The Institute of Internal Auditor Los
Angeles Chapter
Annual Fraud Conference
Fraud Risk Assessment:
Think Like a ‘Demon’ & Add IA Value
April 10, 2013
2:30p – 3:30p
Mark P. Ruppert
CPA, CIA, CISA, CHFP, CHC
Director, Internal Audit
(CAE)
Fraud Risk Assessment
 IA Perspective on Fraud Risk
 Why Care? Why Consider Fraud Risk?
 What is Fraud Risk?
 Engaging Management in the Fraud Risk Discussion:
• Fraud Risk Assessment
• ‘Angels & Demons’ Data Collection Exercise
 Incorporating Fraud Risk into Internal Audit Work Plans
 Addressing Fraud Risk on an Ongoing Basis and in Individual
Audits
2
IA’s Perspective:
Fraud Risk
Heightened Risk & Challenge:
• IIA professional standards
• Ever increasing legal &
compliance requirements
• Management and Board
expectations
• High risk environment for
fraud, corruption & abuse
• Ever increasing ingenuity on
the part of fraudsters
Huge IA Opportunity:
• Get a better sense of
management intuition around
fraud matters
• Improve organization’s financial
performance
• Protect brand value and
professional reputation
• Mitigate criminal, regulatory and
civil legal risk
• Enhance IA prestige/relevance
3
Fraud Risk Assessment
Why?
Federal Sentencing Guidelines require that
compliance programs:
• address specific areas of potential fraud
• use audits and/or other
risk evaluation techniques
to monitor compliance and assist in the
reduction of identified problem areas
4
Fraud Risk Assessment
Why?
United States Sentencing Guidelines (USSG)
Effective 11/2004 = USSG amended to provide greater guidance regarding
compliance program criteria for an effective program to prevent and detect
violations of the law:
(USSC Guidelines Manual §8B2.1. Effective Compliance and Ethics Program)
(a)(1) exercise due diligence to prevent and detect criminal conduct
(a)(2) otherwise promote an organizational culture that encourages
ethical conduct and a commitment to compliance with the law
– (b)(1)Establish standards and procedures to prevent and detect
criminal conduct
(c) periodically assess the risk of criminal conduct and take appropriate
steps to…..to reduce the risk of criminal conduct identified
5
Fraud Risk Assessment
Why?
Like Compliance Professionals, Internal Audit Professionals must also
address fraud risk…
IIA Standards and Fraud Practice Guide
Emphasize Internal Audit’s Role in Addressing Fraud
• Antifraud Programs & Controls Assessment: Must evaluate how
organization manages risk (IIA Standard 2120)
• Fraud Risk Assessment: CAE must report periodically to management
/board on significant fraud risk exposures (IIA Standard 2060)
• Individual Audits: Must consider fraud when developing engagement
objectives (IIA Standards 1220, 2210)
• Proficiency: Evaluate the risk of fraud & the manner in which it is
managed by the organization (IIA Standard 1210)
6
Fraud Risk Assessment
Why?
Look at what companies are saying! -- 2010 Global Fraud Trends*
 % of survey respondents hit by fraud in past year = 88%
• More “viruses” than “diseases”: under $100M
 “Fraudsters’ take” = increased 20% from 2009
• Up to $1.4M per $1B sales
* [Source: 2010 Global Fraud
Survey – Economist Intelligence
Unit/Kroll Consulting
(www.kroll.com)]
 Theft of information and electronic data = #1 reported fraud
• Overtakes Physical Theft for first time
• #3 & #4= Management Conflict of Interest, Vendor/Supplier Fraud
 Fear of fraud is dissuading 48% of companies from operating in other countries
• China & Africa = most affected (corruption #1 concern)
 Companies appear unprepared for heightened FCPA enforcement and lack adequate
understanding
• 2005-2009: 60 DOJ cases (more than 1977-2005)
• 2010: already 130 open cases
 Fraud is largely an inside job
• 44% employees, 11% agents/intermediaries
 Industry Lens: Fraud Prevalence
• Declining: Natural Resources, Construction, Health/Pharma/Bio, Travel,
Manufacturing
• Increasing: Financial, Professional Services, Tech/Media/Telecom, Retail, Consumer
7
Fraud Risk Assessment
Why?
