MONDAY: 24 April 2023. Afternoon Paper. Time Allowed: 3 hours.
Answer ALL questions by indicating the letter (A, B, C or D) that represents the correct answer. This paper is made up of one hundred (100) Multiple Choice Questions. Each question is allocated one (1) mark.
1. Which of the following is NOT an area, factor or consideration related to fraud risk governance scorecard?
A. Organisational commitment to fraud risk governance
B. Fraud risk governance support by the board of directors
C. Establishing a comprehensive fraud risk policy
D. None of the above
2. Which of the following is NOT an area, factor or consideration related to fraud risk assessment scorecard?
A. Involving appropriate levels of management in the fraud risk assessment
B. Analysing internal and external factors
C. Identifying management override of controls as a risk only, if there is inadequate oversight over management
D. Considering various types of fraud
3. Which of the following statements is ACCURATE in regard to a fraud risk assessment report?
A. The report should contain a detailed, comprehensive list of the assessment findings
B. The report should contain a detailed, comprehensive list of the information gathered
C. The results of the risk assessment should be reported in a simple framework
D. None of the above
4. Which of the following is NOT an area, factor or consideration related to fraud control principle scorecard?
A. Promoting fraud deterrence through preventive and detective controls
B. Integrating the preventive and detective controls with the fraud risk assessment
C. Considering organisational specific factors relevant business processes
D. Analysing internal and external factors
5. Which of the following is NOT an area, factor or consideration related to fraud investigation and corrective action scorecard?
A. Establishing fraud investigation and response plan and protocols
B. Conducting investigations
C. Communicating investigation results
D. Utilising a combination of fraud control activities
6. Which of the following is NOT accurate in regard to a fraud risk assessment process?
A. The assessment team must be perceived as independent and objective by the organisation for the process to be effective
B. Management and auditors should share ownership of the process and accountability for its success
C. Conducting an effective fraud risk assessment requires thinking like a fraudster
D. None of the above
7. Which of the following statements is ACCURATE in regard to fraud risk assessment?
A. The auditor should not incorporate the results of a fraud risk assessment into the annual audit plan
B. The auditor should ignore the results of a fraud risk assessment and conduct an independent fraud risk assessment
C. The auditor should conduct a comprehensive fraud risk assessment before conducting an audit
D. None of the above
8. A well-designed and effective system of internal controls can:
A. Eliminate risk of fraud
B. Reduce risks of fraud to be within the organisation’s risk appetite
C. Eliminate fraud
D. All the above
9. Which of the following statements is ACCURATE in regard to fraud risk assessment reporting frameworks?
A. Fraud risk assessment frameworks have been developed to fit any organisation.
B. Fraud risk assessment results can be reported in a micro or macro framework
C. Fraud risk assessment results can only be reported in a standard framework
D. None of the above
10. The fraud risk assessment team, should NOT consider which of the following fraud risks in addition to the specific risks related to each of the three categories of occupational fraud:
A. Reputation risk
B. Law and regulatory risk
C. Information and technology risk
D. None of the above
11. Corporate espionage, and hacking schemes are all fraud risks pertaining to which of the following fraud categories?
A. Occupational fraud
B. External fraud
C. Information technology
D. None of the above
12. A fraud risk assessment report should reflect which of the following assessment team’s opinion formed during the assessment engagement:
A. Professional subjective opinion
B. Expert opinion
C. Qualified opinion
D. None of the above
13. A Forensic auditor can only evaluate an area as high risk, only if the assessment has found which of the following?
A. The residual risk is high
B. The inherent risk is high
C. There have been previous incidences
D. All the above
14. Which of the following is NOT accurate in regard to an effective internal control system?
A. It reduces the perception of detection
B. It reduces fraud risks
C. It balances preventive and detective controls
D. All the above
15. Which of the following BEST describes management decision to accept a risk, rather than mitigate the risk?
A. Mitigating the risk
B. Transferring the risk
C. Avoiding the risk
D. None of the above
16. If management decides to mitigate risks, which of the following BEST describes what management should do?
A. Transferring the risk
B. Put preventive and detective controls
C. Assuming the risk
D. None of the above
17. There are various factors that influence the level of fraud risk faced by an organisation. Which of the following is NOT one of them?
