Fraud Auditing Overview - The Institute of Internal Auditors

Transcription

Fraud Auditing Overview - The Institute of Internal Auditors
 Danny M. Goldberg Partner, Professional Development CPA, CIA, CISA, CGEIT, CRISC, CRMA, CGMA, CCSA © 2012 Sunera LLC. All rights reserved
2
Danny M. Goldberg n  Partner, Professional Development (www.sunera.com) n  Founding Partner, SOFT GRC (www.thesoHaudit.com) n  CPA – Since 2000 n  CIA – Since 2008 n  CISA – Since 2008 n  CGEIT (CerSficaSon in the –  Sold to Sunera January 2011 n  Former Director of Corporate Audit/
SOX at Dr Pepper Snapple Group n 
n  Former CAE -­‐ Tyler Technologies n  Published Author (Book/ArScles) n 
n  Texas A&M University – 97/98 n 
n 
© 2012 Sunera LLC. All rights reserved
Governance of Enterprise IT) – Since 2009 CRISC (CerSficaSon in Risk and InformaSon Systems Control) – Since 2011 CRMA (CerSficaSon in Risk Management Assurance) – Since 2011 CCSA (CerSficaSon in Control Self-­‐
Assessment) – Since 2007 CGMA (Chartered Global Management Accountant) – Since 2012 3
Danny M. Goldberg (cont.) n  Chairman of the Leadership Council of the American Lung AssociaSon -­‐ North Texas – 2012 CY n  Served on the Audit Commi^ee of the Dallas Independent School District (CY 2008) n  Current Dallas IIA Programs Co-­‐Chair (2011-­‐2012 and 2012-­‐2013) n  Former IIA Volunteer Instructor n  Published Author –  Commissioned by the IIARF to Write “Crucial Communica9ons: Tools When the Stakes are High”; to be published in Spring 2013 –  Bureau of Na9onal Affairs -­‐ Internal Audit: Fundamental Principles and Best PracSces –  ISACA Journal (May 2012, August 2012) –  Internal Auditor ArScles (August 2007, December 2007, October 2010) –  ISACA Online ArScle (December 2009) –  Audit Report Ar9cles (June 2010 Cover, March 2011, March 2012) –  New Perspec9ves (December 2010) –  Dallas Business Journal (January 2011) – The Yes Man Phenomenon © 2012 Sunera LLC. All rights reserved
4
Danny M. Goldberg (cont.) n  Speaking publicly for 5 years n  RelaSonships with over 55 IIA/ISACA Chapters throughout the WORLD. n  Ra5ngs/Evalua5ons: –  #8 out of 120 speakers – 2012 IIA Interna5onal Conference –  “Top Rated” (Excellent/Outstanding) Speaker – 20th Annual American Society for Quality (ASQ) Audit Division Conference (out of 44 presenters) –  Top 10 PresentaSon – 2011 IIA Midwest Regional (36 total concurrent sessions, 3.75 overall raSng out of 4.0) –  Top 3 Ranked Speaker – Michigan CPA’s Healthcare Conference 2011 (29 total speakers) –  Top 3 Ranked Speaker – ArkSarBen IIA 2011 District Conference (24 total sessions) –  3.58/4.00 RaSng – 2011 ACFE Annual North American Conference –  1 of 100 Presenters invited to present at the 2012 IIA InternaSonal Conference © 2012 Sunera LLC. All rights reserved
5
Sample Professional Development Associa5on Clients !
!
!
!
!
!
!
© 2012 Sunera LLC. All rights reserved
!
6
Regional/Na5onal Conferences – Since 2011 !
© 2012 Sunera LLC. All rights reserved
7
Sunera Snapshot ü  Professional consultancy focused on regulatory compliance, internal audit, informaSon technology & accounSng advisory services ü  Founded by former public accounSng partners and professionals ü  Delivered more than 1500 projects to over 300 clients across a broad spectrum of industries ü  Employ full-­‐5me professionals in twelve offices across the United States and Canada ü  PCI Qualified Security Assessor (QSA) & Approved Scanning Vendor (ASV) ü  Registered with NASBA to offer CPE’s for our ACL & Internal Audit training courses ü  Cer5fied integra5on partner for leading conSnuous controls monitoring soluSons, including ACL, Approva & SAP © 2012 Sunera LLC. All rights reserved
8
Sunera Offices
Vancouver Calgary Toronto New York Phoenix Dallas Atlanta Boston Raleigh Orlando Tampa Houston © 2012 Sunera LLC. All rights reserved
Miami 9
You can also visit us at www.sunera.com
Contact Information
Please contact any of the following Sunera Texas Leadership Team members:
Brian Amend
Managing Partner
Texas Practice
(972) 955-5652
bamend@sunera.com
Danny M. Goldberg
Partner, Professional Development
(214) 514-8883
dgoldberg@sunera.com
Dallas Office Address
1400 Preston Road
Suite 400
Plano, Texas 75093
Houston Office Address
5100 Westheimer Road
Suite 200
Houston, Texas 77056
© 2012 Sunera LLC. All rights reserved.
