“RAISE THE RED FLAG” · WorldCom Scandal CMS Energy Round Trip Trades 2003 Massive Mutual Fund...

“RAISE THE RED FLAG”AN AUDITORS WORKING GUIDE TO EVALUATING FOR FRAUD

Lynn Fountain, CGMA, CRMAwww.lynnfountain.netfountainlynn1@gmail.com

Raise The Red Flag• RaisetheRedFlag combinesprinciplesandtheoriesoffraudpreventionanddetectionwithreal-worldscenariosandhands-onprocedures.

• Whetheryouaredeterminingyourinternalauditdepartment’spreparednesstosupportyourorganization’santi-fraudeffortsorinvestigatingactualallegationsoffraud, RaisetheRedFlag providesvaluabletechniquesandapproachesyoucanputintopracticerightaway.

• Withprofessionalskepticismandaquestioningmind,internalauditorswillknowwhentoraisetheredflag– andwhattodoaboutit

Introduction• Thetopicoffraudcontinuestobeontheradarofinvestors,shareholders,andregulators.

• RecentfraudsurveybyKrollAdvisoryfoundthattheproportionofcompaniesthatsufferedanincidentwasapproximately75%.

• However,ongoingtechnologicaladvancesinITinfrastructure,newandemergingfraudmethodsarecontinuallybeingidentified.

Introduction• Auditorsarenotexpectedtohavethespecialtyexpertiseofforensicinvestigators.

• Shouldmaintainadequateknowledgeoftheaspectsoffraudandaskepticalmindwhenreviewingpotentialviolations.

• Fraudcontinuestoevolveandauditorsmuststayabreastofitsrootcausesandsuggestedmitigationandinvestigationtechniques.

• WhetheryouarepartofalargeIAorsmallIAgroup,itisimportantforallauditprofessionalstounderstandprocessesthatcouldinvolvefraud.

US Fraud Stats – Kroll Global Fraud Report

2015-2016 2013-2044Prevalenceofcompaniesaffectedbyfraud

75% 66%

Average% ofrevenuelosttofraud

.9% 1.2%

Areasoffrequentloss • Theftofphysicalassets–22%• Vendor, supplier,

procurement- 19%• Informationtheft,lossor

attack- 17%

• Managementconflictofinterest-21%

• Informationtheft,lossorattack–20%

• Theftphysicalassets–20%

Biggestdriverofincreasedexposure

• Highstaffturnover – 34%• Increasedoffshoringand

outsourcing– 15%• Increasedcollaboration

betweenfirms– 14%

• ITcomplexity– 44%

Agenda• Thepsychologyoffraud.• Examinehowpastfraudincidentshaveimpactedtheauditor’srole.

• IPPFresponsibilitiestocomplywithfraud.• EmployingCOSO2013conceptswithininternalauditfraudwork.

• Understandingfraudredflags- actualfraudandcontrolgaps.

• Fraudevaluationvs.fraudinvestigation.• Newagedigitalfraud.• Fraudreporting.

PSYCHOLOGY OF WHITE COLLAR CRIMEConnection to Fraud Triangle and Fraud Diamond

Fraud Defined• Fraudisanyintentional actoromissiondesignedtodeceiveothers.• Resultsinthevictimsufferingalossand/ortheperpetratorachievingagain.

• Organizationdon’twanttobelievefraudcanoccurintheircompany.• Iffraudisidentified,thereisadesireto“handleitourselves”.

• Auditorsandorganizationsmustbeawareofcertainpsychologicalaspectsoffraud.

Companies affected by Fraud and Vulnerable To ITTypesofFraud %

Companiesimpactedinpast12months

%Describingthemselvesashighlyormoderatelyvulnerable

IPtheft 45% 37%

Theftofphysicalassets 22% 62%

Vendor, supplierorprocurementfraud

17% 49%

Information theft 14% 51%

ManagementCOI 12% 36%

Regulatoryor compliancebreach 12% 40%

Corruptionandbribery 11% 40%

Internal financialfraud 9% 43%

Companyfundmisappropriation 7% 40%

Moneylaundering 4% 34%

Marketcollusion 2% 26%

Perpetrators ofknownfraud %offirmshitbyfraudwheresomeoneinnamedgroupwasperpetrator

Junioremployees 45%

Seniorormiddlemanagement 36%

Moneylaundering 34%

Agents andintermediaries 23%

Vendors,Suppliers 18%

JVpartners 8%

Regulators 7%

Customers 5%

Governmentalofficials 3%

Other 3%

Source: Kroll 2015/2016 Fraud Report

Top 5 Drivers of Increased Fraud Risk• Highstaffturnover– 33%• Increasedoutsourcing/offshoring– 16%• Entrytonew/riskermarkets– 13%• Complexityofproductsorservicessold– 11%• Increasedcollaborationbetweenfirms– 10%

Source: Kroll 2015/2016 Fraud Report

Fraud Evolution• Whydoesthetopicoffraudseemsoprevalent?• Majorcorporatedownfalls,• Newlegislation/regulation,• High-profilecases,• Increasedfraudawarenessbyconsumers,

• Enhancedinformationtechnologyprocessesandcyberfraud,

• Moresophisticatedfraudsters.

Psychological Dynamics of Fraud• Isallfraudintoday’sbusinessworldconnectedafinancialloss?• Ultimatelyitmaybeextrapolatedtosomelossbutistherealternativemotivepossibilities?• Doeseveryonesharethesamemoralcompass?• Howdoindividualsdefinewhatisright/wrong?• Iseverythingalwaysblackandwhite?(Shouldmedicalmarijuanabelegal?)

• Howdoperceptionsimpactreality?• Howdotoday’spressuresimpactthepsychologyofindividualswhomaycommitfraudulentacts?

Fraud Theories

Fraud Triangle Fraud Diamond

Think Out of The Box• Thefraudtrianglelistspressureasthefirstlegwithopportunityandrationalizationfallingnext.

• Today’sbusinessenvironmentbegsthequestionofwhether“pressure”istrulylegone.

