Chapters 8: Risk of Fraud an Illegal Acts

1. Corruption
a. Acts in which individuals wrongfully use their influence in a business transaction in order to procure
some benefit for themselves or another person
2. Common fraud perpetrator red flags
a. Living beyond their means
b. Experiencing financial difficulties
c. Excessive organizational pressure
3. Fraud
a. Any illegal act characterized by deceit, concealment, or violation of trust
4. Misappropriation of assets
a. Pilferage
b. Embezzlement
c. Defalcation (misappropriation of money)
5. fraudulent financial reporting
a. acts that involve falsification of an organizations financial statements
6. occupational fraud
a. fraud in the workplace
i. falsification of financial statements
ii. asset misappropriation
iii. corruption
7. Governance
a. The combination of processes and structures implemented by the board to inform, direct, manage, and
monitor the activities of the organization toward the achievement of its objectives
8. Risk assessment
a. The identification and analysis of relevant risks to the achievement of an organizations objectives
9. Risk response
a. An action, or set of actions, taken by management to achieve a desired risk management strategy
10. Fraud detection
a. Occupational frauds are much more likely to be detected by a tip than by audits, controls, or other
means
11. Tone at the top
a. The entity-wide attitude of integrity and control consciousness, as exhibited by the most senior
executives of an organization
12. Control environment
a. The attitude and actions of the board and management regarding the significance of control within the
organization
13. Fraud awareness
a. Activities that help employees understand the purpose, requirements, and responsibilities of a fraud risk
management program
14. Reasonable assurance
a. A level of assurance that is supported by generally accepted auditing procedures and judgments
15. Regulatory and legal misconduct
a. Includes conflicts of interest, insider trading, theft or competitor trade secrets, etc
16. Impact
a. The severity of outcomes caused by risk events. Can be measured in financial, reputation, legal, or other
types of outcomes
17. Likelihood
a. The probability that a risk event will occur
 18. Risk tolerance
a. The acceptable levels of risk size and variation relative to the achievement of objectives
19. Preventive control
a. An activity that is designed to deter unintended events from occurring
20. Collusion
a. Acts involving two or more persons, working together, whereby established controls or procedures may
be circumvented for the gain of those individuals
21. Detective control
a. An activity that is designed to discover undesirable events that have already occurred
22. Legal privileges
a. Working with legal counsel to protect the results of investigations, supporting working papers, and
communications with counsel
23. Fraud perpetrators
a. Generally fit one of two profiles: greater good oriented or scheming, self-centered types
24. Due professional care
a. Applying the care and skill expected of a reasonably prudent and competent internal auditor
25. Professional skepticism
a. The state of mind in which internal auditors take nothing for granted; they continuously question what
they hear and see and critically assess audit evidence

Fraud is any intentional act or omission designed to deceive others, resulting in the victim suffering a loss/ or the
perpetrator achieving a gain.

AICPA definition
o Fraudulent financial reporting involves:
Misstatements or omissions of amounts or disclosures in financial statements designed to
deceive financial statement users (examples)
ACFE Definition
o Focuses on occupational fraud
Is clandestine (secretive and suspicious)
Violates the perpetrators fiduciary duties to the victim organization
Is committed for the purpose of direct or indirect financial benefit to the perpetrator
Costs the employing organization assets, revenues, or reserves

ACFEs 2012 Report to the Nation Occupational Fraud and Abuse Classification System

o Three main types of fraud

Fraudulent statements
Involves falsification of an organizations financial statements
Misappropriation of assets and business opportunities
Involves the theft or misuse of an organizations assets (stealing inventory, payroll fraud)
Committed by employees, customers, vendors and former employees
Corruption
Fraudsters wrongfully use their influence in a business transaction to procure some
benefit for themselves or another person. (bribery, kickbacks and gratuities)

The fraud triangle

Defined as the Root causes of fraud

Three components
o Perceived need/pressure
 Generating the attitude that when you cant make the numbers, you just make them
up
o Perceived Opportunity
Ample opportunity nobodys watching the store, the employee is trusted completely
o Rationalization of fraudulent behavior
Fraud perpetrators justify their actions to themselves as a coping mechanism. everyones
doing it

Key Principles for managing Fraud Risk

(principle 1) Fraud risk governance

o A fraud risk management program should be in place, including a written policy to convey the
expectations of the board of directors and senior management regarding managing fraud risk
(principle 2) Fraud Risk Assessment
o Fraud risk exposure should be assessed periodically by the organization to identify specific potential
schemes and events that the organization needs to mitigate
(principles 3 and 4) Fraud prevention and detection
o Prevention techniques to avoid potential key fraud risk events should be established, where
feasible, to mitigate possible impacts on the organization
o Detection techniques should be established to uncover fraud events when preventive measures fail
or unmitigated risks are realized
(principle 5) Fraud reporting, investigation, and resolution
o A reporting process should be in place to solicit input on potential fraud, and a coordinated
approach to investigation and corrective action should be used to help ensure potential fraud is
addressed appropriately and timely

