Date post: | 19-Jan-2017 |
Category: |
Data & Analytics |
Upload: | chris75308 |
View: | 678 times |
Download: | 0 times |
Strategies for Implementing a Formal and Effective Anti-Fraud
Program
Josh Shilts CPA/CFF, CFE
MIS Training Institute Session 13 - Slide 2
We will NOT discuss: The definition of Fraud Types & Categories of Fraud Why people commit fraud
What we will do: Discuss steps for you to use in implementing your anti-
fraud program (“AFP”) Assess and understand fraud management & forensic
accounting techniques Understand what is necessary for an anti-fraud program
to be effective in your organization Review tools that can be used by you in implementing
an anti-fraud program
Key Points
MIS Training Institute Session 13 - Slide 3
Anti-Fraud Program Objective
Prevent or detect the occurrence of fraud and implement proactive solutions to reduce or eliminate fraud’s effects on the organization…
MIS Training Institute Session 13 - Slide 4
Before We Begin, Remember…
The design of an organization’s formal and effective anti-fraud program evolves from the collaborative efforts of executive management, oversight committees, and specific departments within the organization…
YOU CAN’T DO IT ALONE
MIS Training Institute Session 13 - Slide 5
BenchmarkWhat are we doing now?
“Routine” Audits SOX & other regulatory audits Code of Conduct Management Oversight (financial
reconciliation, expense reporting reviews, etc.)
Pre -Implementation Steps
What can we be doing? Continuous Assurance Training (auditors, business
owners) Anti-fraud audit procedures Enhanced Due Diligence
procedures (employee hiring, vendor on-boarding, etc.)
Management Buy-In Potential cost savings
Ex. 5% (per ACFE the avg. loss) X Gross Expenses
Operational Improvements Strengthen Control Environment Identify Operational Efficiencies Risks lead to Opportunities
VS.
MIS Training Institute Session 13 - Slide 6
Benchmark/GAP Analysis Identify “Best Practices” and other sources
to Benchmark existing activities against to identify elements already established…
Analyze current procedures and protocols to determine if applicable to anti-fraud initiatives…
Engage others within your organization and executive management to provide feedback on existing practices…Document and present your analysis…
Element ActivityExceeds
Expectations
Meets Expectatio
ns
Does Not Meet
ExpectationsResponsible
Party(s)Enhancement Opportunities
Prevention Anti-Fraud Training X Compliance
Begin training within specific departments (i.e. Acctg.)
Investigation &
Corrective Action
Investigative process is
clearly definedX Compliance
& SecurityFormalize investigation process and define specific roles & responsibilities
Detection Analytical Reviews X Internal Audit
Review analytical programs to determine if enhancement areas existAssign activities to meet element objectives and determine if your
program is meeting those defined objectives…
MIS Training Institute Session 13 - Slide 7
Established Benchmark GuidanceAssess current procedures against established
frameworks/guidance…
Identify opportunities for improvement (e.g. modify or implement procedures, protocols, etc)...
IIA, ACFE and AICPA’s “Managing the Business Risk of Fraud: A Practical Guide”, April 2008
IIA’s International Professional Practices Framework (“IPPF”) – Practice Guide: “Internal Auditing and Fraud”, December 2009
MIS Training Institute Session 13 - Slide 8
1210.A2 – Internal auditors must have sufficient knowledge to evaluate the risk of fraud and the manner in which it is managed by the organization, but are not expected to have the expertise of a person whose primary responsibility is to detect and investigate fraud;
1220.A1 – Internal auditors must exercise due professional care by considering the...probability of significant errors, fraud, or noncompliance...;
2120.A2 – The internal audit activity must evaluate the potential for the occurrence of fraud and how the organization manages fraud risk;
2210.A2 – Internal auditors must consider the probability of significant errors, fraud, noncompliance, and other exposures when developing the engagement objectives; and
2060 – The chief audit executive must report periodically to senior management and the board of directors on the internal audit activity’s purpose, authority, responsibility, and performance relative to its plan. Reporting must also include significant risk exposures and control issues, including fraud risks, governance issues, and other matters needed or requested by senior management and the board of directors.
IIA Fraud Standards
Guidance provided by The IIA’s International Professional Practices Framework
MIS Training Institute Session 13 - Slide 9
Governance - The program should include a written policy (or policies) to convey the expectations of the board of directors and the executive management team regarding managing fraud risk.
Fraud Risk Assessment - An organization’s fraud risk exposure should be assessed periodically by the organization to identify specific scenarios that the organization needs to mitigate.
Prevention - Prevention techniques to avoid potential key fraud risk events should be established, where feasible, to mitigate possible impacts on the organization.
Detection - Detection techniques should be established to uncover fraud events when preventive measures fail or unmitigated risks are realized.
