Information Technology and Fraud RiskOrganizations rely on IT to conduct business, communicate, and process financial information. A poorly designedor inadequately controlled IT environment can expose an organization to <strong>fraud</strong>. Today’s computer systems, linkedby national and global networks, face an ongoing threat of cyber <strong>fraud</strong> and a variety of threats that can result insignificant financial and information losses. IT is an important component of any risk assessment, especially whenconsidering <strong>fraud</strong> risks. IT risks include threats to data integrity, threats from hackers to system security, and theft offinancial and sensitive business information. Whether in the form of hacking, economic espionage, Web defacement,sabotage of data, viruses, or unauthorized access to data, IT <strong>fraud</strong> risks can affect everyone. In fact, IT can be usedby people intent on committing <strong>fraud</strong> in any of the three occ<strong>up</strong>ational <strong>fraud</strong> risk areas defined by the ACFE.Examples of those risks by area include:Fraudulent Financial Reporting• Unauthorized access to accounting applications — Personnel with inappropriate access to the generalledger, subsystems, or the financial reporting tool can post <strong>fraud</strong>ulent entries.• Override of system controls — General computer controls include restricted system access, restrictedapplication access, and program change controls. IT personnel may be able to access restricted data oradjust records <strong>fraud</strong>ulently.Misappropriation of Assets• Theft of tangible assets — Individuals who have access to tangible assets (e.g., cash, inventory, and fixedassets) and to the accounting systems that track and record activity related to those assets can use IT toconceal their theft of assets. For example, an individual may establish a fictitious vendor in the vendormaster file to facilitate the payment of false invoices, or someone may steal inventory and charge the costof sales account for the stolen items, thus removing the asset from the balance sheet.• Theft of intangible assets — Given the transition to a services-based, knowledge economy, more and morevaluable assets of organizations are intangibles such as customer lists, business practices, patents, andcopyrighted material. Examples of theft of intangible assets include piracy of software or other copyrightedmaterial by individuals either inside or outside of the organization.Corr<strong>up</strong>tion• Misuse of customer data — Personnel within or outside the organization can obtain employee or customerdata and use such information to obtain credit or for other <strong>fraud</strong>ulent purposes.Keep in mind, cyber <strong>fraud</strong>sters do not even have to leave their homes to commit <strong>fraud</strong>, as they can routecommunications through local phone companies, long-distance carriers, Internet service providers, and wireless andsatellite networks. They may go through computers located in several countries before attacking targeted systemsaround the globe. What is important is that any information — not just financial — is at risk, and the stakes are veryhigh and rising as technology continues to evolve.To manage the ever-growing risks of operating in the information age, an organization should know itsvulnerabilities and be able to mitigate risk in a cost-effective manner. Therefore, IT risk should be incorporatedinto an organization’s overall <strong>fraud</strong> risk assessment.27
Other RisksRegulatory and Legal MisconductRegulatory and legal misconduct includes a wide range of risks, such as conflicts of interest, insider trading, theft ofcompetitor trade secrets, anti-competitive practices, environmental violations, and trade and customs regulations inareas of import/export. Depending on the particular organization and the nature of its business, some or all of theserisks may be applicable and should be considered in the risk assessment process.Reputation RiskReputation risk is evaluated differently by different individuals, either as a separate risk or the end result of otherrisks (e.g., operational, regulatory, or financial reporting). Fraudulent acts can damage an organization’s reputationwith customers, s<strong>up</strong>pliers, and the capital markets. For example, <strong>fraud</strong> leading to a financial restatement damagesan organization’s reputation in the capital markets, which could increase the organization’s cost of borrowing anddepress its market capitalization. Because the board is responsible for the longevity of the organization and hasresponsibilities to multiple stakeholders, it should evaluate its performance regularly with respect to reputation risksand ensure that consideration of reputation risk is part of the organization’s risk assessment process.Assessment of the Likelihood and Significanceof Identified Inherent Fraud RisksAssessing the likelihood and significance of each potential <strong>fraud</strong> risk is a subjective process. All <strong>fraud</strong> risks arenot equally likely, nor will all <strong>fraud</strong>s have a significant impact on every organization. Assessing the likelihood andsignificance of identified inherent risks allows the organization to manage its <strong>fraud</strong> risks and apply