Upload
dinhhanh
View
223
Download
3
Embed Size (px)
Citation preview
© 2017 Association of Certified Fraud Examiners, Inc.
Fraud Risk Management
Fraud Risk Management—Overview
© 2017 Association of Certified Fraud Examiners, Inc. 2 of 27
Discussion Questions
1. Does your organization follow a specific risk
management model? If so, which one? Do you
think this model adequately addresses the risks
your organization faces? Why or why not?
© 2017 Association of Certified Fraud Examiners, Inc. 3 of 27
Discussion Questions
2. What are some of the risks your organization
faces? Where does the risk of fraud fit into your
organization’s risk hierarchy?
© 2017 Association of Certified Fraud Examiners, Inc. 4 of 27
Discussion Questions
3. Does your organization have a formal risk
management function? If so, are anti-fraud
initiatives integrated into the risk management
initiatives?
© 2017 Association of Certified Fraud Examiners, Inc. 5 of 27
Discussion Questions
4. How does your organization categorize the
risks that are identified in the risk management
process?
© 2017 Association of Certified Fraud Examiners, Inc. 6 of 27
Learning Objectives
▪ Analyze the current state of the risk
management landscape.
▪ Compare different risk management
frameworks.
▪ Recognize what fraud risk is and the factors
that influence it.
▪ Understand the reasons for effectively
managing fraud risk.
▪ Determine who is responsible for managing
fraud risk within an organization.
© 2017 Association of Certified Fraud Examiners, Inc. 7 of 27
Introduction to Risk Management
▪ Risk management
involves:
• Identification of risks
• Prioritization of risks
• Treatment of risks
• Monitoring of risks
© 2017 Association of Certified Fraud Examiners, Inc. 8 of 27
Introduction to Risk Management
▪ Balances risk appetite with the ability to meet
strategic, operational, reporting, and
compliance objectives
▪ Requires a proactive, rather than reactive,
approach
© 2017 Association of Certified Fraud Examiners, Inc. 9 of 27
2016 Report on Current State
of Risk Management Initiatives
▪ Risk management initiatives appear relatively
immature:
• 25% describe their risk management implementation
as “systematic, robust, and repeatable.”
• 40% described their risk management processes as
“very immature” or “developing.”
© 2017 Association of Certified Fraud Examiners, Inc. 10 of 27
2016 Report on Current State
of Risk Management Initiatives
▪ 56% are “minimally” or “not at all” satisfied with
the nature and extent of reporting of key risk
indicators to senior executives.
▪ More than half do not have risk oversight
activities formally assigned to a board
subcommittee.
▪ Boards of directors are placing greater
expectations on management to strengthen risk
oversight.
© 2017 Association of Certified Fraud Examiners, Inc. 11 of 27
Risk Management Frameworks
▪ An entity’s risk management program should be
specifically tailored to its unique needs.
▪ However, the use of a framework can provide
guidance and structure in developing the
program.
© 2017 Association of Certified Fraud Examiners, Inc. 12 of 27
COSO Enterprise Risk Management—
Integrated Framework (2004)
5. Risk response
6. Control activities
7. Information and
communication
8. Monitoring
1. Internal environment
2. Objective setting
3. Event identification
4. Risk assessment
© 2017 Association of Certified Fraud Examiners, Inc. 13 of 27
COSO Enterprise Risk Management—
Integrated Framework (2004)
© 2017 Association of Certified Fraud Examiners, Inc. 14 of 27
COSO Enterprise Risk Management:
2016 Draft Revision
▪ Five interrelated components:
1. Risk governance and culture
2. Risk, strategy, and objective-setting
3. Risk in execution
4. Risk information, communication, and reporting
5. Monitoring enterprise risk management performance
© 2017 Association of Certified Fraud Examiners, Inc. 15 of 27
ISO 31000
▪ Lays out 11 principles of effective risk
management
▪ Provides guidance on developing both a
framework and a process for managing risk that
is based on those principles
© 2017 Association of Certified Fraud Examiners, Inc. 16 of 27
ISO 31000:2009
Risk Management Principles
Creates valueIntegral part of organizational
processes
Part of decision making
Explicitly addresses
uncertainty
Systematic, structured, and
timely
Based on the best available
informationTailored
Takes human and cultural factors
into account
Transparent and inclusive
Dynamic, iterative, and responsive to
change
Facilitates continual
improvement and enhancement
© 2017 Association of Certified Fraud Examiners, Inc. 17 of 27
ISO 31000:2009
(Source: ISO 31000:2009, Risk Management—Principles and Guidelines )
© 2017 Association of Certified Fraud Examiners, Inc. 18 of 27
Choosing a Risk Management Framework
▪ Might start with COSO or ISO framework as is
▪ But should customize to the organization and its
needs based on:
• Organizational structure
• Nature of operations
• Environment(s)
• Size
• Nature of risks
© 2017 Association of Certified Fraud Examiners, Inc. 19 of 27
Fraud Risk Management Guide 2016
▪ Published by COSO in collaboration with ACFE
▪ Five principles of FRM
• One aligned with each of the five components of
internal control
▪ Supported by individual points of focus for each
principle
▪ Not formally linked to COSO ERM 2016D, but
several obvious connections
© 2017 Association of Certified Fraud Examiners, Inc. 20 of 27
IC ↔ FRM ↔ ERM
IC 2013 Component FRM 2016 Principle ERM 2016D Component
Control environment
The organization establishes and communicates a Fraud Risk Management program that demonstrates the expectations of the board of directors and senior management and their commitment to high integrity and ethical values regarding managing fraud risk.
