anti fraud program

Strategies for Implementing a Formal and Effective Anti-Fraud Program Josh Shilts CPA/CFF, CFE


Post on 19-Jan-2017


TRANSCRIPT

Page 1: Anti fraud program

Strategies for Implementing a Formal and Effective Anti-Fraud Program

Josh Shilts CPA/CFF, CFE

Page 2: Anti fraud program

MIS Training Institute Session 13 - Slide 2

Key Points

We will NOT discuss:
• The definition of Fraud
• Types & Categories of Fraud
• Why people commit fraud

What we will do:
• Discuss steps for you to use in implementing your anti-fraud program (“AFP”)
• Assess and understand fraud management & forensic accounting techniques
• Understand what is necessary for an anti-fraud program to be effective in your organization
• Review tools that can be used by you in implementing an anti-fraud program

Page 3: Anti fraud program


Anti-Fraud Program Objective

Prevent or detect the occurrence of fraud and implement proactive solutions to reduce or eliminate fraud’s effects on the organization…

Page 4: Anti fraud program


Before We Begin, Remember…

The design of an organization’s formal and effective anti-fraud program evolves from the collaborative efforts of executive management, oversight committees, and specific departments within the organization…

YOU CAN’T DO IT ALONE

Page 5: Anti fraud program


Pre-Implementation Steps

Benchmark

What are we doing now?
• “Routine” Audits
• SOX & other regulatory audits
• Code of Conduct
• Management Oversight (financial reconciliation, expense reporting reviews, etc.)

VS.

What can we be doing?
• Continuous Assurance
• Training (auditors, business owners)
• Anti-fraud audit procedures
• Enhanced Due Diligence procedures (employee hiring, vendor on-boarding, etc.)

Management Buy-In
• Potential cost savings
  Ex. 5% (per ACFE the avg. loss) × Gross Expenses
• Operational Improvements
• Strengthen Control Environment
• Identify Operational Efficiencies
• Risks lead to Opportunities

Page 6: Anti fraud program


Benchmark/GAP Analysis

• Identify “Best Practices” and other sources to Benchmark existing activities against to identify elements already established…
• Analyze current procedures and protocols to determine if applicable to anti-fraud initiatives…
• Engage others within your organization and executive management to provide feedback on existing practices…
• Document and present your analysis…

| Element | Activity | Exceeds / Meets / Does Not Meet Expectations | Responsible Party(s) | Enhancement Opportunities |
|---|---|---|---|---|
| Prevention | Anti-Fraud Training | X | Compliance | Begin training within specific departments (i.e. Acctg.) |
| Investigation & Corrective Action | Investigative process is clearly defined | X | Compliance & Security | Formalize investigation process and define specific roles & responsibilities |
| Detection | Analytical Reviews | X | Internal Audit | Review analytical programs to determine if enhancement areas exist |

Assign activities to meet element objectives and determine if your program is meeting those defined objectives…

Page 7: Anti fraud program


Established Benchmark Guidance

Assess current procedures against established frameworks/guidance…

Identify opportunities for improvement (e.g. modify or implement procedures, protocols, etc)...

IIA, ACFE and AICPA’s “Managing the Business Risk of Fraud: A Practical Guide”, April 2008

IIA’s International Professional Practices Framework (“IPPF”) – Practice Guide: “Internal Auditing and Fraud”, December 2009

Page 8: Anti fraud program


1210.A2 – Internal auditors must have sufficient knowledge to evaluate the risk of fraud and the manner in which it is managed by the organization, but are not expected to have the expertise of a person whose primary responsibility is to detect and investigate fraud;

1220.A1 – Internal auditors must exercise due professional care by considering the...probability of significant errors, fraud, or noncompliance...;

2120.A2 – The internal audit activity must evaluate the potential for the occurrence of fraud and how the organization manages fraud risk;

2210.A2 – Internal auditors must consider the probability of significant errors, fraud, noncompliance, and other exposures when developing the engagement objectives; and

2060 – The chief audit executive must report periodically to senior management and the board of directors on the internal audit activity’s purpose, authority, responsibility, and performance relative to its plan. Reporting must also include significant risk exposures and control issues, including fraud risks, governance issues, and other matters needed or requested by senior management and the board of directors.

IIA Fraud Standards

Guidance provided by The IIA’s International Professional Practices Framework

Page 9: Anti fraud program


Governance - The program should include a written policy (or policies) to convey the expectations of the board of directors and the executive management team regarding managing fraud risk.

Fraud Risk Assessment - An organization’s fraud risk exposure should be assessed periodically by the organization to identify specific scenarios that the organization needs to mitigate.

Prevention - Prevention techniques to avoid potential key fraud risk events should be established, where feasible, to mitigate possible impacts on the organization.

Detection - Detection techniques should be established to uncover fraud events when preventive measures fail or unmitigated risks are realized.