reserved
10
© 2012 Sunera LLC. All rights reserved
11
Fraud Quiz 1.  What % of its revenue does the typical organizaSon loose to fraud each year? 2.  How many months does a fraud usually last before being reported? 3.  What is the most common type of occupaSonal fraud? 4.  Three industries most common vicSmized by fraud are: 5.  How many prior offenses have occupaSonal fraudsters oHen commi^ed? 6.  Do the higher fraud losses tend to be commi^ed by fraudsters with low or high tenure with an organizaSon? 7.  What departments do most fraudster’s work in? © 2012 Sunera LLC. All rights reserved
12
Fraud Quiz Answers – Page 1 of 2 n  What % of its revenue does the typical organizaSon loose to fraud each year? –  (Answer – 5%) n  How many months does a fraud usually last before being reported? –  (Answer – 18 months) n  What is the most common type of occupaSonal fraud? –  (Answer – asset misappropriaSon) n  Source – Report to the Na9ons on Occupa9onal Fraud and Abuse – 2012 Global Fraud Study, AssociaSon of CerSfied Fraud Examiners © 2012 Sunera LLC. All rights reserved
13
Fraud Quiz Answers – Page 2 of 2 n  Three industries most common vicSmized by fraud are: –  (Answer – banking & financial services, government & public administraSon, and manufacturing) n  How many prior offenses have occupaSonal fraudsters oHen commi^ed? –  (Answer – None! Most are first offenders with clean histories) n  Do the higher fraud losses tend to be commi^ed by fraudsters with low or high tenure with an organizaSon? –  (Answer – the higher the fraud loss – median of $229,000 are commi^ed by fraudsters with more than 10 years. Those during the first year on the job commi^ed a median of $25,000) n  What departments do most fraudster’s work in? –  (Answer – accounSng, operaSons, sales, execuSve/upper mgmt., customer service, and purchasing) © 2012 Sunera LLC. All rights reserved
14
The Defini5on of Fraud “… any illegal act characterized by deceit, concealment, or viola5on of trust. These acts are not dependent upon the threat of violence or physical force. Frauds are perpetrated by par5es and organizaSons to obtain money, property, or services; to avoid payment or loss of services; or to secure personal or business advantage.” © 2012 Sunera LLC. All rights reserved
15
Fraud Audi5ng Overview n Audits are not designed to detect fraud –  Goal: Determine whether the financial statement is free from material misstatements. n Auditors test only a small fracSon of transacSons n Auditors must: –  Be aware of the potenSal of fraud –  Discuss how fraud could occur –  Delve into suspicious observaSons and report them © 2012 Sunera LLC. All rights reserved
16
Auditor Responsibility n  All auditors should have at least: –  Some semblance of fraud training/experience –  CreaSon/Involvement of the anS-­‐fraud assessment –  Solid understanding of measures intended to prevent and detect fraud –  Awareness of financial fraud schemes and scenarios and knowledge of forensic invesSgaSons –  Ability to detect financial statement fraud, which requires a firm understanding of financial reporSng standards © 2012 Sunera LLC. All rights reserved
17
The Fraud Triangle Opportunity
Rationalization
• 
• 
• 
Must gain access to assets/
records
Can be controlled/prevented
by organization
• 
Follow through and commit
the fraud
Can be controlled/prevented
by organization
Pressure
•  The more incentive, the easier it is to justify
•  Financial or personal problems, financial
pressure, mental instability
© 2012 Sunera LLC. All rights reserved
18
The Fraud Triangle What to look for… n  Consistent inventory adjustments for defecSve items or shrinkage n  CompensaSon Sed to operaSng results n  Consistently meet/exceed analyst expectaSons n  OperaSons in countries with history of bribery n  Related party transacSons n  Material or frequent adjusSng entries n  Missing, altered, late documents n  Lackadaisical oversight combined with friendly employee relaSons n  Change in personal habits or behavior © 2012 Sunera LLC. All rights reserved
19
How is Fraud Discovered? © 2012 Sunera LLC. All rights reserved
20
How is Fraud Discovered? © 2012 Sunera LLC. All rights reserved
21
Factors Contribu5ng to Fraud Contributing Factor
Percentage
Poor Controls
59%
Management Override
36%
High Risk Industry
34%
Third Party Collusion
33%
No Ethics Policy
7%
No Board of Directors Control
6%
Other
2%
© 2012 Sunera LLC. All rights reserved
22
Categories of Fraud Risk n  Misappropria5on of Assets –  involve the theH or misuse of an organizaSon’s assets. (Common examples include skimming revenues, stealing inventory, and payroll fraud.) n  Corrup5on –  fraudsters wrongfully use their influence in a business transacSon in order to procure some benefit for themselves or another person, contrary to their duty to their employer or the rights of another. (Common examples include accepSng kickbacks and engaging in conflicts of interest.) n  Fraudulent Financial Statements –  falsificaSon of an organizaSon’s financial statements. (Common examples include overstaSng revenues and understaSng liabiliSes or expenses.) © 2012 Sunera LLC. All rights reserved
23
What is a Trusted Employee? n Independent n Almost all work alone n Never take vacaSon n Knows everything n Work long hours – To work early/leave late Ø We trust employees too much (blind trust) Ø Must use trust but verify concept (monitoring) © 2012 Sunera LLC. All rights reserved
24
What is an “At Risk” Employee? n  Employee work habits (1) Come to work early or leave late (2) Works nights and weekends (3) Seldom missing for leave or vacaSon (4) Reports to office during brief absences (5) Ask others to hold work while gone (6) Knows too much (7) Too helpful or too involved The Issue is Control © 2012 Sunera LLC. All rights reserved
25
© 2012 Sunera LLC. All rights reserved
26
Employee Red Flags n Significant change in lifestyle, such as new wealth n Financial difficulSes may create need –  Gambling or drug addicSon –  Infidelity is an expensive habit n Criminal background n Chronic legal problems n Dishonest behavior in other parts of life n Beat the system –  Break rules commonly n Chronic dissaSsfacSon with job © 2012 Sunera LLC. All rights reserved
27
Organiza5onal Red Flags n Lack of communicaSon of expectaSons n Too much trust in key employees n Lack of proper authorizaSon procedures n Lack of a^enSon to detail n Changes in organizaSonal structure n Tendency towards crisis management © 2012 Sunera LLC. All rights reserved
28
Financial Document Red Flags n Missing/Altered documents n Excessive number of voided documents n Documents not numerically controlled n QuesSonable handwriSng or authorizaSon n Numerous duplicate payments n Unusual billing addresses n Address of employee same as vendor n Duplicate or photocopied invoices n Invoices not folded for envelope © 2012 Sunera LLC. All rights reserved
29
Accountability and Control Red Flags n Lack of segregaSon of duSes n Lack of physical security and/or key control n Weak links in chain of controls and accountability © 2012 Sunera LLC. All rights reserved
n Missing independent checks on performance n Weak management style n Poor system design n Inadequate training 30
How to Minimize Fraud Risk n  Adhere to policies/procedures (especially documentaSon and authorizaSon) n  IdenSfy and understand of key controls and fraud areas n  Ensure physical security over assets n  Provide proper training to employees n  Independently review and monitor tasks n  Review segregaSon of duSes n  Ensure clear lines of authority © 2012 Sunera LLC. All rights reserved
