National Treasury Public Entities Risk Management Forum Fraud Risk Management – Overcoming Practical Challenges


Page 1: Department of National Treasury EY BG 04072012. Risk Management/02. Ev… · Why do Public Entities need Fraud Risk Management? Page 4 04 July 2012 National Treasury The Public Finance

National Treasury Public Entities Risk Management Forum

Fraud Risk Management – Overcoming Practical Challenges


Agenda

► What is Fraud Risk Management?
► Why do Public Entities need Fraud Risk Management?
► Minimum Requirements for an Effective Fraud Risk Management Programme
► Fraud Risk Assessments: Acceptable Standards or Frameworks
► Fraud Risk Management Reports
► The Chief Risk Officer (CRO) and Fraud Risk Management
► Expectations of Assurance Providers on the Assessment and Management of Fraud Risks
► Challenges that Affect the Successful Implementation of Fraud Risk Management Plans
► Fraud Trends in the Public Sector
► The Evolving Nature of Cybercrime
► Project Ghost
► Lessons Learned: Misuse of Segregation of Duties and Registration of a Fictitious Vendor

04 July 2012, National Treasury, Page 2


What is Fraud Risk Management?

Fraud Risk Management enables an organisation to:
► Discover;
► Reduce;
► Prevent; and
► Take action when fraud or misconduct is occurring.


Why do Public Entities need Fraud Risk Management?


► The Public Finance Management Act, 1999 (Act No. 1 of 1999) ("PFMA"), Section 51(1)(a)(i):
► An accounting authority for a public entity must ensure that that public entity has and maintains effective, efficient and transparent systems of financial and risk management and internal control;
► As per Section 29.1.1(e) of the Treasury Regulations prescribed under the PFMA:
► It is a requirement for Departments, Trading Entities, Constitutional Institutions and Public Entities to prepare a Corporate Plan, which includes a Fraud Prevention Plan;
► To set the proper tone at the top;
► To monitor internal controls in order to identify and detect fraud risks; and
► To set reactive protocols in the event that fraud is suspected.


Minimum Requirements for an Effective Fraud Risk Management Programme

1. Setting the proper tone
► Effective governance structures;
► Adequate and effective fraud-related policies (e.g. Code of Ethics, Anti-Fraud Policy, Whistle-Blowing Policy, Gifts Policy, Declaration of Interest Policy, etc.); and
► Governance & Fraud Risk Awareness Training and Education (e.g. fraud awareness training for bargaining and non-bargaining employees, industrial theatre productions, fraud newsletters, Z-cards, etc.).

2. Proactive approach
► Fraud risk assessments;
► Fraud resistance assessments; and
► Fraud compliance checks.


Minimum Requirements for an Effective Fraud Risk Management Programme (Cont.)

3. Reactive approach
► Fraud response plan; and
► Investigations.

4. Detection
► Forensic Data Analytics;
► Forensic Technology Detection Services, i.e.:
► Computer Forensics, e.g. hard drive imaging; and
► Utilising software to identify potential relationships in electronic data, i.e. employee / vendor, employee / appointee, etc.
► Whistle Blower Mechanism.


Fraud Risk Assessments: Acceptable Standards or Frameworks

► The King III report requires that risk assessments, including fraud risk assessments, are conducted on a continual basis
► Compilation of / updates to the detailed Fraud Risk Register, drawing on:
► Global industry research;
► Global fraud research;
► Actual fraud risks arising out of investigations conducted; and
► Computer system fraud risk research, i.e. BAS, SAP, etc.
► Summarise identified potential / actual fraud risks into top ten fraud risk categories
► Quantify the parameters (scoring system) of impact, likelihood, priority attention and risk control effectiveness prior to the assessment taking place


Fraud Risk Assessments: Acceptable Standards or Frameworks (Cont.)

► Conduct workshops with the relevant process owners to determine the following:
► Fraud risk relevance;
► Current controls in place to mitigate inherent fraud risk, i.e. identification of residual fraud risk;
► Action plans to address identified residual fraud risk, as well as assigned responsibility; and
► Risk ranking, i.e. consequence vs likelihood.
► Compilation of a "Top 10 Fraud Risk Document", detailing the outcomes of the workshops, approved by the relevant process owners and updated at least on an annual basis
► Outcomes of the fraud risk assessment process to be continuously monitored and tracked


Fraud Risk Management Reports

Detailed Reports
► Detailed reports are submitted to the relevant risk manager(s) for their consideration

1. Fraud Resistance Assessments and Fraud Compliance Checks
► These reports typically include the following:
a) Executive summary;
b) Annexure highlighting the applicable process, as well as the related observations, internal control weaknesses / fraud exposures, recommendations for improvement and management comment.


Fraud Risk Management Reports (Cont.)
Example: Fraud Resistance Assessment Report

► The following table should accompany the Executive Summary as an annexure to the report. It has one row per process assessed, and its columns are populated as follows:

Process: What does the policy and / or procedure state?

Observation: What were your observations with respect to the following:
• Policies and / or procedures;
• Detailed walkthrough; and
• Gap analysis.

Fraud Exposure / Internal Control Weakness: What are the fraud exposures and / or internal control weaknesses that may result from the observation?

Definitions & Examples:
Internal Control Weakness: What happened / went wrong to allow the anomaly to occur? e.g. HR employees' access to the payroll system is not restricted.
Fraud Exposure: What fraud exposure(s) may result from the breakdown in internal control? e.g. HR employees may amend their own banking and salary details without authorisation.

Recommendation: What can you recommend to mitigate the fraud exposure from happening in the future? Note: do not repeat what is stipulated in the policy / procedure.

Management Response / Action Plan: Management's response / action plan is obtained once the report has been finalised and submitted.


Fraud Risk Management Reports (Cont.)
Example: Fraud Compliance Check Report

► The following table should accompany the Executive Summary as an annexure to the report. It has the same columns as the Fraud Resistance Assessment table, populated as follows:

Process: What does the policy and / or procedure state?

Observation: What discrepancies did you observe between what employees are actually doing and the requirements as per the policies and procedures?

Fraud Exposure / Internal Control Weakness: What are the fraud exposures and / or internal control weaknesses that may result from the observation?

Definitions & Examples:
Internal Control Weakness: What happened / went wrong to allow the anomaly to occur? e.g. The policy and / or procedure is ambiguous.
Fraud Exposure: What fraud exposure(s) may result from the breakdown in internal control? e.g. Employees may abuse the ambiguity to their own advantage and then claim negligence.

Recommendation: What can you recommend to improve compliance with policies and procedures in the future?

Management Response / Action Plan: Management's response / action plan is obtained once the report has been finalised and submitted.


Fraud Risk Management Reports (Cont.)

2. Fraud Risk Assessments
► These reports typically include the following:
a) Risk Ranking Matrix;
b) Risk Description;
c) Risk Owner;
d) Strategic Challenge;
e) Risk Root Causes;
f) Current Controls / Action Plans; and
g) Responsible Person.


Fraud Risk Management Reports (Cont.)

High-Level Reports
► High-level reports are submitted to the Chief Risk Officer (CRO) for their consideration and further escalation
► These reports typically include the following:
a) The objectives of the project;
b) Status of the project;
c) High-level summary of findings;
d) Action plans to address findings; and
e) Assigned responsibility and deadlines.


The Chief Risk Officer (CRO) and Fraud Risk Management

The Chief Risk Officer (CRO)
► The CRO is a professional who brings structure and formality to the way risk management is implemented and practised in an organisation
► The CRO is responsible for leading, coordinating and consolidating the entire risk management effort of an institution by providing expert support, guidance and advice


The Chief Risk Officer (CRO) and Fraud Risk Management (Cont.)

Core Fraud Risk Management functions of the CRO
► To provide expert guidance and support to line management on fraud risk management processes;
► To co-ordinate, facilitate and guide the process of identifying, assessing and monitoring fraud risks at all business levels;
► To collate, analyse, interpret and report on the outcomes of fraud risk assessments;
► To maintain the fraud risk register;
► Depending on the entity's structure, to develop the overall Fraud Risk Management Strategy for approval by the Accounting Officer;
► Depending on the entity's structure, to develop appropriate tools and techniques for identifying, assessing and responding to fraud risks; and
► To promote advocacy of Fraud Risk Management.


The Chief Risk Officer (CRO) and Fraud Risk Management (Cont.)

Who should the CRO report to?
► The accountability and reporting lines of CROs in the Public Sector are not prescribed
► The CRO should report at a level that has sufficient authority and influence to ensure that fraud risk management enjoys the necessary organisational support and profile
► Ideally, the CRO should report to the Accounting Officer; if this is not possible, it is recommended that the CRO reports to someone of sufficient influence to promote the organisational status of Fraud Risk Management


Expectations of Assurance Providers on the Assessment and Management of Fraud Risks

► Assurance providers are guided by the auditing standard ISA 240 in addressing the risk of fraud
► Their objective is to obtain reasonable assurance that the financial statements taken as a whole are free from material misstatement, whether caused by fraud or error
► ISA 240 does not require that assurance providers look for fraud, but requires a consideration of fraud risks within an entity when conducting an audit


Assurance Providers’ Expectations on the Assessment and Management of Fraud Risks (Cont.)

ISA 240 (Revised) Requirements
► Professional skepticism
► Discussion among the engagement team
► Risk assessment procedures
► Identification & assessment
► Responses
► Evaluation of audit evidence
► Written representations
► Communication
► Documentation


Assurance Providers’ Expectations on the Assessment and Management of Fraud Risks (Cont.)

The Risk Assessment Process
► The purpose of an entity's risk assessment process is to identify, analyse and manage risks that affect the entity's ability to achieve its objectives.
► Assurance providers document their understanding of an entity's risk assessment process for:
a) Identifying business risks relevant to financial reporting;
b) Evaluating the significance of the risks;
c) Assessing the likelihood of their occurrence; and
d) Deciding on management actions to address and monitor those risks.


Challenges that Affect the Successful Implementation of Fraud Risk Management Plans

► Some of the challenges faced by entities when implementing Fraud Risk Management Plans are as follows:
a) Capacity;
b) Technical knowledge or skill;
c) Lack of enforcement;
d) Collaboration; and
e) Funding.

► How do entities overcome these challenges?
a) Subject matter experts should broaden their skill sets to include other areas within Fraud Risk Management;
b) On-the-job training and knowledge transfer;
c) Accountable individual(s) should be identified for the enforcement of fraud risk management and should be measured against defined KPIs; and / or
d) Outsource the Fraud Risk Management function to external service providers, with the intention of transferring both knowledge and skills from the chosen service provider to internal employees.


Fraud Trends in the Public Sector

Fraud Risk: Description

► Procurement irregularities: Irregular awarding of tenders, bid rigging, etc.
► Bribery and kickbacks: Any scheme in which a person offers, gives, receives or solicits something of value for the purpose of influencing an official's act or business decision without the knowledge or consent of the principal; and a payment by a vendor to an employee in order for the vendor to receive favourable treatment.
► Mismanagement of state funds: Fruitless and wasteful expenditure.
► Abuse of state resources: Misuse of assets.
► Asset misappropriation: The theft of assets (including monetary assets / cash, or supplies and equipment) by directors, others in fiduciary positions or an employee for their own benefit.
► Accounting fraud: Altering / manipulating financial statements.
► IP infringement, including theft of data: This includes the illegal copying and / or distribution of fake goods in breach of patent or copyright, and the creation of false currency.
► Insider trading: Generally, buying or selling a security in breach of a fiduciary duty or other relationship.
► Money laundering: Actions intended to legitimise the proceeds of crime by disguising their true origin.


The Evolving Nature of Cybercrime

► According to PwC's 2011 Global Economic Crime Survey:
► "Cybercrime is an economic crime committed using computers and the internet."
► Cybercrime now ranks as one of the top four economic crimes
► Reputational damage was the largest fear for 40% of the survey's respondents
► 2 in 5 respondents had not received any cyber security training
► A quarter of respondents said there is no regular formal review of cybercrime threats by the CEO and the Board
► The majority of respondents did not have, or were not aware of having, a cyber crisis response plan in place


Project Ghost


Lessons Learned: Misuse of Segregation of Duties and Registration of a Fictitious Vendor

Background
► An employee, employed within a Treasury Department since 1993 as a Confirmation Clerk, created a fictitious vendor in January 2006;
► The employee provided his own bank account (not his salary account) as the beneficiary bank account of the vendor;
► Approximately 508 payment transactions to the value of R5.5 million were made to the vendor from 2006 to date;
► The employee had the authority on the SAP system to create vendors, process goods received notes and release payments up to R5,000;
► Some invoices include the names of depot owners, who claim to have no knowledge of services provided by the vendor; and
► Payments allocated to various depots were allegedly concealed within other costs on the Treasury Department's monthly depot budget reports.

Control Weaknesses
► Inadequate segregation of duties in respect of payment transactions on the SAP system was highlighted in the monthly GRC reports, and the compensating control did not operate effectively;
► Depot owners' signatures were not required on the invoices for payments made against their cost centres; and
► Lack of adequate review of monthly depot reports.

Action Taken and Way Forward
► A pre-arbitration hearing was held in the absence of the employee and he was dismissed;
► A criminal case was registered with the SAPS;
► The employee was granted R15 000 bail and ordered to surrender his passport and report to the SAPS three times a week; and
► The employee was charged with fraud in the Johannesburg Commercial Crimes Court. The employee pleaded guilty on 513 charges of fraud and is awaiting sentencing.
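The Detection slide lists "utilising software to identify potential relationships in electronic data, i.e. employee / vendor" as a forensic data analytics technique, and the case above shows the pattern such analytics should catch: a vendor paid into an employee's own (non-salary) bank account, one user holding create-vendor, goods-receipt and payment-release authority, hundreds of payments each kept under that user's R5,000 release limit, and charges spread across several depots' cost centres. The script below is an added example written for this page; it is not code from the presentation, from National Treasury or from any real investigation. All records are constructed sample data, and the tuple layouts for the employee master, vendor master, role assignments and payment ledger are assumptions (real SAP extracts, e.g. LFA1/LFBK, PA0009, AGR_USERS and BSAK, would first have to be mapped onto them).

```python
"""
Forensic data analytics checks for the fictitious-vendor pattern.

Added example: constructed sample records stand in for the employee master,
vendor master, role assignments and payment ledger. Field layouts are
assumptions, not any system's real schema.
"""
from collections import defaultdict

# --- Constructed sample data (hypothetical) ---
EMPLOYEES = [
    # (employee_id, name, bank_account): every account on file, not only the salary account
    ("E001", "A. Clerk", "62000011111"),
    ("E002", "B. Buyer", "62000022222"),
]
VENDORS = [
    # (vendor_id, name, beneficiary_bank_account, created_by)
    ("V100", "Genuine Supplies CC", "40000099999", "E002"),
    ("V101", "Depot Services (Pty) Ltd", "6200-0011 111", "E001"),  # E001's account, formatted differently
]
ROLES = {  # user -> SAP-style roles held
    "E001": {"CREATE_VENDOR", "POST_GRN", "RELEASE_PAYMENT"},
    "E002": {"CREATE_VENDOR"},
    "E003": {"RELEASE_PAYMENT"},
}
PAYMENTS = [
    # (document_no, vendor_id, amount_zar, released_by, cost_centre)
    ("5000001", "V100", 12000.00, "E003", "DEPOT_A"),
    ("5000002", "V101", 4950.00, "E001", "DEPOT_A"),
    ("5000003", "V101", 4980.00, "E001", "DEPOT_B"),
    ("5000004", "V101", 4900.00, "E001", "DEPOT_A"),
    ("5000005", "V101", 1500.00, "E001", "DEPOT_C"),
]
TOXIC_COMBINATION = {"CREATE_VENDOR", "POST_GRN", "RELEASE_PAYMENT"}
RELEASE_LIMIT_ZAR = 5000.00  # the clerk's payment-release authority in the case


def normalise_account(acct: str) -> str:
    """Keep digits only and drop leading zeros so formatting differences cannot hide a match."""
    return "".join(ch for ch in acct if ch.isdigit()).lstrip("0")


def employee_vendor_bank_matches(employees, vendors):
    """Vendors whose beneficiary account equals any employee's account.
    Returns (vendor_id, employee_id, vendor_was_created_by_that_employee)."""
    employees_by_account = defaultdict(list)
    for emp_id, _name, acct in employees:
        employees_by_account[normalise_account(acct)].append(emp_id)
    hits = []
    for vend_id, _name, acct, created_by in vendors:
        for emp_id in employees_by_account.get(normalise_account(acct), []):
            hits.append((vend_id, emp_id, created_by == emp_id))
    return hits


def segregation_of_duties_violations(roles, toxic=TOXIC_COMBINATION):
    """Users holding every role in the toxic combination (create vendor + post GRN + release payment)."""
    return sorted(user for user, held in roles.items() if toxic <= held)


def self_released_near_limit(payments, vendors, limit=RELEASE_LIMIT_ZAR, band=0.10):
    """Payments released by the user who created the vendor, sitting within `band` of the
    release limit: each payment kept just under the releaser's own authority threshold."""
    creator_of = {vend_id: created_by for vend_id, _n, _a, created_by in vendors}
    floor = limit * (1 - band)
    return [doc for doc, vend, amt, released_by, _cc in payments
            if released_by == creator_of.get(vend) and floor <= amt <= limit]


def single_releaser_vendors(payments, min_count=3):
    """Vendors with at least `min_count` payments, all released by one user.
    Returns (vendor_id, releaser, count, total_zar, distinct_cost_centres); the last field
    exposes spread across depots / cost centres, which is how the case was concealed."""
    profile = {}
    for _doc, vend, amt, released_by, cc in payments:
        p = profile.setdefault(vend, {"releasers": set(), "count": 0, "total": 0.0, "ccs": set()})
        p["releasers"].add(released_by)
        p["count"] += 1
        p["total"] += amt
        p["ccs"].add(cc)
    return [(vend, next(iter(p["releasers"])), p["count"], round(p["total"], 2), len(p["ccs"]))
            for vend, p in sorted(profile.items())
            if len(p["releasers"]) == 1 and p["count"] >= min_count]


def run_all_checks():
    """Run every check over the sample data and return the findings keyed by check name."""
    return {
        "bank_account_matches": employee_vendor_bank_matches(EMPLOYEES, VENDORS),
        "sod_violations": segregation_of_duties_violations(ROLES),
        "self_released_near_limit": self_released_near_limit(PAYMENTS, VENDORS),
        "single_releaser_vendors": single_releaser_vendors(PAYMENTS),
    }


if __name__ == "__main__":
    for check, findings in run_all_checks().items():
        print(f"{check}: {findings}")
```

Each check on its own produces false positives (a legitimate sole trader who is also on the payroll, a small team where one buyer releases everything), so the value is in the overlap: on the sample data, V101 trips all four checks, which is exactly the profile the monthly GRC report flagged in the case without anyone acting on it. The bank-account match compares every account on file, not only the salary account, because the clerk used a different one.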


Contact Details

Naph Nteo (Director)083 603 [email protected]

Keeran Madhav (Associate Director)083 601 [email protected]

Belinda Goosen (Senior Manager)082 329 [email protected]

Pumla Zondo (Assistant Manager)082 788 [email protected]


Thank you