CFE-Fraud-Prevention-and-Deterrence Certified Fraud Examiner - Fraud Prevention and Deterrence Exam Question and Answers

Rational Choice Theory Overview:

This theory posits that individuals consciously weigh the benefits and risks of committing a crime and make calculated decisions to engage in criminal behavior if the perceived benefits outweigh the risks.

Deterrence Mechanism:

Crime can be deterred by reducing opportunities (e.g., strong internal controls) and increasing the likelihood of detection and punishment (e.g., effective monitoring systems).

Why Other Options are Incorrect:

A. Routine activities theory:Focuses on the convergence of motivated offenders, suitable targets, and lack of guardianship.

B. Differential association theory:Explains crime as learned behavior through interaction with others.

D. Social conflict theory:Suggests crime results from societal inequalities and power struggles.

Why C is Correct:

Rational choice theory explicitly addresses crime prevention through increased risks and reduced opportunities​​.

References for All Questions:

ACFE Fraud Examination Guide​​.

Criminological theories as applied to fraud prevention and deterrence​​.

Corporate governance frameworks and corruption-related risks​​.

Integrity in Fraud Examination:

Integrity involves critical thinking, independence, and prioritizing ethical principles over personal gain. Healthy debate and differences of opinion are integral to maintaining objectivity.

Why Option D is Incorrect:

Avoiding differences of opinion contradicts the need for professional skepticism and robust analysis in fraud examination.

Conclusion:Integrity does not require the avoidance of differences of opinion, making D the correct answer.

ï‚· Components of COSO Enterprise Risk Management (ERM):

The COSO ERM framework emphasizes the integration of risk management with strategy and performance, comprising the following components:

Governance and culture.

Strategy and objective-setting.

Performance.

Review and revision.

Information, communication, and reporting.

ï‚· Why D is Correct:

Governance and culture set the foundation for an organization’s risk management practices by establishing oversight, ethical values, and the operating structure.

ï‚· Why Other Options are Incorrect:

A (Independent monitoring):Monitoring is part of internal control, not specifically ERM.

B (Operating environment):Not a COSO ERM component.

C (Risk tolerance):A concept within ERM but not a standalone component​​.

Risks Associated with Specialized Departments:

While specialization improves efficiency, it can create silos that hinder communication, coordination, and oversight, increasing fraud risk.

Isolated departments may lack cross-functional checks and balances.

Conclusion:Specialized departments often increase fraud risk if not managed with proper controls and oversight.

Purpose of the Task:

The team seeks candid feedback on ethical tone, which requires a confidential and direct interaction method.

Comparison of Techniques:

A. Interviews:Effective for obtaining one-on-one feedback in a private setting.

B. Focus groups:Group dynamics may inhibit candid responses due to peer pressure.

C. Anonymous feedback mechanisms:These provide insights but lack the depth and follow-up opportunities of interviews.

D. Surveys:While useful for broad input, surveys are less effective for detailed exploration of ethical tone.

Conclusion:Interviews are the most helpful technique for gathering one-on-one candid feedback.

Integration of Fraud Risk Assessment in Audits:

The fraud risk assessment provides valuable input but does not replace the auditor’s independent responsibility to identify and assess fraud risks.

Why B is Correct:

Professional auditing standards require auditors to perform their own risk assessments, and the fraud risk assessment is only a tool to enhance this process.

Why Other Options are Correct:

A, C, and D reflect appropriate uses of fraud risk assessments in the audit process, such as increasing awareness and designing effective audit tests​​.

References for All Questions:

ACFE Code of Professional Ethics and Fraud Examination Guide​​.

COSO frameworks for corporate governance and fraud risk management​​.

Standards for incorporating fraud risk assessments into the audit process​​.

Privilege of Fraud Examination Reports:

Reports prepared by fraud examiners are not inherently privileged. Privilege depends on the legal framework, the purpose of the report, and whether the attorney-client privilege or work-product doctrine applies.

Without specific legal protection, reports may be subject to disclosure.

Conclusion:Fraud examination reports are not automatically privileged.

