Auditing for Fraud: Planning & Approaches
Today's Agenda
- Introductions
- What is Fraud?
- Internal audit and fraud
- Managing Fraud as an organization
Today's Agenda: Introductions
Clark Schaefer Consulting?
- Public accounting industry based consultancy headquartered in Cincinnati, Ohio
- Clients range from Fortune 100 to large private companies
- Specializing in project work that is centered around three core competencies:
  - Accounting & Finance
  - Control/Risk (i.e. Internal Audit/IT Audit)
  - Technology (i.e. Systems Changes/IT Security)
Introductions
Donald Dickhaus, CPA, CISA
- Director: Accounting/Finance, Internal Audit Service Lines
- Oversight of accounting/internal audit projects
- Responsible for regulatory service methodology
Adam Treinen
- Client Development Manager
- Manages client relationships across all projects
- Works with operations to identify methodology to address client issues
Today's Agenda: What is Fraud?
What do you think of when you think of fraud?
Definition of Fraud
fraud, noun, \ˈfroḋ\
: the crime of using dishonest methods to take something valuable from another person
: deliberate deception to secure unfair or unlawful gain
: a copy of something that is meant to look like the real thing in order to trick people
(© 2015 Merriam-Webster, Incorporated)
Why does fraud occur?
The Fraud Triangle:
- Opportunity
- Pressure
- Rationalization
(© 2015 American Institute of CPAs - All Rights Reserved, Why Employees Commit Fraud)
Opportunity
- Element that companies have the most control over
- Improper segregation of duties
- Lack of/weak internal controls
- Too much trust
- Poor tone at the top
- Flexible, uncontrolled management override
(Copyright 2015, Association of Government Accountants)
Pressure
Internal:
- Meeting shareholder expectations
- Too much work
- Consequences of poor performance
External:
- Personal financial problems
- Lifestyle needs
- Illicit activities
(Copyright 2015, Association of Government Accountants)
Rationalization
- Hostility toward employer
- Unfair wages
- Following along with everyone else
- Intending to pay it back
- Belief that the company won't miss the money
(Copyright 2015, Association of Government Accountants)
Impact of Fraud
[Bar chart: Global Fraud ($3.7) shown beside five unlabeled bars ($0.49, $0.38, $0.20, $0.19, $0.18); axis: Annual Revenue (Trillions)]
(2012 Certified Fraud Examiners Inc. Report to the Nations; © 2015 Time Inc. All rights reserved)
Types of Fraud
Occupational:
- Employee against Employer
External Fraud:
- Dishonest vendors and/or customers
- Unknown 3rd parties
How can internal audit work to minimize risk?
Fraud Tree
- Corruption: Dishonest or illegal behavior, especially by powerful people
- Asset Misappropriation: Theft or embezzlement of company assets
- Financial Statement Fraud: Deliberate misrepresentation, misstatement or omission of financial statement data
Median Loss Per Case
- Asset Misappropriation: median loss $130,000; 85.4% of cases
- Corruption: median loss $250,000; 32.8% of cases
- F/S Fraud: median loss $4,100,000; 4.8% of cases
What does someone committing fraud look like?
Perpetrators of Fraud
- 87% first time offenders with clean employment histories
- 84% never punished or terminated for fraud
Position
The majority of occupational frauds were committed by staff at the employee or managerial level.
[Chart: share of cases by position (Employee, Manager, Owner/Executive); values shown: 19%, 36%, 42%]
Median Loss by Position
The higher the fraudster's level of authority, the greater the losses tend to be.
- Employee: $75,000
- Manager: $130,000
- Owner/Executive: $500,000
Department
- Accounting: 17%
- Operations: 15%
- Sales: 13%
- Executives/Upper Management: 12%
- Customer Service: 8%
- Purchasing: 7%
- Finance: 5%
- All Other Depts.: 23%
* 77% of frauds originated in one of these departments
THERE IS NOT ONE DEPARTMENT WHERE FRAUD ALWAYS HAPPENS!
Today's Agenda: Internal Audit and Fraud
The Situation
- An Accounts Receivable Clerk responsible for processing $20 million in receivables has just been indicted for theft of funds from a travel hockey club for which she is the volunteer treasurer.
- The A/R process was audited 6 months before with no exceptions noted.
- The A/R Clerk voluntarily resigned from her position within the company.
As internal auditors, should we be worried?
What do you do?
- Do nothing and rely on the prior audit
- Toss out the prior audit and re-perform the entire A/R Audit
- Review the prior audit and determine if testing was adequate to detect fraud. Then, based on review, perform additional testing
What would Clark Schaefer Consulting suggest?
Possible Considerations
- Customer List
- Customer Statements
- Cash Payments
- Payment Disputes
- Deposit to Invoice Reconciliation
- Process Flow (separation of duties)
- Customer Discounts & Refunds
- Segregation of Duties
Could Internal Audit have done anything different to detect the fraud prior to her resignation?
Why didn't the auditors catch this?
Detecting Fraud is HARD!
- Lack of skill and experience
- Improper planning
- Inappropriate design of audit program: sample selection or target assertions
- Inability to gather sufficient appropriate audit evidence
- Failure to exercise professional skepticism
Training
- Day-to-day coaching
- Intercompany training
- New hire training process, training individuals as they obtain more responsibility, etc.
- IIA/ACFE auditing courses
- Seminars/conferences
- Certifications: CIA, CFE, CISA
- Continuing education
Standard Audit Steps
- Audit Plan
- Pre-work
- Narrative Interviews
- Process Flows & Walkthroughs
- Risk Assessment
- Test
- Fieldwork Review
- Reporting
- Follow-Up
Fraud Planning: High Level
Annual Audit Plan
- How much of IA's budget is dedicated to canned audits?
- How much is spent on management-mandated activities (i.e. MAR, 10-Q assistance)?
- How much time is set aside for consultative and ad-hoc activities?
Prior Audits
- Are there any non-remediated items?
- Are there any solutions that are different from the audit recommendation?
- Were there any "agree to disagree" items?
- Are the previous tests insufficient for the current audit?
Pre-Work: Identify the Culture
Tone at the Top
- What message does senior level management send to employees in regards to ethical behavior? Fraud is NOT OKAY!
- Are resources being provided to employees telling them how they can identify fraud and help stop it?
Pre-Work: Identifying Fraud Prevention
- Is there an affirmation process for upper management's compliance with code of conduct, fraud, etc.?
- Do policies deter fraud by detailing the consequences of committing fraud?
- Are there annual anti-fraud trainings?
- Are there authority limitations on employees and managers?
- Are there restrictions on management overrides?
- Are the appropriate internal controls in place (i.e. segregation of duties) to prevent fraud?
Pre-Work: Identifying Fraud Detection Techniques
- Are there anonymous opportunities for whistleblowers?
- Are there process controls to detect fraud, such as physical inventory counts, reconciliations, etc.?
- Are there technological measures (i.e. data analysis) to detect anomalies or trends that could indicate fraud?
- Is there an internal audit function that may assist in detecting fraud?
Fraud Detection Techniques
Are resources available to employees to report fraud?
[Chart: detection method (Tip, Management Review, Internal Audit) by Percent of Cases (%); bar values not recoverable]
Preventative Controls deter fraud opportunity but at what cost?
Narrative Interviews
- Are you getting varying answers pertaining to a process?
- Do you have a supervisor or manager who insists on being present for all staff interviews?
- How much has the process changed since the last audit?
Process Flows and Walkthroughs
- Obtain process flow charts in order to identify potential control weaknesses, lack of segregation of duties, etc.
- Perform walkthroughs to verify that the processes are being performed as designed, and that the controls listed exist and are effective
Fraud Planning: High Level
Enterprise Wide Risk Assessment
- What risks are associated with the company's overarching goals?
- What are the positive and negative outcomes of meeting/failing to meet those goals?
- What message does upper management send about meeting goals ("tone at the top")?
Enterprise Wide Risk Assessment
Incentives attached to performance goals are used as a motivational tool, but increase the risk that an employee will act fraudulently in order to obtain those incentives (especially if the consequences of not meeting those goals are severe enough).
Risk Assessment
- Assess the likelihood and significance of inherent and residual fraud risk
- This should include a period of fraud brainstorming where auditors consider all of the controls identified.
- This is also a time to consider the personnel involved with the processes being audited.
Test Planning & Design
Design your audit to have the strongest level of testing available, taking into consideration budget and scope.
[Chart: audit procedures plotted by Cost ($) against Reliability Level: Reperformance, Examination, Confirmation, Analytical Procedures, Observation, Interview / Inquiry]
Supervision
- Set clear expectations
- Discuss the nature, timing, and extent of audit procedures
- Ensure procedures are performed efficiently and effectively
- Review documentation to make sure it sufficiently details tests performed
- Don't be afraid to discuss fraud!
Fieldwork Review
- What is the overall risk of the process being audited?
- Are there any other conclusions that can be drawn from the completed testing?
- Was testing designed to uncover red flags?
- Do any tests need to be re-performed or redesigned?
- Has the audit team fully thought through the implications of any unexpected items?
Substantive Testing
If no exceptions were found the first time, was the sample accurate for the:
- Period tested
- Specific transaction amounts (i.e. round dollar amounts, common amounts)
- Specific vendors (high # of transactions, high # of disputes)
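The selection criteria on the Substantive Testing slide, applied to a receipts listing. This is an added example, not part of the original presentation; the data, record layout, function name and thresholds are constructed assumptions.

```python
from collections import Counter
from datetime import date
from decimal import Decimal

# Constructed A/R receipts: (id, posting date, counterparty, amount, disputed?)
RECEIPTS = [
    ("R001", date(2015, 1, 12), "Acme", Decimal("1250.37"), False),
    ("R002", date(2015, 1, 30), "Acme", Decimal("5000.00"), False),
    ("R003", date(2015, 2, 3), "Birch", Decimal("482.10"), True),
    ("R004", date(2015, 2, 17), "Birch", Decimal("482.10"), True),
    ("R005", date(2015, 3, 9), "Birch", Decimal("482.10"), False),
    ("R006", date(2015, 3, 21), "Cedar", Decimal("913.44"), False),
    ("R007", date(2015, 4, 2), "Acme", Decimal("77.15"), False),
    ("R008", date(2014, 12, 29), "Dune", Decimal("2000.00"), False),
]

def targeted_sample(rows, start, end, round_unit=Decimal("100"),
                    common_min=3, volume_min=3, dispute_min=2):
    """Return {receipt id: sorted reasons} for items inside the period tested.

    Thresholds are illustrative assumptions; tune them to the population.
    """
    # Period tested: anything outside the window is out of scope.
    in_period = [r for r in rows if start <= r[1] <= end]
    amount_freq = Counter(r[3] for r in in_period)          # common amounts
    volume = Counter(r[2] for r in in_period)               # transactions per party
    disputes = Counter(r[2] for r in in_period if r[4])     # disputes per party
    picks = {}
    for rid, _, party, amount, _ in in_period:
        reasons = set()
        if amount % round_unit == 0:
            reasons.add("round-dollar amount")
        if amount_freq[amount] >= common_min:
            reasons.add("common amount")
        if volume[party] >= volume_min:
            reasons.add("high-volume counterparty")
        if disputes[party] >= dispute_min:
            reasons.add("high-dispute counterparty")
        if reasons:
            picks[rid] = sorted(reasons)
    return picks

if __name__ == "__main__":
    q1 = targeted_sample(RECEIPTS, date(2015, 1, 1), date(2015, 3, 31))
    for rid, why in q1.items():
        print(rid, "->", ", ".join(why))
```

Items the function returns are candidates to add to a random sample, not a replacement for it.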
Additional Tests
- Re-performing Invoice to Deposit Reconciliations
- Customer Balance Confirmations
- Staff Interviews
- Bank Statement Reviews
Potential Findings Meetings
Tone at the Top
While no manager or process owner is going to be happy about a potential finding being brought to them, their response and the way that they address the matter can be an indicator of fraud or other problems.
Follow Up
- Avoid the temptation to skip this step
- Look for remediation that has not been completed
- Thoroughly assess all alternative remediation plans
Key Outcomes
- Either assurance gained or improvements made to existing audit process
- Fraud detected
- Additional process improvement recommendations
- Improved internal controls
- Possible recovery of stolen funds
Final Opportunities
- Fraud Investigation Post Mortem
- Lessons Learned
- Need for a Peer Review?
- Opportunity of Continuous Monitoring or Process Automation?
Today's Agenda: Managing Fraud as an organization
The Situation
During an Enterprise Risk Assessment, the Audit Department learns the company is:
- Purchasing a new critical system and outsourcing the implementation and migration to an overseas firm
- Allowing staff to access the company network using personal electronic devices
- Completing the acquisition of a smaller company and rolling one of their systems out to the entire parent company on a very aggressive time-table
So What?
- None of this is illegal
- None of this is out of the ordinary
- All of these things could potentially benefit the company
Outsourcing Risk
- The company now has vendors accessing company information from all over the world.
- Information may now be housed on non-company computers
- International laws and regulations pertaining to confidentiality, availability and integrity may be applicable
End User Risk
- Company information is now accessed by and saved to non-company devices
- Company information is now accessed anywhere at any time
- Personal devices contain software not owned or approved by the company
Project Risk
- Subsidiary system may not be equipped to handle the larger volume of the parent company
- Aggressive deadline could result in short-cutting the Change Management process
- Subsidiary system may not be properly secured
Possible Fraud Testing
- NDA Compliance
- Change Management
- Vendor Selection
- Device Registration
- Device Monitoring
- Intrusion Detection
- Project Management
- Access Controls
- Access Monitoring
Creating a culture to prevent fraud
- Governance: Establish the culture; applies to all members
- Risk Assessment: Know where highest level of risk of fraud exists
- Prevention & Detection: Actively work to create systems to minimize risk
- Investigate & Resolve: For identified instances of fraud, review and adjust process as required
Governance
- Develop a fraud risk program as written policies with clear expectations
- Roles and responsibilities documented for all areas of the organization, including:
  - Board of Directors
  - Audit Committee
  - Management and Staff
- Documentation includes procedures on what to do if fraud is identified.
Creating a culture to prevent fraud: Risk Assessment
Risks to the organization should be periodically assessed to identify areas on which to focus mitigation.
Fraud risk assessments should include three key elements:
- Identify Inherent Risk
- Assess Likelihood
- Address significant risks
Creating a culture to prevent fraud: Prevention & Detection
Preventative controls should be established to prevent key risks identified during the risk assessment.
Examples of controls:
- HR procedures (hiring, terminations, etc.)
- Anti-fraud training
- Authority limits
- Transaction level procedures
KEY IS DOCUMENTATION
Creating a culture to prevent fraud: Prevention & Detection
In addition, controls to detect fraud when preventative controls fail should be established.
Examples of controls:
- Whistleblower hotlines
- Process controls
- Proactive procedures (continuous auditing)
AGAIN: KEY IS DOCUMENTATION
Creating a culture to prevent fraud: Investigate & Resolve
Finally, a reporting process should be established to allow for input on fraud. Following input, a formal investigation process must be established.
For each fraud item communicated, procedures need to be established to:
- Receive the allegation
- Evaluate the allegation
- Investigation procedures
All items should be investigated and resolved using the standard process in a timely manner.
Key Takeaway
INTERNAL AUDIT SHOULD BE A PARTNER, NOT THE POLICE
Questions?
For More Information
If you wish to discuss any aspects of this presentation in more detail, please feel free to contact us:
Clark Schaefer Consulting, LLC.
120 E 4th Street, Suite 1100
Cincinnati, Ohio 45202
www.clarkschaefer.com
Or send an e-mail directly to Don at: ddickhaus@clarkschaefer.com