fraud risk assessment: think like a ‘demon’ & add ia value
DESCRIPTION
The Institute of Internal Auditor Los Angeles Chapter. Annual Fraud Conference. Fraud Risk Assessment: Think Like a ‘Demon’ & Add IA Value. April 10, 2013 2:30p – 3:30p. Mark P. Ruppert CPA, CIA, CISA, CHFP, CHC Director, Internal Audit (CAE). Fraud Risk Assessment. - PowerPoint PPT PresentationTRANSCRIPT
Fraud Risk Assessment: Think Like a ‘Demon’ & Add IA Value
April 10, 20132:30p – 3:30p
Mark P. Ruppert CPA, CIA, CISA, CHFP, CHC
Director, Internal Audit (CAE)
The Institute of Internal Auditor Los Angeles Chapter
Annual Fraud Conference
Fraud Risk Assessment IA Perspective on Fraud Risk
Why Care? Why Consider Fraud Risk?
What is Fraud Risk?
Engaging Management in the Fraud Risk Discussion:• Fraud Risk Assessment• ‘Angels & Demons’ Data Collection Exercise
Incorporating Fraud Risk into Internal Audit Work Plans
Addressing Fraud Risk on an Ongoing Basis and in Individual Audits
2
IA Perspective on Fraud Risk
Why Care? Why Consider Fraud Risk?
What is Fraud Risk?
Engaging Management in the Fraud Risk Discussion:• Fraud Risk Assessment• ‘Angels & Demons’ Data Collection Exercise
Incorporating Fraud Risk into Internal Audit Work Plans
Addressing Fraud Risk on an Ongoing Basis and in Individual Audits
IA’s Perspective: Fraud Risk
Heightened Risk & Challenge:
• IIA professional standards
• Ever increasing legal & compliance requirements
• Management and Board expectations
• High risk environment for fraud, corruption & abuse
• Ever increasing ingenuity on the part of fraudsters
Huge IA Opportunity:
• Get a better sense of management intuition around fraud matters
• Improve organization’s financial performance
• Protect brand value and professional reputation
• Mitigate criminal, regulatory and civil legal risk
• Enhance IA prestige/relevance
3
4
Fraud Risk AssessmentWhy?
Federal Sentencing Guidelines require that
compliance programs:
• address specific areas of potential fraud• use audits and/or other risk evaluation techniques to monitor compliance and assist in the reduction of identified problem areas
Effective 11/2004 = USSG amended to provide greater guidance regarding compliance program criteria for an effective program to prevent and detect violations of the law:
(USSC Guidelines Manual §8B2.1. Effective Compliance and Ethics Program)
(a)(1) exercise due diligence to prevent and detect criminal conduct
(a)(2) otherwise promote an organizational culture that encourages ethical conduct and a commitment to compliance with the law– (b)(1)Establish standards and procedures to prevent and detect
criminal conduct
(c) periodically assess the risk of criminal conduct and take appropriate steps to…..to reduce the risk of criminal conduct identified
United States Sentencing Guidelines (USSG)
Fraud Risk AssessmentWhy?
5
• Antifraud Programs & Controls Assessment: Must evaluate how organization manages risk (IIA Standard 2120)
• Fraud Risk Assessment: CAE must report periodically to management /board on significant fraud risk exposures (IIA Standard 2060)
• Individual Audits: Must consider fraud when developing engagement objectives (IIA Standards 1220, 2210)
• Proficiency: Evaluate the risk of fraud & the manner in which it is managed by the organization (IIA Standard 1210)
Like Compliance Professionals, Internal Audit Professionals must also address fraud risk…
IIA Standards and Fraud Practice Guide Emphasize Internal Audit’s Role in Addressing Fraud
Fraud Risk AssessmentWhy?
