Corporate Resiliency: Managing the Growing Risk of Fraud and Corruption
Toby Bishop, Director, Deloitte Forensic Center
Deloitte Financial Advisory Services LLP

Contents
- Why corporate resiliency?
- What can we do differently?
- A COSO-consistent approach to fraud risk management
- Fraud risk management improvement opportunities
- Evaluating your organization's fraud risk management capability
- Questions & answers
- Conclusion
Why corporate resiliency?

A convergence of factors:
- Globalization
- Risk surprises
- Risk management process issues
- Greater enforcement

These factors suggest a different risk management strategy may be desirable:
- Recognize the prevailing risks of fraud and corruption
- Plan to survive and succeed despite them

That is corporate resiliency.

What can we do differently?
Some steps toward corporate resiliency
1. Fraud risk ownership and oversight
2. Proactive risk management strategies
3. Advance preparation of responses to fraud
4. Focus on antifraud performance, not just compliance

A COSO-consistent approach to fraud risk management

The five COSO components mapped to antifraud programs and controls (AFPC = Antifraud Programs & Controls):

Creating a Control Environment
- Tone at the top
- Code of conduct/ethics
- Whistleblower hotline
- Investigation process

Performing Fraud Risk Assessments
- Identify fraud risk factors, fraud risks and fraud schemes

Designing and Implementing Antifraud Control Activities
- Link or map identified fraud risks to control activities

Sharing Information and Communication
- Effective communication of antifraud programs and controls throughout the organization

Monitoring Activities
- Monitoring effectiveness of antifraud programs and controls

Fraud risk management improvement opportunities
The Antifraud Roadmap

Six phases, each with the supporting activity or tool shown on the roadmap:

Evaluate
- Evaluate current status and effectiveness of an organization's approach to implementing antifraud programs and controls.
- Supporting activity: Culture/Attitude Survey

Identify
- Assess, define, and document fraud risks and control effectiveness. Establish a fraud risk profile by analysis of risk against controls.
- Supporting activity: Fraud Risk Assessment

Action Plan
- Develop a fraud action plan based on findings and identify activities that define the next steps for the organization's antifraud program.
- Supporting activity: Fraud Risk Action Plan

Mitigate
- Enhance, implement, and maintain preventive and detective control activities that mitigate the fraud risks identified during the assessment.
- Supporting activity: Fraud Awareness Training

Monitor
- Enable continuous monitoring through technology and ongoing review activities to alert management to potential fraud. Incorporate findings into the annual fraud risk assessment process.
- Supporting activity: Continuous Monitoring Tools

Respond
- Assist in responding to potential occurrences of fraud.
- Supporting activity: Fraud Case Management Tools

The roadmap also lists four further deliverables: Diagnosis, Mitigate Deficiencies, Data Analytics, and Fraud Response.

Management's fraud risk assessment: sample detailed documentation

Columns of the sample register: Fraud Risk Factor; Fraud Risk; Fraud Scheme/Scenarios; Account Balance Affected; Potential Person(s) Involved; Type; Likelihood; Significance; Inherent Risk; Control Activities; Control Type; CDER; CIER; CRR; Residual Risk.

Sample row 1:
- Fraud Risk Factor: Public company / unrealistic expectations
- Fraud Risk: Overstatement of revenue/earnings
- Fraud Scheme/Scenarios: Roundtrip transactions. Transactions may include sales between companies for the same amount within a short time period, or they may involve a loan to or investment in a customer so that the customer has the ability to purchase the goods (vendor financing). Liberal exchange or return policies without an appropriate reserve; improper accounting for a liberal or unconditional right of return on products shipped for trial or evaluation purposes; other sham transactions.
- Account Balance Affected: Sales; Accounts receivable
- Potential Person(s) Involved: Sales agents; Finance; Management
- Type: F2
- Likelihood: 4
- Significance: 4
- Inherent Risk: 8 (High)
- Control Activities:
  22.1.1.1 Business Approval Matrix: Prior to booking a contract, does a member of Sales Accounting (or local equivalent) review the contract package to ensure that all appropriate approvals and required documentation have been obtained in accordance with the documented policy (business approval matrix)? Control type: P
  22.1.1.2 Standard Contract Review Checklist: Is such review documented in the standard contract review checklist and signed off by Sales Accounting management (or local equivalent) for all contracts? Control type: P
  22.1.1.3 Revenue Recognition Review, Contracts > $1M: Prior to booking, are contracts with either a gross value greater than $1 million or non-standard terms reviewed for revenue recognition considerations by the revenue recognition senior manager? Is such review and approval documented? (Such review is typically done in the proposal stage.) (Corporate) Control type: P
  22.1.1.4 Internal Audit Review, Contracts > $1M: Internal Audit anticipates that management can override controls and performs procedures, such as confirming the particulars of the contract with the customer in writing, on a regular basis to test against the override of controls. Control type: D
- CDER: 2
- CIER: 2
- CRR: 4
- Residual Risk: 12

The slide's callouts label the control-rating columns "effective controls" and the final column "residual risk". Control types: P = preventive, D = detective.
Management's fraud risk assessment: sample heat map summary

Axes: Significance (vertical) against Likelihood (horizontal). The ten risks plotted on the sample map:
1. Intentionally recording sales prematurely
2. Bribery/corruption
3. Creating fictitious sales
4. Fraudulent claims by retail customers
5. Intentional overcharges by vendors
6. Intentional overstatement of assets used to secure finance
7. Unauthorized trades in financial markets
8. Unsupportable product performance statements
9. False employee expense report claims
10. Employee embezzlements

Sample fraud & corruption risk heat map only. Ratings will vary by company.

Whistleblowing and the new race to report

The Dodd-Frank Wall Street Reform and Consumer Protection Act, Section 922:
- Created awards of 10-30 percent of monetary sanctions
- For whistleblowers who report to the SEC
- Original information
- Leading to securities law enforcement actions that recover more than $1 million

Potential strategic use of technology to deter and detect fraud

A Significance-by-Likelihood matrix of how analytics can be applied:
- Focused use to test transactions and detect unexpected high-risk violations in a timely manner
- Generally reactive use to assess the extent of violations identified
- Data mining and continuous auditing to detect expected violations
- Selective use to test and enhance processes and controls and to deter fraud

Observations:
- Treating basic CAATs (computer-assisted audit techniques) skills as a core competency for all internal auditors could enhance fraud deterrence and detection
- Sampling 100% and publicizing it enhances deterrence and detection
- Reconciling data provided to the G/L helps ensure the data is complete
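The three observations above (100% sampling, reconciling the extract to the G/L before relying on it, and continuous auditing for expected violations) are the kind of checks a data analytics routine in the Monitor phase would run. The script below is an added illustration and is not part of the Deloitte presentation: it reconciles a constructed transaction extract to constructed G/L control totals, searches the extract for the round-trip pattern described in the sample risk assessment (a sale and a purchase with the same counterparty for the same amount within a short window), and tests 100% of a constructed contract list against control 22.1.1.3 (documented revenue recognition review for contracts over $1 million or with non-standard terms). All data, account names and the 30-day window are assumptions.

```python
from collections import defaultdict
from datetime import date
from decimal import Decimal

# Constructed sample data (not from the presentation): a sales/purchase
# extract and the general-ledger control totals it is supposed to match.
TRANSACTIONS = [
    {"id": "T1", "date": date(2009, 3, 2),  "account": "Sales",     "counterparty": "Acme Ltd", "kind": "sale",     "amount": Decimal("250000")},
    {"id": "T2", "date": date(2009, 3, 20), "account": "Purchases", "counterparty": "Acme Ltd", "kind": "purchase", "amount": Decimal("250000")},
    {"id": "T3", "date": date(2009, 3, 5),  "account": "Sales",     "counterparty": "Beta Inc", "kind": "sale",     "amount": Decimal("120000")},
    {"id": "T4", "date": date(2009, 6, 30), "account": "Purchases", "counterparty": "Beta Inc", "kind": "purchase", "amount": Decimal("120000")},
    {"id": "T5", "date": date(2009, 3, 10), "account": "Sales",     "counterparty": "Gamma Co", "kind": "sale",     "amount": Decimal("80000")},
]
# Constructed G/L control totals; Purchases deliberately differs from the extract.
GL_TOTALS = {"Sales": Decimal("450000"), "Purchases": Decimal("410000")}

# Constructed contract population for the 100% control test.
CONTRACTS = [
    {"id": "C1", "gross_value": Decimal("1500000"), "nonstandard_terms": False, "revrec_review_documented": True},
    {"id": "C2", "gross_value": Decimal("900000"),  "nonstandard_terms": True,  "revrec_review_documented": False},
    {"id": "C3", "gross_value": Decimal("2000000"), "nonstandard_terms": False, "revrec_review_documented": False},
    {"id": "C4", "gross_value": Decimal("500000"),  "nonstandard_terms": False, "revrec_review_documented": False},
]


def reconcile_to_gl(transactions, gl_totals):
    """Sum the extract by account and compare it to the G/L control totals.

    Returns {account: (extract_total, gl_total, difference)} for every account
    in either source. A non-zero difference means the extract (or the G/L) is
    incomplete, so analytics run on the extract cannot yet be relied upon.
    """
    sums = defaultdict(Decimal)
    for t in transactions:
        sums[t["account"]] += t["amount"]
    result = {}
    for acct in sorted(set(sums) | set(gl_totals)):
        extract = sums.get(acct, Decimal(0))
        gl = gl_totals.get(acct, Decimal(0))
        result[acct] = (extract, gl, extract - gl)
    return result


def find_round_trips(transactions, window_days=30):
    """Flag a sale matched by a purchase from the same counterparty for the
    same amount within window_days (the round-trip scheme in the sample
    risk register). Returns a list of (sale_id, purchase_id) pairs.
    """
    sales = [t for t in transactions if t["kind"] == "sale"]
    purchases = [t for t in transactions if t["kind"] == "purchase"]
    hits = []
    for s in sales:
        for p in purchases:
            same_party = p["counterparty"] == s["counterparty"]
            same_amount = p["amount"] == s["amount"]
            close_in_time = abs((p["date"] - s["date"]).days) <= window_days
            if same_party and same_amount and close_in_time:
                hits.append((s["id"], p["id"]))
    return hits


def contracts_missing_revrec_review(contracts, threshold=Decimal("1000000")):
    """Test 100% of contracts against control 22.1.1.3: every contract with a
    gross value over the threshold or with non-standard terms must have a
    documented revenue recognition review. Returns the ids of exceptions.
    """
    return [
        c["id"] for c in contracts
        if (c["gross_value"] > threshold or c["nonstandard_terms"])
        and not c["revrec_review_documented"]
    ]


if __name__ == "__main__":
    for acct, (extract, gl, diff) in reconcile_to_gl(TRANSACTIONS, GL_TOTALS).items():
        status = "OK" if diff == 0 else "OUT OF BALANCE"
        print(f"{acct}: extract {extract} vs G/L {gl} -> {status}")
    print("Round-trip candidates:", find_round_trips(TRANSACTIONS))
    print("Contracts lacking rev-rec review:", contracts_missing_revrec_review(CONTRACTS))
```

On the constructed data the reconciliation reports Purchases out of balance by 40,000, which is the signal to stop and obtain a complete extract before treating the other two results as conclusive; T1/T2 is the one round-trip candidate, and C2 and C3 are the control exceptions. In practice the round-trip test would be extended to amounts that differ by a small tolerance and to related-party lists, and the exceptions would feed the fraud case management step of the roadmap.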
Evaluating your organization's fraud risk management capability

Evaluating your organization's fraud risk management performance
- Managing the Business Risk of Fraud: A Practical Guide, produced by the IIA, AICPA and ACFE. Free download at www.theiia.org/guidance/additionalresources/managing-the-business-risk-of-fraud/
- Corporate Resiliency Self-Assessment Tool, found on pages 42-44 of the book Corporate Resiliency: Managing the Growing Risk of Fraud and Corruption by Toby Bishop and Frank Hydoski (Wiley, 2009). www.deloitte.com/us/corporateresiliency
- Deloitte Anti-fraud Programs & Controls Diagnostic. Ask your Deloitte partner for more information.

Anti-fraud Programs and Controls Diagnostic: sample results

Survey results are presented as a radar chart of the five key components of antifraud programs and controls derived from COSO's Internal Control - Integrated Framework, with each axis scaled from "Non-Existent" to "COSO Consistent". The chart gives a graphical representation of the review results. The evaluation helps identify opportunities for performance improvement, not just the minimum standards for compliance with SOX 404.

Deloitte Forensic Center resources
- Book: Corporate Resiliency: Managing the Growing Risk of Fraud and Corruption (Wiley, 2009)
- Article: Mapping Your Fraud Risks, in Harvard Business Review (October 2009)
- More information at: www.deloitte.com/forensiccenter
What questions do you have?

Conclusion
1) Discoveries of fraud are expected to increase
2) Companies would be wise to prepare
3) Understand, prioritize and manage your company's fraud risks
4) Have a robust program to prevent, deter, detect, and respond to fraud
5) Proactive tools and data analytics may help you identify frauds earlier

Corporate resiliency doesn't guarantee survival and success, but a lack of resiliency
Contact information
Toby Bishop
Director, Deloitte Forensic Center
Deloitte Financial Advisory Services, LLP
+1 312 486 5636
tobybishop@deloitte.com
Deloitte Forensic Center: www.deloitte.com/forensiccenter

Disclosure
This presentation contains general information only and is based on the experiences and research of Deloitte practitioners. Deloitte is not, by means of this presentation, rendering business, financial, investment, or other professional advice or services. This presentation is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor. Deloitte, its affiliates, and related entities shall not be responsible for any loss sustained by any person who relies on this presentation.

About Deloitte
Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee, and its network of member firms, each of which is a legally separate and independent entity. Please see www.deloitte.com/about for a detailed description of the legal structure of Deloitte Touche Tohmatsu Limited and its member firms. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries.
Member of Deloitte Touche Tohmatsu Limited