Conducting a Fraud Risk Assessment

Transcription

1 Conducting a Fraud Risk Assessment Approach, Pitfalls and Recommendations IAAIA Istanbul October 10-13, 2010 Jean Pierre Garitte, CIA, CCSA, CISA, CFE, RFA May 2010

2

3 Introduction and Overview Why Conduct a Fraud Risk Assessment? An Approach to Conducting a Fraud Risk Assessment Common Pitfalls in Conducting Fraud Risk Assessments Recommendations in Conducting Fraud Risk Assessments 2

4 Why Conduct A Fraud Risk Assessment?

5 Why Conduct A Fraud Risk Assessment? Traditional risk assessments link risks to the organization s key objectives. Fraud can be overlooked during this type of review if it is not considered a core company objective. A fraud risk assessment expands upon traditional risk assessment. It is scheme and scenario based rather than based on control risk or inherent risk. Assessment teams must be able to identify the potential schemes and scenarios impacting the industries and geographic markets in which the organization conducts business. Key Approach Evaluate fraud risk factors Identify possible fraud schemes and scenarios Prioritize identified fraud risks Evaluate whether mitigating controls exist or are effective Document the risk assessment process and conclusions Conduct periodic reviews and updates 4

6 Conducting A Fraud Risk Assessment Approach, Pitfalls and Recommendations

7 Planning the Fraud Risk Assessment Pitfalls Management does not take responsibility for the FRA The FRA is not risk-based The FRA is too broadly based Recommendations Management should own the FRA and have significant input into the FRA. Educate the Board on the FRA - get their support/buy-in The FRA should be risk-based The FRA should be focused on the higher risk areas 6

8 Planning the Fraud Risk Assessment Pitfalls The planned approach is contrary to the organizational culture The organization does not have the necessary skill sets to perform the FRA The FRA process does not include the appropriate people The FRA is not systematic and recurring Recommendations The planned approach should fit into the organizational culture consider a mixed approach, e.g., interviews and group brainstorms Hire in the necessary skill sets (employees/consultants) Consider who should be involved as part of the planning process The FRA should be systematic and recurring 7

9 Fraud Risk Assessment Overview Step Approach Output 1 Identify & Evaluate Fraud Risk Factors Identify fraud risk factors Schedule of fraud risk factors Sound knowledge of fraud risk environment Identify Possible Fraud Schemes & Scenarios Analyze and Prioritize Fraud Risks Evaluate Control Design & Implementation Identify fraud risks Identify specific fraud schemes Identify account balances and potential errors related to each fraud risk Analyze the likelihood and significance of possible fraud schemes Link fraud schemes to mitigating controls & evaluate control design and implementation Evaluate the results of fraud risk analysis against established criteria and prioritize risks for treatment List of fraud risks Catalog of fraud schemes Inherent Risk Rating (IRR) of entity Catalog of existing controls Fraud Control Risk Rating Fraud Risk Related Control Gap Analysis Residual Risk Rating (RRR) Identification of fraud risks requiring further treatment Fraud risks prioritized COMMUNICATION WITH MANAGEMENT 5 Risk Treatment Prepare Fraud Risk Action Plan Implement Plan Fraud Risk Action Plan Fraud Risks Treated 8

10 Conducting the FRA Step 1 Key Worksteps 1 Identify and Evaluate Fraud Risk Factors 1. Schedule interviews and develop approach 2. Identify fraud risk factors at the entity level, significant locations, significant accounts and business process level. Consider whether each fraud risk factor indicates the existence of an incentive / pressure, opportunity or attitudes / rationalizations. 3. For each identified fraud risk factor, identify the account balances and potential errors that may be affected and assess the fraud risks. 9

11 1. Identify and Evaluate Fraud Risk Factors Pitfalls Fraud Risk Factors are not considered Existing controls are considered The potential for management override of controls is not considered Interviews are not value-added Recommendations Use the Fraud Triangle to explain the significance of fraud risk factors and to initiate thinking Do not consider controls EXCEPT when considering the potential for management override Develop interview approach that matches area and culture 10

12 Conducting the FRA Step 2 Key Worksteps 2 Identify Possible Fraud Risks, Schemes and Scenarios 1. Identify fraud risks and determine if the fraud risks are pervasive or specific. 2. Brainstorm specific fraud schemes that could result from the specific risks identified. 3. For each fraud scheme, identify internal and external parties who could be involved with reference to incentives / pressure, opportunities, attitudes and rationalizations. 11

