Presentation is loading. Please wait.

Presentation is loading. Please wait.

November 30 th 2012, San Francisco. 7:45 -8:15 amRegistration and Breakfast 8:15 -8:20 amWelcome and Introductions Ed Byers, (Deloitte), Farhan Zahid,

Similar presentations

Presentation on theme: "November 30 th 2012, San Francisco. 7:45 -8:15 amRegistration and Breakfast 8:15 -8:20 amWelcome and Introductions Ed Byers, (Deloitte), Farhan Zahid,"— Presentation transcript:

1 November 30 th 2012, San Francisco

2 7:45 -8:15 amRegistration and Breakfast 8:15 -8:20 amWelcome and Introductions Ed Byers, (Deloitte), Farhan Zahid, (Deloitte) 8:20 -9:00 amEmerging Hot Issues  Security and Privacy – Husam Brohi, Michael Corey (PWC)  Vendor Compliance – Byron Tatsumi, (KPMG) 09:00 -09:50 amLeveraging Data Analytics to Enhance Your Internal Audit Function Dawei Qu, (BlueShield of California), Dale Livezey (Deloitte) 9:50 -10:10 am BREAK 10:10 -11:30 amEnterprise Risk Management and Impact to Your Audit Plan CAE Panel Discussion led by Shawn Kirshner (Accretive Solutions)

3 11:30 -12:20 pmRisks in Social Media Anna Tchernina, Willis Kao (Deloitte) 12:20 -1:20 pm GOURMET LUNCH (provided) 1:20 -2:10 pm Fraud Risk Management – The Things You Need To Know Paul Ritchie, (Deloitte) 2:10 – 3:00 pm Top 10 IT Internal Audit Risks Michael Juergens (Deloitte) 3:00 – 3:20 pm BREAK 3:20 – 4:40 pm Understanding Your Auditee – How to Communicate More Effectively Group Setting Howie Cumme (URS) Ed Byers, (Deloitte) Farhan Zahid (Deloitte)

4 Ed Byers, (Deloitte) Farhan Zahid, (Deloitte)

5  Logistics – Fire Exits and Restrooms  Breaks and Lunch  Phone calls  Questions and Answers

6 08:20 – 09:00 Various Presenters

7 08:20 – 08:40 Security and Privacy Husam Brohi, PWC Michael Corey, PWC 08:40 – 09:00 Vendor Compliance Byron Tatsumi, KPMG

8 Fortifying your defenses The role of internal audit in assuring data security and privacy

9 PwC CEOs/Boards are no longer ignoring Information and Technology (I&T) Risks I&T Risk is an enterprise-wide issue. Specific types of risks organizations are facing include: Connected IT infrastructure exists in an environment that is increasingly under threat against unauthorized access or disclosure of sensitive data and attacks originating from cyber-criminal groups and hackers. Increase in Privacy and Security regulatory mandates in recent years, as well as expected changes in upcoming years. Boards are no longer willing to accept the risk that technology can pose to the business. Growing demand by business leaders to understand how security integrates with privacy (“what” data is sensitive to the business) and security (“how” they protect the data deemed sensitive). Increase in threats and vulnerabilities to sensitive data and corporate assets. Businesses continue to struggle to maintain accountability to their stakeholders and establish effective strategies and standards for security risk management and privacy control activities. 9

10 PwC Change and Complexity is Right Around the Corner Security and Privacy Hot Topics: Balancing Business Enablers vs Business Risks 10 Organizations looking to improve privacy management in the event of a breach have to continually plan and prepare. Organizations in all industries are under increased scrutiny by regulatory governance bodies. While risks associated with third parties and cloud computing continue to increase, many companies are less prepared to defend their data. Privacy and Data Loss Prevention Regulatory Compliance Third Parties and Cloud Computing Companies need to stay informed about the constantly changing threat environment, processes to identify potential vulnerabilities, and processes to resolve potential exposures. Mobile platforms, social media, and accelerated product life cycles are just the latest contributors to risk of an enterprise. The cyber threat landscape continues to yield an increasingly sophisticated underworld of criminals. Companies need to remain prepared for such cyber crises. Mobility and Social Media Technical threats and vulnerabilities Cyber Crime

11 PwC Stakeholders want focus in all critical risk areas Risk areas in which stakeholders and CAEs want/plan to add IA capabilities 11

12 PwC Acting today to protect data: The critical role of internal audit 12 What the audit committee should expect of internal audit  In the risk assessment report that it presents to the audit committee, internal audit should highlight the organization’s significant data security and privacy risks, including any new risks. Further, it should identify weaknesses in policies and controls.  Because the nature of information security risks is evolving continuously, internal audit functions need to stay ahead of the threat curve. stay plugged in to emerging security threats, and practices for protecting against them.  Internal audit’s role in ensuring that information security threats are properly considered becomes especially important when a company is ready to roll out a new business process, product or information system.  Internal Audit must also keep its ear to the ground and move quickly to conduct special audits for new information security threats, which some executives consider as important as regularly scheduled audits 1 2 3 Strengthen the Annual Risk Assessment to be relevant Having the right people Stay vigilant on key or triggering events

