- According to the ACFE's Fraud Tree, occupational fraud is divided into how many primary categories?
Correct answer: Three
Three is correct because the ACFE Fraud Tree classifies all occupational fraud into three primary categories: corruption, asset misappropriation, and financial statement fraud. Each branch then subdivides into specific scheme types.
- Which of the following are the three primary branches of the ACFE Fraud Tree?
- Skimming, larceny, and billing
- Bribery, extortion, and kickbacks
- Pressure, opportunity, and rationalization
- Corruption, asset misappropriation, and financial statement fraud
Correct answer: Corruption, asset misappropriation, and financial statement fraud
Corruption, asset misappropriation, and financial statement fraud are the three primary branches of the Fraud Tree. Skimming and larceny are subtypes within asset misappropriation, and pressure/opportunity/rationalization describe the fraud triangle, not the tree.
- In the ACFE Fraud Tree classification, which category of occupational fraud is the most common but typically causes the smallest median loss?
- Bribery
- Asset misappropriation
- Corruption
- Financial statement fraud
Correct answer: Asset misappropriation
Asset misappropriation is correct because it is by far the most frequently occurring category of occupational fraud yet produces the lowest median loss of the three branches. Financial statement fraud is the least common but most costly.
- Within the ACFE Fraud Tree, which category of occupational fraud is the least frequent but causes the largest median loss?
- Corruption
- Financial statement fraud
- Skimming
- Asset misappropriation
Correct answer: Financial statement fraud
Financial statement fraud is correct because it occurs least often among the three branches yet produces the highest median loss, since it typically involves manipulating large reported figures rather than stealing discrete assets.
- Asset misappropriation schemes are generally divided into which two main subcategories?
- Cash schemes and noncash (inventory and other assets) schemes
- Skimming and larceny
- Corruption and financial statement schemes
- Billing and payroll
Correct answer: Cash schemes and noncash (inventory and other assets) schemes
Cash schemes and noncash schemes are correct because asset misappropriation in the Fraud Tree first splits into the theft or misuse of cash versus the theft or misuse of inventory and other noncash assets.
- A clerk takes cash from a customer payment before it is ever recorded in the company's books. This off-book theft of incoming funds is best classified as which scheme?
- Check tampering
- Billing
- Cash larceny
- Skimming
Correct answer: Skimming
Skimming is correct because the cash was stolen before being entered into the accounting records, making it an off-book scheme. Cash larceny, by contrast, is the theft of cash that has already been recorded.
- What is the defining characteristic that distinguishes skimming from cash larceny?
- Skimming requires two perpetrators; larceny requires one
- Skimming involves checks while larceny involves currency
- Skimming occurs before the cash is recorded; larceny occurs after it is recorded
- Skimming is a corruption scheme; larceny is a billing scheme
Correct answer: Skimming occurs before the cash is recorded; larceny occurs after it is recorded
The timing relative to recording is the defining distinction: skimming is an off-book scheme taking funds before they enter the records, while cash larceny is an on-book scheme taking funds already recorded.
- Cash larceny is best described as which of the following?
- The theft of cash that has already been recorded in the victim organization's books
- Submitting fraudulent invoices for payment
- Altering a payee on a company check
- The theft of cash before it is recorded in the books
Correct answer: The theft of cash that has already been recorded in the victim organization's books
The theft of recorded cash is correct because cash larceny is an on-book scheme: the funds appear in the accounting records and are then stolen, which is what separates it from skimming.
- An employee creates a fictitious vendor and submits invoices from that vendor for payment to a company she controls. This is an example of which type of scheme?
- A billing scheme (shell company)
- Cash larceny
- Skimming
- Payroll fraud
Correct answer: A billing scheme (shell company)
A shell-company billing scheme is correct because the employee uses a fictitious vendor to generate invoices that cause the company to issue fraudulent payments. Billing schemes are a form of fraudulent disbursement.
- Billing schemes, payroll schemes, and check tampering all fall under which broader category of asset misappropriation?
- Financial statement fraud
- Corruption
- Skimming
- Fraudulent disbursements
Correct answer: Fraudulent disbursements
Fraudulent disbursements is correct because these schemes cause the organization to issue payments through normal disbursement channels for fraudulent purposes, distinguishing them from the direct theft of cash.
- Which of the following is a recognized subtype of billing scheme?
- Pass-through (pay-and-return) schemes
- Ghost employee schemes
- False void refunds
- Lapping
Correct answer: Pass-through (pay-and-return) schemes
Pass-through schemes are a billing-scheme subtype in which an employee sets up an intermediary entity that buys goods and resells them to the employer at inflated prices. Ghost employees are payroll fraud, and false voids are register schemes.
- An accounts payable clerk intercepts a signed company check and changes the payee name to himself before cashing it. This conduct is best classified as which scheme?
- Check and payment tampering
- A billing scheme
- Skimming
- Expense reimbursement fraud
Correct answer: Check and payment tampering
Check and payment tampering is correct because the employee physically altered an organization's check by changing the payee. Tampering schemes involve forging, altering, or intercepting the organization's own payment instruments.
- Forged maker, forged endorsement, altered payee, and concealed check schemes are all variants of which fraud category?
- Register disbursement schemes
- Check and payment tampering
- Cash larceny
- Conflicts of interest
Correct answer: Check and payment tampering
Check and payment tampering is correct because each listed variant involves manipulating the organization's own checks or electronic payments, whether by forging signatures, forging endorsements, or altering the payee.
- A payroll supervisor adds a nonexistent worker to the payroll and diverts that worker's paychecks to himself. This is an example of which scheme?
- A billing scheme
- An expense reimbursement scheme
- Skimming
- A ghost employee scheme
Correct answer: A ghost employee scheme
A ghost employee scheme is correct because a fictitious or terminated person is kept on the payroll so that paychecks can be diverted to the fraudster. It is a form of payroll fraud.
- A 'ghost employee' in a payroll fraud scheme refers to which of the following?
- An employee who falsified a timesheet for overtime
- A worker whose wages were garnished
- A person on the payroll who does not actually work for the company
- An employee who works two jobs simultaneously
Correct answer: A person on the payroll who does not actually work for the company
A person on the payroll who does not actually work for the company is correct: a ghost employee may be fictitious or a former employee kept active so the fraudster can collect the paychecks.
- An employee submits a restaurant receipt for a personal dinner and claims it as a business meal on her expense report. This conduct is best classified as which scheme?
- Mischaracterized expense reimbursement fraud
- A billing scheme
- A ghost employee scheme
- Cash larceny
Correct answer: Mischaracterized expense reimbursement fraud
Mischaracterized expense reimbursement fraud is correct because a genuine personal expense is falsely characterized as a legitimate business expense to obtain reimbursement.
- Mischaracterized expenses, overstated expenses, fictitious expenses, and multiple reimbursements are the four primary types of which scheme?
- Expense reimbursement fraud
- Skimming
- Check tampering
- Corruption
Correct answer: Expense reimbursement fraud
Expense reimbursement fraud is correct because the ACFE identifies these four categories as the main forms of expense reimbursement schemes, all involving false claims for business expenses.
- A cashier processes a fictitious refund at the register and pockets the cash, even though no merchandise was returned. This is an example of which scheme?
- A ghost employee scheme
- Check tampering
- A register disbursement scheme
- Skimming
Correct answer: A register disbursement scheme
A register disbursement scheme is correct because the fraud is committed by entering a false refund or void at the point of sale to remove cash from the register, with the disbursement recorded on the books.
- The two principal types of register disbursement schemes are:
- Skimming and larceny
- Bribery and kickbacks
- Forged makers and forged endorsements
- False refunds and false voids
Correct answer: False refunds and false voids
False refunds and false voids are correct because both manipulate the cash register to justify removing currency: a false refund records a return that did not occur, and a false void cancels a legitimate sale.
- Improperly recognizing revenue before it is earned in order to inflate reported earnings is an example of which scheme?
- Cash larceny
- Financial statement fraud
- A register disbursement scheme
- Asset misappropriation
Correct answer: Financial statement fraud
Financial statement fraud is correct because timing and improper revenue recognition manipulate the reported financial statements to mislead users, rather than diverting a specific asset.
- Which of the following is a common financial statement fraud method?
- Recording fictitious revenue
- Adding a ghost employee
- Skimming cash sales
- Submitting a fake expense report
Correct answer: Recording fictitious revenue
Recording fictitious revenue is correct because it directly overstates earnings on the financial statements. The other options are asset misappropriation schemes, not financial statement manipulation.
- The corruption branch of the ACFE Fraud Tree includes which of the following scheme types?
- Forged checks and ghost employees
- Ponzi, pyramid, and identity theft
- Bribery, illegal gratuities, economic extortion, and conflicts of interest
- Skimming, larceny, and billing
Correct answer: Bribery, illegal gratuities, economic extortion, and conflicts of interest
Bribery, illegal gratuities, economic extortion, and conflicts of interest are correct because these four schemes constitute the corruption branch of the Fraud Tree, all involving the wrongful use of influence in a transaction.
- A purchasing agent accepts a secret payment from a supplier in exchange for steering contracts to that supplier. This is best classified as which scheme?
- Skimming
- A register disbursement scheme
- A kickback (bribery)
- Conflict of interest disclosure
Correct answer: A kickback (bribery)
A kickback is correct because the agent received an undisclosed payment from a vendor to influence a business decision in the vendor's favor, which is the classic structure of commercial bribery.
- What is the key distinction between bribery and an illegal gratuity?
- A gratuity is always larger than a bribe
- Bribery is intended to influence a business decision; a gratuity is a reward given after the decision
- Bribery involves only public officials; gratuities involve only private parties
- A gratuity requires a written agreement; bribery does not
Correct answer: Bribery is intended to influence a business decision; a gratuity is a reward given after the decision
The influence-versus-reward distinction is correct: a bribe is paid to influence a decision, whereas an illegal gratuity is given to reward a decision that has already been made.
- An employee who has an undisclosed economic interest in a vendor and approves transactions benefiting that vendor has committed which type of scheme?
- Skimming
- Check tampering
- A conflict of interest
- A ghost employee scheme
Correct answer: A conflict of interest
A conflict of interest is correct because the employee participated in a transaction in which he had an undisclosed personal economic interest, a corruption scheme distinct from bribery because the benefit flows from the employee's own hidden stake.
- Which element most clearly characterizes a conflict of interest scheme?
- The theft of recorded cash
- An undisclosed economic or personal interest that influences the employee's duties
- A fictitious refund processed at a register
- A forged endorsement on a company check
Correct answer: An undisclosed economic or personal interest that influences the employee's duties
An undisclosed personal interest is correct because conflicts of interest hinge on an employee's failure to disclose a competing interest that affects how they carry out their job responsibilities.
- A Ponzi scheme pays returns to existing investors primarily from which source?
- Funds contributed by new investors rather than legitimate profits
- Profits earned from genuine business operations
- Interest paid by a federally insured bank
- Dividends from publicly traded securities
Correct answer: Funds contributed by new investors rather than legitimate profits
Funds from new investors is correct because a Ponzi scheme has no real underlying profits; it sustains the illusion of returns by paying earlier investors with money taken from later investors.
- What typically causes a Ponzi scheme to collapse?
- The operator pays taxes on the returns
- Investors reinvest all of their returns
- The SEC raises interest rates
- The flow of new investor money slows or a wave of redemptions occurs
Correct answer: The flow of new investor money slows or a wave of redemptions occurs
A slowing of new money or a surge in redemptions is correct because the scheme depends on continuous new contributions to pay promised returns; once inflows can no longer cover redemptions, it fails.
- Which feature most distinguishes a classic pyramid scheme from a Ponzi scheme?
- Returns are guaranteed by the government
- No product or recruitment is involved
- Returns are paid by a single central operator
- Participants earn money primarily by recruiting new participants
Correct answer: Participants earn money primarily by recruiting new participants
Recruitment-based earnings is correct because a pyramid scheme rewards participants for enrolling others, whereas a Ponzi scheme is run by a central operator who pays returns directly to investors.
- A multi-level marketing operation in which compensation depends mainly on recruiting new members rather than selling a genuine product is best described as which scheme?
- A Ponzi scheme
- A pyramid scheme
- A billing scheme
- A skimming scheme
Correct answer: A pyramid scheme
A pyramid scheme is correct because compensation flows from recruiting additional participants rather than from legitimate product sales, which is the hallmark that distinguishes an illegal pyramid from lawful direct sales.
- In a business email compromise (BEC) scheme, a fraudster most commonly does which of the following?
- Adds a ghost employee to the payroll
- Processes a false refund at a cash register
- Steals physical checks from the mailroom
- Impersonates an executive or vendor by email to trick an employee into transferring funds
Correct answer: Impersonates an executive or vendor by email to trick an employee into transferring funds
Impersonating an executive or vendor by email is correct because BEC relies on a spoofed or compromised email account to deceive an employee into authorizing fraudulent wire transfers or changing payment details.
- A fraudster sends an email that appears to come from the company's CEO urgently requesting a wire transfer to a new account. This is best classified as which type of fraud?
- A conflict of interest
- Cash larceny
- A register disbursement scheme
- Business email compromise
Correct answer: Business email compromise
Business email compromise is correct because the scheme uses a deceptive email impersonating a trusted authority to induce an unauthorized funds transfer, a hallmark CEO-fraud variant of BEC.
- Identity theft is best defined as which of the following?
- The recruitment of new investors to pay older ones
- The unauthorized use of another person's identifying information for fraudulent purposes
- The alteration of a company check's payee
- The theft of cash before it is recorded
Correct answer: The unauthorized use of another person's identifying information for fraudulent purposes
The unauthorized use of another's identifying information is correct because identity theft involves wrongfully obtaining and using personal data such as Social Security numbers or account credentials to commit fraud.
- A criminal opens new credit card accounts using a victim's Social Security number and date of birth. This conduct is best classified as which type of fraud?
- Skimming
- Identity theft
- Check tampering
- A pyramid scheme
Correct answer: Identity theft
Identity theft is correct because the criminal used another person's personal identifying information without authorization to open fraudulent accounts, the defining act of identity theft.
- Phishing emails that attempt to harvest login credentials are most directly associated with which fraud category in the schemes section?
- Financial statement fraud
- Conflicts of interest
- Cyberfraud
- Cash larceny
Correct answer: Cyberfraud
Cyberfraud is correct because phishing is a technology-enabled deception used to steal credentials or data, falling under the cyberfraud category that includes BEC, malware, and phishing.
- Which of the following best describes 'lapping' in a skimming context?
- Forging the maker signature on a company check
- Recording fictitious revenue to inflate earnings
- Crediting one customer's payment with a later customer's payment to conceal the theft of the first
- Adding a fictitious worker to the payroll
Correct answer: Crediting one customer's payment with a later customer's payment to conceal the theft of the first
Crediting one customer's account with a later payment is correct because lapping conceals stolen receivables by continually applying incoming payments to previously stolen accounts, delaying detection.
- An employee diverts an incoming customer check and never records the sale, then writes off the customer's account as a bad debt to hide the theft. This concealment supports which underlying scheme?
- A register disbursement scheme
- A conflict of interest
- A payroll scheme
- A receivables skimming scheme
Correct answer: A receivables skimming scheme
A receivables skimming scheme is correct because the incoming payment was stolen before being recorded (off-book), and writing off the account as bad debt is a common technique to conceal skimmed receivables.
- Channel stuffing, in which a company ships excessive product to distributors to record premature sales, is an example of which fraud type?
- Corruption
- Financial statement fraud (improper revenue recognition)
- Asset misappropriation
- Identity theft
Correct answer: Financial statement fraud (improper revenue recognition)
Financial statement fraud is correct because channel stuffing inflates reported revenue by recording sales that have not truly been earned, manipulating the financial statements rather than stealing an asset.
- An employee uses the company credit card to buy personal electronics and codes the purchase as office supplies. This is best classified as which scheme?
- A billing scheme involving personal purchases
- Skimming
- A conflict of interest
- A ghost employee scheme
Correct answer: A billing scheme involving personal purchases
A billing scheme involving personal purchases is correct because the employee caused the company to pay for personal items by disguising them as legitimate business expenditures, a fraudulent disbursement.
- Which statement about asset misappropriation is most accurate?
- It is the least common category and produces the largest median loss
- It is the most common occupational fraud category but generally produces the smallest median loss
- It always involves manipulating financial statements
- It is a subtype of corruption
Correct answer: It is the most common occupational fraud category but generally produces the smallest median loss
Most common with the smallest median loss is correct: asset misappropriation occurs far more frequently than corruption or financial statement fraud, yet each instance tends to involve smaller dollar amounts.
- A fraudster registers a vendor name nearly identical to a legitimate supplier and submits invoices to be paid. The deceptive vendor exists only to receive payments. This is best classified as which scheme?
- A register disbursement scheme
- A shell-company billing scheme
- Cash larceny
- Expense reimbursement fraud
Correct answer: A shell-company billing scheme
A shell-company billing scheme is correct because the vendor is a fictitious entity created solely to submit invoices and collect fraudulent payments, a core billing-scheme variant.
- Which of the following is the best example of economic extortion within the corruption branch?
- An employee fails to disclose a financial interest in a supplier
- A vendor voluntarily offers a kickback to win a contract
- An employee inflates an expense report
- An employee demands a payment from a vendor under threat of withholding business
Correct answer: An employee demands a payment from a vendor under threat of withholding business
Demanding payment under threat is correct because economic extortion is the flip side of bribery: instead of being offered a payment, the employee coerces a payment by threatening adverse business consequences.
- In a 'forged maker' check tampering scheme, the fraudster:
- Forges the endorsement of the intended payee
- Issues a fictitious refund at a register
- Alters the payee after the check is signed
- Forges the signature of an authorized check signer
Correct answer: Forges the signature of an authorized check signer
Forging the authorized signer's signature is correct because a forged-maker scheme involves the fraudster signing the check as if they were an authorized maker, distinct from altering or forging an endorsement.
- An employee submits the same airfare receipt on two separate expense reports filed weeks apart. This is best classified as which type of expense reimbursement fraud?
- Fictitious expenses
- Multiple reimbursements
- Mischaracterized expenses
- Overstated expenses
Correct answer: Multiple reimbursements
Multiple reimbursements is correct because the employee submitted the same legitimate expense more than once to be paid for it repeatedly, one of the four recognized expense reimbursement fraud types.
- A salesperson alters a hotel receipt to show a higher amount than was actually paid. This is best classified as which type of expense reimbursement fraud?
- Overstated expenses
- Mischaracterized expenses
- Multiple reimbursements
- Fictitious expenses
Correct answer: Overstated expenses
Overstated expenses is correct because the employee inflated the amount of a genuine business expense to obtain a reimbursement larger than what was actually spent.
- Which of the following best describes a 'pass-through' (pay-and-return) billing scheme?
- An employee processes a false refund at a register
- An employee adds a nonexistent worker to the payroll
- An employee writes a check to a fictitious vendor and cashes it
- An employee buys goods through a hidden intermediary and resells them to the employer at a markup
Correct answer: An employee buys goods through a hidden intermediary and resells them to the employer at a markup
Using a hidden intermediary to mark up goods is correct because in a pass-through scheme the employee inserts a controlled middleman that purchases real goods and resells them to the employer at inflated prices, skimming the difference.
- Understating liabilities and expenses to inflate reported net income is an example of which fraud category?
- Identity theft
- Asset misappropriation
- Financial statement fraud
- Corruption
Correct answer: Financial statement fraud
Financial statement fraud is correct because deliberately understating liabilities or expenses overstates earnings and net worth on the financial statements, misleading users of those statements.
- Which of the following schemes does NOT belong to the asset misappropriation branch of the Fraud Tree?
- Cash larceny
- Skimming
- Bribery
- Check tampering
Correct answer: Bribery
Bribery is correct because it is part of the corruption branch, not asset misappropriation. Skimming, check tampering, and cash larceny are all asset misappropriation schemes.
- An employee steals merchandise from the company warehouse and sells it for personal profit. This is best classified as which subtype of asset misappropriation?
- Check tampering
- A billing scheme
- Cash skimming
- Noncash (inventory) misappropriation
Correct answer: Noncash (inventory) misappropriation
Noncash misappropriation is correct because the stolen item is physical inventory rather than cash, placing it in the noncash branch of asset misappropriation schemes.
- A bartender rings up some drinks but pockets the cash for others without entering the sales. What scheme has occurred?
- Unrecorded-sales skimming
- A register disbursement scheme
- Cash larceny
- A billing scheme
Correct answer: Unrecorded-sales skimming
Unrecorded-sales skimming is correct because the bartender took cash from sales that were never entered into the system, making the theft off-book skimming rather than the theft of recorded funds.
- An employee removes currency from the cash register at the end of a shift and the register's recorded total no longer matches the cash on hand. What scheme is most likely?
- A conflict of interest
- Cash larceny
- A pass-through billing scheme
- Skimming
Correct answer: Cash larceny
Cash larceny is correct because the sales were already recorded in the register total and the cash was then stolen, creating a shortage between recorded and actual cash, the signature of on-book theft.
- Which red-flag pattern most strongly suggests a shell-company billing scheme?
- An employee who frequently works overtime
- A vendor that consistently ships goods early
- A vendor with a P.O. box address, no phone, and invoices in round-dollar amounts just under approval limits
- A customer who pays invoices late
Correct answer: A vendor with a P.O. box address, no phone, and invoices in round-dollar amounts just under approval limits
The P.O. box, missing phone, and round-dollar invoices below approval thresholds are correct because shell-company vendors often lack legitimate business attributes and structure invoices to avoid additional review.
- Which of the following best illustrates a ghost employee scheme red flag?
- A paycheck deposited to the same bank account as another active employee
- A vendor invoice without a purchase order
- A customer payment posted to the wrong account
- An employee who declines to take vacation
Correct answer: A paycheck deposited to the same bank account as another active employee
A paycheck routed to another active employee's account is correct because ghost-employee fraudsters frequently direct the fictitious worker's pay to their own bank account, producing duplicate deposit details.
- An accounts payable employee intercepts an outgoing check, deposits it, and then deletes the transaction from the accounting system. The deletion is an example of which check tampering subtype?
- A concealed check scheme
- An altered payee scheme
- A forged endorsement scheme
- A forged maker scheme
Correct answer: A concealed check scheme
A concealed check scheme is correct because the fraudster hides the fraudulent disbursement by manipulating or deleting records, concealing that the check was issued and cashed.
- Recording sales to fictitious customers in order to boost reported revenue is an example of which financial statement fraud method?
- Improper asset valuation
- Concealed liabilities
- Improper disclosures
- Fictitious revenue
Correct answer: Fictitious revenue
Fictitious revenue is correct because revenue is recorded for sales that never occurred, directly inflating reported earnings, one of the five primary financial statement fraud categories.
- The five primary categories of financial statement fraud schemes include fictitious revenues, timing differences, concealed liabilities, improper disclosures, and which fifth category?
- Ghost employees
- Bribery
- Cash larceny
- Improper asset valuation
Correct answer: Improper asset valuation
Improper asset valuation is correct because it rounds out the five financial statement fraud categories, involving overstating assets such as inventory or receivables to misstate the financial position.
- A government contracting officer accepts cash from a bidder in return for sharing competitors' sealed bid amounts. This is best classified as which scheme?
- Economic extortion
- An illegal gratuity
- A conflict of interest
- Bribery
Correct answer: Bribery
Bribery is correct because the officer accepted a payment intended to influence an official action, namely awarding an advantage in the bidding process, which is the essence of a bribe.
- A manager steers her department's contracts to a company secretly owned by her spouse without disclosing the relationship. This is best classified as which scheme?
- An illegal gratuity
- Economic extortion
- A conflict of interest
- Bribery
Correct answer: A conflict of interest
A conflict of interest is correct because the manager has an undisclosed personal interest, through her spouse's ownership, that influences her business decisions, rather than receiving an outside payment.
- An investment promoter promises 'guaranteed' 20% monthly returns with no risk and pays early investors using deposits from newcomers. This is best classified as which scheme?
- A billing scheme
- Identity theft
- A Ponzi scheme
- A pyramid scheme
Correct answer: A Ponzi scheme
A Ponzi scheme is correct because the promoter, acting as a central operator, pays purported returns to earlier investors from new investors' deposits while no genuine profit-generating activity exists.
- Which characteristic is a hallmark warning sign of a Ponzi scheme?
- Investments registered with regulators
- Consistently high returns regardless of market conditions
- Returns that fluctuate with the broader market
- Audited statements from an independent national firm
Correct answer: Consistently high returns regardless of market conditions
Consistently high returns regardless of market conditions is correct because real investments fluctuate; suspiciously steady, above-market returns are a classic indicator that returns are being fabricated.
- A program charges members a large entry fee and pays them bonuses for each new recruit they enroll, with little or no genuine product sold. This is best classified as which scheme?
- A Ponzi scheme
- A skimming scheme
- A pyramid scheme
- A conflict of interest
Correct answer: A pyramid scheme
A pyramid scheme is correct because revenue and payouts depend on continuous recruitment of fee-paying members rather than retail product sales, the defining trait of an illegal pyramid.
- A fraudster compromises a supplier's email account, then emails the buyer new banking details so future payments go to the fraudster. This is best classified as which scheme?
- A register disbursement scheme
- Cash larceny
- A vendor-impersonation business email compromise
- A ghost employee scheme
Correct answer: A vendor-impersonation business email compromise
A vendor-impersonation BEC is correct because the fraudster used a compromised supplier email to redirect legitimate payments by changing banking details, a common BEC variant.
- Malicious software that encrypts an organization's files and demands payment to restore access is best categorized under which schemes-section topic?
- Cyberfraud
- Financial statement fraud
- Conflicts of interest
- Cash larceny
Correct answer: Cyberfraud
Cyberfraud is correct because ransomware is a technology-enabled extortion attack, falling within the cyberfraud category alongside phishing, malware, and business email compromise.
- A thief rummages through a victim's trash to recover discarded bank statements and then uses the account details to commit fraud. This data-gathering tactic supports which scheme?
- A pyramid scheme
- Skimming
- Identity theft
- Check tampering
Correct answer: Identity theft
Identity theft is correct because dumpster diving for personal financial documents is a method of obtaining identifying information to misuse, which underpins identity theft.
- A fraudster files a tax return using a victim's name and Social Security number to claim a refund. This is best classified as which type of fraud?
- Identity theft (tax-related)
- Cash larceny
- A Ponzi scheme
- A conflict of interest
Correct answer: Identity theft (tax-related)
Tax-related identity theft is correct because the fraudster used another individual's personal identifying information without authorization to file a fraudulent return, a recognized identity-theft variant.
- Which scheme is characterized as off-book because the stolen funds never enter the victim's accounting system?
- Financial statement fraud
- Check tampering
- Cash larceny
- Skimming
Correct answer: Skimming
Skimming is correct because the funds are taken before being recorded, leaving no trace in the books, which is precisely why it is described as an off-book scheme.
- An employee voids a legitimate completed sale in the POS system and removes the corresponding cash. This is best classified as which scheme?
- A ghost employee scheme
- Skimming
- A pass-through billing scheme
- A false void register disbursement scheme
Correct answer: A false void register disbursement scheme
A false void register disbursement scheme is correct because the employee canceled a real sale to justify removing cash, with the void recorded in the register, making it an on-book register disbursement.
- Which statement best contrasts a billing scheme with check tampering?
- Billing schemes involve only cash; check tampering involves only inventory
- In a billing scheme the fraudster submits false claims so the company issues a payment; in check tampering the fraudster manipulates the company's own checks
- Billing schemes are corruption; check tampering is financial statement fraud
- Billing schemes require forgery; check tampering does not
Correct answer: In a billing scheme the fraudster submits false claims so the company issues a payment; in check tampering the fraudster manipulates the company's own checks
The submit-false-claims versus manipulate-checks contrast is correct because billing schemes trigger an authorized payment through fraudulent documentation, while check tampering involves directly forging or altering the organization's payment instruments.
- An employee adds a terminated coworker back to the active payroll and reroutes the pay to himself. This is which type of payroll scheme?
- A commission scheme
- A falsified hours scheme
- An expense reimbursement scheme
- A ghost employee scheme using a former employee
Correct answer: A ghost employee scheme using a former employee
A ghost employee scheme using a former employee is correct because a real but no-longer-employed person is kept active so the fraudster can collect their pay, a recognized ghost-employee variant.
- A claims-processing employee submits a reimbursement for a conference she never attended, including a fabricated registration receipt. This is best classified as which type of expense reimbursement fraud?
- Multiple reimbursements
- Overstated expenses
- Mischaracterized expenses
- Fictitious expenses
Correct answer: Fictitious expenses
Fictitious expenses is correct because the entire expense was invented and supported by a fabricated receipt, distinguishing it from inflating or mischaracterizing a real expense.
- Which of the following is most consistent with improper asset valuation as a financial statement fraud method?
- Recording a sale that never occurred
- Overstating inventory by failing to write down obsolete goods
- Misclassifying a personal meal as a business expense
- Hiding a known lawsuit liability
Correct answer: Overstating inventory by failing to write down obsolete goods
Overstating inventory by not writing down obsolete goods is correct because it inflates the reported value of assets, the defining feature of improper asset valuation in financial statement fraud.
- Which of the following best describes an illegal gratuity?
- A payment demanded under threat of harm
- A payment made before a decision to influence it
- An undisclosed ownership interest in a vendor
- Something of value given to reward an official action that has already been taken
Correct answer: Something of value given to reward an official action that has already been taken
A reward for an action already taken is correct because an illegal gratuity is given after the fact to reward a decision, whereas a bribe is offered beforehand to influence the decision.
- Which of the following scenarios is the clearest example of a noncash asset misappropriation rather than a cash scheme?
- An employee submits an inflated mileage claim
- A cashier pockets currency before recording the sale
- A warehouse worker steals laptops from inventory and resells them
- A clerk forges a company check
Correct answer: A warehouse worker steals laptops from inventory and resells them
Stealing laptops from inventory is correct because the misappropriated item is a physical noncash asset, while the other options involve cash, checks, or reimbursements.
- A fraudster intercepts an outgoing company check and signs the back as the payee to deposit it into his own account. This is which check tampering subtype?
- An altered payee scheme
- A concealed check scheme
- A forged maker scheme
- A forged endorsement scheme
Correct answer: A forged endorsement scheme
A forged endorsement scheme is correct because the fraudster forged the payee's endorsement to negotiate a check made out to someone else, distinct from forging the maker's signature.
- Why is financial statement fraud often considered the most damaging branch of occupational fraud despite being the least frequent?
- It typically involves manipulating large reported figures, producing the highest median loss
- It is always committed by low-level employees
- It is impossible to detect
- It only occurs in private companies
Correct answer: It typically involves manipulating large reported figures, producing the highest median loss
Manipulating large reported figures is correct because financial statement fraud distorts material amounts in the statements, leading to the largest median losses even though it occurs least often.
- An employee responsible for both receiving customer payments and recording them takes cash and conceals it through lapping. Which control weakness most enabled this?
- Lack of segregation of duties
- Mandatory vacation policies
- Excessive external audits
- Too many approval signatures
Correct answer: Lack of segregation of duties
Lack of segregation of duties is correct because allowing one person to both receive and record payments created the opportunity to steal and conceal funds through lapping without independent checks.
- In a kickback scheme, who typically initiates the arrangement and benefits from the inflated transaction?
- A bank reverses a fraudulent charge
- A vendor pays an employee who in turn approves overpriced or unnecessary purchases
- A customer overpays an invoice by mistake
- An auditor adjusts the financial statements
Correct answer: A vendor pays an employee who in turn approves overpriced or unnecessary purchases
A vendor paying an employee to approve overpriced purchases is correct because kickbacks involve a vendor secretly compensating an inside employee in exchange for favorable, often inflated, business.
- A retail clerk takes part of a sale and records the sale for less than the actual amount, an example of understated-sales skimming. What makes this an off-book scheme?
- A check was forged to take the money
- The theft was disclosed to management
- The portion of the sale taken was never fully recorded in the books
- The cash was recorded and then removed
Correct answer: The portion of the sale taken was never fully recorded in the books
The unrecorded portion of the sale is correct because understated-sales skimming records less than the true sale amount, so the stolen funds never fully enter the books, defining it as off-book.
- Which scheme involves stealing cash that has already been entered into the cash register or accounting system?
- Cash larceny
- A billing scheme
- A conflict of interest
- Skimming
Correct answer: Cash larceny
Cash larceny is correct because by definition it is the theft of funds that have already been recorded, the on-book counterpart to skimming.
- An employee responsible for petty cash removes currency and replaces missing funds with falsified receipts. This on-book theft of recorded funds is best classified as which scheme?
- Cash larceny from petty cash
- Identity theft
- Skimming
- A pass-through billing scheme
Correct answer: Cash larceny from petty cash
Cash larceny from petty cash is correct because the petty cash was already recorded as an asset, and the employee stole it and used false receipts to conceal the shortage.
- Which document trail is most useful for detecting a shell-company billing scheme?
- Vendor master file additions matched against business registration and physical address checks
- Customer satisfaction surveys
- Employee vacation schedules
- Marketing campaign budgets
Correct answer: Vendor master file additions matched against business registration and physical address checks
Matching vendor master file additions against registration and address verification is correct because shell vendors are fictitious, so verifying their legitimacy exposes the scheme.
- A purchasing employee approves invoices from a vendor that bills for goods never delivered. This is which billing-scheme subtype?
- A nonaccomplice (false) invoicing scheme for goods not received
- A forged maker scheme
- A ghost employee scheme
- A false void register scheme
Correct answer: A nonaccomplice (false) invoicing scheme for goods not received
A false invoicing scheme for undelivered goods is correct because the company pays for items it never received, a core billing-scheme variant involving fraudulent invoices.
- Which scheme would most likely be revealed by reconciling the payroll register to the human resources active-employee list?
- A conflict of interest
- A ghost employee scheme
- A Ponzi scheme
- A false refund scheme
Correct answer: A ghost employee scheme
A ghost employee scheme is correct because reconciling payroll to HR records exposes names being paid who are not legitimately employed, the signature of ghost-employee fraud.
- A supervisor inflates the hours reported for a real, willing accomplice employee and they split the extra pay. This is best classified as which payroll scheme?
- A check tampering scheme
- A ghost employee scheme
- A falsified-hours-and-salary scheme
- A skimming scheme
Correct answer: A falsified-hours-and-salary scheme
A falsified-hours scheme is correct because a genuine employee's reported hours are overstated to generate excess pay, a payroll scheme distinct from paying a nonexistent ghost.
- A sales rep claims reimbursement for client entertainment that was actually a personal vacation. This is best classified as which expense reimbursement fraud type?
- Fictitious expenses
- Mischaracterized expenses
- Multiple reimbursements
- Overstated expenses
Correct answer: Mischaracterized expenses
Mischaracterized expenses is correct because a real personal expense was falsely presented as a legitimate business expense to obtain reimbursement.
- An employee buys a low-cost meal but alters the receipt to read a much higher amount before submitting it. This is best classified as which expense reimbursement fraud type?
- Multiple reimbursements
- Fictitious expenses
- Mischaracterized expenses
- Overstated expenses
Correct answer: Overstated expenses
Overstated expenses is correct because the actual cost of a real expense was inflated to claim a larger reimbursement than was spent.
- Which scheme is detected by analyzing voids and refunds at the point of sale grouped by cashier?
- Financial statement fraud
- A register disbursement scheme
- A conflict of interest
- A Ponzi scheme
Correct answer: A register disbursement scheme
A register disbursement scheme is correct because clustering excessive voids or refunds under one cashier reveals the false transactions used to remove cash from the register.
- A cashier issues refunds to a gift card she controls for returns that never happened. This is best classified as which scheme?
- A billing scheme
- Skimming
- A false refund register disbursement scheme
- Check tampering
Correct answer: A false refund register disbursement scheme
A false refund register disbursement scheme is correct because the cashier recorded fictitious refunds at the register and directed the value to herself.
- Recording revenue in the current period that should be recognized in a later period is best described as which financial statement fraud method?
- Improper asset valuation
- Concealed liabilities
- Improper disclosures
- Timing differences (improper timing of revenue recognition)
Correct answer: Timing differences (improper timing of revenue recognition)
Timing differences is correct because the fraud shifts when revenue is recognized to inflate current-period results, distinct from inventing sales outright.
- A company fails to disclose a material pending lawsuit in its financial statement footnotes. This is best classified as which financial statement fraud method?
- Timing differences
- Concealed liabilities and improper disclosures
- Improper asset valuation
- Fictitious revenue
Correct answer: Concealed liabilities and improper disclosures
Concealed liabilities and improper disclosures is correct because hiding a material legal obligation withholds information that users need, misstating the company's true financial position.
- A city inspector refuses to approve a permit unless the applicant pays him personally. This is best classified as which corruption scheme?
- An illegal gratuity
- A kickback offered by a vendor
- A conflict of interest
- Economic extortion
Correct answer: Economic extortion
Economic extortion is correct because the official coerced a payment by threatening to withhold a required approval, distinguishing it from a voluntarily offered bribe.
- Which of the following best illustrates a conflict of interest in purchasing?
- A buyer awards a contract to a firm in which he secretly holds an ownership stake
- A buyer accepts a payment to award a contract
- A buyer is threatened into approving a payment
- A buyer steals cash from the register
Correct answer: A buyer awards a contract to a firm in which he secretly holds an ownership stake
A buyer awarding a contract to a firm he secretly owns is correct because the undisclosed ownership interest, not an outside payment, drives the corrupt decision, defining a conflict of interest.
- Which feature is most diagnostic of a Ponzi scheme versus a legitimate fund?
- Returns are paid from incoming investor capital rather than investment gains
- Returns track a published market index
- The fund undergoes independent audits
- The manager discloses all holdings
Correct answer: Returns are paid from incoming investor capital rather than investment gains
Returns paid from incoming capital is correct because a Ponzi scheme lacks genuine earnings and relies on new deposits to fund 'returns,' unlike a legitimate fund.
- A pyramid scheme collapses primarily because:
- Members stop buying the real product
- Audit fees increase
- The pool of potential new recruits becomes exhausted
- Regulators lower interest rates
Correct answer: The pool of potential new recruits becomes exhausted
Exhaustion of new recruits is correct because pyramid payouts depend on ever-expanding recruitment; when new members can no longer be found, the structure cannot sustain payments.
- A finance employee receives a spoofed email appearing to be from a known vendor with updated wire instructions and changes the payment details. This is best classified as which scheme?
- A register disbursement scheme
- Business email compromise (vendor impersonation)
- Cash larceny
- A ghost employee scheme
Correct answer: Business email compromise (vendor impersonation)
Business email compromise via vendor impersonation is correct because a deceptive email posing as a trusted vendor induced the employee to redirect payments to the fraudster.
- A criminal uses stolen personal data to take over a victim's existing bank account and drain it. This is best classified as which scheme?
- Account takeover identity theft
- A conflict of interest
- Skimming
- A pyramid scheme
Correct answer: Account takeover identity theft
Account takeover identity theft is correct because the fraudster used another person's identifying information to seize control of and misuse an existing account.
- Which of the following is the best example of asset misappropriation involving the misuse rather than theft of a company asset?
- An employee uses the company vehicle for a personal moving business on weekends
- An employee accepts a kickback
- An employee fabricates a footnote disclosure
- An employee inflates reported revenue
Correct answer: An employee uses the company vehicle for a personal moving business on weekends
Using the company vehicle for a personal business is correct because misuse of a company asset for personal benefit is a form of noncash asset misappropriation, distinct from financial statement or corruption schemes.
- A controller writes company checks to himself and records them as payments to a legitimate vendor. This combines check tampering with which concealment technique?
- Recruiting new investors
- Recording the disbursement to a real vendor account to hide it
- Forging an endorsement only
- Issuing a false refund
Correct answer: Recording the disbursement to a real vendor account to hide it
Recording the disbursement against a real vendor account is correct because disguising a self-payment as a normal vendor payment conceals the check tampering within ordinary transactions.
- Which scheme is most directly associated with the term 'pay-and-return' overbilling?
- A register disbursement scheme
- A billing scheme
- A ghost employee scheme
- Identity theft
Correct answer: A billing scheme
A billing scheme is correct because pay-and-return is a recognized billing-scheme tactic in which a vendor intentionally overbills and a colluding employee facilitates the overpayment.
- A sales manager records goods 'sold' to a related party that has the right to return them all next quarter, inflating current revenue. This is best classified as which scheme?
- Financial statement fraud through improper revenue recognition
- Cash larceny
- A conflict of interest
- A billing scheme
Correct answer: Financial statement fraud through improper revenue recognition
Financial statement fraud through improper revenue recognition is correct because revenue is booked on transactions lacking economic substance to inflate reported results.
- Which describes the relationship between corruption and asset misappropriation in the Fraud Tree?
