Fraud Risk Checklist:
A Guide for Assessing the Risk of Internal Fraud
Gary A. Rubin
Director of Finance
Accretive Health, Inc.
the source for financial solutions
200 Campus Drive
P.O. Box 674
Florham Park, New Jersey 07932-0674
www.ferf.org
an affiliate of financial executives international
TABLE OF CONTENTS
Purpose ........ 1
Introduction ........ 1
Sources and Acknowledgements ........ 3
Identifying potential risk factors for misstatements arising from fraudulent financial reporting (Items No. 1 to 48) ........ 4
Identifying potential risk factors for misappropriation of assets (Items No. 1 to 15) ........ 14
About the Author and Financial Executives Research Foundation, Inc. ........ 16
Purpose
The purpose of this checklist is to provide both the board of directors and
management with a series of questions to ask that can help in assessing the risk
of fraud. It also provides a possible structure for management to use in
documenting its thought process and conclusions.
INTRODUCTION
An integral part of complying with the requirements of Section 404 of the
Sarbanes-Oxley Act of 2002 is evaluating whether a company has developed
sufficient internal controls associated with fraud and management override. The
evaluation of the potential for fraud is specifically included within the COSO
framework of internal control.
The first part of any efficient evaluation of internal control is the assessment of
the relative exposures or risks of a situation occurring. While this type of risk
assessment is a routine skill for auditors, many members of management are not
familiar with the concept. This checklist provides both the board of directors and
management with a series of questions to ask that can help in assessing the risk
of fraud. It also provides a possible structure for management to use in
documenting its thought process and conclusions.
The questions included in this checklist were developed by reviewing readily
available literature on the subject of financial fraud. The principal source
documents include those listed under “Sources and Acknowledgements.”
The broad definition of fraud is “an intentional act to gain an unfair or unlawful
advantage or gain”. Fraud can include:
• Fraudulent financial reporting – Many fraudulent financial reporting
  schemes arise from improper revenue recognition. Other frauds typically
  involve an overstatement of assets or an understatement of liabilities.
• Misappropriation of assets – External and internal schemes, such as
  embezzlement, payroll fraud and theft.
• Revenues or assets gained by illegal or unethical acts – Over-billing
  customers, or deceptive sales practices.
• Expenditures for improper purpose – Commercial and public bribery, as
  well as other improper payment schemes.
• Fraudulently obtained revenue or inappropriately avoided expenses – Schemes
  where an entity commits a fraud against its employees or third
  parties, or when an entity improperly avoids expenses, such as income or
  sales taxes.
• Frauds against the company – Producing counterfeit products or
  knowingly violating intellectual property rights.
Fraudulent financial reporting is a primary focus of the Sarbanes-Oxley Act.
However, the definition of internal control over financial reporting also
encompasses the preservation of assets. Therefore, this checklist focuses only
on these two types of fraud. While the other categories of fraud can be equally
damaging to a company’s reputation, and could invoke significant negative
financial consequences, they are outside the scope of this checklist.
To be most effective, the fraud risk assessment should be conducted by
individuals with significant business experience and a broad understanding of the
entity and its operations. Assessments are often most effective when completed
by a multi-functional team. Furthermore, it is often beneficial if the evaluation is
completed at different levels within an organization. For example, the board of
directors may want the chief internal auditor to evaluate the risks at an overall
company level. On the other hand, the corporate controller may be interested in
completing an evaluation on a particular subsidiary or operating group. In such
situations, the term “company” should be construed to refer to the subsidiary,
division or operating entity being evaluated.
