KnowledgeLeader provides best practice articles, tools, guides and other resources on fraud. This page contains some examples of the many resources and tools on fraud that are available for download. The tools are provided in downloadable versions, so they can be customized for use in your organization.
2015 Vendor Risk Management Benchmark Study
The results of this year’s Vendor Risk Management Benchmark Study can be viewed as cause for optimism or concern, depending on your view of the world. That said, the findings are crystal clear on a crucial point: there is still a lot of vendor risk management work to be done.
Accounts Payable RCM
This document outlines risks and controls common to the "accounts payable" process in a risk control matrix (RCM) format.
AML Audit Checklist
The USA PATRIOT Act requires that all financial institutions maintain an anti-money laundering (AML) program that is tested by independent auditors. This audit checklist is intended to assist financial institutions in preparing for the independent tests of their AML programs. It identifies areas that are generally within the audit scope, and lists the types of information that the auditors will likely request.
AML Lookbacks: Top 10 Lessons Learned
If your institution is facing a lookback, consider the lessons in this perspective to maximize efficiency and value.
Balancing Customer Experience With Security and Fraud Controls
This article focuses on how the emergence of financial technology firms, widely referred to as fintech companies, is impacting the traditional financial services industry.
Beware of the Fake Presidents
What steps can be taken to reduce your organization’s susceptibility to fake president fraud? In this article, we will review this and other methods to protect your organization from fraud.
Beware of the Slippery Slope: When Gifts, Entertainment, Favors and Philanthropy Become Problematic
Protiviti's Scott Moritz discusses the various ways in which gifts, entertainment, favors and charitable giving can lead to some pretty negative outcomes.
Bogus Vendors are the Single Most Common Way Companies are Defrauded
In this article, Scott Moritz, Protiviti Managing Director, says the most common fraud committed against a company relates to vendors that either don’t exist, are corrupt, or are secretly owned by a company insider who is directing business to them.
Business Ethics Questionnaire
This questionnaire is designed to help risk management professionals determine how well their companies are addressing risks in this area and to bring awareness to ethics programs. It also provides guidelines on how to measure the performance of business ethics processes.
Chip Shot: The Long-View on the EMV Short Game
In this article, we discuss what EMV technology means for credit card security and where security gaps still linger.
Code of Business Conduct and Ethical Guidelines Policy
The purpose of this policy is to help employees understand the values and beliefs of an organization. Topics covered include: Foreign Corrupt Practices Act, employment practices, antitrust compliance, and ethics hotlines.
Code of Conduct Questionnaire
If there is one constant for success in a rapidly changing global marketplace, it is the immutable bedrock of an unwavering commitment to ethical and responsible business behavior. This document discusses important questions for boards and management to consider when designing and implementing an effective code of ethics.
Common Frauds: Insider, Outsider, and Frauds for the Company
This guide identifies various types of fraud committed by insiders, outsiders, and management.
Compliance Issue Resolution: Responsible Business Conduct in Financial Services
This article discusses four expectations for "responsible business conduct" in a 2013 bulletin published by the Consumer Financial Protection Bureau (CFPB).
Conducting Whistleblower Investigations, Part 1: Preparation
Preparation, of course, is best done in advance, and not in the heat of battle. It's a good idea to have an investigative plan and investigative protocols in place before they are needed.
Conducting Whistleblower Investigations, Part 2: Triage and Gathering of Evidence
Part of the investigative planning process includes breaking down the investigation into component parts and developing a list of investigative steps designed to gather information on each part in an effort to prove or disprove what has been alleged.
Conducting Whistleblower Investigations, Part 3: The Interview
This article focuses on the third and most crucial stage of investigations—confronting the subject in an investigative interview.
Corruption Risk Management Questionnaire
Anti-corruption has become a major global initiative. Still, it is naïve to expect that legislators, regulators, international trade organizations and other parties can eradicate customs and behaviors that have evolved over many centuries. This board of directors and management questionnaire focuses on corruption risk, the Foreign Corrupt Practices Act (FCPA) and other key considerations.
Customer Fraud Risk Key Performance Indicators (KPIs)
This tool template explains the business risks related to customer fraud and outlines best practices to counter credit card fraud, identity theft, theft of intellectual property and phony online auctions.