• US government admits losing 10% of spending to fraud; US government
realizes a $9.75 : 1 on fraud management
• Effective fraud management produces 8:1 ROI for financial services industry
• ACFE estimate: companies
lose $1 trillion or 7% of
revenue to misconduct
• PwC GECS survey
– 40% increase in fraud,
before the recession
– Controls paradox
Don’t Intelligence Unit:
• Economist
85% of companies detected
Forget
significant frauds
Operational
over past 3 years)
– 10% suffer >$100 million
& Personal
– Large companies - $23 million
Impact!
– Small companies - $8.2 million average loss
pwc Fall 2010 IART – Fraud Risk Assessment – 11/4/10
8
Fraud Risk Assessment
Why?
To Address the Impact of Healthcare Reform:
Fed Unveils New Plan for Fraud Detection
 The What: Enhanced enforcement requirements detailed in the reform law = Medicare, Medicaid and CHIP
 The Why:
• Medicare ‘Improper Payments’ in 2009: 8% of 4.5 million claims per day = $24 Billion
• Goal to increase fraud detection and increase certainty of punishment
 The Impact: Depending on provider type = more work, more expense, getting personal
• Easier for CMS to suspend Medicare payments if credible fraud allegations & to prevent new
enrollments in higher-risk service areas
Provider Type
Risk
CMS Treatment
Hospitals, ASC, health centers, medical groups, clinics, physicians, publicly
traded providers/suppliers, skilled nursing facilities
Limited
Risk
Verify licenses and provider/supplier
specific regulatory requirements
O/P Rehab, currently enrolled DME/prosthetics/ortho/supplies providers,
currently enrolled home-health agencies & hospice organizations
Moderate
Risk
Limited + unscheduled or
unannounced site visits
Newly enrolled DME/prosthetics/ortho/supplies providers and home-health
agencies
High Risk
Moderate + criminal background
check & fingerprinting
 The When:
• Sept 2010: Proposed regs released (all 187 pages of it!)
• Sept – Nov 2010: Comment period
• March 2011: Implementation
* [Source: “Cracking Down”, Modern Healthcare – 9/27/10]
9
Now More Than Ever, Compliance & Internal Audit Must Have
the Fraud Triangle in Focus!!!
Incentives / Pressures
Rationalization
• Loss avoidance
• Job dissatisfaction
• Job
• Family priorities
• Money
• Health priorities
• Prestige
• “Everybody else”
syndrome
• Dissatisfaction with the
company
• Self-denial of
• Management & 3rd party
Opportunity
consequences to
company
• Insufficient internal controls
• “Survival” mode
• Temporary loans
• Community relationships
• External collaboration
• Loss of health coverage
• Management over-ride
• Internal collaboration
• Long term unemployment
• Corrupt business customs
pressures
If Economic Downturn is the “Perfect Storm” for Fraud and Waste,
will an Upturn be Even More Perfect?
10
So, Why Bother?
It makes good business sense!!
• Demonstrate you administer an effective Compliance Program
and Internal Audit Function by documenting an understanding of
how and where fraud might occur.
• Minimize revenue leakage, cut costs, and safeguard assets.
• Safeguard company and employee reputation.
• Avoid and/or reduce criminal, civil and regulatory penalties,
should misconduct occur.
• Help avoid/reduce government sanctions
• Increase IA relevance and add value!
Detected Losses
QUADRUPLE when
Anti-Fraud Controls are
Enhanced!
