Developing and Implementing a Fraud Risk Assessment Josh Shilts CPA/CFF, CFE
MY GOAL: Have you walk away with the knowledge and tools to complete a formal and useful fraud risk assessment!
Before We Begin, Remember: The design of an organization's formal and effective anti-fraud program evolves from the collaborative efforts of executive management, oversight committees, and specific departments within the organization.
We need ALL the help we can get
Anti-Fraud Program OBJECTIVE: Prevent or detect the occurrence of fraud and implement proactive solutions to reduce or eliminate fraud's effects on the organization.
Today's focus is on Element #4 - Fraud Risk Assessment: An organization's fraud risk exposure should be assessed periodically by the organization to identify specific scenarios that the organization needs to mitigate.
Source: The IIA, ACFE and AICPA's Managing the Business Risk of Fraud: A Practical Guide, April 2008.
One Size Doesn't Fit All, NOR Should It. Management should tailor the design of the assessment to fit the needs and objectives of the organization. The assessment should be: Efficient, Practical, Easy to Understand, and Useful, NOT just for you and your department but for everyone in the organization.
Risk Assessment Process [process diagram: Identify ... Present]
5 Easy Steps
1) IDENTIFY - Step one is identifying the specific risks your organization is susceptible to, while also considering how granularly you should monitor fraud risks.
2) ANALYZE & ASSESS - Fraud risk measurement varies, but the types of measurements used may have a profound effect on how your organization assesses a risk.
3) PRESENT - Who is your audience? Is there a prescribed format they are already used to? These are the questions you need to consider.
4) PLAN & IMPLEMENT - Work with others and their schedules to ensure your efficiency in completing the assessment. Allow management time to digest and provide feedback, and then work with control owners to implement proactive mitigation solutions.
5) MONITOR - Oh yes, monitor, monitor and do some more monitoring. Suggest an annual formal refresh, but the real value stems from constant assessment.
IDENTIFY: Fraud Risk Categories
Present your FRA at a level that board members, executive management and others within the organization can understand.
Example categories: Fake Expenses, Larceny, False Voids, Bribery
Don't be so granular that you lose conveying the overall message. These aren't fraud experts, but rather individuals who are on a need-to-know basis.
ANALYZE & ASSESS - Measures
KPIs and Mitigating Activities provide real data to support your assessment; however, management should be updated and risks ranked using:
Magnitude + Likelihood [(Controls) + (Pressure)] = Rank
(1) Magnitude (i.e. Significance):
 High (3) = > $10 Million
 Med (2) = Between $4 Million and $10 Million
 Low (1) = < $4 Million
(2) Likelihood (i.e. Controls, Mitigating Activity) - stronger controls mean lower likelihood, so they score lower:
 Strong (1) = Preferred Practice
 Good (2) = Adequate
 Low (3) = Needs Improvement
(3) Likelihood (i.e. Pressure, Occurrence):
 High (3) = Significant pressure
 Med (2) = Moderate pressure
 Low (1) = Little to no pressure
The rank therefore runs from 3 (low magnitude, strong controls, little pressure) to 9 (high magnitude, weak controls, significant pressure).
Other Measures:
(1) Velocity - Measurement of the rate of change (Immediate, Rapid or Slow)
(2) Risk, Gross & Residual - Gross is measured before Mitigating Activities and Residual after (High, Medium or Low)
PRESENT: Enterprise Risk Management
[Heat map: Magnitude (rows) vs. Likelihood (columns), with Operational, Strategic, Fraud, Financial and Compliance risks plotted]
Magnitude scale: Major >$500M = 5; Substantial >$250M = 4; Moderate >$100M = 3; Minor >$10M = 2; Insignificant <$10M = 1
Likelihood scale: Remote = 1; Unlikely = 2; Possible = 3; Likely = 4; Almost Certain = 5
ERM should serve as the model for your FRA.
FRA should have the same look and feel as your ERM presentation.
Your FRA should serve as a Drill-Down from the ERM Fraud Risk.
Define how Financial Impact is measured (i.e. Net Income, Revenues, etc.)
PRESENT: Fraud Risk Assessment
[Heat map: Magnitude (rows) vs. Likelihood (columns), with fraud risks 1 through 15 plotted; the cluster labeled FRAUD is 1 + 2 + 3 + 14 + 15 = FRAUD]
Magnitude scale: Major >$50M = 5; Substantial >$25M = 4; Moderate >$10M = 3; Minor >$1M = 2; Insignificant <$1M = 1
Likelihood scale: Remote = 1; Unlikely = 2; Possible = 3; Likely = 4; Almost Certain = 5
Theoretically the SUM equals the value of FRAUD as presented on the Company's Enterprise Risk Management Map.
Define how Financial Impact is measured (i.e. Net Income, Revenues, etc.)
PLAN/IMPLEMENT: Fraud Scheme Management
Using the categories defined for presentation purposes, build a granular fraud scheme repository specific to your organization's activities & risks.

Fraud Scheme | Sub Risk | Category
Vendor A is required to pay the bidding manager $2,000 to participate in the bidding process | Extortion | Corruption
Funds are misappropriated to a shell company. Vendor setup is colluding with accounts payable. | Fraudulent Disbursement - Billing Scheme | Asset Misappropriation
Management has decided to book revenue for items shipped, and ships items to meet expectations. | Financial - Fictitious Revenues | Fraudulent Statements

The repository schemes can then be tracked and measured at a granular level and rolled up to assist in measuring the sub-risks and categories.
KPIs: 1. Hotline Statistics 2. SEC Enforcement Actions
Mitigation Actions: 1. SOX Controls 2. Audit Procedures
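As an added worked example (not from the presentation), the scoring scale from the ANALYZE & ASSESS slide and the scheme repository from this slide combined in Python: each scheme is scored with Magnitude + Controls + Pressure, gross versus residual risk is derived, schemes are ordered for presentation, and scheme-level scores roll up to sub-risk and category. The repository rows are constructed sample data loosely following the schemes above; the High/Medium/Low cut points for the 3..9 rank, scoring gross risk by removing the benefit of controls, and rolling up by totaling impact and keeping the worst rank are assumptions of this example, not rules stated on the slides.

```python
from collections import defaultdict
from dataclasses import dataclass

# Scoring scales as given on the ANALYZE & ASSESS slide.
CONTROLS = {"Strong": 1, "Good": 2, "Low": 3}  # stronger controls -> lower likelihood score
PRESSURE = {"High": 3, "Med": 2, "Low": 1}


def magnitude_score(impact_usd):
    """Magnitude band from the slide: > $10M = 3, $4M to $10M = 2, < $4M = 1."""
    if impact_usd > 10_000_000:
        return 3
    if impact_usd >= 4_000_000:
        return 2
    return 1


@dataclass(frozen=True)
class Scheme:
    """One row of the fraud scheme repository."""
    name: str
    category: str     # Corruption / Asset Misappropriation / Fraudulent Statements
    sub_risk: str     # e.g. Extortion, Billing Scheme, Fictitious Revenues
    impact_usd: int   # financial impact in the measure the FRA defines (net income, revenue, ...)
    controls: str     # Strong / Good / Low
    pressure: str     # High / Med / Low


def residual_rank(s):
    """Rank = Magnitude + Likelihood[(Controls) + (Pressure)]; ranges from 3 to 9."""
    return magnitude_score(s.impact_usd) + CONTROLS[s.controls] + PRESSURE[s.pressure]


def gross_rank(s):
    """Gross risk before mitigating activities. Assumption of this example: score the
    scheme as if controls were 'Low', i.e. with the benefit of existing controls removed."""
    return magnitude_score(s.impact_usd) + CONTROLS["Low"] + PRESSURE[s.pressure]


def level(rank):
    """Map the 3..9 rank to High / Medium / Low. The cut points are an assumption."""
    if rank >= 7:
        return "High"
    if rank >= 5:
        return "Medium"
    return "Low"


def ranked(schemes):
    """Schemes in presentation order, highest residual rank first."""
    return sorted(schemes, key=residual_rank, reverse=True)


def roll_up(schemes, key):
    """Aggregate scheme rows to a sub-risk or category (key = 'sub_risk' or 'category').
    Assumption: total the financial impact and keep the worst residual rank, so one
    badly controlled scheme is not averaged away by well-controlled siblings."""
    groups = defaultdict(list)
    for s in schemes:
        groups[getattr(s, key)].append(s)
    return {
        name: {
            "impact_usd": sum(s.impact_usd for s in rows),
            "worst_rank": max(residual_rank(s) for s in rows),
            "schemes": len(rows),
        }
        for name, rows in groups.items()
    }


# Constructed sample repository; amounts and scores are illustrative, not from the slides.
REPOSITORY = [
    Scheme("Vendor A pays the bidding manager $2,000 to join the bidding process",
           "Corruption", "Extortion", 1_500_000, "Good", "High"),
    Scheme("Kickbacks from a preferred supplier to purchasing staff",
           "Corruption", "Bribery", 3_000_000, "Strong", "Med"),
    Scheme("Funds misappropriated to a shell company; vendor setup colludes with AP",
           "Asset Misappropriation", "Billing Scheme", 6_000_000, "Low", "Med"),
    Scheme("Revenue booked on items shipped to meet expectations",
           "Fraudulent Statements", "Fictitious Revenues", 25_000_000, "Good", "High"),
]

if __name__ == "__main__":
    for s in ranked(REPOSITORY):
        r = residual_rank(s)
        print(f"residual {r} ({level(r)}), gross {gross_rank(s)}  {s.sub_risk}: {s.name}")
    for name, agg in roll_up(REPOSITORY, "category").items():
        print(f"{name}: {agg}")
```

The roll-up keeps the worst rank rather than an average so that the category view presented to management does not hide a single poorly controlled scheme; the totaled impact is what would be carried up to the FRAUD point on the ERM map.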
Prevention: Keep your Ears on the Track
1. Integrate current activities with anti-fraud objectives
2. Continue to assess preventive activities as part of audit and SOX procedures and identify ways to improve prevention activities
3. Adjust preventive activities based upon new ideas, frauds, etc.
4. Seek feedback from business owners
5. Try to stay ahead of the fraudster by educating yourself and your team
Continue to improve & enhance these activities based on past experiences, new concepts and information from your fraud risk assessment.
Detection: Use Existing Knowledge
Leading Indicators: 1. Hotline Complaints 2. Fraud Risk Research Stats 3. New Audits w/ Fraud Objectives
Lagging Indicators: 1. Ratio Analysis 2. Prior Audit Findings 3. Hotline Complaint Trends
[Diagram: detection activities feeding Audit Planning & Testing - SOX/ICFR Testing, Management/Employee Awareness, Audit Planning, Fraud Risk Assessment, Continuous Monitoring, Focus Areas, Policy Objectives, Training]
MONITORING: It Never Stops!!!
Understand what you or your department is currently doing to monitor or uncover additional fraud risks: Audits; ICFR (e.g. SOX); Continuous Assurance
Find new ways to monitor: Review prior audits and ICFR fraud controls; Meet with counterparts in the Company; Read periodicals, journals, etc.; Statistical Analysis (internal and external data)
Now What? NEVER stop thinking of new fraud risks. Think of NEW ways to convey your message. TREAT your assessment like a tool. GET TO WORK!!!
Questions? Josh Shilts CPA/CFF, CFE (305) 373-5500 x2226 jshilts@mbafcpa.com