13 PwC Overcoming the barriers to internal audit playing an effective role Effective data privacy and security measures are not easy to effect. In fact, we commonly find four barriers in organizations that try to adopt them. 13 Exposures are changing constantly, policies and controls need to change alongside them. A mindset that believes adequate controls are already in place. 1 Implement cost/benefit analysis in risk assessment to assesses potential damage of various types of security breach. Cost. Achieving and maintaining effective information security can cost significant money and effort. 2 Hiring & training staff to be top of their game in this arena and/or outsourcing as needed to experts that have technical skills Low expectations. Internal Audit not viewed as capable of assessing complex security and privacy topics. 3 Establish responsibility and accountability. Define and assign a single point of responsibility for information security. Fragmented responsibilities. The job of maintaining effective information security controls is often split among many stakeholders 4

14 PwC Thank you… For more information, please contact: Michael Corey 415-505-2482 Husam Brohi 415-205-8068 14


16 16 IIA Conference November 30, 2012 Continuous Audit with Data Analytics

17 17 Speakers Dale Livezey Senior Manager, NorPac Regional Technology Leader Deloitte & Touche LLP Audit and Enterprise Risk Services San Francisco, CA 415-783-4208 Dawei Qu Internal Audit Manager Blue Shield of California Internal Audit Services San Francisco, CA 415-229-6604

18 18 Benefits of Data Analysis Type of Data Analysis Ad hoc query Repetitive Analysis Continuous Auditing Case Study Claims Denials Audit Accounts Payable Audit Agenda

19 19 Benefits of Data Analytics

20 20 More efficient and effective manual testing Assist in root cause analysis Test Validity and accuracy of reports Target and assess specific risk areas Identify control weakness / effectiveness gaps Data Analytics can help in many aspects of business process testing Overall more effective control testing services for our clients Data analysis improves the quality, effectiveness and efficiency of audits Performs 100% recalculations and verification of transactions in a timely and repeatable fashion Compares data from multiple / disparate systems Provides business insights and identifies process improvement opportunities Presents quantifiable results from analysis based on complete population Benefits of Analyzing Data

21 21 Benefits of Analyzing Data ApproachBenefit Profiling and trending Focus on specific areas of risk or interest Provide insights into transactional history and behavior Test internal controls effectiveness Identify hidden relationships between people, organizations and events Customized transactional analysis Geared towards a clients specific business process Reduction in manual testing procedures Perform proactive instead of reactive audits Identify potentially improper or fraudulent transactions Statistical Sample selection and evaluation More efficient and accurate selection procedures Reduces time spent on selections of little or no interest Analyze the full population of transactions instead of a traditional sampling approach Focus on risk! Report re-performance and metric recalculation Validate operational reporting systems and assist in the documentation of current reporting process Reduce manual testing procedures

22 22 Type of Data Analysis

23 23 Computer Aided Audit 1)Ad-Hoc Query: One time based specific analytic query or analysis at a point of time. No intention of repetitive testing Explorative and investigative 2) Repetitive: Periodic analysis of processes from multiple data resources Periodical Seek to improve the efficiency, consistency, and quality of audits

24 24 Continuous Audit 1)Definition: The independent application of automated tools to provide assurance on financial, compliance, strategic and operational data within a company. 2) Nature: Automated Continuous basis – Specified intervals Constantly search for errors, fraud and inefficiencies Advanced analytic tool involved: SAS and ACL 3) Example: Automated A/P review Automated J/E review Operational process review

25 25 What are Companies Doing? 1)25% have CA programs in 2009, compared to 11% in 2006 * 2)Benefits listed by survey participants : Auditors are aware of issues as they occur 100 percent of the population rather than a sample is evaluated Allow to create preventive controls for process owners 3) Challenges listed by survey participants: Implementation takes long Auditors need to have detailed knowledge of the underlying data structures to use the tool correctly Auditors and business owners have to the determine parameters used in the CA program Note: Statistic is based on IIA survey

26 26 Case Study 1 – SAS Medical Claims Denials Analytics Note: Numbers or findings have no meaning beyond being placeholders for the given example

27 27 Steps 1)Audit Planning 2) Data Readiness 3) Data Analysis 4) Risk based Sampling 5) Substantive Testing 6) Communication of Results

28 28 Audit Planning 1)Establish Testing Period: Jan to June of 2012 2) Determine Scope: all medical claims denied from Jan to June of 2012 3)Determine Frequency: quarterly 4) Define Audit Objective: Ensure claims were appropriately denied as per provider contract, member benefit and regulation 5) Select Audit Methodology: Perform data analysis to identify high risk denial areas Perform risk based sampling and substantive testing 6) Know your Deliverables: An excel based deck to present data analysis results An audit report to communicate findings of substantive testing

29 29 Data Readiness 1)Request Data: Pull data directly from corporate data marts Work with IT to extract relative data 2) Data Reconciliation Control total Key fields (numeric fields) tie-out 3)Data Quality Test Duplicate records Missing values of key fields Invalid value of key fields. For example, billed date of 01/32/2012; negative co-pay/deductable amount

