John E. “Jack” Little, CFE, CPA, and Jenny Mak
Organizations of all sizes should regularly evaluate the systems they have in place to deter fraud, abuse and misconduct. This involves an organized review of current policies, procedures and controls that safeguard and protect an organization’s assets from unnecessary risk.
As part of a project in the spring 2015 Fraud Examination class in the Dyson School of Applied Economics and Management at Cornell University, a checklist was developed to aid in the evaluation of such systems. The class focused on understanding different types of fraud through textbook readings, guest speakers and local fraud cases. We began creating the checklist by reviewing a white paper authored by a group of forensic investigators from KPMG titled Fraud Risk Management, Developing a Strategy for Prevention, Detection and Response. The document provides an overview of the fundamentals involved in deterring the risk of fraud and abuse within organizations.
Applying key concepts from this resource, the class converted it into a checklist that can be used to gather information, document controls and procedures, and evaluate existing policies. The checklist focuses on three key areas of control: prevention, detection and response. Additionally, it indicates the specific KPMG document page number from which the question was developed for ease of guidance and reference. The checklist works in a way such that opportunities for improvement in the system of internal controls, policies and procedures become apparent when the questions are answered and the comments written up.
Once this checklist was designed, the student group moved to apply it to the systems used by Cornell University. Students first completed the checklist with information that was readily available online. Later, students met with the University Audit Office and Cornell Human Resources, both of whom provided additional information via interviews and discussions. After the meetings, the student circled back around to complete any gaps in the checklist. A copy of the completed checklist can be found here.
At the conclusion of our work, the class came to believe that the systems and controls in place at Cornell University were adequate. However, we had a number of suggestions for improvements to those systems and controls to strengthen the processes. Those recommendations were:
- Consider having a more formal fraud risk assessment conducted by independent outside consultants.
- Expand its use of data analytics within the internal audit function of the University Audit Office.
- To continue improvement in campus-wide training programs for fraud deterrence.
- To implement a universal acknowledgment by employees documenting their familiarity with Cornell’s policies and procedures for the deterrence of fraud, abuse and misconduct.
In a closing meeting with University Auditor Glen Mueller and Audit Director Mark Perry, the student group presented the completed checklist and recommendations. Since the final meeting, the University Audit Office has made a shift towards continuous monitoring through the use of data analytics and is actively working towards implementing the use of ACL software to track fraud.
It is our hope that by sharing this checklist, there will be a benefit for both practitioners and management of organizations who must consider a review of their systems of fraud deterrence.
John E. “Jack” Little, CFE, CPA, is the senior lecturer of accounting at the Dyson School of Applied Economics and Management at Cornell University in Ithaca, New York, and a local practitioner. His email address is: firstname.lastname@example.org.
Jenny Mak is senior in the Dyson School of Applied Economics and Management at Cornell University and will graduate with a Bachelor’s of Science with concentrations in accounting and finance in December. Upon graduation she will begin her career in the profession and will sit for the CPA Exam. Her email address is: email@example.com.