1 / 79

6. Business Process Evaluation and Risk Management (15%)

6. Business Process Evaluation and Risk Management (15%). Focus on Anti-Fraud Business Process Evaluation & Fraud Reduction Risk Management 5% Extra Credit Project Jo Garcia & Maria Fernandez.

Download Presentation

6. Business Process Evaluation and Risk Management (15%)

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. 6. Business Process Evaluation and Risk Management (15%) Focus on Anti-Fraud Business Process Evaluation & Fraud Reduction Risk Management 5% Extra Credit Project Jo Garcia & Maria Fernandez

  2. How many public companies over the last five years had to restate their financial statements due to material accounting irregularities? 1,000 Historically, what percentage of CFOs report that the CEO has pressured them to misrepresent accounting? Fraud Quiz 56% A business school study showed what percentage of CEO participation in SEC enforcement actions involving fraud? 70% What percentage of SEC enforcement actions involving fraud were perpetrated by senior management? 90%

  3. According to government and private studies, how much does the average company lose – in terms of percentage of revenue – to fraud and abuse? Illustration: Manufacturing Company A has $100 million revenues earns $30 million per year. Comparable companies sell at 4x EBITDA 1. What is 6% of Company A’s revenues? What is the potential uplift if all fraud could be eliminated? What is the potential percentage increase in earnings? What is the potential uplift in enterprise value? Fraud Quiz (2)

  4. So, What Is Fraud? Black’s Law Dictionary Intentional perversion of truth False representation of a matter of fact Whether by words or conduct False, misleading, concealment of that which should have been disclosed For the purpose of inducing another In reliance upon perversion of truth To part with some valuable thing belonging to him or to surrender a legal right

  5. So, What Is Fraud? Black’s Law Dictionary: “An intentional perversion of truth for the purpose of inducing another in reliance upon it to part with some valuable thing belonging to him or to surrender a legal right; a false representation of a matter of fact, whether by words or by conduct, by false or misleading allegations, or by concealment of that which should have been disclosed, which deceives and is intended to deceive another so that he shall act upon it to his legal injury.”

  6. Against the Corporation Corporation as victim Corporate risks: Financial Legal, and Reputation Potential civil recovery by Corporation Perspectives On Fraud: Prosecutors, Regulators & Lawyers By the Corporation Corporation as “victimizer” Corporation benefits: Financially Other Corporation subject to potential civil and/or criminal liability

  7. “Good” Fraud Acquirer Underpays Misconduct that if discovered, reduces costs and increases earnings Perspectives On Fraud: Bad Fraud & Good Fraud “Bad” Fraud Acquirer Overpays Earnings management False revenue recognition schemes Costs and expenses schemes Understatement of liabilities Illegal conduct Liability for past conduct Impact upon future earnings

  8. Perspective On Fraud:Post-Sarbanes

  9. Legal & Regulatory Risk: • U.S., state and foreign law • Sarbanes-Oxley • Final SEC Rules • FCPA et. al. • SAS 99 Perspective On Fraud:Post-Sarbanes Financial Risk: • U.S. Dept of Commerce/ACFE: Average U.S. company loses equivalent of 6% of revenues to fraud • 6% of Revenue = ? • Cost savings opportunities and potential – despite statistical exaggeration Reputation Risk: • Management • Audit Committee • Audit • Internal Audit • External Audit

  10. The Board/Audit Committee • Oversight of prevention/mitigation • Supervision of special investigations Management • C-Suite • Business Leaders • General Counsel, Ethics & Compliance Auditors • External Auditor – “Integrated Audit” • Internal Audit • External Audit Roles, Responsibilities, Stakeholders Government • Congress • SEC • PCAOB • Other Regulators • Federal and State Prosecutors

  11. Fraudulent Financial Reporting a/k/a “Earnings Management”, a/k/a “Cooking The Books” Improper Revenue Recognition Overstatement of Assets Understatement of Liabilities Management Disclosure & Analysis Fraud

  12. Common Revenue Recognition Schemes Premature Revenue Recognition Side agreements Liberal return of product Channel Stuffing Fictitious Revenue Recognition Fictitious sales Round tripping Construction Related Schemes Sham related party transactions

  13. Common Overstatement Asset Schemes Cash Balance Schemes Inventory Schemes Inflating quantity Inflating value Accounts Receivable Schemes Creating fictitious receivables Artificially inflating value of receivables Investment Schemes Fictitious investments Overstating value of investments

  14. Common Understatement of Liability Schemes Improper Capitalization of Expenses Software development Research and development Start Up Costs Improper Expensing of Capitalized Costs Off Balance Sheet Entity Schemes Overstatement of Liability Reserves (“Cookie Jar” Reserves)

  15. Common Misappropriation of Assets Schemes Cash Theft of cash receipts Unrecorded/understated sales or receivables Lapping Fraudulent Disbursements Payroll Inventory Fixed Assets

  16. Expenditures For An Improper Purpose Payments to Government Officials Domestic payments Political Campaign Violations FCPA bribery payments FCPA “books and records” violations Commercial Bribery

