Organizational Risk Assessment and Fraud Overview

Presented By:
Scott P. Johnson, Partner
Rodrigo Macias, Senior Manager
March 11, 2015
Agenda
• Introductions and Overview
• Risk Assessment Process
• Fraud Overview
• Fraud Triangle and Red Flags
• Fraud Prevention/Investigation
• Case Studies
• Q&A Session
Risk Assessment Process
Risk Assessment – Internal Control
• What is an Internal Control?
“Internal control is a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to:
• Operations
• Reporting
• Compliance”
Source: COSO Internal Control Framework
Risk Assessment – Optimal Risk Taking
[Chart: Expected Enterprise Value plotted against Risk Level, showing Insufficient Risk-Taking, Optimal Risk-Taking (the “Sweet Spot”), and Excessive Risk-Taking]
Source: COSO Risk Assessment in Practice
Risk Assessment Overview
• What is a Risk Assessment?
– Understanding the risk associated with a process and the impact the risk would have on the organization from an operational, financial, and strategic perspective if the risk were realized
• Risk Assessment vs. Compliance Audits?
• Why do a Risk Assessment?
– Identify the “Sweet Spot”
– Internal Audit plan based on risk
– Limited personnel
– Assistance with prioritization
– Goes beyond compliance
– Eliminates redundancy
Risk Assessment Overview
• Types of Risk Assessment:
– Entity Wide
– Departmental
– Procedural
– Regulatory Specific
Risk Assessment Framework
[Flow diagram; elements in the order they appear]
• Audit Universe
• Business Risks (Inherent Risks) & COSO Control Risks
• Customized Checklists
• Develop Risk Ratings
• Perform Risk Assessment
• Definitions of Risk Ratings
• Assess Risk
• Internal Audit Plan Based on Risk
• Revisit Annually / Major Change
Risk Assessment Heat Map
[Table: for each Department/Process (Human Resources, Financial, Procurement, Public Reputation), an Inherent Risk Rating built from the risk categories Operational, Legal/Regulatory, Strategic, Technology/Systems, People/Culture and Fraud, beside a COSO Control Rating built from the five COSO components Control Environment, Risk Assessment, Control Activities, Information & Communication and Monitoring; cells carry letter ratings (L/M/H, S/W) and each row is summarized as a numeric score]
Fraud Overview
• Internal controls are only as good as the personnel performing the activities.
[Chart (Source: ACFE): share of personnel who would “Never” steal, “Would if they could”, are “Looking”, or are “Stealing”; segments shown as 1%, 25%, 25% and 49%]
Fraud Overview
• 2014 ACFE Report To The Nations
– Organizations lose approximately 5% of revenue due to fraud
• Asset Misappropriation – 85.4% of cases, with median loss of $130,000
• Corruption – 36.8% of cases, with median loss of $200,000
• Financial Statements – 9.0% of cases, with median loss of $1 million
– Fraud duration 18 months
– Men (66.8%) vs. Women (33.2%)
– 40% of cases were detected via Tip/Hotline
Fraud Triangle and Red Flags
[Diagram: the Fraud Triangle, with Pressure, Opportunity and Rationalization at its three corners]
Fraud Triangle and Red Flags
Pressure (Albrecht book)*
• Personal financial factors that may lead to fraud:
1. Financial difficulties (33%)
a. High personal debts or financial losses
b. Inadequate income
2. Living beyond one’s means (44%)
• Personal habits that may lead to fraud:
1. Extensive stock market or other types of speculation
(starting a new business)
2. Extensive gambling
3. Illicit affairs
4. Excessive use of alcohol or drugs (12%)
*Steve Albrecht, Fraud Examination
Fraud Triangle and Red Flags
Opportunity:
1. Amount of fraud would decrease if the opportunity did not exist
a. Reasons for increased fraud risk:
i. Crime requires a simple act
ii. Chances of being detected are very slim
iii. Punishment is very light
b. Mitigation factors:
i. What if security was tight?
ii. What if sound internal controls require an elaborate scheme?
iii. What if the likelihood of detection is high?
iv. What if punishment is severe?
Fraud Triangle and Red Flags
Opportunity (Continued):
2. Personally Created Opportunities:
a. Familiarity with operations (including cover-up capabilities)
b. Close association with suppliers, vendors, and other key people (22%)
c. Unwillingness to share duties (21%)
3. Organizational Characteristics:
a. Weak internal controls
b. Absence of periodic rotation in job duties
c. Constantly operating under a crisis environment
d. Little attention to details
e. Poor morale
4. Opportunity is the ONLY thing your organization can control!
Fraud Triangle and Red Flags
Rationalization:
1. How can you be proactive and know who will rationalize fraudulent behavior?
2. Embezzlers don’t fit the criminal stereotypes; they appear to be trustworthy, sincere, likeable, sociable, etc.
3. Personal emotions that may lead to fraud:
a. Strong community or social expectations to succeed (6%)
b. Perception of being treated unfairly by the organization (9%)
c. Resentment towards superiors
d. Frustration with job
e. Insatiable desire for self-enrichment or personal gain
f. Wheeler-dealer attitude (18%)
Fraud Prevention/Investigation
Prevention:
• Employee support programs – can help alleviate pressure
• Password controls
• Forensic analytics – critical in larger operations due to the large number of transactions. Decreases the chances of “eyeballing” a problem
• Fraudulent activity to look out for:
1. Fraudulent vendors usually show very high year-over-year growth
2. An employee using a company purchasing card for personal expenses often shows geometric growth in total purchases
3. An employee with a fraudulent overtime scheme shows high growth in hourly totals, sometimes to impossible levels
• Fraud Hotline (Not Frog Hotline?)
• Fraud awareness training: reminding people that fraud is real and could be happening. A co-worker living beyond means is a classic red flag. (Not a silver bullet, just another opportunity to raise suspicion.)
Fraud Prevention/Investigation
Prevention (continued):
• Check log – simple but effective
• Surprise audits
• Job rotation
• Mandatory vacation
• Background and credit check
• Physical safeguards
• Control the number of new vendors added and delete dormant vendors from the system
• Abnormal interactions with outside parties (errors, refunds, overpayments) can be reviewed by risk management or another independent person
• Complete the Association of Certified Fraud Examiners (ACFE) Fraud Prevention Check-up
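The forensic analytics slide names three growth patterns worth flagging (fast-growing vendors, geometric growth in purchasing-card spend, overtime rising to impossible levels), and the next slide adds deleting dormant vendors. The script below is an added example, not material from the presentation or from MGO; it runs those checks over a small constructed ledger. The thresholds (doubling year over year, a 1.4x month-over-month factor sustained for four months, an 84-hour week as the physical ceiling, 18 months of inactivity), the identifiers and all sample amounts are assumptions chosen for illustration, so a real engagement would tune them to the organization's data.

```python
"""Forensic analytics over a constructed transaction ledger.

Added example (not from the presentation). Flags the growth patterns named on
the slide and lists dormant vendors for vendor-master clean-up. Thresholds and
sample records are assumptions chosen to illustrate the checks.
"""
from collections import defaultdict
from datetime import date

# --- Constructed sample data (not real organizations or employees) -----------
VENDOR_PAYMENTS = [                      # (vendor, year, total paid that year)
    ("Acme Supply", 2012, 50_000), ("Acme Supply", 2013, 52_000),
    ("Acme Supply", 2014, 51_000),
    ("RC Consulting", 2012, 20_000), ("RC Consulting", 2013, 95_000),
    ("RC Consulting", 2014, 310_000),
]
PCARD_MONTHLY = {                        # cardholder -> monthly spend, oldest first
    "E100": [400, 420, 390, 410, 430, 400],
    "E200": [300, 480, 760, 1200, 1900, 3100],
}
OVERTIME_WEEKLY = {                      # employee -> total hours per week, oldest first
    "E300": [42, 45, 44, 43, 46, 44],
    "E400": [45, 55, 68, 80, 95, 130],
}
VENDOR_MASTER = {                        # vendor -> date of last payment or record change
    "Acme Supply": date(2015, 2, 20),
    "RC Consulting": date(2015, 1, 5),
    "Old Paper Co": date(2012, 7, 1),
}
AS_OF = date(2015, 3, 11)                # review date used for the dormancy check


def vendor_growth_flags(payments, threshold=1.0):
    """Vendors whose spend grows by more than `threshold` (1.0 = +100%) in
    every year-over-year step. Returns {vendor: [(year, growth), ...]}."""
    by_vendor = defaultdict(lambda: defaultdict(float))
    for vendor, year, amount in payments:
        by_vendor[vendor][year] += amount
    flagged = {}
    for vendor, totals in by_vendor.items():
        years = sorted(totals)
        steps = [(cur, totals[cur] / totals[prev] - 1.0)
                 for prev, cur in zip(years, years[1:]) if totals[prev] > 0]
        if steps and all(growth > threshold for _, growth in steps):
            flagged[vendor] = steps
    return flagged


def geometric_growth_flags(monthly, factor=1.4, min_run=4):
    """Cardholders whose month-over-month spend multiplies by at least
    `factor` for `min_run` consecutive months. Returns {id: longest run}."""
    flagged = {}
    for holder, totals in monthly.items():
        run = longest = 0
        for prev, cur in zip(totals, totals[1:]):
            run = run + 1 if prev > 0 and cur / prev >= factor else 0
            longest = max(longest, run)
        if longest >= min_run:
            flagged[holder] = longest
    return flagged


def overtime_flags(weekly, max_plausible=84.0, growth_threshold=0.5):
    """Employees with any week above a physically plausible ceiling (84h,
    i.e. 12h x 7 days, an assumption) or whose hours rose by more than
    `growth_threshold` from the first week to the last. Returns {id: [reasons]}."""
    flagged = {}
    for emp, hours in weekly.items():
        reasons = []
        impossible = [h for h in hours if h > max_plausible]
        if impossible:
            reasons.append(f"{len(impossible)} week(s) above {max_plausible:g}h")
        if hours and hours[0] > 0 and hours[-1] / hours[0] - 1.0 > growth_threshold:
            reasons.append(f"hours grew from {hours[0]} to {hours[-1]} over the period")
        if reasons:
            flagged[emp] = reasons
    return flagged


def dormant_vendors(master, as_of, max_idle_days=548):
    """Vendors with no activity for more than `max_idle_days` (about 18 months,
    an assumption) as of `as_of`; candidates for deletion from the system."""
    return sorted(v for v, last in master.items() if (as_of - last).days > max_idle_days)


if __name__ == "__main__":
    print("Vendor growth:", vendor_growth_flags(VENDOR_PAYMENTS))
    print("P-card geometric growth:", geometric_growth_flags(PCARD_MONTHLY))
    print("Overtime:", overtime_flags(OVERTIME_WEEKLY))
    print("Dormant vendors:", dormant_vendors(VENDOR_MASTER, AS_OF))
```

Each function returns the flagged records with the reason attached, so the output can feed a review queue rather than a pass/fail verdict; the point of analytics at this stage is to shortlist what an independent person should look at, not to conclude that fraud occurred.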
Fraud Prevention/Investigation
Investigation:
• Inform the audit committee, board, etc.
• Contact legal counsel
• Engage an independent fraud expert
• Stop the bleeding, i.e. eliminate access
• Secure computers, relevant accounting information, and other documents
• Documentary evidence should typically be reviewed before interviews are conducted
Case Studies
• ING
• City of Dixon, IL
• City of Pasadena, CA
Case Studies
ING
Who?:
Nathan J. Mueller, Accounting Manager
When?:
From June 2003 – August 2007
Amount?: $8.5 Million
Case Studies
City of Dixon, IL
Who?:
Rita Crundwell, Comptroller/Treasurer
When?:
From 1988 - 2012
Amount?: $54 Million
Case Studies
City of Pasadena
Who?:
Danny R. Wooten
When?:
From August 2003 – March 2014
Amount?: $6.4 Million
Questions?
Scott P. Johnson, Partner
2121 N California Blvd. Ste. 750
Walnut Creek, CA 94596
P: 925-395-2818
E: sjohnson@mgocpa.com
Kevin Starkey, Partner
225 Broadway, Suite 1750
San Diego, California 92101
P: 619-618-7211
E: kstarkey@mgocpa.com
Rodrigo Macias, Senior Manager
12264 El Camino Real, Suite 402
San Diego, CA 92130
P: 858-792-2210
E: rmacias@mgocpa.com