30 30 Data Analysis Steps 1)Research the relative areas of high risks by partnering with business owners Measurement of compliance risk: system days per claim Measurement of operational risk:  locations per claim  denial ratio at provider level Measurement of financial risk: billed amount /claim 2)Design the profiling tests in relation to specific risks Determine the list of tests Map test to risk(s) 3)Develop testing routines in SAS 4)Review the data analysis results with business owners

31 31 Data Analysis – Profiling Tests 1)Population overview 2)Trend analysis of denial rate 3)Trend analysis of system date 4)Dollar stratification 5)Location count stratification 6)Profiling of providers (hospitals) 7)Profiling of explanation of benefit (EOB) codes

32 32 Data Analysis - RPM

33 33 Population Overview  The average billed amount for denied claims is significant higher than paid claims  Denied claims take longer to process compared to paid claim  Denied claims go through more locations to complete

34 34 Trend Analysis – Denial Rate  Facility (hospital) denial rate is significantly higher compared to overall average  Denial rate in May 2012 is high driven by the higher denial rate of facility claims

35 35 Trend Analysis – System Day  Manual claims take longer by the processing system to reject or pay.  Correlation exists between denial rate and manual system days in May  May population is worth to look into

36 36 Stratification  Yellow strata subjects to risk based sampling while purple might need drill down  Auditors may design strata according to relative limit approval controls Dollar Stratification Stratification on location

37 37 Profiling on Hospitals  The denial rate for top providers is significantly high compared the average (20%)  Provider #2 has a high denial rate in May  Hospitals #1, #2 and #5 are trending up on denial rate

38 38 Profiling on Explanation of Benefit  11% blank EOB is noted  This break-out can be compared against the industry benchmark to analyze the space of improvement

39 39 Profiling and Sampling Process Flow

40 40 Risk Based Sampling - Selections 1)Risk score is calculated for each claim 2) Total risk score is the sum of risk weight for each failed / hit profiling tests 3)Samples were selected from the claims with higher risk scores 4)Auditors professional judgment plays an important role on finalizing samples 5)Average number of risks tested per sample is 5.56

41 41 Communication of Findings Finding 1: During the data analysis, Internal Audit noted that 11% denied claims do not have explanation of benefit (EOB) codes. This was a result of an incorrect field mapping between the claims processing system and Claims data mart. Finding 2: During the data analysis and the subsequent detail testing, Internal Audit noted that the denial rate for hospital #2 in May is significant higher than other periods and other hospitals. This was a result of an insufficient communication on the changed provider contracts.

42 42 Case Study 2 – Accounts Payable

43 43 Agenda Final Assessment Project Snapshot Roles and Responsibilities Purpose and Scope

44  Internal Audit engaged Deloitte to help proof of concept  Account Payable  FCPA  Expenses Purpose and Scope Deloitte understands that the Company’s objectives for this engagement are:  Assist with developing ACL scripts, to serve as queries for use by limited members of various business units, as part of routine management oversight.  Obtain results of profiling analytics specifically on procurement and expense data provided by the Company.  Execute sample profiling scripts, as a test case, to assist with FCPA (Foreign Corrupt Privacy Act) related controls.  Assess the applicability of scripts executed, and determination of additional scripts to be considered for future development in the Procurement Cycle.

45 Project Snapshot Accounts Payable– List of Analytics performed  Vendor Analyses: Vendor Master Check Valid Vendor Analysis Vendors with PO Box Addresses Duplicate Vendor Analysis One Time Vendor  Invoice Analyses: Duplicate Invoices Payment Date vs. Invoice Date Analysis Benford Analysis  Disbursement Analyses: Payments to Vendors not in Vendor Master or Unauthorized/Restricted Payee Name / Vendor Name Mismatch Duplicate Disbursements Benford Analysis

46 Project Snapshot Accounts Payable – Continued…. Analytics - VENDOR MASTER CHECK

47 Project Snapshot Accounts Payable – Continued…. Analytics – Duplicate Vendors

48 Project Snapshot Accounts Payable – Continued…. Analytics – PAYMENT DATE VS. INVOICE DATE

49 Project Snapshot Accounts Payable – Continued…. Analytics – DUPLICATE DISBURSEMENTS

50 Project Snapshot Expense Report – List of Analytics performed  Line items flagged as “Policy Violation”  Expense booked in advance of the actual expense date.  Flight within US above $500  Hotels above $1000  Group Meals above $50  Duplicate Analysis 1 – Combination of Expense date, Expense line amount, Expense type, Employee name and Expense report number  Duplicate Analysis 2 – Combination of Expense date, Expense line amount, Expense type and Employee name  Missing Expense Receipt  Expense over Weekends  Expense over Holidays

51 Project Snapshot Expense Report – Continued…. Analytics - Flight within US above $500

52 Project Snapshot Expense Report – Continued…. Analytics – Duplicate Line Items

53 Project Snapshot Expense Report – Continued…. Analytics – Expenses booked in advance of the actual expense date

54 Project Snapshot FCPA Analytics– List of Analytics performed  Keyword search – Invoice line description  Keyword search – Expense line description  Payment Date vs. Invoice Date Analysis – Run as part of the AP Analytics

55 Project Snapshot FCPA – Continued…. Analytics – Keyword search – Expense line just

56 Final Assessment

57 Continued….

58 58 Questions?