31
How to Minimize Fraud Risk n  Rotate duSes in posiSons suscepSble to fraud n  Ensure employees take regular vacaSons n  Schedule regular independent audits of areas suscepSble to fraud n  Ensure background checks including criminal and credit for all employees n  Make sure internal controls are followed n  Ask for documentaSon n  Ensure that one person does not have total responsibility for a process n  Evaluate performance regularly n  Report suspicious acSvity © 2012 Sunera LLC. All rights reserved
32
© 2012 Sunera LLC. All rights reserved
33
The COSO Defini5on of Internal Control Internal control is a process, effected by an enSty’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objecSves in the following categories: §  EffecSveness and efficiency of operaSons §  Reliability of financial reporSng §  Compliance with applicable laws and regulaSons © 2012 Sunera LLC. All rights reserved
34
Reasonable Assurance Internal controls are to provide a reasonable assurance that the objecSves of the system will be accomplished Risk
Costs
Benefits
© 2012 Sunera LLC. All rights reserved
35
COSO Internal Controls Cube © 2012 Sunera LLC. All rights reserved
36
Control Environment §  Sets the tone of the organizaSon – influencing control consciousness of its people §  Includes integrity, ethical values, competence, authority, and responsibility §  Acts as foundaSon for all other components of control §  Pervasive influence on all the decisions and acSviSes of an organizaSon. §  EffecSve organizaSons set a posiSve “tone at the top”. © 2012 Sunera LLC. All rights reserved
37
Risk Assessment §  IdenSficaSon and analysis of relevant risks to achieving the enSty's objecSves – forming the basis for determining control acSviSes §  Risks are internal & external events (economic condiSons, staffing changes, new systems, regulatory changes, natural disasters, etc.) that threaten the accomplishment of objecSves. §  Risk assessment is the process of idenSfying, evaluaSng, and deciding how to manage these events… What is the likelihood of the event occurring? What would be the impact if it were to occur? What can we do to prevent or reduce the risk? © 2012 Sunera LLC. All rights reserved
38
Control Ac5vi5es § 
§ 
§ 
§ 
Tools -­‐ policies, procedures, processes -­‐designed and implemented to help ensure that management direcSves are carried out. Range of acSviSes, including approvals, authorizaSons, verificaSons, recommendaSons, performance reviews, asset security, and segregaSon of duSes Help prevent or reduce the risks that can impede the accomplishment of objecSves. Occur throughout the organizaSon, at all levels, and in all funcSons. © 2012 Sunera LLC. All rights reserved
39
Informa5on and Communica5on §  PerSnent informaSon idenSfied, captured, and communicated in a Smely manner §  Access to internally and externally generated informaSon §  Flow of informaSon that allows for successful control acSons from instrucSons on responsibiliSes to summary of findings for management acSon §  EffecSve informaSon and communicaSon systems enable the organizaSon’s people to exchange the informaSon needed to conduct, manage, and control its operaSons. © 2012 Sunera LLC. All rights reserved
40
Monitoring §  Assessment of a control system's performance over Sme §  CombinaSon of ongoing and separate evaluaSon…Have controls become outdated, redundant, or obsolete? §  Respond to dynamically changing condi9ons §  Management and supervisory acSviSes §  Internal audit acSviSes §  Internal control systems must be monitored to assess their effecSveness… Are they opera9ng as intended?. © 2012 Sunera LLC. All rights reserved
41
© 2012 Sunera LLC. All rights reserved
42
What Do We Do on a Daily Basis that Involves Internal Control? §  Lock-­‐up valuable belongings §  Keep copies of your tax returns and related support §  Balance your checkbook §  Keeping passwords unique and separate §  Planning Ahead §  Home and Car Insurance §  Seat Belts §  Physical Control of Credit Cards © 2012 Sunera LLC. All rights reserved
43
What is the Risk of Weak Internal Controls? Business InterrupSon §  system breakdowns or catastrophes, excessive re-­‐work to correct for errors. Erroneous Management Decisions §  based on erroneous, inadequate or misleading informaSon. Fraud, Embezzlement and TheH §  by management, employees, customers, vendors, or the public-­‐at-­‐large. © 2012 Sunera LLC. All rights reserved
44
What is the Risk of Weak Internal Controls? Statutory SancSons §  penalSes arising from failure to comply with regulatory requirements, as well as overt violaSons. Excessive Costs/Deficient Revenues §  expenses which could have been avoided, as well as loss of revenues. Loss, Misuse or DestrucSon of Assets §  unintenSonal loss of physical assets such as cash, inventory, and equipment. © 2012 Sunera LLC. All rights reserved
45
§ 
§ 
§ 
§ 
§ 
What is the Benefit of Strong Internal Controls? Providing appropriate checks and balances. Reducing and prevenSng errors in a cost-­‐ effecSve manner. Ensuring priority issues and risks are idenSfied and addressed. ProtecSng employees & resources. Having more efficient audits, resulSng in shorter Smelines, less tesSng, and fewer demands on staff. © 2012 Sunera LLC. All rights reserved
46
Controls Applicable to All n  EXERCISE – Based on your view of internal controls, what controls apply to all processes regardless of type? The
foundation of
our controls
home!
© 2012 Sunera LLC. All rights reserved
47
ANSWER n  SegregaSon of DuSes n  Physical and IT Access n  Review and ReconciliaSon Controls (Management Oversight) –  Balance Sheet ReconciliaSons –  JE Reviews n  Tiered Approvals n  Pre-­‐numbered documents n  Policies and Procedures © 2012 Sunera LLC. All rights reserved
48
Other Controls n  Code of Conduct n  Hotline n  Whistle-­‐blower policy n  Conflict of interest policy n  Fiscal Policy © 2012 Sunera LLC. All rights reserved
49
Five Key Internal Control Ac5vi5es © 2012 Sunera LLC. All rights reserved
50
1. Separation of Duties
§ 
§ 
§ 
We will perform a detailed review of segregation
through the next two days
Divide responsibilities between different
employees so one individual doesn’t control all
aspects of a transaction
Reduce the opportunity for an employee to
commit and conceal errors (intentional or
unintentional) or perpetrate fraud
§ 
Most employees do not want too much responsibility/
opportunity
© 2012 Sunera LLC. All rights reserved
51
2. Documentation
§ 
§ 
§ 
§ 
Critical decisions and significant events...typically
involving the use, commitment, or transfer of
resources.
Transactions - enables a transaction to be traced
from its inception to completion.
Policies & Procedures - documents which set
forth the fundamental principles and methods
that employees rely on to do their jobs.
Controls – should be documented to be
evidenced.
q  Is
there a grey area?
© 2012 Sunera LLC. All rights reserved
52
3. Authoriza5on & Approvals § 
Management documents and communicates which acSviSes require approval, and by whom, based on the level of risk to the organizaSon. § 
Ensure that transacSons are approved and executed only by employees acSng within the scope of their authority granted by management. § 
