Risk Management and Fraud
Everhard Carstens

Risk Management – Role of Internal Audit

Definition of Internal Audit:

Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.

Internal Audit

The Institute of Internal Auditors (IIA) UK and Ireland issued a position paper on “The Role of Internal Audit in Enterprise-wide Risk Management” in Sept 2004. This statement defines core audit roles, legitimate roles as well as roles that should NOT be undertaken by internal audit. The latter includes:
• Setting the risk appetite.
• Imposing risk management processes.
• Management assurance on risks.
• Taking decisions on risk responses.
• Implementing risk responses on management's behalf.

Internal Audit Role

Five core internal audit roles:

1. Giving assurance that the processes used by management to identify all significant risks are effective.
2. Giving assurance that risks are correctly assessed (scored) by management, in order to prioritise them.
3. Evaluating risk management processes, to ensure the response to any risk is appropriate and conforms to the organisation’s policies.
4. Evaluating the reporting of key risks, by managers to directors.
5. Reviewing the management of key risks by managers to ensure controls have been put into operation and are being monitored.

Auditing Risk Management

Assessing Adequacy of RM process

Types of Audit Procedures
• Research and review reference materials and background information on risk management methodologies – Best Practice.
• Review developments, trends and industry information related to the business conducted by the organization.
• Review the adequacy and timeliness of reporting on risk management results.
• Ensure qualifications of risk management personnel are adequate.

Auditing Risk Management

Types of Audit Procedures
• Review corporate policies, board, and audit committee minutes to determine the organization’s
  • business strategies,
  • risk management philosophy,
  • risk management methodology,
  • appetite for risk, and
  • acceptance of risks.

Auditing Risk Management

Types of Audit Procedures
• Determine whether operational personnel understand and formally accept residual risk subsequent to each assessment, i.e. proof of acceptance and sign-off.
• Review previous risk evaluation reports by management and other assurance services.
• Assimilate information to independently evaluate the effectiveness of risk mitigation, monitoring, and communication of risks and associated control activities.

Auditing Risk Management

Types of Audit Procedures
• Assess the appropriateness of reporting lines for risk monitoring activities.
• Review the completeness of management’s risk analysis and the actions taken to remedy issues raised by risk management processes, and suggest improvements.
• Ensure risk assessment documentation complies with the adopted risk management methodology and that documentation is appropriately prepared and maintained.

Auditing Risk Management

Such documentation could include:
• Details on the process adopted and reference to the methodology adopted.
• Description of significant risks linked to individual business objectives.
• Risk scoring criteria and overall prioritization results.
• Heat maps graphically depicting high, moderate and low threats.
• Risk action plans.

Auditing Risk Management

Types of Audit Procedures
• Determine the effectiveness of management’s self-assessment processes through
  • observations,
  • direct tests of control and monitoring procedures, and
  • testing the accuracy of information used in monitoring activities.

DISCUSSION TOPICS
• Background
• What is a Red Flag?
• Why are Red Flags important?
• General Red Flags
• Structural red flags
• Management red flags
• Personnel red flags
• Operational red flags
• Accounting system red flags
• Financial performance red flags
• Professional service red flags
• Red flags in organisational processes

Background
• 69% of South African respondents indicated that they had experienced economic crime, which is nine percentage points higher than in 2011.
• There has been an alarming shift in the perpetrator profile in South Africa. Senior management is now the main perpetrator of economic crimes committed by insiders.
• Bribery and corruption has been the fastest growing economic crime category in South Africa since 2011.
• Formal fraud risk management programmes have become the most effective fraud detection method. Despite this, a significant portion of South African organisations do not carry out fraud risk assessments.
Source: PwC Global Economic Crime Survey

What is a Red Flag?

A red flag is an event or set of circumstances that ought to alert an entity to the presence of risk. Within the organisation, individuals need to be alert to red flags: what to look out for, how to respond, and how to follow up. By responding appropriately to red flags, fraud can be detected sooner and, in some cases, prevented altogether.

Fraud indicators are only symptoms or characteristics of possible fraud. An indicator may be caused by the fraudulent act itself or may result from an attempt to hide the fraudulent scheme. In addition, the auditor must consider the total picture when deciding whether to refer a suspected irregularity.

IPPF

1210 – Proficiency
Internal auditors must possess the knowledge, skills, and other competencies needed to perform their individual responsibilities. The internal audit activity collectively must possess or obtain the knowledge, skills, and other competencies needed to perform its responsibilities.

• 1210.A2 – Internal auditors must have sufficient knowledge to evaluate the risk of fraud and the manner in which it is managed by the organization, but are not expected to have the expertise of a person whose primary responsibility is detecting and investigating fraud.

Your Role

Effective fraud awareness is anchored in understanding and remaining alert for the red flags and warning signs of fraud.

Why are Red Flags Important?

