Fraud risk management training - Elsam Management Consultants

www.elsamconsult.com 1

EMAC

Fraud Risk Management

Part IIADVANCED RISK

MANAGEMENT WORKSHOPSTELLA MARIS HOSTEL

Bagamoyo 9TH -11TH April,2014


EMAC

Operational Risk Nature of fraud risk- Operational Risks What is fraud and fraud risk? Necessity of anti-fraud training Fraud risk factors Group exercise: fraud risk factors or 3 Cs

Coverage

www.elsamconsult.com

EMAC

• Operational risk attaches itself to people, systems and process

• Operational risk is the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events.

• It includes other risks such as legal risks, physical risks, political risks and environmental risks

• Fraud is part of operational risk in any organization Internal fraud such as tax evasion, assets

misappropriation, bribery, corruption and larceny External fraud such as theft, forgery, hacking and

information theft

3

Introduction


EMAC

Credit Risk

Market Risk

Operational Risk

Compliance Risk

Information Risk

Data Risk

Other Risk

Basic Strategic ERM Integrated

Evolution of Operational Risk


EMAC

• Joint McKinsey finds have shown that risk management has not been able to prove its value to organization

• Operational risk is seen as immature discipline that has often not proven its value to organization

• There is evidence that operational risk can be destructive as market loose faith in management and control following large events (Enron Case)

• The discipline is focused more on measurement than on management

Perception on operational Risk


EMAC

“obtaining a comprehensive measure of fraud’s financial impact is challenging, if not impossible due to the fact that fraud inherently involves efforts at concealment. Many fraud cases will never be detected, and of those that are, the full amount of losses might never be determined or reported. Consequently, any attempt to quantify the extent of all fraud losses will be, at best, an estimate”

Why is Fraud a Major Operational Risk


EMAC

The Cost of Fraud & Corruption


EMAC

• Fraud is a broad legal concept that generally refers to an intentional act committed to secure an unfair or unlawful gain.

• Misconduct is also a broad concept, generally referring to violations of laws, regulations, internal policies, and market expectations of ethical business conduct.

• It is an intentional act by one or more individuals among management , those charged with governance, employee or third parties involving the use of deception to obtain an unjust or illegal advantage

8

What is fraud?


EMAC

Fraud is any intentional act or omission designed to deceive others, resulting in the victim suffering loss and/ or the perpetrator achieving a gain. ACFE

Corruption is the abuse of public or private office for personal gain. It includes acts of bribery, embezzlement, nepotism or state capture. It is often associated with and reinforced by other illegal practices such as bid rigging, fraud or money laundering. OECD

What is fraud? Perspectives ..


EMAC

Fraud is …. Fraud is not …..

Intentional Taken by physical force

To trick or deceive someone out of his/her assets

Victimless

Theft Insignificant because no one is hurt

A crime Acceptable or justifiable

Characteristics of Fraud


EMAC

Fraud commonly includes activities such as theft, corruption, conspiracy, embezzlement, money laundering, bribery and extortion.

It involves using deception to dishonestly make a personal gain for oneself and / or create a loss for another.

Scope of Fraud


EMAC

• Pressure on employee to misappropriate cash or organizational assets

• Employees/people committing fraud are not career criminals, they are trusted employees

• Dr. Donald Cressey, a criminologist developed a model to get reasons for why people in trust commit fraud (Case Study II)

• Model is referred as fraud triangle

Why people commit fraud?


EMAC

• Most of fraudsters are first time offenders with no criminal past and therefore don’t view themselves as criminals (See Arthur Andersen case)• They must always justify the crime in a

way that makes it an acceptable and justifiable act (rationalization) e.g. I was underpaid, my employer cheated me, my employer is dishonest, I was entitled to the money or I was only borrowing money.

Causes of Fraud - Rationalization


EMAC Frau

d

Pressure or

Incentive

Rationalization

Opportunity

14

What causes fraud?- Fraud Triangle

All the three factors must be present for fraud to occur, if any one of the three is missing, fraud will not occur


EMAC

15

Why fraud happens?

