Knowledge Alert. Emerging Trends in Fraud Risks


The Institute of Internal Auditors, January 2010

Disclaimer

Copyright 2010 by The Institute of Internal Auditors (IIA) located at 247 Maitland Avenue, Altamonte Springs, FL 32701, U.S.A. All rights reserved. Published in the United States of America. Except for the purposes intended by this publication, readers of this document may not reproduce, redistribute, display, rent, lend, resell, commercially exploit, or adapt the statistical and other data contained herein without the permission of The IIA. The information included in this document is general in nature and is not intended to address any particular individual, internal audit activity, or organization. The objective of this document is to share tools, resources, information, and/or other knowledge that is accurate, unbiased, and timely. However, based on the date of issuance and changing environments, no individual, internal audit activity, or organization should act on the information provided in this document without appropriate consultation or examination.

Table of Contents

Executive Summary
Leading Internal Audit Practices Pertaining to Fraud Management
Fraudulent Activities Have Been on the Rise Since 2008
Employee-related Fraud Has Had a Major Impact in Organizations
Assurance and Consulting Activities Are a Source of Added Value
Fraud Risk Management Programs Are Becoming a Higher Priority
Leading Practices
Appendix A: List of 20 Questions
Appendix B: List of Key Fraud Management Oversight Functions

Executive Summary

Fraud negatively impacts organizations in ways that extend far beyond financial losses. According to the latest IIA Practice Guide, Internal Auditing and Fraud, the full cost of fraud is immeasurable in terms of time, productivity, and reputation. Consequently, it is important for organizations to have a strong fraud program that includes awareness, prevention, and detection activities, as well as a fraud risk assessment process to identify fraud risks within the organization. [1]

To identify emerging trends in fraud risks, The IIA distributed a survey asking members to describe the state of internal audit efforts pertaining to fraud risk and their opinions on current and emerging fraud trends. [2] As expected, the survey found that the majority of respondents (76 percent) work in organizations where there is a program designed to manage fraud risks. These programs are either formal (34 percent) or informal (42 percent). The top three components included in the program are policies addressing the reporting of suspected frauds, procedures for reporting suspected frauds, and processes designed to detect fraud (refer to Table 1 for a summary of all responses). Additionally, 61 percent of respondents stated that the fraud management programs are integrated with another program, including ethics and compliance, risk management, and governance.

Snapshot of Survey Results

This Knowledge Alert discusses the following four key results, as revealed by a recent flash survey of 293 CAEs and internal audit directors and managers working in different industry groups:
1. There has been a significant increase of fraud occurrences since the onset of the economic crisis in 2008.
2. Employee-related fraud has had a major impact in organizations. While theft of company property and resources was the most common fraud noted, employee-related frauds and fraud related to third parties and vendors were significant. In addition, theft of company information and data may be an area of growing exposure.
3. Internal auditing can add value to the organization's fraud risk management efforts through its assurance and consulting activities.
4. Programs in companies to manage fraud risks are becoming a higher priority.

[1] Internal Auditing and Fraud (December 2009), pg. 2
[2] Emerging Trends in Fraud Risk (December 2009); a total of 3,776 IIA members were invited to participate in the survey, of which 293 chief audit executives (CAEs) and internal audit directors and managers responded, representing an 8 percent response rate. Of these respondents, the majority work in organizations with annual revenues of US $500 million or more (64 percent) and internal audit activities consisting of 3 to 6 internal auditors (40 percent). The top industries represented in the survey are financial services/banking/real estate (51 percent), manufacturing (12 percent), and health services (9 percent).

Table 1. Fraud Management Program Elements

Percentage  Program Element
89%         Policies addressing the reporting of suspected frauds
87%         Procedures for reporting suspected frauds
66%         Procedures designed to detect fraud
63%         Corporate or board-level policies designed to prevent fraud
62%         Business unit procedures designed to prevent fraud
58%         Policies addressing responsibilities for fraud investigations
53%         Procedures to be followed in fraud investigations
34%         Procedures on conducting fraud risk assessments
33%         Policies requiring a periodic fraud risk assessment
27%         Policies outlining fraud detection activities

The survey also highlighted four key findings that describe the overall state of fraud risk activities and emerging trends in the area:
1. There has been a significant increase of fraud occurrences since the onset of the economic crisis in 2008.
2. Employee-related fraud has had a major impact in organizations. While theft of company property and resources was the most common fraud noted, embezzlement and expense-account fraud, when combined, point to an even greater prevalence of employee-related fraud. In addition, fraud related to third parties and vendors as well as theft of company information and data may be areas of growing exposure.
3. Internal auditing can add value to the organization's fraud risk management efforts through its assurance and consulting activities.
4. Programs in companies to manage fraud risks are becoming a higher priority. In particular, these programs are receiving more attention and starting to become more effective.

Leading Internal Audit Practices Pertaining to Fraud Management

An effective internal audit activity can help organizations address fraud. Although management and the board are ultimately responsible for fraud deterrence, internal auditors can assist management by determining whether the organization has adequate internal controls and fosters an adequate control environment. [3] Leading practices identified in the survey pertaining to the role of internal auditors in fraud management are:
- Increase fraud awareness, communication, and training throughout the organization.
- Review systems in place and their corresponding policies, procedures, and controls.
- Perform regularly scheduled audits that monitor key, high-risk areas.
- Review/audit specific financial activities.
- Implement a continuous audit process.
- Perform risk assessments and risk-based audits.
- Increase the level of coordination and cooperation with internal and external groups and other programs.
- Increase fraud awareness, communication, and training with executive, senior, and business line managers.
- Conduct or assist in fraud investigations.
- Perform data analysis and mining.

In addition, the survey unveiled eight leading practices organizations can implement to ensure the effectiveness of their fraud management program or effort:
1. Implement a well-publicized fraud management program that has a dedicated role for monitoring compliance with program policies and procedures and is commensurate with the organization's business model.
2. Ensure the effectiveness of established controls or control processes.
3. Encourage a strong tone at the top in support of the organization's fraud management program or effort.
4. Ensure internal audit plans encompass key fraud prevention activities.
5. Engage in effective activities pertaining to management, such as providing management training on internal control procedures, fostering ongoing communication among senior management, and sharing information to educate leadership regarding their role and responsibility to deter and detect fraud.
6. Implement a code of conduct or ethics program for all staff that is part of the organization's corporate governance structure.
7. Perform an annual fraud risk assessment and control self-assessment.
8. Implement or increase ERM efforts.

Similarly, to ensure the effectiveness of fraud prevention efforts, CAEs need to recommend the establishment of the following key fraud prevention elements, as described by survey respondents:
1. A strong control environment that includes a code of conduct, ethics policy, or fraud policy to set the appropriate tone at the top; an ethics and compliance hotline or program to report concerns; hiring and promotion guidelines and practices; and oversight by the audit committee, board, or other oversight body.
2. A risk assessment that considers fraud risk factors and fraud schemes.
3. Control activities (i.e., policies and procedures for business processes), including appropriate authority limits and segregation of duties.
4. Information and communication to promote the importance of the fraud management program and the organization's position on fraud risks.
5. Monitoring that provides a periodic evaluation of anti-fraud controls, using independent evaluations of the fraud management program by internal auditing or other groups and implementing technology to aid in continuous monitoring and detection activities.

The rest of this Knowledge Alert provides a more detailed explanation of these and other leading practices and survey findings.

[3] Internal Auditing and Fraud (December 2009), pg. 2

Fraudulent Activities Have Been on the Rise Since 2008

According to survey results, there has been a significant increase of fraud occurrences since the onset of the economic crisis in 2008. The prevalence of fraudulent activity has been quite significant as well. Of the nearly one-third of organizations where fraud has occurred (31 percent), 43 percent stated that fraud occurrences have increased from 1 percent to 10 percent, 28 percent indicated fraud has increased from 11 percent to 20 percent, and 14 percent stated fraud has increased from 21 percent to 30 percent. In terms of the types of fraud that have been on the rise, theft of company property and resources was chosen as the number one fraud, followed by embezzlement and expense-account fraud (Table 2 summarizes all responses).

However, although noteworthy, the number of fraudulent activities detected since the onset of the economic recession might be a lagging indicator of the prevalence of fraud, as many fraudulent schemes are discovered only after they take place. Consequently, it is possible that more fraudulent activities have taken place that will become visible at a later date. Several comments from survey participants support this view. According to one respondent, several fraudulent activities detected in 2009 had started to be perpetrated before the economic downturn took place.

Table 2. Type of Fraud Seen on the Rise Since 2008

Percentage  Type of Fraud
52%         Theft of company property and resources
38%         Embezzlement
37%         Expense-account fraud
33%         Third-party/vendor fraud
13%         Theft of company information and data
7%          Financial statement or accounting irregularities
4%          Foreign corrupt practices

Three Common Fraud Characteristics

According to new guidance provided by The IIA, the following are three common characteristics of fraud:
1) Pressure or incentive represents a need that an individual attempts to satisfy by committing fraud. Often, pressure comes from a significant financial need or problem, such as the need to keep one's job, earn a bonus, or meet or beat analyst financial estimates.
2) Opportunity is the ability to commit fraud and not be detected. Opportunity is created by weak internal controls, poor management, lack of board oversight, and through the use of one's position and authority to override controls. Failure to establish adequate procedures to detect fraudulent activity also increases the opportunities for fraud to occur.
3) Rationalization is the ability of a person to justify a fraud and is a crucial component in most frauds. Rationalization involves a person reconciling his/her behavior with the commonly accepted notions of decency and trust. The fraudster, for instance, may believe stealing is justified so he/she can pay for high medical bills.
Of the three elements, opportunity is the one organizations can influence the most. Therefore, organizations need procedures and internal controls that deter employees from committing fraud and detect fraudulent activities.
Source: Internal Auditing and Fraud (December 2009), The IIA, pg. 6

Employee-related Fraud Has Had a Major Impact in Organizations

In organizations where fraud has been on the rise since the onset of the economic recession, theft of company property and resources was identified as the most common type of fraud discovered (refer to Table 2). However, when analyzed closely, survey results unveil another finding: embezzlement and expense-account fraud, when combined, point to an even greater prevalence of employee-related fraud. This last finding makes sense, as the recession has affected countless employees at a personal financial level, often involving the complete loss of income from one or more household members. In addition, fraud related to third parties and vendors as well as theft of company information and data may be areas of growing exposure. The growing trend toward third-party fraud and data theft could be explained by the increase in outsourcing and offshoring activities as a way to reduce operational expenses during the last couple of years.

Typical Profile of a Fraudster

Most frauds begin small and continue to grow as the scheme remains undetected. Perpetrators also primarily exploit inadequate internal controls for their own gain, resulting in substantial damage to the organization. The typical fraudster is a middle-aged male, employed by the organization for a number of years. He often works in the finance department and typically commits the deed driven by a desire for money and opportunity. Many studies indicate that most frauds are committed by members of management, as managers generally have access to confidential information, thus enabling them to override internal controls. In addition, fraud perpetrators tend to be in positions of trust, educated, heads of households, and members of community organizations who are motivated by a personal need.
Source: Internal Auditing and Fraud (December 2009), The IIA, pg. 5

Respondents also were asked to identify if they have experienced a new type of fraud or scenario. Of the 38 responses provided in the open-ended question, 58 percent dealt with a financial fraudulent scheme, including:
- Inappropriate use of reward points on credit cards.
- Scams involving counterfeited check images, duplicated checks, or forged signatures.
- Customers using the company to apply for government-guaranteed loans under false pretences.
- Duplicate billings for services using separate work orders and invoice numbers.
- Wire transfer fraud and credit card fraud by accessing the merchant's processing network.
- Use of electronic signatures on documents provided to support travel and entertainment approvals.
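The duplicate-billing scheme in the list above (one service invoiced again under a fresh work order and invoice number) is the kind of pattern that the data analysis and mining, continuous audit, and automated detection routines the survey reports elsewhere in this alert (Tables 4 and 5) are meant to surface. The following Python routine is an added example and is not part of the IIA document or its survey; the accounts-payable records, vendor codes, invoice and work-order numbers, amounts, and the 30-day pairing window are all constructed for illustration. It normalises invoice numbers before comparing them, because resubmitting a bill with its number reformatted (INV-1001 vs INV1001) is the usual way a duplicate slips past an exact-match check in the payables system, and it pairs invoices from the same vendor for the same amount that carry different paperwork.

```python
"""Duplicate-billing detection over accounts-payable invoice records.

Added example: the sample ledger, vendor codes, invoice and work-order
numbers, amounts and the 30-day window are constructed for illustration
and are not drawn from the IIA survey.
"""
import re
from dataclasses import dataclass
from datetime import date
from itertools import combinations


@dataclass(frozen=True)
class Invoice:
    vendor: str         # vendor master record ID
    invoice_no: str     # invoice number as keyed in by AP staff
    work_order: str     # work order the invoice claims to bill against
    amount_cents: int   # integer cents so equality is exact (no float drift)
    invoice_date: date


def normalize_invoice_no(raw: str) -> str:
    """Fold case, drop punctuation and whitespace, and strip leading zeros
    from the numeric part, so 'INV-0042', 'inv 42' and 'INV42' compare equal."""
    core = re.sub(r"[^0-9a-z]", "", raw.lower())
    return re.sub(r"^([a-z]*)0+(?=\d)", r"\1", core)


def find_duplicate_billings(invoices, window_days: int = 30):
    """Return (earlier, later, reason) tuples for suspicious invoice pairs
    from the same vendor dated within window_days of each other.

    Two tests are applied to each pair:
      1. the invoice numbers are identical after normalisation
         (the same bill keyed or submitted twice), or
      2. the amounts are identical but the pair carries different invoice
         and work-order numbers (one service billed again under new paperwork).
    """
    findings = []
    ordered = sorted(invoices, key=lambda inv: inv.invoice_date)
    for earlier, later in combinations(ordered, 2):
        if earlier.vendor != later.vendor:
            continue
        if (later.invoice_date - earlier.invoice_date).days > window_days:
            continue
        same_number = (normalize_invoice_no(earlier.invoice_no)
                       == normalize_invoice_no(later.invoice_no))
        if same_number:
            findings.append((earlier, later,
                             "same invoice number after normalisation"))
        elif (earlier.amount_cents == later.amount_cents
              and earlier.work_order != later.work_order):
            findings.append((earlier, later,
                             "same vendor and amount under different "
                             "invoice and work-order numbers"))
    return findings


# Constructed sample ledger (not survey data). ACME-17 bills one 1,250.00
# service three times: once legitimately, once with the invoice number
# reformatted, and once under a brand-new invoice and work order. BRAVO-3
# bills the same amount twice but 87 days apart, outside the window.
SAMPLE_INVOICES = [
    Invoice("ACME-17", "INV-1001", "WO-551", 125_000, date(2009, 10, 2)),
    Invoice("ACME-17", "INV1001",  "WO-551", 125_000, date(2009, 10, 20)),
    Invoice("ACME-17", "INV-1042", "WO-563", 125_000, date(2009, 11, 3)),
    Invoice("ACME-17", "INV-1099", "WO-580",  47_500, date(2009, 11, 5)),
    Invoice("BRAVO-3", "B-778",    "WO-590",  47_500, date(2009, 11, 6)),
    Invoice("BRAVO-3", "B-779",    "WO-591",  47_500, date(2010, 2, 1)),
]


if __name__ == "__main__":
    for earlier, later, reason in find_duplicate_billings(SAMPLE_INVOICES):
        print(f"{earlier.vendor}: {earlier.invoice_no} ({earlier.invoice_date}) "
              f"vs {later.invoice_no} ({later.invoice_date}): {reason}")
```

On the constructed ledger the routine flags two pairs: the reformatted resubmission of INV-1001, and INV-1042 billed for the same amount under a new work order 14 days later; the BRAVO-3 pair falls outside the window and is not reported. The second test will also catch legitimate recurring fixed-fee invoices, so its output is a triage list to reconcile against goods-receipt or service-period records, not evidence on its own, and the window should be set to the vendor's billing cycle. Run it over the full invoice population rather than a sample, which is the point of the continuous audit practice the survey respondents describe.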

In spite of the rise in finance-related fraudulent activity, the largest group of organizations perform a fraud risk assessment as part of their public reporting on financial controls (42 percent). [4] The role of internal auditing in this process is mostly to manage the risk assessment process (42 percent). Other roles identified include acting as a consultant throughout the process (30 percent) or facilitating it (22 percent).

Finally, survey participants were asked to identify the top three risks that are most likely to impact organizations within the next 12 months. As Table 3 shows, employee-related frauds, theft of company property and resources, and fraud pertaining to third parties and vendors were the top three risks identified, matching the types of fraud already seen on the rise. Thus, organizations are expecting a continuation of the same kinds of fraudulent activities in 2010.

Table 3. Top 10 Fraud Risks That Are Most Likely to Impact Organizations Within the Next 12 Months

Responses  Description of Fraud Risk
119        Employee-related fraud or risks (e.g., expense account fraud, worker's compensation fraud, personal use of company mobile devices, employees not understanding their job responsibilities, overstatement of hours worked, new employee risks, abuse of employee discounts and other benefits, falsified time reporting, ghost employees, reduced/frozen salaries and bonuses)
106        Theft of company property and resources (e.g., custodial risks, property theft or poor property management, misuse or improper use of company resources/assets, misappropriation of assets, loss/theft of company property or resources)
63         Fraud or risks pertaining to third parties or vendors (e.g., bid rigging, competitor fraud, vendor curtailment, supplier failures, payments for services not rendered, medical providers committing fraud, managing vendors/contractors, contract compliance, overpaying contractors, fraudulent billings, fake vendors, favoring a particular vendor or supplier for personal benefit, inappropriate vendor relationships or vendor selection process)
38         Data/information risks (e.g., disclosing corporate data to competitors, skimming, release of confidential data, protecting credit card data, data integrity, data or information security breaches, theft of customer information/corporate data, phishing scams, ID theft, stealing credit card data, intellectual property theft)
26         Billing schemes/fraud (e.g., procurement fraud, overbilling contractors, invoice fraud)
25         Corruption (e.g., bribery of foreign officials, bribe/facilitation payments related to imports, side agreements, letters, bribes/kickbacks)
25         Fraud or risks pertaining to high unemployment rate/layoffs/frozen staff positions (e.g., reduction of audit staff/coverage, downsizing without remapping processes or controls)
21         Overall risks due to the impact of the economy (e.g., slow turnaround in the economy, reduced/constrained resources, reduced capital spending, employee stress, increased costs, lower revenues, increased need of cash by employees)
17         Risks due to management issues (e.g., questionable ethics by management, overall decision-making, management's view of internal auditing, lack of management oversight/integrity, insufficient management oversight and monitoring of operating entities, management override, lack of management support at the C-level)
15         IT risks (e.g., use of IT to cover up fraud, systems not capable of detecting fraud, risks associated with new financial systems, IT security risks, access to IT systems, legacy systems requiring security updates)

[4] Twenty-five percent of respondents indicated that public reporting on financial controls is not applicable to their organization.

Assurance and Consulting Activities Are a Source of Added Value

Internal auditing was identified as the number one function responsible for the day-to-day management of the organization's fraud program. [5] To help CAEs ensure internal auditors add the most value, the survey asked participants to identify the role that the internal audit activity plays as part of the fraud management program. Overall, the survey found that internal auditors perform a variety of consulting and assurance activities that add value to the organization's fraud management efforts (refer to Table 4 for a summary of all responses).

Table 4. Role of Internal Auditing as Part of the Fraud Management Program

Percentage  Response
73%         Conducts tests to determine if fraud is present in areas where potential fraud risks are present
71%         Evaluates the design and operation of internal controls related to fraud risk management
66%         Takes an active role in support of the organization's ethical culture
61%         Performs its own fraud risk assessment
60%         Is responsible for reporting cases of fraud to the audit committee
57%         Provides assurance to the board and senior management that fraud risks are being identified and appropriately addressed
51%         Conducts root-cause analyses of actual frauds to identify control improvement recommendations
50%         Performs periodic monitoring of key fraud indicators
42%         Provides assurance to the board and senior management that the organization's fraud program is effective
42%         Participates, under the direction of another function, in investigation of suspected fraud
39%         Has overall responsibility for investigations of suspected fraud
37%         Works with external auditors regarding their fraud assessment
32%         Participates in the organization's fraud risk assessment
30%         Provides fraud or ethics training sessions to business units
29%         Is responsible for the organization's fraud reporting mechanism or whistleblower hotline
28%         Interviews and communicates regularly with those conducting the risk assessment and others in key positions to help them ensure all fraud risks have been considered appropriately
24%         Conducts or participates in fraud-scenario analysis
21%         Runs automated software routines specifically designed to identify possible fraudulent activities
17%         Performs continuous monitoring of key fraud indicators

[5] Thirty-seven percent of respondents identified internal auditing as the number one function responsible for the fraud program. Other functions identified, in order of importance, include: legal or general counsel (11 percent), corporate security (7 percent), and the chief risk officer (or equivalent) or chief financial officer (or equivalent) (5 percent each).

For instance, in terms of assurance activities, internal auditors provide assurance to the board and senior management that the organization's fraud program is effective and that fraud risks are being identified and addressed appropriately. On the other hand, consulting activities include being an active participant in the organization's fraud risk assessment, evaluating the design and operation of internal controls related to fraud risk management, and providing fraud or ethics training sessions to business units.

Additionally, the survey asked participants to identify the top three activities internal auditors can perform that can provide added value to the organization's overall fraud management efforts. Again, respondents identified a number of consulting and assurance efforts. The top three are:
1. Increase fraud awareness, communication, and training throughout the organization.
2. Review systems in place and corresponding policies, procedures, and controls.
3. Perform regularly scheduled audits that monitor key, high-risk areas.

Table 5 provides a detailed summary of the top 15 activities internal auditors can perform to add value to the organization's fraud management efforts.

Internal Auditing's Role During Fraud Investigations

According to the practice guide Internal Auditing and Fraud, the role of internal auditing during fraud investigations needs to be defined in the internal audit charter as well as in the organization's fraud policies and procedures. Acceptable roles for internal auditors include:
- Having the primary responsibility for fraud investigations.
- Acting as a resource during investigations.
- Refraining from involvement in investigations, as they are either responsible for assessing the effectiveness of investigations or lack the appropriate resources to be involved in investigations.
In organizations where the internal audit activity is responsible for fraud investigations, it may conduct an investigation using in-house staff, a third party, or a combination of both. Appendix A of this report provides a list of 20 questions, taken from the practice guide, that CAEs can ask about fraud on a regular basis to enhance the organization's fraud management program or efforts.
Source: Internal Auditing and Fraud (December 2009), The IIA, pg. 23

Table 5. Top 15 Activities Internal Auditors Can Perform to Provide Added Value to Fraud Management Efforts

1. Increase fraud awareness, communication, and training throughout the organization (e.g., help educate employees on awareness/antifraud efforts, educate process owners/customers, and help to promote companywide policies and procedures).
2. Review systems in place and their corresponding policies, procedures, and controls (e.g., audit financial reporting controls, fraud detection and prevention controls, inventory/shipping/invoicing functions, and risk mitigation plans; verify internal control effectiveness in all financial and other high-risk areas; and review segregation of duties activities).
3. Perform regularly scheduled audits that monitor key, high-risk areas (e.g., perform IT security assessments and other IT-targeted reviews; perform payroll control reviews, operational audits, risk-based audits, and financial control audits; and increase the audit scope on key business areas including HR, general ledger activity, and ethics and compliance).
4. Review/audit specific financial activities (e.g., accounts receivable trends, cash management activities, disbursement cycles, record keeping reports, expense claims, customer accounts, changes in financial statement and balance sheet accounts, commissions paid versus revenues, credit card transactions for emerging trends, high-risk/suspicious transactions and accounts, and procurement cards).
5. Implement a continuous audit process to eliminate sample bias; audit credit and accounts payable activity; audit employee expenses; and continuously monitor controls, high-risk areas, financial transactions, IS, and control self-assessments.
6. Perform risk assessments/risk-based audits.
7. Increase the level of coordination and cooperation with internal and external groups and other programs already in place.
8. Review/audit key risk activities other than financial areas.
9. Increase fraud awareness/communication/training/discussion with management/leadership.
10. Conduct or assist in fraud investigations.
11. Perform data analysis and mining.
12. Include fraud risk assessment as a part of every audit.
13. Perform regulatory control/compliance testing.
14. Remain/be visible and accessible throughout the organization by conducting site visits and regular audit reviews of each location.
15. Help develop a fraud plan for the organization.

Finally, the survey asked a number of questions pertaining to the relationship between internal auditing and the individual department responsible for the organization's fraud program, if other than internal auditing. The majority of responses (58 percent) indicate there is a high degree of coordination and information sharing between the two functions (refer to Table 6). (For a description of additional roles, see Internal Auditing's Role During Fraud Investigations above.) Also, although the internal audit activity is not primarily responsible for fraud detection activities (only 18 percent of participants stated that this is the sole responsibility of internal auditing), 61 percent of respondents stated there is an underlying expectation from management and the audit committee that internal auditors must help in this area. As a result, more than half of all the internal audit activities represented in the survey (56 percent) employ internal auditors with forensic or investigative skills, including internal auditors with the certified fraud examiner designation, experienced fraud managers, and internal audit staff with investigative and forensic training.

Table 6. Relationship Between Internal Auditing and the Organization's Fraud Management Function

Responses                                                                                     Percentage
High level of coordination and information sharing*                                           38%
Not applicable (internal auditing manages the program)                                        36%
Performs investigations jointly with fraud staff*                                              12%
Clear responsibilities delineated for each function*                                          9%
Little to no coordination and information sharing                                             4%
Investigations are solely the responsibility of the fraud function                            2%
Fraud function does separate reporting on fraud to senior management and the audit committee  2%

* These responses indicate a high degree of coordination and information sharing between the internal audit activity and the fraud management function.

Fraud Risks Management Programs Are Becoming a Higher Priority

Finally, survey results indicate that fraud risk management efforts or programs are becoming a higher priority. First, programs within companies that manage fraud risks are receiving increased attention. As explained earlier, 76 percent of respondents indicated they work in an organization where there is either a formal (34 percent) or informal (42 percent) fraud risk management program in place, and 24 percent are planning on implementing a program in the future. Hence, fraud risk management is a topic of discussion in all of the organizations represented in the survey.

Figure 1. Overall Effectiveness of Fraud Program

Second, of the 76 percent of respondents who stated their organization has a formal or informal program, more than half stated that the fraud risk management program is somewhat effective to highly effective (refer to Figure 1). Furthermore, these respondents were asked to identify the current trend toward overall program effectiveness. According to survey results, 49 percent of respondents who work in an organization with a fraud risk management program stated that the program is starting to become more effective. Hence, even in organizations where fraud management efforts are ineffective, corrective actions are being put in place to increase the likelihood of detecting or preventing future fraud risks (refer to Figure 2).

Figure 2. Current Trend Toward Overall Fraud Program Effectiveness

Third, organizations are starting to commit specific resources toward fraud management, including the creation of a dedicated fraud management unit or function. According to survey results, more than a quarter of all the organizations represented in the study (28 percent) have a dedicated business unit or department to manage or investigate fraud. In terms of staffing, 63 percent of all respondents have full-time staff (33 percent), part-time staff (19 percent), or a combination of both (11 percent) dedicated to the program or unit. Table 7 summarizes the total number of full-time staff equivalents dedicated to the organization's fraud program or unit.

Table 7. Full-time Staff Equivalents Dedicated to Fraud Management Program or Unit

Total No. of Staff    Percentage
1                     26%
2 to 5                37%
6 to 9                7%
10 to 15              3%
16+                   5%
Not applicable        22%

As organizations hire dedicated staff to enhance their fraud risk management efforts, CAEs need to ensure that the appropriate oversight is provided to effectively manage the program. As The IIA's new practice guide Internal Auditing and Fraud explains, oversight can take many forms and can be performed by many within and outside the organization under the overall oversight of the board of directors. 6

6 Internal Auditing and Fraud (December 2009), pg. 10

In addition to internal auditors, the following eight functions play a key role in the organization's fraud management program:

Board of directors.
Audit committee.
Management.
Legal counsel.
External auditors.
Loss prevention manager.
Fraud investigators.
Other employees, from the summer intern to the CEO.

(Appendix B describes the main roles of each function.)

Finally, another finding that further confirms fraud risk management is becoming a higher priority is the belief among respondents that fraud prevention is more important than fraud detection. For instance, the survey asked participants to identify their level of agreement with three statements pertaining to the value seen in fraud prevention versus fraud detection activities. Nearly all participants agree to highly agree that the organization's board/audit committee, senior management, and internal audit activity perceive more value in preventing fraud rather than detecting fraud (refer to Table 8 for a summary of all responses). This finding is not surprising considering that once fraud is detected, the organization may already have incurred a significant financial loss. Hence, preventing fraud from occurring saves the organization more time, money, and other resources in the long run, especially in cases where the fraudulent activity leads to a criminal investigation. As many organizations start to enhance their fraud risk management efforts, this is a good time for CAEs to review their internal audit activities related to fraud risk and ensure they are consistent and aligned with what management is doing.

Table 8. Value Given to Fraud Prevention Versus Fraud Detection Activities
(Scale: 1 = Highly Disagree, 5 = Highly Agree)

Statement                                                                                     1     2     3     4     5
Our board/audit committee sees more value in preventing fraud rather than detecting fraud.    3%    6%    25%   32%   35%
Senior management sees more value in preventing fraud rather than detecting fraud.            4%    10%   22%   35%   30%
Internal auditing sees more value in preventing fraud rather than detecting fraud.            2%    5%    5%    25%   62%

Leading Practices

To obtain leading fraud management practices, respondents were asked to describe the most effective strategies an organization can implement to prevent fraud. In order of importance, these strategies are:

Leading Practices in Fraud Prevention
Survey results unveiled eight leading practices in the area of fraud prevention. These are:
1. Implement a well-publicized fraud management program that has a dedicated role for monitoring compliance with program policies and procedures and is commensurate with the organization's business model.
2. Ensure the effectiveness of established controls or control processes.
3. Encourage strong tone at the top in support for the organization's fraud management program/efforts.
4. Ensure internal audit plans encompass key fraud prevention activities.
5. Engage in effective activities pertaining to management, such as providing management training on internal control procedures, fostering ongoing communication among senior management, and sharing information to educate leadership regarding their role and responsibility to deter and detect fraud.
6. Implement a code of conduct or ethics program for all staff that is part of the organization's corporate governance structure.
7. Perform an annual fraud risk assessment and control self-assessment.
8. Implement or increase ERM efforts.

Implement a well-publicized fraud management program that:
  o Has a dedicated role for monitoring compliance with program policies and procedures.
  o Is commensurate with the organization's business model.
  o Ensures staff are aware of their responsibility to identify fraud.
  o Provides a tool for confidential reporting of suspected frauds, such as the implementation of an ethics and compliance (i.e., whistleblower) hotline.
  o Communicates to employees the critical elements contained in the organization's code of conduct.
  o Enables staff to question activities that are outside the norm.
  o Requires fraud training.
  o Outlines the actions to be taken against fraud perpetrators.
  o Publicizes fraud management efforts.
  o Celebrates good behavior.

Ensure the effectiveness of established controls or control processes, including:
  o Vendor management activities such as vendor qualification and competitive bidding procedures.
  o Regular updates to master vendor files.
  o Expenditure reviews.
  o Inventory accountability, such as consequences for management personnel if variances in inventory are detected, and routine/frequent checks and reconciliation of inventory.
  o Regular updates of security clearances.

Encourage strong tone at the top by:
  o Ensuring senior management sets the proper tone at the top for fraud management.
  o Demonstrating the organization's commitment to implement effective internal controls in all programs.
  o Making a commitment to review internal controls and taking strong sanctions against those perpetrating fraud.
  o Ensuring senior management carries the message to employees about their commitment to prevent fraud and deal directly with fraud when identified.

Ensure that audit plans encompass the following key activities:
  o Surprise audits, in addition to scheduled audits on randomly selected business units.
  o Regular internal audit presence in all parts of the organization.
  o Compliance monitoring of fraud policies and procedures.
  o Fraud audits and internal audit support for the fraud program.
  o Mechanisms to audit code of conduct compliance.
  o Hire antifraud professionals as part of the internal audit activity.
  o Systematically assess key controls and continuously audit fraud risk areas.
  o Enable internal auditors to remain/be visible in the company.
  o IT audit activities pertaining to fraud risk (e.g., use of fraud detection software, automated matching and computer-assisted audit techniques, and data mining).

Engage in effective activities pertaining to management, including:
  o Training of management on internal control procedures.
  o Fostering an appropriate leadership/management style to avoid the "rationalization" process that is present in fraud scenarios.
  o Ensuring ongoing communication among senior management.
  o Sharing information to educate leadership regarding their role/responsibility to deter and detect fraud.
  o Ensuring management support when new controls need to be implemented.
  o Ensuring careful management hiring decisions.
  o Building awareness of the type of fraud that can occur in a given area and the steps that can and should be taken to prevent fraud.

Implement a code of conduct/ethics program for all staff that is part of the organization's corporate governance structure. The code of conduct/ethics must:
  o Communicate that fraud of any form will not be tolerated.
  o Establish an adherence to accountability standards.
  o Communicate to employees what integrity in the workplace means, including penalties for violations and noncompliance with the code of conduct.
  o Instill an ethical culture among all staff that makes each employee accountable for detecting fraud.

Perform an annual fraud risk assessment and control self-assessment that: 7
  o Evaluates fraud risks and inventories fraud scenarios.
  o Includes threat discussions and assessments.

Implement or increase ERM efforts.

When examined closely, these survey responses unveil a series of leading practices in the area of fraud management program implementation. According to respondents, once an organization establishes a fraud management program, at a minimum, the program must:
  o Establish the proper tone at the top through the implementation of a code of conduct.
  o Establish mechanisms to audit compliance to the code of conduct.
  o Develop and enforce repercussions for noncompliance to the code of conduct.
  o Communicate with all employees on a regular basis the critical elements contained in the code of conduct.
  o Ensure organization leaders lead by example.
  o Have clear and robust policies, procedures, and controls that are well understood by all employees, enforced by management, and closely monitored by internal auditing and senior and line managers.

For additional fraud prevention practices from The IIA, read Fraud Prevention Elements on page 16.

7 A sample fraud management assessment can be downloaded from The IIA's Web site, www.theiia.org/download.cfm?file=75536 (PDF, 536 KB).

Fraud Prevention Elements
According to the practice guide Internal Auditing and Fraud, fraud prevention involves those actions taken to discourage fraud and limit fraud exposure when it occurs. Instilling a strong ethical culture and setting the correct tone at the top are, thus, essential elements in preventing fraud. To ensure the effectiveness of fraud prevention efforts, CAEs need to recommend the establishment of the following key fraud prevention elements:
1. A control environment that includes a code of conduct or ethics or fraud policy to set the appropriate tone at the top; an ethics and compliance hotline or program to report concerns; hiring and promoting guidelines and practices; and oversight by the audit committee, board, or other oversight body.
2. A risk assessment that considers fraud risk factors and schemes.
3. Control activities, i.e., policies and procedures for business processes, including appropriate authority limits and segregation of duties.
4. Communication to promote the importance of the fraud management program and the organization's position on fraud risks.
5. Periodic monitoring of anti-fraud controls through independent evaluations of the fraud management program by internal auditing or other groups and the implementation of technology to aid in continuous monitoring and detection activities.
Source: Internal Auditing and Fraud (December 2009), The IIA, pp. 19-20

Appendix A: List of 20 Questions

The following are 20 questions CAEs can ask about fraud on a regular basis to enhance the organization's fraud management program or efforts:
1. Does the organization have a fraud governance structure in place that assigns responsibilities for fraud investigations?
2. Does the organization have a fraud policy in place?
3. Has the organization identified laws and regulations relating to fraud in jurisdictions where it does business?
4. Does the organization's fraud management program include coordination with internal auditing?
5. Does the organization have a fraud hotline?
6. Does the audit charter describe internal auditing's roles and responsibilities relating to fraud?
7. Has responsibility for fraud detection, prevention, response, and awareness been assigned within the organization?
8. Do management and the CAE update the audit committee on fraud?
9. Does management promote fraud awareness and training within the organization?
10. Does management lead fraud risk assessments and include internal auditing in the assessment process?
11. Are the results of fraud risk assessments considered in the audit planning process?
12. Are periodic fraud awareness and training programs provided to all employees?
13. Are automated tools available to those responsible for preventing, detecting, and investigating fraud?
14. Has management identified the types of potential fraud risks in its areas of responsibility?
15. Do management and the CAE know where to obtain guidance on fraud from professional organizations?
16. Do management and internal auditors know their responsibilities relating to fraud?
17. Has management incorporated appropriate controls to prevent, detect, and investigate fraud?
18. Does management have the appropriate skill sets in place to perform fraud investigations?
19. Do management and the internal audit activity periodically assess the effectiveness and efficiency of fraud controls?
20. Are fraud investigation workpapers and supporting documents appropriately secured and retained?

Appendix B: List of Key Fraud Management Oversight Functions

Function: Description of Main Role

Board of Directors: Oversee and monitor management's actions to manage fraud risks by evaluating management's identification of fraud risks, implementation of anti-fraud measures, and tone at the top. Implement policies that encourage ethical behavior, including processes for employees, customers, and external business relationship partners to report instances where those policies are violated. Monitor the organization's fraud risk management effectiveness by appointing one executive-level member of management to be responsible for coordinating fraud risk management and reporting to the board.

Audit Committee: Evaluate management's identification of fraud risks and the implementation of antifraud measures. Provide the tone at the top that fraud will not be accepted in any form. Hire external auditors to report on the financial statements of the organization and provide recommendations on internal control.

Management: Implement and monitor processes and internal controls to oversee employee activities. Assess the vulnerability of the entity to fraudulent activity. Establish and maintain an effective internal control system at a reasonable cost. Hold discussions with investigators and legal counsel over the investigation process, including the development of policies and procedures for effective fraud investigations and for handling the results of investigations, reporting, and communications.

Legal Counsel: The roles and responsibilities of in-house counsel will often be governed by the laws of each jurisdiction. A lawyer generally acts in the best interest of the organization and also is required to preserve client confidences. The discovery of fraud can bring these two ethical duties into potential conflict. When faced with constituents in the organization who intend to engage in fraud, a lawyer can urge reconsideration, advise the constituents to seek a separate legal opinion, or refer the matter to a higher authority within the organization.

External Auditors: Plan and perform the audit of the organization's financial statements to obtain reasonable assurance about whether the financial statements are free of material misstatement and whether the misstatements were caused by error or fraud. If fraud is discovered, external auditors must bring the matter to the attention of an appropriate level of management. In cases of fraud involving senior management, external auditors must report the matter to those charged with governance.

Fraud Investigators: Detect and investigate fraud and recover assets. Often, fraud investigators work closely with legal counsel to bring legal action against a perpetrator. Lead investigators usually determine the knowledge, skills, and other competencies needed to carry out the investigation effectively and assign competent and appropriate people to the team.

Other Employees: Function as the eyes and ears of the organization. Report suspicious behavior through the use of the employee hotline, the internal audit department, or a member of management.

Source: Internal Auditing and Fraud, pp. 10-12
