Fraud Risk Management

02/28/2012

COSO Framework Draft Update

Draft stamp imageThe Committee of Sponsoring Organizations of the Treadway Commission (COSO) recently updated its Internal Control Integrated Framework (Framework) to ensure it remains relevant in the changing business environment.  A Draft for Public Exposure is currently available on COSO’s website.

Key items of the Framework have not changed in the updated version including the core definition of internal control, the three control objectives, and the five components of internal control.  If your Company already has an effective internal control system, you will not need to make any significant updates under the updated Framework.

The updated Framework includes codification of the internal control concepts introduced in the original Framework. The codification occurs within the five (5) categories of control environment, risk assessment, control activities, information and communication and monitoring activities. The following is a summary of the seventeen (17) internal controls principles.

Continue reading "COSO Framework Draft Update" »

Posted at 04:27 PM in ERM - Enterprise Risk Management, Fraud Risk Management, Have You Heard?, Internal Audit, Internal Audit & Controls, IT, Risk & Internal Controls, Security | | Comments (3)

|

11/17/2011

Internal Auditing and Fraud

Fraud-Traingle-737837This practice guide summary will discuss how Internal audit can add value to the organization through its role in helping to deter and identify fraud. Fraud results in negative financial, reputational, psychological, and social effects on an organization.  To minimize the risk associated with fraud it is important for organizations to have a strong fraud program that includes awareness, prevention, and detection programs.

Fraud Awareness

Fraud schemes are often ongoing and can last for months or years. Employees commit fraud when they have access to confidential information and internal controls are inadequate or management can override controls without question.

Most frauds have the following characteristics:

  • Pressure or incentive – need the fraudster is trying to satisfy by committing the fraud.
  • Opportunity – the fraudster’s ability to commit the fraud.
  • Rationalization – the fraudster’s ability to justify the fraud in his or her mind.

There are often red flags to indicate individuals might be committing fraud such as spending lavishly, becoming more secretive of their activities, and reluctance to take vacation or sick time.  While none of these red flags means an employee is actually committing fraud, a combination of occurrences may indicate the need for inquiries and increased audit attention.

Continue reading "Internal Auditing and Fraud" »

Posted at 10:52 AM in Fraud Risk Management, Internal Audit | | Comments (1)

|

01/04/2011

What Can Internal Audit Learn from the IIA Down Under?


World

Why do we care what is happening in Australia? In this global economy, it is important to leverage best practices and forward thinking ideas when available. In this case, Australia has consistently ranked ahead of the US on the Corruption Perceptions Index issued by Transparency International. The Corruption Perceptions Index is on a scale from ten (10 - very clean) to zero (0 - highly corrupt). Check out the Transparency International website for more details of their annual studies.

Corruption Perceptions Index (CPI)

Year

Australia

United States

Rank

CPI

Rank

CPI

2010

8

8.7

22

7.5

2009

8

8.7

19

7.5

2008

9

8.7

18

7.3

2007

11

8.6

20

7.2

2006

9

8.7

20

7.3

2005

9

8.8

17

7.6

2004

9

8.8

17

7.5

 

Lessons Learned

What are some of the lessons learned that we in the US could leverage from Australia? Achieving High Performance, a study completed by the IIA and Protiviti, provides some insight into the Internal Audit profession in Australia and how they function. Some key lessons learned include:

What do Audit Committees at high achieving companies do?

  • Appoint and remove the Chief Audit Executive.
  • Approve the scope and budget of the Internal Audit plan.
  • Approve the Chief Audit Executive’s salary.
  • Evaluate the performance of the Chief Audit Executive.


What are the top five priorities of the Chief Audit Executives?

  • Internal controls over the core financial processes.
  • Proactive involvement in major project implementations.
  • Attesting to risk management.
  • Information Technology.
  • Strategic risk.


