Discuss best practices for communicating fraud risk and fraud awareness with our audit clients and management.

Transcription

1 1

2 Explore the expectations defined by the internal auditing profession and our organizations for the knowledge, skills and abilities needed to successfully carry out our fraud and fraud risk finding responsibilities. Discover new ideas and approaches to meeting our internal audit responsibilities and improving the ways we perform our jobs and sell change to management and others. Discuss best practices for communicating fraud risk and fraud awareness with our audit clients and management. Look for new ways to apply our audit methodology to finding fraud risks and evaluating the efficiency and effectiveness of our organization s internal controls, operations and governance functions.

3 Welcome Session Delivery and Ground Rules Housekeeping Start 8:30 Stop 4:30 Breaks 10:00 and 2:30 (15 minutes) Lunch 12:00 1:00 Cell phones, Computers Security

4 1. Introduction 2. How fraud is defined 3. The different types of fraud 4. The historical development of the auditor s fraud finding responsibilities 5. What various sources of professional guidance say about our responsibilities 6. What the fraud statistics say and what they indicate 7. Why fraud happens 8. What we need to see, to see fraud and fraud risks 9. Tools we can use to help find fraud risks and operational risks 10. Some of the BIG Frauds and what we can learn from them 11. Ways we can help educate the audit client and raise fraud risk awareness 12. Conclusion 4

5

6 MONEY PEOPLE CULTURE HISTORY SOCIOLOGY/PSYCHOLOGY ACCOUNTING ANALYSIS DECISION MAKING 6

7 Understand our fraud finding responsibilities? Identify the areas most susceptible to fraud risks? Design audit program steps to find fraud indicators? Help my company prevent fraud? Use computer techniques to help detect fraud? Recognize fraud symptoms? Identify the red flags of fraud? Help educate my organization on fraud awareness

8 Knowledge and Skills 2 Very Knowledgeable Not Very Experienced 1 Not Very Experienced or Knowledgeable 3 Very Experienced and Knowledgeable 4 Very Experienced Not Very Knowledgeable Years of Experience

9 1. The Fraud Triangle 2. The ACFE Report to the Nations 3. Fraud statistics 4. Fraud surveys 5. Fraud stories 6. Professional standards 7. The profile of a fraudster 8. Red flags 9. Data analytics 10. Words of wisdom 9

10 Have You Ever Been to a Seminar Like The One In This Picture?

11 According to the AICPA, ACFE and IIA: Fraud is any intentional act or omission designed to deceive others and resulting in the victim suffering a loss and/or the perpetrator achieving a gain.

12 Definition of Fraud Fraud Awareness Reasons for Fraud Examples of Fraud Potential Fraud Indicators Typical Roles & Responsibilities for Fraud 12

13 Micro - Standard day to day fraud. Macro - Fraud that is large enough to threaten the existence of the organization. Systemic - Fraud is a way of life, it's part of the system. 13

14 Source: The IIA Acceptance of bribes or kickbacks Diversion of profitable transactions Embezzlement Intentional concealment of events, transactions, or data Claims for goods and services not provided Intentional failure to act when action is required by the organization or by law Unauthorized/illegal use of proprietary information Unauthorized/illegal manipulation of IT networks or operating systems Theft 14

15 Source: The IIA Sale or assignment of fictitious assets Bribes, kickbacks, payoffs Improper valuation of transactions, assets, liabilities or income Improper related party transactions Failure to record or disclose significant information Prohibited business activities Tax fraud

16 4 - History Words of Wisdom "I can calculate the movement of the stars, but not the madness of men. Sir Isaac Newton in the year After losing a bundle of money in the South Sea Bubble, a company doomed by insider dealing and inflated stock prices. 16

17 4 - The historical development of the auditor s fraud finding responsibilities A Practical Matter for Auditors by Lawrence Dicksee According to this 1892 textbook, the objective of an audit was the detection of fraud, technical errors, and errors of principle. The detection of fraud is the most important portion of the auditor's duties." 17