13 2. Identify Possible Fraud Risks Pitfalls The schemes are too general, not allowing for sufficient consideration of risks and preventing appropriate level of mapping to controls The schemes do not consider the potential for management override of controls The schemes do not consider the potential for collusion Recommendations Detail the schemes by considering: Why? Who? What? (assets, financial reporting) Where (locations, accounts) When? How? 12

14 IAAIA WORKSHOP 2010: CONSOLIDATED KEY FRAUD RISKS IN AIRLINE 1. Abuse of procurement process 2. Excess baggage / Ancillary revenue fraud 3. Theft includes in-flight, baggage, third party 4. Third party/ Supplier fraud billing, pricing, service level 5. Cargo false documentation include Weight / Description 6. Lost baggage fake claims 7. Seat allocation / unauthorised upgrades 8. Misuse of system access internal and external (hacking) 9. Misappropriation of company assets include disposal process 10. Payroll manipulation 13

15 IAAIA WORKSHOP 2010: CONSOLIDATED KEY FRAUD RISKS IN AIRLINE 11. Financial statement / reporting fraud / false disclosures 12. Revenue loss through abuse of position 13. Unauthorised use of credit cards (1 st and 3 rd party) 14. Frequent flyer programme abuse 15. Inventory / booking class manipulation 16. Agents making fictitious bookings (GDS) 17. Tariff / rate abuse (Cargo) 18. Abuse of travel benefits 19. Abuse of medical leave / unauthorised absence 20. Obtaining and retaining employment through deceptions 21. Employee expenses (falsification of claims) 14

16 ADDITIONAL FRAUD RISKS IN AIRLINE 1. Bribery of government officials 2. Theft of confidential information 3. Segregation of duties in outstations 4. Relationship with third parties 5. Override procurement process 6. Single supplier 7. Manipulation of bidders 8. Free of charge tickets 9. Gifts 15

17 Conducting the FRA Step 3 Key Worksteps Evaluate possible fraud schemes by: 3 Prioritize Identified Fraud Risks - Type - Likelihood - Significance - Pervasiveness Consider Inherent Risk Rating (IRR) 16

18 3. Prioritize Identified Fraud Risks Pitfalls All fraud risks are considered equally important Recommendations Prioritize the identified fraud risks based on likelihood and significance 17

19 3. Prioritize Identified Fraud Risks Evaluate possible fraud schemes by type, likelihood, significance and pervasiveness. Arrive at inherent risk level for each scheme. LIKELIHOOD SIGNIFICANCE PERVASIVENESS Remote More Than Remote Likely Inconsequential More Than Inconsequential Material Not Pervasive Pervasive INHERENT RISK RATING* Low Medium High * (Factor of Likelihood and Significance) 18

20 Conducting the FRA Step 4 Key Worksteps 4 Evaluate Whether Existing Controls Exist / Are Effective 1. Link fraud schemes to mitigating controls. Assess whether each mapped or linked control activity is preventative or detective in nature. 2. Evaluate the effectiveness of controls to determine if they sufficiently mitigate the risk of the identified fraud schemes (control gap analysis). 3. Evaluate the residual fraud risk. 19

21 4. Evaluate Mitigating Controls Antifraud control activities can be preventative or detective in nature. Special consideration should be given to the risk of override of controls by management. Some programs and controls that deal with management override include: active oversight from the audit committee whistle-blower programs and a system to receive and investigate anonymous complaints; and reviewing journal entries and other adjustments for evidence of possible material misstatement due to fraud. 20

22 4. Evaluate Mitigating Controls Pitfalls Where gaps are identified, no remediation efforts are made Future changes in risk are not incorporated into the FRA and remediation is not performed Effectiveness of controls is not evaluated Mapping is done inefficiently and without consideration of existing controls and documentation Recommendations Design and implement controls to close identified gaps The FRA should be iterative and should be reassessed at least annually as well as when there is a significant change in the control environment Evaluating the effectiveness of the controls Only map those controls identified as significant Identify entity level controls that will assist in mitigating remaining residual risk Leverage off existing efforts and controls 21

23 4. Control Risk Rating Evaluate the Control Risk Rating Evaluate controls to determine if they sufficiently mitigate the identified fraud risks and schemes or if additional emphasis should be placed on existing controls or new controls are required Consider both the design and the implementation of the control in mitigating the fraud risk Consider possible management override of controls Effective CONTROL RISK RATING Partially Effective Ineffective 22

24 Establish Residual Risk Rating High Medium Low RESIDUAL RISK RATING Residual risk is the risk remaining after factoring the inherent risk rating and control effectiveness rating for each identified fraud risk. A High rating would indicate immediate action is required and that item should be included in a fraud risk action plan. A Medium rating would indicate that attention is required to the fraud risk and control and that item may be included in a fraud risk action plan, depending on the control effectiveness rating. A Low rating would indicate that the item should be factored into ongoing monitoring plans. 23