Governance over the Fraud Risk Management Program

Strong governance provides the foundation for an effective fraud risk management program
Corporate cultures that encompass strong board governance practices
o Board ownership of agendas and information flow
o Access to multiple layers of management and effective control of a whistleblower hotline
o Effective senior management team evaluations, performance
o A code of conduct specific for senior management, in addition to the organizations code of conduct
o Strong emphasis on the boards own independent effectiveness and process through board evaluations

Roles and responsibilities

A Fraud Risk Management Program must be formal and communicated. Policies and procedures, job
descriptions, charters, and delegations of authority are all important in defining the various roles and
responsibilities for such a program
o Board of directors
Helps set tone at top
The oversight should generally include
o A general understanding of fraud-related policies, procedures, incentive plans
o comprehensive understanding of the key fraud risks
o oversight of the fraud risk management program, including the internal controls
o Management
Similar to the board, also play an important role in setting the tone for the organization
How management acts is instrumental in shaping perceptions of the culture and its attitude
toward fraud prevention
 o Employees
All levels of staff should:
o Have a basic understanding of fraud and be aware of the red flags
o Understand their roles within the internal control framework
o Read and understand policies and procedures
o The internal Audit Function
Plays an important role in contributing to the overall governance of a Fraud Risk Management
program
Independent outside auditors have certain responsibilities with regard to the detection of
certain types of fraud (primarily financial reporting fraud and misappropriation of certain assets)

Components of a Fraud Risk Management Program

Commitment
o By the board and senior management
o Should be formally documented and communicated throughout the organization
Fraud awareness
o Activities that help employees understand the purpose, requirements, and responsibilities of the
program
Written and oral communication to all employees
Postings on the organizations internal website and external Web page
Formal training programs
An affirmation process
o Requires employees to affirm periodically, typically annually, that they understand and are complying
with policies and procedures
A conflict disclosure
o Protocol or process that helps employees self-disclose potential or actual conflicts of interest
Fraud risk assessment
o Helps to identify all reasonable fraud scenarios
Reporting procedures and whistleblower protection
o Provide a well-known and easy avenue for individuals, whether inside or outside the organization, to
report suspected violations or incidents
An investigation process
o Ensures all matters undergo a timely and thorough investigation
Disciplinary and/or corrective actions
o address noncompliance with established policies and help deter fraudulent behavior
Process evaluation and improvement
o To provide quality assurance that the program will continue to meet its objectives
Continuous monitoring
o To ensure the program consistently operates as designed

Fraud Risk Assessment Auditors Responsibilities

Three key steps

o Identify inherent fraud risks
o Assess impact and likelihood of the identified risks
o Develop responses to those risks that have a sufficiently high impact and likelihood to result in a
potential outcome beyond managements tolerance
Fraud risk assessments typically include
o Accounting and finance personnel to help identify financial reporting and safeguarding of cash fraud
scenarios
 o Nonfinancial business personnel to leverage their knowledge of day-to-day operations, customer and
vendor interactions, and other industry related fraud scenarios
o Legal and compliance personnel to identify scenarios that may include potential criminal, civil, and
regulatory liability
o Risk management personnel to help identify market and insurance fraud scenarios
o Internal auditors, who have an understanding of broad fraud risk scenarios and controls
o Other internal or external parties who can provide additional expertise to the exercise
Fraud Risk Identification
o An effective means of identifying the most comprehensive list of fraud risk scenarios through
brainstorming
Incentives, pressures, and opportunities
Risk of managements override of controls
Population of fraud risks
Fraudulent financial reporting
Misappropriation of assets
Corruption
Assessment of impact and likelihood of fraud risks
o Determining the potential impact and likelihood of each fraud scenario is a subjective process
Impact
Important to consider all possible outcomes of a fraud risk scenario, not just the
financial statement or monetary impact
Likelihood
Judgment regarding the probability or frequency of a fraud scenario is influenced in part
by past experience
Response to Fraud Risk
o Managements tolerance to fraud risks influences the fraud risk assessment
o COSO outlines four possible responses to risks
Avoid
Reduce
Share
Accept

Fraud Prevention

Performing background investigations

Providing anti-fraud training
Evaluating performance and compensation programs
Conducting exit interviews
Authority limits
Transaction-level procedures

