Transcript Slide 1

“Good” Fraud Management:
Applying Corporate Governance to
Increase Revenue, Cut Costs and
Safeguard Assets & Brand Value
Jonny Frank
Fraud Risks & Controls
March 2010
(Preliminary Draft)
“Good Fraud” vs. “Bad Fraud”
Revenue
Leakage
Misappropriation
of Assets
Expenditure
Leakage
Financial
Reporting &
Disclosure
Manipulation
Unauthorized
Receivables /
Acquisition of
Assets
Unauthorized
Expenses /
Disposal of
Assets
Good Fraud = Leakage related activities,
that when prevented or
detected early, leads to
improved financial results.
Bad Fraud = Liability related activities,
that if not prevented, leads
to government sanctions,
and damage to brand value
and reputation of individual
members of the Board and
senior management.
2
So How Are Organizations Maximizing Opportunities &
Mitigating Risk?
1. Assess how organization manages fraud risk
2. Conduct “scheme and scenario” fraud, corruption and abuse
assessment
3. Address high impact common and industry specific fraud,
corruption and misconduct risks
–
–
–
–
Schemes
Presumptive controls
Indicators
Audit procedures
3
Fraud Management Framework
Control environment
Fraud event identification and risk assessment
•
•
•
•
Identity entity
level scheme
& scenario risks
Board oversight
Codes of ethics/conduct
Anonymous reporting
Other entity level activities
Incident response & remediation
Continuous
reassessment
People
Process
Technology
•
•
•
•
Investigate
Perform root cause analysis
Search for other misconduct
Enhance controls
Assess
likelihood
& impact
Monitoring activities
• Monitor fraud risk
factors & indicators
• Audit for ‘Red flags’
Conduct self-assessment
at function & local business
unit levels
Develop a
risk response
Entity and business process level control activities
Develop new/
enhance
existing controls
Validate
operating
effectiveness
Evaluate
controls
design
Build three lines of defense – business, finance and internal audit/compliance
Identify significant risks, evaluate vulnerability to collusion, monitor/audit for red flags
Disaggregate schemes into key risk indicators, develop data analytics, maximize
available technology
4
Antifraud Programs & Controls Criteria*
(SEC, DOJ, PCAOB, USSG, COSO et. al.)
• Control Environment
–
–
–
–
–
–
–
–
–
–
–
High integrity culture
Board oversight
High level overall responsibility
Day-to-day responsibility
Front line personnel
Internal audit function
Knowledge management
Code of conduct
Anonymous reporting
Hiring and promotion
Third party relationships
• Fraud Risk Assessment (FRA)
– Systematic process
– Management participation
– Legal, financial reporting and
operations risks
• FRA Cont’d
– Management override
– Tailored to local units &
functions
• Control Activities
– Linkage to assessment
– Vulnerability to circumvention
• Detection and Monitoring
– Risk factors and indicators
– Data analytics and other
technology
– Contemporaneous monitoring
– After the fact reviews
• Incident Response and
Remediation
– Investigative process
– Remediation
*Bolded Italics denotes common deficiency.
5
“Scheme and Scenario” Fraud Risk Assessment
Step 1: Identify
High Impact
Scenarios
• Create a "Straw" List of Inherent
Schemes and Scenarios
Step 3: Create
Early Warning
Detection
Procedures*
Step 2: Evaluate
Existing
Response
• Identify existing prevention and
detection processes and controls
• Fraud factors – Changes of
circumstance that gives rise to risk
• Inventories of common and sector
specific scenarios
• Attack processes and controls from
perpetrator’s perspective
• Fraud indicators - Red flags and
other key risk indicators
• Industry research
• Consider susceptibility of controls to
circumvention, management override,
or collusion
• Procedures
• Risks identified in the documentation
and testing of internal control over
financial reporting
• Operational and other risks identified
by risk officers, compliance, internal
audit and external audit
• Consider impact of “intangible
controls”
• Field and desk top research
• Interviews and focus groups
• Analytics
• Transaction testing
• Results of internal and other
investigations
• Narrow “Straw” to Capture High
Impact Risks
• Assess likelihood and significance
• Consider quantitative and qualitative
impact as well as direct and indirect
consequences
• Establish thresholds to measure
impact on reputation, operations,
legal vulnerabilities and strategic
objectives
• Tailor and vet with business unit and
functions
6
10 Suggested Action Steps
1. Host a “perfect crime” dinner or play “angels v. demons” with the C-suite
and/or finance team.
