• As required, participate in the process of creating a strong control environment and designing and implementing fraud control activities, as well as participate in monitoring activities.
• Report suspicions or incidences of fraud.
• Cooperate in investigations.

Internal Auditing

The IIA’s Definition of Internal Auditing states, “Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.” In relation to fraud, this means that internal auditing provides assurance to the board and to management that the controls they have in place are appropriate given the organization’s risk appetite.

Internal auditing should provide objective assurance to the board and management that fraud controls are sufficient for identified fraud risks and ensure that the controls are functioning effectively. Internal auditors may review the comprehensiveness and adequacy of the risks identified by management — especially with regard to management override risks.18

Internal auditors should consider the organization’s assessment of fraud risk when developing their annual audit plan and review management’s fraud management capabilities periodically. They should interview and communicate regularly with those conducting the organization’s risk assessments, as well as others in key positions throughout the organization, to help them ensure that all fraud risks have been considered appropriately. When performing engagements, internal auditors should spend adequate time and attention to evaluating the design and operation of internal controls related to fraud risk management. They should exercise professional skepticism when reviewing activities and be on guard for the signs of fraud. Potential frauds uncovered during an engagement should be treated in accordance with a well-defined response plan consistent with professional and legal standards. Internal auditing should also take an active role in support of the organization’s ethical culture.19

The importance an organization attaches to its internal audit function is an indication of the organization’s commitment to effective internal control. The internal audit charter, which is approved by the board or designated committee, should include internal auditing’s roles and responsibilities related to fraud. Specific internal audit roles in relation to fraud risk management could include initial or full investigation of suspected fraud, root cause analysis and control improvement recommendations, monitoring of a reporting/whistleblower hotline, and providing ethics training sessions.20 If assigned such duties, internal auditing has a responsibility to obtain sufficient skills and competencies, such as knowledge of fraud schemes, investigation techniques, and laws. Effective internal audit functions are adequately funded, staffed, and trained, with appropriate specialized skills given the nature, size, and complexity of the organization and its operating environment. Internal auditing should be independent (have independent authority and reporting relationships), have adequate access to the audit committee, and adhere to professional standards.

18 Refer to the AICPA’s Management Override of Internal Controls: The Achilles’ Heel of Fraud Prevention publication.
19 Refer to IIA Practice Advisory 2130-1: Role of the Internal Audit Activity and Internal Auditor in the Ethical Culture of an Organization.
20 For additional information, refer to IIA Practice Advisories 1210-A2-1: Auditor’s Responsibilities Relating to Fraud Risk Assessment, Prevention, and Detection; and 1210-A2-2: Auditor’s Responsibilities Relating to Fraud Investigation, Reporting, Resolution, and Communication; as well as the IIA–UK and Ireland Fraud Position Statement.
Fraud Risk Management Program Components

Most organizations have written policies and procedures to manage fraud risks, such as codes of conduct, expense account procedures, and incident investigation standards. They usually have some activities that management has implemented to assess risks, ensure compliance, identify and investigate violations, measure and report the organization’s performance to appropriate stakeholders, and communicate expectations. However, few have developed a concise summary of these documents and activities to help them communicate and evaluate their processes. We refer to the aggregate of these as the fraud risk management program (“program”), even if the organization has not formally designated it as such.

It is management’s prerogative, with oversight from the board, to determine the type and format of documentation it wishes to adopt for its program. Suggested formats include:

• A single comprehensive and complete document that addresses all aspects of fraud risk management (i.e., a fraud control policy21).
• A brief strategy outline emphasizing the attributes of fraud control, but leaving the design of specific policies and procedures to those responsible for business functions within the organization.
• An outline, within a control framework, referencing relevant policies, procedures, plans, programs, reports, and responsible positions, developed by the organization’s head office, divisions, or subsidiaries.22

While each organization needs to consider its size and complexity when determining what type of formal documentation is most appropriate, the following elements should be found within a fraud risk management program:

Commitment

The board and senior management should communicate their commitment to fraud risk management. One method would be to embed this commitment in the organization’s values or principles and code of conduct. Another method is issuing a short document (e.g., letter) made available to all employees, vendors, and customers. This summary document should stress the importance of fraud risk mitigation, acknowledge the organization’s vulnerability to fraud, and establish the responsibility for each person within the organization to support fraud risk management. The letter should be endorsed or authored by a senior executive or board member, provided to employees as part of their orientation process, and reissued periodically. The letter could serve as the foundation for, and may be the executive summary of, a fraud control policy.

Fraud Awareness

An ongoing awareness program is a key enabler to convey fraud risk management expectations, as well as an effective preventive control. Awareness of fraud and misconduct schemes is developed through periodic

21 For examples of fraud control policies, see Appendices B and C.
22 Some organizations centralize fraud risk management information under the chief ethics officer or within a framework used by internal auditing or the chief financial officer. Others may have this information spread out across the organization — for example, investigation standards and files in legal, hiring and training information in human resources, hotline information in internal auditing, risk assessment in the enterprise risk management group — and will need to compile it to do an effective evaluation and to enable concise reporting to the board.