What is fraud?

"It is a generic term, embracing all multifarious means which human ingenuity can devise, and which are resorted to by one individual to get advantage over another by false suggestions or suppression of truth, and includes all surprise, trick, cunning, dissembling, and any unfair way by which another is cheated Elements of a cause of action for fraud include false representation of a present or past fact made by defendant, action in reliance thereupon by plaintiff, and damage resulting to plaintiff from such misrepresentation." (Blacks Book of Law, 1979, p. 594)

Two types of fraud Fraudulent Financial Reporting - involves intentional misstatements or omissions of amounts or disclosures in financial statements designed to deceived financial users. Misappropriation of Assets - involve the theft of an organizations assets in which the effect of the theft causes the financial statements not to be presented.

"Any illegal act characterized by deceit, concealment, or violation of trust. These acts are not dependent upon the threat of violence or physical force. Frauds are perpetrated by parties and organizations to obtain money, property, or services; to avoid payment or loss of services; or to secure personal or business advantage." (The Institute of Internal Auditors, from the Glossary to its Standards in the International Professional Practices Framework)

Three main types of fraud Fraudulent Statements - Involve falsification of an organizations financial statements

Asset Misappropriation - Involves the theft or misuse of an organizations assets

Corruption "Any intentional act that results in a material misstatement in financial statements that are subject to an audit. [There are] two types of misstatements misstatements arising from fraudulent financial reporting and misstatement arising from misappropriation of assets." (The American Institute of Certified Public Accountants, from Statement on Auditing Standard No. 99) - Which fraudsters wrongfully use their influence in a business transaction to procure some benefit for themselves or another person, contrary to their duty to their employer or the rights of another.

"The use of ones occupation for personal enrichment through the deliberate misuse or misapplication of the employing organizations resources or assets." (Association of Certified Fraud Examiners, from the 2008 Report of the Nation on Occupational Fraud)

Fraud guide Indicates the importance for organizations to establish a diligent and ongoing effort to protect itself from acts of fraud. 5 Key Principles Fraud Risk Governance: Governance - combination of processes and structures implemented by the board to inform, direct, manage and monitor the activities of the organization toward the achievement of its objectives. Sets the tone for fraud risk management . Fraud Risk Assessment: Risk assessment - identification and analysis (typically in terms of impact and likelihood) of relevant risks to the achievement of an organizations objectives, forming a basis for determining how to the risks should be managed. Helps the organization determine the level of resources that should be devoted to preventing or detecting the identified fraud scenarios. Risk response- action or set of actions, taken by management to achieve a desired risk management Fraud Prevention Fraud Detection Fraud Reporting, Investigation and Resolution Fraud Prevention and Detection Prevention controls - policies, procedures, training and communications Detection control- include manual or automated activities that will recognize timely that a fraud has or is occurring. Detection control - include manual or automated activities that will recognize timely that a fraud has or is occurring. Prevention controls Ex: Credit checks, job descriptions, required authorization signatures, data entry checks, and physical control over assets to prevent their improper use are all examples of preventive controls.

Fraud Reporting, Investigation and Resolution Frauds are more likely to be detected by a tip than by audits, controls or other means. Examples: whistleblowers

1
Governance Over the Fraud Risk Management Program Strong governance provides the foundation for an effective fraud risk management program. The fraud guide goes to say, effective business ethics programs can serve as the foundation for preventing, detecting, and deterring fraudulent and criminal acts. An organizations ethical treatment of employees, customers, vendors, and the other partners will influence those receiving such treatment. These ethics programs create an environment where making the right decision is implicit. Roles and Responsibilities The roles and responsibilities in a fraud risk management program must be formal and communicated. Policies and procedures, job descriptions, charters, and delegations of authority. Board of Directors As indicated previously, boards help set the tone at the top. Tone at the top- the entity-wide attitude of integrity and control consciousness, as exhibited by the most senior executives of an organization. Fraud Oversight Responsibility A general understanding of procedures, incentive plans, etc. fraud-related policies,

A comprehensive understanding of the key fraud risks. Oversight of the fraud risk management program Receiving and monitoring reports The ability to retain outside counsel and experts when needed.

