CPA Leadership Institute Webinar July 8, 2015 John J. Hall, CPA John@JohnHallSpeaker.com
RISK MANAGEMENT Improve performance by acknowledging and controlling risks Solutions to protect and conserve the organization's resources Solutions to maximize return on the organization's resources
RISK MANAGEMENT Prevention/Deterrence Prompt Detection Effective Response
Example Risk Universe 1. Financial 2. Operations 3. Strategic 4. Knowledge 5. Fraud
Primary Fraud Risk Categories 1. Misappropriation 2. Results Manipulation 3. Corruption 4. Cyber Risks 5. Management Override
Results Manipulation FINANCIAL RESULTS OTHER RESULTS
Examples: Results Reporting 1. Financial a) Revenue and income schemes b) Tax collection, remittance & reporting 2. Program results a) Grantees b) Poverty, education c) Number served 3. Operating and market statistics 4. Product or service safety, quality or use
Corruption and Shadow Deals
Deal Documents: Purchase Orders, Contracts, Engagement Letters, Loans, Account Agreements, Sales Agreements, Bids/Tenders, Other. Shadow Deal: Kickbacks, Gifts, Entertainment
Examples: Corruption & Shadow Deals 1. Bribery 2. Kickbacks 3. Payoffs 4. Excessive gifts / entertainment 5. Bid-rigging 6. Extortion / blackmail
Override The Two Most Difficult Categories of Fraud 1. Fraud by executives 2. Fraud for the organization
Risk of Management Override www.aicpa.org
What Holds Us Back 1. Uncertainty about how to start 2. Uncertainty about what is involved 3. Lost momentum 4. Inadequate leadership support 5. Flawed beliefs 6. Flawed perception about the cost / benefit of anti-fraud initiatives
OUR PURPOSE: Provide the Missing Structure
THERE ARE NO GUARANTEES About Preventing and Detecting Fraud But
CLIENTS CAN IMPROVE THEIR CHANCES Deterrence, Prevention Prompt Detection, and Efficient Handling
Importance of Context
Client Beliefs About Fraud Risks
Beliefs Drive Actions
Flawed Beliefs Drive Flawed Actions
Five Common Fraud Beliefs 1. We don't have much fraud 2. Our controls will prevent it 3. Managers review reports 4. Our people know what their responsibilities are 5. Most people would never commit wrongdoing or fraud
People Change
Honesty Scale Completely Honest Pressure Attitude Opportunity
The Fraud Triangle Pressure Attitude Opportunity
Campaign
Anti-Fraud Campaign 1. Deterrence and Prevention 2. Early Detection 3. Effective Handling ORGANIZATIONS MUST BE PREPARED AT ALL THREE LEVELS
Level 1: Deterrence and Prevention
Level 2: Early Detection
Level 3: Effective Handling
Effective Fraud Handling 1. Response mechanism 2. Investigation 3. Loss recovery 4. Control weaknesses 5. External authorities 6. Publicity 7. HR issues 8. Morale
Level 1: Deterrence and Prevention
Anti-Fraud Framework 1. Recruit the CEO 2. Fraud Exposure Analysis 3. Quantify and Track Losses 4. Anti-Fraud Internal Controls 5. Policy on Fraud Responsibilities 6. Fraud Skills Training 7. Look for Fraud Indicators 8. Fraud Response in Place
1. Recruit the CEO Nothing Meaningful Happens Without Visible, Vocal CEO Involvement
Visible and Vocal Leadership 1. The CEO must lead the charge 2. Appoint a trusted leader for the anti-fraud campaign and insist on results 3. Invest in being actively involved in employee awareness and training 4. Make people feel safe to report 5. Talk about it explicitly
Clarity Precision
Switch How to Change Things When Change is Hard Chip Heath Dan Heath
The Destination Must Be Clear Some is not a number; soon is not a time. Switch: How to Change Things When Change is Hard Chip Heath & Dan Heath
Explicit Communication No one understands anything until you tell them Beware the Curse of Knowledge
The Curse of Knowledge (Made to Stick, Chip and Dan Heath): When we know something, it becomes hard for us to imagine not knowing it. As a result, we become lousy communicators. The better we become at generating great ideas, new insights and novel solutions in our field of expertise, the more unnatural it becomes for us to communicate those ideas clearly.
Define Acceptable Behavior 1. Make sure managers know the rules for reporting financial and other results. 2. Employees, vendors, contractors and others need to know what's allowed and what isn't. 3. Make sure third parties know restrictions on gifts and entertainment and penalties for violations. 4. Consider making the Code of Conduct part of any agreements with third parties.