Comprehensive and Detailed in Depth Explanation:

Government auditors typically cannot unilaterally withdraw from an audit engagement, even in cases where fraud is identified. Public-sector audits often follow mandates from higher authorities or statutes that require the auditor to continue and report findings to oversight bodies. Additionally, fraud and abuse (including misconduct and misuse of assets) are relevant to government audits under ISSAIs, contrary to A and B. Option D is incorrect because public-sector audit objectives are often broader, encompassing compliance, performance, and integrity aspects.

Effect of Documenting Organizational Hierarchies:

Properly documenting hierarchies improves fraud prevention by clarifying responsibilities, ensuring accountability, and establishing clear information flow.

This reduces ambiguity and limits opportunities for fraud.

Why the Statement is False:

Documenting and communicating hierarchies strengthens fraud prevention, rather than hindering it.

Conclusion:The statement is false because clear hierarchies enhance fraud prevention initiatives.

Fraud Risk Assessment Objectivity:

The assessment must remain unbiased, but any prior disagreements or conflicts may highlight areas where policies or procedures are unclear, increasing fraud risks.

Why C is Correct:

Incorporating disagreements provides context to evaluate risks objectively, ensuring that all relevant factors are considered without bias.

Why Other Options are Incorrect:

A:Confronting Brandon could create further conflict without adding value.

B:Delegating the task unnecessarily avoids responsibility.

D:Automatically designating the area as high-risk lacks justification and could undermine credibility​​.

References for All Questions:

ACFE Code of Professional Ethics and Fraud Examination Guide​​.

ISO 31000:2018 guidelines for risk management​​.

Criminological theories related to crime causation and fraud risk assessments​​.

Comprehensive and Detailed in Depth Explanation:

ISA 240 (The Auditor ' s Responsibilities Relating to Fraud in an Audit of Financial Statements) outlines the auditor ' s responsibility to assess and respond to the risk of material misstatement due to fraud. It does not impose a primary responsibility for fraud prevention and detection upon auditors—that responsibility lies with management (eliminating C). The standard also does not require auditors to actively raise fraud awareness within the organization (eliminating A), nor does it establish requirements for fraud risk management programs for management (eliminating D).

ï‚· ACFE Code of Professional Ethics:

CFEs must act with integrity and report material fraud findings to the appropriate authority within the organization.

ï‚· Why A is Correct:

Informing the board of trustees ensures that those responsible for governance can take appropriate action. Reporting to law enforcement (option B) may breach contractual obligations unless legally required.

ï‚· Why Other Options are Incorrect:

B:Reporting to law enforcement may overstep Daniela’s authority as an independent investigator.

C:Not disclosing the information violates ethical responsibilities.

D:Resignation avoids responsibility and does not fulfill ethical obligations​​.

Understanding Compliance Theory:

Compliance theory emphasizes preventing crime through incentives for voluntary adherence to laws and proactive administrative measures.

By addressing potential violations early, compliance theory aims to deter criminal behavior before it occurs.

Application of the Theory:

Examples include economic benefits for following regulations and monitoring mechanisms to identify early signs of noncompliance.

Conclusion:The statement accurately describes compliance theory.

The Fraud Risk Management chapter summarizes the components of COSO ERM 2017 and explains that review and revision concerns how well ERM capabilities and practices have increased value over time and how they will continue to drive value for the organization. The manual quotes this concept directly when discussing review and revision. This component is concerned with assessing substantial changes, reviewing risk and performance, and improving ERM practices as circumstances evolve. It is therefore the part of the framework most closely associated with continual reassessment and enhancement over time. Governance and culture, by contrast, address tone, oversight, and ethical values, while strategy and objective-setting concern alignment with mission and performance goals. Thus, option B is the correct answer according to the manual’s presentation of COSO ERM.

ï‚· ACFE Code of Professional Ethics:

The ACFE Code of Ethics prohibits fraud examiners from making absolute statements about the absence of fraud. Fraud cannot be definitively ruled out based on an examination ' s findings.

ï‚· Why B is Correct:

Stevens cannot state that the organization is " free of fraud, " as fraud detection is inherently limited by the scope and methods of the examination. Such a statement could mislead stakeholders and compromise ethical standards​​.

