Fraud Prevention and Deterrence Understanding Criminal Behavior

Understanding Criminal Behavior


I. Overview of Behavioral Analysis
a. Behavioral studies, such as those conducted by B. F. Skinner, show that:
i. Punishment is the least effective method of changing behavior.
ii. Punishment brings a temporary suppression of an undesirable behavior, but
the behavior typically returns as soon as the punishment is discontinued.
iii. Behavior is most effectively modified by managing and modifying desires
through reinforcement (i.e., replacing destructive behaviors with productive
ones, instead of trying to punish an already existing impulse).
II. Reinforcement vs. Punishment of Behaviors
a. Reinforcement and punishment of behavior are distinguished by the way that
positive and negative forces are applied.
i. Reinforcement
1. A positive reinforcement presents a positive stimulus in exchange for
the desired response.
2. A negative reinforcement withdraws a negative stimulus in exchange
for the response.
ii. Punishment
1. Involves either applying a negative stimulus or withdrawing a positive
stimulus
2. Works by providing negative consequences—administering penalties
and taking away desirables
III. Conditioning Behaviors
a. Skinner says that we can condition incompatible behavior that interferes with a
person's undesired acts by encouraging the improper behavior's opposite (e.g., by
rewarding a child for controlling emotional outbursts rather than punishing the child
for having a tantrum).
b. Destructive behaviors should be offset by incompatible productive ones.
c. Since fraud involves dishonesty, secrecy, and antagonistic behaviors, the astute
manager finds ways to reward the opposite behaviors—honesty, openness, and
cooperation.
IV. Theories of Crime Causation
a. Rational choice theory
i. Asserts that the decision to commit a crime is a rational and careful choice
on the perpetrator's part with the goal of some intended benefit
ii. Before committing a crime, the offender performs a cost-benefit analysis that
evaluates the possibility of getting caught and the severity of the
consequences against the benefits of committing the crime.
iii. Criminal activity will occur when the opportunity to engage in it is
present. Therefore, the best way to reduce crime is by making it more
difficult to commit.
iv. Rational choice theory presents crime as a conscious choice that must be
met with reduced opportunities for criminal activity and increased personal
risk in order for deterrence methods to be successful.
b. Routine activities theory
i. Holds that both the motivation to commit crime and the supply of offenders are
constant
ii. There will always be a certain number of people, motivated by greed, lust,
and other forces, who are inclined toward lawbreaking.
iii. Three important elements that influence crime include:

CFE Exam Review Course: 2022 Edition 281


1. The availability of suitable targets, such as companies and
individuals
2. The absence of capable guardians, such as auditors and security
personnel
3. The presence of motivated offenders, such as unhappy or financially
challenged employees


iv. Crime is likely to occur when the three elements come together.
v. If someone thinks it is likely that they will be caught or there is not a suitable
target, then they are less likely to commit a crime.
c. Theory of differential association
i. Asserts that people learn the values, attitudes, techniques, and motives for
criminal behavior by communicating with and participating in intimate
personal groups
ii. Main points made by criminologist Edwin Sutherland:
1. Criminal behavior is learned.
2. It is learned from other people in a process of communication.
3. Criminal behavior is acquired through participation with intimate
personal groups.
4. Learning criminal behavior involves all the mechanisms of other
learning.
5. Learning differs from pure imitation.
6. While criminal behavior is an expression of general needs and
values, it is not explained by these needs and values.
d. Social control theory
i. Suggests that if a person fails to become attached to the variety of control
agencies of the society, that person's chances of violating the law increase
ii. People confronted with the possibility of violating a law are likely to ask
themselves questions such as, "What will my family or friends think if they
find out?"
iii. To the extent that individuals believe that other people whose opinions are
important to them will be disappointed or ashamed, and to the extent that
they care deeply that these people will feel this way, they will be deterred
from committing a criminal act.
e. Differential reinforcement theory
i. States that whether deviant or criminal behavior begins or persists depends
on the degree to which it has been rewarded or punished, as well as the
rewards or punishments attached to its alternatives
ii. Behavior is reinforced when positive rewards are gained (positive
reinforcement) or punishment is avoided (negative reinforcement).
iii. It is weakened by negative stimuli (punishment) and loss of reward (negative
punishment).


Sample Prep Questions

Question 1

According to B. F. Skinner, the MOST EFFECTIVE way to modify a person's behavior is through:

A. Punishment

B. Positive reinforcement

C. Negative reinforcement

D. None of the above

Question 2

Social control theory suggests that the farther an individual strays from the norms of society, the
more likely they are to commit a crime.

A. True

B. False


Question 3

The theory of differential association is used frequently to explain white-collar criminality. Which
of the following is one of the assertions or principles of differential association?

A. People are genetically predisposed to be criminals.

B. Criminal behavior is acquired through participation with intimate personal groups.

C. Criminal behavior is explained by an individual's general needs and values.

D. Learning is the same as pure imitation.


Question 4
Which of the following is one of the three elements that have the most influence on crime
according to the routine activities theory?

A. The availability of suitable targets

B. The absence of capable guardians

C. The presence of motivated offenders

D. All of the above


White-Collar Crime
I. What Is White-Collar Crime?
a. According to Albert J. Reiss, Jr., and Albert Biderman, "Those violations of law to
which penalties are attached that involve the use of a violator's position of economic
power, influence, or trust in the legitimate economic or political institutional order for
the purpose of illegal gain, or to commit an illegal act for personal or organizational
gain"
II. Organizational Opportunity
a. The determinant aspect of white-collar crime
b. Organization and complexity make a larger difference than the offender's social
status.
III. Contributing Factors to the Rise of White-Collar Crime
a. The economy increasingly runs on credit, which often means rising personal debt.
b. New information technologies mean that the opportunity for wrongdoing is growing.
c. There is an overarching culture based on affluence and ever-higher levels of
success. Media sources, and advertising in general, promise that no one has to settle
for second best.
IV. Referring White-Collar Criminals to Law Enforcement
a. According to the ACFE's 2020 Report to the Nations, 59% of occupational fraud
cases were referred to law enforcement for prosecution.
b. The Report to the Nations also found that 80% of fraud cases in the study resulted in
some form of internal punishment for the perpetrator in response to the fraud, with
66% reporting termination, 10% reporting that they were permitted or required to
resign, and 9% reporting that they were placed on probation or suspended.
c. For organizations that chose to handle fraud cases internally instead of referring them
to law enforcement for prosecution, 46% of companies declined to refer cases
because they believed their organization's internal discipline mechanisms were
sufficient, 32% did so for fear of negative publicity, 17% thought prosecution would be
too costly, 10% said there was a lack of evidence, and 6% chose to pursue civil suits
instead.
V. Organizational Crime
a. Organizational vs. occupational crime
i. Organizational crime is that which is committed by businesses, particularly
corporations, and the government.
ii. Occupational crime involves legal offenses committed by individuals in the
course of their occupation.
b. Effect of organizational structure on criminal behavior
i. Complex companies are more prone to misbehavior due to isolation of
departments and locations.
ii. Information about what one part of a company is doing might be unknown in
another part, which makes it less likely that criminal behavior will be detected
and punished.
iii. The larger a company grows, the more specialized its subunits tend to
become, and this specialization thereby breeds a higher risk of fraud.
iv. Specialization helps hide illegal activity because people do not know
particulars about how things work.
c. Criminogenic nature of organizations
i. Assertions of sociologist Edward Gross
1. All organizations are inherently criminogenic (i.e., prone to committing
crime), though not necessarily criminal.


2. This tendency is due to their reliance on "the bottom line."


3. Without necessarily meaning to, organizations can invite fraud as a
means of obtaining goals.
ii. Diane Vaughan findings
1. Organizations can also be criminogenic because they encourage
loyalty. The reasons are that:
a. The organization tends to recruit and attract similar
individuals.
b. Rewards are given out to those who display characteristics of
the "company man."
c. Long-term loyalty is encouraged through company retirement
and benefits.
d. Loyalty is encouraged through social interaction, such as
company parties and social functions.
e. Frequent transfers and long working hours encourage
isolation from other groups.
f. Specialized job skills can discourage personnel from
seeking employment elsewhere.
g. Management links employee performance goals with company
performance goals.
iii. Findings of criminologist Charles McCaghy
1. Profit pressure is "the single most compelling factor behind
deviance by industry, whether it be price fixing, the destruction of
competition, or the misrepresentation of a product."
iv. Findings related to obedience
1. Organizations display criminogenic tendencies due to their
reinforcement of obedience to authority figures.
2. Human beings have an innate instinct to do as they are told, which
can lead individuals who are otherwise ethical to commit wrongdoing
as a way to please management or another figure of authority
because they feel they have no other choice.
3. Dr. Stanley Milgram, a social psychologist, conducted an experiment
to understand why people follow certain orders when doing so
conflicts with their personal values, morals, and ethics. His study
found that 60% of people were willing to shock another person when
pushed to do so by an authority figure.
4. In hierarchical organizations that encourage obedience and engage in
fraudulent behavior at the highest levels, lower-level staff members'
reluctance to disobey authority figures can leave them feeling that
they must take part in the fraudulent behavior, even when such
behavior is inconsistent with their personal moral code.
d. Effects of white-collar crime
i. The direct cost of fraud relates to the amount of financial damages and losses
resulting from a fraud scheme.
1. Direct costs can include calculable financial loss or costs due to fines,
penalties, and regulatory sanctions, and they can result in difficulty
paying back loans or lines of credit.
ii. It is much more difficult for organizations to estimate the indirect costs
associated with fraud.
1. Indirect losses include:
a. Reputational damage
b. Loss of competitive advantage


c. Loss of employee confidence in job security


d. Loss of employee productivity
e. Management's role in supporting criminal conduct
i. Silk and Vogel found several arguments used by businesses to rationalize criminal
conduct in an organization:
1. Government regulations are unjustified because the additional costs
of regulations and bureaucratic procedures cut heavily into profits.
2. Regulation is unnecessary because the matters being regulated are
unimportant.
3. Although some corporate violations involve large sums of money, the
damage is so diffused among a large number of consumers that,
individually, there is little loss.
4. Violations are caused by economic necessity; they aim to protect the
value of stock, to ensure an adequate return for stockholders, and to
protect employees' job security by ensuring the corporation's financial
stability.
f. Controlling organizational crime
i. Efforts to control corporate crime follow three approaches:
1. Voluntary change in corporate attitudes and structure
2. Strong intervention by the government to force changes in corporate
structure, accompanied by legal measures to deter or punish
3. Consumer action
ii. Studies have shown that mass media publicity about law violations probably
represents the most feared consequence of sanctions imposed on a
corporation.
g. Enforcement strategies for preventing and reducing fraud
i. Two main theories
1. Compliance
a. Designed to achieve conformity to the law without having to
detect, process, or penalize violators
b. Involves providing economic incentives for voluntary
compliance to the laws and using administrative efforts to
control violations before they occur
2. Deterrence
a. Designed to detect law violations, determine who is
responsible, and penalize offenders to deter future
violations
b. Involves the effort to control individuals' immediate
behaviors, not the long-term behaviors targeted by
compliance systems
VI. Occupational Fraud
a. Donald R. Cressey's findings
i. Came up with the Fraud Triangle model to explain why people commit fraud
ii. Three legs of the Fraud Triangle
1. Perceived non-shareable financial need (pressure)
2. Perceived opportunity
3. Rationalization
iii. All three elements generally must be present for a trust violation to occur.
b. Dr. Steve Albrecht's findings
i. The most highly ranked factors from the list of personal characteristics that
contribute to fraud were:
1. Living beyond their means


