GOVERNANCE, RISK AND COMPLIANCE. Internal Audit. Assessing Fraud Vulnerabilities. kpmg.com/in



Similar documents
Vital Risk Insights kpmg.com

Antifraud program and controls assessment grid*

IT Audit Perspective on Continuous Auditing/ Continuous Monitoring KPMG LLP

Leveraging data analytics and continuous auditing processes for improved audit planning, effectiveness, and efficiency. kpmg.com

Whitepaper. Beyond Compliance: Implementing Effective Whistleblower Hotline Reporting Systems

Fraud Risk Management

Fraud Prevention and Deterrence

GUIDANCE NOTE FOR DEPOSIT-TAKERS. Operational Risk Management. March 2012

Internal Controls and Fraud Detection & Prevention. Harold Monk and Jennifer Christensen

HR Function Optimization

Strategically Detecting And Mitigating Employee Fraud

Investment Management: Rising to the Risk and Compliance Challenge kpmg.com

AN AUDIT OF INTERNAL CONTROL OVER FINANCIAL REPORTING THAT IS INTEGRATED WITH AN AUDIT OF FINANCIAL STATEMENTS:

The three lines of defence

Fraud and Role of Information Technology. September 2008

ADVISORY SERVICES. Risk management in an evolving world. Making the case for social media governance. kpmg.com

Fraud Awareness Training

ACFE FRAUD PREVENTION CHECK-UP

Procurement Fraud Identification & Role of Data Mining

Compliance Risk Management Survey A Point of View

AGA Kansas City Chapter Data Analytics & Continuous Monitoring

Driving business performance Using data analytics

Types of Fraud and Recent Cases. Developing an Effective Anti-fraud Program from the Top Down

BDO NORDIC. Investigation, fraud prevention and computer forensics. You can guess. You can assume. Or you can know. And knowing is always better.

September 28, Audit s Role in Governance, Risk Management and Internal Control

Audit Committee Institute Evaluation of internal auditors

Fraud Risk Management Procedures

The Role of Internal Audit in Risk Governance

ACL WHITEPAPER. Automating Fraud Detection: The Essential Guide. John Verver, CA, CISA, CMC, Vice President, Product Strategy & Alliances

Impact of New Internal Control Frameworks

FINANCIAL INSTITUTIONS: MANAGING OPERATIONAL RISK WITH RSA ARCHER

Using data analytics and continuous auditing for effective risk management

Ensure Effective Controls and Ongoing Compliance

Service Provider Performance and Satisfaction (SPPS) Survey, India, 2013

Transforming risk management into a competitive advantage kpmg.com

Fraud Prevention and Detection in a Manufacturing Environment

IDC MarketScape: Worldwide Business Consulting Strategy for Digital Operations 2015 Vendor Assessment

CODE OF ETHICS FOR FINANCIAL PROFESSIONALS

Accenture Risk Management. Industry Report. Life Sciences

Designing an Operational Risk Program for a Community Bank Stephan Salvador Managing Director, Risk Management Consulting

Compliance and Ethics at the Federal Reserve Bank of New York

Implementing the value chain of the future

COSO Internal Control Integrated Framework (2013)

OCC 98-3 OCC BULLETIN

Fraud Prevention, Detection and Response. Dean Bunch, Ernst & Young Fraud Investigation & Dispute Services

CONTINUOUS CONTROLS MONITORING

KPMG s Financial Management Practice. kpmg.com

Process Control Optimisation with SAP

Credit Union Liability with Third-Party Processors

How To Use The Sap Process Control Application

How To Transform It Risk Management

Transmittal Letter Objectives and Scope Approach Financial System Permitting Application... 9

Strong Corporate Governance & Internal Controls: Internal Auditing in Higher Education

Running the business of IT metrics that matter

IMPROVING AUDIT READINESS BY MANAGING YOUR DYNAMICS ERP

Tel (03) Fax (03) ACIIA ADVOCACY PROJECT ASIAN STOCK EXCHANGE PERSPECTIVES ON INTERNAL AUDIT

Symantec Security Compliance Solution Symantec s automated approach to IT security compliance helps organizations minimize threats, improve security,

Information Security in Telecom Sector. kpmg.com/in

KPMG LLP Credit Risk Management Practices 2014 Survey on Credit Bureau Reporting

Complete Financial Crime and Compliance Management

IT Transformation. Moving Beyond Service Management to a Strategic Business Role. August kpmg.com

