
RCGT Consulting Inc. 100% focused on federal government – from coast to coast to coast

Controls and Fraud Detection November 29, 2012

Financial Management Institute of Canada

Ottawa Convention Centre

Raymond Chabot Grant Thornton Consulting Inc.

Overview

Today’s environment

In today’s environment of staff turnover, cost-cutting, and a desire to do “more with less,” internal auditors need to have an awareness of fraud indicators more than ever.

Today’s discussion

Common control weaknesses, fraud detection methods and fraud indicators – and how internal audit can make a difference.

Every case of fraud or abuse will be different

On the Agenda

Understanding Fraud Risk

Why Should You be Concerned?

What is a Fraud Risk Assessment?

Effective Fraud Controls

Presenting Results with Impact

What is Fraud Risk?

Fraud involves intentional and deliberate efforts to conceal the true nature of a transaction.

Fraud Risk is the organization’s vulnerabilities to those capable of committing and concealing fraud, and may come from sources internal and external to the organization.

Types of Schemes - Canadian Cases

©2012 Association of Certified Fraud Examiners, Inc.

Case Distribution by Fraud Scheme

©2012 Association of Certified Fraud Examiners, Inc.

Anti-Fraud Control Effectiveness

While all controls were associated with a reduced median loss, the presence of formal management reviews, employee support programs and hotlines were correlated with the greatest decreases in financial losses. Organizations lacking these controls experienced median fraud losses approximately 45% larger than organizations with the controls in place.

On the other end of the spectrum, external audits of financial statements — the most commonly implemented control among the victim organizations — showed the least impact on the median loss suffered, with an associated reduction of less than 3%.

©2012 Association of Certified Fraud Examiners, Inc.

Median Loss Reduction with Anti-Fraud Controls

©2012 Association of Certified Fraud Examiners, Inc.

Federal Accountability Act

provide real protection to whistleblowers who disclose government wrongdoing by introducing specific penalties for offences, granting powers to the new Public Sector Integrity Commissioner, creating a Public Servants Disclosure Protection Tribunal to consider cases of reprisal, providing public-sector employees with access to legal counsel and continuing to ensure they have adequate access to the courts, and providing a $1,000 reward to public-service employees who have the courage to expose wrongdoing in the workplace.

Effective Hotlines

Although tips are consistently the most common fraud-detection method, nearly half of the victim organizations analyzed did not have a hotline mechanism in place at the time of the fraud.

Organizations with hotlines had a larger percentage of frauds reported by tip than in organizations without hotlines.

©2012 Association of Certified Fraud Examiners, Inc.

Why Should You be Concerned?

Professional standards

Legislative and policy requirements

Increased expectations by those charged with governance, oversight, accountability

Economic downturn = shrinking budgets + strained resources

Increasing transient workforce

Growing organizational complexities

Technology advancement

Fraud Risk Management Program

• Fraud Risk Assessment
• Fraud Awareness and Education Training
• Fraud Policy
• Fraud Investigation
• Fraud Prevention and Detection
• Fraud Reporting

Fraud Risk Assessment

What is it?

Objective of the FRA is to help the organization understand and identify areas most vulnerable to inappropriate activities.

Management can better identify where and how fraud is most likely to occur, identify gaps, and proactively implement preventive, detective and corrective measures to minimise possible occurrences of fraud.

Planning/WP

• Assurance engagement
• RBAP

Stand-alone reporting

• Entity-wide
• Sector / processes
• Multi-year

Fraud Risk Assessment – Where is the Value?

Provides a systematic and recurring approach

Improved understanding of fraud risks and potential schemes

Identify potential control inadequacies and failures

Increased corporate awareness on the risk of fraud

Open communication with Sr. Management, DAC

Fraud Risk Assessment – Where is the Value?