Comprehensive and Detailed in Depth Explanation:

ISA 265 requires that significant deficiencies in internal control identified during an audit be communicated in writing to those charged with governance. The auditor is not obligated to inform regulatory agencies unless required by law (eliminating A). Internal control audits are not separate engagements under standard financial statement audits (eliminating B). Withdrawalfrom the engagement is a last resort and only appropriate under severe circumstances beyond internal control issues (eliminating D).

Government auditors, like their private-sector counterparts, must adhere to International Standard on Auditing (ISA) 240, which provides guidance on the auditor’s responsibilities related to fraud. This standard applies to both private- and public-sector audits, emphasizing the importance of addressing risks of material misstatement due to fraud. Alicia must carefully evaluate fraud risks and incorporate relevant procedures, as mandated by ISA 240, ensuring a comprehensive audit approach.

​

====

COSO Definition of Internal Control:

COSO defines internal control as a process enacted by an entity ' s board, management, and personnel to provide reasonable assurance regarding objectives in operations, reporting, and compliance.

Analysis of Options:

A. Operational risk assessment:A component of internal control, not the overall process.

C. Fraud risk management:Focuses specifically on fraud risks, a subset of internal control.

D. Financial reporting:A specific objective addressed by internal control.

Conclusion:The correct answer is internal control, as defined by COSO.

For an ethics program to be effective, management must integrate the organization ' s ethical principles with the perceptions and expectations of stakeholders. By considering how stakeholders define success,the organization can design an ethics program that aligns with its values and operational goals. This inclusive approach promotes adherence to ethical standards and fosters a positive ethical culture within the organization. Merely having a written policy or restricting access to it does not ensure effectiveness.

​

====

The “Review and Revision” component is focused on evaluating how ERM practices contribute to organizational value and adapting them accordingly.

“As part of its ERM activities, the organization should review how well the ERM capabilities and practices have increased value over time and how they will continue to drive value.”

ï‚· Definition of Organizational Crime:

Organizational crime refers to illegal actions committed by a corporation or individuals acting on behalf of the organization to benefit the corporation or its leaders.

Examples include antitrust violations, environmental crimes, and fraudulent financial reporting.

ï‚· Why B is Correct:

A price-fixing scheme involves collusion among companies to manipulate prices, a clear example of organizational crime designed to benefit the involved corporations.

ï‚· Why Other Options are Incorrect:

Options A, C, and D represent individual crimes for personal gain, not organizational crimes​​.

The ACFE manual notes that codes of conduct not only serve as a reference for guiding behavior but also enable enforcement and internal discipline within a profession.

“A code of ethical conduct serves as a reference and benchmark for ethical guidance… [and] facilitates practical enforcement and internal discipline throughout a profession.”

International Standards on Auditing (ISAs) Requirements:

ISAs require auditors to communicate suspected or confirmed fraud to " those charged with governance " of the organization, as they have the responsibility for oversight.

ISA 240, “The Auditor ' s Responsibilities Relating to Fraud in an Audit of Financial Statements,” mandates that findings be reported to appropriate governance bodies before considering further actions.

Confidentiality and Legal Obligations:

Auditors must maintain confidentiality unless legal or regulatory frameworks require disclosure to authorities. Immediate reporting to law enforcement (option B) may breach confidentiality without proper internal escalation.

Why Option D is Correct:

Reporting to governance ensures proper internal actions are taken and protects the integrity of the audit process. It allows the organization to address the issue before external involvement if required.

Integrity in Fraud Examination:

Integrity involves trustworthiness, ethical behavior, and transparency. Admitting errors is a critical part of maintaining professional integrity.

Why D is Correct:

Refusal to admit errors is inconsistent with the ethical and professional standards of fraud examination.

Why Other Options are True:

A, B, and C align with the principles of integrity, emphasizing honesty, ethics, and impartiality​​.

References for All Questions:

COSO Enterprise Risk Management Framework​​.

ACFE Code of Professional Ethics and fraud examination best practices​​.

Strategies for fraud prevention and detection from professional auditing standards​​.

ï‚· Responsibilities of the Board of Directors:

The board is primarily responsible for oversight, governance, and ensuring the organization operates in the best interest of stakeholders. Key responsibilities include:

Acting as intermediaries between shareholders and management.

Safeguarding resources and assets.

Assessing management’s strategies and decisions.

ï‚· Why C is Correct:

Directing employees is a management responsibility, not a board function. The board focuses on oversight rather than operational execution.

