Fraud Prevention Flashcards

1
Q

Which of the following controls can help minimize the pressures that might lead an employee to commit fraud?

A. Open-door management policies
B. Fair personnel policies and procedures
C. Employee support programs
D. All of the above

A

D. All of the above

See pages 4.616-4.618 in the Fraud Examiner’s Manual

While most internal controls are designed to reduce the opportunity to commit and conceal fraud, organizations should also be mindful of the pressures, such as financial hardships or family problems, that can lead to fraud. Unfortunately, such pressures can be difficult to detect in employees. However, companies should take steps to increase managers’ awareness of such potential problems, as well as to assist an employee who might be experiencing difficult times.

Examples of mechanisms that help alleviate the pressures to commit fraud include:

  • Open-door management policies
  • Fair and equitably applied personnel policies and procedures
  • Measures to boost employee morale, such as career development opportunities, special events for employees, and recognition for jobs well done
  • Employee support programs, such as counseling for addiction, family and marital problems, and financial difficulties
2
Q

Managers should be instructed to observe employees’ lifestyles for warning signs of fraud, and employees should know that supervisors are watching for unexplained or suspicious anomalies of this nature.

A. True
B. False

A

A. True

See pages 4.608-4.609 in the Fraud Examiner’s Manual

It is common for employees who steal to use the proceeds for lifestyle improvements. Some examples include more expensive cars, extravagant vacations, expensive clothing, new or remodeled homes, expensive recreational property, and outside investments. Managers should be educated to be observant of these signs. To further increase the deterrent effect, employees should know that supervisors are watching for unexplained or suspicious anomalies of this nature.

3
Q

To protect against third-party fraud risks, organizations should perform the same level of due diligence on each potential customer before entering into a transaction with them.

A. True
B. False

A

B. False

See pages 4.810-4.811 in the Fraud Examiner’s Manual

Customer due diligence (CDD) is a necessary element in effectively managing risk and protecting organizations from becoming involved in illegal activity. CDD procedures, also referred to as know your customer (KYC) in some industries, involve performing background checks based on the level of risk presented by the customer. In general, there are three levels of CDD procedures:

  • Simplified CDD
  • Standard CDD
  • Enhanced CDD

Organizations can determine the level of risk the customer presents—and the appropriate level of due diligence—by evaluating the specifics of the transaction and the initial information provided about the customer. If the organization later receives additional information that suggests the customer might be a higher risk, a higher level of CDD procedures should be performed at that time.

4
Q

Which of the following is FALSE regarding the communication of the fraud risk assessment process?

A. The communication should be in the form of a message from the assessment sponsor.
B. The communication should be limited to management and the board.
C. The communication should be personalized to make it more effective in encouraging employees to participate in the process.
D. The communication should be visibly disseminated throughout the business.

A

B. The communication should be limited to management and the board.

See page 4.714 in the Fraud Examiner’s Manual

The fraud risk assessment process should be visible and communicated throughout the business. Employees will be more inclined to participate in the process if they understand why it is being done and what the expected outcomes will be. To that end, sponsors should be strongly encouraged to openly promote the process. The more personalized the communication from the sponsor, the more effective it will be in encouraging employees to participate in the process. Whether it is a video, town-hall meeting, or company-wide email, the communication should be aimed at eliminating any reluctance employees have about participating in the fraud risk assessment process.

5
Q

Which of the following is TRUE regarding a fraud risk assessment?

A. It can be used to improve fraud awareness among employees
B. The results should be used to develop plans to mitigate fraud risk
C. It can help management identify individuals who put the organization at the greatest risk of fraud
D. All of the above

A

D. All of the above

See page 4.704 in the Fraud Examiner’s Manual

Every organization should conduct a fraud risk assessment and create processes to keep the assessment current and relevant. It is not only a necessary part of effective corporate governance but also makes good business sense. The benefits of conducting a fraud risk assessment include enabling the organization to:

  • Improve communication and awareness about fraud.
  • Identify where it is most vulnerable to fraud and what activities put the company at the greatest risk.
  • Know who puts the organization at the greatest risk.
  • Develop plans to mitigate risk.
  • Develop techniques to investigate and determine if fraud has occurred in areas of high risk.
  • Assess anti-fraud controls.
  • Comply with regulations and professional standards.
6
Q

______________ is a process aimed at proactively identifying and addressing an organization’s vulnerabilities to internal and external fraud.

A. A fraud examination
B. A management ethics assessment
C. A fraud risk assessment
D. An internal control audit

A

C. A fraud risk assessment

See page 4.703 in the Fraud Examiner’s Manual

Fraud risk assessment is a process aimed at proactively identifying and addressing an organization’s vulnerabilities to internal and external fraud. A fraud risk assessment starts with an identification and prioritization of fraud risks that exist in the business. The process evolves as the results of that identification and prioritization begin to drive education, communication, organizational alignment, and action around effectively managing fraud risk and identifying new fraud risks as they emerge.

7
Q

During a fraud risk assessment, the assessment team should consider:

A. Opportunities for collusion
B. The inherent limitations of anti-fraud controls
C. Internal controls that might have been eliminated due to restructuring efforts
D. All of the above

A

D. All of the above

See pages 4.705-4.706 in the Fraud Examiner’s Manual

Many organizations rely heavily on their internal control system to prevent and detect fraud. Although an effective internal control system, including targeted anti-fraud controls, is critical in fraud prevention and detection, it is a dynamic system that requires constant reevaluation of its weaknesses. Performing a fraud risk assessment provides management the opportunity to review the effectiveness of the company’s anti-fraud controls, with consideration of the following factors:

  • Controls that might have been eliminated due to restructuring efforts (e.g., elimination of separation of duties due to downsizing)
  • Controls that might have eroded over time due to reengineering of business processes
  • New opportunities for collusion
  • Lack of anti-fraud controls in a vulnerable area
  • Nonperformance of control procedures (e.g., control procedures compromised for the sake of expediency)
  • Inherent limitations of anti-fraud controls, including opportunities for those responsible for a control to commit and conceal fraud (e.g., through management and system overrides)
8
Q

The fraud risk assessment team might include:

A. External consultants
B. The general counsel
C. Accounting and finance personnel
D. All of the above

A

D. All of the above

See page 4.711 in the Fraud Examiner’s Manual

The fraud risk assessment team members might include internal and external sources, such as:

  • Accounting and finance personnel who are familiar with the financial reporting processes and anti-fraud controls
  • Nonfinancial business unit and operations personnel who have knowledge of daily operations, customer and vendor interactions, and issues within the industry
  • Risk management personnel who can ensure that the fraud risk assessment process integrates with the organization’s enterprise risk management program
  • The general counsel or other members of the legal department
  • Members of any ethics or compliance functions within the organization
  • Internal auditors
  • Internal security or investigative personnel who are familiar with investigations of past fraud incidents
  • External consultants with fraud and risk expertise
  • Any business leader with direct accountability for the effectiveness of the organization’s fraud risk management efforts
9
Q

When establishing a whistleblower policy, organizations should emphasize that it applies to all employees, regardless of their positions or seniority.

A. True
B. False

A

A. True

See pages 4.611-4.612 in the Fraud Examiner’s Manual

Organizations can empower employees who wish to disclose information without the fear of negative consequences by creating a safe environment for them to voice their concerns. This can be accomplished by implementing a clear whistleblower policy that details standard reporting protocols and the consequences for retaliating against whistleblowers. This policy can stand alone or be part of the anti-fraud policy.

It is important for management to establish and publicize the organization’s whistleblower procedures so that individuals both inside and outside the organization are aware of the appropriate channels for reporting misconduct. The whistleblower policy should emphasize that it applies to all employees, regardless of their positions or seniority, as well as to anyone external to the organization who has knowledge of potential wrongdoing by any employees or on the company’s part.

10
Q

When a customer presents a higher risk for engaging in illegal activity, which of the following customer due diligence (CDD) activities would be MOST APPROPRIATE for an organization to engage in?

A. Analyzing the customer’s overall net worth
B. Scrutinizing the customer’s method of payment
C. Quantifying the customer’s expected purchasing pattern
D. All of the above

A

D. All of the above

See pages 4.811-4.812 in the Fraud Examiner’s Manual

When certain customers present higher risks for engaging in illegal activity, organizations should undertake enhanced due diligence procedures. Factors that might prompt enhanced customer due diligence (CDD) include high-profile customers, large-value transactions, or foreign business dealings in countries known for corruption. While these enhanced due diligence procedures depend on the nature and severity of the risk presented by the customer, organizations should gather additional information to reduce their potential risk. Specifically, organizations should gather and analyze data to ensure that they are dealing with a customer who has good intentions.

Under enhanced due diligence procedures, the following customer elements should be examined with a greater level of scrutiny to ensure legitimacy and that the risk has been responded to appropriately:

  • Identity (i.e., Is the customer who they claim to be?)
  • Source of income and overall net worth (i.e., Can the customer pay for the transaction, especially if they are requesting to pay on credit?)
  • Expected pattern of purchasing (i.e., Is this a onetime transaction or a series of transactions?)
  • Expected value (i.e., How large is the cumulative financial risk?)
  • Expected method of payment (i.e., Is the customer requesting to use a higher-risk payment method, such as a personal check or line of credit?)
11
Q

When gathering information as part of a fraud risk assessment, both surveys and anonymous feedback mechanisms provide an effective way to conduct candid one-on-one conversations with employees.

A. True
B. False

A

B. False

See pages 4.712-4.713 in the Fraud Examiner’s Manual

Several techniques can be used to gather information successfully as part of a fraud risk assessment. These include:

  • Interviews, which can be an effective way to conduct candid one-on-one conversations with employees
  • Focus groups, which can enable the assessor to observe the interactions among a group of employees as they collectively discuss a question or issue
  • Surveys, which are electronic or paper questionnaires that can be either anonymous or directly attributable to the individual participants
  • Anonymous feedback mechanisms, which can include means for anonymous employee suggestions or responses to questions posed
12
Q

Which of the following customer due diligence (CDD) procedures would be MOST APPROPRIATE for an organization to perform if it determines that a potential customer has little opportunity to commit fraud and therefore presents a minimal risk of engaging in illegal activity?

A. Identifying the customer
B. Analyzing the customer’s net worth
C. Contacting the customer’s bank
D. Verifying the customer’s identity

A

A. Identifying the customer

See page 4.811 in the Fraud Examiner’s Manual

Simplified due diligence is the lowest level of due diligence that can be performed on a potential customer. Conducting simplified due diligence procedures would be most appropriate in situations where there is little opportunity or risk of a customer engaging in illegal activity. The only requirement for simplified due diligence is to identify the customer.

Organizations can determine the level of risk the customer presents—and the appropriate level of due diligence—by evaluating the specifics of the transaction and the initial information provided about the customer. If the organization later receives additional information that suggests the customer might be a higher risk, a higher level of customer due diligence (CDD) procedures should be performed at that time.

13
Q

In response to a risk identified during a fraud risk assessment, management decides to implement appropriate countermeasures, such as prevention and detection controls. This response is known as:

A. Transferring the risk
B. Avoiding the risk
C. Mitigating the risk
D. Assuming the risk

A

C. Mitigating the risk

See page 4.734 in the Fraud Examiner’s Manual

When responding to the organization’s residual fraud risks, management can help mitigate a risk by implementing appropriate countermeasures, such as prevention and detection controls. The fraud risk assessment team should evaluate each countermeasure to determine if it is cost effective and reasonable given the probability of occurrence and impact of loss.

14
Q

What is the objective of a fraud risk assessment?

A. To establish the guilt or innocence of an employee suspected of committing fraud
B. To help an organization identify what makes it most vulnerable to fraud
C. To provide an estimate of an organization’s fraud losses
D. To assess the design and effectiveness of an organization’s internal controls over financial reporting

A

B. To help an organization identify what makes it most vulnerable to fraud

See pages 4.703-4.704 in the Fraud Examiner’s Manual

The objective of a fraud risk assessment is to help an organization identify what makes it most vulnerable to fraud. Through a fraud risk assessment, the organization can identify where fraud is most likely to occur, enabling proactive measures to be considered and implemented to reduce the chance that it could happen.

15
Q

Fraudulent customer payments, collusion between contractors, corporate espionage, and hacking schemes are all fraud risks pertaining to which of the following categories?

A. Reputational risk
B. Regulatory and legal misconduct
C. External fraud
D. Asset misappropriation

A

C. External fraud

See page 4.718 in the Fraud Examiner’s Manual

External fraud risks include:

  • Fraud committed by customers (e.g., fraudulent customer payments)
  • Fraud committed by vendors (e.g., overbilling by a vendor or collusion between bidding contractors to inflate contract price)
  • Fraud committed by competitors (e.g., corporate espionage)
  • Fraud committed by unrelated third parties (e.g., hacking)
16
Q

_____________ controls are designed to stop something bad from happening before it occurs, and _____________ controls are designed to identify something bad that has already occurred.

