acfe fraud prevention check-up - BKD

More documents

Recommendations

Info

• As required, participate in the process of creating a strong control environment and designing andimplementing fraud control activities, as well as participate in monitoring activities.• Report suspicions or incidences of fraud.• Cooperate in investigations.Internal AuditingThe IIA’s Definition of Internal Auditing states, “Internal auditing is an independent, objective assurance andconsulting activity designed to add value and improve an organization’s operations. It helps an organizationaccomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectivenessof risk management, control, and governance processes.” In relation to fraud, this means that internal auditingprovides assurance to the board and to management that the controls they have in place are appropriate given theorganization’s risk appetite.Internal auditing should provide objective assurance to the board and management that fraud controls aresufficient for identified fraud risks and ensure that the controls are functioning effectively. Internal auditors mayreview the comprehensiveness and adequacy of the risks identified by management — especially with regard tomanagement override risks 18 .Internal auditors should consider the organization’s assessment of fraud risk when developing their annual auditplan and review management’s fraud management capabilities periodically. They should interview and communicateregularly with those conducting the organization’s risk assessments, as well as others in key positions throughoutthe organization, to help them ensure that all fraud risks have been considered appropriately. When performingengagements, internal auditors should spend adequate time and attention to evaluating the design and operationof internal controls related to fraud risk management. They should exercise professional skepticism when reviewingactivities and be on guard for the signs of fraud. Potential frauds uncovered during an engagement should betreated in accordance with a well-defined response plan consistent with professional and legal standards. Internalauditing should also take an active role in support of the organization’s ethical culture. 19The importance an organization attaches to its internal audit function is an indication of the organization’scommitment to effective internal control. The internal audit charter, which is approved by the board or designatedcommittee, should include internal auditing’s roles and responsibilities related to fraud. Specific internal auditroles in relation to fraud risk management could include initial or full investigation of suspected fraud, root causeanalysis and control improvement recommendations, monitoring of a reporting/whistleblower hotline, and providingethics training sessions. 20 If assigned such duties, internal auditing has a responsibility to obtain sufficient skillsand competencies, such as knowledge of fraud schemes, investigation techniques, and laws. Effective internal auditfunctions are adequately funded, staffed, and trained, with appropriate specialized skills given the nature, size,and complexity of the organization and its operating environment. Internal auditing should be independent (haveindependent authority and reporting relationships), have adequate access to the audit committee, and adhere toprofessional standards.18Refer to the AICPA’s Management Override of Internal Controls: The Achilles’ Heel of Fraud Prevention publication.19Refer to IIA Practice Advisory 2130-1: Role of the Internal Audit Activity and Internal Auditor in the Ethical Culture of an Organization.20For additional information, refer to IIA Practice Advisories 1210-A2-1: Auditor’s Responsibilities Relating to Fraud Risk Assessment,Prevention, and Detection; and 1210-A2-2: Auditor’s Responsibilities Relating to Fraud Investigation, Reporting, Resolution, andCommunication; as well as the IIA–UK and Ireland Fraud Position Statement.15
Fraud Risk Management Program ComponentsMost organizations have written policies and procedures to manage fraud risks, such as codes of conduct, expenseaccount procedures, and incident investigation standards. They usually have some activities that managementhas implemented to assess risks, ensure compliance, identify and investigate violations, measure and report theorganization’s performance to appropriate stakeholders, and communicate expectations. However, few havedeveloped a concise summary of these documents and activities to help them communicate and evaluate theirprocesses. We refer to the aggregate of these as the fraud risk management program (“program”), even if theorganization has not formally designated it as such.It is management’s prerogative, with oversight from the board, to determine the type and format of documentationit wishes to adopt for its program. Suggested formats include:• A single comprehensive and complete document that addresses all aspects of fraud risk management (i.e., afraud control policy 21 ).