Audit’s Role in

Creating an Anti-Fraud

EnvironmentThe IIA Los Angeles Chapter

October 2, 2017

John J. Hall, CPA(970) 926-0355

John@JohnHallSpeaker.com

To create and maintain a

business environment where:

Objective

1. The likelihood of fraud and otherwrongdoing is minimized

2. Incidents that do occur aredetected promptly

3. Incidents are handled efficiently,effectively, fairly and consistently

In many organizations,

Internal Auditors

know more about

Fraud Risk Management

than anyone else.

Value-Add Opportunity

Provide the Missing Structure

1. Deterrence and Prevention

2. Early Detection

3. Effective Handling

Fraud Risk ManagementFramework

ORGANIZATIONS (and their auditors)MUST BE PREPARED AT ALL THREE LEVELS

1. Visible and Vocal Leadership

2. Active Fraud Risk Brainstorming

3. Policy on Fraud Responsibilities

4. Anti-Fraud Controls

5. Anti-Fraud Behaviors

6. Anti-Fraud “How To” Skills Training

7. Defense Against SpecialChallenges

8. Fraud Response in Place

8 Anti-Fraud Actions

CUMULATIVE IMPACT

Visible and Vocal

Executive

Leadership

Deterrence and Prevention

Every Fraud CaseShould RaiseOne Question

Nothingmeaningful happens

and is sustainedwithout visible, vocal

CEO involvement

The CEO Must Lead the Charge

Leaders at all

levels must

talk about it

explicitly

Tone: Top, Middle & Bottom

Employee

expectations

should be

actively stated

Tone: Top, Middle & Bottom

1. Never assume that others know whatyou expect

2. Put it on the agenda at a staffmeeting

3. Say, “We’ve never talked about fraudprevention and detection before –Here’s what I expect of you”

4. Include your thoughts on risks,awareness, prevention, earlydetection and proper response

Clarify Fraud Expectations

The Curse of Knowledge

No one understandsanything untilyou tell them

Explicit Communication

Active Meaningful

Fraud Risk

Brainstorming

Deterrence and Prevention

Fraud Risk

Brainstorming:

Think Like A Thief(when you don’t know how)

THE CHALLENGE

“Be aware of fraud risks”

is imprecise and

leads to

confusion and

uncertainty

1. How could someone exploit

weaknesses in our controls

and daily behaviors?

2. How could someone override

or circumvent our controls?

3. How could someone conceal

their wrongful actions?

Three Question Script

Ask and Answer

…begin (plan)

with the

PRESUMPTION

that a fraud event

has already occurred

THE SECRET SAUCE

Fraud Loss ScorecardHIGH LOW

1 Disbursements $ XXX $ XXX

2 Inventory

3 Construction/Facilities

4 Health Care Costs

5 Payroll

6 T&M contracts

7 T&E reimbursement

8 Other – Unique to You

TOTAL $ XXX $ XXX

Managing the

Business Risk

of Fraud:

A PracticalGuide

Policy on

Fraud

Responsibilities

Deterrence and Prevention

1. Positive message

2. Manager and staff responsibilities

3. Exposure awareness

4. Procedures & behaviors to prevent

5. Procedures & behaviors to detect

6. What to do / what not to do

7. Emphasis on SUSPECTED acts

8. Annual certification?

Policy on Fraud Responsibilities

1. Not a police-state mentality

2. Managing fear and distrust

3. Not ‘gloom and doom’

4. Just good management to

state requirements

5. Inclusive ‘call to arms’

Balance is Important

1. Prevent what you can

2. Catch what slips through

3. Speak up about the SOC!

Require Reporting?

1. Consider making reporting of

suspected violations mandatory.

2. Periodic employee sign off is a good

way to track awareness.

3. Add a sign off where employees

acknowledge that they are not aware

of violations by others.

