Fraud Risk Assessments

Fraud Risk Program
Draft Copy
Mission Statement
• To formally document the risks of fraud and policy
abuse to demonstrate due diligence around fraud
prevention and to formalize mitigation strategies
with better alignment of proactive fraud
prevention and early detection efforts with
Internal Audit activities.
What is a Fraud Risk Assessment?
• Fraud and reputation risk assessments focus on fraud
schemes and scenarios.
• Purpose is to identify and document risks and controls for
various scenarios & schemes that can affect the company
and its shareholders by:
– Significantly impacting the organization's reputation
– Exposing the company to criminal or civil liability
– Creating a financial reporting irregularity
• Ensure compliance with corporate governance
requirements.
Information taken from PWC Article “Deeper & Broader: Performing Fraud & Reputation Risk Assessments”
Risk Assessment Benchmarking

Company: Kmart
Summary: Multidisciplinary steering team created to assess the fraud risk across Kmart and to develop a program that would minimize the risk of overlooking fraud during the audit planning stage. Outputs were:
(1) Documentation of significant fraud related risks, mapped to SOX controls.
(2) Creation of a Fraud Risk Map that provides graphical representation of where fraud falls in significance and likelihood.
Positives:
(1) Buy in and involvement of multiple parts of the organization to identify frauds that have occurred or have yet to occur.
Negatives:
(1) Does not take regional or international risks into consideration. Kmart stores are only in US, Puerto Rico & Virgin Islands.
(2) Appears to be solely an attempt to document the types of frauds and identifying those that need preventative controls.
(3) Involvement from different areas of the company requires significant investments in time.
Microsoft Learnings:
(1) Documentation of past case history and unknown frauds drives the formulation of a risk assessment. (Risk Assessment Phase)
(2) Mapping of documented risks to SOX controls. (Control Documentation Phase)
(3) Creation of a Fraud Risk Map. (Control Documentation Phase)

Company: 7-11
Summary: Risk Assessment that identified scenarios, assesses likelihood and impact. Outputs were:
(1) Development of a matrix that identifies high level scenarios.
(2) Assessment of Likelihood and Impact using Low, Medium, High and Very High.
(3) Brief description of Antifraud elements for each scenario.
(4) Identified Gaps and remediation steps where necessary.
Positives:
(1) Easy to read matrix that shows schemes with easy to understand Likelihood and Risk terminology.
Negatives:
(1) Very high level, schemes are summarized to a high degree.
(2) Appears to be solely an attempt to document the types of frauds and identifying those that need preventative controls.
(3) Does not show any type of further integration of risks.
Microsoft Learnings:
(1) Documentation of past case history and unknown frauds drives the formulation of a risk assessment. (Risk Assessment Phase)

Company: Reynolds American
Summary: Internal Audit driven risk assessment project that leveraged management expertise to ensure assessment was comprehensive. Outputs were:
(1) Development of a fraud audit program to provide a structured approach to fraud in every audit to ensure consideration of fraud risks in each audit and to identify potential fraud schemes and mitigating controls.
(2) Development of separate fraud control matrices from the existing SOX matrices.
(3) Use of information developed to promote early fraud detection.
Positives:
(1) Engagement with Internal Audit to discuss fraud risks for each audit.
(2) Detailed audit approach for each identified risk.
(3) Integration of fraud testing into SOX 404 testing.
Negatives:
(1) Significant time with management of processes needed for documentation, assessment and testing of fraud controls.
(2) Does not take regional or international risks into consideration.
Microsoft Learnings:
(1) Requirement for audits to use the fraud risk assessment questionnaire when meeting with subsidiary management.