Fraud Detection

Whistleblower hotlines
Process controls
Proactive fraud detection procedures

Fraud investigation and corrective action

Receiving the allegation

o Categorizing issues
 o Confirming the validity of the allegations
o Escalating the issue or investigation when appropriate
o Referring issues outside the scope of the program
o Conducting the investigation and fact-finding
o Resolving or closing the investigation
o Listing types of information that should be kept confidential
o Defining how the investigation will be documented
o Managing and retaining documents and information
Evaluating the allegation
o Does this legislation require a formal investigation or is there enough information now to draw a
conclusion
o Are there special skills or tools needed to conduct the investigation
o Who should lead the investigation?
o Who needs to be notified and when?
o Establishing formal protocols
Establishing investigation protocols
o Time sensitivity
o Notification
o Confidentiality
o Legal privileges
o Compliance
o Securing evidence
o Objectivity
o goals
Determining appropriate actions
o Legal actions, whether criminal or civil
o Disciplinary actions, such as warning, demotion, censure, suspension, or termination
o Insurance claims if losses from the act are covered by insurance policies

Understanding Fraudsters

Detecting Red Flags

o Exhibit a lifestyle that appears to be well beyond their current means
o Experiencing extreme financial problems and/or have overwhelming personal debts
o Have an unusual propensity to spend money
o Are suffering from depression or other emotional problems
o Appear to have a gambling obsession
o Have a need or crabbing for status, and believe money can buy that status

Implications for internal auditors

Internal auditors must exercise due professional care by considering the probability of significant errors, fraud,
or noncompliance
The chief audit executive must report periodically to senior management and the board
The internal audit (function) must evaluate the potential for the occurrence of fraud and how the organization
manages fraud risk

Communicating fraud audit outcomes

A brief, clear statement of the issue

A citation of the relevant policies, rules, standards, laws, and regulations that may be applicable to the case at
hand
 The analysis of the evidence gathered to form a professional opinion
The conclusions; that is, the findings and recommendations

10 opportunities for the internal audit function to provide insight into the risk of fraud and illegal acts

Assist the organization in the development of comprehensive fraud risk assessment

Develop processes for early detection of fraud
Develop data analysis tools that can be used to detect fraud in the early stages
Assist with the development of hotline call procedures
Provide fraud awareness training throughout the organization
Act decisively on significant fraud events
Inform management of potential legal acts that are risks to the organization
Assist management in developing a culture of ethical behavior and low tolerance of fraud

Use of Fraud specialists

The purpose of using the work of a specialist is to provide the auditor with specialized skills or knowledge the
auditor may lack
o Appropriate to use specialists to assist the internal auditor with a fraud investigation
Fraudulent financial reporting
When auditor is lacking knowledge in certain areas such as technology
Suspicions of fraud with a large number of employees and/or upper management, board, CAE
o Advantages to using a fraud specialist
Independent of audit
Have a good understanding on how to handle a variety of situations
Aid in oversight process
Provide more objective input

Chapter 9: Managing the internal audit function

1. Certified Fraud Examiners

a. Individuals certified as specialists in conducting forensic accounting investigations and advising on fraud
risks and other fraud matters
2. Chief Audit Executive
a. A senior position within the organization responsible for internal audit activities
3. Internal Audit Charter
a. A formal written document that defines the internal audit functions purpose, authority, and
responsibility
4. Individual objectivity
a. An unbiased mental attitude that allows internal auditors to perform engagements in such a manner
that they have an honest belief in their work product and that no significant quality compromises are
made

