
Implementing COSO's New Fraud Risk Management Guidelines

Fraud risk management is much more than a mere fraud risk assessment

The responsibility for managing fraud risk falls on everyone: "The board of directors, and top management and personnel at all levels of the organization — including every level of management, staff, and internal auditors — have responsibility for managing fraud risk."

Fraud deterrence is achieved when the organization:
- Establishes a visible and rigorous fraud governance process
- Creates a transparent and sound anti-fraud culture
- Includes a thorough fraud risk assessment periodically
- Designs, implements, and maintains preventive and detective fraud control processes and procedures
- Takes swift action in response to allegations of fraud, including, where appropriate, actions against those involved in wrongdoing

Source: 2016 COSO Fraud Risk Management Guidelines

2008: First major attempt to increase fraud risk management and fraud risk assessments

Sponsors: IIA, ACFE, AICPA

Components:
- Fraud Risk Governance
- Fraud Risk Assessment
- Fraud Prevention
- Fraud Detection
- Fraud Investigation and Corrective Action

2016 COSO Fraud Risk Management Guidelines

1) Establishment of a Fraud Risk Management Program
2) Performs comprehensive fraud risk assessments
3) Selects, develops and deploys preventative and detective fraud control activities
4) Investigation program
5) Ongoing evaluations and corrective action of the overall program

Source: 2016 COSO Fraud Risk Management Guidelines

Summary of Fraud Risk Management Components and Principles (diagram)

Source: 2016 COSO Fraud Risk Management Guidelines

What do the COSO Fraud Risk Management Guidelines (FRMG) mean for my organization?

COSO ERM Organization:
- A fraud risk assessment no longer covers the expectation of Principle 8 of the COSO ERM Framework. A formal fraud risk management program is the expectation.
- Internal auditors are expected to assess internal anti-fraud processes and controls against the FRMG.
- External auditors can assess the entity's implementation of Principle 8 of the COSO ERM Framework using this guide.

Non-COSO Organization:
- Non-COSO organizations will be unable to claim that sufficient guidance or information on anti-fraud programs, controls, processes and systems was not available.
- Fraud loss litigation, such as shareholder suits, could point to the COSO FRM Guidelines and place more responsibility for the loss on management and the lack of an effective anti-fraud program.

Principle 1 - Fraud Risk Governance

Principle 1 - Fraud Risk Governance

Board and Senior Management:
- Makes an organizational commitment to fraud risk management.
- Supports fraud risk governance.
- Establishes a comprehensive fraud risk management policy.
- Establishes fraud governance roles and responsibilities throughout the organization.
- Documents the fraud risk management program.
- Communicates fraud risk management at all organization levels.

Source: 2016 COSO Fraud Risk Management Guidelines

A documented and formal fraud risk management program

1. A stand-alone comprehensive document addressing in detail all aspects of fraud control activities.
2. Development of a brief strategy outline emphasizing the attributes of fraud control activities, with design and specifics left to the responsible business functions.
3. Providing defined, proactive processes and control activities to deter, prevent, and detect fraud AND the individuals who will execute the activities.
4. Providing a strategy for proactively using data analysis.
5. Providing a compilation of plans developed by divisions or subsidiaries.

Source: 2016 COSO Fraud Risk Management Guidelines

Analytics considerations: Principles 1 through 5, aligned with Governance

COSO 2013 Framework Principles (Control Environment):
1. The organization demonstrates a commitment to integrity and ethical values.
2. The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.
3. Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.
4. The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.
5. The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives.

Fraud Risk Management Principle:
1. The organization establishes and communicates a fraud risk management program that demonstrates the expectations of the board of directors and senior management and their commitment to high integrity and ethical values regarding managing fraud risk.

Analytic considerations:
- Executive reporting
- Interactive dashboards
- Targeted analysis around metrics, compliance and ratios

Principle 2 - Fraud Risk Assessment

Principle 2 - Fraud Risk Assessment

- Involves the appropriate level of management
- Includes entity, subsidiary, division, operating unit and functional levels
- Analyzes internal and external factors
- Considers various types of fraud
- Specifically considers the risk of management override of controls
- Estimates the likelihood and significance of risks identified
- Assesses personnel or departments involved and all aspects of the fraud triangle
- Identifies existing fraud control activities and assesses their effectiveness
- Determines how to respond to risks
- Uses data analytics techniques for fraud risk assessment and fraud risk responses
- Performs periodic risk assessments and assesses changes to fraud risk
- Documents the risk assessment

Source: 2016 COSO Fraud Risk Management Guidelines

Analytics considerations: Principles 6 through 9, aligned with Fraud Risk Assessment

COSO 2013 Framework Principles (Risk Assessment):
6. The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.
7. The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.
8. The organization considers the potential for fraud in assessing risks to the achievement of objectives.
9. The organization identifies and assesses changes that could significantly impact the system of internal control.

