Integrating COSO s Fraud Risk Management Guide on an Enterprise Scale

Similar documents
Effective implementation of COSO s new anti-fraud guidance

report that their financial impact of all fraud, corruption and/or money laundering incidents is over per incident

AUDIT RISK ASSESSMENT AND RESPONSES TO ASSESSED RISK BY Geoffrey Byamugisha Partner, Ernst & Young. Lessons on Audit Risk. Responding to fraud risk

Surveillance Program Design and Behavioral Analytics Implementation

Fraud Risk Management

Fraud Risk Management

NYSARC/CP Compliance Seminar: Risk Assessments. May 2, 2016 Robert Hussar and Melissa Zambri

Building and operating the UK s infrastructure. Establishing your roadmap to success

Managing Fraud Risk: New Professional Guidance

Third Party Risk Management ( TPRM ) Transformation

Risk Advisory Services Developing your organisation s governance for competitive advantage

A Discussion About Internal Controls February 2016

Internal Controls Integrating COSO

Business resilience in the provider care sector. Actively adapting to a changing environment

Growing opportunity, growing business. EY s financial services practice in ASEAN

Fisher & Paykel Healthcare Limited Review of Directors Fees Summary of EY report dated 19th June 2017

ESTERLINE ANTI-CORRUPTION PROGRAM CHARTER

Measuring digital advertising revenue to infringing sites

Leading Practices to Leverage Forensic Data Analytics in Compliance Monitoring and Investigation

Bearing the Bad News Reporting to the Board on Internal Corruption. Peter Dent, National Leader Deloitte Forensics September 11, 2013

Continuous Monitoring: Getting Results Today!

COSO Updates and Expectations. IIA San Diego Chapter January 8, 2014

Present and functioning: Fine-tuning your ICFR using the COSO update

Audit Training-of-Trainers Workshop, November 2014, Vienna Components of internal control within organization

Session 4C: Model Governance: What Could Possibly Go Wrong? (Part I) Moderator: Dwayne Allen Husbands, FSA, MAAA

Governing the cloud. insights for 5executives. Drive innovation and empower your workforce through responsible adoption of the cloud

COMPLIANCE AT LARGER INSTITUTIONS. November 11 13, Robert F. Roach Chief Compliance Officer New York University

Internal Audit How the Internal Audit Function Facilitates Internal Controls. Office of the City Auditor City of Tallahassee

Sarbanes-Oxley Act of 2002 Can private businesses benefit from it?

Risk reduction? Value creation?

Minimizing fraud exposure with effective ERP segregation of duties controls

Best practice workshop. Training course outline

Synergies between Risk Modeling and Customer Analytics

2013 COSO Internal Control Framework Update. September 5, 2013

Using Transactional Analysis for

Global Benchmark. Role of data analytics for internal fraud detection

The winning tax transformation trinity. Data, technology and operations

FINAL ASSESSMENT M.C. DEAN, INC.

Compliance Auditing Done Right

Session 7: Corporate Governance

The Road to Continuous Assurance. Jason A. Gross, CPA, CIA, CFE, CISA, ACDA Vice President, Controls Management Siemens Financial Services, Inc.

The trouble with culture:

CGMA Competency Framework

Siemens Compliance System

Quality Assessments what you need to know

26th Annual Health Sciences Tax Conference

Internal Control Questionnaire and Assessment

Developing high performance teams. 2 3 October 2017

2/27/2017. Segregation of Duties/ Internal Controls. Objectives. Agenda

AUDITING. Auditing PAGE 1

Effective Risk Management With AML Risk Assessment. January 25, 2017

SETTING POLICIES and GUIDELINES for CONDUCTING INTERNAL INVESTIGATIONS

Managing Risk in Your P2P Process: 10 Ways that Automation Can Help Mitigate Risk

Enterprise Risk Management: Developing a Model for Organizational Success. White Paper

Are you Fit for Funding

Peter Fuss Senior Advisory Partner Automotive Ernst & Young

Infrastructure and Capital Projects

EY Advisory: Driving business performance

Crowe Activity Review System

Fraud Prevention: How to Identify and Protect Your Higher Ed Institution

Catching Fraud During a Recession Through Superior Internal Controls. FICPA s 25 th Annual Accounting Show. J. Stephen Nouss September 29, 2010

Fraud Prevention, Detection, and Internal Controls

Fraud Risk Management

Global Expectations for Addressing Fraud Risk and the Investigative Process

Developing Effective Anti-Corruption Ethics and Compliance Programmes. Sven Biermann

The Road to Continuous Assurance. Jason A. Gross, CPA, CIA, CFE, CISA, ACDA Vice President, Controls Management Siemens Financial Services, Inc.

