RAISING FRAUD AWARENESS: BEST PRACTICES IN FRAUD RISK ASSESSMENTS


NIDHI RAO, CPA, CFE, CFF, CIA
OCTOBER 12, 2017

FRAUD DETECTION IS AS SIMPLE AS…

DISCUSSION THEMES
- Tales
- Cost
- Risk Assessment

Fraud Myths
- It couldn’t happen to us.
- If something happened, it would be discovered quickly.
- Damage wouldn’t be significant.
- Most people are honest and won’t commit fraud.
- Fraud will be detected by our auditors.

Ripped from the Headlines
- American Indian Charter School II
- Nancy Dobrowski, Ex-Burnham clerk pleads guilty to stealing more than $700,000
- Former Fresno County Employees Accused of Stealing From the Dead

Ripped from the Headlines
- American Indian Charter School II
- Mount Sterling Administrator Joe Johnson sentenced to 10 years in prison for theft in office
- Sedgwick County Victim of Phishing Scheme – loss $566K
- City puts two workers on leave amid fraud inquiry

THE COST OF FRAUD
[Infographic labels: Annual Revenues; 18 Months; $150,000; Median Loss; Indirect Costs]
Source: ACFE’s 2016 Report To The Nations On Occupational Fraud and Abuse. Copyright 2016 by the Association of Certified Fraud Examiners, Inc.

VICTIM ORGANIZATION
[Chart not reproduced]
Source: ACFE’s 2016 Report To The Nations On Occupational Fraud and Abuse

HOW FRAUD IS COMMITTED
[Chart not reproduced]
Source: ACFE’s 2016 Report To The Nations On Occupational Fraud and Abuse

FRAUDS BY CATEGORY
Source: ACFE’s 2016 Report To The Nations On Occupational Fraud and Abuse

DETECTION OF FRAUD SCHEMES
Source: ACFE’s 2016 Report To The Nations On Occupational Fraud and Abuse

Median Loss Based on Presence of Anti-Fraud Controls
VICTIM ORGANIZATIONS
Control | Percent of Cases | Control in Place | Control Not in Place | Percent Reduction
Proactive Data Monitoring/Analysis | 36.7% | $92,000 | $200,000 | 54.0%
Employee Support Programs | 56.1% | $100,000 | $183,000 | 45.4%
Management Review | 64.7% | 50.0%
Code of Conduct | 81.1% | $120,000 | 40.0%
Internal Audit Department | 73.7% | $123,000 | $215,000 | 42.8%
Formal Fraud Risk Assessments | 39.3% | $187,000 | 46.5%
Surprise Audits | 37.8% | $195,000 | 48.7%
External Audit of ICOFR | 67.6% | $105,000 | 47.5%
Fraud Training for Managers/Executives | 51.3% | $190,000 | 47.4%
Hotline | 60.1%
Dedicated Fraud Department, Function or Team | 41.2% | $192,000 | 47.9%
Source: ACFE’s 2016 Report To The Nations On Occupational Fraud and Abuse

Median Duration Based on Presence of Anti-Fraud Controls
VICTIM ORGANIZATIONS
Control | Percent of Cases | Control in Place | Control Not in Place | Percent Reduction
Surprise Audits | 37.8% | 12 Months | 24 Months | 50.0%
Proactive Data Monitoring/Analysis | 36.7%
Dedicated Fraud Department, Function, or Team | 41.2%
Hotline | 60.1%
Formal Fraud Risk Assessments | 39.3%
Management Review | 64.7%
Independent Audit Committee | 62.5%
Internal Audit Department | 73.7%
External Audit of Internal Controls over Financial Reporting | 67.6%
Management Certification of Financial Statements | 71.9%
Code of Conduct | 81.1% | 13 Months | 45.8%
Source: ACFE’s 2016 Report To The Nations On Occupational Fraud and Abuse

VICTIM ORGANIZATIONS
Source: ACFE’s 2016 Report To The Nations On Occupational Fraud and Abuse

Risk Assessment Methodologies – Best Practices Selective Fraud Presentation

12 Points of Focus
- Involve Appropriate Levels of Management – The fraud risk assessment team includes appropriate levels of management.
- Include Entity, Subsidiary, Division, Operating Unit, and Functional Levels – The fraud risk assessment team recognizes that frauds can happen at any level or component of the organization.
- Analyze Internal and External Factors – The fraud risk assessment team considers both internal and external factors and their impact on the achievement of objectives.
- Consider Various Types of Fraud – The fraud risk assessment team considers a wide range of possible fraud schemes and exposures.