- pwc 2009 Global Economic
Crime Survey
11
Fraud Risk: Defined / Applied
Fraud: (defined)
- Any intentional*act
committed to secure
an unfair/unlawful gain
Federal Sentencing
Guidelines:
- Intent not required
“Apply the Fraud Lens
to Enterprise Risks”
Reputational Risk
• External and internal impression of the organization
Operational Risk
• Loss of earnings or inefficient business operations
Financial Risk
• Over statement of revenues, understatement of expenses
Reporting Risk
• Non disclosure or false disclosure
Compliance / Legal Risk
• Potential criminal, civil or regulatory liability
Strategic Risk
• Impact on new products, services, or strategic alliances
12
Fraud Risk:
Types and Categories
"Leakage” vs. “Liability” Fraud
GREEN Fraud = Leakage related
Revenue
Leakage
Financial
Reporting &
Disclosure
Manipulation
activities, that when prevented
or detected early, leads to
improved financial results
(“Risk Type = “Opportunity” )
Misappropriation
of Assets
Expenditure
Leakage
Unauthorized
Receivables /
Acquisition of
Assets
Unauthorized
Expenses /
Disposal of
Assets
RED Fraud
= Liability related activities, that if
not prevented, leads to government
sanctions, and damage to brand
value and reputation of individual
members of the Board and senior
management
(Risk Type = “Hazard”)
pwc Fall 2010 IART – Fraud Risk Assessment – 11/4/10
13
Fraud Risk Types:
“Leakage”
Expenditure Leakage
Illustrations:
Revenue
Leakage
Financial
Reporting &
Disclosure
Manipulation
• Orders from fictitious vendor
• Kickbacks in return for allowing
supplier to inflate price
Misappropriation
of Assets
Unauthorized
Receivables /
Acquisition of
Assets
• Advertiser charges for
advertising not delivered
• Vendors/contractors charge for
work not performed
Expenditure
Leakage
Unauthorized
Expenses /
Disposal of
Assets
• “Double dips” on p-card and
credit card
• Salesperson obtains
reimbursement for fictitious
travel expenses
pwc Fall 2010 IART – Fraud Risk Assessment – 11/4/10
14
Fraud Risk Type:
“Liability”
Unauthorized Expenses / Disposal of Assets
Revenue
Leakage
Financial
Reporting &
Disclosure
Manipulation
Illustrations:
• Payments to public officials for
permits or patents
• Payments to public officials for
Misappropriation
of Assets
Unauthorized
Receivables /
Acquisition of
Assets
patents
• Gifts to public officials to evade
taxes
• Payments to agents to facilitate
Expenditure
Leakage
Unauthorized
Expenses /
Disposal of
Assets
sales
• Illegal disposal of goods/waste
pwc Fall 2010 IART – Fraud Risk Assessment – 11/4/10
15
Fraud Risk Assessment
• A comprehensive fraud risk assessment (FRA) is critical to the
effectiveness of an organization’s overall antifraud programs and
controls.
• An FRA expands upon traditional risk assessment. It is scheme and
scenario based.
• The assessment considers the various ways that fraud and
misconduct can occur by and against the company.
• The execution of the assessment requires:
o Internal Audit to:
 “Think out of the box”!
 Get creative and get out into/work with the business!
o Management to:
 Be participative in the process
 Openly share schemes, scenarios, concerns, events
 Reinforces risk and the control ownership!
16
Fraud Risk Assessment:
A Five Component Process
Planning and
Obtaining Senior
Management
Support and
Sponsorship
Assess
Antifraud
Programs
and Controls
against PwC
Framework
Inventory of
High Impact
Scenarios &
Evaluate
Existing
Response
Update
Audit
Risk
Universe
Integrate
into
Audit
Plan
Practical Execution – Theory to Practice:
– Approach
– Challenges
– Benefits
– Lessons learned
pwc Fall 2010 IART – Fraud Risk Assessment – 11/4/10
17
Identifying Significant Fraud Risk Exposures:
Planning
Planning and
Obtaining Senior
Management
Support and
Sponsorship
Assess
Antifraud
Programs and
Controls
against PwC
Framework
Inventory of
High Impact
Scenarios &
Evaluate
Existing
Response
Update
Audit Risk
Universe
Integrate
into Audit
Plan
• Assemble team
Cedars-Sinai Plan:
• Consider scope and objectives
• Board and senior management support
 Overall antifraud program assessment
 Categories of fraud and depth within organization
 Controls evaluation
built into internal audit plan and
compliance work plan development and
approval processes.
• Combined Internal Audit and PwC
resources including PwC SMEs in key
areas.
 Risk response
 Use and sustainability
• Initial Internal Audit Team fraud risk
• Design process
discussion for full day.
 Format of deliverable (e.g., PwC template)
 Organize by business unit, function, geography or
combination
 Role and interviews of management
• Second phase, facilitated sessions with key
director-level groups.
• Roll results into annual planning processes
and individual project processes for
ongoing update.