18 4 - The historical development of the auditor s fraud finding responsibilities Legal History In 1895 a British court ruled that it was the auditor's responsibility to report to shareholders all dishonest acts, but that the auditor could not be expected to uncover all fraud committed in a company, although they should conduct all audits with reasonable care. 18

19 4 - The historical development of the auditor s fraud finding responsibilities What the Public Thinks A study by a CPA malpractice insurer found that 74 percent of respondents believe audits are designed to uncover all types of fraud. 19

20 Foreign Corrupt Practices Act Federal Sentencing Guidelines Sarbanes-Oxley SAS 99 PCAOB - AU Section 325 The IIA s International Professional Practices Framework (IPPF) (The Red Book) GAGAS (The Yellow Book)

21 5 - What various sources of professional guidance say about our responsibilities Foreign Corrupt Practices Act Result of U.S. Securities and Exchange Commission investigations in the mid-1970s. The Act was signed into law by President Jimmy Carter on December 19, Amended in 1998 by the International Anti-Bribery Act of 1998 which was designed to implement the anti-bribery conventions of the Organization for Economic Co-operation and Development. 21

22 5 - What various sources of professional guidance say about our responsibilities Federal Sentencing Guidelines The Federal Sentencing Guidelines are rules that set out a uniform sentencing policy for individuals and organizations convicted of felonies and serious (Class A) misdemeanors[1] in the United States federal courts system. The Guidelines do not apply to less serious misdemeanors. Organizations, like individuals, can be found guilty of criminal conduct, and the measure of their punishment for felonies and Class A misdemeanors is governed by Chapter Eight of the sentencing guidelines. Incorporated into the sentencing structure the preventive and deterrent aspects of systematic compliance programs. 22

23 5 - What various sources of professional guidance say about our responsibilities Federal Sentencing Guidelines Seven key criteria for establishing an effective compliance program 1. Document standards of conduct and internal controls that are reasonably likely to reduce violations 2. Oversight by high-level personnel 3. Due Care in delegating substantial discretionary authority 4. Effective Communication to all levels of employees 5. Reasonable steps to achieve compliance, which include systems for monitoring, auditing, and reporting suspected wrongdoing without fear of reprisal 6. Consistent enforcement of compliance standards including disciplinary mechanisms 7. Reasonable steps to respond to and prevent further similar offenses upon detection 23 of a violation

24 5 - What various sources of professional guidance say about our responsibilities Sarbanes-Oxley Act -Section 404 Management is required to assess and report on the effectiveness of financial reporting internal controls on an annual basis. External auditors are required to evaluate their clients' antifraud programs and internal controls, and to issue an opinion on management's assessment of internal controls. 24

25 Requires brainstorming sessions to provide seasoned team members the opportunity to share their experiences with the client and discuss how a fraud might be perpetrated and concealed. Requires the auditor to ask management questions about their awareness and understanding of fraud. The standard also requires auditors to make inquiries of the audit committee, internal audit personnel and others within the entity. Requires the auditor to use the information gathered to identify risks. This section specifically requires that improper revenue recognition and management override of controls be considered. The auditor should consider which controls mitigate the identified fraud risks. The standard provides examples of conditions that may be identified during the audit that might indicate fraud. One example is management denying the auditors access to key IT operations staff including security, operations, and systems development personnel.

26 5 - What various sources of professional guidance say about our responsibilities SAS 99 Consideration of Fraud in a Financial Statement Audit SAS 99 requires auditors to plan the audit to provide reasonable assurance that financial statements are free of material fraud. It also provides expanded guidance and recommended procedures for the detection of material fraud. 26

27 5 - What various sources of professional guidance say about our responsibilities SAS 99 Consideration of Fraud in a Financial Statement Audit SAS 99 specifies that auditors should adopt an attitude of professional skepticism toward clients, conduct brainstorming sessions to assess the risk of material fraud and how it could be concealed, conduct an assessment of a client's overall antifraud programs, and look for red flags that may indicate fraud. PCAOB Auditing Standard 2 reinforces this guidance. 27