A. The effectiveness of its internal controls
B. The culture of the organisation
C. The ethics of its leadership team
D. None of the above
18. Fraud risks that exist before management has put in place fraud-related controls are referred to as:
A. External risks
B. Residual risks
C. Internal risks
D. None of the above
19. Fraud risks that remain after management has put in place fraud-related controls are referred to as:
A. Inherent risk
B. Fraud risks
C. Residual risks
D. None of the above
20. In identifying fraud risks that pertain to an organisation, the fraud risk assessment team should specifically NOT discuss which of the following as potential fraud risks?
A. Management override of controls
B. Collusion
C. Low perception of detection
D. None of the above
21. Which of the following statement is ACCURATE in regard to ensuring the objectivity of the assessment team?
A. The assessment should be conducted by a consultant
B. The assessment should be conducted by the organisation with the assistance of a consultant
C. The assessment should be conducted by the risk department only
D. None of the above
22. Controls that are designed to stop fraud before it occurs, and to detect when fraud has already occurred, are referred to as which of the following respectively?
A. Detective, investigative controls
B. Preventive and detective controls
C. Investigative, deterrent controls
D. None of the above
23. Which of the following individuals or groups would be the MOST appropriate sponsor for a fraud risk assessment?
A. An Auditor
B. The Board
C. The CEO
D. The audit committee
24. Detective anti-fraud controls include all of the following EXCEPT:
A. Reducing pressure
B. Proactive data analysis techniques
C. Fraud reporting hotline
D. Continuous detection controls
25. Which of the following is NOT accurate regarding the communication of the fraud risk assessment process?
A. The communications should be in the form of a message from the risk assessment sponsor who must be a senior person who can command authority
B. The communication should be personalised, to enable all members of staff to embrace the process to make it more effective
C. The communication should be openly communicated throughout the business
D. None of the above
26. After the conclusion of the fraud risk assessment process, which of the following is NOT accurate in regard to how management should use the results
A. Use the results to promote awareness and education across the organisation
B. Evaluate progress against agreed action plans
C. Use the assessment results to monitor the performance of key internal controls
D. None of the above
27. Which of the following techniques for gathering information during a fraud risk assessment enables the fraud risk assessor to observe the interactions among several employees as they collectively discuss a question or issue?
A. Interviews
B. Survey
C. Hotline
D. Focus group
28. Which of the following is NOT accurate about the fraud risk assessment team?
A. Team members should have a good understanding of fraud, diverse knowledge, and skills in risk assessment.
B. Team members should have advanced education in risk management
C. Team members should be individuals with experience and good skills for gathering and eliciting information
D. None of the above
29. Which of the following is NOT accurate in regard to anti – fraud controls and fraud risks?
A. Risks that are present before mitigation are described as inherent risks
B. The objective of anti-fraud controls is to make the residual fraud risk significantly smaller than the inherent fraud risk
C. The objective of anti-fraud controls is to mitigate the inherent fraud risks
D. The objective of anti-fraud controls is to make the inherent fraud risk significantly smaller than the residual fraud risk
30. Which of the following members are NOT appropriate fraud risk assessment team members?
A. The risk officers
B. External auditors
C. Internal auditors
D. None of the above
31. During a fraud risk assessment, the assessment team should NOT consider which of the following:
A. Possibility for collusion
B. The inherent limitations of internal controls
C. Internal controls that might have been eliminated due to restructuring or expansion efforts
D. None of the above
32. All the following are true in regard to fraud risk assessment EXCEPT?
A. The results should be used to develop plans to mitigate fraud risk
B. It can help management identify individuals and departments which put the organisation at the greatest risk of fraud
C. It can help management eliminate fraud risks
D. All the above
33. Which of the following is NOT a fraud risk?
A. Unfair personnel practices
B. Management’s behaviour
C. Incapable guardians
D. None of the above
34. If an area is assessed as having a high fraud risk, which of the following procedures should management conduct?
A. Put specific detective measures to increase the perception of detection
B. Conduct a fraud detection audit
C. Transfer some risks
D. None of the above
35. The fraud risk assessment process should be conducted through which of the following methods?
A. Undercover
B. Overt
C. Open
D. Interviews
36. The response to a risk identified during a fraud risk assessment, if management decides to eliminate an activity or a product because the control measures required to mitigate the risk are too costly, is referred to as which one of the following?