• Individualswhoperpetratefraudmaydosobecausetheyfirst:• Recognizethe“opportunity”andthen…• Findsomewayto“rationalize”theirbehavior.

• Pressureiscertainlyanelementbutmaynotalwaysbethedrivingforce.

Opportunity Considerations• Auditorsrecognizeopportunitycantiecloselytopoorlydesignedcontrols,controlgapsorcontrolavoidance.

• Controlgapscreateopportunityforthefraudstertotakeadvantageofanduseittoperpetuatefraud.

Opportunity Considerations• Opportunityextendsbeyondthisdefinedconcept.

• Personwhoidentifiesopportunitytoperpetuateafraudthroughapoorlydesignedcontroldoesnotnecessarilyhavetobeapersoninatrustpositionoracurrentfinancialpredicament.

• Inoriginalfraudtriangletheory,thepersonmustseesomewayhecanusehispositionoftrusttosolvehisfinancialproblemwithalowperceivedriskofgettingcaught.

Added Dimension: Capability Concept• Individualswhocommitfraudhavecertaintraitsthatallowthemtohavethecapability tocarrythroughontheiractions.

• Technical skillstounderstandopportunityandtakeadvantage.

• Coercionskillstoconvinceotheremployeestomisstateinformation,becomplicitin/concealthefraud,orassistwithcarryingouttheactualfraud.

• Deceptionskillstolieandmaintainlieovertime.

Added Dimension: Capability Concept• Ability todealwiththestressofcontinuingthedeception.

• Organizationalpositioning providesopportunitynotavailabletoothers.

• Intelligencetounderstand/exploitinternalcontrolweakness.

• Egotobelievetheywillnotbedetected.• Stressmanagementskillsthatallowthepersontomanagestresswellasthefraud.

The Psychology Behind Fraud• Auditorlesson- takethecapabilitytraitsintoconsiderationwhenattemptingtoprioritizeormeasurethefraudthreatpotentialofidentifiedcontrolweaknesses.

• Inclusionofthisconsiderationmayassisttheauditorinappropriatelycalibratingcontrolfindings.

• Considerhowyourorganizationsetstheir“moralcompass”.

• Doesmanagementuseconsistenttheorieswhendetermining“whatisright”?

Examples – Digging Deeper• AuditorInquiry:“Tellmeabouthowtheresourcingforyourdepartmenthasbeenmanagedoverthepastfewyears.”

• Listenfor“clues”thatrepresentpressureonresourcingissues.• Indicationofhighturnover?Canyouidentifyrootcause?• Constraintstofillopenpositions?Impactonemployees?Excessiveovertime?Areemployeesrequiredtoonresponsibilitiesnotpartofnormaljob?

• ResourcingissuesduetoLTperiodsofPTObycertainemployees– isthereunduepressureonotheremployees?

• Isthereexcessiveovertimewhichmayputpressureonpersonnel?Isthereareasonwhythedepartmenthasnotbeenabletoaddresources?

Lessons Learned• Rememberthefraudtriangle!

• Rationalization,opportunity,pressure.• Considerimplicationsofthefrauddiamond.• Managementmustmakebesteffortstodefineblackvs.white.(Difficultconcept).

• Leavingjudgmentsopenforinterpretationwillimpactoutcomes.• Withoutcleardefinitionoutcomesbecomedependentonindividualmoralities.

• Theclearerthepath……

Past Fraud Incidents

SECallegesEnronFalseFilings

Xeroxfalsifiedearningsfor5years

SECinitiatesEnroninvestigation

BristolMyersinflatedrevenuesby$1.5M(channelstuffing

AAConvictedandbeginstofallapart

Adelphia($3.1Binoffbalancesheetloans

AOL,Tyco,WorldComScandal

CMSEnergyRoundTripTrades

MassiveMutualFundFraud

HealthSouthindictedon85countsofconspiracy

MarthaSteward

FreddieMacEarningSmoothing

HCApays$1.7Btosettle9yearfraud.

2004-2006

FannieMaetorestateearningsbackto2001

Stewardconvicted

Ebbersconvicted

Skilling/Layconvicted

Broadcomandoptionsscandal

NewCenturyandBearSternsBankruptcy

FannieMaylossescontinue

WSJaccusesbanksofLiborScandal

SalyamCEOresignsandadmitsfraud

Madoffsentencedto15years

FormerLouisianaUniversityDeanpleadsguiltytofraud

BPagreestopay$20B

AuditorsforWAMUtestifyinfrontofcongress

2008-2009 2011

J&Jagreesto$77MFCPAsettlement

FirstcompanyconvictedunderFCPA

DirectoratGoldmanSach,pays$10Mtosecurebailforchargesofinsidertrading.

Olympusscandal

2012-2013

GlaxoSmithKlinefraud

CapitolOnefined$210Mdeceivingcustomers

Wal-MartAllegations

FiestaBowlchiefguiltyfunnelingpoliticalcontributions

BestBuyScandalLiborRigging

911Firefighterdisabilityfraudclaims

Targetcreditcardhacking

20162014- 2015

Portfoliomanager- SACCapitalAdvisershedgefundfoundguiltyon5countsofinsidertrading.Resultedinconvictionsof77people.

JPMorganChasepaid$2.6BtotheU.S.govt.B.MadoffvictimstosettleallegationsthebankfailedtotellauthoritiesaboutsuspicionsoffraudatMadoff'sfund.

WorldHealthAlternativesCEOsentencedfor$41Mfraudscheme.

TheIRSpaid$3.6Binfraudulenttaxrefundstoidentitythieves.

Sept.2016,MichaelHudson orderedtopayrestitutionof$3.1MtoFrisch’sRestaurant,$505KtoTravelersInsuranceand$970KtotheIRSforwirefraudandfalseIRSreturns.

LogitechInternationalpaid$7.5Mforfraudulentlyinflatingfiscalyear2011financialresultstomeetearningsguidanceandcommittingotheraccounting-relatedviolationsduringa5yr.period.

