Dedicating resources to fraud prevention is generally much more cost-effective than suffering the direct loss and aftermath of a white-collar crime. How well-versed are you in control measures that can help prevent fraud? Do you have what it takes to help your company or your clients ensure they are effectively managing the risk of fraud? Take this Fraud IQ quiz to see how your fraud prevention knowledge measures up.
1. In terms of preventing fraud, which of the following components of the Committee of Sponsoring Organizations of the Treadway Commission’s (COSO’s) Internal Control—Integrated Framework most adequately embodies an organization’s tone at the top?
a. Control activities
c. Control environment
d. Information and communication
2. Stability Inc. is a publicly held software company with 3,500 employees in locations on three continents. As part of the company’s fraud risk assessment, the company’s auditors are examining the organizational structure. Which of the following characteristics of the organizational structure would be least likely to help prevent fraud?
a. The chief audit executive reports directly to the audit committee.
b. The company’s reporting structure is a complex matrix, with many layers of oversight for each functional area.
c. There is an open, informal flow of communication between employees and management.
3. Which of the following internal controls would likely be most effective in helping to prevent fraud?
a. Hidden surveillance cameras
b. Secret cash counts
c. Covert email monitoring
d. Fake surveillance cameras
4. Hots and Hams, a chain of quick-service restaurants with locations in all 50 states, is revamping its employee background check policy to ensure that the company is not allowing known thieves in through the front door. Which of the following statements is NOT true?
a. Hots and Hams’ policy should include a provision for running credit checks on all potential employees at the time of hire.
b. Hots and Hams’ policy should include provisions for running criminal background checks both on new hires and on existing employees.
c. Hots and Hams’ policy should extend to employees at all levels throughout the organization.
5. According to the U.S. Department of Justice, which of the following is considered an element necessary to monitor compliance with the antibribery provisions of the Foreign Corrupt Practices Act (FCPA)?
a. A formal risk assessment
b. An antibribery policy
c. Employee anticorruption training
d. All of the above
6. Southwind Inc. was recently the victim of a fraud scheme in which the employee in charge of reconciling the bank account used the company’s routing number and checking account number to initiate fraudulent electronic check payments for her mortgage and personal credit cards, and then falsified the bank reconciliation to cover her tracks. To prevent this from happening again, Southwind’s accounting manager suggests implementing a positive pay system. The use of positive pay would most likely:
a. Be helpful in preventing this type of fraud in the future
b. NOT be helpful in preventing this type of fraud in the future
7. An effective hotline serves as:
a. A fraud detection control
b. A fraud prevention control
c. Both a fraud detection and a fraud prevention control
8. Which of the following is true regarding employee antifraud training?
a. Employees at all levels of the organization should receive identical antifraud training.
b. The training should be catered to the specifics of the organization.
c. Training all employees at the time of hire is sufficient.
d. All of the above.
9. The management of Jaxx Inc. has asked Thom Sanderson, CPA, to assess the company’s antifraud internal controls. During his assessment, Thom discovers that the company is particularly susceptible to data breaches in its customer service center. To help address this risk, Thom should recommend that Jaxx:
a. Institute a clean-desk policy among employees who collect sensitive customer data.
b. Provide secure trash bins for documents that need to be shredded.
c. Disable the USB ports on certain computer workstations.
d. All of the above.
10. Which of the following is NOT true regarding ethics policies?
a. If an organization doesn’t truly value integrity, its ethics policy might do more harm than good.
b. A thorough, well-designed ethics policy is a surefire way to prevent fraud.
c. An ethics policy should address the specific risks of employee misconduct that were identified in the organization’s risk assessment process.
1. (c) According to COSO, the control environment sets the moral tone of an organization and includes the integrity, ethical values and competence of the entity’s people, as well as management’s philosophy and operating style. If the tone set by management is poor—that is, if owners, executives and managers exhibit less-than-ethical behavior—employees at lower levels in the organization will see that such actions are tolerated and will be more likely to engage in unethical, or even fraudulent, behavior. As part of establishing an effective control environment, COSO recommends a written code of conduct that covers all employees, but emphasizes that, while the official policy should reflect desired behavior, corporate culture will determine what actually occurs. Consequently, in addition to instituting formal policies covering employee conduct, management must:
- Lead by example.
- Verbally communicate the entity’s values and standards to all employees.
- Establish and enforce penalties for improper behavior.
- Ensure that jobs are staffed by employees with requisite knowledge and skills.
- Establish appropriate reporting lines.
