IIA Practice Guide: Fraud and Internal Audit - AIBAaiba-us.org/wp-content/uploads/2011/04/20100922AIBAFraud.pdf · IIA Practice Guide: Fraud and Internal Audit 2010 Western Regional

The Unique Alternative to the Big Four®

IIA Practice Guide: Fraud and Internal Audit

2010 Western Regional ConferenceSeptember 19-22, 2010 / Anaheim, CA, USA

© 2010 Crowe Horwath LLP 2Audit | Tax | Advisory | Risk | Performance


Disclaimer & Copyright Notice

The views expressed herein may not necessarily reflect those of Crowe Horwath

LLP. Thus, Crowe Horwath LLP is not, by means of this presentation, rendering

business, accounting, legal advice, or other professional advice or services.

This presentation is not a substitute for such professional advice or services, nor

should it be used as a basis for any decision or action that may affect your

business. Before making any decision or taking any action that may affect your

business, you should consult a qualified professionals. Crowe Horwath LLP, its

affiliates, and related entities shall not be responsible for any loss sustained by any

person or entity that relies on this publication.

All materials including but not limited to graphics, photographs, and text appearing

in this presentation are protected by Copyright.

Reproduction or redistribution in any form is prohibited.



The Fraud Environment



Definition of Fraud

IIA’s IPPF definition: Any illegal act characterized by deceit, concealment, or

violation of trust. These acts are not dependent upon the threat of violence or

physical force. Frauds are perpetrated by parties and organizations to obtain

money, property, or services; to avoid payment or loss of services; or to secure

personal or business advantage.

AICPA EDP Fraud Review Task Force: ―Any intentional act, or series of acts,

that is designed to deceive or mislead others and that has an impact or potential

impact on an organization’s financial statements.‖

The Accountant’s Handbook of Fraud & Commercial Crime: ―Fraud is criminal

deception intended to financially benefit the deceiver.‖



Should Fraud Be A Concern? You Bet it Should!

Of 4,000 high school students with A and B averages, 75 percent admit to

cheating to get ahead. 92 percent of those who said they cheated were never

caught. - Who’s Who Among American High School Students

Almost 80 percent of college students admit to cheating at least once. - The

Center for Academic Integrity

The percentage of resumes and job applications that contain lies and

exaggerations has been estimated between 30 and 80 percent. - Security

Management Magazine



Wheel of Misfortune

http://www.bearstearns.com/index.htm

http://www.citigroup.com/citigroup/homepage/index.htm



Putting the Freud in Fraud™



White Collar Crime

White collar crime involves embezzlement, forgery, or fraud committed in the

course of normal business practice, but is highly unethical and violates accepted

accounting principles or the public trust.

Like the crime of conspiracy, deception and cover up are the hallmarks of white

collar crime.

According to various studies conducted by the ACFE, approximately 95% of

white collar criminals have no previous criminal record. In fact, the higher the

monetary value of the economic crime, the less likely it is that the perpetrator will

have a previous criminal record.

White collar criminals know that people live on the hope of a better financial

future. The white collar criminal’s job is to feed people’s hope with their spin and

lies.



Verify

The white collar criminal hopes that you will never verify what they say or present

to you.

Even if you do verify, your skepticism of the criminal’s deceptive answers may be

corroded by your comfort level. In other words, you will accept the criminal’s

deceptive answers as factual.



Why the Fraud Triangle is

Not Good Enough Anymore



The Evolution

Knowing what might provoke an employee, even an otherwise lawful individual,

to blur the line between legal and illegal activity is the key to fighting fraud

effectively.

Famed criminologist Donald R. Cressey first identified three elements –

opportunity (including general knowledge and technical skill), pressure, and

rationalization – as the ―fraud triangle‖ in the 1950s to explain why people

commit fraud.

Cressey’s classic fraud triangle helps to explain many but not all situations.

