Accounts Payable Fraud Matrix - Excel by kxy29287

									                                                                                        FRAUD RISK ASSESSMENT
                                                                                              RISK MAP

                                                                                  SIGNIFICANCE                                                                                                      CONTROL
                                                                                     OF RISKS      LIKELIHOOD OF                                                                                   REFERENCE
CODE                 COMMON FRAUDS                          RISK AREA                   (A)           RISKS (B)     QUADRANT (C)                        CONTROL ACTIVITY                             NUMBER
  1    Payments to fictitious vendors               Accounts Payable                             7              4        I         AP 11: Segregation of duties; AP 63 Vendor master file          AP.11, AP.63,
                                                                                                                                   reviewed and PO's checked against it; AP 109: systems           AP.109, AP.81
                                                                                                                                   detects and purges or deactivates inactive vendors; AP
                                                                                                                                   81:User Requests reviewed for proper approval and accuracy
                                                                                                                                   of data elements NEW: D&B checks by A/R Team plus D&B
                                                                                                                                   review
 2     Duplicate payments                           Accounts Payable                             7              4         I        AP.11: Segregation of duties; AP. 43: Royalty liabilities are   AP.11, AP.43,
                                                                                                                                   documented and authorized prior to payment; AP. 133:            AP.133, AP.51
                                                                                                                                   potential duplicate report is run and reviewed and researched
                                                                                                                                   daily; AP. 51: System rejects the duplicate entry of an
                                                                                                                                   invoice. ALSO: Post Audit activity
 3     Overpayments to vendors                      Accounts Payable                             6              4         I        AP.25: Exceptions to 3-way match between PO, invoice and        AP.25, AP.26,
                                                                                                                                   receipt are investigated daily; AP.26: Exceptions to Proof of    AP.64, AP,81
                                                                                                                                   Delivery requirement properly approved and monitored;
                                                                                                                                   AP.64: Vendor statements are reconciled to A/P detail;
                                                                                                                                   AP.81: User Requests reviewed for proper approval and
                                                                                                                                   accuracy of data elements. ALSO: Post Audit activity


 4     Loss of receivables through bad credit -     Sales / Accounts Receivable                  2              1        IV        Credit sales are approved by the authorization system before        SA.14
       extended or obtained fraudulently                                                                                           they are accepted by the POS system. Store manager reviews
                                                                                                                                   and approves up to established dollar threshold. NEW: vendor
                                                                                                                                   credit to be validated by A/R Credit group review of D&B


 5     Falsified sales                              Sales / Accounts Receivable                  4              2        IV        Cash is deposited daily and cash reconciliations are                SA.03
                                                                                                                                   performed. Store manager audit duties.
 6     Improper sales cutoff                        Sales / Accounts Receivable                  4              2        IV        Sales are posted based on sales date. Returns are posted as         SA.49
                                                                                                                                   of the date received. Discounts and allowances are posted
                                                                                                                                   according to the date specified on the credit memo.
                                                                                                                                   Merchant and Merchandise Finance review of VATS.


 7     Cash and check theft                         Cash and Cash Equivalents                    4              5        III       Log of checks/cash received is compared to daily deposit.           CA.20
                                                                                                                                   Store manager cash audit. Positive pay controls in Treasury.

 8     Unauthorized bank accounts in company name Cash and Cash Equivalents                      7              2        II        Cash is deposited daily and cash reconciliations are                CA.06
                                                                                                                                   performed to verify that all cash, checks and payment
                                                                                                                                   transactions received at company locations are accounted for
                                                                                                                                   in deposits.
 9     Sell items (inventory, fixed assets,         Cash and Cash Equivalents                    3              5        III       Perpetual/physical is reconciled to G/L. POS system. Policy        INV.42
       equipment) for cash without recording sale                                                                                  requiring VP to authorize. Customer receipt. Code of
                                                                                                                                   Conduct. LP function.




                                                                                                                                     C:\Docstoc\Working\pdf\471447d9-a8e9-4739-be4c-c833b25960b4.xls
                                                                                     FRAUD RISK ASSESSMENT
                                                                                           RISK MAP

                                                                               SIGNIFICANCE                                                                                                          CONTROL
                                                                                  OF RISKS      LIKELIHOOD OF                                                                                       REFERENCE
CODE                 COMMON FRAUDS                         RISK AREA                 (A)           RISKS (B)     QUADRANT (C)                         CONTROL ACTIVITY                                NUMBER
 10    Theft of treasury payment instructions     Physical / Access Security                  8              2        II        Communication out to the store and DCs is through our VPN              IDTS
                                                                                                                                which contains SSL encryption (same with our connection to
                                                                                                                                GXS and our Banking partners). Within the KRC/KTC campus,
                                                                                                                                communication is in the clear unless someone specifically
                                                                                                                                encrypts the message. Our cryptographis keys for KPAS and
                                                                                                                                our credit/debit network are kept under physical lock and key.
                                                                                                                                Keys are never transmitted. In addition, the ACH file that is
                                                                                                                                sent to BoNY or BoA cannot be accessed by anyone once it
                                                                                                                                has been created unless it is an emergency.