DOJ "Yates Memo" Reminds Us that People, Not Corporations, Commit Crimes
In this article, we detail the six steps that the Yates Memo sets out for government attorneys to ensure that individuals believed responsible for corporate crime are held accountable.
Electronic Discovery Questionnaire
Electronic discovery (or e-discovery) refers to the process by which relevant electronically stored information is produced as evidence when an organization faces legal or regulatory action. This document poses questions for the board and management to reduce the costs, burden and time associated with e-discovery.
Electronic Discovery: An Academic Exercise or Your Next Crisis?
Electronic discovery (or e-discovery) refers to the process by which relevant electronically stored information (ESI) is produced when an organization faces legal or regulatory action. This process is important because parties in a lawsuit can now demand from each other word processing documents, e-mails, voice mail and instant messages, blogs, backup tapes and database files. Failure to comply with these electronic production obligations can lead to serious sanctions, sometimes to the tune of millions of dollars, and increased compliance costs. The harsh consequences of non-compliance are growing exponentially. This issue of The Bulletin provides ideas for companies to implement practical approaches in proportion to their litigation risk exposure and ongoing operations that will significantly reduce the cost, burden and time associated with records retention and e-discovery.
This policy defines the conditions under which company email systems may be used for communication. It applies to all employees of a company and any other personnel granted access to the company's email system. Specific procedures are defined for email access, permissible uses, prohibited uses, privacy and disclosure, and email retention. The use of email and related resources should be for company business only. Employees may want to use email for personal communication that is not directly related to their role within the company, and a minimal amount of such use is acceptable; however, employees are expected to use good judgment and to limit the amount and frequency of such use.
Email Policy: Sample 2
This policy outlines a set of procedures governing the use of email on company computers. The scope of this policy includes email and Webmail (whether Company X Webmail or third-party, such as Yahoo! mail, Hotmail, etc.), the rules and limitations governing email use, and the enforcement of those rules. The topic of email retention is beyond the scope of this document. The classification of email types and the length of time that email must be retained (stored) in-house or in a specialized facility is covered in a separate policy.
Employee Termination Policy
The following policy outlines steps related to the employment termination process.
Entity-Level Controls Fraud Questionnaire
Fraud prevention is essential to set the right tone for an effective internal control framework. This Excel-based template links the COSO components to a number of control objectives for entity-level fraud controls. Within the questionnaire you can document items such as whether the control exists, whether it was designed properly, related test procedures, and the management action plan for deficiencies.
Entity-Level Fraud Risk Assessment Process Report
This sample report provides an overview of the process one company undertook to satisfy the requirements of evaluating fraud risks that pertain to internal control over financial reporting.
Establishing an Effective Complaint and Confidential, Anonymous Reporting Process
Earlier this year, the Securities and Exchange Commission (SEC) issued rules, pursuant to Section 301 of Title III of the Sarbanes-Oxley Act of 2002 (SOX), requiring audit committees to establish procedures for "the receipt, retention and treatment of complaints received by the issuer regarding accounting, internal accounting controls or auditing matters, and the confidential, anonymous submission by employees of the issuer of concerns regarding questionable accounting or auditing matters." In this edition of The Bulletin, we address the issues that audit committees and management should consider as they collaborate to comply with this requirement.
Establishing an Effective Complaint and Confidential, Anonymous Reporting Process – Questionnaire
This questionnaire focuses on issues that audit committees and management should consider as they collaborate to comply with the SEC's rules pursuant to Section 301 of the Sarbanes-Oxley Act of 2002. Section 301 focuses on establishing an effective complaint and confidential, anonymous reporting process. These requirements are important because the SEC's rules direct the national securities associations to prohibit the listing of any security of a company that is not compliant with them.
Ethics Program Guide
An effective ethics program serves as a basis for policy-making as well as providing guidance in daily decision-making. This guide describes steps that companies should consider when developing or strengthening their ethics programs.
Financial Disclosure Communication Questionnaire
This questionnaire is designed to facilitate communication of items that should be considered for disclosure in SEC filings. It does not include all possible disclosure items, but does include some examples of primary types of items that should be considered.
