Fraud Risk Assessment - ACUA A Practical Approach Fraud... · The Fraud Risk Assessment consists of 15 modules, each containing a series of questions designed to help ... No random

1

Office of Internal Audit

ACUA 2013 Annual Conference

Presented by:

Lori Tesch – CPA, CFE, CFF, CGMADirector, Forensic Audits

Fraud Risk Assessment

1September 2013

• Understand what a Forensic/Fraud Risk Assessment is and it’s key elements

• Discuss the development and design of an effective assessment

• Examine tools for executing the assessment

• Report results

• Incorporate results into the Audit Plan and sustain the program

Objectives

2September 2013

Definitions

3

Fraud Risk

• Organization’s vulnerability to overcoming the three elements of fraud

• Internal and external sources

September 2013

2

Definitions

4


Process to identify where fraud may occur and who may be committing it

September 2013

Identifying Fraud

5September 2013

Identify the Fraudster

6September 2013

3

Key Elements

7

Identify inherent fraud risk

Assess likelihood and significance

Respond to reasonably likely and significant inherent and residual fraud risks

September 2013

What makes a good Fraud Risk Assessment?

8

Understand where it falls within an Effective Anti-Fraud Program

Code of Ethics

Fraud Prevention

Policies

Communication & Training

Controls Monitoring

Fraud Response

Plan


September 2013

9

What makes a good Fraud Risk Assessment?

Necessary Elements

CollaborationThe Right Sponsor

Independence & Objectivity

Working Knowledge of

BusinessTrust

Access to All People

Think the Unthinkable

Sustainability

September 2013

4

Development and Design

10

Package it right

One size does NOT fit all

Keep it simple

September 2013

Development and Design

11

Prepare the Organization

Team Technique Agreement Educate

September 2013

Team

12

Accounting & Finance

Internal Audit Nonfinancial/ Operations

Risk Management

External Consultants

General Counsel

Ethics or Compliance

Business Leaders

September 2013

5

Technique

13

Survey

Interview

Facilitated Session

September 2013

Agreement and Education

14

Obtain sponsor’s agreement

Educate the employees

Promote the process

September 2013

Assessing Possible Risks

15

Likelihood

Significance

People/department

September 2013

6

Online Resources

16

http://www.acfe.com/fraud-prevention-checkup.aspx

http://www.aicpa.org/InterestAreas/ForensicAndValuation/Resources/FraudPreventionDetectionResponse/Pages/Managing%20the%20Bu

siness%20Risk%20of%20Fraud.aspx

http://www.cgma.org/Resources/Reports/Pages/fraud-risk-management.aspx

Fraud Prevention Checkup - ACFE

Managing the Business Risk of Fraud

CGMA Fraud Risk Management

September 2013

Tools

17

Survey Software

Questionnaire

Self-Assessment

September 2013

Report Results

18

Report objective – not subjective - results

KISS

Focus on what really matters

Identify clear and measurable actions

September 2013

7

Report Results

19September 2013

Reporting

20September 2013

Reporting

21September 2013

8

Reporting

22September 2013

Reporting

23September 2013

Incorporate with Audit Process

24

Combine results

Focus on high priority risks

Design test procedures

September 2013

9

Sustain the Program

25

Begin a dialogue across the organization

Continue to look for fraud in high risk areas

Hold responsible parties accountable

Monitor key controls

September 2013

Final Thoughts

26

1. There is no standard

2. Just like a fraud investigation, no two are alike

3. Ongoing, continuous process

September 2013

Final Thoughts

27September 2013

10

Final Thoughts

28September 2013

Final Thoughts

29September 2013

Auditor Humor

5 – In God we trust, everybody else gets audited

30

4 – What do you call an Auditor without an opinion?

3 – We’re not happy until you’re not happy

2 – If your mother tells you she loves you… check it out

1 – There were Thirteen Commandments… before the auditor questioned three of them

I don’t know, I’ve never heard of one

September 2013

11

31September 2013

Page 1 of 2

FRAUD RISK ASSESSMENT FORM

Identified Fraud risks and

Schemes1

Likelihood2 Significance

3

People

and/or

Department4

Existing Anti-

fraud

Controls5

Controls

Effectiveness

Assessment6

Residual

Risks7

Fraud Risk

Response8

FINANCIAL REPORTING:

MISAPPROPRIATION OF

ASSETS:

CORRUPTION:

Page 2 of 2

1. Identified Fraud Risks and Schemes: This column should include a full list of the potential fraud risks and schemes that may face the

organization. This list will be different for different organizations and should be formed by discussions with employees and management and

brainstorming sessions.