Company: Fonterra
Summary: Global Assurance driven process that creates a fraud survey for distribution to management to mitigate fraud risk. Involvement of business unit management to assess the current operating environment and gaps in antifraud control as part of their responsibility to maintain strong controls and promote an antifraud culture. Outputs were:
(1) Fraud Survey outputs were put into a Business Unit Risk Map that rolls to an Enterprise wide Risk Map.
(2) Creation of an Annual Fraud Review - fraud susceptible areas are integrated in the Annual Fraud Review paper after management comment and feedback.
(3) Management Assessment and Remediation - management identifies areas that are currently under remediation and relocates on the fraud risk map.
(4) IA gets involved for further audit or engagement with those non-compliant or high fraud risk entities.
Positives:
(1) Fraud Survey gets input from the team that is working in each business unit.
(2) High Management participation in fraud surveys.
(3) Integration with existing audit risk assessments.
(4) Coordination of management and Internal Audit.
Negatives:
(1) Time consuming
(2) Requires recurring buy-in and action from management team to view the survey as a priority.
Microsoft Learnings:
(1) Creation of a Microsoft Fraud Survey that develops an understanding of where Fraud Risk lies and to develop a better understanding of the regions/accounts that may need further attention. (Survey Phase)
(2) Annual FIU fraud review meeting to discuss trends in fraudulent activity, regions and schemes. (Fraud Experience Benchmarking Phase)
IA/FIU Fraud Risk Program
• IA/FIU process takes the benefits of a standard
fraud risk assessment and raises it to a new level
with tight integration into a program of fraud
prevention and early detection.
• Documents the audit risk of how the company
determines risk and audit priority.
• Coordinates an assessment of the perceived risk
by the “people in the trenches.”
• Integrates perceived risk to the IA function within
an embedded process.
IA/FIU Phased Process
• Risk Assessment Phase – Now into May FY05
– FIU - Develop an understanding of the external regulations/industry guidelines that exist on fraud prevention and detection. (DONE)
– FIU - Benchmark Fraud Risk Assessment procedures at other companies to the company process. (DONE)
– FIU - Formal documentation and Identification of the types of risks that have been incurred and yet to occur at the company. (DONE)
– Specialization leaders - Assessment of the likelihood and significance of a fraud occurring in their area. (To occur in May)
• Control Documentation Phase – Late Q1 FY06
– Specialization leaders - Detail control alignment to the scenario types.
– Specialization leaders - Mapping of each unit’s risks to a risk map, with each quadrant having defined risk actions.
• Survey Phase – Q1 and Q3 FY06
– FIU - Assessment of the risk that is perceived by the Sr. Management team throughout the world. This will give good benchmarking to our internal expectations and cases received.
• Fraud Experience Benchmarking Phase – H1 FY06
– FIU - Additional detailed benchmarking with other corporations to facilitate the sharing of best practices in identifying and mitigating fraud risks.
• Evaluation Phase – Q4 FY06
– FIU & IA - Re-visit the initial assessment of risk and coordinate the perceived risk of Management to IA risk and learned best practices to the IA function.
Risk Assessment Phase
A. Organize the Assessment
– Separate Cycle performed by IA/FIU on assessing the Fraud Risk at the company.
B. Determine Units & Locations to Assess
– Units determined by specialization lead, with regional breakdown for SMSG.
C. Identify Potential Fraud & Misconduct Schemes & Scenarios
– FIU to prepare a “master fraud list” of known and potential fraud schemes involving company and break down to the specialization areas as defined in step B.
– FIU to compare Transparency International listing of Corruption Perceptions Index to the company revenue and headcount.
– FIU to compare recent well known corporate scandals to determine the viability of that specific fraud occurring at the company.
– Specialization leaders to focus on areas of fraud labelled as “A” or “B” risk. FIU preventative presentations and targeted efforts for company-wide “C” risk mitigation.
D. Assess Likelihood of Fraud
– Specialization leaders to assess the likelihood of the frauds on the “master fraud list” occurring based on a sliding scale:
  – 1 - Remote (<5% chance of occurrence)
  – 2 - Possible (5-50% chance of occurrence)
  – 3 - Somewhat likely (51-75% chance of occurrence)
  – 4 - Probable (>75% chance of occurrence)
E. Assess Significance of Risk
– Specialization leaders to assess the likelihood of the frauds on the “master fraud list” occurring based on a sliding scale (differs for each fraud type):
  – 1 - Negligible
  – 2 - Serious
  – 3 - Significant
  – 4 - Material
F. Mapping of Identified Risks to a quadrant view to show the likelihood and significance.
* Derived from PWC study on creating a Fraud Risk Assessment
Risk Assessment Phase – Schemes (Preliminary)
[Figure: ACFE Fraud Categorization. Fraud schemes are grouped under Financial Statements, Asset Misappropriation and Corruption, and each scheme is assigned assessment level A, B or C.]
Schemes shown: Revenue Recognition, Antitrust, Journal Entries, Liability Reporting, Conflict of Interest, Channel Stuffing, Reserves, Identity Theft, Treasury, Purchase Orders, Fictitious Employee, Pre-payments, T&E, Gift Cards, Disclosures, Vendors, Insider Trading, FCPA/Bribery, Petty Cash, Income Taxes, Side Letters, Benefits, Kickbacks, Former Employee, Time & Attendance.
Considerations in Assessing Fraud Risk
• Specialization leaders to focus on “A” and “B”
identified schemes.
• Risk to be assessed is the inherent risk:
– Think of the risk of this fraud occurring should minimal controls
be in place.
• Consider the account balances:
– Treasury risk is rated as an “A” level risk, due to the large amount
of cash on hand. Other misappropriation of assets are “C” level
risks due to smaller potential impact on the organization.
• Consider non-financial risks:
– In fraud, reputation risks may be as significant, or more
significant than financial loss. Please consider all risks that are
attributable to the area being assessed.
Risk Assessment Phase - Schemes
Columns: #, Category, Classification, Assessment Level, Scenario Type, Scenario Example, Potential Warning Signs, Likelihood, Significance, Risk Quadrant, Preventative Controls, IA Notes, FIU Notes
Likelihood, Significance and Risk Quadrant (every row): Please Assign Likelihood & Significance

