There is new guidance just released on fraud risk management for COSO principle 8 and the full COSO framework.
[Excerpt from the ACFE Forum]
We are excited to announce the publication of the new Fraud Risk Management Guide, a resource jointly sponsored by COSO and the ACFE. This guide is an update to the previously released ACFE/IIA/AICPA publication, Managing the Business Risk of Fraud, and is designed to build on both COSO principle 8 and the full COSO Internal Control–Integrated Framework as a foundation for a comprehensive fraud risk management program.
The Executive Summary of the guide is attached to this post. We’ve also created a website (ACFE.com/fraudrisktools) that provides interactive tools and other resources to assist in implementing the practices put forth in the guide. We hope you find this new guide a valuable resource in assessing and improving your organizations’ fraud risk management programs.
Andi McNeal CFE, CPA
Director of Research
Association of Certified Fraud Examiners
FCPA Compliance & Translation Considerations
Join us on this episode of FraudCast as we discuss this with Jay Rosen, VP of Legal & Corporate Language Solutions at Merrill Brink International, a United Language Group company. We answer questions such as: Where do translation services fit into the non-English language investigation protocol? How do most organizations attempt to deal with non-English language data? How should a global organization with potential risk exposure go about finding and vetting a qualified Language Solutions Provider (LSP)? And much more.
YouTube link: https://youtu.be/-HsfrDixGZ8
Blockchain Technology for Compliance and Managing Risk (Part 2)
Join us on this episode of FraudCast as we discuss blockchain technology for compliance and managing risk with Ian Worrall, CEO of Encrypted Labs. We answer questions such as: How did you get started? How do you address people being skeptical about robots? Regulatory concerns? Private and/or government? And much more.
YouTube link: https://youtu.be/Uw4gsd4z-pQ
Are you at risk for AUTO FRAUD?
Join us on this episode of FraudCast as we discuss fraud in the automotive industry with Todd Wolf, Vehicle Theft Investigator of the California Highway Patrol. We answer questions such as: Why is auto fraud an issue? Who are the victims in auto fraud scams? What are some of the red flags for auto fraud? How can you protect yourself from auto fraud? And much more.
Blockchain Technology for Compliance and Managing Risk
Join us on this episode of FraudCast as we discuss blockchain technology for compliance and managing risk with Ian Worrall, CEO of Encrypted Labs. We answer questions such as: What is Blockchain Technology? How can it be used to reduce systemic Fraud? What is the competitive advantage of BigchainDB? And much more.
YouTube link: https://youtu.be/8m9RblWfORM
Specializing in antifraud for
INSIDER THREAT & FRAUD MANAGEMENT.
The first step in effective fraud management is the Fraud Risk Assessment. It provides much more than the inputs required for a risk-based annual audit plan. The results of the evaluation start the process of determining risk appetite, tolerance levels (+/- %), and key risk indicators (KRIs), identifying anomalies, and developing predefined management actions and a communication strategy in response to exception reporting.
Benefits of the fraud risk assessment include:
- Visibility into the organization’s fraud risk;
- Understanding of the risks by department and scheme;
- Prioritization of antifraud efforts and effective allocation of resources by focusing on the risks with the greatest impact and likelihood first;
- Quantification of impact and likelihood for COSO Enterprise Risk Management (ERM);
- Benchmark for Key Risk Indicators (KRIs); and
- Specific product recommendations for Information Security (InfoSec) authentication risks to mitigate the occurrence & impact of cyber-attacks.
Our proprietary risk assessment consists of two main parts:
- We ask a myriad of questions through a questionnaire and those answers become the inputs for our statistical model. The resulting report is an approximately 45-page detailed statistical fraud risk report; and
- An in-person evaluation that consists of interviews, walk-throughs, document review, and observation. The resulting report will highlight the primary fraud risks and provide recommendations specific to your organization.
Organizations with a fully implemented antifraud program can begin to shift from a purely reactionary response to a proactive model where prevention is the focus. We can address any of the following areas to help you get to the next level.
Request a Consultation today.
What is the ROI for compliance and fraud prevention programs?
Join us on this episode of FraudCast as we discuss compliance and fraud prevention programs with Susan Walberg, Vice President & National Director of Compliance at Kohler Healthcare Inc. We answer questions such as: Why is the ROI for compliance and fraud prevention programs even a discussion? What keeps people from building a program? What are the costs and benefits? How can you keep the budget realistic given all of the risks? And much more.
YouTube link: https://youtu.be/Q6V-WMvzaKc
PDF (92 pages)
DOWNLOAD the Report to the Nations on Occupational Fraud and Abuse: 2016 Global Fraud Study by the Association of Certified Fraud Examiners (ACFE).
Check out these fraudulent insurance claims…
Infographic courtesy of Damien Gallagher of Top Quote in Ireland.
The other day I was at a client site assisting them with building their global antifraud program. While there, I realized they did not have a back-up process for employees who travelled. They had a robust system-level process for backing up desktops and laptops while they were actively connected to their network. However, there was no process in place (manual or otherwise) to back up the data on employees’ laptops when they were travelling and thus not connected to the organization’s network. Many of the thousands of people who travelled would be in the field (yes, sometimes an actual field near a tiny village in the jungle) for weeks at a time without a viable way to back up their data.
From a risk perspective, this concerned me, especially when those people who travelled were part of the C-Suite or upper management. What would happen if their laptop was damaged in transit? What if their data was stolen? The risk seemed to grow as more and more scenarios were considered. Cost appeared to be the driving force behind not implementing a back-up plan for key people who travelled. However, when I recommended they consider a cloud solution, they pushed back with concerns about security and other questions that kept them from going in that direction. It made me realize they did not fully understand what “The Cloud” was, and even their Chief Technology Officer at the global level decided a hardware solution would be better.
Unfortunately, they bought external hard drives for only the people that asked for them and instructed the employees to back up at will. First of all, if the laptop and the only back-up, in the form of an external drive, are in the same travel bag and it gets stolen, the data is still gone. Keeping both of the only two copies of the data in the same place does not mitigate the risk of theft. It only prevents a loss of data should the laptop files get corrupted in transit. Second, there was no discussion about encrypting the data on the hard drive and it was not mandated at the headquarters level by policy, so the copy was practically gift wrapped for any potential fraudster. Third, if you leave it up to people to back up their data on their own schedule, it rarely gets backed up at all. The best way to mitigate that risk is to automate the process. That was not done with the external drive solution. Fourth, a cloud solution could have provided a commensurate level of security had it been implemented and set up properly. Fifth, there could have been a cloud solution that cost less than the combination of hardware cost and increased risk of loss of data, not to mention the potential regulatory issues that come with a loss of sensitive data.
While I believe any executive makes decisions based on various inputs, I do hope they make informed decisions with all of the relevant information so they can make them in the best interest of the company. This experience highlighted to me that although “The Cloud” has been around for a while, many people still do not adequately understand what it is or how best to use it in their organization. Since the topic is beyond my skill set, I reached out to a subject matter expert and asked him to explain in layman’s terms what the cloud is and how a company can make it work for them.
Grab some popcorn, sit back and I hope you find the conversation as interesting and useful as I did.