2. An overwhelming desire for personal gain


3. High personal debt
4. A close association with customers
5. Feeling pay was not commensurate with responsibility
ii. The most highly ranked factors from the list dealing with organizational
environment were:
1. Placing too much trust in key employees
2. Lack of proper procedures for authorization of transactions
3. Inadequate disclosures of personal investments and incomes
4. No separation of authorization of transactions from the custody of
related assets
5. Lack of independent checks on performance
c. ACFE 2020 Report to the Nations findings
i. Cost of occupational fraud
1. The typical organization loses an estimated 5% of annual revenues to
fraud.
ii. How occupational fraud is committed
1. Asset misappropriation is the most common category of occupational
fraud and is the least costly.
2. Financial statement fraud causes the greatest median loss.
iii. Detection of fraud schemes
1. Tips are by far the most common detection method for cases of
occupational fraud.
iv. The perpetrators
1. Median loss in owner/executive cases was nearly four times larger than
the median loss caused by managers and ten times larger than that of
employees.
2. A sizeable majority of the fraudsters in the study were males, and men
caused much larger median losses than females.
3. Only 4% of the perpetrators in the study had been previously convicted
of a fraud-related offense prior to committing the crimes in the study.
4. The most frequently cited behavioral red flag in the reported cases
involved the fraudster living beyond their financial means.


Sample Prep Questions

Question 1

Which of the following most exemplifies the rationalization leg of the Fraud Triangle?

A. "Management is dishonest, so why shouldn't I be?"

B. "I'm in so much debt; I don't have any other way to pay my bills."

C. "I'm confident I won't get caught."

D. "I need the money to repay my drug dealer so that no one will find out about my habit."

Question 2

Which of the following are the two main theories to control corporate criminal behavior?

A. Prevention and detection

B. Deterrence and enforcement

C. Assessment and reliance

D. Compliance and deterrence


Question 3

The managers of several IT consulting firms conspire to take turns submitting the lowest bids
for all contracts in their area; this is considered an organizational crime.

A. True

B. False

Question 4
The findings in the ACFE's Report to the Nations include which of the following?

A. The most commonly reported red flag displayed by fraud perpetrators prior to the detection
of their crime is being employed by the victim entity less than six months.

B. The median losses caused by executives are lower than those caused by staff-level
employees.

C. More occupational frauds are committed by men than by women.

D. The majority of fraudsters have been previously convicted of a fraud-related offense.


Corporate Governance
I. What Is Corporate Governance?
a. Refers to a corporation's government
b. Broadly used to describe the oversight responsibilities of different parties for an
organization's direction, operations, and performance
c. More specifically, the Organisation for Economic Co-operation and Development's
(OECD) "Glossary of Statistical Terms" defines corporate governance as:
i. [The] procedures and processes according to which an organisation
is directed and controlled. The corporate governance structure specifies the
distribution of rights and responsibilities among the different participants in
the organisation—such as the board, managers, shareholders and other
stakeholders—and lays down the rules and procedures for decisionmaking.
d. Sir Adrian Cadbury, chairman of the committee that developed the foundational
corporate governance guidance, The Cadbury Report, stated that the purpose of
corporate governance is "to encourage the efficient use of resources and equally to
require accountability for the stewardship of those resources. The aim is to align as
nearly as possible the interests of individuals, corporations, and society."
e. Solid corporate governance practices are most necessary in an organization in which
the owners are not also responsible for setting the company's strategy and executing
its business activities (e.g., in publicly traded companies).
II. Parties Involved in Corporate Governance
a. The board of directors
i. Made up of individuals who are generally elected by the entity's voting
members (e.g., shareholders in the case of a corporation or members in
the case of an association)
ii. Elected directors might be:
1. Major shareholders or executives of the organization (i.e., inside
directors)
2. Completely independent of the organization aside from their role on
the board (i.e., independent directors or outside directors)
iii. Represents the intermediary between the corporation's owners (i.e.,
shareholders) and those executing its activities (i.e., management)
iv. Acts as the guardian of the organization's resources and assets
v. Oversees business operations by assessing the strategy and underlying
purpose of management's decisions and actions
vi. Might delegate members to focused subcommittees to aid in oversight of
specific issues; examples include:
1. Audit committee
2. Compensation committee
3. Nominating committee
4. Governance committee
5. Risk committee
b. Management
i. Responsible for making the day-to-day decisions that affect company
performance and, ultimately, shareholder wealth
ii. Roles pertaining to corporate governance include:
1. Establishing strategic goals and operating objectives under the
board's oversight
2. Directing employees to execute business activities and managing
their performance of those tasks


3. Determining the use and allocation of company resources and assets


4. Evaluating the organization's successes or failures and recalibrating
the strategic approach accordingly
5. Holding responsibility for the design and operation of the organization's
internal controls
6. Setting the organization's true ethical tone
c. Shareholders
i. The owners of corporations
ii. Can be individual investors or institutional investors, such as pension funds,
mutual fund groups, investment trusts, or insurance companies
iii. Roles pertaining to corporate governance include:
1. Remaining informed on company operations and performance
2. Reading annual reports and other communications from management to
the shareholders
3. Attending shareholder meetings
4. Electing capable individuals to serve as board directors
5. Holding the board of directors accountable for proper governance and
oversight
6. Appointing or ratifying the audit committee's appointment of the
organization's independent auditors
7. Voting on other significant issues, such as specific changes relating to
business operations, the company's corporate governance framework,
and the rights and responsibilities of the board of directors and executive
managers
III. The Treadway Commission's Audit Committee Recommendations
a. The Treadway Commission was formed in the United States in 1985 with the purpose of
defining the auditor's responsibility in preventing and detecting fraud.
b. It made several major recommendations designed to reduce the probability of fraud in
financial reports, including:
i. The board of directors should have a mandatory independent audit committee
made up of outside directors.
ii. Companies should develop a written charter that sets the duties and
responsibilities of the audit committee.
iii. The audit committee should have adequate resources and authority to execute
its responsibilities.
iv. The audit committee should be composed of members who are informed,
vigilant, and effective.
IV. The Role of Corporate Governance in Fighting Fraud
a. As stated in Fraud Risk Management Guide, a joint publication by the Committee of
Sponsoring Organizations of the Treadway Commission (COSO) and the ACFE, fraud
risk governance is one of the principles of effective fraud risk management, and "the
board of directors and senior management provide a solid foundation of fraud risk
management."
b. Managing the Business Risk of Fraud: A Practical Guide, the predecessor to Fraud Risk
Management Guide, expands this point, noting, "Effective governance processes are
the foundation of fraud risk management. Lack of effective corporate governance
seriously undermines any fraud risk management program."
V. Principles of Corporate Governance
a. Accountability
i. To ensure that the organization operates effectively and efficiently, there must
be mechanisms in place to ensure that management is accountable to the board
and that the board is accountable to the shareholders.


b. Transparency
i. Refers to the clarity, accuracy, completeness, and timeliness of the financial
statements and other information provided by management to shareholders
ii. The organization's governance processes must include policies and procedures
designed to ensure transparent disclosure of all material matters that the
shareholders need to make timely and informed decisions regarding their
investment in the company.
c. Fairness
i. Sound corporate governance practices ensure that all stakeholders are treated
equitably and given just and appropriate consideration.
d. Responsibility
i. Applies both to the duty of internal parties (e.g., employees, managers, directors,
and owners) to act in the best interest of the organization and to the duty of the
organization as a whole to act in society's best interest
VI. Establishing a Corporate Governance Framework
a. G20/OECD Principles of Corporate Governance states that "there is no single model of
good corporate governance."
b. Corporate governance structure and practices vary widely and should be determined
based on each organization's specific needs.
c. In developing a corporate governance framework for an organization, directors and
management must consider the legal, regulatory, institutional, cultural, and ethical
environments in which the company operates.
d. Good corporate governance is fluid—that is, it maintains the ability to find a different
course when its current direction runs into barriers, such as changes in the corporate
landscape, new regulations or legal requirements, or shifts in organizational strategy.
VII. Sources of Corporate Governance Guidance
a. Although there is not a universal law or set of rules for corporate governance,
legislators, regulators, and other bodies around the world have issued guidance that
provides best practices and requirements that organizations should enact as
appropriate, such as the G20/OECD Principles of Corporate Governance.
b. In many jurisdictions, organizations—particularly those that are publicly traded—are
subject to specific corporate governance requirements that might take the form of
legislation or conditions set for companies listed on stock exchanges.
c. As a result, companies should be familiar with the existing guidance specific to all the
regions in which they operate, and those charged with governance should ensure
compliance with the laws and regulations governing their organization.
VIII. G20/OECD Principles of Corporate Governance
a. Regarded as one of the hallmark sources of guidance for corporate governance
practices for organizations throughout the world
b. "Intended to help policymakers evaluate and improve the legal, regulatory, and
institutional framework for corporate governance with a view to support economic
efficiency, sustainable growth, and financial stability," per the OECD
c. Nonbinding, as their implementation must be adapted to different legal, economic, and
cultural circumstances
i. This is a key strength of the Principles that makes them a useful tool worldwide,
both in developed economies and in emerging markets.
ii. The legislation needed to enforce these standards is the responsibility of
individual governments.
d. Includes six broad principles:
i. Request that governments have in place an effective legal, regulatory, and
institutional framework to support good corporate governance practices.
1. This framework typically comprises elements of legislation,
regulation, self-regulatory arrangements, voluntary commitments, and
business practices that are the result of a country's specific
circumstances, history, and tradition.
ii. Call for a corporate governance framework that protects the exercise of
shareholders' rights and supports the equal treatment of all shareholders,
including minority and foreign shareholders.
1. Includes providing all shareholders the opportunity to obtain effective
redress for violation of their rights
iii. Address the effect of institutional investors and other intermediaries in stock
markets and the resulting corporate governance implications.
iv. Recognize the importance of the role of stakeholders in corporate
governance.
1. The framework should recognize the rights of stakeholders
established by law or through mutual agreements and encourage active
cooperation between corporations and stakeholders in creating wealth,
jobs, and the sustainability of financially sound enterprises.
v. Examine the importance of timely, accurate, and transparent disclosure
mechanisms.
1. Such disclosure is not expected to place unreasonable administrative or
cost burdens on the company.
vi. Address board structures, responsibilities, and procedures.
1. The corporate governance framework should ensure the strategic
guidance of the company, the effective monitoring of management by
the board, and the board's accountability to the company and the
shareholders.