5. Organizational independence
a. The chief audit executives line of reporting within the organization that allows the internal audit
function to fulfill its responsibilities free from interference
6. Proficiency
a. The knowledge, skills, and other competencies internal auditors need to perform their individual
responsibilities
7. Due professional care
a. Internal auditors must apply the care and skill expected of a reasonably prudent internal auditor,
however, internal auditors are not expected to be infallible
8. Audit universe
a. A compilation of the subsidiaries, business units, departments, groups, processes, or other established
subdivisions of an organization that exist to manage one or more business risks
9. Internal audit plan
a. An outline of the specific assurance and consulting engagements scheduled for a period of time
(typically one year) based on an assessment of the organizations risks
10. The internal auditor competency framework
a. The resource, published by the IIA, outlines the minimal level of knowledge and skills internal auditors
should have at different points in their careers in four areas:
i. Interpersonal skills
ii. Tools and techniques
iii. Internal audit standards
iv. Knowledge areas
11. Strategic sourcing
a. Supplements the in-house internal audit function through the use of third party vendor services for the
purposes of gaining subject matter expertise for a specific engagement or filling a gap in needed
resources to complete the internal audit plan
12. Independent outside auditor
a. A registered public accounting firm, hired by the organizations board or executive management, to
perform a financial statement audit
13. Board
a. An organizations governing body, such as a board of directors, supervisory board, etc. to whom the chief
audit executive may functionally report
14. Risk management
a. The process conducted by management to understand and deal with uncertainties that could affect the
organizations ability to achieve its objectives
15. Control
a. Any action taken by management, the board, and other parties to manage risk and increase the
likelihood that established objectives and goals will be achieved
16. Quality assurance
a. The process of assuring that an internal audit function operates according to a set of standards
17. Nonconformance with the standards
a. Occurs when the internal audit function is found to be deficient to the point that it impacts the overall
scope or operation of the internal audit function
18. Quality assurance and improvement program
a. An ongoing and periodic assessment of the entire spectrum of audit and consulting work performed by
the internal audit function
19. Control self-assessment
a. A facilitated process whereby control owners provide a self-assessment of the design adequacy and
operating effectiveness of controls for which they are responsible
20. Continuous auditing
a. the use of computerized techniques to perpetually audit the processing of business transactions
i. enhances an internal audit functions productivity
1. risk and control self-assessment
2. data analysis
3. automated monitoring
4. automated working papers
5. department administration and management
6. the internet
 21. Reasonable assurance
a. A level of assurance that is supported by generally accepted auditing procedures and judgments
22. Persuasive audit evidence
a. Enables the internal auditor to formulate well-founded conclusions and advice confidently
23. Audit risk
a. The risk of reaching invalid audit conclusions and/or providing faulty advice based on the audit work
conducted
24. Audit procedures
a. Specific tasks performed by the internal auditor to gather the evidence required to achieve the
prescribed audit objectives
25. Vouching
a. Tracking information backward from one document or record to a previously prepared document or
record, or to a tangible resource
26. Tracing
a. Tracking information forward from one document, record, or tangible resource to a subsequently
prepared document or record
27. Analytical procedures
a. Assessing information obtained during an engagement by comparing the information with expectations
identified or developed by the internal auditor
28. External benchmarking
a. Comparing performance information for the organization with like information of other individual
organizations or the industry in which the organization operates
29. Internal benchmarking
a. Comparing performance information of one organizational unit with like information for other
organizational units
30. Generalized audit software (GAS)
a. Multipurpose software that can be used for audit purposes such as record selection, matching,
recalculation, and reporting
31. Continuous auditing
a. Using computerized techniques to perpetually audit the processing of business transactions

Positioning the internal audit function in the organization

There is a broad spectrum of opinions regarding where internal audit functions can and should be positioned in
an organization to conform to the IIA
o One end of the spectrum, internal audit functions are placed on a senior management level, giving the
function the visibility, authority, and responsibility to:
Independently evaluate managements assessment of the organizations system of internal
controls
Assess the organizations ability to achieve business objectives and manage, monitor, and
mitigate risks associated with the achievement of those objectives
o On the other end of the spectrum, are those organizations that either do not have internal audit
functions, or place their internal audit functions much lower in the organizational hierarchy, typically
assigning them non-audit activities to perform on a day-to-day basis such as quality assurance,
compliance, operational, and/or other transaction processing activities.
The internal audit function is effectively managed when:
o The results of the internal audit (functions) work achieve the purpose and responsibility included in the
internal audit charter
o The internal audit (function) conforms with the definition of internal auditing and the standards
 o The individuals who are part of the internal audit (function) demonstrate conformance with the code of
ethics and the standards

Planning

The CAE is responsible for creating an operating budget and allocating resources in a manner designed to
accomplish the annual internal audit plan
o The annual plan is developed by the internal audit function through a process that identifies and
prioritizes possible audit entities (business units or processes, referred to as the audit universe)
responsible for mitigating key strategic, operations, reporting, and compliance risks to levels acceptable
to the organizations board of directors and senior management
Assurance services
o The internal audit activitys plan of engagements must be based on a documented risk assessment,
undertaken at least annually. The input of senior management and the board must be considered in this
process
Consulting Services
o The chief audit executive should consider accepting proposed consulting engagements based on the
engagements potential to improve management of risks, add value, and improve the organizations
operations.

Communication and approval

Once internal audit plan has been established, it is incumbent upon the CAE to present it to senior management
and the board (generally the audit committee) to be approved
o The CAE will submit annually to senior management and the board for review and approval a summary
of the internal audit plan, work schedule, staffing plan, and financial budget
o The approved engagement work schedule, staffing plan, and financial budget, along with all significant
interim changes, are to contain sufficient information to enable senior management and the board to
ascertain whether the internal audit activities objectives and plans support those of the organization
and the board and are consistent with the internal audit charter

