Deloittes_AntiFruad Program and Controls.pdf


8/22/2019 Deloittes_AntiFruad Program and Controls.pdf

    Antifraud Programs & Controls


Introduction

In today's business environment, with increased legislative and regulatory requirements, there is a greater need for organizations to understand and address fraud risks. The likelihood of fraud occurring can be reduced by implementing effective antifraud programs and controls that can identify fraud in a timely manner and minimize the resulting damage. Fraud prevention and detection also makes good business sense and can provide cost savings to organizations.

This document provides examples and considerations for management and auditors with respect to the risk of fraud and antifraud programs and controls, and is written in the context of the Committee of Sponsoring Organizations (COSO) of the Treadway Commission's Internal Control - Integrated Framework.[1]

This document is intended to provide general information and considerations on a particular subject or subjects and is not an exhaustive treatment of such subject(s). This document provides general references to various sources, including the Sarbanes-Oxley Act of 2002, U.S. Securities and Exchange Commission, Public Company Accounting Oversight Board, American Institute of Certified Public Accountants, and Committee of Sponsoring Organizations of the Treadway Commission. It is the responsibility of boards of directors, audit committees, and companies to read and interpret the sources, or information received from them, to determine, customize and tailor responses based on their company's facts, circumstances and requirements.

Deloitte & Touche LLP (Deloitte & Touche) is not, by means of this document, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This document is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. The information contained in this document likely will change in material respects; Deloitte & Touche is under no obligation to update such information. Before making any decision or taking any action that might affect your professional interests, you should consult a qualified professional advisor. Deloitte & Touche is not responsible for any loss sustained by any person who relies on this document.

Table of Contents

Introduction
Overview
Antifraud Programs and Controls - The COSO Framework
Section 1: Questions to Consider
Section 2: Example Implementation Plan - Performing Fraud Risk Assessments
Section 3: Sample Process
Section 4: Sample Listing of Fraud Schemes
Section 5: Steps and Considerations

Overview

Fraud has always represented a business risk for organizations. High-profile financial reporting scandals renewed the focus on fraud, resulting in comprehensive legislation and Securities and Exchange Commission (SEC) rulemaking concerning corporate governance and internal controls.

Section 404 of the Sarbanes-Oxley Act of 2002, Management Assessment of Internal Controls, requires company management to file an annual report on internal control over financial reporting. The SEC's resultant Final Rule: Management's Reports on Internal Control Over Financial Reporting and Certification of Disclosure in Exchange Act Periodic Reports provides guidance on management's responsibilities related to fraud:

    The assessment of a company's internal control over financial reporting must be based on procedures sufficient both to evaluate its design and to test its operating effectiveness. Controls subject to such assessment include ... controls related to the prevention, identification, and detection of fraud.[2]

[1] Internal Control - Integrated Framework, Committee of Sponsoring Organizations of the Treadway Commission, copyright 1992, 1994. Executive summary and ordering information for the full document available at: http://www.coso.org/publications/executive_summary_integrated_framework.htm.

[2] Final Rule: Management's Report on Internal Control Over Financial Reporting and Certification of Disclosure in Exchange Act Periodic Reports, U.S. Securities and Exchange Commission, 2003, Section (II)(B)(3)(d). Electronic copy can be viewed at: http://www.sec.gov/rules/final/33-8238.htm.

Additionally, the Public Company Accounting Oversight Board's (PCAOB) Auditing Standard No. 2 increased responsibilities for auditors beyond those required by Statement on Auditing Standards No. 99, Consideration of Fraud in a Financial Statement Audit (SAS 99). Although SAS 99 provides detailed guidance on the fraud risk assessment, it only requires the auditor to gain an understanding of management's antifraud programs and controls. Under the PCAOB's Auditing Standard No. 2, auditors should evaluate antifraud programs and controls as part of the audit of internal control over financial reporting. The PCAOB Auditing Standard No. 2 states:

    The auditor should evaluate all controls specifically intended to address the risks of fraud that have at least a reasonably possible likelihood of having a material effect on the company's financial statements. These controls may be a part of any of the five components of internal control over financial reporting ... Controls related to the prevention and detection of fraud often have a pervasive effect on the risk of fraud. Such controls include, but are not limited to, the:

    - Controls restraining misappropriation of company assets that could result in a material misstatement of the financial statements;
    - Company's risk assessment processes;
    - Code of ethics/conduct provisions, especially those related to conflicts of interest, related-party transactions, illegal acts, and the monitoring of the code by management and the audit committee or board;
    - Adequacy of the internal audit activity and whether the internal audit function reports directly to the audit committee, as well as the extent of the audit committee's involvement and interaction with internal audit; and
    - Adequacy of the company's procedures for handling complaints and for accepting confidential submissions of concerns about questionable accounting or auditing matters.

    Part of management's responsibility when designing a company's internal control over financial reporting is to design and implement programs and controls to prevent, deter, and detect fraud. Management, along with those who have responsibility for oversight of the financial reporting process (such as the audit committee), should set the proper tone; create and maintain a culture of honesty and high ethical standards; and establish appropriate controls to prevent, deter, and detect fraud.[3]

Due to the importance of management's antifraud programs and controls, deficiencies in this area ordinarily constitute at least a significant deficiency in internal control over financial reporting. Paragraph 139 of the PCAOB Auditing Standard states:

    The interaction of qualitative considerations that affect internal control over financial reporting with quantitative considerations ordinarily results in deficiencies in the following areas being at least significant deficiencies in internal control over financial reporting:

    - Controls over the selection and application of accounting policies that are in conformity with generally accepted accounting principles;
    - Antifraud programs and controls;
    - Controls over non-routine and non-systematic transactions; and
    - Controls over the period-end financial reporting process, including controls over procedures used to enter transaction totals into the general ledger; initiate, authorize, record, and process journal entries into the general ledger; and record recurring and nonrecurring adjustments to the financial statements.

PCAOB Auditing Standard No. 2 notes that antifraud controls may be a part of any of the five components of internal control over financial reporting and refers to the COSO framework. Antifraud programs and controls are not supplemental to COSO (i.e., they do not represent an additional layer to the framework), but are embedded within the existing five components of the framework.

Summary of Key Terms

Fraud. An understanding of fraud is essential in order for management and auditors to carry out their respective responsibilities. Fraud is defined in paragraphs 5 and 6 of SAS 99 as,

    an intentional act that results in a material misstatement in financial statements that are the subject of an audit. Two types of misstatements are relevant to the auditor's consideration of fraud: misstatements arising from fraudulent financial reporting and misstatements arising from misappropriation of assets.

Recognizing that fraud can take many shapes and forms,[4] and that the concept of materiality is both quantitative and qualitative in nature, it is recommended that management consider additional types of fraud (including those not directly referenced in SAS 99 or PCAOB Auditing Standard No. 2) when designing and implementing antifraud programs and controls. Examples of fraud types that management should consider include:

- fraudulent financial reporting
- misstatements arising from misappropriation of assets
- improper or unauthorized expenditures (including bribery and other improper payment schemes)
- self-dealing (including kickbacks)
- violations of laws and regulations (including those that expose the company or its agents to regulatory or criminal actions, e.g., securities fraud, signing false audit confirmations)

Antifraud Programs & Controls. Guidance on management's antifraud programs and controls is found in SAS 99 and in an attached exhibit, Management Antifraud Programs and Controls, which describes control activities that management should consider to address fraud risks. Paragraph 20 of SAS 99 notes:

    The auditor should inquire of management about ... programs and controls the entity has established to mitigate specific fraud risks the entity has identified, or that otherwise help to prevent, deter, and detect fraud, and how management monitors those programs and controls.

[3] Release No. 2004-001: Auditing Standard No. 2, An Audit of Internal Control Over Financial Reporting Performed in Conjunction with an Audit of Financial Statements, Public Company Accounting Oversight Board, 2004, paragraphs 24 and 25. Electronic copy can be viewed at: http://www.pcaobus.org/rules/Release-20040308-1.pdf.

[4] Black's Law Dictionary (Sixth Edition, 1990) defines fraud as, "An intentional perversion of truth for the purpose of inducing another in reliance upon it to part with some valuable thing belonging to him or to surrender a legal right. A false representation of a matter of fact, whether by words or by conduct, by false or misleading allegations, or by concealment of that which should have been disclosed, which deceives and is intended to deceive another so that he shall act upon it to his legal injury. . . A generic term, embracing all multifarious means which human ingenuity can devise, and which are resorted to by one individual to get advantage over another by false suggestions or by suppression of truth, and includes all surprise, trick, cunning, dissembling, and any unfair way by which another is cheated."


Antifraud Programs and Controls - The COSO Framework

Below are the five components derived from COSO's Internal Control - Integrated Framework that management may consider with respect to their responsibilities for antifraud programs and controls:

1. Performing Fraud Risk Assessments
2. Creating a Control Environment
3. Designing & Implementing Antifraud Control Activities
4. Sharing Information & Communication
5. Monitoring Activities

Performing Fraud Risk Assessments

The first step in addressing fraud is the fraud risk assessment. Fraud risk assessments are designed to identify and evaluate fraud risk factors that could enable fraud to occur within the organization. Every organization has inherent fraud risks that arise from internal and external conditions relative to the entity's industry, operations, geographical locations, size, organizational structure, and general economic conditions. For example, SAS 99, paragraph 41 notes that material misstatements due to fraudulent financial reporting often result from overstatements of revenues and, therefore, the auditor should ordinarily presume that there is a risk of material misstatement due to fraud relating to revenue recognition.

Most companies have at some level already addressed risks of theft. Fraud risk assessments are more than a process to identify risks of theft and should also address other frauds, including fraudulent financial reporting and other misappropriations of assets. The fraud risk assessment involves an expanded focus on considerations of where fraud risk factors may exist within the entity and the potential fraud schemes that could be perpetrated.

Management has the primary responsibility for performing fraud risk assessments. The audit committee should have an active role in the oversight of the process, understand identified fraud risks, and evaluate management's implementation of antifraud measures. The audit committee's evaluation and oversight not only ensures that management fulfills its responsibility, but also can serve as a deterrent to management who themselves could engage in fraudulent activities.

The audit committee, together with management, should also consider the potential risk of management's override of controls or other inappropriate influence over the financial reporting process. Paragraph 8 of SAS 99 notes that,

    Management has a unique ability to perpetrate fraud because it frequently is in a position to directly or indirectly manipulate accounting records and present fraudulent financial information. Fraudulent financial reporting often involves management override of controls that otherwise may appear to be operating effectively.

Special consideration should be given to the risk of override of controls by management, such as (1) recording fictitious journal entries or other adjustments, particularly those recorded close to the end of an accounting period; (2) intentionally biasing assumptions and judgments used to estimate account balances; and (3) entering into significant transactions that are outside of the entity's normal course of business and that lack economic substance.

The fraud risk assessment should be performed without consideration of the existence or effectiveness of internal controls (i.e., it assesses inherent risk), and should be updated periodically to include changes in operations and revisions to fraud risks identified during monitoring activities of antifraud programs.

An example implementation plan for performing fraud risk assessments is provided in Section 2, Example Implementation Plan - Performing Fraud Risk Assessments.

Creating a Control Environment

Emphasis should be placed on the entity's control environment, as it influences the tone of the entire organization. It is the foundation for all other components of internal control and provides discipline and structure. Control environment factors include the integrity, ethical values, and competence of the entity's management and employees, and have a pervasive effect on how business activities are structured and executed. The control environment allows an entity to develop an ethical framework that should address fraudulent financial reporting, misappropriation of assets, corruption, and other fraud issues.

The control environment should set the proper tone at the top, which includes a culture and work environment that promotes open communication, consultation, and ethical behavior. The control environment should be pervasive throughout the organization, in actions as well as words. It should:

- create and maintain a culture of honesty, high ethical standards, and behavior
- provide discipline for violations of the code of conduct/ethics
- set an appropriate tone for the entity's attitude towards fraud and fraud prevention
- promote controls to prevent, deter, and detect fraud

A control environment establishes and promotes a collective attitude towards achieving effective internal control and generating reliable financial statements. The proper design and the effectiveness of the control environment are critical. Having controls by themselves is not sufficient to mitigate fraud risks. For example, if no employees have ever been disciplined for violations of the company's code of conduct/ethics, the code is likely to be ineffective.


All employees have a role in the control environment. Management, the board of directors and the audit committee have the primary responsibility of creating the tone at the top of the organization. The audit committee should take an active role in the oversight of management's efforts to design and implement internal controls, including antifraud programs and controls, and should challenge management to ensure that fraud risks are identified and that appropriate control activities are implemented and monitored.

Elements of the control environment are discussed in Section 5, Steps and Considerations, and include:

- tone at the top
- oversight by the audit committee and board of directors
- internal audit involvement
- code of ethics/conduct
- ethics hotline and whistleblower program
- training
- responses to control deficiencies and allegations of fraud

Designing and Implementing Antifraud Control Activities

After fraud risk assessments are performed and fraud risks are identified, management should address each identified fraud risk by determining whether control activities exist and mitigate the risks. Control activities are policies and procedures designed to address risks and help ensure the achievement of the entity's objectives. Control activities occur throughout the organization, at all levels and in all functions.

Antifraud control activities can be preventative and/or detective in nature. Preventative controls are designed to mitigate specific fraud risks and can deter frauds from occurring, while detective control activities are designed to identify fraud if it occurs. Detective controls can also be used as a monitoring activity to assess the effectiveness of antifraud controls and may provide additional evidence of the effectiveness of antifraud programs and controls. Some of these control activities may be automated in nature and include information technology (IT) systems. Where control activities are not already present, management should design and implement additional controls to specifically address the identified fraud risks.

Special consideration should be given to the risk of override of controls by management. Some programs and controls that deal with management override include: (1) active oversight from the audit committee; (2) whistleblower programs and a system to receive and investigate anonymous complaints; and (3) reviewing journal entries and other adjustments for evidence of possible material misstatement due to fraud.
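The journal-entry review in item (3) above, and the override patterns listed under Performing Fraud Risk Assessments (fictitious or late period-end entries, biased adjustments), can be implemented as an automated detective control that screens the general ledger and ranks entries for a reviewer. The following is an added example in Python, not code from the Deloitte document; the period end, the chart-of-accounts names, the thresholds and the sample journal are constructed assumptions for illustration:

```python
"""Detective control over journal entries: screen a general-ledger
journal for management-override red flags (manual entries at or after
period end, manual revenue adjustments, round amounts, self-approval,
missing descriptions). Added example with constructed sample data;
not part of the Deloitte document."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class JournalEntry:
    je_id: str
    effective: date      # accounting period the entry is booked into
    posted: date         # when the entry was actually recorded
    account: str         # hypothetical GL account name
    amount: float
    entered_by: str
    approved_by: str
    source: str          # "subledger" (system feed) or "manual"
    description: str


# Assumptions for this example: calendar-year period end and a
# two-account revenue section of the chart of accounts.
PERIOD_END = date(2019, 12, 31)
REVENUE_ACCOUNTS = {"4000 Product Revenue", "4100 Service Revenue"}


def flag_entry(je, period_end=PERIOD_END, window_days=3, round_to=10_000):
    """Return the list of red flags raised by one entry (empty = clean)."""
    flags = []
    manual = je.source == "manual"
    days_before_close = (period_end - je.effective).days
    if manual and 0 <= days_before_close < window_days:
        flags.append("manual-entry-near-period-end")
    if manual and je.posted > period_end and je.effective <= period_end:
        flags.append("posted-after-close")        # back-dated into the period
    if manual and je.account in REVENUE_ACCOUNTS:
        flags.append("manual-revenue-adjustment")
    if je.amount >= round_to and je.amount % round_to == 0:
        flags.append("round-amount")
    if manual and je.entered_by == je.approved_by:
        flags.append("self-approved")             # approval control bypassed
    if not je.description.strip():
        flags.append("no-description")
    return flags


def screen(entries):
    """Map je_id -> flags for every entry that raised at least one flag,
    highest flag count first so reviewers start with the riskiest."""
    flagged = {je.je_id: f for je in entries if (f := flag_entry(je))}
    return dict(sorted(flagged.items(), key=lambda kv: -len(kv[1])))


# Constructed sample journal (not real data).
SAMPLE = [
    JournalEntry("JE-1001", date(2019, 12, 15), date(2019, 12, 15),
                 "1200 Accounts Receivable", 12_345.67, "ar_system",
                 "ar_system", "subledger", "Daily AR posting"),
    JournalEntry("JE-1002", date(2019, 12, 31), date(2019, 12, 31),
                 "4000 Product Revenue", 250_000.00, "cfo", "cfo",
                 "manual", "Q4 revenue true-up"),
    JournalEntry("JE-1003", date(2019, 12, 31), date(2020, 1, 4),
                 "2100 Accrued Liabilities", 48_000.00, "controller",
                 "cfo", "manual", ""),
    JournalEntry("JE-1004", date(2019, 12, 10), date(2019, 12, 10),
                 "6200 Travel", 1_250.40, "clerk1", "mgr1",
                 "manual", "Expense reclass"),
]

if __name__ == "__main__":
    for je_id, flags in screen(SAMPLE).items():
        print(je_id, ", ".join(flags))
```

The flags are review prompts, not findings: an entry like JE-1003 (an accrual posted after close) is routine in many close processes, which is why the output is ranked for a reviewer rather than blocked. The window and round-amount thresholds should come from the entity's own fraud risk assessment, and the script itself should run under an account that cannot post or edit entries, so the detective control is not subject to the same override it is looking for.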

Sharing Information & Communication

Effective communication is an important element of all phases of the implementation of antifraud programs and controls. The company's philosophy on fraud prevention and antifraud programs and controls should be clearly communicated throughout the organization so that employees are aware of antifraud activities, have a clear understanding of what is expected of them, and know that the organization takes the risk of fraud seriously. These communications should emanate from all levels of the organization and should include communications with external parties when appropriate (including customers, suppliers, and agents).

A company's code of conduct or ethics is often the first line of communication concerning its philosophy on fraud prevention. However, other communication methods should be used to create awareness of antifraud programs and controls. Information on antifraud programs may be communicated through employee handbooks (either printed or online), company newsletters, company intranet sites, training, and presentations or discussions led by management. Management's antifraud programs and controls should also be documented to provide reasonable support for its assessments of the design and operating effectiveness of the controls.

The procedures implemented to enable communication and information processes should themselves be controlled to prevent unauthorized access or changes.

Monitoring Activities

Management and other appropriate parties in the company should monitor the quality and effectiveness of antifraud programs and controls. Monitoring activities and assessments consist of procedures that include independent evaluations of antifraud controls, which may be performed by internal audit or other groups such as business process owners, and other ongoing monitoring activities that are built into normal recurring operating activities, such as timely reconciliations.

Ongoing monitoring procedures are built into normal recurring operating activities and can often be more effective than separate evaluations because they take place in real time. Examples of ongoing monitoring activities include:

- reconciliations of operating and financial reports
- regular communications with internal and external parties
- regular reviews and recommendations from internal auditors
- planning and training sessions to solicit feedback on whether controls are effective

Independent evaluations of controls vary in scope and frequency, and are commonly performed by internal audit. Separate evaluations may involve implementing detective activities. For example, internal audit may design tests to specifically look for instances of early revenue recognition to ensure that existing controls for revenue recognition are operating effectively. Detective controls are essential to antifraud programs because they provide an additional indication of the effectiveness of preventative control activities and can identify additional fraud risk factors that should be included in management's fraud risk assessment. Some monitoring activities can be automated in nature and, as such, may involve IT systems.

Organizations should take:

    Reasonable steps to achieve compliance with its standards, e.g., by utilizing monitoring and auditing systems reasonably designed to detect criminal conduct by its employees and other agents and by having in place and publicizing a reporting system whereby employees and other agents could report criminal conduct by others within the organization without fear of retribution.[5]

Truly effective antifraud programs are dynamic: the information obtained through the monitoring process is fed back into the risk assessment and the entire process begins anew.

This document is divided into the following sections:

Section 1: Questions to Consider. A list of questions to consider with respect to antifraud programs and controls, in the context of the COSO framework.

Section 2: Example Implementation Plan - Performing Fraud Risk Assessments. Highlights key steps in performing a fraud risk assessment.

Section 3: Sample Process. Two examples of evaluating identified fraud risks and linking programs and controls to the risks:
  (A) Inappropriate/Early Revenue Recognition
  (B) Management Override of Controls - Improper Journal Entries or Adjustments

Section 4: Sample Listing of Fraud Schemes. A listing of fraud schemes to assist in identifying possible fraud risks, scenarios, and schemes when performing or evaluating fraud risk assessments.

Section 5: Antifraud Programs & Controls - Steps and Considerations. A detailed discussion of considerations of antifraud programs and controls.

[5] United States Sentencing Commission, Guidelines Manual, §8A1.2, comment. 3(k), available at: http://www.ussc.gov/2002guid/8a1_2.htm. In 1991, the United States Sentencing Commission introduced seven criteria for effective programs to prevent and detect violations of law (including fraud). Amendments to the Sentencing Guidelines were submitted to Congress on April 30, 2004. Official text of these amendments is available on the Commission's web site at www.ussc.gov and http://www.ussc.gov/2004guid/2004cong.pdf.


Section 1: Questions to Consider

The following is a list of some of the questions for management to consider when designing and evaluating antifraud programs and controls related to each of the COSO components. Management should consider and evaluate the facts and circumstances for their organizations (e.g., the entity's industry, operations, geographical locations, size, organizational structure, and general economic conditions) and tailor their antifraud programs and controls accordingly. Each COSO component should include sufficient documentation to support the programs and controls as well as management's assessments and conclusions regarding the design and operating effectiveness of the programs and controls.[6] The following questions and themes are adopted from various sources, including the Sarbanes-Oxley Act of 2002, the SEC's Final Rules on Sarbanes-Oxley, SAS 99, PCAOB Auditing Standard No. 2, and COSO.

[6] SEC, Final Rule: Management's Reports on Internal Control, Section (II)(B)(3)(d).

Fraud Risk Assessment

1. Does the company have formal and regularly scheduled procedures to perform fraud risk assessments?
2. Are appropriate personnel involved in the fraud risk assessments?
3. Are fraud risk assessments performed at all appropriate levels of the organization (such as the entity level, significant locations or business units, significant account balance or major process level)?
4. Does the fraud risk assessment include consideration of internal and external risk factors (including pressures or incentives, rationalizations or attitudes, and opportunities)?
5. Does the fraud risk assessment include the identification and evaluation of past occurrences and allegations of fraud within the entity and industry? Does it include the evaluation of unusual financial trends or relationships identified from analytical procedures or techniques?
6. Does the fraud risk assessment consider the risk of management's override of controls?
7. Does management consider the type, likelihood, significance, and pervasiveness of identified fraud risks?
8. Are fraud risk assessments updated periodically to include consideration of changes in operations, new information systems, acquisitions, changes in job roles and responsibilities, employees in new positions, results from self-assessments of controls, monitoring activities, internal audit findings, new or evolving industry trends, and revisions to identified fraud risks within the organization?
9. Does management assess the design and operating effectiveness of the fraud risk assessments?
10. Does management adequately document its assessments and conclusions regarding the design and operating effectiveness of the fraud risk assessments?
11. Is the fraud risk assessment designed and operating effectively?

Control Environment

1. Does the company maintain a proper tone at the top? Did management assess the tone of the organization to determine if the culture encourages ethical behavior, consultation, and open communication? (This assessment can be made through anonymous cultural surveys, inquiries and interviews, or by internal audit review.)
2. Do the audit committee and the board of directors have sufficient oversight of management's antifraud programs and controls?
3. Does the internal audit function have sufficient involvement in antifraud programs and controls, including monitoring of the effectiveness of antifraud programs and controls, given the size and complexity of the organization? Does the internal audit function report directly to the audit committee?
4. Does the company have a published code of ethics/conduct (with provisions related to conflicts of interest, related-party transactions, illegal acts, and fraud) made available to all personnel, and does management require employees to confirm that they accept and agree to follow it? Does the frequency of exceptions undermine the code's effectiveness? Does the code comply with all applicable rules and regulations?
5. Does the company have an ethics/whistleblower hotline with adequate procedures to handle anonymous complaints (received from inside and outside the company), and to accept confidential submission of concerns about questionable accounting, internal accounting control, or auditing matters? Are tips and whistleblower complaints investigated and resolved in a timely manner?
6. Does the company have formal hiring and promotion standards, including background checks for those employees with influence over financial reporting or involved in the preparation of the financial statements?
7. Does the company have formal and effective training for employees and new hires on issues of fraud, ethics, and the code of ethics/conduct?
8. Does the company respond in a timely and appropriate manner to significant control deficiencies, allegations or concerns of fraud, and violations of the code of ethics/conduct?
9. Does management assess the design and operating effectiveness of the control environment?
10. Does management adequately document its assessments and conclusions regarding the design and operating effectiveness of the control environment?
11. Is the control environment designed and operating effectively?

    Antifraud Control Activities

    1. Does the company adequately map or link identified fraud risks to control activities designed to mitigate the fraud risks?

    2. Does management design and implement preventative and detective controls (preventative controls are designed to stop fraud from occurring, and detective controls are designed to identify the fraud if it occurs)?

    3. Does the company have controls that restrain the misappropriation of company assets that could result in a material misstatement of the financial statements?

    4. Does the company have controls that address the risk of management's override of controls (including controls over journal entries and adjustments, estimates, and unusual or nonroutine transactions)?

    5. Does the company consider security controls (including IT controls and limited access to accounting systems), and consider the adequacy of fraud detection and monitoring activities utilizing information systems?

    6. Does management assess the design and operating effectiveness of antifraud control activities?

    7. Does management adequately document its assessments and conclusions regarding the design and operating effectiveness of antifraud control activities?

    8. Are antifraud control activities designed and operating effectively?

    Information & Communication

    1. Is information on ethics and management's commitment to antifraud programs and controls effectively communicated throughout the organization to all employees?

    2. Does management have procedures to disseminate and collect information regarding antifraud programs and controls, fraud risks, allegations of fraud, and concerns of improper accounting to and from all levels of the organization and external parties (where appropriate)?

    3. Does management assess the design and operating effectiveness of information and communication?

    4. Does management adequately document its assessments and conclusions regarding the design and operating effectiveness of information and communication?

    5. Are procedures and activities for communicating information regarding antifraud programs and controls designed and operating effectively?


    Monitoring Activities

    1. Are internal audit and others actively involved in monitoring and assessing antifraud programs and controls?

    2. Is the internal audit activity adequate for the size and operations of the organization?

    3. Are findings and weaknesses identified during monitoring activities incorporated back into the fraud risk assessment, the design of the control environment, and antifraud control activities?

    4. Does the audit committee have oversight of monitoring activities?

    5. Does management assess the design and operating effectiveness of monitoring activities?

    6. Does management adequately document its assessments and conclusions regarding the design and operating effectiveness of the monitoring activities?

    7. Are monitoring and assessment activities designed and operating effectively?


    Section 2: Example Implementation Plan

    Performing Fraud Risk Assessments

    There is no one standard method by which management may implement its fraud risk assessment. However, the fraud risk assessment is a critical step in addressing fraud risks within an organization and as such should be an area of significant focus for management. The following example implementation plan summarizes certain elements of the fraud risk assessment process described in COSO and SAS 99.

    Step One: Evaluate Fraud Risk Factors

    Fraud risk factors are those events or conditions that indicate incentives/pressures to perpetrate fraud, opportunities to carry out the fraud, or attitudes/rationalizations to justify a fraudulent action (example fraud risk factors can be found in the Appendix of SAS 99). Fraud risk factors do not necessarily indicate the existence of fraud; however, they are often present in circumstances where fraud exists.

    Personnel from various levels of the organization should be involved in this process, including management, internal audit, business process owners, IT management, and the audit committee. The audit committee should take an active role in the oversight of management's efforts to identify and consider fraud risk factors and can challenge management to verify that fraud risks are addressed.

    This step should involve an evaluation of the fraud risk factors that are present in the organization. This can be done through several different means, some of which may already be utilized by management in their consideration of internal controls. For example, if management has elected to assess the control environment through an anonymous survey, the results could also be used to evaluate the existence of fraud risk factors.

    The process should consider other fraud risk factors, including past frauds and allegations of fraud in the organization, frauds in the industry, unusual financial trends or relationships identified from analytical procedures, and the potential role weak IT controls could play in enabling fraudulent activity to occur.

    The process should consider fraud risk factors at the entity level and at the significant process level.

    Step Two: Identify Possible Fraud Schemes and Scenarios

    This process should involve all appropriate personnel, including management, internal audit, IT management, and significant process owners, with oversight from the audit committee.

    This step involves a brainstorm of possible fraud schemes and scenarios that could result from the identified fraud risk factors. For example, if a company faces significant internal and/or external pressures to achieve revenue targets, the brainstorm should include the identification and consideration of scenarios and fraud schemes that could be perpetrated to manipulate revenues.

    Special consideration should be given to the risk of override of controls by management, such as (1) recording fictitious journal entries or adjustments, particularly those recorded close to the end of an accounting period, (2) intentionally biasing assumptions and judgments used to estimate account balances, and (3) entering into significant transactions that are outside of the entity's normal course of business and lack economic substance.

    Consideration should also be given to past frauds and allegations of fraud within the organization and the industry.

    The identification of possible fraud schemes should be performed without consideration of the existence or effectiveness of internal controls.


    Step Three: Prioritize Identified Fraud Risks

    This step involves the evaluation of possible fraud schemes and includes the consideration of the following:

    Type. The type of risk (e.g., misappropriation of assets, fraudulent financial reporting).

    Likelihood. The likelihood of the risk (i.e., the likelihood that it will result in a material misstatement in the financial statements).

    Significance. The significance of the risk (i.e., whether it is of a magnitude that could result in a possible material misstatement of the financial statements).

    Pervasiveness. The pervasiveness of the risk (i.e., whether the potential risk is pervasive to the financial statements as a whole or specifically related to a particular assertion, account, or class of transactions).

    Emphasis should be given to those risks considered to be likely, significant, and/or pervasive.

    Step Four: Evaluate Whether Mitigating Controls Exist or Are Effective

    Management should determine whether there are controls already in place that sufficiently mitigate the identified fraud risks, or whether additional emphasis should be placed on existing controls.

    Where controls are not already present, management should consider the need to design and implement additional antifraud controls to specifically address the identified fraud risks.

    Management should map or link identified fraud risks to existing internal controls (including control environment, antifraud control activities, and monitoring activities), and document the mitigating antifraud control activities related to the fraud risks.


    Section 3: Sample Process

    Presented below are two examples of the antifraud programs and controls process for two common fraud risks. The information is divided into two parts: the fraud risk assessment process, and the programs and controls designed to address the fraud risks identified during the fraud risk assessment. The programs and controls listed below are not intended to represent all of the possible programs and control activities that may address the identified fraud risk, but are shown as examples of activities that may address it. Management should determine how best to document its fraud risk assessment and the programs and controls in place to address the risks, based on the company's facts and circumstances.

    Inappropriate/Early Revenue Recognition

    Fraud Risk Assessment

    Fraud Risk Assessment: Performed by management, internal audit, IT management, and significant process owners, with oversight from the audit committee. Considered internal and external environmental factors (including pressures or incentives, rationalization, and opportunity). Identified fraud risks at relevant levels and locations within the organization.

    Significant Account or Cycle: Revenue

    Fraud Risk: Inappropriate/early revenue recognition

    Cause of Fraud: Existence of undisclosed sales terms or conditions

    Fraud Elements (what it might look like): Terms granted to the customer that are
        disclosed on the purchase order but not in the order entry system;
        disclosed on sales negotiation documents only;
        provided in side letters, e-mails, or orally.

    May Involve: Sales Manager; Sales Representative; sales finance personnel (divisional controller, order entry clerk, credit manager, etc.); Inventory Manager; General Counsel; Management (CEO, CFO, etc.); Customer; any combination of the above (one, some, or all)

    Significance (High, Medium, Low): The significance of the risk (i.e., whether it is of a magnitude that could result in a possible material misstatement of the financial statements): High

    Likelihood (High, Medium, Low): The likelihood of the risk (i.e., the likelihood that it will result in a material misstatement in the financial statements): High

    Pervasiveness: The pervasiveness of the risk (i.e., whether the potential risk is pervasive to the financial statements as a whole or specifically related to a particular assertion, account, or class of transactions): Risk is related to revenue and A/R accounts


    Inappropriate/Early Revenue Recognition (continued)

    Programs and Controls

    Control Environment Activities:
        Regular ethics training/policies/adherence
        Published code of ethics/conduct with provisions related to fraud and ethical behavior
        Formal hiring and promotion standards
        Tone at the top, including proper attitudes towards controls and corporate compliance
        Responsiveness to internal audit processes and findings
        Sales practices training

    Control Activities:
        Regular review of all sales contracts, with a focus on unusual terms and conditions, and a comparison to actual practices
        Confirmation/verification by sales personnel of the completeness and accuracy of the recording of sales terms or conditions
        Regular review of A/R aging with a focus on overdue receivables
        Segregation of duties (sales and credit/order entry functions)
        Application controls to prohibit further processing without necessary approvals
        System of authorization and approval of transactions for sales and write-offs
        Where appropriate, standardization of sales terms and conditions

    Information and Communication:
        A system for effective knowledge management to collect and communicate appropriate information pertaining to revenue fraud risks and antifraud programs and controls

    Monitoring Activities:
        Internal audit confirms directly with customers the amount of sales, as well as items such as the payment due date, the details of any rights of return, unrecorded terms and conditions, and any outside agreements not contained in the original written agreement
        Regular review of days sales outstanding and comparison to company norms or industry averages
        Regular review of significant quarter-end or year-end sales for unusual pricing, billing, delivery, return, exchange, or acceptance clauses


    Management Override of Controls: Improper Journal Entries or Adjustments

    Fraud Risk Assessment

    Fraud Risk Assessment: Performed by management, internal audit, IT management, and significant process owners, with oversight from the audit committee. Considered internal and external environmental factors (including pressures or incentives, rationalization, and opportunity). Identified fraud risks at relevant levels and locations within the organization.

    Significant Account or Cycle: Financial closing and reporting

    Fraud Risk: Override of controls for journal entries or adjustments, resulting in misstated financial statements

    Cause of Fraud: Management directs or is involved in journal entries or adjustments to manipulate operating results

    Fraud Elements (what it might look like): Journal entries and/or adjustments are recorded to improperly
        increase revenues or income;
        decrease cost of sales or expenses;
        manipulate account balances to comply with debt covenants, achieve financial targets or budgets, reduce or hide liabilities, misstate assets, etc.

    May Involve: CEO; CFO; General Counsel; general/divisional managers; corporate/divisional controllers; any combination of the above (one, some, or all)

    Significance (High, Medium, Low): The significance of the risk (i.e., whether it is of a magnitude that could result in a possible material misstatement of the financial statements): High

    Likelihood (High, Medium, Low): The likelihood of the risk (i.e., the likelihood that it will result in a material misstatement in the financial statements): High (see footnote 7)

    Pervasiveness: The pervasiveness of the risk (i.e., whether the potential risk is pervasive to the financial statements as a whole or specifically related to a particular assertion, account, or class of transactions): Pervasive throughout the financial statements

    Footnote 7: Paragraph 42 of SAS 99 states, "Even if specific risks of material misstatement due to fraud are not identified by the auditor, there is a possibility that management override of controls could occur, and accordingly, the auditor should address that risk apart from any conclusions regarding the existence of more specifically identifiable risks." The risk of management override increases the likelihood of fraud and the likelihood that it will result in a material misstatement in the financial statements.


    Management Override of Controls: Improper Journal Entries or Adjustments (continued)

    Programs and Controls

    Control Environment Activities:
        Active oversight from the audit committee
        Regular ethics training/policies/adherence
        Published code of ethics/conduct with provisions related to fraud
        Formal hiring and promotion standards (with background checks for those with significant influence over financial reporting)
        Tone at the top, including attitudes towards controls and corporate compliance

    Control Activities:
        Segregation of duties and required approvals: journal entries and adjustments require two signatures, including proper approvals, before posting
        Application controls to prohibit further processing without necessary approvals
        Required supporting documentation for all nonsystematic/manual journal entries
        General computer controls limiting access to the general ledger system and recording the names of individuals who initiate and/or approve nonsystematic/manual journal entries

    Information and Communication:
        A system for effective knowledge management to collect and communicate appropriate information pertaining to the risk of management override of controls and antifraud programs and controls

    Monitoring Activities:
        Identify and evaluate the appropriateness of unusual nonroutine journal entries (consider utilizing computer-assisted techniques to identify unusual or nonroutine entries)
        Regular review of ethics/whistleblower complaints with allegations or concerns of improper ethical behavior by management or improper financial reporting
        Regular review of financial results, including analytics and financial ratios, with a comparison to company norms or industry averages
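    The control and monitoring activities above (two-person approval before posting, general ledger access limited to a named group, and computer-assisted identification of unusual or nonroutine entries) can be scripted against a ledger export. The following is an added example and is not part of the Deloitte document: it scores a small set of constructed manual journal entries against rules for self-approval, posters outside the authorized group, period-end and backdated entries, large or round amounts, off-hours postings, and manual credits to revenue accounts. The field names, user names, account numbers, sample entries, and thresholds are assumptions for illustration.

```python
"""Computer-assisted review of manual journal entries.

Added example, not from the Deloitte document. Scores constructed sample
entries against rules drawn from the control and monitoring activities
above: initiator and approver must differ, only an authorized group may
post, and large, round, period-end, backdated, off-hours, or revenue-
crediting manual entries deserve a second look. All names, accounts and
thresholds are assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import date, datetime
from typing import Dict, List, Optional, Set


@dataclass
class JournalEntry:
    entry_id: str
    posted: datetime          # when the entry hit the ledger
    effective: date           # accounting date the entry is recorded in
    amount: float
    debit_account: str
    credit_account: str
    initiator: str
    approver: Optional[str]
    source: str               # "system" (automated) or "manual"
    description: str


# Constructed sample data; no real ledger, users, or accounts.
PERIOD_END = date(2024, 3, 31)
AUTHORIZED_POSTERS = {"jlee", "mchen", "rpatel"}   # assumed GL access group
REVENUE_ACCOUNTS = {"4000", "4010"}                # assumed revenue accounts

SAMPLE_ENTRIES = [
    JournalEntry("JE-1001", datetime(2024, 3, 12, 10, 5), date(2024, 3, 12), 4_812.37,
                 "6100", "2000", "jlee", "mchen", "manual", "March utilities accrual"),
    JournalEntry("JE-1002", datetime(2024, 3, 31, 23, 40), date(2024, 3, 31), 250_000.00,
                 "1200", "4000", "mchen", "mchen", "manual", "Q1 revenue true-up"),
    JournalEntry("JE-1003", datetime(2024, 4, 2, 9, 15), date(2024, 3, 31), 75_000.00,
                 "2300", "6400", "cfo_office", None, "manual", "release of reserve"),
    JournalEntry("JE-1004", datetime(2024, 3, 30, 14, 0), date(2024, 3, 30), 1_049.90,
                 "5000", "1300", "rpatel", "jlee", "system", "COGS auto-post"),
]


def flags_for(e: JournalEntry, period_end: date, authorized: Set[str],
              revenue_accounts: Set[str], large: float = 100_000.0,
              window_days: int = 3) -> List[str]:
    """Return the review flags raised by one entry, in rule order."""
    flags: List[str] = []
    if e.source != "manual":
        return flags                      # automated postings are reviewed elsewhere
    # Segregation of duties: a second, different person must approve.
    if e.approver is None:
        flags.append("no_approver")
    elif e.approver == e.initiator:
        flags.append("self_approved")
    # Access control: initiator must be in the GL posting group.
    if e.initiator not in authorized:
        flags.append("unauthorized_poster")
    # Timing: entries dated in the last days of the period, or posted after
    # close but dated back into it.
    if 0 <= (period_end - e.effective).days <= window_days:
        flags.append("period_end")
    if e.posted.date() > period_end and e.effective <= period_end:
        flags.append("backdated_after_close")
    # Amount: large or suspiciously round (multiple of 1,000 at or above 10,000).
    if e.amount >= large:
        flags.append("large")
    if e.amount >= 10_000 and e.amount == round(e.amount, -3):
        flags.append("round_amount")
    # Posted on a weekend or outside 07:00-20:00.
    if e.posted.weekday() >= 5 or not (7 <= e.posted.hour < 20):
        flags.append("off_hours")
    # Manual credits straight to revenue are the classic override pattern.
    if e.credit_account in revenue_accounts:
        flags.append("manual_revenue_credit")
    return flags


def review(entries: List[JournalEntry], period_end: date = PERIOD_END,
           authorized: Set[str] = AUTHORIZED_POSTERS,
           revenue_accounts: Set[str] = REVENUE_ACCOUNTS) -> Dict[str, List[str]]:
    """Map entry id -> flags for every entry that raised at least one flag."""
    result: Dict[str, List[str]] = {}
    for e in entries:
        f = flags_for(e, period_end, authorized, revenue_accounts)
        if f:
            result[e.entry_id] = f
    return result


if __name__ == "__main__":
    for entry_id, flags in sorted(review(SAMPLE_ENTRIES).items(),
                                  key=lambda kv: -len(kv[1])):
        print(f"{entry_id}: {', '.join(flags)}")
```

    Run as a script it prints the flagged entries, most flags first. In practice the ledger export replaces SAMPLE_ENTRIES, the thresholds are tuned to the entity's materiality, and a flag is a reason to pull the supporting documentation, not a conclusion on its own.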


    Section 4: Sample Listing of Fraud Schemes

    The following listing of possible fraud schemes can be utilized by management and auditors to assist in identifying possible fraud risks, scenarios, and schemes when performing or evaluating management's fraud risk assessments. The listing of fraud schemes is not intended to be a complete listing of all possible fraud schemes for all industries.

    Fraudulent Financial Reporting Schemes

    Improper Revenue Recognition

    Side Agreements
    Sales terms and conditions may be modified, revoked, or otherwise amended outside of the recognized sales process or reporting channels and may impact revenue recognition. Common modifications include granting rights of return, extended payment terms, refunds, or exchanges. Sellers may provide these terms and conditions in concealed side letters, e-mails, or verbal agreements in order to recognize revenue before the sale is complete. In the ordinary course of business, sales agreements can be and often are legitimately amended, and there is nothing wrong with giving purchasers a right of return or exchange, as long as revenue is recognized in the proper accounting period with appropriate reserves established.

    Roundtrip Transactions
    Recording transactions that occur between two or more companies for which there is no business purpose or economic benefit to the companies involved. These transactions are often entered into for the purpose of inflating revenues or creating the appearance of strong sales growth. Transactions may include sales between companies for the same amount within a short time period, or they may involve a loan to or investment in a customer so that the customer has the ability to purchase the goods. Cash may change hands, but payment alone does not legitimize the transaction or justify the recognition of revenue if there is no underlying business purpose or economic benefit for the transactions.

    Bill and Holds
    A bill and hold transaction takes place when products have been booked as a sale but delivery and transfer of ownership have not occurred as of the date the sale is recorded. The transaction may involve a legitimate sales or purchase order; however, the customer is not ready, willing, or able to accept delivery of the product at the time the sale is recorded. The seller may hold the goods in its own facilities or may ship them to other locations, including third-party warehouses.

    Altering Shipping Documentation
    By creating phony shipping documentation, a company may falsely record sales transactions and improperly recognize revenue. By altering shipping documentation (commonly changing shipment dates and/or terms), a company can increase revenue in a specific accounting period even though the facts and circumstances indicate that the transaction and the resulting revenue should have been recorded in the subsequent accounting period.

    Agreements to Sell-Through Product
    These sales agreements include contingent terms that are based on the future performance of the buyer of the goods (commonly distributors or resellers) and impact revenue recognition for the seller. These contingent terms may or may not be included in the sales agreements and may be provided in side agreements. Sell-through agreements are similar to consignment sales and can involve shipment of goods to a party who agrees to sell them to third parties. A sale is not considered to have taken place (and therefore revenue should not be recorded) until the goods are sold to a third party (a customer or end user) with no additional contingent sales terms.

    Up-Front Fees
    Some sales transactions require customers to pay up-front fees for services that will be provided over an extended period of time. Companies may attempt to recognize the full amount of the contract or the amount of the fees received before the services are performed (and before revenue is earned). In some instances, the scheme may involve the falsification or modification of accounting records (e.g., purchase orders, invoices, and sales contracts).

    Holding Accounting Periods Open
    Improperly holding accounting records open beyond the end of an accounting period can enable companies to record transactions that occur after the end of a reporting period in the current accounting period. This scheme commonly involves recording sales and/or cash receipts that occur after the end of the reporting period in the current period. Schemes sometimes include falsification or modification of accounting documentation (dates on shipping documents, purchase orders, bank statements, cash reconciliations, cash receipt journals, etc.) in an attempt to cover the trail of the fraud.

    Failure to Record Sales Provisions or Allowances
    Some sales transactions require companies to record provisions or reductions to gross sales amounts (e.g., to account for future sales returns). By failing to record sales provisions or reductions, companies can improperly overstate revenues. The scheme may involve the falsification or modification of accounting records in an attempt to hide the terms or conditions that may require the sales reduction (e.g., purchase orders, invoices, and sales contracts).

    Inventory Schemes

    Inflating the Value of Inventory
    Inventory valuations can be manipulated in a number of ways, including: moving inventory between locations to fictitiously inflate inventory quantities, postponing and under-reporting write-downs and reserves for obsolescence, manipulating unit valuations applied to on-hand inventories, and improper inventory capitalization.

    Off-Site or Fictitious Inventory
    Companies may create fictitious inventory by falsifying journal entries, receiving and shipping reports, purchase orders, or cycle counts. Companies may participate in these schemes to decrease cost of sales as a percentage of sales or to maintain inventory balances for debt covenants or other reasons.

    Other Financial Reporting Schemes

    Fraudulent Audit Confirmations
    Fraudulent audit confirmations can impact all types of accounts or transactions that are confirmed with third parties (sales, cash, accounts receivable, debt, liabilities, etc.). Schemes may involve collusion with third parties who receive the audit confirmations, or may involve the company providing the auditors with false contact information (false mailing addresses, fax numbers, phone numbers, etc.) so that confirmations are diverted to co-conspirators involved in the scheme.

    Refreshed Receivables
    In order to mask rising accounts receivable balances (including known or suspected uncollectible balances) while avoiding an increase in the bad debt provision, a company may refresh the aging of receivables and improperly represent A/R balances as current instead of showing the true age of the receivables. This may occur through exchange transactions with customers, where customers receive credits to their accounts and are allowed to repurchase goods with little, if any, physical transfer of merchandise. Some schemes simply modify or edit the dates of invoices in the A/R system, which restarts the aging process for the modified receivables. Schemes may involve the falsification or improper modification of accounting documentation (invoices, purchase orders, change orders, shipping reports, etc.) to cover up the fraud scheme.

    Promotional Allowance Manipulations
    Promotional allowances may be provided as rebates, incentives, or other credits to buyers/customers as an incentive to purchase products. Allowances may take the form of volume discounts, reimbursements for special handling, co-advertising reimbursements, slotting fees, etc. Often promotional allowances are based on future events (such as purchase volumes over a specified period of time, future advertising costs, etc.) and require considerable estimates that may be manipulated or biased. Some schemes involve the early recognition of revenue on up-front fees collected or the failure to accrue for rebates or credits that are likely to be earned by the buyer. Other fraud schemes involve fraudulent financial reporting and the misclassification of credits on the income statement.

    Adjustments to Estimates
    Estimates are common throughout the accounting process and can be manipulated to impact revenues, expenses, asset valuations, and/or liabilities. Management is often in a position where it can influence or bias estimates. Common fraud schemes involve the reduction of accruals or reserves in order to increase earnings in the current period, and may involve the earlier creation of excess reserves or "cookie-jar" reserves when the company was in a financial position to create a cushion against future losses.

    Off-Balance-Sheet Entities and Liabilities
    Some schemes involve the use of off-balance-sheet vehicles or special purpose entities to conceal liabilities. Off-balance-sheet vehicles may be allowable under GAAP; however, some schemes are designed to utilize these entities or transactions to conceal debt and misstate liabilities on the balance sheet, and may also have an income statement impact.

    Improper Asset Valuations
    There is often a direct relationship between the overstatement of assets and the inflation of earnings. Many fraud schemes involve the hiding or misplacement of debits on the balance sheet that should be recorded on the income statement. These debits are often improperly recorded as assets or as a reduction to existing liabilities. Overvaluing assets is often considered a relatively simple way to directly manipulate reported earnings.

    Phony Investment Deals
    Designed to overstate assets and earnings, these schemes can deliberately overstate existing investments or create fictitious investments. Investments may also be intentionally misclassified, resulting in the improper recognition of gains or the failure to recognize losses. Other schemes are designed to hide or defer losses from sales or permanent write-downs from impairments.

    Improper Capitalization of Expenses
    Capital expenditures are costs that benefit the company over more than one accounting period, and accordingly the expenditures should be amortized over the life of the asset. Companies may improperly capitalize certain expenditures in order to avoid recognizing the full amount of the expense in the current period. Expenses may be capitalized into various asset accounts, and may include software development costs, research and development costs, start-up costs, interest costs, advertising costs, inventory and labor costs, etc.

    Adding Back Outstanding Checks to Cash
    Cash reconciliations can be manipulated in order to inflate ending cash balances. Some schemes are accomplished with one reconciling item or adjustment on the reconciliation, or may involve selecting and removing specific checks from the outstanding check register.

    Unjustified Consolidation Entries
    Some schemes occur during the financial closing and consolidation process and involve unjustified or fictitious consolidation entries. Often there is limited accounting documentation or explanation for consolidation entries and activities.

    Intercompany Manipulations
    Similar to other accounting schemes involving consolidations, intercompany manipulations may have limited documentation or explanations for intercompany entries and activities. Schemes may over- or understate balances or may involve the creation of fictitious transactions.

    Related Parties That Create Transactions
    Related-party transactions are made with entities that are controlled or influenced by the company. Schemes may involve improper or inadequate disclosure of transactions, or more elaborate schemes to create fictitious transactions between entities, often with the intent to increase reported revenues or assets.

    Disclosure Frauds
    Fraudulent disclosures may include providing false information or the failure to disclose required information. Schemes may involve a company's failure to disclose certain transactions with related parties, material asset impairments, unrecorded liabilities, or accounting practices that violate GAAP.

    Misappropriation of Assets

    Skimming of Cash
    Skimming schemes often involve the sales cycle, where employees embezzle by not recording the sale or the full amount of the cash collected. A typical skimming scheme might involve a retail store where an employee collects cash from a customer, pockets the money, and avoids recording the transaction in the point-of-sale system. Other skimming schemes are not limited to cash transactions and may involve diverting customer checks.

    Fraudulent Disbursements
    Schemes may include billing schemes, procurement fraud, theft of company checks, payroll and ghost employee schemes, and expense reimbursement schemes. A common procurement scheme is to set up phony vendors or suppliers in the accounts payable system, or to approve payments for services that are received by the employee or a co-conspirator. Payroll schemes can include falsification of hours worked, creation of fictitious employees, failure to remove employees who have left the company, and the diversion of payments to employees or co-conspirators.

    Other Fraud SchemesBribery, Corruption, & KickbacksCorruption and bribery

    may take a variety of forms within an organization and mayinclude such items as vendors paying gratuities to buyers to

    secure sales, buyers paying premiums to vendors because of a

    buyers personal relationships, payments to shell companies for

    soft services that are not actually rendered, payment terms are

    structured to avoid proper approval signatures, or the same

    vendor may appear in the payables system in numerous ways as a

    method of making duplicate payments. Schemes may also involve

    preferred service providers who are willing to pay kickbacks to

    individuals for the companys business. The Foreign Corrupt

    Practices Act (FCPA) was enacted to reduce the threat of bribery

    and corruption in foreign countries.
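The disbursement and kickback schemes above (phony vendors, ghost employees, terminated employees left on payroll, one vendor entered several ways to hide duplicate payments) are the ones an analytics-minded auditor most often tests for with simple data matching. The following is an added example, not code from the Deloitte document; the vendor master, HR roster, payroll run and payment ledger are constructed records, and the normalization rules are assumptions that a real engagement would tune to its own master data.

```python
"""Constructed AP/payroll data with detective-control checks for the
disbursement and duplicate-vendor schemes described above.  Every record
below is made up for illustration; nothing here is real vendor, employee
or bank data."""
import re
from collections import defaultdict

# Assumption: corporate suffixes carry no identity, so they are stripped
# before comparing vendor names.
_SUFFIXES = r"\b(inc|incorporated|corp|corporation|co|ltd|llc)\b"


def normalize_name(name):
    """Make 'Acme Corp.' and 'ACME Corporation' compare equal."""
    n = re.sub(r"[^a-z0-9 ]", " ", name.lower())
    n = re.sub(_SUFFIXES, " ", n)
    return " ".join(n.split())


def normalize_account(acct):
    """Keep digits only so '11-2233-4455' equals '1122334455'."""
    return re.sub(r"\D", "", acct)


# Constructed vendor master: V100/V101 are one supplier entered twice,
# V103 shares a bank account with an employee.
VENDORS = [
    {"id": "V100", "name": "Acme Corp.", "bank": "11-2233-4455"},
    {"id": "V101", "name": "ACME Corporation", "bank": "1122334455"},
    {"id": "V102", "name": "Northwind Traders Ltd", "bank": "9988776655"},
    {"id": "V103", "name": "Soft Services LLC", "bank": "5550001111"},
]

# Constructed HR roster and payroll run.
EMPLOYEES = [
    {"id": "E1", "name": "Dana Lee", "bank": "5550001111", "status": "active"},
    {"id": "E2", "name": "Sam Ortiz", "bank": "4440002222", "status": "terminated"},
]
PAYROLL = [
    {"emp": "E1", "amount": 3200.00},
    {"emp": "E2", "amount": 3100.00},  # terminated but still being paid
    {"emp": "E9", "amount": 2900.00},  # no HR record at all
]

# Constructed AP payments: the same invoice paid once per duplicate vendor.
PAYMENTS = [
    {"vendor": "V100", "invoice": "INV-501", "amount": 12000.00},
    {"vendor": "V101", "invoice": "INV-501", "amount": 12000.00},
    {"vendor": "V102", "invoice": "NW-77", "amount": 800.00},
    {"vendor": "V103", "invoice": "SS-1", "amount": 4999.00},
]


def duplicate_vendors(vendors):
    """Vendor ids that share a normalized name or a bank account."""
    by_key = defaultdict(set)
    for v in vendors:
        by_key[("name", normalize_name(v["name"]))].add(v["id"])
        by_key[("bank", normalize_account(v["bank"]))].add(v["id"])
    return sorted({tuple(sorted(ids)) for ids in by_key.values() if len(ids) > 1})


def duplicate_payments(payments, vendors):
    """Same normalized vendor, invoice and amount paid more than once,
    even when the payments went to different vendor ids."""
    key_of = {v["id"]: normalize_name(v["name"]) for v in vendors}
    seen = defaultdict(list)
    for p in payments:
        seen[(key_of[p["vendor"]], p["invoice"], p["amount"])].append(p["vendor"])
    return sorted(k for k, ids in seen.items() if len(ids) > 1)


def vendor_employee_bank_matches(vendors, employees):
    """Vendors whose bank account equals an employee's payroll account,
    a classic phony-vendor indicator."""
    emp_by_bank = {normalize_account(e["bank"]): e["id"] for e in employees}
    return sorted(
        (v["id"], emp_by_bank[normalize_account(v["bank"])])
        for v in vendors if normalize_account(v["bank"]) in emp_by_bank
    )


def ghost_employee_payments(payroll, employees):
    """Payroll lines for people missing from HR or no longer active."""
    roster = {e["id"]: e for e in employees}
    flagged = []
    for line in payroll:
        e = roster.get(line["emp"])
        if e is None:
            flagged.append((line["emp"], "not in HR roster"))
        elif e["status"] != "active":
            flagged.append((line["emp"], "status " + e["status"]))
    return flagged


if __name__ == "__main__":
    print("duplicate vendors:", duplicate_vendors(VENDORS))
    print("duplicate payments:", duplicate_payments(PAYMENTS, VENDORS))
    print("vendor/employee bank matches:", vendor_employee_bank_matches(VENDORS, EMPLOYEES))
    print("ghost/terminated payroll:", ghost_employee_payments(PAYROLL, EMPLOYEES))
```

Each check is a detective control of the kind the document says is needed for collusive fraud: it assumes the vendor master, HR roster and payroll feed are extracted independently, so a single employee who controls one of them cannot also edit the comparison data. The normalization step is what makes the "same vendor in numerous ways" scheme visible; matching on raw strings would miss it.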

Money Laundering: Money laundering is the process of concealing the source of illegally obtained money. This process is of critical importance to the perpetrator, as it enables the criminal to enjoy profits without revealing their source. Activities may involve disguising the sources, changing the form, or moving the funds to a place where they are less likely to attract attention. Money laundering profits may come from embezzlement, insider trading, bribery, computer fraud schemes, illegal arms sales, smuggling, and the activities of organized crime.


Section 5: Antifraud Programs & Controls

Steps and Considerations

This section discusses steps and considerations for management in relation to the risk of fraud and antifraud programs and controls. In preparing this section, the following sources have been referenced:

- SEC, Final Rule: Management's Reports on Internal Control Over Financial Reporting and Certification of Disclosure in Exchange Act Periodic Reports
- PCAOB Auditing Standard No. 2, An Audit of Internal Control Over Financial Reporting Performed In Conjunction With an Audit of Financial Statements
- SAS 99, Consideration of Fraud in a Financial Statement Audit
- SAS 99 Exhibit, Management Antifraud Programs and Controls
- Committee of Sponsoring Organizations of the Treadway Commission, Internal Control – Integrated Framework
- United States Sentencing Commission, Guidelines Manual

The five components of the COSO framework are interrelated, and the process of implementing and updating antifraud programs and controls is iterative in nature. Truly effective antifraud programs are dynamic: the information obtained through the monitoring process is fed back into the risk assessment and the entire process begins anew.

Each of the five COSO components is discussed in the context of:

- scope and objectives
- participants and responsibilities
- elements and design
- management assessments
- examples of common documentation

The evaluation of deficiencies in antifraud programs and controls is part of management's overall assessment of internal control. Management should assess the design and operating effectiveness of antifraud programs and controls and provide sufficient documentation of its programs, assessments, and conclusions, including the identification of any deficiencies. As with other internal control deficiencies, management and the auditor should evaluate the significance of these deficiencies.


1. Performing Fraud Risk Assessments

Scope & Objectives

Fraud risk assessments should be performed at all appropriate levels within the organization, including:

- the entity level, which should consider internal and external factors and pressures on the organization
- the significant account balance level; dealing with risks at this level helps focus fraud risk assessments on accounts that could be materially misstated
- significant locations or business units, as fraud risks commonly differ from location to location due to differing operations, organizational structures, culture, etc.

The fraud risk assessment should consider collusive fraud and the risk of management's override of controls. Collusive fraud is when more than one individual within and/or outside the entity have engaged in a conspiracy to circumvent or override internal control activities. Often collusive fraud may not be identified through traditional testing techniques. Consideration should also be given to the risk of management's override of controls, as management typically has the ability to commit fraud because it frequently is in a position to directly or indirectly manipulate accounting records.[8] Management override of controls can occur in unpredictable ways.

Participants & Responsibilities

Management has the primary responsibility for performing fraud risk assessments. Historically, most material frauds have often been directed in part by management and detected by employees and those responsible for corporate governance at other levels in the organization. It is therefore critical that employees outside of management are involved in the fraud risk assessment. It is important that the fraud risk assessment include business process owners or those who have significant knowledge, control, or influence over the activities within a significant business process or cycle. The audit committee (or the board of directors where no audit committee exists) should evaluate management's identification of fraud risks, and should have an active role in the oversight of the fraud risk assessment process. IT management should participate, as some fraud schemes are enabled by the disabling or circumventing of information system controls. Additionally, internal audit should have an active role in the development, monitoring, and ongoing evaluation of fraud risk assessments.

Elements & Design

A formal fraud risk assessment should be performed, documented, and updated periodically. Updates should include consideration of changes in operations, new information systems, acquisitions, changes in job roles and responsibilities, employees in new positions, results from self-assessments of controls, monitoring activities, internal audit findings, new or evolving industry trends, and revisions to identified fraud risks within the organization or industry.

Management should identify events or conditions that indicate incentives/pressures to perpetrate fraud, opportunities to carry out the fraud, or attitudes/rationalizations to justify a fraudulent action. Such events or conditions are referred to as fraud risk factors. Fraud risk factors do not necessarily indicate the existence of fraud; however, they often are present in circumstances where fraud exists and can help identify potential fraud risks.

Incentives/Pressures: Pressure may be real or perceived. Pressure is usually created by circumstances the perpetrator is either subject to or perceives him/herself to be subjected to (e.g., personal financial pressures such as a spouse who loses a job, or market pressures to meet financial targets or goals). There may also be incentives that increase the likelihood of fraud (e.g., management's bonus structure based on achievement of financial targets).

Attitudes/Rationalizations: The process by which a person committing a fraud legitimizes or justifies the crime is rationalization. This often includes an attitude or feeling of entitlement and/or a belief that the company can afford it. For example, a perpetrator may rationalize a theft by saying "the company makes millions, it won't miss a few thousand" and "I really need the money," or "by making our numbers nobody will be laid off."

Opportunities: Opportunities to commit fraud can manifest themselves in different ways. If internal controls surrounding financial reporting or safeguarding assets are inadequate, it may be relatively easy for a perpetrator to record fraudulent transactions or steal assets. Some employees (often within management) may be in a position to override controls, which may create opportunities to commit fraud. There is another consideration for opportunities that is often overlooked: a low perception of detection or meaningless consequences for inappropriate behavior within the organization may allow for greater opportunities for fraud to occur than if there is the deterrent element of a high likelihood of detection and severe consequences. Further, collusion may enable perpetrators to bypass existing controls, rendering those controls ineffective. Most traditional internal preventive controls are not effective at addressing collusive fraud. Collusive fraud is generally found by detective controls coupled with an understanding of the business and operating environment.

The Appendix to SAS 99 provides examples of fraud risk factors that management may consider as part of the fraud risk assessment. Management should also consider additional fraud risk factors such as known frauds within the industry and organization and past allegations or suspicions of fraud. The consideration of fraud risk factors is critical, as risk factors lead to fraud risks that need to be considered when implementing control activities and programs.

[8] SAS 99, paragraph 8.

Management should evaluate fraud risk factors, brainstorm possible fraud schemes and scenarios that could result from the fraud risk factors, and evaluate the fraud schemes and scenarios to identify those that should be considered fraud risks. Paragraph 40 of SAS 99 states:

the identification of a risk of material misstatement due to fraud involves the application of professional judgment and includes the consideration of the attributes of the risk, including:

- the type of risk that may exist, that is, whether it involves fraudulent financial reporting or misappropriation of assets
- the significance of the risk, that is, whether it is of a magnitude that could lead to result in a possible material misstatement of the financial statements
- the likelihood of the risk, that is, the likelihood that it will result in a material misstatement in the financial statements
- the pervasiveness of the risk, that is, whether the potential risk is pervasive to the financial statements as a whole or specifically related to a particular assertion, account, or class of transactions

Although the intent of the process is not to identify insignificant risks (i.e., immaterial theft of office supplies), it should be noted that inappropriate behavior may be indicative of broader issues in the control environment. Also, Section 302 of Sarbanes-Oxley requires disclosure of any fraud, whether or not material, that involves management or other employees who have a significant role in the issuer's internal controls.

The fraud risk assessment should be performed without consideration of the existence or effectiveness of internal controls. Fraud risks should be identified, documented, and evaluated before management determines if existing control activities sufficiently mitigate the identified fraud risk. Later, during the design and implementation of antifraud control activities, identified fraud risks should be mapped or linked to antifraud control activities to ensure that all identified fraud risks are sufficiently mitigated.

Management Assessments

Management should evaluate the design and operating effectiveness of the fraud risk assessment process and document its conclusions. Examples of situations or circumstances that may indicate that fraud risk assessments are not operating effectively include:

- audit committee and internal audit involvement is insufficient
- frauds that have occurred indicate that the fraud risk assessment process is ineffective
- external auditors identify fraud risks that the organization had not previously identified

Examples of Common Documentation

The purpose of the documentation is to provide evidence of the existence of the program and management's processes to identify fraud risks. Documentation should be sufficient for auditors to understand how management implemented the program and its conclusions regarding the design and operating effectiveness of the fraud risk assessment.

Documentation related to fraud risk assessments may include the following:

- periodic updates, including the consideration of past frauds, fraud risks, and involvement of appropriate employees
- oversight and review of the fraud risk assessment process by management and the audit committee
- participation by internal audit, including testing of the effectiveness of the risk assessment process and internal controls
- management's evaluation of fraud risk factors to determine which risk factors are identified as fraud risks
- management's assessment and conclusions regarding the design and operating effectiveness of the fraud risk assessment

2. Creating a Control Environment

Scope & Objectives

The control environment should be pervasive throughout the organization in actions as well as in words and should permeate down to all levels of the organization. The control environment should create and maintain a culture of honesty; set high ethical standards; promote ethical behavior; provide discipline for violations of the code of ethics/conduct; set an appropriate tone for the entity's attitudes toward fraud and fraud prevention; and promote controls to prevent, deter, and detect fraud.

Participants & Responsibilities

Management, along with those who have responsibility for oversight of the financial reporting process (such as the audit committee), is primarily responsible for creating the control environment. The audit committee and board of directors should be independent of management and actively involved in the creation, communication, and oversight of the control environment. The internal audit function also has an important role in the control environment and should have an independent reporting line directly to the audit committee. Employees are also participants in the control environment: they should embrace and support the programs and controls, report suspicions of fraud, and provide insights into the tone of the organization during cultural assessments.


Elements & Design

Tone at the top

The control environment should include a proper tone at the top, which includes a culture and work environment that promotes open communication, consultation, and ethical behavior. Management should consider taking reasonable steps to evaluate the culture of the organization to ensure that a proper tone at the top exists. Assessments may include inquiry from management or internal audit, or may involve anonymous surveys or other means to gain insight into the tone of the organization.

A proper tone at the top encourages ethical behavior as well as the development of and compliance with antifraud activities, such as controls restraining fraudulent financial reporting and the misappropriation of company assets that could result in a material misstatement of the financial statements. Management should design controls to safeguard assets, deter defalcations and misappropriations of assets, and restrain other inappropriate uses of company assets (such as unauthorized cash payments, improper use of company assets or services, and misuse or theft of intangibles including intellectual property). There may be situations where an employee defalcation, however small, may be considered a red flag or indicative of broader issues, including a culture of rationalization. Because of the importance of the tone at the top and management's influence on organizations, Section 302 of the Sarbanes-Oxley Act of 2002 requires the signing officers to disclose to the issuer's auditors and the audit committee of the board of directors any fraud, whether or not material, that involves management or other employees who have a significant role in the issuer's internal controls.

Oversight by the audit committee and board of directors

The audit committee has the responsibility to:

- monitor the financial reporting process
- oversee the internal control system and antifraud programs and controls
- oversee the internal audit and independent public accounting functions
- report findings to the board of directors

The audit committee should understand its role of ensuring that the organization has antifraud programs and controls in place to help prevent, detect, and deter fraud. It should take an active role in the oversight of management's efforts to design and implement internal controls, including antifraud programs and controls, and should challenge management to emphasize that fraud risks are identified during risk assessments and that appropriate control activities are designed and monitored to mitigate the fraud risks.

The audit committee should ensure that the organization has implemented an effective ethics and compliance program, and that it is periodically tested. Since the occurrence of significant fraud can frequently be attributed to an override of internal controls by management (and others), the audit committee plays an important role in ensuring that internal controls address the appropriate risk areas and are functioning as designed. Given the importance of the audit committee's oversight role with regard to antifraud programs and controls, PCAOB Auditing Standard No. 2 notes that ineffective oversight by the audit committee may be a strong indicator that a material weakness exists in internal control over financial reporting.[9]

Internal audit involvement

An effective internal audit function can be extremely helpful in the design, implementation, and oversight of antifraud programs and controls. Internal auditors have the opportunity to identify and evaluate fraud risks and controls and to recommend actions to mitigate risks and improve control. Internal audits can serve to both detect and deter fraud by examining and evaluating the adequacy and effectiveness of the system of internal control.

Internal auditors may conduct proactive auditing to search for corruption, misappropriation of assets, and financial statement fraud. Internal auditors should have an independent reporting line directly to the audit committee to enable them to express any concerns about management's commitment to appropriate internal controls or to report suspicions or allegations of fraud involving senior management.[10]

PCAOB Auditing Standard No. 2 notes that an ineffective internal audit function should be regarded as at least a significant deficiency in internal control over financial reporting.[11]

Code of ethics/conduct

A code of ethics/conduct should have provisions related to conflicts of interest, related-party transactions, illegal acts, and the monitoring of the code by management and the audit committee or board.

Section 406 of the Sarbanes-Oxley Act of 2002 and the SEC's Final Rule, Disclosure Required by Sections 406 and 407 of the Sarbanes-Oxley Act of 2002,[12] require a registrant to disclose whether it has adopted a code of ethics and, if it has not, to explain why. The NYSE and NASDAQ rules also require the adoption and public disclosure of a code of business conduct and ethics.

The SEC's final rule defines the term "code of ethics" as:

"Written standards that are reasonably designed to deter wrongdoing and to promote:

- Honest and ethical conduct, including the ethical handling of actual or apparent conflicts of interest between personal and professional relationships;
- Full, fair, accurate, timely, and understandable disclosure in reports and documents that a registrant files with, or submits to, the Commission and in other public communications made by the registrant;
- Compliance with applicable governmental laws, rules, and regulations;
- The prompt internal reporting to an appropriate person or persons identified in the code of violations of the code; and
- Accountability for adherence to the code."

[9] PCAOB, Auditing Standard No. 2, paragraph 140.
[10] Exhibit to SAS 99, Management Antifraud Programs and Controls, section "Internal Auditors."
[11] PCAOB, Auditing Standard No. 2, paragraph 140.
[12] Final Rule: Disclosure Required by Sections 406 and 407 of the Sarbanes-Oxley Act of 2002, SEC, section (II)(B)(2)(c), Final Definition of Code of Ethics. Electronic copy can be reviewed at http://www.sec.gov/rules/final/33-8177.htm

The code of ethics/conduct should apply to all individuals who are involved with and/or have influence over the financial statements and anyone who prepares the financial statements, including those who have direct involvement or oversight responsibilities (e.g., members of the board of directors, general counsel, and executive officers). The board of directors and audit committee have oversight responsibilities for the code of ethics/conduct that may be documented in the board of directors' meeting minutes along with their review and acceptance of the code of ethics/conduct.

Companies should consider developing a code of ethics/conduct for all employees, with periodic confirmations that employees understand the code and agree to follow it. There should also be training on the code of ethics/conduct and proper communication to all employees about where it can be found and whom to call if there are questions or concerns about the policies.

Ethics hotline and whistleblower program

Section 301 of the Sarbanes-Oxley Act of 2002, Standards Relating to Listed Company Audit Committees, requires each issuer's audit committee to establish procedures for:

- the receipt, retention, and treatment of complaints received by the issuer regarding accounting, internal accounting controls, or auditing matters; and
- the confidential, anonymous submission by employees of the issuer of concerns regarding questionable accounting or auditing matters

Hotlines should be accessible to all employees. Management may consider making them available to individuals outside of the organization (i.e., vendors, customers, and agents) to report fraudulent behavior without fear of retribution. There should be training to ensure that all employees know how and when to use the hotline. Companies should assess the adequacy of procedures for handling complaints and for accepting confidential whistleblower submissions of concerns about questionable accounting or auditing matters.

In addition to establishing the hotline, companies should have a formal program and procedures for proper follow-up on reported allegations. The procedures im