Sample Prep Questions

Question 1

Good corporate governance is based on a framework that:

A. Takes into account the organization's cultural and ethical environment

B. Remains adaptable

C. Is appropriate for the organization's legal and regulatory environment

D. All of the above

Question 2

Which of the following is NOT one of the core principles of sound corporate governance?

A. Responsibility

B. Transparency

C. Independence

D. Fairness


Management's Fraud-Related Responsibilities


I. Overview of Management's Fraud-Related Responsibilities
a. Management is ultimately responsible for the prevention and detection of fraud within an
organization.
b. Management holds the primary responsibility for:
i. Designing, implementing, overseeing, and ensuring the effectiveness of the anti-
fraud program
ii. Setting the organization's ethical tone and reinforcing an anti-fraud culture
iii. Demonstrating that fraud will not be tolerated at any level
iv. Responding to instances of fraud appropriately
II. Management's Responsibility for Internal Controls
a. It is management's job to ensure that the proper internal controls are in place to prevent
and detect fraud.
b. Although management might not execute all of the controls, management is also
responsible for monitoring, assessing, and remediating the internal controls to ensure
they are effectively designed and operating to prevent and detect fraud.
III. COSO Internal Control—Integrated Framework
a. Based on the Treadway Commission's recommendations, the Committee of Sponsoring
Organizations of the Treadway Commission (COSO) was formed to provide guidance
for organizations' internal controls.
b. COSO is responsible for issuing the Internal Control—Integrated Framework (the
Framework), which is meant to apply to both public and private entities, regardless of
size.
c. According to the Framework, "internal control is a process, effected by an entity's board
of directors, management, and other personnel, designed to provide reasonable
assurance regarding the achievement of objectives relating to operations, reporting, and
compliance."
i. Operations objectives pertain to the effectiveness and efficiency of the
organization's operations.
ii. Reporting objectives pertain to the reporting of financial and nonfinancial
information to internal and external parties.
iii. Compliance objectives pertain to the organization's adherence to the laws and
regulations to which it is subject.
d. To meet these objectives, the Framework identifies five interrelated components of
internal control:
i. Control environment
1. Provides the foundation for the internal control system
throughout the entire organization
2. Established by the directors and senior management
3. Formal assessment can be made of the ethical and moral culture of the
organization, which reinforces the importance of internal controls and
expected standards of conduct
4. Five principles supporting the design and implementation of an effective
control environment:
a. Personnel at all levels demonstrate a commitment to integrity
and ethical values.
b. The board of directors is independent from management and
oversees the development and performance of internal control.
c. With board oversight, management establishes the structures,
reporting lines, and appropriate authorities and responsibilities in
the pursuit of organizational objectives.
d. The organization demonstrates a commitment to attract, develop,
and retain competent individuals in alignment with objectives.
e. The organization holds individuals accountable for their internal
control responsibilities in the pursuit of objectives.
ii. Risk assessment
1. Involves the identification and assessment of the risks the entity faces in
achieving its organizational objectives
2. Involves the following principles:
a. The organization sets sufficiently clear objectives to enable the
identification and assessment of risks relating to the objectives.
b. The organization identifies risks to the achievement of its
objectives across the entity and analyzes these risks as a basis
for determining how the risks should be managed.
c. The organization considers the potential for fraud in assessing
risks to the achievement of objectives.
d. The organization identifies and assesses changes that could
significantly impact the system of internal control.
iii. Control activities
1. The policies and procedures that enforce management's directives
intended to mitigate risk
2. Involves the following principles:
a. The organization selects and develops control activities that
mitigate risks to the achievement of objectives to acceptable
levels.
b. The organization selects and develops general control activities
over technology to support the achievement of objectives.
c. The organization deploys control activities through policies that
establish what is expected and procedures that put policies into
action.
iv. Information and communication
1. Relates to the exchange of information in a way that allows employees to
carry out their internal control responsibilities and achieve the
organization's objectives
2. Involves the following principles:
a. The organization obtains or generates and uses relevant, quality
information to support the functioning of internal control.
b. The organization internally communicates information—including
objectives and responsibilities for internal control—necessary to
support the functioning of internal control.
c. The organization communicates with external parties regarding
matters affecting the functioning of internal control.
v. Monitoring
1. The process that assesses the effectiveness of a control system over
time
2. Should include both ongoing, automated evaluations and periodic,
separate evaluations, the findings of which should be evaluated against
predefined criteria
3. Involves the following principles:
a. The organization selects, develops, and performs ongoing and/or
separate evaluations to ascertain whether the components of
internal control are present and functioning.
b. The organization evaluates and communicates internal control
deficiencies in a timely manner to those parties responsible for
taking corrective action, including senior management and the
board of directors, as appropriate.
Sample Prep Questions

Question 1

Which of the following parties is ultimately responsible for the prevention and detection of fraud
within an organization?

A. Board of directors

B. Internal auditors

C. Management

D. External auditors

Question 2

According to the Committee of Sponsoring Organizations of the Treadway Commission (COSO), the
control environment of an organization:

A. Is established by directors and senior management

B. Sets the moral and ethical tone of the organization

C. Provides the foundation for the overall internal control system

D. All of the above

Question 3
According to the Committee of Sponsoring Organizations of the Treadway Commission (COSO),
internal control is a process "designed to provide reasonable assurance regarding the
achievement of objectives relating to operations, reporting, and compliance."