 11    Theft of passwords (company wide)          Physical / Access Security                  7              2        II        All major systems are protected via single factor authentication        ITDS
                                                                                                                                which is user id and password. Our information security policy
                                                                                                                                states that the user ids must resolve to an individual. Access to
                                                                                                                                system resources is restricted using tolls that match
                                                                                                                                authorization to user id. Authorization is granted by
                                                                                                                                management to the appropriate resource. There are
                                                                                                                                requirements to regularly change passwords. Passwords are
                                                                                                                                required to be non-trivial.
 12    Theft of sensitive corporate information   Physical / Access Security                  6              5         I        Code of conduct. Security guards in HQ.                                Control
                                                                                                                                                                                                     Environment
                                                                                                                                                                                                    documentation
 13    Theft of company assets                    Physical / Access Security                  4              5        III       Code of conduct; LP at stores. Video Surveillance,                     Control
                                                                                                                                Sensormatic at exits. Security at HQ and DC's.                       Environment
                                                                                                                                                                                                    documentation
 14    Hacking                                    Computer and                                7              2        III       Communication out to the store and DCs is through our VPN               IDTS
                                                  Communications Security                                                       which contains SSL encryption (same with our connection to
                                                                                                                                GXS and our Banking partners). Within the KRC/KTC campus,
                                                                                                                                communication is in the clear unless someone specifically
                                                                                                                                encrypts the message. Our cryptographis keys for KPAS and
                                                                                                                                our credit/debit network are kept under physical lock and key.
                                                                                                                                Keys are never transmitted.

 15    Electronic eavesdropping                   Computer and                                2              1        IV        Communication out to the store and DCs is through our VPN               IDTS
                                                  Communications Security                                                       which contains SSL encryption (same with our connection to
                                                                                                                                GXS and our Banking partners). Within the KRC/KTC campus,
                                                                                                                                communication is in the clear unless someone specifically
                                                                                                                                encrypts the message. Our cryptographis keys for KPAS and
                                                                                                                                our credit/debit network are kept under physical lock and key.
                                                                                                                                Keys are never transmitted.

 16    Fictitious employees                       Payroll and Benefits                        4              3        IV        PR.05: Cost by department are compared to budget; PR.06:            PR.05; PR.06;
                                                                                                                                Distribution of hours for each department is reviewed; PR.12        PR.12; PR.15;
                                                                                                                                HR authorizes changes in employment status; PR.15 Monthly            PR.29; PR.87
                                                                                                                                payroll activity is compared to previous period; PR.29: System
                                                                                                                                will not generate paychecks for terminated employees; PR.87
                                                                                                                                Periodic access reviews to payroll systems




                                                                                                                                  C:\Docstoc\Working\pdf\471447d9-a8e9-4739-be4c-c833b25960b4.xls
                                                                                    FRAUD RISK ASSESSMENT
                                                                                          RISK MAP

                                                                              SIGNIFICANCE                                                                                                      CONTROL
                                                                                 OF RISKS      LIKELIHOOD OF                                                                                   REFERENCE
CODE                 COMMON FRAUDS                            RISK AREA             (A)           RISKS (B)     QUADRANT (C)                        CONTROL ACTIVITY                             NUMBER
 17    Falsified wages                               Payroll and Benefits                    4              3       IV         PR.33: Time reports are reviewed before payment; PR.30:         PR.33; PR.30;
                                                                                                                               The application automatically controls the time entry           PR.27; PR.87;
                                                                                                                               approval process. Payments only made for approved time;             PR.12
                                                                                                                               PR.27: System does not allow for entering of a time card
                                                                                                                               twice; PR.87 Periodic access reviews to payroll systems;
                                                                                                                               PR.12 HR authorizes changes in employment status.


 18    Ex-employees not removed from payroll         Payroll and Benefits                    4              3        IV        HR authorizes changes in employment status; System will not     PR.12; PR.29
       register                                                                                                                generate paychecks for terminated employees.
 19    Pay medical claims for fictitious employees   Payroll and Benefits                    2              2        IV        KRC generalists reference Compensation Guidelines when              PR.24
                                                                                                                               preparing compensation summaries for KRC associates eligible
                                                                                                                               for wage changes, ensuring that supervisors approve all
                                                                                                                               changes and that changes requested outside of the guidelines
                                                                                                                               are authorized by an HRD and executive mgt (if significant).
                                                                                                                               Outside service provider verifies associate eligibility.


