Upload
others
View
27
Download
0
Embed Size (px)
Citation preview
Fraud Risk Management
for Internal Auditors
9th Annual Fraud Conference The Institute of Internal Auditors
Puget Sound Chapter March 16, 2017
(970) 926-0355
1
JOHNJ.HALL
CONTEXT JOHNJ.HALL
1. Deterrence and Prevention
2. Early Detection
3. Effective Handling
3 Campaign Levels
ORGANIZATIONS MUST BE PREPARED AT ALL THREE LEVELS
JOHNJ.HALL
In many organizations, the Internal Audit Team knows more about
Fraud Risk Management than anyone else.
Opportunity Knocks
JOHNJ.HALL
How can I use this?
HCIUT? TRY B4 TOSS
JOHNJ.HALL
Correct Flawed Beliefs • Beliefs lead to Actions • Flawed Beliefs lead to
Flawed Actions
CRITICAL FIRST STEP (most organizations ignore)
JOHNJ.HALL
1. We don’t have much fraud 2. Our controls will prevent it 3. Managers and employees review
reports 4. Our people know what their fraud
responsibilities are 5. Most people would never commit
wrongdoing or fraud
Five Flawed Beliefs
2
JOHNJ.HALL
How Much Fraud Do You Have?
$ ________
JOHNJ.HALL
Your fraud losses are 1% of revenue.
Here’s how to cut it in half in 18 months. THE FRAUD PIE
JOHNJ.HALL JOHNJ.HALL
1. We don’t have much fraud 2. Our controls will prevent it 3. Managers and employees review
reports 4. Our people know what their fraud
responsibilities are 5. Most people would never commit
wrongdoing or fraud
Five Flawed Beliefs
JOHNJ.HALL
Completely Honest
Pressure Attitude
Opportunity
Honesty Scale
JOHNJ.HALL
The Fraud Triangle
Pressure
Attitude Opportunity
3
JOHNJ.HALL
People (and Organizations)
Change Over Time Completely
Honest
JOHNJ.HALL
Action 1
Recruit the CEO and
Their Direct Reports JOHNJ.HALL
Nothing Meaningful Happens Without
Visible, Vocal CEO Involvement
Here’s Why
Recruit the CEO
JOHNJ.HALL
1. The Chief Executive must lead the charge 2. Talk about it – explicitly 3. Invest in being actively involved in
employee awareness and training 4. Make people feel safe to report
suspicions 5. Appoint a trusted leader for the anti-fraud
campaign and insist on results
Visible and Vocal Leadership
4
JOHNJ.HALL
Policy on Fraud
Responsibilities ★★★★
JOHNJ.HALL
1. Positive message 2. Manager and staff responsibilities 3. Exposure awareness 4. Procedures & behaviors to prevent 5. Procedures & behaviors to detect 6. What to do / what not to do 7. Emphasis on SUSPECTED acts 8. Annual certification -- ???
Policy on Fraud Responsibilities
JOHNJ.HALL
1. Make it as positive as possible
2. Fraud ‘Hotline’ in place, understood and trusted
3. Consider retaining a third-party service to administer your hotline
4. Tell everyone exactly how the hotline works
Make it Easy to Report
JOHNJ.HALL
Sample Policy on
Fraud Responsibilities
TEXT audit
to 720-613-2620
Example Policy on Fraud Responsibilities
www.JohnHallSpeaker.com
Page 1
POLICY ON FRAUD RESPONSIBILITIES
Introduction
Like all organizations, ours is faced with risks from wrongdoing, misconduct, dishonesty and
fraud. As with all business exposures, we must be prepared to manage these risks and their
potential impact in a professional manner.
The impact of misconduct and dishonesty may include:
• the actual financial loss incurred
• damage to the reputation of our organization and our employees
• negative publicity
• the cost of investigation
• loss of employees
• loss of customers
• damaged relationships with our contractors and suppliers
• litigation
• damaged employee morale
Our goal is to establish and maintain a business environment of fairness, ethics and honesty for
our employees, our customers, our suppliers and anyone else with whom we have a relationship.
To maintain such an environment requires the active assistance of every employee and manager
every day.
Our organization is committed to the deterrence, detection and correction of misconduct and
dishonesty. The discovery, reporting and documentation of such acts provides a sound
foundation for the protection of innocent parties, the taking of disciplinary action against
offenders up to and including dismissal where appropriate, the referral to law enforcement
agencies when warranted by the facts, and the recovery of assets.
Purpose The purpose of this document is to communicate company policy regarding the deterrence and
investigation of suspected misconduct and dishonesty by employees and others, and to provide
specific instructions regarding appropriate action in case of suspected violations.
JOHNJ.HALL
Nothing important happens unless all supervisors
are committed to fighting fraud
JOHNJ.HALL
NotFound
Found
How?
