
Auditing for Fraud

Planning & Approaches

Today’s Agenda
– Introductions
– What is Fraud?
– Today’s Fraud
– Internal Audit, IT and Fraud
– Managing Fraud as an Organization; How Technology Changed the Game

Introductions: Clark Schaefer Consulting
Regional consultancy headquartered in Cincinnati, Ohio.
Clients range from Fortune 100 to large private companies.
Specializing in project work that is centered around three core competencies:
– Accounting & Finance
– Control/Risk (i.e. Internal Audit/IT Audit)
– Technology (i.e. Systems Changes/IT Security)

Introductions: Sarah Ackerman, CISSP, CISA
Technology practice leader, responsible for overall engagement quality of services provided to clients.
Areas of expertise include information security, risk management, IT audit, and other technology and risk/control services, with in-depth knowledge of a variety of standards, frameworks, and regulations.

Introductions: Rich Thompson, CPA, CIA
Senior Consultant
Specializes in Audit, Risk Assessment, and Accounting.
Internal Audit experience in Healthcare, Retail, & Government.

Introductions: Sara O’Banion
Consultant
Specializes in IT, Fraud and Audit.
Works with clients to improve processes, analyze data and develop effective solutions.

Today’s Agenda: What is Fraud?
What do you think of when you think of fraud?

Why Does Fraud Occur?
The Fraud Triangle: Opportunity, Pressure, Rationalization.
Source: © 2015 American Institute of CPAs - All Rights Reserved, “Why Employees Commit Fraud”

Understand Fraud on Two Levels
Definition – fraud, noun \ˈfrȯd\
: the crime of using dishonest methods to take something valuable from another person
: deliberate deception to secure unfair or unlawful gain
: a copy of something that is meant to look like the real thing in order to trick people
Reality – Limited only by your imagination
• How would you hide it?
• How would you move it?

Opportunity
Element that companies have the most control over.
– Improper segregation of duties
– Lack of/weak internal controls
– Too much trust
– Poor “tone at the top”
– Flexible, uncontrolled management override
Source: Copyright © 2015, Association of Government Accountants

How has IT changed this theory?
– Ability to create fraudulent documents
– Potential for exposure (e.g., hacking, phishing, viruses)
– Data mining

Pressure
Internal:
– Meeting shareholder expectations
– Too much work
– Consequences of poor performance
External:
– Personal financial problems
– Lifestyle needs
– Illicit activities
Source: Copyright © 2015, Association of Government Accountants

Rationalization
– Hostility toward employer
– Unfair wages
– Following along with everyone else
– “Intending” to pay it back
– Belief that the company won’t miss the money
Source: Copyright © 2015, Association of Government Accountants

Impact of Fraud
[Chart: Annual Revenue (Trillions), axis 0 to 4. Global Fraud bar at $3.7 trillion, followed by five comparison bars at $0.49, $0.38, $0.20, $0.19 and $0.18 trillion; the labels of the comparison bars were not preserved.]
Sources: © 2015 Time Inc. All rights reserved; © 2012 Certified Fraud Examiners Inc., Report to the Nations

Traditional Ways to Identify Fraud
Data analysis – Complex and occasionally time consuming investigations.
Data collection – Large samples/clusters of data, if misread, could give a false negative or a false positive.
How can internal audit work to minimize risk? How can you “fix” it?

Non-Traditional Ways to Identify Fraud
Data Analysis – Automation: Data analysis software
• Allows management to identify and respond quickly to red flags, reducing the risk of fraud escalation.
Data Collection – Cloud technology and advanced computing tools
• Effective automation of data collection, improved data quality, and a reduction in the time required for data validation.

Non-Traditional Ways to Identify Fraud with IT
Let data mining work FOR you:
– Link analysis
– Data visualization
– Predictive modeling

Fraud Tree
Corruption: Dishonest or illegal behavior, especially by powerful people. The misuse of entrusted power for personal gain.
Asset Misappropriation: Theft or embezzlement of company assets.
Financial Statement Fraud: Deliberate misrepresentation, misstatement or omission of financial statement data.

[Chart: percent of cases and median loss per case by category]
Category                  | Percent of Cases | Median Loss Per Case
Asset Misappropriation    | 85.4%            | $130,000
Corruption                | 32.8%            | $250,000
Financial Statement Fraud | 4.8%             | $4,100,000
(Percentages sum to more than 100% because a single case can involve more than one category.)

What Do Fraudsters Look Like?
– 87% first time offenders with clean employment histories
– 84% never punished or terminated for fraud

Perpetrators of Fraud
Position: The majority of occupational frauds were committed by staff at the employee or managerial level.
– Owner/Executive: 19%
– Manager: 36%
– Employee: 42%
Median Loss by Position: The higher the perpetrator’s level of authority, the greater the losses tend to be.
– Employee: $75,000
– Manager: $130,000
– Owner/Executive: $500,000

Department: FRAUD IS NOT LIMITED TO ANY ONE DEPARTMENT
– Accounting: 17%
– Operations: 15%
– Sales: 13%
– Executives/Upper Management: 12%
– Customer Service: 8%
– Purchasing: 7%
– Finance: 5%
– All Other Depts.: 23%
* 77% of frauds originated in one of the seven departments named above.

Fraud Indicators: A few to consider
General
– Too good to be true? It is
– Lack of transparency
– Lack of oversight
Personal
– Financial difficulties – borrowing money from fellow employees
– Someone with extraordinary investment losses or medical expenses
– Changes in a staff member’s lifestyle or behavior
– Overly defensive or argumentative
– Failure to accept a promotion or transfer
Organization
– Management regularly overriding internal controls
– High personnel turnover
– Inventory shortages
– Unrealistic performance expectations

Today’s Agenda: Internal Audit, IT and Fraud; Today’s Fraud

Reasons Why Audits Don’t Catch Fraud
Detecting Fraud is HARD!
– Lack of skill and experience
– Improper planning
– Inappropriate design of audit program, sample selection, or target assertions
– Inability to gather sufficient, appropriate audit evidence
– Failure to exercise professional skepticism

Traditional Training
– Day-to-day coaching
– Intercompany training
  – New hire training process, training individuals as they obtain more responsibility, etc.
– IIA/ACFE auditing courses
– Seminars/conferences
– Certifications – CIA, CFE, CISA
– Continuing education

Non-Traditional Training
– Advanced interviewing techniques
– Forensic accounting
– Trend analysis

Audit Plan – Standard Audit Steps: Pre-work → Narrative Interviews → Process Flows & Walkthroughs → Risk Assessment → Test Fieldwork → Review → Reporting → Follow Up

Annual Audit Plan
– How much of IA’s budget is dedicated to “canned” audits?
– How much is spent with management mandated activities (e.g., MAR, 10-Q assistance)?
– How much time is set aside for consultative and ad-hoc activities?
– How are you incorporating your IT audits? Together as part of the team or separate?

Fraud Planning – High Level
Enterprise-wide risk assessment
– What risks are associated with the company’s overarching goals?
– What are the positive and negative outcomes of meeting/failing to meet those goals?
– What message does upper management send about meeting goals (“tone at the top”)?

Fraud Planning – High Level (cont.)
Enterprise-Wide Risk Assessment: Incentives
– Attached to performance goals, used as a motivational tool
– Increase the risk that an employee will act fraudulently in order to obtain them, especially if the consequences of not meeting goals are severe enough

Risk Assessment
– Assess the likelihood and significance of inherent and residual fraud risk.
– Should include a period of fraud brainstorming where auditors consider all of the controls identified.
– This is also a time to consider the personnel involved with the processes being audited.

Prior Audits
– Are there any non-remediated items?
– Are there any solutions that are different from the audit recommendation?
– Were there any “agree to disagree” items?
– Are the previous tests insufficient for the current audit?

Planning: Identify the Culture
Tone at the Top
– What message does senior level management send to employees in regards to ethical behavior? Fraud is NOT OKAY!
– Are resources being provided to employees telling them how they can identify fraud and help stop it?

Identifying Fraud Prevention
– Is there an affirmation process for upper management’s compliance with code of conduct, fraud, etc.?
– Do policies deter fraud by detailing the consequences of committing fraud?
– Are there annual anti-fraud trainings?
– Are there authority limitations on employees and managers? Are there restrictions on management overrides?
– Are the appropriate internal controls in place (e.g., segregation of duties) to prevent fraud?

Pre-Work: Identifying Fraud Detection Techniques
– Are there anonymous opportunities for whistleblowers?
– Are there process controls to detect fraud, such as physical inventory counts, reconciliations, etc.?
– Are there technological measures (e.g., data analysis) to detect anomalies or trends that could indicate fraud?
– Can the internal audit function assist in detecting fraud?

Preventative Controls Deter Fraud Opportunity… But at What Cost?


Process Flows and Walkthroughs
– Obtain process flow charts in order to identify potential control weaknesses, lack of segregation of duties, etc.
– Perform walkthroughs to examine that the processes are being performed as designed, and that the controls listed exist and are effective.


Audit – Risk Assessment
For repeated audits
– Are previous tests adequate?
– Can a redesign give you greater assurance?
For new audits
– Are the controls well thought out?
– Are the controls too cumbersome?
Don’t hesitate to actually… Think Like A Thief!!!


Test Planning & Design
Design your audit to have the strongest level of testing available, taking into consideration budget and scope.
[Chart: testing methods ranked by Reliability Level against Cost ($), from highest to lowest:]
– Reperformance
– Examination
– Confirmation
– Analytical Procedures
– Observation
– Interview / Inquiry

Supervision
– Set clear expectations
– Discuss the nature, timing, and extent of audit procedures
– Ensure procedures are performed efficiently and effectively
– Review documentation to make sure it sufficiently details tests performed
– Don’t be afraid to discuss fraud!


Fieldwork Review
– What is the overall risk of the process being audited?
– Are there any other conclusions that can be drawn from the completed testing?
– Was testing designed to uncover red flags?
– Do any tests need to be re-performed or redesigned?
– Has the audit team fully thought through the implications of any unexpected items?

Substantive Testing
If no exceptions were found the first time, was the sample accurate for the:
– Period tested
– Specific transaction amounts
  – Round dollar amounts
  – Common amounts
– Specific vendors
  – High # of transactions
  – High # of disputes
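The sample-selection questions above can be turned into a repeatable screen that an audit team runs over the full transaction population before picking a judgmental sample. The Python script below is an added example, not code from this deck or from Clark Schaefer Consulting: it applies the slide’s red-flag criteria (period tested, round-dollar amounts, recurring amounts, vendors with a high number of transactions or disputes) to a constructed set of transactions. The record layout (`Txn`), the thresholds, and the sample data are assumptions chosen for the illustration.

```python
"""Added example (not from the original deck): judgmental sample selection
for substantive testing using the red-flag criteria on the slide.
The record layout, thresholds and transaction data are assumptions made
for this illustration, not a client's data or a firm's tooling."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Txn:
    txn_id: str
    vendor: str
    amount: float      # posted amount in dollars
    posted: date
    disputed: bool = False


# Constructed sample population: not real transactions.
SAMPLE_TXNS = [
    Txn("T001", "Acme Supply",    1250.00, date(2015, 3, 2)),
    Txn("T002", "Acme Supply",    5000.00, date(2015, 3, 9)),
    Txn("T003", "Acme Supply",    5000.00, date(2015, 4, 6)),
    Txn("T004", "Acme Supply",    5000.00, date(2015, 5, 4)),
    Txn("T005", "Acme Supply",     987.35, date(2015, 5, 20), disputed=True),
    Txn("T006", "Acme Supply",    2000.00, date(2015, 6, 1), disputed=True),
    Txn("T007", "Beta Services",   412.17, date(2015, 3, 15)),
    Txn("T008", "Beta Services",  3333.33, date(2015, 4, 15)),
    Txn("T009", "Gamma Freight",  4999.99, date(2015, 4, 1)),
    Txn("T010", "Gamma Freight",   750.00, date(2015, 4, 18)),
    Txn("T011", "Delta Catering",   89.40, date(2015, 2, 12)),
]


def in_period(txns, start, end):
    """Restrict the population to the period under test (inclusive)."""
    return [t for t in txns if start <= t.posted <= end]


def round_dollar_flags(txns, multiple=100):
    """Amounts that are an exact multiple of `multiple` whole dollars.
    Compare in integer cents so float representation cannot cause misses."""
    step = multiple * 100
    return [t for t in txns if round(t.amount * 100) % step == 0]


def common_amount_flags(txns, min_repeats=3):
    """Amounts that recur at least `min_repeats` times in the population."""
    counts = Counter(round(t.amount, 2) for t in txns)
    repeated = {amt for amt, n in counts.items() if n >= min_repeats}
    return [t for t in txns if round(t.amount, 2) in repeated]


def vendor_activity_flags(txns, max_txns=5, max_disputes=2):
    """Vendors with a high number of transactions or of disputed transactions.
    Returns {vendor: [reason, ...]} for every vendor that trips a threshold."""
    stats = defaultdict(lambda: {"txns": 0, "disputes": 0})
    for t in txns:
        stats[t.vendor]["txns"] += 1
        stats[t.vendor]["disputes"] += int(t.disputed)
    flagged = {}
    for vendor, s in stats.items():
        reasons = []
        if s["txns"] >= max_txns:
            reasons.append(f"vendor has high transaction count ({s['txns']})")
        if s["disputes"] >= max_disputes:
            reasons.append(f"vendor has high dispute count ({s['disputes']})")
        if reasons:
            flagged[vendor] = reasons
    return flagged


def build_sample(txns, start, end):
    """Combine the criteria into one sample: {txn_id: [reasons]}.
    `start`/`end` may be date objects or ISO strings such as "2015-03-01".
    Vendor-level reasons attach to every transaction of a flagged vendor."""
    start, end = date.fromisoformat(str(start)), date.fromisoformat(str(end))
    population = in_period(txns, start, end)
    reasons = defaultdict(list)
    for t in round_dollar_flags(population):
        reasons[t.txn_id].append("round-dollar amount")
    for t in common_amount_flags(population):
        reasons[t.txn_id].append("recurring amount")
    vendor_flags = vendor_activity_flags(population)
    for t in population:
        if t.vendor in vendor_flags:
            reasons[t.txn_id].extend(vendor_flags[t.vendor])
    return dict(reasons)


if __name__ == "__main__":
    full_year = build_sample(SAMPLE_TXNS, "2015-01-01", "2015-12-31")
    march_only = build_sample(SAMPLE_TXNS, "2015-03-01", "2015-03-31")
    for label, sample in (("full year", full_year), ("March only", march_only)):
        print(f"{label}: {len(sample)} transactions selected")
        for txn_id, why in sorted(sample.items()):
            print(f"  {txn_id}: {'; '.join(why)}")
```

Running the same screen over the full year and over March alone shows why the period tested matters: within March only one round-dollar payment is selected, while over the full year the vendor’s transaction and dispute counts cross the thresholds and pull every one of its transactions into the sample. A clean result on a narrow period is therefore not evidence that the vendor-level criteria were ever exercised.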


Potential Findings Meetings
“Tone at the Top”: While no manager or process owner is going to be happy about a potential finding being brought to them, their response and the way that they address the matter can be an indicator of fraud or other problems.


Follow Up
– Avoid the temptation to skip this step
– Look for remediation that has not been completed
– Thoroughly assess all “alternative” remediation plans

Key Outcomes
– Either assurance gained or improvements made to existing audit process
– Fraud detected
– Additional process improvement recommendations
– Improved internal controls
– Possible recovery of stolen funds

Final Opportunities
– Fraud investigation post mortem – lessons learned
– Need for a peer review?
– Opportunity for continuous monitoring or process automation?

Today’s Agenda: Managing fraud as an organization and how technology changed the game

The NEW Fraud Challenge
End User Risk
– Company information is now accessed by and saved to non-company devices.
– Company information is now accessed anywhere at any time, on personal devices with software that is not owned or approved by the organization.
Project Risk
– Subsidiary systems may not be equipped to handle the larger volume of the parent company.
– Aggressive deadlines could result in short-cutting the systems development and/or change management process.
– Systems may not be properly secured.

Possible Fraud Testing
– NDA Compliance
– Change Management
– Vendor Selection
– Device Registration
– Device Monitoring
– Intrusion Detection
– Project Management
– Access Controls
– Access Monitoring

Creating a culture to prevent fraud
– Governance: Create ever evolving procedures
– Risk Assessment: Identify major new initiatives and assess impact on the organization
– Prevention & Detection: Actively work to acquire/create systems to minimize risk
– Investigate & Resolve: For identified instances of fraud, review and adjust process as required

Creating a culture to prevent fraud (cont.)
Governance
– Develop a fraud risk program with written policies to set clear expectations
– Roles and responsibilities documented for all areas of the organization, including:
  – Board of Directors
  – Audit Committee
  – Management
  – Staff
– Documentation should include escalation and investigation procedures to cover what to do if fraud is identified
– Consider the changing face of IT:
  o Last year’s program may not work this year
  o Update controls continuously to ensure they are current

Creating a culture to prevent fraud (cont.)
Risk Assessment
Fraud risk assessments should include three key elements. Risks to the organization should be periodically assessed to identify areas to focus mitigation.
– Identify Inherent Risk
– Assess Impact, Likelihood
– Address significant risks

Creating a culture to prevent fraud (cont.)
Prevention & Detection
Preventative controls should be established to prevent (or at least minimize) key risks identified during the risk assessment.
Examples of controls:
– HR procedures (hiring, terminations, etc.)
– Anti-fraud training
– Authority limits
– Transaction level procedures
KEY IS DOCUMENTATION

Creating a culture to prevent fraud (cont.)
Prevention & Detection
In addition, controls should be established to detect fraud when preventative controls fail.
Examples of controls:
– Whistleblower hotlines
– Process controls
– Proactive procedures (continuous auditing)
AGAIN: KEY IS DOCUMENTATION

Creating a culture to prevent fraud (cont.)
Investigate & Resolve
For each fraud item communicated, procedures need to be established to:
– Receive the allegation
– Evaluate the allegation
– Escalate the allegation
All items should be investigated and resolved using a standardized process in a timely manner. Reporting should be established with a formal investigation process.

Key Takeaway
INTERNAL AUDIT SHOULD BE A PARTNER, NOT THE POLICE

Questions?

For More Information
If you wish to discuss any aspects of this presentation in more detail, please feel free to contact us:
Clark Schaefer Consulting, LLC.
120 East 4th Street, Suite 1100
Cincinnati, Ohio 45202
www.clarkschaefer.com
Or send an e-mail directly to Sarah at: [email protected]

Building Your Toolkit Series: Managing Risk While Improving Your Operations
Date: Wednesday December 2, 2015
Time: 8:00 AM to 12:30 PM
Location: Radisson Cincinnati Riverfront, West Fifth Street Covington, KY 41011
Cost: $99/per person; includes breakfast and lunch
To register: https://Building Your Toolkit Series: Managing Risk While Improving Your Operations/register
CPE: Earn up to 4 CPE credits
For any questions regarding this event or how to register please contact:
DeAnna Bird, [email protected], (513) 768-7100

Building Your Toolkit Series: Managing Risk While Improving Your Operations – Sessions by track

Risk and Governance | Accounting | IT and Security
Maximizing Your Enterprise and IT Risk Assessment Process | Checking the Pulse of Your Accounting Function | Protecting Your Intellectual Property
Internal Audit: How to Prioritize and Get the Biggest Bang for Your Buck | Improving Your Financial Reporting Process: An Exercise in Process Improvements | Building an Effective Security Awareness Program
Understanding and Addressing Your Cyber Risk | Building Your Accounting Tools for Fraud Prevention/Detection | Essential Building Blocks: Data Classification and Management

Round Table Lunch: Can’t We Just All Get Along? Creating A Workplace For Boomers, Millennials and Everyone In Between