Fraud Risk Management

General Anti-Fraud Controls (Entity-Level)

2014 Association of Certified Fraud Examiners, Inc.

Discussion Questions
1) Does your organization have controls in place
that have been effective at controlling fraud risks
that might be helpful at other organizations?
2) Can you think of any internal controls that can
serve to both prevent and detect fraudulent
activity?

2014 Association of Certified Fraud Examiners, Inc.

2 of 18

Learning Objectives

Define internal control.

Identify the different types of controls.
Understand how to implement entity-wide
controls designed to prevent fraud.
Understand how to implement entity-wide
controls designed to detect fraud.

2014 Association of Certified Fraud Examiners, Inc.

3 of 18

COSO Definition of Internal Control

A process, effected by an entitys board of
directors, management, and other personnel,
designed to provide reasonable assurance
regarding the achievement of objectives relating
to operations, reporting, and compliance.

2014 Association of Certified Fraud Examiners, Inc.

4 of 18

Objectives of Internal Control

Operations objectives: the effectiveness and

efficiency of the organizations operations
Reporting objectives: the reporting of financial
and nonfinancial information to internal and
external parties
Compliance objectives: the organizations
adherence to the laws and the regulations to
which it is subject

2014 Association of Certified Fraud Examiners, Inc.

5 of 18

Types of Internal Controls

Preventive vs. detective controls

Entity-level vs. process- or transaction-level
controls

2014 Association of Certified Fraud Examiners, Inc.

6 of 18

COSO Internal Control

Integrated Framework

Control environment
Risk assessment
Control activities
Information and communication
Monitoring

2014 Association of Certified Fraud Examiners, Inc.

8 of 18

Control Environment

Sets the moral tone and provides foundation for

all other control components
Principles:

Commitment to integrity and ethical values

Independent board that oversees development and
performance of internal control
Appropriate structures, reporting lines, and
authorities and responsibilities
Commitment to attract, develop, and retain
competent individuals
Accountability for internal control responsibilities
2014 Association of Certified Fraud Examiners, Inc.

9 of 18

Risk Assessment

Dynamic and iterative process that forms the

basis for determining how risks will be managed
Principles:

Set sufficiently clear objectives to enable the

identification and assessment of risks
Identify and analyze risks to the achievement of
objectives across the entity
Consider potential for fraud in assessing risks to the
achievement of objectives
Identify and assess changes that could significantly
impact the system of internal control
2014 Association of Certified Fraud Examiners, Inc.

10 of 18

Control Activities

Policies and procedures that enforce

managements directives
Principles:

Select and develop control activities that mitigate

risks to acceptable levels
Select and develop general control activities over
technology
Deploy control activities through policies that
establish what is expected and procedures that put
policies into action

2014 Association of Certified Fraud Examiners, Inc.

11 of 18

Information and Communication

The exchange of information in a way that

allows employees to carry out their
responsibilities and achieve objectives
Principles:

Obtain/generate and use relevant, quality information

to support the functioning of controls
Internally communicate information, including
objectives and responsibilities, necessary to support
the functioning of internal control
Communicate with external parties regarding matters
affecting the functioning of internal control
2014 Association of Certified Fraud Examiners, Inc.

12 of 18

Monitoring

The process that assesses the effectiveness of

the control system over time
Principles:

Select, develop, and perform ongoing and separate

evaluations to ascertain whether the components of
internal control are present and functioning
Evaluate and communicate control deficiencies in a
timely manner to those parties responsible for taking
corrective action

2014 Association of Certified Fraud Examiners, Inc.

13 of 18

Fraud Preventive Controls

Code of conduct, ethics policy, anti-fraud policy

Employee education
The perception of detection
Organizational structure
Independent board of directors/audit committee

2014 Association of Certified Fraud Examiners, Inc.

14 of 18

Fraud Preventive Controls

Tone at the top

Zero-tolerance stance
Internal audit function
Hiring practices and promotion procedures

Background checks

2014 Association of Certified Fraud Examiners, Inc.

15 of 18

Fraud Preventive Controls

Proper assignment of authority and

responsibility
Minimizing employee pressures

Fair personnel policies and procedures

Reasonable performance goals
Open-door policies
Employee support programs

2014 Association of Certified Fraud Examiners, Inc.

16 of 18

Fraud Detective Controls

Reporting mechanisms and whistleblower

programs

Rewards for whistleblowers

Proactive audit policies

Increased use of analytical review

Fraud assessment questioning
Surprise audits where possible

2014 Association of Certified Fraud Examiners, Inc.

17 of 18

Fraud Detective Controls

Feedback mechanism
Mandatory vacation and job
rotation policies (where
possible)

2014 Association of Certified Fraud Examiners, Inc.

18 of 18