fraud risk management · 2020-02-24 · cash disbursement fraud check for duplicates or multiple...

© 2020 Association of Certified Fraud Examiners, Inc.

Fraud Risk Management

Specific Anti-Fraud Controls

(Process or Transaction Level)


Discussion Questions

1. Does your organization have adequate staffing

to enforce separation of duties? Are there

departments or functions within your

organization where some incompatible duties

could be better segregated to decrease the risk

of fraud?



2. Identify one or two of your organization’s most

significant fraud risks. Look over the controls

identified in this section to address those risks.

a. Are there any controls listed that your organization

has not implemented? Are there controls your

organization has implemented to address this risk

that are not included on the list?



2. Identify one or two of your organization’s most

significant fraud risks. Look over the controls

identified in this section to address those risks.

b. Using the table in your workbook, complete a fraud

risk assessment for the two risks identified in step

2a. For each risk, identify, classify, and assess the

operating effectiveness of four internal controls,

then arrive at a residual risk rating and risk

response.


Identified

Fraud

Risks and

Schemes

Personnel/

Departments

Involved

Likelihood

(1, 2, or 3)

Impact

(1, 2, or

3)

Internal

Control

No.

Internal

Control

Description

(P)

Preventive or

(D) Detective

Control

Describe

Testing/

Monitoring of

Control

Control

Effectiveness

(1, 2, or 3)

Residual Risk

Rating

(Low, Moderate,

High)

Fraud

Risk

Response


Learning Objective

▪ Understand how to design and implement

internal controls to address the risk of specific

fraud schemes.


Controls for Financial Statement Fraud

▪ Anchor in effective oversight of management.

▪ Gain a solid understanding of the business.

▪ Maintain an appropriate level of skepticism.

▪ Consider incentives, pressures, and

rationalizations to commit fraud.

▪ Explore fraud risk scenarios.

▪ Assess the financial reporting culture.


Controls for Financial Statement Fraud

▪ Review transactions subsequent to the balance

sheet date.

▪ Internal audit focus.

▪ Review capitalization policies.

▪ Analyze compliance with loan covenants.

▪ Look for anomalies in inventory documentation.

▪ Review procedures for accounting estimates.

▪ Review journal entries.

▪ Review changes in accounting policies and

practices.


Controls for Theft of Incoming Cash

▪ Separate recordkeeping duties.

▪ Post signs offering a discount to customers who

do not receive a receipt.

▪ Use management oversight or video cameras to

safeguard cash-handling areas.

▪ Perform surprise cash counts.



▪ Use pre-numbered forms for sales receipts and

sales returns.

▪ Require management approval for voids and

refunds.

▪ Place a restrictive endorsement on checks upon

receipt.

▪ Deposit cash daily and itemize deposit slips.



▪ Place cash funds in a time-lock safe.

▪ Do not keep excessive cash on hand.

▪ Use cash registers that have adequate security

features.

▪ Maintain separate register drawers for each

cashier.


Controls for Accounts Receivable Fraud

▪ Separate recordkeeping duties.

▪ Set guidelines and procedures for opening mail.

▪ Use multi-part deposit slips.

▪ Install video cameras in the mail room and other

vulnerable areas.

▪ Use a lockbox system for cash receipts.


Controls for Accounts Receivable Fraud

▪ Require supervisory approval for:

• Changes to A/R master file

• Write-offs and discounts

• All accounts to be sent to a collection agency

▪ Scan journal entries for illogical debits to A/R.

▪ Monitor A/R for an unusual number of write-offs,

debits, or overdue accounts.

▪ Monitor employee activities.


Controls for Inventory Fraud

▪ Maintain effective physical security.

▪ Install video cameras in vulnerable areas.

▪ Implement access controls over computerized

inventory and accounting systems.

▪ Perform surprise counts of inventory.

▪ Use pre-numbered sales and inventory forms.


Controls for Inventory Fraud

▪ Require approval for:

• Adjustments to inventory records

• Scrap sales

• Sales returns

▪ Test for unusual inventory shrinkage.


Controls for Fixed Assets Fraud

▪ Create and communicate a policy on personal

use of company fixed assets.

▪ Attach identification tags to fixed assets and

track them in an up-to-date list.

▪ Secure the perimeter of the business.

▪ Use pre-numbered and multi-part requisitions,

purchase orders, and receiving documents.


