fraud risk management...ic ↔ frm ↔ iso 31000 ic 2013 component frm 2016 principle iso 31000...
TRANSCRIPT
![Page 1: Fraud Risk Management...IC ↔ FRM ↔ ISO 31000 IC 2013 Component FRM 2016 Principle ISO 31000 Framework ISO 31000 Process Control environment The organization establishes and communicates](https://reader030.vdocuments.mx/reader030/viewer/2022040317/5e2fb25ec137823e49015d3a/html5/thumbnails/1.jpg)
© 2019 Association of Certified Fraud Examiners, Inc.
Fraud Risk Management
Fraud Risk Management—Overview
![Page 2: Fraud Risk Management...IC ↔ FRM ↔ ISO 31000 IC 2013 Component FRM 2016 Principle ISO 31000 Framework ISO 31000 Process Control environment The organization establishes and communicates](https://reader030.vdocuments.mx/reader030/viewer/2022040317/5e2fb25ec137823e49015d3a/html5/thumbnails/2.jpg)
© 2019 Association of Certified Fraud Examiners, Inc. 2 of 27
Discussion Questions
1. Does your organization follow a specific risk
management model? If so, which one? Do you
think this model adequately addresses the risks
your organization faces? Why or why not?
![Page 3: Fraud Risk Management...IC ↔ FRM ↔ ISO 31000 IC 2013 Component FRM 2016 Principle ISO 31000 Framework ISO 31000 Process Control environment The organization establishes and communicates](https://reader030.vdocuments.mx/reader030/viewer/2022040317/5e2fb25ec137823e49015d3a/html5/thumbnails/3.jpg)
© 2019 Association of Certified Fraud Examiners, Inc. 3 of 27
Discussion Questions
2. What are some of the risks your organization
faces? Where does the risk of fraud fit into your
organization’s risk hierarchy?
![Page 4: Fraud Risk Management...IC ↔ FRM ↔ ISO 31000 IC 2013 Component FRM 2016 Principle ISO 31000 Framework ISO 31000 Process Control environment The organization establishes and communicates](https://reader030.vdocuments.mx/reader030/viewer/2022040317/5e2fb25ec137823e49015d3a/html5/thumbnails/4.jpg)
© 2019 Association of Certified Fraud Examiners, Inc. 4 of 27
Discussion Questions
3. Does your organization have a formal risk
management function? If so, are anti-fraud
initiatives integrated into the risk management
initiatives?
![Page 5: Fraud Risk Management...IC ↔ FRM ↔ ISO 31000 IC 2013 Component FRM 2016 Principle ISO 31000 Framework ISO 31000 Process Control environment The organization establishes and communicates](https://reader030.vdocuments.mx/reader030/viewer/2022040317/5e2fb25ec137823e49015d3a/html5/thumbnails/5.jpg)
© 2019 Association of Certified Fraud Examiners, Inc. 5 of 27
Discussion Questions
4. How does your organization categorize the
risks that are identified in the risk management
process?
![Page 6: Fraud Risk Management...IC ↔ FRM ↔ ISO 31000 IC 2013 Component FRM 2016 Principle ISO 31000 Framework ISO 31000 Process Control environment The organization establishes and communicates](https://reader030.vdocuments.mx/reader030/viewer/2022040317/5e2fb25ec137823e49015d3a/html5/thumbnails/6.jpg)
© 2019 Association of Certified Fraud Examiners, Inc. 6 of 27
Learning Objectives
▪ Analyze the current state of the risk
management landscape.
▪ Compare different risk management
frameworks.
▪ Recognize what fraud risk is and the factors that
influence it.
▪ Understand the reasons for effectively managing
fraud risk.
▪ Determine who is responsible for managing
fraud risk within an organization.