Investigation & Corrective Action - A reporting process should be in place to solicit input on potential fraud and a coordinated approach to investigation and corrective action should be used to help ensure potential fraud is addressed appropriately and timely. The investigative function should be coordinated between appropriate parties selected by management.
Anti-Fraud Program Elements
MIS Training Institute Session 13 - Slide 10
Benchmark/Gap AnalysisElements of
Effective Anti-Fraud
Management
Executive Leadershi
pCompliance Legal Audit Security Accountin
g HR
Tone at the Top XCode of Conduct X X Establish & Maintain System of Internal Controls X XInternal Control Reviews XDeter & Detect Potential Conflicts of Interest X XHotline Administration XInvestigation of Fraud Allegations X X X XReferral to Law Enforcement XFraud & Compliance Awareness Training X XCivil Litigation and Recovery of Losses Due to Fraud XCorrective Actions / Remediation to Prevent Recurrences of Fraud
X
Proactive Fraud Auditing XFraud Risk Assessment X XEmployee Assistance Program X
Responsibility matrices can assist you in identifying and assigning responsibilities…
Use the matrix to benchmark, clearly define roles & responsibilities and periodic evaluations…
MIS Training Institute Session 13 - Slide 11
Governance
Image obtained from the ACFE’s article “Who Owns Fraud? Uniting Everyone to Effectively Manage the Anti-Fraud Program” by Dan Tropey, CPA and Mike Sherrod, CFE, CPA
MIS Training Institute Session 13 - Slide 12
Governance Best Practices Formal Anti-Fraud Policy – conveying the expectations of the
board of directors and executive management. The policy (or policies) can include:
Organization’s Definition of Fraud Organization’s attitude toward fraud (i.e. Zero-Tolerance,
Materiality) Relationship between anti-fraud and Code of Conduct Summary of Fraud Control Strategies Overview of Fraud Risk Management functions Procedures for Reporting Fraud (i.e. Whistleblower Hotline) HR Employment Conditions and Processes Investigation Procedures (e.g. Confidentiality Protocol,
Privilege, Fraud Response Management, Root-Cause Analysis) Department/Committee Roles & Responsibilities Attitude towards retaliation
MIS Training Institute Session 13 - Slide 13
Identify
Analyze
Asses
s
Implement
Monito
r
Plan
Risk Assessment Process
MIS Training Institute Session 13 - Slide 14
Risk Assessment - Categories
*Refer to the 2010 Report to the Nations on Occupational Fraud and Abuse, ACFE
Present your “FRA” at a level that board members/executive management can understand…
Use these categories and a Top-Down approach to build your Fraud Scheme Repository …
MIS Training Institute Session 13 - Slide 15
Risk Assessment – Fraud Scheme Mngt.
Using the categories defined for presentation purposes build a granular fraud scheme repository specific to your organization’s activities & risks…
The repository schemes can then be tracked and measured at a granular level and rolled up to assist in measuring the sub-risk and categories…
Vendor A is required to pay the bidding manager $2,000 to participate in the bidding process
Extortion Corruption
Funds are misappropriated to a shell company. Vendor setup is colluding with accounts payable.
Fraudulent Disbursement – Billing
SchemeAsset
Misappropriation
Management has decided to book revenue for items shipped and ships items to meet expectations.
Financial – Fictitious Revenues
Fraudulent Statements
KPIs Mitigation Actions1. Hotline Statistics 1. SOX Controls2. SEC Enforcement Actions 2. Audit Procedures
Fraud Scheme Sub Risk Category
MIS Training Institute Session 13 - Slide 16
Risk Assessment - MeasuresKPIs and Mitigating Activities provide “real” data to support your assessment; however, Management should be updated and risks ranked by using the…
Magnitude (i.e. Significance):High (3) = > $10 MillionMed (2) = Between $4 Million and $10 MillionLow (1) = < $4 Million
Likelihood (i.e. Controls, Mitigating Activity):Strong (1) = Preferred PracticeGood (2) = AdequateLow (3) = Needs Improvement
Likelihood (i.e. Pressure, Occurrence):High (3) = Significant pressureMed (2) = Moderate pressureLow (1) = Little to no pressure
Magnitude + Likelihood [(Controls) + (Pressure)] = Rank$s should reflect your Organization’s Appetite
MIS Training Institute Session 13 - Slide 17
Risk Assessment - Presentation
Magnitude
Major >$50M 5
Substantial >$25M 4
Moderate >$ 10M 3
Minor >$1M 2
Insignificant <$1M 1
Define how Financial Impact is measured (i.e. Net Income, Revenues, etc.)
