INTEGRATING FRAUD INTO YOUR AUDIT PROGRAM · Integrating Fraud Into Your Audit Program What is The Fraud Risk Universe How to Write a Fraud Risk Statement Understanding How Fraud

INTEGRATING FRAUD INTO YOUR AUDIT PROGRAM

© Fraud Auditing, Inc. Section 1 - Slide 2 01/15/19

TODAYS AGENDA

Integrating Fraud Into Your Audit Program What is The Fraud Risk Universe How to Write a Fraud Risk Statement Understanding How Fraud Concealment Impacts Your

Audit Strategies for Fraud Testing

My goal for today: Create the opportunity for discussion Help you think about fraud differently Answer your questions to the best of my ability


Part 1: What is fraud Part 2: Fraud risk structure Part 3: How to write the fraud risk statement Part 4: Integrating into the audit program Part 5: Practical exercise


WHAT IS FRAUD FROM A LEGAL PERSPECTIVE

Blacks Law Dictionary Eight Edition: A knowing misrepresentation of the truth or

concealment of a material fact to induce another to act to his or her detriment

Provides definition of specific types of fraud: Civil fraud Criminal fraud Promissory Etc.


WHAT IS FRAUD FROM AND AUDITORS PERSPECTIVE

Acts committed on, by, or for the organization Acts are committed by an internal or external source Acts are intentional and concealed

Acts are illegal Acts also cause: financial misstatement, policy violation, ethical lapse, or a perception issue

Acts cause a loss of company funds, company value, or reputation, or any other unauthorized benefit loss (whether received personally or by others)


LOGIC VS EXPERIENCE

You can compute the number of fraud risk statements in your scope with mathematical precision

By understanding permutation fraud analysis:

I may not know what the perpetrator is doing, but I know everything the perpetrator can do!

The goal of logic analysis is two fold: Ensure the completeness of your analysis Create time for data interpretation


DOES THE AUDITOR UNDERSTAND?

Threat and vulnerability analysis Organization’s fraud risk structure How to create a comprehensive fraud risk

register Resources necessary to implement fraud

auditing


THREATS, VULNERABILITIES AND FRAUD RISKS

Vulnerabilities: Points in the internal control structure that can be exploited

Threats: Possible danger that someone might exploit a vulnerability in our internal control structure thereby causing monetary or non monetary harm

Risk: Threat, probability and business impact

Fraud Risk: An intentional act and concealed act which is designed to cause harm to the organization


WHAT IS A VULNERABILITY

Governance structure or organization How and where we conduct business Non compliance with a internal control Sophistication of concealment Collusion or extortion Fraud risk factors


UNDERSTANDING THE PROGRESSION THE THREE LEVELS

Organization

• Threat and vulnerability assessment • Assign responsibility • Primary and secondary fraud categories

Business System

• Fraud risk assessment • Assess probability • Inherent schemes

Audit Program

• Fraud risk assessment • Build audit program • Fraud risk statement




THE FRAUD RISK UNIVERSE

PRIMARY FRAUD CLASSIFICATION

SECONDARY FRAUD

CLASSIFICATION

INHERENT FRAUD SCHEME

FRAUD RISK STATEMENT


FRAUD RISK UNIVERSE

Offender and victim Type of fraud or category of fraud

Fraud Risk

Structure

Inherent Scheme Fraud Risk

Statement

Generic description of a fraud risk. Comprised of an entity and action

How the inherent scheme occurs within your business system


FRAUD RISK STATEMENTS

• Generic or high level • Entity / action • Easy to understand

Inherent Fraud Risk

• Description of a threat facing the organization that has an element of deceit or concealment

• Five components • Drives the audit program

Fraud Risk Statement

• How someone would perpetrate a fraud risk statement against your organization

• Five components • Internal control vulnerability

Fraud Scenario


TYPES OF FRAUD RISK STATEMENTS

Common to all business systems Company specific Industry specific Unauthorized access Internal control inhibitor


Offender and Victim

Primary Category

Secondary Category

Inherent Scheme to the Fraud

Risk Statement

FRAUD RISK IDENTIFICATION PROCESS


OFFENDER AND THE VICTIM

Employee against employer Employer against employee Employer against government Employer against consumer or investing

community Professional crime groups against companies or

government STARTING POINT FOR THREAT ANALYSIS


PRIMARY FRAUD RISK CATEGORIES

Asset Misappropriation

Corruption / Extortion

Financial Reporting

Revenue Obtained Improperly

Expense Avoidance

Government Regulation Avoidance

Improper Obtain / Loss Information

Computer Fraud

Management Override Concerns

Other Areas


Asset misappropriation: application of another's property or money dishonestly to ones own use (source Blacks Law Dictionary)

Corruption: is the use of entrusted power for personal gain (source Transparency international) Conceptually, corruption is a form of behaviour which departs from ethics, morality, tradition, law and civic virtue.

