ACCA-IIA Singapore Seminar 2015 Part 3 Fraud Risk Assessment
1. ACCA-IIA Singapore Seminar Part 1
Part 3 Fraud Risk Management
Leveraging your internal control process to
prevent and manage internal fraud
Tuesday, 6 October 2015
9:00am – 5:00pm
2. Principle 2
Fraud risk exposure should be assessed
periodically by the organization to
identify specific potential schemes and
events that the organization needs to
mitigate.
3. Key Principles
1. Fraud Risk Management Program
2. Fraud Risk Assessment
3. Fraud Prevention
4. Fraud Detection
5. Escalation, Investigation and Correction
Fraud Risk Assessment
• Risk Identification
• Probability and Impact Analysis
• Response
4. Fraud Risk Assessment
How might a fraud perpetrator exploit
weaknesses in the system of controls?
How could a perpetrator override or
circumvent controls?
What could a perpetrator do to conceal the
fraud?
5. Fraud Risk Assessment: 3 Key Elements
• Identify inherent fraud risk: Gather information to obtain the population of fraud risks that could apply to the organization. Included in this process is the explicit consideration of all types of fraud schemes and scenarios; incentives, pressures, and opportunities to commit fraud; and IT fraud risks specific to the organization.
• Assess likelihood and significance of inherent fraud risk: Assess the relative likelihood and potential significance of identified fraud risks, based on historical information, known fraud schemes, and interviews with staff, including business process owners.
• Respond to reasonably likely and significant inherent and residual fraud risks: Decide what the response should be to address the identified risks and perform a cost-benefit analysis of fraud risks over which the organization wants to implement controls or specific fraud detection procedures.
6. Fraud Risk Assessment Framework
Columns: Identified Fraud Risks and Schemes; Likelihood; Significance; People and/or Department; Existing Anti-fraud Controls; Controls Effectiveness Assessment; Residual Risks; Fraud Risk Response
Financial reporting
Revenue recognition
- Backdating agreements
- Channel stuffing
- Inducing distributors to accept more product than necessary
- Holding books open
- Via recording detail transactions in a sub-ledger
- Via recording top-side journal entries
- Additional revenue risks
Management estimates
- Self insurance
- Altering underlying detail claims and estimate data
- Fraudulently changing underlying assumptions in estimation of liability
- Allowance for bad debts
- Altering underlying A/R aging to manipulate computation
- Fraudulent input from sales persons or credit department on credit quality
- Additional estimates
Disclosures
- Footnotes
7. Fraud Risk Assessment Framework
Columns: Identified Fraud Risks and Schemes; Likelihood; Significance; People and/or Department; Existing Anti-fraud Controls; Controls Effectiveness Assessment; Residual Risks; Fraud Risk Response
Misappropriation of assets
Cash/check
- Point of sale
- Accounts receivable application process
- Master vendor file controls override
- Additional risks
- Inventory
- Theft by customers
- Theft by employees
- Other assets at risk
Corruption
- Bribery
- Aiding and abetting
Other Risks
8. Risk Assessment Team
Accounting/finance personnel, who are familiar
with the financial reporting process and internal
controls.
Nonfinancial business unit and operations
personnel, to leverage their knowledge of day-to-
day operations, customer and vendor
interactions, and general awareness of issues
within the industry.
Risk management personnel, to ensure that the
fraud risk assessment process integrates with the
organization's ERM program.
Legal and compliance personnel, as the fraud
risk assessment will identify risks that give rise to
potential criminal, civil, and regulatory liability if
the fraud or misconduct were to occur.
9. Internal audit personnel, who will be familiar with the
organization's internal controls and monitoring functions.
In addition, internal auditors will be integral in developing
and executing responses to significant risks that cannot
be mitigated practically by preventive and detective
controls.
If expertise is not available internally, external
consultants with expertise in applicable standards, key
risk indicators, anti-fraud methodology, control activities,
and detection procedures.
Management, including senior management, business unit
leaders, and significant process owners (e.g., accounting, sales,
procurement, and operations) should participate in the
assessment, as they are ultimately accountable for the
effectiveness of the organization's fraud risk management
efforts.
11. Population of Fraud Risk
Understanding the organization's
business processes
Identifying potential fraud schemes
1. through interviewing of staff;
2. brainstorming with staff;
3. reviewing complaints from the whistleblower
hotline;
4. performing analytical procedures.