Controls for Fixed Assets Fraud

▪ Require authorization for purchases,

improvements, and retirements, and for

additions to and deletions from fixed asset

accounts.

▪ Change access codes and locks when

employees are terminated.

▪ Perform a periodic fixed asset inventory count,

and reconcile it to the fixed asset subledger.


Controls for Investment Fraud

▪ Hold securities in the organization’s name.

▪ Keep securities in a safe deposit box under dual

control.

▪ Maintain a current list of all investments held by

the organization, including a record of expected

income payments.


Controls for Investment Fraud

▪ Require high-level authorization for investment

transactions.

▪ Require approval for write-downs.

▪ Implement separation of duties.

▪ Maintain access controls over investment

accounts and related software.


Controls for Accounts Payable and

Cash Disbursement Fraud

▪ Separate duties and functions.

▪ Use physical and software controls to restrict

access to A/P and disbursements systems.

▪ Restrict access to vendor master file and flag

any changes made.

▪ Maintain an approved vendor list independently

of the purchasing department.




▪ Check for duplicates or multiple payments to

the same vendor in one day.

▪ Require proper authorization of all transactions.

▪ Pay only from original invoices, not statements.

▪ Require matching of invoices to purchase

orders and receiving reports prior to payment.

▪ Make all disbursements via check or wire.

▪ Severely restrict the use of manual checks.




▪ Use positive pay or reverse positive pay.

▪ Request bank notification if a duplicate debit is

pending posting.

▪ Require dual approval when a new vendor is

set up for electronic payment.

▪ Require dual signatures for payment amounts

over an established threshold.

▪ Never sign blank checks.


Controls for Payroll Fraud

▪ Separate duties and functions.

▪ Use an imprest payroll bank account.

▪ Encourage the use of direct deposit.

▪ Keep signed paychecks in a secure location.

▪ Log and secure unclaimed paychecks.


Controls for Payroll Fraud

▪ Require employees to provide identification to

collect paycheck or stub.

▪ Match the payroll against personnel files.

▪ Have supervisors verify time worked.

▪ Require advanced authorization for overtime

and paid time off.


Controls for Expense

Reimbursement Fraud

▪ Have a clear policy stating:

• Types of reimbursable expenses

• Reimbursement limits

• Required time frame for submitting expense reports

▪ Require original receipts for all expense

reimbursements.


Controls for Expense

Reimbursement Fraud

▪ Require detailed expense reports:

• Explanation, including specific business purpose

• Time and date

• Location

• Amount of the expense

• Supervisor’s review and approval


Controls for Fraud Related to Borrowing

▪ Require that the board

of directors approves

all debt transactions.

▪ Separate duties in

financing activities.


Controls for Equity Fraud

▪ Separate duties in equity transactions.

▪ Require that the board of directors approves all

dividends and stock sales.

▪ Use pre-numbered stock certificates.

▪ Announce dividend rates to shareholders

before the checks are issued.

▪ Safeguard unissued shares of stock.


Controls for Corruption

▪ The controls that

address payables and

disbursements fraud

can also be effective

in preventing and

detecting corruption

schemes.


ISO 37001

▪ Communicate anti-bribery policy and program.

▪ Appoint compliance manager.

▪ Provide anti-bribery training and guidance.

▪ Perform bribery risk assessment, including third

parties.

▪ Ensure that controlled organizations and third

parties implement controls.


ISO 37001

▪ Verify that personnel will comply with the policy

and program.

▪ Control benefits provided to individuals and

third parties.

▪ Implement financial, procurement, and other

controls.

▪ Implement whistleblower procedures and

investigate suspected bribery.


Controls for Conflicts of Interest

▪ Ensure that a strong ethics policy is in place.

▪ Detection of conflicts of interest is quite difficult;

focus should be on prevention through ethical

climate.

▪ Conduct occasional staff interviews, and have a

reporting mechanism available.


Controls for Fraud by Vendors

▪ Enforce an exhaustive process for approving

new vendors.

▪ Issue internal conflict of interest questionnaires,

and address any potential conflicts.

▪ Count inventory as it is delivered.

▪ Perform vendor compliance audits.

▪ Carefully review and approve invoices prior to

payment.


Controls for Data Security Breaches

▪ Access restriction

and review

▪ Firewalls

▪ Physical control

over equipment

▪ Monitoring of

access attempts

and successes

fraud risk management · 2020-02-24 · cash disbursement fraud check for duplicates or multiple...

Documents