© 2015 Association of Certified Fraud Examiners, Inc.
Creating a Fraud Risk Assessment and
Implementing a Continuous Monitoring
Program
Christopher DiLorenzo,
CFE, CPA, CIA, CRMA
Creating a Robust Fraud Risk Assessment and Implementing a Continuous Monitoring Program
CHRISTOPHER M. DILORENZO, CPA, CIA, CFE, CRMA, CISA
VICE PRESIDENT, INTERNAL AUDIT
SCIENTIFIC GAMES CORPORATION
© 2014 Scientific Games Corporation. All Rights Reserved.
Speaker Profile CHRISTOPHER M. DILORENZO, CPA, CIA, CFE, CRMA, CISA
Christopher M. DiLorenzo is currently the vice president and chief audit
executive (CAE) for Scientific Games Corporation (SG) based in their Las
Vegas corporate headquarters. SG recently acquired Bally Technologies where
DiLorenzo had been a member of the internal audit function for the prior 11
years and CAE for the last five years. Prior to working for Bally Technologies,
he worked in the internal audit department of the Mandalay Resort Group and
was also in public accounting with both Andersen and Deloitte. Currently he is
responsible for executing SG’s global internal audit program, which includes
areas such as testing for Sarbanes-Oxley compliance, operational audits, and
aiding in forensic investigations.
Topics for Today
How to create robust risk assessments
Understanding fraud
Creating a fraud risk assessment
How to develop a continuous monitoring program
Robust Risk Assessments WHAT MAKES THE ASSESSMENT ROBUST?
Comprehensive
Detailed
Authorized/empowered
Adaptive to change
Robust Risk Assessments
Determine the department’s minimum requirements.
SOX Compliance
Specific regulatory or compliance requirements
Audit committee minimum requirements
Evaluate other areas.
Enterprise and strategic risk
Fraud considerations
Operational/other compliance risk
Combine and create the robust plan.
THE ASSESSMENT MUST BE COMPREHENSIVE
Robust Risk Assessments
Internal Control over Financial Reporting (SOX)
Perform your SOX assessment using a recognized framework, e.g., COSO 2013.
Will include
– Areas specific to financial reporting
– General computer controls
– Entity-level and tone at the top
Build your SOX plan.
THE ASSESSMENT MUST BE COMPREHENSIVE
Robust Risk Assessments
Enterprise and strategic risk
Review your company’s ERM program.
Review the company’s overall strategy and objectives.
Align results to your overall plan.
THE ASSESSMENT MUST BE COMPREHENSIVE
Robust Risk Assessments
Fraud considerations
Evaluate all fraud risks to your company.
Use the ACFE’s fraud tree to determine and classify your scenarios.
Align results to your overall plan.
THE ASSESSMENT MUST BE COMPREHENSIVE
Robust Risk Assessments
Operational/other compliance risk
Create an audit universe.
Address the details of the universe.
Begin to build your operational/compliance plan.
THE ASSESSMENT MUST BE COMPREHENSIVE
Robust Risk Assessments
Why does the risk need to be mitigated?
How risky is it?
What can we do about it?
Where does it need to be addressed?
Who can address it?
When is the timing within our plan?
THE ASSESSMENT MUST BE DETAILED
Robust Risk Assessments
Why does the risk need to be mitigated?
What could go wrong?
Always add the “…” in your risk statements.
– Purchase orders are not approved, which may lead to …
– Improper segregation of duties exists for cash disbursements, which may lead to …
THE ASSESSMENT MUST BE DETAILED
Robust Risk Assessments
How risky is it?
Make it measurable.
How impactful is it if this risk were to occur?
How likely is it?
Others
THE ASSESSMENT MUST BE DETAILED
Robust Risk Assessments
What can we do about it?
Covered in SOX procedures?
Covered in fraud auditing procedures?
Covered in operational audit procedures?
Covered in continuous monitoring procedures?
Unable to be addressed by audit?
THE ASSESSMENT MUST BE DETAILED
Robust Risk Assessments
Where does it need to be addressed?
Corporate?
Subsidiaries?
Domestic?
International?
THE ASSESSMENT MUST BE DETAILED
Robust Risk Assessments
Who can/will address it?
Do I have the resources?
Can I automate it?
Can I engage an expert third party?
THE ASSESSMENT MUST BE DETAILED
Robust Risk Assessments
Power comes from the internal audit charter
Audit committee approval
Management buy-in/involvement
THE ASSESSMENT MUST BE AUTHORIZED/EMPOWERED
Robust Risk Assessments
Power comes from the internal audit charter.
Audit committee approved a charter for internal audit.
Validate it at least annually.
Include wording such as:
The responsibilities and scope of activities of the Internal Audit
Department include developing an annual audit plan using an appropriate
risk-based methodology, including any risk or control concerns identified
by management, and submitting it to the Audit Committee for review. The
plan should be adjusted, as necessary, in response to changes in the
organization’s business, risks, operations, programs, systems and
controls.
THE ASSESSMENT MUST BE AUTHORIZED/EMPOWERED
Robust Risk Assessments
Audit committee approval
Present your assessment to the audit committee and get their
input/approval.
Management buy-in
Involve management in your process.
Have them help you identify risks.
Get their input on the attributes of the risks.
THE ASSESSMENT MUST BE AUTHORIZED/EMPOWERED
Robust Risk Assessments
The risk assessment process is never “over.”
It must be regularly reviewed and updated, along with your plan.
Change is constant.
THE ASSESSMENT MUST BE ADAPTIVE TO CHANGE
Understanding Fraud FRAUD TRIANGLE
Understanding Fraud
Estimated that 5% of revenues are lost due to fraud each year
Median loss per incident was $145,000
22% of the cases were at least $1M.
Median fraud duration lasted 18 months before detection.
The presence of anti-fraud controls is associated with decreases in cost and
duration of the scheme.
COSO 2013 (principle 8) requires:
The organization considers the potential for fraud in assessing risks to the
achievement of objectives
INITIAL DETECTION
Understanding Fraud
According to the 2014 ACFE Report to the Nations, more than 72% of the frauds
detected were initially detected as a result of:
Tips (42.2%)
Management review (16%)
Internal audit (14.1%)
INITIAL DETECTION
Understanding Fraud INITIAL DETECTION
Obtained from the ACFE 2014 Report to the Nations
Understanding Fraud
The 2014 ACFE Report to the Nations found that in nearly one-third of the
cases reported, the victim organization lacked the appropriate internal
controls to prevent the fraud.
Additionally, one-fifth of the reported cases could have been prevented if
managers had done a sufficient job reviewing transactions, accounts, or
processes.
CONTROL WEAKNESSES THAT CONTRIBUTED TO FRAUD
Understanding Fraud CONTROL WEAKNESSES THAT CONTRIBUTED TO FRAUD
Fraud Risk Assessment Policy
The fraud risk assessment is completed by identifying fraud risks applicable
to the company and determining their likelihood and impact. The results of
this assessment are mapped to internal audit’s SOX, operational and
continuous monitoring plans. This plan is updated each year and is presented
to the audit committee typically during the month of December.
AN EXAMPLE POLICY
Creating Your Assessment
Using SOX processes, audit universe areas, and other applicable business
functions, create a listing of areas where fraud could occur.
For each area, brainstorm the applicable fraud scenarios in each of the areas
identified using the ACFE’s fraud tree.
Fraud Tree
Creating Your Assessment
Each scenario should clearly identify:
Who the fraudster is
The result of the fraud (or the “…”)
How the fraudster benefits (or the conversion)
Identify the company’s internal control environment that will prevent or
detect this event.
If unknown, investigation is needed.
Clearly document how the control function will work given the scenario.
Identify if internal control gaps exist.
Provide to business leaders over each process area and solicit their input—
update accordingly.
Repeat this exercise for each business entity/location.
Creating Your Assessment
Define your risk parameters.
What are you going to consider?
Are all parameters created equal?
Determine how risky the fraud scenario is.
HOW RISKY IS IT?
Creating Your Assessment
Fraud risks are rated using residual risk only.
Residual: risk of an event happening given the known control environment.
EXAMPLE RISK ASSESSMENT APPROACH
Creating Your Assessment
Fraud risks are rated on two attributes.
Likelihood
1 = Strong control environment
5 = Weak or nonexistent control environment
Impact (if occurring for 36 months prior to detection)
If risk is financial reporting related, rating is guided by materiality.
– 1 = Immaterial; 5 = Material
All other areas are rated using a much lower reasonableness threshold.
– 1 = lower dollar and minimal disturbance to the business
– 5 = higher dollar and considerable disturbance to the business
Sum likelihood and impact to come up with the final fraud risk rating.
EXAMPLE RISK ASSESSMENT APPROACH
Creating Your Assessment
Fraud scenarios were then placed into one of four groups.
Immaterial
Impact deemed a 1: Scenario will be revisited during the next
assessment.
SOX Testing
Planned SOX testing provided a large enough level of comfort that no
additional procedures would be planned.
Operational review
An operational review is required to provide comfort over the fraud
scenario.
Partial SOX /partial operational
Scenario partially addressed with already planned SOX procedures, but
requires additional/supplemental procedures for full coverage.
EXAMPLE RISK ASSESSMENT APPROACH
Creating Your Assessment
Continuous monitoring program
Lastly, each fraud scenario was questioned to determine if continuous
monitoring procedures could be automated to give regular assurance over
the scenario.
If yes, an action plan was created and turned over to our IT auditing function
for evaluation and implementation.
EXAMPLE RISK ASSESSMENT APPROACH
Creating Your Assessment EXAMPLE RESULTS
Area          Risks       Covered by
              identified  Immaterial   SOX   Operational   Both (partial)   Continuous monitoring candidates
Business 1    102         -            60    28            14               64
Business 2    48          9            15    18            6                31
Business 3    46          11           18    15            2                30
Business 4    47          28           -     19            -                30
Business 5    46          10           17    14            5                30
Business 6    29          6            18    5             -                16
Business 7    53          10           24    15            4                34
Business 8    51          9            24    14            4                32
Business 9    48          9            23    9             7                31
Business 10   51          10           14    22            5                32
Business 11   50          9            30    9             2                33
Creating Your Assessment EXAMPLE RESULTS—ACCOUNTS PAYABLE
Columns: # | Fraud Scenario | Primary Fraud Category | Type | Conversion | Internal Controls | L | I | Overall | Test Bucket
(L = likelihood, I = impact, Overall = L + I; the slide shows these as placeholders x, x, 2x)

1. A buyer engages a company with which the buyer has an undisclosed relationship, resulting in the company paying more than fair market value for goods/services obtained and/or sub-standard service.
   Category: Corruption | Type: Conflicts of Interest | Conversion: Employee receives kickback.
   Internal controls: 1. Budget to Actual Review (E-SOX); 2. Segregation of duties (buyer can't add directly to vendor file).
   L: x | I: x | Overall: 2x | Test bucket: SOX Testing

2. A buyer receives a bribe or invoice kickbacks from a company in return for choosing that company to provide service to the company, resulting in the company paying more than fair market value for goods/services obtained and/or sub-standard goods/service.
   Category: Corruption | Type: Invoice Kickbacks | Conversion: Employee receives kickback.
   Internal controls: 1. Budget to Actual Review (E-SOX); 2. Bidding controls
   L: x | I: x | Overall: 2x | Test bucket: Partial SOX; Partial Operational Reviews

3. AP colludes with a check signer and/or invoice authorizer and makes payments to a dormant or fictitious vendor.
   Category: Asset Misappropriation | Type: Larceny | Conversion: Employee receives undue funds.
   Internal controls: 1. B of A Online System Controls; 2. Supplier master file data is reviewed; 3. Systematic deactivation of inactive suppliers
   L: x | I: x | Overall: 2x | Test bucket: SOX Testing

4. An employee characterizes a personal expense as a business-related expense.
   Category: Asset Misappropriation | Type: Mischaracterized Expenses | Conversion: Employee's personal expenses paid by the company.
   Internal controls: 1. Expense report reviewer; 2. Required to use company card
   L: x | I: x | Overall: 2x | Test bucket: Operational Reviews

5. An employee overstates a business expense to obtain a fraudulent reimbursement from the company.
   Category: Asset Misappropriation | Type: Overstated Expenses | Conversion: Employee receives undue payment by the company.
   Internal controls: 1. Expense report reviewer; 2. Required to use company card
   L: x | I: x | Overall: 2x | Test bucket: Operational Reviews

6. An employee creates fictitious expenses to submit as business-related expenses to obtain fraudulent reimbursement from the company.
   Category: Asset Misappropriation | Type: Fictitious Expenses | Conversion: Employee receives undue payment by the company.
   Internal controls: 1. Expense report reviewer; 2. Required to use company card
   L: x | I: x | Overall: 2x | Test bucket: Operational Reviews

7. An employee uses the same expense multiple times to obtain fraudulent reimbursement from the company.
   Category: Asset Misappropriation | Type: Multiple Reimbursement | Conversion: Employee receives undue payment by the company.
   Internal controls: 1. Expense report reviewer; 2. Required to use company card
   L: x | I: x | Overall: 2x | Test bucket: Operational Reviews
Creating Your Assessment EXAMPLE RESULTS—ACCOUNTS PAYABLE
Columns: # | Fraud Scenario | Primary Fraud Category | Type | Conversion | Internal Controls | L | I | Overall | Test Bucket
(L = likelihood, I = impact, Overall = L + I; the slide shows these as placeholders x, x, 2x)

8. An unauthorized employee obtains company check stock and fraudulently uses the check stock to create unauthorized payments.
   Category: Asset Misappropriation | Type: Forged Maker | Conversion: Employee receives undue payment by the company.
   Internal controls: 1. If possible, checks not issued to acronyms; 2. Checks under $5k do not need signature, or over $5k with a PO. Checks over $5k w/o PO require signature; 3. Balance sheet account reconciliations
   L: x | I: x | Overall: 2x | Test bucket: SOX Testing

9. An accounts payable member diverts a check to a third party and forges the check endorsement to divert funds to the accounts payable member.
   Category: Asset Misappropriation | Type: Forged Endorsement | Conversion: Employee receives undue payment by the company.
   Internal controls: 1. AP aging analysis; 2. Balance sheet account reconciliations
   L: x | I: x | Overall: 2x | Test bucket: SOX Testing

10. An accounts payable member diverts a check to a third party and alters the payee to divert funds to the accounts payable member.
    Category: Asset Misappropriation | Type: Altered Payee | Conversion: Employee receives undue payment by the company.
    Internal controls: 1. AP does not write checks to acronyms in the payee
    L: x | I: x | Overall: 2x | Test bucket: Operational Reviews

11. An authorized check signer obtains check stock and issues a payment for personal gain.
    Category: Asset Misappropriation | Type: Authorized Maker | Conversion: Employee receives undue payment by the company.
    Internal controls: 1. AP aging analysis; 2. Balance sheet account reconciliations
    L: x | I: x | Overall: 2x | Test bucket: SOX Testing

12. A member of the AP team intentionally overpays a vendor in an effort to intercept the subsequent refund check for personal gain.
    Category: Asset Misappropriation | Type: Larceny | Conversion: AP member steals company refund.
    Internal controls: Segregation of duties
    L: x | I: x | Overall: 2x | Test bucket: Operational Reviews

13. An accounts payable member, under the direction of a controller, records accounts payable amounts incorrectly (e.g., as assets).
    Category: Fraudulent Statements | Type: Concealed Liabilities & Expenses | Conversion: Company outlook is better than actual.
    Internal controls: AP only able to post to expenses/liability
    L: x | I: x | Overall: 2x | Test bucket: SOX Testing

14. An accounts payable member, acting alone or in collusion with a controller, does not record accounts payable amounts in the proper period to improve the company's financial position.
    Category: Fraudulent Statements | Type: Timing Differences | Conversion: Company outlook is better than actual.
    Internal controls: 1. AP accrual; 2. Invoice approval; 3. 3-way match
    L: x | I: x | Overall: 2x | Test bucket: SOX Testing
Continuous Monitoring Approach
Brainstorming—for each risk event identified as a continuous monitoring
candidate:
Develop theories of how we can systematically monitor the scenario.
Identify the resources required to pursue the solutions to identified
scenarios.
Data or documentation access
Access to relevant business personnel
Verify (or understand) the work flow of transactions.
Identify data tables for where your data is maintained.
Planning Design Development Testing Review Deployment
PLANNING PHASE
Continuous Monitoring Approach
Data mining
Review the available data sources and attempt to identify the data that will
be needed to meet the specific continuous monitoring objectives.
Document the identified data sources and data fields in a diagram for easy
reference.
Logic design
Considerations for logic design:
The scope and materiality of the fraud risk
The information needed to perform planned follow-up procedures
Document the design procedures in a way that can be easily understood
and re-performed as applicable.
DESIGN PHASE
Continuous Monitoring Approach PLAN: A/P TRANSACTIONS CODED TO NON-EXPENSE ACCOUNTS
RISK
X-3-AP-012: Accounts payable member, under the direction of a controller or higher, records account payable invoices incorrectly (e.g., as assets or revenue) in order to materially impact the financial statements and improve the overall outlook of the company. Impact: X, Likelihood: Y
PROCESSES IN-SCOPE
Accounts payable invoice creation
Accounts payable approval process
CURRENT MITIGATING SOX CONTROLS
B-01.01.01—Journal Entries Are Reviewed & Approved: All journal entries and supporting documentation are reviewed by a member of finance at least one level above the preparer.
B-01.01.02—Evaluation Process for Non-Routine Transactions: Appropriate accounting treatment for transactions that are both non-routine and significant is researched for appropriate GAAP treatment and documented. Related memos are reviewed by at least one level above the preparer. In addition, the accounting treatment for non-routine and significant transactions is reviewed by the audit committee.
B-04.02.09—Invoice Review: Non-inventory invoices (or PO's) for goods/services are approved prior to payment according to the company's approval matrix by a member of the department in receipt of the goods/services (exception: utility invoices).
DEVELOPMENT TEAM
Name, Manager, IT Audit
Manager Name, Senior IT Internal Auditor
Name, Staff IT Internal Auditor
Name, Staff Internal Auditor
ANALYTIC LOGIC
Obtain API transactions from the GL table in MAPICS related to AP-Trade (account number xxxxx).
Exclude all transactions coded to an expense account.
Identify transactions in which the AP-Trade account was debited.
Identify accounts that were debited in transactions where AP-Trade was credited.
Compare activity change between quarters and identify material account variances for transactional follow-up ($1M or greater in activity increase).
ANALYTIC OUTPUT
A summary of account activity for non-expense accounts that were credited in an API transaction in which the AP-Trade account was debited.
A summary of account activity for non-expense accounts that were debited in an API transaction in which the AP-Trade account was credited and the total activity change from last quarter was over the materiality threshold ($1M).
A listing of all transactions contained in the aforementioned account summaries.
FOLLOW-UP TESTING
Determine if the transactions are legitimate by obtaining backup documentation and/or inquiry with relevant personnel.
Testing Notes: Invoice documentation is located in Intellichief.
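The analytic logic and analytic output above describe a detection query in prose. The following Python program is an added example, not the deck's ACL script or any Scientific Games code, that implements the same logic over a handful of constructed GL lines so the three outputs can be seen end to end. It assumes an AP-Trade account number of 20100 (the slide shows "xxxxx"), a chart-of-accounts convention in which accounts starting with 6 or 7 are expense accounts, and that a "transaction" is the set of lines sharing one document id; it generalizes the slide slightly by handling both the AP-Trade-debited and AP-Trade-credited cases in one pass and by comparing every pair of consecutive quarters present in the data.

```python
"""Added example: 'A/P transactions coded to non-expense accounts' analytic.
Constructed data and assumed account numbers; not the original program."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

AP_TRADE = "20100"             # assumed placeholder for the AP-Trade GL account (slide: "xxxxx")
MATERIALITY = 1_000_000.0      # $1M quarter-over-quarter activity increase triggers follow-up
EXPENSE_PREFIXES = ("6", "7")  # assumed chart-of-accounts convention: 6xxxx/7xxxx are expenses


@dataclass(frozen=True)
class GLLine:
    doc: str       # API/journal transaction id; lines sharing a doc form one transaction
    quarter: str   # fiscal quarter, sortable as text, e.g. "2014Q1"
    account: str
    debit: float = 0.0
    credit: float = 0.0


def is_expense(account: str) -> bool:
    return account.startswith(EXPENSE_PREFIXES)


def ap_trade_side(doc_lines: List[GLLine]):
    """'debit' or 'credit' depending on how AP-Trade was posted; None if absent."""
    for ln in doc_lines:
        if ln.account == AP_TRADE:
            return "debit" if ln.debit > 0 else "credit"
    return None


def run_analytic(lines: List[GLLine]) -> Dict[str, object]:
    docs: Dict[str, List[GLLine]] = defaultdict(list)
    for ln in lines:
        docs[ln.doc].append(ln)
    quarters = sorted({ln.quarter for ln in lines})

    credited_when_ap_debited: Dict[str, float] = defaultdict(float)
    debited_when_ap_credited: Dict[str, Dict[str, float]] = defaultdict(lambda: defaultdict(float))
    docs_by_account: Dict[str, set] = defaultdict(set)

    for doc, doc_lines in docs.items():
        side = ap_trade_side(doc_lines)
        if side is None:
            continue                                   # not an AP-Trade transaction
        for ln in doc_lines:
            if ln.account == AP_TRADE or is_expense(ln.account):
                continue                               # keep only the non-expense offsets
            if side == "debit" and ln.credit > 0:      # AP-Trade debited: unusual credit offsets
                credited_when_ap_debited[ln.account] += ln.credit
                docs_by_account[ln.account].add(doc)
            elif side == "credit" and ln.debit > 0:    # AP-Trade credited: invoice coded to an asset etc.
                debited_when_ap_credited[ln.account][ln.quarter] += ln.debit
                docs_by_account[ln.account].add(doc)

    # Quarter-over-quarter comparison: flag accounts whose debit activity grew by >= MATERIALITY
    material_increases: List[Tuple[str, str, float, float]] = []
    for account, per_quarter in sorted(debited_when_ap_credited.items()):
        for prev_q, cur_q in zip(quarters, quarters[1:]):
            prev_total, cur_total = per_quarter.get(prev_q, 0.0), per_quarter.get(cur_q, 0.0)
            if cur_total - prev_total >= MATERIALITY:
                material_increases.append((account, cur_q, prev_total, cur_total))

    # Listing of every transaction behind the two summaries, for backup/inquiry follow-up
    flagged = set(credited_when_ap_debited) | {acct for acct, *_ in material_increases}
    follow_up = sorted(d for acct in flagged for d in docs_by_account[acct])
    return {
        "credited_when_ap_debited": dict(credited_when_ap_debited),
        "material_increases": material_increases,
        "transactions_for_follow_up": follow_up,
    }


# Constructed sample: one ordinary expense invoice, a fixed-asset coding that jumps by $1.3M
# in Q2, a small prepaid, and two AP-Trade debits (one to a receivable, one to an expense).
SAMPLE_LINES = [
    GLLine("D1", "2014Q1", "60100", debit=500_000.0), GLLine("D1", "2014Q1", AP_TRADE, credit=500_000.0),
    GLLine("D2", "2014Q1", "15000", debit=200_000.0), GLLine("D2", "2014Q1", AP_TRADE, credit=200_000.0),
    GLLine("D3", "2014Q2", "15000", debit=1_500_000.0), GLLine("D3", "2014Q2", AP_TRADE, credit=1_500_000.0),
    GLLine("D4", "2014Q2", "14000", debit=50_000.0), GLLine("D4", "2014Q2", AP_TRADE, credit=50_000.0),
    GLLine("D5", "2014Q2", AP_TRADE, debit=30_000.0), GLLine("D5", "2014Q2", "12000", credit=30_000.0),
    GLLine("D6", "2014Q2", AP_TRADE, debit=10_000.0), GLLine("D6", "2014Q2", "60100", credit=10_000.0),
]

if __name__ == "__main__":
    for name, value in run_analytic(SAMPLE_LINES).items():
        print(f"{name}: {value}")
```

On the sample, account 15000 is reported because its AP-credited debit activity rises from $200k to $1.5M between quarters, account 12000 appears in the first summary because AP-Trade was debited against it, and D6 drops out because its offset is an expense account; the follow-up listing is D2, D3 and D5, which is what an auditor would pull invoice documentation for.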
Continuous Monitoring Approach
Implement design elements into a functional program, e.g., ACL scripts, SQL
queries, manual analytic procedures, etc.
Maintain documentation throughout development to track development
procedures.
Comments within ACL Scripts
A narrative of development procedures
Annotations on development documents to describe their content
Review output.
Verification that the analytic is properly identifying irregularities
Verification that the output fulfills the design requirements
DEVELOPMENT PHASE
Continuous Monitoring Approach
Execute the analytic to generate a list of potential exceptions or “red flags.”
Analyze exceptions to determine if they are false positives, errors in the
development of the analytic, or true exceptions.
Obtain documentation or support for the potential exceptions.
Obtain physical documentation from appropriate parties.
Obtain access to systems and databases to retrieve other supporting
documentation.
Perform inquiries with appropriate parties to obtain a better understanding
of the exception.
Adjust the logic or output of the program, as necessary, based on the
findings during the preliminary testing.
Document test procedures performed.
TESTING PHASE
Continuous Monitoring Approach
Development review
Detailed review of analytic design, development, and testing by a peer or
supervisor to ensure the program is functioning and all necessary
documentation is properly recorded
User review with business auditors
High-level review of analytic output, to be subsequently reviewed by the
business auditor
Ensures that the analytic meets business auditor needs
REVIEW PHASE
Continuous Monitoring Approach
Identify how often monitoring should be performed, e.g., daily, monthly,
quarterly, etc.
Ensure that personnel are properly trained on the execution of the designed
analytic and the follow-up procedures.
Have a plan for communicating test results within the department as well as
to relevant upper management, as deemed necessary.
Have consistent communication regarding unique findings or analytic
improvements with your script developers. This is vital to keeping the
continuous monitoring program current, efficient, and effective.
DEPLOYMENT PHASE
Final Thoughts
With that, we’ve discussed:
How to create robust risk assessments
Understanding fraud
Creating a fraud risk assessment
How to develop a continuous monitoring program
Remember that, by nature of this topic, robust implies that this is not an
overnight project. Implementing this type of an approach takes time, but you’ll
be rewarded for that time.
CREATING A ROBUST FRAUD RISK ASSESSMENT AND IMPLEMENTING A CONTINUOUS MONITORING PROGRAM