201 Fraud Risk Assessment April 19, 2010 Monday 1:30 2:30 pm Paul M. Baran Mark P. Ruppert, CPA, CIA, CISA, CHFP. Round Up!

Transcription

1 201 Fraud Risk ment April 19, 2010 Monday 1:30 2:30 pm Paul M. Baran Mark P. Ruppert, CPA, CIA, CISA, CHFP Director, Internal Audit Director, Internal Audit Fraud Risk ment Round Up! Why? What is Fraud Risk? Completing a Fraud Risk ment Incorporating Fraud Risk into Corporate Compliance and Internal Audit Work s Addressing Fraud Risk on an Ongoing Basis and in Individual Audits 2 1

2 Fraud Risk ment Why? Federal Sentencing Guidelines require that compliance programs: address specific areas of potential fraud use audits and/or other risk evaluation techniques to monitor compliance and assist in the reduction of identified problem areas 3 3 Fraud Risk ment Why? United States Sentencing Guidelines (USSG) Effective 11/2004 = USSG amended to provide greater guidance regarding compliance program criteria for an effective program to prevent and detect violations of the law (USSC Guidelines Manual 8B2.1. Effective Compliance and Ethics Program) (a)(1) exercise due diligence to prevent and detect criminal conduct (a)(2) otherwise promote an organizational culture that encourages ethical conduct and a commitment to compliance with the law (b)(1)establish standards and procedures to prevent and detect criminal conduct (c) periodically assess the risk of criminal conduct and take appropriate steps to..to reduce the risk of criminal conduct identified 4 2

3 Fraud Risk ment Why? Like Compliance Professionals, Internal Audit Professionals must also address fraud risk IIA Standards and Fraud Practice Guide Emphasize Internal Audit s Role in Addressing Fraud Programs & ment: Must evaluate how organization manages risk (IIA Standard 2120) Fraud Risk ment: CAE must report periodically to management /board on significant fraud risk exposures (IIA Standard 2060) Individual Audits: Must consider fraud when developing engagement objectives (IIA Standards 1220, 2210) Proficiency: the risk of fraud & the manner in which it is managed by the organization (IIA Standard 1210) 5 Fraud Risk ment Why? US government admits losing 10% of spending to fraud; US government realizes a $9.75 : 1 on fraud management Effective fraud management produces 8:1 ROI for financial services industry ACFE estimate: companies lose $1 trillion or 7% of revenue to misconduct PwC GECS survey 40% increase in fraud, before the recession paradox Economist Intelligence Unit: 85% of companies detected significant frauds over past 3 years) 10% suffer >$100 million Large companies - $23 million Small companies - $8.2 million average loss 3

4 Now More Than Ever, Compliance & Internal Audit Must Have the Fraud Triangle in Focus!!! Incentives / Pressures Loss avoidance Job Money Prestige Dissatisfaction with the company Management & 3 rd party pressures Community relationships Rationalization Job dissatisfaction Family & health priorities Everybody else syndrome Opportunity Insufficient internal controls External collaboration Management over-ride Internal collaboration Corrupt business customs Self-denial of consequences to company If Economic Downturn is the Perfect Storm for Fraud and Waste, will an Upturn be Even More Perfect? 7 So, Why Bother? It makes good business sense!! Demonstrate you administer an effective Compliance Program and Internal Audit Function by documenting an understanding of how and where fraud might occur. Minimize revenue leakage, cut costs, and safeguard assets. Safeguard company and employee reputation. Avoid and/or reduce criminal, civil and regulatory penalties, should misconduct occur. Help avoid/reduce government sanctions! 8 4

5 Fraud Risk: Defined / Applied Fraud: (defined) - Any intentional act committed to secure an unfair or unlawful gain Apply the Fraud Lens to Enterprise Risks Reputational Risk External and internal impression of the organization Operational Risk Loss of earnings or inefficient business operations Financial Risk Over statement of revenues, understatement of expenses Reporting Risk Non disclosure or false disclosure Compliance / Legal Risk Potential criminal, civil or regulatory liability Strategic Risk Impact on new products, services, or strategic alliances 9 Fraud Risk: Types and Categories "Leakage vs. Liability Fraud Misappropriation of Assets Revenue Leakage Expenditure Leakage Financial Reporting & Disclosure Manipulation Unauthorized Expenses / Disposal of Assets Unauthorized Receivables / Acquisition of Assets Good Fraud = Leakage related activities, that when prevented or detected early, leads to improved financial results ( Risk Type = Opportunity ) Bad Fraud = Liability related activities, that if not prevented, leads to government sanctions, and damage to brand value and reputation of individual members of the Board and senior management (Risk Type = Hazard ) 10 5