A. Preventive; detective
B. Detective; investigative
C. Investigative; deterrent
D. Investigative; detective

A

A. Preventive; detective

See page 4.702 in the Fraud Examiner’s Manual

Preventive controls are manual or automated processes that stop something bad from happening before it occurs. Detective controls can also be manual or automated, but their purpose is to identify something bad that has already occurred. With the right balance of preventive and detective controls, a good system of anti-fraud controls can greatly reduce an organization’s vulnerability to fraud.

17
Q

Which of the following is FALSE regarding employee anti-fraud education?

A. Fraud awareness training efforts should be restricted to formal educational mechanisms.
B. Fraud awareness training should be required for employees both at time of hire and periodically thereafter.
C. All anti-fraud training should be based on the organization’s specific operations and fraud risks.
D. Mid-level managers should be tasked with assisting in training their teams about fraud.

A

A. Fraud awareness training efforts should be restricted to formal educational mechanisms.

See page 4.605 in the Fraud Examiner’s Manual

Like any educational efforts, frequent exposure to anti-fraud topics is crucial to ensuring that employees absorb—and apply—the information provided. Formal fraud awareness training should be an ongoing process that begins at the time of hire. Employees should also participate in refresher training at least annually to help keep the program active and engrained in their minds.

Formal anti-fraud training can take many forms, including live, in-class instruction; recorded video or animated courses; or interactive self-study programs. In addition, the organization should use other informal means, such as periodic newsletters or notices in break rooms, to reinforce its anti-fraud stance on a more constant basis.

Perhaps most important, however, is that the training be based on the realities of the organization, rather than on generic anti-fraud messages. While providing general information is good and necessary, doing so without addressing the company’s specific concerns or providing employees with practical knowledge and ideas on how to apply it will render the training program ineffective.

As messages from an employee’s direct supervisor are often the most significant and impressionable to an employee, the concept of cascading training can be an especially effective means of anti-fraud education. In cascading training, managers are tasked with and specifically educated on how to provide anti-fraud training to their own staff. This allows training to be customized to each team’s own needs, as well as for the message to come directly from the team’s own leader.

18
Q

Which of the following is among the audit committee’s responsibilities for fraud risk management?

A. Monitoring and proactively improving the fraud risk management program
B. Receiving regular reports on the status of reported or alleged fraud
C. Performing and regularly updating the fraud risk assessment
D. All of the above

A

B. Receiving regular reports on the status of reported or alleged fraud

See page 4.816 in the Fraud Examiner’s Manual

As a sub-group of the board of directors, the audit committee is often assigned oversight of the organization’s financial, accounting, and audit matters and reports to the full board. As part of this responsibility, the committee must take an active role in overseeing the assessment and monitoring of the organization’s fraud risks. This involves:

  • Receiving regular reports on the status of reported or alleged fraud
  • Being aware of fraud risks that are common in the organization’s industry
  • Meeting regularly with key internal parties (e.g., the chief audit executive [CAE] or other senior financial persons) to discuss identified fraud risks and the steps being taken to prevent and detect fraud
  • Understanding how internal and external audit strategies address fraud risk
  • Providing external auditors with evidence that the audit committee is dedicated to effective fraud risk management
  • Engaging in open conversations with external auditors about any known or suspected fraud
  • Seeking advice of legal counsel whenever it deals with allegations of fraud

Monitoring and improving the fraud risk management program and performing and maintaining the fraud risk assessment are both part of senior management’s responsibilities for addressing fraud risk.

19
Q

In response to a risk identified during a fraud risk assessment, management decides to eliminate an asset or discontinue an activity because the control measures required to protect the organization against the identified threat are too expensive. This response is known as:

A. Transferring the risk
B. Assuming the risk
C. Avoiding the risk
D. Mitigating the risk

A

C. Avoiding the risk

See page 4.734 in the Fraud Examiner’s Manual

When responding to the organization’s residual fraud risks, management may decide to avoid a risk by eliminating an asset or discontinuing an activity if the control measures required to protect the organization against an identified threat are too expensive. This approach requires the fraud risk assessment team to complete a cost-benefit analysis of the value of the asset or activity to the organization compared to the cost of implementing measures to protect the asset or activity.

20
Q

When performing a fraud risk assessment, the fraud examiner should only designate an area as high-risk if the assessment has conclusively revealed that fraud is occurring there.

A. True
B. False

A

B. False

See page 4.705 in the Fraud Examiner’s Manual

Assessing an area as having a high level of fraud risk does not conclusively mean that fraud is occurring there. However, the fraud risk assessment is useful in identifying areas that should be proactively investigated to determine whether fraud has occurred. In addition, putting activity in high-risk areas under increased scrutiny can deter potential fraudsters by increasing their perception of detection.

21
Q

Which of the following is TRUE regarding an organization’s ethics policy?

A. In developing the policy, management should consider how various members of the organization define success.
B. The policy should be limited to external parties only.
C. In developing the policy, management should not consider the existing ethical tone set by leadership.
D. The policy should only be accessible to company employees.

A

A. In developing the policy, management should consider how various members of the organization define success.

See pages 4.623-4.624 in the Fraud Examiner’s Manual

A written ethics policy enables management to objectively communicate its ethical philosophy and provides a foundation for a successful ethics program. The policy should be shared among both new and old employees. Additionally, some companies have found it effective to share the ethics policy with their vendors, and many organizations make their ethics policies available for the public by posting them on the company’s website or on their social media platforms. Such exposure helps reinforce the importance the organization places on ethics and provides parties outside the organization with a tool to help identify and report breaches of expected employee conduct.

Identifying key organizational characteristics and issues is a start to the development of an ethics program. These considerations include:

  • Understanding why good people can commit unethical acts
  • Defining current—as well as desired—organizational values
  • Determining if organizational values have been properly communicated
  • Determining if ethics is currently a leadership issue in the organization
  • Ascertaining how board members, stockholders, management, employees, and any other important members of the organization define success
  • Producing written ethics policies, procedures, or structures
22
Q

Of the following parties, who is responsible for the oversight of the organization’s financial, accounting, and audit matters?

A. The external auditors
B. The chief financial officer
C. The audit committee
D. The internal auditors

A

C. The audit committee

See page 4.816 in the Fraud Examiner’s Manual

As a sub-group of the board of directors, the audit committee is often assigned oversight of the organization’s financial, accounting, and audit matters and reports to the full board. As part of this responsibility, the committee must take an active role in overseeing the assessment and monitoring of the organization’s fraud risks. This involves:

  • Receiving regular reports on the status of reported or alleged fraud
  • Being aware of fraud risks that are common in the organization’s industry
  • Meeting regularly with key internal parties (e.g., the chief audit executive [CAE] or other senior financial persons) to discuss identified fraud risks and the steps being taken to prevent and detect fraud
  • Understanding how internal and external audit strategies address fraud risk
  • Providing external auditors with evidence that the audit committee is dedicated to effective fraud risk management
  • Engaging in open conversations with external auditors about any known or suspected fraud
  • Seeking advice of legal counsel whenever it deals with allegations of fraud
23
Q

The fraud risk assessment team should include:

A. Individuals with experience in gathering and eliciting information
B. Individuals in a variety of roles, including finance, operations, and legal
C. Individuals with diverse knowledge, skills, and perspectives
D. All of the above

A

D. All of the above

See page 4.711 in the Fraud Examiner’s Manual

Before conducting the fraud risk assessment, the organization should build a fraud risk assessment team consisting of individuals with diverse knowledge, skills, and perspectives that will lead and conduct the fraud risk assessment. The size of the team will depend on the size of the organization and the methods used to conduct the assessment. The team should have individuals who are credible and have experience in gathering and eliciting information. The team members might include internal and external sources, such as accounting and finance personnel, operations personnel, members of the legal department, internal auditors, internal security or investigative personnel, external consultants with fraud and risk expertise, and any business leader with direct accountability for the effectiveness of the organization’s fraud risk management efforts.

24
Q

In response to a risk identified during a fraud risk assessment, management chooses to accept the risk rather than implement any responsive measures. This approach is known as:

A. Assuming the risk
B. Transferring the risk
C. Mitigating the risk
D. Avoiding the risk

A

A. Assuming the risk

See page 4.735 in the Fraud Examiner’s Manual

Management may choose to assume the risk if it determines that the probability of occurrence and impact of loss are low. Management may decide that it is more cost effective to assume the risk than it is to eliminate the asset or discontinue the activity, buy insurance to transfer the risk, or implement countermeasures to mitigate the risk.

25
Q

The Committee of Sponsoring Organizations of the Treadway Commission’s (COSO) Enterprise Risk Management—Integrating with Strategy and Performance is composed of a set of principles organized into five interrelated components. Communication, as part of the information, communication, and reporting component, is defined as an organization’s:

A. Tone that reinforces the importance of risk management and establishes the oversight responsibilities for managing risks
B. Continual, iterative process of obtaining information and sharing it throughout the entity
C. Ability to assess substantial changes that might affect its strategy and objectives
D. Formal process of setting strategy and defining business objectives

A

B. Continual, iterative process of obtaining information and sharing it throughout the entity

See pages 4.803-4.805 in the Fraud Examiner’s Manual

The Committee of Sponsoring Organizations of the Treadway Commission’s (COSO) Enterprise Risk Management—Integrating with Strategy and Performance is composed of a set of principles organized into five interrelated components and twenty supporting principles that are based on a holistic view of an organization’s risk portfolio. The five components of the enterprise risk management (ERM) framework are:

  • Governance and culture
  • Strategy and objective-setting
  • Performance
  • Review and revision
  • Information, communication, and reporting

COSO’s ERM framework defines communication as “the continual, iterative process of obtaining information and sharing it throughout the entity.” Management must use information gathered from both internal and external sources to support ERM. The principles related to information, communication, and reporting are:

  • The organization leverages information and technology to support ERM.
  • The organization communicates risk information.
  • The organization reports on risk, culture, and performance throughout the entity.
26
Q

Which of the following is TRUE regarding the process of defining the objective of the fraud risk management program?

A. Management should examine previous fraud occurrences to determine how the ideal fraud risk management program would have prevented them
B. Management should incorporate the needs and goals of the organization into the fraud risk management program’s objectives
C. Management must balance the investment in anti-fraud controls with the benefit of those controls and the amount of risk it is willing to accept
D. All of the above

A

D. All of the above

See pages 4.825-4.826 in the Fraud Examiner’s Manual

Because the fraud risks and strategic initiatives of each organization differ, the detailed objectives of the fraud risk management program should be tailored to the organization’s specific needs and goals.

Like any corporate initiative, without an explicit definition of what the organization intends to accomplish through its fraud risk management program, the program will have limited success. Consequently, management must balance the following factors in determining the program’s objectives:

  • Management’s risk appetite
  • The investment in anti-fraud controls
  • The prevention of frauds that are material in nature or amount

An important component in defining the objective of the fraud risk management program is determining management’s risk appetite. Without an adequate understanding and articulation of just how much risk those charged with governance are willing to accept, any stated objectives of the fraud risk management program will be inaccurate. Risk appetite should be expressed in a manner that is appropriate for the organization’s culture and operations, and it can be measured and expressed either qualitatively—low, medium, or high, for example—or quantitatively, using a numeric scale.

Another helpful starting point in determining the fraud risk management strategy is to examine previous occurrences of fraud and explore how management’s ideal fraud risk management program would have prevented, detected, and responded to them. In examining such incidents, management should consider the factors that allowed such frauds to occur.

27
Q

Of the following, which is the MOST EFFECTIVE method of preventing fraud?

A. Having an open-door policy
B. Screening employees
C. Conducting covert audits
D. Increasing perception of detection

A

D. Increasing perception of detection

See page 4.602 in the Fraud Examiner’s Manual

Increasing the perception of detection might be the most effective fraud prevention method. Controls, for example, are not very effective in preventing theft and fraud if those at risk do not know of the presence of possible detection. This means letting employees, managers, and executives know that auditors are actively seeking information concerning internal theft.

28
Q

The fraud risk assessment should be formally incorporated into the annual audit planning process.

A. True
B. False

A

A. True

See page 4.738 in the Fraud Examiner’s Manual

The fraud risk assessment should play a significant role in informing and influencing the audit process. In addition to being used in the annual audit planning process, the fraud risk assessment should motivate thinking and awareness in the development of audit programs for areas that have been identified as having a moderate-to-high risk of fraud. Although auditors should always be vigilant of things that might be indicators of fraud risk, the results of the fraud risk assessment can help them design audit procedures in a way that enables them to look for fraud in known areas of high risk.

29
Q

Which of the following is NOT one of the components of the Committee of Sponsoring Organizations of the Treadway Commission’s (COSO) Enterprise Risk Management—Integrating with Strategy and Performance?