6
% of survey respondents hit by fraud in past year = 88%• More “viruses” than “diseases”: under $100M
“Fraudsters’ take” = increased 20% from 2009• Up to $1.4M per $1B sales
Theft of information and electronic data = #1 reported fraud• Overtakes Physical Theft for first time• #3 & #4= Management Conflict of Interest, Vendor/Supplier Fraud
Fear of fraud is dissuading 48% of companies from operating in other countries• China & Africa = most affected (corruption #1 concern)
Companies appear unprepared for heightened FCPA enforcement and lack adequate understanding
• 2005-2009: 60 DOJ cases (more than 1977-2005)• 2010: already 130 open cases
Fraud is largely an inside job• 44% employees, 11% agents/intermediaries
Industry Lens: Fraud Prevalence• Declining: Natural Resources, Construction, Health/Pharma/Bio, Travel,
Manufacturing• Increasing: Financial, Professional Services, Tech/Media/Telecom, Retail, Consumer 7
Look at what companies are saying! -- 2010 Global Fraud Trends** [Source: 2010 Global Fraud Survey – Economist Intelligence Unit/Kroll Consulting (www.kroll.com)]
Fraud Risk AssessmentWhy?
Fraud Risk AssessmentWhy?
• US government admits losing 10% of spending to fraud; US government realizes a $9.75 : 1 on fraud management
• Effective fraud management produces 8:1 ROI for financial services industry
• ACFE estimate: companies lose $1 trillion or 7% of revenue to misconduct
• PwC GECS survey–40% increase in fraud,
before the recession–Controls paradox
• Economist Intelligence Unit:85% of companies detected significant frauds over past 3 years)
–10% suffer >$100 million–Large companies - $23 million–Small companies - $8.2 million average loss
Don’t Forget
Operational & Personal
Impact! 8pwc Fall 2010 IART – Fraud Risk Assessment – 11/4/10
The What: Enhanced enforcement requirements detailed in the reform law = Medicare, Medicaid and CHIP
The Why: • Medicare ‘Improper Payments’ in 2009: 8% of 4.5 million claims per day = $24 Billion• Goal to increase fraud detection and increase certainty of punishment
The Impact: Depending on provider type = more work, more expense, getting personal • Easier for CMS to suspend Medicare payments if credible fraud allegations & to prevent new
enrollments in higher-risk service areas
9
To Address the Impact of Healthcare Reform: Fed Unveils New Plan for Fraud Detection
* [Source: “Cracking Down”, Modern Healthcare – 9/27/10]
Fraud Risk AssessmentWhy?
The When:• Sept 2010: Proposed regs released (all 187 pages of it!)• Sept – Nov 2010: Comment period• March 2011: Implementation
Provider Type Risk CMS TreatmentHospitals, ASC, health centers, medical groups, clinics, physicians, publicly traded providers/suppliers, skilled nursing facilities
Limited Risk
Verify licenses and provider/supplier specific regulatory requirements
O/P Rehab, currently enrolled DME/prosthetics/ortho/supplies providers, currently enrolled home-health agencies & hospice organizations
Moderate Risk
Limited + unscheduled or unannounced site visits
Newly enrolled DME/prosthetics/ortho/supplies providers and home-health agencies
High Risk Moderate + criminal background check & fingerprinting
Now More Than Ever, Compliance & Internal Audit Must Have the Fraud Triangle in Focus!!!
Incentives / Pressures• Loss avoidance
•Job•Money•Prestige
• Dissatisfaction with the company
• Management & 3rd party pressures
• Community relationships• Loss of health coverage• Long term unemployment
Opportunity• Insufficient internal controls
• “Survival” mode• External collaboration• Management over-ride• Internal collaboration
• Corrupt business customs
Rationalization• Job dissatisfaction• Family priorities• Health priorities• “Everybody else” syndrome
• Self-denial of consequences to company
• Temporary loans
If Economic Downturn is the “Perfect Storm” for Fraud and Waste, will an Upturn be Even More Perfect?
10
So, Why Bother?
• Demonstrate you administer an effective Compliance Program and Internal Audit Function by documenting an understanding of how and where fraud might occur.
• Minimize revenue leakage, cut costs, and safeguard assets.
• Safeguard company and employee reputation.
• Avoid and/or reduce criminal, civil and regulatory penalties, should misconduct occur.
• Help avoid/reduce government sanctions
• Increase IA relevance and add value!
It makes good business sense!!
11
Detected Losses QUADRUPLE when
Anti-Fraud Controls are Enhanced!