6 Fraud Risk Types: Liability Expenditure Leakage Misappropriation of Assets Revenue Leakage Expenditure Leakage Financial Reporting & Disclosure Manipulation Unauthorized Expenses / Disposal of Assets Unauthorized Receivables / Acquisition of Assets Illustrations: Orders from fictitious vendor Kickbacks in return for allowing supplier to inflate price Advertiser charges for advertising not delivered Vendors/contractors charge for work not performed Double dips on p-card and credit card Salesperson obtains reimbursement for fictitious travel expenses 11 Fraud Risk Type: Leakage Unauthorized Expenses / Disposal of Assets Misappropriation of Assets Revenue Leakage Expenditure Leakage Financial Reporting & Disclosure Manipulation Unauthorized Expenses / Disposal of Assets Unauthorized Receivables / Acquisition of Assets Illustrations: Payments to public officials for permits Payments to public officials for patents Gifts to public officials to evade taxes Payments to agents to facilitate sales Illegal political contributions 12 6

7 Fraud Risk ment A comprehensive fraud risk assessment is critical to the effectiveness of an organization s overall antifraud programs and controls. A fraud risk assessment expands upon traditional risk assessment. It is scheme and scenario based rather than based on control risk or inherent risk. The assessment considers the various ways that fraud and misconduct can occur by and against the company. 13 FRA: Creating Value While Meeting Standards ing How Organization Manages Fraud Risk Control environment Board oversight Codes of ethics/conduct Anonymous reporting Other entity level activities Fraud event identification and risk assessment Identity entity level scheme & scenario risks likelihood & impact Conduct self-assessment at function & local business unit levels Develop a risk response Continuous reassessment Incident response & Investigate remediation Perform root cause analysis Search for other misconduct Enhance controls Monitoring activities Monitor fraud risk factors & indicators Audit for Red flags Develop new/ enhance existing controls Entity and business process level control activities Validate operating effectiveness controls design People Process Technology Three lines of defense business, finance and internal audit/compliance Identify significant risks, evaluate response, collusion, monitor/audit for red flags Disaggregate schemes into key risk indicators, develop data analytics, maximize available technology 14 7

8 Fraud Risk ment: Key Process Steps Management Support and Sponsorship Programs and against PwC Framework Audit Risk into Audit Let s Discuss: Application of methodology Executing it practically Challenges and benefits Lessons learned 15 ning Management Support and Sponsorship Assemble team Consider scope and objectives Board and senior management Overall antifraud program assessment support built into internal audit plan and compliance work plan development Categories of fraud and depth within organization and approval processes. evaluation Combined Internal Audit and PwC Risk response resources including PwC SMEs in key Use and sustainability areas. Design process Initial Internal Audit Team fraud risk Format of deliverable (e.g., PwC template) discussion for full day. Organize by business unit, function, geography or Second phase, facilitated sessions combination with key director-level groups. Role and interviews of management Sustainability against PwC Framework Cedars-Sinai : Roll results into annual planning processes and individual project processes for ongoing update. 16 8

9 Management Support and Sponsorship Gaining Senior Management Sponsorship Vitally important that senior management embrace and sponsor the assessment Senior management ideally would communicate to middle management the importance of the initiative (drafted by IA or Compliance) Recommend an initial meeting with C- suite representatives to: Explain business benefits of FRA process Obtain their perspective of high impact monetary, compliance and financial reporting fraud risks Seek input regarding making process efficient and effective Cedars-Sinai C-Suite Buy-In: Internal Audit Compliance Work processes involve the C-suite for input on risk and project selection. s are approved by C-suite. s presented to Audit Committee for review, input and approval. s presented to Board for review, input and approval. Formal meeting C-Suite meeting not held relative to kick off. 17 Evaluating Program & Management Support and Sponsorship Programs and Begin with high level assessment of how organization manages fraud risk (e.g., PwC, Corruption and Misconduct ment Tool) Where are we as an organization? Conduct validation procedures as needed Cedars-Sinai ment: Internal Audit Team ment PwC Tool Overall ment Results: Corporate Fraud Policy Coordinated Investigation Resources Consistency in Criminal Prosecution and Employee Discipline Decisions High Level Fraud Risk & Individual Audit Fraud Risk Considerations 18 9

10 Predicting the Unpredictable is Key Think Like A Criminal When ing the Risk of Fraud, Corruption & Abuse! How would a criminal manage your XYZ business unit? What would happen if a criminal were a XYZ vendor or customer? What if a criminal were hired as a XYZ associate? Create Straw Schemes List Management Support and Sponsorship Create a list of inherent entity level fraud risks common and sector specific fraud and abuse scenarios Past allegations, suspicions and investigations Industry research of frauds at other technology companies & and organizational vendors Brainstorming among business, compliance, internal audit and fraud experts Operational, design and other deficiencies identified during business reviews, compliance monitoring activity and internal and external audits Cedars-Sinai Inventory: Upcoding; Claims for Services not Provided; A/R & Rate Manipulation / Outliers Radiology Incident; Heparin Incident; EMTALA Siemens 2008 global fraud - bribery Imaging Room; Chillers; Data Manipulation; Vendor Relationships Look at potential impact of identified control deficiencies; broken processes; significant hand-off requirements, etc