12. Major Categories of Fraud
• Fraudulent Financial Statement
• Misappropriation of Assets
• Corruption
13. Fraud Risk Assessment Source (4)
How to identify possible
misappropriation of assets
TANGIBLE
INTANGIBLE
Q (1) What are the necessary “controls” relevant to the prevention and
detection of misappropriation of assets?
Q. (2) What are the relevant questions to ask?
Group Discussion
14. Fraud Risk Assessment Source (4)
Corruption = Misuse of entrusted power for private gain
• US Foreign Corrupt Practices Act 1977 – Apply to whom?
• UK Bribery Act
• National Law – Singapore ??? (Prevention of Corruption Act)
PRC ??? (刑法 Criminal Law)
Hong Kong – Prevention of Bribery Ordinance
Group Discussion
• Does the US Foreign Corrupt Practices Act or the UK Bribery Act apply to your organization?
• What are the controls to prevent and detect corruption?
• What is the Corruption Perceptions Index for your country and your overseas operations?
(See Transparency International Website) (p26)
15. Types of Fraud
1) Intentional manipulation of financial statements, which can lead to:
a) Inappropriately reported revenues.
b) Inappropriately reported expenses.
c) Inappropriately reflected balance sheet amounts, including
reserves.
d) Inappropriately improved and/or masked disclosures.
e) Concealing misappropriation of assets.
f) Concealing unauthorized receipts and expenditures.
g) Concealing unauthorized acquisition, disposition, and use
of assets.
16. 2) Misappropriation of:
a) Tangible assets by:
i) Employees.
ii) Customers.
iii) Vendors.
iv) Former employees and others outside the
organization.
b) Intangible assets.
c) Proprietary business opportunities.
3) Corruption including:
a) Bribery and gratuities to:
i) Companies.
ii) Private individuals.
iii) Public officials.
b) Receipt of bribes, kickbacks, and gratuities.
c) Aiding and abetting fraud by other parties (e.g., customers, vendors).
17. Information Technology and Fraud Risk
Examples of IT risks by area include:
Fraudulent Financial Reporting
- Unauthorized access to accounting applications
- Override of system controls
Misappropriation of Assets
- Theft of tangible assets
- Theft of intangible assets
Corruption
- Misuse of customer data
18. Other Risks
Regulatory and Legal Misconduct
Regulatory and legal misconduct includes a wide range of
risks,
such as conflicts of interest, insider trading, theft of
competitor trade secrets, anti-competitive practices,
environmental violations, and trade and customs
regulations in areas of import/export.
Depending on the particular organization and the nature
of its business, some or all of these risks may be
applicable and should be considered in the risk
assessment process.
19. Other Risks
Reputation Risk
Reputation risk is evaluated differently by different individuals,
either as a separate risk or the end result of other risks (e.g.,
operational, regulatory, or financial reporting).
Fraudulent acts can damage an organization's reputation with
customers, suppliers, and the capital markets. For example,
fraud leading to a financial restatement damages an organization's
reputation in the capital markets, which could increase the
organization's cost of borrowing and depress its market
capitalization. Because the board is responsible for the longevity of
the organization and has responsibilities to multiple stakeholders,
it should evaluate its performance regularly with respect to
reputation risks and ensure that consideration of reputation risk is
part of the organization's risk assessment process.
20. Assessing Likelihood and Significance of Potential Fraud Risk
[Chart: Likelihood and Significance, by Department / People]
21. [Chart: risks #1 to #7 plotted by likelihood and significance (grey = higher risk)]
Risks
#1 – Shell company scheme
#2 – Overpayment scheme
#3 – Phony contractor scheme
#4 – Personal travel expenses
#5 – Fraudulent auditor/inspector expenses
#6 – Check Tampering
#7 – Orders for personal supplies
Source: How Internal Auditing Can Help with a Company’s Fraud Issues, QFINANCE, by Gail Harden
22. Fraud Risk Assessment: Accounts Receivable. Process Owner: <Insert Process Owner Name>
Columns: Fraud Risk; Likelihood; Significance; Control Activity; Preventive or Detective; Has Audit Tested Control?; Date Tested; Result; Action Plan
Fraud risk: Theft of cash receipts and written off as bad debts. Likelihood: High. Significance: High.
- Control activity: Reconciliation of bad debt expense reserve with supervisory review. Detective. Audit tested: Yes. Date tested: 1/10/06. Result: OK.
- Control activity: Person posting receivables does not also have system access to make journal entries to bad debt expense. Preventative. Audit tested: Yes. Date tested: 1/10/06. Result: OK.