11  Category: Corruption. Classification: Conflict of Interest. Assessment Level: B.
    Scenario Type: Employee has an undisclosed interest in another company that is being employed for work at the company.
    Scenario Example: Employee's spouse owns a consulting company and is used by the employee without proper disclosure or mitigation plan.
    Potential Warning Signs: Consistent use of a vendor without a process for analyzing bid and work quality. Vendor pricing higher than others in similar fields.

12  Category: Corruption. Classification: Kickbacks. Assessment Level: B.
    Scenario Type: Employee receives a kickback from a vendor for directing work to that vendor.
    Scenario Example: the company pays vendor for work at a premium price and the company employee/vendor receives portion of the payment back in cash or other goods/services.
    Potential Warning Signs: Consistent use of a vendor without a process for analyzing bid and work quality. Vendor pricing higher than others in similar fields. Resistance to review other competing companies.

13  Category: Corruption. Classification: Identity Theft. Assessment Level: B.
    Scenario Type: Employee has committed identity theft and is not the individual they represent to be.
    Scenario Example: Employee falsifies resume or application using another individual's name and/or work/education history.
    Potential Warning Signs: No SS# on file with corp, discrepancies between resumes submitted to recruiting.

14  Category: Corruption. Classification: Antitrust. Assessment Level: A.
    Scenario Type: the company not following antitrust legislation requirements.
    Scenario Example: the company not following antitrust legislation requirements.

15  Category: Corruption. Classification: FCPA/Bribery. Assessment Level: A.
    Scenario Type: Bribery performed by the company that violates the Foreign Corrupt Practices Act.
    Scenario Example: the company Employee bribes an employee or representative of a government entity.

16  Category: Financial Statements. Classification: Insider Trading. Assessment Level: A.
    Scenario Type: Insider Trading
    Scenario Example: the company Employees utilizing insider information to influence stock decisions.

