1 Fraud Risk Program Draft Copy. 2 Mission Statement To formally document the risks of fraud and policy abuse to demonstrate due diligence around fraud

1

Fraud Risk Program

Draft Copy

2

Mission Statement

• To formally document the risks of fraud and policy abuse to demonstrate due diligence around fraud prevention and to formalize mitigation strategies with better alignment of proactive fraud prevention and early detection efforts with Internal Audit activities.

DRAFT

3

What is a Fraud Risk Assessment?

• Fraud and reputation risk assessments focus on fraud schemes and scenarios.

• Purpose is to identify and document risks and controls for various scenarios & schemes that can affect the company and its shareholders by:– Significantly impacting the organizations reputation– Exposing the company to criminal or civil liability– Creating a financial reporting irregularity

• Ensure compliance with corporate governance requirements.

Information taken from PWC Article “Deeper & Broader: Performing Fraud & Reputation Risk Assessments”

DRAFT

4

Risk Assessment BenchmarkingCompany Summary Positives Negatives Microsoft learning's

Kmart Multidisciplinary steering team created to assess the fraud risk across Kmart and to develop a program that would minimize the risk of overlooking fraud during the audit planning stage. Outputs were:(1) Documentation of significant fraud related risks, mapped to SOX controls.(2) Creation of a Fraud Risk Map that provides graphical representation of where fraud falls in significance and likelihood.

(1) Buy in and involvement of multiple parts of the organization to identify frauds that have occurred or have yet to occur.

(1) Does not take regional or international risks into consideration. Kmart stores are only in US, Puerto Rico & Virgin Islands.(2) Appears to be solely an attempt to document the types of frauds and identifying those that need preventative controls.(3) Involvement from different areas of the company requires significant investments in time.

(1) Documentation of past case history and unknown frauds drives the formulation of a risk assessment.(Risk Assessment Phase)

(2) Mapping of documented risks to SOX controls.(Control Documentation Phase)

(3) Creation of a Fraud Risk Map.(Control Documentation Phase)

7-11 Risk Assessment that identified scenarios, assesses likelihood and impact. Outputs were:(1) Development of a matrix that identifies high level scenarios.(2) Assessment of Likelihood and Impact using Low, Medium, High and Very High(3) Brief description of Antifraud elements for each scenario.(4) Identified Gaps and remediation steps where necessary.

(1) Easy to read matrix that shows schemes with easy to understand Likelihood and Risk terminology.

(1) Very high level, schemes are summarized to a high degree.(2) Appears to be solely an attempt to document the types of frauds and identifying those that need preventative controls.(3) Does not show any type of further integration of risks.

(1) Documentation of past case history and unknown frauds drives the formulation of a risk assessment.(Risk Assessment Phase)

Reynolds American Internal Audit driven risk assessment project that leveraged management expertise to ensure assessment was comprehensive. Outputs were:(1) Development of a fraud audit program to provide a structured approach to fraud in every audit to ensure consideration of fraud risks in each audit and to identify potential fraud schemes and mitigating controls.(2) Development of separate fraud control matrices from the existing SOX matrices.(3) Use of information developed to promote early fraud detection.

(1) Engagement with Internal Audit to discuss fraud risks for each audit.(2) Detailed audit approach for each identified risk.(3) Integration of fraud testing into SOX 404 testing.

(1) Significant time with management of processes needed for documentation, assessment and testing of fraud controls.(2) Does not take regional or international risks into consideration.

(1) Requirement for audits to use the fraud risk assessment questionnaire when meeting with subsidiary management.

Fonterra Global Assurance driven process that creates a fraud survey for distribution to management to mitigate fraud risk. Involvement of business unit management to assess the current operating environment and gaps in antifraud control as part of their responsibility to maintain strong controls and promote an antifraud culture. Outputs were:(1) Fraud Survey outputs were put into a Business Unit Risk Map that rolls to a Enterprise wide Risk Map. (2) Creation of an Annual Fraud Review - fraud susceptible areas are integrated in the Annual Fraud Review paper after management comment and feedback.(3) Management Assessment and Remediation - management identifies areas that are currently under remediation and relocates on the fraud risk map.(4) IA gets involved for further audit or engagement with those non-compliant or high fraud risk entities.

