Internal Audit s Role in Preventing, Deterring and Detecting Fraud Working as Part of a Fraud Management Team The Way Forward

Transcription

1 Internal Audit s Role in Preventing, Deterring and Detecting Fraud Working as Part of a Fraud Management Team The Way Forward Ottawa, ON 11/26/2015

2 Introduction and Objectives The main objectives of today s session are to: A Understand fraud and recent changes to the fraud management environment C B Discuss steps, resources and innovative best practices for IA Understand Internal Audit s role in fraud management 2 Deloitte LLP 2015

3 Fraud Recent fraud cases and trends Have things really changed?

4 Fraud - could it happen to us? Industries most commonly victimized were banking and financial services, government and public administration, and manufacturing The median loss caused by occupational fraud cases in our study was $145,000 22% of cases caused losses of at least $1 million The frauds reported lasted a median of 18 months before being detected Survey participants estimate that the typical organization loses 5% of its revenues to fraud each year Most occupational fraudsters are first-time offenders with clean employment histories Source: Association of Certified Fraud Examiners, Report on Fraud, Deloitte LLP 2015

5 The Basics - what is fraud? Key components of fraudulent activity 1. Loss: victim put at risk of and/or suffers loss. Commit Fraud 2. Intent: key difference from a simple error or mistake. 3. Deception: the principle modus operandus. Conceal the Fraud Convert to Gain 5 Deloitte LLP 2015

6 Fraud - behaves like a sophisticated virus AMBIGUOUS COMPLEX HIDDEN BY DESIGN EVOLVES Based on the spectrum of possible fraud, different methods of analysis may perform with varying levels of success at identifying different types and degrees of fraud. Fraud manifests itself in multiple ways and potentially through complex interactions of multiple variables. A judicious approach is to attack it from multiple points of view. Experienced fraud detection personnel and insurance experts will inevitably possess both explicit and tacit knowledge that should be codified into business decision rules. Types of fraud may be hidden because individuals within firms ( internal fraud ) are choosing to hide their actions. Customers, providers ( external fraud ) and others are defrauding the organization. Statistical fraud detection is also distinctive in the sense that the subject of study is constantly changing over time. The solution design should be comparably adaptable and self learning, giving analysts and investigators the ability to rapidly and efficiently test hypotheses, search databases for anomalous patterns, and update protocols accordingly. 6 Deloitte LLP 2015

7 Fraud High profile cases currently under investigation 7 Deloitte LLP 2015

8 What has change in the regulatory environment? There are many new laws, regulations and standards that are impacting how organizations are implementing antifraud programs. Examples include: Corruption of Foreign Public Officials Act (or Foreign Corrupt Practices Act in the U.S., U.K. Bribery Act 2010) COSO 2013 Framework Financial Administration Act/Policy on Internal Control 8 Deloitte LLP 2015

9 What has changed in the business environment? Access to information Public disclosure Social and electronic media Whistleblower protection 9 Deloitte LLP 2015

10 COSO & IFCR COSO 2013 Internal Control Framework Principle 8 Assess the risk of Fraud The COSO Cube Four Points of Focus: 1. Considers various types of fraud 2. Assesses incentive and pressures 3. Assesses opportunities 4. Assesses attitudes and rationalizations Source: 2013 COSO Framework & SOX Compliance 10 Deloitte LLP 2015

11 Internal Audit s Role No one size fits all approach

12 Helpful Resources IIA\AICPA\ACFE - Managing the Business Risk of Fraud IIA - Three Lines of Defense in Effective Risk Management and Control IIA Internal Auditing and Fraud Practice Guide ACFE Report to the Nations on Occupational Fraud and Abuse Source: IIA POSITION PAPER: THE THREE LINES OF DEFENSE IN EFFECTIVE RISK MANAGEMENT AND CONTROL 12 Deloitte LLP 2015

13 Governance & Senior Management Best positioned to help ensure that fraud risk management is reflected in the organization s risk management and control processes. Prevention/Deterrence/Detection: Set tone at top through attention to fraud governance practices Ensure fraud exposures are identified and evaluated Ensure that management implement fraud structures and governance policies, and controls Ensure appropriate fraud reporting procedures and whistleblower protection is in place. 13 Deloitte LLP 2015

14 Audit Committee Reporting conduit between Senior Management and the Board: Understand details Identify significant information Communicate key messages clearly and concisely Prevention/Deterrence/Detection: Should be composed of independent board members. Should include at least one financial expert preferable with accounting/audit experience. Should regularly meet with CAE and CFO Should understand how internal and external audit strategies address fraud risk 14 Deloitte LLP 2015

15 Operational Management 1 st Line of Defence Operational Management Owns and manages fraud risk on a day-to-day basis Implements corrective actions and addresses control deficiencies Prevention/Deterrence/Detection: Create fraud aware and intolerant culture through words and actions Identify and assess fraud risk Design and implement adequate internal controls Implement corrective actions to address process gaps and control deficiencies Continuous communications and training regarding fraud risk 15 Deloitte LLP 2015

