Sunera Canada ULC. Effective Fraud Risk Assessment Annual Fraud Program. October 21, 2016

Size: px

Start display at page:

Download "Sunera Canada ULC. Effective Fraud Risk Assessment Annual Fraud Program. October 21, 2016"

Meryl Waters
5 years ago
Views:

1 Sunera Canada ULC Effective Fraud Risk Assessment 2016 Annual Fraud Program October 21, 2016

Sunera LLC Snapshot Professional consultancy with core competency in Governance, SOx, NI 52-109, Internal Audit, IT Audit, IT Strategy & Risk, Information Security, Data Privacy, Data Analytics,

2 Sunera LLC Snapshot Professional consultancy with core competency in Governance, SOx, NI , Internal Audit, IT Audit, IT Strategy & Risk, Information Security, Data Privacy, Data Analytics, Project Risk Management, and Financial Advisory. Founded in 2005, Sunera has grown significantly over the course of our history. Sunera is an organization under Cyber Risk Management LLC, and includes our sister organizations ANRC (Cyber-Security Training) and APTEC (Identity Governance and Access Management). Delivered more than 3,500 projects for 750 clients across a spectrum of industries, Sunera is adept in servicing all of our clients, which range in size from the Fortune 1000, as well as smaller cost-conscious organizations. Employs 350+ full-time professionals in 20+ offices across Canada (Calgary, Vancouver and Toronto) and the United States. Market leader in Data Analytics and Continuous Controls Monitoring. Certified SAP integration partner with specific expertise in SAP Security, GRC and controls. Registered with NASBA to offer CPEs for our external specialized training courses. Copyright 2014 Sunera LLC. 2

3 Shawn Hendry, Managing Partner, Sunera Canada Managing Partner for Sunera Canada Working with our clients for the past 10+ years with Sunera in Calgary, Vancouver and Toronto Certified Internal Auditor (CIA), Certified in Risk Management Assurance (CRMA), Certified Information Systems Auditor (CISA), Certified in Governance of Enterprise Information Technology (CGEIT) Prior to joining Sunera, Shawn was a Senior Manager with KPMG in their Risk Advisory Service practice in Victoria and the Director of Audit and Risk Assessment for CanWest Global Communications which was previously Canada s largest media group. Copyright 2014 Sunera LLC. 3

4 Agenda BREAKING NEWS Introduction to Fraud ACFE Report to the Nations Interesting Facts COSO Fraud Risk Management Guide Fraud Risk Program Fraud Risk Assessment Methodology Steps in Performing a Fraud Risk Assessment Other Key Elements of a Fraud Risk Program Copyright 2014 Sunera LLC. 4

7 Intro to Fraud n n n Fraud, in all its forms, costs billions in damage each year. COSO s new definition of fraud is succinct: Fraud is any intentional act or omission designed to deceive others, resulting in the victim suffering a loss and/or the perpetrator achieving a gain. Occupational frauds are those committed in connection with the fraudster s occupation. Examples include: Stealing money or inventory or services Claiming overtime for hours not worked Filing fraudulent expense reports Giving friends or relatives unauthorized discounts on company merchandise or services Adding ghost employees to the payroll Adjusting financials to improve bonus or other compensation Copyright 2014 Sunera LLC. 7

8 Types of Fraud Schemes in which a fraudster wrongfully uses his influence in a business transaction for the purpose of obtaining a benefit for himself or another person u Conflicts of interest u Illegal gratuities u Bribery Corruption Fraudulent Reporting Schemes involving the intentional misreporting of an organization s financial information with the intent to mislead others u Creating fictitious revenues u Concealing liabilities or revenues Asset Misappropriation Schemes in which the employee steals or misuses an organization s assets u Skimming cash receipts u Falsifying voids and refunds u Tampering with company checks u Overstating expenses Copyright 2014 Sunera LLC. 8

24 COSO New Fraud Risk Management Guide The Guide is an update to the 2007 Managing the Business Risk of Fraud guide. The Guide is consistent with the 17 principles of internal control as defined in the COSO 2013 Internal Control - Integrated Framework and ERM Framework. The Guide advocates comprehensively managing fraud risk, starting with establishment of a fraud risk management policy, performance of a fraud risk assessment, selection and development of appropriate controls and reporting, followed by monitoring that will influence subsequent fraud risk management activities. COSO makes a point to call out the distinction between internal control issues that can result in errors compared with those that permit fraud to occur. The fundamental difference is intent, COSO says. An organization that simply adds the fraud risk assessment to the existing internal control assessment may not thoroughly examine and identify possibilities for intentional acts designed to misstate financial information, misstate nonfinancial information, misappropriate assets, or perpetrate illegal acts or corruption. The Guide is meant for use by many people who can have a role to play in mitigating risk; board members and audit committee members, senior management, management at other levels in the organization, internal auditors, external auditors, other professional service providers, and educators. Copyright 2014 Sunera LLC. 24