2. Self-assess your antifraud program.
3. Conduct a “leakage audit” to identify opportunities to maximize revenue,
cut costs and safeguard assets - - particularly if your company engages
in business in emerging markets.
4. Equip front line personnel with knowledge and skills to function as an
effective “first” line of defense.
5. Conduct a scenario analysis to identify high impact legal/reputation risks
6. Link and evaluate adequacy of transaction level controls.
7. Identify and monitor key fraud risk factors and indicators.
8. Maximize internal and 3rd party information systems and technology
9. Develop an incident response and remediation process before a crisis
occurs
10. Pray that LeBron James joins the Knicks or Nets to bring winning
basketball back to NYC
Facilitator Contact & Biographical Information
Jonny J. Frank
[email protected]
1.646.471.8590
Jonny Frank has over 30 years public and private sector experience and over 20 years university teaching experience in preventing,
detecting and investigating business irregularities. He is an award winning author of over 30 articles and book chapters, including the
IIA's Thurston Award for outstanding scholarship. Jonny earned his LLM from Yale Law School in 1983 and his JD from Boston College
Law School in 1980, where he ranked no.1 in a class of 250 and graduated summa cum laude.
Executive Assistant United States Attorney, Eastern District of New York
Jonny began his professional career as a Federal prosecutor in the early 1980s in the U.S. Department of Justice, where he served for
12 years. His prosecutorial career included investigating and prosecuting over 1,000 economic crimes cases involving Fortune 500
companies across every business sector. In the mid-1990s, the Justice Department appointed Jonny to serve as Special Counsel to the
New York City Mayoral Commission on Police Corruption. He also led trips to train former Soviet bloc prosecutors and judges on the
investigation of economic crime.
Co-founder, PwC Investigations
PwC recruited Jonny to join the firm as a partner in 1997 to help develop and lead the firm's investigations practice. Leveraging this
public sector experience, Jonny developed a global practice, focusing on investigation and remediation of fraud and corruption. Jonny
led over 1000 engagements during his five years as practice leader.
Founder, PwC Fraud Risks & Controls (FR&C)
Following Enron, PwC appointed Jonny to build and lead a practice devoted to prevention, detection, and remediation. The practice has
professionals in Africa, Canada, Central, Eastern & Western Europe, India, South America, and the United Kingdom.
In 2003, Jonny pioneered PwC's "scheme and scenario" fraud risk assessment framework, which the SEC, AICPA, IIA, and COSO
have embraced. FR&C have embedded this framework at numerous internal audit departments and finance functions, in addition to
using it on over 1500 PwC audits.
Jonny also developed a fraud auditing training methodology, comprised of classroom and on-the-job coaching. PwC applied this
methodology to train over 350 experienced audit managers to serve as fraud specialists on their engagements.
Yale School of Management, Fordham University, Brooklyn Law School
Simultaneous to his DOJ and PwC career, Jonny has taught for over 20 years at the professional school level. He serves as an Adjunct
Professor of Law at Fordham University Law School (1988 – present) (ranked no. 3 nationally in evening law programs) and previously
taught at Yale School of Management (Senior Faculty Fellow 2003 – 2006) and Brooklyn Law School (1089 – 2004).
pwc.com
The information contained in this document is for general guidance on matters of interest only. The application and impact of laws can vary widely based on
the specific facts involved. Given the changing nature of laws, rules and regulations, there may be omissions or inaccuracies in information contained in this
document. This document is provided with the understanding that the authors and publishers are not herein engaged in rendering legal, accounting, tax, or
other professional advice and services. It should not be used as a substitute for consultation with professional accounting, tax, legal or other competent
advisers. Before making any decision or taking any action, you should consult a PricewaterhouseCoopers professional.
While we have made every attempt to ensure that the information contained in this document has been obtained from reliable sources,
PricewaterhouseCoopers is not responsible for any errors or omissions, or for the results obtained from the use of this information. All information in this
document is provided "as is", with no guarantee of completeness, accuracy, timeliness or of the results obtained from the use of this information, and without
warranty of any kind, express or implied, including, but not limited to warranties of performance, merchantability and fitness for a particular purpose. In no
event will PricewaterhouseCoopers, its related partnerships or corporations, or the partners, agents or employees thereof be liable to you or anyone else for
any decision made or action taken in reliance on the information in this document or for any consequential, special or similar damages, even if advised of the
possibility of such damages.