Insight on fraud risks in operating areas that otherwise may not be considered

Can help determine if fraud occurred in risk areas

Helps to focus IA efforts on areas of highest risk

Supports the establishment of mitigating strategies

Compliance (i.e. IIA, MAF, FAA)

Value added and client expectations

Fraud Risk Assessment Considerations

Management needs

Fraud risk tolerance

Inherent fraud risks

• areas, activities, and individuals who put the organization most at risk (internally and externally)
• understanding of possible schemes

Mitigating controls

Residual fraud risk

Understand the gaps

Practical and valued recommendations and mitigation strategies

Planning the FRA

One size does not fit all!

Work with management to clarify its needs

Limit the scope

Identify the right sponsor for access and participation

Choose the right expertise and team

Research for knowledge and insight

...Planning the FRA

When you arrive:

Discuss and/or determine risk tolerance

Consider sensitivities

Budget availability

Develop a structured, rational and tailored approach

Conducting the FRA

Practical Steps

Fraud awareness training and brainstorming workshops

Facilitate anonymous feedback

Identify inherent fraud risks

Assess likelihood and impact of inherent risks

Walkthrough processes

One-on-one interviews (bottom-up)

Structured, rational, and tailored approach

...Conducting the FRA

Practical Steps

Identify and map mitigating controls

Assess control design effectiveness (not operating)

Assess likelihood and significance of residual fraud risks

Document working papers and results

Report critical observations

Validate results with management

Structured, rational, and tailored approach

Fraud Risk Control Matrix

Matrix Elements:

• Inherent Fraud Risk (IFR)
• Likelihood
• Significance
• IFR Rating
• Mitigating Controls
• Risk Tolerance
• Residual Fraud Risk
• Recommendations

Map fraud type by activity with existing controls to identify and visualize risks that are not addressed by the control elements

Warning Signs During FRA

× Reluctance to participate, withholding information

× Tips, complaints, allegations

× Management control override

× Deficient control mechanisms

× Lack of segregation of duties

× Disregard of compliance requirements

× Insufficient monitoring

× Numerous transaction errors, un-reconciled items

× Missing or incomplete documentation

Reporting with Impact

Comprehensive Reporting

Executive summary

Objective

Scope

Limitation (i.e. assurance)

Approach

Findings & Residual risks

Risk Control Matrix

Risk Inventory

Rating Summaries

Flowchart

Recommendations

Higher than acceptable risks

Control design weakness

Testing operating effectiveness

Mitigating strategies

Assurance vs Consulting

Continuous auditing (CAATs)

Conclusion

Summary of Fraud Risks

Inherent Fraud Risks | Residual Fraud Risks: Low | Residual Fraud Risks: Medium | Residual Fraud Risks: High
30 | 18 | 10 | 2

Division xxx

High Residual Fraud Risks

• Access to confidential information through hacking
• Prohibited building access outside normal hours

Recommendation

• Immediate access restriction, with proper access security code to align with organization policy on security. Follow-up audit on management action within a month and reporting results to the Board.

Illustrating the results

Clear and Relevant

[Heat map: fraud schemes plotted by Impact and Likelihood, each axis ranging from Low to High. Schemes shown: Disbursements, Conflicts of interest, Corruption, Phantom vendors, Ghost employees, Misuse of assets, Skimming, Manipulation of Earnings, Kickbacks]

FRA Synopsis

FRA needs identification

Planning

Training and brainstorming workshops

Identify and assess inherent fraud risks

Walkthroughs

Additional interviews and documentation

Identify and assess controls design effectiveness

Document the fraud risk control matrix

Identify and assess residual fraud risk

Validate findings and finalize documentation

Reporting

Control Weakness Relationship to Fraud

An outright lack of controls was the most frequently cited factor, noted as the primary weakness in more than 35% of cases. This number jumps to more than 45% for those cases that occurred in small businesses.

In 19% of the cases, the perpetrator overrode existing controls to carry out his or her scheme; a similar number of respondents stated that a lack of management’s review was the key control weakness that contributed to the fraud.

©2012 Association of Certified Fraud Examiners, Inc.

‘Tone at the Top’

Interestingly, a poor tone at the top contributed to 9% of all the fraud cases reported to us, but was cited as the primary factor in 18% of cases that resulted in a loss of $1 million or more.

