Auditing for Fraud. Planning & Approaches

Auditing for Fraud Planning & Approaches

Today s Agenda Introductions What is Fraud? Today s Fraud, Internal audit, IT and fraud Managing Fraud as an organization; How Technology changed the game 2

Introductions 3

Clark Schaefer Consulting Regional consultancy headquartered in Cincinnati, Ohio Clients range from Fortune 100 to large private companies Specializing in project work that is centered around three core competencies: Accounting & Finance Control/Risk (i.e. Internal Audit/IT Audit) Technology (i.e. Systems Changes/IT Security) 4

Introductions Sarah Ackerman, CISSP, CISA Technology practice leader Responsible for overall engagement quality of services provided to clients Areas of expertise include information security, risk management, IT audit, and other technology and risk/control services, with in-depth knowledge of a variety of standards, frameworks, and regulations

Introductions Rich Thompson, CPA, CIA Senior Consultant Specializes in Audit, Risk Assessment, and Accounting Internal Audit experience in Healthcare, Retail, & Government Sara O Banion Consultant Specializes in IT, Fraud and Audit Works with clients to improve processes, analyze data and develop effect solutions. 6

Today s Agenda What is Fraud? 7

What do you think of when you think of fraud?

Understand Fraud on Two Levels Definition fraud noun \ˈfroḋ\ : the crime of using dishonest methods to take something valuable from another person : deliberate deception to secure unfair or unlawful gain : a copy of something that is meant to look like the real thing in order to trick people Reality Limited only by your imagination How would you hide it? How would you move it? 10

Opportunity Element that companies have the most control over Improper segregation of duties Lack of/weak internal controls Too much trust Poor tone at the top Flexible, uncontrolled management override How has IT changed this theory? Ability to create fraudulent documents Potential for exposure (e.g., hacking, phishing, viruses) Data mining Copyright 2015, Association of Government Accountants

Pressure Internal Meeting shareholder expectations Too much work Consequences of poor performance External Personal financial problems Lifestyle needs Illicit activities Copyright 2015, Association of Government Accountants

Rationalization Hostility toward employer Unfair wages Following along with everyone else Intending to pay it back Belief that the company won t miss the money Copyright 2015, Association of Government Accountants

Traditional Ways to Identify Fraud Data analysis Complex and occasionally time consuming investigations Data collection Large samples/ clusters of data if misread could give a false negative or a false positive. How can internal audit work to minimize risk? How can you fix it?

Non-Traditional ways to Identify Fraud Data Analysis Automation: Data analysis software Allows management to identify and respond quickly to red flags, reducing the risk of fraud escalation. Data Collection Cloud technology and advanced computing tools Effective automation of data collection, improved data quality, and a reduction in the time required for data validation. 16

Non-Traditional Ways to Identify Fraud with IT Let data mining work FOR you Link analysis Data visualization Predictive modeling 17

Fraud Tree Corruption: Dishonest or illegal behavior, especially by powerful people. The misuse of entrusted power for personal gain. Asset Misappropriation: Theft or embezzlement of company assets Financial Statement Fraud: Deliberate misrepresentation, misstatement or omission of financial statement data

Median Loss Per Case $ 0 $3M $6M Asset Misappropriation $130,000 85.4% Corruption $250,000 32.8% Financial Statement Fraud 4.8% $4,100,000 0 25 50 75 100 Percent of Cases

What Do Fraudsters Look Like?

Perpetrators of Fraud 87% first time offenders with clean employment histories 84% never punished or terminated for fraud

Position The majority of occupational frauds were committed by staff at the employee or managerial level 19% 36% 42% Employee Manager Owner/Executive

Median Loss by Position The higher the perpetrator s level of authority, the greater the losses tend to be. Employee: $75,000 Manager: $130,000 Owner/ Executive: $500,000

Department * 77% of frauds originated in one of these departments Accounting: 17% Operations: 15% Sales: 13% Executives/Upper Management: 12% Customer Service: 8% Purchasing: 7% Finance: 5% All Other Depts.: 23% FRAUD IS NOT LIMITED TO ANY ONE DEPARTMENT

Fraud Indicators: A few to consider General Too good to be true? It is Lack of transparency Lack of oversight Personal Financial difficulties borrowing money from fellow employees Someone with extraordinary investment losses or medical expenses Changes in a staff member s lifestyle or behavior Overly defensive or argumentative Failure to accept a promotion or transfer Organization Management regularly overriding internal controls High personnel turnover Inventory shortages Unrealistic performance expectations 25

Today s Fraud Internal Audit, IT and Fraud 26

Reasons Why Audits Don t Catch Fraud Detecting Fraud is HARD! Lack of skill and experience Improper planning Inappropriate design of audit program, sample selection, or target assertions Inability to gather sufficient, appropriate audit evidence Failure to exercise professional skepticism

Traditional Training Day-to-day coaching Intercompany training New hire training process, training individuals as they obtain more responsibility, etc. IIA/ACFE auditing courses Seminars/conferences Certifications CIA, CFE, CISA Continuing education

Non-Traditional Training Advance interviewing techniques Forensic accounting Trend analysis 29

Standard Audit Steps Audit Plan Test Fieldwork Pre-work Review Narrative Interviews Reporting Process Flows & Walkthroughs Follow Up Risk Assessment

Fraud Planning High Level Annual Audit Plan How much of IA s budget is dedicated to canned audits? How much is spent with management mandated activities (e.g., MAR, 10-Q assistance)? How much time set aside for consultative and ad-hoc activities? How are you incorporating your IT audits? Together as part of the team or separate?

Fraud Planning High Level (cont.) Enterprise-wide risk assessment What risks are associated with the company s overarching goals? What are the positive and negative outcomes of meeting/failing to meet those goals? What message does upper management send about meeting goals ( tone at the top )?

Enterprise-Wide Risk Assessment Incentives Attached to performance goals, used as motivational tool Increase risk that an employee will act fraudulently in order to obtain them Especially if consequences of not meeting goals are severe enough

Risk Assessment Assess the likelihood and significance of inherent and residual fraud risk Should include period of fraud brainstorming where auditors consider all of the controls identified This is also a time to consider the personnel involved with the processes being audited

Prior Audits Are there any non-remediated items? Are there any solutions that are different from the audit recommendation? Were there any agree to disagree items? Are the previous tests insufficient for the current audit?

Planning: Identify the Culture Tone at the Top What message does senior level management send to employees in regards to ethical behavior? Fraud is NOT OKAY! Are resources being provided to employees telling them how they can identify fraud and help stop it?

Identifying Fraud Prevention Is there an affirmation process for upper management s compliance with code of conduct, fraud, etc.? Do policies deter fraud by detailing the consequences of committing fraud? Are there annual anti-fraud trainings? Are there authority limitations on employees and managers? Are there restrictions on management overrides? Are the appropriate internal controls in place (e.g., segregation of duties) to prevent fraud?

Pre-Work: Identifying Fraud Detection Techniques Are there anonymous opportunities for whistleblowers? Are there process controls to detect fraud, such as physical inventory counts, reconciliations, etc.? Are there technological measures (e.g., data analysis) to detect anomalies or trends that could indicate fraud? Can the internal audit function assist in detecting fraud?

Preventative Controls Deter Fraud Opportunity But at What Cost?