A. Assuming the risk
B. Mitigating the risk
C. Avoiding the risk
D. Transferring the risk
37. Auditors should evaluate whether the organisation is appropriately managing the moderate-to-high fraud risks identified during the fraud risk assessment. Which one of the following evaluation methods should the auditor use?
A. Identifying within the moderate-to-high-risk areas whether there is a moderate-to-high risk of management override of internal controls
B. Designing and performing tests to evaluate whether the identified controls are operating effectively and efficiently
C. Identifying and mapping the existing controls that pertain to the low-to-high fraud risks identified in the fraud risk
D. All of the above
38. Preventive anti-fraud controls include all of the following EXCEPT:
A. Fraud awareness training
B. Segregation of duties
C. Hiring policies and procedures
D. None of the above
39. In response to a risk identified during a fraud risk assessment, if management decides to purchase an insurance policy to help protect the company against fraud risk associated with employee’s embezzlement, which one of the following BEST describes this type of response
A. Avoiding the risk
B. Mitigating the risk
C. Transferring the risk
D. None of the above
40. Which of the following is ACCURATE in regard to a fraud risk assessment?
A. The fraud risk assessment should include only management and auditor’s views to ensure a holistic view of the organisation’s fraud risks
B. The views of the management and the auditor are sufficient and would also help to maintain independence and objectivity of the assessment process
C. The fraud risk assessment team should apply only qualitative measures when assessing the organisation’s fraud risks
D. None of the above
41. Payment of bribes to procure business is a fraud risk pertaining to which of the following category of occupational fraud?
A. Corruption
B. Kickbacks
C. Economic extortion
D. Asset misappropriation
42. A process aimed at proactively identifying an organisation’s vulnerabilities to both internal and external fraud is referred to as:
A. A fraud risk examination
B. Fraud risk identification
C. Fraud risk detection
D. None of the above
43. The fraud triangle has three elements that explain the root causes of fraud. Which of the following BEST describe those root causes?
A. Asset misappropriation risks
B. Corruption
C. Environmental risks
D. None of the above
44. Theft of competitor trade secrets, anti-competitive practices, environmental violations, and trade and customs regulations related to import and export are all fraud risks BEST described as:
A. External fraud risks
B. Asset misappropriation risk
C. Internal fraud risk
D. None of the above
45. The management of ABC company wants to develop a formal risk management program using a risk management framework as a guideline. In developing the program, management should tailor the framework to the organisation’s:
A. Market condition
B. Business environment
C. Organisation culture
D. None of the above
46. Weighing an organisation’s strategic, operational, reporting, and compliance objectives against the organisation’s risk appetite is BEST described as which one of the following?
A. Risk management
B. Risk evaluation
C. Risk treatment
D. None of the above
47. According to COSO, a process that is designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, in order to provide reasonable assurance regarding the achievement of the entity’s objectives is referred to as:
A. Fraud risk assessment
B. Fraud prevention
C. Fraud risk management
D. None of the above
48. Which of the following is NOT accurate with regard to the objective of the fraud risk management program?
A. Management must do a cost and benefit analysis of the anti-fraud controls against the amount of risk it is willing to accept
B. Management should express risk appetite according to the organisation’s culture and operations
C. Management should consider previous incidences of fraud as an objective of a fraud risk management
program
D. None of the above
49. Which of the following is NOT a component an which an organisation should include in its fraud risk management program?
A. Disclosure of conflict of interest
B. Quality assurance activities
C. Whistleblower protection policies
D. None of the above
50. Which of the following is NOT an objective of a fraud risk management program?
A. Fraud deterrence
B. Fraud response
C. Fraud prevention
D. None of the above
51. In defining the objectives of the fraud risk management program, management can decide to express its risk appetite using different measurements. Which of the following is NOT one of those measurements?
A. Quantitatively
B. Qualitatively
C. Materiality
D. None of the above
52. The primary responsibility for designing, implementing, monitoring, and improving the fraud risk management program rests with which party?
A. Risk Officer
B. Internal Auditor
C. The Board of Directors
D. Management
53. Which of the following is NOT one of the board of directors’ responsibilities pertaining to fraud risk management?
A. Providing oversight over the organisation’s fraud risk management activities
B. Setting realistic expectations of management to enforce an anti-fraud culture
C. Designing and implementing fraud-related controls
D. None of the above
54. According to an organisation’s fraud risk management program, which of the following statement is NOT accurate in regard to employee’s responsibility?
