What components of the COSO Framework may have contributed to this fraud?
- Monitoring
- Risk Assessment
- Control Activities
- Information and Communication
- Control Environment
How is fraud typically caught?
- by accident
- whistleblowers
- weak controls allow them to continue
What components make up Risk of Material Misstatement?
How should Risk of Material Misstatement be assessed?
IR x CR
- RMM should be assessed as high
Fill in the blank:
Audit standards provide ________ assurance.
- reasonable (not absolute)
If the same person could authorize purchases and initiate vendor transactions, what internal control strategy was violated?
Monitoring
When should someone have stepped in?
- after unusual volume of purchases
- when spending sharply increased
- during yearly review
How should fraud risk affect the extent of audit procedures?
- larger sample sizes
- targeting high-risk transactions
- expanded coverage
- procedures become more extensive and persuasive
What responsibility do those charged with governance have in preventing long-term fraud of this nature?
Governance responsibilities include:
- Oversight of internal controls
- Reviewing internal audit findings
- Ensuring fraud risk assessments are performed
- Monitoring procurement risk areas
- Establishing tone at the top
If Monitoring is ineffective, which component of the Audit Risk Model is directly affected?
Control Risk increases
Why do small problems get ignored?
- they seem harmless
- people assume someone else is checking
- no one wants to accuse a coworker
How should fraud risk affect the timing of audit procedures?
- more year-end testing rather than interim
This type of fraud, common in internal auditing, involves employees stealing assets for personal gain
misappropriation of assets
Controls over procurement are ineffective. Inherent risk is high.
How does this affect your planned detection risk and substantive procedures?
- DR decreases
- substantive procedures increase
What was the biggest red flag?
- 8,000 tablets in one year
- 90% fake purchases
- millions spent on small orders
- luxury lifestyle
If this fraud lasted 8 years across multiple audits, what does that suggest about detection risk in prior years?
- detection risk high
- auditors over-relied on controls
- insufficient sampling
- risk assessment was flawed
Evaluate whether external auditors should be held accountable for not detecting this fraud
- answers may vary
What is an internal control you would implement to prevent this from happening?
- segregation of duties (custody, auth, recording)
- require two approvals
- stronger monitoring of purchases
- review total annual spending, not just per order
Why didn't anyone notice sooner?
- poor oversight
- too much trust
- lack of audits
- no one reviewed patterns
Given AR = IR x CR x DR, which component do you think was most misjudged in this case?
- IR underestimated?
- CR underestimated?
- DR set too high?
What lessons can we learn from the Yale fraud?
- Controls matter
- Ethics matter
- Speak up about red flags
- Never assume someone else is checking