1. Make it as positive as possible

1. Fraud ‘Hotline’ in place, understoodand trusted

2. Consider retaining a third-partyservice to administer your hotline

3. Tell everyone exactly how thehotline works

Make it Easy to Report

Clear Instructions

Do Not Ensure

Clear Actions

But it’s a good start

MGM Resorts

When YOUSee Something

YOU SaySomething

Anti-Fraud

Controls

Deterrence and Prevention

Anti-Fraud Controls1. Fraud exposures are identified.

2. Specific control procedures andbehaviors are developed,implemented and maintained toboth prevent these events fromhappening and to detect thempromptly should they occur.

3. Controls include emphasis on bothhard control procedures and softcontrol behaviors.

Effective

Internal Controls

Procedures

Behaviors

1. Leadership words and deeds

2. Culture of quality

3. Finance and accounting knowledge

4. Exposure assessment

5. Limited access

6. Policies, procedures and systems

7. Transaction initiation, review and approval

8. Effective screening (and re-screening)

Control Procedures

Enterprise levelFunctional levelTransaction level

High

Low High

BEHAVIORS

PROCEDURES

High

Low High

BEHAVIORS

PROCEDURES

High

Low High

BEHAVIORS

PROCEDURES

I

IIIV

III

High

Low High

BEHAVIORS

PROCEDURES

I

IIIV

III

10 Reasons

Anti-Fraud Controls

Break Down

(How Many Have You Seen in 2017?)

10 ReasonsControls Break Down

1. Blind trust

Dallas ISD Purchasing Cards

“Secretarycharges

$383,788,has no receipts”

Dallas MorningNews

July 2, 2006

10 ReasonsControls Break Down

1. Blind trust

2. Willful blindness

10 ReasonsControls Break Down

1. Blind trust

2. Willful blindness

3. Not having the information needed toassure transactions are proper

Valid business license and TIN

Sent one low value item

UPS receipt – False security

10 ReasonsControls Break Down

1. Blind trust

2. Willful blindness

3. Not having the information needed toassure transactions are proper

4. Culture of not questioning thestrange, odd and curious

10 ReasonsControls Break Down

1. Blind trust

2. Willful blindness

3. Not having the information needed toassure transactions are proper

4. Culture of not questioning thestrange, odd and curious

5. Situational incompetence

10 ReasonsControls Break Down

6. The process mentality

10 ReasonsControls Break Down

6. The process mentality

7. Not enough time to do the controlprocedures

10 ReasonsControls Break Down

6. The process mentality

7. Not enough time to do the controlprocedures

8. Not enforcing documentationrequirements

10 ReasonsControls Break Down

6. The process mentality

7. Not enough time to do the controlprocedures

8. Not enforcing documentationrequirements

9. Intentional override

10 ReasonsControls Break Down

6. The process mentality

7. Not enough time to do the controlprocedures

8. Not enforcing documentationrequirements

9. Intentional override

10. Acceptance of the situation

High

Low High

BEHAVIORS

PROCEDURES

I

IIIV

III

Anti-Fraud

Behaviors

Deterrence and Prevention

SIMPLICITY

4 Behaviors

1. Most fraud leaves clues in therecords or behavior. Know and lookfor these clues.

2. Look in management reports,complaints, shortages, variances,month end cost center reports.

3. If it looks odd to you, it probablyis…

Look for Strange, Odd & Curious

1. Verify important details.

2. Utilize a“show me how you…”rather than a “do you…” approach.

3. Make sure people know that they’reresponsible for their signature:

Journal entries

Exceptions

Disbursements

Reconciliations

Overrides

Use “How Do I Know”

1. If something looks or feels wrong toyou in your area, it probably is. Youare in the best position to know.

2. Choose to follow up to determine thecause of indicators and behaviors.

3. If you’re not sure, check details.

4. If you’re still not sure, get help!Refer suspicions for resolution.

When in Doubt, Doubt

4 Behaviors

Anti-Fraud

“How To”

Skills Training

Deterrence and Prevention

Agenda

1. Managers and staff

2. Internal auditors

3. External auditors

4. Third parties

5. The fraudster

6. Luck or accident

How Fraud is Detected

Managers, supervisors and

key control employees

want to be part of the solution –

but often do not know how

The Core Issue

Which of the four options below would make the mostsignificant impact on helping your organization be moreeffective in fighting fraud, misconduct, and wrongdoing?

