“RAISE THE RED FLAG” · WorldCom Scandal CMS Energy Round Trip Trades 2003 Massive Mutual Fund Fraud HealthSouth indicted on 85 counts of conspiracy Martha Steward Freddie Mac

“RAISE THE RED FLAG”AN AUDITORS WORKING GUIDE TO EVALUATING FOR FRAUD

Lynn Fountain, CGMA, [email protected]

1Copyright 2017 - Lynn Fountain - No duplication

Raise The Red Flag• RaisetheRedFlag combinesprinciplesandtheoriesoffraudpreventionanddetectionwithreal-worldscenariosandhands-onprocedures.

• Whetheryouaredeterminingyourinternalauditdepartment’spreparednesstosupportyourorganization’santi-fraudeffortsorinvestigatingactualallegationsoffraud, RaisetheRedFlag providesvaluabletechniquesandapproachesyoucanputintopracticerightaway.

• Withprofessionalskepticismandaquestioningmind,internalauditorswillknowwhentoraisetheredflag– andwhattodoaboutit

Copyright 2017 - Lynn Fountain - No duplication 2

Introduction• Thetopicoffraudcontinuestobeontheradarofinvestors,shareholders,andregulators.

• RecentfraudsurveybyKrollAdvisoryfoundthattheproportionofcompaniesthatsufferedanincidentwasapproximately75%.

• However,ongoingtechnologicaladvancesinITinfrastructure,newandemergingfraudmethodsarecontinuallybeingidentified.


Introduction• Auditorsarenotexpectedtohavethespecialtyexpertiseofforensicinvestigators.

• Shouldmaintainadequateknowledgeoftheaspectsoffraudandaskepticalmindwhenreviewingpotentialviolations.

• Fraudcontinuestoevolveandauditorsmuststayabreastofitsrootcausesandsuggestedmitigationandinvestigationtechniques.

• WhetheryouarepartofalargeIAorsmallIAgroup,itisimportantforallauditprofessionalstounderstandprocessesthatcouldinvolvefraud.


US Fraud Stats – Kroll Global Fraud Report

2015-2016 2013-2044Prevalenceofcompaniesaffectedbyfraud

75% 66%

Average% ofrevenuelosttofraud

.9% 1.2%

Areasoffrequentloss • Theftofphysicalassets–22%• Vendor, supplier,

procurement- 19%• Informationtheft,lossor

attack- 17%

• Managementconflictofinterest-21%

• Informationtheft,lossorattack–20%

• Theftphysicalassets–20%

Biggestdriverofincreasedexposure

• Highstaffturnover – 34%• Increasedoffshoringand

outsourcing– 15%• Increasedcollaboration

betweenfirms– 14%

• ITcomplexity– 44%


Agenda• Thepsychologyoffraud.• Examinehowpastfraudincidentshaveimpactedtheauditor’srole.

• IPPFresponsibilitiestocomplywithfraud.• EmployingCOSO2013conceptswithininternalauditfraudwork.

• Understandingfraudredflags- actualfraudandcontrolgaps.

• Fraudevaluationvs.fraudinvestigation.• Newagedigitalfraud.• Fraudreporting.


PSYCHOLOGY OF WHITE COLLAR CRIMEConnection to Fraud Triangle and Fraud Diamond


Fraud Defined• Fraudisanyintentional actoromissiondesignedtodeceiveothers.• Resultsinthevictimsufferingalossand/ortheperpetratorachievingagain.

• Organizationdon’twanttobelievefraudcanoccurintheircompany.• Iffraudisidentified,thereisadesireto“handleitourselves”.

• Auditorsandorganizationsmustbeawareofcertainpsychologicalaspectsoffraud.


Companies affected by Fraud and Vulnerable To ITTypesofFraud %

Companiesimpactedinpast12months

%Describingthemselvesashighlyormoderatelyvulnerable

IPtheft 45% 37%

Theftofphysicalassets 22% 62%

Vendor, supplierorprocurementfraud

17% 49%

Information theft 14% 51%

ManagementCOI 12% 36%

Regulatoryor compliancebreach 12% 40%

Corruptionandbribery 11% 40%

Internal financialfraud 9% 43%

Companyfundmisappropriation 7% 40%

Moneylaundering 4% 34%

Marketcollusion 2% 26%


Perpetrators ofknownfraud %offirmshitbyfraudwheresomeoneinnamedgroupwasperpetrator

Junioremployees 45%

Seniorormiddlemanagement 36%

Moneylaundering 34%

Agents andintermediaries 23%

Vendors,Suppliers 18%

JVpartners 8%

Regulators 7%

Customers 5%

Governmentalofficials 3%

Other 3%

Source: Kroll 2015/2016 Fraud Report

Top 5 Drivers of Increased Fraud Risk• Highstaffturnover– 33%• Increasedoutsourcing/offshoring– 16%• Entrytonew/riskermarkets– 13%• Complexityofproductsorservicessold– 11%• Increasedcollaborationbetweenfirms– 10%


Source: Kroll 2015/2016 Fraud Report

Fraud Evolution• Whydoesthetopicoffraudseemsoprevalent?• Majorcorporatedownfalls,• Newlegislation/regulation,• High-profilecases,• Increasedfraudawarenessbyconsumers,

• Enhancedinformationtechnologyprocessesandcyberfraud,

• Moresophisticatedfraudsters.


Psychological Dynamics of Fraud• Isallfraudintoday’sbusinessworldconnectedafinancialloss?• Ultimatelyitmaybeextrapolatedtosomelossbutistherealternativemotivepossibilities?• Doeseveryonesharethesamemoralcompass?• Howdoindividualsdefinewhatisright/wrong?• Iseverythingalwaysblackandwhite?(Shouldmedicalmarijuanabelegal?)