A. Strategy and objective-setting
B. Review and revision
C. Risk tolerance
D. Information, communication, and reporting

A

C. Risk tolerance

See pages 4.803-4.805 in the Fraud Examiner’s Manual

The Committee of Sponsoring Organizations of the Treadway Commission’s (COSO) Enterprise Risk Management—Integrating with Strategy and Performance is composed of a set of principles organized into five interrelated components and twenty supporting principles that are based on a holistic view of an organization’s risk portfolio. The five components of the enterprise risk management (ERM) framework are:

  • Governance and culture
  • Strategy and objective-setting
  • Performance
  • Review and revision
  • Information, communication, and reporting
30
Q

Which of the following is one of the eight principles for risk management provided by International Organization for Standardization (ISO) 31000:2018?

A. The risk management program is structured and comprehensive
B. The risk management program facilitates continuous improvement
C. The risk management program is integrated into all organizational activities
D. All of the above

A

D. All of the above

See page 4.807 in the Fraud Examiner’s Manual

The following eight International Organization for Standardization (ISO) 31000:2018 principles provide that an effective and efficient risk management program:

  • Is integrated into all organizational activities
  • Is structured and comprehensive
  • Is customized and proportionate to the organization’s operations and objectives
  • Is inclusive and provides for appropriate and timely consideration of stakeholders’ knowledge, views, and perceptions
  • Is dynamic and responsive to change
  • Is based upon the best available information
  • Takes human and cultural factors into account
  • Facilitates continuous improvement
31
Q

Which of the following is NOT one of the eight principles for risk management provided by International Organization for Standardization (ISO) 31000:2018?

A. The risk management program is customized and proportionate to the organization’s operations and objectives.
B. The risk management program is based on effective leadership and commitment.
C. The risk management program is dynamic and responsive to change.
D. The risk management program takes human and cultural factors into account.

A

B. The risk management program is based on effective leadership and commitment.

See page 4.807 in the Fraud Examiner’s Manual

The following eight International Organization for Standardization (ISO) 31000:2018 principles provide that an effective and efficient risk management program:

  • Is integrated into all organizational activities
  • Is structured and comprehensive
  • Is customized and proportionate to the organization’s operations and objectives
  • Is inclusive and provides for appropriate and timely consideration of stakeholders’ knowledge, views, and perceptions
  • Is dynamic and responsive to change
  • Is based upon the best available information
  • Takes human and cultural factors into account
  • Facilitates continuous improvement

According to ISO 31000, the framework for an organization’s risk management program should be based on a foundation set by effective leadership and commitment, but this is not one of the eight principles of risk management provided by ISO 31000:2018.

32
Q

Which of the following types of customer due diligence (CDD) procedures should an organization engage in when determining whether to conduct business with a higher-risk customer who wants to pay on credit?

A. Enhanced CDD
B. Standard CDD
C. Simplified CDD
D. International CDD

A

A. Enhanced CDD

See pages 4.811-4.812 in the Fraud Examiner’s Manual

When certain customers present higher risks for engaging in illegal activity, organizations should undertake enhanced due diligence procedures. Factors that might prompt enhanced customer due diligence (CDD) include high-profile customers, large-value transactions, or foreign business dealings in countries known for corruption. While these enhanced due diligence procedures depend on the nature and severity of the risk presented by the customer, organizations should gather additional information to reduce their potential risk. Specifically, organizations should gather and analyze data to ensure that they are dealing with a customer who has good intentions.

Under enhanced due diligence procedures, the following customer elements should be examined with a greater level of scrutiny to ensure legitimacy and that the risk has been responded to appropriately:

  • Identity (i.e., Is the customer who they claim to be?)
  • Source of income and overall net worth (i.e., Can the customer pay for the transaction, especially if they are requesting to pay on credit?)
  • Expected pattern of purchasing (i.e., Is this a onetime transaction or a series of transactions?)
  • Expected value (i.e., How large is the cumulative financial risk?)
  • Expected method of payment (i.e., Is the customer requesting to use a higher-risk payment method, such as a personal check or line of credit?)
33
Q

Which of the following mechanisms can be used to help increase the perception of detection in an organization?

A. Employee anti-fraud education
B. Rewards for whistleblowers
C. Hotlines and reporting programs
D. All of the above

A

D. All of the above

See page 4.602 in the Fraud Examiner’s Manual

Increasing the perception of detection might be the most effective fraud prevention method. Controls, for example, are not very effective in preventing theft and fraud if those at risk do not know of the presence of possible detection. This means letting employees, managers, and executives know that auditors are actively seeking information concerning internal theft. This can be accomplished in several ways, such as through employee anti-fraud education, reporting programs, hotlines, rewards for whistleblowers, and proactive audit policies.

34
Q

Which of the following is NOT a topic that should be covered in employee anti-fraud training?

A. Common characteristics that lead individuals to commit fraud
B. What constitutes fraud, including examples of acceptable and unacceptable behavior
C. How fraud hurts the organization and its employees
D. Specific controls and procedures that the organization uses to detect fraud

A

D. Specific controls and procedures that the organization uses to detect fraud

See pages 4.606-4.608 in the Fraud Examiner’s Manual

The content covered by the organization’s anti-fraud training should focus on the specific risks encountered by the organization to provide employees with practical, implementable knowledge. However, it should not give employees the information they need to circumvent the normal rules by explaining the details of controls and procedures used to detect fraud. In that regard, the following topics form the basis of an effective training program:

  • What fraud is, including examples of what behavior is acceptable and what is not
  • How fraud hurts the organization
  • How fraud hurts employees
  • Common characteristics that lead individuals to commit fraud (i.e., pressure, opportunity, and ability to rationalize the act)
  • How to identify fraud (i.e., specific examples of financial, transactional, behavioral, and other red flags to watch for)
  • How to report fraud
  • The punishment for dishonest acts, including examples of past transgressions and how they were managed
35
Q

The fraud risk management program should include the formal procedures that management takes in response to a fraud, such as punishing the perpetrator, remediating the control weaknesses that allowed the fraud to occur, and rebuilding stakeholders’ confidence in the organization.

A. True
B. False

A

A. True

See pages 4.819-4.820 in the Fraud Examiner’s Manual

Fraud risk management programs must address fraud before, during, and after it occurs. Consequently, effective fraud risk management programs must incorporate policies and procedures designed to do all the following:

  • Prevent fraud—These activities focus on proactively identifying and assessing fraud risks and taking steps to address those risks; they are the first line of defense against fraud in the organization and generally include policies, procedures, training, and communication.
  • Detect fraud—These activities seek to identify fraud occurrences as soon as possible after they begin to limit the damage done.
  • Respond to identified fraud—These activities include investigating the allegation to determine the party or parties responsible, the means of the infraction, and the extent of the resulting damage; punishing the perpetrator, whether through employment sanctions or legal action; remediating the control weaknesses that allowed the fraud to be undertaken; and rebuilding stakeholders’ confidence in the organization.
36
Q

Which of the following individuals would generally be the BEST choice for a sponsor for a fraud risk assessment?

A. A staff accountant
B. An independent audit committee member
C. A mid-level sales manager
D. A CFO who commands the use of aggressive earnings-management practices

A

B. An independent audit committee member

See page 4.707 in the Fraud Examiner’s Manual

Having the right sponsor for a fraud risk assessment is extremely important in ensuring its success and effectiveness. The sponsor must be senior enough in the organization and command the employees’ respect to elicit full cooperation in the process. The sponsor must be committed to learning the truth about where the company’s fraud vulnerabilities are. The sponsor cannot be prone to rationalization or denial; they must be a truth seeker. In the ideal situation, the sponsor would be an independent board director or audit committee member. However, a good chief executive officer (CEO) or another internal senior leader can be equally as effective.

37
Q

The success of the fraud risk assessment process depends on how effectively the results are reported and what the organization then does with those results.

A. True
B. False

A

A. True

See page 4.735 in the Fraud Examiner’s Manual

The success of the fraud risk assessment process depends on how effectively the results are reported and what the organization then does with those results. A poorly communicated report can undermine the entire process and stall the established momentum. The report should be delivered in a style most suited to the language of the business. For example, if management prefers succinct visual presentations, then the fraud risk assessment team should not deliver a fifty-page written document.

38
Q

As part of its fraud-related responsibilities, the audit committee of an organization’s board of directors should meet regularly with key internal parties, such as the chief audit executive (CAE), to discuss identified fraud risks and the steps being taken to prevent and detect fraud.

A. True
B. False

A

A. True

See page 4.816 in the Fraud Examiner’s Manual

As a sub-group of the board of directors, the audit committee is often assigned oversight of the organization’s financial, accounting, and audit matters and reports to the full board. As part of this responsibility, the committee must take an active role in supervising the assessment and monitoring of the organization’s fraud risks. This involves:

  • Receiving regular reports on the status of reported or alleged fraud
  • Being aware of fraud risks that are common in the organization’s industry
  • Meeting regularly with key internal parties (e.g., the chief audit executive [CAE] or other senior financial persons) to discuss identified fraud risks and the steps being taken to prevent and detect fraud
  • Understanding how internal and external audit strategies address fraud risk
  • Providing external auditors with evidence that the audit committee is dedicated to effective fraud risk management
  • Engaging in open conversations with external auditors about any known or suspected fraud
  • Seeking advice of legal counsel whenever it deals with allegations of fraud
39
Q

Proactive audit procedures, such as fraud assessment questioning and surprise audits, can help demonstrate management’s intention to aggressively look for fraud.

A. True
B. False

A

A. True

See pages 4.602-4.603 in the Fraud Examiner’s Manual

Implementing proactive audit procedures demonstrates management’s intention to aggressively look for possible fraudulent conduct instead of waiting for instances to be reported. Such techniques include the use of analytical review procedures, data and transaction monitoring and analysis, fraud assessment questioning, and surprise audits where possible.

40
Q

Communications regarding the organization’s anti-fraud policy should be presented in a positive, non-accusatory manner.

A. True
B. False

A

A. True

See pages 4.621-4.622 in the Fraud Examiner’s Manual

It is ineffective to have an anti-fraud or ethics policy if it is not communicated to the employees. This communication can be accomplished in several ways, such as during employee orientation and annual training sessions, via interoffice memoranda or newsletters, and through notices displayed in common areas. In all these mechanisms, the communication of the policy should be presented in a positive, non-accusatory manner.

41
Q

According to best practices, which of the following should be included in a formal whistleblower policy?

A. Any rewards available for providing credible tips
B. Types of misconduct that should be reported
C. Procedures for reporting suspicions or concerns
D. All of the above

A

D. All of the above

See pages 4.611-4.612 in the Fraud Examiner’s Manual

Organizations can empower employees who wish to disclose information without the fear of negative consequences by creating a safe environment for them to voice their concerns. This can be accomplished by implementing a clear whistleblower policy that details standard reporting protocols and the consequences for retaliating against whistleblowers. This policy can stand alone or be part of the anti-fraud policy.

It is important for management to establish and publicize the organization’s whistleblower procedures so that individuals both inside and outside the organization are aware of the appropriate channels for reporting misconduct. The whistleblower policy should emphasize that it applies to all employees, regardless of their positions or seniority, as well as to anyone external to the organization who has knowledge of potential wrongdoing by any employees or on the company’s part. It should detail what types of misconduct to report, how to report concerns, and any rewards available for disclosing credible information. In addition, a whistleblower policy should include an anti-retaliation component that details the protections the organization affords to whistleblowers and how people will be punished if they violate the policy. By instituting and transparently enforcing a zero-tolerance policy against retaliation, management can increase the likelihood that employees will feel comfortable raising concerns without fear of retribution.

42
Q

Before agreeing to do business with a new vendor, it is recommended that an organization’s management inquire about the vendor’s internal audit department and the types of audits the vendor is subject to.

A. True
B. False

A

A. True

See pages 4.812-4.813 in the Fraud Examiner’s Manual

Management should conduct proper due diligence when seeking new vendors or evaluating the relationship of existing vendors to prevent and detect misconduct. An organization can assess a vendor’s commitment to compliance and ethics by performing the following due diligence procedures:

  • Ensure that vendors have their own ethics and compliance program before engaging in any transactions.
  • Provide the vendor with the organization’s code of conduct and require the vendor’s agents to sign and agree to abide by the code.
  • Inquire about the vendor’s internal audit department and the types of audits the vendor is subject to.
  • Include contract clauses that require vendors to report any misconduct.
  • Alert the vendor that they will be liable for any unethical conduct that occurs in doing business with the organization.
43
Q

Under the fraud control activities principle described in the Fraud Risk Management Guide, a joint publication by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) and the ACFE, organizations should select, develop, and deploy preventive and detective fraud control activities.