- They are two separate primary branches of occupational fraud
- Both are subtypes of financial statement fraud
- Asset misappropriation is a subtype of corruption
- Corruption is a subtype of asset misappropriation
Correct answer: They are two separate primary branches of occupational fraud
They are two separate primary branches is correct because the Fraud Tree treats corruption and asset misappropriation as distinct top-level categories, alongside financial statement fraud.
- A homebuyer is offered a 'no documentation' mortgage where income is fabricated to qualify for a larger loan. This financial scheme is best classified as:
- Mortgage fraud (a financial crime scheme)
- A conflict of interest
- A register disbursement scheme
- A ghost employee scheme
Correct answer: Mortgage fraud (a financial crime scheme)
Mortgage fraud is correct because falsifying income to obtain a loan is a financial crime scheme within the financial transactions and schemes section.
- An employee creates fake customer accounts and books sales to them to meet revenue targets, knowing the receivables will never be collected. This is best classified as which scheme?
- Skimming
- Fictitious revenue financial statement fraud
- Bribery
- A pyramid scheme
Correct answer: Fictitious revenue financial statement fraud
Fictitious revenue financial statement fraud is correct because sales to nonexistent customers were recorded to inflate revenue, a textbook fictitious-revenue scheme.
- Which of the following best distinguishes a Ponzi scheme from a pyramid scheme in terms of structure?
- A Ponzi has no operator; a pyramid has one operator
- A Ponzi always sells products; a pyramid never does
- A Ponzi is legal; a pyramid is illegal
- A Ponzi relies on a central operator paying returns; a pyramid relies on participants recruiting downstream members
Correct answer: A Ponzi relies on a central operator paying returns; a pyramid relies on participants recruiting downstream members
The central-operator versus recruitment distinction is correct because Ponzi schemes funnel money to one operator who pays returns, while pyramids spread payouts through layered recruitment by participants.
- A fraudster sets up a near-identical domain to a company's and emails an employee posing as the CFO to request gift card purchases. This is best classified as which scheme?
- A conflict of interest
- Business email compromise
- Financial statement fraud
- Cash larceny
Correct answer: Business email compromise
Business email compromise is correct because a look-alike domain was used to impersonate an executive and induce fraudulent purchases, a common BEC tactic.
- Synthetic identity fraud, in which a criminal combines real and fabricated personal details to create a new identity, is a variant of which scheme?
- A pyramid scheme
- Skimming
- Identity theft
- A billing scheme
Correct answer: Identity theft
Identity theft is correct because synthetic identity fraud misuses personal identifying information, blending real and fake data, to create and exploit a fraudulent identity.
- Which control most directly reduces the opportunity for cash larceny at the register?
- Independent reconciliation of register totals to cash on hand by someone other than the cashier
- Removing surveillance cameras
- Eliminating receipts
- Allowing the cashier to perform their own reconciliation
Correct answer: Independent reconciliation of register totals to cash on hand by someone other than the cashier
Independent reconciliation by someone other than the cashier is correct because comparing recorded sales to actual cash by an independent person detects on-book cash larceny shortages.
- Which scheme is best described as the theft of incoming checks that are then converted by forging the company's endorsement?
- A pyramid scheme
- A check tampering scheme involving stolen incoming checks
- A ghost employee scheme
- A register disbursement scheme
Correct answer: A check tampering scheme involving stolen incoming checks
A check tampering scheme involving stolen incoming checks is correct because intercepting checks and forging endorsements to convert them is a payment-tampering technique.
- Which is the strongest indicator that an expense reimbursement scheme of the 'multiple reimbursements' type is occurring?
- Expenses are always small
- Receipts are always missing
- The same receipt or expense is claimed on more than one report
- Reimbursements are always denied
Correct answer: The same receipt or expense is claimed on more than one report
The same expense claimed on multiple reports is correct because submitting one expense more than once for repeated payment is the defining feature of the multiple-reimbursements scheme.
- Which scheme typically requires the fraudster to have access to add or modify entries in the vendor master file?
- A false void register scheme
- A shell-company billing scheme
- Cash larceny from a register
- Skimming of unrecorded sales
Correct answer: A shell-company billing scheme
A shell-company billing scheme is correct because creating a fictitious vendor to bill the company requires the ability to add that vendor to the master file.
- A manager pressures the accounting team to capitalize ordinary repair costs as long-term assets to boost current earnings. This is best classified as which scheme?
- Financial statement fraud through improper capitalization
- Bribery
- Identity theft
- A billing scheme
Correct answer: Financial statement fraud through improper capitalization
Financial statement fraud through improper capitalization is correct because recording expenses as assets understates current costs and overstates earnings and assets, a financial statement manipulation.
- Which corruption scheme involves a third party offering something of value to influence a decision before it is made?
- Bribery
- An illegal gratuity
- Economic extortion
- A conflict of interest
Correct answer: Bribery
Bribery is correct because it is the offering or giving of something of value to influence an official or business decision before the decision is made.
- A warehouse manager writes off good inventory as 'damaged,' then sells it personally. This is best classified as which scheme?
- A register disbursement scheme
- A Ponzi scheme
- Financial statement fraud
- Noncash asset misappropriation concealed by false write-offs
Correct answer: Noncash asset misappropriation concealed by false write-offs
Noncash asset misappropriation concealed by false write-offs is correct because physical inventory was stolen and the theft was hidden by recording the goods as damaged.
- Which scheme is detected by comparing direct deposit bank account numbers across the employee population for duplicates?
- Financial statement fraud
- A ghost employee scheme
- Bribery
- A pyramid scheme
Correct answer: A ghost employee scheme
A ghost employee scheme is correct because ghost employees' pay is often routed to a real fraudster's account, producing duplicate bank account numbers across the payroll.
- An employee accepts a luxury vacation from a supplier as thanks for renewing the supplier's contract, with no prior agreement. This is best classified as which scheme?
- Economic extortion
- A billing scheme
- An illegal gratuity
- A conflict of interest
Correct answer: An illegal gratuity
An illegal gratuity is correct because the benefit was given to reward a decision already made, without a prior agreement to influence it, distinguishing it from a bribe.
- Affinity fraud, in which a fraudster exploits membership in a common religious or ethnic group to promote a fraudulent investment, is most often used to perpetrate which scheme?
- A register disbursement scheme
- Check tampering
- A Ponzi scheme
- Cash larceny
Correct answer: A Ponzi scheme
A Ponzi scheme is correct because affinity fraud commonly recruits trusting members of a shared community into investment frauds that pay early investors with later investors' money.
- Which best describes 'smishing' in the cyberfraud context?
- A scheme to forge company checks
- A scheme to add ghost employees
- Fraudulent text messages designed to trick victims into revealing information or sending money
- A scheme to inflate inventory values
Correct answer: Fraudulent text messages designed to trick victims into revealing information or sending money
Fraudulent text messages is correct because smishing is SMS-based phishing, a cyberfraud technique that uses deceptive texts to steal data or funds.
- Card skimming, in which a device captures payment-card data at an ATM or terminal, primarily enables which downstream scheme?
- A conflict of interest
- Identity theft and payment card fraud
- Financial statement fraud
- A ghost employee scheme
Correct answer: Identity theft and payment card fraud
Identity theft and payment card fraud is correct because captured card data is used to commit unauthorized transactions and misuse of the victim's identity.
- Which of the following is the clearest example of a fraudulent disbursement?
- An employee accepts a kickback from a supplier
- An employee takes cash before it is recorded
- An employee causes the company to issue a check to a fictitious vendor
- An employee misstates revenue in the ledger
Correct answer: An employee causes the company to issue a check to a fictitious vendor
Issuing a check to a fictitious vendor is correct because fraudulent disbursements cause the company to pay out money through its normal disbursement process for an illegitimate purpose.
- A bookkeeper records a personal loan repayment as a 'consulting expense' and pays it with a company check. This combines check tampering with which technique?
- Issuing a false refund
- Forging a customer endorsement
- Misclassifying the disbursement in the general ledger to conceal it
- Recruiting new investors
Correct answer: Misclassifying the disbursement in the general ledger to conceal it
Misclassifying the disbursement is correct because labeling a personal payment as a consulting expense conceals the fraudulent check within ordinary expense accounts.
- Which scheme is most likely indicated by a vendor whose invoices always fall just below the threshold requiring a second approver?
- Identity theft
- A Ponzi scheme
- A register disbursement scheme
- A billing scheme structured to avoid approval controls
Correct answer: A billing scheme structured to avoid approval controls
A billing scheme structured to avoid approval controls is correct because invoices set just under approval limits are a classic tactic to keep fraudulent payments below additional scrutiny.
- Which best describes how 'lapping' delays detection of skimmed receivables?
- Later payments are applied to earlier accounts so no single account appears overdue for long
- Revenue is recognized early
- Checks are forged and concealed
- Inventory is written off as damaged
Correct answer: Later payments are applied to earlier accounts so no single account appears overdue for long
Applying later payments to earlier accounts is correct because lapping continuously rolls payments forward, masking the shortage so no account stays conspicuously delinquent.
- Which scheme would a sudden, unexplained rise in 'sales returns and allowances' at a single store most likely indicate?
- Bribery
- A ghost employee scheme
- A Ponzi scheme
- A false refund register disbursement scheme
Correct answer: A false refund register disbursement scheme
A false refund register disbursement scheme is correct because spikes in refunds without corresponding returned merchandise point to fictitious refunds used to remove cash.
- Which of the following is most consistent with a corruption scheme rather than asset misappropriation?
- An employee steals petty cash
- An employee secretly arranges for a supplier to overcharge in exchange for a personal payment
- An employee skims cash before recording
- An employee forges a company check
Correct answer: An employee secretly arranges for a supplier to overcharge in exchange for a personal payment
Arranging supplier overcharges for a personal payment is correct because it involves collusion and abuse of influence in a transaction, the hallmark of corruption rather than direct asset theft.
- A start-up promoter raises money claiming proprietary technology that does not exist and uses new investments to pay 'profits' to earlier backers. This is best classified as which scheme?
- A billing scheme
- Check tampering
- A Ponzi scheme
- A pyramid scheme
Correct answer: A Ponzi scheme
A Ponzi scheme is correct because a central operator paid fabricated returns from new investor money, with no genuine profit-generating technology behind the claims.
- Which scenario best illustrates the 'opportunity' an employee exploits in a skimming scheme, from a schemes-classification standpoint?
- Routine surprise cash counts
- A published list of all vendors
- A mandatory two-week vacation
- Sole control over receiving and recording customer cash payments
Correct answer: Sole control over receiving and recording customer cash payments
Sole control over receiving and recording cash is correct because skimming requires the ability to take incoming cash before it is recorded, which unsupervised handling of receipts enables.
- Which scheme is characterized by inflating the value of receivables to present a stronger balance sheet?
- Skimming
- Bribery
- A ghost employee scheme
- Improper asset valuation financial statement fraud
Correct answer: Improper asset valuation financial statement fraud
Improper asset valuation financial statement fraud is correct because overstating receivables inflates reported assets, misrepresenting the company's financial position.
- An employee colludes with an outside vendor to submit invoices for inflated quantities, splitting the overpayment. This is best classified as which scheme?
- A billing scheme involving collusion with a vendor
- A false void scheme
- Identity theft
- A ghost employee scheme
Correct answer: A billing scheme involving collusion with a vendor
A billing scheme involving vendor collusion is correct because inflated invoices cause excess payments that the colluding insider and vendor share, a recognized billing-scheme variant.
- Which is the best example of identity theft used to facilitate employment fraud?
- A worker forges a company check
- A worker inflates their hours
- A worker uses another person's Social Security number to obtain a job
- A worker submits a duplicate receipt
Correct answer: A worker uses another person's Social Security number to obtain a job
Using another's Social Security number to obtain a job is correct because misusing someone's personal identifying information for employment is an identity-theft variant.
- Which scheme is most directly concealed by 'force-balancing' the cash drawer (entering a false amount so it appears to reconcile)?
- Cash larceny
- Bribery
- A pyramid scheme
- A conflict of interest
Correct answer: Cash larceny
Cash larceny is correct because force-balancing falsifies the reconciliation to hide a shortage created when recorded cash was stolen.
- Which of the following best characterizes a 'bust-out' scheme?
- An auditor conceals a liability
- A business builds credit, makes large purchases on credit, then disappears without paying
- An employee skims unrecorded sales
- A company inflates inventory values
Correct answer: A business builds credit, makes large purchases on credit, then disappears without paying
Building credit then disappearing without paying is correct because a bust-out is a planned financial crime scheme that maximizes credit purchases before abandoning the obligations.
- Which scheme would a comparison of payroll headcount to badge-access or timekeeping records most directly help detect?
- A register disbursement scheme
- A Ponzi scheme
- A ghost employee scheme
- A conflict of interest
Correct answer: A ghost employee scheme
A ghost employee scheme is correct because employees being paid who never badge in or appear in time records strongly indicate nonexistent ghost workers.
- Which corruption subtype is present when an employee fails to disclose that a vendor he approves is owned by a close family member?
- A conflict of interest
- Economic extortion
- Bribery
- An illegal gratuity
Correct answer: A conflict of interest
A conflict of interest is correct because the undisclosed family ownership creates a competing interest that improperly influences the employee's business decisions.
- A scammer convinces a victim they have won a lottery but must first pay 'taxes and fees' to collect. This consumer fraud is best classified as:
- A ghost employee scheme
- An advance-fee fraud scheme
- Financial statement fraud
- Check tampering
Correct answer: An advance-fee fraud scheme
An advance-fee fraud scheme is correct because the victim is induced to pay upfront fees to receive a promised payout that never materializes, a consumer fraud scheme.
- Which scheme is best detected by analyzing whether a single employee both creates vendors and approves their invoices?
- A billing scheme enabled by inadequate segregation of duties
- A Ponzi scheme
- A false refund scheme
- Identity theft
Correct answer: A billing scheme enabled by inadequate segregation of duties
A billing scheme enabled by inadequate segregation of duties is correct because one person controlling both vendor setup and approval can create and pay fictitious invoices undetected.
- Which best describes how a 'forged maker' check scheme differs from an 'altered payee' check scheme?
- Both forge endorsements only
- A forged maker fakes the authorized signature; an altered payee changes the payee on an otherwise valid check
- A forged maker is a register scheme; an altered payee is a billing scheme
- Neither involves the company's own checks
Correct answer: A forged maker fakes the authorized signature; an altered payee changes the payee on an otherwise valid check
Faking the signature versus changing the payee is correct because a forged-maker scheme fabricates the signer's authorization, while an altered-payee scheme modifies who an already-authorized check is payable to.
- Which scheme typically produces no missing-cash discrepancy because the funds were never recorded in the first place?
- A register false void
- Cash larceny
- Petty cash larceny
- Skimming
Correct answer: Skimming
Skimming is correct because off-book theft leaves no record of the funds, so a comparison of recorded cash to actual cash will not reveal a shortage.
- A controller books a large unearned customer deposit as revenue to hit a quarterly target. This is best classified as which scheme?
- Financial statement fraud via premature revenue recognition
- A billing scheme
- Bribery
- Skimming
Correct answer: Financial statement fraud via premature revenue recognition
Financial statement fraud via premature revenue recognition is correct because recognizing a deposit before the revenue is earned overstates current-period income.
- Which is the best example of a noncash 'misuse' scheme versus a noncash 'theft' scheme?
- An employee removes raw materials and never returns them
- An employee permanently steals company laptops
- An employee resells stolen inventory
- An employee borrows company equipment for personal use and returns it later
Correct answer: An employee borrows company equipment for personal use and returns it later
Borrowing equipment and returning it is correct because misuse involves temporary unauthorized use rather than permanent removal, which would be theft.
- Which scheme is indicated when a salesperson records fictitious orders near period-end and then reverses them after the reporting deadline?
- Cash larceny
- A ghost employee scheme
- Identity theft
- Financial statement fraud through fictitious or prematurely recognized sales
Correct answer: Financial statement fraud through fictitious or prematurely recognized sales
Financial statement fraud through fictitious or premature sales is correct because booking and then reversing sales around the deadline manipulates reported revenue.
- An employee in accounts receivable steals a customer's cash payment and posts a fake credit memo to zero out the customer's balance. This concealment supports which scheme?
- Bribery
- A register disbursement scheme
- A ghost employee scheme
- Receivables skimming concealed with a fraudulent credit memo
Correct answer: Receivables skimming concealed with a fraudulent credit memo
Receivables skimming concealed with a fraudulent credit memo is correct because the incoming payment was taken before recording, and a false credit memo hid the missing balance.
- Which scheme is the clearest example of corruption committed against a government procurement process?
- A contractor's cashier skims cash
- A contractor inflates its own revenue
- A contractor pays a public official to receive confidential competitor bids
- A contractor forges its own checks
Correct answer: A contractor pays a public official to receive confidential competitor bids
Paying a public official for confidential bids is correct because it is a bribery/corruption scheme abusing influence in the procurement process, not an internal asset or statement fraud.
- Which best describes 'pump and dump' as a financial/investment scheme?
- Forging the maker on a check
- Adding ghost employees to payroll
- Inflating a stock's price with false promotion, then selling at the peak and leaving others with losses
- Stealing cash before it is recorded
Correct answer: Inflating a stock's price with false promotion, then selling at the peak and leaving others with losses
Inflating then selling is correct because pump-and-dump artificially boosts a security's price through false hype so the perpetrators can sell high, an investment fraud scheme.
- Which control most directly addresses the opportunity for expense reimbursement fraud?
- Eliminating receipt requirements
- Allowing self-approval of expenses
- Independent review of expense reports against original itemized receipts
- Paying reimbursements in cash only
Correct answer: Independent review of expense reports against original itemized receipts
Independent review against original itemized receipts is correct because comparing claims to genuine receipts detects mischaracterized, overstated, fictitious, and duplicate expenses.
- A fraudster registers a business solely to issue invoices to a former employer for services never rendered. This is best classified as which scheme?
- A ghost employee scheme
- A shell-company billing scheme
- A register false void
- Identity theft
Correct answer: A shell-company billing scheme
A shell-company billing scheme is correct because a fictitious or non-operating entity exists only to bill the victim for nonexistent goods or services.
- Which of the following best illustrates a kickback within construction contracting?
- An accountant misstates project revenue
- A clerk skims petty cash
- A subcontractor pays the project manager to approve inflated change orders
- A laborer steals tools from the site
Correct answer: A subcontractor pays the project manager to approve inflated change orders
A subcontractor paying the project manager for inflated change orders is correct because the secret payment to influence approvals is a classic kickback corruption scheme.
- Which scheme would surveillance footage showing refunds processed with no customer present most directly support?
- A false refund register disbursement scheme
- A Ponzi scheme
- A conflict of interest
- Skimming of unrecorded sales
Correct answer: A false refund register disbursement scheme
A false refund register disbursement scheme is correct because refunds entered with no customer present indicate fictitious refunds used to extract cash from the register.
- Which best characterizes the difference between bribery and a conflict of interest?
- Bribery is legal; a conflict of interest is not
- Bribery involves an outside payment to influence a decision; a conflict of interest involves the employee's own undisclosed interest
- Bribery involves inventory; a conflict of interest involves cash
- Bribery is a financial statement scheme; a conflict of interest is not
Correct answer: Bribery involves an outside payment to influence a decision; a conflict of interest involves the employee's own undisclosed interest
Outside payment versus the employee's own interest is correct because bribery centers on a payment from a third party, while a conflict of interest arises from the employee's hidden personal stake.
- A scammer poses as a romantic partner online and persuades the victim to send money for a fabricated emergency. This consumer fraud is best classified as:
- Financial statement fraud
- A ghost employee scheme
- A register disbursement scheme
- A romance/social-engineering scam
Correct answer: A romance/social-engineering scam
A romance/social-engineering scam is correct because the fraudster builds trust to manipulate the victim into sending money, a consumer fraud relying on social engineering.
- Which scheme is most associated with the manipulation of inventory counts to overstate ending inventory and thus net income?
- Bribery
- Improper asset valuation financial statement fraud
- Skimming
- A ghost employee scheme
Correct answer: Improper asset valuation financial statement fraud
Improper asset valuation financial statement fraud is correct because overstating inventory reduces cost of goods sold and inflates reported net income, a financial statement manipulation.
- Which scheme requires the perpetrator to convert the company's own outgoing payment instrument for personal benefit?
- Skimming
- Check and payment tampering
- Cash larceny
- A pyramid scheme
Correct answer: Check and payment tampering
Check and payment tampering is correct because the fraudster manipulates the organization's own checks or electronic payments, distinguishing it from stealing incoming cash.
- Which of the following best illustrates 'capability' enabling a complex billing scheme, from a schemes-detection perspective?
- An employee with no system access
- An employee with authority to add vendors and approve payments without independent review
- An employee subject to daily supervisor review
- An employee in an unrelated department
Correct answer: An employee with authority to add vendors and approve payments without independent review
An employee with authority to add vendors and approve payments is correct because that combined access provides the practical ability to create and pay fraudulent invoices.
- A fraudster files for unemployment benefits using stolen identities of real workers. This is best classified as which scheme?
- A Ponzi scheme
- Skimming
- Identity theft (benefits fraud)
- A conflict of interest
Correct answer: Identity theft (benefits fraud)
Identity theft for benefits fraud is correct because the fraudster misused other people's personal identifying information to claim benefits, an identity-theft variant.
- Which scheme is most likely when a vendor's invoices are paid promptly but the goods never appear in receiving records?
- A billing scheme for goods not received
- A ghost employee scheme
- Skimming
- A register false void
Correct answer: A billing scheme for goods not received
A billing scheme for goods not received is correct because payments without matching receiving records indicate invoices for nonexistent deliveries.
- Which best describes 'check kiting' as a financial crime scheme?
- Exploiting the float between banks by writing checks against nonexistent funds across accounts
- Forging an employee's timesheet
- Recording fictitious revenue
- Stealing inventory and reselling it
Correct answer: Exploiting the float between banks by writing checks against nonexistent funds across accounts
Exploiting bank float is correct because check kiting uses the timing delay in clearing checks among accounts to create artificial balances from nonexistent funds.
- Which scheme is most consistent with an employee who approves their own travel advances and never submits reconciling receipts?
- A register disbursement scheme
- Expense reimbursement fraud through unsupported advances
- A Ponzi scheme
- Bribery
Correct answer: Expense reimbursement fraud through unsupported advances
Expense reimbursement fraud through unsupported advances is correct because self-approved, unreconciled advances allow the employee to retain company funds claimed as expenses.
- Which of the following is the strongest example of financial statement fraud through improper disclosure?
- Stealing cash from the register
- Forging a company check
- Omitting a material related-party transaction from the financial statement notes
- Adding a ghost employee
Correct answer: Omitting a material related-party transaction from the financial statement notes
Omitting a material related-party transaction is correct because failing to disclose information users need to understand the statements is an improper-disclosure financial statement fraud.
- Which best describes how skimming of refunds differs from a register disbursement false refund?
- Both add ghost employees
- Both forge company checks
- Skimming takes unrecorded incoming funds; a false refund records a fictitious refund to remove recorded cash
- Both are off-book
Correct answer: Skimming takes unrecorded incoming funds; a false refund records a fictitious refund to remove recorded cash
The off-book skim versus recorded false refund is correct because skimming takes funds before recording, while a register false refund creates a recorded transaction to justify removing cash.
- An executive arranges round-trip 'sales' with another company where each buys equal amounts from the other to inflate both companies' revenues. This is best classified as which scheme?
- Skimming
- A billing scheme
- Financial statement fraud through round-tripping
- Identity theft
Correct answer: Financial statement fraud through round-tripping
Financial statement fraud through round-tripping is correct because reciprocal sales with no economic substance artificially inflate reported revenue on both sides.
- Which scheme is best described as occupational fraud committed by an employee against the employing organization?
- Only money services fraud
- Only consumer investment fraud
- Only identity theft by outsiders
- Any of corruption, asset misappropriation, or financial statement fraud committed by an insider
Correct answer: Any of corruption, asset misappropriation, or financial statement fraud committed by an insider
Insider corruption, asset misappropriation, or financial statement fraud is correct because occupational fraud is defined as the use of one's occupation for personal enrichment through misuse of the employer's resources.
- A grocery cashier scans items at a discount for friends without authorization. This is best classified as which scheme?
- Bribery
- A noncash/under-ringing asset misappropriation scheme
- Check tampering
- A Ponzi scheme
Correct answer: A noncash/under-ringing asset misappropriation scheme
An under-ringing asset misappropriation scheme is correct because the cashier abused position to give away company value (discounted goods) for personal benefit, an asset misappropriation variant.
- Which of the following best illustrates a corruption scheme involving 'something of value' that is not cash?
- A cashier steals currency
- A clerk skims unrecorded sales
- An accountant overstates inventory
- A vendor provides free home renovations to a manager who keeps awarding contracts
Correct answer: A vendor provides free home renovations to a manager who keeps awarding contracts
Free home renovations for continued contract awards is correct because 'something of value' in bribery includes non-cash benefits exchanged to influence business decisions.
- Which scheme is most likely behind a pattern of slightly inflated mileage claims across many trips?
- A ghost employee scheme
- Overstated expense reimbursement fraud
- A Ponzi scheme
- Check tampering
Correct answer: Overstated expense reimbursement fraud
Overstated expense reimbursement fraud is correct because consistently inflating mileage on real trips claims reimbursement above what was actually incurred.
- Which best describes a 'salami slicing' scheme?
- Inflating ending inventory
- Recruiting investors to pay earlier ones
- Forging endorsements on checks
- Stealing tiny amounts repeatedly so each theft is too small to notice
Correct answer: Stealing tiny amounts repeatedly so each theft is too small to notice
Stealing tiny amounts repeatedly is correct because salami slicing takes small, individually unnoticeable sums that accumulate into significant losses, an asset misappropriation technique.
- Which scheme is most likely indicated by duplicate invoice numbers paid to the same vendor in a short window?
- A ghost employee scheme
- A register false void
- Identity theft
- A billing scheme using duplicate invoices
Correct answer: A billing scheme using duplicate invoices
A billing scheme using duplicate invoices is correct because paying the same invoice twice, or near-duplicates, is a common billing-fraud red flag.
- A fraud ring uses stolen card numbers to buy goods online and reship them for resale. The use of others' card data makes this primarily which scheme?
- Identity theft / payment card fraud
- A conflict of interest
- Financial statement fraud
- A ghost employee scheme
Correct answer: Identity theft / payment card fraud
Identity theft / payment card fraud is correct because misusing other people's payment-card identity data to make purchases is an identity-theft-based scheme.
- Which best contrasts financial statement fraud with asset misappropriation in terms of who usually benefits?
- Both always enrich only outsiders
- Neither benefits anyone
- Financial statement fraud often benefits the organization's reported results; asset misappropriation directly enriches the individual
- Both always enrich only the company
Correct answer: Financial statement fraud often benefits the organization's reported results; asset misappropriation directly enriches the individual
Benefiting reported results versus enriching the individual is correct because financial statement fraud typically makes the company look better, while asset misappropriation diverts assets to the perpetrator.
- Which scheme would a sudden increase in 'miscellaneous' or 'consulting' expense accounts paid to new vendors most likely indicate?
- A register false refund
- A Ponzi scheme
- Cash larceny
- A billing scheme routed through vague expense accounts
Correct answer: A billing scheme routed through vague expense accounts
A billing scheme routed through vague expense accounts is correct because fraudsters often hide fictitious payments in catch-all accounts to avoid scrutiny.
- An employee with check-signing authority writes checks to a relative for fictitious 'commissions.' This is best classified as which scheme?
- Skimming
- A fraudulent disbursement combining check authority and a fictitious payee
- Identity theft
- A pyramid scheme
Correct answer: A fraudulent disbursement combining check authority and a fictitious payee
A fraudulent disbursement with a fictitious payee is correct because the employee abused signing authority to issue company checks for fabricated obligations to an accomplice.
- Which best describes how a conflict-of-interest purchase scheme harms the employer?
- The employer overpays or transacts on unfavorable terms because of the employee's hidden interest
- The employer's cash is skimmed before recording
- The employer's inventory is stolen
- The employer's checks are forged
Correct answer: The employer overpays or transacts on unfavorable terms because of the employee's hidden interest
Overpaying due to the employee's hidden interest is correct because conflicts of interest cause the employer to enter transactions skewed by the employee's undisclosed personal stake.
- Which scheme is most consistent with a worker who is never absent, refuses to share duties, and resists any review of their accounts receivable work?
- A pyramid scheme
- A skimming/lapping scheme that requires constant concealment
- A Ponzi scheme
- A register false void
Correct answer: A skimming/lapping scheme that requires constant concealment
A skimming/lapping scheme requiring constant concealment is correct because lapping must be continuously maintained, so perpetrators often refuse vacations and oversight to keep the scheme hidden.
- Which of the following best describes 'wash trading' as a market fraud scheme?
- Stealing recorded cash from a drawer
- Forging a maker signature
- Buying and selling the same security to create misleading trading volume
- Adding ghost employees
Correct answer: Buying and selling the same security to create misleading trading volume
Buying and selling the same security to fake volume is correct because wash trading creates the false appearance of market activity to deceive other investors.
- Which scheme is indicated when payroll continues issuing checks to an employee after their documented termination date?
- A ghost employee scheme using a terminated worker
- A register false refund
- A Ponzi scheme
- A conflict of interest
Correct answer: A ghost employee scheme using a terminated worker
A ghost employee scheme using a terminated worker is correct because continuing to pay someone after termination signals their records were kept active so a fraudster could collect the pay.
- Which best describes the financial crime of 'invoice redirection'?
- Recording fictitious revenue
- Forging a timesheet
- Stealing physical inventory
- Deceiving a payer into sending payment for a genuine invoice to a fraudster's account
Correct answer: Deceiving a payer into sending payment for a genuine invoice to a fraudster's account
Deceiving a payer into redirecting a genuine invoice payment is correct because invoice redirection (a BEC variant) changes legitimate payment details so funds go to the fraudster.
- Which scheme would benchmarking each cashier's refund rate against peers most directly help uncover?
- A Ponzi scheme
- Bribery
- A register disbursement scheme
- Financial statement fraud
Correct answer: A register disbursement scheme
A register disbursement scheme is correct because a cashier with an abnormally high refund or void rate compared to peers signals fictitious refunds or voids used to take cash.
- An executive backdates compensation entries and misstates expense to flatter earnings. This is best classified as which scheme?
- A billing scheme
- Skimming
- A pyramid scheme
- Financial statement fraud through understated expenses
Correct answer: Financial statement fraud through understated expenses
Financial statement fraud through understated expenses is correct because manipulating recorded expense distorts reported earnings, a financial statement manipulation.
- Which of the following best illustrates an off-book corruption payment?
- A vendor pays an employee in cash that never touches the company's accounts to win business
- An accountant overstates inventory
- A clerk forges a company check
- An employee skims unrecorded sales
Correct answer: A vendor pays an employee in cash that never touches the company's accounts to win business
A vendor paying an employee in untraceable cash is correct because corrupt payments are often made off the books, outside the victim organization's records, to influence decisions.
- Which scheme is most consistent with a 'free trial' that silently converts to recurring high charges the consumer never authorized?
- Check tampering
- A ghost employee scheme
- Skimming
- A deceptive recurring-billing consumer fraud scheme
Correct answer: A deceptive recurring-billing consumer fraud scheme
A deceptive recurring-billing consumer fraud scheme is correct because charging consumers for unauthorized ongoing fees through misleading 'free trial' offers is a consumer fraud scheme.
- Which best describes the role of 'opportunity' in classifying why asset misappropriation is so common?
- It always requires collusion
- It requires no internal access
- Most employees have access to some cash, inventory, or disbursement process they can exploit
- Only executives can commit it
Correct answer: Most employees have access to some cash, inventory, or disbursement process they can exploit
Broad access to assets is correct because nearly all employees can reach some cash, goods, or payment process, giving widespread opportunity for asset misappropriation.
- Which scheme is best detected by tracing a check's bank-cleared image to confirm the actual payee and endorsement?
- A conflict of interest
- A Ponzi scheme
- Check and payment tampering
- Skimming
Correct answer: Check and payment tampering
Check and payment tampering is correct because comparing the cleared check image to records reveals altered payees or forged endorsements characteristic of tampering.
- Which of the following is the clearest example of a fraudulent disbursement disguised as payroll?
- Overstating ending inventory
- Skimming cash before it is recorded
- Accepting a vendor kickback
- Adding a ghost employee and routing their net pay to the fraudster
Correct answer: Adding a ghost employee and routing their net pay to the fraudster
Adding a ghost employee and routing pay is correct because it causes the company to disburse funds through payroll to a nonexistent worker for the fraudster's benefit.
- Which scheme is most likely when an investment 'fund' refuses redemptions, citing constantly shifting reasons, while still soliciting new money?
- A ghost employee scheme
- A Ponzi scheme nearing collapse
- A register false void
- Check tampering
Correct answer: A Ponzi scheme nearing collapse
A Ponzi scheme nearing collapse is correct because blocking redemptions while seeking new investors signals the operator cannot pay existing investors without fresh inflows.
- Which best describes the difference between a pyramid scheme and a legitimate multi-level marketing company?
- A legitimate MLM never pays recruiters
- A pyramid sells only real products
- There is no difference
- A legitimate MLM derives revenue from real product sales; a pyramid derives it mainly from recruitment fees
Correct answer: A legitimate MLM derives revenue from real product sales; a pyramid derives it mainly from recruitment fees
Product sales versus recruitment fees is correct because lawful MLMs are sustained by genuine retail sales, whereas illegal pyramids depend on continual recruitment payments.
- Which scheme is indicated when a manager consistently approves a single vendor's bids while declining to document why competitors were rejected, and that vendor secretly pays the manager?
- Skimming
- Financial statement fraud
- A bribery/kickback corruption scheme
- A register false refund
Correct answer: A bribery/kickback corruption scheme
A bribery/kickback corruption scheme is correct because secret payments to steer business to a favored vendor are the defining structure of commercial bribery.
- Which scheme is best described as creating fictitious assets, such as fake bank confirmations, to support overstated balances?
- Skimming
- A ghost employee scheme
- A register false void
- Improper asset valuation financial statement fraud
Correct answer: Improper asset valuation financial statement fraud
Improper asset valuation financial statement fraud is correct because fabricating support for nonexistent or inflated assets misstates the balance sheet, a financial statement fraud.
- Which of the following is the best example of a consumer-facing investment fraud rather than occupational fraud?
- A promoter sells worthless 'pre-IPO' shares to the public
- A clerk skims store cash
- A buyer takes a vendor kickback
- A controller forges payroll checks
Correct answer: A promoter sells worthless 'pre-IPO' shares to the public
Selling worthless pre-IPO shares to the public is correct because it targets outside investors with a fraudulent investment, unlike occupational frauds committed against an employer.
- Which scheme is most consistent with an employee who creates a vendor, has goods shipped to a personal address, and approves the resulting invoice?
- Identity theft
- A billing scheme for personal purchases via a controlled vendor
- A Ponzi scheme
- Cash larceny
Correct answer: A billing scheme for personal purchases via a controlled vendor
A billing scheme for personal purchases via a controlled vendor is correct because the employee used a fraudulent vendor and approval authority to obtain goods at the company's expense.
- Which scheme is best uncovered by matching shipping/receiving documents to vendor invoices?
- A conflict of interest unrelated to purchases
- A billing scheme for goods not received
- Identity theft
- A Ponzi scheme
Correct answer: A billing scheme for goods not received
A billing scheme for goods not received is correct because reconciling invoices to actual receiving documents exposes payments for deliveries that never occurred.
- Which describes 'identity cloning' within identity theft?
- A fraudster assumes a victim's identity to live and work as that person over time
- A fraudster forges a company check
- A fraudster inflates inventory
- A fraudster skims cash
Correct answer: A fraudster assumes a victim's identity to live and work as that person over time
Assuming a victim's identity to live as them is correct because identity cloning is an identity-theft variant where the fraudster impersonates the victim continuously.
- Which scheme is most likely when reported gross margin improves sharply but operating cash flow stays flat or declines?
- A register false refund
- Skimming of cash sales
- A ghost employee scheme
- Financial statement fraud inflating non-cash revenue or assets
Correct answer: Financial statement fraud inflating non-cash revenue or assets
Financial statement fraud inflating non-cash revenue is correct because rising reported profits unmatched by cash flow can signal fictitious revenue or inflated assets rather than real earnings.
- Which best describes the corruption scheme of 'bid rigging'?
- Competitors or insiders collude to control who wins a contract and at what price
- An accountant overstates assets
- A clerk skims unrecorded cash
- A cashier under-rings sales
Correct answer: Competitors or insiders collude to control who wins a contract and at what price
Colluding to control bid outcomes is correct because bid rigging manipulates a supposedly competitive process through corrupt collusion, a corruption scheme.
- Which scheme is indicated when an employee deletes the audit trail after issuing a company check to themselves?
- A pyramid scheme
- A concealed check tampering scheme
- Skimming
- A Ponzi scheme
Correct answer: A concealed check tampering scheme
A concealed check tampering scheme is correct because suppressing or deleting records of a self-issued check hides the fraudulent disbursement.
- Which of the following best illustrates expense reimbursement fraud through fictitious expenses?
- An employee submits the same receipt twice
- An employee inflates a real meal receipt
- An employee submits a fabricated taxi receipt for a ride that never happened
- An employee mislabels a personal trip as business
Correct answer: An employee submits a fabricated taxi receipt for a ride that never happened
A fabricated taxi receipt for a ride that never happened is correct because the entire expense is invented, defining the fictitious-expenses category.
- Which scheme is most consistent with a vendor whose ownership traces back to an employee's spouse and whose prices exceed market rates?
- Skimming
- A Ponzi scheme
- A register false refund
- A conflict of interest in purchasing
Correct answer: A conflict of interest in purchasing
A conflict of interest in purchasing is correct because undisclosed family ownership combined with above-market pricing reflects a hidden interest steering the company's spending.
- Which scheme is best described as recording a sale before the goods are shipped or the service is performed?
- Skimming
- A ghost employee scheme
- Premature revenue recognition financial statement fraud
- A register false void
Correct answer: Premature revenue recognition financial statement fraud
Premature revenue recognition financial statement fraud is correct because booking revenue before it is earned misstates the timing of income to inflate current results.
- Which best describes the asset misappropriation subtype of 'misappropriation of intangible assets'?
- Forging an endorsement
- Skimming cash before recording
- Issuing a false refund
- Stealing trade secrets or proprietary data for personal gain
Correct answer: Stealing trade secrets or proprietary data for personal gain
Stealing trade secrets or proprietary data is correct because intangible assets like confidential information can be misappropriated, a noncash asset misappropriation form.
- Which scheme would matching vendor addresses to employee home addresses most directly help detect?
- A Ponzi scheme
- Cash larceny
- A register false void
- A shell-company billing scheme
Correct answer: A shell-company billing scheme
A shell-company billing scheme is correct because a vendor address matching an employee's home strongly suggests a fictitious vendor controlled by that employee.
- Which scheme is most consistent with a worker who is paid for overtime while badge records show they had already left for the day?
- Identity theft
- A Ponzi scheme
- A register false refund
- A falsified-hours payroll scheme
Correct answer: A falsified-hours payroll scheme
A falsified-hours payroll scheme is correct because claiming overtime not actually worked overstates compensable hours, a payroll fraud variant.
- Which best describes 'malware-enabled fraud' in the schemes section?
- Using malicious software to steal data or credentials that enable fraudulent transactions
- Overstating ending inventory
- Skimming unrecorded cash
- Forging a maker signature
Correct answer: Using malicious software to steal data or credentials that enable fraudulent transactions
Using malicious software to steal data is correct because malware is a cyberfraud tool that captures credentials or data to facilitate fraudulent transactions.
- Which scheme is indicated when a single approver signs off on invoices, receiving reports, and vendor setup with no second review?
- A Ponzi scheme
- A register false refund
- Identity theft
- A billing scheme enabled by concentrated control
Correct answer: A billing scheme enabled by concentrated control
A billing scheme enabled by concentrated control is correct because one person controlling vendor setup, receiving, and approval can fabricate and pay invoices unchecked.
- Which of the following best characterizes corruption as a Fraud Tree branch?
- Schemes that only take unrecorded cash
- Schemes that only manipulate the financial statements
- Schemes that only steal physical inventory
- Schemes in which an employee misuses influence in a transaction to gain a benefit, often with a third party
Correct answer: Schemes in which an employee misuses influence in a transaction to gain a benefit, often with a third party
Misusing influence in a transaction with a third party is correct because corruption involves the wrongful exercise of influence, distinguishing it from outright asset theft or statement manipulation.
- Which scheme is best detected by comparing the timing of large revenue entries to shipping records near period-end?
- Financial statement fraud through cut-off manipulation
- A ghost employee scheme
- Skimming
- Check tampering
Correct answer: Financial statement fraud through cut-off manipulation
Financial statement fraud through cut-off manipulation is correct because revenue recorded without matching shipments near period-end signals improper sales cut-off to inflate results.
- Which of the following best illustrates an employee skimming through 'unrecorded sales' at a service business?
