Forensic Audit Building a World Class Program PAUL E. ZIKMUND DIRECTOR GLOBAL INTEGRITY AND FORENSIC AUDIT
1 2012 ACFE ANNUAL FRAUD CONFERENCE ORLANDO, FL
Forensic AuditBuilding a World Class ProgramPAUL E. ZIKMUND
DIRECTOR GLOBAL INTEGRITY AND FORENSIC AUDIT
2 2012 ACFE ANNUAL FRAUD CONFERENCE ORLANDO, FL
In response to a crisisConcern from the Board or Audit CommitteeExternal Auditors or Consultant’s recommendationsSarbanes OxleyBenchmarkingInternal need to enhance existing antifraud programs and controlsIncrease in fraud casesTarget of external investigationCentralized function to address fraud risk management programs and controls
Why the Need for Forensic Audit Program
3 2012 ACFE ANNUAL FRAUD CONFERENCE ORLANDO, FL
Recipe for Success
Sponsorship
Staffing
Execution & Results
Building the Network
ROI
4 2012 ACFE ANNUAL FRAUD CONFERENCE ORLANDO, FL
Organizational policies and proceduresHotlineEthics and Compliance programsCode of ConductExecutive sponsorshipVisibility to Board/Audit CommitteeEngagement by Business Segments/OpCo’sRespect from Legal & Human ResourcesClear understanding of roles and responsibilitiesAssignment of costs
Sponsorship & Support
5 2012 ACFE ANNUAL FRAUD CONFERENCE ORLANDO, FL
Proper background and experienceRecruit internally and externallyCombined set of skills (CFE, CIA, CPA, M.B.A.)Invest in trainingPrevious corporate investigative experience a plusLaw enforcement versus auditingProper headcountStrong external relationshipsWell networkedData Analytics & Computer Forensics skills a plus
Staffing
6 2012 ACFE ANNUAL FRAUD CONFERENCE ORLANDO, FL
High-quality resultsBuild a brand (think like a consultant)Regionally basedTraining and awareness programsBe proactiveThink beyond investigations (Compliance, Internal Controls, ERM, etc.)Avoid territorialismSolicit feedback (example: have legal review your reports)Network, network, & network
Execution & Results
7 2012 ACFE ANNUAL FRAUD CONFERENCE ORLANDO, FL
Litigation SupportAudit Committee presentationsExecutive Management visibilityRegional awareness of the teamAttend training and awareness programsERMCorporate ComplianceInformation SystemsThink Big!Temporary assignments (rotation program)Develop policies and procedures
Build the Network
8 2012 ACFE ANNUAL FRAUD CONFERENCE ORLANDO, FL
Recovery of assetsRemediation of lossesInternal controls/root cause analysis feedbackInformal feedback on people and processesIncreased transparency of reporting fraud and misconductReduction in fraudGreater credibility from external agencies (DOJ, Auditors)Stronger control environmentAudit Committee assuranceConsistent approach to managing fraud risk
Return on Investment
9 2012 ACFE ANNUAL FRAUD CONFERENCE ORLANDO, FL
Lack of policies and proceduresLack of a champion or executive management support and sponsorshipImproperly positioned/located within the organizationImproperly staffed (headcount & skillsets)No budgetFailure to embed AFPC within organizational frameworkFear of travelMyopic thinkingFailure to networkBeing reactive
Roadblocks
11 2012 ACFE ANNUAL FRAUD CONFERENCE ORLANDO, FL
Proactive Fraud Risk Management Approach
4. Investigation
7. Analysis
11. Training
1. Prevention Programs
10. Testing For Compliance
12. Proactive Auditing 2. Incident (Fewer)
3. Incident Reporting
5. Action
6. Resolution8. Publication
9. Implementation of Controls
12 2012 ACFE ANNUAL FRAUD CONFERENCE ORLANDO, FL
AFPCExternal Auditors
Internal Auditors
Management Board of Directors
Audit Committee
Compliance
Anti-Fraud Roles & Responsibilities
13 2012 ACFE ANNUAL FRAUD CONFERENCE ORLANDO, FL
GIFA - Fraud Risk Management Process