Leaders Set a Great Example 1. The phrase "tone at the top" has been used to focus on the statements, business practices and personal behavior of executives and other senior management members. 2. Remember, a leader includes anyone we look to for an indication of proper behavior. That includes everyone from factory floor supervisors right up to the Board. 3. Set a great example and counsel those who don't.
2. Fraud Exposure Analysis 1. Asks the question "What could go wrong?" 2. Create a robust list of fraud risks. 3. Use this list to provide training. 4. Develop prevention and early detection procedures for each risk identified. 5. Publicize the effort and the results. 6. Create awareness in honest employees, and fear in those tempted to commit wrongdoing.
Exposure Assessment Myths 1. Once and done covers it 2. One group can do this alone 3. Cost isn't justified 4. We know our risks 5. It's not my job Say: Managers are responsible for knowing the exposures to fraud in their areas, and for promptly detecting and reporting suspected wrongdoing.
ISSUE Brainstorming Fraud Risks: Thinking Like A Thief
Fraud Risk Assessment: Key Elements 1. How could someone exploit weaknesses in the system of controls? 2. How could someone override or circumvent controls? 3. What could someone do to conceal the fraud?
Managing the Business Risk of Fraud: A Practical Guide
Brainstorming Team 1. Finance and accounting 2. Business unit and operations 3. Risk management 4. Legal and compliance 5. Internal Audit and Inspector General 6. External consultants with fraud expertise Chief Risk Officer
3. Quantify and Track Losses 1. Very few organizations have taken the time to develop a complete list of their existing loss areas. 2. Begin by listing areas where losses have occurred in the past. Research these areas, and assign ranges of probable current loss levels. 3. Use that scorecard to track improvements over time.
Fraud Loss Scorecard
                                HIGH     LOW
1  Disbursements                $ XXX    $ XXX
2  Inventory
3  Construction/Facilities
4  Health Care Costs
5  Payroll
6  T&M contracts
7  T&E reimbursement
8  Other Unique to You
   TOTAL                        $ XXX    $ XXX
4. Anti-Fraud Internal Controls 1. Fraud exposures are identified. 2. Specific control procedures and behaviors are developed, implemented and maintained to both prevent these events from happening and to detect them should they occur. 3. Controls include emphasis on both hard control procedures and soft control behaviors.
Internal Controls 2015 Lots of Fuss Misdirected Action
Effective Internal Controls Environment Behaviors
Controls Environment 1. Leadership words and deeds 2. Culture of quality 3. Policies, procedures and systems 4. Transaction initiation, review and approval 5. Effective screening (and re-screening) 6. Finance and accounting knowledge 7. Exposure assessment 8. Limited access Enterprise level Functional level Transaction level
Control Procedures Alone Do Not Prevent Fraud
Controls Behaviors 1. Competence, integrity, interest 2. Daily prevention-based behaviors 3. Pause at the moment of approval 4. HDIK? is the norm 5. Culture of Doubting 6. Daily detection-based behaviors 7. Real oversight and analysis 8. Coaching
[Chart: HUMAN BEHAVIOR (SOFT CONTROLS) on one axis and ENVIRONMENT (HARD CONTROLS) on the other, each running from LOW to BETTER!, with quadrants I, II, III and IV]
Ten Reasons Controls Break Down
10 Reasons Controls Break Down 1. Blind trust 2. Willful blindness 3. Situational incompetence
Pam D.
10 Reasons Controls Break Down 1. Blind trust 2. Willful blindness 3. Situational incompetence 4. Not having the information they need to assure transactions are proper 5. Not questioning the strange, odd and curious
10 Reasons Controls Break Down 6. The process mentality 7. Not enough time to do the control procedures 8. Not enforcing documentation requirements 9. Acceptance of the situation 10. Intentional override
Creating and Maintaining Effective Controls is a Campaign Not an Event
5. Policy on Responsibilities 1. All organizations face the risk of fraud and everyone should know what their responsibilities are in this important area. 2. A Policy on Fraud Responsibilities is the perfect place to document these; say it. 3. Employees and managers will have a one-stop source explaining their role in deterrence, early detection, reporting, and effective incident response.
Policy on Fraud Responsibilities 1. Positive message 2. Manager and staff responsibilities 3. Exposure awareness 4. Procedures to prevent 5. Procedures to detect 6. What to do / what not to do 7. Emphasis on SUSPECTED acts 8. Annual certification
Sample Example Policy on Fraud Responsibilities

