CIA17 CIA1 BookOnline SU3 Outline

STUDY UNIT THREE


CONTROL FRAMEWORKS AND FRAUD

3.1 Control Frameworks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1


3.2 Enterprise Risk Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
3.3 Risk Management Processes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
3.4 Fraud -- Nature, Prevention, and Detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
3.5 Fraud -- Indicators . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19

This study unit is the first of two covering Section II: Internal Control / Risk from The IIA’s CIA
Exam Syllabus. This section makes up 25% to 35% of Part 1 of the CIA exam and is tested at the
awareness level. The relevant portion of the syllabus is highlighted below. (The complete syllabus is in
Appendix B.)

II. INTERNAL CONTROL / RISK (25%–35%)


A. Types of Controls (e.g., preventive, detective, input, output, etc.)
B. Management Control Techniques

C. Internal Control Framework Characteristics and Use (e.g., COSO, Cadbury)


1. Develop and implement an organization-wide risk and control framework
D. Alternative Control Frameworks
E. Risk Vocabulary and Concepts
F. Fraud Risk Awareness
1. Types of fraud
2. Fraud red flags

3.1 CONTROL FRAMEWORKS


1. Available Control Frameworks
a. Several bodies have published control frameworks that provide a comprehensive
means of ensuring that the organization has considered all relevant aspects of
internal control.
1) The use of a particular model or control design not mentioned here may be
specified by regulatory or legal requirements.
2) Some of the better-known frameworks are described below and on the following
page.
b. United States
1) Internal Control – Integrated Framework is widely accepted as the standard for
the design and operation of internal control systems.
2) The Watergate investigations of 1973-74 revealed that U.S. companies were
bribing government officials, politicians, and political parties in foreign countries.
The result was the Foreign Corrupt Practices Act of 1977.

Copyright © 2016 Gleim Publications, Inc. All rights reserved. Duplication prohibited. Reward for information exposing violators. Contact [email protected].
2 SU 3: Control Frameworks and Fraud

3) The private sector also responded by forming the National Commission on
Fraudulent Financial Reporting (NCFFR) in 1985.
a) The NCFFR is known as the Treadway Commission because James C.
Treadway was its first chair.
b) The Treadway Commission was originally sponsored and funded by five
professional accounting organizations based in the United States.
c) This group of five became known as the Committee of Sponsoring
Organizations of the Treadway Commission (COSO).
d) The Commission recommended that this group of five organizations
cooperate in creating guidance for internal control.
4) The result was Internal Control – Integrated Framework, published in 1992,
which was modified in 1994 and again in 2013.
c. Canada
1) Guidance on Control (commonly referred to as CoCo based on its original
title Criteria of Control), published by the Canadian Institute of Chartered
Accountants (CICA).
d. United Kingdom
1) Internal Control: Guidance for Directors on the Combined Code (commonly
referred to as the Turnbull Report after Nigel Turnbull, chair of the committee
that drafted the report), published by the Financial Reporting Council (FRC) of
the UK and re-released as Internal Control: Revised Guide for Directors on the
Combined Code.
2) The UK Committee on the Financial Aspects of Corporate Governance (known
informally as the Cadbury Committee after its chairman Sir Adrian Cadbury)
issued its report about the same time as the Treadway Commission in the U.S.
3) It was subsequently blended with the reports of two other organizations.
The resulting Combined Code includes such recommendations for sound
governance as requiring that the CEO and chairperson be separate individuals.
e. Information Technology
1) COBIT is the best-known framework specifically for IT controls. When originally
published, COBIT was an acronym for Control Objectives for Information and
Related Technology. COBIT 5 is the most recent version.
2) Electronic Systems Assurance and Control (eSAC), published by The Institute of
Internal Auditors Research Foundation, is an alternative control model for IT.
2. COSO Framework
a. Definition of Internal Control
1) The COSO model defines internal control as follows:
Internal control is a process, effected by an entity’s board of directors,
management, and other personnel, designed to provide reasonable assurance
regarding the achievement of objectives relating to operations, reporting, and
compliance.
2) Thus, internal control is
a) Intended to achieve three classes of objectives
b) An ongoing process
c) Effected by people at all organizational levels, e.g., the board,
management, and all other employees
d) Able to provide reasonable, but not absolute, assurance
e) Adaptable to an entity’s structure


b. Objectives
1) The three classes of objectives direct organizations to the different (but
overlapping) elements of control.
a) Operations
i) Operations objectives relate to achieving the entity’s mission.
● Appropriate objectives include improving (1) financial
performance, (2) productivity, (3) quality, (4) innovation, and
(5) customer satisfaction.
ii) Operations objectives also include safeguarding of assets.
● Objectives related to protecting and preserving assets assist in
risk assessment and development of mitigating controls.
● Avoidance of waste, inefficiency, and bad business decisions
relates to broader objectives than safeguarding of assets.
b) Reporting
i) To make sound decisions, stakeholders must have reliable, timely,
and transparent financial information.
ii) Reports may be prepared for use by the organization and
stakeholders.
iii) Objectives may relate to
● Financial and nonfinancial reporting.
● Internal or external reporting.

c) Compliance
i) Entities are subject to laws, rules, and regulations that set minimum
standards of conduct.
● Examples include taxation, environmental protection, and
employee relations.
● Compliance with internal policies and procedures is an
operational matter.
d) The following is a useful memory aid for the COSO classes of objectives:
O = Operations
R = Reporting
C = Compliance
2) Achievement of Objectives
a) An internal control system is more likely to provide reasonable assurance
of achieving the reporting and compliance objectives than the operational
objectives.
b) Reporting and compliance objectives are responses to standards
established by external parties, such as regulators.
i) Thus, achieving these objectives depends on actions almost entirely
within the entity’s control.
c) However, operational effectiveness may not be within the entity’s control
because it is affected by human judgment and many external factors.


c. Components of Internal Control


1) Supporting the organization in its efforts to achieve objectives are the following
five components of internal control:
a) Control environment
b) Risk assessment
c) Control activities
d) Information and communication
e) Monitoring
2) A useful memory aid for the COSO components of internal control is, “Controls
stop CRIME.”
C = Control activities
R = Risk assessment
I = Information and communication
M = Monitoring
E = Control environment
d. Control Environment
1) The control environment is a set of standards, processes, and structures that
pervasively affects the system of internal control. Five principles relate to the
control environment.
a) The organization demonstrates a commitment to integrity and ethical
values by
i) Setting the tone at the top. Through words and actions, the board
of directors and management communicate their attitude toward
integrity and ethical values.
ii) Establishing standards of conduct. The board and management
create expectations that should be understood at all organizational
levels and by outside service providers and business partners.
iii) Evaluating the performance of individuals and teams based on the
established standards of conduct.
iv) Correcting deviations in a timely and consistent manner.
b) The board demonstrates independence from management and exercises
oversight for internal control. The board
i) Establishes oversight responsibility. The board identifies and accepts
its oversight responsibilities.
ii) Applies relevant experience by defining, maintaining, and periodically
evaluating the skills and expertise needed among its members to
ask difficult questions of management and take appropriate actions.
iii) Operates independently. The board includes enough members who
are independent and objective in evaluations and decision making.
● For example, in some jurisdictions, all members of the audit
committee must be outside directors.
iv) Provides oversight. The board is responsible for oversight of
management’s design, implementation, and conduct of internal
control.


c) Management establishes, with board oversight, structures, reporting
lines, and appropriate authorities and responsibilities. Management
i) Considers all structures of the entity. Variables considered in
establishing organizational structures include the following:
● Nature of the business
● Size and geographic scope of the entity
● Risks, some of them outsourced, and connections with outside
service providers and partners
● Assignment of authority to different management levels
● Definition of reporting lines
● Reporting requirements
ii) Establishes and evaluates reporting lines. The trend in corporate
governance has been to allow employees closer to day-to-day
operations to make decisions.
iii) Designs, assigns, and limits authorities and responsibilities.
d) The organization demonstrates a commitment to attract, develop, and
retain competent individuals in alignment with objectives.
i) Policies and practices reflect expectations of competence. Internal
control is strengthened when management specifies what
competencies are needed for particular jobs.
ii) The board and management evaluate competence and address
shortcomings. Employees and outside service providers have the
appropriate skills and knowledge to perform their jobs.
iii) The organization attracts, develops, and retains individuals. The
organization is committed to hiring individuals who are competent
and have integrity. Ongoing training and mentoring are necessary
to adapt employees to the control requirements of a changing
environment.
iv) Senior management and the board plan and prepare for succession.
e) The organization holds individuals accountable for their internal control
responsibilities in pursuit of objectives. Management and the board
i) Enforce accountability through structures, authorities, and
responsibilities
ii) Establish performance measures, incentives, and rewards
iii) Evaluate performance measures, incentives, and rewards for
ongoing relevance
iv) Consider excessive pressures
v) Evaluate performance and reward or discipline individuals
e. Risk Assessment
1) The risk assessment process encompasses an assessment of the risks
themselves and the need to manage organizational change. This process is a
basis for determining how the risks should be managed. Four principles relate
to risk assessment.
a) The organization specifies objectives with sufficient clarity to enable the
identification and assessment of risks relating to five types of objectives.
i) Operations
ii) External financial reporting
iii) External nonfinancial reporting
iv) Internal reporting
v) Compliance

b) The organization identifies risks to the achievement of its objectives
across the entity and analyzes risks to determine how the risks should be
managed. Management must focus carefully on risks at all levels of the
entity and take the necessary actions to manage them.
c) The organization considers the potential for fraud in assessing fraud
risks to the achievement of objectives. The organization must
i) Consider various types of fraud,
ii) Assess incentives and pressures,
iii) Assess opportunities, and
iv) Assess attitudes and rationalizations.
d) The organization identifies and assesses changes that could
significantly affect the system of internal control.
i) Significant changes could occur in an organization’s external
environment, business model, and leadership. Thus, internal
controls must be adapted to the entity’s changing circumstances.
f. Control Activities
1) These policies and procedures help ensure that management directives are
carried out. Whether automated or manual, they are applied at various levels
of the entity and stages of processes. They may be preventive or detective,
and segregation of duties is usually present. Three principles relate to control
activities.
a) The organization selects and develops control activities that contribute
to the mitigation of risks to the achievement of objectives to acceptable
levels.
b) The organization selects and develops general control activities over
technology to support the achievement of objectives.
c) The organization deploys control activities through policies that
establish what is expected and procedures that put policies into action.
g. Information and Communication
1) Information systems enable the organization to obtain, generate, use, and
communicate information to (a) maintain accountability and (b) measure and
review performance. Three principles relate to information and communication.
a) The organization obtains or generates and uses relevant, quality
information to support the functioning of internal control.
b) The organization internally communicates information, including
objectives and responsibilities for internal control, necessary to support
the function of internal control.
c) The organization communicates with external parties regarding matters
affecting the functioning of internal control.
h. Monitoring Activities
1) Control systems and the way controls are applied change over time. Monitoring
is a process that assesses the quality of internal control performance over time
to ensure that controls continue to meet the needs of the organization. The
following are two principles related to monitoring activities:
a) The organization selects, develops, and performs ongoing or separate
evaluations (or both) to determine whether the components of internal
control are present and functioning.
b) The organization evaluates and communicates control deficiencies in a
timely manner.


2) Changes in the external or internal environment create risks to the organization’s
internal control system. To ensure the internal control system remains capable
of achieving its objectives, the organization should maintain an effective
monitoring program. The stages in the monitoring-for-change continuum are as
follows:
a) Control Baseline
i) Monitoring must begin with an understanding of internal control’s
design and whether the controls that have been implemented are
effective at accomplishing the organization’s objectives.
ii) This baseline understanding of internal control provides a starting
place for making suggestions on how to improve efficiency and
effectiveness.
b) Change Identification
i) Ongoing or separate evaluations (or both) are used to identify whether
changes in processes or risks are being addressed. As part of these
evaluations, the organization should confirm that controls continue
to meet their objectives of helping to manage or mitigate related
risks.
c) Change Management
i) The organization should verify that the internal control system
manages the changes and establishes a new control baseline for
the modified controls.
d) Control Revalidation
i) Control revalidation is the process of using monitoring procedures to
confirm the conclusion that controls are effective. This is a form of
continuous monitoring.
i. Relationship of Objectives, Components, and Organizational Structure
1) The COSO model may be displayed as a cube with rows, slices, and columns.
The rows are the five components, the slices are the three objectives, and the
columns represent an entity’s organizational structure.

Figure 3-1


3. CoCo Model
a. The CoCo model is thought to be more suited for internal auditing purposes. It consists
of 20 criteria grouped into 4 components:
1) Purpose
2) Commitment
3) Capability
4) Monitoring and Learning
b. The following is a useful memory aid for the components of the CoCo model
(“Police Can Catch Many Lawbreakers”):
P = Purpose (Police)
C = Commitment (Can)
C = Capability (Catch)
M = Monitoring (Many)
L = Learning (Lawbreakers)
4. COBIT -- A Framework for IT Governance and Management
a. COBIT is the best-known control and governance framework that addresses
information technology.
1) In its original version, COBIT was focused on controls for specific IT processes.
2) Over the years, information technology has gradually come to pervade every
facet of the organization’s operations. IT can no longer be viewed as a function
distinct from other aspects of the organization.
a) The evolution of COBIT has reflected this change in the nature of IT within
the organization.
5. COBIT 5 -- Five Key Principles
a. Principle 1: Meeting Stakeholder Needs
1) COBIT 5 asserts that value creation is the most basic stakeholder need. Thus,
the creation of stakeholder value is the fundamental goal of any enterprise,
commercial or not.
a) Value creation in this model is achieved by balancing three components:
i) Realization of benefits
ii) Optimization (not minimization) of risk
iii) Optimal use of resources
2) COBIT 5 also recognizes that stakeholder needs are not fixed. They evolve
under the influence of both internal factors (e.g., changes in organizational
culture) and external factors (e.g., disruptive technologies).
a) These factors are collectively referred to as stakeholder drivers.
3) In response to the identified stakeholder needs, enterprise goals are established.
a) COBIT 5 supplies 17 generic enterprise goals that are tied directly to the
balanced scorecard model.
4) Next, IT-related goals are drawn up to address the enterprise goals.
a) COBIT 5 translates the 17 generic enterprise goals into IT-related goals.
5) Finally, enablers are identified that support pursuit of the IT-related goals. An
enabler is broadly defined as anything that helps achieve objectives.
a) The seven categories of enablers are listed in item 5.d. on the next page.


6) COBIT 5 refers to the process described on the previous page as the goals
cascade. It can be depicted graphically as follows:

Figure 3-2
b. Principle 2: Covering the Enterprise End-to-End
1) COBIT 5 takes a comprehensive view of all of the enterprise’s functions and
processes. Information technology pervades them all; it cannot be viewed as a
function distinct from other enterprise activities.
a) Thus, IT governance must be integrated with enterprise governance.
2) IT must be considered enterprise-wide and end-to-end, i.e., all functions and
processes that govern and manage information “wherever that information may
be processed.”
c. Principle 3: Applying a Single, Integrated Framework
1) In acknowledgment of the availability of multiple IT-related standards and best
practices, COBIT 5 provides an overall framework for enterprise IT within which
other standards can be consistently applied.
2) COBIT 5 was developed to be an overarching framework that does not address
specific technical issues; i.e., its principles can be applied regardless of the
particular hardware and software in use.
d. Principle 4: Enabling a Holistic Approach
1) COBIT 5 describes seven categories of enablers that support comprehensive IT
governance and management:
a) Principles, policies, and frameworks
b) Processes
c) Organizational structures
d) Culture, ethics, and behavior
e) Information
f) Services, infrastructure, and applications
g) People, skills, and competencies


2) The last three of these enablers also are classified as resources, the use of
which must be optimized.
3) Enablers are interconnected because they
a) Need the input of other enablers to be fully effective and
b) Deliver output for the benefit of other enablers.
e. Principle 5: Separating Governance from Management
1) The complexity of the modern enterprise requires governance and management
to be treated as distinct activities.
a) In general, governance is the setting of overall objectives and the
monitoring of progress toward those objectives. COBIT 5 associates
governance with the board of directors.
i) Within any governance process, three practices must be addressed:
evaluate, direct, and monitor.
b) Management is the carrying out of activities in pursuit of enterprise goals.
COBIT 5 associates these activities with executive management under
the leadership of the CEO.
i) Within any management process, four responsibility areas must be
addressed: plan, build, run, and monitor.
6. The eSAC Model
a. In the eSAC (Electronic Systems Assurance and Control) model, the entity’s internal
processes accept inputs and produce outputs.
1) Inputs: Mission, values, strategies, and objectives
2) Outputs: Results, reputation, and learning
b. The eSAC model’s broad control objectives are influenced by the COSO
Framework:
1) Operating effectiveness and efficiency
2) Reporting of financial and other management information
3) Compliance with laws and regulations
4) Safeguarding of assets
c. The following are eSAC’s IT business assurance objectives:
1) Availability. The entity must ensure that information, processes, and services are
available at all times.
2) Capability. The entity must ensure reliable and timely completion of transactions.
3) Functionality. The entity must ensure that systems are designed to user
specifications to fulfill business requirements.
4) Protectability. The entity must ensure that a combination of physical and logical
controls prevents unauthorized access to system data.
5) Accountability. The entity must ensure that transactions are processed under
firm principles of data ownership, identification, and authentication.
d. The following is a useful memory aid for the eSAC IT business assurance objectives
(“A Court Finds People Accountable”):
A = Availability (A)
C = Capability (Court)
F = Functionality (Finds)
P = Protectability (People)
A = Accountability (Accountable)


7. Guides to the Assessment of IT Risks (GAIT)
a. The GAIT methodology gives management and auditors guidance for assessing the scope
of IT general controls using a top-down and risk-based approach.
1) GAIT methodology is consistent with the Public Company Accounting Oversight
Board’s Auditing Standard 5 and other control frameworks, e.g., COSO.
b. The four principles of the GAIT methodology are as follows:
1) The identification of risks and related controls in IT general control processes
should be a continuation of the top-down and risk-based approach used to
identify significant accounts, risks to those accounts, and key controls in the
business processes.
2) The IT general control process risks that need to be identified are those that
affect critical IT functionality in financially significant applications and related
data.
3) The IT general control process risks that need to be identified exist, for example,
in application program code, networks, and operating systems.
4) Risks in IT general control processes are mitigated by the achievement of IT
control objectives, not individual controls.
8. Soft Controls
a. The COSO and CoCo models emphasize soft controls (see Roth, “Taking a Hard Look
at Soft Controls,” Internal Auditor, February 1998). For example, the communication
of ethical values and the fostering of mutual trust are soft controls in the CoCo model.
In the COSO model, soft controls are part of the control environment.
1) Soft controls should be distinguished from hard controls, such as compliance
with specific policies and procedures imposed upon employees from above.
b. Soft controls have become more necessary as technology advances have empowered
employees. Technology has given them access to large amounts of critical
information and enabled them to make decisions formerly made by those higher in
the organizational structure.
1) In addition to making many hard controls obsolete, technology advances also
have permitted the automation of hard controls, for example, the embedding of
audit modules in computer programs.
c. One approach to auditing soft controls is control self-assessment (CSA). It is the
involvement of management and staff in the assessment of internal controls within
their workgroup.
d. Hard and soft controls can be associated with particular risks and measured. The
vulnerability addressed can be stated as the product of the probability of occurrence
and the significance of the occurrence (V = P × S).

3.2 ENTERPRISE RISK MANAGEMENT


1. The COSO ERM Framework
a. Enterprise Risk Management – Integrated Framework describes a model that
incorporates the earlier COSO control framework while extending it to the broader
subject of enterprise risk management (ERM).
1) ERM is based on key concepts applicable to many types of organizations. The
emphasis is on (a) the objectives of a specific entity and (b) establishing a
means for evaluating the effectiveness of ERM.


b. The COSO Framework defines ERM as follows:
Enterprise risk management is a process, effected by an entity’s
board of directors, management, and other personnel, applied in
strategy setting and across the enterprise, designed to identify
potential events that may affect the entity, and manage risk to be
within its risk appetite, to provide reasonable assurance regarding
the achievement of entity objectives.
2. COSO Risk Vocabulary
a. Risk is the possibility that an event will occur and adversely affect the achievement of
objectives.
1) Inherent risk is the risk in the absence of a risk response.
2) Residual risk is the risk after a risk response.
3) Risk universe refers to all risks that could possibly affect an entity.
a) In a financial statement audit, audit risk is the risk that the auditor
expresses an inappropriate opinion on materially misstated financial
statements.
b. Risk appetite is the amount of risk an entity is willing to accept in pursuit of value.
It reflects the entity’s risk management philosophy and influences the entity’s culture
and operating style.
1) Risk appetite is considered in evaluating strategies, setting objectives, and
developing risk management methods.
c. An opportunity is the possibility that an event will positively affect the achievement of
objectives.
3. ERM Components
a. The internal environment reflects the entity’s (1) risk management philosophy, (2) risk
appetite, (3) integrity, (4) ethical values, and (5) overall environment. It sets the tone
of the entity.
b. Objective setting precedes event identification. ERM ensures that (1) a process is
established and (2) objectives align with the mission and the risk appetite.
c. Event identification relates to internal and external events affecting the organization.
It differentiates between opportunities and risks. Impact factors are potential results of
an event.
d. Risk assessment considers likelihood and impact as a basis for risk management. The
assessment considers the inherent risk and the residual risk.
e. Risk responses are actions taken to reduce the impact or likelihood of adverse events.
They include control activities. They should be consistent with the entity’s risk
tolerances and appetite.
f. Control activities are policies and procedures to ensure the effectiveness of risk
responses.
g. The information and communication component identifies, captures, and
communicates relevant and timely information.
h. Monitoring involves ongoing management activities or separate evaluations. The full
ERM process is monitored.
4. Five Strategies for Risk Response
a. Risk avoidance ends the activity from which the risk arises. For example, the risk of
having a pipeline sabotaged in an unstable region can be avoided by simply selling
the pipeline.
b. Risk acceptance acknowledges the risk of an activity, and no action is taken to affect
risk likelihood or impact. This term is synonymous with self-insurance.


c. Risk reduction (mitigation) lowers the level of risk associated with an activity. For
example, the risk of systems penetration can be reduced by maintaining a robust
information security function within the entity.
d. Risk sharing transfers some loss potential to another party. Examples are purchasing
insurance, hedging, and entering into joint ventures.
e. Risk exploitation seeks risk to pursue a high return on investment.
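The following is an added worked example, not part of the Gleim outline or of COSO’s published material. It ties together the V = P × S measure from item 8.d. of Subunit 3.1, the inherent/residual risk and risk appetite vocabulary from item 2 above, and the five risk responses from item 4: a small constructed risk register is scored before and after each response, and any risk whose residual vulnerability still exceeds the appetite is flagged. The sample risks, their figures, the unit of significance, and the names RISK_APPETITE and SAMPLE_RISKS are all constructed assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# The five risk responses named in the outline (Subunit 3.2, item 4).
RESPONSES = ("avoid", "accept", "reduce", "share", "exploit")


@dataclass
class Risk:
    name: str
    probability: float          # inherent P, a likelihood in [0, 1]
    significance: float         # inherent S (constructed unit: loss in $ thousands)
    response: str               # one of RESPONSES
    residual_probability: Optional[float] = None    # P after a "reduce" response
    residual_significance: Optional[float] = None   # S after a "share" response


def vulnerability(probability: float, significance: float) -> float:
    """V = P x S, the measure stated in Subunit 3.1, item 8.d."""
    if not 0.0 <= probability <= 1.0:
        raise ValueError("probability must lie in [0, 1]")
    if significance < 0:
        raise ValueError("significance must be non-negative")
    return probability * significance


def inherent_vulnerability(risk: Risk) -> float:
    """Inherent risk: the risk in the absence of a risk response."""
    return vulnerability(risk.probability, risk.significance)


def residual_vulnerability(risk: Risk) -> float:
    """Residual risk: what remains after the chosen response is applied."""
    if risk.response not in RESPONSES:
        raise ValueError(f"{risk.name}: unknown response {risk.response!r}")
    if risk.response == "avoid":
        return 0.0  # the activity is ended, so nothing remains to go wrong
    if risk.response in ("accept", "exploit"):
        return inherent_vulnerability(risk)  # likelihood and impact are left as they are
    if risk.response == "reduce":
        # Mitigation lowers likelihood, e.g. a robust information security function.
        if risk.residual_probability is None:
            raise ValueError(f"{risk.name}: 'reduce' needs a residual probability")
        return vulnerability(risk.residual_probability, risk.significance)
    # "share": part of the loss is transferred (insurance, hedging), so S falls.
    if risk.residual_significance is None:
        raise ValueError(f"{risk.name}: 'share' needs a residual significance")
    return vulnerability(risk.probability, risk.residual_significance)


def evaluate_register(risks, appetite: float):
    """Score every risk and flag whether its residual V is within the risk appetite."""
    rows = []
    for r in risks:
        resid = residual_vulnerability(r)
        rows.append({
            "name": r.name,
            "response": r.response,
            "inherent": inherent_vulnerability(r),
            "residual": resid,
            "within_appetite": resid <= appetite,
        })
    return rows


def exceeds_appetite(risks, appetite: float):
    """Names of risks whose residual vulnerability still exceeds the appetite."""
    return [row["name"] for row in evaluate_register(risks, appetite)
            if not row["within_appetite"]]


# Constructed sample register; the figures are illustrative, not from the outline.
SAMPLE_RISKS = [
    Risk("pipeline sabotage", 0.3, 900, "avoid"),                               # sell the pipeline
    Risk("systems penetration", 0.4, 500, "reduce", residual_probability=0.1),  # security function
    Risk("warehouse fire", 0.05, 2000, "share", residual_significance=400),     # insurance
    Risk("minor invoice errors", 0.6, 10, "accept"),                            # self-insure
    Risk("new market launch", 0.5, 300, "exploit"),                             # pursue the return
]
RISK_APPETITE = 100.0  # constructed: maximum residual V per risk the entity will carry

if __name__ == "__main__":
    for row in evaluate_register(SAMPLE_RISKS, RISK_APPETITE):
        flag = "ok" if row["within_appetite"] else "EXCEEDS APPETITE"
        print(f"{row['name']:<22} {row['response']:<8} "
              f"inherent={row['inherent']:7.1f} residual={row['residual']:7.1f} {flag}")
```

The point the register makes is the one the vocabulary makes: a response is judged by the residual risk it leaves against the appetite, not by how much it changes the inherent figure. Avoidance drives V to zero by removing the activity, reduction works on P, sharing works on S, and acceptance and exploitation deliberately leave V unchanged, so the exploited risk is the one the board would have to see and endorse.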
5. Responsibilities
a. Senior Management
1) The CEO sets the tone at the top of the entity and has ultimate responsibility for
ERM.
2) Senior management should ensure that sound risk management processes are
in place and functioning.
3) Senior management also determines the entity’s risk management philosophy.
For example, officers who issue definitive policy statements, insist on written
procedures, and closely monitor performance indicators exhibit one type of risk
management philosophy. Officers who manage informally and take a relaxed
approach to performance monitoring exhibit a different philosophy.
a) If senior management establishes a consistent risk management
philosophy, all parts of the entity can respond to risk appropriately.
b. Board of Directors
1) The board has an oversight role. It should determine that risk management
processes are in place, adequate, and effective.
2) Directors’ attitudes are a key component of the internal environment. They must
possess certain qualities for them to be effective.
a) A majority of the board should be outside directors.
b) Directors generally should have years of experience either in the industry
or in corporate governance.
c) Directors must be willing to challenge management’s choices. Complacent
directors increase the chances of adverse consequences.
c. Risk Committee and Chief Risk Officer
1) Larger entities may wish to establish a risk committee composed of directors and
also including managers, the individuals most familiar with entity processes.
a) A chief risk officer (CRO) may be appointed to coordinate the entity’s risk
management activities. The CRO is a member of, and reports to, the risk
committee.
d. Internal Auditing
1) According to The IIA, internal auditors may be directed by the board to evaluate
the effectiveness and contribute to the improvement of risk management
processes.
2) The internal auditors’ determination of whether risk management processes are
effective is a judgment resulting from the assessment that
a) Entity objectives support and align with its mission.
b) Significant risks are identified and assessed.
c) Appropriate risk responses are selected that align risks and the entity’s risk
appetite.
d) Relevant risk information is captured and communicated in a timely
manner across the entity, enabling staff, management, and the board to
carry out their responsibilities.
6. Graphical Depiction
a. The COSO ERM Framework is depicted as a matrix in the form of a cube with rows,
slices, and columns.
1) The rows are the eight components, the slices are the four categories of
objectives, and the columns are the organizational units of the entity.
b. The entity should make the appropriate response at each intersection of the
Framework, such as control activities for achieving reporting objectives at the division
level.
Figure 3-3: COSO ERM Framework (the cube described above)
7. ERM Limitations
a. Limitations of ERM arise from the possibility of
1) Faulty human judgment,
2) Cost-benefit considerations,
3) Simple errors or mistakes,
4) Collusion, and
5) Management override of ERM decisions.
3.3 RISK MANAGEMENT PROCESSES

At one time, external audit professionals thought of risk only in the context of an audit (e.g., the probability
of not discovering a material financial statement misstatement). Today, after extensive research and many
scholarly publications, risk is recognized as something that must be examined and mitigated in every aspect
of an organization’s operations. Thus, CIA candidates should understand the distinct responsibilities of
(1) the internal audit activity and (2) senior management and the board for enterprise-wide risk.

Performance Standard 2120 -- Risk Management
The internal audit activity must evaluate the effectiveness and contribute to the improvement of risk
management processes.

1. Importance of Internal Audit’s Role in Risk Management
a. The IIA issued the following Interpretation to clarify internal audit’s role:

Interpretation of Standard 2120
Determining whether risk management processes are effective is a judgment resulting from the
internal auditor’s assessment that:
● Organizational objectives support and align with the organization’s mission;
● Significant risks are identified and assessed;
● Appropriate risk responses are selected that align risks with the organization’s risk
appetite; and
● Relevant risk information is captured and communicated in a timely manner across
the organization, enabling staff, management, and the board to carry out their
responsibilities.
The internal audit activity may gather the information to support this assessment during
multiple engagements. The results of these engagements, when viewed together, provide an
understanding of the organization’s risk management processes and their effectiveness.
Risk management processes are monitored through ongoing management activities, separate
evaluations, or both.

b. Two Implementation Standards link the assessment of risk to specific risk areas.

Implementation Standard 2120.A1
The internal audit activity must evaluate risk exposures relating to the organization’s
governance, operations, and information systems regarding the:
● Achievement of the organization’s strategic objectives;
● Reliability and integrity of financial and operational information;
● Effectiveness and efficiency of operations and programs;
● Safeguarding of assets; and
● Compliance with laws, regulations, policies, procedures, and contracts.
Implementation Standard 2120.A2
The internal audit activity must evaluate the potential for the occurrence of fraud and
how the organization manages fraud risk.

c. Establishing a risk-based audit model and participating in the organization’s risk
management processes are both ways in which the internal audit activity adds value.

2. Responsibility for Aspects of Organizational Risk Management
a. The division of responsibility is described in detail in Practice Advisory 2120-1,
Assessing the Adequacy of Risk Management Processes.
1) “Risk management is a key responsibility of senior management and the board.
To achieve its business objectives, management ensures that sound risk
management processes are in place and functioning. Boards have an oversight
role to determine that appropriate risk management processes are in place and
that these processes are adequate and effective. In this role, they may direct
the internal audit activity to assist them by examining, evaluating, reporting,
and/or recommending improvements to the adequacy and effectiveness of
management’s risk processes” (para. 1).
2) “Management and the board are responsible for their organization’s risk
management and control processes. However, internal auditors acting in
a consulting role can assist the organization in identifying, evaluating, and
implementing risk management methodologies and controls to address those
risks” (para. 2).
3) “In situations where the organization does not have formal risk management
processes, the chief audit executive (CAE) formally discusses with
management and the board their obligations to understand, manage, and
monitor risks within the organization and the need to satisfy themselves that
there are processes operating within the organization, even if informal, that
provide the appropriate level of visibility into the key risks and how they are
being managed and monitored” (para. 3).
4) “The CAE is to obtain an understanding of senior management’s and the board’s
expectations of the internal audit activity in the organization’s risk management
process. This understanding is then codified in the charters of the internal audit
activity and the board. Internal auditing’s responsibilities are to be coordinated
between all groups and individuals within the organization’s risk management
process. The internal audit activity’s role in the risk management process of an
organization can change over time and may encompass:
a) No role.
b) Auditing the risk management process as part of the internal audit plan.
c) Active, continuous support and involvement in the risk management
process such as participation on oversight committees, monitoring
activities, and status reporting.
d) Managing and coordinating the risk management process” (para. 4).
5) “Ultimately, it is the role of senior management and the board to determine the
role of internal audit in the risk management process. Their view on internal
audit’s role is likely to be determined by factors such as the culture of the
organization, ability of the internal audit staff, and local conditions and customs
of the country. However, taking on management’s responsibility regarding the
risk management process and the potential threat to the internal audit activity’s
independence requires a full discussion and board approval.” (para. 5).
6) “The techniques used by various organizations for their risk management
practices can vary significantly. Depending on the size and complexity of the
organization’s business activities, risk management processes can be:
a) Formal or informal.
b) Quantitative or subjective.
c) Embedded in the business units or centralized at a corporate
level” (para. 6).

7) “The organization designs processes based on its culture, management
style, and business objectives. [Author’s note: The assumption is that the
objective of the choices made is to maximize stakeholder (shareholder)
value.] For example, the use of derivatives or other sophisticated capital
markets products by the organization could require the use of quantitative risk
management tools. Smaller, less complex organizations could use an informal
risk committee to discuss the organization’s risk profile and to initiate periodic
actions. The internal auditor determines that the methodology chosen is
sufficiently comprehensive and appropriate for the nature of the organization’s
activities” (para. 7).
8) “Internal auditors need to obtain sufficient and appropriate evidence to determine
that the key objectives of the risk management processes are being met to form
an opinion on the adequacy of risk management processes” (para. 8).

3.4 FRAUD -- NATURE, PREVENTION, AND DETECTION

1. Definition from The IIA Glossary
a. Fraud is “any illegal act characterized by deceit, concealment, or violation of trust.
These acts are not dependent upon the threat of violence or physical force. Frauds
are perpetrated by parties and organizations to obtain money, property, or services;
to avoid payment or loss of services; or to secure personal or business advantage.”
2. Effects of Fraud
a. Monetary losses from fraud are significant, but its full cost is immeasurable in terms of
time, productivity, and reputation, including customer relationships.
b. Thus, an organization should have a fraud program that includes awareness,
prevention, and detection programs. It also should have a fraud risk assessment
process to identify fraud risks.
3. Causative Factors of Fraud
a. Pressure or incentive is the need the fraudster is trying to satisfy by committing the
fraud.
b. Opportunity is the fraudster’s ability to commit the fraud.
1) This characteristic is the one that the organization can most influence, e.g., by
means of controls and procedures.
c. Rationalization is the fraudster’s ability to justify the fraud.
4. Examples of Fraud
a. Asset misappropriation is stealing cash or other assets (supplies, inventory,
equipment, and information). The theft may be concealed, e.g., by adjusting records.
An example is embezzlement, the intentional appropriation of property entrusted to
one’s care.
b. Skimming is theft of cash before it is recorded, for example, accepting payment from a
customer but not recording the sale.
c. Disbursement fraud involves payment for fictitious goods or services, overstatement of
invoices, or use of invoices for personal reasons.
d. Expense reimbursement is payment for fictitious or inflated expenses, for example, an
expense report for personal travel, nonexistent meals, or extra mileage.
e. Payroll fraud is a false claim for compensation, for example, overtime for hours not
worked or payments to fictitious employees.

f. Financial statement misrepresentation often overstates assets or revenue or
understates liabilities and expenses. Management may benefit by selling stock,
receiving bonuses, or concealing another fraud.
g. Information misrepresentation provides false information, usually to outsiders in the
form of fraudulent financial statements.
h. Corruption is an improper use of power, e.g., bribery. It often leaves little accounting
evidence. These crimes usually are uncovered through tips or complaints from third
parties. Corruption often involves the purchasing function.
i. Bribery is offering, giving, receiving, or soliciting anything of value to influence an
outcome. Bribes may be offered to key employees such as purchasing agents. Those
paying bribes tend to be intermediaries for outside vendors.
j. A conflict of interest is an undisclosed personal economic interest in a transaction that
adversely affects the organization or its shareholders.
k. A diversion redirects to an employee or outsider a transaction that would normally
benefit the organization.
l. Wrongful use of confidential or proprietary information is fraudulent.
m. A related party fraud is receipt of a benefit not obtainable in an arm’s-length
transaction.
n. Tax evasion is intentionally falsifying a tax return.
5. Division of Responsibilities
a. Control is the principal means of preventing fraud.
1) Management is primarily responsible for establishing and maintaining control.
2) Internal auditors support fraud prevention by examining and evaluating the
adequacy and effectiveness of control.
a) They are not responsible for designing and implementing fraud prevention
controls.
b. Internal auditors are not expected to detect all fraud.

Implementation Standard 1210.A2
Internal auditors must have sufficient knowledge to evaluate the risk of fraud and the
manner in which it is managed by the organization, but are not expected to have the
expertise of a person whose primary responsibility is detecting and investigating fraud.

1) According to Implementation Standard 1220.A1, internal auditors must exercise
due professional care by considering, among other things, the “probability of
significant errors, fraud, or noncompliance.”
2) Thus, internal auditors must consider the probability of fraud when developing
engagement objectives (Implementation Standard 2210.A2).
6. Components of a Fraud Prevention System
a. Fraud prevention involves actions to discourage fraud and limit the exposure when it
occurs. A strong ethical culture and setting the correct tone at the top are essential to
prevention.
b. Overlapping control elements of a fraud prevention program are presented below
and on the next page. They are based on the COSO control framework described in
Subunit 3.1.
1) The control environment includes such elements as a code of conduct, ethics
policy, or fraud policy.

2) A fraud risk assessment generally includes the following:
a) Identifying and prioritizing fraud risk factors and fraud schemes
b) Mapping existing controls to potential fraud schemes and identifying gaps
c) Testing operating effectiveness of fraud prevention and detection controls
d) Documenting and reporting the fraud risk assessment
3) Control activities are policies and procedures for business processes that include
authority limits and segregation of duties.
4) Fraud-related information and communication practices promote the fraud risk
management program and the organization’s position on risk. The means used
include fraud awareness training and confirming that employees comply with
the organization’s policies.
a) A fraud hotline can open the channel of communication for employees to
report suspected improprieties.
5) Monitoring evaluates antifraud controls through independent evaluations of the
fraud risk management program and use of it.
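Segregation of duties (item 3 above) is the control activity that directly removes the opportunity for the schemes listed in Subunit 3.4, such as creating nonexistent vendors and then approving payments to them. The following is an added illustration, not Gleim or IIA material: a check that flags any user whose combined roles give both halves of a forbidden entitlement pair, and lets a documented compensating control be recorded where a small entity cannot split the duties. The entitlement names, conflict pairs, role definitions and user assignments are all constructed for the example.

```python
"""Segregation-of-duties (SoD) conflict check.

Added illustration, not Gleim or IIA material. The entitlement names, the
conflict pairs, the role definitions and the user assignments below are
all constructed for this example.
"""

# Pairs of entitlements that a control activity says must not sit with one
# person, annotated with the fraud scheme the split is meant to stop.
CONFLICT_PAIRS = {
    frozenset({"create_vendor", "approve_payment"}),   # fictitious vendors
    frozenset({"enter_invoice", "approve_payment"}),   # overstated invoices
    frozenset({"receive_cash", "post_receivable"}),    # skimming / lapping
    frozenset({"add_employee", "approve_payroll"}),    # ghost employees
}

# Hypothetical roles and the entitlements each grants.
ROLE_ENTITLEMENTS = {
    "ap_clerk": {"enter_invoice"},
    "ap_manager": {"approve_payment"},
    "vendor_admin": {"create_vendor"},
    "cashier": {"receive_cash"},
    "ar_clerk": {"post_receivable"},
    "hr_admin": {"add_employee"},
    "payroll_manager": {"approve_payroll"},
}

# Constructed role assignments: "alice" has accumulated roles over time,
# "carol" covers two cash-cycle jobs in a small office, "dave" runs HR
# and payroll.
USER_ROLES = {
    "alice": ["vendor_admin", "ap_manager"],
    "bob": ["ap_clerk"],
    "carol": ["cashier", "ar_clerk"],
    "dave": ["hr_admin", "payroll_manager"],
}


def effective_entitlements(roles, role_entitlements=ROLE_ENTITLEMENTS):
    """Union of the entitlements granted by every role a user holds."""
    entitlements = set()
    for role in roles:
        entitlements |= role_entitlements.get(role, set())
    return entitlements


def find_sod_conflicts(user_roles, conflict_pairs=CONFLICT_PAIRS,
                       compensated=frozenset()):
    """Return sorted (user, pair, status) tuples.

    pair is the conflicting entitlement pair as a sorted tuple. status is
    "compensated" when (user, pair) has a documented compensating control
    (e.g., independent review of every payment the user approves), else "open".
    """
    findings = []
    for user, roles in user_roles.items():
        held = effective_entitlements(roles)
        for pair in conflict_pairs:
            if pair <= held:  # the user holds both halves of the pair
                key = tuple(sorted(pair))
                status = "compensated" if (user, key) in compensated else "open"
                findings.append((user, key, status))
    return sorted(findings)


def open_conflicts(user_roles, **kwargs):
    """Only the findings that still need a role change or a new control."""
    return [f for f in find_sod_conflicts(user_roles, **kwargs) if f[2] == "open"]


if __name__ == "__main__":
    documented = {("carol", ("post_receivable", "receive_cash"))}
    for user, pair, status in find_sod_conflicts(USER_ROLES, compensated=documented):
        print(f"{user:6} {' + '.join(pair):35} {status}")
```

The check works on effective entitlements rather than role names, so a conflict introduced by granting a second role is caught even when neither role is objectionable on its own. A "compensated" finding is not closed; it is the item the monitoring element (item 5 above) should re-test.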
7. Responsibility for Detection
a. Internal auditors are not responsible for the detection of all fraud, but they always must
be alert to the possibility of fraud.

Implementation Standard 2120.A2
The internal audit activity must evaluate the potential for the occurrence of fraud and
how the organization manages fraud risk.

b. An internal auditor’s responsibilities for detecting fraud include evaluating fraud
indicators and deciding whether any additional action is necessary or whether an
investigation should be recommended.

3.5 FRAUD -- INDICATORS

1. Low-Level Fraud vs. Executive Fraud
a. Fraud committed by staff or line employees most often consists of theft of property or
embezzlement of cash. The incentive might be relief of economic hardship, the desire
for material gain, or a drug or gambling habit.
1) Stealing petty cash or merchandise, lapping accounts receivable, and creating
nonexistent vendors are common forms of low-level fraud.
b. Fraud at the executive level is very different. The incentive is usually either maintaining
or increasing the stock price, receiving a large bonus, or both.
1) This type of fraud consists most often of producing false or misleading financial
statements.
2. Terminology of Fraud Indicators
a. A document symptom is any kind of tampering with the accounting records to conceal
a fraud. Keeping two sets of books or forcing the books to reconcile are examples.
b. Situational pressure can be personal (e.g., financial difficulties in an employee’s
personal life) or organizational (e.g., the desire to release positive news to the
financial media).
c. Opportunity to commit is especially a factor in low-level employee fraud. Poor controls
over cash, merchandise, and other organizational property, as well as lack of
compensating accounting controls, are enabling factors.

d. A lifestyle symptom is an unexplained rise in an employee’s social status or level of
material consumption.
e. Rationalization occurs when a person attributes his or her actions to rational and
creditable motives without analysis of the true and especially unconscious motives.
Feeling underpaid is a common rationalization for low-level fraud.
f. A behavioral symptom (i.e., a drastic change in an employee’s behavior) may indicate
the presence of fraud. The guilt and the other forms of stress associated with
perpetrating and concealing the fraud may cause noticeable changes in behavior.
3. Procedures for Detection
a. The nature and extent of the procedures performed to detect fraud depend on the
circumstances of the engagement, including the features of the organization and the
internal auditor’s risk assessment.
1) Accordingly, no text can feasibly list every procedure relating to fraud.
However, analytical procedures are routinely performed in many engagements.
They may provide an early indication of fraud.
a) Analytical procedures are performed to assess information collected in an
engagement. The assessment compares information with expectations
identified or developed by the internal auditor.
4. Some Indicators of Possible Fraud
a. Frauds and their indicators (often called “red flags”) take different forms:
1) Lack of employee rotation in sensitive positions such as cash handling
2) Inappropriate combination of job duties
3) Unclear lines of responsibility and accountability
4) Unrealistic sales or production goals
5) An employee who refuses to take vacations or refuses promotion
6) Established controls not applied consistently
7) High reported profits when competitors are suffering from an economic downturn
8) High turnover among supervisory positions in finance and accounting areas
9) Excessive or unjustifiable use of sole-source procurement
10) An increase in sales far out of proportion to the increase in cost of goods sold
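Item 3.a above describes analytical procedures as comparing collected information with an expectation developed by the internal auditor, and indicators 7 and 10 in the list are the kind of pattern such a comparison surfaces. The block below is an added illustration, not Gleim or IIA material: two simple analytical procedures run over constructed quarterly sales and cost-of-goods-sold figures, one comparing each period’s gross margin with an expectation built from prior periods, the other testing directly for sales growth far out of proportion to cost-of-goods-sold growth (indicator 10). The figures and the 5% and 10% tolerances are assumptions.

```python
"""Analytical procedures as a fraud indicator.

Added illustration, not Gleim or IIA material. The quarterly sales and
cost-of-goods-sold figures are constructed so that the last period shows
sales rising far out of proportion to cost of goods sold. The tolerances
are assumed thresholds; in practice the expectation would come from
budgets, prior periods, or industry data.
"""

# Constructed figures: (period, sales, cost_of_goods_sold).
PERIODS = [
    ("Q1", 1000.0, 620.0),
    ("Q2", 1050.0, 650.0),
    ("Q3", 1100.0, 680.0),
    ("Q4", 1600.0, 700.0),   # sales +45%, COGS +3%: the red flag
]


def gross_margin(sales, cogs):
    """Gross margin as a fraction of sales."""
    return (sales - cogs) / sales


def flag_margin_anomalies(periods, tolerance=0.05, min_history=2):
    """Compare each period's gross margin with an expectation (the mean of
    the prior periods). Return (period, actual, expected) for each period
    whose absolute gap from the expectation exceeds the tolerance."""
    flags, history = [], []
    for period, sales, cogs in periods:
        actual = gross_margin(sales, cogs)
        if len(history) >= min_history:
            expected = sum(history) / len(history)
            if abs(actual - expected) > tolerance:
                flags.append((period, round(actual, 4), round(expected, 4)))
        history.append(actual)
    return flags


def flag_growth_disparity(periods, tolerance=0.10):
    """Period-over-period test for indicator 10: sales growth that outruns
    cost-of-goods-sold growth by more than the tolerance."""
    flags = []
    for (_, prev_sales, prev_cogs), (period, sales, cogs) in zip(periods, periods[1:]):
        sales_growth = sales / prev_sales - 1
        cogs_growth = cogs / prev_cogs - 1
        if sales_growth - cogs_growth > tolerance:
            flags.append(period)
    return flags


if __name__ == "__main__":
    for period, actual, expected in flag_margin_anomalies(PERIODS):
        print(f"{period}: gross margin {actual:.1%} vs expected {expected:.1%}")
    print("growth disparity:", flag_growth_disparity(PERIODS))
```

A flag from either procedure is an indicator, not a finding: the auditor’s next step is the one described in 3.4.7.b, evaluating the indicator and deciding whether further work or a recommended investigation is warranted.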
