Fraud Risk Management Overview
Discussion Questions
1) Does your organization follow a specific risk management model? If so, which one? Do you think this model adequately addresses the risks your organization faces? Why or why not?
2) What are some of the risks your organization faces? Where does the risk of fraud fit into your organization's risk hierarchy?
3) Does your organization have a formal risk management function? If so, are anti-fraud initiatives integrated into the risk management initiatives?
4) How does your organization categorize the risks that are identified in the risk management process?
Learning Objectives
- Analyze the current state of the risk management landscape.
- Compare different risk management frameworks.
- Recognize what fraud risk is and the factors that influence it.
- Understand the reasons for effectively managing fraud risk.
- Determine who is responsible for managing fraud risk within an organization.
Introduction to Risk Management
Risk management involves:
- Identification of risks
- Prioritization of risks
- Treatment of risks
- Monitoring of risks
It means balancing risk appetite with the ability to meet strategic, operational, reporting, and compliance objectives, and it requires a proactive, rather than reactive, approach.
Report on Current State of Risk Management
Risk management initiatives appear relatively immature:
- 30% describe their risk management implementation as systematic, robust, and repeatable.
- 43% describe their risk management processes as very immature or developing.
- 43% are minimally or not at all satisfied with the nature and extent of reporting of key risk indicators to senior executives.
- More than half do not have risk oversight activities formally assigned to a board subcommittee.
- Boards of directors are placing greater expectations on management to strengthen risk oversight.
Risk Management Frameworks
An entity's risk management program should be specifically tailored to its unique needs, but the use of a framework can provide guidance and structure in developing the program.
COSO Enterprise Risk Management Integrated Framework
- Internal environment
- Objective setting
- Event identification
- Risk assessment
- Risk response
- Control activities
- Information and communication
- Monitoring
Mapping of the three frameworks (numbers in parentheses are each framework's component ordering; "--" marks a component the framework does not list separately):

| COSO Internal Control Framework | COSO ERM Framework | ACFE Fraud Risk Management |
|---|---|---|
| Control (Internal) environment (1) | Internal environment (1) | Internal environment: defined roles and reporting; communicate expectations; tone at the top; code of conduct, ethics policy; training |
| -- | Objective setting (2) | Objective setting: define program objectives |
| Risk assessment (2) | Risk assessment (4) | Risk assessment: assemble the right team |
| -- | Event identification (3) | Catalogue and evaluate risks; evaluate existing fraud controls; create mitigating controls |
| -- | Risk response (5) | Risk response |
| Control activities (3) | Control activities (6) | Control activities: ensure compliance; investigate violations |
| Monitoring (5) | Monitoring (8) | Monitor mitigating controls |
| Information and communication (4) | Information and communication (7) | Information and communication: report findings; evaluate risk assessment process |
ISO 31000:2009
Lays out 11 principles of effective risk management and provides guidance on developing both a framework and a process for managing risk that is based on those principles.
ISO 31000:2009 Risk Management Principles: risk management
- Creates value
- Is an integral part of organizational processes
- Is part of decision making
- Explicitly addresses uncertainty
- Is systematic, structured, and timely
- Is based on the best available information
- Is tailored
- Takes human and cultural factors into account
- Is transparent and inclusive
- Is dynamic, iterative, and responsive to change
- Facilitates continual improvement and enhancement
(Source: ISO 31000:2009, Risk Management Principles and Guidelines)
What Is Fraud Risk?
- The vulnerability that an organization has to those capable of overcoming the three elements of the fraud triangle
- Comes from both internal and external sources
- Differs from other risks because fraud, by definition, entails intentional misconduct designed to evade detection
Types of Fraud Risk
- Inherent risk: the risk present before management takes action
- Residual risk: the risk that remains after management takes action
Factors Influencing Fraud Risk
- The nature of the business
- The operating environment
- The ethics and values of the entity and its people
- The effectiveness of internal controls
Business Case for Managing Fraud Risk
Organizations that deny the true possibility of fraud are at the greatest risk.
- The typical organization stands to lose an estimated 5% of its annual revenues to fraud.
- Recovery is typically very little, if any.
- Additional time and money are invested in investigating how frauds happened, pursuing action against perpetrators, and remediating system weaknesses.
A proactive fraud risk management program:
- Directly increases the bottom line
- Sends a clear anti-fraud message
- Demonstrates a sound business strategy
- Enhances the organization's image and reputation
- Promotes goodwill
- Ensures compliance with laws and regulations
Who Is Responsible for Managing Fraud Risk?
A team is responsible for executing, monitoring, and ensuring the success of the program, drawn from:
- Executive management
- Audit committee
- Investigations group
- Compliance
- Controller's group
- Internal audit
- IT security
- Legal department
- Human resources
The team should have a designated leader; synergy and communication among these groups are key.