Continuous Controls Monitoring: Putting Controls in Place is Not Enough

Special Guest Presenter: Chris Doxey, CAPP, CCSA, CICA

September 11, 2013

Copyright © 2013 FraudResourceNet™ LLC


DESCRIPTION

Webinar series from FraudResourceNet LLC on Preventing and Detecting Fraud Using Data Analytics. Recordings of these Webinars are available for purchase from our website, fraudresourcenet.com. This Webinar focused on fraud detection using data analytic software (Excel, ACL, IDEA). FraudResourceNet (FRN) is the only searchable portal of practical, expert fraud prevention, detection and audit information on the Web. FRN combines the high quality, authoritative anti-fraud and audit content from the leading providers, AuditNet® LLC and White-Collar Crime 101 LLC/FraudAware. The two entities designed FRN as the “go-to”, easy-to-use source of “how-to” fraud prevention, detection, audit and investigation templates, guidelines, policies, training programs (recorded, without CPE, and live, with CPE) and articles from leading subject matter experts. FRN is a continuously expanding and improving resource, offering auditors, fraud examiners, controllers, investigators and accountants a content-rich source of cutting-edge anti-fraud tools and techniques they will want to refer to again and again.



About Peter Goldmann, MSc., CFE

President and Founder of White Collar Crime 101

Publisher of White-Collar Crime Fighter

Developer of FraudAware® Anti-Fraud Training

Monthly Columnist, The Fraud Examiner, ACFE Newsletter

Member of Editorial Advisory Board, ACFE

Author of “Fraud in the Markets”

Explains how fraud fueled the financial crisis.



About Jim Kaplan, MSc, CIA, CFE

President and Founder of AuditNet®, the global resource for auditors

Auditor, Web Site Guru, Internet for Auditors Pioneer

Recipient of the IIA’s 2007 Bradford Cadmus Memorial Award.

Author of “The Auditor’s Guide to Internet Resources” 2nd Edition



Chris Doxey, CAPP, CCSA, CICA

Chris has held senior finance and controller positions at Digital Equipment Corporation, Compaq Computer Corporation, Hewlett Packard, MCI, APEX Analytix, and BSI Healthcare. She has a bachelor's degree in English, a bachelor's in accounting, a master's in business administration, and a graduate certificate in project management.

Chris brings her experience as a management consultant in the areas of compliance, auditing, internal controls, and fraud prevention to Doxey, Inc. Chris also serves as the Executive Director of the IOFM Controller Certification Program.

Chris is a Certified Accounts Payable Professional (CAPP), holds a Certification in Controls Self Assessment (CSA), and is a Certified Internal Controls Auditor (CICA). She has also written a controller’s best practices guide, numerous articles, and several whitepapers. Chris has published two handbooks: AP Leadership Skills and Implementing a Controls Self Assessment Program for Accounts Payable. She presents at several conferences and provides a multitude of webinars each year.

Chris is a member of the Institute of Internal Auditors (IIA), the Institute for Internal Controls (TheIIC), and the Institute of Financial Operations (IFO). She is a member of the advisory board for TheIIC and is president of the Washington DC area chapter for both the IFO and TheIIC organizations.



Webinar Housekeeping

This webinar and its contents are the property of FraudResourceNet™ LLC. Unauthorized usage or recording of this webinar or any of its material is strictly forbidden.

We will be recording the webinar and you will be provided access to that recording within five to seven business days. Downloading or otherwise duplicating the webinar recording is expressly prohibited.

You must answer the polling questions to qualify for CPE per NASBA unless you are viewing the Webinar with a group on a single screen.

Please complete the evaluation to help us continuously improve our Webinars.

Submit questions via the chat box on your screen and we will answer them either during or at the conclusion.

If GTW stops working you may need to close and restart. You can always dial in and listen and follow along with the handout.


Disclaimers


The views expressed by the presenters do not necessarily represent the views, positions, or opinions of FraudResourceNet LLC (FRN) or the presenters’ respective organizations. These materials, and the oral presentation accompanying them, are for educational purposes only and do not constitute accounting or legal advice or create an accountant-client relationship.

While FRN makes every effort to ensure information is accurate and complete, FRN makes no representations, guarantees, or warranties as to the accuracy or completeness of the information provided via this presentation. FRN specifically disclaims all liability for any claims or damages that may result from the information contained in this presentation, including any websites maintained by third parties and linked to the FRN website.

Any mention of commercial products is for information only; it does not imply recommendation or endorsement by FraudResourceNet LLC.


Today’s Agenda

Introduction

Fraud Statistics: The Growing Fraud Threat

2013 Updates to COSO

Auditing for Fraud: Standards & Essentials

Standards of Internal Control

The Case for Continuous Controls Monitoring (CCM)

Controls Self Assessment (CSA)

Fraud Risk Assessment (FRA)

10 Top Recommendations

CCM and Data Analytics Toolkit

Conclusion

Your Questions


Fraud Statistics – 2012 ACFE Report to the Nations

The typical organization loses 5% of its revenues to fraud each year.

Applied to the 2011 Gross World Product, this figure translates to a potential projected annual fraud loss of more than $3.5 trillion.

The median loss caused by the occupational fraud cases was $140,000.

More than one-fifth of these cases caused losses of at least $1 million.



Fraud Statistics – 2012 ACFE Report to the Nations (Continued)

The Effectiveness of Controls

Organizations lacking internal controls experienced median fraud losses approximately 45% greater than organizations with the controls in place.


Fraud Statistics – 2012 ACFE Report to the Nations (Continued)



Primary Internal Control Weakness Observed by CFEs



Polling Question 1

The median loss caused per incident of occupational fraud is:

A. $199,000

B. $140,000

C. $120,000

D. $180,000



2013 Updates to COSO


The COSO update articulates principles of effective internal control.


2013 COSO Updates

Effective internal control provides reasonable assurance regarding the achievement of objectives and requires that:

Each component and each relevant principle is present and functioning

The five components are operating together in an integrated manner

Each principle is suitable to all entities; all principles are presumed relevant except in rare situations where management determines that a principle is not relevant to a component (e.g., governance, technology)

Components operate together when all components are present and functioning and internal control deficiencies aggregated across components do not result in one or more major deficiencies

A major deficiency represents an internal control deficiency or combination thereof that severely reduces the likelihood that an entity can achieve its objectives



2013 Updates to COSO

Fraud Risk Consideration. Because the nature of fraud risk is so unique, one of the 17 principles states that it must be assessed as part of internal control.

Fraud risk is not limited to financial statements; it should also be included in compliance and operations risk assessments.



2013 Updates to COSO


The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.

The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.

Diagram: Monitoring Activities – Standards for Internal Control, CSA, CCM and CA, FRA


Standards of Internal Control

Define the set of internal controls for the organization;

Link the control to the risk that is being mitigated;

Are updated when:

There is a change to the business or system environment;

A fraud has been perpetrated;

The cost of the control is not in line with the benefit to the organization; or when

A business process has been automated.


Polling Question 2

According to COSO, fraud risk is not limited to financial statements; it should also be included in compliance and operations risk assessments.

A. True

B. False



Controls Self Assessment (CSA)

The most common approaches to performing CSA activities are facilitated team meetings, CSA surveys, and management’s focus on a specific internal control or area of their business.

1) A facilitated team meeting is the most popular form of CSA. The facilitated sessions consist of six to 15 employees who are subject on a day-to-day basis to the internal controls being evaluated. A trained facilitator guides the meeting, and another individual records the activity.

2) The survey approach uses questionnaires to elicit data about controls, risks, and processes. It differs from traditional internal control questionnaires used by auditors because the operational employees (not the auditors) use the survey results to self-evaluate the controls or processes.


Continuous Controls Monitoring (CCM) vs. Continuous Auditing (CA)

CCM enables management to continually review business processes for adherence to, and deviations from, their intended levels of performance and effectiveness.

CA enables internal audit to continually gather and analyze data from processes in support of auditing activities.



Continuous Controls Monitoring (CCM) vs. Continuous Auditing (CA)

CCM enables management to:

Assess the effectiveness of controls and detect risk.

Improve business processes and activities while adhering to ethical and compliance standards.

Execute more timely quantitative and qualitative risk-related decisions.

Increase the cost effectiveness of controls and monitoring through automated solutions.


Continuous Controls Monitoring (CCM) vs. Continuous Auditing (CA)

CA enables internal audit to:

Collect data from processes, transactions, and accounts that supports internal and external audit activities.

Achieve more timely, less costly compliance with policies, procedures, and regulations.

Shift to more pro-active reviews and more dynamic audit planning based on CA results.

Reduce the costs of internal audit activities.



Four Levels of CCM

1) User Access Controls Monitoring & Remediation

2) Application & Process Configuration Controls Monitoring

3) Master Data / Static Data Controls Monitoring

4) Business Transaction Monitoring
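One way to implement the first level, user access controls monitoring and remediation, as an added example that is not code from the webinar or from any tool it lists: a segregation-of-duties (SoD) check run over a constructed user-to-role extract. The role names, permissions and conflict pairs are hypothetical placeholders, not any real ERP's authorization objects. The check works on a user's effective permissions rather than on role names, so it flags a conflict whether the two permissions come from one role or from two separately assigned roles, and it records which roles grant each side so the remediation step knows what to revoke.

```python
"""Level 1 CCM test: segregation-of-duties (SoD) conflicts in user access.

Added example; not part of the webinar deck. Every role, permission and
conflict pair below is a constructed placeholder, not a real ERP object.
"""
from collections import defaultdict

# Constructed role -> permissions mapping (what each role lets a user do).
ROLE_PERMISSIONS = {
    "AP_CLERK":      {"INVOICE_ENTER", "VENDOR_VIEW"},
    "AP_SUPERVISOR": {"INVOICE_APPROVE", "PAYMENT_RELEASE"},
    "VENDOR_ADMIN":  {"VENDOR_CREATE", "VENDOR_VIEW"},
    "PAYROLL_ADMIN": {"EMPLOYEE_CREATE", "PAYROLL_RUN"},
    "READ_ONLY":     {"VENDOR_VIEW"},
}

# Constructed SoD rules: permission pairs one person should never hold at once,
# each tagged with the fraud scheme the combination would enable.
SOD_RULES = [
    ({"VENDOR_CREATE", "PAYMENT_RELEASE"}, "fictitious vendor paid by its creator"),
    ({"INVOICE_ENTER", "INVOICE_APPROVE"}, "self-approved invoice"),
    ({"EMPLOYEE_CREATE", "PAYROLL_RUN"}, "ghost employee on payroll"),
]

# Constructed access extract: user -> roles currently assigned.
USER_ROLES = {
    "alice": ["AP_CLERK", "READ_ONLY"],          # clean
    "bob":   ["VENDOR_ADMIN", "AP_SUPERVISOR"],  # conflict spans two roles
    "carol": ["PAYROLL_ADMIN"],                  # conflict inside a single role
    "dave":  ["AP_CLERK", "AP_SUPERVISOR"],      # conflict spans two roles
}


def effective_permissions(roles, role_permissions=ROLE_PERMISSIONS):
    """Flatten a user's roles into the permissions they actually hold, keeping
    track of which role(s) granted each one (needed to remediate)."""
    granted = defaultdict(set)
    for role in roles:
        for perm in role_permissions.get(role, set()):
            granted[perm].add(role)
    return granted


def find_sod_conflicts(user_roles=USER_ROLES, rules=SOD_RULES,
                       role_permissions=ROLE_PERMISSIONS):
    """Return one finding per (user, rule) violated, ordered by user.

    The test runs on effective permissions, not on role names, so it catches
    conflicts created by combining two individually harmless roles as well as
    conflicts built into a single role."""
    findings = []
    for user, roles in sorted(user_roles.items()):
        granted = effective_permissions(roles, role_permissions)
        for pair, scheme in rules:
            if pair.issubset(granted):
                findings.append({
                    "user": user,
                    "permissions": tuple(sorted(pair)),
                    "scheme": scheme,
                    # roles granting each side of the conflict; removing every
                    # role listed under one side clears it
                    "granting_roles": {p: sorted(granted[p]) for p in sorted(pair)},
                })
    return findings


if __name__ == "__main__":
    for f in find_sod_conflicts():
        a, b = f["permissions"]
        print(f"{f['user']}: {a} + {b} ({f['scheme']}) via {f['granting_roles']}")
```

Run against the constructed extract it reports bob, carol and dave; alice, who holds only entry and view rights, is clean. Feeding the real access extract on a schedule and diffing successive runs is what turns this one-off test into the continuous, remediation-tracking monitoring the slide names.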



Continuous Controls Monitoring (CCM)

Continuous transaction monitoring is a powerful detective control that should be considered in the design of internal controls, especially relative to fraud detection.

Continuous control monitoring provides assurance that controls are in place to prevent or detect future transactions.



The Value of CCM

It is a detective control that management may place significant reliance on. When the inspection is automated, the cost relative to alternative manual controls may justify at least a partial shift from preventive to detective. It also helps if the detection can be performed promptly, minimizing the delay between processing a transaction and detecting an error.

When considering the risk of fraud, it is important to have both effective preventive controls and detection procedures (in case the controls are circumvented). Continuous transaction monitoring provides a detective control in case preventive controls are ineffective or are bypassed (e.g., through collusion).



The Value of CCM

In some cases, complex testing may be required to detect an error. For example, financial systems have long found it difficult to detect and prevent duplicate payments.

Because the risk (in terms of the size of any single payment) is relatively low, it may be wise to accept the limitations of the financial system and rely on more thorough testing after-the-fact.
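The after-the-fact duplicate payment test described above, as an added example (not code from the webinar or from the analytic tools it lists): two common accounts-payable heuristics run over a constructed payment extract. The record layout, the 30-day window and the invoice-number normalisation are illustrative choices, not anything the deck specifies. The point it makes is that the hard part is not an exact match but the re-keyed variants a financial system's own duplicate check misses: case, punctuation and leading zeros in the invoice number, or a second payment keyed under a fresh number on the same day.

```python
"""Transaction-level CCM test: after-the-fact duplicate payment detection.

Added example; not code from the webinar or from any tool it lists. The
payment extract is constructed, and the matching rules and 30-day window are
illustrative choices.
"""
import re
from collections import defaultdict
from datetime import date

# Constructed AP payment extract:
# (payment id, vendor id, invoice number as keyed, amount, payment date)
PAYMENTS = [
    ("P001", "V100", "INV-1001", 1250.00, date(2013, 8, 1)),
    ("P002", "V100", "inv1001",  1250.00, date(2013, 8, 9)),   # re-keyed invoice number
    ("P003", "V200", "7788",      980.50, date(2013, 8, 3)),
    ("P004", "V200", "0007788",   980.50, date(2013, 8, 4)),   # leading zeros added
    ("P005", "V300", "A-55",      420.00, date(2013, 8, 5)),
    ("P006", "V300", "A-56",      420.00, date(2013, 8, 5)),   # same amount/day, new number
    ("P007", "V300", "A-55",      420.00, date(2013, 11, 5)),  # same number, outside window
    ("P008", "V400", "9001",     1500.00, date(2013, 8, 6)),   # single clean payment
]

WINDOW_DAYS = 30  # maximum gap for two same-invoice payments to be paired


def normalise_invoice(raw):
    """Collapse the usual re-keying variants of one invoice number: case,
    punctuation, whitespace and leading zeros are dropped, so 'INV-1001' and
    'inv1001', or '7788' and '0007788', compare equal."""
    key = re.sub(r"[^0-9A-Z]", "", raw.upper())
    return key.lstrip("0") or "0"


def find_duplicate_payments(payments=PAYMENTS, window_days=WINDOW_DAYS):
    """Return sorted (payment id pair, rule) findings.

    Rule 1: same vendor, same normalised invoice number, same amount, paid
            within window_days of each other (the window keeps recurring
            invoices that legitimately reuse a number out of the report).
    Rule 2: same vendor, same amount, same payment date, different invoice
            number (the second payment keyed under a fresh number).
    Amounts are compared in whole cents to avoid float equality surprises."""
    by_invoice = defaultdict(list)     # (vendor, norm invoice, cents) -> [(id, date)]
    by_amount_day = defaultdict(list)  # (vendor, cents, date) -> [(id, norm invoice)]
    for pid, vendor, inv, amount, paid in payments:
        cents = round(amount * 100)
        norm = normalise_invoice(inv)
        by_invoice[(vendor, norm, cents)].append((pid, paid))
        by_amount_day[(vendor, cents, paid)].append((pid, norm))

    findings = []
    for rows in by_invoice.values():
        rows.sort(key=lambda r: r[1])
        for i, (pid_a, paid_a) in enumerate(rows):
            for pid_b, paid_b in rows[i + 1:]:
                if (paid_b - paid_a).days <= window_days:
                    findings.append(((pid_a, pid_b), "same invoice number (normalised)"))

    for rows in by_amount_day.values():
        for i, (pid_a, inv_a) in enumerate(rows):
            for pid_b, inv_b in rows[i + 1:]:
                if inv_a != inv_b:
                    findings.append(((pid_a, pid_b), "same vendor, amount and date, different invoice"))
    return sorted(findings)


if __name__ == "__main__":
    for ids, rule in find_duplicate_payments():
        print(f"{ids[0]} / {ids[1]}: {rule}")
```

On the constructed data the test pairs P001/P002, P003/P004 and P005/P006; P007 reuses P005's invoice number but three months later, so the window leaves it out and it surfaces only if the window is widened. Every pairing is a lead for an AP reviewer, not a conclusion, which is why the output carries the rule that fired.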



Polling Question 3

Which type of meeting is the most popular form of CSA?

a. Mandatory management meeting

b. Facilitated team meeting

c. Departmental meeting

d. Special C-level meeting



Fraud Risk Assessment (FRA)

A FRA identifies where fraud may occur and who the perpetrators might be within a specific process. The process is scheme and scenario based.

It considers vulnerability to management override and potential schemes to circumvent existing control activities.

The FRA identifies the critical fraud risks to focus on and is an ongoing process.

The objectives of an FRA are to:

1. Identify the vulnerabilities for fraud;

2. Implement proactive measures such as specific internal controls to prevent the fraud from occurring.



Fraud Risk Assessment (FRA)

The three phases of an FRA include:

1) Assess – The current internal controls structure is assessed to identify specific weaknesses where potential fraud could occur.

2) Respond – Fraud risks are linked to controls to determine: risk tolerance, cost benefit analysis, stakeholder expectations, and remediation monitoring.

3) Sustain – A report is developed to communicate the results of the FRA process, the fraud audit plan is developed and executed, and a continuous monitoring process is implemented.



10 Top Recommendations


The ACFE notes that the nature and threat of occupational fraud is truly universal. Here are some recommendations for processes to have in place when “controls are not enough”.

1. Hotlines: Providing individuals a means to report suspicious activity is a critical part of an anti-fraud program.

2. Anti-Retaliation: Management should actively encourage employees to report suspicious activity, as well as enact and emphasize an anti-retaliation policy.

3. Targeted Fraud Awareness Education: Training for employees and managers is a critical component of a well-rounded program for preventing and detecting fraud.


10 Top Recommendations (Continued)


4. External Audits Are Not Enough: External audits should not be relied upon as an organization’s primary fraud detection method. Such audits were the most commonly implemented control in the ACFE’s study; however, they detected only 3% of the frauds reported and they ranked poorly in limiting fraud losses.

5. Fraud Risk Assessments (FRA): Assessing the threat of specific fraud schemes and performing a FRA can help identify those areas that merit additional investment in targeted anti-fraud controls.

6. The Control is Linked to the Risk: It’s not the number of internal controls that an organization has in place, but it’s the way that the controls were developed to address a specific risk.


10 Top Recommendations (Continued)


7. Standards of Internal Controls should be implemented and updated to incorporate behavioral fraud flags and weaknesses found through CSA, CCM, and FRA programs.

8. Roles and Responsibilities for all internal programs, compliance initiatives, and remediation activities need to be well defined to avoid duplication of effort and to provide opportunities for leveraging test approaches and data.

9. Leveraging Opportunities: Programs can be developed to combine reviews and monitoring approaches with well-defined data requirements and test programs.

10. Reporting, Remediation, and Monitoring: All findings need to be reported, remediated, and monitored to ensure the risk of recurrence is mitigated.


Example: Leveraging Testing

Purchase to Pay, T&E, P-Cards, Payroll, Fraud, and General Ledger risk assessments and testing can be expanded to include FCPA.


Business Process | Business Process Risk | FCPA Risk

Purchase to Pay | Do all our vendors serve clear business purposes? | Is a vendor being used to carry out an FCPA-impacted transaction?

T&E | Are we applying T&E expenses appropriately? | Are there FCPA-impacted expenditures in our T&E transactions?

P-Cards | Are we using P-Cards appropriately? | Are there FCPA-impacted expenditures in our P-Card transactions?

Payroll | Do we know who all our employees are? Are we paying ghost employees? | Are we paying foreign officials as employees?

Fraud | Are we losing money to fraud schemes? | Is the fraudulent activity aimed at circumventing FCPA rules? Have we integrated our FCPA rules with our “tone at the top” and properly trained employees?

General Ledger | Do all journal entries have a clear business purpose? | Is there evidence that a journal entry is used for a non-approved purpose?


Polling Question 4

A FRA identifies where fraud may occur and who the perpetrators might be within a specific process:

a. True

b. False



Conclusion - It’s not all about automation!

To perform continuous monitoring of controls, you need a combination of techniques: automated monitoring, automated control testing, and other tests such as surveys and manual test procedures.

Testing transactions does not provide positive assurance that controls are present and operating effectively. It only tells you that the transactions are clean.

Some controls (such as the review by a manager of a reconciliation, the performance of a physical inventory count, or employee understanding of the code of conduct and other key policies) do not lend themselves to automated testing.

You still need Standards of Internal Controls, Segregation of Duties, System Access, and Delegation of Authority Controls!

Leverage testing approaches and applications to compliance programs when possible.

Always define Roles and Responsibilities!



Polling Question 5

Hotlines are essential but not adequate for capturing all employee tips. You should also have (choose all that apply)

A. E-mail channel

B. Web-based reporting option

C. Employee questionnaire

D. P.O. Box



CCM and Data Analytics Toolkit

ACL http://www.acl.com/

Caseware/IDEA http://www.caseware.com/products/idea

WEBCAAT http://www1.webcaat.org/

EZR Stats, LLC http://www.ezrstats.com/

Technology Insight http://www.technology-insight.com/

APEX Analytix http://www.apexanalytix.com/

Infor Approva http://www.infor.com/product_summary/fms/approva-continuous-monitoring/



Questions?

Any Questions?

Don’t be Shy!



In the Queue

Protecting Your Organization from the Growing Threat of Cyber Fraud 9/18/13

A Primer on Social Networking and Fraud Risk 9/25/13


Thank You!


Website: http://www.fraudresourcenet.com

Jim Kaplan, FraudResourceNet™

800-385-1625 [email protected]

Peter Goldmann, FraudResourceNet™

[email protected]

Chris Doxey, Doxey, Inc.

[email protected]