Audit’s Role in Creating an Anti-Fraud Environment
The IIA Los Angeles Chapter
October 2, 2017
John J. Hall, CPA
(970) 926-0355
Objective
To create and maintain a business environment where:
1. The likelihood of fraud and other wrongdoing is minimized
2. Incidents that do occur are detected promptly
3. Incidents are handled efficiently, effectively, fairly and consistently
In many organizations, Internal Auditors know more about Fraud Risk Management than anyone else.
Value-Add Opportunity
Provide the Missing Structure
1. Deterrence and Prevention
2. Early Detection
3. Effective Handling
Fraud Risk Management Framework
ORGANIZATIONS (and their auditors) MUST BE PREPARED AT ALL THREE LEVELS
1. Visible and Vocal Leadership
2. Active Fraud Risk Brainstorming
3. Policy on Fraud Responsibilities
4. Anti-Fraud Controls
5. Anti-Fraud Behaviors
6. Anti-Fraud “How To” Skills Training
7. Defense Against Special Challenges
8. Fraud Response in Place
8 Anti-Fraud Actions
CUMULATIVE IMPACT
Visible and Vocal Executive Leadership
Deterrence and Prevention
Every Fraud Case Should Raise One Question
Nothing meaningful happens and is sustained without visible, vocal CEO involvement
The CEO Must Lead the Charge
Leaders at all levels must talk about it explicitly
Tone: Top, Middle & Bottom
Employee expectations should be actively stated
Tone: Top, Middle & Bottom
1. Never assume that others know what you expect
2. Put it on the agenda at a staff meeting
3. Say, “We’ve never talked about fraud prevention and detection before – Here’s what I expect of you”
4. Include your thoughts on risks, awareness, prevention, early detection and proper response
Clarify Fraud Expectations
The Curse of Knowledge
No one understands anything until you tell them
Explicit Communication
Active Meaningful Fraud Risk Brainstorming
Deterrence and Prevention
Fraud Risk Brainstorming:
Think Like A Thief (when you don’t know how)
THE CHALLENGE
“Be aware of fraud risks” is imprecise and leads to confusion and uncertainty
1. How could someone exploit weaknesses in our controls and daily behaviors?
2. How could someone override or circumvent our controls?
3. How could someone conceal their wrongful actions?
Three Question Script
Ask and Answer
…begin (plan) with the PRESUMPTION that a fraud event has already occurred
THE SECRET SAUCE
Fraud Loss Scorecard
                              HIGH     LOW
1 Disbursements               $ XXX    $ XXX
2 Inventory
3 Construction/Facilities
4 Health Care Costs
5 Payroll
6 T&M contracts
7 T&E reimbursement
8 Other – Unique to You
TOTAL                         $ XXX    $ XXX
Managing the Business Risk of Fraud: A Practical Guide
Policy on Fraud Responsibilities
Deterrence and Prevention
1. Positive message
2. Manager and staff responsibilities
3. Exposure awareness
4. Procedures & behaviors to prevent
5. Procedures & behaviors to detect
6. What to do / what not to do
7. Emphasis on SUSPECTED acts
8. Annual certification?
Policy on Fraud Responsibilities
1. Not a police-state mentality
2. Managing fear and distrust
3. Not ‘gloom and doom’
4. Just good management to state requirements
5. Inclusive ‘call to arms’
Balance is Important
1. Prevent what you can
2. Catch what slips through
3. Speak up about the SOC!
Require Reporting?
1. Consider making reporting of suspected violations mandatory.
2. Periodic employee sign off is a good way to track awareness.
3. Add a sign off where employees acknowledge that they are not aware of violations by others.
1. Make it as positive as possible
1. Fraud ‘Hotline’ in place, understood and trusted
2. Consider retaining a third-party service to administer your hotline
3. Tell everyone exactly how the hotline works
Make it Easy to Report
Clear Instructions Do Not Ensure Clear Actions
But it’s a good start
MGM Resorts
When YOU See Something
YOU Say Something
Anti-Fraud Controls
Deterrence and Prevention
Anti-Fraud Controls
1. Fraud exposures are identified.
2. Specific control procedures and behaviors are developed, implemented and maintained to both prevent these events from happening and to detect them promptly should they occur.
3. Controls include emphasis on both hard control procedures and soft control behaviors.
Effective Internal Controls
Procedures
Behaviors
1. Leadership words and deeds
2. Culture of quality
3. Finance and accounting knowledge
4. Exposure assessment
5. Limited access
6. Policies, procedures and systems
7. Transaction initiation, review and approval
8. Effective screening (and re-screening)
Control Procedures
Enterprise level
Functional level
Transaction level
[Figure: quadrant chart of BEHAVIORS versus PROCEDURES, each axis running Low to High, with quadrants labeled I, II, III and IV]
10 Reasons Anti-Fraud Controls Break Down
(How Many Have You Seen in 2017?)