This reinforces the importance of a proper ethical tone from management in protecting an organization against the largest frauds — those cases that have the greatest potential to cripple the organization’s finances and reputation.

©2012 Association of Certified Fraud Examiners, Inc.

Primary Control Weaknesses Resulting in Fraud

©2012 Association of Certified Fraud Examiners, Inc.

What Level of Employee commits Fraud?

©2012 Association of Certified Fraud Examiners, Inc.

Median Loss by Level of Employee

©2012 Association of Certified Fraud Examiners, Inc.

Perpetrators in Canada (55 cases)

©2012 Association of Certified Fraud Examiners, Inc.

Identifying Potential Perpetrators

Behavioral Red Flags Displayed by Perpetrators

Most occupational fraudsters’ crimes are motivated at least in part by some kind of financial pressure. In addition, while committing a fraud, an individual will frequently display certain behavioral traits associated with stress or a fear of being caught.

©2012 Association of Certified Fraud Examiners, Inc.

Behavioral Red Flags

In 81% of all cases reported to us, the perpetrator had displayed at least one behavioral red flag, and, within these cases, multiple red flags were frequently observed. The next chart shows the percentage of cases in which each respective red flag was reported.

The fraudster living beyond his or her means (36%), experiencing financial difficulties (27%), having an unusually close association with vendors or customers (19%) and displaying excessive control issues (18%) were the four most commonly cited red flags in 2012, just as they were in 2010.

©2012 Association of Certified Fraud Examiners, Inc.

Behavioral Red Flags

The consistency of the distribution of red flags from year to year is particularly remarkable. Despite the fact that the group of perpetrators analyzed in our 2012 study was completely different than the perpetrators included in our 2010 and 2008 studies, each group seems to have collectively displayed behavioral red flags in largely the same proportion.

©2012 Association of Certified Fraud Examiners, Inc.

Behavioral Red Flags of Perpetrators

©2012 Association of Certified Fraud Examiners, Inc.

Fraud Prevention Checklist

The most cost-effective way to limit fraud losses is to prevent fraud from occurring. The following checklist is designed to help test the effectiveness of fraud prevention measures.

©2012 Association of Certified Fraud Examiners, Inc.

Fraud Prevention Checklist

1. Is ongoing anti-fraud training provided to all employees of the organization?

❑ Do employees understand what constitutes fraud?

❑ Have the costs of fraud to the company and everyone in it — including lost profits, adverse publicity, job loss and decreased morale and productivity — been made clear to employees?

❑ Do employees know where to seek advice when faced with uncertain ethical decisions, and do they believe that they can speak freely?

❑ Has a policy of zero-tolerance for fraud been communicated to employees through words and actions?

©2012 Association of Certified Fraud Examiners, Inc.

Fraud Prevention Checklist

2. Is an effective fraud reporting mechanism in place?

❑ Have employees been taught how to communicate concerns about known or potential wrongdoing?

❑ Is there an anonymous reporting channel available to employees, such as a third-party hotline?

❑ Do employees trust that they can report suspicious activity anonymously and/or confidentially and without fear of reprisal?

❑ Has it been made clear to employees that reports of suspicious activity will be promptly and thoroughly evaluated?

❑ Do reporting policies and mechanisms extend to vendors, customers and other outside parties?

©2012 Association of Certified Fraud Examiners, Inc.

Fraud Prevention Checklist

3. To increase employees’ perception of detection, are the following proactive measures taken and publicized to employees?

❑ Is possible fraudulent conduct aggressively sought out, rather than dealt with passively?

❑ Does the organization send the message that it actively seeks out fraudulent conduct through fraud assessment questioning by auditors?

❑ Are surprise fraud audits performed in addition to regularly scheduled audits?

❑ Is continuous auditing software used to detect fraud and, if so, has the use of such software been made known throughout the organization?

©2012 Association of Certified Fraud Examiners, Inc.

Fraud Prevention Checklist

4. Is the management climate/tone at the top one of honesty and integrity?

❑ Are employees surveyed to determine the extent to which they believe management acts with honesty and integrity?

