Business Practices for Fraud Risk Management
Jeffrey S. Zanzig, Jacksonville State University
and
Dale L. Flesher, The University of Mississippi
Presentation Topics
I. Background Information
II. Risk Assessment and
Common Control Activities
III. Fraud Case Management
IV. Controlling Employee Fraud
V. Closing the Gaps
I. Background Information
A. Motivation of Research
B. Development of Survey
Topics and Ratings
C. Gender of
Respondents
D. Organization Types
Represented
A. Motivation of Research
Deficiencies in the fraud risk practices of organizations
should be clearly identified in order to show where
emphasis for improvement is needed.
B. Development of Survey Topics and
Ratings
Gaps
C. Gender of Respondents
Female 59%, Male 39%, No Response 2%
D. Organization Types Represented
[Bar chart: number of respondents by organization type (Industry, Education, Financial, Other); bar values shown: 33, 18, 19, 6]
II. Risk Assessment and Common
Control Activities
Risk Assessment and Controls
1. An organizational process is in place to
perform a cost-benefit analysis of implementing
controls for significant fraud exposures.
Organizations are unlikely to invest in controls unless they
feel like they are getting something for their investment.
         1 Strongly Disagree   2 Disagree   3 Uncertain   4 Agree   5 Strongly Agree   Mean
Current  5.3%                  30.3%        18.3%         39.5%     6.6%               3.12
Desired  --                    3.9%         1.4%          57.9%     36.8%              4.28
Risk Assessment and Controls
2. Organizational policies for fraud detection
include technology controls that perform
continuous operations auditing by identifying
unusual situations in large populations of
transactions.
Fraud detection can be difficult when occurrences are
isolated and cleverly hidden.
         1 Strongly Disagree   2 Disagree   3 Uncertain   4 Agree   5 Strongly Agree   Mean
Current  6.6%                  11.8%        13.2%         50.0%     18.4%              3.62
Desired  --                    --           2.6%          38.2%     59.2%              4.57
Risk Assessment and Controls
3. An organizational process is in place to
identify and assess the potential significance of
fraud-related risks.
An effective system of risk assessment is needed to
establish proper control procedures.
         1 Strongly Disagree   2 Disagree   3 Uncertain   4 Agree   5 Strongly Agree   Mean
Current  2.6%                  5.3%         13.1%         48.7%     30.3%              3.99
Desired  --                    --           2.6%          21.1%     76.3%              4.74
Risk Assessment and Controls
4. Organizational policies for fraud detection include
organizational process controls such as periodic
reconciliation of assets with records and physical
asset inspections that are regularly performed.
Verification of records against assets is a long-accepted
practice in audit.
         1 Strongly Disagree   2 Disagree   3 Uncertain   4 Agree   5 Strongly Agree   Mean
Current  1.3%                  3.9%         6.6%          42.1%     46.1%              4.28
Desired  --                    --           1.3%          34.2%     64.5%              4.63
III. Fraud Case Management
Fraud Case Management
1. The organization maintains a fraud investigation
program that logs all allegations of fraud into a case
management system.
An integrated and standardized case management system
assists in proper evaluation and follow-up.
         1 Strongly Disagree   2 Disagree   3 Uncertain   4 Agree   5 Strongly Agree   Mean
Current  3.9%                  13.2%        11.8%         38.2%     32.9%              3.83
Desired  --                    --           3.9%          38.2%     57.9%              4.54
Fraud Case Management
2. The organization maintains a fraud investigation
program that includes personnel with appropriate
authority and training to evaluate allegations of fraud
and determine appropriate courses of actions.
Personnel with appropriate authority and talent are necessary
to ensure that fraud issues are appropriately handled.
         1 Strongly Disagree   2 Disagree   3 Uncertain   4 Agree   5 Strongly Agree   Mean
Current  1.3%                  10.5%        6.6%          46.1%     35.5%              4.04
Desired  --                    --           --            38.2%     61.8%              4.62*
Fraud Case Management
3. The organization maintains a fraud investigation
program that ensures that any material findings
are reported to appropriate parties such as a
company board of directors or audit committee.
Ensuring high enough level personnel can help ensure that
there is appropriate discipline and changes in company policy.
         1 Strongly Disagree   2 Disagree   3 Uncertain   4 Agree   5 Strongly Agree   Mean
Current  1.3%                  3.9%         14.5%         38.2%     42.1%              4.16
Desired  --                    --           --            31.6%     68.4%              4.68*
Fraud Case Management
4. Organizational policies for fraud detection include
providing a process for the submission of anonymous
tips regarding the occurrence of fraud.
Preserving the anonymity of reporting parties can make people
more willing to report fraud issues.
         1 Strongly Disagree   2 Disagree   3 Uncertain   4 Agree   5 Strongly Agree   Mean
Current  2.6%                  1.3%         5.4%          36.8%     53.9%              4.38
Desired  --                    --           --            30.3%     69.7%              4.70
IV. Controlling
Employee Fraud
Controlling Employee Fraud
1. Employees normally understand how their job
procedures are designed to manage fraud risks.
Control procedures over fraud could be
circumvented when situational
pressures tempt employees to bypass
normal procedures due to time
constraints.
         1 Strongly Disagree   2 Disagree   3 Uncertain   4 Agree   5 Strongly Agree   Mean
Current  1.3%                  28.9%        18.5%         48.7%     2.6%               3.22
Desired  --                    2.6%         1.4%          42.1%     53.9%              4.47*
* Distributions are significantly different.
Controlling Employee Fraud
2. Employee policies include a requirement that all
employees receive initial and ongoing education in
the organization’s fraud risk management program.
Organizations sometimes feel a conflict between trust and
working against fraud.
         1 Strongly Disagree   2 Disagree   3 Uncertain   4 Agree   5 Strongly Agree   Mean
Current  5.3%                  27.6%        21.0%         25.0%     21.1%              3.29
Desired  --                    2.6%         3.9%          50.0%     43.5%              4.34*
* Distributions are significantly different.
Controlling Employee Fraud
3. Employees normally have a basic
understanding of indicators of fraud.
Despite the level of integrity of individual employees, a
failure to recognize certain indicators of fraud could result
in many situations going undetected.
         1 Strongly Disagree   2 Disagree   3 Uncertain   4 Agree   5 Strongly Agree   Mean
Current  --                    22.4%        9.2%          56.6%     11.8%              3.58
Desired  --                    2.6%         2.6%          25.0%     69.8%              4.62*
* Distributions are significantly different.
Controlling Employee Fraud
4. Employee policies include compensation and
promotion practices that emphasize long-run
performance on a variety of measures, rather than
short-run performance using financial results.
People often put more emphasis on what is measured as
opposed to what is said to be important.
         1 Strongly Disagree   2 Disagree   3 Uncertain   4 Agree   5 Strongly Agree   Mean
Current  2.6%                  13.2%        21.0%         50.0%     13.2%              3.58
Desired  --                    --           5.3%          43.4%     51.3%              4.46*
* Distributions are significantly different.
Controlling Employee Fraud
5. Employees normally know how to report
suspicions or incidences of fraud.
Fraud awareness may do little if employees are unaware
of how to report fraud.
         1 Strongly Disagree   2 Disagree   3 Uncertain   4 Agree   5 Strongly Agree   Mean
Current  --                    10.5%        9.2%          46.1%     34.2%              4.04
Desired  1.3%                  1.3%         1.3%          15.8%     80.3%              4.72*
* Distributions are significantly different.
Controlling Employee Fraud
6. Employee policies include verification of the
work history and education of job applicants.
Verification can provide evidence of both the personal
integrity and competence of potential employees.
         1 Strongly Disagree   2 Disagree   3 Uncertain   4 Agree   5 Strongly Agree   Mean
Current  1.3%                  --           15.8%         36.8%     46.1%              4.26
Desired  --                    --           2.6%          32.9%     64.5%              4.62
V. Closing the Gaps
A. Risk Assessment and
Controls
B. Fraud Case
Management
C. Controlling Employee
Fraud
A. Risk Assessment and Controls
Concept Number   Concept                                                  Desired Mean   Current Mean   Mean Gap
1                Cost-benefit analysis of implementing controls           4.28           3.12           1.16 *
2                Technology controls for continuous operations auditing   4.57           3.62           0.97 *
3                Fraud identification and risk assessment                 4.74           3.99           0.75 *
4                Periodic reconciliation of assets with records           4.63           4.28           0.35
* Distributions are significantly different between current and desired situations.
1. Cost Benefit Analysis
Consider both a quantitative and
qualitative analysis.
Management could quantify known
benefits and compute a net present value.
The needed soft benefits could then be
estimated (see illustration below).
Illustration
Assume that management is considering implementing a control procedure over
the next five years and has computed a negative net present value (NPV) of
$10,701.20. They could estimate the needed soft benefits as follows:
$10,701.20 negative NPV / 3.6959 (PVIFA 11%, 5 years) = $2,895.42 needed annual soft benefits
2. Implementing Technology Controls
Computer-based controls are such
that they can be made a part of
routine processing and be applied
to all transactions relevant to the
processing being conducted:
Payroll to terminated employees -
termination date is less than the date of
the current payroll period.
Fictitious vendors - match between the
phone numbers and/or addresses of
employees and vendors.
“Fraud Prevention and Detection in an Automated World” published
by the IIA in December 2009.
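The two tests listed above, written out as an added example (not code from the presentation or from the IIA guide). The record layouts, field names and sample data are constructed, and the phone and address normalization is an assumption about how a "match" is made robust to formatting differences.

```python
import re
from datetime import date

# Constructed sample records (assumed field names; not from the survey or the IIA guide).
EMPLOYEES = [
    {"id": "E1", "phone": "(256) 555-0101", "address": "12 Oak Street, Apt 4",
     "terminated": None},
    {"id": "E2", "phone": "256.555.0102", "address": "90 Pine Ave.",
     "terminated": date(2024, 3, 15)},
]
VENDORS = [
    {"id": "V1", "phone": "+1 256-555-0199", "address": "12 OAK ST APT 4"},
    {"id": "V2", "phone": "1-256-555-0102", "address": "700 Harbor Road"},
    {"id": "V3", "phone": "", "address": "5 Mill Lane"},
]
PAYMENTS = [  # one payroll run, pay period dated 2024-04-01
    {"employee": "E1", "period": date(2024, 4, 1), "amount": 2100.00},
    {"employee": "E2", "period": date(2024, 4, 1), "amount": 1850.00},
]
ABBREV = {"street": "st", "avenue": "ave", "road": "rd", "lane": "ln", "apartment": "apt"}

def norm_phone(raw):
    """Digits only, last 10, so formatting and country code do not hide a match."""
    return re.sub(r"\D", "", raw)[-10:]

def norm_address(raw):
    """Lowercase, drop punctuation, fold common street-type words."""
    words = re.sub(r"[^a-z0-9 ]", " ", raw.lower()).split()
    return " ".join(ABBREV.get(w, w) for w in words)

def payroll_after_termination(employees, payments):
    """Payments where the termination date is earlier than the pay period date."""
    term = {e["id"]: e["terminated"] for e in employees}
    return [p for p in payments
            if term.get(p["employee"]) and term[p["employee"]] < p["period"]]

def vendor_employee_matches(employees, vendors):
    """(vendor id, employee id, field) for each shared phone number or address."""
    hits = []
    for v in vendors:
        for e in employees:
            for field, norm in (("phone", norm_phone), ("address", norm_address)):
                key = norm(v[field])
                if key and key == norm(e[field]):  # blank values never match
                    hits.append((v["id"], e["id"], field))
    return hits

if __name__ == "__main__":
    print(payroll_after_termination(EMPLOYEES, PAYMENTS))
    print(vendor_employee_matches(EMPLOYEES, VENDORS))
```

Each hit is a lead for review rather than proof of fraud: a vendor can legitimately share an address with an employee, so flagged pairs go to an investigator with the matched field attached.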
B. Fraud Case Management
Concept Number   Concept                                                  Desired Mean   Current Mean   Mean Gap
1                Case logging into management system                      4.54           3.83           0.71 *
2                Investigation personnel with authority and training      4.62           4.04           0.58 *
3                Reporting material findings to appropriate parties       4.68           4.16           0.52 *
4                Submission of anonymous tips                             4.70           4.38           0.32
* Distributions are significantly different between current and desired situations.
1. Logging Into a Case Management System
“Our organization is
very decentralized
which makes it
difficult to ensure
that all frauds are
investigated.”
Integrated Storage
Appropriate persons need to have access to consistent records of case
information and evidence.
Standardized Processing
Standardization to some extent is also necessary to ensure that important
company policies and laws are adhered to regarding case processing.
C. Controlling Employee Fraud
Concept Number   Concept                                                  Desired Mean   Current Mean   Mean Gap
1                Understand how job procedures manage fraud               4.47           3.22           1.25 *
2                Ongoing education in fraud risk management               4.34           3.29           1.05 *
3                Understanding of fraud indicators                        4.62           3.58           1.04 *
4                Long-run compensation and promotion practices            4.46           3.58           0.88 *
5                Understand how to report fraud                           4.72           4.04           0.68 *
6                Verification of job applicant information                4.62           4.26           0.36
* Distributions are significantly different between current and desired situations.
1-3. Fraud Understanding and Education
“I believe that education
of employees is key in
providing an effective
fraud program.
Additionally,
management needs
to stand behind the
program and
demonstrate support
through talking about
the program and
holding people
responsible.”
1-3. Fraud Understanding and Education (Continued)
One internal audit director holds classes dealing with the prevention and
detection of fraud and ends the sessions with an unusual twist that the
director calls “Rip Off the Organization”. During this exercise the
professionals are asked to think like crooks and consider how they could
defraud their company either internally or from the outside.
Banks, D.G. (2004). The Fight Against
Fraud. Internal Auditor, April, pp. 34-39.
4. Compensation and Promotion
Practices
Although equity-based compensation increases the
productive effort of management, it also has the
undesirable result of making fraud more attractive
to managers.
Bruner, D., McKee M. and Santore R. (2008). Hand in the Cookie Jar: An
Experimental Investigation of Equity-Based Compensation and
Managerial Fraud. Southern Economic Journal, 75(1), pp. 261-278.
4. Compensation and Promotion Practices (Continued)
People care more about how their performance is measured than what someone
says is important!
The concept of a balanced scorecard considers both past financial results and
forward-looking areas such as process improvements and organizational
learning.
We wish to express our sincere appreciation to the
Birmingham Chapter of the Institute of Internal
Auditors and their membership whose
contributions made this research possible.