Detection, Prevention, and Investigation of Fraud. Paul McCormack

1 Detection, Prevention, and Investigation of Fraud Paul McCormack

2 The Fraud Triangle: Opportunity, Rationalization, Pressure

3 The Fraud Triangle - Revisited: Arrogance, Competence, Opportunity, Rationalization, Pressure
Source: Crowe Horwath, Playing Offense in a high Risk Environment, 2010

4 2012 Report to Nations: Initial Detection of Occupational Frauds

5 2012 Report to Nations: Source of Tips

6 Department Notified Issue HR Issue HR Generalist / Compliance Employee's Manager Legal Internal Audit Internal Fraud Fraud Department Tip Received Security Workplace Violence Security Human Resources External Auditors Financial Statement Fraud Board of Directors Internal Audit For Discussion Purposes Only

7 Do's and Don'ts
- Strike the right tone
- Position the hotline correctly the first time
- Make sure all executives are on board
- Address concerns raised by senior executives early in the process
- Engage legal, HR and subject matter experts
- Don't reinvent the wheel
- Don't rule out a third-party solution on the basis of cost alone
- Don't forget about foreign operations
  - If your company operates overseas, make sure the hotline is appropriate
- Don't launch the hotline and forget it exists
  - Reaffirm its importance and report results (where appropriate)
  - Ensure that senior executives routinely mention the hotline in their speeches and written communications to employees
  - Display hotline-related posters in employee break rooms

8 2012 Report to Nations: Size of Victim Median Loss

9 2012 Report to Nations: Primary Control Weakness Observed

10 Position of Perpetrator Frequency

11 Position of Perpetrator Median Loss

12

13 Gender of Perpetrator Based on Region

14 Gender of Perpetrator Median Loss

15 Position of Perpetrator Median Loss Based on Gender

16 Age of Perpetrator Frequency

17 Age of Perpetrator Median Loss

18 Tenure of Perpetrator Frequency

19 Tenure of Perpetrator Median Loss

20 Perpetrator's Criminal Background

21 Perpetrator's Employment Background

22 Behavioral Red Flags of Perpetrators Based on Position

23 Result of Cases Referred to Law Enforcement

24 2012 Report to Nations: Recovery of Losses

25 No Centralized Case Database
- Siloed approach to case investigation & management
- Incomplete understanding of risk across entire operation
- Duplication of efforts
- Limited ability to track, report and trend case types
- Increased legal risk due to inconsistent action
- Inability to leverage best practices
Customized Database Deployed
- Fully integrated, cross functional view of case management
- Risk more readily identified and measured
- Integrated approach with defined roles & responsibilities
- Robust monthly reporting and trending analysis available
- Cases are handled consistently, regardless of geography
- Investigation procedures developed and deployed companywide

26 Build VERSUS Buy
Build
Pros:
- Cheaper
- Customized
- Refine and revise as needed
- Leverage company knowledge
Cons:
- Time-consuming
- Lack of in-house expertise
- Requires ongoing investment and maintenance
- 24 hour support often lacking
- Not viewed by tipster as anonymous
- Subject to compromise/attack
Buy
Pros:
- Trained investigators
- 24/7 support
- Multi-lingual support
- Incorporates best practices
- Handle a variety of complaints
- Scalable
Cons:
- Cost-prohibitive
- One size fits all
- Not experts in company / industry
- Inaccurate or incomplete reports
- Difficult to unwind

27
- Identify an executive sponsor
  - Executive sponsor is typically responsible for communications with senior executives / the board of directors
- Develop a project charter
  - Document why the project is being undertaken, detail overall objectives and identify key stakeholders
- Create management steering committee
  - Committee is staffed with key stakeholders
  - Primary purpose is to provide guidance and support to project team
  - Consulted on a regular basis to ensure project is meeting expectations
- Develop clearly defined goals and expectations
  - In partnership with the steering committee develop project specific goals
  - Goals and resulting project timeline will serve as the foundation for the team's work
- Implement frequent status reporting
  - Every two weeks, produce a status report for project steering committee

28 Phases: Create Business Case, Current State Assessment, Future State Design, Database Construction & User Testing, Implementation, Post-Implementation
Activities, in the order listed on the slide:
- Goals & objectives
- Detail assumptions
- Provide cost / benefit analysis
- Project timeline and deliverables
- Map existing case tracking process
- Identify gaps / areas for improvement
- Data location and structure
- Existing update, maintenance and reporting process
- List of internal customers
- Number of users and location
- Share findings with management steering committee
- Design database to meet project goals and objectives
- Share design framework with management committee for approval
- Document desired reporting functionality and share with stakeholders / end users for approval
- Establish database ownership
- Build database & conduct rigorous user testing
- Incorporate user feedback
- Meet I.T. resources to ensure robust data security in place
- Manage soft launch
- Receive approval to proceed with implementation
- Prepare user training materials & conduct onsite / web based training sessions
- Deploy database to US user group
- Provide ongoing support. Assist with report enhancement & development as requested

29 Anti-Fraud Controls Median Loss

30 Anti-Fraud Controls - Duration

31 Red Flags
- Limited segregation of duties
- Sudden or gradual changes in personality and/or physical appearance
- Declines offer(s) to learn additional skills, promotions or the opportunity to work in another office
- Overly protective of workspace
- Employee works irregular hours. They arrive very early and routinely stay late
- Employee refuses to take time off and never calls in sick, despite being visibly ill

32 Red Flags
- Employee appears to have overcommitted to numerous business ventures outside of office
- Company documents show signs of being altered. Important documents routinely go missing
- Employee appears to be involved in all aspects of the office
- The processes that the employee follows when completing their work are exceptionally confusing. The employee adamantly refuses to change their approach

33 Prevention
- Hotline managed by 3rd party
- Segregation of duties
- Surprise audits enhance the perception of detection
- Frequent risk assessments
- Reverse engineer fraud in the news
- Fraud awareness training, employee and management
- Code of conduct / fraud policy
- Employee support program
- Tone at the top

34 Prevention
- Think like a fraudster: can you envision how to commit fraud?
- Internal control creation and deployment process
- Mandatory vacation / Job rotation
- Perform bank reconciliation, ideally daily
- Ensure that bank statements etc. cannot be intercepted, altered, or destroyed
- Know your suppliers
- Monitor employee and internet access
- Include and enforce a right to audit clause in vendor contracts
- Employees involved in bidding process receive annual training in ethics and compliance
- Establish a gift policy

35

36 Paul McCormack (404)