auditing for fraud - clark schaefer...
TRANSCRIPT
Today’s Agenda
– Introductions
– What is Fraud?
– Today’s Fraud
– Internal audit, IT and fraud
– Managing Fraud as an organization; How Technology changed the game
Clark Schaefer Consulting
– Regional consultancy headquartered in Cincinnati, Ohio
– Clients range from Fortune 100 to large private companies
– Specializing in project work that is centered around three core competencies:
  • Accounting & Finance
  • Control/Risk (i.e. Internal Audit/IT Audit)
  • Technology (i.e. Systems Changes/IT Security)
Introductions
Sarah Ackerman, CISSP, CISA
– Technology practice leader
– Responsible for overall engagement quality of services provided to clients
– Areas of expertise include information security, risk management, IT audit, and other technology and risk/control services, with in-depth knowledge of a variety of standards, frameworks, and regulations
Introductions
Rich Thompson, CPA, CIA
– Senior Consultant
– Specializes in Audit, Risk Assessment, and Accounting
– Internal Audit experience in Healthcare, Retail, & Government
Sara O’Banion
– Consultant
– Specializes in IT, Fraud and Audit
– Works with clients to improve processes, analyze data and develop effective solutions.
Why Does Fraud Occur?
The Fraud Triangle: Opportunity, Pressure, Rationalization
(Source: © 2015 American Institute of CPAs - All Rights Reserved, Why Employees Commit Fraud)
Understand Fraud on Two Levels
Definition
– fraud, noun \ˈfrȯd\
  : the crime of using dishonest methods to take something valuable from another person
  : deliberate deception to secure unfair or unlawful gain
  : a copy of something that is meant to look like the real thing in order to trick people
Reality
– Limited only by your imagination
  • How would you hide it?
  • How would you move it?
Opportunity
– Improper segregation of duties
– Lack of/weak internal controls
– Too much trust
– Poor “tone at the top”
– Flexible, uncontrolled management override
Element that companies have the most control over.
Copyright © 2015, Association of Government Accountants
How has IT changed this theory?
– Ability to create fraudulent documents
– Potential for exposure (e.g., hacking, phishing, viruses)
– Data mining
Pressure
Internal
– Meeting shareholder expectations
– Too much work
– Consequences of poor performance
External
– Personal financial problems
– Lifestyle needs
– Illicit activities
– Hostility toward employer
– Unfair wages

Rationalization
– Following along with everyone else
– “Intending” to pay it back
– Belief that the company won’t miss the money
Impact of Fraud
(Chart: Annual Revenue in trillions of dollars. Global Fraud is shown at $3.7 trillion, against five comparison bars at $0.49, $0.38, $0.20, $0.19 and $0.18 trillion.)
Sources: © 2015 Time Inc. All rights reserved; © 2012 Certified Fraud Examiners Inc., Report to the Nations
Traditional Ways to Identify Fraud
Data analysis
– Complex and occasionally time-consuming investigations
Data collection
– Large samples or clusters of data that, if misread, could give a false negative or a false positive.
How can internal audit work to minimize risk?
How can you “fix” it?
Non-Traditional Ways to Identify Fraud
Data Analysis
– Automation: Data analysis software
  • Allows management to identify and respond quickly to red flags, reducing the risk of fraud escalation.
Data Collection
– Cloud technology and advanced computing tools
  • Effective automation of data collection, improved data quality, and a reduction in the time required for data validation.
Non-Traditional Ways to Identify Fraud with IT
Let data mining work FOR you
– Link analysis
– Data visualization
– Predictive modeling
Fraud Tree
Corruption: Dishonest or illegal behavior, especially by powerful people. The misuse of entrusted power for personal gain.
Asset Misappropriation: Theft or embezzlement of company assets
Financial Statement Fraud: Deliberate misrepresentation, misstatement or omission of financial statement data
Fraud Tree: Percent of Cases and Median Loss Per Case
Asset Misappropriation: 85.4% of cases, median loss $130,000
Corruption: 32.8% of cases, median loss $250,000
Financial Statement Fraud: 4.8% of cases, median loss $4,100,000
Perpetrators of Fraud
– 87% first time offenders with clean employment histories
– 84% never punished or terminated for fraud
Position
The majority of occupational frauds were committed by staff at the employee or managerial level:
– Owner/Executive: 19%
– Manager: 36%
– Employee: 42%
Median Loss by Position
The higher the perpetrator’s level of authority, the greater the losses tend to be.
– Employee: $75,000
– Manager: $130,000
– Owner/Executive: $500,000
Department
FRAUD IS NOT LIMITED TO ANY ONE DEPARTMENT
– Accounting: 17%
– Operations: 15%
– Sales: 13%
– Executives/Upper Management: 12%
– Customer Service: 8%
– Purchasing: 7%
– Finance: 5%
– All Other Depts.: 23%
* 77% of frauds originated in one of these departments
Fraud Indicators: A few to consider
General
– Too good to be true? It is
– Lack of transparency
– Lack of oversight
Personal
– Financial difficulties – borrowing money from fellow employees
– Someone with extraordinary investment losses or medical expenses
– Changes in a staff member’s lifestyle or behavior
– Overly defensive or argumentative
– Failure to accept a promotion or transfer
Organization
– Management regularly overriding internal controls
– High personnel turnover
– Inventory shortages
– Unrealistic performance expectations
Reasons Why Audits Don’t Catch Fraud
Detecting Fraud is HARD!
– Lack of skill and experience
– Improper planning
– Inappropriate design of audit program, sample selection, or target assertions
– Inability to gather sufficient, appropriate audit evidence
– Failure to exercise professional skepticism
Traditional Training
– Day-to-day coaching
– Intercompany training
  • New hire training process, training individuals as they obtain more responsibility, etc.
– IIA/ACFE auditing courses
– Seminars/conferences
– Certifications
  • CIA, CFE, CISA
– Continuing education
Standard Audit Steps
Audit Plan → Pre-work → Narrative Interviews → Process Flows & Walkthroughs → Risk Assessment → Test Fieldwork → Review → Reporting → Follow Up
Annual Audit Plan
– How much of IA’s budget is dedicated to “canned” audits?
– How much is spent on management-mandated activities (e.g., MAR, 10-Q assistance)?
– How much time is set aside for consultative and ad-hoc activities?
– How are you incorporating your IT audits?
  • Together as part of the team or separate?
Fraud Planning – High Level
Enterprise-wide risk assessment
– What risks are associated with the company’s overarching goals?
– What are the positive and negative outcomes of meeting/failing to meet those goals?
– What message does upper management send about meeting goals (“tone at the top”)?
Fraud Planning – High Level (cont.)
Enterprise-Wide Risk Assessment
Incentives
– Attached to performance goals, used as a motivational tool
– Increase the risk that an employee will act fraudulently in order to obtain them
– Especially if the consequences of not meeting goals are severe enough
Risk Assessment
– Assess the likelihood and significance of inherent and residual fraud risk
– Should include a period of fraud brainstorming where auditors consider all of the controls identified
– This is also a time to consider the personnel involved with the processes being audited
Prior Audits
– Are there any non-remediated items?
– Are there any solutions that are different from the audit recommendation?
– Were there any “agree to disagree” items?
– Are the previous tests insufficient for the current audit?
Planning: Identify the Culture
Tone at the Top
– What message does senior level management send to employees in regards to ethical behavior? Fraud is NOT OKAY!
– Are resources being provided to employees telling them how they can identify fraud and help stop it?
Identifying Fraud Prevention
– Is there an affirmation process for upper management’s compliance with code of conduct, fraud, etc.?
– Do policies deter fraud by detailing the consequences of committing fraud?
– Are there annual anti-fraud trainings?
– Are there authority limitations on employees and managers? Are there restrictions on management overrides?
– Are the appropriate internal controls in place (e.g., segregation of duties) to prevent fraud?
Pre-Work: Identifying Fraud Detection Techniques
– Are there anonymous opportunities for whistleblowers?
– Are there process controls to detect fraud, such as physical inventory counts, reconciliations, etc.?
– Are there technological measures (e.g., data analysis) to detect anomalies or trends that could indicate fraud?
– Can the internal audit function assist in detecting fraud?
Process Flows and Walkthroughs
– Obtain process flow charts in order to identify potential control weaknesses, lack of segregation of duties, etc.
– Perform walkthroughs to examine that the processes are being performed as designed, and that the controls listed exist and are effective
Audit – Risk Assessment
For repeated audits
– Are previous tests adequate?
– Can a redesign give you greater assurance?
For new audits
– Are the controls well thought out?
– Are the controls too cumbersome?
Don’t hesitate to actually…
Test Planning & Design
(Chart: testing techniques ranked by Reliability Level against Cost ($): Reperformance, Examination, Confirmation, Analytical Procedures, Observation, Interview/Inquiry.)
Design your audit to have the strongest level of testing available, taking into consideration budget and scope.
Supervision
– Set clear expectations
– Discuss the nature, timing, and extent of audit procedures
– Ensure procedures are performed efficiently and effectively
– Review documentation to make sure it sufficiently details tests performed
– Don’t be afraid to discuss fraud!
Fieldwork Review
– What is the overall risk of the process being audited?
– Are there any other conclusions that can be drawn from the completed testing?
– Was testing designed to uncover red flags?
– Do any tests need to be re-performed or redesigned?
– Has the audit team fully thought through the implications of any unexpected items?
Substantive Testing
If no exceptions were found the first time, was the sample accurate for the:
– Period tested
– Specific transaction amounts
  • Round dollar amounts
  • Common amounts
– Specific vendors
  • High # of transactions
  • High # of disputes
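As an added example (not from the presentation or Clark Schaefer's own tooling), the sample-selection criteria above turned into a small Python screen over payment records: round dollar amounts, amounts that recur unusually often, and vendors with a high number of transactions or disputes. The records, vendor names and thresholds are constructed assumptions.

```python
from collections import Counter, defaultdict

# Constructed sample records (not from the presentation): (txn_id, vendor, amount, disputed)
PAYMENTS = [
    ("T1", "Acme Supply", 1000.00, False),
    ("T2", "Acme Supply", 1000.00, False),
    ("T3", "Acme Supply", 1000.00, True),
    ("T4", "Acme Supply", 2500.00, True),
    ("T5", "Brook Services", 487.13, False),
    ("T6", "Brook Services", 1212.50, False),
    ("T7", "Cedar Ltd", 499.99, True),
    ("T8", "Cedar Ltd", 3000.00, True),
    ("T9", "Delta Co", 76.40, False),
]

def is_round_dollar(amount, step=100):
    """True when the amount is an exact multiple of `step` whole dollars."""
    return round(amount * 100) % (step * 100) == 0

def common_amounts(payments, min_count=3):
    """Amounts that recur at least `min_count` times in the population."""
    counts = Counter(round(p[2], 2) for p in payments)
    return {amt for amt, n in counts.items() if n >= min_count}

def vendor_stats(payments):
    """Per-vendor transaction and dispute counts."""
    stats = defaultdict(lambda: {"txns": 0, "disputes": 0})
    for _, vendor, _, disputed in payments:
        stats[vendor]["txns"] += 1
        stats[vendor]["disputes"] += int(disputed)
    return dict(stats)

def flag_sample(payments, max_txns=3, max_disputes=2):
    """Map each payment that meets a criterion to the list of reasons.
    Thresholds are assumed values chosen for this sample, not audit standards."""
    recurring = common_amounts(payments)
    stats = vendor_stats(payments)
    flagged = {}
    for txn_id, vendor, amount, _ in payments:
        reasons = []
        if is_round_dollar(amount):
            reasons.append("round dollar amount")
        if round(amount, 2) in recurring:
            reasons.append("common amount")
        if stats[vendor]["txns"] > max_txns:
            reasons.append("vendor: high number of transactions")
        if stats[vendor]["disputes"] >= max_disputes:
            reasons.append("vendor: high number of disputes")
        if reasons:
            flagged[txn_id] = reasons
    return flagged
```

Flagged items are the candidates to pull into the substantive sample; an item matching several criteria at once (T1 through T3 in the constructed data) deserves the earliest look.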
Potential Findings Meetings
“Tone at the Top”
While no manager or process owner is going to be happy about a potential finding being brought to them, their response and the way that they address the matter can be an indicator of fraud or other problems.
Follow Up
– Avoid the temptation to skip this step
– Look for remediation that has not been completed
– Thoroughly assess all “alternative” remediation plans
Key Outcomes
– Either assurance gained or improvements made to existing audit process
– Fraud detected
– Additional process improvement recommendations
– Improved internal controls
– Possible recovery of stolen funds
Final Opportunities
– Fraud investigation post mortem – lessons learned
– Need for a peer review?
– Opportunity for continuous monitoring or process automation?
End User Risk
– Company information is now accessed by and saved to non-company devices
– Company information is now accessed anywhere at any time, on personal devices with software that is not owned or approved by the organization
Project Risk
– Subsidiary systems may not be equipped to handle the larger volume of the parent company
– Aggressive deadlines could result in short-cutting the systems development and/or change management process
– Systems may not be properly secured
Possible Fraud Testing
– NDA Compliance
– Change Management
– Vendor Selection
– Device Registration
– Device Monitoring
– Intrusion Detection
– Project Management
– Access Controls
– Access Monitoring
Creating a culture to prevent fraud
– Governance: Create ever evolving procedures
– Risk Assessment: Identify major new initiatives and assess impact on the organization
– Prevention & Detection: Actively work to acquire/create systems to minimize risk
– Investigate & Resolve: For identified instances of fraud, review and adjust process as required
Creating a culture to prevent fraud (cont.)
Governance
Develop a fraud risk program with written policies to set clear expectations.
– Roles and responsibilities documented for all areas of the organization, including:
  • Board of Directors
  • Audit Committee
  • Management
  • Staff
– Documentation should include escalation and investigation procedures to cover what to do if fraud is identified
– Consider the changing face of IT:
  • Last year’s program may not work this year
  • Update controls continuously to ensure they are current
Creating a culture to prevent fraud (cont.)
Risk Assessment
Fraud risk assessments should include three key elements. Risks to the organization should be periodically assessed to identify areas to focus mitigation.
– Identify Inherent Risk
– Assess Impact, Likelihood
– Address significant risks
Creating a culture to prevent fraud (cont.)
Prevention & Detection
Preventative controls should be established to prevent (or at least minimize) key risks identified during the risk assessment.
Examples of controls:
– HR procedures (hiring, terminations, etc.)
– Anti-fraud training
– Authority limits
– Transaction level procedures
KEY IS DOCUMENTATION
Creating a culture to prevent fraud (cont.)
Prevention & Detection
In addition, controls should be established to detect fraud when preventative controls fail.
Examples of controls:
– Whistleblower hotlines
– Process controls
– Proactive procedures (continuous auditing)
AGAIN: KEY IS DOCUMENTATION
Creating a culture to prevent fraud (cont.)
Investigate & Resolve
For each fraud item communicated, procedures need to be established to:
– Receive the allegation
– Evaluate the allegation
– Escalate the allegation
All items should be investigated and resolved using a standardized process in a timely manner. Reporting should be established with a formal investigation process.
For More Information
If you wish to discuss any aspects of this presentation in more detail, please feel free to contact us:
Clark Schaefer Consulting, LLC.
120 East 4th Street, Suite 1100
Cincinnati, Ohio 45202
www.clarkschaefer.com
Or send an e-mail directly to Sarah at:
Building Your Toolkit Series: Managing Risk While Improving Your Operations
Date: Wednesday December 2, 2015
Time: 8:00 AM to 12:30 PM
Location: Radisson Cincinnati Riverfront, West Fifth Street, Covington, KY 41011
Cost: $99/per person; includes breakfast and lunch
To register: https://Building Your Toolkit Series: Managing Risk While Improving Your Operations/register
CPE: Earn up to 4 CPE credits
For any questions regarding this event or how to register please contact:
DeAnna Bird, [email protected], (513) 768-7100
Building Your Toolkit Series: Managing Risk While Improving Your Operations – Sessions
Risk and Governance
– Maximizing Your Enterprise and IT Risk Assessment Process
– Internal Audit: How to Prioritize and Get the Biggest Bang for Your Buck
– Understanding and Addressing Your Cyber Risk
Accounting
– Checking the Pulse of Your Accounting Function
– Improving Your Financial Reporting Process: An Exercise in Process Improvements
– Building Your Accounting Tools for Fraud Prevention/Detection
IT and Security
– Protecting Your Intellectual Property
– Building an Effective Security Awareness Program
– Essential Building Blocks: Data Classification and Management
Round Table Lunch: Can’t We Just All Get Along? Creating A Workplace For Boomers, Millennials and Everyone In Between