17  Category: Financial Statements. Classification: Revenue Recognition. Assessment Level: A.
    Scenario Type: Adjustment of revenue data in the company Sales.
    Scenario Example: Unauthorized adjustment of data from 3rd party to change the amount of reported revenue.
    Potential Warning Signs: Increased retailer rebates, unexplainable differences between other the company groups of similar size or product.

18  Category: Financial Statements. Classification: Journal Entries. Assessment Level: A.
    Scenario Type: Inappropriate journal entry is made to manipulate accounting system.
    Scenario Example: Unauthorized journal entry moves expenses to the balance sheet.
    Potential Warning Signs: Unapproved JE's, lack of BS reconciliation process.

19  Category: Financial Statements. Classification: Liability Reporting. Assessment Level: A.
    Scenario Type: Under-reporting of liabilities on the financial statements.
    Scenario Example: Movement of liabilities to off-balance sheet affiliates.
    Potential Warning Signs: Significant change in liabilities without corresponding outflows on the cash flow statement.

20  Category: Financial Statements. Classification: Revenue Recognition. Assessment Level: A.
    Scenario Type: Timing of Revenue
    Scenario Example: Employee changes terms of contract to change the timing of revenue being recognized.
    Potential Warning Signs: Significant unexplained change in timings of revenue recognition, contracts that appear to have non-standard terms.

21  Category: Financial Statements. Classification: Channel Stuffing. Assessment Level: A.
    Scenario Type: the company stuffs channel with product to inflate reported revenue.
    Scenario Example: Employee authorizes significant additional product to market, stuffing channel.
    Potential Warning Signs: Spikes in sell in vs. sell through reporting

22  Category: Financial Statements. Classification: Reserves. Assessment Level: A.
    Scenario Type: Estimates and reserves are used to manage earnings or misstate financial results.
    Scenario Example: the company uses accounting estimates or reserves to manage earnings.
    Potential Warning Signs: Significant changes in reserves balances or methodology.

23  Category: Financial Statements. Classification: FS Disclosures. Assessment Level: A.
    Scenario Type: Inaccurate or misleading financial statement disclosures.
    Scenario Example: the company not providing full disclosure or misleading info within the footnotes.

24  Category: Financial Statements. Classification: Income Taxes. Assessment Level: A.
    Scenario Type: Income Tax evasion by under-reporting earnings or making unlawful deductions.
    Scenario Example: the company incorrectly classifies or under-reports income for tax purposes, or takes unlawful tax deductions.

25  Category: Financial Statements. Classification: Side Letters. Assessment Level: A.
    Scenario Type: Unauthorized side letter offers concessions that may affect revenue recognition.
    Scenario Example: Employee sets agreement on non-standard contract terms authorizing concessions or services that affect revenue recognition.

26  Category: Financial Statements. Classification: Revenue Recognition. Assessment Level: A.
    Scenario Type: Incorrect license volumes being reported resulting in understated or overstated revenue.

27  Category: Asset Misappropriation. Classification: Treasury. Assessment Level: A.
    Scenario Type: Theft or use of treasury funds in an unauthorized manner.
    Scenario Example: Employee directs treasury funds to an unapproved investment or directs funds to a personal account.

Definitions
A  Significant Adverse Impact upon the Enterprise
B  Prevent/Detect at Source
C  Manage through company-wide FIU fraud prevention & detection program

