unit 14 - fraud risks and control



STUDY UNIT SEVEN: FRAUD RISKS AND CONTROLS

7.1 Fraud -- Risks and Types .......... 1
7.2 Fraud -- Investigation .......... 6
7.3 Fraud -- Controls .......... 8
7.4 Fraud -- Procedures .......... 9
7.5 Fraud -- Awareness .......... 10

This study unit covers Section III: Fraud Risks and Controls from The IIA's CIA Exam Syllabus. This section makes up 5% to 15% of Part 2 of the CIA exam and is tested at the proficiency level (unless otherwise indicated below). The relevant portion of the syllabus is highlighted below. (The complete syllabus is in Appendix B.)


The prevention or detection of fraud is one of the most important issues in auditing. Practice Advisory 2120-2, Managing the Risk of the Internal Audit Activity, states, "Every organization will experience control breakdowns. Often times when controls fail or frauds occur, someone will ask: 'Where were the internal auditors?'" Thus, the expectations of stakeholders regarding the ability of internal auditors to detect fraud are emphasized in this study unit.

7.1 FRAUD -- RISKS AND TYPES

1. Definition from The IIA Glossary
   a. Fraud is "any illegal act characterized by deceit, concealment, or violation of trust. These acts are not dependent upon the threat of violence or physical force. Frauds are perpetrated by parties and organizations to obtain money, property, or services; to avoid payment or loss of services; or to secure personal or business advantage."

2. Overview
   a. The internal auditor should consider the potential for fraud risks in the assessment of control design and the determination of audit procedures to perform.
      1) Internal auditors should obtain reasonable assurance that objectives for the process under review are achieved and material control deficiencies are detected.
      2) The consideration of fraud risks and their relation to specific audit work are documented.


    Copyright 2012-2013 Gleim Publications, Inc., and/or Gleim Internet, Inc. All rights reserved. Duplication prohibited. www.gleim.com

   b. Internal auditors should have sufficient knowledge of fraud to identify red flags indicating fraud may have been committed.
      1) This knowledge includes the characteristics of fraud, the methods used to commit fraud, and the various fraud schemes associated with the activities reviewed.
   c. Internal auditors should be alert to opportunities that could allow fraud, such as control deficiencies.
      1) If significant control deficiencies are detected, additional procedures may be performed to determine whether fraud has occurred.
   d. Internal auditors should evaluate the indicators of fraud and decide whether any further action is necessary or whether an investigation should be recommended.
   e. Internal auditors should evaluate whether
      1) Management is actively overseeing the fraud risk management programs,
      2) Timely and sufficient corrective measures have been taken with respect to any noted control deficiencies, and
      3) The plan for monitoring the program is adequate.
   f. If appropriate, internal auditors should recommend an investigation.

3. Characteristics of Fraud
   a. Pressure or incentive is the need a person tries to satisfy by committing the fraud.
      1) Situational pressure can be personal (e.g., financial difficulties in an employee's personal life) or organizational (e.g., the desire to release positive news to the financial media).
   b. Opportunity is the ability to commit the fraud.
      1) Opportunity to commit is especially a factor in low-level employee fraud. Poor controls over cash, merchandise, and other organizational property, as well as a lack of compensating accounting controls, are enabling factors.
      2) This characteristic is the one that the organization can most influence, e.g., by means of controls.
   c. Rationalization occurs when a person attributes his/her actions to rational and creditable motives without analysis of the true and, especially, unconscious motives.
      1) Feeling underpaid is a common rationalization for low-level fraud.

4. Effects of Fraud
   a. Monetary losses from fraud are significant, but its full cost is immeasurable in terms of time, productivity, and reputation, including customer relationships.
   b. Thus, an organization should have a fraud program that includes awareness, prevention, and detection programs. It also should have a fraud risk assessment process to identify fraud risks.

5. Types of Fraud
   a. Asset misappropriation is stealing cash or other assets (supplies, inventory, equipment, and information). The theft may be concealed, e.g., by adjusting records. An example is embezzlement, the intentional appropriation of property entrusted to one's care.
   b. Skimming is theft of cash before it is recorded, for example, accepting payment from a customer but not recording the sale.
   c. Disbursement fraud involves payment for fictitious goods or services, overstatement of invoices, or use of invoices for personal reasons.


   d. Expense reimbursement fraud is payment for fictitious or inflated expenses, for example, an expense report for personal travel, nonexistent meals, or extra mileage.
   e. Payroll fraud is a false claim for compensation, for example, overtime for hours not worked or payments to fictitious employees.
   f. Financial statement misrepresentation often overstates assets or revenue or understates liabilities and expenses. Management may benefit by selling stock, receiving bonuses, or concealing another fraud.
   g. Information misrepresentation provides false information, usually to outsiders in the form of fraudulent financial statements.
   h. Corruption is an improper use of power, e.g., bribery. It often leaves little accounting evidence. These crimes usually are uncovered through tips or complaints from third parties. Corruption often involves the purchasing function.
   i. Bribery is offering, giving, receiving, or soliciting anything of value to influence an outcome. Bribes may be offered to key employees such as purchasing agents. Those paying bribes tend to be intermediaries for outside vendors.
   j. A conflict of interest is an undisclosed personal economic interest in a transaction that adversely affects the organization or its shareholders.
   k. A diversion redirects to an employee or outsider a transaction that would normally benefit the organization.
   l. Wrongful use of confidential or proprietary information is fraudulent.
   m. A related-party fraud is receipt of a benefit not obtainable in an arm's-length transaction.
   n. Tax evasion is intentionally falsifying a tax return.

6. Low-Level Fraud vs. Executive Fraud
   a. Fraud committed by staff or line employees most often consists of theft of property or embezzlement of cash. The incentive might be relief of economic hardship, the desire for material gain, or a drug or gambling habit. This type of fraud is intended to benefit individuals.
      1) Stealing petty cash or merchandise, lapping accounts receivable, and creating nonexistent vendors are common forms of low-level fraud.
   b. Fraud at the executive level is very different. The incentive is usually either maintaining or increasing the stock price, receiving a large bonus, or both. This type of fraud is intended to benefit the organization.
      1) Executive level fraud consists most often of materially misstating financial statements.

7. Symptoms of Fraud
   a. A document symptom is any tampering with the accounting records to conceal a fraud. Keeping two sets of books or forcing the books to reconcile are examples.
   b. A lifestyle symptom is an unexplained rise in an employee's social status or level of material consumption.
   c. A behavioral symptom (i.e., a drastic change in an employee's behavior) may indicate the presence of fraud. Guilt and other forms of stress associated with perpetrating and concealing the fraud may cause noticeable changes in behavior.


8. Some Indicators of Possible Fraud
   a. Frauds and their indicators (red flags) have different forms. The following list includes potential motives, opportunities, and rationalization:
      1) Lack of employee rotation in sensitive positions, such as cash handling
      2) Inappropriate combination of job duties
      3) Unclear lines of responsibility and accountability
      4) Unrealistic sales or production goals
      5) An employee who refuses to take vacations or refuses promotion
      6) Established controls not applied consistently
      7) High reported profits when competitors are suffering from an economic downturn
      8) High turnover among supervisory positions in finance and accounting areas
      9) Excessive or unjustifiable use of sole-source procurement
      10) An increase in sales far out of proportion to the increase in cost of goods sold

EXAMPLE from CIA Exam

Which of the following is most likely to be considered an indication of possible fraud?
A. The replacement of the management team after a hostile takeover.
B. Rapid turnover of the organization's financial executives.
C. Rapid expansion into new markets.
D. A government audit of the organization's tax returns.

An internal auditor cannot possibly memorize every red flag for fraud. However, (s)he often can eliminate the answer choices that are inconsistent with the core group of red flags that (s)he has learned.
(A) is incorrect. The replacement of the management team after a hostile takeover is not unusual.
(B) is correct. High turnover among financial executives may suggest a fear of discovery of the inflation of profits or some similar financial misrepresentation.
(C) is incorrect. Rapid expansion into new markets is not unusual.
(D) is incorrect. A government audit of the organization's tax returns is not unusual.

9. Types of Fraudulent Processes
   a. Lapping Receivables
      1) In this fraud, a person (or persons) with access to both customer payments and accounts receivable records steals a customer's payment. The shortage in that customer's account is then covered with a subsequent payment from another customer.
      2) The process continues until (a) a customer complains about his/her payment not being posted, (b) an absence by the perpetrator allows another employee to discover the fraud, or (c) the perpetrator covers the amount stolen.
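The lapping chain described in item a. leaves a signature that an auditor can test for: cash the bank says came from one customer is credited in the subledger to a different customer, and the first victim's payment is never credited at all. The following is an added example, not part of the Gleim text, that reconciles an independent receipts record (e.g., bank lockbox detail) against accounts receivable postings; the data, the two-day posting tolerance, and the finding categories are constructed assumptions.

```python
"""Reconcile bank receipts with accounts-receivable postings to surface the
lapping pattern: A's payment is never posted, B's cash is credited to A,
C's cash is credited to B, and so on.

Added example, not from the Gleim text. All data below is constructed."""
from collections import namedtuple
from datetime import date
from typing import List, Optional

# Independent record of cash received (bank lockbox or deposit detail),
# which the AR clerk does not control.
Receipt = namedtuple("Receipt", "payer amount received")
# What was credited in the AR subledger, which the clerk does control.
Posting = namedtuple("Posting", "account amount posted")
Finding = namedtuple("Finding", "kind when amount detail")


def _take(pool: List[Posting], r: Receipt, same_name: bool,
          max_lag: int) -> Optional[Posting]:
    """Remove and return the first posting of the same amount made within
    max_lag days after the receipt (and, if same_name, to the payer)."""
    for p in pool:
        lag = (p.posted - r.received).days
        if (p.amount == r.amount and 0 <= lag <= max_lag
                and (not same_name or p.account == r.payer)):
            pool.remove(p)
            return p
    return None


def reconcile(receipts: List[Receipt], postings: List[Posting],
              max_lag: int = 2) -> List[Finding]:
    """Pass 1 matches each receipt to a posting that credits the payer.
    Pass 2 pairs whatever is left by amount alone: a receipt that only
    matches a credit to a *different* account is the misapplication that
    lapping depends on; a receipt with no posting at all is the shortage."""
    pool = list(postings)
    leftover: List[Receipt] = []
    for r in sorted(receipts, key=lambda x: x.received):
        if _take(pool, r, True, max_lag) is None:
            leftover.append(r)
    findings: List[Finding] = []
    for r in leftover:
        p = _take(pool, r, False, max_lag)
        if p is None:
            findings.append(Finding("UNPOSTED", r.received, r.amount,
                                    f"payment from {r.payer} never credited"))
        else:
            findings.append(Finding("MISAPPLIED", p.posted, r.amount,
                                    f"funds from {r.payer} credited to {p.account}"))
    for p in pool:  # credits with no cash behind them
        findings.append(Finding("UNSUPPORTED", p.posted, p.amount,
                                f"credit to {p.account} without a receipt"))
    return findings


def unposted_exposure(findings: List[Finding]) -> int:
    """Cash received but never credited: the shortage the lapper is hiding."""
    return sum(f.amount for f in findings if f.kind == "UNPOSTED")


# Constructed sample, amounts in cents. Acme's payment was taken; Brown's
# cash was posted to Acme and Cole's to Brown. Dunn's was posted correctly.
SAMPLE_RECEIPTS = [
    Receipt("Acme", 50_000, date(2024, 3, 1)),
    Receipt("Brown", 50_000, date(2024, 3, 5)),
    Receipt("Cole", 50_000, date(2024, 3, 11)),
    Receipt("Dunn", 12_000, date(2024, 3, 11)),
]
SAMPLE_POSTINGS = [
    Posting("Acme", 50_000, date(2024, 3, 5)),
    Posting("Brown", 50_000, date(2024, 3, 11)),
    Posting("Dunn", 12_000, date(2024, 3, 11)),
]

if __name__ == "__main__":
    found = reconcile(SAMPLE_RECEIPTS, SAMPLE_POSTINGS)
    for f in found:
        print(f.kind, f.when, f.amount, f.detail)
    print("unposted exposure:", unposted_exposure(found))
```

The test only works when the receipts record is produced outside the clerk's reach, which is why item a. stresses access to both payments and AR records as the enabling condition.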

   b. Check Kiting
      1) Kiting exploits the delay between (a) depositing a check in one bank account and (b) clearing the check through the bank on which it was drawn. This practice is only possible when manual checks are used. The widespread use of electronic funds transfer and other networked computer safeguards make electronic kiting difficult.
      2) A check is kited when (a) a person (the kiter) writes an insufficient funds check on an account in one bank and (b) deposits the check in another bank.


      3) The second bank immediately credits the account for some or all of the amount of the check, enabling the kiter to write other checks on that (nonexistent) balance. The kiter then covers the insufficiency in the first bank with another source of funds. The process can proceed in a circle of accounts at any number of banks.

10. Responsibility for Detection
   a. Internal auditors are not responsible for the detection of all fraud, but they always must be alert to the possibility of fraud.

      Implementation Standard 1210.A2
      Internal auditors must have sufficient knowledge to evaluate the risk of fraud and the manner in which it is managed by the organization, but are not expected to have the expertise of a person whose primary responsibility is detecting and investigating fraud.

      1) According to Implementation Standard 1220.A1, internal auditors must exercise due professional care by, among other things, considering the probability of significant errors, fraud, or noncompliance.
      2) Thus, internal auditors must consider the probability of fraud when developing engagement objectives (Implementation Standard 2210.A2).

      Implementation Standard 2120.A2
      The internal audit activity must evaluate the potential for the occurrence of fraud and how the organization manages fraud risk.

   b. An internal auditor's responsibilities for detecting fraud include evaluating fraud indicators and deciding whether any additional action is necessary or whether an investigation should be recommended.

EXAMPLE from CIA Exam

An internal auditor suspects that a mailroom clerk is embezzling funds. In exercising due professional care, the internal auditor should
A. Reassign the clerk to another department.
B. Institute stricter controls over mailroom operations.
C. Evaluate fraud indicators and decide whether further action is necessary.
D. Confront the clerk with the auditor's suspicions.

This question reinforces the proper reaction when an auditor suspects fraud. When signs of fraud are detected, internal auditors must carefully evaluate the facts before acting. If evidence of fraud exists, the matter ordinarily must be reported to the appropriate level when the auditor has enough information.
(A) is incorrect. Personnel assignments are the responsibility of management.
(B) is incorrect. The system of internal controls is management's responsibility.
(C) is correct. When fraud is suspected, the internal auditor evaluates the indicators and decides whether any additional action is necessary or whether an investigation should be recommended.
(D) is incorrect. An internal auditor should not confront a suspect until the proper authorities have been notified and have determined the appropriate action.


7.2 FRAUD -- INVESTIGATION

1. Fraud Investigation
   a. An investigation gathers sufficient information to determine (1) whether fraud has occurred, (2) the loss exposures, (3) who was involved, and (4) how fraud occurred. It should discover the full nature and extent of the fraud.
   b. Internal auditors, lawyers, and other specialists usually conduct fraud investigations.
   c. The investigation and resolution activities must be in accordance with local law, and the auditors should work effectively with legal counsel and become familiar with relevant laws.
   d. Management implements controls over the investigation. They include (1) developing policies and procedures, (2) preserving evidence, (3) responding to the results, (4) reporting, and (5) communications.
      1) Such standards often are documented in a fraud policy, and the internal audit activity may assist in the evaluation of the policy.
      2) Policies and procedures address (a) the rights of individuals; (b) the qualifications of investigators; (c) the relevant laws; and (d) the disciplining of employees, suppliers, or customers, including legal measures.
      3) The authority and responsibilities of those involved in the investigation, especially the investigator and legal counsel, should be clear.
      4) Internal communications about an ongoing investigation should be minimized.
      5) A policy needs to specify the investigator's role in determining whether a fraud has been committed. Either the investigator or management decides whether fraud has occurred, and management decides whether to notify outside authorities.
   e. The role of the internal audit activity in investigations needs to be defined in its charter as well as in fraud policies and procedures.
      1) For example, internal auditing may
         a) Have the primary responsibility for fraud investigations,
         b) Act as a resource for investigations, or
         c) Avoid involvement because it is responsible for assessing investigations or lacks resources.
      2) Any role is acceptable if its effect on independence is recognized and managed appropriately.
      3) Internal auditors typically not only assess investigations but also advise management about the process, including control improvements.
      4) To maintain proficiency, fraud investigation teams must obtain sufficient knowledge of (a) fraudulent schemes, (b) investigation techniques, and (c) applicable laws.
      5) If the internal audit activity is responsible for the investigation, it may use in-house staff, outsourcing, or a combination.
   f. An investigation plan is developed for each investigation.
      1) The lead investigator determines the knowledge, skills, and other competencies needed.
      2) The process includes obtaining assurance that no potential conflict of interest exists with those investigated or any employees of the organization.
      3) Planning should consider the following:
         a) Gathering evidence using surveillance, interviews, or written statements
         b) Documenting and preserving evidence, the legal rules of evidence, and the business uses of the evidence


         c) Determining the extent of the fraud
         d) Determining the methods used to perpetrate the fraud
         e) Evaluating the cause of the fraud
         f) Identifying the perpetrators
      4) The investigation should be coordinated with management, legal counsel, and other specialists.
      5) Investigators need to be prudent, consistent, and knowledgeable of the rights of persons within the scope of the investigation and the reputation of the organization itself.
      6) The level and extent of complicity in the fraud throughout the organization needs to be assessed. This assessment can be critical to avoid (a) destroying or tainting crucial evidence and (b) obtaining misleading information from persons who may be involved.
      7) The investigation needs to secure evidence collected and follow chain-of-custody procedures.

2. Interrogation of Employees
   a. A fraud-related interrogation differs significantly from a normal interview.
      1) The purpose of a typical interview is to gather facts. In an interrogation, the internal auditor has already gathered pertinent facts and is seeking confirmation.
      2) At no time should the internal auditor accuse the employee of committing a crime. If the accusation is unprovable, the organization could have legal liability.
   b. The IIA's Practice Guide, Internal Auditing and Fraud, provides the following guidance:
      1) Typically, the accused individual is interviewed after most applicable evidence has been obtained. Many investigators prefer to approach the accused with sufficient evidence that will support the goal to secure a confession.
      2) Generally the accused is interviewed by two people: (1) an experienced investigator and (2) another individual who takes notes during the interview and later functions as a witness if needed.
      3) In addition, it is essential that all information obtained from the interview is rendered correctly.
   c. The internal auditor should guide the conversation from the general to the specific.
      1) Open questions are generally used early in the interrogation, and closed questions are used later as the auditor comes closer to obtaining a confession.
         a) Open questions are of the type, "Describe your role in the vendor approval process."
         b) Closed questions are of the type, "Do you personally verify the existence of every vendor who seeks approval?"
      2) Normal interviewing methods regarding nonthreatening tone and close observation of body language apply.
   d. The employee should not be allowed to return to his/her normal work area upon completion of the interrogation.
      1) Because the employee is now alert to the fraud investigation, (s)he might be tempted to destroy valuable evidence.


7.3 FRAUD -- CONTROLS

1. Responsibility for Controls
   a. Control is the principal means of preventing fraud.
   b. Management is primarily responsible for establishing and maintaining control.
   c. Internal auditors are primarily responsible for preventing fraud by examining and evaluating the adequacy and effectiveness of control.
      1) They are not responsible for designing and implementing fraud prevention controls.
      2) However, internal auditors acting in a consulting role can help management identify and assess risk and determine the adequacy of the control environment.
         a) Internal auditors also are in a unique position within the organization to recommend changes to improve the control environment.

2. Controls
   a. No text can feasibly present lists of all possible controls. Part 1 of CIA Review contains extensive guidance on control concepts, terminology, and methods. They apply to the design and implementation of controls that are relevant to, among many other things, the prevention and detection of fraud.

EXAMPLE from CIA Exam

During an engagement involving the purchasing department, an internal auditor learned that one vendor rewarded buyers in proportion to the size of orders received. What recommendation should the internal auditor make to reduce the likelihood of future acceptance of such rewards by the buyers?
A. Establishing an employee counseling program.
B. Periodic review of buyer lifestyles.
C. A policy of identifying and reducing buyer situational pressures.
D. A strong, written statement of management's commitment to organizational ethics.

Sometimes the best control is not programmed into a computer application or a requirement for a certain number of signatures. Sometimes the best control is the organization's ethical climate.
(A) is incorrect. Counseling is unlikely to change the behavior of dishonest employees.
(B) is incorrect. Periodic review is a detective (after the fact) control that would not uncover fraud unless a lifestyle change occurred.
(C) is incorrect. Situational pressures external to the organization may be beyond its control. Pressures within the organization, e.g., to improve performance, would be unlikely to cause a buyer to take bribes from vendors.
(D) is correct. One component of internal control is the control environment. Among the factors in that environment (as described in the COSO Framework and defined in The IIA Glossary) are integrity and ethical values and management's philosophy and operating style. A strong commitment by management to ethical conduct reflected in its written policies, personnel practices, interest in effective control, etc., is the most likely of the choices presented to foster the appropriate ethical climate.


7.4 FRAUD -- PROCEDURES

1. Engagement Procedures
   a. The nature and extent of the specific procedures performed to detect and investigate fraud depend on many circumstances. They include (1) the features of the specific engagement, (2) the unique characteristics of the organization, and (3) the internal auditor's risk assessment.
      1) Accordingly, no text can feasibly present lists of all procedures relative to fraud. However, analytical procedures are routinely performed in many engagements. They may provide an early indication of fraud.
   b. Internal auditors should have an awareness of the circumstances in which their own procedures and expertise may be insufficient. Thus, they may need to make use of specialists.
      1) For example, forensic experts may supply special knowledge regarding
         a) Authenticity of documents and signatures,
         b) Mechanical sources of documents (printers, typewriters, computers, etc.),
         c) Paper and ink chemistry, and
         d) Fingerprint analysis.
   c. Forensic auditing is the use of accounting and auditing knowledge and skills in matters having civil or criminal legal implications. Engagements involving fraud, litigation support, and expert witness testimony are examples.

EXAMPLE from CIA Exam

A production manager for a moderate-sized manufacturer began ordering excessive raw materials and had them delivered to a wholesale business that the manager was running on the side. The manager falsified receiving documents and approved the invoices for payment. Which of the following procedures is most likely to detect this fraud?
A. Take a sample of cash disbursements; compare purchase orders, receiving reports, invoices, and check copies.
B. Take a sample of cash disbursements; confirm the amount purchased, purchase price, and date of shipment with the vendors.
C. Observe the receiving dock and count materials received; compare the counts with receiving reports completed by the receiving personnel.
D. Perform analytical tests, comparing production, materials purchased, and raw materials inventory levels; investigate differences.

Routine audit procedures often can detect fraud. Each procedure described in the answer choices is typically performed, and each has a definite objective.
(A) is incorrect. It describes a vouching procedure to detect vendor payments unsupported by documentation. This procedure is ineffective because the fraudulent purchases are supported by fraudulent documentation.
(B) is incorrect. The vendors, lacking knowledge of the fraudulent nature of these purchases, will confirm the amounts and dates.
(C) is incorrect. Given that the improper orders are shipped to another location, observing counts at the receiving dock will not detect the fraud.
(D) is correct. Analytical procedures will detect an inconsistency among purchases, inventory amounts, and production usage.
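The analytical test in answer D reduces to a material balance: inventory movement implies how much material was consumed, and production records say how much should have been. The following is an added example, not part of the Gleim text, that carries out that test period by period and also runs the three-way document match of answer A over the same period to show why matching documents alone would pass; the standard usage rate, the 5% tolerance, and all figures are constructed assumptions.

```python
"""Analytical test from the example above: reconcile raw-material purchases
with production output and inventory counts, period by period, and contrast
it with the vouching test (answer A) that falsified documents defeat.

Added example, not from the Gleim text. All figures are constructed."""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Period:
    name: str
    begin_inv: float      # kg on hand at start of period (physical count)
    purchased: float      # kg per approved vendor invoices
    end_inv: float        # kg on hand at end of period (physical count)
    units_produced: int   # finished units per production records


@dataclass(frozen=True)
class Variance:
    period: str
    implied_usage: float   # begin + purchased - end: what left inventory
    expected_usage: float  # units produced x standard kg per unit
    excess_kg: float       # paid for, but never became product
    excess_pct: float


@dataclass(frozen=True)
class Invoice:
    number: str
    po_qty: float          # quantity on the purchase order
    recv_qty: float        # quantity on the receiving report
    inv_qty: float         # quantity billed
    approved: bool


def analyse(periods: List[Period], std_kg_per_unit: float) -> List[Variance]:
    """Material-balance check for each period."""
    result = []
    for p in periods:
        implied = p.begin_inv + p.purchased - p.end_inv
        expected = p.units_produced * std_kg_per_unit
        excess = implied - expected
        pct = excess / expected if expected else float("inf")
        result.append(Variance(p.name, implied, expected, excess, pct))
    return result


def flagged(variances: List[Variance], tolerance: float = 0.05) -> List[str]:
    """Periods whose excess usage exceeds the tolerable variance."""
    return [v.period for v in variances if v.excess_pct > tolerance]


def vouch(invoices: List[Invoice]) -> List[str]:
    """Three-way match (answer A): invoice numbers with exceptions."""
    return [i.number for i in invoices
            if not (i.approved and i.po_qty == i.recv_qty == i.inv_qty)]


# Constructed data: standard usage is 2 kg per unit. From March the manager
# orders about 2,000 kg a month more than production needs and diverts it,
# so the extra material neither enters inventory nor becomes product.
STD_KG_PER_UNIT = 2.0
PERIODS = [
    Period("Jan", 1000, 4000, 1000, 2000),
    Period("Feb", 1000, 4200, 1100, 2050),
    Period("Mar", 1100, 6000, 1100, 2000),
    Period("Apr", 1100, 6200, 1100, 2100),
]
# March invoices: the diverted order (INV-1003) has a purchase order, a
# falsified receiving report and an approval, so every document agrees.
MARCH_INVOICES = [
    Invoice("INV-1001", 2000, 2000, 2000, True),
    Invoice("INV-1002", 2000, 2000, 2000, True),
    Invoice("INV-1003", 2000, 2000, 2000, True),
]

if __name__ == "__main__":
    variances = analyse(PERIODS, STD_KG_PER_UNIT)
    for v in variances:
        print(f"{v.period}: implied {v.implied_usage:.0f} kg, expected "
              f"{v.expected_usage:.0f} kg, excess {v.excess_pct:+.1%}")
    print("flagged periods:", flagged(variances))
    print("vouching exceptions:", vouch(MARCH_INVOICES))
```

The periods flagged by the balance test are the ones to investigate; the vouching pass returns no exceptions for the same month, which is the point the answer key makes about answer A.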


7.5 FRAUD -- AWARENESS

1. Fraud Prevention System
   a. Fraud prevention involves actions to discourage fraud and limit the exposure when it occurs. A strong ethical culture and setting the correct tone at the top are essential to prevention.
   b. Overlapping control elements of a fraud prevention program are presented below. They are based on the following components of the COSO control framework:
      1) The control environment includes such elements as a code of conduct, ethics policy, or fraud policy.
      2) A fraud risk assessment generally includes the following:
         a) Identifying and prioritizing fraud risk factors and fraud schemes
         b) Mapping existing controls to potential fraud schemes and identifying gaps
         c) Testing operating effectiveness of fraud prevention and detection controls
         d) Documenting and reporting the fraud risk assessment
      3) Control activities are policies and procedures for business processes that include authority limits and segregation of duties.
      4) Fraud-related information and communication practices promote the fraud risk management program and the organization's position on risk. The means used include fraud awareness training and confirming that employees comply with the organization's policies.
         a) A fraud hotline is a convenient way for employees to report suspected improprieties.
      5) Monitoring evaluates antifraud controls through independent evaluations of the fraud risk management program and use of it.

2. Fraud Reporting
   a. The chief audit executive is responsible for fraud reporting. It consists of the various oral or written, interim, or final communications to management or the board regarding the status and results of fraud investigations.
      1) A formal communication may be issued at the conclusion of the investigation that includes time frames, observations, conclusions, resolution, and corrective action to improve controls.
      2) It may need to be written in a manner that provides confidentiality for some of the people involved.
      3) The needs of the board and management, legal requirements, and policies and procedures should be considered.
   b. A draft of the proposed final communication should be submitted to legal counsel for review. To be covered by the attorney-client privilege, the report must be addressed to counsel.
   c. Any incident of significant fraud, or incident that leads the internal auditors to question the level of trust placed in one or more individuals, must be timely reported to senior management and the board.
   d. If previously issued financial statements for 1 or more years may have been adversely affected, senior management and the board also should be informed.


    EXAMPLE From CIA Exam

    Prior to issuing a final communication on a fraud investigation, the internal auditor should submit a proposed draft for review by the

    A. Organization's legal counsel.
    B. Engagement client's management.
    C. Organization's public relations department.
    D. Board.

    This question asks for the appropriate reviewer of the internal auditor's proposed draft.

    (A) is correct. A draft of the proposed final communications on fraud should be submitted to legal counsel for review. When the internal auditor wants to invoke client privilege, consideration should be given to addressing the report to legal counsel.
    (B) is incorrect. An identifiable engagement client may not exist, and review by a client is not always appropriate.
    (C) is incorrect. Publicity is inappropriate when the final communication has not been completed.
    (D) is incorrect. The board should receive the final communication, not the proposed draft.

    3. Resolution of Fraud Incidents

    a. Resolution consists of determining actions to be taken after the investigation is complete.

    1) Management and the board are responsible for resolving fraud incidents.

    b. Resolution may include the following:

    1) Providing closure to persons who were found innocent or reported a problem
    2) Disciplining an employee
    3) Requesting voluntary financial restitution
    4) Terminating contracts with suppliers
    5) Reporting the incident to law enforcement or regulatory bodies, encouraging them to prosecute, and cooperating with them
    6) Filing a civil suit to recover the amount taken
    7) Filing an insurance claim
    8) Complaining to the perpetrator's professional association
    9) Recommending control improvements

    4. Communication of Fraud Incidents

    a. Management or the board determines whether to inform parties outside the organization after consultation with such individuals as legal counsel, human resources personnel, and the CAE.

    1) The organization may need to notify government agencies of certain types of fraudulent acts. It also may need to notify its insurers, bankers, and external auditors of instances of fraud.

    b. Internal communications are a strategic tool used by management to reinforce its position relating to integrity and to show why internal controls are important.


    5. Opinion on Fraud-Related Controls

    a. The internal auditor may be asked by management or the board to express an opinion on internal controls related to fraud. The following provide relevant guidance:

    1) Standards and Practice Advisories related to communication of results (Performance Standard 2400, etc.)
    2) Practice Guide, Formulating and Expressing Internal Audit Opinions

    b. While an opinion on fraud-related controls is acceptable, it would be inappropriate for an internal auditor to give an opinion on the culpability of a fraud suspect.
