ENTITY-LEVEL CONTROLS FRAUD QUESTIONNAIRE

WHAT IS FRAUD?

Fraud is the intentional perversion of truth in order to induce another to part with something of value or to
surrender a legal right. In the business community, the primary goal of fraud is often monetary gain.

Fraud prevention programs are essential to set the right tone for an effective internal control framework. In
addition, strong internal controls provide better opportunities to detect and deter fraud. Because of this, it is
important to assess whether management has implemented formal communication mechanisms, internal controls,
and internal or external oversight processes to effectively prevent or deter fraud. This could include the
identification of fraud risks in an entity-wide risk assessment program or establishing a separate risk assessment
program that considers the vulnerability of the company to fraudulent activities.

1 Source: www.knowledgeleader.com
Describe
Specific Describe the
Type of
Activities, New/ Basis for
Does Are Are Deficiency Management
Programs Changed Test Effectiveness
COSO Point of Focus/ This Controls Control Test Documentation Controls Deficiencies (Efficiency, Action Plan
# or in the Workpaper Conclusion
Component Control Objective Control Properly Owner Procedures Reference Operating Noted Fin. to Address
Controls in Current Reference (Including
Exist? Designed? Effectively? Reporting, Deficiencies
Place that Year? Evidence of
Compliance)
Satisfy the Operation)
Objective

1 Control A positive
Environment workplace
environment exists
that minimizes
employees' sense
of feeling abused,
threatened or
ignored.

2 Control Effective policies

Environment exist that minimize
the chance of
hiring or promoting
individuals with low
levels of honesty,
especially for
positions of trust.

3 Control A formal fraud

Environment policy exists that
defines fraud and
appropriate actions
to be taken with
respect to
instances of fraud.
The policy is
formally
communicated and
available on the
company intranet.

4 Control The company

Environment reacts to and deals
with acts of fraud,
or suspected fraud,
in a manner that
sends a strong
message
throughout the
company that
helps reduce the
likelihood of future
incidents.

5 Control Management has

Environment established a
formal anti-fraud
program that

2 Source: www.knowledgeleader.com
Describe
Specific Describe the
Type of
Activities, New/ Basis for
Does Are Are Deficiency Management
Programs Changed Test Effectiveness
COSO Point of Focus/ This Controls Control Test Documentation Controls Deficiencies (Efficiency, Action Plan
# or in the Workpaper Conclusion
Component Control Objective Control Properly Owner Procedures Reference Operating Noted Fin. to Address
Controls in Current Reference (Including
Exist? Designed? Effectively? Reporting, Deficiencies
Place that Year? Evidence of
Compliance)
Satisfy the Operation)
Objective

outlines a process
to identify and
evaluate the risk of
fraud at both entity
and process levels.

6 Control Management
Environment performs
brainstorming
sessions focused
on different ways
employees could
perpetrate fraud in
the organization.

7 Control A whistleblower
Environment program is in place
and is periodically
reviewed to ensure
that it is designed
and operating
effectively.
Complaints are
reviewed by the C-
level executives,
where appropriate,
and reports are
communicated
directly to the audit
committee.

8 Risk The fraud risk

Assessment assessment
process is formal
and incorporates
the following key
characteristics:
• A formal process
for identifying and
documenting fraud
risks.
• Management
explicitly considers
potential fraud
schemes and
scenarios or
different frauds
such as fraudulent
financial reporting,
misappropriation of

3 Source: www.knowledgeleader.com
Describe
Specific Describe the
Type of
Activities, New/ Basis for
Does Are Are Deficiency Management
Programs Changed Test Effectiveness
COSO Point of Focus/ This Controls Control Test Documentation Controls Deficiencies (Efficiency, Action Plan
# or in the Workpaper Conclusion
Component Control Objective Control Properly Owner Procedures Reference Operating Noted Fin. to Address
Controls in Current Reference (Including
Exist? Designed? Effectively? Reporting, Deficiencies
Place that Year? Evidence of
Compliance)
Satisfy the Operation)
Objective

assets,
unauthorized or
improper receipts
and expenditures,
and fraud by senior
management.
• The level at
which the risk is
considered
(company-wide,
business unit and
significant account)
is explicitly
defined.
• The level of
likelihood of fraud
(probable,
reasonably
possible and
remote) is defined.
• The level of
significance of
fraud
(inconsequential,
more than
inconsequential or
material) is
defined.

9 Risk Management
Assessment considers
significant
business units or
significant
processes in the
fraud risk
assessment.

10 Risk Management
Assessment reviews identified
fraud risks with the
audit committee
and seeks
guidance from the
audit committee on
other associated
risks.