SOURCES AND ACKNOWLEDGEMENTS
The principal source for the information included in the foregoing discussion was
publicly available information included on the internet, particularly on the web
sites of the following organizations:
• Deloitte Touche Tohmatsu
• PricewaterhouseCoopers
• KPMG, LLP and its affiliate, The 404 Institute
• Ernst & Young
• Crowe Chizek and Company, LLC
• The American Institute of Certified Public Accountants
• The Committee of Sponsoring Organizations of the Treadway Commission
• Parsons Consulting
• Protiviti
• Marsh & McLennan Companies
• Resources Global Professionals
Specific documents that listed individual risk factors include:
• Management Override of Internal Controls – the Achilles’ Heel of Fraud
  Prevention; The American Institute of Certified Public Accountants
• Management Anti-Fraud Programs and Controls, an excerpt of Statement
  of Auditing Standards No. 99; The American Institute of Certified Public
  Accountants
• Fraud Risk Assessments—A Common Sense Approach; Marsh and
  McLennan Companies
• The Good Practice Guidelines for Assessing the Risk of Fraudulent
  Financial Reporting; The National Commission on Fraudulent Financial
  Reporting
• Key Elements of Anti-fraud Programs and Controls; PricewaterhouseCoopers
• Excerpts from The CPA’s Handbook of Fraud and Commercial Crime
  Prevention; The American Institute of Certified Public Accountants
• Anti-fraud Programs and Controls; Deloitte & Touche
• Identifying Fraudulent Financial Transactions; W. Steven Albrecht, Ph.D.,
  CPA, CIA, CFE, Brigham Young University
• Auditing for Internal Fraud; Michael Connelley, CFE, CPA
• Managing the Risk of Fraud, a Guide for Managers; HM Treasury
• Fraud Risk Management, Developing a Strategy for Prevention, Detection,
  and Response; KPMG, LLP
The questions and risk factors included in the foregoing discussion do not include
every matter mentioned in each of the above documents. Many documents
contained similar risks, differing only slightly in wording or emphasis.
Identifying potential risk factors for misstatements arising
from fraudulent financial reporting
For each item, the checklist provides columns for: Comments and observations (e.g., the likelihood and severity of the risk); Work paper reference to identified risk; Control(s) identified to mitigate the identified risk; and Conclusions as to the relative residual exposure after application of the identified control(s).
1. Are there circumstances that might foster the temptation to
engage in fraudulent financial reporting? Possible factors
include:
• A significant portion of management’s compensation
  results from bonuses, stock options, or other
  incentives, the value of which is contingent upon the
  entity achieving unduly aggressive targets for
  operating results, financial position, or cash flow.
• The company will be unable to consummate a
  significant pending transaction, such as a business
  combination or contract award, if poor financial
  results are reported.
• A management practice of committing to analysts,
  creditors, and other third parties to achieve what
  appear to be unduly aggressive or clearly unrealistic
  forecasts.
• The company’s profitability is below industry
  standards or analyst expectations, and there is
  significant pressure to report improved results.
• The company is experiencing a poor or deteriorating
  financial position, and management has personally
  guaranteed significant debt.
• There are threats of imminent bankruptcy,
  foreclosure, or a hostile takeover.
• There is uncertainty as to the status of the company’s
  significant business contracts, licenses, patents or
  other intellectual property.
• The company is especially vulnerable to changes in
  interest rates, energy costs, or other commodities that
  fluctuate in price.
• The company will need to report adverse financial
  results as a result of a significant recent transaction,
  such as a merger or acquisition.
2. Is there an unusual amount of interest in maintaining or
increasing the entity’s stock price or earnings trend? On the
other hand, is there an unusual amount of interest in
minimizing reported earnings for tax-motivated reasons? If
either situation is a possibility, consider if the company is using
unusually aggressive accounting practices.
3. What is senior management’s attitude regarding internal
control and the financial reporting process? Examples of
potentially inappropriate behaviors include:
• An ineffective means of communicating and
  supporting the entity’s values or ethics, or
  communication of inappropriate values or ethics.
• Management failing to correct known internal control
  deficiencies on a timely basis.
• Management setting unduly aggressive financial
  targets and expectations for operating personnel.
4. Are there enough accounting and financial or information-technology
staff to meet the company’s requirements? Is the
existing staff effective, and do they have appropriate training
and skills?
