Fraud Risk Management · Five principles of FRM • One aligned with each of the five components of...

© 2017 Association of Certified Fraud Examiners, Inc.

Fraud Risk Management

Fraud Risk Management—Overview

© 2017 Association of Certified Fraud Examiners, Inc. 2 of 27

Discussion Questions

1. Does your organization follow a specific risk

management model? If so, which one? Do you

think this model adequately addresses the risks

your organization faces? Why or why not?

© 2017 Association of Certified Fraud Examiners, Inc. 3 of 27

Discussion Questions

2. What are some of the risks your organization

faces? Where does the risk of fraud fit into your

organization’s risk hierarchy?

© 2017 Association of Certified Fraud Examiners, Inc. 4 of 27

Discussion Questions

3. Does your organization have a formal risk

management function? If so, are anti-fraud

initiatives integrated into the risk management

initiatives?

© 2017 Association of Certified Fraud Examiners, Inc. 5 of 27

Discussion Questions

4. How does your organization categorize the

risks that are identified in the risk management

process?

© 2017 Association of Certified Fraud Examiners, Inc. 6 of 27

Learning Objectives

▪ Analyze the current state of the risk

management landscape.

▪ Compare different risk management

frameworks.

▪ Recognize what fraud risk is and the factors

that influence it.

▪ Understand the reasons for effectively

managing fraud risk.

▪ Determine who is responsible for managing

fraud risk within an organization.

© 2017 Association of Certified Fraud Examiners, Inc. 7 of 27

Introduction to Risk Management

▪ Risk management

involves:

• Identification of risks

• Prioritization of risks

• Treatment of risks

• Monitoring of risks

© 2017 Association of Certified Fraud Examiners, Inc. 8 of 27

Introduction to Risk Management

▪ Balances risk appetite with the ability to meet

strategic, operational, reporting, and

compliance objectives

▪ Requires a proactive, rather than reactive,

approach

© 2017 Association of Certified Fraud Examiners, Inc. 9 of 27

2016 Report on Current State

of Risk Management Initiatives

▪ Risk management initiatives appear relatively

immature:

• 25% describe their risk management implementation

as “systematic, robust, and repeatable.”

• 40% described their risk management processes as

“very immature” or “developing.”

© 2017 Association of Certified Fraud Examiners, Inc. 10 of 27

2016 Report on Current State

of Risk Management Initiatives

▪ 56% are “minimally” or “not at all” satisfied with

the nature and extent of reporting of key risk

indicators to senior executives.

▪ More than half do not have risk oversight

activities formally assigned to a board

subcommittee.

▪ Boards of directors are placing greater

expectations on management to strengthen risk

oversight.

© 2017 Association of Certified Fraud Examiners, Inc. 11 of 27

Risk Management Frameworks

▪ An entity’s risk management program should be

specifically tailored to its unique needs.

▪ However, the use of a framework can provide

guidance and structure in developing the

program.

© 2017 Association of Certified Fraud Examiners, Inc. 12 of 27

COSO Enterprise Risk Management—

Integrated Framework (2004)

5. Risk response

6. Control activities

7. Information and

communication

8. Monitoring

1. Internal environment

2. Objective setting

3. Event identification

4. Risk assessment

© 2017 Association of Certified Fraud Examiners, Inc. 13 of 27

COSO Enterprise Risk Management—

Integrated Framework (2004)

© 2017 Association of Certified Fraud Examiners, Inc. 14 of 27

COSO Enterprise Risk Management:

2016 Draft Revision

▪ Five interrelated components:

1. Risk governance and culture

2. Risk, strategy, and objective-setting

3. Risk in execution

4. Risk information, communication, and reporting

5. Monitoring enterprise risk management performance

© 2017 Association of Certified Fraud Examiners, Inc. 15 of 27

ISO 31000

▪ Lays out 11 principles of effective risk

management

▪ Provides guidance on developing both a

framework and a process for managing risk that

is based on those principles

© 2017 Association of Certified Fraud Examiners, Inc. 16 of 27

ISO 31000:2009

Risk Management Principles

Creates valueIntegral part of organizational

processes

Part of decision making

Explicitly addresses

uncertainty

Systematic, structured, and

timely

Based on the best available

informationTailored

Takes human and cultural factors

into account

Transparent and inclusive

Dynamic, iterative, and responsive to

change

Facilitates continual

improvement and enhancement

© 2017 Association of Certified Fraud Examiners, Inc. 17 of 27

ISO 31000:2009

(Source: ISO 31000:2009, Risk Management—Principles and Guidelines )

© 2017 Association of Certified Fraud Examiners, Inc. 18 of 27

Choosing a Risk Management Framework

▪ Might start with COSO or ISO framework as is

▪ But should customize to the organization and its

needs based on:

• Organizational structure

• Nature of operations

• Environment(s)

• Size

• Nature of risks

© 2017 Association of Certified Fraud Examiners, Inc. 19 of 27

Fraud Risk Management Guide 2016

▪ Published by COSO in collaboration with ACFE

▪ Five principles of FRM

• One aligned with each of the five components of

internal control

▪ Supported by individual points of focus for each

principle

▪ Not formally linked to COSO ERM 2016D, but

several obvious connections

© 2017 Association of Certified Fraud Examiners, Inc. 20 of 27

IC ↔ FRM ↔ ERM

IC 2013 Component FRM 2016 Principle ERM 2016D Component

Control environment

The organization establishes and communicates a Fraud Risk Management program that demonstrates the expectations of the board of directors and senior management and their commitment to high integrity and ethical values regarding managing fraud risk.

