
Fraud risk assessment methodologies

EXPERT RESPONSE FROM: Shon Harris, past SearchSecurity.com expert

QUESTION POSED ON: 27 April 2006
We are performing a security and fraud risk assessment. Are there any methodologies you recommend?

First, it's important to understand that the audit committee's primary role is to address fraud risk levels, determine the level of risk posed by management if they override the organization's internal controls, and ultimately prevent this type of behavior.

The following are common types of management fraud:

  1. Premature revenue recognition or the creation of fictitious revenue.
  2. Overstating assets
  3. Misrepresenting expenses and liabilities

Below is a three-part checklist containing questions that relate to three specific factors that can increase management risk levels: incentives, opportunities and attitude. Understanding these factors can help auditors develop ways to prevent and respond to management override of internal controls. Keep in mind, a "yes" does not mean fraud has occurred, but it's a strong indication that it has or will occur. It also helps the audit committee understand how to handle the situation appropriately.

Questions to ask regarding incentives, to gauge the level of pressure management may be under that would lead them to override internal controls.

  1. Is the organization financially stable or is the profitability threatened by conditions in the industry, economy or operating practices of the organization?
  2. Do outside parties pressure management to meet requirements connected to reporting negative financial results? Do they pressure management to provide other information that is contrary to the scenarios the organization truly faces?
  3. Is their personal financial situation directly affected by the financial strength and performance of the organization? Is their personal financial situation/compensation significantly affected or contingent upon achieving certain target goals?
  4. Are they pressured to meet target goals, including profitability, budgets or publicized projections?
  5. Are earnings expected to be handled in a manner that places pressure on lower level personnel to meet the expectations of those above them?
  6. Do lower level personnel believe there will be consequences if they fail to exceed or reach target goals?

Opportunities that can be exploited by management

  1. Is there an inherent opportunity in the way the organization conducts its operations that could or would be conducive to fraudulent behavior or fraudulent financial reporting?
  2. Are unrealistic or greatly inconsistent statistics used in lieu of actual results to create and report financial projections for the organization?
  3. Have monitoring management practices and activities been ineffective? Is there a likelihood of internal control override? Does the complexity of the organization lead to a confusing and convoluted structure that creates instabilities?
  4. Does inadequate monitoring result in deficient internal controls?
  5. Have the apparent skill sets and capabilities of the accounting and finance units led you to believe that they need major improvement?

Attitudes exhibited by management

  1. Is it apparent that management is not upholding ethical standards?
  2. Is non-financial management excessively involved with determining accounting principles and projections in a manner that would create significant estimates?
  3. Has there been a known history of disregard or violation of laws and regulations?
  4. Have they demonstrated an excessive interest in increasing the organization's stock price or earnings?
  5. Does the management have a trend of committing to the goals of creditors, analysts or other third parties to achieve their unrealistic goals or aggressive forecasts?
  6. Has management failed to correct reportable conditions on a timely basis, either in the past or during this current yearly audit?
  7. Does management use inappropriate means and methods to minimize reported earnings for tax-related reasons?
  8. Has management tried to justify marginal and inappropriate accounting?
  9. Have relations between auditors been strained as a result of frequent disputes, demands, restrictions or domineering management behavior?
  10. Have they failed to identify or monitor business risks in a timely and appropriate manner?
  11. Do they hesitate to address issues that result from potentially adjusted or affected financial statements?
  12. Is a less than professional and diligent attitude pervasive among management, independent auditors and internal auditors when discussing the organization's internal controls and anti-fraud elements?
  13. Given the audit committee's knowledge of how the organization and industry operate, are reports from management's financial discussions/analysis and results of operations in great disagreement or inconsistent with one another?

For more anti-fraud resources, visit:

  • http://www.aicpa.org/antifraud/homepage.htm

The following resources also provide steps for carrying out a fraud assessment:

  • www.community.nsw.gov.au/documents/fraud_risk_guideto.pdf
  • etd.lib.fsu.edu/theses/available/etd-04062004-221318/unrestricted/02CarpenterDissertation.pdf

For a course on how to conduct a fraud risk assessment:

  • http://www.misti.com/default.asp?Page=10&Type=3&pcID=5278&eID=2857&More=

For a book with checklists on conducting a fraud risk assessment, visit:

  • http://www.wiley.com/WileyCDA/WileyTitle/productCd-0471481688.html

All Rights Reserved, Copyright 2003 - 2009, TechTarget