October 28, 2012
Taking Fraud Risk Management To the Next Level
Daniel Williams
CGA, CFE, CIA, CISA, CAMS, PMP
© Deloitte & Touche LLP and affiliated entities.
Topics
1. Introduction
2. The Prevalence of Fraud
3. The Impact of Fraud
4. Managing Fraud Risk
5. Performing a Fraud Risk Assessment
6. Evaluating & Enhancing a Fraud Management Program
7. Leveraging the Whistleblower Program
8. Effective Response Protocols
Introduction
Objectives
1. Walk through how to build an effective fraud risk management program and
identify some of the key elements that are often missing or inadequate
2. Show how the effectiveness of key fraud response protocols will help to
minimize the damage to an organization should an incident occur
The Prevalence of Fraud
The Prevalence of Fraud
“The average fraud scheme lasted 24 months before it was detected”
“A typical organization loses a staggering 6% of its annual revenue to occupational fraud”
“The average organization loses more than $9 a day per employee to fraud and abuse”
“Fraud cases are estimated to have a median loss of $175,000 per incident”
“Public sector fraud cases are estimated to have a median loss of $100,000 per incident”
“Approximately 46% of fraud cases were detected by tips from employees, customers, vendors, etc.”
“The implementation of anti-fraud controls appears to have measurable impact on the organization’s
exposure to fraud.”
“Lack of adequate internal control was cited by 35% of respondents as a factor that allowed fraud to occur.”
- ACFE; 2010 Report to the Nation on Occupational Fraud and Abuse
The Impact of Fraud
The Impact of Fraud
• Financial losses to the organization
• Financial losses to stakeholders
• Civil litigation
• Regulatory fines
• Criminal litigation and prosecution
• Diversion of executive attention and organization resources
• Expensive compliance and/or monitoring programs
• Expensive investigation fees
• Reputation damage including:
– Loss of public trust
– Negative public perception
– Greater scrutiny from public advocates and leadership
– Negative media attention
The Impact of Fraud - Reputation Risk
Reputation risk is the risk of loss of brand image or stakeholders’ support such that the organization will be
unable to operate at its full capacity.
It is the risk of losing the ability to compete, due to perceptions that the organization does not deal fairly
with its stakeholders or does not know how to manage its business; furthermore, it is the risk of a decline in
stakeholders’ confidence that may impair the organization’s ability to have support in the community and to
efficiently raise capital.
Managing Fraud Risk
Managing the Risk of Fraud
Fraud is predictable and manageable; however, only through diligent and
ongoing effort can an organization protect itself against acts of fraud.
• The IIA has developed five key principles for proactively establishing a Fraud
Risk Management Program to effectively manage an organization’s fraud risk:
1. As part of an organization’s governance structure, a fraud risk management program
should be in place including a written policy to convey the expectations of the board of
directors and senior management regarding fraud risk;
2. Fraud risk exposure should be assessed periodically by the organization to identify
specific potential fraud schemes and events that the organization must mitigate;
3. Prevention techniques to avoid potential key fraud risk events should be established,
where feasible, to mitigate possible impacts on the organization;
4. Detection techniques should be established to uncover fraud events when preventive
measures fail or unmitigated risks are realized;
5. A reporting process should be in place to solicit input on potential fraud, and a
coordinated approach to investigation and corrective action should be used to help
ensure potential fraud is addressed appropriately and in a timely manner.
What is Motivating Organizations to Develop a Comprehensive and Holistic Fraud
Management Strategy (what are the drivers?)
(Figure: five drivers arranged around the organization’s Fraud Risk and Brand Risk)
Stakeholder Confidence
• Stakeholders are becoming increasingly aware of fraud risk
• Organizations that are perceived as being vulnerable to fraud can lose stakeholder confidence and
ultimately suffer business losses
Fraud Loss
• Loss from reimbursing stakeholders for losses incurred
• Loss from incident response, investigation and recovery efforts
• Loss from diversion of resources in response to fraud
Globalization
• Geographical expansion and changes in customer demography introduce new threat factors requiring
businesses to prepare and respond to emerging fraud risks
Advances in Technology
• With fraudsters using sophisticated technology, organizations must continually enhance and refine
controls
• Technology tends to make fraud risk more pervasive and can impact a number of areas of operations
Changing Business Model
• Ongoing modifications to services, products and infrastructure expose the organization to new threats that
need to be considered
Applying the COSO Framework
The five COSO components as applied to a Fraud Risk Management Program (FRMP):
Creating a Control Environment
• Tone at the top
• Code of conduct/ethics
• Whistleblower hotline
• Investigation process
Performing Fraud Risk Assessments
• Identify fraud risk factors, fraud risks and fraud schemes
Designing and Implementing Antifraud Control Activities
• Link/map identified fraud risks to control activities
Sharing Information and Communication
• Effective communication of antifraud programs and controls throughout
Monitoring Activities
• Monitoring effectiveness of antifraud programs and controls
Effective Fraud Risk Management Program
Elements of an Effective Fraud Risk Management Program: Prevention, Detection and Response, with Deterrence
shown as the overarching outcome.
Prevention
• Good governance
• Code of conduct and related standards
• Fraud and misconduct risk assessment
• Employee and third party due diligence
• Communication and training
• Process-specific fraud risk controls
Detection
• Hotlines and whistleblower mechanisms
• Auditing and monitoring
• Quality assurance
• Proactive data analysis
Response
• Timely and consistent response mechanisms
• Comprehensive internal investigation protocols
• Comprehensive enforcement and accountability protocols
• Disclosure protocols
• Remedial action protocols
Completing a Fraud Risk Assessment
Step 1 – Define Fraud as it Relates to Your Organization
The first step in developing any fraud risk management program is to
define fraud as it relates to your organization.
As simple as this may seem, it is crucial that a firm definition is developed
and applied consistently throughout the organization including:
– Any and all communications to staff;
– When developing a fraud risk assessment to determine if specific scenarios that can be
executed are, in fact, fraudulent;
– When developing and publishing policies and procedures (including the code of
conduct and the fraud risk management charter); and
– When developing and facilitating fraud awareness training.
Definition(s) of Fraud
“Fraud is criminal deception intended to financially benefit the deceiver”
- The Accountant’s Handbook of Fraud and Commercial Crime (CICA)
“Fraud is a generic term, embracing all multifarious means which human ingenuity can devise, and which are
resorted to by one individual to get an advantage over another by false suggestions or suppressions of truth,
and unfair way by which another is cheated”
- Black’s Law Dictionary
“Fraud is any act of deception carried out for the purpose of unfair, undeserved and/or unlawful gain, either
valuable financially or comprising a legal right”
- Wikipedia
“Fraud is any act of wrongdoing where the organization is knowingly misled for personal (or third party) gain”
- Deloitte
Step 2 – Determine Your Approach for Identifying Risks
Fraud risk identification includes:
• Gathering external information from regulatory bodies, industry sources, key guidance
setting groups (such as COSO), and professional bodies/service providers; and
• Consulting internal sources including:
– Examining the incentives, pressures and opportunities to commit fraud specifically within your
organization (i.e. – performance metrics, incentive programs, etc.);
– Reviewing past whistleblower complaints;
– Reviewing external audit management letters that identify issues pertaining to flaws in processes,
procedures or controls;
– Reviewing any fraudulent acts that may have occurred in the past;
– Reviewing incident reports and other analytical reports on errors, customer complaints, vendor
complaints, employee feedback, etc.; and
– Collaborating with employees across the organization to identify specific fraud scenarios that could
occur as well as weaknesses in the processes that would allow fraud to occur.
Engaging Employees to Identify Fraud Risk Scenarios
Comparison of engagement methods (for each: Employee Engagement, Time Required, Fraud Scenarios Identified,
Pros, Cons):
Surveys/Questionnaires issued to employees
  Employee engagement: Minimal; Time required: Minimal; Fraud scenarios identified: Generic
  Pros: Minimal impact on resources and little effort required.
  Cons: There is a risk that you will not receive open and honest responses from
Interviews with the Board and Executive
  Employee engagement: Minimal; Time required: Moderate; Fraud scenarios identified: Generic
  Pros: Minimal impact on resources and little effort required.
  Cons: Board members may not have a strong understanding of day-to-day operations.
Interviews with Management
  Employee engagement: Moderate; Time required: Moderate; Fraud scenarios identified: High Level
  Pros: Minimal impact on resources and little effort required.
  Cons: Management may not have insight into specific weaknesses within the process.
Workshops with Employees (recommended)
  Employee engagement: High; Time required: Significant; Fraud scenarios identified: Detailed
  Pros: Detailed fraud scenarios are identified. Opportunity to educate employees.
  Cons: Significant impact on resources and significant effort required.
Collaboration with a Project Team (recommended)
  Employee engagement: High; Time required: Significant; Fraud scenarios identified: Detailed
  Pros: Project team members provide valuable input and can be advocates for remediation strategies.
  Cons: Moderate impact on resources and significant effort required.
Step 3 – Identify Fraud Risk Scenarios
Fraud risk assessments differ somewhat from the more conventional methods
used to assess risk in that they are scheme/scenario-based. This requires
experienced personnel who are familiar with the more common fraud schemes
impacting today's organizations.
Fraud, by definition, entails intentional misconduct designed to evade detection. As such, those performing a
fraud risk assessment should engage in strategic reasoning to anticipate the behavior of a potential fraud
perpetrator. In essence, you need to think like a criminal.
Fraud scenarios are initially identified and assessed based on inherent risk, assuming the absence of controls.
It is difficult to take a “one-size-fits-all” approach by obtaining a list of generic fraud risks and using it as
the fraud risk assessment: a boilerplate listing will most likely not include all fraud opportunities inherent to
your organization.
Step 4.a – Determine Likelihood Assessment Criteria
• The Likelihood that an event will occur based on inherent factors such as:
– Access to assets by an individual
– Level of trust placed in an individual
– How difficult it is to commit the act without involving others
• Likelihood assessment criteria:
– High – a significant opportunity that can be executed by just one person
– Moderate – requires collusion with others and/or an activity outside of normal
operational processes/procedures
– Low - many people involved increasing the chance of being detected and an audit trail
is available for review by others
Step 4.b – Determine Consequence Assessment Criteria
• The Consequence of an event occurring is derived from two key factors:
– Qualitative (relating to reputation risk)
– Quantitative (relating to a specific dollar amount lost due to the fraud occurring)
• Consequence assessment criteria:
– High – significant loss of public trust and/or a high dollar value (e.g., $200,000)
– Moderate – moderate public reaction and/or a moderate dollar value (e.g., $30,000)
– Low – little to no public reaction and/or a low dollar value (e.g., $5,000)
Step 5 – Map Existing Controls to Fraud Schemes
Once all fraud risk scenarios have been identified, the next step is to link
each risk to relevant internal controls that can mitigate each risk to an
acceptable level.
It is important to identify and leverage existing controls to determine if
they are designed effectively to actually prevent or detect fraud.
This can be a value-added activity:
– The mapping exercise provides Management with a gap analysis that will identify
residual fraud risks – risks that remain outside the organization’s tolerable range.
– A gap analysis will also identify inefficiencies/ineffectiveness in internal controls.
– The assessment may identify a misallocation of resources and/or redundancies
in internal controls.
Step 6.a – Assess Internal Controls
How effective is the control in mitigating the risk of fraud?
Has the control been designed effectively – not just in principle but in
practice?
Objective-based versus activity-based controls.
Step 6.b – Assess the Control Environment
• This is not your typical control environment assessment.
• The assessment needs to consider:
– The maturity of the control environment as it relates to the sophistication, size and
scope of the organization;
– How effective the control environment is in preventing fraud; and
– How effective the control environment is in communicating appropriate standards of
conduct. It is not sufficient to say that management is communicating the right
message; rather we need to confirm that employees are actually receiving and
appreciating that message.
• The assessment includes:
– Reviewing documentation
– Enquiries of Management and employees
– Direct observation
Step 7 – Determine Residual Risk and Response
The final step is to determine what the acceptable level of risk for the
organization is and work towards addressing each fraud scenario that exceeds
the organization’s risk tolerance.
A detailed fraud risk assessment will help identify areas where residual risk may
not be appropriate and prioritize areas that require immediate attention.
The fraud risk assessment may also identify critical areas that were so highly
exposed to undue risk that it would require investigation of past transactions to
determine if inappropriate activity had taken place.
Finally, the fraud risk assessment will allow an organization to consider
necessary remediation strategies for each risk identified:
– Revise the existing process to reduce the inherent risk;
– Accept or increase the tolerated risk level based on the organization’s operating model;
– Reduce residual risk through increased control effectiveness.
Fraud Risk Assessment Template - SAMPLE
Ratings: L = Low, M = Moderate, H = High. Internal Controls lists the identifiers of the controls mapped to the
scenario (N/A = no control mapped).
Scenario 1: The CFO directs employees to hold the books open after year end to accrue additional revenues.
  Likelihood: M; Consequence: M; Inherent Risk: M; Internal Controls: A.1, A.2, B.3; Residual Risk: L
Scenario 2: The inventory manager misappropriates inventory and then makes an adjustment to the GL to cover
up the theft.
  Likelihood: L; Consequence: L; Inherent Risk: L; Internal Controls: C.6; Residual Risk: L
Scenario 3: A supervisor colludes with another employee by authorizing fraudulent overtime claims.
  Likelihood: H; Consequence: H; Inherent Risk: H; Internal Controls: C.6, D.1; Residual Risk: M
Scenario 4: Ghost employees are added to the payroll by the HR Manager.
  Likelihood: H; Consequence: L; Inherent Risk: M; Internal Controls: N/A; Residual Risk: M
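The scoring walk-through in Steps 4 through 7 can be made a small, repeatable calculation so that every scenario in the register is rated the same way. The Python below is an added example written for this page; it is not Deloitte’s template or tooling. It rates likelihood and consequence from the criteria on the preceding slides, combines them into an inherent rating, lowers the rating where an effective control is mapped, and flags scenarios above the organization’s tolerance. The inherent-risk matrix, the one-level reduction for an effective control, the reading of “many people” as three or more, the reuse of the slide’s illustrative dollar figures as thresholds, and the control effectiveness ratings are all assumptions chosen so that the four sample rows above are reproduced; an organization would substitute its own criteria.

```python
from dataclasses import dataclass
from typing import Dict, List

LEVELS = ("L", "M", "H")  # ordinal scale from the sample template: Low, Moderate, High


def likelihood_rating(actors_required: int, audit_trail: bool) -> str:
    """Step 4.a criteria: H = one person can execute it alone; L = many people involved
    and an audit trail is available; otherwise M (collusion or off-process activity).
    'Many' is read here as three or more (assumption)."""
    if actors_required <= 1:
        return "H"
    if actors_required >= 3 and audit_trail:
        return "L"
    return "M"


def consequence_rating(dollar_loss: float, public_reaction: str) -> str:
    """Step 4.b criteria: the higher of the quantitative and qualitative ratings ('and/or').
    The dollar cut-offs reuse the slide's illustrative figures (assumption)."""
    if dollar_loss >= 200_000:
        quantitative = "H"
    elif dollar_loss >= 30_000:
        quantitative = "M"
    else:
        quantitative = "L"
    qualitative = {"significant": "H", "moderate": "M", "little": "L", "none": "L"}[public_reaction]
    return max(quantitative, qualitative, key=LEVELS.index)


def inherent_risk(likelihood: str, consequence: str) -> str:
    """Combine the two ratings with no controls assumed (Step 3). The deck does not show its
    matrix; this one takes the average position, rounded up, which reproduces the sample rows."""
    score = LEVELS.index(likelihood) + LEVELS.index(consequence)
    return LEVELS[(score + 1) // 2]


def residual_risk(inherent: str, controls: List[str], effectiveness: Dict[str, str]) -> str:
    """Steps 5 and 6: a mapped control rated 'effective' lowers the rating by one level;
    partially effective controls or no controls leave it unchanged (assumption)."""
    if any(effectiveness.get(c) == "effective" for c in controls):
        return LEVELS[max(0, LEVELS.index(inherent) - 1)]
    return inherent


def exceeds_tolerance(residual: str, tolerance: str) -> bool:
    """Step 7: anything above the tolerated level needs a remediation strategy."""
    return LEVELS.index(residual) > LEVELS.index(tolerance)


@dataclass
class Scenario:
    description: str
    likelihood: str
    consequence: str
    controls: List[str]  # identifiers of mapped controls; empty list means N/A


@dataclass
class Assessment:
    scenario: Scenario
    inherent: str
    residual: str
    action_required: bool


def assess(scenarios: List[Scenario], effectiveness: Dict[str, str], tolerance: str = "L") -> List[Assessment]:
    results = []
    for s in scenarios:
        inherent = inherent_risk(s.likelihood, s.consequence)
        residual = residual_risk(inherent, s.controls, effectiveness)
        results.append(Assessment(s, inherent, residual, exceeds_tolerance(residual, tolerance)))
    return results


# The four rows of the sample template, with the ratings as shown on the slide.
SAMPLE = [
    Scenario("CFO directs employees to hold the books open after year end", "M", "M", ["A.1", "A.2", "B.3"]),
    Scenario("Inventory manager misappropriates inventory and adjusts the GL", "L", "L", ["C.6"]),
    Scenario("Supervisor colludes with an employee on fraudulent overtime claims", "H", "H", ["C.6", "D.1"]),
    Scenario("Ghost employees added to the payroll by the HR Manager", "H", "L", []),
]

# Constructed control effectiveness ratings (the slide lists only the control identifiers).
CONTROL_EFFECTIVENESS = {"A.1": "effective", "A.2": "partial", "B.3": "effective",
                         "C.6": "effective", "D.1": "partial"}

if __name__ == "__main__":
    for a in assess(SAMPLE, CONTROL_EFFECTIVENESS):
        flag = "ACTION REQUIRED" if a.action_required else "within tolerance"
        print(f"{a.inherent} -> {a.residual}  {flag}: {a.scenario.description}")
```

Run as a script it prints one line per scenario; with the default tolerance of L, the overtime-collusion and ghost-employee rows come out as requiring action, matching the residual ratings in the sample. Keeping the matrix and the control-reduction rule in code, rather than in each assessor’s head, is what makes the ratings consistent across the workshops and project teams described earlier.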
Additional Benefits
• Identify inefficiencies in operations, processes or controls that also expose the organization to
the risk of waste and error.
• Identify redundant internal controls or other risk management practices.
• Find ways to optimize/ enhance existing internal controls (which were initially designed to
support another program) in such a way as to have them also prevent/detect fraud.
• Revise or enhance various organizational process assets (such as the internal audit
charter, code of conduct/ethics and various policies and procedures)
– For example training materials can be enhanced to include information on fraud
awareness. The code of conduct/ethics can also include a fraud policy.
• Leverage and/or align with the organization’s Enterprise Risk Management Framework,
SOX program, anti-corruption/ compliance and ethics program, etc.
Additional Benefits: Example #1 (Procurement Function)
• Through conducting our fraud risk assessment, it was noted that third party suppliers
were sometimes engaged without going through the proper procurement process
• Suppliers were selected and being paid for services:
– Without being recognized as an “approved vendor” by the procurement function;
– Without going out to tender;
– Without undergoing the proper due diligence; and
– Without being formally added to the Accounts Payable system as an approved vendor for payment
• While the intent was not malicious, it did demonstrate that an opportunity to commit fraud
existed. More importantly, it presented several other risk scenarios:
– Suppliers/ services were engaged which are contrary to the organization’s goals/objectives;
– By engaging an alternate Supplier, the organization violated contractual terms/ conditions it had
with existing Suppliers;
– The organization engaged a Supplier that, due to weak/ questionable business practices, exposed
the organization to excessive risk (FCPA);
– An employee committed the organization to an inappropriate contractual arrangement with a
Supplier (i.e., unfavorable terms, inappropriate pricing, etc.)
– These suppliers were being paid outside the normal Accounts Payable process
Benefits: Example #2 (Accounts Payable Process)
• Through conducting our fraud risk assessment, it was noted that the organization’s
current Accounts Payable process was inefficient and, due to the high level of
inefficiency, exposed the organization to an excessive number of inherent risks.
– Management was unaware of this until all risks were identified through conducting a proper fraud
risk assessment and mapping the risks to the Accounts Payable Process flow;
– Given the current process, the cost of mitigation was too high (there are too many inherent risks
that would need to be addressed with control activities);
– The process was so weak that we were almost certain that fraud, waste or error was already taking
place but it was too costly to address it given the current process.
• The solution was to map all risk scenarios to the business process to find out where
they would fall along the process flow.
• We then determined what weaknesses in the process flow contributed to the inherent
risks identified.
• We designed a new process flow to address these weaknesses and limit the number
of inherent risks found in the revised process.
• Finally, we identified and implemented internal controls to address the remaining
inherent risks.
Benefits: Example #2 (Accounts Payable Process)
[Figure: process-flow map of Activities 1 to 11 across Employees 1 to 4, with each activity colour-coded as
High Risk, Moderate Risk or Low Risk]
Benefits: Example #2 (Accounts Payable Process)
• We also took this opportunity to design a Segregation of Duties map to help with the
reconstruction process:
The following key duties performed along the process must be separated to ensure that the risk of
fraud/error is mitigated and operational efficiencies are achieved through specialization and
standardization of activities.
Key: Y = Accountable for this duty. N = Should not be performing this duty. P = Acceptable to perform this duty.
Roles (columns, left to right): Vendor | Invoice Processing | Department Head | Employee | Accounts Payable |
Quality Assurance
1. REQUISITION (submits invoice, calls in for payment, etc.): Y N N Y N N
2. INVOICE PROCESSING (sets up invoice in system; reviews invoice for completeness, validity and accuracy):
   N Y N N N N
3. AUTHORIZATION (approves invoice for payment and applies spending authority): N N Y N N N
4. SECONDARY REVIEW (reviews invoice for completeness and accuracy): N N Y N N N
5. TERTIARY REVIEW (reviews invoice for completeness, accuracy and validity): N N N Y N N
6. DISBURSEMENT (issues payment; maintains chain of custody over payments): N N N N Y N
7. QUALITY ASSURANCE (compliance check): N N N N N Y
8. VENDOR MAINTENANCE (updates vendors on changes related to all client account information; monitors vendors
   for compliance with policies and standards; modifies and maintains vendor master data): N N N N Y P
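A segregation-of-duties map like the one above can be checked mechanically, which matters because such maps drift as staff and systems change. The Python below is an added example for this page, not Deloitte’s or the client’s tooling. It represents a duty/role matrix with the slide’s Y/N/P legend, reports any role that holds two duties from a list of incompatible pairs, reports duties with no accountable owner, and then applies a remediation and re-checks. The conflict pairs, the “before” matrix and the remediation are all constructed for the example; the pair list is an assumption about what an organization would treat as incompatible and is not taken from the slide.

```python
from itertools import combinations
from typing import Dict, List, Tuple

# duty -> {role: "Y" | "N" | "P"}, using the slide's legend:
# Y = accountable for the duty, N = must not perform it, P = acceptable to perform it.
Matrix = Dict[str, Dict[str, str]]

# Constructed list of duty pairs a single role must not hold together (assumption, not from the slide).
CONFLICTING_PAIRS = [
    ("REQUISITION", "AUTHORIZATION"),              # requester approves their own request
    ("AUTHORIZATION", "DISBURSEMENT"),             # approver also releases the payment
    ("INVOICE PROCESSING", "DISBURSEMENT"),        # invoice creator also pays it
    ("VENDOR MAINTENANCE", "DISBURSEMENT"),        # can create a vendor and pay it
    ("VENDOR MAINTENANCE", "INVOICE PROCESSING"),  # can create a vendor and an invoice for it
]
_CONFLICTS = {frozenset(pair) for pair in CONFLICTING_PAIRS}


def roles_in(matrix: Matrix) -> List[str]:
    """Every role named anywhere in the matrix, in first-seen order."""
    seen: List[str] = []
    for assignments in matrix.values():
        for role in assignments:
            if role not in seen:
                seen.append(role)
    return seen


def duties_of(matrix: Matrix, role: str) -> List[str]:
    """Duties the role is accountable for (Y) or permitted to perform (P). P counts because an
    'acceptable' assignment is still a path to the duty for someone in that role."""
    return [duty for duty, roles in matrix.items() if roles.get(role, "N") in ("Y", "P")]


def find_conflicts(matrix: Matrix) -> List[Tuple[str, str, str]]:
    """(role, duty_a, duty_b) for every conflicting pair held by one role."""
    found = []
    for role in roles_in(matrix):
        for a, b in combinations(duties_of(matrix, role), 2):
            if frozenset((a, b)) in _CONFLICTS:
                found.append((role, a, b))
    return found


def unowned_duties(matrix: Matrix) -> List[str]:
    """Duties with no accountable (Y) role: a step nobody owns is a step nobody checks."""
    return [duty for duty, roles in matrix.items() if "Y" not in roles.values()]


def with_assignment(matrix: Matrix, duty: str, role: str, value: str) -> Matrix:
    """Return a copy of the matrix with one cell changed; the original is left intact."""
    updated = {d: dict(r) for d, r in matrix.items()}
    updated.setdefault(duty, {})[role] = value
    return updated


# Constructed 'before' map for a small AP process: the department head both requests and
# approves, and Accounts Payable processes invoices, pays them and maintains vendor data.
AP_BEFORE: Matrix = {
    "REQUISITION":        {"Employee": "Y", "Department Head": "Y", "Accounts Payable": "N", "Quality Assurance": "N"},
    "INVOICE PROCESSING": {"Employee": "N", "Department Head": "N", "Accounts Payable": "Y", "Quality Assurance": "N"},
    "AUTHORIZATION":      {"Employee": "N", "Department Head": "Y", "Accounts Payable": "N", "Quality Assurance": "N"},
    "DISBURSEMENT":       {"Employee": "N", "Department Head": "N", "Accounts Payable": "Y", "Quality Assurance": "N"},
    "VENDOR MAINTENANCE": {"Employee": "N", "Department Head": "N", "Accounts Payable": "Y", "Quality Assurance": "P"},
    "QUALITY ASSURANCE":  {"Employee": "N", "Department Head": "N", "Accounts Payable": "N", "Quality Assurance": "Y"},
}


def remediated(matrix: Matrix) -> Matrix:
    """Constructed remediation: the department head stops requisitioning, invoice processing moves
    to a dedicated role, and vendor maintenance moves to Quality Assurance so AP only disburses."""
    m = with_assignment(matrix, "REQUISITION", "Department Head", "N")
    m = with_assignment(m, "INVOICE PROCESSING", "Accounts Payable", "N")
    m = with_assignment(m, "INVOICE PROCESSING", "Invoice Processing", "Y")
    m = with_assignment(m, "VENDOR MAINTENANCE", "Accounts Payable", "N")
    m = with_assignment(m, "VENDOR MAINTENANCE", "Quality Assurance", "Y")
    return m


if __name__ == "__main__":
    for role, a, b in find_conflicts(AP_BEFORE):
        print(f"CONFLICT: {role} holds both {a} and {b}")
    print("unowned duties:", unowned_duties(AP_BEFORE) or "none")
    print("after remediation:", find_conflicts(remediated(AP_BEFORE)) or "no conflicts")
```

The checker treats a P cell the same as a Y cell when looking for conflicts: from a fraud-risk standpoint, what matters is whether one person can reach both duties, not whether they are formally accountable for both. Running the same check after each reassignment is the quickest way to confirm that a remediation closed the gap without opening another.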
Evaluating & Enhancing a Fraud Management Program
A Model for Evaluating FRMP Maturity
Five maturity stages, in order of increasing stakeholder value:
Tribal & Heroic
• Ad-hoc/chaotic
• Depends primarily on individual heroics, capabilities, and verbal wisdom
Specialist Silos
• Independent risk management activities
• Limited focus on the linkage between risks
• Limited alignment of risk to strategies
• Disparate monitoring and reporting functions
Top Down
• Common framework, program statement, policy
• Routine risk assessments
• Communication of top strategic risks to the Board
• Executive/Steering Committee
• Knowledge sharing across risk functions
• Awareness activities
• Formal risk consulting
• Dedicated team
Systemic Risk Mgmt.
• Coordinated risk mgmt. activities across silos
• Risk appetite is fully defined
• Enterprise-wide risk monitoring, measuring, and reporting
• Technology implementation
• Contingency plans and escalation procedures
• Risk management training
Risk Intelligence
• Embedded in strategic planning
• Early warning risk indicators
• Development of performance metrics and key risk indicators
• Linkage to performance measurement/incentives
• Risk modeling/scenarios
• Industry benchmarking
Evaluating the Program Using a Common Framework
A comprehensive Fraud Risk Management Program Framework encompasses seven domains that can help manage fraud, waste
and error across the enterprise:
Strategy: Enterprise strategy that defines the Fraud Management Program function, role and objectives, and
establishes a strategic roadmap.
Governance: Fraud Risk Management Program oversight structure with well defined roles and responsibilities to
manage risks, ensuring that there is adequate collaboration among the various forums/functions.
Policies, Standards and Procedures: Policies, standards and procedures defining risk management methodology
and activities, risk tolerance levels and integration points between risk management functions to ensure
consistency and quality across all program activities.
Communication, Training and Awareness: Coordinated communication channels and programs to educate
stakeholders of responsibilities at all stages of the fraud management lifecycle.
Tools and Technology: Tools and technology that drive commonalities in risk management process, and support
data accuracy, availability and timeliness.
Risk Management: Due diligence and ongoing oversight that an organization must exercise throughout the fraud
management lifecycle.
Metrics and Reporting: Metrics and reports that provide a comprehensive view of enterprise Fraud risk to the
relevant stakeholders across the enterprise.
How to Refine the Fraud Risk Management Strategy
Three phases, with Program Management running across all of them:
1. Assess
Activities:
• Conduct organization readiness review and gap analysis based on the fraud management architectural framework
• Define target state by developing a fraud management architectural framework
• Develop fraud management roles and responsibilities
• Identify stakeholders and establish fraud management organization
Work Products:
• Fraud Management Architectural Framework
• Fraud Management Roles and Responsibilities
• Fraud Management Organization Structure
• Fraud risk governance interaction model
• Forum, charter and mandate
2. Develop
Activities:
• Develop fraud management governance materials
• Design fraud management process flows
• Develop fraud risk assessment questionnaire and risk ranking model
• Develop fraud detection and prevention technology controls
• Develop fraud management monitoring and reporting metrics
Work Products:
• Fraud Management Policy
• Fraud Management Process Flows
• Fraud Risk Assessment Questionnaire
• Fraud Risk Ranking Model
• Fraud Management Technology Architecture
• Fraud Management Monitoring and Reporting Metrics
3. Execute
Activities:
• Conduct fraud management training sessions
• Operationalize fraud management processes and controls
Work Products:
• Fraud Management Training Materials
• Program review and assessment
• Trend analysis and industry benchmarking
• Continuous improvement
Governance
Governance
• By formally documenting the fraud governance framework and interaction model, the organization will
have clear insight into how to align the governance forums and drive synergy.
Observation: Groups, forums and functions do not interact or support each other; further, governance forums are
created without knowledge and/or approval of the organization.
Recommendation: Document the current governance framework and interaction model to identify gaps and
deficiencies. Then, determine how to realign the framework to encourage greater collaboration.
[Figure: current state versus ideal state of fraud governance. Current state: isolated silos in which business
unit functions and forums (Function 1 to 4, Forum 1 to 4, Business Unit 1 and 2) produce output only. Ideal
state: Enterprise-wide Fraud Governance, led by an Enterprise Fraud Risk Management Committee/Owner and an
Enterprise Fraud Risk Management Group, with forum-level governance and cross-forum exchange of inputs/outputs
among Compliance, Internal Audit, Legal and Investigations.]
Enterprise Fraud Risk Management (EFRM) Framework
Level 1: Nine Principles for Building an Enterprise Fraud Risk Management Framework (The Risk Intelligent
Enterprise)
• Common Definition of Risk
• Common Risk Framework
• Roles & Responsibilities
• Transparency for Governing Bodies
• Common Risk Infrastructure including management & response
• Executive Management Responsibility
• Objective Assurance and Monitoring
• Business Unit Responsibility
• Support of Pervasive Functions
Oversight tiers: Risk Governance (Board of Directors); Risk Infrastructure and Management (Executive
Management); Risk Ownership (Business Units and Supporting Functions); underpinned by tone at the top.
Common Risk Infrastructure: People, Process, Technology
Risk Process: Identify Risks; Assess & Evaluate Risks; Integrate Risks; Respond to Risks; Design, Implement &
Test Controls; Monitor, Assure & Escalate
Risk Classes: Governance; Strategy & Planning; Operations/Infrastructure; Compliance; Reporting
Lines of defense: Line 1, Own & Execute; Line 2, Operate & Enable; Line 3.A, Oversee & Endorse
(Quasi-Independent); Line 3.B, Observe & Evaluate (Internal Audit, Independent)
Establishing an EFRM Governance & Operating Model
Board of Directors: Establish risk tolerances and advise on complex risk issues.
Risk Steering Committee / Fraud Risk Advisory Board:
• Define and implement Fraud Risk Guiding Principles and Strategy
• Leverage the whistleblower program to identify trends and/or Program weaknesses
• Provide regulatory interpretation and guidance
1st Line of Defense (Lines of Business and their Risk Officers)
• Implement internal controls and practices consistent with company-wide policies & procedures
• Managers appointed by the Lines of Business (LOBs) are responsible for identifying, assessing and mitigating
risk associated with their business
• Identify critical risk scenarios
• Own fraud risk for the business
• Maintain accountability for FRM practices and identified risks
• Identify risks and mitigation strategy
• Manage and resolve day-to-day issues
• Implement key controls
2nd Line of Defense (FRM Office / Centre of Excellence (COE), working with Investigations, HR, Finance, Risk,
Compliance, Technology, Legal and Corporate Communications)
• Design and assist in implementing company-wide risk framework and oversee enterprise risks
• Business partners work with the LOBs to identify, assess and mitigate all risks
• Provide tools and resources to enable effective & efficient execution of risk management activities
• Set FRM policies, procedures and standards to govern O/O activity
• Assist in developing TPRM guidelines, tools and templates
• Provide subject matter expertise to 1st Line of Defense
• Promote consistency and quality of FRM practices
• Provide ongoing training
• Drive consistent process across LOBs
• Provide enterprise FRM standard processes and templates
• Track issues and facilitate corrective actions
• Interact with regulators on fraud risk and information security topics
3rd Line of Defense (Internal Audit)
• Independently test, verify and evaluate risk management controls against internal policies
• Assess design and operating effectiveness of the program considering enhancements to operations, increased
customer base or geographical expansion
• Perform periodic audits and testing to monitor policy compliance
Assessing & Enhancing Tools
Assessing and Enhancing Tools
A technology architecture for managing Fraud risk is an ecosystem of orchestrated processes and systems which, if designed
appropriately, can help ensure that all relevant data obtained across the Fraud lifecycle (including fraud scenarios, metrics,
whistleblower logs and incident reports) is available to facilitate risk assessment, classification, monitoring and reporting.
Components of the architecture:
Risk Management / Monitoring Systems
• Fraud Information Databases
• Key Data Inventory
• Risk Scenario Inventory
• Performance Monitoring
Risk Metrics Calculation / Modeling
• Risk Aggregation
• Scenario Risk Score calculation
• Risk & Compliance Assessment
• Third Party Event Monitoring
Infrastructure Components
• Reporting / Notification Rules
• Information Entitlements & Security
• Key Risk Indicators
• Risk Threshold / Tolerance
• Performance Metrics
• Residual Risk Calculation
Reporting
• Standardized Reports
• Dashboards
• Analytics
• Logging / Audit Trails
TPRM Tool Box (interfaces with databases and risk systems)
Feedback: promotes continuous improvement to data, systems and architecture
DRAFT – FOR DISCUSSION PURPOSES ONLY
© Deloitte & Touche LLP and affiliated entities.
Develop Industry-Specific Metrics
Develop metrics to assess the performance of the FRMP and identify emerging risks/issues. Having the right metrics in place enables an organization to:
• Document, measure and monitor the organization’s risk appetite for Fraud Risk when making various business decisions (e.g., whether to outsource to a third party, to expand into a specific geographical region, etc.);
• Identify trends in fraudulent activity and discern weaknesses in current processes and/or applications that expose the organization and its customers to undue risk;
• Determine the “true cost” of fraud, including losses to the customer, incident response costs, investigation and recovery costs and the impact on customer attrition;
• Make better decisions on how to manage fraud and where to focus resources;
• Reconsider control activities that were initially perceived as too costly to the organization;
• Measure its performance in relation to loss mitigation, total cost of mitigation, total funds recovered and cost of recovery.
Risk Appetite and Enterprise Fraud Risk Management (EFRM)
Articulating Risk Appetite
• Provides a structure for discussion of the balance between business strategy and risk
• Provides guiding principles for management in determining whether strategic/business activities and risk levels are acceptable or not
• Provides a consistent view of risk across the organization to facilitate decision making
• Enhances the risk awareness culture
• Establishes thresholds to monitor against
• Allows the business to make decisions considering risk
Components of an effective ERM Program
• Enterprise Risk Management Vision and Strategy
• Governance
• Culture
• Methodology
• Common Language
• Risk Policies
• Risk Appetite
• Risk Assessment
• Risk Measurement
• Risk Monitoring
• Reporting and Escalation
• Independent Verification/Testing
Copyright © 2012 Deloitte Development LLC. All rights reserved.
Risk Appetite
Risk and Reward Scale: Risk Seeking | Risk Tolerant | Risk Neutral | Risk Averse
Description
• Risk Seeking: Taking risk is considered part of the company’s strategy
• Risk Tolerant: Company takes an aggressive approach towards taking risk
• Risk Neutral: Company takes a balanced approach to risk taking
• Risk Averse: Company accepts as little risk as possible
Example risk appetite by business activity
• Risk Seeking: New market expansion and acquisition activities
• Risk Tolerant: Innovation, tax activities
• Risk Neutral: Operations, financing activities
• Risk Averse: Health, safety, environment, security, fraud, financial reporting, regulatory compliance, and reputation
Develop and Monitor Key Risk Indicators (KRIs) to proactively identify when tolerable risk thresholds are exceeded
1. Identify Data Points
• Establish data points per KRI
• Identify data source(s) per data point
• Determine data usage
2. Gather Data
• Determine collection method
• Obtain data from relevant sources including existing reports and key databases
3. Review Data Points
• Perform in-depth review of data elements at each step of the process to ensure data quality and accuracy
4. Aggregate & Review KRI Values
• Combine data points to generate KRI values
• Determine thresholds to monitor
Develop comprehensive risk reporting which takes into account a composite view of emerging risks or trends/behaviors which may indicate that a risk has been, or is about to be, realized.
Example KRI table (RAG status follows from the stated thresholds):
KRI Ref No. | KRI Description | KRI Calculation Formula | KRI Thresholds (Green / Amber / Red) | Value | RAG
1 | Number of whistleblower complaints related to fraud | Count | 0 / – / >0 | 0 | Green
2 | Number of internal control operating deficiencies identified | Count | 0 / 1-2 / >2 | 2 | Amber
3 | Count of significant breach events against applicable ethical standards, as defined in supplier contract | Count | <3 / 3-5 / >5 | 8 | Red
Metrics to Consider
Loss/Damage Quantification
• Total customer losses to be reimbursed.
• Customer attrition costs due to experiencing a fraud incident.
• Total effort expended per incident and the related costs.
• Total incidents for each period.
• Average legal fees per incident.
• Number of employee hours diverted to incident response.
• Cross-channel losses resulting from incidents originating in a specific department/division.
Trends/Weaknesses Exploited
• Successful bypass of internal controls – what controls are getting targeted and bypassed the most?
• Incidents of management override of controls.
• Attack volume.
• Incidents by type and transaction.
• Incidents by geographic location.
• Trends – time of day most attacks occur.
• Trends – types of businesses targeted.
Response and Recovery
• Total effort required to respond to each incident.
• Response time for each incident.
• Timeliness of investigation and wrap-up.
• Total funds recovered in a period.
• Cost-benefit analysis as it relates to cost of recovery versus actual funds recovered.
• Phishing – time from notification to take-down.
• Phishing – success rate of take-down.
Performance
• Number of compromised customers in a period.
• Number of repeat offences against a customer in a period.
• Number of incidents identified by the organization compared to incidents identified by the customer.
• Number of fraudulent attacks denied versus successful attempts.
• Total false positives recognized in a period.
• Total incidents in a period.
• Total incidents by theme.
• Impact of remediation efforts on total incidents.
Monitoring KRIs based on geographical location, areas of operation, and/or services provided will help an organization determine where to allocate resources in response to emerging risks.
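As an added example (not from the deck and not Deloitte’s code), the following Python script shows how the KRI cycle described on the previous slide can be mechanised over metrics of the kind listed here: raw incident records are aggregated into period metrics (incidents by theme, organization- versus customer-identified incidents, denied versus successful attempts, false positives), the metrics and externally sourced data points are turned into KRI values, and each value is rated Red/Amber/Green against a tolerance threshold, as in the KRI table. The incident records, the external counts and the fourth KRI (customer-detection share, with its thresholds) are constructed for illustration; KRIs 1-3 reuse the descriptions and thresholds from the KRI table.

```python
"""Fraud KRI evaluation over constructed incident data (added illustration).

Derives period metrics from raw incident records, combines them with externally
sourced data points into KRI values, and rates each KRI Red/Amber/Green against
tolerance thresholds. All records, external counts and KRI 4 are constructed.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Constructed sample incidents for one reporting period:
# (theme, first identified by, outcome, false_positive)
Incident = Tuple[str, str, str, bool]
INCIDENTS: List[Incident] = [
    ("account takeover", "organization", "denied", False),
    ("account takeover", "customer", "successful", False),
    ("phishing", "organization", "denied", True),   # alert that proved benign
    ("phishing", "customer", "successful", False),
    ("management override", "organization", "successful", False),
    ("account takeover", "organization", "denied", False),
]

# Constructed data points that come from other sources (whistleblower log,
# control testing results, supplier contract monitoring).
EXTERNAL_DATA_POINTS: Dict[str, float] = {
    "whistleblower_fraud_complaints": 0,
    "control_deficiencies": 2,
    "supplier_ethics_breaches": 8,
}


def period_metrics(incidents: List[Incident]) -> dict:
    """Aggregate raw incident records into the period metrics the slide lists."""
    confirmed = [i for i in incidents if not i[3]]
    return {
        "false_positives": sum(1 for i in incidents if i[3]),
        "total_incidents": len(confirmed),
        "by_theme": dict(Counter(i[0] for i in confirmed)),
        "by_detector": dict(Counter(i[1] for i in confirmed)),
        "denied": sum(1 for i in confirmed if i[2] == "denied"),
        "successful": sum(1 for i in confirmed if i[2] == "successful"),
    }


@dataclass(frozen=True)
class KRI:
    ref: int
    description: str
    green_max: float   # value <= green_max             -> Green
    amber_max: float   # green_max < value <= amber_max -> Amber; above -> Red
    source: Callable[[dict, dict], float]  # (metrics, external) -> KRI value

    def rag(self, value: float) -> str:
        if value <= self.green_max:
            return "Green"
        if value <= self.amber_max:
            return "Amber"
        return "Red"


# KRIs 1-3 take their thresholds from the KRI table (integer counts, so "<3"
# becomes green_max=2); KRI 4 is a constructed customer-detection ratio.
KRIS: List[KRI] = [
    KRI(1, "Whistleblower complaints related to fraud", 0, 0,
        lambda m, e: e["whistleblower_fraud_complaints"]),
    KRI(2, "Internal control operating deficiencies identified", 0, 2,
        lambda m, e: e["control_deficiencies"]),
    KRI(3, "Significant breaches of supplier ethical standards", 2, 5,
        lambda m, e: e["supplier_ethics_breaches"]),
    KRI(4, "Share of incidents first identified by the customer (constructed)", 0.25, 0.5,
        lambda m, e: (m["by_detector"].get("customer", 0) / m["total_incidents"]
                      if m["total_incidents"] else 0.0)),
]


def evaluate_kris(incidents: List[Incident], external: Dict[str, float],
                  kris: List[KRI] = KRIS) -> Dict[int, Tuple[float, str]]:
    """Return {ref: (value, RAG)} for every KRI."""
    metrics = period_metrics(incidents)
    results = {}
    for k in kris:
        value = k.source(metrics, external)
        results[k.ref] = (value, k.rag(value))
    return results


def breached(results: Dict[int, Tuple[float, str]]) -> List[int]:
    """KRI refs whose value exceeds tolerance (Red): escalation candidates."""
    return sorted(ref for ref, (_, rag) in results.items() if rag == "Red")


if __name__ == "__main__":
    res = evaluate_kris(INCIDENTS, EXTERNAL_DATA_POINTS)
    for k in KRIS:
        value, rag = res[k.ref]
        print(f"KRI {k.ref}: {k.description}: {value} -> {rag}")
    print("Escalate:", breached(res))
```

The thresholds are kept on the KRI object rather than in the reporting code so that the tolerance levels agreed with the business can be reviewed and changed in one place; `breached` gives the list a reporting rule would escalate.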
Use metrics to determine the “true cost” of fraud
• An online banking division had been experiencing an increase in the following fraud scenarios:
- Access of a legitimate customer account by a fraudulent third party with the intention of acquiring sensitive client information (browsing); and
- Access of a legitimate customer account by a fraudulent third party with the intention of executing unauthorized transactions for personal gain.
• Perpetrators were able to access client accounts through the deployment of financial malware.
• Once a perpetrator gains access to valid customer credentials, the perpetrator is able to access the client account and commence fraudulent browsing on the account and/or the execution of fraudulent transactions.
Fraudulent Event Frequency and Detection Impact
• There have been 45 fraud incidents since October of the prior year:
o October to June: 1-4 incidents occurred per month.
o July: 10 incidents occurred.
o August: 12 incidents occurred.
• Only half of all fraud incidents are detected by the bank. The other half are discovered and reported by the customers.
• Business customers account for 80% of fraud.
• Average loss to the customer was $15,000 per incident.
• 235 to 660 employee hours are consumed for each fraud incident depending on the severity.
• Hours consumed by employees for incident response are estimated to be as follows:
o Contacting the client: 50 – 75;
o Freezing, closing and opening new accounts: 150 – 300;
o Corporate Security: 25 – 250 (depending on whether an investigation is warranted);
o IT: 0 – 15;
o Management: 10 – 20.
• At an average cost of $50 per hour, it is estimated to cost approximately $11,750 to $33,000 in payroll expenses per incident.
• Investigation costs are averaging $10,000 per incident.
• Total costs do not consider the cost of customer attrition should customers leave subsequent to falling victim to a fraud incident and/or reimbursements made to clients.
For the months of July and August alone, the total cost incurred to mitigate, manage and respond to incidents of fraud was estimated to be between $300,000 and $500,000.
Extending the FRMP to Third Parties
Third Party Risk
Third Party Risk Management is the discipline of systematic measurement and management of risks associated with Third Parties throughout the relationship lifecycle.
What is Third Party Risk
• Reliance on third-party relationships can significantly increase an organization’s strategic, reputation, compliance, and transaction risk. Increased risk most often arises from poor planning, oversight, and control on the part of the organization and/or inferior performance or service on the part of the third party.
• The consequences can go well beyond direct financial loss to include damage to reputation, media embarrassment, regulatory scrutiny and loss of customers.
Potential Risks
• Strategic
• Reputation
• Compliance
• Transaction
• Credit
• Country
• Business Continuity
• Contractual
• Financial Stability
• Information Security/Privacy
How Third Party Risk Manifests Itself
The presence and severity of each risk vary based on the nature of the third party relationship. Determining factors include:
1. Third Party Profile
• Geographical location
• Type of service provided
• Nature and extent of customer interaction
2. Criticality of Outsourced Product/Service
• The impact to the organization (financial, reputational, etc.) should the third party be unable to meet its contractual obligations
3. Access to Confidential/Sensitive Information
• The impact to the organization should confidential information be misappropriated and/or transferred across borders
4. Level and Point of Integration with Operations
• At what point(s) within the process flow do third parties contribute to the execution of the process
• How ingrained a third party’s people, practices and technology are in support of the execution of a process (e.g., payroll, data processing)
5. Service Model Affecting Level of Oversight Over the Third Party
• Staff Augmentation
• Managed Service
• Co-sourcing
Note that a third party’s risk profile can increase greatly if the third party chooses to rely on a fourth party for support.
Drivers for Third Party Risk Management
• Heightened Regulatory Awareness & Expectations (CFPB, FFIEC, OCC, FCPA)
• Increased Reliance on Third and Fourth Parties as they become more accessible
• Increased Outsourcing of Critical Services, increasing the exposure to Continuity of Business Risk
• Increased Third Party Access to PII and Other Confidential/Sensitive Data
Note that while you can outsource a product/service, you cannot outsource the risk:
• Reliance on third-party relationships can significantly increase an organization’s fraud risk
• Organizations that outsource products or services need to understand that their Fraud Risk Management Program is only as strong as the weakest practices in the Third Parties they are outsourcing to
• Failure to extend the Fraud Risk Management Program to Third Parties can result in the organization facing severe penalties and greater regulatory scrutiny (FCPA, UK Bribery Act, CFPB, Privacy Laws, etc.)
Key Elements of a Third Party Risk Management Program
The organization must first understand that each Third Party’s risk profile is unique and requires a tailored risk management strategy. The appropriate strategy is dependent on the nature of the particular Third Party relationship, the type and materiality of the risks present, and the ability of the organization to manage those risks. Therefore, a holistic risk management program with select risk management practices targeted to address specific Third Party Risks must be in place across the entire Third Party Lifecycle.
Applying the Third Party Risk Management Program Across the Third Party Lifecycle
Evaluate & Select
• Risk assessment
• Inherent Risk Profiling and Vendor Selection Reviews
• Third party approval and tiering process
• Review Vendor for the following: Financial Viability; Exit strategy; Sanction screening; Reputational reviews; Country risk reviews; Ability to meet compliance obligations
Contract & On-board
• Contract negotiation and legal/procurement approvals
• Contract Language Exception Management
• Control assessments including: Information Security review; Physical Security Review; Vulnerability and Threat Assessment; Business Continuity assessment
Manage & Monitor
• SLA and Performance monitoring
• Compliance assessments
• News and event monitoring
• Reputational reviews
• Country risk reviews
• Contract reviews
Terminate & Off-board
• Exit strategy and contract review
• Termination Management to confirm that the Vendor meets the obligations of their contract and all client data is removed per the Vendor’s contractual obligations
Ongoing Program Management & Reporting (across all four phases)
Changes in environmental factors have increased the depth and frequency of regulatory reviews. A proactive organization will try to minimize such regulatory scrutiny and the possibility of penalties due to non-compliance. It also allows the organization to retain the flexibility of developing and implementing risk management strategies on its own, absent direction from a regulatory authority (e.g., MRA, consent order).
Leveraging the Whistleblower Program
Whistleblower Program
The 2012 Corporate Governance and Compliance Hotline Benchmarking report is a compilation of 599,162 reports throughout a five-year period covering 2007 to 2011. In 2011, 129,199 reports were taken from 1,128 organizations representing 15,052,215 employees.
Source: The Network, “2012 Corporate Governance and Compliance Hotline Benchmarking Report”
“As organizations continue to either implement or improve their Whistleblower Programs, their ability to detect and prevent fraud grows.”
Note that the percentage of whistleblower complaints pertaining to Fraud has significantly increased.
Observations from the benchmarking data:
• Whistleblower Programs get used the most in industries focused on Retail or Service
• There are 7 key types of incidents that are escalated via the Whistleblower Program
• Phone is still the most popular intake method by far
• Incidents of retaliation for reporting are on the rise
• Organizations are finding creative ways to inform stakeholders of the Whistleblower Program
• Minimal preference over the ability to report anonymously
• Preference to not notify management
In 2011, 67% of all reports warranted an investigation and only 16% did not warrant an investigation; this is referred to as the “actionability” of the report. Of the 67%, 41% resulted in corrective action being taken. In 2010 and 2011 there was nearly a 10% increase from 2007 in the “other” category, which may be due to companies implementing variations in the reporting outcomes.
Features of a Well-Designed Whistleblower Program
• Option for anonymity
• Organization-wide (global) and available 24/7, ideally by telephone, with professionally-trained
interviewers in all local languages
• Single hotline for all ethics-related issues
• Dual dissemination of the information received so that no single person controls the information, with
criteria for immediate escalation where warranted, and for notification of the audit committee when
financial irregularities or senior management are involved
• Case management protocols, including processes for the timely investigation of hotline reports and
documentation of the results
• Supports the collection and analysis of data to identify trending
• Management analysis of trends and comparison to norms
• Data security and retention policies and procedures (including geographical trends)
• Customization to comply with the laws of foreign jurisdictions and to address cultural differences
• Ongoing messaging to motivate everyone in the organization, as well as vendors, to use the hotline
Whistleblower Program
• A significant number of fraud schemes are uncovered due to employee tips
• A whistleblower program provides employees with a way to report their concerns to the appropriate stakeholders of the organization
• A whistleblower program can only be effective if the following criteria are met:
1. The program is targeted to the relevant stakeholders
2. The stakeholders are aware that such a program exists
3. The stakeholders have a requirement to report
4. The stakeholders have a reasonable assurance of anonymity
5. The stakeholders have access to reporting mechanisms inexpensively and with as few complications as possible, and the program supports direct communication
6. The stakeholder feels comfortable communicating her/his concerns
7. The stakeholder believes that appropriate action will be taken
8. The stakeholder has reasonable assurance that she/he will not be persecuted for reporting her/his concerns
Consider extending your whistleblower program out to external parties as well.
Effective Response Protocols
Develop a fraud policy with appropriate fraud response protocols and ownership of fraud risk management
Formalize and document roles and responsibilities as well as fraud response protocols within an enterprise-wide fraud policy. This helps ensure that incidents are responded to in a timely manner to minimize the financial and reputational impact.
• It is essential that any violations, deviations, or other breaches of the code of conduct or controls, regardless of where in the organization, or by whom, they are committed, be reported and dealt with consistently and in a timely manner.
• Appropriate punishment must be imposed, and suitable remediation completed.
• The board should ensure that the same rules are applied at all levels of the organization, including senior management.
• The organization should develop a system for prompt, competent, and confidential review, investigation, and resolution of allegations involving potential fraud or misconduct.
• Protocols for the board’s involvement in such cases — which will vary depending on the nature, potential impact, and seniority of persons involved — should be defined clearly and communicated to management by the board.
• The roles of the board, management, legal counsel, internal audit and others in the investigation process should be clearly defined.
A Fraud Policy
Many organizations use a fraud policy to communicate the organization’s approach to
fraud. An effective fraud policy typically contains the following:
• A statement of the organization’s attitude to fraud (e.g., zero tolerance);
• A discussion on the commitment of leadership to address and respond to fraud risks;
• Alignment with the code of conduct/ethics;
• Alignment with the whistleblower policy;
• The allocation of responsibilities for the management of fraud including:
– Reporting suspicions of fraud including whistleblower arrangements (if used);
– The procedures employees should follow if fraud is identified;
– Guidance on training for the prevention/detection of fraud;
– Reference to the response plans and protocols that have been devised to deal with and minimize
the damage caused by an incident of fraud;
– Reference to the remedial action protocols in place.
Developing Investigation Standards
Management is ultimately responsible for developing standards and controls over the
investigation process, including:
– Developing policies and procedures for effective investigations;
– Preserving evidence;
– Handling the results of investigations;
– Reporting to the board; and
– Internal and external communications.
Such standards are often documented in a fraud policy.
Internal audit may assist in the evaluation of the policy.
It is often important to assemble the investigation team without delay. If the organization is likely to need external experts, the organization may want to pre-qualify service providers so external resources are quickly available when needed.
The Key Elements of an Investigation
The investigation and response system should include a process for:
– Categorizing issues;
– Confirming the validity of the allegation;
– Defining the severity of the allegation;
– Escalating the issue or investigation when appropriate;
– Referring issues outside the scope of the program;
– Conducting the investigation and fact-finding;
– Resolving or closing the investigation;
– Listing types of information that should be kept confidential;
– Defining how the investigation will be documented; and
– Managing and retaining documents and information.
Investigations should be performed in accordance with protocols approved by the
board. A consistent process for conducting investigations can help the
organization mitigate losses and manage risks associated with the investigation.
Consider using investigation templates and checklists to standardize and formalize
the investigation process (including who to contact and when).
Internal Audit’s Role in Responding to Incidents of Fraud
It is acceptable for Internal Audit or other internal personnel to participate in the
investigation provided that those persons conducting the investigation are
sufficiently independent, objective and possess the relevant skills and expertise
necessary to:
– Conduct interviews;
– Collect and manage evidence;
– Compile and analyze evidence;
– Access and analyze public records;
– Access and analyze personal documents belonging to the perpetrator;
– Conduct computer forensic examinations; and
– Liaise with legal counsel to prepare evidence and provide a forensic report.
If in doubt – consult!
– To ensure that investigations are completed timely, effectively and efficiently, it is
always recommended that external resources be consulted.
Legal Counsel Considerations
It is in the best interest of the company (and its stakeholders), both
professionally and legally, to work effectively with legal counsel and to become
familiar with the relevant laws in the country the fraud investigation occurs.
Legal counsel may also be able to assess the impact the fraud will have on the
board and management and provide guidance on how to manage both internal
and external communications regarding the status of the fraud and the
investigation.
It is strongly recommended, in many cases, to use counsel to invoke attorney-client privilege, thus having the investigation executed under the direction of legal counsel. This will maximize the legal privilege attached to any work performed by the investigation team.
Fraud Policy Decision Matrix
Similar to a RACI, a fraud policy decision matrix summarizes the roles and responsibilities
articulated in the fraud policy itself:
Action Required | Investigations | Internal Audit | Finance | Executive Management | Risk Management | Public Relations | Human Resources | Legal
1 Controls to prevent fraud | S S S P SR S S S
2 Incident reporting | P S S S SR S S S
3 Investigation of fraud | P S S S
4 Referrals to law enforcement | P S
5 Recovery of monies | P S
6 Internal controls review | P
7 Handle sensitive cases | SR S S S P
8 Publicity/press releases | S P SR
9 Civil litigation | SR S S S P
10 Corrective action/recommendations to prevent recurrences | SR SR P SR
11 Monitor recoveries | S P
12 Proactive fraud auditing | S P
13 Fraud education/training | SR P S S S
14 Risk analysis of areas of vulnerability | S S P
15 Trend analysis | S SR P
16 Investigation case analysis | P SR
17 Whistleblower complaint monitoring | S SR P
P (Primary Responsibility), S (Secondary Responsibility), SR (Shared Responsibility). Blank cells did not survive extraction, so in rows with fewer than eight entries the entries are listed left to right without their column positions.
Incorporate Post Investigation Considerations into the FRMP
Resolution - consists of determining what actions will be taken by the organization once a fraud
scheme and perpetrator(s) have been fully investigated, and evidence has been reviewed.
Management and the Board are responsible for determining how to resolve the incident.
Reflection - The results of a fraud investigation may indicate that an occupational fraud had a
previously undiscovered adverse effect on the organization’s financial position and its operational
results. Senior management and the board need to be informed of this so they can decide on the
appropriate reporting requirements.
Remediation - After the fraud has been investigated and communicated, it is important for
management and internal audit to consider the lessons learned.
– How did the fraud occur?
– What weaknesses were exploited?
– What controls failed?
– Why wasn’t this caught and what were the red flags?
Develop a formalized process in which investigations, management and internal audit collaborate to identify deficiencies in operations and/or internal controls that led to the fraud and determine optimal solutions to address these deficiencies.
Questions & Answers
Daniel J. Williams CGA, CFE, CIA, CISA, CAMS, PMP
604.640.3286
604.351.5567