- Forging a payroll check
- Stealing recorded cash from the safe
- Overstating inventory
- Performing a side job for a client on company time and pocketing the cash without recording it
Correct answer: Performing a side job for a client on company time and pocketing the cash without recording it
Performing an unrecorded side job for cash is correct because the revenue never entered the company's books, the defining off-book trait of skimming.
- Which scheme is most consistent with a vendor that submits invoices with sequential numbers used only for one customer?
- A Ponzi scheme
- A register false refund
- A shell-company billing scheme serving a single victim
- A ghost employee scheme
Correct answer: A shell-company billing scheme serving a single victim
A shell-company billing scheme serving a single victim is correct because a vendor billing only one customer with tidy sequential invoices suggests a fictitious entity created for that target.
- Which best describes an 'employee embezzlement' in Fraud Tree terms?
- A consumer investment scheme
- An asset misappropriation in which an employee entrusted with assets diverts them for personal use
- A financial statement misstatement only
- A bribery scheme by a vendor
Correct answer: An asset misappropriation in which an employee entrusted with assets diverts them for personal use
An asset misappropriation by a trusted employee is correct because embezzlement is the diversion of assets entrusted to the employee, a core asset misappropriation form.
- Which scheme would a tip that 'a manager always insists on personally handling one supplier' most likely point to?
- A register false void
- Skimming of cash sales
- Identity theft
- A corruption scheme such as a kickback or conflict of interest
Correct answer: A corruption scheme such as a kickback or conflict of interest
A corruption scheme such as a kickback or conflict of interest is correct because insistence on exclusive control of one supplier relationship is a classic corruption red flag.
- Which of the following best describes 'short and over' analysis for detecting cash schemes?
- Reviewing footnote disclosures
- Reviewing cash drawer overages and shortages to spot patterns of larceny
- Reviewing inventory valuations
- Reviewing investor recruitment trees
Correct answer: Reviewing cash drawer overages and shortages to spot patterns of larceny
Reviewing drawer overages and shortages is correct because recurring shortages can reveal cash larceny, where recorded cash is stolen from the drawer.
- Which scheme is most consistent with an employee submitting expenses in a currency conversion that consistently favors them?
- A Ponzi scheme
- Overstated expense reimbursement fraud through manipulated conversions
- A ghost employee scheme
- A register false refund
Correct answer: Overstated expense reimbursement fraud through manipulated conversions
Overstated expense reimbursement fraud through manipulated conversions is correct because skewing exchange rates inflates the reimbursed amount above the true cost.
- Which best describes 'social engineering' as it relates to cyberfraud schemes?
- Forging a maker signature
- Overstating inventory in the ledger
- Skimming unrecorded cash
- Manipulating people into divulging information or taking actions that enable fraud
Correct answer: Manipulating people into divulging information or taking actions that enable fraud
Manipulating people into enabling fraud is correct because social engineering exploits human trust, underpinning phishing, BEC, and related cyberfraud schemes.
- Which scheme is indicated when a company repeatedly records large fourth-quarter sales that are reversed in the first quarter every year?
- Skimming
- A ghost employee scheme
- Financial statement fraud through recurring fictitious or premature sales
- Check tampering
Correct answer: Financial statement fraud through recurring fictitious or premature sales
Financial statement fraud through recurring fictitious or premature sales is correct because a consistent book-then-reverse pattern around year-end signals manipulation of reported revenue.
- Which scheme is best described as a vendor and employee splitting the proceeds of intentionally overpriced purchases?
- Skimming
- A kickback scheme
- Identity theft
- A register false void
Correct answer: A kickback scheme
A kickback scheme is correct because the corrupt employee approves inflated purchases and shares the excess with the colluding vendor, a corruption scheme.
- Which best characterizes how an investor can spot a likely Ponzi scheme before collapse?
- Returns vary with the market and strategies are transparent
- Promised returns are unusually consistent and high, with vague or secretive strategies
- The fund is registered and audited
- Statements reconcile to independent custodians
Correct answer: Promised returns are unusually consistent and high, with vague or secretive strategies
Consistent high returns with secretive strategies is correct because such hallmarks suggest fabricated returns rather than genuine, market-exposed investing.
- Which scheme is most consistent with new participants discovering they are 'paying to work' through mandatory purchases of inventory they must resell?
- Skimming
- A pyramid scheme disguised as a sales opportunity
- Check tampering
- A Ponzi scheme
Correct answer: A pyramid scheme disguised as a sales opportunity
A pyramid scheme disguised as a sales opportunity is correct because requiring participants to buy inventory while emphasizing recruitment over genuine sales is a pyramid hallmark.
- Which scheme is best detected by verifying that each refund at a register is tied to an original sale transaction?
- A false refund register disbursement scheme
- A conflict of interest
- A Ponzi scheme
- A ghost employee scheme
Correct answer: A false refund register disbursement scheme
A false refund register disbursement scheme is correct because requiring refunds to match an original sale exposes fictitious refunds processed to remove cash.
- Which best describes the asset misappropriation scheme of 'inventory shrinkage' caused by theft?
- Investors are recruited
- Revenue is recorded twice
- Checks are forged
- Physical inventory disappears faster than legitimate sales and adjustments explain
Correct answer: Physical inventory disappears faster than legitimate sales and adjustments explain
Unexplained physical inventory loss is correct because shrinkage beyond normal causes signals theft of noncash assets, an asset misappropriation indicator.
- Which scheme is most consistent with an employee who insists on receiving and opening all incoming mail containing customer checks?
- Financial statement fraud
- A check-theft skimming scheme
- A register false void
- A Ponzi scheme
Correct answer: A check-theft skimming scheme
A check-theft skimming scheme is correct because controlling incoming mail lets an employee intercept and divert customer checks before they are recorded.
- Which best describes a 'fictitious vendor' as used in billing schemes?
- A real vendor that delivers goods
- A customer who overpays
- A nonexistent or non-operating entity set up to receive fraudulent payments
- A government auditor
Correct answer: A nonexistent or non-operating entity set up to receive fraudulent payments
A nonexistent or non-operating entity is correct because fictitious vendors exist only on paper to channel fraudulent disbursements to the perpetrator.
- Which scheme is indicated when a company classifies recurring operating costs as 'extraordinary' to make ongoing earnings look stronger?
- Skimming
- Bribery
- Financial statement fraud through improper classification
- A ghost employee scheme
Correct answer: Financial statement fraud through improper classification
Financial statement fraud through improper classification is correct because mislabeling recurring costs distorts the presentation of ongoing performance, a financial statement manipulation.
- Which best describes the corruption scheme present when a loan officer approves an unqualified borrower in exchange for a hidden fee?
- Skimming
- Bribery
- Financial statement fraud
- A register false refund
Correct answer: Bribery
Bribery is correct because the officer accepted a secret payment to influence a lending decision, the defining structure of a bribe.
- Which scheme is most consistent with an investment program that pays referral bonuses for enrolling others and has no real product?
- Check tampering
- A pyramid scheme
- Skimming
- A Ponzi scheme
Correct answer: A pyramid scheme
A pyramid scheme is correct because compensation depends on recruiting new fee-paying participants rather than selling a genuine product.
- Which scheme is best uncovered by confirming that listed employees have valid, non-duplicated tax identification records?
- A register false refund
- A ghost employee scheme
- A conflict of interest
- A Ponzi scheme
Correct answer: A ghost employee scheme
A ghost employee scheme is correct because invalid or duplicated identifiers among 'employees' indicate fabricated workers on the payroll.
- Which best describes 'vishing' as a cyberfraud technique?
- Forging a company check
- Inflating inventory values
- Skimming unrecorded cash
- Voice phone calls used to deceive victims into revealing information or sending money
Correct answer: Voice phone calls used to deceive victims into revealing information or sending money
Voice calls used to deceive is correct because vishing is voice phishing, a cyberfraud method that uses phone calls to manipulate victims.
- Which scheme is indicated when an employee creates a duplicate payee record with a slightly different spelling to route payments to themselves?
- A billing scheme using a near-duplicate vendor record
- A register false void
- A Ponzi scheme
- Cash larceny
Correct answer: A billing scheme using a near-duplicate vendor record
A billing scheme using a near-duplicate vendor record is correct because near-duplicate payees are used to slip fraudulent payments past controls that watch for exact duplicates.
- Which best describes the difference between embezzlement and larceny in a workplace context?
- Embezzlement is legal; larceny is not
- Embezzlement involves only checks; larceny involves only cash
- There is no difference
- Embezzlement involves assets lawfully entrusted to the employee; larceny involves taking assets not entrusted to them
Correct answer: Embezzlement involves assets lawfully entrusted to the employee; larceny involves taking assets not entrusted to them
Entrusted versus not-entrusted is correct because embezzlement misuses assets the employee was authorized to handle, while larceny is the taking of assets the person had no rightful access to.
- Which scheme is most consistent with revenue that grows steadily while receivables grow much faster and remain uncollected?
- A ghost employee scheme
- A register false refund
- Financial statement fraud through fictitious or uncollectible sales
- Skimming
Correct answer: Financial statement fraud through fictitious or uncollectible sales
Financial statement fraud through fictitious or uncollectible sales is correct because revenue rising alongside ballooning, uncollected receivables suggests sales were recorded that will never be paid.
- Which best describes 'pretexting' in fraud schemes?
- Overstating inventory
- Forging an endorsement
- Using a fabricated scenario to obtain personal information or access for fraud
- Recruiting downstream investors
Correct answer: Using a fabricated scenario to obtain personal information or access for fraud
Using a fabricated scenario to obtain information is correct because pretexting is a social-engineering technique that invents a pretext to extract data enabling fraud such as identity theft.
- Which scheme is most consistent with a manager approving overtime for friends who did not work it, then sharing the proceeds?
- A falsified-hours payroll scheme with an accomplice
- A Ponzi scheme
- A register false refund
- Identity theft
Correct answer: A falsified-hours payroll scheme with an accomplice
A falsified-hours payroll scheme with an accomplice is correct because overstating hours for real, colluding employees to split excess pay is a payroll fraud variant.
- Which best characterizes 'occupational fraud' per the ACFE definition?
- Only identity theft by outsiders
- Using one's occupation for personal enrichment through deliberate misuse of the employer's resources
- Only securities fraud by promoters
- Any consumer scam against the public
Correct answer: Using one's occupation for personal enrichment through deliberate misuse of the employer's resources
Using one's occupation for personal enrichment is correct because occupational fraud is defined by an employee abusing their position and the employer's resources for personal gain.
- Which scheme is most consistent with an employee writing company checks payable to 'cash' and converting them personally?
- A pyramid scheme
- Identity theft
- A check tampering scheme using checks payable to cash
- Skimming
Correct answer: A check tampering scheme using checks payable to cash
A check tampering scheme using checks payable to cash is correct because issuing and converting checks made out to 'cash' is a payment-tampering method to divert funds.
- Which best describes a corruption scheme where an employee secretly owns a competitor and diverts the employer's customers to it?
- A register false refund
- A conflict of interest causing diversion of business
- Financial statement fraud
- Skimming
Correct answer: A conflict of interest causing diversion of business
A conflict of interest causing diversion of business is correct because the employee's undisclosed competing ownership improperly redirects the employer's opportunities for personal gain.
- Which scheme is most consistent with an unexpected surge in investors demanding withdrawals causing an operator to abruptly halt all payouts?
- A ghost employee scheme
- A register false refund
- Check tampering
- A Ponzi scheme that has run out of new money
Correct answer: A Ponzi scheme that has run out of new money
A Ponzi scheme that has run out of new money is correct because a redemption surge exposes that the operator was paying returns from new deposits, not real profits.
- Which best describes the key fraud-classification reason expense reimbursement schemes persist?
- Receipts are always independently audited
- Employees cannot submit expenses
- Reimbursements are often approved with limited verification of supporting receipts
- Reimbursements are never paid
Correct answer: Reimbursements are often approved with limited verification of supporting receipts
Limited verification of supporting receipts is correct because weak review of claims gives employees the opportunity to mischaracterize, overstate, fabricate, or duplicate expenses.
- Which scheme is most consistent with an employee who controls a register and processes frequent small 'no sale' openings followed by shortages?
- Financial statement fraud
- Cash larceny from the register
- Bribery
- A Ponzi scheme
Correct answer: Cash larceny from the register
Cash larceny from the register is correct because repeated no-sale openings paired with shortages indicate recorded cash being removed from the drawer.
- Which best characterizes 'invoice padding' within a billing scheme?
- Recruiting new investors
- Adding unauthorized or inflated charges to otherwise legitimate invoices
- Recording fictitious revenue
- Forging an endorsement
Correct answer: Adding unauthorized or inflated charges to otherwise legitimate invoices
Adding unauthorized or inflated charges is correct because padding inflates legitimate invoices so the company overpays, a billing-scheme technique.
- Which scheme is most consistent with a vendor whose only contact is an employee's personal cell phone and whose invoices lack detail?
- A Ponzi scheme
- A shell-company billing scheme
- A ghost employee scheme
- A register false refund
Correct answer: A shell-company billing scheme
A shell-company billing scheme is correct because a vendor reachable only through an employee and submitting vague invoices indicates a fictitious entity the employee controls.
- Which best describes 'identity theft via account application fraud'?
- Using stolen personal data to open new accounts in the victim's name
- Forging a maker signature
- Stealing recorded cash
- Overstating inventory
Correct answer: Using stolen personal data to open new accounts in the victim's name
Using stolen data to open new accounts is correct because new-account fraud is an identity-theft variant exploiting the victim's identifying information.
- Which scheme is most consistent with a controller who books a fake gain on the sale of an asset that was never sold?
- Skimming
- A ghost employee scheme
- Financial statement fraud through fictitious transactions
- A register false refund
Correct answer: Financial statement fraud through fictitious transactions
Financial statement fraud through fictitious transactions is correct because recording a gain on a nonexistent sale fabricates income to flatter the statements.
- Which best describes the corruption scheme present when a regulator accepts payment to overlook violations?
- Financial statement fraud
- Skimming
- Bribery of a public official
- A register false refund
Correct answer: Bribery of a public official
Bribery of a public official is correct because accepting payment to ignore violations is the corrupt acceptance of value to influence official action.
- Which scheme is most consistent with a 'recovery scam' that targets prior fraud victims by promising to recover their losses for an upfront fee?
- A ghost employee scheme
- Skimming
- Check tampering
- An advance-fee fraud scheme
Correct answer: An advance-fee fraud scheme
An advance-fee fraud scheme is correct because the victim pays upfront for a promised recovery that never occurs, a consumer fraud scheme often targeting prior victims.
- Which scheme is most consistent with the same fabricated expense appearing on both a personal credit card claim and a corporate card claim?
- A register false refund
- A Ponzi scheme
- A ghost employee scheme
- Multiple reimbursements expense fraud
Correct answer: Multiple reimbursements expense fraud
Multiple reimbursements expense fraud is correct because claiming the same expense through two channels seeks duplicate payment for one cost.
- Which best describes the asset misappropriation subtype where an employee uses a company purchasing card for personal items?
- Financial statement fraud
- Bribery
- A Ponzi scheme
- A purchasing-card (P-card) abuse scheme
Correct answer: A purchasing-card (P-card) abuse scheme
A purchasing-card abuse scheme is correct because using a company P-card for personal purchases misappropriates company funds, a fraudulent disbursement form.
- Which scheme is most consistent with a manager who blocks rotation of duties in cash handling and resists audits of their area?
- Identity theft
- A Ponzi scheme
- A concealed cash scheme such as skimming or larceny
- A pyramid scheme
Correct answer: A concealed cash scheme such as skimming or larceny
A concealed cash scheme such as skimming or larceny is correct because resistance to rotation and audit is a behavioral red flag that someone is hiding ongoing cash theft.
- Which best describes 'related-party transaction fraud' in financial statements?
- Adding a ghost employee
- Recording transactions with undisclosed affiliated entities to inflate results or hide losses
- Skimming cash before recording
- Forging an endorsement
Correct answer: Recording transactions with undisclosed affiliated entities to inflate results or hide losses
Recording undisclosed related-party transactions is correct because using affiliated entities to manipulate or conceal results is a financial statement fraud method.
- Which scheme is most consistent with a cashier who keeps a stash of customer receipts to support fictitious refunds later?
- A register disbursement scheme using fabricated documentation
- A Ponzi scheme
- Skimming
- Bribery
Correct answer: A register disbursement scheme using fabricated documentation
A register disbursement scheme using fabricated documentation is correct because saved receipts support false refunds entered to remove cash from the register.
- Which best characterizes the difference between a Ponzi scheme and ordinary embezzlement?
- A Ponzi defrauds outside investors with fake returns; embezzlement diverts an employer's entrusted assets
- Both target only investors
- Neither involves deception
- Both target only employers
Correct answer: A Ponzi defrauds outside investors with fake returns; embezzlement diverts an employer's entrusted assets
Defrauding investors versus diverting employer assets is correct because a Ponzi targets outside investors with fabricated returns, while embezzlement misuses assets entrusted by an employer.
- Which scheme is most consistent with an employee inflating the headcount on a contractor invoice they approve in exchange for a cash payment from the contractor?
- Identity theft
- Skimming
- A pyramid scheme
- A corruption scheme combining a kickback with a billing inflation
Correct answer: A corruption scheme combining a kickback with a billing inflation
A corruption scheme combining a kickback with billing inflation is correct because the secret payment to approve inflated charges is bribery/kickback corruption.
- Which best describes the asset misappropriation scheme of 'cash register theft via under-ringing'?
- Forging a maker signature
- Ringing a sale for less than the amount collected and keeping the difference
- Recording fictitious revenue
- Recruiting new investors
Correct answer: Ringing a sale for less than the amount collected and keeping the difference
Ringing a sale for less than collected is correct because under-ringing skims the difference between the true sale and the recorded amount, an off-book cash scheme.
- Which scheme is most consistent with a startup that reports rapidly growing 'users' tied to revenue that auditors cannot trace to real customers?
- Financial statement fraud through fabricated revenue metrics
- Skimming
- A register false refund
- A ghost employee scheme
Correct answer: Financial statement fraud through fabricated revenue metrics
Financial statement fraud through fabricated revenue metrics is correct because revenue that cannot be traced to genuine customers indicates fictitious revenue manipulation.
- Which best describes 'check washing' as a payment fraud technique?
- Chemically erasing a check's ink to alter the payee or amount
- Recruiting new investors
- Skimming unrecorded cash
- Overstating inventory
Correct answer: Chemically erasing a check's ink to alter the payee or amount
Chemically erasing a check's ink is correct because check washing alters a genuine check's payee or amount, a payment-tampering method.
- Which scheme is most consistent with a 'guaranteed' high-yield program that requires you to recruit others to unlock your own payouts?
- A ghost employee scheme
- A hybrid pyramid-Ponzi scheme
- A register false refund
- Check tampering
Correct answer: A hybrid pyramid-Ponzi scheme
A hybrid pyramid-Ponzi scheme is correct because conditioning payouts on recruitment (pyramid) while promising guaranteed returns funded by new money (Ponzi) combines both fraud structures.
- Which best describes the corruption scheme of an 'illegal gratuity' to a public official?
- Giving something of value to reward an official act already performed
- Demanding payment under threat
- Stealing recorded cash
- Overstating inventory
Correct answer: Giving something of value to reward an official act already performed
Giving value to reward an official act already performed is correct because an illegal gratuity rewards a completed act, in contrast to a bribe paid to influence a future decision.
- Which scheme is most consistent with an employee who routes all customer complaints about missing credits to themselves and resolves them quietly?
- Bribery
- A Ponzi scheme
- A register false void
- A receivables skimming scheme with active concealment
Correct answer: A receivables skimming scheme with active concealment
A receivables skimming scheme with active concealment is correct because intercepting and quietly resolving complaints about missing credits hides skimmed payments from detection.
- Which best characterizes the financial statement fraud method of 'cookie jar reserves'?
- Forging an endorsement
- Overstating reserves in good periods to release them and smooth earnings later
- Skimming cash before recording
- Recruiting downstream members
Correct answer: Overstating reserves in good periods to release them and smooth earnings later
Overstating reserves to release later is correct because cookie-jar reserves manipulate the timing of earnings, a financial statement fraud technique.
- Which scheme is most consistent with a vendor that only ever invoices for 'consulting' with no deliverables and is approved by one manager?
- A shell-company billing scheme for fictitious services
- A Ponzi scheme
- A ghost employee scheme
- A register false refund
Correct answer: A shell-company billing scheme for fictitious services
A shell-company billing scheme for fictitious services is correct because vague consulting invoices with no deliverables, approved by a single manager, indicate a fictitious vendor used to extract payments.
- Which best describes the asset misappropriation scheme of 'theft of incoming inventory before it is logged'?
- Forging a maker signature
- Recruiting new investors
- Recording fictitious revenue
- Diverting received goods before they are entered into inventory records
Correct answer: Diverting received goods before they are entered into inventory records
Diverting received goods before logging is correct because stealing inventory prior to its entry into records is an off-book noncash asset misappropriation.
- Which scheme is most consistent with an employee who creates fake customer refunds in an e-commerce system payable to their own digital wallet?
- A false refund disbursement scheme in a digital channel
- Bribery
- A Ponzi scheme
- Financial statement fraud
Correct answer: A false refund disbursement scheme in a digital channel
A false refund disbursement scheme in a digital channel is correct because processing fictitious refunds payable to a controlled wallet removes funds, the digital analog of a register false refund.
- Which best characterizes 'corruption' losses relative to asset misappropriation losses in occupational fraud studies?
- Corruption causes no losses
- Corruption schemes tend to cause larger median losses than asset misappropriation
- Corruption always causes the smallest losses
- Corruption is identical in loss to skimming
Correct answer: Corruption schemes tend to cause larger median losses than asset misappropriation
Corruption causing larger median losses than asset misappropriation is correct because corruption schemes, while less frequent than asset misappropriation, typically involve bigger amounts.
- Which scheme is most consistent with a payroll clerk who diverts amounts withheld from employees (such as benefits deductions) to a personal account?
- A register false refund
- A Ponzi scheme
- Identity theft
- A payroll fraud scheme diverting withholdings
Correct answer: A payroll fraud scheme diverting withholdings
A payroll fraud scheme diverting withholdings is correct because misappropriating amounts withheld from employees through the payroll process is a payroll fraud variant.
- Which best describes the financial crime of 'insurance fraud' through staged losses?
- Skimming unrecorded cash
- Recruiting downstream investors
- Forging a maker signature
- Deliberately causing or faking a loss to collect insurance proceeds
Correct answer: Deliberately causing or faking a loss to collect insurance proceeds
Deliberately faking a loss to collect proceeds is correct because staging losses to trigger insurance payouts is a financial crime scheme involving deception of the insurer.
- Which scheme is most consistent with an employee who consistently approves vendor invoices minutes before period-end close with minimal documentation?
- A register false refund
- Identity theft
- A billing scheme exploiting weak period-end review
- A Ponzi scheme
Correct answer: A billing scheme exploiting weak period-end review
A billing scheme exploiting weak period-end review is correct because rushing thinly documented invoices through at close is a tactic to push fraudulent payments past scrutiny.
- Which best describes 'identity theft via medical records'?
- Skimming cash before recording
- Forging a company check
- Using a victim's personal and insurance information to obtain medical services or drugs
- Overstating inventory
Correct answer: Using a victim's personal and insurance information to obtain medical services or drugs
Using a victim's information to obtain medical services is correct because medical identity theft misuses personal and insurance identifying data, an identity-theft variant.
- Which scheme is most consistent with a sales executive who books bill-and-hold transactions to pull future revenue into the current quarter without genuine customer demand?
- Financial statement fraud through improper bill-and-hold revenue
- Skimming
- A register false refund
- A ghost employee scheme
Correct answer: Financial statement fraud through improper bill-and-hold revenue
Financial statement fraud through improper bill-and-hold revenue is correct because recording revenue on goods not actually shipped or demanded improperly accelerates revenue recognition.
- Which best characterizes a 'kiting'-style payroll abuse versus a ghost employee scheme?
- Ghost employee schemes pay nonexistent workers, while falsified-hours schemes overpay real workers
- Both overpay only real workers
- Both pay only nonexistent workers
- Neither involves the payroll system
Correct answer: Ghost employee schemes pay nonexistent workers, while falsified-hours schemes overpay real workers
Ghost workers versus overpaid real workers is correct because ghost employee schemes fabricate payees, while falsified-hours schemes inflate compensation for genuine employees.
- Which scheme is most consistent with a manager who steers business to a vendor that quietly remodels the manager's home at no charge?
- Skimming
- A bribery/kickback corruption scheme using non-cash value
- Financial statement fraud
- A register false refund
Correct answer: A bribery/kickback corruption scheme using non-cash value
A bribery/kickback corruption scheme using non-cash value is correct because the free remodeling is 'something of value' given to influence the manager's business decisions.
- Which scheme is most consistent with an employee who deletes legitimate sales records and pockets the corresponding cash before the daily close?
- Skimming through deleted unrecorded sales
- A pyramid scheme
- Cash larceny from a safe
- A conflict of interest
Correct answer: Skimming through deleted unrecorded sales
Skimming through deleted unrecorded sales is correct because removing the sale from the records before close means the cash was never recorded, the off-book hallmark of skimming.
- Which best describes the asset misappropriation scheme of 'theft of scrap or returned goods'?
- Recording fictitious revenue
- Recruiting new investors
- Forging a maker signature
- Diverting scrap, returns, or salvage inventory for personal resale
Correct answer: Diverting scrap, returns, or salvage inventory for personal resale
Diverting scrap, returns, or salvage for personal resale is correct because misappropriating these noncash assets is a recognized inventory-theft variant.
- Which scheme is most consistent with a finance employee who is tricked by a spoofed law-firm email into wiring an 'urgent confidential acquisition' payment?
- A ghost employee scheme
- Financial statement fraud
- Business email compromise impersonating a trusted professional
- Cash larceny
Correct answer: Business email compromise impersonating a trusted professional
Business email compromise impersonating a trusted professional is correct because a fraudulent email posing as a law firm induced an unauthorized wire, a BEC variant.
- Which best characterizes the corruption scheme present when two competing bidders secretly agree to take turns winning contracts?
- Financial statement fraud
- Skimming
- Bid rotation, a form of bid rigging
- A register false refund
Correct answer: Bid rotation, a form of bid rigging
Bid rotation as bid rigging is correct because competitors colluding to alternate winning bids corruptly subverts the competitive process.
- Which scheme is most consistent with a controller who records depreciation far slower than warranted to keep reported assets and earnings high?
- Skimming
- A ghost employee scheme
- Bribery
- Financial statement fraud through improper asset valuation
Correct answer: Financial statement fraud through improper asset valuation
Financial statement fraud through improper asset valuation is correct because understating depreciation overstates net assets and income, misstating the financial position.
- Which best describes the difference between a false refund and a false void register scheme?
- Both forge company checks
- A false refund records a fake return; a false void cancels a real completed sale
- Neither involves the register
- Both add ghost employees
Correct answer: A false refund records a fake return; a false void cancels a real completed sale
A fake return versus canceling a real sale is correct because false refunds fabricate returns while false voids reverse genuine sales, both removing cash from the register.
- Which scheme is most consistent with a customer-service rep who uses captured account credentials to redirect a victim's funds to a money mule?
- Account takeover identity theft using stolen credentials
- Cash larceny
- A pyramid scheme
- A conflict of interest
Correct answer: Account takeover identity theft using stolen credentials
Account takeover identity theft using stolen credentials is correct because misusing another person's account credentials to move their money is an identity-theft variant.
- Which best characterizes the corruption scheme present when an employee accepts a vacation in exchange for steering a contract, with the deal arranged beforehand?
- Economic extortion
- Bribery using a non-cash benefit
- An illegal gratuity
- A conflict of interest
Correct answer: Bribery using a non-cash benefit
Bribery using a non-cash benefit is correct because the vacation was given by prior agreement to influence the contract decision, making it a bribe rather than an after-the-fact gratuity.
- Which scheme is most consistent with a promoter who claims a 'secret algorithm' generates steady profits but actually pays withdrawals from new deposits?
- Check tampering
- A Ponzi scheme disguised by a fake strategy
- Skimming
- A pyramid scheme
Correct answer: A Ponzi scheme disguised by a fake strategy
A Ponzi scheme disguised by a fake strategy is correct because returns come from new investor money rather than a real algorithm, the defining trait of a Ponzi.
- Which best describes the payroll scheme present when an employee inflates sales figures to earn unearned commissions?
- A commission payroll fraud scheme
- Skimming
- Bribery
- A ghost employee scheme
Correct answer: A commission payroll fraud scheme
A commission payroll fraud scheme is correct because falsifying sales to claim commissions not actually earned overstates payroll compensation, a payroll fraud variant.
- Which scheme is most consistent with a fraudster who recruits members promising big returns once they each enroll several paying recruits beneath them?
- Check tampering
- A Ponzi scheme
- Skimming
- A pyramid scheme
Correct answer: A pyramid scheme
A pyramid scheme is correct because payouts depend on each member recruiting paying participants beneath them rather than on selling a genuine product.
- Which best describes the asset misappropriation scheme present when an employee writes off a real customer's balance after stealing that customer's incoming payment?
- Cash larceny from a safe
- Bribery
- Receivables skimming concealed by a fraudulent write-off
- A pyramid scheme
Correct answer: Receivables skimming concealed by a fraudulent write-off
Receivables skimming concealed by a fraudulent write-off is correct because the incoming payment was taken off-book and the account was written off to hide the missing balance.
- Which stage of money laundering involves the initial introduction of illicit cash into the financial system?
- Layering
- Integration
- Structuring
- Placement
Correct answer: Placement
The correct stage is placement, which is the first phase of money laundering where 'dirty' cash is physically introduced into the financial system, such as by depositing it into a bank account or buying monetary instruments. Layering and integration occur only after the funds have already entered the system.
- In the three-stage money laundering model, what is the primary purpose of the layering stage?
- To physically deposit cash into a financial institution for the first time
- To file the required reports with financial regulators
- To create complex layers of transactions that obscure the audit trail and conceal the source of funds
- To return laundered funds to the criminal as apparently legitimate income
Correct answer: To create complex layers of transactions that obscure the audit trail and conceal the source of funds
The purpose of layering is to create complex layers of financial transactions to obscure the audit trail and distance the funds from their illegal origin. The initial deposit describes placement, and returning funds as legitimate income describes integration.
- A criminal moves laundered funds back into the legitimate economy by purchasing a business and reporting the income as business profits. Which money laundering stage does this represent?
- Layering
- Integration
- Placement
- Smurfing
Correct answer: Integration
This is integration, the final stage in which laundered money is reintroduced into the legitimate economy in a way that makes it appear to be lawfully earned income, such as through a business or real estate. Placement is the initial deposit of cash, and layering is the movement of funds to obscure the trail.
- Why is the placement stage generally considered the most vulnerable point at which money launderers can be detected?
- Integration creates a paper trail that regulators automatically review
- Funds have already been fully legitimized and are easy to trace
- Transactions are spread across many jurisdictions making them visible
- Large amounts of physical cash must enter the financial system, triggering reporting and scrutiny
Correct answer: Large amounts of physical cash must enter the financial system, triggering reporting and scrutiny
Placement is the most vulnerable stage because it requires moving large volumes of physical currency into the financial system, where it triggers reporting thresholds and attracts the attention of financial institutions. Once funds are layered or integrated, the cash has already cleared the most heavily monitored choke point.
- Which of the following best describes the overall goal of money laundering?
- To conceal the illegal origin of proceeds so they appear to come from a legitimate source
- To transfer ownership of stolen physical goods
- To avoid paying income tax on legally earned money
- To physically destroy currency obtained through crime
Correct answer: To conceal the illegal origin of proceeds so they appear to come from a legitimate source
The goal of money laundering is to conceal the illegal source of criminal proceeds so the funds appear legitimate. It is not about destroying currency or evading tax on lawful income; it specifically disguises the origin of unlawfully obtained money.
- A subject makes multiple cash deposits of $9,500 at different bank branches on the same day to avoid a reporting requirement. This conduct is known as:
- Kiting
- Structuring
- Netting
- Integration
Correct answer: Structuring
This is structuring, the practice of breaking a large cash transaction into smaller amounts that fall below the $10,000 reporting threshold to evade the filing of a Currency Transaction Report. Kiting involves exploiting float between accounts and is unrelated to evading reporting thresholds.
- Why is structuring (smurfing) illegal even when each individual deposit is below the reporting threshold?
- Cash deposits are prohibited above $1,000
- The intent to evade the reporting requirement is itself a federal offense regardless of the size of each deposit
- Banks are forbidden from accepting deposits on the same day
- Each deposit individually exceeds the $10,000 limit
Correct answer: The intent to evade the reporting requirement is itself a federal offense regardless of the size of each deposit
Structuring is illegal because the intent to evade the reporting requirement is a crime in itself, even though no single transaction exceeds the threshold. The illegality stems from the purpose of avoiding the report, not from any individual deposit being over the limit.
- In money laundering terminology, what does the term 'smurf' refer to?
- A regulator who enforces the Bank Secrecy Act
- An auditor who reviews currency transactions
- A person who makes numerous small cash deposits to help evade reporting thresholds
- A bank officer who files Suspicious Activity Reports
Correct answer: A person who makes numerous small cash deposits to help evade reporting thresholds
A 'smurf' is an individual recruited to make many small cash deposits, each below the reporting threshold, to help launder funds and evade detection. The term does not describe compliance personnel, auditors, or regulators.
- The Bank Secrecy Act (BSA) primarily requires financial institutions to:
- Guarantee the secrecy of all customer account information from the government
- Insure deposits up to a statutory maximum
- Reimburse customers for losses caused by fraud
- Maintain records and file reports that help detect and prevent money laundering
Correct answer: Maintain records and file reports that help detect and prevent money laundering
The Bank Secrecy Act requires financial institutions to keep records and file reports, such as CTRs and SARs, that assist the government in detecting and preventing money laundering and other financial crimes. Despite its name, it compels disclosure to authorities rather than guaranteeing customer secrecy.
- Which U.S. statute is widely regarded as the foundational anti-money laundering law requiring recordkeeping and reporting by financial institutions?
- The Fair Credit Reporting Act
- The Sherman Antitrust Act
- The Bank Secrecy Act
- The Securities Exchange Act
Correct answer: The Bank Secrecy Act
The Bank Secrecy Act is the foundational U.S. anti-money laundering statute that established recordkeeping and reporting obligations for financial institutions. The other statutes address antitrust, consumer credit reporting, and securities markets, none of which serve as the core AML framework.
- An AML compliance program required under U.S. anti-money laundering regulations must include all of the following EXCEPT:
- Independent testing of the program
- Ongoing employee training
- A guarantee that the institution will reimburse any customer victimized by laundering
- The designation of a compliance officer
Correct answer: A guarantee that the institution will reimburse any customer victimized by laundering
An effective AML program requires a designated compliance officer, employee training, internal policies and controls, and independent testing, but it does not require the institution to reimburse customers victimized by laundering. Victim reimbursement is not a component of a statutory AML program.
- A financial institution must file a Currency Transaction Report (CTR) when a customer conducts a cash transaction exceeding:
- $3,000
- $10,000
- $5,000
- $25,000
Correct answer: $10,000
A CTR is required for any cash transaction that exceeds $10,000 in a single business day. The $3,000 figure relates to recordkeeping for certain monetary instrument purchases, not the CTR filing threshold.
- Two cash deposits of $6,000 each are made by the same customer on the same business day at the same bank. How should the institution treat these transactions for CTR purposes?
- Aggregate them, because together they exceed $10,000 in a single day, requiring a CTR
- Ignore them, because each is individually below $10,000
- File a CTR only if the customer requests one
- File two separate CTRs, one for each deposit
Correct answer: Aggregate them, because together they exceed $10,000 in a single day, requiring a CTR
The bank must aggregate multiple cash transactions by the same customer in one business day; because the combined $12,000 exceeds the $10,000 threshold, a single CTR is required. Treating each deposit in isolation would defeat the purpose of the reporting rule.
- Which statement about the Currency Transaction Report (CTR) is most accurate?
- It replaces the need for any other BSA reporting
- It is an objective report triggered automatically by a cash transaction crossing a dollar threshold
- It is filed only when the institution suspects criminal activity
- It is filed at the customer's discretion
Correct answer: It is an objective report triggered automatically by a cash transaction crossing a dollar threshold
A CTR is an objective, threshold-based report filed whenever a cash transaction exceeds $10,000, regardless of any suspicion of wrongdoing. Suspicion-based filing describes the Suspicious Activity Report, which is a separate requirement.
- A bank employee notices transactions that appear designed to evade reporting requirements. Which report should the institution file?
- A Suspicious Activity Report (SAR)
- A Currency Transaction Report (CTR)
- A 1099 information return
- A chain of custody log
Correct answer: A Suspicious Activity Report (SAR)
The institution should file a Suspicious Activity Report, which is required when transactions suggest possible money laundering, structuring, or other illicit activity. A CTR is filed automatically for large cash transactions and is not the appropriate vehicle for reporting suspicious conduct.
- Which feature distinguishes a Suspicious Activity Report (SAR) from a Currency Transaction Report (CTR)?
- A SAR is always filed for transactions over $10,000
- A SAR is filed by the customer, while a CTR is filed by the bank
- A SAR is a public record available to anyone
- A SAR is based on the institution's suspicion of illicit activity rather than a fixed dollar threshold
Correct answer: A SAR is based on the institution's suspicion of illicit activity rather than a fixed dollar threshold
A SAR is triggered by the institution's judgment that activity is suspicious, not by a fixed dollar amount, whereas a CTR is an objective threshold-based filing. SARs are confidential, and disclosing their existence to the subject is prohibited.
- Under anti-money laundering rules, it is generally prohibited for a financial institution to:
- File both a SAR and a CTR on the same customer
- File a SAR without first obtaining a court order
- Notify a customer that a Suspicious Activity Report has been filed about them
- Train employees about money laundering red flags
Correct answer: Notify a customer that a Suspicious Activity Report has been filed about them
It is prohibited to 'tip off' a customer that a SAR has been filed about their activity; this confidentiality protects ongoing investigations. No court order is needed to file a SAR, and an institution may file both a SAR and a CTR when circumstances warrant.
- Benford's Law describes the expected frequency distribution of which feature in many naturally occurring datasets?
- The leading digits of numbers
- The alphabetical ordering of vendor names
- The total number of transactions
- The sum of all values in the dataset
Correct answer: The leading digits of numbers
Benford's Law predicts the frequency of leading (first) digits in many naturally occurring sets of numbers, with smaller digits like 1 appearing as the first digit far more often than larger digits. It says nothing about transaction counts, totals, or alphabetical ordering.
- According to Benford's Law, which leading digit is expected to occur most frequently in a conforming dataset?
Correct answer: 1
Under Benford's Law, the digit 1 appears as the leading digit about 30 percent of the time, more often than any other digit, with frequency declining for larger digits. The digit 9 appears least often, and 0 is never a leading digit.
- In a fraud examination, a sharp deviation from the Benford's Law distribution in an expense dataset most appropriately indicates that the examiner should:
- Refund all flagged transactions
- Discard the dataset as unreliable
- Conclude immediately that fraud has occurred
- Investigate the anomalous figures further as a possible indicator of manipulation
Correct answer: Investigate the anomalous figures further as a possible indicator of manipulation
A deviation from Benford's Law is a red flag suggesting possible manipulation, signaling that the examiner should investigate the anomalous figures further; it is not by itself proof of fraud. The technique directs attention to where fabricated or altered numbers may cluster.
- Why might invoice amounts that fraudsters fabricate just below an approval limit (such as many figures starting with the digit 4 near a $5,000 limit) cause a dataset to fail a Benford's Law test?
- Benford's Law requires every digit to appear equally often
- Genuine invoices never begin with the digit 4
- Benford's Law applies only to revenue, not expenses
- Fabricated numbers tend to cluster unnaturally, distorting the natural leading-digit distribution
Correct answer: Fabricated numbers tend to cluster unnaturally, distorting the natural leading-digit distribution
Fabricated figures clustered just under an approval threshold distort the natural leading-digit distribution that Benford's Law predicts, causing the dataset to fail the test. Benford's Law does not expect equal digit frequencies, and it can be applied across many types of financial data.
- An admission-seeking interview is generally conducted:
- To collect general background information from third parties
- At the very start of an examination before any evidence is gathered
- Only with cooperative, neutral witnesses
- When the examiner is reasonably certain of the subject's guilt and seeks to obtain a confession
Correct answer: When the examiner is reasonably certain of the subject's guilt and seeks to obtain a confession
An admission-seeking interview is reserved for situations in which the examiner is reasonably certain of the subject's guilt and the objective is to obtain a confession. It is conducted after evidence has been developed, not as an opening, information-gathering conversation with neutral parties.
- In an admission-seeking interview, what is the purpose of presenting a 'theme' or rationalization to the subject?