![Page 7: Fraud Risk Management...IC ↔ FRM ↔ ISO 31000 IC 2013 Component FRM 2016 Principle ISO 31000 Framework ISO 31000 Process Control environment The organization establishes and communicates](https://reader030.vdocuments.mx/reader030/viewer/2022040317/5e2fb25ec137823e49015d3a/html5/thumbnails/7.jpg)
© 2019 Association of Certified Fraud Examiners, Inc. 7 of 27
Introduction to Risk Management
▪ Risk management
involves:
• Identification of risks
• Prioritization of risks
• Treatment of risks
• Monitoring of risks
![Page 8: Fraud Risk Management...IC ↔ FRM ↔ ISO 31000 IC 2013 Component FRM 2016 Principle ISO 31000 Framework ISO 31000 Process Control environment The organization establishes and communicates](https://reader030.vdocuments.mx/reader030/viewer/2022040317/5e2fb25ec137823e49015d3a/html5/thumbnails/8.jpg)
© 2019 Association of Certified Fraud Examiners, Inc. 8 of 27
Introduction to Risk Management
▪ Balances risk appetite with the ability to meet
strategic, operational, reporting, and
compliance objectives
▪ Requires a proactive, rather than reactive,
approach
![Page 9: Fraud Risk Management...IC ↔ FRM ↔ ISO 31000 IC 2013 Component FRM 2016 Principle ISO 31000 Framework ISO 31000 Process Control environment The organization establishes and communicates](https://reader030.vdocuments.mx/reader030/viewer/2022040317/5e2fb25ec137823e49015d3a/html5/thumbnails/9.jpg)
© 2019 Association of Certified Fraud Examiners, Inc. 9 of 27
2019 the Current State of
Risk Management Initiatives
▪ Risk management initiatives appear relatively
immature:
• 23% describe their risk management as “mature” or
“robust.”
• 38% described their risk management as “very
immature” or “developing.”
![Page 10: Fraud Risk Management...IC ↔ FRM ↔ ISO 31000 IC 2013 Component FRM 2016 Principle ISO 31000 Framework ISO 31000 Process Control environment The organization establishes and communicates](https://reader030.vdocuments.mx/reader030/viewer/2022040317/5e2fb25ec137823e49015d3a/html5/thumbnails/10.jpg)
© 2019 Association of Certified Fraud Examiners, Inc. 10 of 27
2019 the Current State of
Risk Management Initiatives
▪ 41% are “minimally” or “not at all” satisfied with
the nature and extent of reporting of key risk
indicators to senior executives.
▪ 39% do not have risk oversight activities
formally assigned to a board subcommittee.
▪ External parties, such as regulators and
investors, are placing greater expectations on
management to strengthen risk oversight.
![Page 11: Fraud Risk Management...IC ↔ FRM ↔ ISO 31000 IC 2013 Component FRM 2016 Principle ISO 31000 Framework ISO 31000 Process Control environment The organization establishes and communicates](https://reader030.vdocuments.mx/reader030/viewer/2022040317/5e2fb25ec137823e49015d3a/html5/thumbnails/11.jpg)
© 2019 Association of Certified Fraud Examiners, Inc. 11 of 27
Risk Management Frameworks
▪ An entity’s risk management program should be
specifically tailored to its unique needs.
▪ However, the use of a framework can provide
guidance and structure in developing the
program.
![Page 12: Fraud Risk Management...IC ↔ FRM ↔ ISO 31000 IC 2013 Component FRM 2016 Principle ISO 31000 Framework ISO 31000 Process Control environment The organization establishes and communicates](https://reader030.vdocuments.mx/reader030/viewer/2022040317/5e2fb25ec137823e49015d3a/html5/thumbnails/12.jpg)
© 2019 Association of Certified Fraud Examiners, Inc. 12 of 27
COSO Enterprise Risk Management—
Integrating Strategy and Performance
Governance and culture
• Exercises board risk oversight
• Establishes operating structures
• Defines desired culture
• Demonstrates commitment to core values
• Attracts, develops, and retains capable individuals
Strategy and objective setting
• Analyzes business context
• Defines risk appetite
• Evaluates alternative strategies
• Formulates business objectives
Performance
• Identifies risk
• Assesses severity of risk
• Prioritizes risk
• Implements risk responses
• Develops portfolio view
Review and revision
• Assesses substantial changes
• Reviews risk and performance
• Pursues improvement in enterprise risk management
Information, communication,
and reporting
• Leverages information and technology
• Communicates risk information
• Reports on risk, culture, and performance
![Page 13: Fraud Risk Management...IC ↔ FRM ↔ ISO 31000 IC 2013 Component FRM 2016 Principle ISO 31000 Framework ISO 31000 Process Control environment The organization establishes and communicates](https://reader030.vdocuments.mx/reader030/viewer/2022040317/5e2fb25ec137823e49015d3a/html5/thumbnails/13.jpg)
