The ACFE's Fraud Risk Assessment Tool can be used by fraud examiners to identify their clients' or employers' vulnerabilities to fraud.
The Fraud Risk Assessment Tool consists of 15 modules, each containing a series of questions designed to help organizations zoom in on areas of risk. The fraud professional and the client or employer should begin the risk assessment process by working together to answer the questions in each module. It is important that the client or employer select people within the organization who have extensive knowledge of company operations, such as managers and internal auditors, to work with the fraud professional. Upon completion of all of the questions, the fraud professional should review the results of the assessment with the client or employer in order to:
The Fraud Risk Assessment Tool may reveal certain residual fraud risks that have not been adequately mitigated due to lack of, or noncompliance with, appropriate preventive and detective controls. The fraud professional should work with the client to develop mitigation strategies for any residual risks with an unacceptably high likelihood or significance of occurrence. Responses should be evaluated in terms of their costs versus benefits and in light of the organization's level of risk tolerance.
Be aware, however, that this assessment only provides a snapshot of a particular point in time. The dynamic nature of organizations requires routine monitoring and updating of their financial risk assessment processes in order for them to remain effective.
The employee assessment questions are designed to assess the probability of a fraudulent event occurring within the organization based on:
In addition to clarifying what employees are responsible for, job descriptions signify what employees are not responsible for. Employees who perform duties outside of their job descriptions represent a significant red flag.
Organizational charts provide employees with a snapshot of an organization's division of work, levels of management, and reporting relationships.
Accounting policies and procedures, including those related to fraud, should be documented, implemented, and communicated to employees.
In order to safeguard assets and financial reporting, companies should develop and implement policies for determining how financial transactions are initiated, authorized, recorded, and reviewed.
The company should implement a formal ethics statement that (1) defines conduct that is unethical, (2) states that unethical acts will be punished, and (3) provides information on reporting unethical conduct.
Senior management sets the tone for ethical conduct throughout the organization. The tone should signal that fraud will not be tolerated.
The company should document and implement fraud policies and procedures that describe (1) fraudulent conduct, (2) punishment for engaging in fraudulent conduct, and (3) how to report fraudulent conduct.
The responsibility for compliance with fraud and ethics policies should be assigned to a senior member of management.
All employees should receive training on the ethics and antifraud policies of the company. The employees should sign an acknowledgment that they have received the training and understand the policies.
Organizations should provide employees, vendors, and customers with a confidential system for reporting suspected violations of the ethics and antifraud policies.
Promptly and thoroughly investigating all reported incidents of fraud can minimize losses.
A formal record of all reported incidents of fraud, including documentation of investigative activities and final disposition of each incident, should be maintained.
Before offering employment to an applicant, a company should conduct a pre-employment background check (where permitted by law).
Responsible personnel should be trained to perform loss prevention functions.
Internal audits that focus on high-risk areas for fraud can identify new vulnerabilities, measure the effectiveness of internal controls, and signal that fraud prevention is a high priority for the company.
The company should segregate the duties related to authorization, custody of assets, and recording or reporting of transactions.
Periodic audits of compliance with internal controls send the message to employees that the company is proactive in its antifraud efforts.
Management should establish appropriate lines of communication with employees (such as surveys, exit interviews, and open-door policies) to assess their attitudes toward the organization.
Employees with large personal debts or credit problems are a red flag of potential fraud and should be monitored by management.
Management should be observant of signs of employees spending far more than they are earning. It is common for employees who steal to use the proceeds for lifestyle improvements, including expensive cars and extravagant vacations.
Employees who gamble excessively pose a potential fraud risk to the company and should be monitored by management. Employee assistance programs can be made available to help employees with gambling addictions.
Employees who use alcohol or drugs excessively pose a potential fraud risk to the company and should be monitored by management. Employee assistance programs can be made available to help employees with alcohol or drug addictions.
Employees who resent their superiors should be monitored by management, as they pose a potential fraud risk to the company.
Employees with a close relationship to a vendor or competitor should be monitored for potential conflict of interest.
Employees should be required to provide annual financial disclosures that list outside business interests. Outside interests that conflict with the organization's interests should be prohibited.
High employee turnover, especially in areas particularly vulnerable to fraud, is a warning sign of fraud that should be investigated.