A. True

B. False

Auditors' Fraud-Related Responsibilities


I. External Audit Standards Related to Fraud
a. International Standard on Auditing (ISA) 240—The Auditor's Responsibilities Relating
to Fraud in an Audit of Financial Statements
i. Purpose
1. To establish standards and provide guidance on the auditor's
responsibility to consider fraud in an audit of financial statements
2. To expand on how other auditing standards and guidance should be
applied in relation to the risks of material misstatement due to fraud
ii. Characteristics of fraud
1. Misstatements in the financial statements can arise from error or
fraud, depending on whether the underlying action that results in the
misstatement is intentional or unintentional.
2. Two types of intentional misstatements are considered relevant for
audit purposes:
a. Misstatements arising from fraudulent financial reporting
b. Misstatements arising from misappropriation of assets
3. For the purposes of the ISAs, the auditor is concerned with fraud that
causes a material misstatement in the financial statements.
a. According to the ISAs, "Information is material if
omitting, misstating or obscuring it could reasonably be
expected to influence the decisions that the primary users of
general purpose financial statements make on the basis of
those financial statements, which provide financial information
about a specific reporting entity."
b. Materiality is often considered in quantitative terms within an
audit (e.g., by establishing a threshold amount, or quantitative
materiality threshold, by which the financial statements must
be misstated to be considered materially misstated), but
qualitative aspects of fraud can, and often do, override the
general quantitative materiality threshold.
i. Example: An intentional manipulation of an account for
an amount just under the determined quantitative
materiality threshold might still be deemed material for
purposes of the audit, as it indicates management's
intent to "omit, misstate, or obscure" information to
influence the decisions of the financial statement
users.
4. Although the auditor might suspect or, in rare cases, identify the
occurrence of fraud, the auditor does not make legal determinations
of whether fraud has actually occurred.
iii. Identification and assessment of the risks of material misstatement due to
fraud
1. Identify and assess the risks of material misstatement due to fraud at
the financial statement level, as well as at the assertion level for
classes of transactions, account balances, and disclosures.
2. Obtain an understanding of the entity's related controls, including
control activities, relevant to such risks.
iv. Responses to the assessed risks of material misstatement due to fraud
1. Determine overall responses to address the assessed risks of material
misstatement due to fraud at the financial statement level, including:
a. Assignment and supervision of personnel
b. Evaluation of the entity's selection and application of
accounting policies
c. Incorporation of an element of unpredictability in auditing
procedures
v. Evaluation of audit evidence
1. Evaluate whether analytical procedures that are performed when
forming an overall conclusion as to whether the financial statements
as a whole are consistent with the auditor's understanding of the entity
and its environment indicate a previously unrecognized risk of material
misstatement due to fraud.
2. If a misstatement is identified, whether material or not, and there is
reason to believe that it is or may be the result of fraud and that
management is involved, reevaluate the assessment of the risks of
material misstatement due to fraud and its resulting impact on the
nature, timing, and extent of audit procedures to respond to the
assessed risks.
a. Also consider whether circumstances or conditions indicate
possible collusion involving employees, management, or third
parties when reconsidering the reliability of evidence
previously obtained.
vi. Communications to management and with those charged with
governance
1. Communicate the identification of a fraud or information that indicates a
fraud might exist to the appropriate level of management and those
charged with governance on a timely basis.
2. If management is suspected of being involved in the fraud,
communicate these suspicions to those charged with governance and
discuss with them the nature, timing, and extent of audit procedures
necessary to complete the audit.
vii. Communications to regulatory and enforcement authorities
1. Determine whether there is a responsibility to report the occurrence or
suspicion of a fraud to a party outside the entity that overrides the duty
of client confidentiality.
b. International Standard on Auditing (ISA) 265—Communicating Deficiencies in Internal
Control to Those Charged with Governance and Management
i. Provides guidance regarding the auditor's responsibility to communicate an
organization's internal control deficiencies that could result in a misstatement
of the financial statements appropriately with management and those charged
with governance
ii. Auditor requirements upon identifying one or more deficiencies in internal
control include:
1. Determine, on the basis of the audit work performed, whether,
individually or in combination, they constitute significant deficiencies.
2. Communicate in writing significant deficiencies in internal control
identified during the audit to those charged with governance on a
timely basis.
3. Communicate to management at an appropriate level of responsibility
on a timely basis:
a. In writing, significant deficiencies in internal control that the
auditor has communicated or intends to communicate to those
charged with governance, unless it would be inappropriate to
communicate directly to management in the circumstances
b. Other deficiencies in internal control identified during the audit
that have not been communicated to management by other
parties and that, in the auditor's professional judgment, are of
sufficient importance to merit management's attention
iii. Written communication requirements regarding significant deficiencies
include:
1. A description of the deficiencies and an explanation of their potential
effects
2. Sufficient information to enable those charged with governance and
management to understand the context of the communication,
including that:
a. The purpose of the audit was for the auditor to express an
opinion on the financial statements.
b. The audit included consideration of internal control relevant to
the preparation of the financial statements in order to design
audit procedures that are appropriate in the circumstances,
but not for the purpose of expressing an opinion on the
effectiveness of internal control.
c. The matters being reported are limited to those deficiencies
that the auditor has identified during the audit and that the
auditor has concluded are of sufficient importance to merit
being reported to those charged with governance.
II. Internal Audit Standards Related to Fraud
a. IIA Standard 1210—Proficiency
i. Internal auditors must possess the knowledge, skills, and other competencies
needed to perform their individual responsibilities.
ii. The internal audit activity collectively must possess or obtain the knowledge,
skills, and other competencies needed to perform its responsibilities.
b. IIA Standard 1220—Due Professional Care
i. Internal auditors must apply the care and skill expected of a reasonably
prudent and competent internal auditor.
ii. Due professional care does not imply infallibility.
c. IIA Standard 2060—Reporting to Senior Management and the Board
i. The chief audit executive (CAE) must report periodically to senior
management and the board of directors on the internal audit activity's
purpose, authority, responsibility, and performance relative to its plan and on
its conformance with the IIA's Code of Ethics and its International Standards
for the Professional Practice of Internal Auditing.
ii. Reporting must also include significant risk and control issues, including fraud
risks, governance issues, and other matters that require the attention of
senior management and/or the board of directors.
III. The IIA's IPPF—Practice Guide: Internal Auditing and Fraud
a. The Practice Guide states that, in conducting audit engagements, the internal auditor
should:
i. Consider fraud risks in the assessment of internal control design and
determination of audit steps to perform.
ii. Have sufficient knowledge of fraud to identify red flags indicating that fraud
might have been committed.
iii. Be alert to opportunities that could allow fraud, such as control deficiencies.
iv. Evaluate whether:
1. Management is actively retaining responsibility for oversight of the
fraud risk management program.
2. Timely and sufficient corrective measures have been taken with respect
to any noted control deficiencies or weaknesses.
3. The plan for monitoring the program continues to be adequate for the
program's ongoing success.
v. Evaluate the indicators of fraud and decide whether any further action is
necessary or whether an investigation should be recommended.
vi. Recommend investigation when appropriate.
b. In support of IIA Standard 2060, the Practice Guide also provides guidance about
internal audit's role in communicating fraud-related issues with management and the
board of directors by stating that CAEs may include information about the following in
their communications with these parties:
i. All fraud audits performed
ii. The fraud risk assessment process
iii. Fraud or conflicts of interest
iv. The results of monitoring programs concerning compliance with law, code of
conduct, or code of ethics
v. The internal audit activity's organizational structure as it pertains to addressing
fraud
vi. Coordination of fraud audit activity with external auditors
vii. Overall assessment of the organization's control environment
viii. Productivity and budgetary measures of internal audit's fraud activities
ix. Benchmarking comparisons of internal audit's fraud activities with other
organizations
x. Role of internal audit in fraud investigations
c. The Practice Guide recommends that CAEs have such discussions about fraud with
senior management and the board of directors before issues arise concerning what
those parties need to know, when they need to know it, and how the communication
should be made.
IV. Government Auditors' Fraud-Related Responsibilities
a. The International Organization of Supreme Audit Institutions (INTOSAI) operates as
an umbrella organization for the external government audit community and provides
an institutionalized framework for supreme audit institutions (SAIs) to foster the
exchange of ideas, knowledge, and experiences.
b. INTOSAI provides high-quality standards in the form of International Standards of
Supreme Audit Institutions (ISSAI) for the public sector in an effort to promote good
governance.
c. ISSAI 1240 provides supplementary guidance regarding the applicability of ISA 240
to public-sector financial statement audits.
i. States that ISA 240 is applicable to auditors of public-sector entities in their
role as auditors of financial statements and includes several specific
considerations in applying ISA 240 to public-sector audits, including:
1. Broader audit objectives
a. The objectives of a financial audit in the public sector are
often broader than expressing an opinion as to whether the
financial statements have been prepared, in all material
respects, in accordance with the applicable financial reporting
framework.
b. The audit mandate arising from legislation, regulation,
ministerial directives, government policy requirements, or
resolutions of the legislature may result in additional
objectives or there may be general public expectations
related to reporting noncompliance with authorities or the
effectiveness of internal controls.
2. Consideration of the concept of abuse
a. Public-sector auditors must remain alert throughout the audit
for occurrences of abuse (i.e., behavior that is
deficient or improper when compared with behavior that a
prudent person would consider reasonable and
necessary business practice given the facts and
circumstances).
b. When information is obtained indicating that abuse might have
occurred, public-sector auditors must consider whether such
possible abuse could significantly affect the financial
statements.
3. Inability to withdraw from the engagement
a. Public-sector auditors do not normally have the option to
withdraw from an audit engagement.
b. Public-sector auditors must consider the impact on the audit
opinion and any requirements for other forms of reporting,
including whether it may be appropriate to report separately to
the legislature or to issue classified or restricted reports.
4. Additional communications about fraud-related matters
a. Public-sector auditors may be required or may decide to
communicate matters with other parties, such as the
legislature, in addition to those charged with governance.
b. The requirements for reporting of fraud in the public sector
may be subject to specific provisions of the audit mandate or
related legislation or regulation.
c. In some environments, public-sector auditors might have a
duty to report circumstances that might indicate the possibility
of fraud or abuse to investigative bodies, jurisdictional bodies,
or the appropriate part of the government or legislature, such
as prosecutors, the police, and affected third parties.
d. Public-sector auditors need to be familiar with applicable laws
and regulations in regard to reporting, communication, and
documentation of indications or suspicions of fraud.

Sample Prep Questions

Question 1

The primary purpose of International Standard on Auditing (ISA) 240, The Auditor's Responsibilities
Relating to Fraud in an Audit of Financial Statements, is to:

A. Establish standards and provide guidance on the auditor's responsibility to consider fraud in
an audit of financial statements

B. Establish auditors as being primarily responsible for the prevention and detection of fraud
within an organization

C. Establish requirements for auditors related to designing and implementing fraud-related
internal controls

D. All of the above

Question 2
According to The Institute of Internal Auditors' (IIA) International Standards for the Professional
Practice of Internal Auditing, internal auditors must apply the care and skill of an expert whose
primary responsibility is investigating fraud.