IIA Australia Policy Agenda

The IIA in Australia is calling for action to reduce the reputational scandals and destruction of shareholder value that continues in all industries.  Their recommendations include five policy principles, which apply to all organizations. These policy statements call for effective self-regulation. It is time for organizations to stop relying upon government regulations and to proactively take accountability for their organization’s risk management and internal control processes.

Policy 1: Good Governance

Strong Internal Audit Function: Internal Audit provides a separation of ownership and an independence not afforded by management. This independent review function is a critical component of good governance.

Policy 2: Oversight

Strong and Effective Audit Committee: A strong independent Audit Committee is required to maintain oversight of management and the internal audit functions. Key characteristics include:

  • At least three members with a majority being independent.
  • The Audit Committee Chair is independent and does not chair the board.
  • The Audit Committee members collectively provide deep finance, accounting and audit experience.
  • The pay for Audit Committee members is commensurate with their workload, experience and personal exposure.

Policy 3: Internal Audit Reporting Lines

Independent Audit Function: Reporting to an active and knowledgeable Audit Committee is important to maintain the independence of the Internal Audit function. Key audit committee oversight functions include:

  • The Board makes Chief Audit Executive (CAE) hiring and firing decisions based upon Audit Committee recommendations.
  • The Audit Committee recommends and approves the Chief Audit Executive’s compensation.
  •  Based upon the Chief Audit Executive’s recommendations, the Audit Committee decides audit scope and budget.
  • The Chief Audit Executive reports all audit work to the Audit Committee who regularly monitors progress against the audit plan.
  • The Audit Committee monitors the Internal Audit function including:   
    • 1) Audit Committee Chair private meetings with the CAE, and 
    • 2) Audit Committee meetings with the CAE without management at least annually.

Policy 4: Accountability for Risk Management and Internal Controls

Management Accountability: A risk culture where management is aware of and owns risks and risk mitigation strategies are keys to proactive risk management and internal control. Steps to accomplish this include:

  • Implementation of an effective system of risk management and internal control.
  • Management attests quarterly or annually that:
    • 1) The system of risk management and internal control is effective, and 
    • 2) They have reported all known material risks to the board with a true status of these risks.
  • Internal Audit independently reviews and advises the Board on management’s attestation.
  • Awareness that delegation of management’s attestation requirement to Internal Audit is not appropriate.

Policy 5: Internal Audit Maintains a High Standard

IIA International Standards for the Professional Practice of Internal Auditing (Standards): The IIA Standards provide solid guidance for effective management and operations of an Internal Audit function. Requirements of the Internal Audit function should include:

  • Mandatory use of the IIA Standards.
  • Audit Committee commissioning of an external quality review every five years. Internal Audit provides a plan for remediation of any issues found during the review.
  • Maintenance of active IIA membership by the Internal Audit function.
  • The CAE and internal auditors who issue reports maintain active IIA certification.


Conclusion

An effective, independent Internal Audit function serves as a deterrent and reduces the opportunity for risks to elevate to the level of reputational damage or erosion of shareholder value. Do you have an Internal Audit function? If so, are you getting the unaltered facts?

For any questions, contact Elaine Nissley, Principal at ENissley@macpas.com.

References

Transparency International: http://www.transparency.org/

IIA Australia: www.iia.org.au/

 

Posted at 01:18 PM in Fraud Risk Management, Internal Audit, Internal Audit & Controls, Risk & Internal Controls | | Comments (0)

|

12/07/2010

Fraudulent Financial Reporting - Time to Learn from the Past

Share
In the coming decade, will history repeat itself or will we learn from the past? This year the Committee of Sponsoring Organizations of the Treadway Commission (COSO) released their second report on fraudulent financial reporting. This report covers the years from 1998 – 2007.  Their previous 1999 report covered the years 1987 - 1997.

 What have we learned?

 The findings are not very encouraging. Fraud is even more prevalent in the past ten years than the prior 10 years. The 2010 report identified 347 cases of fraud compared to 294 cases of public companies reporting fraud in the 1999 report. In addition, the mean fraud rose from $4.1 million in the 1999 study to $12.05 million in the 2010 study. In the years 1998 through 2007, there was nearly $120 billion in known misstatements or misappropriations. Since the 2010 report only included a limited number of cases after the implementation of the Sarbanes-Oxley (SOX) legislation, it is too early to assess the effect of SOX on addressing fraud.