Mitigating Corruption Risk When Acquiring Companies in High-Risk Jurisdictions

IPO Readiness. Sarbanes-Oxley Compliance & Other Considerations. Presented by:

Internal Control Questionnaire and Assessment

AMETEK, Inc. Code of Ethics and Business Conduct

Audit of Entity Level Controls

Triple C Housing, Inc. Compliance Plan

It s time to revisit your anti-corruption compliance program How to design an effective and defensible compliance program in response to global trends

Banking on gender differences? Similarities and differences in financial services preferences of women and men in a digital world

Introduction. Key points of the recent ODPC guidance, and the Article 29 working group guidance

Internal Control Integrated Framework. May 2013

MiFID II Extraterritorial Impacts. Product Manufacturing and Distribution

Using Data Analytics as a Management Tool to Identify Organizational Risks

Success peak performance and personal branding December 2017

Internal Audit Quality Analysis Evaluation against the Standards International Standards for the Professional Practice of Internal Auditing (2017)

Executive Steering Committee Meeting. Department of Revenue Building 2, Room 1250 July 27, 2016

Next Generation Controls(NGC) Moving towards a Robust Control Framework. August Risk

The Future of Accounts Payable

Enterprise intelligence in modern shipping

Protecting Fixed Assets: Internal Controls for Non Profits

Measuring Compliance Program Effectiveness

STUDY UNIT TEN INTERNAL AUDIT RESPONSIBILITIES FOR FRAUD

FCPA COMPLIANCE PROGRAMS

Comprehensive Enterprise Solution for Compliance and Risk Monitoring

Brexit: considerations for your Internal Audit operating model

Internal Audit Procurement Policies and Controls

ATTACHMENT C CORPORATE COMPLIANCE PROGRAM

Compliance Plans. Kelly S. McIntosh July 20, 2017

KPMG Intelligent Diligence An automated approach to KYC. kpmg.com/uk

Compliance Program Effectiveness Guide

Internal Controls In Higher Education

A Data Driven Company How Deloitte transformed itself. QlikView Business Discovery World Tour Eindhoven, 9 October 2013

Article from: CompAct. April 2013 Issue No. 47

Accenture Profit Recovery and Analytics

Global Enterprise Model (GEM) for Utilities

Transcription:

Integrating COSO s Fraud Risk Management Guide on an Enterprise Scale September 15, 2017 Vincent Walden Partner EY Atlanta Delores White Director, Internal Audit Southern Company Scott Hulsey Chief Compliance Officer GE Energy

Topics for discussion Background on COSO s new anti-fraud guidance Mapping COSO s five anti-fraud principles to your internal controls and analytics program Case examples and company perspectives Resources and reference guides ACFE tools demonstration Dashboard demonstration Page 2

COSO s Fraud Risk Management Guide Background & Summary COSO published a Fraud Risk Management Guide at the end of September ACFE is the co-author The Guide builds on Principle 8 of the 2013 internal controls framework Principle 8: The organization considers the potential for fraud in assessing risks to the achievement of objectives. Principle 8 addresses risk assessment, but the new guide addresses fraud risk management 5 Principles of Fraud Risk Management are identified These align to the 17 principles of internal controls from the 2013 Internal Controls Framework Page 3

Summary of Fraud Risk Management Components and Principles Control environment Risk assessment Control activities Information and communication Monitoring activities Principle 1 Principle 2 Principle 3 Principle 4 Principle 5 Source: 2016 COSO Fraud Risk Management Guidelines The organization establishes and communicates a fraud risk management program that demonstrates the expectations of the board of directors and senior management and their commitment to high integrity and ethical values regarding managing fraud risk. The organization performs comprehensive fraud risk assessments to identify specific fraud schemes and risks, assess their likelihood and significance, evaluate existing fraud control activities, and implement actions to mitigate residual fraud risks. The organization selects, develops, and deploys preventive and detective fraud control activities to mitigate the risk of fraud events occurring or not being detected in a timely manner. The organization establishes a communication process to obtain information about potential fraud and deploys a coordinated approach to investigation and corrective action to address fraud appropriately and in a timely manner. The organization selects, develops, and performs ongoing evaluations to ascertain whether each of the five principles of fraud risk management is present and functioning and communicates fraud risk management program deficiencies in a timely manner to parties responsible for taking corrective action, including senior management and the board of directors. Page 4

