3 | P a g eBRIEF CONTENTSSection # 01: DETECTION AND INVESTIGATION OF FRAUDS 05What is fraud 05Symptoms of frauds 05i) Irregularities in Source Documents 06ii) Faulty Journal Entries 06iii) Inaccuracies in Ledgers 07iv) Extravagant Lifestyles 07v) Unusual Behaviors 08Section # 02: MOTIVES FOR FINANCIAL STATEMENT FRAUD 09Who commits fraud? 09Elements or motives of fraud 10i) The Element of Pressure 10ii) The Element of Opportunity 10iii) Element of Rationalization 11Section # 03: INTERNAL CONTROL SYSTEM 12What is internal control? 12Internal control system description 12Internal control system weakness 13
4 | P a g eSection # 04: MONITORING 15Monitoring employees and having a whistle-blowing system 15Section # 05: RISK ASSESSMENT & CONTROL ACTIVITIES 17What is risk? 17Risk assessment 17Preventing fraud through control activities 181. Adequate Separation of Duties 182. Proper Authorization of Transactions and Activities 183. Adequate Documents and Records 194. Physical Control over Assets and Records 195. Independent Checks on Performance 20
5 | P a g eSECTION # 01:DETECTION AND INVESTIGATION OF FRAUDWhat is fraud?There are two principal methods of getting something from others illegally. Either you physicallyforce someone to give you what you want (using a gun, knife, or other weapon), or you trickthem out of their assets. The first type of theft we call robbery, and the second type we callfraud. Robbery is generally more violent and more traumatic than fraud and attracts much moremedia attention, but losses from fraud far exceed losses from robbery. Although there are manyformal definitions of fraud, probably the most common is the following:“Fraud is a generic term, and embraces all the multifarious means which human ingenuity candevise, which are resorted to by one individual, to get an advantage over another by falserepresentations. No definite and invariable rule can be laid down as a general proposition indefining fraud, as it includes surprise, trickery, cunning and unfair ways by which another ischeated. The only boundaries defining it are those which limit human.”Fraud is deception that includes the following elements:1. A representation2. About a material point,3. Which is false,4. And intentionally or recklessly so,5. Which is believed6. And acted upon by the victim7. To the victim’s damageSYMPTOMS OF FRAUDA person’s lifestyle may change, a document may be missing, a general ledger may be out ofbalance, someone may act suspiciously, a change in an analytical relationship may not makesense, or someone may provide a tip that fraud is occurring. Unlike videos in robbery or bodies
6 | P a g ein a murder, however, these factors are only symptoms rather than conclusive proof of fraud.Symptoms of financial statement frauds can be separated as:Irregularities in Source DocumentsCommon fraud symptoms involving source documents (either electronic or paper)—such aschecks, sales invoices, purchase orders, purchase requisitions, and receiving reports—include thefollowing:• Missing documents• Stale items on bank reconciliations• Excessive voids or credits• Common names or addresses of payees or customers• Increased past-due accounts• Increased reconciling items• Alterations on documents• Duplicate payments• Second endorsements on checks• Document sequences that do not make sense• Questionable handwriting on documents• Photocopied documentsFaulty Journal EntriesAccounting is a language, just as English and Japanese are languages. For example, consider thefollowing journal entry:Legal Expense ...........................................5,000Cash ...........................................5,000In the English language, this entry says, “An attorney was paid $5,000 in cash.”The problem with the language of accounting is that it can be manipulated to tell a lie, just as canEnglish or Japanese or any other language. For example, with the above entry, how do you know
7 | P a g ethat an attorney was actually paid $5,000? Instead, maybe an employee embezzled $5,000 incash and attempted to conceal the fraud by labeling the theft as a legal expense. Smartembezzlers sometimes conceal their actions in exactly this way, realizing that the fraudulentlegal expense will be closed to Retained Earnings at the end of the accounting period, making theaudit trail difficult to follow. And, if the fraudulent employer routinely pays large amounts oflegal expenses, this small fraud could easily go unnoticed.Inaccuracies in LedgersTwo common fraud symptoms relating to ledgers are as follows:1. A ledger that does not balance; that is, the total of all debit balances does not equal the totalof all credit balances.For example, a perpetrator may embezzle inventory (an asset) but not reflect the reduction ofinventory in the accounting records. In this case, the actual inventory balance, as determined by aphysical count, is lower than the recorded amount of inventory, and the ledger does not balance.2. Master (control) account balances that do not equal the sum of the individual customer orvendor balances.The second ledger symptom is indicative of manipulation of an individual customer’s orvendor’s balance without altering the master receivable or payable account in the ledger. In thiscase, the sum of the individual customer or vendor balances does not agree with the masteraccount balance.Extravagant LifestylesMost people who commit fraud are under financial pressure. Sometimes the pressures are real;sometimes they merely represent greed. Once perpetrators meet their financial needs, theyusually continue to steal, using the embezzled funds to improve their lifestyles. Often, they buynew cars.For example, Kay embezzled nearly $3 million from her employer. She and her husband workedtogether to perfect the scheme over a period of seven years. Because they knew they mightsomeday get caught, they explicitly decided not to have children. With their stolen funds, theypurchased a new, expensive home (supposedly worth $500,000) and five luxury cars—a