(1) Fraud Survey gets input from the team that is working in each business unit.(2) High Management participation in fraud surveys.(3) Integration with existing audit risk assessments.(4) Coordination of management and Internal Audit.

(1) Time consuming(2) Requires recurring buy-in and action from management team to view the survey as a priority.

(1) Creation of a Microsoft Fraud Survey that develops an understanding of where Fraud Risk lies and to develop a better understanding of the regions/accounts that may need further attention.(Survey Phase)

(2) Annual FIU fraud review meeting to discuss trends in fraudulent activity, regions and schemes.(Fraud Experience Benchmarking Phase)

DRAFT

5

IA/FIU Fraud Risk Program

• IA/FIU process takes the benefits of a standard fraud risk assessment and raises it to a new level with tight integration into a program of fraud prevention and early detection.

• Documents the audit risk of how the company determines risk and audit priority.

• Coordinates an assessment of the perceived risk by the “people in the trenches.”

• Integrates perceived risk to the IA function within an embedded process.

DRAFT

6

IA/FIU Phased Process

• Risk Assessment Phase – Now into May FY05– FIU - Develop an understanding of the external regulations/industry guidelines that exist on fraud

prevention and detection. (DONE)– FIU - Benchmark Fraud Risk Assessment procedures at other companies to the the company

process. (DONE)– FIU - Formal documentation and Identification of the types of risks that have been incurred and

yet to occur at the company. (DONE)– Specialization leaders - Assessment of the likelihood and significance of a fraud occurring in

their area. (To occur in May)

• Control Documentation Phase – Late Q1 FY06– Specialization leaders - Detail control alignment to the scenario types.– Specialization leaders - Mapping of each unit’s risks to a risk map, with each quadrant having

defined risk actions.

• Fraud Experience Benchmarking Phase – H1 FY06– FIU - Additional detailed benchmarking with other corporations to facilitate the sharing of best

practices in identifying and mitigating fraud risks.

• Survey Phase – Q1 and Q3 FY06– FIU - Assessment of the risk that is perceived by the Sr. Management team throughout the world.

This will give good benchmarking to our internal expectations and cases received.

• Evaluation Phase – Q4 FY06– FIU & IA - Re-visit the initial assessment of risk and coordinate the perceived risk of Management

to IA risk and learned best practices to the IA function.

DRAFT

7

Risk Assessment Phase

A. Organize the Assessment– Separate Cycle performed by IA/FIU on assessing the Fraud Risk at the company.

B. Determine Units & Locations to Assess– Units determined by specialization lead, with regional breakdown for SMSG.

C. Identify Potential Fraud & Misconduct Schemes & Scenarios – FIU to prepare a “master fraud list” of known and potential fraud schemes involving company

and break down to the specialization areas as defined in step B.– FIU to compare Transparency International listing of Corruption Perceptions Index to the

company revenue and headcount.– FIU to compare recent well known corporate scandals to determine the viability of that specific

fraud occurring at the company.– Specialization leaders to focus on areas of fraud labelled as “A” or “B” risk. FIU preventative

presentations and targeted efforts for company-wide “C” risk mitigation.D. Assess Likelihood of Fraud

– Specialization leaders to assess the likelihood of the frauds on the “master fraud list” occurring based on a sliding scale:

– 1 - Remote (<5% chance of occurrence)– 2 - Possible (5-50% chance of occurrence)– 3 - Somewhat likely (51-75% chance of occurrence)– 4 - Probable (>75% chance of occurrence)

E. Assess Significance of Risk– Specialization leaders to assess the likelihood of the frauds on the “master fraud list” occurring

based on a sliding scale (differs for each fraud type):– 1 - Negligible– 2 - Serious– 3 - Significant– 4 - Material

F. Mapping of Identified Risks to a quadrant view to show the likelihood and significance.* Derived from PWC study on creating a Fraud Risk Assessment

DRAFT

8

Risk Assessment Phase – Schemes (Preliminary)

ACFE Fraud Categorization

Financial Statements

Asset Misappropriation

Revenue Recognition

Corruption

Journal Entries

Liability Reporting

Channel Stuffing

Disclosures

Reserves

Insider Trading

Income Taxes

Antitrust

Identity Theft

FCPA/Bribery

Kickbacks

Treasury

Purchase OrdersPre-payments

Gift CardsT&E

Petty Cash

Time & Attendance

Benefits

Fictitious Employee

Side Letters

Conflict of Interest

Former Employee

Vendors

A

CB

DRAFT

9

Considerations in Assessing Fraud Risk

• Specialization leaders to focus on “A” and “B” identified schemes.