- pwc 2009 Global Economic Crime Survey
Fraud Risk: Defined / AppliedFraud: (defined)
- Any intentional act committed to secure
an unfair/unlawful gain
Reputational Risk•External and internal impression of the organization
Operational Risk•Loss of earnings or inefficient business operations
Financial Risk•Over statement of revenues, understatement of expenses
Reporting Risk•Non disclosure or false disclosure
Compliance / Legal Risk•Potential criminal, civil or regulatory liability
Strategic Risk•Impact on new products, services, or strategic alliances
“Apply the Fraud Lens to Enterprise Risks”
12
Fraud: (defined)- Any intentional act committed to secure
an unfair/unlawful gain
*
Federal Sentencing Guidelines:
- Intent not required
Fraud Risk: Types and Categories
"Leakage” vs. “Liability” Fraud
Financial Reporting & Disclosure
Manipulation
Unauthorized Receivables / Acquisition of
Assets
Unauthorized Expenses / Disposal of
Assets
Expenditure
Leakage
Misappropriation of Assets
Revenue Leakage
GREEN Fraud = Leakage related activities, that when prevented or detected early, leads to improved financial results
(“Risk Type = “Opportunity” )
RED Fraud = Liability related activities, that if
not prevented, leads to government sanctions, and damage to brand value and reputation of individual members of the Board and senior management
(Risk Type = “Hazard”)
13pwc Fall 2010 IART – Fraud Risk Assessment – 11/4/10
Fraud Risk Types: “Leakage”Expenditure Leakage
Financial Reporting & Disclosure
Manipulation
Unauthorized Receivables / Acquisition of
Assets
Unauthorized Expenses / Disposal of
Assets
Expenditure
Leakage
Misappropriation of Assets
Revenue Leakage
Illustrations: • Orders from fictitious vendor• Kickbacks in return for allowing
supplier to inflate price• Advertiser charges for
advertising not delivered• Vendors/contractors charge for
work not performed • “Double dips” on p-card and
credit card• Salesperson obtains
reimbursement for fictitious travel expenses
14pwc Fall 2010 IART – Fraud Risk Assessment – 11/4/10
Fraud Risk Type: “Liability”Unauthorized Expenses / Disposal of Assets
Financial Reporting & Disclosure
Manipulation
Unauthorized Receivables / Acquisition of
Assets
Unauthorized Expenses / Disposal of
Assets
Expenditure
Leakage
Misappropriation of Assets
Revenue Leakage
Illustrations: • Payments to public officials for
permits or patents• Payments to public officials for
patents• Gifts to public officials to evade
taxes• Payments to agents to facilitate
sales• Illegal disposal of goods/waste
15pwc Fall 2010 IART – Fraud Risk Assessment – 11/4/10
Fraud Risk Assessment• A comprehensive fraud risk assessment (FRA) is critical to the
effectiveness of an organization’s overall antifraud programs and controls.
• An FRA expands upon traditional risk assessment. It is scheme and scenario based.
• The assessment considers the various ways that fraud and misconduct can occur by and against the company.
• The execution of the assessment requires: oInternal Audit to:
“Think out of the box”! Get creative and get out into/work with the business!
oManagement to: Be participative in the process Openly share schemes, scenarios, concerns, events Reinforces risk and the control ownership!
16
Fraud Risk Assessment: A Five Component Process
Planning and Obtaining Senior Management Support and Sponsorship
Update Audit Risk Universe
Integrate into Audit Plan
Assess Antifraud Programs and Controls against PwC Framework
Inventory of High Impact Scenarios & Evaluate Existing Response
17
Practical Execution – Theory to Practice:–Approach–Challenges–Benefits–Lessons learned
pwc Fall 2010 IART – Fraud Risk Assessment – 11/4/10
Inventory of High Impact Scenarios & Evaluate Existing Response
Planning and Obtaining Senior Management Support and Sponsorship
Update Audit Risk Universe
Integrate into Audit Plan
• Assemble team• Consider scope and objectives
Overall antifraud program assessment Categories of fraud and depth within organization Controls evaluation Risk response Use and sustainability
• Design process Format of deliverable (e.g., PwC template) Organize by business unit, function, geography or
combination Role and interviews of management Sustainability
Assess Antifraud Programs and Controls against PwC Framework
Identifying Significant Fraud Risk Exposures: Planning
Cedars-Sinai Plan:• Board and senior management support
built into internal audit plan and compliance work plan development and approval processes.