8 | P a g eMaserati, a Rolls-Royce, a Jeep Cherokee, and two Audis. They filled their home with expensiveartwork and glass collections. They bought a boat and several expensive computers, and theypaid cash to have their yard extensively landscaped. They frequently invited Kay’s coworkers toparties at their home and served expensive foods, including lobster flown in from the east coast.Yet none of the employees noticed the change in lifestyle. They did not note, for example, thatKay drove a different car to work every day of the week and that all her cars were extremelyexpensive.Unusual BehaviorsResearch in psychology reveals that when a person (especially a first-time fraud perpetrator)commits a crime, he or she becomes engulfed by emotions of fear and guilt. These emotionsexpress themselves as stress. The individual often exhibits unusual and recognizable behaviorpatterns to cope with the stress.No particular behavior signals fraud; rather, changes in behavior are signals. People who arenormally nice may become intimidating and belligerent. People who are normally belligerentmay suddenly become nice.Even perpetrators recognize their behavioral changes. A woman who stole over $400,000 said, “Ihad to be giving off signals. I could not look anyone in the eye.” A man who embezzled over$150,000 said, “Sometimes I would be so wound up I would work 12 or 14 hours a day, oftenstanding up. Other times I would be so despondent I could not get off the couch for over a weekat a time.”
9 | P a g eSECTION # 02:MOTIVES FOR FINANCIAL STATEMENT FRAUDWho commits fraud?Research shows that anyone can commit fraud. Fraud perpetrators usually can’t be distinguishedfrom other people on the basis of demographic or psychological characteristics. Most fraudperpetrators have profiles that look like those of other honest people.Several years ago, a study was conducted to determine the physical and behavioralcharacteristics of fraud perpetrators. In this study, fraud perpetrators were compared with (1)prisoners incarcerated for property offenses and (2) a sample of noncriminal, college students.The personal backgrounds and psychological profiles of the three groups were compared. Theresults indicated that incarcerated fraud perpetrators were very different from other incarceratedprisoners. When compared to other criminals, they were less likely to be caught, turned in,arrested, convicted, and incarcerated. They were also less likely to serve long sentences. Inaddition, fraud perpetrators were considerably older. While only 2 percent of the propertyoffenders were female, 30 percent of fraud perpetrators were women. Fraud perpetrators werebetter educated, more religious, less likely to have criminal records, less likely to have abusedalcohol, and considerably less likely to have used drugs. They were also in better psychologicalhealth. They enjoyed more optimism, self-esteem, self-sufficiency, achievement, motivation, andfamily harmony than other property offenders. Fraud perpetrators also seemed to express moresocial conformity, self-control, kindness, and empathy than other property offenders.When fraud perpetrators were compared with college students, they differed only slightly. Fraudperpetrators suffered more psychic pain and were more dishonest, more independent, moresexually mature, more socially deviant, and more empathetic than college students. However,fraud perpetrators were much more similar to college students than they were to propertyoffenders.It is important to understand the characteristics of fraud perpetrators because they appear to bevery much like people who have traits that organizations look for in hiring employees, seeking
10 | P a g eout customers and clients, and selecting vendors. This knowledge helps us to understand that (1)most employees, customers, vendors, and business associates and partners fit the profile of fraudperpetrators and are capable of committing fraud and (2) it is impossible to predict in advancewhich employees, vendors, clients, customers, and others will become dishonest. In fact, whenfraud does occur, the most common reaction by those around the fraud is denial. Victims cannotbelieve that trusted colleagues or friends have behaved dishonestly.ELEMENTS OR MOTIVES OF FRAUDThe Element of PressureStudies suggest that approximately 95 percent of all frauds involve either financial or vice-related pressures. Common financial pressures associated with fraud that benefits perpetratorsdirectly include the following:1. Greed2. Living beyond one’s means3. High bills or personal debt4. Poor credit5. Personal financial losses6. Unexpected financial needsThis list is not comprehensive, and these pressures are not mutually exclusive. However, eachpressure in this list has been associated with numerous frauds.The Element of OpportunityA perceived opportunity to commit fraud, conceal it, or avoid being punished are the essentialpart for the motives of fraud. In this section, we will discuss fraud opportunities. At least sixmajor factors increase opportunities for individuals to commit fraud within an organization. Thefollowing list of these factors is not exhaustive, but it does provide a sufficient number ofsettings to illustrate the role of opportunities in the fraud triangle.1. Lack of controls that prevent and/or detect fraudulent behavior