Implementing a Fraud Policy

Conducting an organization-wideComprehensive Fraud Exposure Analysis,including the creation of a Fraud Risk Inventory

Providing awareness, prevention and earlyDetection Skills Training for managers and staff

A

DCatching and Prosecuting Wrongdoers

B

C

Which of the four options below would make the mostsignificant impact on helping your organization be moreeffective in fighting fraud, misconduct, and wrongdoing?

Implementing a Fraud Policy

Conducting an organization-wideComprehensive Fraud Exposure Analysis,including the creation of a Fraud Risk Inventory

Providing awareness, prevention and earlyDetection Skills Training for managers and staff

14%

10%Catching and Prosecuting Wrongdoers

14%

62%

1. All new hires

2. All new supervisors

3. Executives and Board members

4. Relevant third parties

5. Periodic reminders for everyone

Who Do We Train?

Include real cases and documentsFind a way to say what happened

1. General knowledge of fraud risks

2. What can happen in their areas

3. What it looks like in documents,reports and behaviors they see

4. Suggestions on prevention

5. Suggestions on prompt detectionwhen prevention fails

What Skills Are Needed

1. Group live

2. Technology-based Teleseminars

Webinars

Video

3. 1 on 1 coaching by supervisors

4. 1 on 1 by auditors

5. Written

How Do We Deliver Training?

Good Questions Before Approving:

1. Invoices from suppliers

2. Out of pocket cost reimbursement

3. Purchasing card transactions

4. Time sheets

5. Invoices from contractors

6. One time wire transfers

7. Journal entries

Newsletter Article Ideas

TheChecklistManifesto

Atul Gawande

Defense Against

Special

Challenges

Deterrence and Prevention

Unique to Organization

Industry Specific

Third Party Relationships

Black Swan Events

Override

SPECIAL CHALLENGES

Fraud Response

In Place And

Ready To Go

Deterrence and Prevention

1. Response mechanism

2. Investigation

3. Loss recovery

4. Control weaknesses

5. External authorities

6. Publicity

7. Morale and HR concerns

Effective Fraud Handling

1. Be ready to respond to fraudincidents before they surface.

2. Identify the skills andrelationships that might beneeded, and assemble them inadvance.

Build Response Before Needed

3. Think through what message todeliver to employees, customers,the press and others. Craft thatmessage now.

4. Be clear on who is authorized toinvestigate, handle requests forinformation, and interact withany outside parties.

Build Response Before Needed

1. Managing “It’s best not to…”

2. Debunking “They won’t do anything”

3. Fraud by management

4. Fraud for the organization

5. Protection of confidential information

6. Fear of litigation

Report to the Authorities?

Get Competent AdviceBe Consistent

1. Be clear: who talks to the press

2. Craft the message in advance

3. Don’t be pulled into speculation

4. Make sure all employees know what to

do (and what to avoid) if approached

by the press

5. It’s OK to smile politely, say nothing,

and walk away

What if the Press Finds Out?

1. Our first priority is protection of theinnocent

2. Share what we can at the appropriatetime

3. Emphasize the lessons learned

4. Assure that the handling is professional,fair and respectful

5. Take confident action and do the rightthing – for them

What About the Employees?

1. Visible and Vocal Leadership

2. Active Fraud Risk Brainstorming

3. Policy on Fraud Responsibilities

4. Anti-Fraud Controls

5. Anti-Fraud Behaviors

6. Anti-Fraud “How To” Skills Training

7. Defense Against SpecialChallenges

8. Fraud Response in Place

8 Anti-Fraud Actions

CUMULATIVE

Deterrence, PreventionPrompt Detection, and

Efficient Handling

John J. Hall

John@JohnHallSpeaker.com

www.JohnHallSpeaker.com

(970) 926 0355

Questions, Comments,Further Info on How We Can Help

www.JohnHallSpeaker.com