8/29/2016
DRAFT FOR DISCUSSION 1
Red flags…… Now what?
Mohammad Shehab, Andrew Cartwright
[email protected] [email protected] http://www.aub.edu.lb/safereporting
Red flags…… Now what?
• Most employees do not know what to do when they identify red flags, even when the latter are highly correlated with fraud.
• Management jumps to conclusions when detecting red flags and takes uncalculated actions that might aggravate the situation instead of solving the problems encountered.
• This session provides better practices to respond to identified red flags, to help businesses in detecting possible frauds and drafting reasonable remedial action plans.
Red flags…… Now what?
1. A quick overview
2. Definitions, theory
3. Questions of Principle – Better Practices
   • Fraud Risk Management
   • Fraud Risk Assessment
   • Fraud Prevention
   • Fraud Detection
   • Reporting allegations, Assessment, Investigation
4. Some examples
Overview
“The variation is always in the system. A bad system will beat a good person… every time.”
William Edwards Deming
Overview
• Red flags do not mean fraud
• Be proactive and know your business
• Always follow up – analyse, observe, enquire
• Red flags can identify areas for improvement
• What is the economic substance? Does value leave the company? How?
• The difference between canny business practices and unethical behavior can seem arbitrary to the uninformed
Overview
• Government, Publicly traded, Private, Private Not-For-Profit
• Laws, rulings, regulations, policies, procedures, contracts, standards, guidelines, better practices
• Country, sector, business opportunity, delivery channel, lines of business, business processes, product, service, supply chain, transaction, local, remote, manual, electronic, accounting systems, function, employee, customer, supplier, stakeholder, organizational culture, reputation
• The complex weave of people, activities, things, location, time and organization
Overview – Transparency International (TI)
[Figure: 2015 data and graphs overlaid on the 2014 webtool]
Lying, Cheating, Stealing, Waste & Abuse
Is it time to update our occupational fraud tree? Or…? (Managing Bus Risk Fraud p 27)
What are the main assets of Google, Oracle, Microsoft, …? If an employee took data from an IT company, how best to classify the conversion? Corruption or Misappropriation? Both?
• Intangible Assets
• Intellectual Property
• Misuse of Data
• Theft
Definitions and theory – Cressey’s hypothesis
• Perceived non-shareable financial need
• Important to solve it in secret to maintain status
• General and technical circumstances
• V
• What makes it acceptable for the perpetrator?
• Making the fraud triangle….
[Figure: the fraud triangle – Pressure, Perceived Opportunity, Rationalization]
Definitions and theory – Red flags and risk
What’s a Red Flag?
• Situational pressures and opportunity (p.1.205)
• (Cressey’s works in sociology and psychology)
Fraud Risk
• Vulnerability faced when an individual combines all three elements (p.4.701)
Fraud Risk Factors
• Classified by 3 conditions (AU §316.85 – SAS 99 and SAS 113)
Definition and examples – Opportunity
• The opportunity to commit fraud arises when employees have access to assets, including information, that allows them to both commit and conceal.
• Weak or non-functioning internal controls
• Poor management supervision, review and approval
• Misuse/abuse of one’s position and authority
• Collusion
Consider the opportunities!
• What is your business? How big is it?
• In what locations do you operate?
• In what operations could a fraud occur?
• What type of fraud is likely in the area?
• What would the fraud look like?
• What would it look like in the books and records?
• When could the fraud occur?
• Report to the Nation CAN HELP
ACFE Report to the Nation 2016
Overview – How mature is your environment?
Internal Auditing and Fraud, IPPF Practice Guide, p. 19
[Figure: Maturity Model (adapted from CMM model), scale 0–100: Level 1 – Initial (Chaotic); Level 2 – Repeatable; Level 3 – Defined; Level 4 – Managed; Level 5 – Optimizing]
Questions of Principle – Better Practices
Principle 1: Do you have a fraud risk management program?
Principle 2: Do you assess fraud risk exposure periodically?
Principle 3: Have you established fraud prevention techniques?
Principle 4: Have you established fraud detection techniques?
Principle 5: Do you have a reporting process and a coordinated approach to investigation?
Red flags – Now What? 1. Fraud Risk Management
• Roles and responsibilities
• Policies
• Quality assurance
• Monitoring and review
• Code of ethical conduct
• Risk appetite / risk management
• Conflict disclosure
• Safe-reporting / whistle-blower
• Fraud policy
• Suspicious transactions
• Fraud response
Do you have a culture of compliance?
Red flags – Now What? 2. Fraud Risk Assessment
• What are your processes?
• What weaknesses exist?
• How might the weaknesses be exploited?
• How can controls be overridden / exploited?
• How can the exploit be concealed?
For example – Sales / Revenue
Red flags – Now What? 2. Fraud Risk Assessment - Revenue
• Sales trends out of line with industry
• Sales exactly meet budget or expectations
• Sales on tax return differ from sales reported in financial statements
• Mis-match between revenues and proportionate taxes
• Excessive returns after period end
• Side agreements identified in confirmations
• Missing documentation
• Unusual increase in the number of days sales in receivables
• Customer invoice shows extended payment terms or unusual return allowances
Red flags – Now What? 2. Fraud Risk Assessment - Revenue
Fraud risk assessment template – columns: Identified fraud risks and schemes | Likelihood | Significance | People and/or department | Existing anti-fraud controls | Controls effectiveness assessment | Residual risks | Fraud risk response
Identified fraud risks and schemes:
Financial reporting – Revenue recognition
- Backdating agreements
- Channel stuffing
- Inducing distributors to accept more product than necessary
- Holding books open
- Via recording detail transactions in a sub-ledger
- Via recording top-side journal entries
- Additional revenue risks
Management estimates
- Self insurance
- Altering underlying detail claims and estimate data
- Fraudulently changing underlying assumptions in estimation of liability
- Allowance for bad debts
- Altering underlying A/R aging to manipulate computation
- Fraudulent input from sales persons or credit department on credit quality
- Additional estimates
Disclosures
- Footnotes
- Additional disclosures
Red flags – Now What? 2. Fraud Risk Assessment - Revenue
Identified fraud risks and schemes | Likelihood | Significance | People and/or department | Existing anti-fraud controls | Controls effectiveness assessment | Residual risks | Fraud risk response
Financial reporting – Revenue recognition: Backdating agreements | Reasonably possible | Material | Sales personnel | Controlled contract administration system | Tested by IA | N/A | Periodic testing by IA
Channel stuffing | Remote | Insignificant | N/A | N/A | N/A | N/A | N/A
Holding books open | Reasonably possible | Material | Accounting | Standard monthly close process; reconciliation of invoice register to general ledger; established procedures for shipping, invoicing, and revenue recognition; established process for consolidation | Tested by IA; tested by management; tested by IA; tested by IA | Risk of management override | Testing of late journal entries; cut-off testing by IA
Late shipments | Reasonably possible | Significant | Shipping dept. | Integrated shipping system, linked to invoicing and sales register; daily reconciliation of shipping log to invoice register; required management approval of manual invoices | Tested by IA; tested by management; tested by IA | Risk of management override | Cut-off testing by IA
Side letters / agreements | Probable | Material | Sales personnel | Annual training of sales and finance personnel on revenue recognition practices; quarterly signed attestation of sales personnel concerning extra-contractual agreements; internal audit confirming with customers that there are no other agreements, written or oral, that would modify the terms of the written agreement | Tested by management; tested by management | Risk of override | Disaggregated analysis of sales, sales returns, and adjustments by salesperson
Inappropriate journal entries | Reasonably possible | Material | Accounting & Finance | Established process for consolidation; established, systematic access controls to the general ledger; standard monthly and quarterly journal entry log maintained, review process in place for standard entries, and nonstandard entries subject to two levels of review | Tested by IA; tested by IA; tested by management | Risk of override; N/A; N/A | Data mining of journal entry population by IA for: unusual Dr/Cr combinations; late entries to accounts subject to estimation
Red flags – Now What? 3. Fraud Prevention
• Tone at the top
• Culture of compliance
• Awareness
• Planning / organization
• HR hiring and evaluation procedures
• Physical / Logical Safeguards
• 3 Lines of Defense
• Authority limits
• Transaction Controls
• Adequate Review and Supervision
• Timely, reliable, faithful, complete and accurate reporting
Do you have effective controls?
Red flags – Now What? Principle 4. Fraud Detection
• Regular part of business
• Use external & internal information
• Formally and automatically communicate to appropriate leadership
• Use results to improve controls
• Take time to think about what you see
Red flags – Now What? Principle 5. Reporting / Investigation
• A review / investigation is a project
• Do you have a plan that is clear about
  • Scope and objectives
  • Resources
  • Time
  • Quality
  • Risk
  • Your protocol
• Begin with the end in mind
How does the value leave the company?
[Diagram of owners, assets, threats, individuals and/or events, weaknesses, mitigations and risk. Reading the labelled arrows: Owners value assets and wish to minimize risk to them; owners require mitigations to reduce risk; individuals and/or events give rise to threats that wish to use/abuse and/or may harm assets; threats exploit weaknesses, leading to risk; assets may have weaknesses that increase risk and that may be reduced by mitigations; owners may be aware of weaknesses.]
Red flags – Now What? Principle 5. Reporting / Investigation
[Flowchart of the allegation-handling process. Sources: Safe Reports, Management Review, Internal Audit, Internal Controls, Accident, Other → Allegation → Categorize. Stages and the activities shown under them: Initial Assessment (Evaluation / Verification, Observation / Analysis, IT Forensics, Objective Setting, Initial Interviews, Notification, Evidence Preservation, Document & Data Collection, Stop Loss); Investigation (Interviews / Profiling, Document & Data Analysis); Reporting (Background & Assumptions, Opinion / Conclusions & Recommendations, Information and Document Summary, Findings, Request for Necessary Documents, Exhibits, Quality Review); Remediation (Administrative Resolution, Civil Restitution, Criminal Prosecution, External Reporting, Implement Control Improvements).]
Red flags – Now What? Principle 5. Reporting / Investigation
• Remember that an error is just an error
• Be sceptical
• Always follow up
[Cycle diagram: Observe, Enquire, Analyse, Discuss, Evaluate, Validate & Report]
Red flags – Now What? Principle 5. Reporting / Investigation
• Appreciate the system
• Access data, understand flows
• Understand the variation
• Stratify with a focus on the unusual
• Systemic, outliers, errors, …. fraud?
• Documentation irregularities?
Red flags – Now What? Principle 5. Reporting / Investigation
For example – Accounting Systems
• Revenues, receivables, receipts
• Purchases, payables, payments
• Inventory, conversion, cost of goods sold
• Personnel, payroll
Red flags – Now What? Principle 5. Reporting / Investigation
Interviews – People
• Assume people are trustworthy – develop a rapport and sensitivity to lying
• Be conversational
• Be persistent and non-confrontational
• Remember, you can learn a lot, just by listening
Red flags – Now What? Principle 5. Reporting / Investigation
Matching
• People
• Activities
• Things
• Location
• Time
• Organization (structures)
Your goal is to reveal the true economic substance of the transactions
Procurement
Case # 1: A Nurse or a Thief ???
Over Billing
The Allegations
• Plausible scenario: lack of segregation of duties
• Preliminary Review – analysis and enquiry: inventory count; tracing to medical reports; reconciliation receiving vs. billing
• Results: results did not support the allegations. What’s wrong? Other hypothesis?
Over Billing
• Barcode Reader
• Windows switch user
• Multiple Billing sessions
Comparison
Lessons Learned
• Fraud Policies and procedures
• Presumption of innocence
• No Department should investigate itself
• Safe Reporting
Case # 2 & 3: Social Media & Fraud
Larceny
Lessons Learned
• Understand the process in question.
• CCTV in critical areas - installation and data storage.
• Database should store passwords Encrypted.
• Encrypted answers to security questions
• Use different passwords for different systems
• Disable administrative passwords used by former employees.
• Enable and validate activity logs.
Misuse of Data / Larceny
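As an added example (not part of the presentation), here is how the two lessons about stored passwords and security-question answers are normally implemented: the database keeps a salted, slow hash (PBKDF2 from the Python standard library here) rather than the plaintext, so a copied table does not yield the secrets, and answers are normalised before hashing because users type them inconsistently. The iteration count, record format and function names are this example's own assumptions.

```python
import hashlib
import hmac
import os

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000   # assumed work factor; raise it as hardware gets faster


def normalize_answer(answer: str) -> str:
    """Security-question answers are free text, so collapse case and whitespace
    before hashing; otherwise '  Fluffy ' and 'fluffy' would never match."""
    return " ".join(answer.casefold().split())


def _derive(secret: str, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256 over the UTF-8 secret with a per-record salt."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, iterations)


def make_record(secret: str, *, is_answer: bool = False) -> str:
    """Build the value to store: algorithm, work factor, per-record salt and digest.
    The plaintext never reaches the database, and two users with the same secret
    get different records because each gets its own random salt."""
    value = normalize_answer(secret) if is_answer else secret
    salt = os.urandom(16)
    digest = _derive(value, salt, ITERATIONS)
    return f"{ALGORITHM}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify(candidate: str, record: str, *, is_answer: bool = False) -> bool:
    """Recompute the digest with the stored salt and work factor, then compare in
    constant time so response timing does not leak how many bytes matched."""
    algorithm, iterations, salt_hex, digest_hex = record.split("$")
    if algorithm != ALGORITHM:
        return False
    value = normalize_answer(candidate) if is_answer else candidate
    digest = _derive(value, bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    pw = make_record("correct horse battery staple")
    qa = make_record("  Fluffy  ", is_answer=True)
    print(pw)
    print(verify("correct horse battery staple", pw), verify("wrong", pw))
    print(verify("fluffy", qa, is_answer=True))
```

The stored record carries its own algorithm and iteration count, so the work factor can be raised later and old records re-hashed at the user's next successful login without a flag day.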
Case # 4: Privacy & Emails
Is Business email Private?
Some Questions to consider
1. Does email constitute an official university record? Or,
2. Is it personal information? What, if any, privacy principles or rules apply?
3. What has the company officially said about email?
4. If email forms an official record, can anyone other than the user ever access the email?
   – Precedents?
   – What circumstances may apply? Continuity of service, Security, Audit, Legal, Other?
Some Questions to consider
5. If anyone other than the user has access to email, who may, and under what circumstances/methods?
   – Supervisors? – President? – Legal Counsel? – System Administrators? – Internal Audit? – External agencies?
6. What are the relevant policies?
7. What is a reasonable protocol?
   – For access to current email (i.e. today’s email boxes)
   – For access to historical backups (encrypted whole database files)
Some Questions to consider
– What are the grounds for believing the things to be searched for exist?
– What are the grounds for saying that the things to be searched for are at the place to be searched?
– What are the grounds for saying
  a) the offence has been committed as described, or that
  b) the operation requires the information, or that
  c) an emergency exists the resolution for which may lie within?
– How will the things to be searched for afford evidence of the commission of the offence alleged?
– What are the grounds for saying that the place to be searched is at the location identified?
Some Questions to consider
• The decision maker should be satisfied:
  – that an offence has been committed or is suspected of being committed;
  – that the location of the search is specific (a building, receptacle, place, record);
  – that the item sought will provide evidence of the commission of the offence or that the possession thereof is an offence of itself;
  – that the grounds stated are current so as to lend credence to the reasonable and probable grounds;
  – that there is a nexus between the various considerations set out.
• What factual grounds exist to support the conclusion?
Quaternary Privacy-Levels Preservation in Computer Forensics Investigation Process, 6th International Conference on Internet Technology and Secured Transactions – 2011
Halboob, Abulaish, Alghathbar
TABLE 2. INVESTIGATION STEPS NEEDED FOR THE ENFORCEMENT OF QUATERNARY PRIVACY LEVELS
Main investigation steps / Investigation sub-steps / Level-0 Level-1 Level-2 Level-3
Investigation Planning and Preparing:
  Awareness x x x x
  Search warrant x x x x
  Authorization x x
  Identification of tools/equipment x x x x
  Chain of custody x x x x
  Securing crime scene x x x x
Digital Evidence Collection:
  Normal selection x x
  Selective Collection optional optional x x
Digital Evidence Preservation:
  Evidence authenticity x x x x
  Access control optional x optional x
  Audit trail optional x optional x
Digital Evidence Analysis:
  Normal analysis x x
  Effective and efficient analysis optional optional x x
Digital Evidence Presentation:
  Reporting x x x x
  Evidence presentation x x x x
  Recommendation x x x x
  Case closure x x x x
Lessons Learned – Privacy
• Balance privacy, confidentiality, anonymity, timeliness, reliability
• Privacy Policy on Electronic Communication and Files
• Clear Authority for investigations
• Appropriate tools to investigate and search
• Preserving electronic evidence
Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations, July 2009, www.justice.gov
Other thoughts
• Accept that data loss will occur
• Understand greatest areas of weakness
• Focus on prevention rather than response
• Policies, procedures, authorities and roles
• Culture of compliance
• Clear communication on a need to know basis
• Trust is not a control
• No department should investigate itself
Privacy
Case #5 - Cash Register and Credit Card Fraud - A Safe Report
In Canada –
• Some refunds were made by a store manager that didn’t make sense
Initial Assessment?
• Let’s have a look at the sales journal
Cash Register Fraud – Red Flags
Red Flag #1
• Specific customers with several same day equal value deposit / refund transactions
Credit card report?
Red Flag #2
• Refund credit card different from deposit credit card
Misappropriation
Credit Card Fraud – Investigation
Is it systematic? Deliberate? Intentional?
Obtain supporting documents
• monthly sales invoices and refunds with original credit card transaction tapes attached
• all transactions from our credit card provider
Misappropriation
Credit Card Fraud – Investigation
Obtain supporting documents
• deposits and refunds on our credit cards
• corporate purchasing card transactions
• an expense claim from several years before
Interview strategy
• Outside in – Senior manager, one employee
Misappropriation
Credit Card Fraud – Findings
• 22 phantom customers
• 207 transactions, $133,123.54
• Charged to a corporate purchasing card
• Refunded to a personal credit card
http://www.oakbaynews.com/news/119857939.html
Misappropriation
Lessons Learned
• Trust is not a control
• Segregation of duties
• Avoid giving corporate credit cards to personnel responsible for revenue systems
• Match transactions across systems
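As an added worked example (not from the presentation), the two red flags from the cash register case and the "match transactions across systems" lesson are written below as checks that run over a sales journal and a card-provider statement. Every customer id, card label and amount is constructed for the example, the provider statement being keyed by the register's own transaction reference is an assumption, and the output is a list of items to follow up, not evidence of fraud.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Txn:
    """One sales-journal line. Amounts are in cents so equality checks are exact."""
    txn_id: str
    day: date
    customer: str
    kind: str          # "deposit" or "refund"
    amount_cents: int
    card: str          # masked card label (constructed, not a real card number)


# Constructed sales journal. C-2002 shows the pattern from the case: the deposit is
# charged to a corporate card and an equal refund goes to a personal card, same day.
SALES_JOURNAL = [
    Txn("T-01", date(2016, 3, 1), "C-1001", "deposit", 5000, "cust-****4321"),
    Txn("T-02", date(2016, 3, 2), "C-2002", "deposit", 12500, "corp-****1234"),
    Txn("T-03", date(2016, 3, 2), "C-2002", "refund", 12500, "pers-****9876"),
    Txn("T-04", date(2016, 3, 3), "C-3003", "deposit", 3000, "cust-****5555"),
    Txn("T-05", date(2016, 3, 4), "C-4004", "deposit", 8000, "cust-****7777"),
    Txn("T-06", date(2016, 3, 4), "C-4004", "refund", 8000, "cust-****7777"),
    Txn("T-07", date(2016, 3, 9), "C-2002", "deposit", 12500, "corp-****1234"),
    Txn("T-08", date(2016, 3, 9), "C-2002", "refund", 12500, "pers-****9876"),
    Txn("T-09", date(2016, 3, 10), "C-3003", "refund", 3000, "cust-****5555"),
    Txn("T-10", date(2016, 3, 16), "C-2002", "deposit", 12500, "corp-****1234"),
    Txn("T-11", date(2016, 3, 16), "C-2002", "refund", 12500, "pers-****9876"),
]

# Constructed card-provider statement, keyed by the journal reference the register
# sends with each authorisation (assumed format): {reference: (amount_cents, card)}.
PROVIDER_REPORT = {
    "T-01": (5000, "cust-****4321"),
    "T-02": (12500, "corp-****1234"),
    "T-03": (12500, "pers-****9876"),
    "T-04": (3000, "cust-****5555"),
    "T-05": (8000, "cust-****7777"),
    # T-06 is absent on purpose: keyed into the register but never sent to the provider.
    "T-07": (12500, "corp-****1234"),
    "T-08": (12500, "pers-****9876"),
    "T-09": (3000, "cust-****5555"),
    "T-10": (12500, "corp-****1234"),
    "T-11": (12500, "pers-****9876"),
    "P-99": (4000, "pers-****9876"),   # provider-side refund with no journal line at all
}


def same_day_equal_value_pairs(journal, min_pairs=2):
    """Red flag #1: customers with several same-day deposit/refund pairs of equal value.

    Returns {customer: [(deposit_id, refund_id), ...]} for customers with >= min_pairs.
    A single pair is an ordinary same-day return; repetition is what makes it a flag.
    """
    sides = defaultdict(lambda: {"deposit": [], "refund": []})
    for t in journal:
        sides[(t.customer, t.day, t.amount_cents)][t.kind].append(t.txn_id)
    pairs = defaultdict(list)
    for (customer, _day, _amount), s in sides.items():
        pairs[customer].extend(zip(s["deposit"], s["refund"]))  # pair deposits 1:1 with refunds
    return {c: p for c, p in pairs.items() if len(p) >= min_pairs}


def refunds_to_different_card(journal):
    """Red flag #2: refunds credited to a card the same customer never deposited with."""
    deposit_cards = defaultdict(set)
    for t in journal:
        if t.kind == "deposit":
            deposit_cards[t.customer].add(t.card)
    return [t.txn_id for t in journal
            if t.kind == "refund" and t.card not in deposit_cards[t.customer]]


def reconcile_with_provider(journal, provider):
    """Match transactions across systems: each journal line should appear on the provider
    statement with the same amount and card, and every provider line should be in the journal."""
    by_id = {t.txn_id: t for t in journal}
    result = {"missing_from_provider": [], "missing_from_journal": [], "field_mismatch": []}
    for txn_id, t in by_id.items():
        if txn_id not in provider:
            result["missing_from_provider"].append(txn_id)
        elif provider[txn_id] != (t.amount_cents, t.card):
            result["field_mismatch"].append(txn_id)
    result["missing_from_journal"] = [ref for ref in provider if ref not in by_id]
    return result


def run_checks(journal=SALES_JOURNAL, provider=PROVIDER_REPORT):
    """Run all three checks and return the items to follow up (not proof of fraud)."""
    return {
        "red_flag_1_same_day_pairs": same_day_equal_value_pairs(journal),
        "red_flag_2_card_mismatch": refunds_to_different_card(journal),
        "cross_system_reconciliation": reconcile_with_provider(journal, provider),
    }


if __name__ == "__main__":
    for name, finding in run_checks().items():
        print(f"{name}: {finding}")
```

On the constructed data only C-2002 trips both red flags, the legitimate return by C-3003 (different day, same card) trips neither, and the reconciliation surfaces one register refund the provider never saw and one provider refund with no register entry, which are the kinds of gaps that only appear when the two systems are matched against each other.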
Red Flags – Now What? Summary
• Red flags are NOT evidence that fraud is actually occurring.
• Effective Internal Control limits fraud
• Make sure people know to report
• Be proactive and know your business
• Always follow up - analyze, observe, enquire
Questions of Principle – Better Practices
Principle 1: Fraud Risk Management
Principle 2: Assess Fraud Risk Exposure
Principle 3: Establish Fraud Prevention Techniques
Principle 4: Establish Fraud Detection Techniques
Principle 5: Safe Reporting process; Defined Approach to Investigation
Red Flags – Now What? Next Steps
• Build on what you have
• Build partnerships – share knowledge
• Proceed step by step, project by project
• Be skeptical and diligent
• Be non-confrontational
Red Flags
“At the top, one works on the right problems with the wrong information. At the bottom, one works with the right information on the wrong problems.”
Arnold J. Meltsner
So Now What?
? Andrew Cartwright, Mohammad Shehab
[email protected] [email protected]
http://www.aub.edu.lb/safereporting
Useful References
Red Flags of Fraud http://www.osc.state.ny.us/localgov/pubs/red_flags_fraud.pdf
Investigation of failure to uncover Madoff http://www.sec.gov/spotlight/secpostmadoffreforms/oig-509-exec-summary.pdf
The World's Largest Hedge Fund is a Fraud http://www.jdsupra.com/post/fileServer.aspx?fName=54539da2-994e-43b5-b271-19fbb7e723e3.pdf
Fraud Prevention Check Up http://www.acfe.com/fraud-prevention-checkup.aspx
ACFE Report to the Nation 2014 - Victim Organizations http://www.acfe.com/rttn-victim-organizations.aspx
ACFE Report to the Nation 2014 - Detection methods http://www.acfe.com/rttn-detection.aspx
Useful References
Managing the Business Risk of Fraud - Executive Summary http://www.theiia.org/media/files/fraud-white-paper/Fraud%20Exec%20Summary.pdf
Managing the Business Risk of Fraud https://www.acfe.com/uploadedFiles/ACFE_Website/Content/documents/managing-business-risk.pdf
Android Malware Hummingbad http://www.dailydot.com/debug/hummingbad-malware-infects-85-million-android-device-makes-300000-per-month/
IIA - Internal Auditing and Fraud - MEMBERS https://na.theiia.org/standards-guidance/Member%20Documents/Fraud_PG_FINAL__12-09-2009_.pdf
IIA - Auditing Anti-bribery and Anti-corruption Programs - MEMBERS https://na.theiia.org/standards-guidance/Member%20Documents/PG-Auditing-Anti-bribery-and-Anti-corruption-Programs.pdf
IIA - GTAG - Fraud Prevention and Detection in an Automated World - MEMBERS https://na.theiia.org/standards-guidance/Member%20Documents/GTAG_13_12_2009.pdf
Dilemmas in the General Theory of Planning http://www.uctc.net/mwebber/Rittel+Webber+Dilemmas+General_Theory_of_Planning.pdf
Behavioural Red Flags Displayed by Perpetrators (ACFE Report to the Nation 2014)
Living Beyond Means – 44%
Financial Difficulties – 33%
Unusually Close Association with Vendor / Customer – 22%
Control Issues, Unwillingness to Share Duties – 21%
“Wheeler-Dealer” Attitude – 18%
Divorce / Family Problems – 17%
Irritability, Suspiciousness, or Defensiveness – 15%
Addiction Problems – 12%
Complained About Inadequate Pay – 9%
Past Employment-Related Problems – 9%
Refusal to Take Vacations – 9%
Excessive Pressure from Within Organization – 8%
Social Isolation – 7%
Complained About Lack of Authority – 7%
Excessive Family / Peer Pressure for Success – 6%
Instability in Life Circumstances – 6%
Past Legal Problems – 6%