25 COSO New Fraud Risk Management Guide Guide explains that fraud deterrence is achieved when an organization implements a fraud risk management process that: Establishes a visible and rigorous fraud governance process. Creates a transparent and sound anti-fraud culture. Includes a thorough fraud risk assessment periodically. Designs, implements, and maintains preventive and detective fraud control processes and procedures. Takes swift action in response to allegations of fraud, including actions against those involved in wrongdoing where appropriate. The Guide recommends that each organization establish a comprehensive fraud risk management program. In order to support this recommendation, the Guide includes tools and resources for conducting a fraud risk assessment, writing an anti- fraud policy and establishing a comprehensive anti-fraud program. Copyright 2014 Sunera LLC. 25

26 Fraud Risk Management Principles The Guide now goes beyond fraud risk assessment to align 5 principles of fraud risk management with the 17 principles of internal control as follows: Copyright 2014 Sunera LLC. 26

28 Emphasis on Data Analytics Perhaps the biggest change is the focus on data analytics: The Guide recommends that each organization have a strategy for proactively using data analysis activities to assess areas of high fraud risk and to monitor fraud mitigation activities and controls. As compared to the Managing the Business Risk of Fraud guide, analytics which was referenced very infrequently, the updated Guide references data analytics in multiple locations to monitor fraud. Copyright 2014 Sunera LLC. 28

30 Options for Meeting the Requirements Choose one of the Guide s two options: I. A comprehensive fraud risk assessment in support of Principle 8 of the 2013 COSO Internal Control Framework, or II. A fraud risk management program that includes a comprehensive risk assessment and is based on COSO s five principles. For a fraud risk assessment (I), consider whether you should update existing assessments or launch a new assessment. If new, then: Who will conduct the assessment? What subject-matter resources will be required? What department will provide the budget? What assessment criteria will the organization use? How will the organization determine risk tolerance for specific types of fraud? For a fraud risk management program (II), consider the organization s governance and design: How will a fraud risk management program align with existing programs and resources (i.e., anti-fraud, cyber-security, compliance and ethics or anti-corruption)? Who should lead the program? How should the organization incorporate anti-fraud management into its existing corporate governance framework in order to facilitate board oversight and management actions? Copyright 2014 Sunera LLC. 30

32 Impacts of Fraud u u All organizations are subject to fraud risks. Publicized fraudulent behavior by key executives has negatively impacted the reputations, brands, and images of many organizations around the globe. Regulations such as the COSO 2013, U.S. Foreign Corrupt Practices Act of 1977 (FCPA), the 1997 Organization for Economic Cooperation and Development Anti-Bribery Convention, the U.S. Sarbanes-Oxley Act of 2002, the U.S. Federal Sentencing Guidelines of 2005, and similar legislation throughout the world have increased management s responsibility for fraud risk management. u u u u u Fewer pay increases Increased layoffs Greater pressure to increase sales and revenue Decreases in employee benefits Low employee morale Copyright 2014 Sunera LLC. 32

33 Fraud Risk Program - Governance Five key principles for proactively establishing an environment to effectively manage an organization s fraud risk include: Principle 1: As part of an organization s governance structure, a fraud risk management program should be in place, including written policies to convey the expectations of the BOD and senior management regarding managing fraud risk. Principle 2: Fraud risk exposure should be assessed periodically to identify specific potential schemes and events that the organization needs to mitigate. Principle 3: Prevention techniques to avoid potential key fraud risk events should be established, where feasible, to mitigate possible impacts on the organization. Principle 4: Detection techniques should be established to uncover fraud events when preventive measures fail or unmitigated risks are realized. Principle 5: A reporting process should be in place to solicit input on potential fraud, and a coordinated approach to investigation and corrective action. Copyright 2014 Sunera LLC Sunera LLC All Rights Reserved

34 Fraud Risk Program - Overview Each organization needs to consider its size and complexity when determining what type of formal fraud program is most appropriate. The program should consider the following elements: Commitment Fraud Awareness Affirmation Process Conflict Disclosure Investigation Process Corrective Action Continuous Monitoring Copyright 2014 Sunera LLC Sunera LLC All Rights Reserved

35 What is a Fraud Risk Assessment An assessment of the potential for fraud to affect an organization s ability to maintain operations and reputation Identifies and addresses vulnerability to both internal and external fraud Allows an organization to understand where fraud could occur and the effect Allows management to make decisions on what, how and if whether there are things that need to be addressed Overall, a Fraud Risk Assessment allows us to understand the fraud potential and then protect ourselves and stakeholders. Copyright 2014 Sunera LLC. 35

