shilts fraud risk assessment deck fraud risk... today’s focus is on element #4 - fraud risk...

Download Shilts Fraud Risk Assessment Deck Fraud Risk... Today’s Focus is on Element #4 - Fraud Risk Assessment

Post on 08-Jul-2020




0 download

Embed Size (px)


  • Developing and Implementing a Fraud Risk Assessment

    Josh Shilts CPA/CFF, CFE




  • Before We Begin, Remember…

    The design of an organization’s formal and effective anti-fraud program evolves from the collaborative efforts of executive management, oversight committees, and specific departments within the organization…

  • We need ALL the help we can get…

  • OBJECTIVE Prevent or detect the occurrence of fraud and implement proactive solutions to reduce or eliminate fraud’s effects on the organization…

    Today’s Focus is on Element #4 - Fraud Risk Assessment

    “An organization’s fraud risk exposure should be assessed periodically by the organization to identify specific scenarios that the organization needs to mitigate”

    Anti-Fraud Program

    Source: The IIA, ACFE and AICPA’s “Managing the Business Risk of Fraud: A Practical Guide”, April 2008.

  • One Size Doesn’t Fit All NOR Should IT

    Management should tailor the design of the assessment to fit the needs and objectives of the organization.

    Assessment should be:

     Efficient,

     Practical,

     Easy to Understand, and

     Useful

    NOT just for you and your department but for everyone in the Organization…

  • Identify


    Risk Assessment Process

  • 5 Easy Steps 1) IDENTIFY - Step one is identifying the specific risks your

    organization is susceptible too while also considering how granular you should monitor fraud risks…

    2) ANALYZE & ASSESS – Fraud risks measurement varies, but the types of measurements used may have a profound effect on how your organization assesses a risk…

    3) PRESENT – Who is your audience? Is there a prescribed format they are already use to? These are the questions you need to consider…

    4) PLAN & IMPLEMENT – Work with others and their schedules to ensure your efficiency in completing the assessment. Allow management time to digest and provide feedback and than work with control owners to implement proactive mitigation solutions…

    5) MONITOR – Oh yea, monitor, monitor and do some more monitoring. Suggest an annual formal “refresh”, but the real value stems from constant assessment.

  • IDENTIFY: Fraud Risk Categories Present your “FRA” at a level that board members, executive management and others within the organization can understand…

    Don’t be so granular that you lose conveying the overall message. These aren’t fraud experts, but rather individuals who are on a “need to know” basis…



    Fake Expenses

    False Voids

  • ANALYZE & ASSESS - Measures KPIs and Mitigating Activities provide “real” data to support your assessment; however, Management should be updated and risks ranked by using the…

    (1) Magnitude (i.e. Significance): High (3) = > $10 Million Med (2) = Between $4 Million and $10 Million Low (1) = < $4 Million

    (2) Likelihood (i.e. Controls, Mitigating Activity): Strong (1) = Preferred Practice Good (2) = Adequate Low (3) = Needs Improvement

    (3) Likelihood (i.e. Pressure, Occurrence): High (3) = Significant pressure Med (2) = Moderate pressure Low (1) = Little to no pressure

    Magnitude + Likelihood [(Controls) + (Pressure)] = Rank

    (1) Velocity – Measurement of the rate of change… (Immediate, Rapid or Slow)

    (2) Risk – Gross & Residual Gross before Mitigating Activities and Residual Measures After…(High, Medium or Low)

    Other Measures

  •  “ERM” should serve as the model for your FRA

     FRA should have the same look and feel as your ERM presentation

    PRESENT: Enterprise Risk Management

    M agnitude

    Major >$500M 5

    Substantial >$250M 4

    Moderate >$ 100M 3

    Minor >$10M 2


  • PRESENT: Fraud Risk Assessment

    M agnitude

    Major >$50M 5

    Substantial >$25M 4

    Moderate >$ 10M 3

    Minor >$1M 2


  • PLAN/IMPLEMENT– Fraud Scheme Mngt. Using the categories defined for presentation purposes build a granular fraud scheme repository specific to your organization’s activities & risks…

    The repository schemes can than be tracked and measured at a granular level and rolled up to assist in measuring the sub-risk and categories…

    Vendor A is required to pay the bidding manager $2,000 to participate in the bidding process Extortion Corruption

    Funds are misappropriated to a shell company. Vendor setup is colluding with accounts payable.

    Fraudulent Disbursement – Billing Scheme

    Asset Misappropriation

    Management has decided to book revenue for items shipped and ships items to meet expectations.

    Financial – Fictitious Revenues

    Fraudulent Statements

    KPIs Mitigation Actions 1. Hotline Statistics 1. SOX Controls

    2. SEC Enforcement Actions 2. Audit Procedures

    Fraud Scheme Sub Risk Category

  • Prevention – Keep your Ears on the Track

    Continue to improve & enhance these activities based on past experiences, new concepts and information from your fraud risk assessment…

    1. Integrate current activities with anti-fraud objectives

    2. Continue to assess preventative activities as part audit and SOX procedures and identify ways to improve prevention activities

    3. Adjust preventive activities based upon new ideas, frauds, etc.

    4. Seek feedback from business owners

    5. Try to stay ahead of the Fraudster by educating yourself and your team

  • Detection – Use Existing Knowledge Leading & Lagging Indicators

    1. Hotline Complaints 2. Fraud Risk Research Stats 3. New Audits w/ Fraud Objectives

    1. Ratio Analysis 2. Prior Audit Findings 3. Hotline Complaint Trends


    SOX/ICFR Testing Continuous Monitoring Focus Areas

    Fraud Risk Assessment

    Audit Planning

    Policy ObjectivesManagement/Employee Awareness

  • MONITORING – It Never Stops!!!

    Understand what you or your department is currently doing to “monitor” or uncover additional fraud risks:

     Audits

     ICFR (e.g. “SOX”)

     Continuous Assurance

    Find new ways to monitor:  Review prior audits and ICFR Fraud Controls

     Meet with counterparts in the Company

     Read periodicals, journals, etc.

     Statistical Analysis (internal and external data)

  • Now What?

    NEVER Stop Thinking of New Fraud Risks

    Think of NEW ways to convey your message

    TREAT your assessment like a tool

    GET TO WORK!!!

  • Josh Shilts CPA/CFF, CFE (305) 373-5500 x2226