❑ Are performance goals realistic?

❑ Have fraud prevention goals been incorporated into the performance measures against which managers are evaluated and which are used to determine performance-related compensation?

❑ Has the organization established, implemented and tested a process for oversight of fraud risks by the board of directors or others charged with governance (e.g., the audit committee)?

©2012 Association of Certified Fraud Examiners, Inc.

Fraud Prevention Checklist

5. Are fraud risk assessments performed to proactively identify and mitigate the company’s vulnerabilities to internal and external fraud?

6. Are strong anti-fraud controls in place and operating effectively, including the following?

❑ Proper separation of duties

❑ Use of authorizations

❑ Physical safeguards

❑ Job rotations

❑ Mandatory vacations

©2012 Association of Certified Fraud Examiners, Inc.

Fraud Prevention Checklist

7. Does the internal audit department, if one exists, have adequate resources and authority to operate effectively and without undue influence from senior management?

8. Does the hiring policy include the following (where permitted by law)?

❑ Past employment verification

❑ Criminal and civil background checks

❑ Credit checks

❑ Drug screening

❑ Education verification

❑ References check

©2012 Association of Certified Fraud Examiners, Inc.

Fraud Prevention Checklist

9. Are employee support programs in place to assist employees struggling with addictions, mental/emotional health, family or financial problems?

10. Is an open-door policy in place that allows employees to speak freely about pressures, providing management the opportunity to alleviate such pressures before they become acute?

11. Are anonymous surveys conducted to assess employee morale?

©2012 Association of Certified Fraud Examiners, Inc.

Auditing Tips

1. Scale the Audit aligned to risk areas.

2. Evaluate Entity-Level Controls (‘Tone at the Top’)

3. Assess the Risk of Management Override and Mitigating Actions.

4. Evaluate Segregation of Duties and Alternative Controls.

5. Proper design and effectiveness of significant mitigating controls

6. Audit Information Technology Controls / Complex IT Environment.

7. Consider Financial Reporting Competencies and their Effect on Internal Control.

Context Considerations

Characteristic | Internal Auditing | Fraud & Wrongdoing Investigations | Regulatory & Standards Compliance
Timing | Risk-based | Allegation | Stipulated
Users | Management (OPI, DAC) | Public Stakeholders | Stakeholders
Purpose/Objective | Audit Opinion (materiality, fairness) | Judicial / quasi proceedings | Compliance
Scope | Lines of enquiry | Concerns | Specific
Evidence | Audit Standards | IFA, Legal Settings | Legal, Regulated, Contractual
Relationship | Cordial | Adversarial | Mixed

Stages of an Investigation

Needs Identification

Selecting the Investigation Team

Planning the Investigation

Establishing the Facts

Validating the Facts

Analysis and Conclusion

Reporting Outcome / Disposition

Conclusion

Golden Rules

1. Recognize and follow red flags, the fingerprints...

2. Avoid tunnel vision

3. Audit is not an investigation

4. Think ahead to possible outcomes and appearances

5. Ensure that you remain objective, reasonable and fair... and can always be seen to be so

6. Seek the advice of experienced parties at an early stage... and follow it.

IIA References

IIA Standards

• 1210.A2
• 1220.A1
• 2060
• 2120.A2
• 2210.A2

IIA Practice Guides

• Internal Auditing and Fraud, December 2009
• Managing the Business Risk of Fraud, 2008
• Fraud Prevention and Detection in an Automated World

www.theiia.org/guidance/standards-and-guidance/fraud

Questions?

Annie Dugas, CPA, CA, CA-DIFA, CFE
Director
Forensic Accounting & Investigations Services
Raymond Chabot Grant Thornton Consulting Inc.
T: 613-760-3504
E: [email protected]

Saira Kanani, CFE, CGAP, CLEA
Manager
Forensic Accounting & Investigations Services
Raymond Chabot Grant Thornton Consulting Inc.
T: 613-760-3504
E: [email protected]