2. Likelihood of Occurrence: To design an efficient fraud risk management program, it is important to assess the likelihood of the identified fraud

risks so that the organization establishes proper anti-fraud controls for the risks that are deemed most likely. For purposes of the assessment, it

should be adequate to evaluate the likelihood of risks as remote, reasonably possible, and probable.

3. Significance to the Organization: Quantitative and qualitative factors should be considered when assessing the significance of fraud risks to an

organization. For example, certain fraud risks may only pose an immaterial direct financial risk to the organization, but could greatly impact its

reputation, and therefore, would be deemed to be a more significant risk to the organization. For purposes of the assessment, it should be

adequate to evaluate the significance of risks as immaterial, significant, and material.

4. People and/or Department Subject to the Risk: As fraud risks are identified and assessed, it is important to evaluate which people inside and

outside the organization are subject to the risk. This knowledge will assist the organization in tailoring its fraud risk response, including

establishing appropriate segregation of duties, proper review and approval chains of authority, and proactive fraud auditing procedures.

5. Existing Anti-fraud Internal Controls: Map pre-existing controls to the relevant fraud risks identified. Note that this occurs after fraud risks are

identified and assessed for likelihood and significance. By progressing in this order, this framework intends for the organization to assess

identified fraud risks on an inherent basis, without consideration of internal controls.

6. Assessment of Internal Controls Effectiveness: The organization should have a process in place to evaluate whether the identified controls are

operating effectively and mitigating fraud risks as intended. Organizations should consider and review what monitoring procedures would be

appropriate to implement to gain assurance that their internal control structure is operating as intended.

7. Residual Risks: After consideration of the internal control structure, it may be determined that certain fraud risks may not be mitigated

adequately due to several factors, including (a) properly designed controls are not in place to address certain fraud risks or (b) controls

identified are not operating effectively. These residual risks should be evaluated by the organization in the development of the fraud risk

response.

8. Fraud Risk Response: Residual risks should be evaluated by the organization and fraud risk responses should to address such remaining risk.

The fraud risk response could be implementing additional controls and/or designing proactive fraud auditing techniques.

ACFE Fraud Risk Assessment Instructions

The Fraud Risk Assessment consists of 15 modules, each containing a series of questions designed to help

organizations zoom in on areas of risk. The fraud professional and the client or employer should begin the

risk assessment process by working together to answer the questions in each module. It is important that

the client or employer select people within the organization who have extensive knowledge of company

operations, such as managers and internal auditors, to work with the fraud professional. Upon completion

of all of the questions, the fraud professional should review the results of the assessment with the client or

employer in order to:

Identify the potential inherent fraud risks.

Assess the likelihood and significance of occurrence of the identified fraud risks.

Evaluate which people and departments are most likely to commit fraud and identify the

methods they are likely to use.

Identify and map existing preventive and detective controls to the relevant fraud risks.

Evaluate whether the identified controls are operating effectively and efficiently.

Identify and evaluate residual fraud risks resulting from ineffective or nonexistent controls.

Respond to residual fraud risks.

The Fraud Risk Assessment may reveal certain residual fraud risks that have not been adequately

mitigated due to lack of, or non-compliance with, appropriate preventive and detective controls. The fraud

professional should work with the client to develop mitigation strategies for any residual risks with an

unacceptably high likelihood or significance of occurrence. Responses should be evaluated in terms of

their costs versus benefits and in light of the organization's level of risk tolerance.

Be aware, however, that this assessment only provides a snapshot of a particular point in time. The

dynamic nature of organizations requires routine monitoring and updating of their financial risk

assessment processes in order for them to remain effective.

