Who should be involved?
© 2014 CPEinteractive, Inc. 95
• Accounting & Finance personnel who are SMEs on processes & controls.
• Risk management personnel to ensure proper integration with ERM.
• Legal & Compliance personnel to ensure appropriate response to potential criminal, civil & regulatory issues.
• Internal Audit
Many others will participate and be interviewed.
Methodology & Framework
Determine a Fraud Risk Assessment Framework. Include:
Fraud Schemes & Scenarios
Likelihood & Significance
People & Departments
Existing Fraud Controls
Controls Effectiveness
Residual Risks
Fraud Risk Response
Fraud Risk Assessment Framework example
Fraud Risk Assessment Framework example (2)
Let’s go!
Completing the Fraud Risk Assessment Framework
Difference between FRA & ERM
Traditional risk assessments link risks to the organization's key objectives. Therefore, fraud can be overlooked during this type of review if it is not considered a core company objective.
Fraud Risk Assessment Framework
[Diagram: the eight framework steps, numbered 1 through 8]
Completing the Fraud Risk Assessment Framework
1. Identify potential inherent fraud risks.
2. Assess the likelihood of the identified fraud risks.
3. Assess the significance of the fraud risks.
4. Identify which people and departments are most likely to commit fraud and the methods they are likely to use.
Completing the Fraud Risk Assessment Framework (2)
5. Identify and map existing controls to relevant fraud risks.
6. Evaluate whether the identified controls are operating effectively and efficiently.
7. Identify and evaluate residual fraud risks resulting from ineffective or nonexistent controls.
Completing the Fraud Risk Assessment Framework (3)
8. Addressing the Identified Fraud Risks
Establish an acceptable level of risk (management).
Rank and prioritize identified risks.
Estimate likely cost of each risk.
Use a heat map.
Fraud Risk Response.
Assign Responsibility – Fraud Responsibility Matrix
Step One
Identifying potential fraud risks through Brainstorming
Brainstorming to identify risks
Formal Process
Identify leader / facilitator
Set Agenda
Open discussions
Fraud schemes & scenarios assessment
Review and feedback from senior management and Board
Follow up and revisit issues
Effective fraud scheme & scenario assessment
Identifies where and how fraud and corruption may occur.
Common understanding of fraud risk
Identifies fraud threats to business objectives
Provides the basis for an effective Fraud Control Plan.
Identifies and reviews the effectiveness of Key Policies, Guidelines and other controls used to minimize fraud
Increases employee awareness of fraud prevention risks and controls across the entity.
Fraud scheme & scenario assessment
Utilize Fraud Tree
Brainstorm potential for fraud around each branch on Fraud Tree
Create a Fraud Risk Exposures List
Many useful tools for various industries can be found on the ACFE, IIA, & AICPA websites.
Fraud Risk Exposure List
1. Intentional manipulation of financial statements can lead to:
   a. Inappropriately reported revenues
      1. Fictitious revenues
      2. Premature revenue recognition
      3. Contract revenue and expense recognition
   b. Inappropriately reported expenses
      1. Period recognition of expenses
   c. Inappropriately reflected balance sheet amounts, including reserves
      1. Improper asset valuation
         1. Inventory
         2. Accounts receivable
         3. Mergers and acquisitions
         4. Capitalization of intangible items
      2. Misclassification of assets
      3. Inappropriate depreciation methods
Identifying Incentives, Pressures & Opportunities
Brainstorm motives
• Strategy needs time
• Few more pennies per share to hit expectations or bonus
• Saving for a rainy day
Pressures
• Personal & Professional
Opportunities
• Manual processes
• Lack of segregation of duties
Step Two
Determining Likelihood
Evaluate the likelihood of risks as:
• remote, reasonably possible, and probable.
Historical information
Prevalence in industry
# of transactions
Complexity of transactions
Review process - # of reviews & levels of approvers
Interviews with process owners and staff
Heat Maps
Step Three
Determining Significance
Evaluate significance as:
• Immaterial, significant & material.
Quantitative & qualitative factors should be considered
• For example, financially immaterial but could greatly impact reputation
Interviews with process owners and staff.
Heat Maps
Cost Analysis
Heat Map – Likelihood & Significance
Estimating Likely Cost of a Risk
Step Four
People & Departments subject to fraud
• Evaluate which people inside and outside the organization are subject to the risk
• Evaluate incentives & pressures
• Appropriate segregation of duties
• Proper review and approval chains of authority
• Determine relationships that may be prone to collusion
• Identify potential fraud opportunities
Step Five
Identifying Existing fraud controls
Identify known fraud controls
Map pre-existing fraud controls to identified fraud risks
Identify risks without existing controls
Step Six
Evaluating existing control effectiveness
Examine existing control testing from IA & SOX, but focus specifically on control measures aimed at preventing or detecting fraud.