Resource Management

Organizational structure and staffing strategy

o Should be structured in a way that is consistent with the needs and culture of their organizations
Staff auditor or IT staff auditor
Senior auditor or IT senior auditor
Audit manager or IT audit manager
Audit director or IT audit director
Chief audit executive
Right sizing
o An important concept in the staffing and scheduling of an internal audit function
Staffing plans/human resources
o Although some aspects of maintaining appropriate human resources are delegated to other high-level
associates in the internal audit function, the CAE is primary responsible for the sufficiency and
management of internal audit resources in a manner that ensures the fulfillment of internal audits
responsibilities
Hiring practices
o The CAE is responsible to hiring associates to fill the organizational structure of the internal audit
function in a way that maximizes efficiently, effectively provides the necessary skill base, and makes
good use of the financial budget
 Strategic sourcing
o Referred to as co-sourcing or outsourcing, allows the CAE to optimize both the skill base and the
financial considerations related to staffing
Training and mentoring
o Staff development is of particular importance for an internal audit function due to the requirements
placed on it regarding proficiency and due professional care
Career planning and professional development
o A good internal audit function will have a process in place for career development and succession
planning
Scheduling
o Once the right mix of permanent associates and strategic sourcing is in place and appropriately
organized within the internal audit function, the CAE can begin assigning specific engagements and
projects to the personnel best suited to perform them
Financial budget
o Driven primarily by the internal audit plan, organizational structure, and staffing strategy

The three lines of defense model

First line of Defense

o Is Management
Second Line of Defense
o Process owners (people carrying out processes)
Third line of Defense
o Internal audit (should be independent of management)
Additional lines of Defense
o External sources for assurance that the organizations risks are adequately mitigated

Reporting to the Board and Senior Management

The CAE has responsibility to report periodically to senior management and the board on the internal audit
activitys purpose, authority, responsibility, and performance relative to its plan
Management and the CAE coordinate efforts to routinely report on various risk and control activities performed
o Business unit monitoring and risk monitoring reports
o Independent outside auditor activity reports
o Key financial activity reports
o Risk management activity reports
o Legal and compliance monitoring reports

Governance

Requires the internal audit function to assess and make appropriate recommendations for improving the
governance process
o Promoting appropriate ethics and values within the organization
o Ensuring effective organizational performance management and accountability
o Communicating risk and control information to appropriate areas of the organization
o Coordinating the activities of and communicating information among the board, [independent outside]
and internal auditors, and management
Internal audit functions governance responsibilities
o Evaluate
o Determine
o Assess
Risk Management

Risk mitigation is most effectively accomplished when it is decentralized to the areas most affected by the
specific risks
Internal audit activity must evaluate the effectiveness and contribute to the improvement of risk management
processes
o Organizational objectives support and align with the organizations mission
o Significant risks are identified and assessed
o Appropriate risk responses are selected that align risks with the organizations risk appetite
o Relevant risk information is captured and communicated in a timely manner across the organization

Control

The internal audit activity must assist the organization in maintaining effective controls by evaluating their
effectiveness and efficiency and by promoting continuous improvement
o Achievement of the organizations strategic objectives
o Reliability and integrity of financial and operational (non-financial) information
o Effectiveness and efficiency of operations
o Safeguarding of assets
o Compliance with laws, regulations, and contracts

Quality Assurance and Improvement Program (Quality Program Assessments)

Internal Assessments
External assessments: self-assessment with independent validation
Internal audit function self-assessment quality assurance procedures for small functions as outlined by the IIA
Requirements of the quality assurance and improvement program

Chapter 10: Audit Evidence and Working Papers

1. ACL and IDEA

a. The two most widely used, commercially available, audit software programs
2. Audit risk
a. The risk of reaching invalid audit conclusions and/or providing faulty advice based on the audit work
conducted
3. Sampling risk
a. The risk that the internal auditors conclusion based on sample testing may be different than the
conclusion reached if the audit procedure was applied to all items in the population
4. Non-sampling risk
a. The risk that occurs when an internal auditor fails to perform his or her work correctly
5. Attribute sampling
a. A statistical sampling approach that enables the user to reach a conclusion about a population in terms
of a rate of occurrence
6. Factors affecting attribute sample sizes
a. Acceptable risk of assessing control risk too low
b. Tolerable deviation rate
c. Expected population deviation rate
7. Risk of assessing control risk too low
a. The risk that the internal auditor will incorrectly conclude that a specified control is more effective than
it really is
 8. Tolerable deviation rate
a. The maximum rate of deviations the internal auditor is willing to accept and still conclude that the
control is acceptably effective
9. Expected population deviation rate
a. The internal auditors best estimate of the actual deviation rate in the population of items being
examined
10. Random sampling
a. Each item in the defined population has an equal opportunity of being selected
11. Achieved allowance for sampling risk
a. The difference between the sample deviation rate and the achieved upper deviation limit
12. Haphazard sampling
a. A nonrandom selection technique that is used by internal auditors to select a sample that is expected to
be representative of the population
13. PPS sampling
a. A modified form of attribute sampling that is used to reach conclusions regarding monetary amounts
rather than rates of occurrence
14. Classical variables sampling
a. A statistical sampling approach based on normal distribution theory