11 Create Straw Schemes List Management Support and Sponsorship Determine Fraud Classifications List Sample Fraud Scenarios Revenue? Expenditure? Construction? Etc Etc. CSHS: practical application and lessons learned Fraud classifications: Revenue, Expense or Reporting Impact Brainstorm scenarios by organizational lines of authority and three impact areas Director and Manager Level Focus Group Discussions Angels and Demons Scribe 21 Narrow to Significant Residual Risks Management Support and Sponsorship Narrow list to capture high impact vulnerabilities Consider likelihood Qualitative and quantitative impact, as well as, direct and indirect consequences Establish thresholds to measure impact on reputation, operations, financial, legal, compliance, and strategic objectives design of existing controls Consider whether existing processes and controls are able to withstand intentional misconduct Examine incentives pressures and opportunities to collude, circumvent and override CSHS: practical application and lessons learned Two Hour facilitated Sessions Necessary for: Scribe Schemes Likelihood & Impact Focus on Schemes (how it s done criminal perspective) Common beliefs / identified schemes across sessions 22 11

12 Management Support and Sponsorship Tailor to Business Units & Functions Entity level of assessment = very limited business value ment needs to be conducted and tailored to individual business units and functions, particularly in high risk markets; focus on both internal and external risks Tailored assessments simultaneously reinforce that local management owns risk Hold focus groups of management and staff to tailor inventory Meet and validate results with business unit and function leaders CSHS: practical application and lessons learned Entity Level ment Proof remains to be seen. Business units positive response to facilitate sessions and Angels and Demons Lot s of Aha s and Really? s in sessions Senior Management and Board response to come Capture assessment for senior management and board 23 Internal Management Support and Sponsorship Audit Risk Based upon final listing of scenarios update audit risk universe for key risk factors and indicators Refine any pre-existing audit risks based upon additional risk assessment procedures Incorporate into annual update process of audit and/or compliance risk universe CSHS: practical application and lessons learned If not already categorized in your risk universe, add category or metadata for easy identification Refining can be time consuming Annual update development in progress, to be completed through: Improved annual interviewing Individual Audit Capture 24 12

13 Management Support and Sponsorship whether any current year audits should be updated based on new risk universe Determine appropriate way to keep fraud risk assessment process evolving rather than static As new investigations or industry trends occur Automated controls are added into environment CSHS: practical application and lessons learned In addition to current year updates, could identify new priority audits Again: Annual interviewing Individual audits Possible facilitate session repeats 25 Integrating Fraud Risk Into Individual Compliance and Audit Engagements: ning Brainstorming among team and forensics Past incidents Past audits and business reviews Management inquiries Industry research Tailor procedures Execution Design and operating effectiveness of existing response Consider need for substantive testing Execution (cont d) Fraud risk factors & indicators Analytics - - not just ACL Interview, interview, interview!! Completion Documentation is essential Identify planning and how audit tailored 26 13

14 Creating Value While Meeting Fraud Standards Raising Auditor Fraud Proficiency Knowledge Scheme components Presumptive controls Key risk factors & indicators Detection procedures Skills Scheme and scenario risk assessment ing how organization manages risk Devising fraud audit procedures Forensic investigation Interviews Use of electronic data tools 27 Creating Value While Meeting Fraud Standards Tools of a Highly Equipped Compliance and/or Internal Audit Function Specialized fraud examiners on staff training for staff Investigative training for staff Use of Computer Assisted Audit Techniques to promote fraud detection Focused fraud risk assessment with inclusion of functional management and employees of all levels Direct and regular interaction with senior management and audit committee Use of specific and targeted fraud audit techniques SAS 99 Can lead and/or support investigation and/or remediation efforts 28 14

15 Creating Value While Meeting Fraud Standards Other Activities Compliance and/or IA Departments are Taking to Deliver Value Equip front line to serve as an effective first line of defense Conduct a good fraud risk assessment pilot at a high risk entity to develop a sustainable and repeatable process Expand FCPA and other compliance reviews to identify opportunities to cut revenue leaks, cut costs and safeguard assets Form a fraud council comprised of key business and corporate stakeholders Host a perfect crime dinner and/ or facilitate angels v. demons exercise for management, internal audit and/or compliance Create on-line or live interactive learning modules tailored to specific functions, e.g., procurement, sales, controllers 29 Don t be this guy! Stamp out? Paul M. Baran Director, Internal Audit National Healthcare Practice PriceWaterhouseCoopers - Philadelphia office fax paul.m.baran@us.pwc.com Mark P. Ruppert, CPA, CIA, CISA, CHFP Director, Internal Audit Conflict of Interest Administrator Cedars-Sinai Health System office fax ruppertm@cshs.org 30 15