
ENTITY-LEVEL CONTROLS FRAUD QUESTIONNAIRE

WHAT IS FRAUD?

Fraud is the intentional perversion of truth in order to induce another to part with something of value or to
surrender a legal right. In the business community, the primary goal of fraud is often monetary gain.

Fraud prevention programs are essential to set the right tone for an effective internal control framework. In
addition, strong internal controls provide better opportunities to detect and deter fraud. Because of this, it is
important to assess whether management has implemented formal communication mechanisms, internal controls,
and internal or external oversight processes to effectively prevent or deter fraud. This could include the
identification of fraud risks in an entitywide risk assessment program or establishing a separate risk assessment
program that considers the vulnerability of the company to fraudulent activities.

Source: www.knowledgeleader.com

# | COSO Component | Point of Focus/Control Objective | Does This Control Exist? | Are Controls Properly Designed? | Describe Specific Activities, Programs or Controls in Place that Satisfy the Objective | Control Owner | New/Changed in the Current Year? | Test Procedures | Test Documentation Reference | Workpaper Reference | Are Controls Operating Effectively? | Deficiencies Noted | Type of Deficiency (Efficiency, Fin. Reporting, Compliance) | Describe the Basis for Effectiveness Conclusion (Including Evidence of Operation) | Management Action Plan to Address Deficiencies

1 | Control Environment | A positive workplace environment exists that minimizes employees' sense of feeling abused, threatened or ignored.

2 | Control Environment | Effective policies exist that minimize the chance of hiring or promoting individuals with low levels of honesty, especially for positions of trust.

3 | Control Environment | A formal fraud policy exists that defines fraud and appropriate actions to be taken with respect to instances of fraud. The policy is formally communicated and available on the company intranet.

4 | Control Environment | The company reacts to and deals with acts of fraud, or suspected fraud, in a manner that sends a strong message throughout the company that helps reduce the likelihood of future incidents.

5 | Control Environment | Management has established a formal anti-fraud program that outlines a process to identify and evaluate the risk of fraud at both entity and process levels.

6 | Control Environment | Management performs brainstorming sessions focused on different ways employees could perpetrate fraud in the organization.

7 | Control Environment | A whistleblower program is in place and is periodically reviewed to ensure that it is designed and operating effectively. Complaints are reviewed by the C-level executives, where appropriate, and reports are communicated directly to the audit committee.

8 | Risk Assessment | The fraud risk assessment process is formal and incorporates the following key characteristics:
  • A formal process for identifying and documenting fraud risks.
  • Management explicitly considers potential fraud schemes and scenarios or different frauds such as fraudulent financial reporting, misappropriation of assets, unauthorized or improper receipts and expenditures, and fraud by senior management.
  • The level at which the risk is considered (company-wide, business unit and significant account) is explicitly defined.
  • The level of likelihood of fraud (probable, reasonably possible and remote) is defined.
  • The level of significance of fraud (inconsequential, more than inconsequential or material) is defined.

9 | Risk Assessment | Management considers significant business units or significant processes in the fraud risk assessment.

10 | Risk Assessment | Management reviews identified fraud risks with the audit committee and seeks guidance from the audit committee on other associated risks.

11 | Risk Assessment | The audit committee or board of directors considers the potential for management override of controls and its appropriate influence over the financial reporting process.

12 | Control Activities | Management makes changes to the organization's processes to reduce or eliminate the risk of fraud.

13 | Control Activities | Critical controls are identified to adequately address fraud risks.

14 | Information and Communication | Ongoing internal fraud communication programs (e.g., posters, training seminars, conferences) exist and management and employees are required to participate in events as appropriate.

15 | Information and Communication | Communications to external parties regularly state the company's position on fraudulent activity and the potential consequences if fraud is detected.

16 | Information and Communication | Training regarding code of ethics and other fraud areas exists and is effective.

17 | Information and Communication | Management considers the following related to information system fraud risk:
  (1) Consider information technology in the fraud risk assessment.
  (2) Maintain adequate security and access controls.
  (3) Employ information technology to prevent and detect fraud.
  (4) Have the ability to investigate computer misuse.

18 | Monitoring | The audit committee/board of directors evaluates management's identification of fraud risks, implementation of anti-fraud measures, and the "tone-at-the-top."

19 | Monitoring | Internal audit adequately addresses fraud risks when planning and executing the annual audit plan.

20 | Monitoring | Internal auditors examine and evaluate the adequacy of internal controls designed to reduce fraud risks, or they conduct proactive auditing to search for corruption, misappropriation of assets and financial statement fraud.

21 | Monitoring | The internal audit department includes knowledgeable and experienced fraud professionals.

22 | Monitoring | Management has implemented and continuously monitors the operation of internal controls designed to mitigate the risk of fraud.

23 | Monitoring | Management reports the results of internal reviews of internal controls over financial reporting, including noted instances of fraud, to the audit committee and external auditors.

24 | Monitoring | A conflict of interest policy exists regarding independence between employees and suppliers. Violations of this policy are investigated.

25 | Monitoring | Certified fraud examiners assist the audit committee or board of directors with the fraud oversight process.