Fraud and the Government Internal Auditor

THE FRAUD PREVENTION CHECK-UP 1 HOW COMPLETING THIS CHECK-UP CAN BENEFIT YOUR ORGANIZATION

Drive to the top. The journey, lessons, and standards of global business services. kpmg.com

6/8/2016 OVERVIEW. Page 1 of 9

Policy-Standard heading. Fraud and Corruption Policy

Effective Model Risk Management for Financial Institutions: The Six Critical Components

Run SAP Risk Management in Utilities to Get Business Value Fast

APEC General Elements of Effective Voluntary Corporate Compliance Programs

The New Third-Party Oversight Framework: Trust but Verify kpmg.com

Audit Phases. Phase 1: Planning and Risk Identification

Your mobile workforce is spread out, manage the complexity in one place. Powered by KPMG LINK Global Mobility Portal

Leveraging Data Analytics and Continuous Auditing. Internal Audit. January 9, 2014

3.6 - REPORT BY THE CHAIRMAN OF THE BOARD OF DIRECTORS ON CORPORATE GOVERNANCE, RISK MANAGEMENT AND INTERNAL CONTROLS

Management Consulting Services kpmg.com.tr

RSA ARCHER AUDIT MANAGEMENT

MANAGEMENT CONSULTING. e-commerce. Rhetoric, Reality and Opportunity. Supported by

Regulatory Compliance Management for Energy and Utilities

Sarbanes-Oxley: Beyond. Using compliance requirements to boost business performance. An RIS White Paper Sponsored by:

VICTIMS. Tend to be smaller companies (<100 employees) *

FRAUD PREVENTION STRATEGIES FOR HEALTH CARE A FORENSIC ACCOUNTANT S PERSPECTIVE

Best Practices for Managing Bank Transaction Risk Using a Continuous Data Analytics Approach

Retail. White Paper. Driving Strategic Sourcing Effectively with Supply Market Intelligence

Business Process Services. White Paper. Five Principles to Consider when Consolidating your Finance and Accounting Function

Business Process Services. White Paper. Improving Regulatory Compliance in the Mortgage Industry

The rise of third party relationships means rise in risk and regulation. Non-compliance is risky business for financial institutions

Regional Municipality of Wood Buffalo

Introducing SAP Fraud Management. Jérôme Pugnet

Oracle Financial Services Broker Compliance

Qualification in Internal Audit Leadership (QIAL ) Exam Syllabus

Corporate governance statement

We believe successful global organisations can confront fraud, corruption and abuse PwC Finland Forensic Services

Economic crime has risen to

President s Management Advisory Board. Meeting Materials. September 7, :30 1:30pm EDT

RSA ARCHER OPERATIONAL RISK MANAGEMENT

Risk Management. Group Standard

DATA ANALYSIS: THE CORNERSTONE OF EFFECTIVE INTERNAL AUDITING. A CaseWare IDEA Research Report

Transcription:

GOVERNANCE, RISK AND COMPLIANCE Internal Audit Assessing Fraud Vulnerabilities kpmg.com/in

1 Internal Audit Assessing Fraud Vulnerabilities Introduction Globalization has increased the scale and complexity of today s business environment. The velocity of change has created significant pressures on management to effectively maintain oversight of all operations. These challenging scenarios create various vulnerabilities in systems, procedures and frameworks for manipulation and frauds. The incentives and pressures to commit frauds viz. financial gain, meeting target etc have always existed. However, frauds happen when fraudsters get an opportunity to execute their intentions. The opportunity arises when they spot a weak link in the oversight process, inadequate controls, lack of proper accountability, unrestrained power to certain individuals, inadequate segregation and rotation of duties, excessive trust etc. Some of these are simplistic internal control failures. While managing these challenges, internal audit teams should ensure that they stay relevant in today s times and equip themselves with the necessary skills, knowledge and tools to enhance their ability to identify frauds and discharge their responsibilities. Internal audit functions need to evaluate how vulnerable are their internal procedures and abilities to discharge this role effectively and take measures to strengthen their approach. This paper defines certain key focus areas for internal audit teams to assist them in enhancing their role towards identifying vulnerabilities in the system for manipulation and fraud. According to KPMG in India s Fraud survey report 2012, 55 percent of the organizations surveyed had experienced fraud in the last 2 years. Executive management who are responsible for establishing a robust control environment and audit committees who responsible for effective oversight are increasingly depending on the audit functions (internal and external) and various other assurance providers to provide them with the necessary information to gain insights and assurance on the control environment. Though the audit functions are not primarily responsible for identifying frauds within an organization, they have an implicit responsibility to identify fraud. Internal auditors and external auditors are the third line of defense. However, they are the only independent line of defense for various stakeholders. According to KPMG s survey, internal audit review was considered by stakeholders as the second most reliant method to detect fraud.

