
Page 1: Creating a Fraud Risk Assessment and Implementing a ... · Creating a Robust Fraud Risk Assessment and Implementing a Continuous Monitoring Program CHRISTOPHER M. DILORENZO, CPA,

© 2015 Association of Certified Fraud Examiners, Inc.

Creating a Fraud Risk Assessment and Implementing a Continuous Monitoring Program

Christopher DiLorenzo, CFE, CPA, CIA, CRMA

Page 2

Creating a Robust Fraud Risk Assessment and Implementing a Continuous Monitoring Program

CHRISTOPHER M. DILORENZO, CPA, CIA, CFE, CRMA, CISA
VICE PRESIDENT, INTERNAL AUDIT
SCIENTIFIC GAMES CORPORATION

Page 3

© 2014 Scientific Games Corporation. All Rights Reserved.

Speaker Profile: CHRISTOPHER M. DILORENZO, CPA, CIA, CFE, CRMA, CISA

Christopher M. DiLorenzo is currently the vice president and chief audit executive (CAE) for Scientific Games Corporation (SG), based at its Las Vegas corporate headquarters. SG recently acquired Bally Technologies, where DiLorenzo had been a member of the internal audit function for the prior 11 years and CAE for the last five years. Prior to working for Bally Technologies, he worked in the internal audit department of the Mandalay Resort Group and was also in public accounting with both Andersen and Deloitte. Currently he is responsible for executing SG’s global internal audit program, which includes areas such as testing for Sarbanes-Oxley compliance, operational audits, and aiding in forensic investigations.

Page 4

Topics for Today

How to create robust risk assessments
Understanding fraud
Creating a fraud risk assessment
How to develop a continuous monitoring program

Page 5

Robust Risk Assessments: WHAT MAKES THE ASSESSMENT ROBUST?

Comprehensive
Detailed
Authorized/empowered
Adaptive to change

Page 6

Robust Risk Assessments: THE ASSESSMENT MUST BE COMPREHENSIVE

Determine the department’s minimum requirements.
– SOX compliance
– Specific regulatory or compliance requirements
– Audit committee minimum requirements

Evaluate other areas.
– Enterprise and strategic risk
– Fraud considerations
– Operational/other compliance risk

Combine and create the robust plan.

Page 7

Robust Risk Assessments: THE ASSESSMENT MUST BE COMPREHENSIVE

Internal Control over Financial Reporting (SOX)

Perform your SOX assessment using a recognized framework, e.g., COSO 2013.
It will include:
– Areas specific to financial reporting
– General computer controls
– Entity-level controls and tone at the top
Build your SOX plan.

Page 8

Robust Risk Assessments: THE ASSESSMENT MUST BE COMPREHENSIVE

Enterprise and strategic risk

Review your company’s ERM program.
Review the company’s overall strategy and objectives.
Align the results to your overall plan.

Page 9

Robust Risk Assessments: THE ASSESSMENT MUST BE COMPREHENSIVE

Fraud considerations

Evaluate all fraud risks to your company.
Use the ACFE’s fraud tree to determine and classify your scenarios.
Align the results to your overall plan.

Page 10

Robust Risk Assessments: THE ASSESSMENT MUST BE COMPREHENSIVE

Operational/other compliance risk

Create an audit universe.
Address the details of the universe.
Begin to build your operational/compliance plan.

Page 11

Robust Risk Assessments: THE ASSESSMENT MUST BE DETAILED

Why does the risk need to be mitigated?
How risky is it?
What can we do about it?
Where does it need to be addressed?
Who can address it?
When is the timing within our plan?

Page 12

Robust Risk Assessments: THE ASSESSMENT MUST BE DETAILED

Why does the risk need to be mitigated?

What could go wrong? Always add the “…” in your risk statements.
– Purchase orders are not approved, which may lead to …
– Improper segregation of duties exists for cash disbursements, which may lead to …

Page 13

Robust Risk Assessments: THE ASSESSMENT MUST BE DETAILED

How risky is it? Make it measurable.
– How impactful is it if this risk were to occur?
– How likely is it?
– Others

Page 14

Robust Risk Assessments: THE ASSESSMENT MUST BE DETAILED

What can we do about it?
– Covered in SOX procedures?
– Covered in fraud auditing procedures?
– Covered in operational audit procedures?
– Covered in continuous monitoring procedures?
– Unable to be addressed by audit?

Page 15

Robust Risk Assessments: THE ASSESSMENT MUST BE DETAILED

Where does it need to be addressed?
– Corporate?
– Subsidiaries?
– Domestic?
– International?

Page 16

Robust Risk Assessments: THE ASSESSMENT MUST BE DETAILED

Who can/will address it?
– Do I have the resources?
– Can I automate it?
– Can I engage an expert third party?

Page 17

Robust Risk Assessments: THE ASSESSMENT MUST BE AUTHORIZED/EMPOWERED

Power comes from the internal audit charter.
Audit committee approval
Management buy-in/involvement

Page 18

Robust Risk Assessments: THE ASSESSMENT MUST BE AUTHORIZED/EMPOWERED

Power comes from the internal audit charter.
– Audit committee approved a charter for internal audit.
– Validate it at least annually.
– Include wording such as:

“The responsibilities and scope of activities of the Internal Audit Department include developing an annual audit plan using an appropriate risk-based methodology, including any risk or control concerns identified by management, and submitting it to the Audit Committee for review. The plan should be adjusted, as necessary, in response to changes in the organization’s business, risks, operations, programs, systems and controls.”

Page 19

Robust Risk Assessments: THE ASSESSMENT MUST BE AUTHORIZED/EMPOWERED

Audit committee approval
– Present your assessment to the audit committee and get their input/approval.

Management buy-in
– Involve management in your process.
– Have them help you identify risks.
– Get their input on the attributes of the risks.

Page 20

Robust Risk Assessments: THE ASSESSMENT MUST BE ADAPTIVE TO CHANGE

The risk assessment process is never “over.”
It must be regularly reviewed and updated, along with your plan.
Change is constant.

Page 21

Understanding Fraud: FRAUD TRIANGLE

[Figure: the fraud triangle]

Page 22

Understanding Fraud: INITIAL DETECTION

It is estimated that 5% of revenues are lost to fraud each year.
The median loss per incident was $145,000.
22% of the cases involved losses of at least $1M.
The median fraud lasted 18 months before detection.
The presence of anti-fraud controls is associated with decreases in the cost and duration of the scheme.

COSO 2013 (principle 8) requires: “The organization considers the potential for fraud in assessing risks to the achievement of objectives.”

Page 23

Understanding Fraud: INITIAL DETECTION

According to the 2014 ACFE Report to the Nations, more than 72% of the frauds detected were discovered as a result of:
– Tips (42.2%)
– Management review (16%)
– Internal audit (14.1%)

Page 24

Understanding Fraud: INITIAL DETECTION

[Figure: initial detection methods, obtained from the ACFE 2014 Report to the Nations]

Page 25

Understanding Fraud: CONTROL WEAKNESSES THAT CONTRIBUTED TO FRAUD

The 2014 ACFE Report to the Nations found that in nearly one-third of the cases reported, the victim organization lacked the appropriate internal controls to prevent the fraud.

Additionally, one-fifth of the reported cases could have been prevented if managers had done a sufficient job reviewing transactions, accounts, or processes.

Page 26

Understanding Fraud: CONTROL WEAKNESSES THAT CONTRIBUTED TO FRAUD

[Figure: control weaknesses that contributed to fraud]

Page 27

Fraud Risk Assessment Policy: AN EXAMPLE POLICY

The fraud risk assessment is completed by identifying fraud risks applicable to the company and determining their likelihood and impact. The results of this assessment are mapped to internal audit’s SOX, operational and continuous monitoring plans. This plan is updated each year and is presented to the audit committee, typically during the month of December.

Page 28

Creating Your Assessment

Using SOX processes, audit universe areas, and other applicable business functions, create a listing of areas where fraud could occur.

For each area identified, brainstorm the applicable fraud scenarios using the ACFE’s fraud tree.

Page 29

Fraud Tree

[Figure: the ACFE fraud tree]

Page 30

Creating Your Assessment

Each scenario should clearly identify:
– Who the fraudster is
– The result of the fraud (or the “…”)
– How the fraudster benefits (or the conversion)

Identify the company’s internal control environment that will prevent or detect this event.
– If unknown, investigation is needed.
– Clearly document how the control function will work given the scenario.
– Identify if internal control gaps exist.

Provide to business leaders over each process area and solicit their input—update accordingly.

Repeat this exercise for each business entity/location.

Page 31

Creating Your Assessment: HOW RISKY IS IT?

Define your risk parameters.
– What are you going to consider?
– Are all parameters created equal?
Determine how risky the fraud scenario is.

Page 32

Creating Your Assessment: EXAMPLE RISK ASSESSMENT APPROACH

Fraud risks are rated using residual risk only.
Residual risk: the risk of an event happening given the known control environment.

Page 33

Creating Your Assessment: EXAMPLE RISK ASSESSMENT APPROACH

Fraud risks are rated on two attributes.

Likelihood
– 1 = Strong control environment
– 5 = Weak or nonexistent control environment

Impact (if occurring for 36 months prior to detection)
– If the risk is financial reporting related, the rating is guided by materiality: 1 = Immaterial; 5 = Material
– All other areas are rated using a much lower reasonableness threshold: 1 = lower dollar and minimal disturbance to the business; 5 = higher dollar and considerable disturbance to the business

Sum likelihood and impact to come up with the final fraud risk rating.

Page 34

Creating Your Assessment: EXAMPLE RISK ASSESSMENT APPROACH

Fraud scenarios were then placed into one of four groups.

Immaterial: Impact deemed a 1. The scenario will be revisited during the next assessment.
SOX Testing: Planned SOX testing provided a large enough level of comfort that no additional procedures would be planned.
Operational review: An operational review is required to provide comfort over the fraud scenario.
Partial SOX / partial operational: The scenario is partially addressed with already planned SOX procedures but requires additional/supplemental procedures for full coverage.

Page 35

Creating Your Assessment: EXAMPLE RISK ASSESSMENT APPROACH

Continuous monitoring program

Lastly, each fraud scenario was questioned to determine if continuous monitoring procedures could be automated to give regular assurance over the scenario.

If yes, an action plan was created and turned over to our IT auditing function for evaluation and implementation.
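As an added example (not code from the deck or from Scientific Games), the following Python sketch implements the rating and triage procedure described on pages 33 to 35 and aggregates the results in the layout of the page-36 table. The 1 to 5 scales, the summed rating, the four groups and the continuous-monitoring question come from the slides; the field names, the `sox_coverage` flag and the sample scenarios are assumptions constructed for illustration.

```python
"""Residual fraud-risk rating and triage (pages 33-35) with a per-area summary (page 36).

Added example; the FraudScenario fields, the sox_coverage flag and SAMPLE are
constructed for illustration and are not from the deck.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass

# Page 33 scales. Likelihood: 1 = strong control environment .. 5 = weak or
# nonexistent. Impact: 1 = immaterial / low dollar .. 5 = material / high dollar,
# judged as if the scheme ran 36 months before detection.
SCALE = range(1, 6)

# The four groups of page 34.
IMMATERIAL = "Immaterial"
SOX = "SOX Testing"
OPERATIONAL = "Operational review"
PARTIAL = "Partial SOX / partial operational"


@dataclass(frozen=True)
class FraudScenario:
    area: str                  # business entity / location (page 30)
    fraudster: str             # who the fraudster is
    result: str                # the "..." of the risk statement (page 12)
    conversion: str            # how the fraudster benefits
    likelihood: int            # residual, i.e. given the known controls (page 32)
    impact: int
    financial_reporting: bool  # True: impact rating is guided by materiality (page 33)
    sox_coverage: str          # assumed field: "full", "partial" or "none"
    automatable: bool          # can monitoring be automated? (page 35)


def impact_basis(s: FraudScenario) -> str:
    """Page 33: materiality for financial-reporting risks, else a lower threshold."""
    return "materiality" if s.financial_reporting else "reasonableness threshold"


def overall_rating(s: FraudScenario) -> int:
    """Page 33: the final fraud risk rating is likelihood + impact."""
    if s.likelihood not in SCALE or s.impact not in SCALE:
        raise ValueError(f"ratings must be 1..5: L={s.likelihood} I={s.impact}")
    return s.likelihood + s.impact


def assign_bucket(s: FraudScenario) -> str:
    """Page 34: place the scenario in one of the four groups."""
    if s.impact == 1:
        return IMMATERIAL          # revisited at the next assessment
    if s.sox_coverage == "full":
        return SOX                 # planned SOX testing gives enough comfort
    if s.sox_coverage == "partial":
        return PARTIAL             # SOX procedures plus supplemental procedures
    if s.sox_coverage == "none":
        return OPERATIONAL         # an operational review is required
    raise ValueError(f"unknown sox_coverage {s.sox_coverage!r}")


def is_cm_candidate(s: FraudScenario) -> bool:
    """Page 35: every scenario is asked whether monitoring could be automated."""
    return s.automatable


def summarize(scenarios) -> dict[str, dict[str, int]]:
    """Counts per area, in the column layout of the page-36 results table."""
    columns = ("Risks Identified", IMMATERIAL, SOX, OPERATIONAL, PARTIAL, "CM Candidates")
    out = defaultdict(lambda: dict.fromkeys(columns, 0))
    for s in scenarios:
        row = out[s.area]
        row["Risks Identified"] += 1
        row[assign_bucket(s)] += 1
        if is_cm_candidate(s):
            row["CM Candidates"] += 1
    return dict(out)


# Constructed sample scenarios (made-up ratings; loosely modelled on the
# accounts-payable scenarios of pages 37-38).
SAMPLE = [
    FraudScenario("Business 1", "buyer", "company overpays a related vendor",
                  "kickback", 2, 4, False, "full", True),
    FraudScenario("Business 1", "employee", "personal expense reimbursed",
                  "personal expenses paid by company", 3, 2, False, "none", True),
    FraudScenario("Business 1", "AP member", "vendor overpaid, refund intercepted",
                  "steals refund check", 2, 3, False, "partial", False),
    FraudScenario("Business 1", "AP member with controller", "liabilities booked as assets",
                  "outlook better than actual", 2, 5, True, "full", True),
    FraudScenario("Business 2", "employee", "duplicate expense reimbursed",
                  "undue payment", 4, 1, False, "none", True),
]

if __name__ == "__main__":
    for s in SAMPLE:
        print(f"{s.area:<11} L={s.likelihood} I={s.impact} ({impact_basis(s)}) "
              f"overall={overall_rating(s)} bucket={assign_bucket(s)} cm={is_cm_candidate(s)}")
    for area, row in summarize(SAMPLE).items():
        print(area, row)
```

The bucket assignment follows the order of the page-34 groups: an impact of 1 short-circuits everything else, and only then does SOX coverage decide between the remaining three groups. The summary deliberately counts immaterial scenarios as continuous-monitoring candidates when they are automatable, which matches the page-36 table, where an area's candidate count can exceed its non-immaterial scenarios.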

Page 36

Creating Your Assessment: EXAMPLE RESULTS

Immaterial, SOX, Operational and Both (partial) are the “Covered by” columns.

Area          Risks Identified   Immaterial   SOX   Operational   Both (partial)   Continuous Monitoring Candidates
Business 1    102                -            60    28            14               64
Business 2    48                 9            15    18            6                31
Business 3    46                 11           18    15            2                30
Business 4    47                 28           -     19            -                30
Business 5    46                 10           17    14            5                30
Business 6    29                 6            18    5             -                16
Business 7    53                 10           24    15            4                34
Business 8    51                 9            24    14            4                32
Business 9    48                 9            23    9             7                31
Business 10   51                 10           14    22            5                32
Business 11   50                 9            30    9             2                33

Page 37

Creating Your Assessment: EXAMPLE RESULTS—ACCOUNTS PAYABLE

Columns: # / Fraud Scenario / Primary Fraud Category / Type / Conversion / Internal Controls / L / I / Overall / Test Bucket

1. A buyer engages a company with which the buyer has an undisclosed relationship, resulting in the company paying more than fair market value for goods/services obtained and/or sub-standard service.
   Category: Corruption | Type: Conflicts of Interest | Conversion: Employee receives kickback.
   Internal controls: 1. Budget to Actual Review (E-SOX); 2. Segregation of duties (buyer can't add directly to vendor file).
   L/I/Overall: x / x / 2x | Test bucket: SOX Testing

2. A buyer receives a bribe or invoice kickbacks from a company in return for choosing that company to provide service to the company, resulting in the company paying more than fair market value for goods/services obtained and/or sub-standard goods/service.
   Category: Corruption | Type: Invoice Kickbacks | Conversion: Employee receives kickback.
   Internal controls: 1. Budget to Actual Review (E-SOX); 2. Bidding controls
   L/I/Overall: x / x / 2x | Test bucket: Partial SOX; Partial Operational Reviews

3. AP colludes with a check signer and/or invoice authorizer and makes payments to a dormant or fictitious vendor.
   Category: Asset Misappropriation | Type: Larceny | Conversion: Employee receives undue funds.
   Internal controls: 1. B of A Online System Controls; 2. Supplier master file data is reviewed; 3. Systematic deactivation of inactive suppliers
   L/I/Overall: x / x / 2x | Test bucket: SOX Testing

4. An employee characterizes a personal expense as a business-related expense.
   Category: Asset Misappropriation | Type: Mischaracterized Expenses | Conversion: Employee's personal expenses paid by the company.
   Internal controls: 1. Expense report reviewer; 2. Required to use company card
   L/I/Overall: x / x / 2x | Test bucket: Operational Reviews

5. An employee overstates a business expense to obtain a fraudulent reimbursement from the company.
   Category: Asset Misappropriation | Type: Overstated Expenses | Conversion: Employee receives undue payment by the company.
   Internal controls: 1. Expense report reviewer; 2. Required to use company card
   L/I/Overall: x / x / 2x | Test bucket: Operational Reviews

6. An employee creates fictitious expenses to submit as business-related expenses to obtain fraudulent reimbursement from the company.
   Category: Asset Misappropriation | Type: Fictitious Expenses | Conversion: Employee receives undue payment by the company.
   Internal controls: 1. Expense report reviewer; 2. Required to use company card
   L/I/Overall: x / x / 2x | Test bucket: Operational Reviews

7. An employee uses the same expense multiple times to obtain fraudulent reimbursement from the company.
   Category: Asset Misappropriation | Type: Multiple Reimbursement | Conversion: Employee receives undue payment by the company.
   Internal controls: 1. Expense report reviewer; 2. Required to use company card
   L/I/Overall: x / x / 2x | Test bucket: Operational Reviews

Page 38

Creating Your Assessment: EXAMPLE RESULTS—ACCOUNTS PAYABLE (continued)

Columns: # / Fraud Scenario / Primary Fraud Category / Type / Conversion / Internal Controls / L / I / Overall / Test Bucket

8. An unauthorized employee obtains company check stock and fraudulently uses the check stock to create unauthorized payments.
   Category: Asset Misappropriation | Type: Forged Maker | Conversion: Employee receives undue payment by the company.
   Internal controls: 1. If possible, checks not issued to acronyms; 2. Checks under $5k do not need a signature, nor do checks over $5k with a PO; checks over $5k without a PO require a signature; 3. Balance sheet account reconciliations
   L/I/Overall: x / x / 2x | Test bucket: SOX Testing

9. An accounts payable member diverts a check to a third party and forges the check endorsement to divert funds to the accounts payable member.
   Category: Asset Misappropriation | Type: Forged Endorsement | Conversion: Employee receives undue payment by the company.
   Internal controls: 1. AP aging analysis; 2. Balance sheet account reconciliations
   L/I/Overall: x / x / 2x | Test bucket: SOX Testing

10. An accounts payable member diverts a check to a third party and alters the payee to divert funds to the accounts payable member.
   Category: Asset Misappropriation | Type: Altered Payee | Conversion: Employee receives undue payment by the company.
   Internal controls: 1. AP does not write checks to acronyms in the payee
   L/I/Overall: x / x / 2x | Test bucket: Operational Reviews

11. An authorized check signer obtains check stock and issues a payment for personal gain.
   Category: Asset Misappropriation | Type: Authorized Maker | Conversion: Employee receives undue payment by the company.
   Internal controls: 1. AP aging analysis; 2. Balance sheet account reconciliations
   L/I/Overall: x / x / 2x | Test bucket: SOX Testing

12. A member of the AP team intentionally overpays a vendor in an effort to intercept the subsequent refund check for personal gain.
   Category: Asset Misappropriation | Type: Larceny | Conversion: AP member steals company refund.
   Internal controls: Segregation of duties
   L/I/Overall: x / x / 2x | Test bucket: Operational Reviews

13. An accounts payable member, under the direction of a controller, records accounts payable amounts incorrectly (e.g., as assets).
   Category: Fraudulent Statements | Type: Concealed Liabilities & Expenses | Conversion: Company outlook is better than actual.
   Internal controls: AP only able to post to expenses/liability
   L/I/Overall: x / x / 2x | Test bucket: SOX Testing

14. An accounts payable member, acting alone or in collusion with a controller, does not record accounts payable amounts in the proper period in order to improve the company's financial position.
   Category: Fraudulent Statements | Type: Timing Differences | Conversion: Company outlook is better than actual.
   Internal controls: 1. AP accrual; 2. Invoice approval; 3. 3-way match
   L/I/Overall: x / x / 2x | Test bucket: SOX Testing

Page 39

Continuous Monitoring Approach: PLANNING PHASE

Brainstorming—for each risk event identified as a continuous monitoring candidate:
– Develop a theory of how we can systematically monitor it.
– Identify the resources required to pursue solutions to the identified scenarios: data or documentation access, and access to relevant business personnel.
– Verify (or understand) the work flow of transactions.
– Identify the data tables where your data is maintained.

Phases: Planning, Design, Development, Testing, Review, Deployment

Page 40

Continuous Monitoring Approach: DESIGN PHASE

Data mining
– Review the available data sources and attempt to identify the data that will be needed to meet the specific continuous monitoring objectives.
– Document the identified data sources and data fields in a diagram for easy reference.

Logic design
– Considerations for logic design: the scope and materiality of the fraud risk, and the information needed to perform planned follow-up procedures.
– Document the design procedures in a way that can be easily understood and re-performed as applicable.

Phases: Planning, Design, Development, Testing, Review, Deployment

Page 41

Continuous Monitoring Approach: PLAN FOR A/P TRANSACTIONS CODED TO NON-EXPENSE ACCOUNTS

RISK
X-3-AP-012: Accounts payable member, under the direction of a controller or higher, records accounts payable invoices incorrectly (e.g., as assets or revenue) in order to materially impact the financial statements and improve the overall outlook of the company. Impact: X, Likelihood: Y

PROCESSES IN SCOPE
– Accounts payable invoice creation
– Accounts payable approval process

CURRENT MITIGATING SOX CONTROLS
– B-01.01.01—Journal Entries Are Reviewed & Approved: All journal entries and supporting documentation are reviewed by a member of finance at least one level above the preparer.
– B-01.01.02—Evaluation Process for Non-Routine Transactions: Appropriate accounting treatment for transactions that are both non-routine and significant is researched for appropriate GAAP treatment and documented. Related memos are reviewed by at least one level above the preparer. In addition, the accounting treatment for non-routine and significant transactions is reviewed by the audit committee.
– B-04.02.09—Invoice Review: Non-inventory invoices (or PO's) for goods/services are approved prior to payment according to the company's approval matrix by a member of the department in receipt of the goods/services (exception: utility invoices).

DEVELOPMENT TEAM
Name, Manager, IT Audit; Manager Name, Senior IT Internal Auditor; Name, Staff IT Internal Auditor; Name, Staff Internal Auditor

ANALYTIC LOGIC
1. Obtain API transactions from the GL table in MAPICS related to AP-Trade (account number xxxxx).
2. Exclude all transactions coded to an expense account.
3. Identify transactions in which the AP-Trade account was debited.
4. Identify accounts that were debited in transactions where AP-Trade was credited.
5. Compare the activity change between quarters and identify material account variances for transactional follow-up ($1M or greater in activity increase).

ANALYTIC OUTPUT
– A summary of account activity for non-expense accounts that were credited in an API transaction in which the AP-Trade account was debited.
– A summary of account activity for non-expense accounts that were debited in an API transaction in which the AP-Trade account was credited and the total activity change from last quarter was over the materiality threshold ($1M).
– A listing of all transactions contained in the aforementioned account summaries.

FOLLOW-UP TESTING
Determine if the transactions are legitimate by obtaining backup documentation and/or inquiry with relevant personnel.
Testing notes: Invoice documentation is located in Intellichief.
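As an added example (not the deck's or Scientific Games' own script), the following Python program implements the ANALYTIC LOGIC and the three ANALYTIC OUTPUT items of the plan above over a handful of constructed A/P invoice journal lines. The slide's source is the GL table in MAPICS; here the lines are built in memory, the AP-Trade account number is a placeholder, and the only threshold is the $1M activity increase the slide states. Because the slide scopes the pull to API (invoice) transactions, the sample contains invoice and credit-memo entries only, not payment runs.

```python
"""Continuous-monitoring analytic: A/P transactions coded to non-expense accounts.

Added example following the page-41 plan. GLLine, the sample lines and the
AP_TRADE account number are constructed placeholders, not MAPICS data.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass

AP_TRADE = "2100-AP-TRADE"   # placeholder for the slide's AP-Trade "account number xxxxx"
MATERIALITY = 1_000_000.0    # page 41: follow up on $1M or greater activity increase


@dataclass(frozen=True)
class GLLine:
    """One line of an A/P invoice (API) transaction as pulled from the GL table."""
    txn_id: str
    quarter: str       # e.g. "2014Q3"
    account: str
    account_type: str  # "expense", "asset", "revenue", "liability", ...
    debit: float = 0.0
    credit: float = 0.0


def non_expense_activity(lines):
    """Logic steps 1-4: the two account summaries of the ANALYTIC OUTPUT.

    credited[(account, quarter)]: non-expense accounts credited where AP-Trade was debited
    debited[(account, quarter)]:  non-expense accounts debited where AP-Trade was credited
    The transaction ids behind each summary key are returned alongside.
    """
    txns = defaultdict(list)
    for ln in lines:
        txns[ln.txn_id].append(ln)

    credited, debited = defaultdict(float), defaultdict(float)
    credited_txns, debited_txns = defaultdict(set), defaultdict(set)
    for txn_id, txn in txns.items():
        ap_lines = [ln for ln in txn if ln.account == AP_TRADE]
        if not ap_lines:
            continue                       # step 1: only AP-Trade transactions
        ap_debited = any(ln.debit > 0 for ln in ap_lines)
        ap_credited = any(ln.credit > 0 for ln in ap_lines)
        for ln in txn:
            if ln.account == AP_TRADE or ln.account_type == "expense":
                continue                   # step 2: drop AP-Trade itself and expense codings
            key = (ln.account, ln.quarter)
            if ap_debited and ln.credit > 0:       # step 3
                credited[key] += ln.credit
                credited_txns[key].add(txn_id)
            if ap_credited and ln.debit > 0:       # step 4
                debited[key] += ln.debit
                debited_txns[key].add(txn_id)
    return dict(credited), dict(debited), credited_txns, debited_txns


def material_variances(debited, prev_q, curr_q, threshold=MATERIALITY):
    """Step 5: accounts whose debit activity rose by at least `threshold` quarter over quarter."""
    accounts = {acct for acct, q in debited if q in (prev_q, curr_q)}
    flagged = {}
    for acct in sorted(accounts):
        delta = debited.get((acct, curr_q), 0.0) - debited.get((acct, prev_q), 0.0)
        if delta >= threshold:
            flagged[acct] = delta
    return flagged


def run_analytic(lines, prev_q, curr_q):
    """Produce the three outputs of page 41 for one pair of quarters."""
    credited, debited, credited_txns, debited_txns = non_expense_activity(lines)
    flagged = material_variances(debited, prev_q, curr_q)
    # Output 3: every transaction behind output 1 and behind the flagged accounts of output 2.
    listing = set()
    for ids in credited_txns.values():
        listing |= ids
    for acct in flagged:
        listing |= debited_txns.get((acct, curr_q), set())
    return {"credited": credited, "debited": debited,
            "flagged": flagged, "transactions": sorted(listing)}


# Constructed sample invoice transactions (not real ledger data).
SAMPLE_LINES = [
    # prior quarter: one capitalised invoice, one ordinary expense invoice
    GLLine("T1", "2014Q2", "1500-FIXED-ASSETS", "asset", debit=400_000.0),
    GLLine("T1", "2014Q2", AP_TRADE, "liability", credit=400_000.0),
    GLLine("T2", "2014Q2", "6100-OFFICE", "expense", debit=50_000.0),
    GLLine("T2", "2014Q2", AP_TRADE, "liability", credit=50_000.0),
    # current quarter: capitalised invoices jump to $1.5M, plus a small debit to revenue
    GLLine("T3", "2014Q3", "1500-FIXED-ASSETS", "asset", debit=1_200_000.0),
    GLLine("T3", "2014Q3", AP_TRADE, "liability", credit=1_200_000.0),
    GLLine("T4", "2014Q3", "1500-FIXED-ASSETS", "asset", debit=300_000.0),
    GLLine("T4", "2014Q3", AP_TRADE, "liability", credit=300_000.0),
    GLLine("T5", "2014Q3", "4000-REVENUE", "revenue", debit=200_000.0),
    GLLine("T5", "2014Q3", AP_TRADE, "liability", credit=200_000.0),
    # a credit memo: AP-Trade debited, revenue credited (output 1)
    GLLine("T6", "2014Q3", AP_TRADE, "liability", debit=80_000.0),
    GLLine("T6", "2014Q3", "4000-REVENUE", "revenue", credit=80_000.0),
]

if __name__ == "__main__":
    result = run_analytic(SAMPLE_LINES, "2014Q2", "2014Q3")
    for name in ("credited", "debited", "flagged", "transactions"):
        print(f"{name}: {result[name]}")
```

On the sample, the fixed-asset account's debit activity grows from $400k to $1.5M, a $1.1M increase, so it is flagged for transactional follow-up and T3 and T4 land in the listing; the $200k revenue debit stays below the threshold and only appears in the debited summary; the credit memo T6 is listed through output 1, which has no threshold. Expense-coded invoices such as T2 never enter either summary, exactly as step 2 requires.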

Page 42

Continuous Monitoring Approach: DEVELOPMENT PHASE

Implement the design elements into a functional program, e.g., ACL scripts, SQL queries, manual analytic procedures, etc.

Maintain documentation throughout development to track development procedures:
– Comments within ACL scripts
– A narrative of development procedures
– Annotations on development documents to describe their content

Review output:
– Verification that the analytic is properly identifying irregularities
– Verification that the output fulfills the design requirements

Phases: Planning, Design, Development, Testing, Review, Deployment

Page 43

Continuous Monitoring Approach: TESTING PHASE

Execute the analytic to generate a list of potential exceptions or “red flags.”
Analyze exceptions to determine if they are false positives, errors in the development of the analytic, or true exceptions.
Obtain documentation or support for the potential exceptions:
– Obtain physical documentation from appropriate parties.
– Obtain access to systems and databases to retrieve other supporting documentation.
– Perform inquiries with appropriate parties to obtain a better understanding of the exception.
Adjust the logic or output of the program, as necessary, based on the findings during the preliminary testing.
Document the test procedures performed.

Phases: Planning, Design, Development, Testing, Review, Deployment

Page 44

Continuous Monitoring Approach: REVIEW PHASE

Development review
– Detailed review of the analytic design, development, and testing by a peer or supervisor to ensure the program is functioning and all necessary documentation is properly recorded.

User review with business auditors
– High-level review of the analytic output, to be subsequently reviewed by the business auditor.
– Ensures that the analytic meets business auditor needs.

Phases: Planning, Design, Development, Testing, Review, Deployment

Page 45

Continuous Monitoring Approach: DEPLOYMENT PHASE

Identify how often monitoring should be performed, e.g., daily, monthly, quarterly, etc.
Ensure that personnel are properly trained on the execution of the designed analytic and the follow-up procedures.
Have a plan for communicating test results within the department as well as to relevant upper management, as deemed necessary.
Have consistent communication regarding unique findings or analytic improvements with your script developers. This is vital to keeping the continuous monitoring program current, efficient, and effective.

Phases: Planning, Design, Development, Testing, Review, Deployment

Page 46

Final Thoughts: CREATING A ROBUST FRAUD RISK ASSESSMENT AND IMPLEMENTING A CONTINUOUS MONITORING PROGRAM

With that, we’ve discussed:
– How to create robust risk assessments
– Understanding fraud
– Creating a fraud risk assessment
– How to develop a continuous monitoring program

Remember that, by the nature of this topic, robust implies that this is not an overnight project. Implementing this type of approach takes time, but you’ll be rewarded for that time.

Page 47

Creating a Fraud Risk Assessment and Implementing a Continuous Monitoring Program

Christopher DiLorenzo, CFE, CPA, CIA, CRMA