Fraud Risk Assessment - ACUA

1 1 Office of Internal AuditACUA 2013 Annual ConferencePresented by:Lori Tesch CPA, CFE, CFF, CGMAD irector, Forensic Audits Fraud Risk Assessment1 September 2013 Understand what a Forensic/ Fraud Risk Assessment is and it s key elements Discuss the development and design of an effective Assessment Examine tools for executing the Assessment report results Incorporate results into the Audit Plan and sustain the program Objectives2 September 2013 Definitions3 Fraud Risk Organization s vulnerability to overcoming the three elements of Fraud Internal and external sourcesSeptember 20132 Definitions4 Fraud Risk AssessmentProcess to identify where Fraud may occur and who may be committing itSeptember 2013 Identifying Fraud5 September 2013 Identify the Fraudster6 September 20133 Key Elements7 Identify inherent Fraud risk Assess likelihood and significance Respond to reasonably likely and significant inherent and residual Fraud risksSeptember 2013 What makes a good Fraud Risk Assessment ?

2 8 Understand where it falls within an Effective Anti- Fraud ProgramCode of EthicsFraud Prevention PoliciesCommunication & TrainingControls MonitoringFraud Response PlanFraud Risk AssessmentSeptember 20139 What makes a good Fraud Risk Assessment ? Necessary ElementsCollaborationThe Right SponsorIndependence & ObjectivityWor ki ng Knowledge of BusinessTrustAccess to All PeopleThink the UnthinkableSustainabilitySeptember 20134 Development and Design10 Package it right One size does NOT fit all Keep it simpleSeptember 2013 Development and Design11 Prepare the Organization Team Technique Agreement EducateSeptember 2013 Team12 Accounting & FinanceInternal AuditNonfinancial/ OperationsRisk ManagementExternal ConsultantsGeneral CounselEthics or ComplianceBusiness LeadersSeptember 20135 Technique13 Survey Interview Facilitated SessionSeptember 2013 Agreement and Education14 Obtain sponsor s agreement Educate the employees Promote the processSeptember 2013 Assessing Possible Risks15 Likelihood Significance People/departmentSeptember 20136 Online Resources16 Prevention Checkup - ACFEM anaging the Business Risk of FraudCGMA Fraud Risk ManagementSeptember 2013 Tools17 Survey Software Questionnaire

3 Self-AssessmentSeptember 2013 report Results18 report objective not subjective - results KISS Focus on what really matters Identify clear and measurable actionsSeptember 20137 report Results19 September 2013 Reporting20 September 2013 Reporting21 September 20138 Reporting22 September 2013 Reporting23 September 2013 Incorporate with Audit Process24 Combine results Focus on high priority risks Design test proceduresSeptember 20139 Sustain the Program25 Begin a dialogue across the organization Continue to look for Fraud in high risk areas Hold responsible parties accountable Monitor key controlsSeptember 2013 Final Thoughts261. There is no standard2. Just like a Fraud investigation, no two are alike3. Ongoing, continuous processSeptember 2013 Final Thoughts27 September 201310 Final Thoughts28 September 2013 Final Thoughts29 September 2013 Auditor Humor5 In God we trust, everybody else gets audited304 What do you call an Auditor without an opinion?3 We re not happy until you re not happy2 If your mother tells you she loves check it out1 There were Thirteen before the auditor questioned three of themI don t know, I ve never heard of oneSeptember 20131131 September 2013 Page 1 of 2 Fraud RISK Assessment FORM Identified Fraud risks and Schemes1 Likelihood2 Significance3 People and/or Department4 Existing Anti- Fraud Controls5 Controls Effectiveness Assessment6 Residual Risks7 Fraud Risk Response8 FINANCIAL REPORTING: MISAPPROPRIATION OF ASSETS: CORRUPTION: Page 2 of 2 1.

4 Identified Fraud risks and Schemes: This column should include a full list of the potential Fraud risks and schemes that may face the organization. This list will be different for different organizations and should be formed by discussions with employees and management and brainstorming sessions. 2. Likelihood of Occurrence: To design an efficient Fraud risk management program, it is important to assess the likelihood of the identified Fraud risks so that the organization establishes proper anti- Fraud controls for the risks that are deemed most likely. For purposes of the Assessment , it should be adequate to evaluate the likelihood of risks as remote, reasonably possible, and probable. 3. Significance to the Organization: Quantitative and qualitative factors should be considered when assessing the significance of Fraud risks to an organization. For example, certain Fraud risks may only pose an immaterial direct financial risk to the organization, but could greatly impact its reputation, and therefore, would be deemed to be a more significant risk to the organization.

5 For purposes of the Assessment , it should be adequate to evaluate the significance of risks as immaterial, significant, and material. 4. People and/or Department Subject to the Risk: As Fraud risks are identified and assessed, it is important to evaluate which people inside and outside the organization are subject to the risk. This knowledge will assist the organization in tailoring its Fraud risk response, including establishing appropriate segregation of duties, proper review and approval chains of authority, and proactive Fraud auditing procedures. 5. Existing Anti- Fraud Internal Controls: Map pre-existing controls to the relevant Fraud risks identified. Note that this occurs after Fraud risks are identified and assessed for likelihood and significance. By progressing in this order, this framework intends for the organization to assess identified Fraud risks on an inherent basis, without consideration of internal controls. 6. Assessment of Internal Controls Effectiveness: The organization should have a process in place to evaluate whether the identified controls are operating effectively and mitigating Fraud risks as intended.