25 Conducting the FRA Step 5 Key Worksteps 1. Prepare a Fraud Risk Action Plan to treat and mitigate fraud risk schemes requiring attention. 2. Implement Fraud Risk Action Plan. 5 Risk Treatment 24

26 5. Risk Treatment Prepare a Fraud Risk Action Plan to treat and mitigate fraud risk schemes requiring attention. Controls should be implemented or enhanced for identified fraud schemes where controls are not already present, inadequately designed or poorly implemented. Ensure overall responsibility is assigned to a senior manager to monitor control implementation as detailed in the Fraud Risk Action Plan. This responsibility could be defined in the Fraud Control Policy of the entity or specified elsewhere. The Audit Committee should oversee the entire process. 25

27 Conclusion

28 1. Identify and Evaluate Fraud Risk Factors Sample FRA Documentation 27

29 1. Identify and Evaluate Fraud Risk Factors For each identified fraud risk factor, identify the account balances and potential errors that may be affected and assess the fraud risks. Sample FRA Documentation 28

30 2. Identify Possible Fraud Risks Sample FRA Documentation 29

31 2. Identify Possible Fraud Schemes Sample FRA Documentation 30

32 3. Prioritize Identified Fraud Risks Sample FRA Documentation 31

33 4. Evaluate Mitigating Controls Sample FRA Documentation 32

34 4. Control Risk Rating Sample FRA Documentation 33

35 4. Establish Residual Risk Rating Sample FRA Documentation 34

36 Fraud risk register The Fraud Risk Register tailored to each organization summarizes and collates the outputs from each step of the fraud scenario risk assessment process. Below is a sample Fraud Risk Register filled out to indicate how a completed Register might look. Fraud Risk Register Reference Number Fraud Risk Probability Consequence Inherent Risk Rating Control Activities Control Risk Rating Residual Risk Rating Further action/ treatment required 1. Monitoring by country representatives Misappropriation / misuse of partner's program 1 Possible Major High 2. Certificate of expenditure Very Effective Medium No funds 3. Programme officer and field visits 1. Formal clearance process for creating Contracts (Procurement, legal and accounts) 2 Misappropriation / misuse of funds Unlikely Major Medium 2. Approval from project manager and Accounts for invoices Very Effective Low No before payment 1. Formal procedures for variations in place 3 Theft of petty cash Likely Major High Marginally Effective High Yes 1. All employees sign a confidentialy agreement at the time of joining 4 Breach of Confidentiality Possible Major High 2. Documented data privacy policies Marginally Effective High Yes 1. Ovetime claims to be approved by project managers 5 Payroll and expense cliam fraud Likely Moderate High Partially Effective High Yes 35

37 Approach and methodology Sample fraud risk treatment plan The starting point for the plan is a collation of the key findings from the previous steps in the risk assessment. These findings, along with discussion with senior management will determine how and where the organization will position its risk mitigation. Risk mitigation activities are the implementation of additional controls or the enhancement of existing controls where controls are not already present, inadequately designed or poorly implemented. The fraud risk treatment plan details the new controls and controls enhancements. Ensuring that time frames, cost and accountability are addressed and agreed upon by senior management is an important step in designing effective treatment plans. The following diagrams illustrate the progression in analyses throughout the fraud risk analysis, concluding at a post treatment plan scenario. Sample Fraud Risk Treatment Plan Reference Number 3 Fraud Risk Misappropriation / misuse of funds Residual Risk Rating Reason for Treatment Proposed Actions and Comments Person Responsible Due by Revised Residual Rating 1. Variation application and apporval to be authorise and reviewed by Contracts Pressure to process unapproved variations Medium section Contracts section Ongoing Low which lead to excess payments 4 5 Breach of Confidentiality Payroll and expense cliam fraud High High Loss or inappropriate dissemination of confidential information Employees may manipulate hours on monthly timesheets to claim overtime 1. Enforce clear desk policy 2. Create awareness regarding protecton of confidential information 3. Implement access controls for IT systems 1. Standard hours imposed on employees 2. Project manager to report hours in excess of budgeted hours for project HR, IT and Compliance HR, IT and Project Manager 2 months from date Ongoing Medium Medium 36

38 Airline testimonial

39 Questions?

40 Conducting a Fraud Risk Assessment Approach, Pitfalls and Recommendations IAAIA Istanbul October 10-13, 2010 Jean Pierre Garitte, CIA, CCSA, CISA, CFE, RFA May 2010