POLICY ON FRAUD RESPONSIBILITIES

Introduction

Like all organizations, ours is faced with risks from wrongdoing, misconduct, dishonesty and fraud. As with all business exposures, we must be prepared to manage these risks and their potential impact in a professional manner.

The impact of misconduct and dishonesty may include: the actual financial loss incurred; damage to the reputation of our organization and our employees; negative publicity; the cost of investigation; loss of employees; loss of customers; damaged relationships with our contractors and suppliers; litigation; damaged employee morale.

Our goal is to establish and maintain a business environment of fairness, ethics and honesty for our employees, our customers, our suppliers and anyone else with whom we have a relationship. To maintain such an environment requires the active assistance of every employee and manager every day.

Our organization is committed to the deterrence, detection and correction of misconduct and dishonesty. The discovery, reporting and documentation of such acts provides a sound foundation for the protection of innocent parties, the taking of disciplinary action against offenders up to and including dismissal where appropriate, the referral to law enforcement agencies when warranted by the facts, and the recovery of assets.

Purpose

The purpose of this document is to communicate company policy regarding the deterrence and investigation of suspected misconduct and dishonesty by employees and others, and to provide specific instructions regarding appropriate action in case of suspected violations.
Require Reporting? 1. Consider making reporting of suspected violations mandatory. 2. Periodic employee sign-off is a good way to track awareness. 3. Add a sign-off where employees acknowledge that they are not aware of violations by others.
Balance is Important 1. Not a police state mentality 2. Fear and distrust 3. Not gloom and doom 4. Just good management to state requirements
Make it Easy to Report 1. Make it as positive as possible 2. Fraud Hotline in place and trusted 3. Consider retaining a third-party service to administer your hotline 4. Tell your people exactly how the hotline works
When YOU See Something YOU Say Something
6. Fraud Skills Training 1. Don't expect team members to be able to handle fraud risks if they've never been shown how to do so. 2. Most employees have never been taught the skills needed to be effective. 3. Sponsor or conduct fraud awareness and skills training programs specifically addressing what employees need to know to prevent, detect and handle fraud.
Explicit Weakness When expectations and authority exceed skills
Question from Live Seminars Lack of specific anti-fraud skills is a major weakness in our organization. How can we efficiently and effectively teach everyone what they need to know?
Which of the four options below would make the most significant impact on helping your organization be more effective in fighting fraud, misconduct, and wrongdoing? A. Implementing a Fraud Policy B. Conducting an organization-wide Comprehensive Fraud Exposure Analysis, including the creation of a Fraud Risk Inventory C. Providing awareness, prevention and early Detection Skills Training for managers and staff D. Catching and Prosecuting Wrongdoers
Results: A. 14% B. 14% C. 62% D. 10%
Fraud Prevention Skills Training 1. Group live 2. Technology-based: Webinars, Video 3. Written 4. 1 on 1 coaching
Training 1. All new hires 2. All new supervisors 3. Board members 4. Periodic reminders for everyone 5. Monthly or quarterly articles 6. Include real cases and documents 7. Find a way to say what happened
Target Audience 1. Board Audit Committee: 15 to 30 minutes 2. Senior level executives: 30 to 90 minutes 3. Mid-level managers in accounting, finance, technology and operations: 2 to 4 hours 4. First level managers and supervisors: 2 to 4 hours 5. Mixed group: 1 to 4 hours, depending on desired topic coverage 6. Internal auditors: 1 to 2 days
Anti-Fraud Skills What fraud skills are needed: General knowledge of fraud risks; Why soft controls are as important as hard controls; What can happen in their areas; What it will look like when it happens; Suggestions on preventing; Suggestions on prompt detection when prevention fails
7. Look for Fraud Indicators 1. Most fraud leaves clues in the records or behavior. Know and look for these clues. 2. Look in management exception reports, in complaints, in shortages, in variances, in month end cost center reports.
Four Daily Behaviors 1. Look for fraud indicators 2. Use "How do I know?" 3. When in doubt, doubt 4. Resolve or refer suspicions
Use "How Do I Know?" 1. Verify important details. 2. Utilize a "show me how you..." rather than a "do you..." approach to verifying details. 3. Before signing off on journal entries, exceptions, disbursements, reconciliations and other documents, make sure people know that they're responsible for the results.
When in Doubt, Doubt 1. If something looks or feels wrong to you in your area of responsibility, it probably is. You are in the best position to know. 2. Choose to follow up to determine the cause of indicators and behaviors that concern you. 3. If you're not sure, check details. 4. If you're still not sure, get help! Refer suspicions to others for resolution.
ANTI-FRAUD EXPECTATIONS

