ISACA在A Professional Practices Framework for IS Audit/Assurance中提到舞弊的項目

ISACA Procedure and Guideline

2001 Audit Charter 4. Terminology Audit engagement: A specific audit assignment, task or review activity, such as an audit, control self-assessment review, fraud examination or consultancy.
2005 Due Professional Care 2.1 Professional Scepticism and Competency 2.1.3 Exercising due professional care should make professionals consider the possible existence of inefficiencies, misuses, errors and exclusions, incompetence, conflicts of interest, or fraud. It should also make professionals attentive for specific conditions or activities where these issues can occur
2006 Proficiency 2.1 Professional Competence 2.1.9 Professionals should possess the ability to recognise possible fraud indicators
2201 Engagement Planning 2.3 Scope and Business Knowledge 2.3.1 Before beginning an audit engagement, the work of professionals should be planned in a manner appropriate for meeting the audit objectives. As part of the planning process, professionals should obtain an understanding of the enterprise and its processes. This will assist them in determining the significance of the resources being reviewed as they relate to the objectives of the enterprise. In this way, professionals can focus on the areas most sensitive to fraudulent or inaccurate practices. They should establish the scope of the audit work and also perform a preliminary assessment of the internal controls over the function being reviewed.
2203 Performance and Supervision 2.4 Evidence 2.4.5 Appropriate analysis and interpretation should be performed by professionals to support the audit findings and form conclusions. Evidence and information received should be compared with expectations identified or developed by professionals. Professionals should be aware of:• Unexpected differences• The absence of differences when they were expected

• Potential errors • Fraud or illegal acts

• Non-compliance with laws or regulations

• Unusual or nonrecurring activities

4. Terminology Design effectiveness:
If the company’s controls are operated as prescribed by persons possessing the necessary authority and competence to perform the control effectively, satisfy the company’s control objectives and can effectively prevent or detect errors or fraud that could result in material misstatements in the financial statements, they are considered to be designed effectively. Source: PCAOB, Auditing Standard No. 5, 2007
2204 Materiality 2.3 Materiality and Controls 2.3.11 Control deficiencies are always material in areas where they have been overridden resulting in fraud or illegal acts.
2207 Irregularity and Illegal Acts 2.1 Irregularities and Illegal Acts 2.1.2 Irregularities and illegal acts can be committed by an employee at any level within the enterprise and may include activities such as, but not limited to:• Fraud, which is any act involving the use of deception to obtain illegal advantage• Deliberate misrepresentation of facts with the aim of gaining illegal advantage or hiding irregularities or illegal acts

• Acts that involve non-compliance with laws and regulations, including the failure of IT systems to meet applicable laws and regulations

• Unauthorised disclosure of data that is subject to privacy laws

• Acts that involve non-compliance with enterprise agreements and contracts with third parties, such as banks, suppliers, vendors, service providers and stakeholders • Manipulation, falsification, forgery or alteration of records or documents (whether in electronic or paper form)

• Suppression or omission of the effects of transactions from records or documents (whether in electronic or paper form)

• Inappropriate or deliberate leakage of confidential information

• Recording of transactions in financial or other records (whether in electronic or paper form) that lack substance and are known to be false (e.g., false disbursement, payroll fraud, tax evasion)

• Misappropriation and misuse of assets

• Skimming or defalcation, which is the misappropriation of cash before it is recorded in the financial records of an enterprise

• Acts, whether intentional or unintentional, that violate intellectual property (IP) rights, such as copyright, trademark or patents

• Granting unauthorised access to information and systems

• Errors in financial or other records that arise due to unauthorised access to data and systems

2.1.3 The determination of whether a particular act is illegal generally would be based on the advice of an informed expert qualified to practice law or may have to await final determination by a court of law. Professionals should be concerned primarily with the effect or potential effect of the irregular action, irrespective of whether the act is suspected or proven as illegal.
2.1.4 Not all irregularities should be considered fraudulent activities. The determination of fraudulent activities depends on the legal definition of fraud in the respective jurisdiction. Fraudulent irregularities include, but are not limited to:• Deliberate circumvention of controls with the intent to conceal the perpetuation of fraud• Unauthorised use of assets or services

• Abetting or helping to conceal these types of activities

Non-fraudulent irregularities may include:

• Intentional violations of established management policy

• Intentional violations of regulatory requirements

• Deliberate misstatements or omissions of information concerning the area under audit or the enterprise as a whole

• Gross negligence

• Unintentional illegal acts

2.6 Responding to Irregularities and Illegal Acts 2.6.2 Professionals should demonstrate an attitude of professional scepticism. Indicators (sometimes called ‘Fraud or Red Flags’) of persons committing irregularities or illegal acts are: • Overrides of controls by management • Irregular or poorly explained management behaviour • Consistently over performing, compared to set targets • Problems with, or delays in, receiving requested information or evidence • Transactions not following the normal approval cycles • Increase in activity of a certain customer • Increase in complaints from customers • Deviating access controls for some applications or users
2.6.4 Professionals should then consult with audit management to determine their next actions which may involve reporting the ‘event’ to enterprise management, passing further action to internal fraud investigators, and/or reporting to law enforcement or regulators
2.8 External Reporting 2.8.1 External reporting of fraud, irregularity or illegal acts may be a legal or regulatory obligation. The obligation may apply to enterprise management or the individuals involved in detecting the irregularities, or both. Legal reporting requirements for the auditor are subject to local jurisdiction and supercede internal policy and/or contractual agreements. Additional situations that may require external reporting include:• Compliance with legal or regulatory requirements• Court order

• Funding agency or government agency in accordance with requirements for the audits of entities that receive governmental financial assistance

• External auditor requests

2.8.6 Where professionals are aware that management is required to report fraudulent activities to an outside organisation, the professionals should formally advise management of this responsibility
2401 Reporting 2.2 Required Contents of the Audit Engagement Report 2.2.3 Professionals’ examination or review report about the effectiveness of control procedures should include the following elements:• A paragraph stating that because of the inherent limitations of any internal control, misstatements due to errors or fraud may occur and go undetected. In addition, the paragraph should state that projections of any evaluation of internal control over financial reporting to future periods are subject to the risk that the internal control may become inadequate because of changes in conditions, or that the level of compliance with the policies or procedures may deteriorate. An audit engagement is not designed to detect all weaknesses in control procedures because it is not performed continuously throughout the period and the tests performed on the control procedures are on a sample basis.
2.4 Additional Communication 2.4.4 Professionals should obtain written representations from management acknowledging, at a minimum, the following assertions:• Management has no knowledge of any fraud or suspected fraud, irregularities and illegal acts related to the subject area under review, including management and employees with responsibility for internal control not already disclosed.• Management has no knowledge of any allegations of fraud or suspected fraud, irregularities and illegal acts affecting the area under review received in communications from employees, clients, contractors or others not already disclosed.

• Acknowledgement of responsibility for the design and implementation of programs and controls to prevent and detect fraud, irregularities and illegal acts.






About The Author

Related posts

Leave a Reply