Fine-Tuning Your Corruption Risk Management
Last year, a former Morgan Stanley managing director pleaded guilty for his role in a conspiracy to evade the company's internal accounting controls and violate the U.S. Foreign Corrupt Practices Act, and the U.S. Department of Justice (DoJ) declined to bring enforcement action against the executive's employer. Issue 42 discusses 10 lessons learned from the DoJ's favorable opinion release for Morgan Stanley.
Focus on the "Tone of the Organization"
"Tone at the top" is a term often used to describe how an organization's leadership creates an environment that fosters ethical and responsible business behavior. While leaders communicate the company's vision, mission, core values and commitment to ethical behavior, what really drives the culture and resonates with employees is what they see and hear every day from their supervisors. While tone at the top is important and a vital foundation, is it enough? This issue of Board Perspectives: Risk Oversight explains why it is essential that the tone at the top be translated into an effective "tone in the middle" before it can reach the rest of the organization.
Foreign Corrupt Practices Act (FCPA) Audit Work Program
This audit program sample assists audit teams when reviewing compliance with the Foreign Corrupt Practices Act of 1977.
Foreign Corrupt Practices Act Policy
This policy outlines procedures for compliance with the Foreign Corrupt Practices Act.
Fraud Detection - Guidelines and Techniques
This guide identifies ways that fraud can be committed from an accounting, operations, and IT internal controls perspective, and includes examples of fraud detection techniques using Data Analysis, Trend Analysis, and Proportional Analysis.
Fraud Detection - Scenarios & Tests by Process
This guide provides examples of fraud, and analytical procedures used to detect them in six areas.
Fraud Detection Guide: Red Flags
This guide discusses the types, characteristics, indicators and symptoms of fraudulent activities that occur within companies.
Fraud Indicators: Financial Performance
This guide identifies some of the red flags within an entity's financial performance that indicate the potential existence of embezzlement, financial statement fraud, and other illegal acts (e.g., bribery, kickbacks, price-fixing, bid-rigging and tax evasion).
This sample policy details the actions constituting fraud and non-fraud irregularities, investigation responsibilities, confidentiality statements, authorization for investigating suspected fraud, reporting procedures, and termination and administration procedures.
Fraud Prevention and Detection Audit Work Program
This audit program sample focuses on understanding current fraud prevention and detection program activities.
Fraud Prevention Process: Debit and Credit Card Transactions Audit Work Program
This audit work program identifies and evaluates the effectiveness of a debit and credit card service provider's fraud prevention process. It reviews the reports used to monitor fraudulent activity involving debit and credit cards and the system settings intended to identify potentially fraudulent transactions. For this audit, obtain the following documentation: an organizational chart for the audited department; policies and procedures for the fraud department and any other departments involved in fraud prevention/detection via the system; a report of standard system settings including, if possible, a description of each setting; a list of reports generated via the system or used in monitoring fraudulent activity involving debit and credit cards including, if applicable, signature-based transactions; and a copy of the latest report of the fraud department's key performance measures.
Fraud Response Policy
This sample policy outlines a company's principles with respect to maintaining a fraud-free environment.
Fraud Response Policy: Sample 2
This sample policy aims to reinforce the company’s fraud management plan and set the company’s response to allegations of suspected or actual fraud.
Fraud Schemes and Scenarios
Addressing fraud is one of the ways companies are working to restore investor confidence in the marketplace. This checklist provides a list of various fraud scenarios to be considered by company management. The purpose of this document is to reach a common understanding of the potential fraud schemes and scenarios included in an entity-level fraud risk assessment.
Fraud/Integrity Risk Methodology
This methodology is a flexible framework upon which internal audit teams can build. It outlines an approach for addressing integrity risk within an organization, focusing exclusively on the Integrity Risk section of the Process Risk category of the Protiviti Risk Model. The methodology addresses key questions in this risk assessment process, such as the current management and measurement of integrity risk.
Fraud: Internal Audit's Role in Detection and Prevention
This presentation discusses the fundamentals of fraud and the role of internal audit in detection and prevention of fraud.
Global Privacy Analysis Application Questionnaire: System Information Garnering
This questionnaire helps determine whether new technologies, information systems and initiatives or proposed programs and policies meet basic privacy requirements. The purpose of such an initiative is to provide documented assurance that privacy issues have been appropriately identified, adequately addressed or communicated to more senior management for further direction.