• Howdoperceptionsimpactreality?• Howdotoday’spressuresimpactthepsychologyofindividualswhomaycommitfraudulentacts?


Fraud Theories

Fraud Triangle Fraud Diamond


Think Out of The Box• Thefraudtrianglelistspressureasthefirstlegwithopportunityandrationalizationfallingnext.

• Today’sbusinessenvironmentbegsthequestionofwhether“pressure”istrulylegone.

• Individualswhoperpetratefraudmaydosobecausetheyfirst:• Recognizethe“opportunity”andthen…• Findsomewayto“rationalize”theirbehavior.

• Pressureiscertainlyanelementbutmaynotalwaysbethedrivingforce.


Opportunity Considerations• Auditorsrecognizeopportunitycantiecloselytopoorlydesignedcontrols,controlgapsorcontrolavoidance.

• Controlgapscreateopportunityforthefraudstertotakeadvantageofanduseittoperpetuatefraud.


Opportunity Considerations• Opportunityextendsbeyondthisdefinedconcept.

• Personwhoidentifiesopportunitytoperpetuateafraudthroughapoorlydesignedcontroldoesnotnecessarilyhavetobeapersoninatrustpositionoracurrentfinancialpredicament.

• Inoriginalfraudtriangletheory,thepersonmustseesomewayhecanusehispositionoftrusttosolvehisfinancialproblemwithalowperceivedriskofgettingcaught.


Added Dimension: Capability Concept• Individualswhocommitfraudhavecertaintraitsthatallowthemtohavethecapability tocarrythroughontheiractions.

• Technical skillstounderstandopportunityandtakeadvantage.

• Coercionskillstoconvinceotheremployeestomisstateinformation,becomplicitin/concealthefraud,orassistwithcarryingouttheactualfraud.

• Deceptionskillstolieandmaintainlieovertime.


Added Dimension: Capability Concept• Ability todealwiththestressofcontinuingthedeception.

• Organizationalpositioning providesopportunitynotavailabletoothers.

• Intelligencetounderstand/exploitinternalcontrolweakness.

• Egotobelievetheywillnotbedetected.• Stressmanagementskillsthatallowthepersontomanagestresswellasthefraud.


The Psychology Behind Fraud• Auditorlesson- takethecapabilitytraitsintoconsiderationwhenattemptingtoprioritizeormeasurethefraudthreatpotentialofidentifiedcontrolweaknesses.

• Inclusionofthisconsiderationmayassisttheauditorinappropriatelycalibratingcontrolfindings.

• Considerhowyourorganizationsetstheir“moralcompass”.

• Doesmanagementuseconsistenttheorieswhendetermining“whatisright”?


Examples – Digging Deeper• AuditorInquiry:“Tellmeabouthowtheresourcingforyourdepartmenthasbeenmanagedoverthepastfewyears.”

• Listenfor“clues”thatrepresentpressureonresourcingissues.• Indicationofhighturnover?Canyouidentifyrootcause?• Constraintstofillopenpositions?Impactonemployees?Excessiveovertime?Areemployeesrequiredtoonresponsibilitiesnotpartofnormaljob?

• ResourcingissuesduetoLTperiodsofPTObycertainemployees– isthereunduepressureonotheremployees?

• Isthereexcessiveovertimewhichmayputpressureonpersonnel?Isthereareasonwhythedepartmenthasnotbeenabletoaddresources?


Lessons Learned• Rememberthefraudtriangle!

• Rationalization,opportunity,pressure.• Considerimplicationsofthefrauddiamond.• Managementmustmakebesteffortstodefineblackvs.white.(Difficultconcept).

• Leavingjudgmentsopenforinterpretationwillimpactoutcomes.• Withoutcleardefinitionoutcomesbecomedependentonindividualmoralities.

• Theclearerthepath……


Past Fraud Incidents


2000

SECallegesEnronFalseFilings

Xeroxfalsifiedearningsfor5years

2001

SECinitiatesEnroninvestigation

BristolMyersinflatedrevenuesby$1.5M(channelstuffing

2002

AAConvictedandbeginstofallapart

Adelphia($3.1Binoffbalancesheetloans

AOL,Tyco,WorldComScandal

CMSEnergyRoundTripTrades

2003

MassiveMutualFundFraud

HealthSouthindictedon85countsofconspiracy

MarthaSteward

FreddieMacEarningSmoothing

HCApays$1.7Btosettle9yearfraud.

2004-2006

FannieMaetorestateearningsbackto2001

Stewardconvicted

Ebbersconvicted

Skilling/Layconvicted

Broadcomandoptionsscandal



2007

NewCenturyandBearSternsBankruptcy

FannieMaylossescontinue

WSJaccusesbanksofLiborScandal

SalyamCEOresignsandadmitsfraud

Madoffsentencedto15years

2010

FormerLouisianaUniversityDeanpleadsguiltytofraud

BPagreestopay$20B

AuditorsforWAMUtestifyinfrontofcongress

2008-2009 2011

J&Jagreesto$77MFCPAsettlement

FirstcompanyconvictedunderFCPA

DirectoratGoldmanSach,pays$10Mtosecurebailforchargesofinsidertrading.

Olympusscandal

2012-2013

GlaxoSmithKlinefraud

CapitolOnefined$210Mdeceivingcustomers

Wal-MartAllegations

FiestaBowlchiefguiltyfunnelingpoliticalcontributions

BestBuyScandalLiborRigging

911Firefighterdisabilityfraudclaims

Targetcreditcardhacking



20162014- 2015

Portfoliomanager- SACCapitalAdvisershedgefundfoundguiltyon5countsofinsidertrading.Resultedinconvictionsof77people.

JPMorganChasepaid$2.6BtotheU.S.govt.B.MadoffvictimstosettleallegationsthebankfailedtotellauthoritiesaboutsuspicionsoffraudatMadoff'sfund.