16 Risk Management 2 nd Line of Defence Risk Management Function Supportive of management, but not independent Vary in their specific nature depending on the organization Prevention/Deterrence/Detection: Assist risk owners in identifying and targeting and prioritizing fraud risk exposures Identify shifts in organizations fraud risk exposures Identify known and emerging issues Identify shifts in the organization s appetite for risk Assist in identifying responses to fraud risk exposures 16 Deloitte LLP 2015

17 Internal Audit objective, systematic and disciplined 3 rd Line of Defence Internal Audit Provide highest level of independence within the organization Objective, systematic and disciplined Important for organizations of all sizes Prevention/Deterrence/Detection: Provide objective assurance to the board and senior management that fraud controls are sufficient for identified fraud risks Review completeness/accuracy of fraud risks identified Perform regular audits to determine whether all fraud risks have been considered appropriately Review management s fraud management capabilities 17 Deloitte LLP 2015

18 Staff The best single source of fraud detection The best single source of fraud detection - Staff All staff are responsible for management of fraud Tips are by far the most consistent and common method to detect fraud. Almost half of the tips come from employees Prevention/Deterrence/Detection: Have a basic understanding of fraud, including an awareness of red flags Understand their roles within the internal control framework Read and understand fraud related policies and procedures Report suspicious activities, including suspected incidents of fraud Cooperate in investigations 18 Deloitte LLP 2015

19 Fraud Prevention & Deterrence The way forward

20 Why Does fraud occur Dr. Donald Cressey s Fraud Triangle Model 1. Situational Pressure Lifestyle pressures Company pressures 2. Opportunity Lack of segregation of duties Lack of, improper use of, or circumvention of internal controls 3. Rationalization Underpaid, underappreciated, desperation Corporate culture, following suit, believing it will save jobs and the company 20 Deloitte LLP 2015

21 Consider the Role that IA can play Preventing/Deterring Fraud - Key ACFE findings: Primary Internal Control Weakness Observed by CFE The threat of likely detection is one of the most powerful factors in fraud prevention because it all but eliminates the fraudster s perceived opportunity. 1. Tone at the Top/ Fraud policies and procedures 2. The presence of anti-fraud controls is associated with reduced fraud losses and shorter fraud duration. 3. Fraud Risk Assessments A great training and awareness tool for management and staff. Source: ACFE 2013 Report to the Nations on Occupational Fraud 21 Deloitte LLP 2015

22 Key elements of an anti-fraud program Five areas of focus - organizations should consider the five key elements of the internal control integrated framework set out by COSO : 1. Performing fraud risk assessments 2. Creating a control environment 3. Designing and implementing antifraud control activities 4. Sharing information and communication 5. Monitoring activities 22 Deloitte LLP 2015

23 Fraud risk assessments Step #1 - Fraud Risk Assessments help organizations identify fraud scenarios they face, and determine whether existing controls are aligned to reduce the risk of fraud from occurring to an acceptable level. 23 Deloitte LLP 2015

24 Fraud Risk Assessments Scope - An FRA should be comprehensive, and be performed at all appropriate levels within the organization: 1. Entity Level consider internal and external factors. 2. Significant Accounts focus on accounts that could be materially misstated. 3. Significant Business Units and/or Locations consider different risk profiles. 24 Deloitte LLP 2015

25 Fraud risk assessments Fraud Risk Factors - Assessing the likelihood and significance is a subjective process. All risks are not equally likely or significant. Assessing inherent risks allows for the evaluation of controls in a rational manner. 1. Likelihood what factors influence the inherent probability that a specific fraud risk scenario will occur? 2. Significance what is the organizational impact if the specific fraud risk scenario was to occur? 25 Deloitte LLP 2015

26 Fraud risk assessments Evaluate Controls Internal Audit is often well positioned to assist 1. Document mitigating antifraud control activities related fraud risks categorized as medium and high risks. 2. Determine residual fraud risk remaining after consideration of the control activities 3. Evaluate the cost/benefit of implementing additional anti fraud controls. 26 Deloitte LLP 2015

27 Fraud risk assessments Assemble the right team Package it correctly xxx 1. The right sponsor 2. Access to people at all levels 3. Include individuals with diverse knowledge, skills, and perspectives 4. Team size will depend on organization size and methods used in the assessment 1. Use the language of the business. 2. Remember that one size does not fit all 3. Determine the best technique 4. Keep it simple and manageable 5. The team can include both internal and external resources 27 Deloitte LLP 2015

28 Fraud Detection Fraud Analytics - The way forward

29 Consider the Role that IA can play Detecting Fraud - Key ACFE findings: Initial Detection of Occupational Frauds 1. Tips are consistently and by far the most common detection method. Over 40% of all cases were detected by a tip more than twice the rate of any other detection method. 2. Organizations with hotlines were much more likely to catch fraud by a tip, which our data shows is the most effective way to detect fraud. Source: ACFE 2013 Report to the Nations on Occupational Fraud 29 Deloitte LLP 2015