Requiring employees to take annual vacations can aid an employer in detecting an ongoing fraud scheme because the employer is more likely to discover a perpetrator running such a scheme when the perpetrator is removed from the scene.
If control is centered in the hands of a few key employees, those individuals should be under heightened scrutiny for compliance with internal controls and other policies and procedures.
Unrealistic productivity measurements and expectations can place undue pressure on employees and result in employees committing fraudulent acts in order to meet them.
Providing positive feedback and recognition to employees helps to reduce the likelihood of internal fraud and theft through boosting morale. Employees with positive feelings about an organization are less likely to commit fraud against the organization.
Management should promote a culture in which employees aren't afraid to deliver bad news. After all, the sooner management receives the bad news, the sooner it can respond.
Management can improve communication with employees by creating an atmosphere that encourages open communication. Employees should feel safe in sharing any thoughts, comments, complaints, or suggestions.
A lack of clear organizational responsibilities can lead to confusion and frustration for employees. Organizational charts and job descriptions can be used to clarify organizational responsibilities.
Management that does not seem to care about or reward appropriate employee behavior can contribute to low employee morale and increased risk of fraud against the company by employees.
The management/key employee assessment questions are designed to assess the probability of a fraudulent event occurring within the organization based on:
The board of directors should include independent board members who are not associated with or employed by the company. In theory, independent directors are not subject to the same pressures as management and, therefore, are more likely to act in the best interest of shareholders.
Independent audit committee members with financial and accounting expertise can be instrumental in preventing and detecting financial fraud.
Management should investigate the reasons for high turnover and implement measures to reduce it.
Management should investigate the reasons for their departure and implement measures to reduce turnover.
Management should determine the reason for the litigation, monitor the filings, and take corrective action where necessary.
Management should determine the reason for the offshore activities and accounts, ascertain compliance with U.S. laws, and monitor activity closely.
The organization should require senior managers to file annual financial disclosure reports and explain the purpose of any offshore bank accounts or business interests.
Key employees who are experiencing financial pressures represent a potential fraud risk to the company and should be monitored by management. Employee assistance programs can be made available to help employees with alcohol, drug, and other problems.
Management should be observant of signs of employees spending far more than they are earning. It is common for employees who steal to use the proceeds for lifestyle improvements, including expensive cars, extravagant vacations, or expensive clothing.
Key employees who have civil judgments or bankruptcies on record represent a potential fraud risk to the company and should be monitored by management.
Key employees with known criminal convictions should be subjected to increased review by management for compliance with internal controls and other policies and procedures.
If control is centered in the hands of one or two key employees, then those individuals should be under heightened scrutiny for compliance with internal controls and other policies and procedures.
Organizations should prohibit key employees from having friends or relatives report directly to them.
Key employees who have a close association with a vendor should be monitored for potential conflict of interest.
Key employees should be required to provide annual financial disclosures that list outside business interests. Interests that conflict with the organization's interests should be prohibited.
Organizations should require key employees to disclose any potential conflicts of interest and should closely monitor any such conflicts of interest.
Requiring key employees to take annual vacations can aid an employer in detecting an ongoing fraud scheme because the employer is more likely to discover a perpetrator running such a scheme when the perpetrator is removed from the scene.
Management should subject key employees with a significant amount of their net worth invested in the company to increased review for compliance with internal controls, especially those controls related to financial reporting.
Management should determine the reason for debt levels and monitor internal controls for financial reporting.
Organizations should monitor employees whose compensation is based primarily on company performance for compliance with internal controls, especially controls related to financial reporting.
Companies should remove any incentive to use inappropriate means to manipulate financial information.
Excessive pressure to increase the company's stock price can result in management manipulating financial results in order to meet expectations.
Large operating or investment losses can place undue pressure on management to manipulate results in order to cover up the losses.
Insufficient working capital can place undue pressure on management to manipulate financial results.
A lack of sufficient credit can place undue pressure on management to manipulate financial results in order to obtain credit.
Excessive pressure to report favorable earnings can result in management committing fraudulent acts in order to meet expectations.
Dependence on only a limited number of products or customers places a company at greater risk for fraudulent acts to occur.
Cash flow problems, which are a warning sign of possible fraud, can arise when a company experiences difficulty in collecting receivables.
Rapid expansion into new business or product lines can place tremendous financial pressure on a company.
A reduction in sales volume can place undue pressure on management to manipulate financial results.
