Fraud Risk Management

for Internal Auditors

9th Annual Fraud Conference The Institute of Internal Auditors

Puget Sound Chapter March 16, 2017

John@JohnHallSpeaker.com

(970) 926-0355

1

JOHNJ.HALL

CONTEXT JOHNJ.HALL

1.  Deterrence and Prevention

2.  Early Detection

3.  Effective Handling

3 Campaign Levels

ORGANIZATIONS MUST BE PREPARED AT ALL THREE LEVELS

JOHNJ.HALL

In many organizations, the Internal Audit Team knows more about

Fraud Risk Management than anyone else.

Opportunity Knocks

JOHNJ.HALL

How can I use this?

HCIUT? TRY B4 TOSS

JOHNJ.HALL

Correct Flawed Beliefs •  Beliefs lead to Actions •  Flawed Beliefs lead to

Flawed Actions

CRITICAL FIRST STEP (most organizations ignore)

JOHNJ.HALL

1.  We don’t have much fraud 2.  Our controls will prevent it 3.  Managers and employees review

reports 4.  Our people know what their fraud

responsibilities are 5.  Most people would never commit

wrongdoing or fraud

Five Flawed Beliefs

2

JOHNJ.HALL

How Much Fraud Do You Have?

$ ________

JOHNJ.HALL

Your fraud losses are 1% of revenue.

Here’s how to cut it in half in 18 months. THE FRAUD PIE

JOHNJ.HALL JOHNJ.HALL

1.  We don’t have much fraud 2.  Our controls will prevent it 3.  Managers and employees review

reports 4.  Our people know what their fraud

responsibilities are 5.  Most people would never commit

wrongdoing or fraud

Five Flawed Beliefs

JOHNJ.HALL

Completely Honest

Pressure Attitude

Opportunity

Honesty Scale

JOHNJ.HALL

The Fraud Triangle

Pressure

Attitude Opportunity

3

JOHNJ.HALL

People (and Organizations)

Change Over Time Completely

Honest

JOHNJ.HALL

Action 1

Recruit the CEO and

Their Direct Reports JOHNJ.HALL

Nothing Meaningful Happens Without

Visible, Vocal CEO Involvement

Here’s Why

Recruit the CEO

JOHNJ.HALL

1.  The Chief Executive must lead the charge 2.  Talk about it – explicitly 3.  Invest in being actively involved in

employee awareness and training 4.  Make people feel safe to report

suspicions 5.  Appoint a trusted leader for the anti-fraud

campaign and insist on results

Visible and Vocal Leadership

4

JOHNJ.HALL

Policy on Fraud

Responsibilities ★★★★

JOHNJ.HALL

1.  Positive message 2.  Manager and staff responsibilities 3.  Exposure awareness 4.  Procedures & behaviors to prevent 5.  Procedures & behaviors to detect 6.  What to do / what not to do 7.  Emphasis on SUSPECTED acts 8.  Annual certification -- ???

Policy on Fraud Responsibilities

JOHNJ.HALL

1.  Make it as positive as possible

2.  Fraud ‘Hotline’ in place, understood and trusted

3.  Consider retaining a third-party service to administer your hotline

4.  Tell everyone exactly how the hotline works

Make it Easy to Report

JOHNJ.HALL

Sample Policy on

Fraud Responsibilities

TEXT audit

to 720-613-2620

Example Policy on Fraud Responsibilities

www.JohnHallSpeaker.com

Page 1

John@JohnHallSpeaker.com

POLICY ON FRAUD RESPONSIBILITIES

Introduction

Like all organizations, ours is faced with risks from wrongdoing, misconduct, dishonesty and

fraud. As with all business exposures, we must be prepared to manage these risks and their

potential impact in a professional manner.

The impact of misconduct and dishonesty may include:

• the actual financial loss incurred

• damage to the reputation of our organization and our employees

• negative publicity

• the cost of investigation

• loss of employees

• loss of customers

• damaged relationships with our contractors and suppliers

• litigation

• damaged employee morale

Our goal is to establish and maintain a business environment of fairness, ethics and honesty for

our employees, our customers, our suppliers and anyone else with whom we have a relationship.

To maintain such an environment requires the active assistance of every employee and manager

every day.

Our organization is committed to the deterrence, detection and correction of misconduct and

dishonesty. The discovery, reporting and documentation of such acts provides a sound

foundation for the protection of innocent parties, the taking of disciplinary action against

offenders up to and including dismissal where appropriate, the referral to law enforcement

agencies when warranted by the facts, and the recovery of assets.

Purpose The purpose of this document is to communicate company policy regarding the deterrence and

investigation of suspected misconduct and dishonesty by employees and others, and to provide

specific instructions regarding appropriate action in case of suspected violations.

JOHNJ.HALL

Nothing important happens unless all supervisors

are committed to fighting fraud

JOHNJ.HALL

NotFound

Found

How?

