Transcript
Page 1: Shilts Fraud Risk Assessment Deck Fraud Risk...Today’s Focus is on Element #4 - Fraud Risk Assessment “An organization’s fraud risk exposure should be assessed periodically by

Developing and Implementing a Fraud Risk Assessment

Josh Shilts CPA/CFF, CFE

Page 2:

MY GOAL

HAVE YOU WALK AWAY WITH THE KNOWLEDGE AND TOOLS TO COMPLETE A FORMAL & USEFUL FRAUD RISK ASSESSMENT!!!

Page 3:

Before We Begin, Remember…

The design of an organization’s formal and effective anti-fraud program evolves from the collaborative efforts of executive management, oversight committees, and specific departments within the organization…

Page 4:

We need ALL the help we can get…

Page 5:

OBJECTIVE

Prevent or detect the occurrence of fraud and implement proactive solutions to reduce or eliminate fraud’s effects on the organization…

Today’s Focus is on Element #4 - Fraud Risk Assessment

“An organization’s fraud risk exposure should be assessed periodically by the organization to identify specific scenarios that the organization needs to mitigate”

Anti-Fraud Program

Source: The IIA, ACFE and AICPA’s “Managing the Business Risk of Fraud: A Practical Guide”, April 2008.

Page 6:

One Size Doesn’t Fit All NOR Should IT

Management should tailor the design of the assessment to fit the needs and objectives of the organization.

Assessment should be:

Efficient,

Practical,

Easy to Understand, and

Useful

NOT just for you and your department but for everyone in the Organization…

Page 7:

Identify

Present

Risk Assessment Process

Page 8:

5 Easy Steps

1) IDENTIFY - Step one is identifying the specific risks your organization is susceptible to while also considering how granularly you should monitor fraud risks…

2) ANALYZE & ASSESS – Fraud risk measurement varies, but the types of measurements used may have a profound effect on how your organization assesses a risk…

3) PRESENT – Who is your audience? Is there a prescribed format they are already used to? These are the questions you need to consider…

4) PLAN & IMPLEMENT – Work with others and their schedules to ensure your efficiency in completing the assessment. Allow management time to digest and provide feedback and then work with control owners to implement proactive mitigation solutions…

5) MONITOR – Oh yeah, monitor, monitor and do some more monitoring. Suggest an annual formal “refresh”, but the real value stems from constant assessment.

Page 9:

IDENTIFY: Fraud Risk Categories

Present your “FRA” at a level that board members, executive management and others within the organization can understand…

Don’t be so granular that you fail to convey the overall message. These aren’t fraud experts, but rather individuals who are on a “need to know” basis…

Bribery

Larceny

Fake Expenses

False Voids

Page 10:

ANALYZE & ASSESS - Measures

KPIs and Mitigating Activities provide “real” data to support your assessment; however, Management should be updated and risks ranked by using the…

(1) Magnitude (i.e. Significance):
High (3) = > $10 Million
Med (2) = Between $4 Million and $10 Million
Low (1) = < $4 Million

(2) Likelihood (i.e. Controls, Mitigating Activity):
Strong (1) = Preferred Practice
Good (2) = Adequate
Low (3) = Needs Improvement

(3) Likelihood (i.e. Pressure, Occurrence):
High (3) = Significant pressure
Med (2) = Moderate pressure
Low (1) = Little to no pressure

Magnitude + Likelihood [(Controls) + (Pressure)] = Rank

Other Measures

(1) Velocity – Measurement of the rate of change… (Immediate, Rapid or Slow)

(2) Risk – Gross & Residual: Gross before Mitigating Activities and Residual Measures After… (High, Medium or Low)

Page 11:

“ERM” should serve as the model for your FRA

FRA should have the same look and feel as your ERM presentation

PRESENT: Enterprise Risk Management

Magnitude:
Major (5) = > $500M
Substantial (4) = > $250M
Moderate (3) = > $100M
Minor (2) = > $10M
Insignificant (1) = < $10M

Define how Financial Impact is measured (i.e. Net Income, Revenues, etc.)

Likelihood:
1 = Remote
2 = Unlikely
3 = Possible
4 = Likely
5 = Almost Certain

[Risk map figure: Magnitude vs. Likelihood, with risk categories STRATEGIC, OPERATIONAL, FINANCIAL, COMPLIANCE and FRAUD]

Your FRA should serve as a “Drill-Down” from the ERM Fraud Risk

Page 12:

PRESENT: Fraud Risk Assessment

Magnitude:
Major (5) = > $50M
Substantial (4) = > $25M
Moderate (3) = > $10M
Minor (2) = > $1M
Insignificant (1) = < $1M

Define how Financial Impact is measured (i.e. Net Income, Revenues, etc.)

Likelihood:
1 = Remote
2 = Unlikely
3 = Possible
4 = Likely
5 = Almost Certain

[Risk map figure: Magnitude vs. Likelihood, with fraud risks numbered 1 through 15]

Theoretically the “SUM” equals the value of FRAUD as presented on the Company’s Enterprise Risk Management Map

1 + 2 + 3 … + 14 + 15 = FRAUD

Page 13:

PLAN/IMPLEMENT – Fraud Scheme Management

Using the categories defined for presentation purposes, build a granular fraud scheme repository specific to your organization’s activities & risks…

The repository schemes can then be tracked and measured at a granular level and rolled up to assist in measuring the sub-risk and categories…

Fraud Scheme: Vendor A is required to pay the bidding manager $2,000 to participate in the bidding process
Sub Risk: Extortion
Category: Corruption

Fraud Scheme: Funds are misappropriated to a shell company. Vendor setup is colluding with accounts payable.
Sub Risk: Fraudulent Disbursement – Billing Scheme
Category: Asset Misappropriation

Fraud Scheme: Management has decided to book revenue for items shipped and ships items to meet expectations.
Sub Risk: Financial – Fictitious Revenues
Category: Fraudulent Statements

KPIs:
1. Hotline Statistics
2. SEC Enforcement Actions

Mitigation Actions:
1. SOX Controls
2. Audit Procedures

Page 14:

Prevention – Keep your Ears on the Track

Continue to improve & enhance these activities based on past experiences, new concepts and information from your fraud risk assessment…

1. Integrate current activities with anti-fraud objectives

2. Continue to assess preventative activities as part of audit and SOX procedures and identify ways to improve prevention activities

3. Adjust preventive activities based upon new ideas, frauds, etc.

4. Seek feedback from business owners

5. Try to stay ahead of the Fraudster by educating yourself and your team

Page 15:

Detection – Use Existing Knowledge

Leading & Lagging Indicators

1. Hotline Complaints
2. Fraud Risk Research Stats
3. New Audits w/ Fraud Objectives

1. Ratio Analysis
2. Prior Audit Findings
3. Hotline Complaint Trends

AUDIT PLANNING & TESTING Training

SOX/ICFR Testing Continuous Monitoring Focus Areas

Fraud Risk Assessment

Audit Planning

Policy Objectives

Management/Employee Awareness

Page 16:

MONITORING – It Never Stops!!!

Understand what you or your department is currently doing to “monitor” or uncover additional fraud risks:

Audits

ICFR (e.g. “SOX”)

Continuous Assurance

Find new ways to monitor:

Review prior audits and ICFR Fraud Controls

Meet with counterparts in the Company

Read periodicals, journals, etc.

Statistical Analysis (internal and external data)

Page 17:

Now What?

NEVER Stop Thinking of New Fraud Risks

Think of NEW ways to convey your message

TREAT your assessment like a tool

GET TO WORK!!!

Page 18:

Josh Shilts CPA/CFF, CFE

(305) 373-5500

Questions?