Tiered approvals © 2012 Sunera LLC. All rights reserved
53
4. Security of Assets § 
§ 
§ 
§ 
Secure and restrict access to equipment, cash, inventory, confidenSal informaSon, etc. to reduce the risk of loss or unauthorized use. Perform periodic physical inventories to verify existence, quanSSes, locaSon, condiSon, and uSlizaSon. Secure access to key IT resources/systems Base the level of security on the vulnerability of items being secured, the likelihood of loss, and the potenSal impact should a loss occur. © 2012 Sunera LLC. All rights reserved
54
5. Reconcilia5on & Review § 
§ 
§ 
§ 
Examine transacSons, informaSon, and events to verify accuracy, completeness, appropriateness, and compliance. Base level of review on materiality, risk, and overall importance to organizaSon’s objecSves. Ensure frequency is adequate enough to detect and act upon quesSonable acSviSes in a Smely manner. Tiered level reviews © 2012 Sunera LLC. All rights reserved
55
© 2012 Sunera LLC. All rights reserved
56
© 2012 Sunera LLC. All rights reserved
57
Overview n  Cash is King! n  Cash Controls feed every other aspect in a company – if cash is not well controlled, many other gaps will become evident. n  Most frauds occur with cash – least trackable trail and most immediate benefit n  Appropriate SeparaSon of DuSes must be constantly stressed © 2012 Sunera LLC. All rights reserved
58
4 W’s of Cash Access n  When proper cash accountability exists, you can answer the four W's during a process: –  Who has access to cash –  Why they have access to cash –  Where cash is at all Smes –  What has occurred from the transacSon's beginning to end © 2012 Sunera LLC. All rights reserved
59
FRF: Cash Schemes n Cash Larceny: IntenSonal taking away of an employer’s money against the will of the employer. –  TheH of “on-­‐book” cash n Skimming: TheH of cash from a vicSm enSty prior to its entry in an accounSng system. –  “Off-­‐book” fraud –  No direct audit trail (since the missing cash is never recorded). –  Its principal advantage is its difficulty to detect. © 2012 Sunera LLC. All rights reserved
60
FRF: Cash (Fraudulent Disbursement) Schemes n Billing Schemes: Use false documentaSon to cause a payment to be issued for a fraudulent purpose –  Among the most costly and most common forms of occupaSon fraud. –  Invoicing in MicrosoH Excel n Payroll Schemes: a person who works for an organizaSon causes that organizaSon to issue a payment by making false claims for compensaSon. n Expense Reimburse: Employees make false claims for reimbursement of ficSSous or inflated business expenses –  Is this fraud or an error in judgment? © 2012 Sunera LLC. All rights reserved
61
FRF: Cash (Fraudulent Disbursement) Schemes n Check Tampering: Check tampering occurs when an employee converts on enSty’s funds by either: –  IntercepSng a check drawn on the enSty’s account that is intended for a 3rd party and converSng that check to his own benefit n Register Disburse: Involve the taking of money from a cash register; when money is taken from the cash register, the removal of the money is recorded on the register tape and made to look like a legiSmate disbursement (false refunds, false voids). © 2012 Sunera LLC. All rights reserved
62
FRF -­‐ Lapping Scheme n Primarily present in accounts receivable systems, but can also be present at any central cashier funcSon n DefiniSon: Cashiers credit one account with the payment of funds received on another account –  A version of “robbing Peter to pay Paul” n Scheme becomes complex as the number of manipulated transacSons and the amount of dollar losses increase over Sme © 2012 Sunera LLC. All rights reserved
63
FRF -­‐ Lapping Scheme n  Example using three customers each owe $100 in an accounts receivable system –  Customer “A” pays $100. Funds are misappropriated –  Customer “B” pays $100. Funds are credited to account of Customer “A” (made whole) –  Customer “C” pays $100. Funds are credited to account of Customer “B” (made whole) –  The loss begins with Customer “A”, but ends with Customer “C” –  A list of these accounts must be prepared to prove the amount of loss in the case –  A^empSng to find all of the manipulated accounts in the scheme is fruitless © 2012 Sunera LLC. All rights reserved
64
FRF -­‐ Lapping Scheme n  Fraud perpetrators must maintain accurate records in order to conceal the irregular acSvity –  Borrowing at first, because they intend to pay it back –  When hopelessness sets in, then stop keeping records n  Mistakes ulSmately bring down these schemes –  It just takes one valid customer complaint –  Disaster strikes with devastaSng results n  Independent party resoluSon of customer feedback (complaints and confirmaSon) is essenSal for fraud detecSon © 2012 Sunera LLC. All rights reserved
65
© 2012 Sunera LLC. All rights reserved
66
The Dry Cleaner n  Dry Cleaner – mid 1990’s n  New coupons distributed via mail n  Store Manager has a stack of coupons and uSlizes them when customers do not uSlize coupons n  No SoD n  Manager works alone © 2012 Sunera LLC. All rights reserved
67
© 2012 Sunera LLC. All rights reserved
68
FRF – Accounts Payable: Fraud Risks n  Debit Balances n  Large/Old balances n  New Suppliers (review of process) n  No payment date n  Unrecorded liabiliSes © 2012 Sunera LLC. All rights reserved
69
FRF -­‐ Purchasing Fraud n  Duplicate : –  Disbursement Amounts –  Invoice numbers/dates n  Fake Vendor in Vendor Database (Test for duplicate names and addresses, vendor & EE names/addresses same, PO Boxes) n  Right at thresholds (refunds) © 2012 Sunera LLC. All rights reserved
70
FRF – Disbursement Fraud Concepts n  Most cash disbursement frauds employ common and simple methods n  Cash disbursements fraud is recorded in the accounSng system. –  Fraud is concealed in accounts with high volumes and high dollar acSvity n  Fraud perpetrators are unpredictable as to posiSon and background and change over Sme with the internal control system (the chameleon effect) n  It is difficult to disSnguish original documents from false original documents. The difference is that no goods or services were received for the false transacSons. n  Make sure that all supporSng documents are valid and represent actual purchases of good and services. Watch out for: –  Cut-­‐and-­‐paste documents (no detail shown for purchases made), and –  Numerical sequencing of receipts or invoices used for reimbursement purposes n  IdenSfy documents that serve the same purpose as blank checks (pe^y cash, travel vouchers, and Sme cards) © 2012 Sunera LLC. All rights reserved
71
FRF -­‐ Other Disbursement Areas n  Collusion between employee and vendor (difficult to detect) n  Implement a policy on employee/vendor contacts (conflicts of interest) and use a “Holiday” le^er as a reminder n  Picking up assets versus a central delivery desSnaSon n  Review posiSon of employee to see if purchases are an act out of character (not the normal job) n  Invoices must include a descripSon of the item purchases (not just a part number) n  Obtain original receipts for purchases © 2012 Sunera LLC. All rights reserved
72
FRF -­‐ Other Disbursement Areas n  Credit cards –  Monitor for personal purchases –  Track personal credit history –  Properly train employees on use –  Maintain a log of all credit cards issued –  Do not pay from credit card statements –  Obtain original receipts –  Review bank statements –  Maintain gasoline use records versus vehicle mileage © 2012 Sunera LLC. All rights reserved
