National Treasury Public Entities Risk Management Forum
Fraud Risk Management – Overcoming Practical Challenges
Agenda
► What is Fraud Risk Management?
► Why do Public Entities need Fraud Risk Management?
► Minimum Requirements for an Effective Fraud Risk Management Programme
► Fraud Risk Assessments: Acceptable Standards or Frameworks
► Fraud Risk Management Reports
► The Chief Risk Officer (CRO) and Fraud Risk Management
► Expectations of Assurance Providers on the Assessment and Management of Fraud Risks
► Challenges that Affect the Successful Implementation of Fraud Risk Management Plans
► Fraud Trends in the Public Sector
► The Evolving Nature of Cybercrime
► Project Ghost
► Lessons Learned: Misuse of Segregation of Duties and Registration of a Fictitious Vendor
04 July 2012Page 2 National Treasury
What is Fraud Risk Management?
Fraud Risk Management enables an organisation to:
► Discover;
► Reduce;
► Prevent; and
► Take action when fraud or misconduct is occurring.
Why do Public Entities need Fraud Risk Management?
► The Public Finance Management Act, 1999 (Act No. 1 of 1999) (“PFMA”), Section 51.1(a)(i):
  ► An accounting authority for a public entity must ensure that that public entity has and maintains effective, efficient and transparent systems of financial and risk management and internal control;
► As per Section 29.1.1(e) of the Treasury Regulations prescribed under the PFMA:
  ► It is a requirement for Departments, Trading Entities, Constitutional Institutions and Public Entities to prepare a Corporate Plan, which includes a Fraud Prevention Plan;
► To set the proper tone at the top;
► Monitor internal controls in order to identify and detect fraud risks; and
► Set reactive protocols in the event that fraud is suspected.
Minimum Requirements for an Effective Fraud Risk Management Programme
1. Setting the proper tone
► Effective governance structures;
► Adequate and effective fraud-related policies (e.g. Code of Ethics, Anti-Fraud Policy, Whistle Blowing Policy, Gifts Policy, Declaration of Interest Policy, etc.); and
► Governance & Fraud Risk Awareness Training and Education (e.g. fraud awareness training for bargaining and non-bargaining employees, industrial theatre productions, fraud newsletters, z-cards, etc.).
2. Proactive approach
► Fraud risk assessments;
► Fraud resistance assessments; and
► Fraud compliance checks.
Minimum Requirements for an Effective Fraud Risk Management Programme (Cont.)
3. Reactive approach
► Fraud response plan; and
► Investigations.
4. Detection
► Forensic Data Analytics;
► Forensic Technology Detection Services, i.e.:
  ► Forensic Data Analytics;
  ► Computer Forensics, e.g. hard drive imaging; and
  ► Utilising software to identify potential relationships in electronic data, i.e. employee / vendor, employee / appointee, etc.
► Whistle Blower Mechanism.
Fraud Risk Assessments: Acceptable Standards or Frameworks
► The King III report requires that Risk Assessments, including Fraud Risk Assessments, are conducted on a continual basis
► Compilation of / updates to the detailed Fraud Risk Register:
  ► Global industry research
  ► Global fraud research
  ► Actual fraud risks arising out of investigations conducted
  ► Computer system fraud risk research, i.e. BAS, SAP, etc.
► Summarise identified potential / actual fraud risks into top ten fraud risk categories
► Quantify the parameters (scoring system) of impact, likelihood, priority attention and risk control effectiveness, prior to the assessment taking place
Fraud Risk Assessments: Acceptable Standards or Frameworks (Cont.)
► Conduct workshops with the relevant process owners to determine the following:
  ► Fraud risk relevance;
  ► Current controls in place to mitigate inherent fraud risk, i.e. identification of residual fraud risk;
  ► Action plans to address identified residual fraud risk, as well as assigned responsibility; and
  ► Risk ranking, i.e. consequence vs likelihood
► Compilation of a “Top 10 Fraud Risk Document”, detailing the outcomes of the workshops, approved by the relevant process owners and updated, at least, on an annual basis
► Outcomes of the fraud risk assessment process to be continuously monitored and tracked
Fraud Risk Management Reports
Detailed Reports
► Detailed reports are submitted to the relevant risk manager(s) for their consideration
1. Fraud Resistance Assessments and Fraud Compliance Checks
► These reports typically include the following:
  a) Executive summary;
  b) Annexure highlighting the applicable process, as well as the related observations, internal control weaknesses / fraud exposures, recommendations for improvement and management comment
Fraud Risk Management Reports (Cont.)
Example: Fraud Resistance Assessment Report
► The following table should accompany the Executive Summary as an annexure to the report. Its columns are:
  ► Process: What does the policy and / or procedure state?
  ► Observation: What were your observations with respect to the following: policies and / or procedures; detailed walkthrough; and gap analysis.
  ► Fraud Exposure / Internal Control Weakness: What are the fraud exposures and / or internal control weaknesses that may result from the observation?
    Definitions & Examples:
    Internal Control Weakness: What happened / went wrong to allow the anomaly to occur? e.g. HR employees' access to the payroll system is not restricted.
    Fraud Exposure: What fraud exposure(s) may result from the breakdown in internal control? e.g. HR employees may amend their own banking and salary details, which are not authorised.
  ► Recommendation: What can you recommend to mitigate the fraud exposure from happening in the future? Note: do not repeat what is stipulated in the policy / procedure.
  ► Management Response / Action Plan: Management’s response / action plan is obtained once the report has been finalised and submitted.
Fraud Risk Management Reports (Cont.)
Example: Fraud Compliance Check Report
► The following table should accompany the Executive Summary as an annexure to the report. Its columns are:
  ► Process: What does the policy and / or procedure state?
  ► Observation: What discrepancies did you observe between what employees are actually doing and the requirements as per the policies and procedures?
  ► Fraud Exposure / Internal Control Weakness: What are the fraud exposures and / or internal control weaknesses that may result from the observation?
    Definitions & Examples:
    Internal Control Weakness: What happened / went wrong to allow the anomaly to occur? e.g. Policy and / or procedure is ambiguous.
    Fraud Exposure: What fraud exposure(s) may result from the breakdown in internal control? e.g. Employees may abuse ambiguity to their own advantage and claim negligence.
  ► Recommendation: What can you recommend to improve compliance with policies and procedures in the future?
  ► Management Response / Action Plan: Management’s response / action plan is obtained once the report has been finalised and submitted.
Fraud Risk Management Reports (Cont.)
2. Fraud Risk Assessments
► These reports typically include the following:
  a) Risk Ranking Matrix;
  b) Risk Description;
  c) Risk Owner;
  d) Strategic Challenge;
  e) Risk Root Causes;
  f) Current Controls / Action Plans; and
  g) Responsible Person.
Fraud Risk Management Reports (Cont.)
High-Level Reports
► High-level reports are submitted to the Chief Risk Officer (CRO) for their consideration and further escalation
► These reports typically include the following:
  a) The objectives of the project;
  b) Status of the project;
  c) High-level summary of findings;
  d) Action plans to address findings; and
  e) Assigned responsibility and deadlines.
The Chief Risk Officer (CRO) and Fraud Risk Management
The Chief Risk Officer (CRO)
► The CRO is a professional who brings structure and formality to the way risk management is implemented and practised in an organisation
► The CRO is responsible for leading, coordinating and consolidating the entire risk management effort of an institution by providing expert support, guidance and advice
The Chief Risk Officer (CRO) and Fraud Risk Management (Cont.)
Core Fraud Risk Management functions of the CRO
► To provide expert guidance and support to line management on fraud risk management processes;
► To co-ordinate, facilitate and guide the process of identifying, assessing and monitoring fraud risks at all business levels;
► To collate, analyse, interpret and report on the outcomes of fraud risk assessments;
► To maintain the fraud risk register;
► Depending on the entity’s structure, to develop the overall Fraud Risk Management Strategy for approval by the Accounting Officer;
► Depending on the entity’s structure, to develop appropriate tools and techniques for identifying, assessing and responding to fraud risks; and
► To promote advocacy of Fraud Risk Management.
The Chief Risk Officer (CRO) and Fraud Risk Management (Cont.)
Who should the CRO report to?
► The accountability and reporting lines of CROs in the Public Sector are not prescribed
► The CRO should report at a level that has sufficient authority and influence to ensure that fraud risk management enjoys the necessary organisational support and profile
► Ideally, the CRO should report to the Accounting Officer; if this is not possible, it is recommended that the CRO reports to someone of sufficient influence to promote the organisational status of Fraud Risk Management
Expectations of Assurance Providers on the Assessment and Management of Fraud Risks
► Assurance providers are guided by the auditing statement ISA 240 in addressing the risk of fraud
► Obtain reasonable assurance that the financial statements taken as a whole are free from material misstatement, whether caused by fraud or error.
► ISA 240 does not require that assurance providers look for fraud, but requires a consideration of fraud risks within an entity when conducting an audit
Assurance Providers’ Expectations on the Assessment and Management of Fraud Risks (Cont.)
ISA240R Requirements
► Professional Skepticism
► Identification & Assessment
► Written representations
► Discussion among the Engagement team
► Responses
► Communication
► Risk assessment procedures
► Evaluation of audit evidence
► Documentation
Assurance Providers’ Expectations on the Assessment and Management of Fraud Risks (Cont.)
The Risk Assessment Process
► The purpose of an entity’s risk assessment process is to identify, analyse and manage risks that affect the entity’s ability to achieve its objectives.
► Assurance providers document their understanding of an entity’s risk assessment process for:
  a) Identifying business risks relevant to financial reporting;
  b) Evaluating the significance of the risks;
  c) Assessing the likelihood of their occurrence; and
  d) Documenting management actions to address and monitor those risks.
Challenges that Affect the Successful Implementation of Fraud Risk Management Plans
► Some of the challenges faced by entities when implementing Fraud Risk Management Plans are as follows:
  a) Capacity;
  b) Technical knowledge or skill;
  c) Lack of enforcement;
  d) Collaboration; and
  e) Funding.
► How do entities overcome these challenges?
  a) Subject matter experts should increase their skill sets to include other areas within Fraud Risk Management;
  b) On-the-job training & knowledge transfer;
  c) Accountable individual(s) should be identified for the enforcement of fraud risk management and should be measured against defined KPIs; and / or
  d) Outsource the Fraud Risk Management function to external service providers, with the intention of transferring both knowledge and skills from the chosen service provider to internal employees.
Fraud Trends in the Public Sector
Fraud Risk: Description
► Procurement Irregularities: Irregular awarding of tenders, bid rigging, etc.
► Bribery and kickbacks: Any scheme in which a person offers, gives, receives, or solicits something of value for the purpose of influencing an official’s act or business decision without the knowledge or consent of the principal; and a payment by a vendor to an employee in order for the vendor to receive favourable treatment.
► Mismanagement of state funds: Fruitless and wasteful expenditure
► Abuse of state resources: Misuse of assets
► Asset misappropriation: The theft of assets (including monetary assets / cash or supplies and equipment) by directors, others in fiduciary positions or an employee for their own benefit
► Accounting Fraud: Altering / manipulating financial statements
► IP infringement, including theft of data: This includes the illegal copying and / or distribution of fake goods in breach of patent or copyright, and the creation of false currency
► Insider Trading: Generally buying or selling a security in breach of a fiduciary duty or other relationship
► Money Laundering: Actions intended to legitimise the proceeds of crime by disguising their true origin
The Evolving Nature of Cybercrime
► According to PwC’s 2011 Global Economic Crime Survey:
  ► “Cybercrime is an economic crime committed using computers and the internet.”
  ► Cybercrime now ranks as one of the top four economic crimes
  ► Reputational damage was the largest fear for 40% of the survey’s respondents
  ► 2 in 5 respondents had not received any cyber security training
  ► A quarter of respondents said there is no regular formal review of cybercrime threats by the CEO and the Board
  ► The majority of respondents did not have, or were not aware of having, a cyber crisis response plan in place
Project Ghost
Lessons Learned: Misuse of Segregation of Duties and Registration of a Fictitious Vendor
Background
► An employee, employed within a Treasury Department since 1993 as a Confirmation Clerk, created a fictitious vendor in January 2006;
► The employee provided his own bank account (not his salary account) as the beneficiary bank account of the vendor;
► Approximately 508 payment transactions to the value of R5.5 million were made to the vendor from 2006 to date;
► The employee had the authority on the SAP system to create, process goods received notes and release payments up to R5,000;
► Some invoices include names of the depot owners, who claim to have no knowledge of services provided by the vendor; and
► Payments allocated to various depots were allegedly concealed within other costs on the Treasury Department’s monthly depot budget reports.
Control Weaknesses
► Inadequate segregation of duties in respect of payment transactions on the SAP system was highlighted in the monthly GRC reports, and the compensating control did not operate effectively;
► Depot owners’ signatures were not required on the invoices for payments made against their cost centres; and
► Lack of adequate review of monthly depot reports.
Action Taken and Way Forward
► A pre-arbitration hearing was held in the absence of the employee and he was dismissed;
► A criminal case was registered with the SAPS;
► The employee was given R15 000 bail and asked to surrender his passport and report to the SAPS 3 times a week;
► The employee was charged with fraud in the Johannesburg Commercial Crimes Court. The employee pleaded guilty on 513 charges of fraud and is awaiting sentencing.
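As an added example, not part of the original presentation, the Python script below applies the forensic data analytics listed under Detection (employee / vendor relationships in electronic data) to constructed SAP-style extracts shaped like this case: it flags a vendor whose bank account matches an employee's, a user who both created a vendor and released payments to it, and a vendor whose payments cluster just under the R5,000 release limit. All user ids, vendor ids, account numbers, amounts and thresholds are constructed sample values.

```python
from collections import defaultdict

RELEASE_LIMIT = 5000.00  # single-user payment release authority in the case
# Constructed employee master: user id -> bank accounts known to the entity.
EMPLOYEES = {
    "U1001": {"name": "Clerk A", "accounts": {"62001112233"}},  # salary account only
    "U1002": {"name": "Clerk B", "accounts": {"62004445566"}},
}
# Constructed vendor master: vendor id -> beneficiary account and creating user.
VENDORS = {
    "V5001": {"account": "62009998877", "created_by": "U1001"},  # account not on file
    "V5002": {"account": "62004445566", "created_by": "U1002"},  # same as Clerk B's
    "V5003": {"account": "40001234567", "created_by": "U1003"},
}
# Constructed payment extract: (vendor id, amount in rand, releasing user).
PAYMENTS = [
    ("V5001", 4950.00, "U1001"), ("V5001", 4875.50, "U1001"),
    ("V5001", 4990.00, "U1001"), ("V5001", 1200.00, "U1001"),
    ("V5002", 3000.00, "U1004"),
    ("V5003", 9500.00, "U1005"), ("V5003", 4999.00, "U1005"),
    ("V5003", 12000.00, "U1005"),
]


def find_exposures(employees, vendors, payments, limit=RELEASE_LIMIT,
                   band=0.10, min_share=0.5):
    """Return {vendor_id: [reasons]} for vendors tripping any of three tests;
    band is the under-limit window (fraction of limit), min_share its trigger."""
    employee_accounts = {acct: uid for uid, e in employees.items()
                         for acct in e["accounts"]}
    by_vendor = defaultdict(list)
    for vendor_id, amount, released_by in payments:
        by_vendor[vendor_id].append((amount, released_by))
    findings = defaultdict(list)
    for vendor_id, v in vendors.items():
        paid = by_vendor.get(vendor_id, [])
        # (a) Vendor account matches an employee account on file. The clerk in the
        # case used an account other than his salary account, so this test alone
        # would not have caught him; it needs all declared accounts, not just payroll.
        if v["account"] in employee_accounts:
            findings[vendor_id].append(
                f"bank account shared with employee {employee_accounts[v['account']]}")
        # (b) Segregation-of-duties break: the vendor's creator also released payments.
        if any(rel == v["created_by"] for _, rel in paid):
            findings[vendor_id].append(f"creator {v['created_by']} also released payments")
        # (c) Payments cluster just under the release limit (structuring below R5,000).
        near = [a for a, _ in paid if limit * (1 - band) <= a < limit]
        if paid and len(near) / len(paid) >= min_share:
            findings[vendor_id].append(
                f"{len(near)} of {len(paid)} payments within {band:.0%} below R{limit:,.0f}")
    return dict(findings)
```

Run against the constructed extracts, V5001 trips the segregation-of-duties and under-limit tests, V5002 the shared-account test, and V5003 nothing.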
Contact Details
Naph Nteo (Director)
Keeran Madhav (Associate Director)
Belinda Goosen (Senior Manager)
Pumla Zondo (Assistant Manager)
Thank you