Fraud Risk Management And Assessment - NYSICA


Fraud Risk Management and Assessment
David L. Cotton, CPA, CFE, CGFM
Cotton & Company LLP
Alexandria, VA 22314
www.cottoncpa.com
dcotton@cottoncpa.com

DAVID L. COTTON, CPA, CFE, CGFM
COTTON & COMPANY LLP CHAIRMAN

Dave Cotton is chairman of Cotton & Company LLP, Certified Public Accountants, headquartered in Alexandria, Virginia. The firm was founded in 1981 and has a practice concentration in assisting Federal and State government agencies, inspectors general, and government grantees and contractors with a variety of government program-related assurance and advisory services. Cotton & Company has performed grant and contract, indirect cost rate, financial statement, financial related, and performance audits for more than two dozen Federal inspectors general as well as numerous other Federal and State agencies and programs.

Cotton & Company’s Federal agency audit clients have included the U.S. Government Accountability Office, U.S. Navy, U.S. Marine Corps, U.S. Transportation Command, U.S. House of Representatives, U.S. Capitol Police, U.S. Small Business Administration, U.S. Bureau of Prisons, Millennium Challenge Corporation, U.S. Marshals Service, and Bureau of Alcohol, Tobacco, Firearms and Explosives. Cotton & Company also assists numerous Federal agencies in preparing financial statements and improving financial management, accounting, and internal control systems.

Dave received a BS in mechanical engineering (1971) and an MBA in management science and labor relations (1972) from Lehigh University in Bethlehem, PA. He also pursued graduate studies in accounting and auditing at the University of Chicago Graduate School of Business (1977 to 1978). He is a Certified Public Accountant (CPA), Certified Fraud Examiner (CFE), and Certified Government Financial Manager (CGFM).

Dave served on the Advisory Council on Government Auditing Standards (the Council advises the United States Comptroller General on promulgation of Government Auditing Standards—GAO’s yellow book) from 2006 to 2009. He served on the Institute of Internal Auditors (IIA) Anti-Fraud Programs and Controls Task Force and co-authored Managing the Business Risk of Fraud: A Practical Guide. He served on the American Institute of CPAs Anti-Fraud Task Force and co-authored Management Override: The Achilles Heel of Fraud Prevention. Dave is the past-chair of the AICPA Federal Accounting and Auditing Subcommittee and has served on the AICPA Governmental Accounting and Auditing Committee and the Government Technical Standards Subcommittee of the AICPA Professional Ethics Executive Committee. Dave chaired the Fraud Risk Management Task Force, sponsored by COSO and ACFE, and is a principal author of the COSO-ACFE Fraud Risk Management Guide.

Dave served on the board of the Virginia Society of Certified Public Accountants (VSCPA) and on the VSCPA Litigation Services Committee, Professional Ethics Committee, Quality Review Committee, and Governmental Accounting and Auditing Committee. He is a member of the Association of Government Accountants (AGA) and past-advisory board chairman and past-president of the AGA Northern Virginia Chapter. He is also a member of the Institute of Internal Auditors and the Association of Certified Fraud Examiners.

Dave has testified as an expert in governmental accounting, auditing, and fraud issues before the United States Court of Federal Claims and other administrative and judicial bodies.

Dave has spoken frequently on cost accounting, professional ethics, and auditors’ fraud detection responsibilities under SAS 99, Consideration of Fraud in a Financial Statement Audit. He has been an instructor for the George Washington University masters of accountancy program (Fraud Examination and Forensic Accounting), and has instructed for the George Mason University Small Business Development Center (Fundamentals of Accounting for Government Contracts).

Dave was the recipient of the ACFE 2018 Certified Fraud Examiner of the Year Award (“presented to a CFE who has demonstrated outstanding achievement in the field of fraud examination based on their contributions to the ACFE, to the profession, and to the community”); AGA’s 2012 Educator Award (“to recognize individuals who have made significant contributions to the education and training of government financial managers”); and AGA’s 2006 Barr Award (“to recognize the cumulative achievements of private sector individuals who throughout their careers have served as a role model for others and who have consistently exhibited the highest personal and professional standards”).

Fraud Happens
- Most organizations think it can’t happen to them
- Then are devastated when it does
- ACFE consistently estimates that the average organization loses about 5% of its revenues due to fraud annually
  - Median loss from a single case: $150,000
  - 23% of cases studied resulted in losses of more than $1,000,000
  - Frauds are always devastating and sometimes catastrophic

Fraud Risk Management and Assessment
- Fraud Risk Management’s Historical Context
- Fraud Risk Management and the 2013 COSO Internal Control Framework
- The COSO/ACFE Fraud Risk Management Guide
  - Governance and the Control Environment
  - Fraud Risk Assessment
  - Fraud Control Activities
  - Information, Investigation, and Reporting
  - Monitoring
- My Predictions for the Future: What Can/Should Be Done to Empower Auditors to Find More Fraud; and Help Organizations Better Manage Fraud?

Historical Context

A Brief History ...
- 4000 BC: In ancient Athens “Humble citizens and slaves were educated and employed as bookkeepers. For the most part, Athenians preferred public slaves as comptrollers and auditors because they could be tortured on the rack and freemen could not.”*

* The Reckoning: Financial Accountability and the Rise and Fall of Nations, Jacob Soll, Basic Books, 2014.

A Brief History ...
- 1985: The Committee of Sponsoring Organizations of the Treadway Commission was formed
  - American Institute of Certified Public Accountants (AICPA)
  - American Accounting Association (AAA)
  - Financial Executives Institute (FEI)
  - Institute of Internal Auditors (IIA)
  - National Association of Accountants (now the Institute of Management Accountants (IMA))

Treadway’s 49 Recommendations
- For public companies
  - Tone at the top
  - Internal accounting and audit functions
  - Audit committee
  - Management and audit committee reports
  - “Opinion shopping”
  - Quarterly reporting
- For independent public accountants
  - Fraud detection
  - Audit quality
  - Communications
  - Audit standards-setting process
- For the SEC and others
  - Tougher sanctions and criminal prosecution
  - Improved regulation of public accounting
  - SEC resources
  - Improved regulation of financial institutions
  - Better oversight by state boards of accountancy
  - Insurance and liability crises
- For educators
  - Business and accounting curricula
  - Professional certification examinations
  - Continuing professional education
  - Five-year accounting programs

“Fraud” appears 554 times in the 183-page document.

A Brief History ...
- 1987: The Treadway Commission declared victory and disbanded, but COSO carried on
- 1992: COSO issued its Internal

Very little emphasis on fraud
Focus was on:
- Economy and efficiency of operations, including safeguarding of assets and achievement of desired outcomes;
- Reliability of financial and management reports; and
- Compliance with laws and regulations.

“Fraud” appears 21 times in the 159-page document.

A Brief History ...
- 1992 to 2001: The COSO Internal Control Framework gained broad recognition
- 2002: Sarbanes-Oxley Act became law
  - Section 404 mandates that all publicly traded companies must establish and report on internal controls
- 2002-2012: The COSO Internal Control Framework became the globally recognized set of best practices related to establishing and maintaining internal controls
  - All US publicly-traded companies follow the COSO framework
- 2005: The AICPA formed a task force to define “attestable criteria” for fraud risk management
- That task force instead wrote/issued the “Achilles’ Heel” publication

Guidance for Audit Committees
FREE rship/
Published in 2005; updated in 2016

A Brief History ...
- 2007: An IIA, ACFE, AICPA Task Force published Managing the Business Risk of Fraud—A Practical Guide (“attestable criteria” for fraud risk management)

FREE /08/ManagingTheBusinessRiskofFraud.pdf
Published in 2007

A Brief History ...
- May 2013: COSO updated its Internal Control Integrated Framework and added 17 Principles
  - Principle #8: The organization considers the potential for fraud in assessing risks to the achievement of objectives.


A Brief History ...
- 2014: In response to user demands, COSO and ACFE formed a new task force to develop more detailed guidance on assessing fraud risk

Fraud Risk Management and the 2013 COSO Internal Control Framework

Joint ACFE-COSO Task Force
Joint ACFE-COSO Advisory Panel

Buy the Guide at COSO or ACFE websites ($69; $59 for members)
Executive Summary is FREE ship/

The COSO/ACFE Fraud Risk Management Guide

Mapping of COSO Components and Principles to the Fraud Risk Management Guide
You do not need to start from scratch


4 Pages

4 Pages
Required by COSO Principle 8

Implied by COSO Principle 8
These two are integrated

You need a hotline; and a process in place for quickly and thoroughly investigating any reported fraud

FRM is not a “once-and-done” exercise; you must have a process in place for monitoring, and periodically reassessing fraud risk

Updated Guide Can Be Used:
- Just for complying with Principle #8—performing a fraud risk assessment, or
- For developing and implementing a comprehensive fraud risk management program

So, ...
You get to work one Monday morning and your boss says,
“Hey, we need to do a fraud risk assessment in order to comply with the new COSO Principle about fraud risk, and we want you to head up the effort to do that for us. Get started right away and report back when you are done.”

What would you do?

You could ...
(a) Start with your organization’s existing internal controls and determine whether they are adequate to mitigate FRAUD risk
- Segregation of duties
- Approved vendor list
- Higher level approvals required for large transactions
- Documentation
- Physical counts
- Reconciliations
- Etc.

These are all excellent controls designed to ensure accuracy in accounting and financial reporting. But, if your focus is now specifically on fraud, maybe we need something more.

From a fraud focus, what if the several people doing these things get together and collude?
Maybe we need a policy requiring periodic rotation of these duties; and some mechanism to assure that these policies are, in fact, in place.

From a fraud focus, what if an employee can access the list and add a bogus company?
Maybe we need to use data analytics to periodically compare all fields in our vendor and employee data bases.

From a fraud focus, what if employees split purchases to circumvent this control?
Maybe we need to use digital analysis (Benford’s Law) to find evidence of purchase-splitting.

From a fraud focus, what if documentation is altered?
Maybe we need to add some additional software controls designed to prevent/detect altered documents.

From a fraud focus, what if inventory is moved during counts; what if boxes are empty?
Maybe we need to frequently change our inventory process and procedures and do surprise counts on a sample basis.

From a fraud focus, what if subsidiary journals are falsified?
Maybe we need to use data analytics to covertly monitor journal activity.

This risk assessment method would probably do a pretty good job and would likely satisfy COSO Principle #8.

On the other hand, these controls are all focused on accounting and financial reporting; and we know that many frauds can occur elsewhere.

So, perhaps you should ...
(b) spend $59 to buy the FRMG, start from scratch, and perform a more comprehensive fraud risk assessment

The Fraud Risk Assessment Process

Fraud Risk Assessment (cycle diagram):
- Establish the fraud risk assessment team, considering:
  - Appropriate management levels
  - All organizational components
- Identify all fraud schemes and fraud risks (i.e., “Brainstorming”), considering:
  - Internal and external factors
  - Various types of fraud
  - Risk of management override
- Estimate likelihood and significance of each fraud scheme and risk
- Determine all personnel and departments potentially involved, considering the fraud triangle
- Identify existing controls and assess their effectiveness
- Assess and respond to residual risks that need to be mitigated:
  - Strengthen existing control activities
  - Add control activities
  - Consider data analytics
- Document the risk assessment
- Reassess risk periodically, considering changes:
  - External to the organization
  - Operational
  - Leadership

ACFE is in the process of moving this list to their “Fraud Risk Management Tools” page and adding hyperlinked definitions/descriptions

Documenting the Fraud Risk Assessment

FRMG Appendices
A: GLOSSARY
B: ROLES AND RESPONSIBILITIES
C: CONSIDERATIONS FOR SMALLER ENTITIES
D: REFERENCE MATERIAL
E: DATA ANALYTICS
F: SAMPLE GOVERNANCE MATERIALS
  F1: FRAUD CONTROL POLICY FRAMEWORK
  F2: FRAUD RISK HIGH-LEVEL ASSESSMENT
  F3: FRAUD POLICY RESPONSIBILITY MATRIX
  F4: FRAUD RISK MANAGEMENT POLICY
  F5: FRAUD RISK MANAGEMENT SURVEY
G: LIST OF FRAUD RISK EXPOSURES
H: SAMPLE FRAUD RISK ASSESSMENT
I: FRAUD RISK MANAGEMENT ASSESSMENT SCORECARDS
  I1: FRAUD RISK GOVERNANCE
  I2: FRAUD RISK ASSESSMENT
  I3: FRAUD CONTROL ACTIVITIES
  I4: FRAUD INVESTIGATION AND FOLLOWUP
  I5: FRAUD RISK MANAGEMENT MONITORING
J: HYPERLINKS TO ADDITIONAL TOOLS

Automated versions of these scorecards reside at the ACFE “Fraud Risk Management Tools” page

HYPERLINKS TO ADDITIONAL TOOLS
- Interactive Scorecards
- Points of Focus Documentation Templates
- Risk Assessment and Follow-up Actions Template
- Log for allegations of fraud and investigation results
- Library of Data Analytics Tests

Fraud Risk Heat Map
Fraud Risk Ranking Matrix

Library of Data Analytics Tests
CASH - SKIMMING
- Cash Receipts Analysis: Review sequential numbering of cash receipts journal to ensure no out-of-sequence numbers
- Vertical Analysis: Vertical analysis of sales accounts (i.e., cash as a percentage of total assets over time, etc. can be used to detect skimming at a high level)
- Horizontal Analysis: Horizontal analysis of sales accounts (i.e., cash percent change over time, can be used to detect skimming at a high level)
- Current Ratio Analysis: Track current assets to current liabilities over time
- Quick Ratio Analysis: (Cash + Securities + Receivables) over Current Liabilities percent change over time
- Inventory Analysis: Track inventory shrinkage due to unrecorded sales. Inventory detection may include statistical sampling, trend analysis, reviews of receiving reports and inventory records and verification for material requisition and shipping documentation as well as actual physical inventory counts
- Red Flags: Bank employee questions the validity of a check
- Red Flags: Inspect for a forged endorsement on a check
- Red Flags: Inspect for an employee bank account with a name similar to the company name
- Red Flags: Inspect for alteration of the check payee or endorsement
- Journal Entry Review: Analysis of journal entries made to the cash and inventory accounts to identify: (1) False credits to inventory to conceal unrecorded or understated sales, (2) Write-offs related to lost, stolen or obsolete product, (3) Write-offs to accounts receivable, (4) Irregular entries to cash accounts
- Journal Entry Review: Analysis of journal entries to review suspicious or inaccurate journal entries.
- Journal Entry Review: Identify larger entries split into smaller entries to avoid exceeding their approval limit. To ensure authorization and validity of the Journal Entry based on the approval limits

Library of Data Analytics Tests
BID RIGGING (all tests in the category “Corruption: Bid Rigging”)
- Compare inventory levels and turnover rates on a by project or by product basis, by region
- Inventory written-off and then new purchase made (total write-offs and quantities purchased by product)
- Compare contract awards by vendor (number of contracts won compared to bids submitted)
- Sole sourced contracts - number of bids per contract
- Check for vague contract specifications: (i) amendments, extension, increases in contract values, (ii) total number of amendments, (iii) original delivery date and final delivery date, (iv) original contract value and final contract value
- Check for split contract (same vendor, same day)
- Bids submitted after bid closing date
- Last bid wins
- Low bidder drops out, and subcontracts to higher bidder (compare contractor with invoice payee)
- Fictitious bids - verify bidders and prices

Library of Data Analytics Tests
REVENUE RECOGNITION
- Bill & Hold: Analysis of inventory that has been "segregated" or shipped to a third party intermediary where the customer has not taken title and assumed the risks, yet the company has booked this isolated inventory as revenue
- Bill & Hold: Identify revenue and receivables recorded prior to shipment
- Channel Stuffing: Compare discounts or incentives on a monthly basis to identify unusual spikes at the end of the quarter or year.
- Channel Stuffing: Compare sales and corresponding returns on a per customer basis
- Debt Swap: Identification of Journal Entries with Net Debit to Liability and Credit to Revenue
- Debt Swap: Identification of Journal Entries with Net Debit to Liability and Credit to Expenses
- Fake Invoices: Analysis of sequentially numbered invoices
- Fake Invoices: Benford's analysis of the first two digits to identify anomalies such as a disproportionate number of invoices starting with 7, 8 or 9
- Fake Invoices: Analysis of company names that "sound like" known vendors
- Fake Invoices: Examine inventory records to identify locations or items that require specific attention during or after the physical inventory count
- Revenue Recognition: Analysis and anomaly detection of the sequence of transactions to identify missing checks, invoices
- Revenue Recognition: Compare A/R credit memos to A/P invoices
- Revenue Recognition: Compare revenue reported by month and by product line during the current period with comparable prior periods
- Revenue Recognition: Confirm with selected, high risk customers relevant contract terms or question company staff regarding shipments near the end of the period
- Revenue Recognition: Identification of revenue recognized at period end and subsequently reversed or partially reversed
- Fraud Triangle Analytics: E-mail analysis of selected employees (accounting or sales) for "Rev Rec" related key words around incentive/pressure, opportunity and rationalization

NEW TOOL—COMING SOON
List of fraud schemes, hyperlinked to underlying definitions and descriptions. To be expanded through crowdsourcing.
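
Two of the tests named in the library above target purchase-splitting: grouping items by vendor and day to find sets that each stay under an approval limit but together exceed it, and Benford's analysis of the first two digits to find amounts clustered just below that limit. The Python below is an added example, not code from the presentation or from the ACFE tools library; the 5,000 approval limit, the field names, the z > 1.96 cut-off and all invoice data are constructed assumptions.

```python
import math
from collections import Counter, defaultdict
from datetime import date, timedelta

APPROVAL_LIMIT = 5000.00  # assumed: amounts at or above this need higher-level approval


def build_sample_invoices():
    """Constructed data: 200 Benford-like background invoices plus planted cases."""
    start = date(2024, 1, 1)
    invoices = [
        # Geometric spacing over two decades (100 .. ~9,772) follows Benford's Law.
        {"vendor": f"V-{i % 20:03d}", "date": start + timedelta(days=i),
         "amount": round(100 * 10 ** (i / 100), 2)}
        for i in range(200)
    ]
    planted = [
        ("V-900", date(2024, 3, 4), [4900.00, 4950.00, 4980.00]),
        ("V-901", date(2024, 3, 11), [4925.00, 4975.00]),
        ("V-900", date(2024, 4, 2), [4990.00, 4910.00, 4960.00, 4940.00, 4999.00]),
        ("V-902", date(2024, 3, 5), [1200.00, 900.00]),  # benign: total stays under limit
    ]
    for vendor, day, amounts in planted:
        invoices += [{"vendor": vendor, "date": day, "amount": a} for a in amounts]
    return invoices


def find_split_purchases(invoices, limit=APPROVAL_LIMIT):
    """Same vendor, same day: two or more under-limit invoices whose total exceeds the limit."""
    groups = defaultdict(list)
    for inv in invoices:
        if inv["amount"] < limit:  # items at/above the limit already went to higher approval
            groups[(inv["vendor"], inv["date"])].append(inv["amount"])
    hits = []
    for (vendor, day), amounts in groups.items():
        total = round(sum(amounts), 2)
        if len(amounts) >= 2 and total > limit:
            hits.append({"vendor": vendor, "date": day,
                         "count": len(amounts), "total": total})
    return sorted(hits, key=lambda h: (h["date"], h["vendor"]))


def first_two_digits(amount):
    """Leading two significant digits (4875.10 -> 48); None if fewer than two exist."""
    digits = f"{amount:.2f}".replace(".", "").lstrip("0")
    return int(digits[:2]) if len(digits) >= 2 else None


def benford_first_two_excess(amounts, z_threshold=1.96):
    """Digit pairs 10..99 that occur significantly MORE often than Benford predicts.

    Expected share of pair d is log10(1 + 1/d). The z-statistic uses the usual
    continuity correction of 1/(2n). Returns (pair, count, z) sorted by z, descending.
    """
    pairs = [p for p in map(first_two_digits, amounts) if p is not None]
    n = len(pairs)
    if n == 0:
        return []
    counts = Counter(pairs)
    flagged = []
    for d in range(10, 100):
        expected = math.log10(1 + 1 / d)
        observed = counts[d] / n
        z = (abs(observed - expected) - 1 / (2 * n)) / math.sqrt(expected * (1 - expected) / n)
        if observed > expected and z > z_threshold:
            flagged.append((d, counts[d], round(z, 2)))
    return sorted(flagged, key=lambda row: -row[2])


if __name__ == "__main__":
    data = build_sample_invoices()
    for hit in find_split_purchases(data):
        print("possible split:", hit)
    for pair, count, z in benford_first_two_excess([inv["amount"] for inv in data]):
        print(f"digit pair {pair}: {count} invoices, z = {z}")
```

The two tests are complementary: the grouping test only catches splits booked on one day with one vendor, while the digit test still shows the pile-up just under the limit when the pieces are spread across days or vendors.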

HYPERLINKS TO ADDITIONAL TOOLS
- These tools reside at the ACFE web site
  - http://www.acfe.com/fraudrisktools/tools.aspx
- These are intended to be dynamic and “crowdsourced”
  - As more fraud schemes are discovered, Appendix G will be adjusted accordingly
  - As new data analytic tests are invented, the library of tests will be updated
  - Etc.
- ACFE has formed a Tools Steering Committee to oversee this ongoing process
  - Email me if you would like to get more involved in this effort

FRMG Appendices
G: LIST OF FRAUD RISK EXPOSURES
H: SAMPLE FRAUD RISK ASSESSMENT
I: FRAUD RISK MANAGEMENT ASSESSMENT SCORECARDS
  I1: FRAUD RISK GOVERNANCE
  I2: FRAUD RISK ASSESSMENT
  I3: FRAUD CONTROL ACTIVITIES
  I4: FRAUD INVESTIGATION AND FOLLOWUP
  I5: FRAUD RISK MANAGEMENT MONITORING
J: HYPERLINKS TO ADDITIONAL TOOLS
K: MANAGING THE RISK OF FRAUD IN GOVERNMENT

Still not convinced that you need Fraud Risk Management?
- Go to p/ and download and print the five scorecards
- Go to Staples and buy some red, yellow, and green dots
- At your next board retreat or senior staff meeting, use the scorecards to self assess
- Tape those scorecards on the wall and step back
- If you see a lot of RED, you definitely need to implement fraud risk management

For those of us who work in or for government

GAO’s Fraud Risk Management Framework: Not Just for Federal Agencies

GAO’s Fraud Risk Management Framework
“While the primary target audience of this study is managers in the U.S. federal government, the practices and concepts described in the Framework may also be applicable to state, local, and foreign government agencies, as well as nonprofit entities that are responsible for fraud risk management.”

Alignment with COSO
The COSO Internal Control—Integrat