5. What is the nature of the corporate governance system?
Common components of good corporate governance systems
are:
• An independent audit committee
• Employee hotlines
• Code of corporate conduct
• Policies that prohibit retaliatory actions against
  employees who provide information on suspected
  violations of company directives
6. Do management attitudes support effective financial reporting?
Examples of a lack of support include:
• Non-financial management’s excessive participation
  in, or preoccupation with, the selection of accounting
  principles or the determination of significant
  estimates.
• Financial reports do not provide full transparency to
  readers, e.g., they are unduly complex or hard to
  understand.
7. Has any new computer hardware or software been installed
recently? More sophisticated systems may not be fully
understood by all parties, allowing some individuals to conceal
inappropriate activities.
8. How does the company’s financial and operational
performance compare with industry norms? Is the company
undergoing unusually rapid growth in income or profitability?
9. What is the typical tenure of senior management, outside legal
counsel, or board members? High turnover can indicate
problems.
10. Are there positive relationships between the company and its
outside advisors, such as bankers or legal counsel?
11. Are there any significant relationships with vendors or
customers that seem unusual or questionable? Does the
company have an ongoing program to review vendor and
customer “quality”?
12. Have there been any new accounting, statutory, or regulatory
requirements issued that could impair the financial stability or
profitability of the company?
13. Is there a positive relationship with the Internal Revenue
Service or similar taxing authorities, as well as with other
regulatory bodies? The existence of significant disputes or
strained relationships with these parties could be an indicator
that the company is not conducting its affairs in a positive
fashion.
14. What is the nature of the relationship with the current or
predecessor auditor? Examples of matters that indicate a higher
risk include:
• Frequent disputes with the current or predecessor
  auditor on accounting, auditing, or reporting matters.
• Unreasonable demands on the auditor, including
  unreasonable time constraints regarding the
  completion of the audit or the issuance of the
  auditor’s reports.
• Formal or informal restrictions on the auditor that
  inappropriately limit his or her access to people or
  information or his or her ability to communicate
  effectively with the board of directors or audit
  committee.
• Domineering management behavior in dealing with
  the auditor, especially involving attempts to influence
  the scope of the auditor’s work.
15. Does the company have any significant operations in highly
competitive industries or those with a great deal of market
saturation? Have there been declines in its margins and/or other
profitability measures?
16. Are there significant operations in industries with increasing
business failures or declines in customer demand?
17. What is the level of integrity, both in the corporate culture as a
whole, and as manifested by specific individuals? A low level
of integrity may be indicated by:
• Known history of securities-law violations, or claims
  against the entity, members of its board of directors,
  or its senior management, alleging fraud or violations
  of securities laws.
• Known history of violations of other laws and
  regulations by members of senior management.
• Management exhibits a disregard or excessive
  casualness toward complying with laws and
  regulations.
• Management or board members who are associated
  currently, or in the past, with companies or
  individuals of questionable character.
18. Have there been any changes in the methodology of developing
or calculating significant accounting estimates, especially when
the new methodology results in significantly different results
from the previous methodology?
19. Are there significant operations in industries undergoing rapid
changes? Such circumstances can result in a high vulnerability
to rapidly changing technology or rapid product obsolescence,
both of which can result in earnings pressure. Furthermore, this
environment can cause sudden declines in asset values that
need to be recognized in the financial statements.
20. Does a significant part of current-year earnings arise from one
or two transactions, or from changes in accounting estimates?
21. Are operating cash flow and earnings from operations in line
with each other? Instances of companies that are not generating a
positive cash flow from operations, even if they report earnings
and/or earnings growth, are common indicators that financial
disclosures may be inappropriate.
22. How does the company discipline employees, if any, who
violate company policies or otherwise engage in unacceptable
practices? Have these methods been effective in the past?
23. Does the company develop and follow regular plans and
budgets? Consistently operating in a crisis mode is often a sign
of problems.
24. Have there been any significant changes in operations, such as
the introduction of new production processes? Difficulties in
implementing new operations may motivate individuals to hide
poor results by manipulating other parts of the financials.
25. Are strong accounting systems in place? Weak accounting
systems can arise for several reasons, including rapid growth in
business volume or complexity, which has not been matched by
increasing sophistication or capabilities in the accounting
systems.