5

JOHNJ.HALL

1.  Managers and staff 2.  Internal auditors 3.  External auditors 4.  Third parties 5.  The fraudster 6.  Luck or accident

How Fraud is Detected

JOHNJ.HALL

Every employee must be

recruited into anti-fraud efforts

JOHNJ.HALL

1.  Never assume that others know what you expect

2.  Put it on the agenda at a staff meeting

3.  Say, “We’ve never talked about fraud prevention and detection before – Here’s what I expect of you”

4.  Include your thoughts on risks, awareness, prevention, early detection and proper response

Clarify Fraud Expectations

JOHNJ.HALL

Example Expectations

Script

TEXT audit

to 720-613-2620

Anti-Fraud Expectations

www.JohnHallSpeaker.com (970) 926-0355

John@JohnHallSpeaker.com

ANTI-FRAUD EXPECTATIONS

The list below should give you suggestions of topics or themes to include in leading a

discussion about fraud expectations with your staff or team. Don't just read off the list –

instead, pick five or six items that most relate to your own beliefs and tailor comments to

your unique environment and culture. Be sure to:

1. Frame the discussion to the questions those listening to you will likely have

2. Stress the importance of a balanced message – tie your request for help to the

listeners normal pride in their work

3. Be explicit. Don't beat around the bush. Tell them what you expect and what you

need them to do as a result.

4. Use a positive tone. Make it a ‘call to arms’ that starts with, “I need your help to

fight this problem.”

5. Include examples of what could go wrong in your area, including what it would

look like in reports, variances, complaints and other indicators of a problem

It is expected that every manager and employee will:

1. Know the fraud related exposures in their areas of responsibility, for example…

2. Know what it would look like if it happened. For example…

3. Use best-faith efforts to minimize the chance of fraud on their watch. Examples

include…

4. Make sure the transactions they personally approve are not fraudulent.

5. Personally monitor for those frauds that only they are in a position to detect. For

example…

6. Question and challenge the unusual. Here’s an example of what I mean…

7. Set an example of honest and ethical behavior by personal example and by not

tolerating dishonest or unethical behavior in others.

8. Strive to prevent fraud by minimizing the exposures and reducing the

opportunities and temptation. For example…

9. Immediately refer suspected wrongdoing to Internal Audit or Security for

investigation. For example…

JOHNJ.HALL

Action 2

Active Fraud Risk

Brainstorming JOHNJ.HALL

Fraud Risk Brainstorming:

Think Like A Thief (when you don’t know how)

THE CHALLENGE

6

JOHNJ.HALL

“Be aware of fraud risks” is imprecise and

leads to confusion and

uncertainty

JOHNJ.HALL

Clarity Precision

JOHNJ.HALL

The Destination Must Be Clear

Some is not a number;

soon is not a time. “Switch: How to Change Things When Change is Hard”

Chip Heath & Dan Heath

JOHNJ.HALL

“If you confuse me, you lose me.”

– Rachel Hanfling

JOHNJ.HALL

B.S. Commonly Accepted

Abbreviation for ‘Brain Storming’

JOHNJ.HALL

The Simple Beauty of

“Hey Boss!” Questions

7

JOHNJ.HALL

1.  How could someone exploit weaknesses in our controls?

2.  How could someone override or circumvent our controls?

3.  What could someone do in our organization to conceal their wrongful actions?

Fraud Risk Brainstorming: 3 Key Questions

JOHNJ.HALL

…begin (plan) with the

PRESUMPTION that a fraud incident has already occurred

The Secret Sauce

JOHNJ.HALL

Planning Target

Complete Distrust

Complete Trust

Neutrality

JOHNJ.HALL

Work Target

Complete Distrust

Complete Trust Neutrality

JOHNJ.HALL JOHNJ.HALL

SAS 99

Required audit project team

brainstorming session •  ChiefAuditorpresentandac7ve•  Homeworkisassignedinadvance•  Many“HeyBoss…”ques7ons

8

Fraud Loss Scorecard HIGH LOW

1 Disbursements $ XXX $ XXX 2 Inventory

3 Construction/Facilities

4 Health Care Costs

5 Payroll

6 T&M contracts

7 T&E reimbursement

8 Other – Unique to You

TOTAL $ XXX $ XXX JOHNJ.HALL

Managing the Business Risk

of Fraud: A Practical

Guide

JOHNJ.HALL

Action 3

Anti-Fraud ‘How-To’

Skills Training ★★★★

JOHNJ.HALL

Effective Internal Controls

Procedures Behaviors

JOHNJ.HALL

Anti-Fraud Controls 1.  Fraud exposures are identified. 2.  Specific control procedures and

behaviors are developed, implemented and maintained to both prevent these events from happening and to detect them should they occur.

