Fraud Risk Management
Transcript of a presentation to the Finnish RM Association
February 14, 2008
Mikko Routti, ERS Country Leader, Deloitte & Touche
Petri Tahvanainen, Director, Forensic & Dispute Services, Deloitte & Touche
2 © Deloitte & Touche Oy, Group of Companies 2008. All rights reserved.
Deloitte is the World's Largest Professional Services Firm

Aggregate member firm revenue growth (in billions of US$)

FY04*: $16.2 (+10.0%)
FY05: $18.2 (+12.5%)
FY06: $20.0 (+10.0%)

*Member firms divested certain practices during 2004. After exclusion of the divested practices from each year, revenue growth for the continuing businesses was 11.1 percent.

Aggregate member firm revenue growth by functional area (in billions of US$; growth* is from FY05 to FY06)

Area                        | FY04  | FY05  | FY06  | Growth*
Tax                         | 3.8   | 3.9   | 4.3   | 10.1%
Consulting                  | 3.9   | 4.3   | 4.5   | 4.4%
Financial Advisory Services | 1.2   | 1.3   | 1.5   | 13.1%
Audit                       | 7.4   | 8.7   | 9.8   | 12.0%
Total                       | $16.2 | $18.2 | $20.0 |

Note: Due to rounding, numbers may not tally with the total.
Deloitte Globally

North America: 131 offices in 2 countries
LACRO (Latin America and Caribbean): 69 offices in 28 countries
Africa: 46 offices in 21 countries
Europe: 297 offices in 47 countries
Middle East: 29 offices in 16 countries
Asia Pacific: 113 offices in 26 countries
Deloitte Finland

9 offices, 350 professionals: Helsinki, Turku, Tampere, Jyväskylä, Mikkeli, Kuopio, Oulu, Kemi, Rovaniemi
Audit / Enterprise Risk Services

Service lines: Audit and ERS Services; Tax; Consulting (Strategy & Operations, Technology Integration, Enterprise Applications, Human Capital, Outsourcing); Financial Advisory Services.

ERS services:
• Enterprise Risk Management
• Internal Audit
• Control Assurance
• Security & Privacy Services
• Business Continuity Management
• Contract, Risk & Compliance
• Capital Markets
• IT system audit
• Corporate Governance
• Forensic Services
• Financial Services
Case study # 1

SocGen uncovers €5bn fraud
• By Martin Arnold in London and Peter Thal Larsen in Davos
• Published: January 24 2008 07:19 | Last updated: January 29 2008 12:21
• Société Générale said on Thursday it had discovered €7bn ($10.26bn) of losses from a rogue trader in European stock futures and big US subprime mortgage writedowns, forcing the French bank into an emergency €5.5bn share issue.
• Daniel Bouton, SocGen's long-standing chief executive and chairman, offered to resign, but this was rejected by the board after reviewing the colossal losses – including €2.05bn of writedowns on exposure to US mortgages and bond insurers
Case Study # 2

Today's news commentary: Surely not bribes... [TE Esko Rantanen 24.10.2006]
• Finland completely powerless in the face of illegal fee collection on the eastern border.
• Russians deny paying bribes.
• Those were two headlines in Finland's largest newspaper on Monday.
• The official first reaction of the National Board of Customs was astonishment. For an authority, that was the right reaction. Customs obviously cannot demand, on gut feeling alone, that the Russians mend their ways. There should be concrete evidence. The problem is that nobody will testify publicly under their own name.
• The National Board of Customs did issue a release today in which it spoke about a slightly different matter and stressed the cooperation between the Finnish and Russian customs authorities.
• Hardly anyone will be greatly surprised if someone says that Russian officials take bribes. In practice a bribe is a semi-accepted custom of the country by which an official gets to top up a small salary. A bribe is often called a "coffee-fund contribution". Admittedly Russian President Vladimir Putin has fought against bribery and, for example, the entire customs administration on the Russian side at Vaalimaa has been replaced.
• Finns are irritated by the extra charges
• The worst problem is probably at the Imatra-Svetogorsk border station. Seppo Sainio, managing director of the Finnish transport and logistics association SKAL (Suomen Kuljetus ja Logistiikka ry), knows the extra fee to vary between ten and one hundred euros. The fee is not always collected from the drivers; the extra payment may also be paid by the haulier's customer.
What is Fraud?
• 1
• 2
• 3
• 4
Questions to Risk Managers - Fraud
• Who owns fraud risk?
• Cultural issues: Finland, Europe, Americas, Asia, Africa
• Code of Ethics, Code of Conduct
• Is it still a hot potato (the messenger of bad news gets shot)?
• Should risk managers get involved?
• Co-operation with Internal Audit
• Linkage to D&O, Crime etc. insurance
Model Fraud Risk Assessment Approach
• Our approach to fraud risk assessment consists of a five-step process:
1. Evaluate Fraud Risk Factors
2. Identify Possible Fraud Schemes & Scenarios
3. Analyze Fraud Risks & Schemes & Evaluate Mitigating Controls
4. Evaluate Fraud Risk Assessment Results & Prioritize Residual Fraud Risks
5. Risk Treatment
Some criminology...
The three conditions that together make fraud likely (the "fraud triangle"):
• Motivation (aggravated by personal and professional pressure)
• Opportunity to perpetrate fraud and not be caught
• Moral self-justification of the fraudulent act
The different means of perpetrating fraud: "Star" arrangement (EXAMPLE)
A supplier company (which obtains the contract) sits at the centre of a star of linked companies, each covering one function of the deal:
• Company n°1 (studies)
• Company n°2 (purchase of equipment)
• Company n°3 (successful bidder)
• Company n°4 (lease of machine)
• Company n°5 (sub-contracting)
• Employer grouping n°6 (leasing of employees)
• Company n°7 (investments)
• Company n°7 (fictive employees)
(Source: IFACI publication, Fraud Detection and Prevention)
Starting Point - COSO Internal Control Framework.
The eight components below are those of the COSO Enterprise Risk Management framework, which extends the five-component COSO Internal Control framework.

COMPONENTS: Internal Environment; Objective Setting; Risk Assessment; Event Identification; Risk Response; Control Activities; Information & Communication; Monitoring
ORGANISATION LEVELS: Entity-level; Division; Business unit; Subsidiary/Process/Project
OBJECTIVES: Strategic; Operations; Financial Reporting; Compliance

Source: COSO - The Committee of Sponsoring Organizations of the Treadway Commission, Enterprise Risk Management Framework (Exposure Draft), 2003.
Antifraud Programs and Controls - The COSO Framework: Creating a Control Environment
• Elements of the control environment are discussed in Steps and Considerations and include:
– tone at the top
– oversight by the audit committee and board of directors
– internal audit involvement
– code of ethics/conduct
– ethics hotline and whistleblower program
– training
– responses to control deficiencies and allegations of fraud
Fraud Programs & Controls
• Fraud Risk Assessment: for each area, consider the three conditions Opportunity; Incentives/Pressures; Attitudes & Rationalization, and ask:
• What would the fraud look like?
• What are the effects on the books and records?
• What type of fraud is the area susceptible to?
• Where could the fraud occur?
• Who has the ability to commit a fraud?
• What is the likelihood that it may occur?
Key Worksteps - 1. Evaluate Fraud Risk Factors
1) Identify fraud risk factors at the entity level, significant locations, significant accounts and business process level. Consider whether each fraud risk factor indicates the existence of an incentive / pressure, opportunity or attitudes / rationalizations.
1. Evaluate Fraud Risk Factors
• 1.1 Identify fraud risk factors at the entity level, significant location, significant account and business process level. Consider whether each fraud risk factor indicates the existence of an incentive, pressure, opportunity or attitude and rationalization.
Personnel from various levels of the organization should be involved in the process:
• Management
• Business process owners
• IT management
• Audit Committee
• Internal Audit
Areas to consider:
• Entity's industry
• Size
• Operations
• Geographical locations
• Organizational structure
• General economic climate
Management should consider and evaluate the facts and circumstances for their organizations in determining the areas to consider in the fraud risk assessment process.
1. Evaluate Fraud Risk Factors
In identifying and evaluating fraud risk factors, management should consider:
Internal considerations:
• Past fraud within the organization, actual and alleged
• Compliance with laws and regulations
• Tone at the top
• Strength of the organization's IT department
• Unrealistic performance expectations
• Unusual internal trends
• Unusual financial trends
• Employee morale
External considerations:
• Industry fraud, actual and alleged
• Industry analyst reports
• Analyst expectations
• Current market conditions
• Investor expectations
Key Worksteps - 2. Identify Possible Fraud Schemes & Identify Potential Parties to Fraud & Type of Fraud
2) Identify fraud risks.
3) Brainstorm specific fraud schemes that could result from the specific risks identified.
4) Identify account balances and potential errors related to each fraud risk.
5) For each fraud scheme, identify internal and external parties who could be involved with reference to incentives / pressure, opportunities, attitudes & rationalizations.
2. Identify Fraud Risks
• Fraud risks are potential events that would negatively impact the entity if they were to occur.
• Every organization has inherent fraud risks that arise from internal and external conditions relative to the entity's industry, operations, geographical locations, size, organizational structure, and general economic conditions. For example, SAS 99, paragraph 41 notes that material misstatements due to fraudulent financial reporting often result from overstatements of revenues, and therefore a risk of material misstatement due to fraud relating to revenue recognition should be presumed.
• 2.2 Identify possible fraud risks
2. Identify Possible Fraud Schemes
• 2.3 Brainstorm specific fraud schemes that could result from the specific risks identified, without consideration of existing controls.
• A scheme is the mechanism, scenario, or sequence of actions by which:
– the financial statements may be improperly manipulated or misstated;
– assets may be misappropriated;
– improper or unauthorized expenditures may be made;
– self-dealings may occur; and
– laws and regulations may be violated.
• One or more related fraud schemes may exist for each fraud risk. Consider:
– past fraud within the organization, actual and alleged;
– the industry in which the organization operates;
– the geographies in which the organization operates.
2. Identify Possible Fraud Schemes & Parties
• 2.5 For each fraud scheme, identify internal and external parties who could be involved with reference to incentives / pressure, opportunities, attitudes & rationalizations.
Consider:
Internal parties: C-suite; business process owners; employees
External parties: agents (particularly in foreign countries); independent contractors; competitors; customers; licensees; vendors
Key Worksteps - 3. Analyze Fraud Schemes & Evaluate Design & Implementation of Internal Controls
6) Analyze possible fraud schemes by likelihood and significance to establish the Inherent Risk Rating (IRR).
7) Map fraud schemes and scenarios to mitigating controls and evaluate Control Design Effectiveness and Control Implementation Effectiveness to establish the Control Risk Rating (CRR).
3. Analyze Fraud Schemes
• 3.6 Management identifies fraud schemes by type and analyzes possible fraud schemes by likelihood & significance (including materiality and reputation).
TYPE
Financial Statement Fraud:
– Manipulation, falsification, or alteration of accounting records and supporting documentation
– Misrepresentation in, or intentional omission from, the financial statements (events, transactions, or other significant information)
– Misapplication of accounting principles, such as amount, classification, disclosure or presentation
Asset Misappropriation:
– Embezzling receipts
– Stealing assets
– Causing an entity to pay for goods or services that have not been received
Other:
– Improper or unauthorized expenditures
– Self-dealing
– Violations of laws and regulations
3.6 Analyze Fraud Schemes by Likelihood
• The likelihood that a particular fraud scheme / scenario will occur and could result in a material misstatement in the financial statements or otherwise negatively impact the entity.
• The likelihood of each potential fraud scheme should be assessed without consideration of controls (i.e., as if no controls were in place). Management should consider the likelihood of the fraud being perpetrated by an individual, as well as by two or more individuals acting collusively.
• Likelihood is typically determined to be one of the following:
LIKELIHOOD
1 No likelihood of fraud activity
2 Little likelihood of fraud activity
3 Some likelihood of fraud activity
4 Considerable likelihood of fraud activity
5 Very high likelihood of fraud activity
3.6 Analyze Fraud Schemes by Significance
• Evaluate whether each particular fraud scheme / scenario is of a magnitude that could materially impact a particular stakeholder, result in a material misstatement in the financial statements or otherwise negatively impact the entity.
• The typical rating scale used for significance is:
SIGNIFICANCE
1 Insignificant
2 Minor
3 Moderate
4 Major consequences
5 Catastrophic consequences
• Note: Significance is typically determined with reference to materiality and other factors such as loss of or damage to reputation and disruption to business resulting in financial loss as a result of fraud.
3.6 Establish Inherent Risk Rating
• A quantitative assessment of each fraud risk by likelihood and significance will enable management to determine an Inherent Risk Rating (IRR). The Inherent Risk Rating is calculated as the sum of the likelihood and significance ratings.
IRR matrix (S = significance, L = likelihood; example values shown):
S 4 + L 5 = 9 → IRR 8-10: High
S 3 + L 4 = 7 → IRR 6-7: Medium
S 2 + L 3 = 5 → IRR 2-5: Low
Note: When analyzing fraud schemes, management may want to weigh the components differently depending on the needs or risks that exist within the organization.
3.7 Link Schemes/Scenarios to Mitigating Controls
• Antifraud control activities can be preventive or detective in nature.
• Preventive controls are designed to mitigate specific fraud risks and can deter frauds from occurring.
• Detective control activities are designed to identify fraud if it occurs. Detective controls can also be used as a monitoring activity to assess the effectiveness of antifraud controls and may provide additional evidence of the effectiveness of antifraud programs and controls.
• Special consideration should be given to the risk of override of controls by management. Programs and controls that deal with management override include: (1) active oversight from the audit committee; (2) whistle-blower programs and a system to receive and investigate anonymous complaints; and (3) reviewing journal entries and other adjustments for evidence of possible material misstatement due to fraud.
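The third management-override control above, "reviewing journal entries and other adjustments", is the one a practitioner can most readily automate. The following is an added example, not code from the Deloitte deck or from any Deloitte tool: a rule-based screen over a small constructed general-ledger extract. The CSV layout, the red-flag rules, the thresholds, the list of authorised posters and the account numbering (revenue accounts 4xxx, a 2900 suspense account) are all assumptions for illustration and must be replaced with the entity's own chart of accounts and posting policy.

```python
"""Journal-entry review screen for signs of management override.

Added example, not part of the Deloitte deck. Everything below the imports
(extract, layout, rules, thresholds, authorised posters, account numbering)
is an illustrative assumption.
"""
import csv
import io
from datetime import datetime

# Constructed GL extract (not real data). One row per journal line; the lines
# of a journal entry share a je_id and balance. Period end is 2007-12-31.
GL_EXTRACT = """\
je_id,posted_at,user,source,account,description,debit,credit
JE-1001,2007-12-14 10:12,amaki,SUBLEDGER,4000 Revenue,Invoice batch 1214,0,18420.55
JE-1001,2007-12-14 10:12,amaki,SUBLEDGER,1200 Receivables,Invoice batch 1214,18420.55,0
JE-1002,2007-12-31 23:48,cfo,MANUAL,1200 Receivables,,500000.00,0
JE-1002,2007-12-31 23:48,cfo,MANUAL,4000 Revenue,,0,500000.00
JE-1003,2008-01-06 09:30,jsmith,MANUAL,4000 Revenue,Reclass per CFO,0,250000.00
JE-1003,2008-01-06 09:30,jsmith,MANUAL,2900 Suspense,Reclass per CFO,250000.00,0
JE-1004,2007-12-20 15:05,amaki,MANUAL,6100 Travel,Expense accrual Dec,1232.18,0
JE-1004,2007-12-20 15:05,amaki,MANUAL,2100 Accruals,Expense accrual Dec,0,1232.18
"""

PERIOD_END = datetime(2007, 12, 31)
AUTHORISED_POSTERS = {"amaki", "ledger_batch"}   # people/processes expected to post entries
UNUSUAL_ACCOUNTS = {"2900 Suspense", "2950 Intercompany clearing"}
ROUND_THRESHOLD = 100_000.0                      # "large AND round" is the signal, not round alone


def load_entries(text):
    """Group the CSV lines into journal entries keyed by je_id."""
    entries = {}
    for row in csv.DictReader(io.StringIO(text)):
        e = entries.setdefault(row["je_id"], {"je_id": row["je_id"], "lines": []})
        e["lines"].append(row)
    for e in entries.values():
        head = e["lines"][0]
        e["posted_at"] = datetime.strptime(head["posted_at"], "%Y-%m-%d %H:%M")
        e["user"], e["source"] = head["user"], head["source"]
        e["description"] = head["description"].strip()
        e["amount"] = sum(float(line["debit"]) for line in e["lines"])  # total debits = entry size
        e["accounts"] = {line["account"] for line in e["lines"]}
    return list(entries.values())


def screen_entry(e):
    """Return the list of red flags raised by one journal entry."""
    flags = []
    manual = e["source"] == "MANUAL"
    if manual and e["user"] not in AUTHORISED_POSTERS:
        flags.append("manual entry by a user who does not normally post")
    t = e["posted_at"]
    if t.weekday() >= 5 or not 7 <= t.hour < 19:          # weekend, or outside 07:00-19:00
        flags.append("posted outside business hours")
    days_from_close = (t - PERIOD_END).days
    # last three days of the period, or a manual entry in the ten days after close
    if -3 <= days_from_close <= 0 or (manual and 0 < days_from_close <= 10):
        flags.append("posted in the closing window or post-closing")
    if e["amount"] >= ROUND_THRESHOLD and e["amount"] % 1000 == 0:
        flags.append("large round amount")
    revenue = {a for a in e["accounts"] if a.startswith("4")}  # assumption: 4xxx = revenue
    if revenue and e["accounts"] & UNUSUAL_ACCOUNTS:
        flags.append("revenue offset against a suspense/clearing account")
    if manual and not e["description"]:
        flags.append("manual entry with no explanation")
    return flags


def review_journal_entries(text):
    """Screen every entry; return the flagged ones, most suspicious first."""
    hits = []
    for e in load_entries(text):
        flags = screen_entry(e)
        if flags:
            hits.append({"je_id": e["je_id"], "user": e["user"],
                         "amount": e["amount"], "flags": flags})
    hits.sort(key=lambda h: (-len(h["flags"]), -h["amount"]))
    return hits


if __name__ == "__main__":
    for hit in review_journal_entries(GL_EXTRACT):
        print(hit["je_id"], hit["user"], f"{hit['amount']:,.2f}", "; ".join(hit["flags"]))
```

On the constructed extract the routine ranks the unexplained, round, late-night, period-end revenue entry posted by the CFO first and the post-closing reclassification between revenue and suspense second, while the sub-ledger batch and the documented accrual by a normal poster raise nothing. Each flag on its own is a weak signal (finance teams legitimately work late at close); it is the accumulation of flags on a single entry, and the fact that the poster is someone who can override controls, that makes an entry worth pulling support for.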
3.8 Evaluate Mitigating Controls
• 3.8 Evaluate the Control Design Effectiveness Rating (CDER) and Control Implementation Effectiveness Rating (CIER) of the controls to determine if they sufficiently mitigate the risk of the identified fraud schemes (control gap analysis).
– Evaluate controls to determine if they sufficiently mitigate the identified fraud risks or if additional emphasis should be placed on existing controls or new controls are required
– Consider possible management override of controls
– Consider the need for additional control activities (identify control gaps)
– Management should also assess the company's level of tolerance for acceptable residual risk by considering inherent risks and the effect of mitigating controls to reduce that inherent risk.
Key Worksteps - 4. Evaluate FRA Results & Prioritize Residual Fraud Risks
8) Evaluate the results from the Inherent Risk Rating (IRR) process and Control Risk Rating (CRR) process against established criteria to determine the Residual Risk Rating (RRR) of fraud schemes.
9) Identify and prioritize fraud schemes requiring further risk treatment.
4. Evaluate FRA Results & Prioritize Residual Risk
• 4.8 Evaluate the Fraud Risk Assessment Results.
– Evaluate the results from the Inherent Risk Rating (IRR) process and Control Risk Rating (CRR) against established criteria to determine the Residual Risk Rating (RRR) and whether controls sufficiently mitigate the identified fraud risks or whether additional emphasis should be placed on strengthening existing controls or implementing new controls
– Management identifies and prioritizes fraud risks requiring attention in terms of urgency and allocation of resources.
• 4.9 Prioritize residual fraud risks that require treatment.
4.8 Evaluate FRA Results
• Residual Fraud Risk: possible ratings for Residual Fraud Risk are "High," "Medium" and "Low." A "High" residual rating will almost always be the result of mitigating controls being assessed as less than effective or controls being absent.
• During Step 4.9 fraud risk assessment results are assessed against the Residual Risk Rating Matrix, which is comprised of an Inherent Risk Rating (IRR) scale and a Control Risk Rating (CRR) scale. This provides the Residual Risk Rating for each fraud risk or scheme in terms of "High", "Medium" and "Low".
4.8 Chart Residual Risk Rating
• Residual fraud risk for each fraud scheme may be plotted on a Residual Risk Chart.
4.9 Prioritize FRA Results
• Management must decide what its risk tolerance attitude or appetite is based upon the residual fraud risk assessment results and decide how it wishes to prioritize and address identified residual fraud risks requiring treatment.
• Management actions to address fraud risk should be detailed in a risk mitigation or Fraud Risk Action Plan. In addition to control improvement actions, the plan should also detail the specific personnel responsible for implementing control improvements and an implementation timetable.
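Worksteps 6 to 9 describe one scoring pipeline: rate likelihood and significance, sum them into an IRR, rate control design and implementation into a CRR, read the two off a residual matrix, then sort and assign actions. The following is an added example, not the Deloitte model or any Deloitte tool, that runs that pipeline over a constructed fraud risk register. The 1-5 likelihood and significance scales, IRR = likelihood + significance (with optional weights, as the note on the IRR slide allows) and the IRR bands (8-10 High, 6-7 Medium, 5 or lower Low) are the deck's own. The deck does not say how CRR is derived from CDER and CIER, nor what the Residual Risk Rating Matrix contains, so the 1-3 effectiveness scale, the "weakest link" CRR rule, the RESIDUAL_MATRIX, the action-item rules and the sample schemes are all assumptions.

```python
"""Fraud risk register scorer for worksteps 6-9.

Added example, not from the Deloitte deck. The likelihood/significance scales,
IRR = L + S and the IRR bands come from the slides; the CDER/CIER scale, the
CRR rule, RESIDUAL_MATRIX, the action rules and SAMPLE_REGISTER are assumptions.
"""
from dataclasses import dataclass

LIKELIHOOD = {1: "No likelihood", 2: "Little likelihood", 3: "Some likelihood",
              4: "Considerable likelihood", 5: "Very high likelihood"}
SIGNIFICANCE = {1: "Insignificant", 2: "Minor", 3: "Moderate",
                4: "Major consequences", 5: "Catastrophic consequences"}
EFFECTIVENESS = {1: "absent or ineffective", 2: "partially effective", 3: "effective"}  # assumption
RANK = {"High": 0, "Medium": 1, "Low": 2}

# (IRR band, CRR) -> residual rating. Assumption: residual risk drops at most one
# band below inherent risk, and only where control risk is Low; High control risk
# (weak or absent controls) never lowers it, matching the slide's remark that a
# High residual rating almost always means less-than-effective or absent controls.
RESIDUAL_MATRIX = {
    ("High", "High"): "High",     ("High", "Medium"): "High",     ("High", "Low"): "Medium",
    ("Medium", "High"): "High",   ("Medium", "Medium"): "Medium", ("Medium", "Low"): "Low",
    ("Low", "High"): "Medium",    ("Low", "Medium"): "Low",       ("Low", "Low"): "Low",
}


@dataclass
class FraudScheme:
    name: str
    fraud_type: str      # financial statement / asset misappropriation / other
    likelihood: int      # 1-5, assessed as if no controls were in place
    significance: int    # 1-5, materiality plus reputation and disruption
    cder: int            # control design effectiveness, 1-3 (assumed scale)
    cier: int            # control implementation effectiveness, 1-3 (assumed scale)


def inherent_risk_rating(likelihood, significance, w_likelihood=1, w_significance=1):
    """IRR is the (optionally weighted) sum of the two ratings."""
    if likelihood not in LIKELIHOOD or significance not in SIGNIFICANCE:
        raise ValueError("likelihood and significance must be on the 1-5 scales")
    return w_likelihood * likelihood + w_significance * significance


def irr_band(irr):
    """Bands from the IRR matrix slide: 8-10 High, 6-7 Medium, 5 or lower Low."""
    if irr >= 8:
        return "High"
    if irr >= 6:
        return "Medium"
    return "Low"


def control_risk_rating(cder, cier):
    """Weakest-link rule (assumption): a well-designed control that is not
    operating gives no more comfort than a badly designed one."""
    if cder not in EFFECTIVENESS or cier not in EFFECTIVENESS:
        raise ValueError("CDER and CIER must be 1-3")
    return {1: "High", 2: "Medium", 3: "Low"}[min(cder, cier)]


def assess(scheme):
    """Step 8: IRR band x CRR -> RRR, plus the control actions the gaps imply."""
    irr = inherent_risk_rating(scheme.likelihood, scheme.significance)
    crr = control_risk_rating(scheme.cder, scheme.cier)
    rrr = RESIDUAL_MATRIX[(irr_band(irr), crr)]
    actions = []
    if scheme.cder == 1 and scheme.cier == 1:
        actions.append("implement new control")          # nothing there to fix
    else:
        if scheme.cder < 3:
            actions.append("redesign control")
        if scheme.cier < 3:
            actions.append("fix control implementation")
    return {"scheme": scheme.name, "type": scheme.fraud_type, "irr": irr,
            "irr_band": irr_band(irr), "crr": crr, "rrr": rrr, "actions": actions}


def prioritize(register, tolerance="Low"):
    """Step 9: order by residual rating, then inherent rating; schemes at or
    below management's tolerance band get no action plan item."""
    results = [assess(s) for s in register]
    results.sort(key=lambda r: (RANK[r["rrr"]], -r["irr"]))
    for r in results:
        if RANK[r["rrr"]] >= RANK[tolerance]:
            r["actions"] = []
    return results


# Constructed register: hypothetical schemes, not from the deck.
SAMPLE_REGISTER = [
    FraudScheme("Premature revenue recognition via side agreements", "financial statement", 4, 5, 3, 2),
    FraudScheme("Top-side journal entries by management", "financial statement", 2, 5, 1, 1),
    FraudScheme("Payments to a fictitious vendor", "asset misappropriation", 3, 4, 2, 2),
    FraudScheme("Petty cash theft", "asset misappropriation", 3, 1, 3, 3),
]

if __name__ == "__main__":
    for r in prioritize(SAMPLE_REGISTER):
        print(f"{r['rrr']:6} IRR={r['irr']:2} ({r['irr_band']}) CRR={r['crr']:6} "
              f"{r['scheme']}: {', '.join(r['actions']) or 'within tolerance'}")
```

Two properties of the model are worth checking against your own matrix before adopting one: a scheme whose controls are absent (top-side journal entries, IRR only 7) still comes out High residual, because nothing is mitigating it; and a High inherent scheme with a well-designed but half-implemented control (revenue recognition) stays High, because the weakest-link CRR rule refuses credit for a control that is not actually operating.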
Key Worksteps - 5. Risk Treatment
10) Prepare a Fraud Risk Action Plan to treat and mitigate fraud risk schemes requiring attention.
11) Implement the Fraud Risk Action Plan.
5. Risk Treatment
• 5.10 Prepare a Fraud Risk Action Plan to treat and mitigate fraud risk schemes requiring attention.
– Controls should be implemented or enhanced for identified fraud schemes where controls are not already present, are inadequately designed or are poorly implemented.
– These control enhancements to address fraud schemes should be detailed in a Fraud Risk Action Plan. In addition to control improvement actions, the plan should also detail the specific personnel responsible for implementing control improvements and an implementation timetable.
– Improvement actions contained in the Fraud Risk Action Plan may be actions to improve the antifraud program of the entity or to address specific fraud scheme control deficiencies, depending on the scope of the fraud risk assessment.
5. Risk Treatment
• 5.11 Implement Fraud Risk Action Plan
– Ensure overall responsibility is assigned to a senior manager to monitor control implementation as detailed in the Fraud Risk Action Plan.
– This responsibility could be defined in the Fraud Control Policy of the entity or specified elsewhere.
– The Audit Committee should oversee the entire process.

Member of Deloitte Touche Tohmatsu. © Deloitte & Touche Oy, Group of Companies 2008. All rights reserved.