Fraud Risk Management - Road Show in KL, Malaysia

DESCRIPTION

The reason why you need FRA

Passage of the Sarbanes-Oxley Act (SOX) caused more and more companies, public and private, to assess their vulnerability to fraud and abuse. Section 404(a) of the Act requires management of public companies to assess and report on their internal financial reporting controls, largely to ensure that financial statements are fairly presented in accordance with generally accepted accounting principles (GAAP). Fraudulent financial reporting that leads to a material misstatement in the financial statements is one key risk management should assess. This assessment focuses on accounts, processes, GAAP disclosures and the assertions in the financial statements and other required disclosures.

Countries in Asia do not necessarily have their own version of SOX, but they have seen the benefits of SOX in the prevention of occupational fraud. Fraud Risk Assessment is now an integral part of good corporate governance.

Such assessments aren't new. Organizations have assessed business and organizational risks for years, but fraud risk analysis has rarely been the primary focus. Times have changed, and now many companies and organizations are considering conducting specific fraud risk assessments.

Prevent, Deter and Detect Fraud

A fraud risk assessment is designed to examine the controls specifically created to prevent, deter and detect fraud. This assessment is fraud scheme and scenario-based. Fraud risk assessments also communicate a companywide policy of zero tolerance for fraud and abuse. To conduct an effective fraud risk assessment, follow these steps:

1. Organize and define the assessment objectives with company management and your internal audit committee. Form a team of fraud and control experts, and get senior management and audit committee buy-in: ask them to communicate their endorsement and sponsorship of both the process and a strong antifraud program to the entire organization.

2. Determine the business and accounting process(es) to be assessed and investigated. Usually, the initial processes selected are those where fraud or abuse has previously occurred or that management has identified as critical business processes that may be susceptible to fraud or abuse.

3. Identify potential schemes and scenarios specific to the process(es) to be examined against current controls. Fraud schemes and scenarios should be selected based on the specific business process, the industry, physical location of the process operation and any known frauds or abuses concerning the process.

4. Determine the likelihood of a fraud occurring within each scheme and scenario. The Public Company Accounting Oversight Board has defined risk levels as remote, more than remote or reasonably possible, and probable. If assessing a public company, assess the risk levels in relation to SOX compliance efforts.

5. After the fraud risks for individual processes have been identified, documented, and rated as to risk level, match the controls within each process to the identified fraud risks. Determine the effectiveness of each control in preventing or providing a means of early detection for the fraud risk. Group the risks as to their probability of occurring within the process.

6. Estimate the probable loss in dollars should the fraud or abuse occur. Try to place a value on loss of reputation if that is a possible outcome.

7. Prepare recommendations for strengthening controls and present to management.

Fraud Risk Assessment Benefits

Some benefits of a fraud risk assessment are obvious: compliance with Sarbanes-Oxley, protection of company assets, and a possible increase in profitability due to a reduction in fraud losses, waste and abuse. But another important benefit doesn't appear in financial statements or government filings: the enhanced reputation of a highly ethical company that supports a strong internal and external antifraud policy and program.

Citation preview

3/19/2009

ACFE Regent Emeritus Tommy Seah presents
Fraud Risk Management: A Paradigm Shift (2009)

".. financial institutions must have in place, all the necessary measures to deter or prevent fraud and constantly review all its controls and measures and also have in place a fraud management function to prevent loopholes that fraudsters can exploit."
Who said that?

March 05, 2009 at Shangri-La hotel and the guest of honour was Ms Teo Swee Lian, Deputy Managing Director, MAS.

Why is Internal Control Important?

Financial Reporting
  • Promotes integrity of data used in making business decisions
  • Assists in fraud prevention and detection through the creation of an auditable trail of evidence

Operations
  • Promotes efficiency and effectiveness of operations through standardized processes
  • Ensures the safeguarding of assets through control activities

Laws and Regulations
  • Helps maintain compliance with laws and regulations through periodic monitoring

Limitations of Internal Control
  • Errors may arise from misunderstandings of instructions, mistakes of judgment, fatigue, etc.
  • Controls that depend on the segregation of duties may be circumvented by collusion
  • Management may override the structure
  • Compliance may deteriorate over time

The Existing Model
[Diagram. Labels: The Trinity of Controls; Financial Control; Compliance; Risk Management; Internal Audit; The Fraud Examiner (CFE); The Certified System Investigator (CSI). Credentials shown: CPA, LLB, CSI; CPA, CFA, CSI; CPA (CIA), CSI, CISA.]

The Spectrum of Risk (www.cfe-in-practice.net)
[Diagram. Center: What is Risk? Segments A to E: Liquidity Risk; Operational Risk; Credit Risk; Reputational Risk; Market Risk.]