 20    Use confidential employee records to commit Payroll and Benefits                      4              3        IV        Code of conduct; PR.87 Periodic access reviews to payroll          Control
       fraud (identity theft)                                                                                                  systems                                                         Environment
                                                                                                                                                                                              documentation;
                                                                                                                                                                                                   PR.87
 21    Employer misrepresents the amount of          Payroll and Benefits                    2              2        IV        System assigns coding for all personnel.                            PR.45
       payroll or classification of its employees
 22    Fraudulent worker's compensation claims -     Payroll and Benefits                    2              2        IV        Code of conduct; PR.87 Periodic access reviews to payroll          Control
       false representation of a material fact to                                                                              systems; detective control: workers' comp probably              Environment
       obtain or to deny WC benefits or to avoid                                                                               investigates any large claims (we should ask them). Workers'   documentation;
       responsibility under the law                                                                                            Comp: claims analysis (outside and internal). Medical               PR.87
                                                                                                                               verification necessary.
 23    Manipulate financial statements to receive    Accounting / Financial                  7              4         I        FS.03: Financial statements and trial balance are reviewed;     FS.03; FS.07;
       bonus                                         Reporting                                                                 FS.07: Support for nonstandard journal entries is reviewed;     FS.08; FS.17;
                                                                                                                               FS.08: A journal approval hierarchy is defined in the               FS.36
                                                                                                                               application to control the journal entry approval process;
                                                                                                                               FS.17: Procedures and controls over classification
                                                                                                                               /presentation/disclosure are documented and followed;
                                                                                                                               FS.36: All changes in accounting methods should be
                                                                                                                               documented, reviewed and approved. Ethics hotline; Audit
                                                                                                                               Committee review of subjective accounting accruals; External
                                                                                                                               audit; Disclosure Controls and Procedures


 24    Accounting cutoffs manipulated to maximize    Accounting / Financial                  8              3        II        Same as above                                                       FS.03
       financial performance                         Reporting
 25    Use insider information to profit in stock    Accounting / Financial                  6              3        II        Code of conduct; Trading window closed for employees during       Control
       market                                        Reporting                                                                 specific times. Identification of Section 16 officers and       Environment
                                                                                                                               communication/instructions to them.                            documentation
 26    Concealed expenses                            Accounting / Financial                  4              5        III       AP.17: Comparison of amounts to budget and prior years;        AP.17
                                                     Reporting and Accounts                                                    AP.40/AP.05: Accounts payable detail is reconciled to the
                                                     Payable                                                                   Purchase Journal and Stockledger Weekly
                                                                                                                                 C:\Docstoc\Working\pdf\471447d9-a8e9-4739-be4c-c833b25960b4.xls
                                                                                     FRAUD RISK ASSESSMENT
                                                                                           RISK MAP

                                                                               SIGNIFICANCE                                                                                                       CONTROL
                                                                                  OF RISKS      LIKELIHOOD OF                                                                                    REFERENCE
CODE                 COMMON FRAUDS                            RISK AREA              (A)           RISKS (B)     QUADRANT (C)                       CONTROL ACTIVITY                               NUMBER
 27    Improper asset valuations - from impairment    Accounting / Financial                  8              3        II        Annual impairment review. See below (#39)                           FA.08
                                                      Reporting
 28    Income tax evasion by omission of income       Tax                                     2              2        IV        Support for nonstandard journal entries is reviewed. Review         TAX.06
                                                                                                                                of return by outside auditor.
 29    Unlawful tax deductions                        Tax                                     3              2        IV        Support for nonstandard journal entries is reviewed. Multiple       TAX.06
                                                                                                                                levels of review.
 30    Charge personal purchases to company           Purchasing                              3              3        IV        AP.25: Exceptions to 3-way match between PO, invoice and         AP.25, AP.11,
       through misuse of purchase orders                                                                                        receipt are investigated daily; AP.11: An appropriate                AP.28
                                                                                                                                segregation of duties exist between individuals involved in
                                                                                                                                vendor maintenance; invoice approval, and cash
                                                                                                                                disbursements. (Peoplesoft); AP.28: Invoices are reviewed by
                                                                                                                                authorized person prior to payment (Post Audit) Competitive
                                                                                                                                bidding requirement for purchases over $25k; PeopleSoft
                                                                                                                                purchasing approval hierarchy.


