
Fraud Risk Management: © 2018 Association of Certified Fraud Examiners, Inc

The document discusses fraud risk management and introduces concepts such as the fraud triangle, different types of fraud, and the impact of fraud. It also examines why people commit fraud and the relationship between anti-fraud initiatives and risk management.

Uploaded by

wiwid permama

Fraud Risk Management

Introduction

Bret Hood, CFE
Director, 21st Century Learning & Consulting

© 2018 Association of Certified Fraud Examiners, Inc.


CPE Information



Discussion Questions

1. On a scale of 1 to 10 (1 being lowest and 10
being highest), how much emphasis does
your organization place on preventing fraud?
Detecting fraud? Investigating known
instances of fraud?



Discussion Questions

2. Think of an instance of fraud that occurred at
your organization (or another organization, if
necessary). What were the indirect costs and
effects of the fraud?



Discussion Questions

3. Which departments or business activities in
your organization present the highest risk of
employee theft?
4. What business activities at your organization
are most prone to fraudulent misstatements?



Learning Objectives—Introduction

▪ Define fraud and its components.
▪ Identify different types of fraud.
▪ Examine the impact of fraud on organizations.
▪ Understand why people commit fraud.
▪ Examine the relationship between anti-fraud
initiatives and risk management.



Foundational Guidance for Managing Fraud Risks

▪ Fraud Risk Management Guide (COSO and ACFE, 2016)
▪ Enterprise Risk Management—Integrating with Strategy and Performance (COSO, 2017)
▪ Managing the Business Risk of Fraud: A Practical Guide (IIA, AICPA, and ACFE, 2008)
▪ Internal Control—Integrated Framework (COSO, 2013)
▪ ISO 31000: 2018, Risk Management—Guidelines (ISO, 2018)
▪ ISO 31010:2009, Risk Management—Risk Assessment Techniques (ISO, 2009)
▪ ISO 37001, Anti-Bribery Management Systems (ISO, 2016)



What Is Fraud?

▪ A knowing
misrepresentation of the
truth or concealment of a
material fact to induce
another to act to his or her
detriment



Elements of Fraud

▪ A material false statement
▪ Knowledge that the statement was false when it
was uttered
▪ Reliance on the false statement by the victim
▪ Damages resulting from the victim’s reliance on
the false statement



Components of Fraud

▪ The act
▪ The concealment
▪ The conversion



Types of Fraud

▪ Internal/occupational fraud:
• Asset misappropriation (embezzlement)
• Corruption
• Financial statement fraud
▪ External fraud:
• Dishonest vendors
• Dishonest customers
• Unknown third parties



The Impact of Fraud

▪ All organizations are
susceptible to fraud.
▪ Fraud is a human
problem, not an
accounting problem.



ACFE 2018 Report to the Nations

▪ CFEs estimate the typical organization loses
5% of its annual revenue to fraud.
• Potential total fraud loss of nearly $4 trillion
worldwide
▪ Median loss caused by occupational fraud is
$130,000.
▪ 22% of the frauds involved losses of at least
$1 million.



ACFE 2018 Report to the Nations

▪ Asset misappropriation schemes
• Most common—89% of cases
• Least costly—median loss of $114,000
▪ Financial statement frauds
• Least common—10% of cases
• Costliest—median misstatement of $800,000
▪ Corruption schemes:
• 38% of cases
• Median loss of $250,000



The Indirect Fallout

▪ Impact extending well beyond the actual
dollar amount stolen
▪ Loss of employee confidence
▪ Loss of productivity
▪ Decline in company image and reputation



Why Do People Commit Fraud?

[Figure: Fraud Triangle: Opportunity, Pressure, Rationalization]



Why Do People Commit Fraud?



When Does the Fraud
Triangle Not Apply?
▪ Predatory employees—
those with a
premeditated intent of
stealing from the
employer
▪ Need for rationalization
often dissipates after the
first offense



When Does the Fraud
Triangle Not Apply?



Why Sanctions Alone Don’t Deter Fraud

▪ Perpetrators do not anticipate getting caught.
▪ Perpetrators rationalize their conduct so that it
seems legal or justified and thus should not be
sanctioned.
▪ The greatest threat perpetrators face is the
detection of their crime.



How Does Fraud Relate to
Risk Management?
▪ Risk is the effect
(positive or negative)
of uncertainty on an
organization’s
objectives.



How Does Fraud Relate to
Risk Management?
▪ Risks are commonly grouped into the following
categories to facilitate risk mitigation:
• Strategic
• Operational
• Reporting
• Compliance
▪ Fraud might be a compliance, financial, or
operational risk.



How Does Fraud Relate to
Risk Management?
▪ What is risk management?
• COSO: “the culture, capabilities, and practices,
integrated with strategy-setting and its
performance, that organizations rely on to manage
risk in creating, preserving, and realizing value”
• ISO 31000: “coordinated activities to direct and
control an organization with regard to risk”



How Does Fraud Relate to
Risk Management?
▪ Many risk management professionals
underestimate the role of fraud in—or even
exclude fraud risks from—the scope of their
professional duties.