[Diagram. Labels: External Audit; Internal audit (COSO + COBIT + ISO); Forensic audit; Investigative auditing (specific, post event) (suspicious, unusual activities, allegations); e.g. NKF, CAO; e.g. Money Laundering, penetration test.]

Fraud Control Principle

If an organisation accepts that it is exposed to fraud and no organisation is immune to fraud the next step is to apportion responsibility for fraud risk management.

Copyright (c) 2006 www.cfe-in-practice.net

The Paradigm Shift
[Diagram. Labels: Financial Control; The Fraud Examiner (CFE); The Certified System Investigator (CSI); The CPA; Risk Management; Compliance; S.T.A.R (Strategic Tracking and Resolution); Investigation Unit; FRM Unit; Internal Audit. Credentials shown: CPA, LLB, CSI; CPA, CFA, CSI; CPA (CIA), CSI, CISA.]

WHY is there a need for the paradigm shift?

Historically, the management of fraud risk does not lie with any one particular department or practitioner.

It can be handled internally or be outsourced, and how it is handled is affected by many variables such as organizational size, industry sector, geographical location, cultural dynamics - and management perception of the problem.

Regardless of these variables, any fraud prevention and control model should aim to achieve one, or all, of the five primary objectives:
  • Prevention
  • Deterrence
  • Disruption
  • Identification
  • Civil action/criminal prosecution

The Fraud Triangle
[Diagram. Labels: Fraud Risk Management; Perceived Opportunity; Auditors Domain.]

Who Commits Fraud?

What type of individual commits FRAUD? It is not limited to any one type of person. (www.cfe-in-practice.org)
  • Married
  • Active religious members
  • Children
  • Good education
  • First-time offenders
  • Good employees
  • Don't abuse alcohol
  • Optimistic
  • High self-esteem
  • Achieving
  • Family harmony
  • Socially conforming
  • Self control
  • Kind
  • Sympathetic

Conclusion: Fraud Perpetrators Look Exactly Like Us!

Who Commits Fraud?

While people who commit rape, murder, bank robbery and other property offenses have distinguishing characteristics, fraud perpetrators look more like citizens than criminals!
[Diagram. Samples compared: Bank Robbers; Normal Citizens; Fraud Perpetrators. Labels: Major Differences; No Significant Differences.]

The Red Flags of Fraud

Given the right circumstances, almost everyone can rationalize that it is OK to commit fraud.

Profile of a Person Who Commits Fraud
[Diagram. Labels: Alcohol; Gambling; Drugs; Sex.]

STEP 1: EVALUATE THE ORGANIZATION'S FRAUD RISK FACTORS

To identify which factors increase the risk for fraud within an organization, examiners should analyze industry and business operations, hold discussions with management, review previous frauds committed against or on behalf of the company, review company performance, and evaluate similar frauds that occurred at competitors' organizations.

STEP 2: IDENTIFY POSSIBLE FRAUD SCHEMES

The ability to identify specific schemes resulting from fraud risk factors depends on the examiner's knowledge of this area. Fraud specialists, including individuals with certified fraud examiner (CFE) designations and Certified Systems Investigator (CSI), are ideal for this step of the process, as they possess specialized knowledge of fraud detection and investigation.

STEP 3: PRIORITIZE IDENTIFIED FRAUD RISKS

Fraud is not just an ordinary risk, but also an inherent and significant one. Once the fraud schemes database is populated, management and internal auditing should identify the frauds that pose the greatest risk for the organization.

Examiners should consider the following factors when prioritizing fraud risks:
  • Financial impact to the organization.
  • Reputation risk of negative publicity associated with fraud.
  • Loss of productivity.
  • Potential criminal/civil actions taken against the organization. (Such as Data Breach EU95/46 on PII)
  • Loss of company assets.

STEP 4: EVALUATE MITIGATING CONTROLS

Internal Auditors with CFE qualifications are well-positioned to review and counsel on the existence and operational effectiveness of internal controls. In step four, the examiner/auditor should evaluate the high-priority frauds and determine if the necessary controls are in place to reduce the risk of occurrence. This step takes time, as the auditor should attempt to identify more than one control for each fraud scheme.

[Diagram. Labels: Determination by Area; Determination by Scheme.]

Fraud Consideration at All Stages of Engagement
[Diagram. Stages: Perform Pre-Engagement Activities; Perform Preliminary Planning; Develop Audit Plan; Perform Audit Plan; Conclude & Report. Side labels: Professional Skepticism; Gather and Document; Assessment; Fraud Risks; Fraud Risk Factors & Risk of Fraud.]

Questions?

Tommy Seah
Managing Partner
CFE-In-Practice
www.cfe-in-practice.com
www.cfe-in-practice.net
phone +65 65171900