At each audit committee meeting, the committee should meet separately from management with appropriate individuals, such as the chief internal audit executive and senior financial person. The audit committee should understand how internal and external audit strategies address fraud risk. The audit committee should not only focus on what the auditors are doing to detect fraud, but more importantly on what management is doing to prevent fraud, where possible.

The audit committee should be aware that the organization’s external auditors have a responsibility to plan and perform the audit of the organization’s financial statements to obtain reasonable assurance [15] about whether the financial statements are free of material misstatement, whether caused by error or fraud. The extent and limitations of an external audit are generally governed by the applicable audit standards in place. [16] The audit committee should insist on openness and honesty with the external auditors. The external auditors should also have commitment and cooperation from the audit committee. This includes open and candid dialogue between audit committee members and the external auditors regarding the audit committee’s knowledge of any fraud or suspected fraud affecting the organization as well as how the audit committee exercises oversight activities with respect to the organization’s assessment of the risks of fraud and the programs and controls the organization has established to mitigate these risks.

The audit committee should also seek the advice of legal counsel whenever dealing with issues of allegations of fraud. Fraud allegations should be taken seriously since there may be a legal obligation to investigate and/or report them.

In addition, since reputation risk resulting from fraudulent behavior often has a severe impact on shareholder value, the audit committee should provide specific consideration and oversight of this exposure when reviewing the work of management and internal auditors, and ask them to be alert for and report such exposure as they carry out their duties.

Management

Management has overall responsibility for the design and implementation of a fraud risk management program, including:

• Setting the tone at the top for the rest of the organization. As mentioned, an organization’s culture plays an important role in preventing, detecting, and deterring fraud. Management needs to create a culture through words and actions where it is clear that fraud is not tolerated, that any such behavior is dealt with swiftly and decisively, and that whistleblowers will not suffer retribution.

• Implementing adequate internal controls — including documenting fraud risk management policies and procedures and evaluating their effectiveness — aligned with the organization’s fraud risk assessment. To conduct a reasonable evaluation, it is necessary to compile information from various areas of the organization as part of the fraud risk management program.

• Reporting to the board on what actions have been taken to manage fraud risks and regularly reporting on the effectiveness of the fraud risk management program. This includes reporting any remedial steps that are needed, as well as reporting actual frauds.

Whenever the external auditor has determined that there is evidence that fraud may exist, the external auditor’s professional standards require that the matter should be brought to the attention of an appropriate level of management in a timely manner. If the external auditor suspects fraud involving management, the external auditor must report these suspicions to those charged with governance (e.g., the audit committee).

In many organizations, one executive-level member of management is appointed to be responsible for fraud risk management and to report to the board periodically. This executive, a chief ethics officer for instance, is responsible for entity-level controls that establish the tone at the top and corporate culture. These expectations are often documented in the organization’s values or principles, code of conduct, and related policies; demonstrated through executive communications and behaviors; and included in training programs. The person appointed should be familiar with the organization’s fraud risks and process-level controls, and is often responsible for the design and implementation of the processes used to ensure compliance, reporting, and investigation of alleged violations.

Staff

Strong controls against fraud are the responsibility of everyone in the organization. The importance of internal controls in fraud risk management is not a new concept. In 1992, after more than three years of collaboration between corporate leaders, legislators, regulators, auditors, academics, and many others, COSO presented a common definition of internal controls and provided a framework against which organizations could assess and improve their internal control systems. COSO identified five components in its landmark Internal Control–Integrated Framework — control environment, risk assessment, control activities, information and communication, and monitoring — that may serve as the premise for the design of controls. The elements are deeply intertwined and overlapping in their nature, providing a natural interactive process to promote the type of environment in which fraud simply will not be tolerated at any level. [17]

All levels of staff, including management, should:

• Have a basic understanding of fraud and be aware of the red flags.

• Understand their roles within the internal control framework. Staff members should understand how their job procedures are designed to manage fraud risks and when noncompliance may create an opportunity for fraud to occur or go undetected.

• Read and understand policies and procedures (e.g., the fraud policy, code of conduct, and whistleblower policy), as well as other operational policies and procedures, such as procurement manuals.

[15] The inherent limitations of an external audit regarding matters related to fraud are described in applicable audit standards. The standards acknowledge that owing to the inherent limitations of an external audit, there is an unavoidable risk that some material misstatements of the financial statements — particularly those resulting from fraud — will not be detected, even though the external auditor has properly planned and performed in accordance with generally accepted standards.

[16] Internationally, refer to International Standards on Auditing (ISA) No. 240, The Auditor’s Responsibility to Consider Fraud in an Audit of Financial Statements. In the United States, refer to Statement of Auditing Standards (SAS) No. 99 (AU sec 316), Consideration of Fraud in a Financial Statement Audit; SAS No. 1 (AU sec 1), Codification of Auditing Standards and Procedures; PCAOB AS5; and Section 10A of the Securities Exchange Act of 1934. In Canada, refer to CICA Handbook – Assurance Section 5135, The Auditor’s Responsibility to Consider Fraud. One may also refer to the International Organisation of Supreme Audit Institutions (INTOSAI), the International Federation of Accountants (IFAC) International Auditing and Assurance Standards Board (IAASB), and the Association of Chartered Certified Accountants (ACCA).

[17] Appendix I suggests control activities aligned with each COSO component.