A. True

B. False

Fraud Risk Assessment


I. What Is Fraud Risk?
a. The vulnerability that an organization faces from individuals capable of combining all
three elements of the Fraud Triangle
II. Inherent and Residual Fraud Risk
a. Risks that are present before the effect of internal controls (including targeted anti-fraud
controls) are described as inherent risks.
b. Risks that remain after the effect of these controls are described as residual risks.
c. The objective of an organization's anti-fraud controls is to make the residual risk
significantly smaller than the inherent risk.
III. Factors That Influence Fraud Risk in an Organization
a. The nature of the business in which it is engaged
b. The environment in which it operates
c. The effectiveness of its anti-fraud controls
i. A good system of anti-fraud controls, with the right balance of preventive and
detective controls, can greatly reduce an organization's vulnerability to fraud.
1. Preventive controls stop something bad from happening before it occurs.
2. Detective controls identify something bad that has already occurred.
ii. No system of anti-fraud controls can fully eliminate the risk of fraud, but well-
designed and effective anti-fraud controls can deter the average fraudster by
reducing the opportunity to commit the fraud and increasing the perception of
detection.
d. The ethics and values of the company and its employees
IV. What Is a Fraud Risk Assessment?
a. An ongoing, continuous process aimed at proactively identifying and addressing an
organization's vulnerabilities to both internal and external fraud
b. What gets evaluated and how it gets assessed should be tailored to the organization—
there is no one-size-fits-all approach.
c. The objective of a fraud risk assessment is to help an organization recognize what
makes it most vulnerable to fraud.
V. Why Organizations Should Conduct Fraud Risk Assessments
a. To improve communication and awareness about fraud
i. A fraud risk assessment can be an effective medium for an organization to start
communication and raise awareness about fraud.
b. To identify where the company is most vulnerable to fraud and what activities put it at
the greatest risk
i. Management must know where the company is most vulnerable to fraud to
prevent it from happening.
c. To know who puts the organization at the greatest risk
i. The actions of certain individuals can significantly increase the company's
vulnerability to fraud.
ii. The risk can emerge from the way in which someone makes decisions,
behaves, or treats others within and outside the organization.
d. To develop plans to mitigate fraud risk
i. When management knows where the greatest fraud risks are, it can proactively
enact measures to reduce or mitigate those risks.
ii. The results of the fraud risk assessment can be used to gain alignment among
stakeholders and advance preventive action.
e. To develop techniques to investigate and determine if fraud has occurred in high-risk
areas
i. The fraud risk assessment is useful for identifying areas that should be proactively
investigated for evidence of fraud.
f. To assess anti-fraud controls
i. Although an effective internal control system, including targeted anti-fraud
controls, is critical in fraud prevention and detection, it is a dynamic system that
requires constant reevaluation of its weaknesses.
ii. Performing a fraud risk assessment provides management with the opportunity
to review the effectiveness of the company's anti-fraud controls, taking into
account the following considerations:
1. Controls that might have been eliminated due to restructuring efforts
(e.g., elimination of separation of duties due to downsizing)
2. Controls that might have eroded over time due to reengineering of
business processes
3. New opportunities for collusion
4. Lack of anti-fraud controls in a vulnerable area
5. Nonperformance of control procedures (e.g., control procedures
compromised for the sake of expediency)
6. Inherent limitations of anti-fraud controls, including opportunities for
those responsible for a control to commit and conceal fraud (e.g.,
through management and system overrides)
g. To comply with regulations and professional standards
i. Fraud risk assessments can assist management and auditors (internal and
external) in satisfying regulatory requirements and complying with professional
standards pertaining to their responsibility for fraud risk management.
VI. Elements of a Good Fraud Risk Assessment
a. Collaborative effort of management and auditors
i. The fraud risk assessment is most effective when management and auditors
share ownership of the process and accountability for its success.
b. The right sponsor
i. The sponsor must be senior enough in the organization to command the
employees' respect and elicit full cooperation in the process.
ii. Ideally, the sponsor would be an independent board director or audit committee
member; however, a chief executive officer or other internal senior leader can be
equally effective.
c. Independence and objectivity of the people leading and conducting the work
i. The people leading and conducting the fraud risk assessment must remain
independent and objective throughout the assessment process and must be
perceived as independent and objective by others.
ii. A good fraud risk assessment can be effectively conducted by people inside or
outside of the organization.
iii. The people leading and conducting the work should be mindful of any personal
biases they might have regarding the organization and the people within it, and
they should take steps to reduce or eliminate all biases that might affect the
fraud risk assessment process.
d. Functional knowledge of the business
i. The fraud risk assessor must know, beyond a superficial level, what the business
does and how it operates.
e. Access to people at all levels of the organization
i. It is crucial to include members of all levels of the organization in the risk
assessment process to ensure that all relevant risks are addressed and
reviewed from many different perspectives.
f. Thinking like a fraudster
i. A necessary part of conducting an effective fraud risk assessment involves
thinking like a fraudster.
ii. Thoughts of "it couldn't happen here" should not be allowed to
moderate the evaluation of fraud risk.
VII. Preparing the Company for a Fraud Risk Assessment
a. Assemble a multi-disciplinary team to lead and conduct the fraud risk
assessment.
i. The team should consist of individuals with diverse knowledge, skills, and
perspectives to lead and conduct the assessment.
ii. The size of the team should depend on the size of the organization and the
methods used to conduct the assessment.
iii. The team members can include internal and external sources, such as:
1. Accounting and finance personnel who are familiar with the financial
reporting processes and anti-fraud controls
2. Nonfinancial business unit and operations personnel who have
knowledge of day-to-day operations, customer and vendor interactions,
and issues within the industry
3. Risk management personnel who can ensure that the assessment
process integrates with the enterprise risk management program
4. The general counsel or other members of the legal department
5. Members of any ethics or compliance functions
6. Internal auditors
7. Internal security or investigative personnel who are familiar with
investigations of past fraud incidents
8. External consultants with fraud and risk expertise
9. Any business leader with direct accountability for the effectiveness of the
organization's fraud risk management efforts
b. Identify the information to be gathered and determine the most effective techniques to
use in conducting the fraud risk assessment.
i. Information to be gathered includes:
1. The identification of inherent fraud risks
2. Discussion of past known fraud incidents and how they were handled
3. Compilation of complaints from all sources
4. Assessment of the likelihood and significance of identified risks
5. Perceptions regarding the overall control environment
6. Perceptions regarding the operating effectiveness of specific anti-fraud
controls
ii. Possible techniques for gathering information include:
1. Interviews
2. Focus groups
3. Surveys
4. Anonymous feedback mechanisms
c. Obtain the sponsor's agreement on:
i. The scope of work that will be performed
ii. The information-collection techniques that will be used
iii. The individuals who will participate in the chosen methods
iv. The content of the chosen methods
v. The form of output for the assessment
d. Educate employees and openly promote the process.
i. Communications should be visibly disseminated in a format that is most
appropriate for the culture of the organization.
ii. The process should be visible and communicated throughout the business.
iii. Sponsors should be strongly encouraged to openly promote the process.
VIII. Identifying Potential Inherent Fraud Risks and Schemes
a. Brainstorm to identify the inherent fraud risks that could apply to the organization.
b. Brainstorming should include discussions regarding:
i. Incentives, pressures, and opportunities to commit fraud
ii. Risk of management's override of controls
iii. Population of fraud risks
1. Fraud risks can be classified into the following major areas:
a. Fraudulent financial reporting (e.g., inappropriately reported
revenues, expenses, assets, or liabilities)
b. Asset misappropriation (e.g., theft of tangible or intangible
assets)
c. Corruption (e.g., bribes, kickbacks, aiding and abetting
vendor fraud)
d. External fraud (e.g., fraud committed by customers, vendors,
competitors, or other third parties)
2. Other areas of fraud risk to consider include:
a. Risk of regulatory and legal misconduct (e.g., anticompetitive
practices, conflicts of interest, insider trading)
b. Reputation risk
c. Risk to information technology
IX. Identifying and Mapping Existing Preventive and Detective Controls to
the Relevant Fraud Risks
a. Preventive controls
i. Intended to prevent fraud before it occurs
ii. Include:
1. Bringing awareness of the fraud risk management program to
personnel throughout the organization
2. Performing background checks on employees (where permitted
by law)
3. Hiring competent staff; providing them with anti-fraud training
4. Conducting exit interviews
5. Implementing policies and procedures
6. Separating duties
7. Implementing physical security measures
8. Implementing security measures to restrict electronic access to
data
9. Ensuring proper alignment between an individual's authority and
level of responsibility
10. Reviewing third-party and related-party transactions
b. Detective controls
i. Intended to detect fraud if it does occur
ii. Include:
1. Establishing and marketing the presence of a confidential reporting
system, such as a whistleblower hotline
2. Implementing proactive controls for the fraud detection process,
such as independent reconciliations, reviews, physical inspections
and counts, analysis, and audits
3. Implementing proactive fraud detection procedures, such as data analysis
and continuous auditing techniques
4. Performing surprise audits
X. Ways Management Can Respond to Residual Fraud Risks
a. Avoid the risk.
i. Management might decide to avoid the risk by eliminating an asset or discontinuing
an activity if the control measures required to protect the organization against an
identified threat are too expensive.
b. Transfer the risk.
i. Management might transfer some or all of the risk by purchasing fidelity insurance or
a fidelity bond.
c. Mitigate the risk.
i. Management can mitigate the risk by implementing appropriate countermeasures,
such as prevention and detection controls.
d. Assume the risk.
i. Management might choose to assume the risk if it determines that the probability of
occurrence and impact of loss are low.
XI. Reporting the Fraud Risk Assessment Results
a. The success of the fraud risk assessment process depends on how effectively the
results are reported and what management then does with those results.
b. When reporting the results of the assessment:
i. Report only the facts, and keep all opinions and biases out of the report.
ii. Report the results in a way that is easy to understand and resonates with
management.
iii. Present the report in a way that focuses on what really matters; clearly
highlight those points that are most important and will make the most
impact on the organization's fraud risk management efforts.
iv. Include key recommendations for actions that are clear and measurable and
that will decrease fraud risks.
XII. Making an Impact with the Fraud Risk Assessment
a. Management should use the assessment results to:
i. Begin a dialogue across the company.
ii. Look for fraud in high-risk areas.
iii. Hold responsible parties accountable for progress.
iv. Keep the assessment process active and relevant.
v. Modify or create the code of conduct or ethics policy.
vi. Monitor key controls.
XIII. The Fraud Risk Assessment and the Audit Process
a. The fraud risk assessment should play a significant role in informing and influencing
the audit process.
b. The fraud risk assessment should motivate thinking and awareness in the
development of audit programs for areas that have been identified as having a
moderate-to-high risk of fraud.
c. Auditors should validate that the organization is appropriately managing the
moderate-to-high fraud risks identified in the fraud risk assessment by:
i. Identifying and mapping the existing preventive and detective controls
that pertain to the moderate-to-high fraud risks identified in the fraud risk
assessment
ii. Designing and performing tests to evaluate whether the identified controls
are operating effectively and efficiently
iii. Identifying within the moderate-to-high fraud risk areas whether there is a
moderate-to-high risk of management overriding internal controls
iv. Developing and delivering reports that incorporate the results of auditors'
validation and testing of the fraud risk controls

CFE Exam Review Course: 2022 Edition 311


Fraud Risk Assessment Fraud Prevention and Deterrence

Sample Prep Questions

Question 1

The risk that an organization might be victimized by an individual who is able to combine the three elements of the Fraud Triangle is called _________________.

A. Audit risk
B. Fraud risk
C. Insider risk
D. Environmental risk

Question 2

In response to a risk identified during a fraud risk assessment, management chooses to accept the risk, rather than to implement any responsive measures. This approach is known as:

A. Avoiding the risk
B. Transferring the risk
C. Mitigating the risk
D. Assuming the risk

Question 3

Which of the following influences the level of fraud risk faced by an organization?

A. The geographic regions in which it operates
B. The effectiveness of its anti-fraud controls
C. The ethics of its leadership team
D. All of the above