- To confuse the subject about the facts
- To threaten the subject with immediate arrest
- To document the subject's alibi for the record
- To allow the subject to morally justify the conduct, making a confession easier to obtain
Correct answer: To allow the subject to morally justify the conduct, making a confession easier to obtain
Themes or rationalizations let the subject save face and morally minimize the conduct, which lowers psychological resistance and makes obtaining a confession easier. The technique is not about threats, deception about facts, or recording an alibi.
- During an admission-seeking interview, after a subject makes an initial admission, the examiner should next:
- Destroy any notes taken during the conversation
- Obtain a detailed confession covering the specifics of the offense
- End the interview immediately to preserve the admission
- Promise the subject leniency in exchange for cooperation
Correct answer: Obtain a detailed confession covering the specifics of the offense
Once an initial admission is made, the examiner works to obtain a detailed confession that establishes the specifics, such as amounts, methods, and time periods. Ending abruptly, promising leniency, or destroying notes would undermine the value and integrity of the confession.
- Which of the following is most commonly cited as a verbal indicator that an interview subject may be being deceptive?
- Overly specific denials or unprompted protestations of honesty
- Providing a clear, chronological account of events
- Asking the interviewer to repeat a question once
- Maintaining a relaxed posture throughout
Correct answer: Overly specific denials or unprompted protestations of honesty
Deceptive subjects often give overly specific denials or volunteer unprompted protestations of honesty, which can signal an attempt to appear truthful. A clear chronological account, an occasional clarifying request, and relaxed posture are not in themselves reliable deception indicators.
- When evaluating possible deception, a fraud examiner should treat nonverbal cues such as fidgeting or avoiding eye contact as:
- Irrelevant to any assessment of credibility
- Conclusive evidence that the subject is lying
- Possible indicators that must be considered in context rather than proof of lying
- Grounds for immediately terminating the interview
Correct answer: Possible indicators that must be considered in context rather than proof of lying
Nonverbal cues like fidgeting are only possible indicators that must be assessed in context and in clusters, not as conclusive proof of deception. Such behaviors can have innocent explanations, so they inform but never by themselves establish that a subject is lying.
- Why should a fraud examiner establish a behavioral baseline early in an interview?
- So that later changes from the subject's normal behavior can be more reliably interpreted
- Because baselines are legally required before any questioning
- To shorten the interview by skipping background questions
- To intimidate the subject into confessing
Correct answer: So that later changes from the subject's normal behavior can be more reliably interpreted
Establishing a baseline of the subject's normal verbal and nonverbal behavior allows the examiner to interpret later deviations more reliably as potential signs of stress or deception. Baselines are an interviewing technique, not a legal prerequisite, and they are not used for intimidation.
- Which of the following is an example of a nonpublic source of information in a fraud investigation?
- A target's confidential bank account records
- A company's filings with a securities regulator
- County real property tax records
- Published court filings
Correct answer: A target's confidential bank account records
Confidential bank account records are nonpublic information generally obtainable only through legal process such as a subpoena. Property tax records, court filings, and securities regulator filings are all publicly available sources.
- A fraud examiner gathering background on a subject should generally begin with public records because they:
- Are always more reliable than testimony
- Are inadmissible in court
- Can be accessed without legal process and provide leads at low cost and risk
- Require a subpoena to obtain
Correct answer: Can be accessed without legal process and provide leads at low cost and risk
Public records can be obtained without legal process and offer an efficient, low-risk way to develop leads early in an examination. They do not require a subpoena, and their reliability and admissibility vary depending on the record and how it is authenticated.
- Which of the following sources would typically require legal authorization, such as a subpoena, before a fraud examiner could obtain it?
- Recorded property deeds
- Articles of incorporation filed with the state
- A subject's public social media profile
- A subject's private medical and tax records
Correct answer: A subject's private medical and tax records
Private medical and tax records are protected nonpublic information that usually require legal authorization such as a subpoena to obtain. Articles of incorporation, recorded deeds, and openly posted social media content are publicly accessible without compulsory process.
- Which of the following is a common public record useful for identifying assets owned by a fraud subject?
- The subject's private email correspondence
- Internal company payroll files
- County real property and deed records
- A bank's confidential customer profile
Correct answer: County real property and deed records
County real property and deed records are public and are commonly searched to identify real estate assets held by a subject. Private email, internal payroll files, and confidential bank profiles are nonpublic and require other means to access.
- A public records search of corporate filings is most useful to a fraud examiner for:
- Reading employees' personal text messages
- Recovering deleted accounting entries
- Identifying the officers, registered agents, and ownership links of a company
- Obtaining the company's confidential trade secrets
Correct answer: Identifying the officers, registered agents, and ownership links of a company
Searching public corporate filings helps establish a company's officers, registered agents, and ownership connections, which can reveal hidden relationships such as shell companies. Such filings do not expose trade secrets, personal messages, or deleted internal records.
- Court records obtained through a public records search can help a fraud examiner by revealing:
- Privileged attorney-client communications
- Sealed grand jury testimony
- The subject's confidential bank balances
- Prior lawsuits, judgments, or liens involving the subject
Correct answer: Prior lawsuits, judgments, or liens involving the subject
Public court records can reveal prior litigation, judgments, and liens that shed light on a subject's history and financial condition. Confidential bank balances, privileged communications, and sealed grand jury materials are not part of accessible public court records.
- The net worth method is primarily used by fraud examiners to:
- Calculate a company's required reserves
- Estimate unreported or illicit income by measuring increases in a subject's net worth over time
- Audit a firm's internal controls
- Determine the fair market value of a company
Correct answer: Estimate unreported or illicit income by measuring increases in a subject's net worth over time
The net worth method estimates a subject's unknown or illicit income by measuring increases in net worth plus living expenses that exceed known legitimate income sources. It is an indirect proof technique for hidden income, not a business valuation or controls audit tool.
- In the net worth method, a significant increase in a subject's assets that cannot be explained by known legitimate income suggests:
- A failure of the company's revenue recognition policy
- A decrease in the subject's liabilities
- An error in the chain of custody
- The presence of unreported or illicitly obtained income
Correct answer: The presence of unreported or illicitly obtained income
When a subject's net worth rises by more than their known legitimate income can explain, the unexplained increase points to unreported or illicit income. This indirect method infers hidden funds from the unexplained accumulation of wealth.
- Which formula best represents the logic of the net worth method of tracing illicit income?
- Total assets minus total liabilities, multiplied by the tax rate
- Cash inflows minus cash outflows, equals working capital
- Increase in net worth plus living expenses, minus known legitimate income, equals unexplained income
- Gross revenue minus cost of goods sold, equals net profit
Correct answer: Increase in net worth plus living expenses, minus known legitimate income, equals unexplained income
The net worth method computes the increase in net worth, adds living expenses, and subtracts known legitimate income; any remaining amount is unexplained income that may be illicit. The other formulas describe taxation, gross profit, and cash flow, not indirect income tracing.
- When collecting digital evidence from a computer hard drive, the best practice is to:
- Create a forensic image (bit-for-bit copy) and analyze the copy rather than the original
- Reformat the drive after copying important files
- Delete temporary files before imaging
- Open and review files directly on the original drive
Correct answer: Create a forensic image (bit-for-bit copy) and analyze the copy rather than the original
Best practice is to create a forensic image, a bit-for-bit copy, and conduct the analysis on that copy so the original evidence is preserved unaltered. Working directly on the original, deleting files, or reformatting would change or destroy evidence and compromise admissibility.
- A hash value (such as MD5 or SHA-1) is used in digital forensics primarily to:
- Compress evidence files to save storage space
- Encrypt the contents of a seized hard drive
- Verify that a forensic image has not been altered from the original
- Recover deleted files from unallocated space
Correct answer: Verify that a forensic image has not been altered from the original
A hash value provides a digital fingerprint that verifies a forensic image is identical to the original and has not been altered, supporting the integrity of the evidence. Hashing is not an encryption, file-recovery, or compression technique.
- Why should a fraud examiner avoid powering on and browsing a suspect's computer before it is forensically imaged?
- It will permanently encrypt the hard drive
- It automatically notifies the suspect
- Doing so can alter metadata and overwrite data, compromising the integrity of the evidence
- It violates the chain of custody by default
Correct answer: Doing so can alter metadata and overwrite data, compromising the integrity of the evidence
Powering on and browsing the system can change file access dates, modify metadata, and overwrite recoverable data, compromising the evidence's integrity. The risk is data alteration; merely turning on a machine does not encrypt the drive or alert the suspect.
- The chain of custody documentation is intended to establish that evidence:
- Has been altered to improve clarity
- Is more persuasive than witness testimony
- Has been securely handled and accounted for from the moment of collection to its presentation
- Was obtained without a search warrant
Correct answer: Has been securely handled and accounted for from the moment of collection to its presentation
Chain of custody documentation establishes that evidence has been continuously secured and accounted for from collection through presentation, demonstrating it was not tampered with. It does not concern warrant requirements, comparative persuasiveness, or alteration of the evidence.
- A break in the chain of custody for a piece of evidence is most likely to result in:
- An increase in the evidence's credibility
- A challenge to the admissibility or weight of that evidence in court
- Automatic dismissal of the entire case
- A requirement to file a Suspicious Activity Report
Correct answer: A challenge to the admissibility or weight of that evidence in court
A break in the chain of custody can lead opposing counsel to challenge the evidence's admissibility or the weight a fact-finder gives it, because its integrity is in doubt. It does not automatically dismiss a case, increase credibility, or trigger a SAR filing.
- Which of the following should a chain of custody record include for each item of evidence?
- A list of unrelated case exhibits
- The examiner's personal opinion of guilt
- Who collected it, when and where, and every person who subsequently handled it
- The market value of the item only
Correct answer: Who collected it, when and where, and every person who subsequently handled it
A proper chain of custody record documents who collected each item, the date, time, and location, and every individual who handled it afterward, so the evidence can be authenticated. It is not a place for valuations, opinions of guilt, or unrelated exhibits.
- A well-written fraud examination report should:
- Use vague language to avoid liability
- Present facts objectively and avoid stating conclusions of law such as 'the subject is guilty'
- Declare the subject guilty to strengthen the case
- Omit evidence that contradicts the examiner's theory
Correct answer: Present facts objectively and avoid stating conclusions of law such as 'the subject is guilty'
A fraud examination report should present the facts objectively and refrain from offering legal conclusions such as guilt, which are for the trier of fact to decide. Omitting contradictory evidence or using deliberately vague language undermines the report's credibility and fairness.
- Why should a fraud examiner avoid expressing opinions about a subject's guilt or innocence in the examination report?
- Opinions make the report shorter
- Determinations of guilt are legal conclusions reserved for the court, and such opinions can expose the examiner to liability
- Reports are never read by attorneys
- Guilt is irrelevant to fraud examinations
Correct answer: Determinations of guilt are legal conclusions reserved for the court, and such opinions can expose the examiner to liability
Guilt and innocence are legal determinations reserved for the court, so stating such opinions exceeds the examiner's role and can create liability, including for defamation. The examiner's job is to report facts and findings, leaving legal conclusions to the trier of fact.
- Which quality is most important in a fraud examination report intended to support potential litigation?
- Speculation about the subject's motives
- Persuasive emotional language about the subject
- Brevity achieved by omitting key evidence
- Accuracy and clear, fact-based support for every assertion
Correct answer: Accuracy and clear, fact-based support for every assertion
Accuracy and clear, fact-based support for each assertion are essential so the report withstands scrutiny in litigation. Emotional language, omission of key evidence, and speculation weaken the report and can damage the examiner's credibility.
- What is the key difference between a lay (fact) witness and an expert witness?
- An expert witness cannot be cross-examined
- A lay witness must hold a professional certification
- A lay witness is paid while an expert witness is not
- An expert witness may offer opinions within their area of expertise, while a lay witness generally testifies only to facts they personally observed
Correct answer: An expert witness may offer opinions within their area of expertise, while a lay witness generally testifies only to facts they personally observed
The key distinction is that an expert witness may render opinions within their field, whereas a lay witness is generally limited to facts personally perceived. Both types of witnesses can be cross-examined, and certification is associated with expertise, not lay testimony.
- A fraud examiner serving as an expert witness should maintain which posture on the stand?
- Concealment of any assumptions underlying the analysis
- Refusal to answer questions from opposing counsel
- Objective and impartial, advocating for their opinion rather than for a party
- Aggressive advocacy for the side that retained them
Correct answer: Objective and impartial, advocating for their opinion rather than for a party
An expert witness should remain objective and impartial, advocating for their own well-supported opinions rather than acting as an advocate for the retaining party. Refusing to answer or hiding assumptions would damage the expert's credibility and the admissibility of the testimony.
- Before allowing expert testimony, courts commonly require that the expert's methodology be:
- Kept secret from the opposing party
- Based solely on the expert's intuition
- Identical to the methodology used by every other expert
- Reliable and relevant to the issues in the case
Correct answer: Reliable and relevant to the issues in the case
Courts act as gatekeepers and generally require that an expert's methodology be reliable and relevant to the case before admitting the testimony. The methodology must be disclosed, need not match other experts' approaches exactly, and cannot rest on mere intuition.
- Which of the following is the best example of direct evidence of a fraud?
- The subject's access to the accounting system
- An unexplained increase in the subject's lifestyle
- A pattern of round-dollar journal entries
- A witness who personally saw the subject alter the company's books
Correct answer: A witness who personally saw the subject alter the company's books
Direct evidence proves a fact without requiring inference, such as a witness who personally observed the subject altering the books. Lifestyle changes, suspicious entry patterns, and mere access are circumstantial, requiring inference to connect them to the fraud.
- Circumstantial evidence in a fraud case is best described as evidence that:
- Requires an inference to connect it to the fact in question
- Consists only of eyewitness testimony
- Is always inadmissible in court
- Directly proves the ultimate fact without any inference
Correct answer: Requires an inference to connect it to the fact in question
Circumstantial evidence requires the trier of fact to draw an inference to link it to the matter at issue, unlike direct evidence which proves a fact without inference. Circumstantial evidence is admissible and can be highly persuasive, especially when it forms a consistent pattern.
- For evidence to be admissible in court, it generally must be:
- Based exclusively on hearsay
- Relevant, material, and competent (reliable and properly obtained)
- Gathered without any documentation
- Favorable only to the prosecution
Correct answer: Relevant, material, and competent (reliable and properly obtained)
Admissible evidence must be relevant to the case, material to a fact at issue, and competent, meaning reliable and properly obtained. Evidence need not favor a single side, must be properly documented, and hearsay is generally excluded unless an exception applies.
- A confession obtained through coercion is most likely to be:
- Admitted because confessions are always reliable
- Required to be corroborated by a SAR
- Excluded from evidence as involuntary
- Treated as expert testimony
Correct answer: Excluded from evidence as involuntary
A coerced confession is generally excluded as involuntary because its reliability and the manner of obtaining it are constitutionally and legally suspect. Confessions are not automatically reliable, are not expert testimony, and SAR filings are unrelated to confession admissibility.
- A key characteristic of a common law legal system, as compared with a civil law system, is its reliance on:
- A single comprehensive code that judges apply mechanically
- Religious doctrine as the primary source of law
- Judicial precedent (case law) to interpret and develop the law
- Decisions made solely by administrative agencies
Correct answer: Judicial precedent (case law) to interpret and develop the law
Common law systems rely heavily on judicial precedent, where prior court decisions guide the interpretation and development of the law. Civil law systems instead rely primarily on comprehensive written codes, distinguishing the two traditions.
- The adversarial system, in which opposing parties present evidence to a neutral judge or jury, is most associated with:
- Common law jurisdictions
- Inquisitorial systems
- Religious law systems
- Civil law jurisdictions
Correct answer: Common law jurisdictions
The adversarial model, with opposing parties presenting their cases to a neutral fact-finder, is characteristic of common law jurisdictions. Civil law systems typically use an inquisitorial approach in which the judge takes a more active investigative role.
- In a civil law (code-based) system, the judge's role typically differs from that in a common law system in that the judge:
- Is bound strictly by prior case precedent
- Serves only to instruct the jury
- Takes a more active, investigative role rather than acting mainly as a neutral referee
- Cannot question witnesses
Correct answer: Takes a more active, investigative role rather than acting mainly as a neutral referee
In civil law systems, the judge tends to take an active, investigative role in developing the facts, reflecting the inquisitorial tradition. By contrast, common law judges act more as neutral referees and are guided by binding precedent.
- The federal mail fraud statute generally requires proof of a scheme to defraud and:
- Use of the mails in furtherance of the scheme
- Money laundering proceeds
- An interstate wire transmission
- A loss of at least $1 million
Correct answer: Use of the mails in furtherance of the scheme
Mail fraud requires a scheme to defraud combined with use of the mails to further that scheme. There is no minimum loss amount, an interstate wire is the element of wire fraud rather than mail fraud, and laundering proceeds is a separate offense.
- Wire fraud differs from mail fraud primarily in that wire fraud requires:
- A completed money transfer of over $10,000
- Use of interstate wire, radio, or television communications to further the scheme
- Use of the postal service to further the scheme
- A victim located outside the United States
Correct answer: Use of interstate wire, radio, or television communications to further the scheme
Wire fraud requires use of interstate wire, radio, or television communications, such as phone calls, emails, or electronic transfers, to advance the scheme. Use of the mails is the distinguishing element of mail fraud, and there is no foreign-victim or dollar-threshold requirement.
- A fraudster sends deceptive emails across state lines to solicit investments in a fake company. This conduct most directly violates which federal statute?
- The mail fraud statute
- The chain of custody rule
- The Bank Secrecy Act
- The wire fraud statute
Correct answer: The wire fraud statute
Sending deceptive interstate emails to further a fraudulent scheme falls squarely under the wire fraud statute, which covers electronic communications. Mail fraud requires use of the postal system, the BSA governs AML reporting, and chain of custody is an evidence-handling principle.
- Whistleblower protection laws generally prohibit an employer from:
- Disciplining an employee for poor performance unrelated to reporting
- Filing a Suspicious Activity Report
- Investigating any reported allegations
- Retaliating against an employee who reports suspected fraud or legal violations
Correct answer: Retaliating against an employee who reports suspected fraud or legal violations
Whistleblower protections prohibit retaliation, such as termination or demotion, against employees who report suspected fraud or violations in good faith. They do not bar legitimate investigations, performance-based discipline unrelated to the report, or required regulatory filings.
- During an internal investigation interview of an employee, the fraud examiner should be mindful that the employee:
- Has no rights because the matter is internal
- Forfeits all employment protections upon questioning
- Must confess before the interview can end
- Generally retains certain legal rights and should not be subjected to coercion or false imprisonment
Correct answer: Generally retains certain legal rights and should not be subjected to coercion or false imprisonment
Even in internal investigations, employees retain legal rights, and examiners must avoid coercion, threats, or detaining the employee in a way that could constitute false imprisonment. Conducting an internal inquiry does not strip employees of their protections or compel a confession.
- Which federal law is notable for providing whistleblower protections and reporting incentives related to securities fraud?
- The Sherman Antitrust Act
- The Sarbanes-Oxley Act (and related Dodd-Frank provisions)
- The Bank Secrecy Act
- The Fair Labor Standards Act
Correct answer: The Sarbanes-Oxley Act (and related Dodd-Frank provisions)
The Sarbanes-Oxley Act, supplemented by Dodd-Frank, established important whistleblower protections and incentives for reporting securities and corporate fraud. The other statutes address antitrust, wage-and-hour rules, and AML reporting rather than whistleblower protection.
- Forensic accounting is best described as the application of accounting skills to:
- Designing payroll software
- Setting a company's marketing budget
- Preparing routine annual tax returns for clients
- Investigative and litigation matters, often in anticipation of legal proceedings
Correct answer: Investigative and litigation matters, often in anticipation of legal proceedings
Forensic accounting applies accounting and investigative skills to legal and investigative matters, frequently in anticipation of litigation or dispute resolution. It is distinct from routine tax preparation, budgeting, or software design.
- How does a forensic accounting engagement typically differ from a traditional financial statement audit?
- A forensic engagement never results in a report
- A forensic engagement ignores documentary evidence
- An audit is designed primarily to obtain confessions
- A forensic engagement specifically investigates suspected irregularities, while an audit provides reasonable assurance that statements are free of material misstatement
Correct answer: A forensic engagement specifically investigates suspected irregularities, while an audit provides reasonable assurance that statements are free of material misstatement
A forensic accounting engagement is focused on investigating specific suspected irregularities and is often litigation-oriented, whereas an audit aims to provide reasonable assurance that financial statements are free of material misstatement. Forensic work relies heavily on documentary evidence and produces detailed reports.
- A drug trafficker deposits cash receipts into a cash-intensive restaurant he owns, commingling illicit funds with legitimate sales. This commingling most directly serves which money laundering objective?
- Reporting the funds to authorities
- Physically destroying the illicit cash
- Disguising the illicit funds as legitimate business revenue
- Increasing the restaurant's tax liability
Correct answer: Disguising the illicit funds as legitimate business revenue
Commingling illicit cash with a cash-intensive business's legitimate sales disguises the dirty money as ordinary business revenue, a classic laundering tactic. The aim is concealment of origin, not destruction of cash, voluntary reporting, or raising taxes.
- Wiring laundered funds through a series of accounts in multiple offshore jurisdictions is characteristic of which money laundering stage?
- Layering
- Placement
- Reporting
- Integration
Correct answer: Layering
Moving funds through multiple accounts and jurisdictions to obscure the trail is the hallmark of layering. Placement is the initial cash entry, and integration is the final reintroduction of funds as apparently legitimate wealth.
- Which transaction is most consistent with the integration stage of money laundering?
- Wiring money among shell companies abroad
- Exchanging cash for casino chips
- Buying real estate with previously layered funds and renting it out for 'legitimate' income
- Depositing a duffel bag of cash into several accounts
Correct answer: Buying real estate with previously layered funds and renting it out for 'legitimate' income
Buying real estate with layered funds and collecting rent reintroduces the money into the legitimate economy as apparently lawful income, which is integration. Depositing cash is placement, and wiring among shells or buying casino chips are placement or layering activities.
- Purchasing high-value monetary instruments such as cashier's checks with illicit cash is most commonly associated with which laundering stage?
- Placement
- Integration
- Settlement
- Layering
Correct answer: Placement
Converting illicit cash into monetary instruments like cashier's checks introduces the funds into the financial system, which is placement. Layering and integration come later as the funds are moved and ultimately legitimized.
- Trade-based money laundering, such as over- or under-invoicing exports, is primarily a technique used to:
- Inflate a company's stock price directly
- Move value across borders while disguising the illicit nature of the funds
- Avoid paying employees their wages
- Comply with customs reporting requirements
Correct answer: Move value across borders while disguising the illicit nature of the funds
Trade-based money laundering manipulates trade invoices to move value across borders and disguise illicit funds, exploiting the complexity of international trade. It is not a wage scheme, a direct stock manipulation, or a compliance measure.
- A business owner instructs an employee to deposit daily cash receipts in amounts always just under $10,000, across several banks. This pattern most strongly suggests:
- Legitimate cash management to reduce theft risk
- Compliance with the Bank Secrecy Act
- Structuring to evade currency transaction reporting
- A normal response to high sales volume
Correct answer: Structuring to evade currency transaction reporting
Consistently keeping deposits just under $10,000 across multiple banks is a strong indicator of structuring intended to evade CTR filing. The deliberate avoidance of the threshold, rather than the volume of sales, signals intent to evade reporting.
- Which of the following is a red flag of structuring that a bank employee should report?
- A customer breaking a $25,000 cash deposit into three same-day deposits of about $8,000 each
- A customer making a single $4,000 cash deposit
- A customer requesting account statements
- A customer wiring funds to a verified family member
Correct answer: A customer breaking a $25,000 cash deposit into three same-day deposits of about $8,000 each
Splitting a $25,000 deposit into multiple same-day amounts just under the threshold is a classic structuring red flag warranting a SAR. A single modest deposit, a verified family wire, and a routine statement request are ordinary activities.
- Recruiting multiple individuals to each deposit small amounts of illicit cash at different banks is referred to as:
- Smurfing
- Kiting
- Pyramiding
- Lapping
Correct answer: Smurfing
Using multiple people to make many small deposits to evade thresholds is called smurfing, a form of structuring. Kiting and lapping are unrelated schemes involving float and concealment of receivables shortages, and pyramiding refers to a fraudulent investment structure.
- Which of the following best describes a 'Know Your Customer' (KYC) requirement under AML rules?
- Offering customers the lowest possible fees
- Insuring customer deposits against fraud
- Guaranteeing customer privacy from all regulators
- Verifying the identity of customers and understanding the nature of their expected activity
Correct answer: Verifying the identity of customers and understanding the nature of their expected activity
KYC requires institutions to verify customer identities and understand their expected transaction profiles so unusual activity can be detected. It is a detection and prevention measure, not a privacy guarantee, pricing policy, or insurance program.
- Customer due diligence (CDD) under AML programs is intended primarily to:
- Maximize the bank's lending profits
- Assess the money laundering risk a customer poses and monitor for unusual activity
- Determine the customer's credit score for loans
- Set the interest rate on savings accounts
Correct answer: Assess the money laundering risk a customer poses and monitor for unusual activity
CDD aims to assess each customer's money laundering risk and enable monitoring for activity inconsistent with their profile. It is a risk and compliance function, not a lending, credit-scoring, or interest-rate-setting tool.
- Under the Bank Secrecy Act framework, which type of business is generally classified as a 'money services business' subject to AML obligations?
- A check-cashing and money-transfer outlet
- A retail clothing store
- A residential landlord
- A public elementary school
Correct answer: A check-cashing and money-transfer outlet
Check-cashing and money-transfer outlets are money services businesses subject to BSA registration and AML obligations because they handle currency and funds transfers. Landlords, clothing retailers, and schools are not money services businesses.
- The 'four pillars' historically required of a BSA/AML compliance program include internal controls, a designated compliance officer, training, and:
- Independent testing of the program
- A customer loyalty program
- A profit-sharing plan for employees
- A marketing department
Correct answer: Independent testing of the program
The traditional four pillars are internal controls, a designated compliance officer, ongoing training, and independent testing. Profit-sharing, marketing, and loyalty programs are unrelated to AML compliance requirements.
- A customer withdraws $11,000 in cash from a single account in one business day. What is the institution's obligation?
- File a SAR only if the withdrawal seems suspicious
- File a CTR only for deposits, not withdrawals
- File a Currency Transaction Report because the cash transaction exceeds $10,000
- Take no action because withdrawals are exempt
Correct answer: File a Currency Transaction Report because the cash transaction exceeds $10,000
A CTR is required for cash transactions exceeding $10,000, and the rule applies to withdrawals as well as deposits, so the $11,000 withdrawal must be reported. A SAR is a separate, suspicion-based filing and does not replace the mandatory CTR.
- A transaction of exactly $10,000 in cash by a single customer in one business day triggers which requirement?
- A SAR regardless of suspicion
- Two CTRs, one for the bank and one for the customer
- No CTR, because the rule applies to amounts exceeding $10,000, not equal to it
- A CTR, because $10,000 meets the threshold
Correct answer: No CTR, because the rule applies to amounts exceeding $10,000, not equal to it
The CTR requirement applies to transactions that exceed $10,000, so an amount of exactly $10,000 does not, by itself, trigger a CTR. However, examiners should note that a pattern of transactions right at the line can suggest structuring, which is separately reportable.
- CTR exemptions may be granted by financial institutions for certain customers, such as:
- Customers who refuse to provide identification
- Customers under criminal investigation
- Any customer who requests an exemption
- Established, eligible businesses that routinely conduct large cash transactions
Correct answer: Established, eligible businesses that routinely conduct large cash transactions
Institutions may exempt certain eligible, established customers, such as legitimate retail businesses that routinely handle large amounts of cash, from CTR filing under specified conditions. Exemptions are not granted on mere request, to investigation subjects, or to customers who refuse identification.
- Which scenario would most appropriately prompt a financial institution to file a Suspicious Activity Report?
- A customer's account activity has no apparent lawful purpose and is inconsistent with their known profile
- A customer asks about opening a savings account
- A customer makes a routine paycheck deposit
- A customer pays a utility bill online
Correct answer: A customer's account activity has no apparent lawful purpose and is inconsistent with their known profile
Activity that lacks an apparent lawful purpose and is inconsistent with the customer's known profile warrants a SAR because it may indicate illicit conduct. Routine paycheck deposits, bill payments, and account inquiries are normal and do not warrant a SAR.
- A financial institution that files a SAR in good faith is generally provided with which legal protection?
- Exemption from all CTR filings
- A statutory reward equal to the laundered amount
- Immunity from all future audits
- A safe harbor from civil liability for the disclosure
Correct answer: A safe harbor from civil liability for the disclosure
Institutions filing SARs in good faith receive a safe harbor from civil liability for the disclosure, encouraging reporting. The protection does not exempt them from audits, provide a reward equal to laundered sums, or relieve them of CTR obligations.
- Which of the following is true regarding the confidentiality of a SAR?
- It is published in a public registry
- Its existence and contents generally may not be disclosed to the subject of the report
- It must be shared with the subject's employer
- It must be provided to the subject within 30 days
Correct answer: Its existence and contents generally may not be disclosed to the subject of the report
SAR confidentiality rules prohibit disclosing the existence or contents of a SAR to the person who is its subject, protecting investigations. SARs are not provided to subjects, published publicly, or shared with employers.
- Benford's Law is least likely to apply, and therefore should not be used as a fraud test, when a dataset:
- Consists of assigned numbers with built-in minimums or maximums, such as ZIP codes or sequential check numbers
- Includes payment amounts from many vendors
- Contains naturally occurring financial amounts spanning several orders of magnitude
- Includes thousands of invoice totals
Correct answer: Consists of assigned numbers with built-in minimums or maximums, such as ZIP codes or sequential check numbers
Benford's Law does not apply to datasets of assigned or constrained numbers such as ZIP codes or sequential check numbers, so it is not a valid fraud test there. It works best on naturally occurring values spanning several orders of magnitude, like invoice totals.
- After running a Benford's Law test, an examiner finds the digit 9 appears as the leading digit far more often than expected. The most appropriate next step is to:
- Examine the population of figures beginning with 9 for signs of fabrication or threshold gaming
- Delete all entries beginning with 9
- Report the entire company for money laundering
- Conclude that the books are accurate
Correct answer: Examine the population of figures beginning with 9 for signs of fabrication or threshold gaming
An unexpected spike in a particular leading digit directs the examiner to scrutinize that subpopulation for fabrication or threshold manipulation, not to draw a conclusion of accuracy. The test identifies where to investigate, not grounds to delete data or file reports.
- Benford's Law analysis is best categorized as which type of fraud examination tool?
- A legal rule governing evidence admissibility
- A data analysis technique used to identify anomalies warranting further investigation
- A chain of custody procedure
- An interview method for obtaining confessions
Correct answer: A data analysis technique used to identify anomalies warranting further investigation
Benford's Law analysis is a data analysis technique that flags numerical anomalies for further investigation. It is not an interviewing method, a rule of evidence, or a chain of custody procedure.
- In the structure of an admission-seeking interview, an examiner typically uses an 'alternative question' such as offering a face-saving versus a more sinister explanation. The purpose is to:
- Trick the subject into waiving all legal rights
- Encourage the subject to choose the more acceptable explanation, which itself constitutes an admission
- Calculate the subject's net worth
- Establish the chain of custody
Correct answer: Encourage the subject to choose the more acceptable explanation, which itself constitutes an admission
An alternative question presents two explanations, one face-saving and one harsher, so that the subject's choice of either constitutes an admission of the conduct. It is an interview technique, not a means of waiving rights, establishing custody, or computing net worth.
- Why should an admission-seeking interview generally be conducted in a private setting with limited interruptions?
- It eliminates the need to document the confession
- Privacy reduces the subject's resistance and discourages denial, making a confession more attainable
- Privacy is required by the Bank Secrecy Act
- It allows the examiner to use physical coercion
Correct answer: Privacy reduces the subject's resistance and discourages denial, making a confession more attainable
A private, interruption-free setting lowers the subject's resistance and discourages public denials, increasing the chance of obtaining a confession. Privacy is not a BSA requirement, and it does not authorize coercion or remove the need to document the confession.
- During an admission-seeking interview, repeatedly interrupting the subject's attempts to deny the conduct is a technique used to:
- Calibrate the subject's truthful baseline
- Prevent the subject from entrenching a firm denial before an admission can be sought
- Violate the subject's legal rights intentionally
- Gather background biographical data
Correct answer: Prevent the subject from entrenching a firm denial before an admission can be sought
Interrupting attempts at denial keeps the subject from solidifying a firm denial, which becomes harder to overcome once stated, thereby preserving the path to an admission. It is not aimed at violating rights, collecting background data, or baselining truthful behavior.
- Which interview behavior pattern, considered alongside other cues, may suggest deception?
- Calm acknowledgment of unfavorable facts
- Consistent recall of both major and minor details
- Prompt, direct answers to difficult questions
- Selective memory in which the subject recalls trivial details but forgets key facts
Correct answer: Selective memory in which the subject recalls trivial details but forgets key facts
Selective memory, recalling trivia while forgetting central facts, can be a deception cue when seen with other indicators. Consistent recall, calm acknowledgment of unfavorable facts, and prompt direct answers are more typical of truthful subjects.
- An examiner notices a subject repeatedly stalls by asking for questions to be repeated and answers questions with questions. These verbal cues are best interpreted as:
- Proof that the subject is guilty
- Conclusive proof that the subject is innocent
- Irrelevant to credibility assessment
- Possible signs of evasion that should be evaluated alongside other evidence
Correct answer: Possible signs of evasion that should be evaluated alongside other evidence
Stalling and answering questions with questions can be evasion cues, but they must be weighed with other evidence rather than treated as conclusive. Such behaviors prove neither guilt nor innocence on their own and are relevant to, but not determinative of, credibility.
- Why should an examiner avoid relying on a single nonverbal cue, such as a lack of eye contact, to conclude a subject is lying?
- Truthful subjects never make eye contact
- Individual cues are unreliable in isolation and can have innocent or cultural explanations
- Eye contact is the only valid deception indicator
- Nonverbal cues are inadmissible as evidence by statute
Correct answer: Individual cues are unreliable in isolation and can have innocent or cultural explanations
A single nonverbal cue is unreliable on its own because it may have innocent, situational, or cultural explanations; cues should be assessed in clusters and context. There is no statute making them inadmissible, and eye contact is not a uniquely valid indicator.
- Which of the following is generally considered a publicly available source of information for a fraud examiner?
- A bank's internal customer notes
- A target's protected health records
- Uniform Commercial Code (UCC) filings
- A subject's confidential credit report
Correct answer: Uniform Commercial Code (UCC) filings
UCC filings, which record secured interests in property, are public records accessible without legal process. Credit reports, health records, and a bank's internal notes are protected nonpublic information requiring proper authorization.
- When using open-source intelligence such as social media in an investigation, a fraud examiner should:
- Assume social media is always inadmissible
- Accept all online statements as factual
- Avoid documenting where the information was found
- Verify and corroborate the information, since online content may be inaccurate or fabricated
Correct answer: Verify and corroborate the information, since online content may be inaccurate or fabricated
Open-source information such as social media must be verified and corroborated because it can be inaccurate, outdated, or fabricated. Examiners should document the source for authentication rather than accept content uncritically or assume blanket inadmissibility.
- A fraud examiner needs a subject's telephone toll records. These records are generally:
- Posted on the carrier's public website
- Freely available in a public directory
- Published in court filings automatically
- Nonpublic and obtainable only through legal process such as a subpoena
Correct answer: Nonpublic and obtainable only through legal process such as a subpoena
Telephone toll records are nonpublic and generally require legal process such as a subpoena to obtain. They are not available in public directories, court filings, or on carrier websites.
- A fraud examiner wants to determine whether a subject has filed for bankruptcy. The most direct public source is:
- A confidential consumer credit file
- Federal bankruptcy court records
- The subject's employer's payroll system
- The subject's private bank statements
Correct answer: Federal bankruptcy court records
Bankruptcy filings are matters of public record available through federal bankruptcy courts. Private bank statements, payroll systems, and confidential credit files are nonpublic sources.
- Which public record would most directly reveal whether a creditor has placed a lien on a subject's vehicle or equipment?
- The subject's personal diary
- UCC financing statements filed with the state
- The subject's medical chart
- Internal emails of the creditor
Correct answer: UCC financing statements filed with the state
UCC financing statements are public filings that record secured creditors' interests in personal property such as vehicles and equipment. Diaries, internal emails, and medical charts are not public records of secured interests.
- Searching a state's business entity database can help a fraud examiner detect a shell company by revealing:
- The personal text messages of its officers
- A company with no apparent operations sharing an address or registered agent with the subject
- The company's secret customer list
- The company's confidential bank balance
Correct answer: A company with no apparent operations sharing an address or registered agent with the subject
A business entity search can expose shell companies by showing entities that share an address or registered agent with the subject and have no apparent operations. It does not disclose confidential balances, customer lists, or personal messages.
- The net worth method is classified as an example of which broad category of proof in fraud examinations?
- Direct documentary proof of each transaction
- Eyewitness testimony
- Chain of custody documentation
- Indirect (circumstantial) methods of proving income
Correct answer: Indirect (circumstantial) methods of proving income
The net worth method is an indirect, or circumstantial, method of proving income by inference from changes in net worth, used when direct transaction records are unavailable. It is not direct documentary proof, eyewitness testimony, or custody documentation.
- In applying the net worth method, which of the following must the examiner reasonably establish to make the analysis credible?
- The subject's blood type
- The market value of the examiner's own assets
- A reliable starting net worth (a firm 'beginning' point) for the subject
- The exact wording of the subject's confession
Correct answer: A reliable starting net worth (a firm 'beginning' point) for the subject
A credible net worth analysis requires a reliable starting (beginning) net worth so that increases over the period can be measured accurately. The subject's biological details, confession wording, or the examiner's assets are irrelevant to the computation.
- The expenditures (sources and application of funds) method, a relative of the net worth method, infers hidden income by comparing:
- The subject's height against population averages
- A subject's known income against their total expenditures and asset acquisitions
- The number of bank branches against deposits
- A company's revenue against its competitors' revenue
Correct answer: A subject's known income against their total expenditures and asset acquisitions
The expenditures method compares a subject's known legitimate income against their total spending and asset purchases; spending that exceeds known income suggests hidden income. The other comparisons have nothing to do with tracing illicit funds.
- In digital forensics, 'unallocated space' on a storage device is significant because it:
- Is always encrypted and cannot be examined
- Contains only the operating system files
- May contain remnants of deleted files that can be recovered as evidence
- Is automatically overwritten before imaging
Correct answer: May contain remnants of deleted files that can be recovered as evidence
Unallocated space may hold remnants of deleted files that forensic tools can often recover, making it a valuable evidence source. It is not inherently encrypted, is not limited to operating system files, and should be preserved through imaging before any overwriting.
- Metadata associated with an electronic document is useful to a fraud examiner because it can reveal:
- When a file was created, modified, and by whom
- The market value of the document
- The document's printing cost
- The subject's physical fingerprints
Correct answer: When a file was created, modified, and by whom
Metadata can reveal creation and modification dates and the user associated with the file, which helps establish timelines and authorship in a fraud examination. It does not provide market value, physical fingerprints, or printing costs.
- To preserve potentially relevant electronic evidence once litigation is reasonably anticipated, an organization should:
- Email the data to all employees
- Encrypt the data so no one can access it
- Implement a litigation hold to suspend routine deletion of relevant data
- Accelerate destruction of all old records
Correct answer: Implement a litigation hold to suspend routine deletion of relevant data
A litigation hold suspends routine data deletion to preserve relevant electronic evidence once litigation is reasonably anticipated, and failing to do so can lead to spoliation sanctions. Accelerating destruction, encrypting to block access, or broadly emailing data would jeopardize the evidence.
- Write-blocking hardware or software is used during digital evidence collection to:
- Prevent any modification of the original media while it is being imaged
- Speed up the imaging by skipping verification
- Encrypt the resulting forensic image
- Permanently erase the suspect drive after copying
Correct answer: Prevent any modification of the original media while it is being imaged
A write blocker prevents any writes to the original media during imaging, preserving the evidence in an unaltered state. It does not erase the source, skip verification, or encrypt the image.
- Best practice for handling original documentary evidence in a fraud examination is to:
- Distribute originals freely among the team
- Mark up the originals with the examiner's notes
- Mail the originals to the suspect for confirmation
- Secure the originals, work from copies, and log every transfer of the originals
Correct answer: Secure the originals, work from copies, and log every transfer of the originals
Examiners should secure original documents, work from copies, and log each transfer to maintain an unbroken chain of custody. Freely distributing, marking up, or mailing originals to the suspect would compromise their integrity and admissibility.
- Which scenario represents a proper handling of physical evidence to maintain chain of custody?