Directing the internal audit function and the independent outside auditor to provide assurance regarding fraud risk concerns. Management Similar to the board, management plays a very important role in setting the tone for the organization. They act as instrumental in shaping perceptions of the culture and their attitude toward fraud prevention. Responsible for monitoring and reporting. Employees The day-to-day execution of the fraud risk management program must involve everyone in the organization. According to Fraud guide, all levels of staff, management should: including

Conflict disclosure protocol or process- helps employees self disclose potential or actual conflicts of interests. Fraud risk assessment Reporting procedures and whistleblower protection that provide a well-known and easy avenue for individuals, whether inside or outside the organization, to report suspected violations or incidents. An investigation process that ensures all matters undergo a timely and thorough investigation, as appropriate. Disciplinary and/or corrective actions. Process evaluation and improvement to provide quality assurance that the program will continue to meet its objectives. Continuous monitoring to ensure the programs consistently operates as designed. Including these components in a fraud risk management program will not eliminate risk. It will however, provide reasonable assurance that fraud incidents are prevented, or detected timely and dealt with appropriately.

Have a basic understanding of fraud and be aware of the red flags. Understand their roles within the internal control framework. Read and understand policies and procedures. Ex: the fraud policy, code of conduct, whistleblower policy. Participate in the process of creating a strong control environment and designing and implementing fraud control activities. Report suspicions of incidences of fraud. Cooperate in investigations. The Internal Audit Function Plays an important role in contributing to the overall governance of a fraud risk management program. Components of a Fraud Risk Management Program Key Components of Fraud Risk Management Program Commitment by the board and senior management. Fraud awareness activities that help employees understand the purpose, requirements, and responsibilities of the program. An affirmation process

2
FRAUD RISK ASSESSMENT It should be performed periodically to identify potential schemes and events that need to be mitigated. RISK ASSESSMENT TEAM Risk assessment team should include personnel such as: Accounting/ Finance Personnel Nonfinancial Business Unit and Operations Personnel Legal and Compliance Personnel Risk Management Personnel

Risk of Managements Override of Controls Personnel within the organization generally know the controls and standard operating procedures that are in place to prevent fraud. It is reasonable to assume that individuals who are intent on committing fraud will use their knowledge of the organizations controls to do it in a manner that will conceal their actions.

Population of Fraud Risks 3 GENERAL CATEGORIES OF FRAUD RISK 1. Intentional manipulation of financial statements, which can lead to: Inappropriately reported revenues

Internal Audit Personnel Inappropriately reported expenditures 3 KEY ELEMENTS OF FRAUD RISK ASSESSMENT 1. Identify inherent fraud risk - Gather information to obtain the population of fraud risks that could apply to the organization. 2. Assess likelihood & significance of inherent fraud risk 2. Misappropriation of: 3. Response to Fraud Risk a) Tangible assets by: FRAUD RISK IDENTIFICATION i) Employees. The risk assessment team should go through a brainstorming activity to identify the agencys fraud risks. Incentives, pressures and opportunities Risk of management override of controls Population of fraud risks relevant to the agency Incentives, Pressures and Opportunities Incentives may represent monetary or other rewards that might give people a reason to act differently than they would normally act. Pressure may cause individuals to act differently because they feel they must relieve whatever is causing such pressures. Opportunities reflect ways through which a fraud can be committed, potentially without detection. ii) Customers. iii) Vendors. iv) Former employees and others outside the organization. b) Intangible assets. c) Proprietary business opportunities. 3. Corruption including: Bribery and gratuities Aiding and abetting fraud by other parties Conflicts of interest Embezzlement Inappropriately reflected balance sheet amounts, including reserves Concealing misappropriation of assets Concealing unauthorized receipts and expenditures

FRAUDULENT FINANCIAL REPORTING It involves intentional misstatements or omissions of amounts or disclosures in financial statement users. MISAPPROPRIATION OF ASSETS Involve the theft of an organizations assets in which the effect of the theft causes the financial statements not to be presented, in all material respects, in conformity with GAAP. CORRUPTION It is operationally defined as the misuse of entrusted power for private gain. A common form of corruption is aiding and abetting ASSESSMENT OF IMPACT AND LIKELIHOOD OF FRAUD RISK Likelihood -> The probability that a risk event will occur Impact -> The severity of outcomes caused by risk events. It can be measured in financial, reputation, legal and other types of outcomes RESPONSE TO FRAUD RISK RESPONSES TO RISK: To avoid risk To reduce the likelihood Share the operation To accept the risk