• Combined Internal Audit and PwC resources including PwC SMEs in key areas.
• Initial Internal Audit Team fraud risk discussion for full day.
• Second phase, facilitated sessions with key director-level groups.
• Roll results into annual planning processes and individual project processes for ongoing update.
Inventory of High Impact Scenarios & Evaluate Existing Response
18pwc Fall 2010 IART – Fraud Risk Assessment – 11/4/10
Planning and Obtaining Senior Management Support and Sponsorship
Update Audit Risk Universe
Integrate into Audit Plan
• Vitally important that senior management embrace and sponsor the assessment
• Senior management ideally would communicate to middle management the importance of the initiative (drafted by IA or Compliance)
• Recommend an initial meeting with C-suite representatives to: Explain business benefits of FRA process Obtain their perspective of high impact
monetary, compliance and financial reporting fraud risks
Seek input regarding making process efficient and effective
Assess Antifraud Programs and Controls
Inventory of High Impact Scenarios & Evaluate Existing Response
Identifying Significant Fraud Risk Exposures: Gaining Senior Management Sponsorship
Cedars-Sinai C-Suite Buy-In:• Internal Audit Planning and Compliance
Work Plan processes involve the C-suite for input on risk and project selection.
• Plans are approved by C-suite.• Plans presented to Audit Committee for
review, input and approval.• Plans presented to Board for review, input
and approval.Formal meeting C-Suite meeting not held
relative to kick off.
19pwc Fall 2010 IART – Fraud Risk Assessment – 11/4/10
Planning and Obtaining Senior Management Support and Sponsorship
Update Audit Risk Universe
Integrate into Audit Plan
• Begin with high level assessment of how organization manages fraud risk (e.g., PwC Antifraud, Corruption and Misconduct Assessment Tool)
Self-Evaluation:“Where are we as an organization?”
• Conductvalidation procedures as needed
Assess Antifraud Programs and Controls
Inventory of High Impact Scenarios & Evaluate Existing Response
Identifying Significant Fraud Risk Exposures: Evaluating Antifraud Program & Controls
Cedars-Sinai Assessment: •Internal Audit Team Assessment•PwC Tool•Overall Assessment Results:
Corporate Fraud PolicyCoordinated Investigation ResourcesConsistency in Criminal Prosecution
and Employee Discipline DecisionsHigh Level Fraud Risk & Individual
Audit Fraud Risk Considerations
20pwc Fall 2010 IART – Fraud Risk Assessment – 11/4/10
Identifying Significant Fraud Risk Exposures: PwC Anti-Fraud Assessment Tool
21
Element Criteria Leading Practice Generally In Compliance Sub-Standard Description of Existing Policies and Procedures Discussion Points
Management Accountability The organization should: (1) promote an organizational culture that encourages ethical conduct and a commitment to compliance with the law, and (2) exercise due diligence to prevent and detect fraud, corruption, and other misconduct,(3) implement effective programs and controls intended to prevent, detect and respond to fraud, corruption and misconduct.
The organization:(1) demonstrates a strong "tone at the top" that flows up and down and across the organization,(2) views mitigating fraud, corruption and misconduct as a core responsibility, (3) has management participate actively in the fraud, corruption and misconduct risk and controls assessment, (4) ensures that all suspected allegations of misconduct are independently investigated, and (5) takes appropriate, consistent remediation action in instances of violations.
The organization takes sufficient actions with respect to prevention, detection, investigation, remediation, and monitoring of fraud, corruption and misconduct.
Taken as a whole, the organization fails to take sufficient action to prevent and detect high impact fraud, corruption and misconduct; and/or management does not:(1) view mitigating fraud, corruption and misconduct as a core responsibility, (2) participate in the fraud, corruption and misconduct risk and controls assessment, or(3) take appropriate, consistent remediation action in instances of violations.