Fraud Need/Rationalization•Every one Does it•Simply borrow-money

PressureUnrealistic Corporate Target can

Force Employees toCommit fraud

Opportunity- due to weak And override of controls


EMAC

• It is a perceived non-sharable financial pressure• Non-Shareable involves some sort of

embarrassment, shame or disgrace• It is the first motivation for crime• A person may have financial problem that cannot

be solved through legitimate means Consideration for illegal acts such as stealing cash or

falsifying a financial statement as a way to solve problem

It can be deep personal debt or a job/business is in jeopardy e.g. Desire for status symbol eg. Big house, nicer car; need to meet productivity targets; drug or gambling addition or inability to pay bills ( See the Enron Case Study)

It can sexual addiction and importance of status

Causes of Fraud (Pressure/Incentive)


EMAC

• It is a perceived opportunity defining method by which crime can be committed

• Involves uses of position of trust to solve financial problems

• It is critical that the fraudster be able to solve problem in secret since motivation is over the status

• Always the fraudster will act in secret e.g. forcing bank reconciliation to balance if he had paid a cheque to oneself ( See a case of TV show)

Causes of fraud (Opportunity)


EMAC

• Not applicable to professional fraudsters or predatory employees ( employees taking job with intent to stealing from the employer)

• Rationalization is only necessary for first commitment of fraud and afterwards it is abandoned

Fraud Triangle - Limitations


EMAC

• Reduce pressures on employees that might push them to committing fraud

• Reduced perceived opportunities to commit fraud

• Dispel rationalization for engaging in fraudulent conduct

• Sanctions does not work, why Fraudsters never think that they can be

caught in a perceived opportunity Fraudsters always rationalize their conduct Sanctions are only secondary

consideration

Fraud Triangle-Deterrence measures

EMAC

20

Types of fraudFraudulent Financial Reporting

Asset Misappropriation

Other Questionable or Improper Business Practices

Manipulation, falsification/alteration of records or documents

Misappropriation of assetsSuppression or omission of the effect of

transaction from records or documentsRecording transaction without substanceMisapplication of accounting principlesThese can be elaborated on th

is presentation


EMAC

Types of Internal Fraud


EMAC

• Aggressive application of accounting codes• Information provided unwillingly or after

unreasonable delay• Unsupported transactions• Fewer confirmation responses• Evidence of unduly lifestyle by officers or

employees• Long outstanding imprest balances• Poor documentation• False & improper entries in records• Unauthorized payments• Unauthorized use of corporate assets• Misapplication of funds

22

Fraud Indicators (Red Flags)


EMAC

Undue secrecy• Questionable practices• Significant manager or director transactions• Drop of sales or earnings• Aggressive accounting treatment• Posting of transactions to headquarters• Receipt of poor quality goods• Related party arrangements• Weak security checks for employees• Delay in submission of reports

23

Fraud Indicators (Red Flags)


EMAC

• Flouting directives and regulations• Personal interest • Uncorrected entries and stock adjustments• High fly management decisions• Incompatible functions done by one

person• Misuse of computer for private business• Frequent use of allocated issue voucher

even when the system is available• Questionable system adjustments

24

Fraud indicators (Red flags)


EMAC

• Unauthorized transactions• Cash shortages• Unexplained variation in prices• Missing documentation• Excessive refunds• Living beyond ones means• Drug and alcoholic abuse• High personal debt/loses• Compulsive gambling/stock speculation• Risk of increase IT, increases the risk of

manipulation, access control25

Fraud Indicators


EMAC

• Management Environment Pressure Management style and attitude

• Competitive and business environment e.g. technology

• Employee relationship ( spouse receiving non competitive contract)

• Attractive assets • Internal controls• Lack of separation of duties• Too much trust placed on few

employees26

Fraud Indicators


EMAC

Fraud Risk Indicators


EMAC

Common Red-Flags


EMAC

Red Flags Data


EMAC

• Although the level of fraud risk at an organisation may be assessed as low, individuals in the business can have a personal motivation to commit fraud– Personal pressures– Individual performance targets– Infiltration by organised crime

• Controls may be overridden or ignored by certain individuals:– Powerful (overrides controls, staff intimidated)– Successful (not to be bothered, too busy earning money)– Trusted (responsibility has moved beyond their job description)

30

Personal Fraud indicators


EMAC

31

Managing Fraud -Forces

Entity Governance and Responsibility

Code of Ethics Staff

Regulations

Director & Officer Liability

Internal Audit

Risk Management

Business Plan and Budget

Procurement and Finance Acts

Customer Service Surveys

Stakeholders pressures

Reputation and Credibility


EMAC

• Rapid increase of activities Weak competition• Rapidly growing sales• Relatively high profitability• ….. In such an environment, effective anti-

fraud measures can be ascribed low priority or be undetected because the current level of profitability allows for fraud losses to be absorbed within existing profit margins.

