IT Compliance and Controls

Converging Business, Information, and Controls


Fraud and SAS 99

December 17th, 2007

There are three conditions (in line with the ACFE Fraud Triangle) that are present where fraud exists – incentives, opportunities, and rationalizations. These break down as:

  1. Incentives – The perpetrator is under pressure or receives a benefit from the action (ex: default mortgage)
  2. Opportunity – The capability to execute fraud (ex: low possibility of detection, no controls, no monitoring)
  3. Rationalization – The fraudulent action is seen as acceptable (for example: “everybody” cheats on expense reports)

Taken together, these conditions raise the likelihood of a fraud occurring, and the size of the impact rises equally as the conditions combine. Of course, not all of them need to exist for a fraud to occur, but portions of these conditions must be present for a fraud to be impactful. SAS 99 highlights that professionals must maintain “professional skepticism” and should never accept less-than-persuasive evidence provided by respondents.

General recommendations highlighted (certainly not a complete accounting) in SAS 99 include:

  • The team should brainstorm to determine possible areas of fraud
  • Open queries should be conducted to determine if fraud has been reported (to hotlines, managers, HR, or the Audit Committee)
  • Using a risk approach, the audit team should consider risk in areas where the capability of fraud is highest
  • Good assessments include clear methods of identifying and measuring fraud vulnerabilities
  • Establish an open, collaborative, and cross-organizational forum for identifying fraud risks

There are numerous areas at risk of fraud in an organization, but as with any risk the organization faces, it is important to include the conditions that contribute to the likelihood and impact of a fraud. Organizations must merge these fraud considerations with the information governance program across the enterprise. Check out SAS 99 for a great start for an organization, and consider a CFE-accredited professional or designated team within your enterprise.

Additional resources:
NSW Audit Self Assessment Checklist (1998, old but still relevant)
NSW Better Practices for Fraud Control Improvements


James DeLuccia IV

Tags: Monitoring and Performance Reviews · Policy and Procedures · Risk Awareness · Technology Intelligence · Tone at the Top