- Multiple staff handle the item without any log
- An examiner seals the item in a tamper-evident container, labels it, and records each person who takes possession
- An examiner leaves the item unattended on a desk overnight
- The item is stored at an employee's home with no record
Correct answer: An examiner seals the item in a tamper-evident container, labels it, and records each person who takes possession
Sealing the item, labeling it, and recording each custodian maintains a documented, unbroken chain of custody. Leaving evidence unattended, handling it without a log, or storing it informally at home all create custody gaps that can undermine admissibility.
- The primary risk created by an undocumented gap in the chain of custody is that:
- The examiner earns additional fees
- Opposing counsel can argue the evidence may have been tampered with or substituted
- The court must accept the evidence without question
- The evidence automatically becomes more credible
Correct answer: Opposing counsel can argue the evidence may have been tampered with or substituted
An undocumented custody gap lets opposing counsel argue the evidence could have been altered or substituted, undermining its reliability. A gap weakens rather than strengthens credibility and does not compel a court to accept the evidence.
- Which element should generally be included in a comprehensive fraud examination report?
- Unsubstantiated rumors gathered during the inquiry
- A recommendation on the criminal sentence to impose
- The examiner's personal feelings about the subject
- A clear statement of the scope and the findings supported by evidence
Correct answer: A clear statement of the scope and the findings supported by evidence
A comprehensive report states the engagement's scope and presents findings supported by evidence. It should exclude personal feelings, unsubstantiated rumors, and recommendations about criminal sentencing, which are outside the examiner's role.
- To preserve objectivity in a fraud examination report, the examiner should:
- Present both inculpatory and exculpatory evidence discovered during the examination
- Exaggerate the strength of weak evidence
- Include only evidence that supports a finding of fraud
- Omit any evidence favorable to the subject
Correct answer: Present both inculpatory and exculpatory evidence discovered during the examination
Objectivity requires presenting both inculpatory and exculpatory evidence so the report is balanced and credible. Reporting only damaging evidence, exaggerating weak evidence, or omitting favorable evidence undermines fairness and the examiner's credibility.
- Using precise, defined terms and avoiding inflammatory language in a fraud report is important because:
- The report may be scrutinized in litigation, and loose or inflammatory wording can expose the examiner to liability
- Precise language shortens the investigation
- Defined terms are required by the Bank Secrecy Act
- Inflammatory language makes the report more persuasive to juries
Correct answer: The report may be scrutinized in litigation, and loose or inflammatory wording can expose the examiner to liability
Because the report may be examined closely in litigation, precise terminology and neutral language reduce the risk of liability, such as defamation claims, and bolster credibility. Inflammatory wording is a liability, not a persuasion advantage, and precision is a professional standard rather than a BSA requirement.
- An expert witness's credibility on the stand is most enhanced when the expert:
- Refuses to concede any point on cross-examination
- Explains complex findings clearly and acknowledges the limitations of the analysis
- Overstates the certainty of every conclusion
- Uses jargon to appear more knowledgeable
Correct answer: Explains complex findings clearly and acknowledges the limitations of the analysis
Credibility is strengthened when an expert communicates clearly and candidly acknowledges limitations, which signals objectivity. Refusing to concede valid points, hiding behind jargon, or overstating certainty tends to erode credibility.
- Which of the following can undermine a fraud examiner's effectiveness as an expert witness?
- A clear, well-documented methodology
- Objective, fact-based opinions
- Relevant professional credentials and experience
- Demonstrated bias or a financial interest in the outcome of the case
Correct answer: Demonstrated bias or a financial interest in the outcome of the case
Demonstrated bias or a financial stake in the outcome undermines an expert's effectiveness because it calls impartiality into question. Relevant credentials, a clear methodology, and objective opinions enhance, rather than undermine, the expert's value.
- When testifying, a fraud examiner who is a lay witness rather than an expert should generally limit testimony to:
- Opinions on the ultimate legal question of guilt
- Conclusions drawn from specialized analysis
- Speculation about the subject's intentions
- Facts personally observed or known, without offering expert opinions
Correct answer: Facts personally observed or known, without offering expert opinions
A lay witness should confine testimony to facts they personally observed or know, refraining from expert opinions or specialized conclusions. Offering opinions on guilt or speculating about intent exceeds the scope permitted for lay testimony.
- Hearsay is generally defined as:
- An out-of-court statement offered to prove the truth of the matter asserted
- Any statement made by an expert witness
- A confession made directly in court
- Physical evidence collected at a scene
Correct answer: An out-of-court statement offered to prove the truth of the matter asserted
Hearsay is an out-of-court statement offered to prove the truth of what it asserts and is generally inadmissible unless an exception applies. It is distinct from expert testimony, physical evidence, or an in-court confession.
- Which of the following is the best example of documentary evidence in a fraud case?
- An altered invoice produced by the suspect
- A polygraph examiner's intuition
- The suspect's general reputation
- A witness's recollection of a conversation
Correct answer: An altered invoice produced by the suspect
An altered invoice is documentary evidence, a tangible record relevant to the fraud. A witness's recollection is testimonial, intuition is not evidence, and reputation is character evidence with limited admissibility.
- For documentary evidence such as a contract to be admitted, a party typically must first:
- Prove it favors the prosecution
- Translate it into Latin
- Authenticate it by showing it is what it purports to be
- Have it notarized by the court
Correct answer: Authenticate it by showing it is what it purports to be
Documentary evidence must be authenticated, meaning the proponent must show it is genuinely what it claims to be, before it can be admitted. Admissibility does not depend on favoring a party, translation into Latin, or court notarization.
- Why can a pattern of strong circumstantial evidence sometimes be as persuasive as direct evidence in proving fraud?
- Circumstantial evidence requires no authentication
- Circumstantial evidence is exempt from the rules of evidence
- Direct evidence is never admissible
- Multiple consistent circumstances can collectively support a compelling inference of guilt
Correct answer: Multiple consistent circumstances can collectively support a compelling inference of guilt
A web of consistent circumstantial facts can collectively support a strong inference, sometimes rivaling direct evidence, which is why fraud cases often rest on circumstantial proof. Circumstantial evidence is still subject to the rules of evidence and must be authenticated, and direct evidence is admissible.
- In legal systems, the principle of 'stare decisis' (following precedent) is a defining feature of:
- Administrative tribunals only
- Civil law systems
- Inquisitorial systems exclusively
- Common law systems
Correct answer: Common law systems
Stare decisis, the doctrine of following precedent, is a defining feature of common law systems. Civil law systems place primary emphasis on codified statutes rather than binding precedent.
- A fraud examiner working an international matter should understand legal-system differences because:
- Common law countries prohibit fraud examinations
- Rules on evidence gathering, privacy, and procedure vary significantly between common law and civil law jurisdictions
- All countries follow identical evidence rules
- Civil law countries have no fraud statutes
Correct answer: Rules on evidence gathering, privacy, and procedure vary significantly between common law and civil law jurisdictions
Cross-border work requires understanding that evidence-gathering, privacy, and procedural rules differ markedly between common law and civil law jurisdictions. Evidence rules are not uniform worldwide, and both systems address fraud and permit examinations.
- In an inquisitorial (civil law) proceeding, who typically drives the investigation and development of evidence?
- The plaintiff's expert witness
- The opposing attorneys exclusively
- The jury foreperson
- The judge or examining magistrate
Correct answer: The judge or examining magistrate
In an inquisitorial civil law proceeding, the judge or examining magistrate takes the lead in investigating and developing the evidence. This contrasts with the adversarial common law model, where the opposing attorneys drive the presentation of evidence.
- Which mental state must the government generally prove to convict a defendant of mail or wire fraud?
- Good faith
- Strict liability with no intent
- Intent to defraud
- Mere negligence
Correct answer: Intent to defraud
Mail and wire fraud require proof of intent to defraud, a specific criminal mental state. Negligence is insufficient, the offenses are not strict liability, and good faith is a defense rather than an element of the crime.
- Mail and wire fraud statutes are valuable to federal prosecutors of fraud schemes largely because they:
- Carry no possibility of imprisonment
- Apply only to securities transactions
- Apply broadly to many schemes that use the mails or interstate communications
- Require no proof of a scheme to defraud
Correct answer: Apply broadly to many schemes that use the mails or interstate communications
These statutes are powerful because they apply broadly to a wide range of fraud schemes that involve the mails or interstate wire communications. They still require a scheme to defraud, are not limited to securities, and carry significant penalties including imprisonment.
- A con artist mails fraudulent lottery 'winner' notices to victims to extract advance fees. The use of the postal service to advance this scheme exposes the con artist to liability under:
- The Currency Transaction Report rule
- The wire fraud statute
- The mail fraud statute
- The chain of custody doctrine
Correct answer: The mail fraud statute
Using the postal service to further the fraudulent lottery scheme triggers liability under the mail fraud statute. Wire fraud covers interstate electronic communications, the CTR rule concerns cash reporting, and chain of custody is an evidence principle.
- A company terminates an employee shortly after she reported suspected accounting fraud to regulators. This action most likely raises a concern about:
- Proper chain of custody
- Legitimate net worth analysis
- Unlawful retaliation against a whistleblower
- A lawful CTR filing
Correct answer: Unlawful retaliation against a whistleblower
Firing an employee soon after she reported suspected fraud to regulators raises a concern of unlawful whistleblower retaliation, which is prohibited. The scenario has nothing to do with CTR filings, chain of custody, or net worth analysis.
- When detaining or restricting an employee during a workplace interview, an examiner who goes too far may commit which tort?
- Copyright infringement
- Breach of warranty
- Patent infringement
- False imprisonment
Correct answer: False imprisonment
Unreasonably restraining an employee's freedom of movement during an interview can constitute the tort of false imprisonment, so examiners must avoid coercive detention. Copyright, warranty, and patent issues are unrelated to interview conduct.
- An effective and protected internal reporting mechanism, such as a fraud hotline, should ideally allow employees to:
- Report only to the suspected wrongdoer
- Be identified and publicly named to the accused
- Report concerns anonymously and without fear of retaliation
- Receive a fee for each report regardless of accuracy
Correct answer: Report concerns anonymously and without fear of retaliation
A protected reporting mechanism lets employees report anonymously and free from retaliation, encouraging disclosure of wrongdoing. Publicly naming reporters, routing reports to the suspect, or paying per report regardless of accuracy would defeat the mechanism's purpose.
- Which engagement is most clearly within the scope of forensic accounting?
- Designing the company's logo
- Quantifying the financial loss from an embezzlement for use in litigation
- Preparing a company's marketing brochure
- Scheduling employee shifts
Correct answer: Quantifying the financial loss from an embezzlement for use in litigation
Quantifying embezzlement losses for litigation is a core forensic accounting engagement, combining accounting expertise with an investigative, dispute-oriented purpose. Marketing, design, and scheduling tasks are unrelated to forensic accounting.
- A defining feature of the forensic accountant's mindset, compared with a traditional accountant's, is:
- Professional skepticism oriented toward detecting intentional misstatement and concealment
- A preference for estimates over documentation
- A focus on minimizing the client's tax bill
- An assumption that all records are accurate
Correct answer: Professional skepticism oriented toward detecting intentional misstatement and concealment
Forensic accountants apply heightened professional skepticism aimed at detecting intentional misstatement and concealment, going beyond the traditional accountant's focus. They rely on documentation rather than assuming records are accurate or prioritizing tax minimization.
- A money launderer buys casino chips with illicit cash, gambles minimally, then cashes out and requests a casino check. Which stage does buying the chips primarily represent?
- Reporting
- Placement
- Layering only
- Integration
Correct answer: Placement
Buying casino chips with illicit cash introduces the funds into the financial system through the casino, which is placement. The subsequent cash-out and check request begin to add layers and lend an appearance of legitimacy, but the initial chip purchase is placement.
- Using shell companies and nominee owners to move funds is most directly aimed at accomplishing which money laundering objective?
- Paying lawful taxes on the funds
- Obscuring the true ownership and trail of the funds during layering
- Returning funds to charity
- Physically introducing cash into a bank
Correct answer: Obscuring the true ownership and trail of the funds during layering
Shell companies and nominees obscure true ownership and the audit trail, which is central to the layering stage. They are not used to deposit cash for the first time, pay taxes, or make charitable gifts.
- Which professional is most likely to be exploited as a 'gatekeeper' to facilitate the layering of laundered funds?
- An attorney or accountant who sets up complex entity structures
- A delivery driver
- A retail cashier
- A receptionist
Correct answer: An attorney or accountant who sets up complex entity structures
Professionals such as attorneys and accountants can be exploited as gatekeepers because they can create complex entity and transaction structures that facilitate layering. Cashiers, drivers, and receptionists do not have the means to construct such structures.
- The increasing use of cryptocurrencies in money laundering primarily challenges investigators because they can:
- Be physically deposited like cash at a teller
- Enable rapid, cross-border transfers with varying degrees of pseudonymity
- Never be traced under any circumstances
- Only be used inside a single bank
Correct answer: Enable rapid, cross-border transfers with varying degrees of pseudonymity
Cryptocurrencies challenge investigators by enabling rapid cross-border transfers with varying pseudonymity, complicating attribution. They are not confined to a single bank, can sometimes be traced through blockchain analysis, and are not physically deposited at a teller.
- An examiner reviewing a customer's history sees dozens of cash deposits ranging from $9,000 to $9,800 spread across many days and branches. The most likely explanation warranting investigation is:
- Random coincidence with no significance
- Routine handling of large legitimate cash sales
- A deliberate effort to structure transactions below the reporting threshold
- A bank software error generating duplicates
Correct answer: A deliberate effort to structure transactions below the reporting threshold
A persistent pattern of deposits clustered just below $10,000 across days and branches strongly indicates deliberate structuring to evade reporting and warrants investigation. Such a consistent pattern is unlikely to be coincidence or a software artifact.
- Which fact is essential to proving the offense of structuring?
- That the funds came from a foreign country
- The purpose of evading the currency transaction reporting requirement
- That a single deposit exceeded $10,000
- That the bank failed to file a CTR
Correct answer: The purpose of evading the currency transaction reporting requirement
Structuring requires proving the purpose of evading the currency transaction reporting requirement; the splitting is done specifically to avoid the threshold. A single deposit over the limit, a foreign origin, or a bank's filing failure are not elements of structuring.
- Enhanced due diligence (EDD) under AML programs is typically applied to:
- All customers equally regardless of risk
- Customers who request paper statements
- Higher-risk customers, such as politically exposed persons or those in high-risk jurisdictions
- Only customers with savings accounts
Correct answer: Higher-risk customers, such as politically exposed persons or those in high-risk jurisdictions
EDD applies heightened scrutiny to higher-risk customers, such as politically exposed persons (PEPs) and those connected to high-risk jurisdictions. It is risk-based, not applied uniformly to all customers or triggered by account type or statement preference.
- A 'politically exposed person' (PEP) is treated as higher risk in AML programs primarily because:
- They cannot be reported under any circumstances
- They are exempt from all KYC requirements
- Their position may create greater potential for involvement in bribery or corruption
- They are legally prohibited from holding bank accounts
Correct answer: Their position may create greater potential for involvement in bribery or corruption
PEPs are treated as higher risk because their prominent public positions create greater potential exposure to bribery and corruption proceeds. They are not barred from banking, are still subject to reporting, and require enhanced rather than waived KYC.
- Beneficial ownership requirements under AML rules are designed to:
- Eliminate the need for any customer identification
- Hide the identity of a company's owners
- Set the entity's tax rate
- Identify the natural persons who ultimately own or control a legal entity customer
Correct answer: Identify the natural persons who ultimately own or control a legal entity customer
Beneficial ownership rules require institutions to identify the natural persons who ultimately own or control an entity customer, preventing criminals from hiding behind shell companies. The purpose is transparency, not concealment, and it supplements rather than replaces customer identification.
- A customer makes a $7,000 cash deposit in the morning and a $5,000 cash deposit in the afternoon at the same bank on the same day. The institution should:
- File a SAR instead of a CTR automatically
- Aggregate the deposits and file a single CTR since the day's total exceeds $10,000
- File no CTR because neither deposit alone exceeds the threshold
- Wait until the next business day to decide
Correct answer: Aggregate the deposits and file a single CTR since the day's total exceeds $10,000
Because cash transactions by the same customer in one business day are aggregated, the $12,000 total requires a single CTR. Treating each deposit separately ignores the aggregation rule, and a SAR is a separate, suspicion-based filing.
- The information collected on a CTR primarily helps law enforcement by:
- Creating a record of large cash movements that can be analyzed for illicit activity
- Setting the customer's loan interest rate
- Determining the bank's deposit insurance premium
- Calculating the customer's credit score
Correct answer: Creating a record of large cash movements that can be analyzed for illicit activity
CTR data creates a record of large cash movements that law enforcement can analyze to detect money laundering and other crimes. It is unrelated to setting interest rates, insurance premiums, or credit scores.
- Which of the following customer behaviors is the strongest SAR red flag?
- A customer who closes an account and opens a new one for a better rate
- A customer who deposits a tax refund check
- A customer who appears nervous, avoids reporting thresholds, and cannot explain the source of large cash deposits
- A customer who sets up automatic bill payments
Correct answer: A customer who appears nervous, avoids reporting thresholds, and cannot explain the source of large cash deposits
A customer who is nervous, deliberately avoids reporting thresholds, and cannot explain large cash sources presents strong indicators of illicit activity warranting a SAR. Depositing a refund, automating bills, or switching accounts for a better rate are ordinary behaviors.
- If a financial institution detects a pattern of structuring by a customer, the appropriate response is to:
- File a Suspicious Activity Report documenting the suspected structuring
- Close the account without any filing
- Notify the customer to give them a chance to explain
- Reverse all the customer's transactions
Correct answer: File a Suspicious Activity Report documenting the suspected structuring
Detecting suspected structuring calls for filing a SAR to document the activity; tipping off the customer is prohibited. Simply closing the account without filing, or reversing transactions, does not satisfy the reporting obligation.
- An auditor applies a Benford's Law test to a vendor's invoice amounts and the distribution conforms closely to the expected pattern. This result indicates that:
- The dataset must be deleted
- There is no strong leading-digit anomaly, though it does not by itself prove the absence of fraud
- Every invoice is fraudulent
- Fraud has definitely occurred
Correct answer: There is no strong leading-digit anomaly, though it does not by itself prove the absence of fraud
Close conformity to Benford's Law means no strong leading-digit anomaly is present, but it does not prove fraud is absent, since not all fraud distorts digit distributions. Conformity is reassuring but not conclusive of integrity.
- Benford's Law tests are typically performed using:
- Physical inspection of a warehouse
- Computer-assisted data analysis software on large transaction populations
- Manual review of a single invoice
- Interviews with the suspect
Correct answer: Computer-assisted data analysis software on large transaction populations
Benford's Law tests are run with computer-assisted data analysis tools over large transaction populations to compare actual versus expected digit frequencies. They are not performed by reviewing one invoice, interviewing suspects, or inspecting a warehouse.
- In the sequence of fraud examination interviews, the admission-seeking interview generally comes:
- Before interviewing any witnesses
- Simultaneously with the initial complaint
- Last, after neutral and information-gathering interviews and evidence collection
- First, before any evidence is gathered
Correct answer: Last, after neutral and information-gathering interviews and evidence collection
The admission-seeking interview is conducted last, after neutral witnesses have been interviewed and sufficient evidence supports reasonable certainty of guilt. Conducting it first, before evidence or witness interviews, would be premature.
- When a subject in an admission-seeking interview offers a benchmark admission to a smaller, more acceptable version of the conduct, the examiner should view this as:
- Grounds to immediately arrest the subject
- Proof of the subject's innocence
- A foothold to develop toward a full and detailed confession
- A complete defense ending the inquiry
Correct answer: A foothold to develop toward a full and detailed confession
A partial or 'benchmark' admission is a foothold the examiner builds upon to obtain a full, detailed confession. It is not a defense, not proof of innocence, and fraud examiners do not have arrest authority.
- An interview subject responds to a direct accusation with a calm, unequivocal denial and consistent details. According to interview theory, this is:
- Conclusive proof of guilt
- More characteristic of a truthful subject than a deceptive one
- An automatic basis to seek a confession
- Always a sign of coaching
Correct answer: More characteristic of a truthful subject than a deceptive one
A calm, unequivocal denial with consistent details is more characteristic of truthful subjects, in contrast to the evasive or qualified denials often seen with deception. It is not proof of guilt, a basis to seek a confession, or necessarily a sign of coaching.
- Why must an examiner consider cultural and individual differences when interpreting behavioral cues for deception?
- Behaviors such as eye contact or expressiveness vary by culture and personality, so cues are not universal
- Cultural differences make all cues meaningless by law
- Only one culture's norms apply in interviews
- Personality has no effect on behavior
Correct answer: Behaviors such as eye contact or expressiveness vary by culture and personality, so cues are not universal
Behavioral cues like eye contact and expressiveness vary across cultures and individuals, so they must be interpreted in context rather than as universal indicators. Disregarding these differences risks misreading normal behavior as deception.
- Which best distinguishes public records from nonpublic information in an investigation?
- Public records cost money while nonpublic records are free
- Public records are unreliable and nonpublic records are always reliable
- Public records are always digital and nonpublic records are always paper
- Public records are accessible to anyone without legal process, while nonpublic information generally requires authorization or compulsion
Correct answer: Public records are accessible to anyone without legal process, while nonpublic information generally requires authorization or compulsion
The key distinction is accessibility: public records can be obtained by anyone without legal process, whereas nonpublic information usually requires legal authorization or compulsion such as a subpoena. Format, reliability, and cost are not the defining differences.
- A fraud examiner who improperly obtains nonpublic information through pretexting (deception) risks:
- Strengthening the chain of custody
- Receiving a regulatory award
- Automatically validating the evidence
- Legal liability and rendering the resulting evidence inadmissible or tainted
Correct answer: Legal liability and rendering the resulting evidence inadmissible or tainted
Using pretexting to obtain protected nonpublic information can create legal liability and taint the evidence, jeopardizing its admissibility. Improper collection does not earn rewards, strengthen custody, or validate evidence.
- A fraud examiner suspects a subject secretly owns a competing business. Which public source would most directly confirm the subject's registered ownership role?
- State business entity and corporate registration filings
- The competitor's confidential payroll
- The subject's personal therapy notes
- The subject's encrypted personal cloud storage
Correct answer: State business entity and corporate registration filings
State business entity and corporate registration filings publicly list officers and registered agents, which can confirm a subject's ownership role in a business. Therapy notes, confidential payroll, and encrypted personal storage are nonpublic.
- Property records searched during a fraud examination can help establish:
- The subject's daily schedule
- Real estate a subject owns and any associated mortgages or liens
- The subject's medical diagnoses
- The subject's email passwords
Correct answer: Real estate a subject owns and any associated mortgages or liens
Public property records reveal real estate ownership and associated mortgages or liens, useful for asset identification and tracing. They do not disclose schedules, passwords, or medical information.
- When relying on information from a public records database aggregator, a careful fraud examiner should:
- Accept all aggregator data as conclusive
- Assume the data is always current and complete
- Corroborate key findings against primary source records to confirm accuracy
- Avoid documenting where the data came from
Correct answer: Corroborate key findings against primary source records to confirm accuracy
Aggregator data can be outdated or erroneous, so a careful examiner corroborates key findings against primary source records before relying on them. Treating aggregator data as conclusive or undocumented, or assuming it is always current, risks error.
- A subject earns a documented salary of $80,000 per year but, over one year, acquired $300,000 in new assets while maintaining a normal lifestyle. The net worth method would flag this because:
- Lifestyle costs reduce net worth automatically
- The asset increase greatly exceeds known legitimate income, suggesting unexplained income
- The subject's salary fully explains the asset increase
- Asset increases are irrelevant to income analysis
Correct answer: The asset increase greatly exceeds known legitimate income, suggesting unexplained income
When the increase in assets vastly exceeds documented legitimate income, the net worth method flags the unexplained gap as possible illicit income. A salary of $80,000 cannot account for $300,000 in new assets in a single year.
- A limitation a fraud examiner must address when using the net worth method is:
- The requirement to obtain a confession first
- Accounting for legitimate sources such as gifts, inheritances, or loans that could explain increases
- The prohibition on using public records
- The need to ignore all of the subject's liabilities
Correct answer: Accounting for legitimate sources such as gifts, inheritances, or loans that could explain increases
A key limitation is that the examiner must account for legitimate non-income sources, such as gifts, inheritances, or loans, that could explain net worth increases before attributing them to illicit income. The method incorporates liabilities and relies on records, and no confession is required.
- Volatile data, such as the contents of a computer's RAM, is significant in digital forensics because it:
- Is lost when the device is powered off and may need to be captured before shutdown
- Is permanently stored on the hard drive
- Is automatically backed up to the cloud
- Cannot contain any useful evidence
Correct answer: Is lost when the device is powered off and may need to be captured before shutdown
Volatile data like RAM contents is lost when power is removed, so it may need to be captured live before shutdown to preserve potential evidence such as running processes or encryption keys. It is not permanently stored or automatically preserved.
- Email evidence in a fraud case can be authenticated and analyzed in part by examining the message's:
- Recipient's astrological sign
- Header information, including routing and timestamps
- Font color only
- Paper weight of a printout
Correct answer: Header information, including routing and timestamps
Email headers contain routing details and timestamps that help authenticate and analyze the message's origin and path. Font color, astrological details, and the paper weight of a printout are irrelevant to authentication.
- When seizing a mobile device as evidence, a recommended practice to prevent remote tampering is to:
- Reset it to factory settings immediately
- Install new apps to test functionality
- Connect it to public Wi-Fi for backup
- Isolate it from networks, such as by using a Faraday bag or enabling airplane mode
Correct answer: Isolate it from networks, such as by using a Faraday bag or enabling airplane mode
Isolating a seized mobile device from networks, for example with a Faraday bag or airplane mode, prevents remote wiping or tampering. Connecting to Wi-Fi, installing apps, or factory-resetting would risk altering or destroying evidence.
- Which document would a fraud examiner use to track the movement and handling of a seized laptop from collection through trial?
- A Currency Transaction Report
- A chain of custody log
- An expert's curriculum vitae
- A Benford's Law worksheet
Correct answer: A chain of custody log
A chain of custody log tracks who collected, handled, and stored the laptop and when, preserving evidentiary integrity from collection through trial. A CTR, a Benford's worksheet, and a CV serve entirely different purposes.
- Maintaining chain of custody is especially critical for digital evidence because:
- Digital evidence never changes
- Digital data can be altered easily, so demonstrating untampered handling supports its reliability
- Digital evidence is exempt from authentication
- Digital evidence cannot be copied
Correct answer: Digital data can be altered easily, so demonstrating untampered handling supports its reliability
Because digital data can be altered easily, a documented chain of custody helps demonstrate the evidence was not tampered with, supporting its reliability and admissibility. Digital evidence is not exempt from authentication, can change, and can certainly be copied.
- A fraud examination report's conclusions should be:
- Based on the examiner's gut feeling
- Supported by and traceable to the evidence documented in the report
- Hidden from the client to protect the case
- Stronger than the underlying evidence supports
Correct answer: Supported by and traceable to the evidence documented in the report
Conclusions in a fraud report must be supported by and traceable to the documented evidence so they withstand scrutiny. They should not rest on gut feeling, overstate the evidence, or be concealed from the client who commissioned the examination.
- Including an executive summary at the start of a lengthy fraud examination report primarily helps by:
- Giving readers a concise overview of the scope and key findings
- Concealing the report's conclusions
- Replacing the need for supporting evidence
- Adding inflammatory characterizations of the subject
Correct answer: Giving readers a concise overview of the scope and key findings
An executive summary gives readers a concise overview of the scope and key findings before the detailed sections. It supplements rather than replaces the supporting evidence and should remain objective, not inflammatory.
- A fraud examiner retained as a consulting (non-testifying) expert differs from a testifying expert in that the consulting expert:
- Must always testify at trial
- Sets the judge's schedule
- Assists the legal team but does not present opinions in court and is often shielded from disclosure
- Cannot review any case documents
Correct answer: Assists the legal team but does not present opinions in court and is often shielded from disclosure
A consulting expert assists the legal team behind the scenes without testifying, and their work is often protected from disclosure, unlike a testifying expert whose opinions and basis are disclosed. The consulting expert reviews documents but does not control the court.
- During cross-examination, a fraud examiner serving as an expert witness should:
- Change opinions to please whoever is asking
- Answer truthfully and concede valid points while standing by well-supported opinions
- Refuse to answer challenging questions
- Argue with opposing counsel to win the case
Correct answer: Answer truthfully and concede valid points while standing by well-supported opinions
On cross-examination an expert should answer truthfully, concede valid points, and maintain well-supported opinions, which preserves credibility. Arguing, refusing to answer, or shifting opinions to please the questioner undermines the expert's effectiveness.
- The 'best evidence rule' generally requires that, to prove the contents of a writing, a party should produce:
- A sworn summary instead of any document
- A photograph of the building where it was signed
- Only an expert's interpretation
- The original document when available, rather than a copy or oral description
Correct answer: The original document when available, rather than a copy or oral description
The best evidence rule generally requires the original writing to prove its contents when the original is available, though duplicates may be admissible under exceptions. A summary, expert interpretation, or unrelated photograph does not satisfy the rule.
- Which is an example of testimonial evidence in a fraud case?
- A surveillance video clip
- A spreadsheet of suspicious transactions
- A witness's sworn account of what they saw the suspect do
- A forged check recovered from a file
Correct answer: A witness's sworn account of what they saw the suspect do
Testimonial evidence consists of statements given by witnesses, such as a sworn account of what they observed. A forged check, a spreadsheet, and a video are documentary or physical evidence rather than testimonial.
- A privilege, such as the attorney-client privilege, affects evidence by:
- Eliminating the need to authenticate documents
- Guaranteeing that all communications are admissible
- Protecting certain confidential communications from compelled disclosure
- Requiring all communications to be made public
Correct answer: Protecting certain confidential communications from compelled disclosure
A privilege such as attorney-client protects certain confidential communications from compelled disclosure, which can keep otherwise relevant material out of evidence. It does not make communications admissible, public, or exempt from authentication.
- In which legal tradition would a court decision most likely create binding precedent for future similar cases?
- A common law jurisdiction
- A purely administrative regime
- A civil law jurisdiction
- An inquisitorial code-based system
Correct answer: A common law jurisdiction
Common law jurisdictions treat court decisions as binding precedent under stare decisis. Civil law and code-based inquisitorial systems give primary weight to written codes rather than to prior judicial decisions.
- A fraud examiner conducting interviews in a civil law country should expect that, compared with a common law country:
- No legal rules will apply to the investigation
- Confessions are never used as evidence
- The rules will be identical to common law countries
- Procedural and evidentiary rules and the judge's investigative role may differ significantly
Correct answer: Procedural and evidentiary rules and the judge's investigative role may differ significantly
In civil law countries, procedural and evidentiary rules and the judge's more investigative role often differ significantly from common law practice, which examiners must respect. The rules are not identical across systems, legal rules certainly apply, and confessions can be used as evidence.
- Which of the following is an element common to both mail fraud and wire fraud?
- A confession by the defendant
- A loss exceeding $1 million
- An offshore bank account
- A scheme or artifice to defraud
Correct answer: A scheme or artifice to defraud
Both mail fraud and wire fraud require a scheme or artifice to defraud, along with use of the mails or interstate wires respectively. Neither requires a minimum loss, an offshore account, or a confession.
- Even an unsuccessful fraud scheme can support a mail or wire fraud charge as long as:
- The defendant confessed in writing
- The defendant devised a scheme to defraud and used the mails or wires in furtherance of it
- The victims actually lost money
- An offshore account was used
Correct answer: The defendant devised a scheme to defraud and used the mails or wires in furtherance of it
Mail and wire fraud focus on the scheme and the use of the mails or wires in furtherance of it, so the offense can be complete even if the scheme failed and no loss occurred. Actual loss, a confession, or an offshore account are not required elements.
- A retaliatory act prohibited by whistleblower protections could include all of the following EXCEPT:
- Firing the whistleblower
- Demoting the whistleblower
- Conducting a fair, evidence-based investigation of the employee's allegation
- Cutting the whistleblower's pay in reprisal
Correct answer: Conducting a fair, evidence-based investigation of the employee's allegation
Investigating an allegation fairly is appropriate and is not retaliation; prohibited retaliation includes demotion, termination, or pay cuts imposed because of the protected report. The law targets reprisals, not legitimate inquiry.
- When interviewing a unionized employee who reasonably believes the interview may lead to discipline, the examiner should be aware that the employee may have the right to:
- Refuse to be interviewed under any circumstances forever
- Demand a financial reward for participating
- Request the presence of a union representative (a Weingarten right)
- Require that the interview be broadcast publicly
Correct answer: Request the presence of a union representative (a Weingarten right)
Under Weingarten rights, a unionized employee who reasonably fears discipline may request a union representative during an investigatory interview. The right is to representation, not to a reward, a permanent refusal, or public broadcast of the interview.
- A forensic accountant engaged to investigate suspected payroll fraud would most appropriately:
- Set the company's future payroll budget
- Hire the company's new employees
- Analyze payroll records and related evidence to detect anomalies and quantify any loss
- Design the payroll software interface
Correct answer: Analyze payroll records and related evidence to detect anomalies and quantify any loss
A forensic accountant investigating payroll fraud analyzes payroll records and supporting evidence to detect anomalies, identify schemes, and quantify losses. Budgeting, software design, and hiring are operational tasks outside the forensic engagement.
- Forensic accounting techniques such as data analysis and document examination support a fraud examination by:
- Eliminating the need for interviews
- Replacing the role of the courts
- Uncovering and documenting evidence of financial irregularities
- Guaranteeing a criminal conviction
Correct answer: Uncovering and documenting evidence of financial irregularities
Forensic accounting techniques help uncover and document evidence of financial irregularities that supports the examination. They do not guarantee convictions, replace the courts, or eliminate the need for interviews, which remain important evidence sources.
- A criminal organization purchases a chain of laundromats and reports inflated cash income from them to legitimize illicit funds. The use of these cash-intensive businesses is intended to support which stage?
- Structuring only
- Integration
- Layering only
- Placement only
Correct answer: Integration
Reporting inflated income from cash-intensive front businesses to legitimize illicit funds is integration, where the money re-enters the economy appearing lawful. While such businesses can also aid placement, the act of legitimizing the funds as reported income is integration.
- Which is a common red flag of money laundering that a fraud examiner might observe in account activity?
- Monthly mortgage payments of a consistent amount
- Occasional small ATM withdrawals
- Frequent large round-dollar transfers with no apparent business purpose
- Regular payroll deposits matching salary
Correct answer: Frequent large round-dollar transfers with no apparent business purpose
Frequent large round-dollar transfers lacking any apparent business purpose are a recognized money laundering red flag. Routine payroll deposits, consistent mortgage payments, and small ATM withdrawals are ordinary patterns.
- The Financial Action Task Force (FATF) is best described as:
- A U.S. bank that processes wire transfers
- An intergovernmental body that sets international standards to combat money laundering and terrorist financing
- A private accounting firm
- A consumer credit bureau
Correct answer: An intergovernmental body that sets international standards to combat money laundering and terrorist financing
FATF is an intergovernmental body that develops international standards and recommendations to combat money laundering and terrorist financing. It is not a bank, an accounting firm, or a credit bureau.
- Why do money launderers often move funds through jurisdictions with weak AML controls?
- Such jurisdictions guarantee higher interest rates
- They automatically legitimize all incoming funds
- Such jurisdictions offer less scrutiny and make tracing the funds more difficult
- They are required by international treaty to do so
Correct answer: Such jurisdictions offer less scrutiny and make tracing the funds more difficult
Launderers route funds through jurisdictions with weak AML controls because reduced scrutiny makes the money harder to trace. The choice is about evading oversight, not earning interest, complying with treaties, or any automatic legitimization.
- An AML 'red flag' indicating possible illicit activity in a new account would be:
- A customer reluctant to provide identification or background about the source of funds
- A customer providing complete and verifiable identification
- A customer setting up direct deposit of a paycheck
- A customer asking about account fees
Correct answer: A customer reluctant to provide identification or background about the source of funds
A customer who is reluctant to provide identification or explain the source of funds raises an AML red flag suggesting possible illicit activity. Providing complete identification, asking about fees, and setting up direct deposit are normal behaviors.
- The principal U.S. agency that receives BSA reports such as SARs and CTRs and shares financial intelligence with law enforcement is:
- The Consumer Financial Protection Bureau
- The Financial Crimes Enforcement Network (FinCEN)
- The Securities and Exchange Commission
- The Federal Trade Commission
Correct answer: The Financial Crimes Enforcement Network (FinCEN)
FinCEN is the U.S. financial intelligence unit that collects BSA reports such as SARs and CTRs and shares analysis with law enforcement. The FTC, SEC, and CFPB have different consumer, securities, and market mandates.
- A signed written confession obtained at the end of an admission-seeking interview should ideally include:
- An acknowledgment of the key facts, such as the act, the amounts, and that the statement was made voluntarily
- The examiner's personal opinion of guilt
- A promise of immunity from prosecution
- A list of unrelated company exhibits
Correct answer: An acknowledgment of the key facts, such as the act, the amounts, and that the statement was made voluntarily
A signed confession should capture the essential facts, such as the act, amounts, and time frame, and reflect that it was given voluntarily, which bolsters its reliability. It should not contain immunity promises, the examiner's opinions, or unrelated exhibits.
- Maintaining a calm, professional, and non-accusatory tone throughout the early phases of an admission-seeking interview helps the examiner by:
- Guaranteeing the subject will refuse to talk
- Ensuring the confession is involuntary
- Keeping the subject engaged and lowering resistance so an admission becomes more likely
- Eliminating the need for any evidence
Correct answer: Keeping the subject engaged and lowering resistance so an admission becomes more likely
A calm, professional tone keeps the subject engaged and reduces resistance, making an admission more attainable, while supporting the voluntariness of any confession. An accusatory or hostile approach risks shutting the subject down or producing an involuntary statement.
- When an interview subject answers a simple yes-or-no question with a long, rambling explanation, this verbal behavior may indicate:
- An automatic basis for arrest
- An attempt to avoid a direct answer that, with other cues, can suggest deception
- Conclusive proof of guilt
- Certain truthfulness with no further analysis needed
Correct answer: An attempt to avoid a direct answer that, with other cues, can suggest deception
Responding to a yes-or-no question with a long, rambling answer can be an avoidance technique that, combined with other indicators, may suggest deception. It is neither proof of truthfulness nor conclusive of guilt, and it provides no basis for arrest.
- A fraud examiner should structure interview questions to detect deception by:
- Avoiding follow-up questions entirely
- Asking only leading questions that suggest answers
- Telling the subject the desired answer in advance
- Asking open-ended questions and observing whether responses are consistent and complete
Correct answer: Asking open-ended questions and observing whether responses are consistent and complete
Open-ended questions encourage subjects to provide narrative responses whose consistency and completeness can be evaluated for signs of deception. Leading questions, avoiding follow-ups, or supplying the desired answer would contaminate the assessment.
- A fraud examiner needs a subject's account records held by a third-party financial institution. The proper way to obtain them in most cases is to:
- Impersonate the subject to the bank
- Hack into the bank's systems
- Bribe a bank employee for the records
- Use lawful process such as a subpoena or the subject's consent
Correct answer: Use lawful process such as a subpoena or the subject's consent
Account records held by a third-party institution are nonpublic and should be obtained through lawful process such as a subpoena or with the subject's consent. Impersonation, hacking, and bribery are illegal and would taint any resulting evidence.
- Which is an appropriate use of internet and social media sources in a fraud examination?
- Ignoring the need to verify information
- Treating every post as conclusive proof
- Identifying potential leads and relationships, then corroborating them with reliable evidence
- Fabricating accounts to entrap the subject
Correct answer: Identifying potential leads and relationships, then corroborating them with reliable evidence
Internet and social media sources are appropriately used to identify leads and relationships that are then corroborated with reliable evidence. Treating posts as conclusive, fabricating entrapment accounts, or skipping verification are improper.
- Which public record is most useful for confirming whether a court has entered a monetary judgment against a subject?
- Civil court judgment and docket records
- A private credit counseling file
- Internal corporate strategy memos
- The subject's personal bank PIN
Correct answer: Civil court judgment and docket records
Civil court judgment and docket records are public and confirm whether a monetary judgment has been entered against a subject. Bank PINs, internal corporate memos, and private counseling files are not public records.
- Voter registration and similar government records can sometimes assist a fraud examiner by:
- Disclosing the subject's medical conditions
- Helping confirm a subject's identity, address history, or aliases
- Providing the subject's confidential salary
- Revealing the subject's encrypted passwords
Correct answer: Helping confirm a subject's identity, address history, or aliases
Certain government records such as voter registrations can help confirm a subject's identity, address history, or aliases as part of a public records search. They do not disclose passwords, medical conditions, or confidential salary information.