• Risk to be assessed is the inherent risk:– Think of the risk of this fraud occurring should minimal controls

be in place.

• Consider the account balances: – Treasury risk is rated as an “A” level risk, due to the large

amount of cash on hand. Other misappropriation of assets are “C” level risks due to smaller potential impact on the organization.

• Consider non-financial risks:– In fraud, reputation risks may be as significant, or more

significant than financial loss. Please consider all risks that are attributable to the area being assessed.

DRAFT

10

Risk Assessment Phase - Schemes

DRAFT

# Category Classification Assessment Level

Scenario Type Scenario Example Potential Warning Signs Likelihood Significance Risk Quadrant Preventative Controls

IA Notes FIU Notes

11 Corruption Conflict of Interest B Employee has an undisclosed interest in another company that is being employed for work at the company.

Employee's spouse owns a consulting company and is used by the employee without proper disclosure or mitigation plan.

Consistent use of a vendor without a process for analyzing bid and work quality. Vendor pricing higher than others in similar fields.

Please Assign Likelihood & Significance

12 Corruption Kickbacks B Employee receives a kickback from a vendor for directing work to that vendor.

the company pays vendor for work at a premium price and the company employee/vendor receives portion of the payment back in cash or other goods/services.

Consistent use of a vendor without a process for analyzing bid and work quality. Vendor pricing higher than others in similar fields. Resistance to review other competing companies.


13 Corruption Identity Theft B Employee has committed identity theft and is not the individual they represent to be.

Employee falsifies resume or application using another individuals name and/or work/education history.

No SS# on file with corp, discrepancies between resumes submitted to recruiting.


14 Corruption Antitrust A the company not following antitrust legislation requirements.

the company not following antitrust legislation requirements.


15 Corruption FCPA/Bribery A Bribery performed by the company that violates the Foreign Corrupt Practices Act.

the company Employee bribes an employee or representative of a government entity.


16 Financial Statements

Insider Trading A Insider Trading the company Employees utilizing insider information to influence stock decisions.



Revenue Recognition

A Adjustment of revenue data in the company Sales.

Unauthorized adjustment of data from 3rd party to change the amount of reported revenue.

Increased retailer rebates, unexplainable differences between other the company groups of similar size or product.



Journal Entries A Inappropriate journal entry is made to manipulate accounting system.

Unauthorized journal entry moves expenses to the balance sheet.

Unapproved JE's, lack of BS reconciliation process.



Liability Reporting A Under-reporting of liabilities on the financial statements.

Movement of liabilities to off-balance sheet affiliates. Significant change in liabilites without corresponding outflows on the cash flow statement.



Revenue Recognition

A Timing of Revenue Employee changes terms of contract to change the timing of revenue being recognized.

Significant unexplained change in timings of revenue recognition, contracts that appear to have non-standard terms.



Channel Stuffing A the company stuffs channel with product to inflate reported revenue.

Employee authorizes significant additional product to market, stuffing channel.

Spikes in sell in vs. sell through reporting Please Assign Likelihood & Significance


Reserves A Estimates and reserves are used to manage earnings or misstate financial results.

the company uses accounting estimates or reserves to manage earnings.

Significant changes in reserves balances or methodology.



FS Disclosures A Innaccurate or misleading financial statement disclosures.

the company not providing full disclosure or misleading info within the footnotes.



Income Taxes A Income Tax evasion by under-reporting earnings or making unlawful deductions.

the company incorrectly classifies or under-reports income for tax purposes, or takes unlawful tax deductions.



Side Letters A Unauthorized side letter offers concessions that may affect revenue recognition.