How Does Fraud Relate to
Risk Management?
▪ This course explains how to integrate anti-fraud
and risk management initiatives to:
• Identify, assess, and manage fraud risks.
• Support fraud risk management by establishing an
anti-fraud culture and promoting fraud awareness.
• Develop a system of internal controls to address
fraud risks.
• Address and respond to identified fraud.



Fraud Risk Management and
Internal Control

[Figure: Internal Control, Fraud Risk Management, Enterprise Risk Management]



COSO Definition of Internal Control

▪ Internal control is a process, effected by an
entity’s board of directors, management, and
other personnel, designed to provide
reasonable assurance regarding the
achievement of objectives relating to
operations, reporting, and compliance.



Objectives of Internal Control

▪ Operations objectives: the effectiveness and
efficiency of the organization’s operations
▪ Reporting objectives: the reporting of financial
and nonfinancial information to internal and
external parties
▪ Compliance objectives: the organization’s
adherence to the laws and the regulations to
which it is subject



COSO Internal Control—
Integrated Framework
▪ Control environment
▪ Risk assessment
▪ Control activities
▪ Information and communication
▪ Monitoring



Control Environment
▪ Sets the moral tone and provides foundation for
all other control components
▪ Principles:
1. Commitment to integrity and ethical values
2. Independent board that oversees development and
performance of internal control
3. Appropriate structures, reporting lines, and
authorities and responsibilities
4. Commitment to attract, develop, and retain
competent individuals
5. Accountability for internal control responsibilities



Risk Assessment

▪ Dynamic and iterative process that forms the
basis for determining how risks will be managed
▪ Principles:
6. Set sufficiently clear objectives to enable the
identification and assessment of risks.
7. Identify and analyze risks to the achievement of
objectives across the entity.
8. Consider potential for fraud in assessing risks to the
achievement of objectives.
9. Identify and assess changes that could significantly
impact the system of internal control.



Control Activities

▪ Policies and procedures that enforce
management’s directives
▪ Principles:
10. Select and develop control activities that mitigate
risks to acceptable levels.
11. Select and develop general control activities over
technology.
12. Deploy control activities through policies that
establish what is expected and procedures that put
policies into action.



Information and Communication
▪ The exchange of information in a way that
allows employees to carry out their
responsibilities and achieve objectives
▪ Principles:
13. Obtain or generate and use relevant, quality
information to support the functioning of controls.
14. Internally communicate information, including
objectives and responsibilities, necessary to support
the functioning of internal control.
15. Communicate with external parties regarding
matters affecting the functioning of internal control.



Monitoring
▪ The process that assesses the effectiveness of
the control system over time
▪ Principles:
16. Select, develop, and perform ongoing or separate
evaluations to ascertain whether the components of
internal control are present and functioning.
17. Evaluate and communicate control deficiencies in a
timely manner to those parties responsible for taking
corrective action.



Business Case for Managing Fraud Risk

▪ Organizations that
deny the true
possibility of fraud are
at the greatest risk.



Business Case for Managing Fraud Risk

▪ CFEs estimate the typical organization loses
5% of its annual revenues to fraud.
▪ Recovery is typically very little, if any.
▪ Additional time and money invested in:
• Investigating how frauds happened
• Pursuing action against perpetrators
• Remediating system weaknesses



Business Case for Managing Fraud Risk
Median Loss Based on Presence of Anti-Fraud Controls

(Source: ACFE 2018 Report to the Nations)



Business Case for Managing Fraud Risk
Median Duration of Fraud Based on Presence of Anti-Fraud Controls

(Source: ACFE 2018 Report to the Nations)



Business Case for Managing Fraud Risk

▪ A proactive fraud risk management program:
• Sends a clear anti-fraud message
• Demonstrates a sound business strategy
• Enhances the organization’s image and reputation
• Promotes goodwill
• Ensures compliance with laws and regulations
• Directly increases the bottom line



Federal Sentencing Guidelines
for Organizations
1. Have policies defining standards and
procedures that the organization’s agents and
employees must follow.
2. Assign specific high-level personnel who have
ultimate responsibility to ensure compliance.
3. Use due care not to delegate significant
discretionary authority to people whom the
organization knew or should have known to
have a propensity to engage in illegal activities.



Federal Sentencing Guidelines
for Organizations
4. Communicate standards and procedures to all
agents and employees and require participation
in training programs.
5. Take reasonable steps to achieve compliance;
for example, by use of monitoring and auditing
systems and by having and publicizing a
reporting system where employees can report
criminal conduct without fear of retribution
(hotline or ombudsman program).



Federal Sentencing Guidelines
for Organizations
6. Consistently enforce standards through
appropriate discipline, ranging from dismissal to
reprimand.
7. After detection of an offense, the organization
must have taken all reasonable steps to
respond to this offense and prevent further
similar offenses—including modifying its
program and appropriately disciplining
individuals responsible for the offense and
those who failed to detect it.



Federal Sentencing Guidelines
for Organizations
▪ The organization shall periodically assess the
risk of criminal conduct and shall take
appropriate steps to design, implement, or
modify each requirement set forth in [the seven
elements] to reduce the risk of criminal conduct
identified through this process.
