controls and fraud detection - financial management institute of
TRANSCRIPT
RCGT Consulting Inc. 100% focused on federal government – from coast to coast to coast
Controls and Fraud Detection November 29, 2012
Financial Management Institute of Canada
Ottawa Convention Centre
Raymond Chabot Grant Thornton Consulting Inc.
Controls and Fraud Detection
Today’s environment
In today’s environment of staff turn-over, cost-cutting, and
a desire to do “more with less,” internal auditors need to
have an awareness of fraud indicators more than ever.
Today’s discussion
Common control weaknesses, fraud detection methods
and fraud indicators – and how internal audit can make a
difference.
Every case of fraud or abuse will be different
Overview
On the Agenda
Understanding Fraud Risk
Why Should You be Concerned?
What is a Fraud Risk Assessment?
Effective Fraud Controls
Presenting Results with Impact
What is Fraud Risk?
Fraud involves intentional
and deliberate efforts to
conceal the true nature of a
transaction.
Fraud Risk is the
organization’s
vulnerabilities to those
capable of committing and
concealing fraud, and may
come from sources
internal and external to the
organization.
Types of Schemes - Canadian Cases
©2012 Association of Certified Fraud Examiners, Inc.
Case Distribution by Fraud Scheme
Anti-Fraud Control Effectiveness
While all controls were associated with a
reduced median loss, the presence of formal
management reviews, employee support
programs and hotlines were correlated with
the greatest decreases in financial losses.
Organizations lacking these controls
experienced median fraud losses
approximately 45% larger than organizations
with the controls in place.
On the other end of the spectrum, external
audits of financial statements — the most
commonly implemented control among the
victim organizations — showed the least
impact on the median loss suffered, with an
associated reduction of less than 3%.
Median Loss Reduction
with Anti-Fraud Controls
Federal Accountability Act
provide real protection to whistleblowers who disclose
government wrongdoing by introducing specific penalties
for offences, granting powers to the new Public Sector
Integrity Commissioner, creating a Public Servants
Disclosure Protection Tribunal to consider cases of reprisal,
providing public-sector employees with access to legal
counsel and continuing to ensure they have adequate
access to the courts, and providing a $1,000 reward to
public-service employees who have the courage to expose
wrongdoing in the workplace.
Effective Hotlines
Although tips are consistently the most common fraud-
detection method, nearly half of the victim organizations
analyzed did not have a hotline mechanism in place at the
time of the fraud.
Organizations with hotlines had a larger percentage of
frauds reported by tip than in organizations without
hotlines.
Why Should You be Concerned?
Professional standards
Legislative and policy requirements
Increased expectations by those charged with
governance, oversight, accountability
Economic downturn
= shrinking budgets + strained resources
Increasing transient workforce
Growing organizational complexities
Technology advancement
Fraud Risk Management Program
Program components:
• Fraud Risk Assessment
• Fraud Awareness and Education Training
• Fraud Policy
• Fraud Investigation
• Fraud Prevention and Detection
• Fraud Reporting
Fraud Risk Assessment
What is it?
Objective of the FRA is to help the
organization understand and identify
areas most vulnerable to
inappropriate activities.
Management can better identify
where and how fraud is most likely to
occur, identify gaps, and proactively
implement preventive, detective and
corrective measures to minimise
possible occurrences of fraud.
Planning/WP
• Assurance engagement
• RBAP
Stand-alone reporting
• Entity-wide
• Sector / processes
• Multi-year
Fraud Risk Assessment – Where is the Value?
Provides a systematic and recurring approach
Improved understanding of fraud risks and
potential schemes
Identify potential control inadequacies and failures
Increased corporate awareness on the risk of fraud
Open communication with Sr. Management, DAC
Fraud Risk Assessment – Where is the Value?
Insight on fraud risks in operating areas that otherwise
may not be considered
Can help determine if fraud occurred in risk areas
Helps to focus IA efforts on areas of highest risk
Supports the establishment of mitigating strategies
Compliance (i.e. IIA, MAF, FAA)
Value added and client expectations
Fraud Risk Assessment Considerations
Management needs
Fraud risk tolerance
Inherent fraud risks
areas, activities, and individuals who put the organization
most at risk (internally and externally)
understanding of possible schemes
Mitigating controls
Residual fraud risk
Understand the gaps
Practical and valued recommendations and mitigation
strategies
Planning the FRA
One size does not fit all!