Employee sets agreement on non-standard contract terms authorizing concessions or services that affect revenue recognition.



Revenue Recognition

A Incorrect license volumes being reported resulting in understated or overstated revenue.


27 Asset Misappropriation

Treasury A Theft or use of treasury funds in an unauthorized manner.

Employee directs treasury funds to an unapproved investment or directs funds to a personal account.


DefinitionsA Significant Adverse Impact upon the EnterpriseB Prevent/Detect at SourceC Manage through company-wide FIU fraud prevention & detection program

Additional Considerations for FIU:1 Is fraud being considered by M&A during acquisitions2 Is there a double standard for high level vs. lower level employees, if so, why?3 Current inconsistency in disciplinary actions for similar offenses, not always based on level of employee.

11

Risk Quadrants & Actions

Quadrant 3 – Detect & Monitor

Quadrant 4 – Prevent at Source

Quadrant 1 – Low Control

Quadrant 2 – Monitor

Likelihood

1 2 3 4

Significanc

e

1

2

3

4

Focus Audit Programs and Control documentation for risks in these areas.

DRAFT

12

Risk Assessment Phase - Likelihood & Significance

Asset Misappropriation Corruption Financial Statements

Remote <5% Chance of Occurrence <5% Chance of Occurrence <5% Chance of OccurrencePossible 6%-50% Chance of Occurrence 6%-50% Chance of Occurrence 6%-50% Chance of OccurrenceSomewhat Likely 51%-74% Chance of Occurrence 51%-74% Chance of Occurrence 51%-74% Chance of OccurrenceProbable >75% Chance of Occurrence >75% Chance of Occurrence >75% Chance of Occurrence

Negligible <$100MSerious $100M-$300MSignificant $301M-$500MMaterial >$500M

Significance

Likelihood

FIU to develop significance levels

DRAFT

13

Rank Country2004 CPI

ScoreFY05 Revenue FC

(000's)FY05 Approved

FTE HCIA/FIU

Ranking CommentsIA/FIU

Ranking Definition1 Finland 9.7 187,645 141 1 1 No known issues2 New Zealand 9.6 114,605 115 1 2 Issues known, sporadic3 Denmark 9.5 282,562 871 2 3 Consistent issues, high risk3 Iceland 9.5 11,241 7 15 Singapore 9.3 100,497 645 26 Sweden 9.2 353,761 402 17 Switzerland 9.1 336,979 514 18 Norway 8.9 195,773 167 19 Australia 8.8 644,276 712 2

10 Netherlands 8.7 572,581 458 111 United Kingdom 8.6 2,083,437 2,335 312 Canada 8.5 860,866 775 213 Austria 8.4 207,778 179 113 Luxembourg 8.4 11,477 5 115 Germany 8.2 2,096,960 1,739 216 Hong Kong 8.0 101,131 199 117 Belgium 7.5 231,632 257 117 Ireland 7.5 120,412 1,064 217 USA 7.5 18,058,433 43,388 320 Chile* 7.4 30,378 63 221 Barbados+ 7.3 0 022 France 7.1 1,060,348 1,290 222 Spain 7.1 393,001 527 224 Japan 6.9 3,880,728 2,090 325 Malta+ 6.8 0 0

+ No Office

Risk Assessment Phase – International

25 Least Corrupt Countries

* Information taken from 2004 Transparency International Corruption Index

Benefits:

• Provide SMSG Specialization Leader with aggregate of Regional Risk

• Worldwide analysis of how HC and $$ allocation compares to known corruption indexes

• Provide visibility to countries or regions that may need education on fraud risks