11 Risk The audit

committee or

4 Source: www.knowledgeleader.com
Describe
Specific Describe the
Type of
Activities, New/ Basis for
Does Are Are Deficiency Management
Programs Changed Test Effectiveness
COSO Point of Focus/ This Controls Control Test Documentation Controls Deficiencies (Efficiency, Action Plan
# or in the Workpaper Conclusion
Component Control Objective Control Properly Owner Procedures Reference Operating Noted Fin. to Address
Controls in Current Reference (Including
Exist? Designed? Effectively? Reporting, Deficiencies
Place that Year? Evidence of
Compliance)
Satisfy the Operation)
Objective

Assessment board of directors

considers the
potential for
management
override of controls
and its appropriate
influence over the
financial reporting
process.

12 Control Management
Activities makes changes to
the organization's
processes to
reduce or eliminate
the risk of fraud.

13 Control Critical controls are

Activities identified to
adequately
address fraud
risks.

14 Information and Ongoing internal

Communication fraud
communication
programs (e.g.,
posters, training
seminars,
conferences) exist
and management
and employees are
required to
participate in
events as
appropriate.

15 Information and Communications to

Communication external parties
regularly state the
company's position
on fraudulent
activity and the
potential
consequences if
fraud is detected.

16 Information and Training regarding

code of ethics and

5 Source: www.knowledgeleader.com
Describe
Specific Describe the
Type of
Activities, New/ Basis for
Does Are Are Deficiency Management
Programs Changed Test Effectiveness
COSO Point of Focus/ This Controls Control Test Documentation Controls Deficiencies (Efficiency, Action Plan
# or in the Workpaper Conclusion
Component Control Objective Control Properly Owner Procedures Reference Operating Noted Fin. to Address
Controls in Current Reference (Including
Exist? Designed? Effectively? Reporting, Deficiencies
Place that Year? Evidence of
Compliance)
Satisfy the Operation)
Objective

Communication other fraud areas

exists and is
effective.

17 Information and Management

Communication considers the
following related to
information system
fraud risk:
(1) Consider
information
technology in the
fraud risk
assessment.
(2) Maintain
adequate security
and access
controls.
(3) Employ
information
technology to
prevent and detect
fraud.
(4) Have the ability
to investigate
computer misuse.

18 Monitoring The audit

committee/board of
directors evaluates
management's
identification of
fraud risks,
implementation of
anti-fraud
measures, and the
"tone-at-the-top."

19 Monitoring Internal audit

adequately
addresses fraud
risks when
planning and
executing the
annual audit plan.

20 Monitoring Internal auditors

examine and
evaluate the

6 Source: www.knowledgeleader.com
Describe
Specific Describe the
Type of
Activities, New/ Basis for
Does Are Are Deficiency Management
Programs Changed Test Effectiveness
COSO Point of Focus/ This Controls Control Test Documentation Controls Deficiencies (Efficiency, Action Plan
# or in the Workpaper Conclusion
Component Control Objective Control Properly Owner Procedures Reference Operating Noted Fin. to Address
Controls in Current Reference (Including
Exist? Designed? Effectively? Reporting, Deficiencies
Place that Year? Evidence of
Compliance)
Satisfy the Operation)
Objective

adequacy of
internal controls
designed to reduce
fraud risks, or they
conduct proactive
auditing to search
for corruption,
misappropriation of
assets and
financial statement
fraud.

21 Monitoring The internal audit

department
includes
knowledgeable
and experienced
fraud
professionals.

22 Monitoring Management has

implemented and
continuously
monitors the
operation of
internal controls
designed to
mitigate the risk of
fraud.

23 Monitoring Management
reports the results
of internal reviews
of internal controls
over financial
reporting, including
noted instances of
fraud, to the audit
committee and
external auditors.

24 Monitoring A conflict of
interest policy
exists regarding
independence
between
employees and
suppliers.
Violations of this

7 Source: www.knowledgeleader.com
Describe
Specific Describe the
Type of
Activities, New/ Basis for
Does Are Are Deficiency Management
Programs Changed Test Effectiveness
COSO Point of Focus/ This Controls Control Test Documentation Controls Deficiencies (Efficiency, Action Plan
# or in the Workpaper Conclusion
Component Control Objective Control Properly Owner Procedures Reference Operating Noted Fin. to Address
Controls in Current Reference (Including
Exist? Designed? Effectively? Reporting, Deficiencies
Place that Year? Evidence of
Compliance)
Satisfy the Operation)
Objective

policy are
investigated.

25 Monitoring Certified fraud

examiners assist
the audit
committee or
board of directors
with the fraud
oversight process.

8 Source: www.knowledgeleader.com