Fraud Risk Management Fraud Risk Management Overview 2017 Association of Certified Fraud Examiners, Inc.
Discussion Questions 1. Does your organization follow a specific risk management model? If so, which one? Do you think this model adequately addresses the risks your organization faces? Why or why not? 2017 Association of Certified Fraud Examiners, Inc. 2 of 27
Discussion Questions 2. What are some of the risks your organization faces? Where does the risk of fraud fit into your organization s risk hierarchy? 2017 Association of Certified Fraud Examiners, Inc. 3 of 27
Discussion Questions 3. Does your organization have a formal risk management function? If so, are anti-fraud initiatives integrated into the risk management initiatives? 2017 Association of Certified Fraud Examiners, Inc. 4 of 27
Discussion Questions 4. How does your organization categorize the risks that are identified in the risk management process? 2017 Association of Certified Fraud Examiners, Inc. 5 of 27
Learning Objectives Analyze the current state of the risk management landscape. Compare different risk management frameworks. Recognize what fraud risk is and the factors that influence it. Understand the reasons for effectively managing fraud risk. Determine who is responsible for managing fraud risk within an organization. 2017 Association of Certified Fraud Examiners, Inc. 6 of 27
Introduction to Risk Management Risk management involves: Identification of risks Prioritization of risks Treatment of risks Monitoring of risks 2017 Association of Certified Fraud Examiners, Inc. 7 of 27
Introduction to Risk Management Balances risk appetite with the ability to meet strategic, operational, reporting, and compliance objectives Requires a proactive, rather than reactive, approach 2017 Association of Certified Fraud Examiners, Inc. 8 of 27
2016 Report on Current State of Risk Management Initiatives Risk management initiatives appear relatively immature: 25% describe their risk management implementation as systematic, robust, and repeatable. 40% described their risk management processes as very immature or developing. 2017 Association of Certified Fraud Examiners, Inc. 9 of 27
2016 Report on Current State of Risk Management Initiatives 56% are minimally or not at all satisfied with the nature and extent of reporting of key risk indicators to senior executives. More than half do not have risk oversight activities formally assigned to a board subcommittee. Boards of directors are placing greater expectations on management to strengthen risk oversight. 2017 Association of Certified Fraud Examiners, Inc. 10 of 27
Risk Management Frameworks An entity s risk management program should be specifically tailored to its unique needs. However, the use of a framework can provide guidance and structure in developing the program. 2017 Association of Certified Fraud Examiners, Inc. 11 of 27
COSO Enterprise Risk Management Integrated Framework (2004) 1. Internal environment 2. Objective setting 3. Event identification 4. Risk assessment 5. Risk response 6. Control activities 7. Information and communication 8. Monitoring 2017 Association of Certified Fraud Examiners, Inc. 12 of 27
COSO Enterprise Risk Management Integrated Framework (2004) 2017 Association of Certified Fraud Examiners, Inc. 13 of 27
COSO Enterprise Risk Management: 2016 Draft Revision Five interrelated components: 1. Risk governance and culture 2. Risk, strategy, and objective-setting 3. Risk in execution 4. Risk information, communication, and reporting 5. Monitoring enterprise risk management performance 2017 Association of Certified Fraud Examiners, Inc. 14 of 27
ISO 31000 Lays out 11 principles of effective risk management Provides guidance on developing both a framework and a process for managing risk that is based on those principles 2017 Association of Certified Fraud Examiners, Inc. 15 of 27
ISO 31000:2009 Risk Management Principles Creates value Integral part of organizational processes Part of decision making Explicitly addresses uncertainty Systematic, structured, and timely Based on the best available information Tailored Takes human and cultural factors into account Transparent and inclusive Dynamic, iterative, and responsive to change Facilitates continual improvement and enhancement 2017 Association of Certified Fraud Examiners, Inc. 16 of 27
ISO 31000:2009 (Source: ISO 31000:2009, Risk Management Principles and Guidelines ) 2017 Association of Certified Fraud Examiners, Inc. 17 of 27
Choosing a Risk Management Framework Might start with COSO or ISO framework as is But should customize to the organization and its needs based on: Organizational structure Nature of operations Environment(s) Size Nature of risks 2017 Association of Certified Fraud Examiners, Inc. 18 of 27
Fraud Risk Management Guide 2016 Published by COSO in collaboration with ACFE Five principles of FRM One aligned with each of the five components of internal control Supported by individual points of focus for each principle Not formally linked to COSO ERM 2016D, but several obvious connections 2017 Association of Certified Fraud Examiners, Inc. 19 of 27
IC FRM ERM IC 2013 Component FRM 2016 Principle ERM 2016D Component Control environment The organization establishes and communicates a Fraud Risk Management program that demonstrates the expectations of the board of directors and senior management and their commitment to high integrity and ethical values regarding managing fraud risk. Risk governance and culture Risk assessment The organization performs comprehensive fraud risk assessments to identify specific fraud schemes and risks, assess their likelihood and significance, evaluate existing fraud control activities, and implement actions to mitigate residual fraud risks. Risk, strategy and objective-setting 2017 Association of Certified Fraud Examiners, Inc. 20 of 27
