8/22/2019 Deloittes_AntiFruad Program and Controls.pdf
Antifraud Programs & Controls

Table of Contents
- Introduction
- Overview
- Antifraud Programs and Controls: The COSO Framework
- Section 1: Questions to Consider
- Section 2: Example Implementation Plan – Performing Fraud Risk Assessments
- Section 3: Sample Process
- Section 4: Sample Listing of Fraud Schemes
- Section 5: Steps and Considerations

This document is intended to provide general information and considerations on a particular subject or subjects and is not an exhaustive treatment of such subject(s). This document provides general references to various sources, including the Sarbanes-Oxley Act of 2002, U.S. Securities and Exchange Commission, Public Company Accounting Oversight Board, American Institute of Certified Public Accountants, and Committee of Sponsoring Organizations of the Treadway Commission. It is the responsibility of boards of directors, audit committees, and companies to read and interpret the sources, or information received from them, to determine, customize and tailor responses based on their company's facts, circumstances and requirements.

Deloitte & Touche LLP (Deloitte & Touche) is not, by means of this document, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This document is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. The information contained in this document likely will change in material respects; Deloitte & Touche is under no obligation to update such information. Before making any decision or taking any action that might affect your professional interests, you should consult a qualified professional advisor. Deloitte & Touche is not responsible for any loss sustained by any person who relies on this document.

Introduction

In today's business environment with increased legislative and regulatory requirements, there is a greater need for organizations to understand and address fraud risks. The likelihood of fraud occurring can be reduced by implementing effective antifraud programs and controls that can identify fraud in a timely manner and minimize the resulting damage. Fraud prevention and detection also makes good business sense and can provide cost savings to organizations.

This document provides examples and considerations for management and auditors with respect to the risk of fraud and antifraud programs and controls, and is written in the context of the Committee of Sponsoring Organizations (COSO) of the Treadway Commission's Internal Control – Integrated Framework.1

Overview

Fraud has always represented a business risk for organizations. High-profile financial reporting scandals renewed the focus on fraud, resulting in comprehensive legislation and Securities and Exchange Commission (SEC) rulemaking concerning corporate governance and internal controls.

Section 404 of the Sarbanes-Oxley Act of 2002, Management Assessment of Internal Controls, requires company management to file an annual report on internal control over financial reporting. The SEC's resultant Final Rule: Management's Reports on Internal Control Over Financial Reporting and Certification of Disclosure in Exchange Act Periodic Reports, provides guidance on management's responsibilities related to fraud:

The assessment of a company's internal control over financial reporting must be based on procedures sufficient both to evaluate its design and to test its operating effectiveness. Controls subject to such assessment include ... controls related to the prevention, identification, and detection of fraud.2

Additionally, the Public Company Accounting Oversight Board's (PCAOB) Auditing Standard No. 2 increased responsibilities for auditors beyond those required by Statement on Auditing Standards, Consideration of Fraud in a Financial Statement Audit (SAS 99). Although SAS 99 provides detailed guidance on the fraud risk assessment, it only requires the auditor to gain an understanding of management's antifraud programs and controls. Under the PCAOB's Auditing Standard No. 2, auditors should evaluate antifraud programs and controls as part of the audit of internal control over financial reporting. The PCAOB Auditing Standard No. 2 states:

The auditor should evaluate all controls specifically intended to address the risks of fraud that have at least a reasonably possible likelihood of having a material effect on the company's financial statements. These controls may be a part of any of the five components of internal control over financial reporting... Controls related to the prevention and detection of fraud often have a pervasive effect on the risk of fraud. Such controls include, but are not limited to, the:
- Controls restraining misappropriation of company assets that could result in a material misstatement of the financial statements;
- Company's risk assessment processes;
- Code of ethics/conduct provisions, especially those related to conflicts of interest, related-party transactions, illegal acts, and the monitoring of the code by management and the audit committee or board;
- Adequacy of the internal audit activity and whether the internal audit function reports directly to the audit committee, as well as the extent of the audit committee's involvement and interaction with internal audit; and
- Adequacy of the company's procedures for handling complaints and for accepting confidential submissions of concerns about questionable accounting or auditing matters.

Part of management's responsibility when designing a company's internal control over financial reporting is to design and implement programs and controls to prevent, deter, and detect fraud. Management, along with those who have responsibility for oversight of the financial reporting process (such as the audit committee), should set the proper tone; create and maintain a culture of honesty and high ethical standards; and establish appropriate controls to prevent, deter, and detect fraud.3

1 Internal Control – Integrated Framework, Committee of Sponsoring Organizations of the Treadway Commission, copyright 1992, 1994. Executive summary and ordering information for full document available here: http://www.coso.org/publications/executive_summary_integrated_framework.htm.

2 Final Rule: Management's Report on Internal Control Over Financial Reporting and Certification of Disclosure in Exchange Act Periodic Reports, U.S. Securities and Exchange Commission, 2003, Section (II)(B)(3)(d). Electronic copy can be viewed at: http://www.sec.gov/rules/final/33-8238.htm.
Due to the importance of management's antifraud programs and controls, deficiencies in this area ordinarily constitute at least a significant deficiency in internal control over financial reporting. Paragraph 139 of the PCAOB Auditing Standard states:

The interaction of qualitative considerations that affect internal control over financial reporting with quantitative considerations ordinarily results in deficiencies in the following areas being at least significant deficiencies in internal control over financial reporting:
- Controls over the selection and application of accounting policies that are in conformity with generally accepted accounting principles;
- Antifraud programs and controls;
- Controls over non-routine and non-systematic transactions; and
- Controls over the period-end financial reporting process, including controls over procedures used to enter transaction totals into the general ledger; initiate, authorize, record, and process journal entries into the general ledger; and record recurring and nonrecurring adjustments to the financial statements.

PCAOB Auditing Standard No. 2 notes that antifraud controls may be a part of any of the five components of internal control over financial reporting and refers to the COSO framework. Antifraud programs and controls are not supplemental to COSO (i.e., they do not represent an additional layer to the framework), but are embedded within the existing five components of the framework.
Summary of Key Terms

Fraud. An understanding of fraud is essential in order for management and auditors to carry out their respective responsibilities. Fraud is defined in paragraphs 5 and 6 of SAS 99 as,

an intentional act that results in a material misstatement in financial statements that are the subject of an audit. Two types of misstatements are relevant to the auditor's consideration of fraud: misstatements arising from fraudulent financial reporting and misstatements arising from misappropriation of assets.

Recognizing that fraud can take many shapes and forms,4 and that the concept of materiality is both quantitative and qualitative in nature, it is recommended that management should consider additional types of fraud (including those not directly referenced in SAS 99 or the PCAOB Auditing Standard No. 2) when designing and implementing antifraud programs and controls. Examples of fraud types that management should consider include:
- fraudulent financial reporting
- misstatements arising from misappropriation of assets
- improper or unauthorized expenditures (including bribery and other improper payment schemes)
- self-dealings (including kickbacks)
- violations of laws and regulations (including those that expose the company or its agents to regulatory or criminal actions, e.g., securities frauds, signing false audit confirmations)

Antifraud Programs & Controls. Guidance on management's antifraud programs and controls is found in SAS 99 and in an attached exhibit, Management Antifraud Programs and Controls, which describes control activities that management should consider to address fraud risks. Paragraph 20 of SAS 99 notes:

The auditor should inquire of management about ... programs and controls the entity has established to mitigate specific fraud risks the entity has identified, or that otherwise help to prevent, deter, and detect fraud, and how management monitors those programs and controls.
3 Release No. 2004-001: Auditing Standard No. 2, An Audit of Internal Control Over Financial Reporting Performed in Conjunction with an Audit of Financial Statements, Public Company Accounting Oversight Board, 2004, paragraphs 24 and 25. Electronic copy can be viewed at: http://www.pcaobus.org/rules/Release-20040308-1.pdf.

4 Black's Law Dictionary (Sixth Edition, 1990) defines fraud as, "An intentional perversion of truth for the purpose of inducing another in reliance upon it to part with some valuable thing belonging to him or to surrender a legal right. A false representation of a matter of fact, whether by words or by conduct, by false or misleading allegations, or by concealment of that which should have been disclosed, which deceives and is intended to deceive another so that he shall act upon it to his legal injury. . . A generic term, embracing all multifarious means which human ingenuity can devise, and which are resorted to by one individual to get advantage over another by false suggestions or by suppression of truth, and includes all surprise, trick, cunning, dissembling, and any unfair way by which another is cheated."
Antifraud Programs and Controls: The COSO Framework

Below are the five components derived from COSO's Internal Control – Integrated Framework that management may consider with respect to their responsibilities for antifraud programs and controls:
1. Performing Fraud Risk Assessments
2. Creating a Control Environment
3. Designing & Implementing Antifraud Control Activities
4. Sharing Information & Communication
5. Monitoring Activities
Performing Fraud Risk Assessments

The first step in addressing fraud is the fraud risk assessment. Fraud risk assessments are designed to identify and evaluate fraud risk factors that could enable fraud to occur within the organization. Every organization has inherent fraud risks that arise from internal and external conditions relative to the entity's industry, operations, geographical locations, size, organizational structure, and general economic conditions. For example, SAS 99, paragraph 41 notes that material misstatements due to fraudulent financial reporting often result from overstatements of revenues and therefore, the auditor should ordinarily presume that there is a risk of material misstatement due to fraud relating to revenue recognition.

Most companies have at some level already addressed risks of theft. Fraud risk assessments are more than a process to identify risks of theft and should also address other frauds, including fraudulent financial reporting and other misappropriations of assets. The fraud risk assessment involves an expanded focus on considerations of where fraud risk factors may exist within the entity and the potential fraud schemes that could be perpetrated.

Management has the primary responsibility for performing fraud risk assessments. The audit committee should have an active role in the oversight of the process, understand identified fraud risks, and evaluate management's implementation of antifraud measures. The audit committee's evaluation and oversight not only ensures that management fulfills its responsibility, but also can serve as a deterrent to management who themselves could engage in fraudulent activities.

The audit committee, together with management, should also consider the potential risk of management's override of controls or other inappropriate influence over the financial reporting process. Paragraph 8 of SAS 99 notes that,

Management has a unique ability to perpetrate fraud because it frequently is in a position to directly or indirectly manipulate accounting records and present fraudulent financial information. Fraudulent financial reporting often involves management override of controls that otherwise may appear to be operating effectively.

Special consideration should be given to the risk of override of controls by management such as (1) recording fictitious journal entries or other adjustments, particularly those recorded close to the end of an accounting period; (2) intentionally biasing assumptions and judgments used to estimate account balances; and (3) entering into significant transactions that are outside of the entity's normal course of business and lack economic substance.

The fraud risk assessment should be performed without consideration of the existence or effectiveness of internal controls, and should be updated periodically to include changes in operations and revisions to fraud risks identified during monitoring activities of antifraud programs.

An example implementation plan for performing fraud risk assessments is provided in Section 2, Example Implementation Plan – Performing Fraud Risk Assessments.
Creating a Control Environment

Emphasis should be placed on the entity's control environment as it influences the tone of the entire organization. It is the foundation for all other components of internal control and provides discipline and structure. Control environment factors include the integrity, ethical values, and competence of the entity's management and employees and have a pervasive effect on how business activities are structured and executed. The control environment allows an entity to develop an ethical framework that should address: fraudulent financial reporting, misappropriation of assets, corruption, and other fraud issues.

The control environment should set the proper tone at the top which includes a culture and work environment that promotes open communication, consultation, and ethical behavior. The control environment should be pervasive throughout the organization in actions as well as words. It should:
- create and maintain a culture of honesty, high ethical standards, and behavior
- provide discipline for violations of the code of conduct/ethics
- set an appropriate tone for the entity's attitude towards fraud and fraud prevention
- promote controls to prevent, deter, and detect fraud

A control environment establishes and promotes a collective attitude towards achieving effective internal control and generating reliable financial statements. The proper design and the effectiveness of the control environment is critical. Having controls by themselves is not sufficient to mitigate fraud risks. For example, if no employees have been disciplined for violations of the company's code of conduct/ethics, the code is likely to be ineffective.
All employees have a role in the control environment. Management, the board of directors and the audit committee have the primary responsibility of creating the tone at the top of the organization. The audit committee should take an active role in the oversight of management's efforts to design and implement internal controls, including antifraud programs and controls, and should challenge management to ensure that fraud risks are identified and that appropriate control activities are implemented and monitored.

Elements of the control environment are discussed in Section 5, Steps and Considerations, and include:
- tone at the top
- oversight by the audit committee and board of directors
- internal audit involvement
- code of ethics/conduct
- ethics hotline and whistleblower program
- training
- responses to control deficiencies and allegations of fraud
Designing and Implementing Antifraud Control Activities

After fraud risk assessments are performed and fraud risks are identified, management should address each identified fraud risk by determining whether control activities exist and mitigate the risks. Control activities are policies and procedures designed to address risks and help ensure the achievement of the entity's objectives. Control activities occur throughout the organization, at all levels and in all functions.

Antifraud control activities can be preventative and/or detective in nature. Preventative controls are designed to mitigate specific fraud risks and can deter frauds from occurring, while detective control activities are designed to identify fraud if it occurs. Detective controls can also be used as a monitoring activity to assess the effectiveness of antifraud controls and may provide additional evidence of the effectiveness of antifraud programs and controls. Some of these control activities may be automated in nature and include information technology (IT) systems. Where control activities are not already present, management should design and implement additional controls to specifically address the identified fraud risks.

Special consideration should be given to the risk of override of controls by management. Some programs and controls that deal with management override include: (1) active oversight from the audit committee; (2) whistle-blower programs and a system to receive and investigate anonymous complaints; and (3) reviewing journal entries and other adjustments for evidence of possible material misstatement due to fraud.
Sharing Information & Communication

Effective communication is an important element of all phases of the implementation of antifraud programs and controls. The company's philosophy on fraud prevention and antifraud programs and controls should be clearly communicated throughout the organization so that employees are aware of antifraud activities, have a clear understanding of what is expected of them, and know that the organization takes the risk of fraud seriously. These communications should emanate from all levels of the organization and should include communications with external parties when appropriate (including customers, suppliers, and agents).

A company's code of conduct or ethics is often the first line of communication concerning its philosophy on fraud prevention. However, other communication methods should be used to create awareness of antifraud programs and controls. Information on antifraud programs may be communicated through employee handbooks (either printed or online), in company newsletters, company intranet sites, training, and through presentations or discussions led by management. Management's antifraud programs and controls should also be documented to provide reasonable support for its assessments on the design and operating effectiveness of the controls.

The procedures implemented to enable communication and information processes should themselves be controlled to prevent unauthorized access or changes.
Monitoring Activities

Management and other appropriate parties in the company should monitor the quality and effectiveness of antifraud programs and controls. Monitoring activities and assessments consist of procedures that include independent evaluations of antifraud controls that may be performed by internal audit or other groups, such as business process owners, and other ongoing monitoring activities that are built into normal recurring operating activities, such as timely reconciliations.

Ongoing monitoring procedures are built into normal recurring operating activities and can often be more effective than separate evaluations because they take place in real time. Examples of ongoing monitoring activities include:
- reconciliations of operating and financial reports
- regular communications with internal and external parties
- regular reviews and recommendations from internal auditors
- planning and training sessions to solicit feedback on whether controls are effective
Independent evaluations of controls vary in scope and frequency, and are commonly performed by internal audit. Separate evaluations may involve implementing detective activities. For example, internal audit may design tests to specifically look for instances of early revenue recognition to ensure that existing controls for revenue recognition are operating effectively. Detective controls are essential to antifraud programs because they provide an additional indication of the effectiveness of preventative control activities and can identify additional fraud risk factors that should be included in management's fraud risk assessment. Some monitoring activities can be automated in nature and, as such, may involve IT systems.
Organizations should take:

Reasonable steps to achieve compliance with its standards, e.g., by utilizing monitoring and auditing systems reasonably designed to detect criminal conduct by its employees and other agents and by having in place and publicizing a reporting system whereby employees and other agents could report criminal conduct by others within the organization without fear of retribution.5

Truly effective antifraud programs are dynamic, where the information obtained through the monitoring process is fed back into the risk assessment and the entire process begins anew.
This document is divided into the following sections:
- Section 1: Questions to Consider. A list of questions to consider with respect to antifraud programs and controls, in the context of the COSO framework.
- Section 2: Example Implementation Plan – Performing Fraud Risk Assessments. Highlights key steps in performing a fraud risk assessment.
- Section 3: Sample Process. Two examples of evaluating identified fraud risks and linking programs and controls to the risks:
  (A) Inappropriate/Early Revenue Recognition
  (B) Management Override of Controls – Improper Journal Entries or Adjustments
- Section 4: Sample Listing of Fraud Schemes. A listing of fraud schemes to assist in identifying possible fraud risks, scenarios, and schemes when performing or evaluating fraud risk assessments.
- Section 5: Antifraud Programs & Controls – Steps and Considerations. A detailed discussion of considerations of antifraud programs and controls.
5 United States Sentencing Commission, Guidelines Manual, 8A1.2, comment. 3(K), available at: http://www.ussc.gov/2002guid/8a1_2.htm. In 1991, the United States Sentencing Commission introduced seven criteria for effective programs to prevent and detect violations of law (including fraud). Amendments to the Sentencing Guidelines were submitted to Congress on April 30, 2004. Official text of these amendments is available on the Commission's web site at www.ussc.gov and http://www.ussc.gov/2004guid/2004cong.pdf.
Section 1: Questions to Consider

The following is a list of some of the questions for management to consider when designing and evaluating antifraud programs and controls related to each of the COSO components. Management should consider and evaluate the facts and circumstances for their organizations (e.g., the entity's industry, operations, geographical locations, size, organizational structure, and general economic conditions) and tailor their antifraud programs and controls accordingly. Each COSO component should include sufficient documentation to support the programs and controls as well as management's assessments and conclusions regarding the design and operating effectiveness of the programs and controls.6 The following questions and themes are adopted from various sources, including the Sarbanes-Oxley Act of 2002, SEC's Final Rules on Sarbanes-Oxley, SAS 99, PCAOB Auditing Standard No. 2, and COSO.

6 SEC, Final Rule: Management's Reports on Internal Control, Section (II)(B)(3)(d).
Fraud Risk Assessment
1. Does the company have formal and regularly scheduled procedures to perform fraud risk assessments?
2. Are appropriate personnel involved in the fraud risk assessments?
3. Are fraud risk assessments performed at all appropriate levels of the organization (such as the entity level, significant locations or business units, significant account balance or major process level)?
4. Does the fraud risk assessment include consideration of internal and external risk factors (including pressures or incentives, rationalizations or attitudes, and opportunities)?
5. Does the fraud risk assessment include the identification and evaluation of past occurrences and allegations of fraud within the entity and industry? Does it include the evaluations of unusual financial trends or relationships identified from analytical procedures or techniques?
6. Does the fraud risk assessment consider the risk of management's override of controls?
7. Does management consider the type, likelihood, significance, and pervasiveness of identified fraud risks?
8. Are fraud risk assessments updated periodically to include considerations of changes in operations, new information systems, acquisitions, changes in job roles and responsibilities, employees in new positions, results from self-assessments of controls, monitoring activities, internal audit findings, new or evolving industry trends, and revisions to identified fraud risks within the organization?
9. Does management assess the design and operating effectiveness of the fraud risk assessments?
10. Does management adequately document its assessments and conclusions regarding the design and operating effectiveness of the fraud risk assessments?
11. Is the fraud risk assessment designed and operating effectively?
Control Environment
1. Does the company maintain a proper tone at the top? Did management assess the tone of the organization to determine if the culture encourages ethical behavior, consultation, and open communication? (This assessment can be made through anonymous cultural surveys, inquiries and interviews, or by internal audit review.)
2. Do the audit committee and the board of directors have sufficient oversight of management's antifraud programs and controls?
3. Does the internal audit function have sufficient involvement in antifraud programs and controls, including monitoring of the effectiveness of antifraud programs and controls, given the size and complexity of the organization? Does the internal audit function report directly to the audit committee?
4. Does the company have a published code of ethics/conduct (with provisions related to conflicts of interest, related-party transactions, illegal acts, and fraud) made available to all personnel and does management require employees to confirm that they accept and agree to follow it? Does the frequency of exceptions undermine the code's effectiveness? Does the code comply with all applicable rules and regulations?
5. Does the company have an ethics/whistleblower hotline with adequate procedures to handle anonymous complaints (received from inside and outside the company), and to accept confidential submission of concerns about questionable accounting, internal accounting control, or auditing matters? Are tips and whistleblower complaints investigated and resolved in a timely manner?
6. Does the company have formal hiring and promotion standards, including background checks for those employees with influence over financial reporting or involved in the preparation of the financial statements?
7. Does the company have formal and effective training for employees and new hires on issues of fraud, ethics, and the code of ethics/conduct?
8. Does the company respond in a timely and appropriate manner to significant control deficiencies, allegations or concerns of fraud, and violations of the code of ethics/conduct?
9. Does management assess the design and operating effectiveness of the control environment?
10. Does management adequately document its assessments and conclusions regarding the design and operating effectiveness of the control environment?
11. Is the control environment designed and operating effectively?
Antifraud Control Activities
1. Does the company adequately map or link identified fraud risks to control activities designed to mitigate the fraud risks?
2. Does management design and implement preventative and detective controls (preventative controls are designed to stop fraud from occurring and detective controls are designed to identify the fraud if it occurs)?
3. Does the company have controls that restrain the misappropriation of company assets that could result in a material misstatement of the financial statements?
4. Does the company have controls that address the risk of management's override of controls (including controls over journal entries and adjustments, estimates, and unusual or nonroutine transactions)?
5. Does the company consider security controls (including IT controls and limited access to accounting systems), and consider the adequacy of fraud detection and monitoring activities utilizing information systems?
6. Does management assess the design and operating effectiveness of antifraud control activities?
7. Does management adequately document its assessments and conclusions regarding the design and operating effectiveness of antifraud control activities?
8. Are antifraud control activities designed and operating effectively?
Information & Communication
1. Is information on ethics and management's commitment to antifraud programs and controls effectively communicated throughout the organization to all employees?
2. Does management have procedures to disseminate and collect information regarding antifraud programs and controls, fraud risks, allegations of fraud, and concerns of improper accounting to and from all levels of the organization and external parties (where appropriate)?
3. Does management assess the design and operating effectiveness of information and communication?
4. Does management adequately document its assessments and conclusions regarding the design and operating effectiveness of information and communication?
5. Are procedures and activities for communicating information regarding antifraud programs and controls designed and operating effectively?
Monitoring Activities
1. Are internal audit and others actively involved in monitoring and assessing antifraud programs and controls?
2. Is the internal audit activity adequate for the size and operations of the organization?
3. Are findings and weaknesses identified during monitoring activities incorporated back into the fraud risk assessment, the design of the control environment and antifraud control activities?
4. Does the audit committee have oversight of monitoring activities?
5. Does management assess the design and operating effectiveness of monitoring activities?
6. Does management adequately document its assessments and conclusions regarding the design and operating effectiveness of the monitoring activities?
7. Are monitoring and assessment activities designed and operating effectively?
Section 2: Example Implementation Plan

Performing Fraud Risk Assessments
There is no one standard method by which management may implement its fraud risk assessment. However, the fraud risk assessment is a critical step in addressing fraud risks within an organization and as such should be an area of significant focus for management. The following example implementation plan summarizes certain elements of the fraud risk assessment process described in COSO and SAS 99.
Step One: Evaluate Fraud Risk Factors
Fraud risk factors are those events or conditions that indicate incentives/pressures to perpetrate fraud, opportunities to carry out the fraud, or attitudes/rationalizations to justify a fraudulent action (example fraud risk factors can be found in the Appendix of SAS 99). Fraud risk factors do not necessarily indicate the existence of fraud; however, they often are present in circumstances where fraud exists.
Personnel from various levels of the organization should be involved in this process, including management, internal audit, business process owners, IT management, and the audit committee. The audit committee should take an active role in the oversight of management's efforts to identify and consider fraud risk factors and can challenge management to verify that fraud risks are addressed.
This step should involve an evaluation of the fraud risk factors that are present in the organization. This can be done through several different means, some of which may already be utilized by management in their consideration of internal controls. For example, if management has elected to assess the control environment through an anonymous survey, the results could also be used to evaluate the existence of fraud risk factors.
The process should consider other fraud risk factors, including past frauds and allegations of fraud in the organization, frauds in the industry, unusual financial trends or relationships identified from analytical procedures, and the potential role weak IT controls could play in enabling fraudulent activity to occur.
The process should consider fraud risk factors at the entity level and the significant process level.
Step Two: Identify Possible Fraud Schemes and Scenarios
This process should involve all appropriate personnel, including management, internal audit, IT management, significant process owners, and oversight from the audit committee.
This step involves a brainstorm of possible fraud schemes and scenarios that could result from the identified fraud risk factors. For example, if a company faces significant internal and/or external pressures to achieve revenue targets, the brainstorm should include the identification and consideration of scenarios and fraud schemes that could be perpetrated to manipulate revenues.
Special consideration should be given to the risk of override of controls by management, such as (1) recording fictitious journal entries or adjustments, particularly those recorded close to the end of an accounting period, (2) intentionally biasing assumptions and judgments used to estimate account balances, and (3) entering into significant transactions that are outside of the entity's normal course of business and that lack economic substance.
Consideration should also be given to past frauds and allegations of fraud within the organization and the industry.
The identification of possible fraud schemes should be performed without consideration of the existence or effectiveness of internal controls.
Step Three: Prioritize Identified Fraud Risks
This step involves the evaluation of possible fraud schemes and includes the consideration of the following:
Type. The type of risk (i.e., a misappropriation of assets, fraudulent financial reporting, etc.).
Likelihood. The likelihood of the risk (i.e., the likelihood that it will result in a material misstatement in the financial statements).
Significance. The significance of the risk (i.e., whether it is of a magnitude that could result in a possible material misstatement of the financial statements).
Pervasiveness. The pervasiveness of the risk (i.e., whether the potential risk is pervasive to the financial statements as a whole or specifically related to a particular assertion, account, or class of transactions).
Emphasis should be given to those risks considered to be likely, significant, and/or pervasive.

Step Four: Evaluate Whether Mitigating Controls Exist or Are Effective
Management should determine whether there are controls already in place to sufficiently mitigate the identified fraud risks or if additional emphasis should be placed on existing controls.
Where controls are not already present, management should consider the need to design and implement additional antifraud controls to specifically address the identified fraud risks.
Management should map or link identified fraud risks to existing internal controls (including control environment, antifraud control activities, and monitoring activities), and document mitigating antifraud control activities related to the fraud risks.
Section 3: Sample Process

Presented below are two examples of the antifraud programs and controls process for two common fraud risks. The information is divided into two parts: the fraud risk assessment process, and the programs and controls designed to address the fraud risks identified during the fraud risk assessment. The programs and controls listed below are not intended to represent all of the possible programs and control activities that may address the identified fraud risk, but are shown as an example of activities that may address the identified fraud risk. Management should determine how to best document their fraud risk assessment and the programs and controls in place to address the risks, based on the company's facts and circumstances.

Inappropriate/Early Revenue Recognition

Fraud Risk Assessment

Fraud Risk Assessment:
- Performed by management, internal audit, IT management, significant process owners, and oversight from the audit committee
- Considered internal and external environmental factors (including pressures or incentives, rationalization, and opportunity)
- Identified fraud risks at relevant levels and locations within the organization
Significant Account or Cycle: Revenue
Fraud Risk: Inappropriate/early revenue recognition
Cause of Fraud: Existence of undisclosed sales terms or conditions
Fraud Elements (What it might look like): Terms granted to the customer that are:
- Disclosed on the purchase order but not in the order entry system
- Disclosed on sales negotiation documents only
- Provided in side letters, e-mails, or orally
May Involve:
- Sales Manager
- Sales Representative
- Sales finance personnel (divisional controller, order entry clerk, credit manager, etc.)
- Inventory Manager
- General Counsel
- Management (CEO, CFO, etc.)
- Customer
- Any combination of the above (one, some, or all)
Significance (High, Medium, Low): The significance of the risk (i.e., whether it is of a magnitude that could result in a possible material misstatement of the financial statements): High
Likelihood (High, Medium, Low): The likelihood of the risk (i.e., the likelihood that it will result in a material misstatement in the financial statements): High
Pervasiveness: The pervasiveness of the risk (i.e., whether the potential risk is pervasive to the financial statements as a whole or specifically related to a particular assertion, account, or class of transactions): Risk is related to revenue and A/R accounts
Inappropriate/Early Revenue Recognition (continued)

Programs and Controls

Control Environment Activities:
- Regular ethics training/policies/adherence
- Published code of ethics/conduct with provisions related to fraud and ethical behavior
- Formal hiring and promotion standards
- Tone at the top, including proper attitudes towards controls and corporate compliance
- Responsiveness to Internal Audit processes and findings
- Sales practices training
Control Activities:
- Regular review of all sales contracts, with a focus on unusual terms and conditions, and a comparison to actual practices
- Existence of sales personnel confirmation/verification for completeness and accuracy of recording of sales terms or conditions
- Regular review of A/R aging with a focus on overdue receivables
- Segregation of duties (sales and credit/order entry functions)
- Application controls to prohibit further processing without necessary approvals
- System of authorization and approval of transactions for sales and write-offs
- Where appropriate, standardization of sales terms and conditions
Information and Communication:
- A system for effective knowledge management to collect and communicate appropriate information pertaining to revenue fraud risks and antifraud programs and controls
Monitoring Activities:
- Internal Audit confirms directly with customers the amount of sales, as well as items such as the payment due date, the details of any rights of return, unrecorded terms and conditions and any outside agreements not contained in the original written agreement
- Regular review of days sales outstanding and comparison to company normal or industry averages
- Regular review of significant quarter-end or year-end sales for unusual pricing, billing, delivery, return, exchange, or acceptance clauses
Management Override of Controls: Improper Journal Entries or Adjustments

Fraud Risk Assessment

Fraud Risk Assessment:
- Performed by management, internal audit, IT management, significant process owners, and oversight from the audit committee
- Considered internal and external environmental factors (including pressures or incentives, rationalization, and opportunity)
- Identified fraud risks at relevant levels and locations within the organization
Significant Account or Cycle: Financial closing and reporting
Fraud Risk: Override of controls for journal entries or adjustments resulting in misstated financial statements
Cause of Fraud: Management directs or is involved in journal entries or adjustments to manipulate operating results
Fraud Elements (What it might look like): Journal entries and/or adjustments are recorded to improperly:
- Increase revenues or income
- Decrease cost of sales or expenses
- Manipulate account balances to comply with debt covenants, achieve financial targets or budgets, reduce or hide liabilities, misstate assets, etc.
May Involve:
- CEO
- CFO
- General Counsel
- General/Divisional Managers
- Corporate/Divisional Controllers
- Any combination of the above (one, some, or all)
Significance (High, Medium, Low): The significance of the risk (i.e., whether it is of a magnitude that could result in a possible material misstatement of the financial statements): High
Likelihood (High, Medium, Low): The likelihood of the risk (i.e., the likelihood that it will result in a material misstatement in the financial statements): High [7]
Pervasiveness: The pervasiveness of the risk (i.e., whether the potential risk is pervasive to the financial statements as a whole or specifically related to a particular assertion, account, or class of transactions): Pervasive throughout the financial statements

[7] Paragraph 42 of SAS 99 states, "Even if specific risks of material misstatement due to fraud are not identified by the auditor, there is a possibility that management override of controls could occur, and accordingly, the auditor should address that risk apart from any conclusions regarding the existence of more specifically identifiable risks." The risk of management override increases the likelihood of fraud and the likelihood that it will result in a material misstatement in the financial statements.
Management Override of Controls: Improper Journal Entries or Adjustments (continued)

Programs and Controls

Control Environment Activities:
- Active oversight from the audit committee
- Regular ethics training/policies/adherence
- Published code of ethics/conduct with provisions related to fraud
- Formal hiring and promotion standards (with background checks for those with significant influence over financial reporting)
- Tone at the top, including attitudes towards controls and corporate compliance
Control Activities:
- Segregation of duties and required approvals: journal entries and adjustments require two signatures, including proper approvals, before posting
- Application controls to prohibit further processing without necessary approvals
- Required supporting documentation for all nonsystematic/manual journal entries
- General computer controls limiting access to the general ledger system and recording names of individuals who initiate and/or approve nonsystematic/manual journal entries
Information and Communication:
- A system for effective knowledge management to collect and communicate appropriate information pertaining to the risk of management override of controls and antifraud programs and controls
Monitoring Activities:
- Identify and evaluate the appropriateness of unusual nonroutine journal entries (consider utilizing computer-assisted techniques to identify unusual or nonroutine entries)
- Regular review of ethics/whistleblower complaints with allegations or concerns of improper ethical behavior by management or improper financial reporting
- Regular review of financial results, including analytics and financial ratios, with a comparison to company normal or industry averages
Section 4: Sample Listing of Fraud Schemes

The following listing of possible fraud schemes can be utilized by management and auditors to assist in identifying possible fraud risks, scenarios, and schemes when performing or evaluating management's fraud risk assessments. The listing of fraud schemes is not intended to be a complete listing of all possible fraud schemes for all industries.
Fraudulent Financial Reporting Schemes

Improper Revenue Recognition

Side Agreements
Sales terms and conditions may be modified, revoked, or otherwise amended outside of the recognized sales process or reporting channels and may impact revenue recognition. Common modifications may include granting of rights of return, extended payment terms, refund, or exchange. Sellers may provide these terms and conditions in concealed side letters, e-mails, or in verbal agreements in order to recognize revenue before the sale is complete. In the ordinary course of business, sales agreements can be and often are legitimately amended, and there is nothing wrong with giving purchasers a right of return or exchange, as long as revenue is recognized in the proper accounting period with appropriate reserves established.

Roundtrip Transactions
Recording transactions that occur between two or more companies for which there is no business purpose or economic benefit to the companies involved. These transactions are often entered into for the purpose of inflating revenues or creating the appearance of strong sales growth. Transactions may include sales between companies for the same amount within a short time period, or they may involve a loan to or investment in a customer so that the customer has the ability to purchase the goods. Cash may change hands, but payment alone does not legitimize the transaction or justify the recognition of revenue if there is no underlying business purpose or economic benefit for the transactions.

Bill and Holds
A bill and hold transaction takes place when products have been booked as a sale but delivery and transfer of ownership have not occurred as of the date the sale is recorded. The transaction may involve a legitimate sales or purchase order; however, the customer is not ready, willing, or able to accept delivery of the product at the time the sale is recorded. Sellers may hold the goods in their own facilities or may ship them to different locations, including third-party warehouses.

Altering Shipping Documentation
By creating phony shipping documentation, a company may falsely record sales transactions and improperly recognize revenue. By altering shipping documentation (commonly changing shipment dates and/or terms), a company can increase revenue in a specific accounting period despite facts and circumstances indicating that the transaction and the resulting revenue should have been recorded in the subsequent accounting period.

Agreements to Sell-Through Product
These sales agreements include contingent terms that are based on the future performance of the buyer of the goods (commonly distributors or resellers) and impact revenue recognition for the seller. These contingent terms may or may not be included in the sales agreements and may be provided in side agreements. Sell-through agreements are similar to consignment sales and can involve shipment of goods to a party who agrees to sell them to third parties. A sale is not considered to have taken place (and therefore revenue should not be recorded) until the goods are sold to a third party (a customer or end-user) with no additional contingent sales terms.

Up-Front Fees
Some sales transactions require customers to pay up-front fees for services that will be provided over an extended period of time. Companies may attempt to recognize the full amount of the contract or the amount of the fees received before the services are performed (and before revenue is earned). In some instances, the scheme may involve the falsification or modification of accounting records (e.g., purchase orders, invoices and sales contracts).

Holding Accounting Periods Open
Improperly holding accounting records open beyond the end of an accounting period can enable companies to record additional transactions that occur after the end of a reporting period in the current accounting period. This scheme commonly involves recording sales and/or cash receipts that occur after the end of the reporting period in the current period. Schemes sometimes include falsification or modification of accounting documentation (dates on shipping documents, purchase orders, bank statements, cash reconciliations, cash receipt journals, etc.) in an attempt to cover the trail of the fraud.

Failure to Record Sales Provisions or Allowances
Some sales transactions require companies to record provisions or reductions to gross sales amounts (e.g., to account for future sales returns). By failing to record sales provisions or reductions, companies can improperly overstate revenues. The scheme may involve the falsification or modification of accounting records in an attempt to hide the terms or conditions that may require the sales reduction (e.g., purchase orders, invoices and sales contracts).
Inventory Schemes

Inflating the Value of Inventory
Inventory valuations can be manipulated in a number of ways, including: moving inventory between locations to fictitiously inflate inventory quantities, postponing and under-reporting of write-downs and reserves for obsolescence, manipulating unit valuations applied to on-hand inventories, and improper inventory capitalization.
Off-Site or Fictitious Inventory
Companies may create inventory by falsifying journal entries, receiving and shipping reports, purchase orders, or cycle counts. Companies may participate in these schemes to decrease cost of sales as a percentage of sales or to maintain inventory balances for debt covenants or other reasons.
Other Financial Reporting Schemes

Fraudulent Audit Confirmations
Fraudulent audit confirmations can impact all types of accounts or transactions that are confirmed with third parties (sales, cash, accounts receivable, debt, liabilities, etc.). Schemes may involve collusion with third parties who receive the audit confirmations or may involve the company providing the auditors with false contact information (false mailing addresses, fax numbers, phone numbers, etc.) so that confirmations are diverted to co-conspirators involved in the scheme.

Refreshed Receivables
In order to mask rising accounts receivable balances (including known or suspected uncollectible balances) while avoiding increasing the bad debt provision, a company may refresh the aging of receivables and improperly represent A/R balances as being current in nature instead of showing the true age of the receivables. This may occur with exchange transactions with customers, where customers can receive credits to their accounts and are allowed to repurchase goods where little, if any, physical transfer of merchandise occurs. Some schemes may simply modify or edit dates of invoices in the A/R system, which results in a restart of the aging process for the modified receivables. Schemes may involve the falsification or improper modification of accounting documentation (invoices, purchase orders, change orders, shipping reports, etc.) to cover up the fraud scheme.
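An added example (not from the original document) serving two passages: the A/R aging and days-sales-outstanding reviews listed under Monitoring Activities for inappropriate/early revenue recognition in Section 3, and the refreshed-receivables scheme just described, where invoice dates are edited to restart aging. The invoices, the field-level change log of the A/R system, the aging bucket boundaries, the credit-sales figure and the company's normal DSO are all constructed for this example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Tuple

# Aging buckets by days since invoice date (the boundaries are an assumption for the example).
BUCKETS = ["current", "31-60", "61-90", "over_90"]


def bucket_for(invoice_date: date, as_of: date) -> str:
    """Aging bucket an invoice falls into as of the reporting date."""
    age = (as_of - invoice_date).days
    if age <= 30:
        return "current"
    if age <= 60:
        return "31-60"
    if age <= 90:
        return "61-90"
    return "over_90"


@dataclass
class Invoice:
    invoice_id: str
    customer: str
    invoice_date: date  # the date as the A/R system stores it today
    amount: float


@dataclass
class ChangeRecord:
    # One row of the A/R system's field-level change log (assumed format).
    invoice_id: str
    field: str
    old_value: str
    new_value: str
    changed_on: date
    changed_by: str


def aging_buckets(invoices: List[Invoice], as_of: date) -> Dict[str, float]:
    """Open receivables per aging bucket, as the system currently reports them."""
    totals = {b: 0.0 for b in BUCKETS}
    for inv in invoices:
        totals[bucket_for(inv.invoice_date, as_of)] += inv.amount
    return totals


def original_invoice_dates(change_log: List[ChangeRecord]) -> Dict[str, date]:
    """First recorded invoice date for every invoice whose date was ever edited."""
    originals: Dict[str, date] = {}
    for rec in sorted(change_log, key=lambda r: r.changed_on):
        if rec.field == "invoice_date" and rec.invoice_id not in originals:
            originals[rec.invoice_id] = date.fromisoformat(rec.old_value)
    return originals


def restated_aging(invoices, change_log, as_of) -> Dict[str, float]:
    """Aging recomputed on original invoice dates, so a date edit cannot hide true age."""
    originals = original_invoice_dates(change_log)
    restated = [Invoice(i.invoice_id, i.customer, originals.get(i.invoice_id, i.invoice_date), i.amount)
                for i in invoices]
    return aging_buckets(restated, as_of)


def detect_refreshed_invoices(change_log, as_of) -> List[Tuple[str, str, str, str]]:
    """Invoice-date edits that moved an invoice into a younger bucket: (id, old, new, who)."""
    hits = []
    for rec in change_log:
        if rec.field != "invoice_date":
            continue
        old_b = bucket_for(date.fromisoformat(rec.old_value), as_of)
        new_b = bucket_for(date.fromisoformat(rec.new_value), as_of)
        if BUCKETS.index(new_b) < BUCKETS.index(old_b):
            hits.append((rec.invoice_id, old_b, new_b, rec.changed_by))
    return hits


def days_sales_outstanding(receivables: float, credit_sales: float, days_in_period: int) -> float:
    """DSO = receivables / credit sales for the period * days in the period."""
    return receivables / credit_sales * days_in_period


def dso_exceeds_norm(dso: float, company_norm: float, tolerance: float = 0.15) -> bool:
    """True when DSO sits more than `tolerance` above the company's normal level."""
    return dso > company_norm * (1 + tolerance)


# Constructed sample: INV-3 had its invoice date edited two days before year end.
AS_OF = date(2019, 12, 31)
SAMPLE_INVOICES = [
    Invoice("INV-1", "Acme", date(2019, 12, 20), 10_000.0),
    Invoice("INV-2", "Beta", date(2019, 11, 10), 25_000.0),
    Invoice("INV-3", "Gamma", date(2019, 12, 18), 40_000.0),  # stored date after the edit
    Invoice("INV-4", "Delta", date(2019, 10, 20), 12_000.0),
    Invoice("INV-5", "Acme", date(2019, 12, 28), 8_000.0),
]
SAMPLE_CHANGE_LOG = [
    ChangeRecord("INV-2", "invoice_date", "2019-11-12", "2019-11-10", date(2019, 11, 12), "billing"),
    ChangeRecord("INV-5", "amount", "8500.0", "8000.0", date(2019, 12, 29), "billing"),
    ChangeRecord("INV-3", "invoice_date", "2019-09-15", "2019-12-18", date(2019, 12, 30), "ar.clerk"),
]

if __name__ == "__main__":
    print("reported aging:", aging_buckets(SAMPLE_INVOICES, AS_OF))
    print("restated aging:", restated_aging(SAMPLE_INVOICES, SAMPLE_CHANGE_LOG, AS_OF))
    print("refreshed invoices:", detect_refreshed_invoices(SAMPLE_CHANGE_LOG, AS_OF))
    dso = days_sales_outstanding(sum(i.amount for i in SAMPLE_INVOICES), 180_000.0, 92)
    print(f"DSO {dso:.1f} days; above company norm of 40: {dso_exceeds_norm(dso, 40.0)}")
```

The INV-2 edit moved the date earlier and stays within the same bucket, so it is not flagged; only edits that make a receivable look younger are reported.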
Promotional Allowance Manipulations
Promotional allowances may be provided as rebates, incentives, or other credits to buyers/customers as an incentive to purchase products. Allowances may take the form of volume discounts, reimbursements for special handling, co-advertising reimbursements, slotting fees, etc. Often promotional allowances are based on future events (such as purchase volumes over a specified period of time, future advertising costs, etc.) and often require considerable estimates that may be manipulated or biased. Some schemes involve the early recognition of revenue on up-front fees collected or the failure to accrue for rebates or credits that are likely to be earned by the buyer. Other fraud schemes involve fraudulent financial reporting and the misclassification of credits on the income statement.

Adjustments to Estimates
Estimates are common throughout the accounting process and can be manipulated to impact revenues, expenses, asset valuations, and/or liabilities. Management is often in a position where it can influence or bias estimates. Common fraud schemes involve the reduction of accruals or reserves in order to increase earnings in the current period, and may involve the earlier creation of excess reserves or "cookie-jar" reserves when the company was in a financial position to create a cushion against future losses.

Off-Balance-Sheet Entities and Liabilities
Some schemes involve the use of off-balance-sheet vehicles or special purpose entities to conceal liabilities. Off-balance-sheet vehicles may be allowable under GAAP; however, some schemes are designed to utilize these entities or transactions to conceal debt and misstate liabilities on the balance sheet, and may also have an income statement impact.

Improper Asset Valuations
There is often a direct relationship between the overstatement of assets and inflation of earnings. Many fraud schemes involve the hiding or misplacement of debits on the balance sheet that should be recorded on the income statement. These debits are often improperly recorded as assets or as a reduction to existing liabilities. Overvaluing assets is often considered a relatively simple way to directly manipulate reported earnings.

Phony Investment Deals
Designed to overstate assets and earnings, schemes can deliberately overstate existing investments or create fictitious investments. Investments may also be intentionally misclassified, resulting in the improper recognition of gains or failure to recognize losses. Other schemes are designed to hide or defer losses from sales or permanent write-downs from impairments.

Improper Capitalization of Expenses
Capital expenditures are costs that benefit the company over more than one accounting period, and accordingly, the expenditures should be amortized over the life of the asset. Companies may improperly capitalize certain expenditures in order to avoid recognizing the full amount of the expense in the current period. Expenses may be capitalized into various asset accounts, and may include software development costs, research and development costs, start-up costs, interest costs, advertising costs, inventory and labor costs, etc.

Adding Back Outstanding Checks to Cash
Cash reconciliations can be manipulated in order to inflate ending cash balances. Some schemes are accomplished with one reconciling item or adjustment on the reconciliation, or may involve selecting and removing specific checks from the outstanding check registers.

Unjustified Consolidation Entries
Some schemes occur during the financial closing and consolidation process and involve unjustified or fictitious consolidation entries. Often there is limited accounting documentation or explanation for consolidation entries and activities.

Intercompany Manipulations
Similar to other accounting schemes involving consolidations, intercompany manipulations may have limited documentation or explanations for intercompany entries and activities. Schemes may occur to over/understate balances or may involve the creation of fictitious transactions.
Related Parties That Create Transactions
Related-party transactions are made with entities that are controlled or influenced by the company. Schemes may involve improper or inadequate disclosure of transactions or more elaborate schemes to create fictitious transactions between entities, often with the intent to increase reported revenues or assets.

Disclosure Frauds
Fraudulent disclosures may include providing false information or the failure to disclose required information. Schemes may involve a company's failure to disclose certain transactions with related parties, material asset impairments, unrecorded liabilities or accounting practices that violate GAAP.
Misappropriation of Assets

Skimming of Cash
Skimming schemes often involve the sales cycle, where employees embezzle by not recording the sale or the full amount of the cash collected. A typical skimming scheme might involve a retail store where an employee collects cash from a customer, pockets the money, and avoids recording the transaction in the point of sale system. Other skimming schemes are not limited to cash transactions and may involve diverting customer checks.

Fraudulent Disbursements
Schemes may include billing schemes, procurement fraud, theft of company checks, payroll and ghost employee schemes, and expense reimbursement schemes. A common procurement scheme is to set up phony vendors or suppliers in the accounts payable system or to approve payments for services that are received by the employee or a co-conspirator. Payroll schemes can include falsification of hours worked, creation of fictitious employees, failure to remove employees who have left the company, and the diversion of payments to employees or co-conspirators.
Other Fraud Schemes

Bribery, Corruption, & Kickbacks
Corruption and bribery may take a variety of forms within an organization and may include such items as vendors paying gratuities to buyers to secure sales, buyers paying premiums to vendors because of a buyer's personal relationships, payments to shell companies for soft services that are not actually rendered, payment terms structured to avoid proper approval signatures, or the same vendor appearing in the payables system in numerous ways as a method of making duplicate payments. Schemes may also involve preferred service providers who are willing to pay kickbacks to individuals for the company's business. The Foreign Corrupt Practices Act (FCPA) was enacted to reduce the threat of bribery and corruption in foreign countries.

Money Laundering
Money laundering is the process of concealing the source of illegally obtained money. This process is of critical importance to the perpetrator, as it enables the criminal to enjoy profits without revealing their source. Activities may involve disguising the sources, changing the form, or moving the funds to a place where they are less likely to attract attention. Money laundering profits may come from embezzlement, insider trading, bribery, computer fraud schemes, illegal arms sales, smuggling, and the activities of organized crime.
Section 5: Antifraud Programs & Controls: Steps and Considerations

This section discusses steps and considerations for management in relation to the risk of fraud and antifraud programs and controls.
In preparing this section, the following sources have been referenced:
SEC, Final Rule: Management's Reports on Internal Control Over Financial Reporting and Certification of Disclosure in Exchange Act Periodic Reports
PCAOB Auditing Standard No. 2, An Audit of Internal Control Over Financial Reporting Performed In Conjunction With an Audit of Financial Statements
SAS 99, Consideration of Fraud in a Financial Statement Audit
SAS 99 Exhibit, Management Antifraud Programs and Controls
Committee of Sponsoring Organizations of the Treadway Commission, Internal Control - Integrated Framework
United States Sentencing Commission, Guidelines Manual

The five components of the COSO framework are interrelated, and the process of implementing and updating antifraud programs and controls is iterative in nature. Truly effective antifraud programs are dynamic, where the information obtained through the monitoring process is fed back into the risk assessment and the entire process begins anew.
Each of the five COSO components is discussed in the context of:
scope and objectives
participants and responsibilities
elements and design
management assessments
examples of common documentation
The evaluation of deficiencies in antifraud programs and controls is part of management's overall assessment of internal control. Management should assess the design and operating effectiveness of antifraud programs and controls and provide sufficient documentation of its programs, assessments, and conclusions, including the identification of any deficiencies. As with other internal control deficiencies, management and the auditor should evaluate the significance of these deficiencies.
1. Performing Fraud Risk Assessments
Scope & Objectives
Fraud risk assessments should be performed at all appropriate levels within the organization, including:
the entity level, which should consider internal and external factors and pressures on the organization
the significant account balance level; dealing with risks at this level helps focus fraud risk assessments on accounts that could be materially misstated
significant locations or business units, as fraud risks commonly differ from location to location due to differing operations, organizational structures, culture, etc.
The fraud risk assessment should consider collusive fraud and the risk of management's override of controls. Collusive fraud occurs when more than one individual within and/or outside the entity has engaged in a conspiracy to circumvent or override internal control activities. Collusive fraud often is not identified through traditional testing techniques. Consideration should also be given to the risk of management's override of controls, as management typically has the ability to commit fraud because it frequently is in a position to directly or indirectly manipulate accounting records.[8] Management override of controls can occur in unpredictable ways.
Participants & Responsibilities
Management has the primary responsibility for performing fraud risk assessments. Historically, most material frauds have been directed in part by management and detected by employees and those responsible for corporate governance at other levels in the organization. It is therefore critical that employees outside of management are involved in the fraud risk assessment. It is important that the fraud risk assessment include business process owners or those who have significant knowledge, control, or influence over the activities within a significant business process or cycle. The audit committee (or the board of directors where no audit committee exists) should evaluate management's identification of fraud risks and should have an active role in the oversight of the fraud risk assessment process. IT management should participate, as some fraud schemes are enabled by disabling or circumventing information system controls. Additionally, internal audit should have an active role in the development, monitoring, and ongoing evaluation of fraud risk assessments.
Elements & Design
A formal fraud risk assessment should be performed, documented, and updated periodically. Updates should include consideration of changes in operations, new information systems, acquisitions, changes in job roles and responsibilities, employees in new positions, results from self-assessments of controls, monitoring activities, internal audit findings, new or evolving industry trends, and revisions to identified fraud risks within the organization or industry.
Management should identify events or conditions that indicate incentives/pressures to perpetrate fraud, opportunities to carry out the fraud, or attitudes/rationalizations to justify a fraudulent action. Such events or conditions are referred to as fraud risk factors. Fraud risk factors do not necessarily indicate the existence of fraud; however, they often are present in circumstances where fraud exists and can help identify potential fraud risks.
Incentives/Pressures: Pressure may be real or perceived. Pressure is usually created by circumstances the perpetrator is either subject to or perceives him/herself to be subject to (e.g., personal financial pressures such as a spouse who loses a job, or market pressures to meet financial targets or goals). There may also be incentives that increase the likelihood of fraud (e.g., a management bonus structure based on achievement of financial targets).
Attitudes/Rationalizations: Rationalization is the process by which a person committing a fraud legitimizes or justifies the crime. This often includes an attitude or feeling of entitlement and/or a belief that the company can afford it. For example, a perpetrator may rationalize a theft by saying "the company makes millions, it won't miss a few thousand and I really need the money" or "by making our numbers nobody will be laid off."
Opportunities: Opportunities to commit fraud can manifest themselves in different ways. If internal controls surrounding financial reporting or the safeguarding of assets are inadequate, it may be relatively easy for a perpetrator to record fraudulent transactions or steal assets. Some employees (often within management) may be in a position to override controls, which may create opportunities to commit fraud. There is another consideration for opportunities that is often overlooked: a low perception of detection, or meaningless consequences for inappropriate behavior within the organization, may allow greater opportunities for fraud to occur than if there is the deterrent element of a high likelihood of detection and severe consequences. Further, collusion may enable perpetrators to bypass existing controls, rendering those controls ineffective. Most traditional internal preventive controls are not effective at addressing collusive fraud. Collusive fraud is generally found by detective controls coupled with an understanding of the business and operating environment.
The Appendix to SAS 99 provides examples of fraud risk factors that management may consider as part of the fraud risk assessment. Management should also consider additional fraud risk factors such as known frauds within the industry and organization and past allegations or suspicions of fraud. The consideration of fraud risk factors is critical, as risk factors lead to fraud risks that need to be considered when implementing control activities and programs.
[8] SAS 99, paragraph 8.
Management should evaluate fraud risk factors, brainstorm possible fraud schemes and scenarios that could result from the fraud risk factors, and evaluate the fraud schemes and scenarios to identify those that should be considered fraud risks. Paragraph 40 of SAS 99 states:
the identification of a risk of material misstatement due to fraud involves the application of professional judgment and includes the consideration of the attributes of the risk, including:
the type of risk that may exist, that is, whether it involves fraudulent financial reporting or misappropriation of assets
the significance of the risk, that is, whether it is of a magnitude that could lead to a possible material misstatement of the financial statements
the likelihood of the risk, that is, the likelihood that it will result in a material misstatement in the financial statements
the pervasiveness of the risk, that is, whether the potential risk is pervasive to the financial statements as a whole or specifically related to a particular assertion, account, or class of transactions
Although the intent of the process is not to identify insignificant risks (e.g., immaterial theft of office supplies), it should be noted that inappropriate behavior may be indicative of broader issues in the control environment. Also, Section 302 of Sarbanes-Oxley requires disclosure of any fraud, whether or not material, that involves management or other employees who have a significant role in the issuer's internal controls.
The fraud risk assessment should be performed without consideration of the existence or effectiveness of internal controls. Fraud risks should be identified, documented, and evaluated before management determines whether existing control activities sufficiently mitigate the identified fraud risk. Later, during the design and implementation of antifraud control activities, identified fraud risks should be mapped or linked to antifraud control activities to ensure that all identified fraud risks are sufficiently mitigated.
Management Assessments
Management should evaluate the design and operating effectiveness of the fraud risk assessment process and document its conclusions. Examples of situations or circumstances that may indicate that fraud risk assessments are not operating effectively include:
audit committee and internal audit involvement is insufficient
frauds that have occurred indicate that the fraud risk assessment process is ineffective
external auditors identify fraud risks that the organization had not previously identified
Examples of Common Documentation
The purpose of the documentation is to provide evidence of the existence of the program and management's processes to identify fraud risks. Documentation should be sufficient for auditors to understand how management implemented the program and its conclusions regarding the design and operating effectiveness of the fraud risk assessment.
Documentation related to fraud risk assessments may include the following:
periodic updates, including the consideration of past frauds, fraud risks, and involvement of appropriate employees
oversight and review of the fraud risk assessment process by management and the audit committee
participation by internal audit, including testing of the effectiveness of the risk assessment process and internal controls
management's evaluation of fraud risk factors to determine which risk factors are identified as fraud risks
management's assessment and conclusions regarding the design and operating effectiveness of the fraud risk assessment
2. Creating a Control Environment
Scope & Objectives
The control environment should be pervasive throughout the organization, in actions as well as in words, and should permeate down to all levels of the organization. The control environment should create and maintain a culture of honesty; set high ethical standards; promote ethical behavior; provide discipline for violations of the code of ethics/conduct; set an appropriate tone for the entity's attitudes toward fraud and fraud prevention; and promote controls to prevent, deter, and detect fraud.
Participants & Responsibilities
Management, along with those who have responsibility for oversight of the financial reporting process (such as the audit committee), is primarily responsible for creating the control environment. The audit committee and board of directors should be independent of management and actively involved in the creation, communication, and oversight of the control environment. The internal audit function also has an important role in the control environment and should have an independent reporting line directly to the audit committee. Employees are also participants in the control environment: they should embrace and support the programs and controls, report suspicions of fraud, and provide insights into the tone of the organization during cultural assessments.
Elements & Design
Tone at the top
The control environment should include a proper tone at the top, which includes a culture and work environment that promotes open communication, consultation, and ethical behavior. Management should consider taking reasonable steps to evaluate the culture of the organization to ensure that a proper tone at the top exists. Assessments may include inquiry of management or internal audit, or may involve anonymous surveys or other means to gain insight into the tone of the organization.
A proper tone at the top encourages ethical behavior as well as the development of and compliance with antifraud activities, such as controls restraining fraudulent financial reporting and the misappropriation of company assets that could result in a material misstatement of the financial statements. Management should design controls to safeguard assets, to deter defalcations and misappropriations of assets, and to restrain other inappropriate uses of company assets (such as unauthorized cash payments, improper use of company assets or services, and misuse or theft of intangibles including intellectual property). There may be situations where an employee defalcation, however small, may be considered a red flag or indicative of broader issues, including a culture of rationalization. Because of the importance of the tone at the top and management's influence on organizations, Section 302 of the Sarbanes-Oxley Act of 2002 requires the signing officers to disclose to the issuer's auditors and the audit committee of the board of directors any fraud, whether or not material, that involves management or other employees who have a significant role in the issuer's internal controls.
Oversight by the audit committee and board of directors
The audit committee has the responsibility to:
monitor the financial reporting process
oversee the internal control system and antifraud programs and controls
oversee the internal audit and independent public accounting functions
report findings to the board of directors
The audit committee should understand its role of ensuring that the organization has antifraud programs and controls in place to help prevent, detect, and deter fraud. It should take an active role in the oversight of management's efforts to design and implement internal controls, including antifraud programs and controls, and should challenge management to ensure that fraud risks are identified during risk assessments and that appropriate control activities are designed and monitored to mitigate the fraud risks.
The audit committee should ensure that the organization has implemented an effective ethics and compliance program and that it is periodically tested. Since the occurrence of significant fraud can frequently be attributed to an override of internal controls by management (and others), the audit committee plays an important role in ensuring that internal controls address the appropriate risk areas and are functioning as designed.
Given the importance of the audit committee's oversight role with regard to antifraud programs and controls, PCAOB Auditing Standard No. 2 notes that ineffective oversight by the audit committee may be a strong indicator that a material weakness exists in internal control over financial reporting.[9]
Internal audit involvement
An effective internal audit function can be extremely helpful in the design, implementation, and oversight of antifraud programs and controls. Internal auditors have the opportunity to identify and evaluate fraud risks and controls and to recommend actions to mitigate risks and improve control. Internal audits can serve to both detect and deter fraud by examining and evaluating the adequacy and effectiveness of the system of internal control.
Internal auditors may conduct proactive auditing to search for corruption, misappropriation of assets, and financial statement fraud. Internal auditors should have an independent reporting line directly to the audit committee to enable them to express any concerns about management's commitment to appropriate internal controls or to report suspicions or allegations of fraud involving senior management.[10]
PCAOB Auditing Standard No. 2 notes that an ineffective internal audit function should be regarded as at least a significant deficiency in internal control over financial reporting.[11]
Code of ethics/conduct
A code of ethics/conduct should have provisions related to conflicts of interest, related-party transactions, illegal acts, and the monitoring of the code by management and the audit committee or board.
Section 406 of the Sarbanes-Oxley Act of 2002 and the SEC's Final Rule, Disclosure Required by Sections 406 and 407 of the Sarbanes-Oxley Act of 2002 [12], require a registrant to disclose whether it has adopted a code of ethics and, if it has not, to explain why. The NYSE and NASDAQ rules also require the adoption and public disclosure of a code of business conduct and ethics.
The SEC's final rule defines the term code of ethics as:
Written standards that are reasonably designed to deter wrongdoing and to promote:
Honest and ethical conduct, including the ethical handling of actual or apparent conflicts of interest between personal and professional relationships;
Full, fair, accurate, timely, and understandable disclosure in reports and documents that a registrant files with, or submits to, the Commission and in other public communications made by the registrant;
Compliance with applicable governmental laws, rules, and regulations;
The prompt internal reporting to an appropriate person or persons identified in the code of violations of the code; and
Accountability for adherence to the code.
[9] PCAOB, Auditing Standard No. 2, paragraph 140.
[10] Exhibit to SAS 99, Management Antifraud Programs and Controls, section "Internal Auditors".
[11] PCAOB, Auditing Standard No. 2, paragraph 140.
[12] Final Rule: Disclosure Required by Sections 406 and 407 of the Sarbanes-Oxley Act of 2002, SEC, section (II)(B)(2)(c), Final Definition of Code of Ethics. Electronic copy can be reviewed at http://www.sec.gov/rules/final/33-8177.htm
The code of ethics/conduct should apply to all individuals who are involved with and/or have influence over the financial statements and anyone who prepares the financial statements, including those who have direct involvement or oversight responsibilities (e.g., members of the board of directors, general counsel, and executive officers). The board of directors and audit committee have oversight responsibilities for the code of ethics/conduct that may be documented in the board of directors' meeting minutes along with their review and acceptance of the code of ethics/conduct.
Companies should consider developing a code of ethics/conduct for all employees, with periodic confirmations that employees understand the code and agree to follow it. There should also be training on the code of ethics/conduct and proper communication to all employees about where it can be found and whom to call if there are questions or concerns about the policies.
Ethics hotline and whistleblower program
Section 301 of the Sarbanes-Oxley Act of 2002, Standards Relating to Listed Company Audit Committees, requires each issuer's audit committee to establish procedures for:
the receipt, retention, and treatment of complaints received by the issuer regarding accounting, internal accounting controls, or auditing matters and
the confidential, anonymous submission by employees of the issuer of concerns regarding questionable accounting or auditing matters
Hotlines should be accessible to all employees. Management may consider making them available to individuals outside of the organization (i.e., vendors, customers, and agents) to report fraudulent behavior without fear of retribution. There should be training to ensure that all employees know how and when to use the hotline. Companies should assess the adequacy of procedures for handling complaints and for accepting confidential whistleblower submissions of concerns about questionable accounting or auditing matters.
In addition to establishing the hotline, companies should have a formal program and procedures for proper follow-up on reported allegations. The procedures im