Auditing for Fraud Planning & Approaches
Today's Agenda
- Introductions
- What is Fraud?
- Today's Fraud: Internal Audit, IT and Fraud
- Managing Fraud as an Organization: How Technology Changed the Game
Introductions
Clark Schaefer Consulting
- Regional consultancy headquartered in Cincinnati, Ohio
- Clients range from Fortune 100 to large private companies
- Specializing in project work centered around three core competencies:
  - Accounting & Finance
  - Control/Risk (i.e. Internal Audit/IT Audit)
  - Technology (i.e. Systems Changes/IT Security)
Introductions
Sarah Ackerman, CISSP, CISA
- Technology practice leader
- Responsible for overall engagement quality of services provided to clients
- Areas of expertise include information security, risk management, IT audit, and other technology and risk/control services, with in-depth knowledge of a variety of standards, frameworks, and regulations
Introductions
Rich Thompson, CPA, CIA
- Senior Consultant
- Specializes in Audit, Risk Assessment, and Accounting
- Internal Audit experience in Healthcare, Retail, & Government
Sara O'Banion
- Consultant
- Specializes in IT, Fraud and Audit
- Works with clients to improve processes, analyze data and develop effective solutions.
Today's Agenda: What is Fraud?
What do you think of when you think of fraud?
Why Does Fraud Occur?
The Fraud Triangle (diagram): Opportunity, Pressure, Rationalization
Source: 2015 American Institute of CPAs, "Why Employees Commit Fraud". All Rights Reserved.
Understand Fraud on Two Levels
Definition: fraud, noun \ˈfrȯd\
- the crime of using dishonest methods to take something valuable from another person
- deliberate deception to secure unfair or unlawful gain
- a copy of something that is meant to look like the real thing in order to trick people
Reality: limited only by your imagination
- How would you hide it?
- How would you move it?
Opportunity
The element that companies have the most control over:
- Improper segregation of duties
- Lack of/weak internal controls
- Too much trust
- Poor tone at the top
- Flexible, uncontrolled management override
How has IT changed this theory?
- Ability to create fraudulent documents
- Potential for exposure (e.g., hacking, phishing, viruses)
- Data mining
Copyright 2015, Association of Government Accountants
Pressure
Internal:
- Meeting shareholder expectations
- Too much work
- Consequences of poor performance
External:
- Personal financial problems
- Lifestyle needs
- Illicit activities
Rationalization
- Hostility toward employer
- Unfair wages
- Following along with everyone else
- Intending to pay it back
- Belief that the company won't miss the money
Impact of Fraud
[Bar chart: Global Fraud, $3.7 trillion, shown against five other bars of $0.49, $0.38, $0.20, $0.19 and $0.18 trillion on an "Annual Revenue (Trillions)" axis from 0 to 4; the labels of the comparison bars are not recoverable.]
Sources: 2012 Certified Fraud Examiners Inc., Report to the Nations; 2015 Time Inc., All rights reserved.
Traditional Ways to Identify Fraud
Data analysis:
- Complex and occasionally time-consuming investigations
Data collection:
- Large samples/clusters of data that, if misread, could give a false negative or a false positive
How can internal audit work to minimize risk? How can you fix it?
Non-Traditional Ways to Identify Fraud
Data analysis:
- Automation: data analysis software allows management to identify and respond quickly to red flags, reducing the risk of fraud escalation.
Data collection:
- Cloud technology and advanced computing tools: effective automation of data collection, improved data quality, and a reduction in the time required for data validation.
Non-Traditional Ways to Identify Fraud with IT
Let data mining work FOR you:
- Link analysis
- Data visualization
- Predictive modeling
Fraud Tree
- Corruption: dishonest or illegal behavior, especially by powerful people; the misuse of entrusted power for personal gain.
- Asset Misappropriation: theft or embezzlement of company assets.
- Financial Statement Fraud: deliberate misrepresentation, misstatement or omission of financial statement data.
Median Loss Per Case
Scheme type                  Percent of cases   Median loss
Asset Misappropriation       85.4%              $130,000
Corruption                   32.8%              $250,000
Financial Statement Fraud    4.8%               $4,100,000
What Do Fraudsters Look Like?
Perpetrators of Fraud
- 87% first-time offenders with clean employment histories
- 84% never punished or terminated for fraud
Position
The majority of occupational frauds were committed by staff at the employee or managerial level:
- Employee: 42%
- Manager: 36%
- Owner/Executive: 19%
Median Loss by Position
The higher the perpetrator's level of authority, the greater the losses tend to be.
- Employee: $75,000
- Manager: $130,000
- Owner/Executive: $500,000
Department
- Accounting: 17%
- Operations: 15%
- Sales: 13%
- Executives/Upper Management: 12%
- Customer Service: 8%
- Purchasing: 7%
- Finance: 5%
* 77% of frauds originated in one of these departments
- All Other Depts.: 23%
FRAUD IS NOT LIMITED TO ANY ONE DEPARTMENT
Fraud Indicators: A Few to Consider
General:
- Too good to be true? It is.
- Lack of transparency
- Lack of oversight
Personal:
- Financial difficulties, borrowing money from fellow employees
- Someone with extraordinary investment losses or medical expenses
- Changes in a staff member's lifestyle or behavior
- Overly defensive or argumentative
- Failure to accept a promotion or transfer
Organization:
- Management regularly overriding internal controls
- High personnel turnover
- Inventory shortages
- Unrealistic performance expectations
Today's Fraud: Internal Audit, IT and Fraud
Reasons Why Audits Don't Catch Fraud
Detecting fraud is HARD!
- Lack of skill and experience
- Improper planning
- Inappropriate design of audit program, sample selection, or target assertions
- Inability to gather sufficient, appropriate audit evidence
- Failure to exercise professional skepticism
Traditional Training
- Day-to-day coaching
- Intercompany training: new hire training process, training individuals as they obtain more responsibility, etc.
- IIA/ACFE auditing courses
- Seminars/conferences
- Certifications: CIA, CFE, CISA
- Continuing education
Non-Traditional Training
- Advanced interviewing techniques
- Forensic accounting
- Trend analysis
Standard Audit Steps (cycle diagram)
- Audit Plan
- Risk Assessment
- Pre-work
- Narrative / Interviews
- Process Flows & Walkthroughs
- Test
- Fieldwork Review
- Reporting
- Follow-Up
Fraud Planning: High Level
Annual audit plan:
- How much of IA's budget is dedicated to canned audits?
- How much is spent on management-mandated activities (e.g., MAR, 10-Q assistance)?
- How much time is set aside for consultative and ad-hoc activities?
- How are you incorporating your IT audits? Together as part of the team, or separate?
Fraud Planning: High Level (cont.)
Enterprise-wide risk assessment:
- What risks are associated with the company's overarching goals?
- What are the positive and negative outcomes of meeting/failing to meet those goals?
- What message does upper management send about meeting goals ("tone at the top")?
Enterprise-Wide Risk Assessment
Incentives:
- Attached to performance goals, used as a motivational tool
- Increase the risk that an employee will act fraudulently in order to obtain them, especially if the consequences of not meeting goals are severe enough
Risk Assessment
- Assess the likelihood and significance of inherent and residual fraud risk
- Should include a period of fraud brainstorming where auditors consider all of the controls identified
- This is also a time to consider the personnel involved with the processes being audited
Prior Audits
- Are there any non-remediated items?
- Are there any solutions that are different from the audit recommendation?
- Were there any "agree to disagree" items?
- Are the previous tests insufficient for the current audit?
Planning: Identify the Culture
Tone at the Top:
- What message does senior-level management send to employees in regards to ethical behavior? Fraud is NOT OKAY!
- Are resources being provided to employees telling them how they can identify fraud and help stop it?
Identifying Fraud Prevention
- Is there an affirmation process for upper management's compliance with code of conduct, fraud, etc.?
- Do policies deter fraud by detailing the consequences of committing fraud?
- Are there annual anti-fraud trainings?
- Are there authority limitations on employees and managers?
- Are there restrictions on management overrides?
- Are the appropriate internal controls in place (e.g., segregation of duties) to prevent fraud?
Pre-Work: Identifying Fraud Detection Techniques
- Are there anonymous opportunities for whistleblowers?
- Are there process controls to detect fraud, such as physical inventory counts, reconciliations, etc.?
- Are there technological measures (e.g., data analysis) to detect anomalies or trends that could indicate fraud?
- Can the internal audit function assist in detecting fraud?
Preventative Controls Deter Fraud Opportunity. But at What Cost?
Process Flows and Walkthroughs
- Obtain process flow charts in order to identify potential control weaknesses, lack of segregation of duties, etc.
- Perform walkthroughs to examine whether the processes are being performed as designed, and that the controls listed exist and are effective
Audit Risk Assessment
For repeated audits:
- Are previous tests adequate?
- Can a redesign give you greater assurance?
For new audits:
- Are the controls well thought out?
- Are the controls too cumbersome?
Don't hesitate to actually...
Think Like A Thief!!!
Test Planning & Design
Design your audit to have the strongest level of testing available, taking into consideration budget and scope.
[Diagram: test types ranked by reliability level, with cost ($) rising alongside reliability, from highest to lowest:]
- Reperformance
- Examination
- Confirmation
- Analytical Procedures
- Observation
- Interview / Inquiry
Supervision
- Set clear expectations
- Discuss the nature, timing, and extent of audit procedures
- Ensure procedures are performed efficiently and effectively
- Review documentation to make sure it sufficiently details tests performed
- Don't be afraid to discuss fraud!
Fieldwork Review
- What is the overall risk of the process being audited?
- Are there any other conclusions that can be drawn from the completed testing?
- Was testing designed to uncover red flags?
- Do any tests need to be re-performed or redesigned?
- Has the audit team fully thought through the implications of any unexpected items?
Substantive Testing
If no exceptions were found the first time, was the sample accurate for the:
- Period tested
- Specific transaction amounts
- Round dollar amounts
- Common amounts
- Specific vendors
- High number of transactions
- High number of disputes
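As an added example (not part of the presentation), the sample criteria above, together with the data-analysis automation described on the non-traditional identification slides, expressed as a red-flag screen over a transaction population in Python; the ledger, field names, vendor names and thresholds are constructed assumptions for illustration.

```python
# Red-flag screen for substantive testing over a transaction population.
# Added example, not from the presentation: applies the "Substantive Testing"
# sample criteria (period tested, round dollar amounts, common amounts, specific
# vendors, high transaction and dispute counts) to a constructed ledger.
from collections import Counter, defaultdict
from datetime import date

# Constructed sample ledger (not real data); field names are assumptions.
LEDGER = [
    {"id": 1, "date": date(2015, 1, 12), "vendor": "Acme Supply", "amount": 1200.00, "disputed": False},
    {"id": 2, "date": date(2015, 2, 3), "vendor": "Acme Supply", "amount": 1200.00, "disputed": False},
    {"id": 3, "date": date(2015, 2, 17), "vendor": "Acme Supply", "amount": 1200.00, "disputed": True},
    {"id": 4, "date": date(2015, 3, 1), "vendor": "Acme Supply", "amount": 980.40, "disputed": True},
    {"id": 5, "date": date(2015, 3, 9), "vendor": "Beta Freight", "amount": 412.37, "disputed": False},
    {"id": 6, "date": date(2015, 4, 21), "vendor": "Gamma Print", "amount": 5000.00, "disputed": False},
    {"id": 7, "date": date(2014, 11, 5), "vendor": "Gamma Print", "amount": 3000.00, "disputed": False},
]
DEFAULT_PERIOD = (date(2015, 1, 1), date(2015, 6, 30))  # assumed period tested

def is_round_dollar(amount, step=100):
    """True when the amount is a whole multiple of `step` dollars (e.g. 1,200.00)."""
    return round(amount * 100) % (step * 100) == 0

def screen(ledger, start, end, common_min=2, count_min=3, dispute_min=2):
    """Return {tx_id: [flags]} for in-period transactions hitting any criterion.
    common_min: recurrences of one amount that make it a 'common amount';
    count_min / dispute_min: per-vendor transaction / dispute counts that flag a vendor."""
    population = [tx for tx in ledger if start <= tx["date"] <= end]  # period tested
    amount_freq = Counter(tx["amount"] for tx in population)
    by_vendor = defaultdict(list)  # groups the population by specific vendor
    for tx in population:
        by_vendor[tx["vendor"]].append(tx)
    flags = defaultdict(list)
    for tx in population:
        vendor_txs = by_vendor[tx["vendor"]]
        if is_round_dollar(tx["amount"]):
            flags[tx["id"]].append("round_dollar")
        if amount_freq[tx["amount"]] >= common_min:
            flags[tx["id"]].append("common_amount")
        if len(vendor_txs) >= count_min:
            flags[tx["id"]].append("high_tx_count_vendor")
        if sum(t["disputed"] for t in vendor_txs) >= dispute_min:
            flags[tx["id"]].append("high_dispute_vendor")
    return dict(flags)

def screen_default():
    """Run the screen over the constructed ledger for the default period."""
    return screen(LEDGER, *DEFAULT_PERIOD)
```

Flagged transactions are candidates for the sample, not findings; the out-of-period transaction 7 is excluded and the unremarkable transaction 5 carries no flag.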
Potential Findings Meetings
Tone at the Top: While no manager or process owner is going to be happy about a potential finding being brought to them, their response and the way that they address the matter can be an indicator of fraud or other problems.
Follow Up
- Avoid the temptation to skip this step
- Look for remediation that has not been completed
- Thoroughly assess all alternative remediation plans
Key Outcomes
- Either assurance gained or improvements made to existing audit process
- Fraud detected
- Additional process improvement recommendations
- Improved internal controls
- Possible recovery of stolen funds
Final Opportunities
- Fraud investigation post-mortem: lessons learned
- Need for a peer review?
- Opportunity for continuous monitoring or process automation?
The NEW Fraud Challenge: Managing fraud as an organization and how technology changed the game
End User Risk
- Company information is now accessed by and saved to non-company devices
- Company information is now accessed anywhere at any time, on personal devices with software that is not owned or approved by the organization
Project Risk
- Subsidiary systems may not be equipped to handle the larger volume of the parent company
- Aggressive deadlines could result in short-cutting the systems development and/or change management process
- Systems may not be properly secured
Possible Fraud Testing
- NDA Compliance
- Change Management
- Vendor Selection
- Device Registration
- Device Monitoring
- Intrusion Detection
- Project Management
- Access Controls
- Access Monitoring
Creating a culture to prevent fraud
- Governance: create ever-evolving procedures
- Risk Assessment: identify major new initiatives and assess impact on the organization
- Prevention & Detection: actively work to acquire/create systems to minimize risk
- Investigate & Resolve: for identified instances of fraud, review and adjust the process as required
Creating a culture to prevent fraud (cont.)
Governance
- Develop a fraud risk program with written policies to set clear expectations
- Roles and responsibilities documented for all areas of the organization, including:
  - Board of Directors
  - Audit Committee
  - Management
  - Staff
- Documentation should include escalation and investigation procedures to cover what to do if fraud is identified
- Consider the changing face of IT:
  - Last year's program may not work this year
  - Update controls continuously to ensure they are current
Creating a culture to prevent fraud (cont.)
Risk Assessment
- Risks to the organization should be periodically assessed to identify areas to focus mitigation
- Fraud risk assessments should include three key elements:
  - Identify inherent risk
  - Assess impact and likelihood
  - Address significant risks
Creating a culture to prevent fraud (cont.)
Prevention & Detection
- Preventative controls should be established to prevent (or at least minimize) key risks identified during the risk assessment.
- Examples of controls:
  - HR procedures (hiring, terminations, etc.)
  - Anti-fraud training
  - Authority limits
  - Transaction-level procedures
KEY IS DOCUMENTATION
Creating a culture to prevent fraud (cont.)
Prevention & Detection
- In addition, controls should be established to detect fraud when preventative controls fail.
- Examples of controls:
  - Whistleblower hotlines
  - Process controls
  - Proactive procedures (continuous auditing)
AGAIN: KEY IS DOCUMENTATION
Creating a culture to prevent fraud (cont.)
Investigate & Resolve
- Reporting should be established with a formal investigation process.
- For each fraud item communicated, procedures need to be established to:
  - Receive the allegation
  - Evaluate the allegation
  - Escalate the allegation
- All items should be investigated and resolved using a standardized process in a timely manner.
Key Takeaway: INTERNAL AUDIT SHOULD BE A PARTNER, NOT THE POLICE
Questions?
For More Information
If you wish to discuss any aspects of this presentation in more detail, please feel free to contact us:
Clark Schaefer Consulting, LLC.
120 East 4th Street, Suite 1100
Cincinnati, Ohio 45202
www.clarkschaefer.com
Or send an e-mail directly to Sarah at: sackerman@clarkschaefer.com
Building Your Toolkit Series: Managing Risk While Improving Your Operations
Date: Wednesday December 2, 2015
Time: 8:00 AM to 12:30 PM
Location: Radisson Cincinnati Riverfront, West Fifth Street, Covington, KY 41011
Cost: $99 per person; includes breakfast and lunch
To register: https://building Your Toolkit Series: Managing Risk While Improving Your Operations/register
CPE: Earn up to 4 CPE credits
For any questions regarding this event or how to register please contact: DeAnna Bird, dbird@clarkschaefer.com, (513) 768-7100
Building Your Toolkit Series: Managing Risk While Improving Your Operations
Risk and Governance:
- Maximizing Your Enterprise and IT Risk Assessment Process
- Internal Audit: How to Prioritize and Get the Biggest Bang for Your Buck
- Understanding and Addressing Your Cyber Risk
Accounting:
- Checking the Pulse of Your Accounting Function
- Improving Your Financial Reporting Process: An Exercise in Process Improvements
- Building Your Accounting Tools for Fraud Prevention/Detection
IT and Security:
- Protecting Your Intellectual Property
- Building an Effective Security Awareness Program
- Essential Building Blocks: Data Classification and Management
Round Table Lunch: Can't We Just All Get Along? Creating A Workplace For Boomers, Millennials and Everyone In Between