26. Is the turnover in the company’s accounting staff consistent
with prior years and with other companies in the industry and
the local economy? If new staff members consistently resign
shortly after starting, this could indicate that the company is not
conducting its affairs in an ethical manner.
27. Has the company introduced new production processes or new
marketing programs? If these processes or programs involve
unusually large bonuses or other rewards to employees, they
may be tempted to manipulate production or sales records to
increase their earnings.
28. What is the methodology for reviewing the financial results of
subsidiary or operating components, especially if they are
located in different markets or are in different industries?
29. Is there any account balance that seems disproportionately high
or low, given the age and size of the company and the industry
within which it operates?
30. How does the company’s senior-level management monitor the
application of significant controls?
31. Does operations management promptly provide reasonable
answers to routine questions? Evasive or inadequate answers,
or claims that documents that support transactions or balances
are lost or missing, may be signs of trouble.
32. Are the company’s banks and other financial service providers
stable? Caution could be required with significant new
relationships and transactions, or when there are transactions
with new entities outside of the normal course of business.
33. Does the company have a good internal audit function in place?
34. Are the accounting estimates reasonable? Patterns of
accounting estimates that cluster at one particular end of the
range of reasonableness (i.e., always in a way that produces the
highest acceptable net income), may be red flags.
35. Does the company have significant assets, liabilities, revenues,
or expenses that are based on subjective estimates, judgments
or uncertainties, or that are subject to potentially significant
changes in the near term? Examples of such items include the
collectibility of receivables, or the realizability of a financial
instrument that is based on the subjective valuation of non-marketable collateral.
36. Does the company have important related-party transactions
that are not in the ordinary course of business, or with related
entities that are not audited or audited by a different firm from
the company’s?
37. Do any unusual or highly complex transactions, especially
those close to year-end, pose difficult “substance over form”
questions?
38. Are there any key bank accounts or subsidiary or branch
operations in tax-haven jurisdictions, where there does not
appear to be a clear business justification for such accounts or
operations?
39. Is the organizational structure appropriate to the
circumstances? The existence of an overly complex structure
involving numerous or unusual legal entities, unusual
managerial lines of authority, or contractual arrangements
without apparent business purpose could make it easier to
commit or conceal fraudulent financial reporting.
40. Is there an unusually high degree of leverage? Is the company
likely to have difficulty meeting its debt repayment
requirements, or are there debt covenants that are difficult to
maintain?
41. Does the company have a stable and transparent ownership
structure, or is it difficult to determine the organization or
individual(s) that control(s) the entity? The potential for
fraudulent financial reporting generally increases when there is
a contest for ownership control of the company, or
management or owners perceive that a contest for ownership
control of the company could occur in the near future.
42. Are reasonable compensation programs in place?
Unrealistically aggressive sales or profitability incentive
programs may be a risk factor. This question should be given
additional consideration when new marketing or sales
arrangements are introduced.
43. How much due diligence is completed before senior
management makes significant decisions? Are such decisions
made quickly, without adequate review?
44. Are there good subsidiary records and controls over inventory
and similar assets? The existence of significant “book” to
“physical” adjustments, especially if such items occur
frequently, could be a cause for concern.
45. What is the delegation of authority and decision-making?
Excessive centralization of authority and decision-making by
one or a few individuals, at either the management level or at
the board of directors level, may require compensating
controls, such as effective oversight by the independent
members of the board of directors or audit committee.
46. Are standard human resources practices employed, such as
reviewing employee backgrounds before hiring?
47. Is there a systematic financial statement closing process, and is
there an adequate review of this process by higher-level entities
or management?
48. Is the organizational structure consistent and appropriate?
Frequent realignment of operating divisions (e.g., alignment by
product instead of geography) might help conceal fraudulent
manipulation of financial results.
Identifying potential risk factors for misappropriation of
assets
1. Are there assets that would be easy to convert to personal use?
Examples include:
• Large amounts of cash on hand or processed.
• Inventory or fixed-asset items that are physically
  small, individually possess a high value, and bear
  little or no permanent ownership identification.