© 2019 Association of Certified Fraud Examiners, Inc. 13 of 27
ISO 31000
▪ Lays out eight principles of effective risk
management
▪ Provides guidance on developing both a
framework and a process for managing risk that
is based on those principles
![Page 14: Fraud Risk Management...IC ↔ FRM ↔ ISO 31000 IC 2013 Component FRM 2016 Principle ISO 31000 Framework ISO 31000 Process Control environment The organization establishes and communicates](https://reader030.vdocuments.mx/reader030/viewer/2022040317/5e2fb25ec137823e49015d3a/html5/thumbnails/14.jpg)
© 2019 Association of Certified Fraud Examiners, Inc. 14 of 27
ISO 31000: 2018
Risk Management Principles
Integrated into organization
Structured and comprehensive
Based on the best available
information
Customized and proportionate
Takes human and cultural factors into
account
Inclusive
DynamicFacilitates continuous
improvement
![Page 15: Fraud Risk Management...IC ↔ FRM ↔ ISO 31000 IC 2013 Component FRM 2016 Principle ISO 31000 Framework ISO 31000 Process Control environment The organization establishes and communicates](https://reader030.vdocuments.mx/reader030/viewer/2022040317/5e2fb25ec137823e49015d3a/html5/thumbnails/15.jpg)
© 2019 Association of Certified Fraud Examiners, Inc. 15 of 27
ISO 31000:2018
(Source: ISO 31000:2018, Risk Management—Guidelines)
![Page 16: Fraud Risk Management...IC ↔ FRM ↔ ISO 31000 IC 2013 Component FRM 2016 Principle ISO 31000 Framework ISO 31000 Process Control environment The organization establishes and communicates](https://reader030.vdocuments.mx/reader030/viewer/2022040317/5e2fb25ec137823e49015d3a/html5/thumbnails/16.jpg)
© 2019 Association of Certified Fraud Examiners, Inc. 16 of 27
Choosing a Risk Management Framework
▪ Might start with COSO or ISO framework as is
▪ But should customize to the organization and its
needs based on:
• Organizational structure
• Nature of operations
• Environment(s)
• Size
• Nature of risks
![Page 17: Fraud Risk Management...IC ↔ FRM ↔ ISO 31000 IC 2013 Component FRM 2016 Principle ISO 31000 Framework ISO 31000 Process Control environment The organization establishes and communicates](https://reader030.vdocuments.mx/reader030/viewer/2022040317/5e2fb25ec137823e49015d3a/html5/thumbnails/17.jpg)
© 2019 Association of Certified Fraud Examiners, Inc. 17 of 27
Fraud Risk Management Guide 2016
▪ Published by COSO in collaboration with the
ACFE
▪ Five principles of FRM:
• One aligned with each of the five components of
internal control
▪ Supported by individual points of focus for each
principle
▪ Not formally linked to COSO ERM 2017, but
there are several connections
![Page 18: Fraud Risk Management...IC ↔ FRM ↔ ISO 31000 IC 2013 Component FRM 2016 Principle ISO 31000 Framework ISO 31000 Process Control environment The organization establishes and communicates](https://reader030.vdocuments.mx/reader030/viewer/2022040317/5e2fb25ec137823e49015d3a/html5/thumbnails/18.jpg)
© 2019 Association of Certified Fraud Examiners, Inc. 18 of 27
IC ↔ FRM ↔ ERMIC 2013
ComponentFRM 2016 Principle
ERM 2017
Component
Control
environment
The organization establishes and
communicates a fraud risk
management program that
demonstrates the expectations of the
board of directors and senior
management and their commitment to
high integrity and ethical values
regarding managing fraud risk.
Governance and
culture
Risk assessment The organization performs
comprehensive fraud risk assessments
to identify specific fraud schemes and
risks, assess their likelihood and
significance, evaluate existing fraud
control activities, and implement
actions to mitigate residual fraud risks.
Strategy and
objective-setting
![Page 19: Fraud Risk Management...IC ↔ FRM ↔ ISO 31000 IC 2013 Component FRM 2016 Principle ISO 31000 Framework ISO 31000 Process Control environment The organization establishes and communicates](https://reader030.vdocuments.mx/reader030/viewer/2022040317/5e2fb25ec137823e49015d3a/html5/thumbnails/19.jpg)
© 2019 Association of Certified Fraud Examiners, Inc. 19 of 27
IC ↔ FRM ↔ ERM
IC 2013
ComponentFRM 2016 Principle
ERM 2017
Component
Control activities The organization selects, develops, and
deploys preventive and detective fraud
control activities to mitigate the risk of
fraud events occurring or not being
detected in a timely manner.