To change

DRAFT

14

Rank Country2004 CPI

ScoreFY05 Revenue FC

(000's)FY05 Approved

FTE HCIA/FIU

Ranking CommentsIA/FIU

Ranking Definition122 Bolivia* 2.2 3,375 7 1 1 No known issues122 Guatemala+ 2.2 0 12 1 2 Issues known, sporadic122 Kazakhstan 2.2 12,478 13 1 3 Consistent issues, high risk122 Kyrgyzstan+ 2.2 0 0 1122 Niger+ 2.2 0 0 1122 Sudan+ 2.2 0 0 1122 Ukraine 2.2 42,550 21 1129 Cameroon+ 2.1 0 0 1129 Iraq+ 2.1 0 0 1129 Kenya 2.1 15,434 11 1129 Pakistan 2.1 11,331 7 1133 Angola+ 2.0 0 0 1133 Congo, Democratic Republic+ 2.0 0 0 1133 Cote d´Ivoire 2.0 12,334 10 1133 Georgia+ 2.0 0 0 1133 Indonesia 2.0 42,374 74 1133 Tajikistan+ 2.0 0 0 1133 Turkmenistan+ 2.0 0 0 1140 Azerbaijan+ 1.9 0 0 1140 Paraguay* 1.9 482 1 1142 Chad+ 1.7 0 0 1142 Myanmar+ 1.7 0 0 1144 Nigeria 1.6 17,324 13 1145 Bangladesh 1.5 1,300 3 1145 Haiti+ 1.5 0 0 1

+ No Office

Risk Assessment Phase – International

25 Most Corrupt Countries

* Information taken from 2004 Transparency International Corruption Index

To change

DRAFT

15

Risk Assessment Phase - Corporate Fraud Scandals

DRAFT

Company Fraud (or Alleged Fraud) Descriptions How could this happen? Scenario assessed by Amount of Fraud Carried out by Reasons Unlikely Adelphia (1) Fraudulently excluded billions of dollars in liabilities

from its consolidated financial statements by hiding them on the books of off-balance sheet affiliates.(2) Falsified operations statistics and inflated earnings to meet Wall Street's expectations.(3) Concealed rampant self-dealing by the Rigas Family, including the undisclosed use of corporate funds for Rigas Family stock purchases and the acquisition of luxury condominiums in New York and elsewhere.

Very tight familial ownership of the company with few outsiders allowed into the inner circle.

(1) 18-Journal Entries(2) 19-Liability Reporting(3) 23-Financial Statement Disclosures

$2.4B ($2.3B of liabilities hidden and ~$100M of self dealing)

Founders family and 2 Sr. Executives

Enron (1) Setup a system of shell companies to hide liabilities, insure stock holdings and sell money losing assets.(2) Booked revenue from power swaps with other energy traders.(3) Booked loans as cash from operations.(4) Booked revenue for long term contracts before revenue was able to be recognized under GAAP.(5) Manipulation of electricity markets and pricing.

Explosive growth, extremely high pressure to exceed targets, non-independent Board of Directors, significant bonuses paid for meeting targets to Sr. Management.

(1) 19-Liability Reporting(2) 20-Revenue Recognition

CEO, CFO and top level executives

Worldcom (1) Reduced liability reserve accounts and counted as revenue.(2) Classified operating costs as long term investments in order to capitalize and reduce P&L impacts.

High pressure to hit targets, significant loans to CEO making stock price exceedingly important to the CEO, CFO putting extreme pressure on finance to please Wall Street.

(1) 22-Reserves(2) 18-Journal Entries

$11B CEO, CFO and top level executives

Tyco (1) CEO & CFO authorized themselves interest-free or low interest loans for personal purchases of property, jewelry, and other frivolities. According to the SEC, these loans were never approved or repaid.(2) CEO & CFO were accused of issuing bonuses to themselves and other employees without approval of Tyco’s board of directors. It was alleged that these bonuses acted as loan forgiveness for employees who had borrowed company money or were used to buy the silence of those who suspected the former CEO and CFO of fraud.

Company was tightly controlled by the CEO and the Board of Directors was not seen as a group that could question his authority.

(3) 23-Financial Statement Disclosures

$600M CEO, CFO, General Counsel

1. Founders are involved in the day to day business decisions and are near the top of the worlds richest people, there would be no f inancial need to carry out these levels of f raud.

2. Board of Directors is independent other than 2 individuals and is made up of skilled members of the business community.

3. Accounting f irm is independent.

4. Strong emphasis on compliance through the creation of the Off ice of Legal Compliance.

5. Standards of Business Conduct.

6. Strong Internal Audit function with integrated FIU.

7. Strong and Independent Audit Committee.

16

Control Documentation Phase

• Specialization Leaders to take scenarios matrix for their areas and map each risk to specific SOX controls.