A. True
B. False

A

A. True

See pages 4.820, 4.823 in the Fraud Examiner’s Manual

The Fraud Risk Management Guide, a joint publication by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) and the ACFE, describes five broad principles of fraud risk management, one for each of the five interrelated components of internal control listed in COSO’s Internal Control—Integrated Framework: fraud risk governance, fraud risk assessment, fraud control activities, fraud investigation and corrective action, and fraud risk management monitoring activities. Each of these principles is then supported by several points of focus. The principles and underlying points of focus combine to create a full framework that can be used to design, implement, and assess an effective fraud risk management program.

Under the fraud control activities principle, the organization selects, develops, and deploys preventive and detective fraud control activities to mitigate the risk of fraud events occurring or not being detected in a timely manner.

44
Q

To reinforce an anti-fraud culture, management should:

A. Create an environment in which employees feel safe challenging management’s decisions
B. Visibly adhere to the same set of ethics policies that is required of all employees
C. Show employees that unethical behavior will not be tolerated
D. All of the above

A

D. All of the above

See pages 4.613-4.614 in the Fraud Examiner’s Manual

To achieve an organizational culture with a strong value system founded on integrity, management must show employees through its words and actions that dishonest or unethical behavior will not be tolerated. Management must also create an environment in which employees feel safe to challenge management’s decisions or speak up if they think something is wrong. A culture that encourages employees to share their concerns can reduce the risk of fraud significantly because employees often feel more loyal to their superiors. Such a culture might also prevent unethical behavior because issues of anger or stress can be addressed before they escalate to the point of a fraud.

Additionally, management must demonstrate ethics to model the behavior that is expected of the staff. When management believes and acts as though it is irreproachable with respect to company policies, staff members are much less likely to follow rules. Staff members frequently resent management for expecting them to behave in a certain way when members of management do not behave in the same way themselves. However, when management acts ethically and follows organizational policies, the staff tends to respect and appreciate the behavior and copy it.

45
Q

Management of Blue Top Inc. is implementing a formal background check policy for its employees. Which of the following is NOT a best practice that should be implemented as part of this initiative?

A. Conducting a background check on existing employees who are being promoted or moved to positions that include access to easily stolen assets
B. Asking a candidate’s previous employers whether the individual is eligible for rehire
C. Placing a low priority on checking professional references, since most people do not provide bad references
D. Checking the background of any employee who will have access to cash, checks, and credit card numbers

A

C. Placing a low priority on checking professional references, since most people do not provide bad references

See pages 4.614-4.615 in the Fraud Examiner’s Manual

Before hiring anyone, management should conduct a background check (where and to the extent permitted by law) to find out as much as possible about the employee’s previous experience with employers and law enforcement. At a minimum, employers should check the background of any employee who will have access to cash, checks, credit card numbers, or any other items that are easily stolen.

Background checks should also be conducted on existing employees who are being promoted or moved to positions that include access to sensitive or valuable company resources. Even if such a check was performed on the employee at the time of hire, updated background checks should be conducted to identify any significant changes or occurrences that have taken place during the individual’s time with the organization.

In assessing individuals for hire or promotion, employers should verify past employment. Even though most employers will only verify position and dates of employment, their tone of voice often indicates what they think of the employee. Also, previous employers should be asked whether the applicant is eligible for rehire.

Additionally, the hiring manager or human resources (HR) should contact the references provided by the candidate. Unfortunately, very few organizations actually do this. Most operate under the theory that someone would not provide a bad reference. However, some job applicants will list individuals who sound important as references with the hope that the hiring organization will not call. In addition, people often just assume, incorrectly, that a former supervisor or coworker will provide a good reference. But obtaining negative information from someone the candidate listed as a recommendation can be very revealing and should serve as a serious warning sign to the hiring organization.

46
Q

An effective system of anti-fraud controls:

A. Mitigates the risk of fraud but cannot completely eliminate it
B. Increases the perception that fraud will be detected
C. Involves balancing preventive controls and detective controls
D. All of the above

A

D. All of the above

See page 4.702 in the Fraud Examiner’s Manual

No system of anti-fraud controls can fully eliminate the risk of fraud, but well-designed and effective anti-fraud controls can deter the average fraudster by reducing the opportunity to commit the fraud and increasing the perception of detection. With the right balance of preventive and detective controls, a good system of anti-fraud controls can greatly reduce an organization’s vulnerability to fraud.

47
Q

Theft of competitor trade secrets, anti-competitive practices, insider trading, and trade and customs regulations in areas of import and export are all fraud risks pertaining to:

A. Regulatory and legal misconduct
B. Fraudulent financial reporting
C. Asset misappropriation
D. Reputational risk

A

A. Regulatory and legal misconduct

See page 4.718 in the Fraud Examiner’s Manual

Regulatory and legal misconduct includes a wide range of risks, such as conflicts of interest, insider trading, theft of competitor trade secrets, anti-competitive practices, environmental violations, and trade and customs regulations in areas of import and export. Depending on the particular organization and the nature of its business, some or all of these risks might be applicable and should be considered in the fraud risk assessment process.

48
Q

Of the following parties, who is responsible for developing a strategy to assess and manage fraud risks that aligns with the organization’s risk appetite and strategic plans?

A. The board of directors
B. The shareholders
C. The legal department
D. The audit committee

A

A. The board of directors

See pages 4.815-4.816 in the Fraud Examiner’s Manual

To ensure that the fraud risk management program is effective in both operation and design, it must be fully accepted by those charged with governing and overseeing the organization. Specifically, the board of directors must recognize the true and specific risks of fraud to the organization, as well as their potential impact, and respond by:

  • Setting an appropriate tone and realistic expectations of management to enforce an anti-fraud culture
  • Gaining sufficient knowledge of the organization’s activities and the environments in which it operates
  • Raising awareness of the risks of fraud throughout the organization
  • Developing a strategy to assess and manage fraud risks that aligns with the organization’s risk appetite and strategic plans
  • Overseeing the organization’s fraud risk management activities
  • Maintaining open communications with senior management and other personnel
49
Q

Paying bribes to procure business and receiving illegal gratuities are considered risks pertaining to which category of fraud?

A. Fraudulent financial reporting
B. Asset misappropriation
C. Corruption
D. None of the above

A

C. Corruption

See page 4.718 in the Fraud Examiner’s Manual

Potential corruption risks include:

  • Payment of bribes or illegal gratuities to companies, private individuals, or public officials
  • Receipt of bribes, kickbacks, or illegal gratuities by employees or agents of the company
  • Aiding and abetting of fraud by outside parties, such as customers or vendors
50
Q

As part of an organization’s fraud risk management program, employees at all levels should:

A. Understand how noncompliance might create an opportunity for fraud to occur
B. Cooperate in investigations into suspected or alleged fraud incidents
C. Provide input into the design and implementation of fraud control activities when requested by management
D. All of the above

A

D. All of the above

See pages 4.817-4.818 in the Fraud Examiner’s Manual

According to the Fraud Risk Management Guide, a joint publication by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) and the ACFE, and Managing the Business Risk of Fraud: A Practical Guide, all levels of staff, including management, should:

  • Understand the organization’s ethical culture and the organization’s commitment to that culture.
  • Have a basic understanding of fraud and be aware of the red flags.
  • Understand their individual roles within the organization’s fraud risk management framework, how their job procedures are designed to manage fraud risks, and when noncompliance might create an opportunity for fraud to occur or go undetected.
  • Read and understand policies and procedures such as the organization’s fraud policy, code of conduct, whistleblower policy, procurement manuals, etc.
  • As required, participate in creating a strong control environment, designing and implementing fraud control activities, and monitoring activities.
  • Report suspicions or incidents of fraud.
  • Cooperate in investigations.
51
Q

The fraud risk assessment team should consider both qualitative and quantitative factors when assessing the organization’s fraud risks.

A. True
B. False

A

A. True

See page 4.720 in the Fraud Examiner’s Manual

The fraud risk assessment team should consider qualitative and quantitative factors when assessing the organization’s fraud risks. For example, a particular fraud risk that might only pose an immaterial direct financial risk to the organization, but that could greatly affect its reputation, would likely be deemed a significant risk to the organization.

52
Q

The fraud risk assessment process should be conducted covertly so that assessment team members can get an accurate picture of what occurs in the business.

A. True
B. False

A

B. False

See pages 4.714 in the Fraud Examiner’s Manual

The fraud risk assessment process should be visible and communicated throughout the business. Employees will be more inclined to participate in the process if they understand why it is being done and what the expected outcomes will be. To that end, sponsors should be strongly encouraged to openly promote the process. The more personalized the communication from the sponsor, the more effective it will be in encouraging employees to participate in the process. Whether it is a video, town-hall meeting, or company-wide email, the communication should be aimed at eliminating any reluctance employees have about participating in the fraud risk assessment process.

53
Q

Surprise audits can be effective in both preventing and detecting fraudulent conduct.

A. True
B. False

A

A. True

See pages 4.604 in the Fraud Examiner’s Manual

In addition to regularly scheduled fraud audits, surprise fraud audits of business functions in which fraud is most likely to occur can be effective both in increasing employees’ perception of detection and in uncovering actual frauds that have been perpetrated. The surprise element must be present for this control to be effective; predictability allows perpetrators the time to conceal their acts by altering, destroying, or misplacing records and other evidence.

54
Q

During a fraud risk assessment, the assessment team should consider the way employees make decisions, behave, or treat others and assess how those actions affect the company’s vulnerability to fraud.

A. True
B. False

A

A. True

See pages 4.705 in the Fraud Examiner’s Manual

The actions of certain individuals can significantly increase the company’s vulnerability to fraud. The risk can emerge from the way in which someone makes decisions, behaves, or treats others within and outside the organization. A fraud risk assessment can help identify those people and their activities that might increase the company’s overall fraud risk.

55
Q

Which of the following is an objective of anti-fraud controls?

A. To reduce the inherent fraud risk to a level that is significantly lower than the residual fraud risk
B. To completely eliminate the residual fraud risk
C. To completely eliminate the inherent fraud risk
D. To reduce the residual fraud risk to a level that is significantly lower than the inherent fraud risk

A

D. To reduce the residual fraud risk to a level that is significantly lower than the inherent fraud risk

See pages 4.701 in the Fraud Examiner’s Manual

When considering the fraud risks encountered by an organization, it is helpful to analyze how significant a risk is before and after risk response. Risks that are present before the effect of internal controls (including targeted anti-fraud controls) are described as inherent risks. The risks that remain after the effect of these controls are described as residual risks.

For example, there is an inherent risk that the employee in charge of receiving customer payments at a small company might embezzle incoming cash. Anti-fraud controls, such as separation of duties and oversight from the company owner, can be implemented to help mitigate this risk; however, even with such controls in place, some residual risk will likely remain in that the bookkeeper might still manage to embezzle funds. The objective of the controls is to reduce the residual risk to a level that is significantly lower than the inherent risk.

56
Q

When deciding on techniques to use as part of a fraud risk assessment, the assessment team should consider what methods are already commonly and effectively used throughout the organization.

A. True
B. False

A

A. True

See pages 4.712 in the Fraud Examiner’s Manual

There are many ways to go about conducting the fraud risk assessment. Selecting a method or combination of methods that is culturally right for the organization will help to ensure its success. The assessment team should also consider the best ways to gather candid, truthful information from people throughout all levels of the organization, starting by understanding what techniques are commonly and effectively used throughout the organization.

57
Q

According to the Fraud Risk Management Guide, a joint publication by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) and the ACFE, who has responsibility for managing fraud risk?

A. The board of directors
B. Personnel at all levels of the organization
C. Executive management
D. Internal audit

A

B. Personnel at all levels of the organization

See pages 4.815 in the Fraud Examiner’s Manual

According to the Fraud Risk Management Guide, a joint publication by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) and the ACFE, “personnel at all levels of the organization—including every level of management, staff, and internal auditors—have responsibility for managing fraud risk.”

58
Q

In defining the objectives of the fraud risk management program, management should express risk appetite in a manner that is appropriate for the organization’s culture and operations.

A. True
B. False

A

A. True

See pages 4.826 in the Fraud Examiner’s Manual

An important component in defining the objective of the fraud risk management program is determining management’s risk appetite. Risk appetite should be expressed in a manner that is appropriate for the organization’s culture and operations, and it can be measured and expressed either qualitatively—low, medium, or high, for example—or quantitatively, using a numeric scale.

59
Q

Most experts agree that it is much easier to detect fraud than it is to prevent it.

A. True
B. False

A

B. False

See pages 4.602 in the Fraud Examiner’s Manual

Most experts agree that it is much easier to prevent fraud than to detect it. Understanding something about the potential perpetrator’s mind can help to prevent fraud. Increasing the perception of detection might be the most effective fraud prevention method. Controls, for example, are not very effective in preventing theft and fraud if those at risk do not know of the presence of possible detection.

60
Q

Which of the following statements regarding recommended vendor due diligence procedures is LEAST ACCURATE?