Happy Cow vs. Hedgehog: Getting Straight on Principle 8
Many organizations are now well into the adoption of COSO 2013 as their integrated control framework in complying with Sarbanes-Oxley Section 404 and for other purposes, but are still struggling with Principle 8—a critical part of the Risk Assessment component of COSO 2013.
Hotel Financial and Treasury Review Audit Work Program
This audit work program assists with a comprehensive review of the treasury area for a hotel or hospitality property.
Hotel Financial Reporting and Revenue Recognition Review Audit Work Program
This work program provides a comprehensive review of hotel revenue.
Improving Utilities’ Operational Efficiency with SAP HANA Advanced Analytics
SAP's recent technological innovation, Enterprise HANA, offers exciting new opportunities for utility companies that are under substantial margin pressure due to growing capital expenditures, borrowing costs and regulatory controls on pricing for electric and gas services.
Insider Trading Policy
This policy outlines a set of procedures for insider trading. Transactions must comply with these procedures in order to comply with securities laws as defined by the Securities and Exchange Commission.
Integrated Audit Plan – Audit Committee Report
This audit report provides a background on the PCAOB's Auditing Standard 5 (AS5) and covers its impact on a variety of areas.
Internal Audit Strategic Focus Questionnaire
This questionnaire explores internal audit’s strategic contributions and what management and boards should expect from audit going forward.
Internal Audit’s Expanded Role in Assessing AML Technology
The increasing complexity and integration of AML technologies require internal audit to transform the way it assesses AML systems in order to help protect the institution.
Internet Usage Policy
This sample policy defines the conditions under which an employee, contractor, vendor or other person may access and use the internet via a company’s private network.
Making Internal Audit a Value-Adding Contributor to Economic Recovery
The severity of the current global economic downturn has left organizations around the world searching for ways to contain costs, improve efficiencies, maintain customer satisfaction levels and protect their balance sheets. This unprecedented economic crisis has been nothing short of an urgent call to action for more robust risk management practices in organizations. Not only is it essential for internal audit to ensure that its activities are fully aligned with the expectations of the organization’s leadership, it is vital for the organization’s leaders to look to the internal audit function for the support they need. This issue of The Bulletin explores how internal audit can contribute to the organization as it recovers from crisis, and what management and boards of directors should expect of internal audit going forward.
Managing Corruption Risk Involving Foreign Officials and Avoiding Its Impact on Reputation
Civil and criminal fines stemming from anti-corruption noncompliance can be costly. Firms that paid bribes to foreign officials have been subjected to criminal and civil enforcement actions, resulting in large fines, as well as suspension and debarment from federal procurement contracting. In addition, reputation damage due to negative media attention can devastate the bottom line and impair shareholder value. To avoid these consequences, many firms have implemented detailed compliance programs intended to prevent, deter and detect improper payments by employees and agents. It is critical for management to ensure that a robust anti-corruption compliance program, including anti-corruption controls, is in place. This issue of The Bulletin briefs on how to manage corruption risk and uses the FCPA as a framework for this discussion.
Managing Corruption Risk
Consequences of corruption violations include criminal and civil enforcement actions, profit disgorgements, mega fines, and suspensions from government contracting, jail terms for employees and reputation-damaging headlines. To avoid these consequences, firms should consider an anti-corruption program intended to prevent, deter and detect improper payments by employees and agents. Companies should establish risk-based policies and procedures that provide reasonable assurance the organization and its agents are adhering to the provisions of applicable anti-corruption laws, and implementing adequate systems of internal controls. This issue of Board Perspectives: Risk Oversight shares how a robust anti-corruption program can save companies from the expensive consequences of corruption violations.
Managing Legal and Ethical Issues Guide
This guide highlights leading practices and performance measures organizations can use to manage ethical and legal issues.
Managing Outsourcing and Offshoring Risk – Questionnaire
As companies focus on managing their operations in a difficult economic environment, they seek to become leaner and more focused, efficient and effective. This document focuses on questions for board members and management to consider when managing risks related to outsourcing or offshoring business activities.
Measuring the Right Metrics and Leveraging Key Risk and Performance Indicators to Enhance the End-To-End Transaction Monitoring Program
Financial institutions ask themselves "How do we know whether our transaction monitoring (TM) systems and/or processes are optimized or not?" This article answers that question.