Providing Anti-fraud Training Employees must understand what fraud is, the red flags to watch for, how to report suspected fraud incidents and the consequences of committing fraud. Evaluating Performance and Compensation Programs Compensation programs must be scrutinized carefully to make sure that they not only encourage the right behavior, but even reward it. Employees who are not recognized for what they do and what they have accomplished, especially those who may have been bypassed for promotion, may feel their inappropriate and fraudulent conduct is justified. Conducting Exit Interviews These interviews may help HR managers determine whether there are issues regarding managements integrity or information regarding conditions conducive to fraud. HR should also review the content and information contained in resignation letters as they may contain information regarding possible fraud and misconduct existing within the organization. Authority Limits A misalignment between authority and responsibility, particularly in the absence of control activities and segregation of duties, can lead to fraud. By establishing boundaries of authority, potential fraudulent transaction can be prevented over the established authority limits. Transaction-level Procedures

3
Fraud Prevention... One of the most important forms of prevention relates to organizational awareness. The Fraud Guide states: One key to prevention is making personnel throughout the organization aware of the fraud risk management program. Performing Background Investigation An individual who has committed fraud once is more likely to do so again than that one who has not. It is important to know employees in order to evaluate their credentials and competence, match skills to the job requirements, and be aware of any issues of personal integrity that may impact their suitability for the position.

Fraud schemes often involve the use of third-party entities/ individuals. For that reason, organizations need thorough measures at the front-end that will prevent the back-end activities. By requiring careful scrutiny of those transactions before they are consummated, an organization can prevent inappropriate transactions from occurring. The on going success of any fraud prevention program depends on its continuous communication and reinforcement. Stressing the existence of fraud prevention program through a wide variety of media, gets the message out of both internal and external communities that the organization is communicated to prevent and deterring fraud

4
Fraud Detection Detective controls are those that are designed to identify occurrences of fraud or symptoms that may be indicative of fraud. Fraud detection techniques may be designed specifically to identify fraud or may be built into the system of internal controls and serves other purposes in addition to fraud detection. Fraud Guide Outlines Whistleblower Hotlines Hotlines allow individuals to report their concerns about suspicious activities and remain anonymous. In connection with maintaining a hotline, organization must also employ an effective case management process. Process Controls Process controls specifically designed to detect fraudulent activity, as well as errors, include reconciliations, independent reviews, physical inspections/counts, analyses, and audits. The nature of fraud risks is such that there should be a systematic identification of the types of fraud schemes that can be perpetrated against or within the organization to identify the process controls needed to reduce and control the risks. Proactive Fraud Detection Procedures Common proactive procedures include data analysis, continuous auditing and the use of other technology tools that can flag anomalies, trends and risk indicators warranting attention.

5
Fraud investigation and corrective action Principle 5: A reporting process should be in place to solicit input on potential fraud, and a coordinated approach to investigation and corrective action should be used to help ensure potential fraud is addressed appropriately and timely. Receiving the allegations An organization must have a process or protocol for gathering the available information pertaining to an allegation. This will help ensure that the organization develops a system for prompt , competent and confidential review, investigation, and a resolution of allegations involving potential fraud or misconduct. The Fraud Guides states that the investigation and response system should include a process for: Categorizing issues. Confirming the validity of the allegation. Defining the severity of the allegation. Escalating the issue or investigation when appropriate. Referring issues outside the scope of the program. Conducting the investigation and fact-finding. Resolving or closing the investigation. Listing types of information that should be kept

confidential. Defining how the investigation will be documented. Managing and retaining documents and information. Evaluating the allegations The evaluation step involves answering the following questions : Does this allegation require a formal investigation or is there enough information now to draw conclusions? Who should lead the investigation? Are there special skills or tools needed to conduct investigation? Who needs to be notified and when?