Strong competition can place a company at greater risk for fraudulent acts to occur.
Situational pressures that may lead to fraudulent acts can arise when a company is under pressure to sell or merge with another company.
A frequent change in auditors is a red flag of fraud.
Delaying or avoiding supplying auditors with the information necessary to complete audits is an indicator of fraudulent activity.
The company should determine the reasons for the problems with regulatory agencies and implement measures to encourage compliance with regulations.
The company should implement proper accounting records.
The accounting department should be adequately staffed to allow for proper segregation of duties.
Questionable or unusual accounting practices should be disclosed.
Large year-end or unusual transactions should be investigated.
The internal audit department should be adequately staffed.
Organizations should establish and enforce an internal control system.
The physical controls assessment questions are designed to assess the probability of a fraudulent event occurring within the organization based on:
Before offering employment to an applicant, a company should conduct a pre-employment background check (where permitted by law).
The company should document and implement policies and procedures that describe (1) unethical conduct, (2) punishment for engaging in unethical conduct, and (3) how to report unethical conduct.
Senior management sets the tone for ethical conduct throughout the organization. The tone should signal that fraud will not be tolerated.
All employees should receive training on the ethics and antifraud policies of the company. The employees should sign an acknowledgment that they have received the training and understand the policies.
Organizations should provide a system for anonymous reporting of suspected violations of the ethics and antifraud policies.
Access to areas containing sensitive documents should be restricted to those individuals who need the information to carry out their jobs. Also, an audit trail of access should be maintained.
Access to computer systems should be restricted to those individuals who need the information to carry out their jobs. Also, an audit trail of access should be maintained.
Organizations should restrict access to areas with high value assets and should maintain a log of persons accessing such areas.
Entries, exits, areas with sensitive or high value assets, and sales areas can be monitored using CCTV and recording equipment.
Random, unannounced audits help prevent fraud perpetrators from having time to alter, destroy, and misplace records and other evidence of their offenses.
Professional loss prevention or security personnel can be used to monitor physical controls.
Promptly investigating incidents of suspected or reported fraud can minimize losses.
Skimming schemes include:
Periodic analytical review of sales accounts using vertical, horizontal, and ratio analysis can highlight discrepancies that point to skimming.
Periodic review of the inventory and receiving records using statistical sampling can highlight discrepancies that point to skimming.
Periodic review of the inventory and receiving records using trend analysis can highlight discrepancies that point to skimming.
Periodic review of the inventory and receiving records using physical inventory counts can highlight discrepancies that point to skimming.
Periodic review of the inventory and receiving records using verification of shipping and requisition documents can highlight discrepancies that point to skimming.
Inventory accounts should be reviewed periodically for write-offs.
Accounts receivable and allowance for uncollectible accounts should be reviewed periodically for write-offs of accounts receivable.
Cash accounts should be reviewed periodically for irregular entries.
Company mail should be opened by someone other than bookkeepers, cashiers, or other accounting employees who make journal entries.
Vouchers for credit and sales receipts should contain serial numbers.
The accounts receivable bookkeeper should be restricted from preparing the bank deposit.
The accounts receivable bookkeeper should be restricted from collecting cash from customers.
The accounts receivable bookkeeper should be restricted from access to the cash receipts.
The cashier should be restricted from accessing accounts receivable records.
The cashier should be restricted from accessing bank and customer statements.
Having different employees perform these tasks helps minimize the potential for the concealment of theft.
The employee who opens incoming checks should immediately stamp all incoming checks with the company's restrictive endorsement to protect against unintended parties cashing the checks.
A list of all checks and cash received should be prepared and reconciled daily against the bank deposit receipt and the cash receipts report.
The person who opens the mail should deliver all checks and cash to the person responsible for the daily bank deposit.
An employee should perform an independent verification of the bank deposit ticket to the remittance list generated by the employee who opened the mail.
Lockboxes decrease the potential for fraud and error by reducing employee handling of each transaction.
A safe can be used to physically secure excess cash on hand. Access to the safe should be restricted and an access log should be maintained.
Daily bank deposits should be made so that excess cash does not remain on the premises.
Pre-numbered cash receipts should be used for cash sales.
Employees who handle cash should be bonded in order to protect against theft.
The company should document and implement policies and procedures for turning over delinquent accounts for collection.
The person who handles customer complaints should be independent of the cashier or accounts receivable function.
