Chap7 (Tabag)

97. Each time an internal auditor draws a conclusion based on evidence from a sample, an additional risk, sampling risk, is introduced. An example of sampling risk is
a. Projecting the results of sampling beyond the population tested
b. Using an improper audit procedure with a sample
c. Incorrectly applying an audit procedure to sample data
d. Drawing an erroneous conclusion from sample data

98. In applying variables sampling, an auditor attempts to
a. Estimate a qualitative characteristic of interest
b. Determine various rates of occurrence for specified attributes
c. Discover at least one instance of a critical deviation
d. Predict a monetary population value within a range of precision

99. An auditor's finding was stated as follows: "Twenty of one hundred randomly selected items tested revealed that 200000 of cash discounts on purchases were lost." This variables sampling finding is deficient because the
a. Recommendation specifies no action
b. Sampling methodology is not defined
c. Amount is not material
d. Probable effect on the entire population is not provided

100. In addition to evaluating the frequency of deviations in tests of controls, an auditor should also consider certain qualitative aspects of the deviations. The auditor most likely would give broader consideration to the implications of a deviation if it was
a. The only deviation discovered in the sample
b. Identical to a deviation discovered during the prior year's audit
c. Caused by an employee's misunderstanding of
d. Initially concealed by a forged document

Performing the Engagement (Audit Evidence)

Chapter 7
Fraud

One of the most important risks affecting an organization is its vulnerability to fraud, and no organization is exempt from fraud.

The related International Professional Practices Framework Practice Guide on "Fraud" described the effect of fraud in an organization as follows:

"Monetary losses from fraud are significant. However, the full cost of fraud is immeasurable in terms of time, productivity, and reputation, including customer relationships.
Depending on the severity of the loss, organizations can be irreparably harmed due to the financial impact of fraud activity. Therefore, it is important for organizations to have a strong fraud program that includes awareness, prevention, and detection programs, as well as a fraud risk assessment process to identify fraud risks within the organization."

The practice guide further provides that effective governance processes are the foundation of fraud risk management. Lack of effective corporate governance seriously undermines any fraud risk management program. Because fraud negatively impacts organizations in many ways, financially, reputationally, and through psychological and social implications, it is important for organizations to have a strong fraud program that includes awareness, prevention, and detection programs, as well as a fraud risk assessment process to identify risks within the organization.

The internal audit activity, on the other hand, plays an important role in helping the management in its fraud awareness, prevention and detection program. IIA Standard 1220.A1 requires internal auditors to exercise "due professional care" by considering the following:
- Extent of work needed to achieve the engagement's objectives.
- Relative complexity, materiality, or significance of matters to which assurance procedures are applied.
- Adequacy and effectiveness of governance, risk management and control processes.
- Probability of significant errors, fraud or noncompliance.
- Cost of assurance in relation to potential benefits.

DEFINITION

The IIA offers the following definition of fraud:

"Fraud is any illegal acts characterized by deceit, concealment or violation of trust. These acts are not dependent upon the application of threat of violence or of physical force. Frauds are perpetrated by parties and organizations to obtain money, property or services; to avoid payment or loss of services; or to secure personal or business advantage."

The American Institute of Certified Public Accountants (AICPA) defines fraud based on the definition given by Black's Law Dictionary (6th edition, 1990) as follows:

"Fraud is an intentional perversion of truth for the purpose of inducing another in reliance upon it to part with some valuable thing belonging to him or to surrender a legal right. A false representation of a matter of fact, whether by words or by conduct, by false or misleading allegations, or by concealment of that which should have been disclosed, which deceives and is intended to deceive another so that he shall act upon it to his legal injury. A generic term, embracing all multifarious means which human ingenuity can devise, and which are resorted to by one individual to get advantage over another by false suggestions or by suppression of truth, and includes all surprise, trick, cunning, dissembling, and any unfair way by which another is cheated."

The definition of fraud and error applicable in rendering external audit is also provided below to gain more understanding of the nature of fraud and error.

Philippine Standards on Auditing 240 (PSA) distinguishes fraud and error as follows:

Error refers to an unintentional misstatement in financial statements, including the omission of an amount or a disclosure, such as the following:
- A mistake in gathering or processing data from which financial statements are prepared.
- An incorrect accounting estimate arising from oversight or misinterpretation of facts.
- Mistake in the application of accounting principles relating to measurement, recognition, classification, presentation or disclosure.

Fraud refers to an intentional act by one or more individuals among management, those charged with governance, employees, or third parties, involving the use of deception to obtain an unjust or illegal advantage. It encompasses a range of irregularities and illegal acts characterized by "intentional" deception or misrepresentation which an individual "knows to be false or does not believe to be true" (IIA Practice Advisories).

Thus, the distinguishing factor between fraud and error is whether the underlying action that results in the misstatement of the financial statements is intentional or unintentional.

Examples of Fraud
- Theft
- Unauthorized or illegal use of company assets
- Claims for services or goods not actually provided
- Sale or assignment of fictitious or misrepresented assets
- Intentional failure to act in circumstances where action is required by company policies or law
- Illegal business activities

Responsibility to Prevent and Detect Fraud

If "control", as discussed in Chapter 4, is a process effected by an entity's board of directors, management and other personnel, the same principle is applicable in fraud prevention and detection. Meaning, the board and personnel at all levels of the organization, including every level of management, staff and internal auditors, as well as the organization's external auditors, have responsibility for dealing with fraud risk. Nonetheless, the primary responsibility for the prevention and detection of fraud vests with the management.

Management should place a strong emphasis on fraud prevention, which may reduce opportunities for fraud to take place, and fraud deterrence, which could persuade individuals not to commit fraud because of the likelihood of detection and punishment. This involves establishing a strong control environment and maintaining policies and procedures to assist in achieving the objective
of ensuring, as far as possible, the orderly and efficient conduct of the entity's business. Establishing an appropriate control environment as a deterrent for fraud may include establishing:
- Code of conduct/ethics/fraud policy to set the appropriate tone at the top
- Ethics and whistleblower hotline programs
- Hiring and promotion guidelines and practices
- Oversight by the audit committee, board or other oversight
- Investigation of reported issues and remediation of confirmed

Internal auditors are responsible for assisting companies in preventing and detecting fraud by examining and evaluating the adequacy and the effectiveness of the internal control system, as described in the definition of internal auditing.

Internal auditors are responsible for evaluating management's fraud risk assessment, in particular, their process for identifying, assessing and testing potential fraud and misconduct schemes and scenarios.

Practice Advisory 1210.A2 further provides that internal auditors should have sufficient knowledge to identify indicators of fraud (fraud risk factors, also known as red flags) when conducting engagements, but are not expected to have the expertise of a person whose primary responsibility is detecting and investigating fraud. In fact, audit procedures alone, even when carried out with due professional care, do not guarantee that fraud will be detected.

Although auditors may not be able to know the exact motive or rationalization leading to fraud, they are expected to understand enough about internal control to identify opportunities for fraud. Auditors should likewise understand fraud schemes and scenarios as well as be aware of the signs that point to fraud and how to prevent them. Thus it is the responsibility of every internal audit function to raise fraud awareness within an organization, including encouraging the audit committee and
senior management to set the proper tone at the top, create control consciousness, and help develop a credible response to the potential risk of fraud. Internal audit can reduce the risk of fraud by assessing organization structure and governance structure, job rotation policy, ensuring a seamless audit policy across entities, conducting balance sheet reviews, assessing the whistleblower policy, conducting exit interviews, etc. It should also emphasize the existence of and adherence to organizational values and the corporate code of conduct, as well as report any activities that raise suspicions that these could be illegal, unethical or immoral through the whistleblower hotline or other means. The audit committee and the board expect no less from a competent and value-adding internal audit function.

Managing Fraud

A practice guide entitled "Managing the Business Risk of Fraud: A Practical Guide", issued by the Institute of Internal Auditors, the American Institute of Certified Public Accountants and the Association of Certified Fraud Examiners, identified five (5) key principles for proactively establishing an environment to effectively manage an organization's fraud risks as follows:

Principle 1
As part of an organization's governance structure, a fraud risk management program should be in place, including a written policy (or policies) to convey the expectations of the board of directors and senior management regarding managing fraud risk.

Principle 2
Fraud risk exposure should be assessed periodically by the organization to identify specific potential schemes and events that the organization needs to mitigate.

Principle 3
Prevention techniques to avoid potential key fraud risk events should be established, where feasible, to mitigate possible impacts on the organization.

Principle 4
Detection techniques should be established to uncover fraud events when preventive measures fail or unmitigated risks are realized.

Principle 5
A reporting process should be in place to solicit input on potential fraud, and a coordinated approach to investigation and corrective action should be used to help ensure potential fraud is addressed appropriately and timely.

WHY DOES FRAUD OCCUR?
Research consistently shows three factors associated with fraud. These factors are also referred to as the Fraud Triangle:

1. Incentives/pressures/motivation to commit fraud

Regardless of culture, ethnicity, religion, or other factors, certain individuals will be motivated to commit fraud. A 2007 Oversight Systems study discovered that the primary reasons why fraud occurs are "pressures to do whatever it takes to meet goals".

Practice Advisory 1210 provides the following motivators to commit fraud:
- Power
- Gratification of a desire
- Pressure either from physical stress or from outside parties

The pressures to commit fraud include:
- Management compensation schemes
- Personal wealth tied to financial results or survival of the company
- Other financial pressures to improve earnings or the balance sheet (i.e., to avoid violating a debt covenant)
- Personal factors, including personal financial needs
- To meet a lender's criteria for granting/extending loan facilities
- To meet corporate performance criteria set by the parent company
- To meet personal performance criteria
- To trigger performance-related compensation or earn-out payments
- To preserve a trend of consistent growth, avoiding volatile results
- To reduce the value of an owner-managed business for purposes of a divorce settlement

2. Opportunities to commit fraud

A process may be designed properly for typical conditions; however, a window of opportunity may arise for something to go wrong or create circumstances for the control to fail.
An opportunity for fraud may exist due to poor control design or lack of controls (Practice Advisory 2120). The following are the warning signs indicating opportunities for fraud (red flags or fraud risk factors):
- Weak or non-existent internal controls
- Complex or unstable organizational structure
- Ineffective monitoring of management, either because the board of directors is not effective or management is dominant
- Significant accounting estimates made by management
- Significant related party transactions
- Industry dominance, including the ability to dictate terms to suppliers or customers
- Simple transactions made complex through a disjointed recording process

3. Rationalization of the fraud as acceptable

The nature of fraud rationalization often differs depending on the type of fraud.

For defalcations, rationalizations often revolve around personal issues:
- Personal financial problems
- Mistreatment by the company
- Sense of entitlement
- Everyone does it

For fraudulent financial reporting, the rationalizations may involve personal or organizational issues:
- Compensation based on financial results (personal)
- Ego (personal)
- Necessary for organization to survive

[Box: COSO Report. Characteristics identified by COSO of companies that had perpetrated fraud, and lessons learned]

- Understand the business and how changes in the economy might affect the business
- Understand management's motivations for committing a fraud
- Identify opportunities for
other employees to commit defalcation
- Analyze changes in the company's financial results for reasonableness
- Identify areas that might suggest fraud

4. Evaluating Evidence

The auditor's skepticism should be heightened whenever:
- There are discrepancies in the accounting records
- The auditor finds conflicting or missing evidential matter
- The relationship with management is strained
- There are significant or unusual transactions around year-end

Conducting the Audit

Overview of the process to integrate fraud risk assessment and fraud procedures into the audit includes ten major steps:
- Understand the nature of fraud, motivations to commit fraud, and how fraud may be committed
- Develop and implement an approach based on professional skepticism
- Brainstorm and share knowledge within the audit team
  - Audit team to discuss the risk of material misstatement due to fraud
  - Brainstorming to allow experienced auditors to educate less experienced auditors
  - Set the proper level of professional skepticism for the audit
- Obtain information useful in identifying and assessing fraud risk
  - Topics should include:
- Identify specific fraud risks and areas likely to be affected by fraud
  - Existence of fraud risk indicators should cause the
    1. Expand audit testing to more detailed sampling
    3. Place more emphasis on independent outside
    4. Perform more procedures at year-end
- Evaluate the quality and effectiveness of company controls in mitigating the risk of fraud
  - The procedures used by the auditor should reflect the internal control weaknesses and fraud risk indicators found with the client. Audit procedures used are based on specific control deficiencies.
  - Linkage process: from control deficiencies to audit
    - Consider how fraud can be perpetrated
    - What account balances would be affected and how
    - What audit procedures would provide evidence on whether the account balance is misstated
    - Do the audit procedures provide objective evidence independent of the parties who have access to the assets
  - Using Computers to Analyze the Possibility of Fraud. Audit software can read a file and perform a number of procedures to analyze the possibility of fraud:
    - Mathematical extensions and logical
    - Statistical selection
    - Search for duplicate entries
    - Analyze unusual patterns in data
    - Analysis of logical relationships among datasets
    - Identify unusual sources of entries to an
    - Search for missing data
- Adjust audit procedures to address the risk of fraud and gather evidence specifically related to the possibility of fraud
- Evaluate findings: if evidence signals fraud might exist, consider whether specialists are needed for the audit
- Communicate possibility of fraud to management and audit committee
- Document all steps related to fraud

5. Communicating the Existence of Fraud
a. Fraud should be communicated to a level at which effective action can be taken
b. The auditor must communicate the existence of fraud to management, the board and the audit committee
c. If fraud involves top management, the auditor must assess the actions taken by the board
d. If sufficient actions are not taken, the auditor must consider the control environment and the possible need to resign the engagement
e. The auditor must determine that the financial statements have been corrected and the fraud adequately disclosed
f. If the statements are not corrected, the auditor should issue a qualified or adverse opinion
g. In some cases, the auditor may be required to report the fraud to outside parties, such as to meet regulatory requirements
h. For public companies, material fraud reflects a weakness in internal control and may need to be reported

6. Audit Documentation
a. The audit team should document the full extent of the process described
b.
That documentation should include:
- Discussion among audit team members, including the assessment of fraud risk and how such frauds might take place
- Discussion of the factors that affected the risk
- Audit procedures performed
- Need for corroborating evidence
- Evaluation of audit evidence and communication to required parties

A fraud risk assessment should be performed periodically to identify potential schemes and events that need to be mitigated.

Most organizations have written policies and procedures to manage fraud risks, such as codes of conduct, expense account procedures and incident investigation standards. They usually have some activities that management has implemented to assess risks, ensure compliance, identify and investigate violations, measure and report the organization's performance to appropriate stakeholders, and communicate expectations.

Internal auditing should provide objective assurance to the board and management that the controls they have in place are appropriate and sufficient for identified fraud risks given the organization's risk appetite. Internal auditors may evaluate the comprehensiveness and adequacy of the risks identified by management, especially with regard to management override risks.

The practice guide issued by the IIA/AICPA/ACFE provides guidance for conducting a fraud risk assessment. An effective fraud risk management assessment should identify where fraud may occur and who the perpetrators might be.
Therefore, control activities should always consider both the fraud scheme and the individuals within and outside the organization who could be the perpetrators of each scheme. If the scheme is collusive, preventive controls should be augmented by detective controls, as collusion negates the control effectiveness of segregation of duties.

Fraud, as defined in the Practice Guide, is any intentional act or omission designed to deceive others, resulting in the victim suffering a loss and/or the perpetrator achieving a gain.

Collusive scheme: a scheme performed by two or more

The foregoing definition of fraud entails intentional misconduct, designed to evade detection. As such, the fraud risk assessment should anticipate the behavior of a potential fraud perpetrator. Consequently, it is important to design fraud detection procedures that a perpetrator may not expect. This requires a skeptical mindset and involves asking questions such as:
- How might a fraud perpetrator exploit weaknesses in the system of controls?
- How could a perpetrator override or circumvent
- What could a perpetrator do to conceal the fraud?
Elements of Fraud Risk Assessment

Fraud risk assessment generally includes three key elements:

1. Identify inherent fraud risks
Gather information to obtain the population of fraud risks that could apply to the organization. Included in this process is the explicit consideration of all types of fraud schemes and scenarios; incentives, pressures and opportunities to commit fraud; and fraud risks specific to the organization. Brainstorming enables discussions of the incentives, pressures and opportunities to commit fraud, risks of management override of controls, and the population of fraud risks relevant to the entity. Effective brainstorming involves preparation in advance of the meeting, a leader to set the agenda and facilitate the session, and openness to ideas regarding potential risks and controls. Other risks, such as regulatory and legal misconduct, as well as the impact of information technology (IT) on fraud risks, also should be considered in the fraud risk identification process.

The fraud risk identification process should include an assessment of the incentives, pressures, and opportunities to commit fraud (refer to the discussion on the Fraud Triangle, Table 7-1, page 367). Incentive programs should be evaluated by the board for senior management and by management for others as to how they may affect employees' behavior when conducting business or applying professional judgment (e.g., estimating bad debt allowances or revenue recognition). Financial incentives and the metrics on which they are based can provide a map to where fraud is most likely to occur. There may also be nonfinancial incentives, such as when an employee records a fictitious transaction so he or she does not have to explain an otherwise unplanned variance. Even maintaining the status quo is sometimes a powerful enough incentive for personnel to commit fraud.

2. Assess likelihood and significance of inherent fraud risks
Assess the relative likelihood and potential significance of identified fraud risks based on historical information, known fraud schemes, and interviews with staff, including business process owners. Assessing the likelihood and significance of each potential fraud risk is a subjective process. All fraud risks are not equally likely, nor will all frauds have a significant impact on every organization.
Assessing the likelihood and significance of identified inherent risks allows the organization to manage its fraud risks and apply preventive and detective procedures rationally. It is important to first consider fraud risks to the business on an inherent basis, or without consideration of known controls. By taking this approach, management will be better able to consider all relevant fraud risks and design controls to address the risks. After mapping fraud risks to relevant controls, certain residual risks will remain, including the risk of management's override of established controls.

Significance
Management's assessment of the significance of fraud risk should include not only financial statement and monetary significance, but also significance to the organization's operations, brand value, and reputation, as well as criminal, civil, and regulatory liability. Generally, organizations can categorize the significance of potential frauds in three categories as follows: inconsequential, more than inconsequential, and material.

3. Respond to reasonably likely and significant inherent and residual fraud risks
Decide what the response should be to address the identified risks and perform a cost-benefit analysis of fraud risks over which the organization wants to implement controls or specific fraud detection procedures.

Risk tolerance (page 146) varies from organization to organization. At the highest level, the board sets the organization's risk tolerance level, taking into consideration its responsibilities to all shareholders, capital providers and stakeholders. While some organizations want only to address fraud risks that could have a material financial statement impact, other organizations want to have a more robust fraud response program. Many organizations will state that there is a "zero tolerance" policy with respect to fraud. However, there may be certain fraud risks that an organization considers too expensive and time-consuming to address via controls.
Consequently, the organization may decide not to put controls in place to address such risks. If fraud is discovered, zero tolerance for fraud will be applied.

FRAUD PREVENTION

Prevention is the most proactive fraud-fighting measure. The design and implementation of control activities should be a coordinated effort spearheaded by management with an assembled cast of employees. Collectively, this cross section of the organization should be able to address all of the identified risks, design and implement the control activities, and ensure that the techniques used are adequate to prevent fraud from occurring in accordance with the organization's risk tolerance.

Sample Fraud Preventive Controls

a) Human Resources Procedures. An organization's HR function can play an important role in fraud prevention by implementing the following procedures:
- Performing background investigations
- Anti-fraud training
- Evaluating performance and compensation programs
- Conducting exit interviews

b) Authority Limits. Fraud is less likely when an individual's level of authority is commensurate with his or her level of responsibility. A misalignment between authority and responsibility, particularly in the absence of control activities and segregation of duties, can lead to fraud.

c) Transaction-level Procedures. Reviews of third-party and related-party transactions can also help prevent fraud. Because fraud schemes often involve the use of third-party entities/individuals, organizations need thorough measures at the front end that will prevent the back-end acts.

FRAUD DETECTION

Having effective detective controls in place and visible is one of the strongest deterrents to fraudulent behavior. Used in tandem with preventive controls, detective controls enhance a fraud risk management program's effectiveness by providing evidence that preventive controls are working as intended and identifying fraud that occurs. Although detective controls may
provide evidence that fraud is occurring or has occurred, they are not intended to prevent fraud.

Sample Fraud Detective Controls

a) Whistleblower hotlines

b) Process controls such as reconciliations, independent reviews, physical inspections/counts, analyses, and audits. A lack of, or weakness in, preventive controls increases the risk of fraud and places a greater burden on detective controls. The more significant the fraud risk, the more sensitive to occurrence the detective control should be.

c) Proactive fraud detection procedures

FRAUD INVESTIGATION AND CORRECTIVE ACTION

A reporting process should be in place to solicit input on potential fraud, and a coordinated approach to investigation and corrective action should be used to help ensure potential fraud is addressed appropriately and timely.

It is essential that any violations, deviations, or other breaches of the code of conduct or controls, regardless of where in the organization, or by whom they are committed, be reported and dealt with in a timely manner. Appropriate punishment must be imposed, and suitable remediation completed. The board should ensure that the same rules are applied at all levels of the organization, including senior management.

The investigation and response system should include a process for:
- Categorizing issues
- Confirming the validity of the allegation
- Defining the severity of the allegation
- Escalating the issue or investigation when
- Referring issues outside the scope of the program
- Conducting the investigation and fact-finding
- Resolving or closing the investigation
- Listing types of information that should be kept confidential
- Defining how the investigation will be documented
- Managing and retaining documents and records
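The audit-software tests named under "Using Computers to Analyze the Possibility of Fraud", which also serve as the process-level detective controls described above, can be run as a short script over a ledger file. This is an added example, not code from the chapter: the ledger layout, field names, vendor master, usual data-entry users, approval limit and sample rows are all constructed assumptions.

```python
import csv
import io
from collections import Counter

# Constructed sample data (not from the chapter): a disbursements ledger.
LEDGER_CSV = """check_no,vendor_id,invoice_no,amount,entered_by
1001,V001,INV-100,2500.00,ap_clerk1
1002,V002,INV-207,1200.00,ap_clerk1
1003,V001,INV-100,2500.00,ap_clerk2
1005,V003,INV-311,980.00,ap_clerk1
1006,V999,INV-001,4999.00,treasurer
1007,V002,,640.00,ap_clerk2
"""
VENDOR_MASTER = {"V001", "V002", "V003"}      # assumed approved vendors
USUAL_SOURCES = {"ap_clerk1", "ap_clerk2"}    # assumed normal data-entry users
APPROVAL_LIMIT = 5000.00                      # assumed second-signature threshold


def load_ledger(text):
    """Read the ledger file into typed rows."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["check_no"] = int(r["check_no"])
        r["amount"] = float(r["amount"])
    return rows


def duplicate_entries(rows):
    """Search for duplicate entries: same vendor, invoice and amount paid twice."""
    def key(r):
        return (r["vendor_id"], r["invoice_no"], r["amount"])
    counts = Counter(key(r) for r in rows if r["invoice_no"])
    return sorted(r["check_no"] for r in rows
                  if r["invoice_no"] and counts[key(r)] > 1)


def missing_data(rows):
    """Search for missing data: gaps in check numbers and blank required fields."""
    numbers = {r["check_no"] for r in rows}
    gaps = sorted(set(range(min(numbers), max(numbers) + 1)) - numbers)
    required = ("vendor_id", "invoice_no", "entered_by")
    blanks = sorted(r["check_no"] for r in rows
                    if any(r[f] == "" for f in required))
    return gaps, blanks


def unmatched_vendors(rows, vendor_master):
    """Logical relationship among datasets: each payee must exist in the master."""
    return sorted(r["check_no"] for r in rows
                  if r["vendor_id"] not in vendor_master)


def unusual_sources(rows, usual_sources):
    """Unusual sources of entries: rows keyed in by someone outside the usual group."""
    return sorted(r["check_no"] for r in rows
                  if r["entered_by"] not in usual_sources)


def near_approval_limit(rows, limit, margin=0.02):
    """Unusual pattern: amounts sitting just under the approval limit."""
    floor = limit * (1 - margin)
    return sorted(r["check_no"] for r in rows if floor <= r["amount"] < limit)


def run_tests(text=LEDGER_CSV):
    """Run every test and return the check numbers each one flags."""
    rows = load_ledger(text)
    gaps, blanks = missing_data(rows)
    return {
        "duplicate_entries": duplicate_entries(rows),
        "sequence_gaps": gaps,
        "blank_fields": blanks,
        "unmatched_vendors": unmatched_vendors(rows, VENDOR_MASTER),
        "unusual_sources": unusual_sources(rows, USUAL_SOURCES),
        "near_approval_limit": near_approval_limit(rows, APPROVAL_LIMIT),
    }


if __name__ == "__main__":
    for test, hits in run_tests().items():
        print(f"{test}: {hits}")
```

Each flagged check number is an exception for follow-up with corroborating evidence, not proof of fraud; check 1006 is flagged by three independent tests, which is the kind of convergence that justifies expanded procedures.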
