TRANSCRIPT
Building an Anti-Fraud Control Plan
Patrick Risch, CFE, CIA, CCSA
BNP Paribas Fortis, Fraud Prevention & Detection
President ACFE Chapter Belgium
2
DISCLAIMER
The views expressed in this presentation are the views of the speaker and do not necessarily reflect the views or policies of
• BNP Paribas Fortis or any other company of the Group BNP Paribas
• Any organisation of which the speaker is a member
The purpose of this presentation is to share ideas and promote discussion. Examples are purely for illustrational purposes, and may have been modified or simplified in order to clarify a point.
Neither the speaker, nor the company and organisations he belongs to, accepts responsibility for any consequence of the use of (parts of) the framework presented today.
However, we invite you to participate in the discussion today and later on.
Patrick Risch
3
Outline
Introduction
Fraud Risk Framework
• The need to manage fraud risk
• Why do people commit fraud?
• Steps in Fraud Risk Management
• Fraud Risk Management: putting it into practice
• Three lines of defence
• Fraud and the Three Lines of Defence
Anti-Fraud control plan
Conclusion
4 | 14-11-2013 | Patrick Risch
8
Outline
Introduction
• Purpose of the presentation
• BNP Paribas Fortis
Fraud Risk Framework
• The need to manage fraud risk
• Why do people commit fraud?
• Steps in Fraud Risk Management
• Fraud Risk Management: putting it into practice
• Three lines of defence
• Fraud and the Three Lines of Defence
Anti-Fraud control plan
Conclusion
9
The need to manage fraud risk
You only see what you’re looking for
• Will you see the fraudulent loans that are not reimbursed?
• Will you see the fraudulent travel expenses?
Looking for the real cost of fraud …
• … and its impact on business
| 24-03-2014 | Patrick Risch
10
Why do people commit fraud?
Some people are honest all of the time.
Some people are dishonest all of the time.
Most people are honest some of the time.
Some people are honest most of the time.
Tommie Singleton, PhD, University of Alabama
(Diagram: a scale running from Honest, through Situational, to Dishonest)
11
A fraud-deterrent control environment
Avoid hiring Bad People
Do not isolate Good People
Put Situational People in a healthy control environment
• No opportunity
• Balanced target settings and good care for people
• Organisational culture that cherishes integrity, compliance and team spirit
12
Conclusion
There will always be fraud …
• Mindset of people
• Pressure
• Opportunity
So we have to manage the risk
The earlier we detect it, the better
• Reputation
• Financial
13
Fraud Risk Management
Preventive medicine
Surgery
Autopsy
14
Fraud Risk Management
Prevention and Early Detection
Fraud Case Management
Repair and Remediation
15
Fraud Risk Management: Putting it into practice
Anti-Fraud Policy
• Set the tone at the top
• Walk the talk
• Expected behaviour
• Consequences
• Implementation of anti-fraud framework in the organisation
16
Who deals with fraud risk?
Operational Management
Dedicated fraud specialists
17
Three lines of defence … and fraud
First line of defence - Operational management
• Ownership, responsibility and accountability for assessing, controlling and mitigating risks
Second line of defence - Risk management/Compliance
• Facilitates and monitors the implementation of the framework
• Assists the risk owners in reporting
Third line of defence - Internal Audit
• Provides assurance to the organisation’s board and senior management
18
Three lines of defence … and fraud
First line of defence - Operational management
• Ownership, responsibility and accountability for assessing, controlling and mitigating risks
(Diagram: what the first line needs in order to own fraud risk)
• Training on how to recognise fraud
• Training on how to react when confronted with fraud
• Tone at the top
• Preventive controls
• Detective controls
• Investigate incidents
• Learning organisation
• Mr./Mrs. Anti-Fraud
19
Three lines of defence … and fraud
1st Line
Prevention and Early Detection
• Install a culture of fraud risk awareness
• Provide Fraud Awareness Training to staff
• Include Fraud Risk in the overall Risk Assessment process
• Incorporate fraud preventive and detective controls in the operating procedures: segregation of duties, monitor adherence to policies and procedures …
• Ensure that a Fraud Alert Line is installed and known to everyone in the organisation
Case Management
• Set up a process for the management of fraud cases
• Investigate all fraud cases in a professional and objective way
Repair and Remediation
• Make the necessary accounting entries and register losses
• Reimburse customers
• Take disciplinary action towards the perpetrator
• Take legal action against the fraudsters
• Improve internal control
• Recovery activities
• Communication: internal, external (prepare press release)
20
Three lines of defence … and fraud
Second line of defence - Risk management/Compliance
• Facilitates and monitors the implementation of the framework
• Assists the risk owners in reporting
(Diagram: the second line’s contribution to fraud risk management)
• Policy setting
• Oversight
• Set the example
• Independent view
• Proposing detective controls
• Give advice
• Knowledge centre
• Methodology
21
Three lines of defence … and fraud
2nd Line
Prevention and Early Detection
• Oversight on Fraud Risk Management activities within the organisation
• Give guidance, advice and recommendations to Line Management
• Fraud Risk Assessment methodology and oversight on roll out
• Knowledge Centre on Fraud Risk
• Report on fraud risk exposure
Case Management
• Post Mortem analysis and recommendations to Line Management
Repair and Remediation
• Monitoring of evolution of Fraud Risk exposure
22
Three lines of defence … and fraud
Third line of defence - Internal Audit
• Provide assurance to the organisation’s board and senior management
(Diagram: assurance covers both the Fraud Risk Framework and the handling of incidents)
23
Three lines of defence … and fraud
3rd Line (Prevention and Early Detection, Case Management, Repair and Remediation)
• Provide assurance to the organisation’s board and senior management, that fraud risk is managed in an effective way by the organisation.
24
Conclusion
Prevention and Early Detection | Investigation of Fraud Cases | Fraud Repair and Remediation
1st Line
Prevention and Early Detection
• Install a culture of fraud risk awareness
• Provide Fraud Awareness Training to staff
• Include Fraud Risk in the overall Risk Assessment process
• Incorporate fraud preventive and detective controls in the operating procedures: segregation of duties, monitor adherence to policies and procedures …
• Ensure that a Fraud Alert Line is installed and known to everyone in the organisation
Investigation of Fraud Cases
• Set up a process for the management of fraud cases
• Investigate fraud cases in a professional and objective way
Fraud Repair and Remediation
• Make the necessary accounting entries and register losses
• Reimburse customers
• Take disciplinary action towards the perpetrator
• Take legal action against the fraudsters
• Improve internal control
• Recovery activities
• Communication: internal, external (prepare press release)
2nd Line
Prevention and Early Detection
• Oversight on Fraud Risk Management activities within the organisation
• Give guidance, advice and recommendations to Line Management
• Fraud Risk Assessment methodology and oversight on roll out
• Knowledge Centre on Fraud Risk
• Report on fraud risk exposure
Investigation of Fraud Cases
• Post Mortem analysis and recommendations to Line Management
Fraud Repair and Remediation
• Monitoring of evolution of Fraud Risk exposure
3rd Line (all three phases)
• Provide assurance to the organisation’s board and senior management, that fraud risk is managed in an effective way by the organisation.
25
Three lines of defence … and fraud investigations
First line of defence activity
• Linked with operational activities of the business
• Subject to policy and oversight by the second line, and periodical control by the third line
But: need for an independent and objective inquiry
• Specific skills and competences
• Destruction or falsification of evidence
• Cover-up of management responsibilities
• Confidentiality
26
Three lines of defence … and fraud investigations
• External fraud
  • part of the business-as-usual processes, usually well known to the operational management
  • investigation of incidents by the operational department
• Internal fraud
  • a dedicated competence centre or third party investigators
27
28
Anti-Fraud Control Plan
Purpose of the control plan
• Give reasonable assurance that
  • the framework is in place and is functioning as intended
  • major risks are under control
Formal controls on a continuous basis
• In the first line
• In the second line
  • Control of controls
  • Direct controls
29
Anti-Fraud Control Plan
The framework = the policy
• Training
• Risk assessment
• Consequence management
• Governance
• Operational incidents reporting
30 | 17-04-2012 | Patrick Risch
Anti-Fraud Control Plan - Training
Control objective: Training program and materials contain relevant topics
  Controls (1st/2nd LoD): review curriculum; review course material; attend training
Control objective: Every newcomer in the organisation has received a basic anti-fraud training
  1st LoD control: compare list of newcomers with attendees to training
  2nd LoD control: control of controls
Control objective: Every staff member receives periodical refresher training
  1st LoD control: compare attendance list with payroll
  2nd LoD control: control of controls
Control objective: Every new people manager receives a dedicated training on professional ethics and fraud
  1st LoD control: compare list of new people managers with attendance list
  2nd LoD control: control of controls
31
Anti-Fraud Control Plan – Risk Assessment
Control objective: Annual risk assessment exercise, taking into account all fraud event types
  Control: participate in risk assessment meetings
Control objective: Each internal fraud incident is reviewed by a multidisciplinary working group
  1st LoD control: compare list of incidents (extract from case management tool) with minutes of working group meetings
  2nd LoD control: participate in working group; control of controls
Control objective: External fraud incidents above a threshold (individually or cumulative according to fraud type) are reviewed by a multidisciplinary working group
  1st LoD control: compare list of incidents (extract from case management tool) with minutes of working group meetings
  2nd LoD control: participate in working group; control of controls
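The control of controls in the last two rows is a reconciliation of the case management extract against the working-group minutes. The following Python is an added example, not part of the presentation, of how that check can be automated for the external fraud row, including the per-fraud-type cumulative threshold; the thresholds, the case extract, the minutes and the rule that a breached cumulative threshold puts every incident of that type in scope are constructed assumptions.

```python
"""Added example (not from the deck): second-line control of controls for the
working-group review of external fraud incidents, with per-incident and
per-fraud-type cumulative thresholds. All values below are constructed."""
from collections import defaultdict

# Constructed thresholds (assumption), in EUR.
INDIVIDUAL_THRESHOLD = 10_000
CUMULATIVE_THRESHOLD = 25_000

# Constructed extract from the case management tool: (case_id, fraud_type, loss_eur).
CASE_EXTRACT = [
    ("C-101", "card", 3_000),
    ("C-102", "card", 4_000),
    ("C-103", "card", 20_000),  # cumulative card losses cross the threshold here
    ("C-104", "wire", 12_000),  # individually above the threshold
    ("C-105", "cheque", 500),
    ("C-106", "wire", 2_000),   # wire total stays below the cumulative threshold
]

# Constructed minutes of the multidisciplinary working-group meetings.
MINUTES = [
    "Meeting 2014-03-10: reviewed C-104 (wire, 12k), sanction advised.",
    "Meeting 2014-03-24: reviewed C-103; remediation of card controls pending.",
]

def cases_requiring_review(extract, individual=INDIVIDUAL_THRESHOLD,
                           cumulative=CUMULATIVE_THRESHOLD):
    """Case ids the policy puts in scope: the loss exceeds the individual threshold,
    or the cumulative loss of the case's fraud type exceeds the cumulative
    threshold (assumption: then every incident of that type is in scope)."""
    per_type = defaultdict(int)
    for _, ftype, loss in extract:
        per_type[ftype] += loss
    return {case_id for case_id, ftype, loss in extract
            if loss > individual or per_type[ftype] > cumulative}

def cases_in_minutes(extract, minutes):
    """Case ids mentioned in the minutes (ids are assumed to be unique tokens)."""
    text = "\n".join(minutes)
    return {case_id for case_id, _, _ in extract if case_id in text}

def review_gaps(extract, minutes):
    """In-scope cases that appear in no meeting minutes: the control finding."""
    return sorted(cases_requiring_review(extract) - cases_in_minutes(extract, minutes))

if __name__ == "__main__":
    for case in review_gaps(CASE_EXTRACT, MINUTES):
        print("in scope but not reviewed by the working group:", case)
```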
32
Anti-Fraud Control Plan – Consequence management
Control objective: Internal fraudsters are sanctioned appropriately
  1st LoD control: sanctioning policy is in place
  2nd LoD control: give formal advice on sanctions; monitor sanctions in all internal fraud cases
Control objective: All relations with external fraudsters are terminated
  1st LoD control: verify termination of relationship with external fraudsters
  2nd LoD control: control of controls
33
Anti-Fraud Control Plan – Governance
Control objective: A Fraud Risk Manager has been appointed formally at an appropriate level in the organisation
  Control: appointment is validated by the Management Team
Control objective: Fraud Risk Manager has targets covering the different responsibilities of the fraud risk framework
  Control: review of target setting
34
Anti-Fraud Control Plan – Operational Incidents reporting
Control objective: All fraud incidents are included correctly in the operational risk reporting
  1st LoD control: compare incidents listed in the case management tool with the operational risk reporting
  2nd LoD control: control of controls
35
Anti-Fraud Control Plan
Major risk = strongly business dependent
• Are controls in place to cover the most important fraud risks?
• Are these controls effective?
36
Anti-Fraud Control Plan – Some examples
Control objective: All staff members have respected mandatory block leave
  1st LoD control: control in June (planning) and September (status)
  2nd LoD control: control of controls; control of effectiveness by verification of accesses during leave
Control objective: A 4-eyes principle is in place for all outgoing payments above a threshold
  1st LoD control: control on manual transactions (signatures)
  2nd LoD control: control on feasibility in case of batch transactions
Control objective: Access rights are fully revised on the occasion of a transfer
  1st LoD control: checklist for transfers
  2nd LoD control: control of controls; detailed control for risky functions or transfers
Control objective: Information is secured safely outside business hours (Clear Desk Policy)
  1st LoD control: control patrol twice a year at all desks
  2nd LoD control: unannounced direct control
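For the block-leave row, the second-line control of effectiveness asks whether anyone actually used their access while on leave. The following Python is an added example, not from the presentation, that joins a leave register with authentication log lines and flags every successful logon falling inside a leave period, boundary days included; the log format, user names and dates are constructed assumptions.

```python
"""Added example (not from the deck): second-line control of effectiveness for
mandatory block leave, flagging successful logons recorded while the user was on
leave. Leave register, log lines and log format are constructed assumptions."""
from datetime import date, datetime

# Constructed HR leave register: user -> (first day, last day) of block leave.
BLOCK_LEAVE = {
    "jdoe": (date(2014, 6, 2), date(2014, 6, 13)),
    "asmith": (date(2014, 6, 16), date(2014, 6, 27)),
}

# Constructed authentication log, one event per line: "<ISO timestamp> <user> <event> <source>".
ACCESS_LOG = """\
2014-06-02T08:05:12 jdoe LOGON_SUCCESS vpn
2014-06-05T19:40:03 asmith LOGON_SUCCESS workstation
2014-06-13T23:59:59 jdoe LOGON_SUCCESS webmail
2014-06-14T07:10:00 jdoe LOGON_SUCCESS workstation
2014-06-20T10:00:00 asmith LOGON_FAILURE vpn
2014-06-21T10:00:00 asmith LOGON_SUCCESS vpn
2014-06-03T12:00:00 bwhite LOGON_SUCCESS workstation
"""

def parse_log(text):
    """Yield (timestamp, user, event, source); malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            yield datetime.fromisoformat(parts[0]), parts[1], parts[2], parts[3]
        except ValueError:
            continue

def accesses_during_leave(log_text, leave=BLOCK_LEAVE, successful_only=True):
    """Return (user, timestamp, source) for each logon that falls inside the user's
    block leave, first and last day included. Failed logons are ignored by
    default: the control asks whether the person actually had access."""
    findings = []
    for ts, user, event, source in parse_log(log_text):
        if user not in leave:                      # not on block leave, out of scope
            continue
        if successful_only and event != "LOGON_SUCCESS":
            continue
        first, last = leave[user]
        if first <= ts.date() <= last:
            findings.append((user, ts.isoformat(), source))
    return findings
```

Pass `successful_only=False` to also list failed attempts, which a reviewer may want as an indicator that credentials were being tried during the leave period.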
37
38
Conclusion
• Managing fraud risk is more than managing fraud incidents
• A fraud risk management framework, adapted to the needs of your organisation
• Make sure that all aspects of fraud risk management are allocated somewhere
  • Role of management
  • Let audit play its role
• Ensure coherence with the overall roles of risk and control governance
• Create a second line function to maintain oversight
• Put in place a control plan to ensure fraud risk is managed adequately