 31    Purchase goods through related-party           Purchasing                              4              5        III       AP.37: POs require dollar amount and coding approvals and        AP.37, AP.45,
       suppliers at non-competitive prices                                                                                      are checked for authorization, accuracy, completeness, and           AP.63
                                                                                                                                reasonabless; AP.45: Significant vendor agreements are
                                                                                                                                reviewed by management; AP.63: Vendor master file is
                                                                                                                                reviewed and maintained and all purchase orders are checked
                                                                                                                                against it to ensure vendors are valid, purchase limits not
                                                                                                                                exceeded, whether special terms apply, and appropriate
                                                                                                                                sales tax rate.

CODE | COMMON FRAUDS | RISK AREA | SIGNIFICANCE OF RISKS (A) | LIKELIHOOD OF RISKS (B) | QUADRANT (C) | CONTROL ACTIVITY | CONTROL REFERENCE NUMBER
32 | Steal inventory and falsify records to cover theft (includes shrink) | Inventory | 4 | 5 | III | INV.66: Sales Journal reconciled to the Stock Ledger monthly; SA.21: Physical inventories are taken and shortages are investigated; SA.12: Store managers review daily sales that also show returns, discounts, and allowances; SA.05: Adjustments to sales (returns, discounts, allowances) must be authorized by an appropriate individual. Outside inventory counting firm (RGIS) used for inventory cycle counts; investigation of variances; corporate reconciliation/recording (Merchandise Acctg). | INV.66; SA.21; SA.12; SA.05
33 | Falsify counts so that inventory results are favorable | Inventory | 4 | 5 | III | INV.28: Inventory count crews are supervised; SA.21: Physical inventories are taken and shortages are investigated. Outside inventory counting firm used. Internal audit observation of a sample of cycle counts. | INV.28; SA.21
34 | Re-direct returned goods to home location for personal use | Inventory | 2 | 3 | IV | SA.12: Store managers review daily sales that also show returns, discounts, and allowances; SA.05: Adjustments to sales (returns, discounts, allowances) must be authorized by an appropriate individual. | SA.12; SA.05
35 | Delete obsolete stock from records | Inventory | 3 | 3 | IV | Calculations and assumptions for excess and obsolete inventory are reviewed. | INV.07
36 | Sell inventory stock for cash and misappropriate the receipts (includes shrink) | Inventory | 4 | 3 | IV | CA.14: Customer requests a receipt; CA.41: Bar code scanners used to automatically record sales and returns; SA.52: Store Manager reviews and signs Audit of Cash report. Manager matches supporting documents to report. Conducts interviews as needed. Corrections entered following day, if necessary. | CA.14; CA.41; SA.52
37 | Overstate value of assets to improve balance sheet | Fixed Assets | 4 | 3 | IV | FA.08: Assumptions for impairment estimates are reviewed; FA.09: Assumptions used in depreciation calculations are reviewed; FA.20: FAS 142 intangible asset impairment analysis is reviewed; FA.21: Financial commitments required to follow Contracts, Purchase Orders and Other Commitments Policy approval. | FA.08; FA.09; FA.20; FA.21
38 | Modify depreciation expense calculations to report less expense | Fixed Assets | 5 | 3 | IV | FA.09: Assumptions used in depreciation calculations are reviewed; FA.05: Accounting Manager reviews property addition classifications compared to policy; FA.15: Depreciation calculation is compared to budget; FA.25: New assets entered into subledger are reviewed. | FA.09; FA.05; FA.15; FA.25
39 | Kickbacks on real estate deals | Real Estate | 5 | 3 | II | Code of conduct; FA.21: Financial commitments required to follow Contracts, Purchase Orders and Other Commitments Policy approval. | Control Environment documentation; FA.21
40 | Expense Report Fraud | | 1 | 5 | II | Code of conduct; FA.21: Financial commitments required to follow Contracts, Purchase Orders and Other Commitments Policy approval. Require manager approval. All expenses reviewed for compliance by A/P team. | Control Environment documentation; FA.21

KEY

(A) Significance is the impact the risk (event, action or inaction) would have on the organization or process if it occurred. Ranked from 1 to 10, with 1 being the lowest significance.

(B) Likelihood is the probability that the risk (event, action or inaction) would occur, assuming there are no controls in place to mitigate the risk. Ranked from 1 to 5, with 1 being the lowest likelihood. The ranking is based on inherent risks as well as known past irregularities at Kmart.

(C) Quadrants:

I - High priority risks
II - Significant risks but less likely to occur
III - Risks are likely to occur but less significant if they do
IV - Low priority risks

FRAUD RISK ASSESSMENT (risk map chart)

[Scatter chart: vertical axis SIGNIFICANCE OF RISKS (1 to 9), horizontal axis LIKELIHOOD OF RISKS (1 to 5). Each fraud code is plotted at its (B) and (A) scores, with quadrant I in the upper right, quadrant II in the upper left, quadrant III in the lower right and quadrant IV in the lower left. One plotted label reads "#REF!", a broken cell reference in the source spreadsheet.]