© 2009 PricewaterhouseCoopers LLP. All rights reserved. "PricewaterhouseCoopers" refers to
PricewaterhouseCoopers LLP or, as the context requires, the PricewaterhouseCoopers global network or other
member firms of the network, each of which is a separate and independent legal entity. *connectedthinking is
trademark of PricewaterhouseCoopers LLP (US).
PwC
Appendix
10
“Good Fraud” vs. “Bad Fraud”
Revenue
Leakage
Misappropriation
of Assets
Expenditure
Leakage
Financial
Reporting &
Disclosure
Manipulation
Unauthorized
Receivables /
Acquisition of
Assets
Unauthorized
Expenses /
Disposal of
Assets
Good Fraud = Leakage related activities,
that when prevented or
detected early, leads to
improved financial results.
Bad Fraud = Liability related activities,
that if not prevented, leads
to government sanctions,
and damage to brand value
and reputation of individual
members of the Board and
senior management.
11
Identifying High Impact Risks: Expenditure Leakage
Illustrations:
Revenue
Leakage
Misappropriation
of Assets
Expenditure
Leakage
Financial
Reporting &
Disclosure
Manipulation
Unauthorized
Receivables /
Acquisition of
Assets
Unauthorized
Expenses /
Disposal of
Assets
• Orders from fictitious vendor
• Kickbacks in return for allowing supplier
to inflate price
• Advertiser charges for advertising not
delivered
• Vendors/contractors charge for work not
performed
•
“Double dips” on p-card and credit card
• Salesperson obtains reimbursement for
fictitious travel expenses
12
Identifying High Impact Risks: Unauthorized Expenses
Illustrations:
Revenue
Leakage
Financial
Reporting &
Disclosure
Manipulation
• Payments to public officials for permits
and licensing
• Payments to facilitate sales
• Payments to avoid sanctions
Misappropriation
of Assets
Unauthorized
Receivables /
Acquisition of
Assets
• Leakage of private information, e.g.,
patient information, credit cards, etc..
• Environmental violations
Expenditure
Leakage
Unauthorized
Expenses /
Disposal of
Assets
13
Identifying High Impact Risks: Asset Misappropriation
Illustrations
Revenue
Leakage
Misappropriation
of Assets
Expenditure
Leakage
Financial
Reporting &
Disclosure
Manipulation
Unauthorized
Receivables /
Acquisition of
Assets
Unauthorized
Expenses /
Disposal of
Assets
• Employee steals liquid assets,
•
Salesperson steals customer list for use
at a competitor
•
Event planner receives 15%
“commission” on rooms
•
HR employees puts shadow employee
on payroll
14
Identifying High Impact Risks: Unauthorized Receipts
Revenue
Leakage
Financial
Reporting &
Disclosure
Manipulation
Illustrations:
• Overbilling customers
Unauthorized
Receivables /
Acquisition of
Assets
Misappropriation
of Assets
Expenditure
Leakage
• Antitrust and restraint of trade
• Improperly obtaining rebates
• False marketing statements
Unauthorized
Expenses /
Disposal of
Assets
15
Identifying High Impact Risks: Revenue Leakage
Illustrations:
Revenue
Leakage
Misappropriation
of Assets
Expenditure
Leakage
Financial
Reporting &
Disclosure
Manipulation
Unauthorized
Receivables /
Acquisition of
Assets
Unauthorized
Expenses /
Disposal of
Assets
•
Salesperson discounts price in return
for kickback
•
Business leader runs parallel business
•
Salesperson violates non-compete
clause after leaving company
•
Salesperson enters side agreement
with customer unable to make payment,
ultimately resulting in write off receivable
and/or debt
16
Identifying High Impact Risks: Reporting & Disclosure
Revenue
Leakage
Misappropriation
of Assets
Financial
Reporting &
Disclosure
Manipulation
Illustrations:
• Improper revenue recognition
• Manipulation of significant management
estimates
Unauthorized
Receivables /
Acquisition of
Assets
• Inconsistent or improper accounting of
intercompany transactions to improve
operating performance of business
units.
• False statements in MD&A
Expenditure
Leakage
Unauthorized
Expenses /
Disposal of
Assets
• Deceptive marketing
17