ï‚· References:

ACFE governance principles emphasize the separation of oversight and operational roles​​.

Information, communication, and reporting involve the continual process of gathering and sharing relevant information across an organization to support decision-making and risk management. This ensures that all stakeholders are informed and that information flows effectively to enhance organizational performance.

====

ï‚· Professional Responsibility Under ACFE Code of Ethics:

The ACFE Code of Professional Ethics requires Certified Fraud Examiners (CFEs) to disclose material information to the proper authorities. When fraud is discovered, the CFE must act in the best interest of the organization while adhering to ethical standards.

In this scenario, Gray must report Green ' s involvement in unrelated fraud to ABC Corporation ' s board of directors. This ensures transparency and accountability without breaching client confidentiality unnecessarily.

ï‚· Relevant Principles from ACFE Code of Ethics:

Integrity:CFEs must act honestly and report findings to the appropriate parties.

Objectivity:The CFE must avoid conflicts of interest and ensure impartiality in all findings and disclosures.

ï‚· Board Reporting Responsibility:

Reporting to the board is appropriate because they are responsible for corporate governance and oversight. Law enforcement involvement should follow organizational protocols unless laws explicitly mandate direct reporting​​.

Comprehensive and Detailed in Depth Explanation:

The COSO framework outlines monitoring as one of its five core components, which involves evaluating the effectiveness of internal controls over time. Monitoring includes both ongoing evaluations and separate evaluations, which is exactly what Julia is initiating. This distinguishes monitoring (correct) from control activities (which pertain to execution of policies), risk assessment (which identifies and analyzes risks), and control environment (which is the tone at the top).

ï‚· Definition of Corporate Governance:

Corporate governance establishes the framework for decision-making and accountability within an organization. It includes roles, rights, and responsibilities of stakeholders such as the board, management, and shareholders.

ï‚· Why D is Correct:

The governance structure formalizes the distribution of roles and ensures clarity in accountability and oversight.

ï‚· Why Other Options are Incorrect:

A:Fraud risk management supports governance but is not its foundation.

B:Governance encompasses more than financial reporting accuracy.

C:Governance practices are essential even when owners are setting strategy​​.

A clearly defined organizational structure contributes to accountability and reduces fraud risks. According to the ACFE manual:

“An effectively documented and communicated structure helps prevent fraud by providing clear lines of authority and responsibility and ensuring appropriate oversight.”

Comprehensive and Detailed in Depth Explanation:

Fraud risk assessments can be effectively conducted by internal personnel or external consultants. The key is that they must be conducted objectively and with due professional care. There is no requirement that they be conducted only externally (eliminating A), nor should biases about the improbability of fraud influence the assessment scope (eliminating B). Management involvement can be helpful when balanced appropriately—it should not be unduly limited (eliminating D).

G20/OECD Principles Overview:

The G20/OECD Principles of Corporate Governance are international guidelines aimed at enhancing economic efficiency and promoting stable financial systems.

Equitable Treatment of Shareholders:

The principles stress fairness and the protection of all shareholders ' rights, particularly minority shareholders, ensuring they are treated equally.

Why D is Correct:

Equitable treatment is a fundamental tenet of the Principles, which strive to maintain trust and integrity in governance practices across jurisdictions​​.

References for All Questions:

ACFE Fraud Examination Standards​​.

ISA Standards and International Corporate Governance Best Practices​​.

G20/OECD Principles of Corporate Governance​.

ï‚· Key Elements of Routine Activities Theory:

This criminological theory asserts that crime is likely when three conditions converge:

Availability of suitable targets.

Absence of capable guardians (e.g., security or oversight).

Presence of motivated offenders.

ï‚· Why C is Correct:

Routine activities theory focuses on the environmental and situational factors that facilitate crime, making it distinct from other criminological theories.

ï‚· Why Other Options are Incorrect:

A (Rational choice theory):Focuses on individual decision-making.

B (Differential association theory):Emphasizes learning criminal behavior through interaction.

D (Social control theory):Focuses on societal bonds preventing crime​​.

Overview of Compliance Programs:An effective compliance program requires clear communication, enforcement, and promotion of ethical standards within an organization. Promoting compliance involves setting up positive incentives, such as rewards for ethical behavior, to encourage adherence to policies and regulations.