WorldHealthAlternativesCEOsentencedfor$41Mfraudscheme.

TheIRSpaid$3.6Binfraudulenttaxrefundstoidentitythieves.

Sept.2016,MichaelHudson orderedtopayrestitutionof$3.1MtoFrisch’sRestaurant,$505KtoTravelersInsuranceand$970KtotheIRSforwirefraudandfalseIRSreturns.

LogitechInternationalpaid$7.5Mforfraudulentlyinflatingfiscalyear2011financialresultstomeetearningsguidanceandcommittingotheraccounting-relatedviolationsduringa5yr.period.

ThreeexecutivesatEner1paidpenaltiesforthecompany’smateriallyoverstatedrevenuesandassetsforyear-end2010andoverstatedassetsinthefirstquarterof2011.

FRAUD AND THE IPPF FRAMEWORK


Auditors and the IPPF• Asinternalauditors,welooktoTheIIA’sIPPFtoguidehowwecanmosteffectivelyexecuteourresponsibilities.

• ThemannerinthesestandardsareappliedmayvarydependentonmanyfactorsincludingIA’sstatedcharterandstaffing.

• Fraudandallofitsimplicationsisoneofthoseareasthathasbeenmanagedavarietyofwaysbyorganizations.

• WiththeimpetusoftheCOSO2013updateorganizations’responsibilitiesforassessingtheriskoffraudhavebecomeclearer.


IPPF Standards Related to Fraud• DoesyourorganizationunderstandandrecognizetheIIAstandardrequirements?

• WhenwasthelasttimeyoureviewedtherequirementswithyourCFO/CEOorauditcommittee?

• Manyauditcommittee’sandmanagementdonotfullyunderstandandembracetheIIAstandards.Why?


Auditors and the IPPF• InternalauditorscanapplytheprinciplesinCOSO’s2013tosolidifytheirroleandhowtheyworkwithmanagementonvariousfraudinitiatives.

• AuditorsshouldensuretheirworkdirectlysupportstheStandards,includingStandard2120.A2,RiskAssessment:• “Theinternalauditactivitymustevaluatethepotentialfortheoccurrenceoffraudandhowtheorganizationmanagesfraudrisk.”

• HowdoesyourorganizationmeetStandard2120.A2?


When Management Objects?• Managers mayperceivethatincluding“fraud”testsduringanauditreflectsbadlyontheirabilitiestomanageaprocessarea.• Includingfraudtestsmayseemlikeanaccusationaboutimproperactsoccurringwithintheirsphereofcontrol.


When Management Objects?• IAmustbeabletoprovidemanagementwithsufficientinformationaboutwhysuchevaluationsareappropriate.

• ConsiderclarifyingtheIndividualObjectivityStandard1210.A2:• “Internalauditorsmusthavesufficientknowledgetoevaluatetheriskoffraudandthemannerinwhichitismanagedbytheorganization,butarenotexpectedtohavetheexpertiseofapersonwhoseprimaryresponsibilityisdetectingandinvestigatingfraud.”


IPPF Standards and Auditor’s Challenge• TheIIAisnotalawmaking/enforcingbody.• Theyestablishguidelinesandstandardsthatarenotalwaysrecognizedbyallorganizations.

• Therearenopenaltiestoorganization’sfornotfollowingstandards.

• Auditor’sdonotcarrya“licensetopractice”

• ProfessionisnotviewedinthesamemannerasthosethatmaycarryalicensetopracticelikelawyersandCPAs.


IPPF Standards• Auditorsmusttakeapro-activeapproachtoeducatingmanagementandtheboardontheIIAstandardsandrelatedbenefits.

• Thisincludesensuringmanagementunderstandsthestandardsrelatedtotherequirementsforfraudevaluations.

• HOWEVER– InternalAuditmustensuretheyarequalifiedandpreparedtoengageinthevarioustypesoffraudrelatedwork.• Don’tjustdoitbecauseitsoundsinteresting.

• WhatroleshouldIAplay?


1. ClarifytomanagementtheIPPFstandards.2. Establishinternalprocedurestosupportinternalauditors

whenexecutingoncompetencyandprofessionalskepticism.3. Haveastructuredfraudmethodologyinplaceforinternal

audit.4. Ensureprofessionalsassignedtofraudworkhavethe

organizationalknowledgeandperceivedstandingtoadequatelyexecuteontheirprofessionalskepticism.

5. Neversendanauditoronafraudinterviewalone.6. Encourageauditorstocheckthefactstwiceand assess

evidencewithoutbeingoverlycriticalorsuspicious.7. Followalltrailsofevidence.


Potential Steps• ClarifytomanagementtheIPPFstandards.

• Internalauditorshaveguidelinesjustlikelawyersanddoctors.

• Ensureyourgrouphastheabilitytomeetthecompetencystandardsrelatedtofraudevaluations.• Ifyoudon’thaveadequatequalifications,executionmaybeadifficultthing.

• Establishinternalprocedurestosupportinternalauditorswhenexecutingoncompetencyandprofessionalskepticism.


Internal Steps• Haveastructuredfraudmethodologyinplaceforinternalaudit.• Methodology shoulddefinehow,when,whyetc.youwillgetinvolvedwithissuesthatmaybeinvolvedinfraud.

• Protocol shouldincludecommunicationprocedureswithmanagement,theboardandanyregulatoryauthorities.

• Involve yourLegalgroup– Knowtherulesofevidence.• Understandthedifferencebetweenidentifyingredflagsandidentifyingfraud.

• Knowthedifferencebetweendoingafraudinvestigationversusafraudevaluation.

• Understand thetypesoffraudprevalentinyourindustry.