 Sustainability
18
pwc Fall 2010 IART – Fraud Risk Assessment – 11/4/10
Identifying Significant Fraud Risk Exposures:
Gaining Senior Management Sponsorship
Planning and
Obtaining Senior
Management
Support and
Sponsorship
Assess
Antifraud
Programs and
Controls
Inventory of
High Impact
Scenarios &
Evaluate
Existing
Response
• Vitally important that senior management
embrace and sponsor the assessment
• Senior management ideally would communicate
to middle management the importance of the
initiative (drafted by IA or Compliance)
• Recommend an initial meeting with C-suite
Update
Audit Risk
Universe
Integrate
into Audit
Plan
Cedars-Sinai C-Suite Buy-In:
• Internal Audit Planning and Compliance
Work Plan processes involve the C-suite
for input on risk and project selection.
• Plans are approved by C-suite.
• Plans presented to Audit Committee for
review, input and approval.
representatives to:
 Explain business benefits of FRA process
 Obtain their perspective of high impact
monetary, compliance and financial reporting
fraud risks
• Plans presented to Board for review, input
and approval.
Formal meeting C-Suite meeting not held
relative to kick off.
 Seek input regarding making process
efficient and effective
pwc Fall 2010 IART – Fraud Risk Assessment – 11/4/10
19
Identifying Significant Fraud Risk Exposures:
Evaluating Antifraud Program & Controls
Planning and
Obtaining Senior
Management Support
and Sponsorship
Assess
Antifraud
Programs
and Controls
• Begin with high level assessment of
how organization manages fraud risk
(e.g., PwC Antifraud, Corruption and
Misconduct Assessment Tool)
 Self-Evaluation:
“Where are we as an
organization?”
• Conduct
validation
procedures
as needed
Inventory of
High Impact
Scenarios &
Evaluate
Existing
Response
Update
Audit Risk
Universe
Integrate
into Audit
Plan
Cedars-Sinai Assessment:
• Internal Audit Team Assessment
• PwC Tool
• Overall Assessment Results:
Corporate Fraud Policy
Coordinated Investigation Resources
Consistency in Criminal Prosecution
and Employee Discipline Decisions
High Level Fraud Risk & Individual Audit
Fraud Risk Considerations
pwc Fall 2010 IART – Fraud Risk Assessment – 11/4/10
20
Element
Criteria
Leading Practice
Control Environment
Management Accountability The organization should:
The organization:
(1) promote an organizational culture (1) demonstrates a strong "tone at the top"
that encourages ethical conduct and that flows up and down and across the
a commitment to compliance with organization,
the law, and
(2) views mitigating fraud, corruption and
(2) exercise due diligence to
misconduct as a core responsibility,
prevent and detect fraud, corruption, (3) has management participate actively in the
and other misconduct,
fraud, corruption and misconduct risk and controls
(3) implement effective programs and assessment,
controls intended to prevent, detect and (4) ensures that all suspected allegations of
respond to fraud, corruption and
misconduct are independently investigated, and
misconduct.
(5) takes appropriate, consistent remediation action
in instances of violations.
Operations, Finance and
Other "Front Line"
Personnel
Operations, finance and other "front line" Operations and finance personnel acknowledge
personnel should be equipped with the their responsibilities and are equipped with and
appropriate knowledge, skills and tools to apply knowledge, skills and tools to:
prevent, detect, and respond to fraud, (1) identify significant misconduct risks impacting
corruption and abuse.
their component of the organization,
(2) tailor control activities to mitigate the risk, and
(3) detect and report indications of misconduct.
Generally In Compliance
Sub-Standard
Description of Existing Policies and Procedures
The organization takes sufficient
actions with respect to prevention,
detection, investigation,
remediation, and monitoring of
fraud, corruption and misconduct.
Taken as a whole, the organization
fails to take sufficient action to prevent
and detect high impact fraud,
corruption and misconduct; and/or
management does not:
(1) view mitigating fraud, corruption
and misconduct as a core
responsibility,
(2) participate in the fraud, corruption
and misconduct risk and controls
assessment, or
(3) take appropriate, consistent
remediation action in instances of
violations.
(1) Describe the actions taken by the organization to
promote a culture that encourages ethical conduct.
- Corporate Compliance Function and Policies
- Code of Conduct
- New Manager Orientation training that includes
Corporate Compliance and Internal Audit
Presentations
- New Employee Orientation that includes review of
code of conduct and compliance plan.
- Hot line
- Media Response promoting acknoweldgement,
apology and corrective action as applicable.