28 The auditor must communicate in writing to management and the audit committee all significant deficiencies and material weaknesses identified during the audit. The written communication should be made prior to the issuance of the auditor's report on the financial statements. The auditor's communication should distinguish clearly between those matters considered significant deficiencies and those considered material weaknesses. 28

29 A significant deficiency is a deficiency, or a combination of deficiencies, in internal control over financial reporting, that is less severe than a material weakness yet important enough to merit attention by those responsible for oversight of the company's financial reporting. A material weakness is a deficiency, or a combination of deficiencies, in internal control over financial reporting, such that there is a reasonable possibility that a material misstatement of the company's annual or interim financial statements will not be prevented or detected on a timely basis. 29

30 5 - What various sources of professional guidance say about our responsibilities IIA IPPF1210.A2 (Red Book) International Professional Practices Framework This Practice Advisory says that internal auditors should possess sufficient knowledge to identify the risk indicators of fraud. Internal audit can assist with the prevention and detection of fraud by evaluating the adequacy and effectiveness of internal controls and by participating in the risk assessment process, which is a key step when evaluating whether internal controls are effective A2 The internal audit activity must evaluate the potential for the occurrence of fraud and how the organization manages fraud risk. 30

31 5 - What various sources of professional guidance say about our responsibilities GAGAS Fraud 7.30 (Yellow Book) GAO Government Auditing Standards In planning the audit, auditors should assess risks of fraud occurring that is significant within the context of the audit objectives. Audit team members should discuss among the team fraud risks, including factors such as individuals incentives or pressures to commit fraud, the opportunity for fraud to occur, and rationalizations or attitudes that could allow individuals to commit fraud. Auditors should gather and assess information to identify risks of fraud that are significant within the scope of the audit objectives or that could affect the findings and conclusions. 31

32 It is estimated that all of the fraud that s found represents only 10% of all of the fraud that s out there. Source: Early ACFE Article (circa 1992)

33 6 - What the fraud statistics say and what they indicate Association of Certified Fraud Examiners ACFE Report to the Nations on Occupational Fraud and Abuse The ACFE's 2012 Report to the Nations on Occupational Fraud and Abuse is based on data compiled from a study of 1,388 cases of occupational fraud that occurred worldwide between January 2010 and December All information was provided by the Certified Fraud Examiners (CFEs) who investigated those cases. 33

34 Never ask a barber if he thinks you need a haircut. Warren Buffett

35 Association of Certified Fraud Examiners ACFE Report to the Nations on Occupational Fraud and Abuse The Impact of Fraud The typical organization loses 5% of its revenues to fraud each year (a potential projected global fraud loss of more than $3.5 trillion). The median loss was $140,000. More than onefifth of these cases caused losses of at least $1 million. 35

36 6 - What the fraud statistics say and what they indicate Association of Certified Fraud Examiners ACFE Report to the Nations on Occupational Fraud and Abuse Fraud Detection The frauds lasted a median of 18 months before being detected. Asset misappropriation schemes were by far the most common type of occupational fraud (87%). Financial statement fraud schemes made up just 8%, but caused the greatest median loss at $1 million. 36

37 6 - What the fraud statistics say and what they indicate Association of Certified Fraud Examiners ACFE Report to the Nations on Occupational Fraud and Abuse Perpetrators of Fraud Perpetrators with higher levels of authority tend to cause much larger losses. The median loss among frauds committed by owner/executives was $573,000, the median loss caused by managers was $180,000 and the median loss caused by employees was $60,

38 6 - What the fraud statistics say and what they indicate Association of Certified Fraud Examiners ACFE Report to the Nations on Occupational Fraud and Abuse Perpetrators of Fraud The longer a perpetrator has worked for an organization, the higher fraud losses tend to be. The vast majority (77%) of all frauds were committed by individuals working in one of six departments: accounting, operations, sales, executive/upper management, customer service and purchasing. In 81% of cases, the fraudster displayed one or more behavioral red flags that are often associated with fraudulent conduct. 38

