Fraud Risk Management


Fraud Risk Management: Fraud Risk Assessment, Part 2
2017 Association of Certified Fraud Examiners, Inc.

Fraud Risk Assessment Frameworks
Frameworks are helpful for performing, evaluating, and reporting the results of the fraud risk assessment. The specific needs and the culture of the organization must be considered and accounted for.

Fraud Risk Assessment Framework
1. Identify potential inherent fraud risks and schemes.
2. Assess the likelihood of identified inherent fraud risks.
3. Assess the impact of identified inherent fraud risks.
4. Evaluate which people and departments are most likely to commit fraud.
5. Identify and map existing controls to relevant fraud risks.
6. Evaluate whether the identified controls are operating effectively and efficiently.
7. Identify, evaluate, and respond to residual fraud risks that need to be mitigated.

Fraud Risk Assessment Framework (assessment template)
Columns: Identified Fraud Risks and Schemes | Likelihood | Impact | Personnel / Departments Involved | Existing Fraud Control Activities | Control Activities Effectiveness | Residual Fraud Risk | Fraud Risk Response
Rows (fraud risk categories): Financial Reporting; Asset Misappropriation; Corruption and Illegal Acts; External Risks; Other Risks

Step 1: Identify Potential Inherent Risks
Use knowledge gathered from:
- Individuals throughout the entity
- Actual frauds and fraud investigations
- External sources
to brainstorm:
- Incentives, pressures, and opportunities for fraud
- Risk of management's override of controls
- Population of internal and external fraud risks
- Risk of regulatory and legal misconduct
- Reputation risk (as a byproduct of fraud risk)

Step 2: Assess the Likelihood of Identified Risks
A subjective, and often difficult, process that allows management to apply preventive and detective controls rationally.
Two common approaches:
- The probability that the fraud will be attempted
- The frequency with which a fraud risk will occur
Usually assessed using a scale, which can be qualitative or quantitative.

Step 2: Assess the Likelihood of Identified Risks (rating scale)
Rating | Annual frequency descriptor | Definition | Annual probability descriptor | Definition
5 | Very frequent | >20 times per year | Almost certain | >90% chance of occurrence
4 | Frequent | 6 to 20 times per year | Likely | 65% to 90% chance of occurrence
3 | Reasonably frequent | 2 to 5 times per year | Reasonably possible | 35% to 65% chance of occurrence
2 | Occasional | 1 time per year | Unlikely | 10% to 35% chance of occurrence
1 | Rare | <1 time per year | Remote | <10% chance of occurrence

Considerations in Assessing the Likelihood of Identified Risks
- Past instances of the particular fraud
- Prevalence of the fraud risk in the industry
- Internal control environment of the organization
- Resources available to address fraud
- Support of fraud prevention efforts by management
- Ethical standards and culture of the organization
- Number of individual transactions involved
- Number of people involved
- Complexity of the fraud risk
- Unexplained losses
- Complaints by customers or vendors
- Fraud surveys and statistics

Risk trend is the direction of movement of a particular risk that impacts an organization. It might be part of likelihood or it might be a separate assessment factor.

Step 3: Assess the Impact of Identified Risks
- As with likelihood, assessed using a predetermined scale
- Can be qualitative or quantitative
- Need to consider both financial and nonfinancial factors

Step 3: Assess the Impact of Identified Risks (rating scale)
Rating | Descriptor | Financial loss to company | Media coverage | Employee morale | Regulatory consequences
5 | Catastrophic | In excess of $10 million | International long-term media coverage | Widespread employee morale issues; multiple senior leaders leave | Incident must be reported to authorities and significant sanctions and financial penalties result
4 | Major | Between $100,000 and $10 million | National long-term media coverage | Widespread employee morale problems and turnover | Incident must be reported to authorities and sanctions against company result
3 | Moderate | Between $10,000 and $100,000 | Short-term regional or national media coverage | Widespread employee morale problems | Incident must be reported to authorities and immediate corrective action is necessary
2 | Minor | Between $1,000 and $10,000 | Limited local media coverage | General employee morale problems | Incident is reportable to authorities, but no follow-up
1 | Incidental | Less than $1,000 | No media coverage | Isolated employee dissatisfaction | Event does not need to be reported to authorities

Considerations in Assessing the Impact of Identified Risks
- Financial statement and monetary impact
- Financial condition of the organization
- Value of the threatened assets
- Criticalness of the threatened assets
- Revenue generated by the threatened assets
- Impact on operations, brand value, and reputation
- Financial damages caused to employees or third parties
- Criminal, civil, and regulatory liabilities
- Requirements to report fraud to governmental authorities
- Reputational damage among stakeholders
- Adverse media coverage
- Competitive advantages to competing companies
- Decline in employee morale
- Lost productivity
- Loss of key staff
- Data loss
- Work stoppages
- Time and resources spent investigating and following up

Risk velocity is the speed with which a particular risk occurs. It might be part of impact or it might be a separate assessment factor.

Step 4: Evaluate Who Is Most Likely to Commit Fraud
Use the assessment of incentives and pressures to identify the individuals and departments most likely to commit fraud.

Step 5: Identify and Map Existing Controls to Inherent Risks
- Preventive versus detective
- General versus process-specific
- Reference the specific policy or procedure that supports the control

Step 6: Evaluate Whether Controls Are Operating Effectively and Efficiently
- Review accounting policies and procedures.
- Consider the risk of override.
- Interview management and employees.
- Observe control activities.
- Test samples of transactions for compliance.
- Conduct transaction walk-throughs.
- Review previous audit reports.
- Review previous reports on fraud incidents, shrinkage, and unexplained shortages.

If the assessment team does not perform controls testing, they need to gain an understanding of:
- Timing: When was the last time the relevant controls were formally tested?
- Extent: How many transactions were tested, and which attributes of the internal controls were tested?
- Results: Were deviations from expected internal controls discovered?

Control risk rating scale:
Rating | Description
5 | Very effective: reduces 81-100% of the risk
4 | Effective: reduces 61-80% of the risk
3 | Moderately effective: reduces 41-60% of the risk
2 | Marginally effective: reduces 21-40% of the risk
1 | Not effective: reduces 20% or less of the risk

Step 7: Measure Residual Fraud Risks
Identify residual fraud risks that have not been adequately mitigated due to:
- Lack of appropriate controls
- Noncompliance with established control measures
Evaluate the likelihood and impact of these residual risks.

Addressing the Identified Fraud Risks
- Establish an acceptable level of risk to use as a basis for response (management).
- Rank and prioritize identified risks.
- Estimate the likely cost of each risk.
- Use a heat map.

Estimating Likely Cost of a Risk
Risk | Potential loss | Likelihood of occurrence | Likely cost | Rank
Risk of lost business and reputation damage from a disruption in data processing | $100,000 (lost revenue) | 2% | $2,000 (2% x $100,000) | 3
Risk of lost revenues from losing a major client | $500,000 (lost revenue) | 15% | $75,000 (15% x $500,000) | 1
Risk of employee embezzlement | $150,000 | 7% | $10,500 (7% x $150,000) | 2
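A worked example of the scoring rules in this deck, added here and not part of the ACFE material: it maps an annual probability to the Step 2 likelihood rating, a dollar loss to the Step 3 impact rating (financial criterion only), a control's percentage reduction to the Step 6 control rating, and ranks the three risks from the likely-cost table above by likelihood times potential loss. The inclusive-lower-bound handling of exact boundary values and the FraudRisk class are assumptions; the slide does not define them.

```python
from dataclasses import dataclass

def likelihood_rating(probability: float) -> int:
    """Annual probability of occurrence -> 1-5 likelihood rating (Step 2 scale).
    Assumption: lower bounds are inclusive; the slide leaves exact boundaries open."""
    if not 0.0 <= probability <= 1.0:
        raise ValueError("probability must be between 0 and 1")
    if probability > 0.90:            # Almost certain
        return 5
    for floor, rating in ((0.65, 4), (0.35, 3), (0.10, 2)):  # Likely, Reasonably possible, Unlikely
        if probability >= floor:
            return rating
    return 1                          # Remote: <10%

def impact_rating(loss: float) -> int:
    """Financial loss in dollars -> 1-5 impact rating (Step 3 scale, financial criterion only)."""
    if loss > 10_000_000:             # Catastrophic
        return 5
    for floor, rating in ((100_000, 4), (10_000, 3), (1_000, 2)):  # Major, Moderate, Minor
        if loss >= floor:
            return rating
    return 1                          # Incidental: <$1,000

def control_rating(reduction: float) -> int:
    """Share of the risk a control removes (0..1) -> 1-5 control rating (Step 6 scale)."""
    for threshold, rating in ((0.80, 5), (0.60, 4), (0.40, 3), (0.20, 2)):
        if reduction > threshold:
            return rating
    return 1                          # Not effective: 20% or less

@dataclass
class FraudRisk:
    name: str
    potential_loss: float   # dollars
    probability: float      # annual probability of occurrence

    def likely_cost(self) -> float:
        """Likely cost = likelihood of occurrence x potential loss (rounded to cents)."""
        return round(self.probability * self.potential_loss, 2)

def rank_by_likely_cost(risks):
    """Return (rank, name, likely cost) tuples, highest likely cost first."""
    ordered = sorted(risks, key=lambda r: r.likely_cost(), reverse=True)
    return [(i + 1, r.name, r.likely_cost()) for i, r in enumerate(ordered)]

# The three risks from the slide's likely-cost table (values as given on the slide).
SAMPLE_RISKS = [
    FraudRisk("Risk of lost business and reputation damage from a disruption in data processing", 100_000, 0.02),
    FraudRisk("Risk of lost revenues from losing a major client", 500_000, 0.15),
    FraudRisk("Risk of employee embezzlement", 150_000, 0.07),
]
```

Running rank_by_likely_cost(SAMPLE_RISKS) reproduces the slide's ranking (major client first, embezzlement second, data processing third); all three sample risks fall in impact band 4 and likelihood band 1 or 2, which is why the likely-cost figure, not the rating alone, separates them.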

Using Heat Maps (slides 24 to 27 are heat map figures with no transcribed text)

Responding to Residual Fraud Risks
- Avoid the risk.
- Transfer the risk.
- Mitigate the risk:
  - Reduce the likelihood.
  - Reduce the impact.
- Assume the risk.
- Use a combination approach.

Documenting Risk Mitigation Plans
- Describe the new/revised internal control(s).
- Is the new control applicable to one or multiple fraud risks?
- Is it preventive or detective?
- Anticipated effect (i.e., reduction in impact and/or likelihood); consider plotting the effect on the heat map.
- Who is responsible for enacting it?
- Anticipated completion date

Reporting the Assessment Results
- Report objective, not subjective, results.
- Keep it simple.
- Focus on what really matters.
- Identify actions that are clear and measurable.

Making an Impact with the Fraud Risk Assessment
Use the results to:
- Begin a dialogue across the company.
- Look for fraud in high-risk areas.
- Hold responsible parties accountable for progress.
- Keep the assessment process alive and relevant.
- Modify or create the code of conduct or ethics policy.
- Monitor key controls.