ThreeexecutivesatEner1paidpenaltiesforthecompany’smateriallyoverstatedrevenuesandassetsforyear-end2010andoverstatedassetsinthefirstquarterof2011.

FRAUD AND THE IPPF FRAMEWORK

Auditors and the IPPF• Asinternalauditors,welooktoTheIIA’sIPPFtoguidehowwecanmosteffectivelyexecuteourresponsibilities.

• ThemannerinthesestandardsareappliedmayvarydependentonmanyfactorsincludingIA’sstatedcharterandstaffing.

• Fraudandallofitsimplicationsisoneofthoseareasthathasbeenmanagedavarietyofwaysbyorganizations.

• WiththeimpetusoftheCOSO2013updateorganizations’responsibilitiesforassessingtheriskoffraudhavebecomeclearer.

IPPF Standards Related to Fraud• DoesyourorganizationunderstandandrecognizetheIIAstandardrequirements?

• WhenwasthelasttimeyoureviewedtherequirementswithyourCFO/CEOorauditcommittee?

• Manyauditcommittee’sandmanagementdonotfullyunderstandandembracetheIIAstandards.Why?

Auditors and the IPPF• InternalauditorscanapplytheprinciplesinCOSO’s2013tosolidifytheirroleandhowtheyworkwithmanagementonvariousfraudinitiatives.

• AuditorsshouldensuretheirworkdirectlysupportstheStandards,includingStandard2120.A2,RiskAssessment:• “Theinternalauditactivitymustevaluatethepotentialfortheoccurrenceoffraudandhowtheorganizationmanagesfraudrisk.”

• HowdoesyourorganizationmeetStandard2120.A2?

When Management Objects?• Managers mayperceivethatincluding“fraud”testsduringanauditreflectsbadlyontheirabilitiestomanageaprocessarea.• Includingfraudtestsmayseemlikeanaccusationaboutimproperactsoccurringwithintheirsphereofcontrol.

When Management Objects?• IAmustbeabletoprovidemanagementwithsufficientinformationaboutwhysuchevaluationsareappropriate.

• ConsiderclarifyingtheIndividualObjectivityStandard1210.A2:• “Internalauditorsmusthavesufficientknowledgetoevaluatetheriskoffraudandthemannerinwhichitismanagedbytheorganization,butarenotexpectedtohavetheexpertiseofapersonwhoseprimaryresponsibilityisdetectingandinvestigatingfraud.”

IPPF Standards and Auditor’s Challenge• TheIIAisnotalawmaking/enforcingbody.• Theyestablishguidelinesandstandardsthatarenotalwaysrecognizedbyallorganizations.

• Therearenopenaltiestoorganization’sfornotfollowingstandards.

• Auditor’sdonotcarrya“licensetopractice”

• ProfessionisnotviewedinthesamemannerasthosethatmaycarryalicensetopracticelikelawyersandCPAs.

IPPF Standards• Auditorsmusttakeapro-activeapproachtoeducatingmanagementandtheboardontheIIAstandardsandrelatedbenefits.

• Thisincludesensuringmanagementunderstandsthestandardsrelatedtotherequirementsforfraudevaluations.

• HOWEVER– InternalAuditmustensuretheyarequalifiedandpreparedtoengageinthevarioustypesoffraudrelatedwork.• Don’tjustdoitbecauseitsoundsinteresting.

• WhatroleshouldIAplay?

1. ClarifytomanagementtheIPPFstandards.2. Establishinternalprocedurestosupportinternalauditors

whenexecutingoncompetencyandprofessionalskepticism.3. Haveastructuredfraudmethodologyinplaceforinternal

audit.4. Ensureprofessionalsassignedtofraudworkhavethe

organizationalknowledgeandperceivedstandingtoadequatelyexecuteontheirprofessionalskepticism.

5. Neversendanauditoronafraudinterviewalone.6. Encourageauditorstocheckthefactstwiceand assess

evidencewithoutbeingoverlycriticalorsuspicious.7. Followalltrailsofevidence.

Potential Steps• ClarifytomanagementtheIPPFstandards.

• Internalauditorshaveguidelinesjustlikelawyersanddoctors.

• Ensureyourgrouphastheabilitytomeetthecompetencystandardsrelatedtofraudevaluations.• Ifyoudon’thaveadequatequalifications,executionmaybeadifficultthing.

• Establishinternalprocedurestosupportinternalauditorswhenexecutingoncompetencyandprofessionalskepticism.

Internal Steps• Haveastructuredfraudmethodologyinplaceforinternalaudit.• Methodology shoulddefinehow,when,whyetc.youwillgetinvolvedwithissuesthatmaybeinvolvedinfraud.

• Protocol shouldincludecommunicationprocedureswithmanagement,theboardandanyregulatoryauthorities.

• Involve yourLegalgroup– Knowtherulesofevidence.• Understandthedifferencebetweenidentifyingredflagsandidentifyingfraud.

• Knowthedifferencebetweendoingafraudinvestigationversusafraudevaluation.

• Understand thetypesoffraudprevalentinyourindustry.

Internal Steps• Ensureprofessionalsassignedtofraudworkhavetheorganizationalknowledgeandperceivedstandingtoadequatelyexecuteontheirprofessionalskepticism.

• Acknowledge noteveryoneusesthesameapproach.• Noteveryonewillcometothesameconclusionormakethesameintuitiveinterpretation.

• Quickestwaytostopprofessionalsfromexercisingaquestioningmindistotightentheropeeverytimeamisjudgmentoccurs.

Internal Steps• Neversendanauditoronafraudinterviewalone.

• Evenanexperiencedauditor,canhaveahesaid/shesaidexperience.

• Encourageauditorstocheckthefactstwiceand assessevidencewithoutbeingoverlycriticalorsuspicious.

• Executingprofessionalskepticismrequiresemployingabalanceofquestioningmindandensuringfactsarecorrect.

• Managementmaydistrustobservationsofauditorswhojumptoconclusionsordonothaveallthefacts.