Role of Incentives:

Incentives serve as motivators for employees to align with the compliance culture. Examples include bonuses for meeting compliance goals, recognition for ethical behavior, and career advancement opportunities tied to compliance performance.

The U.S. Federal Sentencing Guidelines for Organizations emphasize that for a compliance program to be effective, it must include incentives to encourage proper behavior and discipline to deter violations.

Supporting Reference Materials:

The Association of Certified Fraud Examiners (ACFE) highlights the importance of integrating incentives into compliance programs. These incentives are seen as essential for fostering a culture of ethics and preventing fraud.

Industry standards and frameworks, such as COSO’s " Internal Control - Integrated Framework, " also stress the integration of incentives to promote adherence to internal controls and compliance standards​​.

Importance of Positive Reinforcement:

Positive reinforcement through incentives leads to higher employee morale, enhanced commitment to ethical practices, and a reduced likelihood of non-compliance.

A compliance program that merely penalizes non-compliance without rewarding adherence can fail to motivate employees to prioritize compliance.

Application in Fraud Prevention:

By actively incentivizing compliance, organizations can proactively mitigate risks of fraud and unethical practices. This aligns employees’ personal goals with the organization’s ethical standards.

The COSO definition of internal control is:

“A process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance.”

This is the formal and widely accepted COSO definition.

The White-Collar Crime discussion on organizational structure explains that structural characteristics can affect how likely wrongdoing is to occur and remain undetected. In simple organizations with fewer specialized departments and less differentiation, there are generally fewer independent checks, fewer distinct perspectives, and less separation among functions. This can make it easier for misconduct to remain hidden because fewer people are positioned to identify irregularities or challenge suspicious activity. By contrast, greater specialization can sometimes make concealment more difficult because unusual conduct may be more visible to those with relevant expertise. The manual also repeatedly links effective controls and oversight to fraud detection. Consistent with that reasoning, a simple structure with few specialized departments can increase the likelihood that fraud will go undetected. Therefore, the statement is true.

Components of COSO’s Enterprise Risk Management Framework:

D. Review and revision:Ensures continuous improvement and adaptation of risk management practices to align with changing circumstances.

A. Event avoidance:Not explicitly listed as a component but is part of broader risk responses.

B. Risk tolerance:An element within risk management but not a separate component.

C. Compliance:A goal of ERM but not a framework component.

Conclusion:Review and revision is a core component of COSO ' s ERM framework.

Internal Auditor ' s Role in Fraud Risk Management:

Internal auditors are not directly responsible for establishing or maintaining anti-fraud controls (Option D). This responsibility lies with management.

They are also not responsible for obtaining reasonable assurance that financial statements are free of fraud (Option A). This is the role of external auditors.

Oversight of management ' s fraud risk actions (Option B) is primarily a governance role, not the auditor ' s direct responsibility.

Internal auditors focus on identifying and assessing fraud risks, evaluating controls, and recommending further action when necessary.

Conclusion:Option C aligns with the internal auditor ' s responsibilities as per the standards outlined in the ACFE ' s fraud risk management framework.

In the Understanding Criminal Behavior material, the manual explains that differential reinforcement theory, as summarized by Ronald Akers, holds that people learn social behavior through operant conditioning. Behavior is reinforced when positive rewards are gained or when punishment is avoided. The manual specifically states that behavior is reinforced when positive rewards are gained, which is positive reinforcement, and it is weakened by punishment or loss of reward. It also contrasts punishment with reinforcement by noting that reinforcement accentuates positive behavior, whereas punishment tends only to suppress behavior temporarily unless constantly applied. Because the question asks what strengthens behavior, positive reinforcement is the best and most direct answer under the manual’s discussion of conditioning and reinforcement.

ï‚· Auditor ' s Responsibility Under ISA Standards:

ISA 265 requires auditors to communicate significant deficiencies in internal control to those charged with governance in writing.

This ensures proper corrective actions are taken and maintains transparency in the audit process.

ï‚· Why B is Correct:

Written communication to governance authorities is the appropriate course of action to address control deficiencies without breaching confidentiality or overstepping regulatory boundaries.

