ENTITY-LEVEL CONTROLS - Fraud

What is Fraud?
Fraud is the intentional perversion of truth in order to induce another to part with something of value or to surrender a legal right. In the business community,
the primary goal of fraud is often monetary gain.

Fraud prevention programs are essential to set the right tone for an effective internal control framework. In addition, strong internal controls provide better
opportunities to detect and deter fraud. Because of this, it is important to assess whether management has implemented formal communication
mechanisms, internal controls, and internal or external oversight processes to effectively prevent or deter fraud. This could include the identification of fraud
risks in an entity-wide risk assessment program; or establishing a separate risk assessment program that considers the vulnerability of the company to
fraudulent activities.

Type of
deficiency
New/Changed Controls Controls Describe the basis for (Efficiency, Fin.
Does this control Describe specific activities, programs or controls in in current properly Control Documentation Test workpaper operating effectiveness conclusion (including Reporting, Management action plan to
# COSO Component Point of Focus/ Control Objective exist? place that satisfy the objective. year? designed? owner Test procedures reference reference effectively? evidence of operation) Deficiencies noted Compliance) address deficiencies
A positive workplace environment exists which
Control minimizes employees' sense of feeling abused,
1 Environment threatened, or ignored.
Effective policies exist that minimize the chance of
Control hiring or promoting individuals with low levels of
2 Environment honesty, especially for positions of trust.
A formal fraud policy exists, which defines fraud
and appropriate actions to be taken with respect to
instances of fraud. The policy is formally
Control communicated and available on the company
3 Environment intranet.

The company reacts to and deals with acts of

fraud, or suspected fraud, in a manner that sends
Control a strong message throughout the company that
4 Environment helps reduce the likelihood of future incidents.
Management has established a formal 'anti-fraud'
program, which outlines a process to identify and
Control evaluate the risk of fraud at both entity and
5 Environment process levels.
Management performs brainstorming sessions
Control focused on different ways employees could
6 Environment perpetrate fraud in the organization.
A whistleblower program is in place and is
periodically reviewed to ensure it is designed and
operating effectively (complaints are reviewed by
the C-Level executives, where appropriate, and
Control reports are communicated directly to the audit
7 Environment committee).
The fraud risk assessment process is formal and
incorporates the following key characteristics:
• A formal process for identifying and documenting
fraud risk
• Management explicitly considers potential fraud
schemes and scenarios or different frauds such as
fraudulent financial reporting, misappropriation of
assets, unauthorized or improper receipts and
expenditures, and fraud by senior management
• The level at which risk is considered (company-
wide, business unit and significant account) is
explicitly defined
• The level of likelihood of fraud (probable,
reasonably possible and remote) is defined
• The level of significance of fraud
(inconsequential, more than inconsequential or
material) is defined

8 Risk Assessment
Management considers significant business units
or significant processes in the fraud risk
9 Risk Assessment assessment.
Management reviews identified fraud risks with the
audit committee and seeks guidance from the
10 Risk Assessment audit committee on other associated risks.
The audit committee or board of directors
considers the potential for management override
of controls and its appropriate influence over the
11 Risk Assessment financial reporting process.

Source: www.knowledgeleader.com Page 1

Type of
deficiency
New/Changed Controls Controls Describe the basis for (Efficiency, Fin.
Does this control Describe specific activities, programs or controls in in current properly Control Documentation Test workpaper operating effectiveness conclusion (including Reporting, Management action plan to
# COSO Component Point of Focus/ Control Objective exist? place that satisfy the objective. year? designed? owner Test procedures reference reference effectively? evidence of operation) Deficiencies noted Compliance) address deficiencies

Management makes changes to the organization's

12 Control Activities processes to reduce or eliminate the risk of fraud.
Critical controls are identified to adequately
13 Control Activities address fraud risks.
On-going internal fraud communication programs
(e.g., posters, training seminars, conferences)
Information and exist and management and employees are
14 Communication required to participate in events as appropriate.

Communications to external parties regularly state

Information and the company's position on fraudulent activity and
15 Communication the potential consequences if fraud is detected.
Information and Training regarding code of ethics and other fraud
16 Communication areas exists and is effective.
Management considers the following related to
information system fraud risk:
(1) consider information technology in fraud risk
assessment,
(2) maintain adequate security and access
controls,
(3) employ information technology to prevent and
detect fraud or
Information and (4) have the ability to investigate computer misuse.
17 Communication
The audit committee or board of directors
evaluates management's identification of fraud
risks, implementation of antifraud measures, and
18 Monitoring the "tone-at-the-top".
Internal audit adequately addresses fraud risk in
19 Monitoring planning and executing the annual audit plan.
Internal auditors examine and evaluate the
adequacy of internal controls designed to reduce
fraud risk, or they conduct proactive auditing to
search for corruption, misappropriation of assets,
20 Monitoring and financial statement fraud.
Internal audit department includes knowledgeable
and experienced fraud professionals.
21 Monitoring
Management has implemented and continuously
monitors the operation of internal controls
22 Monitoring designed to mitigate the risk of fraud.
Management reports the results of internal reviews
of internal controls over financial reporting,
including noted instances of fraud, to the audit
23 Monitoring committee and external auditors.
A conflict of interest policy exists regarding
independence between employees and suppliers.
Violations of this policy are investigated.
24 Monitoring
Certified fraud examiners assist the audit
committee or board of directors with the fraud
25 Monitoring oversight process.

Source: www.knowledgeleader.com Page 2