Internal Steps• Ensureprofessionalsassignedtofraudworkhavetheorganizationalknowledgeandperceivedstandingtoadequatelyexecuteontheirprofessionalskepticism.

• Acknowledge noteveryoneusesthesameapproach.• Noteveryonewillcometothesameconclusionormakethesameintuitiveinterpretation.

• Quickestwaytostopprofessionalsfromexercisingaquestioningmindistotightentheropeeverytimeamisjudgmentoccurs.


Internal Steps• Neversendanauditoronafraudinterviewalone.

• Evenanexperiencedauditor,canhaveahesaid/shesaidexperience.

• Encourageauditorstocheckthefactstwiceand assessevidencewithoutbeingoverlycriticalorsuspicious.

• Executingprofessionalskepticismrequiresemployingabalanceofquestioningmindandensuringfactsarecorrect.

• Managementmaydistrustobservationsofauditorswhojumptoconclusionsordonothaveallthefacts.


Internal Steps• Followalltrailsofevidence.

• Itcanbetemptingtoacceptanansweratfacevalue.• Remember,oneperson’sperceptionofblack/whitemaybedifferentthananotherperson’s.

• Itisnotsufficienttointerviewonlytoplevelexecutives.• Ifyouquestionaccuracyoftheinformation,youmustuseduecaretofollowuponthatquestion.

• Importanttoindependently/objectivelypursueallavenuesofinquiry.


INTERNAL AUDIT’S RESPONSIBILITY


Determining Your Role• ConsiderFraudAwareness:

• Fraudawarenesswithinanorganizationassistsinminimizingcollusionactivities.

• Personnelbecomeawareoftheconsequencesofbecominginvolvedintheunacceptablebehavior.

• Lackofawarenesstacticsislikeasilent“acceptance”ofbehavior.

• Toexecutefraudawarenessroll,auditor’smustunderstandthebusiness.• Understandthemanytypesoffraudthatcanoccurinyourindustry.

• Obtainstatisticsonfraudincidentsandemergingtrends.


Internal Audit’s Role• Whatarethekeystoright-sizingIA’sresponsibilityforfraudactivities?• Intoday’sworldofdoingworkfaster,moreefficiently,andwithfewerresources,itisdifficulttobalancerequirements.

• Theunexpectedoftenoccursandresourcesgetpulledindifferentdirections.

• Participationinfraudworkcanbeoneofthoseareaswheretheunexpectedoccursandtimeallocationisnotsufficient.

• Considerthesestepsandwhendefiningyourroleandtimeallocation.


Types of Roles• Considerthepotentialthattheremaybea“requiredrole”anda“potentialrole”forIAwhenitcomestofraudwork.• Requiredrole:MeettheintentoftheIIARiskAssessmentStandard.

• Potentialrole:Involvementinfraudevaluations,investigationsorholisticriskassessments.


Required Role• MeetingStandard2120.A2:Theinternalauditactivitymustevaluatethepotentialfortheoccurrenceoffraudandhowtheorganizationmanagesfraudrisk.

• Considerthismeansmorethanperiodicevaluationthroughtheannualauditassessment.

• Whatwouldbeinvolvedinfulfillingtherequiredrole?


Potential Steps: Required Role• Internalauditmusthaverelevantmethodologiesinplacerelatedtothefollowing:• Inclusionoffraudriskevaluationwithintheannualauditplan.

• Providedirectionforevaluationofthepotentialforfraudriskwithineachindividualaudit.

• Includeaprotocolforauditorstofollowwhenredflagsareidentifiedeitherduringanauditorthroughanotherindependentmanner.


Potential Steps: Required Role• Internalauditmustprovideadequatesupportforstaffincluding:• Ensurestaffhaverequiredtrainingandunderstandingtoevaluatethepotentialforfraudredflags.

• Ensurestaffcanadequatelyexecuteprofessionalskepticismwhenexecutingprojects.

• Ensurestaffunderstandthesensitivitiesofthetopicandthepropercommunicationprotocols.


Defining Potential Role • DoestheIAdepartmenthaverelevantpersonnelexpertise?

• DoesdepartmentalCFEhavethe“experience”tobeinvolvedinsignificantfraudinvestigations?

• Isthereaprotocolforhowtimewillbeassignedandreallocatedintheeventafraudprojectarises?• Willcompletionoftheauditplanbeimpacted?• Howdoesmanagement/auditcommitteeviewIA’srole?

• WhatdoesyourIAchartersay?• Whatisthelegaldepartment’sroleandwhomanagesthehotline?

• Isthereacleardefinitionofvariancebetweenfraudevaluations/fraudinvestigationsandrequirementsofeach?


Steps: Potential Role1. Ensureroleisagreedtoby

managementandtheAC.2. Developaninternalholisticfraud

methodologythatdifferentiatesbetweenassessments,evaluationsandinvestigations.

3. Definerequirementsforeachtypeoffraudwork.(e.g.:auditorskillset,background,needforspecialtyexperience).


Steps: Potential Role4. Identifyhowprojectswillbe

resourced(e.g.internally,externally).5. Establishapre-defined

communicationprotocolforvarioustypesoffraudwork.(Knowwhenanevaluation,investigationorassessmentshouldbemovedtothenextstep).

6. Haveadefinedmethodologyforprojectdocumentation.(Knowwhentoconsultwithlegal).


Steps: Potential Role7. EnsureprofessionalsinIA

assignedtofraudworkhavetherequiredexperience,organizationalknowledgeandperceivedstandingtoadequatelyexecuteontheirprofessionalskepticism.

8. Ensureauditorshavethepropersupport(resourcesandmoral)relatedtotheproject.


Steps: Potential Role9. Encourageauditorstocheckthe

factstwiceandassessevidencewithoutbeingoverlycriticalorsuspicious.

• Executingprofessionalskepticismrequiresemployingabalanceofaquestioningmindandensuringallfactsarecorrect.