Additional Considerations for FIU:
1  Is fraud being considered by M&A during acquisitions?
2  Is there a double standard for high level vs. lower level employees, if so, why?
3  Current inconsistency in disciplinary actions for similar offenses, not always based on level of employee.
Risk Quadrants & Actions
[Figure: 2 x 2 risk map. Vertical axis: Significance (1 to 4). Horizontal axis: Likelihood (1 to 4).]
Top row: Quadrant 3 – Detect & Monitor; Quadrant 4 – Prevent at Source
Bottom row: Quadrant 1 – Low Control; Quadrant 2 – Monitor
Callout: Focus Audit Programs and Control documentation for risks in these areas.
Risk Assessment Phase - Likelihood & Significance
Likelihood (same scale listed for Asset Misappropriation, Corruption and Financial Statements):
Remote: <5% Chance of Occurrence
Possible: 6%-50% Chance of Occurrence
Somewhat Likely: 51%-74% Chance of Occurrence
Probable: >75% Chance of Occurrence
Significance:
Negligible: <$100M
Serious: $100M-$300M
Significant: $301M-$500M
Material: >$500M
FIU to develop significance levels
Risk Assessment Phase – International
25 Least Corrupt Countries

Rank  Country          2004 CPI Score  FY05 Revenue FC (000's)  FY05 Approved FTE HC
1     Finland          9.7             187,645                  141
2     New Zealand      9.6             114,605                  115
3     Denmark          9.5             282,562                  871
3     Iceland          9.5             11,241                   7
5     Singapore        9.3             100,497                  645
6     Sweden           9.2             353,761                  402
7     Switzerland      9.1             336,979                  514
8     Norway           8.9             195,773                  167
9     Australia        8.8             644,276                  712
10    Netherlands      8.7             572,581                  458
11    United Kingdom   8.6             2,083,437                2,335
12    Canada           8.5             860,866                  775
13    Austria          8.4             207,778                  179
13    Luxembourg       8.4             11,477                   5
15    Germany          8.2             2,096,960                1,739
16    Hong Kong        8.0             101,131                  199
17    Belgium          7.5             231,632                  257
17    Ireland          7.5             120,412                  1,064
17    USA              7.5             18,058,433               43,388
20    Chile*           7.4             30,378                   63
21    Barbados+        7.3             0                        0
22    France           7.1             1,060,348                1,290
22    Spain            7.1             393,001                  527
24    Japan            6.9             3,880,728                2,090
25    Malta+           6.8             0                        0

+ No Office
IA/FIU Ranking column (values in extracted order, not matched to rows): 1, 1, 2, 1, 2, 1, 1, 1, 2, 1, 3, 2, 1, 1, 2, 1, 1, 2, 3, 2
Comments column: (blank)

IA/FIU Ranking  Definition                     To change
1               No known issues                2
2               Issues known, sporadic         2
3               Consistent issues, high risk   3

Benefits:
• Provide SMSG Specialization Leader with aggregate of Regional Risk
• Worldwide analysis of how HC and $$ allocation compares to known corruption indexes
• Provide visibility to countries or regions that may need education on fraud risks
* Information taken from 2004 Transparency International Corruption Index
Risk Assessment Phase – International
25 Most Corrupt Countries

Rank  Country                      2004 CPI Score  FY05 Revenue FC (000's)  FY05 Approved FTE HC  IA/FIU Ranking
122   Bolivia*                     2.2             3,375                    7                     1
122   Guatemala+                   2.2             0                        12                    1
122   Kazakhstan                   2.2             12,478                   13                    1
122   Kyrgyzstan+                  2.2             0                        0                     1
122   Niger+                       2.2             0                        0                     1
122   Sudan+                       2.2             0                        0                     1
122   Ukraine                      2.2             42,550                   21                    1
129   Cameroon+                    2.1             0                        0                     1
129   Iraq+                        2.1             0                        0                     1
129   Kenya                        2.1             15,434                   11                    1
129   Pakistan                     2.1             11,331                   7                     1
133   Angola+                      2.0             0                        0                     1
133   Congo, Democratic Republic+  2.0             0                        0                     1
133   Cote d'Ivoire                2.0             12,334                   10                    1
133   Georgia+                     2.0             0                        0                     1
133   Indonesia                    2.0             42,374                   74                    1
133   Tajikistan+                  2.0             0                        0                     1
133   Turkmenistan+                2.0             0                        0                     1
140   Azerbaijan+                  1.9             0                        0                     1
140   Paraguay*                    1.9             482                      1                     1
142   Chad+                        1.7             0                        0                     1
142   Myanmar+                     1.7             0                        0                     1
144   Nigeria                      1.6             17,324                   13                    1
145   Bangladesh                   1.5             1,300                    3                     1
145   Haiti+                       1.5             0                        0                     1

