Creating a Fraud Risk Assessment and Implementing a Continuous Monitoring Program. Christopher DiLorenzo, CFE, CPA, CIA, CRMA


1 Creating a Fraud Risk Assessment and Implementing a Continuous Monitoring Program Christopher DiLorenzo, CFE, CPA, CIA, CRMA 2015 Association of Certified Fraud Examiners, Inc.

2 Creating a Robust Fraud Risk Assessment and Implementing a Continuous Monitoring Program. Christopher M. DiLorenzo, CPA, CIA, CFE, CRMA, CISA, Vice President, Internal Audit, Scientific Games Corporation.

3 Speaker Profile: Christopher M. DiLorenzo, CPA, CIA, CFE, CRMA, CISA. Christopher M. DiLorenzo is currently the vice president and chief audit executive (CAE) for Scientific Games Corporation (SG), based at its Las Vegas corporate headquarters. SG recently acquired Bally Technologies, where DiLorenzo had been a member of the internal audit function for the prior 11 years and CAE for the last five. Before Bally Technologies, he worked in the internal audit department of the Mandalay Resort Group and in public accounting with both Andersen and Deloitte. He is currently responsible for executing SG's global internal audit program, which includes testing for Sarbanes-Oxley compliance, operational audits, and assisting in forensic investigations.

4 Topics for Today: how to create robust risk assessments; understanding fraud; creating a fraud risk assessment; how to develop a continuous monitoring program.

5 Robust Risk Assessments. WHAT MAKES THE ASSESSMENT ROBUST? It is comprehensive, detailed, authorized/empowered, and adaptive to change.

6 Robust Risk Assessments. THE ASSESSMENT MUST BE COMPREHENSIVE. Determine the department's minimum requirements: SOX compliance, specific regulatory or compliance requirements, and audit committee minimum requirements. Evaluate other areas: enterprise and strategic risk, fraud considerations, and operational/other compliance risk. Combine these to create the robust plan.

7 Robust Risk Assessments. THE ASSESSMENT MUST BE COMPREHENSIVE. Internal control over financial reporting (SOX): perform your SOX assessment using a recognized framework, e.g., COSO. It will include areas specific to financial reporting, general computer controls, and entity-level controls and tone at the top. Build your SOX plan from it.

8 Robust Risk Assessments. THE ASSESSMENT MUST BE COMPREHENSIVE. Enterprise and strategic risk: review your company's ERM program; review the company's overall strategy and objectives; align the results to your overall plan.

9 Robust Risk Assessments. THE ASSESSMENT MUST BE COMPREHENSIVE. Fraud considerations: evaluate all fraud risks to your company; use the ACFE's fraud tree to identify and classify your scenarios; align the results to your overall plan.

10 Robust Risk Assessments. THE ASSESSMENT MUST BE COMPREHENSIVE. Operational/other compliance risk: create an audit universe; address the details of the universe; begin to build your operational/compliance plan.

11 Robust Risk Assessments. THE ASSESSMENT MUST BE DETAILED. Why does the risk need to be mitigated? How risky is it? What can we do about it? Where does it need to be addressed? Who can address it? When is the timing within our plan?

12 Robust Risk Assessments. THE ASSESSMENT MUST BE DETAILED. Why does the risk need to be mitigated? What could go wrong? Always state the consequence in your risk statements, e.g.: "Purchase orders are not approved, which may lead to ..."; "Improper segregation of duties exists for cash disbursements, which may lead to ..."

13 Robust Risk Assessments. THE ASSESSMENT MUST BE DETAILED. How risky is it? Make it measurable: how impactful would it be if this risk were to occur? How likely is it? Other factors as applicable.

14 Robust Risk Assessments. THE ASSESSMENT MUST BE DETAILED. What can we do about it? Is it covered by SOX procedures? By fraud auditing procedures? By operational audit procedures? By continuous monitoring procedures? Or is it unable to be addressed by audit?

15 Robust Risk Assessments THE ASSESSMENT MUST BE DETAILED Where does it need to be addressed? Corporate? Subsidiaries? Domestic? International?

16 Robust Risk Assessments THE ASSESSMENT MUST BE DETAILED Who can/will address it? Do I have the resources? Can I automate it? Can I engage an expert third party?

17 Robust Risk Assessments. THE ASSESSMENT MUST BE AUTHORIZED/EMPOWERED. Power comes from the internal audit charter, audit committee approval, and management buy-in/involvement.

18 Robust Risk Assessments. THE ASSESSMENT MUST BE AUTHORIZED/EMPOWERED. Power comes from the internal audit charter. The audit committee approves a charter for internal audit; validate it at least annually. Include wording such as: "The responsibilities and scope of activities of the Internal Audit Department include developing an annual audit plan using an appropriate risk-based methodology, including any risk or control concerns identified by management, and submitting it to the Audit Committee for review. The plan should be adjusted, as necessary, in response to changes in the organization's business, risks, operations, programs, systems and controls."

19 Robust Risk Assessments THE ASSESSMENT MUST BE AUTHORIZED/EMPOWERED Audit committee approval Present your assessment to the audit committee and get their input/approval. Management buy-in Involve management in your process. Have them help you identify risks. Get their input on the attributes of the risks.

20 Robust Risk Assessments THE ASSESSMENT MUST BE ADAPTIVE TO CHANGE The risk assessment process is never over. It must be regularly reviewed and updated, along with your plan. Change is constant.

21 Understanding Fraud FRAUD TRIANGLE

22 Understanding Fraud. INITIAL DETECTION. The typical organization is estimated to lose 5% of revenues to fraud each year. The median loss per incident was $145,000, and 22% of the cases involved losses of at least $1M. The median fraud lasted 18 months before detection. The presence of anti-fraud controls is associated with decreases in both the cost and the duration of the scheme. COSO 2013 (principle 8) requires that the organization consider the potential for fraud in assessing risks to the achievement of objectives.

23 Understanding Fraud. INITIAL DETECTION. According to the 2014 ACFE Report to the Nations, more than 72% of the frauds were detected as a result of tips (42.2%), management review (16%), or internal audit (14.1%).

24 Understanding Fraud. INITIAL DETECTION. Chart obtained from the ACFE 2014 Report to the Nations.

25 Understanding Fraud. CONTROL WEAKNESSES THAT CONTRIBUTED TO FRAUD. The 2014 ACFE Report to the Nations found that in nearly one-third of the cases reported, the victim organization lacked the internal controls that would have prevented the fraud. Additionally, one-fifth of the reported cases could have been prevented if managers had done a sufficient job reviewing transactions, accounts, or processes.

26 Understanding Fraud CONTROL WEAKNESSES THAT CONTRIBUTED TO FRAUD

27 Fraud Risk Assessment Policy AN EXAMPLE POLICY The fraud risk assessment is completed by identifying fraud risks applicable to the company and determining their likelihood and impact. The results of this assessment are mapped to internal audit s SOX, operational and continuous monitoring plans. This plan is updated each year and is presented to the audit committee typically during the month of December.

28 Creating Your Assessment. Using SOX processes, audit universe areas, and other applicable business functions, create a listing of areas where fraud could occur. For each area, brainstorm the applicable fraud scenarios using the ACFE's fraud tree.

29 Fraud Tree

30 Creating Your Assessment. Each scenario should clearly identify: who the fraudster is; the result of the fraud; and how the fraudster benefits (the conversion). Identify the elements of the company's internal control environment that will prevent or detect this event; if unknown, investigation is needed. Clearly document how the control will work given the scenario. Identify whether internal control gaps exist. Provide the scenarios to the business leaders over each process area, solicit their input, and update accordingly. Repeat this exercise for each business entity/location.

31 Creating Your Assessment HOW RISKY IS IT? Define your risk parameters. What are you going to consider? Are all parameters created equal? Determine how risky the fraud scenario is.

32 Creating Your Assessment. EXAMPLE RISK ASSESSMENT APPROACH. Fraud risks are rated on residual risk only. Residual risk: the risk of an event happening given the known control environment.

33 Creating Your Assessment. EXAMPLE RISK ASSESSMENT APPROACH. Fraud risks are rated on two attributes.
Likelihood: 1 = strong control environment; 5 = weak or nonexistent control environment.
Impact (assuming the scheme runs for 36 months prior to detection): if the risk is financial-reporting related, the rating is guided by materiality (1 = immaterial; 5 = material). All other areas are rated using a much lower reasonableness threshold (1 = lower dollar amount and minimal disturbance to the business; 5 = higher dollar amount and considerable disturbance to the business).
Sum likelihood and impact to arrive at the final fraud risk rating.

34 Creating Your Assessment. EXAMPLE RISK ASSESSMENT APPROACH. Fraud scenarios were then placed into one of four groups.
Immaterial: impact rated 1; the scenario will be revisited during the next assessment.
SOX Testing: planned SOX testing provides a large enough level of comfort that no additional procedures are planned.
Operational review: an operational review is required to provide comfort over the fraud scenario.
Partial SOX/partial operational: the scenario is partially addressed by already-planned SOX procedures but requires additional/supplemental procedures for full coverage.

35 Creating Your Assessment EXAMPLE RISK ASSESSMENT APPROACH Continuous monitoring program Lastly, each fraud scenario was questioned to determine if continuous monitoring procedures could be automated to give regular assurance over the scenario. If yes, an action plan was created and turned over to our IT auditing function for evaluation and implementation.

36 Creating Your Assessment. EXAMPLE RESULTS. Summary table (values not reproduced in the transcription) with one row per business area and the columns: Area | Risks Identified | Immaterial | SOX | Operational | Covered by Both (partial) | Continuous Monitoring Candidates.

37 Creating Your Assessment. EXAMPLE RESULTS: ACCOUNTS PAYABLE. Columns: # | Fraud Scenario | Primary Fraud Category | Type | Conversion | Internal Controls | L | I | Overall | Test Bucket. The likelihood (L), impact (I) and overall scores are redacted in the deck as x, x and 2x for every row.
1. A buyer engages a company with which the buyer has an undisclosed relationship, resulting in the company paying more than fair market value for goods/services obtained and/or receiving sub-standard service. Category: Corruption. Type: Conflicts of Interest. Conversion: employee receives kickback. Controls: 1. Budget-to-actual review (E-SOX); 2. Segregation of duties (buyer can't add directly to vendor file). Test bucket: SOX Testing.
2. A buyer receives a bribe or invoice kickbacks from a company in return for choosing that company to provide service, resulting in the company paying more than fair market value for goods/services obtained and/or receiving sub-standard goods/service. Category: Corruption. Type: Invoice Kickbacks. Conversion: employee receives kickback. Controls: 1. Budget-to-actual review (E-SOX); 2. Bidding controls. Test bucket: Partial SOX; Partial Operational Reviews.
3. AP colludes with a check signer and/or invoice authorizer and makes payments to a dormant or fictitious vendor. Category: Asset Misappropriation. Type: Larceny. Conversion: employee receives undue funds. Controls: 1. B of A online system controls; 2. Supplier master file data is reviewed; 3. Systematic deactivation of inactive suppliers. Test bucket: SOX Testing.
4. An employee characterizes a personal expense as a business-related expense. Category: Asset Misappropriation. Type: Mischaracterized Expenses. Conversion: employee's personal expenses paid by the company. Controls: 1. Expense report reviewer; 2. Required to use company card. Test bucket: Operational Reviews.
5. An employee overstates a business expense to obtain a fraudulent reimbursement from the company. Category: Asset Misappropriation. Type: Overstated Expenses. Conversion: employee receives undue payment by the company. Controls: 1. Expense report reviewer; 2. Required to use company card. Test bucket: Operational Reviews.
6. An employee creates fictitious expenses and submits them as business-related expenses to obtain fraudulent reimbursement from the company. Category: Asset Misappropriation. Type: Fictitious Expenses. Conversion: employee receives undue payment by the company. Controls: 1. Expense report reviewer; 2. Required to use company card. Test bucket: Operational Reviews.
7. An employee submits the same expense multiple times to obtain fraudulent reimbursement from the company. Category: Asset Misappropriation. Type: Multiple Reimbursement. Conversion: employee receives undue payment by the company. Controls: 1. Expense report reviewer; 2. Required to use company card. Test bucket: Operational Reviews.

38 Creating Your Assessment. EXAMPLE RESULTS: ACCOUNTS PAYABLE (continued). Same columns as the previous slide; L, I and overall scores again redacted as x, x and 2x.
8. An unauthorized employee obtains company check stock and fraudulently uses it to create unauthorized payments. Category: Asset Misappropriation. Type: Forged Maker. Conversion: employee receives undue payment by the company. Controls: 1. If possible, checks are not issued to acronyms; 2. Checks under $5k do not need a signature, nor do checks over $5k with a PO; checks over $5k without a PO require a signature; 3. Balance sheet account reconciliations. Test bucket: SOX Testing.
9. An accounts payable member diverts a check to a third party and forges the check endorsement to divert funds to the accounts payable member. Category: Asset Misappropriation. Type: Forged Endorsement. Conversion: employee receives undue payment by the company. Controls: 1. AP aging analysis; 2. Balance sheet account reconciliations. Test bucket: SOX Testing.
10. An accounts payable member diverts a check to a third party and alters the payee to divert funds to the accounts payable member. Category: Asset Misappropriation. Type: Altered Payee. Conversion: employee receives undue payment by the company. Controls: 1. AP does not write checks to acronyms in the payee. Test bucket: Operational Reviews.
11. An authorized check signer obtains check stock and issues a payment for personal gain. Category: Asset Misappropriation. Type: Authorized Maker. Conversion: employee receives undue payment by the company. Controls: 1. AP aging analysis; 2. Balance sheet account reconciliations. Test bucket: SOX Testing.
12. A member of the AP team intentionally overpays a vendor in an effort to intercept the subsequent refund check for personal gain. Category: Asset Misappropriation. Type: Larceny. Conversion: AP member steals the company's refund. Controls: Segregation of duties. Test bucket: Operational Reviews.
13. An accounts payable member, under the direction of a controller, records accounts payable amounts incorrectly (e.g., as assets). Category: Fraudulent Statements. Type: Concealed Liabilities & Expenses. Conversion: company outlook appears better than actual. Controls: AP is only able to post to expense/liability accounts. Test bucket: SOX Testing.
14. An accounts payable member, acting alone or in collusion with a controller, does not record accounts payable amounts in the proper period to improve the company's financial position. Category: Fraudulent Statements. Type: Timing Differences. Conversion: company outlook appears better than actual. Controls: 1. AP accrual; 2. Invoice approval; 3. Three-way match. Test bucket: SOX Testing.

39 Continuous Monitoring Approach. PLANNING PHASE (phases: Planning, Design, Development, Testing, Review, Deployment). Brainstorm for each risk event identified as a continuous monitoring candidate: create theoretical approaches for how we can systematically monitor it; identify the resources required to pursue the solutions to the identified scenarios (data or documentation access, access to relevant business personnel); verify (or understand) the work flow of the transactions; identify the data tables where your data is maintained.

40 Continuous Monitoring Approach. DESIGN PHASE. Data mining: review the available data sources and identify the data needed to meet the specific continuous monitoring objectives; document the identified data sources and data fields in a diagram for easy reference. Logic design: consider the scope and materiality of the fraud risk and the information needed to perform the planned follow-up procedures; document the design procedures in a way that can be easily understood and re-performed as applicable.

41 Continuous Monitoring Approach. PLAN: A/P TRANSACTIONS CODED TO NON-EXPENSE ACCOUNTS.
RISK X-3-AP-012: Accounts payable member, under the direction of a controller or higher, records accounts payable invoices incorrectly (e.g., as assets or revenue) in order to materially impact the financial statements and improve the overall outlook of the company. Impact: X, Likelihood: Y.
PROCESSES IN SCOPE: accounts payable invoice creation; accounts payable approval process.
DEVELOPMENT TEAM: Name, IT Audit Manager; Name, Senior IT Internal Auditor; Name, Staff IT Internal Auditor; Name, Staff Internal Auditor.
CURRENT MITIGATING SOX CONTROLS. Journal Entries Are Reviewed & Approved: all journal entries and supporting documentation are reviewed by a member of finance at least one level above the preparer. Evaluation Process for Non-Routine Transactions: appropriate accounting treatment for transactions that are both non-routine and significant is researched for appropriate GAAP treatment and documented; related memos are reviewed by at least one level above the preparer, and the accounting treatment for non-routine and significant transactions is reviewed by the audit committee. Invoice Review: non-inventory invoices (or POs) for goods/services are approved prior to payment, according to the company's approval matrix, by a member of the department in receipt of the goods/services (exception: utility invoices).
ANALYTIC LOGIC. 1. Obtain API transactions from the GL table in MAPICS related to AP-Trade (account number xxxxx). 2. Exclude all transactions coded to an expense account. 3. Identify transactions in which the AP-Trade account was debited. 4. Identify the accounts that were debited in transactions where AP-Trade was credited. 5. Compare the activity change between quarters and identify material account variances for transactional follow-up ($1M or greater increase in activity).
ANALYTIC OUTPUT. A summary of account activity for non-expense accounts that were credited in an API transaction in which the AP-Trade account was debited. A summary of account activity for non-expense accounts that were debited in an API transaction in which the AP-Trade account was credited and whose total activity change from the prior quarter exceeded the materiality threshold ($1M). A listing of all transactions contained in the aforementioned account summaries.
FOLLOW-UP TESTING. Determine whether the transactions are legitimate by obtaining backup documentation and/or inquiry with relevant personnel. Testing note: invoice documentation is located in IntelliChief.
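The analytic logic on this slide is small enough to write out as code. The following Python is an added example, not the deck's or Scientific Games' own ACL script; it implements steps 2 through 5 over a constructed AP-invoice (API) feed and produces the three outputs the slide lists. Everything specific is assumed: the AP-Trade account number (redacted as xxxxx on the slide), the convention that expense accounts start with "6", the other account numbers, the transaction ids and the dollar amounts.

```python
from collections import defaultdict
from dataclasses import dataclass

# Assumed identifiers: the slide redacts the AP-Trade account as "xxxxx" and does
# not give the expense-account range, so both are constructed for this example.
AP_TRADE_ACCOUNT = "21000"
EXPENSE_ACCOUNT_PREFIX = "6"
MATERIALITY_THRESHOLD = 1_000_000  # $1M quarter-over-quarter activity increase, per the slide


@dataclass(frozen=True)
class GLLine:
    """One line of an API (AP invoice) journal entry pulled from the GL table."""
    txn_id: str
    quarter: str
    account: str
    debit: float = 0.0
    credit: float = 0.0


def is_expense(account: str) -> bool:
    return account.startswith(EXPENSE_ACCOUNT_PREFIX)


def group_by_transaction(lines):
    """Group GL lines by transaction id and keep only entries that touch AP-Trade (step 1)."""
    by_txn = defaultdict(list)
    for line in lines:
        by_txn[line.txn_id].append(line)
    return {t: ls for t, ls in by_txn.items()
            if any(l.account == AP_TRADE_ACCOUNT for l in ls)}


def run_analytic(lines, current_quarter, prior_quarter, threshold=MATERIALITY_THRESHOLD):
    """Steps 2-5 of the slide's analytic. Returns the three outputs it describes:
    credited_when_ap_debited: non-expense accounts credited where AP-Trade was debited
    material_debits: non-expense accounts debited against an AP-Trade credit whose
                     activity grew by >= threshold versus the prior quarter
    transactions: every transaction id behind either summary, for follow-up testing
    """
    txns = group_by_transaction(lines)
    credited_when_ap_debited = defaultdict(float)
    debit_activity = defaultdict(lambda: defaultdict(float))  # account -> quarter -> amount
    current_txns_by_account = defaultdict(set)                 # account -> txn ids this quarter
    followup = set()

    for txn_id, entry in txns.items():
        ap_debited = any(l.account == AP_TRADE_ACCOUNT and l.debit > 0 for l in entry)
        ap_credited = any(l.account == AP_TRADE_ACCOUNT and l.credit > 0 for l in entry)
        for l in entry:
            if l.account == AP_TRADE_ACCOUNT or is_expense(l.account):
                continue  # step 2: drop the expense side of ordinary invoices
            if ap_debited and l.credit > 0:  # step 3: AP-Trade debited, who took the credit?
                credited_when_ap_debited[l.account] += l.credit
                followup.add(txn_id)
            if ap_credited and l.debit > 0:  # step 4: AP-Trade credited, what was debited?
                debit_activity[l.account][l.quarter] += l.debit
                if l.quarter == current_quarter:
                    current_txns_by_account[l.account].add(txn_id)

    material_debits = {}  # step 5: quarter-over-quarter variance against materiality
    for account, per_quarter in debit_activity.items():
        prior = per_quarter.get(prior_quarter, 0.0)
        current = per_quarter.get(current_quarter, 0.0)
        change = current - prior
        if change >= threshold:
            material_debits[account] = (prior, current, change)
            followup.update(current_txns_by_account[account])

    return {
        "credited_when_ap_debited": dict(credited_when_ap_debited),
        "material_debits": material_debits,
        "transactions": sorted(followup),
    }


def _invoice(txn_id, quarter, debit_account, amount, credit_account=AP_TRADE_ACCOUNT):
    """Build a balanced two-line API entry for the constructed sample feed."""
    return [GLLine(txn_id, quarter, debit_account, debit=amount),
            GLLine(txn_id, quarter, credit_account, credit=amount)]


# Constructed sample feed (not real data). Assumed accounts: 61000 expense,
# 15000 fixed assets, 14000 prepaids, 40000 revenue.
SAMPLE_LINES = [
    *_invoice("API-1001", "2015Q1", "61000", 5_000),       # ordinary expense invoice
    *_invoice("API-1002", "2015Q1", "15000", 200_000),     # capitalized invoice, Q1
    *_invoice("API-1003", "2015Q1", "14000", 250_000),     # prepaid, Q1
    *_invoice("API-2001", "2015Q2", "15000", 1_500_000),   # capitalized, Q2 spike
    *_invoice("API-2002", "2015Q2", "15000", 100_000),
    *_invoice("API-2003", "2015Q2", "14000", 300_000),     # prepaid, small Q2 increase
    *_invoice("API-2004", "2015Q2", AP_TRADE_ACCOUNT, 40_000, credit_account="40000"),  # AP debited, revenue credited
]

if __name__ == "__main__":
    result = run_analytic(SAMPLE_LINES, current_quarter="2015Q2", prior_quarter="2015Q1")
    for key, value in result.items():
        print(key, value)
```

On the sample feed the first summary surfaces the revenue credit booked through AP, the second flags the fixed-asset account (Q1 to Q2 increase of $1.4M) but not prepaids ($50K), and the transaction listing carries the three entries to pull from IntelliChief. A legitimate capital project trips the same threshold, which is why the output is a follow-up list rather than a finding; sorting those out is the testing phase on slide 43.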

42 Continuous Monitoring Approach. DEVELOPMENT PHASE. Implement the design elements as a functional program, e.g., ACL scripts, SQL queries, manual analytic procedures, etc. Maintain documentation throughout development to track the development procedures: comments within the ACL scripts, a narrative of the development procedures, and annotations on development documents describing their content. Review the output: verify that the analytic is properly identifying irregularities and that the output fulfills the design requirements.

43 Continuous Monitoring Approach. TESTING PHASE. Execute the analytic to generate a list of potential exceptions or red flags. Analyze the exceptions to determine whether they are false positives, errors in the development of the analytic, or true exceptions. Obtain documentation or support for the potential exceptions: obtain physical documentation from the appropriate parties; obtain access to systems and databases to retrieve other supporting documentation; perform inquiries with the appropriate parties to better understand the exception. Adjust the logic or output of the program, as necessary, based on the findings during preliminary testing. Document the test procedures performed.

44 Continuous Monitoring Approach. REVIEW PHASE. Development review: a detailed review of the analytic's design, development, and testing by a peer or supervisor to ensure the program is functioning and all necessary documentation is properly recorded. User review with business auditors: a high-level review of the analytic output that the business auditor will subsequently review; this ensures that the analytic meets the business auditor's needs.

45 Continuous Monitoring Approach. DEPLOYMENT PHASE. Identify how often the monitoring should be performed, e.g., daily, monthly, quarterly, etc. Ensure that personnel are properly trained on the execution of the designed analytic and the follow-up procedures. Have a plan for communicating test results within the department as well as to relevant upper management, as deemed necessary. Communicate consistently with your script developers regarding unique findings or analytic improvements; this is vital to keeping the continuous monitoring program current, efficient, and effective.

46 Final Thoughts. CREATING A ROBUST FRAUD RISK ASSESSMENT AND IMPLEMENTING A CONTINUOUS MONITORING PROGRAM. With that, we've discussed: how to create robust risk assessments; understanding fraud; creating a fraud risk assessment; and how to develop a continuous monitoring program. Remember that, by the nature of this topic, "robust" implies that this is not an overnight project. Implementing this type of approach takes time, but you'll be rewarded for that time.