These questions are provided as a guide only. The user is free to modify the questions as appropriate to

match the size and structure of the organization. Additional information on fraud risk assessment may be

obtained from:

ACFE's Fraud Resources

Fraud Examiners Manual

Corporate Fraud Handbook, Third Edition, by Joseph T. Wells

The ACFE would like to thank Larry Cook, CFE, for his invaluable contribution to the Fraud Risk

Assessment. The Fraud Risk Assessment was originally developed by Mr. Cook, and we thank him for

allowing us to build upon his foundation and share his assessment process with our members.

http://www.acfe.com/fraud-resources.aspx

http://www.acfe.com/products.aspx?id=4294975950

http://www.acfe.com/products.aspx?id=2133

Copyright Notice: The modules and the questions are the property of the Association of Certified Fraud

Examiners. The ACFE grants its members the right to use these modules and questions for their own use,

or for the use of their clients or employers. Neither, these modules, nor any part thereof, may be sold in

whole or in part unless as part of consulting or fraud examination services to a client or employer.

Modules

1 - Employee Assessment

2 - Management/Key Employee Assessment

3 - Physical Controls

4 - Skimming Schemes

5 - Cash Larceny Scheme

6 - Check Tampering Schemes

7 - Cash Register Schemes

8 - Purchasing and Billing Schemes

9 - Payroll Schemes

10 - Expense Schemes

11 - Theft of Inventory and Equipment

12 - Theft of Proprietary Information

13 - Corruption

14 - Conflicts of Interest

15 - Fraudulent Financial Reports

http://www.acfe.com/frat.aspx?id=6854















2013 Survey Software Review

Rank #1 #2 #3 #4 #5 #6 #7 #8 #9 #10

10-9 8-6 5-4 3-2 1-0

ExcellentGoodAveragePoorBad

The SurveySystem

KeyPoint SurveyGold Survey CrafterProfessional

StatPac SurveyPro SurveyMonkey iMagic SurveyDesigner

Survey Said Survey Toolsfor Windows

10

9

8

7

6

5

4

3

2

1

Overall Rating

Survey Creation

Survey Analysis

Survey Administration

Ease of Use

Help & Support

Ratings 9.50 9.33 9.13 8.88 8.65 8.38 7.45 6.63 6.15 6.00

Product Cost

Pricing $999 $777* $100 $495 $495 $1,995 $780** $149 $199 $695

Survey Creation

Create Custom Questions

Multiple Choice Single

Response

Multiple Choice Multiple

Responses

Question Matrix

Comment

Sample Surveys

Skip Pattern/ Branching

Require Answers

Rating

Restrict Access

Curb Ballot Box Stuffing

Ranking

Save Incomplete Surveys

Stock Questions

Custom Design

Respondents Can Update

Answers

Survey Analysis

Graphs

Bar

Pie

Line

Percentages

Cross Tabulations

Filters

Print Results

Mean

Median

Mode

Maximum Value

Minimum Value

Standard Deviation

Frequency Tables

Banner Tabulations

Correlation Matrices

Survey Administration

Online

Paper

Interview

Email

Import/Export

Export Results

Export Survey

Import Results

Import Survey

Help & Support

Email

User Manual or Guide

Phone

Tutorials

FAQs

Supported Configurations

Windows 8

Windows 7

Windows Vista

Windows XP

Mac OS

BASICFree

DESIGN FEATURES

10 questions per survey 100 responses per survey

No white-label surveys

Easy-to-use web-based survey tool

31 survey templates

15 types of questions

All languages supported (Unicode)

No page logic

No question logic

No random assignment

No question & answer piping

No question randomization

No theme customization

No survey branding

Randomize & sort answer choices

15 pre-set visual themes

Survey completion progress bar

Auto-numbering for pages & questions

Validate/require survey responses

Fully accessible & 508 compliant

No custom redirect upon survey completion

No custom "thank-you" page

No printable PDF version

COLLECTION FEATURES

Send out your survey via weblink, email, or Twitter

SELECT$17 per month** Billed $204 annuallySee monthly plan

DESIGN FEATURES

Unlimited questions Unlimited responses



51 survey templates



Page logic

Question logic

No random assignment

No question & answer piping

No question randomization

Customized themes

Brand your survey with a logo







No custom redirect upon survey completion

Custom "thank-you" page

Printable PDF version

COLLECTION FEATURES


GOLD$25 per month** Billed $300 annually

DESIGN FEATURES




51 survey templates



Page logic

Question logic

NEW Random assignment

NEW Question & answer piping

NEW Question randomization

Customized themes








Custom redirect upon survey completion



COLLECTION FEATURES


PLATINUM$65 per month** Billed $780 annually

DESIGN FEATURES


NEW White label surveys


51 survey templates



Page logic

Question logic

NEW Random assignment

NEW Question & answer piping

NEW Question randomization

Customized themes








Custom redirect upon survey completion



COLLECTION FEATURES


Sign Up » Sign Up » Sign Up » Sign Up »