- CEO who's mantra is "do the right thing"
Operations and finance personnel Operations and finance personnel
acknowledge responsibility for view other functions, e.g., legal,
compliance, internal audit, as
preventing, detecting and
responding to fraud, corruption and owning responsibility for
presenting and detecting fraud,
misconduct.
corruption and misconduct.
pwc Fall 2010 IART – Fraud Risk Assessment – 11/4/10
Discussion Points
(1) Describe the actions taken by the organization to
cultivate a culture that curbing fraud, corruption and
misconduct is every employee's responsibility.
(2) Describe actions to equip front line personnel with
necessary knowledge, skills and tools to identify, prevent,
detect and respond to fraud, corruption and misconduct.
21
Predicting the Unpredictable is Key!!
Think Like A Criminal
When Assessing the Risk of Fraud, Corruption & Abuse!
How would a
criminal manage
your XYZ
business unit?
What if a criminal
were hired as a
XYZ associate?
What would happen if
a criminal were a
XYZ vendor or
customer?
What if a trusted
employee begins
to think like a
criminal?
22
Identifying Significant Fraud Risk Exposures:
Create “Straw” Schemes List: “the What”
Planning and
Obtaining Senior
Management Support
and Sponsorship
Assess
Antifraud
Programs and
Controls
Inventory of
High Impact
Scenarios &
Evaluate
Existing
Response
• Create a list of inherent fraud risks
 Inventory of common and sector specific fraud and
abuse scenarios by selected process areas
 Past allegations, suspicions and investigations
 Industry research of frauds at other companies,
organizational vendors, customers, etc
 Brainstorming among business, compliance,
internal audit and fraud experts
 Operational, design and other deficiencies
identified during business reviews, compliance
monitoring activity and internal and external audits
Update
Audit Risk
Universe
Integrate
into Audit
Plan
Cedars-Sinai Inventory:
• Upcoding; Claims for Services not
Provided; A/R & Rate Manipulation /
Outliers
• Theft: Radiology Incident; Heparin
Incident; EMTALA
• Bribery: Siemens – 2008 global fraud
• Imaging Room; Chillers; Data
Manipulation; Vendor Relationships
• Look at potential impact of identified
control deficiencies; broken processes;
significant hand-off requirements, etc.
pwc Fall 2010 IART – Fraud Risk Assessment – 11/4/10
23
Identifying Significant Fraud Risk Exposures:
Create “Straw” Schemes List: “the How”
Planning and
Obtaining Senior
Management Support
and Sponsorship
Assess
Antifraud
Programs and
Controls
Inventory of
High Impact
Scenarios &
Evaluate
Existing
Response
• Determine Fraud Risk Classifications
 i.e. - Revenue, Expenditure, Reporting
• Take your fraud risks and think/discuss
HOW they could occur
Update
Audit Risk
Universe
Integrate
into Audit
Plan
CSHS: practical application and lessons
learned
• Fraud classifications: Revenue,
Expense or Reporting Impact
• Brainstorm scenarios by organizational
 Think SCHEMES and SCENARIOS!
 Get creative!
lines of authority and three impact
areas
• Director and Manager Level Focus
 Never mind controls!!
 Utilize group facilitation sessions!
 Create your master Gross Risk list
Group Discussions; decision of
with/without VP’s
• Angels and Demons!!
• Scribe
pwc Fall 2010 IART – Fraud Risk Assessment – 11/4/10
24
Identifying Significant Fraud Risk Exposures:
Narrow to Significant Residual Risks
Planning and
Obtaining Senior
Management Support
and Sponsorship
Assess
Antifraud
Programs and
Controls
Inventory of
High Impact
Scenarios &
Evaluate
Existing
Response
• Narrow list to capture high impact vulnerabilities
 Consider likelihood
Update
Audit Risk
Universe
Integrate
into Audit
Plan
CSHS: practical application and
lessons learned
• Two Hour facilitated Sessions
 Qualitative and quantitative impact, as well as, direct
and indirect consequences
 Establish thresholds (risk tolerance) to measure
impact on reputation, operations, financial, legal,
compliance, and strategic objectives
• Consider the design of existing controls
 Consider whether existing processes and controls
are able to withstand intentional misconduct
 Examine incentives pressures and opportunities to
collude, circumvent and override
Necessary for:
 Schemes
 Likelihood & Impact
 Controls
• Director/Manager but not both
• Scribe
• Focus on Schemes (how it’s done –
criminal perspective)
• Common beliefs / identified schemes
across sessions
pwc Fall 2010 IART – Fraud Risk Assessment – 11/4/10
25
Identifying Significant Fraud Schemes
Brainstorming Exercises!!