12 Points of Focus
- Specifically Consider the Risk of Management Override of Controls – The fraud risk assessment team understands that catastrophic frauds have been perpetrated by senior members of management overriding existing and otherwise effective controls and focuses on these risks.
- Estimate the Likelihood and Significance of Risks Identified – The fraud risk assessment team carefully evaluates the probability that each particular fraud could occur and the potential effects on the organization if that particular fraud occurs.
- Assess Personnel or Departments Involved and All Aspects of the Fraud Triangle – The fraud risk assessment team focuses on incentives and pressures, opportunities, and attitudes and rationalizations to commit fraud.

12 Points of Focus
- Identify Existing Fraud Control Activities and Assess Their Effectiveness – The fraud risk assessment team identifies and evaluates existing controls for effectiveness to determine residual fraud risks that require mitigation.
- Determine How to Respond to Risks – The fraud risk assessment team’s ultimate goal is to formulate effective and appropriate responses to all fraud risks.
- Use Data Analytics Techniques for Fraud Risk Assessment and Fraud Risk Responses – The organization uses data analytics to improve the effectiveness and results of the fraud risk assessment.

12 Points of Focus
- Perform Periodic Reassessments and Assess Changes to Fraud Risk – The organization repeats the risk assessment process periodically and considers changes affecting the organization – including changes in the external environment, operations, personnel, and leadership – that can affect fraud risks.
- Document the Risk Assessment – The organization understands that the risk assessment serves as the central element of the fraud risk management process and ensures that it is carefully and thoroughly documented.

Who Should be Involved?
Considerations in assembling the right team:
- Individuals with diverse knowledge, skills, and perspectives to lead and conduct the assessment
- From multiple functions (consider each step in the risk event cycle)
- Multiple levels (up and down the org chart)
- The team can include both internal and external resources
- Independence
- Expertise in performing assessments

Identifying Risks
Consider:
- Incentives, pressures, and opportunities for fraud/noncompliance
- Risk of management’s override of controls
- Population/listing of risks
- Different methods of perpetrating frauds
- Drivers of risk

Techniques for Identifying and Assessing
Techniques to use:
- Interviews (structured or semi-structured)
- Focus groups/workshops (unstructured or semi-structured)
- Surveys
- Anonymous feedback mechanisms

Questions to Ask
- What financial reporting areas are susceptible to misstatement?
- What operational areas are susceptible to misappropriation of assets?
- Who is in the position to be able to defraud the organization or manipulate the financials?
- Are there any weaknesses in the internal control system that can be exploited?
- How could a perpetrator override or circumvent controls?
- What could a perpetrator do to conceal the fraud?
- Is a process in place to screen new vendors and employees?
- How are related parties identified?
- Are there any red flags of fraud and do the employees know how to identify red flags of fraud?

Internal Control Considerations
- Distinguish preventive vs. detective
- Consider risk of override
- General vs. risk-specific
- Reference specific policy or procedure that supports the control
- Map to specific risk(s)

Internal Control Design and Operation
- Review policies and procedures
- Consider the risk of override
- Interview management and employees
- Observe control activities
- Test samples of transactions for compliance
- Data analytics
- Conduct transaction walk-throughs
- Review previous audit reports including reports on fraud incidents

Assessing Whether Controls are Operating as Designed
If the assessment team does not perform controls testing, it needs to gain an understanding of:
- Timing—When was the last time the relevant controls were formally tested?
- Extent—How many transactions were tested and which attributes of the internal controls were tested?
- Results—Were deviations from expected internal controls discovered?

Keep it Alive!
Assessment
Collect and Monitor
- Implement system for collecting new information and monitoring for signs of changes in risk profile
- At the conclusion of an assessment, implement the mitigation plan
- Update the assessment or prepare a new one

Q & A