Fraud Risk Management


I. What Is Risk Management?
a. In Enterprise Risk Management—Integrating with Strategy and Performance, the
Committee of Sponsoring Organizations of the Treadway Commission (COSO)
defines enterprise risk management (ERM) as "the culture, capabilities, and
practices, integrated with strategy-setting and its performance, that organizations
rely on to manage risk in creating, preserving, and realizing value."
b. Involves the identification, prioritization, treatment, and monitoring of risks that
threaten an organization's ability to provide value to its stakeholders
c. Involves balancing risk appetite—how much risk management is willing to accept—
with the ability to meet the organization's strategic, operational, reporting, and
compliance objectives
II. COSO Enterprise Risk Management—Integrating with Strategy and Performance
a. Composed of a set of principles organized into five components and twenty
supporting principles that are based on a holistic view of an organization's risk
portfolio
b. The five components are:
i. Governance and culture
1. The organization's governance and culture form the foundation for
the ERM program.
2. Governance sets the organizational tone, reinforces the importance
of risk management, and establishes the oversight responsibilities
for managing risks, while culture is reflected in decision-making.
ii. Strategy and objective-setting
1. ERM is integrated into the organization's strategic plan through the
formal process of setting strategy and defining business objectives.
iii. Performance
1. The actual performance of ERM within an organization involves
identifying and assessing risks that might affect the organization's
ability to meet its strategic and business objectives and then
prioritizing and responding to those risks.
iv. Review and revision
1. As part of its ERM activities, the organization should review how well
the ERM capabilities and practices have increased value over time
and how they will continue to drive value for the organization.
v. Information, communication, and reporting
1. Management must use information gathered from both internal and
external sources to support ERM.
III. ISO 31000
a. The International Organization for Standardization (ISO) has developed ISO
31000:2018, a set of international standards providing principles and guidance on
risk management.
b. The following eight ISO 31000:2018 principles provide that an effective and efficient
risk management program:
i. Is integrated into all organizational activities
ii. Is structured and comprehensive
iii. Is customized and proportionate to the organization's operations and
objectives
iv. Is inclusive and provides for appropriate and timely consideration of
stakeholders' knowledge, views, and perceptions
v. Is dynamic and responsive to change
vi. Is based upon the best available information
vii. Takes human and cultural factors into account
viii. Facilitates continuous improvement
IV. Managing Third-Party Fraud Risks
a. To protect themselves from risks, it is important for organizations to implement
proper due diligence procedures and compliance requirements when engaging in
transactions with third parties, such as vendors and customers.
b. Customer due diligence (CDD)
i. There are three levels of due diligence procedures that organizations can use
based on the level of risk a potential customer presents.
1. Simplified CDD
a. The lowest level of due diligence
b. Most appropriate in situations where there is little opportunity
or risk of a customer engaging in illegal activity
c. Only requirement is to identify the customer
2. Standard CDD
a. Most widely used in situations where the customer presents a
risk (i.e., there is some opportunity for the customer to
engage in illegal activity), but it is unlikely that the risk will
manifest
b. Involves identifying the customer and verifying their identity
3. Enhanced CDD
a. Used when customers present higher risks for engaging in
illegal activity
b. Triggered by factors such as high-profile customers, large-value
transactions, or foreign business dealings in countries known for
corruption
c. Under enhanced due diligence procedures, the following
customer elements should be examined with a greater level
of scrutiny:
i. Identity (i.e., Is the customer who they claim to be?)
ii. Source of income and overall net worth (i.e., Can the
customer pay for the transaction, especially if they are
requesting to pay on credit?)
iii. Expected pattern of purchasing (i.e., Is this a onetime
transaction or a series of transactions?)
iv. Expected value (i.e., How large is the cumulative
financial risk?)
v. Expected method of payment (i.e., Is the customer
requesting to use a higher-risk payment method, such
as a personal check or line of credit?)
c. Vendor due diligence
i. Management should conduct proper due diligence when seeking new
vendors or evaluating the relationship of existing vendors to prevent and
detect misconduct.
ii. Effective practices that organizations should take when developing a vendor
due diligence program include:
1. Using third-party questionnaires
a. Before entering into a relationship with a new vendor,
management should seek to obtain information from the
vendor by using a questionnaire.
b. Questionnaires provide background information about the
vendor that can be cross-referenced during a background check.
2. Assessing vendor commitment to compliance and ethics
a. An organization can assess a vendor's commitment to
compliance and ethics by performing the following due
diligence procedures:
i. Ensure that vendors have their own ethics and
compliance program before engaging in any
transactions.
ii. Provide the vendor with the organization's code of
conduct and require the vendor's agents to sign and
agree to abide by the code.
iii. Inquire about the vendor's internal audit department
and the types of audits the vendor is subject to.
iv. Include contract clauses that require vendors to report
any misconduct.
v. Alert the vendor that they will be liable for any
unethical conduct that occurs in doing business with
the organization.
V. Who Is Responsible for Managing Fraud Risk?
a. According to Fraud Risk Management Guide, a joint publication by COSO and the
ACFE, "personnel at all levels of the organization—including every level of
management, staff, and internal auditors—have responsibility for managing fraud
risk."
VI. The Board of Directors' Role
a. Recognize the true and specific risks of fraud to the organization, as well as their
potential impact, and respond by:
i. Setting an appropriate tone and realistic expectations of management to
enforce an anti-fraud culture
ii. Gaining sufficient knowledge of the organization's activities and the
environments in which it operates
iii. Raising awareness of the risks of fraud throughout the organization
iv. Developing a strategy to assess and manage fraud risks that aligns with the
organization's risk appetite and strategic plans
v. Overseeing the organization's fraud risk management activities
vi. Maintaining open communications with senior management and other
personnel
VII. The Audit Committee's Role
a. Oversee the organization's financial, accounting, and audit matters and report to the
full board of directors.
b. Actively oversee the assessment and monitoring of the organization's fraud risks by:
i. Receiving regular reports on the status of reported or alleged fraud
ii. Being aware of fraud risks that are common in the organization's industry
iii. Meeting regularly with key internal parties (e.g., the chief audit executive
[CAE] or other senior financial persons) to discuss identified fraud risks and
the steps being taken to prevent and detect fraud
iv. Understanding how internal and external audit strategies address fraud risk
v. Providing external auditors with evidence that the audit committee is
dedicated to effective fraud risk management
vi. Engaging in open conversations with external auditors about any known or
suspected fraud
vii. Seeking advice of legal counsel whenever it deals with allegations of fraud
VIII. Senior Management's Role
a. Hold the primary responsibility for designing, implementing, monitoring, and improving
the fraud risk management program, which involves:
i. Being extremely familiar with the organization's fraud risks
ii. Ensuring that the organization has specific and effective internal controls in
place to prevent and detect fraud
iii. Setting a tone at the top and monitoring the company culture to ensure that it
appropriately supports the organization's fraud prevention and detection
strategies
iv. Clearly communicating—both in words and actions—that fraud is
not tolerated
v. Taking seriously all reports of fraud and undertaking investigations
for any such reports deemed reliable
vi. Punishing perpetrators of discovered fraud appropriately
vii. Taking any steps necessary to remediate weaknesses that allowed
frauds to occur
viii. Reporting to the board of directors on a regular basis regarding the
effectiveness of the organization's fraud risk management program
IX. The Objectives of a Fraud Risk Management Program
a. Fraud risk management programs must address fraud before, during, and after it
occurs.
b. Such programs must incorporate policies and procedures designed to prevent,
detect, and respond to fraud.
i. Fraud prevention
1. Activities focus on proactively identifying and assessing fraud risks
and taking steps to address those risks.
ii. Fraud detection
1. Activities seek to identify fraud occurrences as soon as possible after
they begin to limit the damage done.
iii. Fraud response
1. Investigating the allegation to determine the party or parties
responsible, the means of the infraction, and the extent of the
resulting damage
2. Punishing the perpetrator, whether through employment sanctions or
legal action
3. Remediating the control weaknesses that allowed the fraud to be
undertaken
4. Rebuilding stakeholders' confidence in the organization
X. Fraud Risk Management Principles
a. To help meet the objectives of a fraud risk management program, Fraud Risk
Management Guide describes five broad principles of fraud risk management:
i. Fraud risk governance
1. The organization establishes and communicates a fraud risk
management program that demonstrates the expectations of the
board of directors and senior management and their commitment to
high integrity and ethical values regarding managing fraud risk.
ii. Fraud risk assessment
1. The organization performs comprehensive fraud risk assessments to
identify specific fraud schemes and risks, assess their likelihood and
significance, evaluate existing fraud control activities, and implement
actions to mitigate residual fraud risks.
iii. Fraud control activities
1. The organization selects, develops, and deploys preventive and
detective fraud control activities to mitigate the risk of fraud events
occurring or not being detected in a timely manner.
iv. Fraud investigation and corrective action
1. The organization establishes a communication process to obtain
information about potential fraud and deploys a coordinated approach
to investigation and corrective action to address fraud appropriately
and in a timely manner.
v. Fraud risk management monitoring activities
1. The organization selects, develops, and performs ongoing evaluations
to ascertain whether each of the five principles of fraud risk
management is present and functioning, and communicates
deficiencies in the fraud risk management program in a timely manner
to parties responsible for taking corrective action, including senior
management and the board of directors.
XI. Developing a Fraud Risk Management Program
a. Define program objectives.
i. Tailor detailed objectives of the fraud risk management program to the
organization's specific needs and goals.
ii. Balance the following factors in determining the program's objectives:
1. The investment in anti-fraud controls
2. The prevention of frauds that are material in nature or amount
3. Management's risk appetite
b. Define risk appetite.
i. Without an adequate understanding of just how much risk those charged with
governance are willing to accept, any stated objectives of the fraud risk
management program will be inaccurate.
ii. Risk appetite can be measured and expressed either qualitatively—low,
medium, or high, for example—or quantitatively, using a numeric scale.
c. Examine previous fraud incidents.
i. Examine previous occurrences of fraud and explore how management's
ideal fraud risk management program would have prevented, detected,
and responded to them.
d. Ensure compliance.
i. The fraud risk management program must include mechanisms specifically
designed to monitor, identify, and address breaches in compliance.
1. Such breaches might include failures in the design or operation of
anti-fraud controls, as well as outright occurrences of fraud.
ii. A specific individual or team should be designated as responsible for
monitoring compliance with the fraud risk management program and for
handling suspected instances of noncompliance.
iii. Formal sanctions for intentional noncompliance must be well-publicized and
carried out in a consistent and firm manner.
Sample Prep Questions

Question 1

Of the following parties, who is responsible for developing a strategy to assess and manage fraud risks that aligns with the organization's risk appetite and strategic plans?

A. The legal department
B. The internal audit department
C. The board of directors
D. The shareholders

Question 2
Which of the following is among the audit committee's responsibilities for fraud risk management?

A. Receiving regular reports on the status of reported or alleged fraud
B. Understanding how internal and external audit strategies address fraud risk
C. Engaging in open conversations with external auditors about any known or suspected fraud
D. All of the above