Performance
Information and
communication
The organization establishes a
communication process to obtain
information about potential fraud and
deploys a coordinate approach to
investigation and corrective action to
address fraud appropriately and in a
timely manner.
Information,
communication, and
reporting
![Page 20: Fraud Risk Management...IC ↔ FRM ↔ ISO 31000 IC 2013 Component FRM 2016 Principle ISO 31000 Framework ISO 31000 Process Control environment The organization establishes and communicates](https://reader030.vdocuments.mx/reader030/viewer/2022040317/5e2fb25ec137823e49015d3a/html5/thumbnails/20.jpg)
© 2019 Association of Certified Fraud Examiners, Inc. 20 of 27
IC ↔ FRM ↔ ERM
IC 2013
ComponentFRM 2016 Principle
ERM 2017
Component
Monitoring
activities
The organization selects, develops, and
performs ongoing evaluations to
ascertain whether each of the five
principles of fraud risk management is
present and functioning and
communicates fraud risk management
program deficiencies in a timely manner
to parties responsible for taking
corrective action, including senior
management and the board of
directors.
Review and revision
![Page 21: Fraud Risk Management...IC ↔ FRM ↔ ISO 31000 IC 2013 Component FRM 2016 Principle ISO 31000 Framework ISO 31000 Process Control environment The organization establishes and communicates](https://reader030.vdocuments.mx/reader030/viewer/2022040317/5e2fb25ec137823e49015d3a/html5/thumbnails/21.jpg)
© 2019 Association of Certified Fraud Examiners, Inc. 21 of 27
IC ↔ FRM ↔ ISO 31000
IC 2013
ComponentFRM 2016 Principle
ISO 31000
Framework
ISO 31000
Process
Control
environment
The organization establishes and
communicates a fraud risk
management program that
demonstrates the expectations of the
board of directors and senior
management and their commitment to
high integrity and ethical values
regarding managing fraud risk.
Leadership and
commitment
Design
Establish the
scope, context,
and criteria
Risk
assessment
The organization performs
comprehensive fraud risk
assessments to identify specific fraud
schemes and risks, assess their
likelihood and significance, evaluate
existing fraud control activities, and
implement actions to mitigate residual
fraud risks.
Design
Implementation
Risk assessment:
− Identification
− Analysis
− Evaluation
![Page 22: Fraud Risk Management...IC ↔ FRM ↔ ISO 31000 IC 2013 Component FRM 2016 Principle ISO 31000 Framework ISO 31000 Process Control environment The organization establishes and communicates](https://reader030.vdocuments.mx/reader030/viewer/2022040317/5e2fb25ec137823e49015d3a/html5/thumbnails/22.jpg)
© 2019 Association of Certified Fraud Examiners, Inc. 22 of 27
IC ↔ FRM ↔ ISO 31000IC 2013
ComponentFRM 2016 Principle
ISO 31000
Framework
ISO 31000
Process
Control
activities
The organization selects, develops,
and deploys preventive and
detective fraud controls activities to
mitigate the risk of fraud events
occurring or not being detected in a
timely manner.
Integration
Implementation
Risk treatment
Information
and
communication
The organization establishes a
communication process to obtain
information about potential fraud
and deploys a coordinate approach
to investigation and corrective
action to address fraud
appropriately and in a timely
manner.
Implementation
Evaluation
Communication
and consultation
![Page 23: Fraud Risk Management...IC ↔ FRM ↔ ISO 31000 IC 2013 Component FRM 2016 Principle ISO 31000 Framework ISO 31000 Process Control environment The organization establishes and communicates](https://reader030.vdocuments.mx/reader030/viewer/2022040317/5e2fb25ec137823e49015d3a/html5/thumbnails/23.jpg)
© 2019 Association of Certified Fraud Examiners, Inc. 23 of 27
IC ↔ FRM ↔ ISO 31000
IC 2013
ComponentFRM 2016 Principle
ISO 31000
Framework
ISO 31000
Process
Monitoring
activities
The organization selects, develops,
and performs ongoing evaluations to
ascertain whether each of the five
principles of fraud risk management is
present and functioning and
communicates fraud risk management
program deficiencies in a timely
manner to parties responsible for
taking corrective action, including
senior management and the board of
directors.