59 09:50 – 10:10

60 10:10 – 11:30 CAE Panel Discussion led by Shawn Kirshner (Accretive Solutions)

61 61 Panel Members Janet Chapman General Auditor, Union Bank Cindy Overmyer SVP, Internal Audit Services, Kaiser Permanente Thierry Dessange Director, IT Audit, Safeway Pat Sammon Head of Audit & Advisory Services, Autodesk Kathy Guthormsen Director of Risk Management, Autodesk

62 Risks in Social Media Social media usage and risks 11:30 – 12:20 Willis Kao, (Deloitte) Anna Tchernina (Deloitte)

63 © 2012 Deloitte Global Services Limited Speaking with you today Willis Kao, Senior Manager 408 718 0566 San Jose Anna Tchernina, Senior Manager 415 254 4722 San Francisco 63

64 © 2012 Deloitte Global Services Limited Agenda 64 Welcome to the world of social business Social media risks deep dive Social media governance and risk management Lessons learned from audits Questions

65 © 2012 Deloitte Global Services Limited Social Media Revolution Video 65

66 © 2012 Deloitte Global Services Limited Welcome to the World of Social Business 66

67 Welcome to the world of social business! People matter most Transparent markets Real-time expectations Pervasive, mobile, cloud computing Big data and invaluable analytics Connected customers & ecosystem Cross-boundary collaboration 67

68 Are you smarter than a 5 th Grader? Do you use (personally) Facebook? LinkedIn? Twitter? Does your Company use - Facebook? LinkedIn? Twitter? Does your Company have a Social Media Policy? Are your employees allowed to use Social Media? 68

69 Social Media Includes Wikis, Social Networks, Blogs, Presence & Microblogging, Online Sharing of Videos & Media, and Social Bookmarking & Tagging.

70 Social media is an umbrella term for a host of sites and technology that facilitate social interaction, sharing, and creation of user-generated content, and aggregation of users’ opinions and recommendations. Common forms of social media Social Media Defined Social mediaDescriptionPopular examples Wikis A page or site designed to enable collaborative contribution and modification of content by users Blogs Short for web log; frequent online publications with commentary on current events, subjects, or one’s personal thoughts Social networking Site focused on building online communities, establishing connections, and providing avenues for social interaction Presence and Microblogging Brief real-time updates of personal commentary, news, or status (aka “Tweets”) Online photo and video sharing Media-centric online communities that facilitate the viewing, sharing, and “tagging,” or classification, of media content Online forums and/review sites Websites/Tools that allow users to search for peer reviews or advice on a product or service, as well as to contribute their own ratings and comments 70

71 Copyright © 2012 Deloitte Development LLC. All rights reserved. 71 Social media benefits Social media challenges Decrease Costs 2 Generate Prospects and Leads (Sales) 1 Increase Loyalty 3 Decrease time to market for new products Increase marketing effectiveness Develop new revenue opportunities Leverage “interest” based marketing & advertising Decrease R&D costs for new products by listening to your customers (and prospects) Focus on inexpensive social media tools instead of using the traditional expensive marketing channels Decrease customer support costs Increase customer insights and intelligence (“Voice of Customer”) Improve customer experience responsiveness Improve customer education, expertise and service Direct contact with the customer instead of indirect through the retail channels Manage Brand Reputation 4 Increase brand awareness through social media Protect brand and manage reputation Benefit from spontaneous reactions from the community by connecting like-minded peers Inconsistent message 2 Loss of Control 1 Confidential Information 3 The voice of the customer is amplified Companies no longer control the message or topic Messages might include negative publicity When engaging several employees in the social media world, their messages and responses may not always be consistent and aligned with the strategy of the company The use of social media sites enables users to circumvent company controls, opening up the potential to violate communication policies Education and training for employees is a key component to managing loss of information Productivity loss 4 Social media drives collaboration among co-workers but can also be a major distraction in the work place

72 Advertising departments Sales and Marketing staff Compliance professionals Internal Audit Risk Management Legal departments Operations and IT staff Recruiting/HR Customer service Senior Management Key departments affected 72

73 © 2012 Deloitte Global Services Limited Social media risks – deep dive 73

74 © 2012 Deloitte Global Services Limited Social Media usage presents behavioral, application and technology related risks. The risk landscape is vast and continuously evolving Anticipated Risks Legal & regulatory compliance Disclosure of confidential information Violation of copyright laws Protection of intellectual property rights Legal and financial ramifications for non- compliance with industry regulations Security & Privacy Identity theft, Social engineering Ability to retain and log social media communication; data retention Technical exploits: Malware, Viruses/Worms, Flash Vulnerabilities, XML injection Brand and reputation damage Posting unfavorable or confidential information on a public site Unclear behavioral expectation of end users to use social media Defamation, Copyright infringement Productivity loss Use of social media can be a distraction i.e. employees accessing non-work related social media sites Acceptable use of social media Social Media Risk Landscape 74