A. Employees must be aware of how non-compliance might create a risk of fraud
B. Employees must cooperate with investigators during investigations of suspected or alleged fraud incidents, in compliance with anti-fraud policy
C. Employees are expected to assist in the design and implementation of fraud control activities
D. None of the above
55. Different parties in an organisation have different levels of responsibility for fraud. Which of the following parties is responsible for developing a strategy to assess and manage fraud risks to be within the organisation’s risk appetite?
A. The Internal Audit Department
B. The Management
C. The Board of Directors
D. None of the above
56. The audit committee has specific responsibilities for fraud risk management. Which of the following is one of those responsibilities?
A. Receiving annual reports on the status of reported or alleged fraud
B. Monitoring and proactively improving the fraud risk management program
C. Performing and regularly updating the fraud risk management program
D. None of the above
57. Risk management includes a number of activities in respect to risks that threaten an organisation. Which of the following is NOT one of those activities?
A. Monitoring
B. Identification
C. Treatment
D. Detection
58. According to the joint IIA, AICPA, and ACFE publication ‘Managing the Business Risk of Fraud: A Practical Guide’, who has the ultimate responsibility for fraud risk?
A. Internal Audit
B. The Board of Directors
C. Employees at all levels
D. Management
59. Which of the following is NOT one of the components of COSO’s Enterprise Risk Management-Integrated Framework?
A. Control activity
B. Internal environment
C. Objective settings
D. None of the above
60. Which of the following is NOT a function, where the audit committee has an oversight responsibility?
A. Operations function
B. Accounting function
C. Risk management function
D. None of the above
61. Which of the following is NOT accurate in regard to what should be included in a fraud risk management program?
A. On a case basis response plan
B. Measures and procedures to address internal control weaknesses that allowed the fraud to occur
C. Sanctions for fraud perpetrators
D. All the above
62. Which of the following statements is NOT accurate in regard to an organisation’s fraud risk management program?
A. It should have measures and procedures to address failures in the design or operation of anti-fraud controls
B. Unintentional non-compliance must be well-publicised and carried out in a consistent and firm manner
C. There should be a team, committee or an individual held responsible for monitoring compliance andresponding to suspected incidences of non-compliance
D. All of the above
63. All the following are types of detective anti-fraud controls EXCEPT:
A. Continuous audit techniques
B. Ethic performance goals
C. Surprise audits
D. Analytical data review
64. According to Dr. Donald Cressey, which of the following is NOT a root cause of fraud?
A. The nature of the business
B. The geographic regions in which it operates
C. The absence of internal controls
D. None of the above
65. Communication by board of directors and senior management in regard to their dedication and commitment to the fraud risk management program should be issued through a formal statement. Which of the following statements is NOT accurate?
A. The statement should be provided to all employees
B. The statement should not be provided to vendors, customers and consultants
C. The statement should acknowledge the organisation’s vulnerability to fraud
D. None of the above
66. Which of the following is NOT accurate in regard to the fraud risk assessment process?
A. The assessment team is expected to express a personal opinion based on results the exercise
B. The assessment team is expected to make a subjective judgement in regard to the residual risk
C. Fraud risk assessment team should not conduct a risk assessment in areas where employees will view them as not objective
D. None of the above
67. According to the COSO, which of the following is NOT a principle involved in the risk assessment process?
A. Identification of potential fraud
B. Assessing changes that could significantly impact the internal control system
C. Monitoring of the risk management strategy
D. None of the above
68. The fraud risk assessment team should identify specific fraud risks related to each of the three categories of fraud, and also identify other fraud risks. Which of the following is NOT one of those fraud risks?
A. Justification for engaging in fraud
B. Low perception of detection
C. Perceived situational pressure
D. None of the above
69. Which of the following is NOT one of the five components of the ERM Framework?
A. Governance and culture
B. Strategy and objective setting
C. Performance
D. Control activities
70. Which of the following is NOT correct according to the joint COSO/ACFE Fraud Risk Management Guide and Managing the Business Risk of Fraud in regard to employees and management?