• …. Consider tough times ahead…. More competition, changing government regulations?

32

Business environment

EMAC

Elements of Fraudster

Makes false representation or willful omission regarding a material fact.

The fraudster knew the representation was false.

The target relied on this misappropriation.

The victim suffered damages or incurred a loss

EMAC

Fraudster

The analysis of the constantly changing nature of fraudster can held organizations stiffen their defenses against fraud

A typical fraudster is 35 to 45 years of age Employed in an executive Finance operations Sales and marketing Six years of employment Intelligent and passionate of work

EMAC

Characteristics of a Fraudster

Likely to be married. Member of a church or mosque Educated beyond high school. No arrest record. Age range from teens to over 60. Socially conforming. Employment tenure from 1 to 20 years. Acts alone 70% of the time. Growing use of technology

EMAC

Characteristics of a Fraudster First-time offenders.

Losses from fraud caused by managers and executives were 3.5 times greater than those caused by non-managerial employees.

Losses caused by men were 3 times those caused by women. [53% males; 47% females]

Losses caused by perpetrators 60 and older were 27 times those caused by perpetrators 25 or younger.

Losses caused by perpetrators with post-graduate degrees were more than 3.5 times greater than those caused by high school graduates.

EMAC

Characteristics of a FraudsterYesterday, today and tomorrow

Egotistical Risk taker Hard Worker Greedy Disgruntled or a

complainer Overwhelming

desire for personal gain

Pressured to performManagement frequently regards fraud risk as a single dot on

the risk matrix, not always fully appreciating its real nature and extent

EMAC

Characteristics of Fraudster

EMAC

Characteristics of Fraudster Impact of collusion

It account 29% of known fraud It is insiders who take the lead, since they tend to

identify the opportunity and to know the soft spots of the company’s defense

More than 42% of fraudsters had worked with the company more than six years

Collusion cannot be present when people act alone Most detection is mostly from informal tip off by 22%

and formal whistle blowing by 19% Cyber fraud is mostly perpetrated by collusion

We expect employees and managers managing fraud opportunities to continue to threaten companies future


EMAC

Where the fraudster works?


EMAC

Which source of fraud type?


EMAC

June 2013, Corruption swallows 25% of Africa GDP according to World Bank survey. Africa loses $148 billion annually because of corruption, a survey by World Bank has indicated

Corruption to increase costs of achieving the UN millennium Development Goals on water and sanitation by US $148 billion

Astonishing facts

EMAC

Tips for fraud Specialist “Finding fraud is like trying to load frogs on to a

wheelbarrow.”To be a forensic auditor, you have to have a knowledge of fraud, what fraud looks like, how it works, and how and why people steal. Source: Robert J. Lindquist "Finding fraud is like using a metal detector at a city

dump to find rare coins. You're going to have a lot of false hits."

- D. Larry Crumbley

“Fraud can be best prevented by good people asking the right questions at the right time.”

- Michael J. Comer

EMAC

Tips for Fraud Specialists

Changing techniques1. Tips from employees (26.3%).2. By accident (18.8%).3. Internal audit (18.6%).4. Internal controls (15.4%).5. External audits (11.5%).6. Tips from customers (8.6%).7. Anonymous tips (6.2%).8. Tips from vendors (5.1%).Therefore, 46.2% from tips.

EMAC

Tips for Fraud Specialist1. Strong Internal Controls (1.62)2. Background checks of new employees (3.70)3. Regular fraud audit (3.97)4. Established fraud policies (4.08)5. Willingness of companies to prosecute (4.47)6. Ethical training for employees (4.86)7. Anonymous fraud reporting mechanisms

(5.02)8. Workplace surveillance (6.07)

1 = Most effective8 = Least effective

Source: 2002 Wells Report

EMAC

Tips for Fraud Specialist Assume there may be wrong doing. The person may not be truthful. The document may be altered. The document may be a forgery. Officers may override internal

controls. Try to think like a crook. Think outside the box.