Internal Steps• Followalltrailsofevidence.

• Itcanbetemptingtoacceptanansweratfacevalue.• Remember,oneperson’sperceptionofblack/whitemaybedifferentthananotherperson’s.

• Itisnotsufficienttointerviewonlytoplevelexecutives.• Ifyouquestionaccuracyoftheinformation,youmustuseduecaretofollowuponthatquestion.

• Importanttoindependently/objectivelypursueallavenuesofinquiry.

INTERNAL AUDIT’S RESPONSIBILITY

Determining Your Role• ConsiderFraudAwareness:

• Fraudawarenesswithinanorganizationassistsinminimizingcollusionactivities.

• Personnelbecomeawareoftheconsequencesofbecominginvolvedintheunacceptablebehavior.

• Lackofawarenesstacticsislikeasilent“acceptance”ofbehavior.

• Toexecutefraudawarenessroll,auditor’smustunderstandthebusiness.• Understandthemanytypesoffraudthatcanoccurinyourindustry.

• Obtainstatisticsonfraudincidentsandemergingtrends.

Internal Audit’s Role• Whatarethekeystoright-sizingIA’sresponsibilityforfraudactivities?• Intoday’sworldofdoingworkfaster,moreefficiently,andwithfewerresources,itisdifficulttobalancerequirements.

• Theunexpectedoftenoccursandresourcesgetpulledindifferentdirections.

• Participationinfraudworkcanbeoneofthoseareaswheretheunexpectedoccursandtimeallocationisnotsufficient.

• Considerthesestepsandwhendefiningyourroleandtimeallocation.

Types of Roles• Considerthepotentialthattheremaybea“requiredrole”anda“potentialrole”forIAwhenitcomestofraudwork.• Requiredrole:MeettheintentoftheIIARiskAssessmentStandard.

• Potentialrole:Involvementinfraudevaluations,investigationsorholisticriskassessments.

Required Role• MeetingStandard2120.A2:Theinternalauditactivitymustevaluatethepotentialfortheoccurrenceoffraudandhowtheorganizationmanagesfraudrisk.

• Considerthismeansmorethanperiodicevaluationthroughtheannualauditassessment.

• Whatwouldbeinvolvedinfulfillingtherequiredrole?

Potential Steps: Required Role• Internalauditmusthaverelevantmethodologiesinplacerelatedtothefollowing:• Inclusionoffraudriskevaluationwithintheannualauditplan.

• Providedirectionforevaluationofthepotentialforfraudriskwithineachindividualaudit.

• Includeaprotocolforauditorstofollowwhenredflagsareidentifiedeitherduringanauditorthroughanotherindependentmanner.

Potential Steps: Required Role• Internalauditmustprovideadequatesupportforstaffincluding:• Ensurestaffhaverequiredtrainingandunderstandingtoevaluatethepotentialforfraudredflags.

• Ensurestaffcanadequatelyexecuteprofessionalskepticismwhenexecutingprojects.

• Ensurestaffunderstandthesensitivitiesofthetopicandthepropercommunicationprotocols.

Defining Potential Role • DoestheIAdepartmenthaverelevantpersonnelexpertise?

• DoesdepartmentalCFEhavethe“experience”tobeinvolvedinsignificantfraudinvestigations?

• Isthereaprotocolforhowtimewillbeassignedandreallocatedintheeventafraudprojectarises?• Willcompletionoftheauditplanbeimpacted?• Howdoesmanagement/auditcommitteeviewIA’srole?

• WhatdoesyourIAchartersay?• Whatisthelegaldepartment’sroleandwhomanagesthehotline?

• Isthereacleardefinitionofvariancebetweenfraudevaluations/fraudinvestigationsandrequirementsofeach?

Steps: Potential Role1. Ensureroleisagreedtoby

managementandtheAC.2. Developaninternalholisticfraud

methodologythatdifferentiatesbetweenassessments,evaluationsandinvestigations.

3. Definerequirementsforeachtypeoffraudwork.(e.g.:auditorskillset,background,needforspecialtyexperience).

Steps: Potential Role4. Identifyhowprojectswillbe

resourced(e.g.internally,externally).5. Establishapre-defined

communicationprotocolforvarioustypesoffraudwork.(Knowwhenanevaluation,investigationorassessmentshouldbemovedtothenextstep).

6. Haveadefinedmethodologyforprojectdocumentation.(Knowwhentoconsultwithlegal).

Steps: Potential Role7. EnsureprofessionalsinIA

assignedtofraudworkhavetherequiredexperience,organizationalknowledgeandperceivedstandingtoadequatelyexecuteontheirprofessionalskepticism.

8. Ensureauditorshavethepropersupport(resourcesandmoral)relatedtotheproject.

Steps: Potential Role9. Encourageauditorstocheckthe

factstwiceandassessevidencewithoutbeingoverlycriticalorsuspicious.

• Executingprofessionalskepticismrequiresemployingabalanceofaquestioningmindandensuringallfactsarecorrect.

• Managementmaydistrustobservationsofauditorswhojumptoconclusionsordonothaveallthefacts.

Right-Sizing Steps1. Clarifyyourdepartmentcharter.

• ClarifytheroleIAwillplayinfraudawarenessanddetection.• Determinehowthatrolewillworkwithinyourauditplan.

2. ValidatethattheACandmanagementagreewithrole.• EnsurerolesasidentifiedinthecharterarefullyunderstoodbytheACandmanagement.

• Ifthereisa“dropeverything”perceptionwhenitcomestotheneedforIAtobeinvolvedinafraudinvestigation,thismustbeclearlyunderstoodbymanagementandtheboard.

Right Sizing Steps3. Evaluatetheneedforfraudspecificauditors.

• Ifthecompanyisinahighriskfraudindustry,IAmayhavededicatedfraudauditors.

• Whenplanningworkload,don’tfallintotrapofonlyconsideringpasthours.Circumstanceschange,businessevolve.Timeallocationresourcesmayneedtochange.