Physical access to the accounting system should be restricted to those who require it to perform their job functions.
Cash larceny schemes include:
Cash register totals should be reconciled to the amount in the cash drawer. Any discrepancies should be investigated.
An employee other than the register worker should be responsible for preparing register count sheets and agreeing them to register tape totals.
Access to registers or the cash box should be closely monitored and access codes should be kept secure.
Customer complaints regarding short change or improper posting should be handled by someone other than the employee who receives the cash.
Register workers should be properly supervised by on-duty supervisors or CCTV recording of register activity.
CCTV cameras and digital recorders can be used to monitor register areas.
Receivable transactions should be reviewed for legitimacy and supporting documentation.
An independent listing of cash receipts should be prepared before the receipts are submitted to the cashier or accounts receivable bookkeeper.
Companies should assign a person independent of the cash receipts and accounts receivable functions to compare entries to the cash receipts journals with the bank deposit slips and bank deposit statements.
The primary way to prevent cash larceny is to segregate duties.
Having an employee other than the cashier or accounts receivable bookkeeper make the daily bank deposit is an important segregation of duties that can help to prevent cash larceny.
Many internal fraud schemes are continuous in nature and require ongoing efforts by the employee to conceal defalcations. By establishing mandatory job or assignment rotation, the concealment element is interrupted.
Many internal fraud schemes are continuous in nature and require ongoing efforts by the employee to conceal defalcations. By establishing mandatory vacations, the concealment element is interrupted.
Surprise cash counts help prevent fraud perpetrators from having time to alter, destroy, and misplace records and other evidence of their offenses.
Journal entries made to the cash accounts should be reviewed and analyzed on a regular basis.
A POS system will allow the organization to gather sales information in a comprehensive and timely format.
The POS system should be configured to track perpetual inventory.
The POS system should be configured to track exceptions, such as voids, refunds, no sales, overages, and shortages.
Register exception reports should be reviewed on a regular basis by management.
All employees, except for managers, should be prohibited from making changes to the POS system.
Access to the accounts receivable subledger and general ledger should be restricted to authorized employees. An audit trail of who accessed the ledgers, including time and date of access, should be kept.
Check tampering schemes can be classified into the following categories:
Blank checks, which can be used for forgery, should be stored in a secure area such as a safe or vault. Access to this area should be restricted to authorized personnel.
Companies should promptly destroy all unused checks from accounts that have been closed.
Companies can minimize the possibility of check tampering and theft by using electronic payment services to handle large vendor and financing payments.
Printed and signed checks should be mailed immediately after signing.
All new checks should be purchased from reputable, well-established check producers.
Companies can reduce their exposure to physical check tampering by using checks containing security features, such as high-resolution microprinting, security inks, and ultraviolet ink.
Companies should work in a cooperative effort with banks to prevent check fraud, establishing maximum dollar amounts above which the company's bank will not accept checks drawn against the account.
One method for a company to help prevent check fraud is to establish positive pay controls by supplying its banks with a daily list of checks issued and authorized for payment.
Check preparation should not be performed by a signatory on the account.
Companies should perform detailed comparisons of the payees on the checks and the payees listed in the cash disbursements journal.
Periodic rotation of personnel responsible for handling and coding checks can be an effective check disbursement control.
Companies should complete bank reconciliations immediately after bank statements are received. The Uniform Commercial Code states that discrepancies must be presented to the bank within 30 days of receipt of the bank statement in order to hold the bank liable.
Bank statements and account reconciliations should be independently audited for accuracy.
Cancelled checks should be independently reviewed for alterations and forgeries.
Checks for material amounts should be matched to the supporting documentation.
The list of voided checks should be verified against physical copies of the checks. Bank statements should be reviewed to ensure that voided checks have not been processed.
Missing checks may indicate lax control over the physical safekeeping of checks. Stop payments should be issued for all missing checks.
Questionable payees or payee addresses should trigger a review of the corresponding check and support documentation.
Checks payable to employees, with the exception of regular payroll checks, should be closely scrutinized for schemes such as conflicts of interest, fictitious vendors, or duplicate expense reimbursements.
Requiring dual signatures on checks can reduce the risk of check fraud.
Making payments by check or other recordable payment device can reduce the risk of disbursement frauds.
Handwritten checks are especially vulnerable to check fraud and should be prohibited.