• Late Q1 timeframe for rollout – ensure that it doesn’t affect 404 deliverables.

DRAFT

Category # Scenario Type Likelihood SignificanceQ1 - Preventative and/or

Detective Controls Quadrant IA Notes FIU Notes1 Employee has an undisclosed interest in another company that is

being employed for work at the company.Please Assign Likelihood & Significance

2 Employee receives a kickback from a vendor for directing work to that vendor.


3 Employee has committed identity theft and is not the individual they represent to be.


4 the company not following antitrust legislation requirements. Please Assign Likelihood & Significance

5 Bribery performed by the company that violates the Foreign Corrupt Practices Act.


6 Insider Trading Please Assign Likelihood & Significance

7 Adjustment of revenue data in the company Sales. Please Assign Likelihood & Significance

8 Inappropriate journal entry is made to manipulate accounting system. Please Assign Likelihood & Significance

9 Under-reporting of liabilities on the financial statements. Please Assign Likelihood & Significance

10 Timing of Revenue Please Assign Likelihood & Significance

11 the company stuffs channel with product to inflate reported revenue. Please Assign Likelihood & Significance

12 Estimates and reserves are used to manage earnings or misstate financial results.


13 Innaccurate or misleading financial statement disclosures. Please Assign Likelihood & Significance

14 Income Tax evasion by under-reporting earnings or making unlawful deductions.


15 Unauthorized side letter offers concessions that may affect revenue recognition.


16 Incorrect license volumes being reported resulting in understated or overstated revenue.


As

se

ts 17 Theft or use of treasury funds/IP/other assets in an unauthorized manner. (Think of the 10 areas in the FIU section below and how they apply to your area.)


18 Purchase Order creation after commencement of work. Please Assign Likelihood & Significance

19 Vendor fraudulently over-charging or double charging for services or goods.


20 the company pre-paying vendor for work to be completed. Please Assign Likelihood & Significance

21 Unauthorized use of gift cards for personal gain. Please Assign Likelihood & Significance

22 Individual continues to use the company resources after leaving the company.


23 Petty cash theft. Please Assign Likelihood & Significance

24 Travel & Entertainment or ProCard expenditues are falsified. Please Assign Likelihood & Significance

25 Employee's not reporting sick or leave time. Please Assign Likelihood & Significance

26 Employee's not reporting partner as eligible for benefits at their place of employment.


27 Payment of payroll to ficticious or former employees. Please Assign Likelihood & Significance

FIU

Co

rru

pti

on

Fin

an

cia

l S

tate

me

nts

To be addressed via company-wide FIU fraud awareness presentations and FIU preventative efforts.

17

Fraud Experience Benchmarking Phase

• Benchmark fraud prevention and detection within the company against other companies to better understand the trends in fraud and to build a fraud resource network within the business community.

• Use of the Corporate Executive Board to facilitate a Fraud Summit that includes the other companies that have been heavily involved in fraud prevention and detection.

• FIU annual meeting for discussing fraud trends in a formal setting.

DRAFT

18

Survey Phase

• Creation of a fraud survey that would be circulated to large audience worldwide, in order to better identify trends and to get a better idea of the frauds that are not being reported to the FIU. Ideas for those to be included are:

– Vice Presidents (US)– General Managers (Regional)– Country Managers (In Country)– Controllers (all)– Compliance Managers– CFO’s (BG)– LCA (Subsidiary)– HR (Subsidiary)

• FIU to aggregate the data to see what the perceived risk by those in the field is, and where unknown risk may lie.

• 2 surveys – 1st would not be anonymous, 2nd would be 6 months later and be anonymous. Comparison of results would provide validation of responses.

• FIU to determine what vehicle is best for surveys – integrate with other surveys and ensure consistency with 302?

DRAFT

19

Evaluation Phase

• Taking knowledge learned from previous phases, the FIU will work with IA to:– Use survey feedback to identify regions or countries

that may have significant risk that has been un-reported to the FIU.

– Create a documented benchmark of how the FIU compares to similar investigative groups across the industry.

– Develop a systematic plan for integrating fraud detection into the audit plan.

DRAFT