4. Beproactivewhenidentifyingtheneedforoutsideexperts.• Ifyourcharterincludesinvolvementinfraudinvestigations,butIAdoesnottypicallyhaveresourcesfortheeffort,ensurethecharterprovidestheabilitytoenlistoutsideexperts.

Right Sizing Steps5. Assessneedtouseothersubjectmatterexperts.

• Assistanceofindividualsfromotherbusinessareas.• Establishrelevantrelationshipsupfront.(Subjectmatterexperts)

6. Considerallocationof“specializedhours”asaplaceholder.• Isthis“padding”theauditplan?• Theallocationof“specializedhours”canincludecomplianceissues,regulatoryissues,orfraudinvestigations.

• Ensureyouhaveadequatelyassessedyourpotentialneedsfortheauditplanandsupportitwithyourfraudriskassessment,pastexperience,andevaluationofongoingandemergingrisksinyourbusiness.

COSO 2013 AND THE CRITICAL LINK TO FRAUD

COSO and Fraud• WhenexaminingtheCOSO’sdefinitionofCE;akeyphrasehelpsunderstandhowandwhythetopicoffraudcanimpactanorganizationscontrolenvironmentandculture.• “Thecontrolenvironmentsetsthetoneofanorganization,influencingthecontrolconsciousnessofitspeople. Itisthefoundationforallothercomponentsofinternalcontrol,providingdisciplineandstructure.”

COSO and Fraud• Whenexecutingyourfiduciarydutyrelatedtofraudevaluations,rememberconceptsoftheIIAstandardsaswellasCOSO2013andprinciple8.• Challenge:HowdoyoumeetthePrincipleonFraudrelatedtoCOSO2013.

COSO and Fraud• Keyphrase

• “influencingthecontrolconsciousnessofitspeople”.

• Phraserecognizessomeoftheattributesidentifiedinthefraudtriangle-rationalizationandpressure.

• Anotheremergingphilosophyisthefrauddiamondandrequirestheconsiderationof“capability”asacomponent.

8. Organization considers the potential for fraud in assessing risks to the achievement of objectives.

Risk Assessment

COSO 2013 Principles

• Principle 8 possesses the most direct tie to managements responsibility for fraud processes.

Points of Focus• Considers various types of fraud• Assesses incentive and pressures• Assesses opportunities• Assess attitudes and rationalizations

Principle 8 - Point of Focus

• Doesyourorganizationassessthepotentialforalltypesoffraudincluding:• Fraudulentreporting(financialandoperational),• Corruptionfrommisconduct,• Incentives/pressures,• Opportunitiesforunauthorizedacquisition,useordisposalofassetsorassetloss,

• Alteringoftheentity’sreportingrecords,• Howmanagementandotherpersonnelmightengageinorjustifyinappropriateactions.

FRAUD RED FLAGS –ACTUAL FRAUD VS. CONTROL GAPS

Variance• FraudRedFlags arewarningsignsthatmayindicateahigherfraud risk.

• TheyareNOT evidencethatfraud hasoccurred.• Acontrolgapdoesnotmean“fraud”occurred.• Internalauditorsmustrecognizethedifferenceandbecautiouswhenevaluatingandreportingoncontrolgapsvs.fraudredflags.

• Ifitisaredflag– canyouidentifythepotentialimpactandlikelihood?• Howwillyouevaluatewhethertherecouldbepotentialmisdoingsorwhetheritisaninternalcontrolgap?

Fraud Red Flags • Financialstabilitythreatenedbyeconomic/industry/operatingconditions.

• Recurringnegativecashflows/inabilitytogeneratecashflow.• Excessivepressureonpersonneltomeetfinancialgoals.• Significantaccountsoroperationsintax-havenjurisdictions.• Complex/unstableorganizationalstructure.• Inadequateorineffectiveinternalcontrols.• Excessiveinterestbymanagementinmaintainingorincreasingstockprice/earningstrend.

• Managementfailuretocorrectknownreportableconditions.• Recurringattemptsbymanagementtojustifymarginal/inappropriateaccounting.

Fraud Red Flags• Unusual/suspiciousitemsinvolvingaccountingrecords.

• Missingdocuments,excessivevoidsorcredits.• Commonnames,telephonenumbers,oraddressees.• Counterfeit/alterationsofdocuments.

• Managementoverrides,topsidedentries.• JEadjustmentsatornearendofreportingperiod.• Unusualrequestsmadenearcloseperiods.• Significantestimatesthatdeviatingfromtrends.• Transactionsoutsidenormalcourseofbusiness.• Shakethetrees!!!

Anti-Fraud Controls• Thepresenceofanti-fraudcontrolsiscorrelatedwithsignificantdecreasesinthecostanddurationofoccupationalfraudschemes.

• Victimorganizationsthatimplementanyofthecommonanti-fraudcontrols,experiencelowerlossesandtime-to-detectionthanorganizationslacking.

• Don’tcloseyoureyes…..don’tassumeitissomeoneelse'sworry….speakup…..

EVALUATIONS VS. INVESTIGATIONS

Evaluation vs. Investigation• Evaluations– systematicexaminationsofanarea’smerit,worthandsignificance.• Usesspecificcriteriagovernedbyasetofstandards.• Primarypurposeistogainaninsightintoanareatoenablemorein-depthanalysis

• Resultinganalysiswillhelpidentifyrootcausesandgapsincontrols.

• Investigation– thescientificmethodofgatheringandexamininginformationaboutaparticulareventtodetermineandfinalizeanassessment.

Evaluations• Evaluationsmayoccurinthenormalcourseofanaudit:

• Anomaliesinaprocessareidentifiedandfurtherreviewiswarranted.• Intheseinstances,theevaluationfocusesonaspecificprocessareaorpossiblyevenagroupofindividuals.

• Observationsareresultofindividualaudits.• Iffraudriskisincludedinanaudit,evaluationmayidentifytheneedforfurthertargetedresearch.

Evaluation Considerations• Complexityoftheprocess.• Howthetransactionflows.• Sophisticationofthesystem.

