
Page 1: Sunera Canada ULC Effective Fraud Risk Assessment · 2. Assemble Risk Assessment Team: – The team will include senior management, business unit leaders, and process owners (e.g.,

Sunera Canada ULC

Effective Fraud Risk Assessment

October 21, 2016

2016 Annual Fraud Program

Page 2:

Copyright © 2014 Sunera LLC. 2

Sunera LLC Snapshot

§ Professional consultancy with core competency in Governance, SOx, NI 52-109, Internal Audit, IT Audit, IT Strategy & Risk, Information Security, Data Privacy, Data Analytics, Project Risk Management, and Financial Advisory.

§ Founded in 2005, Sunera has grown significantly over the course of our history.

– Sunera is an organization under Cyber Risk Management LLC, and includes our sister organizations ANRC (Cyber-Security Training) and APTEC (Identity Governance and Access Management).

§ Has delivered more than 3,500 projects for 750 clients across a spectrum of industries; Sunera is adept at servicing clients ranging in size from the Fortune 1000 to smaller, cost-conscious organizations.

§ Employs 350+ full-time professionals in 20+ offices across Canada (Calgary, Vancouver and Toronto) and the United States.

§ Market leader in Data Analytics and Continuous Controls Monitoring.

§ Certified SAP integration partner with specific expertise in SAP Security, GRC and controls.

§ Registered with NASBA to offer CPEs for our external specialized training courses.

Page 3:

Shawn Hendry, Managing Partner, Sunera Canada

§ Managing Partner for Sunera Canada

§ Working with our clients for the past 10+ years with Sunera in Calgary, Vancouver and Toronto

§ Certified Internal Auditor (CIA), Certified in Risk Management Assurance (CRMA), Certified Information Systems Auditor (CISA), Certified in Governance of Enterprise Information Technology (CGEIT)

§ Prior to joining Sunera, Shawn was a Senior Manager with KPMG in their Risk Advisory Service practice in Victoria and the Director of Audit and Risk Assessment for CanWest Global Communications which was previously Canada’s largest media group.

Page 4:

Agenda

§ BREAKING NEWS

§ Introduction to Fraud

§ ACFE – Report to the Nations – Interesting Facts

§ COSO – Fraud Risk Management Guide

§ Fraud Risk Program

§ Fraud Risk Assessment Methodology

§ Steps in Performing a Fraud Risk Assessment

§ Other Key Elements of a Fraud Risk Program

Page 5:

Managing the Business Risk of Fraud: A Practical Guide

Page 6:

BREAKING NEWS! - COSO Issues New Fraud Risk Management Guide – Sept 28, 2016

Page 7:

Intro to Fraud

§ Fraud, in all its forms, costs billions in damage each year.

§ COSO's new definition of fraud is succinct: "Fraud is any intentional act or omission designed to deceive others, resulting in the victim suffering a loss and/or the perpetrator achieving a gain."

§ Occupational frauds are those committed in connection with the fraudster's occupation. Examples include:

• Stealing money, inventory or services
• Claiming overtime for hours not worked
• Filing fraudulent expense reports
• Giving friends or relatives unauthorized discounts on company merchandise or services
• Adding ghost employees to the payroll
• Adjusting financials to improve bonus or other compensation

Page 8:

Types of Fraud

Asset Misappropriation: schemes in which the employee steals or misuses an organization's assets
– Skimming cash receipts
– Falsifying voids and refunds
– Tampering with company checks
– Overstating expenses

Fraudulent Reporting: schemes involving the intentional misreporting of an organization's financial information with the intent to mislead others
– Creating fictitious revenues
– Concealing liabilities or revenues

Corruption: schemes in which a fraudster wrongfully uses his influence in a business transaction for the purpose of obtaining a benefit for himself or another person
– Conflicts of interest
– Illegal gratuities
– Bribery

Page 9:

What Causes People to Commit Fraud?


Page 15:

Asset Misappropriation Sub-Schemes


Page 22:

GROUP ACTIVITY

Page 23:

BREAKING NEWS! - COSO Issues New Fraud Risk Management Guide – Sept 28, 2016

Page 24:

COSO New Fraud Risk Management Guide

• The Guide is an update to the 2007 Managing the Business Risk of Fraud guide.

• The Guide is consistent with the 17 principles of internal control as defined in the COSO 2013 Internal Control - Integrated Framework and ERM Framework.

• The Guide advocates comprehensively managing fraud risk, starting with establishment of a fraud risk management policy, performance of a fraud risk assessment, selection and development of appropriate controls and reporting, followed by monitoring that will influence subsequent fraud risk management activities.

• COSO makes a point to call out the distinction between internal control issues that can result in errors compared with those that permit fraud to occur.

• “The fundamental difference is intent,” COSO says. “An organization that simply adds the fraud risk assessment to the existing internal control assessment may not thoroughly examine and identify possibilities for intentional acts designed to misstate financial information, misstate nonfinancial information, misappropriate assets, or perpetrate illegal acts or corruption.”

• The Guide is meant for use by the many people who have a role to play in mitigating fraud risk: board members and audit committee members, senior management, management at other levels in the organization, internal auditors, external auditors, other professional service providers, and educators.

Page 25:

COSO New Fraud Risk Management Guide

• The Guide explains that fraud deterrence is achieved when an organization implements a fraud risk management process that:
– Establishes a visible and rigorous fraud governance process.
– Creates a transparent and sound anti-fraud culture.
– Includes a thorough fraud risk assessment periodically.
– Designs, implements, and maintains preventive and detective fraud control processes and procedures.
– Takes swift action in response to allegations of fraud, including actions against those involved in wrongdoing where appropriate.

• The Guide recommends that each organization establish a comprehensive fraud risk management program. In order to support this recommendation, the Guide includes tools and resources for conducting a fraud risk assessment, writing an anti-fraud policy and establishing a comprehensive anti-fraud program.

Page 26:

Fraud Risk Management Principles

The Guide now goes beyond fraud risk assessment to align 5 principles of fraud risk management with the 17 principles of internal control as follows:

Page 27:

Fraud Risk Management Principles

Page 28:

Emphasis on Data Analytics

Perhaps the biggest change is the focus on data analytics: The Guide recommends that each organization have “a strategy for proactively using data analysis activities to assess areas of high fraud risk and to monitor fraud mitigation activities and controls.”

Where the 2007 Managing the Business Risk of Fraud guide referenced "analytics" only infrequently, the updated Guide references "data analytics" in multiple places as a means of monitoring for fraud.
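What such a data-analysis strategy looks like in practice, as an added example that is not from the Guide or from Sunera: three proactive tests (ghost employees, duplicate expense claims, and purchase orders split under an approval limit) run over constructed sample payroll, expense and purchasing records. The approval limit, the duplicate-claim window and all record layouts are assumptions made for this example.

```python
"""Proactive data analytics tests over transaction data (added example).

Three tests a fraud analytics program might run, on constructed sample records
(not client data); the approval limit and duplicate window are assumptions:
  1. ghost employees: payroll lines whose employee ID is not in the HR master,
     or whose bank account is shared with another employee ID;
  2. duplicate expense claims: same employee, merchant and amount within a
     short window;
  3. split purchases: several purchase orders from one requester to one vendor
     on one day that each sit below the approval limit but together exceed it.
"""
from collections import defaultdict
from datetime import date

APPROVAL_LIMIT = 5_000.00   # assumed single-approver PO limit
DUP_WINDOW_DAYS = 7         # assumed window for duplicate expense claims


def ghost_employees(hr_master, payroll):
    """Employee IDs paid without an HR record, or sharing a bank account with another ID."""
    active = {e["emp_id"] for e in hr_master}
    by_account = defaultdict(set)
    for p in payroll:
        by_account[p["bank_account"]].add(p["emp_id"])
    flagged = {p["emp_id"] for p in payroll if p["emp_id"] not in active}
    for ids in by_account.values():
        if len(ids) > 1:          # one account paid under several employee IDs
            flagged |= ids
    return sorted(flagged)


def duplicate_expenses(claims, window_days=DUP_WINDOW_DAYS):
    """Pairs of claim IDs with the same employee, merchant and amount within the window."""
    groups = defaultdict(list)
    for c in claims:
        groups[(c["emp_id"], c["merchant"], c["amount"])].append(c)
    pairs = []
    for group in groups.values():
        group.sort(key=lambda c: c["date"])
        for earlier, later in zip(group, group[1:]):
            if (later["date"] - earlier["date"]).days <= window_days:
                pairs.append((earlier["claim_id"], later["claim_id"]))
    return pairs


def split_purchases(purchase_orders, limit=APPROVAL_LIMIT):
    """(requester, vendor, date, total) where same-day POs each fall below the limit but sum above it."""
    groups = defaultdict(list)
    for po in purchase_orders:
        groups[(po["requester"], po["vendor"], po["date"])].append(po["amount"])
    hits = []
    for (requester, vendor, day), amounts in groups.items():
        if len(amounts) > 1 and all(a < limit for a in amounts) and sum(amounts) >= limit:
            hits.append((requester, vendor, day.isoformat(), round(sum(amounts), 2)))
    return sorted(hits)


# Constructed sample data (illustrative only).
HR_MASTER = [{"emp_id": "E100"}, {"emp_id": "E101"}, {"emp_id": "E102"}]
PAYROLL = [
    {"emp_id": "E100", "bank_account": "CA-1111"},
    {"emp_id": "E101", "bank_account": "CA-2222"},
    {"emp_id": "E102", "bank_account": "CA-3333"},
    {"emp_id": "E999", "bank_account": "CA-2222"},  # no HR record, paid into E101's account
]
CLAIMS = [
    {"claim_id": "C1", "emp_id": "E100", "merchant": "Air Canada", "amount": 412.50, "date": date(2016, 9, 1)},
    {"claim_id": "C2", "emp_id": "E100", "merchant": "Air Canada", "amount": 412.50, "date": date(2016, 9, 4)},
    {"claim_id": "C3", "emp_id": "E101", "merchant": "Air Canada", "amount": 412.50, "date": date(2016, 9, 4)},
    {"claim_id": "C4", "emp_id": "E100", "merchant": "Air Canada", "amount": 412.50, "date": date(2016, 10, 20)},
]
PURCHASE_ORDERS = [
    {"po": "P1", "requester": "R1", "vendor": "Acme Supply", "date": date(2016, 9, 12), "amount": 4_900.00},
    {"po": "P2", "requester": "R1", "vendor": "Acme Supply", "date": date(2016, 9, 12), "amount": 4_800.00},
    {"po": "P3", "requester": "R1", "vendor": "Acme Supply", "date": date(2016, 9, 13), "amount": 1_200.00},
    {"po": "P4", "requester": "R2", "vendor": "Bolt Works", "date": date(2016, 9, 12), "amount": 7_500.00},
]

if __name__ == "__main__":
    print("ghost employee candidates:", ghost_employees(HR_MASTER, PAYROLL))
    print("duplicate expense claims:", duplicate_expenses(CLAIMS))
    print("split purchases:", split_purchases(PURCHASE_ORDERS))
```

Each test returns the flagged records rather than a verdict; in a working program the hits feed a review queue, and the hit rate per test becomes one of the measures used to monitor the fraud risk program. The first and third tests are cheap joins and groupings that can run on every payroll and purchasing cycle; the window in the second test has to be tuned to the expense policy in force, since a legitimate recurring charge will otherwise trip it.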

Page 29:

What Should Organizations Do Now?

The Guide sets out a process for ongoing, comprehensive fraud management.

Page 30:

Options for Meeting the Requirements

Choose one of the Guide’s two options:

I. A comprehensive fraud risk assessment in support of Principle 8 of the 2013 COSO Internal Control Framework, or

II. A fraud risk management program that includes a comprehensive risk assessment and is based on COSO’s five principles.

For a fraud risk assessment (I), consider whether you should update existing assessments or launch a new assessment. If new, then:

– Who will conduct the assessment?
– What subject-matter resources will be required?
– What department will provide the budget?
– What assessment criteria will the organization use?
– How will the organization determine risk tolerance for specific types of fraud?

For a fraud risk management program (II), consider the organization’s governance and design:

– How will a fraud risk management program align with existing programs and resources (e.g., anti-fraud, cyber-security, compliance and ethics, or anti-corruption)?
– Who should lead the program?
– How should the organization incorporate anti-fraud management into its existing corporate governance framework in order to facilitate board oversight and management actions?

Page 31:

GROUP ACTIVITY

Page 32:

Impacts of Fraud

§ All organizations are subject to fraud risks. Publicized fraudulent behavior by key executives has negatively impacted the reputations, brands, and images of many organizations around the globe.

§ Frameworks and regulations such as COSO 2013, the U.S. Foreign Corrupt Practices Act of 1977 (FCPA), the 1997 Organization for Economic Co-operation and Development Anti-Bribery Convention, the U.S. Sarbanes-Oxley Act of 2002, the U.S. Federal Sentencing Guidelines of 2005, and similar legislation throughout the world have increased management's responsibility for fraud risk management.

§ Fewer pay increases
§ Increased layoffs
§ Greater pressure to increase sales and revenue
§ Decreases in employee benefits
§ Low employee morale

Page 33:

Fraud Risk Program - Governance

§ Five key principles for proactively establishing an environment to effectively manage an organization’s fraud risk include:

– Principle 1: As part of an organization’s governance structure, a fraud risk management program should be in place, including written policies to convey the expectations of the BOD and senior management regarding managing fraud risk.

– Principle 2: Fraud risk exposure should be assessed periodically to identify specific potential schemes and events that the organization needs to mitigate.

– Principle 3: Prevention techniques to avoid potential key fraud risk events should be established, where feasible, to mitigate possible impacts on the organization.

– Principle 4: Detection techniques should be established to uncover fraud events when preventive measures fail or unmitigated risks are realized.

– Principle 5: A reporting process should be in place to solicit input on potential fraud, and a coordinated approach to investigation and corrective action.

© 2008 Sunera LLC. All Rights Reserved

Page 34:

Fraud Risk Program - Overview

§ Each organization needs to consider its size and complexity when determining what type of formal fraud program is most appropriate. The program should consider the following elements:

– Commitment
– Fraud Awareness
– Affirmation Process
– Conflict Disclosure
– Investigation Process
– Corrective Action
– Continuous Monitoring


Page 35:

What is a Fraud Risk Assessment

§ An assessment of the potential for fraud to affect an organization’s ability to maintain operations and reputation

§ Identifies and addresses vulnerability to both internal and external fraud

§ Allows an organization to understand where fraud could occur and the effect

§ Allows management to decide whether anything needs to be addressed, and if so what and how

§ Overall, a Fraud Risk Assessment allows us to understand the fraud potential and then protect ourselves and stakeholders.

Page 36:

Fraud Risk Assessment Methodology

The following fraud risk assessment methodology is based upon guidance from the Association of Certified Fraud Examiners (ACFE), the AICPA and the IIA:

– Identify fraud risk factors
– Determine who is likely to commit fraud
– Evaluate significance of fraud
– Evaluate likelihood of fraud
– Identify anti-fraud controls
– Map controls to relevant fraud risks
– Assess the effectiveness of anti-fraud controls
– Respond to the residual fraud risk

Page 37:

Steps in Performing an FRA – 6 Step Process

1. Gather fraud risks:
– Fraud risk identification begins with gathering information on fraud risk from regulatory bodies, industry sources, key guidance-setting groups (e.g., COSO) and professional organizations (e.g., the IIA, ISACA, the ACFE).

2. Assemble Risk Assessment Team:
– The team will include senior management, business unit leaders, and process owners (e.g., finance, sales, procurement, and operations), as they are ultimately the most knowledgeable of business activities and will be accountable for the effectiveness of the fraud risk management efforts.

3. Identify your inherent fraud risk:
– Determine which fraud risks may apply to your area or departments. Brainstorming sessions can be conducted with appropriate staff to explicitly consider all types of fraud schemes and scenarios, incentives, pressures, and opportunities to commit fraud, and should include IT fraud risks.

Page 38:

Inherent Risk vs. Residual Risk

The initial assessment of fraud risk considers the inherent risk of particular frauds occurring in the absence of internal controls. After all relevant fraud risks have been identified, internal controls are mapped to the identified risks. Fraud risks that remain unaddressed by appropriate controls comprise the population of residual fraud risks.

§ Inherent Risk: risk in the absence of any action that might alter the risk's likelihood or impact (e.g., the risk that a fraud could cause a significant monetary loss: High).

§ Residual Risk: risk that remains after action has been taken (e.g., fraud insurance is maintained, reducing monetary exposure to an acceptable level: Low).

Page 39:

Steps in Performing an FRA (continued)

4. Assess likelihood and significance of the inherent fraud risk:
– With the FRA team, assess the relative likelihood and potential significance of each identified fraud risk. Assessing the likelihood and significance of each potential fraud risk is a subjective process and should include considerations in the financial reporting, business operations, brand reputation, legal, and regulatory compliance areas.

Likelihood
• # of instances where a particular fraud occurred in the past (e.g., fraudulent expense reports)
• The prevalence of the fraud risk in your industry
• # of individual transactions flowing through the process
• Complexity of the risk or transaction
• # of people involved in reviewing or approving the process (manual or automated)
• # of departments or people that have incentives or pressure to reach tight financial goals

Significance
• Departmental financial significance to the FS (financial statements)
• Brand value and reputation
• Potential criminal, civil, and regulatory liability (PCI, etc.)
• Known fraud impact (if it occurred in the past)

Page 40:

Risk Measurements

Likelihood of Occurrence - Example

(Chart: likelihood bands plotted as probability of occurrence within the assessment period on a 0% to 30% axis: Likely > 25%, Possible 10% - 25%, Remote 1% - 10%, Extraordinary < 1%.)

You can categorize the likelihood of potential frauds occurring in as many buckets as deemed reasonable, otherwise three categories are generally adequate: remote, reasonably possible, and probable.

Each risk is assessed to determine its relevance to your organization during the next 12 months.

Page 41:

Risk Measurements

Financial Impact - Example

You can categorize the significance of potential frauds in as many buckets as deemed reasonable, otherwise three categories are generally adequate: inconsequential, more than inconsequential, and material. The example below considers 5 categories.

(Chart: financial impact bands in millions of dollars, with bars at $0.3, $1.3, $6.3, $12.0, $25.0 and $125.0 on a $0 to $140 axis.)

Page 42:

Fraud Risk Evaluation - Likelihood

§ The first step is to measure the likelihood and impact

– Likelihood: measure of inherent risk without consideration of existing controls
• Remote – the risk is seen as unlikely to occur within the next 12 months
• Reasonably Possible – the risk is seen as likely to occur within the next 12 months
• Probable – the risk is expected to occur within the next 12 months

– The following factors should be considered when assessing likelihood:
• # of instances where a particular fraud occurred in the past (e.g., fraudulent expense reports)
• The prevalence of the fraud risk in your industry
• # of individual transactions flowing through the process
• Complexity of the risk or transaction
• # of people involved in reviewing or approving the process (manual or automated)
• # of departments or people that have incentives or pressure to reach tight financial goals

Page 43:

Fraud Risk Evaluation - Impact

§ The following scale should be used when measuring impact:
– Negligible – the risk will not substantively impede the organization
– Moderate – the risk will cause a large impact to the organization, yet not a material one
– Material – the risk will cause a material impact to the organization

§ The following factors should be considered when assessing impact:
– Departmental financial significance to the FS (financial statements)
– Brand value and reputation
– Potential criminal, civil, and regulatory liability (PCI, etc.)
– Known fraud impact (if it occurred in the past)

§ Once the likelihood and impact are assessed, the next step is to determine the controls in place at the organization to address the risk and assess residual risk

Page 44:

Steps in Performing an FRA (continued)

5. Assess Residual Risks: Determine what current activities are in place (considering process, people, departments, and regulations) that mitigate the identified risks.

6. Define Fraud Prevention Techniques: Document the fraud prevention and detection techniques that should be established to mitigate the possible impact of key fraud risk events. This includes documenting key process controls, preventive fraud activities (fraud awareness training, policies, background checks), and detective fraud activities (e.g., hotlines, data mining tools, FS reviews).
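The six steps above carried through end to end, as an added example that is neither Sunera's nor COSO's own method: a small fraud register is scored for inherent risk, the controls mapped to each risk reduce it to a residual score, the top risks and the risks with no control at all are listed, and the result is rolled up per process. The three-point scales, the multiplicative residual model, the control effectiveness values, the Low/Medium/High thresholds and every register entry are assumptions made for this example.

```python
"""Fraud risk assessment (FRA) scoring: inherent risk, control mapping, residual
risk, top-N ranking and per-process roll-up (added example).

Assumptions, not from the deck: likelihood and impact are scored on three-point
ordinal scales; inherent score = likelihood x impact (1..9); each mapped control
carries an effectiveness in [0, 1] taken from testing, and residual score =
inherent x product(1 - effectiveness) over the mapped controls; the Low/Medium/High
thresholds are 2 and 4 on that 1..9 scale. The register below is constructed.
"""
from dataclasses import dataclass, field

LIKELIHOOD = {"remote": 1, "reasonably possible": 2, "probable": 3}
IMPACT = {"negligible": 1, "moderate": 2, "material": 3}


@dataclass(frozen=True)
class Control:
    name: str
    kind: str             # "preventive" or "detective"
    effectiveness: float  # assumed share of the risk the control removes, 0.0..1.0


@dataclass
class FraudRisk:
    process: str
    scheme: str
    likelihood: str       # key of LIKELIHOOD, assessed without controls
    impact: str           # key of IMPACT, assessed without controls
    controls: list = field(default_factory=list)

    def inherent(self) -> int:
        """Step 4: likelihood x significance before any control is considered."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def residual(self) -> float:
        """Step 5: risk remaining after the mapped controls, each removing its share."""
        remaining = 1.0
        for c in self.controls:
            if not 0.0 <= c.effectiveness <= 1.0:
                raise ValueError(f"{c.name}: effectiveness must be within [0, 1]")
            remaining *= 1.0 - c.effectiveness
        return round(self.inherent() * remaining, 2)


def rating(score: float) -> str:
    """Assumed Low/Medium/High thresholds on the 1..9 scale."""
    if score <= 2:
        return "Low"
    if score <= 4:
        return "Medium"
    return "High"


def top_inherent(risks, n=10):
    """Step 4 output: the top-n fraud risks by inherent score, likelihood breaking ties."""
    ranked = sorted(risks, key=lambda r: (-r.inherent(), -LIKELIHOOD[r.likelihood], r.scheme))
    return ranked[:n]


def unmitigated(risks):
    """Residual population: identified risks with no control mapped to them at all."""
    return [r for r in risks if not r.controls]


def process_summary(risks):
    """Per-process roll-up: (# schemes evaluated, residual rating of the worst scheme)."""
    worst = {}
    for r in risks:
        count, score = worst.get(r.process, (0, 0.0))
        worst[r.process] = (count + 1, max(score, r.residual()))
    return {p: (count, rating(score)) for p, (count, score) in worst.items()}


# Constructed controls and fraud register (illustrative, not client data).
SEGREGATION = Control("Vendor master maintained separately from payment release", "preventive", 0.5)
MGMT_REVIEW = Control("Monthly management review of disbursements", "detective", 0.3)
HOTLINE = Control("Anonymous whistleblower hotline", "detective", 0.2)
HR_RECON = Control("Quarterly payroll-to-HR-master reconciliation", "detective", 0.6)

REGISTER = [
    FraudRisk("Accounts Payable & Disbursements", "Fictitious vendor / kickbacks",
              "reasonably possible", "material", [SEGREGATION, MGMT_REVIEW, HOTLINE]),
    FraudRisk("Accounts Payable & Disbursements", "Duplicate payment to legitimate vendor",
              "probable", "moderate", [MGMT_REVIEW]),
    FraudRisk("Payroll", "Ghost employees", "remote", "moderate", [HR_RECON]),
    FraudRisk("Payroll", "Overtime for hours not worked", "probable", "negligible", []),
    FraudRisk("Treasury (cash/investment)", "Unauthorized wire transfer",
              "reasonably possible", "material", [HOTLINE]),
    FraudRisk("Financial Reporting", "Fictitious revenues", "remote", "material", [MGMT_REVIEW]),
]

if __name__ == "__main__":
    for r in top_inherent(REGISTER, 3):
        print(f"{r.scheme}: inherent={r.inherent()} residual={r.residual()} ({rating(r.residual())})")
    print("No control mapped:", [r.scheme for r in unmitigated(REGISTER)])
    for process, (count, risk) in process_summary(REGISTER).items():
        print(f"{process}: {count} schemes evaluated, residual {risk}")
```

The ranking in top_inherent deliberately ignores controls, which is what the "without controls" view on a heat map needs; residual() is where a control counts only for the effectiveness it has demonstrated in testing, so an untested control belongs in the register at 0.0 rather than at its design value. A risk with no mapped control at all is surfaced separately by unmitigated(), since a low inherent score is not a reason to leave it out of the residual population.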

Page 45:

GROUP ACTIVITY

Page 46:

Example of an FRA Worksheet

Page 47:

Top Fraud Risk Processes – Client Example

Process | # Fraud Schemes Evaluated | Risk Scoring (residual)
Accounts Payable & Disbursements | 14 | Low
Accounts Receivable & Revenue | 12 | Low
Capital Assets (Fixed Assets) | 5 | Medium
Capitalized Software Development | 5 | Low
Financial Reporting | 15 | Medium
Payroll | 6 | Low
Tax | 3 | High
Treasury (cash/investment) | 14 | High
TOTAL | 74 |

Page 48:

Fraud Schemes

Fraud Area | Schemes | Mitigating Factors | Exposure Score
Fraudulent Financial Reporting | Intentional manipulation; Concealment; Improper disclosures | Authority limits; Ethics policy; Management review; Restricted access | Low
Asset Misappropriation | Employee; Customer; Vendor; Proprietary business | Physical security; Vendor agreements; Inventory counts; Credit review | Low
Corruption | Bribery; Kickbacks; Misuse of customer data | Hiring policies; Code of conduct; Approval authorization matrix | Medium
Regulatory Misconduct | Theft of trade secrets; Environmental | Penetration testing / vulnerability assessment; Ethics policy; EH&S policies | Low

Page 49:

Procurement

(Chart: procurement fraud schemes plotted by likelihood against significance: Bribes & Kickbacks; Conflicts of Interest; Bidding Schemes; Vendor & Contract Maintenance; Manipulation of Purchase Orders; Unjustified Sole Source Awards.)

Legend

Likelihood: current fraud red flag identified at location (remote, reasonably possible, probable)

Significance: potential financial impact if fraud occurs (immaterial, significant, material)

Page 50:

Key Fraud Risk

(#) fraud risks were identified in total, but the top 10 fraud risks based on likelihood and significance without controls were as follows:

1 – TBD
2 – TBD
3 – TBD
4 – TBD
5 – TBD
6 – TBD
7 – TBD
8 – TBD
9 – TBD
10 – TBD

(Chart: Fraud Risk Assessment scatter plot of the top risks (placeholders TBD1 to TBD6 shown), with likelihood on one axis (Remote, Reasonably Possible, Probable) and impact on the other (Negligible, Moderate, Material), both scaled 1.00 to 4.00.)

Page 51:

Effectiveness of Anti-Fraud Controls

All fraud risks had anti-fraud controls to help prevent or detect the related fraud risk.

xxx has strong corporate governance (Tone at the Top) and anti-fraud measures as follows:

• Anonymous whistleblower hotline
• Code of ethics policy and annual training at all levels including the BOD
• Zero tolerance policy – holding people accountable for ethical violations

Anti-fraud controls could be further enhanced by:
• A
• B
• C

Page 52:

Fraud Risk Program – Continuous Monitoring

§ The fraud risk management program, including related documents, should be revised and reviewed based on the changing needs of the organization, recognizing that documentation is static, while organizations are dynamic.

§ The organization should develop ongoing monitoring and measurements to evaluate, remedy, and continuously improve the organization’s fraud detection techniques.

– If deficiencies are found, management should ensure that improvements and corrections are made as soon as possible.

– Management should institute a follow-up plan to verify that corrective or remedial actions have been taken.

Page 53:

Fraud Risk Program – Continuous Monitoring (cont.)

§ Measurable criteria include:
– Number of known fraud schemes committed against the organization.
– Number and status of fraud allegations received that required investigation.
– Number of fraud investigations resolved.
– Number of employees who have/have not completed ethics training sponsored by the organization.
– Number of whistleblower allegations received via the organization's hotline.
– Number of messages supporting ethical behavior delivered to employees by executives.
– Number of vendors who have/have not signed the organization's ethical behavior requirements.
– Number of fraud audits performed by internal auditors.
– Number of fraud controls: detective vs. preventive, number tested, number operating effectively.

Page 54:

Questions

If you have any questions please contact:

Shawn Hendry, Managing Partner, Sunera Canada

[email protected]

www.sunera.com