• Managementmaydistrustobservationsofauditorswhojumptoconclusionsordonothaveallthefacts.


Right-Sizing Steps1. Clarifyyourdepartmentcharter.

• ClarifytheroleIAwillplayinfraudawarenessanddetection.• Determinehowthatrolewillworkwithinyourauditplan.

2. ValidatethattheACandmanagementagreewithrole.• EnsurerolesasidentifiedinthecharterarefullyunderstoodbytheACandmanagement.

• Ifthereisa“dropeverything”perceptionwhenitcomestotheneedforIAtobeinvolvedinafraudinvestigation,thismustbeclearlyunderstoodbymanagementandtheboard.


Right Sizing Steps3. Evaluatetheneedforfraudspecificauditors.

• Ifthecompanyisinahighriskfraudindustry,IAmayhavededicatedfraudauditors.

• Whenplanningworkload,don’tfallintotrapofonlyconsideringpasthours.Circumstanceschange,businessevolve.Timeallocationresourcesmayneedtochange.

4. Beproactivewhenidentifyingtheneedforoutsideexperts.• Ifyourcharterincludesinvolvementinfraudinvestigations,butIAdoesnottypicallyhaveresourcesfortheeffort,ensurethecharterprovidestheabilitytoenlistoutsideexperts.


Right Sizing Steps5. Assessneedtouseothersubjectmatterexperts.

• Assistanceofindividualsfromotherbusinessareas.• Establishrelevantrelationshipsupfront.(Subjectmatterexperts)

6. Considerallocationof“specializedhours”asaplaceholder.• Isthis“padding”theauditplan?• Theallocationof“specializedhours”canincludecomplianceissues,regulatoryissues,orfraudinvestigations.

• Ensureyouhaveadequatelyassessedyourpotentialneedsfortheauditplanandsupportitwithyourfraudriskassessment,pastexperience,andevaluationofongoingandemergingrisksinyourbusiness.


COSO 2013 AND THE CRITICAL LINK TO FRAUD


COSO and Fraud• WhenexaminingtheCOSO’sdefinitionofCE;akeyphrasehelpsunderstandhowandwhythetopicoffraudcanimpactanorganizationscontrolenvironmentandculture.• “Thecontrolenvironmentsetsthetoneofanorganization,influencingthecontrolconsciousnessofitspeople. Itisthefoundationforallothercomponentsofinternalcontrol,providingdisciplineandstructure.”


COSO and Fraud• Whenexecutingyourfiduciarydutyrelatedtofraudevaluations,rememberconceptsoftheIIAstandardsaswellasCOSO2013andprinciple8.• Challenge:HowdoyoumeetthePrincipleonFraudrelatedtoCOSO2013.


COSO and Fraud• Keyphrase

• “influencingthecontrolconsciousnessofitspeople”.

• Phraserecognizessomeoftheattributesidentifiedinthefraudtriangle-rationalizationandpressure.

• Anotheremergingphilosophyisthefrauddiamondandrequirestheconsiderationof“capability”asacomponent.


8. Organization considers the potential for fraud in assessing risks to the achievement of objectives.

Risk Assessment

COSO 2013 Principles

• Principle 8 possesses the most direct tie to managements responsibility for fraud processes.


Points of Focus• Considers various types of fraud• Assesses incentive and pressures• Assesses opportunities• Assess attitudes and rationalizations

Principle 8 - Point of Focus

• Doesyourorganizationassessthepotentialforalltypesoffraudincluding:• Fraudulentreporting(financialandoperational),• Corruptionfrommisconduct,• Incentives/pressures,• Opportunitiesforunauthorizedacquisition,useordisposalofassetsorassetloss,

• Alteringoftheentity’sreportingrecords,• Howmanagementandotherpersonnelmightengageinorjustifyinappropriateactions.


FRAUD RED FLAGS –ACTUAL FRAUD VS. CONTROL GAPS

60

Variance• FraudRedFlags arewarningsignsthatmayindicateahigherfraud risk.

• TheyareNOT evidencethatfraud hasoccurred.• Acontrolgapdoesnotmean“fraud”occurred.• Internalauditorsmustrecognizethedifferenceandbecautiouswhenevaluatingandreportingoncontrolgapsvs.fraudredflags.

• Ifitisaredflag– canyouidentifythepotentialimpactandlikelihood?• Howwillyouevaluatewhethertherecouldbepotentialmisdoingsorwhetheritisaninternalcontrolgap?


Fraud Red Flags • Financialstabilitythreatenedbyeconomic/industry/operatingconditions.

• Recurringnegativecashflows/inabilitytogeneratecashflow.• Excessivepressureonpersonneltomeetfinancialgoals.• Significantaccountsoroperationsintax-havenjurisdictions.• Complex/unstableorganizationalstructure.• Inadequateorineffectiveinternalcontrols.• Excessiveinterestbymanagementinmaintainingorincreasingstockprice/earningstrend.

• Managementfailuretocorrectknownreportableconditions.• Recurringattemptsbymanagementtojustifymarginal/inappropriateaccounting.


Fraud Red Flags• Unusual/suspiciousitemsinvolvingaccountingrecords.

• Missingdocuments,excessivevoidsorcredits.• Commonnames,telephonenumbers,oraddressees.• Counterfeit/alterationsofdocuments.

• Managementoverrides,topsidedentries.• JEadjustmentsatornearendofreportingperiod.• Unusualrequestsmadenearcloseperiods.• Significantestimatesthatdeviatingfromtrends.• Transactionsoutsidenormalcourseofbusiness.• Shakethetrees!!!


Anti-Fraud Controls• Thepresenceofanti-fraudcontrolsiscorrelatedwithsignificantdecreasesinthecostanddurationofoccupationalfraudschemes.