- The net worth method is particularly useful in fraud cases where:
- Every transaction is fully documented and lawful
- A confession has already been obtained for all amounts
- Direct evidence of specific illicit transactions is unavailable but the subject's wealth has grown unexplainably
- The subject has no assets or income
Correct answer: Direct evidence of specific illicit transactions is unavailable but the subject's wealth has grown unexplainably
The net worth method shines when direct transaction evidence is lacking but a subject's wealth has grown beyond what legitimate income explains. It is unnecessary when transactions are fully documented or when a complete confession already covers the amounts.
- In a net worth analysis, 'living expenses' are added to the increase in net worth because:
- Funds spent on living expenses also had to come from somewhere, including potentially illicit income
- Living expenses are ignored in tracing analyses
- Living expenses reduce the need to prove income
- Living expenses are always illegal
Correct answer: Funds spent on living expenses also had to come from somewhere, including potentially illicit income
Living expenses are added because money spent on them also had to be funded, so including them captures the full amount the subject had to obtain, potentially from illicit sources. Ignoring living expenses would understate the unexplained income.
- A fraud examiner discovers that a key spreadsheet was modified after the relevant period. The most reliable way to establish the modification date is to:
- Examine the file's metadata and system logs through forensic analysis
- Guess based on the file name
- Assume the date shown on screen is always accurate
- Ask the suspect when they last opened it
Correct answer: Examine the file's metadata and system logs through forensic analysis
Forensic examination of file metadata and system logs provides the most reliable evidence of when a file was modified. Relying on the suspect's word, the file name, or the on-screen date alone can be misleading or manipulated.
- The principle that digital evidence collection should be performed by, or under the guidance of, qualified personnel exists primarily because:
- Only qualified personnel can read files
- Improper handling can alter or destroy evidence and compromise its admissibility
- Untrained staff are legally barred from touching computers
- Qualified personnel can guarantee a conviction
Correct answer: Improper handling can alter or destroy evidence and compromise its admissibility
Qualified handling matters because improper collection can alter or destroy digital evidence and compromise admissibility. The concern is preserving integrity, not that only experts can read files, a legal ban on others, or any guarantee of conviction.
- If multiple examiners must handle a single piece of evidence over time, chain of custody is best preserved by:
- Recording each transfer with the date, time, and identity of the person receiving it
- Allowing handoffs without any documentation
- Relying on memory to recall who had it
- Letting each examiner keep the item at home
Correct answer: Recording each transfer with the date, time, and identity of the person receiving it
Documenting each transfer with date, time, and the recipient's identity preserves an unbroken chain of custody across multiple handlers. Undocumented handoffs, informal home storage, and reliance on memory create gaps that opposing counsel can exploit.
- Evidence tags and sealed, labeled containers contribute to chain of custody by:
- Increasing the monetary value of the evidence
- Replacing the need for any written log
- Making tampering evident and uniquely identifying each item
- Allowing anyone to open the container undetected
Correct answer: Making tampering evident and uniquely identifying each item
Evidence tags and tamper-evident, labeled containers make any interference apparent and uniquely identify each item, supporting custody integrity. They do not increase value, permit undetected access, or substitute for a written custody log.
- Which writing practice helps keep a fraud examination report objective?
- Adding the examiner's emotional reactions
- Speculating about uncharged conduct
- Describing what the evidence shows without characterizing the subject's character or motives
- Labeling the subject a 'criminal' throughout
Correct answer: Describing what the evidence shows without characterizing the subject's character or motives
Objectivity is preserved by describing what the evidence shows without characterizing the subject's character or speculating about motives. Labeling the subject a criminal, speculating about uncharged conduct, or inserting emotional reactions undermines objectivity and invites liability.
- A fraud examination report should organize the supporting documents (exhibits) by:
- Clearly referencing and indexing them so readers can locate the evidence behind each finding
- Excluding them to keep the report short
- Replacing them with the examiner's summary only
- Mixing them randomly to discourage scrutiny
Correct answer: Clearly referencing and indexing them so readers can locate the evidence behind each finding
Exhibits should be clearly referenced and indexed so readers can trace each finding to its supporting evidence, reinforcing the report's reliability. Disorganizing, excluding, or merely summarizing exhibits weakens the report's credibility.
- An expert witness's report or testimony is more likely to be admitted when the underlying analysis is:
- Derived from a coin flip
- Copied from an unrelated case
- Based on sufficient facts or data and reliable principles applied to the case
- Based on undisclosed assumptions
Correct answer: Based on sufficient facts or data and reliable principles applied to the case
Expert opinions are more likely to be admitted when grounded in sufficient facts or data and reliable principles properly applied to the case. Undisclosed assumptions, arbitrary methods, or content copied from unrelated matters undermine admissibility.
- A fraud examiner asked to serve as an expert witness should decline or disclose if:
- They have a personal or financial conflict that could compromise their objectivity
- They hold relevant professional certifications
- They have prior experience in similar cases
- They can explain findings clearly
Correct answer: They have a personal or financial conflict that could compromise their objectivity
An expert should decline or disclose when a personal or financial conflict could compromise objectivity, since impartiality is central to credibility. Relevant certifications, experience, and clear communication are assets, not reasons to decline.
- Relevant evidence may still be excluded by a court if:
- It was properly authenticated
- Its probative value is substantially outweighed by the danger of unfair prejudice
- It is direct rather than circumstantial
- It helps prove a disputed fact
Correct answer: Its probative value is substantially outweighed by the danger of unfair prejudice
Even relevant evidence can be excluded when its probative value is substantially outweighed by the risk of unfair prejudice or similar concerns. Being helpful, authenticated, or direct does not by itself cause exclusion.
- The burden of proof in a criminal fraud case requires the prosecution to prove guilt:
- Beyond a reasonable doubt
- By clear and convincing evidence
- By the examiner's personal certainty
- By a preponderance of the evidence
Correct answer: Beyond a reasonable doubt
Criminal fraud cases require proof beyond a reasonable doubt, the highest standard. A preponderance of the evidence applies in civil cases, clear and convincing is an intermediate civil standard, and an examiner's personal certainty is not a legal standard.
- In a civil fraud action, the typical standard of proof the plaintiff must meet is:
- Beyond a reasonable doubt
- Absolute certainty
- A preponderance of the evidence (more likely than not)
- Proof by confession only
Correct answer: A preponderance of the evidence (more likely than not)
Civil fraud actions generally require proof by a preponderance of the evidence, meaning the claim is more likely true than not. Beyond a reasonable doubt is the criminal standard, and absolute certainty or a confession requirement are not the applicable civil standards.
- Understanding whether a jurisdiction is common law or civil law helps a fraud examiner anticipate:
- That fraud is legal there
- How evidence is gathered, presented, and weighed in proceedings
- The exact verdict in advance
- That no records will exist
Correct answer: How evidence is gathered, presented, and weighed in proceedings
Knowing whether a jurisdiction follows common law or civil law helps an examiner anticipate how evidence is gathered, presented, and weighed. It does not predict verdicts, legalize fraud, or imply the absence of records.
- A scheme that uses interstate phone calls and emails to deceive victims out of money implicates which statute most directly?
- The wire fraud statute
- The best evidence rule
- The mail fraud statute
- The Bank Secrecy Act
Correct answer: The wire fraud statute
Using interstate phone calls and emails to deceive victims out of money implicates the wire fraud statute, which covers electronic interstate communications. Mail fraud requires use of the mails, the BSA addresses AML reporting, and the best evidence rule is an evidentiary principle.
- Mail and wire fraud charges are frequently used alongside other charges in complex fraud cases because they:
- Apply only when no other crime occurred
- Require the lowest possible penalties
- Provide a flexible basis to prosecute schemes that touch the mails or interstate communications
- Eliminate the need to prove intent
Correct answer: Provide a flexible basis to prosecute schemes that touch the mails or interstate communications
These statutes offer prosecutors a flexible basis to charge a wide variety of schemes that use the mails or interstate communications, often alongside other charges. They carry significant penalties, can be charged with other crimes, and still require proof of intent to defraud.
- An organization can reduce the risk of whistleblower retaliation claims by:
- Establishing clear anti-retaliation policies and handling reports confidentially and fairly
- Publicly identifying every person who reports concerns
- Discouraging employees from reporting wrongdoing
- Punishing employees who raise good-faith concerns
Correct answer: Establishing clear anti-retaliation policies and handling reports confidentially and fairly
Clear anti-retaliation policies and confidential, fair handling of reports reduce both retaliation and the risk of related claims. Publicly identifying reporters, discouraging reporting, or punishing good-faith concerns increases legal exposure and undermines detection.
- During an investigation, balancing the organization's interests with employee rights requires the examiner to:
- Detain employees indefinitely until they confess
- Use any tactic necessary to obtain a confession
- Conduct interviews professionally without coercion, threats, or unlawful detention
- Threaten employees with false criminal charges
Correct answer: Conduct interviews professionally without coercion, threats, or unlawful detention
Examiners must balance organizational interests with employee rights by conducting interviews professionally, avoiding coercion, threats, and unlawful detention. Using any tactic, indefinite detention, or false threats violates employee rights and can create liability.
- A forensic accountant quantifying damages in a fraud case should base the calculation on:
- The examiner's optimism about the case
- The client's preferred outcome regardless of evidence
- An arbitrary round number
- Reliable evidence and accepted methodologies that can withstand cross-examination
Correct answer: Reliable evidence and accepted methodologies that can withstand cross-examination
Damage calculations must rest on reliable evidence and accepted methodologies so they hold up under cross-examination. Tailoring figures to the client's preference, arbitrary numbers, or optimism would not survive scrutiny and could expose the examiner to liability.
- Which task best illustrates the investigative orientation of forensic accounting rather than routine financial reporting?
- Preparing the company's standard income statement
- Recording routine monthly journal entries
- Tracing misappropriated funds through a web of bank accounts to identify the recipient
- Reconciling the bank statement at month-end
Correct answer: Tracing misappropriated funds through a web of bank accounts to identify the recipient
Tracing misappropriated funds through layered accounts to identify the recipient illustrates the investigative orientation of forensic accounting. Routine journal entries, monthly reconciliations, and standard financial statements are ordinary accounting functions.
- An examiner reviewing wire transfers notices funds rapidly passing in and out of an account with no apparent economic purpose, a pattern known as 'pass-through' or 'funnel' activity. This is most consistent with:
- Legitimate retail sales
- Routine payroll processing
- The layering stage of money laundering
- The integration stage only
Correct answer: The layering stage of money laundering
Funds rapidly passing through an account with no economic purpose is a layering pattern designed to obscure the trail. It is inconsistent with legitimate sales, integration alone, or payroll processing.
- An interviewer planning a series of fraud examination interviews should generally interview neutral third-party witnesses:
- Never, to avoid alerting the suspect
- Only if the suspect refuses to talk
- Before confronting the suspect in an admission-seeking interview
- After obtaining the suspect's confession
Correct answer: Before confronting the suspect in an admission-seeking interview
Neutral third-party witnesses are generally interviewed before the admission-seeking interview so the examiner can develop facts and corroboration first. Interviewing them only after a confession, or not at all, would forgo valuable evidence and context.
- A fraud examiner suspects an employee inflated expense reimbursements and wants to confirm the existence of claimed vendors. A useful public source is:
- State business registration records to verify whether the vendors are real registered entities
- The employee's personal medical file
- The employee's private diary
- The bank's confidential internal memos
Correct answer: State business registration records to verify whether the vendors are real registered entities
State business registration records can verify whether claimed vendors are real registered entities, helping confirm or refute the reimbursements. A diary, confidential bank memos, and medical files are nonpublic and unhelpful for verifying vendor existence.
- To support a tracing analysis, a fraud examiner builds a flow chart linking deposits, transfers, and withdrawals across accounts. The primary purpose of this technique is to:
- Establish the suspect's blood relationship to victims
- Calculate the company's tax liability
- Visualize and document the movement of funds to identify their ultimate source or destination
- Estimate the company's market share
Correct answer: Visualize and document the movement of funds to identify their ultimate source or destination
A funds-flow chart visualizes and documents how money moved across accounts, helping identify the source or destination of illicit funds. It is a tracing tool, not a means of computing taxes, market share, or family relationships.
- Before presenting digital evidence in court, the proponent typically must show that the data is authentic and that:
- It favors the proponent's narrative
- It was never copied or imaged
- Its integrity was maintained through proper handling and an unbroken chain of custody
- It was created by the opposing party only
Correct answer: Its integrity was maintained through proper handling and an unbroken chain of custody
Admitting digital evidence requires showing authenticity and that integrity was maintained through proper handling and an unbroken chain of custody. The data's authorship, the fact it was imaged, or whether it favors a narrative do not establish admissibility.
- When two parties dispute the contents of a financial agreement, the rule of evidence that favors producing the original document over secondhand descriptions is the:
- Hearsay rule
- Net worth method
- Chain of custody rule
- Best evidence rule
Correct answer: Best evidence rule
The best evidence rule favors producing the original document to prove its contents over secondhand descriptions. The hearsay rule addresses out-of-court statements, chain of custody addresses handling, and the net worth method is an income-tracing technique.
- A fraud examiner asked to evaluate whether suspicious cash deposits should be reported externally should recognize that filing decisions for SARs ultimately rest with:
- The customer who made the deposits
- The local police department
- The financial institution's compliance function, which assesses suspicion under AML rules
- The expert witness for the defense
Correct answer: The financial institution's compliance function, which assesses suspicion under AML rules
Within an institution, the compliance function is responsible for assessing suspicion and deciding whether to file a SAR under AML rules. The customer, local police, or a defense expert do not control the institution's SAR filing decision.
- An examiner notices that a vendor's invoice numbers are perfectly sequential with no gaps over a long period, which is unusual for a legitimately busy vendor. This anomaly is best handled by:
- Concluding fraud is proven beyond doubt
- Ignoring it as always normal
- Treating it as a red flag warranting further investigation rather than conclusive proof
- Filing a Currency Transaction Report
Correct answer: Treating it as a red flag warranting further investigation rather than conclusive proof
Unnaturally perfect sequential invoice numbering is a red flag warranting further investigation, not conclusive proof of fraud. It is not automatically normal, and it does not trigger a CTR, which concerns large cash transactions.
- A defendant argues that incriminating documents should be excluded because investigators cannot account for the documents' whereabouts for a two-week period. This argument attacks the evidence's:
- Hearsay status
- Materiality
- Relevance
- Chain of custody
Correct answer: Chain of custody
An argument that investigators cannot account for evidence over a period attacks the chain of custody, raising doubt about whether the documents were altered. It is distinct from challenges to relevance, materiality, or hearsay.
- In comparing legal systems, an examiner notes that a country's courts rarely cite past decisions and instead apply a detailed statutory code. This indicates the country most likely follows a:
- Common law tradition
- Civil law tradition
- Stare decisis-based system
- Pure adversarial system
Correct answer: Civil law tradition
Courts that rarely cite precedent and apply a detailed statutory code are characteristic of the civil law tradition. Common law systems, with adversarial procedure and stare decisis, rely heavily on prior decisions.
- An examiner determines that a subject used personal emails to send falsified financial figures to investors in another state. In addition to potential securities violations, this conduct could support a charge of:
- Wire fraud
- Money laundering placement
- Mail fraud
- Structuring
Correct answer: Wire fraud
Sending falsified figures to out-of-state investors via email could support a wire fraud charge because it uses interstate electronic communications to further a scheme. Mail fraud needs use of the mails, while structuring and placement relate to cash and AML, not this conduct.
- Which characteristic makes cash-intensive businesses attractive vehicles for laundering illicit funds?
- They are required to launder money
- They cannot legally accept cash
- Their high volume of legitimate cash makes it easier to commingle and conceal illicit cash
- They are exempt from all tax laws
Correct answer: Their high volume of legitimate cash makes it easier to commingle and conceal illicit cash
Cash-intensive businesses are attractive because their large legitimate cash flows make it easy to commingle and conceal illicit cash, blurring the line between clean and dirty money. They are not tax-exempt, can accept cash, and are not required to launder funds.
- Terrorist financing differs from traditional money laundering primarily in that terrorist financing:
- May involve legitimately sourced funds being directed toward illegal purposes
- Always involves only illegally obtained funds
- Never uses the financial system
- Is unrelated to AML controls
Correct answer: May involve legitimately sourced funds being directed toward illegal purposes
Terrorist financing can involve funds from legitimate as well as illegitimate sources, with the focus on the illegal destination or purpose, whereas laundering concerns concealing illicit origins. Both are addressed by AML/CFT controls and can involve the financial system.
- A bank teller who knowingly helps a customer break up cash deposits to stay under the reporting threshold may face liability because:
- Tellers are immune from all AML rules
- Assisting in structuring is itself unlawful even if the teller is not the customer
- Structuring is legal when a teller assists
- Only the customer can ever be liable
Correct answer: Assisting in structuring is itself unlawful even if the teller is not the customer
A teller who knowingly assists a customer in structuring can face liability, because aiding the evasion of reporting requirements is itself unlawful. Tellers are not immune from AML rules, liability is not limited to customers, and the assistance does not make structuring legal.
- A risk-based AML program means that an institution should:
- Ignore low-risk customers entirely
- Allocate greater monitoring and due diligence resources to higher-risk customers and products
- Treat every customer and product identically
- Apply controls only after a loss occurs
Correct answer: Allocate greater monitoring and due diligence resources to higher-risk customers and products
A risk-based program directs more monitoring and due diligence toward higher-risk customers and products while applying proportionate controls to lower-risk ones. It does not treat everyone identically, ignore low-risk customers, or wait until after a loss.
- Recordkeeping requirements under the BSA support fraud investigations by ensuring that:
- Only the customer can access transaction histories
- Customers keep all their own records secret
- Financial institutions retain transaction records that can later be examined for evidence
- Records are destroyed promptly to save space
Correct answer: Financial institutions retain transaction records that can later be examined for evidence
BSA recordkeeping ensures institutions retain transaction records that investigators can later examine for evidence of financial crime. The rules require retention rather than destruction and make records available to authorities, not just customers.
- Which of the following cash activities by a single customer in one business day would require a CTR?
- A $2,000 cash deposit
- A $15,000 cash deposit
- A $9,500 cash deposit
- An $8,000 check deposit
Correct answer: A $15,000 cash deposit
A $15,000 cash deposit exceeds the $10,000 threshold and requires a CTR. The $2,000 and $9,500 cash deposits fall below the threshold, and a check deposit is not a currency transaction for CTR purposes.
- A fraud examiner working with a bank should understand that a SAR's purpose is to:
- Alert authorities to potentially illicit activity so it can be investigated
- Penalize the customer immediately
- Replace a criminal indictment
- Reimburse the bank for losses
Correct answer: Alert authorities to potentially illicit activity so it can be investigated
A SAR alerts authorities to potentially illicit activity so it can be investigated; it is an early warning tool, not a penalty, a reimbursement mechanism, or a substitute for an indictment.
- Benford's Law would be an appropriate analytical test for which of the following datasets?
- A list of phone numbers
- A list of sequential employee badge numbers
- A large population of accounts payable disbursement amounts
- A set of fixed-price menu items
Correct answer: A large population of accounts payable disbursement amounts
A large population of accounts payable disbursement amounts spans multiple orders of magnitude and is appropriate for a Benford's Law test. Sequential badge numbers, fixed prices, and phone numbers are assigned or constrained and do not conform to Benford's expectations.
- If, during an admission-seeking interview, a subject persistently and credibly denies wrongdoing and the examiner's certainty wanes, the examiner should:
- Fabricate evidence to overcome the denial
- Be willing to reassess and not pressure a possibly innocent person into a false confession
- Continue until any statement is obtained
- Threaten the subject with arrest
Correct answer: Be willing to reassess and not pressure a possibly innocent person into a false confession
If a subject credibly denies wrongdoing and certainty fades, the examiner should reassess and avoid pressuring a possibly innocent person into a false confession. Continuing relentlessly, threatening arrest, or fabricating evidence is improper and can produce unreliable, inadmissible statements.
- A reliable approach to assessing credibility in an interview is to:
- Rely on a single 'tell' that always reveals lies
- Evaluate clusters of verbal and nonverbal cues together with the available evidence
- Use only the subject's first sentence
- Decide credibility before the interview begins
Correct answer: Evaluate clusters of verbal and nonverbal cues together with the available evidence
Credibility is best assessed by evaluating clusters of verbal and nonverbal cues alongside the available evidence, since no single cue reliably reveals lying. Relying on one tell, only the first sentence, or a pre-formed conclusion leads to error.
- Nonpublic information such as a subject's tax returns is generally protected, so a fraud examiner should:
- Obtain it through deception if necessary
- Assume it is freely available online
- Request it directly from the tax authority without authority
- Obtain it only through proper legal channels such as a subpoena or valid consent
Correct answer: Obtain it only through proper legal channels such as a subpoena or valid consent
Tax returns are protected nonpublic information that an examiner should obtain only through proper legal channels such as a subpoena or valid consent. Deception, assuming free availability, or unauthorized requests are improper and can taint the evidence.
- A fraud examiner reviewing a subject's litigation history through public court records is primarily seeking:
- The subject's confidential settlement amounts in sealed cases
- Prior cases, judgments, or patterns that may inform the current examination
- The subject's private banking PINs
- Privileged communications with the subject's lawyer
Correct answer: Prior cases, judgments, or patterns that may inform the current examination
Reviewing public court records for litigation history seeks prior cases, judgments, and patterns relevant to the examination. Sealed settlement details, banking PINs, and privileged attorney communications are not accessible through public records.
- After completing a net worth analysis, an examiner should present the unexplained income figure as:
- A number chosen to maximize the apparent loss
- An exact, indisputable amount with no assumptions
- A figure that ignores the subject's documented income
- An evidence-supported estimate, clearly stating assumptions and accounting for legitimate sources
Correct answer: An evidence-supported estimate, clearly stating assumptions and accounting for legitimate sources
The unexplained income should be presented as an evidence-supported estimate that states its assumptions and accounts for legitimate sources, so it withstands scrutiny. Overstating it as indisputable, inflating it, or ignoring documented income would undermine credibility.
- Maintaining detailed documentation of every step taken during a digital forensic examination is important because it:
- Allows the process to be repeated and verified, supporting the reliability of the findings
- Is unnecessary if the examiner is experienced
- Makes the evidence inadmissible
- Is required only for paper documents
Correct answer: Allows the process to be repeated and verified, supporting the reliability of the findings
Thorough documentation of each forensic step allows the process to be reviewed, repeated, and verified, which supports the reliability and admissibility of the findings. Documentation is needed regardless of experience and applies to digital as well as paper evidence.
- A defense attorney challenges digital evidence by pointing out that the forensic image's hash value does not match the value recorded at collection. This challenge suggests:
- The hash value is irrelevant to integrity
- The chain of custody is automatically perfect
- The evidence is more reliable than ever
- The evidence may have been altered, undermining its integrity
Correct answer: The evidence may have been altered, undermining its integrity
A mismatch between the current and recorded hash values suggests the data may have been altered, undermining the evidence's integrity and chain of custody. Far from increasing reliability, a hash mismatch is a serious problem, since hashing is precisely how integrity is verified.
- A fraud examination report intended to be used in potential legal proceedings should avoid:
- Citing the evidence supporting each finding
- Organizing findings in a logical sequence
- Stating the scope of the examination
- Drawing legal conclusions such as whether the subject is criminally liable
Correct answer: Drawing legal conclusions such as whether the subject is criminally liable
The report should avoid drawing legal conclusions such as criminal liability, which are for the court to decide. Citing supporting evidence, stating the scope, and organizing findings logically are all appropriate and expected.
- The distinction between a fact witness and an expert witness matters in a fraud case because it affects:
- Where the trial is held
- The amount of the alleged loss
- The color of the witness's clothing
- Whether the witness may offer opinions or must limit testimony to observed facts
Correct answer: Whether the witness may offer opinions or must limit testimony to observed facts
The fact-versus-expert distinction determines whether a witness may offer opinions or must confine testimony to observed facts. It does not affect clothing, venue, or the amount of the loss.
- Which statement about direct and circumstantial evidence is accurate?
- Direct evidence requires no authentication
- Both can be admissible, and a case may be proven using either or both
- Circumstantial evidence can never prove a case
- Only direct evidence is ever admissible
Correct answer: Both can be admissible, and a case may be proven using either or both
Both direct and circumstantial evidence can be admissible, and fraud cases are frequently proven using either or a combination of both. Circumstantial evidence can prove a case, and all evidence, including direct evidence, generally must be authenticated.
- In an adversarial common law trial, the responsibility for investigating and presenting evidence rests primarily with:
- An examining magistrate
- A government prosecutor in every case
- The opposing parties and their attorneys
- The judge acting as chief investigator
Correct answer: The opposing parties and their attorneys
In the adversarial common law model, the opposing parties and their attorneys are primarily responsible for investigating and presenting evidence, with the judge acting as a neutral arbiter. An investigating judge or examining magistrate is characteristic of the inquisitorial civil law tradition.
- A fraudster who never uses the mail or interstate communications but defrauds a neighbor in a purely local, in-person scheme is:
- Automatically guilty of wire fraud
- Immune from all fraud liability
- Less likely to be charged under the federal mail or wire fraud statutes
- Subject to mandatory CTR filing
Correct answer: Less likely to be charged under the federal mail or wire fraud statutes
A purely local, in-person scheme that uses neither the mails nor interstate communications is less likely to fit the federal mail or wire fraud statutes, which require those jurisdictional elements. The conduct may still violate state fraud laws but does not automatically constitute wire fraud or trigger CTR filing.
- Constructive discharge, where an employer makes conditions so intolerable that a whistleblower feels forced to resign, may be treated as:
- A lawful, neutral personnel action
- An automatic CTR trigger
- A chain of custody violation
- A form of prohibited retaliation
Correct answer: A form of prohibited retaliation
Constructive discharge, creating intolerable conditions to force a whistleblower to resign, may be treated as prohibited retaliation rather than a neutral action. It is unrelated to CTR filing or chain of custody.
- A forensic accountant differs from an internal auditor in that the forensic accountant typically:
- Investigates specific suspected wrongdoing, often in anticipation of litigation
- Focuses only on improving operational efficiency
- Sets the organization's strategic goals
- Never examines financial records
Correct answer: Investigates specific suspected wrongdoing, often in anticipation of litigation
A forensic accountant typically investigates specific suspected wrongdoing, frequently in anticipation of litigation, whereas an internal auditor focuses more broadly on controls and operations. The forensic role centers on examining financial records, not setting strategy.
- An examiner planning a workplace interview of a suspect employee should, to respect the employee's rights, avoid:
- Offering the employee water and breaks
- Explaining the purpose of the interview
- Locking the employee in a room or otherwise restricting their freedom to leave
- Documenting the employee's statements
Correct answer: Locking the employee in a room or otherwise restricting their freedom to leave
To respect employee rights and avoid false imprisonment, the examiner must not lock the employee in or otherwise restrict their freedom to leave. Offering breaks, explaining the purpose, and documenting statements are appropriate practices.
- During a tracing analysis, an examiner finds funds moved from a business account to a personal account, then to a relative's account, then to buy a luxury car. Documenting this sequence is important because it:
- Proves the relative committed the original fraud
- Determines the car's resale value
- Establishes the business's tax bracket
- Establishes the path of the funds and links the asset to the original misappropriation
Correct answer: Establishes the path of the funds and links the asset to the original misappropriation
Documenting the sequence establishes the funds' path and links the luxury car to the original misappropriation, supporting recovery and proof. It does not by itself prove the relative's culpability, set the car's resale value, or determine a tax bracket.
- When a financial institution files both a CTR for a large cash transaction and a SAR for related suspicious conduct, this reflects that:
- Only one report may ever be filed per customer
- The reports are interchangeable
- Filing one report excuses the other
- The two reports serve different purposes and can both apply to the same activity
Correct answer: The two reports serve different purposes and can both apply to the same activity
A CTR (objective, threshold-based) and a SAR (suspicion-based) serve different purposes and can both apply to the same activity. One does not excuse the other, they are not interchangeable, and there is no one-report-per-customer limit.
- An examiner who finds that an electronic accounting file was opened and edited outside of business hours by an unauthorized user ID has uncovered evidence best characterized as:
- Irrelevant to the examination
- Inadmissible by definition
- Circumstantial evidence supporting an inference of tampering
- Direct proof that a specific person committed fraud
Correct answer: Circumstantial evidence supporting an inference of tampering
Off-hours access by an unauthorized user ID is circumstantial evidence supporting an inference of tampering, requiring further linkage to a specific person. It is not direct proof of who committed fraud, is not inadmissible by definition, and is clearly relevant.
- A fraud examiner asked to gather a subject's criminal history should recognize that access to certain criminal records may be:
- Obtained only by impersonating the subject
- Never available under any circumstances
- Restricted by law, requiring authorized channels rather than open public access
- Always freely available to anyone for any purpose
Correct answer: Restricted by law, requiring authorized channels rather than open public access
Access to certain criminal history records can be restricted by law and may require authorized channels rather than open public access. Such records are not universally open to anyone, are not entirely unavailable, and impersonation would be improper.
- In a Benford's Law analysis of expenditures, the examiner compares the actual frequency of each leading digit to:
- The frequency predicted by Benford's Law
- The company's stock price
- A random number generator's output
- The total number of employees
Correct answer: The frequency predicted by Benford's Law
A Benford's Law analysis compares the actual leading-digit frequencies to those predicted by Benford's Law, flagging significant deviations for review. Employee counts, stock prices, and random generator output are not the benchmark.
- An examiner is told a key document existed but the original cannot be located, and only an unauthenticated photocopy remains. Under the rules of evidence, the examiner should anticipate:
- The copy will always be admitted without question
- The copy automatically becomes direct evidence
- Possible challenges to admitting the copy under the best evidence rule, requiring an explanation for the missing original
- The hearsay rule prohibits all copies
Correct answer: Possible challenges to admitting the copy under the best evidence rule, requiring an explanation for the missing original
When only an unauthenticated copy remains, the best evidence rule may prompt challenges, and the proponent must typically explain the original's absence and authenticate the copy. The copy is not automatically admitted, does not become direct evidence by default, and the hearsay rule is a separate consideration.
- A multinational company's fraud investigation spans both common law and civil law countries. A practical consequence the examiner must manage is that:
- Privacy laws are identical worldwide
- Evidence can be gathered freely without local limits
- Data privacy and evidence-gathering rules differ by jurisdiction and must each be respected
- A single country's rules govern the entire investigation
Correct answer: Data privacy and evidence-gathering rules differ by jurisdiction and must each be respected
In cross-border investigations, data privacy and evidence-gathering rules differ by jurisdiction and each must be respected to avoid legal exposure. No single country's rules govern everywhere, privacy laws are not uniform, and local limits cannot be ignored.
- A scheme operator emails fraudulent account statements to investors and mails physical 'dividend' checks that bounce. This conduct could potentially support charges under:
- Both the wire fraud and mail fraud statutes
- Only the chain of custody rule
- Only the Bank Secrecy Act
- Neither statute, because two methods were used
Correct answer: Both the wire fraud and mail fraud statutes
Using interstate emails could support wire fraud while mailing the bogus checks could support mail fraud, so the conduct may implicate both statutes. Using two methods does not negate liability, and neither the BSA nor the chain of custody rule defines this offense.
- A whistleblower's protection generally depends in part on whether the report was made:
- Only after receiving payment
- To the wrongdoer alone
- In good faith and concerned a reasonably believed violation
- Anonymously and never followed up
Correct answer: In good faith and concerned a reasonably believed violation
Whistleblower protections generally hinge in part on the report being made in good faith about a reasonably believed violation. Protection does not require anonymity, reporting solely to the wrongdoer, or prior payment.
- A forensic accountant testifying about a complex tracing analysis can improve the fact-finder's understanding by:
- Using clear demonstratives such as charts to explain the flow of funds
- Using only dense technical jargon
- Refusing to simplify the analysis
- Withholding the methodology used
Correct answer: Using clear demonstratives such as charts to explain the flow of funds
Clear demonstratives such as funds-flow charts help the fact-finder understand a complex tracing analysis. Dense jargon, refusing to simplify, or withholding methodology would hinder comprehension and weaken the testimony.
- A bank's monitoring system flags a customer who receives many incoming wires from unrelated parties and quickly forwards the funds overseas. This pattern is most consistent with the customer acting as a:
- Tax-exempt charity donor
- Routine payroll recipient
- Conduit or money mule in a layering scheme
- Long-term savings investor
Correct answer: Conduit or money mule in a layering scheme
Receiving many wires from unrelated parties and rapidly forwarding the funds overseas is consistent with the customer acting as a conduit or money mule in a layering scheme. It does not resemble ordinary saving, payroll receipt, or charitable giving.
- An examiner conducting an admission-seeking interview must ensure any confession is obtained:
- After depriving the subject of food and rest
- Through intimidation to ensure compliance
- By promising the subject will avoid all consequences
- Voluntarily, without coercion, threats, or improper promises
Correct answer: Voluntarily, without coercion, threats, or improper promises
A confession must be obtained voluntarily, without coercion, threats, or improper promises, or it risks being excluded and the examiner facing liability. Intimidation, blanket promises of no consequences, and depriving the subject of food or rest are improper and undermine voluntariness.
- A fraud examiner reviewing transactions notices that an employee's deposits, when tested, do not conform to expected leading-digit frequencies. The most defensible interpretation is that the data:
- Should be deleted from the analysis
- Confirms the employee is innocent
- Conclusively proves the employee laundered money
- Warrants targeted follow-up testing to determine whether figures were manipulated
Correct answer: Warrants targeted follow-up testing to determine whether figures were manipulated
Nonconformity to expected leading-digit frequencies warrants targeted follow-up testing to determine whether figures were manipulated, not a conclusion of guilt or innocence. Deleting the data would discard a valuable investigative lead.
- To establish that a copied bank statement accurately reflects the original in court, the examiner may rely on:
- The mere fact that it looks official
- Authentication, such as a custodian's testimony or certification that it is a true and accurate copy
- The subject's refusal to object
- An assumption that all bank documents are genuine
Correct answer: Authentication, such as a custodian's testimony or certification that it is a true and accurate copy
Authentication, such as a records custodian's testimony or a certification that the copy is true and accurate, helps establish that a copied statement reflects the original. Appearance, assumptions of genuineness, or a subject's silence do not by themselves authenticate a document.
- A subject reports modest legitimate income yet acquired multiple properties, luxury vehicles, and made large cash purchases within two years. The investigative method best suited to quantify potential illicit income here is the:
- Best evidence rule
- Benford's Law test
- Net worth method
- Chain of custody procedure
Correct answer: Net worth method
The net worth method is best suited to quantify potential illicit income when a subject's lifestyle and asset acquisitions far exceed modest legitimate income. The Benford's test analyzes digit distributions, while chain of custody and the best evidence rule are evidence-handling and admissibility concepts.
- Before a fraud examiner shares nonpublic personal financial information obtained during an examination, the examiner should consider:
- That privacy laws never apply to examiners
- Applicable privacy laws and confidentiality obligations governing such information
- Only the convenience of disclosure
- That confidentiality obligations are optional
Correct answer: Applicable privacy laws and confidentiality obligations governing such information
Sharing nonpublic personal financial information requires considering applicable privacy laws and confidentiality obligations to avoid liability. Convenience does not override these duties, privacy laws can apply to examiners, and confidentiality obligations are not optional.
- An examiner notices a company routinely deposits cash sales just under $10,000 across several nearby branches at day's end. The most appropriate characterization for reporting purposes is:
- Normal banking with no reporting concern
- Potential structuring that should be evaluated for a SAR
- An automatic CTR exemption
- A best evidence rule issue
Correct answer: Potential structuring that should be evaluated for a SAR
Routinely depositing cash just under $10,000 across multiple branches is potential structuring that should be evaluated for a SAR. It is not free of reporting concern, it does not create a CTR exemption, and it is unrelated to the best evidence rule.
- A forensic accountant asked to determine whether reported expenses were legitimate would most appropriately:
- Accept management's assurances without testing
- Examine supporting documentation and trace expenses to verify their authenticity and business purpose
- Estimate the expenses without reviewing records
- Assume all expenses are fraudulent by default
Correct answer: Examine supporting documentation and trace expenses to verify their authenticity and business purpose
The forensic accountant should examine supporting documentation and trace expenses to verify authenticity and business purpose. Accepting assurances untested, assuming fraud by default, or estimating without records would not be a sound investigative approach.
- When seizing paper documents as evidence, an examiner should immediately:
- Write notes on the original documents
- Discard duplicates without recording them
- Allow witnesses to take some home
- Inventory and label them and begin a chain of custody record
Correct answer: Inventory and label them and begin a chain of custody record
Upon seizing paper documents, the examiner should inventory and label them and begin a chain of custody record to preserve integrity. Discarding items without recording, allowing removal by witnesses, or writing on originals would compromise the evidence.
- Which best describes the appropriate handling of exculpatory evidence discovered during a fraud examination?
- It should be documented and disclosed, not concealed, to maintain objectivity and fairness
- It should be ignored if inconvenient
- It should be destroyed to strengthen the case
- It should be altered to appear inculpatory
Correct answer: It should be documented and disclosed, not concealed, to maintain objectivity and fairness
Exculpatory evidence must be documented and disclosed rather than concealed, to maintain the objectivity and fairness essential to a credible examination. Destroying, ignoring, or altering such evidence is unethical and can expose the examiner to serious liability.
- An expert witness whose methodology cannot be tested or has a high known error rate is at risk of:
- Receiving extra weight from the jury
- Automatic acceptance by the court
- Being immune from cross-examination
- Having the testimony excluded as unreliable
Correct answer: Having the testimony excluded as unreliable
An expert whose methodology cannot be tested or carries a high known error rate risks exclusion of the testimony as unreliable under the court's gatekeeping role. Such weaknesses do not lead to automatic acceptance, immunity from cross-examination, or added weight.
- A fraud examiner reviewing whether to interview a witness who may be hostile should plan to:
- Threaten the witness to ensure cooperation
- Prepare thoroughly, remain professional, and corroborate the witness's statements with other evidence
- Abandon the interview because hostility means no useful information
- Accept the witness's statements without any corroboration
Correct answer: Prepare thoroughly, remain professional, and corroborate the witness's statements with other evidence
With a potentially hostile witness, the examiner should prepare thoroughly, stay professional, and corroborate statements with other evidence. Abandoning the interview, threatening the witness, or accepting statements uncorroborated would be poor practice.
- Why is it important for a fraud examiner to understand the jurisdiction's rules on the admissibility of confessions?
- A confession obtained improperly may be excluded, jeopardizing the case
- Rules on confessions never vary by jurisdiction
- Confessions are always admissible regardless of how obtained
- Admissibility has no effect on the outcome
Correct answer: A confession obtained improperly may be excluded, jeopardizing the case
Understanding admissibility rules matters because a confession obtained improperly may be excluded, which can jeopardize the case. Confessions are not always admissible, the rules can vary by jurisdiction, and admissibility directly affects the outcome.
- A money launderer who buys gold, jewelry, and other high-value portable assets with illicit cash is using these purchases primarily to:
- Store and move value while distancing the funds from their illegal source
- Increase the transparency of the funds
- Report the funds to regulators
- Comply voluntarily with AML rules
Correct answer: Store and move value while distancing the funds from their illegal source
Buying portable high-value assets like gold and jewelry lets a launderer store and move value while distancing the funds from their illegal source. The purpose is concealment, not reporting, transparency, or voluntary compliance.
- An organization's AML training program is most effective when it:
- Focuses solely on sales techniques
- Discourages employees from reporting concerns
- Is given only to senior executives once
- Teaches relevant employees to recognize and escalate suspicious activity
Correct answer: Teaches relevant employees to recognize and escalate suspicious activity
Effective AML training teaches relevant employees to recognize red flags and escalate suspicious activity through proper channels. Limiting training to executives, focusing on sales, or discouraging reporting would undermine the program.
- A fraud examiner who locates a subject's assets through public property records can use that information to:
- Sell the property to recover losses directly
- Conceal the assets from the court
- Support potential recovery of misappropriated funds and document the subject's holdings
- Seize the property personally without legal process
Correct answer: Support potential recovery of misappropriated funds and document the subject's holdings
Information from public property records can support potential asset recovery and document the subject's holdings as part of the examination. An examiner cannot personally seize or sell property without legal process, nor conceal assets from the court.
- During an interview, a subject's repeated requests to take 'just a quick break' immediately after pointed questions, combined with evasive answers, should be:
- Used to justify detaining the subject
- Treated as conclusive proof of guilt
- Noted as possible stress indicators to be weighed with the overall evidence
- Disregarded as legally meaningless
Correct answer: Noted as possible stress indicators to be weighed with the overall evidence
Repeated break requests after pointed questions, combined with evasive answers, are possible stress indicators to weigh with the overall evidence, not conclusive proof of guilt. They should not be disregarded entirely, nor used to justify unlawful detention.