“Angels & Demons”
Select a Business Area: i.e.- Hospital Admissions
Demons : Identify Potential Fraud Schemes
Angels: Recommend & Evaluate
How it can
happen!
Why it
won’t!
Anti-fraud Controls
Schemes
Controls
pwc Fall 2010 IART – Fraud Risk Assessment – 11/4/10
Impact/
Likelihood
26
Identifying Significant Fraud Schemes
Brainstorming Exercises!!
“Angels & Demons”
Demons - Identify Potential Fraud Risks & Schemes
This is how I
would do it
son…
This is how
it can
happen!
pwc Fall 2010 IART – Fraud Risk Assessment – 11/4/10
27
Identifying Significant Fraud Schemes
Brainstorming Exercises!!
“Angels & Demons”
Angels
- Recommend & Explain Anti-fraud Controls
Sorry, partnerit ain’t gonna
happen…
If you did, I
would know
because…
pwc Fall 2010 IART – Fraud Risk Assessment – 11/4/10
28
Identifying Significant Fraud Risk Exposures:
Tailor to Business Units & Functions
Planning and
Obtaining Senior
Management Support
and Sponsorship
Assess
Antifraud
Programs and
Controls
Inventory of
High Impact
Scenarios &
Evaluate
Existing
Response
• Entity level of assessment = very limited business value
• Assessment needs to be conducted and tailored to
individual business units/functions, particularly in high risk
markets; focus on both internal and external risks
• Tailored assessments & group facilitation sessions
simultaneously reinforce that management “owns” risk
• Hold focus groups of management & staff to tailor
inventory
• Meet and validate results with business unit leaders
• Capture assessment for senior management and board
- Self Assessment; A&D Results (Gross & Residual
risk); discuss Risk Tolerance; plans to update
universe
pwc Fall 2010 IART – Fraud Risk Assessment – 11/4/10
Update
Audit Risk
Universe
Integrate
into Audit
Plan
CSHS: practical application
and lessons learned
• Provide fraud
background/concepts
• Business units – positive
response to facilitate
sessions and Angels and
Demons; engage audience
• Lot’s of Aha’s and Really?’s
in sessions
• Positive comments from
Senior Mgmt!
• Entity Level Assessment –
Proof remains to be seen.
29
Identifying Significant Fraud Risk Exposures:
Update Internal Audit Risk Universe
Planning and
Obtaining Senior
Management Support
and Sponsorship
Assess
Antifraud
Programs and
Controls
Inventory of
High Impact
Scenarios &
Evaluate
Existing
Response
• Based upon final listing of scenarios
update audit risk universe for key risk
factors and indicators
• Refine any pre-existing audit risks based
upon additional risk assessment
procedures
• Incorporate into annual update process
of audit and/or compliance risk universe
Update
Audit
Risk
Universe
Integrate
into Audit
Plan
CSHS: practical application and
lessons learned
• If not already categorized in your
risk universe, add category or
metadata for easy identification
• Refining can be time consuming
• Annual update development in
progress, to be completed through:
 Improved annual interviewing
 Individual Audit Capture
 Complete redevelopment of risk
model using TeamMate in progress
pwc Fall 2010 IART – Fraud Risk Assessment – 11/4/10
30
Identifying Significant Fraud Risk Exposures:
Integrate into Audit Plan
Planning and
Obtaining Senior
Management Support
and Sponsorship
Assess
Antifraud
Programs and
Controls
Inventory of
High Impact
Scenarios &
Evaluate
Existing
Response
• Evaluate whether any current year audits
should be updated based on new risk universe
• Determine appropriate way to keep fraud risk
assessment process evolving rather than
static
 As new investigations or industry trends
occur
 Automated controls are added into
Update
Audit Risk
Universe
Integrate
into Audit
Plan
CSHS: practical application and
lessons learned
• In addition to current year
updates, could identify new
priority audits
 Annual interviewing
 Individual audits
 Possible facilitate session
repeats
environment
 Integrate into individual audit
plans as well by already having
the risk scenarios to consider
pwc Fall 2010 IART – Fraud Risk Assessment – 11/4/10
31
Integrating Fraud Risk Into Individual Compliance and Audit
Engagements:
• Planning
• Execution (cont’d)
 Brainstorming among team and forensics
 Fraud risk factors & indicators
 Past incidents
 Analytics - - not just ACL
 Past audits and business reviews
 Interview, interview, interview!!
