Post on 07-Apr-2018
8/4/2019 IIA Presentation - Memphis
http://slidepdf.com/reader/full/iia-presentation-memphis 1/178
David D Varner & Company
"Conducting A Fraud Risk Assessment & Implementing A Detection Methodology Using ACL"
Institute Of Internal Auditors
Memphis Chapter
12/05/08

Topics We'll Explore…
Fraud Risk & Organizational Relationships
Data Compilation & Analysis Techniques
Implementing & Optimizing ACL for Fraud Detection
Fraud Detection Methodologies
Whistle Blower Programs
Fraud Examination & Event Response Techniques
Interviewing & Interrogation Techniques
Management Communications
Do's & Don'ts

Workshop Objectives…
understand the key components of a fraud risk assessment
evaluate and define fraud risk elements by business unit and business process
develop a fraud risk scoring and weighting methodology
develop effective surveys and questionnaires and execute effective interviews
create an efficient data compilation and analysis process
write a persuasive fraud risk assessment report
understand the components of an effective deterrence methodology
identify red flags and other indicators of fraud
develop an effective fraud examination and event response strategy
communicate with Management about fraud risks and events

How We're Going To Get There…
Lecture
Exercises
Case Studies & Articles
Videos & Clips
Active Discussion

How We're Going To Get There…
Risk Assessment
Deterrent Mechanisms
Detection Methodologies
Communication Protocols

Disclaimer…
This is not legal advice!
This is not tax advice!
This is not medical advice!
NOR is it relationship advice!
You will not sue me!

Who Is Your Speaker?
MBA - Elon University
BS Accounting - UNCG
Certified Internal Auditor
Certified Financial Services Auditor
Certified Fraud Examiner
Certified Management Accountant
Certified Financial Manager

Who's In The Audience?
Who Are You?
Where Do You Work?
What Do You Do There?

4 Ground Rules
If you have a question…stop me & Ask!
You have to laugh at least once!
Share your experiences!
There are absolutely no absolutes in fraud

Let's Get Started!

"Understanding The Components Of A Fraud Risk Assessment"
Module 1.1

Components
Types Of Fraud
Main Players
Risk Factors
Assessment Model

Broad Fraud Categories
Asset Misappropriation - Any scheme that involves theft or misuse of organizational assets.
Corruption - Any scheme in which an individual uses their influence to obtain an unauthorized benefit contrary to their organizational duty.
Financial Statement Misrepresentation - Falsification of the organization's financial statements to make it appear more or less profitable.

Asset Misappropriation
Non-Cash
Disbursements
Cash

Asset Misappropriation: Cash
Larceny
Skimming
Cash On Hand
From The Deposit
Sales
Receivables
Refunds
Unrecorded
Understated
Write-Off Schemes
Lapping Schemes
Unconcealed

Asset Misappropriation: Non-Cash
Misuse
Larceny
Asset Requisitions
Asset Transfers
False Sales & Shipping
Purchasing & Receiving
Unconcealed Larceny

Asset Misappropriation: Fraudulent Disbursements
Billing Schemes
Payroll Schemes
Expense Reimbursements
Check Tampering
Register Disbursements
Shell Company
Non-accomplice Vendor
Personal Purchases
Mischaracterized Expenses
Overstated Expenses
Fictitious Expenses
Multiple Reimbursements
Ghost Employees
Commission Schemes
Worker's compensation
Falsified Wages
Forged Maker
Forged Embezzlement
Altered Payee
Concealed Checks
Authorized Maker
False Voids
False Refunds

Corruption
Bribery
Illegal Gratuities
Conflicts of Interest
Economic Extortion

Corruption: Conflicts Of Interest
Sales Schemes
Purchases Schemes

Corruption: Bribery
Bid Rigging
Invoice Kickbacks

Common Model
[Figure: IMPACT versus PROBABILITY grid, each axis running Low to High, with quadrants labelled High Risk, Medium Risk, Medium Risk and Low Risk; "What Can Go Wrong?" items are plotted on the grid as X marks.]

Common Model
It's OK
Works well for a single unit or single process
Hard to compare to other units or processes
Does not work well when assessing large organizations with complex processes that overlap

Financial Statement Misrepresentation
Asset/Revenue over/under
Timing Differences
Fictitious Revenues
Concealed Liabilities & Expenses
Improper Disclosures
Improper Asset Valuations

Main Players
Business Units
Business Processes
Individuals

Main Players
[Figure: diagram of Business Processes, Business Units and Individuals]

Risk Factors
Macro Factors
Micro Factors

Macro Risk Factors
Internal Control Environment
Incentive Systems
"Tone At The Top"

Micro Risk Factors
Opportunity - Is there something to steal?
Means - Can somebody steal it?
Motivation - Would somebody steal it?
Severity - How bad would it be?

Simple Assessment Model
[Figure: diagram of Business Processes, Business Units, Individuals, Macro Factors and Micro Factors]
Weight X Raw Score = Risk Ranking

Why Should I Complete A Fraud Risk Assessment?
It's expensive
It's time consuming
I Don't want to know
Management doesn't see value
Our employee "Family" is honest
We don't hire thieves
People are generally "good"

Exercise 1.1
"ACFE Fraud Prevention Check-Up"

"Understanding Fraud Risk & Organizational Relationships"
Module 1.2

Where's Most Of The Risk At?
Asset Misappropriation
Corruption
Financial Statement Misrepresentation
Senior Management
Middle Management
Employees

FACT:
"Fraud Risk has an inherent relationship to the dynamics and structure of an Organization."

Question:
"What impacts the relationship between Fraud Risk and an Organization the most?"

Answer:
"Degree of Goal Congruence"

What Is Goal Congruence?
"Consistency or agreement of individual actions with organizational goals."
What is the individual's motivation?

Degree Of Goal Congruence
[Figure: Organization, Employees, Management; 100%]

Degree Of Goal Congruence
[Figure: Organization, Employees; 75%]

Degree Of Goal Congruence
[Figure: Organization; 75%, 75%]

Degree Of Goal Congruence
[Figure: Organization, Management; 0%, 75%; ENRON?]

Rule Of Thumb:
"The tighter the degree of Goal Congruence the less likely it is that fraud will occur."

How To Measure Goal Congruence
Not an exact science
Heavy on qualitative factors
Can be supported by quantitative factors
Factors either increase or decrease the degree of Goal Congruence proportionately
Factors are subjective to your organization
Cannot be compared between two organizations

How To Measure Goal Congruence
Incentive Systems
Specific Behaviors
Specific Decisions
Other?

Simple…Right?

Exercise 1.2
"Assessing Organizational Goal Congruence"

"Evaluating & Defining Fraud Risk By Business Unit & Business Process"
Module 1.3

Remember the Players?
[Figure: diagram of Business Processes, Business Units, Individuals, Macro Factors and Micro Factors]
Weight X Raw Score = Risk Ranking

Setting Up The Playing Field
Take an inventory of the organization's business units and business processes.
Establish weights (High, Medium, Low) to incorporate the business unit's impact on the business process.
Establish a scale (1-25) to assess each Micro Risk Factor.
Assess a raw score for each risk factor for each business process.
Add them up.
Apply appropriate weighting to the total for each business unit.

Setting Up The Playing Field
[Figure: grid of Business Process "A", "B" and "c" against Business Unit "1", "2" and "3"]

Micro Risk Factors
Opportunity - Is there something to steal?
Means - Can somebody steal it?
Motivation - Would somebody steal it?
Severity - How bad would it be?

Setting Up The Playing Field
Micro Risk Factor    Raw Score
Opportunity          25
Means                25
Motivation           25
Severity             25
Total                100
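
The scoring steps above (a 1-25 score per micro risk factor, summed per business process, then weighted per business unit) worked through in Python. This is an added example, not part of the presentation: the numeric values behind High/Medium/Low (1.00/0.66/0.33), the factor scores and the unit-to-process weights are constructed assumptions, and only the business unit and process names are borrowed from the slides.

```python
MICRO_FACTORS = ("opportunity", "means", "motivation", "severity")
SCALE_MIN, SCALE_MAX = 1, 25  # scale given on the slide

# Assumed numeric values for the High/Medium/Low weights. A business unit
# that has no part in a process gets weight 0 for that cell.
WEIGHT_VALUES = {"H": 1.00, "M": 0.66, "L": 0.33}

# Constructed inputs: factor scores per business process ...
PROCESS_SCORES = {
    "Pay Invoices": {"opportunity": 25, "means": 20, "motivation": 15, "severity": 20},
    "Manufacture Product": {"opportunity": 10, "means": 10, "motivation": 10, "severity": 10},
    "Sell Product": {"opportunity": 20, "means": 15, "motivation": 15, "severity": 10},
}
# ... and each business unit's impact on the processes it touches.
UNIT_WEIGHTS = {
    "Accounts Payable": {"Pay Invoices": "H"},
    "Production Department": {"Manufacture Product": "H", "Pay Invoices": "L"},
    "Sales Management": {"Sell Product": "H", "Pay Invoices": "M"},
}


def raw_score(factor_scores):
    """Sum the four micro risk factor scores for one process (maximum 100)."""
    missing = set(MICRO_FACTORS) - set(factor_scores)
    if missing:
        raise ValueError(f"missing factor scores: {sorted(missing)}")
    for name in MICRO_FACTORS:
        if not SCALE_MIN <= factor_scores[name] <= SCALE_MAX:
            raise ValueError(f"{name}={factor_scores[name]} is outside "
                             f"{SCALE_MIN}-{SCALE_MAX}")
    return sum(factor_scores[name] for name in MICRO_FACTORS)


def risk_rankings(process_scores, unit_weights):
    """Return {(unit, process): weight x raw score} for every grid cell."""
    raw = {process: raw_score(s) for process, s in process_scores.items()}
    rankings = {}
    for unit, weights in unit_weights.items():
        unknown = set(weights) - set(raw)
        if unknown:
            raise ValueError(f"{unit} weighted on unscored processes: {sorted(unknown)}")
        for process, total in raw.items():
            weight = WEIGHT_VALUES[weights[process]] if process in weights else 0.0
            rankings[(unit, process)] = round(weight * total, 1)
    return rankings


def ranked_cells(rankings):
    """Non-zero cells, highest risk ranking first (ties broken by name)."""
    cells = [(u, p, v) for (u, p), v in rankings.items() if v > 0]
    return sorted(cells, key=lambda cell: (-cell[2], cell[0], cell[1]))


if __name__ == "__main__":
    for unit, process, value in ranked_cells(risk_rankings(PROCESS_SCORES, UNIT_WEIGHTS)):
        print(f"{value:6.1f}  {unit} / {process}")
```

Because the ranking is computed per cell with one scale and one set of weights, cells from different units and processes can be sorted into a single list.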

Setting Up The Playing Field
[Figure: the Business Process "A", "B", "c" by Business Unit "1", "2", "3" grid filled in with the labels Pay Invoices, Manufacture Product and Sell Product, and Accounts Payable, Production Department and Sales Management. Raw scores shown: 100, 80 and 40. Weights shown: .33, .66, .100 and .0. Weighted cell values shown: 33, 66, 100, 40, 80 and 0.]

"Executing (no pun intended) The Fraud Risk Assessment"
Module 1.4

Key Points
Remember there are absolutely no absolutes in fraud
Every organization is different
The initial process is very qualitative
Allow the process to evolve into something quantitative
You'll have to use judgment and interpretation
You can make it simple or complex
There are no right or wrong answers…just information to analyze
Incrementally work from BROAD to NARROW
Easier than you might think

Primary Steps
Determine the level of precision needed
Identify tools & resources
Collect & compile Information
Distil the Information
Interpret & Apply

Level Of Precision
[Figure: scale running from Wild Guess to Darn Near Clairvoyant, with Happy Medium between them]

Tools & Resources
Interviews
Surveys & Questionnaires
Process Documentation (Examples: ISO, SOX)
Management Reports (Examples: Budget Reports, Production Reports, Salary Data, 10 Q/K, Internal Audit Reports)
Professional Experience

Collect & Compile
Identify the information source
Extract the data
Dissect the data into its components
Organize the components
Define the data elements

Distil
What data elements are important?
How does the data element relate to the risk factor?
What does the data element tell me that I don't already know?
Objective:
"To translate the abstract into something definitive."

Interpret & Apply
Organize the data elements
Consider their impact on each risk factor
Determine what can go wrong
Determine the level of risk for each risk factor in broad terms (high, medium, Low)
Determine the level of risk for each risk factor numerically
Document logic and rationale in narrative format (Important).

Interpret & Apply
[Figure: the Business Process / Business Unit grid (Pay Invoices, Manufacture Product, Sell Product; Accounts Payable, Production Department, Sales Management) showing the weighted cell values 100, 66, 33, 40, 80 and 0, each cell marked L, M or H]

Wait A Minute! What About The Macro Factors
We didn't forget about them
They apply to the risk assessment as a whole
Much easier to assess
Illustrated Graphically
Much more of a yes/no assessment
Document logic and rationale in narrative format (Important).

Macro Factor Assessment
[Figure: Incentive System, Internal Control Environment and "Tone" At The Top each placed on a scale from 1 to 100 (midpoint 50), with markers A, B and C]

Exercise 1.3
"Completing A Fraud Risk Assessment"

"Writing A Persuasive Fraud Risk Assessment Report"
Module 1.5

Obstacles
You've got a lot of "stuff" to write about
Someone somewhere isn't going to be happy with the report
It "forces" Management to make a decision
It would be a lot easier if you could just present it in a spread sheet

Report Structure
Brief intro
Graphical summaries
Light Commentary
Recommendations
Appendix
- Detailed assessment methodology
- Supporting narratives

CAUTION
CLM AH
EAD

The Conundrum
You MUST provide Management options
By completing the Risk Assessment, you've backed Management into a corner and now they're "forced" to make a decision

The Options
Management can avoid the risk
Management can transfer the risk
Management can mitigate the risk
Management can accept the risk
Inaction is the same as accepting the risk!

Option "1"
"Avoid"
Management may decide to avoid a risk by eliminating an asset if the control measures required to protect against an identified threat are too expensive.

Option "2"
"Transfer"
Management can transfer its risk, or at least a significant portion of a risk, by purchasing a fidelity insurance or bond.

Option "3"
"Mitigate"
Management can appropriate countermeasures such as preventive and detective controls.

Option "4"
"Assume"
Management may decide that it's more cost effective to assume the risk, rather than eliminate the asset, buy insurance to transfer the risk, or implement countermeasures to mitigate the risk.

Tips
Don't write a separate executive summary
The first couple of pages should be heavy with graphics
Relate risk rankings to supporting narratives in a linear fashion
If needed, use passive tense to sound less accusatory
Provide Management with options at the end of the report

"Recap"

"Understanding The Components Of An Effective Deterrence Methodology"
Module 2.1

"The value of an internal audit report is a function of what it prevents not what it detects!"

Types Of Deterrence
Passive Deterrence - Relies on individuals, processes, or systems performing routine tasks.
Active Deterrence - Engages Individuals, processes, or systems to perform a specific task.

Passive Deterrence
Job Rotation
Mandatory Vacation
Whistleblower Hotline
Employee Support Programs
Internal Audit / Fraud Department
Anti-Fraud Policy
Code of Conduct
Independent Audit Committee
Management Certification of F/S

Active Deterrence
Surprise Audits
Fraud Training for Managers & Executives
Fraud Training for Employees
External Audit of ICOFR
Management Review of IC
External Audit of F/S
Prosecution of Offenders

"Developing an effective deterrence methodology is like making a soup"
You start with a recipe
You add some basic ingredients
You turn on the heat
You have a little taste
You add some more ingredients
You have another taste
You experiment until it's just right

Key Components
Deterrence Mechanism
- Passive
- Active
Feedback Mechanism
Evaluation Mechanism
Adjustment Mechanism

Exercise 2.1
"Developing An Effective Deterrence Methodology"

"Implementing An Effective Whistle Blower Program"
Module 2.2

Why A Whistle Blower Program?
1. Tip
2. Accident
3. Internal Audit
4. Internal Control
5. External Audit
6. Police Investigation

Types of Whistle Blower Programs
Hotlines
Electronic
Mail

Characteristics Of An Effective Whistle Blower Program
Backed By Policy
Anonymous
Easily Accessed
Incentivized
Advertised
Filtering Mechanism

How Do You Think They Rank?
[Figure: table rating Mail, Electronic and Hotline programs with + and - marks against Filtering Mechanism, Advertised, Incentivized, Easily Accessed, Anonymous and Backed By Policy]

The Bottom Line…
If you want to deter or catch fraud, you must have an effective whistle blower program!

"Tone At The Top"
Video 1.1

"Recap"

What Is A Fraud Detection Methodology?
It's the processes and systems employed to detect the types of fraud an organization is at risk for.

Components
Risk Matrix
System/Data Source
Automated Tool
Manual Tool
Linking Mechanism
Procedure Inventory
Analysis Schedule
Reporting Procedure

Risk Matrix
Inventory of potential frauds by business unit or business process
Spring board off of the fraud risk assessment
Doesn't consider the risk of occurrence

Automated Tools/Systems
ACL
Idea
Excel
Access
Home Grown
Other?

Oracle
SAP
JD Edwards
Home Grown
Other?

Automated Tools/Systems
[Figure: diagram of System, Data, Tool, Manual Procedure and Linking Mechanism]

Procedure Inventory
Lists all of the procedures to be performed
Matches the risk to the proper procedure
Maps the data source to the procedure
Indicates the frequency of the procedure

Analysis Schedule
Different from the procedure frequency
Can be daily, weekly, monthly, or quarterly

Reporting Procedures
Who will get the report
What will the report look like
When will the report be issued
Where will the report come from
How will the report be created

Tying It All Together
[Figure: diagram of Risk, Analysis, Reporting, Data, Tool and Procedure]

"Government Fraud"
Video 1.1

"Identifying Indicators Of Fraud (Red Flags)"
Module 3.2

What is a red flag?
A red flag is a set of circumstances that are unusual in nature or vary from the normal activity. It is a signal that something is out of the ordinary and may need to be investigated further. Remember that red flags do not indicate guilt or innocence but merely provide possible warning signs of fraud.

Types Of Indicators
Employee
Management
General Behavior
Cash/Accounts Receivable
Payroll
Purchasing/Inventory

Employee
Employee lifestyle changes: expensive cars, jewelry, homes, clothes
Significant personal debt and credit problems
Behavioral changes: these may be an indication of drugs, alcohol, gambling, or just fear of losing the job
High employee turnover, especially in those areas which are more vulnerable to fraud
Refusal to take vacation or sick leave
Lack of segregation of duties in the vulnerable area

Management
Reluctance to provide information to auditors
Managers engage in frequent disputes with auditors
Management decisions are dominated by an individual or small group
Managers display significant disrespect for regulatory bodies
There is a weak internal control environment
Accounting personnel are lax or inexperienced in their duties
Decentralization without adequate monitoring
Excessive number of checking accounts
Frequent changes in banking accounts
Frequent changes in external auditors
Company assets sold under market value
Significant downsizing in a healthy market
Continuous rollover of loans
Excessive number of year end transactions
High employee turnover rate
Unexpected overdrafts or declines in cash balances
Refusal by company or division to use serial numbered documents
Compensation program that is out of proportion
Any financial transaction that doesn't make sense - either common or business
Service Contracts result in no product
Photocopied or missing documents

General Behavior
Borrowing money from co-workers
Creditors or collectors appearing at the workplace
Gambling beyond the ability to stand the loss
Excessive drinking or other personal habits
Easily annoyed at reasonable questioning
Providing unreasonable responses to questions
Refusing vacations or promotions for fear of detection
Bragging about significant new purchases
Carrying unusually large sums of money
Rewriting records under the guise of neatness in presentation

Cash/Accounts Receivable
Excessive number of voids, discounts and returnsUnauthorized bank accountsSudden activity in a dormant banking accountsCustomer complaints that they are receiving non-payment noticesDiscrepancies between bank deposits and posting
Abnormal number of expense items, supplies, or reimbursement tothe employeePresence of employee checks in the petty cash for the employee incharge of petty cashExcessive or unjustified cash transactionsLarge number of write-offs of accounts
Bank accounts that are not reconciled on a timely basis

Payroll
Inconsistent overtime hours for a cost center
Overtime charged during a slack period
Overtime charged for employees who normally would not have overtime wages
Budget variations for payroll by cost center
Employees with duplicate Social Security numbers, names, and addresses
Employees with few or no payroll deductions

Purchasing/Inventory
Increasing number of complaints about products or service
Increase in purchasing inventory but no increase in sales
Abnormal inventory shrinkage
Lack of physical security over assets/inventory
Charges without shipping documents
Payments to vendors who aren't on an approved vendor list
High volume of purchases from new vendors
Purchases that bypass the normal procedures
Vendors without physical addresses
Vendor addresses matching employee addresses
Excess inventory and inventory that is slow to turn over
Purchasing agents that pick up vendor payments rather than have them mailed

"Lost In Translation"
How do we go from Qualitative Indicators to a Quantitative Metric?

Suggestions
Determine what the red flag would impact
– Account
– Business Unit
– Business Process
– Functional area
Determine what the red flag's effect would be
Determine what metrics are available
Decide which is "most" intuitive

Examples
Invoices for the same amount
Invoices with sequential invoice numbers
Payment address zip codes are within a certain radius of the organization
Invoices submitted by outside locations
A new vendor is setup
Vendor type does not match account code
Payments fall just below the threshold requiring two signatures
Vendor address matches employee address
Vendors with more than one vendor code or payment address
Vendors with only PO Boxes
One time vendors
Reconciling differences between the G/L and bank statements
Vendor account modification
Wire/ACH transactions
Large invoices (>$25,000.00) processed within 15 days of quarter-end close
Budget variances within purchase accounts are excessive
New hires
Terminations
Large payments/bonuses
Manual checks
Payroll bank account reconciling items
Odd journal entries appear within the GL
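
Several of the tests listed above, written as checks over invoice and vendor records. This is an added Python example, not ACL code and not part of the presentation; the sample data, field names, the 5,000 two-signature limit, the 5% "just below" band, and reading "within 15 days" as the 15 days before quarter end are all assumptions.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample data (not from the presentation).
EMPLOYEE_ADDRESSES = {"12 Oak St, Memphis TN 38103"}
VENDORS = {
    "V100": "500 Industrial Pkwy, Memphis TN 38118",
    "V200": "12 Oak St., Memphis, TN 38103",
    "V300": "PO Box 991, Memphis TN 38101",
}
INVOICES = [  # (invoice_no, vendor_code, amount, invoice_date)
    ("1001", "V100", 4200.00, date(2008, 2, 11)),
    ("1002", "V100", 4200.00, date(2008, 2, 25)),
    ("2001", "V200", 4950.00, date(2008, 5, 2)),
    ("3001", "V300", 31000.00, date(2008, 9, 22)),
    ("3002", "V300", 800.00, date(2008, 7, 8)),
]
SIGNATURE_THRESHOLD = 5000.00  # assumed two-signature limit
NEAR_BAND = 0.05               # assumed: "just below" = within 5% of the limit

def normalize(addr):
    # Compare addresses on letters and digits only, ignoring case and punctuation.
    return "".join(ch for ch in addr.upper() if ch.isalnum())

def quarter_end(d):
    m = ((d.month - 1) // 3 + 1) * 3              # last month of d's quarter
    first_next = date(d.year + (m == 12), m % 12 + 1, 1)
    return first_next - timedelta(days=1)

def red_flags(invoices, vendors, employee_addresses):
    flags = defaultdict(set)
    same_amount = defaultdict(list)
    emp = {normalize(a) for a in employee_addresses}
    floor = SIGNATURE_THRESHOLD * (1 - NEAR_BAND)
    for no, vendor, amount, inv_date in invoices:
        addr = normalize(vendors[vendor])
        same_amount[(vendor, amount)].append(no)
        if floor <= amount < SIGNATURE_THRESHOLD:
            flags[no].add("below_signature_threshold")
        if addr in emp:
            flags[no].add("vendor_address_matches_employee")
        if addr.startswith("POBOX"):
            flags[no].add("po_box_only_vendor")
        if amount > 25000 and 0 <= (quarter_end(inv_date) - inv_date).days <= 15:
            flags[no].add("large_invoice_near_quarter_end")
    for nos in same_amount.values():
        if len(nos) > 1:                          # same vendor, same amount
            for no in nos:
                flags[no].add("same_amount")
    return {no: sorted(f) for no, f in flags.items()}
```

Each flag is a reason to look at the item, not a finding; an invoice that collects several flags is a natural place to start the review.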

"Webne Interview"
Video 1.2

"Optimizing ACL For Fraud Detection"
Module 3.3

Optimizing ACL
Transfer the data into ACL
Apply the procedures
Not as simple as it looks!

Optimizing ACL
[Diagram; labels: System, ACL, Manual, Procedure, Linking Mechanism, Data]

Optimizing ACL
[Diagram; labels: ACL, Suspect Items, Red Flag, Risk, Data, Apply Expression, Apply Script]

Case Study – XYZ INC.
Current Client
Manufacturer
International Operations
Implemented ACL To Detect Fraud For A/P & Payroll
Use SAP
Use Direct Link

XYZ INC.
[Diagram; labels: ACL, Suspect Items, Red Flag, Risk, Data, Apply Expression, Apply Script]
100% Automated

XYZ INC.
Set Up
– Table Fields
– ACL Queries
– Test Summaries

"Introduction To ACL"
Module 3.4

Basic Training
Data Import
Sampling Tools
Analysis Tool
Functions
Expressions
Scripts

"ACL"
Video 1.4

"ACL"
Video 1.5

"Recap"

"Responding To A Fraud Event"
Module 3.5

Characteristics Of An Effective Event Response Strategy
Clearly defined roles and responsibilities
Procedures for securing evidence
Timetable of critical events
Initial action plan

"Conducting The Fraud Exam"
Module 3.6

You've used ACL and analyzed all of the data, and now you think there may be fraud…
What do you do?

Caution!
If you are unsure of what to do, call a professional.
There can be EXTREME repercussions if you make a mistake!

Basics
Analyzing Documents
Interviewing
Covert Operations
Information Sources

Analyzing Documents
Chain Of Custody
Obtaining Documentary Evidence
Examining Fraudulent Documents
Types Of Forensic Documents
Handling Documents As Physical Evidence
Identifying Writings
The Document Expert's Findings
How To Obtain Handwriting Samples
Typewriters And Computer Printers
Photocopies
"Dating" A Document
Indented Writings
Counterfeit Printed Documents
Fingerprints

Interviews
Preparation
Characteristics Of A Good Interview
Characteristics Of A Good Interviewer
Question Typology
Legal Elements Of Interviewing
Elements Of Conversations
Inhibitors Of Communication
Facilitators Of Communication
Introductory Questions
Informational Questions
Kinesic Interview And Interrogation
Criteria-Based Statement Analysis
The Cognitive Interview Technique

Covert Operations
Establishing An Identity
Objectives
Problems In Covert Operations
Entrapment
Surveillance
Sources And Informants
Use Of Operatives

Sources Of Information
City Government
County Government
State Government
Federal Government
Commercial Sources
Credit Records
Commercial Databases And Research Services
Directories
Banks And Financial Institutions
International Organizations
Miscellaneous Sources
Online Services

"Communicating With Management"
Module 4.1

Now What?
You warned management about potential fraud
You helped set up a deterrent mechanism
You employed a detection methodology using ACL
You found something suspicious
You investigated it
You determined it WAS fraud

Characteristics Of An Effective Report
Clear
Impartial
Relevant
Chronological
Cause & Effect
Reader Friendly
Timely

Writing the report
Understand the reader
State the facts
Make your "case"
Support it with evidence
No accusations
Avoid opinions
Make a self evident conclusion

Presenting Evidence
Avoid long written explanations
Use graphics where possible
– Timelines
– Correlations
– Patterns

Timelines

Correlations

Patterns

Do's
Understand your local laws
Call in experts if needed
Limit the dissemination of information
Make sure the PC and all other storage devices/mechanisms are secured with controlled access
Involve legal counsel

Don'ts
Don't boot the PC
Don't boot the PC
Don't boot the PC
Don't Assume
Don't draw a conclusion as to guilt or innocence

"A Few Good Expenses"
Video 1.6