ï‚· References:

ISA 265, “Communicating Deficiencies in Internal Control,” supports this approach​​.

ï‚· Professional Auditing Standards Requirement:

Standards such as the International Standards on Auditing (ISA) and Generally Accepted Auditing Standards (GAAS) require auditors to include elements of unpredictability in their audit procedures to reduce the risk of fraud.

ï‚· Purpose of Unpredictability:

By varying the scope, timing, and extent of audits, auditors prevent potential fraudsters from anticipating audit procedures and adjusting their behavior.

ï‚· Why A is Correct:

This aligns with established auditing principles to enhance fraud detection and maintain audit integrity​​.

ï‚· Definition of Professional Skepticism:

Professional skepticism requires maintaining a questioning mindset and critically assessing evidence throughout the fraud examination process.

ï‚· Why D is Correct:

Professional skepticism ensures that fraud examiners remain vigilant and rely on evidence to conclude whether fraud has occurred or not. It is dispelled only when sufficient evidence supports a clear conclusion.

ï‚· Why Other Options are Incorrect:

A:While skepticism is critical, it does not mean refusing to acknowledge credible evidence.

B:Assuming no fraud occurred contradicts the principle of skepticism.

C:Hypotheses should consider the nature of the assignment and available information​​.

Regulatory and Legal Misconduct:

This category includes practices that violate laws or regulations, such as anti-competitive behavior, insider trading, and conflicts of interest.

Why A is Correct:

Fraudulent customer payments are typically categorized under operational or financial fraud, not regulatory and legal misconduct.

Why Other Options are Incorrect:

B, C, and D:These practices involve violations of regulations or legal obligations, directly aligning with regulatory and legal misconduct​​.

References for All Questions:

ACFE Fraud Examination Guide and related professional standards​​.

International and jurisdictional auditing standards for public-sector auditors​​.

COSO and governance frameworks on fraud risk management​​.

The Management’s Fraud-Related Responsibilities chapter defines monitoring as the process that assesses the effectiveness of a control system over time. The manual states that this component should include both ongoing evaluations and periodic separate evaluations, and that the findings should be measured against predefined criteria. This wording matches the question almost exactly. Monitoring also includes timely evaluation and communication of internal control deficiencies to the appropriate parties for corrective action. Because Julia is establishing a process for continuous and separate reviews of control effectiveness over time, her initiative falls squarely within the monitoring component of COSO’s Internal Control—Integrated Framework. None of the other components focus on the continuing evaluation of whether controls remain present and functioning over time in this way.

ACFE research highlights that an unwillingness to share duties is one of the most common red flags exhibited by fraud perpetrators. This behavior often indicates a desire to conceal fraudulent activities.Most fraudsters do not have prior convictions, and frauds committed by executives tend to cause higher losses compared to those committed by staff-level employees.

====

Findings from the 2020 Report to the Nations:

Asset misappropriation:Most common form of occupational fraud (e.g., theft of cash or inventory). It is frequent but less costly.

Financial statement fraud:Most costly, involving significant manipulation of financial data.

Analysis of Options:

A. Asset misappropriation; corruption:Corruption is less costly than financial statement fraud.

B. Corruption, asset misappropriation:Incorrect order and does not match the costliest scheme.

C. Financial statement fraud; corruption:Incorrect pairing.

Conclusion:Asset misappropriation is most common, and financial statement fraud is most costly.

Importance of Documenting Organizational Hierarchies:

Clearly defined hierarchies help establish accountability, delineate responsibilities, and ensure the proper flow of information, reducing opportunities for fraud.

It minimizes ambiguity in roles and reporting lines, which are often exploited in fraudulent schemes.

Preventive Value:

By ensuring that employees know whom to report to and how to escalate concerns, organizations foster transparency and reduce fraud risk.

Conclusion:Proper documentation and communication of hierarchies are effective tools in fraud prevention.

In the manual’s discussion of routine activities theory, three important elements are identified as influencing crime: the availability of suitable targets, the absence of capable guardians, and the presence of motivated offenders. This framework assumes that opportunities for crime arise when these three conditions come together. The theory does not list a lack of societal ethics as one of its three core elements. While ethics can matter broadly in criminology and organizational behavior, the routine activities approach is focused more narrowly on the interaction between offenders, targets, and guardianship. Because the manual expressly names only those three elements, the option referring to a lack of societal ethics is the one that does not belong. Therefore, option D is the correct answer under the Fraud Prevention and Deterrence material.