• Victimorganizationsthatimplementanyofthecommonanti-fraudcontrols,experiencelowerlossesandtime-to-detectionthanorganizationslacking.

• Don’tcloseyoureyes…..don’tassumeitissomeoneelse'sworry….speakup…..


EVALUATIONS VS. INVESTIGATIONS


Evaluation vs. Investigation• Evaluations– systematicexaminationsofanarea’smerit,worthandsignificance.• Usesspecificcriteriagovernedbyasetofstandards.• Primarypurposeistogainaninsightintoanareatoenablemorein-depthanalysis

• Resultinganalysiswillhelpidentifyrootcausesandgapsincontrols.

• Investigation– thescientificmethodofgatheringandexamininginformationaboutaparticulareventtodetermineandfinalizeanassessment.


Evaluations• Evaluationsmayoccurinthenormalcourseofanaudit:

• Anomaliesinaprocessareidentifiedandfurtherreviewiswarranted.• Intheseinstances,theevaluationfocusesonaspecificprocessareaorpossiblyevenagroupofindividuals.

• Observationsareresultofindividualaudits.• Iffraudriskisincludedinanaudit,evaluationmayidentifytheneedforfurthertargetedresearch.


Evaluation Considerations• Complexityoftheprocess.• Howthetransactionflows.• Sophisticationofthesystem.

• Legacysystems• NewSystems

• Hastheprocessareexperiencedpastissuesthatappeartobesystematicorarenotaddressed?

• Understandthecontrolenvironmentoftheprocessandpersonnelinvolved?


Investigation• Investigationmayentail:

• Interviews/observationsdesignedtogainrelevantevidencetoprovecasefacts.

• Backgroundcheckofallegedperpetrators.• Subpoenasforspecificdocumentaryevidence:bankrecords,titlesearches,otherlegaldocumentsnotreadilyaccessible.

• Assetsearchestodetermineownershipissues.• Recordanalysestoevaluateddocumentationofinformationrelatedtotheallegeact.

• Surveillanceofspecificprocessorindividuals.• Interrogationofspecificpersonnelwhomayhaveknowledgeoftheincident.


THE NEW AGE DIGITAL FRAUD


The New Age Digital Fraud• Digitalfraudstersareonestepahead.Fraudsterstakeadvancedstepswithknowledgefromthedigitalworld.

• Digitalfraudhascreatedseamlessboundarieswhichincreasetheperpetuationoffraud.

• Whatisdigitalfraud?• Webcrawlers,chatroomormaliciousbots,• Automatedprogramsthatrunovertheinternet• Digitalnetworksthattransmitvoice,video,data• Identifytheftandcreditcardtheft,securitycodehacking• E-mailscams,• Thelistisendless…• SeeAppendix


Cyber attack realities• Noturnkeycybersolution.• Buildafortressbutsecureitfromtheinside.

• Notedlackofinvestmentininternalmonitoringsystems.• Datalossisasymptomofabiggerproblemtobeinvestigated.

• Mustinvestigatetofindthesourceandtoexplaintotheregulatorhowyouhavefixedtheproblem.

• Theattackeroftenstaysinthesystemaftertheattack.• Thegoalofonlineattackersistostaywithinasystemforaslongastheycan.Attackedsystemsmustbemonitored.

• Cyberfatigueisreal,butnotanexcuseforinaction.• Inabilitytoaddresswillencouragethefraudsterstocontinuetomoveforward.


Cryptocurrency• Cryptocurrencygoesbymanygenericnames.• Itisoftenreferredtoasvirtualcurrency.• ThesimplestdefinitioncomesfromFinCEN:

• “‘virtual’currencyisamediumofexchangethatoperateslikeacurrencyinsomeenvironments,butdoesnothavealltheattributesofrealcurrency.Inparticular,virtualcurrencydoesnothavelegaltenderstatusinanyjurisdiction.”

• Transactionanonymityandirreversibilityofpayments,havemadethesecurrenciesattractivetocyber-criminals,drugdealers,moneylaunderersandthoseinvolvedinglobalfraud.

• Commonexampleisbitcoins.


Bitcoin• Bitcoinsarenotissuedbyacentralbankorgovernment,butarepurchasedfromaBitcoinexchanger.• ExchangersacceptconventionalcurrenciesandexchangethemforBitcoinsbasedonafluctuatingexchangerates.

• Bitcoinsarestoredinadigitalwalletassociatedwith“theuser’sBitcoin‘address,’analogoustoabankaccountnumber,whichisdesignatedbyacomplexstringoflettersandnumbers.”

• ABitcointransaction,whichtakestheformofatransferofvaluebetweenBitcoinwallets,isrecordedinapublicledgercalleda“blockchain”.


Benefits of Bitcoin for Fraud• Virtualcurrenciesrepresentachallengeforlawenforcement.• Theyposetheriskofcriminalactivities,includingmoneylaundering,tradinginillicitdrugsandglobalfraud.

• Thefollowingtraitsmakevirtualcurrenciesattractivetothefraudster:• Anonymityoftransaction• Globalreach• Speed• Non-reversible• Difficultforauthoritiestotrack


Identity Theft• Broadlydefinedastheuseofoneperson’sidentityorpersonalidentifyinginformationwithoutthepersonspermission.

• Canbecommittedagainstanindividualororganization.• Thefederalcriminaldefinitionofidentitytheftiswhensomeone”knowinglytransfers,possesses,oruses,withoutlawfulauthority,ameansofidentificationofanotherpersonwiththeintenttocommitfraud.


Identity Theft• Until1996,identitytheftwasnotrecognizedasacrimeatthestatelevel.

• ArizonawasthefirststateintheUnitedStatestopasslawsagainstidentitytheft.

