
Who should be involved?

© 2014 CPEinteractive, Inc. 95

• Accounting & Finance personnel who are SMEs on processes & controls.

• Risk management personnel to ensure proper integration with ERM.

• Legal & Compliance personnel to ensure appropriate response to potential criminal, civil & regulatory issues.

• Internal Audit

Many others will participate and be interviewed.

Methodology & Framework

Determine a Fraud Risk Assessment Framework. Include:

Fraud Schemes & Scenarios

Likelihood & Significance

People & Departments

Existing Fraud Controls

Controls Effectiveness

Residual Risks

Fraud Risk Response

Fraud Risk Assessment Framework example

Fraud Risk Assessment Framework example (2)

Let’s go!

Completing the Fraud Risk Assessment Framework

Difference between FRA & ERM

Traditional risk assessments link risks to the organization's key objectives. Therefore, fraud can be overlooked during this type of review if it is not considered a core company objective.

Fraud Risk Assessment Framework

(Diagram of the eight framework steps, numbered 1 through 8.)

Completing the Fraud Risk Assessment Framework

1. Identify potential inherent fraud risks.

2. Assess the likelihood of the identified fraud risks.

3. Assess the significance of the fraud risks.

4. Identify which people and departments are most likely to commit fraud and the methods they are likely to use.

Completing the Fraud Risk Assessment Framework (2)

5. Identify and map existing controls to relevant fraud risks.

6. Evaluate whether the identified controls are operating effectively and efficiently.

7. Identify and evaluate residual fraud risks resulting from ineffective or nonexistent controls.

Completing the Fraud Risk Assessment Framework (3)

8. Addressing the Identified Fraud Risks

Establish an acceptable level of risk (management).

Rank and prioritize identified risks.

Estimate likely cost of each risk.

Use a heat map.

Fraud Risk Response.

Assign Responsibility – Fraud Responsibility Matrix

Step One

Identifying potential fraud risks through Brainstorming

Brainstorming to identify risks

Formal Process

Identify leader / facilitator

Set Agenda

Open discussions

Fraud schemes & scenarios assessment

Review and feedback from senior management and Board

Follow up and revisit issues

Effective fraud scheme & scenario assessment

Identifies where and how fraud and corruption may occur.

Builds a common understanding of fraud risk.

Identifies fraud threats to business objectives

Provides the basis for an effective Fraud Control Plan.

Identifies and reviews the effectiveness of Key Policies, Guidelines and other controls used to minimize fraud

Increases employee awareness of fraud prevention risks and controls across the entity.

Fraud scheme & scenario assessment

Utilize Fraud Tree

Brainstorm potential for fraud around each branch on Fraud Tree

Create a Fraud Risk Exposures List

Many useful tools for various industries can be found on the ACFE, IIA, & AICPA websites.


Fraud Risk Exposure List

1. Intentional manipulation of financial statements can lead to:
   a. Inappropriately reported revenues
      1. Fictitious revenues
      2. Premature revenue recognition
      3. Contract revenue and expense recognition
   b. Inappropriately reported expenses
      1. Period recognition of expenses
   c. Inappropriately reflected balance sheet amounts, including reserves
      1. Improper asset valuation
         1. Inventory
         2. Accounts receivable
         3. Mergers and acquisitions
         4. Capitalization of intangible items
      2. Misclassification of assets
      3. Inappropriate depreciation methods

Identifying Incentives, Pressures & Opportunities

Brainstorm motives
• Strategy needs time
• Few more pennies per share to hit expectations or bonus
• Saving for a rainy day

Pressures
• Personal & Professional

Opportunities
• Manual processes
• Lack of segregation of duties

Step Two

Determining Likelihood

Evaluate the likelihood of risks as:

• remote, reasonably possible, and probable.

Historical information

Prevalence in industry

# of transactions

Complexity of transactions

Review process - # of reviews & levels of approvers

Interviews with process owners and staff

Heat Maps

Step Three

Determining Significance

Evaluate significance as:

• Immaterial, significant & material.

Quantitative & qualitative factors should be considered
• For example, financially immaterial but could greatly impact reputation

Interviews with process owners and staff.

Heat Maps

Cost Analysis

Heat Map – Likelihood & Significance

Estimating Likely Cost of a Risk

Step Four

People & Departments subject to fraud

• Evaluate which people inside and outside the organization are subject to the risk

• Evaluate incentives & pressures

• Appropriate segregation of duties

• Proper review and approval chains of authority

• Determine relationships that may be prone to collusion

• Identify potential fraud opportunities

Step Five

Identifying existing fraud controls

Identify known fraud controls

Map pre-existing fraud controls to identified fraud risks

Identify risks without existing controls

Step Six

Evaluating existing control effectiveness

Examine existing control testing from IA & SOX, but focus specifically on control measures aimed at preventing or detecting fraud.

Identify whether or not controls can be circumvented and consider the susceptibility of controls to management override.

Concentrate on fraud schemes and scenarios.

Conduct testing for any identified controls that are not otherwise tested.

Utilize Fraud Prevention Scorecard

Utilize Fraud Detection Scorecard

Fraud Prevention Scorecard

Needs significant improvement

Needs some improvement

Strong or acceptable risk

Fraud Detection Scorecard

Needs significant improvement

Needs some improvement

Strong or acceptable risk

Step Seven

Determining Residual Risks

Fraud risks not adequately mitigated by existing controls.

Fraud risks without controls.

Step Eight

Fraud Risk Response & Action

Understand the organization’s fraud risk tolerance

Determine Action & Response

Assign responsibility

Step Eight (3)

Fraud Risk Response & Action

Immediate Action Required

Continuous Monitoring

Action Required

Periodic Monitoring

No Action Required

Step Eight (2)

Fraud Risk Response & Action

Avoid the risk • Stop activity

Transfer the risk • Insurance

Mitigate the risk • Controls

Assume the risk

Combination approach
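As an added example (not from the CPEinteractive deck), the eight steps above as a small fraud risk register in Python: it scores inherent likelihood × significance, credits mapped controls by their scorecard rating, computes residual risk, bands it into the deck's response labels, ranks the risks and builds the responsibility matrix. The numeric scales, control credits and heat-map thresholds are assumptions, since the heat-map slide itself is not reproduced here; the sample register is constructed.

```python
from dataclasses import dataclass, field

# Ordinal scales from steps 2 and 3; the 1..3 point values are assumed (cell score = 1..9).
LIKELIHOOD = {"remote": 1, "reasonably possible": 2, "probable": 3}
SIGNIFICANCE = {"immaterial": 1, "significant": 2, "material": 3}
# Scorecard ratings from steps 5 and 6; the likelihood points each rating earns are assumed.
CONTROL_CREDIT = {"needs significant improvement": 0, "needs some improvement": 1,
                  "strong or acceptable": 2}
# Step 8 response labels from the deck; the cell-score thresholds are assumed.
RESPONSE_BANDS = [(6, "Immediate Action Required"), (4, "Action Required"), (3, "Continuous Monitoring"),
                  (2, "Periodic Monitoring"), (1, "No Action Required")]

@dataclass
class FraudRisk:
    scheme: str        # step 1: scheme or scenario from the fraud risk exposure list
    likelihood: str    # step 2
    significance: str  # step 3
    owner: str         # step 4: department most exposed, and responsible for the response
    controls: list = field(default_factory=list)  # step 5: (control name, scorecard rating)

def inherent_score(risk):
    return LIKELIHOOD[risk.likelihood] * SIGNIFICANCE[risk.significance]

def residual_score(risk):
    """Step 7: the best-rated mapped control lowers likelihood (never below 'remote'); significance stays."""
    credit = max((CONTROL_CREDIT[rating] for _, rating in risk.controls), default=0)
    return max(1, LIKELIHOOD[risk.likelihood] - credit) * SIGNIFICANCE[risk.significance]

def heat_map_response(score):
    """Step 8: band a residual cell score into the deck's response labels."""
    return next(label for floor, label in RESPONSE_BANDS if score >= floor)

def residual_risks(register, tolerance):
    """Step 7 output: risks with no control at all, or still above management's tolerance."""
    return [r.scheme for r in register if not r.controls or residual_score(r) > tolerance]

def prioritize(register):
    """Step 8: rank by residual score, ties broken by inherent score, highest first."""
    ranked = sorted(register, key=lambda r: (residual_score(r), inherent_score(r)), reverse=True)
    return [(r.scheme, residual_score(r), heat_map_response(residual_score(r))) for r in ranked]

def responsibility_matrix(register):
    """Step 8: fraud responsibility matrix, schemes grouped under their owning department."""
    matrix = {}
    for r in register:
        matrix.setdefault(r.owner, []).append(r.scheme)
    return matrix

# Constructed sample register: schemes come from the deck's exposure list, everything else is made up.
SAMPLE_REGISTER = [
    FraudRisk("Fictitious revenues", "reasonably possible", "material", "Finance",
              [("Customer master change review", "needs some improvement")]),
    FraudRisk("Premature revenue recognition", "probable", "material", "Sales",
              [("Quarter-end cut-off review", "needs some improvement")]),
    FraudRisk("Improper inventory valuation", "reasonably possible", "significant", "Operations"),
    FraudRisk("Inappropriate depreciation methods", "remote", "immaterial", "Finance",
              [("Fixed asset policy review", "strong or acceptable")]),
]
```

Calling `prioritize(SAMPLE_REGISTER)` puts premature revenue recognition first (residual 6, Immediate Action Required) and `residual_risks(SAMPLE_REGISTER, tolerance=3)` flags it together with the uncontrolled inventory risk.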

Action & Response

Fraud Responsibility Matrix

Elements of a Good Fraud Risk Assessment

Collaboration between management and auditors

The right sponsor

Independence/objectivity of the team members

A good working knowledge of the business

Access to people at all levels of the organization

Engendered trust

The ability to think the unthinkable

A plan to keep it alive and relevant

Delivering results of Fraud Risk Assessment

Package it right—use the language of the business.

Remember that one size does not fit all.

Keep it simple.

Report objective—not subjective—results.

Focus on what really matters.

Identify actions that are clear and measurable

Each business unit or department should be aware of its vulnerabilities and responsible for mitigating the respective fraud risks.

DEVIL IS IN THE DETAILS

Exercise #3 – WMA Medical


Case Study – Devil is in the Details

Hand Out & Exercise

OTHER RISKS

Reputational Risks

Fraud can damage reputation and the willingness of vendors, customers, and banks to do business with the organization.

Financial restatement can damage stock value

Media attention for fraud can damage brand value

Fraud can negatively impact an organization’s ability to borrow and increase cost of debt

Regulatory & Legal Risks

Conflicts of interest

Insider trading

Theft of trade secrets

Anti-competitive practices

Environmental violations

Trade and customs violations (import / export)

PREVENTION & DETECTION

Prevention Programs

Human Resource Procedures
• Performing background checks
• Anti-fraud training
• Evaluating performance and compensation programs
• Conduct exit interviews

Authority Limits
• Levels of authority should be commensurate with levels of responsibility
• IT access controls

Prevention Programs (2)

Transaction-Level Procedures
• Review of third-party & related-party transactions
• Fraud auditing / continuous monitoring for vendors and invoices
  • Why is this preventive?
• Preventive and approval measures for all related-party transactions

Detection Programs

Whistleblower Hotlines

Process Controls

Data Analysis

Continuous Auditing & Monitoring

Monitor common fraud threats for organization & industry

Prevention & Detection Program

Document fraud prevention & detection techniques

Assess the organization’s fraud prevention & detection
• Conduct annual assessment of overall program
• Use Prevention Scorecard

Periodically reassess techniques being used

Continuous monitoring

Engage outside independent experts to evaluate fraud program

Keep it going…

Key components of a sound anti-fraud program:

Tone at the Top

Oversight by Audit Committee & Board of Directors

Ethics Policy & Code of Conduct

Policies & Procedures for HR, Expenses, Fraud

Fraud Risk Scenario Assessment

Ethics Hotline & Whistleblower Program

Delegation of Authority (Authority Matrix)

Fraud Training & Education

Process to respond to control deficiencies and allegations of fraud

Internal Audit’s Role (again)

Objective assurance that fraud program is in place, effective and sufficient.

Fraud risk assessment should be part of annual audit plan considerations

Participate / conduct fraud risk assessment

Understand fraud schemes, scenarios and red flags

Depending on the organization, conduct or participate in fraud investigations

Summary of Concepts

• A good Fraud Risk Assessment requires work.

• Must have an appropriate-level sponsor.

• Must involve the right people with the right knowledge.

• Needs to be based on fraud tree and known schemes and scenarios.

• Needs to be reassessed regularly.