More Resources Are Required to Master Third-Party Risks
As corporate boards, auditors and regulators increase their scrutiny of vulnerabilities associated with third parties, vendor risk management (VRM)—and particularly the danger of lost or compromised data through third-party service providers—remains cause for concern at most organizations.
Network Access and Infrastructure Audit Work Program
This audit program outlines steps to test the effectiveness of an organization’s network access and infrastructure. The test steps focus on the organization’s related policies and procedures, review and follow up of prior audit recommendations, custom reports, segregation of duties, business continuity/disaster recovery, laws and regulations, general ledger, outsourced processes, and fraud consideration regarding the network infrastructure.
"No Fraud Here?" Look Again, Says New Survey From Protiviti and Utica College
With regulators and prosecutors increasingly holding executives accountable for fraud prevention, there's a strong incentive to replace the old refrain of "no fraud here" with the more proactive "not on my watch."
Preparing for the Change to EMV and New Fraud and Security Risks: What U.S. Merchants Need to Know
This white paper provides an overview of the potential implications of the Europay, MasterCard and Visa (EMV) standard for U.S. merchants (including new risk areas) and offers tips for making a successful transition.
Procurement and Accounts Payable: Segregation of Duties Questionnaire
This is a segregation of duties overview, matrix, and questionnaire for the procurement and accounts payable process. It will assist internal auditors in identifying individuals who may be performing incompatible duties that could lead to a circumvention of internal controls.
Protecting Enterprise Value Through Your Anti-Fraud Program – Questionnaire
A company’s anti-fraud program is an integral part of its corporate governance process and is fundamental to protecting tangible and intangible enterprise value and preserving the reliability of public reporting. This document focuses on key questions for board members and management when evaluating the anti-fraud program.
Protecting Enterprise Value Through Your Anti-Fraud Program
Simply stated, an anti-fraud program is a group of policies and procedures, backed by senior management, which fosters ethical and responsible business behavior. A company’s anti-fraud program is an integral part of its corporate governance process and is fundamental to protecting enterprise value and preserving the reliability of public reporting. With the audit committee providing oversight, management is tasked with establishing, validating and monitoring effective internal controls to quickly prevent, deter and detect fraud. What is an anti-fraud program? Why is it important? How should companies evaluate their anti-fraud program? In this issue of The Bulletin, we will answer these and other questions. We will also provide observations and recommendations for management and audit committees to consider when evaluating their anti-fraud program.
Record Disposal and Retention Policy
This policy outlines procedures for document disposal and storage periods. It defines the requirements for document disposal, including recycling and shredding of paper, records, documents, forms, notes, and labels that may convey confidential information and ensuring that business-sensitive, client-related information is properly processed. It also records the minimum time required to maintain documents for all corporate functions and personnel. This policy applies to all pertinent and reasonable business-related documents included in an established chain of custody for such materials that ensures a secure method for containing, collecting, transporting, storing and transferring waste. In the event that a lawsuit, government or regulatory agency investigation is threatened, the legal department and executive management will notify the facilities manager or vendor to cease and desist activity of document disposal, such as daily shredding, until further notice.
Sarbanes-Oxley Year-End Audit Committee Report
This report to the audit committee focuses on the progress of the Sarbanes-Oxley Section 404 program.
Section 404 Compliance: Planning for Next Year
Year Two of Section 404 compliance for most accelerated filers is shaping up to be a year of incremental improvement. Management has taken a hard look at items such as number of key controls and testing scopes. This issue of The Bulletin focuses on some of the opportunities companies should consider as they plan for Year Three.
Segregation of Duties Questionnaire: Significant Cash Disbursement Applications
The following document outlines a set of steps to be followed when reviewing segregation of duties in significant cash disbursement applications.
Segregation of Duties in Significant Cash Receipts Applications Questionnaire
This form has been designed to highlight potentially conflicting duties performed by one individual which could impact the effectiveness of controls over a cash receipts application.
Segregation of Duties Questionnaire: Financial Controls
This segregation of duties questionnaire focuses on the treasury, revenue, and purchasing and accounts payable processes.
Segregation of Duties: Controls for Significant Accounting Applications
Segregation of duties is an integral part of the internal control environment. The following assessment form will assist you in understanding a function's segregation of duties and related internal control effectiveness. Sales, accounts receivable, and related cash collections are included.