• OnMay10,2006,PresidentBushissuedExecutiveOrder13402thatestablishedtheIdentityTheftTaskForce.

• Manytypesofidentitytheft:


CriminalIdentityTheft

MedicalIdentifyTheft

InsuranceIdentifyTheft(Auto,Homeowners,Life,Business, Malpractice)

ChildIdentityTheft

ProfessionalIdentity Theft

BusinessIdentityTheft

NewAccountFraud

AccountTakeover

Cloning CreditCardIdentity

SyntheticIdentity GovernmentBenefitsTheft

Governmentdocumentsidentify theft

EmploymentFraud

UtilityFraud Bankruptcy

TaxReturnIdentity

Digital Fraud Summary• Digitalfraudisadvancingfasterthanthebusinessworldprefers.• Organizationsmustbediligentinunderstandingcyberthreatsandthevarioustypesofdigitalfraudthatcanoccur.

• Organizationsshouldestablishadigitalfraudriskinventory.• WorkwithmanagementandtheCIOtounderstandwhatareastheorganizationcanbeexposedtodigitalfraud.

• Ensurerelevantfocusisplacedonthisemergingrisk.• Ifyoudon’thavetheresources– findthem.

• BecautiouswhenusingoutsourcedprovidersandrelyingonSSAE16ServiceOrganizationControlReports(SOCReports).


FRAUD REPORTING


Conceptual Reporting Thoughts• Buildingaframeworkforafinalreportingprotocolisbeneficialandcanassistinensuringprocessesfollowconsistentandestablishedsteps.• Forgetthe“F”word• Revisitthefacts• Accountforthedetail• Understandanypoliticalorsensitivereportingimplications• Don’t“accuse”unlessyoucanactuallyprove.


Reporting Considerations• Formalreportingofinvestigativeprocessthatmayhaveimplicationsoffraudwillbesensitive.Auditormustremember:• Formalreportsareretainedoninformationsystems.• Considerconfidentialityrequirements.• Written/formalreportsareseenbyBOD/legalcounsel.Liketheinternet,reportswrittenexistforperpetuity.

• AfraudevaluationcompletedbyIAmaynotlenditselftonormalreportingprotocols.

• Determinebestmethodofcommunicationofthefacts.• Maybeinaformalmemo,PowerPointorevenformalverbalpresentation.


Reporting Considerations• Willtheissuehavelegalimplications?• Doesanypartoftheevaluationcomeunderlegalprivilege?• Isthereportdiscoverablebyoutsideparties?• Doestheevaluationrequireaformalwrittensummaryasasourceofevidence?

• Whoaretherecipientsofthereport?


Lessons Learned• Rememberthefraudtriangle!

• Rationalization,opportunity,pressure.• Considerimplicationsofthefrauddiamond.• Managementmustmakebesteffortstodefineblackvs.white.(Difficultconcept)

• Leavingjudgmentsopenforinterpretationwillimpactoutcomes.• Withoutcleardefinitionoutcomesbecomedependentonindividualmoralities.

• Theclearerthepath……


APPENDIXTOP 10 SCAMS OF 2017

84

2017 Top Scams• Techsupportscams

• Calleraskforaccesstoyourcomputertofixaproblem.• Fake/counterfitmerchandiseschemes

• Scammerssetupgenericonlinestoressellingnamebranditemsormimicwebsitesofbignamebrands.

• Scammerssellfakeorcounterfeitproductsatsignificantlyreducedpricesdesignedtoattractbuyerslookingforbigdealsonnamebrandmerchandise.

• PetsforSaleScams• Fakewebsitesclaimingtobeassociatedwithpetadoption/animalnurseries.Offerpetsforadoptionorsaleatpricessignificantlybelowthenorm.

• Victimstoldtheymustpayforatleasttheinsurance,shippingandotherservicesforprocessinganddeliveringthepets.

• Victimsarerequiredtomaketheirpurchasesand/orpayfeeswithnon-returnablecash-likeformsofpayment.


2017 Top Scams• GrantScams

• Acquireconsumerpersonaldetailsfromunsuspectingadvertisingagencieswhorunleadgenerationcampaignstargetingconsumersinneedofloans.

• ThencontactthepeoplefromtheselistsandclaimtheyrepresenttheU.S.government.

• CollectionAgencyScams• Resentingafakecollectionagency,scammersmakecoldcallstovictimsandthreatenlawsuitsorembarrassingon-the-jobconfrontationsunlessthevictimsstartmakingpayments.


2017 Top Scams• House/Vacantpropertyrentals

• Scammersadvertisepropertiestheydon'townonclassifiedadswebsites,suchasCraigslist.

• Paymentsarerequestedvianon-returnablemethodslikeMoneygram,WesternUnion,Vanillaandwiretransfer.

• PaydayLoanScams• Relyheavilyonlegitimateleadsgatheredbypaydayloanaffiliatewebsitecompaniesoradvertisingagencies.

• Oncetheinformationisgathered,theysellittoothercompaniesandre-sellitoverandoveruntilascammingcompanyposingasalegitimatecompanygainsaccesstoit.


2017 Top Scams• TimeshareResaleScams

• Tellvictimstheyhavebuyersorrenters,readytotaketimeshare.• Requireanupfrontfeetomoveforwardwiththeprocess.• Scammersgivevictimsawiderangeofreasonsforthefee,includingappraisal,marketinganalysisandfees

• Datingandrelationshipscams• Workfromhomeinspectingandshippingmerchandise

• Scammerssetupprofessional-lookingwebsitesandclaimthatthesitesareownedbyshippingandlogisticsintermediaries.

• Oncevirtualworkersarehired,scammersusestolencreditcardstopurchasemerchandiseandshipittotheirnewwork-at-home"employees"withinstructionsonhowtoopenthepackages,inspectthemerchandiseandshipitelsewhere.