The following are types of cash register schemes:
Companies should routinely evaluate refunds, voids, and discounts to search for patterns of activity that might signal fraud.
Signs asking customers to request and examine sales receipts should be posted at registers.
Cash disbursements should be recorded on pre-numbered forms and reconciled daily.
An explanation section or code should be included on cash disbursement forms.
Customers involved in voided sales and refunds should be randomly contacted to verify the accuracy of the transactions.
Access to the necessary control keys for refunds and voids should be restricted to supervisors.
All void or refund transactions should be approved by a supervisor and documented.
Documentation of void and refund transactions should be maintained on file.
Companies should thoroughly investigate any missing or altered register tape.
Companies should investigate any gaps in the register tape.
Multiple voids or refunds for amounts just under review limits should be investigated.
An employee other than the register worker should be responsible for preparing register count sheets and comparing them to register totals.
Customer complaints regarding payment errors should be thoroughly investigated.
Each cashier should be assigned a separate access code to the register.
Each cashier should have a separate cash drawer.
An over and short log should be kept for each person and/or register.
Over and short incidents should be thoroughly investigated and monitored.
All “no sale” receipts should be accounted for and attached to a daily cashier's report.
Companies should restrict access to register areas to authorized employees and supervisors.
Companies should periodically conduct integrity shopping on all cashiers.
The following are types of purchasing and billing schemes:
The organization should have a purchasing department that is separate from the payment function.
The purchasing department should be independent of the accounting, receiving, and shipping departments.
Management should approve all purchase requisitions.
Purchase orders should specify a description of items, quantities, prices, and dates.
Purchase order forms should be pre-numbered and accounted for.
The company should maintain a master vendor file.
Companies should require competitive bids for all purchases.
The receiving department should prepare receiving reports for all items received.
The receiving department should maintain a log of all items received.
Copies of receiving reports should be furnished to the accounting and purchasing departments.
Purchasing and receiving functions should be segregated from invoice processing, accounts payable, and general ledger functions.
Companies should match vendor invoices, receiving reports, and purchase orders before recording the related liability.
Purchase orders should be recorded in a purchase register or voucher register before being processed through cash disbursements.
Companies should implement procedures adequate to ensure that merchandise purchased for direct delivery to the customer is promptly billed to the customer and recorded as both a receivable and a payable.
Records of goods returned to vendors should be matched to vendor credit memos.
The accounts payable ledger or voucher register should be reconciled monthly to the general ledger control accounts.
Write-offs of accounts payable debit balances should require approval of a designated manager.
The master vendor file should be reviewed periodically for unusual vendors and addresses.
Vendor purchases should be analyzed for abnormal levels.
Companies should implement control methods to check for duplicate invoices and purchase order numbers.
Credit card statements should be reviewed monthly for irregularities.
All vendors with post office box addresses should be verified.
Voucher payments should be reviewed regularly for proper documentation.
Access to the accounts payable subledger and the general ledger should be restricted and an audit trail should be created.
The following are types of payroll schemes:
Organizations should check the employee payroll list periodically for duplicate or missing Social Security numbers that may indicate a ghost employee or overlapping payments to current employees.
Personnel records should be maintained independently of payroll and timekeeping functions.
Organizations should perform reference checks on all new hires.
Sick leave, vacations, and holidays should be reviewed for compliance with company policy.
Employees should complete and sign appropriate forms to authorize payroll deductions and withholding exemptions.
Payroll should periodically be compared with personnel records for terminations to ensure that terminated employees have been removed from the payroll.
Payroll checks should be pre-numbered and issued in sequential order.
The payroll bank account should be reconciled by an employee who is not involved in preparing payroll checks, does not sign the checks, and does not handle payroll distribution.
Payroll registers should be reconciled to general ledger control accounts.
Cancelled payroll checks should be examined for alterations and endorsements.
Access to payroll check stock and signature stamps should be restricted.
Payroll checks that do not have withholdings for taxes, insurance, etc., should be investigated.
The employee payroll list should be reviewed for duplicate or missing home addresses and telephone numbers.
Account information for automatically deposited payroll checks should be reviewed periodically for duplicate entries.
An employee separate from the payroll department should be assigned to distribute payroll checks.
Companies must require new employees to furnish proof of immigration status.
Changes to an employee's salary should require more than one level of management approval.
Overtime should be authorized by a supervisor.