Internal Audit Assessing Fraud Vulnerabilities 2 Internal audit plan is the fundamental document which is the basis for driving the assurance program within an organization. The audit plan is normally focused on critical areas that matter the most. This is identified based on critical risks, inputs from various stakeholders, past experiences etc. The plans are mainly geared to review the operational processes and the emphasis on strategic and cultural areas is often not included in the plans. To make them more holistic internal audit plans should include the following: Assessing organization culture and governance structure The starting point of a robust fraud risk management framework is the organization s governance structure. The audit of governance structure should include audit of budgeting process, ethics policies and its implementation, quality of organizational teams, amount of work pressure for individuals, effectiveness of monitoring procedures by senior management, rotation procedures, alignment of schedule of authority matrix, compliance framework, governance practices, performance incentives evaluation, segregation of duties etc. Any weaknesses in these areas will create vulnerability for frauds and hence it is important for internal auditors as part of their internal audit plan to focus on these areas as well. This should be done by conducting independent interviews with several senior and middle level management team members. As organizations expand into various geographies and countries, they are exposed to different cultures and value systems. Some cultures are inherently more democratic, have relatively flat hierarchies, their work relationships are relatively more formal etc. Some cultures, on the other hand, encourage respecting authority, informal / familial relationships at work etc. These cultural beliefs are deep seated. This could make certain cultures more conducive for / tolerant of frauds by superiors, authoritative figures etc. Hence, it is important for internal audit teams also to assess the culture within various business organizations. This can be done through various risk culture surveys among employees. The outcomes and findings of these surveys can be used as inputs to strengthen the business and operating culture. Benchmark processes to industry practices One of Internal Audit s primary responsibilities is to review all key processes followed in an organization and provide assurance on their effectiveness. Internal Audit teams should not only focus on evaluating processes based on the information they have within the organization but also continuously benchmark the processes /practices followed by leading companies within and outside their sectors. This will give them the ability to challenge various practices followed by the company to identify vulnerabilities and complacency within processes. Constructive challenge of areas will though up vulnerabilities in existing processes which may have been lying undetected under the garb of industry practices.

3 Internal Audit Assessing Fraud Vulnerabilities Assess adequacy of Rotation Policy According to Association of Certified Fraud Examiners 2012, the amount of fraud losses is positively correlated with the number of years the perpetrator has worked for the organization. Median losses caused by perpetrators in the first year of their job amounted to USD 25,000 while those caused by perpetrators with more than ten years of experience at the organization caused a median loss of USD 229,000. This finding underlines the importance of employee rotation. Internal auditors should also evaluate assessing the quality of the company personnel performing certain roles and evaluate their skillsets to perform the job roles/ description assigned to them. Employees with low level of skill-sets (especially those who are performing the role of a checker) create vulnerabilities in the system for frauds being undetected or create vulnerability in the system for others to misuse. These assessments can be done by the internal auditors through discussions with process owners and understanding the manner in which they discharge their responsibilities. Internal auditors should also evaluate the time period since when an individual is performing the defined role. In the past, frauds have been highlighted mainly when there has been a rotation in the employee performing a specified role. Periodic rotation and mandatory leaves should be encouraged. governance levels and also the strength of its internal control environment. Such a practice should be followed both for domestic as well as international acquisitions. The global acquisitions should not be ignored on account of cost implications as the impact of any vulnerability may be severe and may not be recovered from the seller post a particular time period as per the purchase/ JV agreement. Building competencies and enhancing domain knowledge Internal audit functions need to also focus on enhancing their team skillsets and technology enablers to align them with the business requirements. Internal Audit team members need to have the necessary domain knowledge and also has skill sets in IT applications being used by the organization. Many internal audit functions have separate forensic experts who complement the internal audit teams in reviewing processes to assess fraud vulnerabilities. The Chief Internal Auditor should ensure that personnel from their team undergo the necessary certifications courses like Certified Fraud Examiner to enhance their skillets etc. Ensuring seamless audit policy across entities Internal Audit teams also play an important role after new acquisitions, big outsourcing deals, large scale expansion, formation of subsidiaries etc. Internal Audit should make sure that the company s policies are consistent in all subsidiaries and business units. Internal Audit functions should do dip stick reviews of the acquired entity or newly formed joint venture to assess the organizational culture,