Home How It Works Examples Survey Services Plans & Pricing

Sign In Help

Page 1 of 2SurveyMonkey Plans and Pricing

4/22/2013http://www.surveymonkey.com/pricing/details/?ut_source=header

No Custom URL

Share your survey on Facebook

Embed your survey into a page or on your website

Deploy your survey via a website pop-up

Send your survey using our email manager

No enhanced security (SSL)

ANALYSIS FEATURES

Real-time results

No text analysis

No SPSS integration

No multiple custom reports

No filtering & cross tabulating responses by custom criteria

No downloading responses

No creating & downloading custom charts

No sharing responses

SUPPORT FEATURES

24x7 email support

No expedited email responses

No phone support

BASICFree

Custom URL





Enhanced security (SSL)

ANALYSIS FEATURES

Real-time results

No text analysis

No SPSS integration

Multiple custom reports

Filter & cross tabulate responses by custom criteria

Download responses

Create & download custom charts

Share responses

SUPPORT FEATURES

24x7 email support

Customer support email responses in 2 hours or less

No phone support

SELECT$17 per month** Billed $204 annuallySee monthly plan

Custom URL






ANALYSIS FEATURES

Real-time results

NEW Text analysis

NEW SPSS integration



Download responses


Share responses

SUPPORT FEATURES

24x7 email support


No phone support

GOLD$25 per month** Billed $300 annually

Custom URL






ANALYSIS FEATURES

Real-time results

NEW Text analysis

NEW SPSS integration



Download responses


Share responses

SUPPORT FEATURES

24x7 email support


Expert phone support to answer any of your questions

PLATINUM$65 per month** Billed $780 annually

Sign Up » Sign Up » Sign Up » Sign Up »

Copyright © 1999-2012 SurveyMonkey

Follow Us: Facebook Twitter LinkedIn Our Blog Google+ YouTube

Help: FAQs & Tutorials Contact Support

About Us: Management Team Board of Directors Partners Newsroom Contact Us Jobs Sitemap

Policies: Terms of Use Privacy Policy Anti-Spam Policy Security Statement Email Opt-Out

Dansk Deutsch English Español Français 한국어 Italiano Nederlands 日本語 Norsk Português Русский Suomi Svenska 中文(繁體)

Page 2 of 2SurveyMonkey Plans and Pricing

4/22/2013http://www.surveymonkey.com/pricing/details/?ut_source=header

Page 1

Sample Fraud Risk AssessmentSample Fraud Risk AssessmentSample Fraud Risk AssessmentSample Fraud Risk Assessment

In an effort to better assess the organization's fraud risks, we have developed this Fraud Risk Assessment. The survey should take no more than 20 minutes to complete. Please note that the survey must be fully completed once started. You cannot exit and restart the survey. Please complete all sections no later than Friday, August 3, 2013. Should you have any questions, please contact XXXXXXXXX. Thank you in advance for your cooperation. Name and title of support person

INTRODUCTION

Page 2


1. How would you rate the overall ethical behavior of the department in the following areas:

2. Are measures taken to reduce the risk of fraud in your area concerning:

3. Are there instances in your area where employees have close friends or immediate relatives reporting to them or they are working in the same S/C/D?