Setting the 2006 Audit Committee Agenda
Much has happened since 2003 when the SEC adopted rules mandated by The Sarbanes-Oxley Act of 2002 (SOX) that, among other things, expanded and formalized the responsibilities of audit committees. Rather than focus on history, this issue of The Bulletin provides observations and ideas for boards and their audit committees regarding matters they should consider during the coming year.
Signature Authorities Policy
This policy establishes the authorization matrix for committing a company to legal obligations and financial commitments and in conducting financial transactions. Appropriate authorization must be obtained prior to ordering goods and services and in no event will payment be made prior to receiving proper authorization. Procedures relating to related-party transactions and the Foreign Corrupt Practices Act (FCPA) are also included. This policy is intended to apply to company operations worldwide, effective immediately.
Software Licensure Compliance Audit Work Program
This sample work program can be modified for scope considerations that will depend on the extent of the software agreement under review.
Spending Authority Review Audit Work Program
This work program provides steps and considerations for reviewing spending authority policies and processes.
Spreadsheet Risk Management FAQ: Table of Contents
This table of contents and FAQ list is a reference for the Spreadsheet Risk Management FAQ, which is designed to answer frequently asked questions about spreadsheet risk based on real business need.
Spreadsheet Risk Management: Frequently Asked Questions - Second Edition
Many companies rely on spreadsheets as key applications that support operational and financial reporting processes. The increased regulation and compliance that now impact spreadsheet control are not surprising given the past few years of numerous multimillion-dollar errors and frauds attributed to the use of spreadsheets. We also see companies filing reports of material weaknesses and deficiencies with the Securities and Exchange Commission (SEC) as a result of the lack of controls around their financial reporting spreadsheets. This regulatory pressure and increasing focus from auditors are forcing organizations to address the issue of spreadsheet risk management, though few really understand what the issue is and what they need to do about it. This booklet represents a pragmatic response to spreadsheet risk based on real business needs. Although this publication uses the term "spreadsheet," much of the guidance applies equally to other end-user-developed applications, such as databases and reports.
Taking the Best Route to Managing Fraud and Corruption Risks
Given the dynamic nature of white-collar crime and fraud, it isn’t surprising that the Yates Memo is only the latest in a series of catalysts that prompted Protiviti and the Economic Crime and Justice Studies Department at Utica College to conduct a comprehensive survey of white-collar crime and the fraud risk management frameworks used to combat them. In this report, we detail notable findings that emerged from our survey.
The Challenges of Managing a Global AML Program
This article discusses the number of nuances that exist in the way AML requirements apply across the United States, the United Kingdom and Hong Kong.
The Company You Keep: A Case for Supplier Codes of Conduct
According to Protiviti and the Economic Crime and Justice Studies Department at Utica College, only a small fraction of companies conduct reasonable vendor due diligence.
The Panama Papers Leak Helps Bring Third-Party Risk Into Focus
Lessons learned from the recent Panama Papers leak and guidelines for a robust third-party anti-corruption program are outlined in this article by Protiviti Managing Director Scott Moritz.
Top 10 Lessons Learned From Implementing COSO 2013
In this issue of The Bulletin, we share 10 lessons learned from COSO 2013 successful implementations from a variety of sources—working with our clients, information gathered from thousands of attendees at our webinar series, and our annual SOX Compliance Survey.
Vendor Management: Realizing Opportunities in the Financial Services Sector
The building blocks of the vendor management framework presented in this paper can be assembled in ways that address each institution’s unique organizational structure and needs.
Vendor Fraud: Scott Moritz Answers Your Questions
Scott Moritz answers some of the top questions submitted by participants during a recent Protiviti webinar focused on investigating vendor fraud.
Whistleblower Policy and Procedures
This policy establishes standards and procedures to ensure that the accounting and audit-related complaint handling process complies with management’s and the audit committee’s objectives.
Who Are Your Customers, Business Partners and Employees? Information Drives an Effective Anti-Corruption Program
In this article, we outline the three most critical areas for which companies need to collect the right information, in order to deem their anti-corruption programs effective.
You Can’t Protect Intellectual Property and Sensitive Data Unless You Know What You are Trying to Protect
In this article, we discuss the critically important information that those who are charged with the responsibility of assessing the effectiveness of network security should be aware of.