73
© 2012 Sunera LLC. All rights reserved
74
FRF -­‐ Payroll Concepts to Remember n  Payroll = 50-­‐80% of all expenditures n  Every employee can falsify own payroll n  Know that employee Sme cards are blank checks and can be falsified (aHer approval) – look for a straight line from source to approval to payroll n  No one should approve their own Sme sheet © 2012 Sunera LLC. All rights reserved
75
FRF -­‐ Payroll Fraud Schemes n  Individuals receive more pay than authorized – fraud of choice -­‐ most common n  Employees issue checks to themselves: –  For too much money –  For work not performed –  For unauthorized vacaSon buy-­‐outs n  The fraud can involve: –  Normal payroll –  OverSme –  VacaSon and sick leave n  Primary suspects: –  Payroll employees –  Department Smekeeper © 2012 Sunera LLC. All rights reserved
76
FRF -­‐ The Five Most Common Payroll Fraud Schemes n  Ghost employees n  Mid-­‐month payroll draws not deducted from end-­‐of-­‐month payroll n  Unauthorized employee pay n  COBRA program abuses n  Advance release of withheld funds © 2012 Sunera LLC. All rights reserved
77
© 2012 Sunera LLC. All rights reserved
78
Lynwood Facts n  Located in Los Angeles County, CA n  PopulaSon of 72,984 n  Per Capita: $10,640 n  Where Paris Hilton & Nicole Richie were jailed © 2012 Sunera LLC. All rights reserved
79
Paul H. Richards, II n  Mayor of Lynwood, CA for 7 terms n  Created consulSng firm-­‐ Allied Government Services (AGS) n  Used control over city council to award AGS contracts n  Contacts Involving AGS –  Nuisance Abatement Contract •  $25,000/month
–  TransportaSon Contract w/ Trolley Operator •  $60,000
–  Billboard Contracts •  $960,000
© 2012 Sunera LLC. All rights reserved
80
Detec5on of Fraud n  Fraud lasted 1999 – 2003 n  Los Angeles Times published arScles n  ElecSon recalled n  Richards removed from office © 2012 Sunera LLC. All rights reserved
81
Charges to the Perpetrators March 20,2006 n  Paul H. "Petey" Richards II (Former Mayor of Lynwood) –  Convicted on 35 counts of extorSon, fraud, money laundering and making false statements to invesSgators –  Sentenced to 188 months in federal prison n  Paula Cameo Harris (President/Owner – AGS) –  Sentenced to 72 months in prison n  Bevan Atlee Thomas (former consultant to Lynwood) –  Sentenced to 119 months in prison n  Lynwood City Council Members Jailed, Released On Bail –  5 members charged with misappropriaSon of public funds –  Unfortunately, ex-­‐mayor Paul Richard's harsh sentence had –  NO deterrent effect on the successor city officials of Lynwood © 2012 Sunera LLC. All rights reserved
82
Were Management Being Distracted? n Majority of City Council members enjoyed: –  Six-­‐figure incomes –  Lavish foreign travel –  Generous use of City credit cards for meals and entertainment © 2012 Sunera LLC. All rights reserved
83
Case Study Ques5ons To Answer n  How did Management fail to detect the fraud? n  How could Management prevent/detect a fraud of this nature? n  What should the external auditors have done to detect this fraud? © 2012 Sunera LLC. All rights reserved
84
© 2012 Sunera LLC. All rights reserved
85
How Management Failed to Detect the Fraud n Mayor failed to disclosed link to AGS n Mayor overrode controls n Management was not skepScal n Management did not follow policies or normal pracSces © 2012 Sunera LLC. All rights reserved
86
How Management Would Have Detected/
Prevented the Fraud n  SegregaSon of DuSes n  Stricter Policies & PracSces n  Appropriate Reviews & Approvals of TransacSons n  More Frequent ReconciliaSons n  Contract Monitoring n  Budget/Actual Comparison © 2012 Sunera LLC. All rights reserved
87
What Auditors Should Have Done n  AnalyScal procedures n  DocumentaSon n  PresentaSon and disclosure n  Staff interviews © 2012 Sunera LLC. All rights reserved
88
Facts About the Audit n  Original Auditors: Simpson & Simpson –  Gave unqualified opinions –  Had no findings –  Classified client as "low risk auditee” n  New Auditors: Moss, Levy & Hartzheim –  Had 30 findings –  Found inefficiencies in internal controls –  Gave disclaimers of opinion © 2012 Sunera LLC. All rights reserved
89
Why This Case? n Simple fraud resulSng in large losses n Did not take any financial savvy to perpetrate n Could have easily been discovered by auditors n Longest poliScal corrupSon sentence ever © 2012 Sunera LLC. All rights reserved
90
© 2012 Sunera LLC. All rights reserved
91
Asset Misappropria5on Scheme
Payroll
Scenario
•"Payment"to"fictitious"employees
•"Payment"to"terminated"employees
•"Overpayment"to"existing"employees
•"Theft"of"inventory"items
Inventory
•"Consistent"shrinkage"of"items
•"Increased"defective/warranty"claims
•"Reimbursement"for"personal"expenses
Credit4Cards
•"Use"of"card"to"circumvent"competitive"bid"requirements
Larceny
•"Theft"of"materials,"supplies,"cash
•"Using"purchasing"authority"to"purchase"raw"materials"for"
Purchasing
personal"use.
•"Using"procurement"card"for"personal,"exorbitant"
Procurement
purchases
•"Reimbursement"for"undocumented"expenses
Reimbursement
•"Reimbursement"for"luxury"accommodations
•"Reimbursement"for"travel"expenses"of"family"members
Improper4Payments •"Payments"to"phantom"vendors,"shell"companies
© 2012 Sunera LLC. All rights reserved
92
Corrup5on/FCPA Scheme
Scenario
•"Improper"or"early"revenue"recognition
•"Falsifying"revenue
•"Earnings"manipulation"through"reserves
•"Recording"pending"transactions"as"completed"
transactions
Overstating0Assets
Improper"valuation"of"securities,"inventory,"fixed"
assets
Understating0Liabilities0
•"Hiding"losses"in"future"reporting"periods
and0Expenses
•"Understating"expense"account"balances
•"Reclassifying"(capitalizing)"expenses"as"assets
•"Improper"valuation"or"manipulation"of"
intercompany"accounts
Improper0Note0Disclosure •"Omission"of"contingencies"or"subsequent"events
•"Falsifying"external"documents"to"suppliers
•"Internal"memorandums"give"misleading"
NonAfinancial
information
•"Publicly"announced"unsubstantiated"information
•"Manipulation"of"management"estimates"for"
Management0Estimates
receivables,"goodwill"or"depreciation
Fictitious0Revenue
© 2012 Sunera LLC. All rights reserved
93
Financial Statement Fraud Scheme Fic55ous Revenue Scenario • Improper or early revenue recogniSon • Falsifying revenue • Earnings manipulaSon through reserves • Recording pending transacSons as completed transacSons Oversta5ng Assets • Improper valuaSon of securiSes, inventory, fixed assets Understa5ng Liabili5es • Hiding losses in future reporSng periods and Expenses • UnderstaSng expense account balances • Reclassifying (capitalizing) expenses as assets • Improper valuaSon or manipulaSon of intercompany accounts Improper Note Disclosure • Omission of material conSngencies or subsequent events Non-­‐financial • Falsifying external documents to suppliers • Internal memorandums give misleading informaSon • Publicly announced unsubstanSated informaSon Management Es5mates • ManipulaSon of management esSmates for receivables, goodwill or depreciaSon © 2012 Sunera LLC. All rights reserved
94
© 2012 Sunera LLC. All rights reserved
95
FRA -­‐ Purpose n  IdenSfy and recognize fraud risks in the organizaSon n  Determine the likelihood n  Determine how to manage and miSgate fraud risk n  Determine criScal informaSon n  IdenSfy systems that process, store, or transmit criScal informaSon used for red flag idenSficaSon n  Discover vulnerabiliSes n  Create new processes, controls and procedures for miSgaSng fraud risk © 2012 Sunera LLC. All rights reserved
