Fraud Maturity Model: Advancing The Anti-fraud Management Program

Transcription

Fraud maturity model: advancing the anti-fraud management program
25th Annual ACFE Global Fraud Conference
17 June 2014
Presenter: Beth Junell, beth.junell@ey.com

Discussion topics
- Role of corporate ethics and integrity
- Creating a culture of compliance
- Advancing maturity of the anti-fraud management program
- Question and answer session
Page 1 Fraud maturity model: advancing the anti-fraud management program

Role of corporate ethics and integrity
Compliance and integrity management are used to augment a sustainable ethical culture in the organization. Compliance programs should be built on the company's core values.
Critical success factors:
- Business integrity
- Leadership
- Culture

Creating a culture of compliance: why it is so important in managing fraud
People make decisions daily that impact the company's ethics and compliance posture. "Just follow the rules"? A company's reputation can still be harmed by conduct that is legal, but may not be seen as ethical. Let's talk about the gray areas.

Unethical behaviour persists
EY's 13th Global Fraud Survey, Figures 1, 5 and 10
Q. Which, if any, of the following do you feel can be justified if they help a business survive an economic downturn?
[Chart: % agree by respondent group; values per row as extracted, respondent-group columns not labelled]
- Offering entertainment to win/retain business: 33, 30, 28, 29
- Personal gifts to win/retain business: 45, 11, 17, 14
- Cash payments to win/retain business: 0, 17, 16, 13
- Misstating company's financial performance: 2, 3, 4, 8, 6
- At least one of these can be justified: 35, 38, 45, 42; US: 30% agree
Base: US 2014 (50); North America 2014 (100); developed markets 2014 (1103); emerging markets 2014 (1616); all respondents 2014 (2719). "Don't know" and "none of the above" have been omitted to allow better comparison between responses given.

Creating a culture of compliance: ethical decision-making model
- Move toward ethical decision making
- Focus employees on the culture of making ethical decisions tied to the company's values
- Encourage employees to "do the right thing"
An ethical decision-making model can guide employees when the "right" course of conduct may not be clear:
- Is the action at issue in line with corporate values?
- Is the action consistent with company policy?
- Is the action legal?
- Would I want everyone to know I took the action?
- Would I be embarrassed if my family or friends knew?

Role of corporate compliance program: underpin business success
Effective compliance programs allow companies to create a culture of compliance and help employees to do the right thing. The ultimate outcome of an effective compliance program is a reputation for underpinning business success.

Enron Code of Ethics (excerpted)
Respect: We treat others as we would like to be treated ourselves. Ruthlessness, callousness and arrogance don't belong here.
Integrity: We work with customers and prospects openly, honestly and sincerely. When we say we will do something, we will do it.
Excellence: We are satisfied with nothing less than the very best. We will continue to raise the bar for everyone.

Business integrity & corporate compliance (BI&CC) framework
Integrity and compliance strategy:
- Tone at the top
- Company mission and values
- Culture
- Effective and aligned compliance activities
- Board oversight / management sponsorship
Integrity & compliance organization:
- Compliance risk assessment and continuous monitoring systems
- Speaking up and confidential reporting
- Code of conduct
- Policies, procedures, processes and controls
- Education and advice
- Third-party diligence (third parties and new ventures)
- Monitoring, reviews and auditing
- Incident and case management
- Investigation
- Corrective action
- Integrated risk and compliance functions
- Discipline
- Incentives
- Data analytics
- Remediation
Operational excellence:
- Internal and external communication / program reporting
- Requirement management and implementing processes
- Program evaluation and compliance sustainability
The framework spans strategy & support functions and operations & business units, and rests on engaged and accountable employees.

Corporate compliance life cycle
[Diagram only on the original slide]

Comparison of guidance
Components of COSO Integrated Control compared against SEC FCPA guidance, UK Bribery Act adequate procedures and OECD Good Practice Guidance:
- Control environment
- Risk assessment
- Control activities
- Information and communication
- Monitoring

Updated COSO framework
Principles-based approach: the principles are the fundamental concepts associated with the components of internal control. It is generally expected that all principles will, to some extent, be present and functioning for an organization to have effective internal control. When a principle is not being met, some form of internal control deficiency exists.
Principles in the framework:
1. Control environment
   1. Demonstrates commitment to integrity and ethical values
   2. Board of Directors demonstrates independence from management and exercises oversight responsibility
   3. Management, with Board oversight, establishes structure, authority and responsibility
   4. The organization demonstrates commitment to competence
   5. The organization establishes and enforces accountability
2. Risk assessment
   6. Specifies relevant objectives with sufficient clarity to enable identification of risks
   7. Identifies and assesses risk
   8. Considers the potential for fraud in assessing risk
   9. Identifies and assesses significant change that could impact system of internal control
3. Control activities
   10. Selects and develops control activities
   11. Selects and develops general controls over technology
   12. Deploys through policies and procedures
4. Information and communication
   13. Obtains or generates relevant, quality information
   14. Communicates internally
   15. Communicates externally
5. Monitoring
   16. Selects, develops and performs ongoing and separate evaluations
   17. Evaluates and communicates deficiencies

Anti-fraud management program (focusing on culture and controls to reduce risk)

Mature anti-fraud management programs build off of the BI&CC framework
- Address all core program elements
- Start with governance and tone at the top regarding the company's tolerance of fraud
- Address education of employees about fraud
- Provide reporting options and encourage reporting
- Provide non-retaliation policy
- Map fraud risks to controls
- Address control weaknesses and program gaps

Fraud risk management maturity model
Maturity continuum across the anti-fraud program components:
- Board oversight/management sponsorship
- Code of conduct
- Fraud prevention policies
- Fraud awareness training
- Fraud risk assessment
- Anti-fraud controls activities and monitoring
- Incident response
Forms of program ownership shown on the model: functional silo, hybrid, risk focus, enterprise wide, geography.

ACFE 2014 Report to the Nations: frequency of anti-fraud controls
- Presence of anti-fraud controls correlates with reduced fraud losses and shorter fraud duration
- 18 anti-fraud controls in the survey; most are present in the BI&CC framework
- All percentages are higher in organizations with 100 employees
Controls and the share of victim organizations that had them in place:
- Code of conduct: 77.4%
- Internal audit (IA) department: 70.6%
- Management review: 62.6%
- Independent audit committee: 62.0%
- Hotline: 54.1%
- Employee support programs: 52.4%
- Fraud training (management and employees separate in survey): 47.8%
- Anti-fraud policy: 45.4%
- Dedicated fraud department, function or team: 38.6%
- Proactive data monitoring/analysis: 34.8%
- Formal fraud risk assessment: 33.5%
- Surprise audits: 33.2%
- Job rotation/mandatory vacation: 19.9%
- Rewards for whistleblowers: 10.5%

Maturity continuum defined
Maturity levels:
- Basic: almost nothing exists for the element
- Evolving: some parts of this element exist; application on different levels is inconsistent
- Established: element is defined; consistently applied on some but not all levels
- Advanced: element is defined with more detail and applied consistently on most levels
- Leading practice: element is defined in detail and consistently applied on all levels involved
Anti-fraud program elements rated against the continuum:
- Board oversight/management responsibility
- Code of conduct
- Fraud prevention policies
- Fraud awareness training and communication
- Fraud risk assessment
- Controls activities and monitoring
- Incident management and response

Board oversight/management responsibility
Basic: minimal briefings to board; management delegates compliance and integrity leadership to a functional leader; no formal structures or processes.
Leading practice: compliance and integrity are embedded in the board's comprehensive risk management, governance and management review processes; management ensures an effective compliance program at all levels.

Responsibility for compliance lies throughout the organization
- Board: corporate governance and audit committee; risk committee
- Compliance risk management functions (an integrated and effective compliance infrastructure): chief compliance/ethics officer; general counsel; internal audit department
- Strategy and support functions and operations and business units (execution embedded into the business): legal; corporate social responsibility; HR; tax; operations; research; finance; IT; sales; marketing; supply chain*
- Individual employees
* Includes extended enterprise compliance through contractors and suppliers

Forms of ownership of an anti-fraud program
Enterprise-wide approach:
- Oversight from anti-fraud committee at executive management or board level
- Execution by: finance; task force; compliance; program management office (PMO); global security; corporate compliance department
- Used by diversified life insurance company and an engineering, procurement and construction company
Functional-specific (silo) approach:
- Ownership of fraud risk is at functional level
- Example silos: geographically based; business unit, division or segment based
- Most common approach
- Diversified industrial products company
Hybrid approach:
- Corporate-level oversight, e.g., chief compliance officer
- Execution by PMOs within each major business unit or division (i.e., distinct silos)
- Apparel retail company
Risk-focused approach:
- Ownership of fraud risk is by risk category
- Oversight by chief financial officer
- Execution by senior business leaders assigned to major risk category
- Example categories and program owner: financial reporting, CFO; FCPA, compliance officer; loss prevention, security; antitrust, legal
- Owners report separately to board-level committee
- Used by international heavy-machinery manufacturer

Managing fraud within the organization: anti-fraud program roles and responsibilities
Board of Directors:
- Sets the proper tone
- Ensures management designs effective fraud risk management policies
- Establishes mechanisms to ensure it receives accurate and timely information
- Monitors the effectiveness of the anti-fraud program
Audit Committee:
- Composed of independent board members
- Active role in the risk assessment process
- Fraud risks monitored via internal auditing
- Direct reporting channel for external audit
Internal Audit:
- Ensures fraud prevention and detection controls are sufficient for identified risks
- May be responsible for investigating suspected instances of fraud
- Company charter should dictate Internal Audit's role with respect to anti-fraud development
Management:
- Is responsible for design, implementation and day-to-day execution of the anti-fraud program
- Setting the proper tone: reinforces setting the proper tone at the top; helps to create a culture of zero fraud tolerance
(The original diagram arranges these roles along a reactive-to-proactive axis.)

Code of conduct (tone at the top) regarding fraud
Basic: code only addresses subjects required by corporate governance rules in legalistic terms and one language; no/minimal management communication.
Leading practice: code is recognized as a mutual commitment among the organization's stakeholders to the organization's values, standards of behavior and culture; effectiveness is measured.

Code of conduct regarding fraud: leading practices
- Recognized as a mutual commitment among the organization's stakeholders
- Periodically refreshed to reflect the organization's risks
- Specifically addresses fraud
- Translated into local languages
- Senior management makes periodic communications
- Effectiveness is measured and reported
- Actively encourages employees to "speak up"

ACFE 2014 Report to the Nations on "speaking up"
Tips are consistently and by far the most common detection method. In the 2014 report, 42.2% of cases showed a tip as the most common method of initial detection of occupational fraud. Management review is second at 16%.
Organizations with hotlines:
- Were much more likely to catch fraud by a tip
- Detected the fraud 50% quicker
- Experienced frauds that were 41% less costly

Policies, procedures, processes and controls for fraud prevention and detection
Basic: entity-level compliance policies for certain risks addressed in the code of conduct with limited procedural guidance for business-unit adaptation.
Leading practice: periodic assessment of policies and procedures; periodic assessment of the effectiveness of the process and control environment in the organization's operations and integrated into "life cycle" management.

Anti-fraud policies and procedures: leading practices
- Guidance for identified fraud areas/risks, expanding on the Fraud Tree as applicable to the organization: financial statement misstatement; asset misappropriation; corruption and bribery
- Related policies and procedures, for example: hiring ethical employees; hiring and managing ethical third parties
- Corresponding entity-level and business-unit controls
- Communicated to employees and third parties
- Periodic assessment for effectiveness; integrated into "life cycle" management

Fraud awareness training and communication
Basic: informal on-the-job training with no clear links to specific fraud risks/controls; limited to no ongoing communication regarding fraud risks/issues.
Leading practice: fraud awareness courses are delivered through a learning management system that sets curricula for job requirements of new and experienced personnel, assesses audience engagement, tests comprehension and tracks completion; compliance and integrity advisors build open relationships with the business.

Fraud awareness training and communication: leading practices
- Given to employees and third parties periodically
- Considers new hire, re-assignment and promotion needs
- Clear guidance on: prevention; red flags; reporting suspicious activity; disciplinary actions
- Updated to address emerging fraud risks, issues and trends based on "life cycle" management process
- Incorporates realistic and relevant scenarios: media reports; actual events within the organization (sanitized)

Fraud risk assessment
Basic: no comprehensive fraud risk assessment process.
Leading practice: fraud risk assessment process and risk mitigation plans are utilized to drive resource allocation and program activities; risk monitoring provides leadership with early warning insights for improved strategic and operational decision making and management of enterprise risks.

Fraud risk assessment. Leading practice: repeatable process
1. Plan: confirm goals and schedule
   - Assemble the proper team, considering key stakeholders, technical expertise and industry knowledge
   - Understand and refine the fraud risk universe
   - Communicate the goals of the assessment to the organization
2. Assess: assess current state of fraud risks
   - Conduct interviews; lead facilitated sessions; distribute questionnaires and surveys
   - Identify fraud risks present in the organization
   - Assess the potential impact of risks to the organization
   - Determine level of risk and assign priority ratings to risks identified
3. Respond: identify gaps, strengths and recommendations
   - Map identified risks to internal controls
   - Assess effectiveness of the controls; compare to leading practices; perform sample testing
   - Determine and document management's response to residual risk: avoid, transfer, mitigate, assume
   - Determine plan for continuous monitoring of identified risks
4. Report: findings and recommendations
Continuous coordination between management and assessment team throughout.

Fraud risk assessment. Leading practice: consider fraud risk factors
Fraud risk universe specific to the organization:
- Fraud Tree: financial and non-financial reporting; safeguarding cash, inventory and other assets; corruption, bribery and conflicts of interest
- Fraud Triangle: pressures; opportunities; rationalizations
- Other: management bias; technology and management's ability to manipulate data; government and regulatory enforcement actions

Fraud risk assessment. Leading practice: fraud risk ranking
[Diagram only on the original slide]

Ongoing anti-fraud controls activities and monitoring
Basic: no mapping of specific control activities to fraud risks exists, and there are no monitoring activities.
Leading practice: controls are rationalized against risks to identify most efficient design; monitoring provides leadership with early warning insights for improved strategic and operational decision making and management of enterprise risks.

Anti-fraud controls activities and monitoring: leading practices
- Core work processes defined
- Fraud risk assessment mapped to anti-fraud controls identified within core work processes
- Business engages in continuous monitoring of key anti-fraud controls and "red flags" are identified
- Business conducts regular reviews of compliance with anti-fraud policies, procedures and controls
- Anti-fraud management program audited periodically
- Monitoring and auditing reports used to improve the anti-fraud management program
- Monitoring and audit utilize forensic data analytics

Forensic data analytics maturity model
Beyond traditional "rules-based queries": consider all four quadrants.
- Structured data, traditional: "traditional" rule-based, descriptive queries and analytics (matching, grouping, ordering, joining, filtering)
- Structured data, advanced: statistical analysis (anomaly detection, clustering, risk ranking, predictive modeling)
- Unstructured data, traditional: keyword search (traditional keyword searching)
- Unstructured data, advanced: data visualization and text mining (data visualization, drill down into data, text mining)
Axes of the model: detection rate, low to high; false-positive rate, high to low. The advanced quadrants sit at the high-detection, low-false-positive end.
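As an added example (not part of the presentation), the constructed vendor ledger below runs the two structured-data quadrants side by side: a "traditional" rule-based filter for payments kept just under an approval limit, and a statistical risk ranking (per-vendor z-score anomaly detection), each scored on the model's detection-rate and false-positive-rate axes. The entries, the 10,000 approval limit and the fraud labels are all assumed.

```python
"""Two structured-data quadrants of the forensic analytics model, scored on
detection rate and false-positive rate over a constructed vendor ledger."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample ledger: (entry id, vendor, amount, labelled as fraud).
# Amounts and labels are assumed for illustration only.
LEDGER = [
    ("J1", "ACME", 1200.0, False),
    ("J2", "ACME", 1350.0, False),
    ("J3", "ACME", 1180.0, False),
    ("J4", "ACME", 9950.0, True),   # split payment kept just under the limit
    ("J5", "ACME", 1290.0, False),
    ("J6", "BOLT", 4000.0, False),
    ("J7", "BOLT", 4100.0, False),
    ("J8", "BOLT", 3950.0, False),
    ("J9", "BOLT", 9800.0, False),  # legitimate large order near the limit
    ("J10", "BOLT", 4050.0, False),
    ("J11", "CORE", 250.0, False),
    ("J12", "CORE", 7200.0, True),  # inflated invoice, well below the limit
    ("J13", "CORE", 260.0, False),
    ("J14", "CORE", 240.0, False),
]
APPROVAL_LIMIT = 10000.0  # assumed approval threshold from policy


def rule_based_flags(ledger, limit=APPROVAL_LIMIT, band=0.05):
    """Traditional descriptive query (filtering): amounts in the band just
    below the approval limit, a classic structuring red flag."""
    return {eid for eid, _, amt, _ in ledger if limit * (1 - band) <= amt < limit}


def risk_rank(ledger):
    """Statistical quadrant: z-score of each amount against its own vendor's
    history. Returns (entry id, score) pairs, most anomalous first."""
    by_vendor = defaultdict(list)
    for _, vendor, amt, _ in ledger:
        by_vendor[vendor].append(amt)
    stats = {v: (mean(a), pstdev(a)) for v, a in by_vendor.items()}
    scored = []
    for eid, vendor, amt, _ in ledger:
        mu, sigma = stats[vendor]
        z = 0.0 if sigma == 0 else (amt - mu) / sigma
        scored.append((eid, round(z, 2)))
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


def anomaly_flags(ledger, z_threshold=1.5):
    """Entries whose vendor-relative z-score crosses the review threshold."""
    return {eid for eid, z in risk_rank(ledger) if z >= z_threshold}


def evaluate(ledger, flagged):
    """Detection rate (share of labelled fraud caught) and false-positive
    rate (share of clean entries flagged): the two axes of the model."""
    fraud = {eid for eid, _, _, bad in ledger if bad}
    clean = {eid for eid, _, _, bad in ledger if not bad}
    return (round(len(flagged & fraud) / len(fraud), 2),
            round(len(flagged & clean) / len(clean), 2))


if __name__ == "__main__":
    for name, flags in (("rule-based", rule_based_flags(LEDGER)),
                        ("anomaly", anomaly_flags(LEDGER))):
        det, fpr = evaluate(LEDGER, flags)
        print(f"{name}: flagged={sorted(flags)} detection={det} false_pos={fpr}")
```

The rule catches only the near-limit payment and also flags the legitimate large order, while the vendor-relative ranking additionally surfaces the inflated invoice the threshold rule cannot see, at the same false-positive rate.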

Confidential reporting and incident response
Basic: process for intake and tracking of issues or allegations, and incident response plan, does not exist; or if it exists, corporate culture does not support openly asking questions about integrity and compliance concerns, including fraud.
Leading practice: "speak up" culture where employees have confidence in the process; systems provide robust data for updates to management and the board, with proactive use of information tied into program improvements and early warning and escalation.

Confidential reporting and incident response: leading practices
- Employees encouraged to report/speak up
- Multiple localized reporting mechanisms available to employees globally
- Anonymous reporting mechanism provides for continued communication with a reporter
- Anonymity of employees respected
- Non-retaliation policy enforced at all levels
- Centralized aggregation of reporting
- Triage plan
- Incident and case management system used to track completion of each phase of case resolution, corrective action and remediation processes

Summary: advancing maturity of the anti-fraud management program
- Anti-fraud management program, as a part of the compliance program, should be built on the company's core values
- Move toward leading practices, as appropriate for the organization
- Inclusion of fraud, specifically, in all program elements
- Critical success factors: business integrity, leadership and corporate culture; accountability, oversight and governance; monitoring and continuous improvement
- Anti-fraud management program has a perpetual life cycle

Question and answer session

EY | Assurance | Tax | Transactions | Advisory
About EY
EY is a global leader in assurance, tax, transaction and advisory services. The insights and quality services we deliver help build trust and confidence in the capital markets and in economies the world over. We develop outstanding leaders who team to deliver on our promises to all of our stakeholders. In so doing, we play a critical role in building a better working world for our people, for our clients and for our communities.
EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information about our organization, please visit ey.com.
Ernst & Young LLP is a client-serving member firm of Ernst & Young Global Limited operating in the US.
2014 Ernst & Young LLP. All Rights Reserved.
1405-1251556
ED None
This material has been prepared for general informational purposes only and is not intended to be relied upon as accounting, tax, or other professional advice. Please refer to your advisors for specific advice.
ey.com