FRAUD-RELATED INTERNAL CONTROLS
GLOBAL Headquarters • the gregor building • 716 West Ave • Austin, TX 78701-2727 • USA

TABLE OF CONTENTS

I. THE NEED FOR INTERNAL CONTROLS
    Threats to an Organization's Internal Control Environment ..... 2
    Why Threats Are Increasing ..... 4
    How Internal Controls Curb Threats ..... 5
    Overview of Internal Controls ..... 5
        Types of Internal Controls ..... 6
    Internal Control Requirements Under Anti-Corruption Laws ..... 8
    The Sarbanes-Oxley Act ..... 9
        Public Company Accounting Oversight Board ..... 9
        Rules for Auditors ..... 11
        Roles for Audit Committees ..... 12
        Rules for Management ..... 13
        Management Assessment of Internal Controls Requirement ..... 14
        Powers Granted to the SEC ..... 16
        Criminal Penalties ..... 16
        Foreign Public Accounting Firms ..... 17
        Whistleblower Protection ..... 17
        Consideration by Appropriate State Regulatory Authorities ..... 17
    Internal Control Over Financial Reporting ..... 17
        Management's Assessment of Internal Control ..... 18
        Management's Report on Internal Control ..... 20
    PCAOB Auditing Standard No. 5—An Audit of Internal Control over Financial Reporting That Is Integrated with an Audit of Financial Statements ..... 20
    PCAOB Auditing Standard No. 3—Audit Documentation ..... 24
    AU Standard 230—Audit Documentation (Source: SAS No. 103) ..... 25
    AU Standard 240—Consideration of Fraud in a Financial Statement Audit ..... 25
    Summary ..... 36
    Review Questions ..... 38

II. THE COSO INTERNAL CONTROL—INTEGRATED FRAMEWORK
    Understanding the Framework ..... 42
        Achievement of Objectives ..... 43
        A Process ..... 43
        Affected by People ..... 44
        Reasonable Assurance ..... 44
        Adaptability to Entity Structure ..... 44
    Objectives ..... 44
        Operations Objectives ..... 45
        Reporting Objectives ..... 45
        Compliance Objectives ..... 46
    Components and Principles of Internal Control ..... 46
        Control Environment—Component 1 ..... 47
        Risk Assessment—Component 2 ..... 50
        Control Activities—Component 3 ..... 57
        Information and Communication—Component 4 ..... 67
        Monitoring Activities—Component 5 ..... 68
    Limitations of Internal Controls ..... 69
        Preconditions of Internal Control ..... 69
        Judgment ..... 70
        External Events ..... 70
        Breakdowns ..... 70
        Management Override ..... 70
        Collusion ..... 71
    Outsource Service Providers ..... 71
    Interactions with External Parties ..... 72
    Smaller Entities ..... 72
        Challenges ..... 73
        Cost-Effective Internal Controls ..... 73
    Summary ..... 74
    Case Illustration: Springer's Northwest Lumber & Supply ..... 75
        Case Conclusion ..... 76
    Review Questions ..... 78

III. COMPUTER-BASED CONTROLS: GENERAL CONTROLS
    Developing a Security Plan ..... 81
    Segregation of Duties Within the System ..... 82
    Project Development Controls ..... 83
    Physical Access Controls ..... 85
    Logical Access Controls ..... 85
        Passwords ..... 86
        Physical Possession Identification ..... 87
        Biometric Identification ..... 88
        Compatibility Tests ..... 89
    Data Transmission Controls ..... 89
        Data Encryption (Cryptography) ..... 90
        Routing Verification Procedures ..... 91
        Parity ..... 91
        Message Acknowledgment Techniques ..... 92
        Data Transmission Controls for EDI and EFT ..... 92
        Protect Telephone Lines ..... 93
    Documentation Standards ..... 93
    Minimizing System Downtime ..... 94
    Disaster Recovery Plans ..... 94
        Priorities for the Recovery Process ..... 94
        Backup Data and Program Files ..... 94
        Specific Assignments ..... 96
        Complete Documentation ..... 96
        Backup Computer and Telecommunications Facilities ..... 96
    Protection of Desktop Personal Computers and Client/Server Networks ..... 98
    Protection of Laptops and Mobile Devices ..... 100
    Internet Controls ..... 100
    Prosecution of Computer Fraud Perpetrators ..... 102
    Improving Fraud Detection Methods ..... 104
        Conduct Frequent Audits ..... 104
        Set Up a Fraud Hotline ..... 104
        Use Computer Consultants ..... 104
        Monitor System Activities ..... 105
        Use Certified Fraud Examiners and Forensic Accountants ..... 106
        Use Fraud Detection Software ..... 106
        Utilize Human Resources ..... 107
    Summary ..... 109
    Integrative Case: Seattle Paper Products (SPP) ..... 113
        Case Conclusion ..... 113
    Review Questions ..... 116

