shilts fraud risk assessment deck fraud risk... todayâ€™s focus is on element #4 - fraud risk...
Post on 08-Jul-2020
Embed Size (px)
Developing and Implementing a Fraud Risk Assessment
Josh Shilts CPA/CFF, CFE
HAVE YOU WALK AWAY WITH THE KNOWLEDGE AND TOOLS TO COMPLETE A FORMAL & USEFUL
FRAUD RISK ASSESSMENT!!!
Before We Begin, Remember…
The design of an organization’s formal and effective anti-fraud program evolves from the collaborative efforts of executive management, oversight committees, and specific departments within the organization…
We need ALL the help we can get…
OBJECTIVE Prevent or detect the occurrence of fraud and implement proactive solutions to reduce or eliminate fraud’s effects on the organization…
Today’s Focus is on Element #4 - Fraud Risk Assessment
“An organization’s fraud risk exposure should be assessed periodically by the organization to identify specific scenarios that the organization needs to mitigate”
Source: The IIA, ACFE and AICPA’s “Managing the Business Risk of Fraud: A Practical Guide”, April 2008.
One Size Doesn’t Fit All NOR Should IT
Management should tailor the design of the assessment to fit the needs and objectives of the organization.
Assessment should be:
Easy to Understand, and
NOT just for you and your department but for everyone in the Organization…
Risk Assessment Process
5 Easy Steps 1) IDENTIFY - Step one is identifying the specific risks your
organization is susceptible too while also considering how granular you should monitor fraud risks…
2) ANALYZE & ASSESS – Fraud risks measurement varies, but the types of measurements used may have a profound effect on how your organization assesses a risk…
3) PRESENT – Who is your audience? Is there a prescribed format they are already use to? These are the questions you need to consider…
4) PLAN & IMPLEMENT – Work with others and their schedules to ensure your efficiency in completing the assessment. Allow management time to digest and provide feedback and than work with control owners to implement proactive mitigation solutions…
5) MONITOR – Oh yea, monitor, monitor and do some more monitoring. Suggest an annual formal “refresh”, but the real value stems from constant assessment.
IDENTIFY: Fraud Risk Categories Present your “FRA” at a level that board members, executive management and others within the organization can understand…
Don’t be so granular that you lose conveying the overall message. These aren’t fraud experts, but rather individuals who are on a “need to know” basis…
ANALYZE & ASSESS - Measures KPIs and Mitigating Activities provide “real” data to support your assessment; however, Management should be updated and risks ranked by using the…
(1) Magnitude (i.e. Significance): High (3) = > $10 Million Med (2) = Between $4 Million and $10 Million Low (1) = < $4 Million
(2) Likelihood (i.e. Controls, Mitigating Activity): Strong (1) = Preferred Practice Good (2) = Adequate Low (3) = Needs Improvement
(3) Likelihood (i.e. Pressure, Occurrence): High (3) = Significant pressure Med (2) = Moderate pressure Low (1) = Little to no pressure
Magnitude + Likelihood [(Controls) + (Pressure)] = Rank
(1) Velocity – Measurement of the rate of change… (Immediate, Rapid or Slow)
(2) Risk – Gross & Residual Gross before Mitigating Activities and Residual Measures After…(High, Medium or Low)
“ERM” should serve as the model for your FRA
FRA should have the same look and feel as your ERM presentation
PRESENT: Enterprise Risk Management
Major >$500M 5
Substantial >$250M 4
Moderate >$ 100M 3
Minor >$10M 2
PRESENT: Fraud Risk Assessment
Major >$50M 5
Substantial >$25M 4
Moderate >$ 10M 3
Minor >$1M 2
PLAN/IMPLEMENT– Fraud Scheme Mngt. Using the categories defined for presentation purposes build a granular fraud scheme repository specific to your organization’s activities & risks…
The repository schemes can than be tracked and measured at a granular level and rolled up to assist in measuring the sub-risk and categories…
Vendor A is required to pay the bidding manager $2,000 to participate in the bidding process Extortion Corruption
Funds are misappropriated to a shell company. Vendor setup is colluding with accounts payable.
Fraudulent Disbursement – Billing Scheme
Management has decided to book revenue for items shipped and ships items to meet expectations.
Financial – Fictitious Revenues
KPIs Mitigation Actions 1. Hotline Statistics 1. SOX Controls
2. SEC Enforcement Actions 2. Audit Procedures
Fraud Scheme Sub Risk Category
Prevention – Keep your Ears on the Track
Continue to improve & enhance these activities based on past experiences, new concepts and information from your fraud risk assessment…
1. Integrate current activities with anti-fraud objectives
2. Continue to assess preventative activities as part audit and SOX procedures and identify ways to improve prevention activities
3. Adjust preventive activities based upon new ideas, frauds, etc.
4. Seek feedback from business owners
5. Try to stay ahead of the Fraudster by educating yourself and your team
Detection – Use Existing Knowledge Leading & Lagging Indicators
1. Hotline Complaints 2. Fraud Risk Research Stats 3. New Audits w/ Fraud Objectives
1. Ratio Analysis 2. Prior Audit Findings 3. Hotline Complaint Trends
AUDIT PLANNING & TESTING Training
SOX/ICFR Testing Continuous Monitoring Focus Areas
Fraud Risk Assessment
Policy ObjectivesManagement/Employee Awareness
MONITORING – It Never Stops!!!
Understand what you or your department is currently doing to “monitor” or uncover additional fraud risks:
ICFR (e.g. “SOX”)
Find new ways to monitor: Review prior audits and ICFR Fraud Controls
Meet with counterparts in the Company
Read periodicals, journals, etc.
Statistical Analysis (internal and external data)
NEVER Stop Thinking of New Fraud Risks
Think of NEW ways to convey your message
TREAT your assessment like a tool
GET TO WORK!!!
Josh Shilts CPA/CFF, CFE (305) 373-5500 x2226 firstname.lastname@example.org