Risk governance and culture

Risk assessment The organization performs comprehensive fraud risk assessments to identify specific fraud schemes and risks, assess their likelihood and significance, evaluate existing fraud control activities, and implement actions to mitigate residual fraud risks.

Risk, strategy and objective-setting

© 2017 Association of Certified Fraud Examiners, Inc. 21 of 27

IC ↔ FRM ↔ ERM

IC 2013 Component FRM 2016 Principle ERM 2016D Component

Control activities The organization selects, develops, and deploys preventive and detective fraud control activities to mitigate the risk of fraud events occurring or not being detected in a timely manner.

Risk in execution

Information & communication

The organization establishes a communication process to obtain information about potential fraud and deploys a coordinate approach to investigation and corrective action to address fraud appropriately and in a timely manner.

Risk information, communication & reporting

© 2017 Association of Certified Fraud Examiners, Inc. 22 of 27

IC ↔ FRM ↔ ERM

IC 2013 Component FRM 2016 Principle ERM 2016D Component

Monitoring activities

The organization selects, develops, and performs ongoing evaluations to ascertain whether each of the five principles of fraud risk management is present and functioning and communicates Fraud Risk Management Program deficiencies in a timely manner to parties responsible for taking corrective action, including senior management and the board of directors.

Monitoring risk management performance

© 2017 Association of Certified Fraud Examiners, Inc. 23 of 27

IC ↔ FRM ↔ ISO 31000

IC 2013 Component

FRM 2016 PrincipleISO 31000

FrameworkISO 31000

Process

Control environment

The organization establishes and communicates a Fraud Risk Management program that demonstrates the expectations of the board of directors and senior management and their commitment to high integrity and ethical values regarding managing fraud risk.

Mandate and

commitment (4.2)

Design of

framework for

managing risk (4.3)

Establish the

context (5.3)

Risk assessment

The organization performs comprehensive fraud risk assessments to identify specific fraud schemes and risks, assess their likelihood and significance, evaluate existing fraud control activities, and implement actions to mitigate residual fraud risks.

Design of

framework for

managing risk (4.3)

Implementing risk

management (4.4)

Risk Assessment

(5.4):

− Identification

− Analysis

− Evaluation

© 2017 Association of Certified Fraud Examiners, Inc. 24 of 27

IC ↔ FRM ↔ ISO 31000

IC 2013 Component

FRM 2016 PrincipleISO 31000

FrameworkISO 31000

Process

Control

activities

The organization selects, develops,

and deploys preventive and detective

fraud controls activities to mitigate the

risk of fraud events occurring or not

being detected in a timely manner.

Implementing risk

management (4.4)

Risk Treatment (5.5)

Information and

communication

The organization establishes a

communication process to obtain

information about potential fraud and

deploys a coordinate approach to

investigation and corrective action to

address fraud appropriately and in a

timely manner.

Implementing risk

management (4.4)

Monitoring and

review of the

framework (4.5)

Communication

and Consultation

Throughout the

Process (5.2)

© 2017 Association of Certified Fraud Examiners, Inc. 25 of 27

IC ↔ FRM ↔ ISO 31000

IC 2013 Component

FRM 2016 PrincipleISO 31000

FrameworkISO 31000

Process

Monitoring

activities

The organization selects, develops, and

performs ongoing evaluations to ascertain

whether each of the five principles of

fraud risk management is present and

functioning and communicates Fraud Risk

Management Program deficiencies in a

timely manner to parties responsible for

taking corrective action, including senior

management and the board of directors.

Monitoring and

review of the

framework (4.5)

Continual

improvement of

the framework

(4.6)

Monitoring and

Review of Controls,

Risks, etc. (5.6)

© 2017 Association of Certified Fraud Examiners, Inc. 26 of 27

IC ↔ ISO 31000

© 2017 Association of Certified Fraud Examiners, Inc. 27 of 27

The Fraud Risk Management Process

Establish a fraud risk management policy as part of organizational

governance.

Perform a comprehensive fraud risk assessment.

Select, develop, and deploy preventive

and detective fraud control activities.

Establish a fraud reporting process and coordinated approach to investigation

and corrective action.

Monitor the fraud risk management process,

report results, and improve the process.

© 2017 Association of Certified Fraud Examiners, Inc. 28 of 27

What Is Fraud Risk?

▪ The vulnerability that an organization has to

those capable of overcoming the three

elements of the fraud triangle

▪ Comes from both internal and external sources

▪ Differs from other risks because fraud, by

definition, entails intentional misconduct

designed to evade detection

© 2017 Association of Certified Fraud Examiners, Inc. 29 of 27

Types of Fraud Risk

▪ Inherent risk—risk present before management

takes action

▪ Residual risk—risk that remains after

management takes action

© 2017 Association of Certified Fraud Examiners, Inc. 30 of 27

Factors Influencing Fraud Risk

▪ The nature of the business

▪ Economic conditions

▪ The operating environment

▪ The ethics and values of the company and its

people

▪ Technology

▪ The legal environment

▪ The effectiveness of internal controls

© 2017 Association of Certified Fraud Examiners, Inc. 31 of 27

Who Is Responsible for

Managing Fraud Risk?

▪ Team responsible for executing, monitoring,

and ensuring success:

• Executive management

• Audit committee

• Investigations group

• Compliance

• Controller’s group

• Internal audit

• IT

• Security

• Legal department

• Human resources

© 2017 Association of Certified Fraud Examiners, Inc. 32 of 27

Who Is Responsible for

Managing Fraud Risk?

▪ The team should have a

designated leader.

▪ Synergy and

communication are keys.