 What can we do?

 Pay Attention to the C-Suite: Accounting and Auditing Enforcement Releases (AAER) from the Securities and Exchange Commission (SEC) named the CEO and/or CFO as defendants in 90% of the cases in the years 1998-2007. Boards and auditors need to be ever vigilant to the red flags of fraud and should understand what drives the CEO or the CFO to commit financial statement fraud. It is important boards and auditors work to reduce incentives and pressures on management to commit financial statement fraud.

 Look for Revenue Fraud: Over 60 % of the fraud cases in the 2010 report involved revenue fraud. A look at the stock graphs for WorldCom and Enron provide a picture of a company in trouble and the ultimate results. Industry specific studies are important ways to identify overstatement of revenues. The Board and the auditors must find ways to identify and investigate potential overstatement of revenue before it becomes an SEC issue or a major fraud.

 Board GovernanceThe 2010 report does not identify differences in governance characteristics between companies with fraud and those without. According to COSO, this area requires additional research. Does your management and board have an attitude of transparency and the desire to have all information, good and bad, out in the open? If not, you may want to take steps to develop this attitude. In addition, check out the article on Strengthening Enterprise Risk Management within the context of the risk related to management compensation and the pressure to meet the financial expectations.

 Change of Auditors: COSO determined that there is a trend for companies to change auditors between clean and fraudulent financial statements. This puts an extra burden on the Financial Auditors to look into prior years to compare the financials to the year under review and note any unexplainable discrepancies.

 Consequences: The severe consequences of fraud are well publicized. These include sanctions against individuals and companies. This frequently includes jail time and restitution judgments against the perpetrators. There is significant negative impact to the shareholders including bankruptcy, abnormal stock declines and job losses.

 Though greed appears to have increased over the past two decades, the time is right for boards and auditors to take this trend seriously and recognize that everyone is a potential candidate to commit fraud. Learn the red flags of fraud and never be afraid to ask the hard questions and get the right answers. Dig deeper and do not accept a cursory response; the hard question may be the best question you ever asked.

 The entire 2010 report by COSO, Fraudulent Financial Reporting 1998 – 2007 is located at http://www.coso.org/documents/COSOFRAUDSTUDY2010.pdf

 For a copy of the fraud checklist, contact Elaine Nissley at ENissley@macpas.com.

 

Posted at 03:12 PM in Fraud Risk Management, Have You Heard? | | Comments (3)

|

10/04/2010

Internal Auditing - An Introduction

01-hand-in-cookie-jar-e1282322757149 Why Internal Audit?

If you could have 5% of your annual revenue rain from the sky would this excite you? Have you ever caught one of your children with their hand in the cookie jar? Or, you know the cookies are disappearing but not why or by whom? Did you ever wonder what Internal Audit (IA) does or why your company needs an IA function?

The 2010 Global Fraud Study by the Association of Fraud Examiners retrieved from http://www.acfe.com/rttn/rttn-2010.pdf. states the typical fraud loss is 5% of annual revenue. When applied to the 2009 Gross World Product, this is a potential fraud loss of $2.9 trillion. (CFE, pg. 4) The report indicates that in 60% of the cases examined, the IA function contributed to detecting or limiting the fraud. (CFE, pg. 44)

Surprise audits conducted by IA can work for you in catching or limiting the impact of the "hand in your cookie jar" effect. The IA function does not even need to be full-time internal staff. Outsourcing the IA function may entail only several hundred hours of work each year. But before we elaborate on how internal audit can help, let's discuss what internal audit is.

What is Internal Audit?

The Institute of Internal Auditors (IIA) is the professional association that provides technical guidance, certification, education, and research in the area of Internal Auditing. The IIA's definition of Internal Auditing retrieved from http://www.theiia.org/theiia/ is as follows:

Internal Auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.