96
FRA All fraud risks are idenSfied and assigned a risk raSng © 2012 Sunera LLC. All rights reserved
97
Why Conduct a FRA? n  Legal duty of care to shareholders n  Professional Standards –  ACFE –  IIA –  AICPA n  Regulatory Compliance n  Indirect & direct costs of fraud n  Exposure idenSficaSon where the internal control environment may have limitaSons, i.e. collusion n  Fraud is a business risk to be managed, not just a compliance issue © 2012 Sunera LLC. All rights reserved
98
Why Conduct an FRA (cont)? n  TradiSonal risk assessments link risks to the organizaSon’s key objecSves. Fraud can be overlooked during this type of review if it is not considered a core company objecSve. n  A fraud risk assessment expands upon the tradiSonal risk assessment. It is scheme and scenario based rather than based on control risk or inherent risk. n  Assessment teams must be able to idenSfy the potenSal schemes and scenarios impacSng the industries and geographic markets in which the organizaSon conducts business. © 2012 Sunera LLC. All rights reserved
n  Evaluate fraud risk factors -­‐ IdenSfy possible fraud schemes & Scenarios n  PrioriSze idenSfied fraud risks n  Evaluate whether miSgaSng controls exist or are effecSve n  Document the risk assessment process & conclusions n  Conduct periodic reviews and updates 99
Planning the FRA Pi|alls n Management does not take responsibility for the FRA n The FRA is not risk-­‐
based n The FRA is too broadly based RecommendaSons n  Management should own the FRA and have significant input into the FRA. –  Educate the Board and External Auditors on the FRA – get their support/ buy-­‐in n  The FRA should be risk-­‐
based n  The FRA should be focused on the higher risk areas © 2012 Sunera LLC. All rights reserved
100
Planning the FRA Pimalls n  The planned approach is Recommenda5ons n  The planned approach should contrary to the organizaSonal fit into the organizaSonal culture culture – consider a mixed approach, e.g., interviews and n  The organizaSon does not have group brainstorming sessions the necessary skill sets to perform the FRA n  Hire in the necessary skill sets (employees/consultants) n  The FRA process does not include the appropriate people n  Consider who should be involved as part of the n  The FRA is not systemaSc and planning process recurring n  The FRA should be systema5c and recurring © 2012 Sunera LLC. All rights reserved
101
Who Should be Involved? n  C – Suite Officer –  CEO –  CFO –  CIO –  General Counsel –  Chief Compliance Officer n  Management –  Business Unit Managers –  Sales –  MarkeSng –  Human Resources © 2012 Sunera LLC. All rights reserved
n  AccounSng –  Controller –  AccounSng Manager –  AccounSng Supervisors n  Oversight –  Internal Audit –  Board of Directors –  Audit Commi^ee –  External Auditors 102
© 2012 Sunera LLC. All rights reserved
103
Step 1 – Iden5fy and Evaluate Fraud Risk Factors 1.  Schedule interviews and develop the approach. 2.  IdenSfy fraud risk factors at the en5ty level, significant loca5ons, accounts and business process level. : Consider whether each fraud risk factor indicates the existence of an incenSve/pressure, opportunity or a}tudes/
raSonalizaSons. 3.  For each idenSfied fraud risk factor, idenSfy the account balances and potenSal errors that may be affected and assess the fraud risks. © 2012 Sunera LLC. All rights reserved
104
Step 1 – Iden5fy and Evaluate Fraud Risk Factors Pimalls n  Fraud Risk Factors are not considered n  ExisSng controls are considered n  The potenSal for management override of controls is not considered n  Interviews are not value-­‐
added Recommenda5ons n  Use the Fraud Triangle to explain the significance of fraud risk factors and to iniSate thinking n  Do not consider controls EXCEPT when considering the potenSal for management override n  Develop interview approach that matches area and culture © 2012 Sunera LLC. All rights reserved
105
Step 1 – Iden5fy and Evaluate Fraud Risk Factors n  IdenSfy fraud risk factors at the enSty level, significant locaSon, significant account and business process level. Consider whether each fraud risk factor indicates the existence of incenSve, pressure, opportunity or a}tude and raSonalizaSon. n  IdenSfy incenSves / pressures to commit fraud, opportuniSes to commit fraud, or a}tudes / raSonalizaSons to jusSfy fraud. –  Personnel from various levels of the organizaSon should be involved in the process. –  Consider internal and external (e.g., regulatory, industry) influences. © 2012 Sunera LLC. All rights reserved
106
Step 2: Iden5fy Possible Fraud Risks, Schemes and Scenarios 1.  IdenSfy fraud risks and determine if the fraud risks are pervasive or specific. 2.  Brainstorm specific fraud schemes that could result from the specific risks idenSfied. 3.  For each fraud scheme, idenSfy internal and external parSes who could be involved with reference to incenSves/
pressure, opportuniSes, a}tudes & raSonalizaSons. © 2012 Sunera LLC. All rights reserved
107
Step 2: Iden5fy Possible Fraud Risks, Schemes and Scenarios Pimalls n  The schemes are too general, not allowing for sufficient consideraSon of risks and prevenSng appropriate level of mapping to controls n  The schemes do not consider the potenSal for management override of controls n  The schemes do not consider the potenSal for collusion Recommenda5ons n  Detail each scheme by considering: –  Why? –  Who? –  What? –  Where? –  When? –  How? n  Brainstorming ineffecSve © 2012 Sunera LLC. All rights reserved
108
Step 3: Priori5ze Iden5fied Fraud Risks n  Evaluate possible fraud schemes by: –  Type –  Likelihood –  Significance –  Pervasiveness n  Consider Inherent Risk RaSng (IRR) © 2012 Sunera LLC. All rights reserved
109
Step 3: Priori5ze Iden5fied Fraud Risks Pimalls n All fraud risks are considered equally important Recommenda5ons n PrioriSze the idenSfied fraud risks based on likelihood and significance © 2012 Sunera LLC. All rights reserved
110
Step 3: Priori5ze Iden5fied Fraud Risks n  Evaluate possible fraud schemes by type, likelihood, significance and pervasiveness. Arrive at inherent risk level for each scheme. © 2012 Sunera LLC. All rights reserved
111
4. Evaluate the Controls’ Existence and Effec5veness 1.  Link fraud schemes to miSgaSng controls. Assess whether each mapped or linked control acSvity is preventaSve or detecSve in nature. 2.  Evaluate the effecSveness of controls to determine if they sufficiently miSgate the risk of the idenSfied fraud schemes (control gap analysis). 3.  Evaluate the residual fraud risk. © 2012 Sunera LLC. All rights reserved
112
4. Evaluate Mi5ga5ng Controls n AnSfraud control acSviSes can be preventa5ve or detec5ve in nature – Preventa5ve controls are designed to miSgate specific fraud risks and can deter frauds from occurring – Detec5ve control acSviSes are designed to idenSfy fraud if it occurs. DetecSve controls can also be used as a monitoring acSvity to assess the effecSveness of anSfraud controls and may provide addiSonal evidence of the effecSveness of anSfraud programs and controls. © 2012 Sunera LLC. All rights reserved
113
