Memo for Home Based Employees

FRAUD RISK ASSESSMENT
RISK MAP

Columns of the risk map (one numbered entry per row below): CODE; COMMON FRAUDS; RISK AREA; SIGNIFICANCE OF RISKS (A); LIKELIHOOD OF RISKS (B); QUADRANT (C); CONTROL ACTIVITY; CONTROL REFERENCE NUMBER
1. Payments to fictitious vendors
   Risk area: Accounts Payable
   Significance (A): 7; Likelihood (B): 4; Quadrant (C): I
   Control activity: AP.11: Segregation of duties; AP.63: Vendor master file reviewed and POs checked against it; AP.109: System detects and purges or deactivates inactive vendors; AP.81: User requests reviewed for proper approval and accuracy of data elements. NEW: D&B checks by A/R Team plus D&B review.
   Control reference: AP.11, AP.63, AP.109, AP.81

2. Duplicate payments
   Risk area: Accounts Payable
   Significance (A): 7; Likelihood (B): 4; Quadrant (C): I
   Control activity: AP.11: Segregation of duties; AP.43: Royalty liabilities are documented and authorized prior to payment; AP.133: Potential duplicate report is run, reviewed and researched daily; AP.51: System rejects the duplicate entry of an invoice. ALSO: Post Audit activity.
   Control reference: AP.11, AP.43, AP.133, AP.51

3. Overpayments to vendors
   Risk area: Accounts Payable
   Significance (A): 6; Likelihood (B): 4; Quadrant (C): I
   Control activity: AP.25: Exceptions to 3-way match between PO, invoice and receipt are investigated daily; AP.26: Exceptions to Proof of Delivery requirement properly approved and monitored; AP.64: Vendor statements are reconciled to A/P detail; AP.81: User requests reviewed for proper approval and accuracy of data elements. ALSO: Post Audit activity.
   Control reference: AP.25, AP.26, AP.64, AP.81

4. Loss of receivables through bad credit, extended or obtained fraudulently
   Risk area: Sales / Accounts Receivable
   Significance (A): 2; Likelihood (B): 1; Quadrant (C): IV
   Control activity: Credit sales are approved by the authorization system before they are accepted by the POS system. Store manager reviews and approves up to established dollar threshold. NEW: Vendor credit to be validated by A/R Credit group review of D&B.
   Control reference: SA.14

5. Falsified sales
   Risk area: Sales / Accounts Receivable
   Significance (A): 4; Likelihood (B): 2; Quadrant (C): IV
   Control activity: Cash is deposited daily and cash reconciliations are performed. Store manager audit duties.
   Control reference: SA.03

6. Improper sales cutoff
   Risk area: Sales / Accounts Receivable
   Significance (A): 4; Likelihood (B): 2; Quadrant (C): IV
   Control activity: Sales are posted based on sales date. Returns are posted as of the date received. Discounts and allowances are posted according to the date specified on the credit memo. Merchant and Merchandise Finance review of VATS.
   Control reference: SA.49

7. Cash and check theft
   Risk area: Cash and Cash Equivalents
   Significance (A): 4; Likelihood (B): 5; Quadrant (C): III
   Control activity: Log of checks/cash received is compared to daily deposit. Store manager cash audit. Positive pay controls in Treasury.
   Control reference: CA.20

8. Unauthorized bank accounts in company name
   Risk area: Cash and Cash Equivalents
   Significance (A): 7; Likelihood (B): 2; Quadrant (C): II
   Control activity: Cash is deposited daily and cash reconciliations are performed to verify that all cash, checks and payment transactions received at company locations are accounted for in deposits.
   Control reference: CA.06

9. Sell items (inventory, fixed assets, equipment) for cash without recording the sale
   Risk area: Cash and Cash Equivalents
   Significance (A): 3; Likelihood (B): 5; Quadrant (C): III
   Control activity: Perpetual/physical inventory is reconciled to G/L. POS system. Policy requiring VP to authorize. Customer receipt. Code of Conduct. LP function.
   Control reference: INV.42
10. Theft of treasury payment instructions
    Risk area: Physical / Access Security
    Significance (A): 8; Likelihood (B): 2; Quadrant (C): II
    Control activity: Communication out to the stores and DCs is through our VPN, which uses SSL encryption (same with our connection to GXS and our banking partners). Within the KRC/KTC campus, communication is in the clear unless someone specifically encrypts the message. Our cryptographic keys for KPAS and our credit/debit network are kept under physical lock and key. Keys are never transmitted. In addition, the ACH file that is sent to BoNY or BoA cannot be accessed by anyone once it has been created unless it is an emergency.
    Control reference: IDTS

11. Theft of passwords (company wide)
    Risk area: Physical / Access Security
    Significance (A): 7; Likelihood (B): 2; Quadrant (C): II
    Control activity: All major systems are protected via single-factor authentication (user id and password). Our information security policy states that user ids must resolve to an individual. Access to system resources is restricted using tools that match authorization to user id. Authorization is granted by management to the appropriate resource. There are requirements to regularly change passwords. Passwords are required to be non-trivial.
    Control reference: ITDS

12. Theft of sensitive corporate information
    Risk area: Physical / Access Security
    Significance (A): 6; Likelihood (B): 5; Quadrant (C): I
    Control activity: Code of conduct. Security guards in HQ.
    Control reference: Control Environment documentation

13. Theft of company assets
    Risk area: Physical / Access Security
    Significance (A): 4; Likelihood (B): 5; Quadrant (C): III
    Control activity: Code of conduct; LP at stores. Video surveillance, Sensormatic at exits. Security at HQ and DCs.
    Control reference: Control Environment documentation

14. Hacking
    Risk area: Computer and Communications Security
    Significance (A): 7; Likelihood (B): 2; Quadrant (C): III
    Control activity: Communication out to the stores and DCs is through our VPN, which uses SSL encryption (same with our connection to GXS and our banking partners). Within the KRC/KTC campus, communication is in the clear unless someone specifically encrypts the message. Our cryptographic keys for KPAS and our credit/debit network are kept under physical lock and key. Keys are never transmitted.
    Control reference: IDTS

15. Electronic eavesdropping
    Risk area: Computer and Communications Security
    Significance (A): 2; Likelihood (B): 1; Quadrant (C): IV
    Control activity: Communication out to the stores and DCs is through our VPN, which uses SSL encryption (same with our connection to GXS and our banking partners). Within the KRC/KTC campus, communication is in the clear unless someone specifically encrypts the message. Our cryptographic keys for KPAS and our credit/debit network are kept under physical lock and key. Keys are never transmitted.
    Control reference: IDTS

16. Fictitious employees
    Risk area: Payroll and Benefits
    Significance (A): 4; Likelihood (B): 3; Quadrant (C): IV
    Control activity: PR.05: Costs by department are compared to budget; PR.06: Distribution of hours for each department is reviewed; PR.12: HR authorizes changes in employment status; PR.15: Monthly payroll activity is compared to previous period; PR.29: System will not generate paychecks for terminated employees; PR.87: Periodic access reviews of payroll systems.
    Control reference: PR.05; PR.06; PR.12; PR.15; PR.29; PR.87
17. Falsified wages
    Risk area: Payroll and Benefits
    Significance (A): 4; Likelihood (B): 3; Quadrant (C): IV
    Control activity: PR.33: Time reports are reviewed before payment; PR.30: The application automatically controls the time entry approval process, and payments are only made for approved time; PR.27: System does not allow a time card to be entered twice; PR.87: Periodic access reviews of payroll systems; PR.12: HR authorizes changes in employment status.
    Control reference: PR.33; PR.30; PR.27; PR.87; PR.12

18. Ex-employees not removed from payroll register
    Risk area: Payroll and Benefits
    Significance (A): 4; Likelihood (B): 3; Quadrant (C): IV
    Control activity: HR authorizes changes in employment status; System will not generate paychecks for terminated employees.
    Control reference: PR.12; PR.29

19. Pay medical claims for fictitious employees
    Risk area: Payroll and Benefits
    Significance (A): 2; Likelihood (B): 2; Quadrant (C): IV
    Control activity: KRC generalists reference Compensation Guidelines when preparing compensation summaries for KRC associates eligible for wage changes, ensuring that supervisors approve all changes and that changes requested outside of the guidelines are authorized by an HRD and executive management (if significant). Outside service provider verifies associate eligibility.
    Control reference: PR.24

20. Use confidential employee records to commit fraud (identity theft)
    Risk area: Payroll and Benefits
    Significance (A): 4; Likelihood (B): 3; Quadrant (C): IV
    Control activity: Code of conduct; PR.87: Periodic access reviews of payroll systems.
    Control reference: Control Environment documentation; PR.87

21. Employer misrepresents the amount of payroll or classification of its employees
    Risk area: Payroll and Benefits
    Significance (A): 2; Likelihood (B): 2; Quadrant (C): IV
    Control activity: System assigns coding for all personnel.
    Control reference: PR.45

22. Fraudulent worker's compensation claims: false representation of a material fact to obtain or to deny WC benefits or to avoid responsibility under the law
    Risk area: Payroll and Benefits
    Significance (A): 2; Likelihood (B): 2; Quadrant (C): IV
    Control activity: Code of conduct; PR.87: Periodic access reviews of payroll systems; detective control: workers' comp probably investigates any large claims (we should ask them). Workers' Comp: claims analysis (outside and internal). Medical verification necessary.
    Control reference: Control Environment documentation; PR.87

23. Manipulate financial statements to receive bonus
    Risk area: Accounting / Financial Reporting
    Significance (A): 7; Likelihood (B): 4; Quadrant (C): I
    Control activity: FS.03: Financial statements and trial balance are reviewed; FS.07: Support for nonstandard journal entries is reviewed; FS.08: A journal approval hierarchy is defined in the application to control the journal entry approval process; FS.17: Procedures and controls over classification/presentation/disclosure are documented and followed; FS.36: All changes in accounting methods should be documented, reviewed and approved. Ethics hotline; Audit Committee review of subjective accounting accruals; External audit; Disclosure Controls and Procedures.
    Control reference: FS.03; FS.07; FS.08; FS.17; FS.36

24. Accounting cutoffs manipulated to maximize financial performance
    Risk area: Accounting / Financial Reporting
    Significance (A): 8; Likelihood (B): 3; Quadrant (C): II
    Control activity: Same as #23 above.
    Control reference: FS.03

25. Use insider information to profit in stock market
    Risk area: Accounting / Financial Reporting
    Significance (A): 6; Likelihood (B): 3; Quadrant (C): II
    Control activity: Code of conduct; Trading window closed for employees during specific times. Identification of Section 16 officers and communication/instructions to them.
    Control reference: Control Environment documentation

26. Concealed expenses
    Risk area: Accounting / Financial Reporting and Accounts Payable
    Significance (A): 4; Likelihood (B): 5; Quadrant (C): III
    Control activity: AP.17: Comparison of amounts to budget and prior years; AP.40/AP.05: Accounts payable detail is reconciled to the Purchase Journal and Stock Ledger weekly.
    Control reference: AP.17

27. Improper asset valuations from impairment
    Risk area: Accounting / Financial Reporting
    Significance (A): 8; Likelihood (B): 3; Quadrant (C): II
    Control activity: Annual impairment review. See below (#39).
    Control reference: FA.08
28. Income tax evasion by omission of income
    Risk area: Tax
    Significance (A): 2; Likelihood (B): 2; Quadrant (C): IV
    Control activity: Support for nonstandard journal entries is reviewed. Review of return by outside auditor.
    Control reference: TAX.06

29. Unlawful tax deductions
    Risk area: Tax
    Significance (A): 3; Likelihood (B): 2; Quadrant (C): IV
    Control activity: Support for nonstandard journal entries is reviewed. Multiple levels of review.
    Control reference: TAX.06

30. Charge personal purchases to company through misuse of purchase orders
    Risk area: Purchasing
    Significance (A): 3; Likelihood (B): 3; Quadrant (C): IV
    Control activity: AP.25: Exceptions to 3-way match between PO, invoice and receipt are investigated daily; AP.11: An appropriate segregation of duties exists between individuals involved in vendor maintenance, invoice approval, and cash disbursements (PeopleSoft); AP.28: Invoices are reviewed by an authorized person prior to payment (Post Audit). Competitive bidding requirement for purchases over $25k; PeopleSoft purchasing approval hierarchy.
    Control reference: AP.25, AP.11, AP.28

31. Purchase goods through related-party suppliers at non-competitive prices
    Risk area: Purchasing
    Significance (A): 4; Likelihood (B): 5; Quadrant (C): III
    Control activity: AP.37: POs require dollar amount and coding approvals and are checked for authorization, accuracy, completeness, and reasonableness; AP.45: Significant vendor agreements are reviewed by management; AP.63: Vendor master file is reviewed and maintained, and all purchase orders are checked against it to ensure vendors are valid, purchase limits are not exceeded, whether special terms apply, and the appropriate sales tax rate.
    Control reference: AP.37, AP.45, AP.63

32. Steal inventory and falsify records to cover theft (includes shrink)
    Risk area: Inventory
    Significance (A): 4; Likelihood (B): 5; Quadrant (C): III
    Control activity: INV.66: Sales Journal reconciled to the Stock Ledger monthly; SA.21: Physical inventories are taken and shortages are investigated; SA.12: Store managers review daily sales that also show returns, discounts, and allowances; SA.05: Adjustments to sales (returns, discounts, allowances) must be authorized by an appropriate individual. Outside inventory counting firm (RGIS) used for inventory cycle counts; investigation of variances; corporate reconciliation/recording (Merchandise Acctg).
    Control reference: INV.66; SA.21; SA.12; SA.05

33. Falsify counts so that inventory results are favorable
    Risk area: Inventory
    Significance (A): 4; Likelihood (B): 5; Quadrant (C): III
    Control activity: INV.28: Inventory count crews are supervised; SA.21: Physical inventories are taken and shortages are investigated. Outside inventory counting firm used. Internal audit observation of a sample of cycle counts.
    Control reference: INV.28; SA.21

34. Re-direct returned goods to home location for personal use
    Risk area: Inventory
    Significance (A): 2; Likelihood (B): 3; Quadrant (C): IV
    Control activity: SA.12: Store managers review daily sales that also show returns, discounts, and allowances; SA.05: Adjustments to sales (returns, discounts, allowances) must be authorized by an appropriate individual.
    Control reference: SA.12; SA.05

35. Delete obsolete stock from records
    Risk area: Inventory
    Significance (A): 3; Likelihood (B): 3; Quadrant (C): IV
    Control activity: Calculations and assumptions for excess and obsolete
    Control reference: INV.07
                                                                                                                              inventory are reviewed.
 36    Sell inventory stock for cash and               Inventory                          4                3        IV        CA.14: Customer requests a receipt; CA.41: Bar code scanners     CA.14; CA.41;
       misappropriate the receipts (includes shrink)                                                                          used to automatically record sales and returns; SA.52: Store         SA.52
                                                                                                                              Manager reviews and signs Audit of Cash report. Manager
                                                                                                                              matches supporting documents to report. Conducts interviews
                                                                                                                              as needed. Corrections entered following day, if necessary.
 37    Overstate value of assets to improve balance   Fixed Assets                        4                3       IV         FA.08: Assumptions for impairment estimates are reviewed;      FA.08; FA.09;
       sheet                                                                                                                  FA.09: Assumptions used in depreciation calcs are reviewed;    FA.20; FA.21
                                                                                                                              FA.20: FAS 142 intangible asset impairment analysis is
                                                                                                                              reviewed; FA.21: Financial commitments required to follow
                                                                                                                              Contracts, Purchase Orders and Other Commitments Policy
                                                                                                                              approval.
 38    Modify depreciation expense calculations to    Fixed Assets                        5                3        IV        FA.09: Assumptions used in depreciation calcs are reviewed;    FA.09; FA.05;
       report less expense                                                                                                    FA.05: Acct Mgr reviews property addition classifications      FA.15; FA.25
                                                                                                                              compared to policy; FA.15: Depreciation calculation is
                                                                                                                              compared to budget; FA.25: New assets entered into
                                                                                                                              subledger are reviewed.
 39    Kickbacks on real estate deals                 Real Estate                         5                3        II        Code of conduct; FA.21 Financial commitments required to          Control
                                                                                                                              follow Contracts, Purchase Orders and Other Commitments        Environment
                                                                                                                              Policy approval.                                              documentation;
                                                                                                                                                                                                 FA.21
 40    Expense Report Fraud                                                               1                5        II        Code of conduct; FA.21 Financial commitments required to          Control
                                                                                                                              follow Contracts, Purchase Orders and Other Commitments        Environment
                                                                                                                              Policy approval. Require manager approval. All expenses       documentation;
                                                                                                                              reviewed for compliance by A/P team.                               FA.21





 KEY

 (A) Significance is the impact the risk (event, action or inaction) would have on the organization or process if it occurred, ranked from 1 to 10,
 with 1 being the lowest significance.

 (B) Likelihood is the probability that the risk (event, action or inaction) would occur, assuming there are no controls in place to mitigate the risk,
 ranked from 1 to 5, with 1 being the lowest likelihood. The ranking is based on inherent risk as well as known past irregularities at Kmart.

 (C) Quadrants:

 I - High priority risks
 II - Significant risks but less likely to occur
 III - Risks are likely to occur but less significant if they do
 IV - Low priority risks
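The key above defines the two scores and the four quadrants qualitatively but does not state the cut points that separate "high" from "low" on either axis. The script below is an added example, not part of the original assessment: it assumes cut points (significance 6 or above, likelihood 4 or above, inferred from where the codes sit on the plotted map, not stated anywhere in the document), assigns each row from the register on this page to a quadrant, and flags rows whose recorded quadrant disagrees with the computed one. The `Risk`, `quadrant`, `inconsistencies` and `prioritize` names are the example's own.

```python
"""Quadrant consistency check for a significance/likelihood risk map.

Added example; not part of the original fraud risk assessment.
The cut points below are an assumption inferred from the plotted map:
the key itself only says I = high significance and high likelihood,
II = high significance but less likely, III = likely but less
significant, IV = low on both.
"""
from dataclasses import dataclass

SIGNIFICANCE_HIGH = 6  # assumption; key gives the scale as 1..10
LIKELIHOOD_HIGH = 4    # assumption; key gives the scale as 1..5

# Priority order of the quadrants as listed in the key.
QUADRANT_RANK = {"I": 0, "II": 1, "III": 2, "IV": 3}


@dataclass(frozen=True)
class Risk:
    code: int
    description: str
    significance: int       # (A) 1..10
    likelihood: int         # (B) 1..5, inherent, no controls assumed
    recorded_quadrant: str  # (C) as entered in the register


def quadrant(significance: int, likelihood: int) -> str:
    """Map (A, B) to a quadrant using the assumed cut points."""
    if not 1 <= significance <= 10 or not 1 <= likelihood <= 5:
        raise ValueError("score out of range")
    high_sig = significance >= SIGNIFICANCE_HIGH
    high_lik = likelihood >= LIKELIHOOD_HIGH
    if high_sig and high_lik:
        return "I"
    if high_sig:
        return "II"
    if high_lik:
        return "III"
    return "IV"


def inconsistencies(risks):
    """Return (code, recorded, computed) for every row whose recorded
    quadrant differs from the one the scores imply."""
    found = []
    for r in risks:
        computed = quadrant(r.significance, r.likelihood)
        if computed != r.recorded_quadrant:
            found.append((r.code, r.recorded_quadrant, computed))
    return found


def prioritize(risks):
    """Order rows by recorded quadrant (I first), then by the product of
    the two scores, then by code, for a review worklist."""
    return sorted(
        risks,
        key=lambda r: (QUADRANT_RANK[r.recorded_quadrant],
                       -(r.significance * r.likelihood),
                       r.code),
    )


# Rows 32 to 40 as they appear in the register on this page.
REGISTER = [
    Risk(32, "Steal inventory and falsify records", 4, 5, "III"),
    Risk(33, "Falsify counts so results are favorable", 4, 5, "III"),
    Risk(34, "Re-direct returned goods for personal use", 2, 3, "IV"),
    Risk(35, "Delete obsolete stock from records", 3, 3, "IV"),
    Risk(36, "Sell stock for cash, misappropriate receipts", 4, 3, "IV"),
    Risk(37, "Overstate value of assets", 4, 3, "IV"),
    Risk(38, "Modify depreciation calculations", 5, 3, "IV"),
    Risk(39, "Kickbacks on real estate deals", 5, 3, "II"),
    Risk(40, "Expense report fraud", 1, 5, "II"),
]

if __name__ == "__main__":
    for code, recorded, computed in inconsistencies(REGISTER):
        print(f"risk {code}: recorded quadrant {recorded}, "
              f"scores imply {computed}")
    print("review order:", [r.code for r in prioritize(REGISTER)])
```

Run against these rows, the check flags risk 39 (scored 5/3 like risk 38, which is recorded as IV) and risk 40 (significance 1, likelihood 5, which the key's wording places in III). Whether those rows are data-entry errors or deliberate overrides is a question for the assessment owner; the point of the check is that a register whose quadrant column is typed by hand rather than derived from the scores needs this kind of reconciliation before the map is used to set priorities.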




 [FRAUD RISK ASSESSMENT risk map chart: each risk code from the register is plotted with Likelihood of Risks (ticks 1 to 5) on the
 horizontal axis and Significance of Risks (ticks 1 to 9) on the vertical axis; quadrant II is the upper left, I the upper right,
 IV the lower left and III the lower right. One plotted label renders as #REF! in the source spreadsheet.]

				
DOCUMENT INFO
Description: Memo for Home Based Employees document sample