Assessing the Risk of Fraud In a Financial Statement Audit
TRANSCRIPT
© Surgent • www.surgentcpe.com
Today’s presenter
Marci Thomas, MHA, CPA, CGMA
Marci Thomas, MHA, CPA, CGMA, licensed as a CPA in Georgia and North Carolina, is an author and nationally recognized speaker on various accounting and auditing topics to companies, nonprofits, CPA firms, and state societies of CPAs around the country. A frequent speaker at local, regional, and national conferences, she also writes and teaches courses in governance, financial management, grants accounting, strategy, and various operational topics. Marci is a clinical assistant professor in the School of Public Health at the University of North Carolina at Chapel Hill. She works with numerous accounting firms, performing quality control and efficiency reviews and with boards on strategic planning, internal control, and governance issues. Marci serves on the Not-for-profit Committee for the North Carolina Association of CPAs.
Marci has written and co-written several books, including Essentials of Physician Practice Management, published by Jossey Bass in 2004. Her book Best of Boards: Sound Governance and Leadership for Nonprofit Organizations was published by the AICPA and Wiley Publishing in 2018 and is on its second printing. Her book on health care financial management was published by Wiley Publishing in 2014, with a new edition expected in 2020.
Marci received her Bachelor of Business Administration with a concentration in accounting from Georgia State University and her Master of Health Administration from the University of North Carolina at Chapel Hill.
Course overview
• Chapter 1 – Fraud Landscape in the United States
• Chapter 2 – Characteristics of Fraudsters, Victim Organizations, and Common Fraud Schemes
• Chapter 3 – AU-C 240, Fraud Risk Assessment Procedures Including Data Analytics
• Chapter 4 – Communications About Fraud
• Chapter 5 – Internal Controls to Prevent and Detect Fraud
• Chapter 6 – Consideration of Fraud in a Single Audit
• Chapter 7 – Cyber Fraud
Course objectives
1. Understand the breadth and extent of fraud in the United States
2. Understand where and how fraud is likely to occur to better plan inquiries with management and others and identify the risk of fraud
3. Identify risk assessment procedures including data analytics that can be used as fraud risk assessment procedures
4. Be able to implement the risk assessment procedures and document the risk of fraud in a financial statement audit
A quick word on policy vs. politics
• Many times when discussing accounting, tax and financial policy issues, it can be difficult to divorce the politics from the policy
• Today, when discussing the various issues we will encounter over the next several hours, let’s agree to keep our own view of politics out of the application of the policy and focus on doing the very best we can for all our clients
• This goes for religious/faith views as well
Fraud Landscape in the United States
Chapter 1
Learning objectives
• Upon reviewing this chapter, the reader will be able to:
– Understand the breadth and extent of fraud in the U.S.; and
– Identify recent changes in professional literature as it relates to fraud
Fraud in recent times
• In the early 2000s, fraud took center stage
• Sarbanes-Oxley Act
– Responsibilities of public company boards of directors
– Adds criminal penalties for misconduct, including retaliation against whistleblowers
– Required the SEC to create regulations on how public companies should comply
• For nonpublic entities, the ASB revised its standard on fraud in the form of SAS 99
• Since that time the ASB has amended the standard with SASs 134, 135, and 136
Fraud in recent times
• Occupational fraud and abuse
• Joseph T. Wells and the ACFE
• Report to the Nations every 2 years
• Cybercrime - significant issue due to the extent of occurrences and magnitude of losses
• Assessing the risk of fraud is a core business issue
• Growing use of technology and increase in e-commerce
• Economic, regulatory, and reputational risk
Fraud in recent times
• The PWC Global Economic Crime and Fraud Survey reports that the rate of fraud increased from 36% in 2016 to 49% in 2018
• North America’s rate during the same period increased from 47% to 54%
• Statistics are probably understated since fraud may not be identified
• Imperfect data
• Loss could be as much as 5% of revenue
• Asset misappropriation, consumer fraud, and cybercrime are the most frequent types of fraud
Fraud in recent times
• Companies are spending more to combat fraud and will continue to increase that spending
• Technology controls and expanded whistleblower programs
• Less than half the entities performed a fraud risk assessment
• Over the past 2 years:
– 54% performed a general risk assessment;
– 46% performed a cyber-attack vulnerability assessment; and
– 33% performed an anti-bribery and corruption assessment
• Other assessments were related to money laundering, anti-trust, and export controls
• Studies performed as part of an audit plan or as part of an Enterprise Risk Management strategy
Addressing the risk of fraud
• Audit literature evolves
• Revised Independent Auditor’s Report (SAS 134)
Auditor’s Responsibilities for the Audit of the Financial Statements
Our objectives are to obtain reasonable assurance about whether the financial statements as a whole are free from material misstatement, whether due to fraud or error, and to issue an auditor's report that includes our opinion. Reasonable assurance is a high level of assurance but is not absolute assurance and therefore is not a guarantee that an audit conducted in accordance with GAAS will always detect a material misstatement when it exists. The risk of not detecting a material misstatement resulting from fraud is higher than for one resulting from error, as fraud may involve collusion, forgery, intentional omissions, misrepresentations, or the override of internal control. Misstatements are considered material if, individually or in the aggregate, they could reasonably be expected to influence the economic decisions of users made on the basis of these financial statements.
Addressing the risk of fraud
Auditor’s Responsibilities for the Audit of the Financial Statements (cont.)
In performing an audit in accordance with GAAS, we:
• Exercise professional judgment and maintain professional skepticism throughout the audit.
• Identify and assess the risks of material misstatement of the financial statements, whether due to fraud or error, and design and perform audit procedures responsive to those risks. Such procedures include examining, on a test basis, evidence regarding the amounts and disclosures in the financial statements.
• Obtain an understanding of internal control relevant to the audit in order to design audit procedures that are appropriate in the circumstances, but not for the purpose of expressing an opinion on the effectiveness of Barnes & Riley's internal control. Accordingly, no such opinion is expressed.
• Evaluate the appropriateness of accounting policies used and the reasonableness of significant accounting estimates made by management, as well as evaluate the overall presentation of the financial statements.
• Conclude whether, in our judgment, there are conditions or events, considered in the aggregate, that raise substantial doubt about Barnes & Riley's ability to continue as a going concern for a reasonable period of time.
Addressing the risk of fraud
Auditor’s Responsibilities for the Audit of the Financial Statements (cont.)
We are required to communicate with those charged with governance regarding, among other matters, the planned scope and timing of the audit, significant audit findings, and certain internal control–related matters that we identified during the audit.
Addressing the risk of fraud
• AU-C 200 discusses overall objectives of the audit
• Identifying and assessing risk that there could be a material misstatement of the financial statements due to fraud or error
• Inherent limitations are higher in the case of misstatements resulting from fraud because of sophisticated schemes designed to conceal it
Addressing the risk of fraud
• Recent changes to professional literature from SAS 135
• Includes additional guidance when dealing with significant unusual transactions and related parties
• Additional procedures required when there are unusual transactions outside the normal course of business:
– Evaluate the rationale and business purpose
– Read the supporting documentation and evaluate whether the terms and other information about the transaction are consistent with explanations from inquiries and other audit evidence
– Determine whether the transaction has been authorized and approved
– Evaluate whether significant unusual transactions identified have been properly accounted for and disclosed
Addressing the risk of fraud
• Additional indicators added related to unusual transactions:
– Transactions that involve previously unidentified related parties or relationships, or transactions previously undisclosed
– Transactions involving other parties that do not have the substance or the financial strength to support the transaction without assistance from the entity under audit or any related party of the entity
– Transactions that lack commercial or economic substance, individually or in the aggregate (for example, a transaction is entered into shortly prior to period end and is unwound shortly after period end)
– Transactions that occur with a party that falls outside the definition of a related party, with either party able to negotiate terms that may not be available to other, more clearly independent parties on an arm's-length basis
– Transactions that exist to enable the entity to achieve certain financial targets
Addressing the risk of fraud
• Auditor should evaluate the financial capability of the other parties related to loan commitments, uncollected balances, etc.
Addressing the risk of fraud – defining fraud
• Broad legal concept
• Distinction between fraud and error is intent
• Intent is sometimes hard to determine
• From a legal point of view, there are two types of fraud:
– Fraud committed for personal gain; and
– Fraud committed for corporate motives
• May not involve malicious acts
• Board and management are responsible
Addressing the risk of fraud
• AU-C 240 categorizes fraud into two types:
– Fraudulent financial reporting; and
– Misappropriation of assets
• ACFE adds corruption
– Fraud committed for personal gain
– Fraud committed for corporate motives
– May not involve malicious acts
• Fraudulent financial reporting – median loss $800,000
• Asset misappropriation – median loss $114,000
• Corruption – median loss $250,000
Addressing the risk of fraud
PWC Study shows significance of the various forms of fraud by industry
Consumer Products
Type of Fraud Percentage
Asset Misappropriation 48%
Business misconduct 31%
Cyber Crime 30%
Bribery and Corruption 28%
Consumer Fraud 26%
Financial Services
Type of Fraud Percentage
Consumer Fraud 56%
Asset Misappropriation 41%
Cyber Crime 41%
Business misconduct 31%
Money Laundering 20%
Business Misconduct is referred to as incentive abuse in the PWC study
Addressing the risk of fraud
PWC Study shows significance of the various forms of fraud by industry
Professional Services
Type of Fraud Percentage
Asset Misappropriation 40%
Accounting Fraud 32%
Business misconduct 30%
Procurement Fraud 28%
Bribery and Corruption 26%
Industrial Products
Type of Fraud Percentage
Asset Misappropriation 48%
Bribery and Corruption 29%
Procurement Fraud 29%
Business misconduct 26%
Cyber Crime 26%
Business Misconduct is referred to as incentive abuse in the PWC study
Addressing the risk of fraud
PWC Study shows significance of the various forms of fraud by industry
Technology
Type of Fraud Percentage
Asset Misappropriation 43%
Cyber Crime 39%
Business misconduct 31%
Consumer Fraud 26%
Procurement Fraud 23%
Business Misconduct is referred to as incentive abuse in the PWC study
Cybercrime
• Growing issue for companies, with a high dollar price tag
• Cybercrime is generally divided into two categories:
– Crimes that target computers directly (viruses, malware, etc.)
– Online crime that uses networks to perform fraud and identity theft through social engineering and other mechanisms
– Companies experience losses of more than $525 million each year
– Mostly malicious code and denial-of-service attacks
• Data breaches can cause significant financial and reputational damage
– Theft of personally identifiable information from employee records and billing information
– Stolen data is used by hackers, or taken simply to prove it can be done, e.g., ransomware
Cybercrime
• Many breaches could be prevented by better internal controls
• Even good internal controls do not provide absolute insurance
• Smaller entities (63%) have implemented new technologies without having appropriate data security in place
• Risk assessment
• Insurance
• Evaluate firewalls and spam filtering systems
• Perform operating system updates
Cybercrime
• Consider intrusion prevention and detection software
• Manual controls such as changing passwords, training employees and verifying instructions related to cash payments are important
• Today’s precautions may not be enough to prevent tomorrow’s cyber schemes
• Management and those charged with governance are ultimately responsible
Question for discussion
In your client base, or at your entity if you work in an entity, what type of fraud concerns you?
Characteristics of Fraudsters, Victim Organizations, and Common Fraud Schemes
Chapter 2
Learning objectives
• Upon reviewing this chapter, the reader will be able to:
– Identify the characteristics that are typical of fraudsters;
– Identify common fraud schemes; and
– Use the knowledge from this material to assess the risk of fraud in a financial statement audit
Fraud triangle
• The three elements of the Fraud Triangle: incentive or pressure, opportunity, and rationalization
Case study
Harriett was altruistic and loved childhood education. She was especially concerned about the quality of education in the city’s economically disadvantaged neighborhoods. She applied and was approved to start a charter school. Since the school was a startup, there were very few employees. The bookkeeper was a friend of Harriett’s and had recently gone to training to learn QuickBooks. The Board members were attorneys and educators.
The school depended on federal and state funding, and although Harriett thought she would be awarded grants and that donors would make substantial contributions, she was mistaken. Because she was dedicated to the students and wanted them to have the best school experience possible, she hired a bus company to transport them from their homes, and the school paid for lunches for those who did not qualify for the free and reduced-price lunch program. Neither of these activities was reimbursable by the government funders. When money became tight and she could not meet payroll, she used payroll withholdings to pay salaries. She also claimed to have spent grant money on equipment but used it for payroll instead. She justified her actions to herself as “for the good of the children and the school.” As Head of School, no one questioned her instructions.
Case study
• Case Study Questions
1. When the auditor considers the risk of fraud in this audit what are the risk factors that should have been identified?
2. Is it possible to tell whether Harriett’s activities are due to fraud or ignorance of legal requirements?
3. Where was there incentive or pressure and opportunity?
4. How might Harriett have rationalized her behavior?
Victims of fraud
• ACFE Report to the Nations 2018
Number of Employees Frequency Median Loss
< 100 28% $200,000
100–999 22% $100,000
1,000–9,999 26% $100,000
10,000+ 24% $132,000
Victims of fraud
• Privately held companies are more likely to be victimized (42%)
Type of Entity Median Fraud Loss
Private Company $164,000
Public Company $117,000
Government $118,000
Not-for-Profit $75,000
Other $120,000
Engagement question 1
• What do you believe is the reason why private companies experience more fraud and larger losses than the other entity types?
Who is most likely to commit fraud?
• Employees are most likely to commit fraud, but the loss is less
• Correlation between position and the loss to an entity is probably due to a combination of factors
– Owners and executives have the most incentive to commit fraudulent financial reporting
– Managers have more access to assets than employees
– Fraud occurs more often in entities with fewer than 100 employees so the occurrence of fraud by employees is more statistically likely
Fraud committed by position
Fraud Committed by Position
Percentage of Cases
Employees 44%
Managers 34%
Owner/Executive 19%
Other 3%
Tenure and loss by level of authority
Fraud Committed by Position Median Loss
Employees $50,000
Managers $150,000
Owner/Executive $850,000
Other $189,000
Gender of Perpetrator Percentage of Cases Median Loss
Men 69% $156,000
Women 31% $89,000
Education level
• Most perpetrators have a university degree (47%); median loss $160,000
• Post-graduate degree – highest median loss ($230,000)
Age of perpetrator
Age Median Loss Percentage
Less than 26 $23,000 5%
26-30 $40,000 10%
31-35 $100,000 15%
36-40 $100,000 19%
41-45 $200,000 19%
46-50 $250,000 14%
51-55 $237,000 9%
56-60 $480,000 6%
Greater than 60 $355,000 3%
Engagement question 2
• Why do you believe that the longer the tenure of an employee, the larger the potential for fraud loss?
Where perpetrators work
Department Median Loss
Accounting $212,000
Operations $88,000
Sales $90,000
Executive $729,000
Customer service $26,000
Administrative support $91,000
Finance $156,000
Purchasing $163,000
Facilities and Maintenance $175,000
Warehousing/inventory $200,000
Information technology $225,000
Marketing/public relations $80,000
Manufacturing and production $200,000
Human resources $76,000
Common fraud schemes
• Fraudulent financial reporting – an intentional scheme in which an employee (or management) causes a material misstatement or omission of material information to deceive users of the financial statements in order to:
– Meet expectations of shareholders, stakeholders, or financial institutions;
– Affect compensation-related awards such as raises or bonuses based on performance; or
– Reduce earnings to minimize tax liabilities (a motivation for owners/management)
Common fraud schemes
• Fraudulent financial reporting includes:
– Recording fictitious revenues;
– Inflating assets;
– Failing to record liabilities; or
– Falsifying estimates
• More likely to be perpetrated by executive or upper level management
Common fraud schemes
• Corruption – an employee (or management) misuses his or her power or influence in a business transaction and violates the employer’s trust in order to gain a direct or indirect benefit for themselves or someone they know
– Bribery
– Conflicts of interest with outside parties
• Most likely to arise in the purchasing department or be perpetrated by executive management
Common fraud schemes
• Misappropriation of assets – theft of an entity’s assets
– Often perpetrated by employees, sometimes in relatively small amounts
– Can also involve management; management personnel are often better at concealing it
– Often involves falsifying records to conceal the perpetrator’s actions
Common fraud schemes
Scheme: Check and payment tampering
Description: Stealing by forging a check, altering a check, or stealing a check issued to another payee. An employee might also reroute an electronic payment to a vendor to his/her own bank account.
Median loss: $150,000; Percentage: 12%; Department most likely to occur: Accounting
Scheme: Billing
Description: Submission of fraudulent invoices for payment where no goods or services were really provided. Invoices could also be inflated, or submitted to look like company expenses although they are really personal expenses.
Median loss: $100,000; Percentage: 20%; Department most likely to occur: Executives/upper management
Scheme: Noncash misappropriation
Description: Employee steals noncash assets.
Median loss: $98,000; Percentage: 21%; Department most likely to occur: Sales
Common fraud schemes
Scheme: Cash larceny
Description: Cash receipts are stolen after they have been recorded in the books and records (cash is recorded but the checks are stolen before they go to the bank).
Median loss: $75,000; Percentage: 11%; Department most likely to occur: Customer service
Scheme: Payroll
Description: Employee causes payment to be issued for an improper amount or to a fictitious employee.
Median loss: $63,000; Percentage: 7%; Department most likely to occur: Accounting
Scheme: Skimming
Description: Cash is stolen before it is recorded in the books and records.
Median loss: $50,000; Percentage: 11%; Department most likely to occur: Accounting
Scheme: Expense reimbursement
Description: Employee makes a claim for reimbursement of fictitious or inflated expenses.
Median loss: $31,000; Percentage: 14%; Department most likely to occur: Executives/upper management
Common fraud schemes
Scheme: Register disbursements
Description: Employee makes false entries on a cash register to conceal the removal of cash (e.g., voiding a sale).
Median loss: $29,000; Percentage: 3%; Department most likely to occur: Sales and customer service
Scheme: Cash on hand
Description: Perpetrator misappropriates cash kept on hand (e.g., petty cash or cash in a vault).
Median loss: $20,000; Percentage: 15%; Department most likely to occur: Customer service
Collusion
• Collusion
– Median loss with one perpetrator – $74,000
– Median loss with two perpetrators – $150,000
– Median loss with three or more – $339,000
Fraud scheme duration
Scheme Duration of Scheme before Identification
Payroll 30 months
Check tampering 24 months
Financial statement fraud 24 months
Expense reimbursement 24 months
Billing 24 months
Skimming 18 months
Cash larceny 24 months
Corruption 22 months
Noncash 18 months
Scheme by industry type
• 32% of frauds involved more than one type of fraud scheme
• Most prevalent combination is asset misappropriation and corruption
Percentage of cases reported, by scheme and industry
Scheme Education Religious, Charitable, Social Services Health Care
Billing 23% 40% 26%
Skimming 14% 17% 12%
Cash on hand 19% 22% 13%
Cash larceny 19% 9% 7%
Check tampering 6% 19% 13%
Noncash misappropriations 19% 19% 19%
Expense reimbursement 18% 29% 16%
Payroll 6% 22% 17%
Corruption 38% 34% 36%
Financial statement fraud 6% 10% 11%
Concealment
• Only 5.5% of perpetrators did not bother to try to conceal their activities
Method Percentage Concealed in This Manner
Created fraudulent documents 55%
Altered physical documents 48%
Altered transactions in the accounting system 34%
Created fraudulent transactions in the accounting system 42%
Altered electronic documents or files 31%
Destroyed physical documents 30%
Created fraudulent electronic documents or files 29%
Created fraudulent journal entries 27%
Identifying fraud risks
• COSO 17 principles
• Principle 8 deals with assessing the risk of fraud
• Main consideration is incentives or pressures faced by management and employees
Identifying fraud risks
• Incentives or pressures that could lead to fraudulent financial reporting related to the entity and industry:
– High degree of competition or market saturation and declining margins
– High vulnerability to rapid changes, such as changes in technology, product obsolescence, or interest rates
– Significant declines in customer demand and increasing business failures in either the industry or overall economy
– Operating losses that cause concern relative to the prospect of bankruptcy, foreclosure, or hostile takeover
– Recurring negative cash flows from operations or an inability to generate cash flows from operations while reporting earnings and earnings growth
– Rapid growth or unusual profitability especially compared to that of other companies in the same industry
– New accounting, statutory, or regulatory requirements
Identifying fraud risks
• Incentives/pressures that could lead to fraudulent financial reporting related to expectations of third parties:
– Expectations of investment analysts, institutional investors, significant creditors, or other external parties
– Need to obtain additional debt or equity financing to stay competitive
– Marginal ability to repay debt or meet debt covenant requirements
– Concern over reporting poor financial results or significant pending transactions, such as business combinations or contract awards
– Pressure to meet the expectations of legislative or oversight bodies
– Personal financial situation of management or members of governance is threatened (e.g., financial interests in the entity, bonuses, stock options, etc., personal guarantees of debts of the entity, sales or profitability incentive goals)
Identifying fraud risks
• Incentives/pressures related to misappropriation of assets:
• Management or employees with access to cash or other assets susceptible to theft may have personal financial obligations
• Relationships between the entity and employees with access to cash or other assets susceptible to theft
– Known or anticipated future employee layoffs
– Recent or anticipated changes to employee compensation or benefit plans
– Promotions, compensation, or other rewards inconsistent with expectations
– Concerns over the company being acquired with adverse consequences to the employee
Red flags
Red Flag Percentage
Living beyond means 41%
Financial difficulties 29%
Unusually close association with a vendor/customer 20%
No behavioral red flags 15%
Control issues, unwillingness to share duties 15%
Divorce/family problems 14%
Wheeler-dealer attitude 13%
Irritability, suspiciousness, or defensiveness 12%
Addiction problems 10%
Complaints about inadequate pay 9%
Excessive pressure from within the entity 7%
Social isolation 7%
Past legal problems 6%
Refusal to take vacations 6%
Past employment-related problems 6%
Engagement question 3
• How easy or difficult is it for an auditor to spot behavioral red flags?
• How would the auditor be able to identify them?
AU-C 240, Fraud Risk Assessment Procedures Including Data Analytics
Chapter 3
Learning objectives
• Upon reviewing this chapter, the reader will be able to:
– Identify the procedures required by AU-C 240 to assess the risk of fraud;
– Implement the risk assessment procedures required by AU-C 240;
– Identify the risk of material misstatement due to fraud;
– Select procedures in response to assessed risks; and
– Properly document the assessment and planned responses to the risk of fraud
Assessing the risk of fraud
• Auditor is required to perform procedures to assess the risk of material misstatement due to fraud or error
• AU-C 315 cross references to AU-C 240
• Auditor objectives:
– Identify and assess the risks of material misstatement of the financial statements due to fraud;
– Obtain sufficient appropriate audit evidence regarding the assessed risks of material misstatement due to fraud, through designing and implementing appropriate responses; and
– Respond appropriately to fraud or suspected fraud identified during the audit
Assessing the risk of fraud
• Specifically, AU-C 240 requires the auditor to:
– Make inquiries of management and others about their views on fraud, the risks of fraud and how they are addressed
– Consider any unusual relationships identified during planning such as through preliminary analytical review. The auditor should perform preliminary analytical procedures on revenue where there could be a specific risk of fraud
– Consider other information gathered during the process of the new client acceptance or continuance procedures
• Information obtained is synthesized in an audit team discussion
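The preliminary analytical review of revenue called for above, worked as an added illustration (this is not course material from Surgent and not a published audit tool): it compares each month's revenue and gross margin with the prior year, flags variances above a planning threshold, and tests for a period-end spike in revenue, the kind of unusual relationship an auditor would carry into the team discussion and management inquiries. The monthly figures, the 15% revenue-variance threshold, the 2-point margin threshold and the z-score cutoff are all hypothetical values constructed for the example.

```python
"""Preliminary analytical procedures on revenue (added illustration, not audit software).

Assumptions (all constructed for this example): monthly revenue and cost of sales
in thousands of dollars for a prior year and a current year, and planning
thresholds chosen by the engagement team.
"""
from statistics import mean, pstdev
from typing import Dict, List, Tuple

MONTHS = ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
          "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"]

# Constructed (hypothetical) figures, $ thousands. Prior year: steady growth, 40% margin.
PRIOR_REVENUE = [400, 410, 420, 430, 440, 450, 460, 470, 480, 490, 500, 510]
PRIOR_COGS = [240, 246, 252, 258, 264, 270, 276, 282, 288, 294, 300, 306]
# Current year: about 5% growth through November, then December revenue jumps
# with almost no matching cost of sales, the kind of relationship worth inquiry.
CURRENT_REVENUE = [420, 430, 440, 450, 465, 470, 480, 495, 505, 515, 525, 900]
CURRENT_COGS = [252, 258, 264, 270, 279, 282, 288, 297, 303, 309, 315, 330]


def gross_margin(revenue: List[float], cogs: List[float]) -> List[float]:
    """Gross margin ratio per month: (revenue - cost of sales) / revenue."""
    return [(r - c) / r for r, c in zip(revenue, cogs)]


def compare_to_prior(current: List[float], prior: List[float],
                     metric: str, threshold: float) -> List[Dict]:
    """Flag months where the relative change vs. the prior year exceeds the threshold."""
    flags = []
    for month, cur, pri in zip(MONTHS, current, prior):
        change = (cur - pri) / pri
        if abs(change) > threshold:
            flags.append({"month": month, "metric": metric, "current": cur,
                          "prior": pri, "change": round(change, 3)})
    return flags


def margin_shift(current_margin: List[float], prior_margin: List[float],
                 points: float) -> List[str]:
    """Months where gross margin moved by more than `points` (absolute) vs. prior year.
    Revenue growing without matching cost of sales is a classic fictitious-revenue indicator."""
    return [m for m, cur, pri in zip(MONTHS, current_margin, prior_margin)
            if abs(cur - pri) > points]


def period_end_spike(revenue: List[float], z_cutoff: float = 2.0) -> Tuple[bool, float]:
    """Compare the final month with the distribution of the first eleven months.
    Returns (flagged, z_score); a large positive z suggests cutoff or fictitious-revenue risk."""
    body, last = revenue[:-1], revenue[-1]
    mu, sigma = mean(body), pstdev(body)
    if sigma == 0:  # flat history: any deviation at all is unusual
        return last != mu, (float("inf") if last != mu else 0.0)
    z = (last - mu) / sigma
    return z > z_cutoff, round(z, 2)


def run_preliminary_analytics(revenue_threshold: float = 0.15,
                              margin_points: float = 0.02) -> Dict:
    """Assemble the findings an auditor would carry into the team discussion and inquiries."""
    cur_margin = gross_margin(CURRENT_REVENUE, CURRENT_COGS)
    pri_margin = gross_margin(PRIOR_REVENUE, PRIOR_COGS)
    spike, z = period_end_spike(CURRENT_REVENUE)
    return {
        "revenue_variances": compare_to_prior(CURRENT_REVENUE, PRIOR_REVENUE,
                                              "revenue", revenue_threshold),
        "margin_shifts": margin_shift(cur_margin, pri_margin, margin_points),
        "period_end_spike": spike,
        "period_end_z": z,
    }


if __name__ == "__main__":
    for key, value in run_preliminary_analytics().items():
        print(f"{key}: {value}")
```

On the constructed data only December is flagged, by all three tests at once: revenue up roughly 76% on the prior December, gross margin 23 points above the prior year, and a period-end value many standard deviations above the first eleven months. Flags from procedures like these are not findings; they set the agenda for the inquiries of management and others that follow.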
Inquiries of management and others
• AU-C 240 states that inquiries are more effective when conducted in person
• Often firms will use electronic means, including questionnaires
• Professional skepticism should be applied when discussing the likelihood of fraud with management
• Management is in the best position to perpetrate fraud
• When questionnaires are used, impressions that could have been gained from face-to-face discussions are lost
• Use open-ended questions
• Occupational fraud is detected most often by a tip from an employee (40%)
Inquiries of management and others
• Make inquiries of others in the entity such as:
– Operating personnel not directly involved in the financial reporting process;
– Employees with different levels of authority;
– Employees involved in initiating, processing, or recording complex or unusual transactions and those who supervise or monitor those employees;
– In-house legal counsel;
– Internal auditors;
– Chief ethics officer, compliance officer or equivalent person, where that role exists in an entity; and
– The person or persons charged with dealing with allegations of fraud
Inquiries of management and others
Topic Area (Management): The extent of management’s understanding about the risks of fraud in the entity, including any specific fraud risks the entity has identified or account balances or classes of transactions for which a risk of fraud may be likely to exist.
Example Open-Ended Questions:
• Can you tell me about where you see the risk of fraud in this company? Let’s start with fraudulent financial reporting. Please tell me about metrics or other expectations of stakeholders that would cause adverse effects on the company or individuals if violated (debt covenants, bonus structure based on sales, etc.)
• Which account balances and classes of transactions do you see as particularly vulnerable to the risk of fraud? For example, (auditor would provide an example relevant to the client).
• Please describe how management and those charged with governance assess where the risk of fraud could be.
Inquiries of management and others
Topic area (management): The existence of programs and controls the entity has established to mitigate specific fraud risks the entity has identified or that otherwise help to prevent, deter, and detect fraud, and how management monitors those programs and controls.
Example open-ended questions:
• Please describe the activities that management, internal audit, those charged with governance and others perform to mitigate fraud risks. (For example, with segregation of duties, training on the entity’s code of conduct, background checks, bonding those employees with access to assets susceptible to misappropriation, does management stress the need for accurate and honest financial reporting?)
Topic area (management): Whether management has knowledge of any fraud or suspected fraud affecting the entity and whether management is aware of allegations of fraud or suspected fraud affecting the entity; for example, received in communications from employees, former employees, analysts, regulators or others.
Example open-ended questions:
• Please describe any awareness or concerns you have related to fraud or suspected fraud.
• Could you show me any regulatory correspondence, correspondence from employees, hotline calls or any other reports that allege or identify suspected fraudulent activity?
Inquiries of management and others
Topic area (management): The nature and extent to which entities with multiple locations monitor them and whether there are particular operating locations for which the risk of fraud may be more likely to exist.
Example open-ended questions:
• (If the entity has multiple locations) Can you describe how you and members of governance monitor the activities at remote locations? For example, do you make site visits, perform analytical procedures on data and hold discussions with personnel at those locations stressing the need for accurate information and ethical behavior on the part of employees?
Topic area (management): Whether and how management communicates to employees its views on business practices and ethical behavior.
Example open-ended questions:
• Please describe how management communicates with employees about the need for accurate financial reporting, ethical behavior and the need to report any behavior that would violate the entity’s code of conduct. (For example, training, stressing these values in meetings, a no-tolerance policy for infractions of the code of ethics.)
Inquiries of management and others
Topic area (management): Whether and how management has reported to the board, the audit committee or others with equivalent authority and responsibility on how the entity’s internal control serves to prevent, detect and correct material misstatements due to fraud.
Example open-ended questions:
• Please describe discussions that management has had with those charged with governance, the audit committee or other equivalents, on how the risk of fraud has been assessed and the internal controls put in place to prevent, detect and correct material misstatements due to fraud.
Inquiries of management and others
Topic area (those charged with governance): Their views on fraud and whether and how it exercises oversight.
Example open-ended questions:
• Please describe your assessment of management and the employees at the company and their commitment to ethical values and accurate and honest financial reporting.
• Please explain how you view the risk of fraud at the company.
• What procedures and analyses do you use to exercise your oversight responsibilities?
Topic area (those charged with governance): Whether the members have any knowledge of fraud that has occurred.
Example open-ended questions:
• What reports (written or oral) have you received about any fraud or suspected fraud in the company?
Topic area (those charged with governance): Where and how fraud might occur.
Example open-ended questions:
• Given your knowledge of the company, where do you believe fraud could occur (fraudulent reporting, misappropriation of assets, corruption, conflicts of interest)?
Inquiries of management and others
Topic area (others): Their views about the risk of fraud and how it might occur.
Example open-ended questions:
• Please describe your assessment of management and the other employees at the company and their commitment to ethical values and accurate and honest financial reporting.
• Please explain how you view the risk of fraud at the company.
• What procedures and analyses do you use to exercise your responsibilities to prevent and detect errors and/or fraud?
Topic area (others): Whether they have seen or suspect fraud.
Example open-ended questions:
• What reports (written or oral) have you received about any fraud or suspected fraud in the company?
• Please describe any suspicious or unusual activity you have noted at the company.
• Please describe any unusual requests you have received from management without supporting documentation.
Topic area (others): If internal auditors, whether they have performed any procedures to detect fraud and, if there were findings, how management responded.
Example open-ended questions:
• Please describe the types of activities the internal audit department performs.
• What findings have you identified over the last year? May I see the reports?
• How does management respond to findings and constructive comments?
Electronic surveys
1. Are you aware of any known departures, during the last year, from approved policies or any unacceptable practices or conduct that might significantly affect the Entity? (yes, no)
1a. (If the answer is yes, the following question drops down). Please describe the departure and any action taken to address the issue.
2. Do you believe that management handles all complaints and comments from vendors, regulators and external parties with integrity and due professional care? (yes, no)
2a. (If the answer is no, the following question drops down). Please describe why.
3. Are you aware of any persistent comments or complaints from employees, vendors, regulators or external parties in 20X8? (yes, no)
3a. (If the answer is yes, the following question drops down). Please describe the most significant or persistent complaint or comment from employees, vendors, regulators or other external parties in 20X8.
Electronic surveys
4. Are you aware of any conflict of interest that exists or existed between the Entity and any member of the staff or volunteer? (yes, no)
4a. (If the answer is yes, the following question drops down). Please describe what happened and what was done to address it.
5. Are you aware of any fraud or abuse of the Entity's resources (including credit card abuse) by either staff or volunteers during the past two years? (yes, no)
5a. (If the answer is yes, the following question drops down). Please describe what happened and what was done to address it.
6. Do you believe the Entity has adequate processes for the investigation of potential frauds and for corrective action when necessary? (yes, no)
7. How would you improve the Entity's policies, processes and procedures in this area?
8. Do you have any questions or concerns which we should consider during our audit? (yes, no)
8a. (If the answer is yes, the following question drops down). Please describe any questions or concerns which we should consider during our audit.
Focus on governance
• Governance should play an important role in:
– Setting the tone from the top; and
– Evaluating the risk of fraud
• Governance should oversee the entity's systems for monitoring risk, financial control, and compliance with laws and regulations
• Composition of governance as well as its quality vary based on the size of the entity, its complexity, the ownership structure of the entity and other factors
• Many times governance plays a much lesser role
Focus on governance
• Auditor should understand:
– If governance is composed of management and independent parties or solely of independent parties
– Varying levels of experience of those charged with governance and board diversity
– Board’s interaction with and monitoring of management including discussion of risks and how they are being addressed
– Board’s interaction with internal audit and whether or not they meet privately to discuss any concerns of the internal audit director
– Whether internal audit evaluates internal controls over financial reporting or addresses mainly compliance or operational issues
– Whether members of governance inquire into or receive reports of any hotline calls (or reports from some other reporting vehicle)
– Whether those charged with governance meet independently to discuss the performance of management and the risk of management override by executives, particularly if the executives sit on the board
Fraud risk governance principles
• The IIA and ACFE published a guide intended for management and governance to use in managing the risk of fraud
• Five principles:
• Principle 1: A fraud risk management program should be in place, including policies and procedures to convey the expectations of the board of directors and senior management regarding managing fraud risk
Fraud risk governance principles
• Components of a fraud risk assessment program:
– Roles and responsibilities;
– Commitment;
– Fraud awareness;
– Affirmation process;
– Conflict disclosure;
– Fraud risk assessment;
– Reporting procedures and whistleblower protection;
– Investigation process;
– Corrective action;
– Quality assurance; and
– Continuous monitoring
Fraud risk governance principles
• Principle 2: Fraud risk exposure should be assessed periodically by the organization to identify specific potential schemes and events that the organization needs to mitigate
• Principle 3: Fraud prevention techniques should be established, where feasible, to mitigate possible impacts on the organization from fraud
• Principle 4: Detection techniques should be established to uncover fraud events in the event that preventive measures fail, or unmitigated risks are identified
Fraud risk governance principles
• Detection Techniques
• An entity could use the following techniques on a periodic basis as fraud diagnostics:
– Scan purchase orders with blank approvals/zero amounts
– Purchases split so they are just under the threshold for approval or second approval
– Duplicate invoices
– Invoice amount paid compared to goods received
– Invoices with no matching receiving report
– Multiple invoices with the same purchase order and date
– Pattern of sequential invoices from a vendor
Fraud risk governance principles
Detection Techniques
– Nonapproved vendors
– Suspect purchase of consumer items
– Employee and vendor with the same information (name, address, phone number, bank account number)
– Vendor address is a mail drop
– Payment without invoice
– Vendor master changes for brief periods
– Transactions made with P-cards on weekends or holidays
– Unusually high sales discounts
Fraud risk governance principles
• Detection Techniques
– Frequent credit memos to the same customer
– Shipments where the employee address matches the shipping address
– Terminated employees on the payroll
– Unusually high overtime amounts and rates
– Invalid tax IDs
– Unusually high commissions
– Multiple employees with the same addresses
• Principle 5: A reporting process should be in place to ask for input on potential fraud, and a coordinated approach to investigation and corrective action should be used to help ensure potential fraud is addressed appropriately and on a timely basis
Case study 1
An auditor was preparing to perform fraud risk assessment procedures at a midsized retail organization. The entity has a board of directors but no audit committee. It also has an internal audit department that reports to the CFO. From review of internal audit reports in prior years the auditor is aware that the workplan centers around operational issues. The CEO sits on the board, which is composed of shareholders with significant holdings, half of whom are in management. The board meets quarterly and the auditor’s experience is that the discussion revolves mainly around sales targets, introduction of new products, and achievement of financial goals. In prior year discussions with governance the auditor has used electronic questionnaires since it is difficult to get the board members to sit down face-to-face.
1. What do you see as risks that the auditor needs to consider when preparing to ask questions of management and others related to the risk of fraud?
2. To whom should fraud risk questions be addressed?
Integrating AU-C 315 and AU-C 240
• Use inquiry, observation and inspection of documents
• Perform preliminary analytical procedures
• 4 broad categories:
– Industry and regulatory factors
– Nature of the entity
– Objectives, strategies and related business risks
– Measurement and review of the entity’s financial performance
Case study 2
An auditor is conducting an audit of a building construction company, Better than Real Wood, for the year ended December 31, 20X2. The senior accountant wanted to combine the inquiries used for the risk assessment process (AU-C 315) with the inquiries for the risk of fraud (AU-C 240). Following is the understanding of the entity and its environment for 20X1. In addition, she obtained a 9-month financial statement and noted that sales had increased and margins were lower, but not as low as at the end of 20X1. She noticed that inventory levels were higher. Net income was lower. The auditor used the prior year understanding and the 9-month financials as a starting point to build the list of inquiries to use for 20X2.
Case study 2 (cont.)
• Questions:
1. Given the information provided relative to the company, where do you believe fraud could occur?
2. Based on your assessment what other activities would you perform relative to the risk of fraud?
How are frauds detected
[Bar chart: Method by Which Fraud is Detected. Categories, from most to least frequent: Tip, Internal Audit, Management review, By accident, Other, Account Reconciliation, Document Examination, External Audit, Surveillance/monitoring, Notified by law enforcement, IT Controls, Confession. Horizontal axis: percentage of cases, 0% to 45%.]
Who reports fraud
[Bar chart: Who Reports Fraud. Categories, from most to least frequent: Employee, Customer, Vendor, Other, Competitor, Shareholder/owner. Horizontal axis: percentage of tips, 0% to 60%.]
When staff asks questions
• Staff people may feel reluctant to press the client for clarification
• Staff people have good instincts but may need some guidance from senior audit team members
Additional questions for management and the board
• Joseph T. Wells – Antifraud provisions as a deterrent
Anti-fraud provision: Training
Questions:
1. Do employees receive training that helps to educate them about what constitutes fraud and the costs of fraud, such as job loss, publicity issues, etc.?
2. Have employees been told where to go for help if they see something?
3. Is there a zero-tolerance policy for fraud and has it been communicated?
Important points: Training employees builds fraud awareness, and employees will be more likely to spot inappropriate behavior in others. Training can also make it more difficult for employees to rationalize their own behavior. The ACFE studies consistently show that the top way frauds are detected is through tips from employees.
Additional questions for management and the board (cont.)
Anti-fraud provision: Reporting
Questions: Does the entity have an effective way for employees to report fraud? Are there anonymous reporting mechanisms? Do employees understand that the issues reported will be investigated?
Important points: Anonymous reporting vehicles are important. The 2018 Report noted that the presence of a hotline or other reporting mechanism affects how organizations detect fraud as well as the outcome of the case.
Additional questions for management and the board (cont.)
Anti-fraud provision: Perception of detection
Questions: Does the entity perform monitoring activities to identify fraudulent activity? Is there a message sent that there will be tests made to look for fraud? Are there surprise audits? Is software used to identify fraud indicators from data?
Important points: The 2018 Report to the Nations identifies management review as the third most likely way to detect fraud (13%). Surveillance and monitoring also detects fraud, but only 3% of the time. There are no statistics related to the types of monitoring procedures used. Mr. Wells believes that letting employees know that surprise tests and other procedures will occur is a deterrent to fraud.
Additional questions for management and the board (cont.)
Anti-fraud provision: Management’s tone from the top
Questions: Does the entity value honesty and integrity? Are employees surveyed to determine whether they believe that management acts with integrity? Have fraud prevention goals been set for management and are they evaluated on them as an element of compensation? Is there an appropriate oversight process by the board or others charged with governance?
Important points: Management’s tone from the top is important in setting the stage for ethical behavior. Employees are more likely to behave with integrity if the tone is set. Mr. Wells states that employees feel more secure when they believe in the ethics of management and the board.
Additional questions for management and the board (cont.)
Anti-fraud provision: Anti-fraud controls
Questions: Are any of the following performed?
• Risk assessments to determine management’s vulnerabilities
• Proper segregation of duties
• Physical safeguards
• Job rotation
• Mandatory vacations
• Proper authorization of transactions
Important points: These are helpful internal controls. Management should consider implementing policies and procedures to ensure that the controls are effective.
Additional questions for management and the board (cont.)
Anti-fraud provision: Hiring policies
Questions: Are the following incorporated in your hiring policies?
• Past employment verification
• Credit check
• Criminal and civil background check
• Education verification
• Reference check
• Drug screening
Important points: These are helpful internal controls. Management should consider implementing policies and procedures to ensure that the controls are effective.
Additional questions for management and the board (cont.)
Anti-fraud provision: Employee assistance
Questions: Are there any programs in place to help struggling employees with financial issues, drug issues or mental health issues? Is there an open-door policy so that employees can speak freely? Are anonymous surveys conducted to assess employee morale?
Important points: Mr. Wells has seen good success with helping employees feel more valued and secure. Even if the entity does not provide financial assistance to struggling employees, the fact that it cares sends an important message.
Unusual or unexpected relationships
• Preliminary analytical procedures
• Fluctuation analysis
• High-level review of specific data patterns, relationships and trends
• Auditor may use software programs to analyze data (data extraction, business intelligence, and file query tools)
• AU-C 315 does not require the use of disaggregated data as a risk assessment procedure
• Based on analytical procedures performed as part of risk assessment procedures, the auditor evaluates whether unusual or unexpected relationships that have been identified could indicate a risk of material misstatement due to fraud
• If not already performed, the auditor should perform analytical procedures relating to revenue accounts
Unusual or unexpected relationships
• When performing data analysis for fraud risk assessment purposes the auditor could use:
– Statistical analysis designed to look for transactions outside what is expected (disaggregated revenue by product line divided by units produced)
– Analytic tests that evaluate certain conditions or relationships that indicate a high probability of fraud (transactions that are right below the threshold for additional approval)
– Comparing information from one database to another (compare payroll records with data from a human capital system that contains employee names, pay rates etc.)
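The periodic detection techniques listed under the fraud risk governance principles (duplicate invoices, purchases split under an approval threshold, employee and vendor sharing an address or bank account, P-card use on weekends, terminated employees on the payroll) and the three data-analysis approaches just listed come down to simple tests over transaction records. The following Python is an added example, not part of the course material: the records, their field layout and the $5,000 second-approval threshold are constructed, and the threshold test flags same-vendor, same-day invoices that are each under the limit but exceed it in total.

```python
"""Periodic fraud diagnostics over constructed purchasing and payroll records.
Added example, not course material: duplicate invoices on one PO and date,
purchases split under an approval threshold, vendor/employee address or bank
matches, weekend P-card use and terminated employees still being paid."""

from collections import defaultdict
from datetime import date
import re

APPROVAL_THRESHOLD = 5_000.00  # assumed second-approval limit (constructed)

# Constructed records: (invoice_id, vendor_id, po_number, invoice_date, amount)
INVOICES = [
    ("INV-1001", "V-10", "PO-551", date(2023, 3, 3), 4_900.00),
    ("INV-1002", "V-10", "PO-552", date(2023, 3, 3), 4_950.00),
    ("INV-1003", "V-10", "PO-553", date(2023, 3, 3), 4_800.00),
    ("INV-2001", "V-20", "PO-600", date(2023, 3, 7), 1_250.00),
    ("INV-2001", "V-20", "PO-600", date(2023, 3, 7), 1_250.00),  # submitted twice
    ("INV-3001", "V-30", "PO-610", date(2023, 3, 9), 12_000.00),
]
# (employee_id, name, address, bank_account, termination_date or None if active)
EMPLOYEES = [
    ("E-01", "Ann Lee", "12 Oak St", "111-222", None),
    ("E-02", "Bo Chen", "40 Elm Ave", "333-444", date(2023, 1, 31)),
    ("E-03", "Cy Diaz", "12 Oak St.", "555-666", None),
]
# (vendor_id, name, address, bank_account)
VENDORS = [
    ("V-10", "Oak Supplies LLC", "12 oak st", "111-222"),
    ("V-20", "Metro Paper", "9 Main St", "777-888"),
    ("V-30", "Build Co", "3 Hill Rd", "999-000"),
]
# (pay_date, employee_id, gross_pay)
PAYROLL = [
    (date(2023, 2, 28), "E-01", 3_000.00),
    (date(2023, 2, 28), "E-02", 2_800.00),  # E-02 was terminated 2023-01-31
    (date(2023, 2, 28), "E-03", 3_100.00),
]
# (transaction_date, cardholder_id, merchant, amount)
PCARD = [
    (date(2023, 3, 4), "E-01", "Home Electronics", 640.00),  # a Saturday
    (date(2023, 3, 6), "E-03", "Office Depot", 85.00),       # a Monday
]

def normalize(text):
    """Lower-case and strip punctuation/extra spaces so addresses compare equal."""
    return " ".join(re.sub(r"[^a-z0-9 ]", "", text.lower()).split())

def duplicate_invoices(invoices):
    """Multiple invoices from one vendor with the same PO number and date."""
    counts = defaultdict(int)
    for _inv_id, vendor, po, inv_date, _amount in invoices:
        counts[(vendor, po, inv_date)] += 1
    return sorted((key, n) for key, n in counts.items() if n > 1)

def split_purchases(invoices, threshold=APPROVAL_THRESHOLD):
    """Same vendor, same day, each invoice under the threshold but the total over it."""
    by_day = defaultdict(list)
    for inv_id, vendor, _po, inv_date, amount in invoices:
        if amount < threshold:
            by_day[(vendor, inv_date)].append((inv_id, amount))
    return sorted(
        (vendor, day, [i for i, _ in items], round(sum(a for _, a in items), 2))
        for (vendor, day), items in by_day.items()
        if len(items) > 1 and sum(a for _, a in items) >= threshold
    )

def employee_vendor_matches(employees, vendors):
    """Vendors whose address or bank account matches an employee's."""
    hits = []
    for emp_id, _name, e_addr, e_bank, _term in employees:
        for ven_id, _vname, v_addr, v_bank in vendors:
            if normalize(e_addr) == normalize(v_addr):
                hits.append((emp_id, ven_id, "address"))
            if e_bank == v_bank:
                hits.append((emp_id, ven_id, "bank_account"))
    return hits

def weekend_pcard(transactions):
    """P-card transactions dated on a Saturday or Sunday (weekday 5 or 6)."""
    return [t for t in transactions if t[0].weekday() >= 5]

def terminated_on_payroll(employees, payroll):
    """Pay dates that fall after the employee's termination date."""
    term = {e[0]: e[4] for e in employees if e[4] is not None}
    return [(emp, pay_date) for pay_date, emp, _amt in payroll
            if emp in term and pay_date > term[emp]]

def run_diagnostics():
    """Run every test and return the exceptions for the auditor to follow up."""
    return {
        "duplicate_invoices": duplicate_invoices(INVOICES),
        "split_purchases": split_purchases(INVOICES),
        "employee_vendor_matches": employee_vendor_matches(EMPLOYEES, VENDORS),
        "weekend_pcard": weekend_pcard(PCARD),
        "terminated_on_payroll": terminated_on_payroll(EMPLOYEES, PAYROLL),
    }

if __name__ == "__main__":
    for test, exceptions in run_diagnostics().items():
        print(f"{test}: {len(exceptions)} exception(s) {exceptions}")
```

Each exception is only a lead for inquiry and document inspection; the same-day window and the exact-match rules are deliberately simple and would be tuned to the entity's approval policy and master-file conventions.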
Changes in risk from year to year
Auditors should be aware that risks may change from year to year and consider areas where there may have been significant changes, including:
– Regulatory changes and increased regulatory scrutiny
– Legal or regulatory changes which may impact how the entity safeguards the privacy of data and maintains information system security
– Risks resulting from national and international political uncertainty, including how these risks might limit growth opportunities
– New cyber threats with the potential to significantly disrupt operations
– Where there is internal resistance to changes to the entity’s business model and core operations, needed to meet changes in its external environment
Omnibus Standard Amends AU-C 240
• SAS 135 issued in December 2019
• New procedures are introduced when transactions outside the normal course of business of the entity are identified:
– Evaluate the rationale and business purpose for those transactions as to whether they suggest that they were entered into in order to perpetrate fraudulent financial reporting or misappropriation of assets
– Read the supporting documentation and evaluate whether the terms and other information about the transaction are consistent with explanations from inquiries and other audit evidence regarding the business purpose
– Determine whether the transaction has been authorized and approved in accordance with the entity’s policies and procedures
– Evaluate whether significant unusual transactions identified have been properly accounted for and disclosed in the financial statements
Omnibus Standard Amends AU-C 240
• Additional indicators added that could alert auditors to significant unusual transactions
– Transactions that involve previously unidentified related parties or relationships or transactions with related parties previously undisclosed to the auditor
– Transactions involving other parties that do not have the substance or the financial strength to support the transaction without assistance from the entity under audit or any related party of the entity
– Transactions lack commercial or economic substance or are part of a larger series of connected, linked, or otherwise interdependent arrangements that lack commercial or economic substance individually or in the aggregate
Omnibus Standard Amends AU-C 240
• Additional indicators added that could alert auditors to significant unusual transactions (cont.)
– Transactions occur with a party that falls outside the definition of a related party (as defined by the applicable financial reporting framework), with either party able to negotiate terms that may not be available for other, more clearly independent parties on an arm's-length basis
– Transactions exist to enable the entity to achieve certain financial targets
AU-C 240 amendments
• Amendments to SAS 134 (auditor’s report)
• SAS 136 (employee benefit plan auditor’s report)
• Clarifies auditor’s responsibilities (presented in part)
Our objectives are to obtain reasonable assurance about whether the financial statements as a whole are free from material misstatement, whether due to fraud or error, and to issue an auditor’s report that includes our opinion. Reasonable assurance is a high level of assurance but is not absolute assurance and therefore is not a guarantee that an audit conducted in accordance with GAAS will always detect a material misstatement when it exists. The risk of not detecting a material misstatement resulting from fraud is higher than for one resulting from error, as fraud may involve collusion, forgery, intentional omissions, misrepresentations, or the override of internal control.
AU-C 240 amendments
• Clarifies auditor’s responsibilities (presented in part)
In performing an audit in accordance with GAAS, we:
Exercise professional judgment and maintain professional skepticism throughout the audit. Identify and assess the risks of material misstatement of the financial statements, whether due to fraud or error, and design and perform audit procedures responsive to those risks. Such procedures include examining, on a test basis, evidence regarding the amounts and disclosures in the financial statements.
Considerations for smaller entities
• Fraudulent financial reporting may not be as big a risk as misappropriation of assets (lack of segregation of duties)
• Risk of fraud is more likely related to overstatement of expenses (privately held companies) to reduce income taxes
• NFPs are typically not as concerned about earnings – controls may not be as robust and lack of control documentation is more prevalent
Audit team discussion
• After sufficient information is collected to evaluate the risk of fraud, the audit team holds its discussion
• In long-standing client relationships the team may believe that management has integrity; in brainstorming, set that belief aside
• Not all team members must be present
• Partner or equivalent must be present
• Team meeting is an opportunity for less experienced team members to learn
Audit team discussion
• Discusses how and where the entity's financial statements might be susceptible to material misstatement due to fraud
• Explores how and where fraud could occur
• Explores how management could perpetrate and conceal fraudulent financial reporting, and how assets of the entity could be misappropriated
• Identifies specific risks of fraud
• Emphasizes the need for professional skepticism during the audit
• Considers the risk of management override of controls and how that might occur (estimates, journal entries, implied pressures, unusual transactions)
Audit team discussion
• Considers circumstances that might be indicative of earnings management or manipulation of other financial measures and how management could conceivably manage earnings or other financial measures that could lead to fraudulent financial reporting
• Considers responses to the risk of fraud and plans those tests
• Considers the need for specialists and addresses multi-location audit issues
• Considers how an element of unpredictability will be incorporated into the nature, timing, and extent of the audit procedures to be performed
• Emphasizes the importance of maintaining professional skepticism throughout the audit regarding the potential for material misstatement due to fraud
Comprehensive example
• Part 1, Discussion held with the team on the risks of fraud (3-24)
• Part 1, Discussions with Client Personnel and those Charged with Governance (3-26)
Risks of fraud
• Revenue recognition
– Presumed to be a risk of fraud
– Fraudulent financial reporting – overstating revenue or shifting from one period to the next
– Fictitious sales
– Presumption can be rebutted
Risks of fraud
• Management override
– Management is in a unique position to override controls
– When this happens it may look like controls are functioning when they are not
– Considered a risk of fraud and should be addressed in all audits
– Auditor is required to test appropriateness of journal entries including entries posted directly to financial statement drafts
Tests of journal entries
• Obtain an understanding of the entity's financial reporting process and controls over journal entries and other adjustments
• Make inquiries of individuals involved in the financial reporting process about inappropriate or unusual activity relating to the processing of journal entries and other adjustments
• Consider fraud risk indicators, the nature and complexity of accounts, and entries processed outside the normal course of business
• Select journal entries and other adjustments made at the end of a reporting period
• Consider the need to test journal entries and other adjustments throughout the period
Tests of journal entries
• Review accounting estimates for biases and evaluate whether any bias represents a risk of material misstatement due to fraud
• Evaluate whether the judgments and decisions made by management in making the accounting estimates included in the financial statements, even if they are individually reasonable, indicate a possible bias on the part of the entity's management that may represent a risk of material misstatement due to fraud
• Perform a hindsight review of management judgments and assumptions related to significant accounting estimates made in the prior year
• Evaluate significant transactions that are outside the normal course of business or that appear to be unusual
Comprehensive Example, Part 2 (3-29)
Conclusion and linkage
• When the team has identified a list of ways that fraud could possibly occur, the list should be narrowed down to risks that both:
– Could result in material misstatement; and
– Are likely to occur
• Auditor should gain an understanding of internal control over the fraud risks to determine the nature, timing, and extent of audit procedures
Conclusion and linkage
1. Revenue recognition - existence (possibility of fictitious visits) and valuation (see below). Planned Response (Linkage): We will test internal controls over the tracking system including management review. The engagement manager will perform the procedures related to management estimates. We will perform a hindsight review on the allowance for doubtful accounts. We will do the same on the variable consideration for patient revenues from third party payors. SEE WP XXXX
2. Management override - primarily through management estimates. Planned Response (Linkage): we also plan to test journal entries. We will remain alert for the possibility of unusual transactions. SEE WP XXXX
Comprehensive Example, Part 3 (3-31)
Conclusion and linkage
3. Estimates - allowance for doubtful accounts and reduction of revenue due to variable consideration and constraints to variable consideration. Planned Response (Linkage): We will perform a hindsight review on the allowance for doubtful accounts. We will do the same on the variable consideration for patient revenues from third party payors. SEE WP XXXX
4. Planned Response (Linkage): As required by professional standards we will obtain an understanding of internal controls over all risks of fraud (as well as other significant risks identified in the risk assessment memo). As noted above we will test controls over the tracking system. SEE WP XXXX
Understanding internal control over fraud risks
Comprehensive Example, Part 4 (3-32)
Account balance: Revenue recognition
Risk of material misstatement due to fraud: Existence: The risk is that home health aides or other caregivers will falsify visits. Since the majority of the patients/clients are elderly and some have dementia, the likelihood is there. The magnitude could be material from a quantitative standpoint, but more importantly it could be material from a qualitative standpoint because this would represent a violation of Medicare and Medicaid regulations.
Understanding of internal controls: I discussed the tracking process with the COO, noting that she was very concerned about the possibility of overbilling to government and other payors. She discussed the issue that caused the entity to invest in the tracking system.
She discussed her review in detail and showed me the documentation to support her monthly review. She tests the visits each month, noting that she selects 40 items to test to ensure that the billings are appropriate. She also discussed her monthly analytical review and showed me the monthly Excel spreadsheets.
She noted that there were very few exceptions noted during the year and that none of them could have caused fictitious billings. The employees who used the car to do errands were warned and no further action has been necessary.
Management installed tracking devices in the company vehicles two years ago to measure mileage and log the times that the company cars are being driven. The logs are reviewed by the COO, who also checks the dates, times and services against the patient care plan. Any differences are discussed with the home health aide/caregiver.
The COO maintains the logs from each month in a folder and inputs the information in a spreadsheet for analytical review. I selected a patient by patient number from the patient roster and obtained the month’s folder. I recalculated the amount of time spent by the aide against the range of time allotted for visits in the COO’s operations manual. I recalculated the mileage to and from the patient’s home. I traced the documentation supporting the visit to the plan of care. (The COO redacted the patient name from the documents due to HIPAA regulations.)
I believe that the controls are suitably designed and have been implemented. We did not test controls.
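The COO's monthly review described above, checking each billed visit against the vehicle tracking log and the patient's plan of care, as an added example that is not part of the course materials: the record layouts, the 20% mileage tolerance, the one-trip-per-aide-per-day matching rule and all sample records are constructed for illustration.

```python
"""Reconciliation of billed home-health visits against vehicle tracking logs
and each patient's plan of care, modelled on the COO's monthly review in the
comprehensive example. All records below are constructed sample data."""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Tuple

# Assumption: a 20% mileage variance is the threshold before a trip is queried.
MILEAGE_TOLERANCE = 0.20


@dataclass(frozen=True)
class PlanOfCare:
    patient_id: str
    services: frozenset          # services authorised by the plan of care
    min_minutes: int             # visit length range from the operations manual
    max_minutes: int
    round_trip_miles: float      # expected mileage to and from the patient's home


@dataclass(frozen=True)
class BilledVisit:
    visit_id: str
    patient_id: str
    aide: str
    service: str
    date: str                    # YYYY-MM-DD; used only as a matching key


@dataclass(frozen=True)
class VehicleLog:
    aide: str
    date: str
    arrive: str                  # HH:MM recorded by the tracking device
    depart: str
    miles: float                 # miles driven for the trip


def visit_minutes(arrive: str, depart: str) -> int:
    """Minutes between arrival and departure, e.g. 09:00-10:00 -> 60."""
    fmt = "%H:%M"
    delta = datetime.strptime(depart, fmt) - datetime.strptime(arrive, fmt)
    return int(delta.total_seconds() // 60)


def reconcile(visits: List[BilledVisit], logs: List[VehicleLog],
              plans: Dict[str, PlanOfCare]) -> List[Tuple[str, str, str]]:
    """Return (visit_id, exception_code, detail) for every billed visit that
    fails a check; an empty list means the sample reconciled cleanly."""
    # Assumption: one logged trip per aide per day is enough to match a visit.
    trips = {(log.aide, log.date): log for log in logs}
    exceptions: List[Tuple[str, str, str]] = []
    for visit in visits:
        plan = plans.get(visit.patient_id)
        if plan is None:
            exceptions.append((visit.visit_id, "NO_PLAN_OF_CARE", visit.patient_id))
            continue
        if visit.service not in plan.services:
            exceptions.append((visit.visit_id, "SERVICE_NOT_IN_PLAN", visit.service))
        trip = trips.get((visit.aide, visit.date))
        if trip is None:
            # A billed visit with no trip to the patient is the footprint a
            # falsified visit would leave in the tracking data.
            exceptions.append((visit.visit_id, "NO_TRIP_LOG",
                               f"{visit.aide} on {visit.date}"))
            continue
        spent = visit_minutes(trip.arrive, trip.depart)
        if not plan.min_minutes <= spent <= plan.max_minutes:
            exceptions.append((visit.visit_id, "DURATION_OUT_OF_RANGE",
                               f"{spent} min vs {plan.min_minutes}-{plan.max_minutes}"))
        allowed = MILEAGE_TOLERANCE * plan.round_trip_miles
        if abs(trip.miles - plan.round_trip_miles) > allowed:
            # Large mileage variances are how the errand-running in the example
            # would surface; they are discussed with the aide, not assumed to be fraud.
            exceptions.append((visit.visit_id, "MILEAGE_VARIANCE",
                               f"{trip.miles} mi vs {plan.round_trip_miles}"))
    return exceptions


# Constructed sample month: two patients, four billed visits, three logged trips.
PLANS = {
    "P-1001": PlanOfCare("P-1001", frozenset({"personal_care"}), 45, 75, 12.0),
    "P-1002": PlanOfCare("P-1002", frozenset({"skilled_nursing"}), 30, 60, 8.0),
}
VISITS = [
    BilledVisit("V-1", "P-1001", "aide_a", "personal_care", "20X2-03-01"),
    BilledVisit("V-2", "P-1002", "aide_b", "skilled_nursing", "20X2-03-01"),
    BilledVisit("V-3", "P-1001", "aide_a", "personal_care", "20X2-03-02"),
    BilledVisit("V-4", "P-1002", "aide_b", "skilled_nursing", "20X2-03-03"),
]
LOGS = [
    VehicleLog("aide_a", "20X2-03-01", "09:00", "10:00", 12.5),  # matches plan
    VehicleLog("aide_a", "20X2-03-02", "09:00", "09:15", 12.0),  # 15-minute stop
    VehicleLog("aide_b", "20X2-03-03", "13:00", "13:45", 31.0),  # 31 mi for an 8 mi trip
]
# No trip is logged for aide_b on 20X2-03-01, so V-2 has nothing supporting it.

if __name__ == "__main__":
    for visit_id, code, detail in reconcile(VISITS, LOGS, PLANS):
        print(f"{visit_id}: {code} ({detail})")
```

Each exception is a discussion item for the COO's review, mirroring the "differences are discussed with the aide" step; a clean visit produces nothing.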
Understanding internal control over fraud risks
Comprehensive Example, Part 4 (cont.)
Account balance: Revenue recognition
Risk of material misstatement due to fraud: Valuation: The risk is that the long-term contracts might not be accounted for appropriately. These contracts have variable consideration in that bonuses are awarded for quality based on various metrics. Since the contracts span over three years, the entity estimates the quality score it will receive to estimate the variable consideration. Management could overstate the quality factor in order to recognize revenue in an earlier period.
Understanding of internal controls: I discussed the nature of the long-term contracts and the estimation process with the CFO. He showed me how the electronic billing software works to remove any contractual allowances from revenue. The rates are built into the application. Periodic updates are downloaded from the government payors and insurers as rates change.
Some new contracts span over a period of years with variable consideration in the form of a bonus. The CFO showed me the process he uses for estimating the variable consideration, including where he obtains the inputs. I asked whether he made any kind of hindsight review and learned that the contracts were too new to look at in hindsight since none of them had final settlements. I recalculated based on my discussions with the CFO.
I believe that the controls are suitably designed and have been implemented. We did not test controls.
Understanding internal control over fraud risks
Comprehensive Example, Part 4 (cont.)
Account balance: Revenue recognition
Risk of material misstatement due to fraud: Valuation: The entity has a standard charge for its services. Some services to certain clients/patients are paid at various rates. In addition, there are those patients without insurance where the entity may reduce the price based on customary business practices. The difference between the standard charge and the rate negotiated with the payor is a reduction of revenue. In addition, the write-off of uninsured patient receivables based on customary business practice is also a reduction of revenue. The entity has compensation arrangements with executives that are based on revenue. The risk of fraud is that amounts that should be recognized as a reduction of revenue will be recognized as bad debt expense. This would inflate the variable compensation due to the executives.
Understanding of internal controls: I discussed the process used to estimate the effect of the customary business practice of writing down uninsured patient receivables. The CFO does not have a good process in place to capture information that would make it easy to identify patient receivable write-downs. They are run through the allowance for doubtful accounts. Based on my discussions with the CFO, this is a significant deficiency. The write-downs are not material. However, the current practice shows a lack of understanding of ASC 606. This will be noted as a significant deficiency. Based on our discussions, I do not believe that this represents fraudulent activity to misstate revenue or bad debt expense.
Understanding internal control over fraud risks
Comprehensive Example, Part 4 (cont.)
Account balance: Management override
Risk of material misstatement due to fraud: The risk of fraud is that management could understate or overstate the allowance for doubtful accounts. We believe that it is more likely that the allowance would be overstated due to the compensation issue discussed above.
Understanding of internal controls: See discussion above and note that we will issue an AU-C 265 letter citing this as a significant control deficiency.
Documentation
• Understanding of the entity and its environment and the assessment of the risks of material misstatement (The fraud risk documentation is naturally included with the assessment of the risk of material misstatement; this is a major component of risk assessment documentation)
• Significant decisions reached during the discussion among the engagement team regarding the susceptibility of the entity's financial statements to material misstatement due to fraud
• How and when the team discussion occurred and the audit team members participating
• Identified and assessed risks of material misstatement due to fraud at the financial statement level and at the assertion level
Documentation
• Responses to the assessed risks of material misstatement
• Overall responses to the assessed risks of material misstatement due to fraud at the financial statement level and the nature, timing, and extent of audit procedures, and the linkage of those procedures with the assessed risks of material misstatement due to fraud at the assertion level
• Results of the audit procedures, including those designed to address the risk of management override of controls
• Communications about fraud made to management, those charged with governance, regulators, and others
• If the auditor has concluded that the presumption that there is a risk of material misstatement due to fraud related to revenue recognition is overcome in the circumstances of the engagement, the auditor should include in the audit documentation the reasons for that conclusion
Documentation
• Fraud Procedures Summary Form (columns: Fraud Evaluation Element; Where this is addressed; Signoff)
– Element: Discussion among engagement personnel in planning the audit regarding the susceptibility of the entity’s financial statements to material misstatement due to fraud. Where addressed: See the team discussion workpaper XX. Signoff: AR 3/20/X2
– Element: Inquiries of management and others within the entity about the risks of fraud (this should include direct face-to-face discussions as well as any questionnaires deemed appropriate). Where addressed: See workpaper XX-1 documenting discussions with management, other personnel and those charged with governance. Signoff: AR 3/20/X2
– Element: Consideration of preliminary analytical procedures including procedures specifically related to revenue. Where addressed: Revenue recognition was already identified as a risk of fraud, so analytical procedures were performed at a more detailed level in Workpaper XX. Signoff: AR 3/20/X2
Documentation
• Fraud Procedures Summary Form (columns: Fraud Evaluation Element; Where this is addressed; Signoff)
– Element: Other procedures performed to obtain information necessary to identify and assess the risks of material misstatement due to fraud. Where addressed: We were alert to unusual fluctuations in account balances in preliminary analytical procedures but found that those balances supported our expectations (i.e., patients and therefore revenue decreased in the current year). Signoff: AR 3/20/X2
– Element: Specific risks of material misstatement due to fraud that were identified and description of the auditor’s overall and specific responses. Where addressed: The specific risks of fraud identified were the revenue recognition and evaluation of the allowance. These were documented at workpaper XX and also in the team meeting. Signoff: AR 3/20/X2
– Element: Understanding of internal control over fraud risks. Where addressed: See workpaper XX for this understanding. Note the significant deficiency discussed at that workpaper. Signoff: AR 3/20/X2
Documentation
• Fraud Procedures Summary Form (columns: Fraud Evaluation Element; Where this is addressed; Signoff)
– Element: The auditor’s reasons supporting a conclusion that improper revenue recognition is not a risk of material misstatement due to fraud. Where addressed: We believe that improper revenue recognition is not a significant fraud risk for patient/client revenue. See assessment at workpaper XX. Signoff: AR 3/20/X2
– Element: Results of procedures performed to further address the risk of management override of controls, including identification of JEs tested. Where addressed: Journal entry testing was performed. No issues were noted. See Workpaper XX. Signoff: AR 3/20/X2
– Element: Other conditions and analytical relationships that caused the auditor to believe that additional auditing procedures or other responses were required and any further responses that the auditor deemed appropriate. Where addressed: There were none. Signoff: AR 3/20/X2
Documentation
• Fraud Procedures Summary Form (columns: Fraud Evaluation Element; Where this is addressed; Signoff)
– Element: Planned responses to assessed risks. Where addressed: See workpaper XX for a summary of the plan. Substantive tests were performed at workpapers XX, XX and XX. (Note that substantive testing was not illustrated in the comprehensive example.) Signoff: AR 3/20/X2
Case study 3
Questions
1. How does an auditor know whether the board and management are experienced enough that their oversight actually mitigates a lack of segregation of duties?
2. The audit firm made all of the inquiries of management and the board related to fraud. In addition, they performed analytical procedures on the line items where the fictitious amounts were located, and their analysis was a five-year trend comparison. No unusual fluctuations were noted. They vouched 10 of the fictitious invoices. Why do you believe nothing unusual was noted?
Case study 3
Questions (cont.)
3. What is the auditor’s responsibility as it relates to the evaluation of fraud and what could they have done differently?
4. Do you believe that a management letter comment or a communication containing a significant deficiency or material weakness should have been issued by the auditors?
5. Assuming that the board was sincere, what other procedures could be put in place to reduce the risk of fraud in a very small entity?
Communications About Fraud
Chapter 4
Learning objectives
• Upon reviewing this chapter, the reader will be able to:
– Understand actions to take when fraud is identified under various conditions; and
– Prepare appropriate written communications
Evaluation of audit evidence
• Objectives of the auditor when performing a fraud risk analysis are to:
– Identify and assess the risks of material misstatement of the financial statements due to fraud;
– Obtain sufficient appropriate audit evidence regarding the assessed risks of material misstatement due to fraud, through designing and implementing appropriate responses; and
– Respond appropriately to fraud or suspected fraud identified during the audit
Identification of fraud or suspected fraud
• When performing audit procedures, evaluation of audit evidence as it relates to fraud happens during the audit and at or near the end of the audit
• Auditor evaluates misstatements noted during the audit as to whether they might be an indication of fraud
• Possibility of fraud in one area has implications for other areas
– Management level
– Employee level
Withdrawal from the audit
• May be times when the auditor identifies issues or circumstances that cause withdrawal from the audit
– Identification of an immaterial instance of fraud about which management does nothing
– Concerns about the competence or integrity of management or those charged with governance
• Auditor should consider professional and legal responsibilities
• Before withdrawing, the auditor should discuss the reasons with management and those charged with governance
• Consider consulting with legal counsel
• Sometimes an auditor is not able to withdraw (government or nonprofit)
Communications with management
• Report findings to management one level up from the fraud
• Report as soon as practicable
• Evaluate whether this is a deficiency, significant deficiency, or material weakness
• Significant deficiencies and material weaknesses are reported in writing
• Document communications with management in the workpapers
Communications with governance
• Report to governance when fraud involves:
– Management;
– Employees with significant roles in the internal control structure; or
– Material misstatement of financial statements
• Report as soon as possible
• Auditor may report orally or in writing
• If matter involves senior management or a material misstatement it should be in writing
• Sometimes auditors may agree with governance on immaterial items
• Consult with legal counsel
Communications with governance
• Consider discussing with governance when:
– Concerns about the nature, extent, and frequency of assessments of preventive and detective internal controls
– Management’s failure to address identified significant deficiencies or material weaknesses in internal control, or respond to an identified fraud
– The auditor's assessment of the entity's control environment which could include concerns about the competence and integrity of management
– Actions by management that might indicate possible fraudulent financial reporting, such as management's selection of accounting policies that could be used to manage earnings or cover up other issues that could affect a financial statement user’s judgment
– Concerns about the method of authorizing transactions that appear to be outside the normal course of business
Communications to regulatory and enforcement authorities
• Determine what responsibilities the auditor has to report to others outside the entity
• May appear to be a breach of confidentiality but the auditor has a statutory duty
• May be required to report if management and governance do not take corrective action
Internal Controls to Prevent and Detect Fraud
Chapter 5
Learning objectives
Upon reviewing this chapter, the reader will be able to:
• Identify entity level controls that help to prevent fraud;
• Identify control activities to prevent and detect fraud;
• Identify which controls are responsive to the most common fraud schemes; and
• Evaluate deficiencies in internal control to characterize them as significant deficiencies or material weaknesses
Introduction
• Financial statement audits may identify deficiencies that, if uncorrected, could provide the opportunity for fraud
• Other services a practitioner can perform:
– Provide an opinion on the effectiveness of internal control under the AICPA attestation standards;
– Perform an integrated audit as prescribed by the PCAOB;
– Report on the internal control of a service organization under the Statements on Standards for Attestation Engagements;
– Report on the results of internal audit assistance services;
– Perform consulting engagements on implementation of measures to reduce the risk of fraud; and
– Perform consulting engagements to help the entity design or improve its internal control
Failure of entity level controls is responsible for high profile frauds
Most prevalent control weaknesses
COSO Framework revisions
• 1992 COSO Framework
• Revised in 2013
– Technology
– Complex regulations
– Globalization
– Governance
Anti-fraud controls
COSO Framework revisions
• Changes in implementation rates from 2010-2018
• Some controls are important for certain entities and not others
• Gift acceptance policy in governments
COSO Integrated Framework
• Controls to prevent, detect and correct fraud or error
• Absolute assurance is not possible
• Lapses in internal control due to human nature and possibility of management override and collusion
• Principles-based framework which categorizes internal controls into 5 elements:
– Control environment (Principles 1 – 5)
– Risk assessment (Principles 6 – 9)
– Control activities (Principles 10 – 12)
– Information & communication (Principles 13 – 15)
– Monitoring (Principles 16 – 17)
• It can be used for any type of entity
Control environment – principle 1
Principle 1. The organization demonstrates a commitment to integrity and ethical values
• Setting the Tone at the Top - The board and management demonstrate the importance of integrity and ethical values to support the functioning of internal control in:
– Mission and values statements;
– Standards or codes of conduct;
– Policies and practices;
– Operating principles;
– Directives, guidelines, and other supporting communications;
– Actions and decisions of management at various levels and governance;
– Attitudes and responses to deviations from standards of conduct; and
– Informal and routine actions and communication of leaders at all levels of the entity
Control environment – principle 1
• Establishing Standards of Conduct - The board’s expectations of management for integrity and ethical values are understood at all levels by:
– Establishing what is right and wrong;
– Providing guidance for considering associated risks in navigating gray areas; and
– Reflecting legal and regulatory expectations by stakeholders
• Management is ultimately accountable for activities delegated to outsourced service providers
Control environment – principle 1
• Evaluates Adherence to Standards of Conduct and Addresses Deviations in a Timely Manner - Red flags that may indicate a lack of adherence to standards are:
– Tone at top does not effectively convey expectations;
– Board does not provide impartial oversight of management;
– Decentralization without adequate oversight;
– Coercion by superiors, peers, or external parties;
– Performance goals that create pressure to cut corners;
– Inadequate channels for employee feedback;
– Failure to remedy non-existent or ineffective controls;
– Inadequate complaint response process;
– Weak internal audit function; and
– Inconsistent, insignificant, or unpublicized penalties
Control environment – principle 1
• Case Study 1
– Assume you are in charge of the audit team. What other procedures would you have performed to determine whether the tone from the top related to integrity and ethical values had changed since the implementation of the IA?
Control environment – principle 1
• Case Study 1 – Suggested Solution
– An auditor can learn more from asking questions and corroborating the answers
– This is an essential part of an understanding of internal control
– The auditor wants to understand the effect that the implementation of the controls has on the people who are performing the controls or are affected by the controls
– A code of ethics and a hotline may be appropriately designed, but if the controls are not properly implemented (for example, inadequate training) then the controls will not be effective
– Conversely, the design may be flawed. Management may also override these controls through an inappropriate or dismissive attitude from senior management
Control environment – principle 1
• Deviations from the standards of conduct are identified and remedied timely by:
– Defining a set of indicators to identify issues;
– Establishing continual and periodic compliance procedures to confirm that expectations and requirements are being met;
– Identifying, analyzing, and reporting business conduct issues and trends to senior management and the board;
– Evaluating the strength of leadership in the demonstration of integrity and ethical values for performance reviews, compensation, and promotions;
– Compiling allegations centrally with independent evaluation;
– Investigating allegations using defined investigation protocols;
– Implementing corrections timely and consistently; and
– Periodically reviewing issues
Control environment – principle 2
Principle 2. The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control
• Establishes Oversight Responsibilities - The board identifies and accepts its oversight responsibilities. Public companies in many jurisdictions are required to have certain board committees
• Applies Relevant Expertise - The board defines, maintains and evaluates the skills needed among its members. Specialized skills needed among board members may include:
– Internal control mindset
– Market and entity knowledge
– Financial expertise
– Legal and regulatory expertise
– Social and environmental expertise
– Incentives and compensation
– Relevant systems and technology
Control environment – principle 2
• Operates Independently - The board has sufficient members who are independent and objective
• Provides Oversight for the System of Internal Control - The board maintains oversight of management’s design, implementation, and conduct of internal control
Control environment – principle 3
Principle 3. Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives
• Consideration of All Structures of the Entity & Establishment of Reporting Lines of Responsibility - Many variables must be considered when establishing organizational structures, including:
– Nature, size, and geographic distribution of the entity’s business;
– Risks related to the entity’s objectives and business processes;
– Nature of the assignment of authority;
– Definition of reporting lines; and
– Financial, tax, regulatory, and other reporting requirements
• Management and governance consider these variables and the risk when establishing or changing the organizational structure
Control environment – principle 3
• Defines, Assigns, and Limits Authorities and Responsibilities
– Board stays informed and challenges senior management for guidance on significant decisions
– Senior management establishes directives, guidance, and control to enable staff to understand and carry out their duties
– Management executes senior management’s directives
– Personnel understand standards and objectives for their area
– Management and responsible personnel oversee outsourced service providers
– Authority empowers, but limitations of authority are needed
Control environment – principle 4
Principle 4. The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives
• Management and the Board Establish Policies and Practices
– Requirements and rationale
– Skills and conduct necessary to support internal control
– Defined accountability for performance of key business functions
– Basis for evaluating shortcomings and defining remedial actions
– Means to react dynamically to change
Control environment – principle 4
• Evaluates Competence and Addresses Shortcomings
– Knowledge, skills, and experience needed
– Nature and degree of judgment needed for a specific position
– Cost-benefit analysis of different skill and experience levels
• Attracts, Develops, and Retains Individuals
• Plans and Prepares for Succession - Management develops contingency plans for assigning responsibilities important to internal control. The board develops succession plans for key executives and trains and coaches succession candidates for each target role
Control environment – principle 5
Principle 5. The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives
• Enforces Accountability through Structures, Authorities, and Responsibilities - The tone at the top helps to establish and enforce accountability, morale, and a common purpose through:
– Clarity of expectations;
– Guidance through philosophy and operating style;
– Control and information flow;
– Anonymous or confidential communication channels for reporting ethical violations;
– Employee commitment toward collective objectives; and
– Management’s response to deviation from standards
Control environment – principle 5
• Establish and Evaluate Performance Measures, Incentives, and Rewards - Good performance measures, incentives, and rewards support an effective system of internal control. Key success measures include:
– Clear Objectives – Consider all levels of personnel and the multiple dimensions of expected conduct and performance
– Defined Implications – Communicate objectives, review relevant market events, and communicate consequences of failure
– Meaningful Metrics – Define metrics, measure expected vs. actual and assess the expected impact
– Adjustment to Changes – Regularly adjust performance measures based on continual risk/reward evaluation
Control environment – principle 5
• Management and the Board Consider Excessive Pressures - Excessive pressures can cause undesirable side effects. Excessive pressures are most commonly associated with:
– Unrealistic targets, especially short-term;
– Conflicting objectives of different stakeholders; and
– Imbalance between rewards for short-term vs. long-term objectives
• Evaluates Performance and Rewards or Disciplines Individuals - At each level, adherence to standards of conduct and expected levels of competence are evaluated, and rewards allocated, or disciplinary action exercised as appropriate
Control environment – principle 5
• COSO Principle 5 identifies formal reporting mechanisms as an important technique (preventive and detective control)
– The follow-up and investigation of hotline or other communications along with the penalties for infractions provides the entity with an opportunity to detect where fraud has occurred and make the appropriate corrections
– It is also a deterrent if employees realize that there are repercussions for fraudulent activities
Control environment – principle 5
• Case Study 2 Questions
1. Based on the facts presented in this case do you believe that the board was culpable in any respect?
2. Do you believe that the board had the competency needed as those charged with governance?
3. If you were the auditor what entity level controls might you have recommended?
4. As an auditor how might you have determined whether the board had the necessary competence so their oversight would be an effective internal control?
Control environment – principle 5
• Case Study 2 – Suggested Solutions
1. The board is always culpable because they are the oversight body
• The board asked for the material weakness to be removed from the AU-C 265 communication and, even though it accepted the auditor’s suggested control to review all checks written and evaluate the transactions analytically each month, it lacked the skill to perform the control at the necessary level. The board did not appear to do an assessment of fraud risk
2. Although the board appears to have been engaged, they were not knowledgeable about how fraud could occur and did not have the skills to evaluate the analytical procedures
• The board did not appear to seek out training to obtain any of the skills needed from the facts presented
Control environment – principle 5
• Case Study 2 – Suggested Solutions
3. The auditor should not have removed the material weakness based on the board’s skill level
• The compensating controls of analytical procedures and reviewing a list of checks written were not sufficient
• The auditor could recommend a new vendor setup that is approved by the board, a fraud risk assessment by the board, and redesigned analytical procedures to show cost per unit where meaningful. Other unitized analytics are helpful
• The case does not say anything about how the board communicates the tone of zero tolerance for stealing and the need to report results accurately
Control environment – principle 5
• Case Study 2 – Suggested Solutions
4. This is difficult since most board members do not understand the risk of fraud. The auditor could provide training, guidance as it relates to performing a fraud risk assessment, and a template for analytical procedures. By interacting more with the board members, the auditor can assess their competence
Control environment – principle 5
• Case Study 3 Question
1. It’s never too late to understand where a fraud can occur in a company. If you were performing a fraud risk assessment, where would the risk of fraud be in this company?
Control environment – principle 5
• Case Study 3 - Suggested Solution
– In an environment where there are very few employees, management has to be very involved. This means being visible or hiring a higher-level executive to be visible
– The manager should be concerned with inventory levels and take inventories of the high-dollar-value items, first monthly and then, if there appears to be no issue, less frequently
– Codes should not be given to employees, whether to the safe or to the gas pumps. Collusion occurred in this case, but if management had not given out sensitive information or let employees know where the code was stored, there would have been less chance for fraud
Control environment – principle 5
• Employees are a major source of tips
Risk assessment – principle 6
Principle 6. The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives
• Operations Objectives
• External Financial Reporting Objectives
• External Non-Financial Reporting Objectives
• Internal Reporting Objectives
• Compliance Objectives
Risk assessment – principle 7
Principle 7. The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed
• Includes Entity, Subsidiary, Division, Operating Unit, and Functional Levels
– Entity-level risk identification is at a high level and does not include assessing transaction-level risks
– Process-level risk identification is more detailed and includes transaction-level risks
– Management also assesses risks from outsourced service providers, key suppliers, and channel partners
Risk assessment – principle 7
• Analyzes Internal and External Factors - Management realizes that risk is dynamic and considers the rate of change in these risks:
– Economic;
– Regulatory;
– Foreign operations;
– Social; and
– Technological
• Management evaluates the internal factors affecting entity-level risk including:
– Infrastructure and use of capital resources;
– Management structure;
– Personnel, including quality, training and motivation;
– Access to assets, including possibilities for misappropriation; and
– Technology, including possibility of IT disruption
• Management solicits input from employees as to transaction-level risks (also see control activities)
Risk assessment – principle 7
• Involves Appropriate Levels of Management - Effective risk assessment mechanisms match an appropriate level of management expertise to each risk
• Estimates Significance of Risks Identified - Management assesses the significance of risks and:
– Likelihood of risk occurring and impact;
– Velocity or speed to impact upon occurrence of the risk; and
– Persistence or duration of time of impact after occurrence of risk
• Management determines how to respond to risks. Risk responses fall within the following categories:
– Acceptance: No action taken
– Avoidance: Exiting the risky activities
– Reduction: Action taken to reduce likelihood, impact, or both
– Sharing: Transferring part of the risk, for example, insurance
• Segregation of duties is needed to achieve the intended reduction in significance
• Cost/benefit of response options
Risk assessment – principle 8
Principle 8. The organization considers the potential for fraud
• Management and the Board Have an Awareness of How Fraud Can Occur
– Fraudulent financial reporting
– Fraudulent non-financial reporting
– Misappropriation of assets
– Illegal acts
Risk assessment – principle 8
• As part of the risk assessment process, management identifies various fraud possibilities
– Management bias
– Degree of estimates and judgments in external reporting
– Fraud schemes and scenarios common in the industry
– Geographic regions
– Incentives
– Technology and management’s ability to manipulate information
– Unusual or complex transactions
– Vulnerability to management override
Risk assessment – principle 8
• Management Assesses Incentives and Pressures and Management Assesses Opportunities for Fraud to Occur - The likelihood of loss of assets or fraudulent external reporting increases when there is:
– A complex or unstable organizational structure;
– High employee turnover, especially in accounting, operations, risk management, internal audit or technology;
– Ineffectively designed or poorly executed controls; and
– Ineffective technology systems
Risk assessment – principle 8
• Management Assesses Attitudes and Rationalizations
– Considers it “borrowing,” intends to repay
– Believes entity “owes” him something because of some form of job dissatisfaction
– Doesn’t understand or care about consequences
– Doesn’t understand or care about accepted ideas of decency and trust
Risk assessment – principle 9
Principle 9. The organization identifies and assesses changes that could significantly impact the system of internal control
• Management Assesses Changes in the External Environment
• Management Assesses Changes in the Business Model
• Management Assesses Changes in Leadership
Information and communication – principle 13
Principle 13. The organization obtains or generates and uses relevant, quality information to support the functioning of internal control
• Management Identifies Information Requirements - Management identifies and defines information requirements at the relevant level and with requisite specificity. This is an ongoing and iterative process
• Management Captures Internal and External Sources of Data
Information and communication – principle 13
• Management Ensures that the Systems Process Relevant Data into Information
• Management Ensures that Systems Maintain Quality throughout Processing
• Management Considers Costs and Benefits of Internal Controls
Information and communication – principle 14
Principle 14. The organization internally communicates information, including objectives and responsibilities for internal control
• Management Communicates Internal Control Information
– Policies and procedures that support personnel in performing their internal control responsibilities
– Specified objectives
– Importance, relevance, and benefits of effective internal control
– Roles and responsibilities of management and other personnel in performing controls
– Expectations of the entity to communicate within the entity any significant internal control matters including weakness, deterioration, or non-adherence
Information and communication – principle 14
• Management Communicates with the Board of Directors - Communication between management and the board provides the board with information needed to exercise its oversight responsibility for internal control
• Management Provides Separate Communication Lines - There must be open channels of communication and a clear willingness to report and listen
– Whistleblower and ethics hotlines and anonymous or confidential reporting via information systems
Information and communication – principle 14
• Management Selects Relevant Method of Communication - Clarity of information and effectiveness with which it is communicated are important to ensure messages are received as intended
Information and communication – principle 15
Principle 15. The organization communicates with external parties regarding matters affecting the functioning of internal control
• Management Ensures that the Level of Communication to External Parties is Appropriate
• Management Enables Inbound Communications
• Management Enables Communications from External Parties to the Board of Directors
• Management Provides Separate Communication Lines - Separate communication channels, such as whistleblower hotlines, are in place for external parties
• Management Selects Relevant Method of Communication
Monitoring – principle 16
Principle 16. The organization selects, develops, and performs ongoing and/or separate evaluations of internal control
• Management Considers a Mix of Ongoing and Separate Evaluations
• Management Considers Rate of Change
• Management Establishes Baseline Understanding of the System of Internal Controls
• Management Uses Knowledgeable Personnel for Monitoring Tasks - There are a variety of approaches available to perform separate evaluations, including:
– Internal audit evaluations;
– Other objective evaluations;
– Cross-operating unit or functional evaluations;
– Benchmarking/peer evaluations; and
– Self-assessments
Monitoring – principle 16
• Management Integrates Ongoing Evaluations with Business Processes
• Management Adjusts Scope and Frequency of Separate Evaluations Depending on Risk and Makes Objective Evaluations to Provide Good Feedback
Monitoring – principle 17
Principle 17. The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate
• Management and the Board Assess Results of Monitoring Procedures - Management and the board regularly assess internal control for deficiencies. Information comes from a variety of sources, including:
– Ongoing evaluations;
– Separate evaluations;
– Other internal control components; and
– External parties such as customers, vendors, external auditors, and regulators
Monitoring – Principle 17
• Management Communicates Deficiencies in Internal Control - Communicating internal control deficiencies to the right parties to take corrective actions is critical for entities to achieve objectives. In some cases, external reporting of a deficiency may be required by laws, regulations, or standards
• Management Monitors Corrective Actions - After internal control deficiencies are evaluated and communicated to those parties responsible for taking corrective action, management tracks whether remediation efforts are conducted timely. When deficiencies are not corrected on a timely basis, management revisits the selection and deployment of monitoring activities, until corrective actions have remediated the internal control deficiency
Question for discussion
What are some separate and ongoing evaluations that could be used by internal auditors or if there was no internal audit department, by management or staff to identify anomalies in data that might indicate fraudulent activity?
Control activities
• Segregation of duties - The Foundation for Control Activities
– Segregate duties among personnel in order to ensure that no one person has control over two or more phases of a transaction or operation
– Segregation of duties reduces the opportunity to perpetrate and conceal errors or fraud in the normal course of employees’ assigned functions
– Segregation of duties is generally built into the selection and development of control activities
– When optimal segregation of duties is not possible, management needs to consider the risk, implement additional controls as needed and consider that members of management will need to set a very strong tone from the top and perform additional monitoring
Case study 4
• Instructions:
• Using the segregation of duties diagnostic, propose a segregation of duties plan for Nora and Wayne’s repair business. Personnel include:
• Ann, Bookkeeper – Assume that the bookkeeper is full time (40 hours)
• Andy, administrative person – Assume that the administrative person spends 30 hours a week on taking orders and scheduling and has 10 hours to spend on other tasks
• Non-accounting personnel such as repair personnel could be trained to perform some of the less technical duties
• There is no governing board
• Owners (Wayne and Nora)
For the suggested answer see page 5-49 in the manual
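A small conflict checker that applies the segregation-of-duties rule from the slide above (no one person controls two or more phases of a transaction) to a duty assignment for the case's personnel. This is an added example, not the manual's suggested answer: the duty catalogue, the phase taxonomy and the starting assignment are assumptions constructed for illustration.

```python
"""Segregation-of-duties conflict check.

Constructed example: the duty catalogue, phases and the starting assignment
below are assumptions for illustration, not the manual's suggested answer.
"""
from itertools import combinations

# Duty catalogue (assumed): the transaction cycle(s) each duty touches and the
# phase it represents. Phases follow the usual authorization / recording /
# custody / reconciliation split.
DUTIES = {
    "approve_vendor":          ({"disbursements"}, "authorization"),
    "approve_purchase":        ({"disbursements"}, "authorization"),
    "enter_invoice":           ({"disbursements"}, "recording"),
    "sign_checks":             ({"disbursements"}, "custody"),
    "record_cash_receipts":    ({"receipts"}, "recording"),
    "make_deposit":            ({"receipts"}, "custody"),
    # A bank reconciliation checks both sides of the cash account.
    "reconcile_bank":          ({"disbursements", "receipts"}, "reconciliation"),
    "approve_payroll":         ({"payroll"}, "authorization"),
    "enter_payroll":           ({"payroll"}, "recording"),
    "distribute_paychecks":    ({"payroll"}, "custody"),
    "review_payroll_register": ({"payroll"}, "reconciliation"),
}

# Starting assignment (constructed) for the case's personnel: the bookkeeper
# does most of the accounting, the owners approve, Andy helps where he has time.
ASSIGNMENT = {
    "Ann":   ["enter_invoice", "record_cash_receipts", "enter_payroll",
              "sign_checks", "reconcile_bank"],
    "Andy":  ["approve_purchase", "make_deposit"],
    "Wayne": ["approve_vendor", "approve_payroll"],
    "Nora":  ["review_payroll_register"],
}


def duties_conflict(a, b):
    """Two duties conflict when they are different phases of the same cycle:
    that is what gives one person control over two phases of a transaction."""
    cycles_a, phase_a = DUTIES[a]
    cycles_b, phase_b = DUTIES[b]
    return phase_a != phase_b and bool(cycles_a & cycles_b)


def find_conflicts(assignment):
    """Return (person, duty, duty, shared_cycles) for every conflicting pair."""
    found = []
    for person, held in assignment.items():
        for a, b in combinations(sorted(held), 2):
            if duties_conflict(a, b):
                shared = sorted(DUTIES[a][0] & DUTIES[b][0])
                found.append((person, a, b, shared))
    return found


def eligible_holders(duty, assignment):
    """People who could take over `duty` without creating a new conflict.
    Useful when re-planning: who can reconcile the bank statement?"""
    return sorted(
        person for person, held in assignment.items()
        if duty not in held and not any(duties_conflict(duty, h) for h in held)
    )


def report(assignment):
    """Human-readable summary of the conflicts and possible re-assignments."""
    lines = []
    for person, a, b, shared in find_conflicts(assignment):
        lines.append(f"{person}: {a} + {b} (cycle: {', '.join(shared)})")
    for duty in sorted(DUTIES):
        movers = eligible_holders(duty, assignment) or "nobody"
        lines.append(f"{duty} could move to: {movers}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(ASSIGNMENT))
```

With the constructed assignment every conflict sits with the bookkeeper, and the only person who could take over the bank reconciliation without a new conflict is an owner holding no other cash duty.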
Control activities – principle 10
Principle 10. The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels
• Management Integrates Control with Risk Assessments Performed
• Management Considers Entity-Specific Factors - Differences in objectives, risk, risk responses, and related control activities
• Management Determines Relevant Business Processes
– Completeness: Transactions that occur are recorded
– Accuracy: Transactions are timely recorded at the correct amount in the correct account
– Validity: Recorded transactions represent economic events that actually occurred
Control activities – principle 10
• Management Evaluates a Mix of Control Activity Types - Management considers a variety of transaction control activities for its control portfolio including:
– Authorizations and approvals;
– Verifications;
– Physical controls;
– Controls over standing data (e.g., master files);
– Reconciliations; and
– Supervisory controls
• Management considers a mix of control activities that are preventive and detective
Control activities – principle 10
• Management Considers at What Level Activities Are Applied - In addition to transaction-level controls, management selects and develops a mix of controls that operate more broadly and at higher levels (business performance or analytical reviews involving comparisons of different sets of operating or financial data)
– These relationships are analyzed, investigated, and corrective action taken
• Management Addresses Segregation of Duties
Control activities – principle 11
Principle 11. The organization selects and develops general control activities over technology to support the achievement of objectives
• Management Determines Dependency Between the Use of Technology in Business Processes and Technology General Controls and Implements Effective General Controls -
– The reliability of technology within business processes, including automated controls, depends on the selection, development, and deployment of general control activities over technology
– These general controls help ensure that automated processing controls work properly initially, and that they continue to function properly after implementation. General controls apply to technology infrastructure, security management, and technology acquisition, development, and maintenance
– They also apply to all technology, both IT and technology used in production processes
Control activities – principle 11
• Management Establishes Relevant Technology Infrastructure Control Activities -
– Technology infrastructure may include computers, networks, power supply and backup systems, software, and robotics
– This infrastructure is often complex and rapidly changing. These complexities present risks that need to be understood and addressed, and management should track changes and assess and respond to new risks
Control activities – principle 11
• Management Establishes Relevant Security Management Process Control Activities -
– Security management includes sub-processes and controls over who and what has access to an entity’s technology, including who has the ability to execute transactions
– Security threats can come from both internal and external sources. Evaluating and responding to external threats will be more important when there is reliance on telecom networks and the internet
– Internal threats may come from former or disgruntled employees, who pose unique risks. User access to technology is generally controlled by authentication controls
– These controls are very important and are often the most abused by employees who may share access codes (generally passwords) and IT personnel who do not immediately shut off an employee’s unneeded access to systems resulting from job change or termination
Control activities – principle 11
• Management Establishes Relevant Technology Acquisition, Development, and Maintenance Process Control Activities –
– Technology controls vary depending on risks; large or complex projects have greater risks, and control rigor should be sized accordingly
– Use of packaged software can reduce some risks versus in-house software development
– Another alternative is outsourcing, which, however, presents its own unique risks and often requires additional controls
Control activities – principle 12
Principle 12. The organization deploys control activities through policies that establish what is expected and in procedures that put policies into action
• Management Establishes Policies and Procedures to Support Deployment of Management’s Directives
• Management Establishes Responsibility and Accountability for Executing Policies and Procedures
• Management Specifies that Controls Must Be Performed in a Timely Manner
• Management Ensures that Corrective Action is Taken in Response to Issues Identified
• Management Ensures that Controls are Performed by Competent Personnel
• Management Reassesses Policies and Procedures
Risk and control matrix
• Management should consider using a risk and controls matrix to map significant systems and assertions to internal controls
• Not only for risks but to ensure that there are internal controls responsive to each account balance and class of transaction
• This is a very important activity to perform to help prevent and detect errors and fraud
Selecting controls that are responsive to the risk of fraud
Cash Schemes
• Lapping
• Kiting
• Fictitious Voids and Customer Returns
• Segregation of duties
• Example controls to prevent and detect cash schemes
Selecting controls that are responsive to the risk of fraud
Fraudulent Disbursement Schemes
• Billing
• Check and payment tampering
• Kickbacks
• Duplicate payment
• Stealing checks or theft by electronic transfer
• Segregation of duties
• Example preventive and detective controls
Selecting controls that are responsive to the risk of fraud
Payroll Schemes
• Fictitious employees
• Terminated employees on the payroll
• Inflated wages
• Expense reimbursement and purchasing card fraud
• Segregation of duties
• Example preventive and detective controls
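The detective controls behind this slide (terminated employees still paid, fictitious-employee indicators, inflated wages) and the duplicate-payment item from the disbursement schemes slide, worked through as an added Python example that is not part of the course materials. The employee master, pay runs and check register are constructed sample records, and the 5% tolerance and 30-day window are assumed thresholds.

```python
"""Detective analytics over payroll and disbursement data.

Constructed example: the employee master, pay runs and check register below are
made-up sample records; each function implements one detective control named on
the slides.
"""
from collections import defaultdict
from datetime import date
from itertools import combinations

# --- Constructed sample data ---------------------------------------------------
EMPLOYEES = [  # employee master: termination date (None = active), authorized hourly rate, pay account
    {"id": "E1", "terminated": None,              "rate": 25.0, "bank": "ACCT-1001"},
    {"id": "E2", "terminated": date(2019, 3, 15), "rate": 22.0, "bank": "ACCT-1002"},
    {"id": "E3", "terminated": None,              "rate": 30.0, "bank": "ACCT-1003"},
    {"id": "E4", "terminated": None,              "rate": 20.0, "bank": "ACCT-1001"},  # same account as E1
]
PAY_RUNS = [  # one pay period
    {"emp": "E1", "pay_date": date(2019, 4, 5), "hours": 80, "gross": 2000.0},
    {"emp": "E2", "pay_date": date(2019, 4, 5), "hours": 80, "gross": 1760.0},  # paid after termination
    {"emp": "E3", "pay_date": date(2019, 4, 5), "hours": 80, "gross": 3600.0},  # 45/hr against a 30/hr rate
    {"emp": "E4", "pay_date": date(2019, 4, 5), "hours": 80, "gross": 1600.0},
]
CHECK_REGISTER = [
    {"check": 5001, "vendor": "Acme Parts", "invoice": "INV-77", "amount": 1250.00, "date": date(2019, 4, 2)},
    {"check": 5014, "vendor": "Acme Parts", "invoice": "INV-77", "amount": 1250.00, "date": date(2019, 4, 9)},
    {"check": 5020, "vendor": "Metro Fuel", "invoice": "9983",   "amount": 410.55,  "date": date(2019, 4, 10)},
    {"check": 5031, "vendor": "Metro Fuel", "invoice": "9991",   "amount": 410.55,  "date": date(2019, 4, 20)},
]


def terminated_still_paid(employees, pay_runs):
    """Pay runs dated after the employee's termination date (terminated employees on the payroll)."""
    term = {e["id"]: e["terminated"] for e in employees}
    return [r for r in pay_runs if term.get(r["emp"]) and r["pay_date"] > term[r["emp"]]]


def shared_bank_accounts(employees):
    """Pay accounts receiving pay for more than one employee: a fictitious-employee indicator."""
    by_acct = defaultdict(list)
    for e in employees:
        by_acct[e["bank"]].append(e["id"])
    return {acct: ids for acct, ids in by_acct.items() if len(ids) > 1}


def pay_exceeds_authorized(employees, pay_runs, tolerance=0.05):
    """Gross pay above authorized rate x hours (plus an assumed tolerance): inflated wages."""
    rate = {e["id"]: e["rate"] for e in employees}
    flagged = []
    for r in pay_runs:
        expected = rate[r["emp"]] * r["hours"]
        if r["gross"] > expected * (1 + tolerance):
            flagged.append((r["emp"], r["gross"], expected))
    return flagged


def duplicate_payments(register, window_days=30):
    """Pairs of checks to the same vendor for the same amount that cite the same invoice
    or fall within `window_days` of each other (duplicate-payment indicator)."""
    flagged = []
    for a, b in combinations(sorted(register, key=lambda d: d["date"]), 2):
        if a["vendor"] != b["vendor"] or a["amount"] != b["amount"]:
            continue
        if a["invoice"] == b["invoice"]:
            flagged.append((a["check"], b["check"], "same invoice"))
        elif (b["date"] - a["date"]).days <= window_days:
            flagged.append((a["check"], b["check"], "same amount within window"))
    return flagged


def run_all():
    """Run every evaluation over the sample data and return findings keyed by control."""
    return {
        "terminated_still_paid": terminated_still_paid(EMPLOYEES, PAY_RUNS),
        "shared_bank_accounts": shared_bank_accounts(EMPLOYEES),
        "pay_exceeds_authorized": pay_exceeds_authorized(EMPLOYEES, PAY_RUNS),
        "duplicate_payments": duplicate_payments(CHECK_REGISTER),
    }


if __name__ == "__main__":
    for control, findings in run_all().items():
        print(f"{control}: {findings or 'no exceptions'}")
```

Each function returns the exceptions rather than printing them, so the same checks can be scheduled against an export of the real payroll and check register as an ongoing evaluation.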
Selecting controls that are responsive to the risk of fraud
Noncash Misappropriation
• Median loss for this fraud according to the ACFE 2018 Report is $98,000
• Occurred 21 percent of the time
• Collusion
• Surveillance
• Case Study 6 Question: What could have been done to prevent or detect this fraud?
Case study 6
• Case Study 6 – Suggested Solution
– Collusion was involved
– The highest level of the company involved trusted employees in order to accomplish the scheme
– It is doubtful that surveillance, which would ordinarily have been a good tool, would have worked
– No tone from the top that emphasized ethical values
– Some type of anonymous reporting mechanism, like a hotline, might have led employees who were suspicious to report
Consideration of Fraud in a Single Audit
Chapter 6
Learning objectives
Upon reviewing this chapter, the reader will be able to:
• Understand the distinction between a financial statement audit and a single audit;
• Understand fraud risk factors in a single audit; and
• Implement the fraud risk assessment requirements in a single audit
Introduction
• A Single Audit has two components
– Audit of the financial statements under Generally Accepted Government Auditing Standards (GAGAS)
– Compliance audit of major programs under Uniform Guidance
– GAGAS incorporates GAAS by reference and requires no additional procedures over and above those required
– Additional reporting requirements
Professional guidance
• Primary source of guidance for considering the risk of fraud in a Single Audit is AU-C 240
• AU-C 935, Compliance Audits
• AU-C 240 states that the auditor has a responsibility to consider fraud risks and to design the audit to provide reasonable assurance of detecting fraud that results in the financial statements being materially misstated
• Requirements are also applicable to a Single Audit or any audit, such as a program-specific audit, that is conducted under the Uniform Guidance, as modified for material noncompliance
• AU-C 935 states that the auditor should assess the risks of material noncompliance whether due to fraud or error for each direct and material compliance requirement and should consider whether any of those risks are pervasive to the entity's compliance because they may affect compliance with many compliance requirements
Professional guidance
• Team meeting - Discuss the risks of material noncompliance due to fraud
• Smaller audit - One meeting to discuss all the major programs
• Larger audit, where programs differ and separate teams may audit different major programs - Assess the risk by major program
• One team may work with the single audit but not work with the financial statement audit
• Some entities have entity level anti-fraud programs and controls that address compliance as well as financial statement risks
• These may already have been documented in the financial statement workpapers
• Gain an understanding of the risks of fraud identified in the financial statement audit as well as the extent to which there are mitigating controls
Fraud risk assessment process
• Fraud inquiries of:
– Management, especially those that are involved with grants management
– Those charged with governance
– Internal auditors, if any
– Others
– Ask about any instances or possible instances of noncompliance or abuse
• People who work with one grant often also work with others, so the fraud inquiries may cover more than one major program
Fraud risk assessment process
• Based on the inquiries of the client, various analyses, and communication among the audit team, the auditor identifies and documents:
– Pervasive fraud risks;
– Specific fraud risks; and
– Risk of management override of controls
• Understand and test any supporting entity level internal controls as well as control activities that would help to prevent, detect or deter fraud
• Evaluate the design, implementation and effectiveness
Fraud risk assessment process
• Use information to determine a response to those risks which the auditor believes could result in material noncompliance due to fraud
• Responses could include testing journal entries that were made to the accounts of the major program
• Document:
– Fraud risk assessment;
– Relevant mitigating internal controls;
– Nature, timing, and extent of the audit procedures performed in response to the assessed risk of fraud; and
– Results of those audit procedures
• Peer reviewers have noted that the documentation in single audits relative to the risk of fraud is often lacking
Fraud risks
• Three conditions that generally come together resulting in fraud regardless of whether it is a fraud that impacts a major program or the financial statements are:
– Incentive/Pressure;
– Opportunity; and
– Rationalization
• Although the conditions are the same for a compliance audit, the way they show up in an entity could be different because the subject matter is major programs, not financial statements
• There may also be different incentives for fraudulent financial reporting for governments versus not-for-profit entities
Incentives/pressure risk factors – fraudulent financial reporting
• Intentionally misstate either the financial statements, including program financial statements, or the schedule of expenditure of federal awards
• Poor financial or operating results, external (economic) or internal (operating challenge) conditions
• Governments:
– Declining tax or revenue base
– State or federal cutbacks on funding
– Inability to balance the budget due to excessive expenditures, a shortfall in revenue or both
• Not-for-profit entity:
– Decline in donor base
– Reduced ability to charge for services
– Termination of major funding
Incentives/pressure risk factors – fraudulent financial reporting
• Complex or frequently revised compliance requirements or participant requirements (such as cost sharing or matching requirements) that create incentives to shift costs or incorrectly value transactions
• Stagnant tax or revenue base or declining federal funding, enrollments, or eligible participants
• Significant portion of program management's compensation or performance appraisal is linked to federal award budgetary or program accomplishments or other incentives
• Imminent or anticipated adverse changes in program legislation or regulations that could impair the financial stability or profitability of the entity
• Financial pressure due to declining revenues or increasing expenses, creating incentive to apply non-program costs to federal awards
Incentives/pressure risk factors – fraudulent financial reporting
• Significant pressure to obtain additional funding necessary to stay viable and maintain levels of service
• Investment values that are negatively impacted by declining financial markets
• Adverse publicity or lawsuits that are causing additional expense (e.g., legal fees or public relations costs)
• Pressure to achieve operating results from the board, constituents, management, or regulators
Opportunity risk factors – fraudulent financial reporting
• An organizational structure that is unstable or unnecessarily complex
• Rapid growth due to significant increases in funds without the organizational structure to support it
• Inadequate internal control due to outdated or ineffective accounting or information systems
• Inadequate oversight by those charged with governance over the financial reporting process and management activities
• Inadequate monitoring by management for compliance with policies, laws, and regulations
• Lack of appropriate segregation of duties or independent checks, especially in areas such as eligibility determination and benefit awards
Opportunity risk factors – fraudulent financial reporting
• Lack of appropriate system of authorization and approval of transactions, such as purchasing, contracting, benefit determinations, and eligibility, due to either poorly designed or outdated controls
• Lack of timely and appropriate documentation for transactions, such as eligibility and benefit determinations
• Lack of asset accountability or safeguarding procedures
• Rapid changes in federal award programs
• High turnover rates for employment of accounting, internal audit, or IT staff
Attitude/rationalization risk factors – fraudulent financial reporting
Rationalizations:
• It’s not for me; it’s for the organization or constituents
• It’s only for a short time. Once the grant, loan, donation I’m expecting comes in we will make a journal entry so the financial statements or other documents falsified will be correct
• The federal government has a lot of money and this will help us. They don’t really need it
Attitude/rationalization risk factors – fraudulent financial reporting
• Red flags that might be present:
– Management does not communicate or demonstrate ethical values;
– Management has a history of misstatements or history of alleged fraud or violations of laws and regulations;
– Management frequently overrides internal controls;
– Low morale on the part of senior management;
– Disputes between the governing board and management;
– Disputes with the auditor on accounting and reporting matters; and
– Failure to implement internal control recommendations made by internal audit or the external auditor
Incentives or pressure risk factors – misappropriation of assets
• Personal financial obligations
• Adverse relationship between the employees and the entity (may be difficulties with management)
• Employees believe they have been treated unfairly (promotions, raises, pending layoffs, recognition)
• Employees want the challenge
Opportunity risk factors – misappropriation of assets
• Entity maintains cash or payments are made to the entity in cash
• Cash or other assets are received by many departments
• Capital assets are susceptible to misappropriation
• Lack of segregation of duties
• Lack of documentation of transactions
• Lack of timely reconciliation of account balances to other detail
• Lack of a fraud prevention hotline
• Lack of a code of ethics or conflict of interest policy
Attitude/rationalization risk factors – misappropriation of assets
• Management does not monitor, so employees think misappropriation is not a concern
• Dissatisfied employees (under paid, over worked, not recognized)
• An ineffective or nonexistent means of communicating and supporting the entity’s values or ethics
• Significant subrecipient or subcontract relationships for which there appears to be no clear programmatic or business justification
Attitude/rationalization risk factors – misappropriation of assets
• Management displaying or conveying an attitude of disinterest regarding strict adherence to federal award rules and regulations, such as those related to participant eligibility or benefit determinations
• An individual or individuals with no apparent executive position(s) within the entity appearing to exercise substantial influence over its affairs or over individual federal award programs (for example, a major donor, fund-raiser, or politician)
• An attitude among program personnel that given their position, they are due benefits from the programs
Fraud considerations under GAGAS
• GAGAS incorporates GAAS by reference
• Need for early communication
• Auditors may need to report to third parties and should be aware of the applicable laws
• Report findings in a report on internal control and compliance with provisions of laws, regulations, contracts, and grant agreements based on an audit of the financial statements
• Significant deficiencies, material weaknesses, material noncompliance, and material instances of fraud
• Other instances of fraud that warrant the attention of governance
• If they don’t warrant the attention of governance, the auditor uses judgment
Fraud considerations under GAGAS
• Consider consulting an attorney about whether public reporting would compromise investigative or legal proceedings
• Auditors may limit public reporting under the circumstances
• Report identified or suspected fraud directly to outside parties when:
– Management does not satisfy legal or regulatory requirements to report such information to external parties specified in a law or regulation; or
– Management does not take appropriate steps to respond to what is likely to have a material effect on the financial statements and involves funding received directly or indirectly from a government agency
• In this case auditors should report directly to the funding agency
Fraud considerations under GAGAS
• Before reporting outside the entity the auditor should discuss it with those charged with governance if management does not report it
Fraud reporting considerations under uniform guidance
• Uniform Guidance requires management to report all instances of fraud that deal with federal awards
• Auditor issues report on compliance for each major federal program and a report on internal control over compliance and schedule of findings and questioned costs
• Includes financial statement findings under GAGAS as well as those required by Uniform Guidance
• Auditor is required to report known or likely fraud that affects a federal award unless it has been reported as an audit finding
• Auditor is not required to report information that could compromise investigative or legal proceedings
• Auditor does not have to make additional reports when he/she confirms that the fraud was reported outside the GAGAS auditor’s reports
Cyber Fraud
Chapter 7
Learning objectives
Upon reviewing this chapter, the reader will be able to:
• Identify the most common cyber fraud schemes used today; and
• Identify ways to help prevent cyber fraud
Introduction
• Worldwide spending on cybersecurity is forecasted to reach $133.7 billion in 2022
• 62% of businesses experienced phishing and social engineering attacks in 2018
• 68% of business leaders feel their cybersecurity risks are increasing
• Data breaches exposed 4.1 billion records in the first half of 2019
• 71% of breaches were financially motivated and 25% were motivated by espionage
• 52% of breaches featured hacking, 28% involved malware and 32–33% included phishing or social engineering
Introduction
• Between January 1, 2005 and April 18, 2018 there have been 8,854 recorded breaches
• Ransomware infections were down 52% in 2018
• The top malicious email attachment types are .doc and .dot, which make up 37%; the next highest is .exe at 19.5%
• Hackers attack every 39 seconds, on average 2,244 times a day
• The average time to identify a breach in 2019 was 206 days
• The average cost of data breach is $3.92 million as of 2019
Types of cyber fraud
Top cyber fraud schemes
• Authorized Push Payments (APPs)
– Victims are manipulated into making real-time payments to fraudsters
– Occur due to social engineering attacks involving impersonation
– Fraudsters convince a business or person to send money to them for what appears to be a legitimate purpose
– Victim authorizes bank to make payment to fraudster’s bank account
– Push payments are used to cut time off transactions
– Real estate application
– Prevalent scheme in the UK now being seen in US
• SMS Spoofing is a technique to commit APP fraud using technology to impersonate a trusted party
Top cyber fraud schemes
• Deep fakes and biometrics
– Facial recognition used to unlock cell phones
– Voice biometrics to command smart home devices
– Criminals use artificial intelligence to create fake images or audio manipulations
• Breaching 2FA
– Two-factor authentication
– Use of SIM swapping to circumvent the control
Top cyber fraud schemes
• Denial-of-service and distributed denial-of-service
– Attacks overwhelm a company’s information system’s resources so that it is not able to respond to service requests
– DDoS attack is launched from a large number of other host machines that are infected by malicious software controlled by the attacker
– Hacker doesn’t gain access to a system
– Goal is simply to take a system offline
– Used against competitor or to disrupt a system so that the hacker can launch another type of attack
TCP SYN Flood Attack
[Figure: diagram with labels Victim, Server, Session, Perpetrator, IP 192.168.32, Sniffing legitimate session, Disconnected, DDOS attack; the numbered steps shown in the figure are:]
1. A client connects to a server.
2. The attacker’s computer gains control of the client.
3. The attacker’s computer disconnects the client from the server.
4. The attacker’s computer replaces the client’s IP address with its own IP address and spoofs the client’s sequence numbers.
5. The attacker’s computer continues dialog with the server and the server believes it is still communicating with the client.
Top cyber fraud schemes
• TCP SYN flood attack solutions:
– Place servers behind a firewall configured to stop inbound SYN packets; or
– Increase the size of the connection queue and decrease the timeout on open connections
• Teardrop attack
– Causes the length and fragmentation offset fields in sequential Internet Protocol (IP) packets to overlap one another on the attacked host
– When the attacked system attempts to reconstruct packets during the process it fails, becomes confused and crashes
Top cyber fraud schemes
• Smurf attack
– Uses Internet Protocol (IP) spoofing and the ICMP (internet control message protocol) to saturate a target network with traffic
– Hackers use IP spoofing to convince a system that it is communicating with a known, trusted entity
– Hacker sends a packet with the IP source address of a known, trusted host instead of its own IP, providing the attacker with access to the system
Solution: Patches are available for this type of attack. Alternatively, the entity could disable SMBv2 and block ports 139 and 445
Top cyber fraud schemes
• Ping of Death
– The hacker uses IP packets that are over the maximum size to ‘ping’ a target system
– IP packets of this size are not allowed, so the attacker fragments the IP packet
– Once the target system reassembles the packet, it can experience buffer overflows and other crashes
Solution: Ping of death attacks can be blocked by using a firewall that will check fragmented IP packets for maximum size
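The two checks described for the teardrop and ping of death slides, as an added example that is not part of the course material: a small fragment validator of the kind a firewall or IP reassembler runs before accepting a fragment set. It rejects fragments whose offset and length overlap an earlier fragment (teardrop) and fragment sets whose reassembled size would exceed the 65,535-byte IP maximum (ping of death). Offsets are given in bytes rather than the 8-byte units of the IP header, and all three fragment sets are constructed.

```python
"""Fragment sanity checks for the teardrop and ping of death cases.
Added example, not code from the course; sample fragment sets are constructed."""
from dataclasses import dataclass
from typing import List, Optional

IP_MAX_DATAGRAM = 65535  # maximum IPv4 datagram length (16-bit Total Length field)


@dataclass(frozen=True)
class Fragment:
    """One fragment of an IP datagram.

    offset is in bytes here for readability; the IP header stores it in
    8-byte units, so a real implementation multiplies the field by 8.
    """
    offset: int           # where this fragment's payload sits in the datagram
    length: int           # payload bytes in this fragment
    more_fragments: bool  # MF flag: True on every fragment except the last


def check_fragments(frags: List[Fragment]) -> Optional[str]:
    """Return None if the fragment set may be reassembled, else a drop reason.

    teardrop:       a fragment begins before the previous fragment ends
                    (overlapping offset/length fields)
    ping of death:  the reassembled datagram would exceed 65535 bytes
    """
    if not frags:
        return "empty fragment set"
    ordered = sorted(frags, key=lambda f: f.offset)
    end = 0  # first byte not yet covered by an earlier fragment
    for f in ordered:
        if f.length <= 0:
            return f"zero-length fragment at offset {f.offset}"
        if f.offset < end:
            return f"overlapping fragment at offset {f.offset} (previous ends at {end})"
        end = f.offset + f.length
        if end > IP_MAX_DATAGRAM:
            return f"reassembled size {end} exceeds {IP_MAX_DATAGRAM} bytes"
    if ordered[-1].more_fragments:
        return "last fragment still has MF set (no final fragment)"
    if any(not f.more_fragments for f in ordered[:-1]):
        return "MF flag cleared on a non-final fragment"
    return None


# Constructed fragment sets (not captured traffic).
NORMAL = [Fragment(0, 1480, True), Fragment(1480, 1480, True), Fragment(2960, 100, False)]
TEARDROP = [Fragment(0, 1480, True), Fragment(1400, 200, False)]         # second overlaps the first
PING_OF_DEATH = [Fragment(0, 1480, True), Fragment(65120, 1000, False)]  # would end at byte 66120

if __name__ == "__main__":
    for name, frags in (("normal", NORMAL), ("teardrop", TEARDROP), ("ping of death", PING_OF_DEATH)):
        print(f"{name:14s}: {check_fragments(frags) or 'accepted'}")
```

The validator does not require the set to be gap-free; missing fragments are a reassembly-timeout matter, whereas overlap and oversize are conditions a filter can reject on the first offending fragment.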
Top cyber fraud schemes
• Botnet
– Group of computers that have been infected by malware and are under the control of a fraudster
– Term bot refers to the infected device
– Can be designed for illegal or malicious tasks such as sending spam, stealing data, ransomware, or DDoS attacks
– When used in a DDoS attack the bots carry out attacks against the target systems, overwhelming the target system’s bandwidth and processing capabilities
Solution: Bots can be mitigated by RFC 3704 ingress filtering and black hole filtering
Top cyber fraud schemes
• Phishing and Spear Phishing attacks
Phishing - Hacker sends emails that appear to be from trusted sources with the goal of gaining personal information or convincing users to do something
– Combines social engineering and technical trickery
– Could involve an attachment to an email that loads malware onto a computer
– Could appear to be a link to a website that tricks the victim into downloading malware or providing the hacker with personal information
Top cyber fraud schemes
• Spear phishing is a specific type of phishing activity
– Hackers research the habits and language of the victim and craft emails that are personal and relevant
– Hackers may use email spoofing
– Information in the “From” section appears to come from someone known to the victim, generally someone with the authority to issue instructions
– Another technique that hackers use is website cloning. The hacker copies a legitimate website and the victim enters personally identifiable information (PII) or login credentials
Top cyber fraud schemes
Solution
• Stop and think — Analyze email and don’t just accept that it is from the person who is purported to have sent it. People tend to react to email without thinking
• Hover over the email headers or links in the message — Move the mouse over the link without clicking on it. It is possible that the email address or links are spoofed
• Analyzing email headers — Email headers define how an email got to your address. The “Reply-to” and “Return-Path” parameters should lead to the same domain as is stated in the email
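The header check in the last bullet, automated, as an added example that is not part of the course material: it parses a raw message, confirms that the Reply-To and Return-Path domains lead to the same domain as the From address, and also catches the display-name trick where the visible name shows one address while the real sender is another. It uses only the Python standard library; both messages are constructed, and the subdomain rule in same_org is a simplification (a production check would consult a public-suffix list).

```python
"""Header-alignment check for the phishing red flags listed above: the
Reply-To and Return-Path domains should match the From domain, and a From
display name should not show a different address than the real one.
Added example, not code from the course; both messages are constructed."""
import email
import re
from email.utils import parseaddr
from typing import List, Optional


def domain_of(header_value: Optional[str]) -> Optional[str]:
    """Lower-cased domain of an address header value, or None if unparsable."""
    if not header_value:
        return None
    _display, addr = parseaddr(header_value)
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].lower()


def same_org(a: str, b: str) -> bool:
    """Treat a subdomain as aligned (mail.bank.example vs bank.example).
    Assumption for this example; a production check would also consult a
    public-suffix list so that 'example' alone never counts as a match."""
    return a == b or b.endswith("." + a) or a.endswith("." + b)


def check_header_alignment(raw_message: str) -> List[str]:
    """Return findings for a raw RFC 5322 message; an empty list means aligned."""
    msg = email.message_from_string(raw_message)
    findings: List[str] = []
    from_value = msg.get("From")
    from_domain = domain_of(from_value)
    if from_domain is None:
        return ["From header missing or unparsable"]

    for header in ("Reply-To", "Return-Path"):
        value = msg.get(header)
        if value is None:
            continue  # header absent; nothing to compare
        d = domain_of(value)
        if d is None or not same_org(from_domain, d):
            findings.append(f"{header} domain {d!r} does not match From domain {from_domain!r}")

    # Display-name spoofing: the visible name carries an address at one
    # domain while the real address (in angle brackets) is at another.
    display, _addr = parseaddr(from_value)
    m = re.search(r"[\w.+-]+@([\w.-]+)", display)
    if m and not same_org(from_domain, m.group(1).lower()):
        findings.append(f"display name shows an address at {m.group(1).lower()!r}, "
                        f"actual From domain is {from_domain!r}")
    return findings


# Constructed messages (not real mail).
LEGITIMATE = """\
From: First Bank Alerts <alerts@bank.example>
Reply-To: support@bank.example
Return-Path: <bounce@mail.bank.example>
To: customer@client.example
Subject: Your statement is available

Your monthly statement is ready.
"""

SUSPICIOUS = """\
From: "alerts@bank.example" <noreply@mailer-123.example>
Reply-To: verify-account@bank-secure.example
Return-Path: <x@mailer-123.example>
To: customer@client.example
Subject: Urgent: verify your account

Click the link to verify your account.
"""

if __name__ == "__main__":
    for label, raw in (("legitimate", LEGITIMATE), ("suspicious", SUSPICIOUS)):
        print(label, check_header_alignment(raw) or "headers aligned")
```

A mismatch is a signal for the "stop and think" step, not proof of fraud: legitimate bulk mailers sometimes send on behalf of a bank from their own domain, which is exactly why the verification should be done by contacting the institution through a known channel rather than by replying.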
Top cyber fraud schemes
Drive-by download attacks
• Common method of spreading malware
• Hacker looks for an insecure website and places a malicious script into the code on one of the pages
• Script might install malware directly onto the computer of someone who visits the site, or it might re-direct the victim to a site controlled by the hackers
• Drive-by downloads can happen when visiting a website or viewing an email message or a pop-up window
Top cyber fraud schemes
Drive-by download attacks
• A drive-by download doesn’t rely on the user doing anything to actively enable the attack, which makes it harder to prevent
• Can take advantage of an app, operating system, or web browser that contains security flaws due to unsuccessful updates or lack of updates
Solution: Browsers and operating systems should be kept up to date and insecure websites should be avoided. The more apps or plug-ins someone has on their device, the more vulnerable they are
Top cyber fraud schemes
• Password Attacks
– Hackers will sometimes look around a person’s desk if they are in the same location
– Alternatively they may ‘‘sniff’’ the connection to the network to acquire unencrypted passwords, use social engineering, gain access to a password database, or simply guess
– Brute-force password guessing - Trying passwords based on information that is known about the user such as their name, job title, hobbies, children or pets
– Dictionary attack - The hacker copies an encrypted file that contains the passwords, applies the same encryption to a dictionary of commonly used passwords, and compares the results
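The dictionary attack just described works by hashing a word list once and comparing it with the stored values, which only succeeds when the stored hashes are fast to compute and unsalted. As an added example that is not part of the course material, the following shows the storage scheme that defeats it: a random per-user salt and a deliberately slow key-derivation function from the Python standard library. The iteration count is an assumed cost setting, not a course recommendation.

```python
"""Salted, slow password storage (PBKDF2-HMAC-SHA256 from the standard library).
Added example, not code from the course. Because every user gets a random
salt, a precomputed table of hashed dictionary words matches nothing, and an
attacker must redo the slow derivation separately per user and per guess."""
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 600_000   # assumed cost setting; tune so one derivation takes well over 100 ms
SALT_BYTES = 16
KEY_BYTES = 32


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'pbkdf2_sha256$<iterations>$<salt hex>$<key hex>' for storage."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS, KEY_BYTES)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${key.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iters, salt_hex, key_hex = stored.split("$")
    except ValueError:
        return False  # malformed record
    if algo != "pbkdf2_sha256":
        return False
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                              bytes.fromhex(salt_hex), int(iters), KEY_BYTES)
    return hmac.compare_digest(key, bytes.fromhex(key_hex))


def salt_defeats_precomputation(password: str) -> bool:
    """Two users with the same password get different stored values, so one
    precomputed dictionary cannot be compared against both at once."""
    return hash_password(password) != hash_password(password)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print("verify correct:", verify_password("correct horse battery staple", record))
    print("verify wrong:  ", verify_password("wrong guess", record))
    print("salt varies:   ", salt_defeats_precomputation("Password1"))
```

Storing the iteration count inside the record lets the cost be raised later for new passwords without breaking verification of older ones.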
Top cyber fraud schemes
• Cross-Site Scripting Attacks (XSS)
– Use an entity’s website to run scripts in the victim’s web browser or scriptable application
– Hacker exploits a vulnerability in a website that is otherwise benign
– The victim visits the website and clicks on a page, causing malicious JavaScript that was inserted into the target website to execute
– At best the hacker can then hijack the session
– At the worst, a hacker can steal cookies, log keystrokes, capture screen shots, collect network information, and remotely access and control the victim’s machine
Top cyber fraud schemes
• Cross-Site Scripting Attacks (XSS)
– Solution: Web developers can sanitize data input by users in an HTTP request before reflecting it back
– Make sure all data is validated, filtered or escaped before echoing anything back to the user, such as the values of query parameters during searches
– Give users the option to disable client-side scripts
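The "sanitize before reflecting" solution in concrete form, as an added example that is not part of the course material: a search page that echoes the query parameter unsafely, the same page with the value escaped in both text and attribute context, and an allow-list validator for the "validate or filter" option. The page fragment and the probe string are constructed.

```python
"""Reflected XSS: the unsafe search page beside its escaped and validated form.
Added example, not code from the course; the page fragment and the probe
string are constructed."""
import html
import re


def render_search_unsafe(query: str) -> str:
    """Vulnerable: the user-controlled query is echoed into the HTML as-is,
    so markup or script in the query becomes part of the page."""
    return ('<h1>Results for: ' + query + '</h1>\n'
            '<input name="q" value="' + query + '">')


def render_search_safe(query: str) -> str:
    """Hardened: escape before echoing, in both text and attribute context.
    quote=True also converts the quote characters, so the value attribute
    cannot be closed early by the query."""
    safe = html.escape(query, quote=True)
    return ('<h1>Results for: ' + safe + '</h1>\n'
            '<input name="q" value="' + safe + '">')


# Allow-list of characters a search term needs (assumed for this example).
QUERY_PATTERN = re.compile(r"[\w\s.,'-]{1,100}")


def validate_query(query: str) -> bool:
    """Reject anything outside the allow-list. Escaping still applies to what
    is accepted, because validation rules loosen over time and the output
    context, not the input, decides what is dangerous."""
    return QUERY_PATTERN.fullmatch(query) is not None


def echoes_raw_markup(rendered: str, payload: str) -> bool:
    """True if the payload reached the output with its markup intact."""
    return payload in rendered


# Constructed probe string: closes the attribute, then injects a script tag.
PROBE = '"><script>probe()</script>'

if __name__ == "__main__":
    print("unsafe page echoes probe:", echoes_raw_markup(render_search_unsafe(PROBE), PROBE))
    print("safe page echoes probe:  ", echoes_raw_markup(render_search_safe(PROBE), PROBE))
    print("probe passes validation: ", validate_query(PROBE))
    print(render_search_safe(PROBE))
```

The escaped output renders the probe as literal text in the heading and keeps it inside the input's value attribute; the browser never sees a script element.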
Top cyber fraud schemes
• Eavesdropping
– Intercept network traffic
– The hacker’s goal is to obtain passwords, credit card numbers and other confidential information that a user might be sending over the network
– When eavesdropping is passive the hacker finds information by listening to the message transmission in the network
– Hackers can also actively eavesdrop by camouflaging themselves as a friendly unit sending queries to transmitters. In order to launch an active attack the hacker must first gain knowledge of friendly units
– Solution: Data encryption is the best way to counteract eavesdropping
Top cyber fraud schemes
• Malware
– Macro viruses infiltrate programs most people use every day such as Microsoft Word or Excel
• Viruses attach themselves to an application’s initialization sequence. When a person opens the application, the virus gives the malicious instructions before transferring control to the application. This way it can replicate itself and attach to other code in the victim’s system
– File infectors attach themselves to executable code, such as .exe files. The virus is installed when the code is loaded
– System or boot-record infectors attach to the master boot record on hard disks. When the system is started, it will look at the boot sector and load the virus into memory, where it can spread to other disks and computers
Top cyber fraud schemes
• Malware
– Stealth viruses compromise malware detection software so that the software will report an infected area as being uninfected
– Trojan horses hide in a useful program. They have a malicious function but do not self-replicate. They are used by hackers to infiltrate a system but also have another feature whereby they can establish a back door that can be exploited by the hacker
– Worms do not attach to a host file
• They are self-contained programs that spread across networks and computers, usually through email attachments
• Victim opens an attachment and activates the worm program
• Worm then sends a copy of itself to every contact in the victim’s email program. This enables it to spread itself across the internet, conduct malicious activity and overload email servers which can result in DOS attacks
– Ransomware is a type of malware that blocks access to the victim’s data and threatens to publish or delete it unless a ransom is paid
Top cyber fraud schemes
• Internet of Things (IoT)
– Extends connectivity beyond normal devices to household devices and other objects
Top cyber fraud schemes
• It’s Also a People Problem
– Social engineering is responsible for 93% of data breaches
– Hackers generally use social engineering to gain access to passwords, bank information or a computer so they can install malware to give them access to a lot more
– When the hacker manages to obtain access to one person’s password they have access to that person’s contact list. They can then use the email account of the first victim to send emails to the person’s contacts
– Links can be embedded in the emails, and if the email appears to come from a trusted source, a click on the link gives the hacker a second victim
– The email could also have a download of music, movies, or documents with embedded malware
Top cyber fraud schemes
• Hovering over the email address to see if it is legitimate may not be completely effective since hackers can also camouflage their true email addresses with overlays
• Hackers frequently impersonate companies and the emails look legitimate right down to the logos and key words that the bank might use
• According to Webroot data, financial institutions are the most often impersonated
• Hackers will ask for donations, present an issue and ask the victim to validate information by providing information in a form or clicking on a link, offer something free, respond to a question the victim never asked, claim that the victim is winner of some prize or pose as a co-worker, boss, company executive, etc.
Top cyber fraud schemes
Solutions
• Slow down. Nothing is that urgent that it should not be carefully reviewed
• Ask for oral verification even if it slows down the process. Call the sender and ask
• Go straight to the website of the financial institution purporting to be the sender in a fresh browser and see if there are any messages waiting there
• Delete any requests for financial information or passwords
• Scams come in the form of offers to help, e.g., to restore credit scores, refinance a home, etc. Delete them
• Secure computing devices with anti-virus software, firewalls, email filters, and update them regularly
• Companies should train employees and penalize them for disregarding policies and procedures on information security
Top cyber fraud schemes
Statistics that are good to know:
• 48% of malicious email attachments are office files
• Phishing levels declined, dropping from 1 in 2,995 emails in 2017, to 1 in 3,207 emails in 2018
• 34% of data breaches involved internal participants
• 51% of businesses experienced denial of service attacks in 2018
• The average cost of a ransomware attack on businesses is $133,000
• 69% of organizations don’t believe the threats they’re seeing can be blocked by their anti-virus software
Top cyber fraud schemes
Statistics that are good to know:
• 1 in 36 mobile devices had high risk apps installed
• In 2018, an average of 10,573 malicious mobile apps were blocked per day
• 65% of groups used spear phishing as the primary infection vector
• 1 in 13 web requests lead to malware
• The United States ranks highest with 18.2% of all ransomware attacks
• Most malicious domains, about 60%, are associated with spam campaigns
Internal control imperative
SEC Cyber Fraud Report (2018)
• In October 2018 the SEC issued a report on an investigation into nine companies that experienced losses of almost $100 million due to cyber fraud
• The techniques used by the fraudsters are common
– Company personnel received spoofed or compromised electronic communications from outside sources causing them to transfer funds to the bank accounts of the fraudsters
• One company made 14 electronic transfers based on fictitious emails received from fraudsters masquerading as company executives
• Another company paid 8 invoices over several months to what they believed were legitimate vendors. However, the routing instructions had been changed to a fraudster’s bank account
Internal control imperative
• The SEC did not institute enforcement actions against the companies but made it clear in the report that public companies will be required to assess and adjust their internal controls for the risk of cyber fraud
• Section 13(b)(2)(B) of the Securities Exchange Act is invoked when a public company has:
– Materially misstated its financial statements;
– Paid bribes to foreign government officials;
– Paid commercial bribes; or
– Reimbursed employees for unauthorized expenses
Internal control imperative
• Most prosecutions have involved public companies engaged in accounting fraud
• Internal control charges were levied as lesser included offenses
• The SEC’s report has now opened the possibility for charges to be made when a public company is victimized by a cyber incident and unknowingly disburses funds to cyber fraudsters
• Sections cited would be Section 13(b)(2)(B)(i) and (iii)
– These are the sections that require the execution of transactions and access to company assets to be permitted with management’s general or specific authorization
– Used by the SEC in connection with bribery and expense reimbursement prosecutions where the financial ramifications are generally not material for financial statement purposes
Internal control imperative
• Cases discussed in the report did not involve sophisticated schemes
• Human weakness made them effective
• COSO framework is specific in saying that controls only provide reasonable, not absolute assurance
• SEC report is sobering to read and although ultimately prosecution may only occur when it is evident that internal controls were blatantly ignored, companies should take proactive steps to identify the risk of cyber fraud
• This applies to nonpublic entities as well, if only because cyber fraud is costly to an entity’s financial position and reputation
Internal control imperative
• Entities should consider:
– A robust cyber fraud risk assessment process
– Establishing more stringent cyber security policies and procedures
– Performing scenario analysis including how management could override controls
– Identifying key controls to prevent improper disbursements or accounting errors from cyber fraud focusing on payment requests, authorizations and disbursement approvals especially for large, nonsystematic, time sensitive or foreign transactions
Internal control imperative
• Entities should consider:
– Identifying key controls over changes to vendor disbursement processes
– Evaluating the design of controls and testing them
– A cyber fraud diagnostic from an entity specializing in this service
– Training personnel and penalizing those who violate the controls even through carelessness
– Monitoring activities with data analytic tools for potential improper disbursements
– Public company management should also consider disclosure controls for cyber breaches due to section 302 certifications
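One form the disbursement-related considerations above can take in practice, as an added example that is not part of the course material: a data-analytic pass over a payment log that flags payments made shortly after a change to the vendor’s bank details (especially when the change was not confirmed by callback), large or foreign payments, and payments marked urgent. Thresholds, field names and every record are constructed assumptions.

```python
"""Disbursement monitoring for the red flags listed above. Added example, not
code from the course; thresholds, field names and every record are constructed."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List

HOME_COUNTRY = "US"                        # assumed: where the entity normally pays vendors
LARGE_AMOUNT = 50_000.0                    # assumed review threshold
RECENT_CHANGE_WINDOW = timedelta(days=30)  # assumed: bank-detail changes this recent get a second look
VERIFIED_CHANNEL = "verified callback"     # change confirmed by phoning a number already on file


@dataclass(frozen=True)
class BankDetailChange:
    vendor_id: str
    changed_on: date
    requested_via: str   # "email", "vendor portal", "verified callback", ...


@dataclass(frozen=True)
class Payment:
    payment_id: str
    vendor_id: str
    paid_on: date
    amount: float
    bank_country: str
    urgent: bool


def flag_payments(payments: List[Payment], changes: List[BankDetailChange],
                  home_country: str = HOME_COUNTRY) -> Dict[str, List[str]]:
    """Map payment_id -> list of reasons for every payment that needs review."""
    flagged: Dict[str, List[str]] = {}
    for p in payments:
        reasons: List[str] = []
        # Only changes that were already in effect when the payment was made.
        prior = [c for c in changes
                 if c.vendor_id == p.vendor_id and c.changed_on <= p.paid_on]
        if prior:
            latest = max(prior, key=lambda c: c.changed_on)
            age = p.paid_on - latest.changed_on
            if age <= RECENT_CHANGE_WINDOW:
                reasons.append(f"bank details changed {age.days} days before payment")
                if latest.requested_via != VERIFIED_CHANNEL:
                    reasons.append(f"change requested via {latest.requested_via}, not confirmed by callback")
        if p.amount >= LARGE_AMOUNT:
            reasons.append(f"large payment {p.amount:,.2f}")
        if p.bank_country != home_country:
            reasons.append(f"foreign bank country {p.bank_country}")
        if p.urgent:
            reasons.append("marked urgent by requester")
        if reasons:
            flagged[p.payment_id] = reasons
    return flagged


# Constructed records, not real data.
CHANGES = [
    BankDetailChange("V100", date(2019, 6, 1), "email"),
    BankDetailChange("V200", date(2018, 1, 10), "verified callback"),
]
PAYMENTS = [
    Payment("P1", "V100", date(2019, 6, 10), 75_000.00, "GB", True),
    Payment("P2", "V200", date(2019, 6, 12), 12_000.00, "US", False),
    Payment("P3", "V300", date(2019, 6, 15), 8_000.00, "US", False),
]

if __name__ == "__main__":
    for pid, reasons in flag_payments(PAYMENTS, CHANGES).items():
        print(pid, "->", "; ".join(reasons))
```

The number of reasons attached to a payment is a simple way to rank the review queue; P1 above collects all five and matches the pattern in the SEC cases, where a changed routing instruction was followed by payments nobody independently confirmed.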
Internal control imperative
• Specific Industry Statistics:
– 3% of breach victims were small businesses
– Financial services and manufacturing have the highest percent of exposed sensitive files at 21%
– Financial services had 352,771 exposed sensitive files on average while healthcare, pharma and biotech have 113,491 files on average
– 15% of breaches involved healthcare organizations, 10% in the financial services industry, and 16% in the public sector
– The banking industry incurred the most cybercrime costs in 2018 at $18.3 million
Internal control imperative
• Specific Industry Statistics:
– Smaller organizations (1–250 employees) have the highest targeted malicious email rate at 1 in 323
– The estimated losses in 2019 for the healthcare industry are $25 billion
– Lifestyle (15%), and entertainment (7%) were the most frequently seen categories of malicious apps
– Supply chain attacks were up 78% in 2019
– The financial services industry takes in the highest cost from cybercrime at an average of $18.3 million per company surveyed
– The industry with the highest number of attacks by ransomware is the healthcare industry. Attacks will quadruple by 2020
Internal control imperative
Questions for Discussion:
1. Which of the fraud types have you seen occur in your company (your clients)?
2. How prepared do you believe your company (your clients) is/are for these possible attacks?
Q&A
We will now answer viewer questions that have come in during the webinar
Connect with us
Facebook.com/SurgentProfessionalEducation
Twitter.com/SurgentCPE
LinkedIn.com/company/surgent-professional-education
Thank you!
Individuals: CPE certificates will be available in your Surgent profile within 24 hours.
Groups: please scan and submit the attendance form to [email protected] for CPE certificates.