+ No Office
Comments column: (blank)

IA/FIU Ranking  Definition                     To change
1               No known issues
2               Issues known, sporadic
3               Consistent issues, high risk

* Information taken from 2004 Transparency International Corruption Index
Risk Assessment Phase - Corporate Fraud Scandals

Company: Adelphia
Fraud (or Alleged Fraud) Descriptions:
(1) Fraudulently excluded billions of dollars in liabilities from its consolidated financial statements by hiding them on the books of off-balance sheet affiliates.
(2) Falsified operations statistics and inflated earnings to meet Wall Street's expectations.
(3) Concealed rampant self-dealing by the Rigas Family, including the undisclosed use of corporate funds for Rigas Family stock purchases and the acquisition of luxury condominiums in New York and elsewhere.
How could this happen? Very tight familial ownership of the company with few outsiders allowed into the inner circle.
Scenario assessed by: (1) 18-Journal Entries (2) 19-Liability Reporting (3) 23-Financial Statement Disclosures
Amount of Fraud: $2.4B ($2.3B of liabilities hidden and ~$100M of self dealing)
Carried out by: Founders family and 2 Sr. Executives

Company: Enron
Fraud (or Alleged Fraud) Descriptions:
(1) Setup a system of shell companies to hide liabilities, insure stock holdings and sell money losing assets.
(2) Booked revenue from power swaps with other energy traders.
(3) Booked loans as cash from operations.
(4) Booked revenue for long term contracts before revenue was able to be recognized under GAAP.
(5) Manipulation of electricity markets and pricing.
How could this happen? Explosive growth, extremely high pressure to exceed targets, non-independent Board of Directors, significant bonuses paid for meeting targets to Sr. Management.
Scenario assessed by: (1) 19-Liability Reporting (2) 20-Revenue Recognition
Carried out by: CEO, CFO and top level executives

Company: Worldcom
Fraud (or Alleged Fraud) Descriptions:
(1) Reduced liability reserve accounts and counted as revenue.
(2) Classified operating costs as long term investments in order to capitalize and reduce P&L impacts.
How could this happen? High pressure to hit targets, significant loans to CEO making stock price exceedingly important to the CEO, CFO putting extreme pressure on finance to please Wall Street.
Scenario assessed by: (1) 22-Reserves (2) 18-Journal Entries
Amount of Fraud: $11B
Carried out by: CEO, CFO and top level executives

Company: Tyco
Fraud (or Alleged Fraud) Descriptions:
(1) CEO & CFO authorized themselves interest-free or low interest loans for personal purchases of property, jewelry, and other frivolities. According to the SEC, these loans were never approved or repaid.
(2) CEO & CFO were accused of issuing bonuses to themselves and other employees without approval of Tyco’s board of directors. It was alleged that these bonuses acted as loan forgiveness for employees who had borrowed company money or were used to buy the silence of those who suspected the former CEO and CFO of fraud.
How could this happen? Company was tightly controlled by the CEO and the Board of Directors was not seen as a group that could question his authority.
Scenario assessed by: (3) 23-Financial Statement Disclosures
Amount of Fraud: $600M
Carried out by: CEO, CFO, General Counsel

Reasons Unlikely
1. Founders are involved in the day to day business decisions and are near the top of the world's richest people, there would be no financial need to carry out these levels of fraud.
2. Board of Directors is independent other than 2 individuals and is made up of skilled members of the business community.
3. Accounting firm is independent.
4. Strong emphasis on compliance through the creation of the Office of Legal Compliance.
5. Standards of Business Conduct.
6. Strong Internal Audit function with integrated FIU.
7. Strong and Independent Audit Committee.
Control Documentation Phase
• Specialization Leaders to take scenarios matrix for their areas and map each risk to specific SOX controls.
• Late Q1 timeframe for rollout – ensure that it doesn’t affect 404 deliverables.