- An examiner must decide whether to obtain a subject's employment records held by a former employer. These records are best characterized as:
- Automatically posted in court files
- Nonpublic, generally requiring consent or legal process to obtain
- Privileged and never obtainable
- Public, available to anyone on request
Correct answer: Nonpublic, generally requiring consent or legal process to obtain
Employment records held by a private employer are nonpublic and generally require the subject's consent or legal process such as a subpoena to obtain. They are not openly public, not categorically privileged, and not automatically in court files.
- Why should a fraud examination report distinguish clearly between facts and the examiner's analysis or interpretations?
- Analysis should always replace the underlying facts
- Mixing them makes the report more persuasive
- Facts and analysis are legally identical
- Readers must be able to see what is established evidence versus the examiner's reasoning
Correct answer: Readers must be able to see what is established evidence versus the examiner's reasoning
Distinguishing facts from analysis lets readers see what is established evidence versus the examiner's reasoning, supporting transparency and credibility. Facts and analysis are not identical, blurring them harms credibility, and analysis should rest on, not replace, the facts.
- A forensic accountant retained early in a dispute can add value by:
- Setting the opposing party's legal strategy
- Avoiding any review of documents
- Helping identify relevant financial records and shaping the investigative approach
- Guaranteeing the client wins the case
Correct answer: Helping identify relevant financial records and shaping the investigative approach
Retained early, a forensic accountant can help identify relevant financial records and shape the investigative approach, strengthening the matter. They cannot guarantee a win, would not avoid reviewing documents, and do not set the opposing party's strategy.
- Which of the following is the correct sequence of the three classic money laundering stages?
- Layering, integration, placement
- Placement, layering, integration
- Placement, integration, layering
- Integration, placement, layering
Correct answer: Placement, layering, integration
The classic sequence is placement (introducing cash), then layering (obscuring the trail), then integration (returning funds as apparently legitimate). The other orderings misplace one or more stages.
- An examiner preparing to testify as an expert should review the case file primarily to:
- Identify ways to mislead the jury
- Memorize answers to avoid telling the truth
- Coordinate a script with one party
- Ensure their opinions are accurate and fully supported by the evidence
Correct answer: Ensure their opinions are accurate and fully supported by the evidence
An expert reviews the case file to ensure their opinions are accurate and fully supported by the evidence, which is essential to credibility. Memorizing to avoid the truth, misleading the jury, or scripting with a party would be improper and damaging.
- A bank customer suddenly begins making numerous cash deposits inconsistent with a stated retiree income and cannot explain the source. The institution should treat this as:
- An automatic CTR exemption
- Suspicious activity warranting evaluation for a SAR
- A routine matter requiring no action
- A chain of custody concern
Correct answer: Suspicious activity warranting evaluation for a SAR
Cash deposits inconsistent with a customer's stated income and lacking an explanation are suspicious and warrant evaluation for a SAR. This is not routine, does not create a CTR exemption, and is unrelated to chain of custody.
- In comparing evidence types, an authenticated original ledger showing falsified entries would be considered:
- Irrelevant character evidence
- Hearsay that is always excluded
- Documentary evidence that, once authenticated, can be admitted
- Testimonial evidence requiring no authentication
Correct answer: Documentary evidence that, once authenticated, can be admitted
An authenticated original ledger with falsified entries is documentary evidence that, once authenticated, can be admitted. It is not testimonial, is not automatically excluded as hearsay (business records may qualify under exceptions), and is not character evidence.
- A fraud examiner who needs to demonstrate that a subject's spending vastly exceeded reported income would most appropriately apply the:
- Expenditures (sources and application of funds) method
- Chain of custody log
- Best evidence rule
- Benford's Law leading-digit test
Correct answer: Expenditures (sources and application of funds) method
The expenditures method compares a subject's known income against total spending and asset acquisitions, making it ideal for showing that spending vastly exceeded reported income. The Benford's test, best evidence rule, and chain of custody serve different analytical and evidentiary purposes.
- The Fraud Triangle identifies three conditions that are generally present when an individual commits fraud. Which of the following are those three elements?
- Greed, ego, and access
- Capability, conspiracy, and concealment
- Pressure, opportunity, and rationalization
- Detection, deterrence, and discipline
Correct answer: Pressure, opportunity, and rationalization
Pressure, opportunity, and rationalization is correct because Donald Cressey's Fraud Triangle holds that fraud occurs when a person faces a perceived non-shareable financial pressure, perceives an opportunity to commit the act, and is able to rationalize it as acceptable.
- In the Fraud Triangle, which element refers to a perceived non-shareable financial problem that motivates an individual to commit fraud?
- Capability
- Pressure
- Opportunity
- Rationalization
Correct answer: Pressure
Pressure is correct because it represents the perceived non-shareable financial need or motivation, such as personal debt or addiction, that drives a person toward fraud. Opportunity and rationalization are the other two legs of the triangle.
- Which element of the Fraud Triangle is the one most directly within an organization's control through strong internal controls?
- Opportunity
- Rationalization
- Capability
- Pressure
Correct answer: Opportunity
Opportunity is correct because organizations can reduce the perceived ability to commit and conceal fraud by strengthening internal controls, segregating duties, and increasing oversight. Pressure and rationalization arise largely from individual circumstances and attitudes that are harder for an organization to control.
- An employee tells herself she is only 'borrowing' company funds and will pay them back, so what she is doing is not really stealing. Which element of the Fraud Triangle does this thinking represent?
- Opportunity
- Pressure
- Capability
- Rationalization
Correct answer: Rationalization
Rationalization is correct because the employee is justifying the act to herself in a way that lets her reconcile it with her self-image as an honest person, which is precisely what the rationalization leg of the triangle describes.
- The Fraud Triangle was originally developed from criminologist Donald Cressey's research into which group of offenders?
- Violent repeat offenders
- First-time shoplifters
- Organized crime members
- Embezzlers who violated positions of financial trust
Correct answer: Embezzlers who violated positions of financial trust
Embezzlers who violated positions of financial trust is correct because Cressey studied convicted trust violators and concluded that pressure, opportunity, and rationalization together explained why trusted individuals committed fraud.
- A trusted manager faces overwhelming gambling debts he cannot disclose to anyone, has unsupervised control over disbursements, and convinces himself the company 'owes' him for years of underpayment. His situation most clearly illustrates which framework?
- The fraud tree branches
- The COSO components
- The Fraud Triangle
- The money laundering stages
Correct answer: The Fraud Triangle
The Fraud Triangle is correct because the scenario presents all three legs at once: a non-shareable pressure (secret debt), opportunity (unsupervised control), and rationalization (the belief he is owed). Together these conditions are the classic Fraud Triangle picture.
- Why is the term 'perceived' important when describing the pressure and opportunity legs of the Fraud Triangle?
- Because only actual, not perceived, opportunities matter
- Because pressure and opportunity must be measured by external auditors
- Because fraud depends on how the individual subjectively views the pressure and opportunity, not on objective reality
- Because perception is irrelevant to fraud risk
Correct answer: Because fraud depends on how the individual subjectively views the pressure and opportunity, not on objective reality
Because fraud depends on the individual's subjective view is correct: the Fraud Triangle emphasizes the offender's own perception of a non-shareable pressure and a chance to act, so a person may commit fraud even when an outsider would not see the same pressure or opening.
- Of the three Fraud Triangle elements, which is generally considered the most difficult for an organization to influence directly?
- Rationalization
- Internal controls
- Opportunity
- Segregation of duties
Correct answer: Rationalization
Rationalization is correct because it resides in the individual's personal attitudes and justifications, which an organization can influence only indirectly through ethical tone and culture, unlike opportunity, which controls can reduce directly.
- The Fraud Diamond expands the Fraud Triangle by adding which fourth element?
- Concealment
- Conviction
- Capability
- Collusion
Correct answer: Capability
Capability is correct because the Fraud Diamond, proposed by Wolfe and Hermanson, adds capability to pressure, opportunity, and rationalization, recognizing that a person must also have the personal traits and skills to recognize and exploit an opening.
- According to the Fraud Diamond, which personal attribute is captured by the 'capability' element?
- The individual's position, intelligence, and confidence needed to commit and conceal the fraud
- The amount of the individual's outstanding debt
- The number of accomplices involved
- The dollar value of the assets stolen
Correct answer: The individual's position, intelligence, and confidence needed to commit and conceal the fraud
The individual's position, intelligence, and confidence is correct because the Fraud Diamond's capability element describes the personal traits, including authority, smarts, and ego, that allow someone to actually carry out and hide a fraud once an opportunity exists.
- Why did the developers of the Fraud Diamond argue that capability should be added to the Fraud Triangle?
- Because pressure is unnecessary to explain fraud
- Because rationalization always follows the act
- Because capability replaces the need for opportunity
- Because an opportunity can exist, but only a person with the right traits and skills will recognize and exploit it
Correct answer: Because an opportunity can exist, but only a person with the right traits and skills will recognize and exploit it
Because an opportunity can exist but only a capable person will exploit it is correct: the Fraud Diamond argues that many people face pressure and opportunity, yet a fraud is carried out only by someone with the position, intellect, and confidence to act, which is the capability element.
- A fraud risk assessment is best described as a process to:
- Identify, analyze, and respond to the risks that fraud could occur within an organization
- Calculate the company's income tax liability
- Determine an employee's eligibility for promotion
- Audit the accuracy of the prior year's financial statements
Correct answer: Identify, analyze, and respond to the risks that fraud could occur within an organization
Identify, analyze, and respond to fraud risks is correct because a fraud risk assessment systematically identifies where and how fraud could occur, evaluates the likelihood and significance of each risk, and informs the organization's response.
- When conducting a fraud risk assessment, after potential fraud risks are identified, the next step is typically to:
- Assess the likelihood and significance of each identified risk
- File a report with law enforcement
- Immediately terminate suspected employees
- Eliminate all internal controls
Correct answer: Assess the likelihood and significance of each identified risk
Assess the likelihood and significance of each risk is correct because once fraud risks are identified, the assessment evaluates how likely each is to occur and how damaging it would be, so that the organization can prioritize its responses.
- An effective fraud risk assessment should consider not only the likelihood of a fraud risk but also its:
- Alphabetical priority
- Significance, or the potential impact on the organization
- Popularity among employees
- Tax deductibility
Correct answer: Significance, or the potential impact on the organization
Significance, or potential impact, is correct because a fraud risk assessment weighs both how likely a risk is and how severe its consequences would be, allowing the organization to focus resources on the most likely and most damaging risks.
- Why should a fraud risk assessment specifically consider how management could override existing controls?
- Because override risk only affects small companies
- Because management override of controls is a pervasive risk that ordinary controls may not address
- Because override is the same as segregation of duties
- Because management is never a fraud risk
Correct answer: Because management override of controls is a pervasive risk that ordinary controls may not address
Because management override is a pervasive risk is correct: those with authority can bypass otherwise effective controls, so a thorough fraud risk assessment must explicitly evaluate the possibility of management override rather than assume controls cannot be circumvented.
- Who should be involved in performing an organization's fraud risk assessment?
- Only entry-level employees
- Only the external auditors
- A cross-functional team drawing on people with knowledge of the business and its processes
- Only the marketing department
Correct answer: A cross-functional team drawing on people with knowledge of the business and its processes
A cross-functional team is correct because identifying realistic fraud risks requires input from people across functions who understand the organization's operations, processes, and vulnerabilities, rather than relying on a single group.
- A fraud risk assessment should be:
- Conducted only after a fraud has already been discovered
- Limited to financial statement accounts only
- Performed once and never revisited
- An ongoing process that is periodically updated as the business changes
Correct answer: An ongoing process that is periodically updated as the business changes
An ongoing, periodically updated process is correct because fraud risks evolve with changes in operations, personnel, systems, and the external environment, so the assessment must be repeated and refreshed rather than treated as a one-time event.
- During a fraud risk assessment, mapping each identified fraud risk to existing controls helps the organization to:
- Identify gaps where risks are not adequately addressed by controls
- Avoid filing tax returns
- Reduce the number of employees
- Increase the company's revenue
Correct answer: Identify gaps where risks are not adequately addressed by controls
Identify control gaps is correct because linking each fraud risk to the controls intended to mitigate it reveals where coverage is missing or weak, so the organization can design additional anti-fraud responses where needed.
- The COSO Internal Control – Integrated Framework defines internal control in terms of how many integrated components?
Correct answer: Five
Five is correct because the COSO framework consists of five integrated components: control environment, risk assessment, control activities, information and communication, and monitoring activities.
- Which of the following is one of the five components of the COSO Internal Control – Integrated Framework?
- Expert testimony
- Chain of custody
- Control environment
- Money laundering
Correct answer: Control environment
Control environment is correct because it is the foundational component of COSO, setting the tone of the organization and influencing the control consciousness of its people. The other options relate to investigation or legal topics, not COSO's internal control components.
- In the COSO framework, the component often described as the foundation that sets the tone of the organization is the:
- Monitoring activities
- Control activities
- Control environment
- Information and communication
Correct answer: Control environment
Control environment is correct because COSO describes it as the foundation for all other components, encompassing integrity, ethical values, governance, and the overall tone set by management and the board.
- Segregation of duties, authorizations, and reconciliations are examples of which COSO component?
- Control activities
- Control environment
- Monitoring activities
- Risk assessment
Correct answer: Control activities
Control activities is correct because COSO defines control activities as the policies and procedures, such as approvals, reconciliations, and segregation of duties, that help ensure management's directives to mitigate risks are carried out.
- The COSO framework identifies three categories of objectives that internal control is designed to achieve. Which of the following is one of them?
- Marketing objectives
- Recruitment objectives
- Litigation objectives
- Operations objectives
Correct answer: Operations objectives
Operations objectives is correct because COSO groups objectives into operations, reporting, and compliance categories, with operations objectives addressing the effectiveness and efficiency of the entity's activities.
- In addition to the original internal control framework, COSO also publishes a widely used framework addressing which broader discipline?
- International trade law
- Securities underwriting
- Consumer credit reporting
- Enterprise risk management (ERM)
Correct answer: Enterprise risk management (ERM)
Enterprise risk management is correct because COSO issued an Enterprise Risk Management framework that broadens the focus beyond internal control to how organizations identify and manage risk in pursuit of their strategy and objectives.
- Within the COSO framework, ongoing evaluations and separate evaluations used to determine whether the components of internal control are present and functioning are part of which component?
- Risk assessment
- Monitoring activities
- Control environment
- Control activities
Correct answer: Monitoring activities
Monitoring activities is correct because COSO's monitoring component uses ongoing and separate evaluations to confirm that each component of internal control is present and operating effectively, with deficiencies reported and corrected.
- A company relies entirely on a single accounting clerk who records transactions, approves payments, and reconciles the bank account with no review. Which COSO control activity is most clearly lacking?
- Enterprise risk management
- Segregation of duties
- Information and communication
- Tone at the top
Correct answer: Segregation of duties
Segregation of duties is correct because allowing one person to record, approve, and reconcile transactions concentrates incompatible functions, removing the independent checks that segregation of duties, a core control activity, is meant to provide.
- Why is the control environment considered so important to anti-fraud efforts under the COSO framework?
- It eliminates the need for any control activities
- It is solely the responsibility of external auditors
- It is the only component that detects fraud after the fact
- It establishes the integrity, ethical values, and tone that influence the effectiveness of all other controls
Correct answer: It establishes the integrity, ethical values, and tone that influence the effectiveness of all other controls
It establishes integrity, ethical values, and tone is correct because the control environment underpins the entire system; if the tone at the top is weak, even well-designed control activities are likely to fail, making it foundational to fraud prevention.
- A formal fraud risk management program is best described as:
- A coordinated set of policies and activities to govern, assess, prevent, detect, and respond to fraud risk
- A one-time training session for new hires
- A schedule for filing currency transaction reports
- A marketing campaign promoting the company's ethics
Correct answer: A coordinated set of policies and activities to govern, assess, prevent, detect, and respond to fraud risk
A coordinated set of policies and activities is correct because a fraud risk management program integrates governance, risk assessment, prevention, detection, and response into an ongoing, organization-wide effort rather than a single isolated activity.
- Which of the following is a core component of an effective fraud risk management program?
- A prohibition on internal audits
- A guarantee that no fraud will ever occur
- An exemption from all regulatory requirements
- A documented fraud risk governance structure with board and management oversight
Correct answer: A documented fraud risk governance structure with board and management oversight
A documented fraud risk governance structure is correct because effective programs assign clear oversight responsibilities to the board and management, establishing accountability for the organization's anti-fraud efforts. No program can guarantee zero fraud or eliminate audits.
- According to widely used fraud risk management guidance, an organization should establish a fraud risk management policy that is:
- Reviewed only by external regulators
- Kept secret from employees to prevent imitation
- Applied only to the finance department
- Communicated to all personnel as part of the organizational culture
Correct answer: Communicated to all personnel as part of the organizational culture
Communicated to all personnel is correct because a fraud risk management policy is effective only when employees throughout the organization understand the expectations, reporting channels, and consequences, making communication essential to building an anti-fraud culture.
- Which activity best reflects the 'response' element of a comprehensive fraud risk management program?
- Establishing a coordinated approach for investigating and remediating detected fraud
- Reducing employee training
- Increasing the marketing budget
- Eliminating the whistleblower hotline
Correct answer: Establishing a coordinated approach for investigating and remediating detected fraud
Establishing a coordinated investigation and remediation approach is correct because the response element of a fraud risk management program ensures that when fraud is detected, the organization investigates consistently, takes corrective action, and addresses control weaknesses.
- Periodic review and continuous improvement of anti-fraud controls within a fraud risk management program is important primarily because:
- Controls only need to be reviewed if an external audit fails
- Fraud risks and schemes evolve over time, so controls must be reassessed and updated
- Reviews are required only when the company changes auditors
- Once designed, controls remain effective indefinitely
Correct answer: Fraud risks and schemes evolve over time, so controls must be reassessed and updated
Because fraud risks evolve over time is correct: a static program quickly becomes outdated as schemes, technology, and business operations change, so ongoing monitoring and improvement keep the fraud risk management program effective.
- Under the ACFE Code of Professional Ethics, a Certified Fraud Examiner shall not knowingly:
- Cooperate with law enforcement
- Document evidence properly
- Maintain professional competence
- Make a material misrepresentation or commit any illegal or unethical act
Correct answer: Make a material misrepresentation or commit any illegal or unethical act
Make a material misrepresentation is correct because the ACFE Code of Professional Ethics expressly prohibits CFEs from knowingly making material misrepresentations or engaging in illegal or unethical conduct, upholding the integrity of the profession.
- The ACFE Code of Professional Ethics requires that a Certified Fraud Examiner, at all times, demonstrate:
- Advocacy for the side paying the most
- A commitment to professionalism and diligence
- Loyalty to a single client regardless of facts
- A guarantee of a conviction
Correct answer: A commitment to professionalism and diligence
A commitment to professionalism and diligence is correct because the ACFE Code obligates CFEs to exhibit the highest level of integrity and to perform their work with professionalism and diligence, rather than acting as biased advocates.
- Under the ACFE Code of Professional Ethics, a Certified Fraud Examiner shall NOT express an opinion regarding:
- The documents they reviewed
- The results of their own factual analysis
- The methodology they applied
- The legal guilt or innocence of any person or party
Correct answer: The legal guilt or innocence of any person or party
The legal guilt or innocence of any person is correct because the ACFE Code prohibits CFEs from offering opinions on guilt or innocence, which are legal conclusions reserved for the trier of fact; CFEs report findings and may opine on whether evidence supports a conclusion of fraud.
- The ACFE Code of Professional Ethics requires a Certified Fraud Examiner to obtain evidence that:
- Is limited to verbal statements only
- Confirms a predetermined conclusion
- Always favors the party who hired them
- Provides a reasonable basis for any opinion rendered
Correct answer: Provides a reasonable basis for any opinion rendered
Provides a reasonable basis for any opinion is correct because the ACFE Code requires CFEs to base their conclusions on sufficient, relevant evidence, ensuring opinions are objective and supportable rather than driven by who retained them or by a predetermined result.
- Under the ACFE Code of Professional Ethics, confidential information obtained during a professional engagement must be:
- Sold to interested third parties
- Shared freely with anyone who asks
- Posted publicly to deter future fraud
- Kept confidential and not revealed without proper authorization
Correct answer: Kept confidential and not revealed without proper authorization
Kept confidential and not revealed without proper authorization is correct because the ACFE Code obligates CFEs to protect confidential information acquired in the course of their duties and to refrain from disclosing it unless authorized or legally required.
- A Certified Fraud Examiner is offered a much higher fee if she will slant her findings to favor the client's position. Under the ACFE Code of Professional Ethics, she should:
- Accept only if no one will find out
- Refuse, because she must remain objective and base conclusions on the evidence
- Accept and disclose the arrangement afterward
- Accept, because the client is paying for the engagement
Correct answer: Refuse, because she must remain objective and base conclusions on the evidence
Refuse to slant the findings is correct because the ACFE Code requires objectivity and conclusions supported by evidence; deliberately biasing results to please a paying client would violate the examiner's duty of professionalism and integrity.
- Under the ACFE Code of Professional Ethics, a Certified Fraud Examiner should only accept assignments for which the examiner:
- Can charge the highest possible fee
- Already knows the outcome
- Has a reasonable expectation of completing them with professional competence
- Will not need to document anything
Correct answer: Has a reasonable expectation of completing them with professional competence
Has a reasonable expectation of professional competence is correct because the ACFE Code directs CFEs to undertake only engagements they are competent to complete, ensuring the quality and reliability of their professional work.
- In corporate governance, the body charged with overseeing management and the organization's anti-fraud efforts on behalf of stakeholders is the:
- Accounts payable department
- Board of directors
- Marketing committee
- External print vendor
Correct answer: Board of directors
Board of directors is correct because the board provides governance oversight, holding management accountable and overseeing the organization's risk management and anti-fraud programs on behalf of shareholders and other stakeholders.
- Which subgroup of the board typically has direct oversight responsibility for financial reporting, internal controls, and the relationship with external auditors?
- The audit committee
- The shareholders' picnic committee
- The compensation committee
- The marketing committee
Correct answer: The audit committee
The audit committee is correct because it is the board committee charged with overseeing financial reporting, the internal control system, internal and external audit, and often the organization's fraud risk oversight.
- Primary responsibility for designing and implementing the internal controls that prevent and detect fraud rests with:
- The company's customers
- The external auditors
- Government regulators
- Management
Correct answer: Management
Management is correct because management bears primary responsibility for establishing and maintaining the system of internal controls and the anti-fraud program, while the board oversees and external auditors provide independent assurance, not the controls themselves.
- The concept of 'tone at the top' in corporate governance refers to:
- The acoustics of the boardroom
- The pitch used in marketing jingles
- The volume of the CEO's voice in meetings
- The ethical atmosphere and example created by senior management and the board
Correct answer: The ethical atmosphere and example created by senior management and the board
The ethical atmosphere set by senior leadership is correct because tone at the top describes how the integrity, values, and behavior modeled by the board and senior management shape the organization's ethical culture and influence employee conduct.
- The internal audit function contributes to anti-fraud governance primarily by:
- Setting executive compensation
- Approving its own findings without review
- Marketing the company's products
- Providing independent, objective evaluation of the effectiveness of controls and risk management
Correct answer: Providing independent, objective evaluation of the effectiveness of controls and risk management
Providing independent, objective evaluation is correct because internal audit assesses the design and operating effectiveness of internal controls and risk management, reporting to the audit committee and supporting the organization's anti-fraud governance.
- Effective corporate governance over fraud risk generally requires the board to:
- Avoid asking management difficult questions
- Be composed entirely of company executives
- Delegate all oversight to the marketing team
- Maintain independence from management so it can provide objective oversight
Correct answer: Maintain independence from management so it can provide objective oversight
Maintain independence from management is correct because board independence enables objective challenge and oversight of management; a board dominated by insiders cannot effectively hold management accountable for fraud risk and controls.
- The Treadway Commission and its sponsoring organizations are historically significant in anti-fraud governance because they:
- Issued passports to whistleblowers
- Studied fraudulent financial reporting and helped lead to the COSO internal control framework
- Set interest rates for banks
- Prosecuted individual fraudsters
Correct answer: Studied fraudulent financial reporting and helped lead to the COSO internal control framework
Studied fraudulent financial reporting and led to COSO is correct because the National Commission on Fraudulent Financial Reporting (the Treadway Commission) and its sponsoring organizations produced influential recommendations that gave rise to the COSO internal control framework.
- Which statement best describes the respective fraud-related roles of the board and management?
- Management designs and operates anti-fraud controls; the board oversees that management does so effectively
- Customers design the controls and management oversees customers
- The board operates the controls and management oversees the board
- External auditors design the controls and the board operates them
Correct answer: Management designs and operates anti-fraud controls; the board oversees that management does so effectively
Management designs and operates while the board oversees is correct because management is responsible for implementing the anti-fraud program and controls, and the board, often through its audit committee, oversees management's stewardship of those efforts.
- An anti-fraud whistleblower hotline is most effective at preventing and detecting fraud when it:
- Is never advertised to anyone
- Allows anonymous reporting and is well publicized to employees and third parties
- Is available only to senior executives
- Requires callers to identify themselves to a suspected fraudster
Correct answer: Allows anonymous reporting and is well publicized to employees and third parties
Allows anonymous reporting and is well publicized is correct because tips are the most common way occupational fraud is detected, and a hotline that permits anonymity and is widely known encourages reporting, increasing both deterrence and detection.
- According to research on how occupational fraud is detected, the single most common detection method is:
- Confession
- Tips
- Accidental discovery by police
- External audit
Correct answer: Tips
Tips is correct because ACFE research consistently finds that more occupational frauds are uncovered through tips than through any other method, which is why reporting mechanisms such as hotlines are a cornerstone of fraud prevention program design.
- A written code of conduct contributes to fraud prevention primarily by:
- Replacing the need for internal controls
- Setting clear ethical expectations and making rationalization of fraud more difficult
- Guaranteeing that no employee will ever commit fraud
- Increasing the company's stock price directly
Correct answer: Setting clear ethical expectations and making rationalization of fraud more difficult
Setting clear ethical expectations is correct because a code of conduct communicates the organization's values and rules, reinforcing an ethical culture and making it harder for would-be fraudsters to rationalize misconduct, though it does not by itself guarantee prevention.
- Mandatory vacation and job rotation policies help prevent and detect fraud chiefly because:
- They eliminate the need for segregation of duties
- They guarantee employees will not steal
- They force another person to perform the absent employee's duties, exposing concealed schemes
- They reduce the company's payroll costs
Correct answer: They force another person to perform the absent employee's duties, exposing concealed schemes
They force another person to perform the duties is correct because many ongoing concealment schemes require the perpetrator's constant attention; when someone else must step in during a mandatory absence or rotation, hidden frauds are more likely to surface.
- Pre-employment background checks support a fraud prevention program by:
- Guaranteeing the applicant will never commit fraud
- Eliminating the need for any ongoing monitoring
- Helping screen out applicants with a history of dishonesty before they are hired
- Replacing the organization's code of conduct
Correct answer: Helping screen out applicants with a history of dishonesty before they are hired
Helping screen out applicants with a history of dishonesty is correct because background checks reduce the chance of hiring individuals with relevant prior misconduct, lowering fraud risk at the point of entry, though they do not replace ongoing controls.
- Anti-fraud training for employees is an important prevention measure because it:
- Educates staff on recognizing red flags and on how and where to report concerns
- Replaces the need for a fraud risk assessment
- Is required only for the IT department
- Eliminates the need for management oversight
Correct answer: Educates staff on recognizing red flags and on how and where to report concerns
Educates staff on recognizing red flags and reporting is correct because well-trained employees become an effective line of defense, better able to spot warning signs and use reporting channels, which strengthens both deterrence and early detection.
- Establishing meaningful and consistent consequences for fraud and ethical violations supports prevention by:
- Reducing the perceived likelihood of getting caught
- Making rationalization easier
- Demonstrating that misconduct will not be tolerated, which strengthens deterrence
- Encouraging employees to take more risks
Correct answer: Demonstrating that misconduct will not be tolerated, which strengthens deterrence
Demonstrating that misconduct will not be tolerated is correct because visibly and consistently disciplining fraud raises the perceived cost of committing it, reinforcing deterrence and supporting the organization's ethical culture.
- The principle of 'perception of detection' in fraud prevention holds that fraud is deterred most effectively when:
- Controls are kept secret from everyone
- Potential offenders believe they are likely to be caught
- Employees are never trained on fraud
- Penalties are eliminated
Correct answer: Potential offenders believe they are likely to be caught
Potential offenders believe they are likely to be caught is correct because the perception of detection is one of the strongest deterrents; visible controls, audits, and monitoring raise the perceived risk of being caught, discouraging would-be fraudsters.
- Proactive data monitoring and analysis as part of a fraud prevention program is valuable because it:
- Can identify anomalies and potential fraud earlier, reducing losses and duration
- Is useful only after litigation begins
- Guarantees the elimination of all fraud
- Replaces the need for any human judgment
Correct answer: Can identify anomalies and potential fraud earlier, reducing losses and duration
Can identify anomalies and potential fraud earlier is correct because proactive monitoring of transactions and data helps surface suspicious patterns sooner, shortening the time a scheme goes undetected and reducing the associated losses.
- A surprise audit serves as an anti-fraud measure mainly because it:
- Is cheaper than any other control
- Notifies fraudsters well in advance
- Increases the perception that misconduct may be discovered at any time
- Eliminates the need for a code of conduct
Correct answer: Increases the perception that misconduct may be discovered at any time
Increases the perception of discovery is correct because the unpredictability of surprise audits heightens the perceived risk of detection, which deters potential fraudsters who can no longer rely on knowing when reviews will occur.
- White-collar crime is best characterized as:
- Violent street crime
- Crime committed only by manual laborers
- Financially motivated, nonviolent crime committed by individuals or organizations, often involving deceit and abuse of trust
- Property crime involving physical force
Correct answer: Financially motivated, nonviolent crime committed by individuals or organizations, often involving deceit and abuse of trust
Financially motivated, nonviolent crime involving deceit is correct because white-collar crime, a term coined by sociologist Edwin Sutherland, refers to nonviolent offenses committed for financial gain through deception and the abuse of trust, typically in occupational or business contexts.
- The term 'white-collar crime' is generally credited to which figure?
- Donald Cressey
- Benford
- Sarbanes and Oxley
- Edwin Sutherland
Correct answer: Edwin Sutherland
Edwin Sutherland is correct because the sociologist coined the term white-collar crime in the late 1930s to describe crimes committed by persons of respectability and high social status in the course of their occupations.
- In white-collar crime theory, what is the key distinction between occupational crime and organizational (corporate) crime?
- Occupational crime benefits the individual at the organization's expense, while organizational crime benefits the organization itself
- Occupational crime is legal and organizational crime is illegal
- There is no difference between the two
- Occupational crime is always violent and organizational crime is not
Correct answer: Occupational crime benefits the individual at the organization's expense, while organizational crime benefits the organization itself
Occupational crime benefits the individual while organizational crime benefits the organization is correct because occupational fraud is committed by an employee against the employer, whereas corporate or organizational crime is committed on behalf of and to benefit the organization.
- Sutherland's theory of differential association proposes that criminal behavior, including white-collar crime, is primarily:
- Caused solely by biological factors
- Impossible to explain
- Learned through interaction with others, including attitudes favorable to violating the law
- Random and unrelated to social influence
Correct answer: Learned through interaction with others, including attitudes favorable to violating the law
Learned through interaction with others is correct because differential association theory holds that criminal behavior, including white-collar offending, is learned in social interaction, including the techniques and the attitudes that favor breaking the law.
- The criminological concept of 'techniques of neutralization' is relevant to white-collar crime because it explains how offenders:
- Justify or rationalize their conduct to neutralize feelings of guilt
- Recruit new investors
- Physically conceal stolen cash
- Launder money across borders
Correct answer: Justify or rationalize their conduct to neutralize feelings of guilt
Justify or rationalize their conduct is correct because techniques of neutralization, such as denying responsibility or claiming entitlement, allow offenders to neutralize the guilt of wrongdoing, closely paralleling the rationalization leg of the Fraud Triangle.
- Compared with conventional street crime, white-collar crime is often more difficult to detect because it:
- Is typically concealed within legitimate business activities and records
- Is committed in public view
- Never involves documents
- Always leaves obvious physical evidence
Correct answer: Is typically concealed within legitimate business activities and records
Concealed within legitimate business activities is correct because white-collar offenses are embedded in ordinary transactions and records and lack the visible physical evidence of street crime, making them harder to detect and often requiring specialized examination.
- Routine activity theory, applied to fraud, suggests that a crime is more likely when which three conditions converge?
- A motivated offender, a suitable target, and the absence of a capable guardian
- Three accomplices, a getaway car, and a weapon
- A regulator, an auditor, and a judge
- High wages, low taxes, and full employment
Correct answer: A motivated offender, a suitable target, and the absence of a capable guardian
A motivated offender, a suitable target, and the absence of a capable guardian is correct because routine activity theory holds that crime occurs when these three elements converge, which in a fraud context underscores the deterrent value of capable oversight and controls.
- Which of the following is most consistent with the white-collar crime concept of organizational (corporate) crime?
- A company systematically falsifying emissions data to gain a competitive advantage
- A clerk pocketing a customer's payment
- An employee stealing petty cash for personal use
- A manager taking office supplies home
Correct answer: A company systematically falsifying emissions data to gain a competitive advantage
A company falsifying emissions data to gain advantage is correct because organizational crime is committed to benefit the organization itself, distinguishing it from occupational crimes in which individuals enrich themselves at the organization's expense.
- Behavioral red flags of fraud most commonly observed in perpetrators include:
- Living beyond one's means and unusually close association with a vendor or customer
- Consistently taking long vacations
- Frequently asking for help with tasks
- Routinely arriving late to work
Correct answer: Living beyond one's means and unusually close association with a vendor or customer
Living beyond one's means and an unusually close vendor relationship is correct because ACFE research identifies these as among the most common behavioral red flags displayed by occupational fraud perpetrators, often signaling financial pressure or corruption.
- An employee who refuses to take vacations or to allow anyone else to perform his duties is displaying a behavioral red flag because:
- He is simply very dedicated and poses no risk
- Vacation refusal has no relationship to fraud
- He may be guarding an ongoing scheme that requires his constant attention to conceal
- He is entitled to extra pay
Correct answer: He may be guarding an ongoing scheme that requires his constant attention to conceal
He may be guarding an ongoing scheme is correct because a fraudster often avoids time off so no one else handles his work and discovers the concealment, which is why reluctance to take vacation is a recognized behavioral red flag.
- Which of the following is a transactional (rather than behavioral) red flag of possible fraud?
- An employee who is wealthy from an inheritance
- An employee showing signs of irritability
- Frequent journal entries with little or no supporting documentation
- An employee experiencing a recent divorce
Correct answer: Frequent journal entries with little or no supporting documentation
Frequent unsupported journal entries is correct because it is a transactional red flag observable in the accounting records, whereas personal stressors and behavioral changes are behavioral red flags relating to the individual rather than the transactions.
- An employee with significant personal financial difficulties exhibits a red flag relevant to fraud because such pressure can:
- Provide the motivation described by the pressure element of the Fraud Triangle
- Guarantee the employee will commit fraud
- Replace the need for rationalization
- Eliminate the need for opportunity
Correct answer: Provide the motivation described by the pressure element of the Fraud Triangle
Provide the motivation described by the pressure element is correct because financial difficulty is a classic source of the non-shareable pressure in the Fraud Triangle; it is a warning sign, not proof, that an employee may be at heightened risk.
- Why must fraud examiners treat red flags as indicators warranting further inquiry rather than as proof of fraud?
- Red flags eliminate the need for any investigation
- Many red flags have innocent explanations and must be evaluated in context
- Red flags are always conclusive evidence of guilt
- Red flags can never appear in honest employees
Correct answer: Many red flags have innocent explanations and must be evaluated in context
Many red flags have innocent explanations is correct because indicators such as lifestyle changes or control weaknesses can have legitimate causes; they signal where to look further but, standing alone, do not establish that fraud has occurred.
- Which of the following is commonly considered an organizational red flag that increases fraud risk?
- Weak or absent internal controls and poor segregation of duties
- Mandatory job rotation
- A strong, well-publicized whistleblower hotline
- An active and independent audit committee
Correct answer: Weak or absent internal controls and poor segregation of duties
Weak or absent internal controls is correct because deficient controls create the opportunity element of fraud and are an organizational red flag, whereas hotlines, independent audit committees, and job rotation are anti-fraud measures that reduce risk.
- A manager who is highly defensive, displays a 'wheeler-dealer' attitude, and is unwilling to share duties is exhibiting which category of fraud warning sign?
- Behavioral red flags
- Chain of custody breaks
- Currency reporting thresholds
- Benford's Law anomalies
Correct answer: Behavioral red flags
Behavioral red flags is correct because attitudes and conduct such as defensiveness, a wheeler-dealer mindset, and refusal to share duties are personal behavioral indicators associated with fraud perpetrators, distinct from data anomalies or evidence-handling concepts.
- How does a fraud risk assessment relate to a fraud prevention program?
- The prevention program replaces the need for any assessment
- The assessment identifies where fraud is most likely so the prevention program can target controls to those risks
- They are unrelated activities
- The assessment is performed only after the prevention program fails
Correct answer: The assessment identifies where fraud is most likely so the prevention program can target controls to those risks
The assessment identifies where fraud is most likely so controls can be targeted is correct because the fraud risk assessment provides the foundation for an effective prevention program, ensuring that anti-fraud resources and controls are directed at the highest-priority risks.
- An organization's audit committee asks management to formally identify and rank the company's most significant fraud schemes by likelihood and impact. This task is best described as:
- Conducting a fraud risk assessment
- Drafting an expert witness report
- Filing a suspicious activity report
- Performing a digital forensic image
Correct answer: Conducting a fraud risk assessment
Conducting a fraud risk assessment is correct because identifying potential fraud schemes and ranking them by likelihood and impact is the core of a fraud risk assessment, which informs how the organization prioritizes its anti-fraud responses.
- A CFE notices that a company's leadership openly bends ethics rules and pressures staff to 'hit the numbers at any cost.' From a prevention standpoint, this culture is dangerous because it:
- Strengthens internal controls automatically
- Eliminates the pressure element of fraud
- Has no effect on fraud risk
- Erodes tone at the top and makes rationalization of fraud easier throughout the organization
Correct answer: Erodes tone at the top and makes rationalization of fraud easier throughout the organization
Erodes tone at the top and eases rationalization is correct because when leaders model unethical behavior, employees more readily justify their own misconduct, weakening the ethical foundation that fraud prevention depends upon.
- Which statement about the limitations of internal controls is most accurate from a fraud prevention perspective?
- Properly designed controls eliminate all possibility of fraud
- Controls are useful only for financial statement fraud
- Controls are unnecessary if employees are trustworthy
- Even well-designed controls can be circumvented by collusion or management override, so they reduce but do not eliminate fraud risk
Correct answer: Even well-designed controls can be circumvented by collusion or management override, so they reduce but do not eliminate fraud risk
Even well-designed controls can be circumvented is correct because collusion among employees and management override are inherent limitations of internal control; controls reduce fraud risk to an acceptable level but can never provide absolute assurance.
- An effective anti-fraud control environment depends most heavily on:
- The brand of accounting software used
- The size of the company's advertising budget
- The number of employees in the accounting department
- The integrity and ethical values demonstrated by management and the board
Correct answer: The integrity and ethical values demonstrated by management and the board
The integrity and ethical values of management and the board is correct because COSO places integrity and ethical values at the heart of the control environment; without them, other anti-fraud controls lose their effectiveness regardless of department size or software.
- Why is the rationalization element of the Fraud Triangle particularly relevant when designing an organization's ethics and compliance program?
- A strong ethical culture and code of conduct can make it harder for individuals to rationalize fraud
- Rationalization has nothing to do with culture
- Rationalization can be fully eliminated by stronger passwords
- Ethics programs increase rationalization
Correct answer: A strong ethical culture and code of conduct can make it harder for individuals to rationalize fraud
A strong ethical culture makes rationalization harder is correct because reinforcing clear values and expectations attacks the rationalization leg of the Fraud Triangle, reducing the ease with which employees can justify dishonest conduct to themselves.
- An employee who has the authority to both approve invoices and add new vendors, with no oversight, primarily illustrates which element of the Fraud Triangle?
- Capability
- Rationalization
- Pressure
- Opportunity
Correct answer: Opportunity
Opportunity is correct because concentrating incompatible duties without oversight creates the perceived ability to commit and conceal fraud, which is the opportunity element of the Fraud Triangle that organizations can mitigate through controls.
- Of the following, which would most effectively reduce the 'opportunity' element of fraud in a purchasing department?
- Increasing the sales commission rate
- Requiring independent approval and separating vendor setup from invoice payment
- Allowing one employee to control the entire process
- Reducing the frequency of bank reconciliations
Correct answer: Requiring independent approval and separating vendor setup from invoice payment
Requiring independent approval and separating duties is correct because segregating vendor setup from payment and requiring independent review removes the unchecked control that creates opportunity, directly attacking that leg of the Fraud Triangle.