5
JOHNJ.HALL
1. Managers and staff 2. Internal auditors 3. External auditors 4. Third parties 5. The fraudster 6. Luck or accident
How Fraud is Detected
JOHNJ.HALL
Every employee must be
recruited into anti-fraud efforts
JOHNJ.HALL
1. Never assume that others know what you expect
2. Put it on the agenda at a staff meeting
3. Say, “We’ve never talked about fraud prevention and detection before – Here’s what I expect of you”
4. Include your thoughts on risks, awareness, prevention, early detection and proper response
Clarify Fraud Expectations
JOHNJ.HALL
Example Expectations
Script
TEXT audit
to 720-613-2620
Anti-Fraud Expectations
www.JohnHallSpeaker.com (970) 926-0355
ANTI-FRAUD EXPECTATIONS
The list below should give you suggestions of topics or themes to include in leading a
discussion about fraud expectations with your staff or team. Don't just read off the list –
instead, pick five or six items that most relate to your own beliefs and tailor comments to
your unique environment and culture. Be sure to:
1. Frame the discussion to the questions those listening to you will likely have
2. Stress the importance of a balanced message – tie your request for help to the
listeners normal pride in their work
3. Be explicit. Don't beat around the bush. Tell them what you expect and what you
need them to do as a result.
4. Use a positive tone. Make it a ‘call to arms’ that starts with, “I need your help to
fight this problem.”
5. Include examples of what could go wrong in your area, including what it would
look like in reports, variances, complaints and other indicators of a problem
It is expected that every manager and employee will:
1. Know the fraud related exposures in their areas of responsibility, for example…
2. Know what it would look like if it happened. For example…
3. Use best-faith efforts to minimize the chance of fraud on their watch. Examples
include…
4. Make sure the transactions they personally approve are not fraudulent.
5. Personally monitor for those frauds that only they are in a position to detect. For
example…
6. Question and challenge the unusual. Here’s an example of what I mean…
7. Set an example of honest and ethical behavior by personal example and by not
tolerating dishonest or unethical behavior in others.
8. Strive to prevent fraud by minimizing the exposures and reducing the
opportunities and temptation. For example…
9. Immediately refer suspected wrongdoing to Internal Audit or Security for
investigation. For example…
JOHNJ.HALL
Action 2
Active Fraud Risk
Brainstorming JOHNJ.HALL
Fraud Risk Brainstorming:
Think Like A Thief (when you don’t know how)
THE CHALLENGE
6
JOHNJ.HALL
“Be aware of fraud risks” is imprecise and
leads to confusion and
uncertainty
JOHNJ.HALL
Clarity Precision
JOHNJ.HALL
The Destination Must Be Clear
Some is not a number;
soon is not a time. “Switch: How to Change Things When Change is Hard”
Chip Heath & Dan Heath
JOHNJ.HALL
“If you confuse me, you lose me.”
– Rachel Hanfling
JOHNJ.HALL
B.S. Commonly Accepted
Abbreviation for ‘Brain Storming’
JOHNJ.HALL
The Simple Beauty of
“Hey Boss!” Questions
7
JOHNJ.HALL
1. How could someone exploit weaknesses in our controls?
2. How could someone override or circumvent our controls?
3. What could someone do in our organization to conceal their wrongful actions?
Fraud Risk Brainstorming: 3 Key Questions
JOHNJ.HALL
…begin (plan) with the
PRESUMPTION that a fraud incident has already occurred
The Secret Sauce
JOHNJ.HALL
Planning Target
Complete Distrust
Complete Trust
Neutrality
JOHNJ.HALL
Work Target
Complete Distrust
Complete Trust Neutrality
JOHNJ.HALL JOHNJ.HALL
SAS 99
Required audit project team
brainstorming session • ChiefAuditorpresentandac7ve• Homeworkisassignedinadvance• Many“HeyBoss…”ques7ons
8
Fraud Loss Scorecard HIGH LOW
1 Disbursements $ XXX $ XXX 2 Inventory
3 Construction/Facilities
4 Health Care Costs
5 Payroll
6 T&M contracts
7 T&E reimbursement
8 Other – Unique to You
TOTAL $ XXX $ XXX JOHNJ.HALL
Managing the Business Risk
of Fraud: A Practical
Guide
JOHNJ.HALL
Action 3
Anti-Fraud ‘How-To’
Skills Training ★★★★
JOHNJ.HALL
Effective Internal Controls
Procedures Behaviors
JOHNJ.HALL
Anti-Fraud Controls 1. Fraud exposures are identified. 2. Specific control procedures and
behaviors are developed, implemented and maintained to both prevent these events from happening and to detect them should they occur.