Work with management to clarify its needs
Limit the scope
Identify the right sponsor for access and participation
Choose the right expertise and team
Research for knowledge and insight
...Planning the FRA
When you arrive:
Discuss and/or determine risk tolerance
Consider sensitivities
Budget availability
Develop a structured, rational and tailored
approach
Conducting the FRA
Practical Steps
Fraud awareness training and brainstorming workshops
Facilitate anonymous feedback
Identify inherent fraud risks
Assess likelihood and impact of inherent risks
Walkthrough processes
One-on-one interviews (bottom-up)
Structured, rational, and tailored approach
...Conducting the FRA
Practical Steps
Identify and map mitigating controls
Assess control design effectiveness (not operating)
Assess likelihood and significance of residual fraud risks
Document working papers and results
Report critical observations
Validate results with management
Structured, rational, and tailored approach
Fraud Risk Control Matrix
Matrix Elements:
• Inherent Fraud Risk (IFR)
• Likelihood
• Significance
• IFR Rating
• Mitigating Controls
• Risk Tolerance
• Residual Fraud Risk
• Recommendations
Map fraud type by
activity with existing
controls to identify and
visualize risks that are
not addressed by the
control elements
Warning Signs During FRA
× Reluctance to participate, withholding information
× Tips, complaints, allegations
× Management control override
× Deficient control mechanisms
× Lack of segregation of duties
× Disregard of compliance requirements
× Insufficient monitoring
× Numerous transaction errors, un-reconciled items
× Missing or incomplete documentation
Reporting with Impact
Comprehensive Reporting
Executive summary
Objective
Scope
Limitation (i.e. assurance)
Approach
Findings & Residual risks
Risk Control Matrix
Risk Inventory
Rating Summaries
Flowchart
Recommendations
Higher than acceptable risks
Control design weakness
Testing operating effectiveness
Mitigating strategies
Assurance vs Consulting
Continuous auditing (CAATs)
Conclusion
Summary of Fraud Risks
Inherent Fraud Risks: 30
Residual Fraud Risks – Low: 18
Residual Fraud Risks – Medium: 10
Residual Fraud Risks – High: 2
Division xxx
High Residual Fraud Risks
• Access to confidential information through hacking
• Prohibited building access outside normal hours
Recommendation
• Immediate access restriction, with proper access security code to
align with organization policy on security. Follow-up audit on
management action within a month and reporting results to the Board.
Illustrating the results
[Figure: fraud schemes plotted by Impact (Low to High) against Likelihood (Low to High). Labels shown: Clear and Relevant; Disbursements; Conflicts of interest; Corruption; Phantom vendors; Ghost employees; Misuse of assets; Skimming; Manipulation of Earnings; Kickbacks.]
FRA Synopsis
FRA needs identification
Planning
Training and brainstorming workshops
Identify and assess inherent fraud risks
Walkthroughs
Additional interviews and documentation
Identify and assess controls design effectiveness
Document the fraud risk control matrix
Identify and assess residual fraud risk
Validate findings and finalize documentation
Reporting
Control Weakness Relationship to Fraud
An outright lack of controls was the most frequently
cited factor, noted as the primary weakness in more
than 35% of cases. This number jumps to more than
45% for those cases that occurred in small
businesses.
In 19% of the cases, the perpetrator overrode existing
controls to carry out his or her scheme; a similar
number of respondents stated that a lack of
management’s review was the key control weakness
that contributed to the fraud.
‘Tone at the Top’
Interestingly, a poor tone at the top contributed to 9%
of all the fraud cases reported to us, but was cited as
the primary factor in 18% of cases that resulted in a
loss of $1 million or more.
This reinforces the importance of a proper ethical tone
from management in protecting an organization
against the largest frauds — those cases that have
the greatest potential to cripple the organization’s
finances and reputation.
Primary Control Weaknesses
Resulting in Fraud
What Level of Employee commits Fraud?
Median Loss by Level of Employee
Perpetrators in Canada (55 cases)
Identifying Potential Perpetrators
Behavioral Red Flags Displayed by
Perpetrators
Most occupational fraudsters’ crimes are motivated at least
in part by some kind of financial pressure. In addition, while
committing a fraud, an individual will frequently display
certain behavioral traits associated with stress or a fear of
being caught.
Behavioral Red Flags
In 81% of all cases reported to us, the perpetrator had
displayed at least one behavioral red flag, and, within these
cases, multiple red flags were frequently observed. The
next chart shows the percentage of cases in which each
respective red flag was reported.
The fraudster living beyond his or her means (36%),
experiencing financial difficulties (27%), having an
unusually close association with vendors or customers
(19%) and displaying excessive control issues (18%) were
the four most commonly cited red flags in 2012, just as they
were in 2010.
Behavioral Red Flags
The consistency of the distribution of red flags from year to
year is particularly remarkable. Despite the fact that the
group of perpetrators analyzed in our 2012 study was
completely different than the perpetrators included in our
2010 and 2008 studies, each group seems to have
collectively displayed behavioral red flags in largely the
same proportion.
Behavioral Red Flags of Perpetrators
Fraud Prevention Checklist
The most cost-effective way to limit fraud losses
is to prevent fraud from occurring. The following
checklist is designed to help test the effectiveness of
fraud prevention measures.
Fraud Prevention Checklist
1. Is ongoing anti-fraud training provided to all
employees of the organization?
❑ Do employees understand what constitutes fraud?
❑ Have the costs of fraud to the company and everyone in it
— including lost profits, adverse publicity, job loss and
decreased morale and productivity — been made clear to
employees?
❑ Do employees know where to seek advice when faced with
uncertain ethical decisions, and do they believe that they can
speak freely?
