Continuous Controls Monitoring: Putting Controls in Place is Not Enough


Webinar series from FraudResourceNet LLC on Preventing and Detecting Fraud Using Data Analytics. Recordings of these webinars are available for purchase from our website.
This webinar focused on fraud detection using data analytic software (Excel, ACL, IDEA).
FraudResourceNet (FRN) is the only searchable portal of practical, expert fraud prevention, detection and audit information on the Web.
FRN combines the high quality, authoritative anti-fraud and audit content from the leading providers, AuditNet ® LLC and White-Collar Crime 101 LLC/FraudAware.
The two entities designed FRN as the “go-to”, easy-to-use source of “how-to” fraud prevention, detection, audit and investigation templates, guidelines, policies, training programs (recorded, without CPE; and live, with CPE) and articles from leading subject matter experts.
FRN is a continuously expanding and improving resource, offering auditors, fraud examiners, controllers, investigators and accountants a content-rich source of cutting-edge anti-fraud tools and techniques they will want to refer to again and again.



  1. Continuous Controls Monitoring: Putting Controls in Place is Not Enough. Special Guest Presenter: Chris Doxey, CAPP, CCSA, CICA. September 11, 2013. Copyright © 2013 FraudResourceNet™ LLC
  2. About Peter Goldmann, MSc., CFE
     • President and Founder of White Collar Crime 101
     • Publisher of White-Collar Crime Fighter
     • Developer of FraudAware® Anti-Fraud Training
     • Monthly Columnist, The Fraud Examiner, ACFE Newsletter
     • Member of Editorial Advisory Board, ACFE
     • Author of “Fraud in the Markets”, which explains how fraud fueled the financial crisis
  3. About Jim Kaplan, MSc, CIA, CFE
     • President and Founder of AuditNet®, the global resource for auditors
     • Auditor, Web Site Guru, Internet for Auditors Pioneer
     • Recipient of the IIA’s 2007 Bradford Cadmus Memorial Award
     • Author of “The Auditor’s Guide to Internet Resources”, 2nd Edition
  4. Chris Doxey, CAPP, CCSA, CICA. Chris has held senior finance and controller positions at Digital Equipment Corporation, Compaq Computer Corporation, Hewlett Packard, MCI, APEX Analytix, and BSI Healthcare. She has a bachelor's degree in English, a bachelor's in accounting, a master's in business administration, and a graduate certificate in project management. Chris brings her experience as a management consultant in the areas of compliance, auditing, internal controls, and fraud prevention to Doxey, Inc. Chris also serves as the Executive Director of the IOFM Controller Certification Program. Chris is a Certified Accounts Payable Professional (CAPP), holds a Certification in Controls Self Assessment (CSA), and is a Certified Internal Controls Auditor (CICA). She has also written a controller’s best practices guide, numerous articles, and several whitepapers. Chris has published two handbooks: AP Leadership Skills and Implementing a Controls Self Assessment Program for Accounts Payable. She presents at several conferences and provides a multitude of webinars each year. Chris is a member of the Institute of Internal Auditors (IIA), the Institute for Internal Controls (TheIIC), and the Institute of Financial Operations (IFO). She is a member of the advisory board for TheIIC and is president of the Washington DC area chapter for both the IFO and TheIIC organizations.
  5. Webinar Housekeeping
     • This webinar and its contents are the property of FraudResourceNet™ LLC. Unauthorized usage or recording of this webinar or any of its material is strictly forbidden.
     • We will be recording the webinar and you will be provided access to that recording within five to seven business days. Downloading or otherwise duplicating the webinar recording is expressly prohibited.
     • You must answer the polling questions to qualify for CPE per NASBA unless you are viewing the webinar with a group on a single screen.
     • Please complete the evaluation to help us continuously improve our webinars.
     • Submit questions via the chat box on your screen and we will answer them either during or at the conclusion.
     • If GTW stops working you may need to close and restart. You can always dial in and listen and follow along with the handout.
  6. Disclaimers. The views expressed by the presenters do not necessarily represent the views, positions, or opinions of FraudResourceNet LLC (FRN) or the presenters’ respective organizations. These materials, and the oral presentation accompanying them, are for educational purposes only and do not constitute accounting or legal advice or create an accountant-client relationship. While FRN makes every effort to ensure information is accurate and complete, FRN makes no representations, guarantees, or warranties as to the accuracy or completeness of the information provided via this presentation. FRN specifically disclaims all liability for any claims or damages that may result from the information contained in this presentation, including any websites maintained by third parties and linked to the FRN website. Any mention of commercial products is for information only; it does not imply recommendation or endorsement by FraudResourceNet LLC.
  7. Today’s Agenda
     • Introduction
     • Fraud Statistics: The Growing Fraud Threat
     • 2013 Updates to COSO
     • Auditing for Fraud: Standards & Essentials
     • Standards of Internal Control
     • The Case for Continuous Controls Monitoring (CCM)
     • Controls Self Assessment (CSA)
     • Fraud Risk Assessment (FRA)
     • 10 Top Recommendations
     • CCM and Data Analytics Toolkit
     • Conclusion
     • Your Questions
  8. Fraud Statistics – 2012 ACFE Report to the Nations
     • The typical organization loses 5% of its revenues to fraud each year.
     • Applied to the 2011 Gross World Product, this figure translates to a potential projected annual fraud loss of more than $3.5 trillion.
     • The median loss caused by the occupational fraud cases was $140,000.
     • More than one-fifth of these cases caused losses of at least $1 million.
  9. Fraud Statistics – 2012 ACFE Report to the Nations (Continued). The Effectiveness of Controls: organizations lacking internal controls experienced median fraud losses approximately 45% greater than organizations with the controls in place.
  10. Fraud Statistics – 2012 ACFE Report to the Nations (Continued) (chart slide)
  11. Primary Internal Control Weakness Observed by CFEs (chart slide)
  12. Polling Question 1. The median loss caused per incident of occupational fraud is:
     A. $199,000
     B. $140,000
     C. $120,000
     D. $180,000
  13. 2013 Updates to COSO. The COSO update articulates principles of effective internal control.
  14. 2013 COSO Updates. Effective internal control provides reasonable assurance regarding the achievement of objectives and requires that:
     • Each component and each relevant principle is present and functioning
     • The five components are operating together in an integrated manner
     Each principle is suitable to all entities; all principles are presumed relevant except in rare situations where management determines that a principle is not relevant to a component (e.g., governance, technology). Components operate together when all components are present and functioning and internal control deficiencies aggregated across components do not result in one or more major deficiencies. A major deficiency represents an internal control deficiency or combination thereof that severely reduces the likelihood that an entity can achieve its objectives.
  15. 2013 Updates to COSO
     • Fraud Risk Consideration. Because the nature of fraud risk is so unique, one of the 17 principles states that it must be assessed as part of internal control.
     • Fraud risk is not limited to financial statements; it should also be included in compliance and operations risk assessments.
  16. 2013 Updates to COSO: Monitoring Activities. The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning. The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate. (Diagram: Standards for Internal Control; CSA; CCM and CA; FRA)
  17. Standards of Internal Control
     • Define the set of internal controls for the organization;
     • Link the control to the risk that is being mitigated;
     • Are updated when:
       • There is a change to the business or system environment;
       • A fraud has been perpetrated;
       • The cost of the control is not in line with the benefit to the organization; or when
       • A business process has been automated.
  18. Polling Question 2. According to COSO, fraud risk is not limited to financial statements; it should also be included in compliance and operations risk assessments.
     A. True
     B. False
  19. Controls Self Assessment (CSA). The most common approaches to performing CSA activities are facilitated team meetings, CSA surveys, and management’s focus on a specific internal control or area of their business.
     1) A facilitated team meeting is the most popular form of CSA. The facilitated sessions consist of six to 15 employees who are subject on a day-to-day basis to the internal controls being evaluated. A trained facilitator guides the meeting, and another individual records the activity.
     2) The survey approach uses questionnaires to elicit data about controls, risks, and processes. It differs from traditional internal control questionnaires used by auditors because the operational employees (not the auditors) use the survey results to self-evaluate the controls or processes.
  20. Continuous Controls Monitoring (CCM) vs. Continuous Auditing (CA)
     • CCM enables management to continually review business processes for adherence to and deviations from their intended levels of performance and effectiveness.
     • CA enables internal audit to continually gather and analyze data from processes that supports auditing activities.
  21. Continuous Controls Monitoring (CCM) vs. Continuous Auditing (CA). CCM enables management to:
     • Assess the effectiveness of controls and detect risk.
     • Improve business processes and activities while adhering to ethical and compliance standards.
     • Execute more timely quantitative and qualitative risk-related decisions.
     • Increase the cost effectiveness of controls and monitoring through automated solutions.
  22. Continuous Controls Monitoring (CCM) vs. Continuous Auditing (CA). CA enables internal audit to:
     • Collect data from processes, transactions, and accounts that supports internal and external audit activities.
     • Achieve more timely, less costly compliance with policies, procedures, and regulations.
     • Shift to more pro-active reviews and more dynamic audit planning based on CA results.
     • Reduce the costs of internal audit activities.
  23. Four Levels of CCM
     1) User Access Controls Monitoring & Remediation
     2) Application & Process Configuration Controls Monitoring
     3) Master Data / Static Data Controls Monitoring
     4) Business Transaction Monitoring
  24. Continuous Controls Monitoring (CCM)
     • Continuous transaction monitoring is a powerful detective control that should be considered in the design of internal controls, especially relative to fraud detection.
     • Continuous control monitoring provides assurance that controls are in place to prevent or detect future transactions.
  25. The Value of CCM
     • It is a detective control that management may place significant reliance on. When the inspection is automated, the cost relative to alternative manual controls may justify at least a partial shift from preventive to detective. It also helps if the detection can be performed promptly, minimizing the delay between processing a transaction and detecting an error.
     • When considering the risk of fraud, it is important to have both effective preventive controls and detection procedures (in case the controls are circumvented). Continuous transaction monitoring provides a detective control in case preventive controls are ineffective or are bypassed (e.g., through collusion).
  26. The Value of CCM
     • In some cases, complex testing may be required to detect an error. For example, financial systems have long found it difficult to detect and prevent duplicate payments.
     • Because the risk (in terms of the size of any single payment) is relatively low, it may be wise to accept the limitations of the financial system and rely on more thorough testing after-the-fact.
  27. Polling Question 3. Which type of meeting is the most popular form of CSA?
     a. Mandatory management meeting
     b. Facilitated team meeting
     c. Departmental meeting
     d. Special C-level meeting
  28. Fraud Risk Assessment (FRA)
     • A FRA identifies where fraud may occur and who the perpetrators might be within a specific process. The process is scheme and scenario based.
     • It considers vulnerability to management override and potential schemes to circumvent existing control activities.
     • The FRA identifies the critical fraud risks to focus on and is an on-going process.
     • The objectives of an FRA are to:
       1. Identify the vulnerabilities for fraud;
       2. Implement proactive measures such as specific internal controls to prevent the fraud from occurring.
  29. Fraud Risk Assessment (FRA). The three phases of an FRA include:
     1) Assess: the current internal controls structure is assessed and specific weaknesses where potential fraud could occur are identified.
     2) Respond: fraud risks are linked to controls to determine risk tolerance, cost benefit analysis, stakeholder expectations, and remediation monitoring.
     3) Sustain: a report is developed to communicate the results of the FRA process, the fraud audit plan is developed and executed, and a continuous monitoring process is implemented.
  30. 10 Top Recommendations. The ACFE notes that the nature and threat of occupational fraud is truly universal. Here are some recommendations for processes to have in place when “controls are not enough”.
     1. Hotlines: Providing individuals a means to report suspicious activity is a critical part of an anti-fraud program.
     2. Anti-Retaliation: Management should actively encourage employees to report suspicious activity, as well as enact and emphasize an anti-retaliation policy.
     3. Targeted Fraud Awareness Education: Training for employees and managers is a critical component of a well-rounded program for preventing and detecting fraud.
  31. 10 Top Recommendations (Continued)
     4. External Audits Are Not Enough: External audits should not be relied upon as an organization’s primary fraud detection method. Such audits were the most commonly implemented control in the ACFE’s study; however, they detected only 3% of the frauds reported and they ranked poorly in limiting fraud losses.
     5. Fraud Risk Assessments (FRA): Assessing the threat of specific fraud schemes and performing a FRA can help identify those areas that merit additional investment in targeted anti-fraud controls.
     6. The Control is Linked to the Risk: It’s not the number of internal controls that an organization has in place, but the way that the controls were developed to address a specific risk.
  32. 10 Top Recommendations (Continued)
     7. Standards of Internal Controls should be implemented and updated to incorporate behavioral fraud flags and weaknesses found through CSA, CCM, and FRA programs.
     8. Roles and Responsibilities for all internal programs, compliance initiatives, and remediation activities need to be well defined to avoid duplication of efforts and to provide opportunities for leveraging test approaches and data.
     9. Leveraging Opportunities: Programs can be developed to combine reviews and monitoring approaches with well-defined data requirements and test programs.
     10. Reporting, Remediation, and Monitoring: All findings need to be reported, remediated, and monitored to ensure the risk of recurrence is mitigated.
  33. Example: Leveraging Testing. Purchase to Pay, T&E, P-Cards, Payroll, Fraud, and General Ledger risk assessments and testing can be expanded to include FCPA.
     Purchase to Pay
       Business process risk: Do all our vendors serve clear business purposes?
       FCPA risk: Is a vendor being used to carry out an FCPA impacted transaction?
     T&E
       Business process risk: Are we applying T&E expenses appropriately?
       FCPA risk: Are there FCPA impacted expenditures in our T&E transactions?
     P-Cards
       Business process risk: Are we using P-Cards appropriately?
       FCPA risk: Are there FCPA impacted expenditures in our P-Card transactions?
     Payroll
       Business process risk: Do we know who all our employees are? Are we paying ghost employees?
       FCPA risk: Are we paying foreign officials as employees?
     Fraud
       Business process risk: Are we losing money to fraud schemes?
       FCPA risk: Is the fraudulent activity aimed at circumventing FCPA rules? Have we integrated our FCPA rules with our “tone at the top” and properly trained employees?
     General Ledger
       Business process risk: Do all journal entries have a clear business purpose?
       FCPA risk: Is there evidence that a journal entry is used for a non-approved purpose?
  34. Polling Question 4. A FRA identifies where fraud may occur and who the perpetrators might be within a specific process:
     a. True
     b. False
  35. Conclusion - It’s not all about automation!
     • To perform continuous monitoring of controls, you need a combination of techniques: automated monitoring, automated control testing, and other tests such as surveys and manual test procedures.
     • Testing transactions does not provide positive assurance that controls are present and operating effectively. They only tell you that the transactions are clean.
     • Some controls (such as the review by a manager of a reconciliation, the performance of a physical inventory count, or employee understanding of the code of conduct and other key policies) do not lend themselves to automated testing.
     • You still need Standards of Internal Controls, Segregation of Duties, System Access, and Delegation of Authority Controls!
     • Leverage testing approaches and applications to compliance programs when possible.
     • Always define Roles and Responsibilities!
  36. Polling Question 5. Hotlines are essential but not adequate for capturing all employee tips. You should also have (choose all that apply):
     A. E-mail channel
     B. Web-based reporting option
     C. Employee questionnaire
     D. P.O. Box
  37. CCM and Data Analytics Toolkit
     • ACL
     • Caseware/IDEA
     • WEBCAAT
     • EZR Stats, LLC
     • Technology Insight
     • APEX Analytix
     • Infor Approva
  38. Questions? Any Questions? Don’t be Shy!
  39. In the Queue
     • Protecting Your Organization from the Growing Threat of Cyber Fraud, 9/18/13
     • A Primer on Social Networking and Fraud Risk, 9/25/13
  40. Thank You! Website:
     • Jim Kaplan, FraudResourceNet™, 800-385-1625
     • Peter Goldmann, FraudResourceNet™, 800-440-2261
     • Chris Doxey, Doxey, Inc., 571-267-9107
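Slide 26 makes the point that financial systems struggle to block duplicate payments up front and that thorough after-the-fact testing is the practical detective control. The block below is an added example, not material from the deck or its presenters, of such a test written in Python rather than ACL/IDEA/Excel; the AP extract, its field layout and the 30-day matching window are constructed assumptions.

```python
# Added example (not from the webinar deck): an after-the-fact duplicate
# payment test of the kind run over an accounts-payable extract.
# The data below is constructed for illustration only.
from datetime import date
from itertools import combinations
import re

# Constructed AP extract: (payment_id, vendor_id, invoice_no, amount, pay_date)
PAYMENTS = [
    ("P1001", "V-0017", "INV-4471",  1250.00, date(2013, 5, 2)),
    ("P1002", "V-0017", "INV 4471",  1250.00, date(2013, 5, 9)),   # same invoice, re-keyed
    ("P1003", "V-0023", "A-00091",    980.50, date(2013, 5, 3)),
    ("P1004", "V-0023", "A-91",       980.50, date(2013, 5, 4)),   # leading zeros dropped
    ("P1005", "V-0031", "7781",     15000.00, date(2013, 5, 6)),
    ("P1006", "V-0031", "7782",     15000.00, date(2013, 5, 8)),   # same amount, 2 days apart
    ("P1007", "V-0031", "7790",     15000.00, date(2013, 7, 1)),   # same amount, outside window
    ("P1008", "V-0044", "Q-2020",     410.00, date(2013, 5, 6)),
]


def normalize_invoice(inv):
    """Collapse the formatting differences that let a re-keyed invoice slip past
    an exact-match system control: case, punctuation/spaces, and leading zeros
    at the start of each digit run ("A-00091" and "A-91" both become "A91")."""
    s = re.sub(r"[^A-Za-z0-9]", "", inv).upper()
    return re.sub(r"(?<!\d)0+(?=\d)", "", s)


def find_duplicates(payments, window_days=30):
    """Flag candidate duplicate payments with two tests, both within one vendor:
      exact   -> same invoice number after normalization
      nearby  -> same amount on a different invoice, paid within window_days
    Returns a sorted list of (payment_id_a, payment_id_b, reason) for review;
    every hit is a candidate for a human to confirm, not a proven duplicate."""
    hits = []
    for a, b in combinations(payments, 2):
        id_a, vend_a, inv_a, amt_a, dt_a = a
        id_b, vend_b, inv_b, amt_b, dt_b = b
        if vend_a != vend_b:
            continue
        if normalize_invoice(inv_a) == normalize_invoice(inv_b):
            hits.append((id_a, id_b, "same invoice number after normalization"))
        elif amt_a == amt_b and abs((dt_a - dt_b).days) <= window_days:
            hits.append((id_a, id_b, "same amount within %d days" % window_days))
    return sorted(hits)


if __name__ == "__main__":
    for id_a, id_b, reason in find_duplicates(PAYMENTS):
        print("%s / %s: %s" % (id_a, id_b, reason))
```

On the constructed data the test returns three candidate pairs (P1001/P1002 and P1003/P1004 by invoice number, P1005/P1006 by amount and date) and leaves the July payment to V-0031 alone because it falls outside the window.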