75 Malware and viruses Data leakage/theft “Owned” systems (zombies) System downtime Resources required to clean systems Brand hijacking Customer backlash/adverse legal actions Exposure of customer information Reputational damage Targeted phishing attacks on customers or employees Lack of control over content Enterprise’s loss of control/legal rights of information posted to the social media sites Customer service dissatisfaction Customer dissatisfaction with the responsiveness received in this arena, leading to potential reputational damage for the enterprise and customer retention issues. Social Media Risk Deep Dive 75

76 Record retention non-compliance Regulatory sanctions and fines Adverse legal actions Other threats and vulnerabilities…. Use of personal accounts to communicate work-related information Employee posting of pictures or information that link them to the enterprise Excessive employee use of social media in the workplace Employee access to social media via enterprise-supplied mobile devices Social Media Risk Deep Dive – Continued 76

77 © 2012 Deloitte Global Services Limited Social media governance and risk management 77

78 © 2012 Deloitte Global Services Limited Social Media Governance and Risk Management Strategy: Review the social media strategy, program goals, and organization model and assess whether these have been formalized and communicated to all relevant teams. Evaluate the alignment of the strategy with company goals. Policy: Review the social media policy and confirm that elements related to disclosure, ethics, community and privacy are included. Identify gaps and test awareness of the policy. Roadmap: Assess the adequacy of the social media roadmap, including whether it is global, or localized and whether short-term and long-term program milestones have been defined. Team Structure: Assess whether the roles of key owners and stakeholders in the social media program have been defined and clearly communicated (e.g. executive sponsorship, communications / PR, employees, Legal, IT, etc). 78

79 © 2012 Deloitte Global Services Limited Preparedness and Response Customer Profiles and Market Analyses: Review customer profile and market analyses and evaluate whether all products are covered, the appropriate target customers have been identified, including the desired relationship and engagement model. Tools and Analytics: Understand how customer interactions via social media are integrated with existing systems and databases. Assess whether formal alerting tools have been implemented to identify key topics, comments, commentators, and sentiment from website activity. Evaluate KPIs and metrics against best practices and alignment of metrics with the social media strategy. Processes: Test the policies and procedures that have been implemented to ensure that messaging is consistent with the social media strategy / plan Review and test policies, processes and procedures used for triage, crisis response, intake and response to customer insights. Understand how customer insights are monitored, tracked, and shared with relevant teams (product marketing, R&D, Support, etc) for resolution. 79

80 © 2012 Deloitte Global Services Limited Training and Education / Compliance Training and Education Evaluate the types of training programs implemented to share best practices and rules of the road within the social media team Understand how social media best practices are shared cross functionally with other functions in the organization, such as recruiting, sales, product, etc. Monitoring and Compliance: Understand whether compliance with the social media policy is monitored both internally and externally Perform procedures to test compliance with the social media policy internally and externally 80

81 © 2012 Deloitte Global Services Limited Lessons Learned from Recent Audits Crisis Management Plan Monitoring processes Bloggers disclosers Data leakage protection 81

82 It is here and it’s not going away There may be substantial business benefits with using social media to achieve business objectives As with any opportunity there is risk Bottom line 82

83 © 2012 Deloitte Global Services Limited Questions? 83

84 12:20 – 13:20

85 1:20 – 2:10 Paul Ritchie, Deloitte

86  What is Fraud and Why is it an Important Concern?  The Profile of a Fraudster  Fraud Risk Assessment, Schemes and Red Flags  Responding to Indicators of Fraud


88  As defined by the Institute of Internal Auditors: “Any illegal acts characterized by deceit, concealment or violation of trust. These acts are not dependent upon the application of threat of violence or of physical force. Frauds are perpetrated by parties and organizations to obtain money, property or services; to avoid payment or loss of services; or to secure personal or business advantage.”

89  Internal: illegal acts of employees, managers and executives against the company  External: illegal acts of outsiders (non-employees) against a company  The activity: ◦ Is clandestine ◦ Violates the perpetrator’s fiduciary duties to the victim organization ◦ Is committed for the purpose of direct or indirect financial benefit to the perpetrator ◦ Costs the employing organization assets, revenue or reserves

90 Source: ACFE 2012 Report to the Nation on Occupational Fraud and Abuse.





95  Legal duty of care to shareholders  Statutory/regulatory requirements (SOX, SEC, FCPA, and Federal Sentencing Guidelines)  Direct financial impact to the organization  Indirect costs to the organization

96 A $250,000 fraud loss... XYZ Company Profit margin = 10% 0 500,000 1,000,000 1,500,000 2,000,000 2,500,000 Fraud Loss Revenue Fraud LossRevenue... will require an additional $2.5 million in revenue to maintain net income levels


98 Statistics from the 2012 ACFE Report to the Nation on Fraud


100  Long-time employee  Position of trust  Appears to be extremely dedicated  Unexplained cash or other wealth  Always willing to help out and put in extra hours