Who doesn't want a specialized group working to improve the organization?

What Does Internal Audit Do?

The two main activities are assurance services and consulting services. Assurance services are:

1. To perform an objective assessment, and
2. To render an independent opinion on systems or operations.

IA does this work on prioritized areas of review based upon the annual risk assessments and areas of greatest concern to management.

IA provides consulting services at the request of management. Consulting services are:

1. Advisory and objective in nature, and
2. Scoped based upon management's objectives.

Management uses these services to support such activities as fraud investigation, due diligence reviews, and preparation for regulatory and compliance reviews.

Raining Money The optimum use of internal audit structures the audit work to reduce the costs and operational staff time related to external requirements, such as financial audits, Sarbanes-Oxley, Model Audit Rule, Market Conduct, and other external and regulatory reviews.

Conclusion

Having your own objective consultants inside your company working for you to make your operations better will help you close the gap on the 5% you are missing. These objective employees will help you better prevent the "hand in the cookie jar" effect, because after all, if your children know you are checking on them, they are less likely to take cookies from the jar without asking, right?

Internal auditor's must maintain independence and provide assurance or advisory services that include unbiased and impartial opinions. In addition, they must maintain objectivity by avoiding conflict of interest situations and not engaging in activities, such as assuming operational responsibility, which may influence their attitude.

Next Up

In the next article, we will discuss the Institute of Internal Auditor's Code of Ethics and introduce the International Professional Practices Framework (IPPF). The standards that, when followed, provide assurance to management that the IA function is following the highest standards of the profession. The last of the series will cover the External Quality Review process that is necessary for an IA function to state, "Audits are performed in accordance with the professional standards of the Institute of Internal Auditors".

Please respond to the blog or direct questions and comments to Elaine Nissley, MBA, CISA, PMP, CCSA, Principal, McKonly & Asbury at ENissley@macpas.com.

Posted at 02:45 PM in Fraud Risk Management, Internal Audit, Internal Audit & Controls | | Comments (0)

|

08/16/2010

Security and Fraud Prevention Seminar

McKonly & Asbury will be hosting a Security and Fraud Prevention Seminar on Friday, September 24, 2010, at the Sheraton Harrisburg/Hershey on Lindle Road in Harrisburg, PA. The seminar will begin at 8:00am and conclude at 3:30 pm, with lunch provided at noon. There is a $35 registration fee and CPE credits are available. 

At this seminar, you'll learn more about...

  • Current trends in cyber crime and identity theft, along with a discussion of the methods you can use to protect yourself from being a victim. 
  • Resources available to prevent attacks on our critical infrastructure and how to report suspicious activity and crime. 
  • The components of fraud, identification of red flags, and other fraud prevention tips related to financial institutions. 
  • Banking fraud concerns for businesses and options for minimizing risk. 
  • Practical security and the 10 Tips for Success. 
  • Mortgage fraud.

Speakers include:

Scott Sutherland, Special Agent of the FBI

David Clark, Special Agent of the FBI

Julie Krause, Regional Sales Manager - Treasury Management at M&T Bank

Tom Strause, Partner with Financial Outsourcing Solutions

David Hammarberg, IT Director with McKonly & Asbury

Samuel BowerCraft, Senior Manager with McKonly & Asbury

 

Agenda:

8:00am - 8:30am: Registration 
8:30am - 8:35am: Welcome (Scott Heintzelman, McKonly & Asbury)
8:35am - 10:00am: IT Security Topic (Scott Sutherland, FBI)
10:00am - 10:15am: Break
10:15am - 11:15am: Practical Security: 10 Tips for Success (David Hammarberg & Samuel BowerCraft, McKonly & Asbury)
11:15am - 12:00pm: Banking Fraud Concerns for Businesses (Julie Krause, M&T Bank)

12:00pm - 1:00pm: Lunch

1:00pm - 1:45pm: Financial Institution Fraud (Tom Strause, Financial Outsourcing Solutions)
1:45pm - 2:00pm: Break
2:00pm - 3:25pm: Mortgage Fraud (David Clark, FBI)
3:25pm - 3:30pm: Closing (Scott Heintzelman, McKonly & Asbury)

If you would like to register, please contact Melissa Roberson at mroberson@macpas.com or by calling 717-761-7910.