39 6 - What the fraud statistics say and what they indicate Association of Certified Fraud Examiners ACFE Report to the Nations on Occupational Fraud and Abuse Victims of Fraud Nearly half of victim organizations do not recover any losses that they suffer due to fraud. The presence of anti-fraud controls is notably correlated with significant decreases in the cost and duration of occupational fraud schemes. 39

40 6 - What the fraud statistics say and what they indicate Association of Certified Fraud Examiners ACFE Report to the Nations on Occupational Fraud and Abuse Initial Detection of Fraud 3 % of frauds were initially detected by external auditors 3% were from police notification 7% were discovered by accident 14% came from internal audits 15% came from management review 43 % came from employee tips 40

41 Notorious bank robber Willie Sutton was once asked, Why do you rob banks? Legend has it that Sutton s response was, Because that s where the money is.

42 Perceived Opportunity 42

43 / Information & Communication Monitoring Control Activities Risk Assessment Information & Communication Control Environment

44 Update considers changes in business and operating environments Environments changes... have driven Framework updates Expectations for governance oversight Globalization of markets and operations Changes and greater complexity in business Demands and complexities in laws, rules, regulations, and standards Expectations for competencies and accountabilities Use of, and reliance on, evolving technologies Expectations relating to preventing and detecting fraud COSO Cube (2013 Edition)

45 Control Environment Risk Assessment Control Activities Information & Communication Monitoring Activities 1. Demonstrates commitment to integrity and ethical values 2. Exercises oversight responsibility 3. Establishes structure, authority and responsibility 4. Demonstrates commitment to competence 5. Enforces accountability 6. Specifies suitable objectives 7. Identifies and analyzes risk 8. Assesses fraud risk 9. Identifies and analyzes significant change 10. Selects and develops control activities 11. Selects and develops general controls over technology 12. Deploys through policies and procedures 13. Uses relevant information 14. Communicates internally 15. Communicates externally 16. Conducts ongoing and/or separate evaluations 17. Evaluates and communicates deficiencies

46

47 Page 1-5 Famous Words I have spent the best years of my life giving people the lighter pleasures, helping them have a good time, and all I get is abuse, the existence of a hunted man. Al Capone, one of the 20 th century s most notorious gangsters. 47

48 Famous Last Words They couldn't hit an elephant at this dist... Last words of General John Sedgwick, killed at the Battle of Spotsylvania in 1864.

49 Famous Last Words Take no prisoners!! June 25, 1876 The battle cry of General George Armstrong Custer as he led a charge by 210 soldiers against 1,800 well armed and very angry Sioux and Cheyenne warriors.

50 You only find out who is swimming naked when the tide goes out. Warren Buffett

51 Fraud happened because... Known conflicts of interest were not well managed Inadequate follow-up on unexplained variances Missing files were not investigated Results of internal/external audits or reviews were ignored Increases in cash transactions were not questioned Suspicious activity was not investigated Employees were inadequately trained to recognize fraud

52 1) Policies and Procedures 2) Laws, Rules, and Regulations 3) Auditors 4) Auditors 5) Auditors 6) Good People 52

53 1) Trust 2) A lack of control awareness by those responsible for designing and enforcing internal controls. 3) A lack of accountability and consequences. 4) The attitude that as long as we have money in the budget, it s okay to spend it. 5) The belief that taking financial advantage of a business entity is not as wrong as taking financial advantage of an individual. 6) Situational incompetence 53

54 54

55 Well, either you're closing your eyes to a situation you do not wish to acknowledge, or you are not aware of the caliber of disaster indicated by the presence of a pool table in your community. The Music Man (1962) 55

56 THE MAGINOT LINE Prior to WWII, the Maginot Line was seen as the premiere defensive installation in the world, proof of French military genius, and the phrase "Maginot Line" signified something impregnable. After the war, "Maginot mentality" meant banking too heavily on one possible outcome and failing to consider alternatives. Although considered impregnable, the chief effect it had was to create a false sense of security.