101  Gambler  Drug or alcohol problem  Behavioral changes  Extramarital affairs  Hostility to management  General disenchantment with compensation

102 Statistics from the 2012 ACFE Report to the Nation on Fraud

103  Direct correlation between length of time employed and size of fraud losses  Employees with 10 or more years of tenure caused median fraud losses of $229,000  Employees with less than one year of tenure caused median fraud losses of $25,000 Statistics from the 2012 ACFE Report to the Nation on Fraud

104  Male perpetrators accounted for 65% of cases with median fraud losses of $200,000  Female perpetrators accounted for 35% of cases with median fraud losses of $91,000 Statistics from the 2012 ACFE Report to the Nation on Fraud

105 10% of the Population: Would never engage in illegal conduct. 80% of the Population: Might engage in illegal conduct. 10% of the Population: Deviants and always on the lookout to cheat, steal, etc. (regardless of profession).

106  Overloading.  Attaching false time frames.  Taking advantage of perceived fears.  Killing time with trivia.  Exploiting expected scopes.  Exploiting historically low-risk areas. Statistics from the 2012 ACFE Report to the Nation on Fraud Exploiting complex areas. Predicting cycle audits. Stalling. Making staff unavailable. Filtering of information. Not updating procedures. Discrediting the auditor.

107  Maintain an attitude of professional skepticism  Investigate what does not make sense  If it seems to good to be true, it usually is – trust your instincts  Beware of trust over reason  Avoid placing faith in other people’s faith ◦ Verify and corroborate  Good interviewing and observation skills are key  Look for signs of deceptive behavior  Do not ignore information or data


109 The plan should be: ◦ Dynamic/Flexible. ◦ Comprehensive/Complete.  It integrates fraud risk assessment, appropriate cycle rotations, and management insight.  It directs resources to areas with highest risk.

110 1. Evaluate Fraud Risk Factors 3. Analyze Fraud Risks and Schemes and Evaluate Mitigating Controls 4. Evaluate Fraud Risk Assessment Results and Prioritize Residual Fraud Risks 2. Identify Possible Fraud Schemes and Scenarios

111 Color By Numbers ApproachCreativity and Thought Approach

112 Is systematic and recurring. Is dynamic and is updated when new or unique circumstances arise (e.g., changed operating environments, restructurings, acquisitions), at least annually. Is performed with the involvement of appropriate personnel. Considers possible internal and external fraud schemes and scenarios. Considers management override (e.g., journal entries, bias of estimates, non-routine transactions). Assesses risk at organization-wide, significant business unit, and significant account levels. Consider historical fraud or industry fraud risks. Results are monitored by the Audit Committee/Board.

113  Where is the potential for fraud (according to interview results and survey responses)  Areas where fraud has been detected  Manual and complex processes.  Timing to register transactions  Process involving cash management  Unclear – who reviews and who approves  Lack of controls – or knowledge of procedures

114  Think like a fraudster.  Facilitate a control self assessment.  Use information gathering techniques.  Communicate and build rapport.  All segments of an audit are connected.  Use an unpredictable and flexible audit approach.  Perform and understand data analytics.  Don’t lead the interviewee.  Pay attention to the details.


116  Deceptive behaviors ◦ Verbal or Non-Verbal  Remember: ◦ Disregard isolated and/or individual behaviors

117 Adjusting AttireFleeing Position Wiping Sweat Hand Wringing Scratching Covering Eyes and Face Biting Lip Crossing the Arms

118 Character Testimony Making Excuses Repetition of Oaths Answering with a Question Repeating Questions Overuse of Respect Selective Memory Changing Speech Patterns


120 Internal auditors must have sufficient knowledge to evaluate the risk of fraud and the manner in which it is managed by the organization, but are not expected to have the expertise of a person whose primary responsibility is detecting and investigating fraud. Source: The Institute of Internal Auditors International Standards for the Professional Practice of Internal Auditing (

121  Expand sample, expand scope, or perform additional procedures. Look for additional instances or patterns.  Ask additional questions framed in the context of the internal audit (e.g., how could a situation like this occur?).  Maintain copies of documents and data files that support the red flags and symptoms of fraud.  When possible, maintain originals of documents.  Any indication of potential perpetrators?  Cease audit work if there appears to be a predication for suspecting fraud.

122 Forensic Investigation Audit Mindset All cases may end in litigation Professional Skepticism Frequency Non-recurring; random Recurring; scheduled Approach No management planning session Limited notification Meet with management to plan and scope the audit Relationship Potentially adversarial Professional skepticism Scope Document examination of particular issue; Review of outside data, interviews of potential persons of interest. Analysis of financial statements and/or other financial data; Interviews with management. Work Programs Programs developed and amended as needed Audit programs “Employer” Client’s Attorney, In-House Counsel, Special Committee Audit Committee/Client Management Objective Identify responsible parties; Quantify damages Issue an opinion on the client’s financial statements and related disclosures Report Audience Report is presented to counsel Opinions used by Board of Directors/Audit Committee/Shareholders/Public

123  Standardized response.  Consistent approach.  Clarified roles and responsibilities.  Internal and external reporting responsibilities.  Process for consensus and agreement.