IV. COMPUTER-BASED CONTROLS: APPLICATION CONTROLS
    Introduction ..... 119
        Input ..... 119
        Processor ..... 120
        Computer Instructions ..... 120
        Data ..... 121
        Output ..... 121
    Source Data Controls ..... 122
    Input Validation Routines ..... 124
    Online Data Entry Controls ..... 125
    Program Development, Acquisition, and Modification Controls ..... 126
    Data Storage Controls ..... 128
    Data Processing and File Maintenance Controls ..... 130
        Processing Test Data ..... 131
        Concurrent Audit Techniques ..... 132
        Analysis of Program Logic ..... 134
        Computer Audit Software ..... 135
    Output Controls ..... 138
    Application Controls: An Online Processing Example ..... 138
        Data Entry ..... 138
        File Updating ..... 139
        Preparing and Distributing Output ..... 140
    Application Controls: A Batch Processing Example ..... 140
    Summary ..... 142
    Integrative Case: Northwest Industries ..... 144
        Case Conclusion ..... 144
    Computer Audit Software Integrative Case: Seattle Paper Products ..... 146
        Case Conclusion ..... 146
    Review Questions ..... 148

V. FRAUD SCHEMES: CASH RECEIPTS, THEFT OF CASH, INVENTORY, AND OTHER ASSET FRAUDS
    Fraud Scheme Classifications ..... 152
    Cash Receipts (Skimming) Fraud ..... 155
        Unrecorded Sales ..... 156
        Stealing Mail Receipts ..... 159
        Understated Sales and Receivables ..... 162
    Theft of Cash ..... 163
        Theft of Cash from the Register ..... 163
        Theft of Cash from a Deposit ..... 166
    Theft and Misuse of Assets Other Than Cash ..... 168
    Review Questions ..... 174

VI. FRAUD SCHEMES: DISBURSEMENT FRAUD
    Introduction ..... 177
    Disbursement Fraud Schemes ..... 177
        Register Disbursement Frauds ..... 177
        Payroll Fraud ..... 181
        Expense Reimbursement Frauds ..... 185
        False Billing Fraud ..... 187
    Review Questions ..... 193

VII. FRAUD SCHEMES: CHECK TAMPERING
    Introduction ..... 195
    Check Tampering Schemes ..... 195
        Forged Maker and Concealed Check Schemes ..... 195
        Authorized Maker Schemes ..... 201
        Intercepted Check Schemes ..... 203
    Review Questions ..... 208

VIII. FRAUD SCHEMES: CORRUPTION
    Introduction ..... 211
    Bribery, Economic Extortion, and Illegal Gratuities ..... 212
        Kickback Schemes ..... 212
        Bid-Rigging Schemes ..... 216
    Conflict of Interest ..... 221
        Commit ..... 221
        Conceal and Convert ..... 222
        Catch ..... 222
        Control ..... 223
    Review Questions ..... 224

IX. FINANCIAL STATEMENT FRAUD
    Introduction ..... 227
    Categories of Fraudulent Financial Statement Fraud ..... 228
        Fictitious Revenues ..... 228
        Timing Differences ..... 228
        Concealed Liabilities and Expenses ..... 229
        Improper Disclosures ..... 229
        Improper Asset Valuation ..... 231
    Concealment of Fraudulent Financial Statement Fraud ..... 232
    Conversion Process in Financial Statement Frauds ..... 232
    Catching Financial Statement Fraud ..... 232
    Controlling Fraudulent Financial Reporting Fraud ..... 234
        Financial Statement Analysis Techniques ..... 235
    Interviewing Company Personnel ..... 236
        Interviewing Techniques ..... 236
        Interview Questions ..... 237
    Conclusion ..... 243
    Review Questions ..... 245

X. PRACTICAL PROBLEMS ..... 247

XI. SOLUTIONS TO REVIEW QUESTIONS ..... 255

XII. SOLUTIONS TO PRACTICAL PROBLEMS ..... 299

XIII. FINAL EXAMINATION ..... E-1

XIV. INDEX ..... I-1