Evaluation
Improvement
Monitoring and
review
![Page 24: Fraud Risk Management...IC ↔ FRM ↔ ISO 31000 IC 2013 Component FRM 2016 Principle ISO 31000 Framework ISO 31000 Process Control environment The organization establishes and communicates](https://reader030.vdocuments.mx/reader030/viewer/2022040317/5e2fb25ec137823e49015d3a/html5/thumbnails/24.jpg)
© 2019 Association of Certified Fraud Examiners, Inc. 24 of 27
The Fraud Risk Management Process
1. Establish a fraud risk management policy as part of organizational
governance.
2. Perform a comprehensive fraud
risk assessment.
3. Select, develop, and deploy preventive
and detective fraud control activities.
4. Establish a fraud reporting process and
coordinated approach to investigation and corrective action.
5. Monitor the fraud risk management process,
report results, and improve the process.
![Page 25: Fraud Risk Management...IC ↔ FRM ↔ ISO 31000 IC 2013 Component FRM 2016 Principle ISO 31000 Framework ISO 31000 Process Control environment The organization establishes and communicates](https://reader030.vdocuments.mx/reader030/viewer/2022040317/5e2fb25ec137823e49015d3a/html5/thumbnails/25.jpg)
© 2019 Association of Certified Fraud Examiners, Inc. 25 of 27
What Is Fraud Risk?
▪ The vulnerability that an organization has to
those capable of overcoming the three
elements of the Fraud Triangle
▪ Comes from both internal and external sources
▪ Differs from other risks because fraud, by
definition, entails intentional misconduct
designed to evade detection
![Page 26: Fraud Risk Management...IC ↔ FRM ↔ ISO 31000 IC 2013 Component FRM 2016 Principle ISO 31000 Framework ISO 31000 Process Control environment The organization establishes and communicates](https://reader030.vdocuments.mx/reader030/viewer/2022040317/5e2fb25ec137823e49015d3a/html5/thumbnails/26.jpg)
© 2019 Association of Certified Fraud Examiners, Inc. 26 of 27
Types of Fraud Risk
▪ Inherent risk—risk present before management
takes action
▪ Residual risk—risk that remains after
management takes action
![Page 27: Fraud Risk Management...IC ↔ FRM ↔ ISO 31000 IC 2013 Component FRM 2016 Principle ISO 31000 Framework ISO 31000 Process Control environment The organization establishes and communicates](https://reader030.vdocuments.mx/reader030/viewer/2022040317/5e2fb25ec137823e49015d3a/html5/thumbnails/27.jpg)
© 2019 Association of Certified Fraud Examiners, Inc. 27 of 27
Factors Influencing Fraud Risk
▪ The nature of the business
▪ Economic conditions
▪ The operating environment
▪ The ethics and values of the company and its
people
▪ Technology
▪ The legal environment
▪ The effectiveness of internal controls
![Page 28: Fraud Risk Management...IC ↔ FRM ↔ ISO 31000 IC 2013 Component FRM 2016 Principle ISO 31000 Framework ISO 31000 Process Control environment The organization establishes and communicates](https://reader030.vdocuments.mx/reader030/viewer/2022040317/5e2fb25ec137823e49015d3a/html5/thumbnails/28.jpg)
© 2019 Association of Certified Fraud Examiners, Inc. 28 of 27
Who Is Responsible for
Managing Fraud Risk?
▪ Team responsible for executing, monitoring,
and ensuring success:
• Executive management
• Audit committee
• Investigations group
• Compliance
• Controller’s group
• Internal audit
• IT
• Security
• Legal department
• Human resources
![Page 29: Fraud Risk Management...IC ↔ FRM ↔ ISO 31000 IC 2013 Component FRM 2016 Principle ISO 31000 Framework ISO 31000 Process Control environment The organization establishes and communicates](https://reader030.vdocuments.mx/reader030/viewer/2022040317/5e2fb25ec137823e49015d3a/html5/thumbnails/29.jpg)
© 2019 Association of Certified Fraud Examiners, Inc. 29 of 27
Who Is Responsible for
Managing Fraud Risk?
▪ The team should have a
designated leader.
▪ Synergy and
communication are keys
to success.