Auditors and Fraud
Presentation for UNCC, January 2010
By: Steve Katzman, CIA, CISA, CISSP; Sheri Brillhart, CIA

Agenda
• Introductions
• Overview
• The Institute of Internal Auditors (IIA)
• Fraud Investigator
• Internal Auditor
• IA and the Fraud Investigator
• Fraud Prevention & Detection
• IA Red Flags
• Summary
• Appendices A – D
Introductions
• Steve Katzman, CIA, CISA, CISSP
  • Retired Military Master Sergeant
  • 4 years in Finance
  • The rest in technology and data communication
  • Moved into Auditing in 2000
  • IIA Charlotte Chapter Vice President
• Sheri Brillhart, CIA
  • Currently in Risk Management for an accounting, tax and consulting firm
  • 8 years internal audit experience
  • Participation in a variety of fraud investigations, mainly with a large, multi-national manufacturing company
Overview
• Fraud negatively impacts organizations in many ways, including:
  • financial,
  • reputation,
  • psychological, and
  • social implications
• However, the full cost of fraud is immeasurable in terms of time, productivity, and reputation, including customer relationships.
• In these difficult economic times the problem is getting worse, as expected. The number of fraud instances and the dollar value of fraud that occurs reportedly may be up as much as 50%, and expectations are that these trends will continue:
  • Increased personal economic pressure on employees
  • Layoffs are depleting internal control systems
Overview
• The 2008 Report to the Nation on Occupational Fraud & Abuse, published by The Association of Certified Fraud Examiners (ACFE), reported the following:
  • Survey participants estimated that U.S. organizations lose 7 percent of their annual revenues to fraud.
  • Occupational frauds are much more likely to be detected by a tip than by audits, controls or other means. 46 percent of the cases were detected by tips from employees, customers, vendors and other sources.
  • Lack of adequate controls was most commonly cited (35 percent) as the factor that allowed fraud to occur (and remember the comment from the prior page). Next most common were lack of management review (17 percent) and override of existing controls (17 percent).
Overview (Continued)
• Although there are many definitions for fraud, we will use the following for this presentation:
“Fraud is any intentional act or omission designed to deceive others, resulting in the victim suffering a loss and/or the perpetrator achieving a gain”
A quote from “Managing the Business Risk of Fraud: A practical guide”, sponsored by the Institute of Internal Auditors (IIA), the American Institute of Certified Public Accountants (AICPA), and the Association of Certified Fraud Examiners (ACFE)
Overview (Continued)
• The Fraud triangle (“means, motive and opportunity”) – Are they weighted equally?
[Figure: the fraud triangle, with vertices labelled Opportunity, Rationalization, and Pressure / Incentive]
Overview (Continued)
• Opportunity – (28% cite as largest contributing factor)
  • Weak internal controls
  • Lack of segregation of duties
• Rationalization – (23% cite as largest contributing factor)
  • Everyone’s doing it, so I’m no different
  • I’ll return the money next month
  • They are underpaying me, so I deserve it
• Pressure/Incentive – (49% cite as largest contributing factor)
  • We must make our earnings target so that bonuses will be paid
  • Extreme financial pressures or overwhelming personal debts
  • This will make me look like a star employee
Overview (Continued)
• Where do the threats come from?
  • Accountants – commit the highest % of frauds, 27% of all cases
  • Legal employees – inflict the most damage, median cost of $1.1MM per incident
  • Executives/upper management – rank 2nd in both categories: 18% of all frauds and median cost of $850K per incident
  • Front-line employees – much lower average impact per incident
• How do they do it?
  • Corruption
  • Fraudulent statements
  • Asset misappropriation
IIA Standards
• 1200 – Proficiency and Due Professional Care
  • Internal auditors must have sufficient knowledge to evaluate the risk of fraud and the manner in which it is managed by the organization, but are not expected to have the expertise of a person whose primary responsibility is detecting and investigating fraud. (Awareness and Understanding)
  • Due Professional Care
    • Probability of significant errors, fraud, or non-compliance
• 2060 – The Chief Auditor must report periodically to senior management and the board on Internal Auditing.
  • The report must include significant risk exposures and control issues, including fraud, governance issues, and other matters needed or requested by senior management and the board.
IIA Standards (continued)
• 2120 – Risk Management – The IA activity must evaluate the potential for the occurrence of fraud and how the organization manages fraud risks.
• 2210 – Engagement Objectives – The IA must consider the probability of significant errors, fraud, noncompliance, and other exposures when developing the engagement objectives.
• See Appendix A for some questions to consider
• See Appendix B for some ideas on the Fraud Risk Assessment
Fraud Investigator
• Fraud investigators are usually responsible for the detection and investigation of fraud, and the recovery of assets.
• They also perform a role in fraud prevention.
• Fraud investigators often work closely with legal counsel to bring legal action against the perpetrator.
• The organizational alignment of a fraud investigation unit (FIU) can vary.
• If an FIU is based within a corporate security department, it may be beneficial for them to work closely with or be involved in internal audit activities so the FIU employees will have access to internal and independent auditor findings.
The Internal Auditor
• The Internal Auditor (IA) is tasked with assessing how management deals with the risks of doing business.
• IA tests to determine:
  • if leadership is involved in the process, by reviewing the governance, management and process controls put in place by the organization to reduce risks to an acceptable level
  • if the controls exist, and whether they are effective in reducing those risks
• As such, the IA reviews for accuracy and correctness.
• They also review the process to help ensure that the organization maintains data integrity throughout the process, safeguards the confidentiality of customer, vendor and employee information, and protects proprietary company information.
• The fact that the auditor may be coming is a preventive control.
The Internal Auditor and Fraud
• While external auditors focus on misstatements in the financial statements that are material, internal auditors are often in a better position to detect the symptoms that accompany fraud.
• Internal auditors usually have a continual presence in the organization that provides them with a better understanding of the organization and its control systems.
• Specifically, internal auditors can assist in the deterrence of fraud by examining and evaluating the adequacy and the effectiveness
• IA may conduct proactive auditing to search for misappropriation of assets and information misrepresentation. This may include the use of computer-assisted audit techniques, including data mining, to detect particular types of fraud.
• Internal auditors also can employ analytical and other procedures to find unusual items and perform detailed analyses of high-risk accounts and transactions to identify potential fraud.
IA and Fraud Investigation
• The internal auditor is not a fraud investigator.
• To prosecute fraudulent actions, there must be a clear and accountable trail of evidence from discovery to presentation in court.
• Both fraud investigators and auditors should stay aware of frauds being perpetrated within their industry.
• Both areas need to build awareness through day-to-day interactions with the business units.
IA and Fraud Investigators – Working Together
Skill sets and expertise that each may bring to an investigation:
• Fraud Investigator/Certified Fraud Examiner (CFE)
  • Knowledge of investigation protocols
  • Assessment of quality and quantity of evidence required
  • Investigation documentation and reporting protocols
  • Access to appropriate resources (legal, law enforcement, technology specialists, etc.)
  • Independence (in many cases)
• Internal Audit
  • Data analysis
  • Documentation of evidence and findings
  • Assistance with interviews
Fraud Prevention
• Complete fraud prevention is not possible, and often the cost of preventing certain fraud scenarios exceeds the benefits. So, what can management do?
• Policies outlining the ethics and expectations of the business, along with the penalties for not following policies, are a deterrent to fraud.
• Create the right “Tone at the Top” about fraud
• Provide anti-fraud training (see Appendix C & D)
• Perform background checks (think about the Charlotte police officer currently in the news…)
• Evaluate performance and compensation programs
  • How are employees incentivized? (ties back into “Tone at the Top”)
• Conduct exit interviews
• Establish appropriate authority limits and segregated duties
Fraud Prevention (Continued)
• So, what can management do? (continued)
• Establish appropriate authority limits and properly segregated duties
  • Authorization of transactions
  • Execution of operations
  • Custody of assets
  • Recording of transactions
• Review internal controls and management monitoring
  • Cash receipts and disbursements
  • Accounts receivable and sales
  • Inventory and cost of sales
  • Accounts payable, other liabilities and purchases
  • Payroll
• Review HR practices – do they make sense?
  • Is confidential information kept secure?
  • Are employees required to sign a non-disclosure agreement (and code of ethics)?
  • Are related party transactions closely monitored?
Some Challenges Organizations Face in Managing Fraud Risk
• Fraud is not considered “high risk”
• “No fraud here” mentality
• Availability and alignment of internal resources
• Laws and regulations or cultural norms in non-US locations
• Fraud Risk Management is not a corporate priority
• Accountability for fraud risk is not widespread
Source: Preventing Fraud: Assessing the Fraud Risk Management Capabilities of Today’s Largest Organizations, by Protiviti
IA Red Flags
• Segregation of Duties (SOD) weakness
  • If a person has physical control as well as logical control of an asset, that person can make the paperwork fit the crime.
  • Weaknesses in SOD provide one side of the Fraud Triangle (Opportunity).
• Not all red flags or testing exceptions are fraud; remember that fraud occurs when there is intentional deception for personal gain, or even personal revenge, etc.
  • Please note that when unemployment goes up, so do fraudulent acts, hacking, and other subversive activities.
  • Note that personal gain can be a gain to others, so the fraud perpetrator gains a personal pat on the back, a feeling of accomplishment.
  • Not all hackers are after money; some want the personal satisfaction of having outwitted the so-called professionals.
IA Red Flags – Page 2
• An accounts payable clerk or purchasing agent shows up for work in a Maserati Spyder. Is this the result of a relative’s last will and testament, a church raffle win, a fraud, or what?
  • The auditor doesn’t have enough factual data to come to that decision, but it is a RED FLAG.
• A review shows profits from a business segment are lower than industry standards, prior year averages, etc.
  • Is this a RED FLAG, aging equipment, poor management, etc.?
• An audit finding denotes a vendor address or bank account that is the same as an employee address. If the employee happens to work in Purchasing or Accounts Payable, is that a RED FLAG?
IA Red Flags – Page 3
• An auditor was doing a physical inspection of a building complex owned by his company and managed by another organization.
• He noticed vending machines in each building and on each floor and asked how the funds were being recorded and transferred to the owner.
• The manager stated that they took the change, put it in their personal account and then sent a check to the owner.
• Since the auditor determined that the process design was okay, there were no further inquiries, and the information/observation didn’t make it into the audit report.
• Nobody checked to find out that the owner had never received a check from that complex management team. They only got the rent checks in their drop box.
IA Red Flags – Page 4
• As an IT auditor I was auditing an electronics manufacturing company.
• I was asked by the financial auditors to help them determine if they could rely on the computer inventory.
• A check of the network, system and application user lists against the terminated employee list showed that the employees laid off in two increments over the past four months still had access to everything that they had prior to the layoff.
• Checking further into the applications, and specifically the inventory application, we found that out of 400 employees at the site, 360 could adjust Raw Material, WIP and Finished Goods inventory. A part for their circuit boards cost $125 wholesale. Is this a weakness or a RED FLAG or BOTH?
• Please note that within weeks of our unsatisfactory audit report, a terminated worker gained access to the network and brought all applications down. The cost to the organization was 24 hours of recovery time and some lost data.
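The three checks behind the red flags on the last two pages (terminated employees still holding accounts, a vendor sharing an address or bank account with an employee, and how widely inventory-adjustment rights are spread) as an added example, not code from the presentation or its authors. The data sets, field names and severity labels are constructed assumptions; in practice the inputs are HR, directory/application and vendor-master exports.

```python
# Added example (not from the presentation): the terminated-user access
# check and the vendor/employee matching check described in the red-flag
# slides, run over constructed data. Field names and severity labels are
# assumptions; real inputs would be HR, directory/application and vendor
# master exports.

# Constructed sample data.
TERMINATED = {"e102", "e117"}                 # HR termination list (employee ids)
ACTIVE_ACCOUNTS = {                            # system -> employee ids with access
    "network": {"e100", "e101", "e102", "e117", "e120"},
    "inventory": {"e100", "e101", "e102", "e120"},
}
INVENTORY_ADJUSTERS = {"e100", "e101", "e102"}  # ids allowed to adjust inventory
EMPLOYEES = [                                  # employee master
    {"id": "e100", "dept": "Purchasing", "address": "12 Oak St", "bank": "111-222"},
    {"id": "e101", "dept": "Engineering", "address": "9 Pine Rd", "bank": "888-777"},
    {"id": "e120", "dept": "Accounts Payable", "address": "5 Elm Ave", "bank": "555-666"},
]
VENDORS = [                                    # vendor master
    {"id": "v01", "name": "Acme Parts", "address": "77 Mill Rd", "bank": "999-000"},
    {"id": "v02", "name": "Oak Supplies", "address": "12 OAK ST", "bank": "888-777"},
    {"id": "v03", "name": "Elm Services", "address": "1 Main St", "bank": "555-666"},
]
SENSITIVE_DEPTS = {"Purchasing", "Accounts Payable"}   # can create vendors / approve payments


def terminated_with_access(terminated, accounts):
    """Red flag: terminated employees whose accounts are still enabled."""
    return [(system, emp)
            for system, ids in sorted(accounts.items())
            for emp in sorted(terminated & ids)]


def vendor_employee_matches(vendors, employees):
    """Red flag: a vendor address or bank account equal to an employee's.

    Values are normalised (case, whitespace) before comparison. Matches on
    Purchasing / Accounts Payable staff are rated high because those roles
    can set up vendors or approve payments to them."""
    by_field = {}
    for e in employees:
        for field in ("address", "bank"):
            by_field.setdefault((field, e[field].strip().lower()), []).append(e)
    findings = []
    for v in vendors:
        for field in ("address", "bank"):
            for e in by_field.get((field, v[field].strip().lower()), []):
                severity = "high" if e["dept"] in SENSITIVE_DEPTS else "medium"
                findings.append((v["id"], e["id"], field, severity))
    return findings


def inventory_adjust_ratio(adjusters, site_users):
    """SOD breadth: fraction of site users who can adjust inventory balances."""
    return len(adjusters & site_users) / len(site_users)
```

Every hit is a red flag to follow up, not a finding of fraud: a shared address may be a legitimate employee-owned vendor that simply needs a related-party review.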
Appendix A – Questions To Consider
Conducting timely and appropriate discussions about fraud with all levels of the organization, including the audit committee, demonstrates the proactive role the internal audit activity is taking in this area. Some of the questions that internal auditors may ask about fraud on a regular basis include:
• Does the organization have a fraud governance structure in place that assigns responsibilities for fraud investigations?
• Does the organization have a fraud policy in place?
• Has the organization identified laws and regulations relating to fraud in jurisdictions where it does business?
• Does the organization’s fraud management program include coordination with internal auditing?
• Does the organization have a fraud hotline?
• Does the audit charter describe internal auditing’s roles and responsibilities relating to fraud?
• Has responsibility for fraud detection, prevention, response, and awareness been assigned within the organization?
• Do management and the CAE update the audit committee on fraud?
• Does management promote fraud awareness and training within the organization?
• Does management lead fraud risk assessments and include internal auditing in the assessment process?
Appendix A – More Questions To Consider
• Are the results of fraud risk assessments considered in the audit planning process?
• Are periodic fraud awareness and training programs provided to all employees?
• Are automated tools available to those responsible for preventing, detecting, and investigating fraud?
• Has management identified the types of potential fraud risks in its areas of responsibility?
• Do management and the CAE know where to obtain guidance on fraud from professional organizations?
• Do management and internal auditors know their professional responsibilities relating to fraud?
• Has management incorporated appropriate controls to prevent, detect, and investigate fraud?
• Does management have the appropriate skill sets in place to perform fraud investigations?
• Do management and the internal audit activity periodically assess the effectiveness and efficiency of fraud controls?
• Are fraud investigation workpapers and supporting documents appropriately secured and retained?
Appendix C – “Expectations Related to Fraud”
It is expected that every manager and employee will:
• Know the fraud-related exposures in their areas of responsibility.
• Know the symptoms or indicators of fraud.
• Put in place methods to identify wrongdoing.
• Make sure the transactions they personally approve are not fraudulent.
• Personally monitor for those frauds that only they are in a position to detect.
• Question and challenge the unusual.
• Set an example of honest and ethical behavior by personal example and by not tolerating dishonest or unethical behavior in others.
• Strive to prevent fraud by minimizing the exposures and reducing the opportunities and temptation.
• Never inappropriately subordinate the needs of the organization to their own needs.
• Recognize and respond to new or increased exposures.
• Not seek to achieve goals through dishonest or unethical means. Do not tolerate such behavior in subordinates.
• Immediately refer suspected wrongdoing to Internal Audit or Security for investigation.
• Do the right thing!
Appendix D – Sample Training for Invoice Approvers
BEFORE APPROVING INVOICES FROM VENDORS AND CONTRACTORS – “Good Questions to Ask!”
Managers are encouraged to answer these basic questions before approving invoices and other payment documents:
• How well do I know this vendor or contractor? Do I have first-hand knowledge that they even exist?
• Do I know that they actually provided the goods or services identified in the invoice or other billing statement?
• Do I know that they are using the correct amounts for price, sales tax, freight, and other variables that make up the amount invoiced?
• On what basis do I know that the prices are reasonable in the first place? What standard have I used in determining that the price charged is fair?
• How do I know that the quantities make sense? On what basis have we agreed to purchase the stated quantities?
• How do I know that the invoice is mathematically correct?
• Do I know that this invoice has not already been paid?
Wrap Up Q&A
Contact Information
• Steve Katzman, CIA, CISA, CISSP
• Sheri Brillhart
  Manager, Risk Management
  RSM McGladrey, Inc.
  4725 Piedmont Row Drive, Suite 300
  Charlotte, NC 28210
  E-mail: sheri.brillhart@rsmi.com
  Phone: (704) 206-7200