11 | P a g e2. Inability to judge quality of performance3. Failure to discipline fraud perpetrators4. Lack of access to information5. Ignorance, apathy, and incapacity6. Lack of an audit trailElement of RationalizationThe final component needed to complete the fraud triangle is rationalization. This is the abilityto persuade yourself that something you otherwise know is wrong is really OK. A lot of mentalgymnastics are obviously needed to do so, but that is the point. If a person goes through thosegymnastics, than what was wrong before is now acceptable. How can that happen?One easy way for this to happen is the “borrowing” approach. I have a serious problem so I willjust borrow this money until next payday. Then I’ll pay it back. Then on the next payday, theproblem has not gone away, so the thought is: I’ll borrow a little bit more and pay it back forsure next month. All internal restraint has been removed.Another approach is the entitlement mentality. I’ve worked so hard for this organization that Ideserve a raise. That’s all this is – just a raise. Or, I am making a big sacrifice working at thissalary because I could get another job at a much higher rate so I deserve a big raise. Even afterthis small raise I am still a bargain.The atmosphere created by senior management can lend itself to rationalization: I know what thetop bosses get away with, so the company will never miss this little amount.The scary part here is rationalization takes place in the mind and cannot be seen. The entire shiftin mind set could take place invisibly. It is possible this shift could manifest itself in commentsor a change in attitude but not likely. The rationalization most likely will never be visible.
12 | P a g eSECTION # 03:INTERNAL CONTROL SYSTEMWhat is internal control?In accounting and auditing, internal control is defined as a process affected by an organizationsstructure, work and authority flows, people and management information systems, designed tohelp the organization accomplish specific goals or objectives.INTERNAL CONTROL SYSTEM DESCRIPTIONThe most widely recognized way to deter or prevent fraud is by having a good system ofcontrols. The Institute of Internal Auditors’ Web site contains the following statement, forexample:“Internal auditors support management’s efforts to establish a culture that embraces ethics,honesty, and integrity. They assist management with the evaluation of internal controls used todetect or mitigate fraud.”As stated previously, definition of an internal control framework for an organization shouldinclude:1. A good control environment2. A good accounting system3. Good control activities4. Monitoring5. Good communication and information.The control environment is the overall tone of the organization that management establishesthrough its modeling and labeling, organization, communication, and other activities. Controlenvironment factors include the integrity, ethical values, and competence of the entity’s people,management’s philosophy and operating style, the way management assigns authority andresponsibility and organizes and develops its people, and the attention and direction provided by
13 | P a g ethe board of directors. The control environment also includes well-defined hiring practices, clearorganization, and a good internal audit department.The second element—having a good accounting system—is important so that the informationused for decision making and provided to stakeholders is valid, complete, and timely. Thesystem should also provide information that is properly valued, classified, authorized, andsummarized.Good control activities involve policies and practices that provide physical control of assets,proper authorizations, segregation of duties, independent checks, and proper documentation. Acontrol system that meets these requirements provides reasonable assurance that the goals andobjectives of the organization will be met and that fraud will be reduced. No internal controlstructure can ever be completely effective, regardless of the care followed in its design andimplementation. Even when an ideal control system is designed, its effectiveness depends on thecompetency and dependability of the people enforcing it.Internal Control WeaknessesFraud occurs when perceived pressure, perceived opportunity, and rationalization combine.Many individuals and organizations have pressures. Everyone rationalizes. When internalcontrols are absent or overridden, the risk of fraud is great.Internal control is comprised of the control environment, the accounting system, and controlprocedures. Common internal control weaknesses or failure that can become fraud symptomsinclude the following:1. Lack of segregation of duties2. Lack of physical safeguards3. Lack of independent checks4. Lack of proper authorization5. Lack of proper documents and records
14 | P a g e6. Overriding of existing controls7. Inadequate accounting systemMany studies have found that the element most common in frauds is the overriding of existinginternal controls.