IC FRM ERM IC 2013 Component FRM 2016 Principle ERM 2016D Component Control activities The organization selects, develops, and deploys preventive and detective fraud control activities to mitigate the risk of fraud events occurring or not being detected in a timely manner. Risk in execution Information & communication The organization establishes a communication process to obtain information about potential fraud and deploys a coordinate approach to investigation and corrective action to address fraud appropriately and in a timely manner. Risk information, communication & reporting 2017 Association of Certified Fraud Examiners, Inc. 21 of 27
IC FRM ERM IC 2013 Component FRM 2016 Principle ERM 2016D Component Monitoring activities The organization selects, develops, and performs ongoing evaluations to ascertain whether each of the five principles of fraud risk management is present and functioning and communicates Fraud Risk Management Program deficiencies in a timely manner to parties responsible for taking corrective action, including senior management and the board of directors. Monitoring risk management performance 2017 Association of Certified Fraud Examiners, Inc. 22 of 27
IC FRM ISO 31000 IC 2013 Component FRM 2016 Principle ISO 31000 Framework ISO 31000 Process Control environment The organization establishes and communicates a Fraud Risk Management program that demonstrates the expectations of the board of directors and senior management and their commitment to high integrity and ethical values regarding managing fraud risk. Mandate and commitment (4.2) Design of framework for managing risk (4.3) Establish the context (5.3) Risk assessment The organization performs comprehensive fraud risk assessments to identify specific fraud schemes and risks, assess their likelihood and significance, evaluate existing fraud control activities, and implement actions to mitigate residual fraud risks. Design of framework for managing risk (4.3) Implementing risk management (4.4) Risk Assessment (5.4): Identification Analysis Evaluation 2017 Association of Certified Fraud Examiners, Inc. 23 of 27
IC FRM ISO 31000 IC 2013 Component FRM 2016 Principle ISO 31000 Framework ISO 31000 Process Control activities The organization selects, develops, and deploys preventive and detective fraud controls activities to mitigate the risk of fraud events occurring or not being detected in a timely manner. Implementing risk management (4.4) Risk Treatment (5.5) Information and communication The organization establishes a communication process to obtain information about potential fraud and deploys a coordinate approach to investigation and corrective action to address fraud appropriately and in a timely manner. Implementing risk management (4.4) Monitoring and review of the framework (4.5) Communication and Consultation Throughout the Process (5.2) 2017 Association of Certified Fraud Examiners, Inc. 24 of 27
IC FRM ISO 31000 IC 2013 Component FRM 2016 Principle ISO 31000 Framework ISO 31000 Process Monitoring activities The organization selects, develops, and performs ongoing evaluations to ascertain whether each of the five principles of fraud risk management is present and functioning and communicates Fraud Risk Management Program deficiencies in a timely manner to parties responsible for taking corrective action, including senior management and the board of directors. Monitoring and review of the framework (4.5) Continual improvement of the framework (4.6) Monitoring and Review of Controls, Risks, etc. (5.6) 2017 Association of Certified Fraud Examiners, Inc. 25 of 27
IC ISO 31000 2017 Association of Certified Fraud Examiners, Inc. 26 of 27
The Fraud Risk Management Process Establish a fraud risk management policy as part of organizational governance. Monitor the fraud risk management process, report results, and improve the process. Perform a comprehensive fraud risk assessment. Establish a fraud reporting process and coordinated approach to investigation and corrective action. Select, develop, and deploy preventive and detective fraud control activities. 2017 Association of Certified Fraud Examiners, Inc. 27 of 27
What Is Fraud Risk? The vulnerability that an organization has to those capable of overcoming the three elements of the fraud triangle Comes from both internal and external sources Differs from other risks because fraud, by definition, entails intentional misconduct designed to evade detection 2017 Association of Certified Fraud Examiners, Inc. 28 of 27
Types of Fraud Risk Inherent risk risk present before management takes action Residual risk risk that remains after management takes action 2017 Association of Certified Fraud Examiners, Inc. 29 of 27
Factors Influencing Fraud Risk The nature of the business Economic conditions The operating environment The ethics and values of the company and its people Technology The legal environment The effectiveness of internal controls 2017 Association of Certified Fraud Examiners, Inc. 30 of 27
Who Is Responsible for Managing Fraud Risk? Team responsible for executing, monitoring, and ensuring success: Executive management Internal audit Audit committee Investigations group Compliance Controller s group IT Security Legal department Human resources 2017 Association of Certified Fraud Examiners, Inc. 31 of 27
Who Is Responsible for Managing Fraud Risk? The team should have a designated leader. Synergy and communication are keys. 2017 Association of Certified Fraud Examiners, Inc. 32 of 27