INGRAINING ANTI-FRAUD MEASURES INTO THE AUDIT PROCESS
Yosief Ghirmai, Director Internal Audit – West Region
Dan Samson, Integrated Project Manager
July 2006

2006 Symposium on Fraud Presentation


MIS Training Institute Session K - Slide 2 OAF500 076 ©

AGENDA
• Fraud Overview
• Origins of Fraud
• Understanding Financial Statement Fraud
• Fraud Warning Signs
• Anti Fraud / Audit Processes
• Introduction to Raytheon Internal Audit
• Raytheon’s Committed Organizations
• Key Success Factors


FRAUD OVERVIEW
• What is fraud?
  – The use of one’s occupation for personal enrichment due to use/misuse of company resources.
• How bad is it?
  – 85% of corporate fraud is committed by insiders (employees / management), based on Ernst & Young’s 8th International Fraud Survey.
  – 6% of revenues will be lost to fraud annually
  – 21% of losses will be over $500K
• How is fraud found?
  – 40% based on tips
  – 19% by Internal Audit organizations
  – 19% by accident or chance
  – 18% based on functioning internal controls
  – 4% based on external controls
• Only 50% of companies have fraud-related policies.


HOW DOES FRAUD OCCUR?


THE ORIGINS OF FRAUD

[Figure: "Then" and "Now" panels]


THE ORIGINS OF FRAUD

The Fraud Triangle: Pressure, Opportunity, Rationalization

• Customer demand steadily declining
• Pending bankruptcy or delisting
• Highly complex transactions
• Significant related party transactions
• Significant use of estimates
• Ensuring goals are being met
• The activity is not criminal
• Competitors are doing it
• Compensation is contingent on results
• Unrealistic revenue and profit expectations


THE TRAJECTORY OF FRAUD
• Fraud starts out small
• Increases in complexity and aggressiveness
• Grows in magnitude and number of participants
• No way out


RESTATEMENTS IN 2004
• 253 of the restatements were associated with the audited financial statements
  – 23% increase over 2003
• Revenue recognition, equity accounting, reserves and contingencies were the leading cause of restatements.

[Chart: Restatements Resulting from Errors and Irregularities, 1998–2004 (vertical axis 0–500); annotation: 28% increase in 2004]


2004 FRAUD STATISTICS
• Fraud and abuse costs U.S. organizations more than $660 billion annually.
• The average organization loses about 6 percent of its total annual revenue to fraud and abuse committed by its own employees.
• The median loss caused by males is about $160,000; by females, about $60,000.
• Men commit nearly 53 percent of the offenses.
• Median losses caused by men are nearly three times those caused by women.


2004 FRAUD STATISTICS
• Losses caused by managers are double those caused by employees.
• Median losses caused by executives are 14 times those of their employees.
• The most costly abuses occur in organizations with less than 100 employees.
• The education industry experiences the lowest median losses.
• Occupational fraud and abuses fall into three main categories: asset misappropriation, fraudulent statements, and bribery and corruption.


ERRORS VS. IRREGULARITIES
• Errors Involve:
  – Mistakes in gathering and processing data
  – Incorrect use of estimates
  – Certain mistakes in applying accounting principles
• Irregularities Involve:
  – Manipulating, altering or falsifying records
  – Intentional omission of events, transactions, or significant events
  – Misapplication of accounting principles with intent to deceive


UNDERSTANDING FRAUD


THE SLIPPERY SLOPE

Utilize aggressive reserves

Delay / alter expense recognition

Accelerate revenue recognition

Make unsupportable entries

Exploit acquisition reserves

Fabricate additional revenues


UTILIZE AGGRESSIVE RESERVES
• Bad debt reserves
• Returns and allowances
• Inventory obsolescence
• Change pension assumptions
• Special charges


DELAY/ALTER EXPENSE RECOGNITION
• Fail to write down impaired assets
• Investment income offsets expenses
• Shift expenses to earlier periods
• Capitalize operating expenses


MANIPULATE REVENUE RECOGNITION
• Channel stuffing
• Side agreements
• Quid pro quo
• LT contracts accelerated


USE “CREATIVE” ACCOUNTING
• No relationship to underlying transaction
• Book nonexistent inventory
• Fail to eliminate inter-company sales
• Abusing structured finance transactions


EXPLOIT ACQUISITION RESERVES
• Release questionable reserves into income
• Establish sham reserves
• Undervalue the target’s acquired assets


FABRICATE ADDITIONAL REVENUE
• Create phony sales invoices
• Merger hold backs
• Treat borrowing as operating revenue


FRAUD WARNING SIGNS


FRAUD WARNING SIGNS
• Balance Sheet
  – Accounts receivable grows substantially faster than sales
    • Example of aggressive revenue recognition
  – Growth in A/P substantially exceeds revenue growth
    • Failing to pay current expenses – will require larger cash outlays in future periods (Bonus may be tied to CFFO)
• Income Statement
  – Majority of net income comes from one-time gains
    • Core business may be deteriorating
  – Operating expenses decline sharply relative to sales
    • Improperly capitalizing expenses or offsetting investment gains
  – Seller provides financing and/or extended payment terms
    • Quality of earnings may be suspect


FRAUD WARNING SIGNS
• Statement of Cash Flows
  – Cash flow from operations materially lags net income
    • Quality of earnings may be suspect
  – Company cash flows come primarily from asset sales, borrowing, or equity offerings
    • Sign of material weakness in core business
• Footnotes, MD&A, Proxy & Auditor’s Letter
  – Change in accounting principles, estimates, and classification
    • Attempt to hide operating problems
  – Very acquisitive in recent past
    • Potential for masking past poor performance and manipulating net income
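The balance sheet, income statement and cash flow warning signs listed on the two slides above can be screened for mechanically across two reporting periods. The following is an added example, not part of the original presentation; the field names, the numeric thresholds standing in for "substantially", "sharply" and "materially", and the sample figures are all assumptions constructed for illustration.

```python
"""Screen two consecutive reporting periods for the financial-statement
warning signs listed on the slides. Thresholds and sample data are
assumptions made for this example, not values from the presentation."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Period:
    sales: float
    accounts_receivable: float
    accounts_payable: float
    operating_expenses: float
    net_income: float
    one_time_gains: float
    cash_from_operations: float   # CFFO
    cash_from_asset_sales: float
    cash_from_financing: float    # borrowing plus equity offerings


# Assumed cut-offs: the slides give no numbers for these terms.
GROWTH_GAP = 0.10       # balance grows 10+ points faster than sales
OPEX_RATIO_DROP = 0.05  # opex/sales ratio falls by 5+ points
CFFO_FLOOR = 0.75       # CFFO below 75% of net income
MAJORITY = 0.50


def growth(prior: float, current: float) -> float:
    """Period-over-period growth; a non-positive base yields no signal."""
    return (current - prior) / prior if prior > 0 else 0.0


def warning_signs(prior: Period, current: Period) -> list[str]:
    """Return the warning signs that the current period triggers."""
    signs = []
    sales_growth = growth(prior.sales, current.sales)

    ar_growth = growth(prior.accounts_receivable, current.accounts_receivable)
    if ar_growth - sales_growth > GROWTH_GAP:
        signs.append("A/R grows substantially faster than sales")
    ap_growth = growth(prior.accounts_payable, current.accounts_payable)
    if ap_growth - sales_growth > GROWTH_GAP:
        signs.append("A/P growth substantially exceeds revenue growth")

    if current.net_income > 0 and current.one_time_gains / current.net_income > MAJORITY:
        signs.append("majority of net income comes from one-time gains")

    if prior.sales > 0 and current.sales > 0:
        drop = (prior.operating_expenses / prior.sales
                - current.operating_expenses / current.sales)
        if drop > OPEX_RATIO_DROP:
            signs.append("operating expenses decline sharply relative to sales")

    if current.net_income > 0 and current.cash_from_operations < CFFO_FLOOR * current.net_income:
        signs.append("cash flow from operations materially lags net income")

    # Only positive cash sources count as inflows.
    sources = [current.cash_from_operations,
               current.cash_from_asset_sales,
               current.cash_from_financing]
    total_inflow = sum(x for x in sources if x > 0)
    non_operating = sum(x for x in sources[1:] if x > 0)
    if total_inflow > 0 and non_operating / total_inflow > MAJORITY:
        signs.append("cash comes primarily from asset sales, borrowing or equity offerings")
    return signs


# Constructed sample data (thousands of dollars); not from any real company.
FY1 = Period(1000, 150, 100, 300, 80, 5, 90, 0, 10)
FY2_HEALTHY = Period(1100, 165, 110, 330, 88, 5, 95, 0, 10)
FY2_SUSPECT = Period(1100, 240, 108, 260, 120, 70, 40, 60, 50)

if __name__ == "__main__":
    for label, period in (("healthy", FY2_HEALTHY), ("suspect", FY2_SUSPECT)):
        print(label)
        for sign in warning_signs(FY1, period) or ["no warning signs"]:
            print("  -", sign)
```

A flagged sign is a reason to look closer, matching the slides' wording ("may be suspect"), not a finding of fraud.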


WHERE DO WE GO FROM HERE?


WHY SPEND TIME ON FRAUD?

POLITICAL RISK

PUBLIC RELATIONS RISK

VALUATION RISK

FINANCIAL RISK

REGULATORY RISK

CUSTOMER SERVICE RISK

ENVIRONMENTAL RISK

CREDIT RISK

LIQUIDITY RISK

REPUTATIONAL RISK

REPORTING RISK

“HOW CAN WE NOT?”


INTEGRATION OF ANTI-FRAUD TECHNIQUES
• Annual Audit Plan
  – Corporate-wide risk assessments
  – Enterprise Risk Management (ERM)
  – Employee/Cultural Surveys
• Consultation on Business Projects – “Think Fraud”
  – Early participation
  – Education
  – Facilitate brainstorming sessions on fraud risks of new and developing systems, organizations, businesses, etc.
  – Offer multiple solutions to fraud risks identified
  – Added benefit – building bridges and partnerships w/o auditing


INTEGRATION OF ANTI-FRAUD TECHNIQUES
• Audit Planning & Execution – Six Sigma Tool Usage
  – Identify “Burning Platform” or problem statement – “fraud risk within ___ process, organization, business, etc.”
  – Brainstorm fraud risks
    • Individually and then as a team
  – Affinitize risks into categories
    • Common themes/categories
  – Rank and rate fraud risks (likelihood + impact = total rank)
    • Prioritize those with overall highest rating
  – Develop interrelationship diagrams
    • Systematically identify, analyze, and classify the cause and effect relationships among major fraud categories
  – Incorporate interviews, testing, and observation criteria into Audit Program to validate fraud risk has been mitigated.


INTEGRATION OF ANTI-FRAUD TECHNIQUES
• Ongoing:
  – Maintain Open Door Policy
  – Continue to be resource for fraud prevention and consulting
  – Build and maintain bridges with customers
  – If trust has been established, customer/s will seek you out when concerns arise.
  – Partnering with Ernst & Young on piloting industry specific fraud risk profile


FRAUD RISK ASSESSMENT FACTORS*
• Potential Risk Factors to Consider when Planning an Audit:
  – Sensitivity/public exposure
  – Dollar impact/materiality
  – Volume
  – Growth
  – Speed in reacting to change
  – Potential or actual fraud
  – Management attitude/style/effectiveness
  – Pressure to achieve organizational goals, to produce
  – Variance from business plans/budgets
  – Employee turnover or lack of turnover
  – Threat of outside intervention
  – Process for monitoring risks

*Excerpted from MIS “Auditors and Managers Symposia” surveys


FRAUD RISK ASSESSMENT FACTORS*
• Potential Risk Factors to Consider when Planning an Audit:
  – Training deficiencies
  – Management integrity/control attitude
  – Diversity
  – Complexity
  – Customer, employee, vendor feedback
  – Last time audited
  – Maturity of business
  – Newness
  – Pre-implementation reviews
  – Environmental impact
  – Society Changes
  – Crisis management/business resumption

*Excerpted from MIS “Auditors and Managers Symposia” surveys


FRAUD RISK ASSESSMENT FACTORS*
• Potential Risk Factors to Consider when Planning an Audit:
  – Liquidity
  – Threat of penalties, litigation
  – Control environment
  – Stockholder impact
  – Number/dispersed locations
  – Market stability
  – Senior management capability
  – Major system change
  – Disaster recovery
  – Inflexible controls
  – Unauthorized disclosure of information
  – Degree of automation

*Excerpted from MIS “Auditors and Managers Symposia” surveys


FRAUD RISK ASSESSMENT FACTORS*
• Potential Risk Factors to Consider when Planning an Audit:
  – Change in competition
  – Economic stability
  – Adequacy of policies and procedures
  – Judgmental extent in transactions
  – Vendor/union dependency
  – “December” transactions
  – Existence of a business plan
  – Centralization vs. decentralization
  – Outsourcing/loss of in-house expertise
  – Acquisition/divesture
  – Reorganization
  – Qualified labor pool talent
  – Role of external audit

*Excerpted from MIS “Auditors and Managers Symposia” surveys


FRAUD RISK ASSESSMENT FACTORS*
• Potential Risk Factors to Consider when Planning an Audit:
  – Employee morale
  – Downsizing
  – Early retirement impact
  – Decrease in benefits
  – Internal political environment
  – Benchmarking, quality of metrics
  – Method of compensation
  – Use of temporary personnel
  – Employee satisfaction
  – Things “going too well”
  – Cultural differences
  – Empowerment

*Excerpted from MIS “Auditors and Managers Symposia” surveys


TYPES OF AUDITS AND SERVICES
• Compliance
• Regulatory
• Advisory Services
• Special Investigations & Requests

[Diagram labels: MS, NCS, IDS, SAS, RAC, IIS, RTSC, CORP]


Anti-Fraud Program

An effective Fraud Prevention Program should be embedded in the culture of a company through activities that prevent and detect fraud, as well as comprehensive awareness and education of stakeholders.

[Diagram: program cycle, framed on both sides by "Assess Culture"]
• Assess Risk of Fraud
• Analyze Control Structure
• Monitor Fraud Controls
• Report Findings from Monitoring
• Investigate Fraud
• Improve Program


Culture Components

• Tone at the Top: Executive management has an explicit and clear message related to fraud and the organization’s tolerance.
• Control Environment: The organization maintains a strong control environment and consciousness.
• Communication: The organization explicitly discusses expectations related to fraud and acceptable behavior, as well as encourages reporting of unusual or fraudulent activities.
• Awareness: The organization maintains formal programs to broadly and frequently communicate code of conduct, expectations, and how to access the fraud hotline.
• Education: The organization conducts formal training on fraud awareness and the expectation of process owners to identify and communicate unusual or fraudulent activities.
• Response to Fraud Incidents: Executive management and the Audit Committee take swift and decisive actions to address fraud, as well as appropriately communicate the lessons learned.


Questions to Ask

• Where could fraud occur?
• What controls should be in place to prevent or detect fraud?
• How do you monitor these controls?
• How do you communicate the results of the monitoring activities?
• What do you do when you find exceptions or instances of fraud?

Assess Risk of Fraud

Analyze Control Structure

Monitor Fraud Controls

Report Findings from Monitoring

Investigate Fraud

Improve Program


Assess Risk of Fraud

• Fraudulent Statements
  – Improper Revenue Recognition
  – Improper Expense Recognition and/or Asset Overstatement
  – Tax Fraud
  – Improper Disclosures and F/S Classification
  – Incorrect Management Reports
  – Incorrect Employment Credentials
• Asset Misappropriation
  – Theft of Cash on Hand
  – Theft from Deposit
  – Unrecorded Sales
  – Theft of Checks
  – Check Tampering
  – Skimming Receivables
  – Fraudulent Register Disbursements
  – Fraudulent Expense Disbursements
  – Payroll Fraud
  – False Billing
  – Theft of Assets
  – Misuse of Assets
  – Theft of Intellectual Property
• Corruption
  – Bribery
  – Conflict of Interest
  – Illegal Gratuities
  – Economic Extortion

[Diagram: fraud triangle with corners Pressure, Opportunity, Rationalization]
• Pressure
  – Financial, personal, unrealistic corporate objectives, etc.
• Real or Perceived Opportunity
  – Weak controls/employees in positions of trust
• Rationalization or Justifications
  – Beliefs such as “the activity is not criminal,” “everyone is doing it,” etc.


Establish a Fraud Risk Profile

[Chart: fraud schemes plotted on Likelihood and Impact axes: Bribery, Theft of IP, Theft of Cash, Payroll Fraud, Improper Revenue, F/S Disclosure, False Billing, Theft of Assets, False Expense Claims, Tax Fraud]


Risk Based Approach to Fraud Controls

• High Fraud Risk: Review Company-Level Controls + Review Existing Monitoring & Transaction-Level Controls + Fraud-Specific Controls
• Medium Fraud Risk: Review Company-Level Controls + Review Existing Monitoring & Transaction-Level Controls
• Low Fraud Risk: Review Company-Level Controls


Validate Controls & Address Residual Risk of Fraud

[Chart: fraud schemes plotted on Likelihood and Impact axes: Bribery, IP, Cash, Payroll, Revenue, Disclose, Billing, Assets, False Expense Claims, Tax]

• Test Fraud Controls
• Residual Risk of Fraud
• Control Issues
• Fraud Indicators
• Action Plan


Data Analysis Techniques

• Formulate Fraud Hypothesis – What are we looking for?
• Design Detection Techniques – How is fraud concealed?
• Gather Required Data – Where is fraud imprinted?
• Perform Tests – Are there fraud indicators?
• Evaluate Fraud Indicators – What is the action?


Minimizing the Damage

Understand Fraud Event

Secure Evidence

Review Evidence

Interview Suspects and Witnesses

Evaluate Findings, Report, Remediate

•  What happened?

•  What is the damage?

•  Who was involved?

•  Where can we find it?

•  Is it relevant for legal action?

•  Are tools available?

•  What are we looking for?

•  Do we have the skills?

•  Can a confession be obtained?

•  How was fraud committed?

•  Can damages be recovered?


Learning from Experience

[Diagram: program cycle]
• Assess Risk of Fraud
• Analyze Control Structure
• Monitor Fraud Controls
• Report Findings from Monitoring
• Investigate Fraud
• Improve Program

•  Remediate ineffective controls
•  Optimize controls
•  Strengthen Whistle-Blower Program
•  Use advanced real-time techniques
•  Consolidate Fraud Reporting
•  Develop Fraud Response Plans
•  Re-Assess Risk of Fraud
•  Develop Investigation Protocols


Government Contracting Fraud Schemes
• Labor
  – Improper charging to Government contracts due to wrong charge numbers, misunderstandings, to avoid cost overruns on fixed priced contracts and uncompensated overtime charging.
• Material
  – Kickbacks and bribes are a high risk area. Up to 50% of all subcontractors were involved in some type of scheme.
    • Frequency in purchases under $10K due to lack of scrutiny
    • Wide range of payoffs: buying lunch, cars, airline tickets, vacations, appliances, and cash payoffs in the thousands.
• Indirect Costs
  – Cost transfers as a result of improper charging
  – Purchases written off as scrap, obsolete or excess for company gains


Government Contracting Fraud Schemes
• Billing Systems
  – Billing of fictitious costs for purposes of obtaining progress payments
  – Purchase material to obtain progress payments; then transferring material to another contract once billed.
• Forward Pricing
  – Bidding higher labor rates than actual performer (bid an engineer vs. manufacturing employee)
  – Duplicative billing – charging Government for items that have been already reimbursed under overhead
  – Material components counted twice
  – Failing to disclose internal documents on discounts


Investigations/Lessons Learned
• 2102 contacts; 231 allegations of misconduct
• Labor reporting and misuse of asset violations – high volume (64% of total); low impact to company due to minor nature of most
• Conflicts of interest, kickbacks, fraud, misuse of company funds/property – lower volume, but higher $ risk (penalties)
• Financial accounting violation and Product Substitution – low volume; high risk of penalty
• Mitigation factors
  – Thorough investigation
  – Disclose as appropriate
  – Make corrections voluntarily
  – Discipline employees

A solid program reduces liability exposure


Raytheon’s Commitment


Internal Audit Charter
• Objective and Reporting
  – Internal Audit is responsible for all internal auditing throughout Raytheon.
  – Its primary objective is to assist management in the evaluation and improvement of Raytheon’s risk management, control and governance processes. Risk being those events or circumstances that interfere with the achievement of Raytheon objectives and internal control being those measures taken by management that enable the achievement of Raytheon objectives, thereby reducing the likelihood of risk occurrence. Governance refers to all means and measures put in place by Raytheon to enhance shareholder value.
• Scope and Methodology
  – Internal Audit will review:
    • Effectiveness and efficiency of Raytheon’s business processes;
    • Reliability and integrity of information;
    • Compliance with applicable laws, regulations and policies/procedures;
    • Means of safeguarding Raytheon’s assets;
    • For all business activities/entities within the Company.


Internal Audit Charter
• Scope and Methodology (Continued)
  – Processes
    • Designing internal audit plans based on a documented, top-down business risk assessment methodology;
    • Performing corporate internal audits, generating recommendations that will add value to the business;
    • Following up the timely implementation of these recommendations with responsible management.
    • Internal Audit will execute its activities within the framework as set by The Standards for the Professional Practice of Internal Auditing as promulgated by the Global Institute of Internal Auditors. Within its scope of work, Internal Audit will have unrestricted access to all records, functions, property, personnel and information in whatever form within the organization.
• Organization
  – Internal Audit is a centralized activity managed out of Headquarters with internal auditors located throughout Raytheon, but organized in two regional audit groups and an IT audit group (total of 6 locations).
  – All internal auditors are managed (career development, remuneration, performance evaluations, etc.) by the Corporate Vice President of Internal Audit, Larry Harrington. It is his responsibility to maintain a professional audit staff with sufficient knowledge, skills, experience and professional certifications to meet the requirements of this Charter within the budget set by the Chairman and CEO.


Internal Audit – Vision

“CREATING POSITIVE CHANGE WITH A SENSE OF URGENCY”
• What does this mean?
  – Raytheon Internal Audit department completed 30 audits in 2005.
• What role does Internal Audit and Management play in achieving this Vision?
  – Customer Satisfaction: Be a value added organization through customer satisfaction surveys after each engagement to obtain a customer focused organization.
  – Growth: Audit planning encompasses areas that contribute to growth and provide a respective role in the acquisition and divestiture processes.
  – People: Highly educated, diverse, and certified team with a focus on continued education and leadership development.
  – Productivity: Clear and direct audit methodology that embraces Six Sigma ideas and tools. Formal audit plan that focuses on improving financial, operational, and compliance controls.


Audit Team
• The primary objective of this team is to ensure that Raytheon’s Financial and Operations related risks are evaluated and assessed on a global basis. The audit team performs a variety of audits, and works in coordination within the Regional Audit Groups (including IT Audit Team), as well as other related departments on a Regional and Corporate basis, such as RCET, Ethics and ICE management.
• The Audit team has a technically diverse background, which helps ensure that we are able to effectively audit various domains.
  – 65% of the management team have a Master’s Degree and 100% have at least one certification; 70% of all staff have at least one certification and 40% of all hires are qualified Six Sigma specialists.
  – Core competency model and comprehensive training program established by leveraging Raytheon programs; career plans established with all new hires, and orientation and onboarding program in place.
  – Minimum outside turnover; four team members have taken positions in the finance organizations, two at SAS, one at RSL, and one with the Thales Joint Venture.


Internal Audit Advisory Committee

• Internal Audit (IA) works closely, and coordinates its efforts, with other risk management organizations both internal and external to Raytheon. This is done to leverage the work and avoid duplication of effort – and, just as important, to minimize the disruption to Management.
• Larry Harrington heads the Internal Audit Advisory Committee, which includes representatives from the following groups:
  – Internal Audit
  – RCET
  – Ethics organization
  – ICE
  – IT Controls/Governance & Risk Management
  – Legal
  – Corporate Security


Other Groups Evaluating Risk

• External Auditors (PwC): Are not employees of the organization. They are contracted by management to give an opinion on the reliability and accuracy of financial statements before their publication to external stakeholders. Their review can be mandatory in some countries, or may be requested by official governmental bodies in others.
• Internal Controls Excellence (ICE): Corporate ICE team works closely with segment and functional implementation managers to ensure that Raytheon’s internal controls over financial reporting are properly designed and operating effectively.
• Raytheon Company Evaluation Team (RCET): Small handpicked team of highly experienced individuals who bring a cross-section of expertise to conduct effective assessments for the CEO and Business Leaders on a wide range of business or enterprise issues. These range from specific Program Independent Assessments (PIAs) to broad issues that span multiple businesses.
• Quality Auditors & Import/Export Auditors: Quality Auditors are employees of the organization, but they only focus on the compliance with Quality Standards and Procedures (ISO 9000, TL 9000), whereas we focus on the overall efficiency / effectiveness of processes. Import/Export Auditors assess compliance to the regulatory requirements of import/export laws and regulations.
• DCAA: The Defense Contract Audit Agency, under the authority, direction, and control of the Under Secretary of the Defense (Controller), is responsible for performing all contract audits for the Department of Defense, and providing accounting and financial advisory services regarding contracts and subcontracts to all DoD Components responsible for procurement and contract administration. These services are provided in connection with negotiation, administration, and settlement of contracts and subcontracts. DCAA also provides contract audit services to other Government Agencies.
• DCMA: The Defense Contract Management Agency is an independent combat support agency within the Department of Defense (DoD). They are the Department's contract manager, responsible for ensuring Federal acquisition programs, supplies, and services are delivered on time, within cost and meet performance requirements.


KEY SUCCESS FACTORS

Together, we can:

“Create Positive Change with a Sense of Urgency”

• Hiring the right people
• Establishing and Maintaining Excellent Working Relationships
  – Honest & Open
  – Fair and Reasonable
  – Responsive
• Clear Understanding of Responsibilities & Expectations
• Teams working together in partnership


For additional information, please contact:

Yosief Ghirmai (972) 344-3193

Dan Samson (617) 901-6022 www.linkedin.com/in/danielasamson

Questions?