EMAC

Tips for Fraud SpecialistAccording to KPMG, typically, a fraudster is perceived as someone who is greed and deceitful by nature. However, as this analysis reveals, many fraudsters work within entities for several years without committing any fraud, before an influencing factor-financial worries, job dissatisfaction, aggressive targets, or simply an opportunity to commit fraud-tips the balance


EMAC

What are they?1. Reviewed and Strengthening of internal

controls2. Periodic compliance audit3. Employee hotline4. Appointed compliance personnel5. Establish and implement code of conduct for all

employees6. Conducted background check for hires with

budgetary responsibility7. Instituted fraud awareness training8. Tied employee evaluations to ethics or

compliance objectivesWhat is your answer on the above from 0-10 48

Do we have any fraud mitigation?

EMAC 49

EMAC

Iceberg Theory of Fraud

Covert AspectsAttitudesFeelings (Fear, Anger, etc.)ValuesNormsInteractionSupportivenessSatisfaction

Overt AspectsHierarchyFinancial ResourcesGoals of the OrganizationSkills and Abilities of PersonnelTechnological StatePerformance Measurement

Behavioral Considerations

Water line

Structural Considerations

The Iceberg Theory of Fraud


EMAC

50

Fraud Risk Management TechniquesManagement

Internal Audit Internal Controls Whistle-blowing

Reliance

?


EMAC

Fraud risk identificationFraud risk assessment Similar Procedures used in the ERM process discussed previously

Fraud Risk Identification and Assessment process


EMAC

What is fraud risk identification


EMAC

What is fraud risk assessment


EMAC

Fraud Risk Assessment


EMAC

Source of Date to Assess Fraud Risks


EMAC

Anti Fraud Programs


EMAC

Building blocks in Fraud Management


EMAC

• Good controls on paper are not strictly followed in practice

• Grey areas in the rules – open to interpretation• Lack of segregation of duties• Collusion• Management override• Failure of senior management to lead by

example• Bureaucracy &/or formulaic compliance• Failure to share knowledge of fraud

experience, control weaknesses and control improvements

• Clash of cultures

58

Controls Barriers

EMAC


Objectives of Fraud Risk Management

PreventionDetectionResponse

controls designed to reduce the risk of fraud and misconduct fromoccurring in the first placecontrols designed to discover fraud and misconduct when it occurs

controls designed to take corrective action and remedy the harmcaused by fraud or misconduct

http://www.elsamconsult.com/


appropriately if discovered

occurrence

fraud and misconduct

Fraud Risks Management - Measures

Detect

Respond

Prevent


Fraud Risk Management - components

EMAC

• Before an organisation can develop an effective program to prevent and detect fraud, it must first understand the types of fraud risk, including specific types of frauds and schemes, to which it may be vulnerable.


Fraud risk assessment

Likelihood

Sign

ifica

nce

/ Im

pact

Qualitative factors in the assessment include:• the accounting system• complexity, volume and nature of transactions• internal controls in place• compliance, training and monitoring

Incorporates the views of:• management;• control functions;• line employeesManagement are then able to:

• Prioritise identified risks and evaluate the existing controls• Link each risk to specific controls and commit resources to implement any enhancements

EMAC

Surveys suggest that:1. Over 50% of frauds are discovered as a result

of information provided by staff2. Losses after an introduction of a whistle-

blowing hotline can be reduced by up to 60%.3. Staff prefer the following reporting channels:

57%: a telephone hotline; 20%: conventional mail; and 16%: e-mail.


Fraud Risk Management Experiences

Source: 2006 ACFE Report to the Nation on Occupational Fraud & Abuse

EMAC


FRM – Hotline best practicesConfidentiality

Anonymity AvailabilityAssistance – Real TimeProceduresClassify & Notify

Communicate

All matters treated confidentially; reported on a need to know basisProcess should allow for anonymous submission & resolutionShould be available in remote outposts, not just head officeA ‘live’ response – operators need to be qualified, trained & able to provide adviceConsistent protocols to gather information and manage the callQualified staff assess the allegation; protocols establish basis for escalation & investigationPublicise the hotline prominently; commit to, & test for, non-retaliation

EMAC


FRM - Response• Objective is to take corrective action &

remedy the harm caused by fraud or misconduct:

• Examine the primary cause of the control breakdown, ensuring that risk is mitigated and controls are strengthened.