• A brief strategy outline emphasizing the attributes of fraud control, but leaving the design of specificpolicies and procedures to those responsible for business functions within the organization.• An outline, within a control framework, referencing relevant policies, procedures, plans, programs, reports,and responsible positions, developed by the organization’s head office, divisions, or subsidiaries. 22While each organization needs to consider its size and complexity when determining what type of formaldocumentation is most appropriate, the following elements should be found within a fraud riskmanagement program:CommitmentThe board and senior management should communicate their commitment to fraud risk management. One methodwould be to embed this commitment in the organization’s values or principles and code of conduct. Another methodis issuing a short document (e.g., letter) made available to all employees, vendors, and customers. This summarydocument should stress the importance of fraud risk mitigation, acknowledge the organization’s vulnerability tofraud, and establish the responsibility for each person within the organization to support fraud risk management.The letter should be endorsed or authored by a senior executive or board member, provided to employees as partof their orientation process, and reissued periodically. The letter could serve as the foundation for, and may be theexecutive summary of, a fraud control policy.Fraud AwarenessAn ongoing awareness program is a key enabler to convey fraud risk management expectations, as well asan effective preventive control. Awareness of fraud and misconduct schemes is developed through periodic21For examples of fraud control policies, see Appendices B and C.22Some organizations centralize fraud risk management information under the chief ethics officer or within a framework used by internalauditing or the chief financial officer. Others may have this information spread out across the organization — for example, investigationstandards and files in legal, hiring and training information in human resources, hotline information in internal auditing, risk assessment in theenterprise risk management group — and will need to compile it to do an effective evaluation and to enable concise reporting to the board.16
Page 1 and 2: ACFE FRAUD PREVENTIONCHECK-UP
Page 3 and 4: ACFE FRAUD PREVENTIONCHECK-UPThe Be
Page 5 and 6: ACFE FRAUD PREVENTIONCHECK-UPACFE F
Page 13 and 14: Sponsored by:The Institute of Inter
Page 15 and 16: Team Members:Toby J.F. Bishop, CPA,
Page 17 and 18: Managing the Business Risk of Fraud
Page 19 and 20: establish their own fraud risk mana
Page 21 and 22: Fraud risk identification may inclu
Page 23 and 24: Thus, to properly address fraud ris
Page 25 and 26: The board also has the responsibili
Page 27: • Implementing adequate internal
Page 31 and 32: ecently been hired in the purchasin
Page 33 and 34: Organizations can identify and asse
Page 35 and 36: The Risk Assessment TeamA good risk
Page 37 and 38: This also involves understanding th
Page 39 and 40: - Invoices for goods not received o
Page 41 and 42: Other RisksRegulatory and Legal Mis
Page 43 and 44: SECTION 3: FRAUD PREVENTIONPrincipl
Page 45 and 46: An organization’s HR group is oft
Page 47 and 48: SECTION 4: FRAUD DETECTIONPrinciple
Page 49 and 50: Process ControlsProcess controls sp
Page 51 and 52: keep such information confidential.
Page 53 and 54: will vary depending on the nature,
Page 55 and 56: Conducting the InvestigationPlannin
Page 57 and 58: • Extended investigation — Cond
Page 59 and 60: Fraud ControlsDeloitte Forensic Cen
Page 61 and 62: APPENDIX B: SAMPLE FRAMEWORK FOR A
Page 63 and 64: APPENDIX C: SAMPLE FRAUD POLICY 41N
Page 65 and 66: CONFIDENTIALITYThe ______________ U
Page 67 and 68: Sample Fraud Policy Decision Matrix
Page 69 and 70: Identified Fraud Risksand Schemes (
Page 71 and 72: 2) Misappropriation of:a) Tangible
Page 73 and 74: ) Embezzlement(1) False accounting
Page 75 and 76: Fraud Prevention Area, Factor, or C
Page 77 and 78: Fraud Prevention Area, Factor, or C
Page 79 and 80:
Fraud Prevention Area, Factor, or C
Page 81 and 82:
Fraud Prevention Area, Factor, or C
Page 83 and 84:
O-Organization / PersonnelO1-Leader
Page 85 and 86:
O4.3 Enhance Operational Skills & C
Page 87 and 88:
PR-Prevent, Protect & PreparePR1-Ge
Page 89 and 90:
E-Periodic EvaluationE1-Evaluation
Page 91 and 92:
I2-CommunicationI2.1 Develop Commun
Page 93 and 94:
CriminologyFraud Prevention Program
Page 95 and 96:
Page 97 and 98:
Page 99 and 100:
Page 101 and 102:
Page 103 and 104:
Page 105 and 106:
Page 107 and 108:
Page 109 and 110:
Page 111 and 112:
Page 113 and 114:
Page 115 and 116:
Page 117 and 118:
Sample Fraud PolicyAssociation of C
Page 119 and 120:
Sample Fraud PolicyCONFIDENTIALITYT
Page 121 and 122:
Sample Fraud PolicyFraud Policy Dec
Page 123 and 124:
Fraud’s Worst Enemyhttp://www.fra
Page 125 and 126:
ACFE Insights - ACFE Insightshttp:/
Page 127:
ACFE Insights - ACFE Insightshttp:/
show all

acfe fraud prevention check-up - BKD

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?