1. Fraud and Internal Controls: Fraud Prevention, Detection and
Incident Handling
2. Are Business Entities Inherently Susceptible to Control
Breakdowns?
- All controls break down over time
- Skill levels may not match needs
- Politics and personalities
- High level override is fairly easy
3. Where Our Issues Overlap
4. FRAUD RISK MANAGEMENT: Prevention/Deterrence, Prompt Detection,
Effective Response
6. Risk Management
- Acknowledging and controlling risks
- Solutions to protect and conserve the organization's resources
7. Example Risk Universe
8. Preventing Fraud: Assessing the Fraud Risk Management
Capabilities of Today's Largest Organizations (www.protiviti.com)
9. Protiviti Preventing Fraud Report
- Organizations are at different maturity points in their
capabilities to evaluate, mitigate and monitor fraud risk.
- Organizations are struggling to understand what Fraud Risk
Management means in the context of their daily operations.
- Education and awareness are critical issues that need greater
attention in order to successfully manage fraud risk.
10. Example Risk Universe
11. Fraud Risk Management
- Acknowledging and controlling fraud risks
- Solutions to protect and conserve the organization's resources
12. Fraud Risk Management Includes:
Impact:
13. What do we mean by Fraud?
14. Fraud Defined (Managing the Business Risk of Fraud: A Practical
Guide)
- is any intentional act or omission
- designed to deceive others,
- resulting in the victim suffering a loss
- the perpetrator achieving a gain.
15. Error versus Intent to Deceive
16. Key Elements
- Violates the perpetrator's fiduciary duties to the victim
organization
- Committed for the purpose of direct or indirect financial
benefit
- Costs the organization assets, revenue or reserves
17. Three Categories: Misappropriation, Manipulated Results,
Corruption
18. Corruption
- Using influence in a transaction to obtain unauthorized benefit
contrary to the person's duty to the employer
- Usually perpetrated by management, but often involves collusion
among internal and external parties
SHADOW DEALS
19. Corruption Examples
- Accepting or paying a bribe
- Engaging in a business transaction where there is an
undisclosed conflict of interest
20. How Big?
21. MACRO Fraud Risks
- Actions by leaders / abuse
- Misuse of restricted funds
- Lies in financial or program results
- Form 990 and other tax information
- Actions that damage reputation
22. MICRO Fraud Risks
- Receipts diversion/lapping
23. SYSTEMIC Fraud Risks
- Gift cards and travelers checks
24. Is it Wrong to Commit Fraud? ATTITUDE
25. DISCUSSION
- What keeps honest people honest?
- Beliefs, perceptions, attitudes
26. Three Cases, Four Attitudes
- The activity was within reasonable ethical and legal limits,
that is, not really illegal or immoral.
- The activity is within the individual's or organization's best
interest: that the individual would be expected to undertake the
activity.
27. Three Cases, Four Attitudes
- The activity is safe as it will never be found out or
publicized: the classic crime and punishment issue of
discovery.
- Because the activity helps the organization, the organization
will condone it and even protect the person who engages in it.
28. Single Largest Deterrent
29. DISCUSSION
- Therefore, why do some steal?
- Beliefs, perceptions, attitudes
30. Let's Agree
- Who commits fraud, and why?
31. Let's Agree
- Who commits fraud, and why?
- If they are already in, find them ASAP and get them out
32. Honesty Scale: Completely Dishonest to Completely Honest;
Pressure, Attitude, Opportunity
33. The Fraud Triangle: Opportunity, Pressure, Attitude
34.
- INCENTIVE OR PRESSURE: Inadequate compensation levels coupled
with an attitude of indifference by management and/or members of
governing bodies may create an incentive for employees to commit
fraud
- ATTITUDE: When employees are continually over-worked or asked
to work out of class without additional compensation they may
rationalize fraudulent acts as compensation for these additional
hours or efforts
- OPPORTUNITY: The lack of personnel or the lack of sufficiently
qualified personnel is prevalent in administrative and/or
accounting and finance functions in both government and
not-for-profit organizations.
35. For Consideration
Largest threat comes from inside the system
36. Management Override: Inherent Macro Risk ???
38. Cold Hard Facts
- Most fraud is done by those we trust
- Most will do it under the right (or wrong) circumstances
- Limited resources available to manage risks effectively
- Knowledge level needed may not be available internally
39. 13 High Opportunity Areas
- Areas not understood well by leaders
- Costs allocated to other cost centers
- Areas experiencing rapid growth
40. 13 High Opportunity Areas
- Locations or functions about to be closed or sold
- Areas or locations with a history of problems or poor
performance
- Joint ventures or other similar arrangements
- Records are kept by outsiders
- Areas that are politically protected
41. SAS 99: Consideration of Fraud in a Financial Statement
Audit
- Auditor Responsibilities:
- The auditor has a responsibility to plan and perform the audit
to obtain reasonable assurance about whether the financial
statements are free of material misstatement, whether caused by
fraud or error (AU sec. 110.02)
42. SAS 99: Consideration of Fraud in a Financial Statement
Audit
- Auditor Responsibilities:
- This statement [SAS 99] established standards and provides
guidance to auditors in fulfilling that responsibility, as it
related to fraud, in an audit of financial statements conducted in
accordance with generally accepted auditing standards (GAAS).
43. SAS 99: Consideration of Fraud
Required audit team brainstorming session
44. SAS 99: Consideration of Fraud
Introduces Human Psychology into the audit process
45. Professional Skepticism
- Attitude involving two aspects
- recognize possibility of fraud
- set aside past experience and beliefs
- despite beliefs re: integrity
- Critical assessment of evidence
- not satisfied with less than persuasive evidence
46. Lessons from Psychology
- We self-correct for information that does not fit our
assumptions
- Our perceptions about those we audit probably are
incomplete
- Categories allow us to quickly analyze data, sometimes
incorrectly
47. SAS 99: Consideration of Fraud
Commission, Conversion, Concealment
48. SAS 99: Consideration of Fraud
Required Skills: Communication, Technology, Forensic Accounting
50. Fraud Risk Management Program
- Prevention and Deterrence
ORGANIZATIONS MUST BE PREPARED AT ALL THREE LEVELS
52. 9 Suggestions
- Effective Governance and Oversight
- Strong Control Procedures and Behaviors
- Hotline in Place and Trusted
53. Internal Controls
Controls may be:
Effective internal control often includes a combination of
preventive and detective controls to achieve a specific control
objective
54. COSO Control Framework
55. Two Factors
56. HARD CONTROLS vs. SOFT CONTROLS (chart axes: HI / LOW)
57. Internal Controls
HARD CONTROLS: Policies, Procedures, Systems
Soft Controls: Simply: The competence, attention and integrity of
the people
58. Internal Controls
A process designed to provide reasonable assurance regarding the
achievement of objectives in the following categories:
- Effectiveness and efficiency of operations
- Reliability of financial reporting
- Compliance with laws and regulations
59. Business Controls
The processes designed to provide reasonable assurance regarding
the achievement of business and operating objectives
Effectiveness and efficiency of operations
Measures
HDWK
60. Managing the Business Risk of Fraud: A Practical Guide, July 7,
2008
61. Key Points
- Suitable fraud risk management oversight and expectations exist
(governance) Principle 1
- Fraud exposures are identified and evaluated (risk assessment)
Principle 2
- Appropriate processes and procedures are in place to manage
these exposures (prevention and detection) Principles 3 &
4
- Fraud allegations are addressed, and appropriate corrective
action is taken in a timely manner (investigation and corrective
action) Principle 5
62. Fraud Risk Assessment: Key Elements
- How might a fraud perpetrator exploit weaknesses in the system
of controls?
- How could a perpetrator override or circumvent controls?
- What could a perpetrator do to conceal the fraud?
64. How Fraud is Detected
- Managers and employees paying attention
65. Fraud Detection Steps
- Use discovery techniques aggressively
- Determine the cause of all fraud indicators surfaced
67. Comprehensive Fraud Exposure Analysis
- End Result: Fraud Risk Inventory
68. Creation of a Fraud Risk Inventory
- What has happened in the past?
- Can we catch it right away?
69. FRAUD RISKS
70. FRAUD RISKS
- Inflate hours on time cards
- THINGS WE DON'T KNOW ABOUT
71. FRAUD RISKS
72. Detection / Prevention / Indicator / Fraud Risk
Prevention:
- Independent verification of all first time payments
- Periodic verification of little known suppliers
- Focus on service providers
- Verify receipt of goods or services prior to payment
Detection:
- Reconcile all bank accounts immediately upon receipt of the
bank statement
- Examine all cancelled checks
- Periodically review all vendors and contractors for existence
and legitimacy
- REVIEW ALL MONTH END TRANSACTION REPORTS 100%
- Use Computer Data Mining Techniques to Surface Fraud
Indicators
Fraud Risk: Cash Disbursements, Fake Vendor:
- Fake documents are introduced into the payments system
- The invoice is from a consultant for services rendered
- Approval signatures are forged
- Funds are disbursed by check
- The check is deposited into the personal checking account of a
volunteer
- The transaction is charged to Consulting Expenses in the
accounting system
Indicator:
- Unknown vendor / contractor
- Same as employee or volunteer
- No phone number on invoice
- Unknown charges on cost center reports
73. Control to Detect / Control to Prevent / Indicator / Fraud
Risk
NATURE, TIMING and EXTENT of AUDIT PROCEDURES
Fraud Risk:
- Fake documents are introduced into the payments system
- The invoice is from a consultant for services rendered
- Approval signatures are forged
Indicator:
- Unknown vendor / contractor
- Same as employee or volunteer
- No phone number on invoice
Control to Prevent:
- Independent verification of all first time payments
- Periodic verification of little known suppliers
- Focus on service providers
- Verify receipt of goods or services prior to payment
Control to Detect:
- Reconcile all bank accounts immediately upon receipt of the
bank statement
- Examine all cancelled checks
- Periodically review all vendors and contractors for existence
and legitimacy
- REVIEW ALL MONTH END TRANSACTION REPORTS 100%
74. Detection / Indicator / Fraud Risk: Cash Disbursements, Fake
Vendor Scheme
Detection:
- Reconcile all bank accounts immediately upon receipt of the
bank statement
- Examine all cancelled checks
- Periodically review all vendors and contractors for existence
and legitimacy
- REVIEW ALL MONTH END TRANSACTION REPORTS 100%
- Use Computer Data Mining Techniques to Surface Fraud
Indicators
Indicator:
- Unknown vendor / contractor
- Same as employee or volunteer
- No phone number on invoice
- Unknown charges on cost center reports
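The fake vendor indicators on slides 72 to 74 can be checked mechanically, which is what the "data mining" bullet points at. The following is an added example, not part of the original presentation: a small pass over constructed payment records that flags each listed indicator. The field names, the sample data, and the reading of "same as employee or volunteer" as an address match are assumptions.

```python
import re

# Constructed sample records; every field name here is an assumption.
STAFF = [
    {"name": "Pat Doe", "role": "volunteer", "address": "12 Elm St., Apt 4"},
    {"name": "Lee Roe", "role": "employee", "address": "9 Oak Avenue"},
]
APPROVED_VENDORS = {"Acme Office Supply", "City Utilities"}
SERVICE_ACCOUNTS = {"Consulting Expenses"}
PAYMENTS = [
    {"id": 1, "payee": "Acme Office Supply", "address": "400 Main St",
     "phone": "555-0100", "account": "Supplies"},
    {"id": 2, "payee": "PD Consulting", "address": "12 elm st apt 4",
     "phone": "", "account": "Consulting Expenses"},
    {"id": 3, "payee": "City Utilities", "address": "1 Power Plaza",
     "phone": "555-0101", "account": "Utilities"},
    {"id": 4, "payee": "Northside Printing", "address": "77 Mill Rd",
     "phone": "555-0102", "account": "Printing"},
]


def norm_addr(addr):
    """Lower-case, drop punctuation, collapse spaces so variants compare equal."""
    cleaned = re.sub(r"[^a-z0-9 ]", "", addr.lower())
    return re.sub(r"\s+", " ", cleaned).strip()


def flag_payments(payments, staff, approved, service_accounts):
    """Return {payment id: [indicators]} for payments with at least one indicator."""
    staff_by_addr = {norm_addr(s["address"]): s for s in staff}
    flagged = {}
    for p in payments:
        hits = []
        if p["payee"] not in approved:
            hits.append("unknown vendor / contractor")
        match = staff_by_addr.get(norm_addr(p["address"]))
        if match:
            hits.append(f"address same as {match['role']} {match['name']}")
        if not p["phone"].strip():
            hits.append("no phone number on invoice")
        # Service charges leave no goods receipt to check, so note them on flagged items.
        if hits and p["account"] in service_accounts:
            hits.append("service provider charge")
        if hits:
            flagged[p["id"]] = hits
    return flagged


if __name__ == "__main__":
    for pid, hits in flag_payments(PAYMENTS, STAFF, APPROVED_VENDORS, SERVICE_ACCOUNTS).items():
        print(pid, "; ".join(hits))
```

A flagged payment is a lead for the follow-up the slides call for (verifying vendor existence, examining the cancelled check), not a finding in itself.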
75. Detection Controls / Prevention Controls / Indicator / Fraud
Risk
HARD CONTROLS / Soft Controls
76. Fraud Controls
- Simply: The competence, attention and
Policies, Procedures, Systems
79. Effective Fraud Handling
80. Investigative Resources
- Experienced investigators
- Computer forensics specialists
81. SPECIAL CHALLENGES: Override / Collusion, Shadow Deals, Time
83. Last Thoughts
- Teach others what they need to know to be effective
- Look for fraud indicators. Design and perform discovery based
steps
- Follow up / formally refer all suspicions
85. Further Questions or Comments??
- jhall@hallconsulting.biz