(1) Describe the actions taken by the organization to promote a culture that encourages ethical conduct.- Corporate Compliance Function and Policies- Code of Conduct- New Manager Orientation training that includes Corporate Compliance and Internal Audit Presentations- New Employee Orientation that includes review of code of conduct and compliance plan.- Hot line- Media Response promoting acknoweldgement, apology and corrective action as applicable.- CEO who's mantra is "do the right thing"
Control Environment
Operations, Finance and Other "Front Line" Personnel
Operations, finance and other "front line" personnel should be equipped with the appropriate knowledge, skills and tools to prevent, detect, and respond to fraud, corruption and abuse.
Operations and finance personnel acknowledge their responsibilities and are equipped with and apply knowledge, skills and tools to: (1) identify significant misconduct risks impacting their component of the organization, (2) tailor control activities to mitigate the risk, and (3) detect and report indications of misconduct.
Operations and finance personnel acknowledge responsibility for preventing, detecting and responding to fraud, corruption and misconduct.
Operations and finance personnel view other functions, e.g., legal, compliance, internal audit, as owning responsibility for presenting and detecting fraud, corruption and misconduct.
(1) Describe the actions taken by the organization to cultivate a culture that curbing fraud, corruption and misconduct is every employee's responsibility. (2) Describe actions to equip front line personnel with necessary knowledge, skills and tools to identify, prevent, detect and respond to fraud, corruption and misconduct.
pwc Fall 2010 IART – Fraud Risk Assessment – 11/4/10
Predicting the Unpredictable is Key!!
Think Like A Criminal When Assessing the Risk of Fraud, Corruption & Abuse!
What would happen if a criminal were a XYZ vendor or customer?
How would a criminal manage your XYZ business unit?
What if a criminal were hired as a XYZ associate?
22
What if a trusted employee begins to think like a criminal?
Planning and Obtaining Senior Management Support and Sponsorship
Update Audit Risk Universe
Integrate into Audit Plan
• Create a list of inherent fraud risks Inventory of common and sector specific fraud
and abuse scenarios by selected process areas Past allegations, suspicions and investigations Industry research of frauds at other companies,
organizational vendors, customers, etc Brainstorming among business, compliance,
internal audit and fraud experts Operational, design and other deficiencies
identified during business reviews, compliance monitoring activity and internal and external audits
Assess Antifraud Programs and Controls
Inventory of High Impact Scenarios & Evaluate Existing Response
Identifying Significant Fraud Risk Exposures: Create “Straw” Schemes List: “the What”
Cedars-Sinai Inventory: • Upcoding; Claims for Services not
Provided; A/R & Rate Manipulation / Outliers
• Theft: Radiology Incident; Heparin Incident; EMTALA
• Bribery: Siemens – 2008 global fraud
• Imaging Room; Chillers; Data Manipulation; Vendor Relationships
• Look at potential impact of identified control deficiencies; broken processes; significant hand-off requirements, etc.
23pwc Fall 2010 IART – Fraud Risk Assessment – 11/4/10
Planning and Obtaining Senior Management Support and Sponsorship
Update Audit Risk Universe
Integrate into Audit Plan
• Determine Fraud Risk Classifications i.e. - Revenue, Expenditure, Reporting
• Take your fraud risks and think/discuss HOW they could occur
Think SCHEMES and SCENARIOS!Get creative!Never mind controls!!Utilize group facilitation sessions!Create your master Gross Risk list
Assess Antifraud Programs and Controls
Inventory of High Impact Scenarios & Evaluate Existing Response
Identifying Significant Fraud Risk Exposures: Create “Straw” Schemes List: “the How”
CSHS: practical application and lessons learned • Fraud classifications: Revenue,
Expense or Reporting Impact• Brainstorm scenarios by organizational
lines of authority and three impact areas
• Director and Manager Level Focus Group Discussions; decision of with/without VP’s
• Angels and Demons!!• Scribe
24pwc Fall 2010 IART – Fraud Risk Assessment – 11/4/10
Planning and Obtaining Senior Management Support and Sponsorship
Update Audit Risk Universe
Integrate into Audit Plan
• Narrow list to capture high impact vulnerabilities Consider likelihood Qualitative and quantitative impact, as well as, direct
and indirect consequences Establish thresholds (risk tolerance) to measure
impact on reputation, operations, financial, legal, compliance, and strategic objectives
• Consider the design of existing controls Consider whether existing processes and controls
are able to withstand intentional misconduct Examine incentives pressures and opportunities to
collude, circumvent and override
Assess Antifraud Programs and Controls
Inventory of High Impact Scenarios & Evaluate Existing Response
Identifying Significant Fraud Risk Exposures:Narrow to Significant Residual Risks
CSHS: practical application and lessons learned • Two Hour facilitated Sessions
Necessary for: Schemes Likelihood & Impact Controls
• Director/Manager but not both• Scribe• Focus on Schemes (how it’s done –
criminal perspective)• Common beliefs / identified schemes
across sessions
25pwc Fall 2010 IART – Fraud Risk Assessment – 11/4/10
26
Identifying Significant Fraud SchemesBrainstorming Exercises!!