Columns: Category, #, Scenario Type, Likelihood, Significance, Quadrant, Q1 - Preventative and/or Detective Controls, IA Notes, FIU Notes
Likelihood, Significance and Quadrant (every row): Please Assign Likelihood & Significance

Corruption
1 Employee has an undisclosed interest in another company that is being employed for work at the company.
2 Employee receives a kickback from a vendor for directing work to that vendor.
3 Employee has committed identity theft and is not the individual they represent to be.
4 the company not following antitrust legislation requirements.
5 Bribery performed by the company that violates the Foreign Corrupt Practices Act.

Financial Statements
6 Insider Trading
7 Adjustment of revenue data in the company Sales.
8 Inappropriate journal entry is made to manipulate accounting system.
9 Under-reporting of liabilities on the financial statements.
10 Timing of Revenue
11 the company stuffs channel with product to inflate reported revenue.
12 Estimates and reserves are used to manage earnings or misstate financial results.
13 Inaccurate or misleading financial statement disclosures.
14 Income Tax evasion by under-reporting earnings or making unlawful deductions.
15 Unauthorized side letter offers concessions that may affect revenue recognition.
16 Incorrect license volumes being reported resulting in understated or overstated revenue.

Assets
17 Theft or use of treasury funds/IP/other assets in an unauthorized manner. (Think of the 10 areas in the FIU section below and how they apply to your area.)

FIU
To be addressed via company-wide FIU fraud awareness presentations and FIU preventative efforts.
18 Purchase Order creation after commencement of work.
19 Vendor fraudulently over-charging or double charging for services or goods.
20 the company pre-paying vendor for work to be completed.
21 Unauthorized use of gift cards for personal gain.
22 Individual continues to use the company resources after leaving the company.
23 Petty cash theft.
24 Travel & Entertainment or ProCard expenditures are falsified.
25 Employees not reporting sick or leave time.
26 Employees not reporting partner as eligible for benefits at their place of employment.
27 Payment of payroll to fictitious or former employees.
Fraud Experience Benchmarking Phase
• Benchmark fraud prevention and detection within
the company against other companies to better
understand the trends in fraud and to build a
fraud resource network within the business
community.
• Use of the Corporate Executive Board to facilitate
a Fraud Summit that includes the other
companies that have been heavily involved in
fraud prevention and detection.
• FIU annual meeting for discussing fraud trends in
a formal setting.
Survey Phase
• Creation of a fraud survey that would be circulated to large audience worldwide, in order to better identify trends and to get a better idea of the frauds that are not being reported to the FIU. Ideas for those to be included are:
– Vice Presidents (US)
– General Managers (Regional)
– Country Managers (In Country)
– Controllers (all)
– Compliance Managers
– CFO’s (BG)
– LCA (Subsidiary)
– HR (Subsidiary)
• FIU to aggregate the data to see what the perceived risk by those in the field is, and where unknown risk may lie.
• 2 surveys – 1st would not be anonymous, 2nd would be 6 months later and be anonymous. Comparison of results would provide validation of responses.
• FIU to determine what vehicle is best for surveys – integrate with other surveys and ensure consistency with 302?
Evaluation Phase
• Taking knowledge learned from previous phases,
the FIU will work with IA to:
– Use survey feedback to identify regions or countries
that may have significant risk that has been unreported to the FIU.
– Create a documented benchmark of how the FIU
compares to similar investigative groups across the
industry.
– Develop a systematic plan for integrating fraud
detection into the audit plan.