3.  Controls include emphasis on both hard control procedures and soft control behaviors.

JOHNJ.HALL

1.  Leadership words and deeds 2.  Culture of quality 3.  Finance and accounting knowledge 4.  Exposure assessment 5.  Limited access 6.  Policies, procedures and systems 7.  Transaction initiation, review and approval 8.  Effective screening (and re-screening)

Control Procedures

Enterprise level Functional level

Transaction level

9

JOHNJ.HALL

Control Procedures Alone

Do Not Prevent Fraud

JOHNJ.HALL

1.  Control design, implementation and maintenance

2.  No control is perfect 3.  It’s a cat and mouse endeavor 4.  Effective controls make a fraudster

change their method 5.  The cumulative nature of controls 6.  What about small organizations? 7.  Controls tend to break down over time

The Limits of Controls

JOHNJ.HALL

Effective Daily

Human Execution Of Controls

Prevents Fraud JOHNJ.HALL

MACRO Context

JOHNJ.HALL

HIGH

LOW HIGH

HUMAN FACTORS

(SOFT CONTROLS)

ENVIRONMENTAL FACTORS (HARD CONTROLS)

I

II

IV

III

90%

JOHNJ.HALL

Which of the four options below would make the most significant impact on helping your organization be more effective in fighting fraud, misconduct, and wrongdoing?

Implementing a Fraud Policy

Conducting an organization-wide Comprehensive Fraud Exposure Analysis, including the creation of a Fraud Risk Inventory

Providing awareness, prevention and early Detection Skills Training for managers and staff

14%

10% Catching and Prosecuting Wrongdoers

14%

62%

10

JOHNJ.HALL

1.  All new hires 2.  All new supervisors 3.  Board members 4.  Relevant third parties 5.  Periodic reminders for everyone

Who Do We Train?

Include real cases and documents Find a way to say what happened

JOHNJ.HALL

General knowledge of fraud risks What can happen in their areas Suggestions on prevention Suggestions on prompt detection when prevention fails What it looks like in documents, reports and behaviors they see

What Skills Are Needed

JOHNJ.HALL

1.  Group live 2.  Technology-based

ü  Teleseminars ü  Webinars ü  Video

3.  1 on 1 coaching by supervisors 4.  1 on 1 by auditors 5.  Written

How Do We Deliver Training?

JOHNJ.HALL

When YOU See

Something

YOU Say Something

JOHNJ.HALL

Good Questions Before Approving:

1.  Invoices from suppliers 2.  Out of pocket cost reimbursement 3.  Purchasing card transactions 4.  Time sheets 5.  Invoices from contractors 6.  One-time wire transfers 7.  Journal entries

Newsletter Article Ideas

JOHNJ.HALL

HIGH

LOW HIGH

HUMAN FACTORS

(SOFT CONTROLS)

ENVIRONMENTAL FACTORS (HARD CONTROLS)

I

II

IV

III

ç

ç

11

JOHNJ.HALL

Action 4

Look Ask

Doubt RESOLVE

JOHNJ.HALL

Three-Step Fraud Detection 1.  Think like a thief

a)  Individual and group brainstorming

2.  Use discovery techniques aggressively a)  Discovery-based tests b)   Targeted interviews c)  Continuous monitoring

3.  Determine the cause of all fraud indicators surfaced

a)  Root Cause Analysis

JOHNJ.HALL

A

B

C

ALL TRANSACTIONS

OK

KNOWN PROBLEMS

HIDDEN PROBLEMS

JOHNJ.HALL

Probability of 1 in Sample, if population = 100,000

Sample

Size

10

15

25

50

100

25 0.002 0.004 0.006 0.012 0.025

50 0.005 0.007 0.012 0.025 0.049

100 0.010 0.015 0.025 0.049 0.095

250 0.0250 0.037 0.061 0.118 0.221

500 0.049 0.072 0.118 0.222 0.394

1000 0.096 0.140 0.222 0.395 0.634

Number of Problem Transactions

JOHNJ.HALL

100% testing produces

reliable results JOHNJ.HALL

1.  Look for fraud indicators 2.  Use “How do I know?” 3.  When in doubt, doubt 4.  Resolve or refer suspicions

Four Daily Behaviors

12

JOHNJ.HALL

ü  ValidbusinesslicenseandTINü  Sentonelowvalueitemü  UPSreceipt–Falsesecurity

JOHNJ.HALL

Root Cause Analysis

If a condition exists is interesting

Why it exists is important

JOHNJ.HALL

1.  What happened? 2.  What were the root causes of the problem? 3.  What options are available that will deal

with the problem? 4.  What is the cost of acting upon each of the

available options? 5.  Which decision options will provide the

most cost-effective solution?

Root Cause Analysis

JOHNJ.HALL

Action 5

LEAD

JOHNJ.HALL

The Power Of

Presence

Kristi Hedges JOHNJ.HALL

“The Power of Presence” Kristi Hedges

“Every day is a bombardment of opportunities to

persuade, influence, motivate, attract or

inspire others”

13

Purpose =

JOHNJ.HALL

Simon Sinek

JOHNJ.HALL

Common Sense Must Become

Common Practice

JOHNJ.HALL

Move the Needle in 2017

JOHNJ.HALL

It’s your time. John J. Hall

John@JohnHallSpeaker.com

www.JohnHallSpeaker.com

(970) 926 0355

Questions, Comments, Feedback Let me know how I can help!