• Legacysystems• NewSystems

• Hastheprocessareexperiencedpastissuesthatappeartobesystematicorarenotaddressed?

• Understandthecontrolenvironmentoftheprocessandpersonnelinvolved?

Investigation• Investigationmayentail:

• Interviews/observationsdesignedtogainrelevantevidencetoprovecasefacts.

• Backgroundcheckofallegedperpetrators.• Subpoenasforspecificdocumentaryevidence:bankrecords,titlesearches,otherlegaldocumentsnotreadilyaccessible.

• Assetsearchestodetermineownershipissues.• Recordanalysestoevaluateddocumentationofinformationrelatedtotheallegeact.

• Surveillanceofspecificprocessorindividuals.• Interrogationofspecificpersonnelwhomayhaveknowledgeoftheincident.

THE NEW AGE DIGITAL FRAUD

The New Age Digital Fraud• Digitalfraudstersareonestepahead.Fraudsterstakeadvancedstepswithknowledgefromthedigitalworld.

• Digitalfraudhascreatedseamlessboundarieswhichincreasetheperpetuationoffraud.

• Whatisdigitalfraud?• Webcrawlers,chatroomormaliciousbots,• Automatedprogramsthatrunovertheinternet• Digitalnetworksthattransmitvoice,video,data• Identifytheftandcreditcardtheft,securitycodehacking• E-mailscams,• Thelistisendless…• SeeAppendix

Cyber attack realities• Noturnkeycybersolution.• Buildafortressbutsecureitfromtheinside.

• Notedlackofinvestmentininternalmonitoringsystems.• Datalossisasymptomofabiggerproblemtobeinvestigated.

• Mustinvestigatetofindthesourceandtoexplaintotheregulatorhowyouhavefixedtheproblem.

• Theattackeroftenstaysinthesystemaftertheattack.• Thegoalofonlineattackersistostaywithinasystemforaslongastheycan.Attackedsystemsmustbemonitored.

• Cyberfatigueisreal,butnotanexcuseforinaction.• Inabilitytoaddresswillencouragethefraudsterstocontinuetomoveforward.

Cryptocurrency• Cryptocurrencygoesbymanygenericnames.• Itisoftenreferredtoasvirtualcurrency.• ThesimplestdefinitioncomesfromFinCEN:

• “‘virtual’currencyisamediumofexchangethatoperateslikeacurrencyinsomeenvironments,butdoesnothavealltheattributesofrealcurrency.Inparticular,virtualcurrencydoesnothavelegaltenderstatusinanyjurisdiction.”

• Transactionanonymityandirreversibilityofpayments,havemadethesecurrenciesattractivetocyber-criminals,drugdealers,moneylaunderersandthoseinvolvedinglobalfraud.

• Commonexampleisbitcoins.

Bitcoin• Bitcoinsarenotissuedbyacentralbankorgovernment,butarepurchasedfromaBitcoinexchanger.• ExchangersacceptconventionalcurrenciesandexchangethemforBitcoinsbasedonafluctuatingexchangerates.

• Bitcoinsarestoredinadigitalwalletassociatedwith“theuser’sBitcoin‘address,’analogoustoabankaccountnumber,whichisdesignatedbyacomplexstringoflettersandnumbers.”

• ABitcointransaction,whichtakestheformofatransferofvaluebetweenBitcoinwallets,isrecordedinapublicledgercalleda“blockchain”.

Benefits of Bitcoin for Fraud• Virtualcurrenciesrepresentachallengeforlawenforcement.• Theyposetheriskofcriminalactivities,includingmoneylaundering,tradinginillicitdrugsandglobalfraud.

• Thefollowingtraitsmakevirtualcurrenciesattractivetothefraudster:• Anonymityoftransaction• Globalreach• Speed• Non-reversible• Difficultforauthoritiestotrack

Identity Theft• Broadlydefinedastheuseofoneperson’sidentityorpersonalidentifyinginformationwithoutthepersonspermission.

• Canbecommittedagainstanindividualororganization.• Thefederalcriminaldefinitionofidentitytheftiswhensomeone”knowinglytransfers,possesses,oruses,withoutlawfulauthority,ameansofidentificationofanotherpersonwiththeintenttocommitfraud.

Identity Theft• Until1996,identitytheftwasnotrecognizedasacrimeatthestatelevel.

• ArizonawasthefirststateintheUnitedStatestopasslawsagainstidentitytheft.

• OnMay10,2006,PresidentBushissuedExecutiveOrder13402thatestablishedtheIdentityTheftTaskForce.

• Manytypesofidentitytheft:

CriminalIdentityTheft

MedicalIdentifyTheft

InsuranceIdentifyTheft(Auto,Homeowners,Life,Business, Malpractice)

ChildIdentityTheft

ProfessionalIdentity Theft

BusinessIdentityTheft

NewAccountFraud

AccountTakeover

Cloning CreditCardIdentity

SyntheticIdentity GovernmentBenefitsTheft

Governmentdocumentsidentify theft

EmploymentFraud

UtilityFraud Bankruptcy

TaxReturnIdentity

Digital Fraud Summary• Digitalfraudisadvancingfasterthanthebusinessworldprefers.• Organizationsmustbediligentinunderstandingcyberthreatsandthevarioustypesofdigitalfraudthatcanoccur.

• Organizationsshouldestablishadigitalfraudriskinventory.• WorkwithmanagementandtheCIOtounderstandwhatareastheorganizationcanbeexposedtodigitalfraud.

• Ensurerelevantfocusisplacedonthisemergingrisk.• Ifyoudon’thavetheresources– findthem.

• BecautiouswhenusingoutsourcedprovidersandrelyingonSSAE16ServiceOrganizationControlReports(SOCReports).

FRAUD REPORTING

Conceptual Reporting Thoughts• Buildingaframeworkforafinalreportingprotocolisbeneficialandcanassistinensuringprocessesfollowconsistentandestablishedsteps.• Forgetthe“F”word• Revisitthefacts• Accountforthedetail• Understandanypoliticalorsensitivereportingimplications• Don’t“accuse”unlessyoucanactuallyprove.

