
Internal Control

Uploaded by

shetangjoshua

INTRO TO FRAUD AND INVESTIGATION

Fraud is any activity that relies on deception in order to achieve a gain. It is an intentional act
of deceit designed to reward the perpetrator or to deny the rights of a victim. Any deceit with
an intent to illegally gain a financial advantage over a person or entity is a fraud.
For an act to constitute fraud:
a) The perpetrator must be aware that the action, statement or claim is
false or altered
b) There is an intent to deceive for economic benefit
Many scientists have proposed theories to explain the reasons why fraud persists. According
to Donald R. Cressey, a renowned criminologist, a person is most likely to commit fraud
when he has enough motivation or pressure (financial pressure); an opportunity presents itself
(opportunity), and there is enough justification for acting (rationalisation).
Historically, fraud dates back to the beginning of human existence, but the documented case was
in 300 BC, when two Greek sea merchants, Hegestratos and Zenosthemis, devised a plan to enrich
themselves by taking out a bottomry, an insurance policy on their ship and cargo. According to the
agreement, they were required to repay loaned money with interest after selling their
merchandise. If they failed to repay the loan, the lender would gain possession of the ship and
its cargo.
After leaving the dock, both men decided to sink the ship so they could pocket all the loaned
money. However, they were caught in the act; Hegestratos lost his life while attempting to
escape, and Zenosthemis faced the law’s wrath in the Athenian courts.
Most common fraud types
Fraud can take different forms: an insurance scam like the one Hegestratos tried to pull off is
just one of over 40 types of fraud today. For simplicity, we will touch on the most prevalent
ones:
● Phishing, smishing and vishing
● Credit card and debit card fraud
● Remote banking fraud
● Identity theft and identity fraud
● Advance fee fraud
● APP fraud
● Account takeover
● Card not present (CNP) fraud
● Covid 19 fraud
● Cyber fraud
● Ponzi schemes or other investment fraud

Fraud Triangle
Business owners are interested in understanding the mindset behind employee fraud because
it provides an opportunity to put preventive measures in place.
In the 1970s, criminologist Donald R. Cressey published a model called the “fraud triangle.”
The fraud triangle outlines the three conditions that lead to higher instances of occupational
fraud: motivation, opportunity, and rationalization. When an employee has a reason for
committing fraud, gets a chance to do so without getting caught, and can come up with a
justification for their behaviour, they’re more likely to commit an occupational crime. Studies
affirmed that 80% of fraud occurs when the three conditions are present.
Motivation
There are as many different motivations for fraud as there are people in the world, but they
can be sorted into a few main categories:
• Sudden changes in circumstances: a partner’s job loss, a surprise medical bill
• Disgruntlement: a sense of being wronged, being passed over for a promotion or
denied a raise
• Survival: inability to afford life-saving medicines or to put food on the table
• Status pressure: feeling compelled to keep up with peers’ earning or spending
• Peer pressure
• Personality trait
• Addiction
Opportunity
Perhaps the easiest piece of the triangle for business owners to control is opportunity. No
matter how disgruntled or desperate an employee might feel, they can only commit fraud if
they’re given the chance to do so.
Standardized processes and rigorous oversight procedures are key to keeping operations
invulnerable to fraud. However, it’s not enough to just put these systems in place: the
opportunity for fraud still exists if security protocols are present but unmonitored, ineffective,
or unenforced. Similarly, a lack of surveillance, internal control or regular audits, among
others, could give room for fraud to occur.
Rationalization
The final piece of the fraud triangle is rationalization. Even when people have motivation and
opportunity, most will not choose to act unless they can justify to themselves why their fraud
is “okay.” Even those who could be incentivized to break the law given the right motivation
usually wouldn’t be willing to do so if it meant they were harming someone else.
But when it comes to defrauding a company, many fraudsters can convince themselves that
theirs is a victimless crime.
For instance, an accountant who sees how much their sales department spends entertaining
potential clients may justify skimming a few funds here and there for themselves.
Or an account lead on a work trip might charge unnecessary extras to their hotel room
because “everyone does it; it’s one of the perks of the job.”
An effective way to prevent these types of rationalizations is to champion transparency when
it comes to company finances. For instance, with a policy in place that bonuses depend on
the company’s ability to hit a certain profit margin, employees will have a better
understanding of the importance of a few funds here and there.
When employees witness the company’s profits being reinvested in its workforce, they’re
more likely to engage emotionally in the success of the team.
Fraud Control
Fraud control is the process of preventing, detecting, and responding to fraudulent activities.
Organizations need to have fraud control policies that allow them to investigate and take
action against those suspected of fraud. They also need to implement internal controls that
make it harder for criminals to commit fraud and help them identify and minimize the losses
from fraud. Fraud control is an important element of fraud risk management and
organizational efficiency.
Fraud control policies allow organizations to have the power to investigate and react as
needed to those suspected of fraud, including possibly filing a lawsuit against them. In some
cases, alerting the police might be the appropriate response.
Fraud Prevention
Fraud prevention refers to a firm’s policies, functions and processes that keep fraud from
occurring. No strategy is foolproof, but fraud prevention controls are an important element in
the overall fraud risk management framework. Organizations are required to continuously
assess the fraud risks and implement appropriate controls to prevent the occurrence of such
fraud risks.
Fraud prevention and detection are complementary strategies to reduce fraudulent activity
and losses. Fraud detection identifies fraudulent activity that has occurred or been attempted.
It responds to an existing threat. With fraud prevention, firms implement policies and
safeguards that make it harder for criminals to commit fraud.
Effective internal controls help organizations prevent fraud and detect it early, thus mitigating
losses. A well-designed internal control system can lead to more effective and efficient
operations because, for example, it allows organizations to identify and improve upon
duplicate or unnecessary procedures and weaknesses in their systems.
Simply put, to protect an organization from fraud, it is necessary to lock down the system
of internal controls. Moreover, the internal control process should include three types of
internal controls: Preventive controls to prevent fraud from happening; Detective controls to
identify and minimize the harm of fraud that has already occurred; and Deterrence to attack
the root causes and enablers of fraud.
Fraud Detection
Fraud detection is defined as a process that detects scams and prevents fraudsters from
obtaining money or property through false means. Fraud is a serious business risk that needs
to be identified and mitigated in time. Fraud detection is a set of activities undertaken to
detect and block attempts by fraudsters to obtain money or property fraudulently.
Fraud detection is prevalent across banking, insurance, medical, government, and public
sectors, as well as in law enforcement agencies.
While fraud detection identifies fraudulent activity that has occurred or been attempted, fraud
prevention implements policies and safeguards that make it harder to commit fraud, e.g.
screening, technology, etc.
Fraud detection generally involves data analysis-based techniques. These techniques are
broadly categorized as statistical data analysis techniques and artificial intelligence or
AI-based techniques.
Fraud Deterrence
Fraud deterrence involves proactively identifying and removing the potential causes and
opportunities for fraud in an organisation. The goal is not only to prevent fraud from
occurring but also to discourage individuals within an organisation from attempting to
commit fraudulent acts. Elements of a fraud deterrence strategy include:
• Establishing a strong ethical culture
• Implementing an internal control system
• Regularly monitoring and auditing
• Establishing a reporting mechanism
• Enforcing consequences
• Risk assessments

INVESTIGATION TECHNIQUE
Fraud investigations aim to uncover what behaviours occurred, by whom, and how.
Steps to Conducting a Successful Fraud Investigation
(1) Understanding Fraud and Its Implications
Fraud is a deliberate act of deception intended for personal gain or to cause a loss to another
party. It's a serious crime that can have far-reaching implications. The impact of fraud
extends beyond financial loss. It can damage the reputation of an organization, affect
employee morale, and even lead to legal consequences. Understanding the implications of
fraud is the first step towards conducting a successful investigation.
(2) Pre-Investigation: Setting the Stage
Before diving into a fraud investigation, it's crucial to set the stage properly. This involves
having a clear fraud policy in place and assembling a competent investigation team. A well-
defined process helps ensure that the investigation is thorough, legal, and effective. It also
provides a roadmap for the investigation team to follow. The pre-investigation stage is also
the time to consider the potential implications of the investigation. This includes the potential
impact on the reputation and the legal consequences of the investigation.
Establishing a Fraud Policy
A clear and documented fraud policy is a must for any organization. It defines what
constitutes fraud within the organization and outlines the steps to take when fraud is
suspected. Having a fraud policy in place provides guidance during an investigation and
serves as a deterrent to potential fraudsters.
Assembling the Investigation Team
The next step is to assemble an investigation team. The team must possess the required
knowledge to carry out the investigation. The team may include internal auditors, legal
advisors, human resources personnel, and external experts if necessary. The team's
composition may vary depending on the nature and complexity of the suspected fraud.
Remember, the team should always maintain secrecy and should be impartial during the
investigation.

(3) The Investigation Process


Once the stage is set, the actual investigation process begins. This process involves several
steps, each crucial to the success of the investigation. From securing evidence to conducting
interviews, each step must be carried out carefully. The process also requires a keen
understanding of legal compliance and ethical considerations.
Initial Steps and Securing Evidence
The first step in the investigation process is to secure and preserve evidence. This is crucial as
evidence forms the backbone of any fraud investigation. Evidence can be in various forms,
including documents, electronic data, and witness testimonies. It's important to collect and
handle evidence in a way that maintains its integrity.
Here are some steps to consider:
a) Secure physical and digital evidence immediately.
b) Document the chain of custody.
c) Preserve the evidence in its original form.
d) Consult with legal counsel to ensure proper handling of evidence.
Legal Compliance and Ethical Considerations
Legal compliance and ethical considerations are paramount in a fraud investigation.
Investigators must be aware of laws and regulations related to evidence collection, privacy
rights, and interviewing techniques.
Any breach of these laws can jeopardize the investigation and lead to legal consequences for
the organization. It's also important to be impartial and avoid confirmation bias during the
investigation.
Conducting Interviews
Interviewing potential suspects and witnesses is a critical part of the investigation process. It's
important to plan and conduct these interviews in a manner that is effective and respectful of the
interviewee's rights.
Investigators should prepare for each interview by reviewing the evidence and formulating
questions. They should also be trained to assess the credibility of the interviewee and to
handle sensitive information carefully.
Analyzing Data and Forensic Accounting
Data analysis and forensic accounting play a significant role in fraud investigations. These
techniques can help detect fraudulent activities that may not be immediately apparent.
Forensic accountants can examine financial records for signs of fraud, while data analysis can
reveal patterns and anomalies. The use of technology, including data mining and predictive
analytics, can greatly enhance the effectiveness of these techniques.

(4) Documenting the Investigation


Documenting the investigation is a crucial part of the process. It involves recording every
step taken, from the initial suspicion of fraud to the final resolution. This documentation
serves as a record of the investigation. It can be used for legal proceedings, internal reviews,
or future reference.
It's important to maintain a clear and consistent format for documentation. This ensures that
the information is easily accessible and easy to comprehend.
Creating a Clear and Concise Report
Once the investigation is complete, a report should be created. This report should summarize
the investigation, including the evidence collected, the interviews conducted, and the
findings.
The report should be clear, concise, and objective. It should present the facts without bias and
include any recommendations for action. Creating a comprehensive report concludes the
investigation and provides a basis for any necessary follow-up actions. It's a critical step in
ensuring the effectiveness of the fraud investigation process.

(5) Post-Investigation Actions


After the investigation and reporting, the next step is to take corrective measures. These
actions depend on the findings of the investigation. They may include actions against the
fraudster, recovery of lost funds, or legal proceedings. It's important to follow through on
these actions to ensure accountability.
Furthermore, the organization must share the findings of the investigation with pertinent
stakeholders. This helps maintain transparency and trust within the institution.

Taking Corrective Measures


Corrective measures are a crucial part of the fraud investigation process. They serve to rectify
the situation and prevent future occurrences. Things that can be done include firing the person
committing fraud, putting stricter rules in place, or taking legal steps. The specific actions
will depend on the nature and severity of the fraud.
Preventing Future Fraud
Preventing future fraud is a key goal of any fraud investigation. This involves identifying the
weaknesses that allowed the fraud to occur and addressing them.
This could involve strengthening internal controls, improving employee training, or
enhancing fraud detection systems. It's also important to regularly review and update these
measures to ensure their effectiveness.
Avoiding fraud safeguards not just the assets of the organization, but also its reputation. It's a
critical part of maintaining trust and confidence among stakeholders.

Conclusion
In conclusion, conducting a successful fraud investigation is crucial for organizations to
protect their assets, reputation, and stakeholder trust. Conducting a successful fraud
examination and investigation requires careful planning, thorough execution, and diligent
follow-up. Organizations can effectively combat fraud, protect their resources, and maintain
the trust of their stakeholders by applying these steps.
It's important to ensure that these measures are fair, legal, and in line with the policies of the
organization. This helps maintain the integrity of the organization and deter future fraud.

INTERNAL CONTROL
Definition of internal control
The Auditing Practices Committee defines internal control as “The whole system of controls,
financial and otherwise, established by the management in order to carry on the business of
the enterprise, in an orderly and efficient manner, ensure adherence to management policies,
safeguard the assets and secure as far as possible the completeness and accuracy of the records”.
International Standards on Auditing (ISA 400) states that internal control system means all
the policies and procedures adopted by the management of an entity to assist in achieving
management’s objective of ensuring, as far as practicable, the orderly and efficient conduct of
its business, including adherence to management policies, the safeguarding of assets, the
prevention and detection of fraud and error, the accuracy and completeness of the accounting
records and the timely preparation of reliable financial information.
In other words, internal control (IC) is a system that ensures the smooth and efficient running
of the financial, operational and strategic activities of an organisation. It aims to protect
resources against waste, fraud and inefficiency; to ensure accurate and reliable accounting and
operational data; and to secure compliance with laid-down policies, with evaluation of the same
at intervals.
Main IC Categories
• Preventive controls
• Detective controls and
• Corrective controls
Objectives of internal control
Internal control is concerned with the controls operative in every area of corporate activity as
well as with the way in which individual controls inter-relate. The above definitions establish
four objectives of internal controls as:
a) Promoting operational efficiency
b) ensuring adherence to management policies
c) safeguarding the assets of the organisation and
d) to secure completeness and accuracy of the records, that is, ensuring the reliability of the
financial statement
Scope/components of internal control
There are five components of internal control, namely:
• The control environment
• The entity’s risk assessment process
• The information systems relevant to financial reporting
• Control activities and
• Monitoring of controls
The Control Environment
The control environment is the framework within which controls operate. It includes the
governance and management functions and the attitudes, awareness, and actions of those
charged with governance and management concerning the entity’s internal control and its
importance to the entity. While a strong control environment does not, by itself, ensure the
effectiveness of the overall internal control system, it is a positive factor when assessing the
risks of material misstatement. Management attitude towards control is a significant factor in
determining how controls operate. Controls are more likely to operate well in an environment
where they are considered important. The existence of an internal audit function and a budgetary
system strengthens the control environment.
When assessing the effectiveness of the control environment, the auditor should pay attention
to the following elements of control environment:
1. Communication and enforcement of integrity and ethical values – these influence the
effectiveness of the design, administration and monitoring of controls;
2. Commitment to competence – Management’s consideration of the competence levels for
particular jobs and how such levels translate into requisite skills and knowledge;
3. Management’s philosophy and operating style – their approach to taking and managing
business risks, attitudes and actions towards financial reporting as well as attitudes towards
information processing and accounting functions and personnel;
4. Participation by those charged with governance – their independence from management,
experience and stature, extent of involvement in control activities and scrutiny of activities
and appropriateness of actions and interaction with internal and external auditors.
5. Organisational structure – The framework within which an entity’s activities are planned,
executed, controlled and reviewed.
6. Assignment of authority and responsibility - how authority and responsibility for operating
activities are assigned and how reporting relationships and authorization hierarchies are
established.
7. Human resource policies and practices – recruitment, orientation, training, evaluating,
counseling, promoting, compensation and remedial actions.
The auditor assesses whether these elements of the control environment have been
implemented using a combination of inquiries of management and observation and inspection.
Entity’s Risk Assessment Process
ISA 315 requires the auditor to obtain an understanding of whether the entity has a process
for:
• Identifying business risks relevant to financial reporting objectives;
• Estimating the significance of the risks;
• Assessing the likelihood of their occurrence;
• Deciding upon actions to address those risks.
The auditor should note whether the entity has established such a process or not, and discuss
with management whether relevant business risks have been identified and how they have been
addressed.
Information System relevant to Financial Reporting.
Information system relevant to financial reporting consists of the procedures and records to
initiate, record, process and report entity transactions and to maintain accountability for the
related assets, liabilities and equity.
In respect of this component, the auditor looks into the following areas:
• The classes of transactions in the entity’s operations that are significant to the financial
statements.
• The procedures by which those transactions are initiated, recorded, processed, corrected
and reported in the financial statements.
• The related accounting records, supporting information, and specific accounts in the
financial statements, in respect of initiating, recording, processing and reporting transactions.
• How the information system captures events and conditions, other than transactions, that
are significant to the financial statements.
• The financial reporting process used to prepare the entity’s financial statements, including
significant accounting estimates and disclosures.
• Controls surrounding journal entries used to record non-recurring, unusual transactions or
adjustments.
The auditor should note how the entity communicates financial reporting roles and
responsibilities and significant matters relating to financial reporting.
Control Activities.
Control activities are those policies and procedures that help ensure that management
directives are carried out. They include all activities designed to prevent or detect and correct
errors. The elements or types of control activities include:
Segregation of duties: This requires that no one person initiates, authorizes, processes,
records and maintains custody of assets arising from a transaction. That is, functions involved
in a given transaction should be separated and carried out by different persons.
Physical controls: This concerns physical custody of assets and the design of procedures to
limit access to authorized personnel only. It involves limiting direct access e.g. by locking up
documents and other values in safes or warehouses or through the use of usernames and
passwords and other digital techniques to restrict access to computer files etc.
Authorisation and Approval: Every transaction should require authorization or approval by an
appropriate person. Authorisation limits should also be specified.
Management controls: These include all supervisory controls by management over and above
daily routine supervision, performance reviews, internal audit and other special review
procedures.
Supervision: All the activities of staff should be supervised by appropriate line personnel.
Responsibilities for supervision should be communicated to people concerned.
Organisation: There should be a functional organisation chart, defining lines of authority and
responsibilities, including lines of reporting. The delegation of authority and responsibility
should be clearly specified.
Arithmetical and Accounting controls: These involve ensuring that all transactions are
authorized, completely captured, correctly recorded and accurately processed. Procedures
include checking the arithmetical accuracy of the records, reconciliations, use of control
accounts, sequence or continuity checks etc.
Personnel: Procedures should be designed to ensure that personnel have the appropriate skill
sets, are competent, possess integrity and are motivated to carry out the tasks assigned to
them. Systems are as good as the people operating them.
ISA 315 requires that the auditor obtains an understanding of control activities relevant to the
audit and how the entity responds to risks arising from IT.
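An added example, not part of the original notes: three of the control activities listed above (segregation of duties, authorisation limits, and sequence or continuity checks) run as detective checks over a payment-voucher register. The register, field names, staff names and approval limits are constructed assumptions for illustration.

```python
"""Detective checks over a payment-voucher register (constructed sample data)."""
from collections import Counter
from dataclasses import dataclass
from decimal import Decimal
from typing import Optional

# The functions that, per the notes, no one person should combine on a transaction.
ROLES = ("initiated_by", "authorised_by", "recorded_by", "custodian")


@dataclass(frozen=True)
class Voucher:
    number: int
    amount: Decimal
    initiated_by: str
    authorised_by: Optional[str]  # None means no approval was recorded
    recorded_by: str
    custodian: str


def segregation_findings(v):
    """Flag any person who holds more than one role on the same voucher."""
    holders = {}
    for role in ROLES:
        person = getattr(v, role)
        if person:
            holders.setdefault(person, []).append(role)
    return [
        (v.number, "segregation_of_duties", f"{person} holds {'+'.join(roles)}")
        for person, roles in sorted(holders.items())
        if len(roles) > 1
    ]


def authorisation_findings(v, limits):
    """Flag a missing approver, an approver without authority, or an exceeded limit."""
    if v.authorised_by is None:
        return [(v.number, "authorisation", "no approval recorded")]
    limit = limits.get(v.authorised_by)
    if limit is None:
        return [(v.number, "authorisation", f"{v.authorised_by} has no approval authority")]
    if v.amount > limit:
        return [(v.number, "authorisation",
                 f"{v.amount} exceeds {v.authorised_by}'s limit of {limit}")]
    return []


def sequence_findings(vouchers):
    """Continuity check: report duplicated and missing voucher numbers."""
    counts = Counter(v.number for v in vouchers)
    if not counts:
        return []
    findings = [(n, "sequence", "duplicate voucher number")
                for n, c in sorted(counts.items()) if c > 1]
    for n in range(min(counts), max(counts) + 1):
        if n not in counts:
            findings.append((n, "sequence", "missing voucher number"))
    return findings


def review(vouchers, limits):
    """Run every check and return (voucher_number, control, detail) findings."""
    findings = []
    for v in vouchers:
        findings += segregation_findings(v)
        findings += authorisation_findings(v, limits)
    return findings + sequence_findings(vouchers)


# Constructed approval limits and register; all names and amounts are hypothetical.
LIMITS = {"chidi": Decimal("5000"), "amaka": Decimal("50000")}
REGISTER = [
    Voucher(1001, Decimal("1200.00"), "bola", "chidi", "dayo", "efe"),   # clean
    Voucher(1002, Decimal("900.00"), "chidi", "chidi", "dayo", "efe"),   # self-approved
    Voucher(1003, Decimal("7500.00"), "bola", "chidi", "dayo", "efe"),   # over limit
    Voucher(1005, Decimal("300.00"), "bola", None, "dayo", "dayo"),      # unapproved
    Voucher(1005, Decimal("300.00"), "bola", "amaka", "dayo", "efe"),    # number reused
]

if __name__ == "__main__":
    for number, control, detail in review(REGISTER, LIMITS):
        print(f"{number}  {control:<22} {detail}")
```

The checks only detect; as the limitations section of these notes points out, collusion between two employees or a management override would pass every one of them.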
Monitoring of Controls
Monitoring of controls is a process to assess the effectiveness of internal control performance
over time. It includes assessing the design and operation of controls on a timely basis and
taking necessary corrective actions modified for changes in conditions.
The auditor should obtain an understanding of the major control activities that the entity uses
to monitor internal control over financial reporting, and how the entity initiates corrective
actions to address deficiencies in its controls. He should also understand the sources of
information used in monitoring activities and the basis on which management considers it reliable.

THE ESSENTIAL FEATURES OF INTERNAL CONTROL


The detailed nature of the controls operative within any commercial organisation will depend
upon:
a) The nature and size of the business conducted
b) The number of administrative staff employed
c) The volume of transactions
d) The materiality of transactions concerned
e) The importance placed upon internal controls by the organisation’s own management
f) The management style of the entity, particularly the trust placed in the integrity and honesty
of the key personnel and the latter’s ability to supervise and control their own subordinate
staff
g) The geographical distribution of the enterprise and many other factors.
Limitations of Accounting and control systems
Internal control systems have inherent limitations which include:
i. The possibility of controls being by-passed or overridden by management
ii. Collusion between employees, rendering ineffective segregation of duties as a control
measure
iii. The potential for human error – the system is as effective as the personnel that implement
it.
iv. Controls may be designed to cope with routine and not non-routine transactions, that is,
the one-off or unusual transactions tend not to be the subject of internal control;
v. The requirement that the costs of controls do not outweigh their benefits, that is, that the
cost of an internal control is not disproportionate to the potential loss which may result from
its absence;
vi. Changes in environment making controls inadequate.
Problems of Internal control system in small companies
• It is not possible to achieve full segregation of duties in small companies as in large
companies due to the small complement of staff;
• This may lead top management to depend on close personal involvement in operations
with little need to install formalised controls;
• This may also lead them to override controls and purposely exclude some transactions
from accounting records;
• The auditor must therefore design an audit program which will be detailed enough to
establish the accuracy and completeness of transactions;
• He will have to carry out detailed vouching and verification of assets and liabilities in the
financial statements.
Based on the above, we can sum up common IC deficiencies in SMEs as:
- Inadequate documentation/records
- Lack of separation of duties
- Unclearly defined job roles and responsibilities
- No formal ethical roles and procedures
- No oversight and review
- Improperly defined business cycle
- Lack of control with authorisation of transactions
- Lack of physical and logical security
- Ineffective information system
- Inadequate disaster recovery, backups and business continuity plans
Internal controls in a computerized environment
Controls in a computerized environment include both manual procedures and procedures
designed into computer programmes. Two types of controls exist, namely general controls
and application controls.
General IT controls: These consist of policies and procedures that support the effective
functioning of application controls. They include controls over data centre and network
operations, system software acquisition, access security, change and maintenance, application
system acquisition, development and maintenance.
Application controls: These are manual or automated procedures that operate at a business
process level. They are designed to ensure the integrity of the accounting records. They relate
to procedures used to initiate, record, process and report transactions or other financial data.
The purpose of such controls is to ensure that all transactions are authorized and recorded,
and are processed completely, accurately and on a timely basis.
Major computer-based information systems
-Customer Relationship Management (CRM)
-Enterprise Resource Planning (ERP)
-Supply Chain Management (SCM)
-Data Warehousing (DW)
Summary
Internal control as a process enables an entity to achieve organizational objectives in
operational effectiveness and efficiency, reliable financial reporting, and compliance with
laws, regulations and policies. Every control system is designed to ensure the orderly and
efficient conduct of business, safeguard the assets of the entity, prevent and detect fraud,
ensure the completeness and accuracy of accounting records and the timely production of
financial information. A complete system of internal control therefore should have the
following five components, namely: a good control environment, a sound entity risk
assessment process, information systems relevant to financial reporting, functional control
activities and an effective monitoring system.