 Management inquiries
 Industry research
• Completion
 Tailor procedures
 Documentation is essential
 Identify planning and how audit
tailored
• Execution
 Design and operating effectiveness of
existing response
 Consider need for substantive testing
Close the Loop!
Use findings to strengthen controls,
develop & deliver
education/awareness to process
owners & mgmt!
pwc Fall 2010 IART – Fraud Risk Assessment – 11/4/10
32
Creating Value While Meeting Fraud Standards
Raising Auditor Fraud Proficiency
• Skills
• Knowledge
 Scheme components
 Critical thinking!
 Preventive & detective controls
 Scheme and scenario risk assessment
 Key risk factors & indicators
 Assessing how organization manages
risk
 Detection procedures
 Operations knowledge
 Devising fraud audit procedures
 Forensic investigation
 Interviews
Raising Management Awareness
 Use of electronic data tools
In addition to scheme discussions and
fraud risk identification, management is
also getting interactive awareness
training
 Working ‘with’ the business!
pwc Fall 2010 IART – Fraud Risk Assessment – 11/4/10
33
Creating Value While Meeting Fraud Standards
Antifraud Tools of a Highly Equipped
Compliance and/or Internal Audit Function
• Specialized fraud examiners on staff
• Antifraud training for staff
• Investigative training for staff
• Use of Computer Assisted Audit Techniques to promote fraud detection
• Focused fraud risk assessment with inclusion of functional management
and employees of all levels
• Direct and regular interaction with senior management and audit
committee
• Use of specific and targeted fraud audit techniques – SAS 99
• Can lead and/or support investigation and/or remediation efforts
pwc Fall 2010 IART – Fraud Risk Assessment – 11/4/10
34
Creating Value While Meeting Fraud Standards
Other Activities Compliance and/or IA Departments
are Taking to Deliver Value
• Equip front line to serve as an effective first line of defense; fraud
education!!
• Conduct a “good” fraud risk assessment pilot at a high risk entity to
develop a sustainable and repeatable process
• Expand FCPA and other compliance reviews to identify opportunities to
cut revenue leaks, cut costs and safeguard assets
• Form a “fraud council” comprised of key business and corporate
stakeholders
• Host a “perfect crime” dinner and/ or facilitate “angels v. demons”
exercise for management, internal audit and/or compliance
• Create on-line or live interactive learning modules tailored to specific
functions, e.g., procurement, sales, controllers
pwc Fall 2010 IART – Fraud Risk Assessment – 11/4/10
35
Creating Value While Meeting Fraud Standards
Perspectives From IA Industry Leaders*
“ I currently see a lot more management awareness of the possibility of fraud, which in
turn is causing a lot more people to come forward and ask Internal Auditing, ‘Is this
right?, Is this appropriate?’’
--Richard Schmidt, Vice President of Internal Audit, Del Monte Foods
“ Internal auditing is often the only proactive source of fraud detection that
management has. Auditors are out there looking for indicators of fraud during every
engagement they conduct; no one else in the organization plays this vital role.”
--Kim Hatley, Assistant VP of Internal Audit, Hospital Corporation of America (HCA)
“ It is management’s responsibility to institute, establish and monitor controls and
uncover fraudsters. Internal Auditing’s job is to encourage management to
undertake what is necessary and then provide assurance to the audit committee
that management is getting it right.”
--Douglas Anderson, former Corporate Auditor, The Dow Chemical Co.
* [Source: Internal Auditor magazine, October 2010]
IIA - San Gabriel Valley Chapter: 2010 Fraud Symposium, 11/1/10
36
Don’t be this guy!
Stamp out…
?
Mark P. Ruppert, CPA, CIA, CISA, CHFP, CHC
Director, Internal Audit
Conflict of Interest Administrator
Cedars-Sinai Health System
Los Angeles, California
323-866-6900 office
323-866-6901 fax
Mark.Ruppert@cshs.org
37