Reporting Considerations• Formalreportingofinvestigativeprocessthatmayhaveimplicationsoffraudwillbesensitive.Auditormustremember:• Formalreportsareretainedoninformationsystems.• Considerconfidentialityrequirements.• Written/formalreportsareseenbyBOD/legalcounsel.Liketheinternet,reportswrittenexistforperpetuity.

• AfraudevaluationcompletedbyIAmaynotlenditselftonormalreportingprotocols.

• Determinebestmethodofcommunicationofthefacts.• Maybeinaformalmemo,PowerPointorevenformalverbalpresentation.

Reporting Considerations• Willtheissuehavelegalimplications?• Doesanypartoftheevaluationcomeunderlegalprivilege?• Isthereportdiscoverablebyoutsideparties?• Doestheevaluationrequireaformalwrittensummaryasasourceofevidence?

• Whoaretherecipientsofthereport?

Lessons Learned• Rememberthefraudtriangle!

• Rationalization,opportunity,pressure.• Considerimplicationsofthefrauddiamond.• Managementmustmakebesteffortstodefineblackvs.white.(Difficultconcept)

• Leavingjudgmentsopenforinterpretationwillimpactoutcomes.• Withoutcleardefinitionoutcomesbecomedependentonindividualmoralities.

• Theclearerthepath……

APPENDIXTOP 10 SCAMS OF 2017

2017 Top Scams• Techsupportscams

• Calleraskforaccesstoyourcomputertofixaproblem.• Fake/counterfitmerchandiseschemes

• Scammerssetupgenericonlinestoressellingnamebranditemsormimicwebsitesofbignamebrands.

• Scammerssellfakeorcounterfeitproductsatsignificantlyreducedpricesdesignedtoattractbuyerslookingforbigdealsonnamebrandmerchandise.

• PetsforSaleScams• Fakewebsitesclaimingtobeassociatedwithpetadoption/animalnurseries.Offerpetsforadoptionorsaleatpricessignificantlybelowthenorm.

• Victimstoldtheymustpayforatleasttheinsurance,shippingandotherservicesforprocessinganddeliveringthepets.

• Victimsarerequiredtomaketheirpurchasesand/orpayfeeswithnon-returnablecash-likeformsofpayment.

2017 Top Scams• GrantScams

• Acquireconsumerpersonaldetailsfromunsuspectingadvertisingagencieswhorunleadgenerationcampaignstargetingconsumersinneedofloans.

• ThencontactthepeoplefromtheselistsandclaimtheyrepresenttheU.S.government.

• CollectionAgencyScams• Resentingafakecollectionagency,scammersmakecoldcallstovictimsandthreatenlawsuitsorembarrassingon-the-jobconfrontationsunlessthevictimsstartmakingpayments.

2017 Top Scams• House/Vacantpropertyrentals

• Scammersadvertisepropertiestheydon'townonclassifiedadswebsites,suchasCraigslist.

• Paymentsarerequestedvianon-returnablemethodslikeMoneygram,WesternUnion,Vanillaandwiretransfer.

• PaydayLoanScams• Relyheavilyonlegitimateleadsgatheredbypaydayloanaffiliatewebsitecompaniesoradvertisingagencies.

• Oncetheinformationisgathered,theysellittoothercompaniesandre-sellitoverandoveruntilascammingcompanyposingasalegitimatecompanygainsaccesstoit.

2017 Top Scams• TimeshareResaleScams

• Tellvictimstheyhavebuyersorrenters,readytotaketimeshare.• Requireanupfrontfeetomoveforwardwiththeprocess.• Scammersgivevictimsawiderangeofreasonsforthefee,includingappraisal,marketinganalysisandfees

• Datingandrelationshipscams• Workfromhomeinspectingandshippingmerchandise

• Scammerssetupprofessional-lookingwebsitesandclaimthatthesitesareownedbyshippingandlogisticsintermediaries.

• Oncevirtualworkersarehired,scammersusestolencreditcardstopurchasemerchandiseandshipittotheirnewwork-at-home"employees"withinstructionsonhowtoopenthepackages,inspectthemerchandiseandshipitelsewhere.

TYPES OF DIGITAL FRAUDS

Digital Scams • Phishing

• GainPI,(usernames,passwords,SSnumbers,creditcardnumbers)forpurposesofidentitytheft.

• Accomplishedbyusingfraudulente-mailmessagesthatappeartocomefromlegitimatebusinesses.

• Whaling• Phishingafterverylargescores.• Donewhenhighnetworthindividualsaretargetedorwhencorporationsaretargetedinordertogetcreditcardinformationfromalargenumberofcustomersatonetime.

Digital Scams• Vishing

• ObtainingPIoverthephone.Callinformingindividualstheyhavewonaprizebuttheyneedtopaytaxesorshippingfees.

• Fakeacallfromalocalbusinesswhereanindividualshopstoverifycreditcardinformationonatransaction.

• Pharming• Avirusormalicioussoftwaresecretlyloadedontothevictim’scomputerandhijacksthewebbrowser.

• Whenthevictimtypesintheaddressofalegitimatewebsite,theyarereroutedtoafictitiouscopyofthesitewithoutrealizingit.

Digital Scams• SocialMedia

• Usessocialmediawebsitestogatherinformationonvictims.• Friendsandrelativesinadvertentlypostthevictim’sPIontheirsocialmediasites.

• Hacking• StealPIfromgovernmentandbusinesscomputers.• EmployeescopythePIcontainedontheiremployer’scomputersandselltheinformation.

• FraudulentRecruiterScam• Retrievethevictims’contactinformationfromtheironlineresumesandsendtheme-mailsposingasrecruiters.

Digital Fraud• Pretexting

• PerpetratorposesaslegitimategovernmentofficialormemberoflegitimatebusinessandcallsvictimsaskingforPI.

