INTEGRATING FRAUD INTO YOUR AUDIT PROGRAM
© Fraud Auditing, Inc. Section 1 - Slide 2 01/15/19
TODAY'S AGENDA
• Integrating Fraud Into Your Audit Program
• What is The Fraud Risk Universe
• How to Write a Fraud Risk Statement
• Understanding How Fraud Concealment Impacts Your Audit
• Strategies for Fraud Testing
My goal for today:
• Create the opportunity for discussion
• Help you think about fraud differently
• Answer your questions to the best of my ability
Part 1: What is fraud
Part 2: Fraud risk structure
Part 3: How to write the fraud risk statement
Part 4: Integrating into the audit program
Part 5: Practical exercise
WHAT IS FRAUD FROM A LEGAL PERSPECTIVE
Black's Law Dictionary, Eighth Edition: A knowing misrepresentation of the truth or concealment of a material fact to induce another to act to his or her detriment
Provides definitions of specific types of fraud:
• Civil fraud
• Criminal fraud
• Promissory
• Etc.
WHAT IS FRAUD FROM AN AUDITOR'S PERSPECTIVE
• Acts committed on, by, or for the organization
• Acts are committed by an internal or external source
• Acts are intentional and concealed
• Acts are illegal
• Acts also cause: financial misstatement, policy violation, ethical lapse, or a perception issue
• Acts cause a loss of company funds, company value, or reputation, or any other unauthorized benefit loss (whether received personally or by others)
LOGIC VS EXPERIENCE
You can compute the number of fraud risk statements in your scope with mathematical precision
By understanding permutation fraud analysis:
I may not know what the perpetrator is doing, but I know everything the perpetrator can do!
The goal of logic analysis is twofold:
• Ensure the completeness of your analysis
• Create time for data interpretation
DOES THE AUDITOR UNDERSTAND?
• Threat and vulnerability analysis
• Organization's fraud risk structure
• How to create a comprehensive fraud risk register
• Resources necessary to implement fraud auditing
THREATS, VULNERABILITIES AND FRAUD RISKS
Vulnerabilities: Points in the internal control structure that can be exploited
Threats: Possible danger that someone might exploit a vulnerability in our internal control structure, thereby causing monetary or non-monetary harm
Risk: Threat, probability and business impact
Fraud Risk: An intentional and concealed act which is designed to cause harm to the organization
WHAT IS A VULNERABILITY
• Governance structure or organization
• How and where we conduct business
• Non-compliance with an internal control
• Sophistication of concealment
• Collusion or extortion
• Fraud risk factors
UNDERSTANDING THE PROGRESSION: THE THREE LEVELS
Organization
• Threat and vulnerability assessment
• Assign responsibility
• Primary and secondary fraud categories
Business System
• Fraud risk assessment
• Assess probability
• Inherent schemes
Audit Program
• Fraud risk assessment
• Build audit program
• Fraud risk statement
THE FRAUD RISK UNIVERSE
PRIMARY FRAUD CLASSIFICATION
SECONDARY FRAUD CLASSIFICATION
INHERENT FRAUD SCHEME
FRAUD RISK STATEMENT
FRAUD RISK UNIVERSE
Fraud Risk Structure: Offender and victim; type of fraud or category of fraud
Inherent Scheme: Generic description of a fraud risk. Comprised of an entity and action
Fraud Risk Statement: How the inherent scheme occurs within your business system
FRAUD RISK STATEMENTS
Inherent Fraud Risk
• Generic or high level
• Entity / action
• Easy to understand
Fraud Risk Statement
• Description of a threat facing the organization that has an element of deceit or concealment
• Five components
• Drives the audit program
Fraud Scenario
• How someone would perpetrate a fraud risk statement against your organization
• Five components
• Internal control vulnerability
TYPES OF FRAUD RISK STATEMENTS
• Common to all business systems
• Company specific
• Industry specific
• Unauthorized access
• Internal control inhibitor
FRAUD RISK IDENTIFICATION PROCESS
Offender and Victim
Primary Category
Secondary Category
Inherent Scheme to the Fraud Risk Statement
OFFENDER AND THE VICTIM
• Employee against employer
• Employer against employee
• Employer against government
• Employer against consumer or investing community
• Professional crime groups against companies or government
STARTING POINT FOR THREAT ANALYSIS
PRIMARY FRAUD RISK CATEGORIES
Asset Misappropriation
Corruption / Extortion
Financial Reporting
Revenue Obtained Improperly
Expense Avoidance
Government Regulation Avoidance
Improper Obtain / Loss Information
Computer Fraud
Management Override Concerns
Other Areas
DEFINITIONS OF MAJOR CATEGORIES
Asset misappropriation: application of another's property or money dishonestly to one's own use (source: Black's Law Dictionary)
Corruption: the use of entrusted power for personal gain (source: Transparency International). Conceptually, corruption is a form of behaviour which departs from ethics, morality, tradition, law and civic virtue.
Financial reporting: Financial statement fraud is the process of intentionally misleading the reader of the financial statements. It is the deliberate misrepresentation, misstatement, or omission of financial data to provide the impression that the organization is financially sound.
SECONDARY FRAUD RISK CATEGORIES
Asset Misappropriation
• Theft of monetary funds
• Theft of tangible asset
• Misuse of assets
• Lack of business purpose
• Related party/conflict of interest
• Dispose of asset below FMV
• Acquire asset above FMV
SECONDARY FRAUD RISK CATEGORIES
Financial Reporting
• False transaction
• Improper recognition of transaction
• Improper accounting treatment for class of transactions
• Failure to record or write-off
SECONDARY FRAUD RISK CATEGORIES
Financial Reporting Assertions
Class of transactions or events:
• Occurrence
• Completeness
• Accuracy
• Cutoff
• Classification
SECONDARY FRAUD RISK CATEGORIES
Financial Reporting Assertions
Account balances at year end:
• Evidence
• Rights and obligations
• Completeness
• Valuation and allocation
SECONDARY FRAUD RISK CATEGORIES
Financial Reporting Assertions
Presentation and disclosure:
• Occurrence and rights and obligations
• Completeness
• Classification and understandability
• Accuracy and valuation
INHERENT SCHEME LINKS TO THE AUDIT PROCESS
Fraud Impact
Fraud Conversion
Fraud Concealment
Internal Control
Permutation Analysis
How The Scheme Occurs
Person(s) Committing
Inherent Fraud Scheme
INHERENT FRAUD SCHEMES
Each business system has a finite and predictable list of inherent fraud schemes
Each inherent fraud scheme has a finite and predictable list of fraud permutations
Each inherent fraud scheme permutation creates a finite and predictable list of fraud scenarios
Each inherent fraud scheme has two components:
• Entity
• Action
INHERENT FRAUD SCHEME EXAMPLE: DISBURSEMENT OF FUNDS
False entity: vendor
• False billing: receive no goods or services
• Pass-through billing: receive goods or services
Real entity: vendor
• Over billing: over pay on some aspect or some way
• Disguised expenditure: personal or theft conversion
THE PREDICTABLE PHASE
INHERENT FRAUD SCHEMES
Each inherent scheme links to a person(s) that commit the scheme
• Person committing: Operations manager falsely accepts product with known defect
• Entity: Real vendor that is complicit
• Action: Over billing
Actions may have multiple categories
• Primary category: Overbilling by vendor
• Secondary category: Product substitution
AT WHAT LEVEL SHOULD YOU DESCRIBE THE FRAUD ACTION STATEMENT
• Vendor overbills the company
• Vendor commits product substitution scheme
• Product substitution
• Fitness issue
• Knock off scheme
• Counterfeit
• Manufacturer false label
• Chemical composition
• Country of origin
JUST A DIFFERENT LOOK AT INHERENT SCHEME
Person
Entity: False / Real
Action
How To
JUST A DIFFERENT LOOK AT INHERENT SCHEME
Person: Accounts Payable Manager
Entity: Vendor (False / Real)
Action: Take over identity
How To: Change address
GROUP DISCUSSION
How does the fraud risk structure help the auditor in developing their audit scope?
BUILDING THE FRAUD RISK STATEMENT
Fraud Impact
Fraud Conversion
Fraud Concealment
Internal Control
Permutation Analysis
How The Scheme Occurs
Person(s) Committing
Inherent Fraud Scheme
JUST A REMINDER: THE FRAUD RISK UNIVERSE
PRIMARY FRAUD CLASSIFICATION
SECONDARY FRAUD CLASSIFICATION
INHERENT FRAUD SCHEME
FRAUD RISK STATEMENT
HOW TO BUILD A FRAUD RISK STATEMENT
Customize Merging Business process and permutation analysis
ELEMENTS OF A FRAUD RISK STATEMENT
What are the combinations? Permutation analysis
• Opportunity: person committing
• Entity: Vendor, employee, customer or intangible
  • False: Created or assumed
  • Real: Complicit or not complicit
• Fraud action statement: Primary & secondary
• Impact statement: Monetary or non-monetary
• Fraud conversion statement: How person committing financially benefits from the fraud action statement
ILLUSTRATION OF A FRAUD RISK STATEMENT
SEE PERSON COMMITTING
Budget owner acting alone or in collusion with a direct report / causes a shell company to be set up on the vendor master file / processes a contract and approves a fake invoice for goods or services not received / causing the diversion of company funds
ILLUSTRATION OF A FRAUD RISK STATEMENT
SEE PERSON COMMITTING
Accounts payable acting alone / causes a shell company to be set up on the vendor master file / processes a contract and approves a fake invoice for goods or services not received / causing the diversion of company funds
FRAUD OPPORTUNITY OR PERSON COMMITTING: THE PERSON
THE DRILL DOWN PROCESS
• No internal control
• Via internal controls: job opportunity
  • Direct access
  • Indirect access
  • Other access
• Internal control inhibitors
  • Non performance internal controls
  • System override features
  • Logical collusion
  • Management override
Exploitation
Circumvention
Avoidance
INTERNAL CONTROLS
Internal Control Inhibitor
FRAUD ENTITY: THE DRILL DOWN PROCESS
Entity is defined as:
• Employee
• Customer
• Vendor
• Intangible item
There are two types of entities:
• False entity
• Real entity
FALSE ENTITY: PERMUTATIONS
Created by perpetrator
• Name only
• Legally created
  • Stand alone
  • Embedded with other legal entities
Assumed by perpetrator
• Exists in accounts payable, changes information
• Does not exist in accounts payable, causes vendor to be added to the file
• Occasional take over of vendor identity
• Theft of vendor check, false endorsement
REAL ENTITY: PERMUTATIONS
• Vendor alone
• Vendor is complicit with internal source
• Vendor is complicit with external source
• Vendor is not complicit
• Vendor is extorted
FRAUD ACTION STATEMENT
It is the event that is committed by the person committing the scheme
Starts with the primary and secondary category of fraud
Fraud action must be tailored to the primary and secondary categories
Fraud action must be tailored to the specific account
• Specific accounts may have different transactions
FRAUD ACTION STATEMENT
ANOTHER CONSIDERATION: TRANSACTION TYPES
ILLUSTRATION: What is the impact on the fraud action statement?
• Sales person takes over the identity of a dormant customer with a credit limit
• Sales person takes over the identity of a dormant customer with no credit limit
FRAUD SCENARIO: HOW DOES FRAUD OCCUR IN YOUR COMPANY?
• Starts with the fraud risk statement
• Build the fraud scenario
• Understand the organization's business process
• Understand the internal controls and vulnerabilities
• Brainstorming
• Fraud risk assessment
• Goal: To describe the internal control vulnerabilities that would allow the fraud scenario to occur!
FRAUD RISK STATEMENT LINKS TO THE AUDIT PROGRAM
Report & Conclusions
Fraud Audit Procedure
Fraud Data Analytics
Internal Controls
Fraud Risk Assessment
Audit Objectives
Audit Scope
Fraud Risk Statement
HOW DOES THE PERPETRATOR CONCEAL FRAUD?
Each scheme has typical concealment strategies; but how the strategy is implemented varies
Strategies used to hide the truth:
• False documents
• False representations
• False approvals
• Control inhibitors
• Control avoidance
• Blocking the flow of information
• Below the control “radar”
FRAUD SOPHISTICATION CHART DETECTION OF FRAUD
FRAUD DETECTION BAR
SOPHISTICATION OF CONCEALMENT
Level of sophistication of concealment will vary based on perpetrators’ knowledge and/or pressures
Range of sophistication to conceal
FRAUD CONCEALMENT: MASTER FILE DATA
High Concealment
• Must look at transactions
• No match
Medium Concealment
• Limited linkage between vendor and perpetrator
• Close match
Low Concealment
• Linkage between vendor and perpetrator
• Exact match
FRAUD CONCEALMENT: ILLUSTRATION USING A BANK ACCOUNT NUMBER
High Concealment
• Different bank
• No match
Medium Concealment
• Same bank, different account number
• Close match
Low Concealment
• Same bank and same account number
• Exact match
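The three bank-account outcomes above, written as a master-file test that ranks vendors by their linkage to employee bank details. This is an added example, not part of the original deck; the record layout, identifiers and normalization rule are assumptions, and the sample data is constructed.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class BankDetail:
    owner_id: str   # vendor or employee identifier (constructed)
    bank_code: str  # code identifying the bank (hypothetical field)
    account: str    # account number as keyed into the master file


def _norm(value: str) -> str:
    """Drop separators and leading zeros so formatting alone cannot hide a match.
    Assumption of this example: such differences are keying noise."""
    return re.sub(r"[^0-9A-Za-z]", "", value).upper().lstrip("0")


# Match outcome -> concealment level it indicates, as on the slide.
CONCEALMENT = {"exact": "low", "close": "medium", "none": "high"}
_RANK = {"exact": 2, "close": 1, "none": 0}


def classify(vendor: BankDetail, employee: BankDetail) -> str:
    vb, eb = _norm(vendor.bank_code), _norm(employee.bank_code)
    if not vb or vb != eb:
        return "none"    # different bank: no match
    va, ea = _norm(vendor.account), _norm(employee.account)
    if va and va == ea:
        return "exact"   # same bank and same account number
    return "close"       # same bank, different account number


def link_vendors(vendors, employees):
    """Strongest employee linkage per vendor, strongest first.
    'close' is only a lead (many people share a bank); 'none' is not a
    clearance, it means the transactions have to be examined instead."""
    results = []
    for v in vendors:
        best, who = "none", None
        for e in employees:
            outcome = classify(v, e)
            if _RANK[outcome] > _RANK[best]:
                best, who = outcome, e.owner_id
        results.append({"vendor": v.owner_id, "match": best,
                        "employee": who, "concealment": CONCEALMENT[best]})
    results.sort(key=lambda r: _RANK[r["match"]], reverse=True)
    return results


# Constructed sample master files.
EMPLOYEES = [BankDetail("E10", "bank a", "000123456789"),
             BankDetail("E11", "BANK-B", "5550001")]
VENDORS = [BankDetail("V003", "BANK-C", "9988776"),
           BankDetail("V002", "bank-b", "4440002"),
           BankDetail("V001", "BANK-A", "1234-5678-9")]

if __name__ == "__main__":
    for row in link_vendors(VENDORS, EMPLOYEES):
        print(row)
```
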
FRAUD CONCEALMENT: TRANSACTIONAL FILE DATA
High Concealment
• Relies on auditor's professional experience
• No match
Medium Concealment
• Limited linkage between vendor and perpetrator
• Close match
Low Concealment
• Red flags visible to naked eye
• Exact match
FRAUD RED FLAGS
Condition(s) which:
• can be observed through the audit process
• link to the fraud concealment strategy
Associated with:
• Types of events
  • Data
  • Documents
  • Controls
  • Behaviors
  • Industry
• Sophistication of concealment
RED FLAG PREMISE
• Red flags cause an increased sensitivity to fraud propensity
• Not all red flags hold the same weight as to the fraud propensity
• Weight of the red flag(s) correlates to the predictability of fraud occurrence
CORRELATION OF CONCEALMENT TO RED FLAG
Perpetrator
• How to hide
• Concealment
• Create a false document
Auditor
• How to find
• Red flag
• What does a false document look like
FRAUD CONVERSION: HOW THE PERPETRATOR BENEFITS
• Conversion of funds to the perpetrator
• Embezzlement of company funds
• Theft of company assets
• Kickbacks from vendor or customer
• Selling company asset below FMV
• Disguised third party payments
• Disguised compensation
FRAUD CONVERSION: THE INVESTIGATION PROCESS
Person
The Act
The Money
FRAUD RISK MATRIX
See Fraud Risk Matrix: Separate Hand Out
PRACTICAL EXERCISE
Based on a current audit, write a fraud risk statement using the format described for a ghost employee:
• Person committing
• Type of entity
• Fraud action statement
• Fraud impact
• Fraud conversion
GHOST EMPLOYEE FRAUD RISK STATEMENT
Budget owner or payroll function causes a fictitious person to be set up on the employee master file, the budget owner or payroll submits time and attendance records for the fictitious person causing the diversion of funds.
Budget owner or payroll function causes a real non-complicit employee that terminates employment not to be removed from the payroll for a permanent period of time and the budget owner or payroll submits time and attendance records for the terminated employee and either changes the bank account for direct deposit or diverts the paper check causing the diversion of funds.
NECESSARY SKILLS
Auditing: Fraud
Investigation: Fraud
What is the difference between auditing for fraud and investigating fraud?
COMPARISON OF APPROACHES
Control Test Evidence of
Fraud Test Authenticity of
Investigation Legal
COMPARISON OF APPROACHES (CONTINUED)
Control Test: Internal control / Audit / No fraud known
Investigation: Refute or corroborate / Legal / Alleged fraud
Fraud Test: Uncover fraud / Audit / No fraud alleged
COMPARISON OF APPROACHES (CONTINUED)
Control Test: Test controls / Random and non biased
Investigation: Built around allegation / None
Fraud Test: Authenticity procedure / Focused and biased
ILLUSTRATION OF A FRAUD RISK STATEMENT
Budget owner acting alone or in collusion with a direct report / causes a shell company to be set up on the vendor master file / processes a contract and approves a fake invoice for goods or services not received / causing the diversion of company funds
HOW THE FRAUD SCENARIO DRIVES THE AUDIT PROGRAM
Cause a shell company to be set up on the vendor master file
Process a contract and approve a fake invoice for goods or services not received
Two aspects:
• Sample selection
• Audit test
INTEGRATING FRAUD INTO THE AUDIT PROGRAM
1: Respond to fraud when control assessment suggests
2: Test controls, be aware of red flags
3: Integrate fraud audit procedures into internal audit of internal controls
4: Perform fraud audit
INTEGRATING FRAUD INTO THE AUDIT PROGRAM: THE SAMPLE SELECTION
Test control / Red Flag: Random or Judgment
Fraud Audit Procedure: Random or Judgment
Fraud Audit: Fraud Data Analytics, sample is focused and biased
SAMPLE SELECTION: USING FRAUD DATA ANALYTICS
Scenario
Strategy
Concealment Entity Transaction
Plan
ILLUSTRATION OF FRAUD TESTING
RED FLAG
INTEGRATE
Invoice Number
FRAUD AUDIT
RESPONSE TO THE RED FLAGS: CREATED VENDOR INVOICE
Concealment
• False document: vendor invoice
Red flag
• No telephone #
• No website
• Small business software
• Vague description(s)
• Invoice number
AUDIT PROCEDURE DESIGN TO DETECT FRAUD
Fraud Audit Procedure
• Must be designed for the specific fraud scenario
• Correlation between evidence considered and fraud detection
• Must consider the concealment strategies corresponding to the specific fraud scenario
• Design audit approach based on the mechanics of the fraud scenario and concealment strategy
Discussion Point: Why does the audit procedure need to be specific to the scenario and consider the concealment?
FRAUD AUDIT PROCEDURE
Telephone number: Call the number
Web site: Review web site
Invoice number: Review A/P payment history
Line item description: Line item description
Missing numeric or Alpha
Line item string
Description consistent with web search
FRAUD AUDIT
The full Monty
• Sample is based on fraud data analytics
• Sample is biased and focused solely on the fraud risk statement
• Testing is a fraud audit procedure
PRACTICAL EXAMPLE
Based on the fraud risk statement written for your ghost employee fraud risk statement, what would be the red flags that you could incorporate into your audit program?
Based on the fraud risk statement, what would be your fraud audit procedure?
ILLUSTRATION OF A FRAUD RISK STATEMENT
Budget owner or payroll function / causes a fictitious person to be set up on the employee master file / the budget owner or payroll submits time and attendance records for the fictitious person / causing the diversion of funds