- Set human resources policies that ensure the organization hires, promotes and supports competent and trustworthy individuals.
2. (b) A complex, confused organizational structure can enable a fraudster in perpetrating and concealing his or her misdeeds. Conversely, a well-designed organizational structure that clearly denotes key areas of authority, provides proper channels of reporting (for example, the internal auditors reporting directly to the audit committee), and enables flow of communication and information between employees and management can be an effective fraud prevention measure. Such an organizational structure not only promotes transparency and goodwill among the staff, but also inherently enables employees to know how and to whom to report suspected wrongdoing.
3. (d) Perhaps the most effective way to prevent a fraudulent act is to increase in the perpetrator’s mind the perception that he or she will be caught. Consequently, the mere presence of a perceived detection method—even a nonfunctioning one, such as fake surveillance cameras—can deter a potential fraudster from following through with a scheme. Although fully functioning security cameras are certainly the more effective option, organizations lacking the resources to collect and review security footage might consider installing a fake surveillance camera as a deterrent. In contrast, controls that are unseen—for example, hidden surveillance cameras, secret cash counts and covert email monitoring—might increase the likelihood of fraud detection, but they will do little to prevent the fraud from occurring in the first place.
4. (a) By instituting and implementing a thorough employee background check policy, Hots and Hams’ management can minimize its chance of hiring or promoting dishonest and untrustworthy people. Several states have enacted laws restricting or prohibiting the use of credit checks for employment decisions; consequently, Hots and Hams should not include a blanket policy to run a credit check for all potential employees. However, the company’s policy should cover employees at all levels of the organization, from staff up through executives, as even executives have been known to pad their resume or lie about their criminal past. Additionally, Hots and Hams should extend its criminal check procedures to existing employees who are up for promotions. Management might also consider running recurring background checks on employees in key positions to ensure that those with certain responsibilities—such as significant accounting or financial functions—aren’t convicted of a crime during their tenure without the organization’s knowledge.
5. (d) In deferred prosecution agreements with organizations suspected of violating the FCPA, the U.S. Department of Justice frequently includes a summary of what it considers to be the minimum elements of an effective FCPA compliance program. These agreements typically provide that, at a minimum, an organization’s compliance program should include the following 13 items:
- A formal code of conduct that includes a clear and visible policy against violating the FCPA and other anticorruption laws.
- The support and commitment of senior management.
- Standards and procedures specifically designed to prevent corruption, including policies covering gifts; hospitality, entertainment and expenses; customer travel; political contributions; charitable donations and sponsorships; facilitation payments; and solicitation and extortion.
- A formal risk assessment, including an evaluation of foreign bribery risks, the results of which are used to develop the company’s anticorruption compliance program.
- An annual review of the company’s anticorruption standards and procedures.
- Senior management’s responsibility for implementation and oversight of the anticorruption policies, standards and procedures.
- An internal controls system designed to ensure that the company’s books, records and accounts are fair, accurate and not used for the purpose of committing or concealing bribery.
- Mechanisms to ensure that the company’s anticorruption policies, standards and procedures are communicated effectively to all employees and, where appropriate, agents and business partners.
- A system that provides guidance and advice to employees regarding anticorruption issues, allows for internal—and ideally confidential—reporting of violations, and results in responses to such requests and reports.
- Appropriate disciplinary measures for violations of anticorruption laws, policies and procedures, as well as remedial actions to prevent recurrences of such misconduct.
- Due diligence and compliance requirements for the retention of agents and business partners.
- The inclusion of anticorruption provisions in agreements and contracts with agents and business partners.
- Periodic testing of the anticorruption program to evaluate and improve its effectiveness.
6. (a) In a positive pay system, the organization provides the bank with an electronic list of checks written and electronic payments issued each day, and the bank verifies all transactions presented for payment against those on the list; any transactions not on the list are sent to the company for review. Because this system alerts the organization to any unexpected payments before they clear the bank, it is particularly useful in addressing the risk of fraudulent checks and electronic payments.
7. (c) An effective hotline is clearly an important means of detecting fraud. In fact, according to the ACFE’s 2010 Report to the Nations on Occupational Fraud and Abuse, more than 40% of frauds are detected via tip—nearly three times more than by any other detection method—and two-thirds of those tips were made through fraud hotlines. In addition, a well-publicized and widely supported hotline can also have a preventive effect; by giving all employees a clear and secure way to report any suspected wrongdoing, a reporting mechanism can increase the potential fraudster’s perception that he or she will be caught and thus might deter him or her from commencing the scheme.