Internal Audit Assessing Fraud Vulnerabilities 4 Internal Audit teams should have sufficient domain knowledge in the relevant industry / area. Each industry has its unique characteristics. Sound understanding of these characteristics, seasonality in industry performance, the role played by technology, competition etc will help the Internal Audit team detect unusual / suspicious activity better. Hence, Internal Audit should have the requisite domain expertise on the business processes namely technical processes, manufacturing, utility cost management, treasury, specialized procurement e.g. cotton procurement, fuel procurement, e-procurement, logistics and distribution which are prone to frauds. They may need to seek assistance from third party experts in areas of specialization e.g. Treasury reviews, IT security reviews, Commodity Hedging reviews, etc. Data analytics Considering the current geographic spread and also the segmental spread of companies across business, internal audit functions cannot function effectively without technology. The volume of data and information to be validated/ reviewed requires automated control dashboards / System GRC tools and data analytics to evaluate information. Internal audit functions need to invest in these technologies and tools to drive efficiencies and value. Adequate business analytical skills to relate information across various databases and also interpret data and what should be analyzed. This requires Internal Audit functions to have personnel who are experienced in data modeling and data analysis. Internal Audit teams should leverage on tools such as MIS, customized tools and softwares to prevent and detect frauds. Whistleblower Policy Whistleblower is arguably the most important channel of capturing employee or partner feedback on suspicious or potentially fraudulent behavior. According to KPMG in India Fraud Survey 2012, whistleblower was the most effective mode of fraud detection. An anonymous hotline or whistleblower should be available to all employees, vendors and partners across geographies and around the clock. This will encourage reporting or flagging of potentially fraudulent activity. An anonymous call should be followed by an initial investigation by internal auditors or an external consultant. If the investigators find any merit in the complaint, they should escalate the matter to the management. The Companies Bill 2012 mandates listed companies to establish a vigil mechanism or a whistleblower for directors and employees. Considering significant pressures on margins due to intense competition, organizations have increasing expectations that internal audit function costs need to be recovered and hence may also tend to evaluate internal audit function based on cost saving noted and process improvements identified. It is important for organizations to note that the internal audit function has an onerous and primary responsibility to ensure that the control environment within an organization is robust to protect stakeholder interests and hence they should mainly focus on risk and control evaluation and cost reduction opportunities should only be by-product where necessary and not a driving factor. Organizations and management should also take cognizance of the various internal audit findings and implement measures even if they are vulnerabilities at a particular date. E.g. in the rouge trading case in a financial institution, it was later discovered that the financial institution s data analytics center had detected and warned the management about various irregularities. However, the management did not act promptly on the warning. Hence organizations should take segregation of duties, access control violations, rotation of employees, absence of maker checker controls, unlimited value based limits in systems, etc issues very seriously even if there have been no anomalies identified or immediate impact noted.

5 Internal Audit Assessing Fraud Vulnerabilities Conclusion As the past has shown, tight controls and stringent penalties are not adequate in preventing frauds. Internal Audit professionals need to do much more in todays dynamic environment. Given the significant role Internal Audit plays in an organization s fraud risk management, it can no longer afford to take a back seat. It will have to be at the forefront in assisting management in setting up processes to prevent frauds in an organization.

Internal Audit Assessing Fraud Vulnerabilities 6

KPMG in India Contacts Rajeev Batra Partner and Co-head Governance, Risk and Compliance Services T: +91 22 3090 1710 E: rbbatra@kpmg.com Romal Shetty Partner and Co-head Governance, Risk and Compliance Services T: +91 180 3065 4100 E: romalshetty@kpmg.com kpmg.com/in The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation. 2013 KPMG, an Indian Registered Partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative ( KPMG International ), a Swiss entity. All rights reserved. The KPMG name, logo and cutting through complexity are registered trademarks or trademarks of KPMG International. Printed in India.

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information