Financial reporting: Financial statement fraud is the process of intentionally misleading the reader of the financial statements. It is the deliberate misrepresentation, misstatement, or omission of financial data to provide the impression that the organization is financially sound.

DEFINITIONS OF MAJOR CATEGORIES


SECONDARY FRAUD RISK CATEGORIES

Asset Misappropriation • Theft of monetary funds • Theft of tangible asset • Misuse of assets • Lack of business purpose • Related party/conflict of

interest • Dispose of asset below FMV • Acquire of asset above FMV



Financial Reporting • False transaction • Improper recognition of

transaction • Improper accounting treatment

for class of transactions • Failure to record or write-off



Financial Reporting Assertions • Class of transactions or events: • Occurrence • Completeness • Accuracy • Cutoff • Classification



Financial Reporting Assertions • Account balances at year end: • Evidence • Rights and obligations • Completeness • Valuation and allocation



Financial Reporting Assertions • Presentation and disclosure: • Occurrence and rights and

obligations • Completeness • Classification and

understandability • Accuracy and valuation


INHERENT SCHEME LINKS TO THE AUDIT PROCESS

Fraud Impact

Fraud Conversion

Fraud Concealment

Internal Control

Permutation Analysis

How The Scheme Occurs

Person(s) Committing

Inherent Fraud

Scheme


INHERENT FRAUD SCHEMES

Each business system has a finite and predictable list of inherent fraud schemes

Each inherent fraud scheme has a finite and predictable list of fraud permutations

Each inherent fraud scheme permutation creates a finite and predictable list of fraud scenarios

Each inherent fraud scheme has two components Entity Action


INHERENT FRAUD SCHEME EXAMPLE: DISBURSEMENT OF FUNDS

False entity: vendor False billing: receive no goods or services Pass Through billing: receive goods or services

Real entity: vendor Over billing: over pay on some aspect or some way Disguised expenditure: personal or theft conversion

THE PREDICTABLE PHASE


Each inherent scheme links to a person(s) that commit the scheme Person Committing: Operations manager falsely

accepts product with known defect Entity: Real vendor that is complicit Action: Over billing

Actions may have multiple categories Primary Category: Overbilling by vendor Secondary Category: Product Substitution

INHERENT FRAUD SCHEMES


AT WHAT LEVEL SHOULD YOUR DESCRIBE THE FRAUD ACTION STATEMENT Vendor overbills the company Vendor commits product substitution scheme Product substitution

Fitness issue Knock off scheme Counterfeit Manufacturer false label

Chemical Composition Country of Origin


JUST A DIFFERENT LOOK AT INHERENT SCHEME

Person Entity

False

Real

Action How To


JUST A DIFFERENT LOOK AT INHERENT SCHEME

Accounts Payable Manager

Vendor False

Real

Take over Identify

Change Address


GROUP DISCUSSION

How does the fraud risk structure help the auditor in developing their audit scope?




BUILDING THE FRAUD RISK STATEMENT

Fraud Impact

Fraud Conversion

Fraud Concealment

Internal Control

Permutation Analysis

How The Scheme Occurs

Person(s) Committing

Inherent Fraud

Scheme


JUST A REMINDER: THE FRAUD RISK UNIVERSE

PRIMARY FRAUD CLASSIFICATION

SECONDARY FRAUD

CLASSIFICATION

INHERENT FRAUD SCHEME

FRAUD RISK STATEMENT


HOW TO BUILD A FRAUD RISK STATEMENT

Customize Merging Business process and permutation analysis


ELEMENTS OF A FRAUD RISK STATEMENT

What are the combinations? Permutation analysis

Opportunity: person committing Entity: Vendor, employee, customer or intangible

False: Created or assumed Real: Complicit or not complicit

Fraud action statement: Primary & secondary Impact statement: Monetary or non-monetary Fraud conversion statement: How person

committing financial benefits from the fraud action statement


ILLUSTRATION OF A FRAUD RISK STATEMENT

SEE PERSON COMMMITTING

Budget owner acting alone or in collusion with a direct report / cause a shell company to be set up on the vendor master file / process a contract and approves a fake invoice for goods or services not received / causing the diversion of company funds