36 Fraud Risk Assessment Methodology The following fraud risk assessment methodology is based upon guidance from the association of fraud examiners, AICPA and the IIA: Identify fraud risk factors Determine who is likely to commit fraud Evaluate significance of fraud Evaluate likelihood of fraud Identify anti-fraud controls Map controls to relevant fraud risk Assess the effectiveness of anti-fraud controls Respond to the residual fraud risk Copyright 2014 Sunera LLC. 36

37 Steps in Performing an FRA 6 Step Process 1. Gather Fraud risks: Fraud risk identification begins with gathering information on fraud risk from regulatory bodies, industry sources, key guidance setting groups (e.g., COSO, and professional organizations (e.g., IIA, CISA, ACFE, etc.). 2. Assemble Risk Assessment Team: The team will include senior management, business unit leaders, and process owners (e.g., finance, sales, procurement, and operations), as they are ultimately the most knowledgeable of business activities and will be accountable for the effectiveness of the fraud risk management efforts. 3. Identify your inherent fraud risk: Determine which fraud risks that may apply to your area or departments. Brainstorming session can be conducted with appropriate staff to explicitly consider all types of fraud schemes and scenarios, incentives, pressures, and opportunities to commit fraud, and include IT fraud risks. Copyright 2014 Sunera LLC. 37

38 Inherent Risk vs. Residual Risk The initial assessment of fraud risk considers the inherent risk of particular frauds occurring in the absence of internal controls. After all relevant fraud risks have been identified, internal controls are mapped to the identified risks. Fraud risks that remain unaddressed by appropriate controls comprise the population of residual fraud risks. ninherent Risk: Risk in the absence of any action that might alter the risk s likelihood or impact. (e.g., risk that a fraud could cause a significant monetary loss- High) nresidual Risk: Risk that remains after any taken action. (e.g., fraud insurance is maintained thereby reducing monetary exposure to an acceptable level - Low) Copyright 2014 Sunera LLC. 38

39 Steps in Performing an FRA (continued) 4. Assess likelihood and significance of the inherent fraud risk With the FRA team, assess the relative likelihood and potential significance of each identified fraud risk. Assessing the likelihood and significance of each potential fraud risk is a subjective process and should include considerations in the financial reporting, business operations, brand reputation, legal, and regulatory compliance areas. Likelihood # of instances where a particular fraud occurred in the past (i.e.: fraudulent expense reports) The prevalence of the fraud risk in your industry # of individual transactions flowing through the process complexity of the risk or transaction Significance departmental financial significance to the FS brand value and reputation potential criminal, civil, and regulatory liability (PCI, etc.) known fraud impact (if occurred in past) # of people involved in reviewing or approving the process (manual or automated) # of departments or people that have incentives or pressure to reach tight financial goals. Copyright 2014 Sunera LLC. 39

40 Risk Measurements You can categorize the likelihood of potential frauds occurring in as many buckets as deemed reasonable, otherwise three categories are generally adequate: remote, reasonably possible, and probable. Each risk is assessed to determine its relevance to your organization during the next 12 months. 30% Likelihood of Occurrence- Example 25% 25% 20% 15% 10% 10% 5% 1% 0% 0% Likely <25% Possible 25% - 10% Remote 10% - 1% Extraordinary >1% Copyright 2014 Sunera LLC. 40

Risk Measurements You can categorize the significance of potential frauds in as many buckets as deemed reasonable, otherwise three categories are generally adequate: inconsequential, more than

41 Risk Measurements You can categorize the significance of potential frauds in as many buckets as deemed reasonable, otherwise three categories are generally adequate: inconsequential, more than inconsequential, and material. Example below considers 5 categories. Financial Impact- Example $140 $120 $125.0 Millions $100 $80 $60 $40 $20 $0 $0.3 $1.3 $6.3 $12.0 $25.0 Copyright 2014 Sunera LLC. 41

42 Fraud Risk Evaluation - Likelihood First step is to measure the likelihood and impact Likelihood: Measure of inherent risk without consideration of existing controls Remote- the risk is seen as unlikely to occur within the next 12 months Reasonably Possible the risk is seen as likely to occur within the next 12 months Probable the risk is expected to occur within the next 12 months The following factors should be considered when assessing likelihood: # of instances where a particular fraud occurred in the past (i.e.: fraudulent expense reports) the prevalence of the fraud risk in your industry # of individual transactions flowing through the process complexity of the risk or transaction # of people involved in reviewing or approving the process (manual or automated) # of Departments or people that have incentives or pressure to reach tight financial goals. Copyright 2014 Sunera LLC. 42