Source: Donald R. Cressey, Other People’s Money: A Study in the Social Psychology of Embezzlement. New York: Free

Press, 1953.



Then…..1950’s

Fraud is more likely to occur when someone has:

1. Opportunity – Weak controls provide the opportunity for a person to commit fraud.

2. Pressure - Incentive to commit fraud

3. Rationalization – Ability to rationalize fraudulent behavior (attitude)

Source: Donald R. Cressey, Other People’s Money: A Study in the Social Psychology of Embezzlement. Free Press, 1953.



Then and Now

1950s

Straight-line reporting authority

Manual processes

Dual responsibility

Single suppliers

Local or regional service area

Step-up salary structure

2000s

Matrixed organizations

Automation

Autonomous authority

Multiple vendors and global trading

partners

Global reach

Performance-based pay



Now…

The fraud triangle

has morphed into a

Fraud Pentagon™ .

Unchecked, these

five elements -

pressure,

opportunity,

rationalization,

competence, and

arrogance - can

provoke employees

to commit fraud.



Elements of Fraud - Arrogance

Many frauds are committed by people in very senior positions with ―Big Egos‖.

They believe that the rules don’t apply to them.

They think they can circumvent internal controls and not get caught.

Bully-attitude

―..remember that many crimes are committed without economic gain for reasons of

ego, status, and sheer arrogance.‖

Source: Sam E. Antar, convicted felon.. Ex-CFO Crazy Eddie



Elements of Fraud - Competence

Competence gives the perpetrator the opportunity to turn desire into

reality.

There are six common traits of personal competence:

Functional authority within the organization

Sufficient intelligence to understand and exploit a situation

Strong ego and personal confidence

Strong coercive skills

Effective at being deceptive

High tolerance for stress



Greed is Good

―The point is, ladies and gentleman, that greed, for lack of a better word, is good.

Greed is right, greed works. Greed clarifies, cuts through, and captures the

essence of the evolutionary spirit. Greed, in all of its forms; greed for life, for

money, for love, knowledge has marked the upward surge of mankind. And

greed, you mark my words, will not only save Teldar Paper, but that other

malfunctioning corporation called the USA. Thank you very much. ‖

http://www.youtube.com/watch?v=7upG01-XWbY



The Business Case: The Impact of Fraud



ACFE 2010 Report on Fraud in the U.S.

Survey participants estimated that the typical

organization loses 5% of its annual revenue to

fraud. Applied to the estimated 2009 Gross World

Product, this figure translates to a potential global

fraud loss of more than $2.9 trillion.

The median loss caused by the occupational fraud

cases in our study was $160,000. Nearly one-quarter

of the frauds involved losses of at least $1 million.

Small organizations are disproportionately victimized

by occupational fraud. These organizations are

typically lacking in anti-fraud controls compared to

their larger counterparts, which makes them

particularly vulnerable to fraud.

Source: 2010 ACFE Report to the Nation



Perpetrators of Fraud

High-level perpetrators cause the greatest damage to their organizations.

Frauds committed by owners/executives were more than three times as costly as

frauds committed by managers, and more than nine times as costly as employee

frauds. More than 85% of fraudsters in the study had never been previously

charged or convicted for a fraud-related offense.

Fraud perpetrators often display warning signs that they are engaging in illicit

activity.




Initial Detection of Occupational Fraud

The frauds lasted a median of 18 months before being detected.

Occupational frauds are much more likely to be detected by tip than by any other

means. This finding has been consistent since 2002 when the ACFE began

tracking data on fraud detection methods.




Control Weaknesses that Contributed to Fraud

Survey participants were asked which of several circumstances they believed

was the most important contributing factor that allowed the fraud to occur.

Lack of internal controls, lack of management review, and override of existing

internal controls were the three most commonly cited factors that allowed fraud

schemes to succeed.




ACFE: Anti-Fraud Works!