A. All employees must understand the organisation’s ethical culture and the organisation’s commitment to that culture.
B. Only management and auditors should have good knowledge of fraud risks and red flags
C. All employees must understand their individual roles within the organisation’s fraud risk management framework
D. None of the above
71. Which of the following statements is NOT true?
A. The risk of not detecting a material misstatement resulting from fraud is higher than the risk of not detecting a material misstatement resulting from error
B. The risk of the auditor not detecting a material misstatement resulting from management fraud is greater than for employee fraud
C. The discovery of a material misstatement of the financial statements resulting from fraud does not, in itself, indicate a failure to comply with ISAs
D. Discovery of fraudulent transactions depends on the preparation and skill of the auditors.
72. Which of the following statements is NOT accurate in regard to fraud risk management?
A. Risk management involves the detection of risks
B. Risk management involves prioritisation and treatment of risks
C. Risk management involves monitoring of risks that threaten an organisation’s ability to provide value to its stakeholders
D. None of the above
73. Which of the following statements, in relation to fraud identification and detection is ACCURATE?
A. Identification and detection of fraud are similar but not identical
B. The terms “identification” and “detection” of fraud can be used interchangeably
C. Identification of fraud is the same as auditing for fraud
D. None of the above
74. The fraud risk assessment team should identify fraud risks on what basis?
A. Residual basis
B. Both inherent and residual basis
C. Inherent basis
D. None of the above
75. Which of the following statements is ACCURATE in regard to fraud risk appetite?
A. High tolerance for fraud and to risk tolerance terminology can be used interchangeably
B. The management and board should have Zero tolerance for fraud, but no Tolerance for fraud risk
C. The management and board should not have any risk appetite under any circumstances
D. None of the above
76. Which of the following statements is NOT accurate in regard to a fraud risk register?
A. A risk register is a document used as a risk management tool
B. A risk register can also be used to fulfill regulatory compliance
C. A risk register is a repository for all risks identified
D. None of the above
77. Fraud risks are assessed based on several criteria. Which of the following is NOT one of them?
A. The likelihood that the risk will materialise
B. The impact if the risk materialised
C. The effectiveness of the fraud related controls
D. The strength of the internal controls
78. Which one of the following defines treatment for residual risks that require designing and implementing more fraud related controls?
A. Transferring the risk
B. Avoid the risk
C. Assume the risk
D. None of the above
79. The board of director’s, responsibility for, risk oversight, establishing operating structures, and defining the desired culture, are examples of which of the following principles of COSO ERM 2017?
A. Strategy and objective setting
B. Review and revision
C. Information and communication
D. None of the above
80. An effective fraud risk management program does NOT have which one of the following components?
A. Inform the organisation that management will proactively conduct fraud detection activities
B. Enhances the organisation’s positive public image and reputation
C. Promotes goodwill with other organisations and the general public
D. None of the above
81. The Fraud Risk Management Principle related to organisation establishing and communicating a fraud risk management program that demonstrates the expectations of the board of directors and senior management and their commitment to high integrity is related to which one of the following COSO integrated control framework components?
A. Fraud risk governance
B. Control activities
C. Information and communication
D. None of the above
82. The Fraud Risk Management Principle related to organisation, selecting, developing, and deploying preventive and detective fraud controls is related to which one of the following COSO integrated control framework:
A. Control environment
B. Risk assessment
C. Information and communication
D. None of the above
83. Which of the following statement BEST describes a fraud risk register?
A. Is a tool that documents the detected frauds
B. Is a tool that is used to list the identified risks
C. It is a tool that is used to document red flags identified
D. All the above
84. Which of the following is NOT accurate in regard to a fraud risk assessment framework?
A. It is a detailed report of the assessment team’s findings
B. It is a report that is used to document response plan
C. It is a report that is used to document individuals responsible for action
D. All the above
85. All parties in an organisation have some responsibility in fraud risk management. However, the level of responsibility differs. Which one of the following parties has the responsibility for evaluating the effectiveness of the fraud risk management program?
A. Ethics and compliance officer
B. Management
C. Board of directors
D. None of the above
86. Embezzlement or theft of inventory is a fraud risk pertaining to which of the following categories of occupational fraud?
A. Kickbacks
B. Economic extortion
C. Corruption
D. None of the above
87. When conducting risk identification, the fraud risk assessment team should specifically NOT discuss which of the following fraud risks?