Supervisors should verify and sign timecards for each pay period.
Comparing commission expenses to sales figures to verify amounts is an important control procedure that can help to detect payroll fraud.
Someone separate from the sales department should calculate sales commissions.
The following are types of expense reimbursement schemes:
Companies should periodically review and analyze expense accounts using historical comparisons or comparisons with budgeted amounts.
Employee expense reimbursement claims should receive a detailed review before payment is made.
Employees should be required to submit detailed expense reports containing receipts, explanations, amounts, etc.
Companies should place a spending limit on expenses such as hotels, meals, and entertainment.
Companies should require receipts for all expenses to be reimbursed.
All expense reimbursement requests should be reviewed and approved by supervisors.
A policy requiring the periodic review of expense reports, coupled with examining the appropriate detail, can help deter employees from submitting personal expenses for reimbursement.
The following are types of schemes that involve the theft of inventory or equipment:
Companies should inventory company equipment and maintain a list of the equipment, serial numbers, and descriptions.
An employee who doesn't work in the department should be assigned to conduct the department's inventory.
Unexplained entries to the inventory records should be examined for source documentation.
Sizeable inventory increases without comparable sales increases may indicate an inventory overstatement fraud scheme and should be investigated.
Analytical reviews of beginning inventory, sales, cost of goods sold, and ending inventory should be conducted periodically. Any discrepancies should be investigated.
Any unusual volume of inventory adjustments, write-offs, or disposals should be investigated.
Organizations should document and implement inventory instructions and orders.
Physical inventory counts should be conducted by someone independent of the purchasing, receiving, and warehousing functions.
Pre-numbered inventory tags should be used.
Inventory tags should be controlled and accounted for.
Organizations should implement inventory procedures that prevent double counting.
Inventory counts should be subject to independent recounts.
Inventory should be reasonably identifiable, for example by description, condition, or stage of completion, so that it can be properly classified in the accounting system.
Differences between physical counts and inventory records should be investigated before inventory records are adjusted.
Scrap should be inventoried and scrap disposal should be accounted for.
The following duties should be segregated: requisition of inventory, receiving of inventory, disbursement of inventory, writing off of inventory as scrap, and receipt of proceeds from the sale of scrap inventory.
A receiving report should be prepared for all purchased goods.
Copies of receiving reports should be sent directly to the purchasing and accounting departments.
The receiving department should be provided with a copy of the purchase order on all items to be received.
Partial shipments should be annotated on purchase orders or attached as separate sheets.
Overage, shortage, and damage reports should be completed and sent to the purchasing and accounting departments.
Quantities of materials received should be counted and compared to purchase orders.
Companies should document and implement a written policy allowing management to inspect all desks, file cabinets, and other containers on company property.
Companies should document and implement an equipment removal authorization policy requiring written management approval to remove any company equipment from the company premises.
Companies should document and implement a policy requiring the inspection of packages, boxes, and other containers before they leave the company premises.
Companies should periodically monitor the removal of trash and trash receptacles.
Shipping and receiving areas should be adequately supervised to prevent theft.
High value items should be stored in secure or continuously monitored areas.
The shipping function should be separate from the purchasing and inventory functions.
Shipping documents should be pre-numbered and accounted for.
Shipping orders should be matched with sales orders and contracts to prevent inventory and vendor schemes.
Shipments of goods should be required to have authorized sales orders and sales contracts prior to shipping.
Shipping documents should be forwarded directly to the accounting department for recording inventory reduction and cost of sales.
The company should implement policies and procedures addressing the identification, classification, and handling of proprietary information.
Employees who have access to proprietary information should be required to sign nondisclosure agreements.
Employees who have access to proprietary information should be required to sign noncompete agreements to prevent them from working for competitors within a stated period of time.
Employees should be provided with training to make them aware of proprietary information, their responsibility to protect proprietary information, and company policies and procedures relating to proprietary information.
Companies should implement a procedure to identify what information should be classified as sensitive and for how long.
Sensitive documents should be properly classified and marked as confidential.
Sensitive information should be properly secured when not being used.
Access to sensitive information should be physically controlled and accounted for.
Organizations should promptly destroy sensitive information when it is no longer needed.
Companies should promptly investigate any compromises to the security of proprietary information to determine the source.
Employees should be required to use screensaver and/or server passwords to protect unattended computer systems.