Fraud Deterrence
Policies & ProceduresPolicies &
ProceduresFraud Risk
AssessmentFraud Risk
AssessmentAnti-Fraud
CultureAnti-Fraud
Culture
Fraud Detection
Forensic Audit
Techniques
Forensic Audit
TechniquesCAATsCAATs
Detective Processes &
Controls
Detective Processes &
Controls
Fraud Investigation
Investigation Guides
Investigation Guides
Evidence Management
Evidence Management ReportingReporting
Fraud Remediation
Root Cause Analysis
Root Cause Analysis
Recovery of Assets
Recovery of Assets
Internal Controls Review
Internal Controls Review
14 2012 ACFE ANNUAL FRAUD CONFERENCE ORLANDO, FL
GIFA - Fraud Deterrence Sub-Process
Policies & Procedures
Code of ConductCode of Conduct
Fraud ResponsePolicies
Fraud ResponsePolicies
Human Resources
Policies
Human Resources
Policies
Fraud Risk Assessment
Identify Fraud Risk FactorsIdentify Fraud Risk Factors
Define Fraud Schemes & Scenarios
Define Fraud Schemes & Scenarios
Determine Residual
Fraud Risk
Determine Residual
Fraud Risk
Anti-Fraud Culture
Whistleblower Hotline
Whistleblower Hotline
Control Environment
Control Environment
Employee Surveys
Employee Surveys
Fraud Deterrence
Policies & Procedure
s
Policies & Procedure
s
Fraud Risk Assessme
nt
Fraud Risk Assessme
ntAnti-Fraud
CultureAnti-Fraud
Culture
Fraud Detection
Forensic Audit
Techniques
Forensic Audit
Techniques
CAATsCAATsDetective Processes & Controls
Detective Processes & Controls
Fraud Investigation
Investigation GuidesInvestigation Guides
Evidence Managem
ent
Evidence Managem
entReportingReporting
Fraud Remediation
Root Cause
Analysis
Root Cause
AnalysisRecovery of AssetsRecovery of Assets
Internal Controls Review
Internal Controls Review
15 2012 ACFE ANNUAL FRAUD CONFERENCE ORLANDO, FL
GIFA - Fraud Detection Sub-Process
Forensic Audit
TechniquesAnalytical
ProceduresAnalytical
Procedures InterviewingInterviewingAnalysis of Financial
Transactions
Analysis of Financial
Transactions
CAATs ACL / IDEA software
ACL / IDEA software
Continuous Controls
Monitoring
Continuous Controls
MonitoringEvent-Driven
CAATsEvent-Driven
CAATs
Detective Controls
Segregation of Duties
Segregation of Duties
Monitoring & IT Controls
Monitoring & IT Controls
Safeguarding Company
Assets
Safeguarding Company
Assets
Fraud Deterrence
Policies & Procedure
s
Policies & Procedure
s
Fraud Risk Assessme
nt
Fraud Risk Assessme
ntAnti-Fraud
CultureAnti-Fraud
Culture
Fraud Detection
Forensic Audit
Techniques
Forensic Audit
Techniques
CAATsCAATsDetective Processes & Controls
Detective Processes & Controls
Fraud Investigation
Investigation GuidesInvestigation Guides
Evidence Managem
ent
Evidence Managem
entReportingReporting
Fraud Remediation
Root Cause
Analysis
Root Cause
AnalysisRecovery of AssetsRecovery of Assets
Internal Controls Review
Internal Controls Review
16 2012 ACFE ANNUAL FRAUD CONFERENCE ORLANDO, FL
GIFA - Fraud Investigation Sub-Process
Investigative Guidelines
Processes & Flowcharts
Processes & Flowcharts
Fraud Response Team
Fraud Response Team
Defined Roles & ResponsibilitiesDefined Roles & Responsibilities
Evidence Management
Document Reviews & Labeling
Document Reviews & Labeling
Computer ForensicsComputer Forensics
Chain of CustodyChain of Custody
Reporting Report Guidelines
Report Guidelines
Attorney-Client Privilege
Attorney-Client Privilege
Presentation of Findings
Presentation of Findings
Fraud Deterrence
Policies & Procedure
s
Policies & Procedure
s
Fraud Risk Assessme
nt
Fraud Risk Assessme
ntAnti-Fraud
CultureAnti-Fraud
Culture
Fraud Detection
Forensic Audit
Techniques
Forensic Audit
Techniques
CAATsCAATsDetective Processes & Controls
Detective Processes & Controls