1 2 3 4 5
Remote Unlikely Possible Likely Almost Certain
Likelihood
12
11
3
10
4
6
5
14
13
2
15
9
8
1
7
Heat Map
Other Measures(1) Velocity – Measurement of the rate of change…
· Measure as Immediate, Rapid or Slow
(2) Risk – Gross & ResidualGross before Mitigating Activities and Residual Measures After
· Measure as High, Medium or Low
MIS Training Institute Session 13 - Slide 18
PreventionPrevention techniques are as varied as the industries and size of businesses we work in…
Company/Department
Policies & Procedures
Training
Internal Audit Activity
“Tone at the Top”
Background Checks
External Audit
Vendor Due Diligence
Established Authority
Limits
Exit Interviews
Evaluation Performance &
Compensation Programs
Security CamerasSegregation of Duties
IT Access Controls
SOX/ICFR
Perception of Detection
Anti-Retaliation Policy
MIS Training Institute Session 13 - Slide 19
Prevention – Keep your Ears on the Track
Continue to improve & enhance these activities based on past experiences, new concepts and information from your fraud risk assessment…
1. Integrate current activities with anti-fraud objectives
2. Continue to assess preventative activities as part audit and SOX procedures and identify ways to improve prevention activities
3. Adjust preventive activities based upon new ideas, frauds, etc.
4. Seek feedback from business owners
5. Try to stay ahead of the Fraudster by educating yourself and your team
MIS Training Institute Session 13 - Slide 20
DetectionStructured
Audits Fraud Training/Planning embedded in plan Fraud-Specific Audits Other Department Audits
Continuous Assurance Base review areas on Assessment Analytic Tools
SOX/IFRS Control Reviews
Whistleblower Programs
Analytical Financial Data Reviews
UnstructuredEmails , Instant Messages
Key Word Searches Base on high risk areas
Memos, Contracts, Invoice Details, etc. Dates, $s, names, etc.
MIS Training Institute Session 13 - Slide 21
Detection – Use Existing KnowledgeLeading & Lagging Indicators
1. Hotline Complaints2. Fraud Risk Research Stats3. New Audits w/ Fraud
Objectives
1. Ratio Analysis2. Prior Audit Findings3. Hotline Complaint Trends
Audit Planning & Testing Training
SOX/ICFR Testing Continuous Monitoring Focus Areas
Fraud Risk Assessment
Audit Planning
Policy ObjectivesManagement/Employee Awareness
MIS Training Institute Session 13 - Slide 22
Detection – Fraud MaterialityMateriality is a concept or convention within auditing and accounting relating to the importance/significance of an amount, transaction, or discrepancy
FRAUD HAS NO MATERIALITY
1. Define your company’s fraud appetite
2. Review local laws/regulations for guidance on criminal fraud amounts
3. Project potential total losses over time
ASSESS & DECIDE
MIS Training Institute Session 13 - Slide 23
Concept of Forensic Accountant vs. Fraud Manager
Forensic accountants are experienced auditors, accountants, and investigators of legal and financial documents that are hired to look into possible suspicions of fraudulent activity within a company…
Whereas various individuals are fraud managers in that they assist in the deterrence and/or detection of fraud or indications of fraud…
MIS Training Institute Session 13 - Slide 24
Investigation & Corrective Action1. A reporting process should be in place to solicit input
on potential fraud.2. A coordinated approach to investigation and corrective action
should be used to help ensure potential fraud is addressed appropriately and timely (“Fraud Response Plan”).
3. The investigative function should be coordinated between appropriate parties selected by management (Who is the quarterback?).
4. The function should clearly define the roles and responsibilities of identifying, responding and reporting to an alleged fraud. Including internal and external resources. Build the investigation team based upon skill sets.
5. Each part of the investigative process should be clearly documented and reported. Legal should be involved within the process to provide guidance.
6. Maintain consistent disciplinary procedures. “Set the tone” within the organization with respect to fraud.
7. As part of this process management should review the investigation’s findings to determine what the appropriate follow-up should be.
8. The investigative team should also review periodically their process to determine if there are improvement opportunities (i.e. learning roundtables).
MIS Training Institute Session 13 - Slide 25
Investigation & Corrective Action Corrective actions can include a root-cause analysis, internal
control or process improvement reviews and/or criminal or civil actions…
Coordinate remediation action steps across business units
Utilize the investigation findings to determine the likelihood of the potential fraud risk from
reoccurring and learn how to effectively mitigate the action
Determine the value of your actions and present
to management
MIS Training Institute Session 13 - Slide 26
Now What?Prioritize Your Next Steps
• Management Buy In• Explain the value (Regulations or $
Savings)• Find your place at the “Table”
• Internal Audits Role• Define your Plan
• Risk Assessment, Detection/Prevention• Measure, Assess and Adjust
• Manage resources efficiently and effectivelyNEVER Stop Thinking of New Ways to Prevent or Detect Fraud
MIS Training Institute Session 13 - Slide 27
Questions