3/19/2009
ACFE Regent Emeritus
Tommy Seah
presents
Fraud Risk Management
A Paradigm Shift
2009
1
“………….. financial institutions
must have in place, all the
necessary measures to deter or
prevent fraud and constantly
review all its controls and
measures and also have in place
a f d management function t
fraud tf ti to
prevent loopholes that fraudsters
can exploit.” …… who said that ?
2
march 05, 2009 at Shangri-La
hotel and the guest of honour
was Ms Teo Swee Lian, Deputy
Managing Di t MAS
M i Director, MAS.
3
1

3/19/2009
Why is Internal Control Important?
Financial Reporting
• Promotes integrity of data
used in making business
decisions
• Assists in fraud prevention
and detection through the
creation of an auditable trail of
evidence
Operations
Promotes efficiency and
effectiveness of operations
through standardized Laws and Regulations
processes
Ensures the safeguarding of • Helps maintain compliance
assets through control with laws and regulations
through periodic monitoring
activities
4
Limitations of Internal Control
Errors may arise from
misunderstandings of instructions,
mistakes of judgment, fatigue, etc.
Controls that depend on the
segregation of duties may be
circumvented by collusion
Management may override the
structure
Compliance may deteriorate over
time
The Existing model
Financial
Control
The Fraud Examiner The Certified
System Investigator
CFE
CSI
Compliance The Risk
Management
CPA,LLB, CSI Trinity
CPA,CFA CSI
of
Controls
Internal Audit
CPA(CIA) CSI,
CISA
6
2

3/19/2009
The Spectrum of Risk
www.cfe-in-practice.net
Liquidity Risk
B
A C
Operational Credit Risk
Risk
What is Risk ?
D
E
Reputational Market Risk
Risk
7
www.cfe-in-practice.net
“External”
Audit
Internal audit
(COSO + COBIT+ ISO…
Forensic audit
Investigative auditing
(Specific, Post event)
( suspicious, unusual activities, allegations)
Eg. NKF, CAO
E.g.. Money Laundering penetration Test
8
Fraud Control Principle
F dC t lP i i l
3

3/19/2009
If an organisation accepts that it
is exposed to fraud – and no
organisation is immune to fraud –
the next step is to
apportion responsibility for fraud
risk management.
Copyright (c)2006 www.cfe-in-practice.net 10
The Paradigm Shift
Financial
Control
The Fraud Examiner The Certified
The CPA
System Investigator
CFE
CSI
Risk
Compliance Management
CPA,LLB, CSI CPA,CFA CSI
S.T.A.R
Strategic Tracking
and Resolution
Investigation FRM Unit
Internal Audit
Unit
CPA(CIA) CSI,
CISA
11
WHY is there a need for the paradigm shift ?
Historically, the management of fraud risk
does not lie with any one
particular department or practitioner.
Copyright (c)2006 www.cfe-in-practice.net 12
4

3/19/2009
It can be handled internally or be
outsourced,
and how it is handled is affected by
many variables such as organizational
size, industry sector, geographical
location, cultural dynamics - and
management
perception of the problem.
Copyright (c)2006 www.cfe-in-practice.net 13
Regardless of these
variables, any fraud
prevention and control
model should aim to
achieve one, or all, of
the five
primary objectives:
Copyright (c)2006 www.cfe-in-practice.net 14
The five
primary objectives:
_ Prevention
_ Deterrence
_ Disruption –
_ Identification
_ Civil action/criminal prosecution
Copyright (c)2006 www.cfe-in-practice.net 15
5

3/19/2009
The Fraud Triangle.
Fraud Risk Fraud Risk
Management Management
Perceived Opportunity
Auditor’s Domain
Who Commits Fraud?
What type of individual commits FRAUD?
It is not limited to any one type of person.
www.cfe-in-practice.org
Married
Active religious
members
Children
Good education
First-time offenders
Good employees
Don’t abuse alcohol
6

3/19/2009
Optimistic
High self-esteem
Achieving
Family harmony
Socially conforming
Self control
Kind
Sympathetic
Conclusion: Fraud Perpetrators Look Exactly Like Us!
Who Commits Fraud?
While people who commit rape, murder, bank robbery and other
property offenses have distinguishing characteristics, fraud
perpetrators look more like more citizens than criminals!
Bank Robbers
Normal Citizens Fraud Perpetrators
Sample
Sample
S l Sample
S l
Major Differences
No Significant Differences
The “Red Flags” of fraud
www.cfe-in-practice.net
Given the “right
circumstances”,
circumstances”, Alcohol
Gambling
almost
everyone can
rationalize that it
is OK to
Profile of A Person
commit fraud..Text
Who Commits
Fraud
Drugs
Sex
21
7

3/19/2009
1
STEP 1: EVALUATE THE ORGANIZATION'S FRAUD RISK FACTORS
To identify which factors increase the risk for fraud within
an organization, examiners should analyze industry and
business operations hold discussions with management
operations, management,
review previous frauds committed against or on behalf of
the company, review company performance, and evaluate
similar frauds that occurred at competitors' organizations.
7
STEP 2: IDENTIFY POSSIBLE FRAUD SCHEMES
The ability to identify specific schemes resulting from fraud
risk factors depends on the examiner's knowledge of this
area. F d specialists, i l di
Fraud i li including i di id l with certified
individuals i h ifi d
fraud examiner (CFE) designations and Certified Systems
Investigator (CSI) are ideal for this step of the process, as
they possess specialized knowledge of fraud detection and
investigation.
8
8

3/19/2009
STEP 3: PRIORITIZE IDENTIFIED FRAUD RISKS
Fraud is not just an ordinary risk, but also an inherent and
significant one. Once the fraud schemes database is
populated, management and internal auditing should
identify the frauds that pose the greatest risk for the
organization.
9
Examiners should consider the following factors when
prioritizing fraud risks:
Financial impact to the organization.
Reputation risk of negative publicity associated with fraud.
Loss of productivity.
Potential criminal/civil actions taken against the
organization. (Such as Data Breach EU95/46 on PII)
Loss of company assets.
11
STEP 4: EVALUATE MITIGATING CONTROLS
Internal s Auditors with CFE qualifications are well-
positioned to review and counsel on the existence
and operational effectiveness of internal controls. In
p
step four, the examiner/auditor should evaluate the
high-priority frauds and determine if the necessary
controls are in place to reduce the risk of
occurrence. This step takes time, as the auditor
should attempt to identify more than one control for
each fraud scheme.
12
9

3/19/2009
www.cfe-in-practice.net
Determination by Determination by
Area Scheme
28
Fraud Consideration at all stages of engagement
Perform Pre-Engagement
PROFESSIONAL SKEPTICISIM
Activities
GATHER AN ASEESS
MENTATION
FRAUD RISKS
Perform Preliminary Planning
ND
DOCUM
Develop Audit Plan
Perform Audit Plan
Conclude & Report
Fraud Risk Factors
&
Risk of Fraud
10

3/19/2009
Questions?
CFE-In-Practice www.cfe-in-practice.net
Tommy Seah
Managing Partner
CFE-In-Practice
www.cfe-in-practice.com
phone +65 65171900
www.cfe-in-practice.net
32
11