Fraud Investigation
Investigation GuidesInvestigation Guides
Evidence Managem
ent
Evidence Managem
entReportingReporting
Fraud Remediation
Root Cause
Analysis
Root Cause
AnalysisRecovery of AssetsRecovery of Assets
Internal Controls Review
Internal Controls Review
17 2012 ACFE ANNUAL FRAUD CONFERENCE ORLANDO, FL
GIFA - Fraud Remediation Sub-Process
Root Cause Analysis
Internal Controls Review
Internal Controls Review
Issues Tracking System
Issues Tracking System
Management Accountability
Program
Management Accountability
Program
Recovery of Assets
Civil / Criminal Action
Civil / Criminal Action
Disciplinary Action
Disciplinary Action
Insurance Claims
Insurance Claims
Information & Communication
Awareness Programs
Awareness Programs
Policy & Procedure Updates
Policy & Procedure Updates
Surveys & Certification Programs
Surveys & Certification Programs
Fraud Deterrence
Policies & Procedure
s
Policies & Procedure
s
Fraud Risk Assessme
nt
Fraud Risk Assessme
ntAnti-Fraud
CultureAnti-Fraud
Culture
Fraud Detection
Forensic Audit
Techniques
Forensic Audit
Techniques
CAATsCAATsDetective Processes & Controls
Detective Processes & Controls
Fraud Investigation
Investigation GuidesInvestigation Guides
Evidence Managem
ent
Evidence Managem
entReportingReporting
Fraud Remediation
Root Cause
Analysis
Root Cause
AnalysisRecovery of AssetsRecovery of Assets
Internal Controls Review
Internal Controls Review
19 2012 ACFE ANNUAL FRAUD CONFERENCE ORLANDO, FL
Global Integrity & Forensic Audit – Policies & Procedures Overview
GIA Charter
Fraud Response
Policy
Fraud Response Protocols
Allegations Matrix
GIFA Investigation Guidelines
GIA Charter
Defines the purpose of GIA
Provides authority to conduct audits
Defines areas of responsibility
Fraud Response Policy
Details guiding principles for managing fraud risk
Assigns responsibility for addressing complaints
Fraud Response Protocols
Defines principles for conducting internal Compliance/GIFA investigations of fraud and misconduct
Details the 7-step protocol to address allegations or detection of fraud and/or misconduct
Allegations Matrix
Defines various types of allegations
Prioritizes allegations in three separate levels (A,B,C)
Identifies ownership for investigating the allegations
GIFA Investigative Guidelines
Serves as a guide and reference to enroll investigative procedures and processes during the collection of facts and evidence in matters where illegal, unethical or otherwise improper acts are alleged
Defines GIFA’s philosophy and core values
20 2012 ACFE ANNUAL FRAUD CONFERENCE ORLANDO, FL
Global Integrity & Forensic Audit - Vision & Mission
Vision – To ensure the development, implementation, and sustainability of a comprehensive fraud risk management process designed to reduce Bunge’s risk of asset loss, reputational damage, and legal liability resulting from incidents of fraud and misconduct.
Mission – To develop comprehensive anti-fraud programs and controls designed to deter, detect, investigate, and remediate incidents of fraud and misconduct within Bunge, including but not limited to:
Promptly respond to reports of illegal, unethical, or improper acts committed by company employees or non-employees who are engaged in company business,
Conducting fraud awareness training for company employees,
Completion of a fraud risk assessment,
Enhanced fraud detection through data analytics and forensic audit techniques,
Provide litigation support and forensic due diligence for legal and regulatory matters, and
Collaborate with compliance and risk management teams to evaluate risks, review processes, and analyze trending.