Audit Evidence

o Professional Skepticism and Reasonable assurance

Internal auditor must always remember to apply a healthy level of professional skepticism when
evaluating audit evidence
o Persuasiveness of audit evidence
Relevant
Is the evidence pertinent to the audit objective
Reliable
Did the evidence come from a credible source?
Timely evidence is more reliable than untimely evidence
Sufficient
Has the internal auditor obtained enough evidence?
Evidence obtained from independent third parties is more reliable than evidence
obtained from auditee personnel

Audit Procedures

Nature of audit procedures

o Relates to the types of tests the internal auditor performs to achieve his or her objectives
Extent of audit procedures
o Pertains to how much audit evidence the internal auditor must obtain to achieve his or her objectives
Timing of audit procedures
o Pertains to when the tests are conducted and the period of time covered by the tests

Manual Audit Procedures

Commonly performed manual audit procedures include

o Inquiry
Asking questions of auditee personnel or third parties and obtaining their oral or written
responses.
o Observation
Watching people, procedures, or processes
 o Inspection
Studying documents and records and physically examining tangible resources
o Vouching (validity)
Tracking information backward from one document or record to a previously prepared
document or record
Vouch a sample of inventory items from the accounting records to the warehouse to see
that the inventory items exist.
o Tracing (completeness)
Tracking information forward from one document, record, or tangible resource to a
subsequently prepared document or record
Trace receiving reports for goods received to the corresponding voucher and then to the
voucher register to verify that the receipts of goods are properly recorded as liabilities.
o Reperformance
Redoing controls or other procedures
o analytical procedures
assessing information obtained during an engagement by comparing the information with
expectations identified or developed by the internal auditor
analysis of common-size financial statements
ratio analysis
trend analysis
analysis of future-oriented information
external benchmarking
internal benchmarking
o confirmation
Obtaining direct written verification of the accuracy of information from independent third
parties and Can be positive or negative

Computer-assisted Audit Techniques

internal auditors must consider the use of technology-based audit and other data analysis techniques
o Generalized Audit Software (GAS)
Benefits
Allows internal auditors to conduct audit procedures in a wide variety of hardware and
software environments with minimal customization
Enables internal auditors to perform tests on data independently of the companys IT
personnel
Obstacles
Obtaining access privileges to relevant and reliable data
Gaining physical access to the data
Understanding how the data is stored and formatted in the system

Working Papers

Documenting information requires internal auditors to record the evidence they accumulate as support for
engagement outcomes.
o Purposes and content of working papers
Aid in planning and performing the engagement
o Types of working papers
Programs, charts, graphs, questionnaires, flow charts, meeting minutes, follow up
documentation, Engagement time budgets and resource allocation worksheets
 o Guidelines for working paper preparation
A uniform cross-referencing system for all engagements
Consistent working paper layouts
Standardized trick marks
o Should be complete and well organized
Contain an appropriate index or reference number
Clearly identify the sources of auditee date included on the working paper
Include clear explanations of the specific procedures performed

Chapter 11: Audit Sampling

Audit sampling is the application of an audit procedure to less than 100 percent of the items in a population for
the purpose of drawing an inference about the entire population
o Two general approaches to audit sampling
Both require the use of professional judgment in designing, executing and evaluating
the plan. Choice of which one to use will be based on organizations cost benefit decision
o Statistical
Is a tool that can help the internal auditor measure the sufficiency of
evidence obtained and quantitatively evaluate the sampling results
Allows the internal auditor to quantify, measure, and control sampling
risk
Requires the sample to be selected randomly and the results must be
evaluated mathematically based on probability theory
Costly and provides more persuasive evidence
o Non-Statistical
Auditor has more flexibility with sample selection and evaluation
Error on side of larger sample size selections to compensate for the less
rigorous selection method and
inability to quantitatively control sampling risk (key difference)
o Audit risk and sampling risk
o The risk of assessing control risk too low
o The risk of assessing risk too high

Statistical audit sampling in tests of controls

Attribute sampling approaches

o Stratified attribute sampling
A variation of attribute sampling from a population that can be subdivided
Designing an attribute sampling plan, executing the plan, and evaluating the sample results
o Involves 9 steps
Identify a specific internal control objective and the prescribed control(s) aimed at achieving
that objective
Define what is meant by a control deviation
Define the population and sampling unit
Determine the appropriate values of the parameters affecting sample size
Determine the appropriate sample size
Randomly select the sample
Audit the sample items selected and count the number of deviations from the prescribed
control
Determine the achieved upper deviation limit
Evaluate the sample results
Non-statistical audit sampling in tests of controls

Selecting and evaluating a non-statistical sample

o Requires two fundamental things
Sample must be selected randomly and the sample results must be evaluated mathematically
based on probability theory

Probability-proportional-to-size sampling (PPS)