57 We build 10 foot walls to protect ourselves from people who have 15 foot ladders.

58 A little ole' man was sittin' on a step And a tear kinda trickled own his cheek. I said "What's the matter?" He said "A train just ran over me." I said "Hmm. How often does this happen?" He said "Everyday about this time." I said "Well, why do you just sit out here then?" He said "Cause I cannot believe that it is happenin. 58

59 Our audit philosophy is to audit your business, not just your books.

60 Missing documentation Denial of access to records Excessive inventory Paying a high price for goods or services Unsupported accounting adjustments Shortages (shrinkage) in inventory Deviation from specifications Shortages on delivery Goods purchased in excess of need 60

61 Page 3-2

62 WHAT SHOULD IT LOOK LIKE? Only one of these images of a penny is correct.

63 HOW DO WE KNOW? 63

64 Strange Odd Unusual 64

65 Beginner Novice Advanced Expert 65

66 Profile of a Fraudster Mark R. Simmons, CFE, CIA Male Intelligent Egotistical Inquisitive A risk taker A rule breaker A hard worker Under stress Greedy or has a genuine financial need Disgruntled at work or a complainer A big spender

67 A vital part of discovering fraud concerns the auditor s ability to ask questions and the implications of not asking them. This article focuses on the basics: how to approach the fraud issue with your client and the types of questions to ask. Experts claim that about 80% of all frauds are discovered through tips and complaints compared to 20% for other methods, including management oversight and audits. Fraud, by its nature, is easy to conceal and difficult to detect. The best clues usually don t come from the books but from the people who work with them. Asking questions is the most effective audit technique of all.

68 1. Conducting successful fraud risk interviews: Helps the auditor do a more thorough job of learning about fraud risks and other concerns. Helps to educate management about exposures and events that they need to be aware of in order to better carry out their job responsibilities. 2. Documenting these interviews provides the auditor with: Support of management s fraud risk assessment. Knowledge of controls and monitoring successes. Information and insights on past problems and how management has dealt with them.

69 1. Generic FRQ Questions The focus is on identifying components of the Fraud Triangle: 1. Opportunity 2. Pressure 3. Justification 2. Customized Questions Using resources such at the ACFE Fraud Encyclopedia and the ACFE Fraud Manual, identify risks specific to the area being audited. 3. Red Flag Questions Situations that may indicate specific control problems or operational issues. 69

70 Have you observed any examples of the following occurrences? a) A high number of customer or contractor complaints b) A rapid increase in the volume and or cost of products/services provided by a vendor c) A large volume and/or dollar value of change orders d) Questionable use of management overriding required procedures e) Invoices submitted for work where there is no clearly defined deliverable, such as for services rendered f) Other potential operational concerns If so, please explain the details. 70

71 If these warning signs exist, the potential for fraud is increased. Management should be aware of the existence of these red flags and, where possible, seek to eliminate the causes. These red flags should be required as part of the audit planning and preliminary steps. Concentration should be given to incorporating selected high risk area red flag questions into the Fraud Risk Questionnaire, modified for the specific audit assessment. 71

72

73 1. Cash? 2. Accounts Receivable? 3. Purchasing? 4. Financial Reporting? 5. Inventory? 6. Payroll? 7. Employee Benefits? 8. Insurance? 73

74 Cash Skimming cash receipts Lapping payments Phony expense reimbursements Fake refunds Fraudulent disbursements 74

75 Accounts Receivable Fraudulent Accounts Skimming Lapping Substitution of check-for-cash Improperly flagging accounts as old or not collectable Referring current accounts to collection agencies to hide stolen payments and receive kickbacks 75

76 Purchasing Bid Rigging Conflicts of Interest Kickbacks Shell companies Fictitious vendors Not providing the goods and services bargained for or providing lower quality or quantity Fictitious vendor expenses Sole source vendors that are not arms length transactions Providing inaccurate billing data 76

77 Financial Reporting Overstating assets or revenue Understating liabilities and expenses Fictitious revenues Timing differences Improper asset valuation Improper disclosure 77