3. Controls include emphasis on both hard control procedures and soft control behaviors.
JOHNJ.HALL
1. Leadership words and deeds 2. Culture of quality 3. Finance and accounting knowledge 4. Exposure assessment 5. Limited access 6. Policies, procedures and systems 7. Transaction initiation, review and approval 8. Effective screening (and re-screening)
Control Procedures
Enterprise level Functional level
Transaction level
9
JOHNJ.HALL
Control Procedures Alone
Do Not Prevent Fraud
JOHNJ.HALL
1. Control design, implementation and maintenance
2. No control is perfect 3. It’s a cat and mouse endeavor 4. Effective controls make a fraudster
change their method 5. The cumulative nature of controls 6. What about small organizations? 7. Controls tend to break down over time
The Limits of Controls
JOHNJ.HALL
Effective Daily
Human Execution Of Controls
Prevents Fraud JOHNJ.HALL
MACRO Context
JOHNJ.HALL
HIGH
LOW HIGH
HUMAN FACTORS
(SOFT CONTROLS)
ENVIRONMENTAL FACTORS (HARD CONTROLS)
I
II
IV
III
90%
JOHNJ.HALL
Which of the four options below would make the most significant impact on helping your organization be more effective in fighting fraud, misconduct, and wrongdoing?
Implementing a Fraud Policy
Conducting an organization-wide Comprehensive Fraud Exposure Analysis, including the creation of a Fraud Risk Inventory
Providing awareness, prevention and early Detection Skills Training for managers and staff
14%
10% Catching and Prosecuting Wrongdoers
14%
62%
10
JOHNJ.HALL
1. All new hires 2. All new supervisors 3. Board members 4. Relevant third parties 5. Periodic reminders for everyone
Who Do We Train?
Include real cases and documents Find a way to say what happened
JOHNJ.HALL
General knowledge of fraud risks What can happen in their areas Suggestions on prevention Suggestions on prompt detection when prevention fails What it looks like in documents, reports and behaviors they see
What Skills Are Needed
JOHNJ.HALL
1. Group live 2. Technology-based
ü Teleseminars ü Webinars ü Video
3. 1 on 1 coaching by supervisors 4. 1 on 1 by auditors 5. Written
How Do We Deliver Training?
JOHNJ.HALL
When YOU See
Something
YOU Say Something
JOHNJ.HALL
Good Questions Before Approving:
1. Invoices from suppliers 2. Out of pocket cost reimbursement 3. Purchasing card transactions 4. Time sheets 5. Invoices from contractors 6. One-time wire transfers 7. Journal entries
Newsletter Article Ideas
JOHNJ.HALL
HIGH
LOW HIGH
HUMAN FACTORS
(SOFT CONTROLS)
ENVIRONMENTAL FACTORS (HARD CONTROLS)
I
II
IV
III
ç
ç
11
JOHNJ.HALL
Action 4
Look Ask
Doubt RESOLVE
JOHNJ.HALL
Three-Step Fraud Detection 1. Think like a thief
a) Individual and group brainstorming
2. Use discovery techniques aggressively a) Discovery-based tests b) Targeted interviews c) Continuous monitoring
3. Determine the cause of all fraud indicators surfaced
a) Root Cause Analysis
JOHNJ.HALL
A
B
C
ALL TRANSACTIONS
OK
KNOWN PROBLEMS
HIDDEN PROBLEMS
JOHNJ.HALL
Probability of 1 in Sample, if population = 100,000
Sample
Size
10
15
25
50
100
25 0.002 0.004 0.006 0.012 0.025
50 0.005 0.007 0.012 0.025 0.049
100 0.010 0.015 0.025 0.049 0.095
250 0.0250 0.037 0.061 0.118 0.221
500 0.049 0.072 0.118 0.222 0.394
1000 0.096 0.140 0.222 0.395 0.634
Number of Problem Transactions
JOHNJ.HALL
100% testing produces
reliable results JOHNJ.HALL
1. Look for fraud indicators 2. Use “How do I know?” 3. When in doubt, doubt 4. Resolve or refer suspicions
Four Daily Behaviors
12
JOHNJ.HALL
ü ValidbusinesslicenseandTINü Sentonelowvalueitemü UPSreceipt–Falsesecurity
JOHNJ.HALL
Root Cause Analysis
If a condition exists is interesting
Why it exists is important
JOHNJ.HALL
1. What happened? 2. What were the root causes of the problem? 3. What options are available that will deal
with the problem? 4. What is the cost of acting upon each of the
available options? 5. Which decision options will provide the
most cost-effective solution?
Root Cause Analysis
JOHNJ.HALL
Action 5
LEAD
JOHNJ.HALL
The Power Of
Presence
Kristi Hedges JOHNJ.HALL
“The Power of Presence” Kristi Hedges
“Every day is a bombardment of opportunities to
persuade, influence, motivate, attract or
inspire others”
13
Purpose =
JOHNJ.HALL
Simon Sinek
JOHNJ.HALL
Common Sense Must Become
Common Practice
JOHNJ.HALL
Move the Needle in 2017
JOHNJ.HALL
It’s your time. John J. Hall
www.JohnHallSpeaker.com
(970) 926 0355
Questions, Comments, Feedback Let me know how I can help!