2. MY GOAL
HAVE YOU WALK AWAY WITH THE KNOWLEDGE
AND TOOLS TO COMPLETE A FORMAL & USEFUL
FRAUD RISK ASSESSMENT!!!
3. Before We Begin, Remember…
The design of an organization’s formal and effective anti-fraud program evolves from the collaborative efforts of executive management, oversight committees, and specific departments within the organization…
5. OBJECTIVE
Prevent or detect the occurrence of fraud and implement proactive solutions to reduce or eliminate fraud’s effects on the organization…
Today’s Focus is on Element #4 - Fraud Risk Assessment
“An organization’s fraud risk exposure should be assessed periodically by the organization to identify specific scenarios that the organization needs to mitigate”
Anti-Fraud Program
Source: The IIA, ACFE and AICPA’s “Managing the Business Risk of Fraud: A Practical Guide”, April 2008.
6. One Size Doesn’t Fit All NOR Should IT
Management should tailor the design of the assessment to fit the needs and objectives of the organization.
Assessment should be:
Efficient,
Practical,
Easy to Understand, and
Useful
NOT just for you and your department but for everyone in the Organization…
8. 5 Easy Steps
1) IDENTIFY – Step one is identifying the specific risks your organization is susceptible to, while also considering how granularly you should monitor fraud risks…
2) ANALYZE & ASSESS – Fraud risk measurement varies, but the types of measurements used may have a profound effect on how your organization assesses a risk…
3) PRESENT – Who is your audience? Is there a prescribed format they are already used to? These are the questions you need to consider…
4) PLAN & IMPLEMENT – Work with others and their schedules to ensure your efficiency in completing the assessment. Allow management time to digest and provide feedback, and then work with control owners to implement proactive mitigation solutions…
5) MONITOR – Oh yeah, monitor, monitor and do some more monitoring. Suggest an annual formal “refresh”, but the real value stems from constant assessment.
9. IDENTIFY: Fraud Risk Categories
Present your “FRA” at a level that board members, executive management and others within the organization can understand…
Don’t be so granular that you lose the overall message. These aren’t fraud experts, but rather individuals who are on a “need to know” basis…
Example categories:
Bribery
Larceny
Fake Expenses
False Voids
10. ANALYZE & ASSESS - Measures
KPIs and Mitigating Activities provide “real” data to support your assessment; however, Management should be updated and risks ranked by using the…
(1) Magnitude (i.e. Significance):
High (3) = > $10 Million
Med (2) = Between $4 Million and $10 Million
Low (1) = < $4 Million
(2) Likelihood (i.e. Controls, Mitigating Activity):
Strong (1) = Preferred Practice
Good (2) = Adequate
Low (3) = Needs Improvement
(3) Likelihood (i.e. Pressure, Occurrence):
High (3) = Significant pressure
Med (2) = Moderate pressure
Low (1) = Little to no pressure
Magnitude + Likelihood [(Controls) + (Pressure)] = Rank
Other Measures
(1) Velocity – Measurement of the rate of change… (Immediate, Rapid or Slow)
(2) Risk – Gross & Residual: Gross before Mitigating Activities and Residual Measures After… (High, Medium or Low)
11. PRESENT: Enterprise Risk Management
“ERM” should serve as the model for your FRA. The FRA should have the same look and feel as your ERM presentation.
Magnitude (define how Financial Impact is measured, i.e. Net Income, Revenues, etc.):
Major (5) = > $500M
Substantial (4) = > $250M
Moderate (3) = > $100M
Minor (2) = > $10M
Insignificant (1) = < $10M
Likelihood:
Remote (1), Unlikely (2), Possible (3), Likely (4), Almost Certain (5)
[ERM heat map: STRATEGIC, OPERATIONAL, FINANCIAL, COMPLIANCE and FRAUD risks plotted by Magnitude (1–5) against Likelihood (1–5)]
Your FRA should serve as a “Drill-Down” from the ERM Fraud Risk.
12. PRESENT: Fraud Risk Assessment
Magnitude (define how Financial Impact is measured, i.e. Net Income, Revenues, etc.):
Major (5) = > $50M
Substantial (4) = > $25M
Moderate (3) = > $10M
Minor (2) = > $1M
Insignificant (1) = < $1M
Likelihood:
Remote (1), Unlikely (2), Possible (3), Likely (4), Almost Certain (5)
[FRA heat map: fraud risks 1 through 15 plotted by Magnitude (1–5) against Likelihood (1–5)]
Theoretically the “SUM” equals the value of FRAUD as presented on the Company’s Enterprise Risk Management Map:
1 + 2 + 3 … + 14 + 15 = FRAUD
13. PLAN/IMPLEMENT – Fraud Scheme Mngt.
Using the categories defined for presentation purposes, build a granular fraud scheme repository specific to your organization’s activities & risks…
The repository schemes can then be tracked and measured at a granular level and rolled up to assist in measuring the sub-risks and categories…
Fraud Scheme | Sub Risk | Category
Vendor A is required to pay the bidding manager $2,000 to participate in the bidding process | Extortion | Corruption
Funds are misappropriated to a shell company. Vendor setup is colluding with accounts payable. | Fraudulent Disbursement – Billing Scheme | Asset Misappropriation
Management has decided to book revenue for items shipped and ships items to meet expectations. | Financial – Fictitious Revenues | Fraudulent Statements
KPIs | Mitigation Actions
1. Hotline Statistics | 1. SOX Controls
2. SEC Enforcement Actions | 2. Audit Procedures
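The following Python script is an added example, not part of the slide deck. It implements the ranking formula from slide 10 (Magnitude + Likelihood [(Controls) + (Pressure)] = Rank) with its 1–3 bands, the gross/residual split from “Other Measures”, the FRA magnitude bands from slide 12, and the roll-up of granular schemes to sub-risk and category described on this slide. The register entries and their dollar exposures are constructed; the High/Medium/Low thresholds for the summed rank, the inclusive lower band edges, and the convention that a gross rank scores controls as “Needs Improvement” are assumptions the deck does not state.

```python
"""Fraud risk register scoring and roll-up (added example, not from the deck).

Implements the slide-10 formula
    Magnitude + Likelihood[(Controls) + (Pressure)] = Rank
with its 1-3 bands, the gross/residual split from "Other Measures", the
slide-12 FRA magnitude bands, and the slide-13 roll-up of granular schemes
to sub-risk and category. All register entries below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass


def magnitude_score(exposure_usd):
    """Slide 10: High (3) > $10M, Med (2) $4M-$10M, Low (1) < $4M."""
    if exposure_usd > 10_000_000:
        return 3
    if exposure_usd >= 4_000_000:
        return 2
    return 1


# Slide 10 likelihood scores. The controls scale is inverted on purpose:
# stronger controls score lower and therefore pull the rank down.
CONTROL_SCORE = {"strong": 1, "good": 2, "low": 3}
PRESSURE_SCORE = {"high": 3, "med": 2, "low": 1}


def fra_magnitude_band(exposure_usd):
    """Slide 12 heat-map row (1-5). Assumption: lower band edges are inclusive."""
    for threshold, band in ((50_000_000, 5), (25_000_000, 4),
                            (10_000_000, 3), (1_000_000, 2)):
        if exposure_usd >= threshold:
            return band
    return 1


@dataclass(frozen=True)
class Scheme:
    ref: int
    description: str
    sub_risk: str
    category: str
    exposure_usd: float
    controls: str   # strong / good / low
    pressure: str   # high / med / low


def rank(s, controls=None):
    """Magnitude + Controls + Pressure, range 3 (best) to 9 (worst)."""
    c = s.controls if controls is None else controls
    return magnitude_score(s.exposure_usd) + CONTROL_SCORE[c] + PRESSURE_SCORE[s.pressure]


def gross_rank(s):
    # Assumption: "gross" scores the scheme as if no mitigating activity
    # existed, i.e. controls at "Needs Improvement" (3).
    return rank(s, controls="low")


def residual_rank(s):
    # Residual uses the controls actually in place.
    return rank(s)


def rating(r):
    """Assumption: 7-9 High, 5-6 Medium, 3-4 Low for the map legend."""
    if r >= 7:
        return "High"
    if r >= 5:
        return "Medium"
    return "Low"


def roll_up(schemes, key):
    """Aggregate granular schemes to a sub-risk or category (slide 13)."""
    out = defaultdict(lambda: {"schemes": 0, "exposure_usd": 0.0, "max_residual_rank": 0})
    for s in schemes:
        bucket = out[getattr(s, key)]
        bucket["schemes"] += 1
        bucket["exposure_usd"] += s.exposure_usd
        bucket["max_residual_rank"] = max(bucket["max_residual_rank"], residual_rank(s))
    return dict(out)


def ranked(schemes):
    """Worst residual rank first; ties broken by reference number."""
    return sorted(schemes, key=lambda s: (-residual_rank(s), s.ref))


# Constructed register: the three slide-13 scenarios plus one false-void scheme.
REGISTER = [
    Scheme(1, "Bidding manager demands $2,000 from Vendor A to bid",
           "Extortion", "Corruption", 2_000_000, "good", "med"),
    Scheme(2, "Funds paid to a shell company; vendor setup colludes with AP",
           "Fraudulent Disbursement – Billing Scheme", "Asset Misappropriation",
           6_500_000, "low", "high"),
    Scheme(3, "Revenue booked to meet expectations (fictitious revenues)",
           "Financial – Fictitious Revenues", "Fraudulent Statements",
           30_000_000, "strong", "high"),
    Scheme(4, "Cashier records false voids and pockets the cash",
           "Register Disbursement – False Voids", "Asset Misappropriation",
           500_000, "good", "low"),
]

if __name__ == "__main__":
    for s in ranked(REGISTER):
        print(f"#{s.ref:<2} gross={gross_rank(s)} ({rating(gross_rank(s))})"
              f" residual={residual_rank(s)} ({rating(residual_rank(s))})"
              f" map row={fra_magnitude_band(s.exposure_usd)}  {s.description}")
    for cat, agg in roll_up(REGISTER, "category").items():
        print(f"{cat}: {agg['schemes']} scheme(s), ${agg['exposure_usd']:,.0f},"
              f" worst residual rank {agg['max_residual_rank']}")
```

Running the script lists the register worst-first and then the per-category roll-up; the gap between a scheme’s gross and residual rank is the credit its controls are earning, which is the number control owners will want to see when mitigation solutions are proposed.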
14. Prevention – Keep your Ears on the Track
Continue to improve & enhance these activities based on past experiences, new concepts and information from your fraud risk assessment…
1. Integrate current activities with anti-fraud objectives
2. Continue to assess preventative activities as part of audit and SOX procedures and identify ways to improve prevention activities
3. Adjust preventive activities based upon new ideas, frauds, etc.
4. Seek feedback from business owners
5. Try to stay ahead of the Fraudster by educating yourself and your team
15. Detection – Use Existing Knowledge
Leading & Lagging Indicators:
1. Hotline Complaints
2. Fraud Risk Research Stats
3. New Audits w/ Fraud Objectives
1. Ratio Analysis
2. Prior Audit Findings
3. Hotline Complaint Trends
[Diagram of detection activities: Fraud Risk Assessment, Audit Planning & Testing, SOX/ICFR Testing, Continuous Monitoring Focus Areas, Training, Policy Objectives, Management/Employee Awareness]
16. MONITORING – It Never Stops!!!
Understand what you or your department is currently doing to “monitor” or uncover additional fraud risks:
Audits
ICFR (e.g. “SOX”)
Continuous Assurance
Find new ways to monitor:
Review prior audits and ICFR Fraud Controls
Meet with counterparts in the Company
Read periodicals, journals, etc.
Statistical Analysis (internal and external data)
17. Now What?
NEVER Stop Thinking of New Fraud Risks
Think of NEW ways to convey your message
TREAT your assessment like a tool
GET TO WORK!!!