Managing Fraud Risk: New Professional Guidance
Mohammed Ahmed & Toby J.F. Bishop
Deloitte Financial Advisory Services LLP
September 10, 2007

Objectives
- Make you aware of the new guidance
- Show how you can take advantage of it in your work
- Illustrate how it will bring greater focus on key compliance and ethics program elements
- Discuss how to use it to obtain greater management support

The views expressed herein are our own and not necessarily those of Deloitte Financial Advisory Services LLP. Mention of any product is for educational purposes only and does not indicate an endorsement of that product.

Purpose of Guidance
- Inform management and boards of better practices for managing fraud risk
- Show linkage between managing fraud risk, corporate governance and ethics & compliance programs
- Help manage a challenging and costly business risk
- Encourage process enhancements
- Drive greater quality and consistency

Why Develop New Guidance?
- High jump record: 2.45 meters
- Pole vault record: 6.14 meters
- Tools can raise performance

Fraud Guidance Project
- Joint project of IIA, AICPA & ACFE
- Led by Dave Richards, president of The IIA
- Over 30 experienced practitioners contributing knowledge
- To be released in exposure draft form this Fall

Managing Fraud Risk Guidance
Sections on:
- Fraud Risk Governance
- Fraud Risk Assessment
- Fraud Prevention
- Fraud Detection
- Investigation and Response
Appendices with reference materials

Fraud Risk Governance
- Rising risks and penalties relating to fraud and corruption require an organizational response
- Board and senior management need to direct anti-fraud and anti-corruption activities
- Strong corporate governance is a foundation
- A fraud control policy is an important tool in fraud risk governance

Fraud Risk Governance
The Board:
- Helps set the tone at the top for senior management
- Has responsibility to ensure management designs effective fraud risk management policies
- Oversees management's fraud risk assessment and antifraud controls
- Appoints a senior executive responsible for fraud risk management
- Ensures adequate resources are provided
- Monitors effectiveness of fraud risk management program

Fraud Risk Governance
Management:
- Sets the tone at the top for employees
- Implements effective fraud risk management policies
- Defines fraud risk management roles & responsibilities
- Provides fraud awareness training for employees
- Performs regular fraud risk assessments and evaluates anti-fraud controls
- Manages investigation and resolution of issues identified
- Periodically evaluates and improves the effectiveness of the fraud risk management program

Fraud Risk Assessment
- Structured rational approach
- Fraud risk identification
- Assessment of significance and likelihood
- Determination of fraud risk response
- Brainstorming
- Consider risk of management override of controls
- Population of fraud risks
- Inherent risk and residual risk
- Board oversight of cost/benefit decisions in fraud risk responses based on risk tolerance

Example of a Strong Fraud Risk Assessment

Typical Weaknesses
- Appropriate personnel are not involved in the process
- Assessment consists of an identification of risk factors only, and does not include an identification of schemes & scenarios
- Potential perpetrators are not identified (which can lead to insufficient consideration of management override)
- Does not adequately consider collusive fraud and management override of controls
- Lack of monitoring by the Audit Committee/Board

Example of a Weak Fraud Risk Assessment

Fraud Prevention
- Prevention is rarely absolute; it's also deterrence
- A regular internal controls framework has limitations in effectively preventing fraud
- The risk assessment process drives the prevention control activities
- Successful fraud prevention is dependent upon continuous communication and reinforcement

Fraud Prevention
- Entity-level controls
- Fraud awareness training
- Code of conduct
- Background investigations
- Exit interviews
- Process-level controls
- IT access controls
- Segregation of duties
- Can be preventive and detective

Fraud Detection
- Hotline/helpline
- Multilingual, 24x7x365
- Single case management system
- Benchmarking
- Process-level detection controls
- Proactive fraud auditing by internal auditors
- Data analysis technology
- Continuous auditing
- Email analysis

Fraud Detection
Sample performance measures:
- Number of fraud audits performed by internal auditors
- Number of hotline/helpline calls received
- Number of fraud allegations received that required investigation
- Number and value of fraud losses detected

Hotline Benchmarking Report
- 2006 Corporate Governance and Compliance Hotline Benchmarking Report
- Published November 2006 by The Network, CSO Executive Council and the ACFE
- Based on 200,000 incident reports over 4 years
- Addresses effectiveness of a key antifraud control
- Permits benchmarking by industry segment

Hotline Benchmarking Report
Testing effectiveness considerations
- Assess employee communication and training
- Evaluate employee confidence in hotline by survey
- Evaluate objective data:
  - Report frequency
  - Incident mix
  - Tone at the top (anonymity use)
  - Local management (prior notification)
  - Case resolution
- See Bishop/Temkin article in April 2007 issue of Compliance & Ethics Magazine

Fraud Investigation & Response
- Board oversight of process
- Cases involving senior management or financial reporting
- Predefined roles & responsibilities
- Predefined investigation protocols
- Reporting of results
- Recovery/corrective actions
- Include business process and control remediation
- Consistency of discipline organization-wide (using a case management system may assist)

Fraud Investigation & Response
Sample performance measures:
- Average time to resolve an issue (of each type)
- Proportion of incidents that repeat past wrongdoing
- Value of losses recovered and future losses prevented

Conclusion
- Managing Fraud Risk will get attention from boards and management
- Changes will be expected to enhance fraud risk management practices
- Compliance & ethics personnel can use this publication to support enhanced management of fraud risks and to strengthen ethics and compliance programs

What Questions Do You Have?
Mohammed Ahmed, mahmed@deloitte.com, (212) 436-4703
Toby Bishop, tobybishop@deloitte.com, (312) 486-5636

About Deloitte
Deloitte refers to one or more of Deloitte Touche Tohmatsu, a Swiss Verein, its member firms, and their respective subsidiaries and affiliates. Deloitte Touche Tohmatsu is an organization of member firms around the world devoted to excellence in providing professional services and advice, focused on client service through a global strategy executed locally in nearly 140 countries. With access to the deep intellectual capital of approximately 150,000 people worldwide, Deloitte delivers services in four professional areas (audit, tax, consulting, and financial advisory services) and serves more than 80 percent of the world's largest companies, as well as large national enterprises, public institutions, locally important clients, and successful, fast-growing global companies. Services are not provided by the Deloitte Touche Tohmatsu Verein, and, for regulatory and other reasons, certain member firms do not provide services in all four professional areas.

As a Swiss Verein (association), neither Deloitte Touche Tohmatsu nor any of its member firms has any liability for each other's acts or omissions. Each of the member firms is a separate and independent legal entity operating under the names Deloitte, Deloitte & Touche, Deloitte Touche Tohmatsu, or other related names.

In the United States, Deloitte & Touche USA LLP is the U.S. member firm of Deloitte Touche Tohmatsu and services are provided by the subsidiaries of Deloitte & Touche USA LLP (Deloitte & Touche LLP, Deloitte Consulting LLP, Deloitte Financial Advisory Services LLP, Deloitte Tax LLP, and their subsidiaries), and not by Deloitte & Touche USA LLP. The subsidiaries of the U.S. member firm are among the nation's leading professional services firms, providing audit, tax, consulting, and financial advisory services through nearly 40,000 people in more than 90 cities. Known as employers of choice for innovative human resources programs, they are dedicated to helping their clients and their people excel. For more information, please visit the U.S. member firm's Web site at www.deloitte.com