iia presentation - memphis

Post on 07-Apr-2018


8/4/2019 IIA Presentation - Memphis

http://slidepdf.com/reader/full/iia-presentation-memphis 1/178

David D Varner & Company

"Conducting A Fraud Risk Assessment & Implementing A Detection Methodology Using ACL"

Institute Of Internal Auditors

Memphis Chapter

12/05/08


Topics We'll Explore...

Fraud Risk & Organizational Relationships
Data Compilation & Analysis Techniques
Implementing & Optimizing ACL for Fraud Detection
Fraud Detection Methodologies
Whistle Blower Programs
Fraud Examination & Event Response Techniques
Interviewing & Interrogation Techniques
Management Communications
Do's & Don'ts


Workshop Objectives...

understand the key components of a fraud risk assessment
evaluate and define fraud risk elements by business unit and business process
develop a fraud risk scoring and weighting methodology
develop effective surveys and questionnaires and execute effective interviews
create an efficient data compilation and analysis process
write a persuasive fraud risk assessment report
understand the components of an effective deterrence methodology
identify red flags and other indicators of fraud
develop an effective fraud examination and event response strategy
communicate with Management about fraud risks and events


How We're Going To Get There...

Lecture
Exercises
Case Studies & Articles
Videos & Clips
Active Discussion


How We're Going To Get There...

Risk Assessment
Deterrent Mechanisms
Detection Methodologies
Communication Protocols


Disclaimer...

This is not legal advice!
This is not tax advice!
This is not medical advice!
NOR is it relationship advice!
You will not sue me!


Who Is Your Speaker?

MBA - Elon University
BS Accounting - UNCG
Certified Internal Auditor
Certified Financial Services Auditor
Certified Fraud Examiner
Certified Management Accountant
Certified Financial Manager


Who's In The Audience?

Who Are You?
Where Do You Work?
What Do You Do There?


4 Ground Rules

If you have a question... stop me & ask!
You have to laugh at least once!
Share your experiences!
There are absolutely no absolutes in fraud


Let's Get Started!


"Understanding The Components Of A Fraud Risk Assessment"

Module 1.1


Components

Types Of Fraud
Main Players
Risk Factors
Assessment Model


Broad Fraud Categories

Asset Misappropriation - Any scheme that involves theft or misuse of organizational assets.

Corruption - Any scheme in which an individual uses their influence to obtain an unauthorized benefit contrary to their organizational duty.

Financial Statement Misrepresentation - Falsification of the organization's financial statements to make it appear more or less profitable.


Asset Misappropriation

Asset Misappropriation

Non-Cash

Disbursements

Cash


Asset Misappropriation: Cash

Larceny

Skimming

Cash On Hand

From The Deposit

Sales

Receivables

Refunds

Unrecorded

Understated

Write-Off Schemes

Lapping Schemes

Unconcealed


Asset Misappropriation

Non-Cash

Misuse

Larceny

Asset Requisitions

Asset Transfers

False Sales & Shipping

Purchasing & Receiving

Unconcealed Larceny


Asset Misappropriation: Fraudulent Disbursements

Billing Schemes

Payroll Schemes

Expense Reimbursements

Check Tampering

Register Disbursements

Shell Company
Non-accomplice Vendor
Personal Purchases

Mischaracterized Expenses
Overstated Expenses
Fictitious Expenses
Multiple Reimbursements

Ghost Employees
Commission Schemes
Worker's compensation
Falsified Wages

Forged Maker
Forged Embezzlement
Altered Payee
Concealed Checks
Authorized Maker

False Voids
False Refunds


Corruption

Corruption

Bribery

Illegal Gratuities

Conflicts of Interest

Economic Extortion


Corruption

Conflicts Of Interest

Sales Schemes

Purchases Schemes


Corruption

Bribery

Bid Rigging

Invoice Kickbacks


Common Model

[Figure: grid of Impact (Low to High) against Probability (Low to High), divided into Low Risk, Medium Risk and High Risk zones, with X marks plotted for "What Can Go Wrong?"]


Common Model

It's OK
Works well for a single unit or single process
Hard to compare to other units or processes
Does not work well when assessing large organizations with complex processes that overlap


Financial Statement Misrepresentation

Financial Statement Misrepresentation

Asset/Revenue over/under

Timing Differences

Fictitious Revenues

Concealed Liabilities & Expenses

Improper Disclosures

Improper Asset Valuations


Main Players

Business Units
Business Processes

Individuals


Main Players

Business Processes

Business Units

Individuals


Risk Factors

Macro Factors
Micro Factors


Macro Risk Factors

Internal Control Environment
Incentive Systems
"Tone At The Top"


Micro Risk Factors

Opportunity - Is there something to steal?

Means - Can somebody steal it?

Motivation - Would somebody steal it?

Severity - How bad would it be?


Simple Assessment Model

Business Processes

Business Units

Individuals

Macro Factors

Micro Factors

Weight X Raw Score = Risk Ranking


Why Should I Complete A Fraud Risk Assessment?

It's expensive
It's time consuming
I don't want to know
Management doesn't see value
Our employee "Family" is honest
We don't hire thieves
People are generally "good"


Exercise 1.1

"ACFE Fraud Prevention Check-Up"


"Understanding Fraud Risk & Organizational Relationships"

Module 1.2


Where's Most Of The Risk At?

Asset Misappropriation
Corruption
Financial Statement Misrepresentation

Senior Management
Middle Management
Employees


FACT:

"Fraud Risk has an inherent relationship to the dynamics and structure of an Organization."


Question:

"What impacts the relationship between Fraud Risk and an Organization the most?"


Answer:

"Degree of Goal Congruence"


What Is Goal Congruence?

"Consistency or agreement of individual actions with organizational goals."

What is the individual's motivation?


Degree Of Goal Congruence

[Figure: Organization, Employees, Management; 100%]


Degree Of Goal Congruence

[Figure: Organization, Employees; 75%]


Degree Of Goal Congruence

[Figure: Organization; 75%, 75%]


Degree Of Goal Congruence

[Figure: Organization; Management 0%; 75%; "ENRON?"]


Rule Of Thumb:

"The tighter the degree of Goal Congruence the less likely it is that fraud will occur."


How To Measure Goal Congruence

Not an exact science
Heavy on qualitative factors
Can be supported by quantitative factors
Factors either increase or decrease the degree of Goal Congruence proportionately
Factors are subjective to your organization
Cannot be compared between two organizations


How To Measure Goal Congruence

Incentive Systems
Specific Behaviors
Specific Decisions
Other?


Simple... Right?


Exercise 1.2

"Assessing Organizational Goal Congruence"


"Evaluating & Defining Fraud Risk By Business Unit & Business Process"

Module 1.3


Remember the Players?

Business Processes

Business Units

Individuals

Macro Factors

Micro Factors

Weight X Raw Score = Risk Ranking


Setting Up The Playing Field

Take an inventory of the organization's business units and business processes.
Establish weights (High, Medium, Low) to incorporate the business unit's impact on the business process.
Establish a scale (1-25) to assess each Micro Risk Factor.
Assess a raw score for each risk factor for each business process.
Add them up.
Apply appropriate weighting to the total for each business unit.


Setting Up The Playing Field

[Grid: Business Process "A", Business Process "B" and Business Process "c" against Business Unit "1", Business Unit "2" and Business Unit "3"]


Micro Risk Factors

Opportunity - Is there something to steal?

Means - Can somebody steal it?

Motivation - Would somebody steal it?

Severity - How bad would it be?


Setting Up The Playing Field

Micro Risk Factor Raw Score

Opportunity 25

Means 25

Motivation 25

Severity 25

Total 100


Setting Up The Playing Field

[Grid: Business Processes "A", "B", "c" against Business Units "1", "2", "3". Business processes shown: Pay Invoices, Manufacture Product, Sell Product. Business units shown: Sales Management, Accounts Payable, Production Department. Raw Score = 100, Raw Score = 80, Raw Score = 40. Cell weights: .33, .66, .100, .0, .100, .0, .100, .0, .0. Weighted cell scores: 33, 66, 100, 40, 80, 0, 0, 0, 0.]


"Executing (no pun intended) The Fraud Risk Assessment"

Module 1.4


Key Points

Remember there are absolutely no absolutes in fraud
Every organization is different
The initial process is very qualitative
Allow the process to evolve into something quantitative
You'll have to use judgment and interpretation
You can make it simple or complex
There are no right or wrong answers... just information to analyze
Incrementally work from BROAD to NARROW
Easier than you might think


Primary Steps

Determine the level of precision needed
Identify tools & resources
Collect & compile Information
Distil the Information
Interpret & Apply


Level Of Precision

[Scale: Wild Guess, Happy Medium, Darn Near Clairvoyant]


Tools & Resources

Interviews
Surveys & Questionnaires
Process Documentation (Examples: ISO, SOX)
Management Reports (Examples: Budget Reports, Production Reports, Salary Data, 10Q/K, Internal Audit Reports)
Professional Experience


Collect & Compile

Identify the information source
Extract the data
Dissect the data into its components
Organize the components
Define the data elements


Distil

What data elements are important?
How does the data element relate to the risk factor?
What does the data element tell me that I don't already know?

Objective: "To translate the abstract into something definitive."


Interpret & Apply

Organize the data elements
Consider their impact on each risk factor
Determine what can go wrong
Determine the level of risk for each risk factor in broad terms (High, Medium, Low)
Determine the level of risk for each risk factor numerically
Document logic and rationale in narrative format (Important).


Interpret & Apply

[Grid: Business Processes "A", "B", "c" against Business Units "1", "2", "3". Business processes shown: Pay Invoices, Manufacture Product, Sell Product. Business units shown: Sales Management, Accounts Payable, Production Department. Weighted cell scores: 33, 66, 100, 40, 80, 0, 0, 0, 0. Each cell is also rated L, M or H: five cells L, two cells M, two cells H.]


Wait A Minute! What About The Macro Factors

We didn't forget about them
They apply to the risk assessment as a whole
Much easier to assess
Illustrated graphically
Much more of a yes/no assessment
Document logic and rationale in narrative format (Important).


Macro Factor Assessment

[Figure: Incentive System, Internal Control Environment and "Tone" At The Top each placed on a scale from 1 to 100 (midpoint 50), with markers A, B and C]


Exercise 1.3

"Completing A Fraud Risk Assessment"


"Writing A Persuasive Fraud Risk Assessment Report"

Module 1.5


Obstacles

You've got a lot of "stuff" to write about
Someone somewhere isn't going to be happy with the report
It "forces" Management to make a decision
It would be a lot easier if you could just present it in a spread sheet


Report Structure

Brief intro
Graphical summaries
Light Commentary
Recommendations
Appendix
  - Detailed assessment methodology
  - Supporting narratives


CAUTION

CLM AH

EAD


The Conundrum

You MUST provide Management options

By completing the Risk Assessment, you've backed Management into a corner and now they're "forced" to make a decision


The Options

Management can avoid the risk
Management can transfer the risk
Management can mitigate the risk
Management can accept the risk

Inaction is the same as accepting the risk!


Option "1"

"Avoid"

Management may decide to avoid a risk by eliminating an asset if the control measures required to protect against an identified threat are too expensive.


Option "2"

"Transfer"

Management can transfer its risk, or at least a significant portion of a risk, by purchasing fidelity insurance or a bond.


Option "3"

"Mitigate"

Management can appropriate countermeasures such as preventive and detective controls.


Option "4"

"Assume"

Management may decide that it's more cost effective to assume the risk, rather than eliminate the asset, buy insurance to transfer the risk, or implement countermeasures to mitigate the risk.


Tips

Don't write a separate executive summary
The first couple of pages should be heavy with graphics
Relate risk rankings to supporting narratives in a linear fashion
If needed, use passive voice to sound less accusatory
Provide Management with options at the end of the report


"Recap"


"Understanding The Components Of An Effective Deterrence Methodology"

Module 2.1


"The value of an internal audit report is a function of what it prevents not what it detects!"


Types Of Deterrence

Passive Deterrence - Relies on individuals, processes, or systems performing routine tasks.

Active Deterrence - Engages individuals, processes, or systems to perform a specific task.


Passive Deterrence

Job Rotation
Mandatory Vacation
Whistleblower Hotline
Employee Support Programs
Internal Audit / Fraud Department
Anti-Fraud Policy
Code of Conduct
Independent Audit Committee
Management Certification of F/S


Active Deterrence

Surprise Audits
Fraud Training for Managers & Executives
Fraud Training for Employees
External Audit of ICOFR
Management Review of IC
External Audit of F/S
Prosecution of Offenders


"Developing an effective deterrence methodology is like making a soup"

You start with a recipe
You add some basic ingredients
You turn on the heat
You have a little taste
You add some more ingredients
You have another taste
You experiment until it's just right


Key Components

Deterrence Mechanism
  - Passive
  - Active
Feedback Mechanism
Evaluation Mechanism
Adjustment Mechanism


Exercise 2.1

"Developing An Effective Deterrence Methodology"


"Implementing An Effective Whistle Blower Program"

Module 2.2


Why A Whistle Blower Program?

1. Tip
2. Accident
3. Internal Audit
4. Internal Control
5. External Audit
6. Police Investigation


Types of Whistle Blower Programs

Hotlines
Electronic
Mail


Characteristics Of An Effective Whistle Blower Program

Backed By Policy
Anonymous
Easily Accessed
Incentivized
Advertised
Filtering Mechanism


How Do You Think They Rank?

[Table: Hotline, Electronic and Mail each rated with + and - marks against Backed By Policy, Anonymous, Easily Accessed, Incentivized, Advertised and Filtering Mechanism]


The Bottom Line...

If you want to deter or catch fraud, you must have an effective whistle blower program!


"Tone At The Top"

Video 1.1


"Recap"


What Is A Fraud Detection Methodology?

It's the processes and systems employed to detect the types of fraud an organization is at risk for.


Components

Risk Matrix
System/Data Source
Automated Tool
Manual Tool
Linking Mechanism
Procedure Inventory
Analysis Schedule
Reporting Procedure


Risk Matrix

Inventory of potential frauds by business unit or business process
Spring board off of the fraud risk assessment
Doesn't consider the risk of occurrence


Automated Tools/Systems

ACL
Idea
Excel
Access
Home Grown
Other?

Oracle
SAP
JD Edwards
Home Grown
Other?


Automated Tools/Systems

[Figure: System, Tool, Manual Procedure, Linking Mechanism, Data]


Procedure Inventory

Lists all of the procedures to be performed
Matches the risk to the proper procedure
Maps the data source to the procedure
Indicates the frequency of the procedure


Analysis Schedule

Different from the procedure frequency
Can be daily, weekly, monthly, or quarterly


Reporting Procedures

Who will get the report
What will the report look like
When will the report be issued
Where will the report come from
How will the report be created


Tying It All Together

Risk

Analysis

Reporting

Data

Tool

Procedure


"Government Fraud"

Video 1.1


"Identifying Indicators Of Fraud (Red Flags)"

Module 3.2


What is a red flag?

A red flag is a set of circumstances that are unusual in nature or vary from the normal activity. It is a signal that something is out of the ordinary and may need to be investigated further. Remember that red flags do not indicate guilt or innocence but merely provide possible warning signs of fraud.


Types Of Indicators

Employee
Management
General Behavior
Cash/Accounts Receivable
Payroll
Purchasing/Inventory


Employee

Employee lifestyle changes: expensive cars, jewelry, homes, clothes
Significant personal debt and credit problems
Behavioral changes: these may be an indication of drugs, alcohol, gambling, or just fear of losing the job
High employee turnover, especially in those areas which are more vulnerable to fraud
Refusal to take vacation or sick leave
Lack of segregation of duties in the vulnerable area


Management

Reluctance to provide information to auditors
Managers engage in frequent disputes with auditors
Management decisions are dominated by an individual or small group
Managers display significant disrespect for regulatory bodies
There is a weak internal control environment
Accounting personnel are lax or inexperienced in their duties
Decentralization without adequate monitoring
Excessive number of checking accounts
Frequent changes in banking accounts
Frequent changes in external auditors
Company assets sold under market value
Significant downsizing in a healthy market
Continuous rollover of loans
Excessive number of year end transactions
High employee turnover rate
Unexpected overdrafts or declines in cash balances
Refusal by company or division to use serial numbered documents
Compensation program that is out of proportion
Any financial transaction that doesn't make sense - either common or business
Service Contracts result in no product
Photocopied or missing documents


General Behavior

Borrowing money from co-workers
Creditors or collectors appearing at the workplace
Gambling beyond the ability to stand the loss
Excessive drinking or other personal habits
Easily annoyed at reasonable questioning
Providing unreasonable responses to questions
Refusing vacations or promotions for fear of detection
Bragging about significant new purchases
Carrying unusually large sums of money
Rewriting records under the guise of neatness in presentation


Cash/Accounts Receivable

Excessive number of voids, discounts and returnsUnauthorized bank accountsSudden activity in a dormant banking accountsCustomer complaints that they are receiving non-payment noticesDiscrepancies between bank deposits and posting

Abnormal number of expense items, supplies, or reimbursement tothe employeePresence of employee checks in the petty cash for the employee incharge of petty cashExcessive or unjustified cash transactionsLarge number of write-offs of accounts

Bank accounts that are not reconciled on a timely basis

Payroll

Inconsistent overtime hours for a cost center
Overtime charged during a slack period
Overtime charged for employees who normally would not have overtime wages
Budget variations for payroll by cost center
Employees with duplicate Social Security numbers, names, and addresses
Employees with few or no payroll deductions

Purchasing/Inventory

Increasing number of complaints about products or service
Increase in purchasing inventory but no increase in sales
Abnormal inventory shrinkage
Lack of physical security over assets/inventory
Charges without shipping documents
Payments to vendors who aren't on an approved vendor list
High volume of purchases from new vendors
Purchases that bypass the normal procedures
Vendors without physical addresses
Vendor addresses matching employee addresses
Excess inventory and inventory that is slow to turnover
Purchasing agents that pick up vendor payments rather than have it mailed

"Lost In Translation"

How do we go from Qualitative Indicators to a Quantitative Metric?

Suggestions

Determine what the red flag would impact
  - Account
  - Business Unit
  - Business Process
  - Functional area
Determine what the red flag's effect would be
Determine what metrics are available
Decide which is "most" intuitive

Examples

Invoices for the same amount
Invoices with sequential invoice numbers
Payment address zip codes are within a certain radius of the organization
Invoices submitted by outside locations
A new vendor is set up
Vendor type does not match account code
Payments fall just below the threshold requiring two signatures
Vendor address matches employee address
Vendors with more than one vendor code or payment address
Vendors with only PO Boxes
One time vendors
Reconciling differences between the G/L and bank statements
Vendor account modification
Wire/ACH transactions
Large invoices (>$25,000.00) processed within 15 days of quarter-end close
Budget variances within purchase accounts are excessive
New hires
Terminations
Large payments/bonuses
Manual checks
Payroll bank account reconciling items
Odd journal entries appear within the GL
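Added example (not part of the original presentation, and Python rather than ACL script): five of the tests listed above, written as quantitative checks over constructed accounts-payable records. The two-signature limit, the 5% "just below" band, calendar-year quarters, the grouping of same-amount invoices by vendor, and all sample data are assumptions.

```python
from collections import defaultdict
from datetime import date, timedelta
# Constructed sample data; none of it comes from the presentation.
EMPLOYEES = [{"id": "E1", "address": "12 Oak St., Memphis TN 38103"}]
VENDORS = {
    "V100": "500 Industrial Blvd, Memphis TN 38118",
    "V200": "12 OAK ST MEMPHIS TN 38103",
    "V300": "P.O. Box 771, Memphis TN 38101",
}
INVOICES = [  # (invoice number, vendor code, amount, processing date)
    ("1001", "V100", 4800.00, date(2008, 5, 2)),
    ("1002", "V100", 4800.00, date(2008, 5, 9)),
    ("1003", "V200", 9950.00, date(2008, 6, 3)),
    ("1004", "V300", 31000.00, date(2008, 6, 20)),
    ("1005", "V100", 26000.00, date(2008, 4, 20)),
]
TWO_SIGNATURE_LIMIT = 10000.00  # assumed; use the organization's real limit
NEAR_LIMIT = 0.05               # assumed meaning of "just below": within 5%

def norm(address):
    """Uppercase, drop punctuation, collapse spaces so addresses compare."""
    kept = "".join(c for c in address.upper() if c.isalnum() or c == " ")
    return " ".join(kept.split())

def quarter_end(d):
    """Last day of the quarter containing d (calendar-year quarters assumed)."""
    last_month = ((d.month - 1) // 3 + 1) * 3
    first_of_next = date(d.year + (last_month == 12), last_month % 12 + 1, 1)
    return first_of_next - timedelta(days=1)

def run_tests(invoices, vendors, employees):
    """Return {invoice number: sorted red-flag names} for flagged invoices."""
    flags, by_vendor_amount = defaultdict(set), defaultdict(list)
    employee_addresses = {norm(e["address"]) for e in employees}
    for number, vendor, amount, processed in invoices:
        by_vendor_amount[(vendor, amount)].append(number)
        address = norm(vendors[vendor])
        if TWO_SIGNATURE_LIMIT * (1 - NEAR_LIMIT) <= amount < TWO_SIGNATURE_LIMIT:
            flags[number].add("just_below_two_signature_threshold")
        if amount > 25000 and (quarter_end(processed) - processed).days <= 15:
            flags[number].add("large_invoice_near_quarter_end")
        if address in employee_addresses:
            flags[number].add("vendor_address_matches_employee")
        if address.startswith("PO BOX"):
            flags[number].add("po_box_only_vendor")
    for numbers in by_vendor_amount.values():  # same vendor and amount, 2+ times
        for number in numbers if len(numbers) > 1 else []:
            flags[number].add("same_amount_invoices")
    return {number: sorted(names) for number, names in flags.items()}
```

Each flagged invoice carries the names of the tests it tripped, so the number of flags per invoice can serve as a simple ranking for follow-up.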


"Webne Interview"

Video 1.2


"Optimizing ACL For Fraud Detection"

Module 3.3

Optimizing ACL

Transfer the data into ACL
Apply the procedures
Not as simple as it looks!

Optimizing ACL

[Diagram labels: System, ACL, Manual Procedure, Linking Mechanism, Data]

Optimizing ACL

[Diagram labels: ACL, Suspect Items, Red Flag, Risk, Data, Apply Expression, Apply Script]

Case Study - XYZ INC.

Current Client
Manufacturer
International Operations
Implemented ACL To Detect Fraud For A/P & Payroll
Use SAP
Use Direct Link

XYZ INC.

[Diagram labels: ACL, Suspect Items, Red Flag, Risk, Data, Apply Expression, Apply Script]

100% Automated

XYZ INC.

Set Up
  - Table Fields
  - ACL Queries
  - Test Summaries

"Introduction To ACL"

Module 3.4

Basic Training

Data Import
Sampling Tools
Analysis Tool
Functions
Expressions
Scripts

"ACL"

Video 1.4

"ACL"

Video 1.5

"Recap"

"Responding To A Fraud Event"

Module 3.5


Characteristics Of An Effective Event Response Strategy

Clearly defined roles and responsibilities
Procedures for securing evidence
Timetable of critical events
Initial action plan

"Conducting The Fraud Exam"

Module 3.6

You've used ACL and analyzed all of the data, and now you think there may be fraud...

What do you do?

Caution!

If you are unsure of what to do, call a professional.
There can be EXTREME repercussions if you make a mistake!

Basics

Analyzing Documents
Interviewing
Covert Operations
Information Sources

Analyzing Documents

Chain Of Custody
Obtaining Documentary Evidence
Examining Fraudulent Documents
Types Of Forensic Documents
Handling Documents As Physical Evidence
Identifying Writings
The Document Expert's Findings
How To Obtain Handwriting Samples
Typewriters and computer Printers
Photocopies
"Dating" A Document
Indented Writings
Counterfeit Printed Documents
Fingerprints

Interviews

Preparation
Characteristics Of A Good Interview
Characteristics Of A Good Interviewer
Question Typology
Legal Elements Of Interviewing
Elements Of Conversations
Inhibitors Of Communication
Facilitators Of Communication
Introductory Questions
Informational Questions
Kinesic Interview And Interrogation
Criteria-Based Statement Analysis
The Cognitive Interview Technique

Covert Operations

Establishing An Identity
Objectives
Problems In Covert Operations
Entrapment
Surveillance
Sources And Informants
Use Of Operatives

Sources Of Information

City Government
County Government
State Government
Federal Government
Commercial Sources
Credit Records
Commercial Databases And Research Services
Directories
Banks And Financial Institutions
International Organizations
Miscellaneous Sources
Online Services

"Communicating With Management"

Module 4.1

Now What?

You warned management about potential fraud
You helped set up a deterrent mechanism
You employed a detection methodology using ACL
You found something suspicious
You investigated it
You determined it WAS fraud

Characteristics Of An Effective Report

Clear
Impartial
Relevant
Chronological
Cause & Effect
Reader Friendly
Timely

Writing the report

Understand the reader
State the facts
Make your "case"
Support it with evidence
No accusations
Avoid opinions
Make a self evident conclusion

Presenting Evidence

Avoid long written explanations
Use graphics where possible
  - Timelines
  - Correlations
  - Patterns

Timelines


Correlations


Patterns


Do's

Understand your local laws
Call in experts if needed
Limit the dissemination of information
Make sure the PC and all other storage devices/mechanisms are secured with controlled access
Involve legal counsel

Don'ts

Don't boot the PC
Don't boot the PC
Don't boot the PC
Don't Assume
Don't draw a conclusion as to guilt or innocence

"A Few Good Expenses"

Video 1.6