❑ Has a policy of zero-tolerance for fraud been
communicated to employees through words and actions?
Fraud Prevention Checklist
2. Is an effective fraud reporting mechanism in place?
❑ Have employees been taught how to communicate
concerns about known or potential wrongdoing?
❑ Is there an anonymous reporting channel available to
employees, such as a third-party hotline?
❑ Do employees trust that they can report suspicious activity
anonymously and/or confidentially and without fear of
reprisal?
❑ Has it been made clear to employees that reports of
suspicious activity will be promptly and thoroughly evaluated?
❑ Do reporting policies and mechanisms extend to vendors,
customers and other outside parties?
Fraud Prevention Checklist
3. To increase employees’ perception of detection,
are the following proactive measures taken and
publicized to employees?
❑ Is possible fraudulent conduct aggressively sought out,
rather than dealt with passively?
❑ Does the organization send the message that it actively
seeks out fraudulent conduct through fraud assessment
questioning by auditors?
❑ Are surprise fraud audits performed in addition to regularly
scheduled audits?
❑ Is continuous auditing software used to detect fraud and, if
so, has the use of such software been made known
throughout the organization?
Fraud Prevention Checklist
4. Is the management climate/tone at the top one of
honesty and integrity?
❑ Are employees surveyed to determine the extent to which
they believe management acts with honesty and integrity?
❑ Are performance goals realistic?
❑ Have fraud prevention goals been incorporated into the
performance measures against which managers are
evaluated and which are used to determine performance-
related compensation?
❑ Has the organization established, implemented and tested
a process for oversight of fraud risks by the board of directors
or others charged with governance (e.g., the audit
committee)?
Fraud Prevention Checklist
5. Are fraud risk assessments performed to proactively
identify and mitigate the company’s vulnerabilities to
internal and external fraud?
6. Are strong anti-fraud controls in place and operating
effectively, including the following?
❑ Proper separation of duties
❑ Use of authorizations
❑ Physical safeguards
❑ Job rotations
❑ Mandatory vacations
Fraud Prevention Checklist
7. Does the internal audit department, if one exists, have
adequate resources and authority to operate effectively and
without undue influence from senior management?
8. Does the hiring policy include the following (where
permitted by law)?
❑ Past employment verification
❑ Criminal and civil background checks
❑ Credit checks
❑ Drug screening
❑ Education verification
❑ References check
Fraud Prevention Checklist
9. Are employee support programs in place to assist
employees struggling with addictions, mental/emotional
health, family or financial problems?
10. Is an open-door policy in place that allows employees
to speak freely about pressures, providing management the
opportunity to alleviate such pressures before they become
acute?
11. Are anonymous surveys conducted to assess employee
morale?
Auditing Tips
1. Scale the Audit aligned to risk areas.
2. Evaluate Entity-Level Controls (‘Tone at the Top’)
3. Assess the Risk of Management Override and Mitigating Actions.
4. Evaluate Segregation of Duties and Alternative Controls.
5. Proper design and effectiveness of significant mitigating controls
6. Audit Information Technology Controls / Complex IT Environment.
7. Consider Financial Reporting Competencies and their Effect on Internal Control.
Context Considerations
Characteristic | Internal Auditing | Fraud & Wrongdoing Investigations | Regulatory & Standards Compliance
Timing | Risk-based | Allegation | Stipulated
Users | Management (OPI, DAC) | Public Stakeholders | Stakeholders
Purpose/Objective | Audit Opinion (materiality, fairness) | Judicial / quasi proceedings | Compliance
Scope | Lines of enquiry | Concerns | Specific
Evidence | Audit Standards | IFA, Legal Settings | Legal, Regulated, Contractual
Relationship | Cordial | Adversarial | Mixed
Stages of an Investigation
Needs Identification
Selecting the Investigation Team
Planning the Investigation
Establishing the Facts
Validating the Facts
Analysis and Conclusion
Reporting Outcome / Disposition
Conclusion
Golden Rules
1. Recognize and follow red flags, the fingerprints...
2. Avoid tunnel vision
3. Audit is not an investigation
4. Think ahead to possible outcomes and appearances
5. Ensure that you remain objective, reasonable and fair... and can always be seen to be so
6. Seek the advice of experienced parties at an early stage... and follow it.
IIA References
IIA Standards
1210.A2
1220.A1
2060
2120.A2
2210.A2
IIA Practice Guides
Internal Auditing and Fraud, December 2009
Managing the Business Risk of Fraud, 2008
Fraud Prevention and Detection in an Automated World
www.theiia.org/guidance/standards-and-guidance/fraud
Annie Dugas, CPA, CA, CA-DIFA, CFE
Director
Forensic Accounting & Investigations Services
Raymond Chabot Grant Thornton Consulting Inc.
T: 613-760-3504
Questions?
Saira Kanani, CFE, CGAP, CLEA
Manager
Forensic Accounting & Investigations Services
Raymond Chabot Grant Thornton Consulting Inc.
T: 613-760-3504