21 2012 ACFE ANNUAL FRAUD CONFERENCE ORLANDO, FL
Investigation of Fraud, Abuse, and/or MisconductAccounting Irregularities
Occupational Fraud (Embezzlement, Skimming, Fictitious Invoices, T&E, etc.)
Conflicts of Interest
Bribery & Corruption
Litigation SupportAntitrust, Intellectual Property, Securities Trading
Fraud Risk Assessment
Global Integrity & Forensic Audit - Scope of Work (1 of 2)
22 2012 ACFE ANNUAL FRAUD CONFERENCE ORLANDO, FL
Proactive Fraud Awareness TrainingInternal Audit (forensic audit techniques)
Operating Companies
Functions (Finance, Sales, etc.)
M&A Due DiligenceEthics & Integrity Case StudiesIT Investigative Technology/Computer ForensicsFCPA/Third-Party Compliance
Third-Party Proactive Reviews
Anti-bribery Audits
Security Audits/Surveys/Reviews
Global Integrity & Forensic Audit - Scope of Work (2 of 2)
23 2012 ACFE ANNUAL FRAUD CONFERENCE ORLANDO, FL
Scope of Work - Differentiation
Compliance policies & proceduresEthics programsCompliance investigations oversight (FCPA)Allegations matrixCompliance reporting 3rd-party compliance programs
Fraud investigationsAnti-fraud training & awarenessLitigation supportFraud protocols & investigation guidelines Security auditsM&A due diligenceFraud risk assessments
Physical security programs (facilities, cargo, inventory, etc.)Personal securityTravel securitySecurity policies and proceduresSecurity investigations (thefts, product tampering, etc.)
Compliance Function GIFA Security Function
25 2012 ACFE ANNUAL FRAUD CONFERENCE ORLANDO, FL
Legal Counsel
Legal adviceLitigation supportAttorney-client privilegeReview reports for languageCommunication with the Board, Audit Committee, Senior ManagementCo-sponsored training
26 2012 ACFE ANNUAL FRAUD CONFERENCE ORLANDO, FL
Human Resources
Investigative support• Interviewing• Prior disciplinary actions – incidents• Personnel files
Report distributionDisciplinary actionEmployee surveysStaffing (compensation, career planning)
27 2012 ACFE ANNUAL FRAUD CONFERENCE ORLANDO, FL
Information Technology
Electronic evidence collectionData retrieval – where/when/howEmail reviewsHard drive imagingInternet activityLog in/out data
28 2012 ACFE ANNUAL FRAUD CONFERENCE ORLANDO, FL
Security
Support investigationsPhysical access documentationInterviewing skillsPrior incidentsLocation background
29 2012 ACFE ANNUAL FRAUD CONFERENCE ORLANDO, FL
Outside Fraud Experts
Investigative experience/expertiseInterviewing skillsData-mining techniquesComputer forensicsReport-writing skillsForensic auditing expertiseExpert witness – render opinions
30 2012 ACFE ANNUAL FRAUD CONFERENCE ORLANDO, FL
Audit
Control weaknesses reviewRoot-cause analysesData miningDocument reviewEmail/electronic evidence reviewsProactive forensic auditsResource poolForensic rotation programFraud training programs
31 2012 ACFE ANNUAL FRAUD CONFERENCE ORLANDO, FL
Audit Committee/Management
Periodic updatesAnnual presentationImmediate notification of serious fraud issuesRoot-cause analysisPatterns of behaviorLegal liabilityOversight of investigative activitySponsorship
32 2012 ACFE ANNUAL FRAUD CONFERENCE ORLANDO, FL
FindingsContinuous UpdatesKnowledge of Business & PeopleRemediation of FindingsProcess ImprovementsCause & Root Cause AnalysisInternal Control RecommendationsTraining & Awareness
Management
33 2012 ACFE ANNUAL FRAUD CONFERENCE ORLANDO, FL
Questions
“Association of Certified Fraud Examiners,”
“Certified Fraud Examiner,” “CFE,” “ACFE,” and
the ACFE Logo are trademarks owned by the
Association of Certified Fraud Examiners, Inc.
The contents of this paper may not be
transmitted, re-published, modified, reproduced,
distributed, copied, or sold without the prior
consent of the author.