SEE PERSON COMMITTING

Accounts payable acting alone / cause a shell company to be set up on the vendor master file / process a contract and approves a fake invoice for goods or services not received / causing the diversion of company funds


FRAUD OPPORTUNITY OR PERSON COMMITTING: THE PERSON THE DRILL DOWN PROCESS No internal control Via internal controls: job opportunity

Direct access Indirect access Other access

Internal control inhibitors Non performance internal controls System override features Logical collusion Management override


Exploitation

Circumvention

Avoidance

INTERNAL CONTROLS

Internal Control Inhibitor


FRAUD ENTITY: THE DRILL DOWN PROCESS

Entity is defined as: Employee Customer Vendor Intangible item

There are two types of entities False entity Real entity


FALSE ENTITY: PERMUTATIONS Created by perpetrator

Name only Legally created

Stand alone Embedded with other legal entities

Assumed by perpetrator Exists in accounts payable, changes information Does not exist in accounts payable, causes vendor to be

added to the file Occasional take over of vendor identity Theft of vendor check, false endorsement


REAL ENTITY: PERMUTATIONS

Vendor alone Vendor is complicit with internal source Vendor is complicit with external source Vendor is not complicit Vendor is extorted


FRAUD ACTION STATEMENT

It is the event that is committed by the person committing the scheme

Starts with the primary and secondary category of fraud

Fraud action must be tailored to the primary and secondary categories

Fraud action must be tailored to the specific account Specific accounts may have different transactions


FRAUD ACTION STATEMENT ANOTHER CONSIDERATION: TRANSACTION TYPES

ILLUSTRATION: What is the impact on the fraud action statement

Sales person takes over the identity of a dormant customer with a credit limit

Sales person takes over the identity of a dormant customer with no credit limit


FRAUD SCENARIO: HOW DOES FRAUD OCCUR IN YOUR COMPANY?

Starts with the fraud risk statement Build the fraud scenario Understand the organizations’ business process Understand the internal controls and

vulnerabilities Brain storming Fraud risk assessment Goal: To describe the internal control

vulnerabilities that would allow the fraud scenario to occur!


FRAUD RISK STATEMENT LINKS TO THE AUDIT PROGRAM

Report & Conclusions

Fraud Audit Procedure

Fraud Data Analytics

Internal Controls

Fraud Risk Assessment

Audit Objectives

Audit Scope

Fraud Risk

Statement


HOW DOES THE PERPETRATOR CONCEAL FRAUD?

Each scheme has typical concealment strategies; but how the strategy is implemented varies

Strategies used to hide the truth False documents

False representations False approvals

Control inhibitors Control avoidance

Blocking the flow of information Below the control “radar”


FRAUD SOPHISTICATION CHART DETECTION OF FRAUD

FRAUD DETECTION BAR


SOPHISTICATION OF CONCEALMENT

Level of sophistication of concealment will vary based on perpetrators’ knowledge and/or pressures

Range of sophistication to conceal

X


FRAUD CONCEALMENT MASTER FILE DATA

• Must look at transactions • No match

High Concealment

• Limited linkage between vendor and perpetrator

• Close match Medium

Concealment

• Linkage between vendor and perpetrator

• Exact match

Low Concealment


FRAUD CONCEALMENT ILLUSTRATION USING A BANK ACCOUNT

NUMBER

• Different bank • No match

High Concealment

• Same bank, different account number


Concealment

• Same bank and same account number

• Exact match

Low Concealment


FRAUD CONCEALMENT TRANSACTIONAL FILE DATA

• Relies on auditors professional experience

• No match

High Concealment

• Limited linkage between vendor and perpetrator


Concealment

• Red flags visible to naked eye • Exact match

Low Concealment


AWARENESS OF THE RED FLAGS OF FRAUD


FRAUD RED FLAGS

Condition(s) which: can be observed through the audit process link to the fraud concealment strategy

Associated with: Types of events

Data Documents Controls Behaviors Industry

Sophistication of concealment


RED FLAG PREMISE

•Red flags cause an increased sensitivity to fraud propensity •Not all red flags hold the same weight as to the fraud propensity •Weight of the red flag(s) correlate to the predictability of fraud occurrence


CORRELATION OF CONCEALMENT TO RED FLAG

Perpetrator

How to hide Concealment Create a false

document

Auditor

How to find Red flag What does a false

document look like


FRAUD CONVERSION: HOW THE PERPETRATOR BENEFITS

Conversion of funds to the perpetrator Embezzlement of company funds Theft of company assets Kickbacks from vendor or customer Selling company asset below FMV Disguised third party payments Disguised compensation