15 | P a g eSECTION # 04:MONITORINGMONITORING EMPLOYEES AND HAVING A WHISTLE-BLOWING SYSTEMIndividuals who commit fraud and hoard stolen proceeds are virtually nonexistent. Almostalways, perpetrators use their stolen money to support habits, increase their lifestyle, or pay forexpenses already incurred. When managers and their colleagues pay close attention to lifestylesymptoms resulting from these expenditures, fraud can often be detected early. Most stolen fundsare spent in conspicuous ways. Fraud perpetrators usually buy automobiles, expensive clothes,or new homes; take extravagant vacations; purchase expensive recreational toys, such as boats,condominiums, motor homes, or airplanes; support extramarital relationships or outside businessinterests. Consider the case of Marjorie, bank proof operator:Marjorie first started working for the bank in 1980. During her first four years of employment,she took out a debt consolidation loan of approximately $12,000 and had 97 personal overdrafts.During the next seven years, while committing fraud, her salary never exceeded $22,000 peryear. Yet, colleagues and officers of the bank knew that she had done the following:1. Taken several expensive cruises.2. Built a home on a golf course, costing over $600,000.3. Purchased and was currently driving the following cars; Rolls Royce, Jeep Cherokee, Audiand Maserati.4. Held extravagant parties for employees and others at her home.5. Purchased expensive jewelry, including 16 diamonds and sapphires.Anyone paying attention would have realized that Marjorie’s lifestyle was inconsistent with herlevel of earnings. When a coworker finally asked her how she could afford everything, sheexplained that her husband had received a one-third inheritance of $250,000. The story wasn’ttrue, but even if it had been, the $83,333 that her husband had supposedly inherited wouldn’thave paid for the Maserati, let alone all the other luxuries that managers knew she had purchased.
16 | P a g eClose monitoring facilitates early detection. It also deters frauds because potential perpetratorsrealize that “others are watching.” It is because monitoring by colleagues is such an effectiveway to catch dishonest acts.In most cases of fraud we have studied, individuals suspected or knew that fraud was occurringbut were either afraid to come forward with information or didn’t know how to reveal theinformation. The new whistle-blowing laws should help in these cases.Even with advances in technology, the most common way in which fraud is detected is throughtips. In one empirical study, for example, the authors found that 33 percent of all frauds weredetected through tips, while only 18 percent were detected by auditors. A company thatexperienced over 1,000 frauds in one year determined that 42 percent were discovered throughtips and complaints from employees and customers. A good whistle-blowing program is one ofthe most effective fraud prevention tools. When employees know that colleagues have an easy,nonobligatory way to monitor each other and report suspected fraud, they are more reluctantto become involved in dishonest acts.
17 | P a g eSECTION # 05:RISK ASSESSMENT & CONTROL ACTIVITESRISK ASSESSMENTWhat is Risk ?A situation involving introduction to danger OR Risk is the effect (positive or negative) of anevent or series of events that take place in one or several locations.Risk = Probability x ImpactThe equation of risk usually answers the two basic questions, 1. Probability: How likely is it tohappen? and 2. Impact: How bad will it be if it happens?Risk AssessmentRisk assessment identifies the risks of doing business with e-business partners. A key part of theassessment focuses on the control environment of those organizations. Another part identifieskey risks in the electronic exchange of information and money, so that control procedurestailored to the special challenges that these exchanges present can be installed—procedures thatcounter the risk of data theft, sniffing, unauthorized access to passwords, falsified identity,spoofing, customer impersonation, false Web sites, and e-mail or Web site hijacking.A specialized branch of risk assessment is intrusion detection. Firms specializing in intrusiondetection try to gain access to networks and secure information, and they report their findingsdirectly to management. Normally, a security audit includes an investigation into technology,processes, controls, and other factors at a client.
