fraud risk assessments - wsuccess.com
TRANSCRIPT
FRAUD RISK ASSESSMENTS: ARE WE ASSESSING THE RIGHT RISKS?
October 16, 2012
© 2012 Crowe Horwath LLP Audit | Tax | Advisory | Risk | Performance
Your Presenter
Jonathan Marks CPA/CFF/CITP, CFE
• Partner in Risk business unit, Crowe Horwath LLP
• National leader of fraud, ethics, anti-corruption practice
• Formerly with PricewaterhouseCoopers and a national consulting practice
• More than 24 years' experience
• Chief Audit Executive at several public companies
• Lecturer, teacher, researcher, author
Disclaimer, Trademark, & Copyright Notice
The views expressed herein may not necessarily reflect those of Crowe Horwath LLP. Thus, Crowe Horwath LLP is not, by means of this presentation, rendering business, accounting, legal advice, or other professional advice or services.
This presentation is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional. Crowe Horwath LLP, its affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication.
All materials including but not limited to graphics, photographs, and text appearing in this presentation are protected by copyright.
We endeavor to give attribution to materials used by other professionals and their respective organizations.
Should we mention your company’s name, we do so for learning purposes only, and there is no intent to disparage the company or any individuals.
Reproduction or redistribution in any form is strictly prohibited.
Never Put the Game in the Hands of the Referees!
Key Goal for Today
Developing a Process to Identify the Right Risks
FRAUD AND ANTI-FRAUD OVERVIEW
Components of fraud
• Act or actions that can be internal or external (fraud schemes)
• Concealment (deception or deflection)
• Conversion
Crowe’s Anti-Fraud Framework
Polling Question 1
For fraud risks to be effectively managed, they
must first be identified using a formal risk
assessment.
True or False?
CORPORATE GOVERNANCE
Refresh on Corporate Governance
Corporate governance is the systems and processes an organization has in place to protect the interests of its diverse stakeholder groups, e.g., shareholders, employees, customers, vendors, community, etc.
Board of Directors & Committees
• Clarifies the direction and values of the Organization
• Oversees performance of the organization
• Protects stakeholder interests
Challenge
Each Organization needs to have a solution that takes its unique market and growth incentives into account to deter misaligning the entity’s goals and mission with more aggressive and potentially fraudulent behavior.
[Diagram: governance framework components: Board of Directors & Committees; Enterprise Risk Management; Legal & Regulatory; Monitoring; Business Practices & Ethics; Disclosure & Transparency; Communication & Trust]
Legal & Regulatory
• Provides guidance on legal and regulatory matters to the business and stakeholders
• Coordinates regulatory responses
Challenge
Maintaining an understanding of the compliance requirements for reporting suspicious or fraudulent activity in the entity’s dynamic regulatory environment.
Business Practices & Ethics
Targets integrity risks to the organization
Emphasizes clear and well defined business practices
Corporate governance policies
Business strategy
Business processes & procedures
Performance goals & measures
Compensation systems
Human resource policies &
Challenge
Establishing ethical business practices that keep up with the expectations of stakeholders and help deter fraud.
10-80-10
[Chart segments: 10 / 80 / 10, labelled Unethical / Situational / Ethical]
Disclosure & Transparency
• Emphasizes understandability, relevance, reliability, comparability of information for stakeholders
• Provides stakeholders as much relevant information as possible without compromising competitive advantage
Challenge
Ensuring that stakeholders receive the appropriate level of information they need in an understandable way to evidence the entity’s approach to fraud deterrence and detection.
Enterprise Risk Management
• Emphasizes managing risks across the enterprise using common methods and processes
• Advocates integrating risk management functions to improve performance, becoming more cost-effective and strategic over time
Challenge
Aligning risk management practices with anti-fraud measures.
Monitoring
• Advocates continuous improvement in governance processes through monitoring, e.g., corporate governance audits
• Coordinates monitoring activities:
– Internal Audit
– Regulatory Compliance
– Board Self-Assessment
– Legal/In-house Counsel
– Internal Reporting
– Ethics Officer/Function
Challenge
Coordinating multiple fraud monitoring procedures, both internal and external, across the organization to cover all appropriate areas.
Communication & Trust
• Communication is valuable and includes clarifying information, timely delivery, and multiple correspondence channels.
• Advocates two-way dialogue throughout the organization.
• Functions as the “HUB” of Corporate Governance by assisting in moving and improving Corporate Governance over time.
• Trust in people and information.
• Includes both character (integrity and intent) and competence (capabilities and results)
Challenge
Finding ways to improve fraud awareness between all stakeholders and the various components of the Corporate Governance Framework.
Crowe’s Corporate Governance Framework
• Board of Directors & Committees
• Enterprise Risk Management
• Legal & Regulatory
• Monitoring
• Business Practices & Ethics
• Disclosure & Transparency
• Communication
DEVELOPING A BEST IN CLASS FRAUD RISK ASSESSMENT
Getting Started
– Who Should be Involved?
• Executive Management
• Audit Committee
• Key Line Management
• External and Internal Audit
• Compliance & Legal
– Develop a common lexicon. What does the term “red flag” mean?
– Evaluate the Culture & Environment
– Communicate! Communicate! Communicate!
Polling Question 2
A fraud risk assessment is a process aimed at
proactively identifying and addressing
vulnerabilities to both internal and external fraud.
True or False?
Typical Fraud Risk Assessment
– Step 1 – Evaluate Fraud Risk Factors
– Step 2 – Identify Possible Fraud Schemes and Scenarios
– Step 3 – Analyze / Prioritize Identified Fraud Risks
– Step 4 – Evaluate Mitigating Controls
Polling Question 3
• Can anti-fraud controls be correlated with
significant decreases in the cost and duration of
occupational fraud schemes?
Yes or No?
New Recipe!
• Culture & Environment
• Schemes/Acts (Brainstorming or One-on-one)
• Concealment Strategies
• Conversion Methods
• Red Flags
– Data
– Documents
– Lack of Controls
– Behavior
Link and label all (internal and external):
• Risks
• Process(es)
• Application(s)/Technology
• Location(s)
• People
• Third Party Agents
• Account(s)
When identifying fraud schemes, consider the company's strategic plan. Why? Management might do whatever it takes to achieve the desired results!
…books and records don’t commit fraud, people do!
Joseph T. Wells
Link People to Controls or Actions
New Recipe - Continued
• Impact and likelihood
• Inherent Risk
• Residual Risk
Controls
Profiling in the Fight Against Fraud
[Diagram: Comprehensive Profile; labels: Type, Element or Trait, Actions. Source: Dan Korem]
Possible Profile: White-collar criminal
Predictable – Unpredictable
Confident – Fearful
• Hot-tempered
• Egocentric
• Deceptive
• Secretive
• Moody
• Without a conscience
• Anxious
Control – Express
Ask – Tell
• Passionate
• Outgoing
• Friendly
RANDOM ACTOR SALESPERSON
Focus on “Gatekeepers” and “Random Actors” and their associates
Dashboards as a Tool for Identifying Fraud Risk and On-going Monitoring
• Example – Establish Ratio Criteria
Fraud Risk Assessment
– The assessment should delve into the specific lines of business of the institution. The business unit review is more operational and focused on the specific prevention and detection techniques in place for the area.
– During the assessment for each individual area, the following should be considered:
• Fraud loss history
• External fraud schemes
• Fraud Red Flags
Fraud Risk Assessment
– Identifying and Categorizing Red Flags
• What is a ‘Red Flag’?
– An observable event or action that links to a concealment strategy.
• The existence of one or more red flag items does not necessarily mean that fraud exists. These are indicators that fraud might exist, and the area or issue may warrant further attention.
Fraud Risk Assessment
– Identifying and Categorizing Red Flags
• Categories
– Data
– Documents
– Controls
– Behavior
Fraud Risk Assessment
– Data Red Flags
• Unusual timing of the transaction.
This includes the time of day, the day of the week, or the season.
• Frequency of transactions.
Transactions that are occurring too frequently or not frequently enough are suspicious. Each organization has its own operating patterns, and the transactions should be booked accordingly.
• Unusual amounts recorded.
Take notice of whether an account has many large, round numbers entered. Consider whether some of the transactions in the account are far too large or far too small.
• Questionable parties involved.
Should the organization be paying an outside party? Is a payment being made to a related party? Is the company paying large sums to a vendor whose name is not easily recognizable?
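Added example (not part of the original presentation): the four data red flags above expressed as checks over a payment ledger, producing a review queue rather than a finding of fraud. The ledger rows, vendor lists, field names and every threshold (business hours, payments per day, what counts as "large round" or "far too large") are constructed assumptions, and only the "too frequent" side of the frequency flag is covered.

```python
from collections import Counter
from datetime import datetime
from statistics import median

# Constructed sample ledger entries (illustrative only, not from the presentation).
TXNS = [
    {"id": "T1", "ts": "2012-10-01 10:15", "vendor": "Acme Supply", "amount": 1843.27},
    {"id": "T2", "ts": "2012-10-06 23:40", "vendor": "Acme Supply", "amount": 2110.05},
    {"id": "T3", "ts": "2012-10-09 14:05", "vendor": "QX Holdings", "amount": 50000.00},
    {"id": "T4", "ts": "2012-10-10 09:30", "vendor": "Delta Freight", "amount": 975.40},
    {"id": "T5", "ts": "2012-10-10 11:00", "vendor": "Delta Freight", "amount": 980.10},
    {"id": "T6", "ts": "2012-10-10 15:45", "vendor": "Delta Freight", "amount": 969.90},
    {"id": "T7", "ts": "2012-10-11 13:20", "vendor": "Northside Consulting", "amount": 1500.00},
]
APPROVED_VENDORS = {"Acme Supply", "Delta Freight", "Northside Consulting"}  # assumed vendor master
RELATED_PARTIES = {"Northside Consulting"}  # assumed related-party register


def data_red_flags(txns, approved, related, max_per_day=2):
    """Return {txn id: [red-flag categories]} for entries that warrant a closer look."""
    parsed = [(t, datetime.strptime(t["ts"], "%Y-%m-%d %H:%M")) for t in txns]
    per_day = Counter((t["vendor"], ts.date()) for t, ts in parsed)
    typical = median(t["amount"] for t in txns)
    flagged = {}
    for t, ts in parsed:
        flags = []
        # Unusual timing: weekend, or outside 07:00-19:00 (assumed business hours).
        if ts.weekday() >= 5 or not 7 <= ts.hour < 19:
            flags.append("timing")
        # Frequency: more payments to one vendor in a day than the assumed norm.
        if per_day[(t["vendor"], ts.date())] > max_per_day:
            flags.append("frequency")
        # Unusual amounts: large round figures, or far above/below the account median.
        large_round = t["amount"] >= 5000 and t["amount"] % 1000 == 0
        if large_round or not typical / 10 <= t["amount"] <= typical * 10:
            flags.append("amount")
        # Questionable parties: payee missing from the vendor master, or a related party.
        if t["vendor"] not in approved or t["vendor"] in related:
            flags.append("party")
        if flags:
            flagged[t["id"]] = flags
    return flagged


if __name__ == "__main__":
    for txn_id, flags in data_red_flags(TXNS, APPROVED_VENDORS, RELATED_PARTIES).items():
        print(txn_id, flags)
```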
Fraud Risk Assessment
– Document Red Flags
• Missing or Altered Documents
• Evidence of backdating documents
• No original documents available
• Documents that conflict with one another
• Questionable or missing signatures on documents
Fraud Risk Assessment
– Control Red Flags
• Lack of controls in general
– Unwillingness to remediate gaps
– Poor “Tone from the Top”
• Segregation of duties (excuse!)
• Management does not have a clear position about conflicts of interest
• Lax rules regarding authorization of transactions
• Untimely reconciliation of accounts, or failure to reconcile them
Fraud Risk Assessment
– Behavior Red Flags
• Rationalization and observed changes of contradictory behavior and past behavior patterns
• Lack of stability
• Inadequate income for lifestyle
• Resentment of superiors and frustration with job
• Emotional trauma in home or work life
• Undue family, company or community expectations
[Chart segments: 10 / 80 / 10, labelled Unethical / Situational Ethics / Ethical]
CLOSING THOUGHTS
Be Alert to Crisis Situations, or Constant Fire Drills
Polling Question 4
The vast majority, over 75%, of all frauds were
committed by individuals working in one of six
departments: accounting, operations, sales,
executive/upper management, customer service
and purchasing?
True or False?
For More Information, Contact:
Jonathan Marks Partner & Leader of the Fraud, Ethics, & Anti-Corruption Practice
Mobile: 267.261.4947
Office: 212.572.5576
@jtmarkscpa http://www.linkedin.com/in/jonathantmarks