COSO Webinar Slides - Assessing Fraud Risk - September 2014
A 2014 Protiviti webinar on Assessing Fraud Risk - COSO
COSO 2013: Assessing Fraud Risk
© 2014 Protiviti Inc. CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party.
Today’s Presenters
Keith Kawashima is a Managing Director in Protiviti’s Silicon Valley office. Keith has over 25 years of experience in finance and accounting including 15+ years with Protiviti/Arthur Andersen’s Internal Audit practice and more than 10 years corporate experience in both Finance and Operations prior to joining Protiviti. He has been involved in all aspects of a company’s internal audit function from establishing a charter and developing a risk-based internal audit plan, to developing and executing work programs, through reporting at the audit committee and board level. Email: [email protected]
Keith Kawashima, Managing Director, California
Pamela Verick is a Director in Protiviti’s Investigations & Fraud Risk Management solution. Pam has over 22 years of risk management experience, including creation of fraud governance systems and fraud risk management programs, planning and execution of fraud risk assessments, and conducting investigations to address fraud, misconduct and potential violations of the Foreign Corrupt Practices Act as well as equivalent anti-bribery laws and regulations. She also assists with compliance and ethics programs for both the public and private sector. Email: [email protected]
Pamela Verick, Director, McLean, Virginia
Scott Moritz is the leader of Protiviti’s Fraud, Anti-Corruption and Investigations practice. He has more than 27 years of investigative and regulatory compliance experience working with a variety of organizations, government and regulatory agencies to identify, triage, investigate and remediate a wide variety of risks. With extensive experience investigating transnational crime, corruption and money laundering, Scott is widely regarded as a leading authority on the evaluation, design, remediation, implementation and administration of corporate compliance programs, codes of conduct, training and internal audit programs. Email: [email protected]
Scott Moritz, Managing Director, New York
Jeff Tecau is a Director with Protiviti in Orlando, FL and has 16 years of Audit and Consulting experience. At Protiviti, Jeff has focused on internal auditing and financial and accounting related consulting and helps lead Protiviti’s Internal Audit and Financial Advisory practice in the Florida market. Prior to Protiviti, Jeff spent time in external audit with PricewaterhouseCoopers and was a Senior Analyst in the Financial Planning and Analysis group of a Fortune 500 energy company. Email: [email protected]
Jeff Tecau, Director, Orlando
Today We Will Cover…
Fraud Principle 8
Historic View of Fraud Documentation for SOX
Fraud Risk Assessment Frequently Asked Questions
Fraud Risk Assessment Case Study
Historic View of Fraud Documentation for SOX
Common Definitions of Fraud
“Any illegal acts characterized by deceit, concealment or violation of trust. These acts are not dependent upon the application of threat of violence or of physical force. Frauds are perpetrated by parties and organizations to obtain money, property or services; to avoid payment or loss of services; or to secure personal or business advantage.”
- Institute of Internal Auditors
“All means by which one individual can get an advantage over another by false suggestions or suppression of the truth. It includes all surprise, trick, cunning or dissembling, and any unfair way by which another is cheated.”
- Black’s Law Dictionary
“An intentional act that results in a material misstatement in financial statements that are the subject of an audit. Two types of misstatements are relevant to the auditor’s consideration of fraud: fraudulent financial reporting and misappropriation of assets.”
- AU Sec. 316 / Statement on Auditing Standards No. 99 (“SAS 99”)
“The use of one’s occupation for personal enrichment through the deliberate misuse or misapplication of the employing organization’s resources or assets.”
- 2014 Report to the Nations on Occupational Fraud and Abuse
“Any intentional act or omission designed to deceive others, resulting in the victim suffering a loss and / or the perpetrator achieving a gain.”
- Managing the Business Risk of Fraud: A Practical Guide
Fraud Assessment Embedded Within Overall Risk Assessment
Phase I: Assess Current State and Identify Relevant Processes
Phase II: Document Critical Processes and Controls
Phase III: Evaluation & Testing Controls
Phase IV: Remediation of Control Weaknesses
Set Foundation: Project Management, Knowledge Sharing, Communication, Continuous Improvement
Stages: Planning & Scoping Stage; Design, Document, & Testing Stage
Activities across the stages:
• Select financial reporting elements
• Define control units
• Prioritize financial reporting elements
• Define process classification scheme
• Link business processes to priority financial reporting elements
• Select and prioritize business processes
• Inventory existing policies & procedures
• Map processes to locations
• Select processes and controls to document and test
• Baseline reports
• Consider controls across all levels: Entity-level; Process level; IT controls; Anti-fraud; Outsourced processes
Linking to Key Business Processes
Business process areas and their sub-processes (each area also carries an “Overall” rating):
• Equity: Stock Comp and Administration; Recording Stock Compensation; Presentation and Disclosure
• Financial Reporting: Period-end Close; Consolidation; Financial Reporting and Disclosure
• Fixed Assets: Asset Acquisition/Capitalization; Asset Depreciation; Asset Disposal; Asset Management
• Inventory: Standard Cost; Inventory Valuation; Inventory Reserves; Inventory Management
• Payroll: Employee Master File Maintenance; Payroll Master File Maintenance; Time and Expense Reporting; Payroll Processing and Recording; Incentive Compensation
• Procure to Pay: Purchasing; Receiving; Accounts Payable and Cash Disbursements; Manage Travel & Entertainment Expense; Month-end Accrual
• Revenue: Order Management; Revenue Recognition (Shipping & Billing); AR Aging & Collections; AR Reserves; Revenue Reserves
• Tax: Income Taxes, Sales & Use Taxes and Property Taxes
• Treasury: Cash Management; Investments; Borrowings
• IT: IT - General Controls
The slide shows a matrix in which each financial statement line item (Assets – Current Assets: Cash and cash equivalents; Short Term Investment; Accounts Receivable; Allowance for accounts receivable; Accounts receivable, net of allowances; Raw Materials; Inventory Material in transit; Finished Goods; Inventory reserve; Inventories) is rated Low / Medium / High (L / M / H) against the linked sub-processes; the individual ratings are not recoverable from the slide text.
Scope of Anti-Fraud Program
• Controls specifically established to prevent and detect fraud that is reasonably possible to result in a material misstatement of the financial statements
• Identification of specific controls that mitigate the risk of material fraud within key processes
Evaluation should take place at both the Company level and the Process level.
Types of fraud in scope:
• Misappropriation of assets: Embezzlement and theft that could materially affect the financial statements
• Expenditures and liabilities incurred for improper or illegal purposes
• Bribery and influence payments that can result in reputation loss
• Fraudulently obtained revenue and assets and/or avoidance of costs and expenses
• Scams and tax fraud that can result in reputation loss
• Fraudulent financial reporting: Inappropriate earnings management or “cooking the books” - e.g., improper revenue recognition, intentional overstatement of assets, understatement of liabilities, etc.
Audit Standard 5 (“AS5”) Fraud Considerations
Focus on potential fraud that could result in a material misstatement of the financial statements
Management is responsible for preventing, detecting and deterring fraud
Anti-fraud control deficiencies are considered at least a significant deficiency
Identification of fraud on the part of senior management (whether or not material) is an indicator of a material weakness
Documentation Objectives
• The PCAOB-required objectives for documentation are:
– Understand the flow of transactions related to relevant assertions
– Verify that all points have been identified within the company’s processes at which a misstatement could arise that, individually or in combination with other misstatements, would be material
– Identify the controls that management has implemented to address these potential misstatements
– Identify the controls that management has implemented over the prevention or timely detection of unauthorized acquisition or disposition of the company's assets that could result in a material misstatement of the financial statements
• Process documentation is used by external auditors for walkthroughs
Which SOX Requirements Have FCPA Implications?
SOX Section 302 - Responsibility of Corporate Officers for the Accuracy and Validity of Corporate Financial Reports
SOX Section 404 - Reporting on the State of a Company’s Internal Controls over Financial Reporting
SOX Section 802 - Criminal Penalties for Altering Documents
Referenced from A Resource Guide to the U.S. Foreign Corrupt Practices Act, Department of Justice and Securities and Exchange Commission (2012)
Fraud Principle 8
What’s Driving Today’s Fraud Risk Assessment Activities?
COSO Internal Control – Integrated Framework – Principle 8 (May 2013)
The organization considers the potential for fraud in assessing risks to the achievement of objectives. This includes management’s assessment of the “risks relating to the fraudulent reporting and safeguarding of the entity’s assets,” along with “possible acts of corruption” by entity personnel and outsourced service providers.
Managing the Business Risk of Fraud: A Practical Guide (July 2008)
Non-binding guidance on the topic of fraud risk management issued in collaboration between the IIA, AICPA and ACFE. Includes consideration of fraud risk assessment.
IIA Standard 2120.A2 (January 2009)
The internal audit activity must evaluate the potential for the occurrence of fraud and how the organization manages fraud risk.
IIA Standard 1210.A2 (revised January 2009)
Internal auditors must have sufficient knowledge to evaluate the risk of fraud and the manner in which it is managed by the organization, but are not expected to have the expertise of a person whose primary responsibility is detecting and investigating fraud.
Evolving Perspectives on Fraud Risk
PCAOB AS5, AU Sec. 316, SAS 99 (scope: “Financial Statements”): Fraudulent Financial Reporting; Misappropriation of Assets
COSO 2013 Principle 8 (scope: “Objectives” – Operations, Reporting, Compliance): Fraudulent Reporting; Safeguarding of Assets; Corruption; Management Override
COSO 2013 – Principle 8: Often Referred to as “Fraud Principle,” “Principle 8” or “Fraud Principle 8”
What it says:
1. “The organization considers the potential for fraud in assessing risks to the achievement of objectives.”
2. Actions conducted under Principle 8 are closely linked to Principle 7 (Identifies and Analyzes Risk).
What it doesn’t say:
1. How fraud should be defined.
Instead, the focus is placed on types of fraud to be considered.
2. What department within the organization should assess fraud risk.
States that risk assessment includes management’s assessment of the risks related to the fraudulent reporting and safeguarding of assets, as well as possible acts of corruption.
3. Which techniques should be used to assess fraud risk.
No specific fraud risk assessment methodology is prescribed.
COSO 2013 – Principle 8: Linkage with Principle 7
Principle 7 (Risk Assessment) and Principle 8 (Fraud) are linked through the same risk assessment steps: Risk Identification; Risk Analysis; Risk Response.
COSO 2013 – “Fraud Principle 8”: Key Driver in Today’s Fraud Risk Assessment Activities
• POF 31: Considers various types of fraud
• POF 32: Assesses incentives and pressures
• POF 33: Assesses opportunities
• POF 34: Assesses attitudes and rationalizations
• Many organizations have integrated their assessment of fraud risks and controls with their ICFR assessment
• Approach to addressing will depend on how effectively the organization has considered and documented fraud risk in the past
• For those that have documented controls to address common fraud scenarios, this could be incorporated into the mapping:
‒ Inventory elements of the fraud risk management program currently in place (entity level)
‒ Document an overall summary of significant fraud risks (process level), along with assessment of their likelihood and potential impact
• Reconsider the existing fraud risk management program in context of current fraud risk profile
Factors Impacting Fraud Risk – COSO 2013 – Fraud Principle 8: Key Characteristics Reflect “The Fraud Triangle”
THE FRAUD TRIANGLE
OPPORTUNITY: Refers to the ability of an individual or group to “actually acquire, use or dispose of assets, which may be accompanied by altering the entity’s records.” Often driven by the belief that activities will go undetected, opportunity is created by weak control and monitoring activities, poor management oversight, and management override of controls.
ATTITUDES AND RATIONALIZATIONS: Individuals can more easily rationalize, or justify, committing fraud based on their perception, right or wrong, of the company’s fraud philosophy, the state of its internal control framework and “how business is done.”
INCENTIVE / PRESSURE: Incentives to commit fraudulent acts, or pressures that result in the intentional loss of assets, fraudulent reporting or corruption.
Elements of Fraud Risk Management Program: Sample Entity Level Control Activities
Control Environment
• Board / Audit Committee Oversight
• Management roles and responsibilities
• Code of Business Conduct
• Conflicts of Interest Policy
• Fraud Control Policy
• Investigation Protocols / Policy
• Ombudsman Program
• Whistleblower Policy
Risk Assessment
• Fraud risk assessment (including corruption / bribery)
Control Activities
• Due diligence (employees and third parties)
Information & Communication
• Reporting mechanisms, including hotline
• Ethics training
• Fraud awareness training
Monitoring Activities
• Continuous monitoring (i.e., management)
• Fraud / ethics audit procedures (i.e., Internal Audit, Compliance)
• Investigation / case management system
• Discipline / remediation
• Quality assurance review
COSO 2013 – Fraud Principle 8: Types of Fraud
Fraudulent reporting – occurs when an organization’s reports are intentionally prepared with omissions or misstatements.
Safeguarding of assets – refers to protection from the unauthorized, inappropriate and intentional acquisition, use or disposal of organization’s assets.
Corruption – involves improper use of an employee’s influence in business transactions which violates duty to employer for purpose of obtaining benefit for themselves or someone else.
Management override – describes actions in which internal controls are intentionally overridden for an illegitimate purpose.
COSO 2013 – Fraud Principle 8: Fraudulent Reporting – Examples of Common Fraud Scenarios
1. Fraudulent Financial Reporting
2. Fraudulent Non-Financial Reporting
3. Misappropriation of Assets
4. Illegal Acts
COSO 2013 – Fraud Principle 8: Safeguarding of Assets – Examples of Common Fraud Scenarios
1. Unauthorized and willful acquisition, use or disposal of assets or other resources
2. Inappropriate use benefits an individual or group
COSO 2013 – Fraud Principle 8: Management Override – Examples of Common Fraud Scenarios
1. Intentional override of internal controls for illegitimate purposes
2. Significantly influenced by control environment
3. Not to be confused with Management Intervention for legitimate purposes
COSO 2013 – Fraud Principle 8: Corruption – Examples of Common Fraud Scenarios
1. Illegal Acts
2. Conflicts of Interest
3. Bribery
4. Illegal Gratuities
5. Solicitation
Fraud Risk Assessment Frequently Asked Questions (“FAQs”)
FAQ 1: Who’s Typically Involved in a Fraud Risk Assessment?
• Audit Committee (provides oversight on behalf of Board of Directors)
• Project Sponsor: General Counsel (if privileged); CFO or Internal Audit Director
• Steering Committee (optional): C-Suite; Senior Management
• Project Coordinator: IA Resource; Controller
• Participants: Accounting / Finance; Compliance / Legal; Human Resources; Operations (Sales, Marketing, R&D, Engineering, Supply Chain, Plant Manager, etc.)
FAQ 2: What Techniques Are Used to Identify Fraud Risk? One or More Work Steps May Be Utilized in Combination / Various Sequences
Document review and analysis
Fraud risk brainstorming session
Fraud risk workshop
Interviews
Survey
Data analysis
FAQ 3: What Risk Factors Should Be Considered During Fraud Risk Assessment? Examples include…
• Degree of estimates and judgments in external financial reporting
• Methodology for recording and calculating inventory and shrinkage
• Reductions in allowances
• Fraud schemes and scenarios impacting industry / market sectors
• Geographic regions where the organization conducts business
• Incentives that may motivate fraudulent behavior
• Nature of automation
• Unusual or complex transactions subject to significant management influence, especially at period-end
• Poor compliance culture
• Lack of management oversight
• “Controlling” or “domineering” management personalities
• “Abnormal” management involvement in selection of accounting principles
• Unusual ratios
• Unexpected profitability
• Rapid growth compared to peers
• Recurring negative cash flows during periods of earnings growth
• Last minute transactions
• Inconsistencies in gross margin activity
• Unsupported pricing discounts
• Intentional inaccuracies or omissions in financial statements
• Recording sales of goods and services that did not occur
• Omissions of expenses or liabilities
• Capitalized expenses
− If capitalized as assets and not expensed during the current period, income will be overstated.
− As the assets are depreciated, income in subsequent periods will be understated.
• Allowances that do not align with industry practices
• Write-offs for loans to directors, officers and management
• “Shifting” expenses between entities
• “Off-books” accounts / “off balance sheet” entities
FAQ 4: What Criteria Are Used to Assess Significance and Likelihood of Fraud Risk? Examples include…
Samples from Client Engagements (“3-box”):
Significance / Impact                 | Likelihood / Probability
Low / inconsequential                 | Low or remote
Medium / more than inconsequential    | Medium or reasonably possible
High / material                       | High or probable
Samples from Client Engagements (“5-box”):
Significance / Impact                 | Likelihood / Probability
Insignificant                         | Rare
Minor                                 | Remote
Moderate / serious                    | Reasonably possible
High / major                          | Probable
Major / operational suspension        | Almost certain
FAQ 5: How Do Organizations Document Fraud Risk Assessment Activities? Examples include…
1. Process Narrative
2. Process Map (fraud risk assessment methodology)
3. Fraud Risk and Controls Matrix (“Fraud RCM”)
4. Report
5. Fraud Risk Heat Map
FAQ 6: How Does IT “Fit” Into Types of Fraud Outlined in Principle 8? Examples include…
Fraudulent Reporting
• Proper accounting and reporting of liabilities associated with IT infrastructure, systems and upgrades.
• Appropriate disclosures regarding losses suffered as a result of cybercrime.
Safeguarding of Assets
• Loss of intellectual property, confidential data, sensitive data, personally identifiable information, etc.
• Misuse or abuse of IT network / assets that result in loss of employee time and productivity.
• Intentional misuse / abuse of company’s software licenses.
Corruption
• Bribery and kickbacks involving third parties and employees.
• Illegal gratuities provided to IT personnel following system implementation.
• Extortion related to the security of data and IT infrastructure.
Management Override
• Intentional override of controls to obtain unauthorized or otherwise impermissible access to accounting or information systems.
• Intentional override of controls that results in destruction of electronic files.
Fraud Risk Assessment Case Study
Case Study Overview
• Protiviti, acting as outsourced Internal Auditor, performed a fraud risk assessment for a closely held, NASDAQ traded client to evaluate the ways in which fraud could be perpetrated within the company.
• The purpose of the fraud risk assessment was to (1) identify likely fraud scenario risks, (2) identify internal controls, management, or other governance-related activities that mitigate these risks, (3) determine if the controls mitigating these risks were documented in the SOX documentation, and (4) identify control gaps where fraud scenarios are not directly controlled.
• This review focused on the risk assessment and review of control design as represented by management. Testing of the operating effectiveness of controls was not performed as part of this review as a majority of the client’s anti-fraud controls were to be tested later in FY2014 as part of SOX 404.
• As the company had adopted the 2013 COSO Framework for purposes of Sarbanes-Oxley 404 compliance efforts, the 2013 COSO Framework was used to categorize the company’s anti-fraud activities.
Components and Principles of Internal Control – Risk Assessment (Sample Deliverable)
Risk Assessment
Description: Involves the identification and analysis by management of relevant risks to achieving predetermined objectives.
The 2013 COSO Framework sets out seventeen principles representing the fundamental concepts associated with each component of internal control. The principles supporting the RISK ASSESSMENT component of internal control are:
Risk Assessment Principles
1. The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.
2. The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.
3. The organization considers the potential for fraud in assessing risks to the achievement of objectives.
4. The organization identifies and assesses changes that could significantly impact the system of internal control.
Fraud Risk Assessment Process Overview (Sample Deliverable)
Risk Assessment
Description: Involves the identification and analysis by management of relevant risks to achieving predetermined objectives.
Risk universe used to frame the assessment, grouped on the slide into Environment Risk, Process Risk and Information for Decision Making Risk:
• Financial: Currency Exposure; Reserves Adequacy; Investment; Treasury/Cash Management; Taxation; Financial Reporting; Pension Fund Reporting; Regulatory Reporting; Tax Reporting
• Empowerment: Performance Incentives; Leadership; Authority / Limit; Communications
• Operations: Enrollment/Disenrollment; Policy Processing; Claims/PDE Processing; Premiums; Rebate Billing; Agent commission processing; Agent performance; Marketing/Product Development; Customer Service; Contracts; Procurement; Project Management; Vendor Management; Member Services; Employee Expertise; Human Resources
• Information Technology: Data Integrity; Data Security/Access; Availability of Information; IT Infrastructure; Program Change Control; System Implementations
• Governance: Organizational Culture; Ethical Behavior; Board Effectiveness; Succession Planning
• Reputation: Image & Branding; Direct to Customer Advertising; Stakeholder Relations; Product Integrity & Safety
• Process Integrity: Management/Employee Fraud; Claims Fraud; Illegal Acts/Unauthorized Use/Abuse
• Strategic Decisions: Insurance Product Portfolio; Business Continuity & DR; M&A Integration; Organization Structure; Key Performance Indicators; Resource Allocation
• Operational Decisions: Reinsurance; Product/Service Pricing; Bid Modeling; Actuarial Reserve Development; Forecast, Budget, & Planning
• Regulatory: SEC; CMS (Medicare/Medicaid); Federal/State; HIPAA; Suppl. Health Insurance
• Customer: Demographic Shifts; Concentration; Preferences; Discretionary Spending; Awareness
• External: Competitor; Fraud; Shareholder Expectations; Capital Availability; Investor Relations; Political; Legal; Catastrophic Loss; Healthcare Advancements
• Compliance/Legal: Market Conduct; Claims/Litigation; Debt Covenants; Remediation
The approach utilized in conducting the fraud risk assessment process (Identify Risk; Assess and Prioritize Risk; Select Focus Areas; Internal Control Mapping):
Identify Risk
• Review and understand company operations and key fraud risk categories as suggested by management to develop a universe of potential fraud scenarios that may occur
• Conduct interviews with certain members of the Management team
• Conduct limited surveying of the Management team
• Aggregate information, prioritize areas of fraud risk, and conceptualize focus areas
Assess and Prioritize Risk / Select Focus Areas
• Evaluate and prioritize fraud risks on a heat map on an inherent basis according to management commentary and other available information
Internal Control Mapping
• Develop an internal control map for fraud focus areas to identify management’s control activities
• Identify internal control recommendations where fraud scenarios are not directly controlled
• Validate and discuss results with Management
Fraud Inherent Risk Map (Sample Deliverable)
Risk Assessment
Fraud risk scenarios are plotted by Likelihood (Low / Medium / High) against Impact (Low / Medium / High); the individual cell positions are not recoverable from the slide text.
FINANCIAL REPORTING
1 Earnings management
2 Manual journal entries
DISBURSEMENTS
3 Improper use of corporate credit cards
4 Payment of false invoices
5 Billing for work not performed/overbilling
6 Creation of ghost vendors
7 Vendor over-allocation of costs
8 Theft/misuse of corporate financial information
PROCUREMENT
9 Awarding of work to related parties
10 Bribery/kickback to award bids
11 Bid rigging
12 Split purchases to avoid delegation of authority
13 Material ordered in excess of requirement
14 Unauthorized vendor access to systems
PAYROLL
15 Falsification of hours worked
16 Unauthorized adjustment of salary/wages
17 Workers compensation claims
18 Failure to remove employees from payroll
19 Duplicate or ghost employees
MISAPPROPRIATION OF ASSETS
20 Theft of blank checks
21 Misuse of company assets / theft of company assets
22 Unauthorized wire transfers
23 Check fraud
24 Scrap sales/embezzlement
GOVERNANCE
25 Selective disclosure to Board or public
26 Management override of controls
27 Use of confidential information for personal gain
28 Decisions made to benefit the majority shareholder
Legend: marked scenarios represent fraud risk scenarios selected for additional procedures. Note: Inherent risk rankings are those of management. Testing of the operating effectiveness of controls was not performed as part of this review.
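The assessment steps behind this heat map (rating each scenario on the “3-box” significance and likelihood scales from FAQ 4, plotting inherent risk, selecting focus areas, and mapping controls to find scenarios that are not directly controlled) as an added example that is not part of the Protiviti deck. Scenario names and numbers are taken from the case study slide; the ratings, the focus threshold and the control IDs (FR-01, AP-01, ...) are constructed assumptions, not management’s actual rankings.

```python
"""Fraud inherent-risk heat map and control-gap mapping.

Added example, not code from the Protiviti deck. It applies the "3-box"
significance / likelihood criteria (FAQ 4) to fraud scenarios, builds the
inherent risk heat map from the case study, selects focus areas and flags
scenarios with no directly mapped control (the case study's control gaps).
Scenario names come from the case study slide; ratings and control IDs are
constructed sample data, not management's actual rankings.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Ordinal 3-box scales (FAQ 4): 1 = lowest, 3 = highest.
SIGNIFICANCE = {"low": 1, "medium": 2, "high": 3}
LIKELIHOOD = {"remote": 1, "reasonably possible": 2, "probable": 3}


@dataclass
class Scenario:
    ref: int                # number shown on the heat map
    category: str           # fraud risk category (e.g. Disbursements)
    name: str               # fraud scenario
    significance: str       # key into SIGNIFICANCE
    likelihood: str         # key into LIKELIHOOD
    controls: List[str] = field(default_factory=list)  # mapped control IDs (constructed)


def inherent_score(s: Scenario) -> int:
    """Inherent risk = significance x likelihood on the ordinal scales (1..9)."""
    return SIGNIFICANCE[s.significance] * LIKELIHOOD[s.likelihood]


def heat_map(scenarios: List[Scenario]) -> Dict[Tuple[int, int], List[int]]:
    """Group scenario refs by (likelihood, significance) cell, in input order."""
    grid: Dict[Tuple[int, int], List[int]] = {}
    for s in scenarios:
        cell = (LIKELIHOOD[s.likelihood], SIGNIFICANCE[s.significance])
        grid.setdefault(cell, []).append(s.ref)
    return grid


def focus_areas(scenarios: List[Scenario], threshold: int = 6) -> List[int]:
    """Refs whose inherent score meets the threshold, highest score first.

    With the default of 6 only the medium/probable, high/reasonably possible
    and high/probable cells are selected for additional procedures.
    """
    picked = [s for s in scenarios if inherent_score(s) >= threshold]
    picked.sort(key=lambda s: (-inherent_score(s), s.ref))
    return [s.ref for s in picked]


def control_gaps(scenarios: List[Scenario], focus_only: bool = False) -> List[int]:
    """Refs of scenarios that are not directly controlled (no mapped control).

    focus_only=True restricts the list to the selected focus areas, which is
    where the case study reports internal control recommendations.
    """
    focus = set(focus_areas(scenarios)) if focus_only else None
    return [s.ref for s in scenarios
            if not s.controls and (focus is None or s.ref in focus)]


def render(scenarios: List[Scenario]) -> str:
    """ASCII heat map: impact on rows (high at top), likelihood on columns."""
    grid = heat_map(scenarios)
    cols = ["LOW", "MEDIUM", "HIGH"]
    lines = ["Impact \\ Likelihood | " + " | ".join(f"{c:^10}" for c in cols)]
    for sig in (3, 2, 1):
        cells = [",".join(str(r) for r in grid.get((lik, sig), [])) or "-"
                 for lik in (1, 2, 3)]
        lines.append(f"{cols[sig - 1]:>19} | " + " | ".join(f"{c:^10}" for c in cells))
    return "\n".join(lines)


# Constructed sample ratings and control IDs (scenario names from the slide).
SAMPLE_SCENARIOS = [
    Scenario(1, "Financial reporting", "Earnings management", "high", "reasonably possible", ["FR-01"]),
    Scenario(2, "Financial reporting", "Manual journal entries", "high", "probable", ["FR-02", "FR-03"]),
    Scenario(4, "Disbursements", "Payment of false invoices", "medium", "probable", ["AP-01"]),
    Scenario(6, "Disbursements", "Creation of ghost vendors", "medium", "reasonably possible", []),
    Scenario(10, "Procurement", "Bribery/kickback to award bids", "high", "remote", []),
    Scenario(19, "Payroll", "Duplicate or ghost employees", "medium", "remote", ["PR-02"]),
    Scenario(26, "Governance", "Management override of controls", "high", "probable", []),
]

if __name__ == "__main__":
    print(render(SAMPLE_SCENARIOS))
    print("Focus areas (by inherent score):", focus_areas(SAMPLE_SCENARIOS))
    print("Not directly controlled:", control_gaps(SAMPLE_SCENARIOS))
    print("Control gaps within focus areas:", control_gaps(SAMPLE_SCENARIOS, focus_only=True))
```

Scenario 10 illustrates why the gap list is kept separately from the focus list: a high-impact scenario rated remote falls outside the focus threshold yet still has no mapped control, and an inherent-only rating does not lower it.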
Q & A
COSO Publications
Internal Control - Integrated Framework (2013 Edition)
Order COSO’s framework online at www.coso.org (Guidance tab)
Internal Control - Integrated Framework (3 volume set): Executive Summary, Framework and Appendices, and Illustrative Tools for Assessing Effectiveness of a System of Internal Control
Internal Control - Integrated Framework, Internal Control Over External Financial Reporting - Compendium Only: A Compendium of Approaches and Examples
Internal Control - Integrated Framework, Compendium (4 volume set): Executive Summary, Framework and Appendices, and Illustrative Tools for Assessing Effectiveness of a System of Internal Control, and A Compendium of Approaches and Examples
Resources on COSO 2013
1. 2013 Internal Control – Integrated Framework - Executive Summary
2. COSO Internal Control-Integrated Framework Frequently Asked Questions
3. The 2013 COSO Framework & SOX Compliance – One Approach to an Effective Transition
Access COSO Guidance and Thought Papers at: www.coso.org and click on ‘guidance’
Protiviti Resources on COSO 2013
4. The Updated COSO Internal Control Framework: Frequently Asked Questions
5. Guide to the Sarbanes-Oxley Act: Internal Control Reporting Requirements – Frequently Asked Questions Regarding Section 404
6. Guide to the Sarbanes-Oxley Act: IT Risks and Controls
7. Board Perspectives: Risk Oversight - COSO 2013: Why Should You Care
Source: http://www.protiviti.com/en-US/Pages/Resource-Guides.aspx