Angels: Recommend & Evaluate Anti-fraud Controls
Demons : Identify Potential Fraud Schemes
“Angels & Demons”Select a Business Area: i.e.- Hospital Admissions
How it can happen!
Why it won’t!
Schemes Impact/LikelihoodControls
pwc Fall 2010 IART – Fraud Risk Assessment – 11/4/10
27
Identifying Significant Fraud SchemesBrainstorming Exercises!!
Demons - Identify Potential Fraud Risks & Schemes
This is how it can
happen!
pwc Fall 2010 IART – Fraud Risk Assessment – 11/4/10
This is how I would do it
son…
“Angels & Demons”
28
Identifying Significant Fraud SchemesBrainstorming Exercises!!
If you did, I would know because…
pwc Fall 2010 IART – Fraud Risk Assessment – 11/4/10
Sorry, partner- it ain’t gonna
happen…
“Angels & Demons”
Angels - Recommend & Explain Anti-fraud Controls
Planning and Obtaining Senior Management Support and Sponsorship
Update Audit Risk Universe
Integrate into Audit Plan
• Entity level of assessment = very limited business value • Assessment needs to be conducted and tailored to
individual business units/functions, particularly in high risk markets; focus on both internal and external risks
• Tailored assessments & group facilitation sessions simultaneously reinforce that management “owns” risk
• Hold focus groups of management & staff to tailor inventory
• Meet and validate results with business unit leaders
• Capture assessment for senior management and board- Self Assessment; A&D Results (Gross & Residual
risk); discuss Risk Tolerance; plans to update universe
Assess Antifraud Programs and Controls
Inventory of High Impact Scenarios & Evaluate Existing Response
Identifying Significant Fraud Risk Exposures:Tailor to Business Units & Functions
CSHS: practical application and lessons learned • Provide fraud
background/concepts• Business units – positive
response to facilitate sessions and Angels and Demons; engage audience
• Lot’s of Aha’s and Really?’s in sessions
• Positive comments from Senior Mgmt!
• Entity Level Assessment – Proof remains to be seen.
29pwc Fall 2010 IART – Fraud Risk Assessment – 11/4/10
Planning and Obtaining Senior Management Support and Sponsorship
Update Audit Risk Universe
Integrate into Audit Plan
• Based upon final listing of scenarios update audit risk universe for key risk factors and indicators
• Refine any pre-existing audit risks based upon additional risk assessment procedures
• Incorporate into annual update process of audit and/or compliance risk universe
Assess Antifraud Programs and Controls
Inventory of High Impact Scenarios & Evaluate Existing Response
Identifying Significant Fraud Risk Exposures:Update Internal Audit Risk Universe
CSHS: practical application and lessons learned • If not already categorized in your
risk universe, add category or metadata for easy identification
• Refining can be time consuming• Annual update development in
progress, to be completed through: Improved annual interviewing Individual Audit Capture
Complete redevelopment of risk model using TeamMate in progress
30pwc Fall 2010 IART – Fraud Risk Assessment – 11/4/10
• Evaluate whether any current year audits should be updated based on new risk universe
• Determine appropriate way to keep fraud risk assessment process evolving rather than static As new investigations or industry trends
occur Automated controls are added into
environment
Planning and Obtaining Senior Management Support and Sponsorship
Update Audit Risk Universe
Integrate into Audit Plan
Assess Antifraud Programs and Controls
Inventory of High Impact Scenarios & Evaluate Existing Response
Identifying Significant Fraud Risk Exposures: Integrate into Audit Plan
CSHS: practical application and lessons learned • In addition to current year
updates, could identify new priority audits
Annual interviewing Individual audits Possible facilitate session
repeats Integrate into individual audit
plans as well by already having the risk scenarios to consider
31pwc Fall 2010 IART – Fraud Risk Assessment – 11/4/10
Integrating Fraud Risk Into Individual Compliance and Audit Engagements:
•Planning
Brainstorming among team and forensics Past incidents Past audits and business reviews Management inquiries Industry research Tailor procedures
• Execution Design and operating effectiveness of
existing response Consider need for substantive testing
•Execution (cont’d) Fraud risk factors & indicators Analytics - - not just ACL Interview, interview, interview!!
• Completion Documentation is essential Identify planning and how audit
tailored
32
Close the Loop!Use findings to strengthen controls,
develop & deliver education/awareness to process
owners & mgmt!
pwc Fall 2010 IART – Fraud Risk Assessment – 11/4/10
Creating Value While Meeting Fraud Standards
Raising Auditor Fraud Proficiency
• Knowledge Scheme components Preventive & detective controls Key risk factors & indicators Detection procedures Operations knowledge
• Skills Critical thinking! Scheme and scenario risk assessment Assessing how organization manages
risk Devising fraud audit procedures Forensic investigation Interviews Use of electronic data tools Working ‘with’ the business!
33
Raising Management AwarenessIn addition to scheme discussions and fraud risk identification, management is
also getting interactive awareness training
pwc Fall 2010 IART – Fraud Risk Assessment – 11/4/10
Creating Value While Meeting Fraud Standards
Antifraud Tools of a Highly Equipped Compliance and/or Internal Audit Function
• Specialized fraud examiners on staff
• Antifraud training for staff
• Investigative training for staff• Use of Computer Assisted Audit Techniques to promote fraud detection• Focused fraud risk assessment with inclusion of functional management
and employees of all levels• Direct and regular interaction with senior management and audit
committee
• Use of specific and targeted fraud audit techniques – SAS 99
• Can lead and/or support investigation and/or remediation efforts
34pwc Fall 2010 IART – Fraud Risk Assessment – 11/4/10
Other Activities Compliance and/or IA Departments are Taking to Deliver Value
• Equip front line to serve as an effective first line of defense; fraud education!!
• Conduct a “good” fraud risk assessment pilot at a high risk entity to develop a sustainable and repeatable process
• Expand FCPA and other compliance reviews to identify opportunities to cut revenue leaks, cut costs and safeguard assets
• Form a “fraud council” comprised of key business and corporate stakeholders
• Host a “perfect crime” dinner and/ or facilitate “angels v. demons” exercise for management, internal audit and/or compliance
• Create on-line or live interactive learning modules tailored to specific functions, e.g., procurement, sales, controllers
Creating Value While Meeting Fraud Standards
35pwc Fall 2010 IART – Fraud Risk Assessment – 11/4/10
Perspectives From IA Industry Leaders*
“ I currently see a lot more management awareness of the possibility of fraud, which in turn is causing a lot more people to come forward and ask Internal Auditing, ‘Is this right?, Is this appropriate?’’ --Richard Schmidt, Vice President of Internal Audit, Del Monte Foods
Creating Value While Meeting Fraud Standards
36
“ It is management’s responsibility to institute, establish and monitor controls and uncover fraudsters. Internal Auditing’s job is to encourage management to undertake what is necessary and then provide assurance to the audit committee that management is getting it right.”
--Douglas Anderson, former Corporate Auditor, The Dow Chemical Co.
“ Internal auditing is often the only proactive source of fraud detection that management has. Auditors are out there looking for indicators of fraud during every engagement they conduct; no one else in the organization plays this vital role.”
--Kim Hatley, Assistant VP of Internal Audit, Hospital Corporation of America (HCA)
* [Source: Internal Auditor magazine, October 2010]
IIA - San Gabriel Valley Chapter: 2010 Fraud Symposium, 11/1/10
37
Mark P. Ruppert, CPA, CIA, CISA, CHFP, CHC
Director, Internal AuditConflict of Interest AdministratorCedars-Sinai Health SystemLos Angeles, California323-866-6900 office323-866-6901 [email protected]
Don’t be this guy!
Stamp out…
?