- Control activity: Procedure exists and is followed to turn over delinquent accounts to a third-party collections agency. Preventative. Audit tested: Yes. Date tested: 1/10/06. Result: OK.
Source: How Internal Auditing Can Help with a Company’s Fraud Issues, QFINANCE, by Gail Harden
23. Columns: Fraud Risk; Likelihood; Significance; Control Activity; Preventive or Detective; Has Audit Tested Control?; Date Tested; Result; Action Plan
- Control activity: Accounts Receivables reconciled to the general ledger by individual with no conflicting duties. Detective. Audit tested: Yes. Date tested: 1/10/06. Result: OK.
- Control activity: Accounting Manager authorization required to write off uncollectible accounts. Preventative. Audit tested: Yes. Date tested: 1/10/06. Result: OK.
Fraud risk: Rebilling of past due items to change the # of days past due (to change DSOs, for example). Likelihood: Medium. Significance: Medium.
- Control activity: Policy disallows cancelling and rebilling invoices unless the original was billed to the wrong client, or some other extenuating circumstances. Preventative. Audit tested: Yes.
Source: How Internal Auditing Can Help with a Company’s Fraud Issues, QFINANCE, by Gail Harden
24. Columns: Fraud Risk; Likelihood; Significance; Control Activity; Preventive or Detective; Has Audit Tested Control?; Date Tested; Result; Action Plan
- Control activity: All credits require the use of a request form and approval from management according to an authorization matrix. Preventative. Audit tested: Yes. Date tested: 1/10/06. Result: OK.
- Control activity: Duties to input billing and credits to the AR system, approvals for credits, and collections activities are segregated. Preventative. Audit tested: Yes. Date tested: 1/10/06. Result: OK.
Source: How Internal Auditing Can Help with a Company’s Fraud Issues, QFINANCE, by Gail Harden
25. Columns: Fraud Risk; Likelihood; Significance; Control Activity; Preventive or Detective; Has Audit Tested Control?; Date Tested; Result; Action Plan
Fraud risk: Kiting – writing checks against insufficient funds or unavailable funds and hoping the funds are deposited or become available before the checks clear the account. Likelihood: Medium. Significance: Low.
- Control activity: The Accounting Manager has a “cash card” where cash receipts and disbursements are logged. He monitors the cash level and transfers money from savings when necessary to cover disbursements. The Controller approves the disbursement batches and also has access to monitor the daily cash position. Preventative. Audit tested: Yes. Date tested: 1/10/06. Result: OK.
Source: How Internal Auditing Can Help with a Company’s Fraud Issues, QFINANCE, by Gail Harden
26. Columns: Fraud Risk; Likelihood; Significance; Control Activity; Preventive or Detective; Has Audit Tested Control?; Date Tested; Result; Action Plan
- ZBA accounts – type of bank account where funds are transferred from a deposit account to a disbursement account as disbursements are presented for payment. Preventative. Company does not currently use ZBA accounts.
- Positive pay set up with the bank. This is a practice where the Company sends a file to the bank of all the disbursements generated and the bank will only pay those that are on the file. Preventative. Company is in progress to set up this type of arrangement.
Source: http://www.qfinance.com
Source: How Internal Auditing Can Help with a Company’s Fraud Issues, QFINANCE, by Gail Harden
27. Response to Residual Fraud Risks
Depending on risk tolerance
Varies from organization to
organization
a. Accepting the risks?
b. Increasing the controls over the area to
mitigate the risk?
c. Designing internal audit procedures to
address specific fraud risks
28. Fraud Risk Management
- Identify Potential Inherent Risk
- Assess Likelihood of the Identified Fraud Risk
- Evaluate Potential Suspects
- Evaluate their possible methods
- Identify & map out the existing prevention and detective controls to reduce fraud risks
- Evaluate whether the identified controls are operating effectively & efficiently
- Identify & evaluate fraud risks regarding ineffective or non-existent controls
- Respond to residual fraud risks
Source: Managing the business risk of fraud 2008 ACFE
29. Source: Managing the business risk of fraud 2008 ACFE
Physical Controls to Deter Theft & Fraud
KEY EMPLOYEES Senior Executives
Fraudulent Financial Reports
Skimming Schemes
Cash Larceny Scheme
Theft of Proprietary Information
Theft of Inventory & Equipment
Cheque Tampering Scheme
Expenses Scheme
Cash Register Scheme
Corruption and FCPA
Purchasing and Billing Scheme
Payroll Scheme
Ghost Workers
Conflict of Interest
Fraud Risk Assessment