- A comprehensive fraud risk management program should align its anti-fraud activities with the organization's:
- Office holiday calendar
- Product packaging design
- Daily lunch schedule
- Overall governance and enterprise risk management structure
Correct answer: Overall governance and enterprise risk management structure
Overall governance and enterprise risk management structure is correct because an effective fraud risk management program is integrated with the organization's broader governance and risk management, ensuring consistent oversight and accountability rather than operating in isolation.
- In a mature fraud risk management program, responsibility for setting the program's overall direction and providing oversight typically rests with:
- External customers
- Temporary contractors
- The mailroom staff
- The board of directors and senior management
Correct answer: The board of directors and senior management
The board of directors and senior management is correct because effective fraud risk governance assigns ultimate oversight and direction of the program to the board and senior leadership, who establish the policy, allocate resources, and hold the organization accountable.
- Which document typically formalizes an organization's commitment to managing fraud risk and assigns related roles and responsibilities?
- A marketing brochure
- A customer receipt
- A vendor invoice
- A fraud risk management policy
Correct answer: A fraud risk management policy
A fraud risk management policy is correct because it documents the organization's commitment to managing fraud risk, defines roles and responsibilities, and communicates expectations, serving as the formal foundation of the broader program.
- Under the ACFE Code of Professional Ethics, the requirement that a CFE conduct examinations with diligence primarily protects:
- The reliability and credibility of the examiner's work and the profession's reputation
- The fraudster's interests
- The marketing of the firm
- The examiner's right to higher fees
Correct answer: The reliability and credibility of the examiner's work and the profession's reputation
The reliability and credibility of the work and the profession is correct because diligence ensures examinations are thorough and dependable, protecting both the value of the examiner's conclusions and the public's trust in the CFE credential.
- A CFE who completes continuing professional education each year is fulfilling which broad ethical obligation?
- Avoiding documentation
- Maximizing billable hours
- Maintaining professional competence and currency of knowledge
- Guaranteeing convictions
Correct answer: Maintaining professional competence and currency of knowledge
Maintaining professional competence is correct because the ACFE expects members to keep their knowledge and skills current, and completing continuing education supports the ethical duty to provide competent professional services.
- A whistleblower hotline operated by an independent third party rather than internal staff is often preferred because it:
- Guarantees that reports will lead to convictions
- Eliminates the need for management oversight
- Makes reports public automatically
- Increases perceived confidentiality and may encourage more employees to report
Correct answer: Increases perceived confidentiality and may encourage more employees to report
Increases perceived confidentiality and encourages reporting is correct because employees may be more willing to report concerns when an independent operator handles the hotline, enhancing the program's reach and effectiveness in detecting and deterring fraud.
- Which combination of measures best reflects a layered approach to fraud prevention?
- A single annual external audit only
- Relying solely on employee honesty
- Ethical culture, internal controls, training, and a reporting hotline working together
- Posting a code of conduct with no enforcement
Correct answer: Ethical culture, internal controls, training, and a reporting hotline working together
Ethical culture, controls, training, and a hotline together is correct because effective fraud prevention layers multiple complementary measures, recognizing that no single control is sufficient and that prevention, deterrence, and detection reinforce one another.
- Anti-fraud measures are often grouped into preventive and detective controls. A preventive control is one that:
- Is designed to stop fraud from occurring in the first place
- Identifies fraud only after it has happened
- Is applied exclusively during litigation
- Replaces the organization's governance structure
Correct answer: Is designed to stop fraud from occurring in the first place
Designed to stop fraud from occurring is correct because preventive controls, such as segregation of duties and authorization requirements, aim to keep fraud from happening, whereas detective controls, such as reconciliations and monitoring, identify it after the fact.
- Reconciliations and independent reviews of transactions are best classified as which type of anti-fraud control?
- Preventive controls
- Marketing controls
- Detective controls
- Recruitment controls
Correct answer: Detective controls
Detective controls is correct because reconciliations and independent reviews are designed to discover errors or fraud that have already occurred, complementing preventive controls that aim to stop fraud before it happens.
- White-collar crime theory helps fraud prevention efforts by emphasizing that fraud is committed by:
- Only people with prior violent convictions
- Only senior executives
- Otherwise ordinary, often trusted individuals rather than only stereotypical criminals
- Exclusively outsiders to the organization
Correct answer: Otherwise ordinary, often trusted individuals rather than only stereotypical criminals
Otherwise ordinary, trusted individuals is correct because white-collar crime theory shows that fraud is frequently committed by respectable, trusted insiders, which is why prevention programs must apply controls and oversight broadly rather than profiling a narrow 'criminal type.'
- The observation that most occupational fraudsters are first-time offenders with no prior criminal record supports which prevention principle?
- Only repeat offenders commit fraud
- Background checks make all other controls unnecessary
- Background checks alone are insufficient, so ongoing controls and monitoring remain essential
- Trusted employees never require oversight
Correct answer: Background checks alone are insufficient, so ongoing controls and monitoring remain essential
Background checks alone are insufficient is correct because if most fraudsters have clean records, pre-employment screening cannot catch them; effective prevention therefore combines screening with continuing controls, monitoring, and an ethical culture.
- Which of the following is the strongest example of a behavioral red flag combined with a personal pressure that warrants attention?
- An employee who takes regular vacations
- An employee who requests cross-training
- An employee who consistently follows procedures
- An employee suddenly living far beyond his salary while complaining of financial trouble
Correct answer: An employee suddenly living far beyond his salary while complaining of financial trouble
Living far beyond his salary while complaining of financial trouble is correct because it combines two recognized indicators, lifestyle inconsistent with income and financial pressure, that together raise the concern level, though they still call for inquiry rather than assumptions of guilt.
- From a deterrence standpoint, publicizing that the company actively monitors transactions and disciplines fraud is intended to:
- Eliminate the audit committee
- Raise employees' perception of detection and consequences, discouraging fraud
- Reduce the need for ethics training
- Encourage employees to test the controls
Correct answer: Raise employees' perception of detection and consequences, discouraging fraud
Raise the perception of detection and consequences is correct because communicating active monitoring and consistent discipline strengthens deterrence by increasing the perceived likelihood and cost of getting caught, a core principle of fraud deterrence.
- Which COSO component is most directly concerned with the organization's processes for identifying and analyzing risks to achieving its objectives, including fraud risks?
- Risk assessment
- Control environment
- Monitoring activities
- Control activities
Correct answer: Risk assessment
Risk assessment is correct because this COSO component involves identifying and analyzing risks, including the consideration of fraud risk, to determine how those risks should be managed, providing the basis for designing control activities.
- The 2013 update to the COSO Internal Control – Integrated Framework introduced 17 principles that:
- Replaced the five components entirely
- Apply only to government agencies
- Address only money laundering
- Articulate the fundamental concepts associated with each of the five components
Correct answer: Articulate the fundamental concepts associated with each of the five components
Articulate the fundamental concepts associated with each component is correct because the 2013 update kept the five components and added 17 supporting principles that clarify the concepts underlying each, including an explicit principle on considering the potential for fraud.
- Which COSO principle is most directly aimed at fraud prevention and deterrence?
- The organization outsources its board
- The organization considers the potential for fraud in assessing risks to the achievement of objectives
- The organization minimizes employee headcount
- The organization maximizes quarterly sales
Correct answer: The organization considers the potential for fraud in assessing risks to the achievement of objectives
Considering the potential for fraud in assessing risks is correct because the COSO framework includes an explicit principle requiring entities to assess fraud risk, embedding fraud consideration directly into the internal control system.
- Information and communication, as a COSO component, supports anti-fraud efforts by ensuring that:
- Only executives are informed of any risks
- All employees receive identical salaries
- Relevant information, including how to report concerns, flows to the right people throughout the organization
- Financial records are destroyed annually
Correct answer: Relevant information, including how to report concerns, flows to the right people throughout the organization
Relevant information flows to the right people is correct because the information and communication component ensures employees understand their responsibilities and how to report issues, which is essential to both operating controls and surfacing potential fraud.
- A board that establishes an independent audit committee, approves a code of conduct, and oversees the whistleblower program is fulfilling its role in:
- Corporate governance over fraud risk
- Day-to-day transaction processing
- Operating the company's hotline phones
- Performing the external audit
Correct answer: Corporate governance over fraud risk
Corporate governance over fraud risk is correct because establishing oversight bodies, approving ethics policies, and overseeing reporting mechanisms are governance functions through which the board fulfills its anti-fraud oversight responsibilities.
- Which of the following best illustrates management fulfilling its anti-fraud responsibility?
- Delegating all responsibility for fraud to the external auditors
- Removing all approval requirements to speed transactions
- Designing and maintaining internal controls and setting an ethical example for employees
- Ignoring reported concerns to avoid disruption
Correct answer: Designing and maintaining internal controls and setting an ethical example for employees
Designing and maintaining controls and setting an ethical example is correct because management's anti-fraud responsibilities include implementing the control system and modeling integrity; it cannot offload these duties to external auditors or ignore reported concerns.
- The external auditor's role with respect to fraud in financial statements is generally to:
- Operate the company's anti-fraud program
- Obtain reasonable assurance that the statements are free of material misstatement, whether from error or fraud
- Design the company's internal controls
- Guarantee that no fraud of any kind exists
Correct answer: Obtain reasonable assurance that the statements are free of material misstatement, whether from error or fraud
Obtain reasonable assurance regarding material misstatement is correct because external auditors are responsible for reasonable, not absolute, assurance that financial statements are free of material misstatement from error or fraud; designing controls and running the anti-fraud program remain management's responsibilities.
- An organization that defines clear escalation and investigation procedures before any fraud occurs is strengthening which part of its fraud risk management program?
- The marketing component
- The response and remediation component
- The dividend policy
- The vendor onboarding speed
Correct answer: The response and remediation component
The response and remediation component is correct because predefining how the organization will investigate and respond to fraud ensures a consistent, prompt, and effective reaction, which is the response element of a comprehensive fraud risk management program.
- Why is documenting the fraud risk assessment process important to a fraud risk management program?
- It satisfies a money laundering reporting rule
- It creates a record that supports accountability, consistency, and future updates
- It replaces the need for any controls
- It is required to obtain a CTR exemption
Correct answer: It creates a record that supports accountability, consistency, and future updates
It creates a record supporting accountability and updates is correct because documentation demonstrates that risks were considered, supports consistent application over time, and provides a baseline that can be reviewed and refreshed as the organization changes.
- A company experiences rapid growth into new markets and adopts new software, but does not revisit its fraud risk assessment. The main concern is that:
- New fraud risks introduced by the changes may go unidentified and unaddressed
- The company will be required to file a SAR
- The Benford's Law test will fail automatically
- The chain of custody will be broken
Correct answer: New fraud risks introduced by the changes may go unidentified and unaddressed
New fraud risks may go unidentified is correct because significant changes in operations and systems create new vulnerabilities; failing to update the fraud risk assessment leaves those emerging risks unrecognized and uncontrolled.
- Which best describes the relationship between fraud deterrence and fraud prevention?
- They are identical and interchangeable terms
- Prevention applies only to violent crime
- Deterrence occurs only after fraud is detected
- Deterrence discourages potential offenders by raising perceived risk, while prevention reduces the opportunity to commit fraud
Correct answer: Deterrence discourages potential offenders by raising perceived risk, while prevention reduces the opportunity to commit fraud
Deterrence raises perceived risk while prevention reduces opportunity is correct because deterrence works on the would-be offender's calculus of getting caught, whereas prevention installs controls that limit the chance to commit fraud; together they reinforce one another.
- An employee assistance program that helps staff manage financial and personal difficulties can contribute to fraud prevention by:
- Helping relieve the personal pressures that can motivate fraud
- Guaranteeing no employee will steal
- Removing the need for internal controls
- Eliminating the opportunity element of fraud
Correct answer: Helping relieve the personal pressures that can motivate fraud
Helping relieve personal pressures is correct because such programs address the pressure leg of the Fraud Triangle by offering support for financial or personal crises, which can reduce one of the underlying motivations for fraud.
- When the developers of the Fraud Diamond describe a fraudster's 'capability,' they emphasize that the person typically holds:
- A prior violent criminal record
- A large amount of cash on hand
- No knowledge of the organization
- A position or function that grants the access needed to exploit the opportunity
Correct answer: A position or function that grants the access needed to exploit the opportunity
A position or function granting access is correct because the Fraud Diamond's capability element stresses that the individual must have the authority, role, or access necessary to turn an opportunity into an actual fraud, alongside the intelligence and confidence to do so.
- Two employees with identical pressures and the same opportunity behave differently: one commits fraud, the other does not. The Fraud Diamond would attribute the difference largely to:
- Their seniority dates alone
- The color of their offices
- The day of the week
- Differences in capability, such as the traits and skills needed to act
Correct answer: Differences in capability, such as the traits and skills needed to act
Differences in capability is correct because the Fraud Diamond adds capability precisely to explain why, given equal pressure and opportunity, only certain individuals with the necessary traits, skills, and confidence actually carry out the fraud.
- An organization that requires dual authorization for wire transfers above a set amount is implementing a control that primarily targets which leg of the Fraud Triangle?
- Opportunity
- Pressure
- Rationalization
- Capability
Correct answer: Opportunity
Opportunity is correct because requiring two people to authorize large transfers removes the unilateral ability to move funds, reducing the opportunity to commit and conceal fraud, the leg of the triangle most amenable to control.
- Which of the following statements about the Fraud Triangle is most accurate?
- All three elements are generally present when occupational fraud occurs
- The elements apply only to violent crime
- Pressure must always exceed opportunity numerically
- Only one element is ever needed for fraud to occur
Correct answer: All three elements are generally present when occupational fraud occurs
All three elements are generally present is correct because the Fraud Triangle holds that pressure, opportunity, and rationalization typically converge when occupational fraud occurs; weakening any one of the three reduces the likelihood of fraud.
- A code of conduct that requires employees to annually certify they have read and complied with it strengthens fraud prevention by:
- Reinforcing ethical expectations and reducing the ability to claim ignorance as a rationalization
- Replacing the need for internal controls
- Eliminating the audit function
- Guaranteeing no violations will occur
Correct answer: Reinforcing ethical expectations and reducing the ability to claim ignorance as a rationalization
Reinforcing ethical expectations and reducing ignorance claims is correct because annual certification keeps the code top of mind and undercuts a common rationalization, that the employee did not know the rules, thereby supporting an anti-fraud culture.
- Which of the following is the best example of management overriding controls, a risk that fraud risk assessments must specifically consider?
- A senior executive instructs staff to bypass the normal approval process to record questionable revenue
- A vendor submits an invoice on time
- A clerk forgets to file a routine report
- An employee takes an approved vacation
Correct answer: A senior executive instructs staff to bypass the normal approval process to record questionable revenue
A senior executive instructing staff to bypass approvals is correct because it exemplifies management override, where someone with authority circumvents otherwise effective controls, a pervasive risk that fraud risk assessments must address explicitly.
- From a governance perspective, why is it important that the internal audit function report functionally to the audit committee rather than solely to management?
- It allows internal audit to set its own salaries
- It lets management edit audit findings
- It exempts internal audit from documentation
- It preserves internal audit's independence and ability to objectively assess management's controls
Correct answer: It preserves internal audit's independence and ability to objectively assess management's controls
It preserves internal audit's independence is correct because reporting functionally to the audit committee protects internal audit from undue management influence, enabling objective evaluation of the controls and anti-fraud efforts that management itself operates.
- A fraud prevention program that includes positive pay for checks, vendor verification, and dual approvals is best described as relying primarily on:
- Preventive internal controls that reduce opportunity
- Whistleblower incentives only
- Marketing initiatives
- Detective controls applied after losses occur
Correct answer: Preventive internal controls that reduce opportunity
Preventive internal controls that reduce opportunity is correct because positive pay, vendor verification, and dual approvals are designed to stop fraudulent transactions before they happen, directly limiting the opportunity element of fraud.
- Why is an anonymous reporting mechanism especially valuable in light of how occupational fraud is most often detected?
- Because anonymous tips are always accurate
- Because anonymity replaces the need for investigation
- Because tips are the leading source of fraud detection and anonymity encourages more people to come forward
- Because anonymous reporting is required to file a CTR
Correct answer: Because tips are the leading source of fraud detection and anonymity encourages more people to come forward
Because tips lead detection and anonymity encourages reporting is correct: since tips uncover more occupational fraud than any other method, providing an anonymous channel removes a key barrier and increases the volume and value of reports.
- In white-collar crime theory, the idea that offenders are often respected members of their communities who exploit positions of trust implies that prevention programs should:
- Rely entirely on employees' reputations
- Exempt senior leaders from all controls
- Apply controls and oversight even to trusted, high-status individuals
- Focus only on low-level staff
Correct answer: Apply controls and oversight even to trusted, high-status individuals
Apply controls and oversight even to trusted individuals is correct because white-collar crime theory shows that trust and status do not preclude fraud; effective prevention therefore subjects everyone, including senior and respected staff, to appropriate controls and oversight.
- A fraud risk assessment that scores each identified scheme on both likelihood and significance is most directly used to:
- Calculate quarterly dividends
- Determine employee vacation schedules
- Set the company's product prices
- Prioritize which risks require the strongest anti-fraud responses
Correct answer: Prioritize which risks require the strongest anti-fraud responses
Prioritize which risks require the strongest responses is correct because scoring likelihood and significance lets the organization rank fraud risks and direct its limited anti-fraud resources to the most likely and most damaging schemes.
- Which of the following best reflects an ethical culture that supports fraud deterrence?
- Leaders consistently model integrity and hold everyone, including executives, accountable for misconduct
- Rules are enforced only against junior employees
- Ethics are discussed only during onboarding and never again
- Reported concerns are quietly ignored
Correct answer: Leaders consistently model integrity and hold everyone, including executives, accountable for misconduct
Leaders model integrity and hold everyone accountable is correct because consistent, even-handed enforcement and ethical leadership reinforce the message that fraud will not be tolerated, strengthening deterrence and the overall anti-fraud culture.
- An organization analyzes its processes and concludes that procurement carries a higher fraud risk than fixed-asset accounting. This conclusion is a product of:
- A fraud risk assessment ranking risks across processes
- A Benford's Law test
- An admission-seeking interview
- A chain of custody review
Correct answer: A fraud risk assessment ranking risks across processes
A fraud risk assessment ranking risks across processes is correct because comparing the relative fraud risk of different business processes and identifying where exposure is greatest is exactly what a fraud risk assessment produces, guiding control design.
- Which statement about the ACFE Code of Professional Ethics and conflicts of interest is most accurate?
- Conflicts of interest are encouraged to build relationships
- A CFE should avoid conflicts of interest and disclose any that cannot be avoided
- Conflicts of interest are irrelevant to fraud examiners
- A CFE may conceal conflicts of interest if profitable
Correct answer: A CFE should avoid conflicts of interest and disclose any that cannot be avoided
Avoid conflicts and disclose any that cannot be avoided is correct because the ACFE Code's emphasis on integrity and objectivity requires CFEs to steer clear of conflicts of interest and to make appropriate disclosures when conflicts arise, preserving impartiality.
- Which of the following would most undermine the deterrent value of an organization's anti-fraud program?
- Publicizing the whistleblower hotline
- Conducting surprise audits
- Failing to consistently discipline employees who commit fraud
- Requiring segregation of duties
Correct answer: Failing to consistently discipline employees who commit fraud
Failing to consistently discipline fraud is correct because inconsistent enforcement signals that misconduct carries little real consequence, eroding the perception of detection and punishment that deterrence depends on, while the other options strengthen the program.
- A company that conducts ethics training only once, at hiring, and never reinforces it is most likely weakening which aspect of fraud prevention?
- The ongoing communication and reinforcement of ethical expectations
- Its expert witness preparation
- Its currency transaction reporting
- Its chain of custody procedures
Correct answer: The ongoing communication and reinforcement of ethical expectations
Ongoing communication and reinforcement of ethical expectations is correct because anti-fraud culture must be continually reinforced; one-time training at hiring fades over time, weakening the sustained ethical messaging that prevention depends on.
- In the COSO framework, who is ultimately responsible for the overall system of internal control?
- Management, with oversight by the board of directors
- Individual line employees only
- The external auditors alone
- Government regulators
Correct answer: Management, with oversight by the board of directors
Management with board oversight is correct because COSO assigns responsibility for the internal control system to management, who designs and operates it, while the board provides governance and oversight; external auditors and regulators are not responsible for the system itself.
- Which of the following is the clearest example of a transactional red flag in the accounting records?
- An employee who is generally well-liked
- A surge in manual adjustments and round-number entries near period-end with weak support
- An employee who attends every staff meeting
- An employee who recently bought a new car with disclosed savings
Correct answer: A surge in manual adjustments and round-number entries near period-end with weak support
A surge in poorly supported manual adjustments near period-end is correct because it is a transactional red flag visible in the records, the kind of anomaly that can indicate manipulation, unlike the neutral personal characteristics listed.
- Why does a strong fraud prevention program emphasize both detective and preventive controls rather than relying on one type?
- Preventive controls can be circumvented, so detective controls are needed to catch what gets through
- Detective controls are illegal without preventive controls
- Preventive controls eliminate the need for governance
- Detective controls prevent all fraud automatically
Correct answer: Preventive controls can be circumvented, so detective controls are needed to catch what gets through
Preventive controls can be circumvented so detective controls are needed is correct because no preventive control is foolproof; combining preventive measures that reduce opportunity with detective measures that identify fraud that slips through provides a more robust defense.
- An organization's ethics policy that establishes a clear, confidential channel for raising concerns and a no-retaliation commitment primarily supports fraud prevention by:
- Guaranteeing convictions of all fraudsters
- Replacing the board's oversight role
- Eliminating the need for internal controls
- Encouraging employees to report suspected misconduct without fear
Correct answer: Encouraging employees to report suspected misconduct without fear
Encouraging employees to report without fear is correct because a confidential reporting channel paired with anti-retaliation assurances removes major barriers to coming forward, increasing the tips that are the leading means of detecting fraud.
- Which best explains why senior management's commitment is essential to an effective fraud risk management program?
- Only senior management can perform reconciliations
- Programs succeed automatically regardless of leadership
- Without leadership commitment and resources, anti-fraud policies are unlikely to be enforced or sustained
- Leadership commitment is required to file SARs
Correct answer: Without leadership commitment and resources, anti-fraud policies are unlikely to be enforced or sustained
Without leadership commitment and resources policies are unlikely to be sustained is correct because senior management sets the tone, allocates resources, and enforces the program; absent their genuine commitment, even well-written anti-fraud policies tend to fail in practice.
- A fraud examiner advising a client on prevention recommends building an 'anti-fraud culture.' This concept most centrally involves:
- Embedding shared values, ethical behavior, and accountability throughout the organization
- Hiring only certified accountants
- Increasing the marketing budget
- Eliminating the whistleblower hotline
Correct answer: Embedding shared values, ethical behavior, and accountability throughout the organization
Embedding shared values, ethical behavior, and accountability is correct because an anti-fraud culture is built when integrity and accountability are woven into everyday norms and leadership behavior, making fraud less tolerated and harder to rationalize.
- Which of the following best distinguishes management's responsibility from the external auditor's responsibility regarding fraud?
- The auditor is responsible for designing the controls and management audits them
- Neither has any responsibility for fraud
- Both have identical responsibilities
- Management is responsible for preventing and detecting fraud through controls; the auditor provides reasonable assurance about material misstatement
Correct answer: Management is responsible for preventing and detecting fraud through controls; the auditor provides reasonable assurance about material misstatement
Management prevents and detects through controls while the auditor provides reasonable assurance is correct because management owns the anti-fraud controls and program, whereas the external auditor's role is to obtain reasonable assurance that the financial statements are not materially misstated.
- The presence of a dominant CEO who overrides controls, combined with a weak board, represents which kind of fraud risk?
- A governance and tone-at-the-top weakness that elevates fraud risk
- A strength that reduces fraud risk
- A neutral factor with no effect on fraud
- A chain of custody issue
Correct answer: A governance and tone-at-the-top weakness that elevates fraud risk
A governance and tone-at-the-top weakness is correct because a dominant CEO unchecked by an effective board can override controls and set a poor ethical tone, conditions that significantly elevate fraud risk and undermine prevention.
- Which is the best example of using the Fraud Triangle proactively in prevention?
- Removing all controls to build trust
- Ignoring employee pressures entirely
- Waiting until fraud occurs and then assigning blame
- Designing controls to limit opportunity while building a culture that counters rationalization and supporting employees under pressure
Correct answer: Designing controls to limit opportunity while building a culture that counters rationalization and supporting employees under pressure
Designing controls to limit opportunity while countering rationalization and easing pressure is correct because proactively addressing all three legs of the Fraud Triangle, especially the opportunity that controls can reduce, is an effective prevention strategy.
- An organization that maps its fraud risks and then assigns an owner accountable for each mitigating control is strengthening:
- Accountability within its fraud risk management program
- Its money laundering reporting
- Its chain of custody documentation
- Its expert testimony preparation
Correct answer: Accountability within its fraud risk management program
Accountability within its fraud risk management program is correct because assigning clear ownership for each control ensures someone is responsible for its operation and effectiveness, a key governance feature of a mature fraud risk management program.
- Which of the following best illustrates the deterrence concept that increasing the perceived likelihood of detection reduces fraud?
- Only penalties, not detection, affect behavior
- Employees commit more fraud when controls are visible
- Detection has no effect on behavior
- Employees commit less fraud when they know transactions are routinely monitored and audited
Correct answer: Employees commit less fraud when they know transactions are routinely monitored and audited
Employees commit less fraud when detection seems likely is correct because deterrence theory holds that raising the perceived probability of being caught discourages would-be offenders, which is why visible monitoring and auditing are core deterrence tools.
- A company that experiences high employee turnover, low morale, and a 'whatever it takes' performance culture should recognize these as:
- Signs that no fraud could ever occur
- Evidence of strong governance
- Organizational red flags that can elevate fraud risk
- Indicators that controls are unnecessary
Correct answer: Organizational red flags that can elevate fraud risk
Organizational red flags that elevate fraud risk is correct because poor morale, high turnover, and intense results pressure can increase both pressure and rationalization for fraud, signaling conditions a prevention program should address.
- Which of the following is the most accurate statement about the goal of fraud deterrence?
- To eliminate the need for any detection efforts
- To guarantee that fraud will never occur
- To discourage individuals from committing fraud by altering their cost-benefit perception
- To prosecute fraud only after large losses
Correct answer: To discourage individuals from committing fraud by altering their cost-benefit perception
To discourage individuals by altering their cost-benefit perception is correct because deterrence aims to make the perceived risks and costs of committing fraud outweigh the perceived benefits, reducing the likelihood that individuals choose to commit it.
- Under the COSO framework, the explicit consideration of incentives and pressures, opportunities, and attitudes and rationalizations in assessing fraud risk closely mirrors which model?
- The Fraud Triangle
- The money laundering cycle
- The chain of custody
- The adversarial system
Correct answer: The Fraud Triangle
The Fraud Triangle is correct because COSO's guidance on assessing fraud risk directs entities to consider incentives/pressures, opportunities, and attitudes/rationalizations, which directly parallel the three legs of the Fraud Triangle.
- A fraud examiner is asked to help an organization that has never formally considered fraud risk. The most logical first step in building a prevention program is to:
- Cancel the external audit
- Conduct a fraud risk assessment to identify where the organization is most vulnerable
- Immediately fire several employees
- Launch a public advertising campaign
Correct answer: Conduct a fraud risk assessment to identify where the organization is most vulnerable
Conduct a fraud risk assessment first is correct because understanding where and how fraud could occur provides the foundation for designing targeted controls and a prevention program, making the assessment the logical starting point.
- Which of the following best describes the role of an organization's code of ethics in deterring fraud?
- It serves as the organization's external audit
- It sets behavioral expectations and signals that integrity is valued and violations have consequences
- It replaces the board of directors
- It physically prevents employees from accessing funds
Correct answer: It sets behavioral expectations and signals that integrity is valued and violations have consequences
It sets behavioral expectations and signals consequences is correct because a code of ethics communicates the organization's values and the repercussions of misconduct, supporting deterrence by shaping norms, though it does not physically prevent access or replace governance.
- Why is it important for a fraud risk management program to address third-party and vendor fraud risks, not just employee risks?
- Vendors are legally exempt from fraud
- Fraud can be perpetrated by or in collusion with outside parties, so the program must extend beyond employees
- Only employees can commit fraud
- Third parties never pose fraud risk
Correct answer: Fraud can be perpetrated by or in collusion with outside parties, so the program must extend beyond employees
Fraud can involve outside parties is correct because vendors, customers, and other third parties can commit fraud or collude with insiders; a comprehensive fraud risk management program therefore addresses external as well as internal fraud risks.
- In assessing the control environment for fraud risk, an examiner would view which of the following as a positive indicator?
- Unclear or undocumented ethical expectations
- A board and management that visibly prioritize integrity and ethical behavior
- A culture that punishes those who report concerns
- Frequent management override of controls
Correct answer: A board and management that visibly prioritize integrity and ethical behavior
A board and management prioritizing integrity is correct because a strong control environment built on demonstrated ethical leadership is a positive indicator that reduces fraud risk, in contrast to override, retaliation, and unclear expectations, which are negative indicators.
- Which approach best reflects 'designing controls to address the specific fraud risks identified'?
- Applying the same generic control everywhere regardless of risk
- Tailoring anti-fraud controls to the highest-rated risks from the fraud risk assessment
- Removing controls from high-risk areas to save time
- Letting each employee choose their own controls
Correct answer: Tailoring anti-fraud controls to the highest-rated risks from the fraud risk assessment
Tailoring controls to the highest-rated risks is correct because effective prevention links the fraud risk assessment to control design, concentrating anti-fraud measures where the assessed likelihood and impact are greatest rather than applying undifferentiated controls.
- Which statement about the relationship between the Fraud Triangle and white-collar crime theory is most accurate?
- The Fraud Triangle applies only to violent crime
- They contradict each other entirely
- The Fraud Triangle's rationalization element parallels criminological concepts explaining how offenders justify their conduct
- White-collar crime theory rejects the idea of rationalization
Correct answer: The Fraud Triangle's rationalization element parallels criminological concepts explaining how offenders justify their conduct
The rationalization element parallels criminological justification concepts is correct because the Fraud Triangle's rationalization leg aligns with white-collar crime theory's explanations, such as techniques of neutralization, of how respectable offenders justify their conduct to themselves.
- An effective fraud prevention program treats the elimination of fraud as:
- Unnecessary if the company is profitable
- A certainty achievable with enough controls
- An aspirational goal pursued by reducing risk to an acceptable level, since no program can guarantee zero fraud
- The sole responsibility of external auditors
Correct answer: An aspirational goal pursued by reducing risk to an acceptable level, since no program can guarantee zero fraud
An aspirational goal pursued by reducing risk to an acceptable level is correct because inherent limitations such as collusion and override mean no program guarantees zero fraud; the realistic objective is to reduce fraud risk to an acceptable level through layered controls and culture.
- A whistleblower policy is most likely to fail at deterring fraud if the organization:
- Keeps reports confidential
- Investigates reports promptly
- Publicizes the reporting channel
- Retaliates against those who report, discouraging future reports
Correct answer: Retaliates against those who report, discouraging future reports
Retaliating against reporters is correct because retaliation deters employees from coming forward, undermining the tips that are the leading means of fraud detection; confidentiality, prompt investigation, and publicity instead make the policy effective.
- Which of the following is the best example of a 'red flag' arising from the organizational environment rather than from an individual?
- An employee living beyond his means
- A consistently overridden approval process and a high-pressure earnings culture
- An employee with a close vendor relationship
- An employee who recently divorced
Correct answer: A consistently overridden approval process and a high-pressure earnings culture
A consistently overridden approval process and high-pressure culture is correct because these are organizational or environmental red flags tied to the entity's controls and culture, whereas the other options describe individual behavioral or personal red flags.
- Which is the most accurate description of how a fraud risk assessment treats existing controls?
- It eliminates controls in low-risk areas only
- It evaluates whether current controls adequately mitigate each identified fraud risk and where gaps remain
- It ignores existing controls entirely
- It assumes all existing controls are effective without testing
Correct answer: It evaluates whether current controls adequately mitigate each identified fraud risk and where gaps remain
It evaluates whether controls adequately mitigate each risk and where gaps remain is correct because a sound fraud risk assessment considers the effectiveness of existing controls against each risk, identifying residual risk and gaps that require additional anti-fraud responses.
- When fraud examiners say that 'opportunity' is the leg of the Fraud Triangle most influenced by the organization, they mean that:
- The organization controls employees' personal debts
- Opportunity cannot be affected by any action
- Sound internal controls and oversight can reduce the perceived chance to commit and conceal fraud
- The organization can dictate employees' moral justifications
Correct answer: Sound internal controls and oversight can reduce the perceived chance to commit and conceal fraud
Sound controls and oversight reduce the perceived chance to commit and conceal fraud is correct because while organizations cannot directly control employees' pressures or rationalizations, they can shrink opportunity through controls, segregation of duties, and monitoring.
- Which of the following is a hallmark of a strong anti-fraud governance structure?
- Concentration of all authority in one unmonitored executive
- Prohibiting the board from reviewing controls
- No defined responsibility for fraud risk
- Clear assignment of anti-fraud roles among the board, management, and internal audit
Correct answer: Clear assignment of anti-fraud roles among the board, management, and internal audit
Clear assignment of anti-fraud roles is correct because strong governance defines who is responsible for oversight, implementation, and independent assurance, ensuring accountability across the board, management, and internal audit rather than leaving responsibility undefined.
- A fraud prevention measure that periodically rotates duties among employees in sensitive roles primarily helps by:
- Eliminating the need for any documentation
- Disrupting ongoing schemes that depend on one person maintaining concealment
- Reducing the number of total controls needed
- Increasing the company's tax deductions
Correct answer: Disrupting ongoing schemes that depend on one person maintaining concealment
Disrupting ongoing schemes dependent on one person is correct because rotating duties forces a fresh set of eyes onto a role, making it harder for a single individual to sustain the concealment that many ongoing frauds require.
- Why do anti-fraud professionals consider tone at the top to be a foundation of fraud prevention?
- Because it has no measurable effect on behavior
- Because employees tend to model the ethical behavior demonstrated by leadership
- Because leaders are exempt from fraud risk
- Because tone at the top eliminates the need for controls
Correct answer: Because employees tend to model the ethical behavior demonstrated by leadership
Because employees model leadership's behavior is correct: when leaders demonstrate integrity, employees are more likely to behave ethically, whereas a poor tone at the top can normalize misconduct, making leadership example foundational to prevention.
- An organization's fraud risk management program assigns the audit committee responsibility for overseeing the program and ensuring management addresses identified risks. This reflects:
- Appropriate fraud risk governance and oversight
- A violation of the ACFE Code
- A money laundering control
- An improper delegation of operational duties
Correct answer: Appropriate fraud risk governance and oversight
Appropriate fraud risk governance and oversight is correct because charging the audit committee with overseeing the fraud risk management program and holding management accountable is a recognized governance practice that strengthens the program.
- Which of the following best captures why the perception of detection is often more important to deterrence than the actual rate of detection?
- Would-be offenders weigh their belief about getting caught, so visible controls deter even if not every fraud is caught
- Perception only matters after prosecution
- Detection has no role in deterrence
- Actual detection is irrelevant to losses
Correct answer: Would-be offenders weigh their belief about getting caught, so visible controls deter even if not every fraud is caught
Would-be offenders weigh their belief about getting caught is correct because deterrence operates on perception; if employees believe detection is likely, they are discouraged from committing fraud, which is why visibly promoting controls and monitoring matters.
- A robust fraud prevention program treats employee training as:
- A substitute for internal controls
- A one-time formality at hiring
- A recurring activity that keeps anti-fraud awareness and reporting knowledge current
- An optional benefit for senior staff
Correct answer: A recurring activity that keeps anti-fraud awareness and reporting knowledge current
A recurring activity that keeps awareness current is correct because ongoing training reinforces awareness of red flags and reporting channels over time, sustaining the human element of fraud prevention rather than treating it as a single onboarding step.
- Which statement most accurately reflects the ACFE Code of Professional Ethics regarding the examiner's obligations to the public and the profession?
- A CFE has no obligations to the profession
- A CFE owes loyalty only to the highest bidder
- A CFE shall, at all times, exhibit the highest level of integrity in performing all professional assignments
- A CFE may misrepresent facts to win a case
Correct answer: A CFE shall, at all times, exhibit the highest level of integrity in performing all professional assignments
Exhibit the highest level of integrity is correct because the ACFE Code requires members to demonstrate the highest integrity in all professional work, protecting the public interest and the credibility of the profession.
- How does a comprehensive fraud risk management program typically treat the trade-off between the cost of a control and the risk it mitigates?
- It implements every conceivable control regardless of cost
- It seeks controls whose benefits in reducing fraud risk justify their cost
- It ignores cost entirely in every case
- It avoids all controls to minimize cost
Correct answer: It seeks controls whose benefits in reducing fraud risk justify their cost
Seeks controls whose benefits justify their cost is correct because organizations have finite resources, so a sound program weighs the cost of each control against the fraud risk it reduces, concentrating investment where it provides the greatest risk reduction.
- Which of the following is the best illustration of an organization addressing the 'pressure' element of the Fraud Triangle through prevention?
- Eliminating the whistleblower hotline
- Removing all approval requirements
- Offering financial wellness resources and reasonable performance targets to ease undue stress
- Concealing controls from employees
Correct answer: Offering financial wellness resources and reasonable performance targets to ease undue stress
Offering financial wellness resources and reasonable targets is correct because addressing the pressure leg means reducing the undue personal and performance stresses that can motivate fraud, complementing controls that target opportunity.
- Which best describes the value of a fraud risk assessment to an organization's board and audit committee?
- It informs their oversight by showing where the organization is most exposed to fraud and whether responses are adequate
- It replaces the need for any board oversight
- It is solely a marketing exercise
- It is required only to file regulatory reports
Correct answer: It informs their oversight by showing where the organization is most exposed to fraud and whether responses are adequate
It informs oversight by showing exposure and adequacy of responses is correct because the assessment gives the board and audit committee a basis to evaluate whether management is adequately addressing the organization's most significant fraud risks.
- A company posts its code of conduct but tolerates senior leaders openly violating it without consequence. From a deterrence standpoint, the likely effect is that employees will:
- Be more deterred from committing fraud
- Increase their reporting of concerns
- Perceive that the rules are not genuinely enforced, weakening deterrence
- Conclude that controls are very strong
Correct answer: Perceive that the rules are not genuinely enforced, weakening deterrence
Perceive the rules are not enforced is correct because inconsistent enforcement, especially when leaders escape consequences, signals that the code is hollow, undermining the credibility of the program and weakening deterrence.
- Which of the following is the most accurate statement about the capability element in the Fraud Diamond relative to opportunity?
- Capability and opportunity are the same thing
- Opportunity opens the door, but capability is what enables a specific person to walk through it
- Capability makes opportunity unnecessary
- Opportunity always implies capability
Correct answer: Opportunity opens the door, but capability is what enables a specific person to walk through it
Opportunity opens the door but capability enables a person to walk through it is correct because the Fraud Diamond distinguishes the existence of an opening (opportunity) from the personal traits and position (capability) that allow a particular individual to exploit it.
- An anti-fraud program that establishes clear consequences, communicates them, and applies them consistently is leveraging which deterrence mechanism?
- Increasing the opportunity for fraud
- Raising the perceived certainty and severity of punishment for fraud
- Reducing the company's tax burden
- Eliminating the need for governance
Correct answer: Raising the perceived certainty and severity of punishment for fraud
Raising the perceived certainty and severity of punishment is correct because consistent, communicated consequences increase the perceived cost of committing fraud, which is a central deterrence mechanism alongside the perception of detection.
- Which of the following would a fraud examiner most likely recommend to strengthen an organization's control environment?
- Removing documentation requirements
- Reducing oversight of senior executives
- Adopting and modeling a strong code of ethics from the top of the organization
- Discouraging employees from reporting concerns
Correct answer: Adopting and modeling a strong code of ethics from the top of the organization
Adopting and modeling a strong code of ethics from the top is correct because the control environment depends on demonstrated ethical leadership; reinforcing values from the top strengthens the foundation on which all other anti-fraud controls rest.
- Why is collusion considered a significant limitation of internal controls in fraud prevention?
- When two or more people conspire, they can defeat segregation of duties and other controls designed to require independent action
- Collusion makes controls automatically stronger
- Collusion only affects external auditors
- Collusion is impossible in practice
Correct answer: When two or more people conspire, they can defeat segregation of duties and other controls designed to require independent action
When people conspire they can defeat segregation of duties is correct because many controls assume that separate individuals will act as independent checks; collusion breaks that assumption, which is why controls reduce but cannot eliminate fraud risk.