
Name of Members:

Gabriela N S (041711333139)
Cancelyn S P (041711333144)
Aurellia K (041711333158)
Gabriela M H (041711333161)
Dheanisa K P (041711333162)
Natasya Z S (041711333175)

TECHNICAL LITERATURE AND RISK ASSESSMENT


The notion of risk assessment has been part of the technical literature for audits,
which suggests or outright requires that audits incorporate risk assessment. Standards in recent years
reflect increased coverage of risks. For public companies, the relevant standard is the PCAOB's Auditing Standard No.
5 (AS5), An Audit of Internal Control over Financial Reporting That Is Integrated with an Audit
of Financial Statements (adopted in 2007). AS5 furthered AS2 concepts and emphasized the
importance of a top-down, risk-based approach to internal control audits, and the importance of
understanding the entity's environment (size, industry, etc.).
The American Institute of Certified Public Accountants (AICPA) adopted the ‘‘Risk
Suite’’ of standards, Statement on Auditing Standards (SAS) Nos. 104–111 in 2006. Broadly
speaking, the Risk Suite addresses risk assessment in the context of financial statement audits
and internal control. More specific to fraud, the AICPA’s SAS No. 99, Consideration of Fraud in
a Financial Statement Audit, provides guidance for financial auditors, including brainstorming
during the planning phase, and forced recognition of certain potential frauds, especially revenue
manipulation.
The Institute of Internal Auditors (IIA) promotes the idea that all of the internal audit
function audits and activities should begin with a risk assessment (e.g., sections 2010 and 2600
of Standards of Professional Practice in Internal Audit [SPPIA]). The Information Systems Audit
and Control Association (ISACA) also has the same requirement in its technical literature.
Statement on Information Systems Auditing Standards (SISAS), Use of Risk Assessment in
Audit Planning, outlines certain requirements related to fraud for information technology audits.
Many other ISACA standards address risk assessment as well, most notably SISAS 8, Audit
Considerations for Irregularities.
RISK ASSESSMENT FACTORS
Corporate Environment Factors
The Association of Certified Fraud Examiners (ACFE) 2008 Report to the Nation (RTTN)
surveyed its members regarding frauds that were resolved, and a total of 959 cases were
reported. One of the statistics relates to the industries represented by these cases. While the
statistical results could indicate the type of industry that is most likely to hire a Certified Fraud
Examiner (CFE) to investigate a fraud, the results also could indicate industries more susceptible
to fraud.
The 2008 RTTN results are:
- Industry by Frequency:
  - Banking/Financial services (14.5% of all cases reported)
  - Government/Public administration (11.7%)
  - Health care (8.4%)
  - Manufacturing (7.2%)
  - Retail (7%)
- Industry by Median Loss:
  - Telecommunications ($800,000/16 cases)
  - Agriculture/Forestry/Fishing/Hunting ($450,000/13 cases)
  - Manufacturing ($441,000/65 cases)
  - Technology ($405,000/28 cases)
  - Construction ($330,000/42 cases)

A risk assessment should also consider the current economy. In good times, people steal; in bad
times, people steal more! A 2008–2009 survey by the ACFE asked 507 CFEs to report on the
level of fraud since the beginning of the economic crisis. More than half indicated that the
number of frauds had increased during that time. Also, 49 percent reported an increase in the
dollar amount of the fraud losses during the same period.
Corporate Fraud Environment: Potential for Fraud
Factors:
- Management Style
- Management Orientations
- Management Structure and Control
- CEO Characteristics
- Authority
- Planning
- Performance
- Reporting
- Primary Management Concern
- Reward System
- Business Ethics
- Values and Beliefs
- Internal Relationships
- External Relationships / competitor
- Peer relationship
- Success basis / formula
- Human resource problem
- Financial Concern
- Company Loyalty
- Growth Pattern

Internal Factors

1. Failure to create an honest culture
2. Failure to articulate and communicate minimum standards of performance and personal conduct
3. Inadequate orientation and training on legal, ethical, fraud, and security issues
4. Inadequate company policies with respect to sanctions for legal, ethical, and security breaches
5. Failure to counsel and take administrative action when performance level or personal behavior
falls below acceptable standards, or violates entity principles and guidelines
6. Ambiguity in job roles, duties, responsibilities, and areas of accountability
7. Lack of timely or periodic audits, inspections, and follow-through to ensure compliance with
entity goals, priorities, policies, procedures, and governmental regulations.

Fraud Factors

For financial statement frauds, the executives of the entity are clearly the most likely would-be
fraudsters, and thus a risk assessment would necessarily include those individuals. For asset
misappropriation, an employee in a trusted position is likely to be the culprit. For corruption, it might be
the same, but it includes somebody outside the entity working with someone inside. The statistics from the
ACFE RTTNs can provide some assistance in making these determinations, as can a productive
brainstorming of a cross-functional team.

RISK ASSESSMENT BEST PRACTICE

In order to develop an effective risk assessment, management should take a conscientious, formal
approach rather than an ad hoc approach. That approach includes the people and the process.

- Leaders: For organizational management, the appropriate person normally would be someone
who has sufficient independence, such as someone from the internal audit function, if one exists,
and the ability to effectively support risk management.
- Team: The team should be chosen carefully. Although it should start with the internal expert
and/or consultant, it must include a broad cross-section of the entity.
- Frequency and Alignment with Finance: An annual frequency would allow fraud risk
assessments to align with the typical financial planning and/or financial reporting time frames.

Risk Management Checklists and Documentation


A risk management checklist is designed to assist accountants in assessing and managing the risk
of fraud in their organizations and those of their clients. Generally, all ‘‘No’’ answers require
investigation and follow-up, the results of which should be documented. Where there is such
additional documentation, the purpose of the ‘‘Ref’’ column is to cross-reference the checklist to
the appropriate source.
Using the checklist does not guarantee fraud prevention or detection and the checklist is not
intended as a substitute for audit or similar procedures. If fraud prevention is an especially vital
concern or if fraud is suspected, a systematic assessment beyond a checklist should be performed
and/or a specialist’s advice should be sought.

Fraud Schemes Checklist


Another approach to risk assessment is to use an appropriate taxonomy of fraud schemes. The
columns of this form of risk assessment include:
- The fraud scheme
- An assessment of inherent risk for that fraud in the particular entity or business process
- The factor internal controls have in mitigating that risk
- The ‘‘residual risk’’ left over after the mitigation of existing internal controls related to this
fraud scheme in this entity or business process
- Business processes, where the scheme is likely to occur, if it does occur
- Red flags, which could be used to detect this scheme

Different Entities to Assess


If an organization is large enough, it is recommended that a different assessment and team be
used for each major business unit, each significant business process that crosses business units,
the corporate unit, and any other entity or element that the leaders and team identify. It is
possible the company is so large that different layers may be necessary. A potentially more
effective, though more challenging, way to assess risk at a high level in large organizations is by
accounting or business processes as these can more accurately reflect the fraud risks present and
can more easily align with fraud schemes.

Fraud Schemes

Using other taxonomies, or good judgment about specific schemes that are risks to this particular
industry or entity, one should make any necessary additions or deletions. Herein is the value of using
brainstorming—teams using shared criteria to make sure that important schemes are not missed and
that irrelevant schemes are not considered (at least for specific entities certain fraud schemes may be
irrelevant).

Measures and Relationships

Measuring risk in a quantitative sense is usually quite difficult. Some base must be used as a corollary to
the impact of potential losses of a possible fraud. Such a determination should be made and agreed on
by the team according to shared, planned criteria. The critical and difficult job of measuring risks is again
a testament to the importance of selecting a diversified, organization-encompassing team able to make
logical decisions during the risk-assessment process.

Inherent Risk

The assessment could be a probability (1 to 100 percent) or simply low, medium, or high risk. A number
of factors can be considered here, some of which are industry, strategy, market volatility, and
organizational structure.

Controls Assessment

Auditors and other key people on the team should determine what controls are in place to mitigate the
specific fraud scheme. The assessment would, of course, match the method of assessing inherent risk
(percentage or tier).

Residual Risk

A simple mathematical function of subtracting the level of control mitigation from the inherent risk will
leave the residual risk. Again, it would take the form of whatever was chosen for inherent risk. Residual
risk will inevitably require one of two responses: no action, as the remaining risk is accepted, or action to
mitigate or remediate through additional prevention or detection procedures (even potentially including
the purchase of insurance).

Business Processes

The business process owner should be documented as the responsible party for the area and, if
applicable, for responding to unacceptable residual risk. Considering the aggregated number and risk
ratings of all schemes by business process can also shed light on fraud risk.
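
The scheme-by-scheme assessment described in the sections above (inherent risk, controls assessment, residual risk, business process owner), worked through as an added Python example that is not part of the original paper. The ratings, the 20 percent acceptance threshold, and the names `SchemeRow` and `by_process` are assumptions made for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

ACCEPTABLE_RESIDUAL = 20  # assumed risk appetite in percent; agreed on by the assessment team


@dataclass(frozen=True)
class SchemeRow:
    scheme: str
    inherent: int        # inherent risk, percent
    mitigation: int      # reduction credited to existing controls, same scale
    process: str         # business process where the scheme would occur
    owner: str           # process owner responsible for the response
    red_flags: tuple = ()

    def residual(self) -> int:
        for value in (self.inherent, self.mitigation):
            if not 0 <= value <= 100:
                raise ValueError(f"{self.scheme}: rating {value} is outside 0-100")
        # Controls cannot push risk below zero, so clamp the difference.
        return max(self.inherent - self.mitigation, 0)

    def response(self) -> str:
        # Two possible responses: accept the remaining risk, or act on it.
        return "accept" if self.residual() <= ACCEPTABLE_RESIDUAL else "mitigate"


def by_process(rows):
    """Aggregate scheme count and residual risk per business process."""
    summary = defaultdict(
        lambda: {"owner": None, "schemes": 0, "total_residual": 0, "to_mitigate": []})
    for row in rows:
        entry = summary[row.process]
        entry["owner"] = row.owner
        entry["schemes"] += 1
        entry["total_residual"] += row.residual()
        if row.response() == "mitigate":
            entry["to_mitigate"].append(row.scheme)
    return dict(summary)


# Constructed sample register; ratings are illustrative, not taken from the paper.
REGISTER = [
    SchemeRow("Fictitious revenue", 60, 25, "Sales and cash receipts", "Store manager",
              ("invoice issued while goods are still held",)),
    SchemeRow("Cash larceny", 70, 30, "Sales and cash receipts", "Store manager",
              ("unexplained cash discrepancies", "altered deposit slips")),
    SchemeRow("Billing scheme", 40, 35, "Purchasing", "Purchasing lead"),
]

if __name__ == "__main__":
    for process, entry in by_process(REGISTER).items():
        print(process, entry)
```
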

CASE ANALYSIS

1. List and explain in detail the types of fraud schemes that could occur at Cindy's boutique,
taking into account the control and operational systems in place.
Answer:
● Fraudulent Statement
Of the several types of fraudulent statements, the fraud scheme that could occur at Cindy's boutique is
fictitious revenue. As we know, fictitious revenue involves recording sales of goods or services
that never took place, with sales documents prepared as if the sale had occurred,
involving either fake customers or legitimate ones. In this
case, fictitious revenue could occur because the person who records sales transactions and the person who records cash
are the same, so there is no segregation of duties between recording sales
transactions and recording cash (bank deposits). This allows the party involved in the fictitious sale
to issue an invoice while the goods are still held.
● Asset Misappropriation Scheme
Of the several types of asset misappropriation schemes, the fraud scheme that could occur at
Cindy's boutique is larceny. Larceny usually occurs when cash is stolen
after it has been recorded in the company's books. In this case, theft could occur because
all employees of Cindy's boutique, from sales clerks to the manager, each have
the same access rights to the cash register, which makes theft possible,
indicated either by unexplained cash discrepancies or by deposit
slips that have been altered or misused.

2. Explain which investigative procedures you would perform to investigate whether a fraud scheme
has in fact occurred at Cindy's boutique.
- Physical check
- Confirmation
- Documentation
- Analytical review
- Inquiries (questions and answers)
- Reperformance
- Observation

Physical Examination and Observation
Physical examination is commonly understood as counting cash, securities, inventory, fixed assets,
and other tangible items. For investigative audits, the author does not distinguish between
physical examination and observation. In both techniques the investigator uses his or her senses
to learn and understand something.

Requesting Information and Confirmation
Requesting information from the auditee, whether oral or written, is a procedure auditors
routinely perform. As in an audit, so too in an investigative audit, a request for information
must be accompanied, reinforced, or corroborated with information from other sources obtained by
other means. Requests for information are very important and are also a normal procedure in an
investigative audit. In an investigative audit we must consider whether the third party has an
interest in the investigative audit.

Comparing Budget with Actual Results
The result of comparing budget data with actual data can indicate fraud. What needs to be
understood here is the budget execution mechanism, the evaluation of budget execution, and the
incentives embedded in the budget system. In entities that are profit centers or revenue centers,
certain officers receive incentives according to success measured by exceeding the budget. The
investigator needs to anticipate a tendency for actual sales to be reported high. Large-scale
credit sales and shipments of goods at year-end are an indication of this. Returns of goods after
year-end strengthen the indication of fraud.

Relationships Between One Set of Financial Data and Another
Several accounts, whether within one financial statement or across several, may have
relationships that can be used for analytical review. Examples: sales figures with receivables and
average inventory, sales figures with sales department bonuses, interest income with average
savings balances.

Using Non-Financial Data
The essence of analytical review is recognizing relationship patterns. These relationship patterns
need not exist only between one item of financial data and another.

Recalculation is nothing more than checking the accuracy of calculations. This is a very common
procedure in audits.