TYPES OF DIGITAL FRAUDS

89

Digital Scams • Phishing

• GainPI,(usernames,passwords,SSnumbers,creditcardnumbers)forpurposesofidentitytheft.

• Accomplishedbyusingfraudulente-mailmessagesthatappeartocomefromlegitimatebusinesses.

• Whaling• Phishingafterverylargescores.• Donewhenhighnetworthindividualsaretargetedorwhencorporationsaretargetedinordertogetcreditcardinformationfromalargenumberofcustomersatonetime.


Digital Scams• Vishing

• ObtainingPIoverthephone.Callinformingindividualstheyhavewonaprizebuttheyneedtopaytaxesorshippingfees.

• Fakeacallfromalocalbusinesswhereanindividualshopstoverifycreditcardinformationonatransaction.

• Pharming• Avirusormalicioussoftwaresecretlyloadedontothevictim’scomputerandhijacksthewebbrowser.

• Whenthevictimtypesintheaddressofalegitimatewebsite,theyarereroutedtoafictitiouscopyofthesitewithoutrealizingit.


Digital Scams• SocialMedia

• Usessocialmediawebsitestogatherinformationonvictims.• Friendsandrelativesinadvertentlypostthevictim’sPIontheirsocialmediasites.

• Hacking• StealPIfromgovernmentandbusinesscomputers.• EmployeescopythePIcontainedontheiremployer’scomputersandselltheinformation.

• FraudulentRecruiterScam• Retrievethevictims’contactinformationfromtheironlineresumesandsendtheme-mailsposingasrecruiters.


Digital Fraud• Pretexting

• PerpetratorposesaslegitimategovernmentofficialormemberoflegitimatebusinessandcallsvictimsaskingforPI.

• Convincevictiminformationisneededtocompleteatransactionandthatsomeoneistryingtoaccesstheiraccount.EncouragevictimtoverifyPI.

• Spoofing• Fraudulente-mailactivitywheresender’saddressorotherpartsofthee-mailheaderarealteredtoappearthee-mailoriginatedfromadifferentsource.


Digital Frauds• Skimming

• Attachesadevicetoamachinethatrecordstheinformationonthecard’smagneticstrip.

• Informationcanbeimprintedonothercards.• MiniaturecamerasusedtocapturethePINsenteredbythevictims.

• FreePublicWi-Fi• SetupfreepublicWi-Finetworksinairports,nearhotels,andinotherpublicplaces.

• Informationonvictim’scomputersandotherelectronicdevicesishacked.

• Cangaincontrolofe-mailaccounts,bankaccounts,socialmediaaccounts,andsoon.


Digital Fraud• Malware

• Placedoncomputersorcellphonestohijackthecomputers,stealdata,orencryptthedataforransom.

• DataBreeches• Stealingdatafromcomputersystemsbelongingtocompanies,governmentalunits,andevennot-for-profitorganizations.

• Largeamountsofinformationarestoleninashortamountoftime.


RAISE THE RED FLAGChapter Outline

96

Raise The Red Flag - Outline• Chapter1:TheIPPFFrameworkandtheAuditorsresponsibility

• FraudandtheIPPF.• Valueaddedrolesinfraudpreventionfortheinternalauditor.• CommunicatingonIAsdutyrelatedtofraudprocesses.• Right-sizingIA’sresponsibilityforfrauddetection.• MonitoringforfraudandunderstandingtheextentoftheIAauditrole.

• Chapter2:FraudandconnectiontotheCEandCOSO2013.• TheimpactoffraudontheControlEnvironmentandcorporateculture.• Determiningimpactoffraudissuesontheidentificationofdeficiencystatus.

• Chapter3:TheIA’sdilemmawheninvestigatinginternalfraud.• Managingtherequestprocessforinternalinvestigation.• DeterminingwhetherIAshouldbeinvolvedintheinvestigation.• Methodstoemployforinternalinvestigations.


Raise The Red Flag - Outline• Chapter4:ConductingaFraudRiskAssessmentfortheCompany.

• Evaluatingthecorporateculturetoprepareforafraudriskassessment.• IA’sroleinfacilitatingaproperfraudriskassessment.• Stepsinidentifyingpotentialfraudscenariosandtheirimpact/likelihood

• Chapter5:Includingfraudanalysisandevaluationwithineachaudit.• Techniquesforconductingafraudriskassessmentforindividualaudits.• Determiningrelativesignificanceandimpactofidentifiedinappropriatebehavior.

• Chapter6:Evaluationvs.investigation• Understandingwhenanissuemovesfromevaluationtoinvestigation.• DeterminingIA’songoingrolewhenissueanalysisturnstoinvestigation.• Methodsforcommunicationissuestomanagementandtheboard.


Raise The Red Flag - Outline• Chapter7:Isdataanalysissufficient?

• Theroleofdataanalysisinongoingmonitoringforfraud.• Determininghow,what,whereandwhentoenhancemonitoring.• Supportingmanagement’smonitoringprocess.• HowtoanalyzetheeffectivenessofFraudPreventionprograms.

• Chapter8:COSO2013– Thecriticalcomponentofmonitoringactivities• Managingtheexpectationof“waittilltheauditorscomein”.• Whattodowhenmanagementfailstoreportinappropriateactivity.• Ensuringoperationalmonitoringiseffectivelyexecuted.

• Chapter9:Reportingproceduresforaneffectivefraudprogram• Howmuchreliancetoplaceonthewhistleblowerhotline.• Internalreportingandlegalprivilege.• Reportingissuestotheboardandauditcommittee.


Documents

“RAISE THE RED FLAG” · WorldCom Scandal CMS Energy Round Trip Trades 2003 Massive Mutual Fund Fraud HealthSouth indicted on 85 counts of conspiracy Martha Steward Freddie Mac