  17. Assets/Revenue Obtained By Fraud Fraud Against Employees/Joint Venture Partners Fraud Against Suppliers Fraud Against Customers Government Commercial parties Consumers Sample Schemes Antitrust Defective pricing Shipment of damaged goods

  18. Expenses Avoided By Fraud Tax Crimes Failure to Pay False Statements Evasion Fraud Against Suppliers & Customers Improper Labor Practices Environmental, Health & Safety Violations Money Laundering

  19. Senior Management Fraud Use of Corporate Assets to Commit Illegal Conduct Insider Trading Unauthorized Compensation Failure to Pay Taxes Travel Expense Fraud or Abuse Receipt of Free or Below Market Goods and Services From Vendors, Suppliers, Etc. Related Party Transactions Conflicts of Interest CV and Academic Deception

  20. The Legal Landscape: Reactive to Proactive 1970’s & Before: Standard Reactive Approach Federal: Mail & Wire Fraud, SEC Fraud State: General Business Fraud Statutes Inchoate Crimes: Conspiracy/Aiding & Abetting Corporate Criminal Liability Beginning of Corporation As Cop: CTRs 1980’s – 1990s: Shift Toward Proactive Organized Crime Techniques Applied to Economic Crime More Specialized Criminal Legislation RICO Money Laundering Statute Corporate As Cop Continues: SARs

  21. The 21st Century Landscape Civil and Criminal Legislation FCPA Patriot Act Sarbanes-Oxley Act of 2002 Rules & Regulations SEC Final Rules for Implementation of Sarbanes-Oxley SEC Audit Committee Rules U.S. Sentencing Guidelines` SEC Accounting Bulleting (SAB) 99 Professional Standards COSO I Statement of Auditing Standards (SAS) 99 Public Company Accounting Oversight Board Standards For Integrated Audit Institute for Internal Auditors (IIA) Standards ABA Rules for Professional Responsibility

  22. 2004 Hot Topic: Prevention and Timely Detection What Are The Elements of An Effective Antifraud Program?

  23. 2004 Hot Topic: Prevention and Timely Detection Final SEC Rules Require “Antifraud Programs & Controls” Independent Auditor Evaluates and Tests on Annual Basis Also Relevant to Private Company, Particularly If Organization Aspires to Best Practices Anticipates Public Debt Offering, IPO or Sale to Public Company

  24. Snapshot of New Rules & Standards Migration From Federal Sentencing Guidelines to COSO FSG: Define 7 Criteria of Effective “Compliance” Program COSO: Define Effective “Controls” Final SEC Rules Management’s Assessment of Internal Controls Must Consider Fraud Prevention and Detection Controls SAS 99 Requires Fraud Auditing If Antifraud Controls Do Not Adequately Mitigate Fraud Risk Proposed PCAOB Standard Evaluation/ Testing of Design and Operating Effectiveness of Antifraud Programs and Controls (¶24) Mandatory Significant Deficiency If Internal Audit or Risk Assessment Is Inadequate, of If Senior Management Engages in Fraud of “Any Magnitude” (¶126)

  25. Control Activities Linking controls to identified fraud risks Information/Communication Information systems & technology Knowledge management Training Monitoring Ongoing monitoring by management Separate “after the fact” evaluations by internal audit Applying The COSO Framework Control Environment Code of conduct/ethics Ethics hotline Hiring and promotion Audit committee oversight Investigative process Remediation Fraud Risk Assessment Systematic process Level within organization Likelihood and significance

  26. Hiring and Promotion Procedures Background Investigations for Persons of Trust Also Consider Process for Agents, Vendors, Etc. Audit Committee Oversight Passive Not Adequate Active Discussion of Fraud Investigation / Remediation Standard Investigative Process Adequate Remediation to Prevent Recurrence Special Emphasis Is Placed On The Control Environment Codes of Conduct / Ethics Must Meet Requirements of Final SEC Rules Should Apply to All Accounting and Financial Oversight Personnel Must Be Communicated Effectively Whistleblower Hotlines Must Meet Requirements of Final SEC Rules Audit Committee Oversight and Independent of Management

  27. Companies Must Now Specifically And Explicitly Assess Fraud Risk Systematic Rather Than Haphazard or Informal “Scheme and Scenario” Approach Address Financial reporting Misappropriation of assets Expenditures and liabilities for improper purposes Fraudulently obtained revenues and assets, and costs and expenses avoided by fraud Fraud by senior management Extend to Business Unit and Significant Account Levels Likelihood: Identify Fraud Risks That Are “More Than Remote” Significance: Identify Fraud Risks That Are “More Than Inconsequential in Amount” Consider Risks of Management Override

  28. Linking Control Activities To Fraud Risk Assessment Management Should Identify Processes, Controls, and Other Procedures That Are Needed to Mitigate Identified Risks Should Occur Throughout Organization, at All Levels and in All Functions Very Broad, e.g., Approvals, Authorizations, Verifications, Reconciliations, Segregation of Duties, Reviews of Operating Performance, Background Investigations, Physical Security

