Prevention
Lecture 3
Presented by Mr. Zuberi O.
Outline
• Accounting Systems & Internal Controls
◦ Introduction
◦ ITGCs
◦ Application controls
◦ COSO Controls
• Preventing Fraud
• Potential red flags and fraud detection techniques
• Fraud Auditing/Investigations
• Fraud Report
Activity....
An accounting system can be:
◦ Manual
◦ Computerized
The use of a computerized processing system impacts how the audit examination is planned and performed.
Issues Introduced in a
Computerized Environment
1. Input errors
2. Systematic vs. random processing
errors
3. Lack of an audit trail
4. Inappropriate access to computer files
and programs
5. Reduced human involvement in
processing transactions
Mod H-4
Impact of Computerized Processing on the
Evaluation of Internal Control
Phase          Effect(s)
Understanding  Understand and document controls related to computerized processing of transactions
Assessment     Consider controls related to computerized processing of transactions in the preliminary assessment of control risk
Testing        Identify, test, and evaluate the degree of compliance of controls related to computerized processing of transactions
Types of Computer Controls
General Controls
Relate to all applications of a computerized
processing system (pervasive)
Deficiencies will affect processing of various types
of transactions
Automated Application Controls
Relate to specific business activities
Directly address management
assertions
Categories of General Controls
1. Hardware controls
2. Program development controls
3. Program change controls
4. Computer operations controls
5. Access to programs and data controls
Hardware Controls
Provide reasonable assurance that data are not
altered or modified as transmitted through
system
“Built into” equipment by computer
manufacturer
Examples
◦ Parity check
◦ Preventative maintenance on equipment
Program Development Controls
• Acquisition and development of new
programs is properly authorized and
conducted with organization policies
• Appropriate users participate in process
• Programs and software are tested and
validated prior to use
• Programs and software have appropriate
documentation
Program Change Controls
• Modifications to existing programs are
properly authorized and conducted with
entity policies
• Appropriate users participate in process
• Programs are tested and validated prior to
use
• Programs have appropriate
documentation
• Additional controls related to “emergency”
change requests and migrating new
programs into operations
Computer Operations Controls
• Relate to processing of transactions and
backup and recovery of data
• Processing environments
◦ Batch processing: Similar transactions
collected and processed simultaneously
◦ Real-time processing: Transactions
processed as they occur without delay
Examples of Computer Operations
Controls
• Methods of resolving processing failures
• Separation of duties
◦ Systems analysts
◦ Programmers
◦ Computer operators
• Files and data
◦ Labels to ensure use of appropriate file
◦ Storage in remote, protected locations (disaster
recovery)
◦ Grandfather-father-son
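The grandfather-father-son rotation named above decides which backup copies must still exist on a given day. The following is an added illustration, not code from the slides or the textbook module; the retention periods (7 daily, 4 weekly, 12 monthly copies) and the use of ISO week numbers are assumptions for the example.

```python
"""Grandfather-father-son (GFS) backup retention (added example).

Assumed policy: daily copies ("sons") are kept for 7 days, the last copy of each
ISO week ("fathers") for 4 weeks, and the last copy of each month ("grandfathers")
for 12 months. Backups are identified by the date they were taken (ISO strings);
retained_backups() returns the dates the policy says must still be kept as of a
given day, which an operator can compare with the tapes actually on the shelf.
"""
from datetime import date, timedelta

DAILY_KEEP = 7      # sons
WEEKLY_KEEP = 4     # fathers
MONTHLY_KEEP = 12   # grandfathers


def daily_backups(first, last):
    """Constructed inventory: one backup per day from first to last inclusive."""
    start, end = date.fromisoformat(first), date.fromisoformat(last)
    return [(start + timedelta(days=i)).isoformat()
            for i in range((end - start).days + 1)]


def retained_backups(backup_days, today):
    """Return the subset of backup_days (ISO strings) retained under GFS as of today."""
    today_d = date.fromisoformat(today)
    backups = sorted(d for d in (date.fromisoformat(s) for s in backup_days)
                     if d <= today_d)
    keep = set()

    # Sons: every backup taken within the last DAILY_KEEP days
    for d in backups:
        if (today_d - d).days < DAILY_KEEP:
            keep.add(d)

    # Fathers: the last backup of each ISO week, for the last WEEKLY_KEEP weeks
    last_of_week = {}
    for d in backups:
        last_of_week[d.isocalendar()[:2]] = d      # later dates overwrite earlier ones
    for d in last_of_week.values():
        if (today_d - d).days < WEEKLY_KEEP * 7:
            keep.add(d)

    # Grandfathers: the last backup of each month, for the last MONTHLY_KEEP months
    def months_back(d):
        return (today_d.year - d.year) * 12 + (today_d.month - d.month)

    last_of_month = {}
    for d in backups:
        last_of_month[(d.year, d.month)] = d
    for d in last_of_month.values():
        if months_back(d) < MONTHLY_KEEP:
            keep.add(d)

    return {d.isoformat() for d in keep}


if __name__ == "__main__":
    inventory = daily_backups("2024-01-01", "2024-06-30")
    for day in sorted(retained_backups(inventory, "2024-06-30")):
        print(day)
```

Everything not in the returned set can be recycled; anything in the set that is missing from the media inventory is a gap in the disaster-recovery control.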
Access to Programs and Data
Controls
• Relate to restricting use of programs and
data to authorized users
• Examples
◦ Passwords
◦ Automatic terminal logoff
◦ Review access rights and compare to usage
(through logs)
◦ Report and communicate security breaches
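The third example, comparing granted access rights with actual usage in the logs, is the one most often skipped in practice. The following added example (not from the slides) shows the comparison on a constructed entitlement list and constructed log lines; the "YYYY-MM-DD user system action" log layout and the 90-day dormancy rule are assumptions.

```python
"""Reviewing access rights against usage recorded in logs (added example).

Two findings come out of the comparison:
  - dormant rights: granted but not exercised within DORMANT_DAYS, which are
    candidates for removal so that rights match what people actually do;
  - unauthorized use: activity on a system for which the user holds no right,
    i.e. access the control should have prevented and that must be explained.
"""
from datetime import date

DORMANT_DAYS = 90   # assumed review threshold

# Constructed entitlement list: (user, system) pairs approved by management
ACCESS_RIGHTS = {
    ("alice", "GL"),
    ("alice", "AP"),
    ("bob", "AP"),
    ("carol", "PAYROLL"),
}

# Constructed log lines in an assumed "YYYY-MM-DD user system action" layout
ACCESS_LOG = """\
2024-03-01 alice GL login
2024-05-20 alice GL post_journal
2024-05-21 bob AP approve_invoice
2024-05-22 dave AP approve_invoice
2024-05-23 alice PAYROLL run_payroll
"""


def parse_log(text):
    """Parse log lines into (day, user, system, action) tuples, skipping blanks."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        day, user, system, action = line.split()
        events.append((date.fromisoformat(day), user, system, action))
    return events


def review_access(rights, log_text, as_of):
    """Compare granted rights with observed usage as of an ISO date string."""
    as_of_day = date.fromisoformat(as_of)
    events = parse_log(log_text)

    # Most recent use of each (user, system) pair seen in the log
    last_used = {}
    for day, user, system, _ in events:
        key = (user, system)
        last_used[key] = max(day, last_used.get(key, day))

    dormant = sorted(
        key for key in rights
        if key not in last_used or (as_of_day - last_used[key]).days > DORMANT_DAYS
    )
    unauthorized = sorted({(user, system) for _, user, system, _ in events
                           if (user, system) not in rights})
    return {"dormant": dormant, "unauthorized": unauthorized}


if __name__ == "__main__":
    print(review_access(ACCESS_RIGHTS, ACCESS_LOG, "2024-06-01"))
```

The two lists answer different questions: dormant rights are a least-privilege clean-up, while unauthorized use is a security breach to report and communicate, which is the last control on the slide.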
General Controls and Assertions
Assertion    Explanation                                            Examples
Accuracy     Ensure accuracy of data and test computer programs     • Hardware controls
             prior to implementation                                • Program development controls
                                                                    • Program change controls
                                                                    • Computer operations controls
Occurrence   Restricting inappropriate access reduces the           • Computer operations controls
             probability of fictitious transactions                 • Access to programs and data controls
Application Controls:
1. Input Controls
• Provide reasonable assurance that
input is properly authorized and
accurately entered for processing
◦ All transactions input
◦ Transactions input once and only once
◦ Transactions input accurately
Examples of Input Controls
• Data entry and formatting
• Authorization and approval controls
• Check digits
• Record counts
• Batch totals
• Hash totals
• Valid character tests
• Valid sign tests
• Missing data tests
• Sequence tests
• Limit and reasonableness tests
• Error correction and resubmission
Summary of Input Controls
Control                             All transactions   Transactions         Input
                                    entered            entered only once    accurate
Data entry and formatting                                                   X
Check digits                                                                X
Record counts                       X                  X
Batch totals                        X                  X                    X
Hash totals                         X                  X                    X
Valid character test                                                        X
Valid sign tests                                                            X
Missing data tests                                                          X
Sequence tests                      X (one column; not legible in the slide)
Limit and reasonableness tests                                              X
Error correction and resubmission   X (one column; not legible in the slide)
Processing Controls
• Provide reasonable assurance that
◦ Transactions are processed accurately
◦ All transactions are processed
◦ Transactions are processed once and only once
• Examples
◦ Test processing accuracy of programs
◦ File and operator controls
◦ Run-to-run totals
◦ Control total reports
◦ Limit and reasonableness tests
◦ Error correction and resubmission
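Run-to-run totals and control total reports are the processing-stage counterpart of the batch totals used at input. The following added example (not from the slides) carries totals between processing runs over constructed records; the stage names, the record layout and the injected defect in the posting run are assumptions.

```python
"""Run-to-run totals with a control total report (added example).

Each processing run recomputes control totals (record count, amount total and a
hash total of account numbers) over the records it passes on and compares them
with the totals carried forward from the previous run. A record dropped or
altered between runs then surfaces as a mismatch at the run where it happened,
instead of as an unexplained difference in the final ledger.
"""


def control_totals(records):
    """Totals over (account, amount) tuples; the hash total has no business
    meaning but changes whenever an account number is lost or altered."""
    return {
        "count": len(records),
        "amount": round(sum(amount for _, amount in records), 2),
        "hash": sum(int(account) for account, _ in records),
    }


def run_pipeline(records, stages):
    """Apply each (name, function) stage in turn, reconciling totals between runs.

    Stages here only reformat or route records; none may create or discard them,
    so the totals carried in must equal the totals produced. Returns the final
    records and a control total report with one row per run."""
    report = []
    carried = control_totals(records)
    data = records
    for name, run in stages:
        data = run(data)
        produced = control_totals(data)
        report.append({"run": name, "carried_in": carried,
                       "produced": produced, "reconciles": produced == carried})
        carried = produced
    return data, report


def failed_runs(report):
    """Names of the runs whose output did not reconcile with what was carried in."""
    return [row["run"] for row in report if not row["reconciles"]]


# Constructed input: (account, amount)
SAMPLE = [("1001", 250.00), ("1002", 12000.00), ("1003", 75.50)]


def edit_run(records):
    """Pass-through edit run: normalises formatting without changing content."""
    return [(account.strip(), round(amount, 2)) for account, amount in records]


def posting_run_defective(records):
    """Constructed defect: a filter meant only to flag large items silently drops
    them, so the posted file is one record short."""
    return [(account, amount) for account, amount in records if amount <= 10000]


def posting_run_fixed(records):
    """Corrected posting run: large items are flagged elsewhere but still posted."""
    return [(account, amount) for account, amount in records]


if __name__ == "__main__":
    _, report = run_pipeline(SAMPLE, [("edit", edit_run),
                                      ("post", posting_run_defective)])
    for row in report:
        print(row["run"], "OK" if row["reconciles"] else "MISMATCH", row["produced"])
```

The report row for the defective posting run shows a carried-in count of 3 against a produced count of 2, which localises the loss to that run; with the corrected posting run every row reconciles.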
Output Controls
• Provide reasonable assurance that
◦ Output reflects accurate processing
◦ Only authorized persons receive output or
have access to files generated from processing
• Examples
◦ Review of output for reasonableness
◦ Control total reports
◦ Master file changes
◦ Output distribution limited to appropriate
person(s)
Computer Abuse/Fraud
• Use of computer technology by
perpetrator to achieve gains at the
expense of a victim
• Controls
◦ Preventative: Stop fraud from entering system
◦ Detective: Identify fraud when it enters
system
◦ Damage-limiting: Reduce monetary impacts of
fraud and control to specified levels
Section II
FIGHTING FRAUD
Learning Objectives
• Become familiar with the different ways that
organizations can fight fraud.
• Understand the importance of fraud prevention.
• Understand how to create a culture of honesty and high
ethics.
• Understand why hiring the right kind of employees can
greatly reduce the risk of fraud.
• Understand how to assess and mitigate the risk of
fraud.
• Know different ways to investigate fraud
• Be familiar with legal actions to take once fraud is
discovered
Learning Objectives
• Understand the importance of early fraud
detection.
• Understand different approaches to fraud
investigation.
• Be familiar with the different options for
legal action that can be taken once fraud
has occurred.
How Organizations Fight Fraud
Organizations fight fraud by implementing:
1. Fraud prevention
2. Early fraud detection
3. Fraud investigation
4. Follow-up legal action and/or resolution
Remember this ...
There are four fraud-fighting activities that organizations can use: (1) fraud prevention, (2) proactive fraud detection methods, (3) fraud investigation once fraud is suspected, and (4) legal follow-up of fraud perpetrators. Many organizations focus on the last two, which are the most costly and least effective. An overview of these four fraud-fighting activities is given in this chapter.
Fraud Prevention
• Fraud prevention is the most cost-
effective way to reduce fraud
• Involves two fundamental activities:
◦ Sustain a culture of honesty and high
ethics
◦ Assess the risks for fraud, develop concrete
responses to mitigate the risks, and
eliminate the opportunities for fraud
Fraud Prevention
Sustain a Culture of Honesty & High
Ethics
Five critical elements:
1. Have top management model appropriate
behavior
2. Hire the right kind of employees
3. Communicate expectations and require
periodic written acceptance to the
expectations
4. Create a positive work environment
5. Enforce policies for handling fraud
Fraud Prevention
• Tone at the Top (Proper Modeling)
• Research on Why People Lie
◦ Have fear of punishment or adverse
consequences
◦ Have a habit of lying
◦ Seen others lie or have had negative modeling
◦ Feel if they tell the truth they won’t get what
they want
Fraud Prevention
Employees
Proactive hiring procedures
include:
Background investigations
References
Tests for honesty
Fraud Prevention
• Communicating Expectations
1. Identify and codify appropriate values
and ethics
2. Training employees in fraud awareness
3. Communicating consistent expectations
about punishment of violators
Fraud Prevention
Environment
• Fraud occurs less frequently
when employees have
◦ Positive feelings about an
organization
◦ A sense of ownership in the
organization
Fraud Prevention
• Proper Handling of Fraud and Fraud
Perpetrators
• Ensure that
◦ Facts are investigated thoroughly
◦ Firm and consistent actions are taken against
perpetrators
◦ Risks and controls are assessed and improved
◦ Communication and training are ongoing
Fraud Prevention
Eliminate Fraud Opportunities
Organizations should:
1. Identify and measure fraud risks
2. Implement preventative and detective
controls
3. Create widespread monitoring by
employees
4. Have internal and external auditors
Early Fraud Detection
• Three Primary Ways to Detect Fraud
1. By chance
2. By providing “whistle-blowing” systems
3. By data mining
Remember this ...
Fraud detection involves activities to determine whether or not it is likely that fraud is occurring. Fraud detection allows companies to identify suspicions or predications of fraud. Historically, most frauds were caught by chance. In recent years, two major proactive fraud detection developments have occurred: (1) installing hotlines or whistle-blower systems and encouraging employees and others to report any suspicious activity they see and (2) mining various databases looking for unusual trends, numbers, relationships, or other anomalies that could indicate fraud.
Early Fraud Detection
• Whistle-blowing Systems
◦ A reporting hotline or online system that
allows others to call in or submit an
anonymous tip of a fraud suspicion
• Examples:
◦ Internal systems/hotlines
◦ The Association of Certified Fraud Examiners
◦ Allegience
Early Fraud Detection
• Mining Company Databases
◦ Mining databases for suspicious
trends, numbers, and other
anomalies.
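What "mining databases for suspicious trends, numbers, and other anomalies" looks like in practice is a set of queries over transaction data, each of which produces leads rather than conclusions. The following added example (not from the slides or the textbook) runs three such tests over a constructed accounts-payable table; the table layout, the approval limit, the near-limit band and the z-score cutoff are assumptions.

```python
"""Mining a payments table for anomalies (added example).

Tests run over constructed accounts-payable rows:
  1. duplicate payments: same vendor, invoice number and amount;
  2. threshold hugging: a vendor with repeated payments just below the approval
     limit, which is what splitting to avoid a second approval looks like;
  3. outliers: a payment far above the vendor's usual amount (z-score).
A hit is a lead that needs follow-up, not a conclusion that fraud occurred.
"""
from collections import defaultdict
from statistics import mean, pstdev

APPROVAL_LIMIT = 5000.00   # assumed: amounts at or above this need a second approval
NEAR_BAND = 0.05           # within 5% below the limit counts as "hugging" it

# Constructed rows: (payment_id, date, vendor, invoice, amount)
PAYMENTS = [
    ("P1",  "2024-04-02", "Acme Supplies",  "INV-100", 1200.00),
    ("P2",  "2024-04-09", "Acme Supplies",  "INV-100", 1200.00),  # repeats P1
    ("P3",  "2024-04-10", "Acme Supplies",  "INV-101", 1350.00),
    ("P4",  "2024-04-11", "Blue Ridge Ltd", "B-7",     4950.00),  # just under limit
    ("P5",  "2024-04-18", "Blue Ridge Ltd", "B-8",     4975.00),  # just under limit
    ("P6",  "2024-04-25", "Blue Ridge Ltd", "B-9",     4990.00),  # just under limit
    ("P7",  "2024-05-01", "Acme Supplies",  "INV-102", 1100.00),
    ("P8",  "2024-05-06", "Acme Supplies",  "INV-103", 1250.00),
    ("P9",  "2024-05-13", "Acme Supplies",  "INV-104", 1180.00),
    ("P10", "2024-05-20", "Acme Supplies",  "INV-105", 1320.00),
    ("P11", "2024-05-27", "Acme Supplies",  "INV-106", 9800.00),  # far above Acme's norm
]


def duplicate_payments(rows):
    """Groups of payment ids sharing vendor, invoice number and amount."""
    seen = defaultdict(list)
    for pid, _, vendor, invoice, amount in rows:
        seen[(vendor, invoice, round(amount, 2))].append(pid)
    return [ids for ids in seen.values() if len(ids) > 1]


def threshold_hugging(rows, limit=APPROVAL_LIMIT, band=NEAR_BAND, min_hits=3):
    """Vendors with at least min_hits payments in the band just below the limit."""
    hits = defaultdict(list)
    for pid, _, vendor, _, amount in rows:
        if limit * (1 - band) <= amount < limit:
            hits[vendor].append(pid)
    return {vendor: ids for vendor, ids in hits.items() if len(ids) >= min_hits}


def amount_outliers(rows, z_cutoff=2.0, min_payments=4):
    """Payments more than z_cutoff standard deviations above the vendor's mean;
    vendors with too few payments for a meaningful spread are skipped."""
    by_vendor = defaultdict(list)
    for pid, _, vendor, _, amount in rows:
        by_vendor[vendor].append((pid, amount))
    flagged = []
    for items in by_vendor.values():
        if len(items) < min_payments:
            continue
        amounts = [amount for _, amount in items]
        mu, sigma = mean(amounts), pstdev(amounts)
        if sigma == 0:
            continue
        flagged += [pid for pid, amount in items if (amount - mu) / sigma > z_cutoff]
    return flagged


if __name__ == "__main__":
    print("duplicates:", duplicate_payments(PAYMENTS))
    print("threshold hugging:", threshold_hugging(PAYMENTS))
    print("outliers:", amount_outliers(PAYMENTS))
```

Each function returns payment ids so the leads can be pulled with their supporting documents; whether any of them is a predication of fraud is decided in the investigation step that follows, not by the query.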
Fraud Investigation
• Fraud investigation should occur only if a
predication of fraud exists.
• Predication refers to the circumstances,
taken as a whole, that would lead a
reasonable, prudent professional to
believe a fraud has occurred, is occurring,
or will occur.
Fraud Investigation
Considerations before
investigating fraud:
◦ Need management’s
approval
◦ Pursued only when
predication exists
◦ Investigators rely heavily on
interviews
Fraud Investigation
• Testimonial Evidence
◦ Evidence gathered from individuals
• Techniques:
◦ Interviewing
◦ Interrogation
◦ Honesty tests
Fraud Investigation
• Documentary Evidence
• Gathered from paper, computers, and other written or
printed sources
• Techniques:
◦ Document examination
◦ Data mining
◦ Public records searches
◦ Audits
◦ Computer searches
◦ Net worth calculations
◦ Financial statement analysis
◦ Corporate databases
◦ E-mail servers
Fraud Investigation
• Physical Evidence
◦ Fingerprints
◦ Tire marks
◦ Weapons
◦ Stolen property
◦ Identification numbers
◦ Marks on stolen objects
◦ Other tangible evidence
• Techniques:
◦ Forensic analysis by
experts
Fraud Investigation
• Personal Observation
◦ Evidence that is sensed (seen, heard, felt, etc.)
by the investigators
• Techniques:
◦ Invigilation
◦ Surveillance
◦ Covert operations
Fraud Investigation
• The Fraud Element Triangle: Theft Act
• Catch perpetrators in the embezzlement act
or to gather information about the actual
theft acts
• The Fraud Element Triangle: Concealment
• Focus on records, documents, computer
programs and servers, and other places
where perpetrators conceal or hide their
dishonest acts
Fraud Investigation
• The Fraud Element Triangle: Conversion
• Focus on how perpetrators spent or used
their stolen assets.
Conducting a Fraud Investigation
1. Undertaken only to “establish the truth”
2. Experienced and objective investigators
3. Confidentiality
4. Need to know
5. Evidence independently corroborated
6. No questionable investigative techniques
7. Fair and objective communication
Follow-Up Legal Action
• Organizations face the options to...
◦ take no legal action
◦ pursue civil remedies, and/or
◦ pursue criminal action against the
perpetrators
Follow-Up Legal Action
• No Legal Action
• What are consequences of taking no legal
action?
Follow-Up Legal Action
• Civil Action
◦ To recover money or other assets taken
• Quite rare with employee fraud - most of
the money is spent
• More common when other organizations
are involved
◦ May sue the auditors or others with
“deep pockets”
Follow-Up Legal Action
• Criminal Action
◦ Can only be brought by law enforcement agencies
◦ Usually involves fines, prison terms, or both
◦ More difficult to get a criminal conviction
than a judgment in a civil case
Fraud Report
• Once the investigation is completed, a fraud
report is prepared.
• This report includes all findings, conclusions,
recommendations, and corrective actions
taken.
• The report indicates all pertinent facts
uncovered relative to the who, what, where,
when, how, and why of the fraud. It also
includes recommendations for control
improvements that will minimize exposure
to similar occurrences in the future.
Characteristics of a good Fraud
report
◦ Objective
◦ Factual
◦ Unbiased
◦ Free from distortion
◦ The general tone of the fraud report is neither
accusatory nor conclusive as to guilt.
◦ It should not contain recommendations for
disciplinary or legal action against anyone
suspected
DIY
• Appendix 10B of Chapter 10 gives details
about the fraud report
ANY QUESTIONS
THANKS