124 Paul Ritchie Senior Manager, Deloitte Forensic Deloitte Financial Advisory Services LLP Tel. 415-783-6474

125 2:10 – 3:00pm Michael Juergens Deloitte & Touche LLP

126  IT controls continue to increase in importance to organizations ◦ Corporate reliance on technology increases ◦ Compliance requirements increase  Deficiencies in IT controls can have a significant impact on the organization

127 Where We Have Been Where We Need To Be

128  By no means a comprehensive list  Will vary by environment ◦ May be greater/lesser risk depending on industry, technology, business processes etc.  This list is based on what we see in the marketplace  Designed to get you thinking about your environments and if currently scheduled IT audit procedures will evaluate these risks  List is in no particular order

129 Issue Traditional “bricks and mortar” channels are merging with e-commerce channels to create a single integrated approach to sales. Risk  Failure to evolve could impact long term enterprise viability  Will change sales approach and systems  Large integration and master data concerns Recommendation Understand current and planned changes to sales channels. Determine impact on systems, specific transactions processed, accounts impacted, and master data. Evaluate risk and then plan and execute audit procedures accordingly.

130 Issue As of October 2011, the SEC now requires public companies to disclose the risk of cyber incidents as part of Management’s Discussion and Analysis if "these issues are among the most significant factors that make an investment in the company speculative or risky." Risk  Failure to comply with SEC reporting requirements  Exposure to potential shareholder litigation if requirement not met  Audit Committee exposure Recommendation Challenge is that the reporting requirement lacks specificity. Organizations must determine what to report, if anything. Therefore, organizations must have a process for identifying exposures, evaluating impact, and then reporting and disclosing appropriately. IT audit should perform an assessment of this process to determine if it exists, and how comprehensive it is. Additional steps should be taken to evaluate how effective the process is.

131 Issue Software licensing contracts are complicated, and software lifecycles are complex. Economic downturn has caused software vendors to aggressively pursue licensing audits. Risk  Potential significant financial liabilities in case of an audit  Loss of potential savings  Failure to “sunset” unused applications Recommendation Perform a software asset management (SAM) audit. Consider use of International Organization for Standardization (ISO) and Information Technology Information Library (ITIL) SAM standards. Audit should include evaluating the process for SAM, review of contracts and software license baselines, and analysis of non-essential software and patch deployment.

132 Issue Emerging methods of payment processing (ISIS, GoogleWallet, PayPal). Risk  Failure to adopt impacts potential revenue  Impact on revenue cycle processes, systems and controls Recommendation Determine what changes are planned or underway to adopting new payment processing technologies. Determine impact on financial systems and processes (e.g. sales audit). Evaluate integration management. Identify new security and controls considerations and execute audit steps accordingly.

133 Issue Adoption of heterogeneous cloud solutions creates significant issues with management and integration of processes and data, as well as leads to the need for deployment of additional management solutions. Risk  Master data proliferation and management  Disparate cloud solutions impact business processes  Security management becomes much more complex e.g. Security Assertion Markup Language (SAML), OpenID  Need for effective service lifecycle management increases Recommendation Understand current and planned cloud services grid, and specific business control points, integration and workflow. Understand security management strategy, and deployment of new technologies/standards. Determine process and data risk and identify/test controls. Evaluate Service Organization Control (SOC) reports for vendors.

134 Issue 2011 saw the emergence of new regulations and legislation for records management and data retention. Regulators have significantly increased their scrutiny of the data lifecycle space. Risk  Large potential financial penalties for non-compliance  Impact on brand  Impact on customers and vendors Recommendation Gain an understanding of how DLM is operationalized throughout the organization, DLM awareness levels and how DLM compliance is achieved. Evaluate the organization’s DLM capability maturity and identify compliance gaps related to the DLM governance structure, policies, processes and procedures

135 Issue Significant increase in evaluation of spreadsheets and other end user computing solutions by auditors and regulators. Additional regulations promulgated (e.g. Solvency II). Uncontrolled EUCs still impacting financial statements and business operations. Risk  Loss of critical data  Potentially inaccurate financial or management reporting  Exposure to regulatory sanctions or fines Recommendation Perform an extensive EUC audit. Evaluate criteria such as criticality determination, governance model, and use of technical accelerators. Audits should also evaluate programming structure. A policy-based audit and/or access based audit is likely insufficient.

136 Issue IT Governance continues to play a large role in aligning the proliferation and use of technology with organizational objectives. Also, Institute of Internal Auditors (IIA) Standard 2210.A2 states: “The internal audit activity must assess whether the information technology governance of the organization sustains and supports the organization’s strategies and objectives. Risk  Noncompliance with IIA standards  Potential misalignment of IT resources with organization strategy Recommendation Assess capabilities across IT governance capabilities: Strategic Alignment, Risk Management, Value Delivery, Performance Management and Resource Management. Establish a baseline of understanding regarding current capabilities and maturity level of IT governance processes.