A. An organization should request that new vendors complete a questionnaire about their background immediately after signing a contract with them.
B. An organization should alert the vendor that they will be liable for any unethical conduct that occurs during the business arrangement before agreeing to do business with them.
C. An organization should ensure that vendors have their own ethics and compliance program before engaging in any transactions with them.
D. An organization should include a clause in the contract requiring the vendor to report any instances of misconduct before entering into an agreement with them.

A

A. An organization should request that new vendors complete a questionnaire about their background immediately after signing a contract with them.

See pages 4.812-4.813 in the Fraud Examiner’s Manual

The best way to obtain information about a third party is often directly from the third party itself. Before entering into a relationship with a new vendor, management should seek to obtain information from the vendor by using a questionnaire. This will provide the organization with some background information about the vendor that can also be cross-referenced during a background check.

In addition to evaluating a potential vendor’s operations and financial status, management should also consider the vendor’s ethical climate and commitment to compliance. An organization can assess a vendor’s commitment to compliance and ethics by performing the following due diligence procedures:

  • Ensure that vendors have their own ethics and compliance program before engaging in any transactions.
  • Provide the vendor with the organization’s code of conduct and require the vendor’s agents to sign and agree to abide by the code.
  • Inquire about the vendor’s internal audit department and the types of audits the vendor is subject to.
  • Include contract clauses that require vendors to report any misconduct.
  • Alert the vendor that they will be liable for any unethical conduct that occurs in doing business with the organization.

61
Q

According to Managing the Business Risk of Fraud: A Practical Guide, an organization’s anti-fraud policy should include consequences for individuals who condone fraudulent activity.

A. True
B. False

A

A. True

See pages 4.832-4.833 in the Fraud Examiner’s Manual

Organizations should enact policies that reflect the consequences and processes for individuals who commit or condone fraudulent activity. Such consequences might include termination of employment (or the termination of a contract for nonemployees), reporting of the incident to law enforcement or regulatory authorities, and pursuit of civil or criminal action against the perpetrator(s). It is important for management to ensure that any corrective action taken is applied consistently for all involved in the fraudulent act. The organization should also have specific policies in place to identify and remediate any control deficiencies that allowed fraudulent conduct to occur.

62
Q

Designating an area as having a high fraud risk and putting the related activity under increased scrutiny can deter potential fraudsters by increasing their perception of detection.

A. True
B. False

A

A. True

See pages 4.705 in the Fraud Examiner’s Manual

Assessing an area as having a high level of fraud risk does not conclusively mean that fraud is occurring there. However, the fraud risk assessment is useful in identifying areas that should be proactively investigated to determine whether fraud has occurred. In addition, putting activity in high-risk areas under increased scrutiny can deter potential fraudsters by increasing their perception of detection.

63
Q

To ensure the independence of the team members, a consultant or another external party must conduct the fraud risk assessment.

A. True
B. False

A

B. False

See pages 4.707 in the Fraud Examiner’s Manual

A good fraud risk assessment can be conducted effectively either by people inside the organization or external sources. However, the people leading and conducting the fraud risk assessment need to be independent and objective throughout the assessment process. Additionally, they must also be perceived as independent and objective by others.

64
Q

Components necessary to develop, implement, and manage a comprehensive ethics program include:

A. Sanctions for unethical behavior
B. A designated ethics official
C. An ethics task force or committee
D. All of the above

A

D. All of the above

See pages 4.625 in the Fraud Examiner’s Manual

The following 12 components are necessary to develop, implement, and manage a comprehensive ethics program:

  • Focus on ethical leadership
  • Vision statement
  • Values statement
  • Code of ethics
  • Designated ethics official
  • Ethics task force or committee
  • Ethics communication strategy
  • Ethics training
  • Ethics help and fraud reporting hotlines
  • Ethical behavior rewards and sanctions
  • Comprehensive system to monitor and track ethics data
  • Periodic evaluation of ethics efforts and data

65
Q

Risk management involves balancing an organization’s strategic, operational, reporting, and compliance objectives with how much risk management is willing to accept.

A. True
B. False

A

A. True

See pages 4.802 in the Fraud Examiner’s Manual

Risk management involves the identification, prioritization, treatment, and monitoring of risks that threaten an organization’s ability to provide value to its stakeholders, whether increasing profitability and shareholder value for a for-profit entity or achieving program-specific goals for a nonprofit or governmental agency. More specifically, risk management balances risk appetite—how much risk management is willing to accept—with the ability to meet the organization’s strategic, operational, reporting, and compliance objectives.

66
Q

Fraud risks that remain after the effect of internal controls are considered inherent risks.

A. True
B. False

A

B. False

See pages 4.701 in the Fraud Examiner’s Manual

When considering the fraud risks encountered by an organization, it is helpful to analyze how significant a risk is before and after risk response. Risks that are present before the effect of internal controls (including targeted anti-fraud controls) are described as inherent risks. The risks that remain after the effect of these controls are described as residual risks.

For example, there is an inherent risk that the employee in charge of receiving customer payments at a small company might embezzle incoming cash. Anti-fraud controls, such as separation of duties and oversight from the company owner, can be implemented to help mitigate this risk; however, even with such controls in place, some residual risk will likely remain in that the bookkeeper might still manage to embezzle funds. The objective of the controls is to reduce the residual risk to a level that is significantly lower than the inherent risk.

67
Q

An organization’s whistleblower procedures should be made public so that individuals both inside and outside of the organization are aware of the appropriate channels for reporting misconduct.

A. True
B. False

A

A. True

See pages 4.611-4.612 in the Fraud Examiner’s Manual

Organizations can empower employees who wish to disclose information without the fear of negative consequences by creating a safe environment for them to voice their concerns. This can be accomplished by implementing a clear whistleblower policy that details standard reporting protocols and the consequences for retaliating against whistleblowers. This policy can stand alone or be part of the anti-fraud policy.

It is important for management to establish and publicize the organization’s whistleblower procedures so that individuals both inside and outside the organization are aware of the appropriate channels for reporting misconduct. The whistleblower policy should emphasize that it applies to all employees, regardless of their positions or seniority, as well as to anyone external to the organization who has knowledge of potential wrongdoing by any employees or on the company’s part. It should detail what types of misconduct to report, how to report concerns, and any rewards available for disclosing credible information. In addition, a whistleblower policy should include an anti-retaliation component that details the protections the organization affords to whistleblowers and how people will be punished if they violate the policy. By instituting and transparently enforcing a zero-tolerance policy against retaliation, management can increase the likelihood that employees will feel comfortable raising concerns without fear of retribution.

68
Q

Preventive anti-fraud controls include all the following EXCEPT:

A. Hiring policies and procedures
B. Fraud awareness training
C. Separation of duties
D. Continuous audit techniques

A

C. Separation of duties

See pages 4.721-4.722 in the Fraud Examiner’s Manual

Preventive controls, which are intended to prevent fraud before it occurs, include:

  • Bringing awareness of the fraud risk management program to personnel throughout the organization
  • Performing background checks on employees (where permitted by law)
  • Hiring competent personnel and providing them with anti-fraud training
  • Conducting exit interviews
  • Implementing policies and procedures
  • Separating duties
  • Implementing physical security measures
  • Implementing security measures to restrict electronic access to data
  • Ensuring proper alignment between an individual’s authority and level of responsibility
  • Reviewing third-party and related-party transactions

Continuous audit procedures are an example of detective controls, which are intended to detect fraud if it does occur.

69
Q

The anti-retaliation component in a whistleblower policy should do all of the following EXCEPT:

A. List any consequences for retaliating against whistleblowers.
B. Describe the penalties that people may encounter for refusing to provide tips.
C. Specify how people will be punished if they violate the policy.
D. Detail the protections that the organization affords to whistleblowers.

A

B. Describe the penalties that people may encounter for refusing to provide tips.

See pages 4.611-4.612 in the Fraud Examiner’s Manual

Organizations can empower employees who wish to disclose information without the fear of negative consequences by creating a safe environment for them to voice their concerns. This can be accomplished by implementing a clear whistleblower policy that details standard reporting protocols and the consequences for retaliating against whistleblowers. This policy can stand alone or be part of the anti-fraud policy.

It is important for management to establish and publicize the organization’s whistleblower procedures so that individuals both inside and outside the organization are aware of the appropriate channels for reporting misconduct. The whistleblower policy should emphasize that it applies to all employees, regardless of their positions or seniority, as well as to anyone external to the organization who has knowledge of potential wrongdoing by any employees or on the company’s part. It should detail what types of misconduct to report, how to report concerns, and any rewards available for disclosing credible information. In addition, a whistleblower policy should include an anti-retaliation component that details the protections the organization affords to whistleblowers and how people will be punished if they violate the policy. By instituting and transparently enforcing a zero-tolerance policy against retaliation, management can increase the likelihood that employees will feel comfortable raising concerns without fear of retribution.

70
Q

Establishing and communicating the proper flow of information to everyone in the organization is an essential component of a fraud prevention program.

A. True
B. False

A

A. True

See pages 4.614 in the Fraud Examiner’s Manual

A well-designed organizational structure—with key areas of authority and clear and proper lines of reporting—can be an effective fraud prevention measure. A confused structure, in contrast, makes it easier for a fraudster to perpetrate and conceal their misdeeds. Establishing and communicating the proper flow of information to everyone in the organization is an essential component of a well-designed organizational structure. Flowcharts displaying organizational and departmental hierarchies can be a helpful tool for this purpose. Checks must also be established to ensure that information is being properly received and that instructions are being carried out.

71
Q

In countries with limited legal protections for whistleblowers, employment laws might be used as a framework to protect employees when they encounter retaliation for reporting workplace misconduct.

A. True
B. False

A

A. True

See pages 4.611 in the Fraud Examiner’s Manual

While the global landscape of legal protection offered to whistleblowers varies, more countries are beginning to enact measures that protect whistleblowers who suffer retaliation. Some countries have anti-retaliation laws to protect employees against retaliation in the workplace. In successful cases, these laws might offer remedies that reinstate employment, award back pay with interest, and recover attorneys’ fees or other litigation costs.

In jurisdictions that do not have formal legal protection for whistleblowers, countries often use their own employment laws and anti-corruption provisions as a framework; however, due to legalities, these employment laws and anti-corruption provisions might be limited in their ability to protect whistleblowers against retaliation in the workplace for reporting misconduct.

72
Q

Which of the following techniques for gathering information during a fraud risk assessment involves obtaining individuals’ responses through a formal electronic or paper questionnaire?

A. Anonymous feedback mechanisms
B. Interviews
C. Surveys
D. Focus groups

A

C. Surveys

See pages 4.712-4.713 in the Fraud Examiner’s Manual

Several techniques can be used to gather information successfully as part of a fraud risk assessment. These include:

  • Interviews, which can be an effective way to conduct candid one-on-one conversations with employees
  • Focus groups, which can enable the assessor to observe the interactions among a group of employees as they collectively discuss a question or issue
  • Surveys, which are electronic or paper questionnaires that can be either anonymous or directly attributable to the individual participants
  • Anonymous feedback mechanisms, which can include means for anonymous employee suggestions or responses to questions posed

73
Q

The board of directors holds the primary responsibility for designing, implementing, monitoring, and improving the fraud risk management program, as well as punishing perpetrators of fraud appropriately.

A. True
B. False

A

B. False

See pages 4.816-4.817 in the Fraud Examiner’s Manual

The board of directors is responsible for developing and supporting the organization’s underlying fraud risk management strategy. However, senior management has the primary responsibility for designing, implementing, monitoring, and improving the fraud risk management program. As part of this responsibility, senior management must:

  • Be extremely familiar with the organization’s fraud risks.
  • Ensure that the organization has specific and effective internal controls in place to prevent and detect fraud.
  • Set a tone at the top and monitor the company culture to ensure it appropriately supports the organization’s fraud prevention and detection strategies. Senior management must exude ethics for staff to be inspired and feel obligated to follow suit.
  • Clearly communicate—both in words and actions—that fraud is not tolerated.
  • Take all reports of fraud seriously and undertake investigations for any such reports deemed reliable.
  • Punish perpetrators of discovered fraud appropriately. Punishing perpetrators reinforces the culture of ethics and the fact that fraud will not be tolerated.
  • Take any steps necessary to remediate weaknesses that allowed frauds to occur.
  • Report to the board of directors on a regular basis regarding the effectiveness of the organization’s fraud risk management program.

74
Q

In developing an anti-fraud policy, it is good practice for an organization’s management to consult legal counsel to ensure that every fraud allegation is managed uniformly.

A. True
B. False

A

A. True

See pages 4.622 in the Fraud Examiner’s Manual

In developing the anti-fraud policy, management should consult legal counsel regarding any necessary legal considerations with respect to the policy. One of the most important legal considerations is to ensure that all allegations and offenders are managed uniformly. Additionally, if the type of conduct that is considered unacceptable is not accurately detailed, there might be legal problems in terminating a dishonest employee.

