Fraud Risk Management - srhy.fi/uploads/aikaisemmat_tapahtumat/2008/Routti_Mikko_2008-02... (transcript of a 38-page slide deck)

Page 1

Fraud Risk Management. Finnish RM Association

February 14, 2008

Mikko Routti, ERS Country Leader, Deloitte & Touche

Petri Tahvanainen, Director, Forensic & Dispute Services, Deloitte & Touche

Page 2

© Deloitte & Touche Oy, Group of Companies 2008. All rights reserved.

Deloitte is the World's Largest Professional Services Firm

Aggregate member firm revenue growth (in billions of US$):

FY04*: $16.2 (+10.0%)
FY05: $18.2 (+12.5%)
FY06: $20.0 (+10.0%)

*Member firms divested certain practices during 2004. After exclusion of the divested practices from each year, revenue growth for the continuing businesses was 11.1 percent.

Aggregate member firm revenue growth by functional area (in billions of US$; FY04 / FY05 / FY06, growth* from FY05 to FY06):

Audit: 7.4 / 8.7 / 9.8 (growth 12.0%)
Tax: 3.8 / 3.9 / 4.3 (growth 10.1%)
Consulting: 3.9 / 4.3 / 4.5 (growth 4.4%)
Financial Advisory Services: 1.2 / 1.3 / 1.5 (growth 13.1%)
Total: $16.2 / $18.2 / $20.0

Note: Due to rounding, numbers may not tally with the total.

Page 3

Deloitte Globally

North America: 131 offices in 2 countries
LACRO (Latin America and Caribbean): 69 offices in 28 countries
Africa: 46 offices in 21 countries
Europe: 297 offices in 47 countries
Middle East: 29 offices in 16 countries
Asia Pacific: 113 offices in 26 countries

Page 4

Deloitte Finland

9 offices, 350 professionals: Helsinki, Turku, Tampere, Jyväskylä, Mikkeli, Kuopio, Oulu, Kemi, Rovaniemi

Page 5

Audit / Enterprise Risk Service

Service lines: Audit and ERS Services, Tax, Consulting (Strategy & Operations, Technology Integration, Enterprise Applications, Human Capital, Outsourcing), Financial Advisory Services

Enterprise Risk Services (ERS):

• Enterprise Risk Management
• Internal Audit
• Control Assurance
• Security & Privacy Services
• Business Continuity Management
• Contract, Risk & Compliance
• Capital Markets
• IT system audit
• Corporate Governance
• Forensic Services
• Financial Services

Page 6

Case study # 1

SocGen uncovers €5bn fraud

• By Martin Arnold in London and Peter Thal Larsen in Davos

• Published: January 24 2008 07:19 | Last updated: January 29 2008 12:21

• Société Générale said on Thursday it had discovered €7bn ($10.26bn) of losses from a rogue trader in European stock futures and big US subprime mortgage writedowns, forcing the French bank into an emergency €5.5bn share issue.

• Daniel Bouton, SocGen’s long-standing chief executive and chairman, offered to resign, but this was rejected by the board after reviewing the colossal losses – including €2.05bn of writedowns on exposure to US mortgages and bond insurers

Page 7

Case Study # 2

News commentary of the day: Surely not bribes... [TE Esko Rantanen 24.10.2006]

• Finland completely powerless in the face of illegal charging at the eastern border.

• Russians deny paying bribes.

• Those were two headlines from Finland's largest newspaper on Monday.

• The National Board of Customs' official first reaction was astonishment. For an authority, that was the right reaction. Customs obviously cannot demand that the Russians mend their ways on the basis of a gut feeling. There would have to be concrete evidence. The problem is that nobody will testify publicly under their own name.

• Indeed, the National Board of Customs issued a press release today in which it talked about a slightly different matter and emphasised cooperation between the Board of Customs and Russian customs.

• Hardly anyone will be terribly surprised if someone reports that Russian officials take bribes. In practice, the bribe is a semi-accepted custom of the country, by which an official gets to top up a small salary. A bribe is often called a "coffee fund contribution". Admittedly, Russian President Vladimir Putin has fought against bribery and, for example, the entire customs administration on the Russian side at Vaalimaa has been replaced.

• Finns are irritated by the extra charges

• The worst problem is probably at the Imatra-Svetogorsk border crossing. Seppo Sainio, managing director of Suomen Kuljetus ja Logistiikka ry (SKAL), knows that the extra payment varies between ten and a hundred euros. The fee is not always collected from the drivers; the extra payment may instead be paid by the transport company's customer.

Page 8

What is Fraud?

• 1

• 2

• 3

• 4

Page 9

Questions to Risk Managers - Fraud

• Who owns Fraud Risk?

• Cultural issues Finland, Europe, Americas, Asia, Africa

• Code of Ethics, Code of Conduct

• Is it still a hot potato (the messenger of bad news gets shot)?

• Should risk managers get involved?

• Co-operation with Internal Audit

• Linkage to D&O, Crime, etc. insurance

Page 10

Model Fraud Risk Assessment Approach

• Our approach to fraud risk assessment consists of a five-step process:

1. Evaluate Fraud Risk Factors
2. Identify Possible Fraud Schemes & Scenarios
3. Analyze Fraud Risks & Schemes & Evaluate Mitigating Controls
4. Evaluate Fraud Risk Assessment Results & Prioritize Residual Fraud Risks
5. Risk Treatment

Page 11

Some criminology...

Motivation (aggravated by personal and professional pressure)

Opportunity to perpetrate fraud and not be caught

Moral self-justification of the fraudulent act

Page 12

The different means of perpetrating fraud: "Star" arrangement (EXAMPLE)

Supplier company (obtains the contract), surrounded by:

Company n°1 (studies)
Company n°2 (purchase of equipment)
Company n°3 (successful bidder)
Company n°4 (lease of machine)
Company n°5 (sub-contracting)
Employer grouping n°6 (leasing of employees)
Company n°7 (investments)
Company n°7 (fictive employees)

(Source: IFACI publication, Fraud Detection and Prevention)

Page 13

Starting Point - COSO Internal Control Framework

COMPONENTS: Internal Environment, Objective Setting, Risk Assessment, Event Identification, Risk Response, Control Activities, Information & Communication, Monitoring

ORGANISATION LEVELS: Entity-level, Division, Business unit, Subsidiary/Process/Project

OBJECTIVES: Strategic, Operations, Financial Reporting, Compliance

Source: COSO - The Committee of Sponsoring Organizations of the Treadway Commission, Enterprise Risk Management Framework (Exposure Draft), 2003.

Page 14

Antifraud Programs and Controls—The COSO Framework: Creating a Control Environment

• Elements of the control environment are discussed in Steps and Considerations and include:

– tone at the top

– oversight by the audit committee and board of directors

– internal audit involvement

– code of ethics/conduct

– ethics hotline and whistleblower program

– training

– responses to control deficiencies and allegations of fraud

Page 15

Fraud Programs & Controls

• Fraud Risk Assessment

Opportunity / Incentives/Pressures / Attitudes & Rationalization

• What would the fraud look like?

• What are the effects on the books and records?

• What type of fraud is the area susceptible to?

• Where could the fraud occur?

• Who has the ability to commit a fraud?

• What is the likelihood that it may occur?

Page 16

Key Worksteps - 1. Evaluate Fraud Risk Factors

1) Identify fraud risk factors at the entity level, significant locations, significant accounts and business process level. Consider whether each fraud risk factor indicates the existence of an incentive / pressure, opportunity or attitudes / rationalizations.

Page 17

1. Evaluate Fraud Risk Factors

• 1.1 Identify fraud risk factors at the entity level, significant location, significant account and business process level. Consider whether each fraud risk factor indicates the existence of an incentive, pressure, opportunity or attitude and rationalization.

Personnel from various levels of the organization should be involved in the process: Management, Business process owners, IT management, Audit Committee, Internal Audit.

Areas to consider: Entity’s industry, Size, Operations, Geographical locations, Organizational structure, General economic climate.

Management should consider and evaluate the facts and circumstances for their organizations in determining the areas to consider in the fraud risk assessment process.

Page 18

1. Evaluate Fraud Risk Factors

In identifying and evaluating fraud risk factors, management should consider:

Internal Considerations: Past fraud within the organization, actual and alleged; Compliance with laws and regulations; Tone at the top; Strength of the organization’s IT department; Unrealistic performance expectations; Unusual internal trends; Unusual financial trends; Employee morale

External Considerations: Industry fraud, actual and alleged; Industry analyst reports; Analyst expectations; Current market conditions; Investor expectations

Page 19

Key Worksteps - 2. Identify Possible Fraud Schemes & Identify Potential Parties to Fraud & Type of Fraud

2) Identify fraud risks

3) Brainstorm specific fraud schemes that could result from the specific risks identified.

4) Identify account balances and potential errors related to each fraud risk.

5) For each fraud scheme, identify internal and external parties who could be involved with reference to incentives / pressure, opportunities, attitudes & rationalizations.

Page 20

2. Identify Fraud Risks

• Fraud risks are potential events that will negatively impact the entity if they were to occur.

• Every organization has inherent fraud risks that arise from internal and external conditions relative to the entity’s industry, operations, geographical locations, size, organizational structure, and generic economic conditions. For example, SAS 99, paragraph 41 notes that material misstatements due to fraudulent financial reporting often result from overstatements of revenues and therefore there is a risk of material misstatement due to fraud relating to revenue recognition.

• 2.2 Identify possible fraud risks

Page 21

2. Identify Possible Fraud Schemes

• 2.3 Brainstorm specific fraud schemes that could result from the specific risks identified, without consideration of existing controls.

• One or more related fraud schemes may exist for each fraud risk. Consider:

Past fraud within the organization, actual and alleged

The industry in which the organization operates

The geographies in which the organization operates

• A scheme is the mechanism, scenario, or sequence of actions by which:

The financial statements may be improperly manipulated or misstated;

Assets may be misappropriated;

Improper or unauthorized expenditures may be made;

Self-dealings may occur; and

Laws and regulations may be violated.

Page 22

2. Identify Possible Fraud Schemes & Parties

• 2.5 For each fraud scheme, identify internal and external parties who could be involved with reference to incentives/pressure, opportunities, attitudes & rationalizations.

Consider:

Internal Parties: C-suite, Business process owners, Employees

External Parties: Agents (particularly in foreign countries), Independent contractors, Competitors, Customers, Licensees, Vendors

Page 23

Key Worksteps - 3. Analyze Fraud Schemes & Evaluate Design & Implementation of Internal Controls

6) Analyze possible fraud schemes by Likelihood and Significance to establish Inherent Risk Rating (IRR).

7) Map fraud schemes and scenarios to mitigating controls and evaluate Control Design Effectiveness and Control Implementation Effectiveness to establish the Control Risk Rating (CRR).

Page 24

3. Analyze Fraud Schemes

• 3.6 Management identifies fraud schemes by type and analyzes possible fraud schemes by likelihood & significance (including materiality and reputation).

TYPE

Financial Statement Fraud:

Manipulation, falsification, or alteration of accounting records and supporting documentation

Misrepresentation in, or intentional omission from, the financial statements (events, transactions, or other significant information)

Misapplication of accounting principles, such as amount, classification, disclosure or presentation

Asset Misappropriation:

Embezzling receipts

Stealing assets

Causing an entity to pay for goods or services that have not been received

Other:

Improper or unauthorized expenditures

Self-dealing

Violations of laws and regulations

Page 25

3.6 Analyze Fraud Schemes by Likelihood

• The likelihood that a particular fraud scheme / scenario will occur and could result in a material misstatement in the financial statements or otherwise negatively impact the entity.

• The likelihood of each potential fraud scheme should be assessed without consideration of controls (e.g., as if no controls are in place). Management should consider the likelihood of the fraud being perpetrated by an individual, as well as by two or more individuals acting collusively.

• Likelihood is typically determined to be one of the following:

LIKELIHOOD

1 No likelihood of fraud activity
2 Little likelihood of fraud activity
3 Some likelihood of fraud activity
4 Considerable likelihood of fraud activity
5 Very high likelihood of fraud activity

Page 26

3.6 Analyze Fraud Schemes by Significance

• Evaluate whether each particular fraud scheme / scenario is of a magnitude that could materially impact a particular stakeholder, result in a material misstatement in the financial statements or otherwise negatively impact the entity.

• The typical rating scale used for significance is:

SIGNIFICANCE

1 Insignificant
2 Minor
3 Moderate
4 Major Consequences
5 Catastrophic Consequences

• Note: Significance is typically determined with reference to materiality and other factors such as loss of or damage to reputation and disruption to business resulting in financial loss as a result of fraud.

Page 27

3.6 Establish Inherent Risk Rating

• A quantitative assessment of each fraud risk by likelihood and significance will enable management to determine an Inherent Risk Rating (IRR). The Inherent Risk Rating is calculated as the sum of both the likelihood and significance ratings.

IRR bands (table layout lost in extraction; the slide pairs S/L ratings of 4-5 with IRR 8-10, 3-4 with IRR 6-7, and 2-3 with IRR 5):

High: IRR 8-10
Medium: IRR 6-7
Low: IRR 5

Note: When analyzing fraud schemes, management may want to weigh the components differently depending on the needs or risks that exist within the organization.

Page 28

3.7 Link Schemes/Scenarios to Mitigating Controls

• Antifraud control activities can be preventative or detective in nature

• Preventative controls are designed to mitigate specific fraud risks and can deter frauds from occurring

• Detective control activities are designed to identify fraud if it occurs. Detective controls can also be used as a monitoring activity to assess the effectiveness of antifraud controls and may provide additional evidence of the effectiveness of antifraud programs and controls.

• Special consideration should be given to the risk of override of controls by management. Some programs and controls that deal with management override include: (1) active oversight from the audit committee; (2) whistle-blower programs and a system to receive and investigate anonymous complaints; and (3) reviewing journal entries and other adjustments for evidence of possible material misstatement due to fraud.

Page 29

3.8 Evaluate Mitigating Controls

• 3.8 Evaluate the Control Design Effectiveness Rating (CDER) and Control Implementation Effectiveness Rating (CIER) of the controls to determine if they sufficiently mitigate the risk of the identified fraud schemes (control gap analysis).

Evaluate controls to determine if they sufficiently mitigate the identified fraud risks or if additional emphasis should be placed on existing controls or new controls are required

Consider possible management override of controls

Consider the need for additional control activities (identify control gaps)

Management should also assess the company’s level of tolerance for acceptable residual risk by considering inherent risks and the effect of mitigating controls to reduce that inherent risk.

Page 30

Key Worksteps - 4. Evaluate FRA Results & Prioritize Residual Fraud Risks

8) Evaluation of the results from the Inherent Risk Rating (IRR) process and Control Risk Rating (CRR) process against established criteria to determine Residual Risk Rating (RRR) of fraud schemes.

9) Identify and prioritize fraud schemes requiring further risk treatment.

Page 31

4. Evaluate FRA Results & Prioritize Residual Risk

• 4.8 Evaluate the Fraud Risk Assessment Results.

Evaluate the results from the Inherent Risk Rating (IRR) process and Control Risk Rating (CRR) against established criteria to determine Residual Risk Rating (RRR) and whether controls sufficiently mitigate the identified fraud risks or whether additional emphasis should be placed on strengthening existing controls or implementing new controls.

Management identifies and prioritizes fraud risks requiring attention in terms of urgency and allocates resources.

• 4.9 Prioritize residual fraud risks that require treatment.

Page 32

4.8 Evaluate FRA Results

• Residual Fraud Risk: Possible ratings for Residual Fraud Risk are “High,” “Medium” and “Low.” A “High” residual rating will almost always be the result of mitigating controls being assessed as less than effective or controls being absent.

• During Step 4.9 fraud risk assessment results are assessed against the Residual Risk Rating Matrix, which is comprised of an Inherent Risk Rating (IRR) scale and a Control Risk Rating (CRR) scale. This provides the Residual Risk Rating for each fraud risk or scheme in terms of “High”, “Medium” and “Low”.
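The scoring chain of steps 3 and 4 (likelihood and significance on 1-5 scales, IRR as their sum banded into High/Medium/Low, a Control Risk Rating from the control design and implementation ratings, then a residual rating read off a matrix and used to prioritise schemes for treatment) can be written out as a small risk-register script. The block below is an added illustration and is not the presenters' or Deloitte's tool. The likelihood and significance scales, the IRR sum and the IRR bands are taken from the slides; the 1-3 scale for CDER/CIER, the "weaker of design and implementation" rule for CRR, the residual risk matrix and the sample schemes are all constructed assumptions, because the deck names those ratings but does not give their scales.

```python
from dataclasses import dataclass

# Rating scales from slides 25 and 26 (1..5).
LIKELIHOOD = {1: "No likelihood", 2: "Little likelihood", 3: "Some likelihood",
              4: "Considerable likelihood", 5: "Very high likelihood"}
SIGNIFICANCE = {1: "Insignificant", 2: "Minor", 3: "Moderate",
                4: "Major Consequences", 5: "Catastrophic Consequences"}

# ASSUMED 1..3 scale for the Control Design Effectiveness Rating (CDER) and
# Control Implementation Effectiveness Rating (CIER); the deck gives none.
CONTROL_RATING = {1: "effective", 2: "partially effective", 3: "ineffective or absent"}

# ASSUMED Residual Risk Rating Matrix: IRR band x CRR -> RRR. Built so that a
# "High" residual rating only arises when controls are weak or absent, which is
# what slide 32 says a High residual rating almost always reflects.
RESIDUAL_MATRIX = {
    "High":   {1: "Medium", 2: "High",   3: "High"},
    "Medium": {1: "Low",    2: "Medium", 3: "High"},
    "Low":    {1: "Low",    2: "Low",    3: "Medium"},
}
RRR_ORDER = {"High": 0, "Medium": 1, "Low": 2}


@dataclass(frozen=True)
class FraudScheme:
    name: str
    likelihood: int    # 1..5, assessed as if no controls were in place
    significance: int  # 1..5, materiality and reputation included
    cder: int          # 1..3 (assumed scale)
    cier: int          # 1..3 (assumed scale)


def inherent_risk_rating(likelihood: int, significance: int) -> int:
    """IRR = likelihood + significance (slide 27), range 2..10."""
    if likelihood not in LIKELIHOOD or significance not in SIGNIFICANCE:
        raise ValueError("likelihood and significance must be integers 1..5")
    return likelihood + significance


def irr_band(irr: int) -> str:
    """Bands from slide 27: 8-10 High, 6-7 Medium, 5 Low. Sums below 5 are
    also treated as Low here; the slide only shows 5 for that band."""
    if irr >= 8:
        return "High"
    return "Medium" if irr >= 6 else "Low"


def control_risk_rating(cder: int, cier: int) -> int:
    """ASSUMED rule: a control is only as good as the weaker of its design
    and its implementation, so the CRR is the worse of CDER and CIER."""
    if cder not in CONTROL_RATING or cier not in CONTROL_RATING:
        raise ValueError("CDER and CIER must be integers 1..3")
    return max(cder, cier)


def residual_risk_rating(band: str, crr: int) -> str:
    """Read the RRR off the (assumed) residual risk matrix."""
    return RESIDUAL_MATRIX[band][crr]


def assess(scheme: FraudScheme) -> dict:
    """Worksteps 6-8 for one scheme: IRR, its band, CRR, RRR and a control-gap
    flag (step 3.8: a control that is absent, badly designed or not implemented)."""
    irr = inherent_risk_rating(scheme.likelihood, scheme.significance)
    band = irr_band(irr)
    crr = control_risk_rating(scheme.cder, scheme.cier)
    return {"name": scheme.name, "irr": irr, "irr_band": band, "crr": crr,
            "rrr": residual_risk_rating(band, crr),
            "control_gap": scheme.cder == 3 or scheme.cier == 3}


def prioritize(schemes, treat_at=("High", "Medium")) -> list:
    """Workstep 9 / step 4.9: names of schemes whose RRR requires treatment,
    most urgent first (by RRR, then by IRR, then by name for determinism)."""
    results = [r for r in map(assess, schemes) if r["rrr"] in treat_at]
    results.sort(key=lambda r: (RRR_ORDER[r["rrr"]], -r["irr"], r["name"]))
    return [r["name"] for r in results]


# Constructed sample register: hypothetical schemes and ratings.
SAMPLE_REGISTER = [
    FraudScheme("Fictitious vendor payments", 4, 4, 1, 2),
    FraudScheme("Premature revenue recognition", 3, 5, 1, 1),
    FraudScheme("Expense reimbursement abuse", 4, 2, 2, 2),
    FraudScheme("Petty cash theft", 3, 1, 1, 1),
    FraudScheme("Management override of journal entries", 2, 5, 3, 3),
]

if __name__ == "__main__":
    for r in map(assess, SAMPLE_REGISTER):
        print(f"{r['name']:<40} IRR={r['irr']:>2} ({r['irr_band']:<6}) "
              f"CRR={r['crr']} RRR={r['rrr']:<6} gap={r['control_gap']}")
    print("Treatment priority:", prioritize(SAMPLE_REGISTER))
```

Running the script ranks "Management override of journal entries" as High residual risk despite a Medium IRR, because both control ratings are at the worst level; "Premature revenue recognition" has the same High IRR as the top scheme but drops to Medium because its controls are effective. That asymmetry is the point of keeping inherent and control ratings separate: the matrix, the CRR rule and the treatment threshold are the places where management's stated risk tolerance (step 4.9) is encoded, so they should be agreed and documented before the register is scored, not tuned afterwards.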

Page 33

4.8 Chart Residual Risk Rating

• Residual fraud risk for each fraud scheme may be plotted on a Residual Risk Chart.

Page 34

4.9 Prioritize FRA Results

• Management must decide what its risk tolerance attitude or appetite is based upon the residual fraud risk assessment results and decide how it wishes to prioritize and address identified residual fraud risks requiring treatment.

• Management actions to address fraud risk should be detailed in a risk mitigation or Fraud Risk Action Plan. In addition to control improvement actions, the plan should also detail specific personnel responsible for implementing control improvements and an implementation timetable.

Page 35

Key Worksteps - 5. Risk Treatment

10) Prepare a Fraud Risk Action Plan to treat and mitigate fraud risk schemes requiring attention.

11) Implement Fraud Risk Action Plan.

Page 36

5. Risk Treatment

• 5.10 Prepare a Fraud Risk Action Plan to treat and mitigate fraud risk schemes requiring attention.

Controls should be implemented or enhanced for identified fraud schemes where controls are not already present, inadequately designed or poorly implemented.

These control enhancements to address fraud schemes should be detailed in a Fraud Risk Action Plan. In addition to control improvement actions, the plan should also detail specific personnel responsible for implementing control improvements and an implementation timetable.

Improvement actions contained in the Fraud Risk Action Plan may be actions to improve the antifraud program of the entity or address specific fraud scheme control deficiencies, depending on the scope of the fraud risk assessment.

Page 37

5. Risk Treatment

• 5.11 Implement Fraud Risk Action Plan

Ensure overall responsibility is assigned to a senior manager to monitor control implementation as detailed in the Fraud Risk Action Plan.

This responsibility could be defined in the Fraud Control Policy of the entity or specified elsewhere.

The Audit Committee should oversee the entire process.

Page 38

Member of Deloitte Touche Tohmatsu