Investigation & Corrective Action - A reporting process should be in place to solicit input on potential fraud and a coordinated approach to investigation and corrective action should be used to help ensure potential fraud is addressed appropriately and timely. The investigative function should be coordinated between appropriate parties selected by management.

Anti-Fraud Program Elements

Page 10: Anti fraud program


Benchmark/Gap Analysis

Responsibility matrix columns: Elements of Effective Anti-Fraud Management | Executive Leadership | Compliance | Legal | Audit | Security | Accounting | HR

• Tone at the Top: X
• Code of Conduct: X X
• Establish & Maintain System of Internal Controls: X X
• Internal Control Reviews: X
• Deter & Detect Potential Conflicts of Interest: X X
• Hotline Administration: X
• Investigation of Fraud Allegations: X X X X
• Referral to Law Enforcement: X
• Fraud & Compliance Awareness Training: X X
• Civil Litigation and Recovery of Losses Due to Fraud: X
• Corrective Actions / Remediation to Prevent Recurrences of Fraud: X
• Proactive Fraud Auditing: X
• Fraud Risk Assessment: X X
• Employee Assistance Program: X

Responsibility matrices can assist you in identifying and assigning responsibilities…

Use the matrix to benchmark, clearly define roles & responsibilities and periodic evaluations…

Page 11: Anti fraud program


Governance

Image obtained from the ACFE’s article “Who Owns Fraud? Uniting Everyone to Effectively Manage the Anti-Fraud Program” by Dan Tropey, CPA and Mike Sherrod, CFE, CPA

Page 12: Anti fraud program


Governance Best Practices

Formal Anti-Fraud Policy – conveying the expectations of the board of directors and executive management. The policy (or policies) can include:
• Organization’s Definition of Fraud
• Organization’s attitude toward fraud (i.e. Zero-Tolerance, Materiality)
• Relationship between anti-fraud and Code of Conduct
• Summary of Fraud Control Strategies
• Overview of Fraud Risk Management functions
• Procedures for Reporting Fraud (i.e. Whistleblower Hotline)
• HR Employment Conditions and Processes
• Investigation Procedures (e.g. Confidentiality Protocol, Privilege, Fraud Response Management, Root-Cause Analysis)
• Department/Committee Roles & Responsibilities
• Attitude towards retaliation

Page 13: Anti fraud program


Risk Assessment Process

[Process diagram: Identify, Analyze, Assess, Implement, Monitor, Plan]

Page 14: Anti fraud program


Risk Assessment - Categories

*Refer to the 2010 Report to the Nations on Occupational Fraud and Abuse, ACFE

Present your “FRA” at a level that board members/executive management can understand…

Use these categories and a Top-Down approach to build your Fraud Scheme Repository …

Page 15: Anti fraud program


Risk Assessment – Fraud Scheme Mngt.

Using the categories defined for presentation purposes, build a granular fraud scheme repository specific to your organization’s activities & risks…

The repository schemes can then be tracked and measured at a granular level and rolled up to assist in measuring the sub-risk and categories…

| Fraud Scheme | Sub Risk | Category |
|---|---|---|
| Vendor A is required to pay the bidding manager $2,000 to participate in the bidding process | Extortion | Corruption |
| Funds are misappropriated to a shell company. Vendor setup is colluding with accounts payable. | Fraudulent Disbursement – Billing Scheme | Asset Misappropriation |
| Management has decided to book revenue for items shipped and ships items to meet expectations. | Financial – Fictitious Revenues | Fraudulent Statements |

KPIs
1. Hotline Statistics
2. SEC Enforcement Actions

Mitigation Actions
1. SOX Controls
2. Audit Procedures

Page 16: Anti fraud program


Risk Assessment - Measures

KPIs and Mitigating Activities provide “real” data to support your assessment; however, Management should be updated and risks ranked by using the…

Magnitude (i.e. Significance):
• High (3) = > $10 Million
• Med (2) = Between $4 Million and $10 Million
• Low (1) = < $4 Million

Likelihood (i.e. Controls, Mitigating Activity):
• Strong (1) = Preferred Practice
• Good (2) = Adequate
• Low (3) = Needs Improvement

Likelihood (i.e. Pressure, Occurrence):
• High (3) = Significant pressure
• Med (2) = Moderate pressure
• Low (1) = Little to no pressure

Magnitude + Likelihood [(Controls) + (Pressure)] = Rank

$s should reflect your Organization’s Appetite

Page 17: Anti fraud program


Risk Assessment - Presentation

Magnitude
• 5 = Major (>$50M)
• 4 = Substantial (>$25M)
• 3 = Moderate (>$10M)
• 2 = Minor (>$1M)
• 1 = Insignificant (<$1M)

Define how Financial Impact is measured (i.e. Net Income, Revenues, etc.)