2008: First major attempt to increase fraud risk management and fraud risk assessments IIA, ACFE, AICPA Sponsors Fraud risk governance Fraud risk assessment Fraud prevention Fraud detection Fraud investigation and corrective action Page 5

2016 COSO Fraud Risk Management Guidelines 1) Establishment of a fraud risk management program 2) Performs comprehensive fraud risk assessments 3) Selects, develops, and deploys preventive and detective fraud control activities 4) Investigation program 5) Ongoing evaluations and corrective action of the overall program Source: 2016 COSO Fraud Risk Management Guidelines Page 6

COSO s Fraud Risk Management Guide Key Points The Guide is not a mandatory standard. But provides a framework that many companies will look to as a resource The Guide s key recommendations: Comprehensive assessment of the risks of fraud, as distinguished from the risks of internal control errors A strategy for proactively using data analysis activities A program leader that reports to the board of directors Page 7

Company perspective How did your company utilize the guide? What areas were most helpful? How did the five principles align with current processes? How did management receive the results of your Fraud Risk Assessment? Page 8

Page 9 Mapping COSO s five anti-fraud principles to your internal controls and analytics program

Control environment Principle 1 Fraud Risk Governance COSO 2013 Framework principles COSO Fraud Risk Management Guide Analytic considerations 1. The organization demonstrates a commitment to integrity and ethical values. 2. The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control. 3. Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives. 4. The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives. 5. The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives. 1. The organization establishes and communicates a fraud risk management program that demonstrates the expectations of the board of directors and senior management and their commitment to high integrity and ethical values regarding managing fraud risk. Executive reporting Interactive dashboards Targeted analysis around metrics, compliance, and ratios Page 10

Management oversight example: Country risk-ranking dashboard Page 11

Risk assessment Principle 2 Fraud Risk Assessment COSO 2013 Framework principles Fraud Risk Management principles Analytic considerations 6. The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives. 7. The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed. 8. The organization considers the potential for fraud in assessing risks to the achievement of objectives. 9. The organization identifies and assesses changes that could significantly impact the system of internal control. 2. The organization performs comprehensive fraud risk assessments to identify specific fraud schemes and risks, assess their likelihood and significance, evaluate existing fraud control activities, and implement actions to mitigate residual fraud risks. Surveys and heat maps Media scans and external sources such as industry news Complaints database Page 12

Risk assessment example: Combining multiple risk factors to calculate an ambient country score Page 13

Control activities Principle 3 Fraud Control Activities COSO 2013 Framework principles Fraud Risk Management principles Analytic considerations 10. The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels. 11. The organization selects and develops general control activities over technology to support the achievement of objectives. 3. The organization selects, develops, and deploys preventive and detective fraud control activities to mitigate the risk of fraud events occurring or not being detected in a timely manner. ABaC analytics P2P, O2C, T&E, CRM analysis General ledger transaction analysis 12. The organization deploys control activities through policies that establish what is expected and procedures that put policies into action. http://www.ey.com/pz/en/home/eycounterfraudmanagementdemo Page 14

Utilizing data visualization to do more Plan and build tests for: Payment risk scoring Vendor risk scoring High-risk transactions Revenue recognition or sales commissions Conflicts of interests Antitrust/competition Additional tests for enhanced reviews: Inventory management Salaries & payroll Employee travel & entertainment FCPA/UKBA (corruption risks) Selected compliance topics Interactive dashboards in the hands of the business users Page 15

Data Visualization: Accounts Payable Monitoring High-risk payment descriptions Page 16

Payment systems example: Procure to pay payments focused Analyze payment activity based on a combination of risk factors What were the urgent payments in December? Were there any significant, potentially duplicate payments? What type of charitable contributions were made? Page 17

Payment systems example: Risk scoring vendor payments across multiple factors Page 18