Fraud Prevention Programs


I. Procedures and Mechanisms to Prevent Fraud
A. Increasing the perception of detection
i. Most experts agree that it is much easier to prevent fraud than to detect it.
ii. Increasing the perception of detection might be the most effective fraud
prevention method.
iii. Controls are not very effective in preventing theft and fraud if those at risk do
not know of the presence of possible detection.
B. Proactive audit procedures
i. Can be used to demonstrate management's intention to aggressively look for
possible fraudulent conduct instead of waiting for instances to be reported
ii. Such techniques include the following:
1. Use of analytical review procedures
2. Data and transaction monitoring and analysis
3. Fraud assessment questioning
4. Surprise audits where possible
C. Employee anti-fraud education
i. Each entity should have a policy for educating managers, executives, and
employees about fraud.
1. Can be accomplished through memoranda, organization-wide emails
and voice mails, formal training programs, and other intercompany
communication methods
ii. Every employee within the organization should be required to participate in
the fraud awareness training program.
iii. Managers and executives should receive special training that addresses
the added fraud prevention and detection responsibility—and ability—
provided by their authority positions.
iv. Formal fraud awareness training should be an ongoing process that
begins at the time of hire.
v. Employees should also participate in refresher training at least annually
to help keep the program active and engrained in their minds.
vi. All employees should sign an annual statement acknowledging their
understanding of and commitment to the program.
vii. The following topics should form the basis of a company's fraud
awareness training:
1. What fraud is, including examples of what behavior is acceptable and
what is not
2. How fraud hurts the organization
3. How fraud hurts employees
4. Common characteristics that lead individuals to commit fraud
5. How to identify fraud (i.e., specific examples of financial,
transactional, and other red flags to watch out for)
6. How to report fraud
7. The punishment for dishonest acts, including examples of past
transgressions and how they were handled
D. Effective management oversight
i. Employees who steal often use the proceeds for lifestyle improvements (e.g.,
expensive cars or extravagant vacations), so managers should be educated
to be observant of these signs.
ii. Employees should know that supervisors are watching for unexplained or
suspicious anomalies of this nature.
E. Reporting programs
i. An anonymous reporting channel, such as an ethics hotline, is an integral part
of an anti-fraud control system.
ii. Employees must be made aware of the existence of the reporting
mechanism, taught how to use it, and able to trust that they can report
suspicious activity anonymously or confidentially (where permitted by law)
without fear of reprisal.
iii. It should be made clear to employees that reports of suspicious activity will
be promptly and thoroughly evaluated.
iv. The following should be emphasized when educating employees about the
reporting program:
1. Fraud, waste, and abuse occur in nearly all companies.
2. Such conduct costs the company jobs and profits.
3. The company actively encourages any employee with information to
disclose it.
4. The employee can provide information anonymously and without fear
of retaliation for good-faith reporting.
5. There is an exact method for reporting an incident (e.g., a telephone
number or online form).
6. The report need not be made to one's immediate superiors.
F. Whistleblower support and protections
i. A major concern of individuals who wish to report misconduct in the
workplace is the fear of being retaliated against for their disclosure.
ii. Regardless of available legal protections for whistleblowers, organizations
can empower employees who wish to disclose information without fear of
negative consequences by creating a safe environment for them to voice
their concerns. This can be accomplished by implementing a clear
whistleblower policy that details standard reporting protocols and the
consequences for retaliating against whistleblowers.
iii. The whistleblower policy should:
1. Emphasize that it applies to all employees, regardless of their
positions or seniority, as well as to anyone external to the
organization who has knowledge of potential wrongdoing by any
employees or on the company's part.
2. Detail what types of misconduct to report, how to report concerns,
and any rewards available for disclosing credible information.
3. Include an anti-retaliation component that details the protections the
organization affords to whistleblowers and how people will be
punished if they violate the policy.
iv. It is important for management to establish and publicize the
organization's whistleblower procedures so that individuals both inside and
outside the organization are aware of the appropriate channels for
reporting misconduct.
G. Tone at the top
i. To achieve an organizational culture with a strong value system founded on
integrity, management must show employees through its words and actions
that dishonest or unethical behavior will not be tolerated.
ii. Management must create an environment in which employees feel safe to
challenge management's decisions or speak up if they think something is
wrong.
iii. A culture that encourages employees to share their concerns can reduce the
risk of fraud significantly because employees often feel more loyal to their
superiors.
iv. Such a culture might also prevent unethical behavior because issues of
anger or stress can be addressed before they escalate to the point of
a fraud.
v. When management believes and acts as though it is "above the law" with
respect to company policies, staff members are much less likely to follow
rules.
vi. When management acts ethically and follows organizational policies, the
staff tends to respect and appreciate the behavior and copy it.
H. Organizational structure
i. A well-designed organizational structure—with key areas of authority and
clear and proper lines of reporting—can be an effective fraud prevention
measure.
ii. Establishing and communicating the proper flow of information to everyone in
the organization (e.g., through the use of flowcharts displaying organizational
and departmental hierarchies) is an essential component of a well-designed
organizational structure.
I. Background checks
i. Before hiring anyone, management should conduct a background check
(where and to the extent permitted by law) to find out as much as possible
about the employee's previous experience with employers and law
enforcement.
ii. At a minimum, employers should check the background of any employee who
will have constant access to cash, checks, credit card numbers, or any other
items that are easily stolen.
iii. Background checks should also be run on existing employees who are being
promoted or moved to positions that include access to sensitive or valuable
company resources.
iv. When possible and legally permissible, employers should conduct a
background check in which they verify position, dates of employment, and
eligibility for rehire with past employers.
J. Performance management and measurement
i. It is important to place employees in situations where they are able to thrive
without resorting to unethical conduct.
ii. Organizations should provide employees with well-defined job descriptions
and performance goals.
iii. Performance goals should be routinely reviewed to ensure that they do not
set unrealistic standards.
iv. Training (including ethics training) should be provided on a consistent basis to
ensure that employees maintain the skills needed to perform their tasks
effectively.
v. Care should be taken to set performance goals that motivate employees to
challenge themselves but are not so ambitious that the only way they can
meet them is to perpetrate fraud.
vi. Including ethics-based metrics as a component of performance goals and
evaluation can be an especially effective way to foster ethical behavior and
reinforce the importance of ethics as the guiding factor in making business
decisions.
K. Handling known fraud incidents
i. It must be emphasized to all employees that the company maintains a policy
of zero tolerance for fraud.
ii. By not consistently punishing perpetrators, a company renders its fraud
prevention program less effective, if not useless.
iii. Reporting known incidents of fraud to law enforcement can be an effective
step in making the organization's zero-tolerance stance clear.
L. Minimizing employee pressures
i. Organizations should be mindful of the pressures (e.g., financial hardships or
family problems) that can lead to fraud and should take steps to increase
managers' awareness of such potential problems, as well as to assist an
employee who might be experiencing difficult times.
ii. Ways to minimize pressures include:
1. Open-door policies
a. An open-door policy that allows employees to speak honestly
about pressures can provide management with the
opportunity to alleviate such pressures before they become
acute, which will help prevent fraud.
2. Fair personnel policies and procedures
a. Ensuring that personnel policies and procedures are fair and
equitably applied can boost morale and thereby reduce fraud
risk.
3. Employee support programs
a. Examples include programs providing alcohol and drug
assistance, as well as counseling for gambling, family and
marital problems, and financial difficulties.
b. Making such programs available to employees who are facing
personal problems shows employees that management cares
for their well-being, which can reduce an employee's ability to
rationalize a dishonest act.
II. Creating an Anti-Fraud Policy
a. A written anti-fraud policy should specifically indicate who in an organization handles
varying fraud matters under differing circumstances.
b. Among other things, the anti-fraud policy might include:
i. A policy statement that formally defines fraud and outlines management's
position or attitude toward fraud in the workplace
ii. A section defining who is responsible for fraud prevention and detection
iii. A section detailing specific examples of actions that constitute fraud so
management has the legal grounds to investigate and punish violators
iv. A section explaining who will investigate suspected irregularities and to
whom such irregularities will be reported
III. Communicating the Anti-Fraud Policy
a. Management must periodically and appropriately communicate the company's
anti-fraud policy to all employees and third parties.
IV. Legal Considerations Regarding the Anti-Fraud Policy
a. It is best to detail specific unacceptable conduct to avoid legal problems in
discharging a dishonest employee.
b. Management should check with counsel regarding any legal considerations with
respect to the anti-fraud policy.
c. One of the most important legal considerations is to ensure everyone and every
allegation is handled in a uniform manner.
V. Developing an Ethics Program
a. A written ethics policy enables management to objectively communicate its ethical
philosophy and provides a foundation for a successful ethics program.
i. Should be disseminated among both new and old employees
ii. Should be given to vendors and posted on the website
iii. Gives the message that fraud is not tolerated
b. Key considerations when developing an ethics program include:
i. Understanding why good people can commit unethical acts
ii. Defining current—as well as desired—organizational values
iii. Determining if organizational values have been properly communicated
iv. Determining if ethics is currently a leadership issue in the organization
v. Ascertaining how board members, stockholders, management, employees,
and any other pertinent members of the organization define success
vi. Producing written ethics policies, procedures, or structures
c. The following components are necessary to develop, implement, and manage a
comprehensive ethics program:
i. Focus on ethical leadership
ii. Vision statement
iii. Values statement
iv. Code of ethics
v. Designated ethics official
vi. Ethics task force or committee
vii. Ethics communication strategy
viii. Ethics training
ix. Ethics help and fraud report telephone line
x. Ethical behavior rewards and sanctions
xi. Comprehensive system to monitor and track ethics data
xii. Periodic evaluation of ethics efforts and data
VI. Developing an Effective Corporate Compliance and Ethics Program
a. An effective compliance program can be defined as one that is reasonably designed,
implemented, and enforced so that it generally will be effective in preventing and
detecting criminal conduct.
b. To have an effective compliance and ethics program, the organization should:
i. Exercise due diligence to prevent and detect criminal conduct.
ii. Otherwise promote an organizational culture that encourages ethical conduct
and a commitment to compliance with the law.
c. Elements of an effective compliance and ethics program
i. The following seven factors are minimally required for a corporate compliance
program to be considered effective:
1. Established standards and procedures to prevent and detect criminal
conduct
2. Proper assignment of responsibility and oversight for the compliance
program
3. Due diligence in the hiring process to ensure the ethics of individuals
who exercise a substantial measure of discretion in acting on an
organization's behalf
4. Periodic and practical communication of the compliance policy
through effective training programs and other means
5. Steps to ensure program compliance through monitoring, auditing,
periodically evaluating the program's effectiveness, and having a
publicized reporting system
6. Promotion and consistent enforcement of the program through
appropriate incentives for compliance and appropriate disciplinary
measures for violations
7. Reasonable response to any discovered criminal conduct to prevent
further similar criminal conduct, including making any necessary
modifications to the organization's compliance and ethics program


Sample Prep Questions

Question 1

Unless specific unacceptable conduct is detailed in an anti-fraud policy, there can be legal problems
in discharging a dishonest employee.

A. True

B. False

Question 2

Which of the following should be covered in employee anti-fraud training?

A. The exact procedures that management uses to detect fraud

B. A detailed explanation of the company's anti-fraud controls

C. Examples of past transgressions and how they were handled

D. All of the above


Question 3

To reinforce an anti-fraud culture, management should:

