Fraud Is Something That Is Done With Intent. For Classroom Discussion Purposes Only
FRAUD RISKS
The Definition of Fraud in the Glossary is:
“Any illegal act characterized by deceit, concealment, or violation of trust. These acts are not
dependent upon the threat of violence or physical force. Frauds are perpetrated by parties and
organizations to obtain money, property, or services; to avoid payment or loss of services; or to
secure personal or business advantage.”
Fraud is something that is done with intent.
Main Categories of Fraud
Fraud is committed when there is intentional:
1. Fraudulent financial reporting
2. Misappropriation of assets
3. Corruption
Fraud that Benefits the Organization
o Sale of assets that do not exist or are misrepresented
o Improper payments
o Intentional, improper representation or valuation of transactions, assets, liabilities, or
income
o Intentional, improper transfer pricing
o Intentional, improper related-party transactions
o Deliberate failure to record or disclose significant information
o Prohibited business activities
o Tax fraud
Fraud that Harms the Organization
o Accepting bribes or kickbacks
o Diverting a potentially profitable transaction
o Embezzlement
o Intentionally concealing or misrepresenting events or data
o Submitting claims for services or goods not actually provided to the organization
Conditions for Fraud
o Motivation
o Opportunity
o Ability to rationalize
Motivation
o Internal pressure
o External pressure
o Pressure to pay for a personal lifestyle or vices
o Pressure to maximize performance-based bonuses or compensation
Opportunity
o Knowledge of the weaknesses of the company’s internal control systems
o Access to accounting records or assets
o Lack of proper supervision
o An environment of lax ethical standards
o A belief that the person will not be caught
Rationalization
o The employee believes their work has not been properly compensated
o The employee feels they are not getting the recognition they deserve
o The employee feels they need more money
o The employee believes they will return the stolen money in the future
Management Fraud
Management fraud is an especially serious matter because it is a fraudulent activity perpetrated
by individuals in positions of authority in a company.
Financial statement fraud is often committed by management because management is in the best
position to commit financial statement fraud.
A major risk factor that could indicate possible fraudulent financial reporting is management
override of controls.
Reasons for Management Fraud
o Management made decisions in the past that did not turn out well
o A threat of part of the business being sold
o Managers may feel the need to overstate their performance to keep their job
o Managers' compensation may be based on the results of their division, or the company as
a whole
o A manager may have a conflict of interest that causes them to commit fraud.
Fraud Risk Assessment
Responsibility for Prevention and Detection of Fraud
Management should establish and maintain an effective control system at a reasonable cost.
The IAA has the responsibility to exercise due professional care in fraud detection by providing an
independent appraisal, examination, and evaluation of an organization’s activities.
Role of IAA
To understand the risk of fraud in the company and the process by which that risk of fraud is
managed within the company.
Internal auditors evaluate risks faced by their organizations based on audit plans with appropriate
testing. Internal auditors need to be alert to the signs and possibilities of fraud within an
organization. While external auditors focus on misstatements in the financial statements that are
material, internal auditors are often in a better position to detect the symptoms that accompany
fraud. Internal auditors usually have a continual presence in the organization that provides them
with a better understanding of the organization and its control systems. Specifically, internal
auditors can assist in the deterrence of fraud by examining and evaluating the adequacy and the
effectiveness of internal controls. In addition, they may assist management in establishing effective
fraud prevention measures by knowing the organization’s strengths and weaknesses and providing
consulting expertise.
Internal auditors may conduct proactive auditing to search for misappropriation of assets and
information misrepresentation. This may include the use of computer-assisted audit techniques,
including data mining, to detect particular types of fraud. Internal auditors also can employ
analytical and other procedures to find unusual items and perform detailed analyses of high-risk
accounts and transactions to identify potential fraud.
Assessment of Fraud Risk
Part of the overall risk assessment and management process for the company should include an
assessment of the fraud risk for the organization as well as non-fraud risks.
The assessment should attempt to identify what potential frauds may occur and who in the company
would be in a position to commit those frauds.
It will also include an assessment of the controls related to those risks.
o The organization has set realistic goals and objectives.
o The organization fosters an environment of control consciousness.
o There are written policies, such as a Code of Ethics, that describe prohibited activities and
the actions that will be taken when violations are discovered.
o The organization has put in place policies, practices, procedures, and reports to monitor
activities to safeguard assets, particularly in high-risk areas.
o The organization has installed the proper communication channel that will provide
management with adequate and reliable information.
o Recommendations need to be established to enhance the control structure to help deter
fraud.
Steps in Fraud Risk Assessment
The Practice Guide: Internal Auditing and Fraud outlines the five key steps of fraud risk
assessment.
1. Identify relevant fraud risk factors
The internal auditor must understand the organization’s business and business activities
as well as external business partners in order to understand the risk of fraud in the
organization.
o The inherent risk of fraud considering the availability of liquid and saleable assets,
organizational morale and employee turnover, the history of fraud and losses, and other
specific business area indicators.
o The adequacy of existing anti-fraud programs, monitoring, and preventative controls.
o The potential gaps in the organization’s fraud controls, including segregation of duties.
o The likelihood of a significant fraud occurring.
o The business impact/significance of a fraud.
Internal Audit Responsibilities During Engagement
In every engagement, the internal auditor must assess the risk of fraud within the scope of that
engagement.
Internal auditors have a duty to perform all engagements with due diligence.
But, auditors are not expected to have the same knowledge as a person whose primary work is
detecting and investigating fraud.
The Practice Guide provides guidance of what the auditor should do while conducting
engagements.
o Consider fraud risks in the assessment of internal control design and determination of audit
steps to perform. Internal auditors are not expected to detect fraud, but internal auditors
are expected to obtain reasonable assurance that business objectives for the process under
review are being achieved and material control deficiencies — whether through simple
error or intentional effort — are detected. The consideration of fraud risks is documented
in the workpapers, as well as linkage of fraud risks to specific audit work.
o Have sufficient knowledge of fraud to identify red flags indicating fraud may have been
committed. This knowledge includes the characteristics of fraud, the techniques used to
commit fraud, and the various fraud schemes and scenarios associated with the activities
reviewed.
o Be alert to opportunities that could allow fraud, such as control deficiencies. If significant
control deficiencies are detected, additional tests conducted by internal auditors could be
used to identify whether fraud has occurred.
o Evaluate whether management is actively retaining responsibility for oversight of the fraud
risk management program, that timely and sufficient corrective measures have been taken
with respect to any noted control deficiencies or weaknesses, and that the plan for
monitoring the program continues to be adequate for the program’s ongoing success.
o Evaluate the indicators of fraud and decide whether any further action is necessary or
whether an investigation should be recommended.
o Recommend investigation when appropriate.
Professional Skepticism
In the performance of the engagement, the auditor should have an attitude of professional
skepticism.
The auditor will not automatically assume that people are being deceitful, but they will also not
assume that everyone is being truthful.
Red Flags
In performing the engagement, internal auditors need to be aware of anything they find that gives
indication of fraud being committed.
To identify indicators of fraud, auditors should have knowledge of the risk factors and red flags of
fraud.
Red flags are those items or actions that are associated with or strongly suggest fraudulent
behavior.
Example
Red flags may relate to time, frequency, place, amount, or personality. Red flags include overrides
of controls by management or officers, irregular or poorly explained management activities,
consistently exceeding goals/objectives regardless of changing business conditions and/or
competition, preponderance of non-routine transactions or journal entries, problems or delays in
providing requested information, and significant or unusual changes in customers or suppliers. Red
flags also include transactions that lack documentation or normal approval, employees or
management hand-delivering checks, customer complaints about delivery, and poor IT access
controls such as poor password controls.
Personal red flags include living beyond one’s means; conveying dissatisfaction with the job to
fellow employees; unusually close association with suppliers; severe personal financial losses;
addiction to drugs, alcohol or gambling; change in personal circumstances; and developing outside
business interests. In addition, there are fraudsters who consistently rationalize poor performance,
perceive beating the system to be an intellectual challenge, provide unreliable communications and
reports, and rarely take vacations or sick time (and when they are absent, no one performs their
work).
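As an added illustration of the computer-assisted audit techniques and analytical procedures mentioned under Role of IAA, and of several of the red flags listed above (transactions that lack documentation or normal approval, management overrides of controls, a preponderance of non-routine entries), the following Python script is not part of the handout or of any IIA practice guide. It scans a constructed set of journal entries and reports, for each flagged entry, the reasons it deserves follow-up. The field names, the business-hours window, the set of management roles and the round-amount threshold are assumptions chosen for the example; a real engagement would take them from the organization's own ledger layout and policies.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed journal-entry record. The field names are assumptions for this
# example, not a real ledger or ERP export format.
@dataclass
class JournalEntry:
    entry_id: str
    posted_at: datetime
    posted_by: str
    role: str            # role of the posting user, e.g. "clerk" or "controller"
    vendor: str
    invoice_no: str      # empty string for entries that are not vendor invoices
    amount: float
    approved_by: str     # empty string when no approval is recorded
    has_support: bool    # whether supporting documentation is attached

# Constructed sample data. 2024-03-16 and 2024-03-30 fall on a Saturday.
SAMPLE_ENTRIES = [
    JournalEntry("JE-001", datetime(2024, 3, 12, 10, 15), "aclark", "clerk",
                 "Acme Supply", "INV-1001", 1234.56, "bsmith", True),
    JournalEntry("JE-002", datetime(2024, 3, 12, 11, 40), "aclark", "clerk",
                 "Acme Supply", "INV-1001", 1234.56, "bsmith", True),   # same invoice again
    JournalEntry("JE-003", datetime(2024, 3, 30, 23, 5), "cjones", "controller",
                 "Misc", "", 50000.00, "", False),                      # period-end, late night
    JournalEntry("JE-004", datetime(2024, 3, 14, 9, 0), "dlee", "clerk",
                 "Beta Ltd", "B-778", 842.10, "bsmith", True),
    JournalEntry("JE-005", datetime(2024, 3, 16, 14, 30), "dlee", "clerk",
                 "Beta Ltd", "B-779", 910.00, "", True),                # weekend, unapproved
]

# Assumed policy parameters; a real engagement would take these from the
# organization's approval matrix and working-hours policy.
MANAGEMENT_ROLES = {"controller", "cfo", "ceo"}
BUSINESS_HOURS = range(8, 19)   # 08:00 to 18:59, Monday to Friday
ROUND_AMOUNT_UNIT = 1000        # multiples of this are treated as "round"


def flag_entry(entry, seen_invoices):
    """Return the list of red-flag reasons for one entry (empty if none).

    seen_invoices maps (vendor, invoice_no, amount) to the entry id that
    first carried that combination, so repeats can be reported as duplicates.
    """
    reasons = []
    if not entry.approved_by:
        reasons.append("no approval recorded")
    if not entry.has_support:
        reasons.append("no supporting documentation")
    if entry.role in MANAGEMENT_ROLES:
        reasons.append("posted by management (possible override)")
    if entry.posted_at.weekday() >= 5 or entry.posted_at.hour not in BUSINESS_HOURS:
        reasons.append("posted outside business hours")
    if entry.amount >= ROUND_AMOUNT_UNIT and entry.amount % ROUND_AMOUNT_UNIT == 0:
        reasons.append("round amount")
    key = (entry.vendor, entry.invoice_no, entry.amount)
    if entry.invoice_no and key in seen_invoices:
        reasons.append(f"duplicate of {seen_invoices[key]}")
    return reasons


def scan_entries(entries):
    """Scan entries in posting order; return {entry_id: [reasons]} for flagged ones."""
    seen_invoices = {}
    flagged = {}
    for entry in sorted(entries, key=lambda e: e.posted_at):
        reasons = flag_entry(entry, seen_invoices)
        key = (entry.vendor, entry.invoice_no, entry.amount)
        if entry.invoice_no and key not in seen_invoices:
            seen_invoices[key] = entry.entry_id
        if reasons:
            flagged[entry.entry_id] = reasons
    return flagged


if __name__ == "__main__":
    for entry_id, reasons in scan_entries(SAMPLE_ENTRIES).items():
        print(entry_id, "->", "; ".join(reasons))
```

Each flag is an indicator for follow-up, consistent with the professional skepticism the handout calls for: a single after-hours posting by a controller may be routine period-end work, while an entry that accumulates several reasons (no approval, no support, management poster, round amount) is the kind of item to select for detailed analysis of the high-risk account behind it.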
Fraud Investigation
If fraud is suspected, the internal auditor should determine its possible effects and discuss the
matter with the appropriate level of management.
Subsequently, management should initiate a full investigation.
People Involved
Lawyers, investigators, security personnel, and other specialists from inside or outside the
organization will also be involved in the fraud investigation.
Role for IAA
The specific role of the IAA should be outlined in the Charter and also possibly in policies and
procedures related to fraud.
The potential roles for the IAA include leading the investigation, being a supporting resource to
another party leading the investigation, or possibly no role at all in the investigation (if it is felt
that the IAA does not have adequate resources for the investigation).
Conducting a Fraud Engagement
o Assess the probable level and extent of complicity in the fraud within the organization.
o Determine the knowledge, skills, and other competencies needed to effectively carry out
the investigation.
o Design procedures to identify the perpetrators, the extent of the fraud, the techniques
used, and the cause of the fraud.
o Coordinate activities with management personnel, legal counsel, and other specialists as
appropriate throughout the course of the investigation.
o Be aware of the rights of alleged perpetrators and personnel within the scope of the
investigation and the reputation of the organization itself.
Sources of Evidence
The main procedures during the investigation will consist of obtaining evidence and interviewing.
o Letters, memos, and correspondence, in either hard copy or electronic form (such as e-mails
or information stored on personal computers).
o Computer files, general ledger postings, or other financial or electronic records.
o IT or system access records.
o Security and timekeeping logs, such as security camera videos or access badge records.
o Internal phone records.
o Customer or vendor information both in the public domain and maintained by the
organization, such as contracts, invoices, and payment information.
o Public records such as business registrations with government agencies or property
records.
o News articles and internal and external websites, such as social media.
Reporting
Reporting in a fraud engagement will be ongoing throughout the investigation, as the board and
senior management will want to be kept informed of what is happening.
Resolution of Situation
After the investigation has been completed, the Board must come to a final resolution of the
matter.
This will include determining what actions will be taken as a result of the investigation.
o Providing closure to persons who were initially under suspicion but were found to be
innocent.
o Providing closure to those who reported a concern.
o Disciplining an employee in accordance with the organization’s policies, employment
legislation, or employment contracts.
o Requesting voluntary financial restitution from an employee, customer, or supplier.
o Terminating contracts with suppliers.
o Reporting the incident to law enforcement, regulatory bodies, or similar authorities;
encouraging them to prosecute the fraudster; and cooperating with their investigation and
prosecution.
o Entering into civil litigation or similar legal processes to recover the amount taken.
o Filing an insurance claim.
o Filing a complaint with the perpetrator’s professional association.
o Recommending control enhancements.
Lessons Learned
The internal auditor needs to identify what went wrong, what enabled the fraud to occur, what
controls did not exist or were overridden, what red flags were missed and most importantly, what
needs to be done to prevent this from happening again and detect it if it does occur.
Recommend Controls to Prevent and Detect Fraud
Process Review
It is only through an ongoing effort to maintain strong controls and risk management processes
that a company can protect itself from significant acts of fraud.
This process of creating, maintaining, reviewing and improving the fraud risk management process
is called fraud risk governance.
Principles of Managing Fraud Risk
The guide entitled “Managing the Business Risk of Fraud: A Practical Guide” identifies five
principles for proactively establishing an environment to effectively manage an organization’s
fraud risk.
Principle 1: As part of an organization’s governance structure, a fraud risk management program
should be in place, including a written policy (or policies) to convey the expectations of the board
of directors and senior management regarding managing fraud risk.
Principle 2: Fraud risk exposure should be assessed periodically by the organization to identify
specific potential schemes and events that the organization needs to mitigate.
Principle 3: Prevention techniques to avoid potential key fraud risk events should be established,
where feasible, to mitigate possible impacts on the organization.
Principle 4: Detection techniques should be established to uncover fraud events when preventive
measures fail or unmitigated risks are realized.
Principle 5: A reporting process should be in place to solicit input on potential fraud, and a
coordinated approach to investigation and corrective action should be used to help ensure
potential fraud is addressed appropriately and timely.
Support a Culture of Fraud Awareness
Fraud Awareness
The culture of the company in respect to fraud starts with the “Tone at the Top”, just as it did for
the corporate culture surrounding internal controls.
It is better and cheaper to prevent fraud than to detect it, so the goal should be to create a culture
in the company of reporting whenever something does not seem right.
Whistleblowing
Whistleblowing is when something is reported outside of the normal chain of command.
It is often used when an employee reports fraud or abuse, or any other impropriety within their
department or being committed by their supervisor.
Because of the importance of this to the company, it is critical that people feel safe reporting when
something does not seem right.
Communicating Externally
In addition to making certain that there is a strong corporate culture about fraud within the
company, it is also important that this strong corporate culture is communicated to external
parties that the company deals with.
Forensic Auditing and Interrogations
Forensic Auditing
Forensic auditing applies auditing skills to situations that have potential legal implications and/or
consequences.
The forensic expert helps the internal auditor gather evidence to prove or disprove suspicions,
identify the parties involved, and acquire and maintain evidence that may be subsequently
presented in disciplinary or criminal proceedings.
The Forensic Expert
Depending on the area in question, the forensic expert may be someone who comes from outside
the internal audit function and also from outside the company.
Even if the forensic expert comes from outside the company, the CAE still has overall responsibility
for the work of the forensic expert.
Covering Up Evidence
Because a potential fraud is being investigated, the internal auditor must keep in mind that the
person being investigated was most certainly attempting to cover up what they were doing.
Interrogation
In an interview the internal auditor is trying to find out some information.
In an interrogation, the goal is to get confirmation of something that was done, and ideally to get
a confession from the person being interrogated about what they did.
Who Interrogates
Because of the nature of an interrogation, it will be much more ‘legal’ than an interview.
At least two people should perform the interrogation.
There will most likely be legal counsel involved in both the preparation for and the interrogation
itself to make certain that the company does not place itself at risk of being sued by the person
who is being interrogated.
Who is Interrogated
The main people who will be interrogated are the people who are suspected of committing the
fraud, or were part of the fraud, or helped to cover it up.
Other individuals who may have information about the situation, but were not involved in the
fraud itself may be interviewed instead of interrogated.
Collecting Information
When asking the questions, it is important that the questions are phrased correctly.
Notes should be taken to make certain that the answer is clearly understood.
As the interrogation takes place, the interrogator needs to be able to take into account what the
individual says.
Listening and Body Language
In addition to listening carefully to what is said, the interrogator also needs to pay attention to the
body language and other non-verbal cues that the person is giving.
Confessions
A confession is a complete acknowledgement of wrongdoing by the accused.
However, the confession may be tainted if the suspect was under duress while the confession was
given.
Admissions
In an admission, the accused party acknowledges committing a certain act, but he or she does not
confess that there was intent, nor does the accused party confess to the accusation.
Legal Hazards
When the internal auditor conducts a fraud investigation, he or she has to make sure that it is
conducted professionally and within appropriate legal standards.
Failing to follow legal requirements may expose the company to expensive litigation from the
accused person.
Common Legal Hazards
Defamation of character
o Slander is spoken defamation
o Libel is published defamation
False imprisonment
Malicious prosecution
Reference:
International Standards for the Professional Practice of Internal Auditing (the Standards)
© to the owner CIA Materials