Risk governance and culture
Risk assessment The organization performs comprehensive fraud risk assessments to identify specific fraud schemes and risks, assess their likelihood and significance, evaluate existing fraud control activities, and implement actions to mitigate residual fraud risks.
Risk, strategy and objective-setting
© 2017 Association of Certified Fraud Examiners, Inc. 21 of 27
IC ↔ FRM ↔ ERM
IC 2013 Component FRM 2016 Principle ERM 2016D Component
Control activities The organization selects, develops, and deploys preventive and detective fraud control activities to mitigate the risk of fraud events occurring or not being detected in a timely manner.
Risk in execution
Information & communication
The organization establishes a communication process to obtain information about potential fraud and deploys a coordinate approach to investigation and corrective action to address fraud appropriately and in a timely manner.
Risk information, communication & reporting
© 2017 Association of Certified Fraud Examiners, Inc. 22 of 27
IC ↔ FRM ↔ ERM
IC 2013 Component FRM 2016 Principle ERM 2016D Component
Monitoring activities
The organization selects, develops, and performs ongoing evaluations to ascertain whether each of the five principles of fraud risk management is present and functioning and communicates Fraud Risk Management Program deficiencies in a timely manner to parties responsible for taking corrective action, including senior management and the board of directors.
Monitoring risk management performance
© 2017 Association of Certified Fraud Examiners, Inc. 23 of 27
IC ↔ FRM ↔ ISO 31000
IC 2013 Component
FRM 2016 PrincipleISO 31000
FrameworkISO 31000
Process
Control environment
The organization establishes and communicates a Fraud Risk Management program that demonstrates the expectations of the board of directors and senior management and their commitment to high integrity and ethical values regarding managing fraud risk.
Mandate and
commitment (4.2)
Design of
framework for
managing risk (4.3)
Establish the
context (5.3)
Risk assessment
The organization performs comprehensive fraud risk assessments to identify specific fraud schemes and risks, assess their likelihood and significance, evaluate existing fraud control activities, and implement actions to mitigate residual fraud risks.
Design of
framework for
managing risk (4.3)
Implementing risk
management (4.4)
Risk Assessment
(5.4):
− Identification
− Analysis
− Evaluation
© 2017 Association of Certified Fraud Examiners, Inc. 24 of 27
IC ↔ FRM ↔ ISO 31000
IC 2013 Component
FRM 2016 PrincipleISO 31000
FrameworkISO 31000
Process
Control
activities
The organization selects, develops,
and deploys preventive and detective
fraud controls activities to mitigate the
risk of fraud events occurring or not
being detected in a timely manner.
Implementing risk
management (4.4)
Risk Treatment (5.5)
Information and
communication
The organization establishes a
communication process to obtain
information about potential fraud and
deploys a coordinate approach to
investigation and corrective action to
address fraud appropriately and in a
timely manner.
Implementing risk
management (4.4)
Monitoring and
review of the
framework (4.5)
Communication
and Consultation
Throughout the
Process (5.2)
© 2017 Association of Certified Fraud Examiners, Inc. 25 of 27
IC ↔ FRM ↔ ISO 31000
IC 2013 Component
FRM 2016 PrincipleISO 31000
FrameworkISO 31000
Process
Monitoring
activities
The organization selects, develops, and
performs ongoing evaluations to ascertain
whether each of the five principles of
fraud risk management is present and
functioning and communicates Fraud Risk
Management Program deficiencies in a
timely manner to parties responsible for
taking corrective action, including senior
management and the board of directors.
Monitoring and
review of the
framework (4.5)
Continual
improvement of
the framework
(4.6)
Monitoring and
Review of Controls,
Risks, etc. (5.6)
© 2017 Association of Certified Fraud Examiners, Inc. 26 of 27
IC ↔ ISO 31000
© 2017 Association of Certified Fraud Examiners, Inc. 27 of 27
The Fraud Risk Management Process
Establish a fraud risk management policy as part of organizational
governance.
Perform a comprehensive fraud risk assessment.
Select, develop, and deploy preventive
and detective fraud control activities.
Establish a fraud reporting process and coordinated approach to investigation
and corrective action.
Monitor the fraud risk management process,
report results, and improve the process.
© 2017 Association of Certified Fraud Examiners, Inc. 28 of 27
What Is Fraud Risk?
▪ The vulnerability that an organization has to
those capable of overcoming the three
elements of the fraud triangle
▪ Comes from both internal and external sources
▪ Differs from other risks because fraud, by
definition, entails intentional misconduct
designed to evade detection
© 2017 Association of Certified Fraud Examiners, Inc. 29 of 27
Types of Fraud Risk
▪ Inherent risk—risk present before management
takes action
▪ Residual risk—risk that remains after
management takes action
© 2017 Association of Certified Fraud Examiners, Inc. 30 of 27
Factors Influencing Fraud Risk
▪ The nature of the business
▪ Economic conditions
▪ The operating environment
▪ The ethics and values of the company and its
people
▪ Technology
▪ The legal environment
▪ The effectiveness of internal controls
© 2017 Association of Certified Fraud Examiners, Inc. 31 of 27
Who Is Responsible for
Managing Fraud Risk?
▪ Team responsible for executing, monitoring,
and ensuring success:
• Executive management
• Audit committee
• Investigations group
• Compliance
• Controller’s group
• Internal audit
• IT
• Security
• Legal department
• Human resources
© 2017 Association of Certified Fraud Examiners, Inc. 32 of 27
Who Is Responsible for
Managing Fraud Risk?
▪ The team should have a
designated leader.
▪ Synergy and
communication are keys.