Likelihood
• 1 = Remote
• 2 = Unlikely
• 3 = Possible
• 4 = Likely
• 5 = Almost Certain

[Heat Map: risks numbered 1 to 15 plotted by Magnitude against Likelihood]

Other Measures

(1) Velocity – Measurement of the rate of change…
· Measure as Immediate, Rapid or Slow

(2) Risk – Gross & Residual: Gross before Mitigating Activities and Residual Measures After
· Measure as High, Medium or Low

Page 18: Anti fraud program


Prevention

Prevention techniques are as varied as the industries and size of businesses we work in…

• Company/Department Policies & Procedures
• Training
• Internal Audit Activity
• “Tone at the Top”
• Background Checks
• External Audit
• Vendor Due Diligence
• Established Authority Limits
• Exit Interviews
• Evaluation Performance & Compensation Programs
• Security Cameras
• Segregation of Duties
• IT Access Controls
• SOX/ICFR
• Perception of Detection
• Anti-Retaliation Policy

Page 19: Anti fraud program


Prevention – Keep your Ears on the Track

Continue to improve & enhance these activities based on past experiences, new concepts and information from your fraud risk assessment…

1. Integrate current activities with anti-fraud objectives

2. Continue to assess preventative activities as part of audit and SOX procedures and identify ways to improve prevention activities

3. Adjust preventive activities based upon new ideas, frauds, etc.

4. Seek feedback from business owners

5. Try to stay ahead of the Fraudster by educating yourself and your team

Page 20: Anti fraud program


Detection

Structured
• Audits
  · Fraud Training/Planning embedded in plan
  · Fraud-Specific Audits
  · Other Department Audits
• Continuous Assurance
  · Base review areas on Assessment
  · Analytic Tools
• SOX/IFRS Control Reviews
• Whistleblower Programs
• Analytical Financial Data Reviews

Unstructured
• Emails, Instant Messages
  · Key Word Searches
  · Base on high risk areas
• Memos, Contracts, Invoice Details, etc.
  · Dates, $s, names, etc.

Page 21: Anti fraud program


Detection – Use Existing Knowledge

Leading & Lagging Indicators

1. Hotline Complaints
2. Fraud Risk Research Stats
3. New Audits w/ Fraud Objectives

1. Ratio Analysis
2. Prior Audit Findings
3. Hotline Complaint Trends

Audit Planning & Testing Training

SOX/ICFR Testing Continuous Monitoring Focus Areas

Fraud Risk Assessment

Audit Planning

Policy Objectives

Management/Employee Awareness

Page 22: Anti fraud program


Detection – Fraud Materiality

Materiality is a concept or convention within auditing and accounting relating to the importance/significance of an amount, transaction, or discrepancy

FRAUD HAS NO MATERIALITY

1. Define your company’s fraud appetite

2. Review local laws/regulations for guidance on criminal fraud amounts

3. Project potential total losses over time

ASSESS & DECIDE

Page 23: Anti fraud program


Concept of Forensic Accountant vs. Fraud Manager

Forensic accountants are experienced auditors, accountants, and investigators of legal and financial documents that are hired to look into possible suspicions of fraudulent activity within a company…

Whereas various individuals are fraud managers in that they assist in the deterrence and/or detection of fraud or indications of fraud…

Page 24: Anti fraud program


Investigation & Corrective Action

1. A reporting process should be in place to solicit input on potential fraud.

2. A coordinated approach to investigation and corrective action should be used to help ensure potential fraud is addressed appropriately and timely (“Fraud Response Plan”).

3. The investigative function should be coordinated between appropriate parties selected by management (Who is the quarterback?).

4. The function should clearly define the roles and responsibilities of identifying, responding to and reporting an alleged fraud, including internal and external resources. Build the investigation team based upon skill sets.

5. Each part of the investigative process should be clearly documented and reported. Legal should be involved within the process to provide guidance.

6. Maintain consistent disciplinary procedures. “Set the tone” within the organization with respect to fraud.

7. As part of this process, management should review the investigation’s findings to determine what the appropriate follow-up should be.

8. The investigative team should also periodically review their process to determine if there are improvement opportunities (i.e. learning roundtables).

Page 25: Anti fraud program


Investigation & Corrective Action

Corrective actions can include a root-cause analysis, internal control or process improvement reviews and/or criminal or civil actions…

• Coordinate remediation action steps across business units
• Utilize the investigation findings to determine the likelihood of the potential fraud risk reoccurring and learn how to effectively mitigate the action
• Determine the value of your actions and present to management

Page 26: Anti fraud program


Now What?

Prioritize Your Next Steps

• Management Buy In
• Explain the value (Regulations or $ Savings)
• Find your place at the “Table”
• Internal Audits Role
• Define your Plan
• Risk Assessment, Detection/Prevention
• Measure, Assess and Adjust
• Manage resources efficiently and effectively

NEVER Stop Thinking of New Ways to Prevent or Detect Fraud

Page 27: Anti fraud program


Questions