• Easily convertible assets, such as bearer bonds,
  diamonds, or computer chips.
2. Does the company operate in an industry where there is a high
potential for customers to attempt to defraud or steal from the
company?
3. How much oversight of operations is in place, especially at
remote locations?
4. What are the applicant screening procedures for employees
who will have access to assets that are susceptible to
misappropriation?
5. Are there adequate record-keeping, as well as good physical
safeguards, over assets susceptible to misappropriation, such as
cash, investments, inventory, or fixed assets?
6. Is there effective oversight of the procedures applied to monitor
easily convertible assets and of the skills and integrity of the
employees in these areas?
7. Does the company segregate duties or independently check
assets that are subject to misappropriation?
8. What kinds of systems are in place to authorize and approve
transactions (for example, in purchasing)?
9. Is there a policy that requires timely and appropriate
documentation for transactions (for example, credit for
merchandise returns)?
10. Do changes in work practices or systems require prior approval
before being implemented?
11. How extensive are the audit trails or documentation required
for transactions?
12. Does the company maintain a positive work environment?
Difficult working environments, in which employees do not
believe that they are adequately appreciated for their
performance, can foster inappropriate behaviors.
13. Does the company require mandatory vacations for employees
performing key control functions?
14. Does the company follow standard human resources practices,
such as reviewing employee backgrounds before hiring?
15. Are there policies that require management or other associates
to complete the work performed by all individuals when they
are absent? Instances where a particular customer, contractor,
or vendor will only work with or talk to a specific employee are
an indication that matters could be amiss.
About the author
Gary Rubin, CPA, is a member of the Kansas City Chapter of FEI. Gary is currently the Director
of Finance – Reporting and Internal Controls for Accretive Health, Inc.
Gary’s career includes 10 years as a senior manager with Deloitte & Touche. During this time, he
served as a research associate for the National Commission on Fraudulent Financial Reporting,
commonly known as the Treadway Commission. His research projects for the Treadway
Commission included developing the Good Practice Guidelines for Fraud Risk Assessment,
which is included in the Commission’s Final Report.
Gary subsequently served as the Chief Financial Officer for several public and privately owned
companies and provided professional services on accounting, financial reporting, internal controls
and corporate governance for a variety of organizations as an Associate with Resources Global
Professionals. Gary authored this report when he was associated with Resources Global
Professionals.
Gary can be reached at 913-980-9906.
About Financial Executives Research Foundation, Inc.
Financial Executives Research Foundation, Inc. (FERF) is the non-profit 501(c)3 research affiliate
of Financial Executives International (FEI). FERF researchers identify key financial issues and
develop impartial, timely research reports for FEI members and nonmembers alike, in a variety of
publication formats. The foundation relies primarily on voluntary tax-deductible contributions from
corporations and individuals.
The views set forth in this publication are those of the authors and do not necessarily represent
those of the Financial Executives Research Foundation Board as a whole, individual trustees,
employees, or the members of the Advisory Committee. Financial Executives Research
Foundation shall be held harmless against any claims, demands, suits, damages, injuries, costs,
or expenses of any kind or nature whatsoever, except such liabilities as may result solely from
misconduct or improper performance by the foundation or any of its representatives.
This and more than 80 other Research Foundation publications can be ordered by logging onto
http://www.ferf.org
Financial Executives Research Foundation, Inc.
200 Campus Drive
Florham Park, New Jersey 07932
Copyright © 2007 by Financial Executives Research Foundation, Inc.
All rights reserved. No part of this publication may be reproduced in any form or by any means
without written permission from the publisher.
International Standard Book Number 1-933130-65-2
Printed in the United States of America
First Printing
Authorization to photocopy items for internal or personal use, or the internal or personal use of
specific clients, is granted by Financial Executives Research Foundation, Inc., provided that an
appropriate fee is paid to Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923.
Fee inquiries can be directed to Copyright Clearance Center at 978-750-8400. For further
information, please check Copyright Clearance Center online at: http://www.copyright.com