10 Reasons Controls Break Down
1. Blind trust
Dallas ISD Purchasing Cards
“Secretary charges $383,788, has no receipts”
Dallas Morning News
July 2, 2006
2. Willful blindness
3. Not having the information needed to assure transactions are proper
Valid business license and TIN
Sent one low value item
UPS receipt – False security
4. Culture of not questioning the strange, odd and curious
5. Situational incompetence
6. The process mentality
7. Not enough time to do the control procedures
8. Not enforcing documentation requirements
9. Intentional override
10. Acceptance of the situation
[Figure: quadrant chart of BEHAVIORS versus PROCEDURES, each axis running Low to High, with quadrants labeled I, II, III and IV]
Anti-Fraud Behaviors
Deterrence and Prevention
SIMPLICITY
4 Behaviors
1. Most fraud leaves clues in the records or behavior. Know and look for these clues.
2. Look in management reports, complaints, shortages, variances, month end cost center reports.
3. If it looks odd to you, it probably is…
Look for Strange, Odd & Curious
1. Verify important details.
2. Utilize a “show me how you…” rather than a “do you…” approach.
3. Make sure people know that they’re responsible for their signature:
Journal entries
Exceptions
Disbursements
Reconciliations
Overrides
Use “How Do I Know”
1. If something looks or feels wrong to you in your area, it probably is. You are in the best position to know.
2. Choose to follow up to determine the cause of indicators and behaviors.
3. If you’re not sure, check details.
4. If you’re still not sure, get help! Refer suspicions for resolution.
When in Doubt, Doubt
4 Behaviors
Anti-Fraud “How To” Skills Training
Deterrence and Prevention
Agenda
1. Managers and staff
2. Internal auditors
3. External auditors
4. Third parties
5. The fraudster
6. Luck or accident
How Fraud is Detected
Managers, supervisors and key control employees want to be part of the solution – but often do not know how
The Core Issue
Which of the four options below would make the most significant impact on helping your organization be more effective in fighting fraud, misconduct, and wrongdoing?
Implementing a Fraud Policy
Conducting an organization-wide Comprehensive Fraud Exposure Analysis, including the creation of a Fraud Risk Inventory
Providing awareness, prevention and early Detection Skills Training for managers and staff
A
D Catching and Prosecuting Wrongdoers
B
C
Which of the four options below would make the most significant impact on helping your organization be more effective in fighting fraud, misconduct, and wrongdoing?
Implementing a Fraud Policy
Conducting an organization-wide Comprehensive Fraud Exposure Analysis, including the creation of a Fraud Risk Inventory
Providing awareness, prevention and early Detection Skills Training for managers and staff
14%
10% Catching and Prosecuting Wrongdoers
14%
62%
1. All new hires
2. All new supervisors
3. Executives and Board members
4. Relevant third parties
5. Periodic reminders for everyone
Who Do We Train?
Include real cases and documents
Find a way to say what happened
1. General knowledge of fraud risks
2. What can happen in their areas
3. What it looks like in documents, reports and behaviors they see
4. Suggestions on prevention
5. Suggestions on prompt detection when prevention fails
What Skills Are Needed
1. Group live
2. Technology-based Teleseminars
Webinars
Video
3. 1 on 1 coaching by supervisors
4. 1 on 1 by auditors
5. Written
How Do We Deliver Training?
Good Questions Before Approving:
1. Invoices from suppliers
2. Out of pocket cost reimbursement
3. Purchasing card transactions
4. Time sheets
5. Invoices from contractors
6. One time wire transfers
7. Journal entries
Newsletter Article Ideas
The Checklist Manifesto
Atul Gawande
Defense Against Special Challenges
Deterrence and Prevention
Unique to Organization
Industry Specific
Third Party Relationships
Black Swan Events
Override
SPECIAL CHALLENGES
Fraud Response In Place And Ready To Go
Deterrence and Prevention
1. Response mechanism
2. Investigation
3. Loss recovery
4. Control weaknesses
5. External authorities
6. Publicity
7. Morale and HR concerns
Effective Fraud Handling
1. Be ready to respond to fraud incidents before they surface.
2. Identify the skills and relationships that might be needed, and assemble them in advance.
Build Response Before Needed
3. Think through what message to deliver to employees, customers, the press and others. Craft that message now.
4. Be clear on who is authorized to investigate, handle requests for information, and interact with any outside parties.
Build Response Before Needed
1. Managing “It’s best not to…”
2. Debunking “They won’t do anything”
3. Fraud by management
4. Fraud for the organization
5. Protection of confidential information
6. Fear of litigation
Report to the Authorities?
Get Competent Advice
Be Consistent
1. Be clear: who talks to the press
2. Craft the message in advance
3. Don’t be pulled into speculation
4. Make sure all employees know what to do (and what to avoid) if approached by the press
5. It’s OK to smile politely, say nothing, and walk away
What if the Press Finds Out?
1. Our first priority is protection of the innocent
2. Share what we can at the appropriate time
3. Emphasize the lessons learned
4. Assure that the handling is professional, fair and respectful
5. Take confident action and do the right thing – for them
What About the Employees?
1. Visible and Vocal Leadership
2. Active Fraud Risk Brainstorming
3. Policy on Fraud Responsibilities
4. Anti-Fraud Controls
5. Anti-Fraud Behaviors
6. Anti-Fraud “How To” Skills Training
7. Defense Against Special Challenges
8. Fraud Response in Place
8 Anti-Fraud Actions
CUMULATIVE
Deterrence, Prevention, Prompt Detection, and Efficient Handling
John J. Hall
www.JohnHallSpeaker.com
(970) 926 0355
Questions, Comments, Further Info on How We Can Help