Fraud Risk Management Principle:
2. The organization performs comprehensive fraud risk assessments to identify specific fraud schemes and risks, assess their likelihood and significance, evaluate existing fraud control activities, and implement actions to mitigate residual fraud risks.

Analytic considerations:
- Surveys & heat maps
- Media scans and external sources such as industry news
- Complaints database

Principle 3 - Fraud Control Activities

Principle 3 - Fraud Control Activities

- Promotes fraud deterrence through preventive and detective control activities
- Integrates with the fraud risk assessment
- Considers organization-specific factors and relevant business processes
- Considers the application of control activities to different levels of the organization
- Utilizes a combination of fraud control activities
- Considers management override of controls
- Uses proactive data analytics procedures
- Deploys control activities through policies and procedures

Source: 2016 COSO Fraud Risk Management Guidelines

A comprehensive and methodical data analytics process is the key (diagram)

Source: 2016 COSO Fraud Risk Management Guidelines

Analytics considerations: Principles 10 through 12, aligned with Fraud Control Activities

COSO 2013 Framework Principles (Control Activities):
10. The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.
11. The organization selects and develops general control activities over technology to support the achievement of objectives.
12. The organization deploys control activities through policies that establish what is expected and procedures that put policies into action.

Fraud Risk Management Principle:
3. The organization selects, develops, and deploys preventive and detective fraud control activities to mitigate the risk of fraud events occurring or not being detected in a timely manner.

Analytic considerations:
- ABaC analytics
- P2P, O2C, T&E, CRM analysis
- General ledger transaction analysis

Frequent compliance analytics risk areas, particularly in emerging markets

- Meals & Entertainment
- Marketing & Events
- CRM and Sales
- Information Security / Insider Threat
- Employee Payroll
- Sales, Distributor & Margin Analysis
- Vendor Payments / AP
- Capital Projects
- Accounting Reserves
- Inventory
- 3rd Party Due Diligence & Watchlist, Shell Companies
- Charity & Donations

Emerging monitoring activities may include:
- Social Media Monitoring
- Advanced Email Monitoring
- Mobile Devices

Big data techniques to counter fraud

- Multiple data sources – structured and unstructured
- Data visualization
- Text analytics
- Payment/transaction risk scoring
- Predictive modeling – technology assisted monitoring
- Case management, issue coding and built-in workflow
- Flexible deployment models

Utilizing data visualization to do more

Plan and build tests for:
- Payment risk scoring
- Vendor risk scoring
- High risk transactions
- Revenue recognition or sales commissions
- Conflicts of interest

Additional tests for enhanced reviews:
- Inventory management
- Salaries & payroll
- Employee travel & entertainment
- FCPA/UKBA (corruption risks)
- Selected compliance topics

Interactive dashboards in the hands of the business users

Data visualization: Accounts payable monitoring – high risk payment descriptions (dashboard screenshot)

Utilizing transaction risk scoring to do more (dashboard screenshot)

Forensic data analytics framework: an integrated platform, from a workflow and monitoring perspective (diagram; the components legible on the slide are listed below)

- Data inputs: accounting data; master & reference data; internal risk elements; external and social media data
- Big data processing platform: library of counter-fraud tests; investigation tools; pattern matching; text mining & advanced search; statistical & predictive; Watson / cognitive
- Outputs: visualization & risk ranking; triage, stop payment and/or sample audit selection (audit, shared services, compliance); case manager, task delegation and data refresh / scripting automation
- Repeat the process: continuous auditing, with an investigative mindset

Principle 4 - Fraud Investigation and Corrective Action

Why is a formal investigation program necessary?