Anti-fraud controls appear to help reduce the cost and duration of occupational

fraud schemes. The ACFE looked at the effect of 15 common controls on the

median loss and duration of the frauds. Victim organizations that had these

controls in place had significantly lower losses and time-to-detection than

organizations without the controls.



Median Loss - Presence of Anti Fraud Controls




Duration - Presence of Anti Fraud Controls




Per the 2010 ACFE Report to the Nation

In response to the discovery of the fraud, more than 80% of the victim

organizations in our study implemented or modified internal controls.

While this percentage is quite high, it indicates that nearly 1 out of 5 victims

retained the same control system — or lack thereof — that was ineffective in

preventing the reported fraud schemes.

Of those that did implement or modify their internal controls in response to the

fraud, more than 60% increased segregation of duties, more than 50% added

formal review of internal controls by management and 23% implemented

surprise audits.



The Cost of Fraud

“More money has been stolen at

the point of a pen than at the

point of a gun.”

*Source: Towards a Sociology of Organizational Crime, Frank Schmalleger, Ph.D 1991



The True Costs of Fraud

The true costs of fraud to an

organization go beyond dollar

losses.

These include:

Public scrutiny

Reputation loss

Government investigations

Loss of market capital

Severe financial penalties

Loss of investor confidence



Red Flags of Fraud



Employee Red Flags of Fraud

Wheeler-dealer attitude

Never out of balance

Secretive, territorial

Intellectual challenge to "beat the system"

Criminal record

Not taking vacations of more than two or three days

A department that does not enforce proper procedures for

authorization of transactions



Employee Red Flags of Fraud

Unusually high personal debts

Living beyond one's means

Excessive gambling habits

Alcohol problems

Drug problems

Feeling of being underpaid

Feeling of insufficient recognition for job performance

Poor credit rating

Consistent rationalization of poor performance



Examples of Fraud Schemes



Occupational

Fraud and

Abuse

Classification

System



Banking/Financial Services – Fraud Schemes

Banking / Financial Services ranked first in number of frauds, but ranked

12th out of 22 in median loss

Corruption - 33.9%

Cash on Hand - 21.5%

Billing - 12.4%

Check Tampering - 11.7%

Non-Cash - 11.1%

Skimming -10.7%

Larceny - 9.7%

Expense Reimbursements - 6.7%

Financial Statement Fraud - 5.4%

Payroll - 3.0%

Register Disbursements - 2.7%




Fraud Schemes – Banking Industry

“Classic” frauds:

DDA-related, e.g. check kiting, fraudulent official checks, misuse of dormant

accounts

Fraudulent, nonexistent or "compromised" loans or loan collateral

Money laundering

Payment/credit card fraud

Identity theft

Rogue securities traders (exceeding risk exposure & position limits)

Fraudulent wire transfers or other "automated" cash transactions

Theft of (vault) cash, covered by fraudulent balancing sheets, etc.



Fraud Schemes – Banking Industry (continued)

Current hot-button frauds:

Loan underwriting based on fraudulent input information

Fraudulent valuation of mortgage loan collateral

Fraudulent securities valuation and/or classification (as trading vs. investment)

Valuation of "exotic" investments in turbulent financial markets

Internet-based scams (e.g. ―phishing‖)

Fraudulent counterparties to derivative transactions

Fraudulent classification of bank assets and liabilities (for purposes of determining regulatory capital, loan concentration, legal lending limits)

Third party/outsourcing risks, e.g. third party responsible for replenishing ATM machines taking cash

Remote deposit capture – a form of third party risk due to insertion in the capture process



IPPF

Standards and Guidance



Relevant IPPF Standards

IIA Standard 1200: Proficiency and Due Professional Care

1210.A2 – Internal auditors must have sufficient knowledge to evaluate the risk

of fraud and the manner in which it is managed by the organization, but are not

expected to have the expertise of a person whose primary responsibility is

detecting and investigating fraud

IIA Standard 1220: Due Professional Care

1220.A1 – Internal auditors must exercise due professional care by considering:

Extent of work needed to achieve the engagement’s objectives.

