October 28, 2012 Taking Fraud Risk Management To the Next Level Daniel Williams CGA, CFE, CIA, CISA, CAMS, PMP

Posted on 28-May-2020

Page 1: Taking Fraud Risk Management… · Risk Management Program to effectively manage an organization’s fraud risk: 1. As part of an organization’s governance structure, a fraud


October 28, 2012

Taking Fraud Risk Management To the Next Level

Daniel Williams

CGA, CFE, CIA, CISA, CAMS, PMP

Page 2

© Deloitte & Touche LLP and affiliated entities.

Topics

1. Introduction
2. The Prevalence of Fraud
3. The Impact of Fraud
4. Managing Fraud Risk
5. Performing a Fraud Risk Assessment
6. Evaluating & Enhancing a Fraud Management Program
7. Leveraging the Whistleblower Program
8. Effective Response Protocols

Page 3

Introduction

Page 4

Objectives

1. Walk through how to build an effective fraud risk management program and identify some of the key elements that are often missing or inadequate
2. Show how the effectiveness of key fraud response protocols will help to minimize the damage to an organization should an incident occur

Page 5

The Prevalence of Fraud

Page 6

The Prevalence of Fraud

“The average fraud scheme lasted 24 months before it was detected”

“A typical organization loses a staggering 6% of its annual revenue to occupational fraud”

“The average organization loses more than $9 a day per employee to fraud and abuse”

“Fraud cases are estimated to have a median loss of $175,000 per incident”

“Public sector fraud cases are estimated to have a median loss of $100,000 per incident”

“Approximately 46% of fraud cases were detected by tips from employees, customers, vendors, etc.”

“The implementation of anti-fraud controls appears to have measurable impact on the organization’s exposure to fraud.”

“Lack of adequate internal control was cited by 35% of respondents as a factor that allowed fraud to occur.”

- ACFE; 2010 Report to the Nation on Occupational Fraud and Abuse

Page 7

The Impact of Fraud

Page 8

The Impact of Fraud

• Financial losses to the organization
• Financial losses to stakeholders
• Civil litigation
• Regulatory fines
• Criminal litigation and prosecution
• Diversion of executive attention and organization resources
• Expensive compliance and/or monitoring programs
• Expensive investigation fees
• Reputation damage including:
– Loss of public trust
– Negative public perception
– Greater scrutiny from public advocates and leadership
– Negative media attention

Page 9

The Impact of Fraud - Reputation Risk

Reputation risk is the risk of loss of brand image, or of stakeholders’ support, such that the organization will be unable to operate at its full capacity.

It is the risk of losing the ability to compete, due to perceptions that the organization does not deal fairly with its stakeholders or does not know how to manage its business; furthermore, it is the risk of a decline in stakeholders’ confidence that may impair the organization’s ability to have support in the community and to efficiently raise capital.

Page 10

Managing Fraud Risk

Page 11

Managing the Risk of Fraud

Fraud is predictable and manageable; however, only through diligent and ongoing effort can an organization protect itself against acts of fraud.

• The IIA has developed five key principles for proactively establishing a Fraud Risk Management Program to effectively manage an organization’s fraud risk:

1. As part of an organization’s governance structure, a fraud risk management program should be in place, including a written policy to convey the expectations of the board of directors and senior management regarding fraud risk;
2. Fraud risk exposure should be assessed periodically by the organization to identify specific potential fraud schemes and events that the organization must mitigate;
3. Prevention techniques to avoid potential key fraud risk events should be established, where feasible, to mitigate possible impacts on the organization;
4. Detection techniques should be established to uncover fraud events when preventive measures fail or unmitigated risks are realized;
5. A reporting process should be in place to solicit input on potential fraud, and a coordinated approach to investigation and corrective action should be used to help ensure potential fraud is addressed appropriately and in a timely manner.

Page 12

What is Motivating Organizations to Develop a Comprehensive and Holistic Fraud Management Strategy (what are the drivers?)

The slide arranges five drivers around a centre labelled “Fraud Risk / Brand Risk”:

Stakeholder Confidence
• Stakeholders are becoming increasingly aware of fraud risk
• Organizations that are perceived as being vulnerable to fraud can lose stakeholder confidence and ultimately suffer business losses

Fraud Loss
• Loss from reimbursing stakeholders for losses incurred
• Loss from incident response, investigation and recovery efforts
• Loss from diversion of resources in response to fraud

Globalization
• Geographical expansion and changes in customer demography introduce new threat factors requiring businesses to prepare and respond to emerging fraud risks

Advances in Technology
• With fraudsters using sophisticated technology, organizations must continually enhance and refine controls
• Technology tends to make fraud risk more pervasive and can impact a number of areas of operations

Changing Business Model
• Ongoing modifications to services, products and infrastructure expose the organization to new threats that need to be considered

Page 13

Applying the COSO Framework

The slide shows the five COSO components around a centre labelled “FRMP”:

Creating a Control Environment
• Tone at the top
• Code of conduct/ethics
• Whistleblower hotline
• Investigation process

Performing Fraud Risk Assessments
• Identify fraud risk factors, fraud risks and fraud schemes

Designing and Implementing Antifraud Control Activities
• Link/map identified fraud risks to control activities

Sharing Information and Communication
• Effective communication of antifraud programs and controls throughout

Monitoring Activities
• Monitoring effectiveness of antifraud programs and controls

Page 14

Effective Fraud Risk Management Program

Elements of an Effective Fraud Risk Management Program (the slide groups them under Prevention, Detection and Response, with Deterrence as the overall label)

Prevention
• Good governance
• Code of conduct and related standards
• Fraud and misconduct risk assessment
• Employee and third party due diligence
• Communication and training
• Process-specific fraud risk controls

Detection
• Hotlines and whistleblower mechanisms
• Auditing and monitoring
• Quality assurance
• Proactive data analysis

Response
• Timely and consistent response mechanisms
• Comprehensive internal investigation protocols
• Comprehensive enforcement and accountability protocols
• Disclosure protocols
• Remedial action protocols

Page 15

Completing a Fraud Risk Assessment

Page 16

Step 1 – Define Fraud as it Relates to Your Organization

The first step in developing any fraud risk management program is to define fraud as it relates to your organization.

As simple as this may seem, it is crucial that a firm definition is developed and applied consistently throughout the organization, including:

– Any and all communications to staff;
– When developing a fraud risk assessment, to determine if specific scenarios that can be executed are, in fact, fraudulent;
– When developing and publishing policies and procedures (including the code of conduct and the fraud risk management charter); and
– When developing and facilitating fraud awareness training.

Page 17

Definition(s) of Fraud

“Fraud is criminal deception intended to financially benefit the deceiver”
- The Accountant’s Handbook of Fraud and Commercial Crime (CICA)

“Fraud is a generic term, embracing all multifarious means which human ingenuity can devise, and which are resorted to by one individual to get an advantage over another by false suggestions or suppressions of truth, and unfair way by which another is cheated”
- Black’s Law Dictionary

“Fraud is any act of deception carried out for the purpose of unfair, undeserved and/or unlawful gain, either valuable financially or comprising a legal right”
- Wikipedia

“Fraud is any act of wrongdoing where the organization is knowingly misled for personal (or third party) gain”
- Deloitte

Page 18

Step 2 – Determine Your Approach for Identifying Risks

Fraud risk identification includes:

• Gathering external information from regulatory bodies, industry sources, key guidance setting groups (such as COSO), and professional bodies/service providers; and
• Consulting internal sources including:
– Examining the incentives, pressures and opportunities to commit fraud specifically within your organization (i.e. performance metrics, incentive programs, etc.);
– Reviewing past whistleblower complaints;
– Reviewing external audit management letters that identify issues pertaining to flaws in processes, procedures or controls;
– Reviewing any fraudulent acts that may have occurred in the past;
– Reviewing incident reports and other analytical reports on errors, customer complaints, vendor complaints, employee feedback, etc.; and
– Collaborating with employees across the organization to identify specific fraud scenarios that could occur as well as weaknesses in the processes that would allow fraud to occur.

Page 19

Engaging Employees to Identify Fraud Risk Scenarios

| Method | Employee Engagement | Time Required | Fraud Scenarios Identified | Pros | Cons |
|---|---|---|---|---|---|
| Surveys/Questionnaires issued to employees | Minimal | Minimal | Generic | Minimal impact on resources and little effort required. | There is a risk that you will not receive open and honest responses from |
| Interviews with the Board and Executive | Minimal | Moderate | Generic | Minimal impact on resources and little effort required. | Board members may not have a strong understanding of day to day operations. |
| Interviews with Management | Moderate | Moderate | High Level | Minimal impact on resources and little effort required. | Management may not have insight into specific weaknesses within the process. |
| Workshops with Employees (recommended) | High | Significant | Detailed | Detailed fraud scenarios are identified. Opportunity to educate employees. | Significant impact on resources and significant effort required. |
| Collaboration with a Project Team (recommended) | High | Significant | Detailed | Project team members provide valuable input and can be advocates for remediation strategies. | Moderate impact on resources and significant effort required. |

Page 20

Step 3 – Identify Fraud Risk Scenarios

Fraud risk assessments differ somewhat from the more conventional methods used to assess risk in that they are scheme/scenario-based. This requires experienced personnel who are familiar with the more common fraud schemes impacting today's organizations.

Fraud, by definition, entails intentional misconduct designed to evade detection. As such, those performing a fraud risk assessment should engage in strategic reasoning to anticipate the behavior of a potential fraud perpetrator. In essence, you need to think like a criminal.

Initially, fraud scenarios are identified and assessed based on inherent risk, assuming the absence of controls.

It is difficult to take a “one-size-fits-all” approach by obtaining a list of generic fraud risks and using it as the fraud risk assessment, as a boilerplate listing will most likely not include all fraud opportunities inherent to your organization.

Page 21

Step 4.a – Determine Likelihood Assessment Criteria

• The Likelihood that an event will occur is based on inherent factors such as:
– Access to assets by an individual
– Level of trust placed in an individual
– How difficult it is to commit the act without involving others

• Likelihood assessment criteria:
– High – a significant opportunity that can be executed by just one person
– Moderate – requires collusion with others and/or an activity outside of normal operational processes/procedures
– Low – many people involved, increasing the chance of being detected, and an audit trail is available for review by others

Page 22

Step 4.b – Determine Consequence Assessment Criteria

• The Consequence of an event occurring is derived from two key factors:
– Qualitative (relating to reputation risk)
– Quantitative (relating to a specific dollar amount lost due to the fraud occurring)

• Consequence assessment criteria:
– High – significant loss of public trust and/or a high dollar value (e.g. $200,000)
– Moderate – moderate public reaction and/or a moderate dollar value (e.g. $30,000)
– Low – little to no public reaction and/or a low dollar value (e.g. $5,000)

Page 23

Step 5 – Map Existing Controls to Fraud Schemes

Once all fraud risk scenarios have been identified, the next step is to link each risk to relevant internal controls that can mitigate each risk to an acceptable level.

It is important to identify and leverage existing controls to determine if they are designed effectively to actually prevent or detect fraud.

This can be a value-added activity:

– The mapping exercise provides Management with a gap analysis that will identify residual fraud risks – risks that remain outside the organization’s tolerable range.
– A gap analysis will also identify inefficiencies/ineffectiveness in internal controls.
– The assessment may identify a misallocation of resources and/or redundancies in internal controls.

Page 24

Step 6.a – Assess Internal Controls

How effective is the control in mitigating the risk of fraud?

Has the control been designed effectively – not just in principle but in practice?

Objective-based versus activity-based controls.

Page 25

Step 6.b – Assess the Control Environment

• This is not your typical control environment assessment.
• The assessment needs to consider:
– The maturity of the control environment as it relates to the sophistication, size and scope of the organization;
– How effective the control environment is in preventing fraud; and
– How effective the control environment is in communicating appropriate standards of conduct. It is not sufficient to say that management is communicating the right message; rather, we need to confirm that employees are actually receiving and appreciating that message.
• The assessment includes:
– Reviewing documentation
– Enquiries of Management and employees
– Direct observation

Page 26

Step 7 – Determine Residual Risk and Response

The final step is to determine what the acceptable level of risk for the organization is and work towards addressing each fraud scenario that exceeds the organization’s risk tolerance.

A detailed fraud risk assessment will help identify areas where residual risk may not be appropriate and prioritize areas that require immediate attention.

The fraud risk assessment may also identify critical areas that were so highly exposed to undue risk that it would require investigation of past transactions to determine if inappropriate activity had taken place.

Finally, the fraud risk assessment will allow an organization to consider necessary remediation strategies for each risk identified:

– Revise the existing process to reduce the inherent risk;
– Accept or increase the tolerated risk level based on the organization’s operating model;
– Reduce residual risk through increased control effectiveness.

Page 27

Fraud Risk Assessment Template - SAMPLE

| Fraud Risk Scenarios | Likelihood Assessment | Consequence Assessment | Inherent Risk | Internal Controls | Residual Risk |
|---|---|---|---|---|---|
| The CFO directs employees to hold the books open after year end to accrue additional revenues. | M | M | M | A.1, A.2, B.3 | L |
| The inventory manager misappropriates inventory and then makes an adjustment to the GL to cover up the theft. | L | L | L | C.6 | L |
| A supervisor colludes with another employee by authorizing fraudulent overtime claims. | H | H | H | C.6, D.1 | M |
| Ghost employees are added to the payroll by the HR Manager. | H | L | M | N/A | M |
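As an added illustration (not the presenter's or Deloitte's tool), the following Python script runs the Step 5 to Step 7 gap analysis over the four rows of the sample template: it recomputes inherent risk from the likelihood and consequence ratings, flags scenarios with no mapped control whose inherent risk exceeds tolerance, and lists residual risks that still require a response. Assumptions: H/M/L score 3/2/1, inherent risk is the rounded-up average of the two ratings (which reproduces the template's four rows), and tolerance is a residual rating of L.

```python
"""Gap analysis over a fraud risk register (deck Steps 4 to 7).

Added illustration, not the presenter's or Deloitte's tool. Assumptions:
H/M/L ratings score 3/2/1; inherent risk is the rounded-up average of the
likelihood and consequence scores (this reproduces the four sample rows of the
template); the organization's tolerance is a residual rating of at most "L".
"""
from __future__ import annotations

import math
from dataclasses import dataclass

SCORE = {"L": 1, "M": 2, "H": 3}
RATING = {v: k for k, v in SCORE.items()}


@dataclass
class Scenario:
    description: str
    likelihood: str        # H / M / L, Step 4.a
    consequence: str       # H / M / L, Step 4.b
    inherent: str          # as recorded in the register
    controls: list[str]    # control references mapped in Step 5 ("N/A" = none)
    residual: str          # as recorded after the Step 6 control assessment


def inherent_risk(likelihood: str, consequence: str) -> str:
    """Combine the two ratings. Rounding up is the assumed convention: a High
    on one axis and a Low on the other yields Moderate, High + Moderate yields
    High."""
    avg = (SCORE[likelihood] + SCORE[consequence]) / 2
    return RATING[math.ceil(avg)]


def analyse(register: list[Scenario], tolerance: str = "L") -> list[dict]:
    """Return one finding record per scenario, highest residual risk first."""
    findings = []
    for s in register:
        issues = []
        expected = inherent_risk(s.likelihood, s.consequence)
        if expected != s.inherent:
            issues.append(f"inherent risk recorded as {s.inherent}, criteria give {expected}")
        has_controls = any(c.upper() != "N/A" for c in s.controls)
        if not has_controls and SCORE[s.inherent] > SCORE[tolerance]:
            issues.append("no control mapped although inherent risk exceeds tolerance")
        if SCORE[s.residual] > SCORE[tolerance]:
            issues.append(f"residual risk {s.residual} exceeds tolerance {tolerance}: response required (Step 7)")
        if SCORE[s.residual] > SCORE[s.inherent]:
            issues.append("residual risk higher than inherent risk: check the control assessment")
        findings.append({"scenario": s.description, "priority": SCORE[s.residual], "issues": issues})
    # Scenarios with the highest residual risk need attention first (Step 7)
    return sorted(findings, key=lambda f: f["priority"], reverse=True)


# The four rows of the deck's sample template, transcribed as data
SAMPLE_REGISTER = [
    Scenario("CFO directs employees to hold the books open after year end", "M", "M", "M", ["A.1", "A.2", "B.3"], "L"),
    Scenario("Inventory manager misappropriates inventory and adjusts the GL", "L", "L", "L", ["C.6"], "L"),
    Scenario("Supervisor colludes with an employee on fraudulent overtime", "H", "H", "H", ["C.6", "D.1"], "M"),
    Scenario("Ghost employees added to payroll by the HR Manager", "H", "L", "M", ["N/A"], "M"),
]

if __name__ == "__main__":
    for f in analyse(SAMPLE_REGISTER):
        print(f["scenario"])
        for issue in f["issues"] or ["no finding"]:
            print("  -", issue)
```

Run against the template, the two ghost-employee findings (no mapped control, residual above tolerance) are the gap the deck's Step 5 text describes.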

Page 28

Additional Benefits

• Identify inefficiencies in operations, processes or controls that expose the organization to the risk of waste and error as well.
• Identify redundant internal controls or other risk management practices.
• Find ways to optimize/enhance existing internal controls (which were initially designed to support another program) in such a way as to have them also prevent/detect fraud.
• Revise or enhance various organizational process assets (such as the internal audit charter, code of conduct/ethics and various policies and procedures)
– For example, training materials can be enhanced to include information on fraud awareness. The code of conduct/ethics can also include a fraud policy.
• Leverage and/or align with the organization’s Enterprise Risk Management Framework, SOX program, anti-corruption/compliance and ethics program, etc.

Page 29

Additional Benefits: Example #1 (Procurement Function)

• Through conducting our fraud risk assessment, it was noted that third party suppliers were sometimes engaged without going through the proper procurement process
• Suppliers were selected and being paid for services:
– Without being recognized as an “approved vendor” by the procurement function;
– Without going out to tender;
– Without undergoing the proper due diligence; and
– Without being formally added to the Accounts Payable system as an approved vendor for payment
• While the intent was not malicious, it did demonstrate that an opportunity to commit fraud existed. More importantly, it presented several other risk scenarios:
– Suppliers/services were engaged which are contrary to the organization’s goals/objectives;
– By engaging an alternate Supplier, the organization violated contractual terms/conditions it had with existing Suppliers;
– The organization engaged a Supplier that, due to weak/questionable business practices, exposed the organization to excessive risk (FCPA);
– An employee committed the organization to an inappropriate contractual arrangement with a Supplier (i.e., unfavorable terms, inappropriate pricing, etc.)
– These suppliers were being paid outside the normal Accounts Payable process

Page 30

Benefits: Example #2 (Accounts Payable Process)

• Through conducting our fraud risk assessment, it was noted that the organization’s current Accounts Payable process was inefficient and, due to the high level of inefficiency, exposed the organization to an excessive number of inherent risks.
– Management was unaware of this until all risks were identified through conducting a proper fraud risk assessment and mapping the risks to the Accounts Payable process flow;
– Given the current process, the cost of mitigation was too high (there were too many inherent risks that would need to be addressed with control activities);
– The process was so weak that we were almost certain that fraud, waste or error was already taking place, but it was too costly to address it given the current process.
• The solution was to map all risk scenarios to the business process to find out where they would fall along the process flow.
• We then determined what weaknesses in the process flow contributed to the inherent risks identified.
• We designed a new process flow to address these weaknesses and limit the number of inherent risks found in the revised process.
• Finally, we identified and implemented internal controls to address the remaining inherent risks.

Page 31

Benefits: Example #2 (Accounts Payable Process)

[Figure: heat map of Activities 1–11 in the Accounts Payable process flow across Employees 1–4, colour-coded in the original as High Risk, Moderate Risk or Low Risk; only the labels survive extraction.]

Page 32

Benefits: Example #2 (Accounts Payable Process)

• We also took this opportunity to design a Segregation of Duties map to help with the reconstruction process:

The following key duties performed along the process must be separated to ensure that the risk of fraud/error is mitigated and operational efficiencies are achieved through specialization and standardization of activities.

Legend for the cell values (Y, N, P): Accountable for this duty; Should not be performing this duty; Acceptable to perform this duty.

| Key duty | Vendor | Invoice Processing | Department Head | Employee | Accounts Payable | Quality Assurance |
|---|---|---|---|---|---|---|
| 1. REQUISITION – submits invoice, calls in for payment, etc. | Y | N | N | Y | N | N |
| 2. INVOICE PROCESSING – sets up invoice in system; reviews invoice for completeness, validity and accuracy | N | Y | N | N | N | N |
| 3. AUTHORIZATION – approves invoice for payment and applies spending authority | N | N | Y | N | N | N |
| 4. SECONDARY REVIEW – reviews invoice for completeness and accuracy | N | N | Y | N | N | N |
| 5. TERTIARY REVIEW – reviews invoice for completeness, accuracy and validity | N | N | N | Y | N | N |
| 6. DISBURSEMENT – issues payment; maintains chain of custody over payments | N | N | N | N | Y | N |
| 7. QUALITY ASSURANCE – compliance check | N | N | N | N | N | Y |
| 8. VENDOR MAINTENANCE – updates vendors on changes related to all client account information; monitors vendors for compliance with policies and standards; modifies and maintains vendor master data | N | N | N | N | Y | P |
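As an added illustration (not the presenter's tool), the following Python script turns the Segregation of Duties map above into a detection rule over Accounts Payable activity records: it flags any role that performs a duty its row marks N, and any one person who performs more than one of the separated key duties on the same invoice. Assumptions: Y means accountable for the duty, P acceptable to perform, N should not perform; the column order follows the slide as extracted; the activity records are constructed sample data.

```python
"""Check Accounts Payable activity against the segregation-of-duties map.

Added illustration, not the presenter's tool. Assumptions: map cells mean
Y = accountable for the duty, P = acceptable to perform it, N = should not
perform it; column order follows the slide as extracted; the activity
records below are constructed sample data, not from the deck.
"""
from collections import defaultdict

ROLES = ["Vendor", "Invoice Processing", "Department Head", "Employee",
         "Accounts Payable", "Quality Assurance"]

# The duty map from the slide: one row per key duty, one cell per role
DUTY_MAP = {
    "1. Requisition":        "Y N N Y N N",
    "2. Invoice processing": "N Y N N N N",
    "3. Authorization":      "N N Y N N N",
    "4. Secondary review":   "N N Y N N N",
    "5. Tertiary review":    "N N N Y N N",
    "6. Disbursement":       "N N N N Y N",
    "7. Quality assurance":  "N N N N N Y",
    "8. Vendor maintenance": "N N N N Y P",
}


def parse_duty_map(duty_map=DUTY_MAP, roles=ROLES):
    """Return {(role, duty): cell} after validating every row of the map."""
    allowed = {}
    for duty, row in duty_map.items():
        cells = row.split()
        if len(cells) != len(roles) or any(c not in ("Y", "N", "P") for c in cells):
            raise ValueError(f"malformed row for {duty}: {row!r}")
        for role, cell in zip(roles, cells):
            allowed[(role, duty)] = cell
    return allowed


def check_activity(events, duty_map=DUTY_MAP, roles=ROLES):
    """events: iterable of (invoice_id, user, role, duty).

    Findings are (invoice_id, user, reason) tuples for two conditions:
    a role performed a duty its row marks N, and one user performed more
    than one of the separated key duties on the same invoice."""
    allowed = parse_duty_map(duty_map, roles)
    findings = []
    touched = defaultdict(lambda: defaultdict(set))   # invoice -> user -> duties
    for invoice, user, role, duty in events:
        cell = allowed.get((role, duty))
        if cell is None:
            findings.append((invoice, user, f"unknown role/duty {role!r}/{duty!r}"))
            continue
        if cell == "N":
            findings.append((invoice, user, f"{role} should not perform {duty}"))
        touched[invoice][user].add(duty)
    for invoice, users in touched.items():
        for user, duties in users.items():
            if len(duties) > 1:
                findings.append((invoice, user,
                                 f"performed {len(duties)} separated duties: {sorted(duties)}"))
    return findings


# Constructed sample activity (not from the deck)
SAMPLE_EVENTS = [
    ("INV-1001", "dave",  "Employee",           "1. Requisition"),
    ("INV-1001", "alice", "Invoice Processing", "2. Invoice processing"),
    ("INV-1001", "bob",   "Department Head",    "3. Authorization"),
    ("INV-1001", "erin",  "Accounts Payable",   "6. Disbursement"),
    # one person both sets up the invoice and approves it
    ("INV-1002", "alice", "Invoice Processing", "2. Invoice processing"),
    ("INV-1002", "alice", "Department Head",    "3. Authorization"),
    # an AP clerk approves an invoice: the map marks this N
    ("INV-1003", "erin",  "Accounts Payable",   "3. Authorization"),
]

if __name__ == "__main__":
    for invoice, user, reason in check_activity(SAMPLE_EVENTS):
        print(f"{invoice} {user}: {reason}")
```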

Page 33

Evaluating & Enhancing a Fraud Management Program

Page 34

A Model for Evaluating FRMP Maturity

The slide plots five maturity stages against a vertical axis labelled “Stakeholder Value”:

Tribal & Heroic
• Ad-hoc/chaotic
• Depends primarily on individual heroics, capabilities, and verbal wisdom

Specialist Silos
• Independent risk management activities
• Limited focus on the linkage between risks
• Limited alignment of risk to strategies
• Disparate monitoring and reporting functions

Top Down
• Common framework, program statement, policy
• Routine risk assessments
• Communication of top strategic risks to the Board
• Executive/Steering Committee
• Knowledge sharing across risk functions
• Awareness activities
• Formal risk consulting
• Dedicated team

Systemic Risk Mgmt.
• Coordinated risk mgmt. activities across silos
• Risk appetite is fully defined
• Enterprise-wide risk monitoring, measuring, and reporting
• Technology implementation
• Contingency plans and escalation procedures
• Risk management training

Risk Intelligence
• Embedded in strategic planning
• Early warning risk indicators
• Development of performance metrics and key risk indicators
• Linkage to performance measurement/incentives
• Risk modeling/scenarios
• Industry benchmarking

Page 35: Taking Fraud Risk Management€¦ · Risk Management Program to effectively manage an organization’s fraud risk: 1. As part of an organization’s governance structure, a fraud

- 34 -

Evaluating the Program Using a Common Framework

A comprehensive Fraud Risk Management Program Framework encompasses seven domains that can help manage fraud, waste and error across the enterprise:

• Strategy: Enterprise strategy that defines the Fraud Management Program function, role and objectives, and establishes a strategic roadmap.
• Governance: Fraud Risk Management Program oversight structure with well-defined roles and responsibilities to manage risks, ensuring that there is adequate collaboration among the various forums/functions.
• Policies, Standards and Procedures: Policies, standards and procedures defining risk management methodology and activities, risk tolerance levels and integration points between risk management functions, to ensure consistency and quality across all program activities.
• Communication, Training and Awareness: Coordinated communication channels and programs to educate stakeholders about their responsibilities at all stages of the fraud management lifecycle.
• Tools and Technology: Tools and technology that drive commonalities in the risk management process and support data accuracy, availability and timeliness.
• Risk Management *: Due diligence and ongoing oversight that an organization must exercise throughout the fraud management lifecycle.
• Metrics and Reporting: Metrics and reports that provide a comprehensive view of enterprise fraud risk to the relevant stakeholders across the enterprise.


How to Refine the Fraud Risk Management Strategy

The roadmap has three phases (1 Assess, 2 Develop, 3 Execute), with Program Management running across all three.

1. Assess
• Conduct organization readiness review and gap analysis based on the fraud management architectural framework
• Define target state by developing a fraud management architectural framework
• Develop fraud management roles and responsibilities
• Identify stakeholders and establish fraud management organization
Work Products: Fraud Management Architectural Framework; Fraud Management Roles and Responsibilities; Fraud Management Organization Structure; Fraud risk governance interaction model; Forum, charter and mandate

2. Develop
• Develop fraud management governance materials
• Design fraud management process flows
• Develop fraud risk assessment questionnaire and risk ranking model
• Develop fraud detection and prevention technology controls
• Develop fraud management monitoring and reporting metrics
Work Products: Fraud Management Policy; Fraud Management Process Flows; Fraud Risk Assessment Questionnaire; Fraud Risk Ranking Model; Fraud Management Technology Architecture; Fraud Management Monitoring and Reporting Metrics

3. Execute
• Conduct fraud management training sessions
• Operationalize fraud management processes and controls
Work Products: Fraud Management Training Materials; Program review and assessment; Trend analysis and industry benchmarking; Continuous improvement


Governance


Observation: Groups, forums and functions do not interact with or support each other; further, governance forums are created without the knowledge and/or approval of the organization.

Recommendation: Document the current governance framework and interaction model to identify gaps and deficiencies. Then, determine how to realign the framework to encourage greater collaboration.

• By formally documenting the fraud governance framework and interaction model, the organization will have clear insight into how to align the governance forums and drive synergy.

[Figure: fraud governance interaction model, current state versus ideal state. Elements shown: Enterprise Fraud Risk Management Committee / Owner; Enterprise Fraud Risk Management Group; Enterprise-wide Fraud Governance; Forum-level Governance with Forums 1-4 spanning Functions 1-4 and Business Units 1-2; supporting functions Compliance, Internal Audit, Legal and Investigations. Flows are labelled "Inputs / Outputs", "Cross-Forum Exchange", "Isolated Silo" and "Output only".]


Enterprise Fraud Risk Management (EFRM) Framework, Level 1: The Risk Intelligent Enterprise

[Figure: framework diagram; its recoverable elements are listed below.]

Nine Principles for Building an Enterprise Fraud Risk Management Framework:
1. Common Definition of Risk
2. Common Risk Framework
3. Roles & Responsibilities
4. Transparency for Governing Bodies
5. Common Risk Infrastructure, including management & response
6. Executive Management Responsibility
7. Objective Assurance and Monitoring
8. Business Unit Responsibility
9. Support of Pervasive Functions

Oversight layers: Risk Governance (Board of Directors); Risk Infrastructure and Management (Executive Management); Risk Ownership (Business Units and Supporting Functions); Tone at the top.
Common Risk Infrastructure: People; Process; Technology.
Risk Classes: Governance; Strategy & Planning; Operations/Infrastructure; Compliance; Reporting.
Risk Process: Identify Risks; Assess & Evaluate Risks; Integrate Risks; Respond to Risks; Design, Implement & Test Controls; Monitor, Assure & Escalate.
Lines of defense: Line 1 (Own & Execute); Line 2 (Operate & Enable); Line 3.A (Oversee & Endorse, Quasi-Independent); Line 3.B (Observe & Evaluate, Internal Audit, Independent).


Establishing an EFRM Governance & Operating Model

[Figure: operating model diagram; its recoverable elements are listed below.]

1st Line of Defense (Lines of Business; Risk Officers)
• Implement internal controls and practices consistent with company-wide policies & procedures
• Managers appointed by the Lines of Business (LOBs) are responsible for identifying, assessing and mitigating risk associated with their business
• Responsibilities shown: identify critical risk scenarios; own fraud risk for the business; maintain accountability for FRM practices; identify risks and mitigation strategy; manage and resolve day-to-day issues; implement key controls
• Risk Officers: maintain accountability for FRM practices and identified risks

2nd Line of Defense (FRM Office / Centre of Excellence (COE); Investigations, HR, Finance, Risk, Compliance, Technology, Legal, Corporate Communications)
• Design and assist in implementing the company-wide risk framework and oversee enterprise risks
• Business partners work with the LOBs to identify, assess and mitigate all risks
• Provide tools and resources to enable effective & efficient execution of risk management activities
• Responsibilities shown: set FRM policies, procedures and standards to govern O/O activity; assist in developing TPRM guidelines, tools and templates; provide subject matter expertise to the 1st Line of Defense; promote consistency and quality of FRM practices; provide ongoing training; drive consistent process across LOBs; provide enterprise FRM standard processes and templates; track issues and facilitate corrective actions; interact with regulators on fraud risk and information security topics

3rd Line of Defense (Internal Audit)
• Independently test, verify and evaluate risk management controls against internal policies
• Assess design and operating effectiveness of the program, considering enhancements to operations, increased customer base or geographical expansion
• Responsibilities shown: perform periodic audits and testing to monitor policy compliance

Governance bodies
• Board of Directors: establish risk tolerances and advise on complex risk issues
• Risk Steering Committee; Fraud Risk Advisory Board
• Other responsibilities shown in the diagram (owner not recoverable from the extracted text): define and implement Fraud Risk Guiding Principles and Strategy; leverage the whistleblower program to identify trends and/or Program weaknesses; provide regulatory interpretation and guidance


Assessing & Enhancing Tools


A technology architecture for managing fraud risk is an ecosystem of orchestrated processes and systems which, if designed appropriately, can help ensure that all relevant data obtained across the fraud lifecycle (including fraud scenarios, metrics, whistleblower logs, and incident reports) is available to facilitate risk assessment, classification, monitoring and reporting.

[Figure: fraud risk technology architecture; its recoverable components are listed below.]

• Risk Management / Monitoring Systems
• Fraud Information Databases: Key Data Inventory; Risk Scenario Inventory; Performance Monitoring
• Interfaces with Databases and Risk Systems
• Risk Metrics Calculation / Modeling: Risk Aggregation; Scenario Risk Score calculation; Risk & Compliance Assessment; Third Party Event Monitoring
• Infrastructure Components: Reporting / Notification Rules; Information Entitlements & Security; Key Risk Indicators; Risk Threshold / Tolerance; Performance Metrics; Residual Risk Calculation
• Reporting: Standardized Reports; Dashboards; Analytics; Logging / Audit Trails
• TPRM Tool Box
• Feedback: promotes continuous improvement to data, systems and architecture


Develop Industry-Specific Metrics

Develop metrics to assess the performance of the FRMP and identify emerging risks/issues. Having the right metrics in place enables an organization to:

• Document, measure and monitor the organization's risk appetite for fraud risk when making various business decisions (e.g., whether to outsource to a third party, to expand into a specific geographical region, etc.);
• Identify trends in fraudulent activity, and discern weaknesses in current processes and/or applications that expose the organization and its customers to undue risk;
• Determine the "true cost" of fraud, including losses to the customer, incident response costs, investigation and recovery costs, and the impact on customer attrition;
• Make better decisions on how to manage fraud and where to focus resources;
• Entertain the idea of implementing control activities that were initially perceived as being too costly for the organization;
• Measure its performance in relation to loss mitigation, total cost of mitigation, total funds recovered and cost of recovery.


Risk Appetite and Enterprise Fraud Risk Management (EFRM)

Articulating Risk Appetite

• Provides a structure for discussion of the balance between business strategy and risk
• Provides guiding principles for management in determining whether strategic/business activities and risk levels are acceptable
• Provides a consistent view of risk across the organization to facilitate decision making
• Enhances the risk awareness culture
• Establishes thresholds to monitor against
• Allows the business to make decisions with risk taken into account

Components of an effective ERM Program:
• Enterprise Risk Management Vision and Strategy
• Governance
• Culture
• Methodology
• Common Language
• Risk Policies
• Risk Appetite
• Risk Assessment
• Risk Measurement
• Risk Monitoring
• Reporting and Escalation
• Independent Verification/Testing


Copyright © 2012 Deloitte Development LLC. All rights reserved.

Risk and Reward Scale

Risk Seeking
Description: Taking risk is considered part of the company's strategy.
Example risk appetite by business activity: New market expansion and acquisition activities.

Risk Tolerant
Description: The company takes an aggressive approach towards taking risk.
Example risk appetite by business activity: Innovation, tax activities.

Risk Neutral
Description: The company takes a balanced approach to risk taking.
Example risk appetite by business activity: Operations, financing activities.

Risk Averse
Description: The company accepts as little risk as possible.
Example risk appetite by business activity: Health, safety, environment, security, fraud, financial reporting, regulatory compliance, and reputation.


Develop and Monitor Key Risk Indicators (KRIs) to proactively identify when tolerable risk thresholds are exceeded

The KRI development process has four steps:

1. Identify Data Points
• Establish data points per KRI
• Identify data source(s) per data point
• Determine data usage

2. Gather Data
• Determine collection method
• Obtain data from relevant sources, including existing reports and key databases

3. Review Data Points
• Perform in-depth review of data elements at each step of the process to ensure data quality and accuracy

4. Aggregate & Review KRI Values
• Combine data points to generate KRI values
• Determine thresholds to monitor

Develop comprehensive risk reporting which takes into account a composite view of emerging risks or trends/behaviors which may indicate that a risk has been, or is about to be, realized.

KRI Information (Ref No., Description, Calculation Formula) | KRI Thresholds | Outcome (Value; the RAG column was colour-coded on the slide and does not survive in the extracted text)

Ref  Description                                                              Formula  Thresholds      Value
1    Number of whistleblower complaints related to fraud                      Count    0 | >0          0
2    Number of internal control operating deficiencies identified             Count    0 | 1-2 | >2    2
3    Count of significant breach events against applicable ethical           Count    <3 | 3-5 | >5   8
     standards, as defined in supplier contract
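The four-step KRI process and the threshold table above are shown here as an added Python example; it is not code from the presentation. It parses the threshold bands exactly as they are written in the table, checks at definition time that the bands leave no gap or overlap (so a count can never silently fall outside every band), assigns each KRI value a RAG status, and rolls the results up into the composite view the slide asks for. Treating the lowest band as Green, the highest as Red and any middle band as Amber, and reading the values as whole-number counts, are assumptions made here; the sample values are the "Value" column of the table.

```python
"""Evaluate Key Risk Indicators (KRIs) against threshold bands, assign a
RAG (Red / Amber / Green) status, and roll the results up into one
composite view.

Added example, not code from the presentation. The three KRIs and their
threshold strings are copied from the slide's table; mapping the lowest band
to Green, the highest to Red and a middle band to Amber, and reading values
as integer counts, are assumptions made here.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Interval = Tuple[Optional[int], Optional[int]]   # inclusive (low, high); None = unbounded
RAG_ORDER = {"Green": 0, "Amber": 1, "Red": 2}


def parse_band(text: str) -> Interval:
    """Turn a threshold string as written on the slide ("0", ">0", "1-2", "<3")
    into an inclusive integer interval. Counts are whole numbers, so ">2"
    means 3 or more and "<3" means 2 or fewer."""
    text = text.replace(" ", "")
    m = re.fullmatch(r">(\d+)", text)
    if m:
        return int(m.group(1)) + 1, None
    m = re.fullmatch(r"<(\d+)", text)
    if m:
        return None, int(m.group(1)) - 1
    m = re.fullmatch(r"(\d+)-(\d+)", text)
    if m:
        return int(m.group(1)), int(m.group(2))
    if re.fullmatch(r"\d+", text):
        return int(text), int(text)
    raise ValueError(f"unrecognised threshold: {text!r}")


@dataclass(frozen=True)
class KRI:
    ref: int
    description: str
    bands: Tuple[Tuple[str, str], ...]   # ((RAG status, threshold text), ...), Green first

    def intervals(self) -> List[Tuple[str, Optional[int], Optional[int]]]:
        return [(status, *parse_band(t)) for status, t in self.bands]

    def validate(self) -> None:
        """Reject band sets that leave a gap or overlap over the non-negative
        integers, so that a value can never fall outside every band."""
        iv = self.intervals()
        if iv[0][1] not in (None, 0):
            raise ValueError(f"KRI {self.ref}: first band must start at 0")
        for (_, _, prev_high), (_, low, _) in zip(iv, iv[1:]):
            if prev_high is None or low is None or low != prev_high + 1:
                raise ValueError(f"KRI {self.ref}: bands are not contiguous")
        if iv[-1][2] is not None:
            raise ValueError(f"KRI {self.ref}: last band must be open-ended")

    def status(self, value: int) -> str:
        if not isinstance(value, int) or value < 0:
            raise ValueError("KRI values are non-negative counts")
        for rag, low, high in self.intervals():
            if (low is None or value >= low) and (high is None or value <= high):
                return rag
        raise ValueError(f"KRI {self.ref}: no band covers {value}")


def is_well_formed(kri: KRI) -> bool:
    """True if the KRI's bands pass validate(); used when loading definitions."""
    try:
        kri.validate()
        return True
    except ValueError:
        return False


# KRIs and thresholds from the slide's table; the colour assignment is assumed.
KRIS = [
    KRI(1, "Number of whistleblower complaints related to fraud",
        (("Green", "0"), ("Red", ">0"))),
    KRI(2, "Number of internal control operating deficiencies identified",
        (("Green", "0"), ("Amber", "1-2"), ("Red", ">2"))),
    KRI(3, "Count of significant breach events against applicable ethical "
           "standards, as defined in supplier contract",
        (("Green", "<3"), ("Amber", "3-5"), ("Red", ">5"))),
]
KRI_BY_REF = {k.ref: k for k in KRIS}
for _k in KRIS:
    _k.validate()          # fail at definition time, not during monitoring

# The "Value" column of the slide's table (0, 2 and 8).
SLIDE_VALUES = {1: 0, 2: 2, 3: 8}


def evaluate(values: Dict[int, int]) -> List[dict]:
    """Score every defined KRI. A missing value is reported as "No data"
    rather than defaulting to Green: an unreported indicator is itself a gap."""
    rows = []
    for kri in KRIS:
        if kri.ref not in values:
            rows.append({"ref": kri.ref, "value": None, "status": "No data"})
            continue
        rows.append({"ref": kri.ref, "value": values[kri.ref],
                     "status": kri.status(values[kri.ref])})
    return rows


def composite_status(rows: List[dict]) -> str:
    """Composite view: the worst status across all scored KRIs drives escalation."""
    scored = [r["status"] for r in rows if r["status"] in RAG_ORDER]
    return max(scored, key=RAG_ORDER.__getitem__) if scored else "No data"


if __name__ == "__main__":
    results = evaluate(SLIDE_VALUES)
    for r in results:
        print(f"KRI {r['ref']}: value={r['value']} -> {r['status']}")
    print("Composite:", composite_status(results))
```

With the slide's values the three KRIs come out Green, Amber and Red, so the composite view is Red and the third KRI is the one to escalate. The contiguity check in validate() is the part worth keeping in a real implementation: a band set such as "0 | >1" would leave a count of 1 with no status, and that is exactly the kind of silent gap a monitoring report must not hide.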


Metrics to Consider

Loss/Damage Quantification
• Total customer losses to be reimbursed.
• Customer attrition costs due to experiencing a fraud incident.
• Total effort expended per incident and the related costs.
• Total incidents for each period.
• Average legal fees per incident.
• Number of employee hours diverted to incident response.
• Cross-channel losses resulting from incidents originating in a specific department/division.

Trends/Weaknesses Exploited
• Successful bypass of internal controls: what controls are getting targeted and bypassed the most?
• Incidents of management override of controls.
• Attack volume.
• Incidents by type and transaction.
• Incidents by geographic location.
• Trends: time of day most attacks occur.
• Trends: types of businesses targeted.

Response and Recovery
• Total effort required to respond to each incident.
• Response time for each incident.
• Timeliness of investigation and wrap-up.
• Total funds recovered in a period.
• Cost-benefit analysis as it relates to cost of recovery versus actual funds recovered.
• Phishing: time from notification to take-down.
• Phishing: success rate of take-down.

Performance
• Number of compromised customers in a period.
• Number of repeat offences against a customer in a period.
• Number of incidents identified by the organization compared to incidents identified by the customer.
• Number of fraudulent attacks denied versus successful attempts.
• Total false positives recognized in a period.
• Total incidents in a period.
• Total incidents by theme.
• Impact of remediation efforts on total incidents.

Monitoring KRIs based on geographical location, areas of operation, and/or services provided will help an organization determine where to allocate resources in response to emerging risks.


Use metrics to determine the “true cost” of fraud

• An online banking division had been experiencing an increase in the following fraud scenarios:
– Access of a legitimate customer account by a fraudulent third party with the intention of acquiring sensitive client information (browsing); and
– Access of a legitimate customer account by a fraudulent third party with the intention of executing unauthorized transactions for personal gain.
• Perpetrators were able to access client accounts through the deployment of financial malware.
• Once a perpetrator gains access to valid customer credentials, the perpetrator is then able to access the client account and commence fraudulent browsing on the account and/or the execution of fraudulent transactions.

Fraudulent Event Frequency and Detection Impact

• There have been 45 fraud incidents since October of the prior year:
– October to June: 1-4 incidents occurred per month;
– July: 10 incidents occurred;
– August: 12 incidents occurred.
• Only half of all fraud incidents are detected by the bank. The other half are discovered and reported by the customers.
• Business customers account for 80% of fraud.
• Average loss to the customer was $15,000 per incident.
• 235 to 660 employee hours are consumed for each fraud incident, depending on the severity.
• Hours consumed by employees for incident response are estimated to be as follows:
– Contacting the client: 50 – 75;
– Freezing, closing and opening new accounts: 150 – 300;
– Corporate Security: 25 to 250 (depending on whether an investigation is warranted);
– IT: 0 – 15;
– Management: 10 – 20.
• At an average cost of $50 per hour, it is estimated to cost approximately $11,750 to $33,000 in payroll expenses per incident.
• Investigation costs are averaging $10,000 per incident.
• Total costs do not consider the cost of customer attrition should customers leave subsequent to falling victim to a fraud incident, and/or reimbursements made to clients.

For the months of July and August alone, the total cost incurred to mitigate, manage and respond to incidents of fraud was estimated to be between $300,000 and $500,000.


Extending the FRMP to Third Parties


Third Party Risk

Third Party Risk Management is the discipline of systematic measurement and management of risks associated with Third Parties throughout the relationship lifecycle.

What is Third Party Risk
• Reliance on third-party relationships can significantly increase an organization's strategic, reputation, compliance, and transaction risk. Increased risk most often arises from poor planning, oversight, and control on the part of the organization and/or inferior performance or service on the part of the third party.
• The consequences can go well beyond direct financial loss to include damage to reputation, media embarrassment, regulatory scrutiny and loss of customers.

Potential Risks: Strategic; Reputation; Compliance; Transaction; Credit; Country; Business Continuity; Contractual; Financial Stability; Information Security/Privacy.

How Third Party Risk Manifests Itself
The presence and severity of each risk vary based on the nature of the third party relationship. Determining factors include:
1. Third Party Profile
• Geographical location
• Type of service provided
• Nature and extent of customer interaction
2. Criticality of Outsourced Product/Service
• The impact to the organization (financial, reputational, etc.) should the third party be unable to meet its contractual obligations
3. Access to Confidential/Sensitive Information
• The impact to the organization should confidential information be misappropriated and/or transferred across borders
4. Level and Point of Integration with Operations
• At what point(s) within the process flow third parties contribute to the execution of the process
• How ingrained a third party's people, practices and technology are in support of the execution of a process (e.g., payroll, data processing)
5. Service Model Affecting Level of Oversight Over the Third Party
• Staff Augmentation
• Managed Service
• Co-sourcing

Note that a third party's risk profile can increase greatly if the third party chooses to rely on a fourth party for support.

Drivers for Third Party Risk Management
• Heightened Regulatory Awareness & Expectations (CFPB, FFIEC, OCC, FCPA)
• Increased Reliance on Third and Fourth Parties as they become more accessible
• Increased Outsourcing of Critical Services, increasing the exposure to Continuity of Business Risk
• Increased Third Party Access to PII and Other Confidential/Sensitive Data

Note that while you can outsource a product/service, you cannot outsource the risk.

• Reliance on third-party relationships can significantly increase an organization's fraud risk
• Organizations that outsource products or services need to understand that their Fraud Risk Management Program is only as strong as the weakest practices in the Third Parties they are outsourcing to
• Failure to extend the Fraud Risk Management Program to Third Parties can result in the organization facing severe penalties and greater regulatory scrutiny (FCPA, UK Bribery Act, CFPB, Privacy Laws, etc.)


Key Elements of a Third Party Risk Management Program

The organization must first understand that each Third Party's risk profile is unique and requires a tailored risk management strategy. The appropriate strategy is dependent on the nature of the particular Third Party relationship, the type and materiality of the risks present, and the ability of the organization to manage those risks. Therefore, a holistic risk management program with select risk management practices targeted to address specific Third Party Risks must be in place across the entire Third Party Lifecycle.

Applying the Third Party Risk Management Program Across the Third Party Lifecycle

Evaluate & Select
• Risk assessment
• Inherent Risk Profiling and Vendor Selection Reviews
• Third party approval and tiering process
• Review Vendor for the following: Financial Viability; Exit strategy; Sanction screening; Reputational reviews; Country risk reviews; Ability to meet compliance obligations

Contract & On-board
• Contract negotiation and legal/procurement approvals
• Contract Language Exception Management

Manage & Monitor
• Control assessments, including: Information Security review; Physical Security Review; Vulnerability and Threat Assessment; Business Continuity assessment; SLA and Performance monitoring; Compliance assessments; News and event monitoring; Reputational reviews; Country risk reviews; Contract reviews

Terminate & Off-board
• Exit strategy and contract review
• Termination Management to confirm that the Vendor meets the obligations of their contract and all client data is removed per the Vendor's contractual obligations

Ongoing Program Management & Reporting spans all four phases.

Changes in environmental factors have increased the depth and frequency of regulatory reviews. A proactive organization will try to minimize such regulatory scrutiny and the possibility of penalties due to non-compliance. Doing so also allows the organization to retain the flexibility to develop and implement risk management strategies on its own, absent direction from a regulatory authority (e.g., MRA, consent order).


Leveraging the Whistleblower Program


The 2012 Corporate Governance and Compliance Hotline Benchmarking Report is a compilation of 599,162 reports over a five-year period covering 2007 to 2011. In 2011, 129,199 reports were taken from 1,128 organizations representing 15,052,215 employees.

Source: The Network, "2012 Corporate Governance and Compliance Hotline Benchmarking Report"

"As organizations continue to either implement or improve their Whistleblower Programs, their ability to detect and prevent fraud grows."

Note that the percentage of whistleblower complaints pertaining to fraud has significantly increased.


Observation: Whistleblower Programs get used the most in industries focused on Retail or Service

Observation: There are 7 key types of incidents that are escalated via the Whistleblower Program


Observation: Phone is still the most popular intake method by far

Observation: Incidents of retaliation for reporting are on the rise


Observation: Organizations are finding creative ways to inform stakeholders of the Whistleblower Program


Observation: Minimal preference over the ability to report anonymously

Observation: Reporters prefer not to notify management


In 2011, 67% of all reports warranted an investigation and only 16% did not. This is referred to as the "actionability" of the report. Of the 67%, 41% resulted in corrective action being taken. In 2010 and 2011 there was nearly a 10% increase from 2007 in the "other" category, which may be due to companies implementing variations in the reporting outcomes.


Features of a Well-Designed Whistleblower Program

• Option for anonymity
• Organization-wide (global) and available 24/7, ideally by telephone, with professionally trained interviewers in all local languages
• Single hotline for all ethics-related issues
• Dual dissemination of the information received so that no single person controls the information, with criteria for immediate escalation where warranted, and for notification of the audit committee when financial irregularities or senior management are involved
• Case management protocols, including processes for the timely investigation of hotline reports and documentation of the results
• Supports the collection and analysis of data to identify trending
• Management analysis of trends and comparison to norms
• Data security and retention policies and procedures (including geographical trends)
• Customization to comply with the laws of foreign jurisdictions and to address cultural differences
• Ongoing messaging to motivate everyone in the organization, as well as vendors, to use the hotline


• A significant number of fraud schemes are uncovered due to employee tips
• A whistleblower program provides employees with a way to report their concerns to the appropriate stakeholders of the organization
• It can only be effective if the following criteria are met:
1. The program is targeted to the relevant stakeholders
2. The stakeholders are aware that such a program exists
3. The stakeholders have a requirement to report
4. The stakeholders have a reasonable assurance of anonymity
5. The stakeholders have access to reporting mechanisms inexpensively and with as few complications as possible, and the program supports direct communication
6. The stakeholder feels comfortable communicating her/his concerns
7. The stakeholder believes that appropriate action will be taken
8. The stakeholder has reasonable assurance that she/he will not be persecuted for reporting her/his concerns

Consider extending your whistleblower program to external parties as well.


Effective Response Protocols


Develop a fraud policy with appropriate fraud response protocols and ownership of fraud risk management

• It is essential that any violations, deviations, or other breaches of the code of conduct or controls, regardless of where in the organization, or by whom, they are committed, be reported and dealt with consistently and in a timely manner.
• Appropriate punishment must be imposed, and suitable remediation completed.
• The board should ensure that the same rules are applied at all levels of the organization, including senior management.
• The organization should develop a system for prompt, competent, and confidential review, investigation, and resolution of allegations involving potential fraud or misconduct.
• Protocols for the board's involvement in such cases — which will vary depending on the nature, potential impact, and seniority of persons involved — should be defined clearly and communicated to management by the board.
• The roles of the board, management, legal counsel, internal audit and others in the investigation process should be clearly defined.

Formalize and document roles and responsibilities, as well as fraud response protocols, within an enterprise-wide fraud policy. This helps ensure that incidents are responded to in a timely manner to minimize the financial and reputational impact.


A Fraud Policy

Many organizations use a fraud policy to communicate the organization's approach to fraud. An effective fraud policy typically contains the following:

• A statement of the organization’s attitude to fraud (e.g., zero tolerance);

• A discussion on the commitment of leadership to address and respond to fraud risks;

• Alignment with the code of conduct/ethics;

• Alignment with the whistleblower policy;

• The allocation of responsibilities for the management of fraud including:

– Reporting suspicions of fraud including whistleblower arrangements (if used);

– The procedures employees should follow if fraud is identified;

– Guidance on training for the prevention/detection of fraud;

– Reference to the response plans and protocols that have been devised to deal with and minimize

the damage caused by an incident of fraud;

– Reference to the remedial action protocols in place.


Developing Investigation Standards

Management is ultimately responsible for developing standards and controls over the investigation process, including:

– Developing policies and procedures for effective investigations;

– Preserving evidence;

– Handling the results of investigations;

– Reporting to the board; and

– Internal and external communications.

Such standards are often documented in the fraud policy. Internal audit may assist in evaluating the policy.

It is often important to assemble the investigation team without delay. If the organization is likely to need external experts, it may want to pre-qualify service providers so that external resources are quickly available when needed.
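"Preserving evidence" is the one item in the list above that can be partly mechanized. The script below is an added example and is not part of the original presentation: it builds a manifest of collected files (who collected them, when, size and SHA-256 digest) and re-verifies the files later so that any alteration after collection is detectable. The file names, case identifier and collector name are constructed for illustration only.

```python
"""Evidence-preservation helper (added example, not from the original deck).

Builds a collection manifest for files gathered during an investigation and
re-hashes them later to prove they have not changed since collection.
Case IDs, collector names and file contents below are constructed samples.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # hash in 1 MiB chunks so large exports never load fully into memory


def sha256_file(path):
    """Return the hex SHA-256 digest of a file, streamed in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(case_id, collector, paths):
    """Record what was collected, by whom, when, and each item's size and digest.

    Items are sorted by path so two collections of the same set of files
    produce an identical manifest, which makes the manifest itself easy to hash.
    """
    return {
        "case_id": case_id,
        "collected_by": collector,
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "items": [
            {"path": p, "size": os.path.getsize(p), "sha256": sha256_file(p)}
            for p in sorted(paths)
        ],
    }


def manifest_digest(manifest):
    """Digest of the serialized manifest, to be recorded on the chain-of-custody form."""
    data = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(data).hexdigest()


def verify_manifest(manifest):
    """Re-hash every item; return (path, problem) pairs for anything missing or changed."""
    problems = []
    for item in manifest["items"]:
        p = item["path"]
        if not os.path.exists(p):
            problems.append((p, "missing"))
        elif os.path.getsize(p) != item["size"] or sha256_file(p) != item["sha256"]:
            problems.append((p, "hash mismatch"))
    return problems


def demo():
    """Constructed scenario: three exported files; one is altered after collection."""
    d = tempfile.mkdtemp()
    ledger = os.path.join(d, "ap_ledger_export.csv")   # hypothetical AP export
    note = os.path.join(d, "note.txt")                 # known content for a hash check
    mail = os.path.join(d, "vendor_mailbox.pst")       # hypothetical mailbox export
    with open(ledger, "w") as f:
        f.write("invoice,vendor,amount\n1001,Acme Supplies,4900.00\n")
    with open(note, "wb") as f:
        f.write(b"abc")
    with open(mail, "wb") as f:
        f.write(b"\x21BDN" + b"\x00" * 64)

    manifest = build_manifest("CASE-0001", "J. Doe (constructed)", [ledger, note, mail])
    clean = verify_manifest(manifest)          # nothing changed yet: []

    # Someone appends a line to the ledger export after collection.
    with open(ledger, "a") as f:
        f.write("1002,Acme Supplies,9800.00\n")
    tampered = verify_manifest(manifest)       # [(ledger, "hash mismatch")]
    return manifest, clean, tampered


if __name__ == "__main__":
    m, before, after = demo()
    print("manifest digest:", manifest_digest(m))
    print("before tampering:", before)
    print("after tampering:", after)
```

The manifest digest, the collector's identity and the collection time are what go on the paper or ticket-based chain-of-custody record; store the manifest itself somewhere the custodians of the evidence cannot write to, otherwise it proves nothing. Hashing is only the integrity half of preservation: originals still need write-blocked or read-only storage, and working copies, not originals, should be used for analysis.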


The Key Elements of an Investigation

The investigation and response system should include a process for:

– Categorizing issues;

– Confirming the validity of the allegation;

– Defining the severity of the allegation;

– Escalating the issue or investigation when appropriate;

– Referring issues outside the scope of the program;

– Conducting the investigation and fact-finding;

– Resolving or closing the investigation;

– Listing types of information that should be kept confidential;

– Defining how the investigation will be documented; and

– Managing and retaining documents and information.

Investigations should be performed in accordance with protocols approved by the board. A consistent process for conducting investigations can help the organization mitigate losses and manage the risks associated with the investigation.

Consider using investigation templates and checklists to standardize and formalize the investigation process (including who to contact and when).


Internal Audit’s Role in Responding to Incidents of Fraud

It is acceptable for Internal Audit or other internal personnel to participate in the investigation, provided that those conducting it are sufficiently independent and objective and possess the skills and expertise necessary to:

– Conduct interviews;

– Collect and manage evidence;

– Compile and analyze evidence;

– Access and analyze public records;

– Access and analyze personal documents belonging to the perpetrator;

– Conduct computer forensic examinations; and

– Liaise with legal counsel to prepare evidence and provide a forensic report.

If in doubt, consult!

– To ensure that investigations are completed in a timely, effective and efficient manner, it is always advisable to consult external resources.


Legal Counsel Considerations

It is in the best interest of the company (and its stakeholders), both professionally and legally, to work effectively with legal counsel and to become familiar with the relevant laws of the jurisdiction in which the fraud investigation takes place.

Legal counsel may also be able to assess the impact the fraud will have on the board and management, and provide guidance on how to manage both internal and external communications regarding the status of the fraud and the investigation.

In many cases it is strongly recommended that the investigation be conducted under the direction of legal counsel so that attorney-client privilege can be invoked. This maximizes the legal privilege attached to any work performed by the investigation team. Privilege generally covers work done at counsel's direction for the purpose of obtaining legal advice, so the engagement should be structured that way from the outset, with investigators and external experts retained by counsel, rather than asserted after the fact.


Fraud Policy Decision Matrix

Similar to a RACI chart, a fraud policy decision matrix summarizes the roles and responsibilities articulated in the fraud policy itself.

Functions (columns), in order: Investigations, Internal Audit, Finance, Executive Management, Risk Management, Public Relations, Human Resources, Legal.

Key: P = primary responsibility; S = secondary responsibility; SR = shared responsibility. Entries are listed in the order they appear in the matrix; rows with fewer than eight entries had blank cells that were not preserved in the extracted text.

Action required:

1. Controls to prevent fraud: S, S, S, P, SR, S, S, S

2. Incident reporting: P, S, S, S, SR, S, S, S

3. Investigation of fraud: P, S, S, S

4. Referrals to law enforcement: P, S

5. Recovery of monies: P, S

6. Internal controls review: P

7. Handle sensitive cases: SR, S, S, S, P

8. Publicity / press releases: S, P, SR

9. Civil litigation: SR, S, S, S, P

10. Corrective action / recommendations to prevent recurrences: SR, SR, P, SR

11. Monitor recoveries: S, P

12. Proactive fraud auditing: S, P

13. Fraud education / training: SR, P, S, S, S

14. Risk analysis of areas of vulnerability: S, S, P

15. Trend analysis: S, SR, P

16. Investigation case analysis: P, SR

17. Whistleblower complaint monitoring: S, SR, P


Incorporate Post Investigation Considerations into the FRMP

Resolution - determining what actions the organization will take once a fraud scheme and its perpetrator(s) have been fully investigated and the evidence has been reviewed. Management and the board are responsible for deciding how to resolve the incident.

Reflection - The results of a fraud investigation may indicate that an occupational fraud had a previously undiscovered adverse effect on the organization's financial position and operating results. Senior management and the board need to be informed of this so they can decide on the appropriate reporting requirements.

Remediation - After the fraud has been investigated and communicated, it is important for management and internal audit to consider the lessons learned:

– How did the fraud occur?

– What weaknesses were exploited?

– What controls failed?

– Why wasn't it caught earlier, and what were the red flags?


Develop a formalized process in which investigations, management and internal audit collaborate to identify the deficiencies in operations and/or internal controls that led to the fraud and to determine the best solutions for addressing them.


Questions & Answers


Daniel J. Williams CGA, CFE, CIA, CISA, CAMS, PMP

604.640.3286

604.351.5567

[email protected]
