verifying that the ordered goods have been received by preparing a

receiving report (custody)

• Accounting Department: preparing checks and recording the transaction in the accounting records

upon the review and match of the requisition, purchase order, receiving report, and invoices (record

keeping, reconciliation)

The segregation of duties concept should also apply to software development, where the following

functions should be separated:

1. Identification of requirements (or change request)

2. Authorization/approval (e.g., IT governance board or manager)

3. Design and development (e.g., developer)

4. Review, inspection, and approval (e.g., another developer or tester)

5. Implementation in production (e.g., system administrator)

Performance reviews, including comparisons of actual performance with budgets, forecasts, and

prior-period results (e.g., comparing internal data with external sources of information, review of

functional performance).

Information processing. Controls relating to information processing are generally designed to verify

accuracy, completeness, and authorization of transactions. Specifically, controls may be classified as

general controls or application controls. The former might include controls over data center

operations, systems software acquisition and maintenance, and access security; the latter apply to the

processing of individual applications and are designed to ensure that transactions that are recorded

are valid, authorized, and complete.

Periodic reconciliation/verification. Accounting records should be compared periodically to ensure

that they faithfully reflect the underlying facts. For example, cash reported in the accounting records

should be reconciled to the cash balances reported on the bank statement. General ledger accounts

should be reconciled to related amounts reported in subsidiary ledgers. Moreover, management

should periodically compare data contained in the accounting records to what those data represent.
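The following Python script is an added example (not part of the course text) showing how the incompatible-duty pairs and the requisition/purchase order/receiving report/invoice match described above can be checked mechanically against a purchase-to-pay log, which is how an internal auditor would test these controls at scale rather than by sampling. The record layout, the user names and the exact set of incompatible pairs are assumptions for illustration, and the sample log is constructed.

```python
"""Segregation-of-duties (SoD) and three-way-match checks over a purchase-to-pay log.

Added example, not from the course text. The record layout, user names and the
set of incompatible duty pairs are assumptions made for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Duties that one person must not hold for the same transaction (assumed policy).
INCOMPATIBLE_PAIRS: Set[frozenset] = {
    frozenset({"authorize", "record"}),
    frozenset({"authorize", "custody"}),
    frozenset({"custody", "record"}),
    frozenset({"record", "reconcile"}),
    frozenset({"custody", "reconcile"}),
}


@dataclass(frozen=True)
class Event:
    po: str        # purchase order id
    duty: str      # authorize | custody | record | reconcile
    user: str
    step: str      # purchase_order, receiving_report, invoice, payment
    amount: float


# Constructed sample log (not real data).
SAMPLE_LOG: List[Event] = [
    Event("PO-1001", "authorize", "alice", "purchase_order", 4800.00),
    Event("PO-1001", "custody",   "bob",   "receiving_report", 4800.00),
    Event("PO-1001", "record",    "carol", "invoice", 4800.00),
    Event("PO-1001", "reconcile", "dave",  "payment", 4800.00),
    # PO-1002: the same person approves the PO and records the invoice -> SoD conflict
    Event("PO-1002", "authorize", "erin",  "purchase_order", 950.00),
    Event("PO-1002", "custody",   "bob",   "receiving_report", 950.00),
    Event("PO-1002", "record",    "erin",  "invoice", 950.00),
    # PO-1003: invoice exceeds what was ordered and received -> three-way match failure
    Event("PO-1003", "authorize", "alice", "purchase_order", 1200.00),
    Event("PO-1003", "custody",   "frank", "receiving_report", 1200.00),
    Event("PO-1003", "record",    "carol", "invoice", 1350.00),
]


def sod_conflicts(log: List[Event]) -> List[Tuple[str, str, Tuple[str, str]]]:
    """Return (po, user, (duty_a, duty_b)) for every incompatible pair one user held on one PO."""
    duties: Dict[Tuple[str, str], Set[str]] = defaultdict(set)
    for e in log:
        duties[(e.po, e.user)].add(e.duty)
    conflicts = []
    for (po, user), held in sorted(duties.items()):
        for pair in INCOMPATIBLE_PAIRS:
            if pair <= held:
                conflicts.append((po, user, tuple(sorted(pair))))
    return conflicts


def three_way_match(log: List[Event], tolerance: float = 0.01) -> Dict[str, bool]:
    """Return po -> True when PO, receiving report and invoice amounts all agree within tolerance.

    A PO with any of the three documents missing fails the match: payment must not be
    released before the goods are confirmed received and invoiced.
    """
    needed = ("purchase_order", "receiving_report", "invoice")
    amounts: Dict[str, Dict[str, float]] = defaultdict(dict)
    for e in log:
        if e.step in needed:
            amounts[e.po][e.step] = e.amount
    result: Dict[str, bool] = {}
    for po, steps in amounts.items():
        if any(s not in steps for s in needed):
            result[po] = False
            continue
        base = steps["purchase_order"]
        result[po] = all(abs(steps[s] - base) <= tolerance for s in needed)
    return result


if __name__ == "__main__":
    for conflict in sod_conflicts(SAMPLE_LOG):
        print("SoD conflict:", conflict)
    for po, ok in sorted(three_way_match(SAMPLE_LOG).items()):
        print(po, "three-way match OK" if ok else "THREE-WAY MATCH FAILED")
```

Run against the constructed log, the script reports one SoD conflict (erin on PO-1002) and one failed three-way match (PO-1003). In practice the log would be exported from the ERP system's audit trail, and the conflict rules would be reviewed with the process owner, since a small entity may have to accept some conflicts and compensate with the analytical review and reconciliation controls described below.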


Analytical review is a process of determining the reasonableness of financial data by comparing the

data’s behavior with other financial/nonfinancial data. This review attempts to compare what is

reported to what is reasonably expected. For example:

1. Identifying fuel credit card usage that is abnormally high compared to others in a similar role

2. Calculating expected mileage for a particular amount of fuel charged and then comparing it to

typical or expected travel patterns

A basic premise underlying the application of analytical procedures is that plausible relationships

among data may reasonably be expected to exist and continue in the absence of known conditions to

the contrary. Variability in these relationships can be explained by, for example, unusual events or

transactions, business or accounting changes, misstatements, or random fluctuations. Analytical

review is a very effective way to ensure adequate control in cases where it is not practical to segregate

incompatible duties (e.g. small entities).
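As an added example, not from the course text, the following Python script applies the two analytical review tests just described to a constructed set of fuel-card records: it compares each cardholder's gallons with peers in the same role, and it compares the mileage implied by the fuel charged with the mileage the cardholder reported. The column layout, role names, the assumed 25 miles per gallon and the flagging thresholds are assumptions for illustration.

```python
"""Analytical review of fuel-card spend: peer comparison by role and fuel-to-mileage reasonableness.

Added example, not from the course text. The column layout, role names, the peer
z-score threshold and the vehicle fuel economy are assumptions for illustration.
"""
import statistics
from typing import Dict, List, Tuple

# Constructed sample data (not real): one month of fuel purchases per cardholder.
# (cardholder, role, gallons_charged, reported_miles)
SAMPLE = [
    ("emp01", "field_tech", 60.0, 1500),
    ("emp02", "field_tech", 58.0, 1420),
    ("emp03", "field_tech", 63.0, 1580),
    ("emp04", "field_tech", 61.0, 1510),
    ("emp05", "field_tech", 140.0, 1550),   # spend far above peers for similar reported miles
    ("emp06", "sales",      90.0, 2300),
    ("emp07", "sales",      95.0, 2400),
    ("emp08", "sales",      88.0, 2200),
    ("emp09", "sales",      92.0, 2350),
    ("emp10", "sales",      93.0, 1100),    # fuel implies far more miles than reported
]


def peer_outliers(rows, z_threshold: float = 2.0) -> List[Tuple[str, str, float]]:
    """Flag cardholders whose gallons exceed role peers by more than z_threshold standard deviations.

    The mean and standard deviation are computed leaving the cardholder out, so one very
    large purchase cannot inflate the peer group's spread and mask itself.
    """
    by_role: Dict[str, List[Tuple[str, float]]] = {}
    for emp, role, gallons, _ in rows:
        by_role.setdefault(role, []).append((emp, gallons))
    flagged = []
    for role, members in by_role.items():
        for emp, gallons in members:
            peers = [g for e, g in members if e != emp]
            if len(peers) < 2:
                continue  # too few peers to form an expectation; review manually
            mu = statistics.mean(peers)
            sd = statistics.stdev(peers)
            z = (gallons - mu) / sd if sd > 0 else 0.0
            if z > z_threshold:
                flagged.append((emp, role, round(z, 1)))
    return flagged


def mileage_variances(rows, mpg: float = 25.0, tolerance: float = 0.25) -> List[Tuple[str, int, int, float]]:
    """Compare miles implied by fuel charged (gallons * assumed mpg) with reported miles.

    Flags a cardholder when implied miles exceed reported miles by more than the tolerance
    fraction; a zero or negative reported mileage is flagged outright because it cannot be
    reconciled to any fuel purchase.
    """
    flagged = []
    for emp, _, gallons, reported in rows:
        implied = gallons * mpg
        if reported <= 0:
            flagged.append((emp, int(implied), reported, float("inf")))
            continue
        variance = (implied - reported) / reported
        if variance > tolerance:
            flagged.append((emp, int(implied), reported, round(variance, 2)))
    return flagged


if __name__ == "__main__":
    for emp, role, z in peer_outliers(SAMPLE):
        print(f"{emp} ({role}): gallons {z} standard deviations above peers")
    for emp, implied, reported, var in mileage_variances(SAMPLE):
        print(f"{emp}: fuel implies ~{implied} miles, reported {reported} (variance {var:.0%})")
```

The peer test catches emp05, whose fuel purchases are an order of magnitude above other field technicians, while the mileage test catches both emp05 and emp10, whose reported mileage cannot account for the fuel bought. Neither result proves fraud; each is an exception that a supervisor must explain or investigate, which is what makes the review useful where the purchasing and custody duties cannot be fully separated.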

These control activities discussed above can be divided into four categories, which will be discussed

later:

1. Directive controls

2. Preventive controls

3. Detective controls

4. Corrective controls

Information & Communication Systems Support

The information system generally consists of the methods and records established to record, process,

summarize, and report transactions and to maintain accountability of related assets, liabilities, and

equity. ‘Information quality’ usually has the following characteristics:

• Reliable and accurate

• Useful and clear

• Complete

• Understandable

• Accessible

• Timely

Information should be delivered quickly in and outside the entity and aimed at strengthening ethical

values, policies, authorizations, responsibilities and reporting obligations.

Communication involves providing an understanding of individual roles and responsibilities pertaining

to internal control. Examples of internal communication include:

1. Management clearly defines the lines of communication through policy manuals and

organization charts


2. Management has communicated the types of information required to achieve objectives and

address risks

3. All internal control documents and related reports will be available to all staff in an appropriate

method based on confidentiality and relevance to job responsibilities

4. The appropriate information delivery system has been determined (e.g. email, written memo,

staff meetings, etc.) for changes and update

Information and Communication Tips

• There are clear communication and reporting lines enabling people to discharge their

responsibilities effectively

• The information systems are aligned to the corporate strategic and operational initiatives

• Employees receive regular, reliable and easily accessible management information on budget

execution, use of resources and progress of their strategic and operational plans

• Channels to report inadequacies are in place

• Feedback mechanisms are established to ensure that adequate communication channels exist across

the organization

• There is timely and appropriate follow-up action by management resulting from communications

from outside the organization

Monitoring

Monitoring is management’s process of assessing the quality of internal control performance over time. Accordingly, management must assess the design and operation of controls on a timely and ongoing basis and take necessary corrective actions. Examples of monitoring controls include:

• Internal audits

• Management reviews

• Audit committee activities

• Disclosure committee activities

• Self-assessment reviews

Monitoring may involve:

1. Separate evaluations (e.g., regular management and supervisory review activities)

2. The use of internal auditors, and

3. The use of communications from outside parties (e.g., complaints from customers and regulator comments).

In general, monitoring activities should address the following issues:

• Are controls in place and operating effectively?

• Is the system working as designed?

• Are exceptions and problems identified and resolved promptly?

• Are the controls periodically reviewed?

Monitoring Tips

• Ongoing monitoring processes are integrated with the daily carrying out of activities and operations

• Scoreboards are developed, used and monitored

• Quality control evaluations are conducted annually (or upon regulatory requirements)

• Identification of changes in the business environment, regulatory requirements, practices, activities, processes, and procedures that may require changes to internal control systems is in place

• Action plans are developed, implemented and followed up

• The internal audit function is in place to independently assess the adequacy and effectiveness of risk, control and governance processes

• Reviews and audits are conducted by external auditors

The GAO Green Book

Overview

In 2014, the Government Accountability Office (GAO) revised the Green Book, Standards for Internal Control in the Federal Government, to adapt the 17 underlying principles of COSO’s 2013 Framework to a government environment. The updated Green Book aligns the 17 principles to the existing internal control framework and identifies attributes that support the design and implementation of each of the principles. It includes requirements for establishing an effective internal control system, including specific documentation requirements. The Green Book is structured as follows:

• Section 1: An overview of the fundamental concepts of internal control

• Section 2: A discussion of internal control components, principles, and attributes; how these relate to an entity’s objectives; and the three categories of objectives

• Section 3: A discussion of the evaluation of the entity’s internal control system’s design, implementation, and operation

• Section 4: Additional considerations that apply to all components in an internal control system

The Green Book may be adopted by state, local, and quasi-governmental entities, as well as not-for-profit organizations, as a framework for an internal control system. It fulfills a requirement of the Federal Managers’ Financial Integrity Act (FMFIA), which directs GAO to issue internal control standards and requires federal agency executives to periodically review and annually report on the agency’s internal control systems. Green Book standards address the policies and procedures for federal agencies to help ensure effective use of resources in meeting their mission, goals, objectives, and strategic plan by:

1. Providing managers criteria for designing, implementing, and operating an effective internal control system

2. Defining the standards through components and principles and explaining why they are integral to an entity’s internal control system

3. Clarifying what processes management considers part of internal control

The COSO 2013 Framework and the Green Book standards are very similar, since the GAO leveraged the COSO 2013 Framework in creating its own standards for the government environment, with few adjustments. Although the two frameworks are very similar, some differences do exist between these standards. The following table lists the key differences between COSO and the Green Book:

Key Differences: Requirements

− COSO Framework: Each of the 5 components and relevant principles are present and functioning
  Green Book: Each of the 5 components, 17 principles, and relevant attributes are effectively designed, implemented, and operating

− COSO Framework: Addresses deficiencies in general terms
  Green Book: Addresses deficiencies in design, operation, and implementation

− COSO Framework: Documentation is a matter of judgment
  Green Book: Specifies minimum documentation requirements

Key Differences: Overall Tone and Approach

− COSO Framework: Accommodates global operations
  Green Book: Accommodates government operations

− COSO Framework: Additional details and narrative
  Green Book: Direct and indexed

− COSO Framework: IT general controls
  Green Book: IT general and application controls

− COSO Framework: Focus on the organization’s responsibilities for internal controls
  Green Book: Focus on management’s responsibilities for internal controls

Source: Association of Local Government Auditors, Standards for Internal Control in the Federal Government: The “Green Book” Presentation, 2017

Successful application of the 17 underlying COSO principles can help a federal entity improve accountability and achieve its objectives related to operations, reporting, and compliance through the implementation of an effective internal control system. An effective internal control system allows an entity to adapt to shifting environments, evolving demands, changing risks, and new priorities. Most states have enacted statutes to address the internal controls of their agencies, and many have adopted the Green Book standards into their own state-wide guidance for their agencies to follow in developing and maintaining an effective internal control system. The standards are effective beginning with fiscal year 2016 and the FMFIA reports covering that year. The Green Book framework principles are discussed in the following section.

The American Institute of CPAs (AICPA) accepts the Green Book and the 2013 COSO framework as a source to measure the effectiveness of an entity’s system of controls, to assess control risk, and to report on controls.

Framework Principles

OMB Circular A-123, Management’s Responsibility for Enterprise Risk Management and Internal Control, directs agencies to implement policies and procedures consistent with the Green Book. In 2016, the OMB Director issued the following new guidance intended to improve the efficiency and effectiveness of the government:

“The policy changes in this Circular modernize existing efforts by requiring agencies to implement Enterprise Risk Management (ERM) practices in coordination with the strategic planning and strategic review process established by the Government Performance and Results Modernization Act (GPRAMA), and the internal control processes required by FMFIA and Government Accountability Office (GAO)’s Green Book. This integrated governance structure will improve mission delivery, reduce costs, and focus corrective actions towards key risks.”

Control Framework − 17 Principles

While there are different ways to present internal control, the Green Book approaches internal control through a hierarchical structure of five components and 17 principles in accordance with the 2013 COSO Framework. The following five components represent the highest level of the hierarchy of standards for internal control in the federal government:

Framework Principles

The Control Environment

It is the foundation for an internal control system. It provides the discipline and structure to help an entity achieve its objectives.

1. Demonstrate commitment to integrity and ethical values

2. Exercise oversight responsibility

3. Establish structure, authority, and responsibility

4. Demonstrate commitment to competence

5. Enforce accountability

Risk Assessment

This component assesses the risks facing the entity as it seeks to achieve its objectives. The assessment provides the basis for developing appropriate risk responses.

6. Define objectives and risk tolerances

7. Identify, analyze, and respond to risks

8. Assess fraud risk

9. Identify, analyze, and respond to significant change

Control Activities

The actions management establishes through policies and procedures to achieve objectives and respond to risks in the internal control system, which includes the entity’s information system.

10. Design control activities to achieve objectives

11. Design control activities for the entity’s information systems

12. Implement control activities through written policies

Information and Communication

The quality information that management and personnel communicate and use to support the internal control system.

13. Use quality relevant information

14. Communicate internally

15. Communicate externally

Monitoring Activities

Activities management establishes and operates to assess the quality of performance over time and promptly resolve the findings of audits and other reviews.

16. Establish and perform monitoring activities

17. Identify and remediate deficiencies in a timely manner

The Green Book contains additional information in the form of attributes. These attributes are intended to help organize the application material management may consider when designing, implementing, and operating the associated principles. The GAO’s attributes for each of these 17 principles are listed in the following section.

Control Framework with GAO’s Attributes

Source: GAO, Standards for Internal Control in the Federal Government

Control Framework: 17 Principles with Attributes

Control Environment

1. Demonstrate commitment to integrity and ethical values

• Tone at the Top

• Standards of Conduct

• Adherence to Standards of Conduct

2. Exercise oversight responsibility

• Oversight Structure

• Oversight for the Internal Control System

• Input for Remediation of Deficiencies

3. Establish structure, authority, and responsibility

• Organizational Structure

• Assignment of Responsibility and Delegation of Authority

• Documentation of the Internal Control System

4. Demonstrate commitment to competence

• Expectations of Competence

• Recruitment, Development, and Retention of Individuals

• Succession and Contingency Plans and Preparation

5. Enforce accountability

• Enforcement of Accountability

• Consideration of Excessive Pressures

Risk Assessment

6. Define objectives and risk tolerances

• Definitions of Objectives

• Definitions of Risk Tolerances

7. Identify, analyze, and respond to risks

• Identification of Risks

• Analysis of Risks

• Response to Risks

8. Assess fraud risk

• Types of Fraud

• Fraud Risk Factors

• Response to Fraud Risks

9. Identify, analyze, and respond to significant change

• Identification of Change

• Analysis of and Response to Change

Control Activities

10. Design control activities to achieve objectives

• Response to Objectives and Risks

• Design of Appropriate Types of Control Activities

• Design of Control Activities at Various Levels

• Segregation of Duties

11. Design control activities for an entity’s information systems

• Design of the Entity’s Information System

• Design of Appropriate Types of Control Activities

• Design of Information Technology Infrastructure

• Design of Security Management

• Design of Information Technology Acquisition, Development, and Maintenance

12. Implement control activities through written policies

• Documentation of Responsibilities through Policies

• Periodic Review of Control Activities

Information and Communication

13. Use quality relevant information

• Identification of Information Requirements

• Relevant Data from Reliable Sources

• Data Processed into Quality Information

14. Communicate internally

• Communication throughout the Entity

• Appropriate Methods of Communication

15. Communicate externally

• Communication with External Parties

• Appropriate Methods of Communication

Monitoring Activities

16. Establish and perform monitoring activities

• Establishment of a Baseline

• Internal Control System Monitoring

• Evaluation of Results

17. Identify and remediate deficiencies in a timely manner

• Reporting

• Evaluation

• Corrective action

Part I − Section 1 Review Questions

1. Internal controls are critical. However, they cannot be designed to provide reasonable assurance in which of the following scenarios?

A. All transactions are executed in accordance with management's authorization

B. All fraud will be eliminated in accordance with management’s authorization

C. Access to assets is permitted only in accordance with management's authorization

D. The recorded assets accounts are compared with the existing assets at reasonable intervals

2. Which of the following components of internal control includes an assignment of authority and responsibility?

A. Monitoring

B. Control environment

C. Risk assessment

D. Control activities

3. Which of the following components of internal control includes the development and use of training policies that communicate prospective roles and responsibilities to employees?

A. Monitoring

B. Control environment

C. Risk assessment

D. Control activities

4. Proper segregation of duties will reduce the opportunities which allow persons to be in positions to both ____________

A. Journalize entries and prepare financial statements

B. Record cash receipts and cash disbursements

C. Establish internal control and authorize transactions

D. Perpetrate and conceal errors and fraudulent acts

5. Effective internal control calls for the separation of certain functions. Which of the following functions should be separated?

A. Authorization, execution, and payment

B. Authorization, recording, and custody

C. Custody, execution, and reporting

D. Authorization, payment, and recording

6. What is a basic premise underlying analytical procedures?

A. These procedures cannot replace tests of balances and transactions

B. Statistical tests of financial information may lead to the discovery of material misstatements in the financial statements

C. The study of financial ratios is an acceptable alternative to the investigation of unusual fluctuations

D. Plausible relationships among data may reasonably be expected to exist and continue in the absence of known conditions to the contrary

Types of Controls

Control activities serve as mechanisms for, and are a part of, managing the achievement of objectives. Key benefits of implementing internal control are increased efficiency of operations and management of risks. Management will also be supported by:

• Applying standardized procedures, rules, and regulations;

• Protecting an entity’s current assets;

• Providing reliable financial reporting;

• Assuring compliance with laws and regulations;

• Eliminating income or resource losses;

• Promoting goal-oriented and accurate decision making;

• Identifying and preventing fraud.

Control activities can be split into the following categories: directive, preventive, detective, and corrective controls. Each category is discussed in the following sections.

Directive Controls

Directive controls are designed to encourage the events necessary for the achievement of objectives. In particular, directive controls guide employees to help achieve the desired objectives of the department. For example, a job description or the setting of targets is considered a directive control: it provides employees with guidance as to what is expected of them. A personnel policy or a code of ethics also provides guidance on the conduct expected of all employees.

Preventive Controls

While detecting errors and frauds once they occur is essential to any industry, it is obviously best to prevent them before they happen. Preventive controls are designed to prevent the occurrence of failures, inefficiencies, errors, and weaknesses. Preventive controls are proactive controls, in place during the activity or during the execution of employees' duties. Preventive controls should be focused on areas where the likelihood and/or impact of errors and fraud are highest. Although preventive controls cannot guarantee that errors and fraud will not be committed, they serve as the first line of defense to minimize the risk. If effective preventive controls are in place and well-known to potential fraud perpetrators, they serve as strong deterrents to discourage those who may be tempted to commit fraud. Fear of getting caught is always a strong deterrent. Examples of controls to prevent irregularities include:

1. Implementing procedures and controls (e.g. anti-fraud strategy, standards of conduct)

2. Providing fraud-awareness training

3. Conducting employee background checks

4. Implementing access control (e.g. limiting access to IT systems)

5. Implementing policies that provide for appropriate segregation of duties

6. Authorization and approval

7. Filling in the blank space on checks, since a check with more characters is more difficult to tamper with

8. Securing the check stock in a locked area with restricted access

9. Implementing automated controls such as transaction limits, system edit checks, and data matching (eligibility verification)

10. Conducting predictive analytics

Detective Controls

The risk of fraud can never be eliminated entirely. There are always people who are motivated to commit fraud, and an opportunity can arise for overriding a control or colluding with others. Detective controls are designed to detect and correct failures, inefficiencies, errors, and weaknesses. They operate after an event has occurred or an output has been produced. However, they should reduce the risk of undesirable consequences because they enable remedial action to be taken. Detective controls must be adaptable, flexible, and continuously changing to address the various changes in risks. Sometimes it is more effective to detect and address certain types of fraud after they occur rather than trying to prevent them before they occur.

Detective controls are most effective for areas where the likelihood of fraud is low but the potential impact is severe. Such controls can also help assess the effectiveness of preventive controls. Examples of detective controls include:

1. Surprise audits in high-fraud-risk and/or high-error areas

2. Reviewing performance

3. Reconciling accounting transactions to supporting documentation at random intervals

4. Conducting ad hoc audits and analyses

5. Performing bank reconciliations

6. Reviewing documents for policy compliance and/or unusual transactions

7. Inspecting goods received

8. Monitoring critical data and related trends to identify unusual variances

9. Performing data analysis and ratio analysis to identify any abnormal trends or patterns

10. Implementing automated system flags (e.g. disbursement over a certain dollar amount, excessive number of purchasing card transactions to a single vendor).
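The automated flags in item 10 can be implemented as a post-hoc review over a disbursement log. The following Python is an added example, not part of the course material; the log entries, the $5,000 single-disbursement ceiling and the three-transactions-per-vendor limit are constructed assumptions for the illustration.

```python
"""Detective control: automated system flags over a disbursement log.

Added example (not from the course text). It implements the two flags the
text names, a disbursement over a dollar threshold and an excessive number
of purchasing-card transactions to a single vendor, as a review run after
the fact over a constructed sample log. Thresholds are assumptions chosen
for the sample, not values from the course.
"""
from collections import Counter
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Disbursement:
    txn_id: str
    card: str        # purchasing card that paid (constructed identifier)
    vendor: str
    amount: Decimal


# Constructed sample log; not real transactions.
SAMPLE_LOG = [
    Disbursement("T001", "PC-17", "Acme Office Supply", Decimal("412.50")),
    Disbursement("T002", "PC-17", "Acme Office Supply", Decimal("389.00")),
    Disbursement("T003", "PC-17", "Acme Office Supply", Decimal("450.00")),
    Disbursement("T004", "PC-17", "Acme Office Supply", Decimal("499.99")),
    Disbursement("T005", "PC-22", "Metro Fuel", Decimal("95.10")),
    Disbursement("T006", "PC-22", "Northside Hardware", Decimal("7250.00")),
    Disbursement("T007", "PC-31", "Metro Fuel", Decimal("88.40")),
]

# Assumed policy thresholds for the sample.
AMOUNT_LIMIT = Decimal("5000.00")   # single-disbursement ceiling
VENDOR_TXN_LIMIT = 3                # max transactions per card/vendor pair


def flag_large_disbursements(log, limit=AMOUNT_LIMIT):
    """Return txn ids whose amount exceeds the single-disbursement limit."""
    return [d.txn_id for d in log if d.amount > limit]


def flag_vendor_concentration(log, max_txns=VENDOR_TXN_LIMIT):
    """Return (card, vendor, count) triples where one card paid the same
    vendor more often than policy allows. Many payments from one card to
    one vendor, each below the review threshold, is the pattern this flag
    surfaces for reviewer follow-up."""
    counts = Counter((d.card, d.vendor) for d in log)
    return [(card, vendor, n)
            for (card, vendor), n in sorted(counts.items())
            if n > max_txns]


def exception_report(log):
    """Combine both flags into one report keyed by flag name, for review."""
    return {
        "over_limit": flag_large_disbursements(log),
        "vendor_concentration": flag_vendor_concentration(log),
    }


if __name__ == "__main__":
    for name, hits in exception_report(SAMPLE_LOG).items():
        print(name, hits)
```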

The following graphic encompasses control activities to prevent, detect, and respond to errors, irregularities, and fraud risks. These control activities are interdependent and mutually reinforcing. For example, a surprise inventory count, a detective activity, also serves as a deterrent because it creates the perception of controls and the possibility of punishment, which discourages fraudulent behavior. Response efforts can inform preventive activities. For instance, the results of investigations can also be used to enhance applicant screenings and fraud indicators.

Figure: Prevention, Detection, Response

Note that the circle for prevention in the figure is larger because preventive activities generally offer the most cost-efficient use of resources, in that they enable managers to avoid a costly and inefficient “pay-and-chase” model. Moreover, preventive controls are stronger than detective controls because they prevent mistakes and other undesirable events from occurring. Detective controls are important too, but they detect mistakes or other events after they have occurred, so they help less in recovering from the undesirable event. For example, monitored access to a fuel pump is a preventive control. When this control operates properly, it should prevent inappropriate usage of fuel for personal or other unauthorized purposes. Periodic reconciliation of fuel usage as a detective control should also be in place. However, if a mistake or theft of fuel occurs due to the failure of the preventive control (e.g. collusion or override), the fuel is already gone by the time the reconciliation identifies the loss. Therefore, preventive controls are stronger controls for reducing errors and fraud.

Corrective Controls

Corrective controls are designed to correct the circumstances arising from undesired events. They help organizations recover from loss or damage. For instance, the design of contractual terms and conditions enables the recovery of excess payments. Insurance may be considered a form of corrective control, as it facilitates financial recovery in relation to the occurrence of a risk.


The Concepts of ICFR

One of the key responsibilities of every public company’s management is to prepare timely and reliable financial information. Effective internal control over financial reporting (ICFR) substantially reduces the risk of misstatements and inaccuracies in a company’s financial statements, and it has become a legal obligation. Since 1977, federal law has required public companies to establish and maintain a system of internal control that provides reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements in accordance with GAAP. The Sarbanes-Oxley Act of 2002 added more requirements, which are discussed later in the “Management Internal Control Report” section.

ICFR is a process designed and maintained by management to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements in accordance with U.S. GAAP. Therefore, ICFR is defined more narrowly than the general term "internal control," which includes controls associated with the effectiveness and efficiency of operations and compliance with laws and regulations that are not directly related to the financial statements. For example, controls to improve safety or streamline manufacturing processes are not considered part of ICFR.

A company's ICFR is influenced significantly by its board of directors, management, and other personnel, and encompasses those processes and procedures to:

1. Maintain records in reasonable detail that accurately and fairly reflect the transactions and dispositions of the assets of the company

2. Prepare financial statements and footnote disclosures for external purposes and provide reasonable assurance that receipts and expenditures are appropriately authorized

3. Prevent or promptly detect unauthorized acquisition, use, or disposition of the company's assets that could have a material effect on the financial statements

ICFR has inherent limitations. ICFR is a process that involves human diligence and compliance and is subject to lapses in judgment and breakdowns resulting from human failures. ICFR also can be circumvented by collusion or improper management override. Because of such limitations, there is a risk that ICFR will not prevent, or detect and correct, material misstatements on a timely basis.

The following internal and external events and circumstances may be relevant to the risk of preparing financial statements that are not in conformity with GAAP (or another comprehensive basis of accounting):

• Changes in the operating and regulatory environment, including competitive pressures.

• Changes in personnel. The risks accompanying personnel changes increase when changes 1) are numerous, 2) involve high-level staff, or 3) involve employees in highly sensitive positions.

• Rapid growth that can result in a breakdown in controls.

• New technology in information systems and production processes.

• New lines, products, or activities. Risk may result from staff’s inexperience with the new processes or from staff’s unfamiliarity with applicable regulations.

• Corporate restructuring that might result in changes in supervision and segregation of job functions.

• Expanded foreign operations.

• Accounting pronouncements requiring adoption of new accounting principles.

It should be noted that the role of ICFR is to support the integrity and reliability of the company's external financial reporting processes. It is not intended to provide any assurances about the company's operating performance, its future results, or the quality of its business model.

Integrating Controls over Information Systems

Controls over information systems are often an integral part of an entity’s internal control. The effectiveness of internal controls is frequently dependent on the effectiveness of information systems controls. Effective information system controls increase the likelihood that an entity will achieve the following information processing objectives:

• Completeness: Transactions are recorded and not understated.

• Accuracy: Transactions are recorded at the correct amount in the right account (and on a timely basis) at each stage of processing.

• Validity: Recorded transactions represent economic events that actually occurred and were executed according to prescribed procedures.

There are two main types of control activities: general and application control activities.

IT General Controls

IT general controls represent the basis of the IT control structure and have the following characteristics:

• Function as the policies and procedures that apply to all or most of an entity’s information systems

• Create the environment for proper operation of application controls

• Govern the design, security, and use of computer programs and the security of data files throughout the organization’s IT infrastructure.

Thus, they support the assertions that key financial reports are reliable. General controls consist of a combination of hardware, software, and manual procedures that build an overall control environment. Examples of IT general controls include:

1. The control environment shapes the corporate culture or tone at the top. It represents management’s attitude as to the importance of the establishment and maintenance of a strong internal control system, such as having:

• Organizational units clearly defined to perform the necessary functions

• Qualified and properly trained personnel

• Policies and procedures, including a code of ethical conduct, available to employees

• Mandatory employee security awareness training

2. Change management procedures are designed to ensure that changes meet business requirements and are authorized.

3. Physical security protects IT assets from individuals and from environmental risks. For example, access to facilities is restricted to authorized staff and requires appropriate identification and authentication.

4. Logical security, the process of ensuring authorized access to systems, usually includes:

• A formal security policy

• Information access management (e.g. controlled use of administrative privileges, account monitoring and control, and controlled access based on the need to know)

• Segregation of duties (e.g. separation of the duties performed by analysts, programmers, and operators)

• Preventive controls for unauthorized access via public networks, such as firewalls, intrusion detection, and vulnerability assessments

5. Hardware/software configuration, installation, testing, and protection. For example, computer hardware is physically secure and checked for equipment malfunction.

6. Backup and disaster recovery procedures are in place to enable continued processing despite adverse conditions.

Figure: IT general controls − Control Environment, Change Management, Physical Security, Logical Security, Hardware/Software Controls, Disaster Recovery/Backup

IT Application Controls

Application controls have the following features:

• Incorporated directly into computer applications to achieve validity, completeness, accuracy, and confidentiality of transactions and data during application processing.

• Specific controls unique to each computerized application, such as accounts payable, payroll, inventory control, purchase order processing, or general ledger.

• Designed to ensure that only authorized data are completely and accurately processed by that application, from input through output.

• Include controls over input, processing, output, master files, interfaces, and data management systems.

Examples of IT application controls include:

1. Input controls check data for accuracy and completeness when they enter the system. Specific input controls include:

• Input authorization (e.g. user and workstation identification, source documents)

• Batch controls and balancing (e.g. total amount, total items, hash totals)

• Error reporting and handling (e.g. reject by transaction or by batch)

The following table lists examples of input controls.

Input Authorization

Signatures on Source Document

Signatures provide evidence of proper review and authorization

Access Control

Authorization:

• The user is required to complete a “System Authorization Access Request” form which defines the role (creator vs. approver) and rights (e.g., modify, delete, and/or view data) that the system is restricted to authorized users based on their functions and responsibilities.

• The form is reviewed and approved by the appropriate level of management prior to access being granted.

Monitoring:

• The access report should be reviewed regularly to ensure that only authorized employees have access to the system.

• Current level of access should reflect the user’s current job functions.

Security Awareness and Education:

• All employees should receive appropriate training and regular updates to promote security awareness and compliance with security policies.

• For new employees, this training should occur before access to the information system is granted.

Page 44: Internal ontrol and raud etection

32

Password Security

• All system-level passwords (e.g., Window Administrator, Application Administrator) should be changed at least a quarterly basis

• All user-level passwords (e.g., email, desktop computer) should be changed at least every six months

• All users must have a unique user ID and password

• Strong password policy should be implemented and it should contain at least 8-10 characters, special characters, and lower and upper case characters.

Workstation Security

• Workstations should be restricted to only authorized personnel

• Screen lock or logout should be implemented prior to leaving the area to prevent unauthorized access

• Enable a password-protected screen saver with a short timeout period to ensure that workstations that left unsecured will be protected

• Unauthorized software is not allowed to be installed

• Remove access should only be approved by the appropriate level of management and may be monitored by IT Department

• Mobile computing devices (e.g., laptop and tablet) may not be removed prior to management’s approval and should be logged and monitored by IT Department

Batch Control

Total Monetary Amount

The total monetary value of items processed equals the total monetary value of the batch document

Total Item The total number of items included on each batch agrees with the total number of items processed

Total Document The total number of documents in the batch equals the total number of documents processed

Hash Total Sum of assigned numerical values computed as a verification device for records process to identify whether a record has been lost or omitted from processing

Input Error Handling

• Reject only transactions with errors: if errors are detected, they must be rectified and the affected records taken back for further processing.

• Reject the whole batch with errors

• Accept batches and flag error transactions
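The batch control totals and the three input error handling strategies above, worked through in Python as an added example (not code from the course or from any named product). The batch header, the four transactions, and the rule that a blank vendor or non-positive amount counts as an input error are constructed assumptions; a real application would take its edit rules from the input specification.

```python
# Constructed example batch (hypothetical data, not from the course).
# BATCH_HEADER holds the control totals written on the batch document;
# TRANSACTIONS holds what was actually keyed in and processed.
BATCH_HEADER = {
    "documents": 3,          # Total Document
    "items": 4,              # Total Item
    "amount": 1250.00,       # Total Monetary Amount
    "hash_total": 16006,     # Hash Total: sum of item numbers 4000 + 4001 + 4002 + 4003
}
TRANSACTIONS = [
    {"document": "INV-1", "item_no": 4000, "amount": 500.00, "vendor": "V100"},
    {"document": "INV-1", "item_no": 4001, "amount": 250.00, "vendor": "V100"},
    {"document": "INV-2", "item_no": 4002, "amount": 300.00, "vendor": "V200"},
    {"document": "INV-3", "item_no": 4003, "amount": 200.00, "vendor": ""},  # blank vendor: input error
]


def batch_totals(transactions):
    """Recompute the four batch control totals from the processed records."""
    return {
        "documents": len({t["document"] for t in transactions}),
        "items": len(transactions),
        "amount": round(sum(t["amount"] for t in transactions), 2),
        "hash_total": sum(t["item_no"] for t in transactions),
    }


def reconcile(header, transactions):
    """Return {total_name: (expected, actual)} for every total that does not agree.
    An empty result means the batch processed completely."""
    actual = batch_totals(transactions)
    return {name: (header[name], actual[name])
            for name in header if header[name] != actual[name]}


def find_errors(transactions):
    """Positions of records failing the basic input edits (blank vendor or non-positive amount)."""
    return [i for i, t in enumerate(transactions)
            if not t["vendor"] or t["amount"] <= 0]


def handle_errors(transactions, mode):
    """Apply one of the three input error handling strategies.
    Returns (accepted_records, records_held_for_correction)."""
    errors = set(find_errors(transactions))
    if mode == "reject_transactions":        # reject only the transactions with errors
        accepted = [t for i, t in enumerate(transactions) if i not in errors]
        held = [t for i, t in enumerate(transactions) if i in errors]
    elif mode == "reject_batch":             # reject the whole batch if any error is present
        accepted = [] if errors else list(transactions)
        held = list(transactions) if errors else []
    elif mode == "accept_and_flag":          # accept the batch, flag the erroneous transactions
        accepted = [dict(t, flagged=(i in errors)) for i, t in enumerate(transactions)]
        held = []
    else:
        raise ValueError(f"unknown mode {mode!r}")
    return accepted, held


if __name__ == "__main__":
    print("full batch mismatches:", reconcile(BATCH_HEADER, TRANSACTIONS))
    print("one record lost:", reconcile(BATCH_HEADER, TRANSACTIONS[:3]))
    for mode in ("reject_transactions", "reject_batch", "accept_and_flag"):
        accepted, held = handle_errors(TRANSACTIONS, mode)
        print(mode, "accepted", len(accepted), "held", len(held))
```

Dropping the last record makes every control total disagree, and the hash total in particular pinpoints that an item number (4003) is missing. The caveat a reviewer should keep in mind: a hash total only catches changes that alter the sum, so two item numbers swapped between records, or a mis-key offset by an opposite mis-key, pass unnoticed; the sequence and duplicate checks in the processing-control table are what catch those. Monetary totals are rounded here only because the example uses floats; a production edit would carry amounts as decimals.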

2. Processing controls ensure complete and accurate data during updating. These types of controls usually include:

• Data validation checks (e.g. sequence check, limit check, range check, duplicate check, table lookups)

• Processing controls (e.g. limit checks, run-to-run totals)

• Data file control procedures (e.g. parity checking, version usage, transaction logs)

The following table lists examples of processing controls.

Sequence Check: Any out-of-sequence or duplicated control numbers are rejected or noted on an exception report for follow-up purposes

Limit Check: Data should not exceed the predetermined amount; otherwise the data is rejected or further verification/authorization is required

Range Check: Data should be within a predetermined range of values or it should be rejected

Completeness Check: A field should always contain data and not be blank. The file must be complete before the record is accepted for processing

Existence Check: Data entered agrees with valid predetermined criteria. For example, a valid transaction code must be entered in the transaction code field

Duplicate Check: New transactions are matched to those previously input to ensure that they have not already been entered. For example, a vendor invoice should not be paid twice
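The six checks in the table above, implemented as an edit routine over a constructed transaction stream. This is an added example written for this edition, not code from the course. The valid-code table, the payment limit, the quantity range, the required-field list and the "previously paid" history are all assumptions chosen so that each record in the sample trips a different check; the exception report is what the text calls noting items "on an exception report for follow-up purposes".

```python
# Constructed reference data and thresholds (assumptions for the example, not from the course)
VALID_TRANSACTION_CODES = {"PAY", "CRN", "ADJ"}   # existence check: valid code table
PAYMENT_LIMIT = 10_000.00                         # limit check: amounts above need authorization
QUANTITY_RANGE = (1, 500)                         # range check: acceptable quantity bounds
REQUIRED_FIELDS = ("control_no", "code", "vendor", "invoice", "amount", "quantity")
PREVIOUSLY_PAID = {("V100", "INV-778")}           # duplicate check: vendor invoices already paid


def validate(record, expected_control_no, seen_control_nos, paid):
    """Apply the six processing controls from the table to one record.
    Returns the list of exceptions; an empty list means the record passes."""
    problems = []
    # Completeness check: required fields must not be blank
    missing = [f for f in REQUIRED_FIELDS if record.get(f) in (None, "")]
    if missing:
        problems.append(f"completeness: blank field(s) {missing}")
        return problems   # the remaining checks need the missing fields
    # Sequence check: control numbers arrive in order and none is repeated
    if record["control_no"] in seen_control_nos:
        problems.append("sequence: duplicated control number")
    elif record["control_no"] != expected_control_no:
        problems.append(f"sequence: expected {expected_control_no}, got {record['control_no']}")
    # Existence check: transaction code must be in the valid code table
    if record["code"] not in VALID_TRANSACTION_CODES:
        problems.append(f"existence: unknown transaction code {record['code']!r}")
    # Limit check: an amount above the limit is held for authorization
    if record["amount"] > PAYMENT_LIMIT:
        problems.append("limit: amount exceeds payment limit, authorization required")
    # Range check: quantity must lie inside the predetermined range
    low, high = QUANTITY_RANGE
    if not low <= record["quantity"] <= high:
        problems.append("range: quantity outside allowed range")
    # Duplicate check: the same vendor invoice must not be paid twice
    if (record["vendor"], record["invoice"]) in paid:
        problems.append("duplicate: vendor invoice already paid")
    return problems


def run_edit(records, start_control_no=1, paid=None):
    """Run the checks over a transaction stream and build an exception report.
    Records that pass are added to the paid set so later duplicates are caught."""
    paid = set(paid or ())
    seen = set()
    expected = start_control_no
    report = []
    for position, rec in enumerate(records):
        problems = validate(rec, expected, seen, paid)
        if problems:
            report.append({"position": position, "control_no": rec.get("control_no"),
                           "exceptions": problems})
        else:
            paid.add((rec["vendor"], rec["invoice"]))
        control_no = rec.get("control_no")
        if isinstance(control_no, int):
            seen.add(control_no)
            expected = max(expected, control_no + 1)
    return report


# Constructed transaction stream; each record after the first exercises a different check
RECORDS = [
    {"control_no": 1, "code": "PAY", "vendor": "V100", "invoice": "INV-801", "amount": 2500.00, "quantity": 10},
    {"control_no": 3, "code": "XYZ", "vendor": "V200", "invoice": "INV-802", "amount": 25000.00, "quantity": 10},  # gap, bad code, over limit
    {"control_no": 3, "code": "PAY", "vendor": "V100", "invoice": "INV-778", "amount": 900.00, "quantity": 5},     # repeated control no, already paid
    {"control_no": 4, "code": "PAY", "vendor": "V300", "invoice": "INV-803", "amount": 100.00, "quantity": 0},     # quantity out of range
    {"control_no": 5, "code": "PAY", "vendor": "", "invoice": "INV-804", "amount": 100.00, "quantity": 1},         # blank vendor
]

if __name__ == "__main__":
    for entry in run_edit(RECORDS, paid=PREVIOUSLY_PAID):
        print(entry)
```

Two design points worth noting: the completeness check returns early because the other checks cannot be evaluated on a record with blank fields, and a record that fails any check is not added to the paid history, so a rejected payment does not block the corrected resubmission of the same vendor invoice.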

3. Output controls ensure that the results of computer processing are accurate, complete, and properly distributed, including:

• Balancing and Reconciling: Output should be balanced routinely to the control totals.

• Report Distribution: Output reports should be distributed according to authorized distribution parameters and schedules.

• Report Retention: A record retention schedule should be applied firmly. Any governing legal regulations should be included in the policy.

• Output Error Handling: Error reports should be timely and delivered to the originating department for review and correction.

Considerations Specific to Smaller Entities

The size and complexity of the company, and its business processes and structure, may affect how the entity achieves many of its control objectives. Most smaller companies have less complex operations. Additionally, some larger, complex companies may have less complex units or processes. Factors that might indicate less complex operations include:

• Less complex business processes and financial reporting systems

• Extensive involvement by senior management in the day-to-day activities of the business

• Fewer levels of management

• Fewer business lines

• More centralized accounting functions

Therefore, a smaller, less complex entity, or even a larger, less complex entity might achieve its control objectives differently from a more complex entity. For instance, a smaller, less complex entity may have fewer employees in the accounting function, limiting opportunities to segregate duties and leading the entity to implement different controls to achieve its control objectives.

Lack of segregation of duties is an example of a common control design deficiency among small entities. They cannot afford the additional human resources needed for proper segregation. However, the lack of segregation of duties is not automatically a material weakness, or even a reportable condition, depending on the compensating controls that are in place. For example, a company’s accounting department may be so small that it is not possible to segregate duties between the person in charge of accounts payable and the person responsible for the bank statement reconciliation. In this case, there are no checks and balances on the accounts payable person. The risk is that they could be writing checks to a personal account and then passing them during the bank reconciliation process. There is no one to raise the red flag that personal checks are being written on the organization’s account. Compensating controls could make up for this apparent breach in the internal control system. Here are some examples of compensating controls in this situation:

1. All checks are hand-signed by an officer, rather than using a signature plate that is in the control of the person that prepared the checks.

2. Bank reconciliations may be reviewed by the person’s manager.

3. A periodic report of all checks that are cleared at the bank could be prepared by the bank and forwarded to an officer for review.

In some situations, particularly in smaller, less complex entities, an entity might use a third party to aid with certain financial reporting functions. When assessing the competence of the personnel responsible for an entity’s financial reporting and associated controls, management should consider the combined competence of company personnel and other parties that assist with functions related to financial reporting.

Finally, controls over management override are important for effective internal control over financial reporting for all companies. They may be particularly important at smaller companies because of the increased involvement of senior management in performing controls and the period-end financial reporting process. For smaller companies, the controls that address the risk of management override might be different from those at a larger company. For example, a smaller company might rely on more detailed oversight by the audit committee to focus on the risk of management override.

Cost-Benefit Relationships

Although every organization is susceptible to errors and fraud, it is not cost-effective to try to eliminate all risks. If the estimated costs of designing, implementing, and monitoring the controls (such as tools and personnel) exceed the estimated impact of the risk, such controls may not be cost-effective to implement. That is, internal control should be based on a systematic and risk-oriented approach to ensure that there are adequate individual controls in areas with high risk and that they are not excessive in areas with low risk. Before deciding to adopt a control, management should consider:

1. The potential benefits the control will provide (e.g. reducing the likelihood or impact of a fraud risk)

2. The possible consequences of not implementing it

The GAO identified two approaches for considering the benefits and costs of control activities: “Benefit-Cost Analysis” and “Cost-Effectiveness Analysis”.

Benefit-Cost Analysis

Benefit-cost analysis should be conducted when designing and implementing control activities. Based on benefit-cost analysis, the organization may decide not to implement certain control activities if the estimated benefits do not exceed the costs. For example:

• A property and casualty insurance company may set threshold limits on the total of losses paid plus those reserved on large policies to identify fraud that may be occurring, instead of relying solely on the identification of fraudulent individual claims.

• Managers may decide not to conduct payment-recapture audits to recover improper payments if it is likely that the costs incurred to identify and recover the overpayments will be greater than the expected recoveries.

Design decisions involve the acceptance of some degree of risk. The cost of control must always be balanced against the benefit of controlling the risk. It is possible to reach a position where the incremental cost of additional control is greater than the benefit derived from controlling the risk.

The following table provides a sample assessment of internal control against the benefit-cost factor.

Benefit-Cost Factor: Assessment of Internal Control and the Cost-Benefit Factor

Rating 1: The overall cost of the internal control system (identification, measurement, correction) is inferior to the potential losses derived from the risks, considering the probability of occurrence.

Rating 2: The cost of the internal control system (with regards to identification and measurement) is inferior to the potential losses derived from the related risks, considering the probability of loss; however, costs associated with the correction process can cause overall costs to exceed losses.

Rating 3: The cost of the internal control system in relation to measurement and correction exceeds the potential losses derived from the related risks, taking into account the probability of loss.

Rating 4: The cost of the internal control system (identification, measurement, correction) exceeds the potential losses derived from the related risks, taking into account the probability of loss.

Rating 5: The cost of the internal control system (with regards to identification and measurement) exceeds the potential losses derived from the related risks, taking into account the probability of loss; however, costs associated with the correction process can cause overall costs to exceed losses.

Source: The IIA, Evaluating Internal Control Systems: A Comprehensive Assessment Model (CAM) of Enterprise Risk Management, 2014

Cost-Effectiveness Analysis

While an analysis can help organizations determine whether the benefits of a control activity exceed its costs, the organization may face challenges in monetizing certain benefits and costs. For example, controls may result in additional benefits, such as the value of deterred fraud. In these circumstances, a cost-effectiveness analysis, a methodology for determining the cost to achieve a particular objective expressed in nonmonetary terms, can be applied. In general, evaluation of the controls’ cost-effectiveness comes after the assessment of the design and performance. Its main purpose is to determine how reasonable the overall balance between the effectiveness of controls and the cost of control is.

It should be noted that “more” is not “better” in the case of internal controls. Not only may the cost of excessive or redundant controls exceed the benefits, but the perception of excessiveness or redundancy may have a serious negative effect on how employees view controls in general, and that could adversely affect the overall control environment.


Part I − Section 2 Review Questions

7. Which of the following is an example of a detective control?

A. Fraud awareness training

B. Surprise audits

C. Background checks

D. Data matching

8. Which of the following is a common control design deficiency among small entities?

A. Access controls

B. Preventive controls

C. Segregation of duties

D. Detective controls


PART II. Management Assessment of Internal Controls

Readers who are responsible for their company’s Sarbanes-Oxley Act (SOX Act) Section 404 program can obtain the following benefits from Part II, which is focused on achieving success at the lowest possible total cost, including external auditor fees:

• An understanding of the requirements of the SOX Act

• Steps on how to identify risks and controls

• Advice on how to assess the adequacy of controls

• A discussion of how to reach a fair assessment that does not mislead investors regarding the condition of internal controls and reliability of financial statements

• An explanation of documentation of evidence of effective controls

• An illustration of potential internal control weaknesses and compensating controls: accounting and financial reporting

• A checklist to help management assess the efficiency of their program

Although there are many ways to identify, assess, and classify internal control deficiencies, the following steps provide a reasonable approach:

Understanding of the SOX Rules

• Section 404

• Section 302

• Other Key Principles

Identification of Risks and Controls (Key Actions)

Step 1: Selecting the Control Framework

Step 2: Defining Control Objectives

Step 3: Addressing and Monitoring Risks

• General Concerns

• Anti-Fraud Considerations

• Assessment Criteria

Step 4: Establishing Controls

Assessment of the Adequacy of Controls (Key Concepts)

1. Determining Key Controls

2. Evaluating the Effectiveness of Controls

• The Design of Controls

• The Operating Effectiveness of Controls

Evaluation of Control Deficiencies (Key Actions)

Step 1: Understanding the Nature of the Deficiency

Step 2: Assessing the Likelihood of Misstatement

Step 3: Considering Compensating Controls

Step 4: Determining Classification of Deficiencies

Step 5: Reporting Assessment Results

Documentation of Evidence of Effective Controls

Purpose and Requirements of Management Documentation

Identification of Control Gap

An internal controls maturity analysis

Understanding the Sarbanes-Oxley Act Rules

Enhanced Financial Disclosures (Section 404)

Overview

In the past, a company's internal controls were considered in the context of planning the audit. They were not required to be reported publicly, except in response to the Securities and Exchange Commission (SEC) Form 8-K requirements when related to a change in auditor. The Public Company Accounting Reform and Investor Protection Act of 2002, commonly called Sarbanes-Oxley (SOX), drastically changed the situation and brought the concept of internal control over financial reporting (ICFR) to the forefront for audit committees, management, auditors, and users of financial statements.

The SOX Act has brought the most extensive reform that the U.S. financial markets have seen since the enactment of the Securities Act of 1933 and the Securities Exchange Act of 1934. The SOX Act sets enhanced standards for all U.S. public company boards, management and public accounting firms.

Section 404 of the SOX Act, Management Assessment of Internal Controls (Section 404), may be the most challenging aspect of the SOX Act. It requires most publicly registered companies and their external auditors to issue certain reports at the end of every fiscal year. These reports must be included in the company's annual report filed with the SEC:

1. Management's internal control report on its assessment of the effectiveness of the company's ICFR. Details are discussed in the “Management’s Internal Control Report” section.

2. Independent auditor's report on ICFR, including the auditor's opinions on:

• Whether management's assessment is fairly stated in all material respects (i.e., whether the auditor concurs with management's conclusions about the effectiveness of internal control over financial reporting),

• The effectiveness of the company's ICFR

The independent auditor's opinions on the financial statements and ICFR may be issued in a combined report or separate reports. Details are discussed in the “Role of Independent Public Accountant” section.

Many organizations have provided guidance on Section 404 and management’s annual assessment of its system of ICFR. For example:

• The PCAOB provided an updated standard for auditors in 2007: AS 5, An Audit of Internal Control Over Financial Reporting That Is Integrated With an Audit of Financial Statements. It is also known as AS No. 2201 upon the adoption of the reorganization of PCAOB auditing standards.

• The SEC provided its own Commission Guidance Regarding Management’s Report on Internal Control Over Financial Reporting Under Section 13(a) or 15(d) of the Securities Exchange Act of 1934 in 2007. This guidance is not mandatory for management, but following it provides a safe harbor.

• Each of the major certified public accounting (CPA) firms (e.g. PwC, KPMG) and other providers of audit services have published extensive and valuable guidance, generally consistent with PCAOB and SEC guidance.

In summary, Section 404 requires management to develop and monitor procedures and controls for making their required assertion regarding the adequacy of ICFR, as well as the required attestation by an external auditor regarding management’s assertion.

How to Prepare for an Audit?

Communication and cooperation with the auditor are the key elements for a successful audit. Here are some examples of what you can do to enhance the audit process and the resulting product:

• Understand the audit purpose to provide relevant information upon request

• Direct the auditor to the right person if you are not the best source of requested information

• Supply requested information on a timely basis

• Share any internal control concerns you have with the auditor

• Ask questions if you don’t understand why certain activities have been included, or excluded

• Review the preliminary test results and begin thinking about possible corrective actions

• Review the draft report and make suggestions for any changes or enhancements before, or during, the exit conference

Each auditor that requests information should be able to explain the audit’s purpose and objectives, allowing you to understand the reasons for the requests and questions in order to provide accurate answers. If you have any questions about the information being requested, you can always discuss those concerns with the auditor.

Management’s Internal Control Report

It is management’s responsibility to ensure the organization complies with the requirements of Section 404. That is, management is responsible for designing and implementing the system of ICFR, for evaluating the effectiveness of ICFR with sufficient evidence, and for issuing an internal control report on that assessment. Section 404 also requires that management’s evaluation of internal controls be based on a suitable, recognized control framework that is established by experts using “due process”. Such a process includes the broad distribution of the framework for public comment. Most companies have selected the COSO framework, which is recognized by the SEC and PCAOB. A number of companies use the Control Objectives for Information and related Technology (COBIT) framework as a supplement to COSO for IT controls. COBIT was developed by the Information Systems Audit and Control Association’s IT Governance Institute and is widely used by IT audit professionals in the U.S. and overseas.

The SEC has issued principle-based interpretative guidance to further clarify management’s responsibilities:

Principle 1: Management should evaluate the design of the controls that it has implemented to determine whether there is a reasonable possibility that a material misstatement in the financial statements would not be prevented or detected in a timely manner.

Implication to management: Management applies a top-down, risk-based approach that promotes efficiency by focusing on those “key controls” that are needed to prevent or detect material misstatement in the financial statements.

Principle 2: Management should gather and analyze evidence about the operation of the controls being evaluated based on its assessment of the risk associated with those controls.

Implication to management: Management aligns the nature and extent of the evaluation procedures with those areas of financial reporting that pose the greatest risk of control failure.

Although the nature of a company’s evaluation/testing activities depends largely on the circumstances of the company and the significance of the control, the following controls require management’s assessment (testing):

• Controls over initiating, authorizing, recording, processing and reconciling account balances, classes of transactions, and disclosure and related assertions included in the financial statements

• Controls related to the initiating and processing of non-routine and nonsystematic transactions (such as accounts requiring judgments and estimates)

• Controls related to the selection and application of appropriate accounting policies

• Controls related to the prevention, identification and detection of fraud

• Controls, including general IT controls, on which other significant controls are dependent

• Each significant control in a group of controls that function together to achieve a control objective or financial reporting assertion

• Controls over the period-end financial reporting process, including controls over procedures used to enter transaction totals into the general ledger; initiate, authorize, record and process journal entries in the general ledger; and record recurring and non-recurring adjustments to the financial statements

Note: Inquiry alone generally will not provide an adequate basis for management’s assessment.

Pursuant to the SEC’s rules on Section 404, the internal control report must include the following information:

1. Statement of management's responsibility for establishing and maintaining adequate ICFR.

2. Statement identifying the framework used by management to evaluate the effectiveness of ICFR.

3. An identification of the criteria against which ICFR is measured.

4. Management's assessment of the effectiveness of the company's ICFR as of the end of the company's most recent fiscal year, including an explicit statement as to whether that internal control is effective and disclosing any material weaknesses identified by management in that control.

5. The date as of which management’s assessment about ICFR is made.

6. Statement that the registered public accounting firm that audited the financial statements included in the annual report has issued an attestation report on management's internal control assessment.

Management's internal control report must indicate that ICFR is either:

• Effective − ICFR is effective (i.e., no material weaknesses in ICFR existed as of the assessment date); or

• Ineffective − Internal control is not effective because one or more material weaknesses existed as of management's assessment date.

Details about how to evaluate control effectiveness are discussed in the “Evaluation of Control Deficiencies” section.

Neither the SEC nor the PCAOB has issued a standard or illustrative management report on ICFR. However, the AICPA (SAS 130) provides an example of a management report (with no material weaknesses reported) containing the reporting elements described in Appendix A. Note that SAS 130 adheres closely to AS No. 2201. Specifically, the illustrative management report contains the six reporting elements described above.

Management is required to state whether the company's ICFR is effective. A negative assurance statement, such as "nothing has come to management's attention to suggest internal control is ineffective", is not acceptable. Management may not express a qualified conclusion, such as stating that internal control is effective except to the extent certain problems have been identified. If management is unable to assess certain aspects of internal control that are material to overall control effectiveness, management must conclude that ICFR is ineffective. Although management cannot issue a report with a scope limitation, under specific conditions newly acquired businesses or certain other consolidated entities may be excluded from the assessment.

Appendix B provides a checklist to help management assess the efficiency of their program.

Exhibit A presents an example of a management’s report on ICFR with material weaknesses from Hertz Global Holdings Inc.’s Form 10-K.

Exhibit A: Hertz Global Holdings, Inc. − Controls and Procedures

Management’s Report on Internal Control over Financial Reporting

Management is responsible for establishing and maintaining adequate internal control over financial reporting, as such term is defined in Exchange Act Rule 13a-15(f) and 15d-15(f).

A material weakness is a deficiency, or a combination of deficiencies, in internal control over financial reporting, such that there is a reasonable possibility that a material misstatement of our annual or interim financial statements will not be prevented or detected on a timely basis. Because of its inherent limitations, internal control over financial reporting may not prevent or detect misstatements. Also, projections of any evaluation of effectiveness to future periods are subject to the risk that controls may become inadequate because of changes in conditions, or that the degree of compliance with the policies or procedures may deteriorate.

Management, including our new Chief Executive Officer and our Chief Financial Officer, assessed the effectiveness of our internal control over financial reporting as of December 31, 2014. In making this assessment, management used the criteria set forth by the Committee of Sponsoring Organizations of the Treadway Commission (“COSO”) in Internal Control - Integrated Framework (2013). Based on this assessment, management has concluded that we did not maintain effective internal control over financial reporting as of December 31, 2014 due to the fact that there are material weaknesses in our internal control over financial reporting as discussed below.

The Role of Independent Public Accountant

The PCAOB, together with the SEC, is responsible for the rules governing the roles and actions of the CPA firms. Specifically, the PCAOB has established professional standards that apply to financial audits and attestation engagements for issuers (generally, publicly traded companies with a reporting obligation under the Securities Exchange Act of 1934). The auditor must perform specified work in relation to management’s assessment in accordance with AS No. 2201.

Before the SOX Act was passed, the auditor was required to obtain an understanding of internal control sufficient to plan the audit of the financial statements. If material weaknesses were identified, they ordinarily were reported only to management and the audit committee. Section 404 requires the auditor to perform an independent audit of ICFR and to issue a report including two opinions: one on management's assessment and one on the effectiveness of ICFR. Auditors are also responsible for assessing the risk that errors and fraud may cause the financial statements to contain material misstatements. They should design the audit to provide reasonable assurance that material errors and fraud are detected. To fulfill these responsibilities, the auditor must obtain an understanding of whether the entity has a process for:

• Identifying business risks relevant to financial reporting objectives

• Estimating the significance of the risks

• Assessing the likelihood of their occurrence

• Deciding about actions to address those risks

The auditor usually considers at least:

1. Whether the risk is a risk of fraud;

2. Whether the risk is related to recent significant economic, accounting, or other developments;

3. The complexity of transactions;

4. Whether the risk involves significant transactions with related parties;

5. The degree of subjectivity in the measurement of financial information related to the risk, especially those measurements involving a wide range of measurement uncertainty; and

6. Whether the risk involves significant transactions that are outside the normal course of business for the entity

If the auditor has determined that a significant risk exists, the auditor should obtain an understanding of the entity’s controls, including control activities relevant to that risk. Then, the auditor evaluates whether such controls have been properly designed and implemented to mitigate such risks.

Corporate Responsibility (Section 302)

Section 302 requires a company's principal executive and financial officers (e.g. CEO and CFO) to certify each quarterly and annual report. They are required to certify that:

1. They have reviewed the report, believe that the report does not contain untrue statements and does not omit material facts, and the financial statements and other financial information included in the report are fairly presented in all material respects

2. They:

• Are responsible for establishing and maintaining disclosure controls and procedures;

• Have designed such disclosure controls and procedures to ensure that they are aware of material information;

• Have evaluated the effectiveness of the company's disclosure controls and procedures; and

• Have presented in the report their conclusions about the effectiveness of the disclosure controls and procedures

3. They have disclosed to the auditors and audit committee:

• All significant deficiencies in the design or operation of internal controls which could adversely affect the issuer's ability to record, process, summarize, and report financial data, and have identified for the issuer's auditors any material weaknesses in internal controls; and

• Any fraud, whether material or not, that involves management or other employees who have a significant role in the company's internal controls.

4. They have indicated whether there have been significant changes in ICFR or in other factors that could significantly affect internal controls after the date of their evaluation, including any corrective actions with regard to significant deficiencies and material weaknesses.

Disclosure controls and procedures typically include, but are broader than, ICFR. For instance, disclosure controls extend to controls over disclosure included in SEC annual and interim reports outside the financial statements. They also encompass controls to monitor compliance with laws and regulations other than those that directly affect the financial statements.

In summary, Section 302 deals with management’s quarterly certification of not only financial reporting controls, but also disclosure controls and procedures.

The following table summarizes the SOX requirements for ICFR and disclosure controls and procedures:

Management must: Conclude as to integrity of public information

SOX Section 404: Financial statements

SOX Section 302: All material financial and nonfinancial information included in public reports, including financial statements

Management must: Timely assess controls and procedures

SOX Section 404: Annually

SOX Section 302: Quarterly

Management must: Conduct review as of

SOX Section 404: Year-end

SOX Section 302: Quarter- or year-end

Management must: Document evaluations for auditor to attest

SOX Section 404: Annually

SOX Section 302: None

Management must: Evaluate impact of change

SOX Section 404: Quarterly

SOX Section 302: Quarterly

Management must: Comply with Sections 404 and 302 through common and interfacing processes

SOX Section 404: Subset of disclosure controls and procedures

SOX Section 302: Includes internal control over financial reporting

Management must: Report to the public

SOX Section 404: Internal control report

SOX Section 302: Officers’ certification

Source: Protiviti, Guide to the Sarbanes-Oxley Act: Internal Control Reporting Requirements, 2007

Other Key Principles

Auditor Independence

Section 201 prohibits most “consulting” services outside the scope of practice of auditors. These services are prohibited even if pre-approved by the client’s audit committee. Prohibited services include:

1. Bookkeeping or other services related to the accounting records or financial statements of the audit client;

2. Design and implementation of financial information systems;

3. Appraisal or valuation services (including fairness opinions and contribution-in-kind reports);

4. Actuarial services;

5. Internal audit outsourcing services;

6. Services that provide any management or human resources;

7. Broker or dealer, investment adviser, or investment banking services;

8. Legal and expert services unrelated to the audit; and

9. Any other service that the PCAOB determines, by regulation, is impermissible

A registered CPA firm (firm) may engage in any non-audit service, including tax services, which is not described in any of 1 through 9 for an audit client, only if the activity is approved in advance by the audit committee.

It is unlawful for a firm to perform for its client any audit service if a chief executive officer, controller, chief financial officer, chief accounting officer, or any person serving in an equivalent position for the issuer, was employed by that firm and participated in any capacity in the audit of that client during the 1-year period preceding the date of the initiation of the audit.

The Role of the Audit Committee

Although Sections 302 and 404 of the Sarbanes-Oxley Act of 2002 do not assign specific responsibilities to audit committees, Sections 301 and 407 establish broad standards for and disclosures regarding audit committees, as discussed below.

Section 301 establishes certain general standards with which audit committee members are required to comply. These standards are:

• Audit committee members may not accept consulting, advisory, or other compensatory fees from the issuer and its subsidiaries, except for board of director fees.

• Audit committee members must also not be an affiliated person of the issuer and its subsidiaries.

• Audit committees must be directly responsible for the appointment, compensation, retention, and oversight of all registered public accounting firms that prepare or issue audit reports or perform other audit, review, or attest services for the issuer.

• Audit committees must establish procedures for receiving, retaining, and addressing complaints received by the issuer related to accounting, internal controls, and auditing.

• Audit committees must have the authority to engage independent counsel, as they deem necessary. Issuers must provide the audit committee with appropriate funding to enable it to fulfill its responsibilities.

Also, the SOX Act requires that auditors (public accounting firms) report to the audit committee in a timely manner on the following issues:

1. All critical accounting policies and practices to be used;

2. All alternative treatments of financial information within GAAP that have been discussed with management officials of the client, ramifications of the use of such alternative disclosures and treatments, and the treatment preferred by the audit client; and

3. Other material written communications between the firm and the management of the client, such as any management letter or schedule of unadjusted differences.

Section 407 requires an issuer to disclose in its annual report whether it has at least one audit committee financial expert serving on its audit committee, and if so, whether the expert is independent of management. An issuer that does not have an audit committee financial expert must disclose this fact and explain why.

Because ICFR is a subset of disclosure controls and procedures, the audit committee should inquire as to:

• Whether any material changes could either affect or potentially affect ICFR, and

• Whether any significant deficiencies or potential significant deficiencies have come to management’s attention.

These inquiries should be integrated with the committee’s role in the quarterly evaluation of disclosure controls and procedures. Additionally, the audit committee should work with the chairman of the disclosure committee, the CEO, and the CFO to evaluate the processes for:

1. Identifying important financial reporting issues

2. Presenting such issues to the responsible parties on a timely basis

3. Ensuring such issues are fairly presented in conformity with U.S. GAAP

All auditing services and non-audit services provided by the auditor should be preapproved by the audit committee.

Disclosures in Periodic Reports

To enhance the accuracy of financial reports, each financial report that contains financial statements, and that is required to be prepared in accordance with (or reconciled to) GAAP, should reflect all material correcting adjustments that have been identified. In addition, public companies should comply with the following rules:

• Off-Balance Sheet Transactions: All quarterly and annual financial reports filed with the SEC must disclose all material off-balance sheet transactions, arrangements, obligations (including contingent obligations), and other relationships of the issuer with unconsolidated entities. Disclosure must be made on significant aspects relating to financial condition, liquidity, capital expenditures, resources, and components of revenue and expenses.

• Pro Forma Figures: Pro forma financial information in any report filed with the SEC or in any public release cannot contain false or misleading statements or omit material facts necessary to make the financial information not misleading.

Corporate and Criminal Fraud Accountability

Securities laws can penalize anyone found to have destroyed, altered, hid or falsified records or documents to impede, obstruct or influence an investigation conducted by any federal agency, or in bankruptcy, with fines or up to 20 years imprisonment, or both. Moreover, the SOX Act requires the SEC to promulgate rules and regulations on the retention of any and all materials related to an audit, including communications, correspondence and other documents created, sent or received in connection with an audit or review. Violating the requirement or the rules that will be developed will result in a fine, or up to 10 years imprisonment, or both.

The SOX Act also created a new 25-year felony for defrauding shareholders of publicly traded companies. This measure is a broad, generalized provision that criminalizes the knowing execution or attempted execution of any scheme or artifice to defraud persons in connection with securities of publicly traded companies or to obtain their money or property in connection with the purchase or sale of such securities. It is intended to give prosecutors flexibility to protect shareholders and prospective shareholders against any frauds that inventive criminals may devise.

Identification of Risks and Controls

Step 1: Selecting the Control Framework

Management’s ability to fulfill its financial reporting responsibilities depends on the design and effectiveness of the processes and controls in place over financial reporting. Management can use the following published frameworks or criteria to design, implement, evaluate, monitor and report on the effectiveness of ICFR:

1. The AICPA expressly accepts Internal Control—Integrated Framework (the 2013 COSO framework) as suitable and available criteria for management to use to develop, maintain, and report on the effectiveness of its ICFR, and for auditors to provide an independent assessment of the same. The PCAOB also accepts the 2013 COSO framework for use in integrated audits of SEC registrants. This framework is widely accepted and used by SEC registrants and accounting firms.

2. The GAO’s Standards for Internal Control in the Federal Government (the Green Book) is built on the 2013 COSO framework.

3. Criteria for ICFR that are available publicly in published frameworks, or criteria that are available only to specified parties. For example, this could include terms of a contract or criteria issued by an industry association that are available only to those in the industry.

If management selects another framework, management should ensure that the framework exhibits all of the following characteristics:

• Relevance. Criteria are relevant to ICFR.

• Objectivity. Criteria are free from bias.

• Measurability. Criteria permit reasonably consistent measurements, qualitative or quantitative, of ICFR.

• Completeness. Criteria are complete when the evaluation of the effectiveness of ICFR prepared in accordance with the criteria does not omit relevant factors that could reasonably be expected to affect decisions of the intended users made based on management’s report on ICFR.

The 2013 COSO framework includes principles that are suitable for all entities. It presumes that all principles are relevant because they have a significant bearing on the presence and functioning of an associated component.

Statutory Internal Control Requirement

Federal law-enforcement officials discovered that a number of large American corporations were illegally paying bribes to foreign officials to facilitate their conduct of business overseas. Investigation disclosed that management’s failure to understand or take responsibility for corporate internal controls created the environment within which such illegal activities could flourish. To prevent a recurrence of such illegal activities, Congress assigned to corporate management direct legal responsibility for the maintenance of adequate internal controls, codifying the requirement that public companies have internal controls in the Foreign Corrupt Practices Act of 1977 (“FCPA”).

The FCPA requires public companies to “devise and maintain” a system of internal accounting controls sufficient to provide reasonable assurance that:

• Transactions are executed in accordance with management’s general or specific authorization;

• Transactions are recorded as necessary (1) to permit preparation of financial statements in conformity with GAAP or any other criteria applicable to such statements, and (2) to maintain accountability for assets;

• Access to assets is permitted only in accordance with management’s general or specific authorization; and

• The recorded accountability for assets is compared with the existing assets at reasonable intervals and appropriate action is taken with respect to any differences.

Source: Section 13(b)(2) of the Securities Exchange Act of 1934

Step 2: Defining Control Objectives

Control objectives address the risks that the controls are intended to mitigate. In the context of ICFR, a control objective generally relates to a relevant assertion for a significant class of transactions, account balance, or disclosure. It addresses the risk that the controls in a specific area will not provide reasonable assurance that a misstatement or omission in that relevant assertion is prevented, or detected and corrected, on a timely basis. These assertions are management representations embodied in the components of the financial statements. They are then used to articulate relevant financial reporting process risks when evaluating processes.

Whenever management issues financial reports, management is really making the following assertions:

Existence or Occurrence: Assertions about existence or occurrence are concerned with whether assets or liabilities of the entity exist at a particular date and whether recorded transactions have truly occurred during a specified period. For example, management asserts that finished goods inventories in the balance sheet are available for sale.

Completeness: Assertions pertaining to completeness apply to whether all transactions and accounts that should be included in the financial statements are actually included. For example, management asserts that all purchases of goods and services are recorded and are included in the financial statements.

Rights and Obligations: Assertions relating to rights and obligations are concerned with whether the entity has legal title to assets and whether the recorded liabilities are in fact obligations of the entity. For example, management asserts that amounts capitalized for leases in the balance sheet represent the cost of the entity’s rights to leased property and that the corresponding lease liability represents an obligation of the entity.

Valuation or Allocation: Assertions about valuation or allocation are concerned with whether asset, liability, revenue, and expense components have been included in the financial statements at appropriate amounts. For example, management asserts that property is recorded at historical cost and that such cost is systematically allocated to the appropriate accounting period.

Presentation and Disclosure: Assertions about presentation and disclosure apply to whether particular components of the financial statements are properly described, disclosed, and classified. For example, management asserts that obligations classified as long-term liabilities in the balance sheet will not mature within one year.

Examples of Control Objectives

Financial Reporting

• Ensure the substance of transactions backing the accounting entries

• Ensure completeness of accounting records

• Ensure accuracy of accounting entries (precision, ratification, valuation, classification)

• Ensure completeness and timeliness of financial information for management needs

Invoicing

• Sales invoices are accurate

• A sales invoice is generated for every shipment or work order

• Sales are recorded in the proper period

Accounts Payable

• Payments are authorized and supported by sufficient documents

• Disbursement activity is properly recorded in the right accounting period

• Duplicate invoices are continuously and automatically monitored prior to the processing of a check run

• Unused checks are adequately controlled and safeguarded

Depreciation of Fixed Assets

• Depreciation expenses are valid

• All depreciation expenses are recorded

• Depreciation and amortization expenses are correctly calculated and timely recorded

• Depreciation expenses are recorded in the proper period

• Depreciation expenses are accurately allocated
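The accounts payable objective “duplicate invoices are continuously and automatically monitored prior to the processing of a check run” is the kind of control that is best implemented as an automated screen over each payment batch. The following is an added example of such a screen, not code from the course or from any accounting package; the Invoice record, the vendor ids, amounts and dates, and the 30-day near-duplicate window are all constructed assumptions. It catches both re-keyed copies of the same invoice (the same number entered as “INV-0042” and “inv 42”) and a second invoice from the same vendor for the same amount under a new number, which an exact match on invoice number would miss.

```python
"""Added example: duplicate-invoice screening before a check run.

Constructed illustration, not code from the course or from any AP system.
The Invoice records, vendor ids, amounts and the 30-day window are made up.
"""
import re
from dataclasses import dataclass
from datetime import date
from decimal import Decimal


@dataclass(frozen=True)
class Invoice:
    vendor_id: str
    invoice_no: str
    amount: Decimal
    invoice_date: date


def normalize_invoice_no(raw: str) -> str:
    """Collapse the formatting differences that defeat exact matching:
    case, punctuation, whitespace and leading zeros of each digit run,
    so that 'INV-0042' and 'inv 42' both become 'INV42'."""
    alnum = re.sub(r"[^0-9A-Za-z]", "", raw).upper()
    return re.sub(r"(?<!\d)0+(?=\d)", "", alnum) or "0"


def find_duplicate_invoices(batch, window_days=30):
    """Return (kind, earlier, later) findings for a payment batch.

    'exact': same vendor and same normalized invoice number.
    'near' : same vendor and amount, different number, dated within
             window_days (a re-keyed invoice or a vendor billing twice).
    """
    findings = []

    # Exact duplicates: the first occurrence is kept, every later one flagged.
    first_seen = {}
    for inv in batch:
        key = (inv.vendor_id, normalize_invoice_no(inv.invoice_no))
        if key in first_seen:
            findings.append(("exact", first_seen[key], inv))
        else:
            first_seen[key] = inv

    # Near duplicates: compare each invoice with later ones from the same
    # vendor, stopping once the date gap exceeds the window (list is sorted).
    by_vendor = {}
    for inv in batch:
        by_vendor.setdefault(inv.vendor_id, []).append(inv)
    for invoices in by_vendor.values():
        invoices.sort(key=lambda i: i.invoice_date)
        for idx, earlier in enumerate(invoices):
            for later in invoices[idx + 1:]:
                if (later.invoice_date - earlier.invoice_date).days > window_days:
                    break
                same_number = (normalize_invoice_no(earlier.invoice_no)
                               == normalize_invoice_no(later.invoice_no))
                if earlier.amount == later.amount and not same_number:
                    findings.append(("near", earlier, later))
    return findings


# Constructed sample batch (not real vendor data).
SAMPLE_BATCH = [
    Invoice("V100", "INV-0042", Decimal("1250.00"), date(2024, 3, 1)),
    Invoice("V100", "inv 42", Decimal("1250.00"), date(2024, 3, 5)),   # re-keyed copy
    Invoice("V200", "A-77", Decimal("980.50"), date(2024, 3, 2)),
    Invoice("V200", "A-78", Decimal("980.50"), date(2024, 3, 9)),     # same amount, new number
    Invoice("V200", "A-79", Decimal("980.50"), date(2024, 5, 15)),    # outside the 30-day window
    Invoice("V300", "B-1", Decimal("100.00"), date(2024, 3, 3)),
]


def screen_sample_batch():
    """Run the screen over the constructed batch; return findings and counts."""
    findings = find_duplicate_invoices(SAMPLE_BATCH)
    counts = {"exact": 0, "near": 0}
    for kind, _, _ in findings:
        counts[kind] += 1
    return findings, counts


if __name__ == "__main__":
    for kind, a, b in screen_sample_batch()[0]:
        print(f"{kind}: {a.vendor_id} {a.invoice_no} <-> {b.invoice_no} {b.amount}")
```

Near-duplicate findings are review items rather than automatic rejections: a vendor may legitimately bill the same amount monthly, so the control should route the pair to an AP reviewer with both documents attached and record the disposition.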

In setting up effective internal control, management should utilize the cycle approach, which first stratifies internal control into broad areas of activity and then identifies specific classes of transactions. Accordingly, the following cycles should be considered:

• Revenue Cycle: revenue and accounts receivable (order processing, credit approval, shipping, invoicing, and recording) and cash receipts.

• Expenditure Cycle: purchasing, receiving, accounts payable, payroll, and cash disbursements.

• Production or Conversion Cycle: inventories; cost of sales; and property, plant, and equipment.

• Financing Cycle: notes receivable and investments, notes payable, debt, leases, other obligations, and equity accounts.

• External Reporting: accounting principles and preparation of financial statements.

The objectives of financial reporting are converted into financial reporting assertions. These assertions are then used to articulate relevant financial reporting process risks when evaluating processes.

Step 3: Addressing and Monitoring Risks

General Concerns

As discussed earlier, management’s objectives are to ensure 1) effectiveness, 2) efficiency, 3) compliance with laws and regulations, and 4) proper financial reporting. To implement an effective internal control framework, management should identify potential risks that could hinder it from fully achieving any of these four objectives. Specifically, management is responsible for designing control activities to ensure that the organization’s objectives and goals are not negatively impacted by internal or external risks.

According to the Protiviti Risk Model, the primary sources of risk include:

1. Environment risk arises when external forces, such as competitors’ actions, changes in market prices and industry regulations, and customer wants, can adversely affect the organization’s performance or its business model.

2. Process risk arises when internal processes do not achieve the objectives they were designed to achieve in supporting the organization’s business model. For example, poorly performing processes may cause inefficient operations and dissatisfied customers. Moreover, they fail to protect significant financial, physical, customer, and employee/supplier assets from unacceptable losses, misappropriation or misuse.

3. Information for decision-making risk arises when information used to support business decisions is inaccurate, out of date, incomplete, or late to the decision-making process.

These three groupings of risk provide a broad foundation on which more specific categories of risk can be identified.

Environment Risk: uncertainties affecting the viability of the organization’s business model.

Process Risk: uncertainties affecting the execution of the business model, which often arise internally within the organization’s business processes.

Information for Decision-Making Risk: uncertainties affecting the relevance and reliability of information supporting management’s decisions to protect and enhance organization value.

Source: Protiviti, Guide to Enterprise Risk Management

Risks relevant to financial reporting include external and internal events and circumstances that may occur and adversely affect an entity's ability to initiate, authorize, record, process, and report financial data consistent with the assertions of management in the financial statements.

Management should also consider the inherent risk of an error that could lead to a material misstatement and that is at least reasonably possible. Inherent risk is an essential aspect of assessing the significance of risk. COSO defines inherent risk as:

“The risk to an entity in the absence of any actions management might take to alter either the risk’s likelihood or impacts.”

The following are some examples of situations that are commonly considered to involve inherent risk:

• Cash: The more easily an asset can be converted to personal use, the more likely it is to be stolen. Thus, the presence of cash receipts indicates special risks, since cash is considered one of the most liquid assets of an organization.

• Complexity: Complexity (e.g. of systems or procedures) increases the risk that an activity is not carried out properly in accordance with policies or regulations.

• Prior Issues: A past finding of control weaknesses is often a predictor of future problems. Specifically, a pattern of control weaknesses usually indicates a heightened level of risk.

Anti-Fraud Considerations

Management should evaluate whether the company's controls sufficiently address identified risks of material misstatement due to fraud (e.g. fraudulent financial reporting, misappropriation of assets, and corruption), and they should evaluate any controls intended to address the risk of management override of other controls. Controls that might address these risks include:

• Controls over significant, unusual transactions, particularly those that result in late or unusual journal entries

• Controls over journal entries and adjustments made in the period-end financial reporting processes

• Controls over related party transactions

• Controls related to significant management estimates

• Controls that mitigate incentives for, and pressures on, management to falsify or inappropriately manage financial results
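The first two controls above (over late or unusual journal entries, and over period-end adjustments) are commonly operated as a screen over the manual journal entry population that flags the indicators associated with management override and ranks entries for reviewer attention. The block below is an added example of such a screen, not code from the course or from any ledger product; the JournalEntry record, the roles treated as senior management, the business-hours window, the three-day period-end window, the round-amount unit and the sample entries are all constructed assumptions to be tuned per entity.

```python
"""Added example: screening manual journal entries for management-override
indicators. Constructed illustration; the entries, roles and thresholds are
made up and are not from the course or any real ledger."""
from dataclasses import dataclass
from datetime import date, datetime, time
from decimal import Decimal


@dataclass(frozen=True)
class JournalEntry:
    je_id: str
    posted_by: str
    posted_by_role: str
    posted_at: datetime
    period_end: date      # fiscal period the entry is booked into
    amount: Decimal
    account: str
    description: str


# Constructed policy parameters (assumptions; tune per entity).
SENIOR_ROLES = {"CEO", "CFO", "Controller"}   # officers should direct, not key, entries
BUSINESS_HOURS = (time(7, 0), time(19, 0))
LATE_WINDOW_DAYS = 3                           # last days of the period
ROUND_UNIT = Decimal("10000")


def flag_entry(je: JournalEntry) -> list:
    """Return the override indicators present on one entry (empty list = none)."""
    flags = []
    if je.posted_by_role in SENIOR_ROLES:
        flags.append("posted_by_senior_management")
    t = je.posted_at
    weekend = t.weekday() >= 5
    after_hours = not (BUSINESS_HOURS[0] <= t.time() <= BUSINESS_HOURS[1])
    if weekend or after_hours:
        flags.append("outside_business_hours")
    days_to_period_end = (je.period_end - t.date()).days
    if 0 <= days_to_period_end < LATE_WINDOW_DAYS:
        flags.append("last_days_of_period")
    elif days_to_period_end < 0:
        flags.append("posted_after_period_close")   # late, post-close adjustment
    if je.amount != 0 and je.amount % ROUND_UNIT == 0:
        flags.append("round_amount")
    if not je.description.strip():
        flags.append("missing_description")
    return flags


def review_entries(entries):
    """Map je_id -> flags, ordered by number of indicators (most first) so the
    reviewer's attention goes to entries that combine several signals."""
    scored = {je.je_id: flag_entry(je) for je in entries}
    return dict(sorted(scored.items(), key=lambda kv: -len(kv[1])))


# Constructed sample (not real ledger data). 30 and 31 March 2024 are a weekend.
SAMPLE_ENTRIES = [
    JournalEntry("JE-1", "astaff", "Staff Accountant", datetime(2024, 3, 12, 10, 15),
                 date(2024, 3, 31), Decimal("4312.55"), "2100 Accrued liabilities",
                 "March vendor accrual"),
    JournalEntry("JE-2", "ctrl", "Controller", datetime(2024, 3, 31, 22, 40),
                 date(2024, 3, 31), Decimal("250000.00"), "4000 Revenue", ""),
    JournalEntry("JE-3", "bstaff", "Staff Accountant", datetime(2024, 4, 2, 9, 0),
                 date(2024, 3, 31), Decimal("18200.00"), "1300 Prepaid expenses",
                 "Reclass of prepaid insurance"),
    JournalEntry("JE-4", "astaff", "Staff Accountant", datetime(2024, 3, 30, 11, 0),
                 date(2024, 3, 31), Decimal("1000.00"), "1010 Petty cash",
                 "Petty cash replenishment"),
]


if __name__ == "__main__":
    for je_id, flags in review_entries(SAMPLE_ENTRIES).items():
        print(je_id, flags or "-")
```

Each indicator on its own is weak (staff legitimately post at quarter end); the value of the screen is in the combination, and in the fact that it runs over the full population rather than a sample, so a reviewer independent of the preparer can start from the entries that carry several flags.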

In addition, management should evaluate the effectiveness of the anti-fraud program to ensure that it contains the following key elements:

1. Code of conduct/ethics

2. Hotline/whistleblower program

3. Hiring and promotion (i.e., background checks)

4. Investigation and remediation of identified fraud

5. Oversight by the audit committee and board

6. Risk assessment

The SEC’s and PCAOB’s underlying premise is that the absence of fraud does not necessarily mean that fraud risk does not exist. The presumption is that most companies face some degree of fraud risk. Thus, companies of all sizes should have controls to prevent and detect management override.

Common weaknesses of a company’s anti-fraud model include:

• It is often narrowly focused on industry fraud risk (e.g. retail shrinkage, healthcare/Medicare fraud, and similar matters);

• It frequently relies on “silo” management techniques in which the responsibility for managing fraud resides in a “silo” separate from all other key organizational functions; and

• It leaves the responsibility to mitigate fraud to middle managers who maintain autonomy and are not held accountable except for third-party fraud.

Assessment Criteria

To formulate effective risk responses, management must assess (prioritize) critical risks. Using the organization’s priority of risks enables senior management and the board to focus on key risks. The prioritization is accomplished by risk mapping. Risk mapping is a way of representing the resulting qualitative and quantitative evaluations of the probability of risk occurrence, and the impact on the organization if a particular risk is experienced.

Commonly used factors of the assessment criteria include:

Likelihood. Likelihood indicates the possibility that a given event will occur. Likelihood can be expressed using qualitative terms (e.g. almost certain, likely, possible, unlikely, rare), as a frequency, or as a percent probability. When using numerical values, whether a percentage or frequency, the relevant period should be specified, such as annual frequency or the more relative probability over the life of the asset. The higher the probability of occurrence, the greater the likelihood. The following table illustrates the likelihood scale.

The Likelihood of the Risk Event Occurring

Rating 5, Frequently: occurs several times per year (annual frequency); Almost certain: >90-100% chance of occurrence over life of asset or project (probability)

Rating 4, Likely: arises once per year (annual frequency); Likely: >50-90% chance of occurrence over life of asset or project (probability)

Rating 3, Possible: arises over a five-year period (annual frequency); Possible: >25-50% chance of occurrence over life of asset or project (probability)

Rating 2, Unlikely: occurs over a five- to ten-year period (annual frequency); Unlikely: >10-25% chance of occurrence over life of asset or project (probability)

Rating 1, Rare: arises once in 100 years (annual frequency); Rare: 0-10% chance of occurrence over life of asset or project (probability)

Impact. Impact (or consequence) refers to the extent to which a risk event might affect the organization. Impact assessment criteria may include strategic, financial, reputational, regulatory, safety, security, environmental, employee, customer, supplier, and operational impacts. The greater the significance of the impact, the more severe the risk. The following table illustrates the loss or damage impact scale.

The Loss or Damage Impact of the Risk Event Occurring (in terms of the objectives of the organization)

Rating 5, Catastrophic: most objectives may not be achieved, or several severely affected

Rating 4, Major: most objectives threatened, or one severely affected

Rating 3, Moderate: some objectives affected, considerable effort to rectify

Rating 2, Minor: easily remedied; with some effort the objectives can be achieved

Rating 1, Negligible: very small impact, rectified by normal processes

As potential future events are identified, they are plotted on a grid or map according to their impact on the achievement of business objectives and the likelihood of their occurrence.
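The two scales above become useful only once they are applied consistently to a risk register. The block below is an added example of that step, not code from the course: it converts a stated lifetime probability or annual frequency into the 1-5 likelihood rating using the cut-offs in the likelihood table, pairs it with a 1-5 impact rating, plots each risk in its cell of the 5x5 map, and ranks the register. The example risks, the product score (likelihood × impact), the numeric reading of the frequency scale (2, 1, 0.2 and 0.1 events per year) and the high/medium/low zone cut-offs are constructed assumptions; an entity would set its own.

```python
"""Added example: likelihood/impact risk map from the two rating scales.

Constructed illustration, not part of the course. The example risks, the
score formula and the zone cut-offs are assumptions, not prescribed values."""
from dataclasses import dataclass

LIKELIHOOD_LABELS = {5: "Almost certain", 4: "Likely", 3: "Possible",
                     2: "Unlikely", 1: "Rare"}
IMPACT_LABELS = {5: "Catastrophic", 4: "Major", 3: "Moderate",
                 2: "Minor", 1: "Negligible"}


def likelihood_from_probability(p: float) -> int:
    """Rating from a lifetime probability, per the scale:
    >90% -> 5, >50-90% -> 4, >25-50% -> 3, >10-25% -> 2, 0-10% -> 1."""
    if not 0.0 <= p <= 1.0:
        raise ValueError("probability must be between 0 and 1")
    for rating, floor in ((5, 0.90), (4, 0.50), (3, 0.25), (2, 0.10)):
        if p > floor:
            return rating
    return 1


def likelihood_from_annual_frequency(events_per_year: float) -> int:
    """Rating from an expected annual frequency. The numeric cut-offs are this
    example's reading of the scale: several times a year (>=2) -> 5, about once
    a year (>=1) -> 4, once in five years (>=0.2) -> 3, once in five to ten
    years (>=0.1) -> 2, rarer -> 1."""
    if events_per_year < 0:
        raise ValueError("frequency cannot be negative")
    for rating, floor in ((5, 2.0), (4, 1.0), (3, 0.2), (2, 0.1)):
        if events_per_year >= floor:
            return rating
    return 1


@dataclass
class Risk:
    name: str
    likelihood: int   # 1..5
    impact: int       # 1..5

    def __post_init__(self):
        if self.likelihood not in LIKELIHOOD_LABELS or self.impact not in IMPACT_LABELS:
            raise ValueError(f"ratings must be 1..5: {self.name}")

    def score(self) -> int:
        return self.likelihood * self.impact

    def zone(self) -> str:
        # Constructed zone cut-offs on the 1..25 product scale (assumption).
        s = self.score()
        return "high" if s >= 15 else "medium" if s >= 8 else "low"


def build_risk_map(risks):
    """Grid keyed by (likelihood, impact) -> names of the risks plotted there."""
    grid = {(l, i): [] for l in range(1, 6) for i in range(1, 6)}
    for r in risks:
        grid[(r.likelihood, r.impact)].append(r.name)
    return grid


def prioritize(risks):
    """Risks ordered for management attention: by score, then by impact,
    so that of two equal scores the more damaging one is treated first."""
    return sorted(risks, key=lambda r: (r.score(), r.impact), reverse=True)


# Constructed example register (illustrative only).
SAMPLE_RISKS = [
    Risk("Duplicate vendor payment", likelihood_from_probability(0.60), 2),
    Risk("Fictitious revenue at period end", likelihood_from_annual_frequency(0.15), 5),
    Risk("Unreconciled cash account", likelihood_from_annual_frequency(3), 3),
    Risk("Unauthorized change to payroll master data", likelihood_from_probability(0.20), 4),
]


if __name__ == "__main__":
    for r in prioritize(SAMPLE_RISKS):
        print(f"{r.score():>2} {r.zone():<6} L{r.likelihood} I{r.impact}  {r.name}")
```

Because the inputs are ratings, the product is an ordinal, not a dollar figure: it is fit for sorting and for drawing the map, not for adding across risks or comparing against a budget.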

Key questions for management to ask include:

• What could happen? List risks, incidents or accidents that might happen by systematically working through each activity to identify what might happen at each stage.

• How and why can it happen? List the possible causes and scenarios or descriptions of the risk, incident or accident.

• What constitutes a material risk to our company?

• How much risk are we willing to accept?

• What is the likelihood of them happening?

• What will be the consequences if they do happen?

Step 4: Establishing Controls

Management designs entity-level control activities, transaction control activities, or both, depending on the level of precision needed so that the entity meets its objectives and addresses related risks. In addition, the cost-benefit relationship is a primary criterion that should be considered in designing internal control.

Entity-level controls are designed to provide reasonable assurance that appropriate controls are operating throughout the organization. Such controls have a pervasive effect on the organization’s system of internal control. Entity-level controls may include controls related to the organization’s risk assessment process, control environment, service organizations, management override, and monitoring. Entity-level controls include:

• Controls related to the control environment;

• Controls over management override;

• Risk assessment process;

• Centralized processing and controls, including shared service environments;

• Controls to monitor results of operations;

• Controls to monitor other controls, including activities of the internal audit function, those charged with governance, and self-assessment programs;

• Controls over the period-end financial reporting process; and

• Programs and controls that address significant business risks.

Transaction control activities are actions built directly into operational processes to support the organization in achieving its objectives and addressing related risks. “Transactions” tends to be associated with financial processes (e.g., payables transactions), while “activities” is more generally applied to operational or compliance processes. For the purposes of this standard, “transactions” covers both definitions. Management may design a variety of transaction control activities for operational processes, which may include verifications, reconciliations, authorizations and approvals, physical control activities, and supervisory control activities.

When choosing between entity-level and transaction control activities, management evaluates the level of precision needed for the operational processes to meet the organization’s objectives and address related risks. In determining the necessary level of precision for a control activity, management evaluates the following:

1. Purpose of the control activity - A control activity that functions to prevent or detect generally is more precise than a control activity that merely identifies and explains differences.

2. Level of aggregation - A control activity that is performed at a more granular level generally is more precise than one performed at a higher level. For example, an analysis of obligations by budget object class normally is more precise than an analysis of total obligations for the organization.

3. Consistency of performance - A control activity that is performed routinely and consistently generally is more precise than one performed sporadically.

4. Correlation to relevant operational processes - A control activity that is directly related to an operational process generally is more likely to prevent or detect than a control activity that is only indirectly related.

For companies with numerous locations, entity-level controls must operate effectively. Inadequate entity-level controls may be an indicator that the control environment is ineffective. Entity-level controls vary in nature and precision:

1. Some entity-level controls, such as certain environment controls, have an important but indirect effect on the likelihood that a misstatement will be prevented, or detected and corrected, on a timely basis. Such controls could affect the other controls the auditor selected for testing and the nature, timing, and extent of procedures the auditor performs on other controls.

2. Some entity-level controls monitor the effectiveness of other controls. Such controls might be designed to identify possible breakdowns in lower-level controls, but not at a level of precision that would, by themselves, sufficiently address the assessed risk that a misstatement to a relevant assertion will be prevented or detected on a timely basis. These controls, when operating effectively, might allow the auditor to reduce the testing of other controls.

3. Some entity-level controls might be designed to operate at a level of precision that would adequately prevent or detect on a timely basis misstatements to one or more relevant assertions. If an entity-level control sufficiently addresses an assessed risk of misstatement, the auditor need not test additional controls relating to that risk.

It should be noted that activities in each of the five control components can be found at both the entity level and the activity level. For example:

• Control Environment activities include the organization’s code of conduct (an entity-level control) as well as employee candidate background checks (performed at the activity level).

• Risk Assessment includes assessing the risk of an unassertive audit committee (entity level) or the existence of excess inventory (activity level).

• Control Activities include top-level reviews performed as part of the corporate close process (entity level) as well as bank reconciliations (activity level).

• Information and Communication includes information on warranty claims used to calculate the warranty reserve as part of the financial close process (entity level), and communicating performance expectations to employees (activity level).

• Monitoring includes the internal audit activity (entity level), as well as the direct supervision of payroll staff (activity level).

Source: The IIA, SARBANES-OXLEY SECTION 404: A Guide for Management by Internal Controls Practitioners

In summary, management must design, implement and maintain control activities to ensure the reliability of its financial reporting. Typically, such controls are categorized as:

1. Segregation of duties

2. Access control

3. Authorization

4. Properly designed procedures

5. Security over assets and records

6. Periodic verification and reconciliation

7. Analytical review
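Segregation of duties, access control and authorization (items 1 to 3 above) are usually tested together: first on paper, by expanding each user's role assignments into the permissions they actually hold and checking them against a list of incompatible pairs, and then on the transaction record, by checking that no disbursement was approved by the person who prepared it. The block below is an added example of both checks, not code from the course or from any ERP system; the conflict rules, role definitions, users and transactions are constructed assumptions.

```python
"""Added example: segregation-of-duties review over role assignments and a
disbursement log. Constructed illustration with made-up users, roles,
permissions and transactions; not code from the course or any ERP system."""

# Constructed conflict rules: pairs of permissions one person should not hold.
CONFLICTING_PAIRS = {
    frozenset({"vendor.create", "payment.approve"}),   # create a payee and pay it
    frozenset({"invoice.enter", "payment.approve"}),   # enter a bill and approve it
    frozenset({"journal.enter", "journal.approve"}),   # post and approve own entries
    frozenset({"payment.approve", "bank.reconcile"}),  # pay and then hide it in the rec
}

# Constructed role definitions; each role on its own is acceptable.
ROLE_PERMISSIONS = {
    "ap_clerk": {"vendor.create", "invoice.enter"},
    "ap_manager": {"payment.approve"},
    "gl_accountant": {"journal.enter"},
    "gl_reviewer": {"journal.approve", "bank.reconcile"},
}


def effective_permissions(user_roles, role_permissions=ROLE_PERMISSIONS):
    """Expand role assignments to the flat permission set per user, so that a
    conflict created by combining two individually acceptable roles surfaces."""
    return {user: set().union(*(role_permissions[r] for r in roles))
            for user, roles in user_roles.items()}


def find_role_conflicts(user_permissions, rules=CONFLICTING_PAIRS):
    """Return {user: [sorted conflicting pair, ...]} for every user holding
    both sides of any rule. Users with no conflict are omitted."""
    conflicts = {}
    for user, perms in user_permissions.items():
        hits = [tuple(sorted(pair)) for pair in rules if pair <= set(perms)]
        if hits:
            conflicts[user] = sorted(hits)
    return conflicts


def find_self_approvals(transactions):
    """Return ids of transactions whose preparer also approved them. This is the
    transaction-level check: entitlements can look clean on paper while the
    approval step is still performed by the same person."""
    return [t["id"] for t in transactions if t["prepared_by"] == t["approved_by"]]


# Constructed sample data (not from any real system).
SAMPLE_USER_ROLES = {
    "alice": ["ap_clerk"],
    "bob": ["ap_manager"],
    "carol": ["ap_clerk", "ap_manager"],        # accumulated roles after a transfer
    "dave": ["gl_accountant", "gl_reviewer"],
    "erin": ["ap_manager", "gl_reviewer"],
}
SAMPLE_PAYMENTS = [
    {"id": "PAY-1", "prepared_by": "alice", "approved_by": "bob"},
    {"id": "PAY-2", "prepared_by": "carol", "approved_by": "carol"},
    {"id": "PAY-3", "prepared_by": "alice", "approved_by": "carol"},
]


def run_sod_review(user_roles=SAMPLE_USER_ROLES, payments=SAMPLE_PAYMENTS):
    """Run both checks; returns (role_conflicts, self_approved_ids)."""
    conflicts = find_role_conflicts(effective_permissions(user_roles))
    return conflicts, find_self_approvals(payments)


if __name__ == "__main__":
    conflicts, self_approved = run_sod_review()
    for user, pairs in conflicts.items():
        print(f"{user}: {pairs}")
    print("self-approved:", self_approved)
```

The entitlement check is the preventive half and should run whenever roles change; the self-approval check is the detective half and belongs in the periodic review of the payment log, because a mitigating control (a second approver, or compensating review) is only credible if the log shows it actually operated.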

Part II − Section 1 Review Questions

9. According to the Sarbanes-Oxley Act, public accounting firms are allowed to provide which of the following non-audit services to their clients?

A. Tax services pre-approved by the audit committee

B. Internal audit outsourcing services

C. Investment banking or advisory services

D. Management or human resources services

10. The Sarbanes-Oxley Act imposes all of the following provisions EXCEPT?

A. The penalties (i.e., prison time and fines) for corporate fraud were increased

B. At least one audit committee member should be a financial expert

C. The company’s auditors assume responsibility for the financial statements

D. The company adopts a code of ethics for senior financial officers

11. The AICPA and the PCAOB accept which of the following frameworks as suitable criteria for auditors to provide an independent assessment of an entity’s ICFR?

A. 2013 COSO Framework

B. Green Book

C. GAAS

D. U.S. GAAP

12. Which of the following statements best describes entity-level controls?

A. Actions built directly into operational processes to support the entity in achieving its objectives and addressing related risks

B. Controls that have a pervasive effect on an entity’s internal control system and may pertain to multiple components

C. Controls over transaction processing within an information system

D. Controls over the input of data into computer software systems

Page 73: Internal ontrol and raud etection

61

Assessment of the Adequacy of Controls

Effective internal control reduces the risk of asset loss and helps ensure that plan information is complete and accurate, financial statements are reliable, and the plan’s operations are conducted in accordance with the provisions of applicable laws and regulations. To determine if an internal control system is effective, management assesses the design, implementation, and operating effectiveness of the five components and 17 principles. If a principle or component is not effective, or the components are not operating together in an integrated manner, then an internal control system cannot be effective. In other words, an effective internal control system has:

1. Each of the five components of internal control effectively designed, implemented, and operating, and

2. The five components operating together in an integrated manner.

The following are some general characteristics of satisfactory plan ICFR:

• Policies and procedures that provide for appropriate segregation of duties to reduce the likelihood that deliberate fraud can occur

• Personnel qualified to perform their assigned responsibilities

• Sound practices to be followed by personnel in performing their duties and functions

• A system that ensures proper authorization and recordation procedures for financial transactions

Further Considerations

The SEC has published interpretive guidance providing more granular guidance on the following topics relating to the control assessment process:

1. Identifying financial reporting risks and controls

• Identifying financial reporting risks

• Identifying controls that adequately address financial reporting risks

• Consideration of entity-level controls

• Role of general information technology controls

• Evidential matter to support the assessment

2. Evaluating evidence of the operating effectiveness of ICFR

• Determining the evidence needed to support the assessment

• Implementing procedures to evaluate evidence of the operation of ICFR

• Evidential matter to support the assessment

3. Multiple location considerations


Determining Key Controls

While the prevention of fraud (or at least its detection) is important to all companies, only the risk of fraud that results in a material misstatement of the financials must be included in the Sarbanes-Oxley Act (SOX) Section 404 assessment. Therefore, careful identification of key controls helps both management and auditors allocate time and resources effectively to ensure that critical controls are in place and assessed.

An overly conservative approach, where too many controls are defined as key, will result in excessive time and resources devoted to testing controls that are not critical to the SOX Section 404 assessment. Since the determination of key controls is so critical to management’s internal control assessment, the auditor should be kept informed of management’s decisions as to what controls are key. Some common characteristics of key and non-key controls are listed below:

Key Control

• Provides reasonable assurance that material errors will be prevented or timely detected

• The only control that covers the risk of material misstatement

• It is highly improbable that another control could detect its absence if it fails

• Covers more than one risk or supports a whole process execution

• Provides assurance over financial assertions

Non-Key Control

• It can fail without affecting a whole process

• Has an indirect effect on the risk of material misstatement

• Does not involve significant transactions

• Could be evaluated under a Control Self-Assessment program

Due to differences in systems, procedures, business environments and models, sound professional judgment is required during the identification process. The identification of key controls should take into account the risk of fraud, including the override by management of controls. Examples of key controls include:

• Segregation of duties over the expenditure cycle (e.g. Purchasing, Receiving, Disbursing)

• Access controls

• Purchase order approval

• Authorization and review of invoices

• Three-way match

• Maintenance of sufficient supporting documentation

• Safeguarding of unused checks

• Maintenance of vendor master file

• Reconciliation of vendor statements

• Reconciliation of accounts


There are two approaches to determining key controls within business processes.

Approach A: This approach lists risks that may prevent the financial assertions from being satisfied. Then, the controls that address those risks are identified. The benefit of this approach is that it is relatively straightforward, familiar to most experienced auditors, and suggested in the SEC guidance.

Approach B: This approach looks at the material transactions that flow into the significant accounts and identifies the controls that assure they are completely and accurately processed and recorded, and that only valid transactions are processed.

Source: The IIA, SARBANES-OXLEY SECTION 404: A Guide for Management by Internal Controls Practitioners

Approach A starts with the significant general ledger accounts by location, defines the relevant financial assertions for each, and then lists all the risks to achievement of the assertions. Finally, the key controls are identified. For example, the process may begin with cash and identify existence as one of the assertions to be achieved. The bank reconciliation is identified as the key control that addresses that assertion. Although Approach A is adopted more frequently by companies, the risk of this approach is that the list of risks may not be complete.

Approach B provides more assurance that all the controls are addressed; however, it is more complex. Both approaches have value. Management should make a choice consistent with the experience and training of the individuals managing the project, after consultation with the external auditor. The process of identifying key controls should be top-down regardless of the approach taken.

In summary, companies and external auditors have often tested controls that are not key under the definition (e.g. prevent or detect material errors). Controls that are not likely to result in material error should not be considered “key” and do not need to be within management’s scope for SOX Section 404. To reduce the cost of testing (both management’s and the auditors’) by limiting the number of key controls, management should adopt a top-down, risk-based approach that focuses on controls that will prevent or detect material errors.

Evaluating the Effectiveness of Controls

The Design of Controls

The evaluation of design effectiveness addresses whether the system of internal control is suitably designed to prevent or detect, on a timely basis, material misstatements in significant accounts and disclosures. This evaluation should include:

1. Entity-level controls (including the assessment of the five components of internal control)

2. Specific transaction-level control activities related to all relevant assertions


Since not all controls provide the same level of assurance, management should consider the following factors when evaluating the level of assurance provided by a given control:

• The nature of the control

• How the control is applied

• The consistency with which it is applied, and who applies it

The degree of assurance over internal control will vary based on several factors, including those listed below:

Less Assurance

• Manual control

• Complex control (requires many steps, multiple calculations, etc.)

• Control is performed by a junior, inexperienced person

• Detective control (detects a potential problem after a transaction is executed)

Greater Assurance

• Automated control

• Simple control (single step, single calculation, etc.)

• Control is performed by an experienced manager

• Preventive control (prevents a problem)

Source: PwC, Sarbanes-Oxley Act: Section 404 Practical Guidance for Management

According to PwC, Sarbanes-Oxley Act: Section 404 Practical Guidance for Management, when assessing design effectiveness, management should focus on:

• The alignment between the controls and the business and audit risks identified (i.e., whether the business processes and related controls appear to be effective in achieving management’s stated objectives and managing its risks)

• Whether the controls satisfy the information processing objectives and the relevant financial statement assertions

• Frequency of the control – whether the control will detect or prevent the risk identified on a timely basis (i.e., in some cases, a detective control may be adequate, but in other cases, an entity should ensure adequate preventative controls are in place)

• Knowledge and experience of the people involved in performing the controls

• Segregation of duties relevant to the process being controlled

• Timeliness in addressing issues and exceptions that result from the control activity

• Reliability of the information used in the performance of the control

• Period covered by the control

In particular, when assessing the design effectiveness of transaction-level control activities, management should consider:

1. The results of the entity-level controls assessment

2. The results of the assessment of general IT controls


3. The nature of the identified financial reporting risks or assertions

4. The effectiveness of all five control components

5. The nature and types of errors and omissions identified that could occur, and the effectiveness of the controls in mitigating the risk of these errors and omissions

6. The extent of change in the business and its expected effect on internal controls

As a practical consideration, management may opt to test and evaluate the design effectiveness of entity-level controls first, because the results of this evaluation will impact the nature, extent, and timing of additional procedures that may be necessary at these locations.

The Operating Effectiveness of Controls

To demonstrate effective ICFR, management should determine whether the company’s controls are operating effectively. This requires testing the controls, which must include each of the five components of internal control over all relevant assertions for all significant accounts and disclosures at each individually important location and over the specific risk areas at other locations.

To facilitate review and approval by the various interested parties, formal test plans should document the key elements of the test and the results. PwC recommends that test plans should cover all controls that are selected for testing and should specify the following key elements:

Key controls to be tested – Normally management will summarize the controls to be tested at the financial statement assertion level. Management should focus its evaluation of the operation of controls on areas posing the highest ICFR risk.

Nature of tests to be used – Tests should be categorized as inquiry, observation, examination, or re-performance. The more significant the account, disclosure, or business process and the more significant the risk, the more important it is to ensure that the evidence extends beyond one testing technique. The nature of the control also influences the nature of the tests of controls that should be performed. The relative level of assurance by nature of test is illustrated in the following chart, ordered from the highest level of assurance to the lowest:

• Re-performance – Re-performance of the specific application of the control provides the highest degree of assurance.

• Examination – Examination of evidence often is used to determine whether manual controls (e.g., the follow-up of exception reports) are being performed.

• Observation – Observation of the control provides a higher degree of assurance and may be an acceptable technique for assessing automated controls.

• Inquiry – Inquiry of a control’s effectiveness does not, by itself, provide sufficient evidence of whether a control is operating effectively.

Extent of testing – The extent of the testing of a particular control will vary depending on many factors, including whether the control is automated or manual. For an automated control, the number of items tested can be minimal (one to a few items), assuming that general computer controls have been tested and found to be effective. When testing automated controls, management must:

1. Ensure general computer controls are effective, and

2. Have performed a detailed review of the controls within the company’s computer applications (e.g., a pre-implementation or a post-implementation review).

Most manual controls will be tested through a combination of inquiry, observation, examination or re-performance. Management may need to consider the following factors when deciding the extent of testing.

Factors to Consider When Deciding the Extent of Testing

• The type of control (manual or automated) and the frequency with which it operates

• The nature and materiality of misstatements that the control is intended to prevent or detect

• The risk of management override

• The evidence of the operation of the control from prior year(s)

• The judgment required to operate the control

• Whether there have been changes in the volume or nature of transactions that might adversely affect control design or operating effectiveness

• Whether the account has a history of errors

• The effectiveness of entity-level controls, especially controls that monitor other controls

• The competence of the personnel who perform the control or monitor its performance, and whether there have been changes in key personnel who perform the control or monitor its performance

• The complexity of the control and the significance of the judgments that must be made in connection with its operation

Timing of procedures – The plans should specify when the testing should be performed and the time span that the tests cover, including update testing planned from the interim testing date to year-end.

Description of the test – The plans should specify the procedures to be performed and the assertions supported.

Key administrative items – The plans should identify who will perform the test, when the test will be performed, what evidence will be reviewed, and where the control is performed.

Documentation – The plans should describe the documentation required.


Exceptions – The plans should describe how exceptions will be investigated and addressed and when additional testing should be performed.

Some of the techniques available include:

Traditional Testing of Controls

• Performance of walkthroughs, which confirm the adequacy of the documentation as well as the design of the controls to meet the control objectives.

• Inquiry, examination, and inspection of related documents to confirm that the control appears to be performed consistently as documented.

• Re-performance of a sample of transactions to confirm that the control is being performed effectively.

Continuous Auditing

• Includes the testing of transactions throughout the period. This is generally assisted with software that selects the transactions to be reviewed.

Continuous Monitoring

• This technique generally relies on software to monitor transactions and not only identify transactions for testing, but especially to test 100 percent of the processed transactions for compliance with selected parameters.

• An example would be a test that identifies purchase orders issued in excess of approved requisitions. The software would report exceptions for assessment as they occur. This technique merits attention and consideration as it may reduce the cost of annual testing, after an initial investment in development.

Management Self-Assessment

• There are many varieties of this technique, including management’s daily interaction with its controls as discussed in the SEC guidance. Management needs to consult with testing experts to ensure that the results of any self-assessment provide reasonable, objective evidence that the controls are operating as assessed. The risk is that the individuals performing the assessment may not have direct knowledge of the operation of the control or may not perform a rigorous assessment that verifies the consistency of the control’s execution.

Source: The IIA, SARBANES-OXLEY SECTION 404: A Guide for Management by Internal Controls Practitioners
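The continuous-monitoring test described above (purchase orders issued in excess of approved requisitions), together with two of the key expenditure-cycle controls listed earlier in this section (the three-way match and segregation of duties over purchasing and receiving), as an added Python example. This is not code from the course text or from the IIA or PwC guidance it cites; the record layouts, the identifiers, names and amounts in the sample data, and the three check functions are constructed assumptions for illustration. Each check runs over 100 percent of the records and returns the exceptions it finds as (document id, reason) pairs, so they can be reported for assessment as they occur.

```python
# Added example (not from the course text): continuous-monitoring checks over the
# expenditure cycle. Record layouts, names and amounts are constructed assumptions.
from dataclasses import dataclass

@dataclass(frozen=True)
class Requisition:
    req_id: str
    approved_amount: float
    approver: str

@dataclass(frozen=True)
class PurchaseOrder:
    po_id: str
    req_id: str      # requisition the order was raised against
    vendor: str
    amount: float
    issued_by: str

@dataclass(frozen=True)
class Invoice:
    invoice_id: str
    po_id: str
    vendor: str
    amount: float

# Constructed sample records (hypothetical identifiers, people and amounts).
REQUISITIONS = {
    "REQ-1": Requisition("REQ-1", 1000.0, "alice"),
    "REQ-2": Requisition("REQ-2", 500.0, "controller"),
    "REQ-3": Requisition("REQ-3", 2000.0, "controller"),
}
PURCHASE_ORDERS = [
    PurchaseOrder("PO-1", "REQ-1", "Acme", 950.0, "alice"),   # approver also issued it
    PurchaseOrder("PO-2", "REQ-2", "Beta", 650.0, "bob"),     # over the approved amount
    PurchaseOrder("PO-3", "REQ-9", "Gamma", 300.0, "carol"),  # no such requisition
    PurchaseOrder("PO-4", "REQ-3", "Delta", 2000.0, "dave"),  # issuer also receives
]
# po_id -> people who signed a receiving report for that order
RECEIPTS = {"PO-1": {"eve"}, "PO-2": {"eve"}, "PO-4": {"dave"}}
INVOICES = [
    Invoice("INV-1", "PO-1", "Acme", 950.0),
    Invoice("INV-2", "PO-2", "Beta", 700.0),   # billed above the PO amount
    Invoice("INV-3", "PO-3", "Gamma", 300.0),  # nothing received against PO-3
    Invoice("INV-4", "PO-7", "Zeta", 100.0),   # no purchase order at all
    Invoice("INV-5", "PO-4", "Delta", 2000.0),
]

def po_over_requisition(pos, reqs, tolerance=0.0):
    """The course's continuous-monitoring example: report every purchase order that
    has no approved requisition or exceeds the approved amount (plus a tolerance)."""
    out = []
    for po in pos:
        req = reqs.get(po.req_id)
        if req is None:
            out.append((po.po_id, "no approved requisition"))
        elif po.amount > req.approved_amount + tolerance:
            excess = po.amount - req.approved_amount
            out.append((po.po_id, f"exceeds requisition {req.req_id} by {excess:.2f}"))
    return out

def three_way_match(pos, receipts, invoices):
    """Three-way match: an invoice is cleared for payment only if it agrees with a
    purchase order and a receiving report exists for that order."""
    by_po = {po.po_id: po for po in pos}
    out = []
    for inv in invoices:
        po = by_po.get(inv.po_id)
        if po is None:
            out.append((inv.invoice_id, "no purchase order"))
            continue
        if inv.vendor != po.vendor:
            out.append((inv.invoice_id, "vendor differs from purchase order"))
        if inv.amount > po.amount:
            out.append((inv.invoice_id, "amount exceeds purchase order"))
        if inv.po_id not in receipts:
            out.append((inv.invoice_id, "no receiving report"))
    return out

def segregation_conflicts(pos, reqs, receipts):
    """Segregation of duties over purchasing and receiving: one person should not
    approve the requisition, issue the order and receive the goods."""
    out = []
    for po in pos:
        req = reqs.get(po.req_id)
        if req is not None and req.approver == po.issued_by:
            out.append((po.po_id, "approver also issued the order"))
        if po.issued_by in receipts.get(po.po_id, set()):
            out.append((po.po_id, "issuer also received the goods"))
    return out

if __name__ == "__main__":
    print("over requisition:", po_over_requisition(PURCHASE_ORDERS, REQUISITIONS))
    print("three-way match: ", three_way_match(PURCHASE_ORDERS, RECEIPTS, INVOICES))
    print("segregation:     ", segregation_conflicts(PURCHASE_ORDERS, REQUISITIONS, RECEIPTS))
```

The tolerance parameter is the "selected parameter" the text mentions: set it to the approval threshold the company tolerates (for example, a small freight variance) and everything above it is an exception. Exceptions are data, not conclusions; the text's point is that they are reported for assessment, and the assessor decides whether each one is a control failure, a documented override, or a data-entry error.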

Management needs to evaluate and act in a timely manner upon the results of its testing. For example, when management determines that controls are not functioning properly, they should be amended or eliminated, or actions should be taken to improve compliance. Even when controls operate effectively, management may still need to consider the possibility that the controls are redundant, or that the costs of the controls exceed their benefit. Details were discussed in the “Cost-Benefit Relationships” section.

What areas should a company test within each of the remaining four components of internal control (i.e., excluding control activities)?

As part of management’s Section 404 assessment, it must document, test, and evaluate the five components of internal control. Examples of testing procedures may include:

Control Environment

• Evaluate the “tone at the top” through inquiry, observation, focus groups, and surveys

• Obtain an understanding of, observe, and evaluate the process for handling exceptions to the company’s code of conduct

• Review the documented authorization levels and assess their reasonableness compared to the positions and responsibilities of the individuals

• Examine job descriptions for key financial reporting positions and evaluate whether employee understanding of roles and responsibilities is consistent with the description

Risk Assessment

• Review management’s process for evaluating risks, including assessing the likelihood of occurrence and determining needed actions

• Evaluate whether management adequately addresses how it will identify and analyze significant estimates recorded in the financial statements

Information and Communication

• Evaluate senior management’s and the board’s involvement in the development of the strategic plan for information systems, including appropriate allocation of resources

• Obtain an understanding of the process for updating the accounting policy manual for new pronouncements and how updates are distributed to the appropriate individuals

• Inquire as to the extent to which outside parties have been made aware of the entity’s ethical standards and observe the process for addressing complaints from outside parties

Monitoring

• Obtain an understanding of the monthly financial statement analysis process and observe how significant or unusual items are investigated and resolved

• Evaluate the effectiveness of the internal audit function and the process for reporting and following up on identified internal control deficiencies

Additionally, management must test its anti-fraud programs, and the company must evaluate the effectiveness of the audit committee.

Source: PwC, Sarbanes-Oxley Act: Section 404 Practical Guidance for Management

Evaluation of Control Deficiencies

Step 1: Understanding the Nature of the Deficiency

In general, deficiencies may be identified through many sources, including:

• Management through its assessment of ICFR

• Management in a self-assessment process

• Internal Audit in the scope of its work

• External auditors in the scope of their work

• Service organization SAS 70 reports

• Regulatory inspections

A control deficiency exists when the design or operation of a control does not allow management or personnel, in the normal course of performing their assigned functions, to achieve control objectives and address related risks. Identification of risks is discussed in the “Step 3: Addressing and Monitoring Risks” section.

Companies may have control deficiencies in the design and implementation of a control or in its operation:

(Figure: Control Deficiency, broken down into Design, Implementation, and Operating Effectiveness)

Design — When evaluating the design of internal controls, management determines if controls individually and in combination with other controls are capable of achieving an objective and addressing related risks. A deficiency in design exists when:

1. A control necessary to meet a control objective is missing, or

2. An existing control is not properly designed so that even if the control operates as designed, the control objective would not be met.

Implementation — When evaluating implementation, management determines if the control exists and if the entity has placed the control into operation. A deficiency in implementation exists when a properly designed control is not implemented correctly in the internal control system.

Operating Effectiveness — In evaluating operating effectiveness, management determines if controls were applied at relevant times during the period under evaluation, the consistency with which they were applied, and by whom or by what means they were applied. If substantially different controls were used at different times during the period under evaluation, management evaluates operating effectiveness separately for each unique control system. A deficiency in operating effectiveness exists when a properly designed control does not operate as designed, or when the person performing the control does not possess the necessary authority or competence to perform the control effectively.

Step 2: Assessing the Likelihood of Misstatements

Significant judgment goes into evaluating whether deficiencies in controls rise to the level of a material weakness. Management must consider the following factors when evaluating control deficiencies:

1. Likelihood of a misstatement — Including consideration of factors such as:

• The nature of the financial statement accounts, disclosures, and assertions involved;

• The susceptibility of the related assets or liability to loss or fraud (that is, greater susceptibility increases risk);

• The subjectivity, complexity, or extent of judgment required to determine the amount involved (that is, greater subjectivity, complexity, or judgment, like that related to an accounting estimate, increases risk);

• The cause and frequency of known or detected exceptions for the operating effectiveness of a control;

• The interaction or relationship of the control with the other controls (that is, the interdependence or redundancy of the control);

• The interaction of the deficiencies;

• The possible future consequences of the deficiency.

2. Related magnitude of a potential misstatement — the following factors may impact the magnitude:

• The financial statement amounts or the total of transactions exposed to the deficiency;

• The volume of activity in the account balance or class of transactions exposed to the deficiency that has occurred in the current period or that is expected in future periods.


Deficiencies for which there is only a remote likelihood of occurrence cannot rise to the level of a significant deficiency or material weakness. Therefore, evaluation of the magnitude of a potential misstatement (Step 2) is not required. The following exhibit illustrates these concepts.

Internal Control Deficiencies

• Control Deficiency – Likelihood: remote; and/or Magnitude: inconsequential

• Significant Deficiency – Likelihood: more than remote; and Magnitude: more than inconsequential (but less than material)

• Material Weakness – Likelihood: more than remote; and Magnitude: material to the financial statements

Step 3: Considering Compensating Controls

Compensating controls may be used where formal controls are inadequate in containing risk or are not used in practice. The SEC defines compensating controls as:

“Controls that serve to accomplish the objective of another control that did not function properly, helping to reduce risk to an acceptable level. To have a mitigating effect, the compensating control should operate at a level of precision that would prevent or detect a misstatement that was material.”

Examples of compensating controls related to purchases include:

• Prior authorization and approval: A requisition approved at the appropriate level of management is required

• Properly designed records: Requisition forms are pre-numbered

• Periodic verification and reconciliation: Used and unused requisition forms are regularly reconciled to ensure that all these forms are properly accounted for

Management should evaluate the effect of compensating controls when evaluating whether a deficiency, or a combination of deficiencies, is a material weakness. For this purpose, the compensating controls must be operating effectively. If management believes there are compensating controls in place that could address the financial statement assertion or risk resulting from the deficiency, management should consider and validate whether:

1. The compensating control is effective

2. The compensating control would identify an error and address the assertion

The SEC states that compensating controls are not considered when determining whether a control deficiency exists. A control deficiency must be considered individually and in isolation from the performance of other controls. Compensating controls are appropriately considered when evaluating whether a significant deficiency or a material weakness exists.

Step 4: Determining Classification of Deficiencies

Based on an assessment of the likelihood and magnitude of a misstatement (Step 2) resulting from an internal control deficiency, management should determine if the deficiency represents a significant deficiency or a material weakness:

• A significant deficiency is a deficiency (i.e., control deficiency), or a combination of deficiencies, that is less severe than a material weakness yet important enough to merit attention by those having financial reporting oversight responsibility.

• A material weakness is a deficiency, or a combination of deficiencies, in ICFR, such that there is a reasonable possibility that a material misstatement will not be prevented or detected on a timely basis.

Each category is summarized in the following table.

The Hierarchy of ICFR Deficiencies

Material Weakness – A significant deficiency or combination of significant deficiencies that results in more than a remote likelihood that a material misstatement of the annual or interim financial statements will not be prevented or detected. Material weaknesses existing at the fiscal year-end assessment date will be reported publicly.

Significant Deficiency – A deficiency, or a combination of deficiencies, in internal control that is less severe than a material weakness, yet important enough to merit attention by those charged with governance.

Control Deficiency – Exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements on a timely basis.

The SEC provided the following examples of control deficiencies that may be considered at least a significant deficiency in ICFR:

• Controls over the selection and application of accounting policies that conform with U.S. GAAP

• Anti-fraud programs and controls

• Controls over significant routine and nonsystematic transactions

• Controls over the period-end financial reporting process

The SEC and PCAOB listed the following indicators of control deficiencies that are regarded as signs of material weaknesses in internal control:

1. Restatement of previously issued financial statements to reflect the correction of a misstatement due to error or fraud.

2. Identification by the auditor of a material misstatement in the financial statements in the current period that was not initially identified by the company’s internal control over financial reporting. (This would be a strong indicator of a material weakness even if management were to subsequently correct the misstatement.)

3. Oversight of the company’s external financial reporting and internal control over financial reporting by the company’s audit committee is ineffective.

4. The internal audit function or the risk assessment function is ineffective at a company for which such a function needs to be effective for the company to have an effective monitoring or risk assessment component, such as for very large or highly complex companies.

5. For complex entities in highly regulated industries, an ineffective regulatory compliance function. This relates solely to those aspects of the ineffective regulatory compliance function in which associated violations of laws and regulations could have a material effect on the reliability of financial reporting.

6. Identification of fraud of any magnitude on the part of senior management.

7. Significant deficiencies that have been communicated to management and the audit committee remain uncorrected after some reasonable period of time.

8. An ineffective control environment.

Since a significant deficiency can be a combination of internal control deficiencies, and a material weakness can be a combination of significant deficiencies, management must accumulate all internal control deficiencies for evaluation in the aggregate, considering whether there is a concentration of deficiencies over a particular business process, account, or assertion. For example, assume a particular location has four internal control deficiencies in relation to revenue processing. Although none of these deficiencies may individually be a significant deficiency, they could potentially rise to this level when aggregated. The assessment of the interaction of deficiencies with each other is essentially a search for patterns. That is, could the deficiencies affect the same financial statement accounts and assertion?

Step 5: Reporting Assessment Results

Management is required to report significant deficiencies to the external auditor. Both management and the external auditor are required to report significant deficiencies to the audit committee. If a material weakness exists as of the assessment date, management is required to conclude that ICFR is not effective and to disclose all material weaknesses that may have been identified. The SEC Chief Accountant has stated publicly that he expects management's report to disclose the nature of any material weakness in sufficient detail to enable investors and other financial statement users to understand the weakness and evaluate the circumstances underlying it. The “Management Internal Control Report” section discusses the information that should be included in management’s report on ICFR as required by SOX 404.


For purposes of SEC reporting, if a single material weakness in ICFR exists, then ICFR is not effective, regardless of the effectiveness of the rest of the controls. It is important to understand that a material weakness in ICFR does not necessarily mean that the company’s financial statements are misstated; rather, it means that there is a reasonable possibility that the company’s controls would not have prevented or detected a material misstatement on a timely basis.

Documentation of Effective Controls

Documentation is required for the effective design, implementation, and operating effectiveness of an entity’s internal control system. Management is responsible for developing and maintaining documentation of its internal control system. Documentation also provides a means to retain organizational knowledge and mitigate the risk of having that knowledge limited to a few personnel, as well as a means to communicate that knowledge as needed to external parties, such as external auditors.

Management’s documentation may take various forms, for example, entity policy manuals, accounting manuals, narrative memoranda, flowcharts, decision tables, procedural write-ups, or completed questionnaires. The level and nature of documentation vary based on the size, nature and complexity of the company. However, the IIA suggests that management needs to establish documentation that:

1. Enables a reasonably knowledgeable individual — this person does not have to be an expert with experience in the area, but should have some knowledge of the company or its business — to understand the process.

2. Provides context for the key controls so that a reasonable person would understand their function.

3. Details the operation of key controls, such as identifying who is performing the control, when the control is operating and at what frequency, how the control is performed, what evidence exists that the control was performed, and which reports are used in the operation of the control. It is valuable to agree with the external auditor on the quality standards to be established for control documentation.

4. Overall, enables a reasonable person to have a basis upon which to assess the design of the controls: Are the controls identified and documented sufficiently to either prevent or detect a material misstatement?

To accomplish the objectives listed above, management should include the following information when documenting controls:

• If management determines that a principle is not relevant, management supports that

determination with documentation that includes the rationale of how, in the absence of that


principle, the associated component could be designed, implemented, and operated

effectively.

• Management develops and maintains documentation of its internal control system.

• Management documents in policies the internal control responsibilities of the organization.

• Management evaluates and documents the results of ongoing monitoring and separate

evaluations to identify internal control issues.

• Management evaluates and documents internal control issues and determines appropriate

corrective actions for internal control deficiencies on a timely basis.

• Management completes and documents corrective actions to remediate internal control

deficiencies on a timely basis.

Control documentation also serves as a basis for management’s assessment about ICFR.

Documentation of the design of controls, including changes to those controls, is evidence that controls

are:

1. Identified

2. Capable of being communicated to those responsible for their performance

3. Capable of being monitored and evaluated by the entity

According to the SEC, evidential matter, including documentation, must support the assessment of

both the design of internal controls and the testing processes. Such evidential matter should provide

reasonable support:

• For the evaluation of whether the control is designed to prevent or detect material

misstatements or omissions

• For the conclusion that the tests were appropriately planned and performed

• That the results of the tests were appropriately considered

In other words, the evidential matter must provide reasonable support for management’s assessment

of ICFR. The SEC indicates that “reasonable support” for an assessment forms the basis for

management’s assessment including documentation of the methods and procedures it utilizes to

gather and evaluate evidence. Also, documentation of the design of key controls is an integral part of

that support.

Management should use judgment in determining the extent of documentation that is needed. For

example, in smaller companies, management’s daily interaction with its controls may provide the basis

for its assessment in specific areas. In this case, management may have limited documentation created

specifically for the assessment of ICFR. In addition, the evidential matter varies depending on the

assessed level of risk. Management should consider both the materiality of the financial reporting

element and its susceptibility to a material misstatement when determining the evidence needed to

support the assessment of a given financial reporting element.


The documentation supporting management’s assessment does not need to include the entire

population of controls that exists within a process that impacts financial reporting. The documentation

should be focused on those controls that management concludes are adequate to address the

identified financial reporting risks.

The following table summarizes examples of items that management should ensure are available to

support its assessment.

Examples of Items to be Included in Management’s Documentation

Scoping

• Identification of significant/individually important locations (including quantitative metrics and specific risks)

• Identification of significant accounts and disclosures (including materiality)

• Identification of significant processes and sub-processes

• Coverage analysis

Process Flow

• Mapping of significant accounts to processes and relevant assertions

• Flowcharts or narratives describing processes, sub-processes, and controls over relevant assertions, including the period-end financial reporting process

Control Environment

• Board minutes

• Human Resource policies and procedures manuals

• Job descriptions

• Employee files

• Personnel listings

• Employee turnover statistics

• Operating reports

• Organization charts

• Assessment of Audit Committee effectiveness

Risk Assessment

• Company objectives and associated risks to achievement

• Reports submitted to the Board of Directors and/or Audit Committee

• Risk analyses and assessment

• Disclosure Committee minutes

• Fraud risk assessment

Monitoring

• Internal Audit reports

• Internal Audit workpapers

• Self-assessments

Antifraud Programs and Controls

• Code of Conduct

• Confirmations of Code of Conduct

• Reports on hotline complaints

• Procedures for resolving complaints

• Logs of reported incidents

Information and Communication

• Financial reporting procedures manual

• Accounting policies and procedures

• Organizational structures indicating the lines of reporting and communication relevant to financial reporting

• Company policies related to distribution of information

Management’s Evaluation of Design

• Management’s conclusion on design effectiveness

• Identified deficiencies, if any, and impact on evaluation

Testing of Operating Effectiveness

• Testing selections, rationale for selection, and identification of key controls for testing

• Details of tests

• Management’s conclusion on operating effectiveness

• Identified exceptions, if any, and impact on evaluation

Evaluating Deficiencies in Internal Control Over Financial Reporting

• Control deficiencies, significant deficiencies, and material weaknesses from all sources (Internal Audit, external auditor, etc.)

• Compensating controls

• Results of aggregation of deficiencies

• Management’s report on its assessment of the effectiveness of internal control over financial reporting

Source: PwC, Sarbanes-Oxley Act: Section 404 Practical Guidance for Management

Identification of Control Gaps

The most effective way to meet the legal requirements (e.g. Section 404) depends on the size, nature

and complexity of the organization, including the quality of business processes and internal control

systems. Thus, it is recommended that an evaluation of the controls and procedures be made by

developing an internal control “maturity analysis”. An internal controls maturity analysis allows

management to evaluate how the company’s existing control structure impacts the level of effort

required to meet its control reporting requirements. Moreover, the level of maturity affects the level

of resources required by management and the external auditor to meet SOX 404 requirements, which

would require a level of at least “monitored” for significant controls. According to Protiviti, there are

five maturity levels that a company’s internal controls framework can be categorized into, each with

unique characteristics.


The following table lists details of each level to help management evaluate the sufficiency of a

company’s internal controls in a given area with Section 404 implication.

[Figure: maturity continuum from Initial through Repeatable, Defined and Managed to Optimizing]

Capability Level / Capability Description / Capability Attributes / Section 404 Implications

Optimizing

Description: Continuous Improvement

Attributes and Section 404 implications:

• Continuously improving controls enterprise-wide

• Best practices identified and shared

• World-class financial reporting processes

• Organized efforts to remove inefficiency

• External and internal change monitored for impact on control structure

• Internal controls − Integrated framework fully implemented

• Entity-level analytics fully operational

• Faster decisions on improving controls

• Controls preventive and systems-based

Managed

Description: Quantitative

Attributes and Section 404 implications:

• Risks managed quantitatively enterprise-wide

• “Chain of accountability”

• Control process performance standards established and managed

• Rigorous estimation methodologies and analysis

• Process risks are managed quantitatively and aggregated at corporate level

• Process-based self-assessment applied

• Controls effectiveness continuously assessed and validated

• Process owners report to management

• Internal audit plans aligned

• Entity-level analytics and monitoring controls emerging

• Primary effort directed to high-risk areas

Defined

Description: Qualitative/Quantitative

Attributes and Section 404 implications:

• Policies, process and standards defined and institutionalized

• “Chain of certification”

• Internal control uniform across the entity’s processes

• Transaction flows documented

• Risk of fraud, errors and omissions sourced

• Control processes for mitigating risk better documented and integrated

• All groups accountable to use organization’s control standards

• Remaining known gaps closed

• Control reports not very robust

• Assurance lacking that all deviations from control standards detected

Repeatable

Description: Intuitive

Attributes and Section 404 implications:

• Process established and repeating; reliance on people continues

• Controls documentation lacking

• Common control framework

• Increased controls awareness

• Basic policies and control processes established

• Process activities are repeating but not necessarily documented

• Quality people assigned to support control activities

• Some control gaps identified and fixed

• Communication is lacking

• Limited monitoring controls and activities

• Control structure still not sustainable

Initial

Description: Ad Hoc/Chaotic

Attributes and Section 404 implications:

• Control is not a priority

• Unstable environment leads to dependency on heroics

• Reliance on individual initiative

• “Just do it”

• Ad hoc disclosure activities

• Policies not articulated

• Few process activities are defined

• Institutional capability lacking

• Overemphasis on detective controls

• Controls are not periodically evaluated for deficiencies

• Success depends on manual efforts and validation by seasoned managers

• Gaps result when key people leave

Source: Protiviti, Guide to the Sarbanes-Oxley Act: Internal Control Reporting Requirements, 2007

At the Initial State, there is a general lack of policies and formal processes since control is fragmented.

There is not much accountability at this state due to the absence of a clearly designated owner of a

risk. The company highly depends on its people. Thus, the company has difficulty replicating the


procedures if any one of its key people leaves. This stage is not sustainable because of the high

potential for error and the significant inefficiencies with high costs.

At the Repeatable State, although the company’s capabilities are improved (e.g. basic policies and

control, increased controls awareness), accountability is an issue since reporting is not rigorous

enough to hold people accountable for results. However, the increased process discipline and

established guidelines make the process “repeatable”. In general, this state is still considered high cost because

of an over-reliance on people and a lack of process documentation.

At the Defined State, processes and transaction flows are documented, and the key controls are

identified. Known control gaps are closed. However, there is no assurance that all existing gaps are

identified since process owners are not self-assessing their processes against established management

control standards. A disclosure creation process is documented and implemented. Controls awareness

and an increased focus on improving efficiency are taking place.

At the Managed State, quantitative performance measures provide management the basis for

determining whether mitigating controls are functioning as intended. For example, the operating

effectiveness of control activities is assessed quarterly. Process owners self-assess the controls and

report the results to management. Internal audit plans are aligned with management expectations.

The appropriate efficiencies are driven into the processes.

At the Optimizing State, the entire company is focused on continuous improvements as organized

efforts are made to remove inefficiencies with formal cost/benefit analysis. Best practices are

identified and shared across the company. Continuing self-assessments result in continued

improvements in the control structure. Process owners apply technology to maintain the

documentation of controls policies, processes, and reports. The company fully aligns its policies,

processes, people, technology and knowledge to achieve fair and transparent reporting. This stage

achieves the most ongoing efficiencies in the design and operation of the processes.

In summary, companies can use this process maturity continuum to identify the gaps based on the

level of capability management desires to achieve. Then, management can decide where on the

continuum the company needs to be. For example, when the financial reporting process is at the

Defined State, management needs to decide at what state it wants this process to be and by when.


Illustration of Potential Internal Control Weaknesses and Compensating Controls: Accounting and Financial Reporting

Source: Government Finance Officers Association, Evaluating Internal Controls: A Local Government Manager’s Guide

The Books, Records and Reports Cycle

I. Overall Objectives

A. All posting of transactions from the books of original entry to the general or subsidiary ledgers or between funds and accounts within these ledgers and all adjustments, deductions or write-offs should be in accordance with the governing board’s and management’s general and/or specific authorizations

B. All transactions recorded within the books of original entry should be analyzed and summarized (where appropriate), and accurately posted to the correct general or subsidiary ledger accounts, in the correct time period

C. All adjustments, deductions or write-offs of account balances should be calculated, summarized and recorded in the correct period

D. All postings to the general ledger or subsidiary ledgers or transfers between ledger accounts or adjustments to general ledger balances should be supported by and referenced to adequate, authorized documentation or by entries in the books of original entry

II. Potential Weaknesses

A. Existence or occurrence

• Inaccurate summarization or posting to the general or subsidiary ledgers, or incorrect transfer

between accounts

• Inaccurate calculation, summarization of account adjustment, deduction or write-off

• Ledger postings or transfers or adjustment unsupported by journal voucher or books of

original entry

• Inadequate records for fixed assets

B. Rights and obligations

• Unauthorized posting or transfer between accounts or adjustment to account balances

C. Allocation


• Posting or transfer to the wrong fund, program unit or ledger account

• Posting or transfer made in the wrong time period

• Account adjustment, deduction or write-off posted to the wrong account or fund

• Account adjustment, deduction or write-off recorded in the wrong period

III. Compensating Controls

A. Prior authorization and approval

• Assigned authorization levels for standard and nonstandard journal entries and adjustments

of accounts

• Policy statements and procedure manuals that specify how, when and by whom posting,

adjustments to accounts and transfers are to be made

B. Properly designed records

• A formal requirement for all nonstandard journal entries to be supported by adequate

documentation

• Use of the chart of accounts as applicable for each fund

• Maintenance of control accounts within the general ledger

• Maintenance of sufficiently detailed records for fixed assets

C. Security of assets and records

• Restriction of access to books of original entry, journals, the general ledger and subsidiary

ledgers

D. Segregation of incompatible duties

• Regular independent review of journal entries and supporting documentation

E. Periodic reconciliations

• Regular reconciliation of control accounts to the related subsidiary records

F. Analytical review

• Regular extraction of fund trial balances and prompt investigation of any unusual items
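The weaknesses in section II and the compensating controls in section III can be run mechanically over a journal extract before the independent reviewer looks at the exceptions: unsupported or under-authorized nonstandard entries, postings in the wrong period, preparer and approver being the same person, a control account that does not agree to its subsidiary records, and trial-balance movements large enough to merit prompt investigation. The following Python script is an added example written for this page; it is not code from the GFOA guide or from this course. The journal entries, subsidiary balances, user names, roles and approval limits are constructed and labelled as such in the code.

```python
"""Detective checks over a journal extract (Books, Records and Reports cycle). Added example, not from
the GFOA guide or this course; the journal, subsidiary balances, roles and limits are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from decimal import Decimal
from typing import Optional

@dataclass(frozen=True)
class JournalEntry:
    entry_id: str
    period: str                # accounting period the entry was posted to, "YYYY-MM"
    doc_date: str              # date on the supporting document, "YYYY-MM-DD"
    fund: str
    account: str
    amount: Decimal            # positive = debit, negative = credit
    standard: bool             # False marks a nonstandard entry (adjustment, write-off, transfer)
    voucher: Optional[str]     # journal voucher reference; None when nothing is attached
    prepared_by: str
    approved_by: Optional[str]

# Hypothetical authorization policy: the largest nonstandard amount each assigned level may approve.
APPROVAL_LIMITS = {"ap_clerk": Decimal("0"), "controller": Decimal("50000"), "cfo": Decimal("1000000")}
ROLES = {"alice": "ap_clerk", "bob": "controller", "carol": "cfo"}

# Constructed journal for March 2024; three entries are deliberately defective.
JOURNAL = [
    JournalEntry("JE-001", "2024-03", "2024-03-05", "GENERAL", "1200", Decimal("1500.00"), True, "V-101", "alice", "bob"),
    JournalEntry("JE-002", "2024-03", "2024-03-18", "GENERAL", "1200", Decimal("-1500.00"), True, "V-102", "alice", "bob"),
    # write-off with no voucher, prepared and approved by the same person
    JournalEntry("JE-003", "2024-03", "2024-03-20", "GENERAL", "1200", Decimal("-800.00"), False, None, "bob", "bob"),
    # document dated April but posted to March
    JournalEntry("JE-004", "2024-03", "2024-04-02", "GENERAL", "2100", Decimal("4200.00"), False, "V-104", "alice", "bob"),
    # nonstandard amount above the controller's approval limit
    JournalEntry("JE-005", "2024-03", "2024-03-25", "WATER", "4000", Decimal("75000.00"), False, "V-105", "alice", "bob"),
]
# Constructed subsidiary ledger for control account 1200 (receivables by customer) and prior-period trial balance.
SUBSIDIARY_1200 = {"cust-A": Decimal("200.00"), "cust-B": Decimal("-800.00")}
PRIOR_TRIAL_BALANCE = {("GENERAL", "1200"): Decimal("-700.00"), ("GENERAL", "2100"): Decimal("4000.00"),
                       ("WATER", "4000"): Decimal("20000.00")}

def check_authorization(journal):
    """III.A prior authorization: a nonstandard entry needs an approver whose assigned level covers the amount."""
    findings = []
    for je in journal:
        limit = APPROVAL_LIMITS.get(ROLES.get(je.approved_by or "", ""), Decimal("0"))
        if not je.standard and abs(je.amount) > limit:
            findings.append((je.entry_id, f"approver {je.approved_by} not authorized for {abs(je.amount)}"))
    return findings

def check_documentation(journal):
    """III.B properly designed records: every nonstandard entry references a journal voucher."""
    return [(je.entry_id, "nonstandard entry lacks voucher") for je in journal
            if not je.standard and je.voucher is None]

def check_period(journal):
    """II.C allocation: the posting period must match the period of the supporting document."""
    return [(je.entry_id, f"document dated {je.doc_date} posted to {je.period}")
            for je in journal if je.doc_date[:7] != je.period]

def check_segregation(journal):
    """III.D segregation of duties: the preparer may not approve the entry they prepared."""
    return [(je.entry_id, "preparer approved own entry")
            for je in journal if je.approved_by is not None and je.prepared_by == je.approved_by]

def reconcile_control_account(journal, account, subsidiary):
    """III.E periodic reconciliation: GL control balance versus the sum of the subsidiary records."""
    gl = sum((je.amount for je in journal if je.account == account), Decimal("0"))
    sub = sum(subsidiary.values(), Decimal("0"))
    return gl, sub, gl - sub

def analytical_review(journal, prior, threshold=Decimal("0.5")):
    """III.F analytical review: build a fund trial balance from the journal and flag accounts that moved
    by more than `threshold` (a fraction) against the prior period, for prompt investigation."""
    current = defaultdict(Decimal)
    for je in journal:
        current[(je.fund, je.account)] += je.amount
    unusual = []
    for key, now in current.items():
        before = prior.get(key, Decimal("0"))
        if before == 0 or abs(now - before) / abs(before) > threshold:
            unusual.append((key, before, now))
    return unusual

def run_all_checks(journal, subsidiary_by_account, prior):
    """Run every check; the findings dictionary is what goes to the independent reviewer."""
    findings = {"authorization": check_authorization(journal), "documentation": check_documentation(journal),
                "period": check_period(journal), "segregation": check_segregation(journal),
                "analytical": analytical_review(journal, prior), "reconciliation": {}}
    for account, subsidiary in subsidiary_by_account.items():
        gl, sub, diff = reconcile_control_account(journal, account, subsidiary)
        if diff != 0:
            findings["reconciliation"][account] = diff
    return findings

if __name__ == "__main__":
    for control, result in run_all_checks(JOURNAL, {"1200": SUBSIDIARY_1200}, PRIOR_TRIAL_BALANCE).items():
        print(control, result)
```

On the constructed data the script flags JE-005 (above the controller's limit), JE-003 (no voucher, self-approved), JE-004 (April document posted to March), a 200.00 difference between control account 1200 and its subsidiary records, and the WATER fund account 4000 whose balance moved far more than 50 percent against the prior period. Each check is a detective control over the journal itself; the design choice worth noting is that the findings are returned as data rather than printed, so a reviewer who is independent of the preparers can consume and retain them as evidence of the control having operated.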


Part II − Section 2 Review Questions

13. What is the process maturity level for the company’s internal control over financial reporting if the

chain of accountability is established and the process risks are managed quantitatively?

A. Defined

B. Optimizing

C. Repeatable

D. Managed

14. What type of control is often used by operatives where formal controls are inadequate in

containing risk or are not used in practice?

A. Directive control

B. Corrective control

C. Entity-level control

D. Compensating control

15. Which of the following statements is TRUE regarding management’s documentation of internal

controls?

A. The documentation supporting assessment must include the entire population of controls

B. The use of policy manual is the only acceptable form of evidence

C. Control documentation serves as a basis for management’s assessment about ICFR

D. The documentation provides definite support that the tests were properly performed


PART III. Audit of ICFR Integrated with Audit of

Financial Statements

Audit Objectives and Scope

Effective internal control over financial reporting (ICFR) provides reasonable assurance regarding the

reliability of financial reporting and the preparation of financial statements for external purposes. If

one or more material weaknesses exist, the company's ICFR cannot be considered effective. A properly

conducted audit of ICFR integrated with an audit of financial statements (integrated audit) should

reveal internal control weaknesses that could have such a major impact on the financial reporting

process. The following standards establish requirements and provide direction that applies when an

auditor is engaged to perform an integrated audit:

• Auditing Standard No. 2201 (public entities)

• Statement of Auditing Standards No. 130 (nonpublic entities)

The objectives of the auditor in an audit of ICFR are to:

1. Obtain reasonable assurance about whether material weaknesses exist as of the date specified

in management’s assessment about the effectiveness of ICFR (as of date); and

2. Express an opinion on the effectiveness of ICFR in a written report, and communicate with

management and those charged with governance (audit committee), based on the auditor’s

findings.

In general, an audit includes obtaining an understanding of ICFR for the primary purpose of

determining the nature, extent and timing of subsequent audit procedures to be performed.

Therefore, to achieve the objectives, auditors should design tests of controls to obtain:

• Sufficient appropriate audit evidence to support the auditor’s opinion on ICFR as of the date

specified in management’s assessment about ICFR and

• Sufficient appropriate audit evidence to support the auditor’s control risk assessments for

purposes of the audit of financial statements


One of the auditor's primary concerns is whether a specific control affects financial statement

assertions since much of the audit work required to form an opinion consists of gathering evidence

about the assertions in the financial statements. If, during the audit, the auditor identifies a deficiency,

the auditor should determine the effect of the deficiency, if any, on the nature, timing, and extent of

substantive procedures to be performed to reduce audit risk in the audit of the financial statements

to an acceptably low level.

This chapter addresses the following key auditing procedures required by the standards:

• Planning the Audit

• Using a Top-Down Approach

• Assessing the Risk of Fraud

• Testing Controls

• Evaluating Control Deficiencies

• Responding to Misstatements Caused by Fraud

• Reporting Audit Results

What Public Companies Are NOT Required to Have an ICFR Audit?

In general, large public companies that file annual reports with the SEC are required to include in

their annual report an opinion from the company’s financial statement auditor on the effectiveness

of the company’s ICFR. Several types of companies, however, are exempt from this requirement.

These exempt companies include:

1. Investment companies. Mutual funds, and other types of investment companies, are essentially

pools of securities. Such funds do not themselves engage in any business activities.

2. Non-accelerated filers. Companies that file reports with the SEC, but have a public float (that is,

securities available for public trading) of less than $75 million are referred to as non-accelerated

filers because they are not subject to the same filing deadlines as larger (accelerated) filers.

3. Emerging growth companies. During the five years following its first registered public sale of

common stock, a company that has total annual revenue of less than $1 billion is an emerging

growth company (“EGC”). Such a company loses its EGC status if it becomes a “large accelerated

filer” (generally this requires an aggregate worldwide public float of at least $700 million) or if

it issues more than $1 billion of nonconvertible debt in a three-year period.

Source: Center for Audit Quality, Guide to Internal Control Over Financial Reporting, 2013


Relevant Standards

Auditing Standard No. 2201

In 2007, the SEC voted unanimously in favor of Auditing Standard 5 (AS No. 5) to increase the accuracy

of financial reports while reducing unnecessary costs, especially for smaller public companies. It

superseded PCAOB Auditing Standard 2, and with it, the PCAOB has attempted to reduce the overall

effort required to comply with Section 404. AS No. 5 establishes requirements and provides directions

that apply when an auditor is engaged to perform an audit of management’s assessment of the

effectiveness of ICFR that is integrated with an audit of the financial statements.

AS No. 5 is mandatory for external auditors, but not for management. However, management needs

to understand AS No. 5 since it explains how the external auditor will review and evaluate

management’s assessment process. It is also important if management is going to minimize audit fees

by maximizing reliance on management testing.

Upon the adoption of the reorganization of PCAOB auditing standards, AS No. 5 is referred to as AS

No. 2201.

Statement on Auditing Standards 130

As part of its Attestation Clarity Project, the Auditing Standards Board (ASB) has published SAS 130, An

Audit of Internal Control over Financial Reporting That Is Integrated with an Audit of Financial

Statements. SAS 130 provides guidance that applies only when an auditor is engaged to perform an

audit of internal control over financial reporting (ICFR) integrated with an audit of financial statements.

When drafting SAS 130, the ASB intended to adhere as closely as possible to AT section 501 and PCAOB

AS No. 5.

SAS 130 also amends various sections in SAS 122, Statements on Auditing Standards: Clarification and

Recodification. Generally Accepted Auditing Standards (GAAS) still apply to the audit of financial

statements but are to be adapted as necessary in the circumstances when applied to an integrated

audit. Auditors should use SAS 130 as a guideline to ensure quality performance of an integrated audit.

SAS 130 includes the following changes:

• The auditor is required to examine and report directly on the effectiveness of ICFR. There is

no longer an option to examine and report on management’s assessment about the

effectiveness of ICFR.

• The term significant account or disclosure used in AT section 501 has been changed to

significant class of transactions, account balance, or disclosure to align with terminology used

in existing GAAS.


• It clarifies that the risk factors the auditor is required to evaluate in the identification of

significant classes of transactions, account balances, and disclosures and their relevant

assertions are the same in the audit of ICFR as in the audit of the financial statements.

• The SAS allows, as does AT section 501, the auditor to use the work of internal auditors and

others in obtaining evidence about the effectiveness of ICFR.

The following sections discuss the key procedures involved in the integrated audit.

Planning the Audit

The auditor should properly plan the audit of ICFR and properly supervise any assistants. When

planning an integrated audit, the auditor should evaluate whether the following matters are important

to the company's financial statements and ICFR and, if so, how they will affect the auditor's

procedures:

• Knowledge of the company's ICFR obtained during other engagements performed by the

auditor;

• Matters affecting the industry in which the company operates, such as financial reporting

practices, economic conditions, laws and regulations, and technological changes;

• Matters relating to the company's business, including its organization, operating

characteristics, and capital structure;

• The extent of recent changes, if any, in the company, its operations, or its ICFR;

• The auditor's preliminary judgments about materiality, risk, and other factors relating to the

determination of material weaknesses;

• Control deficiencies previously communicated to the audit committee or management;

• Legal or regulatory matters of which the company is aware;

• The type and extent of available evidence related to the effectiveness of the company's ICFR;

• Preliminary judgments about the effectiveness of ICFR;

• Public information about the company relevant to the evaluation of the likelihood of material

financial statement misstatements and the effectiveness of the company's ICFR;

• Knowledge about risks related to the company evaluated as part of the auditor's client

acceptance and retention evaluation; and

• The relative complexity of the company's operations.

To develop an understanding of internal control, the internal auditor must become familiar with the

operating unit or area being audited, including knowledge about the design of relevant controls and

whether they have been placed in operation. Reviewing the entity's descriptions of inventory policies

and procedures helps the auditor understand their design.


Appendix C includes the questionnaires and checklists that help you document your understanding of

the control environment and of internal control over the following cycles:

1. Revenue

2. Purchasing

3. Inventory

4. Financing

5. Property, Plant, and Equipment

6. Payroll


Part III − Section 1 Review Questions

16. In an audit of financial statements, what is an auditor's primary consideration regarding internal

control?

A. Whether the control reflects management's philosophy and operating style

B. Whether the control affects management's financial statement assertions

C. Whether the control provides adequate safeguards over access to assets

D. Whether the control enhances management's decision-making processes

17. SAS 130 applies to which of the following types of audits?

A. A forensic examination

B. An integrated audit

C. Agreed upon procedures for compliance

D. A performance audit

18. To obtain an understanding of a manufacturing entity's internal control concerning inventory

balances, what would an auditor most likely do?

A. Review the entity's descriptions of inventory policies and procedures

B. Perform test counts of inventory during the entity's physical count

C. Analyze inventory turnover statistics to identify slow-moving and obsolete items

D. Analyze monthly production reports to identify variances and unusual transactions


Using a Top-Down Approach

The Key Concepts

The top-down approach describes the auditor’s sequential thought process in identifying risks and the

controls to test, not necessarily the order in which the auditor will perform the audit procedures. A

top-down approach involves:

• Beginning at the financial statement level

• Using the auditor’s understanding of the overall risks to ICFR

• Focusing on entity-level controls

• Working down to significant classes of transactions, account balances, and disclosures, and

their relevant assertions

• Directing attention to classes of transactions, accounts, disclosures, and assertions that present

a reasonable possibility of material misstatement of the financial statements

• Verifying the auditor’s understanding of the risks in the entity’s processes

• Selecting controls for testing that sufficiently address the assessed risks of material

misstatement to each relevant assertion

Key concepts of the top-down approach are discussed below.

Identification of Significant Accounts and Disclosures. To identify significant accounts and disclosures

and their relevant assertions, the auditor should evaluate the qualitative and quantitative risk factors

related to the financial statement line items and disclosures. Risk factors relevant to the identification

of significant accounts and disclosures and their relevant assertions include:

• Size and composition of the account;

• Susceptibility to misstatement due to errors or fraud;

• Volume of activity, complexity, and homogeneity of the individual transactions processed

through the account or reflected in the disclosure;

• Nature of the account or disclosure;

• Accounting and reporting complexities associated with the account or disclosure;

• Exposure to losses in the account;

• Possibility of significant contingent liabilities arising from the activities reflected in the account

or disclosure;

• Existence of related party transactions in the account; and

• Changes from the prior period in account or disclosure characteristics

Understanding of Likely Sources of Misstatement. To further understand the likely sources of

potential misstatements, and as a part of selecting the controls to test, the auditor should:

Page 103: Internal ontrol and raud etection

91

1. Understand the flow of transactions related to the relevant assertions, including how these

transactions are initiated, authorized, recorded, processed, and reported.

2. Identify the points within the entity’s processes at which a misstatement, including a

misstatement due to fraud, could arise that, individually or in combination with other

misstatements, would be material (for example, points at which information is initiated,

transferred, or otherwise modified).

3. Identify the controls that management has implemented to address these potential

misstatements.

4. Identify the controls that management has implemented over the prevention, or timely

detection and correction, of unauthorized acquisition, use, or disposition of the entity’s assets

that could have a material effect on the financial statements.

Because of the degree of judgment necessary, the auditor should either directly perform the

procedures or supervise the work of the internal auditors or others who provide direct assistance to

the auditor.

Period-end Financial Reporting Process. Because of its importance to financial reporting and the auditor's opinions on ICFR and the financial statements, the auditor must evaluate the period-end financial reporting process. The period-end financial reporting process includes the following:

• Procedures used to enter transaction totals into the general ledger;
• Procedures related to the selection and application of accounting policies;
• Procedures used to initiate, authorize, record, and process journal entries in the general ledger;
• Procedures used to record recurring and nonrecurring adjustments to the annual and quarterly financial statements; and
• Procedures for preparing annual and quarterly financial statements and related disclosures.

Because the annual period-end financial reporting process normally occurs after the "as-of" date of management's assessment, those controls usually cannot be tested until after the as-of date.

As part of evaluating the period-end financial reporting process, the auditor should assess:

1. Inputs, procedures performed, and outputs of the processes the company uses to produce its annual and quarterly financial statements;
2. The extent of IT involvement in the period-end financial reporting process;
3. Who participates from management;
4. The locations involved in the period-end financial reporting process;
5. The types of adjusting and consolidating entries; and
6. The nature and extent of the oversight of the process by management, the board of directors, and the audit committee.


The auditor should obtain sufficient evidence of the effectiveness of those quarterly controls that are important to determine whether the company's controls sufficiently address the assessed risk of misstatement to each relevant assertion as of the date of management's assessment. However, the auditor is not required to obtain sufficient evidence for each quarter individually.

Control Environment. Because of its importance to effective ICFR, the auditor must evaluate the control environment at the company. The factors to consider in assessing the control environment include:

• Integrity and ethical values, including:
    − Management’s actions to eliminate or mitigate incentives and temptations on the part of personnel to commit dishonest, illegal, or unethical acts;
    − Policy statements; and
    − Code of conduct.
• Commitment to competence, including management’s consideration of competence levels for specific tasks and how those levels translate into necessary skills and knowledge.
• Board of directors or audit committee participation, including interaction with internal and external (independent) auditors (e.g., whether the board or audit committee understands and exercises oversight responsibility over financial reporting and internal control).
• Management’s philosophy and operating style, such as management’s attitude and actions regarding financial reporting, as well as management’s approach to taking and monitoring risks (e.g., whether management's philosophy and operating style promote effective ICFR).
• The entity’s organizational structure (i.e., the form and nature of organizational units).
• Assignment of authority and responsibility, including fulfilling job responsibilities.
• Human resource policies and practices, including those relating to hiring, orientation, training, evaluating, counseling, promoting, and compensating employees.

In obtaining an understanding of the control environment, the auditor seeks to understand the attitude, awareness, and actions concerning the control environment on the part of management and the directors. For this purpose, the auditor must concentrate on the substance of controls rather than their form, because controls may be established but not acted upon. For example, management may adopt a code of ethics but condone violations of the code.

Risk Assessment. The following principles are relevant to the auditor’s evaluation of whether the entity’s risk assessment is present and functioning in the design, implementation, and operation of ICFR to achieve the entity’s financial reporting objectives:

1. The entity specifies financial reporting objectives with sufficient clarity to enable the identification and assessment of risks related to these objectives.
2. The entity identifies risks to the achievement of financial reporting objectives across the entity and analyzes risks as a basis for determining how the risks need to be managed.
3. The entity considers the potential for fraud in assessing risks to the achievement of financial reporting objectives.
4. The entity identifies and assesses changes that could significantly impact ICFR.

Control Activities Relevant to the Audit of ICFR. The following principles are relevant to the auditor’s evaluation of whether the entity’s control activities relevant to the audit of ICFR are present and functioning in the design, implementation, and operation of ICFR to achieve the entity’s financial reporting objectives:

1. The entity selects and develops control activities that contribute to the mitigation of risks to the achievement of financial reporting objectives to acceptable levels.
2. The entity selects and develops general control activities over technology to support the achievement of financial reporting objectives.
3. The entity deploys control activities through policies that establish what is expected and procedures that put policies into action.

Control activities relevant to the audit of ICFR include those related to each significant class of transactions, account balance, and disclosure, and its relevant assertions:

• Existence or occurrence
• Completeness
• Valuation or allocation
• Rights and obligations
• Presentation and disclosure

The definition of each assertion is included in the “Step 2: Defining Control Objectives” section.

In summary, the effectiveness of a risk-based audit depends on whether the auditor identifies the risks of material misstatement and has an appropriate basis for assessing those risks. Therefore, both the PCAOB and the AICPA require the auditor to assess the risks of material misstatement at the financial statement level and the assertion level. The assessment enhances the effectiveness of audit procedures by assisting the auditor to determine the scope of testing.

The following section includes sample audit programs containing detailed audit objectives and procedures for key processes.

Sample Audit Programs

Cash in Bank

I. Audit Objectives:

A. Determine that cash recorded in books exists and is owned by the company (Existence and Rights).
B. Determine that cash transactions are recorded in the correct accounting period at appropriate values, i.e., that there is a proper cut-off of cash receipts and disbursements (Completeness and Valuation).
C. Determine that balance sheet amounts include items in transit as well as cash on deposit with third parties (Completeness).
D. Determine that cash is properly classified in the balance sheet and that relevant disclosures are presented in the financial statement notes (Presentation and Disclosure).

II. Procedures:

A. Perform analytical procedures to identify obvious discrepancies or errors before conducting tests of details. These types of procedures include:
    • Comparing cash balances with forecasts and budgets. For example, when cash balances greatly exceed or fall below expectations for the year, this should alert the auditor to items to look for during the tests of details.
    • Reviewing company policies regarding minimum cash balances and the investment of surplus cash.
B. With respect to the bank reconciliations prepared by accounting personnel:
    • Verify that proper segregation of duties between custodial, accounting, and approving personnel exists.
    • Trace book balances to general ledger control totals.
    • Compare ending balances per the bank statements to the ending balances on the bank reconciliation.
    • Verify the mathematical and clerical accuracy, including checking extensions.
    • Trace deposits in transit and outstanding checks to subsequent months’ bank statements, which are intercepted before accounting personnel have access to them.
    • Inspect canceled checks for dates of cancellation in order to identify checks which were not recorded in the proper accounting period.
    • Ascertain that checks listed as outstanding are in fact: (1) recorded in the proper time period, and (2) checks that have not cleared. Scrutinize the dates on which outstanding checks have cleared to see if the books have been held open to improve ratios.
    • Identify and investigate checks that are: (1) above limits prescribed by management, (2) drawn to “bearer,” and (3) drawn payable to cash.
    • Determine if unusual reconciling and long outstanding items are followed up and proper disposition of such items is made.
    • If balances have been confirmed with banks, compare confirmed balances with bank balances per the year-end bank statements.


C. With respect to listings of cash investments:
    • Trace book balances to general ledger control accounts.
    • Verify the accuracy of all extensions and footings.
    • Consider confirming balances directly with bank personnel.
    • Obtain and inspect passbooks and certificates of deposit.
    • Recalculate income derived from cash investments and trace the income amounts to the books of original entry. Also, reconcile interest revenue amounts to the amount of cash investments for reasonableness.
    • Consider using a custodian to maintain physical custody for safekeeping and to guard against forgeries.
D. Prepare a bank transfer schedule which identifies:
    • Name of disbursing bank
    • Check number
    • Dollar amount
    • Date disbursement is recorded in books
    • Name of receiving bank
    • Date receipt is recorded in books
    • Date receipt is recorded by bank
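The bank transfer schedule in procedure D is only useful once its dates are compared against the period end: a transfer whose disbursement is booked in one period and whose receipt is booked in the other lets the same cash appear in both accounts (or in neither). The following Python script is an added illustration and is not part of the course's audit program. It builds the schedule with the seven fields listed above, using a record layout, field names and a constructed set of three transfers that are assumptions of this example, and flags every row whose dates straddle the period end.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class BankTransfer:
    """One row of the bank transfer schedule, carrying the fields procedure D lists."""
    disbursing_bank: str
    check_number: str
    amount: float
    disbursement_per_books: date  # date the disbursement is recorded in the books
    receiving_bank: str
    receipt_per_books: date       # date the receipt is recorded in the books
    receipt_per_bank: date        # date the receipt is recorded by the receiving bank


def straddles(period_end: date, *dates: date) -> bool:
    """True when the given dates do not all fall on the same side of period end."""
    sides = {d <= period_end for d in dates}
    return len(sides) > 1


def cutoff_exceptions(transfers, period_end):
    """Flag transfers whose recorded dates straddle period end.

    Returns {check_number: [reason, ...]}; clean transfers are omitted.
    """
    exceptions = {}
    for t in transfers:
        reasons = []
        # Disbursement and receipt booked in different periods: the same cash
        # can be counted in both accounts (kiting) or in neither (cut-off error).
        if straddles(period_end, t.disbursement_per_books, t.receipt_per_books):
            reasons.append("disbursement and receipt booked in different periods")
        # Receipt booked before period end but recorded by the bank after it
        # must appear as a deposit in transit on the reconciliation.
        if straddles(period_end, t.receipt_per_books, t.receipt_per_bank):
            reasons.append("book receipt and bank receipt fall in different periods")
        # A receipt booked before the disbursement is itself anomalous.
        if t.receipt_per_books < t.disbursement_per_books:
            reasons.append("receipt booked before disbursement")
        if reasons:
            exceptions[t.check_number] = reasons
    return exceptions


# Constructed sample schedule (not taken from the course text); year-end 2020-12-31.
PERIOD_END = date(2020, 12, 31)
SAMPLE_TRANSFERS = [
    BankTransfer("First Bank", "1001", 5000.00, date(2020, 12, 29),
                 "Second Bank", date(2020, 12, 29), date(2020, 12, 30)),
    BankTransfer("First Bank", "1002", 25000.00, date(2021, 1, 4),
                 "Second Bank", date(2020, 12, 30), date(2020, 12, 31)),
    BankTransfer("Second Bank", "1003", 8000.00, date(2020, 12, 31),
                 "First Bank", date(2020, 12, 31), date(2021, 1, 2)),
]

if __name__ == "__main__":
    for check, reasons in cutoff_exceptions(SAMPLE_TRANSFERS, PERIOD_END).items():
        print(check, "->", "; ".join(reasons))
```

Run against the sample, check 1001 is clean, check 1002 is flagged twice (receipt booked in the old year, disbursement in the new one, and the receipt precedes the disbursement), and check 1003 is flagged only as a deposit in transit that should appear on the year-end reconciliation. Each flagged row is a lead for the cut-off test in procedure E, not a conclusion by itself.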

E. Perform a cut-off test wherein transactions for the last few days of the year and the first few days of the next year are scrutinized.
F. Inspect bank statements in order to identify obvious erasures or alterations.
G. Inspect debit and credit memos and trace them to the bank statements.
H. Read financial statements and investment certificates for appropriate classification of cash balances.
I. With respect to cash on hand (i.e., petty cash funds):
    • Determine the identity of all funds.
    • Select funds to be counted and list currency and coins by denomination; account for vouchers, stamps, and checks; trace fund balances to general ledger control accounts.
J. Investigate the reasons for delays in deposits.
K. Note unusual activity in inactive accounts since it may be indicative of cash being hidden.
L. In a cash-basis entity, reconcile sales with cash receipts.
M. List unusual cash receipts (e.g., currency receipts).
N. Examine third party endorsements by reviewing canceled checks.


Trade Accounts and Notes Receivable

I. Audit Objectives:

A. Determine that the trade accounts and notes receivable represent bona fide receivables and are valued properly (Existence and Valuation).
B. Determine that the allowances for doubtful accounts are adequate and reasonable (Valuation).
C. Determine the propriety of disclosures pertaining to pledging, assigning, and discounting of receivables (Presentation and Disclosure).
D. Determine the correctness of the recorded interest income that is attributable to accounts and notes receivable (Completeness).
E. Determine that receivables are properly classified in the balance sheet (Presentation and Disclosure).

II. Audit Procedures:

A. Scan general ledger accounts in order to identify significant and unusual transactions.
B. Compare opening general ledger balances with closing general ledger balances of the prior period.
C. Perform analytical procedures by evaluating the relationships between: (1) receivables and sales and (2) notes receivable and interest income attributable thereon.
D. With respect to the aged trial balance prepared by accounting personnel:
    • Verify extensions and footings.
    • Trace the total of the aged trial balance to the general ledger control total.
    • Trace selected entries on the aging schedule to respective accounts in the subsidiary ledger.
    • Trace selected subsidiary ledger balances to the aging schedule.
    • Verify extensions and footings in subsidiary ledger accounts.
    • Investigate negative (i.e., credit) balances.
E. Consider confirmation of account balances with customers:
    • Select accounts for positive confirmation.
    • Select accounts for negative confirmation.
    • Control confirmation requests by mailing in internal audit department envelopes and with the return address of the internal audit department. Consider using a post office box to ensure that unauthorized individuals cannot tamper with responses.
    • After 14 days, mail second requests to all those not replying to a positive request.
    • Investigate all accounts for which envelopes are returned as undeliverable.
    • Reconcile differences reported by customers.
    • Review accounts of significant customers not replying to a second request by examining subsequent receipts and supporting documentation (i.e., remittance advices, invoices, and/or shipping documents) in order to corroborate that the amounts represent bona fide receivables for goods or services.
    • Prepare a schedule summarizing the receivable confirmations.
F. Examine cash receipts in subsequent periods in order to identify receivables which have not been recorded previously.
G. With respect to trade notes receivable, prepare or verify schedules and analyses which detail the following:
    • Makers of the notes
    • Dates the notes were made
    • Due dates of the notes
    • Original terms of repayment
    • Any collateral
    • Applicable interest rates
    • Balances at the end of the prior accounting period
    • Additions and repayments of principal
H. Inspect notes and confirm notes receivable discounted with banks.
I. Identify collateral and verify that such amounts are not recorded as assets.
J. Verify the accuracy of interest income, accrued interest, and unearned discount by recalculating such amounts.
K. Read pertinent documents, including the minutes of board meetings, in order to identify situations in which receivables have been pledged as collateral, assigned, or discounted and verify that such situations are disclosed in the financial statements.
L. Obtain evidence pertaining to related-party transactions which need to be disclosed in the financial statements.
M. With respect to the analysis of the allowance for doubtful accounts prepared by accounting personnel:
    • Ascertain that write-offs have in fact been authorized.
    • Ascertain the reasonableness of the allowance by reviewing the estimating procedures.
    • Perform analytical procedures by comparing:
        ▪ Accounts receivable to credit sales
        ▪ Allowance for doubtful accounts to accounts receivable totals
        ▪ Sales to sales returns and allowances
        ▪ Doubtful accounts expense to net credit sales
        ▪ Accounts receivable to total assets
        ▪ Notes receivable totals to accounts receivable totals
    • Consider differences between the book and tax basis for doubtful accounts expense.


Inventory

I. Audit Objectives:

A. Determine that inventory quantities properly include products, materials, and supplies on hand, in transit, in storage, and out on consignment to others (Existence, Completeness, and Valuation or Allocation).
B. Determine that inventory items are priced consistently in accordance with United States GAAP (Valuation or Allocation).
C. Determine that inventory listings are accurately compiled, extended, footed, and summarized and determine that the totals are properly reflected in the accounts (Existence, Completeness, and Valuation or Allocation).
D. Determine that excess, slow-moving, obsolete, and defective items are reduced to their net realizable value (Valuation or Allocation).
E. Determine that the financial statements include disclosure of any liens resulting from the pledging or assignment of inventories (Presentation and Disclosure).

II. Audit Procedures:

A. Review management’s instructions pertaining to inventory counts and arrange to have sufficient internal audit personnel present to observe the physical count at major corporate locations. Keep in mind that all locations should be counted simultaneously in order to prevent substitution of items.
B. At each location where inventory is counted:
    • Observe the physical inventory count, record test counts, and write an overall observation memo.
    • Determine that prenumbered inventory tags are utilized.
    • Test the control of inventory tags.
    • Test shipping and receiving cut-offs.
    • Discuss obsolescence and overstock with operating personnel.
    • Verify that employees are indicating obsolete items on inventory tags.
    • Note the condition of inventory.
    • Note pledged or consigned inventory.
    • Determine if any inventory is at other locations and consider confirmation or observation, if material.
    • Determine that inventory marked for destruction is actually destroyed and is destroyed by authorized personnel.
C. Follow up all points that might result in a material adjustment.


D. Trace recorded test counts to the listings obtained from management, list all exceptions, and value the total effect.
E. Trace the receiving and shipping cut-offs obtained during the observation to the inventory records, accounts receivable records, and accounts payable records. Also trace inventory to production and sales.
F. Obtain a cut-off of purchases and sales subsequent to the audit date and trace to accounts receivable, accounts payable, and inventory records.
G. Note any sharp drop in market value relative to book value.
H. “Red flag” excessive product returns, which might be indicative of quality problems. Returned merchandise should be warehoused apart from finished goods until quality control has tested the items. Are returns due to the salesperson overstocking the customer? Returns should be controlled as to actual physical receipt, and the reasons for the returns should be noted for analytical purposes.
I. Trace for possible obsolete merchandise that is continually carried on the books. For example, the author had a situation in which a company continued to carry obsolete goods on the books even though it wrote off only a small portion of similar goods.
J. With respect to price tests of raw materials:
    • Ascertain management’s inventory pricing procedures.
    • Schedule, for a test of pricing, all inventory items in excess of a prescribed limit and sample additional items.
    • Inspect purchase invoices and trace to journal entries.
    • Inquire and investigate whether trade discounts, special rebates, and similar price reductions have been reflected in inventory prices.
    • Determine and test treatment of freight and duty costs.
    • If standard costs are utilized:
        ▪ Determine whether such costs differ materially from actual costs on a first-in, first-out basis.
        ▪ Investigate variance accounts and compute the effect of the balances in such accounts on inventory prices.
        ▪ Ascertain the policy and practice as to changes in standards.
        ▪ With respect to changes during the period, investigate the effect on inventory pricing.
        ▪ If process costs are used, trace selected quantities per the physical inventory to the departmental cost of production reports and determine that quantities have been adjusted to the physical inventory as of the date of the physical counts.
K. With respect to work-in-process and finished goods:
    • Ascertain the procedures used in pricing inventory and determine the basis of pricing.
    • Review tax returns to determine that the valuation methods conform to those methods used for financial statement purposes.
    • On a test basis, trace unit costs per the physical inventory to the cost accounting records and perform the following:
        ▪ Obtain, review, and compare the current-period and prior period’s trial balances or tabulations of detailed components of production costs for the year; note explanations for apparent inconsistencies in classifications and significant fluctuations in amounts; ascertain that the cost classifications accumulated as production costs and absorbed in inventory are in conformity with United States GAAP.
        ▪ Review computations of unit costs and costs credited against inventory and charged to cost of sales.
        ▪ Review activity in the general ledger control accounts for raw materials, supplies, and work-in-process and finished goods inventories and investigate any significant and unusual entries or fluctuations.
        ▪ Review labor and overhead allocations to inventory and cost of sales, compare to actual labor and overhead costs incurred, and ascertain that variances appear reasonable in amount and have been properly accounted for.
        ▪ Trace who obtains the funds received from the sale of scrap.

Fixed Assets

I. Audit Objectives:

A. Determine that fixed assets exist (Existence or Occurrence).
B. Determine that fixed assets are owned by the entity (Rights and Obligations).
C. Determine that fixed asset accounts are recorded at historical cost (Valuation or Allocation).
D. Determine that depreciation is calculated and recorded in conformity with generally accepted accounting principles (Valuation or Allocation).
E. Determine that relevant disclosures are made in the financial statements (Presentation and Disclosure).

II. Audit Procedures:

A. With respect to the schedule of fixed assets prepared by accounting personnel:
    • Trace beginning balances to prior-year schedules.
    • Trace ending balances to general ledger control accounts.
    • Verify that additions are recorded at historical cost.
    • Examine supporting documentation for asset additions, retirements, and dispositions: purchase contracts, canceled checks, invoices, purchase orders, receiving reports, retirement work orders, sale contracts, bills of sale, bills of lading, trade-in agreements.
    • Verify that depreciation methods, estimated useful lives, and estimated salvage values are in accordance with United States generally accepted accounting principles (GAAP).
    • Identify fully depreciated assets carried in the property records to obtain assurance that such assets are still utilized (i.e., that they have not been discarded or abandoned).
    • Recalculate gains and losses on dispositions of fixed assets in accordance with methods that are in conformity with United States GAAP.
B. Determine that additions, retirements, and dispositions have been authorized by management.
C. Analyze repairs and maintenance accounts to ascertain the propriety of classification of transactions.
D. Tour facilities in order to physically inspect fixed assets. A lack of cleanliness and orderliness suggests the possible existence of internal control problems.
E. To verify ownership, examine:
    • Personal property tax returns
    • Title certificates
    • Insurance policies
    • Invoices
    • Purchase contracts
F. Examine lease agreements and ascertain that the accounting treatment is in conformity with United States GAAP.
G. Examine support for rentals under operating leases to determine whether leases should be capitalized in conformity with United States GAAP.
H. Ascertain that obsolete assets are given proper accounting recognition. Trace salvage receipts to source.
I. Perform analytical procedures by comparing:
    • Dispositions of fixed assets to replacements
    • Depreciation and amortization expenses to the cost of fixed assets
    • Accumulated depreciation to the cost of fixed assets
J. Read: (1) minutes of board meetings, (2) note agreements, and (3) purchase contracts to identify situations in which assets have been pledged as collateral.

Prepaid Expenses and Deferred Charges

I. Audit Objectives:

A. Determine that balances represent proper charges against future operations and can reasonably be realized through future operations or are otherwise in conformity with United States GAAP (Valuation or Allocation).


B. Determine that additions during the audit period are proper charges to these accounts and represent actual cost (Existence or Occurrence and Valuation or Allocation).
C. Determine that amortization or write-offs against revenues in the current period and to date have been determined in a rational and consistent manner (Valuation or Allocation).
D. Determine that material items have been properly classified and disclosed in the financial statements (Presentation and Disclosure).

II. Audit Procedures:

A. Obtain or prepare a schedule of the prepaid and deferred items.
B. Perform analytical procedures by comparing current-period amounts to those of the prior period and comparing actual amounts to budgeted amounts; investigate significant fluctuations.
C. With respect to prepaid insurance:
    • Obtain a schedule of insurance policies, coverage, total premiums, prepaid premiums, and expense as of the audit date; note that some companies maintain an insurance register.
    • Verify the clerical and mathematical accuracy of schedules or insurance registers.
    • Trace schedule or register totals to trial balances and general ledger control accounts.
    • Inspect policies on hand and check details of schedules or registers.
    • Vouch significant premiums paid during the audit period.
    • Obtain confirmation directly from insurance brokers of premiums and other significant and relevant data.
    • Determine if premiums are being financed and, if so, whether the related liabilities and finance costs have been recorded.
    • Verify that proper accounting treatment is applied to advance or deposit premiums, as well as dividend or premium credits.
    • Test check calculations of prepaid premiums and investigate and determine the disposition of major differences.
    • Determine whether all significant insurable risks have been considered.
D. With respect to prepaid taxes:
    • Obtain or prepare an analysis of prepaid taxes, including taxes charged directly to expense accounts.
    • Verify the mathematical and clerical accuracy of the analysis.
    • Trace amounts on the analysis to the trial balance and pertinent general ledger control accounts.
    • Examine tax bills and receipts or other data which corroborate prepaid taxes.
    • Ascertain that prepaid tax accounts have been accounted for consistently in conformity with United States GAAP.


E. With respect to other major items:
    • Review deferred expenses such as moving costs and determine:
        ▪ What procedures are used to evaluate the future usefulness of the asset
        ▪ How these assets will benefit the future
    • Test the amortization of material prepaid or deferred items and trace to the income statement and general ledger accounts.
    • Inspect relevant documents.

Accounts Payable

I. Audit Objectives:

A. Determine that accounts payable in fact exist (Existence or Occurrence).
B. Determine that accounts payable represent authorized obligations of the entity (Existence or Occurrence).
C. Determine that accounts payable are properly classified in the financial statements (Presentation and Disclosure).
D. Determine that recorded accounts payable are complete (Completeness).
E. Determine that appropriate disclosures are included in the financial statements (Presentation and Disclosure).

II. Audit Procedures:

A. With respect to the schedule of accounts payable prepared by accounting personnel:
    • Verify mathematical accuracy of extensions and footings.
    • Trace totals to general ledger control accounts.
    • Trace selected individual accounts to the accounts payable subsidiary ledger.
    • Trace individual account balances in the subsidiary ledger to the accounts payable schedule.
    • Investigate accounts payable which are in dispute.
    • Investigate any debit balances.
    • Read minutes of board meetings to ascertain the existence of pledging agreements.
B. Prepare a trend line of invoices (e.g., by year and by month, or by year and by quarter) in order to determine the reasonableness of amounts. Special attention should be paid to invoices dated just before year-end and quarter-end dates.
C. Run a basic test for duplicate invoice payments (e.g., searching for any pairs of invoices which have the same vendor number, invoice number, and amount) and potential error invoices (e.g., searching for the same vendor number and invoice number but different amounts).
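The duplicate payment test in procedure C is a grouping exercise over the payment file, and it is worth seeing both halves of it implemented side by side. The Python below is an added example, not code from the course: it groups payments by vendor and invoice number, reports groups paid more than once at the same amount (possible duplicate payments) and groups paid at different amounts (possible error invoices). The record layout, the field names and the six sample payments are constructed for this example. It goes one step beyond the course's basic test by normalizing invoice numbers before matching, since a re-keyed invoice usually differs from the original in case, punctuation or leading zeros; that normalization is an assumption of this example, and amounts are compared as Decimal values so that cents are matched exactly.

```python
import re
from collections import defaultdict
from decimal import Decimal


def normalize_invoice_no(raw: str) -> str:
    """Canonical invoice number so that 'INV-0042' and 'inv 42' compare equal.

    Normalization is an added refinement, not part of the course's basic test:
    keep letters and digits only, upper-case them, and drop leading zeros from
    each digit run (so '1002' is left alone, but '0042' becomes '42').
    """
    compact = "".join(ch for ch in raw.upper() if ch.isalnum())
    return re.sub(r"(?<!\d)0+(?=\d)", "", compact)


def invoice_payment_tests(invoices):
    """Run the two tests from procedure C over a list of payment records.

    Each record is a dict with payment_id, vendor, invoice_no and amount
    (amount as a string or number; it is compared as a Decimal, never a float).
    Returns (duplicates, errors):
      duplicates: same vendor, invoice number and amount paid more than once
      errors:     same vendor and invoice number paid with different amounts
    """
    groups = defaultdict(list)
    for inv in invoices:
        key = (inv["vendor"].strip().upper(), normalize_invoice_no(inv["invoice_no"]))
        groups[key].append(inv)

    duplicates, errors = [], []
    for (vendor, invoice_no), rows in groups.items():
        by_amount = defaultdict(list)
        for r in rows:
            by_amount[Decimal(str(r["amount"]))].append(r["payment_id"])
        for amount, payment_ids in by_amount.items():
            if len(payment_ids) > 1:
                duplicates.append({"vendor": vendor, "invoice_no": invoice_no,
                                   "amount": amount, "payments": payment_ids})
        if len(by_amount) > 1:
            errors.append({"vendor": vendor, "invoice_no": invoice_no,
                           "amounts": sorted(by_amount),
                           "payments": [r["payment_id"] for r in rows]})
    return duplicates, errors


# Constructed sample payment file (not from the course text).
SAMPLE_INVOICES = [
    {"payment_id": "P1", "vendor": "V100", "invoice_no": "INV-0042", "amount": "1250.00"},
    {"payment_id": "P2", "vendor": "V100", "invoice_no": "inv 42",   "amount": "1250.00"},  # duplicate of P1
    {"payment_id": "P3", "vendor": "V100", "invoice_no": "INV-0043", "amount": "300.00"},
    {"payment_id": "P4", "vendor": "V100", "invoice_no": "INV-0043", "amount": "330.00"},   # same number, different amount
    {"payment_id": "P5", "vendor": "V200", "invoice_no": "INV-0042", "amount": "1250.00"},  # different vendor: no match
    {"payment_id": "P6", "vendor": "V300", "invoice_no": "7",        "amount": "99.50"},
]

if __name__ == "__main__":
    dups, errs = invoice_payment_tests(SAMPLE_INVOICES)
    for d in dups:
        print("possible duplicate payment:", d)
    for e in errs:
        print("possible error invoice:", e)
```

On the sample, P1 and P2 are reported as one duplicate pair even though their invoice numbers were keyed differently, P3 and P4 are reported as an error invoice, and P5 is ignored because the vendor differs. As with every analytical procedure in this program, a hit is a lead for vouching to the underlying invoice and receiving report, not a finding on its own.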


D. Consider confirming accounts payable if there is: (1) poor internal control structure, or (2)

suspicion of misstatement.

E. Search for unrecorded liabilities by:

• Examining receiving reports and matching them with invoices

• Inspecting unprocessed invoices

• Inspecting vendor’s statements for unrecorded invoiced amounts

• Examine cash disbursements made in the period subsequent to year-end and examine

supporting documentation in order to ascertain the appropriate cut-off for recording

purposes.

F. With respect to obligations for payroll tax liabilities:

• Examine payroll tax deposit receipts

• Examine cash disbursements in the period subsequent to year-end to identify deposits

that relate to prior period

• Reconcile general ledger control totals to payroll tax forms

• Trace liabilities for amounts withheld from employee checks to payroll registers,

journals, and summaries

• Perform analytical procedures by comparing: Payroll tax expense to liabilities for

payroll taxes, liability to accrued payroll taxes

• Reconcile calendar year payroll returns to fiscal year financial statements for payroll

amounts

G. Reconcile vendor statements with accounts payable accounts.

H. Compare vendor invoices with purchase requisitions, purchase orders, and receiving reports for

price and quantity.

I. Investigate unusually large purchases.

J. With respect to accrued expenses:

• Consider the existence of unasserted claims

• Obtain schedule of accrued expenses from accounting personnel

• Recalculate accruals after verifying the validity of assumptions utilized

• Perform analytical procedures by comparing current- and prior period accrued

expenses

• Ascertain that accrued expenses are paid within a reasonable time after year-end

• Inquire of management about, and document all details of, contingent or known liabilities arising from product warranties, guarantees, contests, advertising promotions, and dealer “arrangements or promises”

• Determine liability for expenses in connection with pending litigation:

▪ Inquire of management

▪ Confirm in writing with outside legal counsel


Stockholders’ Equity

I. Audit Objectives:

A. Determine that all stock transactions (including transactions involving warrants, options, and

rights) have been authorized in accordance with management’s plans (All Assertions Are

Addressed).

B. Determine that equity transactions are properly classified in the financial statements

(Presentation and Disclosure).

C. Determine that equity transactions have been recorded in the proper time period at the correct

amounts (Existence or Occurrence, Completeness, and Presentation and Disclosure).

D. Determine that equity transactions are reflected in the financial statements in accordance with

generally accepted accounting principles (Presentation and Disclosure).

II. Audit Procedures:

A. With respect to each class of stock, identify:

• Number of shares authorized

• Number of shares issued

• Number of shares outstanding

• Par or stated value

• Privileges

• Restrictions

B. With respect to the schedule of equity transactions prepared by accounting personnel:

• Trace opening balances of the current year to the balance sheet and ledger accounts

as of the prior year’s balance sheet date

• Account for all proceeds from stock issues by re-computing sales prices and relevant

proceeds

• Verify the validity of the classification of proceeds between capital stock and

additional paid-in capital

• Reconcile ending schedule balances with general ledger control totals

• Verify that equity transactions are not in conflict with the requirements of the

corporate charter (or articles of incorporation), or with the applicable statutes of the

state of incorporation

C. Account for all stock certificates that remain unissued at the end of the accounting period.

D. Examine stock certificate books or confirm stock register.

E. With respect to schedules of stock options and related stock option plans prepared by accounting

personnel, verify:


• The date of the plan

• Class and number of shares reserved for the plan

• The accounting method used for determining option prices

• The names of individuals entitled to receive stock options

• The names of individuals to whom options have been granted

• The terms relevant to options that have been granted

• That measurement of stock options granted is in accordance with generally accepted

accounting principles

F. With respect to stock subscriptions receivable:

• Ascertain that execution of such transactions is approved by appropriate personnel

• Verify that stock subscriptions receivable are properly classified in the financial

statements

G. With respect to treasury stock:

• Verify the validity of treasury stock acquisitions by examining canceled checks and

other corroborating documentation

• Inspect treasury stock certificate records in order to ascertain their existence

• Reconcile treasury stock totals to general ledger control accounts

H. With respect to retained earnings:

• Trace the opening balance in the general ledger to the ending balance in the general

ledger of the prior period

• Analyze current-year transactions and obtain corroborating documentation for all or

selected transactions

• Verify that current-year net income or loss has been reflected as a current-year

transaction

• With respect to dividends declared and/or paid:

▪ Ascertain the authorization of such dividends by reading the minutes of board

meetings

▪ Examine canceled checks in support of dividend payments

▪ Verify the accuracy of dividend declarations and payments by recalculating

such dividends

▪ Ascertain that prior-period adjustments have been given proper accounting

recognition in accordance with generally accepted accounting principles

▪ Apply other appropriate procedures to determine the existence of restrictions

on or appropriations of retained earnings

I. Ascertain that the financial statements include adequate disclosure of:

• Restrictions on stock

• Stock subscription rights


• Stock reservations

• Stock options and warrants

• Stock repurchase plans or obligations

• Preferred dividends in arrears

• Voting rights in the event of preferred dividend arrearages

• Liquidation preferences

• Other relevant items

Sales and Other Types of Income

I. Audit Objectives:

A. Determine that proper income recognition is afforded ordinary sales transactions (Existence or

Occurrence, Rights and Obligations, Valuation or Allocation, and Presentation and Disclosure).

B. Determine that sales transactions have been recorded in the proper time period (Existence or

Occurrence, Completeness, and Presentation and Disclosure).

C. Determine that all types of revenues are properly classified and disclosed in the financial

statements (Valuation or Allocation and Presentation and Disclosure).

II. Audit Procedures:

A. Trace sales and cash receipts journal totals to relevant general ledger control accounts.

B. Trace sales and cash receipts journal entries to applicable subsidiary ledger accounts.

C. Verify the mathematical accuracy of footings and extensions in sales and cash receipts journals.

D. Perform analytical procedures by:

• Comparing current- and prior-period sales, returns and allowances, discounts, and

gross profit percentages

• Comparing the current period items referred to above to anticipated results (i.e.,

budgeted amounts)

• Comparing company statistics (e.g., gross profit percentage) to industry standards

• Investigating any significant or unexplained fluctuations

E. With respect to consignment shipments to others:

• Examine applicable consignment agreements

• Verify that consignment transactions are afforded proper accounting treatment in

accordance with generally accepted accounting principles

F. Determine, through sample testing, whether sales are appropriately recognized as revenue by meeting the following criteria:

• Delivery has occurred or services have been rendered

• The sales price is fixed or determinable


• Collectability is reasonably assured

G. Ascertain that sales to related parties are accounted for at arm’s length terms.

H. Evaluate expected and actual sales returns before and after year-end and compare them with returns in the same period of prior years.

I. Verify that sales returns are properly authorized and actually returned by examining receiving

reports, credit memos, and entries in the accounting records.

J. Perform sales and inventory cut-off tests at the end of the fiscal year.

K. Verify by recalculation that the following have been properly recorded and disclosed:

• Dividend income

• Interest income

• Gains on dispositions of marketable securities

• Gains on dispositions of fixed assets

• Increases in investment accounts reflecting the equity method of accounting

• Other or miscellaneous income accounts

Expense Items

I. Audit Objectives:

A. Determine that expenses are recorded in the proper time period (Existence or Occurrence and

Completeness).

B. Determine that expenses have been properly classified and disclosed in the financial statements

(Presentation and Disclosure).

C. Determine that expense items are recognized in accordance with generally accepted accounting

principles (Valuation or Allocation).

II. Audit Procedures:

A. Trace cash disbursements journal totals to relevant general ledger control accounts.

B. Trace cash disbursements journal items to relevant subsidiary ledgers (e.g., payroll subledger).

C. Verify the mathematical accuracy of footings and extensions of relevant journals.

D. Perform analytical procedures by:

• Comparing current- and prior-period expense items

• Comparing the current-period expense items to anticipated results (i.e., budgeted

amounts)

• Comparing the current-period expense items to industry standards

• Relating various expense items to gross sales or revenue by means of percentages

• Investigating any significant or unexplained fluctuations

• Vouching bills on a sampling basis


E. Consider analyzing the following accounts, which are often subject to intentional or unintentional

misstatement:

• Depreciation and amortization

• Taxes:

▪ Real estate

▪ Personal property

▪ Income

▪ Payroll

• Rent

• Insurance

• Bad debts

• Interest

• Professional fees

• Officers’ salaries

• Directors’ fees

• Travel and entertainment

• Research and development

• Charitable contributions

• Repairs and maintenance

F. With respect to payroll:

• Search for fictitious employees

• Determine improper alterations of amounts

• Verify that proper tax deductions are taken

• Examine time cards and trace to payroll records in order to verify the proper recording

of employee hours.

• Verify the accuracy of pay rates by obtaining a list of authorized pay rates from the

personnel department.

• Review the adequacy of internal controls relating to hiring, overtime, and retirement.

• Determine if proper payroll forms exist such as W-4s and I-9s.
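A worked example of the first payroll procedure above, the search for fictitious ("ghost") employees, added to this guide and not part of the original text. It runs a constructed payroll register for one pay period against the HR master file, the timekeeping system and the bank deposit details, applying the tests an auditor typically scripts: payees not on the HR master, payees paid after termination, pay with no tax withheld, paid hours exceeding approved hours, and two employee ids depositing to one bank account. The record layouts, the sample ids and the test names are assumptions for the example.

```python
from collections import defaultdict
from datetime import date

# Constructed sample data for one pay period (not real records).
# HR master file: the only authoritative list of who may be paid.
HR_MASTER = {
    "E100": {"name": "A. Rivera", "terminated": None},
    "E101": {"name": "B. Chen",   "terminated": date(2023, 9, 15)},
    "E102": {"name": "C. Okafor", "terminated": None},
    "E103": {"name": "D. Patel",  "terminated": None},
}
# Payroll register: (employee id, gross pay, tax withheld, deposit account, hours paid)
PAYROLL = [
    ("E100", 3200.00, 640.00, "ACCT-5581", 80.0),
    ("E101", 3100.00, 620.00, "ACCT-9920", 80.0),  # terminated in September, still being paid
    ("E102", 2900.00, 580.00, "ACCT-1138", 80.0),
    ("E103", 3000.00, 600.00, "ACCT-5581", 80.0),  # deposits to the same account as E100
    ("E199", 2750.00,   0.00, "ACCT-7771", 80.0),  # not in HR master, nothing withheld
]
PAY_DATE = date(2023, 11, 15)
# Hours approved in the timekeeping system for the same period (employee id -> hours)
TIME_CARDS = {"E100": 80.0, "E101": 0.0, "E102": 80.0, "E103": 80.0}


def ghost_employee_tests(hr=HR_MASTER, payroll=PAYROLL, time_cards=TIME_CARDS,
                         pay_date=PAY_DATE) -> dict:
    """Return {test name: [employee ids, or (account, ids)]} for every test that fired."""
    findings = defaultdict(list)
    ids_by_account = defaultdict(set)
    for emp_id, gross, tax, account, hours in payroll:
        record = hr.get(emp_id)
        if record is None:
            findings["not_in_hr_master"].append(emp_id)
        elif record["terminated"] is not None and record["terminated"] < pay_date:
            findings["paid_after_termination"].append(emp_id)
        if gross > 0 and tax == 0:
            # A real employee has withholding; whoever collects a ghost's pay wants the whole check.
            findings["no_tax_withheld"].append(emp_id)
        if hours > time_cards.get(emp_id, 0.0):
            findings["paid_hours_exceed_time_cards"].append(emp_id)
        ids_by_account[account].add(emp_id)
    for account, ids in ids_by_account.items():
        if len(ids) > 1:
            # Two employee ids paying into one account: a classic ghost or diverted-pay pattern.
            findings["shared_deposit_account"].append((account, sorted(ids)))
    return dict(findings)


def flags_per_employee(findings: dict) -> dict:
    """Count how many tests each employee id tripped, so review starts with the worst cases."""
    counts = defaultdict(int)
    for test, hits in findings.items():
        for hit in hits:
            ids = hit[1] if test == "shared_deposit_account" else [hit]
            for emp_id in ids:
                counts[emp_id] += 1
    return dict(sorted(counts.items(), key=lambda kv: (-kv[1], kv[0])))


if __name__ == "__main__":
    found = ghost_employee_tests()
    for test, hits in found.items():
        print(f"{test}: {hits}")
    print("flags per employee:", flags_per_employee(found))
```

Each hit is a lead, not a finding: a shared account can be a married couple on the same payroll, and a zero-withholding payee can be a legitimate exempt contractor, so every flagged id is traced to a personnel file, a signed W-4 and a physical or video confirmation that the person exists.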


Assessing the Risk of Fraud

Characteristics of Financial Statement Fraud

Types of Fraud

The difference between error and fraud depends on whether the underlying action or intent resulting in a financial statement misstatement is intentional or unintentional. Fraud refers to intentional misstatements or omissions of financial statement amounts or disclosures. Error, on the other hand, refers to unintentional misstatements, for example misinterpretation of facts, mistakes in gathering or processing data, and use of incorrect accounting estimates.

The auditor is primarily concerned with fraud that causes a material misstatement in the financial statements. Two types of intentional misstatements are relevant to the auditor: misstatements arising from fraudulent financial reporting and misstatements arising from misappropriation of assets. SAS 99 (since codified as AU-C section 240) explains each as discussed below:

Fraudulent Financial Reporting. Misstatements arising from fraudulent financial reporting are

intentional misstatements or omissions of amounts or disclosures in financial statements designed to

deceive financial statement users where the effect causes the financial statements not to be

presented, in all material respects, in conformity with GAAP.

Fraudulent financial reporting may be accomplished by the following:

1. Manipulation, falsification, or alteration of accounting records or supporting documents from

which financial statements are prepared

2. Misrepresentation in or intentional omission from the financial statements of events,

transactions, or other significant information

3. Intentional misapplication of accounting principles relating to amounts, classification, manner

of presentation, or disclosure

Fraudulent financial reporting need not be the result of a grand plan or conspiracy. It may be that

management representatives rationalize the appropriateness of a material misstatement, for

example, as an aggressive rather than indefensible interpretation of complex accounting rules, or as a


temporary misstatement of financial statements, including interim statements, expected to be

corrected later when operational results improve.

Misappropriation of Assets. Misstatements arising from misappropriation of assets (sometimes

referred to as theft or defalcation) involve the theft of an entity's assets where the effect of the theft

causes the financial statements not to be presented, in all material respects, in conformity with GAAP.

Misappropriation of assets can be accomplished in various ways, including embezzling receipts,

stealing assets, or causing an entity to pay for goods or services that have not been received.

Misappropriation of assets may be accompanied by false or misleading records or documents, possibly

created by circumventing controls.

Fraud Risk Factors

Because of the characteristics of fraud, the auditor must exercise professional judgment. Accordingly, the auditor should have a questioning mind and critically assess the evidence obtained throughout the conduct of the audit. In obtaining reasonable assurance, the auditor is responsible for maintaining professional skepticism throughout the audit. Auditors may consider the fraud risk factors listed in the appendix to SAS 99, which are grouped as follows:

• Risk Factors Relating to Misstatements Arising From Misappropriation of Assets

• Risk Factors Relating to Misstatements Arising From Fraudulent Financial Reporting

Brainstorming Sessions

Auditors must consider all the potential fraud risk factors which might be relevant for their client. This

should be done through team brainstorming sessions, and the auditor can then develop procedures

to address identified fraud risk. The brainstorming sessions reinforce the importance of professional

skepticism and set the tone for the engagement. Audit team members should brainstorm about:

• How and where the financial statements might be susceptible to material misstatement due

to fraud;

• How management could perpetrate and conceal fraudulent financial reporting;

• How an entity’s assets could be misappropriated;

• The need to emphasize professional skepticism throughout the audit;

• The risk of management override of internal controls, and

• How the audit team might respond to the susceptibility of the financial statements to material

misstatement caused by fraud.

With reference to management override, SAS 99 states that:


“Management has a unique ability to perpetrate fraud because it frequently is in a position to directly

or indirectly manipulate accounting records and present fraudulent financial information. Fraudulent

financial reporting often involves management override of controls that otherwise may appear to be

operating effectively. Management can either direct employees to perpetrate fraud or solicit their help

in carrying it out. In addition, management personnel at a component of the entity may be in a position

to manipulate the accounting records of the component in a manner that causes a material

misstatement in the consolidated financial statements of the entity. Management override of controls

can occur in unpredictable ways.”

When applying professional judgment to assess fraud risks during the brainstorming sessions, the

following risk attributes should be considered by the auditor:

Risk Attributes of Fraud in Financial Statements

Attribute                      Consideration

The type of risk               Whether the risk involves fraudulent financial reporting or misappropriation of assets.

The significance of the risk   Whether the risk is of a magnitude that could result in a material misstatement of the financial statements.

The likelihood of the risk     The likelihood that the risk will result in a material misstatement of the financial statements.

The pervasiveness of the risk  Whether the risk is pervasive to the financial statements as a whole or relates specifically to a particular assertion, financial statement account, or class of transactions.

Brainstorming sessions are critical because they are intended to aid auditors in linking fraud risk factors

to risk assessment and foster the development of appropriate audit responses. The American

Accounting Association identified the following top seven brainstorming practices that significantly

improve brainstorming quality:

1. Sessions are led by a partner or forensic specialist.

2. An information technology audit specialist attends the primary brainstorming session.

3. The engagement’s primary session is held pre-planning or early in planning.

4. The discussion of how management might perpetrate fraud is robust.

5. The discussion about audit response to fraud risk is detailed.

6. The level of manager contribution to the session is high.

7. The level of partner contribution to the session is significant.


Fraud Risk Assessment

Auditors assess the risk of fraud through a multi-phase approach. The auditor collects information related to the risk of material misstatement, applies that information in brainstorming sessions to identify fraud risk factors, and synthesizes the results into a fraud risk assessment that drives the audit response.

Collect Information

There are numerous ways, such as interviews, surveys or questionnaires, and anonymous feedback mechanisms, to collect information related to the risk of material misstatement. Fraud interviews are one of the most effective of these methods, and they require effective communication skills from the auditor. The following interview techniques are essential for achieving high-quality fraud

communication skills. The following interview techniques are essential for achieving high-quality fraud

interviews as recommended by Grant Thornton, LLP and Marine Corps Nonappropriated Funds Audit

Service:

Interviews with Management and Employees

Audit team members interview both managers and employees to gather information about fraud risks,

assist with evaluating controls, and obtain information about potential fraudulent activities. This

strategy provides employees the opportunities to raise any concerns they might have regarding

management fraud. When conducting employee and management interviews, auditors should use

care and good judgment in any discussions about fraud with all personnel and not insinuate that fraud

is present or imply that an employee or manager is under suspicion of fraud.

Setting the Tone for Discussion

An important consideration when preparing for a fraud interview session is to set the proper tone for the discussion. Because of the sensitive nature of a discussion of fraud and the potential for interview participants to become reticent or refrain from voicing their opinions, it is a good idea to indicate that the interview session is required by the AICPA's auditing standards (AU-C section 240, Consideration of Fraud in a Financial Statement Audit, issued as part of SAS 122 and the successor to SAS 99) and that no one is suspected of or being accused of fraud when conducting a financial statement audit.

Asking Follow-Up Questions

When conducting fraud interview sessions, it is critical to keep an open mind and to ask follow-up

questions. Many frauds have been allowed to continue too long because of the failure to ask the next

question. Responses to interview questions may be less complete than expected. If so, requests for

additional clarification or amplification are often necessary. Other times, responses may be different

from what was expected or about areas other than what was asked. In those situations, rather than

continue to the next question from a pre-determined list, it is important to probe further. The person

being interviewed may feel uncomfortable providing information directly that could lead to

uncovering a potential issue. But with sufficient diligence in following up on responses, the auditor is


more likely to fully identify suspect situations or irregularities. This is not possible without listening

fully to responses and responding with relevant follow-up questions.

Identify and Assess Fraud Risks

Judgments about the risk of material misstatement caused by fraud may have an overall effect on the

audit in the following ways:

• Assignment and supervision of personnel: The knowledge and skill of auditors should be

assigned according to the assessed level of risk. The extent of supervision should reflect the

auditor’s assessment of risks of material misstatement due to fraud and the competencies of

auditors.

• Accounting principles: The auditor should be more skeptical about management’s selection

and application of accounting principles, practices, and methods, especially those related to

subjective measurements and complex transactions.

• Unpredictability of auditing procedures: The auditor should incorporate an element of

unpredictability in the selection of the nature, timing and extent of auditing procedures.

Auditors should also consider potential inherent fraud risks such as:

1. Incentives, pressures, and opportunities

2. Risk of management’s override of controls

3. Population of fraud risks:

− Fraudulent financial reporting

− Asset misappropriation

− Corruption

4. Regulatory and legal misconduct

5. Reputation risk

6. Information technology risk

Respond to the Fraud Risk Assessment

Once a fraud risk assessment is established, the auditor should develop a response to the risk

assessment such as altering the staffing of the engagement, or modifying the nature, extent, and

timing of specific auditing procedures. Additional auditing procedures may be required to address

the risk of material misstatement due to fraud arising from management override of internal controls.

Examples of these procedures include:

• Test the effectiveness of controls over the preparation and posting of journal entries and

adjustments;


• Determine whether the characteristics of fraudulent journal entries or adjustments are present (e.g., entries to unusual or unrelated accounts, round-number amounts, or entries recorded at the end of the period);

• Understand the nature and complexity of the accounts, and

• Understand the basis of nonstandard journal entries.
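A worked example of the journal entry characteristics test in the list above, added here and not part of the original guide. It scores a constructed set of general ledger entries against the red flags the text names (round amounts, period-end timing, unusual account pairings) plus two that auditors testing management override commonly add: posting by someone outside the usual preparer group, and an empty description. The account numbering scheme, the preparer list, the three-day period-end window and the sample entries are all assumptions made for this example.

```python
from datetime import date, timedelta

PERIOD_END = date(2023, 12, 31)
# Users who normally prepare entries (assumed); anyone else posting is an override signal.
NORMAL_PREPARERS = {"jsmith", "kwong"}
# Account prefixes that normally sit opposite a revenue credit (assumed chart of accounts):
# receivables, cash, deferred revenue.
EXPECTED_REVENUE_COUNTERPARTS = ("1200", "1000", "2400")
SUSPENSE_ACCOUNTS = ("2990",)

# Constructed sample of manual journal entries (not real data).
JOURNAL_ENTRIES = [
    {"id": "JE-7001", "posted": date(2023, 12, 12), "user": "jsmith",
     "debit": "1200 Accounts Receivable", "credit": "4000 Sales Revenue",
     "amount": 18432.17, "memo": "Invoice batch 12/12"},
    {"id": "JE-7002", "posted": date(2023, 12, 31), "user": "cfo",
     "debit": "1200 Accounts Receivable", "credit": "4000 Sales Revenue",
     "amount": 500000.00, "memo": ""},
    {"id": "JE-7003", "posted": date(2024, 1, 3), "user": "kwong",
     "debit": "6100 Rent Expense", "credit": "2000 Accounts Payable",
     "amount": 12500.00, "memo": "Dec rent accrual"},
    {"id": "JE-7004", "posted": date(2023, 12, 30), "user": "itadmin",
     "debit": "2990 Suspense", "credit": "4000 Sales Revenue",
     "amount": 250000.00, "memo": "adj"},
    {"id": "JE-7005", "posted": date(2023, 11, 14), "user": "jsmith",
     "debit": "5000 Cost of Goods Sold", "credit": "1300 Inventory",
     "amount": 7731.55, "memo": "Nov cost relief"},
]


def account_number(account: str) -> str:
    """'1200 Accounts Receivable' -> '1200' (assumed 'number name' layout)."""
    return account.split()[0]


def red_flags(entry: dict, period_end: date = PERIOD_END) -> list:
    """Return the names of every fraud characteristic this entry exhibits."""
    flags = []
    amt = entry["amount"]
    if amt >= 10_000 and amt % 1_000 == 0:
        flags.append("round_amount")
    if entry["posted"] >= period_end - timedelta(days=3):
        # last three days of the period, or posted after the close
        flags.append("posted_at_period_end_or_later")
    if entry["posted"].weekday() >= 5:
        flags.append("posted_on_weekend")
    if entry["user"] not in NORMAL_PREPARERS:
        flags.append("posted_by_unexpected_user")
    if not entry["memo"].strip():
        flags.append("blank_description")
    dr, cr = account_number(entry["debit"]), account_number(entry["credit"])
    if cr.startswith("4") and not dr.startswith(EXPECTED_REVENUE_COUNTERPARTS):
        flags.append("revenue_credit_with_unusual_debit")
    if dr in SUSPENSE_ACCOUNTS or cr in SUSPENSE_ACCOUNTS:
        flags.append("suspense_account_used")
    return flags


def rank_entries(entries=JOURNAL_ENTRIES, period_end: date = PERIOD_END) -> list:
    """Score every entry by its number of flags; highest first, ties by entry id."""
    scored = [(e["id"], red_flags(e, period_end)) for e in entries]
    return sorted(((eid, len(f), f) for eid, f in scored), key=lambda r: (-r[1], r[0]))


if __name__ == "__main__":
    for entry_id, score, flags in rank_entries():
        print(f"{entry_id}  score={score}  {', '.join(flags) or '-'}")
```

The score is a plain count of flags, which is enough to pick the entries to vouch first; on a real engagement the weights are tuned to the client (a weekend posting means little at a company that closes on Saturdays), and the preparer list comes from the system's user-role export rather than from the general ledger itself.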

It is important to keep in mind that the assessment of the risk of material misstatement caused by

fraud is not a one-time assessment, but rather should be ongoing throughout the conduct of the audit.

Accordingly, on an ongoing basis, the auditor should watch out for the following:

• Discrepancies in the accounting records;

• Conflicting or missing evidential matter, and

• Problematic or unusual relationships between management and the auditor

The auditor should also:

1. Evaluate whether analytical procedures in the substantive testing and overall review stages of

the audit indicate previously unrecognized risks of material misstatement caused by fraud,

and

2. At or near the end of fieldwork, evaluate the accumulated results of audit tests to determine

the effect on the auditor’s earlier risk assessment.

Testing Controls

Testing Design Effectiveness

The auditor should test the design effectiveness of controls by determining whether the company's

controls, if they are operated as prescribed by persons possessing the necessary authority and

competence to perform the control effectively, satisfy the company's control objectives and can

effectively prevent or detect errors or fraud that could result in material misstatements in the financial

statements.

Procedures the auditor performs to test design effectiveness include a mix of inquiry of appropriate

personnel, observation of the company's operations, and inspection of relevant documentation.

Walkthroughs that include these procedures ordinarily are sufficient to evaluate design effectiveness.

Testing Operating Effectiveness

The auditor should test the operating effectiveness of control by determining whether the control is

operating as designed and whether the person performing the control possesses the necessary


authority and competence to perform the control effectively. In designing test procedures, the auditor

should consider such matters as:

• The significance of the risk

• The likelihood that a material misstatement will occur

• The characteristics of the class of transactions, account balance, or disclosure involved

• The nature of specific controls used by the organization, in particular, whether they are

manual or automated

• Whether the auditor expects to obtain audit evidence to determine if the organization’s

controls are effective in preventing or detecting material misstatement.

Inquiry alone does not provide sufficient evidence to support a conclusion about the effectiveness of a

control.

Relationship of Risk to the Evidence Obtained

For each control selected for testing, the evidence necessary to persuade the auditor that the control is effective depends upon the risk associated with the control. The risk associated with a control consists of the risk that the control might not be effective and, if it is not effective, the risk that a material weakness would result. As the risk associated with the control being tested increases, the evidence that the auditor should obtain also increases.

Although the auditor must obtain evidence about the effectiveness of controls for each relevant

assertion, the auditor is not responsible for obtaining sufficient evidence to support an opinion about

the effectiveness of each control. Rather, the auditor's objective is to express an opinion on the

company's ICFR overall. This allows the auditor to vary the evidence obtained regarding the

effectiveness of individual controls selected for testing based on the risk associated with individual

control. Factors that affect the risk associated with a control include:

• The nature and materiality of misstatements that the control is intended to prevent or detect;

• The inherent risk associated with the related account(s) and assertion(s);

• Whether there have been changes in the volume or nature of transactions that might

adversely affect control design or operating effectiveness;

• Whether the account has a history of errors;

• The effectiveness of entity-level controls, especially controls that monitor other controls;

• The nature of the control and the frequency with which it operates;

• The degree to which the control relies on the effectiveness of other controls (e.g., the control

environment or information technology general controls);


• The competence of the personnel who perform the control or monitor its performance and

whether there have been changes in key personnel who perform the control or monitor its

performance;

• Whether the control relies on performance by an individual or is automated (i.e., an

automated control would generally be expected to be lower risk if relevant information

technology general controls are effective); and

Note: A less complex company or business unit with simple business processes and centralized accounting operations might have relatively simple information systems that make greater use of off-the-shelf packaged software without modification. In the areas in which off-the-shelf software is used, the auditor's testing of information technology controls might focus on the application controls built into the pre-packaged software that management relies on to achieve its control objectives and the IT general controls that are important to the effective operation of those application controls.

• The complexity of the control and the significance of the judgments that must be made in

connection with its operation.

Generally, the conclusion that a control is not operating effectively can be supported by less evidence than is necessary to support the conclusion that a control is operating effectively.

When the auditor identifies deviations from the company's controls, he or she should determine the

effect of the deviations on his or her assessment of the risk associated with the control being tested

and the evidence to be obtained, as well as on the operating effectiveness of the control.

The evidence provided by the auditor's tests of the effectiveness of controls depends upon the mix of the nature, timing, and extent of the auditor's procedures. Further, for an individual control, different combinations of the nature, timing, and extent of testing may provide sufficient evidence in relation to the risk associated with the control.

Evaluating Control Deficiencies

The auditor must evaluate the severity of each control deficiency that comes to his or her attention to

determine whether the deficiencies, individually or in combination, are material weaknesses as of the

date of management's assessment. In planning and performing the audit, however, the auditor is not

required to search for deficiencies that, individually or in combination, are less severe than a material

weakness. The severity of a deficiency depends on:

1. Whether there is a reasonable possibility that the company's controls will fail to prevent or

detect a misstatement of an account balance or disclosure; and


2. The magnitude of the potential misstatement resulting from the deficiency or deficiencies.

The severity of a deficiency does not depend on whether a misstatement actually has occurred but

rather on whether there is a reasonable possibility that the company's controls will fail to prevent or

detect a misstatement.

Risk factors affect whether there is a reasonable possibility that a deficiency, or a combination of

deficiencies, will result in a misstatement of an account balance or disclosure. The factors include, but

are not limited to, the following:

• The nature of the financial statement accounts, disclosures, and assertions involved;

• The susceptibility of the related asset or liability to loss or fraud;

• The subjectivity, complexity, or extent of judgment required to determine the amount

involved;

• The interaction or relationship of the control with other controls, including whether they

are interdependent or redundant;

• The interaction of the deficiencies;

• The possible future consequences of the deficiency;

• The importance of controls, such as the following, to the financial reporting process (if

applicable)

− General monitoring controls (such as oversight of management)

− Controls over the prevention and detection of fraud

− Controls over the selection and application of significant accounting policies

− Controls over significant transactions with related parties

− Controls over significant transactions outside the entity’s normal course of business

− Controls over the period-end financial reporting process (such as controls over

nonrecurring journal entries)

The evaluation of whether a control deficiency presents a reasonable possibility of misstatement can

be made without quantifying the probability of occurrence as a specific percentage or range. Auditors

should consider the following factors:

• A deficiency in ICFR on its own may not be sufficiently important to constitute a material weakness. However, a combination of deficiencies affecting the same significant class of transactions, account balance, or disclosure; relevant assertion; or component of ICFR may increase the risk of misstatement to such an extent as to give rise to a material weakness. Such a combination of deficiencies also may collectively result in a significant deficiency.

• Factors that affect the magnitude of the misstatement that might result from a deficiency or

deficiencies in controls include, but are not limited to, the following:

1. The financial statement amounts or total of transactions exposed to the deficiency; and


2. The volume of activity in the account balance or class of transactions exposed to the

deficiency that has occurred in the current period or that is expected in future periods.

• The auditor should evaluate the effect of compensating controls when determining whether

a control deficiency or combination of deficiencies is a material weakness. To have a mitigating

effect, the compensating control should operate at a level of precision that would prevent or

detect a misstatement that could be material.

• When evaluating the severity of a deficiency, or combination of deficiencies, the auditor also

should determine the level of detail and degree of assurance that would satisfy prudent

officials in the conduct of their own affairs that they have reasonable assurance that

transactions are recorded as necessary to permit the preparation of financial statements in

conformity with generally accepted accounting principles. If the auditor determines that a

deficiency, or combination of deficiencies, might prevent prudent officials in the conduct of

their own affairs from concluding that they have reasonable assurance that transactions are

recorded as necessary to permit the preparation of financial statements in conformity with

GAAP, then the auditor should treat the deficiency, or combination of deficiencies, as an

indicator of a material weakness.

Indicators of Material Weakness

Indicators of material weaknesses in ICFR include:

• Identification of fraud, whether or not material, on the part of senior management;

• Restatement of previously issued financial statements to reflect the correction of a material

misstatement;

• Identification by the auditor of a material misstatement of financial statements in the current

period in circumstances that indicate that the misstatement would not have been detected by

the company's ICFR; and

• Ineffective oversight of the company's external financial reporting and ICFR by the company's

audit committee

Examples of Significant Deficiencies and Material

Weaknesses

If a material weakness exists as of the assessment date, management is required to conclude that ICFR

is not effective and to disclose all material weaknesses that may have been identified. The SEC Chief

Accountant has stated publicly that he expects management's report to disclose the nature of any

material weakness in sufficient detail to enable investors and other financial statement users to

understand the weakness and evaluate the circumstances underlying it. The SEC provided the

following scenarios to illustrate how to evaluate the significance of internal control deficiencies in

various situations.


Scenario A – Significant Deficiency

The company processes a significant number of routine intercompany transactions on a monthly basis.

Individual intercompany transactions are not material and primarily relate to balance sheet activity,

for example, cash transfers between business units to finance normal operations. A formal

management policy requires monthly reconciliation of intercompany accounts and confirmation of

balances between business units. However, there is not a process in place to ensure performance of

these procedures. As a result, detailed reconciliations of intercompany accounts are not performed

on a timely basis. Management does perform monthly procedures to investigate selected large-dollar

intercompany account differences. In addition, management prepares a detailed monthly variance

analysis of operating expenses to assess their reasonableness.

Based only on these facts, the auditor should determine that this deficiency represents a significant

deficiency for the following reasons: The magnitude of a financial statement misstatement resulting

from this deficiency would reasonably be expected to be more than inconsequential, but less than

material, because individual intercompany transactions are not material, and the compensating

controls operating monthly should detect a material misstatement. Furthermore, the transactions are

primarily restricted to balance sheet accounts. However, the compensating detective controls are

designed only to detect material misstatements. The controls do not address the detection of

misstatements that are more than inconsequential but less than material. Therefore, the likelihood

that a misstatement that was more than inconsequential, but less than material, could occur is more

than remote.

Scenario B – Material Weakness

During its assessment of internal control over financial reporting, management of a financial institution

identifies deficiencies in:

• The design of controls over the estimation of credit losses (a critical accounting estimate);

• The operating effectiveness of controls for initiating, processing, and reviewing

adjustments to the allowance for credit losses; and

• The operating effectiveness of controls designed to prevent and detect the improper

recognition of interest income.

Management and the auditor agree that, in their overall context, each of these deficiencies individually

represents a significant deficiency. In addition, during the past year, the company experienced a

significant level of growth in the loan balances that were subjected to the controls governing credit

loss estimation and revenue recognition, and further growth is expected in the upcoming year.

Based only on these facts, the auditor should determine that the combination of these significant

deficiencies represents a material weakness for the following reasons:


1. The balances of the loan accounts affected by these significant deficiencies have increased

over the past year and are expected to increase in the future.

2. This growth in loan balances, coupled with the combined effect of the significant deficiencies

described, results in a more than remote likelihood that a material misstatement of the

allowance for credit losses or interest income could occur.

Therefore, in combination, these deficiencies meet the definition of a material weakness.

Responding to Misstatements Caused by Fraud

If the auditor determines that the effect of the misstatement caused by fraud is immaterial, the

implications should be evaluated. If the auditor believes that the effect of the misstatement caused

by fraud is material, or is unable to determine the materiality of the misstatement, the following

actions should be considered:

• Undertake to obtain additional evidential matter to ascertain whether material fraud has

occurred, or is likely to have occurred, and if so, its related effects on the financial statements

as well as the auditor’s report;

• Evaluate the possible effects on other aspects of the audit;

• Discuss the matter and the approach for further investigation with an appropriate level of

management that is at least one level above those involved, and with senior management,

and the audit committee, and

• Determine whether it is appropriate to advise the auditee to consult with its legal counsel.

The auditor should notify an appropriate level of management if the auditor determines that there is

evidence of fraud, even if the fraud is inconsequential.

The auditor should notify those charged with governance (e.g. audit committee) if the auditor

determines that there is fraud that:

• Involves senior management, and

• Results in material misstatement in the financial statements

When the auditor concludes that identified fraud risk factors have continuing internal control

implications, the auditor should assess such factors for significant deficiencies and material

weaknesses that require communication to senior management or those charged with governance.

The auditor is permitted to disclose fraud to non-client personnel under the following

circumstances:

1. Permitted by law or regulatory requirements;


2. A predecessor auditor communicates with a successor auditor pursuant to the provisions of

AU 315, Understanding the Entity and Its Environment and Assessing the Risks of Material

Misstatement;

3. Responding to a subpoena, and

4. Required to notify a funding agency or other specified agency pursuant to requirements for

the audits of entities that receive governmental financial assistance

Under AU 240, the auditor is required to document the following.

• The details of the required brainstorming.

• The procedures performed to identify and assess the risks of material misstatement caused

by fraud.

• Specific risks of material misstatement caused by fraud that the auditor identified as well as a

description of the auditor’s response thereto.

• The basis for the conclusion, if the auditor has not identified in a particular circumstance

improper revenue recognition as a risk of material misstatement caused by fraud.

• The results of the procedures to further address the risk of management override of internal

controls.

• Other conditions and results of analytical procedures that led the auditor to believe that

additional audit procedures were necessary, as well as any further responses the auditor

considered necessary.

• The nature of the communications concerning fraud made to management, and those charged

with governance.

Reporting Audit Results

Types of Audit Opinions

The auditor is required to evaluate management's assessment and to express an opinion on that

assessment. Also, the auditor must independently audit and report on the effectiveness of ICFR. The

content of the auditor's report on ICFR is prescribed by the auditing standards, and although there are

many nuances to the auditor's reporting, the most common external auditor reports are likely to be:

1. Unqualified opinions on both management's assessment and the effectiveness of ICFR. An opinion

that management's assessment is fairly stated in all material respects, along with an opinion that

ICFR is effective in all material respects as of the assessment date.

2. Unqualified opinion on management's assessment that ICFR is ineffective and adverse opinion on

the effectiveness of ICFR. An opinion that management's assessment (that ICFR is not effective) is


fairly stated in all material respects, along with an opinion that ICFR is ineffective because of one

or more material weaknesses.

When one or more material weaknesses exist as of the assessment date, the auditor must express

an adverse opinion on the effectiveness of the company's ICFR. The auditor will still render an

unqualified opinion on management's assessment if management properly reported the material

weakness and concluded in its assessment that ICFR was ineffective.

3. If the auditor disagrees with management about whether a material weakness exists (i.e., the

auditor concludes a material weakness exists but management does not), the auditor will render

an adverse opinion on management's assessment. When expressing an adverse opinion on the

effectiveness of ICFR, the auditor should provide specific information about the nature of the

material weakness and its actual and potential effect on the company's financial statements. The

PCAOB has also stated that it expects disclosure sufficient to allow users to understand the

weakness and its actual and potential implications on the financial statements.

The following table summarizes the most likely reporting scenarios:

Most Likely Reporting Scenarios - ICFR

                                                        Auditor’s Report
                                      Management’s    ------------------------------------------------
Scenario                              Assessment      Management’s   Effectiveness   Financial
                                                      Report         of ICFR (2)     Statement
No material weakness identified       Effective       Unqualified    Unqualified     Unqualified
Material weakness identified by       Not Effective   Unqualified    Adverse         Unqualified (1)
  management and the auditor
Material weakness identified by the   Effective       Adverse        Adverse         Unqualified
  auditor, not by management (3)

(1) Presumes the auditor is able to perform sufficient procedures to conclude that the financial
statements are fairly stated

(2) ICFR

(3) In this situation, management and the auditor disagree on whether a control deficiency constitutes
a material weakness.

4. Disclaimer of opinion. A disclaimer of opinion is a report stating that because of restrictions on

the scope of the auditor's work, the auditor is unable to, and does not, express an opinion on

management's assessment or the effectiveness of ICFR. A disclaimer may be issued in situations

where the auditor believes management's assessment process is inadequate or where there are

restrictions on the scope of the auditor's work. In a disclaimer situation, the auditor's report must

also disclose any material weaknesses that have been identified.


If management simply decides to forgo the required testing or documentation needed to form a

sufficient basis for management's assessment, the auditor is precluded from rendering an opinion,

because management did not fulfill its responsibilities. In these instances, the auditor either

disclaims an opinion both on management's assessment and on the effectiveness of ICFR, or

withdraws from the engagement.

Audit Matters

Critical Audit Matters

AS 3101, The Auditor's Report on an Audit of Financial Statements When the Auditor Expresses an

Unqualified Opinion, requires auditors to communicate critical audit matters in the auditor’s report.

The standard generally applies to audits conducted under PCAOB standards. However, communication

of critical audit matters is NOT required for audits of brokers and dealers reporting under Exchange

Act Rule 17a-5; investment companies under the Investment Company Act; emerging growth

companies, and employee stock purchase, savings, and similar plans.

A critical audit matter is defined as

“Any matter arising from the audit of the financial statements that was communicated or required to

be communicated to the audit committee and that:

− Relates to accounts or disclosures that are material to the financial statements; and

− Involved especially challenging, subjective, or complex auditor judgment.”

Since AS 3101 is principles-based, it does not specify any matters that would always constitute critical

audit matters. The PCAOB expects that, in most audits to which the critical audit matter requirements

apply, there will be at least one critical audit matter. However, there also may be audits in which the

auditor determines there are no critical audit matters.

To determine whether there are any critical audit matters in the audit of the current period's financial

statements, auditors should take into account, alone or in combination, the following factors, as well

as other factors specific to the audit:

• The auditor's assessment of the risks of material misstatement, including significant risks;

• The degree of auditor judgment related to areas in the financial statements that involved the

application of significant judgment or estimation by management;

• The nature and timing of significant unusual transactions and the extent of audit effort and

judgment related to these transactions;

• The degree of auditor subjectivity in applying audit procedures to address the matter or in

evaluating the results of those procedures;


• The nature and extent of audit effort required to address the matter, including the extent of

specialized skill or knowledge needed or the nature of consultations outside the engagement

team regarding the matter; and

• The nature of audit evidence obtained regarding the matter.

Examples of critical audit matters include revenue recognition (e.g. contract modification, multiple

performance obligations), real estate valuation, impairment analysis, accounting for acquisitions, and

the valuation allowance for deferred tax assets. According to SEC’s EDGAR system and the PCAOB, the

most frequently communicated critical audit matters include goodwill and other intangible assets,

revenue recognition, taxes, and business combinations.

Exhibit B presents an example of an auditor’s report on critical audit matters from Microsoft’s Form

10-K.

The requirements related to critical audit matters are effective for audits of fiscal years ending on or

after June 30, 2019, for large accelerated filers; and for fiscal years ending on or after December 15,

2020, for all other companies to which the requirements apply.

Key Audit Matters

In May 2019, the ASB issued SAS 134, Auditor Reporting and Amendments, Including Amendments

Addressing Disclosures in the Audit of Financial Statements, resulting in significant changes to the

auditor’s reporting model. SAS 134 replaces AU 700, 705 and 706 and introduces a new section 701.

AU 701, Communicating Key Audit Matters in the Independent Auditor’s Report, discusses the auditor’s

responsibility to communicate key audit matters in the auditor’s report when the auditor is engaged

to do so. Key audit matters are defined as

“Those matters that, in the auditor's professional judgment, were of most significance in the audit of

the financial statements of the current period. Key audit matters are selected from matters

communicated with those charged with governance.”

Under AU 701, when determining key audit matters, auditors should take into account the following:

• Areas of higher assessed risk of material misstatement, or significant risks identified;

• Significant auditor judgments relating to areas in the financial statements that involved

significant management judgment (e.g. estimates with high uncertainty); and

• The effect on the audit of significant events or transactions that occurred during the period.

Neither SAS 134 nor GAAS requires the communication of key audit matters.

Section 705 prohibits the auditor from communicating key audit matters when the auditor expresses

an adverse opinion or disclaims an opinion.


SAS 134 is effective for audits of financial statements for periods ending on or after December 15,

2020. Early implementation is not permitted.

The frameworks for determining a critical audit matter and key audit matter are similar and begin with

those matters communicated or required to be communicated to the audit committee. For example,

key audit matters are selected from matters communicated with those charged with governance.

Critical audit matters are matters arising from the audit of the financial statements that were

communicated or required to be communicated to the audit committee.

Exhibit B: Microsoft − Critical Audit Matters

The following are excerpts from Microsoft’s 2019 Form 10-K

Critical Audit Matter Description

The Company recognizes revenue upon transfer of control of promised products or services to

customers in an amount that reflects the consideration the Company expects to receive in exchange

for those products or services. The Company offers customers the ability to acquire multiple licenses

of software products and services, including cloud-based services, in its customer agreements through

its volume licensing programs.

Significant judgment is exercised by the Company in determining revenue recognition for these

customer agreements, and includes the following:

• Determination of whether products and services are considered distinct performance obligations

that should be accounted for separately versus together, such as software licenses and related

services that are sold with cloud-based services.

• Determination of stand-alone selling prices for each distinct performance obligation and for

products and services that are not sold separately.

• The pattern of delivery (i.e., timing of when revenue is recognized) for each distinct performance

obligation.

• Estimation of variable consideration when determining the amount of revenue to recognize (e.g.,

customer credits, incentives, and in certain instances, estimation of customer usage of products

and services).

Given these factors, the related audit effort in evaluating management’s judgments in determining

revenue recognition for these customer agreements was extensive and required a high degree of

auditor judgment.

How the Critical Audit Matter Was Addressed in the Audit

Our principal audit procedures related to the Company’s revenue recognition for these customer

agreements included the following:


• We tested the effectiveness of internal controls related to the identification of distinct

performance obligations, the determination of the timing of revenue recognition, and the

estimation of variable consideration.

• We evaluated management’s significant accounting policies related to these customer

• We selected a sample of customer agreements and performed the following procedures:

• Obtained and read contract source documents for each selection, including master agreements,

and other documents that were part of the agreement.

• Tested management’s identification of significant terms for completeness, including the

identification of distinct performance obligations and variable consideration.

• Assessed the terms in the customer agreement and evaluated the appropriateness of

management’s application of their accounting policies, along with their use of estimates, in the

determination of revenue recognition conclusions.

• We evaluated the reasonableness of management’s estimate of stand-alone selling prices for

products and services that are not sold separately.

• We tested the mathematical accuracy of management’s calculations of revenue and the

associated timing of revenue recognized in the financial statements.

Other Considerations

Considerations Specific to Smaller, Less Complex Entities

Testing Design Effectiveness. A smaller, less complex company might achieve its control objectives

differently from a larger, more complex organization. For example, a smaller, less complex company

might have fewer employees in the accounting function, limiting opportunities to segregate duties and

leading the company to implement alternative controls to achieve its control objectives. In such

circumstances, the auditor should evaluate whether those alternative controls are effective.

Testing Operating Effectiveness. In some situations, particularly in smaller companies, a company

might use a third party to assist with certain financial reporting functions. When assessing the

competence of personnel responsible for a company's financial reporting and associated controls, the

auditor may take into account the combined competence of company personnel and other parties

that assist with functions related to financial reporting.

Relationship of Risk to the Evidence Obtained. A smaller, less complex company or unit might have

less formal documentation regarding the operation of its controls. In those situations, testing controls

through inquiry combined with other procedures, such as observation of activities, an inspection of


less formal documentation, or re-performance of certain controls, might provide sufficient evidence

about whether the control is effective.

Considerations of Financial Information Systems

Cybersecurity risks and controls are within the scope of the financial statement auditor’s concern only

if they affect financial statements and company assets to a material extent. That is, the concern is

limited to the systems and applications that house financial statement-related data. Accordingly, the

financial statement and ICFR audit responsibilities do not encompass an evaluation of cybersecurity

risks across a company’s entire IT platform but only address systems and controls related to the

financial reporting process. The

Center for Audit Quality (CAQ) Alert #2014-3: Cybersecurity and the External Audit provides the

following graphic depicting the typical access path to an IT system. According to CAQ, cyber incidents

usually first occur through the perimeter and internal network layers, which tend to be further

removed from the application, database, and operating systems that are typically included in access

control testing of systems that affect the financial statements.

IT is an important component of any risk assessment. IT risks include threats to data integrity, attacks

by hackers on system security, viruses, unauthorized access to data, and theft of financial and

sensitive information. Therefore, the auditor is required to obtain an understanding of specific risks to

a company's ICFR resulting from the information systems. The PCAOB identifies the following

examples of such risks:

• Reliance on systems or programs that are inaccurately processing data, processing inaccurate

data, or both

• Unauthorized access to data that might destroy data or improper changes to data, including

the recording of unauthorized or non-existent transactions or inaccurate recording of

transactions (particular risks might arise when multiple users access a common database)

[Figure: CAQ Alert #2014-3 typical access path to an IT system, from the outermost layer inward: Perimeter Network, Internal Network, Operating System, Database, Application]

• The possibility of IT personnel gaining access privileges beyond those necessary to perform

their assigned duties, thereby breaking down segregation of duties

• Unauthorized changes to data in master files

• Unauthorized changes to systems or programs

• Failure to make necessary changes to systems or programs

• Inappropriate manual intervention

• Potential loss of data or inability to access data as required

In the audit of the financial statements and ICFR, the auditor is required to obtain a sufficient

understanding of the internal control units or areas, including knowledge about the design of controls

and whether they have been placed in operation. In a company’s IT environment, auditors usually

focus their attention on IT systems and controls, and how they affect the company's flow of

transactions. IT controls (e.g. general controls, application controls) relate to the security

(confidentiality, integrity, and availability) of an organization’s information and systems, as well as its

overall financial objectives including completeness, accuracy, validity, and authorization. Specifically,

auditors are required to obtain an understanding of automated controls used by the company,

including:

1. IT controls that are important to the effective operation of the automated controls

2. The reliability of data and reports used in the audit that were produced by the company

Upon gaining an understanding of controls, the auditor assesses the effectiveness of IT controls, that

is, whether the controls are properly designed, implemented, and operating effectively. For example, the

auditor may review access and changes to systems and data that could impact the financial statements

and the effectiveness of ICFR.
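As an added example (not part of the course material), the following Python script shows the kind of access and change review described above: it checks a constructed user-entitlement export for segregation-of-duties conflicts (personnel holding privileges beyond their assigned duties) and a constructed master-file change log for changes made without an approved change ticket or by someone who is not an authorized owner of that master file. All users, entitlement names, tables and ticket numbers are hypothetical.

```python
"""Added example (not from the course): an IT general controls review that
checks a constructed entitlement export for segregation-of-duties conflicts
and a constructed master-file change log for unauthorized or unticketed
changes. All users, entitlements, tables and ticket numbers are hypothetical."""
import csv
import io
from collections import defaultdict

# Constructed SoD rules: entitlement pairs that one person should not hold.
# Kept as an ordered list so findings come out in a stable order.
SOD_CONFLICTS = [
    ("VENDOR_MASTER_MAINTAIN", "PAYMENT_APPROVE"),  # create a vendor and pay it
    ("JE_POST", "JE_APPROVE"),                      # post and approve own journals
    ("USER_ADMIN", "JE_POST"),                      # IT admin with business posting rights
]

# Constructed user-entitlement export (hypothetical users and roles).
ENTITLEMENTS_CSV = """user,entitlement
alice,VENDOR_MASTER_MAINTAIN
alice,PAYMENT_APPROVE
bob,JE_POST
carol,JE_APPROVE
dave,USER_ADMIN
dave,JE_POST
"""

# Constructed master-file change log; an empty ticket means no change request.
CHANGE_LOG_CSV = """timestamp,user,table,record,ticket
2020-03-02T10:15:00,alice,VENDOR_MASTER,V-1001,CHG-401
2020-03-03T22:40:00,dave,VENDOR_MASTER,V-1002,
2020-03-05T09:05:00,bob,GL_ACCOUNT_MASTER,4000,CHG-402
"""

# Constructed reference data: approved change tickets and authorized owners.
APPROVED_TICKETS = {"CHG-401"}
MASTER_FILE_OWNERS = {"VENDOR_MASTER": {"alice"}, "GL_ACCOUNT_MASTER": {"erin"}}


def load_entitlements(text):
    """Map each user to the set of entitlements listed in the export."""
    users = defaultdict(set)
    for row in csv.DictReader(io.StringIO(text)):
        users[row["user"]].add(row["entitlement"])
    return users


def sod_conflicts(users):
    """Return (user, (entitlement_a, entitlement_b)) for every conflicting pair held."""
    findings = []
    for user in sorted(users):
        for a, b in SOD_CONFLICTS:
            if a in users[user] and b in users[user]:
                findings.append((user, (a, b)))
    return findings


def master_file_exceptions(text):
    """Flag changes lacking an approved ticket or made by a non-owner of the table."""
    findings = []
    for row in csv.DictReader(io.StringIO(text)):
        reasons = []
        if row["ticket"] not in APPROVED_TICKETS:
            reasons.append("no approved change ticket")
        if row["user"] not in MASTER_FILE_OWNERS.get(row["table"], set()):
            reasons.append("user is not an authorized owner")
        if reasons:
            findings.append((row["user"], row["table"], row["record"], reasons))
    return findings


if __name__ == "__main__":
    for user, pair in sod_conflicts(load_entitlements(ENTITLEMENTS_CSV)):
        print(f"SoD conflict: {user} holds {pair[0]} and {pair[1]}")
    for user, table, record, reasons in master_file_exceptions(CHANGE_LOG_CSV):
        print(f"Master-file exception: {user} changed {table}/{record}: {'; '.join(reasons)}")
```

On the constructed data the script reports two SoD conflicts (alice, dave) and two master-file exceptions (dave's unticketed change and bob's change to a table he does not own); the alice change with ticket CHG-401 passes both checks.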

A smaller, less complex entity or component with simple business processes and centralized

accounting operations might have relatively simple information systems that make greater use of off-the-shelf

packaged software without modification. In the areas where off-the-shelf software is used,

the auditor’s testing of IT controls might focus on the application controls built into the prepackaged

software that management relies on to achieve its control objectives and the IT general controls that

are important to the effective operation of those application controls.

[Figure: General Audit Process: IT Controls Review. Steps: Understand the IT environment; Assess the IT risks of material misstatement; Identify systems and IT controls to be reviewed; Evaluate IT controls design and operating effectiveness]

Appendix D provides a computer application checklist. It may be used to document your understanding

of the way computers are used in the information and communication systems of a medium to large

business.

Management Written Representations

In an audit of ICFR, the auditor should obtain written representations from management –

1. Acknowledging management's responsibility for establishing and maintaining effective ICFR;

2. Stating that management has performed an evaluation and made an assessment of the

effectiveness of the company's ICFR and specifying the control criteria;

3. Stating that management did not use the auditor's procedures performed during the audits of

ICFR or the financial statements as part of the basis for management's assessment of the

effectiveness of ICFR;

4. Stating management's conclusion, as set forth in its assessment, about the effectiveness of

the company's ICFR based on the control criteria as of a specified date;

5. Stating that management has disclosed to the auditor all deficiencies in the design or

operation of ICFR identified as part of management's evaluation, including separately

disclosing to the auditor all such deficiencies that it believes to be significant deficiencies or

material weaknesses in ICFR;

6. Describing any fraud resulting in a material misstatement to the company's financial

statements and any other fraud that does not result in a material misstatement to the

company's financial statements but involves senior management or management or other

employees who have a significant role in the company's ICFR;

7. Stating whether control deficiencies identified and communicated to the audit committee

during previous engagements have been resolved, and specifically identifying any that have

not; and

8. Stating whether there were, subsequent to the date being reported on, any changes in ICFR

or other factors that might significantly affect ICFR, including any corrective actions taken by

management with regard to significant deficiencies and material weaknesses.

The failure to obtain written representations from management, including management's refusal to

furnish them, constitutes a limitation on the scope of the audit. When the scope of the audit is limited,

the auditor should either withdraw from the engagement or disclaim an opinion. Further, the auditor

should evaluate the effects of management's refusal on his or her ability to rely on other

representations, including those obtained in the audit of the company's financial statements.


Communication of Certain Matters

The auditor should communicate in writing to management and those charged with governance (audit

committee) significant deficiencies and material weaknesses identified during the integrated audit,

including those that were remediated during the integrated audit and those that were previously

communicated but have not yet been remediated.

If the auditor concludes that the oversight of the entity’s financial reporting and ICFR by the audit

committee (or similar subgroups with different names) is ineffective, the auditor should communicate

that conclusion in writing to the board of directors or other similar governing body.

The auditor also should consider whether there are any deficiencies, or combinations of deficiencies,

that have been identified during the audit that are significant deficiencies and must communicate such

deficiencies, in writing, to the audit committee.

The auditor also should communicate to management, in writing, all deficiencies in ICFR (i.e., those

deficiencies in ICFR that are of a lesser magnitude than material weaknesses) identified during the

audit and inform the audit committee when such a communication has been made. When making this

communication, the auditor does not need to repeat information about such deficiencies that have

been included in previously issued written communications, whether those communications were

made by the auditor, internal auditors, or others within the organization.

Use of the Work of Internal Auditors or Others

In an audit of ICFR, the external auditor may use the work of the internal audit function in obtaining

audit evidence or use internal auditors to provide direct assistance under the direction, supervision,

and review of the external auditor. For purposes of the audit of ICFR, however, the auditor also may

use the work performed by, or receive direct assistance from, others. Others include entity personnel

(in addition to internal auditors) and third parties working under the direction of management or those

charged with governance that provide evidence about the effectiveness of ICFR. In an integrated

audit, the auditor also may use the work of internal auditors or others to obtain evidence supporting

the assessment of control risk for purposes of the financial statement audit.

As the risk associated with a control increases, the need for the auditor to directly perform work on

the control increases (for example, for controls that address specific fraud risks, use of the work of the

internal audit function or others would be limited, if it could be used at all).


Part III − Section 2 Review Questions

19. When obtaining an understanding of an entity's control environment, why should an auditor

concentrate on the substance of controls rather than their form?

A. The auditor may believe that the controls are inappropriate for that particular entity

B. The board of directors may not be aware of management's attitude toward the control

environment

C. Management may establish appropriate controls but not act on them

D. The controls may be so ineffective that the auditor may assess control risk at the maximum

level

20. Which of the following approaches is required by both the PCAOB and the AICPA in determining

the scope of testing for financial audits?

A. A methodical approach

B. An inclusive approach with all team members participating in the decision

C. A risk-based approach

D. A democratic approach with all team members voting on the scope of testing

21. Which of the following factors is most important concerning an auditor's responsibility to detect

errors and fraud?

A. The susceptibility of the accounting records to intentional manipulations, alterations, and the

misapplication of accounting principles.

B. The probability that unreasonable accounting estimates result from unintentional bias or

intentional attempts to misstate the financial statements.

C. The possibility that management fraud, defalcations, and the misappropriation of assets may

indicate the existence of illegal acts.

D. The risk that mistakes, falsifications, and omissions may cause the financial statements to

contain material misstatements.

22. An auditor tests an entity's policy of obtaining credit approval before shipping goods to customers

in support of which of the following management's financial statement assertions?

A. Valuation or allocation.

B. Completeness.

C. Existence or occurrence.

D. Rights and obligations.


23. What is the type of opinion the auditor will render on management's assessment if the auditor

disagrees with management about whether a material weakness exists?

A. Adverse opinion

B. Qualified opinion

C. Disclaimer of opinion

D. Unqualified opinion


PART IV. Fraud Prevention and Detection

Fraud Awareness

Basics of Fraud

Definition of Fraud

Fraud is a broad term that refers to a variety of offenses involving dishonesty or fraudulent acts. In

general, the purpose of fraud may be monetary gain or other benefits. Consequently, fraud includes

any intentional or deliberate act to deprive another of property or money by deception or other unfair

means. Depending on the industry, there could be several definitions of fraud. It is important to adopt

the most appropriate definition to be used by auditors and organizations when performing a fraud risk

assessment.

Definitions of Fraud by Source

Generally Accepted Government Auditing Standards (GAGAS): Fraud involves obtaining something of value through willful misrepresentation. Whether an act is, in fact, fraud is a determination to be made through the judicial or other adjudicative system and is beyond auditors’ professional responsibility.

Generally Accepted Auditing Standards (GAAS):

• Fraud: An intentional act by one or more individuals among management, those charged with governance, employees, or third parties, involving the use of deception that results in a material misstatement in financial statements that are the subject of an audit.

• Fraud Risk Factors: Events or conditions that indicate an incentive or pressure to perpetrate fraud, provide an opportunity to commit fraud, or indicate attitudes or rationalizations to justify a fraudulent action.

The Association of Certified Fraud Examiners (ACFE):

• Fraud: Any intentional act or omission designed to deceive others and resulting in the victim suffering a loss and/or the perpetrator achieving a gain.

• Occupational Fraud: The use of one’s occupation for personal enrichment through the deliberate misuse or misapplication of the employing organization’s resources or assets.

International Professional Practices Framework (IPPF): Any illegal act characterized by deceit, concealment, or violation of trust. These acts are not dependent on the threat of violence or physical force. Frauds are perpetrated by parties and organizations to obtain money, property, or services; to avoid payment or loss of services; or to secure personal or business advantage.

Fraud can mean many things and result from many varied relationships between offenders and

victims. The Chartered Institute of Management Accountants identifies the following common

examples of fraud:

• Crimes by individuals against consumers, clients or other businesspeople, e.g.

misrepresentation of the quality of goods; pyramid trading schemes

• Employee fraud against employers, e.g. payroll fraud; falsifying expense claims; thefts of cash,

assets or intellectual property; false accounting

• Crimes by businesses against investors, consumers and employees, e.g. financial statement

fraud; selling counterfeit goods as genuine ones; not paying over tax or National Insurance

contributions paid by staff

• Crimes against financial institutions, e.g. using lost and stolen credit cards; check frauds;

fraudulent insurance claims

• Crimes by individuals or businesses against the government, e.g. grant fraud; social security

benefit claim frauds; tax evasion

• Crimes by professional criminals against major organizations, e.g. major counterfeiting rings;

mortgage frauds; ‘advance fee’ frauds; corporate identity fraud; money laundering

• E-crime by people using computers and technology to commit crimes, e.g. phishing;

spamming; copyright crimes; hacking; social engineering frauds.

Fraud Triangle

To fight fraud, one must not only recognize that it occurs, but also understand how and why it occurs. In 1950, Donald

R. Cressey, a criminologist, examined why people commit fraud; his work produced the three elements of

the fraud triangle, which remains the most widely accepted model for explaining why people commit

fraud. According to Cressey, all three elements, opportunity, pressure, and rationalization, must be

present at the same time for fraud to occur. Although organizations have limited control over a

fraudster’s pressures and rationalizations, they can take proactive steps to significantly reduce the

opportunities to commit fraud.


Each element is discussed in the following sections.

Opportunity

Opportunity is the ability to commit fraud or to conceal it. Thus, fraud is more likely in an organization

where there is:

1. Weak internal control system;

2. Poor security over assets;

3. Weak ethical culture;

4. Little fear of exposure and likelihood of detection;

5. Lack of consequences for perpetrators;

6. Ineffective anti-fraud programs;

7. Poor supervision;

8. Lack of training, and

9. Unclear policies regarding acceptable behavior

Research has shown that some employees are totally honest, some are totally dishonest, but that

many are swayed by opportunity. Although opportunity is often the most challenging element to spot, it is

fairly easy to control through improvements to internal controls and changes to policies and

procedures. Organizations must establish processes, procedures and controls that do not put

employees in a position to commit fraud. For example, an employee may see an opportunity to write

a check payable to himself if he has access to blank checks. However, the check would be identified

during the reconciliation of the bank statement, and the employee would be caught. Although an

opportunity to steal exists, there is no opportunity to steal without being caught. If the control

environment is weak and segregation of duties is not in place (e.g. the same employee reconciles

the bank statement), the employee has a perceived opportunity to commit fraud under this

circumstance.

[Figure: The Fraud Triangle, with its three elements Opportunity, Pressure, and Rationalization]
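The blank-check scenario above, as an added illustration that is not part of the course text: a segregation-of-duties review over a constructed check-disbursement log, which flags a self-payment as an unmitigated opportunity only when the preparer also reconciles the bank statement. The names, duty labels and conflict pairs are constructed assumptions.

```python
"""Added example (not from the course text): a simple segregation-of-duties
review of a constructed check-disbursement log.

A self-payment is an unmitigated opportunity only if the same person also
reconciles the bank statement, because an independent reconciliation would
otherwise surface the check. Names, duty labels and conflict pairs below
are constructed assumptions for illustration.
"""
from collections import namedtuple
from itertools import combinations

# One disbursement record: who prepared the check, who it was payable to,
# and who reconciled the bank statement in which it cleared.
Check = namedtuple("Check", "number preparer payee amount reconciler")

# Constructed sample log (not real data).
SAMPLE_CHECKS = [
    Check(1001, "alice", "Acme Supply Co.", 1200.00, "bob"),
    Check(1002, "alice", "alice", 450.00, "bob"),    # self-payment, independent reconciler
    Check(1003, "carol", "carol", 980.00, "carol"),  # self-payment, self-reconciled
    Check(1004, "carol", "Office Depot", 310.00, "carol"),
]

# Duty pairs one person should not hold at the same time (assumed list).
# Each pair joins the ability to commit with the ability to conceal.
SOD_CONFLICTS = {
    frozenset({"prepare_checks", "reconcile_bank"}),
    frozenset({"approve_vendor", "prepare_checks"}),
    frozenset({"receive_cash", "post_receivables"}),
}


def duties_from_log(checks):
    """Infer who actually performs which duty from the log itself, rather
    than trusting the documented role assignments."""
    assignments = {}
    for c in checks:
        assignments.setdefault(c.preparer, set()).add("prepare_checks")
        assignments.setdefault(c.reconciler, set()).add("reconcile_bank")
    return assignments


def find_sod_violations(assignments):
    """Return {user: [(duty_a, duty_b), ...]} for every user who holds a
    conflicting pair of duties."""
    violations = {}
    for user, duties in assignments.items():
        hits = [(a, b) for a, b in combinations(sorted(duties), 2)
                if frozenset((a, b)) in SOD_CONFLICTS]
        if hits:
            violations[user] = hits
    return violations


def review_disbursements(checks):
    """Flag each check with the control concern it raises.

    'self-payment' marks a check payable to its preparer; 'no independent
    reconciliation' marks a check reconciled by its own preparer. A check
    carrying both is the weak-control case described in the text.
    """
    findings = []
    for c in checks:
        if c.payee == c.preparer:
            findings.append((c.number, "self-payment"))
        if c.reconciler == c.preparer:
            findings.append((c.number, "no independent reconciliation"))
    return findings


def unmitigated_opportunities(checks):
    """Check numbers where a self-payment would not be caught by an
    independent reconciliation."""
    flagged = {}
    for number, finding in review_disbursements(checks):
        flagged.setdefault(number, set()).add(finding)
    return sorted(n for n, f in flagged.items()
                  if {"self-payment", "no independent reconciliation"} <= f)


if __name__ == "__main__":
    print("SoD violations:", find_sod_violations(duties_from_log(SAMPLE_CHECKS)))
    print("Findings:", review_disbursements(SAMPLE_CHECKS))
    print("Unmitigated:", unmitigated_opportunities(SAMPLE_CHECKS))
```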

Opportunity often arises because the fraudster knows what the auditor will do: when, what, and

how much the auditor tests. For example, if the fraudster expects that the auditor always

tests only large transactions in June, the fraudster can commit the fraud on small transactions in other

months. In assessing the risk of fraud committed due to the opportunity, organizations should

consider the following questions:

What is new?

Sometimes it can take a while for new contracts and operations to evolve and for controls to be put in place. Opportunists can quickly take advantage of poor control supervision.

For example, the transition from developing a system to operating it brings the opportunity to pass off development costs as operating costs, because the normal level of operating costs is not yet known.

What is remote?

Many frauds occur in an organization’s remote operations. Opportunists can take advantage of less stringent supervision and controls in an environment of limited resources resulting in poor segregation of duties.

For example, because there is often less value at remote locations, organizations tend to put less effort into internal audits and reviews there.

Is a transaction complex?

Complex transactions, in which no one fully understands the nature of the contract and the payments, are susceptible to fraud.

For example, a fraudster can put through charges that may not comply with the contract, or with the legitimate parties’ intentions.

Where are the controls weak?

Managers should pay attention to the following areas:

• Regularly found to be non-compliant

• Control processes being reduced

• Lack of segregation of duties

• History of complaints, such as violation of policies and procedures, taking short-cuts when obtaining approvals, or making regular and/or unusual adjustments and arrangements

Is urgency frequently used as an excuse?

Many frauds and improper transactions occur under the guise of urgency, where the initiator has the opportunity to circumvent approvals and quotation requirements.

Source: The PwC Global Economic Crime Survey 2016 - Fighting Fraud in the Public Sector

Pressure/Incentive

Pressure is what causes a person to commit fraud. In simple terms, motivation is typically based on

greed or need. Although many people are faced with the opportunity to commit fraud, only a minority

of the greedy or needy do so. According to the Chartered Institute of Management Accountants, in

general, greed is the number one cause of fraud, along with problems with debt and gambling.

Personality and temperament, including how frightened people are about the consequences of taking

risks, also influence their decisions. Some people with good principles fall into negative behavior

patterns and develop a taste for the fast life, which tempts them to commit fraud. Others are motivated

only when faced with personal and/or professional ruin. The ACFE lists the following examples of

pressures that commonly lead to fraud:

• Living beyond one’s means

• High bills or personal debt

• Personal financial losses

• Family or peer pressure

• Unexpected financial needs

• Substance abuse or addictions

• Need to meet productivity targets at work

In assessing the risk of fraud committed due to pressure or motive, organizations should consider the

following questions:

What is of greatest value?

A person’s motive or incentive to commit fraud is determined by the value of what they intend to obtain. Liquid assets are usually considered the most valuable.

For example, chairs are not very liquid as 1) they are hard to move, 2) resale value is low, and 3) the crime is generally difficult to repeat. However, laptop computers and other IT equipment are liquid as 1) they are easily transportable and usually generic in appearance, and 2) there is a ready resale market.

What value could the crime bring to the perpetrator, relative to the risk they must take?

Taking a pen is low value and less likely to be done on a material scale. However, using information to perpetrate identity fraud can be valuable, as can kickbacks from large tendering contracts. Therefore, the higher the value, the greater the risk someone is willing to take.

Source: The PwC Global Economic Crime Survey 2016 - Fighting Fraud in the Public Sector

Rationalization

Rationalization is the justification a fraudster uses to make the act acceptable to himself or herself; it must

occur before the crime takes place. Rationalization is usually detected by observing the fraudster’s

comments or attitudes. In general, people rationalize fraudulent actions as:

• Necessary − especially when it is done for the business

• Harmless − because the victim is large enough to absorb the impact

• Justified − because the victim deserved it or because I was mistreated

There are two aspects of rationalization:


1. The fraudster concludes that the gain to be realized from fraudulent activities outweighs the

possibility for detection.

2. The fraudster needs to justify committing the fraud. Justification can relate to job

dissatisfaction or perceived entitlement, or saving one’s family, possessions, or status.

Rationalization is personal to the individual and more difficult to combat, although ensuring that the

company has a strong ethical culture and clear values should help. Moreover, management may

reduce rationalization through its actions, for example, by implementing fair work and pay practices,

equitable and consistent treatment of employees, and tone at the top.

The ACFE identified the following common excuses given by fraudsters to explain their corrupt

conduct:

• Everyone else does it.

• We have always done it.

• It was the only way we could compete.

• We thought our anti-corruption programs were sufficient.

• We did not know the conduct would be considered a bribe.

• It was not a bribe; it was part of conducting business.

• Bribery is part of the culture in the country.

In assessing the risk of fraud committed due to rationalization, organizations should consider the

following questions:

Do people feel undervalued?

People who commit fraud will often claim that they felt entitled because they had not received recognition from their work or there was an expectation that they would do more.

Is there an attitude of everyone does it?

Some fraudsters perceive that everyone takes advantage of the government and so they can too. This usually occurs with respect to relatively minor issues such as leave, expenses and allowances. The person does not think of it as an economic crime but as a benefit that everyone takes.

Are there people who would seek revenge?

Social policy agencies can be targeted for cybercrime as a protest of government policy.

Source: The PwC Global Economic Crime Survey 2016 - Fighting Fraud in the Public Sector


The Evolution of Fraud

Although Cressey’s classic fraud triangle applies to most fraud cases, it does not explain all situations.

There have been significant social changes since Cressey’s study in the 1950s:

Social Changes: Then & Now

The 1950s:

• Straight-line reporting authority

• Manual processes

• Dual responsibility

• Single suppliers

• Local or regional service area

• Step-up salary structure

The 2000s:

• Matrixed organizations

• Automation

• Autonomous authority

• Multiple vendors and global trading partners

• Global reach

• Performance-based pay

Source: Crowe Horwath LLP

Many anti-fraud experts believe that the fraud triangle could be enhanced by incorporating the

element of capability since personal traits and abilities play a major role in whether fraud will actually

occur. This fourth element transforms Cressey’s model from a triangle into a diamond:

Source: The ACFE − Fighting Fraud in the Government

According to David Wolfe and Dana Hermanson, The Fraud Diamond: Considering the Four Elements

of Fraud, “Opportunity opens the doorway to fraud, and incentive and rationalization can draw the

person toward it. But the person must have the capability to recognize the open doorway as an

opportunity and to take advantage of it by walking through, not just once, but time and time again.

Accordingly, the critical question is, who could turn an opportunity for fraud into reality?” Wolfe and

Hermanson observed the following six common traits of those capable of committing fraud, especially frauds that

involve large sums of money or last a long time:


Common Traits Associated with the Capability Element

Functional Authority within the Organization: The person’s position or function might provide the ability to create or exploit an opportunity to commit fraud. For example, a person in a position of authority has more influence over particular situations.

Sufficient Intelligence to Understand and Exploit a Situation: The person has the capacity to understand and exploit control weaknesses and to use position or authorized access to the greatest advantage.

Strong Ego and Personal Confidence: The person is confident that he will not be caught or believes that if he is caught, he can talk his way out of trouble. The common personality types include someone who is driven to succeed at all costs, self-absorbed, and often narcissistic. According to the Diagnostic and Statistical Manual of Mental Disorders, those with a personality disorder believe they are superior or unique and are likely to have an inflated view of their own accomplishments and abilities.

Strong Coercive Skills: The person is persuasive and can coerce others to commit or conceal fraud. An individual with a persuasive personality can successfully convince others to go along with the fraud or look the other way.

Effective at Being Deceptive: Successful fraud requires effective and consistent lies. The individual must be able to lie convincingly and keep track of the story in order to avoid detection.

High Tolerance for Stress: The person is good at dealing with the stress that comes from committing fraudulent acts.

Types of Fraud

Occupational (Corporate) Fraud

Though the term “corporate fraud” is subject to different interpretations, it has been defined internally

within the Department of Justice to include the following conduct:

1. Falsification of corporate financial information including, for example:

• False/fraudulent accounting entries,

• Bogus trades and other transactions designed to artificially inflate revenue,

• Fraudulently overstating assets, earnings and profits or

• Understating/concealing liabilities and losses, and

• False transactions designed to evade regulatory oversight

2. Self-dealing by corporate insiders including, for example:


• Insider trading,

• Kickbacks,

• Misuse of corporate property for personal gain, and

• Individual tax violations related to any such self-dealing

3. Fraud in connection with an otherwise legitimately-operated mutual or hedge fund including,

for example:

• Late trading,

• Certain market-timing schemes,

• Falsification of net asset values, and

• Other fraudulent or abusive trading practices by, within, or involving a mutual or hedge

fund

4. Obstruction of justice designed to conceal either of the above-noted types of criminal conduct,

particularly when the obstruction impedes the inquiries of the SEC, other regulatory agencies,

and/or law enforcement agencies.

The ACFE defines corporate fraud (also referred to as occupational fraud) as:

“The use of one’s occupation for personal enrichment through the deliberate misuse or misapplication

of the employing organization’s resources or assets.”

Expanding on this definition, the ACFE further identifies four key

elements that all fraudulent activities have in common:

1. Is clandestine (i.e., conducted with secrecy);

2. Violates the perpetrator’s fiduciary duties to the victim organization;

3. Is committed for the purpose of direct or indirect financial benefit to the perpetrator; and

4. Costs the employing organization assets, revenue, or reserves.

According to the ACFE Report to the Nations 2020 Global Study on Occupational Fraud and Abuse,

asset misappropriations are by far the most common, occurring in 86% of the cases in the report.

However, they are also the least costly, causing a median loss of $100,000. Corruption schemes are

the next most common form of occupational fraud; 43% of the cases involved some form of corrupt

act. These schemes resulted in a median loss to the victim organizations of $200,000. The least

common but most costly form of occupational fraud is financial statement fraud, which occurred in

10% of the cases and caused a median loss of $954,000. The report also identifies the most common

occupational fraud schemes in various industries:

Industry (number of cases): Most Common Fraud Schemes

Banking and financial services (386 cases): 1. Corruption; 2. Cash on hand; 3. Cash larceny, Financial statement fraud, Noncash, and Skimming

Government and public administration (189 cases): 1. Corruption; 2. Billing; 3. Expense reimbursements, Noncash, and Payroll

Manufacturing (177 cases): 1. Corruption; 2. Noncash and Billing; 3. Expense reimbursements

Health care (145 cases): 1. Corruption; 2. Billing; 3. Noncash

Energy (89 cases): 1. Corruption; 2. Noncash; 3. Billing

Note: According to the ACFE, noncash misappropriations refer to any scheme in which an employee steals or

misuses noncash assets of the victim organization (e.g., employee steals inventory from a warehouse or

storeroom; employee steals or misuses confidential customer information)

The three primary fraud categories within ACFE’s Occupational Fraud and Abuse Classification System

are summarized below.

ACFE: Occupational Fraud and Abuse Classification System

Corruption:

• Conflicts of Interest (e.g. Purchasing and Sales Schemes)

• Bribery (e.g. Invoice Kickbacks, Bid Rigging)

• Illegal Gratuities

• Extortion (e.g. Blackmail)

Asset Misappropriation:

• Theft of Cash on Hand

• Theft of Cash Receipts (e.g. Skimming, Cash Larceny)

• Fraudulent Disbursements (e.g. Billing, Payroll, and Expense Reimbursement Schemes, and Check Tampering)

• Inventory (e.g. Asset Requisitions & Transfers, False Sales & Shipping, Purchasing & Receiving)

Financial Statement Fraud:

• Net Income Overstatements (e.g. Timing Differences, Fictitious Revenues, Concealed Liabilities & Expenses, Improper Asset Valuations)

• Net Income Understatements (e.g. Understated Revenues, Overstated Liabilities & Expenses, Improper Disclosures)

Each category is discussed below.


Corruption

Corruption is a form of dishonest or unethical conduct by an employee who misuses his or her

influence in a business transaction to gain personal benefit. Corruption includes many activities, such

as conflicts of interest and bribery. Corruption, a common scheme in government entities, results

in higher prices charged to the government and lower quality delivered to it. Corruption is often an

off-book fraud, meaning there is little financial statement evidence available to prove the crime occurred.

Corrupt employees do not have to manipulate financial records to conceal their crime; they simply

receive cash payments under the table or accept illegal political contributions. As a result, these types

of crimes are often uncovered through tips or complaints from third parties, often via a hotline. The

circumstances listed below can be indicators that something may be wrong.

• Abnormal cash payments;

• Pressure exerted for payments to be made urgently or ahead of schedule;

• Private meeting with contractors or companies hoping to tender for contracts;

• Lavish gifts being received;

• An individual insists on dealing with specific contractors himself or herself;

• Unexpected or illogical decisions accepting projects or contracts;

• An unusually smooth process in cases where an individual does not have the expected level of knowledge or expertise;

• Agreeing to contracts not favorable to the organization, either because of the terms or the time period;

• Unexplained preference for certain contractors during the tendering or contracting processes;

• Bypassing normal tendering or contracting procedures;

• Invoices being agreed to in excess of the contract without reasonable causes, and

• Missing documents or records regarding meetings or decisions.

The ACFE research identified the following top red flags in corruption cases:

1. Living beyond one’s means

2. Unusually close association with vendor/customer

3. Financial difficulties

Asset Misappropriation

Asset misappropriation is a scheme in which an employee steals or misuses the employing

organization’s resources (e.g., theft of company cash, false billing schemes, or inflated expense

reports).

Risk Factors Relating to Misstatements Arising from Misappropriation of Assets

The following are examples, as listed in SAS 99 Appendix 3, of risk factors relating to misstatements

arising from misappropriation of assets.

Incentives/Pressures


A. Personal financial obligations may create pressure on management or employees with access to

cash or other assets susceptible to theft to misappropriate those assets.

B. Adverse relationships between the entity and employees with access to cash or other assets

susceptible to theft may motivate those employees to misappropriate those assets. For example,

adverse relationships may be created by the following:

• Known or anticipated future employee layoffs

• Recent or anticipated changes to employee compensation or benefit plans

• Promotions, compensation, or other rewards inconsistent with expectations

Opportunities

a. Certain characteristics or circumstances may increase the susceptibility of assets to

misappropriation. For example, opportunities to misappropriate assets increase when there are

the following:

1. Large amounts of cash on hand or processed

2. Inventory items that are small in size, of high value, or in high demand

3. Easily convertible assets, such as bearer bonds, diamonds, or computer chips

4. Fixed assets that are small in size, marketable, or lacking observable identification of

ownership

b. Inadequate internal control over assets may increase the susceptibility of misappropriation of

those assets. For example, misappropriation of assets may occur because there is the following:

1. Inadequate segregation of duties or independent checks

2. Inadequate oversight of senior management expenditures, such as travel and other

reimbursements

3. Inadequate management oversight of employees responsible for assets, for example,

inadequate supervision or monitoring of remote locations

4. Inadequate job applicant screening of employees with access to assets

5. Inadequate recordkeeping with respect to assets

6. Inadequate system of authorization and approval of transactions (for example, in purchasing)

7. Inadequate physical safeguards over cash, investments, inventory, or fixed assets

8. Lack of complete and timely reconciliations of assets

9. Lack of timely and appropriate documentation of transactions, for example, credits for

merchandise returns

10. Lack of mandatory vacations for employees performing key control functions

11. Inadequate management understanding of information technology, which enables

information technology employees to perpetrate a misappropriation

12. Inadequate access controls over automated records, including controls over and review of

computer systems event logs.

Attitudes/Rationalizations


Risk factors reflective of employee attitudes/rationalizations that allow them to justify

misappropriations of assets are generally not susceptible to observation by the auditor. Nevertheless,

the auditor who becomes aware of the existence of such information should consider it in identifying

the risks of material misstatement arising from misappropriation of assets. For example, auditors may

become aware of the following attitudes or behavior of employees who have access to assets

susceptible to misappropriation:

• Disregard for the need for monitoring or reducing risks related to misappropriations of assets

• Disregard for internal control over misappropriation of assets by overriding existing controls

or by failing to take appropriate remedial action on known internal control deficiencies

• Behavior indicating displeasure or dissatisfaction with the company or its treatment of the

employee

• Changes in behavior or lifestyle that may indicate assets have been misappropriated

• The belief by some government or other officials that their level of authority justifies a certain

level of compensation and personal privileges

• Tolerance of petty theft

Financial Statement Fraud

Financial statement fraud is a scheme in which an employee intentionally causes a misstatement or

omission of material information in the organization’s financial reports. Common methods of

fraudulent financial statement manipulation include recording fictitious revenues, concealing

liabilities or expenses and artificially inflating reported assets. The most common financial statement

fraud schemes alleged by the SEC include:

• Revenue recognition

• Manipulation of expenses

• Improper disclosures

• Manipulation of liabilities

• Manipulation of assets

• Manipulation of reserves

Specifically, the most common revenue recognition schemes include:

1. Fictitious revenue

2. Premature revenue (timing schemes)

3. Recognition of inappropriate amount of revenue from swaps, round tripping, or barter

arrangements

COSO suggested the following procedures to reduce the possibility of fraudulent financial reporting:

• Establish an organizational environment and tone that contributes to the integrity of the

financial reporting process;

• Identify and understand the factors that can lead to fraudulent financial reporting;


• Assess the risk of fraudulent financial reporting that these factors can cause within the

organization, and

• Design and implement internal controls that provide reasonable assurance that fraudulent

financial reporting will be prevented.

Risk Factors Relating to Misstatements Arising from Fraudulent Financial

Reporting

The following are examples, as listed in SAS 99 Appendix 2, of risk factors relating to misstatements

arising from fraudulent financial reporting.

Incentives/Pressures

A. Financial stability or profitability is threatened by economic, industry, or entity operating conditions, such as (or as indicated by):

1. High degree of competition or market saturation, accompanied by declining margins

2. High vulnerability to rapid changes, such as changes in technology, product obsolescence, or interest rates

3. Significant declines in customer demand and increasing business failures in either the industry or overall economy

4. Operating losses making the threat of bankruptcy, foreclosure, or hostile takeover imminent

5. Recurring negative cash flows from operations or an inability to generate cash flows from operations while reporting earnings and earnings growth

6. Rapid growth or unusual profitability, especially compared to that of other companies in the same industry

7. New accounting, statutory, or regulatory requirements

B. Excessive pressure exists for management to meet the requirements or expectations of third parties due to the following:

1. Profitability or trend level expectations of investment analysts, institutional investors, significant creditors, or other external parties (particularly expectations that are unduly aggressive — or unrealistic), including expectations created by management in, for example, overly optimistic press releases or annual report messages

2. Need to obtain additional debt or equity financing to stay competitive—including financing of major research and development or capital expenditures

3. Marginal ability to meet exchange listing requirements or debt repayment or other debt covenant requirements

4. Perceived or real adverse effects of reporting poor financial results on significant pending transactions, such as business combinations or contract awards

5. A need to achieve financial targets required in bond covenants

6. Pressure for management to meet the expectations of legislative or oversight bodies or to achieve political outcomes, or both

C. Information available indicates that management or the board of directors’ personal financial situation is threatened by the entity’s financial performance arising from the following:

1. Significant financial interests in the entity

2. Significant portions of their compensation (for example, bonuses, stock options, and earn-out arrangements) being contingent upon achieving aggressive targets for stock price, operating results, financial position, or cash flow

3. Personal guarantees of debts of the entity

D. There is excessive pressure on management or operating personnel to meet financial targets set up by those charged with governance or management, including sales or profitability incentive goals.

Opportunities

A. The nature of the industry or the entity’s operations provides opportunities to engage in fraudulent financial reporting that can arise from the following:

1. Significant related-party transactions not in the ordinary course of business or with related entities not audited or audited by another firm

2. A strong financial presence or ability to dominate a certain industry sector that allows the entity to dictate terms or conditions to suppliers or customers that may result in inappropriate or non-arm’s-length transactions

3. Assets, liabilities, revenues, or expenses based on significant estimates that involve subjective judgments or uncertainties that are difficult to corroborate

4. Significant, unusual, or highly complex transactions, especially those close to period end that pose difficult “substance over form” questions

5. Significant operations located or conducted across international borders in jurisdictions where differing business environments and regulations exist

6. Significant bank accounts or subsidiary or branch operations in tax-haven jurisdictions for which there appears to be no clear business justification

7. Use of business intermediaries for which there appears to be no clear business justification

B. There is ineffective monitoring of management as a result of the following:

1. Domination of management by a single person or small group (in a nonowner-managed business) without compensating controls

2. Oversight by those charged with governance over the financial reporting process and internal control is not effective.

C. There is a complex or unstable organizational structure, as evidenced by the following:

1. Difficulty in determining the organization or individuals that have controlling interest in the entity

2. Overly complex organizational structure involving unusual legal entities or managerial lines of authority

3. High turnover of senior management, counsel, or those charged with governance

D. Internal control components are deficient as a result of the following:

1. Inadequate monitoring of controls, including automated controls and controls over interim financial reporting (where external reporting is required)

2. High turnover rates or employment of staff in accounting, information technology, or the internal audit function who are not effective

3. Ineffective accounting and information systems, including situations involving significant deficiencies or material weaknesses in internal control

4. Weak controls over budget preparation and development and compliance with law or regulation

Attitudes/Rationalizations

• Ineffective communication, implementation, support, or enforcement of the entity’s values or ethical standards by management or the communication of inappropriate values or ethical standards

• Nonfinancial management’s excessive participation in or preoccupation with the selection of accounting principles or the determination of significant estimates

• Known history of violations of securities laws or other laws and regulations, or claims against the entity, its senior management, or those charged with governance alleging fraud or violations of laws and regulations

• Excessive interest by management in maintaining or increasing the entity’s stock price or earnings trend

• A practice by management of committing to analysts, creditors, and other third parties to achieve aggressive or unrealistic forecasts

• Management failing to correct known significant deficiencies or material weaknesses in internal control on a timely basis

• An interest by management in employing inappropriate means to minimize reported earnings for tax-motivated reasons

• Low morale among senior management

• The owner-manager makes no distinction between personal and business transactions

• Dispute between shareholders in closely held entity

• Recurring attempts by management to justify marginal or inappropriate accounting on the basis of materiality

• The relationship between management and the current or predecessor auditor is strained, as exhibited by the following:

− Frequent disputes with the current or predecessor auditor on accounting, auditing, or reporting matters

− Unreasonable demands on the auditor, such as unreasonable time constraints regarding the completion of the audit or the issuance of the auditor’s report

− Restrictions on the auditor that inappropriately limit access to people or information or the ability to communicate effectively with those charged with governance

− Domineering management behavior in dealing with the auditor, especially involving attempts to influence the scope of the auditor’s work or the selection or continuance of personnel assigned to or consulted on the audit engagement

Procurement and Contractor Frauds

In addition to occupational frauds discussed above, procurement and contractor frauds are two of the most costly types of government fraud. One example of procurement fraud is when a company uses bribes to win a contract even when it did not submit the lowest or best bid. Examples of contractor fraud include billing the government for incomplete work, inflating the cost of labor or supplies, and issuing kickbacks. Both criminal and civil charges can be brought against contractors who are accused of procurement fraud under the False Claims Act. Some of the common examples of procurement fraud are listed below:

• The receiving slip indicates that a full order was delivered while suppliers intentionally ship an incomplete order;

• Good inventory is intentionally marked as scrap so that it can be discarded and then resold for gain;

• The companies overstate their financial revenues to appear more financially solvent than they really are to gain a competitive advantage during contract bidding;

• The companies fail to state any current or legal issues that may impact the award of their contract; and

• The companies provide inflated qualifications of their staff performing the work.

Although red flags do not indicate guilt or innocence but merely provide possible warning signs of fraud, recognizing the red flags listed below is an important element in preventing and detecting fraud. The following examples of unusual activities display the signs of potential irregularities:

• Purchase orders are created after hours (e.g., weekends, evenings, holidays);

• An initial low bid is awarded followed by multiple change orders;

• A losing bidder is hired by the winning bidder, which may suggest that the winning bidder did not have the qualifications to perform the work; and

• Close social relationships are formed between suppliers and government personnel.

To proactively react to procurement fraud, management should utilize procurement systems to generate exception reports regularly in order to identify and follow up on certain unusual activities such as:

• Unauthorized approvals;

• Payments made within a week;

• Similar invoices;

• Purchase orders made during non-office hours; and

• Multiple purchase orders to the same vendor.
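One way to produce such an exception report, as an added example that is not part of the course and not taken from any procurement system: the five rules below are run over constructed purchase-order and invoice records. The office hours, holiday calendar, authorized-approver list, the 30-day window and the threshold of three orders to one vendor are all assumptions an organization would set for itself.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, datetime, timedelta
from typing import Optional

OFFICE_HOURS = (8, 18)                             # assumed: 08:00-18:00 local time
HOLIDAYS = {date(2020, 1, 1)}                      # constructed holiday calendar
AUTHORIZED_APPROVERS = {"cfo", "procurement_mgr"}  # constructed approver list

@dataclass(frozen=True)
class PurchaseOrder:
    po_id: str
    vendor: str
    requester: str
    approver: str
    created: datetime

@dataclass(frozen=True)
class Invoice:
    inv_id: str
    vendor: str
    amount: float
    inv_date: date
    paid_date: Optional[date]   # None while unpaid

def unauthorized_approvals(pos):
    """POs approved by someone outside the approver list, or by the requester (self-approval)."""
    return [p.po_id for p in pos
            if p.approver not in AUTHORIZED_APPROVERS or p.approver == p.requester]

def after_hours_orders(pos):
    """POs created on a weekend, on a holiday, or outside office hours."""
    return [p.po_id for p in pos
            if p.created.weekday() >= 5 or p.created.date() in HOLIDAYS
            or not (OFFICE_HOURS[0] <= p.created.hour < OFFICE_HOURS[1])]

def fast_payments(invoices, days=7):
    """Invoices paid within `days` of the invoice date, i.e. faster than the normal cycle."""
    return [i.inv_id for i in invoices
            if i.paid_date is not None and (i.paid_date - i.inv_date) < timedelta(days=days)]

def similar_invoices(invoices, window_days=30):
    """Pairs of invoices from one vendor for the same amount within the window (possible duplicate billing)."""
    by_vendor = defaultdict(list)
    for i in invoices:
        by_vendor[i.vendor].append(i)
    pairs = []
    for group in by_vendor.values():
        group.sort(key=lambda i: i.inv_date)
        for idx, a in enumerate(group):
            for b in group[idx + 1:]:
                if (b.inv_date - a.inv_date).days > window_days:
                    break  # sorted by date, so later invoices are only further away
                if abs(a.amount - b.amount) < 0.005:
                    pairs.append((a.inv_id, b.inv_id))
    return pairs

def repeat_vendor_orders(pos, threshold=3, window_days=30):
    """Vendors receiving `threshold` or more POs inside any `window_days` sliding window."""
    by_vendor = defaultdict(list)
    for p in pos:
        by_vendor[p.vendor].append(p.created)
    flagged = set()
    for vendor, times in by_vendor.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > timedelta(days=window_days):
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(vendor)
                break
    return sorted(flagged)

def exception_report(pos, invoices):
    """Run all five rules; each entry lists the records (or vendors) to follow up on."""
    return {
        "unauthorized_approvals": unauthorized_approvals(pos),
        "after_hours_orders": after_hours_orders(pos),
        "fast_payments": fast_payments(invoices),
        "similar_invoices": similar_invoices(invoices),
        "repeat_vendor_orders": repeat_vendor_orders(pos),
    }

# Constructed sample records (not real data); 2020-01-18 is a Saturday, 2020-01-01 a holiday.
SAMPLE_POS = [
    PurchaseOrder("PO-1001", "Acme Supply", "jdoe", "procurement_mgr", datetime(2020, 1, 13, 10, 15)),
    PurchaseOrder("PO-1002", "Acme Supply", "jdoe", "jdoe", datetime(2020, 1, 18, 22, 40)),
    PurchaseOrder("PO-1003", "Acme Supply", "jdoe", "procurement_mgr", datetime(2020, 1, 29, 7, 30)),
    PurchaseOrder("PO-1004", "Zeta Services", "asmith", "cfo", datetime(2020, 1, 1, 11, 0)),
    PurchaseOrder("PO-1005", "Zeta Services", "asmith", "cfo", datetime(2020, 2, 3, 14, 0)),
]
SAMPLE_INVOICES = [
    Invoice("INV-501", "Acme Supply", 4800.0, date(2020, 1, 15), date(2020, 2, 14)),
    Invoice("INV-502", "Acme Supply", 4800.0, date(2020, 1, 22), date(2020, 1, 24)),
    Invoice("INV-503", "Zeta Services", 1200.0, date(2020, 1, 5), None),
    Invoice("INV-504", "Zeta Services", 1200.0, date(2020, 3, 10), date(2020, 3, 31)),
]
```

Each hit is a lead for follow-up, not a finding: a self-approved Saturday-night order to a vendor that already has two open orders deserves a look at the approval and requisition records, not a conclusion.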

False Claims and False Statements

False claims usually pertain to Social Security, defense contractors, healthcare company fraud, or other instances in which a company or individual attempts to be paid by the government for an invalid reason. The False Claims Act imposes liability on individuals and companies (typically federal contractors) who defraud government programs. This law is the federal government’s primary litigation tool in fighting fraud against the government. It also includes a qui tam provision that allows people who are not affiliated with the government (as whistleblowers) to file actions on behalf of the government and receive a portion (usually 15-25%) of any recovered damages. As of 2012, over 70% of all federal government actions under the False Claims Act were initiated by whistleblowers. The government recovered $38.9 billion under the False Claims Act between 1987 and 2013. About $27.2 billion or 70% was from qui tam cases brought by whistleblowers.

Business Owners Associated Fraud

Most business owners associate business fraud with the misappropriation of cash. However, business fraud comes in many other forms, including:

Type of Fraud                            Average Loss*
Medical Insurance Claims Fraud              $3,177,000
False Financial Statements                   1,239,000
Credit Card Fraud                            1,126,000
Check Fraud                                    624,000
Inventory Theft                                346,000
Bid Rigging/Price Fixing                       342,000
False Invoices and Phantom Vendors             256,000
Diversion of Sales                             180,000
Expense Account Abuse                          141,000
Purchases for Personal Use                      63,000
Conflict of Interest                            38,000
Kickbacks                                       35,000
Payroll Fraud                                   26,000

*Based on the results of a recent survey of 5,000 U.S. companies that have experienced fraud in their business.

Page 164: Internal ontrol and raud etection

152

Part IV − Section 1 Review Questions

24. Which of the following is considered to be a fraud risk factor?

A. A lack of opportunity

B. Incentive

C. Financial stability

D. Prosecution

25. An employee who made a false claim for reimbursement of inflated business expenses believes that his behavior was harmless because the financial loss to the agency was immaterial. Which of the fraud triangle elements best explains his action?

A. Opportunity

B. Capability

C. Rationalization

D. Pressure

26. Which of the following would be an example of self-dealing by corporate insiders?

A. Insider trading

B. Understating/concealing liabilities and losses

C. Falsification of net asset values

D. Late trading

27. Which of the following is a category of fraud consisting of extortion, conflict of interest, and bribery?

A. False claims

B. Corruption

C. Financial statement fraud

D. Payroll scheme

28. According to ACFE Report to the Nations, which of the following types of fraud occurs most often?

A. Financial statement fraud

B. Asset misappropriation

C. Obstruction of justice

D. Self-dealing by corporate insiders

29. According to ACFE Report to the Nations, which of the following industries has the greatest number of fraud cases?

A. Technology

B. Services (professional)

C. Banking and financial services

D. Retail

30. Most business owners associate fraud with misappropriation of cash. What is another form of fraud?

A. Litigation support and pre-employment screening

B. Business valuations

C. Economic losses due to negative economic conditions

D. Inventory theft


Forensic Accounting and Auditing

Forensic accounting is an accounting specialty that integrates accounting, auditing, and investigative skills in order to support or resolve allegations of fraud. Forensic accounting encompasses both litigation support (expert witness testimony, presentation of supporting documents showing fraud, etc.) and investigative accounting. It focuses on both the evidence of economic transactions and reporting, and the legal framework that allows such evidence to be suitable for establishing accountability and/or valuation. Forensic accounting engagements include transaction reconstruction; bankruptcy; family law issues; asset identification and valuation; fraud examination/detection; and many other issues.

A forensic accountant is used in a number of situations, including, but not limited to, the following:

• Business valuations: A forensic accountant evaluates the current value of a business for various personal or legal matters.

• Personal injury and fatal accident claims: A forensic accountant may help to establish lost earnings (i.e., those earnings that the plaintiff would have accrued except for the actions of the defendant) by gathering and analyzing a variety of information and then issuing a report based on the outcome of the analyses.

• Professional negligence: A forensic accountant helps to determine if a breach of professional ethics or other standards of professional practice has occurred (e.g., failure to apply generally accepted auditing standards by a CPA when performing an audit). In addition, the forensic accountant may help to quantify the loss.

• Insurance claims evaluations: A forensic accountant may prepare financial analyses for an insurance company of claims, business income losses, expenses, and disability, liability or workmen’s compensation insurance losses.

• Arbitration: A forensic accountant is sometimes retained to assist with alternative dispute resolution (ADR) by acting as a mediator to allow individuals and businesses to resolve disputes in a timely manner with a minimum of disruption.

• Partnership and corporation disputes: A forensic accountant may be asked to help settle disputes between partners or shareholders. Detailed analyses are often necessary for many records spanning a number of years. Most of these disputes relate to compensation and benefit issues.

• Civil and criminal actions concerning fraud and financial irregularities: These investigations are usually performed by the forensic accountant for police forces. A report is prepared to assist the prosecutor’s office.

• Fraud and white-collar crime investigations: These types of investigations can be prepared on behalf of police forces as well or for private businesses. They usually result from such activities as purchasing/kickback schemes, computer fraud, labor fraud, and falsification of inventory. The investigation by the forensic accountant often involves fund tracing, asset identification, and recovery.

Auditing is performed either by an employee (internal audit) or by an outside accounting firm (external audit). Internal audits examine operational evidence to ensure that the prescribed company operating procedures have been followed. External audits examine the assets and records of a company, leading to the expression of a professional opinion by the outside CPA, which gives credibility to the financial reports presented by the company. A key component of an audit is the review of internal control weaknesses. Fraud examination differs from auditing as shown in the following table.

Auditing vs. Fraud Examination

Timing
  Auditing: Recurring. Audits are conducted on a regular, recurring basis.
  Fraud examination: Nonrecurring. Fraud examinations are nonrecurring. They are conducted only with sufficient predication.

Scope
  Auditing: General. The scope of the audit is an examination of financial data.
  Fraud examination: Specific. The fraud examination is conducted to resolve specific allegations.

Objective
  Auditing: Opinion. An audit is generally conducted for the purpose of expressing an opinion on the financial statements or related information.
  Fraud examination: Affix blame. The fraud examination’s goal is to determine whether fraud has occurred or is occurring and to determine who is responsible.

Relationship
  Auditing: Non-adversarial. The audit process is non-adversarial in nature.
  Fraud examination: Adversarial. Fraud examinations, because they involve efforts to affix blame, are adversarial in nature.

Methodology
  Auditing: Audit techniques. Audits are conducted by examining financial data and obtaining corroborating evidence.
  Fraud examination: Fraud examination techniques. Fraud examinations are conducted by (1) document examination; (2) review of outside data such as public records; and (3) interviews.

Standard
  Auditing: Professional skepticism. Auditors are required to approach audits with professional skepticism.
  Fraud examination: Proof. Fraud examiners approach the resolution of a fraud by attempting to establish sufficient proof to support or refute a fraud allegation.

Source: Fraud Examiners Manual, Association of Certified Fraud Examiners, 2010.


Fraud and Perpetrators

The Fraud Symptoms

To detect fraud, managers, auditors, employees, and examiners must learn to recognize symptoms and pursue them until they obtain evidence that proves fraud is or is not occurring. Unfortunately, many symptoms of fraud go unnoticed, or recognized symptoms are not vigorously pursued. If symptoms were vigorously pursued, many frauds could be detected earlier. Symptoms of fraud fall into six groups:

1. Accounting Anomalies: Because accounting records are often manipulated to conceal fraud, anomalies and problems with accounting documents—either electronic or paper journals, ledgers, or financial statements—are excellent symptoms of fraud.

2. Internal Control Weaknesses: One of the main purposes of internal control procedures is to safeguard assets. When controls are absent or weak (or overridden), they facilitate fraud being perpetrated.

3. Analytical Anomalies: These are relationships, records, or actions that are too unusual or unrealistic to be believed. They include transactions or events that happen at odd times or places, activities that are performed by, or involve, people who would not normally participate in them, as well as peculiar procedures and policies. Other anomalies that should be scrutinized carefully include amounts that are too large or too small, that occur too often or too rarely, or that result in excesses or shortages.

4. Lifestyle Symptoms: Once perpetrators meet the financial needs that motivated them to commit fraud, they usually continue to steal and then use the money to enhance their lifestyles. They may buy expensive cars or other personal items, take extravagant trips, remodel their homes or purchase more expensive ones, or buy expensive jewelry or clothes.

5. Unusual Behaviors: When people commit crimes (especially first-time offenders, as many perpetrators are), they are engulfed by feelings of fear and guilt. These emotions express themselves in unusual behavior. It is not one particular behavior that often signals fraud; rather, it is a pattern of changes in behavior. People who are accommodating become intimidating, people who are belligerent become easy to work with, and so forth.

6. Tips and Complaints: People who are in the best position to detect fraud are usually those closest to the perpetrator—family members, friends, co-workers, managers, and others, not the auditors or fraud examiners. These individuals often provide tips or complaints that suggest that fraud is being committed. Although such complaints and tips are often legitimate, they can also be motivated by a desire to get even, or by frustration or personal vendettas, or by numerous other reasons.

Figure: Fraud Symptoms (Accounting Anomalies, Internal Control Weaknesses, Analytical Anomalies, Lifestyle Symptoms, Unusual Behaviors, Tips and Complaints)

Possible indicators of management fraud include:

• Lack of compliance with company directives and procedures.

• Payments made to trade creditors which are supported by copies instead of original invoices.

• Consistently late reports.

• Higher commissions which are not based on increased sales.

• Managers who habitually assume the duties of their subordinates.

• Managers who handle matters not within the scope of their authority.

Indicators of Financial Crime

Source: Adapted from “Investigative Methods in Forensic Accounting,” an online article by Tom O'Connor.

Understanding and recognizing the behavioral red flags displayed by fraud perpetrators can help organizations detect fraud and mitigate losses.

Red Flags of Employee Behavior

1. Overworking: Financial criminals are sophisticated and know that the typical suspects of misdeeds in organizations are likely to be those who miss work a lot, call in sick, go home early, and so forth. Hence, the financial criminal (also by inclination) tends to work long and hard, staying after hours, volunteering for extra duties, or in short, attempting to appear as a superstar in the organization. This is called the protective behavior pattern.

2. Over-personalized Business Matters: A financial criminal will become extremely upset over little things that touch on or threaten their scam or fraud, and this may be something as minor as a change in office location, or something like another employee dealing with a vendor that only they think they should be dealing with. They may also not have kind words to say about top management (calling them corrupt) because (a) they want to be perceived as a powerbroker or dealmaker, and (b) they plan to claim, if caught, that the kind of thing they did was nothing compared to what goes on at the top.

3. Antisocial Loner Personality: The criminal may or may not have this personality to begin with, but criminologists say that something about the “unshareable” aspects of financial crime may cause the person to become a loner. Their relationships with co-workers can be characterized as cold and impersonal since all they are inquisitive about is how co-workers do their job so they can learn about any system controls that are in place throughout the organization.

4. Inappropriate Lifestyle Change: Few financial criminals can resist the urge to spend some of their ill-gained loot, and their lifestyle, assets, travel, or offshore bank accounts will just not add up to the salary they're making. They are driven by money and ego, and if given the chance, will jump at almost every opportunity to make more money, and to boast and brag about knowing such opportunities.

Red Flags of Organizational Behavior

1. Unrealistic Performance Compensation Packages: The organization will rely almost exclusively, and to the detriment of employee retention, on executive pay systems linked to the organization's profit margins or share price.

2. Inadequate Board Oversight: There is no real involvement by the Board of Directors, Board appointments are honorariums for the most part, and conflicts of interest as well as nepotism (the second cousin to corruption) are overlooked.

3. Unprofitable Offshore Operations: Foreign operation facilities that should be closed down are kept barely functioning because this may be where top management fraudsters have used bribes to secure a "safe haven" in the event of need for swift exit.

4. Poor Segregation of Duties: The organization does not have sufficient controls on who has budget authority, who can place requisitions, or who can take customer orders, and who settles or reconciles these things when the expenses, invoices, or receipts come in.

5. Poor Computer Security: The organization doesn't seem to care about computer security, has slack password controls, hasn't invested in antivirus, firewalls, IDS, log files, data warehousing, data mining, or the budget and personnel assigned to internet security. Simultaneously, the organization seems over-concerned with minor matters, like whether employees are downloading music, chatting, playing games, or viewing porn.

6. Low Morale, High Staff Turnover, and Whistleblowers: Low morale and staff shortages go hand-in-hand, employees feel overworked and underpaid, frequent turnover seems to occur in key positions, and complaints take the form of whistleblowing.

Recent Cases in Corporate Fraud

Source: www.irs.gov/compliance/criminal-investigation

The following examples of IRS criminal investigations are excerpted from IRS Criminal Investigation press releases.

Case I: January 15, 2020 - Federal grand jury in San Antonio indicts former Air Force employee, Ashburn, VA-based Quantadyn Corporation, and its owner for alleged bribery and government contract fraud scheme

Ruben Rosalez, Acting Special Agent in Charge of the Internal Revenue Service-Criminal Investigation (IRS-CI), Houston Field Office, announced today that a federal judge unsealed a grand jury indictment charging a software engineering company called Quantadyn Corporation (Quantadyn); one of its owners, Herndon, VA, resident David Joseph Bolduc, Jr.; San Antonio resident Keith Alan Seguin, and Atlanta, GA, area resident Rubens Wilson Fiuza Lima for their roles in a bribery and government contract fraud scheme that spanned more than a decade and impacted contract awards worth hundreds of millions of dollars.

The indictment alleges the defendants carried out their contract fraud scheme from 2006 to 2018. Specifically, Bolduc and Quantadyn paid more than $2.3 million in bribes to Seguin, a civilian employee of the 502 Trainer Development Squadron at Randolph Air Force Base in San Antonio, who was intimately involved in the government contract process. In return, Seguin used his position to steer lucrative government contracts and sub-contracts to Quantadyn for aircraft and close-air-support training simulators. The indictment further alleges that a portion of the bribe money paid to Seguin was laundered through Fiuza Lima's business, Impex, Inc., for a ten percent fee.

The three-count indictment charges Bolduc, Quantadyn, Seguin and Fiuza Lima with one count of conspiracy to defraud the U.S., one count of conspiracy to commit wire fraud, and one count of conspiracy to commit money laundering. Upon conviction, Bolduc, Seguin and Fiuza Lima would face terms of imprisonment up to five years for conspiracy to defraud the U.S., up to 20 years for conspiracy to commit wire fraud, and up to 20 years for conspiracy to commit money laundering. They would also face up to $1,000,000 in fines, and Quantadyn would face up to $1,500,000 in fines. All of the defendants would be ordered to pay restitution if convicted.

"Government contracts are designed to support the missions of the United States armed forces and are vital to our people. It is not a slush fund for thieves and fraudsters," said IRS-CI Acting Special Agent in Charge Rosalez. "Those who illegally target our nation's tax dollars for personal financial gain, as in this case, will be prosecuted and face the consequences of their actions."

"DCIS, the Pentagon's investigative arm, will aggressively pursue allegations of fraud and corruption impacting the Department of Defense (DoD)," stated Michael Mentavlos, Special Agent in Charge, Southwest Field Office. "Along with our Law Enforcement partners, DCIS is committed to safeguarding the integrity of taxpayer resources and will exhaust all appropriate criminal, civil, and administrative actions against those individuals that choose to defraud the government, DoD, and ultimately the taxpayer."

"Allegations related to the exploitation of major federal procurement vehicles will always be an investigative priority. The General Services Administration, Office of Inspector General, with our law enforcement partners, will continue to work diligently to protect the integrity of federal acquisitions, and other critical GSA programs that are designed to benefit its customers, including the warfighter," stated GSA-OIG Special Agent in Charge Willemin, Greater Southwest and Rocky Mountain Investigations Division.

"The collaboration between GSA-OIG, DCIS, U.S. Army CID, IRS-CI, AFOSI, and the U.S. Attorney's Office of the Western District of Texas, has been significant and we are looking forward to seeing the final results of the hard work put forth by all agencies involved," said AFOSI Special Agent in Charge Holmstrand.

Initial appearances are expected to occur this week before a U.S. Magistrate Judge in San Antonio (Seguin), Alexandria, VA (Bolduc), and Atlanta (Fiuza Lima).

It is important to note that an indictment is merely a charge and should not be considered as evidence of guilt. The defendants are presumed innocent until proven guilty in a court of law.

Case II: December 20, 2019 - Sonoma county CEO pleads guilty to charges stemming from $25-65 million student loan repayment services scam

SAN FRANCISCO – Brandon Frere pleaded guilty today to wire fraud and money laundering charges in connection with a multi-million-dollar scheme to use deceptive sales tactics to convince people to enroll in his companies' student loan repayment services programs.

Frere, of Sonoma County, owned and operated three companies—American Financial Benefits Center (AFBC), the Financial Education Benefits Center (FEBC), and Ameritech Financial (Ameritech)—all based in Rohnert Park, Calif. According to his plea agreement, between January of 2014 and November of 2018, Frere used the companies to market student loan document preparation services for borrowers who wished to apply for programs through the Department of Education. Frere targeted potential customers who were seeking federal loan forgiveness, loan consolidation, and reduced-payment programs. When Frere's companies sold consumers "document preparation" services, they also sold them a purportedly optional membership in a "financial education benefits program." The so-called benefits program provided the opportunity to customers to sign up for services such as LifeLock identity theft protection and roadside assistance.

Frere admitted he instructed his employees to follow misleading sales scripts and to employ deceptive sales tactics so that people would enroll for services without fully understanding what they were paying for. For example, when initially enrolling consumers in the document preparation service and signing them up for the financial education benefits program, Frere hid the fees for the financial education benefits program and described the benefits program in a way that made it seem like the cost of the program was included in the document preparation services. Further, Frere admitted he instructed enrollment associates not to present the benefits program as an optional or additional service to the document preparation service; this way, consumers would purchase the benefits packages without knowing they were doing so.

In sum, Frere instructed his employees (1) to make false statements concerning the companies' ability to deliver fixed payments for the life of student loans and loan forgiveness under alternative repayment plans; (2) to engage in enrollment practices that improperly inflated a consumer's family size to reduce their prospective payments under federal alternative repayment plans (and therefore make it appear to the consumer that their monthly payments would be lower than what they would have been if the family size were not inflated); and (3) to hide the monthly fees that consumers would pay for a purportedly optional financial education benefits program while leading victims to believe that the benefits program was already included in the document preparation service. Frere admitted for the purposes of sentencing that the amount of losses attributable to his scheme was no less than $25,000,000 and up to $65,000,000.

Moreover, Frere admitted that in order to conceal the proceeds of his wire fraud scheme, in 2015, he began transferring to overseas bank accounts that he controlled large sums of the funds that he had received through the scheme. He continued this process in August 2017, after he became involved in litigation with the Federal Trade Commission ("FTC") and became concerned the FTC or a court might be able to seize the proceeds of his fraud. The FTC filed a civil complaint in February 2018 against Frere and his companies in federal court in Oakland. (Federal Trade Commission v. American Financial Benefits, et al., Case No. CV 18-00806-SBA).

Frere was arrested December 5, 2018, at SFO as he attempted to board a flight to Cancun, Mexico. He is now free on bond pending sentencing. Judge Illston scheduled Frere's sentencing for March 27, 2020 at 11 a.m.

Frere was charged by information on October 1, 2019 with one count of wire fraud, in violation of 18 U.S.C. § 1343, and one count of money laundering, in violation of 18 U.S.C. § 1956(a)(2)(B). Frere pleaded guilty to both counts. Frere faces a maximum sentence of 20 years in prison, for each count. In addition, with respect to the fraud count, Frere faces a fine of $250,000, or the greater of twice the gross gain or twice the gross loss from the fraud. With respect to the money laundering count, Frere faces a fine of $500,000, or the greater of twice the gross gain or twice the value of the money instruments involved. In addition, restitution, supervised release, and additional fines may be ordered. However, any sentence following conviction will be imposed by the court only after consideration of the U.S. Sentencing Guidelines and the federal statute governing the imposition of a sentence, 18 U.S.C. § 3553.

Fraud Prevention and Detection

Fraud Risk Assessment

It is important to understand the difference between enterprise-wide risk assessments and fraud risk assessments. Both approaches contain similarities; however, the objectives, outcomes, and benefits to an organization differ.

Enterprise-wide Risk Assessment: Focus on assessing, managing, and monitoring risks related to the achievement of an organization's objectives.

Fraud Risk Assessment: Focus on identifying and addressing an organization's vulnerabilities to internal and external fraud.

A fraud risk assessment is a critical component of an organization's larger enterprise risk management (ERM) program because it:

• Serves as a tool that assists management and internal auditors in systematically identifying where and how fraud may occur and who may be in a position to commit fraud;

• Reviews potential exposures, which is an essential step in alleviating the board's and senior management's concerns about fraud risks and their ability to meet organizational goals; and

• Concentrates on fraud schemes and scenarios to determine the presence of internal controls and whether or not the controls can be circumvented.

As discussed earlier, COSO revised its 1992 Internal Control — Integrated Framework in 2013 to incorporate 17 principles. The publication Fraud Risk Management Guide (the guide) is intended to be supportive of and consistent with the 2013 Framework and can serve as best-practices guidance for organizations to follow in addressing this new fraud risk assessment principle. The guide's five fraud risk management principles fully support, are entirely consistent with, and parallel the 2013 COSO Framework's 17 internal control principles:


COSO Framework Components and Principles, with the corresponding Fraud Risk Management Principles

Control Environment

COSO principles:

1. The organization demonstrates a commitment to integrity and ethical values.

2. The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.

3. Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.

4. The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.

5. The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives.

Fraud risk management principle:

1) The organization establishes and communicates a Fraud Risk Management Program that demonstrates the expectations of the board of directors and senior management and their commitment to high integrity and ethical values regarding managing fraud risk.

Risk Assessment

COSO principles:

6. The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.

7. The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.

8. The organization considers the potential for fraud in assessing risks to the achievement of objectives.

9. The organization identifies and assesses changes that could significantly impact the system of internal control.

Fraud risk management principle:

2) The organization performs comprehensive fraud risk assessments to identify specific fraud schemes and risks, assess their likelihood and significance, evaluate existing fraud control activities, and implement actions to mitigate residual fraud risks.

Control Activities

COSO principles:

10. The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.

11. The organization selects and develops general control activities over technology to support the achievement of objectives.

12. The organization deploys control activities through policies that establish what is expected and procedures that put policies into place.

Fraud risk management principle:

3) The organization selects, develops, and deploys preventive and detective fraud control activities to mitigate the risk of fraud events occurring or not being detected in a timely manner.

Information & Communication

COSO principles:

13. The organization obtains or generates and uses relevant, quality information to support the functioning of internal control.

14. The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.

15. The organization communicates with external parties regarding matters affecting the functioning of internal control.

Fraud risk management principle:

4) The organization establishes a communication process to obtain information about potential fraud and deploys a coordinated approach to investigation and corrective action to address fraud appropriately and in a timely manner.

Monitoring Activities

COSO principles:

16. The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.

17. The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.

Fraud risk management principle:

5) The organization selects, develops, and performs ongoing evaluations to ascertain whether each of the five principles of fraud risk management is present and functioning and communicates Fraud Risk Management Program deficiencies in a timely manner to parties responsible for taking corrective action, including senior management and the board of directors.

Source: COSO, Fraud Risk Management Guide: Executive Summary, 2016


Techniques for Fraud Prevention

It's not sufficient just to detect and investigate fraud. Your company must have a strategy to fight fraud. A well-rounded anti-fraud program will have taken measures that prevent fraud. Once this is implemented, everything else will fall into place. Here is how you can develop strategies that will work for you. One of the biggest challenges for the fraud examiner is to persuade management that the risks of fraud must not be underestimated. Those who have not suffered from fraud previously will be unaware of the risks and costs. Management may think only in terms of the direct financial costs but needs to be encouraged to look further, at the indirect costs. These include:

• Consequential loss

• Legal and investigative costs

• Regulatory fines

• Management time

• Increased insurance premiums

• Loss of key staff and customers

• Increased cost of/inability to raise new finance

Fraud can never be eliminated from business entirely, simply because collusion can always overcome normal organizational controls. Combating fraud needs a different and fresh approach that should cover all aspects of the fraud cycle:

• Fraud deterrence and prevention

• Fraud detection

• Fraud investigation

An approach is recommended that includes the following components:

• Establish the right culture

• Establish a whistle-blowing policy

• Identify the risks

• Implement effective controls

• Increase awareness of the risks

• Plan for the worst

• Recruit the right people

• Search for suspicious transactions

According to the ACFE, increasing the perception of detection may well be the most effective fraud prevention method. Controls, for example, do little good in forestalling internal theft and fraud if their presence is not known to those at risk. In the audit profession, this means letting employees, managers, and executives know that auditors are actively seeking out information concerning internal theft.


Recruitment

Before a company opens its doors to new employees, managers should stop and ask themselves, "Do I really know this person well enough to trust them with my money, confidential information, and above all my reputation?" Many companies believe that their recruitment procedures will deal with this question. A study revealed that:

• 30% of employees admitted to lying while applying for jobs;

• 18% of employees think it is necessary to exaggerate on their curriculum vitae;

• 34% of managers do not check the background of applicants; and

• 36% of organizations state that untruths on curriculum vitae (CVs) cost them significant time and money.

Companies should check each new candidate thoroughly. The more senior the position, the more thorough this checking should be. Senior staff have more opportunity to commit fraud, as they are in positions of trust and tend to have the authority to authorize payments and approve contracts. They are also more likely to commit frauds that can permanently damage their organization.

On-Going Process

Vetting is not only for new employees. It should be an on-going process across the whole workforce. For example:

• What if an individual commenced employment many years ago, when vetting was less rigorous?

• What if an individual's circumstances have changed such that they now find themselves under severe financial pressure?

When staff with more than ten years of service are responsible for one-third of all frauds, you can easily see why it is important to adopt continual vetting procedures. Here are the Do's and Don'ts for the hiring process:

Do:

• Ask all potential employees to complete a detailed application form

• Look for gaps in employment history

• Request written references and check by telephone

• Check all qualifications

• Carry out in-depth due diligence in relation to senior employees

• If possible, obtain details of criminal records

• Carry out checks on temporary and contract staff as well

Don't:

• Rely only on a curriculum vitae provided by the applicant

• Limit checks to, say, the last ten years only

• Accept "to whom it may concern" reference letters

• Accept copy certificates

• Assume a previous employer has carried out full and proper due diligence

• Accept verbal representations at face value

Codes of Conduct

The aim of a corporate policy is to demonstrate to both employees and the outside world that the company is taking the threat of dishonesty, fraud, and theft seriously. By issuing a detailed policy, it clearly sets out what is considered to be dishonest and warns any potential wrongdoers that the consequences of being caught will be serious. The effect therefore will be to deter any potential wrongdoers, thus resulting in reduced losses from any wrongdoing and reduced costs in respect of investigating any wrongdoing.

There should be a general policy statement on ethics and the company's attitude toward dishonesty, fraud, and theft. Other matters that should be considered include:

• Does the policy make a distinction between fraud committed by employees, suppliers, customers, etc.?

• Is the policy communicated to all staff (e.g., when they are recruited, in induction training, on the extranet, etc.)?

• Are staff required to confirm that they understand the policy and that they have complied with it in all respects?

• Does the policy make it clear that it applies to all staff, including directors?

• Does the policy apply to all subsidiaries, including those abroad?

Definition of Fraud

The policy should include a clear definition of what is regarded as fraud or theft. For example:

• Does the policy set out the company's attitude toward client entertaining and gifts and what action needs to be undertaken on receipt of these?

• Does the policy quantify what constitutes fraud or dishonesty? For example, an overstatement of expenses by $1 might not be considered to be fraud, but continuously over-claiming expenses by $1 might be considered dishonest.

• Does the policy distinguish between the seriousness of different offenses?

• Does the policy include a statement in respect to the misstatement of financial statements or destruction of accounting records?

• Does the policy include a statement in respect to conflicts of interest?

• What policies are in place to inform customers/suppliers that a code of conduct is in operation?

Whistleblowing Policy


When appointed to carry out investigations, the investigator's first port of call is the company's own staff. The reason for this is that they are the "eyes and ears" of a company. They know exactly what frauds are going on and who is doing it. They are an extremely valuable resource that companies are failing to utilize. What makes things worse is that, if used properly, they could have stopped the fraud much earlier. An even better source of information for the investigator is an ex-employee, as they have less to lose by blowing the whistle. For those current members of staff who do blow the whistle, the consequences can be disastrous. Far from being hailed as corporate heroes for saving the business from potential financial ruin, three out of four whistleblowers are sidelined or have their careers blighted by their honest actions.

Employers should be encouraging whistleblowers to come forward, as the quicker a business can spot fraud, the better. Not only does early detection diminish the damage to a firm's reputation, but it wastes less of management's time and ultimately costs the business less. This is why having a robust whistleblowing policy in place is good practice. Having such a policy might also discourage potential whistleblowers from approaching the press as a first resort. In addition, businesses need to engender a culture in which employees believe their concerns will be taken seriously, and that the protection afforded by the law and policies is real.

Increase Awareness of Risks

Fraud examiners have a wealth of experience that has been obtained through investigation. One of the positive steps that they can take is to pass this experience back to company management and staff through an education process. Most employees and management will be unaware of the risks faced by their organization. Without knowing what the risks are, they will be unable to take corrective action. The methods that the fraud examiner can take to increase awareness of the risks faced by companies include:

• Lectures to management and staff on general fraud awareness.

• Presentation of case studies.

• Use of the company intranet.

• Articles in company magazines.

Implement Controls

Once a fraud examiner has carried out the above steps, she will then be in a position to implement specific controls to prevent fraud. If the right candidates have been recruited and the company has an effective code of conduct and whistleblowing process, the need for effective controls will be less urgent. The opposite is true if the company has not recruited the right candidates or established a code of conduct and whistleblowing policy. In fact, without having dealt with the issues referred to above, a company will find that implementing effective controls may not have the desired effect, as staff will work out how to defeat these controls.

The fraud examiner will first want to identify the high-risk areas. This can be achieved through a workshop attended by management and staff from different areas of the business (e.g., accounting, warehouse, operations, marketing, etc.). Each will have a different perspective that may be counter to another attendee's perspective. Having identified the risk areas (e.g., procurement of IT equipment), the fraud examiner will want to review the following:

• Lack of segregation of duties

• Lack of physical safeguards

• Lack of independent checks

• Lack of authorization

• Overriding of existing controls

• Ineffectiveness of existing controls

• Inadequacy of the accounting system

Data Mining

Data is a fundamental element in any organization's ability to manage its business. It is collected from a wide variety of sources, stored on many different systems, and is regularly used for marketing and sales activities. However, the use of this data in fraud detection is frequently overlooked.

The likelihood of identifying potentially fraudulent activity can be significantly enhanced through the regular application of data mining tools and techniques, although these are not foolproof and must be run in conjunction with other activities designed to reduce the threat of fraud.

Technology as a Tool

People commit frauds, but as technology plays an increasingly important role in business life, the fraudster often leaves warning signals of his activity in an organization's systems.

Each transaction will leave a trail. Increasingly, in order to enhance the way an organization does business, databases have been developed to store huge amounts of transactional and standing data from accounting, sales, purchasing, and payroll functions. This data is used for marketing, forecasting, and reporting but rarely for detecting and predicting fraud. Yet it can also be a key factor in developing and implementing a fraud risk management strategy.

Use of Spreadsheets

Data mining in its simplest form may take the form of a "sorted" Excel spreadsheet in which the fraud examiner is trying to identify the largest suppliers or customers. A further development of this is to track expenditure with the largest suppliers over time. This can be achieved using pivot tables in Excel followed by the charting function. Charting expenditure over time can identify a single payment over a specified limit to a particular supplier; further investigation may reveal that it was paid to a fictitious company.

Use of Databases

The next stage in data mining is the use of databases to run complex queries. Microsoft Access is an extremely powerful tool which many fraud examiners will be able to use. More complex databases exist for larger enterprises. These may require specialist knowledge. However, they can analyze large amounts of data and produce complex queries that can be automated. The following chart illustrates that data mining has identified a series of transactions just above $50,000, which is the authorization limit for the company.

Databases can also be used to identify suspicious transactions around points in time.
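The queries described under Use of Spreadsheets and Use of Databases, as an added example that is not part of the course material: the Python script below loads a constructed set of supplier payments into an in-memory SQLite database (standing in for the Excel sheet or Access database the text mentions) and runs the four checks just described, ranking suppliers by spend, listing single payments over a specified limit, finding suppliers with a run of payments sitting around the $50,000 authorization limit, and listing payments around a point in time such as a period end. The supplier names, amounts, dates and the 2% band around the limit are all constructed for illustration; the only figure taken from the text is the $50,000 limit.

```python
import sqlite3

# Constructed sample supplier payments for illustration; not data from the course.
SAMPLE_PAYMENTS = [
    # (payment_id, supplier, amount, paid_on)
    (1, "Acme Office Supplies", 1200.00, "2019-01-15"),
    (2, "Initech Hardware", 22000.00, "2019-03-10"),
    (3, "Acme Office Supplies", 950.00, "2019-04-02"),
    (4, "Pied Piper Ltd", 700.00, "2019-05-05"),
    (5, "Northwind Logistics", 50500.00, "2019-06-14"),
    (6, "Northwind Logistics", 50250.00, "2019-07-12"),
    (7, "Northwind Logistics", 50900.00, "2019-08-16"),
    (8, "Northwind Logistics", 50100.00, "2019-09-13"),
    (9, "Acme Office Supplies", 1800.00, "2019-10-21"),
    (10, "Globex Consulting", 120000.00, "2019-12-30"),
    (11, "Initech Hardware", 48000.00, "2019-12-31"),
]

# Single-approver authorization limit; the $50,000 figure is the one quoted in the text.
AUTHORIZATION_LIMIT = 50_000.00


def load_payments(rows=SAMPLE_PAYMENTS):
    """Load payment rows into an in-memory SQLite table (stands in for an Access or ERP extract)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE payments ("
        " payment_id INTEGER PRIMARY KEY,"
        " supplier   TEXT NOT NULL,"
        " amount     REAL NOT NULL,"
        " paid_on    TEXT NOT NULL)"  # ISO dates so SQLite's julianday() can parse them
    )
    conn.executemany("INSERT INTO payments VALUES (?, ?, ?, ?)", rows)
    conn.commit()
    return conn


def top_suppliers(conn, n=3):
    """The 'sorted spreadsheet' view: suppliers ranked by total spend."""
    sql = ("SELECT supplier, SUM(amount) AS total FROM payments "
           "GROUP BY supplier ORDER BY total DESC LIMIT ?")
    return conn.execute(sql, (n,)).fetchall()


def payments_over(conn, threshold):
    """Single payments above a specified limit, largest first."""
    sql = ("SELECT payment_id, supplier, amount, paid_on FROM payments "
           "WHERE amount > ? ORDER BY amount DESC")
    return conn.execute(sql, (threshold,)).fetchall()


def clustered_near_limit(conn, limit=AUTHORIZATION_LIMIT, band=0.02, min_count=3):
    """Suppliers with a run of payments sitting within +/- band of the authorization limit.

    The text describes a series just above the limit; checking a band on both
    sides of it also catches the more common pattern of payments kept just below it.
    """
    low, high = limit * (1 - band), limit * (1 + band)
    sql = ("SELECT supplier, COUNT(*) AS n, SUM(amount) AS total FROM payments "
           "WHERE amount BETWEEN ? AND ? "
           "GROUP BY supplier HAVING COUNT(*) >= ? ORDER BY n DESC")
    return conn.execute(sql, (low, high, min_count)).fetchall()


def payments_around(conn, pivot_date, days=3):
    """Payments within +/- `days` of a point in time, such as a period end."""
    sql = ("SELECT payment_id, supplier, amount, paid_on FROM payments "
           "WHERE abs(julianday(paid_on) - julianday(?)) <= ? ORDER BY paid_on")
    return conn.execute(sql, (pivot_date, days)).fetchall()


if __name__ == "__main__":
    db = load_payments()
    print("Largest suppliers:", top_suppliers(db))
    print("Single payments over $100,000:", payments_over(db, 100_000))
    print("Runs of payments near the $50,000 limit:", clustered_near_limit(db))
    print("Payments around 2019 year end:", payments_around(db, "2019-12-31"))
```

Each function returns plain rows so the same queries can be pointed at a real payments extract; the thresholds, band width and minimum run length are parameters because every company's authorization limits and payment volumes differ, and any row flagged here is only a lead for the follow-up investigation the text describes, not a finding in itself.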

Fraud Response Plan

When fraud comes to light, the actions taken in the first few hours, days, or weeks will be key in limiting the damage that is done to the company. It is no good "making it up as you go along," and "proper planning prevents poor performance." The plan should identify at least one individual to whom fraud or suspicion of fraud should be reported. Those concerned should then receive proper training and guidance on what to do once the fraud has been reported.

These individuals should always be contactable (i.e., 24/7), as a fraud can come to light at any time. Employees will need to know whom to contact and how to contact them. Also, many frauds are now conducted on an international scale, and company operations may be carried out abroad. In a move to make businesses efficient, multiple shifts mean there is 24-hour production in some businesses.

The individuals chosen to sit on the fraud response team will need to have appropriate seniority and independence; they should not be in a position where a conflict of interest could arise.

After the initial report of fraud, the company may consider creating a larger group that would be responsible for managing the investigation or other response. If this is the case, then plans will have to be put into place to contact the other members of the group to discuss next steps. The plan should therefore consider:


• What constitutes a fraud which requires the attention of the larger group?

• Who makes the decision as to whether the larger group should be consulted?

• When should the group meet, and by when should it report?

Powers of the Group

The powers of the group should be set out in writing so that it is clear they have the power to act. The powers should be sufficient to ensure that they can carry out their role without hindrance or delay, both internally and externally. The group may need to consult the board of directors and should have the ability to do so directly.

Responsibilities of the Group

The outcome of an investigation may vary depending on the size of the fraud, who was involved, or how it was perpetrated. The group will therefore have to make an initial assessment as to what action would be desirable. The group will have to take action to:

• Suspend or dismiss the persons involved

• Prevent further losses

• Recover any losses incurred

• Pursue criminal action

The group may also have to consider what should be communicated and to whom. It will be almost impossible to keep the details of the fraud from other members of staff. Once staff become aware of the fraud, it will then spread to the press, investors, unions, customers, and suppliers. Therefore, the group will have to determine:

• Whether the PR department has been briefed on how to respond to press enquiries.

• At what stage investors will be informed.

• Whether unions should be regularly briefed.

• How suppliers will be informed if one of their employees is involved.

If the company has insurance coverage, the insurance company will need to be informed at an early stage to ensure that coverage applies and that, if it wishes, it can involve its own professional advisors in the investigation process.

Whom to Contact for Assistance

At some stage during the investigation process, it is likely that outside assistance will be required. At the lowest level, this may be a locksmith who is required to change office locks on a Sunday night. Details of any individual or entity that is likely to be able to assist should be obtained before they are required; this includes contact details outside normal working hours.

Contact with the Police


Companies have historically wanted to avoid informing the police, as they are afraid of any adverse publicity. Once a fraud is reported to the police, directors believe that they will lose control of the investigation. This may have been true in the past, but the police are now better equipped to investigate fraud. There are also positive aspects to reporting fraud to the police. It sends a very strong signal to the workforce and can act as a strong deterrent to any potential fraudsters. If they think that the company will prosecute them, they could then lose everything else, including family and friends. The company will therefore have to determine what its attitude toward reporting offenses to the police is. It will separately have to establish its obligations in relation to regulators.

The ACFE Fraud Prevention Checkup

Source: Association of Certified Fraud Examiners (www.acfe.com)

One of the ACFE's most valuable fraud prevention resources, the ACFE Fraud Prevention Checkup is a simple yet powerful test of your company's fraud health. It tests the fraud prevention processes designed to help you identify major gaps and fix them before it is too late.

The checkup should ideally be a collaboration between objective, independent fraud specialists (such as a Certified Fraud Examiner) and people within the organization who have extensive knowledge about its operations. Internal auditors bring extensive knowledge and a valuable perspective to such an evaluation. At the same time, the perspective of an independent and objective outsider is also important, as is the deep knowledge and experience of fraud that full-time fraud specialists provide.

The purpose of the checkup is to identify major gaps in your fraud prevention processes, as indicated by low point scores in particular areas. Even if you score 80 points out of 100, the missing 20 could be crucial fraud prevention measures that leave you exposed to major fraud. Therefore, there is no passing grade other than 100 points.

ENTITY:

DATE OF CHECKUP:

1. Fraud risk oversight

To what extent has the entity established a process for oversight of fraud risks by the board of directors or others charged with governance (e.g., an audit committee)?

Score: From 0 (process not in place) to 20 points (process fully implemented, tested within the past year and working effectively).

2. Fraud risk ownership

To what extent has the entity created "ownership" of fraud risks by identifying a member of senior management as having responsibility for managing all fraud risks within the entity and by explicitly communicating to business unit managers that they are responsible for managing fraud risks within their part of the entity?

Score: From 0 (process not in place) to 10 points (process fully implemented, tested within the past year and working effectively).

3. Fraud risk assessment

To what extent has the entity implemented an ongoing process for regular identification of the significant fraud risks to which the entity is exposed?

Score: From 0 (process not in place) to 10 points (process fully implemented, tested within the past year and working effectively).

4. Fraud risk tolerance and risk management policy

To what extent has the entity identified and had approved by the board of directors its tolerance for different types of fraud risks? For example, some fraud risks may constitute a tolerable cost of doing business, while others may pose a catastrophic risk of financial or reputational damage to the entity. The entity will likely have a different tolerance for these risks.

To what extent has the entity identified and had approved by the board of directors a policy on how the entity will manage its fraud risks? Such a policy should identify the risk owner responsible for managing fraud risks, what risks will be rejected (e.g., by declining certain business opportunities), what risks will be transferred to others through insurance or by contract, and what steps will be taken to manage the fraud risks that are retained.

Score: From 0 (processes not in place) to 10 points (processes fully implemented, tested within the past year and working effectively).

5. Process level anti-fraud controls/re-engineering

To what extent has the entity implemented measures, where possible, to eliminate or reduce through process re-engineering each of the significant fraud risks identified in its risk assessment? Basic controls include segregation of duties relating to authorization, custody of assets and recording or reporting of transactions. In some cases it may be more cost-effective to re-engineer business processes to reduce fraud risks rather than layer on additional controls over existing processes. For example, some fraud risks relating to receipt of funds can be eliminated or greatly reduced by centralizing that function or outsourcing it to a bank's lockbox processing facility, where stronger controls can be more affordable.

To what extent has the entity implemented measures at the process level designed to prevent, deter and detect each of the significant fraud risks identified in its risk assessment? For example, the risk of sales representatives falsifying sales to earn sales commissions can be reduced through effective monitoring by their sales manager, with approval required for sales above a certain threshold.

Score: From 0 (processes not in place) to 10 points (processes fully implemented, tested within the past year and working effectively).

6. Environment level anti-fraud controls

Major frauds usually involve senior members of management who are able to override process-level controls through their high level of authority. Preventing major frauds therefore requires a very strong emphasis on creating a workplace environment that promotes ethical behavior, deters wrongdoing and encourages all employees to communicate any known or suspected wrongdoing to the appropriate person. Senior managers may be unable to perpetrate certain fraud schemes if employees decline to aid and abet them in committing a crime. Although "soft" controls to promote appropriate workplace behavior are more difficult to implement and evaluate than traditional "hard" controls, they appear to be the best defense against fraud involving senior management.

To what extent has the entity implemented a process to promote ethical behavior, deter wrongdoing and facilitate two-way communication on difficult issues? Such a process typically includes:

– Having a senior member of management who is responsible for the entity's processes to promote ethical behavior, deter wrongdoing and communicate appropriately on difficult issues. In large public companies, this may be a full-time position such as ethics officer or compliance officer. In smaller companies, this will be an additional responsibility held by an existing member of management.

– A code of conduct for employees at all levels, based on the entity's core values, which gives clear guidance on what behavior and actions are permitted and which ones are prohibited. The code should identify how employees should seek additional advice when faced with uncertain ethical decisions and how they should communicate concerns about known or potential wrongdoing affecting the entity.

– Training for all personnel upon hiring and regularly thereafter concerning the code of conduct, seeking advice and communicating potential wrongdoing.

– Communication systems to enable employees to seek advice where necessary prior to making difficult ethical decisions and to express concern about known or potential wrongdoing affecting the entity. Advice systems may include an ethics or compliance telephone help line or e-mail to an ethics or compliance office/officer. The same or similar systems may be used to enable employees (and sometimes vendors, customers and others) to communicate concerns about known or potential wrongdoing affecting the entity. Provision should be made to enable such communications to be made anonymously, though strenuous efforts should be made to create an

Page 187: Internal ontrol and raud etection

175

environment in which callers feel sufficiently confident to express their concerns openly. Open

communication makes it easier for the entity to resolve the issues raised, but protecting callers from

retribution is an important concern.

– A process for promptly investigating where appropriate and resolving expressions of

concern regarding known or potential wrongdoing, then communicating the resolution to those

who expressed the concern. The entity should have a plan that sets out what actions will be taken

and by whom to investigate and resolve different types of concerns. Some issues will be best

addressed by human resources personnel, some by general counsel, some by internal auditors and

some may require investigation by fraud specialists. Having a pre- arranged plan will greatly speed

and ease the response and will ensure appropriate persons are notified where significant potential

issues are involved (e.g., legal counsel, board of directors, audit committee, independent auditors,

regulators, etc.)

– Monitoring of compliance with the code of conduct and participation in the related training.

Monitoring may include requiring at least annual confirmation of compliance and auditing of such

confirmations to test their completeness and accuracy.

– Regular measurement of the extent to which the entity’s ethics/compliance and fraud

prevention goals are being achieved. Such measurement typically includes surveys of a statistically

meaningful sample of employees. Surveys of employees’ attitudes towards the entity’s

ethics/compliance activities and the extent to which employees believe management acts in

accordance with the code of conduct provide invaluable insight into how well those items are

functioning.

– Incorporation of ethics/compliance and fraud prevention goals into the performance

measures against which managers are evaluated and which are used to determine performance

related compensation.

Score: From 0 (process not in place) to 30 points (process fully implemented, tested within the past

year and working effectively).

7. Proactive fraud detection

To what extent has the entity established a process to detect, investigate and resolve potentially significant fraud? Such a process should typically include proactive fraud detection tests that are specifically designed to detect the significant potential frauds identified in the entity’s fraud risk assessment. Other measures can include audit “hooks” embedded in the entity’s transaction processing systems that can flag suspicious transactions for investigation and/or approval prior to completion of processing. Leading-edge fraud detection methods include computerized e-mail monitoring (where legally permitted) to identify use of certain phrases that might indicate planned or ongoing wrongdoing.

Score: From 0 (process not in place) to 10 points (process fully implemented, tested within the past year and working effectively).

ADD ALL SCORES FOR THE TOTAL SCORE (out of a possible 100 points):

Interpreting the Entity’s Score

A brief fraud prevention checkup provides a broad idea of the entity’s performance with respect to fraud prevention. The scoring necessarily involves broad judgments, while more extensive evaluations would have greater measurement data to draw upon. Therefore, the important information to take from the checkup is the identification of particular areas for improvement in the entity’s fraud prevention processes. The precise numerical score is less important and is only presented to help communicate an overall impression.

The desirable score for an entity of any size is 100 points, since the recommended processes are scalable to the size of the entity. Most entities should expect to fall significantly short of 100 points in an initial fraud prevention checkup. That is not currently considered to be a material weakness in internal controls that represents a reportable condition under securities regulations. However, significant gaps in fraud prevention measures should be closed promptly in order to reduce fraud losses and reduce the risk of future disaster.

The Use of Technology for Fraud Detection

Data Mining

Automated fraud detection is a form of data mining, and it is evolving with technology. It helps a company identify concealed patterns, such as numeric, time, name, and geographic patterns, that may indicate fraud. During the past five or so years, surveys of senior professionals in the areas of audit, risk management, compliance, and fraud detection have consistently indicated that increased use of technology is considered to be a critical factor, especially when organizations deal with a large number of transactions on a daily basis. Leveraging sophisticated data mining techniques allows management to identify and respond quickly to red flags and to reduce the risk of fraud escalation by implementing risk and control data analytics that regularly monitor transactions.

To be effective, data mining relies on the source data being accurate, consistent, and integrated. Data mining looks both to confirm anticipated patterns and to uncover new patterns. Anything unusual, hidden, or unexpected should be investigated. However, over time, data mining results may change due to changing economic and political factors. Therefore, the analyses should be updated accordingly and reviewed by management for reasonableness. Data mining techniques are commonly used in the areas of:

• Accounts payable and vendors
• Travel and entertainment transactions
• Purchasing card activities
• Expense reimbursement
• Payroll transactions
• General ledger

Data mining involves software examining a database to identify patterns, relationships, and trends to assist in management decision making. Instead of relying on sampling, data mining enables a company to analyze large volumes of transactions using advanced technology and procedures to identify:

• Suspicious transactions (e.g. duplicate payments)
• Unusual relationships (e.g. a vendor bank account that matches an employee bank account)
• Irregular trends over periods of time (e.g. vendor favoritism)

The following table demonstrates how data mining can be proactively applied to prevent and detect payables frauds.

Data Mining in Payable Fraud Prevention and Detection

Approach: Rules
Examples: Flag improper transactions based on known abuses:
• Duplicate payments
• Split payments
• Duplication of address for two or more vendors
• Discrepancy between invoice and purchase order
• Above-average payments to a vendor
• Above-average voided checks to a vendor

Approach: Anomaly Detection
Examples: Detect individual and aggregated abnormal behaviors:
• Abnormal invoice volume activity (e.g. rapid increase in invoice volume)
• Dramatic change of price
• Invoices dated before purchase orders
• Invoices that do not match purchase orders
• Invoices to prohibited vendors
• Rounded-amount invoices
• Invoices just below approval amounts
• Gaps in check numbers
• Vendors with many cancelled or returned checks, or a regular pattern of cancelled checks

Approach: Predictive Models
Examples: Predictive assessment against known fraud cases:
• The use of a residential address or PO Box by the vendor
• Vendors with the same or similar addresses, or no address
• Accounts payable credits and voided check matching
• Vendor and employee cross-check by address, tax ID number, phone number, and bank routing number

Approach: Link Analysis
Examples: Knowledge discovery through associated link analysis:
• Association to known fraud
• Collusive relationships
• Suspicious referrals
• Linked suspicious addresses or phone numbers
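Several of the rule and anomaly tests in the table above (duplicate payments, split payments, invoices just below approval amounts, rounded-amount invoices, vendor/employee bank-account matches, shared vendor addresses and gaps in check numbers) are simple enough to be run as scheduled queries over the payables ledger, which is also how the audit “hooks” mentioned under item 7 are typically built. The Python script below is an added example written for this edition; it is not code from the original course or from any vendor’s product. The $5,000 approval limit, the 5% “just below” band, the sample ledger and the employee bank-account list are all constructed assumptions for illustration.

```python
"""Added example: rule-based payables tests over a constructed AP ledger.
Assumed (not from the course): a $5,000 single-signature approval limit,
a 5% "just below" band, and a hypothetical employee payroll bank-account master."""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import date

APPROVAL_LIMIT_CENTS = 500_000   # assumed $5,000 approval threshold
NEAR_LIMIT_PCT = 5               # "just below" = within 5% under the limit

@dataclass(frozen=True)
class Payment:
    check_no: int
    pay_date: date
    vendor: str
    vendor_bank: str    # routing-account as held in the vendor master
    vendor_addr: str
    invoice_no: str
    amount_cents: int   # integer cents avoid floating-point rounding surprises

# Constructed sample ledger (not real data); planted issues are noted inline.
LEDGER = [
    Payment(1001, date(2020, 3, 2), "Acme Supply", "021000021-11112222", "12 Mill Rd, Dayton OH", "A-1001", 481_275),      # same-day split, just below limit
    Payment(1002, date(2020, 3, 2), "Acme Supply", "021000021-11112222", "12 Mill Rd, Dayton OH", "A-1002", 494_010),      # same-day split, just below limit
    Payment(1003, date(2020, 3, 5), "Beta Tools", "011000015-33334444", "PO Box 77, Tulsa OK", "B-207", 125_050),
    Payment(1005, date(2020, 3, 9), "Beta Tools", "011000015-33334444", "PO Box 77, Tulsa OK", "B-207", 125_050),          # duplicate of 1003; check 1004 missing
    Payment(1006, date(2020, 3, 10), "Cardinal Consulting", "021000021-77881234", "9 Oak St, Dayton OH", "C-33", 300_000), # rounded amount; bank matches an employee
    Payment(1007, date(2020, 3, 11), "Delta Print", "053000196-90901212", "12 mill rd, dayton, oh", "D-51", 61_240),       # address shared with Acme Supply
]

# Hypothetical employee payroll bank accounts, keyed by employee id.
EMPLOYEE_BANKS = {"E1001": "021000021-77881234", "E1002": "026009593-55120009"}

def normalize_addr(addr: str) -> str:
    """Lower-case, drop punctuation and collapse whitespace so near-identical addresses collide."""
    return re.sub(r"\s+", " ", re.sub(r"[^\w\s]", "", addr.lower())).strip()

def duplicate_payments(ledger):
    """Same vendor, invoice number and amount paid more than once."""
    seen = defaultdict(list)
    for p in ledger:
        seen[(p.vendor, p.invoice_no, p.amount_cents)].append(p.check_no)
    return sorted((v, inv) for (v, inv, _), checks in seen.items() if len(checks) > 1)

def split_payments(ledger, limit=APPROVAL_LIMIT_CENTS):
    """Two or more same-day invoices to one vendor, each under the limit but summing to at least the limit."""
    by_day = defaultdict(list)
    for p in ledger:
        by_day[(p.vendor, p.pay_date)].append(p.amount_cents)
    return sorted((v, d.isoformat(), sum(a)) for (v, d), a in by_day.items()
                  if len(a) > 1 and max(a) < limit and sum(a) >= limit)

def just_below_limit(ledger, limit=APPROVAL_LIMIT_CENTS, pct=NEAR_LIMIT_PCT):
    """Invoices landing in the narrow band just under the approval threshold."""
    floor = limit - limit * pct // 100
    return sorted(p.invoice_no for p in ledger if floor <= p.amount_cents < limit)

def rounded_amounts(ledger):
    """Invoices for an exact multiple of $100; genuine invoices rarely are."""
    return sorted(p.invoice_no for p in ledger if p.amount_cents % 10_000 == 0)

def vendor_employee_bank_matches(ledger, employee_banks=EMPLOYEE_BANKS):
    """Vendor bank account identical to an employee's payroll account."""
    by_bank = {acct: emp for emp, acct in employee_banks.items()}
    return sorted({(p.vendor, by_bank[p.vendor_bank]) for p in ledger if p.vendor_bank in by_bank})

def shared_addresses(ledger):
    """Two or more distinct vendors resolving to one normalized address."""
    vendors = defaultdict(set)
    for p in ledger:
        vendors[normalize_addr(p.vendor_addr)].add(p.vendor)
    return sorted((addr, sorted(v)) for addr, v in vendors.items() if len(v) > 1)

def check_number_gaps(ledger):
    """Check numbers missing from the otherwise continuous sequence."""
    present = {p.check_no for p in ledger}
    return [n for n in range(min(present), max(present) + 1) if n not in present]

def run_all(ledger=LEDGER):
    """Run every rule and return the findings keyed by rule name."""
    return {
        "duplicate_payments": duplicate_payments(ledger),
        "split_payments": split_payments(ledger),
        "just_below_limit": just_below_limit(ledger),
        "rounded_amounts": rounded_amounts(ledger),
        "vendor_employee_bank": vendor_employee_bank_matches(ledger),
        "shared_addresses": shared_addresses(ledger),
        "check_number_gaps": check_number_gaps(ledger),
    }

if __name__ == "__main__":
    for rule, hits in run_all().items():
        print(f"{rule}: {hits}")
```

Run stand-alone, the script prints each rule’s hits for the sample ledger. Two design points matter in practice: amounts are held as integer cents so that threshold comparisons are exact, and addresses are normalized before matching so that trivial formatting differences (“12 Mill Rd, Dayton OH” versus “12 mill rd, dayton, oh”) do not hide a shared address. The same functions would be scheduled against the real AP extract, with findings routed to the investigation process described under item 7 rather than back to the clerks whose work they test.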

Forensic Computing

In many respects, advances in technology have enabled criminals to commit crimes more quickly and successfully. For example, by capturing database information it is easy to steal people’s identities and financial data. The automation of the payroll system has enabled corrupt employees to create false identities to receive paychecks. At the same time, technology preserves evidence: deleting a computer file does not necessarily remove the information, and data stored on one computer may exist in many locations, such as on a backup tape, tablet or smartphone. Such devices serve as a tape recorder, documenting and storing the evidence of a crime. The following lists some of the basic tools for data detective work.

Tool: Network sniffer (hardware)
Purpose: Allows the user to “recreate” the crime by keeping a record of packet sessions across networks.

Tool: Portable disk duplicator and/or duplication software
Purpose: Preserves the original crime scene by allowing investigators to copy hard drives in the field and the lab for later analysis.

Tool: Chain-of-custody documentation hardware
Purpose: Digitally records every mouse click of the investigative process to make court testimony more credible.

Tool: Case management software
Purpose: Helps link seemingly unrelated pieces of evidence.


Part IV − Section 2 Review Questions

31. When a forensic accountant investigates an activity such as purchasing/kickback schemes, computer fraud, labor fraud, or falsification of inventory, what activity is he/she performing?

A. A personal injury and fatal accident claim investigation
B. Professional negligence investigation
C. Arbitration activity
D. A fraudulent white-collar crime investigation

32. Which of the following statements is TRUE for a fraud examination?

A. The timing is recurring
B. The scope is general
C. The relationship is adversarial
D. The goal is to examine with professional skepticism

33. How is auditing different from fraud examination?

A. Auditing is conducted to resolve specific allegations.
B. Auditing is involved in efforts to affix blame and is adversarial in nature.
C. Auditing is performed on a regular recurring basis.
D. Auditing is conducted by the examination of documents and the review of outside data such as public records.

34. Which of the following tools helps link seemingly unrelated pieces of evidence?

A. Network sniffer (hardware)
B. Portable disk duplicator and/or duplication software
C. Case management software
D. Chain-of-custody documentation hardware


Appendix A: Example of Management Report

Source: The AICPA, Statement on Auditing Standards No. 130

The following is an illustrative management report with no material weaknesses reported.

Management’s Report on Internal Control Over Financial Reporting

ABC Company’s internal control over financial reporting is a process effected by those charged with governance, management, and other personnel, designed to provide reasonable assurance regarding the preparation of reliable financial statements in accordance with [applicable financial reporting framework, such as accounting principles generally accepted in the United States of America]. An entity’s internal control over financial reporting includes those policies and procedures that (1) pertain to the maintenance of records that, in reasonable detail, accurately and fairly reflect the transactions and dispositions of the assets of the entity; (2) provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements in accordance with [applicable financial reporting framework, such as accounting principles generally accepted in the United States of America], and that receipts and expenditures of the entity are being made only in accordance with authorizations of management and those charged with governance; and (3) provide reasonable assurance regarding prevention, or timely detection and correction, of unauthorized acquisition, use, or disposition of the entity’s assets that could have a material effect on the financial statements.

Management of ABC Company is responsible for designing, implementing, and maintaining effective internal control over financial reporting. Management assessed the effectiveness of ABC Company’s internal control over financial reporting as of December 31, 20XX, based on [identify criteria]. Based on that assessment, management concluded that, as of December 31, 20XX, ABC Company’s internal control over financial reporting is effective, based on [identify criteria].

Internal control over financial reporting has inherent limitations. Internal control over financial reporting is a process that involves human diligence and compliance and is subject to lapses in judgment and breakdowns resulting from human failures. Internal control over financial reporting also can be circumvented by collusion or improper management override. Because of its inherent limitations, internal control over financial reporting may not prevent, or detect and correct, misstatements. Also, projections of any assessment of effectiveness to future periods are subject to the risk that controls may become inadequate because of changes in conditions, or that the degree of compliance with the policies or procedures may deteriorate.

ABC Company
Report signers, if applicable
Date


Appendix B: Section 404 Management Compliance Checklist

Source: The Institute of Internal Auditors, Sarbanes-Oxley Section 404: A Guide for Management by Internal Controls Practitioners

The IIA provides the following checklist that helps management teams ensure their Section 404 program is efficient.

1. Has operating management taken ownership of their processes and documentation, rather than leaving it to the Section 404 team or the internal auditing function?

2. Does operating management update all process and control documentation promptly throughout the year and not just when testing starts? Is there an effective change management process in place, including the timely assessment of process changes for their potential impact on key controls?

3. Is operating management committed to assessing and remediating all control deficiencies promptly? In situations where remediation is not justified based on management’s assessment of risk and cost, is management committed to communicating that decision promptly so the effect on management’s overall assessment of controls can be identified and discussed with senior management?

4. Has a top-down, risk-based approach been used to identify the key controls? Is management confident that all identified key controls are truly key? Has the design of the related processes been reviewed to determine if changes can result in fewer and more effective controls, relying more on automated controls or on higher-level controls (e.g., detailed reconciliations and flux analyses)? The fewer the controls to test, the lower the cost.

5. Is management of the Section 404 program at a sufficiently high level within the organization to:
• Influence operating management relative to completion of their responsibilities?
• Communicate effectively with executive management the program’s progress and potential issues?
• Negotiate as needed with the external auditor (e.g., to increase reliance on management testing, agree on key controls early, and address concerns as they arise)?

6. Is the use of internal resources optimized, including the use of internal auditors to perform testing or to validate testing performed by management staff?

7. Has overall staffing been optimized, reducing reliance on more expensive external consultants and testers?

8. Has reliance by the external auditor on management testing been optimized?

9. Does the external auditor follow a top-down, risk-based approach as required by AS No. 2201?

10. Is there a detailed project plan:
a. That includes a walk-through of all significant processes early in the year, preferably in the first quarter?
b. With testing scheduled in such a way that all key controls are tested by mid-year, with additional testing to update the results scheduled closer to year-end? This enables the external auditor to start their walkthroughs and testing early, providing time for management to address and remediate any deficiencies identified in either management or external auditor testing.
c. That includes all key activities required to complete the program, such as fraud risk assessment, consideration of any end-user computing issues, assessment of SAS 70 reports from service providers, etc.?
d. Detailing all required resources, including specialists (e.g., for IT or tax processes and controls), so they can be scheduled early?
e. With regular reporting to senior management that focuses on key metrics and issues, such as:
• Progress against timetables, highlighting steps that are or may be behind schedule?
• Percentage of key controls tested compared to their scheduled completion level?
• Number and percentage of key controls that are failing?
• Number of failed controls that are potentially significant to the Section 404 assessment?
• The number of failed controls where remediation will not be completed within 30 days, so senior management can focus on a timely completion?
• The number of key controls where remediation and retesting may not be completed with sufficient time for the external auditor to retest (these are likely to be open deficiencies at year-end)?
• Costs to date and projected through the end of the year?
• Potential resource issues?
• Other issues, such as coordination and concerns raised by the external auditor?

11. Has there been communication and coordination with all service providers to ensure that a SAS 70 type II report will be available at the appropriate time, and that early warning is provided of potential deficiencies being identified during the SAS 70 audit?

12. Finally, is the Section 404 program itself assessed for effectiveness on a continuing basis, to ensure it is improved as the organization learns from experience and benefits from changes in regulations or their interpretation?


Appendix C: Financial Reporting Controls and Information Systems Checklist − Medium to Large Business

Appendix C includes the questionnaires and checklists that help you document your understanding of the control environment and of internal control over the following cycles:

1. Revenue
2. Purchasing
3. Inventory
4. Financing
5. Property, Plant, and Equipment
6. Payroll

The processes, documents, and controls listed in Appendix C are typical for medium to large business entities but are by no means all-inclusive. A preponderance of ‘‘No’’ or ‘‘N/A’’ responses may indicate that the entity uses other processes, documents, or controls in its information and communication systems. You should consider supplementing this questionnaire with a memo or flowchart to document significant features of the client’s system that are not covered by this questionnaire. They should help you in planning a primarily substantive approach. To assess control risk below the maximum, you will need to design tests of controls and then test specific controls to determine the effectiveness of their design and operation.

Templates (Part 3) for assessing segregation of duties and the risk of management override are also provided in Appendix C. You can also find a checklist (Part 4) that guides you on how to interpret the results.


Part 1. Internal Control Assessment Questionnaires

Control Environment

In the space provided below, indicate whether you strongly agree, somewhat agree, somewhat disagree, strongly disagree or have no opinion with the following statements. Use a rating scale of 1-5, where: 5 = strongly agree, 4 = somewhat agree, 3 = somewhat disagree, 2 = strongly disagree, and 1 = no opinion.

Your answers should be based on:

• Your previous experience with the entity
• Inquiries of appropriate management, supervisory, and staff personnel
• Inspection of documents and records
• Observation of the entity’s activities and operations

Control Environment Factors Rating

Integrity and Ethical Values

1. Management has high ethical and behavioral standards.

2. The company has a written code of ethical and behavioral standards that is comprehensive and periodically acknowledged by all employees.

3. If a written code of conduct does not exist, the management culture emphasizes the importance of integrity and ethical values.

4. Management reinforces its ethical and behavioral standards.

5. Management appropriately deals with signs that problems exist (e.g., defective products or hazardous waste) even when the cost of identifying and solving the problem could be high.

6. Management has removed or reduced incentives and temptations that might prompt personnel to engage in dishonest, illegal, or unethical acts. For example, there is generally no:

• Pressure to meet unrealistic performance targets.

• High-performance-dependent rewards.

• Upper and lower cutoffs on bonus plans.

7. Management has provided guidance on the situations and frequency with which intervention of established controls is appropriate.


8. Management overrides of established controls are appropriately documented, explained and investigated.

9. Management intervention is documented and explained appropriately.

Commitment to Competence

10. Management has appropriately considered the knowledge and skill levels necessary to accomplish financial reporting tasks.

11. Employee job descriptions, including specific duties, reporting responsibilities, and constraints have been clearly established and effectively communicated to employees.

12. Employees with financial reporting tasks generally have the knowledge and skills necessary to accomplish those tasks.

13. The department adequately compensates employees in order to attract qualified individuals.

14. There are clear criteria for hiring and promoting.

15. Employee performance evaluation techniques have been implemented to identify incompetent or ineffective employees.

Board of Directors and Audit Committee

16. The board of directors is independent from management.

17. The board constructively challenges management’s planned decisions.

18. Directors have sufficient knowledge and industry experience and time to serve effectively.

19. The board regularly receives the information they need to monitor management’s objectives and strategies.

20. The audit committee reviews the scope of activities of the internal and external auditors annually.

21. The audit committee meets privately with the chief financial and/or accounting officers, internal auditors and external auditors to discuss the

• Reasonableness of the financial reporting process

• System of internal control

• Significant comments and recommendations

• Management’s performance

22. The board takes steps to ensure an appropriate ‘‘tone at the top.’’

23. The board or committee takes action as a result of its findings.


Management’s Philosophy and Operating Style

24. Management moves carefully, proceeding only after carefully analyzing the risks and potential benefits of accepting business risks.

25. Management is generally cautious or conservative in financial reporting and tax matters.

26. There is relatively low turnover of key personnel (e.g., operating, accounting, data processing, internal audit).

27. There is no undue pressure to meet budget, profit, or other financial and operating goals.

28. Management views the accounting and internal audit function as a vehicle for exercising control over the entity’s activities.

29. Operating personnel review and ‘‘sign off’’ on reported results.

30. Senior managers frequently visit subsidiary or divisional operations.

31. Group or divisional management meetings are held frequently.

Organizational Structure

32. The entity’s organizational structure facilitates the flow of information upstream, downstream, and across all business activities.

33. Responsibilities and expectations for the entity’s business activities are communicated clearly to the executives in charge of those activities.

34. There is adequate supervision and monitoring of decentralized operations.

35. Accounting and information technology departments are centralized.

36. The executives in charge have the required knowledge, experience, and training to perform their duties.

37. Those in charge of business activities have access to senior operating management.

Assignment of Authority and Responsibility

38. Authority and responsibility are delegated only to the degree necessary to achieve the company’s objectives.

39. Job descriptions, for at least management and supervisory personnel, exist.

40. Job descriptions contain specific references to control related responsibilities.

41. Proper resources are provided for personnel to carry out their duties.


42. Personnel understand the entity’s objectives and know how their individual actions interrelate and contribute to those objectives.

43. Personnel recognize how and for what they will be held accountable.

Human Resource Policies and Practices

44. The entity generally hires the most qualified people for the job.

45. Hiring and recruiting practices emphasize educational background, prior work experience, past accomplishments, and evidence of integrity and ethical behavior.

46. Recruiting practices include formal, in-depth employment interviews.

47. Prospective employees are told of the entity’s history, culture and operating style.

48. The entity provides training opportunities, and employees are well-trained.

49. Promotions and rotation of personnel are based on periodic performance appraisals.

50. The turnover of key personnel is relatively low.

51. Methods of compensation, including bonuses, are designed to motivate personnel and reinforce outstanding performance.

52. Management does not hesitate to take disciplinary action when violations of expected behavior occur.

B. Other Internal Control Components with a Pervasive Effect on the Organization

Risk Assessment

1. Special action is taken to ensure new personnel understand their tasks.

2. Management appropriately considers the control activities performed by personnel who change jobs or leave the company.

3. Management assesses how new accounting and information systems will impact internal control.

4. Management reconsiders the appropriateness of existing control activities when new accounting and information systems are developed and implemented.

5. Employees are adequately trained when accounting and information systems are changed or replaced.


6. Accounting and information system capabilities are upgraded when the volume of information increases significantly.

7. Accounting and data processing personnel are expanded as needed when the volume of information increases significantly.

8. The entity has the ability to forecast reasonably operating and financial results.

9. Management keeps abreast of the political, regulatory, business, and social culture of areas in which foreign operations exist.

General Control Activities

10. The entity prepares operating budgets and cash flow projections.

11. Operating budgets and projections lend themselves to effective comparison with actual results.

12. Significant variances between budgeted or projected amounts and actual results are reviewed and explained.

13. The company has adequate safekeeping facilities for custody of the accounting records such as fireproof storage areas and restricted access cabinets.

14. The entity has a suitable record retention plan.

15. The entity has adequate controls to limit access to computer programs and data files.

16. Periodically, personnel compare counts of assets to amounts shown on control records.

17. There is adequate segregation of duties among those responsible for authorizing transactions, recording transactions, and maintaining custody of assets.

Information and Communication Systems Support

18. Management receives the information they need to carry out their responsibilities.

19. Information is provided at the right level of detail for different levels of management.

20. Information is available on a timely basis.

21. Information is accurate: correct data is recorded and reported.

22. Information is accessible: it can be easily obtained by appropriate parties.


23. Information with accounting significance (for example, slow-paying customers) is transmitted across functional lines in a timely manner.

Monitoring

24. Customer complaints about billings are investigated for their underlying causes.

25. Communications from bankers, regulators, or other outside parties are monitored for items of accounting significance.

26. Management responds appropriately to auditor recommendations on ways to strengthen internal controls.

27. Employees are required to ‘‘sign off’’ to evidence the performance of critical control functions.

28. The internal auditors are independent of the activities they audit.

29. Internal auditors have adequate training and experience.

30. Internal auditors document the planning and execution of their work by such means as audit programs and working papers.

31. Internal audit reports are submitted to the board of directors or audit committee.

Significant Account Balances and Transaction Cycles

Revenue Cycle

This checklist may be used on any audit engagement of a medium to large company when the revenue cycle is significant. Normally, the revenue cycle is significant in most audit engagements.

The purpose of this checklist is to document your understanding of controls for significant classes of transactions. Your knowledge of the revenue cycle should be sufficient for you to understand:

• How cash and credit sales are initiated
• How credit limits are established and maintained
• How cash receipts are recorded
• How sales and cash receipts are processed by the accounting system
• The accounting records and supporting documents involved in the processing and reporting of sales, accounts receivable, and cash receipts
• The processes used to prepare significant accounting estimates and disclosures


Revenue and Accounts Receivable

A. Initiating Sales Transactions

Rating: N/A / No / Yes

1. Credit limits are clearly defined.

2. Credit limits are clearly communicated.

3. The credit of prospective customers is investigated before it is extended to them.

4. Credit limits are periodically reviewed.

5. The people who perform the credit function are independent of:

• Sales

• Billing

• Collection

• Accounting

6. Credit limits and changes in credit limits are communicated to persons responsible for approving sales orders on a timely basis.

7. The company has clearly defined policies and procedures for acceptance and approval of sales orders.

8. Pre-numbered sales orders are used and accounted for.

9. Pre-numbered shipping documents are used to record shipments.

10. Shipping document information is verified prior to shipment.

11. The people who perform the shipping function are independent of:

• Sales

• Billing

• Collection

• Accounting

12. All shipping documents are accounted for.

13. Pre-numbered credit memos are used to document sales returns.

14. All credit memos are approved and accounted for.

15. Credit memos are matched with receiving reports for returned goods.

16. Cash sales are controlled by cash registers or pre-numbered cash receipts forms.

17. Someone other than the cashier has custody of the cash register tape compartment.

18. Someone other than the cashier takes periodic readings of the cash register and balances the cash on hand.

B. Processing Sales Transactions

19. Information necessary to prepare invoices (e.g., prices, discount policies) is clearly communicated to billing personnel on a timely basis.

20. Pre-numbered invoices are prepared promptly after goods are shipped.

21. Quantities on the invoices are compared to shipping documents.

22. The prices on the invoices are current.

23. The people who perform the billing function are independent of:

• Sales

• Credit

• Collection

24. Invoices are mailed to customers on a timely basis.

25. Invoices are posted to the general ledger on a timely basis.

26. Standard journal entries are used to record sales.

27. Invoices are posted to the sales and accounts receivable subsidiary ledgers or journals on a timely basis.

28. Credit memos are posted to the general ledger on a timely basis.

29. Credit memos are posted to the sales and accounts receivable subsidiary ledgers or journals on a timely basis.

30. Procedures exist for determining proper cut-off of sales at month-end.

31. The sales and accounts receivable balances shown in the general ledger are reconciled to the sales and accounts receivable subsidiary ledgers on a regular basis.
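The "used and accounted for" items above (8, 12, 13 and 14) and the cut-off item (30) are usually tested by analytics over an export rather than by hand. The Python below is an added example written for this guide, not part of the course's checklist. It assumes invoices can be exported with their own pre-printed number, the number of the shipping document they bill, the ship date and the invoice date; the field names, the June 30 period end and the sample records are constructed.

```python
"""Accounting for pre-numbered sales documents and month-end cut-off.

Added example, not part of the course text. It assumes each invoice
record carries its own pre-printed number, the number of the shipping
document it bills, the ship date and the invoice date; the field names,
the period end and the sample records below are constructed.
"""
from datetime import date
from typing import NamedTuple


class Invoice(NamedTuple):
    number: int        # pre-numbered invoice
    shipping_doc: int  # pre-numbered shipping document it bills
    shipped: date
    invoiced: date
    amount: float


# Constructed sample: a run of invoices straddling the June period end.
PERIOD_END = date(2024, 6, 30)
SAMPLE = [
    Invoice(1001, 501, date(2024, 6, 27), date(2024, 6, 28), 1200.00),
    Invoice(1002, 502, date(2024, 6, 28), date(2024, 6, 28), 350.00),
    Invoice(1004, 504, date(2024, 6, 30), date(2024, 7, 2), 980.00),   # 1003 and 503 never appear
    Invoice(1005, 505, date(2024, 7, 3), date(2024, 6, 30), 4100.00),  # billed in June for a July shipment
    Invoice(1005, 506, date(2024, 7, 3), date(2024, 7, 3), 640.00),    # invoice number used twice
    Invoice(1006, 507, date(2024, 6, 20), date(2024, 6, 29), 210.00),  # billed nine days after shipment
]


def sequence_exceptions(numbers):
    """Return (missing, duplicated) for a run of pre-numbered documents.

    'Accounted for' means every number from the lowest to the highest used
    appears exactly once. A gap is a voided form or an unrecorded document
    that has to be explained; a duplicate is a reused or forged form.
    """
    seen, duplicated = set(), set()
    for n in numbers:
        if n in seen:
            duplicated.add(n)
        seen.add(n)
    missing = sorted(set(range(min(seen), max(seen) + 1)) - seen)
    return missing, sorted(duplicated)


def cutoff_exceptions(invoices, period_end, max_lag_days=3):
    """Flag invoices that break the shipment/invoice cut-off rules.

    billed_before_shipment          invoice dated before the goods left
    shipped_not_billed_in_period    shipped on or before period end, billed after
                                    (revenue understated in the period)
    billed_in_period_shipped_after  invoiced on or before period end for goods
                                    shipped after it (revenue overstated)
    late_billing                    invoice raised more than max_lag_days after shipment
    """
    findings = []
    for inv in invoices:
        reasons = []
        if inv.invoiced < inv.shipped:
            reasons.append("billed_before_shipment")
        if inv.shipped <= period_end < inv.invoiced:
            reasons.append("shipped_not_billed_in_period")
        if inv.invoiced <= period_end < inv.shipped:
            reasons.append("billed_in_period_shipped_after")
        if (inv.invoiced - inv.shipped).days > max_lag_days:
            reasons.append("late_billing")
        findings.extend((inv.number, r) for r in reasons)
    return findings


def run_checks(invoices=SAMPLE, period_end=PERIOD_END):
    """Both document sequences plus the cut-off tests, on one page."""
    inv_missing, inv_dup = sequence_exceptions(i.number for i in invoices)
    ship_missing, ship_dup = sequence_exceptions(i.shipping_doc for i in invoices)
    return {
        "invoice_gaps": inv_missing,
        "invoice_duplicates": inv_dup,
        "shipping_doc_gaps": ship_missing,
        "shipping_doc_duplicates": ship_dup,
        "cutoff": cutoff_exceptions(invoices, period_end),
    }


if __name__ == "__main__":
    for key, value in run_checks().items():
        print(f"{key}: {value}")
```

Every gap must be traced to a voided form on file, and each duplicate number, each invoice dated before its shipment and each June invoice for July goods is an exception to be explained and, where material, adjusted, not a rounding matter. The same two functions apply unchanged to sales orders, credit memos and cash receipts forms.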

C. Estimates and Disclosures for Sales Transactions

32. The accounting system generates a monthly aging of accounts receivable.

33. The people who prepare the aging are independent of:

• Billing

• Collection

34. Management uses the accounts receivable aging to investigate, write off, or adjust delinquent accounts receivable.

35. Management uses the accounts receivable aging and other information to estimate an allowance for doubtful accounts.

36. The person responsible for financial reporting identifies significant concentrations of credit risk.

Cash Receipts

A. Initiating Cash Receipts Transactions

Rating: N/A / No / Yes

1. The entity maintains records of payments on accounts by customer.

2. Someone other than the person responsible for maintaining accounts receivable opens the mail and lists the cash receipts.

3. Cash receipts are deposited intact.

4. Cash receipts are deposited in separate bank accounts when required.

5. People who handle cash receipts are adequately bonded.

6. Local bank accounts used for branch office collections are subject to withdrawal only by the home office.

B. Processing Cash Received on Account

7. Cash receipts are posted to the general ledger on a timely basis.

8. Cash receipts are posted to the accounts receivable subsidiary ledger on a timely basis.

9. Standard journal entries are used to post cash receipts.

10. The people who enter cash receipts to the accounting system are independent of the physical handling of collections.

11. Timely bank reconciliations are prepared or reviewed by someone independent of the cash receipts function.


Purchasing Cycle

This checklist may be used on any audit engagement of a medium to large business where the purchasing cycle is significant. Normally, the purchasing cycle is significant for most businesses.

The purpose of this checklist is to document your understanding of controls for significant classes of transactions. Your knowledge of the purchasing cycle should be sufficient for you to understand:

• How purchases are initiated and goods received

• How cash disbursements are recorded

• How purchases and cash disbursements are processed by the financial reporting information system

• The accounting records and supporting documents involved in the processing and reporting of purchases, accounts payable, and cash disbursements

• The processes used to prepare significant accounting estimates and disclosures

Purchases and Accounts Payable

A. Initiating Purchases and Receipt of Goods

Rating: N/A / No / Yes

1. All purchases over a predetermined amount are approved by management.

2. Non-routine purchases (for example, services, fixed assets, or investments) are approved by management.

3. A purchase order system is used, pre-numbered purchase orders are accounted for, and physical access to purchase orders is controlled.

4. Open purchase orders are periodically reviewed.

5. The purchasing function is independent of:

• Receiving

• Invoice processing

• Cash disbursements

6. All goods are inspected and counted when received.

7. Pre-numbered receiving reports, or a log, are used to record the receipt of goods.

8. The receiving reports or log indicate the date the items were received.

9. The receiving function is independent of:

• Purchasing

• Invoice processing

• Cash disbursements

B. Processing Purchases

10. Invoices from vendors are matched with applicable receiving reports.

11. Invoices are reviewed for proper quantity and prices, and mathematical accuracy.

12. Invoices from vendors are posted to the general ledger on a timely basis.

13. Invoices from vendors are posted to the accounts payable subsidiary ledger on a timely basis.

14. The invoice processing function is independent of:

• Purchasing

• Receiving

• Cash disbursements

15. Standard journal entries are used to post accounts payable.

16. The accounts payable account per the general ledger is reconciled periodically to the accounts payable subsidiary ledger.

17. Statements from vendors are reconciled to the accounts payable subsidiary ledger.

C. Disclosures

18. Management has the information to identify vulnerability due to concentrations of suppliers (SOP 94-6).

Cash Disbursements

A. Initiating Cash Disbursements

Rating: N/A / No / Yes

1. All disbursements except those from petty cash are made by check.

2. All checks are recorded.

3. Supporting documentation such as invoices and receiving reports is reviewed before the checks are signed.

4. Supporting documents are canceled to avoid duplicate payment.

B. Processing Cash Disbursements

5. Cash disbursements are posted to the general ledger on a timely basis.

6. Cash disbursements are posted to the accounts payable subsidiary ledger on a timely basis.

7. Standard journal entries are used to post cash disbursements.

8. Timely bank reconciliations are prepared or reviewed by the owner or manager or someone independent of the cash receipts and cash disbursements functions.
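Items 10 and 11 of the purchases checklist and items 3 and 4 of the cash disbursements checklist describe the three-way match (purchase order, receiving report, vendor invoice) and the canceling of support that stops a liability being paid twice. The Python below is an added example, not the course's own material, that runs both as automated tests. The record layouts (a shared PO number, a check number stamped on paid invoices) and all sample data are constructed for illustration.

```python
"""Three-way match of vendor invoices and duplicate-payment detection.

Added example, not part of the course text. It assumes purchase orders,
receiving reports and vendor invoices can be pulled as records that share
a PO number, and that paid invoices carry the number of the check that
paid them; the record layouts and the sample data are constructed.
"""
from collections import defaultdict
from typing import NamedTuple, Optional


class PurchaseOrder(NamedTuple):
    po: str
    vendor: str
    qty: int
    unit_price: float
    approved_by: Optional[str]  # None means nobody approved it


class ReceivingReport(NamedTuple):
    report_no: int
    po: str
    qty_received: int


class VendorInvoice(NamedTuple):
    invoice_no: str
    vendor: str
    po: str
    qty: int
    unit_price: float
    total: float
    paid_by_check: Optional[int]  # None means not yet paid


# Constructed sample data.
POS = [
    PurchaseOrder("PO-100", "Acme Supply", 50, 20.00, "jdoe"),
    PurchaseOrder("PO-101", "Acme Supply", 10, 150.00, None),
    PurchaseOrder("PO-102", "Bolt Bros", 200, 1.25, "jdoe"),
    PurchaseOrder("PO-103", "Bolt Bros", 40, 3.00, "msmith"),
]
RECEIPTS = [
    ReceivingReport(7001, "PO-100", 50),
    ReceivingReport(7002, "PO-101", 10),
    ReceivingReport(7003, "PO-102", 180),  # short shipment
    ReceivingReport(7004, "PO-103", 40),
]
INVOICES = [
    VendorInvoice("INV-0077", "Acme Supply", "PO-100", 50, 20.00, 1000.00, 5501),
    VendorInvoice("inv 77", "Acme Supply", "PO-100", 50, 20.00, 1000.00, 5540),  # same liability, paid again
    VendorInvoice("A-19", "Acme Supply", "PO-101", 10, 150.00, 1500.00, None),
    VendorInvoice("B-3", "Bolt Bros", "PO-102", 200, 1.25, 250.00, None),   # bills 200, only 180 received
    VendorInvoice("B-9", "Bolt Bros", "PO-103", 40, 3.30, 140.00, None),    # price drift and bad footing
    VendorInvoice("C-1", "Bolt Bros", "PO-999", 5, 9.99, 49.95, None),      # no purchase order at all
]


def three_way_match(pos, receipts, invoices, price_tolerance=0.01):
    """Return (invoice_no, reason) pairs for invoices that should not be paid.

    A clean invoice has an approved PO from the same vendor, cumulative
    billed quantity within what receiving actually counted, a unit price
    within tolerance of the PO, and a total that foots to qty * price.
    """
    po_by_no = {p.po: p for p in pos}
    received = defaultdict(int)
    for r in receipts:
        received[r.po] += r.qty_received
    billed = defaultdict(int)
    findings = []
    for inv in invoices:
        po = po_by_no.get(inv.po)
        if po is None:
            findings.append((inv.invoice_no, "no_purchase_order"))
            continue
        if po.approved_by is None:
            findings.append((inv.invoice_no, "po_not_approved"))
        if po.vendor != inv.vendor:
            findings.append((inv.invoice_no, "vendor_mismatch"))
        billed[inv.po] += inv.qty
        if billed[inv.po] > received[inv.po]:
            findings.append((inv.invoice_no, "billed_more_than_received"))
        if abs(inv.unit_price - po.unit_price) > price_tolerance:
            findings.append((inv.invoice_no, "price_differs_from_po"))
        if abs(inv.total - inv.qty * inv.unit_price) > 0.005:
            findings.append((inv.invoice_no, "extension_error"))
    return findings


def duplicate_payments(invoices):
    """Group paid invoices that look like one liability paid twice.

    Keys on the vendor plus either the amount or the invoice number with
    punctuation, case and leading zeros stripped, so that 'INV-0077' and
    'inv 77' collide. This is what slips through when supporting documents
    are not canceled after the first check is signed.
    """
    groups = defaultdict(list)
    for inv in invoices:
        if inv.paid_by_check is None:
            continue
        digits = "".join(ch for ch in inv.invoice_no if ch.isdigit()).lstrip("0")
        groups[("number", inv.vendor, digits)].append(inv.invoice_no)
        groups[("amount", inv.vendor, round(inv.total, 2))].append(inv.invoice_no)
    return sorted({tuple(v) for v in groups.values() if len(v) > 1})


if __name__ == "__main__":
    for finding in three_way_match(POS, RECEIPTS, INVOICES):
        print("hold:", finding)
    for group in duplicate_payments(INVOICES):
        print("possible duplicate payment:", group)
```

The cumulative billed-versus-received test matters more than a per-invoice one: a vendor (or an insider with access to vendor master data) who splits one receipt across two invoices passes a one-to-one match and fails only when the quantities are summed per purchase order. The duplicate-payment keys are deliberately loose; the output is a worklist for the disbursements reviewer, not a verdict.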

Inventory

This checklist may be used on any audit engagement of a medium to large business where inventory is a significant transaction cycle.

The purpose of this checklist is to document your understanding of controls for significant classes of transactions. Your knowledge of the inventory cycle should be sufficient for you to understand:

• How costs are capitalized to inventory

• How cost is relieved from inventory

• How inventory costs and cost of sales are processed by the accounting system

• The procedures used to take the physical inventory count

• The accounting records and supporting documents involved in the processing and reporting of inventory and cost of sales

• The processes used to prepare significant accounting estimates and disclosures

A. Capturing Capitalizable Costs

Rating: N/A / No / Yes

1. Management prepares production goals and schedules based on sales forecasts.

2. The company budgets its planned inventory levels.

3. All releases from storage of raw materials, supplies, and purchased parts inventory are based on approved requisition documents.

4. Labor costs are reported promptly and in sufficient detail to allow for the proper allocation to inventory.

5. The entity uses a cost accounting system to accumulate capitalizable costs.

6. The cost accounting system distinguishes between costs that should be capitalized for GAAP purposes and those that should be capitalized for tax purposes.

7. For standard cost systems:

• Standard rates and volume are periodically compared to actual and revised accordingly.

• Significant variances are investigated.

8. The cost accounting system interfaces with the general ledger.

9. Transfers of completed units from production to custody of finished goods inventory are based on approved completion reports that authorize the transfer.

10. The people responsible for maintaining detailed inventory records are independent from the physical custody and handling of inventories.

11. Production cost budgets are periodically compared to actual costs, and significant differences are explained.

B. Inventory Records

12. The entity maintains adequate inventory records of prices and amounts on hand.

13. Withdrawals from inventory are based on pre-numbered finished inventory requisitions, shipping reports, or both.

14. Additions to and withdrawals from inventory are posted to the inventory records and the general ledger.

15. Standard journal entries are used to post inventory transactions to the inventory records and the general ledger.

16. Inventory records are periodically reconciled to the general ledger.

17. Inventory records are reconciled to a physical inventory count.

C. Physical Inventory Counts

18. Inventory is counted at least once a year.

19. Physical inventory counters are given adequate instructions.

20. Inventory count procedures are sufficient to provide an accurate count, including steps to ensure:

• Proper cut-off

• Identification of obsolete items

• All items are counted once and only once

D. Estimates and Disclosures

21. Management is able to identify excess, slow-moving, or obsolete inventory.

22. Excess, slow-moving, or obsolete inventory is periodically written off.

23. Management can identify inventory subject to rapid technological obsolescence that may need to be disclosed under ASC 275.

Financing

This checklist may be used on any audit engagement of a medium to large business where investments or debt are a significant transaction cycle.

The purpose of this checklist is to document your understanding of controls for significant classes of transactions. Your knowledge of the financing cycle should be sufficient for you to understand:

• How investment decisions are authorized and initiated

• How financing is authorized and captured by the accounting system

• How management classifies investments as either trading, available-for-sale, or held-to-maturity

• How investment and debt transactions are processed by the accounting system

• The accounting records and supporting documents involved in the processing and reporting of investments and debt

• The processes used to prepare significant accounting estimates, disclosures, and presentation

Investments

A. Authorization and Initiation

Rating: N/A / No / Yes

1. Investment transactions are authorized by management.

2. The company has established policies and procedures for determining when board of director approval is required for investment transactions.

3. Management and the board assess and understand the risks associated with the entity’s investment strategies.

4. Investments are registered in the name of the company.

5. At acquisition, investments are classified as trading, available-for-sale, or held-to-maturity.

B. Processing

6. Investment transactions are posted to the general ledger on a timely basis.

7. Account statements received from brokers are reviewed for accuracy.

8. Discounts and premiums are amortized regularly using the interest method.

9. Procedures exist to determine the fair value of trading and available-for-sale securities.

10. The general ledger is periodically reconciled to account statements from brokers or physical counts of securities on hand.

C. Disclosures

11. Management identifies investments with off-balance-sheet credit risk for proper disclosure.

12. Management distinguishes between derivatives held or issued for trading purposes and those held or issued for purposes other than trading.

13. The entity accumulates the information necessary to make disclosures about derivatives.

Debt

A. Authorization and Initiation

Rating: N/A / No / Yes

1. Financing transactions are authorized by management.

2. The company has established policies and procedures for determining when board of director approval is required for financing transactions.

3. Management and the board assess and understand all terms, covenants, and restrictions of debt transactions.

B. Processing and Documentation

4. Debt transactions are posted to the general ledger on a timely basis.

5. Any premiums or discounts are amortized using the interest method.

6. The company maintains up-to-date files of all notes payable.

C. Disclosure

7. Procedures exist to determine the fair value of notes payable for proper disclosure.

8. Management reviews its compliance with debt covenants on a timely basis.

Property, Plant, and Equipment

This checklist may be used on any audit engagement where fixed assets are a significant transaction cycle.

The purpose of this checklist is to document your understanding of controls for significant classes of transactions. Your knowledge of the property, plant, and equipment cycle should be sufficient for you to understand:

• How fixed asset transactions are authorized and initiated. (Additional information on the acquisition of fixed assets is documented on the Accounting Systems and Control Checklist for the Purchasing Cycle.)

• How fixed asset transactions and depreciation are processed by the accounting system.

• The accounting records and supporting documents involved in the processing and reporting of fixed assets and depreciation.

• The processes used to prepare significant accounting estimates and disclosures.

A. Authorization and Initiation

Rating: N/A / No / Yes

1. Fixed asset acquisitions and retirements are authorized by management.

B. Processing and Documentation

2. The company maintains detailed records of fixed assets and the related accumulated depreciation.

3. Responsibilities for maintaining the fixed asset records are segregated from the custody of the assets.

4. The general ledger and detailed fixed asset records are updated for fixed asset transactions on a timely basis.

5. A process exists for the timely calculation of depreciation expense for both book and tax purposes.

6. The general ledger and detailed fixed asset records are updated for depreciation expense on a timely basis.

7. The general ledger is periodically reconciled to the detailed fixed asset records.

C. Disclosure and Estimation

8. Management identifies events or changes in circumstances that may indicate fixed assets have been impaired (FAS 121).

9. Management assesses and understands the risk of specialized equipment becoming subject to technological obsolescence (ASC 275).

Payroll Cycle

This checklist may be used on any audit engagement of a medium to large business where the payroll cycle is significant.

The purpose of this checklist is to document your understanding of controls for significant classes of transactions. Your knowledge of the payroll cycle should be sufficient for you to understand:

• How the time worked by employees is captured by the accounting system.

• How salaries and hourly rates are established.

• How payroll and the related withholdings are calculated.

• The accounting records and supporting documents involved in the processing and reporting of payroll.

A. Initiating Payroll Transactions

Rating: N/A / No / Yes

1. Wages and salaries are approved by management.

2. Salaries of senior management are based on written authorization of the board of directors.

3. Bonuses are authorized by the board of directors.

4. Employee benefits and perks are granted in accordance with management’s authorization.

5. Senior management benefits and perks are authorized by the board of directors.

6. Proper authorization is obtained for all payroll deductions.

7. Access to personnel files is limited to those who are independent of the payroll or cash functions.

8. Wage and salary rates and payroll deductions are reported promptly to employees who perform the payroll processing function.

9. Changes in wage and salary rates and payroll deductions are reported promptly to employees who perform the payroll processing function.

10. Adequate time records are maintained for employees paid by the hour.

11. Time records for hourly employees are approved by a supervisor.

B. Processing Payroll

12. Payroll is calculated using authorized pay rates, payroll deductions, and time records.

13. Payroll registers are reviewed for accuracy.

14. Standard journal entries are used to post payroll transactions to the general ledger.

15. Payroll cost distributions are reconciled to gross pay.

16. Payroll information such as hours worked is periodically compared to production records.

17. Net pay is distributed by persons who are independent of the personnel, payroll preparation, timekeeping, and check preparation functions.

18. The responsibility for custody and follow-up of unclaimed wages is assigned to someone who is independent of the personnel, payroll processing, and cash disbursement functions.

19. Procedures are in place to estimate the fair value of stock-based compensation plans.

Part 2. Financial Information System Checklist

End-User Computing

End-user computing occurs when the user is responsible for the development and execution of the computer application that generates the information used by that same person. For example, an accounting clerk prepares a spreadsheet which shows amortization of premiums or discounts, and the information from the spreadsheet is the source of a journal entry.

The Computer Applications Checklist—Medium to Large Business was used to document your understanding of computer applications operated by the company’s IT department.

You should obtain an understanding of any spreadsheet application, database, or separate computer system that has been developed by end users to:

• Process significant accounting information outside of the IT-operated accounting application. For example, a spreadsheet accumulates invoices for batch processing.

• Make significant accounting decisions. For example, a spreadsheet application that ages accounts receivable and helps in determining write-offs.

• Accumulate footnote information. For example, a database of customers provides information about the location of customers for possible concentration of credit risk disclosures.

In the space provided below, describe how end-user computing is used in the following cycles:

1. Revenue

2. Purchasing

3. Inventory

4. Financing

5. Property, Plant, and Equipment

6. Payroll

Describe:

• The person or department who performs the computing

• A general description of the application and its type (e.g., spreadsheet)

• The source of the information used in the application

• How the results of the application are used in further processing or decision making

Procedures and Controls over End-User Computing

Answer the following questions relating to procedures and controls over end-user computing related to the following cycles:

1. Revenue

2. Purchasing

3. Inventory

4. Financing

5. Property, Plant, and Equipment

6. Payroll

Cycle reviewed: ____________________

Rating: N/A / No / Yes

1. End-user applications have been adequately tested before use.

2. The application has an appropriate level of built-in controls, such as edit checks, range tests, or reasonableness checks.

3. Access controls limit access to the end-user application.

4. A mechanism exists to prevent or detect the use of incorrect versions of data files.

5. The output of the end-user applications is reviewed for accuracy or reconciled to the source information.
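Items 2, 4 and 5 above can be built into the end-user application itself rather than left to a reviewer. The Python below is an added example, not the course's own material: it re-creates in code the premium-amortization schedule used as the end-user computing example at the start of this Part, using the interest (effective-interest) method the financing checklists call for, and wraps it in edit and range checks on the input, a digest check that the data file is the approved version, and a reconciliation of the output back to the source figures. The bond terms, the contents of the "data file" and its approved digest are constructed; in practice the digest would be recorded by the reviewer in a separate place, not computed beside the data as it is here.

```python
"""Built-in controls around an end-user amortization calculation.

Added example, not part of the course text. It re-creates in code the
premium-amortization schedule the text uses as its end-user computing
example, using the interest (effective-interest) method, and wraps it in
the controls the checklist asks for: edit and range checks on the input,
a digest check that the data file is the approved version, and a
reconciliation of the output back to the source figures. The bond terms,
the file contents and the approved digest are constructed.
"""
import hashlib
import json

# Constructed input "data file": a bond bought at a premium, semi-annual
# coupons, two years to maturity. Price is the present value at the yield.
APPROVED_DATA = json.dumps({
    "face": 100000.0,
    "coupon_rate": 0.06,
    "market_rate": 0.04,
    "periods_per_year": 2,
    "periods": 4,
    "price": 103807.73,
}, sort_keys=True).encode()

# Digest recorded when the file was reviewed and approved; the calculation
# refuses any file whose digest differs (checklist item 4).
APPROVED_DIGEST = hashlib.sha256(APPROVED_DATA).hexdigest()

REQUIRED = ("face", "coupon_rate", "market_rate", "periods_per_year", "periods", "price")


def digest_matches(raw, expected_digest):
    return hashlib.sha256(raw).hexdigest() == expected_digest


def validate(terms):
    """Edit, range and reasonableness checks (checklist item 2). Returns a list of problems."""
    errors = [f"missing field {k}" for k in REQUIRED if k not in terms]
    if errors:
        return errors
    if terms["face"] <= 0:
        errors.append("face must be positive")
    for key in ("coupon_rate", "market_rate"):
        if not 0 <= terms[key] <= 0.5:
            errors.append(f"{key} outside 0..50%")
    if terms["periods_per_year"] not in (1, 2, 4, 12) or terms["periods"] < 1:
        errors.append("implausible period count")
    # Reasonableness: a premium only arises when the coupon beats the yield.
    if terms["price"] > terms["face"] and terms["coupon_rate"] <= terms["market_rate"]:
        errors.append("premium price inconsistent with coupon <= market rate")
    if terms["price"] < terms["face"] and terms["coupon_rate"] >= terms["market_rate"]:
        errors.append("discount price inconsistent with coupon >= market rate")
    return errors


def amortization_schedule(terms):
    """Interest-method schedule: rows of (period, interest, cash, amortization, carrying)."""
    face, n = terms["face"], terms["periods"]
    yield_per_period = terms["market_rate"] / terms["periods_per_year"]
    cash = round(face * terms["coupon_rate"] / terms["periods_per_year"], 2)
    carrying = terms["price"]
    rows = []
    for period in range(1, n + 1):
        interest = round(carrying * yield_per_period, 2)
        amortization = round(cash - interest, 2)  # negative for a discount
        if period == n:  # force the final carrying value to face
            amortization = round(carrying - face, 2)
            interest = round(cash - amortization, 2)
        carrying = round(carrying - amortization, 2)
        rows.append((period, interest, cash, amortization, carrying))
    return rows


def reconciles(rows, terms):
    """Output reviewed against source (checklist item 5)."""
    total_amortization = round(sum(r[3] for r in rows), 2)
    premium = round(terms["price"] - terms["face"], 2)
    return abs(total_amortization - premium) < 0.01 and rows[-1][4] == terms["face"]


def run(raw=APPROVED_DATA, expected_digest=APPROVED_DIGEST):
    if not digest_matches(raw, expected_digest):
        raise ValueError("data file is not the approved version")
    terms = json.loads(raw)
    errors = validate(terms)
    if errors:
        raise ValueError("; ".join(errors))
    rows = amortization_schedule(terms)
    if not reconciles(rows, terms):
        raise ValueError("schedule does not reconcile to the source figures")
    return rows


if __name__ == "__main__":
    for row in run():
        print("period %d  interest %9.2f  cash %9.2f  amortization %8.2f  carrying %11.2f" % row)
```

With the constructed terms the four periods amortize 923.85, 942.32, 961.17 and 980.39, which total the 3,807.73 premium and bring the carrying value to face. The digest check is the cheapest of the three controls and the one most often missing from a spreadsheet: a clerk who re-keys one cell of the input produces a schedule that looks perfectly reasonable and still posts the wrong journal entry.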


Information Processed by Outside Computer Service Organizations

The Computer Applications Checklist—Medium to Large Business was used to document your understanding of the client’s use of an outside computer service organization to process entity-wide accounting information such as the general ledger. In this section you will document your understanding of how the entity uses an outside computer service organization to process information relating to the following cycles:

1. Revenue

2. Purchasing

3. Inventory

4. Financing

5. Property, Plant, and Equipment

6. Payroll

In the space below, describe the cycle information processed by the outside computer service bureau. Discuss:

• The general nature of the application

• The source documents used by the service organization

• The reports or other accounting documents produced by the service organization

• The nature of the service organization’s responsibilities. Do they merely record entity transactions and process related data, or do they have the ability to initiate transactions on their own?

• Controls maintained by the entity to prevent or detect material misstatement in the input or output.


Part 3. Assessing Segregation of Duties and the Risk of Management Override

Lack of Segregation of Duties

In the space provided below, assess risk due to a lack of segregation of duties for the company, based on the completion of Parts 1 and 2 of this form. Your comments should address:

• The person with incompatible responsibilities and the nature of those responsibilities.

• Any mitigating factors or controls, such as direct management oversight.

• The risk that material misstatements might occur as a result of a lack of segregation of duties, and the type of those misstatements.

• How substantive procedures will be designed to limit the risk of those misstatements to an acceptable level.
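One practical way to find the "person with incompatible responsibilities" is to map the system roles each person holds to the functions named in the cycle checklists and test every pair of functions one person performs against the independence requirements. The Python below is an added example, not part of the course: the role-to-function map, the users and the mitigating control are constructed, and the incompatible pairs are a subset taken from the checklists in Part 1 (credit versus sales, billing, collection and accounting; purchasing versus receiving, invoice processing and cash disbursements; records versus custody; and so on).

```python
"""Segregation-of-duties check against the incompatible pairs the checklists list.

Added example, not part of the course text. It assumes you can extract,
per person, the system roles they hold and map each role to the functions
in the checklists (purchasing, receiving, billing, cash handling and so
on); the role-to-function map, the users and the mitigating control are
constructed. The incompatible pairs are a subset of those the cycle
checklists require to be performed by different people.
"""
from itertools import combinations

# Pairs the checklists require to be performed by different people.
INCOMPATIBLE = {frozenset(p) for p in [
    # revenue cycle: credit, shipping and billing independence; cash receipts
    ("credit", "sales"), ("credit", "billing"), ("credit", "collection"), ("credit", "accounting"),
    ("shipping", "sales"), ("shipping", "billing"), ("shipping", "collection"), ("shipping", "accounting"),
    ("billing", "sales"), ("billing", "collection"),
    ("mail_opening", "ar_records"), ("cash_handling", "cash_receipts_entry"),
    ("cash_handling", "bank_reconciliation"),
    # purchasing cycle
    ("purchasing", "receiving"), ("purchasing", "invoice_processing"), ("purchasing", "cash_disbursements"),
    ("receiving", "invoice_processing"), ("receiving", "cash_disbursements"),
    ("invoice_processing", "cash_disbursements"),
    # inventory, fixed assets, payroll
    ("inventory_records", "inventory_custody"), ("fixed_asset_records", "fixed_asset_custody"),
    ("personnel_files", "payroll_processing"), ("personnel_files", "cash_disbursements"),
    ("pay_distribution", "payroll_processing"), ("pay_distribution", "timekeeping"),
]}

# Constructed: what each system role lets a person do, in checklist terms.
ROLE_FUNCTIONS = {
    "BUYER": {"purchasing"},
    "AP_CLERK": {"invoice_processing"},
    "AP_PAY": {"cash_disbursements"},
    "WAREHOUSE": {"receiving", "inventory_custody"},
    "CREDIT_MGR": {"credit"},
    "SALES_REP": {"sales"},
    "CASHIER": {"cash_handling"},
    "AR_CLERK": {"ar_records", "cash_receipts_entry"},
}

# Constructed: role assignments as exported from the ERP user list.
USER_ROLES = {
    "alice": {"BUYER", "AP_PAY"},
    "bob": {"WAREHOUSE"},
    "carol": {"CREDIT_MGR", "SALES_REP"},
    "dave": {"AP_CLERK"},
    "erin": {"CASHIER", "AR_CLERK"},
}

# Constructed: a compensating control already documented for a known conflict.
MITIGATIONS = {
    ("alice", frozenset({"purchasing", "cash_disbursements"})):
        "controller signs every check and reviews the check register monthly",
}


def functions_by_person(user_roles, role_functions):
    """Flatten role assignments into the set of functions each person performs."""
    return {user: set().union(*(role_functions[r] for r in roles))
            for user, roles in user_roles.items()}


def sod_conflicts(functions, mitigations=None):
    """Return (person, function_a, function_b, mitigation_or_None), sorted by person."""
    mitigations = mitigations or {}
    found = []
    for person, funcs in sorted(functions.items()):
        for a, b in combinations(sorted(funcs), 2):
            pair = frozenset((a, b))
            if pair in INCOMPATIBLE:
                found.append((person, a, b, mitigations.get((person, pair))))
    return found


def unmitigated(conflicts):
    """Conflicts with no documented compensating control: these drive the risk assessment."""
    return [c for c in conflicts if c[3] is None]


if __name__ == "__main__":
    conflicts = sod_conflicts(functions_by_person(USER_ROLES, ROLE_FUNCTIONS), MITIGATIONS)
    for person, a, b, mitigation in conflicts:
        print(f"{person}: {a} + {b}  ->  {mitigation or 'NO MITIGATING CONTROL'}")
```

Run against the constructed data, alice (orders and pays), carol (grants credit and sells) and erin (handles cash and records receipts) are flagged; bob, who both receives and holds inventory, is not, because the checklists separate receiving from purchasing and invoice processing, not from custody. Only alice has a documented compensating control, so the other two conflicts are what the assessment in the space below should address. The same check is worth re-running after every role change, since segregation that held at the interim date rarely survives a year of access requests.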

___________________________________________________________________________

___________________________________________________________________________

___________________________________________________________________________

___________________________________________________________________________

Management Override

Even in effectively controlled entities, those with generally high levels of integrity and control consciousness, a manager might be able to override controls. The term ‘management override’ means:

Overruling prescribed policies or procedures for illegitimate purposes with the intent of personal gain or enhanced presentation of an entity’s financial condition or compliance status.

Management might override the control system for many reasons: to increase reported revenue, to boost the market value of the entity prior to sale, to meet sales or earnings projections, to bolster bonus payouts tied to performance, to conceal violations of debt covenant agreements, or to hide lack of compliance with legal requirements. Override practices include deliberate misrepresentations to bankers, lawyers, accountants, and vendors, and intentionally issuing false documents such as sales invoices.

An active, involved board of directors can significantly reduce the risk of management override.


Management override is different from management intervention, which is the overruling of prescribed policies or procedures for legitimate purposes. For example, management intervention is usually necessary to deal with nonrecurring and nonstandard transactions or events that otherwise might be handled improperly by the system.

In the space below, assess the risk of management override for this company. You should consider the risk that management override possibilities exist, the risk that management will take advantage of those possibilities, and any evidence that management has engaged in override practices. If the risk of management override is greater than low, indicate how planned audit procedures will reduce this risk to an acceptable level.

___________________________________________________________________________

___________________________________________________________________________

___________________________________________________________________________

___________________________________________________________________________

Part 4. Interpret Results

You should consider the collective effect of the strengths and weaknesses in the various control components. Management’s strengths and weaknesses may have a pervasive effect on internal control. For example, management controls may mitigate a lack of segregation of duties. However, human resource policies and practices directed toward hiring competent financial and accounting personnel may not mitigate a strong bias by management to overstate earnings.

1. Areas That May Allow for Control Risk to Be Assessed Below the Maximum

Based on the completion of Parts 1 through 3 of this form you may have become aware of certain accounts, transactions, and assertions where it may be possible and efficient to plan a control risk assessment below the maximum. In the area below, document those accounts, transactions, and assertions and the related tests of controls.

Accounts, Transactions, and Assertions          Test of Controls Working Paper Reference

________________________________ ______________________

________________________________ ______________________

________________________________ ______________________


2. Areas of Possible Control Weakness

Based on the completion of Parts 1 through 3 of this form, you may have become aware of certain areas that may indicate possible control weaknesses, not including those relating to segregation of duties and management override, which were assessed and documented in Part 3.

In the space provided below, document those areas of possible weakness and the impact the identified weakness will have on the audit. Discuss:

• The nature of the identified possible weakness

• Any mitigating factors or controls, such as direct management oversight

• The risk that material misstatements might occur as a result of the weakness and the type of those misstatements

• How substantive procedures will be designed to reduce the risk of those misstatements to an acceptable level.

___________________________________________________________________________

___________________________________________________________________________

___________________________________________________________________________

___________________________________________________________________________

___________________________________________________________________________

___________________________________________________________________________


Appendix D: Computer Applications

Checklist − Medium to Large Business

This questionnaire may be used to document your understanding of the way computers are used in

the information and communication systems of a medium to large business.

Computer Hardware

Describe the computer hardware for the entity, and its configuration. Consider:

• The make and model of company’s main processing computer(s)

• Input and output devices

• Storage means and capabilities

• Local area networks

• Stand-alone microcomputers

You may wish to attach a separate page to this checklist to document the entity’s computer hardware.

___________________________________________________________________________

___________________________________________________________________________

___________________________________________________________________________

___________________________________________________________________________

Computer Software

Describe the entity’s main software packages and whether they are unmodified, commercially

available packages, or were developed or modified in-house. (End-user computing applications will be

considered only for significant account balances and transaction cycles. See the Financial Reporting

Information Systems and Control Checklist— Medium to Large Business.)

• Operating system

• Access control

• General accounting

• Database management

• Utilities

• Network

• Communications

• Other


Computer Control Environment

In the space provided below, indicate whether you strongly agree, somewhat agree, somewhat

disagree, or strongly disagree with the following statements. Use a rating scale of 1-5, where: 5 =

strongly agree, 4 = somewhat agree, 3 = somewhat disagree, 2 = strongly disagree, and 1 = no opinion.

The answers should be based on:

• The previous experience with the entity

• Inquiries of appropriate management, supervisory, and staff personnel

• Inspection of documents and records

• Observation of the entity’s activities and operations

This questionnaire may be used to document an auditor’s understanding of the way computers are

used in the information and communication systems of a medium to large business.

Acquisition of Hardware (enter a rating for each statement)

1. The company has a coherent management plan for the purchase and continued investment in computer hardware.

2. The computer hardware is sufficient to meet the company’s needs.

3. The company’s computer hardware is safely and properly installed.

4. The company has standard, regular hardware maintenance procedures.

Acquisition of Software

5. The company has a coherent management plan for the purchase of and continued investment in computer software.

6. The company researches software products to determine whether they meet the needs of the intended users.

7. The company’s application programs are compatible with each other.

8. The company obtains recognized software from reputable sources.

9. Company policy prohibits the use of unauthorized programs introduced by employees.

10. Company policy prohibits the downloading of untested software from sources such as dial-up bulletin boards.

11. The company uses virus protection software to screen for virus infections.

Program Development

12. Users are involved in the design and approval of systems.


13. Users review the completion of various phases of the application.

14. New programs are thoroughly tested.

15. Users are involved in the review of tests of the program.

16. Adequate procedures exist to transfer programs from development to production libraries.

Program Changes

17. Users are involved in the design and approval of program changes.

18. Program changes are thoroughly tested.

19. Users are involved in the review of tests of the program changes.

20. Adequate procedures exist to transfer changed programs from development to production libraries.

Logical Access

21. Management has identified confidential and sensitive data for which access should be restricted.

22. Procedures are in place to restrict access to confidential and sensitive data.

23. Procedures are in place to reduce the risk of unauthorized transactions being entered into processing.

24. The use of utility programs is controlled or monitored carefully.

25. Procedures are in place to detect unauthorized changes to programs supporting the financial statements.

26. Programmer access to production programs, live data files, and job control language is controlled.

27. Operator access to source code and individual elements of data files is controlled.

28. Users have access only to defined programs and data files.

Physical Security

29. The company has established procedures for the periodic back-up of files.

30. Back-up procedures include multiple generations.

31. Back-up files are stored in a secure, off-site location.

32. Physical access devices (i.e., card-key or combination lock systems) are used to restrict entrance to the computer room.

33. Terminated or transferred employees’ access codes to the computer room are cancelled in a timely manner.

Computer Operations

34. Operations management reviews lists of regular and unscheduled batch jobs.


35. Job control instruction sets are menu-driven.

36. Jobs are executed only from the operator’s terminal.

Outside Computer Service Organizations

This section should be used to document your understanding of how the company uses an outside

computer service organization to process significant accounting information. Guidance on auditing

entities that use computer service organizations is contained in AU section 324, Service Organizations.

1. List the name of the service organization and the general types of services it provides.

____________________________________________________________________

____________________________________________________________________

2. Are the general ledger and other primary accounting records processed by an outside service

organization? Yes No

If yes, describe the source documents provided to the service organization, the reports and

other documentation received from the organization, and the controls maintained by the user

over input and output to prevent or detect material misstatement.

____________________________________________________________________

____________________________________________________________________

3. List the type and date of the most recent service auditor report.

____________________________________________________________________

____________________________________________________________________


Glossary

Application Controls Controls that are incorporated directly into computer applications for the

purposes of validity, completeness, accuracy, and confidentiality of transactions and data during

application processing; application controls include controls over input, processing, output, master

file, interface, and data management system controls.

Auditing A systematic process of objectively obtaining and evaluating evidence regarding assertions

about economic actions and events to ascertain the degree of correspondence between those

assertions and established criteria and communicating the results to interested users.

Control Activities The policies, procedures, techniques, and mechanisms that enforce management’s

directives to achieve the entity’s objectives and address related risks.

Control Objective The aim or purpose of specified controls; control objectives address the risks related

to achieving an entity’s objectives.

Data Mining A tool under which the data in a data warehouse are processed to identify key factors

and trends in historical patterns of business activity.

Deficiency When the design, implementation, or operation of a control does not allow management

or personnel, in the normal course of performing their assigned functions, to achieve control

objectives and address related risks.

Detective Control An activity that is designed to discover when an entity is not achieving an objective

or addressing a risk before the entity’s operation has concluded and corrects the actions so that the

entity achieves the objective or addresses the risk.

Entity-level Control Controls that have a pervasive effect on an entity’s internal control system; entity-

level controls may include controls related to the entity’s risk assessment process, control

environment, service organizations, management override, and monitoring.

Error Refers to unintentional misstatements or omissions of financial statement amounts or

disclosures—for example, misinterpretation, mistakes, and use of incorrect accounting estimates.

Fraud, on the other hand, refers to acts that are intentional.

External Audit An audit performed by an auditor engaged in public practice leading to the expression

of a professional opinion which lends credibility to the assertion under examination.

Forensic Accounting A science (i.e., a department of systemized knowledge) dealing with the

application of accounting facts gathered through auditing methods and procedures to resolve legal

problems.


Forensic Accountant An integral part of the legal team, helping to substantiate allegations, analyze

facts, dispute claims, and develop motives.

Forensic Audit An examination of evidence regarding an assertion to determine its correspondence to

established criteria carried out in a manner suitable to the court. An example would be a forensic audit

of sales records to determine the quantum of rent owing under a lease agreement, which is the subject

of litigation.

Forensic Investigation The utilization of specialized investigative skills in carrying out an inquiry

conducted in such a manner that the outcome will have application to a court of law. A forensic

investigation may be grounded in accounting, medicine, engineering or some other discipline.

Fraud In contrast to error, an illegal act (a crime) committed intentionally.

General Controls The policies and procedures that apply to all or a large segment of an entity’s

information systems; general controls include security management, logical and physical access,

configuration management, segregation of duties, and contingency planning.

Green Book The commonly used name for Standards for Internal Control in the Federal Government.

Internal Audit An audit performed by an employee who examines operational evidence to determine

whether prescribed operating procedures have been followed.

Internal Control A process effected by an entity’s oversight body, management, and other personnel

that provides reasonable assurance that the objectives of an entity will be achieved.

Internal Control System An internal control system is a continuous built-in component of operations,

effected by people, that provides reasonable assurance, not absolute assurance, that an entity’s

objectives will be achieved.

Preventive Control An activity that is designed to prevent an entity from failing to achieve an objective

or addressing a risk.

Public Company Accounting Oversight Board (PCAOB) (www.pcaobus.com) Established in 2002 as a

result of the Sarbanes-Oxley Act, a private sector, non-profit corporation set up to oversee the audits

of public companies and ensure that accountancy firms should no longer derive non-audit revenue

streams, such as consultancy, from their audit clients.

Reasonable Assurance A high degree of confidence, but not absolute confidence.

Sarbanes-Oxley (SOX) Act Wide-ranging U.S. corporate reform legislation, coauthored by the

Democrat in charge of the Senate Banking Committee, Paul Sarbanes, and Republican Congressman

Michael Oxley. It is legislation to ensure internal controls or rules to govern the creation and

documentation of corporate information in financial statements. It establishes new standards for

corporate accountability and penalties for corporate wrongdoing.


Segregation of Duties The separation of the authority, custody, and accounting of an operation.

The Association of Certified Fraud Examiners (CFEs) Established in 1988, the 25,000-member

professional organization dedicated to educating qualified individuals (Certified Fraud Examiners),

who are trained in the highly specialized aspects of detecting, investigating, and deterring fraud and

white-collar crime. Each member of the Association designated a Certified Fraud Examiner (CFE) has

earned certification after an extensive application process and upon passing the uniform CFE

Examination.

Transaction Control Activities Actions built directly into operational processes to support the entity

in achieving its objectives and addressing related risks.


Index

2013 COSO framework, 17, 49

Asset Misappropriation, 143

Control Activities, 21, 22

Control Environment, 20

Data mining, 177

Detective controls, 26

Fraud Triangle, 135

Green Book, 49

ICFR, 86

Information and Communication, 22

Monitoring Activities, 22

Preventive controls, 25

Public Company Accounting Oversight Board (PCAOB), 213

Risk Assessment, 21, 44

SAS 130, 86

SEC, 45, 48

Segregation of duties, 62


Review Question Answers

Part I − Section 1 Review Questions

1. Internal controls are critical. However, they cannot be designed to provide reasonable assurance

in which of the following scenarios?

A. Incorrect. Internal control forms and other internal control procedures can be devised to make

sure that transactions are executed in accordance with management's authorization.

B. Correct. Internal control can provide reasonable assurance that certain management

objectives implicit in internal control are achieved. Such objectives include the other answer

choices. Internal control can also provide reasonable assurance that transactions are

recorded as necessary to permit preparation of financial statements in conformity with U.S.

GAAP or any other applicable criteria and to maintain accountability for assets. Because of

inherent limitations, however, internal control cannot be designed to eliminate all fraud.

C. Incorrect. Authorization forms can be designed to ensure limited access to assets. There are

two types of authorization to be considered: general authorization and specific authorization.

D. Incorrect. The internal control checklist can be developed to assure that recorded

accountability for assets is compared with the existing assets at reasonable intervals.

2. Which of the following components of internal control includes an assignment of authority and

responsibility?

A. Incorrect. Monitoring assesses the quality of internal control over time.

B. Correct. The control environment sets the tone of an organization. It includes human

resource policies and practices relative to hiring, orientation, training, evaluating,

counseling, promoting, compensating, and remedial actions. Assignment of authority and

responsibility should be considered when assessing the control environment.

C. Incorrect. Risk assessment is the identification and analysis of relevant risks.

D. Incorrect. Control activities are the policies and procedures that help ensure that management

directives are carried out. They include performance reviews, information processing, physical

controls, and segregation of duties.

3. Which of the following components of internal control includes the development and use of

training policies that communicate prospective roles and responsibilities to employees?

A. Incorrect. Monitoring assesses the quality of internal control over time.


B. Correct. The control environment sets the tone of an organization. It includes human

resource policies and practices relative to hiring, orientation, training, evaluating,

counseling, promoting, compensating, and remedial actions.

C. Incorrect. Risk assessment is the identification and analysis of relevant risks.

D. Incorrect. Control activities are the policies and procedures that help ensure that management

directives are carried out. They include performance reviews, information processing, physical

controls, and segregation of duties.

4. Proper segregation of duties will reduce the opportunities which allow persons to be in positions

to both ____________

A. Incorrect. Accountants typically journalize entries and prepare financial statements.

B. Incorrect. Accountants may record both cash receipts and cash disbursements as long as they

do not have custody of cash.

C. Incorrect. Management establishes internal control and ultimately has the responsibility to

authorize transactions.

D. Correct. Segregation of duties is a category of the control activities component of internal

control. Segregating responsibilities for authorization, recording, and asset custody reduces

an employee's opportunity to perpetrate an error or fraud and subsequently conceal it in

the normal course of his/her duties.

5. Effective internal control calls for the separation of certain functions. Which of the following

functions should be separated?

A. Incorrect. Payment is a form of execution (operational responsibility).

B. Correct. One person should not be responsible for all phases of a transaction, i.e., for

authorization of transactions, recording of transactions, and custodianship of the related

assets. These duties should be performed by separate individuals to reduce the

opportunities to allow any person to be in a position both to perpetrate and conceal errors

or fraud in the normal course of his/her duties.

C. Incorrect. Custody of assets and execution of related transactions are often not segregated.

D. Incorrect. Payments must be recorded when made. These two functions are not separable.

6. What is a basic premise underlying analytical procedures?

A. Incorrect. For some assertions, analytical procedures alone may provide the auditor with the

level of assurance (s)he desires.

B. Incorrect. Analytical procedures, such as simple comparisons, do not necessarily require

statistical testing.


C. Incorrect. The objective of analytical procedures, such as ratio analysis, is to identify significant

differences for evaluation and possible investigation.

D. Correct. A basic premise underlying the application of analytical procedures is that plausible

relationships among data may reasonably be expected to exist and continue in the absence

of known conditions to the contrary. Variability in these relationships can be explained by,

for example, unusual events or transactions, business or accounting changes,

misstatements, or random fluctuations.

Part I − Section 2 Review Questions

7. Which of the following is an example of a detective control?

A. Incorrect. Fraud awareness training will help employees identify fraudulent situations before

they happen.

B. Correct. Surprise audits are detective controls that help eliminate the chance of a

cover-up during a fraud or mismanagement investigation.

C. Incorrect. Background checks help to identify potential employees with questionable

employment histories.

D. Incorrect. Data matching ensures that the data is correct based on inputs and outputs.

8. Which of the following is a common control design deficiency among small entities?

A. Incorrect. Manual controls describe a type of control and are more prevalent in small

businesses than automated controls. They are not necessarily considered a design deficiency

for small entities.

B. Incorrect. Preventive controls describe a type of control and are not a control design

deficiency.

C. Correct. Lack of segregation of duties is common with small business as they lack the

resources to properly segregate roles to prevent/reduce opportunities for fraud.

D. Incorrect. Detective controls describe a type of control and tend to be used to offset the lack

of segregation of duties most small businesses experience.

Part II − Section 1 Review Questions

9. According to the Sarbanes-Oxley Act, public accounting firms are allowed to provide which of the

following non-audit services to their clients?


A. Correct. A registered CPA firm may engage in any non-audit service, such as tax services, but

the activity must be approved in advance by the audit committee.

B. Incorrect. The SOX Act prohibits most “consulting” services outside the scope of practice of

auditors, including internal audit outsourcing services. Such services are prohibited even if

pre-approved by the client’s audit committee.

C. Incorrect. Most consulting services such as investment banking or advisory service outside the

scope of practice of auditor are not allowed by the SOX Act.

D. Incorrect. Management or human resources services are also banned by the SOX Act.

10. The Sarbanes-Oxley Act imposes all of the following provisions EXCEPT?

A. Incorrect. The SOX Act created a new 25-year felony for defrauding shareholders of publicly

traded companies. This measure is a broad, generalized provision that criminalizes the

knowing execution or attempted execution of any scheme or artifice to defraud persons in

connection with securities of publicly traded companies or to obtain their money or property

in connection with the purchase or sale of such securities.

B. Incorrect. The SOX Act requires that each member of the audit committee, including at least

one who is a financial expert, be an independent member of the issuer’s board of directors.

C. Correct. It is management’s responsibility to ensure the organization is in compliance with

the requirements of the SOX Act. Specifically, management is responsible for designing and

implementing the system of ICFR, for evaluating the effectiveness of ICFR with sufficient

evidence, and for issuing an internal control report on that assessment. The company’s

auditors cannot assume responsibility for the financial statements.

D. Incorrect. Under SOX Section 406, the SEC is mandated to issue rules adopting a code of ethics

for senior financial officers.

11. The AICPA and the PCAOB accept which of the following frameworks as suitable criteria for

auditors to provide an independent assessment of an entity’s ICFR?

A. Correct. The AICPA expressly accepts 2013 COSO framework as suitable and available criteria

for management to use to develop, maintain, and report on the effectiveness of its internal

controls over financial reporting, and for auditors to provide an independent assessment of

the same. The PCAOB also accepts the 2013 COSO framework for use in integrated audits of

SEC registrants. This framework is widely accepted and used by SEC registrants and

accounting firms.

B. Incorrect. The Green Book is adopted by state, local, and quasi-governmental entities, as well

as not-for-profit organizations, as a framework for an internal control system.


C. Incorrect. Generally Accepted Government Auditing Standards provide the foundation for

government auditors to lead by example in the areas of independence, transparency,

accountability, and quality through the audit process.

D. Incorrect. US GAAP pertains to generally accepted accounting principles in the U.S., criteria for

accounting and financial reporting.

12. Which of the following statements best describes entity-level controls?

A. Incorrect. Actions built directly into operational processes to support the entity in achieving

its objectives and addressing related risks are transaction level controls.

B. Correct. Controls that have a pervasive effect on an entity’s internal control system and may

pertain to multiple components such as risk assessment process and control monitoring

activities are entity-level controls. Entity-level controls include controls in place to provide

assurance that appropriate controls exist.

C. Incorrect. Controls over transaction processing within an information system are transaction

level controls and, more specifically, application controls over processing of information.

D. Incorrect. Controls over the input of data into computer software systems are transaction level

controls, and, more specifically, application controls over input of data into information

systems.

Part II − Section 2 Review Questions

13. What is the process maturity level for the company’s internal control over financial reporting if

the chain of accountability is established and the process risks are managed quantitatively?

A. Incorrect. The characteristics of defined process include policies, process and standards

defined and “chain of certification” instead of chain of accountability.

B. Incorrect. The characteristics of an optimizing process included best practices identified and

shared, world-class financial reporting processes and organized efforts to remove inefficiency.

C. Incorrect. At the repeatable level, basic policies and control processes are established. Process

activities are repeating but not necessarily documented. Chain of accountability is not

necessarily formalized.

D. Correct. At the managed level, a company’s process risks are managed quantitatively and

aggregated at the corporate level. In addition, process-based self-assessments are applied to

enforce the chain of accountability.


14. What type of control is often used by operatives where formal controls are inadequate in

containing risk or are not used in practice?

A. Incorrect. Directive control provides guidance to employees to help achieve the desired

objectives of the department.

B. Incorrect. Corrective control identifies the flaws in the process and determines the actions to

be taken to correct the problems.

C. Incorrect. Entity-level control has a pervasive effect on an entity’s internal control system;

entity-level controls may include controls related to the entity’s risk assessment process,

control environment, service organizations, management override, and monitoring.

D. Correct. Compensating control serves to accomplish the objective of another control that

did not function properly, helping to reduce risk to an acceptable level.

15. Which of the following statements is TRUE regarding management’s documentation of internal

controls?

A. Incorrect. The documentation supporting management’s assessment does not need to include

the entire population of controls that exists within a process that impacts financial reporting.

The documentation should be focused on those controls that management concludes are

adequate to address the identified financial reporting risks.

B. Incorrect. Management’s documentation may take various forms, for example, entity policy

manuals, accounting manuals, narrative memoranda, flowcharts, decision tables, procedural

write-ups, or completed questionnaires. The level and nature of documentation vary based on

the size, nature and the complexity of the company.

C. Correct. Documentation of controls, including changes to controls, is evidence that controls

are identified, capable of being communicated to those responsible for their performance,

and capable of being monitored and evaluated by the entity. Thus, control documentation

serves as a basis for management’s assessment about ICFR.

D. Incorrect. According to the SEC, evidential matter, including documentation, must support the

assessment of both the design of internal controls and the testing processes. Such evidential

matter should provide reasonable support, not definite support: 1) for the evaluation of

whether the control is designed to prevent or detect material misstatements or omissions; 2)

for the conclusion that the tests were appropriately planned and performed; and 3) that the

results of the tests were appropriately considered.


Part III − Section 1 Review Questions

16. In an audit of financial statements, what is an auditor's primary consideration regarding internal

control?

A. Incorrect. Management's philosophy and operating style is just one factor in the control

environment of internal control.

B. Correct. An auditor's primary concern is whether a specific control affects financial

statement assertions. Much of the audit work required to form an opinion consists of

gathering evidence about the assertions in the financial statements. These assertions are

management representations embodied in the components of the financial statements.

Controls relevant to an audit are individually or in combination likely to prevent or detect

material misstatements in financial statement assertions.

C. Incorrect. Restricting access to assets is only one of many physical controls which constitute

the control activities of internal control.

D. Incorrect. Many controls concerning management's decision-making process are not relevant

to an audit. Decision-making is one of the key managerial functions not subject to an audit.

17. SAS 130 applies to which of the following type of audits?

A. Incorrect. A forensic examination is a special purpose audit with a focus on a known or

suspected act of fraud rather than a general focus on reporting on ICFR.

B. Correct. An integrated audit has a focus on reporting on ICFR and reporting on the financial

statements taken as a whole.

C. Incorrect. Agreed upon procedures for compliance do not have a focus on reporting on ICFR.

They consist of auditors performing specific procedures on the subject matter.

D. Incorrect. A performance audit does not have a focus on reporting on ICFR. It provides findings

or conclusions based on an evaluation of sufficient, appropriate evidence against criteria.

18. To obtain an understanding of a manufacturing entity's internal control concerning inventory

balances, what would an auditor most likely do?

A. Correct. The auditor should obtain a sufficient understanding of the internal control units or

areas to plan the audit, including knowledge about the design of relevant controls and

whether they have been placed in operation. Reviewing the entity's descriptions of

inventory policies and procedures helps the auditor understand their design.

B. Incorrect. Performing test counts of inventory is a test of details (a substantive test).


C. Incorrect. Analysis of inventory turnover statistics is an analytical procedure performed as a

substantive test.

D. Incorrect. Analysis of monthly production reports to identify variances and unusual

transactions is an analytical tool, not a primary step at the initial stage of the audit.

Part III − Section 2 Review Questions

19. When obtaining an understanding of an entity's control environment, why should an auditor

concentrate on the substance of controls rather than their form?

A. Incorrect. The appropriateness of particular controls is not the main focus at this stage of the

audit. The control environment, which is the foundation for the other components of internal

control, provides discipline and structure by setting the tone of an organization and influencing

control consciousness.

B. Incorrect. Whether the board is aware of management's attitude is not relevant to whether

management's actions are consistent with the established controls.

C. Correct. In obtaining an understanding of the control environment, the auditor seeks to

understand the attitude, awareness, and actions concerning the control environment on the

part of management and the directors. For this purpose, the auditor must concentrate on

the substance of controls rather than their form because controls may be established but

not acted upon. For example, management may adopt a code of ethics but condone

violations of the code.

D. Incorrect. The effectiveness of particular controls is not the primary emphasis at this stage of

the audit. The control environment includes human resource policies and practices relative to

hiring, orientation, training, evaluating, counseling, promoting, compensating, and remedial

actions.

20. Which of the following approaches is required by both the PCAOB and the AICPA in determining

the scope of testing for financial audits?

A. Incorrect. Adopting a methodical approach involves performing audit procedures in a

systematic way. However, it is not the mandated approach to determining the scope of testing

for financial audits.

B. Incorrect. Although the standards may imply an inclusive approach, with all team members participating in the decision, such an approach is not required by the PCAOB or the AICPA.

C. Correct. The effectiveness of a risk-based audit depends on whether the auditor identifies

the risks of material misstatement and has an appropriate basis for assessing those risks.


Therefore, both the PCAOB and the AICPA require the auditor to assess the risks of material

misstatement at the financial statement level and the assertion level. The assessment

enhances the effectiveness of audit procedures by helping the auditor determine the

scope of testing.

D. Incorrect. Neither the PCAOB nor the AICPA requires all team members to vote on the scope

of testing.

21. Which of the following factors is most important concerning an auditor's responsibility to detect

errors and fraud?

A. Incorrect. The susceptibility of the accounting records to fraud is but one of the many factors

that must be considered in the risk assessment. Many internal and external events and

circumstances may be relevant to the risk of preparing financial statements that are not in

conformity with United States GAAP (or another comprehensive basis of accounting).

B. Incorrect. Unreasonable accounting estimates may result from unintentional bias or

intentional attempts to misstate the financial statements. But there are numerous internal

and external events and circumstances that need to be considered.

C. Incorrect. The auditor should always recognize the possibility that management fraud,

defalcations, and the misappropriation of assets may indicate the existence of illegal acts. This

is only one of the many factors that must be considered in the risk assessment, such as the

possibility of executed transactions that remain unrecorded.

D. Correct. An auditor should assess the risk that errors and fraud may cause the financial

statements to contain material misstatements. (S)he should then design the audit so as to

provide reasonable assurance that material errors and fraud are detected.

22. An auditor tests an entity's policy of obtaining credit approval before shipping goods to customers

in support of which of the following management's financial statement assertions?

A. Correct. The proper approval of credit provides assurance that the account receivable is

collectible; thus, it is related to the valuation assertion that accounts receivable are recorded

at net realizable value.

B. Incorrect. Completeness concerns whether all transactions and accounts have been

represented.

C. Incorrect. Existence or occurrence concerns whether assets or liabilities exist and whether

recorded transactions have occurred.

D. Incorrect. Rights and obligations assertions relate to whether assets are the rights of the entity

and obligations are liabilities of the entity at a given date.


23. What is the type of opinion the auditor will render on management's assessment if the auditor

disagrees with management about whether a material weakness exists?

A. Correct. If the auditor concludes a material weakness exists but management does not, the

auditor will render an adverse opinion on management's assessment. The PCAOB has also

stated that it expects disclosure sufficient to allow users to understand the weakness and

its actual and potential implications on the financial statements.

B. Incorrect. A departure from GAAP may justify a qualified opinion. Management may not

express a qualified conclusion, such as stating that internal control is effective except to the

extent certain problems have been identified.

C. Incorrect. A disclaimer of opinion is a report stating that because of restrictions on the scope

of the auditor's work, the auditor is unable to, and does not, express an opinion on

management's assessment or on the effectiveness of internal control over financial reporting.

D. Incorrect. An unqualified opinion takes one of two forms: (1) an opinion that management's assessment is fairly stated in all material respects, together with an opinion that internal control over financial reporting is effective in all material respects as of the assessment date; or (2) an opinion that management's assessment (that internal control over financial reporting is not effective) is fairly stated in all material respects, together with an opinion that internal control over financial reporting is ineffective because of one or more material weaknesses.

Part IV − Section 1 Review Questions

24. Which of the following is considered to be a fraud risk factor?

A. Incorrect. Opportunity is a risk factor but the lack of opportunity would reduce the risk.

B. Correct. Incentive is considered to be a risk factor. Pressure is also considered to be a risk

factor.

C. Incorrect. While financial stability may be a motive to commit fraud, it is not a risk factor.

D. Incorrect. Prosecuting employees who commit fraud may be a deterrent, but it is not a risk

factor.

25. An employee who made a false claim for reimbursement of inflated business expenses believes

that his behavior was harmless because the financial loss to the agency was immaterial. Which of

the fraud triangle elements best explains his action?


A. Incorrect. Opportunity is the ability to commit fraud or to conceal it. Examples of opportunity include weak internal control, poor supervision, and lack of training. None of these situations is identified in this case.

B. Incorrect. Capability has six common traits: functional authority within the organization, sufficient intelligence to exploit a situation, a strong ego, coercive skills, effective lying, and a high tolerance for stress. None of these traits is present in this case.

C. Correct. Rationalization is the ability for a person to justify a fraud which involves a person

reconciling his/her behavior, such as stealing, with some common excuses. In this case, the

employee justified stealing by using the excuse that the financial loss was minimal to the

agency so that his action was harmless.

D. Incorrect. Pressure indicates a need that an individual attempts to satisfy by committing fraud,

such as living beyond one’s means, high personal debt, and peer pressure. None of these

factors are identified in this case.

26. Which of the following would be an example of self-dealing by corporate insiders?

A. Correct. Insider trading is an example of self-dealing by corporate insiders. The Martha Stewart case is the familiar illustration: her 2001 sale of ImClone shares was investigated as insider trading, although her 2004 conviction was for obstruction of justice and false statements about those trades rather than for insider trading itself.

B. Incorrect. Understating/concealing liabilities and losses is an example of falsification of

corporate financial information. This is most often done to report inflated profits.

C. Incorrect. Falsification of net asset values would be an example of fraud in connection with an

otherwise legitimately-operated mutual or hedge fund.

D. Incorrect. Late trading is an example of fraud in connection with an otherwise legitimately-

operated mutual or hedge fund.

27. Which of the following is a category of fraud consisting of extortion, conflict of interest, and

bribery?

A. Incorrect. False claims usually pertain to Social Security, defense contractors, healthcare

company fraud, or other instances in which a company or individual attempts to be paid by

the government for an invalid reason.

B. Correct. Corruption is a scheme in which an employee misuses his or her influence in a business transaction, in violation of his or her duty to the employer, to gain a direct or indirect benefit. Such schemes include extortion, conflicts of interest, and bribery.

C. Incorrect. Financial statement fraud is a scheme in which an employee intentionally causes a

misstatement or omission of material information in the entity’s financial reports, such as

fictitious revenues, understating reported expense, or artificially inflated reported assets.


D. Incorrect. A payroll scheme is a fraudulent disbursement scheme in which an employee causes his or her employer to issue a payment by making false claims for compensation.

28. According to ACFE Report to the Nations, which of the following types of fraud occurs most often?

A. Incorrect. Based on the Report to the Nations, financial statement fraud accounts for only about 10% of the cases studied, although it produces the largest median loss.

B. Correct. Based on the Report to the Nations, asset misappropriation occurs in about 86% of the cases studied.

C. Incorrect. Corporate fraud obstruction of justice schemes are designed to conceal the

previously noted criminal conduct (accounting fraud and self-dealing schemes), particularly

when that obstruction impedes the regulatory inquiries of the SEC or other regulatory bodies.

D. Incorrect. Those that commit corporate fraud by utilizing self-dealing by corporate insider type

schemes typically do so because they forget that even though they are executives of the

corporation, the corporation does not belong to them.

29. According to ACFE Report to the Nations, which of the following industries has the greatest number

of fraud cases?

A. Incorrect. Although technology has a higher median loss ($150,000) than banking and financial services ($100,000), it has far fewer cases (66) than banking and financial services (386).

B. Incorrect. Services (professional) is one of the industries that has the lowest number of fraud

cases.

C. Correct. Banking and financial services has the greatest number of cases in the ACFE report: 386 of the 2,504 cases of occupational fraud analyzed.

D. Incorrect. Retail has 91 of total 2,504 cases according to the ACFE report.

30. Most business owners associate fraud with misappropriation of cash. What is another form of

fraud?

A. Incorrect. Litigation support and pre-employment screening are investigative services offered

by forensic accountants.

B. Incorrect. Business valuations are not a fraudulent activity. Their goal is to determine the current value of a business for various personal or legal matters.


C. Incorrect. Economic losses and information losses that are due to economic downturns are

unforeseeable events and not necessarily the result of misappropriations or fraudulent

activities.

D. Correct. Inventory theft is a form of asset misappropriation: employees intentionally take inventory or other assets from their employer, typically concealing the theft through collusion, falsified records and documents, and a number of other fraudulent schemes.

Part IV − Section 2 Review Questions

31. When a forensic accountant investigates an activity such as purchasing/kickback schemes,

computer fraud, labor fraud, or falsification of inventory, what activity is he/she performing?

A. Incorrect. A forensic accountant who helps to establish lost earnings by gathering and analyzing a variety of information and then issuing a report based on that analysis is evaluating a personal injury or fatal accident claim.

B. Incorrect. A forensic accountant who helps to determine whether professional ethics or other standards of professional practice have been breached is engaged in evaluating professional negligence.

C. Incorrect. A forensic accountant retained to assist with alternative dispute resolution, acting as a mediator or arbitrator so that a dispute is resolved in a timely manner and with a minimum of disruption, is engaged in arbitration.

D. Correct. The type of investigation by a forensic accountant that often involves fund tracing,

asset identification, and recovery on behalf of police forces is termed a fraud and white-

collar crime investigation.

32. Which of the following statements is TRUE for a fraud examination?

A. Incorrect. Fraud examinations are non-recurring; audits are conducted on a recurring basis.

B. Incorrect. Fraud examinations are specific in scope; auditing of financial data is general in

scope.

C. Correct. Fraud examinations are adversarial in order to affix the blame; audits are non-

adversarial in nature.

D. Incorrect. Auditing standards attempt to approach audits with professional skepticism. Fraud

examiners attempt to establish sufficient proof to support or refute a fraud allegation.


33. How is auditing different than fraud examination?

A. Incorrect. In an audit, the scope is a general examination of financial data.

B. Incorrect. Audits are generally conducted for the purpose of expressing an opinion on the

financial statements or related information.

C. Correct. Fraud examinations are nonrecurring. They are only conducted with sufficient

predication. Audits are conducted on a recurring basis.

D. Incorrect. Audits are conducted by examining inside financial data and obtaining corroborating

evidence.

34. Which of the following tools helps link seemingly unrelated pieces of evidence?

A. Incorrect. A network sniffer (hardware) allows the investigator to "recreate" the crime by keeping a record of packet sessions across networks; it captures evidence rather than linking it.

B. Incorrect. Portable disk duplicator and/or duplication software preserves the original crime

scene by allowing investigators to copy hard drives in the field and the lab for later analysis.

C. Correct. One of the greatest challenges that many organizations face in managing fraud

revolves around control over the sheer volume of incidents and volume of data. Case

management software assists fraud examiners in linking seemingly unrelated pieces of

evidence.

D. Incorrect. Chain-of-custody documentation hardware videotapes every mouse click of the investigative process to make court testimony more credible; it documents how the evidence was handled rather than linking items of evidence to one another.
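The point behind option B, preserve the original and work only on a verified copy, is easy to state but worth seeing as a procedure. The following is an added example and not part of the course text: a small Python script that images a constructed "evidence" file, hashes the bytes as they are read, and then checks that the source, the bytes read, and the written image all carry the same SHA-256, which is the record an examiner needs to show that the acquisition changed nothing and that the image is exact. It then tampers with the image to show the check failing. The case number, item number, examiner name, file paths and field names are made up; a hardware write blocker in front of the real drive is assumed and not modeled.

```python
"""Forensic imaging with hash verification (added example, not course material).

Models what a disk duplicator does: read the evidence source once, write a
bit-for-bit image, and prove with hashes that (a) the image equals the
source and (b) the source was not altered by the acquisition. A constructed
file stands in for the evidence drive; identifiers and paths are hypothetical.
"""
import hashlib
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # 1 MiB read size, so large images never sit fully in memory


def sha256_file(path):
    """Stream SHA-256 over a file; the digest a forensic imager would record."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def acquire_image(source, image):
    """Copy source to image bit-for-bit, hashing the bytes as they are read.

    Returns the acquisition hash computed from the bytes actually read, so it
    is independent of any later re-hash of the image file on disk.
    """
    h = hashlib.sha256()
    with open(source, "rb") as src, open(image, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            h.update(chunk)
            dst.write(chunk)
    os.chmod(image, 0o444)  # image is read-only; analysis works on copies of it
    return h.hexdigest()


def verify_acquisition(source, image, acquisition_hash):
    """Three-way check: source after imaging, bytes read, and image all agree."""
    return sha256_file(source) == acquisition_hash == sha256_file(image)


def custody_record(case_id, item_id, source, image, acquisition_hash, examiner):
    """Minimal chain-of-custody entry; field names are hypothetical."""
    return {
        "case_id": case_id,
        "item_id": item_id,
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
        "examiner": examiner,
        "source": source,
        "image": image,
        "sha256": acquisition_hash,
        "verified": verify_acquisition(source, image, acquisition_hash),
    }


def demo():
    """Image a constructed 3 MiB 'evidence drive', verify it, then tamper."""
    workdir = tempfile.mkdtemp(prefix="acq-")
    evidence = os.path.join(workdir, "evidence.raw")     # constructed sample
    image = os.path.join(workdir, "evidence-image.raw")  # hypothetical path
    with open(evidence, "wb") as f:
        f.write(b"INVOICE-4471 vendor=ACME amount=12500\n" * 80000)  # constructed
    digest = acquire_image(evidence, image)
    record = custody_record("CASE-2020-017", "HDD-01", evidence, image,
                            digest, "examiner")  # hypothetical identifiers
    # Flip one byte of the image after acquisition: verification must now fail.
    os.chmod(image, 0o644)
    with open(image, "r+b") as f:
        f.seek(0)
        f.write(b"X")
    tampered_ok = verify_acquisition(evidence, image, digest)
    return record, tampered_ok


if __name__ == "__main__":
    rec, tampered_ok = demo()
    print(rec)
    print("after tampering, verification passes:", tampered_ok)
```

The hash is taken from the bytes as they pass through the copy, not from a second read of the source, so a drive that returns different data on a re-read (a failing sector, or a source that was not write-blocked) shows up as a mismatch in the three-way check instead of being silently accepted.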