Confidential documents should be shredded when discarded.
The following are types of schemes that involve corruption:
Organizations should implement a policy that addresses the receipt of gifts, discounts, and services offered by a supplier or customer.
Organizations should establish a bidding policy.
Organizations should review purchases for costs that are out of line.
Purchases should be reviewed to identify favored vendors.
Purchases should be reviewed and any excessive amounts should be investigated.
Pre-bid solicitation documents should be reviewed for any restrictions on competition.
Bid solicitation packages should be numbered and controlled.
Companies should restrict and monitor communication between bidders and purchasing employees.
All bids received should be kept confidential.
Companies should verify bidders' qualifications.
Companies should establish predetermined criteria upon which to award contracts.
Periodic rotation of purchasing account assignments can be an effective corruption control.
Organizations should periodically survey vendors regarding company purchasing practices.
The following are types of schemes that involve conflicts of interest:
Organizations should conduct periodic comparisons of vendor information with employee information, such as addresses and telephone numbers.
Vendors who employ former company employees should be under increased scrutiny for potential conflicts of interest.
Organizations should provide personnel with a confidential system for reporting concerns about vendors receiving favored treatment.
Employees should be required to provide annual disclosures that list business ownership, income, and investment information.
Organizations should require vendors to sign an agreement allowing vendor audits.
Vendor audits should be conducted by someone independent of the purchase, sales, billing, and receiving departments.
The following are types of financial statement fraud schemes:
Organizations should maintain accounting records in proper form.
The accounting department should be adequately staffed to allow for proper segregation of duties.
An effective internal audit staff can focus on high-risk areas for fraud and can identify new vulnerabilities, measure the effectiveness of internal controls, and signal that fraud prevention is a high priority for the company.
Organizations should establish and enforce an internal control system.
Embracing the concept of internal controls requires that senior managers and employees understand why internal controls are important and what adopting such measures means to them.
Senior managers should be visible in their support of internal controls.
Unrealistic financial goals and objectives can result in managers and employees committing fraudulent acts in order to meet them.
Any failure to meet financial goals and objectives should be researched.
Management should investigate any unstable or decreasing financial performance.
The company should strive to have stable relationships with its banks.
Management should determine the reasons for any unrealistic changes or increases in financial statement account balances.
Management should investigate any unrealistic account balances.
An inventory of physical assets should be conducted to verify that the physical assets exist in the amounts and values indicated on the financial statements.
The organization should determine the reasons for any significant changes in the nature of its revenues or expenses.
Situations in which one or a few large transactions account for a significant portion of any account balance or amount should be researched.
Any significant transactions that occur near the end of a period and positively impact results of operations should be scrutinized for legitimacy, especially if the transactions are unusual or highly complex.
The company should be able to explain any variances in financial results across periods.
Any inability to generate cash flows from operations while experiencing earnings growth should be investigated.
Insufficient working capital can place undue pressure on management to manipulate financial results.
Significant estimates, especially those that involve unusually subjective judgments or uncertainties, should be reviewed for reasonableness.
Significant estimates that could change significantly in the near term, in a manner that may have a financially disruptive effect on the organization, should be scrutinized.
Unusually rapid growth or profitability, especially when compared with that of other companies in the same industry, is a red flag of fraud and should be investigated.
The organization should increase review of its financial reporting during periods of high vulnerability.
Unrealistically aggressive sales or profitability incentive programs can place undue pressure on employees and result in employees committing fraudulent acts in order to meet them.
A threat of imminent bankruptcy, foreclosure, or hostile takeover places a company at increased risk for fraudulent activity to occur.
When there is a high possibility that reporting poor financial results would adversely affect significant pending transactions, such as business combinations or contract awards, management can come under extreme pressure to manipulate results.
The existence of a poor or deteriorating financial position when management has personally guaranteed significant debts of the entity can result in management committing fraudulent acts in order to protect itself from financial harm.
A careful budgeting and planning process can help a firm to monitor progress toward its goals, control spending, and predict cash flow and profit.
Management should determine the reasons for any collection or cash flow problems.
Dependence on one or two key products can place tremendous pressure on a company, exposing it to increased risk of fraud.
Any complex issues should be explained in the footnotes.
Generally accepted accounting principles concerning disclosures require that financial statements (1) include all relevant and material information in the financials or footnotes and (2) not be misleading.