Related complexity, materiality, or significance of matters to which assurance

procedures are applied.

Adequacy and effectiveness of governance, risk management, and control processes.

Probability of significant errors, fraud, or noncompliance.

Cost of assurance in relation to potential benefits.



Relevant IPPF Standards (continued)

IIA Standard 2060: Reporting to Senior Management and the Board

The chief audit executive (CAE) must report periodically to senior management

and the board on the internal audit activity’s purpose, authority, responsibility,

and performance relative to its plan. Reporting must also include significant risk

exposures and control issues, including fraud risks, governance issues, and

other matters needed or requested by senior management and the board.

IIA Standard 2120: Risk Management

2120.A2 – The internal audit activity must evaluate the potential for the

occurrence of fraud and how the organization manages fraud risk.

IIA Standard 2210: Engagement Objectives

2210.A2 – Internal auditors must consider the probability of significant errors,

fraud, noncompliance, and other exposures when developing the engagement

objectives.



Internal Audit Responsibilities

During Internal Audit Engagements

Consider fraud risks when assessing control design

Be on the lookout for red flags

Be alert to opportunities that can allow fraud

Has Management addressed previously reported control deficiencies

Evaluate indicators of fraud

Recommend investigation when appropriate

Communicate with the Board

Fraud audits and coordination with others

Roles and Responsibilities

Fraud concerns and issues

Fraud Risk Assessment

IA’s Role in Investigations should be defined in the Internal Audit Charter

Primary Responsibility

Need skill set

A Secondary Resource

No Involvement – need to maintain independence



Preventing and Detecting Fraud



IIA Guidance

An effective fraud management program includes:

Company ethics policy - ―tone at the top‖ from senior management.

Fraud awareness - understanding the nature, causes, and characteristics of fraud.

Fraud risk assessment - evaluating the risk of various types of fraud.

Ongoing reviews - an internal audit activity that considers fraud risk in every audit and

performs appropriate procedures based on fraud risk.

Prevention and detection - efforts taken to reduce opportunities for fraud to occur and

persuading individuals not to commit fraud because of the likelihood of detection and

punishment.

Investigation - procedures and resources to fully investigate and report a suspected

fraud event.



Importance of Control in Detecting or Limiting Fraud - Rankings by CFEs as to

importance of anti-fraud controls in detecting or limiting the fraud




Crowe’s Anti-Fraud Model



Be Curious



Be a ―Skeptoid‖



Have Courage



Closing Thoughts

Regardless of an organization’s industry, size, or fraud scheme used, the

majority of fraud is still detected by accident or tip.

Clear need for a proactive approach to fraud deterrence and detection

Trust is a professional hazard---verify, verify, verify, and verify!



Crowe Horwath LLP is an independent member of Crowe Horwath International, a Swiss verein. Each member firm of Crowe Horwath International is a separate

and independent legal entity. Crowe Horwath LLP and its affiliates are not responsible or liable for any acts or omissions of Crowe Horwath International or any

other member of Crowe Horwath International and specifically disclaim any and all responsibility or liability for acts or omissions of Crowe Horwath International or

any other Crowe Horwath International member. Accountancy services in Kansas and North Carolina are rendered by Crowe Chizek LLP, which is not a member

of Crowe Horwath International. This material is for informational purposes only and should not be construed as financial or legal advice. Please seek guidance

specific to your organization from qualified advisers in your jurisdiction. © 2010 Crowe Horwath LLP

For more information, contact:

Mike Miller, CIA, CISA, CRP

Direct 973-422-4536

[email protected]

mailto:[email protected]

Documents

IIA Practice Guide: Fraud and Internal Audit - AIBAaiba-us.org/wp-content/uploads/2011/04/20100922AIBAFraud.pdf · IIA Practice Guide: Fraud and Internal Audit 2010 Western Regional