6 Organizations should consider and review what monitoring procedures would be appropriate to implement to gain assurance that their internal control structure is operating as intended. 7. Residual risks : After consideration of the internal control structure, it may be determined that certain Fraud risks may not be mitigated adequately due to several factors, including (a) properly designed controls are not in place to address certain Fraud risks or (b) controls identified are not operating effectively. These residual risks should be evaluated by the organization in the development of the Fraud risk response. 8. Fraud Risk Response: Residual risks should be evaluated by the organization and Fraud risk responses should to address such remaining risk. The Fraud risk response could be implementing additional controls and/or designing proactive Fraud auditing techniques. ACFE Fraud Risk Assessment Instructions The Fraud Risk Assessment consists of 15 modules, each containing a series of questions designed to help organizations zoom in on areas of risk.

7 The Fraud professional and the client or employer should begin the risk Assessment process by working together to answer the questions in each module. It is important that the client or employer select people within the organization who have extensive knowledge of company operations, such as managers and internal auditors, to work with the Fraud professional. Upon completion of all of the questions, the Fraud professional should review the results of the Assessment with the client or employer in order to: Identify the potential inherent Fraud risks . Assess the likelihood and significance of occurrence of the identified Fraud risks . Evaluate which people and departments are most likely to commit Fraud and identify the methods they are likely to use. Identify and map existing preventive and detective controls to the relevant Fraud risks . Evaluate whether the identified controls are operating effectively and efficiently. Identify and evaluate residual Fraud risks resulting from ineffective or nonexistent controls.

8 Respond to residual Fraud risks . The Fraud Risk Assessment may reveal certain residual Fraud risks that have not been adequately mitigated due to lack of, or non-compliance with, appropriate preventive and detective controls. The Fraud professional should work with the client to develop mitigation strategies for any residual risks with an unacceptably high likelihood or significance of occurrence. Responses should be evaluated in terms of their costs versus benefits and in light of the organization's level of risk tolerance. Be aware, however, that this Assessment only provides a snapshot of a particular point in time. The dynamic nature of organizations requires routine monitoring and updating of their financial risk Assessment processes in order for them to remain effective. These questions are provided as a guide only. The user is free to modify the questions as appropriate to match the size and structure of the organization. Additional information on Fraud risk Assessment may be obtained from: ACFE's Fraud Resources Fraud Examiners Manual Corporate Fraud Handbook, Third Edition, by Joseph T.

9 Wells The ACFE would like to thank Larry Cook, CFE, for his invaluable contribution to the Fraud Risk Assessment . The Fraud Risk Assessment was originally developed by Mr. Cook, and we thank him for allowing us to build upon his foundation and share his Assessment process with our members. Copyright Notice: The modules and the questions are the property of the Association of Certified Fraud Examiners. The ACFE grants its members the right to use these modules and questions for their own use, or for the use of their clients or employers. Neither, these modules, nor any part thereof, may be sold in whole or in part unless as part of consulting or Fraud examination services to a client or employer. Modules 1 - Employee Assessment 2 - Management/Key Employee Assessment 3 - Physical Controls 4 - Skimming Schemes 5 - Cash Larceny Scheme 6 - Check Tampering Schemes 7 - Cash Register Schemes 8 - Purchasing and Billing Schemes 9 - Payroll Schemes 10 - Expense Schemes 11 - Theft of Inventory and Equipment 12 - Theft of Proprietary Information 13 - Corruption 14 - Conflicts of Interest 15 - Fraudulent Financial Reports 2013 Survey Software Review Rank#1#2#3#4#5#6#7#8#9#10 10-9 8-6 5-4 3-2 1-0 ExcellentGoodAveragePoorBadThe SurveySystemKeyPointSurveyGoldSurvey CrafterProfessionalStatPacSurveyProSurve yMonkeyiMagic SurveyDesignerSurvey SaidSurvey Toolsfor Windows10987654321 Overall RatingSurvey CreationSurvey AnalysisSurvey AdministrationEase of UseHelp & Product CostPricing$999$777*$100$495$495$1.

10 995$780**$149$199$695 Survey CreationCreate Custom QuestionsMultiple Choice SingleResponseMultiple Choice MultipleResponsesQuestion MatrixCommentSample SurveysSkip Pattern/ BranchingRequire AnswersRatingRestrict AccessCurb Ballot Box StuffingRankingSave Incomplete SurveysStock QuestionsCustom DesignRespondents Can UpdateAnswers Survey AnalysisGraphsBarPieLinePercentagesCross TabulationsFiltersPrint ResultsMeanMedianModeMaximum ValueMinimum ValueStandard DeviationFrequency TablesBanner TabulationsCorrelation Matrices Survey AdministrationOnlinePaperInterviewEmail Import/ExportExport ResultsExport SurveyImport ResultsImport Survey Help & SupportEmailUser Manual or GuidePhoneTutorialsFAQs Supported ConfigurationsWindows 8 Windows 7 Windows VistaWindows XPMac OSBASICFreeDESIGN FEATURES 10 questions per survey 100 responses per surveyNo white-label surveysEasy-to-use web-based survey tool31 survey templates15 types of questionsAll languages supported (Unicode)No page logicNo question logicNo random assignmentNo question & answer pipingNo question randomizationNo theme customizationNo survey brandingRandomize & sort answer choices15 pre-set visual themesSurvey completion progress barAuto-numbering for pages & questionsValidate/require survey responsesFully accessible & 508 compliantNo custom redirect upon survey completionNo custom "thank-you" pageNo printable PDF versionCOLLECTION FEATURESSend out your survey via weblink, email, or TwitterSELECT$17 per month** Billed $204 annuallySee monthly plan DESIGN FEATURESU nlimited questions Unlimited responsesNo white-label surveysEasy-to-use web-based survey tool51 survey templates15 types of questionsAll languages supported (Unicode)