5.3 Scenario Practice for Fraud Risks
Key Takeaways
- Red flags are indicators that warrant inquiry, not proof of fraud; a single flag justifies further investigation, not an accusation.
- Behavioral red flags (living beyond means, financial difficulties, control issues) are among the most common warning signs ACFE reports.
- Preventive controls stop fraud before it happens (segregation of duties, approvals); detective controls find it after (reconciliations, audits, surprise counts).
- When an auditor suspects fraud, the Standards-aligned response is to preserve evidence and escalate per policy, never to confront the suspect alone.
Reading Red Flags Correctly
A red flag is an indicator that conditions or behavior associated with fraud may be present. The exam's golden rule: a red flag is a reason to inquire, never proof of fraud. Choosing an answer that jumps from one anomaly to an accusation or termination is almost always wrong; the proportionate response is heightened skepticism and further work.
Red flags fall into two broad families:
| Type | What you observe | Examples |
|---|---|---|
| Behavioral / personal | Signals about the individual | Living beyond means, known financial difficulties, unusually close vendor ties, refusal to take vacation, control issues / wheeler-dealer attitude, recent divorce or addiction |
| Transactional / process | Signals in the data or process | Missing documents, duplicate payments, round-dollar amounts, payments just under approval limits, altered records, unexplained reconciling items, vendor address matching an employee address |
The ACFE consistently reports that behavioral red flags — especially living beyond one's means and financial difficulties — are present in the large majority of fraud cases. A perpetrator who suddenly drives a luxury car on a modest salary, then resists letting anyone else cover their duties, is displaying classic warning signs. But the auditor's job is to follow the evidence, not to convict on lifestyle alone. Within Section D, recognizing a flag and choosing the proportionate next step is tested far more often than naming the flag itself.
Preventive vs. Detective Controls
Distinguishing preventive from detective controls is one of the most frequently tested fraud concepts. The test is timing: does the control act before the act can occur, or does it find the act after it has occurred?
| Control type | Purpose | Examples |
|---|---|---|
| Preventive | Stop fraud from happening | Segregation of duties, authorization/approval limits, access controls and passwords, mandatory vacation policy, pre-employment background checks, physical safeguards over assets |
| Detective | Find fraud after it occurs | Reconciliations, surprise cash counts, internal audits, exception/variance reports, data analytics monitoring, whistleblower hotline, management review of unusual journal entries |
A few items trip people up:
- Segregation of duties is the flagship preventive control. Splitting custody, recording, authorization, and reconciliation among different people makes it hard for one person to both perpetrate and conceal fraud.
- A whistleblower hotline is detective — it surfaces fraud that has already started; ACFE data shows tips are by far the most common way occupational fraud is initially detected.
- Surprise audits / surprise cash counts are detective, but they also have a strong deterrent (preventive-by-fear) effect because perpetrators cannot predict them.
A balanced fraud-control environment needs both layers plus a strong tone at the top and code of conduct — the corrective and deterrent backbone that the fraud risk management framework (often the COSO-ACFE Fraud Risk Management Guide) describes.
Scenario: The Right Auditor Response
Work through a representative stem. During a payables audit, you notice three vendors share the same bank account and one address matches an employee's. What should you do first?
The wrong answers usually include: immediately confront the employee, tell the vendor's manager, or conclude fraud has occurred. The Standards-aligned sequence is:
- Maintain objectivity and professional skepticism — treat it as a red flag, not a verdict.
- Preserve the evidence — do not alter records; secure copies and maintain a clean trail (relevant to a later chain of custody).
- Expand procedures as appropriate to confirm or dispel the concern.
- Escalate per organizational policy and the engagement protocol — typically to the chief audit executive (CAE), who decides whether to involve management, legal, or fraud specialists.
The auditor does not lead the criminal investigation, confront suspects, or guarantee a conclusion. Remember the Standards limit: internal auditors are not expected to have the expertise of a dedicated fraud investigator. They detect indicators, evaluate how fraud risk is managed, and route the matter properly.
Drill discipline
For each scenario you practice, write the role, the cue (red flag), the governing rule, and the correct next action. If your instinct was to confront or conclude, flag it — that instinct loses points on the real exam, where "escalate and preserve" beats "confront and accuse" almost every time.
Awareness During Routine Engagements
The Standards require auditors to consider the potential for fraud during every engagement, even when fraud is not the engagement's objective. This is the fraud-awareness obligation, and the exam tests it directly. Practically, it means an auditor planning a routine operational or compliance audit still asks: given this process, what fraud schemes are plausible here, and how would I notice them?
A few scenario patterns recur:
| Cue in the stem | Plausible scheme | Awareness response |
|---|---|---|
| Same employee opens mail, deposits checks, and posts receivables | Skimming / lapping | Recommend segregation; test for unusual write-offs |
| Round-dollar payments just under the approval limit | Disbursement structuring | Run threshold analytics; review approver |
| Overtime spikes for employees who never take leave | Payroll / time fraud | Mandatory-vacation policy; ghost-employee testing |
| Sole-source awards to a manager's preferred vendor | Corruption / conflict of interest | Verify disclosures; review bid process |
The disciplined move is to treat fraud awareness as part of normal planning and fieldwork, not a separate special project. When a question describes an auditor who ignored an obvious fraud indicator because "fraud wasn't the scope," that is the wrong answer — professional skepticism and the consider-the-potential-for-fraud requirement apply throughout. Conversely, an auditor who derails an entire engagement into a full investigation on a single weak signal has over-reacted; the proportionate path is to note the indicator, do limited follow-up, and escalate if warranted.
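The transactional cues from the tables above (several vendors sharing one bank account, a vendor address matching an employee's, payments just under the approval limit, round-dollar amounts) written as the detective-control queries an auditor would run before deciding whether to expand procedures. This is an added example, not material from the guide; the vendor, employee and payment records and the 5,000 approval limit are constructed.

```python
# Added example (not from the study guide): the transactional red flags
# above expressed as detective-control queries over a constructed
# accounts-payable extract. Records and the 5,000 approval limit are made up.
from collections import defaultdict

VENDORS = [  # constructed vendor master
    {"id": "V100", "bank": "0011-22", "address": "12 Oak St."},
    {"id": "V101", "bank": "0011-22", "address": "9 Elm Ave"},
    {"id": "V102", "bank": "0011-22", "address": "77 Pine Rd"},
    {"id": "V103", "bank": "9988-01", "address": "3 Birch Ln"},
]
EMPLOYEES = [  # constructed employee master
    {"id": "E7", "address": "12 oak st"},
    {"id": "E8", "address": "50 Main St"},
]
PAYMENTS = [  # constructed payment register
    {"id": "P1", "vendor": "V100", "amount": 4950.00},
    {"id": "P2", "vendor": "V100", "amount": 4980.00},
    {"id": "P3", "vendor": "V103", "amount": 1234.56},
    {"id": "P4", "vendor": "V101", "amount": 3000.00},
]
APPROVAL_LIMIT = 5000.00

def normalize(addr):
    """Crude normalization so punctuation/case differences do not hide a match."""
    return " ".join(addr.lower().replace(".", "").split())

def vendors_sharing_bank_account(vendors):
    """Bank accounts paid to more than one vendor -> {account: [vendor ids]}."""
    by_bank = defaultdict(list)
    for v in vendors:
        by_bank[v["bank"]].append(v["id"])
    return {acct: ids for acct, ids in by_bank.items() if len(ids) > 1}

def vendor_employee_address_matches(vendors, employees):
    """(vendor id, employee id) pairs whose normalized addresses coincide."""
    emp_by_addr = {normalize(e["address"]): e["id"] for e in employees}
    return [(v["id"], emp_by_addr[normalize(v["address"])])
            for v in vendors if normalize(v["address"]) in emp_by_addr]

def payments_just_under_limit(payments, limit, band=0.05):
    """Payment ids within `band` (default 5%) below the approval limit."""
    return [p["id"] for p in payments if limit * (1 - band) <= p["amount"] < limit]

def round_dollar_payments(payments, multiple=1000):
    """Payment ids that are exact multiples of `multiple` (round-dollar cue)."""
    return [p["id"] for p in payments if p["amount"] % multiple == 0]
```

Each hit is an indicator to inquire into and document, not a finding; the next step for any of them is the preserve-and-escalate sequence from the scenario above.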
An internal auditor notices an employee who is living far beyond their apparent means and who refuses to take any vacation. The most appropriate characterization of these observations is that they are:
Which of the following is a PREVENTIVE control rather than a detective control?
During an engagement, an auditor develops a reasonable suspicion that an employee is committing fraud. According to the Global Internal Audit Standards, the auditor should first: