Posted on 29-Apr-2022

Assessing the Risk of Fraud In a Financial Statement Audit

© Surgent • www.surgentcpe.com

Today’s presenter

Marci Thomas, MHA, CPA, CGMA

Marci Thomas, MHA, CPA, CGMA, licensed as a CPA in Georgia and North Carolina, is an author and nationally recognized speaker on various accounting and auditing topics to companies, nonprofits, CPA firms, and state societies of CPAs around the country. A frequent speaker at local, regional, and national conferences, she also writes and teaches courses in governance, financial management, grants accounting, strategy, and various operational topics. Marci is a clinical assistant professor in the School of Public Health at the University of North Carolina at Chapel Hill. She works with numerous accounting firms, performing quality control and efficiency reviews and with boards on strategic planning, internal control, and governance issues. Marci serves on the Not-for-profit Committee for the North Carolina Association of CPAs.

Marci has written and co-written several books, including Essentials of Physician Practice Management, published by Jossey Bass in 2004. Her book Best of Boards: Sound Governance and Leadership for Nonprofit Organizations was published by the AICPA and Wiley Publishing in 2018 and is on its second printing. Her book on health care financial management was published by Wiley Publishing in 2014, with a new edition expected in 2020.

Marci received her Bachelor in Business Administration with a concentration in accounting from the Georgia State University and her Masters in Health Administration from the University of North Carolina at Chapel Hill.


Course overview

• Chapter 1 - Fraud Landscape in the United States

• Chapter 2 - Characteristics of Fraudsters, Victim Organizations and Common Fraud Schemes

• Chapter 3 - AU-C 240, Fraud Risk Assessment Procedures Including Data Analytics

• Chapter 4 - Communications About Fraud

• Chapter 5 – Internal Controls to Prevent and Detect Fraud

• Chapter 6 – Consideration of Fraud in a Single Audit

• Chapter 7 – Cyber Fraud


Course objectives

1. Understand the breadth and extent of fraud in the United States

2. Understand where and how fraud is likely to occur to better plan inquiries with management and others and identify the risk of fraud

3. Identify risk assessment procedures including data analytics that can be used as fraud risk assessment procedures

4. Be able to implement the risk assessment procedures and document the risk of fraud in a financial statement audit


A quick word on policy vs. politics

• Many times when discussing accounting, tax and financial policy issues, it can be difficult to divorce the politics from the policy

• Today, when discussing the various issues we will encounter over the next several hours, let’s agree to keep our own view of politics out of the application of the policy and focus on doing the very best we can for all our clients

• This goes for religious/faith views as well

Chapter 1: Fraud Landscape in the United States


Learning objectives

• Upon reviewing this chapter, the reader will be able to:

– Understand the breadth and extent of fraud in the U.S.; and

– Identify recent changes in professional literature as it relates to fraud


Fraud in recent times

• In the early 2000s fraud took center stage

• Sarbanes-Oxley Act

– Responsibilities of public company boards of directors

– Adds criminal penalties for misconduct, including retaliation against whistleblowers

– Required the SEC to create regulations on how public companies should comply

• For nonpublic entities, the ASB revised its standard on fraud in the form of SAS 99

• Since that time the ASB has amended the standard through SASs 134, 135, and 136


Fraud in recent times

• Occupational fraud and abuse

• Joseph T. Wells and the ACFE

• Report to the Nations every 2 years

• Cybercrime - significant issue due to the extent of occurrences and magnitude of losses

• Assessing the risk of fraud is a core business issue

• Growing use of technology and increase in e-commerce

• Economic, regulatory, and reputational risk


Fraud in recent times

• The PWC Global Economic Crime and Fraud Survey reports that the share of organizations reporting fraud increased from 36% in 2016 to 49% in 2018

• North America’s rate of increase during the same period was 47% to 54%

• Statistics are probably understated since fraud may not be identified

• Imperfect data

• Loss could be as much as 5% of revenue

• Asset misappropriation, consumer fraud, and cybercrime are the most frequent types of fraud


Fraud in recent times

• Companies are spending more on fraud prevention and detection and will continue to increase spending

• Technology controls and expanded whistleblower programs

• Less than half the entities performed a fraud risk assessment

• Over the past 2 years:

– 54% performed a general risk assessment;

– 46% performed a cyber-attack vulnerability assessment; and

– 33% performed an anti-bribery and corruption assessment

• Other assessments were related to money laundering, anti-trust, and export controls

• Studies performed as part of an audit plan or as part of an Enterprise Risk Management strategy


Addressing the risk of fraud

• Audit literature evolves

• Revised Independent Auditor’s Report (SAS 134)

Auditor’s Responsibilities for the Audit of the Financial Statements

Our objectives are to obtain reasonable assurance about whether the financial statements as a whole are free from material misstatement, whether due to fraud or error, and to issue an auditor's report that includes our opinion. Reasonable assurance is a high level of assurance but is not absolute assurance and therefore is not a guarantee that an audit conducted in accordance with GAAS will always detect a material misstatement when it exists. The risk of not detecting a material misstatement resulting from fraud is higher than for one resulting from error, as fraud may involve collusion, forgery, intentional omissions, misrepresentations, or the override of internal control. Misstatements are considered material if, individually or in the aggregate, they could reasonably be expected to influence the economic decisions of users made on the basis of these financial statements.


Addressing the risk of fraud

Auditor’s Responsibilities for the Audit of the Financial Statements (cont.)

In performing an audit in accordance with GAAS, we:

• Exercise professional judgment and maintain professional skepticism throughout the audit.

• Identify and assess the risks of material misstatement of the financial statements, whether due to fraud or error, and design and perform audit procedures responsive to those risks. Such procedures include examining, on a test basis, evidence regarding the amounts and disclosures in the financial statements.

• Obtain an understanding of internal control relevant to the audit in order to design audit procedures that are appropriate in the circumstances, but not for the purpose of expressing an opinion on the effectiveness of Barnes & Riley's internal control. Accordingly, no such opinion is expressed.

• Evaluate the appropriateness of accounting policies used and the reasonableness of significant accounting estimates made by management, as well as evaluate the overall presentation of the financial statements.

• Conclude whether, in our judgment, there are conditions or events, considered in the aggregate, that raise substantial doubt about Barnes & Riley's ability to continue as a going concern for a reasonable period of time.


Addressing the risk of fraud

Auditor’s Responsibilities for the Audit of the Financial Statements (cont.)

We are required to communicate with those charged with governance regarding, among other matters, the planned scope and timing of the audit, significant audit findings, and certain internal control–related matters that we identified during the audit.


Addressing the risk of fraud

• AU-C 200 discusses overall objectives of the audit

• Identifying and assessing risk that there could be a material misstatement of the financial statements due to fraud or error

• Inherent limitations are higher in the case of misstatements resulting from fraud because of sophisticated schemes designed to conceal it


Addressing the risk of fraud

• Recent changes to professional literature from SAS 135

• Includes additional guidance when dealing with significant unusual transactions and related parties

• Additional procedures required when there are unusual transactions outside the normal course of business:

– Evaluate the rationale and business purpose

– Read the supporting documentation and evaluate whether the terms and other information about the transaction are consistent with explanations from inquiries and other audit evidence

– Determine whether the transaction has been authorized and approved

– Evaluate whether significant unusual transactions identified have been properly accounted for and disclosed


Addressing the risk of fraud

• Additional indicators added related to unusual transactions:

– Transactions that involve previously unidentified related parties or relationships or transactions previously undisclosed

– Transactions involving other parties that do not have the substance or the financial strength to support the transaction without assistance from the entity under audit or any related party of the entity

– Transactions lack commercial or economic substance individually or in the aggregate (for example, a transaction is entered into shortly prior to period end and is unwound shortly after period end)

– Transactions occur with a party that falls outside the definition of a related party with either party able to negotiate terms that may not be available for other, more clearly independent parties on an arm's-length basis

– Transactions exist to enable the entity to achieve certain financial targets
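Two of the indicators above can be screened mechanically against the general ledger before the inquiries begin: a transaction entered shortly before period end and unwound shortly after it, and a counterparty that does not appear in the prior-year vendor/customer master or on the related-party listing. The following is an added example written for this edit; it is not part of the Surgent material or of AU-C 240 itself. The ledger, the period end, the counterparty lists and the 10-day window are constructed assumptions, and the matching rule (same counterparty, same account, equal and opposite amount) is deliberately simple; a production analytic would widen it to near-matches and multi-leg unwinds.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Entry:
    ref: str
    posted: date
    counterparty: str
    account: str
    amount: float  # signed: a negative amount reverses an earlier positive one


# Constructed sample ledger for a 31 Dec 2019 year end (not client data).
PERIOD_END = date(2019, 12, 31)
# Assumed inputs: counterparties carried forward from the prior-year vendor and
# customer master, and the related-party listing obtained from management.
KNOWN_PARTIES = {"Acme Supply", "Globex"}
RELATED_PARTIES = {"Harbor Holdings"}

LEDGER = [
    Entry("JE-1001", date(2019, 12, 28), "Northwind LLC", "Sales", 250_000.0),
    Entry("JE-1002", date(2019, 12, 28), "Northwind LLC", "Accounts receivable", 250_000.0),
    Entry("JE-1017", date(2020, 1, 6), "Northwind LLC", "Sales", -250_000.0),
    Entry("JE-1018", date(2020, 1, 6), "Northwind LLC", "Accounts receivable", -250_000.0),
    Entry("JE-1003", date(2019, 12, 15), "Acme Supply", "Inventory", 40_000.0),
    Entry("JE-1025", date(2020, 2, 20), "Acme Supply", "Inventory", -40_000.0),
    Entry("JE-1004", date(2019, 12, 30), "Globex", "Sales", 90_000.0),
    Entry("JE-1005", date(2019, 12, 30), "Harbor Holdings", "Other income", 35_000.0),
]


def find_round_trips(ledger, period_end, window_days=10):
    """Pair each entry posted within window_days before period_end with an
    equal-and-opposite entry to the same account and counterparty posted
    within window_days after period_end. Each post-period entry is used once."""
    earliest = period_end - timedelta(days=window_days)
    latest = period_end + timedelta(days=window_days)
    pre = [e for e in ledger if earliest <= e.posted <= period_end]
    post = [e for e in ledger if period_end < e.posted <= latest]
    pairs, used = [], set()
    for p in pre:
        for q in post:
            if q.ref in used:
                continue
            if (q.counterparty == p.counterparty and q.account == p.account
                    and abs(p.amount + q.amount) < 0.005):
                pairs.append((p, q))
                used.add(q.ref)
                break
    return pairs


def unfamiliar_counterparties(ledger, known, related):
    """Counterparties that appear in neither the carried-forward master nor the
    related-party listing: candidates for the 'previously unidentified related
    party' inquiry."""
    return sorted({e.counterparty for e in ledger} - known - related)


def unusual_transaction_report(ledger, period_end, known, related, window_days=10):
    """Summarise both screens in a form that can go into the risk assessment workpaper."""
    trips = find_round_trips(ledger, period_end, window_days)
    return {
        "round_trips": [(p.ref, q.ref, p.counterparty, abs(p.amount)) for p, q in trips],
        "unfamiliar_counterparties": unfamiliar_counterparties(ledger, known, related),
        "related_party_entries": sorted(e.ref for e in ledger if e.counterparty in related),
    }


if __name__ == "__main__":
    report = unusual_transaction_report(LEDGER, PERIOD_END, KNOWN_PARTIES, RELATED_PARTIES)
    for key, rows in report.items():
        print(key, rows)
```

On the constructed ledger the Northwind sale booked on 28 December and reversed on 6 January is paired on both its revenue and receivable legs, Northwind itself is flagged as a counterparty nobody has vetted, and the Harbor Holdings entry is listed for the related-party procedures; the Acme reversal in February falls outside the window and is left for ordinary cut-off testing.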


Addressing the risk of fraud

• Auditor should evaluate the financial capability of the other parties related to loan commitments, uncollected balances, etc.


Addressing the risk of fraud – defining fraud

• Broad legal concept

• Distinction between fraud and error is intent

• Intent is sometimes hard to determine

• Legal point of view, there are two types of fraud:

– Fraud committed for personal gain; and

– Fraud committed for corporate motives

• May not involve malicious acts

• Board and management are responsible


Addressing the risk of fraud

• AU-C 240 categorizes fraud into two types:

– Fraudulent financial reporting; and

– Misappropriation of assets

• ACFE adds corruption


• Fraudulent financial reporting – median loss $800,000

• Asset misappropriation – median loss $114,000

• Corruption – median loss $250,000


Addressing the risk of fraud

PWC Study shows significance of the various forms of fraud by industry (chart values from the slides, expressed as percentages)

Consumer Products

– Asset Misappropriation 48%

– Business misconduct 31%

– Cyber Crime 30%

– Bribery and Corruption 28%

– Consumer Fraud 26%

Financial Services

– Consumer Fraud 56%

– Asset Misappropriation 41%

– Cyber Crime 41%

– Business misconduct 31%

– Money Laundering 20%

Professional Services

– Asset Misappropriation 40%

– Accounting Fraud 32%

– Business misconduct 30%

– Procurement Fraud 28%

– Bribery and Corruption 26%

Industrial Products

– Asset Misappropriation 48%

– Bribery and Corruption 29%

– Procurement Fraud 29%

– Business misconduct 26%

– Cyber Crime 26%

Technology

– Asset Misappropriation 43%

– Cyber Crime 39%

– Business misconduct 31%

– Consumer Fraud 26%

– Procurement Fraud 23%

Business Misconduct is referred to as incentive abuse in the PWC study

Cybercrime

• Growing issue for companies, with a high dollar price tag

• Cybercrime is generally divided into 2 categories:

– Crimes that target computers directly (viruses, malware, etc.)

– Online crime that uses networks to commit fraud and identity theft through social engineering and other mechanisms

• Companies experience losses of more than $525 million each year, mostly from malicious code and denial-of-service attacks

• Data breaches can cause significant financial and reputational damage

– Theft of personally identifiable information from employee records and billing information

– Stolen data is used by the attackers themselves or held to prove the breach can be done, e.g. ransomware


Cybercrime

• Many breaches could be prevented by better internal controls

• Even good internal controls do not provide absolute assurance

• Smaller entities (63%) have implemented new technologies without having appropriate data security in place

• Perform a risk assessment

• Consider insurance

• Evaluate firewalls and the spam filtering system

• Perform operating system updates promptly


Cybercrime

• Consider intrusion prevention and detection software

• Manual controls such as changing passwords, training employees, and verifying instructions related to cash payments are important (for example, confirming any request to change payee bank details by calling back on a number already on file, not one supplied in the request)

• Today’s precautions may not be enough to prevent tomorrow’s cyber schemes

• Management and those charged with governance are ultimately responsible


Question for discussion

In your client base, or at your entity if you work in an entity, what type of fraud concerns you?

Chapter 2: Characteristics of Fraudsters, Victim Organizations, and Common Fraud Schemes


Learning objectives

• Upon reviewing this chapter, the reader will be able to:

– Identify the characteristics that are typical of fraudsters;

– Identify common fraud schemes; and

– Use the knowledge from this material to assess the risk of fraud in a financial statement audit


Fraud triangle

• Incentive or pressure

• Opportunity

• Rationalization


Case study

Harriett was altruistic and loved childhood education. She was especially concerned about the quality of education in the city’s economically disadvantaged neighborhoods. She applied and was approved to start a Charter School. Since the school was a startup there were very few employees. The bookkeeper was a friend of Harriett’s and recently went to training to learn QuickBooks. The Board members were attorneys and educators.

The school depended on federal and state funding, and although Harriett thought she would be awarded grants and that donors would make substantial contributions, she was mistaken. Because she was dedicated to the students and wanted them to have the best school experience possible, she hired a bus company to transport them from their homes, and the school paid for lunches for those who did not qualify for the free and reduced-price lunch program. Neither of these activities was reimbursable by the government funders. When money became tight and she could not meet payroll, she used payroll withholdings to pay salaries. She also claimed to have spent grant money on equipment but used it for payroll instead. She justified her actions to herself as “for the good of the children and the school”. Because she was Head of School, no one questioned her instructions.


Case study

• Case Study Questions

1. When the auditor considers the risk of fraud in this audit what are the risk factors that should have been identified?

2. Is it possible to tell whether Harriett’s activities are due to fraud or ignorance of legal requirements?

3. Where was there incentive or pressure and opportunity?

4. How might Harriett have rationalized her behavior?


Victims of fraud

• ACFE Report to the Nations 2018

Number of Employees Frequency Median Loss

< 100 28% $200,000

100–999 22% $100,000

1,000–9,999 26% $100,000

10,000+ 24% $132,000


Victims of fraud

• Privately held companies are more likely to be victimized (42%)

Type of Entity | Median Fraud Loss

Private Company | $164,000

Public Company | $117,000

Government | $118,000

Not-for-Profit | $75,000

Other | $120,000


Engagement question 1

• What do you believe is the reason why private companies experience more fraud and larger losses than the other entity types?


Who is most likely to commit fraud?

• Employees are most likely to commit fraud, but the median loss is lower

• The correlation between position and the loss to an entity is probably due to a combination of factors:

– Owners and executives have the most incentive to commit fraudulent financial reporting

– Managers have more access to assets than employees

– Fraud occurs more often in entities with fewer than 100 employees so the occurrence of fraud by employees is more statistically likely


Fraud committed by position


Fraud Committed by Position

Percentage of Cases

Employees 44%

Managers 34%

Owner/Executive 19%

Other 3%


Tenure and loss by level of authority

Fraud Committed by Position | Median Loss

Employees | $50,000

Managers | $150,000

Owner/Executive | $850,000

Other | $189,000

Perpetrator gender | Share of cases | Median loss

Men | 69% | $156,000

Women | 31% | $89,000


Education level

• Predominance of perpetrators have university degree (47%). Median loss – $160,000.

• Post graduate degree – highest median loss ($230,000)


Age of perpetrator

Age Median loss Percentage

less than 26 $ 23,000 5%

26-30 $ 40,000 10%

31-35 $ 100,000 15%

36-40 $ 100,000 19%

41-45 $ 200,000 19%

46-50 $ 250,000 14%

51-55 $ 237,000 9%

56-60 $ 480,000 6%

greater than 60 $ 355,000 3%


Engagement question 2

• Why do you believe that the longer the tenure of an employee, the larger the potential for fraud loss?


Where perpetrators work

Department | Median Loss

Accounting | $212,000

Operations | $88,000

Sales | $90,000

Executive | $729,000

Customer service | $26,000

Administrative support | $91,000

Finance | $156,000

Purchasing | $163,000

Facilities and Maintenance | $175,000

Warehousing/inventory | $200,000

Information technology | $225,000

Marketing/public relations | $80,000

Manufacturing and production | $200,000

Human resources | $76,000


Common fraud schemes

• Fraudulent financial reporting – an intentional scheme in which an employee (or management) causes a material misstatement or omission of material information to deceive users of the financial statements in order to:

– Meet expectations of shareholders, stakeholders, or financial institutions;

– Affect compensation-related awards such as raises or bonuses based on performance; or

– Reduce reported earnings to minimize tax liabilities (a motivation for owners/management)


Common fraud schemes

• Fraudulent financial reporting includes:

– Recording fictitious revenues;

– Inflating assets;

– Failing to record liabilities; or

– Falsifying estimates

• More likely to be perpetrated by executive or upper level management


Common fraud schemes

• Corruption – an employee (or management) misuses his or her power or influence in a business transaction and violates the employer’s trust in order to gain a direct or indirect benefit for themselves or someone they know

– Bribery

– Conflicts of interest with outside parties

• Most likely to arise in the purchasing department or be perpetrated by executive management


Common fraud schemes

• Misappropriation of assets – theft of an entity’s assets

– Often perpetrated by employees, sometimes in relatively small amounts

– Can also involve management. Management personnel are often better at concealing

– Often involves falsifying records to conceal the perpetrator’s actions


Common fraud schemes

Scheme | Description | Median loss | Percentage of cases | Department most likely to occur

Check and payment tampering | Stealing by forging or altering a check, or stealing a check issued to another payee; an employee might also reroute an electronic vendor payment to his or her own bank account | $150,000 | 12% | Accounting

Billing | Submission of fraudulent invoices for payment where no goods or services were provided; invoices could also be inflated, or personal expenses submitted to look like company expenses | $100,000 | 20% | Executives/upper management

Noncash misappropriation | Employee steals noncash assets | $98,000 | 21% | Sales

Cash larceny | Cash receipts are stolen after they have been recorded in the books and records (cash is recorded but the checks are stolen before they go to the bank) | $75,000 | 11% | Customer service

Payroll | Employee causes a payment to be issued for an improper amount or to a fictitious employee | $63,000 | 7% | Accounting

Skimming | Cash is stolen before it is recorded in the books and records | $50,000 | 11% | Accounting

Expense reimbursement | Employee makes a claim for reimbursement of fictitious or inflated expenses | $31,000 | 14% | Executives/upper management

Register disbursements | Employee makes false entries on a cash register to conceal the removal of cash (e.g. voiding a sale) | $29,000 | 3% | Sales and customer service

Cash on hand | Perpetrator misappropriates cash kept on hand (e.g. petty cash or cash in a vault) | $20,000 | 15% | Customer service
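The check and payment tampering row (rerouting an electronic vendor payment to the employee’s own account) and the billing row both leave traces in the vendor master file and the payment run rather than in the cash account itself. The following added example, written for this edit and not part of the course material, shows two analytics an auditor or internal audit team commonly runs over those records: matching vendor bank accounts against employee payroll accounts after normalising the formatting, and flagging payments made shortly after the payee’s bank details were changed, with a note when the same user both changed the details and approved the payment. All names, account strings, dates and the 30-day window are constructed assumptions.

```python
import re
from dataclasses import dataclass
from datetime import date, timedelta


def normalize_account(acct):
    """Strip spaces and punctuation and upper-case so that formatting
    differences between HR and AP records do not hide a match."""
    return re.sub(r"[^0-9A-Za-z]", "", acct).upper()


@dataclass(frozen=True)
class Employee:
    emp_id: str
    name: str
    bank_account: str


@dataclass(frozen=True)
class Vendor:
    vendor_id: str
    name: str
    bank_account: str


@dataclass(frozen=True)
class BankChange:
    vendor_id: str
    changed_on: date
    changed_by: str        # user id recorded by the ERP change log
    old_account: str
    new_account: str


@dataclass(frozen=True)
class Payment:
    payment_id: str
    vendor_id: str
    paid_on: date
    amount: float
    approved_by: str


# Constructed sample records (not real data); the IBAN-style strings are made up.
EMPLOYEES = [
    Employee("E100", "A. Clerk", "GB29 NWBK 6016 1331 9268 19"),
    Employee("E101", "B. Manager", "GB94 BARC 1020 1530 0934 59"),
]
VENDORS = [
    Vendor("V1", "Acme Supply", "GB82 WEST 1234 5698 7654 32"),
    Vendor("V2", "Northwind LLC", "GB29NWBK60161331926819"),  # E100's account, formatted differently
]
CHANGES = [
    BankChange("V2", date(2020, 1, 3), "E100", "GB33 BUKB 2020 1555 5555 55", "GB29NWBK60161331926819"),
]
PAYMENTS = [
    Payment("P-5001", "V1", date(2020, 1, 10), 12_000.0, "E101"),
    Payment("P-5002", "V2", date(2020, 1, 8), 48_000.0, "E100"),
    Payment("P-5003", "V2", date(2020, 4, 1), 5_000.0, "E101"),
]


def employee_vendor_bank_matches(employees, vendors):
    """(vendor_id, emp_id) pairs whose bank accounts are identical after normalisation."""
    by_account = {}
    for e in employees:
        by_account.setdefault(normalize_account(e.bank_account), []).append(e.emp_id)
    return [(v.vendor_id, emp_id)
            for v in vendors
            for emp_id in by_account.get(normalize_account(v.bank_account), [])]


def payments_after_bank_change(payments, changes, window_days=30):
    """Payments made within window_days after the payee's bank details changed,
    noting whether the user who changed the details also approved the payment."""
    hits = []
    for p in payments:
        for c in changes:
            if c.vendor_id != p.vendor_id:
                continue
            if c.changed_on <= p.paid_on <= c.changed_on + timedelta(days=window_days):
                hits.append({
                    "payment_id": p.payment_id,
                    "vendor_id": p.vendor_id,
                    "amount": p.amount,
                    "days_since_change": (p.paid_on - c.changed_on).days,
                    "same_user_changed_and_approved": c.changed_by == p.approved_by,
                })
    return hits


if __name__ == "__main__":
    print("vendor/employee bank matches:", employee_vendor_bank_matches(EMPLOYEES, VENDORS))
    print("payments soon after a bank change:", payments_after_bank_change(PAYMENTS, CHANGES))
```

Both screens are cheap to run and are worth repeating each period: the first catches a vendor record that has been pointed at an employee’s account regardless of when that happened, while the second catches the classic sequence of a bank-detail change followed by a payment before anyone has confirmed the change with the vendor.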


Collusion

• Median loss with one perpetrator: $74,000

• Median loss with two perpetrators: $150,000

• Median loss with three or more perpetrators: $339,000


Fraud scheme duration

Scheme | Duration of scheme before identification

Payroll | 30 months

Check tampering | 24 months

Financial statement fraud | 24 months

Expense reimbursement | 24 months

Billing | 24 months

Skimming | 18 months

Cash larceny | 24 months

Corruption | 22 months

Noncash | 18 months


Scheme by industry type

• 32% of frauds involved more than one type of fraud scheme

• Most prevalent combination is asset misappropriation and corruption

Scheme | % of cases reported – Education | % of cases reported – Religious, Charitable, Social Services | % of cases reported – Health Care

Billing | 23% | 40% | 26%

Skimming | 14% | 17% | 12%

Cash on hand | 19% | 22% | 13%

Cash larceny | 19% | 9% | 7%

Check tampering | 6% | 19% | 13%

Noncash misappropriations | 19% | 19% | 19%

Expense reimbursement | 18% | 29% | 16%

Payroll | 6% | 22% | 17%

Corruption | 38% | 34% | 36%

Financial statement fraud | 6% | 10% | 11%


Concealment

• Only 5.5% of perpetrators did not bother to try to conceal their activities

Method | Percentage concealed in this manner

Created fraudulent documents | 55%

Altered physical documents | 48%

Created fraudulent transactions in the accounting system | 42%

Altered transactions in the accounting system | 34%

Altered electronic documents or files | 31%

Destroyed physical documents | 30%

Created fraudulent electronic documents or files | 29%

Created fraudulent journal entries | 27%
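With more than a quarter of cases concealed through fraudulent journal entries and a third through altered transactions, the journal entry testing that AU-C 240 requires as a response to the risk of management override is the natural analytic to pair with this table. The following is an added example written for this edit, not code from the Surgent deck or from the standard. It scores manual entries against characteristics of the kind AU-C 240 points to: posted by a user who does not normally post, posted outside business hours, booked to the closed period after the close window, at or above the testing threshold, in a round-number amount, or without any explanation. The entries, the authorised-poster list, the 07:00-19:00 weekday business hours, the threshold and the three-day close window are all constructed assumptions to be replaced with the client’s actual data and the engagement’s materiality.

```python
from dataclasses import dataclass
from datetime import date, datetime, timedelta


@dataclass(frozen=True)
class JournalEntry:
    je_id: str
    posted_at: datetime      # when the entry hit the system (from the ERP audit trail)
    effective: date          # accounting date the entry is booked to
    user: str                # posting user id
    source: str              # "manual" or "system"
    debit_account: str
    credit_account: str
    amount: float
    description: str


# Constructed sample entries for a 31 Dec 2019 year end (not a real ledger).
PERIOD_END = date(2019, 12, 31)
# Assumed to come from the client's role listing: users expected to post manual entries.
AUTHORISED_POSTERS = {"gl_clerk1", "gl_clerk2", "controller"}
JOURNAL = [
    JournalEntry("JE-2001", datetime(2019, 12, 20, 10, 15), date(2019, 12, 20), "gl_clerk1",
                 "manual", "Inventory", "Accounts payable", 18_342.17, "Dec stock receipts"),
    JournalEntry("JE-2002", datetime(2020, 1, 14, 23, 40), date(2019, 12, 31), "ceo",
                 "manual", "Accounts receivable", "Sales", 500_000.00, ""),
    JournalEntry("JE-2003", datetime(2020, 1, 2, 9, 5), date(2019, 12, 31), "gl_clerk2",
                 "manual", "Accrued expenses", "Cash", 7_250.40, "Q4 utility accrual true-up"),
    JournalEntry("JE-2004", datetime(2019, 12, 29, 3, 0), date(2019, 12, 29), "batch",
                 "system", "Cash", "Accounts receivable", 1_200.00, "Auto lockbox posting"),
]


def override_indicators(je, period_end, authorised, threshold, close_days=3):
    """Return the indicators a single manual entry trips. System-generated entries
    are left to the testing of the automated controls and return no flags."""
    if je.source != "manual":
        return []
    flags = []
    if je.user not in authorised:
        flags.append("posted by a user who does not normally post journal entries")
    hour, weekday = je.posted_at.hour, je.posted_at.weekday()
    if weekday >= 5 or not 7 <= hour < 19:   # assumed business hours: Mon-Fri 07:00-19:00
        flags.append("posted outside business hours")
    if je.effective <= period_end < je.posted_at.date() - timedelta(days=close_days):
        flags.append("booked to the closed period after the close window")
    if je.amount >= threshold:
        flags.append("at or above the testing threshold")
    if je.amount >= 10_000 and je.amount % 1_000 == 0:
        flags.append("round-number amount")
    if not je.description.strip():
        flags.append("no description or explanation")
    return flags


def screen_journal(journal, period_end, authorised, threshold, close_days=3):
    """Map je_id -> indicators for every entry that trips at least one,
    with the entries carrying the most indicators first."""
    hits = {}
    for je in journal:
        flags = override_indicators(je, period_end, authorised, threshold, close_days)
        if flags:
            hits[je.je_id] = flags
    return dict(sorted(hits.items(), key=lambda kv: -len(kv[1])))


if __name__ == "__main__":
    for je_id, flags in screen_journal(JOURNAL, PERIOD_END, AUTHORISED_POSTERS, 250_000.0).items():
        print(je_id, "->", "; ".join(flags))
```

On the sample ledger the late-night, post-close, undocumented round-number revenue entry posted by the chief executive collects every indicator, while the clerk’s accrual true-up posted inside the close window trips none; the point of scoring rather than filtering is that an entry with one indicator is still selected for inquiry when judgment says so, but the ones with several go to the top of the list.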


Identifying fraud risks

• COSO 17 principles

• Principle 8 deals with assessing the risk of fraud

• Main consideration is incentives or pressures faced by management and employees


Identifying fraud risks

• Incentives or pressures that could lead to fraudulent financial reporting related to the entity and industry:

– High degree of competition or market saturation and declining margins

– High vulnerability to rapid changes, such as changes in technology, product obsolescence, or interest rates

– Significant declines in customer demand and increasing business failures in either the industry or overall economy

– Operating losses that cause concern relative to the prospect of bankruptcy, foreclosure, or hostile takeover

– Recurring negative cash flows from operations or an inability to generate cash flows from operations while reporting earnings and earnings growth

– Rapid growth or unusual profitability especially compared to that of other companies in the same industry

– New accounting, statutory, or regulatory requirements


Identifying fraud risks

• Incentives/ pressures that could lead to fraudulent financial reporting related to expectations of third parties:

– Expectations of investment analysts, institutional investors, significant creditors, or other external parties

– Need to obtain additional debt or equity financing to stay competitive

– Marginal ability to repay debt or meet debt covenant requirements

– Concern over reporting poor financial results or significant pending transactions, such as business combinations or contract awards

– Pressure to meet the expectations of legislative or oversight bodies

– Personal financial situation of management or members of governance is threatened (e.g. financial interests in the entity, bonuses, stock options, etc.; personal guarantees of debts of the entity; sales or profitability incentive goals)


Identifying fraud risks

• Incentives/pressures that could lead to misappropriation of assets:

– Management or employees with access to cash or other assets susceptible to theft may have personal financial obligations

– Adverse relationships between the entity and employees with access to cash or other assets susceptible to theft, for example:

– Known or anticipated future employee layoffs

– Recent or anticipated changes to employee compensation or benefit plans

– Promotions, compensation, or other rewards inconsistent with expectations

– Concerns over the company being acquired with adverse consequences to the employee


Red flags

Red Flag                                            Percentage
Living beyond means                                 41%
Financial difficulties                              29%
Unusually close association with a vendor/customer  20%
No behavioral red flags                             15%
Control issues, unwillingness to share duties       15%
Divorce/family problems                             14%
Wheeler-dealer attitude                             13%
Irritability, suspiciousness, or defensiveness      12%
Addiction problems                                  10%
Complaints about inadequate pay                      9%
Excessive pressure from within the entity            7%
Social isolation                                     7%
Past legal problems                                  6%
Refusal to take vacations                            6%
Past employment-related problems                     6%


Engagement question 3

• How easy or difficult is it for an auditor to spot behavioral red flags?

• How would the auditor be able to identify them?

Chapter 3

AU-C 240, Fraud Risk Assessment Procedures Including Data Analytics

Learning objectives

• Upon reviewing this chapter, the reader will be able to:

– Identify the procedures required by AU-C 240 to assess the risk of fraud;

– Implement the risk assessment procedures required by AU-C 240;

– Identify the risk of material misstatement due to fraud;

– Select procedures in response to assessed risks; and

– Properly document the assessment and planned responses to the risk of fraud


Assessing the risk of fraud

• Auditor is required to perform procedures to assess the risk of material misstatement due to fraud or error

• AU-C 315 cross-references AU-C 240

• Auditor objectives:

– Identify and assess the risks of material misstatement of the financial statements due to fraud;

– Obtain sufficient appropriate audit evidence regarding the assessed risks of material misstatement due to fraud, through designing and implementing appropriate responses; and

– Respond appropriately to fraud or suspected fraud identified during the audit


Assessing the risk of fraud

• Specifically, AU-C 240 requires the auditor to:

– Make inquiries of management and others about their views on fraud, the risks of fraud and how they are addressed

– Consider any unusual relationships identified during planning such as through preliminary analytical review. The auditor should perform preliminary analytical procedures on revenue where there could be a specific risk of fraud

– Consider other information gathered during the process of the new client acceptance or continuance procedures

• Information obtained is synthesized in an audit team discussion


Inquiries of management and others

• AU-C 240 states that inquiries are more effective when conducted in person

• Often firms will use electronic means including questionnaires

• Professional skepticism should be applied when discussing the likelihood of fraud with management

• Management is in the best position to perpetrate fraud

• When questionnaires are used, the impressions that could have been gained in face-to-face discussions are lost

• Use open-ended questions

• Occupational fraud is detected most often by a tip from an employee (40%)


Inquiries of management and others

• Make inquiries of others in the entity such as:

– Operating personnel not directly involved in the financial reporting process;

– Employees with different levels of authority;

– Employees involved in initiating, processing, or recording complex or unusual transactions and those who supervise or monitor those employees;

– In-house legal counsel;

– Internal auditors;

– Chief ethics officer, compliance officer or equivalent person, where that role exists in an entity; and

– The person or persons charged with dealing with allegations of fraud


Inquiries of management and others

Topic Area - Management | Example Open Ended Questions

Topic area: The extent of management's understanding about the risks of fraud in the entity, including any specific fraud risks the entity has identified or account balances or classes of transactions for which a risk of fraud may be likely to exist.

Example questions:

• Can you tell me about where you see the risk of fraud in this company? Let's start with fraudulent financial reporting. Please tell me about metrics or other expectations of stakeholders that would cause adverse effects on the company or individuals if violated (debt covenants, bonus structure based on sales, etc.)

• Which account balances and classes of transactions do you see as particularly vulnerable to the risk of fraud? For example, (auditor would provide an example relevant to the client).

• Please describe how management and those charged with governance assess where the risk of fraud could be.


Inquiries of management and others

Topic Area - Management | Example Open Ended Questions

Topic area: The existence of programs and controls the entity has established to mitigate specific fraud risks the entity has identified or that otherwise help to prevent, deter, and detect fraud, and how management monitors those programs and controls.

Example questions:

• Please describe the activities that management, internal audit, those charged with governance and others perform to mitigate fraud risks. (For example, with segregation of duties, training on the entity's code of conduct, background checks, bonding those employees with access to assets susceptible to misappropriation, does management stress the need for accurate and honest financial reporting?)

Topic area: Whether management has knowledge of any fraud or suspected fraud affecting the entity and whether management is aware of allegations of fraud or suspected fraud affecting the entity; for example, received in communications from employees, former employees, analysts, regulators or others.

Example questions:

• Please describe any awareness or concerns you have related to fraud or suspected fraud.

• Could you show me any regulatory correspondence, correspondence from employees, hot line calls or any other reports that allege or identify suspected fraudulent activity?


Inquiries of management and others

Topic Area - Management | Example Open Ended Questions

Topic area: The nature and extent to which entities with multiple locations monitor them and whether there are particular operating locations for which the risk of fraud may be more likely to exist.

Example questions:

• (If the entity has multiple locations) Can you describe how you and members of governance monitor the activities at remote locations? For example, do you make site visits, perform analytical procedures on data and hold discussions with personnel at those locations stressing the need for accurate information and ethical behavior on the part of employees?

Topic area: Whether and how management communicates to employees its views on business practices and ethical behavior.

Example questions:

• Please describe how management communicates with employees about the need for accurate financial reporting, ethical behavior and the need to report any behavior that would violate the entity's code of conduct. (For example, training, stressing these values in meetings, no tolerance policy for infractions of the code of ethics)


Inquiries of management and others

Topic Area - Management | Example Open Ended Questions

Topic area: Whether and how management has reported to the board, the audit committee or others with equivalent authority and responsibility on how the entity's internal control serves to prevent, detect and correct material misstatements due to fraud.

Example questions:

• Please describe discussions that management has had with those charged with governance, the audit committee or other equivalents, on how the risk of fraud has been assessed and the internal controls put in place to prevent, detect and correct material misstatements due to fraud.


Inquiries of management and others

Topic Area – Those charged with governance | Example Open Ended Questions

Topic area: Their views on fraud and whether and how it exercises oversight.

Example questions:

• Please describe your assessment of management and the employees at the company and their commitment to ethical values and accurate and honest financial reporting.

• Please explain how you view the risk of fraud at the company.

• What procedures and analyses do you use to exercise your oversight responsibilities?

Topic area: Whether the members have any knowledge of fraud that has occurred.

Example questions:

• What reports (written or oral) have you received about any fraud or suspected fraud in the company?

Topic area: Where and how fraud might occur.

Example questions:

• Given your knowledge of the company, where do you believe fraud could occur (fraudulent reporting, misappropriation of assets, corruption, conflicts of interest)?


Inquiries of management and others

Topic Area - Governance | Example Open Ended Questions

Others

Topic area: Their views about the risk of fraud and how it might occur.

Example questions:

• Please describe your assessment of management and the other employees at the company and their commitment to ethical values and accurate and honest financial reporting.

• Please explain how you view the risk of fraud at the company.

• What procedures and analyses do you use to exercise your responsibilities to prevent and detect errors and/or fraud?

Topic area: Whether they have seen or suspect fraud.

Example questions:

• What reports (written or oral) have you received about any fraud or suspected fraud in the company?

• Please describe any suspicious or unusual activity you have noted at the company.

• Please describe any unusual requests you have received from management without supporting documentation.

Topic area: If internal auditors, whether they have performed any procedures to detect fraud and, if there were findings, how management responded.

Example questions:

• Please describe the types of activities the internal audit department performs.

• What findings have you identified over the last year? May I see the reports?

• How does management respond to findings and constructive comments?


Electronic surveys

1. Are you aware of any known departures, during the last year, from approved policies or any unacceptable practices or conduct that might significantly affect the Entity? (yes, no)

1a. (If the answer is yes, the following question drops down). Please describe the departure and any action taken to address the issue.

2. Do you believe that management handles all complaints or comments from vendors, regulators and external parties with integrity and due professional care? (yes, no)

2a. (If the answer is no, the following question drops down). Please describe why.

3. Are you aware of any persistent comments or complaints from employees, vendors, regulators or external parties in 20X8? (yes, no)

3a. (If the answer is yes, the following question drops down). Please describe the most significant or persistent complaint or comment from employees, vendors, regulators or other external parties in 20X8.


Electronic surveys

4. Are you aware of any conflict of interest that exists or existed between the Entity and any member of the staff or volunteer? (yes, no)

4a. (If the answer is yes, the following question drops down). Please describe what happened and what was done to address it.

5. Are you aware of any fraud or abuse of the Entity's resources (including credit card abuse) by either staff or volunteers during the past two years? (yes, no)

5a. (If the answer is yes, the following question drops down). Please describe what happened and what was done to address it.

6. Do you believe the Entity has adequate processes for the investigation of potential frauds and for corrective action when necessary? (yes, no)

7. How would you improve the Entity's policies, processes and procedures in this area?

8. Do you have any questions or concerns which we should consider during our audit? (yes, no)

8a. (If the answer is yes, the following question drops down). Please describe any questions or concerns which we should consider during our audit.


Focus on governance

• Governance should play an important role in:

– Setting the tone from the top; and

– Evaluating the risk of fraud

• Governance should oversee the entity's systems for monitoring risk, financial control, and compliance with laws and regulations

• Composition of governance as well as its quality vary based on the size of the entity, its complexity, the ownership structure of the entity and other factors

• Many times governance plays a much lesser role


Focus on governance

• Auditor should understand:

– If governance is composed of management and independent parties or solely of independent parties

– Varying levels of experience of those charged with governance and board diversity

– Board’s interaction with and monitoring of management including discussion of risks and how they are being addressed

– Board’s interaction with internal audit and whether or not they meet privately to discuss any concerns of the internal audit director

– Whether internal audit evaluates internal controls over financial reporting or addresses mainly compliance or operational issues

– Whether members of governance inquire into or receive reports of any hotline calls (or reports from some other reporting vehicle)

– Whether those charged with governance meet independently to discuss the performance of executives and the risk of management override by them, particularly if the executives sit on the board


Fraud risk governance principles

• The IIA and the ACFE published a guide intended for management and governance to use in managing the risk of fraud

• Five principles:

• Principle 1: A fraud risk management program should be in place, including policies and procedures to convey the expectations of the board of directors and senior management regarding managing fraud risk


Fraud risk governance principles

• Components of fraud risk assessment program:

– Roles and responsibilities;

– Commitment;

– Fraud awareness;

– Affirmation process;

– Conflict disclosure;

– Fraud risk assessment;

– Reporting procedures and whistleblower protection;

– Investigation process;

– Corrective action;

– Quality assurance; and

– Continuous monitoring


Fraud risk governance principles

• Principle 2: Fraud risk exposure should be assessed periodically by the organization to identify specific potential schemes and events that the organization needs to mitigate

• Principle 3: Fraud prevention techniques should be established, where feasible, to mitigate possible impacts on the organization from fraud

• Principle 4: Detection techniques should be established to uncover fraud events in the event that preventive measures fail, or unmitigated risks are identified


Fraud risk governance principles

• Detection Techniques

• An entity could use the following techniques on a periodic basis as fraud diagnostics:

– Scan purchase orders with blank approvals/zero amounts

– Purchases split so that each piece is just under the threshold for approval or second approval

– Duplicate invoices

– Invoice amount paid compared to goods received

– Invoices with no matching receiving report

– Multiple invoices with the same purchase order and date

– Pattern of sequential invoices from a vendor


Fraud risk governance principles

• Detection Techniques (cont.)

– Nonapproved vendors

– Suspect purchase of consumer items

– Employee and vendor with the same information (name, address, phone number, bank account number)

– Vendor address is a mail drop

– Payment without invoice

– Vendor master file changes that are in place only for brief periods

– Transactions made with P-cards (purchasing cards) on weekends or holidays

– Unusually high sales discounts


Fraud risk governance principles

• Detection Techniques

– Frequent credit memos to the same customer

– Shipments where the employee address matches the shipping address

– Terminated employees on the payroll

– Unusually high overtime amounts and rates

– Invalid tax IDs

– Unusually high commissions

– Multiple employees with the same addresses

• Principle 5: A reporting process should be in place to ask for input on potential fraud, and a coordinated approach to investigation and corrective action should be used to help ensure potential fraud is addressed appropriately and on a timely basis
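Four of the purchasing diagnostics from the Detection Techniques lists above (purchases split under the approval threshold, duplicate invoices, employee/vendor data matches, and sequential invoice numbers from a vendor) run over accounts-payable data, as an added example that is not part of the presentation or the IIA/ACFE guide. All invoice, vendor and employee records are constructed sample data, and the $5,000 approval threshold and 3-day window are assumptions.

```python
"""Periodic fraud diagnostics over accounts-payable data (added example).
All invoices, vendors and employees below are constructed sample records;
the $5,000 approval threshold and the 3-day window are assumptions."""
from collections import defaultdict
from datetime import date

# Constructed invoices: (invoice_id, vendor_id, vendor_invoice_no, date, amount, po_no)
INVOICES = [
    ("I1", "V100", "A-1001", date(2019, 3, 4), 4_900.00, "PO-7"),
    ("I2", "V100", "A-1002", date(2019, 3, 4), 4_950.00, "PO-8"),
    ("I3", "V100", "A-1003", date(2019, 3, 5), 4_800.00, "PO-9"),
    ("I4", "V200", "77812", date(2019, 3, 6), 12_000.00, "PO-10"),
    ("I5", "V200", "77812", date(2019, 3, 20), 12_000.00, "PO-10"),
    ("I6", "V300", "1", date(2019, 2, 1), 1_500.00, "PO-11"),
    ("I7", "V300", "2", date(2019, 3, 1), 1_500.00, "PO-12"),
    ("I8", "V300", "3", date(2019, 4, 1), 1_500.00, "PO-13"),
]
# Constructed master files: id -> (name, address, phone, bank_account)
VENDORS = {
    "V100": ("Acme Supply", "12 Main St", "555-0100", "ACCT-1"),
    "V200": ("Big Co", "9 Oak Ave", "555-0200", "ACCT-2"),
    "V300": ("QuickFix", "44 Elm Rd", "555-0300", "ACCT-3"),
}
EMPLOYEES = {
    "E1": ("Pat Jones", "44 Elm Rd", "555-0999", "ACCT-9"),  # same address as V300
    "E2": ("Sam Lee", "1 Pine Ct", "555-0777", "ACCT-7"),
    "E3": ("Kim Roe", "2 Birch Ln", "555-0555", "ACCT-2"),  # same bank account as V200
}
APPROVAL_THRESHOLD = 5_000.00  # assumed limit above which a second approval is required


def split_purchases(invoices, threshold=APPROVAL_THRESHOLD, window_days=3):
    """Vendors with several invoices each below the threshold, dated within
    window_days of each other, whose total exceeds the threshold."""
    under = defaultdict(list)
    for inv in invoices:
        if inv[4] < threshold:
            under[inv[1]].append(inv)
    hits = {}
    for vendor, invs in under.items():
        invs.sort(key=lambda r: r[3])
        for i, first in enumerate(invs):
            group = [r for r in invs[i:] if (r[3] - first[3]).days <= window_days]
            if len(group) > 1 and sum(r[4] for r in group) > threshold:
                hits[vendor] = [r[0] for r in group]
                break
    return hits


def duplicate_invoices(invoices):
    """Pairs of invoices where the same vendor invoice number, or the same
    amount and purchase order, was paid to the same vendor more than once."""
    seen, dups = {}, []
    for inv in invoices:
        for key in ((inv[1], inv[2]), (inv[1], inv[4], inv[5])):
            if key in seen:
                dups.append((seen[key], inv[0]))
                break
            seen[key] = inv[0]
    return dups


def employee_vendor_matches(employees, vendors):
    """Employees sharing an address, phone number or bank account with a vendor."""
    fields = ("address", "phone", "bank_account")
    hits = []
    for eid, emp in employees.items():
        for vid, ven in vendors.items():
            shared = [f for f, e, v in zip(fields, emp[1:], ven[1:]) if e == v]
            if shared:
                hits.append((eid, vid, shared))
    return hits


def sequential_invoice_vendors(invoices, min_run=3):
    """Vendors whose numeric invoice numbers to the entity form an unbroken run,
    suggesting the entity is the vendor's only customer (possible shell vendor)."""
    numbers = defaultdict(set)
    for inv in invoices:
        if inv[2].isdigit():
            numbers[inv[1]].add(int(inv[2]))
    flagged = []
    for vendor, nums in numbers.items():
        run = sorted(nums)
        if len(run) >= min_run and run[-1] - run[0] == len(run) - 1:
            flagged.append(vendor)
    return flagged


if __name__ == "__main__":
    print("split purchases:", split_purchases(INVOICES))
    print("duplicate invoices:", duplicate_invoices(INVOICES))
    print("employee/vendor matches:", employee_vendor_matches(EMPLOYEES, VENDORS))
    print("sequential invoice vendors:", sequential_invoice_vendors(INVOICES))
```

Each hit is a lead for follow-up (vouching to receiving reports, confirming the vendor exists), not a conclusion that fraud occurred.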


Case study 1

An auditor was preparing to perform fraud risk assessment procedures at a midsized retail organization. The entity has a board of directors but no audit committee. It also has an internal audit department that reports to the CFO. From review of internal audit reports in prior years, the auditor is aware that the work plan centers around operational issues. The CEO sits on the board, which is composed of shareholders with significant holdings, half of whom are in management. The board meets quarterly, and the auditor's experience is that the discussion revolves mainly around sales targets, introduction of new products, and achievement of financial goals. In prior-year discussions with governance the auditor has used electronic questionnaires, since it is difficult to get the board members to sit down face to face.

1. What do you see as risks that the auditor needs to consider when preparing to ask questions of management and others related to the risk of fraud?

2. To whom should fraud risk questions be addressed?


Integrating AU-C 315 and AU-C 240

• Use inquiry, observation and inspection of documents

• Perform preliminary analytical procedures

• Four broad categories:

– Industry and regulatory factors

– Nature of the entity

– Objectives, strategies and related business risks

– Measurement and review of the entity’s financial performance


Case study 2

An auditor is conducting an audit of a building construction company, Better than Real Wood, for the year ended December 31, 20X2. The senior accountant wanted to combine the inquiries used for the risk assessment process (AU-C 315) with the inquiries for the risk of fraud (AU-C 240). Following is the understanding of the entity and its environment for 20X1. In addition, she obtained 9-month financial statements and noted that sales had increased and margins were lower, but not as low as at the end of 20X1. She noticed that inventory levels were higher. Net income was lower. The auditor used the prior-year understanding and the 9-month financials as a starting point to build the list of inquiries to use for 20X2.


Case study 2 (cont.)

• Questions:

1. Given the information provided relative to the company, where do you believe fraud could occur?

2. Based on your assessment what other activities would you perform relative to the risk of fraud?


How are frauds detected

[Bar chart: Method by Which Fraud is Detected (x-axis 0% to 45%). Categories as listed on the chart: Tip, Internal Audit, Management review, By accident, Other, Account Reconciliation, Document Examination, External Audit, Surveillance/monitoring, Notified by law enforcement, IT Controls, Confession.]


Who reports fraud

[Bar chart: Who Reports Fraud (x-axis 0% to 60%). Categories as listed on the chart: Employee, Customer, Vendor, Other, Competitor, Shareholder/owner.]


When staff asks questions

• Staff people may feel reluctant to press the client for clarification

• Staff people have good instincts but may need some guidance from senior audit team members


Additional questions for management and the board

• Joseph T. Wells – Antifraud provisions as a deterrent

Anti-Fraud Provision | Questions | Important points

Anti-fraud provision: Training

Questions:

1. Do employees receive training that helps to educate them about: What constitutes fraud? Costs of fraud such as job loss, publicity issues, etc.?

2. Have employees been told where to go for help if they see something?

3. Is there a zero-tolerance policy for fraud, and has it been communicated?

Important points: Training employees builds fraud awareness, and employees will be more likely to spot inappropriate behavior in others. Training can also make it more difficult for employees to rationalize their own behavior. The ACFE studies consistently show that the top way frauds are detected is through tips from employees.


Additional questions for management and the board (cont.)

Anti-Fraud Provision | Questions | Important points

Anti-fraud provision: Reporting

Questions: Does the entity have an effective way for employees to report fraud? Are there anonymous reporting mechanisms? Do employees understand that those issues reported will be investigated?

Important points: Anonymous reporting vehicles are important. The 2018 Report noted that the presence of a hotline or other reporting mechanism affects how organizations detect fraud as well as the outcome of the case.


Additional questions for management and the board (cont.)

Anti-Fraud Provision | Questions | Important points

Anti-fraud provision: Perception of Detection

Questions: Does the entity perform monitoring activities to identify fraudulent activity? Is there a message sent that there will be tests made to look for fraud? Are there surprise audits? Is software used to identify fraud indicators from data?

Important points: The 2018 Report to the Nations identifies management review as the third most likely way to detect fraud (13%). Surveillance and monitoring also detects fraud, but only 3% of the time. There are no statistics related to the types of monitoring procedures used. Mr. Wells believes that letting employees know that surprise tests and other procedures will occur is a deterrent to fraud.


Additional questions for management and the board (cont.)

Anti-Fraud Provision | Questions | Important points

Anti-fraud provision: Management's Tone from the Top

Questions:

• Does the entity value honesty and integrity?

• Are employees surveyed to determine whether they believe that management acts with integrity?

• Have fraud prevention goals been set for management, and are they evaluated on them as an element of compensation?

• Is there an appropriate oversight process by the board or others charged with governance?

Important points: Management's tone from the top is important in setting the stage for ethical behavior. Employees are more likely to behave with integrity if the tone is set. And Mr. Wells states that employees feel more secure when they believe in the ethics of management and the board.


Additional questions for management and the board (cont.)

Anti-Fraud Provision | Questions | Important points

Anti-fraud provision: Anti-fraud controls

Questions: Are any of the following performed?

• Risk assessments to determine management's vulnerabilities

• Proper segregation of duties

• Physical safeguards

• Job rotation

• Mandatory vacations

• Proper authorization of transactions

Important points: These are helpful internal controls. Management should consider implementing policies and procedures to ensure that the controls are effective.


Additional questions for management and the board (cont.)

Anti-Fraud Provision | Questions | Important points

Anti-fraud provision: Hiring policies

Questions: Are the following incorporated in your hiring policies?

• Past employment verification

• Credit check

• Criminal and civil background check

• Education verification

• Reference check

• Drug screening

Important points: These are helpful internal controls. Management should consider implementing policies and procedures to ensure that the controls are effective.


Additional questions for management and the board (cont.)

Anti-Fraud Provision | Questions | Important points

Anti-fraud provision: Employee Assistance

Questions: Are there any programs in place to help struggling employees with financial issues, drug issues, or mental health issues? Is there an open-door policy so that employees can speak freely? Are anonymous surveys conducted to assess employee morale?

Important points: Mr. Wells has seen good success with helping the employees feel more valued and secure. Even if the entity does not provide financial assistance to struggling employees, the fact that it cares sends an important message.


Unusual or unexpected relationships

• Preliminary analytical procedures

• Fluctuation analysis

• High-level review of specific data patterns, relationships and trends

• Auditor may use software programs to analyze data (data extraction, business intelligence, and file query tools)

• AU-C 315 does not require the use of disaggregated data as a risk assessment procedure

• Based on analytical procedures performed as part of risk assessment procedures, the auditor evaluates whether unusual or unexpected relationships that have been identified could indicate a risk of material misstatement due to fraud

• If not already performed, the auditor should perform analytical procedures relating to revenue accounts


Unusual or unexpected relationships

• When performing data analysis for fraud risk assessment purposes the auditor could use:

– Statistical analysis designed to look for transactions outside what is expected (disaggregated revenue by product line divided by units produced)

– Analytic tests that evaluate certain conditions or relationships that indicate a high probability of fraud (transactions that are right below the threshold for additional approval)

– Comparing information from one database to another (compare payroll records with data from a human capital system that contains employee names, pay rates etc.)
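The first and third approaches listed above, carried out on data: a statistical test on disaggregated revenue per unit by product line, and a comparison of the payroll register against the HR master file. This is an added example, not code from the presentation; the product lines, monthly figures, HR records and the leave-one-out z-score cutoff of 3 are all constructed assumptions.

```python
"""Two data-analysis approaches for fraud risk assessment (added example):
a statistical test on disaggregated revenue per unit by product line, and a
comparison of the payroll register with the HR master file. All figures and
records are constructed sample data; the z-score cutoff of 3 is an assumption."""
from statistics import mean, pstdev

# Constructed monthly (revenue, units produced) by product line, six periods each.
# Decking's sixth month carries revenue that the units produced do not explain.
REVENUE_BY_LINE = {
    "Decking": [(126_000, 4_200), (122_000, 4_000), (115_440, 3_900),
                (120_800, 4_000), (122_590, 4_100), (175_600, 4_000)],
    "Siding": [(60_000, 3_000), (63_240, 3_100), (57_130, 2_900),
               (61_500, 3_000), (59_700, 3_000), (60_600, 3_000)],
}


def revenue_per_unit_outliers(revenue_by_line, z_cutoff=3.0):
    """Flag (line, period, revenue per unit) where the period's revenue per
    unit lies more than z_cutoff standard deviations from the mean of the
    line's OTHER periods. Leaving the tested period out keeps an outlier
    from inflating the baseline it is compared against."""
    flagged = []
    for line, months in revenue_by_line.items():
        rpu = [rev / units for rev, units in months]
        for i, value in enumerate(rpu):
            others = rpu[:i] + rpu[i + 1:]
            if len(others) < 2:
                continue
            mu, sigma = mean(others), pstdev(others)
            if sigma == 0:
                if value != mu:  # any move off a perfectly flat baseline is unexpected
                    flagged.append((line, i + 1, round(value, 2)))
                continue
            if abs(value - mu) / sigma > z_cutoff:
                flagged.append((line, i + 1, round(value, 2)))
    return flagged


# Constructed HR master file: employee_id -> (name, status, hourly_rate)
HR_MASTER = {
    "E1": ("Pat Jones", "active", 25.00),
    "E2": ("Sam Lee", "terminated", 22.00),
    "E3": ("Kim Roe", "active", 30.00),
}
# Constructed payroll register for one period: (employee_id, hours, hourly_rate_paid)
PAYROLL = [
    ("E1", 80, 25.00),
    ("E2", 80, 22.00),  # still being paid after termination
    ("E3", 80, 36.00),  # paid at a rate the HR file does not support
    ("E9", 80, 25.00),  # no HR record at all: possible ghost employee
]


def payroll_vs_hr_exceptions(payroll, hr_master):
    """Payroll lines that do not agree with the HR master file."""
    exceptions = []
    for emp_id, _hours, rate_paid in payroll:
        rec = hr_master.get(emp_id)
        if rec is None:
            exceptions.append((emp_id, "not in HR master"))
        elif rec[1] != "active":
            exceptions.append((emp_id, f"status {rec[1]}"))
        elif rate_paid != rec[2]:
            exceptions.append((emp_id, f"rate paid {rate_paid} vs HR {rec[2]}"))
    return exceptions


if __name__ == "__main__":
    print("revenue per unit outliers:", revenue_per_unit_outliers(REVENUE_BY_LINE))
    print("payroll exceptions:", payroll_vs_hr_exceptions(PAYROLL, HR_MASTER))
```

An outlier period is a relationship to inquire about and test further (for example, vouching the period's large invoices and cut-off), since a legitimate price change would produce the same signal.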


Changes in risk from year to year

Auditors should be aware that risks may change from year to year and consider areas where there may have been significant changes, including:

– Regulatory changes and increased regulatory scrutiny

– Legal or regulatory changes which may impact how the entity safeguards the privacy of data and maintains information system security

– Risks resulting from national and international political uncertainty, including how these risks might limit growth opportunities

– New cyber threats with the potential to significantly disrupt operations

– Where there is internal resistance to changes to the entity’s business model and core operations, needed to meet changes in its external environment


Omnibus Standard Amends AU-C 240

• SAS 135 issued in December 2019

• New procedures are introduced when transactions outside the normal course of business of the entity are identified:

– Evaluate the rationale and business purpose for those transactions as to whether they suggest that they were entered into in order to perpetrate fraudulent financial reporting or misappropriation of assets

– Read the supporting documentation and evaluate whether the terms and other information about the transaction are consistent with explanations from inquiries and other audit evidence regarding the business purpose

– Determine whether the transaction has been authorized and approved in accordance with the entity’s policies and procedures

– Evaluate whether significant unusual transactions identified have been properly accounted for and disclosed in the financial statements


Omnibus Standard Amends AU-C 240

• Additional indicators added that could alert auditors to significant unusual transactions

– Transactions that involve previously unidentified related parties or relationships or transactions with related parties previously undisclosed to the auditor

– Transactions involving other parties that do not have the substance or the financial strength to support the transaction without assistance from the entity under audit or any related party of the entity

– Transactions lack commercial or economic substance or are part of a larger series of connected, linked, or otherwise interdependent arrangements that lack commercial or economic substance individually or in the aggregate


Omnibus Standard Amends AU-C 240

• Additional indicators added that could alert auditors to significant unusual transactions (cont.)

– Transactions occur with a party that falls outside the definition of a related party (as defined by the applicable financial reporting framework), with either party able to negotiate terms that may not be available for other, more clearly independent parties on an arm's-length basis

– Transactions exist to enable the entity to achieve certain financial targets


AU-C 240 amendments

• Amendments to SAS 134 (auditor’s report)

• SAS 136 (employee benefit plan auditor’s report)

• Clarifies auditor’s responsibilities (presented in part)

Our objectives are to obtain reasonable assurance about whether the financial statements as a whole are free from material misstatement, whether due to fraud or error, and to issue an auditor’s report that includes our opinion. Reasonable assurance is a high level of assurance but is not absolute assurance and therefore is not a guarantee that an audit conducted in accordance with GAAS will always detect a material misstatement when it exists. The risk of not detecting a material misstatement resulting from fraud is higher than for one resulting from error, as fraud may involve collusion, forgery, intentional omissions, misrepresentations, or the override of internal control.


AU-C 240 amendments

• Clarifies auditor’s responsibilities (presented in part)

In performing an audit in accordance with GAAS, we:

Exercise professional judgment and maintain professional skepticism throughout the audit. Identify and assess the risks of material misstatement of the financial statements, whether due to fraud or error, and design and perform audit procedures responsive to those risks. Such procedures include examining, on a test basis, evidence regarding the amounts and disclosures in the financial statements.

Considerations for smaller entities

• Fraudulent financial reporting may not be as big a risk as misappropriation of assets (lack of segregation of duties)

• Risk of fraud is more likely related to overstatement of expenses (privately held companies) to reduce income taxes

• NFPs are typically not as concerned about earnings – controls may not be as robust and lack of control documentation is more prevalent

Audit team discussion

• After sufficient information has been collected to evaluate the risk of fraud, the audit team holds its discussion

• Long-standing client relationships can create a belief that management has integrity; in brainstorming, set that belief aside

• Not all team members must be present

• Partner or equivalent must be present

• Team meeting is an opportunity for less experienced team members to learn

Audit team discussion

• Discusses how and where the entity's financial statements might be susceptible to material misstatement due to fraud

• Explores how and where fraud could occur

• Explores how management could perpetrate and conceal fraudulent financial reporting, and how assets of the entity could be misappropriated

• Identifies specific risks of fraud

• Emphasizes the need for professional skepticism during the audit

• Considers the risk of management override of controls and how that might occur (estimates, journal entries, implied pressures, unusual transactions)

Audit team discussion

• Considers circumstances that might be indicative of earnings management or manipulation of other financial measures and how management could conceivably manage earnings or other financial measures that could lead to fraudulent financial reporting

• Considers responses to the risk of fraud and plans those tests

• Considers the need for specialists and addresses multi-location audit issues

• Considers how an element of unpredictability will be incorporated into the nature, timing, and extent of the audit procedures to be performed

• Emphasizes the importance of maintaining professional skepticism throughout the audit regarding the potential for material misstatement due to fraud

Comprehensive example

• Part 1, Discussion held with the team on the risks of fraud (3-24)

• Part 1, Discussions with Client Personnel and those Charged with Governance (3-26)

Risks of fraud

• Revenue recognition

– Presumed to be a risk of fraud

– Fraudulent financial reporting – overstating revenue or shifting from one period to the next

– Fictitious sales

– Presumption can be rebutted

Risks of fraud

• Management override

– Management is in a unique position to override controls

– When this happens it may look like controls are functioning when they are not

– Considered a risk of fraud and should be addressed in all audits

– Auditor is required to test appropriateness of journal entries including entries posted directly to financial statement drafts

Tests of journal entries

• Obtain an understanding of the entity's financial reporting process and controls over journal entries and other adjustments

• Make inquiries of individuals involved in the financial reporting process about inappropriate or unusual activity relating to the processing of journal entries and other adjustments

• Consider fraud risk indicators, the nature and complexity of accounts, and entries processed outside the normal course of business

• Select journal entries and other adjustments made at the end of a reporting period

• Consider the need to test journal entries and other adjustments throughout the period

Tests of journal entries

• Review accounting estimates for biases and evaluate whether any bias represents a risk of material misstatement due to fraud

• Evaluate whether the judgments and decisions made by management in making the accounting estimates included in the financial statements, even if they are individually reasonable, indicate a possible bias on the part of the entity's management that may represent a risk of material misstatement due to fraud

• Perform a hindsight review of management judgments and assumptions related to significant accounting estimates made in the prior year

• Evaluate significant transactions that are outside the normal course of business or that appear to be unusual

Comprehensive Example, Part 2 (3-29)
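The selection step in the procedures above (entries at period end or after closing, entries to unusual or seldom-used accounts, entries by people who do not normally post, round amounts, little or no explanation) is mechanical enough to script before the auditor traces the selected entries to support. The following Python is an added example and is not part of the Surgent course or any client's system: it screens a general-ledger extract for those characteristics and ranks the entries by how many they exhibit. The ledger rows are constructed sample data, and the field names, the five thresholds and the flag labels are assumptions for the example, not figures from AU-C 240.

```python
from collections import Counter
from dataclasses import dataclass, field
from datetime import date, timedelta


@dataclass
class JournalEntry:
    je_id: str
    posted: date
    user: str             # preparer recorded by the GL system
    account: str
    amount: float
    description: str
    manual: bool          # True if keyed by a person, False if system-generated
    flags: list = field(default_factory=list)


# Thresholds are assumptions for this example, not figures from AU-C 240.
PERIOD_END_WINDOW_DAYS = 5     # entries this close to period end count as period-end
RARE_USER_MAX_ENTRIES = 1      # a preparer with this few entries seldom posts
RARE_ACCOUNT_MAX_ENTRIES = 1   # an account hit this few times is seldom used
ROUND_AMOUNT_UNIT = 1_000      # whole-thousand amounts draw attention
MIN_DESCRIPTION_LEN = 10       # shorter explanations are thin


def screen_entries(ledger, period_end, min_flags=2):
    """Tag each entry with the AU-C 240 selection characteristics it exhibits
    and return the entries carrying at least `min_flags`, highest-risk first.
    Preparer and account rarity are measured against the extract itself."""
    user_counts = Counter(e.user for e in ledger)
    account_counts = Counter(e.account for e in ledger)
    window_start = period_end - timedelta(days=PERIOD_END_WINDOW_DAYS)

    for e in ledger:
        e.flags = []
        if e.manual:
            e.flags.append("manual")
        if e.posted >= window_start:
            e.flags.append("period-end" if e.posted <= period_end else "post-closing")
        if user_counts[e.user] <= RARE_USER_MAX_ENTRIES:
            e.flags.append("unusual-preparer")
        if account_counts[e.account] <= RARE_ACCOUNT_MAX_ENTRIES:
            e.flags.append("seldom-used-account")
        if abs(e.amount) >= ROUND_AMOUNT_UNIT and abs(e.amount) % ROUND_AMOUNT_UNIT == 0:
            e.flags.append("round-amount")
        if len(e.description.strip()) < MIN_DESCRIPTION_LEN:
            e.flags.append("thin-description")

    selected = [e for e in ledger if len(e.flags) >= min_flags]
    return sorted(selected, key=lambda e: (-len(e.flags), e.je_id))


PERIOD_END = date(2021, 12, 31)

# Constructed sample extract, not a real ledger: interface postings, payroll
# runs and a few manual entries by senior staff around year end.
SAMPLE_LEDGER = [
    JournalEntry("JE-0999", date(2021, 11, 1), "billing", "4000 Patient service revenue", 298_410.25, "November patient billing interface", False),
    JournalEntry("JE-1000", date(2021, 12, 1), "billing", "4000 Patient service revenue", 312_644.80, "December patient billing interface", False),
    JournalEntry("JE-1001", date(2021, 11, 15), "apclerk", "2000 Accounts payable", 12_437.18, "November vendor invoices batch", False),
    JournalEntry("JE-1002", date(2021, 11, 30), "apclerk", "2000 Accounts payable", 9_815.02, "Month-end AP accrual", True),
    JournalEntry("JE-1003", date(2021, 12, 10), "payroll", "6100 Salaries expense", 48_200.55, "Pay run 25 per payroll register", False),
    JournalEntry("JE-1004", date(2021, 12, 24), "payroll", "6100 Salaries expense", 47_950.10, "Pay run 26 per payroll register", False),
    JournalEntry("JE-1005", date(2021, 12, 30), "controller", "4000 Patient service revenue", 250_000.00, "Reclass", True),
    JournalEntry("JE-1006", date(2022, 1, 4), "controller", "1200 Allowance for doubtful accounts", 75_000.00, "Adjust allowance per CFO review", True),
    JournalEntry("JE-1007", date(2021, 12, 31), "cfo", "7900 Other income", 15_000.00, "", True),
    JournalEntry("JE-1008", date(2021, 12, 28), "apclerk", "2000 Accounts payable", 3_100.00, "Late December invoices", True),
]


if __name__ == "__main__":
    for e in screen_entries(SAMPLE_LEDGER, PERIOD_END):
        print(f"{e.je_id}  {e.posted}  {e.user:<10} {e.amount:>12,.2f}  {', '.join(e.flags)}")
```

Two cautions when using something like this. The preparer and account flags are relative to the population screened, so run it over the full year's entries, not only the period-end batch, or every preparer and account will look unusual. And the output is a selection aid, not evidence: each selected entry still has to be traced to support and to the approval of someone other than the preparer, which is the part of the procedure that detects override.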

Conclusion and linkage

• When the team has identified a list of ways that fraud could possibly occur, the list should be narrowed down to risks that both:

– Could result in material misstatement; and

– Are likely to occur

• Auditor should gain an understanding of internal control over the fraud risks to determine the nature, timing, and extent of audit procedures

Conclusion and linkage

1. Revenue recognition - existence (possibility of fictitious visits) and valuation (see below). Planned Response (Linkage): We will test internal controls over the tracking system including management review. The engagement manager will perform the procedures related to management estimates. We will perform a hindsight review on the allowance for doubtful accounts. We will do the same on the variable consideration for patient revenues from third party payors. SEE WP XXXX

2. Management override - primarily through management estimates. Planned Response (Linkage): We also plan to test journal entries. We will remain alert for the possibility of unusual transactions. SEE WP XXXX

Comprehensive Example, Part 3 (3-31)

Conclusion and linkage

3. Estimates - allowance for doubtful accounts and reduction of revenue due to variable consideration and constraints to variable consideration. Planned Response (Linkage): We will perform a hindsight review on the allowance for doubtful accounts. We will do the same on the variable consideration for patient revenues from third party payors. SEE WP XXXX

4. Planned Response (Linkage): As required by professional standards we will obtain an understanding of internal controls over all risks of fraud (as well as other significant risks identified in the risk assessment memo). As noted above we will test controls over the tracking system. SEE WP XXXX

Understanding internal control over fraud risks

Comprehensive Example, Part 4 (3-32)

Account balance: Revenue recognition

Risk of material misstatement due to fraud: Existence. The risk is that home health aides or other caregivers will falsify visits. Since the majority of the patients/clients are elderly and some have dementia, the likelihood is there. The magnitude could be material from a quantitative standpoint, but more importantly it could be material from a qualitative standpoint because this would represent a violation of Medicare and Medicaid regulations.

Understanding of internal controls: I discussed the tracking process with the COO, noting that she was very concerned about the possibility of overbilling to government and other payors. She discussed the issue that caused the entity to invest in the tracking system.

She discussed her review in detail and showed me the documentation to support her monthly review. She tests the visits each month, noting that she selects 40 items to test to ensure that the billings are appropriate. She also discussed her monthly analytical review and showed me the monthly Excel spreadsheets.

She noted that there were very few exceptions noted during the year and that none of them could have caused fictitious billings. The employees who used the car to do errands were warned and no further action has been necessary.

Management installed tracking devices in the company vehicles two years ago to measure mileage and log the times that the company cars are being driven. The logs are reviewed by the COO, who also checks the dates, times and services against the patient care plan. Any differences are discussed with the home health aide/caregiver.

The COO maintains the logs from each month in a folder and inputs the information in a spreadsheet for analytical review. I selected a patient by patient number from the patient roster and obtained the month's folder. I recalculated the amount of time spent by the aide to the range of time allotted for visits in the COO's operations manual. I recalculated the mileage to and from the patient's home. I traced the documentation supporting the visit to the plan of care. (The COO redacted the patient name from the documents due to HIPAA regulations.)

I believe that the controls are suitably designed and have been implemented. We did not test controls.

Understanding internal control over fraud risks

Comprehensive Example, Part 4 (cont.)

Account balance: Revenue recognition

Risk of material misstatement due to fraud: Valuation. The risk is that the long-term contracts might not be accounted for appropriately. These contracts have variable consideration in that bonuses are awarded for quality based on various metrics. Since the contracts span over three years, the entity estimates the quality score it will receive to estimate the variable consideration. Management could overstate the quality factor in order to recognize revenue in an earlier period.

Understanding of internal controls: I discussed the nature of the long-term contracts and the estimation process with the CFO. He showed me how the electronic billing software works to remove any contractual allowances from revenue. The rates are built into the application. Periodic updates are downloaded from the government payors and insurers as rates change.

Some new contracts span over a period of years with variable consideration in the form of a bonus. The CFO showed me the process he uses for estimating the variable consideration, including where he obtains the inputs. I asked whether he made any kind of hindsight review and learned that the contracts were too new to look at in hindsight since none of them had final settlements. I recalculated based on my discussions with the CFO.

I believe that the controls are suitably designed and have been implemented. We did not test controls.

Understanding internal control over fraud risks

Comprehensive Example, Part 4 (cont.)

Account balance: Revenue recognition

Risk of material misstatement due to fraud: Valuation. The entity has a standard charge for its services. Some services to certain clients/patients are paid at various rates. In addition, there are those patients without insurance where the entity may reduce the price based on customary business practices. The difference between the standard charge and the rate negotiated with the payor is a reduction of revenue. In addition, the write-offs of uninsured patient receivables based on customary business practice are also a reduction of revenue. The entity has compensation arrangements with executives that are based on revenue. The risk of fraud is that amounts that should be recognized as a reduction of revenue will be recognized as bad debt expense. This would inflate the variable compensation due to the executives.

Understanding of internal controls: I discussed the process used to estimate the effect of the customary business practice of writing down uninsured patient receivables. The CFO does not have a good process in place to capture information that would make it easy to identify patient receivable write-downs. They are run through the allowance for doubtful accounts. Based on my discussions with the CFO this is a significant deficiency. The write-downs are not material. However, the current practice shows a lack of understanding of ASC 606. This will be noted as a significant deficiency. Based on our discussions I do not believe that this represents fraudulent activity to misstate revenue or bad debt expense.

Understanding internal control over fraud risks

Comprehensive Example, Part 4 (cont.)

Account balance: Management override

Risk of material misstatement due to fraud: The risk of fraud is that management could understate or overstate the allowance for doubtful accounts. We believe that it is more likely that the allowance would be overstated due to the compensation issue discussed above.

Understanding of internal controls: See discussion above and note that we will issue an AU-C 265 letter citing this as a significant control deficiency.
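The COO's monthly review in Part 4 is a three-way match: each billed visit is checked against the vehicle log for that aide and day (did the car go anywhere, for how long, and how far) and against the patient's plan of care (is the service authorized, is the time within the allotted range). What follows is an added example, not the course's material and not the entity's tracking system, showing that match automated over constructed sample records so that every billed visit, rather than 40 per month, is screened and only the exceptions go to the COO. The record layouts, the allotted-minute ranges, the mileage tolerance and the billing slack are assumptions for the example.

```python
from dataclasses import dataclass
from datetime import date, datetime


@dataclass(frozen=True)
class PlanOfCare:
    patient_id: str
    service: str
    min_minutes: int         # allotted visit length from the operations manual
    max_minutes: int
    round_trip_miles: float  # office to the patient's home and back


@dataclass(frozen=True)
class BilledVisit:
    claim_id: str
    patient_id: str
    aide: str
    visit_date: date
    service: str
    billed_minutes: int


@dataclass(frozen=True)
class VehicleLog:
    aide: str
    start: datetime
    end: datetime
    miles: float


# Assumed tolerances for the example; a real operations manual would set them.
MILEAGE_TOLERANCE = 0.25    # a trip may exceed the plan's round trip by 25%
BILLING_SLACK_MINUTES = 15  # billed time may exceed logged time by this much


def reconcile(visits, logs, plans):
    """Three-way match of each billed visit against the aide's vehicle log for
    that day and the patient's plan of care. Returns {claim_id: [reasons]} for
    every visit that does not reconcile; an empty dict means all visits did."""
    exceptions = {}
    for v in visits:
        reasons = []
        plan = plans.get(v.patient_id)
        if plan is None:
            reasons.append("no plan of care on file for patient")
        elif plan.service != v.service:
            reasons.append(f"billed {v.service!r} but plan authorizes {plan.service!r}")

        trips = [t for t in logs if t.aide == v.aide and t.start.date() == v.visit_date]
        if not trips:
            # Strongest fictitious-visit indicator: the aide's car never moved that day.
            reasons.append("no vehicle log for aide on visit date")
        else:
            # Assumption: the longest trip of the day is the billed visit.
            trip = max(trips, key=lambda t: t.end - t.start)
            logged = int((trip.end - trip.start).total_seconds() // 60)
            if v.billed_minutes > logged + BILLING_SLACK_MINUTES:
                reasons.append(f"billed {v.billed_minutes} min, only {logged} min logged")
            if plan is not None:
                if not plan.min_minutes <= logged <= plan.max_minutes:
                    reasons.append(f"logged {logged} min outside plan range "
                                   f"{plan.min_minutes}-{plan.max_minutes}")
                if trip.miles > plan.round_trip_miles * (1 + MILEAGE_TOLERANCE):
                    reasons.append(f"{trip.miles} mi driven vs {plan.round_trip_miles} mi round trip")
        if reasons:
            exceptions[v.claim_id] = reasons
    return exceptions


# Constructed sample records (no real patients, aides or claims).
PLANS = {p.patient_id: p for p in [
    PlanOfCare("P-101", "skilled nursing", 45, 60, 12.0),
    PlanOfCare("P-102", "personal care", 60, 120, 8.5),
]}
VISITS = [
    BilledVisit("C-1", "P-101", "rivera", date(2021, 3, 2), "skilled nursing", 60),
    BilledVisit("C-2", "P-102", "chen", date(2021, 3, 2), "personal care", 120),
    BilledVisit("C-3", "P-101", "rivera", date(2021, 3, 5), "skilled nursing", 60),
    BilledVisit("C-4", "P-102", "rivera", date(2021, 3, 3), "physical therapy", 60),
    BilledVisit("C-5", "P-103", "chen", date(2021, 3, 3), "personal care", 90),
]
LOGS = [
    VehicleLog("rivera", datetime(2021, 3, 2, 9, 0), datetime(2021, 3, 2, 9, 55), 12.4),
    VehicleLog("chen", datetime(2021, 3, 2, 13, 0), datetime(2021, 3, 2, 13, 20), 3.1),
    VehicleLog("rivera", datetime(2021, 3, 3, 10, 0), datetime(2021, 3, 3, 11, 15), 31.0),
    VehicleLog("chen", datetime(2021, 3, 3, 8, 0), datetime(2021, 3, 3, 9, 30), 9.0),
]


if __name__ == "__main__":
    for claim, reasons in reconcile(VISITS, LOGS, PLANS).items():
        print(claim, "->", "; ".join(reasons))
```

In the sample, C-1 reconciles cleanly; C-3 is the fictitious-visit case (billed, but no trip logged); C-2 is a 20-minute trip billed as two hours; C-4 is an unauthorized service with mileage that looks like the errand-running the workpaper mentions; C-5 has no plan of care at all. The check is only as strong as the GPS log's integrity, so the auditor's understanding of the control should also cover who can edit or delete log records and whether the COO reviews the logs from the device vendor's export rather than from a spreadsheet the aides can reach.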

Documentation

• Understanding of the entity and its environment and the assessment of the risks of material misstatement (The fraud risk documentation is naturally included in with the assessment of risk of material misstatement; this is a major component of risk assessment documentation)

• Significant decisions reached during the discussion among the engagement team regarding the susceptibility of the entity's financial statements to material misstatement due to fraud

• How and when the team discussion occurred and the audit team members participating

• Identified and assessed risks of material misstatement due to fraud at the financial statement level and at the assertion level

Documentation

• Responses to the assessed risks of material misstatement

• Overall responses to the assessed risks of material misstatement due to fraud at the financial statement level and the nature, timing, and extent of audit procedures, and the linkage of those procedures with the assessed risks of material misstatement due to fraud at the assertion level

• Results of the audit procedures, including those designed to address the risk of management override of controls

• Communications about fraud made to management, those charged with governance, regulators, and others

• If the auditor has concluded that the presumption that there is a risk of material misstatement due to fraud related to revenue recognition is overcome in the circumstances of the engagement, the auditor should include in the audit documentation the reasons for that conclusion

Documentation

• Fraud Procedures Summary Form (columns: Fraud Evaluation Element; Where this is addressed; Signoff)

Fraud evaluation element: Discussion among engagement personnel in planning the audit regarding the susceptibility of the entity's financial statements to material misstatement due to fraud.
Where this is addressed: See the team discussion workpaper XX.
Signoff: AR 3/20/X2

Fraud evaluation element: Inquiries of management and others within the entity about the risks of fraud (this should include direct face-to-face discussions as well as any questionnaires deemed appropriate).
Where this is addressed: See workpaper XX-1 documenting discussions with management, other personnel and those charged with governance.
Signoff: AR 3/20/X2

Fraud evaluation element: Consideration of preliminary analytical procedures, including procedures specifically related to revenue.
Where this is addressed: Revenue recognition was already identified as a risk of fraud, so analytical procedures were performed at a more detailed level in workpaper XX.
Signoff: AR 3/20/X2

Documentation

• Fraud Procedures Summary Form (cont.)

Fraud evaluation element: Other procedures performed to obtain information necessary to identify and assess the risks of material misstatement due to fraud.
Where this is addressed: We were alert to unusual fluctuations in account balances in preliminary analytical procedures but found that those balances supported our expectations (i.e., patients and therefore revenue decreased in the current year).
Signoff: AR 3/20/X2

Fraud evaluation element: Specific risks of material misstatement due to fraud that were identified and description of the auditor's overall and specific responses.
Where this is addressed: The specific risks of fraud identified were the revenue recognition and evaluation of the allowance. These were documented at workpaper XX and also in the team meeting.
Signoff: AR 3/20/X2

Fraud evaluation element: Understanding of internal control over fraud risks.
Where this is addressed: See workpaper XX for this understanding. Note the significant deficiency discussed at that workpaper.
Signoff: AR 3/20/X2

Documentation

• Fraud Procedures Summary Form (cont.)

Fraud evaluation element: The auditor's reasons supporting a conclusion that improper revenue recognition is not a risk of material misstatement due to fraud.
Where this is addressed: We believe that improper revenue recognition is not a significant fraud risk for patient/client revenue. See assessment at workpaper XX.
Signoff: AR 3/20/X2

Fraud evaluation element: Results of procedures performed to further address the risk of management override of controls, including identification of JEs tested.
Where this is addressed: Journal entry testing was performed. No issues were noted. See workpaper XX.
Signoff: AR 3/20/X2

Fraud evaluation element: Other conditions and analytical relationships that caused the auditor to believe that additional auditing procedures or other responses were required, and any further responses that the auditor deemed appropriate.
Where this is addressed: There were none.
Signoff: AR 3/20/X2

Documentation

• Fraud Procedures Summary Form (cont.)

Fraud evaluation element: Planned responses to assessed risks.
Where this is addressed: See workpaper XX for a summary of the plan. Substantive tests were performed at workpapers XX, XX and XX. (Note that substantive testing was not illustrated in the comprehensive example.)
Signoff: AR 3/20/X2

Case study 3

Questions

1. How does an auditor know if the board and management are really experienced enough so that their oversight really mitigates a lack of segregation of duties?

2. The audit firm made all of the inquiries of management and the board related to fraud. In addition, they performed analytical procedures on the line items where the fictitious amounts were located, and their analysis was a five-year trend comparison. No unusual fluctuations were noted. They vouched 10 of the fictitious invoices. Why do you believe nothing unusual was noted?

Case study 3

Questions (cont.)

3. What is the auditor’s responsibility as it relates to the evaluation of fraud and what could they have done differently?

4. Do you believe that a management letter comment or a communication containing a significant deficiency or material weakness should have been issued by the auditors?

5. Assuming that the board was sincere, what other procedures could be put in place to reduce the risk of fraud in a very small entity?

Communications About Fraud

Chapter 4

Learning objectives

• Upon reviewing this chapter, the reader will be able to:

– Understand actions to take when fraud is identified under various conditions; and

– Prepare appropriate written communications

Evaluation of audit evidence

• Objectives of the auditor when performing a fraud risk analysis are to:

– Identify and assess the risks of material misstatement of the financial statements due to fraud;

– Obtain sufficient appropriate audit evidence regarding the assessed risks of material misstatement due to fraud, through designing and implementing appropriate responses; and

– Respond appropriately to fraud or suspected fraud identified during the audit

Identification of fraud or suspected fraud

• When performing audit procedures, evaluation of audit evidence as it relates to fraud happens during the audit and at or near the end of the audit

• Auditor evaluates misstatements noted during the audit as to whether they might be an indication of fraud

• Possibility of fraud in one area has implications for other areas

• Management level

• Employee level

Withdrawal from the audit

• May be times when the auditor identifies issues or circumstances that cause withdrawal from the audit

• Identification of fraud, even an immaterial instance, about which management takes no appropriate action

• Concerns about the competence or integrity of management or those charged with governance

• Auditor should consider professional and legal responsibilities

• Before withdrawing auditor should discuss the reasons with management and those charged with governance

• Consider consulting with legal counsel

• Sometimes an auditor is not able to withdraw (government or nonprofit)

Communications with management

• Report findings to the appropriate level of management, at least one level above the person(s) involved in the fraud

• Report as soon as practicable

• Evaluate whether this is a deficiency, significant deficiency, or material weakness

• Significant deficiencies and material weaknesses are reported in writing

• Document communications with management in the workpapers

Communications with governance

• Report to governance when fraud involves:

– Management;

– Employees with significant roles in the internal control structure; or

– Material misstatement of financial statements

• Report as soon as possible

• Auditor may report orally or in writing

• If matter involves senior management or a material misstatement it should be in writing

• Auditor may agree with governance in advance on how immaterial matters (e.g., employee fraud that is not material) will be communicated

• Consult with legal counsel

Communications with governance

• Consider discussing with governance when:

– Concerns about the nature, extent, and frequency of assessments of preventive and detective internal controls

– Management’s failure to address identified significant deficiencies or material weaknesses in internal control, or respond to an identified fraud

– The auditor's assessment of the entity's control environment which could include concerns about the competence and integrity of management

– Actions by management that might indicate possible fraudulent financial reporting, such as management's selection of accounting policies that could be used to manage earnings or cover up other issues that could affect a financial statement user’s judgment

– Concerns about the method of authorizing transactions that appear to be outside the normal course of business

Communications to regulatory and enforcement authorities

• Determine what responsibilities the auditor has to report to others outside the entity

• May appear to be a breach of the auditor's duty of confidentiality, but in some circumstances a statutory duty to report overrides it

• May be required to report if management and governance do not take corrective action

Internal Controls to Prevent and Detect Fraud

Chapter 5

Learning objectives

Upon reviewing this chapter, the reader will be able to:

• Identify entity level controls that help to prevent fraud;

• Identify control activities to prevent and detect fraud;

• Identify which controls are responsive to the most common fraud schemes; and

• Evaluate deficiencies in internal control to characterize them as significant deficiencies or material weaknesses

Introduction

• Financial statement audits may identify deficiencies that if uncorrected could provide the opportunity for fraud

• Other services a practitioner can perform:

– Provide an opinion on the effectiveness of internal control under the AICPA attestation standards;

– Perform an integrated audit as prescribed by the PCAOB;

– Report on the internal control of a service organization under the Statements on Standards for Attestation Engagements;

– Report on the results of internal audit assistance services;

– Perform consulting engagements on implementation of measures to reduce the risk of fraud; and

– Perform consulting engagements to help the entity design or improve its internal control

Failure of entity level controls is responsible for high profile frauds

Most prevalent control weaknesses

COSO Framework revisions

• 1992 COSO Framework

• Revised in 2013

– Technology

– Complex regulations

– Globalization

– Governance

Anti-fraud controls

COSO Framework revisions

• Changes in implementation rates from 2010-2018

• Some controls are important for certain entities and not others

• Gift acceptance policy in governments

COSO Integrated Framework

• Controls to prevent, detect and correct fraud or error

• Absolute assurance is not possible

• Lapses in internal control due to human nature and possibility of management override and collusion

• Principles-based framework which categorizes internal controls into 5 components:

– Control environment (Principles 1 – 5)

– Risk assessment (Principles 6 – 9)

– Control activities (Principles 10 – 12)

– Information & communication (Principles 13 – 15)

– Monitoring (Principles 16 – 17)

• It can be used for any type of entity

Control environment – principle 1

Principle 1. The organization demonstrates a commitment to integrity and ethical values

• Setting the Tone at the Top - The board and management demonstrate the importance of integrity and ethical values to support the functioning of internal control in:

– Mission and values statements;

– Standards or codes of conduct;

– Policies and practices;

– Operating principles;

– Directives, guidelines, and other supporting communications;

– Actions and decisions of management at various levels and governance;

– Attitudes and responses to deviations from standards of conduct; and

– Informal and routine actions and communication of leaders at all levels of the entity

Control environment – principle 1

• Establishing Standards of Conduct - The board’s expectations of management for integrity and ethical values are understood at all levels by:

– Establishing what is right and wrong;

– Providing guidance for considering associated risks in navigating gray areas; and

– Reflecting legal and regulatory expectations by stakeholders

• Management is ultimately accountable for activities delegated to outsourced service providers

Control environment – principle 1

• Evaluates Adherence to Standards of Conduct and Addresses Deviations in a Timely Manner - Red flags that may indicate a lack of adherence to standards are:

– Tone at top does not effectively convey expectations;

– Board does not provide impartial oversight of management;

– Decentralization without adequate oversight;

– Coercion by superiors, peers, or external parties;

– Performance goals that create pressure to cut corners;

– Inadequate channels for employee feedback;

– Failure to remedy non-existent or ineffective controls;

– Inadequate complaint response process;

– Weak internal audit function; and

– Inconsistent, insignificant, or unpublicized penalties

Control environment – principle 1

• Case Study 1

– Assume you are in charge of the audit team. What other procedures would you have performed to determine whether the tone from the top related to integrity and ethical values had changed since the implementation of the IA?

Control environment – principle 1

• Case Study 1 – Suggested Solution

– An auditor can learn more from asking questions and corroborating the answers

– This is an essential part of an understanding of internal control

– The auditor wants to understand the effect that the implementation of the controls has on the people who are performing the controls or are affected by the controls

– The code of ethics and the hotline may be appropriately designed, but if the controls are not properly implemented (for example, inadequate training) they will not be effective

– Conversely, the design may be flawed. Management may also override these controls through an inappropriate or dismissive attitude from senior management

Control environment – principle 1

• Deviations from the standards of conduct are identified and remedied timely by:

– Defining a set of indicators to identify issues;

– Establishing continual and periodic compliance procedures to confirm that expectations and requirements are being met;

– Identifying, analyzing, and reporting business conduct issues and trends to senior management and the board;

– Evaluating the strength of leadership in the demonstration of integrity and ethical values for performance reviews, compensation, and promotions;

– Compiling allegations centrally with independent evaluation;

– Investigating allegations using defined investigation protocols;

– Implementing corrections timely and consistently; and

– Periodically reviewing issues

Control environment – principle 2

Principle 2. The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control

• Establishes Oversight Responsibilities - The board identifies and accepts its oversight responsibilities. Public companies in many jurisdictions are required to have certain board committees

• Applies Relevant Expertise - The board defines, maintains and evaluates the skills needed among its members. Specialized skills needed among board members may include:

• Internal control mindset

• Market and entity knowledge

• Financial expertise

• Legal and regulatory expertise

• Social and environmental expertise

• Incentives and compensation

• Relevant systems and technology


Control environment – principle 2

• Operates Independently - The board has sufficient members who are independent and objective

• Provides Oversight for the System of Internal Control - The board maintains oversight of management’s design, implementation, and conduct of internal control


Control environment – principle 3

Principle 3. Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives

• Consideration of All Structures of the Entity & Establishment of Reporting Lines of Responsibility - Many variables must be considered when establishing organizational structures, including:

– Nature, size, and geographic distribution of the entity’s business;

– Risks related to the entity’s objectives and business processes;

– Nature of the assignment of authority;

– Definition of reporting lines; and

– Financial, tax, regulatory, and other reporting requirements

• Management and governance consider these variables and the risk when establishing or changing the organizational structure


Control environment – principle 3

• Defines, Assigns, and Limits Authorities and Responsibilities

– Board stays informed and challenges senior management for guidance on significant decisions

– Senior management establishes directives, guidance, and control to enable staff to understand and carry out their duties

– Management executes senior management’s directives

– Personnel understand standards and objectives for their area

– Management and responsible personnel oversee outsourced service providers

– Authority empowers, but limitations of authority are needed


Control environment – principle 4

Principle 4. The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives

• Management and the Board Establish Policies and Practices

– Requirements and rationale

– Skills and conduct necessary to support internal control

– Defined accountability for performance of key business functions

– Basis for evaluating shortcomings and defining remedial actions

– Means to react dynamically to change


Control environment – principle 4


• Evaluates Competence and Addresses Shortcomings

– Knowledge, skills, and experience needed

– Nature and degree of judgment needed for a specific position

– Cost-benefit analysis of different skill and experience levels

• Attracts, Develops, and Retains Individuals

• Plans and Prepares for Succession - Management develops contingency plans for assigning responsibilities important to internal control. The board develops succession plans for key executives and trains and coaches succession candidates for each target role


Control environment – principle 5

Principle 5. The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives

• Enforces Accountability through Structures, Authorities, and Responsibilities - The tone at the top helps to establish and enforce accountability, morale, and a common purpose through:

– Clarity of expectations;

– Guidance through philosophy and operating style;

– Control and information flow;

– Anonymous or confidential communication channels for reporting ethical violations;

– Employee commitment toward collective objectives; and

– Management’s response to deviation from standards


Control environment – principle 5

• Establish and Evaluate Performance Measures, Incentives, and Rewards - Good performance measures, incentives, and rewards support an effective system of internal control. Key success measures include:

– Clear Objectives – Consider all levels of personnel and the multiple dimensions of expected conduct and performance

– Defined Implications – Communicate objectives, review relevant market events, and communicate consequences of failure

– Meaningful Metrics – Define metrics, measure expected vs. actual and assess the expected impact

– Adjustment to Changes – Regularly adjust performance measures based on continual risk/reward evaluation


Control environment – principle 5

• Management and the Board Consider Excessive Pressures - Excessive pressures can cause undesirable side effects. Excessive pressures are most commonly associated with:

– Unrealistic targets, especially short-term;

– Conflicting objectives of different stakeholders; and

– Imbalance between rewards for short-term vs. long-term objectives

• Evaluates Performance and Rewards or Disciplines Individuals - At each level, adherence to standards of conduct and expected levels of competence are evaluated, and rewards allocated, or disciplinary action exercised as appropriate


Control environment – principle 5

• COSO Principle 5 identifies formal reporting mechanisms as an important technique (preventive and detective control)

– The follow-up and investigation of hotline or other communications along with the penalties for infractions provides the entity with an opportunity to detect where fraud has occurred and make the appropriate corrections

– It is also a deterrent if employees realize that there are repercussions for fraudulent activities


Control environment – principle 5

• Case Study 2 Questions

1. Based on the facts presented in this case do you believe that the board was culpable in any respect?

2. Do you believe that the board had the competency needed as those charged with governance?

3. If you were the auditor what entity level controls might you have recommended?

4. As an auditor how might you have determined whether the board had the necessary competence so their oversight would be an effective internal control?


Control environment – principle 5

• Case Study 2 – Suggested Solutions

1. The board is always culpable because they are the oversight body

• Asked for material weakness to be removed from the AU-C 265 communication and even though they accepted the auditor’s suggested control to review all checks written and evaluate the transactions analytically each month, they lacked the skill to perform the control at the necessary level. The board did not appear to do an assessment of fraud risk

2. Although the board appears to have been engaged, they were not knowledgeable about how fraud could occur and did not have the skills to evaluate the analytical procedures

• The board did not appear to seek out training to obtain any of the skills needed from the facts presented


Control environment – principle 5

• Case Study 2 – Suggested Solutions

3. The auditor should not have removed the material weakness based on the board’s skill level

• The compensating controls of analytical procedures and reviewing a list of checks written were not sufficient

• The auditor could recommend a new vendor setup that is approved by the board, a fraud risk assessment by the board, and redesigned analytical procedures to show cost per unit where meaningful. Other unitized analytics are helpful

• The case does not say anything about how the board communicates the tone of zero tolerance for stealing and the need to report results accurately


Control environment – principle 5

• Case Study 2 – Suggested Solutions

4. This is difficult since most board members do not understand the risk of fraud. The auditor could provide training, guidance as it relates to performing a fraud risk assessment, and a template for analytical procedures. By interacting more with the board members, the auditor can assess their competence


Control environment – principle 5

• Case Study 3 Question

1. It’s never too late to understand where a fraud can occur in a company. If you were performing a fraud risk assessment, where would the risk of fraud be in this company?


Control environment – principle 5

• Case Study 3 - Suggested Solution

– In an environment where there are very few employees, management has to be very involved. This means being visible or hiring a higher-level executive to be visible

– The manager should be concerned with inventory levels and take inventories of the high-dollar-value items, monthly at first and then, if no issues appear, less frequently

– Codes should not be given to employees whether to the safe or to the gas pumps. Collusion occurred in this case but if management did not give out sensitive information or let employees know where the code was stored there would be less chance for fraud


Control environment – principle 5

• Employees are a major source of tips


Risk assessment – principle 6

Principle 6. The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives

• Operations Objectives

• External Financial Reporting Objectives

• External Non-Financial Reporting Objectives

• Internal Reporting Objectives

• Compliance Objectives


Risk assessment – principle 7

Principle 7. The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed

• Includes Entity, Subsidiary, Division, Operating Unit, and Functional Levels

– Entity-level risk identification is at a high level and does not include assessing transaction-level risks

– Process-level risk identification is more detailed and includes transaction-level risks

– Management also assesses risks from outsourced service providers, key suppliers, and channel partners


Risk assessment – principle 7

• Analyzes Internal and External Factors - Management realizes that risk is dynamic and considers the rate of change in these risks:

– Economic;

– Regulatory;

– Foreign operations;

– Social; and

– Technological

• Management evaluates the internal factors affecting entity-level risk including:

– Infrastructure and use of capital resources;

– Management structure;

– Personnel, including quality, training and motivation;

– Access to assets, including possibilities for misappropriation; and

– Technology, including possibility of IT disruption

• Management solicits input from employees as to transaction-level risks (also see control activities)


Risk assessment – principle 7

• Involves Appropriate Levels of Management - Effective risk assessment mechanisms match an appropriate level of management expertise to each risk

• Estimates Significance of Risks Identified - Management assesses the significance of risks and:

– Likelihood of risk occurring and impact;

– Velocity or speed to impact upon occurrence of the risk; and

– Persistence or duration of time of impact after occurrence of risk

• Management determines how to respond to risks. Risk responses fall within the following categories:

– Acceptance: No action taken

– Avoidance: Exiting the risky activities

– Reduction: Action taken to reduce likelihood, impact, or both

– Sharing: Transferring part of the risk, for example, insurance

• Segregation of duties needed to get intended significance reduction

• Cost/benefit of response options


Risk assessment – principle 8

Principle 8. The organization considers the potential for fraud

• Management and the Board Have an Awareness of How Fraud Can Occur

– Fraudulent financial reporting

– Fraudulent non-financial reporting

– Misappropriation of assets

– Illegal acts


Risk assessment – principle 8

• As part of the risk assessment process, management identifies various fraud possibilities

– Management bias

– Degree of estimates and judgments in external reporting

– Fraud schemes and scenarios common in the industry

– Geographic regions

– Incentives

– Technology and management’s ability to manipulate information

– Unusual or complex transactions

– Vulnerability to management override


Risk assessment – principle 8

• Management Assesses Incentives and Pressures and Management Assesses Opportunities for Fraud to Occur - The likelihood of loss of assets or fraudulent external reporting increases when there is:

– A complex or unstable organizational structure;

– High employee turnover, especially in accounting, operations, risk management, internal audit or technology;

– Ineffectively designed or poorly executed controls; and

– Ineffective technology systems


Risk assessment – principle 8

• Management Assesses Attitudes and Rationalizations

– Considers it “borrowing,” intends to repay

– Believes entity “owes” him something because of some form of job dissatisfaction

– Doesn’t understand or care about consequences

– Doesn’t understand or care about accepted ideas of decency and trust


Risk assessment – principle 9

Principle 9. The organization identifies and assesses changes that could significantly impact the system of internal control

• Management Assesses Changes in the External Environment

• Management Assesses Changes in the Business Model

• Management Assesses Changes in Leadership


Information and communication – principle 13

Principle 13. The organization obtains or generates and uses relevant, quality information to support the functioning of internal control

• Management Identifies Information Requirements - Management identifies and defines information requirements at the relevant level and with requisite specificity. This is an ongoing and iterative process

• Management Captures Internal and External Sources of Data


Information and communication – principle 13

• Management Ensures that the Systems Process Relevant Data into Information

• Management Ensures that Systems Maintain Quality throughout Processing

• Management Considers Costs and Benefits of Internal Controls


Information and communication – principle 14

Principle 14. The organization internally communicates information, including objectives and responsibilities for internal control

• Management Communicates Internal Control Information

– Policies and procedures that support personnel in performing their internal control responsibilities

– Specified objectives

– Importance, relevance, and benefits of effective internal control

– Roles and responsibilities of management and other personnel in performing controls

– Expectations of the entity to communicate within the entity any significant internal control matters including weakness, deterioration, or non-adherence


Information and communication – principle 14

• Management Communicates with the Board of Directors - Communication between management and the board provides the board with information needed to exercise its oversight responsibility for internal control

• Management Provides Separate Communication Lines - There must be open channels of communication and a clear willingness to report and listen

– Whistleblower and ethics hotlines and anonymous or confidential reporting via information systems


Information and communication – principle 14

• Management Selects Relevant Method of Communication - Clarity of information and effectiveness with which it is communicated are important to ensure messages are received as intended


Information and communication – principle 15

Principle 15. The organization communicates with external parties regarding matters affecting the functioning of internal control

• Management Ensures that the Level of Communication to External Parties is Appropriate

• Management Enables Inbound Communications

• Management Enables Communications from External Parties to the Board of Directors

• Management Provides Separate Communication Lines – and that separate communication channels, such as whistleblower hotlines, are in place

• Management Selects Relevant Method of Communication


Monitoring – principle 16

Principle 16. The organization selects, develops, and performs ongoing and/or separate evaluations of internal control

• Management Considers a Mix of Ongoing and Separate Evaluations

• Management Considers Rate of Change

• Management Establishes Baseline Understanding of the System of Internal Controls

• Management Uses Knowledgeable Personnel for Monitoring Tasks - There are a variety of approaches available to perform separate evaluations, including:

– Internal audit evaluations;

– Other objective evaluations;

– Cross-operating unit or functional evaluations;

– Benchmarking/peer evaluations; and

– Self-assessments


Monitoring – principle 16

• Management Integrates Ongoing Evaluations with Business Processes

• Management Adjusts Scope and Frequency of Separate Evaluations Depending on Risk and Makes Objective Evaluations to Provide Good Feedback


Monitoring – principle 17

Principle 17. The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate

• Management and the Board Assess Results of Monitoring Procedures - Management and the board regularly assess internal control for deficiencies. Information comes from a variety of sources, including:

– Ongoing evaluations;

– Separate evaluations;

– Other internal control components; and

– External parties such as customers, vendors, external auditors, and regulators


Monitoring – Principle 17

• Management Communicates Deficiencies in Internal Control - Communicating internal control deficiencies to the right parties to take corrective actions is critical for entities to achieve objectives. In some cases, external reporting of a deficiency may be required by laws, regulations, or standards

• Management Monitors Corrective Actions - After internal control deficiencies are evaluated and communicated to those parties responsible for taking corrective action, management tracks whether remediation efforts are conducted timely. When deficiencies are not corrected on a timely basis, management revisits the selection and deployment of monitoring activities, until corrective actions have remediated the internal control deficiency


Question for discussion

What are some separate and ongoing evaluations that could be used by internal auditors or if there was no internal audit department, by management or staff to identify anomalies in data that might indicate fraudulent activity?


Control activities

• Segregation of duties - The Foundation for Control Activities

– Segregate duties among personnel in order to ensure that no one person has control over two or more phases of a transaction or operation

– Segregation of duties reduces the opportunity to perpetrate and conceal errors or fraud in the normal course of employee’s assigned functions

– Segregation of duties is generally built into the selection and development of control activities

– When optimal segregation of duties is not possible, management needs to consider the risk, implement additional controls as needed and consider that members of management will need to set a very strong tone from the top and perform additional monitoring
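The "no one person controls two or more phases of a transaction" rule above can be checked mechanically. The following is an added example, not the course's segregation-of-duties diagnostic and not the Case Study 4 answer; the duty catalogue, cycle names and staffing are constructed for illustration.

```python
from collections import defaultdict
from typing import Dict, Iterable, List

# Hypothetical duty catalogue: duty name -> (transaction cycle, phase).
# The four phases (authorize, record, custody, reconcile) are the classic
# incompatible functions; the cycle and duty names are constructed here.
DUTY_CATALOGUE: Dict[str, tuple] = {
    "approve_vendor_invoice":   ("disbursements", "authorize"),
    "enter_vendor_invoice":     ("disbursements", "record"),
    "sign_checks":              ("disbursements", "custody"),
    "reconcile_bank_statement": ("disbursements", "reconcile"),
    "approve_credit_memo":      ("receipts", "authorize"),
    "post_customer_payment":    ("receipts", "record"),
    "open_mail_list_receipts":  ("receipts", "custody"),
    "reconcile_ar_subledger":   ("receipts", "reconcile"),
}


def find_conflicts(assignments: Dict[str, Iterable[str]]) -> Dict[str, Dict[str, List[str]]]:
    """Return {person: {cycle: [phases]}} for everyone who holds two or more
    phases of the same transaction cycle, i.e. every violation of the rule."""
    conflicts: Dict[str, Dict[str, List[str]]] = {}
    for person, duties in assignments.items():
        phases_by_cycle: Dict[str, set] = defaultdict(set)
        for duty in duties:
            try:
                cycle, phase = DUTY_CATALOGUE[duty]
            except KeyError:
                raise ValueError(f"unknown duty {duty!r}; add it to DUTY_CATALOGUE") from None
            phases_by_cycle[cycle].add(phase)
        bad = {c: sorted(p) for c, p in phases_by_cycle.items() if len(p) >= 2}
        if bad:
            conflicts[person] = bad
    return conflicts


def cycles_needing_extra_monitoring(conflicts: Dict[str, Dict[str, List[str]]]) -> List[str]:
    """Cycles where a conflict remains. In a small entity that cannot fully
    segregate, these are the cycles that need additional controls and
    owner-level monitoring, as the slide describes."""
    return sorted({cycle for bad in conflicts.values() for cycle in bad})


# Constructed staffing for a small business (sample data, not a real entity).
SAMPLE_ASSIGNMENTS = {
    "bookkeeper": ["enter_vendor_invoice", "sign_checks",
                   "reconcile_bank_statement", "post_customer_payment"],
    "admin":      ["open_mail_list_receipts"],
    "owner":      ["approve_vendor_invoice", "approve_credit_memo"],
}

if __name__ == "__main__":
    found = find_conflicts(SAMPLE_ASSIGNMENTS)
    for person, bad in found.items():
        for cycle, phases in bad.items():
            print(f"{person}: holds {', '.join(phases)} in the {cycle} cycle")
    print("cycles needing additional monitoring:", cycles_needing_extra_monitoring(found))
```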


Case study 4

• Instructions:

• Using the segregation of duties diagnostic, propose a segregation of duties plan for Nora and Wayne’s repair business. Personnel include:

• Ann, Bookkeeper – Assume that the bookkeeper is full time (40 hours)

• Andy, administrative person – Assume that the administrative person spends 30 hours a week on taking orders and scheduling and has 10 hours to spend on other tasks

• Non-accounting personnel such as repair personnel could be trained to perform some of the less technical duties

• There is no governing board

• Owners (Wayne and Nora)

For the suggested answer see page 5-49 in the manual


Control activities – principle 10

Principle 10. The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels

• Management Integrates Control with Risk Assessments Performed

• Management Considers Entity-Specific - Differences in objectives, risk, risk responses, and related control activities

• Management Determines Relevant Business Processes

– Completeness: Transactions that occur are recorded

– Accuracy: Transactions are timely recorded at the correct amount in the correct account

– Validity: Recorded transactions represent economic events that actually occurred


Control activities – principle 10

• Management Evaluates a Mix of Control Activity Types - Management considers a variety of transaction control activities for its control portfolio including:

– Authorizations and approvals;

– Verifications;

– Physical controls;

– Controls over standing data (e.g., master files);

– Reconciliations; and

– Supervisory controls

• Management considers a mix of control activities that are preventive and detective


Control activities – principle 10

• Management Considers at What Level Activities Are Applied - In addition to transaction-level controls, management selects and develops a mix of controls that operate more broadly and at higher levels (business performance or analytical reviews involving comparisons of different sets of operating or financial data)

– These relationships are analyzed, investigated, and corrective action taken

• Management Addresses Segregation of Duties


Control activities – principle 11

Principle 11. The organization selects and develops general control activities over technology to support the achievement of objectives

• Management Determines Dependency Between the Use of Technology in Business Processes and Technology General Controls and Implements Effective General Controls

– The reliability of technology within business processes, including automated controls, depends on the selection, development, and deployment of general control activities over technology

– These general controls help ensure that automated processing controls work properly initially, and that they continue to function properly after implementation. General controls apply to technology infrastructure, security management, and technology acquisition, development, and maintenance

– They also apply to all technology, both IT and technology used in production processes


Control activities – principle 11


• Management Establishes Relevant Technology Infrastructure Control Activities

– Technology infrastructure may include computers, networks, power supply and backup systems, software, and robotics

– This infrastructure is often complex and rapidly changing. These complexities present risks that need to be understood and addressed, and management should track changes and assess and respond to new risks


Control activities – principle 11

• Management Establishes Relevant Security Management Process Control Activities

– Security management includes sub-processes and controls over who and what has access to an entity’s technology, including who has the ability to execute transactions

– Security threats can come from both internal and external sources. Evaluating and responding to external threats will be more important when there is reliance on telecom networks and the internet

– Internal threats may come from former or disgruntled employees, who pose unique risks. User access to technology is generally controlled by authentication controls

– These controls are very important and are often the most abused by employees who may share access codes (generally passwords) and IT personnel who do not immediately shut off an employee’s unneeded access to systems resulting from job change or termination
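The access failures just described (accounts not shut off after termination or job change) are the kind a periodic user-access review catches. Below is an added example, not course material: it reconciles constructed system-account records against a constructed HR roster; the ROLE_MODEL job-to-role mapping and all names and dates are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Set

# Hypothetical role model: HR job title -> application roles that job should hold.
ROLE_MODEL: Dict[str, Set[str]] = {
    "AP Clerk":   {"ap_entry"},
    "Controller": {"ap_entry", "ap_approve", "gl_post"},
    "Warehouse":  {"inventory_adjust"},
}


@dataclass
class HrRecord:
    employee_id: str
    job_title: str
    terminated_on: Optional[date] = None   # None while still employed


@dataclass
class Account:
    employee_id: str
    enabled: bool
    roles: Set[str]
    last_login: Optional[date] = None


@dataclass
class Finding:
    employee_id: str
    issue: str
    detail: str


def review_access(roster: List[HrRecord], accounts: List[Account],
                  as_of: date, dormant_days: int = 90) -> List[Finding]:
    """Compare each system account with HR's view of the person and flag:
    orphan accounts, accounts still enabled (or used) after termination,
    roles beyond the current job (access not removed after a job change),
    and dormant accounts that nobody has needed for dormant_days."""
    hr = {r.employee_id: r for r in roster}
    findings: List[Finding] = []
    for acct in accounts:
        rec = hr.get(acct.employee_id)
        if rec is None:
            findings.append(Finding(acct.employee_id, "orphan_account", "no matching HR record"))
            continue
        if rec.terminated_on is not None and rec.terminated_on <= as_of:
            if acct.enabled:
                findings.append(Finding(acct.employee_id, "active_after_termination",
                                        f"terminated {rec.terminated_on}, account still enabled"))
            if acct.last_login is not None and acct.last_login > rec.terminated_on:
                findings.append(Finding(acct.employee_id, "login_after_termination",
                                        f"last login {acct.last_login} is after termination"))
            continue
        if not acct.enabled:
            continue
        excess = acct.roles - ROLE_MODEL.get(rec.job_title, set())
        if excess:
            findings.append(Finding(acct.employee_id, "excess_roles",
                                    f"{rec.job_title} should not hold {sorted(excess)}"))
        if acct.last_login is None or (as_of - acct.last_login) > timedelta(days=dormant_days):
            findings.append(Finding(acct.employee_id, "dormant",
                                    f"no login in the last {dormant_days} days"))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, List[str]]:
    """Collapse findings to {employee_id: sorted issue codes} for reporting."""
    out: Dict[str, List[str]] = defaultdict(list)
    for f in findings:
        out[f.employee_id].append(f.issue)
    return {k: sorted(v) for k, v in sorted(out.items())}


# Constructed sample data for one review date (not real people or systems).
AS_OF = date(2019, 6, 30)
SAMPLE_ROSTER = [
    HrRecord("E1", "AP Clerk"),
    HrRecord("E2", "Controller", terminated_on=date(2019, 3, 31)),
    HrRecord("E3", "Warehouse"),          # moved from Controller to Warehouse
    HrRecord("E5", "AP Clerk"),
]
SAMPLE_ACCOUNTS = [
    Account("E1", True, {"ap_entry"}, last_login=date(2019, 6, 28)),
    Account("E2", True, {"ap_entry", "ap_approve", "gl_post"}, last_login=date(2019, 4, 2)),
    Account("E3", True, {"inventory_adjust", "ap_approve"}, last_login=date(2019, 6, 25)),
    Account("E5", True, {"ap_entry"}),    # never logged in
    Account("E9", True, {"gl_post"}, last_login=date(2019, 6, 1)),  # nobody in HR
]

if __name__ == "__main__":
    for f in review_access(SAMPLE_ROSTER, SAMPLE_ACCOUNTS, AS_OF):
        print(f"{f.employee_id}: {f.issue} ({f.detail})")
```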


Control activities – principle 11

• Management Establishes Relevant Technology Acquisition, Development, and Maintenance Process Control Activities

– Technology controls vary depending on risks; large or complex projects have greater risks, and control rigor should be sized accordingly

– Use of packaged software can reduce some risks versus in-house software development

– Another alternative is outsourcing, which, however, presents its own unique risks and often requires additional controls


Control activities – principle 12

Principle 12. The organization deploys control activities through policies that establish what is expected and in procedures that put policies into action

• Management Establishes Policies and Procedures to Support Deployment of Management’s Directives

• Management Establishes Responsibility and Accountability for Executing Policies and Procedures

• Management Specifies that Controls Must Be Performed in a Timely Manner

• Management Ensures that Corrective Action is Taken in Response to Issues Identified

• Management Ensures that Controls are Performed by Competent Personnel

• Management Reassesses Policies and Procedures


Risk and control matrix

• Management should consider using a risk and controls matrix to map significant systems and assertions to internal controls

• Not only for risks but to ensure that there are internal controls responsive to each account balance and class of transaction

• This is a very important activity to perform to help prevent and detect errors and fraud


Selecting controls that are responsive to the risk of fraud

Cash Schemes

• Lapping

• Kiting

• Fictitious Voids and Customer Returns

• Segregation of duties

• Example controls to prevent and detect cash schemes


Selecting controls that are responsive to the risk of fraud

Fraudulent Disbursement Schemes

• Billing

• Check and payment tampering

• Kickbacks

• Duplicate payment

• Stealing checks or theft by electronic transfer

• Segregation of duties

• Example preventive and detective controls


Selecting controls that are responsive to the risk of fraud

Payroll Schemes

• Fictitious employees

• Terminated employees on the payroll

• Inflated wages

• Expense reimbursement and purchasing card fraud

• Segregation of duties

• Example preventive and detective controls
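The disbursement and payroll slides above list schemes but not the detective analytics that expose them. Added example, not course material, serving both slides: it runs three checks over constructed vendor-payment, employee and payroll records (duplicate payments, terminated employees still being paid, and two employees sharing a bank account as a fictitious-employee indicator); the field names, thresholds and data are assumptions.

```python
import re
from collections import defaultdict
from datetime import date, timedelta
from typing import Dict, List, Tuple

# ---- constructed sample data (not real transactions) ----------------------
VENDOR_PAYMENTS = [
    {"id": "P1", "vendor": "Acme Supply", "amount": 4200.00, "paid": date(2019, 5, 3),  "invoice": "A-1001"},
    {"id": "P2", "vendor": "Acme Supply", "amount": 4200.00, "paid": date(2019, 5, 17), "invoice": "A1001"},
    {"id": "P3", "vendor": "Beta Parts",  "amount": 310.50,  "paid": date(2019, 5, 20), "invoice": "B-77"},
    {"id": "P4", "vendor": "Acme Supply", "amount": 4200.00, "paid": date(2019, 9, 2),  "invoice": "A-1140"},
]
EMPLOYEES = [
    {"id": "E1", "name": "A. Lee",     "terminated": None,              "bank": "11110001"},
    {"id": "E2", "name": "B. Ortiz",   "terminated": date(2019, 3, 31), "bank": "22220002"},
    {"id": "E3", "name": "C. Alvarez", "terminated": None,              "bank": "33330003"},
    {"id": "E4", "name": "Chris A.",   "terminated": None,              "bank": "33330003"},
]
PAYROLL = [
    {"employee": "E1", "pay_date": date(2019, 4, 30), "gross": 3000.00},
    {"employee": "E2", "pay_date": date(2019, 4, 30), "gross": 3100.00},
    {"employee": "E3", "pay_date": date(2019, 4, 30), "gross": 2800.00},
    {"employee": "E4", "pay_date": date(2019, 4, 30), "gross": 2800.00},
]


def normalize_invoice(ref: str) -> str:
    """Drop punctuation and whitespace and uppercase, so 'A-1001' and 'a1001' compare equal."""
    return re.sub(r"[^A-Z0-9]", "", ref.upper())


def duplicate_payments(payments: List[Dict], window_days: int = 45) -> List[Tuple[str, str, str]]:
    """Flag pairs of payments to the same vendor for the same amount that either
    reuse an invoice reference or fall within window_days of each other.
    Returns (earlier_id, later_id, reason). Recurring charges outside the
    window with distinct invoices are left alone."""
    groups: Dict[tuple, List[Dict]] = defaultdict(list)
    for p in payments:
        groups[(p["vendor"].strip().lower(), round(p["amount"], 2))].append(p)
    flags = []
    for group in groups.values():
        group.sort(key=lambda p: p["paid"])
        for i, a in enumerate(group):
            for b in group[i + 1:]:
                if normalize_invoice(a["invoice"]) == normalize_invoice(b["invoice"]):
                    flags.append((a["id"], b["id"], "same invoice reference"))
                elif (b["paid"] - a["paid"]).days <= window_days:
                    flags.append((a["id"], b["id"], f"same vendor and amount within {window_days} days"))
    return flags


def paid_after_termination(employees: List[Dict], payroll: List[Dict], grace_days: int = 14) -> List[str]:
    """Employees paid more than grace_days after their termination date
    (the grace period allows a legitimate final paycheck)."""
    term = {e["id"]: e["terminated"] for e in employees if e["terminated"] is not None}
    hits = set()
    for run in payroll:
        t = term.get(run["employee"])
        if t is not None and run["pay_date"] > t + timedelta(days=grace_days):
            hits.add(run["employee"])
    return sorted(hits)


def shared_bank_accounts(employees: List[Dict]) -> List[Tuple[str, List[str]]]:
    """Bank accounts credited for more than one employee: a ghost-employee indicator."""
    by_bank: Dict[str, List[str]] = defaultdict(list)
    for e in employees:
        by_bank[e["bank"]].append(e["id"])
    return sorted((bank, sorted(ids)) for bank, ids in by_bank.items() if len(ids) > 1)


if __name__ == "__main__":
    print("duplicate payments:", duplicate_payments(VENDOR_PAYMENTS))
    print("paid after termination:", paid_after_termination(EMPLOYEES, PAYROLL))
    print("shared bank accounts:", shared_bank_accounts(EMPLOYEES))
```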


Selecting controls that are responsive to the risk of fraud

Noncash Misappropriation

• Median loss for this fraud according to the ACFE 2018 Report is $98,000

• Occurred 21 percent of the time

• Collusion

• Surveillance

• Case Study 6 Question: What could have been done to prevent or detect this fraud?


Case study 6

• Case Study 6 – Suggested Solution

– Collusion was involved

– The highest level of the company involved trusted employees in order to accomplish the scheme

– It is doubtful that surveillance, which would ordinarily have been a good tool, would have worked

– There was no tone from the top that emphasized ethical values

– Had there been some type of anonymous reporting mechanism, like a hotline, employees who were suspicious might have reported it


Consideration of Fraud in a Single Audit

Chapter 6


Learning objectives

Upon reviewing this chapter, the reader will be able to:

• Understand the distinction between a financial statement audit and a single audit;

• Understand fraud risk factors in a single audit; and

• Implement the fraud risk assessment requirements in a single audit


Introduction

• A Single Audit has two components

– Audit of the financial statements under Generally Accepted Government Auditing Standards (GAGAS)

– Compliance audit of major programs under Uniform Guidance

– GAGAS incorporates GAAS by reference and requires no additional procedures over and above those required

– Additional reporting requirements

Professional guidance

• Primary source of guidance for considering the risk of fraud in a Single Audit is AU-C 240

• AU-C 935, Compliance Audits

• AU-C 240 states that the auditor has a responsibility to consider fraud risks and to design the audit to provide reasonable assurance of detecting fraud that results in the financial statements being materially misstated

• Requirements are also applicable to a Single Audit or any audit, such as a program-specific audit, that is conducted under the Uniform Guidance, as modified for material noncompliance

• AU-C 935 states that the auditor should assess the risks of material noncompliance whether due to fraud or error for each direct and material compliance requirement and should consider whether any of those risks are pervasive to the entity's compliance because they may affect compliance with many compliance requirements

Professional guidance

• Team meeting - Discuss the risks of material noncompliance due to fraud

• Smaller audit - One meeting to discuss all the major programs

• Larger audit where programs differ and teams may audit different major programs - Assess the risk by major program

• One team may work with the single audit but not work with the financial statement audit

• Some entities have entity level anti-fraud programs and controls that address compliance as well as financial statement risks

• These may already have been documented in the financial statement workpapers

• Gain an understanding of the risks of fraud identified in the financial statement audit as well as the extent to which there are mitigating controls

Fraud risk assessment process

• Fraud inquiries of:

– Management, especially those that are involved with grants management

– Those charged with governance

– Internal auditors, if any

– Others

– Ask about any instances or possible instances of noncompliance or abuse

• People who work with one grant also work with others, so the fraud inquiries may cover more than one major program

Fraud risk assessment process

• Based on the inquiries of the client, various analyses, and communication among the audit team, the auditor identifies and documents:

– Pervasive fraud risks;

– Specific fraud risks; and

– Risk of management override of controls

• Understand and test any supporting entity level internal controls as well as control activities that would help to prevent, detect or deter fraud

• Evaluate the design, implementation and effectiveness

Fraud risk assessment process

• Use information to determine a response to those risks which the auditor believes could result in material noncompliance due to fraud

• Responses could include testing journal entries that were made to the accounts of the major program

• Document:

– Fraud risk assessment;

– Relevant mitigating internal controls;

– Nature, timing, and extent of the audit procedures performed in response to the assessed risk of fraud; and

– Results of those audit procedures

• Peer reviewers have noted that the documentation in single audits relative to the risk of fraud is often lacking

Fraud risks

• Three conditions that generally come together to result in fraud, whether the fraud impacts a major program or the financial statements, are:

– Incentive/Pressure;

– Opportunity; and

– Rationalization

• Although the conditions are the same for a compliance audit, the way they show up in an entity could be different because the subject matter is major programs, not financial statements

• There may also be different incentives for fraudulent financial reporting for governments versus not-for-profit entities

Incentives/pressure risk factors – fraudulent financial reporting

• Intentionally misstate either the financial statements, including program financial statements, or the schedule of expenditures of federal awards

• Poor financial or operating results, external (economic) or internal (operating challenge) conditions

• Governments:

– Declining tax or revenue base

– State or federal cutbacks on funding

– Inability to balance the budget due to excessive expenditures, a shortfall in revenue or both

• Not-for-profit entity:

– Decline in donor base

– Reduced ability to charge for services

– Termination of major funding

Incentives/pressure risk factors – fraudulent financial reporting

• Complex or frequently revised compliance requirements or participant requirements (such as cost sharing or matching requirements) that create incentives to shift costs or incorrectly value transactions

• Stagnant tax or revenue base or declining federal funding, enrollments, or eligible participants

• Significant portion of program management's compensation or performance appraisal is linked to federal award budgetary or program accomplishments or other incentives

• Imminent or anticipated adverse changes in program legislation or regulations that could impair the financial stability or profitability of the entity

• Financial pressure due to declining revenues or increasing expenses, creating incentive to apply non-program costs to federal awards

Incentives/pressure risk factors – fraudulent financial reporting

• Significant pressure to obtain additional funding necessary to stay viable and maintain levels of service

• Investment values that are negatively impacted by declining financial markets

• Adverse publicity or lawsuits that are causing additional expense (e.g., legal fees or public relations costs)

• Pressure to achieve operating results from the board, constituents, management, or regulators

Opportunity risk factors – fraudulent financial reporting

• An organizational structure that is unstable or unnecessarily complex

• Rapid growth due to significant increases in funds without the organizational structure to support it

• Inadequate internal control due to outdated or ineffective accounting or information systems

• Inadequate oversight by those charged with governance over the financial reporting process and management activities

• Inadequate monitoring by management for compliance with policies, laws, and regulations

• Lack of appropriate segregation of duties or independent checks, especially in areas such as eligibility determination and benefit awards

Opportunity risk factors – fraudulent financial reporting

• Lack of appropriate system of authorization and approval of transactions, such as purchasing, contracting, benefit determinations, and eligibility, due to either poorly designed or outdated controls

• Lack of timely and appropriate documentation for transactions, such as eligibility and benefit determinations

• Lack of asset accountability or safeguarding procedures

• Rapid changes in federal award programs

• High turnover rates for employment of accounting, internal audit, or IT staff

Attitude/rationalization risk factors – fraudulent financial reporting

Rationalizations:

• It’s not for me; it’s for the organization or constituents

• It’s only for a short time. Once the grant, loan, donation I’m expecting comes in we will make a journal entry so the financial statements or other documents falsified will be correct

• The federal government has a lot of money and this will help us. They don’t really need it

Attitude/rationalization risk factors – fraudulent financial reporting

• Red flags that might be present:

– Management does not communicate or demonstrate ethical values;

– Management has a history of misstatements or history of alleged fraud or violations of laws and regulations;

– Management frequently overrides internal controls;

– Low morale on the part of senior management;

– Disputes between the governing board and management;

– Disputes with the auditor on accounting and reporting matters; and

– Failure to implement internal control recommendations made by internal audit or the external auditor

Incentives or pressure risk factors – misappropriation of assets

• Personal financial obligations

• Adverse relationship between the employees and the entity (may be difficulties with management)

• Employees believe they have been treated unfairly (promotions, raises, pending layoffs, recognition)

• Employees want the challenge

Opportunity risk factors – misappropriation of assets

• Entity maintains cash or payments are made to the entity in cash

• Cash or other assets are received by many departments

• Capital assets are susceptible to misappropriation

• Lack of segregation of duties

• Lack of documentation of transactions

• Lack of timely reconciliation of account balances to other detail

• Lack of a fraud prevention hotline

• Lack of a code of ethics or conflict of interest policy

Attitude/rationalization risk factors – misappropriation of assets

• Management does not monitor, so employees think misappropriation is not a concern

• Dissatisfied employees (under paid, over worked, not recognized)

• An ineffective or nonexistent means of communicating and supporting the entity’s values or ethics

• Significant subrecipient or subcontract relationships for which there appears to be no clear programmatic or business justification

Attitude/rationalization risk factors – misappropriation of assets

• Management displaying or conveying an attitude of disinterest regarding strict adherence to federal award rules and regulations such as those related to participant eligibility, benefit determinations or eligibility

• An individual or individuals with no apparent executive position(s) within the entity appearing to exercise substantial influence over its affairs or over individual federal award programs (for example, a major donor, fund-raiser, or politician)

• An attitude among program personnel that given their position, they are due benefits from the programs

Fraud considerations under GAGAS

• GAGAS incorporates GAAS by reference

• Need for early communication

• May need to report to third parties, auditors should be aware of laws

• Report findings in a report on internal control and compliance with provisions of laws, regulations, contracts, and grant agreements based on an audit of the financial statements

• Significant deficiencies, material weaknesses, material noncompliance, and material instances of fraud

• Other instances of fraud that warrant the attention of governance

• If they don’t warrant the attention of those charged with governance, the auditor uses judgment

Fraud considerations under GAGAS

• Consider consulting an attorney about whether public reporting would compromise investigative or legal proceedings

• Auditors may limit public reporting under the circumstances

• Report identified or suspected fraud directly to outside parties when:

– Management does not satisfy legal or regulatory requirements to report such information to external parties specified in a law or regulation; or

– Management does not take appropriate steps to respond to what is likely to have a material effect on the financial statements and involves funding received directly or indirectly from a government agency

• In this case auditors should report directly to the funding agency

Fraud considerations under GAGAS

• Before reporting outside the entity the auditor should discuss it with those charged with governance if management does not report it

Fraud reporting considerations under uniform guidance

• Uniform Guidance requires management to report all instances of fraud that deal with federal awards

• Auditor issues report on compliance for each major federal program and a report on internal control over compliance and schedule of findings and questioned costs

• Includes financial statement findings under GAGAS as well as those required by Uniform Guidance

• Auditor is required to report known or likely fraud that affects a federal award unless it has been reported as an audit finding

• Auditor is not required to report information that could compromise investigative or legal proceedings

• Auditor does not have to make additional reports when he/she confirms that the fraud was reported outside the GAGAS auditor’s reports

Cyber Fraud

Chapter 7

Learning objectives

Upon reviewing this chapter, the reader will be able to:

• Identify the most common cyber fraud schemes used today; and

• Identify ways to help prevent cyber fraud

Introduction

• Worldwide spending on cybersecurity is forecasted to reach $133.7 billion in 2022

• 62% of businesses experienced phishing and social engineering attacks in 2018

• 68% of business leaders feel their cybersecurity risks are increasing

• Data breaches exposed 4.1 billion records in the first half of 2019

• 71% of breaches were financially motivated and 25% were motivated by espionage

• 52% of breaches featured hacking, 28% involved malware and 32–33% included phishing or social engineering

Introduction

• Between January 1, 2005 and April 18, 2018 there have been 8,854 recorded breaches

• Ransomware infections were down 52% in 2018

• The top malicious email attachment types are .doc and .dot which make up 37%, the next highest is .exe at 19.5%

• Hackers attack every 39 seconds, on average 2,244 times a day

• The average time to identify a breach in 2019 was 206 days

• The average cost of data breach is $3.92 million as of 2019

Types of cyber fraud

Top cyber fraud schemes

• Authorized Push Payments (APPs)

– Victims are manipulated into making real-time payments to fraudsters

– Occur due to social engineering attacks involving impersonation

– Convince business or person to send money to them for what appears to be a legitimate purpose

– Victim authorizes bank to make payment to fraudster’s bank account

– Push payments are used to cut time off transactions

– Real estate application

– Prevalent scheme in the UK now being seen in US

• SMS Spoofing is a technique to commit APP fraud using technology to impersonate a trusted party

Top cyber fraud schemes

• Deep fakes and biometrics

– Facial recognition used to unlock cell phones

– Voice biometrics to command smart home devices

– Criminals use artificial intelligence to create fake images or audio manipulations

• Breaching 2FA

– 2 factor authentication

– Use of SIM swapping to circumvent the control

Top cyber fraud schemes

• Denial-of-service and distributed denial-of-service

– Attacks overwhelm a company’s information system’s resources so that it is not able to respond to service requests

– DDoS attack is launched from a large number of other host machines that are infected by malicious software controlled by the attacker

– Hacker doesn’t gain access to a system

– Goal is simply to take a system offline

– Used against competitor or to disrupt a system so that the hacker can launch another type of attack

TCP SYN Flood Attack

[Diagram: perpetrator (IP 192.168.32), victim client and server session; labels “Sniffing legitimate session”, “Disconnected”, “DDOS attack”]

1. A client connects to a server.

2. The attacker’s computer gains control of the client.

3. The attacker’s computer disconnects the client from the server.

4. The attacker’s computer replaces the client’s IP address with its own IP address and spoofs the client’s sequence numbers.

5. The attacker’s computer continues the dialog with the server, and the server believes it is still communicating with the client.

Top cyber fraud schemes

• TCP SYN flood attack solutions:

– Place servers behind a firewall configured to stop inbound SYN packets; or

– Increase the size of the connection queue and decrease the timeout on open connections

• Teardrop attack

– Causes the length and fragmentation offset fields in sequential Internet Protocol (IP) packets to overlap one another on the attacked host

– When the attacked system attempts to reconstruct packets during the process it fails, becomes confused and crashes

Top cyber fraud schemes

• Smurf attack

– Uses Internet Protocol (IP) spoofing and the ICMP (internet control message protocol) to saturate a target network with traffic

– Hackers use IP spoofing to convince a system that it is communicating with a known, trusted entity

– Hacker sends a packet with the IP source address of a known, trusted host instead of its own IP, providing the attacker with access to the system

Solution: Patches available for this type of attack. Alternatively, the entity could disable SMBv2 and block ports 139 and 445

Top cyber fraud schemes

• Ping of Death

– The hacker uses IP packets that are over the maximum size to ‘ping’ a target system

– IP packets of this size are not allowed, so the attacker fragments the IP packet

– Once the target system reassembles the packet, it can experience buffer overflows and other crashes

Solution: Ping of death attacks can be blocked by using a firewall that will check fragmented IP packets for maximum size
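
The teardrop and ping-of-death bullets above describe two conditions that a firewall or reassembly routine can check directly on fragment headers: an offset that overlaps data already received, and a reassembled datagram larger than the IPv4 maximum of 65,535 bytes. The Python below is an added example (not code from the Surgent course) that performs both checks on a constructed list of fragments; the Fragment class and the use of byte offsets are assumptions of the example, since the real header stores the offset in 8-byte units.

```python
from dataclasses import dataclass
from typing import List, Optional

IPV4_MAX_DATAGRAM = 65535   # largest legal IPv4 datagram, header included


@dataclass(frozen=True)
class Fragment:
    """One IPv4 fragment (constructed type for this example).

    offset and length are in bytes; the real header carries the offset in
    8-byte units, so a caller would multiply that field by 8 first.
    """
    ident: int     # Identification field shared by every fragment of one datagram
    offset: int    # where this fragment's payload sits in the reassembled datagram
    length: int    # payload bytes carried by this fragment
    more: bool     # More Fragments (MF) flag


def check_fragments(frags: List[Fragment]) -> Optional[str]:
    """Return None if the fragments reassemble cleanly, otherwise a drop reason.

    Checks the two conditions described on the slides: a fragment whose offset
    lies inside an earlier fragment (teardrop) and a reassembled size above the
    IPv4 maximum (ping of death).  Gaps and bad MF flags are reported as
    malformed rather than as attacks.
    """
    if not frags:
        return "no fragments"
    if len({f.ident for f in frags}) != 1:
        return "fragments belong to different datagrams"

    ordered = sorted(frags, key=lambda f: f.offset)
    end_so_far = 0                       # first byte not yet covered
    for i, f in enumerate(ordered):
        if f.length <= 0:
            return "zero-length fragment"
        end = f.offset + f.length
        if end > IPV4_MAX_DATAGRAM:
            return (f"reassembled size {end} exceeds {IPV4_MAX_DATAGRAM} "
                    "(ping of death pattern)")
        if f.offset < end_so_far:
            return f"fragment at offset {f.offset} overlaps earlier data (teardrop pattern)"
        if f.offset > end_so_far:
            return f"gap before offset {f.offset}; datagram incomplete"
        is_last = i == len(ordered) - 1
        if f.more == is_last:            # MF must be set on all but the last fragment
            return "More Fragments flag inconsistent with fragment position"
        end_so_far = end
    return None


if __name__ == "__main__":
    # Constructed sample: second fragment starts inside the first one.
    sample = [Fragment(7, 0, 1480, True), Fragment(7, 1000, 600, False)]
    print(check_fragments(sample) or "reassembles cleanly")
```

A real filter would run this per (source, destination, protocol, identification) tuple and expire incomplete datagrams after a timeout, which is the same queue-and-timeout trade-off the SYN flood bullet mentions.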

Top cyber fraud schemes

• Botnet

– Group of computers that have been infected by malware and are under the control of a fraudster

– Term bot refers to the infected device

– Can be designed for illegal or malicious tasks such as sending spam, stealing data, ransomware, or DDoS attacks

– When used in a DDoS attack the bots carry out attacks against the target systems, overwhelming the target system’s bandwidth and processing capabilities

Solution: Bots can be mitigated by RFC 3704 ingress filtering and black hole filtering

Top cyber fraud schemes

• Phishing and Spear Phishing attacks

– Phishing - Hacker sends emails that appear to be from trusted sources with the goal of gaining personal information or convincing users to do something

– Combines social engineering and technical trickery

– Could involve an attachment to an email that loads malware onto a computer

– Could appear to be a link to a website that tricks the victim into downloading malware or providing the hacker with personal information

Top cyber fraud schemes

• Spear phishing is a specific type of phishing activity

– Hackers research the habits and language of the victim and craft emails that are personal and relevant

– Hackers may use email spoofing

– Information in the “From” section appears to come from someone known to the victim, generally someone with the authority to issue instructions

– Another technique that hackers use is website cloning. The hacker copies a legitimate website and the victim enters personally identifiable information (PII) or login credentials

Top cyber fraud schemes

Solution

• Stop and think — Analyze email and don’t just accept that it is from the person who is purported to have sent it. People tend to react to email without thinking

• Hover over the email headers or links in the message — Move the mouse over the link without clicking on it. It is possible that the email address or links are spoofed

• Analyze email headers — Email headers define how an email got to your address. The “Reply-To” and “Return-Path” parameters should lead to the same domain as is stated in the email
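
The header check described above can be automated. The Python below is an added example (not from the course) that parses a constructed phishing message with the standard library, reports which of Reply-To and Return-Path point at a different domain than From, and also compares the visible text of each link with the domain its href actually reaches, which is the mismatch that hovering is meant to reveal. The sample message, all of its addresses and hosts, and the _registrable helper (a rough last-two-labels approximation rather than a public suffix lookup) are constructed for the example.

```python
import email
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr
from html.parser import HTMLParser
from typing import Dict, List, Tuple
from urllib.parse import urlparse

# Constructed sample message: every address, host and name below is made up.
SAMPLE_EMAIL = """\
Return-Path: <bounce@mailer.evil.example>
From: "Example Bank Support" <support@examplebank.com>
Reply-To: support@examplebank-secure.example
To: controller@victim.example
Subject: Urgent: verify your account
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Please verify your account at
<a href="http://examplebank.com.evil.example/login">www.examplebank.com/login</a>
or use <a href="http://www.examplebank.com/contact">our contact page</a>.</p>
</body></html>
"""


def parse_message(raw: str) -> EmailMessage:
    return email.message_from_string(raw, policy=policy.default)


def address_domain(header_value) -> str:
    """Domain of the first address in a header value, '' if there is none."""
    _, addr = parseaddr("" if header_value is None else str(header_value))
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def header_mismatches(msg: EmailMessage) -> List[str]:
    """Headers whose domain differs from the From domain (the check on the slide)."""
    domains: Dict[str, str] = {name: address_domain(msg.get(name))
                               for name in ("From", "Reply-To", "Return-Path")}
    base = domains["From"]
    return [name for name, dom in domains.items() if dom and dom != base]


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element in an HTML body."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self._href = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


# Visible link text that looks like a host or URL, e.g. "www.examplebank.com/login".
_SHOWN_HOST_RE = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:[/:\s]|$)", re.I)


def _registrable(host: str) -> str:
    # Assumption for the example: the last two labels are the owning domain.
    # Production code should consult the public suffix list instead.
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def deceptive_links(html_body: str) -> List[Tuple[str, str]]:
    """Links whose visible text names one domain while the href goes elsewhere."""
    collector = _LinkCollector()
    collector.feed(html_body)
    flagged = []
    for href, text in collector.links:
        match = _SHOWN_HOST_RE.match(text)
        if not match:
            continue                      # plain words such as "click here"
        href_host = urlparse(href).hostname or ""
        if _registrable(match.group(1)) != _registrable(href_host):
            flagged.append((text, href))
    return flagged


def analyze(raw_message: str) -> Dict[str, list]:
    msg = parse_message(raw_message)
    body = msg.get_body(preferencelist=("html",))
    html_body = body.get_content() if body is not None else ""
    return {"header_mismatches": header_mismatches(msg),
            "deceptive_links": deceptive_links(html_body)}


if __name__ == "__main__":
    print(analyze(SAMPLE_EMAIL))
```

A mismatch is a reason to slow down and verify, not proof of fraud: mailing-list services and ticketing systems legitimately set Return-Path to their own domain, which is why the slide pairs this check with a phone call to the purported sender.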

Top cyber fraud schemes

Drive-by download attacks

• Common method of spreading malware

• Hacker looks for an insecure website and places a malicious script into the code on one of the pages

• Script might install malware directly onto the computer of someone who visits the site, or it might re-direct the victim to a site controlled by the hackers

• Drive-by downloads can happen when visiting a website or viewing an email message or a pop-up window

Top cyber fraud schemes

Drive-by download attacks

• Drive-by downloads don’t rely on the user doing anything to actively enable the attack, making them harder to prevent

• Can take advantage of an app, operating system, or web browser that contains security flaws due to unsuccessful updates or lack of updates

Solution: Browsers and operating systems should be kept up to date and insecure websites should be avoided. The more apps or plug-ins someone has on their device, the more vulnerable they are

Top cyber fraud schemes

• Password Attacks

– Hackers will sometimes look around a person’s desk if they are in the same location

– Alternatively they may “sniff” the connection to the network to acquire unencrypted passwords, use social engineering, gain access to a password database, or simply guess

– Brute-force password guessing - Trying passwords based on information that is known about the user such as their name, job title, hobbies, children or pets

– Dictionary attack - The hacker copies an encrypted file that contains the passwords, applies the same encryption to a dictionary of commonly used passwords, and compares the results
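
On the defender’s side, the two guessing approaches above point at two controls: reject passwords that appear in a common-password list or are built from facts about the user, and store passwords with a salted, iterated hash so that hashing a dictionary once does not let an attacker compare it against every stored value. The Python below is an added example (not from the course) using hashlib.pbkdf2_hmac; the COMMON_PASSWORDS set, the 12-character minimum and the iteration count are constructed choices for the example.

```python
import hashlib
import hmac
import os
from typing import Iterable, Optional, Tuple

# Constructed stand-in for a breached/common-password list; deployments load a large one.
COMMON_PASSWORDS = {"password", "password1", "123456", "qwerty",
                    "letmein", "welcome1", "iloveyou"}

MIN_LENGTH = 12               # assumption for the example
PBKDF2_ITERATIONS = 200_000   # tune upward; the point is to make offline comparison slow


def password_problem(password: str, user_info: Iterable[str] = ()) -> Optional[str]:
    """Return why a candidate password should be rejected, or None if it passes.

    Rejects the two inputs a guessing attack starts from, as the slides describe:
    dictionary entries (with trailing digits or '!' stripped) and strings built
    from facts about the user such as a name, job title or pet.
    """
    lowered = password.lower()
    if len(password) < MIN_LENGTH:
        return f"shorter than {MIN_LENGTH} characters"
    if lowered in COMMON_PASSWORDS or lowered.rstrip("0123456789!") in COMMON_PASSWORDS:
        return "matches a common-password list"
    for fact in user_info:
        fact = fact.strip().lower()
        if len(fact) >= 3 and fact in lowered:
            return f"contains personal information ({fact})"
    return None


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted, iterated hash: identical passwords get different stored values,
    so a dictionary hashed once cannot be compared against every account."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)   # constant-time comparison


if __name__ == "__main__":
    for candidate in ("Password2019!", "Rex-and-Fluffy-2019", "correct horse battery staple"):
        print(candidate, "->", password_problem(candidate, ["Alice", "Rex", "Fluffy"]) or "ok")
```

The check runs at password-set time, so it never has to see a plaintext password later; verification only ever compares PBKDF2 outputs.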

Top cyber fraud schemes

• Cross-Site Scripting Attacks (XSS)

– Use an entity’s website to run scripts in the victim’s web browser or scriptable application

– Hacker exploits a vulnerability in a website that is otherwise benign

– Victim visits the website and clicks on a page, causing malicious JavaScript that was earlier inserted into the target website to execute in the victim’s browser

– At a minimum the hacker can then hijack the session

– At the worst, a hacker can steal cookies, log keystrokes, capture screen shots, collect network information, and remotely access and control the victim’s machine

Top cyber fraud schemes

• Cross-Site Scripting Attacks (XSS)

– Solution: Web developers can sanitize data input by users in an HTTP request before reflecting it back

– Make sure all data is validated, filtered or escaped before echoing anything back to the user, such as the values of query parameters during searches

– Give users the option to disable client-side scripts
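
To make the solution bullets concrete, here is an added Python example (not from the course) of the reflected search page the bullets describe, rendered once without escaping and once with html.escape applied to both the element content and the attribute value. The injected_tags helper is written for the example to show which tags in the output came from user input rather than from the template.

```python
import re
from html import escape

# Two renderings of the same search page.  The first reflects the query
# verbatim (the defect the slides describe); the second escapes it for the
# context it lands in.


def render_results_unsafe(query: str) -> str:
    """Vulnerable: user input is placed into HTML text and an attribute unescaped."""
    return (f"<h2>Results for: {query}</h2>\n"
            f'<input name="q" value="{query}">')


def render_results_safe(query: str) -> str:
    """Hardened: escape(..., quote=True) neutralises <, >, &, and both quote
    characters, so the input can neither open a tag nor close the attribute."""
    return (f"<h2>Results for: {escape(query, quote=True)}</h2>\n"
            f'<input name="q" value="{escape(query, quote=True)}">')


_TAG_NAME_RE = re.compile(r"<\s*/?\s*([a-z][a-z0-9]*)", re.I)


def injected_tags(rendered: str, template_tags=("h2", "input")) -> list:
    """Names of tags in the rendered page that the template did not put there."""
    return [t for t in _TAG_NAME_RE.findall(rendered) if t.lower() not in template_tags]


if __name__ == "__main__":
    # Constructed inputs: one that injects a tag, one that breaks out of the attribute.
    for q in ('<script>alert(1)</script>', '" autofocus onfocus="alert(1)'):
        print("unsafe:", render_results_unsafe(q))
        print("safe:  ", render_results_safe(q))
```

Escaping is applied at output time, per context, rather than by stripping input at the door: the same query may be safe in element text and still dangerous inside an attribute, a URL or a script block, which is why the slide says to validate, filter or escape before echoing anything back.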

Top cyber fraud schemes

• Eavesdropping

– Intercept network traffic

– The hacker’s goal is to obtain passwords, credit card numbers and other confidential information that a user might be sending over the network

– When eavesdropping is passive the hacker finds information by listening to the message transmission in the network

– Hackers can also actively eavesdrop by camouflaging themselves as a friendly unit sending queries to transmitters. In order to launch an active attack the hacker must first gain knowledge of friendly units

– Solution: Data encryption is the best way to counteract eavesdropping

Top cyber fraud schemes

• Malware

– Macro viruses infiltrate programs most people use every day such as Microsoft Word or Excel

• Viruses attach themselves to an application’s initialization sequence. When a person opens the application, the virus gives the malicious instructions before transferring control to the application. This way it can replicate itself and attach to other code in the victim’s system

– File infectors attach themselves to executable code, such as .exe files. The virus is installed when the code is loaded

– System or boot-record infectors attach to the master boot record on hard disks. When the system is started, it will look at the boot sector and load the virus into memory, where it can spread to other disks and computers

Top cyber fraud schemes

• Malware

– Stealth viruses compromise malware detection software so that the software will report an infected area as being uninfected

– Trojan horses hide in a useful program. They have a malicious function but do not self-replicate. They are used by hackers to infiltrate a system but also have another feature whereby they can establish a back door that can be exploited by the hacker

– Worms do not attach to a host file

• They are self-contained programs that spread across networks and computers, usually through email attachments

• Victim opens an attachment and activates the worm program

• Worm then sends a copy of itself to every contact in the victim’s email program. This enables it to spread itself across the internet, conduct malicious activity, and overload email servers, which can result in DoS attacks

– Ransomware is a type of malware that blocks access to the victim’s data and threatens to publish or delete it unless a ransom is paid

Top cyber fraud schemes

• Internet of Things (IoT)

– Extends connectivity beyond normal devices to household devices and other objects

Top cyber fraud schemes

• It’s Also a People Problem

– Social engineering is responsible for 93% of data breaches

– Hackers generally use social engineering to gain access to passwords, bank information or a computer so they can install malware to give them access to a lot more

– When the hacker manages to obtain access to one person’s password they have access to that person’s contact list. They can then use the email account of the first victim to send emails to the person’s contacts

– Links can be embedded in the emails, and if the email appears to come from a trusted source, a click on the link gives the hacker a second victim

– The email could also have a download of music, movies, or documents with embedded malware

Top cyber fraud schemes

• Hovering over the email address to see if it is legitimate may not be completely effective since hackers can also camouflage their true email addresses with overlays

• Hackers frequently impersonate companies, and the emails look legitimate right down to the logos and key words that a bank might use

• According to Webroot data, financial institutions are the most often impersonated

• Hackers will ask for donations, present an issue and ask the victim to validate information by providing information in a form or clicking on a link, offer something free, respond to a question the victim never asked, claim that the victim is winner of some prize or pose as a co-worker, boss, company executive, etc.

Top cyber fraud schemes

Solutions

• Slow down. Nothing is so urgent that it should not be carefully reviewed

• Ask for oral verification even if it slows down the process. Call the sender and ask

• Go straight to the website of the financial institution purporting to be the sender in a fresh browser and see if there are any messages waiting there

• Delete any requests for financial information or passwords

• Scams come in the form of offers to help, e.g., to restore credit scores, refinance a home, etc. Delete them

• Secure computing devices with anti-virus software, firewalls, email filters, and update them regularly

• Companies should train employees and penalize them for disregarding policies and procedures on information security

Top cyber fraud schemes

Statistics that are good to know:

• 48% of malicious email attachments are office files

• Phishing levels declined, dropping from 1 in 2,995 emails in 2017, to 1 in 3,207 emails in 2018

• 34% of data breaches involved internal participants

• 51% of businesses experienced denial of service attacks in 2018

• The average cost of a ransomware attack on businesses is $133,000

• 69% of organizations don’t believe the threats they’re seeing can be blocked by their anti-virus software

Top cyber fraud schemes

Statistics that are good to know:

• 1 in 36 mobile devices had high risk apps installed

• In 2018, an average of 10,573 malicious mobile apps were blocked per day

• 65% of groups used spear phishing as the primary infection vector

• 1 in 13 web requests leads to malware

• The United States ranks highest with 18.2% of all ransomware attacks

• Most malicious domains, about 60%, are associated with spam campaigns

Internal control imperative

SEC Cyber Fraud Report (2018)

• In October 2018 the SEC issued a report on an investigation into nine companies that experienced losses of almost $100 million due to cyber fraud

• The techniques used by the fraudsters are common

– Company personnel received spoofed or compromised electronic communications from outside sources, causing them to transfer funds to the bank accounts of the fraudsters

• One company made 14 electronic transfers based on fictitious emails received from fraudsters masquerading as company executives

• Another company paid 8 invoices over several months to what they believed were legitimate vendors. However, the routing instructions had been changed to a fraudster’s bank account

• The SEC did not institute enforcement actions against the companies but made it clear in the report that public companies will be required to assess and adjust their internal controls for the risk of cyber fraud

• Section 13(b)(2)(B) of the Securities Exchange Act is invoked when a public company has:

– Materially misstated its financial statements;

– Paid bribes to foreign government officials;

– Paid commercial bribes; or

– Reimbursed employees for unauthorized expenses

• Most prosecutions have involved public companies engaged in accounting fraud

• Internal control charges were levied as lesser included offenses

• The SEC’s report has now opened the possibility for charges to be made when a public company is victimized by a cyber incident and unknowingly disburses funds to cyber fraudsters

• Sections cited would be Section 13(b)(2)(B)(i) and (iii)

– These are the sections that require transactions to be executed, and access to company assets to be permitted, only in accordance with management’s general or specific authorization

– Used by the SEC in connection with bribery and expense reimbursement prosecutions where the financial ramifications are generally not material for financial statement purposes

• Cases discussed in the report did not involve sophisticated schemes

• Human weakness made them effective

• The COSO framework is specific in saying that controls provide only reasonable, not absolute, assurance

• The SEC report is sobering to read, and although prosecution may ultimately occur only when it is evident that internal controls were blatantly ignored, companies should take proactive steps to identify the risk of cyber fraud

• This includes nonpublic entities as well, if only because cyber fraud is costly to an entity’s financial position and reputation

• Entities should consider:

– A robust cyber fraud risk assessment process

– Establishing more stringent cyber security policies and procedures

– Performing scenario analysis including how management could override controls

– Identifying key controls to prevent improper disbursements or accounting errors from cyber fraud, focusing on payment requests, authorizations, and disbursement approvals, especially for large, nonsystematic, time-sensitive, or foreign transactions

– Identifying key controls over changes to vendor disbursement processes

– Evaluating the design of controls and testing their operation

– A cyber fraud diagnostic from an entity specializing in this service

– Training personnel and penalizing those who violate the controls even through carelessness

– Monitoring activities with data analytic tools for potential improper disbursements

– Public company management should also consider disclosure controls for cyber breaches due to section 302 certifications
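Monitoring disbursements with data analytic tools, as the two lists above recommend, can start with screening each pending payment against the vendor master for the red flags the SEC report describes (changed routing instructions, unusually large or foreign payments). The following Python is an added illustration, not part of Surgent’s material; the vendor records, payment history, and thresholds are constructed.

```python
"""Flag disbursements that warrant a second authorization before release.
Added illustration (not Surgent's material); all data below is constructed."""
from datetime import date
from statistics import mean

# Constructed vendor master: bank account on file and when it last changed.
VENDORS = {
    "V100": {"account": "US-111", "country": "US", "changed": date(2019, 1, 10)},
    "V200": {"account": "US-222", "country": "US", "changed": date(2019, 6, 1)},
}

# Constructed payment history per vendor and the pending disbursement queue.
HISTORY = {"V100": [4000, 4200, 3900], "V200": [12000, 11500]}
PENDING = [
    {"id": "P1", "vendor": "V100", "account": "US-111", "country": "US",
     "amount": 4100, "date": date(2019, 6, 15)},
    {"id": "P2", "vendor": "V200", "account": "DE-999", "country": "DE",
     "amount": 48000, "date": date(2019, 6, 12)},
    {"id": "P3", "vendor": "V200", "account": "US-222", "country": "US",
     "amount": 11800, "date": date(2019, 6, 20)},
]

def screen(payment, vendors=VENDORS, history=HISTORY, change_window=30, ratio=3.0):
    """Return the list of red flags for one payment (empty list = routine)."""
    flags = []
    master = vendors.get(payment["vendor"])
    if master is None:
        return ["unknown vendor"]
    # Routing instruction differs from the vendor master (the SEC report pattern).
    if payment["account"] != master["account"]:
        flags.append("account differs from vendor master")
    # Master record changed shortly before payment: confirm via a known-good channel.
    if 0 <= (payment["date"] - master["changed"]).days <= change_window:
        flags.append("bank details changed within %d days" % change_window)
    # Nonsystematic amount relative to this vendor's own history.
    past = history.get(payment["vendor"], [])
    if past and payment["amount"] > ratio * mean(past):
        flags.append("amount exceeds %.0fx historical average" % ratio)
    # Foreign destination for a vendor whose master record is domestic.
    if payment["country"] != master["country"]:
        flags.append("foreign destination")
    return flags

def hold_list(pending=PENDING):
    """Map payment id -> flags for every payment needing a second approval."""
    return {p["id"]: screen(p) for p in pending if screen(p)}
```

Payments that come back with no flags can follow the normal approval path; anything on the hold list goes to an approver who verifies the bank details through a channel other than the email that requested the change.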

• Specific Industry Statistics:

– 3% of breach victims were small businesses

– Financial services and manufacturing have the highest percent of exposed sensitive files at 21%

– Financial services had 352,771 exposed sensitive files on average while healthcare, pharma and biotech have 113,491 files on average

– 15% of breaches involved healthcare organizations, 10% in the financial services industry, and 16% in the public sector

– The banking industry incurred the most cybercrime costs in 2018 at $18.3 million

– Smaller organizations (1–250 employees) have the highest targeted malicious email rate at 1 in 323

– The estimated losses in 2019 for the healthcare industry are $25 billion

– Lifestyle (15%) and entertainment (7%) were the most frequently seen categories of malicious apps

– Supply chain attacks were up 78% in 2019

– The financial services industry takes in the highest cost from cybercrime at an average of $18.3 million per company surveyed

– The industry with the highest number of ransomware attacks is healthcare; attacks will quadruple by 2020

Questions for Discussion:

1. Which of the fraud types have you seen occur in your company (your clients)?

2. How prepared do you believe your company (your clients) is/are for these possible attacks?

Q&A

We will now answer viewer questions that have come in during the webinar

Connect with us

Facebook.com/SurgentProfessionalEducation

Twitter.com/SurgentCPE

LinkedIn.com/company/surgent-professional-education

Thank you!

Individuals: CPE certificates will be available in your Surgent profile within 24 hours. Groups: please scan and submit the attendance form to [email protected] for CPE certificates.