75
Q

A fraud risk assessment report should contain a detailed, comprehensive list of every assessment finding and all suggested responses so that management can address each issue within the company, no matter how small.

A. True
B. False

A

B. False

See pages 4.736 in the Fraud Examiner’s Manual

Less is often more when it comes to reporting the results of the fraud risk assessment. The team should not make the report a tedious list of things that management will have to sort through and prioritize. Instead, the report should be presented in a way that focuses on what matters, clearly highlighting things that are most important and that will make the most impact on the organization’s fraud risk management efforts.

76
Q

An organization’s fraud risk management program should include which of the following components?

A. A way to disclose conflicts of interest
B. Quality assurance activities
C. Whistleblower protection policies
D. All of the above

A

D. All of the above

See pages 4.829-4.833 in the Fraud Examiner’s Manual

According to Managing the Business Risk of Fraud: A Practical Guide, the following are ten essential components for effectively managing fraud risk:

  • Statement of commitment—A written statement of commitment to the program from the board of directors and senior management
  • Fraud awareness—A formal fraud risk awareness program for all employees
  • Affirmation process—A requirement for directors, employees, and contractors to explicitly affirm that they have read, understood, and complied with the organization’s code of conduct and fraud risk management program
  • Conflict disclosure—A system for directors, employees, and contractors to self-disclose to the organization any potential or actual conflicts of interest
  • Fraud risk assessment—The proactive identification and assessment of the organization’s fraud risks
  • Reporting procedures and whistleblower protection—Systems and support for receiving fraud allegations from employees and other parties
  • Investigation process—A formalized process that is undertaken following all reports of suspected fraud
  • Corrective action—Policies that reflect the consequences and processes for individuals who commit or condone fraudulent activity and that identify and remediate any control deficiencies that allowed the fraud to occur
  • Process evaluation and improvement (quality assurance)—Formal procedures to periodically evaluate the fraud risk management program’s effectiveness
  • Continuous monitoring—Ongoing review of the program to ensure it is addressing the organization’s current needs and risks

77
Q

An entity’s corporate culture is MOST EFFECTIVELY assessed by using a checklist of initiatives to make sure all the elements of a strong tone at the top are in place.

A. True
B. False

A

B. False

See pages 4.613 in the Fraud Examiner’s Manual

A strong corporate culture can most often be observed by its outcome, rather than by any individual component. Fostering a culture of ethics and compliance is more beneficial than simply implementing a checklist of initiatives; similarly, a culture of corruption can exist even in companies with seemingly sound policies in place.

78
Q

Which of the following is an effective way to help prevent fraud through an organization’s performance measurement and management programs?

A. Including ethics-based metrics as a component of performance evaluations
B. Tying employee compensation to aggressive organizational performance goals
C. Establishing loosely defined job descriptions that allow employees to have flexibility in their roles
D. Giving employees sole responsibility for identifying their own training needs and performance deficiencies

A

A. Including ethics-based metrics as a component of performance evaluations

See pages 4.616 in the Fraud Examiner’s Manual

Organizations should provide employees with well-defined job descriptions and performance goals. Performance goals should be routinely reviewed to ensure that they do not set unrealistic standards, and training should be provided on a consistent basis to ensure that employees maintain the skills needed to perform their tasks effectively. Management should also quickly determine where deficiencies in an employee’s conduct exist and work with the employee to fix the problem.

Additionally, it is easy for employees to waver between performance goals that motivate them to challenge themselves and those that are so ambitious that the only way they can meet them is to perpetrate fraud. When employee compensation, including bonuses, or job security is tied to unachievable performance goals, employees have the incentive to mastermind creative (i.e., fraudulent) approaches to meet them. Including ethics-based metrics—those that focus on how employees do business, not just how much business they do—as a component of performance goals and evaluation can be an especially effective way to foster ethical behavior and reinforce the importance of ethics as the guiding factor in making business decisions.

79
Q

The individuals conducting the fraud risk assessment should incorporate their existing biases regarding employees and processes into their assessment of overall fraud risk.

A. True
B. False

A

B. False

See pages 4.707-4.708 in the Fraud Examiner’s Manual

The people leading and conducting the fraud risk assessment should be mindful about any personal biases they might have regarding the organization and the people within it, and they should take steps to reduce or eliminate all biases that might affect the fraud risk assessment process. For example, if an employee on the fraud risk assessment team has a history of conflicts with someone in the accounts payable department, they might allow that experience to affect their evaluation of the fraud risks related to that area of the business. To compensate for this bias, someone else should perform the fraud risk assessment work related to the accounts payable department’s activities.

80
Q

The risk that an organization might be victimized by an individual who is able to combine the three elements of the Fraud Triangle is called _______________.

A. Audit risk
B. Insider risk
C. Fraud risk
D. Environmental risk

A

C. Fraud risk

See pages 4.701 in the Fraud Examiner’s Manual

Cressey’s Fraud Triangle teaches that there are three interrelated elements that enable someone to commit fraud: the motive or pressure that drives a person to want to commit the fraud, the opportunity that enables them to commit the fraud, and the ability to rationalize the fraudulent behavior. The vulnerability that an organization encounters from individuals capable of combining all three elements of the Fraud Triangle is fraud risk. Fraud risk can come from sources that are both internal and external to the organization, and it is one of the many types of risks managed by an organization.

81
Q

The fraud risk assessment should include input from both management and auditors to ensure a holistic view of the organization’s risks, but it should exclude all others to maintain the independence and objectivity of the assessment process.

A. True
B. False

A

B. False

See pages 4.709 in the Fraud Examiner’s Manual

Risk assessments created or performed by management and auditors without the input of the staff performing the operational tasks will be ineffective. It is crucial to include members of all levels of the organization in the risk assessment process to ensure that all relevant risks are addressed and reviewed from many different perspectives. Additionally, asking employees at lower levels of the organization specific questions about the company culture or eliciting ideas to strengthen anti-fraud controls can provide incredibly valuable information that might not be obtainable from any other source.

82
Q

A fraud risk management program must include systems specifically designed to monitor, identify, and address breaches in compliance.

A. True
B. False

A

A. True

See pages 4.828 in the Fraud Examiner’s Manual

The fraud risk management program must include systems specifically designed to monitor, identify, and address breaches in compliance. Such breaches might include failures in the design or operation of anti-fraud controls, as well as outright occurrences of fraud. A specific individual or team should be assigned responsibility for monitoring compliance with the fraud risk management program and for managing suspected instances of noncompliance. Formal sanctions for intentional noncompliance must be well-publicized and carried out in a consistent and firm manner.

83
Q

Which of the following should be emphasized in an employee reporting program?

I. Fraud, waste, and abuse occur in only a few companies.
II. The company actively encourages employees with information to disclose it.
III. The employee’s name must be disclosed.
IV. The report need not be made to one’s immediate supervisor.

A. I, II, III, and IV
B. I, II, and IV
C. II and III
D. II and IV

A

D. II and IV

See pages 4.609 in the Fraud Examiner’s Manual

An anonymous reporting channel, such as an ethics hotline, is an integral part of an anti-fraud control system. Employees must be made aware of the existence of the reporting mechanism, taught how to use it, and be able to trust that they can report suspicious activity anonymously or confidentially (where permitted by law) without fear of reprisal. In addition, it should be made clear to employees that reports of suspicious activity will be promptly and thoroughly evaluated.

Education about a reporting program should specifically emphasize that:

  • Fraud, waste, and abuse occur in nearly all companies.
  • Such conduct costs the company jobs and profits.
  • The company actively encourages any employee with information to disclose it.
  • The employee can provide information anonymously and without fear of retaliation for good-faith reporting.
  • There is an exact method for reporting an incident (e.g., a telephone number or online form).
  • The report need not be made to one’s immediate superiors.

84
Q

In addition to the specific risks related to each of the primary categories of fraud, the fraud risk assessment team should consider:

A. Reputational risk
B. Incentives for individuals to engage in fraud
C. Risks to information technology
D. All of the above

A

D. All of the above

See pages 4.716-4.717 in the Fraud Examiner’s Manual

The fraud risk assessment team should brainstorm to identify the inherent fraud risks that could apply to the organization. In addition to each of the major areas of fraud risks—fraudulent financial reporting, asset misappropriation, corruption, and fraud from external sources—certain other types of risks must be considered, including the risk of regulatory and legal misconduct, reputational risk, and risk to information technology (IT). Brainstorming should also include discussions regarding incentives, pressures, and opportunities to commit fraud, including the incentive programs and how those might affect employee behavior, as well as the potential for management to override controls.

85
Q

The Committee of Sponsoring Organizations of the Treadway Commission’s (COSO) Enterprise Risk Management—Integrating with Strategy and Performance is composed of a set of principles organized into five interrelated components. Which of the following is NOT one of the principles pertaining to the review and revision component?

A. The organization identifies risk that impacts its performance and ability to meet objectives.
B. The organization assesses substantial changes that might affect its strategy and objectives.
C. The organization reviews its risk and performance.
D. The organization pursues improvement in enterprise risk management.

A

A. The organization identifies risk that impacts its performance and ability to meet objectives.

See pages 4.803-4.805 in the Fraud Examiner’s Manual

The Committee of Sponsoring Organizations of the Treadway Commission’s (COSO) Enterprise Risk Management—Integrating with Strategy and Performance is composed of a set of principles organized into five interrelated components and twenty supporting principles that are based on a holistic view of an organization’s risk portfolio. The five components of the enterprise risk management (ERM) framework are:

  • Governance and culture
  • Strategy and objective-setting
  • Performance
  • Review and revision
  • Information, communication, and reporting

As part of its ERM activities, an organization should review how well the ERM capabilities and practices have increased value over time and how they will continue to drive value for the organization. The principles pertaining to review and revision are:

  • The organization assesses substantial changes that might affect its strategy and objectives.
  • The organization reviews its risk and performance.
  • The organization pursues improvement in ERM.

An organization identifying risks that impact its performance and ability to meet objectives is associated with the performance component of COSO’s ERM framework.

86
Q

Which of the following is TRUE about the fraud risk assessment process?

A. Management and auditors should share ownership of the process and accountability for its success
B. Conducting an effective fraud risk assessment requires thinking like a fraudster
C. The assessment team must be perceived as independent and objective by others for the assessment to be effective
D. All of the above

A

D. All of the above

See pages 4.706-4.707, 4.709 in the Fraud Examiner’s Manual

Both management and auditors have a responsibility for fraud risk management. However, each of these parties has unique knowledge and perspective of the fraud risks encountered by the organization. Consequently, the fraud risk assessment is most effective when management and auditors share ownership of the process and accountability for its success.

Additionally, a good fraud risk assessment can be conducted effectively either by people inside the organization or by external sources. Either way, it is critical that the people leading and conducting the fraud risk assessment remain independent and objective throughout the assessment process. Additionally, they must be perceived as independent and objective by others.

Furthermore, most honest people are not naturally inclined to think like a criminal. In fact, many large-scale frauds that have occurred would have been deemed unthinkable by people closest to the events. But a necessary part of conducting an effective fraud risk assessment involves thinking like a fraudster. Thoughts of “it couldn’t happen here” should not be allowed to moderate the evaluation of fraud risk.

87
Q

Management must assign both a quantitative and qualitative measure to its risk appetite so that it can accurately measure the fraud risk management program’s effectiveness.

A. True
B. False

A

B. False

See pages 4.826 in the Fraud Examiner’s Manual

Management can choose whether to use a quantitative or qualitative measure to express risk appetite. An important component in defining the objective of the fraud risk management program is determining management’s risk appetite. Risk appetite should be expressed in a manner that is appropriate for the organization’s culture and operations, and it can be measured and expressed either qualitatively—low, medium, or high, for example—or quantitatively, using a numeric scale. For example, a company’s management might decide that it prefers to reduce the residual risk of fraud down to a low level, implying a desire for strong controls and monitoring of such controls over a particular area of the business. Another company might decide that any risk rated 3 or higher (on a risk scale of 1–5) is unacceptable. Risk appetite can also be broken down into specific types or sources of fraud, which allows for prioritization of fraud risk management strategies based on the assessed components.

88
Q

As part of its vendor due diligence procedures, an organization should avoid revealing that it is seeking information about potential vendors prior to starting a relationship with them.

A. True
B. False

A

B. False

See pages 4.812-4.813 in the Fraud Examiner’s Manual

The best way to obtain information about a third party is often directly from the third party itself. Before entering into a relationship with a new vendor, management should seek to obtain information from the vendor by using a questionnaire. This will provide the organization with some background information about the vendor that can also be cross-referenced during a background check.

89
Q

Having an auditor ask employees questions such as, “Has anyone ever asked you to do anything that you felt was illegal or unethical?” can be an effective method of uncovering fraud within an organization.