Investigations Protocols The Fraud Guide states that Factors to consider in developing the investigation plan include: Time sensitivity Notification Confidentiality Legal privileges Compliance Securing evidence Objectivity Goals Corrective action The final step is determining the appropriate actions based on the results of the investigation. Possible actions include: Legal actions Disciplinary actions Insurance claims if losses from the act are covered by insurance Redesign or reinforcement of processes or controls that may have inadequately designed or operated ineffectively, allowing the incident to occur. Understanding Fraudsters Internal auditors must have a heightened sense of professional skepticism. Understanding the different motives that drive fraudster. According to Thomas Golden, an experienced forensic accountant and fraud examiner, financial reporting fraud perpetrators fit one of two profiles: > Greater good oriented > Scheming, self-centered Gaining insights into the red flags that may signal individuals who are more vulnerable to committing fraud will help internal auditors understand when fraud risk heightened.

Such red flags include individuals who: Exhibit a lifestyle that appears to be well beyond their current means. Are experiencing extreme financial problems and/or have overwhelming personal debts. Have unusual propensity to spend money. Are suffering from depression or other emotional problems. Appear to have a gambling obsession. Have a need or craving for status and believe that money can buy that status. Implications of Fraud Auditing to Internal Auditors and Others Internal Auditors must consider fraud in everything they do. Increasing responsibility in the following: a) Preventing fraud b) Deterring fraud c) Detecting fraud The Standard provide specific guidelines for the Internal Auditor for such matters (fraud risk management) : a) Have sufficient knowledge to evaluate risk of fraud and the manner the organization manages such (Standard 1210.A2). Though they are not expected to have expertise of a person who specializes in detecting and investigating fraud, but this definitely is a plus. b) Exercise due professional care by considering the possibility of the matters such as: Error, Noncompliance, FRAUD (Standard 1220.A1) Also Internal auditors are expected to question a lot of matters concerning fraud, but it will be discuss further later. The Chief Audit Executive(CAE) must : Report periodically to senior management and the board on matters including of course, Fraud risks (Standard 2060) . The Internal audit function must : Evaluate the potential occurrence of fraud and how the organization manages fraud risk. (Standard 2120.A2).

Professional Skepticism, Forensic Technology Professional Skepticism

Professional

Judgment,

and

Use of Fraud Specialists Since the internal audit functions is involved in a lot of tasks concerning fraud in an organization, they may or may not have the skills or experience to do such tasks so use of, or having in their disposal of people who specializes in such are most of the time needed.

The state of mind in which internal auditors : c) Critically assesses audit evidences. b) Constantly question what they hear or see. a) Take nothing for granted. Not all auditors possess this qualities but effective auditors are expected, warranted, and justified to possess and exercise such qualities. Professional Judgment Process used to reach a well-reasoned conclusion that is based on : a) Relevant facts derived by any reliable means such as evidences. b) Circumstances at hand. When investigating fraud not only internal auditors but everyone involved in such tasks are expected to have such qualities. Not only connecting the dots or the clues at hand, but being able to see the whole picture looking at all these things simultaneously. Forensic Technology Scientific means to assist a person investigating something. Examples : 1. Digital analysis 2. CAATS Computer assisted audit techniques. 3. Predictive analysis. Not only this technological tools will make it easier to finish a job concerning fraud risk and fraud management but it will also make it more effective and efficient. Thought : Imagine having a fully-functional tank against a hundred men with riffles.

Certified Fraud Examiners CFEs have a unique set of skills that are not found in any other career field or discipline; they combine knowledge of complex financial transactions with an understanding of methods, law, and how to resolve allegations of fraud.

Communicating Fraud Audit Outcomes When communicating or delivering the result of such audits, delivering it in a systemized and understandable fashion is a must. As to fulfillment of such, this are the typical guidelines and also the matters to be included: a) A brief, clear statement of the issues. b) A citation of the relevant policies, rules, standards, laws, and regulations that may be applicable to the case at hand. c) The analysis of the evidence gathered to form a professional opinion. d) The conclusions; the findings and recommendations. This documents should contain facts only. Also determining culpability and affixing blame are outside the scope of the internal audit function.