Information and communication Principle 4 Incident Reporting, Investigation, and Response COSO 2013 Framework principles Fraud Risk Management principles Analytic considerations 13. The organization obtains or generates and uses relevant, quality information to support the functioning of other components of internal control. 14. The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control. 15. The organization communicates with external parties regarding matters affecting the functioning of other components of internal control. 4. The organization establishes a communication process to obtain information about potential fraud and deploys a coordinated approach to investigation and corrective action to address fraud appropriately and in a timely manner. Case management Escalation and triage Review workflow management Page 19

Investigations tracking example Page 20

Monitoring activities Principle 5 Fraud Risk Management Monitoring Activities COSO 2013 Framework principles Fraud Risk Management principles Analytic considerations 16. The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning. 17. The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate. 5. The organization selects, develops, and performs ongoing evaluations to ascertain whether each of the five principles of fraud risk management is present and functioning and communicates fraud risk management program deficiencies in a timely manner to parties responsible for taking corrective action, including senior management and the board of directors. Investigative procedures Deep dive analysis Email and communications review Page 21

Countries in scope Enterprise monitoring example Data integration strategy Country 1 Country 2 Country 3 Country 4 Country 5 Country 6 Country 7 Data Sources General Ledger Accounts Payable Cash Disbursements Sales / Contra Revenue Vendor / Customer / Employee Master Files Investigations / Case Management Travel & Entertainment Due Diligence Industry Codes Gift Logs Country 8 Country 9 Country 10 Country 11 Country 12 Ambient Risk Urgent Payments Touch Point Vendors Country 13 Compliance Platform Dashboard Modules Global Dashboards Zone and Country Dashboards Investigations & Audit Procure to Pay Payments Duplicate Payments Procure to Pay Vendors High Risk Vendors Country 14 Data Pollution & Integrity Charitable & Political Contributions One Time Vendors Audit External Data AML / Sanctions Travel & Entertainment Order to Cash Page 22

Frequent compliance analytics risk areas, particularly in emerging markets Meals & Entertainment Marketing & Events CRM and Sales Information Security/Insider Threat Employee Payroll Sales, Distributor & Margin Analysis Vendor Payments / AP Inventory Capital Projects Third-Party Due Diligence & Watchlist, Shell Companies Accounting Reserves Charity & Donations Emerging monitoring activities may include Social Media Monitoring Advanced Email Monitoring Mobile Devices Page 23

ROI Considerations ACFE s 2016 Report to the Nations Companies without data monitoring/analytics in place suffered a median loss per incident of $200k vs. $92k with data analytics in place. Page 24

Monitoring Investigation Performance Metrics (KPIs) Resolution time Investigation costs Repeat incidents Incident location (business unit, operational area, or geography) Value of losses recovered and future losses prevented Corrective actions Internal control remediation, business process remediation, disciplinary action, training, insurance claims, extended investigations, civil actions, criminal referrals **Corrective actions for fraud related incidents is an evaluation component within the Federal Sentencing Guidelines Source: 2016 COSO Fraud Risk Management Guidelines Page 25

Page 26 Resources and reference guides

ACFE resources demonstration www.acfe.com/fraudrisktools.aspx Page 27

Company perspective Self Assessment Page 28

Thank you Page 29

EY Assurance Tax Transactions Advisory About EY EY is a global leader in assurance, tax, transaction and advisory services. The insights and quality services we deliver help build trust and confidence in the capital markets and in economies the world over. We develop outstanding leaders who team to deliver on our promises to all of our stakeholders. In so doing, we play a critical role in building a better working world for our people, for our clients and for our communities. EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information about our organization, please visit ey.com. Ernst & Young LLP is a client-serving member firm of Ernst & Young Global Limited operating in the US. Ernst & Young LLP, an equal opportunity employer, values the diversity of our work force and the knowledge of our people. 2016 Ernst & Young LLP. All Rights Reserved. SCORE no. XX0000 1603-1886034 ED none EY is committed to reducing its impact on the environment. This document was printed using recycled paper and vegetable-based ink. This material has been prepared for general informational purposes only and is not intended to be relied upon as accounting, tax, or other professional advice. Please refer to your advisors for specific advice. ey.com

2024 © businessdocbox.com Privacy Policy | Terms of Service | Feedback