137 Issue Deployment of emerging technologies and unification of internal/external systems creates significant identity sprawl, and difficulties managing across platforms, applications and networks. To be efficient and compliant, federated identities are emerging. Our IT access audits and analysis are becoming more reliant on review-based controls. Risk  Unauthorized access to data or transactions  Regulatory fines or litigation  Brand impact Recommendation Understand corporate security perspective on identity management. Inventory systems, devices and technologies currently deployed or planned (consider external sources as well). Evaluate strategy and technical solutions for managing digital identity. Perform a detailed audit of critical technologies and controls.

138 Issue Proliferation of cheap 3D printing technology makes it possible to easily duplicate certain consumer products Risk  Loss of sales, market share  Impact on brand Recommendation Understand current product mix; identify products susceptible to duplication (small, higher value items are typical). Understand security and controls around schematics. Peruse pirate sites to identify proliferation of schematics. Consult with loss prevention teams to understand approach to managing remote duplication.

139  Need to understand which items may be relevant in your business and technical environment  Ensure that risk assessment and audit universe address relevant items  Don’t walk the plank alone – communicate with management and the audit committee  Plan resource requirements ◦ Be careful not to underestimate


141 Michael Juergens Principal, Deloitte & Touche LLP 213-688-5338 juergens/2/221/988


143 2:40 – 3:00

144 3:20 – 4:40 Group Setting Howie Cumme, URS Ed Byers, Deloitte Farhan Zahid, Deloitte

145  Agenda and Introduction  First Impressions  Building Trust  Personality Analysis – DISC Profiles  Getting The Truth  Navigating Politics  Wrapping Up

146  Interactive Session  Better understanding of yourself and human interactions  Building attraction and trust  Adapting to the situation  Challenging situations – tips and tricks


148  How many seconds to form a first impression?  1/10 th of second, 7 seconds, 12 seconds  All the correlations between judgments made after a 1/10-second glimpse and judgments made without time constraints were high, but of all the traits, trustworthiness was the one with the highest correlation.

149 Logical Complex, Certain Emotional Attachment, Uncertainty Primal Health/Status Reptilian Paleomammalian Neomammalian

150  You need to cater to the brain in the order it evolved Primal, Emotional and then Logical  Health and Appearance - Primal  Behavior and Body Language - Primal  Warmth and Introductions – Emotional  Personality, Professionalism and Preparation - Logical

151  Key to effective communication is to understand the style or method of communication desired by the auditee  The auditee’s behavior style is key!  Ineffective communication typically results when an auditor communicates in THEIR style vs. the AUDITEES desired style

152  The DISC profile is a simple tool to understand your behavior style and how to best work with others (e.g. SPOUSE!)  No behavior style is right/wrong – the key is to understand how to communicate effectively with others

153  Select a word that MOST describes you and a word that LEAST describes you  Put an M/L next to the word – DO NOT put a big “X” for example in the MOST/LEAST column  Use a coin to gently rub the rectangle after the word in the MOST/LEAST columns  Tally up the results in the tally box on page 5  Fill out graphs I, II, and III

154  Each style has its strengths, weaknesses, and needs – a weakness is an “overextension” of a style’s strength  There are typically key success factors in communicating to different styles  Understanding how to “match styles” is important – “evolve” if necessary  Good questions to ask different styles Note: refer to handouts which overviews these four areas

155  How do you communicate if you are presenting to two different styles (e.g. D & C)  Do not assume that all executives are “D’s” and all auditors are “C’s”  How can you assess a person’s behavior style by looking at their office (or other factors)  What have you learnt about yourself?  Key potential next steps

156  Friendliness/Rapport ◦ Warmth ◦ Connection ◦ Assertiveness  Flow of Conversation – Comfort  Professionalism and preparedness  Reassurance/Implications

157  Fear of the consequences  Focus on what you need to know  Professional reassurance – rationalism, unbiased  How to know if you are always getting the truth?  Sweaty palms?  Hesitation?  Avoidance of eye contact?

158 Tough to tell the difference between lies and an honest person under stress Indicators of lying: ◦ Level of detail being provided ◦ Tone of voice, unusual body language ◦ Inconsistency when changing viewpoints ◦ Concealment of anger, distress or fear ◦ Lifting just the inner part of the eyebrow (Distress>85%) ◦ Eyebrows raised and pulled together (Fear) ◦ Narrowed, tightened lips or lopsided smile (Anger) No absolute clues to lying, only indicators.

159  Is it always possible?  Internal and external politics affecting the meeting  Pressures in the room. Possibility of one on one time?  Ask questions again when necessary to each individual

160  “Leave the door open”  Follow up within 24 hours  Be genuine and smile  Finish with something memorable and relaxed



163 November 30 th 2012, San Francisco

Download ppt "November 30 th 2012, San Francisco. 7:45 -8:15 amRegistration and Breakfast 8:15 -8:20 amWelcome and Introductions Ed Byers, (Deloitte), Farhan Zahid,"

Similar presentations

Ads by Google