78 Inventory Asset misappropriation Bill for goods not shipped False returns Shipping goods to unapproved locations Falsifying inventory records 78

79 Payroll Altering employee records Creating ghost employees Falsifying value of services Falsifying overtime Paying unauthorized overtime or benefits Under reporting vacation or sick time 79

80 Employee Benefits Cashing pension checks after death of pension recipient Fictitious benefit recipients Unapproved loans Benefits paid to ineligible recipients Theft of investment earnings 80

81 Insurance Cash loans without the knowledge of the insured Premiums collected but not remitted Fictitious claims Adding additional coverages and cost without the knowledge of the insured Fictitious policies 81

82 82

83 9 - Tools we can use to help find fraud risks and operational risks Computer Assisted Audit Techniques (CAATS) Look at voids and refunds. Search for duplicate payments. Look for high maintenance costs just before sale of an asset. Match vendor address and other information to employee information. Look at funds transfers. Search for duplicate addresses in payroll. (Could be ghost employees.) Employee accounts look for a large number of transactions, adjustments, credits. They could be giving away their employee discounts. 83

84 9 - Tools we can use to help find fraud risks and operational risks Top 25 When deciding what to look at consider testing the top 25 of a group. Top 25 travelers - expense reports Top 25 in OT (by job category) Top 25 bonus recipients Top 25 commission recipients Top 25 refund requestors Top 25 overriders of controls Top 25 new vendors 84

85 9 - Tools we can use to help find fraud risks and operational risks Books to Read Computer Aided Fraud Prevention and Detection: A Step by Step Guide Fraud Analysis Techniques Using ACL Both books are by David Coderre and viewable on Amazon. 85

86 9 - Tools we can use to help find fraud risks and operational risks Data Analysis Computer Aided Fraud Prevention and Detection Insurance Commissions paid on sales just before the cutoff/defaulted polices/commissions earned vs. premiums paid Payroll Overpayments Payments to people who are listed as being on leave without pay Payments to employees not on the payroll Multiple payments to the same employees in the same pay period Accounts Receivable Average days from delivery to billing date to receipt of goods/services by clerk or by customer Days for receivables by customer to compare to contract terms. Bad debts by customer or by sales person or by department. Identify duplicate invoices and/or duplicate payments 86

87 87 Area/Person What People Do Symptoms Audit Test Ways Around Tests Symptoms of Occurrence What Can Go Wrong Where could it happen? Who could do it? What activity should we look for? What does it look like? How can we test for it? How can it be hidden?

88 Words of Wisdom Quote From an IT Auditor Keep your B.S. radar turned all the way up to high. 88

89 Crédit Mobilier (The UP and the CP) Allied Crude Vegetable Oil Company ZZZZ Best Inc. Crazy Eddy Antar Regina Vacuum Phar Mor Waste Management Enron WorldCom 89

90 If the only tool you have is a hammer, you tend to treat everything as a nail. Abraham Maslow

91 Self-actualization Self-Esteem Belonging Safety Survival

92 1. Fraud Risk Questionnaires 2. Internal control training 3. Fraud awareness training 4. Positive organizational culture 5. Positive organizational identification 92

93 BELIEFS ACTIONS RESULTS 93

94 Famous Words You can get more with a kind word and a gun than you can with a kind word alone. Al Capone

95 1. Introduction 2. How fraud is defined 3. The different types of fraud 4. The historical development of the auditor s fraud finding responsibilities 5. What various sources of professional guidance say about our responsibilities 6. What the fraud statistics say and what they indicate 7. Why fraud happens 8. What we need to see, to see fraud and fraud risks 9. Tools we can use to help find fraud risks and operational risks 10. Some of the BIG Frauds and what we can learn from them 11. Ways we can help educate the audit client and raise fraud risk awareness 12. Conclusion 95

96 "Round up the usual suspects.

97 "Round up the usual suspects. Casablanca (1942)

98 How to Become an Experienced Auditor Good Judgment Comes From Experience, and Experience Comes From Bad Judgment. 98

99 Mark R. Kolman Steve Hooper