• Discipline those involved in the inappropriate actions, as well as those in management positions who failed to detect or prevent such events.

• Communicate to the wider population of employees that management took appropriate, responsive action.

EMAC

Consideration should be given to:• Data and information gathering;• Interviewing techniques;• Appropriate resource;• Analytical tools such as data mining;

and• Organisation intelligence information.

• My first fraud investigation Videowww.elsamconsult.com 66

FRM - Basis of Investigation


EMAC

• Once the symptoms of fraud are found and additional tests have indicated that there is a strong possibility of fraud, the review enters the formal investigation phase

• Investigator must know;Results of investigation can be used later as an educational tools for auditors, fraud investigators and other employees (See a Case of Forensic Accountant)

67

Fraud investigation

EMAC

• Briefing management, followed by terms of reference detailing the initial scope of work

• Communication with parties involved e.g. Internal audit, audit committee and accounting staff

• Determining the extent of fraud• Interviewing the defrauder ( only if fraud is

known with certainty) • Investigating the known area with detailed

audit test. E.g. Procurement tendering, wages, cash debtors and stock, payroll

• Report to the management on the findings, with copies to interested parties e.g. Internal auditor, audit committee.www.elsamconsult.com 68

Fraud investigation- stages

EMAC

• Circumstances which led to investigation

• Fraud discovered and their extent• Identity of the defrauder• Effects on the reported profit of

the past period• Effects on f/s of current periods


Investigation – details of report


EMAC

• IC weakness which allowed the fraud and recommendations for eliminating them

• Report of any interviewing with the defrauder, including offers of restitution etc, which may be relevant to management in deciding what action, if any they should take against him/her

• If there is any suggestion that the internal auditors has been negligent the extent of claim against him.

70

Investigation – details of report


EMAC

Investigator should Consider the potential effects in F/sWhere the fraud is material the auditor should modify the audit procedures so as to perform procedures appropriate to circumstances depending on the type of the fraud/error suspected, the likelihood of their occurrence and extent of damage in the F/s

71

Action upon proof of fraud or error

EMAC

• If some proof of fraud exists, management has several options

Cause a deeper audit to be done if amount of loss appears substantial

Terminate employee responsible if loss is minimal

File a claim to recover a loss from clients fidelity insurance agent

Arrange with law enforcement agents to probe into the matter




EMAC

• If some proof of fraud exists, management has several options

Engage a private investigator to probe into the loss and document it for claim purpose/prosecution

Disregard losses if minimal and tighten controls

Alert the directors, audit committees or the Board

73



EMAC

• Strong internal Control System is not a warrant from fraudEntity should have an effective anti-fraud and corruption strategy which is aimed at encouraging prevention, promote early detection and respond to concern raised

Awareness programs to employeesScreening job applicantsSound corporate policy on fraudAVOID atmosphere of distrust and paranoia by over-emphasising fraud deterrence measures. 74

Fraud deterrence measures


EMAC

• Management should ensure enforcement of compliance with operations SOPs

• Risk management function should be embedded in business activities

• Internal audit should be proactively risk based

Fraud Deterrence –three lines of defense

EMAC

• It is important to stick to facts, and to discount hearsay, rumour, or opinion and record what is relevant to the cause of the incident and its effect

• Audit reports on fraud and other improprieties should be addressed to the right person who can take actionwww.elsamconsult.com 76

Fraud Risk Reporting

EMAC

Report must contain all details of fraud Must provide framework to analyse the

fraud case Must enable the user to develop improved

management and security policies and detect and prevent fraud.

Investigation and reporting should proceed in such a way that the outcome will be litigated. Recording exact times, data, names of person and specific; description of evidence are critical in civil or criminal investigation or litigation


Fraud reporting


EMAC

Managing Fraud is Your professional Responsibility Management Commitment Recognize Relevant Fraud Schemes Identify High Key Risk indicators Establish Prevention/Detection /Responsive

Measures

Conclusion


EMAC

PRMIA GARP IRM PERI

Sources of Learning