ETHICS

*Excellent Above Average Average Below Average Poor

Commitment to accurate financial reporting

nmlkj nmlkj nmlkj nmlkj nmlkj

Disclosing wrongdoing nmlkj nmlkj nmlkj nmlkj nmlkj

Proper review and approval nmlkj nmlkj nmlkj nmlkj nmlkj

Complying with policies and procedures

nmlkj nmlkj nmlkj nmlkj nmlkj

Doing what is right nmlkj nmlkj nmlkj nmlkj nmlkj

*Strongly Agree Agree Disagree Strongly Disagree

Reviews nmlkj nmlkj nmlkj nmlkj

Reconciliations nmlkj nmlkj nmlkj nmlkj

Segregation of duties nmlkj nmlkj nmlkj nmlkj

Safeguarding physical assets and sensitive data

nmlkj nmlkj nmlkj nmlkj

*

Additional Comments:


Yes

nmlkj No

nmlkj N/A

nmlkj

If yes, has management been made aware of the situation?

Page 3


4. Are employees aware of how to report occurrences of suspected fraud or suspicious activity?

5. Please identify the top five frauds that could occur in your area.

6. Of the following types of fraud, which ones could occur in your area (check all that apply).

7. Can you identify potential “red flags” which are indicators of possible fraud or fraudulent behavior?

FRAUD AWARENESS

*

*1.

2.

3.

4.

5.

*

*

Yes

nmlkj

No

nmlkj

Unsure

nmlkj


Conflict of interest

gfedc

Financial statement manipulation

gfedc

Theft of assets

gfedc

Falsification or alteration of documents

gfedc

Time theft

gfedc

Inappropriate Pcard transactions

gfedc

Inappropriate or unapproved travel

gfedc

Unauthorized use or abuse of signature authority

gfedc

Unauthorized use of University assets

gfedc

Manipulation of information on University systems

gfedc

Other

gfedc

Yes

nmlkj No

nmlkj

If yes, please list some examples below:

55

66

Page 4


8. Do you currently have employees in positions that, as the result of budget cuts and/or other cutbacks, may have an issue with segregation of duties?

9. How effective are current processes with ensuring segregation of duties in the following areas:

SEGREGATION OF DUTIES

*

*Excellent Above Average Average Below Average Poor N/A

Credit Card Processing nmlkj nmlkj nmlkj nmlkj nmlkj nmlkj

Cash Activities nmlkj nmlkj nmlkj nmlkj nmlkj nmlkj

Bank Deposits nmlkj nmlkj nmlkj nmlkj nmlkj nmlkj

Account Reconciliations nmlkj nmlkj nmlkj nmlkj nmlkj nmlkj

Bank Reconciliations nmlkj nmlkj nmlkj nmlkj nmlkj nmlkj

Posting of Cash Receipts nmlkj nmlkj nmlkj nmlkj nmlkj nmlkj

Cash Disbursements nmlkj nmlkj nmlkj nmlkj nmlkj nmlkj

Petty Cash Accounts nmlkj nmlkj nmlkj nmlkj nmlkj nmlkj

Frequency of Process Review

nmlkj nmlkj nmlkj nmlkj nmlkj nmlkj

Yes

nmlkj

No

nmlkj



Page 5


10. How effective is the process for reviewing and/or approving key documents for discrepancies, unusual activity or misuse in the areas of:

11. How effective is management with providing feedback related to:

12. A background check was done on all new employees within the past three years.

13. How important is it to monitor employee leave time to prevent time theft or ensure employees are reporting time accurately as it relates to:

PROCESS REVIEW


Financial transactions nmlkj nmlkj nmlkj nmlkj nmlkj

Operational activities nmlkj nmlkj nmlkj nmlkj nmlkj

Academic activities nmlkj nmlkj nmlkj nmlkj nmlkj

Grant funds compliance nmlkj nmlkj nmlkj nmlkj nmlkj


Employee performance nmlkj nmlkj nmlkj nmlkj nmlkj

Departmental performance nmlkj nmlkj nmlkj nmlkj nmlkj

General feedback nmlkj nmlkj nmlkj nmlkj nmlkj

*

*Critical Very Important Important Not Important

Sick Leave nmlkj nmlkj nmlkj nmlkj

Special Needs Time nmlkj nmlkj nmlkj nmlkj

Vacation nmlkj nmlkj nmlkj nmlkj

Holidays nmlkj nmlkj nmlkj nmlkj

Personal Business/Any Purpose

nmlkj nmlkj nmlkj nmlkj

Please list any issues with specific areas/transactions below:

55

66


Yes

nmlkj No

nmlkj N/A

nmlkj



Page 2

2014 Fraud Risk Assessment2014 Fraud Risk Assessment2014 Fraud Risk Assessment2014 Fraud Risk Assessment

1. Are you aware of any weaknesses in internal controls that would provide an opportunity for someone to steal or commit fraud?