- Increasing number of poorly performed investigations
- Frauds and fraudsters missed
- Root causes not obtained and internal controls not improved
- Legal and human resource implications
- Poor interviewing skills and increased liabilities
- Lack of dedicated and experienced forensic or investigative skill sets
- Inadequate technological resources
- Lack of routine and repetitive investigation training
- Inconsistent or non-existent corrective action
- Poor investigation tracking and reporting mechanisms

Principle 4 - Fraud Investigation and Corrective Action

- Establishes fraud investigation and response protocols: confidentiality, urgency, evidence preservation, legal protections, forensic support, investigation protocols, reporting process, root cause and mitigating controls, etc.
- Conducts investigations
- Communicates investigation results
- Takes corrective action
- Evaluates investigation performance

Source: 2016 COSO Fraud Risk Management Guidelines

Monitoring investigation performance metrics

- Resolution time
- Investigation costs
- Repeat incidents
- Incident location (business unit, operational area or geography)
- Value of losses recovered and future losses prevented
- Corrective actions*: internal control remediation, business process remediation, disciplinary action, training, insurance claims, extended investigations, civil actions, criminal referrals

* Corrective actions for fraud-related incidents are an evaluation component within the Federal Sentencing Guidelines.

Source: 2016 COSO Fraud Risk Management Guidelines

Analytics considerations: Principles 13 through 15, aligned with Investigative Activities

COSO 2013 Framework Principles (Information & Communication):
13. The organization obtains or generates and uses relevant, quality information to support the functioning of other components of internal control.
14. The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.
15. The organization communicates with external parties regarding matters affecting the functioning of other components of internal control.

Fraud Risk Management Principle:
4. The organization establishes a communication process to obtain information about potential fraud and deploys a coordinated approach to investigation and corrective action to address fraud appropriately and in a timely manner.

Analytic considerations:
- Case management
- Escalation and triage
- Review workflow management

Principle 5 - Fraud Risk Management Monitoring Activities

Principle 5 - Fraud Risk Management Monitoring Activities

- Considers a mix of ongoing and separate evaluations
- Considers factors for setting the scope and frequency of evaluations
- Establishes appropriate measurement criteria
- Considers known fraud schemes and new fraud cases
- Evaluates, communicates and remediates deficiencies

Source: 2016 COSO Fraud Risk Management Guidelines

Fraud risk management monitoring brings the process full circle and becomes cyclical (diagram)

Source: 2016 COSO Fraud Risk Management Guidelines

Analytics considerations: Principles 16 & 17, aligned with Monitoring Activities

COSO 2013 Framework Principles (Monitoring Activities):
16. The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.
17. The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.

Fraud Risk Management Principle:
5. The organization selects, develops, and performs ongoing evaluations to ascertain whether each of the five principles of fraud risk management is present and functioning and communicates fraud risk management program deficiencies in a timely manner to parties responsible for taking corrective action, including senior management and the board of directors.

Analytic considerations:
- Investigative procedures
- Deep dive analysis
- Email and communications review

Key takeaways, action items and next steps

- Determine your organization's adherence to the COSO ERM Framework, whether formal, informal or not at all
- Identify and formalize all anti-fraud and investigation activities under the umbrella of a formal and documented fraud risk management program
- Identify the appropriate sponsor and/or process owner(s)
- Conduct an assessment to identify gaps, weaknesses and duplicative or ineffective anti-fraud efforts
- Develop/enhance and deploy comprehensive preventative and detective data analytics capabilities
- Integrate the fraud risk management components throughout the organization

Thank you

EY | Assurance | Tax | Transactions | Advisory

About EY

EY is a global leader in assurance, tax, transaction and advisory services. The insights and quality services we deliver help build trust and confidence in the capital markets and in economies the world over. We develop outstanding leaders who team to deliver on our promises to all of our stakeholders. In so doing, we play a critical role in building a better working world for our people, for our clients and for our communities.

EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information about our organization, please visit ey.com.

Ernst & Young LLP is a client-serving member firm of Ernst & Young Global Limited operating in the US.

Ernst & Young LLP, an equal opportunity employer, values the diversity of our work force and the knowledge of our people.

© 2016 Ernst & Young LLP. All Rights Reserved.
SCORE no. XX00001603-1886034
ED none

EY is committed to reducing its impact on the environment. This document was printed using recycled paper and vegetable-based ink.

This material has been prepared for general informational purposes only and is not intended to be relied upon as accounting, tax, or other professional advice. Please refer to your advisors for specific advice.

ey.com

