shilts fraud risk assessment deck
Post on 19-Jan-2017
371 Views
Preview:
TRANSCRIPT
Developing and Implementing a Fraud Risk Assessment
Josh Shilts CPA/CFF, CFE
MY GOAL
HAVE YOU WALK AWAY WITH THE KNOWLEDGE AND TOOLS TO COMPLETE A FORMAL & USEFUL
FRAUD RISK ASSESSMENT!!!
Before We Begin, Remember…
The design of an organization’s formal and effective anti-fraud program evolves from the collaborative efforts of executive management, oversight committees, and specific departments within the organization…
We need ALL the help we can get…
OBJECTIVEPrevent or detect the occurrence of fraud and implement proactive solutions to reduce or eliminate fraud’s effects on the organization…
Today’s Focus is on Element #4 - Fraud Risk Assessment
“An organization’s fraud risk exposure should be assessed periodically by the organization to identify specific scenarios that the organization needs to mitigate”
Anti-Fraud Program
Source: The IIA, ACFE and AICPA’s “Managing the Business Risk of Fraud: A Practical Guide”, April 2008.
One Size Doesn’t Fit All NOR Should IT
Management should tailor the design of the assessment to fit the needs and objectives of the organization.
Assessment should be:
Efficient,
Practical,
Easy to Understand, and
Useful
NOT just for you and your department but for everyone in the Organization…
Identify
Present
Risk Assessment Process
5 Easy Steps1) IDENTIFY - Step one is identifying the specific risks your
organization is susceptible too while also considering how granular you should monitor fraud risks…
2) ANALYZE & ASSESS – Fraud risks measurement varies, but the types of measurements used may have a profound effect on how your organization assesses a risk…
3) PRESENT – Who is your audience? Is there a prescribed format they are already use to? These are the questions you need to consider…
4) PLAN & IMPLEMENT – Work with others and their schedules to ensure your efficiency in completing the assessment. Allow management time to digest and provide feedback and than work with control owners to implement proactive mitigation solutions…
5) MONITOR – Oh yea, monitor, monitor and do some more monitoring. Suggest an annual formal “refresh”, but the real value stems from constant assessment.
IDENTIFY: Fraud Risk CategoriesPresent your “FRA” at a level that board members, executive management and others within the organization can understand…
Don’t be so granular that you lose conveying the overall message. These aren’t fraud experts, but rather individuals who are on a “need to know” basis…
Bribery
Larceny
Fake Expenses
False Voids
ANALYZE & ASSESS - MeasuresKPIs and Mitigating Activities provide “real” data to support your assessment; however, Management should be updated and risks ranked by using the…
(1) Magnitude (i.e. Significance):High (3) = > $10 MillionMed (2) = Between $4 Million and $10 MillionLow (1) = < $4 Million
(2) Likelihood (i.e. Controls, Mitigating Activity):Strong (1) = Preferred PracticeGood (2) = AdequateLow (3) = Needs Improvement
(3) Likelihood (i.e. Pressure, Occurrence):High (3) = Significant pressureMed (2) = Moderate pressureLow (1) = Little to no pressure
Magnitude + Likelihood [(Controls) + (Pressure)] = Rank
(1) Velocity – Measurement of the rate of change… (Immediate, Rapid or Slow)
(2) Risk – Gross & ResidualGross before Mitigating Activities and Residual Measures After…(High, Medium or Low)
Other Measures
“ERM” should serve as the model for your FRA
FRA should have the same look and feel as your ERM presentation
PRESENT: Enterprise Risk Management
Magnitude
Major >$500M 5
Substantial >$250M 4
Moderate >$ 100M 3
Minor >$10M 2
Insignificant <$10M 1
Define how Financial Impact is measured (i.e. Net Income, Revenues, etc.)
1 2 3 4 5
Remote Unlikely Possible Likely Almost Certain
Likelihood
1
2
4
3
STRATEGIC
OPERATIONAL
FINANCIAL
COMPLIANCE
FRAUD
Your FRA should serve as a “Drill-Down” from the ERM Fraud Risk
PRESENT: Fraud Risk Assessment
Magnitude
Major >$50M 5
Substantial >$25M 4
Moderate >$ 10M 3
Minor >$1M 2
Insignificant <$1M 1
Define how Financial Impact is measured (i.e. Net Income, Revenues, etc.)
1 2 3 4 5
Remote Unlikely Possible Likely Almost Certain
Likelihood
12
11
3
10
4
6
5
14
13
2
15
9
8
1
7Theoretically the “SUM” equals the value of FRAUD as presented on the Company’s Enterprise Risk Management Map
FRAUD
FRAUD
1 + 2 + 3…+ 14 + 15 = FRAUD
PLAN/IMPLEMENT– Fraud Scheme Mngt.Using the categories defined for presentation purposes build a granular fraud scheme repository specific to your organization’s activities & risks…
The repository schemes can than be tracked and measured at a granular level and rolled up to assist in measuring the sub-risk and categories…
Vendor A is required to pay the bidding manager $2,000 to participate in the bidding process Extortion Corruption
Funds are misappropriated to a shell company. Vendor setup is colluding with accounts payable.
Fraudulent Disbursement – Billing Scheme
Asset Misappropriation
Management has decided to book revenue for items shipped and ships items to meet expectations.
Financial – Fictitious Revenues
Fraudulent Statements
KPIs Mitigation Actions1. Hotline Statistics 1. SOX Controls
2. SEC Enforcement Actions 2. Audit Procedures
Fraud Scheme Sub Risk Category
Prevention – Keep your Ears on the Track
Continue to improve & enhance these activities based on past experiences, new concepts and information from your fraud risk assessment…
1. Integrate current activities with anti-fraud objectives
2. Continue to assess preventative activities as part audit and SOX procedures and identify ways to improve prevention activities
3. Adjust preventive activities based upon new ideas, frauds, etc.
4. Seek feedback from business owners
5. Try to stay ahead of the Fraudster by educating yourself and your team
Detection – Use Existing KnowledgeLeading & Lagging Indicators
1. Hotline Complaints2. Fraud Risk Research Stats3. New Audits w/ Fraud Objectives
1. Ratio Analysis2. Prior Audit Findings3. Hotline Complaint Trends
AUDIT PLANNING & TESTING Training
SOX/ICFR Testing Continuous Monitoring Focus Areas
Fraud Risk Assessment
Audit Planning
Policy ObjectivesManagement/Employee Awareness
MONITORING – It Never Stops!!!
Understand what you or your department is currently doing to “monitor” or uncover additional fraud risks:
Audits
ICFR (e.g. “SOX”)
Continuous Assurance
Find new ways to monitor: Review prior audits and ICFR Fraud Controls
Meet with counterparts in the Company
Read periodicals, journals, etc.
Statistical Analysis (internal and external data)
Now What?
NEVER Stop Thinking of New Fraud Risks
Think of NEW ways to convey your message
TREAT your assessment like a tool
GET TO WORK!!!
Josh Shilts CPA/CFF, CFE(305) 373-5500 x2226jshilts@mbafcpa.com
Questions?
top related