The list below should give you suggestions of topics or themes to include in leading a discussion about fraud expectations with your staff or team. Don't just read off the list; instead, pick five or six items that most relate to your own beliefs and tailor comments to your unique environment and culture.

Be sure to:
1. Frame the discussion to the questions those listening to you will likely have.
2. Stress the importance of a balanced message: tie your request for help to the listeners' normal pride in their work.
3. Be explicit. Don't beat around the bush. Tell them what you expect and what you need them to do as a result.
4. Use a positive tone. Make it a call to arms that starts with, "I need your help to fight this problem."
5. Include examples of what could go wrong in your area, including what it would look like in reports, variances, complaints and other indicators of a problem.

It is expected that every manager and employee will:
1. Know the fraud related exposures in their areas of responsibility, for example ...
2. Know what it would look like if it happened. For example ...
3. Use best-faith efforts to minimize the chance of fraud on their watch. Examples include ...
4. Make sure the transactions they personally approve are not fraudulent.
5. Personally monitor for those frauds that only they are in a position to detect. For example ...
6. Question and challenge the unusual. Here's an example of what I mean ...
7. Set an example of honest and ethical behavior by personal example and by not tolerating dishonest or unethical behavior in others.
8. Strive to prevent fraud by minimizing the exposures and reducing the opportunities and temptation. For example ...
9. Immediately refer suspected wrongdoing to Internal Audit or Security for investigation. For example ...
8. Fraud Response in Place 1. Be ready to respond to fraud incidents before they surface. 2. Identify the skills and relationships that might be needed, and find them in advance. 3. Think through what message to deliver to employees, customers, the press and others. Craft the basics of that message now. 4. Know who will be authorized to investigate, handle requests for information, and coordinate with any outside parties.
Anti-Fraud Framework 1. Recruit the CEO 2. Fraud Exposure Analysis 3. Quantify and Track Losses 4. Anti-Fraud Internal Controls 5. Policy on Fraud Responsibilities 6. Fraud Skills Training 7. Look for Fraud Indicators 8. Fraud Response in Place
Switch How to Change Things When Change is Hard Chip Heath Dan Heath
Nudge Richard Thaler Cass Sunstein
Influence The Psychology of Persuasion Robert Cialdini
The Checklist Manifesto Atul Gawande
Questions, Comments, Feedback John J. Hall John@JohnHallSpeaker.com www.johnhallspeaker.com www.centersbi.com (970) 926 0355
Thank You www.johnhallspeaker.com