Posted at 10:11 AM in Fraud Risk Management, Internal Audit, Internal Audit & Controls, IT, Risk & Internal Controls, Security | | Comments (1)

|

04/05/2010

Charities Beware: Does It Look Too Good To Be True?

Charity

The Case


Are you in a position to accept charitable donations, sit on the Board of Directors of a charity, or donate to charities? What would the organization(s) you are affiliated with do if an insurance company offered them a stock certificate for 226,112.55 shares of insurance company stock and a check for $20,000? Would they accept the stock certificate and check? Would they agree to write a receipt and have their picture taken with the stock certificate? That is exactly what 20 charitable organizations did and they are now left with 5% ownership in Walshire and unforeseen potential financial liabilities. More detail is in the court opinion located here. It is noted that these transactions were for the purpose of having the charitable organizations accept the detritus (debris). When you look at the list of organizations involved in this case, you find names of prominent organizations which many of you may have dealt with.

The Solution

What should an organization do to avoid becoming a victim of donation schemes? The following are several steps organizations should take.

Continue reading "Charities Beware: Does It Look Too Good To Be True?" »

Posted at 03:19 PM in ERM - Enterprise Risk Management, Fraud Risk Management, Non-Profit | | Comments (0)

|

02/08/2010

Security Zen – Fraud and Controls – Closing the Door


Why Worry?

When we talk about security, we talk about keeping things safe… safe from harm, safe from hurt, safe from loss.  In business, this means addressing risk in many areas from many perspectives: technology, people, inventory, weather, etc.  Whatever the perspective may be, we want to prevent loss in the most time effective way we can.  Preventing all loss would require spending all of our time working on prevention, and not much else would get done.

Continue reading "Security Zen – Fraud and Controls – Closing the Door" »

Posted at 08:00 AM in Fraud Risk Management, IT, Security | | Comments (0)

|

12/08/2009

Fraud: An Introduction

 

When we talk about security in an organization, we talk about keeping things safe from nefarious acts and deception.  That being said, it is important to consider information security, but also security regarding assets and financial reports. For this reason, we need to speak about fraud.

Continue reading "Fraud: An Introduction" »

Posted at 08:54 PM in Fraud Risk Management | | Comments (0)

|

11/25/2009

GRC: Implications of Lack of Independence and Ethics. What Can We Do?

 Week 4 GRC  

Link to GRC Post:

A recent large company scandal and court decisions relates to the shareholders claims against Washington Mutual Bank (WaMu) (WaMu Fact Sheet. pdf).  This case involves billions of dollars and the court upheld the right to file claims against both WaMu executives and their external auditors Deloitte and Touche (D&T). (Internal Controls WaMu and D&T.pdf). There is speculation that this case may be the downfall of D&T, much like Enron and Arthur Andersen in 2002.  As I read through the various posts from insiders, a common thread appears:  Management and the External Auditors knew of the risks related to WaMu’s lending practices.  Management did not take the recommended action to mitigate those risks, that is, increase reserves.  Management then proceeded to lead shareholders astray by attesting to the effectiveness of internal controls over financial reporting.  So, if this is true, why did these insiders not speak up prior to the collapse?

Continue reading "GRC: Implications of Lack of Independence and Ethics. What Can We Do?" »

Posted at 03:44 PM in ERM - Enterprise Risk Management, Fraud Risk Management, Internal Audit, SOX | | Comments (0)

|

Next »

Search

Links


McKonly & Asbury LLP.
News & Updates


The Affordable Housing Gurus


Contractors Center Point


The Lean Accountants


The Risk, Management, and Control Advisors


The Corporate Confidante