8. (b) Because employees are on the front line to observe suspicious acts by their fellow staff members, employee antifraud education is the cornerstone of an effective fraud prevention program. Without training about how fraud hurts the organization and its staff, what constitutes fraud, how to identify the red flags of fraud, how to report any suspected wrongdoing, and the consequences of fraudulent actions, many employees might miss—or even willingly turn a blind eye to—the warning signs of theft and misconduct. To be most effective, such training should be based on the realities of the organization, rather than on generic antifraud messages that provide no real applicable value, and should be ongoing, with refresher training held at least annually. Additionally, while employees at all levels should be required to participate in the antifraud training program, managers and executives should be provided with supplemental training that addresses the added fraud prevention and detection responsibility—and ability—provided by their positions of authority.
9. (d) An estimated 70% of all data breaches come from inside the company. Therefore, companies must protect their data not only from the unknown outside perpetrators, but from dishonest employees as well. In addition to the general physical-access security measures of locks, surveillance cameras and access codes, good data security practices include:
- A policy that clearly explains which electronic files should be locked, where locked files should be stored, and who should have passwords to these files.
- The use of firewalls.
- Requiring employees to keep their desks free from any documents that might contain customer data or other proprietary information, particularly after hours—a general clean-desk policy can help provide very clear guidance.
- Secure trash cans for documents that are waiting to be shredded or burned.
- Encryption of all sensitive files.
- A thorough and stringent password policy for all employees at all levels of the organization.
- Disabling the USB ports on workstations of employees who have access to sensitive files, of employees who do not have a general need for an active USB port, or of employees who are in open areas that might be particularly vulnerable to access by unauthorized individuals (for example, the front desk).
- Monitoring of employee logons for attempts to access restricted files or for abnormal or excessive access to particular areas of the system.
- Educating employees on proper handling of sensitive or proprietary data.
10. (b) To be effective, an organization’s ethics policy should address the organization’s specific risks of employee misconduct, be based on input from both management and employees, and be clearly communicated to all staff members. However, without the full support of middle and upper management, even a well-designed ethics policy will not prevent wrongdoing. If employees perceive a dichotomy between the enacted ethics policy and management’s exhibited integrity and ethics, they will likely feel disenfranchised and unsupported in making ethical choices or reporting questionable behaviors.
If you answered nine or 10 questions correctly, congratulations. Your arsenal of antifraud knowledge is well-armed and ready to aid in the fight against fraudulent conduct. Keep up the good work.
If you answered seven or eight questions correctly, you’re on the right track. Use the resources listed on this page to continue to build on your knowledge of fraud prevention.
If you answered fewer than seven questions correctly, you might want to brush up on your antifraud knowledge. The resources that accompany this article are a good place to start. Enhancing your understanding of fraud prevention concepts will help ensure that you have what it takes to keep your assets protected from would be fraudsters.
Andi McNeal ( firstname.lastname@example.org ) is director of research for the Association of Certified Fraud Examiners.
To comment on this article or to suggest an idea for another article, contact Kim Nilsen, editorial director, at email@example.com or 919-402-4048.
- “What’s Your Fraud IQ?” May 2010, page 50
- “What’s Your Fraud IQ?” Jan. 2010, page 34
- “What’s Your Fraud IQ?” Sept. 2009, page 48
- “What’s Your Fraud IQ?” May 2009, page 52
Use journalofaccountancy.com to find past articles. In the search box, click “Open Advanced Search” and then search by title.
How Fraud Hurts You and Your Organization (#056513HS, CD-ROM)
For more information or to place an order, go to cpa2biz.com or call the Institute at 888-777-7077.
- Advanced Forensic Techniques for Accountants (#AFTA)
- Auditing Real-World Frauds: A Practical Case Application Approach (#ARWF)
- Forensic Accounting: Fraudulent Reporting and Concealed Assets (#FAFR)
- Forensics and Financial Fraud: Real- World Issues & Answers (#FFF)
Go to aicpalearning.org to access courses, and click on “AICPA On-Site Training” and search by “Acronym Index.” If you need assistance, please contact a training representative at 800-634-6780 (option 1).
Membership in the Forensic and Valuation Services (FVS) Section provides you with access to numerous specialized resources in the forensic and valuation services discipline areas, including practice guides and exclusive member discounts for products and events. Go to aicpa.org/FVS to learn more about the FVS Section.
More from the JofA: