fraud risk assessments - wsuccess.com

FRAUD RISK ASSESSMENTS: ARE WE ASSESSING THE RIGHT RISKS? October 16, 2012 © 2012 Crowe Horwath LLP Audit | Tax | Advisory | Risk | Performance


Your Presenter

Jonathan Marks CPA/CFF/CITP, CFE

• Partner in Risk business unit, Crowe Horwath LLP
• National leader of fraud, ethics, anti-corruption practice
• Formerly with PricewaterhouseCoopers and a national consulting practice
• More than 24 years' experience
• Chief Audit Executive at several public companies
• Lecturer, teacher, researcher, author

Disclaimer, Trademark, & Copyright Notice

The views expressed herein may not necessarily reflect those of Crowe Horwath LLP. Thus, Crowe Horwath LLP is not, by means of this presentation, rendering business, accounting, legal advice, or other professional advice or services.

This presentation is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional. Crowe Horwath LLP, its affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication.

All materials including but not limited to graphics, photographs, and text appearing in this presentation are protected by copyright.

We endeavor to give attribution to materials used by other professionals and their respective organizations.

Should we mention your company’s name, we do so for learning purposes only, and there is no intent to disparage the company or any individuals.

Reproduction or redistribution in any form is strictly prohibited.

Never Put the Game in the Hands of the Referees!

Key Goal for Today

Developing a Process to Identify the Right Risks

FRAUD AND ANTI-FRAUD OVERVIEW

Components of fraud

• Act or actions that can be internal or external (fraud schemes)
• Concealment (deception or deflection)
• Conversion

Crowe’s Anti-Fraud Framework

Polling Question 1

For fraud risks to be effectively managed, they must first be identified using a formal risk assessment.

True or False?

CORPORATE GOVERNANCE

Refresh on Corporate Governance

Corporate governance is the systems and processes an organization has in place to protect the interests of its diverse stakeholder groups, e.g., shareholders, employees, customers, vendors, community, etc.

Board of Directors & Committees

• Clarifies the direction and values of the Organization
• Oversees performance of the organization
• Protects stakeholder interests

Challenge

Each Organization needs to have a solution that takes its unique market and growth incentives into account to deter misaligning the entity’s goals and mission with more aggressive and potentially fraudulent behavior.

[Framework diagram: Board of Directors & Committees; Enterprise Risk Management; Legal & Regulatory; Monitoring; Business Practices & Ethics; Disclosure & Transparency; Communication & Trust]

Legal & Regulatory

• Provides guidance on legal and regulatory matters to the business and stakeholders
• Coordinates regulatory responses

Challenge

Maintaining an understanding of the compliance requirements for reporting suspicious or fraudulent activity in the entity’s dynamic regulatory environment.

Business Practices & Ethics

• Targets integrity risks to the organization
• Emphasizes clear and well-defined business practices
   – Corporate governance policies
   – Business strategy
   – Business processes & procedures
   – Performance goals & measures
   – Compensation systems
   – Human resource policies &

Challenge

Establishing Ethical Business Practices that keep up with the expectations of stakeholders and assist to deter fraud.

10-80-10

[Chart: 10 Unethical | 80 Situational Ethical | 10 Ethical]

Disclosure & Transparency

• Emphasizes understandability, relevance, reliability, comparability of information for stakeholders
• Provides stakeholders as much relevant information as possible without compromising competitive advantage

Challenge

Ensuring that stakeholders receive the appropriate level of information they need in an understandable way to evidence the entity’s approach to fraud deterrence and detection.

Enterprise Risk Management

• Emphasizes managing risks across the enterprise using common methods and processes
• Advocates integrating risk management functions to improve performance, becoming more cost effective and strategic over time

Challenge

Aligning risk management practices with anti-fraud measures.

Monitoring

• Advocates continuous improvement in governance processes through monitoring, e.g., corporate governance audits
• Coordinates monitoring activities:
   – Internal Audit
   – Regulatory Compliance
   – Board Self-Assessment
   – Legal/In-house Counsel
   – Internal Reporting
   – Ethics Officer/Function

Challenge

Coordinating multiple fraud monitoring procedures, both internal and external, across the organization to cover all appropriate areas.

Communication & Trust

• Communication is valuable and includes clarifying information, timely delivery, and multiple correspondence channels.
• Advocates two-way dialogue throughout the organization.
• Functions as the “HUB” of Corporate Governance by assisting in moving and improving Corporate Governance over time.
• Trust in people and information.
• Includes both character (integrity and intent) and competence (capabilities and results)

Challenge

Finding ways to improve fraud awareness between all stakeholders and the various components of the Corporate Governance Framework.

Crowe’s Corporate Governance Framework

• Board of Directors & Committees
• Enterprise Risk Management
• Legal & Regulatory
• Monitoring
• Business Practices & Ethics
• Disclosure & Transparency
• Communication

DEVELOPING A BEST IN CLASS FRAUD RISK ASSESSMENT

Getting Started

– Who Should be Involved?
   • Executive Management
   • Audit Committee
   • Key Line Management
   • External and Internal Audit
   • Compliance & Legal
– Develop a common lexicon. What does the term “red flag” mean?
– Evaluate the Culture & Environment
– Communicate! Communicate! Communicate!

Polling Question 2

A fraud risk assessment is a process aimed at proactively identifying and addressing vulnerabilities to both internal and external fraud.

True or False?

Typical Fraud Risk Assessment

– Step 1 – Evaluate Fraud Risk Factors
– Step 2 – Identify Possible Fraud Schemes and Scenarios
– Step 3 – Analyze / Prioritize Identified Fraud Risks
– Step 4 – Evaluate Mitigating Controls

Polling Question 3

• Can anti-fraud controls be correlated with significant decreases in the cost and duration of occupational fraud schemes?

Yes or No?

New Recipe!

• Culture & Environment
• Schemes/Acts (Brainstorming or One-on-one)
• Concealment Strategies
• Conversion Methods
• Red Flags
   – Data
   – Documents
   – Lack of Controls
   – Behavior

Link and label all (internal and external):

• Risks
• Process(es)
• Application(s)/Technology
• Location(s)
• People
• Third Party Agents
• Account(s)

When identifying fraud schemes, consider the company's strategic plan. Why? Management might do whatever it takes to achieve the desired results!

…books and records don’t commit fraud, people do!

Joseph T. Wells

Link People to Controls or Actions

New Recipe - Continued

• Impact and likelihood
• Inherent Risk
• Residual Risk

Controls

Profiling in the Fight Against Fraud

[Diagram labels: Comprehensive Profile; Type; Element or Trait; Actions]

Source: Dan Korem

Possible Profile: White-collar criminal

RANDOM ACTOR

Predictable – Unpredictable
Confident – Fearful

• Hot-tempered
• Egocentric
• Deceptive
• Secretive
• Moody
• Without a conscience
• Anxious

SALESPERSON

Control – Express
Ask – Tell

• Passionate
• Outgoing
• Friendly

Focus on “Gatekeepers” and “Random Actors” and their associates

Dashboards as a Tool for Identifying Fraud Risk and On-going Monitoring

• Example – Establish Ratio Criteria

Fraud Risk Assessment

– The assessment should delve into the specific lines of the business of the institution. The business unit review is more operational and focused on the specific prevention and detection techniques in place for the area.
– During the assessment for each individual area, the following should be considered:
   • Fraud loss history
   • External fraud schemes
   • Fraud Red Flags

– Identifying and Categorizing Red Flags
   • What is a ‘Red Flag’?
      – An observable event or action that links to a concealment strategy.
   • The existence of one or more red flag items does not necessarily mean that fraud exists. These are indicators that fraud might exist, and the area or issue may warrant further attention.
   • Categories
      – Data
      – Documents
      – Controls
      – Behavior

– Data Red Flags
   • Unusual timing of the transaction. This includes the time of day, the day of the week, or the season.
   • Frequency of transactions. Transactions that are occurring too frequently or not frequently enough are suspicious. Each organization has its own operating patterns, and the transactions should be booked accordingly.
   • Unusual amounts recorded. Take notice of whether an account has many large, round numbers entered. Consider whether some of the transactions in the account are far too large or far too small.
   • Questionable parties involved. Should the organization be paying an outside party? Is a payment being made to a related party? Is the company paying large sums to a vendor whose name is not easily recognizable?
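The four data red flags above, expressed as checks over a ledger (an added example, not part of the original presentation). The sample transactions, the approved-vendor list and every threshold are constructed assumptions; a hit is an indicator that warrants further attention, not proof of fraud.

```python
from collections import Counter
from datetime import datetime
from statistics import median

# Constructed sample ledger: (id, ISO timestamp, vendor, account, amount)
LEDGER = [
    ("T1", "2012-10-01T10:15", "Acme Supply", "6100", 1243.17),
    ("T2", "2012-10-02T14:40", "Acme Supply", "6100", 987.50),
    ("T3", "2012-10-03T09:05", "Acme Supply", "6100", 1310.02),
    ("T4", "2012-10-06T23:50", "Acme Supply", "6100", 1100.49),   # Saturday night
    ("T5", "2012-10-08T11:00", "QX Holdings", "6100", 25000.00),  # unknown vendor
    ("T6", "2012-10-09T10:00", "Bolt Freight", "6100", 1150.75),
    ("T7", "2012-10-09T10:20", "Bolt Freight", "6100", 1149.10),
    ("T8", "2012-10-09T10:45", "Bolt Freight", "6100", 1151.30),
    ("T9", "2012-10-09T11:10", "Bolt Freight", "6100", 1148.95),
]
APPROVED_VENDORS = {"Acme Supply", "Bolt Freight"}  # assumed vendor master

# Assumed thresholds; each organization derives these from its own patterns.
BUSINESS_HOURS = range(7, 19)   # 07:00 to 18:59
MAX_PER_VENDOR_PER_DAY = 3
ROUND_UNIT = 1000
SIZE_FACTOR = 10                # 10x above or below the account median


def data_red_flags(ledger, approved_vendors):
    """Return {transaction id: sorted list of red-flag labels}."""
    rows = [(tid, datetime.fromisoformat(ts), vendor, acct, amt)
            for tid, ts, vendor, acct, amt in ledger]
    per_day = Counter((vendor, ts.date()) for _, ts, vendor, _, _ in rows)
    by_account = {}
    for _, _, _, acct, amt in rows:
        by_account.setdefault(acct, []).append(amt)
    medians = {acct: median(vals) for acct, vals in by_account.items()}

    flags = {}
    for tid, ts, vendor, acct, amt in rows:
        found = set()
        # Unusual timing: weekend or outside business hours.
        if ts.weekday() >= 5 or ts.hour not in BUSINESS_HOURS:
            found.add("timing")
        # Frequency: too many payments to one vendor on one day.
        if per_day[(vendor, ts.date())] > MAX_PER_VENDOR_PER_DAY:
            found.add("frequency")
        # Unusual amounts: large round numbers, or far from the account norm.
        if amt >= ROUND_UNIT and amt % ROUND_UNIT == 0:
            found.add("round_amount")
        if amt > medians[acct] * SIZE_FACTOR or amt < medians[acct] / SIZE_FACTOR:
            found.add("amount_size")
        # Questionable parties: payee missing from the vendor master.
        if vendor not in approved_vendors:
            found.add("party")
        if found:
            flags[tid] = sorted(found)
    return flags
```
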

– Document Red Flags
   • Missing or Altered Documents
   • Evidence of backdating documents
   • No original documents available
   • Documents that conflict with one another
   • Questionable or missing signatures on documents

– Control Red Flags
   • Lack of controls in general
      – Unwillingness to remediate gaps
      – Poor “Tone from the Top”
   • Segregation of duties (excuse!)
   • Management does not have a clear position about conflicts of interest
   • Lax rules regarding authorization of transactions
   • Untimely reconciliation of, or failure to reconcile, accounts

– Behavior Red Flags
   • Rationalization and observed changes of contradictory behavior and past behavior patterns
   • Lack of stability
   • Inadequate income for lifestyle
   • Resentment of superiors and frustration with job
   • Emotional trauma in home or work life
   • Undue family, company or community expectations

[Chart: 10 Unethical | 80 Situational Ethics | 10 Ethical]

CLOSING THOUGHTS

Be Alert to Crisis Situations, or Constant Fire Drills

Polling Question 4

The vast majority, over 75%, of all frauds were committed by individuals working in one of six departments: accounting, operations, sales, executive/upper management, customer service and purchasing?

True or False?

For More Information, Contact:

Jonathan Marks
Partner & Leader of the Fraud, Ethics, & Anti-Corruption Practice
Mobile: 267.261.4947
Office: 212.572.5576
@jtmarkscpa
http://www.linkedin.com/in/jonathantmarks