A. True
B. False

A

A. True

See pages 4.603-4.604 in the Fraud Examiner’s Manual

Fraud assessment questioning is a non-accusatory interview technique used as a part of a normal audit. It is based on the theory that employees’ attitudes are a good indicator of potential problems and that one of the most effective ways to assess potential fraud is to ask about it. Examples of questions that can be used in this approach include the following:

  • Part of my duty as an auditor is to find fraud, waste, and abuse. Do you understand that?
  • Do you think fraud is a problem for business in general?
  • Do you think this company has any particular problem with fraud?
  • Has anyone ever asked you to do anything that you felt was illegal or unethical?
  • If you felt that there was a problem in the company with respect to fraud, what would you do?
  • Do you have any indication that there is fraud occurring in the company now?

90
Q

Unless specific unacceptable conduct is detailed in an anti-fraud policy, there can be legal problems in terminating a dishonest employee.

A. True
B. False

A

A. True

See pages 4.622 in the Fraud Examiner’s Manual

In developing the anti-fraud policy, management should consult legal counsel regarding any necessary legal considerations with respect to the policy. One of the most important legal considerations is to ensure that all allegations and offenders are managed uniformly. Additionally, if the type of conduct that is considered unacceptable is not accurately detailed, there might be legal problems in terminating a dishonest employee.

91
Q

Requiring employees in certain functions (e.g., accounting clerks) to periodically rotate job duties can be an effective anti-fraud measure.

A. True
B. False

A

A. True

See pages 4.608 in the Fraud Examiner’s Manual

Some frauds are detected during sickness or unexpected absences of the perpetrator because they require continuous, manual intervention. Requiring employees in certain functions (e.g., accounting clerks) to periodically rotate job duties or accounts reviewed can increase the perception of detection in the potential perpetrator’s mind.

92
Q

In response to a risk identified during a fraud risk assessment, management decides to purchase a bond to help protect the company against the associated risk of loss. This response is known as:

A. Mitigating the risk
B. Avoiding the risk
C. Transferring the risk
D. Assuming the risk

A

C. Transferring the risk

See pages 4.734 in the Fraud Examiner’s Manual

When responding to the organization’s residual fraud risks, management may transfer some or all of the risk by purchasing fidelity insurance or a bond. The cost to the organization is the premium paid for the insurance or bond. The covered risk of loss is then transferred to the insurance company.

93
Q

The performance component of the Committee of Sponsoring Organizations of the Treadway Commission’s (COSO) Enterprise Risk Management—Integrating with Strategy and Performance can BEST be described as:

A. The review of how well the enterprise risk management capabilities and practices have increased value over time and how they will continue to drive value for the organization
B. A continual, iterative process of obtaining information and sharing it throughout the entity
C. The formal process of setting strategy and defining business objectives
D. The identification and assessment of risks that might affect the organization’s ability to meet its strategic and business objectives and the prioritization and response to those risks

A

D. The identification and assessment of risks that might affect the organization’s ability to meet its strategic and business objectives and the prioritization and response to those risks

See pages 4.803-4.805 in the Fraud Examiner’s Manual

The Committee of Sponsoring Organizations of the Treadway Commission’s (COSO) Enterprise Risk Management—Integrating with Strategy and Performance is composed of a set of principles organized into five interrelated components and twenty supporting principles that are based on a holistic view of an organization’s risk portfolio. The five components of the enterprise risk management (ERM) framework are:

  • Governance and culture
  • Strategy and objective-setting
  • Performance
  • Review and revision
  • Information, communication, and reporting

The actual performance of ERM within an organization involves identifying and assessing risks that might affect the organization’s ability to meet its strategic and business objectives and then prioritizing and responding to those risks.

94
Q

If an organization determines that one of its potential customers presents a risk of engaging in illegal activity, but it concludes that the risk is unlikely to manifest, then the only recommended customer due diligence (CDD) procedure would be to identify the customer.

A. True
B. False

A

B. False

See pages 4.811 in the Fraud Examiner’s Manual

Standard customer due diligence (CDD) procedures involve identifying the customer, as well as verifying their identity. This type of due diligence is most widely used in situations where the customer presents a risk—that is, there is some opportunity for the customer to engage in illegal activity—but it is unlikely that the risk will manifest.

Standard CDD requires the organization to gather information that allows it to understand the nature of the business relationship with the potential customer and to ensure that the customer’s identity is legitimate (e.g., the customer is not using a stolen or synthetic identity, the customer is not a shell company). Performing this type of CDD allows the organization to better know its customer and reduce the likelihood of the transaction involving illegal activity.

95
Q

According to the Committee of Sponsoring Organizations of the Treadway Commission (COSO), _________ is the culture, capabilities, and practices, integrated with strategy-setting and its performance, that organizations rely on to manage risk in creating, preserving, and realizing value.

A. Fraud prevention
B. Enterprise risk management
C. Corporate governance
D. Internal control

A

B. Enterprise risk management

See pages 4.802 in the Fraud Examiner’s Manual

In Enterprise Risk Management—Integrating with Strategy and Performance, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) defines enterprise risk management (ERM) as “the culture, capabilities, and practices, integrated with strategy-setting and its performance, that organizations rely on to manage risk in creating, preserving, and realizing value.”

96
Q

To communicate their dedication to the fraud risk management program, the board of directors and senior management should provide a formal statement of commitment that:

A. Is provided to all employees, vendors, and customers
B. Acknowledges the organization’s vulnerability to fraud
C. Is in writing
D. All of the above

A

D. All of the above

See pages 4.830 in the Fraud Examiner’s Manual

As part of the fraud risk management program, the board of directors and senior management should communicate, in writing, their commitment to proactively preventing, detecting, and addressing fraud. This communication can be made as part of the organization’s written statement of values and principles, as part of the code of conduct, or in a separate short document, such as a letter, that is provided to all employees, vendors, and customers.

The statement of commitment should:

  • Be endorsed or authored by a senior executive or board member
  • Be provided to employees as part of the orientation process and be reissued periodically
  • Stress the importance of fraud risk mitigation
  • Acknowledge the organization’s vulnerability to fraud
  • Establish the responsibility of each person within the organization to support fraud risk management efforts
  • Reinforce management’s no-tolerance stance on fraudulent behavior

97
Q

When identifying the inherent fraud risks that could apply to the organization, the fraud risk assessment team should specifically discuss the potential for management to override controls, as well as the risk of regulatory and legal misconduct.

A. True
B. False

A

A. True

See pages 4.716-4.717 in the Fraud Examiner’s Manual

The fraud risk assessment team should brainstorm to identify the inherent fraud risks that could apply to the organization. In addition to each of the major areas of fraud risks—fraudulent financial reporting, asset misappropriation, corruption, and fraud from external sources—certain other types of risks must be considered, including the risk of regulatory and legal misconduct, reputational risk, and risk to information technology (IT). Brainstorming should also include discussions regarding incentives, pressures, and opportunities to commit fraud, including the incentive programs and how those might affect employee behavior, as well as the potential for management to override controls.

98
Q

There are specific anti-retaliation laws in every country that protect whistleblowers against adverse action for reporting misconduct in the workplace.

A. True
B. False

A

B. False

See pages 4.611 in the Fraud Examiner’s Manual

While the global landscape of legal protection offered to whistleblowers varies, more countries are beginning to enact measures that protect whistleblowers who suffer retaliation. Some countries have anti-retaliation laws to protect employees against retaliation in the workplace. In successful cases, these laws might offer remedies that reinstate employment, award back pay with interest, and recover attorneys’ fees or other litigation costs.

In jurisdictions that do not have formal legal protection for whistleblowers, countries often use their own employment laws and anti-corruption provisions as a framework; however, due to legalities, these employment laws and anti-corruption provisions might be limited in their ability to protect whistleblowers against retaliation in the workplace for reporting misconduct.

99
Q

Which of the following is one of the five fraud risk management principles described in the Fraud Risk Management Guide, a joint publication by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) and the ACFE?

A. Fraud risk management monitoring activities
B. Fraud risk assessment
C. Fraud investigation and corrective action
D. All of the above

A

D. All of the above

See pages 4.820 in the Fraud Examiner’s Manual

The Fraud Risk Management Guide, a joint publication by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) and the ACFE, describes five broad principles of fraud risk management, one for each of the five interrelated components of internal control listed in COSO’s Internal Control—Integrated Framework. Each principle is then supported by several points of focus. The principles and underlying points of focus combine to create a full framework that can be used to design, implement, and assess an effective fraud risk management program.

The following are the five principles provided in the Fraud Risk Management Guide:

  • Fraud risk governance
  • Fraud risk assessment
  • Fraud control activities
  • Fraud investigation and corrective action
  • Fraud risk management monitoring activities

100
Q

Which of the following is a factor that might prompt an organization to undertake enhanced due diligence procedures for a new customer?

A. The customer is a high-profile client.
B. The customer has business dealings in a country known for corruption.
C. The customer makes a very large purchase.
D. All of the above are factors that might prompt enhanced procedures.

A

D. All of the above are factors that might prompt enhanced procedures.

See pages 4.811 in the Fraud Examiner’s Manual

When certain customers present higher risks for engaging in illegal activity, organizations should undertake enhanced due diligence procedures. Factors that might prompt enhanced customer due diligence (CDD) include high-profile customers, large-value transactions, or foreign business dealings in countries known for corruption.

101
Q

Which of the following is among the board of directors’ responsibilities pertaining to fraud risk management?

A. Overseeing the organization’s fraud risk management activities
B. Raising awareness of the risks of fraud throughout the organization
C. Setting realistic expectations of management to enforce an anti-fraud culture
D. All of the above

A

D. All of the above

See pages 4.815-4.816 in the Fraud Examiner’s Manual

To ensure that the fraud risk management program is effective in both operation and design, it must be fully accepted by those charged with governing and overseeing the organization. Specifically, the board of directors must recognize the true and specific risks of fraud to the organization, as well as their potential impact, and respond by:

  • Setting an appropriate tone and realistic expectations of management to enforce an anti-fraud culture
  • Gaining sufficient knowledge of the organization’s activities and the environments in which it operates
  • Raising awareness of the risks of fraud throughout the organization
  • Developing a strategy to assess and manage fraud risks that aligns with the organization’s risk appetite and strategic plans
  • Overseeing the organization’s fraud risk management activities
  • Maintaining open communications with senior management and other personnel

102
Q

The size of the fraud risk assessment team will depend on the size of the organization and the methods used to conduct the assessment.

A. True
B. False

A

A. True

See pages 4.711 in the Fraud Examiner’s Manual

Before conducting the fraud risk assessment, the organization should build a fraud risk assessment team consisting of individuals with diverse knowledge, skills, and perspectives that will lead and conduct the fraud risk assessment. The size of the team will depend on the size of the organization and the methods used to conduct the assessment. The team should have individuals who are credible and have experience in gathering and eliciting information. The team members might include internal and external sources, such as accounting and finance personnel, operations personnel, members of the legal department, internal auditors, internal security or investigative personnel, external consultants with fraud and risk expertise, and any business leader with direct accountability for the effectiveness of the organization’s fraud risk management efforts.

103
Q

For analytical review procedures performed during a financial statement audit to be most effective in uncovering fraud, the scheme must materially impact the financial statements.

A. True
B. False

A

A. True

See pages 4.603 in the Fraud Examiner’s Manual

Some internal fraud is discovered because of analytical review procedures performed during a financial statement audit. To uncover fraud using such techniques, however, the scheme must materially impact the financial statements. Auditors should be especially mindful of the following trends:

  • Increasing expenses
  • Increasing cost of sales
  • Increasing receivables/decreasing cash
  • Increasing inventories
  • Increasing sales/decreasing cash
  • Increasing returns and allowances
  • Increasing sales discounts

104
Q

Which of the following components would NOT be present in a well-designed organizational structure?

A. Reporting lines that are informally established and communicated
B. Documentation of organizational hierarchies, such as flowcharts
C. Organization-wide visibility into the proper flow of information
D. Written summaries that outline departmental roles and responsibilities

A

A. Reporting lines that are informally established and communicated

See pages 4.614 in the Fraud Examiner’s Manual

A well-designed organizational structure—with key areas of authority and clear and proper lines of reporting—can be an effective fraud prevention measure. A confused structure, in contrast, makes it easier for a fraudster to perpetrate and conceal their misdeeds. Establishing and communicating the proper flow of information to everyone in the organization is an essential component of a well-designed organizational structure. Flowcharts displaying organizational and departmental hierarchies can be a helpful tool for this purpose. Checks must also be established to ensure that information is being properly received and that instructions are being carried out.

105
Q

Which of the following statements is TRUE regarding the five fraud risk management principles described in the Fraud Risk Management Guide, a joint publication by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) and the ACFE?