preventive anddetective procedures rationally. It is important to first consider <strong>fraud</strong> risks to the business on an inherent basis,or without consideration of known controls. By taking this approach, management will be better able to considerall relevant <strong>fraud</strong> risks and design controls to address the risks. After mapping <strong>fraud</strong> risks to relevant controls,certain residual risks will remain, including the risk of management’s override of established controls. Managementmust evaluate the potential significance of those residual risks and decide on the nature and extent of the <strong>fraud</strong>preventive and detective controls and procedures to address such risks.Likelihood — Management’s assessment of the likelihood of a <strong>fraud</strong> risk occurring is informed by instances ofthat particular <strong>fraud</strong> occurring in the past at the organization, the prevalence of the <strong>fraud</strong> risk in the organization’sindustry, and other factors, including the number of individual transactions, the complexity of the risk, and thenumber of people involved in reviewing or approving the process. Organizations can categorize the likelihood ofpotential <strong>fraud</strong>s occurring in as many buckets as deemed reasonable, but three categories are generally adequate:remote, reasonably possible, and probable.Significance — Management’s assessment of the significance of a <strong>fraud</strong> risk should include not only financialstatement and monetary significance, but also significance to an organization’s operations, brand value, andreputation, as well as criminal, civil, and regulatory liability. For example, two different organizations may havesimilar amounts of expenses charged via employee expense reports, but one organization is a professionalservices firm that charges those expenses to clients. Although the likelihood of the risk of <strong>fraud</strong>ulent expense28
- Page 1 and 2: ACFE FRAUD PREVENTIONCHECK-UP
- Page 3 and 4: ACFE FRAUD PREVENTIONCHECK-UPThe Be
- Page 5 and 6: ACFE FRAUD PREVENTIONCHECK-UPACFE F
- Page 7 and 8: ACFE FRAUD PREVENTIONCHECK-UPACFE F
- Page 9 and 10: ACFE FRAUD PREVENTIONCHECK-UPACFE F
- Page 11 and 12: ACFE FRAUD PREVENTIONCHECK-UPACFE F
- Page 13 and 14: Sponsored by:The Institute of Inter
- Page 15 and 16: Team Members:Toby J.F. Bishop, CPA,
- Page 17 and 18: Managing the Business Risk of Fraud
- Page 19 and 20: establish their own fraud risk mana
- Page 21 and 22: Fraud risk identification may inclu
- Page 23 and 24: Thus, to properly address fraud ris
- Page 25 and 26: The board also has the responsibili
- Page 27 and 28: • Implementing adequate internal
- Page 29 and 30: Fraud Risk Management Program Compo
- Page 31 and 32: ecently been hired in the purchasin
- Page 33 and 34: Organizations can identify and asse
- Page 35 and 36: The Risk Assessment TeamA good risk
- Page 37 and 38: This also involves understanding th
- Page 39: - Invoices for goods not received o
- Page 43 and 44: SECTION 3: FRAUD PREVENTIONPrincipl
- Page 45 and 46: An organization’s HR group is oft
- Page 47 and 48: SECTION 4: FRAUD DETECTIONPrinciple
- Page 49 and 50: Process ControlsProcess controls sp
- Page 51 and 52: keep such information confidential.
- Page 53 and 54: will vary depending on the nature,
- Page 55 and 56: Conducting the InvestigationPlannin
- Page 57 and 58: • Extended investigation — Cond
- Page 59 and 60: Fraud ControlsDeloitte Forensic Cen
- Page 61 and 62: APPENDIX B: SAMPLE FRAMEWORK FOR A
- Page 63 and 64: APPENDIX C: SAMPLE FRAUD POLICY 41N
- Page 65 and 66: CONFIDENTIALITYThe ______________ U
- Page 67 and 68: Sample Fraud Policy Decision Matrix
- Page 69 and 70: Identified Fraud Risksand Schemes (
- Page 71 and 72: 2) Misappropriation of:a) Tangible
- Page 73 and 74: ) Embezzlement(1) False accounting
- Page 75 and 76: Fraud Prevention Area, Factor, or C
- Page 77 and 78: Fraud Prevention Area, Factor, or C
- Page 79 and 80: Fraud Prevention Area, Factor, or C
- Page 81 and 82: Fraud Prevention Area, Factor, or C
- Page 83 and 84: O-Organization / PersonnelO1-Leader
- Page 85 and 86: O4.3 Enhance Operational Skills & C
- Page 87 and 88: PR-Prevent, Protect & PreparePR1-Ge
- Page 89 and 90: E-Periodic EvaluationE1-Evaluation
- Page 91 and 92:
I2-CommunicationI2.1 Develop Commun
- Page 93 and 94:
CriminologyFraud Prevention Program
- Page 95 and 96:
CriminologyFraud Prevention Program
- Page 97 and 98:
CriminologyFraud Prevention Program
- Page 99 and 100:
CriminologyFraud Prevention Program
- Page 101 and 102:
CriminologyFraud Prevention Program
- Page 103 and 104:
CriminologyFraud Prevention Program
- Page 105 and 106:
CriminologyFraud Prevention Program
- Page 107 and 108:
CriminologyFraud Prevention Program
- Page 109 and 110:
CriminologyFraud Prevention Program
- Page 111 and 112:
CriminologyFraud Prevention Program
- Page 113 and 114:
CriminologyFraud Prevention Program
- Page 115 and 116:
CriminologyFraud Prevention Program
- Page 117 and 118:
Sample Fraud PolicyAssociation of C
- Page 119 and 120:
Sample Fraud PolicyCONFIDENTIALITYT
- Page 121 and 122:
Sample Fraud PolicyFraud Policy Dec
- Page 123 and 124:
Fraud’s Worst Enemyhttp://www.fra
- Page 125 and 126:
ACFE Insights - ACFE Insightshttp:/
- Page 127:
ACFE Insights - ACFE Insightshttp:/