  29. Sample Tools: Incentives Inventory

  30. Sample Tools: Opportunities Inventory

  31. Sample Tools: Fraud Risk Matrix

  32. Information and Communication Information Systems & Technology Controls Technology enabled fraud , e.g., holding books open Prevention and detection of unauthorized access Inappropriate modification of computer programs System override Ability to investigate computer misuse Knowledge Management Identified fraud risks Strengths and weaknesses of antifraud control activities Suspicions and allegations about fraud; and Remediation efforts. Training Frequency Scope and sufficiency

  33. Fraud Monitoring and Auditing Management: On-going, Day to Day Monitoring Embedded into normal operating activities Includes regular management and supervisory activities Should leverage available information technology Internal Audit: Separate, After-the-Fact Evaluation Scope and frequency contingent upon risk and effectiveness of ongoing monitoring Must address fraud risk in planning and executing internal audit cycle IA must include knowledgeable and experienced fraud professionals Fraud auditing is different than forensic investigation

  34. Determination by Area Determination by Scheme Determine area of operations at risk Determine schemes to which you are most vulnerable Fraud Auditing Is Different From Fraud Investigation Identify potential fraud schemes Identify units/processes where schemes most likely to occur Identify red flags and indicators associated with schemes Build audit steps to search for indicators: Analytics, External and Internal Interviews, Tests of Details, Computer Assisted Auditing Techniques Conduct further inquiry if red flag is detected or suspected

  35. Today’s organizations are concerned about: • Risk Management • Governance • Control • Assurance (and Consulting) 6. Business Process Evaluation and Risk Management (15%)

  36. ERM Defined: “… a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.” Source: COSO Enterprise Risk Management – Integrated Framework. 2004. COSO. 6. Business Process Evaluation and Risk Management (15%)

  37. Why ERM Is Important Underlying principles: • Every entity, whether for-profit or not, exists to realize value for its stakeholders. • Value is created, preserved, or eroded by management decisions in all activities, from setting strategy to operating the enterprise day-to-day. 6. Business Process Evaluation and Risk Management (15%)

  38. Why ERM Is Important ERM supports value creation by enabling management to: • Deal effectively with potential future events that create uncertainty. • Respond in a manner that reduces the likelihood of downside outcomes and increases the upside. 6. Business Process Evaluation and Risk Management (15%)

  39. Enterprise Risk Management — Integrated Framework This COSO ERM framework defines essential components, suggests a common language, and provides clear direction and guidance for enterprise risk management. 6. Business Process Evaluation and Risk Management (15%)

  40. The ERM Framework Entity objectives can be viewed in the context of four categories: • Strategic • Operations • Reporting • Compliance 6. Business Process Evaluation and Risk Management (15%)

  41. The ERM Framework ERM considers activities at all levels of the organization: • Enterprise-level • Division or subsidiary • Business unit processes 6. Business Process Evaluation and Risk Management (15%)

  42. The ERM Framework Enterprise risk managementrequires an entity to take a portfolio view of risk. 6. Business Process Evaluation and Risk Management (15%)

  43. The ERM Framework • Management considers how individual risks interrelate. • Management develops a portfolio view from two perspectives: - Business unit level - Entity level 6. Business Process Evaluation and Risk Management (15%)

  44. The ERM Framework The eight components of the framework are interrelated … 6. Business Process Evaluation and Risk Management (15%)

  45. Internal Environment • Establishes a philosophy regarding risk management. It recognizes that unexpected as well as expected events may occur. • Establishes the entity’s risk culture. • Considers all other aspects of how the organization’s actions may affect its risk culture. 6. Business Process Evaluation and Risk Management (15%)

  46. Objective Setting • Is applied when management considers risks strategy in the setting of objectives. • Forms the risk appetite of the entity — a high-level view of how much risk management and the board are willing to accept. • Risk tolerance, the acceptable level of variation around objectives, is aligned with risk appetite. 6. Business Process Evaluation and Risk Management (15%)

  47. Event Identification • Differentiates risks and opportunities. • Events that may have a negative impact represent risks. • Events that may have a positive impact represent natural offsets (opportunities), which management channels back to strategy setting. 6. Business Process Evaluation and Risk Management (15%)

  48. Event Identification Involves identifying those incidents, occurring internally or externally, that could affect strategy and achievement of objectives. Addresses how internal and external factors combine and interact to influence the risk profile. 6. Business Process Evaluation and Risk Management (15%)

  49. Risk Assessment • Allows an entity to understand the extent to which potential events might impact objectives. • Assesses risks from two perspectives: - Likelihood - Impact • Is used to assess risks and is normally also used to measure the related objectives. 6. Business Process Evaluation and Risk Management (15%)

  50. Risk Assessment Employs a combination of both qualitative and quantitative risk assessment methodologies. Relates time horizons to objective horizons. Assesses risk on both an inherent and a residual basis. 6. Business Process Evaluation and Risk Management (15%)

More Related