Factors affecting sample size

o Monetary book value of population
o Risk of incorrect acceptance
o Tolerable misstatement
o Anticipated misstatement
Key Advantages
o Simpler calculations make PPS easier to use
o Sample size calculation does not involve any measure of estimated population variation
o Automatically results in a stratified sample because sample items are selected in proportion to their size
o Automatically identifies any individually significant population items exceeding a predetermined cutoff
dollar amount
o Generally is more efficient when the population contains zero or very few misstatements
Key disadvantages
o Special design considerations are required when understatements or audit values less than zero are
expected
o Identification of understatements in the sample requires special evaluation considerations
o Produces overly conservative results when errors are detected. Increases the risk of incorrect rejection
o The appropriate sample size increases quickly as the number of expected misstatements increases

Classical variables sampling

Factors affecting
o Population size
o Estimated population standard deviation
o Risk of incorrect acceptance
o Risk of incorrect rejection
o Tolerable misstatement
Key advantages
o Samples are generally easier to expand if the internal auditor should find it necessary
o Zero balances and negative balances do not require special sample design considerations
o The internal auditors objective may be met with smaller sample size if there is a large number of
misstatements
Key disadvantages
o More complex
o The Internal auditor may need to use a computer program to cost-effectively design and evaluate a
sample
o Calculation of the proper sample size requires that the internal auditor first estimate the population
standard deviation
Multiple Choice Questions

1. Predication is a technical term that refers to:

a. The ability of a fraud examiner to commence an investigation if a form of evidence exists that fraud has
occurred

2. What fraud schemes were reported to be most common in the ACFEs 2012 Report to the Nation
a. Misappropriation of assets by employees

3. Which of the following is not a typical rationalization of a fraud perpetrator?

a. Im smarter than the rest of them

4. Which of the following is not something all levels of employees should do?
a. Investigate suspicious activities that they believe may be fraudulent

5. An organization that manufactures and sells computers is trying to boost sales between now and the end of the
year. It decides to offer its sales representatives a bonus based on the number of units they deliver to customers
before the end of the year. The price of all computers is determined by the vice president of sales and cannot be
changed by sales representatives. Which of the following presents the greatest reason a sales representative
may commit fraud with this incentive program?
a. Customers have the right to return a laptop for up to 90 days after purchase

6. How should an organization handle an anonymous accusation from an employee that a supervisor in the
organization has manipulated time reports?
a. Assess the facts provided by the anonymous party against pre-established criteria to determine whether
a formal investigation is warranted

7. Which of the following is an example of misappropriation of assets?

a. A small amount of petty cash is stolen

8. Which of the following is not an example of a fraud prevention program element?

a. Analyzing cash disbursements to determine whether any duplicate payments have been made

9. Which of the following types of companies would most likely need the strongest anti-fraud controls?
a. A bank

10. A payroll clerk increased the hourly pay rate of a friend and shared the resulting overpayment with the friend.
Which of the following controls would have best served to prevent this fraud?
a. Limiting the ability to make changes in payroll system personnel information to authorized HR
department supervisors

11. The internal audit functions responsibilities with respect to fraud are limited to:
a. Being aware of fraud indicators, including those relating to financial reporting fraud, but not necessarily
possessing the expertise of a fraud investigation specialist

12. From an organizations standpoint, because internal auditors are seen to be internal control experts, they also
are:
a. The best resource for audit committees, management, and others to consult in-house when setting up
anti-fraud programs and controls, even if they may not have any fraud investigation experience
13. Per IIA standards, internal audit functions must establish:
a. Both internal and external quality assurance and improvement program assessments

14. Senior management has requested that the internal audit function perform an operational review of the
telephone marketing operations of a major division and recommend policies and procedures for improving
management control over the operation. The internal audit function should:
a. Accept the audit engagement because independence would not be impaired

15. Who is ultimately responsible for determining that the objectives for an internal audit engagement have been
met?
a. The CAE

16. Which of the following is the best reason for the CAE to consider the organizations strategic plan in developing
the annual internal audit plan?
a. To ensure that the internal audit plan supports the overall business objectives

17. The Standards requires policies and procedures to guide the internal audit staff. Which of the following
statements is false with respect to this requirement?
a. All internal audit functions should have a detailed policies and procedures manual

18. When conducting a consulting engagement to improve the efficiency and quality of a production process, the
audit team is faced with a scope limitation because, several months of the production data have been lost or are
incomplete. Faced with this scope limitation the CAE should:
a. Discuss the problem with the customer and together evaluate whether the engagement should be
continued

19. Which of the following is not a responsibility of the CAE?

a. To oversee the establishment, administration, and assessment of the organizations system of internal
controls and risk management processes

20. The Standards requires the CAE to share information and coordinate activities with other internal and external
providers of assurance services. With regard to the independent outside auditor, which of the following would
not be an appropriate way for the CAE to meet this requirement?
a. Requiring the independent outside auditor to have the CAEs approval of their annual audit plan for
conducting the financial statement audit

21. Professional skepticism means that internal auditors beginning an assurance engagement should:
a. Neither assume client personnel are honest nor assume they are dishonest

22. Which of the following statements regarding audit evidence would be the least appropriate for an internal
auditor to make?
a. I do not perform procedures that provide persuasive evidence because I must obtain convincing
evidence.