30 The role of data monitoring and analysis ACFE findings: Of the controls analyzed, proactive data monitoring and analysis appears to be the most effective at limiting the duration and cost of fraud schemes; victim organizations that implemented this control experienced losses 60% smaller and schemes 50% shorter than organizations that did not. Organization Using Proactive Data Monitoring/Analysis: Medial Loss - $73,000 Duration 12 months Organization Not Using Proactive Data Monitoring/Analysis: Medial Loss - $181,000 Duration 24 months 30 Deloitte LLP 2015

31 Forensic analytics methodology 31 Deloitte LLP 2015

32 Fraud and corruption risk analytics Fraud and corruption analytics testing can be used as a red flag indicator or anomaly detection tool to identify anomalies in employee, vendor and customer data-sets, as well as invoice, payment and payroll transactions. Visualization and analysis tools accelerate our analysis and increase the impact. Important considerations Dig deeper to unwrap data! 1 Collect data from silo-ed environments to create a single version of the truth this leads to better detection of anomalies and patterns, increasing the ability to detect more complex fraud scenarios. 2 Start with enterprise-wide view Recognize data is never perfect Advanced analytical techniques assess/address data quality. 1 Highlight Data Points Use analytics tools to highlight a grouping of data points to be further analyzed. Tools help move from the what to the why 2 View Data View the underlying data attributes for data points in the trends as well as the outliers 32 3 Apply a risk score Use risk scoring techniques to highlight and focus on high risk scenarios, and reduce the occurrence of false positives/negatives. Deloitte LLP Analyze Data Points Output data and continue analysis by comparing to external datasets including benchmark data as well as other analytic tools. Use of multiple tools accelerates and deepens insights, providing granular and aggregate view of organizational data

33 Vendor Risk Analytics Each test generates a risk score, which is assigned to each vendor, employee, invoice or transaction that fails a test Adjust risk scores on-the-fly to properly reflect the unique risks associated with each business process High risk scores indicate data anomalies in vendors, employees and journal entry transactions Anomalies are examined to determine their causation and to determine if patterns exist Masked Reporting of results is provided in an visual environment to make it easy to understand and allows for drilldown to a detailed level for each test and transaction 33 Deloitte LLP 2015

34 Fee-for-service fraud A combination of hot spot analysis and clustering techniques identify fee for service fraud. In this example, patient records, clinic location, and demographic variables isolate a fraudulent health care provider. All the patients registered to the fraudulent clinic (highlighted) are residents of retirement or nursing homes. These patients are mainly elderly, low income seniors, as indicated by the heat map. Note that there are five other clinics providing similar services within 10 miles of the clustered data, while the fraudulent clinic is located nearly 20 miles away. 34 Miami-Dade County, Florida Deloitte LLP Miles

35 Consequences of poor fraud detection rules Analysis revealed that designing fraud thresholds are more complex than initially assumed. False negative there is fraud, the rule did not identify this. Missed opportunities & increased risk. True positive there is fraud and the rule identified fraud. Refinement of the threshold is required. False positive there is no fraud, but the rule presumed fraud. Unnecessary costs and potential customer negativity. 35 Deloitte LLP 2015

36 High cost of inaccurate and careless analytics Analytics are required to be completed in very compressed time frames - the following guiding principles enable forensic analysts in meeting the above challenges: Precise Repeatable Defendable Integrated data In cases involving legal and regulatory matters, analyses must be performed with very high precision A repeatable framework is required to process complex scenarios in a compressed time frame Black box models are not defendable only transparent and generally accepted techniques are used Fusing structured and unstructured data enables a more contextual interpretation and analysis 36 Deloitte LLP 2015

37 Fraud Investigation The way forward

38 Fraud investigations The Board and Senior Management should ensure that the organization develops a system for prompt, competent, and confidential review, investigation, and resolution of allegations involving potential fraud or misconduct. Internal Audit can Assist: 1. Evaluate the organizations fraud response policies and processes 2. Assist in certain aspects of the investigation 3. Assist in identifying corrective actions in response to findings Best Practices: 1. Engage experts early, as required Legal counsel Forensic accounts Computer forensics 2. Limit the number of individuals with knowledge 3. Define a communications strategy 38 Deloitte LLP 2015

39 Questions

40 Analytics and Visualization The Way Forward Contact Dean Bowes, CPA, CA-IFA, CFF, CIA, CISA, CCE Senior Manager, Deloitte Forensic T: (613) Join me on ca.linkedin.com/in/dean-bowes-cpaca-ifa-cce-cia-cisa-44611b15 Guy Crepeau, CPA, CA-IFA, CFE, CFF Senior Manager, Deloitte Forensic T: (613) Join me on ca.linkedin.com/in/gcrepeau 40 Deloitte LLP 2015

41