2. If someone in your department/area decided to steal or commit fraud, how could they do it and get away with it?

3. Are you aware of any behaviors that may expose your department/area or the University to regulatory violations, fines or penalties?

4. Do you have any knowledge of fraud in your department/area or the University?

FRAUD AWARENESS

*

*

55

66

*

*

Yes

nmlkj No

nmlkj Unsure

nmlkj

If yes, please list some examples below:

55

66

Yes

gfedc

No

gfedc

Unsure

gfedc

If yes, please list any concerns you may have:

Yes

nmlkj No

nmlkj

If yes, please explain.

Page 3


5. Are you aware of any employee that exhibits behavior that is unethical or inappropriate for the workplace?

6. Are you aware of any conficts of interest or nepotism in your department/area or the University?

7. Are you aware of anyone who does any of the following during work time (check all that apply):

ETHICS

*

*

*

Yes

gfedc

No

gfedc

Unsure

gfedc

If yes or unsure, please describe the behavior(s) and why you are concerned.

Yes

gfedc

No

gfedc

If yes, please explain.

Runs a personal business

gfedc

Spends a great deal of time surfing the internet

gfedc

Receives gifts from outside businesses or individuals

gfedc

Disappears for large blocks of time

gfedc

Additional comments:

Page 4


8. Do you know of anyone who exhibits any of the following behaviors (check all that apply):*

Easily annoyed at reasonable questions

gfedc

Viewing, transmitting or downloading inappropriate data

gfedc

Never, or rarely, takes vacation

gfedc

Sexual harrassment, sexual jokes and innuendo

gfedc

Excessive gambling

gfedc

Affairs, inside or outside the office

gfedc

Bullying

gfedc

Provides unreasonable responses to questions

gfedc

Intimidation

gfedc

Appears to be living beyond their means

gfedc

Retaliation

gfedc

Overprotective of data or information

gfedc

Vulgarity, profanity, and abusive language directed at people

gfedc

General harassment

gfedc


Page 5


9. If you had knowledge that an unethical/fraudulent activity was occurring within your department/area or the University, what would you do?

10. What are ways that an individual can report fraud or abuse to the University? (check all that apply).

11. The reporting of fraud or abuse to the University can truly be completely anonymous. Do you agree or disagree with this statement?

REPORTING

*

55

66

*

*

Supervisor or other upper level management

gfedc

Hotline

gfedc

Office of Internal Audit

gfedc

Human Resources

gfedc

Labor Relations

gfedc

Anonymous tips form

gfedc

Office of Equal Opportunity

gfedc

Public Safety

gfedc

Agree

nmlkj

Disagree

nmlkj

If you disagree, why?

Page 6


12. How effective is the process for reviewing and/or approving key documents for discrepancies, unusual activity or misuse in the areas of:

13. Do you have knowledge of anyone abusing their position to circumvent or bypass departmental processes or procedures?

PROCESS REVIEW

*Excellent Average Poor N/A Unsure

Financial transactions nmlkj nmlkj nmlkj nmlkj nmlkj

Operational activities nmlkj nmlkj nmlkj nmlkj nmlkj

Academic activities nmlkj nmlkj nmlkj nmlkj nmlkj

Grant fund compliance nmlkj nmlkj nmlkj nmlkj nmlkj

*

Please list any issues with specific areas/transactions below:

Yes

nmlkj

No

nmlkj

Unsure

nmlkj

If yes or unsure, please explain.

Page 7


14. Do you currently have employees in positions that, as the result of budget cuts and/or other cutbacks, may have an issue with segregation of duties?

15. Is there anything else you would like us to know?

SEGREGATION OF DUTIES

*

55

66

Yes

gfedc

No

gfedc

Additional comments:

Documents

Fraud Risk Assessment - ACUA A Practical Approach Fraud... · The Fraud Risk Assessment consists of 15 modules, each containing a series of questions designed to help ... No random