4. Evaluate Mi5ga5ng Controls n  Special consideraSon should be given to the risk of management override of controls. n  Some programs and controls that deal with management override include: –  AcSve oversight from the audit commi^ee –  Whistle-­‐blower programs and a system to receive and –  InvesSgate anonymous complaints; and –  Reviewing journal entries and other adjustments for evidence of possible material misstatement due to fraud. © 2012 Sunera LLC. All rights reserved
114
4. Evaluate Mi5ga5ng Controls Pimalls Recommenda5ons n  Where gaps are idenSfied, no n  Design and implement controls to n  Future changes in risk are not n  The FRA should be iteraSve and n  EffecSveness of controls is not n  EvaluaSng the effecSveness of the n  Mapping is done incorrectly and n  Only map those controls idenSfied as remediaSon efforts are made incorporated into the FRA and remediaSon is not performed evaluated close idenSfied gaps should be reassessed at least annually and when there is a significant change in the control environment controls without consideraSon of exisSng controls and documentaSon significant n  IdenSfy enSty level controls that will assist in miSgaSng remaining residual risk n  Leverage of exisSng efforts and controls © 2012 Sunera LLC. All rights reserved
115
Results © 2012 Sunera LLC. All rights reserved
116
Risk Map Ra5onale © 2012 Sunera LLC. All rights reserved
117
Step 5: Risk Treatment 1.  Prepare a Fraud Risk AcSon Plan to treat and miSgate fraud risk schemes requiring a^enSon. 2.  Implement Fraud Risk AcSon Plan. © 2012 Sunera LLC. All rights reserved
118
Step 5: Risk Treatment n  Prepare a Fraud Risk Ac5on Plan to treat and mi5gate fraud risk schemes requiring aoen5on. –  Controls should be implemented or enhanced for idenSfied fraud schemes where controls are not already present, inadequately designed or poorly implemented. –  Ensure overall responsibility is assigned to responsible personnel to monitor control implementaSon as detailed in the Fraud Risk AcSon Plan. –  This responsibility could be defined in the Fraud Control Policy of the enSty or specified elsewhere. –  The Audit Commi^ee should oversee the enSre process. © 2012 Sunera LLC. All rights reserved
119
Documen5ng the FRA n  DocumentaSon may include: –  Spreadsheet lisSng idenSfied risks, controls and evaluaSons –  “Heat map” summary of key risks –  Process narraSve –  Minutes of fraud brainstorm sessions –  Copies of instrucSons and reference materials provided to ParScipants –  E-­‐mail and other correspondence related to the process –  Minutes of audit commi^ee meeSngs during which management’s fraud risk assessment was presented, reviewed, discussed, or approved © 2012 Sunera LLC. All rights reserved
120
Monitoring the FRA – Keep it Current n  Conduct quarterly updates n  Imbed on-­‐going FRA in 404 efforts n  Re-­‐visit FRA as part of ERM acSviSes n  Report changes and updates to Sr. Team and Board on a quarterly basis n  Update FRA for changes in the business and/or business environment (economy, industry, changes in compeStor businesses) n  Use the FRA to refine and focus internal audit tesSng © 2012 Sunera LLC. All rights reserved
121
© 2012 Sunera LLC. All rights reserved
122
An5-­‐Fraud Response n  An increase in any element in the triangle increases the risks of fraud. An9-­‐fraud controls are built to deter or prevent the ability, incen9ve, and opportunity to commit fraud. © 2012 Sunera LLC. All rights reserved
123
An5-­‐Fraud Response n  Managing key fraud risks –  IdenSfied fraud risks in key operaSonal and financial areas can be miSgated by: •  Strengthening existing procedures
•  Implementing new procedures and controls
!
© 2012 Sunera LLC. All rights reserved
124
Top Fraud Risk and Response n  Customize Response to IdenSfied Fraud Schemes and Scenarios © 2012 Sunera LLC. All rights reserved
125
© 2012 Sunera LLC. All rights reserved
126
© 2012 Sunera LLC. All rights reserved
127
© 2012 Sunera LLC. All rights reserved
128
Why Interview for Fraud?
n People actually admit they have commi^ed fraud, abuse, or other illegal acts when confronted n People who have knowledge of wrongdoing but are not involved in fraud oHen will not come forward (in most cases) with informaSon unless asked n Quickly idenSfies control weaknesses © 2012 Sunera LLC. All rights reserved
129
What is Communication?
n  The process of effecSvely sending and receiving informaSon, thought, or feeling. n  Whether verbal or nonverbal communicaSon, it is essenSal that we analyze communicaSon (1) within context, and (2) as a pa^ern. © 2012 Sunera LLC. All rights reserved
130
Modes of Communication
Five methods/modes of communicaSon: n  Nonverbal n  Reading
n  Speaking n  WriSng n  Listening © 2012 Sunera LLC. All rights reserved
131
Nonverbal Communication
n  Over half of our communicaSon is made up of nonverbal communicaSon or body language, n  Tone makes up about one-­‐third of our communicaSon, n  Less than twenty percent of communicaSon is made up of the words we use. © 2012 Sunera LLC. All rights reserved
132
Nonverbal
n  The Head –  Tilted to one side indicates listening –  Chin dropped to chest indicates acceptance of guilt or depression n  The Face –  Turns pale –  Becomes flushed, red, or splotchy –  Onset of Scs © 2012 Sunera LLC. All rights reserved
133
Nonverbal
n  The Nose –  Touching nose indicates stress n  The Mouth –  Yawning conSnuously –  Yawning to stall or fake boredom –  Placing pens and other objects in mouth n  The Eyes –  ShiHing eye behavior © 2012 Sunera LLC. All rights reserved
134
Nonverbal
n  The Eyes –  Blink rapidly –  Look away during certain responses –  Stare intently during certain responses n  The Arms and Shoulders –  Arms crossed and hands clenched –  Shrugging shoulders to quesSons © 2012 Sunera LLC. All rights reserved
135
Nonverbal
n  The Hands –  Finger tapping or drumming –  Playing with jewelry –  Checking watches –  Wringing hands n  The Legs –  Crossing/uncrossing legs –  Bouncing legs © 2012 Sunera LLC. All rights reserved
136
Nonverbal Clusters
n  Nonverbal signals come in clusters. n  No signal by itself tells you anything. n  Consider all signals as part of a pa^ern. –  Examples: Subject sits behind a desk or table and leans toward the door, quivering chin and crossed arms with clenched fists, deep sigh and slumping shoulders, crossing hand behind head and yawning © 2012 Sunera LLC. All rights reserved
137
Communication Analysis
n  What did the subject say? n  What did the subject NOT say? n  Vocabulary, parts of speech, syntax, and structure form the basis for analyzing communicaSon. © 2012 Sunera LLC. All rights reserved
138
Key Words / Phrases
n  Adverbs – –  “I usually [but not always] unlock the safe.” –  “I normally [but not always] reconcile the accounts.” –  “Basically [but not completely], that’s what happened.” –  “Mostly [but not always], I get a second signature.” © 2012 Sunera LLC. All rights reserved
139
Key Words / Phrases
n  Adverbs – –  “I rarely [but not exclusively] speak with him anymore.” –  “I hardly knew him [but I did know him].” © 2012 Sunera LLC. All rights reserved
140
Adjectives
n  Dishonest subjects oHen omit adjecSves altogether or qualify their remarks – “I think…” © 2012 Sunera LLC. All rights reserved
141
© 2012 Sunera LLC. All rights reserved
142
Fraud Interviews n  Create a list of 10 standard Fraud quesSons you would have listed to uSlize © 2012 Sunera LLC. All rights reserved
143