Identify whether or not controls can be circumvented and consider the susceptibility of controls to management override.
Concentrate on fraud schemes and scenarios.
Conduct testing for any controls identified that are not otherwise tested.
Utilize Fraud Prevention Scorecard
Utilize Fraud Detection Scorecard
Fraud Prevention Scorecard
Needs significant improvement
Needs some improvement
Strong or acceptable risk
Fraud Detection Scorecard
Needs significant improvement
Needs some improvement
Strong or acceptable risk
Step Seven
Determining Residual Risks
Fraud risks not adequately mitigated by existing controls.
Fraud risks without controls.
Step Eight
Fraud Risk Response & Action
Understand the organization's fraud risk tolerance
Determine Action & Response
Assign responsibility
Step Eight (3)
Fraud Risk Response & Action
Immediate Action Required
Continuous Monitoring
Action Required
Periodic Monitoring
No Action Required
Step Eight (2)
Fraud Risk Response & Action
Avoid the risk • Stop activity
Transfer the risk • Insurance
Mitigate the risk • Controls
Assume the risk
Combination approach
Action & Response
Fraud Responsibility Matrix
Elements of a Good Fraud Risk Assessment
Collaboration between management and auditors
The right sponsor
Independence/objectivity of the team members
A good working knowledge of the business
Access to people at all levels of the organization
Engendered trust
The ability to think the unthinkable
A plan to keep it alive and relevant
Delivering results of Fraud Risk Assessment
Package it right—use the language of the business.
Remember that one size does not fit all.
Keep it simple.
Report objective—not subjective—results.
Focus on what really matters.
Identify actions that are clear and measurable.
Each business unit or department should be aware of its vulnerabilities and responsible for mitigating the respective fraud risks.
DEVIL IS IN THE DETAILS
Exercise #3 – WMA Medical
Case Study – Devil is in the Details
Hand Out & Exercise
OTHER RISKS
Reputational Risks
Fraud can damage reputation and the willingness of vendors, customers, and banks to do business with the organization
Financial restatement can damage stock value
Media attention for fraud can damage brand value
Fraud can negatively impact an organization's ability to borrow and increase its cost of debt
Regulatory & Legal Risks
Conflicts of interest
Insider trading
Theft of trade secrets
Anti-competitive practices
Environmental violations
Trade and customs violations (import / export)
PREVENTION & DETECTION
Prevention Programs
Human Resource Procedures
• Performing Background Checks
• Anti-fraud training
• Evaluating Performance and compensation programs
• Conduct exit interviews
Authority Limits
• Level of authority should be commensurate with level of responsibility
• IT access controls
Prevention Programs (2)
Transaction-Level Procedures
• Review of third-party & related-party transactions
• Fraud auditing / continuous monitoring for vendors and invoices
  • Why is this preventive?
• Preventive and approval measures for all related-party transactions
Detection Programs
Whistleblower Hotlines
Process Controls
Data Analysis
Continuous Auditing & Monitoring
Monitor common fraud threats for organization & industry
Prevention & Detection Program
Document fraud prevention & detection techniques
Assess the organization's fraud prevention & detection
• Conduct annual assessment of overall program
• Use Prevention Scorecard
Periodically reassess techniques being used
Continuous monitoring
Engage outside independent experts to evaluate fraud program
Keep it going…
Key components of a sound anti-fraud program:
Tone at the Top
Oversight by Audit Committee & Board of Directors
Ethics Policy & Code of Conduct
Policies & Procedures for HR, Expenses, Fraud
Fraud Risk Scenario Assessment
Ethics Hotline & Whistleblower Program
Delegation of Authority (Authority Matrix)
Fraud Training & Education
Process to respond to control deficiencies and allegations of fraud
Internal Audit’s Role (again)
Objective assurance that fraud program is in place, effective and sufficient.
Fraud risk assessment should be part of annual audit plan considerations
Participate / conduct fraud risk assessment
Understand fraud schemes, scenarios and red flags
Depending on the organization, conduct / participate in fraud investigations
Summary of Concepts
• A good Fraud Risk Assessment requires work.
• Must have a sponsor at the appropriate level.
• Must involve the right people with the right knowledge.
• Needs to be based on fraud tree and known schemes and scenarios.
• Needs to be reassessed regularly.