Fraud Risk Checklist: A Guide for Assessing the Risk of Internal Fraud

Gary A. Rubin
Director of Finance
Accretive Health, Inc.

the source for financial solutions
200 Campus Drive, Box 674
Florham Park, New Jersey 07932-0674
an affiliate of financial executives international

TABLE OF CONTENTS

Purpose
Introduction
Sources and Acknowledgements
Identifying potential risk factors for misstatements arising from fraudulent financial reporting (Items No. 1 to 48)
Identifying potential risk factors for misappropriation of assets (Items No. 1 to 15)
About the Author and Financial Executives Research Foundation, Inc.

PURPOSE

The purpose of this Checklist is to provide both the board of directors and management with a series of questions to ask that can help in assessing the risk of fraud.
It also provides a possible structure for management to use in documenting its thought process and conclusions.

INTRODUCTION

An integral part of complying with the requirements of Section 404 of the Sarbanes-Oxley Act of 2002 is evaluating whether a company has developed sufficient internal controls associated with fraud and management override. The evaluation of the potential for fraud is specifically included within the COSO framework of internal control.

The first part of any efficient evaluation of internal control is the assessment of the relative exposures or risks of a situation occurring. While this type of risk assessment is a routine skill for auditors, many members of management are not familiar with the concept. This Checklist provides both the board of directors and management with a series of questions to ask that can help in assessing the risk of fraud.
It also provides a possible structure for management to use in documenting its thought process and conclusions.

The questions included in this Checklist were developed by reviewing readily available literature on the subject of financial fraud. The principal source documents include those listed under Sources and Acknowledgements.

The broad definition of fraud is an intentional act to gain an unfair or unlawful advantage or gain. Fraud can include:

- Fraudulent financial reporting - Many fraudulent financial reporting schemes arise from improper revenue recognition. Other frauds typically involve an overstatement of assets or an understatement of liabilities.
- Misappropriation of assets - External and internal schemes, such as embezzlement, payroll fraud and theft.
- Revenues or assets gained by illegal or unethical acts - Over-billing customers, or deceptive sales practices.
- Expenditures for improper purpose - Commercial and public bribery, as well as other improper payment schemes.
- Fraudulently obtained revenue or inappropriately avoided expenses - Schemes where an entity commits a fraud against its employees or third parties, or when an entity improperly avoids expenses, such as income or sales taxes.
- Frauds against the company - Producing counterfeit products or knowingly violating intellectual property rights.

Fraudulent financial reporting is a primary focus of the Sarbanes-Oxley Act. However, the definition of internal control over financial reporting also encompasses the preservation of assets. Therefore, this Checklist focuses only on these two types of fraud. While the other categories of fraud can be equally damaging to a company's reputation, and could invoke significant negative financial consequences, they are outside the scope of this Checklist.
To be most effective, the fraud risk assessment should be conducted by individuals with significant business experience and a broad understanding of the entity and its operations. Assessments are often most effective when completed by a multi-functional team. Furthermore, it is often beneficial if the evaluation is completed at different levels within an organization. For example, the board of directors may want the chief internal auditor to evaluate the risks at an overall company level. On the other hand, the corporate controller may be interested in completing an evaluation on a particular subsidiary or operating group. In such situations, the term company should be construed to refer to the subsidiary, division or operating entity being evaluated.

SOURCES AND ACKNOWLEDGEMENTS

The principal source for the information included in the foregoing discussion was publicly available information included on the internet, particularly on the web sites of the following organizations:

- Deloitte Touche Tohmatsu
- PricewaterhouseCoopers
- KPMG, LLP and its affiliate, The 404 Institute
- Ernst & Young
- Crowe Chizek and Company, LLC
- The American Institute of Certified Public Accountants
- The Committee of Sponsoring Organizations of the Treadway Commission
- Parsons Consulting
- Protiviti
- Marsh & McLennan Companies
- Resources Global Professionals

Specific documents that listed individual risk factors include:

- Management Override of Internal Controls - the Achilles' Heel of Fraud Prevention; The American Institute of Certified Public Accountants
- Management Anti-Fraud Programs and Controls, an excerpt of Statement of Auditing Standards No. 99; The American Institute of Certified Public Accountants
- Fraud Risk Assessments - A Common Sense Approach; Marsh and McLennan Companies
- The Good Practice Guidelines for Assessing the Risk of Fraudulent Financial Reporting; The National Commission on Fraudulent Financial Reporting
- Key Elements of Anti-Fraud Programs and Controls; PricewaterhouseCoopers
- Excerpts from The CPA's Handbook of Fraud and Commercial Crime Prevention; The American Institute of Certified Public Accountants
- Anti-Fraud Programs and Controls; Deloitte & Touche
- Identifying Fraudulent Financial Transactions; W. Steven Albrecht, CPA, CIA, CFE, Brigham Young University
- Auditing for Internal Fraud; Michael Connelley, CFE, CPA
- Managing the Risk of Fraud, a Guide for Managers; HM Treasury
- Fraud Risk Management, Developing a Strategy for Prevention, Detection, and Response; KPMG, LLP

The questions and risk factors included in the foregoing discussion do not include every matter mentioned in each of the above documents. Many documents contained similar risks, differing only slightly in wording or emphasis.

Checklist columns: Item No. | Identifying potential risk factors for misstatements arising from fraudulent financial reporting | Comments and observations, the likelihood and severity of the risk | Work paper reference to identified risk | Control(s) identified to mitigate the identified risk | Conclusions as to the relative residual exposure after application of the identified control(s)

1. Are there circumstances that might foster the temptation to engage in fraudulent financial reporting? Possible factors include:

- A significant portion of management's compensation results from bonuses, stock options, or other incentives, the value of which is contingent upon the entity achieving unduly aggressive targets for operating results, financial position, or cash flow.
- The company will be unable to consummate a significant pending transaction, such as a business combination or contract award, if poor financial results are reported.
- A management practice of committing to analysts, creditors, and other third parties to achieve what appear to be unduly aggressive or clearly unrealistic forecasts.
- The company's profitability is below industry standards or analyst expectations, and there is significant pressure to report improved results.
- The company is experiencing a poor or deteriorating financial position, and management has personally guaranteed significant debt.
- There are threats of imminent bankruptcy, foreclosure, or a hostile takeover.
- There is uncertainty as to the status of the company's significant business contracts, licenses, patents or other intellectual property.
- The company is especially vulnerable to changes in interest rates, energy costs, or other commodities that fluctuate in price.
- The company will need to report adverse financial results as a result of a significant recent transaction, such as a merger or acquisition.

2. Is there an unusual amount of interest in maintaining or increasing the entity's stock price or earnings trend? On the other hand, is there an unusual amount of interest in minimizing reported earnings for tax-motivated reasons? If either situation is a possibility, consider if the company is using unusually aggressive accounting practices.

3. What is senior management's attitude regarding internal control and the financial reporting process? Examples of potentially inappropriate behaviors include:

- An ineffective means of communicating and supporting the entity's values or ethics, or communication of inappropriate values or ethics.
- Management failing to correct known internal control deficiencies on a timely basis.
- Management setting unduly aggressive financial targets and expectations for operating personnel.