Example Ques5ons n Do you think the Company has a problem with fraud? n If employees or managers are stealing from the Company, why do you think they do it? n Frequently, small theHs by employees can add up to a lot of money. If you knew another employee was stealing, what would you do? © 2012 Sunera LLC. All rights reserved
144
Example Ques5ons n  Do you know of anyone who might be stealing or taking advantage of the Company? n  Suppose someone who worked for the Company decided to steal or commit fraud. How could they do it and get away with it? n  In your opinion, who is beyond suspicion when it comes to commi}ng fraud at this Company? n  Is there any other informaSon you wish to provide regarding any possible fraud within this Company? © 2012 Sunera LLC. All rights reserved
145
Making “rou5ne”inquiries about fraud… n Inquire of management about: –  Knowledge of any fraud or suspected fraud –  Any allegaSons about fraud –  Risks of fraud in the enSty –  Programs and controls that miSgate these risks –  Monitoring of operaSng locaSons and business segments; and any locaSons or segments that might have higher fraud risk –  If (and how) management communicates its view on business pracSces and ethics –  Any fraud-­‐related reports it has made to the audit commi^ee © 2012 Sunera LLC. All rights reserved
146
Making “rou5ne” inquiries about fraud… n  Inquire directly to the audit commioee about: –  The commi^ee’s views on fraud risk –  Any knowledge of fraud or suspected fraud –  MiSgaSng controls –  How the commi^ee exercises oversight in this area © 2012 Sunera LLC. All rights reserved
147
Making “rou5ne” inquiries about fraud… n  Inquire of internal audit personnel about: –  Their views about fraud risks –  Any knowledge of fraud or suspected fraud –  Any fraud-­‐related work they have done –  The adequacy of management’s responses to any fraud-­‐
related findings © 2012 Sunera LLC. All rights reserved
148
Making “rou5ne” inquiries about fraud… n Inquire of other personnel about the existence of fraud or suspicion about fraud: –  To learn more about or corroborate what others have said about fraud risk –  To allow individuals an opportunity to convey informaSon that might not otherwise be communicated –  To obtain perspecSves that are different from that of individuals involved in financial reporSng –  To learn more about management’s ability to override controls –  To determine how effecSvely management has communicated standards of ethical behavior © 2012 Sunera LLC. All rights reserved
149
Ques5on Types n  Open or Indirect n  Closed or Direct n  Probing or follow-­‐up © 2012 Sunera LLC. All rights reserved
150
Open Ques5ons n  Cannot be answered with yes/no response. n  Pros: Useful when you’re not sure of what informaSon you need or if you want to know how someone feels about an issue. n  Cons: Can take a lot of Sme and requires more note taking, more difficult to control, and interviewee may not be sure of what you want. © 2012 Sunera LLC. All rights reserved
151
Closed Ques5ons n  Answered restricted to a few choices (yes/no) n  Pros: Useful when answers require li^le or no explanaSon, saves Sme, and makes it easy to tabulate results. n  Cons: Limits informaSon that can be obtained © 2012 Sunera LLC. All rights reserved
152
Probing/follow-­‐up Ques5ons n  Asking another quesSon to clarify or obtain further informaSon about a interviewee’s response. n  Pros: Useful when the interviewee provides inadequate answers, sSmulates discussion, and can be used to resolve inconsistencies. n  Cons: Can make interviewee become defensive © 2012 Sunera LLC. All rights reserved
153
Ques5oning the Subject n  ConfronSng the Subject –  Avoid confrontaSon unSl later in the interview –  Handle and manage confrontaSon to your advantage -­‐ be^er to focus on clarificaSon “I am confused. You told me that you always got a second signature on checks over $5,000. However, you told me you signed the check to Jeff Hardware, Inc. and mailed it. Am I missing something?” © 2012 Sunera LLC. All rights reserved
154
Ques5oning the Subject n  Go from broad to the specific. n  Move from the indirect to the direct to elicit informaSon. n  Allow the subject to speak. The role of the interviewer is to observe, to guide, to steer, to collect, and most importantly, to listen. © 2012 Sunera LLC. All rights reserved
155
Review of Interview Material n  Confirm with subject that the informaSon provided is accurate. n  Go criScal point by point and get affirmaSve verbal responses from subject. Make correcSons when necessary. n  Is there any other informaSon relevant to our discussion that we have not covered? © 2012 Sunera LLC. All rights reserved
156
Closing and Rela5onship Building n  Thank subject for Sme. n  If applicable, thank subject for cooperaSon. n  May be good to repeat quesSon about any further informaSon not covered. © 2012 Sunera LLC. All rights reserved
157
Conduc5ng the Interview n If something is not clear, keep asking n Use follow-­‐up quesSons as needed to clarify issues n Drill-­‐down on an issue n Don’t let your quesSon go unanswered © 2012 Sunera LLC. All rights reserved
158
Interview Dont’s
n Don’t ask more than one quesSon at a Sme. n Don’t jump to conclusions n Don’t assume you know the response n Don’t interrupt or debate with the interviewee n Don’t monopolize the conversaSon (70/30 rule) n Don’t think about the next quesSon n Don’t read documents n Don’t be annoying (finger tapping, clock watching) © 2012 Sunera LLC. All rights reserved
159
Note Taking n  Note taking Sps: –  Do not record the interviews –  Take accurate and complete notes, but do not distract the interviewee –  Try to avoid taking notes when the interviewee is talking about a sensiSve subject –  Begin each interview on a clean page. –  Try to have a a separate person take notes while the interviewer asks the quesSons. © 2012 Sunera LLC. All rights reserved
160
Note Taking n  IdenSfy the date, Sme, and place of the interview and all individuals present during the interview. n  Obtain biographical data for the subject, including telephone numbers, posiSon, Stle, etc. n  IniSal and date the notes. © 2012 Sunera LLC. All rights reserved
161
Note Taking n  Document the interviewer’s quesSons. n  Take verbaSm notes if possible, Concentrate on subject’s responses to: –  Nouns –  Pronouns –  Verb Tense –  Qualifiers –  Indicators of responsibility, innocence, or guilt © 2012 Sunera LLC. All rights reserved
162
Advanced Interviewing Skills n  More experienced auditors, not new staff, should do these interviews n  Be prepared, but do not follow a checklist n  Put the subject at ease n  Be conversaSonal n  Make good eye contact n  Get the subject talking…let subject talk © 2012 Sunera LLC. All rights reserved
163
Interview versus Interroga5on Interview Interroga5on n  Purpose is to gather n  Purpose is to get a n  Non-­‐accusatory n  Free-­‐flowing n  Interviewer speaks 5% n  Stay within social zone n  Note taking O.K. n  No Miranda warning n  Accusatory n  Structured n  Interrogator speaks 95% n  Start at personal zone, move informaSon required
confession to inSmate zone n  No notes (unSl aHer confession) n  No Sme limit © 2012 Sunera LLC. All rights reserved
164
Zero Tolerance? n Apply top-­‐down approach! –  Involve board & senior management –  Threats posing greatest fraud risk receive most a^enSon –  MiSgate unacceptable vulnerabiliSes to ensure idenSfied fraud risks do not exceed risk appeSte © 2012 Sunera LLC. All rights reserved
165