CIA CIA1 BookOnline SU8 Outline

STUDY UNIT EIGHT

FRAUD RISKS AND CONTROLS

8.1 Fraud -- Risks and Types
8.2 Fraud -- Controls
8.3 Fraud -- Investigation

This study unit covers Domain VI: Fraud Risks from The IIA’s CIA Exam Syllabus. This domain
makes up 10% of Part 1 of the CIA exam and is tested at the basic and proficient cognitive
levels.

The learning objectives of Study Unit 8 are

● Interpret fraud risks and types of frauds and determine whether fraud risks require special
consideration when conducting an engagement

● Evaluate the potential for occurrence of fraud (red flags, etc.) and how the organization
detects and manages fraud risks

● Recommend controls to prevent and detect fraud and education to improve the organization’s
fraud awareness

● Recognize techniques and internal audit roles related to forensic auditing (interview,
investigation, testing, etc.)

Study Unit 8 covers managing fraud risks through internal controls and the internal audit function.
Management is responsible for establishing and maintaining internal control. Thus, management
also is responsible for the fraud prevention program. Internal auditors must have sufficient
knowledge to evaluate the risk of fraud and the manner in which it is managed by the organization.
An internal auditor’s responsibilities for the detection of fraud include

● Having sufficient knowledge to identify indicators that fraud may have been committed,

● Being alert to opportunities that could allow fraud (e.g., control weaknesses), and

● Being able to evaluate the indicators of fraud sufficiently to determine whether a fraud
investigation should be conducted.

Copyright © 2022 Gleim Publications, Inc. All rights reserved. Duplication prohibited. Reward for information exposing violators. Contact copyright@gleim.com.

8.1 FRAUD -- RISKS AND TYPES

Fraud and Fraud Risk


Fraud is “any illegal act characterized by deceit, concealment, or violation of trust. These acts are
not dependent upon the threat of violence or physical force. Frauds are perpetrated by parties and
organizations to obtain money, property, or services; to avoid payment or loss of services; or to
secure personal or business advantage.”

Fraud risk is the possibility that fraud will occur and the potential effects to the organization when it
occurs.

Characteristics of Fraud
Fraud is an intentional deception or misrepresentation. The three conditions ordinarily present when
fraud exists include pressure (incentive) to commit fraud, an opportunity, and the capacity to
rationalize misconduct.

1. Pressure (incentive) is the need a person tries to satisfy by committing the fraud.
■ Situational pressure can be personal (e.g., financial difficulties in an employee’s
personal life) or organizational (e.g., the desire to release positive news to the financial
media).

2. Opportunity is the ability to commit the fraud.


■ Opportunity is a factor in low-level employee fraud. Lack of controls over cash, goods,
and other organizational property, as well as insufficient segregation of duties, are
enabling factors.
■ Opportunity is the characteristic that the organization can most influence, e.g., by
means of controls.

3. Rationalization is the ability to justify the fraud. It occurs when a person attributes his or
her actions to rational and creditable motives without analysis of the true and, especially,
unconscious motives.
■ Feeling underpaid is a common rationalization for low-level fraud.
■ Fraud awareness training minimizes rationalization by
► Supporting the ethical tone at the top,
► Promoting an environment averse to fraud, and
► Emphasizing that the organization does not tolerate misconduct of any kind.


Figure 8-1

Effects of Fraud
Monetary losses from fraud are significant, but its full cost is immeasurable in terms of time,
productivity, and reputation, including customer relationships.

Thus, an organization should have a fraud program that includes awareness, prevention, and
detection programs. It also should have a fraud risk assessment process to identify fraud risks.

Types of Fraud
Asset misappropriation is stealing cash or other assets (supplies, inventory, equipment, and
information). The theft may be concealed, e.g., by adjusting records.

● For example, entering fraudulent journal entries can help conceal asset theft (e.g., when an
asset is purchased, the perpetrator debits an expense account instead of an asset account).

● However, selecting a vendor based on a blanket purchase order with an approved vendor(s)
is a common business practice.

Skimming is theft of cash before it is recorded, for example, accepting payment from a customer
but not recording the sale.

Payment fraud involves payment for fictitious goods or services, overstatement of invoices, or use
of invoices for personal reasons.

Expense reimbursement fraud is payment for fictitious or inflated expenses, for example, an
expense report for personal travel, nonexistent meals, or extra mileage.


Payroll fraud is a false claim for compensation, for example, overtime for hours not worked or
payments to fictitious employees. One control used to detect the addition of fictitious persons
to the payroll is for the auditor to make periodic comparisons of the names on the payroll with
persons observed working for the company.

Financial statement misrepresentation often overstates assets or revenue or understates
liabilities and expenses. Management may benefit by selling stock, receiving bonuses, or
concealing another fraud.

Information misrepresentation provides false information, usually to outsiders in the form of
fraudulent financial statements.

Corruption is an improper use of power, e.g., bribery. It often leaves little accounting evidence.
These crimes usually are uncovered through tips or complaints from third parties. Corruption often
involves the purchasing function.

Bribery is offering, giving, receiving, or soliciting anything of value to influence an outcome (e.g.,
kickbacks). Bribes may be offered to key employees such as purchasing agents. Those paying
bribes tend to be intermediaries for outside vendors.

A conflict of interest is an undisclosed personal economic interest in a transaction that adversely
affects the organization or its shareholders.

A diversion redirects to an employee or outsider a transaction that normally benefits the
organization.

Wrongful use of confidential or proprietary information is fraudulent.

A related-party fraud is receipt of a benefit not obtainable in an arm’s-length transaction.

Tax evasion is intentionally falsifying a tax return.

Low-Level Fraud vs. Executive Fraud


Fraud committed by staff or line employees most often consists of theft of property or
embezzlement of cash. The incentive might be relief of economic hardship, the desire for material
gain, or a drug or gambling habit. This type of fraud is intended to benefit individuals and is
generally committed by an individual or individuals living outside their apparent means of support.

● Stealing petty cash or merchandise, lapping accounts receivable, and creating nonexistent
vendors are common forms of low-level fraud.

Fraud at the executive level is different in that it often benefits both the self and the organization.
The incentive is usually either maintaining or increasing the stock price, receiving a large bonus, or
both.

● Executive level fraud ordinarily consists of materially misstating financial statements because
promotion and compensation are tied to profits.


Symptoms of Fraud
A document symptom is any tampering with the accounting records to conceal a fraud. Keeping
two sets of books or forcing the books to reconcile are examples.

A lifestyle symptom is an unexplained rise in an employee’s social status or level of material
consumption.

A behavioral symptom (i.e., a drastic change in an employee’s behavior) may indicate the
presence of fraud. Guilt and other forms of stress associated with perpetrating and concealing the
fraud may cause noticeable changes in behavior.

Some Indicators (Red Flags) of Possible Fraud


Even the most effective internal control can sometimes be circumvented, for example, by collusion
of two or more employees. Thus, an auditor must be sensitive to conditions that might indicate the
existence of fraud. The following are examples:

● Lack of employee rotation in sensitive positions, such as cash handling

● Inappropriate combination of job duties (e.g., cash collections and disbursements
responsibilities)

● Unclear lines of responsibility and accountability

● Unrealistic sales or production goals

● An employee who refuses to take vacations or refuses promotion

● Established controls not applied consistently

● High reported profits when competitors are suffering from an economic downturn

● High turnover among supervisory positions in finance and accounting areas

● Excessive or unjustifiable use of sole-source procurement

● An increase in sales far out of proportion to the increase in cost of goods sold (e.g., sales
increase by 30% and cost of goods sold increase by 3%)

● Material contract requirements in the actual contract differ from those in the request for bids

● Petty cash transactions are not handled through an imprest fund

● Business arrangements are difficult to understand and do not seem to have any practical
applicability to the entity

● End-of-period transactions are complex, unusual, or significant



Types of Fraudulent Processes


Lapping Receivables

In this fraud, a person (or persons) with access to customer payments and accounts receivable
records steals a customer’s payment. The shortage in that customer’s account then is covered by
a subsequent payment from another customer.

The process continues until


● A customer complains about his or her payment not being posted,
● An absence by the perpetrator allows another employee to discover the fraud, or
● The perpetrator covers the amount stolen.
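The audit test that surfaces lapping before a customer complains is to tie the bank's or lockbox's item-level deposit detail (who actually paid) to the customer account the clerk credited. The following is an added example, not part of the Gleim study unit; the deposit and posting records, customer names, and the 3-day posting threshold are constructed for illustration, and it assumes the bank provides remittance detail for each deposited item.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Deposit:
    """Bank or lockbox detail for one item: who actually paid, per the check or remittance."""
    deposit_id: str
    received: date
    payer: str
    amount: float


@dataclass(frozen=True)
class Posting:
    """Cash-receipts journal entry: the customer account the clerk credited for that item."""
    deposit_id: str
    posted: date
    customer: str
    amount: float


def find_lapping(deposits, postings, max_delay_days=3):
    """Compare deposit detail with AR postings item by item.

    Returns a list of (deposit_id, reason). Lapping shows up as money from one
    customer credited to another, as receipts never posted, and as postings
    that lag the receipt while the clerk waits for the next payment to arrive.
    """
    postings_by_deposit = {}
    for p in postings:
        postings_by_deposit.setdefault(p.deposit_id, []).append(p)

    findings = []
    for d in sorted(deposits, key=lambda x: x.received):
        matched = postings_by_deposit.pop(d.deposit_id, [])
        if not matched:
            findings.append((d.deposit_id, f"payment from {d.payer} never posted to any customer"))
            continue
        for p in matched:
            if p.customer != d.payer:
                findings.append((d.deposit_id, f"payment from {d.payer} credited to {p.customer}"))
            if p.amount != d.amount:
                findings.append((d.deposit_id, f"posted {p.amount:.2f} but bank received {d.amount:.2f}"))
            delay = (p.posted - d.received).days
            if delay > max_delay_days:
                findings.append((d.deposit_id, f"posted {delay} days after receipt"))
    # Postings that cite a deposit the bank never saw are fabricated entries.
    for orphan in postings_by_deposit:
        findings.append((orphan, "posting cites a deposit the bank never received"))
    return findings


# Constructed sample: C1's 3/1 payment is stolen; C2's money is posted to C1 to
# hide the shortage, then C3's money to C2. D4 is a clean receipt.
DEPOSITS = [
    Deposit("D1", date(2024, 3, 1), "C1", 500.0),
    Deposit("D2", date(2024, 3, 5), "C2", 500.0),
    Deposit("D3", date(2024, 3, 9), "C3", 500.0),
    Deposit("D4", date(2024, 3, 10), "C4", 120.0),
]
POSTINGS = [
    Posting("D2", date(2024, 3, 6), "C1", 500.0),   # C2's money applied to C1
    Posting("D3", date(2024, 3, 10), "C2", 500.0),  # C3's money applied to C2
    Posting("D4", date(2024, 3, 10), "C4", 120.0),  # legitimate
]

if __name__ == "__main__":
    for deposit_id, reason in find_lapping(DEPOSITS, POSTINGS):
        print(deposit_id, reason)
```

The same comparison is what the perpetrator's absence makes possible: a substitute clerk posts the next receipt to the right customer, and the chain of mismatches becomes visible in the journal.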

Check Kiting

Kiting exploits the delay (the float) between (1) depositing a check in one bank account and
(2) clearing the check through the bank on which it was drawn. This practice is only possible when
paper checks are used. The widespread use of electronic funds transfer and other networked
computer safeguards makes electronic kiting difficult.

A check is kited when (1) a person (the kiter) writes an insufficient funds check on an account in
one bank and (2) deposits the check in another bank.

The second bank immediately credits the account for some or all of the amount of the check,
enabling the kiter to write other checks on that (nonexistent) balance. The kiter then covers the
insufficiency in the first bank with another source of funds. The process can proceed in a circle of
accounts at any number of banks.
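The standard audit procedure for kiting is an interbank transfer schedule: every transfer between the entity's own accounts is listed with the date the receiving bank gave credit and the date the paying bank actually cleared the check, and the auditor looks for deposits credited before the check clears, drawn on an account that could not cover them, and for transfers in transit at period end that are counted as cash in both banks. The following is an added example, not part of the study unit; the bank names, check numbers, dates, and balances are constructed, and the balance lookup stands in for figures that would come from bank statements.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Transfer:
    """One check moving the entity's own money from one of its banks to another."""
    check_no: str
    amount: float
    from_bank: str              # bank the check is drawn on
    to_bank: str                # bank the check is deposited in
    credited_at_to_bank: date   # date the receiving bank gave credit for the deposit
    cleared_at_from_bank: date  # date the paying bank actually paid the check


def float_days(t):
    """Days during which the same dollars appear in both banks."""
    return (t.cleared_at_from_bank - t.credited_at_to_bank).days


def kiting_indicators(transfers, paying_balances, period_end):
    """Flag transfers that look like kites.

    paying_balances maps (bank, date) -> collected balance of the entity's account
    at that bank on that date (constructed here; from bank statements in practice).
    Returns a list of (check_no, reason).
    """
    findings = []
    for t in transfers:
        fd = float_days(t)
        bal = paying_balances.get((t.from_bank, t.credited_at_to_bank))
        # Credit received before the check cleared, from an account that could not cover it.
        if fd > 0 and bal is not None and bal < t.amount:
            findings.append((t.check_no,
                             f"credited by {t.to_bank} {fd} day(s) before clearing while "
                             f"{t.from_bank} held only {bal:.2f} against a {t.amount:.2f} check"))
        # Deposit recorded before period end, disbursement cleared after: cash counted twice.
        if t.credited_at_to_bank <= period_end < t.cleared_at_from_bank:
            findings.append((t.check_no, "in transit at period end: counted as cash in both banks"))
    return findings


def circular_pairs(transfers, min_count=2):
    """Bank pairs with repeated transfers between them (the circle of accounts)."""
    counts = {}
    for t in transfers:
        key = tuple(sorted((t.from_bank, t.to_bank)))
        counts[key] = counts.get(key, 0) + 1
    return {k: v for k, v in counts.items() if v >= min_count}


# Constructed sample: checks 1001 and 2001 kite between the two banks, each
# covering the one before it; check 1002 is an ordinary, fully funded transfer.
TRANSFERS = [
    Transfer("1001", 10_000.0, "First Bank", "Second Bank", date(2023, 12, 29), date(2024, 1, 3)),
    Transfer("2001", 12_000.0, "Second Bank", "First Bank", date(2024, 1, 2), date(2024, 1, 6)),
    Transfer("1002", 500.0, "First Bank", "Second Bank", date(2024, 1, 10), date(2024, 1, 12)),
]
PAYING_BALANCES = {
    ("First Bank", date(2023, 12, 29)): 2_000.0,   # cannot cover check 1001
    ("Second Bank", date(2024, 1, 2)): 10_000.0,   # only the uncleared 1001 deposit
    ("First Bank", date(2024, 1, 10)): 50_000.0,   # plenty for check 1002
}
PERIOD_END = date(2023, 12, 31)

if __name__ == "__main__":
    for check_no, reason in kiting_indicators(TRANSFERS, PAYING_BALANCES, PERIOD_END):
        print(check_no, reason)
    print(circular_pairs(TRANSFERS))
```

Float by itself is normal; the indicator is float on a check the paying account could not honor, repeated between the same accounts, with the deposit side recorded before a cutoff date.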


Roles of Internal Auditors


Internal auditors are not responsible for the detection of all fraud, but they always must be alert to
the possibility of fraud.

Implementation Standard 1210.A2


Internal auditors must have sufficient knowledge to evaluate the risk of fraud and
the manner in which it is managed by the organization, but are not expected to have
the expertise of a person whose primary responsibility is detecting and investigating
fraud.

● According to Implementation Standard 1220.A1, internal auditors must exercise due
professional care by, among other things, considering the “probability of significant errors,
fraud, or noncompliance.”

● Internal auditors therefore must consider the probability of fraud when developing
engagement objectives (Implementation Standard 2210.A2).

Implementation Standard 2120.A2


The internal audit activity must evaluate the potential for the occurrence of fraud
and how the organization manages fraud risk.

The internal auditor should consider the potential for fraud risks in the assessment of control design
and the choice of audit procedures.

● Internal auditors should obtain reasonable assurance that objectives for the process under
review are achieved and material control deficiencies are detected.

● The consideration of fraud risks and their relation to specific audit work are documented.


Internal auditors should have sufficient knowledge of fraud to identify indicators of fraud (red flags).
However, internal auditors do not normally perform procedures specifically to gather red flag
information.

● This knowledge includes


■ The characteristics of fraud,
■ The methods used to commit fraud, and
■ The various fraud schemes associated with the activities reviewed.

Internal auditors should be alert to opportunities that could allow fraud, such as control deficiencies.

● If significant control deficiencies are detected, additional procedures may be performed to


determine whether fraud has occurred.

Internal auditors should evaluate the indicators of fraud and decide whether any further action is
necessary or whether an investigation should be recommended.

Internal auditors should evaluate whether

● Management is actively overseeing the fraud risk management programs,

● Timely and sufficient corrective measures have been taken with respect to any noted control
deficiencies, and

● The plan for monitoring the program is adequate.

If appropriate, internal auditors should recommend an investigation.


8.2 FRAUD -- CONTROLS

Fraud Management Program


The components of an effective fraud management program include the following:
● Company ethics policy
● Fraud awareness
● Fraud risk assessment
● Ongoing reviews
● Prevention and detection
● Investigation

Controls
Control is the principal means of managing fraud and ensuring the components of the fraud
management program are present and functioning. (Control and types of control are covered in
detail in Study Unit 6.)

The COSO Internal Control Framework (covered in detail in Study Unit 6, Subunit 3) can be
applied in the fraud context to promote an environment in which fraud is effectively managed.

● The control environment includes such elements as a code of conduct, ethics policy, or
fraud policy to set the appropriate tone at the top; hiring and promotion guidelines and
practices; and board oversight.

● A fraud risk assessment generally includes the following:


■ Identifying and prioritizing fraud risk factors and fraud schemes
■ Determining whether existing controls apply to potential fraud schemes and identifying
gaps
■ Testing operating effectiveness of fraud prevention and detection controls
■ Documenting and reporting the fraud risk assessment

● Control activities are policies and procedures for business processes that include authority
limits and segregation of duties.

● Fraud-related information and communication practices promote the fraud risk


management program and the organization’s position on risk. The means used include fraud
awareness training and confirming that employees comply with the organization’s policies.

● Monitoring evaluates antifraud controls through independent evaluations of the fraud risk
management program and use of it.


Preventing fraud. Essential elements in preventing fraud are setting the correct tone at the top and
instilling a strong ethical culture. The following are preventative controls:

● Safeguarding of assets protects entities against the unauthorized use and disposal of
assets. Examples include theft of assets and intellectual property.

● Computer access controls such as passwords and device authorization tables are used to
prevent improper use or manipulation of data files and programs.

● A lockbox system can ensure that cash receipts are not stolen by mail clerks or other
employees.

Detecting fraud. An essential element in detecting fraud is employee feedback, because tips from
employees are the most common way fraud is detected. Sources of employee feedback include a
whistleblower hotline, exit interviews, and employee surveys.

Responsibility for Controls


Management is primarily responsible for establishing and maintaining control.

Internal auditors must assist the organization by evaluating the effectiveness and efficiency of
controls and promoting continuous improvement (Performance Standard 2130).

● In an assurance engagement, internal auditors must assist the organization by evaluating
the adequacy and effectiveness of controls in responding to risks (Implementation
Standard 2130.A1).

● Internal auditors are not responsible for designing and implementing fraud prevention
controls.

● However, internal auditors acting in a consulting role can help management identify and
assess risk and determine the adequacy of the control environment.
■ Internal auditors also are in a unique position within the organization to recommend
changes to improve the control environment.


Fraud Awareness
Fraud awareness is having an understanding of the nature, causes, and characteristics of fraud.

● Fraud awareness is developed through periodic fraud risk assessments, training of
employees, and communications between management and employees.

Employee training about fraud should be tailored to each organization’s fraud risks.

● Training typically covers the organization’s values and code of conduct, types of fraud, and
employee roles and responsibilities to report violations of ethical behavior.

Fraud essentially is the falsification of transactions. Thus, an auditor’s examination of transactions
for fraud tests the existence assertion.

Management override takes place when management circumvents an entity’s controls for an
illegitimate purpose, such as personal gain or enhanced presentation of the entity’s position.

EXAMPLE 8-1 Examples of Management Override

● Management could approve the sale of goods to a customer who does not meet the company’s
credit policies in order to increase revenue. In doing so, management overrides the credit approval
control that was in place.
● Management requests the controller leave the period open and overrides the control in place related
to closing in order to manipulate cutoff.
● Management alters adjusting entries that have been reviewed and approved at department levels
prior to posting to decrease current-period expenses, overriding controls related to adjustments to
the financial statements.

● The following controls address management override risks (detailed examples of controls are
included on the following pages):
■ Controls over significant, unusual transactions, particularly those that result in late or
unusual journal entries
■ Controls over journal entries and adjustments made in the period-end financial reporting
process
■ Controls over related party transactions
■ Controls related to significant management estimates
■ Controls that mitigate incentives for, and pressures on, management to falsify or
inappropriately manage financial results

● Assessing the risk of management override is part of the assessment of fraud risk. The board
of directors or audit committee oversees this assessment.


The following charts describe examples of some controls (including their objectives) and provide a
reason for their existence.

Purchases

Objective: Confirm purchases are properly authorized.

Controls:
● Prepare an Accounts Payable signature authorization list showing the signatures for authorized
individuals who may initiate and approve purchase orders.
● Persons authorized to initiate or approve purchase orders have full responsibility for ensuring
that each purchase, including the price, specifications, quality, and quantity, is appropriate.
● Purchases can only be transacted by approved vendors or evidenced by approved contracts.
● A policy prohibits receipt of kickbacks, gifts, and other items of value from vendors.
● Expenditures transacted via credit or debit cards and electronic payments (Venmo, PayPal,
Zelle, Square, etc.) are subject to expense-type code restrictions.
● Separation of duties between the ordering and receiving of merchandise.
● The receiving department does not accept goods unless it has a blind copy of a properly
approved purchase order for the items.
● Credit card charges are subject to the expenditure controls used on purchases transacted
through the accounts payable process cycle.
● Receiving reports and vendor invoices are required to be sent to accounts payable.

WHY?
Prevent a purchasing agent from purchasing items for personal use with the organization’s funds.


Computer Fraud

Objective: Only those persons with a bona fide purpose and authorization have access to data files
and programs.

Controls:
● Programmers do not have access to programs used in processing.
● Lists of authorized persons are maintained online and are kept constantly updated after
personnel changes (e.g., promotion or resignation).

WHY?
The risk of inappropriate use is reduced when only authorized personnel access programs used in
processing. Use should be necessary to fulfill job obligations.

Objective: Only those persons with a bona fide purpose and authorization have access to data files
and programs.

Controls:
● Use a device authorization table to grant access only to those physical devices that should
logically need access.
● Restrict the ability of employees to gain access to and change sensitive information.

WHY?
For example, it is illogical for anyone to access the accounts receivable file from a manufacturing
terminal. Accordingly, the device authorization table should deny access to the accounts receivable
file even when a valid password is used from a manufacturing terminal.

Objective: Convert data into unreadable code so that unauthorized individuals cannot use the data
inappropriately.

Control:
● Encrypt data so that only authorized users can decode (decipher) the information.

WHY?
Encrypting data before transmission over communication lines makes the content unreadable to
someone who can intercept it. Encryption alone provides confidentiality, not integrity: detecting
unauthorized modification of the content also requires an integrity check, such as an authenticated
encryption mode or a message authentication code, and the protection is only as strong as the
control over the keys.

Objective: Adequate control over program changes.

Controls:
● Redesign programs using a working copy, not the version in use.
● The systems analyst is made responsible for communicating the purpose of the design to the
programmer.
● Actual users test new programs.
● Programmers do not have access to operational processes, and librarians are not able to
program.

WHY?
Prevent opportunities for an individual with malicious or fraudulent intent to create and insert code
within the program under development.
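The authorized-persons list and the device authorization table from the first two Computer Fraud entries above combine into a single access decision: a valid password is necessary but not sufficient, because the terminal the request comes from must also be entitled to the file. The following is an added example, not from the study unit; the user name, device identifiers, resource names, salt, and password are constructed, and the table is held in memory rather than in a real access-control system.

```python
import hashlib
import hmac

# Constructed salt for the example; a real system stores a random salt per user.
_SALT = b"constructed-example-salt"


def _hash_password(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 50_000)


# Authorized-persons list: who may use which data files, kept current on personnel changes.
AUTHORIZED_PERSONS = {
    "jdoe": {
        "password_hash": _hash_password("correct-horse-battery"),
        "resources": {"accounts_receivable", "work_orders"},
    },
}

# Device authorization table: which files each physical terminal may logically reach.
DEVICE_AUTHORIZATION_TABLE = {
    "MFG-TERM-01": {"work_orders", "bill_of_materials"},    # shop-floor terminal
    "AR-WS-07": {"accounts_receivable", "customer_master"},  # accounts receivable desk
}


def authorize(user, password, device, resource):
    """Return (allowed, reason).

    Access requires all three: a valid credential, a user entitlement for the
    resource, and a device entitlement for the resource. The device check is
    what denies the AR file from a manufacturing terminal even with a valid password.
    """
    person = AUTHORIZED_PERSONS.get(user)
    # Always run the comparison so an unknown user takes as long as a bad password.
    expected = person["password_hash"] if person else _hash_password("")
    if not hmac.compare_digest(expected, _hash_password(password)) or person is None:
        return False, "invalid credentials"
    if resource not in person["resources"]:
        return False, f"user {user} is not authorized for {resource}"
    if resource not in DEVICE_AUTHORIZATION_TABLE.get(device, set()):
        return False, f"device {device} is not authorized for {resource}"
    return True, "ok"


def deprovision(user):
    """Personnel change (e.g., resignation): remove the person from the list at once."""
    AUTHORIZED_PERSONS.pop(user, None)


if __name__ == "__main__":
    print(authorize("jdoe", "correct-horse-battery", "AR-WS-07", "accounts_receivable"))
    print(authorize("jdoe", "correct-horse-battery", "MFG-TERM-01", "accounts_receivable"))
```

The order of the checks matters for what a caller learns: credential failures are reported the same way for unknown and known users, and the resource and device reasons are only returned once the caller has proved who they are.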


Segregation of Duties

Objective: Minimize the opportunities for a person to be able to perpetrate and conceal fraud or
errors in the normal course of his or her duties.

Controls:
● Separate contract negotiation from approval of invoices for payment.
● Person(s) responsible for signing checks or approving electronic payments verify that a service
or product was received.
● Separate contract negotiation, approval of invoices for payment, and budget preparation.
● Separate vendor setup responsibility from the purchasing function.
● Separate employee and contractor setup from the position responsible for processing payroll and
contractor payments.

WHY?
When feasible, segregation of duties divides responsibility for recording of the transaction,
authorization, and custody of the assets associated with the transaction. The effect is to minimize
the opportunities for a person to be able to perpetrate and conceal fraud or error.
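In an identity system the separations listed above become a set of toxic permission pairs, checked two ways: a detective sweep over everyone's effective permissions (what an internal auditor would run against the access listing) and a preventive check when a new role is requested. The following is an added example, not from the study unit; the permission and role names, the users, and their role assignments are constructed, and the rules are this example's reading of the chart above.

```python
# Toxic combinations from the segregation-of-duties chart above
# (permission names are this example's own assumptions).
SOD_RULES = [
    ({"negotiate_contract", "approve_invoice"}, "contract negotiation vs. invoice approval"),
    ({"negotiate_contract", "prepare_budget"}, "contract negotiation vs. budget preparation"),
    ({"approve_invoice", "prepare_budget"}, "invoice approval vs. budget preparation"),
    ({"vendor_setup", "purchasing"}, "vendor setup vs. purchasing"),
    ({"employee_setup", "process_payroll"}, "employee setup vs. payroll processing"),
    ({"contractor_setup", "pay_contractors"}, "contractor setup vs. contractor payments"),
]

# Constructed role model: roles bundle permissions, users hold roles.
ROLE_PERMISSIONS = {
    "buyer": {"purchasing", "negotiate_contract"},
    "ap_clerk": {"approve_invoice"},
    "vendor_master_admin": {"vendor_setup"},
    "fp_and_a": {"prepare_budget"},
    "hr_admin": {"employee_setup", "contractor_setup"},
    "payroll_clerk": {"process_payroll", "pay_contractors"},
}

USER_ROLES = {
    "alice": {"buyer"},
    "bob": {"buyer", "ap_clerk"},                 # negotiates and approves invoices
    "carol": {"vendor_master_admin", "buyer"},    # creates vendors and buys from them
    "dave": {"hr_admin"},
    "erin": {"hr_admin", "payroll_clerk"},        # adds employees and pays them
}


def effective_permissions(roles, role_permissions=ROLE_PERMISSIONS):
    """Union of the permissions granted by every role the user holds."""
    perms = set()
    for r in roles:
        perms |= role_permissions.get(r, set())
    return perms


def sod_violations(user_roles=USER_ROLES, rules=SOD_RULES, role_permissions=ROLE_PERMISSIONS):
    """Detective check: every (user, rule) where the user's combined roles cover a toxic pair."""
    out = []
    for user, roles in sorted(user_roles.items()):
        perms = effective_permissions(roles, role_permissions)
        for pair, label in rules:
            if pair <= perms:
                out.append((user, label))
    return out


def is_safe_assignment(user, new_role, user_roles=USER_ROLES, rules=SOD_RULES,
                       role_permissions=ROLE_PERMISSIONS):
    """Preventive check at provisioning time: would adding new_role create a conflict?"""
    proposed = set(user_roles.get(user, set())) | {new_role}
    perms = effective_permissions(proposed, role_permissions)
    return not any(pair <= perms for pair, _ in rules)


if __name__ == "__main__":
    for user, label in sod_violations():
        print(f"{user}: {label}")
    print("alice + ap_clerk safe?", is_safe_assignment("alice", "ap_clerk"))
```

Conflicts usually enter through role accumulation (a transfer keeps the old role), which is why the detective sweep is needed even when the preventive check is in place.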


8.3 FRAUD -- INVESTIGATION

Forensic auditing uses accounting and auditing knowledge and skills in matters having civil or
criminal legal implications. Engagements involving fraud, litigation support, and expert witness
testimony are examples. Forensic auditing procedures include interviewing, investigating, and
testing.

Fraud Investigation
A fraud investigation should discover the full nature and extent of the fraud. An investigation gathers
sufficient information to determine

1. Whether fraud has occurred,


2. The loss exposures,
3. Who was involved, and
4. How fraud occurred.

Internal auditors, lawyers, and other specialists usually conduct fraud investigations.

The investigation and resolution activities must comply with local law, and the auditors should work
effectively with legal counsel and become familiar with relevant laws.

Management implements controls over the investigation. They include (1) developing policies
and procedures, (2) preserving evidence, (3) responding to the results, (4) reporting, and
(5) communications.

● These matters may be documented in a fraud policy that the internal auditors may assist in
evaluating.

● Policies and procedures address


■ The rights of individuals;
■ The qualifications of investigators;
■ The relevant laws; and
■ The disciplining of employees, suppliers, or customers, including legal measures.

● The authority and responsibilities of those involved in the investigation, especially the
investigator and legal counsel, should be clear.

● Internal communications about an ongoing investigation should be minimized.

● A policy should specify the investigator’s responsibility for determining whether a fraud has
been committed. Either the investigator or management decides whether fraud has occurred,
and management decides whether to notify outside authorities.


The responsibility of the internal audit activity for investigations should be defined in its charter
and in fraud policies and procedures.

● For example, internal auditing may


■ Be primarily responsible,
■ Act as a resource, or
■ Avoid involvement because it is responsible for assessing investigations or lacks
resources.

● Any role is acceptable if its effect on independence is recognized and managed appropriately.

● Internal auditors typically not only assess investigations but also advise management about
the process, including control improvements.

● To be proficient, fraud investigation teams must obtain sufficient knowledge of


■ Fraud schemes,
■ Investigation methods, and
■ The applicable law.

● The internal audit activity may use in-house staff, outsourcing, or both.

An investigation plan is developed for each investigation.

● The lead investigator determines the knowledge, skills, and other competencies needed.

● The process includes obtaining assurance that no potential conflict of interest exists with
those investigated or any employees of the organization.

● Planning should consider the following:


■ Gathering evidence using surveillance, interviews, or written statements
■ Documenting and preserving evidence, the legal rules of evidence, and the business
uses of the evidence
■ Determining the extent of the fraud
■ Determining the methods used to perpetrate the fraud
■ Evaluating the cause of the fraud
■ Identifying the perpetrators


● All evidence obtained should be recorded chronologically in a log or inventory. Examples of
evidence include the following:
■ Letters, memos, and correspondence (in hard copy or electronic form)
■ Financial records
■ IT or systems access records
■ Phone records
■ Customer or vendor information (e.g., contracts, invoices, and payment information)
■ Public records (e.g., property records or business registrations filed with government
agencies)
■ News articles
■ Websites (e.g., social networking sites)

● The investigation should be coordinated with management, legal counsel, and other
specialists.

● Investigators need to be prudent, consistent, and knowledgeable of the rights of persons
within the scope of the investigation and the reputation of the organization itself.

● The level and extent of complicity in the fraud throughout the organization needs to be
assessed. This assessment can be critical to avoid
■ Destroying or tainting crucial evidence and
■ Obtaining misleading information from persons who may be involved.

● The investigation needs to secure evidence collected and follow chain-of-custody procedures.
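The chronological evidence log and the chain-of-custody procedure above can be implemented so that the log itself proves it has not been edited: each entry carries a SHA-256 of the evidence item and of the previous entry, and every custody transfer is a new entry. The following is an added example, not from the study unit; the item, people, timestamps, and the vendor-master export are constructed, and a real investigation would also keep the log on write-once storage controlled by someone outside the team.

```python
import hashlib
import json

GENESIS = "0" * 64


class EvidenceLog:
    """Chronological, hash-chained evidence log with custody tracking."""

    def __init__(self):
        self.entries = []

    def _append(self, record):
        # Each entry commits to the previous one, so later edits break the chain.
        record = dict(record, prev_hash=self.entries[-1]["entry_hash"] if self.entries else GENESIS)
        payload = json.dumps(record, sort_keys=True).encode()
        record["entry_hash"] = hashlib.sha256(payload).hexdigest()
        self.entries.append(record)
        return record["entry_hash"]

    def collect(self, item_id, description, content, collector, when):
        """Log acquisition of an item; content is the bytes of the file or export."""
        return self._append({"event": "collected", "item": item_id, "description": description,
                             "sha256": hashlib.sha256(content).hexdigest(),
                             "custodian": collector, "time": when})

    def transfer(self, item_id, from_person, to_person, when):
        """Log a hand-off; only the current holder can transfer the item."""
        if self.current_custodian(item_id) != from_person:
            raise ValueError(f"{from_person} does not hold {item_id}")
        return self._append({"event": "transfer", "item": item_id, "from": from_person,
                             "to": to_person, "time": when})

    def current_custodian(self, item_id):
        holder = None
        for e in self.entries:
            if e["item"] != item_id:
                continue
            holder = e["custodian"] if e["event"] == "collected" else e["to"]
        return holder

    def verify_chain(self):
        """Recompute every hash; any edited, removed, or reordered entry breaks the chain."""
        prev = GENESIS
        for e in self.entries:
            if e["prev_hash"] != prev:
                return False
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest() != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True

    def verify_item(self, item_id, content):
        """Does the evidence held today still match what was collected?"""
        for e in self.entries:
            if e["event"] == "collected" and e["item"] == item_id:
                return hashlib.sha256(content).hexdigest() == e["sha256"]
        return False


if __name__ == "__main__":
    log = EvidenceLog()
    export = b"vendor_id,name\nV-100,Acme Supply\n"  # constructed evidence content
    log.collect("E1", "vendor master export", export, "auditor A", "2024-03-01T09:00:00Z")
    log.transfer("E1", "auditor A", "legal counsel", "2024-03-02T10:15:00Z")
    print(log.current_custodian("E1"), log.verify_chain(), log.verify_item("E1", export))
```

Timestamps are passed in rather than read from the clock so that the log records the time the investigator attests to, and so the chain can be re-verified offline by anyone holding a copy.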


Interrogation of Employees
A fraud-related interrogation differs significantly from a normal interview.

● The purpose of a typical interview is to gather facts.


■ In an interrogation, the internal auditor has already gathered pertinent facts and is
seeking confirmation.

● At no time should the internal auditor accuse the employee of committing a crime.
■ If the accusation is unprovable, the organization could have legal liability.

● The accused generally is interrogated after most relevant evidence has been obtained.
■ The objective often is to use the evidence to obtain a confession.

● All information received during the interview must be correctly documented.


■ All evidence should be subject to effective chain-of-custody procedures.

● Two persons should conduct the interview, one of whom takes notes and may serve as a
witness.

The internal auditor should guide the conversation from the general to the specific.

● Open questions generally are used early in the interrogation, and closed questions are used
later as the auditor comes closer to obtaining a confession.
■ Open questions are of the type, “Describe your role in the vendor approval process.”
■ Closed questions are of the type, “Do you personally verify the existence of every
vendor who seeks approval?”

● Normal interviewing methods regarding nonthreatening tone and close observation of body
language apply.

The employee should not be allowed to return to his or her normal work area upon completion of
the interrogation.

● Because the employee is now alert to the fraud investigation, (s)he might be tempted to
destroy valuable evidence.


Fraud Reporting
The chief audit executive is responsible for fraud reporting. It consists of the various oral or written,
interim or final communications to management or the board regarding the status and results of
fraud investigations.

● A formal communication may be issued at the conclusion of the investigation that includes
■ Time frames,
■ Observations,
■ Conclusions,
■ Resolution, and
■ Corrective action to improve controls.

● It may need to be written to protect the identities of some of the people involved.

● The needs of the board and management, legal requirements, and policies and procedures
should be considered.

A draft of the proposed final communication should be submitted to legal counsel for review. To be
covered by the attorney-client privilege, the report must be addressed to counsel.

Any incident of significant fraud, or incident that leads the internal auditors to question the level of
trust placed in one or more individuals, must be timely reported to senior management and the
board.

If previously issued financial statements for 1 or more years may have been adversely affected,
senior management and the board also should be informed.

Resolution of Fraud Incidents
Resolution consists of determining actions to be taken after the investigation is complete.

● Management and the board are responsible for resolving fraud incidents.


Resolution may include the following:

● Providing closure to persons who were found innocent or reported a problem

● Disciplining an employee

● Requesting voluntary financial restitution

● Terminating contracts with suppliers

● Reporting the incident to law enforcement or regulatory bodies, encouraging them to
prosecute, and cooperating with them

● Filing a civil suit to recover the amount taken

● Filing an insurance claim

● Complaining to the perpetrator’s professional association

● Recommending control improvements

Communication of Fraud Incidents
Management or the board determines whether to inform parties outside the organization after
consultation with such individuals as legal counsel, human resources personnel, and the CAE.

● The organization may need to notify government agencies of certain types of fraudulent acts.
It also may need to notify its insurers, bankers, and external auditors of instances of fraud.

Internal communications are a strategic tool used by management to reinforce its position relating to
integrity and to show why internal controls are important.

Opinion on Fraud-Related Controls
The internal auditor may be asked by management or the board to express an opinion on internal
controls related to fraud. The following provide relevant guidance:

● Standards and Implementation Guides applying to communication of results (Performance
Standard 2400, etc.)

● Practice Guide, Formulating and Expressing Internal Audit Opinions

An opinion on fraud-related controls is acceptable, but it is inappropriate for an internal auditor to
express an opinion on the culpability of a fraud suspect.