A. Show employees that unethical behavior will not be tolerated

B. Create an environment in which employees feel safe challenging management's
decisions

C. Visibly adhere to the same set of ethics policies that is required of all employees

D. All of the above


Ethics for Fraud Examiners


I. Purpose of a Code of Ethical Conduct
a. Serves as a reference and benchmark for ethical guidance
b. Makes explicit the conduct that is expected in a particular profession
c. Provides direct solutions not available from general ethics theories
d. Enables individuals to have a better understanding of what is expected of them
e. Makes practical enforcement and profession-wide internal discipline easier because
members are put on notice of the standards
II. Ethics and Legality
a. Ethics refers to the appropriateness of a decision in light of morality. That is, ethics
stress standards or codes of behavior expected by the group to which the individual
belongs.
b. Legality refers to lawfulness by conformity to a legal statute.
c. The law is the lowest reference level for moral decisions.
i. The law might permit an action that is prohibited by a profession's code of
ethics.
ii. Laws, rules, and regulations function as standards by which to judge
whether an action is legal or illegal but not whether the behavior is right.
III. ACFE Code of Professional Ethics
a. An ACFE Member shall, at all times, demonstrate a commitment to
professionalism and diligence in the performance of their duties.
i. Diligence
1. Exercised by properly planning assignments and supervising
assistants and colleagues, avoiding conflicts of interest, performing
with competence, obtaining sufficient evidence to establish a basis
for opinions, maintaining confidential relations, and avoiding
distortion of facts
b. An ACFE Member shall not engage in any illegal or unethical conduct, or any activity
which would constitute a conflict of interest that has not been properly disclosed to the
appropriate parties.
i. Illegal conduct
1. While some activities might be obviously illegal, the legality of others
might not be as apparent.
2. Fraud examiners generally are not entitled to claim ignorance of the
law.
ii. Conflict of interest
1. Exists when a fraud examiner's ability to objectively evaluate and
present an issue for a client is impaired by a current, prior, or potential
future relationship with parties to the fraud examination
2. General rules
a. A fraud examiner employed full time by a company should not
engage in other jobs that create a hardship or loss to the
employer.
b. A fraud examiner should not be a "double agent" who is
employed by one company but retained by another
company or person to infiltrate the employer and transmit
inside information (unless, of course, the employing
company agrees to the arrangement in order to apprehend
other parties employed by the company).
c. A fraud examiner should not accept engagements from both
sides to a controversy—just like lawyers are prohibited from
representing both parties in a transaction, lawsuit, or trial.
3. Independence and objectivity
a. Fraud examiners are responsible for maintaining
independence in attitude and appearance and for
approaching and conducting fraud examinations in an
objective and unbiased manner.
i. Independence of attitude requires impartiality and
fairness in conducting fraud examinations and in
reaching resulting conclusions and judgments.
ii. Objectivity refers to the ability to conduct fraud
examinations without being influenced by one's own
personal feelings or the feelings and motives of
others.
iii. To ensure objectivity in performing examinations,
fraud examiners must maintain an independent
mental attitude, reach judgments on examination
matters without undue influence from others, and
avoid being placed in positions where they would be
unable to work in an objective professional manner.
b. All possible conflicts of interest should be disclosed.
c. An ACFE Member shall, at all times, exhibit the highest level of integrity in the
performance of all professional assignments, and will accept only assignments for
which there is reasonable expectation that the assignment will be completed with
professional competence.
i. Integrity
1. Requires honesty, truthfulness, trustworthiness, and confidentiality
2. Requires subordination of desires for personal gain to the interests
of clients, employers, and the public
3. Requires independence of mental attitude and avoidance of conflicts of
interest
4. Requires an ability to analyze situations where no professional rules
are specifically applicable and determine right from wrong
ii. Professional competence
1. Refers to how well fraud examiners do their job
2. Fraud examiners must be competent in their respective areas and
disciplines, and they shall not accept assignments where competence
is lacking.
3. Fraud examiners cannot be expected to have an expert level of skill
and knowledge for every circumstance that might be encountered in a
fraud examination.
4. Nevertheless, fraud examiners must have sufficient skill and
knowledge to recognize when additional training or expert guidance is
required.
iii. Professional skepticism
1. As part of exercising professional integrity and competence, fraud
examiners must always perform their work with a mindset of
professional skepticism and begin assignments with the belief that
something is wrong or someone is committing a fraud.
2. Fraud examiners should relax their attitude of skepticism only when the
evidence shows no signs of fraudulent activity.
3. At no time is a fraud examiner entitled to assume a fraud problem does
not exist.
4. Professional skepticism can be dispelled only by evidence.
5. Opinions or attestations about a fraud-free environment are absolutely
prohibited for ACFE members.
d. An ACFE Member will comply with the lawful orders of the courts, and will testify to
matters truthfully and without bias or prejudice.
i. ACFE members must comply with all lawful court orders, and they will testify to
matters truthfully and without bias or prejudice.
ii. Fraud examiners should not flee from a summons or subpoena issued by a
court.
iii. When responding to questions in a testimonial setting, fraud examiners must
deliver their answer without bias or prejudice.
e. An ACFE Member, in conducting examinations, will obtain evidence or other
documentation to establish a reasonable basis for any opinion rendered. No
opinion shall be expressed regarding the guilt or innocence of any person or
party.
i. Fraud examiners must obtain evidence to establish a reasonable basis for any
opinion rendered.
ii. Fraud examiners must collect evidence, whether exculpatory or incriminating,
that supports fraud examination results and will be admissible in subsequent
proceedings.
1. To do so, the fraud examiner must obtain and document evidence in a
manner that ensures that all necessary evidence is obtained and that
the chain of custody is preserved.
iii. This rule also prohibits ACFE members from making statements of opinion as
to the guilt or innocence of any person or party.
iv. Determining whether a person is guilty or innocent of a crime is a decision
reserved for a judge or jury, not fraud examiners.
v. Fraud examiners may draw reasonable conclusions based on the evidence;
however, they must be very circumspect when doing so. Conclusions are
based on observations of the evidence, whereas opinions call for an
interpretation of the facts.
vi. Opinions regarding technical matters generally are permitted if the fraud
examiner is qualified as an expert in the matter.
f. An ACFE Member shall not reveal any confidential information obtained during a
professional engagement without proper authorization.
i. Confidential information
1. Fraud examiners must not disclose confidential information obtained
during the course of a professional engagement without appropriate
authorization.
2. Confidential information is any and all information a fraud examiner
might obtain in the course of work, whether it be from the company or
client for whom the work is performed or from any other source
consulted during the work.
3. If the client or employer consents to disclosure of information
otherwise considered confidential, then the fraud examiner can
transmit it to others.
a. Fraud examiners should be careful to let the client or
employer know what the consent covers.
b. It is still best to let the client or employer make the actual
disclosure themselves.
4. Fraud examiners are not bound by confidentiality when doing so
would violate the law.
a. Fraud examiners can reveal client confidences when
responding to a legal court order.
5. The confidentiality rule does not permit disclosure after a case concludes,
and fraud examiners are not permitted to disclose confidential information
if they resign, retire, or are fired from an employing organization.
ii. Privileged information
1. Fraud examiners must not disclose privileged information
obtained during a professional engagement without appropriate authority.
2. Privileged information is information that cannot be demanded, even
by a court; it is information that is protected by law from evidence.
3. Even though the ACFE Code of Professional Ethics does not assume
a privileged status for the fraud examiner-client/employer
relationship, fraud examiners must not disclose privileged information
without proper authorization from the fraud examiner's client or
employer.
iii. Confidentiality and blowing the whistle
1. Fraud examiners are not obligated to blow the whistle on clients or
employers, but circumstances might exist in which they are morally
and legally justified in making disclosures to appropriate outside
parties.
2. Such circumstances include when a client or employer has
intentionally involved a fraud examiner in its illegal conduct or when a
client or employer has distributed misleading reports based on the
fraud examiner's work.
3. A fraud examiner should not promise absolute or unconditional
confidentiality or leniency to an informant to obtain testimony.
g. An ACFE Member shall reveal all material matters discovered during the course of
an examination, which, if omitted, could cause a distortion of the facts.
i. Material
1. Information is material if having knowledge of such information might
reasonably be expected to influence a client's or employer's
decisions based on a fraud examiner's report.
2. An item of information that would change a user's perceptions and
conclusions if it were omitted from a report is considered material.
h. An ACFE Member shall continually strive to increase the competence and
effectiveness of professional services performed under their direction.
i. This rule instructs ACFE members to progress toward greater expertise so
they can better service their clients and employers.
ii. CFEs must obtain twenty hours of continuing professional education (CPE)
each year.


Sample Prep Questions

Question 1

Robert, a Certified Fraud Examiner (CFE), is hired by a client to conduct a fraud examination. At the
conclusion of the engagement, he issued a written report to the client and closed his file. A year
later, Robert receives a legal order from the local prosecutor's office to provide the report. Under the
ACFE Code of Professional Ethics, he will NOT be able to respond.

A. True

B. False

Question 2

In the context of a fraud examination, a mindset of professional skepticism means:

A. Fraud examiners should always begin their assignments with the belief that something is
amiss

B. Fraud examiners should relax their attitude of skepticism only when the evidence shows no
signs of fraud

C. A fraud examiner may not provide opinions or attestations about a fraud-free environment

D. All of the above

ABOUT THE ASSOCIATION OF CERTIFIED FRAUD
EXAMINERS
About the ACFE
Founded in 1988 by Dr. Joseph T. Wells, CFE, CPA, the ACFE is the world’s largest anti-fraud
organization and premier provider of anti-fraud training and education. Together with more than
90,000 members in more than 180 countries, the ACFE is reducing business fraud worldwide and
providing the training and resources needed to fight fraud more effectively.

The ACFE provides educational tools and practical solutions for anti-fraud professionals through
initiatives including:
• Global conferences and seminars led by anti-fraud experts
• Instructor-led, interactive professional training
• Comprehensive resources for fighting fraud, including books, self-study courses, and articles
• Leading anti-fraud publications, including Fraud Magazine, The Fraud Examiner, and
FraudInfo
• Local networking and support through more than 170 ACFE chapters worldwide
• Anti-fraud curriculum and educational tools for colleges and universities

The positive effects of anti-fraud training are far reaching. The best way to combat fraud is to
educate anyone engaged in fighting fraud on how to effectively prevent, detect, and investigate it.
By educating, uniting, and supporting the global anti-fraud community with the tools to fight
fraud more effectively, the ACFE is inspiring public confidence in the integrity and objectivity of
the profession.

Membership
Immediate access to world-class anti-fraud knowledge and tools is a necessity in the fight against
fraud. Members of the ACFE include accountants, internal auditors, fraud investigators, law
enforcement officers, lawyers, business leaders, risk and compliance professionals, and educators,
all of whom have access to expert training, educational tools, and resources. Members from all
over the world have come to depend on the ACFE for solutions to the challenges they face in their
professions.

Whether their careers are focused exclusively on preventing and detecting fraudulent activities or
they simply want to learn more about fraud, anti-fraud professionals turn to the ACFE for the
essential tools and resources to accomplish their objectives. To learn more, visit ACFE.com or
call (800) 245-3321 / + 1 (512) 478-9000.

©2022 ACFE
Association of Certified Fraud Examiners
Certified Fraud Examiners
The ACFE offers its members the opportunity for professional certification. The Certified Fraud
Examiner (CFE) credential is preferred by businesses and government entities around the world
and indicates expertise in fraud prevention and detection.
Certified Fraud Examiners (CFEs) are anti-fraud experts who have demonstrated knowledge in
four critical areas: financial transactions and fraud schemes, law, investigation, and fraud
prevention and deterrence. In support of CFEs and the CFE credential, the ACFE:
• Provides bona fide qualifications for CFEs through administration of the CFE Exam
• Requires CFEs to adhere to a strict code of professional conduct and ethics
• Serves as the global representative for CFEs to business, government, and academic
institutions
• Provides leadership to inspire public confidence in the integrity, objectivity, and
professionalism of CFEs