A. Under the fraud risk assessment principle, an organization should perform comprehensive fraud risk assessments to identify specific fraud schemes
B. Under the fraud risk governance principle, an organization should communicate the expectations of those overseeing the fraud risk management program
C. Under the fraud risk management monitoring activities principle, an organization should develop ongoing evaluations for each fraud risk management principle
D. All of the above

A

D. All of the above

See pages 4.820-4.821, 4.823-4.824 in the Fraud Examiner’s Manual

The Fraud Risk Management Guide, a joint publication by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) and the ACFE, describes five broad principles of fraud risk management, one for each of the five interrelated components of internal control listed in COSO’s Internal Control—Integrated Framework: fraud risk governance, fraud risk assessment, fraud control activities, fraud investigation and corrective action, and fraud risk management monitoring activities. Each of these principles is then supported by several points of focus. The principles and underlying points of focus combine to create a full framework that can be used to design, implement, and assess an effective fraud risk management program.

Under the fraud risk governance principle, the organization establishes and communicates a fraud risk management program that demonstrates the expectations of the board of directors and senior management and their commitment to high integrity and ethical values regarding managing fraud risk.

Under the fraud risk assessment principle, the organization performs comprehensive fraud risk assessments to identify specific fraud schemes and risks, assess their likelihood and significance, evaluate existing fraud control activities, and implement actions to mitigate residual fraud risks.

Under the fraud risk management monitoring activities principle, the organization selects, develops, and performs ongoing evaluations to ascertain whether each of the five principles of fraud risk management is present and functioning and communicates deficiencies in the fraud risk management program in a timely manner to parties responsible for taking corrective action, including senior management and the board of directors.

106
Q

The governance and culture component of the Committee of Sponsoring Organizations of the Treadway Commission’s (COSO) Enterprise Risk Management—Integrating with Strategy and Performance involves the formal process of setting strategy and defining business objectives.

A. True
B. False

A

B. False

See pages 4.803-4.805 in the Fraud Examiner’s Manual

The Committee of Sponsoring Organizations of the Treadway Commission’s (COSO) Enterprise Risk Management—Integrating with Strategy and Performance is composed of a set of principles organized into five interrelated components and twenty supporting principles that are based on a holistic view of an organization’s risk portfolio. The five components of the enterprise risk management (ERM) framework are:

  • Governance and culture
  • Strategy and objective-setting
  • Performance
  • Review and revision
  • Information, communication, and reporting

The organization’s governance and culture form the foundation for the ERM program. Governance sets the organizational tone, reinforces the importance of risk management, and establishes the oversight responsibilities for managing risks while culture is reflected in decision-making.

The strategy and objective-setting component of the ERM framework involves the formal process of setting strategy and defining business objectives.

107
Q

Risk management includes which of the following activities involving the risks that threaten an organization?

A. Treatment
B. Identification
C. Monitoring
D. All of the above

A

D. All of the above

See pages 4.802 in the Fraud Examiner’s Manual

Risk management involves the identification, prioritization, treatment, and monitoring of risks that threaten an organization’s ability to provide value to its stakeholders, whether increasing profitability and shareholder value for a for-profit entity or achieving program-specific goals for a nonprofit or governmental agency. More specifically, risk management balances risk appetite—how much risk management is willing to accept—with the ability to meet the organization’s strategic, operational, reporting, and compliance objectives.

108
Q

A detailed anti-fraud policy that includes specific examples of fraud can give management legal grounds to investigate and punish violators.

A. True
B. False

A

A. True

See pages 4.619-4.620 in the Fraud Examiner’s Manual

To avoid being overly broad in nature, and thus difficult to enforce, anti-fraud policies should include specific examples of fraud. The scope of fraud within an organization might range from internal theft of cash in small amounts to a very large third-party billing scheme. Regardless of the materiality of a fraud, management should clearly define all types of fraud that could occur within the company. Doing so both provides specific guidance so employees can understand what actions constitute fraud and provides management with the legal grounds to investigate and punish violators.

Examples of fraudulent offenses include:

  • Using company equipment (e.g., office supplies, company vehicles, mobile phones, computers) for personal reasons
  • Stealing company assets (e.g., cash, receivables, inventory)
  • Inflating reported hours worked
  • Forging or altering checks and other documents
  • Disclosing proprietary information to competitors
  • Accepting bribes from or paying bribes to vendors or customers
  • Engaging in transactions in which the employee has an undisclosed conflict of interest
  • Destroying company records with malicious intent
  • Intentionally misstating financial statements

109
Q

During an audit, auditors should validate that the organization is appropriately managing the moderate-to-high fraud risks identified in the fraud risk assessment. Ways to do so include:

A. Designing and performing tests to evaluate whether the identified controls are operating effectively and efficiently
B. Identifying within the moderate-to-high fraud risk areas whether there is a moderate-to-high risk of management overriding controls
C. Identifying and mapping the existing controls that pertain to the moderate-to-high fraud risks identified in the fraud risk assessment
D. All of the above

A

D. All of the above

See pages 4.738-4.739 in the Fraud Examiner’s Manual

In the course of their work, auditors should validate that the organization is appropriately managing the moderate-to-high fraud risks identified in the fraud risk assessment by:

  • Identifying and mapping the existing preventive and detective controls that pertain to the moderate-to-high fraud risks identified in the fraud risk assessment
  • Designing and performing tests to evaluate whether the identified controls are operating effectively and efficiently
  • Identifying within the moderate-to-high fraud risk areas whether there is a moderate-to-high risk of management overriding controls
  • Developing and delivering reports that incorporate the results of their validation and testing of the fraud risk controls
110
Q

Which of the following is NOT a recommended way for management to respond to incidents of fraud within an organization?

A. Consistently punishing all fraud perpetrators
B. Reporting known incidents of fraud to law enforcement
C. Maintaining a policy of zero tolerance for fraud
D. Allowing all employees one warning before termination

A

D. Allowing all employees one warning before termination

See page 4.616 in the Fraud Examiner’s Manual

The way that management responds to incidents of fraud within the organization plays an important role in its fraud prevention program. Specifically, it must be emphasized to all employees that the company maintains a policy of zero tolerance for fraud; otherwise, once an employee learns that small frauds are possible, larger frauds might be committed shortly thereafter. In addition, by not consistently punishing perpetrators, a company renders its fraud prevention program less effective or useless. Having a public record of the incident can also be important, so reporting known incidents of fraud to law enforcement can be an effective step in making the organization’s zero-tolerance stance clear.

111
Q

Fraud risk management programs should focus on activities that:

A. Respond to identified fraud by investigating the incident and taking remedial action
B. Detect fraud by identifying occurrences as soon as possible after they begin
C. Prevent fraud by proactively identifying, assessing, and addressing fraud risks
D. All of the above

A

D. All of the above

See pages 4.819-4.820 in the Fraud Examiner’s Manual

Fraud risk management programs must address fraud before, during, and after it occurs. Consequently, effective fraud risk management programs must incorporate policies and procedures designed to do all the following:

  • Prevent fraud—These activities focus on proactively identifying and assessing fraud risks and taking steps to address those risks; they are the first line of defense against fraud in the organization and generally include policies, procedures, training, and communication.
  • Detect fraud—These activities seek to identify fraud occurrences as soon as possible after they begin to limit the damage done.
  • Respond to identified fraud—These activities include investigating the allegation to determine the party or parties responsible, the means of the infraction, and the extent of the resulting damage; punishing the perpetrator, whether through employment sanctions or legal action; remediating the control weaknesses that allowed the fraud to be undertaken; and rebuilding stakeholders’ confidence in the organization.
112
Q

Detective anti-fraud controls include all the following EXCEPT:

A. Proactive data analysis techniques
B. A hotline
C. Hiring policies and procedures
D. Physical inspections

A

C. Hiring policies and procedures

See pages 4.721-4.722 in the Fraud Examiner’s Manual

Detective controls, which are intended to detect fraud if it does occur, include:

  • Establishing and marketing the presence of a confidential reporting system, such as a whistleblower hotline
  • Implementing proactive controls for the fraud detection process, such as independent reconciliations, reviews, physical inspections and counts, analysis, and audits
  • Implementing proactive fraud detection procedures, such as data analysis and continuous auditing techniques
  • Performing surprise audits

Hiring policies and procedures fall under the category of preventive controls, which are intended to prevent fraud before it occurs.

113
Q

Which of the following statements is TRUE regarding an organization’s fraud risk management program?

A. A specific team or individual should be assigned responsibility for monitoring compliance and managing suspected instances of noncompliance
B. Formal sanctions for intentional noncompliance must be well-publicized and carried out in a consistent and firm manner
C. There should be measures in place to address failures in the design or operation of anti-fraud controls, as well as fraud occurrences
D. All of the above

A

D. All of the above

See page 4.828 in the Fraud Examiner’s Manual

The fraud risk management program must include systems specifically designed to monitor, identify, and address breaches in compliance. Such breaches might include failures in the design or operation of anti-fraud controls, as well as outright occurrences of fraud. A specific individual or team should be assigned responsibility for monitoring compliance with the fraud risk management program and for managing suspected instances of noncompliance. Formal sanctions for intentional noncompliance must be well-publicized and carried out in a consistent and firm manner.

114
Q

Following the conclusion of the fraud risk assessment process, management should:

A. Use the results to promote awareness, education, and action planning
B. Track and measure progress against agreed-upon action plans
C. Use the assessment findings to monitor the performance of key controls
D. All of the above

A

D. All of the above

See page 4.737 in the Fraud Examiner’s Manual

To make the most of the fraud risk assessment process, management should use the results to:

  • Begin a dialogue across the company that promotes awareness, education, and action planning to reduce fraud risk.
  • Look for fraud in high-risk areas.
  • Hold action owners accountable for progress against agreed-upon plans.
  • Keep the assessment process active and relevant.
  • Modify or create the code of conduct or ethics policy.
  • Monitor key controls.
115
Q

Which of the following factors influences the level of fraud risk encountered by an organization?

A. The ethics of its leadership team
B. The effectiveness of its anti-fraud controls
C. The geographic regions in which it operates
D. All of the above

A

D. All of the above

See page 4.702 in the Fraud Examiner’s Manual

Many factors influence how exposed an organization is to fraud. Some of the main ones are:

  • The nature of the business in which it is engaged (i.e., its industry and operations)
  • The environment in which it operates (e.g., physical storefront or internet-based, geographic location)
  • The effectiveness of the anti-fraud controls within the business processes
  • The ethics and values of the company and its employees
116
Q

A detailed anti-fraud policy should outline the types of actions that are considered to be fraud. Which of the following should be included on that list?

A. Disclosing proprietary information to competitors
B. Using company equipment for personal reasons
C. Forging or altering documents
D. All of the above

A

D. All of the above

See pages 4.619-4.620 in the Fraud Examiner’s Manual

To avoid being overly broad in nature, and thus difficult to enforce, anti-fraud policies should include specific examples of fraud. The scope of fraud within an organization might range from internal theft of cash in small amounts to a very large third-party billing scheme. Regardless of the materiality of a fraud, management should clearly define all types of fraud that could occur within the company. Doing so both provides specific guidance so employees can understand what actions constitute fraud and provides management with the legal grounds to investigate and punish violators.

Examples of fraudulent offenses include:

  • Using company equipment (e.g., office supplies, company vehicles, mobile phones, computers) for personal reasons
  • Stealing company assets (e.g., cash, receivables, inventory)
  • Inflating reported hours worked
  • Forging or altering checks and other documents
  • Disclosing proprietary information to competitors
  • Accepting bribes from or paying bribes to vendors or customers
  • Engaging in transactions in which the employee has an undisclosed conflict of interest
  • Destroying company records with malicious intent
  • Intentionally misstating financial statements
117
Q

Which of the following is an effective method of increasing the perception of detection?

A. Conducting surprise audits
B. Requiring strong management oversight
C. Forcing employees to take vacation time
D. All of the above

A

D. All of the above

See page 4.602 in the Fraud Examiner’s Manual

Increasing the perception of detection might be the most effective fraud prevention method. Controls, for example, do little to prevent theft and fraud if those who might commit it are unaware that detection is possible. In the audit profession, this means letting employees, managers, and executives know that auditors are actively seeking information concerning internal theft. This can be accomplished in several ways, such as surprise audits, employee anti-fraud education, enforcement of mandatory vacation and job-rotation policies, strong management oversight, and effective reporting programs.

118
Q

A fraud risk assessment report should reflect the assessment team’s subjective perspective and opinions that were formed during the assessment engagement.

A. True
B. False

A

B. False

See page 4.735 in the Fraud Examiner’s Manual

Much instinct and judgment go into performing the fraud risk assessment. When reporting the results of the assessment, however, the team must report only the facts and keep all opinions and biases out of the report. A report that is interspersed with the assessment team’s subjective perspective will dilute and potentially undermine the results of the work.