1. 3/19/2009ACFE Regent Emeritus Tommy SeahpresentsFraud Risk ManagementA Paradigm Shift20091 .. financial institutionsmust have in place, all thenecessary measures to deter orprevent fraud and constantlyreview all its controls andmeasures and also have in placea f d management function tfraud tf ti toprevent loopholes that fraudsters can exploit. who said that ? 2 march 05, 2009 at Shangri-Lahotel and the guest of honour was Ms Teo Swee Lian, DeputyManaging Di t MASMi Director, MAS. 31

2. 3/19/2009 Why is Internal Control Important? Financial Reporting Promotes integrity of data used in making business decisions Assists in fraud prevention and detection through the creation of an auditable trail of evidence Operations Promotes efficiency and effectiveness of operations through standardized Laws and Regulations processes Ensures the safeguarding of Helps maintain compliance assets through control with laws and regulationsthrough periodic monitoring activities4Limitations of Internal Control Errors may arise from misunderstandings of instructions, mistakes of judgment, fatigue, etc. Controls that depend on the segregation of duties may be circumvented by collusion Management may override the structure Compliance may deteriorate over time The Existing model Financial ControlThe Fraud ExaminerThe Certified System Investigator CFECSI Compliance TheRisk ManagementCPA,LLB, CSI Trinity CPA,CFA CSIof Controls Internal AuditCPA(CIA) CSI, CISA 62 3. 3/19/2009The Spectrum of Risk www.cfe-in-practice.net Liquidity RiskBACOperational Credit Risk Risk What is Risk ?D EReputationalMarket Risk Risk 7 www.cfe-in-practice.net External Audit Internal audit (COSO + COBIT+ ISO Forensic auditInvestigative auditing (Specific, Post event)( suspicious, unusual activities, allegations) Eg. NKF, CAOE.g.. Money Laundering penetration Test 8 Fraud Control Principle F dC t lP i i l3 4. 3/19/2009 If an organisation accepts that it is exposed to fraud and no organisation is immune to fraud the next step is to apportion responsibility for fraud risk management.Copyright (c)2006www.cfe-in-practice.net 10 The Paradigm ShiftFinancialControl The Fraud ExaminerThe CertifiedThe CPASystem Investigator CFE CSIRiskComplianceManagement CPA,LLB, CSI CPA,CFA CSI S.T.A.RStrategic Tracking and Resolution InvestigationFRM Unit Internal AuditUnit CPA(CIA) CSI,CISA 11WHY is there a need for the paradigm shift ? Historically, the management of fraud riskdoes not lie with any oneparticular department or practitioner.Copyright (c)2006www.cfe-in-practice.net 12 4 5. 3/19/2009 It can be handled internally or be outsourced, and how it is handled is affected by many variables such as organizational size, industry sector, geographical location, cultural dynamics - and management perception of the problem.Copyright (c)2006 www.cfe-in-practice.net 13 Regardless of these variables, any fraud prevention and control model should aim to achieve one, or all, of the five primary objectives:Copyright (c)2006 www.cfe-in-practice.net 14 The five primary objectives: _ Prevention _ Deterrence _ Disruption _ Identification _ Civil action/criminal prosecutionCopyright (c)2006 www.cfe-in-practice.net 15 5 6. 3/19/2009The Fraud Triangle.Fraud RiskFraud Risk ManagementManagement Perceived OpportunityAuditors DomainWho Commits Fraud? What type of individual commits FRAUD?It is not limited to any one type of person.www.cfe-in-practice.org Married Active religious members Children Good education First-time offenders Good employees Dont abuse alcohol6 7. 3/19/2009 Optimistic High self-esteem Achieving Family harmony Socially conforming Self control Kind Sympathetic Conclusion: Fraud Perpetrators Look Exactly Like Us!Who Commits Fraud? While people who commit rape, murder, bank robbery and otherproperty offenses have distinguishing characteristics, fraudperpetrators look more like more citizens than criminals! Bank Robbers Normal CitizensFraud Perpetrators Sample Sample S l Sample S l Major DifferencesNo Significant Differences The Red Flags of fraud www.cfe-in-practice.net Given the right circumstances, circumstances,Alcohol Gambling almost everyone can rationalize that it is OK toProfile of A Person commit fraud..TextWho Commits Fraud Drugs Sex217 8. 3/19/2009 1 STEP 1: EVALUATE THE ORGANIZATION'S FRAUD RISK FACTORSTo identify which factors increase the risk for fraud within an organization, examiners should analyze industry and business operations hold discussions with managementoperations, management, review previous frauds committed against or on behalf of the company, review company performance, and evaluate similar frauds that occurred at competitors' organizations. 7 STEP 2: IDENTIFY POSSIBLE FRAUD SCHEMESThe ability to identify specific schemes resulting from fraud risk factors depends on the examiner's knowledge of this area. F d specialists, i l diFraud i liincluding i di id l with certifiedindividuals i hifi d fraud examiner (CFE) designations and Certified Systems Investigator (CSI) are ideal for this step of the process, as they possess specialized knowledge of fraud detection and investigation.88 9. 3/19/2009 STEP3: PRIORITIZE IDENTIFIED FRAUD RISKSFraud is not just an ordinary risk, but also an inherent and significant one. Once the fraud schemes database is populated, management and internal auditing should identify the frauds that pose the greatest risk for the organization.9 Examiners should consider the following factors when prioritizing fraud risks:Financial impact to the organization. Reputation risk of negative publicity associated with fraud. Loss of productivity. Potential criminal/civil actions taken against theorganization. (Such as Data Breach EU95/46 on PII) Loss of company assets.11 STEP 4: EVALUATE MITIGATING CONTROLSInternal s Auditors with CFE qualifications are well- positioned to review and counsel on the existence and operational effectiveness of internal controls. In p step four, the examiner/auditor should evaluate the high-priority frauds and determine if the necessary controls are in place to reduce the risk of occurrence. This step takes time, as the auditor should attempt to identify more than one control for each fraud scheme.129 10. 3/19/2009 www.cfe-in-practice.net Determination by Determination by Area Scheme 28 Fraud Consideration at all stages of engagementPerform Pre-EngagementPROFESSIONAL SKEPTICISIMActivitiesGATHER AN ASEESSMENTATION FRAUD RISKS Perform Preliminary PlanningNDDOCUMDevelop Audit PlanPerform Audit Plan Conclude & Report Fraud Risk Factors&Risk of Fraud10 11. 3/19/2009Questions? CFE-In-Practice www.cfe-in-practice.net Tommy Seah Managing Partner CFE-In-Practice www.cfe-in-practice.com phone +65 65171900 www.cfe-in-practice.net 32 11