23. Audit evidence is generally considered sufficient when:

a. There is enough of it to support well-founded conclusions
24. Documentary evidence is one of the principal types of corroborating information used by an internal auditor.
Which one of the following examples of documentary evidence generally is considered the most reliable?
a. A vendors invoice obtained from the accounts payable department

25. An internal auditor must weigh the cost of an audit procedure against the persuasiveness of the evidence to be
gathered. Observation is one audit procedure that involves cost-benefit tradeoffs. Which of the following
statements regarding observation as an audit procedure is/are correct?
a. (I and III) Observation is limited because individuals may react differently when being watched.
Observation provides evidence about whether certain controls are operating as designed.

26. An internal auditor gathered the following accounts receivable trend and ratio analysis information. Which of
the following is the least reasonable explanation for the changes observed by the auditor?

YEAR
3 2 1
Net accounts receivable as a percentage 30.8% 27.3% 23.4%
of total assets
Accounts receivable turnover (net sales/ 5.21 6.05 6.98
average accounts Receivable)

a. Sales returned for credit were overstated in years 2 and 3

27. Your audit objective is to determine that purchases of office supplies have been properly authorized. If
purchases of office supplies are made through the purchasing department, which of the following procedures is
most appropriate?
a. Vouch purchase orders to approved purchase requisitions

28. A production manager of MSM Company ordered excessive raw materials and had them delivered to a side
business he operated. The manager falsified receiving reports and approved the invoices for payment. Which of
the following procedures would most likely detect this fraud?
a. Perform ratio and trend analysis. Compare the cost of raw materials purchased with the cost of goods
produced.

29. An internal auditor is concerned that fraud, in the form of payments to fictitious vendors, may exist. Company
purchasers, responsible for purchases of specific product lines, have been granted the authority to approve
expenditures up to $10,000. Which of the following applications of generalized audit software would be most
effective in addressing the auditors concern?
a. List all major vendors by product line. Select a sample of major vendors and send negative confirmations
to validate that they actually provided goods or services

30. Which of the following most completely describes the appropriate content of internal audit assurance
engagement working papers:
a. Objectives, procedures, facts, conclusions, and recommendations

31. Internal audit engagement teams prepare working papers primarily for the benefit of the:
a. Internal Audit Function

32. The primary reason for an internal auditor to use statistical sampling rather than non-statistical sampling is to:
a. Allow the auditor to quantify, and therefore control, the risk of making an incorrect decision based on
sample evidence
33. For which of the following would an internal auditor most likely use attribute sampling?
a. Inspecting employee timecards for proper approval

34. If all other factors specified in an attribute sampling plan remain constant, changing the expected population
deviation rate from 1 percent to 2 percent and changing the tolerable deviation rate from 7 percent to 6 percent
would cause the required sample size to:
a. Increase
35. An internal auditor selects a sample of sales invoices and matches them to shipping documents. This procedure
most directly addresses which of the following assertions?
a. All billed sales are for goods shipped to customers

36. An internal auditor is testing cash disbursement transactions. Internal control policies require every check
request to be accompanied by an approved voucher (that is, a package of documents evidencing that a good or
service has been received and invoiced by the vendor). The voucher approval is based on a three-way matching
of a purchase order, receiving report, and vendors invoice. To determine whether checks have proper support,
the internal auditor should begin the testing procedures by selecting items from the population of:
a. Check copies

37. An internal auditor should consider the qualitative aspects of deviations found in a sample in addition to
evaluating the number of deviations. For which of the following situations should the internal auditor be most
concerned?
a. The deviations found may have been caused intentionally

38. If all other factors specified in a PPS sampling plan remain constant, changing the specified tolerable
misstatement from $200,000 to $100,000 and changing the specified risk of incorrect acceptance from 10% to
5% would cause the required sample size to:
a. Increase

39. The defining characteristics of persuasive audit evidence are

a. Relevance, reliability and sufficient

40. Based on experience, the auditor expects a deviation rate of 2 percent for the first attribute and 1 percent for
the second. He decides on a tolerable deviation rate of 7 percent for the first attribute and 6 percent for the
second. He sets the risk of assessing control risk too low at 5 percent.

Assume that the auditors tests uncovered two occurrences of voucher amounts not agreeing with invoice
amounts and two occurrences of vouchers not being canceled after payment.

A. Complete the following schedule:

Attribute 1 Attribute 2
Risk of assessing control risk too low
Tolerable deviation rate
Expected population deviation rate
Sample size per table
Sample size used
Number of deviations identified
Sample deviation rate
Achieved upper deviation limit
Accept/ Reject