There is new guidance just released on fraud risk management for COSO principle 8 and the full COSO framework.
[Excerpt from the ACFE Forum]
We are excited to announce the publication of the new Fraud Risk Management Guide, a resource jointly sponsored by COSO and the ACFE. This guide is an update to the previously released ACFE/IIA/AICPA publication, Managing the Business Risk of Fraud, and is designed to build on both COSO principle 8 and the full COSO Internal Control–Integrated Framework as a foundation for a comprehensive fraud risk management program.
The Executive Summary of the guide is attached to this post. We’ve also created a website (ACFE.com/fraudrisktools) that provides interactive tools and other resources to assist in implementing the practices put forth in the guide. We hope you find this new guide a valuable resource in assessing and improving your organizations’ fraud risk management programs.
Andi McNeal CFE, CPA
Director of Research
Association of Certified Fraud Examiners
Blockchain Technology for Compliance and Managing Risk (Part 2)
Join us on this episode of FraudCast as we discuss blockchain technology for compliance and managing risk with Ian Worrall, CEO of Encrypted Labs. We answer questions such as: How did you get started? How do you address people being skeptical about robots? Regulatory concerns? Private and/or government? And much more.
YouTube link: https://youtu.be/Uw4gsd4z-pQ
Blockchain Technology for Compliance and Managing Risk
Join us on this episode of FraudCast as we discuss blockchain technology for compliance and managing risk with Ian Worrall, CEO of Encrypted Labs. We answer questions such as: What is Blockchain Technology? How can it be used to reduce systemic Fraud? What is the competitive advantage of BigchainDB? And much more.
YouTube link: https://youtu.be/8m9RblWfORM
PDF (92 pages)
DOWNLOAD the Report to the Nations on Occupational Fraud and Abuse: 2016 Global Fraud Study by the Association of Certified Fraud Examiners (ACFE).
The other day I was at a client site assisting them with building their global antifraud program. While there, I realized they did not have a process for back-up related to employees who travelled. They had a robust system-level process for backing up desktops and laptops while they were actively connected to their network. However, there was no process in place (manual or otherwise) to back up the data on employees’ laptops when they were travelling and thus not connected to the organization’s network. Many of the thousands of people who travelled would be in the field (yes, sometimes an actual field near a tiny village in the jungle) for weeks at a time without a viable way to back up their data.
From a risk perspective, this concerned me, especially when those people who travelled were part of the C-Suite or upper management. What would happen if their laptop was damaged in transit? What if their data was stolen? The risk seemed to grow as more and more scenarios were considered. Cost appeared to be the driving force behind not implementing a back-up plan for key people who travelled. However, when I recommended they consider a cloud solution, they pushed back with concerns of security and other questions that kept them from going in that direction. It made me realize they did not fully understand what “The Cloud” was and even their Chief Technology Officer at the global level decided a hardware solution would be better.
Unfortunately, they bought external hard drives for only the people that asked for them and instructed the employees to back up at will. First of all, if the laptop and the only back-up, in the form of an external drive, are in the same travel bag and it gets stolen – the data is still gone. Keeping both of the only two copies of the data in the same place does not mitigate the risk of theft. It only prevents a loss of data should the laptop files get corrupted in transit. Second, there was no discussion about encrypting the data on the hard drive and it was not mandated at the headquarters level by policy, so the copy was practically gift wrapped for any potential fraudster. Third, if you leave it up to people to back up their data on their own schedule, it rarely gets backed up at all. The best way to mitigate that risk is to automate the process. That was not done with the external drive solution. Fourth, a cloud solution could have provided a commensurate level of security had it been implemented and set up properly. Fifth, there could have been a cloud solution that cost less than the combination of hardware cost and increased risk of loss of data, not to mention the potential regulatory issues that come with a loss of sensitive data.
While I believe any executive makes decisions based on various inputs, I do hope they make informed decisions with all of the relevant information so they can make them in the best interest of the company. This experience highlighted to me that although “The Cloud” has been around for a while, many people still do not adequately understand what it is or how best to use it in their organization. Since the topic is beyond my skill set, I reached out to a subject matter expert and asked him to explain in layman’s terms what the cloud is and how a company can make it work for them.
Grab some popcorn, sit back and I hope you find the conversation as interesting and useful as I did.
Your company can benefit from the new technology advances in cell phone forensics. Watch this short video for just a few of the ways cell phone forensics can help you with your fraud management program.
For more information, request a consultation.
The following are companion documents and images for the book entitled Mortgage Fraud and the Illegal Property Flipping Scheme: A Case Study of United States v. Quintero-Lopez.
Mortgage fraud has been described as “a form of bank robbery where the bank is not even aware it has been robbed until months or years later.” Within the United States, an estimated $14 billion (0.66% of all loans) in fraudulent loans were originated in 2009 alone. In United States v. Quintero-Lopez, 15 defendants were indicted on 70 counts in the Southern District of Florida for a mortgage fraud scheme involving 16 fraudulent loans totaling $6 million in disbursements. This case study examines over 3 ½ years of activity, incorporates a detailed risk assessment and highlights best practices for prevention, detection, and investigation. The methodology of the scheme is detailed in a process flowchart, link analysis, and timeline of events.
ORDER the Paperback Book
For a detailed process flowchart of the fraud scheme specific to United States v. Quintero-Lopez (2007):
DOWNLOAD Process Flowchart (PDF): 206 KB
Using Analyst’s Notebook software, the following was created for United States v. Quintero-Lopez (2007):
DOWNLOAD Link analysis (PNG image): 2.63 MB
Many years ago, I was in a meeting that had a surprising outcome. The effect has stayed with me all these years. In my company at the time, we had the luxury of attending one of the first meetings held in our brand new office building. It was beautiful. The design took full advantage of natural lighting, open spaces, and everyone loved the neutral color scheme. You could still smell the wet paint in the air as we found our way to our seats.
On this particular day, the CEO was leading a discussion and we were thrilled just to have the privilege of hearing him speak. He was a kind man who made everyone he spoke to feel special; like they were the only one in the room. He had a way of making you feel at ease in his presence. He treated everyone with immense respect regardless of their title or position on the org chart. He asked questions that conveyed his sincere interest in your life and then consistently remembered the details even years later. When he spoke, you could tell that he had put much thought into what he said. You always knew you would learn a valuable life lesson and that you would walk away from the experience a better person as a result.