
COSO webinar slides - Assessing Fraud Risk - September 2014


A 2014 Protiviti webinar on Assessing Fraud Risk - COSO



  1. COSO 2013: Assessing Fraud Risk
  2. Today’s Presenters: Keith Kawashima, Managing Director, California. © 2014 Protiviti Inc. CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party. Keith Kawashima is a Managing Director in Protiviti’s Silicon Valley office. Keith has over 25 years of experience in finance and accounting, including 15+ years with Protiviti/Arthur Andersen’s Internal Audit practice and more than 10 years of corporate experience in both Finance and Operations prior to joining Protiviti. He has been involved in all aspects of a company’s internal audit function, from establishing a charter and developing a risk-based internal audit plan, to developing and executing work programs, through reporting at the audit committee and board level. Email: Keith.Kawashima@protiviti.com
  3. Today’s Presenters: Pamela Verick, Director, McLean, Virginia. Pamela Verick is a Director in Protiviti’s Investigations & Fraud Risk Management solution. Pam has over 22 years of risk management experience, including creation of fraud governance systems and fraud risk management programs, planning and execution of fraud risk assessments, and conducting investigations to address fraud, misconduct and potential violations of the Foreign Corrupt Practices Act as well as equivalent anti-bribery laws and regulations. She also assists with compliance and ethics programs for both the public and private sector. Email: Pam.Verick@protiviti.com
  4. Today’s Presenters: Scott Moritz, Managing Director, New York. Scott Moritz is the leader of Protiviti’s Fraud, Anti-Corruption and Investigations practice. He has more than 27 years of investigative and regulatory compliance experience working with a variety of organizations, government and regulatory agencies to identify, triage, investigate and remediate a wide variety of risks. With extensive experience investigating transnational crime, corruption and money laundering, Scott is widely regarded as a leading authority on the evaluation, design, remediation, implementation and administration of corporate compliance programs, codes of conduct, training and internal audit programs. Email: Scott.Moritz@protiviti.com
  5. Today’s Presenters: Jeff Tecau, Director, Orlando. Jeff Tecau is a Director with Protiviti in Orlando, FL and has 16 years of audit and consulting experience. At Protiviti, Jeff has focused on internal auditing and financial and accounting related consulting and helps lead Protiviti’s Internal Audit and Financial Advisory practice in the Florida market. Prior to Protiviti, Jeff spent time in external audit with PricewaterhouseCoopers and was a Senior Analyst in the Financial Planning and Analysis group of a Fortune 500 energy company. Email: Jeff.Tecau@protiviti.com
  6. Today We Will Cover: Historic View of Fraud Documentation for SOX; Fraud Principle 8; Fraud Risk Assessment Frequently Asked Questions; Fraud Risk Assessment Case Study
  7. Historic View of Fraud Documentation for SOX
  8. Common Definitions of Fraud
     • “An intentional act that results in a material misstatement in financial statements that are the subject of an audit. Two types of misstatements are relevant to the auditor’s consideration of fraud: fraudulent financial reporting and misappropriation of assets.” (AU Sec. 316 / Statement on Auditing Standards No. 99, “SAS 99”)
     • “Any illegal acts characterized by deceit, concealment or violation of trust. These acts are not dependent upon the application of threat of violence or of physical force. Frauds are perpetrated by parties and organizations to obtain money, property or services; to avoid payment or loss of services; or to secure personal or business advantage.” (Institute of Internal Auditors)
     • “All means by which one individual can get an advantage over another by false suggestions or suppression of the truth. It includes all surprise, trick, cunning or dissembling, and any unfair way by which another is cheated.” (Black’s Law Dictionary)
     • “The use of one’s occupation for personal enrichment through the deliberate misuse or misapplication of the employing organization’s resources or assets.” (2014 Report to the Nations on Occupational Fraud and Abuse)
     • “Any intentional act or omission designed to deceive others, resulting in the victim suffering a loss and / or the perpetrator achieving a gain.” (Managing the Business Risk of Fraud: A Practical Guide)
  9. Fraud Assessment Embedded Within Overall Risk Assessment. The slide shows a four-phase SOX programme with the fraud assessment embedded in it: Planning & Scoping Stage (Phase I: Assess Current State and Identify Relevant Processes) and Design, Document & Testing Stage (Phase II: Document Critical Processes and Controls; Phase III: Evaluate & Test Controls; Phase IV: Remediate Control Weaknesses). Activities listed: set foundation; prioritize financial reporting elements; select financial reporting elements; define control units; define process classification scheme; link business processes to priority financial reporting elements; select and prioritize business processes; inventory existing policies & procedures; select processes and controls to document and test; map processes to locations; baseline reports; consider controls across all levels • Entity-level • Process level • IT controls • Anti-fraud • Outsourced processes. Running across all phases: project management, knowledge sharing, communication, continuous improvement.
  10. Linking to Key Business Processes. [Matrix slide: rows are financial statement line items (Cash and cash equivalents, Short Term Investment, Accounts Receivable, Allowance for accounts receivable, Accounts receivable net of allowances, Raw Materials Inventory, Material in transit, Finished Goods, Inventory reserve, Inventories, and so on); columns are key business processes, with each cell rated L/M/H (Low/Medium/High). Process columns, each with an “Overall” rating: Equity (Stock Comp and Administration; Recording Stock Compensation; Presentation and Disclosure); Financial Reporting (Period-end Close; Consolidation; Financial Reporting and Disclosure); Fixed Assets (Asset Acquisition/Capitalization; Asset Depreciation; Asset Disposal; Asset Management); Inventory (Standard Cost; Inventory Valuation; Inventory Reserves; Inventory Management); Payroll (Employee Master File Maintenance; Payroll Master File Maintenance; Time and Expense Reporting; Payroll Processing and Recording; Incentive Compensation); Procure to Pay (Purchasing; Receiving; Accounts Payable and Cash Disbursements; Manage Travel & Entertainment Expense; Month-end Accrual); Revenue (Order Management; Revenue Recognition (Shipping & Billing); AR Aging & Collections; AR Reserves; Revenue Reserves); Tax (Income Taxes, Sales & Use Taxes and Property Taxes); Treasury (Cash Management; Investments; Borrowings); IT (IT General Controls).]
  11. Scope of Anti-Fraud Program. Evaluation should take place at both the Company level and the Process level. • Controls specifically established to prevent and detect fraud that is reasonably possible to result in a material misstatement of the financial statements • Identification of specific controls that mitigate the risk of material fraud within key processes. Misappropriation of assets: embezzlement and theft that could materially affect the financial statements; expenditures and liabilities incurred for improper or illegal purposes; bribery and influence payments that can result in reputation loss; fraudulently obtained revenue and assets and/or avoidance of costs and expenses; scams and tax fraud that can result in reputation loss. Fraudulent financial reporting: inappropriate earnings management or “cooking the books”, e.g., improper revenue recognition, intentional overstatement of assets, understatement of liabilities, etc.
  12. PCAOB Auditing Standard No. 5 (“AS5”) Fraud Considerations • Focus on potential fraud that could result in a material misstatement of the financial statements • Management is responsible to prevent, detect, and deter fraud • Anti-fraud control deficiencies are considered at least a significant deficiency • Identification of fraud on the part of senior management (whether or not material) is an indicator of a material weakness
  13. Documentation Objectives • The PCAOB required objectives for documentation are: – Understand the flow of transactions related to relevant assertions – Verify that all points have been identified within the company’s processes at which a misstatement could arise that, individually or in combination with other misstatements, would be material – Identify the controls that management has implemented to address these potential misstatements – Identify the controls that management has implemented over the prevention or timely detection of unauthorized acquisition or disposition of the company's assets that could result in a material misstatement of the financial statements • Process documentation is used by external auditors for walkthroughs
  14. Which SOX Requirements Have FCPA Implications? (Referenced from A Resource Guide to the U.S. Foreign Corrupt Practices Act, Department of Justice and Securities and Exchange Commission, 2012) • SOX Section 302 - Responsibility of Corporate Officers for the Accuracy and Validity of Corporate Financial Reports • SOX Section 404 - Reporting on the State of a Company’s Internal Controls over Financial Reporting • SOX Section 802 - Criminal Penalties for Altering Documents
  15. Fraud Principle 8
  16. What’s Driving Today’s Fraud Risk Assessment Activities?
     • COSO Internal Control – Integrated Framework – Principle 8 (May 2013): The organization considers the potential for fraud in assessing risks to the achievement of objectives. This includes management’s assessment of the “risks relating to the fraudulent reporting and safeguarding of the entity’s assets,” along with “possible acts of corruption” by entity personnel and outsourced service providers.
     • Managing the Business Risk of Fraud: A Practical Guide (July 2008): Non-binding guidance on the topic of fraud risk management issued in collaboration between the IIA, AICPA and ACFE. Includes consideration of fraud risk assessment.
     • IIA Standard 2120.A2 (January 2009): The internal audit activity must evaluate the potential for the occurrence of fraud and how the organization manages fraud risk.
     • IIA Standard 1210.A2 (revised January 2009): Internal auditors must have sufficient knowledge to evaluate the risk of fraud and the manner in which it is managed by the organization, but are not expected to have the expertise of a person whose primary responsibility is detecting and investigating fraud.
  17. Evolving Perspectives on Fraud Risk. PCAOB AS5, AU Sec. 316 and SAS 99 frame fraud around the “Financial Statements” and consider two types: Fraudulent Financial Reporting and Misappropriation of Assets. COSO 2013 Principle 8 frames fraud around “Objectives” (Operations, Reporting, Compliance) and considers four types: Fraudulent Reporting, Safeguarding of Assets, Corruption and Management Override.
  18. COSO 2013 – Principle 8, often referred to as the “Fraud Principle,” “Principle 8” or “Fraud Principle 8”. What it says: 1. “The organization considers the potential for fraud in assessing risks to the achievement of objectives.” 2. Actions conducted under Principle 8 are closely linked to Principle 7 (Identifies and Analyzes Risk). What it doesn’t say: 1. How fraud should be defined. Instead, the focus is placed on the types of fraud to be considered. 2. What department within the organization should assess fraud risk. It states that risk assessment includes management’s assessment of the risks related to fraudulent reporting and the safeguarding of assets, as well as possible acts of corruption. 3. Which techniques should be used to assess fraud risk. No specific fraud risk assessment methodology is prescribed.
  19. COSO 2013 – Principle 8 Linkage with Principle 7 (diagram slide)
  20. COSO 2013 – “Fraud Principle 8”: Key Driver in Today’s Fraud Risk Assessment Activities. Points of focus: • POF 31: Considers various types of fraud • POF 32: Assesses incentives and pressures • POF 33: Assesses opportunities • POF 34: Assesses attitudes and rationalizations. • Many organizations have integrated their assessment of fraud risks and controls with their ICFR assessment • The approach to addressing the principle will depend on how effectively the organization has considered and documented fraud risk in the past • For those that have documented controls to address common fraud scenarios, this could be incorporated into the mapping: ‒ Inventory elements of the fraud risk management program currently in place (entity level) ‒ Document an overall summary of significant fraud risks (process level), along with an assessment of their likelihood and potential impact • Reconsider the existing fraud risk management program in the context of the current fraud risk profile
  21. Factors Impacting Fraud Risk – COSO 2013 – Fraud Principle 8. Key characteristics reflect “The Fraud Triangle”: • OPPORTUNITY refers to the ability of an individual or group to “actually acquire, use or dispose of assets, which may be accompanied by altering the entity’s records.” Often driven by the belief that activities will go undetected, opportunity is created by weak control and monitoring activities, poor management oversight, and management override of controls. • ATTITUDES AND RATIONALIZATIONS: individuals can more easily rationalize, or justify, committing fraud based on their perception, right or wrong, of the company’s fraud philosophy, the state of its internal control framework and “how business is done.” • INCENTIVE / PRESSURE: incentives to commit fraudulent acts, or pressures that result in the intentional loss of assets, fraudulent reporting or corruption.
  22. Elements of Fraud Risk Management Program: Sample Entity Level Control Activities. Control Environment • Board / Audit Committee Oversight • Management roles and responsibilities • Code of Business Conduct • Conflicts of Interest Policy • Fraud Control Policy • Investigation Protocols / Policy • Ombudsman Program • Whistleblower Policy. Risk Assessment • Fraud risk assessment (including corruption / bribery). Control Activities • Due diligence (employees and third parties). Information & Communication • Reporting mechanisms, including hotline • Ethics training • Fraud awareness training. Monitoring Activities • Continuous monitoring (i.e., management) • Fraud / ethics audit procedures (i.e., Internal Audit, Compliance) • Investigation / case management system • Discipline / remediation • Quality assurance review
  23. COSO 2013 – Fraud Principle 8: Types of Fraud. • Fraudulent reporting occurs when an organization’s reports are intentionally prepared with omissions or misstatements. • Safeguarding of assets refers to protection from the unauthorized, inappropriate and intentional acquisition, use or disposal of the organization’s assets. • Corruption involves the improper use of an employee’s influence in business transactions, which violates the duty to the employer, for the purpose of obtaining a benefit for themselves or someone else. • Management override describes actions in which internal controls are intentionally overridden for an illegitimate purpose.
  24. COSO 2013 – Fraud Principle 8: Fraudulent Reporting – Examples of Common Fraud Scenarios. 1. Fraudulent Financial Reporting 2. Fraudulent Non-Financial Reporting 3. Misappropriation of Assets 4. Illegal Acts
  25. COSO 2013 – Fraud Principle 8: Safeguarding of Assets – Examples of Common Fraud Scenarios. 1. Unauthorized and willful acquisition, use or disposal of assets or other resources 2. Inappropriate use that benefits an individual or group
  26. COSO 2013 – Fraud Principle 8: Management Override – Examples of Common Fraud Scenarios. 1. Intentional override of internal controls for illegitimate purposes 2. Significantly influenced by the control environment 3. Not to be confused with management intervention for legitimate purposes
  27. COSO 2013 – Fraud Principle 8: Corruption – Examples of Common Fraud Scenarios. 1. Illegal Acts 2. Conflicts of Interest 3. Bribery 4. Illegal Gratuities 5. Solicitation
  28. Fraud Risk Assessment Frequently Asked Questions (“FAQs”)
  29. FAQ 1: Who’s Typically Involved in a Fraud Risk Assessment? • Audit Committee (provides oversight on behalf of the Board of Directors) • Project Sponsor: General Counsel (if privileged), CFO or Internal Audit Director • Steering Committee (optional): C-Suite, Senior Management • Project Coordinator: IA resource, Controller • Participants: Accounting / Finance, Compliance / Legal, Human Resources, Operations (Sales, Marketing, R&D, Engineering, Supply Chain, Plant Manager, etc.)
  30. FAQ 2: What Techniques Are Used to Identify Fraud Risk? One or more work steps may be utilized in combination / various sequences: • Document review and analysis • Fraud risk brainstorming session • Fraud risk workshop • Interviews • Survey • Data analysis
  31. FAQ 3: What Risk Factors Should Be Considered During Fraud Risk Assessment? Examples include… • Degree of estimates and judgments in external financial reporting • Methodology for recording and calculating inventory and shrinkage • Reductions in allowances • Fraud schemes and scenarios impacting industry / market sectors • Geographic regions where the organization conducts business • Incentives that may motivate fraudulent behavior • Nature of automation • Unusual or complex transactions subject to significant management influence, especially at period-end • Poor compliance culture • Lack of management oversight • “Controlling” or “domineering” management personalities • “Abnormal” management involvement in the selection of accounting principles • Unusual ratios • Unexpected profitability • Rapid growth compared to peers • Recurring negative cash flows during periods of earnings growth • Last-minute transactions • Inconsistencies in gross margin activity • Unsupported pricing discounts • Intentional inaccuracies or omissions in financial statements • Recording sales of goods and services that did not occur • Omissions of expenses or liabilities • Capitalized expenses − If capitalized as assets and not expensed during the current period, income will be overstated − As the assets are depreciated, income in subsequent periods will be understated • Allowances that do not align with industry practices • Write-offs of loans to directors, officers and management • “Shifting” expenses between entities • “Off-books” accounts / “off balance sheet” entities
  32. FAQ 4: What Criteria Are Used to Assess Significance and Likelihood of Fraud Risk? Examples include…
     • Samples from client engagements (“3-box”): Significance / Impact: Low / inconsequential; Medium / more than inconsequential; High / material. Likelihood / Probability: Low or remote; Medium or reasonably possible; High or probable.
     • Samples from client engagements (“5-box”): Significance / Impact: Insignificant; Minor; Moderate / serious; High / major; Major / operational suspension. Likelihood / Probability: Rare; Remote; Reasonably possible; Probable; Almost certain.
  33. FAQ 5: How Do Organizations Document Fraud Risk Assessment Activities? Examples include… 1. Process Narrative 2. Process Map (fraud risk assessment methodology) 3. Fraud Risk and Controls Matrix (“Fraud RCM”) 4. Report 5. Fraud Risk Heat Map
  34. FAQ 6: How Does IT “Fit” Into the Types of Fraud Outlined in Principle 8? Examples include… Fraudulent Reporting • Proper accounting and reporting of liabilities associated with IT infrastructure, systems and upgrades • Appropriate disclosures regarding losses suffered as a result of cybercrime. Safeguarding of Assets • Loss of intellectual property, confidential data, sensitive data, personally identifiable information, etc. • Misuse or abuse of the IT network / assets that results in loss of employee time and productivity • Intentional misuse / abuse of the company’s software licenses. Corruption • Bribery and kickbacks involving third parties and employees • Illegal gratuities provided to IT personnel following system implementation • Extortion related to the security of data and IT infrastructure. Management Override • Intentional override of controls to obtain unauthorized or otherwise impermissible access to accounting or information systems • Intentional override of controls that results in the destruction of electronic files.
  35. Fraud Risk Assessment Case Study
  36. Case Study Overview • Protiviti, acting as outsourced Internal Auditor, performed a fraud risk assessment for a closely held, NASDAQ-traded client to evaluate the ways in which fraud could be perpetrated within the company. • The purpose of the fraud risk assessment was to (1) identify likely fraud scenario risks, (2) identify internal controls, management, or other governance-related activities that mitigate these risks, (3) determine if the controls mitigating these risks were documented in the SOX documentation, and (4) identify control gaps where fraud scenarios are not directly controlled. • This review focused on the risk assessment and review of control design as represented by management. Testing of the operating effectiveness of controls was not performed as part of this review, as a majority of the client’s anti-fraud controls were to be tested later in FY2014 as part of SOX 404. • As the company had adopted the 2013 COSO Framework for purposes of its Sarbanes-Oxley 404 compliance efforts, the 2013 COSO Framework was used to categorize the company’s anti-fraud activities.
  37. Sample Deliverable (report sections: Executive Summary, Risk Assessment, Control Activities, Control Environment, Monitoring, Information & Communication, Appendix). Components and Principles of Internal Control – Risk Assessment. Description: Involves the identification and analysis by management of relevant risks to achieving predetermined objectives. The 2013 COSO Framework sets out seventeen principles representing the fundamental concepts associated with each component of internal control. The principles supporting the RISK ASSESSMENT component of internal control (COSO Principles 6 through 9) are: 1. The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives. 2. The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed. 3. The organization considers the potential for fraud in assessing risks to the achievement of objectives. 4. The organization identifies and assesses changes that could significantly impact the system of internal control.
  38. Sample Deliverable: Fraud Risk Assessment Process Overview. Description: Involves the identification and analysis by management of relevant risks to achieving predetermined objectives. Steps: Identify Risk → Assess and Prioritize Risk → Select Focus Areas. [Risk-universe diagram: ENVIRONMENT RISK – External (Competitor, Fraud, Shareholder Expectations, Capital Availability, Investor Relations, Political, Legal, Catastrophic Loss, Healthcare Advancements); Customer (Demographic Shifts, Concentration, Preferences, Discretionary Spending, Awareness); Regulatory (SEC, CMS (Medicare/Medicaid), Federal/State, HIPAA, Suppl. Health Insurance); Compliance/Legal (Market Conduct, Claims/Litigation, Debt Covenants, Remediation). PROCESS RISK – Financial (Currency Exposure, Reserves Adequacy, Investment, Treasury/Cash Management, Taxation, Financial Reporting, Pension Fund Reporting, Regulatory Reporting, Tax Reporting); Empowerment (Performance Incentives, Leadership, Authority / Limit, Communications); Operations (Enrollment/Disenrollment, Policy Processing, Claims/PDE Processing, Premiums, Rebate Billing, Agent Commission Processing, Agent Performance, Marketing/Product Development, Customer Service, Contracts, Procurement, Project Management, Vendor Management, Member Services, Employee Expertise, Human Resources); Information Technology (Data Integrity, Data Security/Access, Availability of Information, IT Infrastructure, Program Change Control, System Implementations); Governance (Organizational Culture, Ethical Behavior, Board Effectiveness, Succession Planning); Reputation (Image & Branding, Direct to Customer Advertising, Stakeholder Relations, Product Integrity & Safety); Process Integrity (Management/Employee Fraud, Claims Fraud, Illegal Acts/Unauthorized Use/Abuse). INFORMATION FOR DECISION MAKING – Strategic Decisions (Insurance Product Portfolio, Business Continuity & DR, M&A Integration, Organization Structure, Key Performance Indicators, Resource Allocation); Operational Decisions (Reinsurance, Product/Service Pricing, Bid Modeling, Actuarial Reserve Development, Forecast, Budget & Planning).]
     The approach utilized in conducting the fraud risk assessment process:
     • Review and understand company operations and key fraud risk categories as suggested by management to develop a universe of potential fraud scenarios that may occur
     • Conduct interviews with certain members of the Management team
     • Conduct limited surveying of the Management team
     • Aggregate information, prioritize areas of fraud risk, and conceptualize focus areas
     • Evaluate and prioritize fraud risks on a heat map on an inherent basis according to management commentary and other available information
     Internal Control Mapping:
     • Develop an internal control map for fraud focus areas to identify management’s control activities
     • Identify internal control recommendations where fraud scenarios are not directly controlled
     • Validate and discuss results with Management
  39. Sample Deliverable: Fraud Inherent Risk Map (heat map with Likelihood on one axis and Impact on the other, each scaled LOW / MEDIUM / HIGH; each numbered scenario is plotted at management’s inherent-risk rating). Scenarios: FINANCIAL REPORTING – 1 Earnings management; 2 Manual journal entries. DISBURSEMENTS – 3 Improper use of corporate credit cards; 4 Payment of false invoices; 5 Billing for work not performed/overbilling; 6 Creation of ghost vendors; 7 Vendor over-allocation of costs; 8 Theft/misuse of corporate financial information. PROCUREMENT – 9 Awarding of work to related parties; 10 Bribery/kickback to award bids; 11 Bid rigging; 12 Split purchases to avoid delegation of authority; 13 Material ordered in excess of requirement; 14 Unauthorized vendor access to systems. PAYROLL – 15 Falsification of hours worked; 16 Unauthorized adjustment of salary/wages; 17 Workers compensation claims; 18 Failure to remove employees from payroll; 19 Duplicate or ghost employees. MISAPPROPRIATION OF ASSETS – 20 Theft of blank checks; 21 Misuse of company assets / theft of company assets; 22 Unauthorized wire transfers; 23 Check fraud; 24 Scrap sales/embezzlement. GOVERNANCE – 25 Selective disclosure to Board or public; 26 Management override of controls; 27 Use of confidential information for personal gain; 28 Decisions made to benefit the majority shareholder. Highlighted numbers represent fraud risk scenarios selected for additional procedures. Note: Inherent risk rankings are those of management. Testing of the operating effectiveness of controls was not performed as part of this review.
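The deck lists “Data analysis” (FAQ 2) as one technique for identifying fraud risk and names the scenarios above without showing how any of them would be tested against transaction data. As an added example, not part of the Protiviti slides, the Python below implements two detection tests an internal auditor could run over a purchase-order extract for scenario 12 (“Split purchases to avoid delegation of authority”) and scenario 6 (“Creation of ghost vendors”). The delegation-of-authority limit, the look-back window, every field name and every record are constructed for illustration and are not drawn from the case study.

```python
"""Added example (not from the Protiviti deck): data-analysis tests for two
fraud scenarios named on the inherent risk map. All thresholds, field names
and sample records below are constructed for illustration."""
from collections import defaultdict
from datetime import date, timedelta

# Assumed delegation-of-authority (DOA) limit: a single purchase order at or
# above this amount needs a second approver. Constructed value.
DOA_LIMIT = 10_000.0
# Assumed look-back window for "same requester, same vendor" runs of POs.
WINDOW_DAYS = 7

# Constructed purchase orders: (po_id, requester, vendor_id, order_date, amount)
PURCHASE_ORDERS = [
    ("PO-1001", "jdoe",   "V-200", date(2014, 3, 3),  9_800.00),
    ("PO-1002", "jdoe",   "V-200", date(2014, 3, 4),  9_700.00),
    ("PO-1003", "jdoe",   "V-200", date(2014, 3, 6),  9_950.00),
    ("PO-1004", "asmith", "V-310", date(2014, 3, 5),  4_000.00),
    ("PO-1005", "asmith", "V-310", date(2014, 3, 20), 4_500.00),
    ("PO-1006", "jdoe",   "V-450", date(2014, 3, 10), 12_000.00),
]

# Constructed vendor master and employee master, reduced to the fields the
# ghost-vendor test compares.
VENDORS = [
    {"vendor_id": "V-200", "name": "Acme Supply",    "bank_acct": "111222", "address": "1 Main St"},
    {"vendor_id": "V-310", "name": "Bolt Co",        "bank_acct": "333444", "address": "9 Elm Ave"},
    {"vendor_id": "V-450", "name": "J D Consulting", "bank_acct": "555666", "address": "77 Oak Rd"},
]
EMPLOYEES = [
    {"emp_id": "jdoe",   "bank_acct": "555666", "address": "77 Oak Rd"},
    {"emp_id": "asmith", "bank_acct": "999000", "address": "5 Pine Ct"},
]


def split_purchase_candidates(orders, limit=DOA_LIMIT, window_days=WINDOW_DAYS):
    """Scenario 12: return (requester, vendor_id, [po_ids]) for runs of POs
    that are each individually below the DOA limit but, within the window,
    sum to at or above it. A sliding window over date-sorted POs per pair;
    one hit per requester/vendor pair is enough to flag it for review."""
    by_pair = defaultdict(list)
    for po_id, requester, vendor_id, order_date, amount in orders:
        if amount < limit:  # POs at/above the limit already went to a second approver
            by_pair[(requester, vendor_id)].append((order_date, amount, po_id))
    hits = []
    for (requester, vendor_id), rows in by_pair.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            while rows[end][0] - rows[start][0] > timedelta(days=window_days):
                start += 1
            window = rows[start:end + 1]
            if len(window) > 1 and sum(amt for _, amt, _ in window) >= limit:
                hits.append((requester, vendor_id, [po for _, _, po in window]))
                break
    return hits


def ghost_vendor_candidates(vendors, employees):
    """Scenario 6: return (vendor_id, emp_id, matched_field) for vendors that
    share a bank account or mailing address with an employee, a common
    indicator that the vendor record was created by an insider."""
    hits = []
    for vendor in vendors:
        for emp in employees:
            for field in ("bank_acct", "address"):
                if vendor[field] == emp[field]:
                    hits.append((vendor["vendor_id"], emp["emp_id"], field))
    return hits


if __name__ == "__main__":
    for hit in split_purchase_candidates(PURCHASE_ORDERS):
        print("possible DOA split:", hit)
    for hit in ghost_vendor_candidates(VENDORS, EMPLOYEES):
        print("vendor/employee master match:", hit)
```

Both tests produce candidates for follow-up, not findings: the split-purchase hit still needs the requester's explanation and the approval trail, and a vendor sharing an address with an employee may be a disclosed and approved related party (scenario 9). Real extracts would come from the ERP's PO and master-data tables rather than the inline lists used here.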
  40. Q & A
  41. COSO Publications: Internal Control-Integrated Framework (2013 Edition). Order COSO's framework online at www.coso.org (Guidance tab). • Internal Control - Integrated Framework (3 volume set): Executive Summary; Framework and Appendices; Illustrative Tools for Assessing Effectiveness of a System of Internal Control • Internal Control - Integrated Framework, Internal Control Over External Financial Reporting - Compendium Only: A Compendium of Approaches and Examples • Internal Control-Integrated Framework, Compendium (4 volume set): Executive Summary; Framework and Appendices; Illustrative Tools for Assessing Effectiveness of a System of Internal Control; A Compendium of Approaches and Examples
  42. Resources on COSO 2013: 1. 2013 Internal Control – Integrated Framework - Executive Summary 2. COSO Internal Control-Integrated Framework Frequently Asked Questions 3. The 2013 COSO Framework & SOX Compliance – One Approach to an Effective Transition. Access COSO Guidance and Thought Papers at www.coso.org and click on ‘guidance’.
  43. Protiviti Resources on COSO 2013: 4. The Updated COSO Internal Control Framework: Frequently Asked Questions 5. Guide to the Sarbanes-Oxley Act: Internal Control Reporting Requirements – Frequently Asked Questions Regarding Section 404 6. Guide to the Sarbanes-Oxley Act: IT Risks and Controls 7. Board Perspectives: Risk Oversight - COSO 2013: Why Should You Care. Source: http://www.protiviti.com/en-US/Pages/Resource-Guides.aspx