• Convincevictiminformationisneededtocompleteatransactionandthatsomeoneistryingtoaccesstheiraccount.EncouragevictimtoverifyPI.

• Spoofing• Fraudulente-mailactivitywheresender’saddressorotherpartsofthee-mailheaderarealteredtoappearthee-mailoriginatedfromadifferentsource.

Digital Frauds• Skimming

• Attachesadevicetoamachinethatrecordstheinformationonthecard’smagneticstrip.

• Informationcanbeimprintedonothercards.• MiniaturecamerasusedtocapturethePINsenteredbythevictims.

• FreePublicWi-Fi• SetupfreepublicWi-Finetworksinairports,nearhotels,andinotherpublicplaces.

• Informationonvictim’scomputersandotherelectronicdevicesishacked.

• Cangaincontrolofe-mailaccounts,bankaccounts,socialmediaaccounts,andsoon.

Digital Fraud• Malware

• Placedoncomputersorcellphonestohijackthecomputers,stealdata,orencryptthedataforransom.

• DataBreeches• Stealingdatafromcomputersystemsbelongingtocompanies,governmentalunits,andevennot-for-profitorganizations.

• Largeamountsofinformationarestoleninashortamountoftime.

RAISE THE RED FLAGChapter Outline

Raise The Red Flag - Outline• Chapter1:TheIPPFFrameworkandtheAuditorsresponsibility

• FraudandtheIPPF.• Valueaddedrolesinfraudpreventionfortheinternalauditor.• CommunicatingonIAsdutyrelatedtofraudprocesses.• Right-sizingIA’sresponsibilityforfrauddetection.• MonitoringforfraudandunderstandingtheextentoftheIAauditrole.

• Chapter2:FraudandconnectiontotheCEandCOSO2013.• TheimpactoffraudontheControlEnvironmentandcorporateculture.• Determiningimpactoffraudissuesontheidentificationofdeficiencystatus.

• Chapter3:TheIA’sdilemmawheninvestigatinginternalfraud.• Managingtherequestprocessforinternalinvestigation.• DeterminingwhetherIAshouldbeinvolvedintheinvestigation.• Methodstoemployforinternalinvestigations.

Raise The Red Flag - Outline• Chapter4:ConductingaFraudRiskAssessmentfortheCompany.

• Evaluatingthecorporateculturetoprepareforafraudriskassessment.• IA’sroleinfacilitatingaproperfraudriskassessment.• Stepsinidentifyingpotentialfraudscenariosandtheirimpact/likelihood

• Chapter5:Includingfraudanalysisandevaluationwithineachaudit.• Techniquesforconductingafraudriskassessmentforindividualaudits.• Determiningrelativesignificanceandimpactofidentifiedinappropriatebehavior.

• Chapter6:Evaluationvs.investigation• Understandingwhenanissuemovesfromevaluationtoinvestigation.• DeterminingIA’songoingrolewhenissueanalysisturnstoinvestigation.• Methodsforcommunicationissuestomanagementandtheboard.

Raise The Red Flag - Outline• Chapter7:Isdataanalysissufficient?

• Theroleofdataanalysisinongoingmonitoringforfraud.• Determininghow,what,whereandwhentoenhancemonitoring.• Supportingmanagement’smonitoringprocess.• HowtoanalyzetheeffectivenessofFraudPreventionprograms.

• Chapter8:COSO2013– Thecriticalcomponentofmonitoringactivities• Managingtheexpectationof“waittilltheauditorscomein”.• Whattodowhenmanagementfailstoreportinappropriateactivity.• Ensuringoperationalmonitoringiseffectivelyexecuted.

• Chapter9:Reportingproceduresforaneffectivefraudprogram• Howmuchreliancetoplaceonthewhistleblowerhotline.• Internalreportingandlegalprivilege.• Reportingissuestotheboardandauditcommittee.

“RAISE THE RED FLAG” · WorldCom Scandal CMS Energy Round Trip Trades 2003 Massive Mutual Fund...

Documents

Transcript of “RAISE THE RED FLAG” · WorldCom Scandal CMS Energy Round Trip Trades 2003 Massive Mutual Fund...

THE WORLDCOM CASE: LOOKING AT BANKRUPTCY …€¦ · THE WORLDCOM CASE: LOOKING AT BANKRUPTCY AND COMPETITION ... amine the WorldCom case and determine whether there ... restated

worldcom Case Study

HealthSouth (HLS) - ValueX Vail 2014

FROM GREAT TO GHASTLY: HOW TOXIC …faculty.mu.edu.sa/public/uploads/1360755171.1273organizational... · THE RISE AND FALL OF ENRON, WORLDCOM, HEALTHSOUTH, AND ... Dennis Kozlowski

HealthSouth Scandals Negative Ramifications

HEALTHSOUTH FRAUD

Aaron Beam-HealthSouth, IIA-ACFE Conf 2015.04southfloridaacfe.org/downloads/April_17__2015_ACFE_IIA_6th_Annual... · Why’didAaron’Beam’take’part’in ... Aaron Beam-HealthSouth,

Indicted - jfk.hood.edu

U.S. Corporate Governance: What Went Wrong and …. Corporate... · U.S. Corporate Governance: What Went Wrong and Can It Be Fixed? ... WorldCom, Tyco, Adelphia, HealthSouth, ...

WorldCom and Satyam

Accounting Fraud At Worldcom Case Solution · Accounting Fraud At Worldcom Case Solution Author: TheCaseSolutions.com Subject: Accounting Fraud At Worldcom Case Solution Keywords:

Epilogue: WorldCom/MCI

Worldcom,Enron,largest bankruptcy,how worldcom,SOA

Analysis of Worldcom Scandal

MCI Worldcom MCI Worldcom MCI Worldcom HelenArthur ... · MCI Worldcom MCI Worldcom MCI Worldcom MarcShaub MarkTurner StephenVonRump ... Bill Beckham BellSouth Mobility DCS I Marcus

WorldCom Paper

BRF WorldCom

HealthSouth the Wagon to Disaster

Worldcom 2

worldcom company