43 Fraud Risk Evaluation - Impact The following should be considered when measuring impact Negligible The risk will not substantively impede the organization Moderate The risk will cause a large impact to the organization, yet not material Material The risk will cause material impact to the organization The following factors should be considered when assessing impact: Departmental financial significance to the FS Brand value and reputation Potential criminal, civil, and regulatory liability (PCI, etc.) Known fraud impact (if occurred in the past) Once the likelihood and impact is assessed, the next step is to determine controls in place at the organization to address the risk and assess residual risk Copyright 2014 Sunera LLC. 43

44 Steps in Performing an FRA (continued) 5. Assess Residual Risks: Determine what current activity is in place (considering process, people, departments, and regulations) that mitigate the identified risks 6. Define Fraud Prevention Techniques: Document key fraud risk events that should be established to mitigate possible impacts. This includes documenting key process controls, preventative fraud activities (fraud awareness training, policies, background checks), and detective fraud activities (e.g. hotlines, data mining tools, FS reviews). Copyright 2014 Sunera LLC. 44

47 Top Fraud Risk Processes Client Example Process Accounts Payable & Disbursements Accounts Receivable & Revenue # Fraud Schemes evaluated 14 Low 12 Low Capital Assets (Fixed Assets) 5 Medium Capitalized Software Development 5 Low Financial Reporting 15 Medium Payroll 6 Low Tax 3 High Treasury (cash/investment) 14 High TOTAL 74 Scoring Risk (residual) Copyright 2014 Sunera LLC. 47

48 Fraud Schemes Fraud Areas Mitigating Factors Exposure Score Fraudulent Financial Reporting Assets Misappropriation Intentional manipulation Concealment Improper disclosures Employee Customer Vendor Proprietary business Corruption Bribery Kickbacks Misuse of Customer data Regulatory Misconduct Theft of trade secrets Environmental Authority Limits Ethics policy Management review Restricted access Physical Security Vendor Agreements Inventory Counts Credit Review Hiring Policies Code of Conduct Approval Authorization Matrix Penetration Testing / Vulnerability Assessment Ethics Policy EH&S Policies Low Low Medium Low Copyright 2014 Sunera LLC. 48

49 Procurement Manipulation of Purchase Orders Legend Vendor & Contract Maintenance Bidding Schemes Unjustified Sole Source Awards Likelihood: Current fraud red flag identified at location. (remote, probable, and reasonably possible) Significance: Potential financial impact if fraud occurs (immaterial, significant, material) Significance Conflicts of Interest Bribes & Kickbacks Likelihood Copyright 2014 Sunera LLC. 49

50 Key Fraud Risk (#) fraud risks were identified in total, but the top 10 fraud risks based on likelihood and significance without controls were as follows: 1 TBD 1 2 TBD 2 3 TBD 3 4 TBD 4 5 TBD 5 6 TBD 6 7 TBD 7 8 TBD 8 9 TBD 9 10 TBD 10 Remote Reasonably Possible Probable Fraud Risk Assessment TBD 1 TBD2 TBD6 TBD3 TBD5 TBD Negligible Moderate Material Copyright 2014 Sunera LLC. 50

51 Effectiveness of Anti-Fraud Controls All fraud risks had anti-fraud controls to help prevent or detect the related fraud risk. xxx has a strong corporate governance (Tone at the Top) and anti-fraud measures as follows: Anonymous Whistleblower hotline Code of ethics policy and annual training at all levels including BOD Zero tolerance policy holding people accountable for ethical violations Anti-Fraud controls could be further enhanced by: A B C Copyright 2014 Sunera LLC. 51

52 Fraud Risk Program Continuous Monitoring The fraud risk management program, including related documents, should be revised and reviewed based on the changing needs of the organization, recognizing that documentation is static, while organizations are dynamic. The organization should develop ongoing monitoring and measurements to evaluate, remedy, and continuously improve the organization s fraud detection techniques. If deficiencies are found, management should ensure that improvements and corrections are made as soon as possible. Management should institute a follow-up plan to verify that corrective or remedial actions have been taken. Copyright 2014 Sunera LLC. 52

53 Fraud Risk Program Continuous Monitoring (cont.) Measurable criteria includes: Number of known fraud schemes committed against the organization. Number and status of fraud allegations received that required investigation. Number of fraud investigations resolved. Number of employees who have/have not completed ethics training sponsored by the organization. Number of whistleblower allegations received via the organization s hotline. Number of messages supporting ethical behavior delivered to employees by executives. Number of vendors who have/have not signed the organization s ethical behavior requirements. Number of fraud audits performed by internal auditors. Number of fraud controls. Detective vs. preventive. Number tested. Number operating effectively. Copyright 2014 Sunera LLC. 53

Fraud Risk Assessment CARRIE KENNEDY, PARTNER DUSTIN BIRASHK, PARTNER

Fraud Risk Assessment CARRIE KENNEDY, PARTNER DUSTIN BIRASHK, PARTNER Disclaimer The material appearing in this presentation is for informational purposes only and should not be construed as advice of