A. The risk of management overriding controls
B. Reputational risk
C. Information and technology risk
D. None of the above
88. Which of the following is NOT one of the five broad principles of fraud risk management?
A. Risk governance
B. Fraud risk assessment
C. Information and communication
D. None of the above
89. Which of the following is one of the five broad principles of fraud risk management?
A. Monitoring
B. Control environment
C. Information and communication
D. None of the above
90. Which of the following principle relates to organisation establishing and communicating a fraud risk management program that demonstrates the expectations of the board of directors and senior management and their commitment to high integrity and ethical values regarding managing fraud risk?
A. Control environment
B. Fraud Risk Assessment Principle
C. Fraud Control Activities
D. None of the above
91. Which of the following principles is related to the organisation performing comprehensive fraud risk assessments to identify specific fraud schemes and, assess their likelihood and significance, evaluate existing fraud control activities, and implement actions to mitigate residual fraud risks?
A. Fraud Risk Governance Principle
B. Fraud Risk Assessment
C. Fraud Investigation and Correction Action
D. None of the above
92. Which of the following principles relate to the organisation selecting, developing, and deploying preventive and detective fraud control activities to mitigate the risk of fraud events occurring or not being detected in a timely manner?
A. Fraud Risk Governance Principle
B. Fraud Control Activities
C. Fraud Risk Management Monitoring Activities Principle
D. None of the above
93. Which of the following is a fraud risk management principle related to the organisation establishing a communication process to obtain information about potential fraud, and deploys a coordinated approach to investigations and corrective action to address fraud appropriately and in a timely manner?
A. Fraud Risk Governance Principle
B. Fraud Control Activities
C. Fraud Risk Assessment Principle
D. None of the above
94. According to ‘Managing the Business Risk of Fraud’, which of the following is NOT a type of a fraud risk management component?
A. Affirmation process
B. Process evaluation and improvement (quality assurance)
C. Continuous monitoring
D. None of the above
95. Which of the following is NOT a principle for risk management provided by ISO 31000: 2018?
A. Is integrated into high-risk organisational activities
B. Is structured and comprehensive
C. Is customised and proportionate to the organisation’s operations and objectives
D. Is inclusive and provides for appropriate and timely consideration of stakeholders’ knowledge, views, and perceptions
96. According to Managing the Business Risk of Fraud, which of the following is NOT a component for effectively managing fraud risk:
A. Statement of commitment – a written statement of commitment to the program from the board of directors and senior management
B. Fraud awareness – an informal fraud risk awareness program for all employees
C. Affirmation process – a requirement for directors, employees, and contractors to explicitly affirm that they have read, understood, and complied with the organisation’s code of conduct and fraud risk management program
D. None of the above
97. Which of the following statement is NOT accurate in regard to management reinforcing an anti-fraud culture?
A. Management should visibly adhere to the same set of ethics policies that are required of all employees
B. Management should demonstrate to employees that unethical behaviour will not be tolerated
C. Create an environment in which employees fear management so that they can adhere to management’s instructions and policies
D. None of the above
98. The primary responsibility for designing, implementing, monitoring, and improving the fraud risk management program rests with senior management. Which of the following statement is NOT accurate in regard to what management must do?
A. Management must be very familiar with the organisation’s fraud risks.
B. Management must ensure that the organisation has specific and effective internal controls in place to prevent and detect fraud.
C. Management must set the right tone at the top and monitor the company culture to ensure it appropriately supports the organisation’s fraud prevention and detection
D. Management should only clearly communicate in words that fraud is not tolerated
99. Fraud risk management requires combined effort, where different parties have specific responsibilities. Which of the following statements is NOT accurate in regard to responsibilities for fraud risk management?
A. Management has the primary responsibility for designing, implementing and monitoring of the fraud controls
B. Board of directors has the primary responsibility for developing strategy and supporting the fraud risk
management initiatives
C. The auditor has the primary responsibility for fraud prevention and detection
D. None of the above
100. A Fraud Risk Management Program, like any other program must have objectives. Therefore, management must balance some factors in determining the program’s objectives. Which of the following is NOT an objective of the fraud risk management program?
A. Management’s risk appetite
B. The investment in anti-fraud controls
C. The prevention of frauds that are material in nature or amount
D. None of the above