This scenario is an example of punishment. Punishment involves introducing a consequence (in this case, the loss of responsibility for cross-departmental projects) to discourage undesirable behavior. The manager uses this approach to address Devon’s negative attitude and to promote better cooperation with other departments in the future.

====

Internal Audit Reporting Responsibilities:

Internal audit must maintain open communication with senior management and the board to ensure appropriate handling of fraud-related issues.

Establishing reporting protocols in advance ensures timely and consistent responses when fraud occurs.

Analysis of Other Options:

B. Periodic reporting is optional:Reporting fraud risks is a required responsibility.

C. Non-disclosure:Fails to fulfill the role of internal audit in governance and accountability.

D. No communication with the board:Misrepresents the internal audit ' s role in fraud oversight.

Conclusion:Discussing reporting protocols proactively with senior management and the board is the correct approach.

Employee background checks are considered a preventive control because they are designed to identify potentially risky hires before employment. The manual states that “background checks are a front-line preventive measure in combating fraud by screening out individuals who pose higher risk.”

Responsibilities of an External Auditor:

When significant internal control deficiencies are discovered, the auditor is required to report them to senior management and, where appropriate, the audit committee.

The purpose is to ensure that the organization is informed of the risks and can take corrective actions.

Analysis of Other Options:

A. Suspend the audit:Not required under auditing standards.

B. Report to law enforcement:Only if fraud or illegal activities are confirmed, which is not implied here.

D. Correct deficiencies independently:This is beyond the auditor ' s scope of responsibilities.

Conclusion:The correct response is to provide a written communication about the findings to senior management.

The Fraud Prevention Programs chapter states that management’s handling of known fraud incidents is an important part of the organization’s anti-fraud program. The manual explains that a company must make clear it has zero tolerance for fraud and that failing to punish perpetrators consistently makes the fraud prevention program less effective, if not useless. It further notes that having a public record of the incident can be important and specifically says that reporting known incidents of fraud to law enforcement can be an effective step in making the organization’s zero-tolerance stance clear. This approach reinforces deterrence, demonstrates seriousness, and supports consistent consequences. Therefore, among the listed choices, reporting known incidents of fraud to law enforcement is the most effective response.

Ethical Obligations Under ACFE Code:

CFEs are obligated to report material findings, including deficiencies that may facilitate fraud, even if no fraud is found.

Providing such insights aligns with the principles of due diligence and professional responsibility.

Professional Reporting Practices:

Including opinions on internal control deficiencies adds value to the examination and supports fraud prevention efforts.

Conclusion:White may include her opinion on control deficiencies in her report.

The Corporate Governance chapter explains that the Treadway Commission made four recommendations aimed at reducing the likelihood of fraud in financial reporting. These recommendations were directed to the board of directors’ audit committee and included having an independent audit committee, a written charter for the audit committee, adequate resources and authority, and informed, vigilant, and effective audit committee members. The manual specifically states that the existence of an audit committee and a written charter is not enough; the committee must also have adequate resources and authority to carry out its responsibilities. That language directly matches option C. The other choices either substitute the wrong committee, assign the charter to management instead of the audit committee, or improperly shift oversight of internal controls to shareholders.

Collusion between contractors is an example of external fraud risk because it involves external parties conspiring to defraud the organization. The other options describe internal fraud risks, such as actions committed by employees within the organization.

====

Focus of Risk Management:

Risk management seeks to balance the organization ' s risk appetite (the level of risk it is willing to accept) with its ability to achieve objectives.

Why D is Correct:

Effective risk management aligns the organization ' s risk tolerance with its strategic and operational goals to ensure sustainability and success.

Why Other Options are Incorrect:

A, B, and C:While internal controls, regulatory requirements, and resources are critical, the primary balance is between risk appetite and objectives​​.

References for All Questions:

ACFE Fraud Examination Guide and Risk Management Best Practices​​.

COSO frameworks for internal controls and fraud risk management​​.

Industry guidance on effective deterrence and governance practices​​.