managing fraud risk in the digital age · 2019-11-24 · coso fraud risk management framework the...
Post on 21-Jun-2020
© 2019 Protiviti Member Firm Middle East LLC CONFIDENTIAL – This document is for your organization’s internal use only and should not be copied or distributed to any third party.
Agenda
1 FRAUD FACTS
2 COSO FRAUD RISK MANAGEMENT FRAMEWORK
3 THE NEED FOR DIGITAL TOOLS
4 DATA ANALYTICS IN FRAUD RISK MANAGEMENT
5 ACHIEVING REAL TIME MONITORING
6 PREDICTIVE ANALYTICS
THE NEED FOR FRAUD PREVENTION
Employees at the following level perpetrated fraud:
• 41% by employees;
• 33% by managers; and
• 23% by Owners and Executives
Fraud cases reported by Departments:
• 13% from Purchasing and Sales;
• 12% from Operations Department; and
• 10% from Executives and Senior Management
Key figures:
• Fraud cases in MENA involved misappropriation of assets: 80%
• Private companies in MENA victimized by fraud: 50%
• Banking & Financial services industry had the highest cases reported: 19%
• Increase in losses owing to fraud since 2009: 56.5%
• Median duration of fraud scheme in MENA prior to detection: 18 months
Sources: The Financial Cost of Fraud 2019 – The latest data from around the world (Jim Gee and Professor Mark Button) and ACFE Report to the Nations – 2018 Global Study on MENA
COSO FRAUD RISK MANAGEMENT FRAMEWORK
The COSO Framework’s Five Components:
• Control Environment
• Fraud Risk Assessment
• Control Activities
• Information & Communication
• Monitoring Activities
Activities shown against the components:
• Setting the right “tone at the top” with zero tolerance to fraud
• Establishing a Fraud Risk Management Program that includes fraud risk governance policies and procedures
• Performing comprehensive fraud risk assessments to identify potential fraud scenarios and inherent fraud risks
• Evaluating the effectiveness of the existing internal controls
• Implementing actions to mitigate residual fraud risks
• Designing and implementing fraud preventive and detective control activities
• Fraud awareness training session
• Establishing a trusted communication process to obtain information about potential fraud
• Establishing a sound approach to investigation and corrective actions to address fraud appropriately and in a timely manner
• Performing on-going evaluations to assess the fraud risk management program and report any deficiencies identified
“The goal is to turn data into information,
and information into insight.”
- Carly Fiorina, former Executive, President, and Chair of Hewlett-Packard Co.
THE NEED FOR DIGITAL TOOLS
Today, fraud is prevalent across most industries and has become increasingly sophisticated and complicated. The ACFE reported that organizations lose around 5% of revenue to fraud every year (almost a gross loss of USD 4 trillion a year).
Organizations implementing proactive data monitoring detect frauds 58% faster and experience losses that are 52% lower than organizations that don’t. (Source: ACFE 2018 Report to the Nations)
With an increase in transactional channels and different data streams, and the shift towards real-time decision making, there is a pressing need for digital tools that are able to detect potential fraud in real time.
As organizations operate with growing volumes of data, it is necessary to implement data analytics processes in order to identify anomalies in their data or behavioral patterns which may potentially be fraudulent.
DATA ANALYTICS IN FRAUD RISK
MANAGEMENT
The team will make recommended changes to the following key areas based on our analysis to drive improvements and efficiencies:
• E-mail and e-Communications (social media, collaborative tools (instant messaging, etc.))
• Confidential and Vital Records handling
• Legal Hold procedures
• Alternate storage media (Portable USB, etc.)
• Archive and Back-up
• Records Disposition
• Agree on Definition (Transfer, Convert, Archive, or Destroy)
• Release to 3rd Parties
• Conversion for permanent preservation
• Exception Handling procedures
Data analytics, as it applies to fraud examination, refers to the use of analytics software to identify trends, patterns, anomalies, and exceptions within data:
• The standard audit approach of sample testing is a valid audit approach; however, it is not as effective for fraud detection and prevention purposes;
• Fraud data analysis requires the effective use of technological tools to translate the data and information of an organization into analytics tests that provide deeper insight into how well internal controls are operating;
• Data analytics enables organizations to connect information from different data sources in order to analyze trends and identify anomalies which could be potential instances of fraud or noncompliance;
• Proactive data analysis and continuous monitoring are effective anti-fraud controls and help reduce fraud losses and fraud scheme duration;
• Fraud investigation skills are applied to the data analysis results in order to review potential instances of fraud or identified red flags.
USING DATA ANALYTICS IN FRAUD RISK MANAGEMENT
The simple idea for using data analytics to detect fraud is to analyze an entire population of transactional data in order to identify anomalies or other indicators of fraudulent activities within an organization.
The different ways data analysis can be used:
• Statistical analysis: designed to identify the anomalies and irregular transactions that are outside of the norm
• Analytic testing: designed to test for specific fraud scenarios or schemes that may indicate a high probability of fraud
• Comparative testing: designed to compare and connect data from different sources and systems in ways that could not have been done manually
DATA ANALYTICS SOLUTION
[Diagram: components of the data analytics solution]
• Data Collection Engine & Data Cleansing
• Data Store
• Pre-defined Rules and Queries, Control Mapping
• Data Analytics Systems and Tools
• Configurable Rules, Custom Analytics Algorithms
• High impact reporting with visualization tools
• Different Data Points and Sources
• Identification of anomalies, non-compliance and red flags
• Apply investigative skills and tools
TYPES OF DATA
Unstructured data
• Email and instant messages
• Payment text descriptions
• Social media activity
• Corporate document repositories
• News feeds
Structured data
• Sales records
• Payment or expense details
• Payroll details
• Inventory records
• Financial reports
Sources
• ACCOUNTING AND FINANCIAL
• CUSTOMER DETAILS
• VENDOR DETAILS
• EXTERNAL BENCHMARKING
• INTERNAL COMMUNICATION
• HUMAN RESOURCES
INDICATIVE TESTS USING DATA ANALYTICS
Below are some examples of data analyses that are conducted to detect potential fraud or suspicious transactions.
Test categories:
• Fraud Indicators
• Financial Misstatements
• Policy Compliance
• Trend Indicators
• Process Inefficiency
Tests and reports:
• Multiple Vendors Same Bank Account
• Payments to Employees
• Duplicate Payments
• PO Aging Analysis
• Date Sequence
• Discrepancies between related documents via 3-way match (PO > GRN > Invoice)
• Suspicious Payment Date
• Split Purchase Orders
• Split Invoices
• Payments to Prohibited Vendors
• Segregation of duties has been violated
• AP Summary Report
• Vendor / Employee Correlation Report
• PO / Invoice / Payment Correlation Report
• Additional Charges: situations where the ratio of supplemental charges on an invoice (e.g. shipping, handling, tax, etc.) exceeds a specified % or CURR threshold
• Suspicious Purchase
• Suspicious Vendors
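As an added illustration (not part of the original slides), the sketch below runs four of the indicative tests listed above over a full population of records rather than a sample. The vendor, employee and invoice data are constructed, and the field layout, the 5,000 approval limit and the 7-day window are assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample master data and ledger (not from the slides).
VENDORS = {"V1": "ACCT-1001", "V2": "ACCT-2002", "V3": "ACCT-1001", "V4": "ACCT-9009"}
EMPLOYEES = {"E7": "ACCT-9009", "E8": "ACCT-5005"}
INVOICES = [  # (invoice_no, vendor_id, amount, invoice_date)
    ("INV-100", "V1", 4200.00, date(2019, 3, 1)),
    ("inv 100", "V1", 4200.00, date(2019, 3, 9)),   # re-keyed duplicate
    ("INV-201", "V2", 4900.00, date(2019, 4, 2)),   # three invoices, each just
    ("INV-202", "V2", 4800.00, date(2019, 4, 3)),   # under the assumed limit
    ("INV-203", "V2", 4700.00, date(2019, 4, 4)),
    ("INV-300", "V4", 1500.00, date(2019, 5, 6)),
]

def shared_bank_accounts(vendors):
    """Multiple vendors, same bank account."""
    by_acct = defaultdict(list)
    for vid, acct in vendors.items():
        by_acct[acct].append(vid)
    return {a: sorted(v) for a, v in by_acct.items() if len(v) > 1}

def vendor_employee_matches(vendors, employees):
    """Vendor / employee correlation: vendor account equals an employee account."""
    acct_to_emp = {acct: eid for eid, acct in employees.items()}
    return sorted((vid, acct_to_emp[a]) for vid, a in vendors.items() if a in acct_to_emp)

def duplicate_payments(invoices):
    """Same vendor and amount, invoice number equal after normalisation."""
    seen = defaultdict(list)
    for no, vid, amt, _ in invoices:
        key = (vid, "".join(ch for ch in no.upper() if ch.isalnum()), round(amt, 2))
        seen[key].append(no)
    return sorted(nos for nos in seen.values() if len(nos) > 1)

def split_invoices(invoices, limit, window_days=7):
    """Vendors whose sub-limit invoices inside one window add up past the limit."""
    by_vendor, flagged = defaultdict(list), {}
    for no, vid, amt, d in invoices:
        if amt < limit:
            by_vendor[vid].append((d, amt, no))
    for vid, rows in by_vendor.items():
        rows.sort()
        for i, (start, _, _) in enumerate(rows):
            run = [r for r in rows[i:] if r[0] - start <= timedelta(days=window_days)]
            if len(run) > 1 and sum(r[1] for r in run) > limit:
                flagged[vid] = [r[2] for r in run]
                break
    return flagged
```

Each function returns exceptions only, which are leads for an investigator to review rather than findings of fraud.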
BENEFITS OF DATA ANALYTICS
• Mitigating Budget and Resource CONSTRAINTS
• Significantly REDUCE SAMPLING ERRORS and improve internal controls
• Reduce DEPENDENCY on SME / Consultants
• 100% COVERAGE resulting in increase in breadth and depth of coverage
• PROACTIVE MONITORING of fraud risks, REAL TIME response
• Once Process is setup AVAILABILITY and RELIABILITY of data is ascertained
• Increase VISIBILITY and CREDIBILITY within the organization
CONTINUOUS MONITORING IN FRAUD RISK MANAGEMENT
It is important to detect fraud sooner rather than later in order to minimize the losses and damages caused by fraud. Continuous monitoring enables organizations to repeat the established data analytic tests against the most recent and new transactions.
What does this mean?
Automating the process of data collection and generating data analytics to detect potential fraudulent activities:
• Running the scripts and fraud rules that have already been established to test for different indicators of fraud on a regular basis. The frequency will depend on the objective of each test and the size of the organization.
• The exceptions identified will automatically be routed to the selected department for further review.
PROCESS MINING
Process mining tools gather all process trails within a business and provide data analysis in real time. They can identify control deficiencies and exceptions in the process which may be indicators of fraud risks, such as deviation from the standard process, bypass of controls or non-segregation of duties.
In all organizations, many processes are running simultaneously at any point in time.
Each process is managed separately within its own system. These processes can become complex and it gets difficult to obtain transparency.
Large volumes of data are generated and maintained within each system in silos.
IMPACT OF PROCESS
• Full transparency of all running processes enables the detection of all non-compliant processes and fraud;
• Make improvements and monitor in real time; and
• Provides proactive insights and fast root-cause analysis
ACHIEVING REAL TIME MONITORING
By implementing data analytics and process mining techniques to monitor business transactions in real time, management can identify and respond to potential fraud in real time, reducing the risk of fraud escalation and minimizing losses and damages suffered by fraud.
Data Analytics and Process Mining:
• Smart algorithms reconstruct, analyze and understand the real process.
• Powerful analytics capabilities to automatically analyze data flow through the process in real time.
Real-Time Monitoring:
• Highlight anomalies, bottlenecks and non-compliance in real time and provide advice on how to improve internal control for mitigating fraud risks.
REAL TIME MONITORING
1 Understand business context and process flows
2 Gather data extracts based on scripts.
3 Perform data analysis to test for anomalies and identify variants from the process, gaps and bottlenecks
4 Assessment of analysis of root cause of variant and high risk anomalies that may indicate potential fraud.
5 Further investigation warranted on high risk anomalies and provide recommendation to enhance the control activities.
6 High impact reporting of variants, gaps or bottlenecks which can be visualized.
Real Time Monitoring for new variants
Data extracts are automatically & continuously refreshed
REAL TIME MONITORING - ANALYTICS MATURITY MODEL
The following maturity model demonstrates how data analysis is used to achieve real time monitoring in an on-going process:
Improving Capability
Initial
• No formal analytics approach, procedures or methodology
• Performed occasionally
• Tools are not readily available
• Limited skills and people dependent
Develop
• Recognized as added value
• Not yet institutionalized
• Relies on a core group
• Tools are available but are not applied consistently or correctly
Defined
• Enforced Analytics Policy
• Established Analytics Methodology
• Use of Analytics Championed by IA Management
• Quality of Analytics Results are evaluated
• Understanding the business purpose of analytics procedures of results
Managed
• Methodology is Institutionalized
• Management involved in the ongoing analytics efforts
• Management understands business issues and root causes
• Re-performance of Analytics Procedures
• Advanced Tools are used
Optimized
• Practices evolved through the first four phases are used to continually improve analytics processes, procedures and results
• Real Time Control Monitoring Tools
APPLICATION OF REAL TIME MONITORING
Below are some elements/areas to cover in data analysis for real time monitoring.
Areas:
• Finance
• Supply Chain
• Network and IT
• Customer / Sales
Elements:
• Procure to Pay
• Travel and Expenses
• Inventory Management
• Receivables/ Cash & Collection, Capex
• Treasury Management Process and EFT Security
• User Access Management
• Journal Entry Testing (General Accounting Testing)
• Customer Care
• Customer Lifecycle Management
• Sales (Direct and Indirect)
• Segregation of Duties
• Vulnerability and Access Control
FUTURE OUTLOOK ON PREDICTIVE ANALYTICS
Predictive analytics enables companies to discover potential fraudulent activity before it occurs. Predictive analysis can assess the likelihood and probability of fraud events occurring. In order to achieve a predictive analytic model, real time monitoring through the use of machine learning and optimized data analytics must take place.
• Efficiency: The ability to automatically apply complex mathematical calculations to big data consistently allows for accurate results while analysing data pertaining to fraudulent events.
• Predicts Likely Events: Through methods like classification, regression, prediction and gradient boosting, patterns are used to predict likely fraud events on the basis of historical data.
• Better Decision Making: By using algorithms to build models that uncover connections, organizations can make better decisions without human intervention.
• Automated Learning: Machine learning often uses an iterative approach to learn from data, hence learning can be easily automated to flag irregular or suspicious events/transactions.
Protiviti is a global consulting firm that delivers deep expertise, objective
insights, a tailored approach and unparalleled collaboration to help
leaders face the future with confidence. Protiviti and our independently
owned Member Firms provide consulting solutions in strategy,
organizational transformation, operations, finance, technology, data,
analytics, governance and risk to our clients through our network of more
than 70 offices in over 20 countries.
We have served more than 60 percent of Fortune 1000® and 35 percent
of Fortune Global 500® companies. We also work with smaller, growing
companies, including those looking to go public, as well as with
government agencies. Protiviti is a wholly owned subsidiary of Robert Half
(NYSE: RHI). Founded in 1948, Robert Half is a member of the S&P 500
index.