FRAUD CONVERSION: THE INVESTIGATION PROCESS


FRAUD CONVERSION: THE INVESTIGATION PROCESS

Person

The Act

The Money


FRAUD RISK MATRIX

See Fraud Risk Matrix: Separate Hand Out


PRACTICAL EXERCISE

Based on a current audit, write a fraud risk statement using the format describe for a ghost employee:

Person committing: Type of entity Fraud action statement Fraud Impact Fraud conversion


GHOST EMPLOYEE FRAUD RISK STATEMENT

Budget owner or payroll function causes a fictitious person to be set up on the employee master file, the budget owner or payroll submits time and attendance records for the fictitious person causing the diversion of funds.

Budget owner or payroll function causes a real non-complicit employee that terminates employment not to be removed from the payroll for a permanent period of time and the budget owner or payroll submits time and attendance records for the terminated employee and either changes the bank account for direct deposit or diverts the paper check causing the diversion of funds.




FRAUD RISK STATEMENT LINKS TO THE AUDIT PROGRAM

Report & Conclusions


Fraud Data Analytics

Internal Controls

Fraud Risk Assessment

Audit Objectives

Audit Scope

Fraud Risk

Statement


NECESSARY SKILLS

Auditing: Fraud Investigation: Fraud

What is the difference between auditing for fraud and

investigation fraud?


COMPARISON OF APPROACHES

Control Test Evidence of

Fraud Test Authenticity of

Investigation Legal


COMPARISON OF APPROACHES (CONTINUED)

Investigation

Control Test

Fraud Test

Internal control Audit No fraud

known

Refute or corroborate Legal Alleged

fraud

Uncover fraud Audit No fraud

alleged


COMPARISON OF APPROACHES (CONTINUED)

Investigation

Control Test

Fraud Test

Test controls

Random and non biased

Built around

allegation None

Authenticity procedure

Focused and biased



Budget owner acting alone or in collusion with a direct report / cause a shell company to be set up on the vendor master file / process a contract and approves a fake invoice for goods or services not received / causing the diversion of company funds


HOW THE FRAUD SCENARIO DRIVES THE AUDIT PROGRAM

Cause a shell company to be set up on the vendor master file

Process a contract and approves a fake invoice for goods or services not received

Two aspects Sample Selection Audit Test


INTEGRATING FRAUD INTO THE AUDIT PROGRAM

1: Respond to fraud when control assessment suggests 2: Test controls be aware to red flags 3: Integrate fraud audit procedures into internal audit of internal controls 4: Perform fraud audit


INTEGRATING FRAUD INTO THE AUDIT PROGRAM THE SAMPLE SELECTION Test control / Red

Flag Fraud Audit

Procedure Fraud Audit

Random or Judgment Random or Judgment Fraud Data

Analytics, sample is focused and biased


SAMPLE SELECTION: USING FRAUD DATA ANALYTICS

Scenario

Strategy

Concealment Entity Transaction

Plan


ILLUSTRATION OF FRAUD TESTING

RED FLAG

INTEGRATE

Invoice Number

FRAUD AUDIT


RESPONSE TO THE RED FLAGS: CREATED VENDOR INVOICE

False document: vendor invoice

No telephone # No website Small business

software Vague description(s) Invoice number

CONCEALMENT RED FLAG


AUDIT PROCEDURE DESIGN TO DETECT FRAUD

Must be designed for the specific fraud

scenario

Correlation between evidence considered and fraud detection

Must consider the concealment strategies

corresponding to the specific fraud scenario

Design audit approach based on the mechanics

of the fraud scenario and concealment

strategy


Discussion Point: Why does the audit procedure need to be specific to the scenario and consider the concealment?


FRAUD AUDIT PROCEDURE

Telephone number Web site Invoice number Line item description

Call the number Review web site Review A/P payment

history Line item description

Missing numeric or Alpha

Line item string Description

consistent with web search


FRAUD AUDIT

The full Monty Sample is based on fraud data analytics Sample is biased and focused solely on the fraud risk

statement Testing is a fraud audit procedure




PRACTICAL EXAMPLE

Based on the fraud risk statement written for your ghost employee fraud risk statement, what would be the red flags that you could incorporate into your audit program?

Based on the fraud risk statement what would be your fraud audit procedure.



Budget owner or payroll function / causes a fictitious person to be set up on the employee master file / the budget owner or payroll submits time and attendance records for the fictitious person / causing the diversion of funds


THANK YOU

“That is all Folks” Source Pork Pig and Warner Brothers