Delivering Risk & Fraud Assessments Your Board Wants & Needs

Greg Plotts, CPA, Partner & Rob Eby, CPA, CGMA, Partner

© Aronson LLC | aronsonllc.com


Agenda

• Enterprise Risk Assessment Overview

• Fraud Assessment Overview

• Getting to Know the Perpetrator

• In the News

• Anti-Fraud Programs & Controls

• Data Analytics & Visualization Testing Techniques

• Taking Action


Enterprise Risk Assessment Overview


WHY conduct enterprise risk assessments?

All too confusing and overdone… Except when we get in trouble

Must do it… But how do we do it better?

Keep Us Out of Trouble Make Our Business Better

Growing Number of Frauds

New Potential Security Breaches

Catastrophic Reputational Consequences

Bigger Fines and Settlements for information disclosure

New/Expanded Regulations

Effective Use of Technology

Coordinated Risk Management Activities

Growing Threats & Vulnerabilities and Attacks

Enhanced Security Policies

Cost-Effective Compliance

Rationalized & Optimized Controls

Better Protect Key Assets & Information

GOAL


HOW do we conduct enterprise risk assessments?

Top-down Risk Profile identified and assessed

Bottom-up Risk Profile identified and assessed

Residual risk assessment and evaluation of management controls

Consistent methodology, approach, language, tools

A, B: Compare A to B to make sure they align

Inherent risk assessment, evaluation of specific controls and residual risk assessment

Diagram labels: Operations, Audit Committee, HR, Finance, Audit, Quality, Audit, Firm, Corporate Governance, Group Risk Focal Point (Collation and Reporting), IT

• Identified and assessed locally by management and local risk teams

• Consistent language, methodology and scoring parameters used

• Aligned to business objectives


Approach

Phases: Plan, Identify, Assess, Report

Timeline: 1 – 2 weeks, 1 – 2 weeks, 1 week, 2 weeks

Objectives

► Understand the environment, its policies, processes, and controls

► Identify risks in the various risk categories

► Rank and prioritize risks based on established methodology

► Report risks based on likelihood and impact

Aronson Activities

► Conduct entrance meeting to discuss scope, approach, deliverables and project plan

► Request and review all applicable documentation

► Identify applicable risk categories from the Risk Universe

► Develop questionnaire for in-person interview to identify risks in the risk categories

► Interview key Senior Management personnel and Board of Directors to gain an understanding of their perspective on risk

► Benchmark existing processes against industry leading frameworks

► Collate all data points and identify risk across all in-scope risk categories

► Identify risk factors that contribute to the risks

► Rank and prioritize risks

► Identify gaps and develop recommendations

► Develop draft of the Risk Assessment Report

► Develop Risk Assessment Report including recommendations

► Deliver Risk Assessment Report to stakeholders for review and feedback

► Receive and incorporate feedback

► Finalize Risk Assessment Report

► If requested, present the Risk Assessment Report to the Board of Directors

Work Products

► Entrance meeting presentation

► Interview Questionnaire

► None

► Draft Risk Assessment Report

► Final Risk Assessment Report


HOW do we categorize, understand, and address risk?

• Risk Categories

– Strategic

– Financial

– Operational

– IT

– Compliance

• Risk Ranking

– Risk Level = Likelihood x Impact

– Low, Medium, and High scores

• Inherent Risks vs Residual Risks

• Managing Risks – Accept, Avoid, Mitigate, or Transfer


WHAT are we assessing?

Governance:

Board Performance

Tone at The Top

Control Environment

Corporate Social Responsibility

Planning and Resource Allocation:

Organizational Structure

3rd Party Relationships

Strategic Planning

Annual Budgeting

Forecasting

JVs/Alliances and Partnerships

Outsourcing Arrangements

Major Initiatives:

Vision and Direction

Planning and Execution

Measurement & Monitoring

Technology Implementations

Technology Support

Strategic

Market Dynamics:

Competition

Macro-Economic Factors

Lifestyle Trends

Socio-Political

Communication & Investor Relations:

Media Relations and Investor Communications

Marketing:

Marketing

Fundraising

Membership Development

Intermediary Relationships

People/Human Resources:

Culture

Recruiting & Retention

Development & Performance

Succession Planning

Compensation & Benefits

Information Technology:

IT Management

IT Confidentiality

IT Availability/Continuity

IT Spend

IT Integrity

IT Infrastructure

Operations

Business Interruptions:

Natural Events

Terror & Malicious Acts

Outages

Assets:

Real Estate

Physical Assets

Information Assets/Records

Core Operating Processes:

Portfolio Management

Pricing and Valuation

Investment Accounting

Investment Performance and Attribution

Safeguarding of Client Assets

Service Provider Oversight

Contract Management

RISK UNIVERSE

Financial

Liquidity Risk Management:

Liquidity Risk

Cash Management

Funding

Insurance

Accounting and Reporting:

Accounting, Reporting and Disclosure

Internal Control

Credit Risk Management:

Credit Risk

Credit and Collections

Settlement Risk

Counterparty Risk

Compliance

Code of Conduct:

Ethics

Fraud

Legal & Regulatory:

Federal Laws

International

Compliance

State Laws

Intellectual Property

Legal & Regulatory (Cont):

Litigation and Discovery Response

Supervision

Customer Protection

Data Protection and Privacy


Sample Heat Map

[Figure: sample heat map with a risk type color key: Strategic, Operational, IT, Financial, Compliance]


WHERE you can expect enterprise risk to take you?

Initial: 1

• Requirements Defined

• Risk Processes Identified

• Risk Taxonomy & Threat Matrix

Managed: 2

• Risk Appetite Statements Defined

• Risk Processes Defined

• Risk Processes Mapped with Framework

• Risk Taxonomy & Threat Matrix

Defined: 3

• Integration with Business Processes has Begun

• Risk Metric Requirements Defined

• Assessment Convergence has Begun

• Risk Processes Automation has Begun

• Risk Awareness Program Implemented

Managed & Measurable: 4

• Risk Processes Automation Consistent & Complete

• Trending of Compliance and Risk Metrics

• Risk Processes Monitored and Improved

• Risk Metrics Aligned with Business Drivers

Optimized: 5

• Risk Processes Quality Program Implemented

• Risk Processes Fully Aligned with Business

• Risk Processes Optimized for Efficiency

• Risk Optimization Tied to Technology Investment


Fraud Assessment Overview


News Story #1

• In June 2018, a former bookkeeper pleaded no contest to charges that she stole nearly $7 million from a nonprofit, an organization that serves the intellectually disabled.

• At age 71, she was sentenced to 25 years in prison and ordered to pay nearly $7 million in restitution.

• Hawaii News Now referred to it as one of the largest white-collar crime cases in Hawaii’s history.

• She used the money to buy 5 homes, fund lavish vacations, purchase cars, benefit family members, and gamble in Las Vegas.

• She forged approximately 628 checks over 19 years, amounting to about $50,000 a month.

• In several instances, the NFP had to borrow money from a board member in order to pay its bills.

• The theft was discovered during a routine audit.

• Additional losses are possible since financial institutions are only required to maintain records for up to seven years.


Defining Occupational Fraud

The Association of Certified Fraud Examiners (ACFE) defines Occupational Fraud & Abuse as:

“the use of one’s occupation for personal enrichment through the deliberate misuse or misapplication of the employing organization's resources or assets”


The Fraud Triangle

Pressure

• Personal debt

• High medical bills

• Supporting a habit

• Work-related pressures

Rationalization

• “I’m not hurting anybody.”

• “This organization owes me.”

• “I’ll pay it back.”

Opportunity

• Inadequate segregation of duties

• Rapid turnover/lack of oversight

• Absence of mandatory vacations

• Constant “crisis” mode

• Controls not followed


How does an organization’s size relate to its occupational fraud risk?

Source: ACFE’s Report to the Nations: 2018 Global Study on Occupational Fraud and Abuse


How does detection method relate to fraud duration and loss?

Source: ACFE’s Report to the Nations: 2018 Global Study on Occupational Fraud and Abuse


What is the breakdown of fraud schemes in nonprofits?

Scheme Frequency

Register Disbursements 3%

Cash Larceny 9%

Financial Statement Fraud 10%

Skimming 17%

Non-Cash 19%

Check Tampering 19%

Cash on Hand 22%

Payroll 22%

Expense Reimbursements 29%

Corruption 34%

Billing 40%

Source: ACFE’s Report to the Nations: 2018 Global Study on Occupational Fraud and Abuse


Defining Fraud Schemes

• Billing schemes include: false vendors or shell companies; resubmitting valid invoices for duplicate payment; and including personal expenses as company charges.

• Corruption includes: conflict of interest, bribes, kickbacks, bid rigging, and sales schemes.

• Non-cash schemes include: theft of inventory or company assets and misuse of company assets.

• Skimming includes: theft of incoming payments before they are entered into the system, hidden by lapping receivables or unrecorded sales.


Defining Fraud Schemes (Cont.)

• Expense reimbursement schemes include: mischaracterized expenses, overstated expenses, fictitious expenses, and duplicate reimbursements.

• Check tampering includes: forged maker, forged endorsement, and altered payee.

• Payroll schemes include: ghost employee, retaining an employee on payroll after termination, falsified wages, and commission schemes.

• Cash on hand includes: theft of petty cash or stealing funds from company vault.

• Cash larceny includes: theft of cash or receipts after the transactions have been entered into the general ledger.


What are the top concealment methods?

Concealment Method Frequency

Created Fraudulent Elec. Docs/Files 29%

Created Fraudulent Journal Entries 30%

Destroyed Phys. Docs 30%

Altered Elec. Docs/Files 31%

Altered Trans. in Acct. Sys. 34%

Created Fraudulent Trans. in Acct. Sys. 42%

Altered Phys. Docs 48%

Created Fraudulent Phys. Docs 55%

Source: ACFE’s Report to the Nations: 2018 Global Study on Occupational Fraud and Abuse


Case Study: False Vendor Invoices

• Nick is the A/P clerk at ABC, a rapidly growing company

• Nick’s responsibilities include A/P, cash disbursements, and new vendor approval

• Nick knows his bosses don’t pay attention to vendor invoices under $2,500

• Nick forms a shell company (XYZ), with a PO box address

• Nick adds XYZ as an ABC-approved vendor

• Nick generates a few $500 monthly invoices from XYZ for “consulting services” and arranges for ABC to pay them

• Thinking he’s in the clear, Nick later increases the XYZ invoices to $2,499 and submits them on a semi-monthly basis


Getting to Know the Perpetrator


How does the perpetrator’s level of authority relate to occupational fraud?

Source: ACFE’s Report to the Nations: 2018 Global Study on Occupational Fraud and Abuse


How does the perpetrator’s age relate to occupational fraud?

Source: ACFE’s Report to the Nations: 2018 Global Study on Occupational Fraud and Abuse


How does the perpetrator’s gender relate to occupational fraud?

Source: ACFE’s Report to the Nations: 2018 Global Study on Occupational Fraud and Abuse


How does the gender distribution of perpetrators vary by region?

Source: ACFE’s Report to the Nations: 2018 Global Study on Occupational Fraud and Abuse


How does the perpetrator’s tenure and education relate to occupational fraud?

TENURE

• Very few (9%) were with employer for <1 year.

– 44% for 1-5 years

– 23% for 6-10 years

– 24% for >10 years

• Median loss increases with tenure.

– $241,000 for >10 years

– $173,000 for 6-10 years

– $100,000 for 1-5 years

– $40,000 for <1 year

EDUCATION

• Most college-educated.

– 47% with college degree

– 14% with post-grad. degree

– 15% with some college

– 24% with HS diploma or less

• Median loss increases with education.

– $230,000 with post-grad. degree

– $160,000 with college degree

– $130,000 with some college

– $75,000 with HS diploma or less

Source: ACFE’s Report to the Nations: 2018 Global Study on Occupational Fraud and Abuse


Do perpetrators tend to have prior experience?

Source: ACFE’s Report to the Nations: 2018 Global Study on Occupational Fraud and Abuse

PRIOR FRAUD CONVICTIONS

PRIOR EMPLOYMENT-RELATED DISCIPLINARY ACTIONS FOR FRAUD


Source: ACFE’s Report to the Nations: 2018 Global Study on Occupational Fraud and Abuse

Do fraud perpetrators also engage in non-fraud related misconduct?


What is the frequency and median loss by department of perpetrator?

Department Frequency Median Loss

Accounting 14% $212,000

Operations 14% $88,000

Senior Management 11% $729,000

Admin. Support 8% $91,000

Finance 6% $156,000

IT 3% $225,000

Marketing 2% $80,000

HR 1% $76,000

Board of Directors 1% $360,000

Source: ACFE’s Report to the Nations: 2018 Global Study on Occupational Fraud and Abuse


Attributes of an Embezzler

• Superiority Complex

• Greed

• Pressure from Above

• Rule-Breaker Mentality

• Sense of Entitlement

• Thrill Seeker

• Well-Educated

• Addiction

• Position of Trust

• Financial Stress


Anti-Fraud Programs & Controls


Were losses recovered?

Nothing Recovered 53%

Partial Recovery 32%

Recovered All Losses 15%

Source: ACFE’s Report to the Nations: 2018 Global Study on Occupational Fraud and Abuse


What are the common red flags?

Red Flag Frequency

Wheeler-dealer attitude 12%

Divorce/Addiction problems 15%

Unwillingness to share duties 16%

Unusually close to vendor/customer 20%

Financial difficulties 30%

Living beyond means 46%

Source: ACFE’s Report to the Nations: 2018 Global Study on Occupational Fraud and Abuse


What is the frequency and median loss by initial detection of fraud?

Detection Method Frequency Median Loss

Tip 40% $147,000

Internal Audit 15% $100,000

Mgmt. Review 13% $135,000

By Accident 7% $250,000

Account Reconciliation 6% $85,000

External Audit 4% $470,000

Police 2% $1,000,000

Surveillance 2% $48,000

Confession 1% $500,000

Source: ACFE’s Report to the Nations: 2018 Global Study on Occupational Fraud and Abuse


What was the primary internal control weakness?

[Bar chart on a 0% to 35% scale; values not recoverable. Categories: Lack of competent personnel; Poor tone at the top; Lack of management review; Override of existing controls; Lack of internal controls]

Source: ACFE’s Report to the Nations: 2018 Global Study on Occupational Fraud and Abuse


How does the presence of anti-fraud controls relate to median loss?

Source: ACFE’s Report to the Nations: 2018 Global Study on Occupational Fraud and Abuse


How does the presence of anti-fraud controls relate to duration of fraud?

Source: ACFE’s Report to the Nations: 2018 Global Study on Occupational Fraud and Abuse


Effective Controls


Prevention

• Code of conduct

• Employee counseling services

• Fraud training

• Employee background checks

• Mandatory vacations, job rotation

• Segregation of duties

Detection

• Fraud hotline

• Financial statement trend analysis

• Monthly financial statement preparation and review

• Monthly reconciling of accounts

• Surprise (internal) audits

• External audit

• Employee exit interviews

Deterrence

• Prosecuting fraud perpetrators


Fraud/Whistleblower Hotlines

% of Victim Organizations that Had a Fraud Hotline

2008 44%

2010 51%

2012 54%

2014 54%

2016 60%

2018 63%

Source: ACFE’s Report to the Nations: 2018 Global Study on Occupational Fraud and Abuse

Tips are the #1 fraud-detection method

Hotlines provide a reporting channel for complaints from employees and/or outsiders

– Confidential

– Anonymous

Many organizations (especially small nonprofits/associations) do not have a fraud hotline


Code of Conduct

• Conflicts of interest

• Confidentiality

• Relationships with customers and suppliers

• Gifts and entertainment

• Unethical behavior

• Use of corporate assets

• How to report fraud or unethical behavior

It is important to monitor compliance with the code of conduct, which may include requiring at least annual confirmation of compliance with and understanding of the code.


Segregation of Duties

Human Resources

• Is there a mandatory vacation policy?

• Is the hiring function separate from payroll processing?

Cash Receipts

• Is the sales function separate from credit approval?

• Does the A/R clerk also handle customer complaints?

Cash Disbursements

• Does the person who signs checks also perform bank reconciliations?

• Do checks over a certain threshold require dual signatures?

• Who approves new vendors?

Financial Management

• Are financial statements prepared monthly and reviewed by an executive?

• Are A/R and A/P reports reconciled to the G/L on a monthly basis?


Data Analytics & Visualization Testing Techniques


Fraud Data Analytics & Visualization Process

Define the Fraud Test

• Define the fraud indicators you wish to test for based on experience and common fraud schemes. It may be beneficial to hold a fraud brainstorming meeting to help define them.

Data Extraction & Cleansing

• Identify the source IT system(s) that store the required data and extract this data in a controlled environment.

• Clean the data and convert it to a format suitable for analysis. Import it into analysis software or Excel for test execution.

Data Analysis & Visualization

• Translate the fraud tests into suitable technical data tests and perform analysis to identify unusual trends, data anomalies and control breakdowns.

Reporting and Monitoring

• Produce reports that provide data insights for process owners. The tests can be re-performed on a periodic basis to facilitate continuous monitoring.


Example Fraud Test Definitions

Payroll

• Ghost employees

• Duplicate bank details

Payments analysis

• Adherence to limits

• Trend analysis

Vendor file

• Run checks of vendor addresses against employee addresses for any matches and be aware of any P.O. boxes

Accounts payable

• Weekend payments

• Payments to unauthorized vendors

• Run checks of duplicate invoice numbers, dates and amounts for items submitted more than once

• Check invoices against contract terms or purchase orders for amounts that don’t agree

Financial statement close

• Manual journal postings/adjustments

• Journals not balancing to 0

• Journals posted after hours

• GL accounts that are frequently reversed

• Dormant accounts that are suddenly being used
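
The vendor-file, accounts-payable and payment-limit tests listed above, run over data shaped like the false vendor invoice case study. This is an added example, not part of the original presentation; the sample records, the 5% "just below the limit" band, the flag names and all function names are assumptions constructed for illustration.

```python
import re
from collections import Counter, defaultdict
from datetime import date

REVIEW_THRESHOLD = 2500.00  # invoices under this amount go unreviewed in the case study
NEAR_LIMIT_BAND = 0.05      # assumption: within 5% under the limit counts as "just below"

# Constructed sample data, shaped like the ABC/XYZ case study (not real records).
EMPLOYEES = [
    {"id": "E01", "name": "Nick", "address": "9 Oak Avenue, Springfield"},
    {"id": "E02", "name": "Dana", "address": "14 Elm Street, Springfield"},
]
VENDORS = [
    {"id": "V100", "name": "Office Supply Co", "address": "200 Main St., Springfield"},
    {"id": "V200", "name": "XYZ", "address": "P.O. Box 812, Springfield"},
    {"id": "V300", "name": "Janitorial Services", "address": "14 Elm St, Springfield"},
]
PAYMENTS = [  # (payment id, vendor id, invoice number, payment date, amount)
    ("P1", "V100", "INV-7001", date(2018, 3, 5), 3120.00),
    ("P2", "V200", "X-001", date(2018, 3, 1), 500.00),
    ("P3", "V200", "X-014", date(2018, 6, 1), 2499.00),
    ("P4", "V200", "X-015", date(2018, 6, 16), 2499.00),     # paid on a Saturday
    ("P5", "V100", "INV-7001", date(2018, 3, 19), 3120.00),  # same invoice paid again
    ("P6", "V900", "Q-77", date(2018, 6, 12), 180.00),       # vendor not in the vendor file
]

ABBREVIATIONS = {"street": "st", "avenue": "ave", "road": "rd", "p o box": "po box"}


def normalize_address(address):
    """Lower-case, drop punctuation and unify abbreviations so near-identical addresses match."""
    text = re.sub(r"[^a-z0-9 ]", " ", address.lower())
    text = re.sub(r"\s+", " ", text).strip()
    for long_form, short_form in ABBREVIATIONS.items():
        text = re.sub(rf"\b{long_form}\b", short_form, text)
    return text


def vendor_file_flags(vendors, employees):
    """Vendor file test: P.O. box addresses and vendor addresses that match an employee's."""
    employee_addresses = {normalize_address(e["address"]) for e in employees}
    flags = defaultdict(set)
    for vendor in vendors:
        address = normalize_address(vendor["address"])
        if re.search(r"\bpo box\b", address):
            flags[vendor["id"]].add("PO_BOX_ADDRESS")
        if address in employee_addresses:
            flags[vendor["id"]].add("EMPLOYEE_ADDRESS_MATCH")
    return dict(flags)


def payment_flags(payments, vendors):
    """Accounts payable and limit tests applied to each payment."""
    approved = {v["id"] for v in vendors}
    # Duplicate key is vendor + invoice number + amount; add the invoice date where the extract has it.
    seen = Counter((vid, inv, amt) for _, vid, inv, _, amt in payments)
    lower_bound = REVIEW_THRESHOLD * (1 - NEAR_LIMIT_BAND)
    flags = defaultdict(set)
    for pid, vid, inv, paid_on, amount in payments:
        if vid not in approved:
            flags[pid].add("UNAUTHORIZED_VENDOR")
        if paid_on.weekday() >= 5:  # 5 = Saturday, 6 = Sunday
            flags[pid].add("WEEKEND_PAYMENT")
        if seen[(vid, inv, amount)] > 1:
            flags[pid].add("DUPLICATE_INVOICE")
        if lower_bound <= amount < REVIEW_THRESHOLD:
            flags[pid].add("JUST_BELOW_LIMIT")
    return dict(flags)


def vendor_summary(vendors, employees, payments):
    """Roll the flags up per vendor, with the total value of that vendor's flagged payments."""
    per_payment = payment_flags(payments, vendors)
    summary = defaultdict(lambda: {"flags": set(), "flagged_total": 0.0})
    for vid, flags in vendor_file_flags(vendors, employees).items():
        summary[vid]["flags"] |= flags
    for pid, vid, _, _, amount in payments:
        if pid in per_payment:
            summary[vid]["flags"] |= per_payment[pid]
            summary[vid]["flagged_total"] += amount
    return dict(summary)


if __name__ == "__main__":
    report = vendor_summary(VENDORS, EMPLOYEES, PAYMENTS)
    # Vendors with the most distinct flags are listed first for review.
    for vid, row in sorted(report.items(), key=lambda kv: -len(kv[1]["flags"])):
        print(vid, sorted(row["flags"]), f"{row['flagged_total']:.2f}")
```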


Why is data visualization important?

• Data becomes more understandable and appealing

• Users can access and intake information more efficiently

• Presents information in an easy to understand format

• Data visualization can be used to

– Identify areas for improvement

– Predict revenue (streams)

– Detect fraud


How Can Data Visualization Detect Fraud?

• It will NOT detect fraud that is “off the books”

– It will provide analytics for existing information, which may lead to the discovery of additional activities

• Data Visualization allows managers and executives to consume information more effectively and get a broader picture

• Data to visualize:

– Revenues from an odd area of the country

– Expenses changing over periods of time

– Revenues and expenses by department

– Expenses by vendor to shell companies


What do I need to look for in data visualization software?

Data Usability/Applicability

• Data that is not collected cannot be visualized.

• Inaccurate data will produce inaccurate results.

User Competence

• Data visualization software can be a very powerful tool, but if the person using the tool is not well versed in the software, the results may not be ideal.


Free Data Visualization Software

• Microsoft Power BI

– Microsoft’s free data analysis tool built to go beyond Excel’s natural limitations

– It offers a simple and easy to use interface that is excellent for beginners

• Tableau Public

– Tableau’s free data visualization tool for all users in a flexible end-to-end analytics platform

• Openheatmap

– Simple online tool for creating heatmaps that transforms traditional spreadsheet geographical data into an easily digestible heatmap in a matter of seconds

• VIDI

– Browser based software used to quickly map data with the goal of serving people with detailed insight into a team’s preparedness

• D3.js

– A JavaScript library used to produce dynamic and interactive data visualizations within web browsers

– A very powerful tool for advanced users


Microsoft Power BI


Tips

Establish a baseline and then look for outliers or values that exceed averages.

Look at both high and low values that are unexpected.

Small anomalies may add up over time.

Group your data into meaningful classifications and compare between periods and, if applicable, locations.

Data analytics should be repeated and ongoing in order to establish patterns and deviations from regular expectations.

Communicate that monitoring activities are being conducted regularly so that employees are aware that close attention is being paid.
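
The tips above applied to a small ledger, as an added example that is not part of the original presentation: spend is grouped by department and vendor, each group's own median serves as the baseline, unexpected high and low months are flagged, and a second check catches small increases that add up without ever producing a single outlier. The vendor names, amounts, the 3.5 score cutoff and the 3% drift threshold are all assumptions chosen for illustration.

```python
from collections import defaultdict
from statistics import median

MONTHS = ["2023-01", "2023-02", "2023-03", "2023-04", "2023-05", "2023-06"]
# Constructed sample ledger (not data from the presentation): monthly spend per
# (department, vendor). Names and amounts are hypothetical.
SPEND = {
    ("Facilities", "Acme Supply"): [1000, 1020, 980, 1010, 2900, 990],  # one spike
    ("Events", "Harbor Catering"): [500, 505, 495, 500, 60, 510],       # one dip
    ("IT", "Northside Tech"): [800, 812, 824, 836, 848, 860],           # slow creep
    ("HR", "Payroll Partners"): [700, 705, 695, 700, 702, 698],         # steady
}
LEDGER = [(m, d, v, a) for (d, v), amts in SPEND.items() for m, a in zip(MONTHS, amts)]

def totals_by_group(ledger):
    """Group into (department, vendor) classifications, summed per period."""
    totals = defaultdict(lambda: defaultdict(float))
    for period, dept, vendor, amount in ledger:
        totals[(dept, vendor)][period] += amount
    return totals

def flag_outliers(ledger, cutoff=3.5):
    """Flag period totals far above OR below the group's own baseline (median),
    using the modified z-score 0.6745 * (x - median) / MAD."""
    flags = []
    for group, by_period in totals_by_group(ledger).items():
        values = list(by_period.values())
        base = median(values)
        # MAD of 0 (mostly identical values) falls back to a scale of 1 unit.
        mad = median(abs(v - base) for v in values) or 1.0
        for period, total in sorted(by_period.items()):
            score = 0.6745 * (total - base) / mad
            if abs(score) >= cutoff:
                flags.append((group, period, "high" if score > 0 else "low"))
    return flags

def creeping_groups(ledger, min_change=0.03):
    """Groups with no single outlier whose later-half spend still drifted."""
    flagged = {group for group, _, _ in flag_outliers(ledger)}
    drift = {}
    for group, by_period in totals_by_group(ledger).items():
        ordered = [by_period[p] for p in sorted(by_period)]
        half = len(ordered) // 2
        early, late = sum(ordered[:half]), sum(ordered[half:])
        change = (late - early) / early if early else 0.0
        if group not in flagged and abs(change) >= min_change:
            drift[group] = round(change, 4)
    return drift

print(flag_outliers(LEDGER), creeping_groups(LEDGER))
```

Run on a recurring schedule, the same two checks give the period-over-period comparison the tips call for; the median-based baseline keeps one extreme month from hiding itself by inflating the average.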


Risks

• Data quality – The results from analytics tests are only as good as the input data.

• Data volumes – There may be significant data volumes and your data analytics testing infrastructure should be capable of handling these volumes.

• Data security – Appropriate security protocols should be considered throughout the extraction and analysis to protect the confidentiality and integrity of source data.


Taking Action


Fraud Prevention Check-Up

• ACFE has a Fraud Prevention Check-Up tool available here: http://www.acfe.com/fraud-prevention-checkup.aspx

• Questions include:

– Risk Assessment

• To what extent has the organization established a process for oversight of fraud risks by the board of directors or others charged with governance?

• To what extent has the organization created “ownership” of fraud risks by identifying a member of senior management as having responsibility for managing all fraud risks?

– Anti-fraud controls

• To what extent has the organization implemented measures to eliminate or reduce each of the significant fraud risks identified in its risk assessment?


Fraud Risk Assessment

• Understand the controls that are in place

– Are they being followed?

• What controls should be added?

– Prioritize based on level of risk

– Costs vs. benefits

• Are there ineffective controls in place that should be removed?

• Risk assessment should consider:

– Fraud prevention controls

– Fraud detection controls

• Trying to prevent all fraud generally is not cost-effective

• No guarantee you can prevent all fraud, no matter what controls you have


Fraud Investigations

• Receive/Evaluate Allegation

– Develop hypothesis

• Plan Investigation

– Coordination among internal departments

– Coordination with external service providers

• Conduct Investigation

– Interviews

– Collect evidence

– Analyze evidence

– Prove or disprove hypothesis

– Report results

• Take Corrective Action

– Criminal referral

– Civil action

– Disciplinary action

– Insurance claim

– Extended investigation

– Modify internal controls


As the lead partner in Aronson LLC’s Nonprofit and Association Industry Services Group, Rob Eby is a strategic leader with more than 25 years of professional experience. He is a results-driven practitioner who specializes in assurance and consulting services for clients that include schools, faith-based organizations, foundations, associations, and service organizations.

Rob’s diverse leadership experience spans the professional and personal divide. In addition to his role at Aronson, he was a college professor and a winning high school soccer coach. He also sits on the board of the Aronson Foundation and is a board member of Interfaith Works, a nonprofit that serves the needs of poor and homeless populations in Montgomery County. Formerly an executive for a nonprofit organization, Rob is uniquely qualified to understand the demands of nonprofit accounting and leadership.

As an active participant in the accounting profession, Rob has taught numerous CPE classes and presented financial accounting and auditing topics at events that include the Virginia Society of CPA’s Annual Nonprofit Conference and the Greater Washington Society of CPA’s Annual Nonprofit Symposium. He was a contributing author to ASAE’s The Financial Management Handbook for Associations and Nonprofits, and the Nonprofit Controllers Manual, published by Warren, Gorham and Lamont, Inc. As a nonprofit thought leader, Rob is a contributing author to Aronson’s Nonprofit Report blog.

Rob earned his bachelor’s degree in accounting from Grove City College in 1986 and his master of arts from Capital Bible Seminary. Rob is a member of the American Institute of Certified Public Accountants and the Greater Washington Society of Certified Public Accountants.

301.231.6291

Rob Eby, CPA, CGMA

[email protected]


Greg Plotts, CPA, serves as a partner in Aronson’s Nonprofit & Association Services Group. He is a proactive and collaborative leader with over 20 years of industry experience.

Greg specializes in financial statement assurance and consulting matters for associations and other exempt organizations. He has a wide range of experience with complex issues, including internal controls, revenue recognition, fraud investigations, international audit matters, foreign currency transactions, valuation of intangible assets, joint ventures, mergers and acquisitions, and more.

Greg’s passion lies in building strong, productive relationships with both his clients and team. He invests the time to listen and learn about his clients’ organizations, objectives, and challenges. He then partners with them to implement the right strategic initiatives to achieve their short- and long-term objectives. As an enthusiastic mentor, he is committed to cultivating a positive and healthy team culture, where all members thrive and grow.

Prior to joining Aronson, Greg held steadily increasing leadership roles at both a “Big 4” accounting firm and a regional accounting firm. Active in the community and profession, his involvement builds on his knowledge and understanding of the nonprofit industry and increases the value he brings to his clients.

301.231.6226

Greg Plotts, CPA

[email protected]