18 | P a g ePREVENTING FRAUD THROUGH CONTROL ACTIVITIESControl activities are the policies and procedures that ensure that necessary actions are taken toaddress risks and frauds. As you also learned, control activities generally fall into the followingfive types:1. Adequate separation of duties.2. Proper authorization of transactions and activities.3. Adequate documents and records.4. Physical control over assets and records.5. Independent checks on performance.1. Adequate Separation of DutiesIn e-business, this control is useful for making sure that individuals who authorizetransactions are different from those who actually execute them. Probably the most commonfrauds in purchasing and sales transactions are kickbacks and bribery. Kickbacks occur whenone individual becomes too close to suppliers or customers. Adequate segregation of dutiesprevents bribery because employees don’t have complete control of transactions.2. Proper Authorization of Transactions and ActivitiesProper authorization is another key control in e-business. The most common authorizationcontrols are passwords, firewalls, digital signatures and certificates, and biometrics. Everytransaction must be properly authorized.For example, Biometrics, one of the most promising areas of technology and systemssecurity is biometrics—the use of unique features of the human body to create secure accesscontrols. Because each person possesses unique biological characteristics (for example, irisand retina patterns, fingerprints, voice tones, facial structures, and writing styles), scientistsand technology firms are developing specialized security devices that have the potential to behighly accurate in authenticating identity. Access and permission to execute a transaction isgranted or denied based on how similar the subsequent reading is to the reference template.
19 | P a g e3. Adequate Documents and RecordsDocuments and records (sales invoices, purchase orders, subsidiary records, sales journals,employee time cards, and even checks) are the physical objects by which transactions areentered and summarized. In e-business, these documents are present in electronic form. Thislack of hard-copy documentation, the very essence of e-business, creates new opportunitiesfor fraud. Documents and records typically are detective controls, not preventive controls.They are the audit trail and enable auditors and fraud examiners to investigate suspectedwrongdoing. Although most computer systems create records of transactions that can beaccessed or reconstructed, smart perpetrators figure out how to remove evidence oftransactions from serversand computers.Because many of the traditional document controls aren’t available in e-commerce,additional controls must be put in place. The primary electronic transaction and documentcontrol is encryption, which protects confidential and sensitive information (such as checksor purchase or sales transactions) from being “sniffed” or stolen.4. Physical Control over Assets and RecordsWhen records—electronic or paper—are not adequately protected, they can be stolen,damaged, or lost. Highly computerized companies need to go to special lengths to protectcomputer equipment, programs, and data files. As with other types of assets, physicalcontrols are used to protect computer facilities. Examples are locks on doors to the computerroom and terminals and adequate and safe storage space for software and data files. Inaddition to software-based security, the software and hardware that comprise the ITinfrastructure must be physically secure.Remember that authorized personnel who can access computers and servers can also executeunauthorized transactions or steal sensitive information. Sometimes physical infrastructure isso sensitive and critical to e-business operations that the system is placed in an isolatedlocation with only high-level security access.
20 | P a g e5. Independent Checks on PerformanceAs with traditional business, key component in e-business controls is the careful andcontinuous review of the other four components—the independent checks and internalverification. The need for independent checks arises because internal controls change overtime. Personnel forget or fail to follow procedures, or become careless—unless someoneobserves and evaluates their performance. The likelihood of fraudulent transactions goes upwhen controls break down.Independent checks are particularly important in preventing fraud in e-business.Organizations should always conduct checks on their e-business partners.“ONE OF THE BEST WAYS TO PREVENTFRAUD IS BY FOCUSING ON REDUCING OPPORTUNITIESTHROUGH SOUND SECURITY MEASURES AND A SOLIDINTERNAL CONTROL SYSTEM”