Internal frauds are a big issue for organisations and are usually triggered by one of four situations:
• Opportunistic crime – employees commit fraud for their own benefit.
• Lack of a corporate ethic – low-level fraud may appear to be condoned by both employer and employee.
• The recruited criminal – some individuals seek employment with the deliberate intention of defrauding their employer.
• Employee intimidation – organised crime groups are increasingly involved in the intimidation of staff to directly participate in frauds.
Reference: An introduction to fraud indicators.pdf

Umbrella Themes

BEHAVIOURAL
• Employees who consistently work longer hours than their colleagues for no apparent reason.
• Employees who are reluctant to take holidays and/or time off.
• Employees who are excessively secretive in relation to their work.
• Employees known by others to be under duress for personal reasons.
• Employees with a sudden change of lifestyle and/or social circle.
• Employees under apparent stress without identifiable pressure.
• Employees who are aggressive or defensive when challenged and/or controlling of certain colleagues.
• Employees who are subject to complaints and/or tend to break the rules.
• Employees who delay providing information or who provide different answers to different people.
• Employees who ask to defer internal audits or inspections to ‘properly prepare’.
• Employees with new and unusual relationships with other individuals or departments within the organisation.
• Employees who request significant detail about proposed internal audit scopes or inspections.
• Excessively high or low staff turnover and/or new employees resigning quickly.

Umbrella Themes

FINANCIAL
• Cash-only transactions.
• Poorly reconciled cash expenses or customer accounts.
• Rising costs with no explanation or that are not commensurate with an increase in revenue.
• Large volume of refunds to customers.
• Unusually large inventories.
• Unusual transactions or inter-account transfers (even for small amounts).
• Remuneration disproportionately linked to activities such as sales.
• Employees known by others to be under external financial pressure.
• Employees who appear to make a greater than normal number of mistakes, especially where these lead to financial loss through cash or account transactions.
• Employees with unexplained sources of wealth.
• Employees with competing or undeclared external business interests.
• Employees who submit inconsistent and/or unreasonable expense claims.
• Employees at the highest level of performance (e.g. sales) where there might be a concern that they are achieving this through suspect activity.

Umbrella Themes

PROCEDURAL
• Employees making procedural or computer-system enquiries inconsistent with or not related to their normal duties.
• New employees with knowledge of industry procedures but no such experience disclosed on their CV.
• Prospective employees who are reluctant to provide full background information or who provide inaccurate or inconsistent information.
• Key managers with too much hands-on control.
• Insufficient oversight/audit applied.
• An unusual number of customer complaints.
• Customers or suppliers insisting on dealing with just one individual.
• Managers who avoid using the purchasing department.
• Tendering to one supplier only or to the same suppliers.
• Lack of transparency.
• Poor engagement with corporate governance philosophy.
• Too much delegation by senior managers without proper review procedures.

Specific Red Flags
• PROCUREMENT AND CONTRACTING
• ADMINISTRATION
• PERSONNEL
• CASHIER OPERATIONS
• CONSULAR OPERATIONS
Reference: Detail Fraud Indicators.docx

Developing the Fraud Checklist
• Understand the ‘red flags’. Consider how they may apply to your organisation. Be vigilant.
• Use ‘red flags’ in conjunction with broader risk management.
• Take account of changes in business activities and/or control procedures that may open up new potential fraud risks.
• Involve staff in identifying and discussing fraud risks and how to prevent fraud from occurring within your organisation.
• Educate all staff and raise awareness of fraud indicators.
• Implement systems and processes to detect the early warning signs of fraud.
• Establish a credible mechanism for staff to report suspicions of fraud. Encourage an open culture where the reporting of genuine suspicions is acceptable.
• Be alert to possible collusion between staff and third parties.
• Ensure regular monitoring of compliance with fraud prevention and detection policies, processes and controls.
• Have a fraud response plan which outlines the policies and procedures to follow in the event of a fraud being discovered or suspected. This should clearly define roles and responsibilities.

DO NOT!
• Ignore ‘red flags’. Certain industries and/or activities are exposed to specific fraud risks. Ensure that any risks specific to the business are adequately addressed.
• Act too swiftly. They are only indicators of potential fraudulent activity – not proof.
• Overlook petty or frivolous reporting by employees.

Who is the Typical Fraudster?
• 348 fraud investigations
• 69 countries
• Male
• 36 – 45 years old
• Commits fraud against his own employer
• Works in the finance function or a finance-related role
• Holds a senior management position
• Employed by the organisation for more than 10 years
• Works in collusion with another perpetrator

The Fraudster

Profile of a Fraudster
Reference: profile-of-a-fraudster.pptx

Fraud Prevention

Best Practices
• Fraud Awareness and Education
• Management of Fraud Control
  • Effective Fraud Control Policies
  • Monitoring Fraud Control Policies
• Personnel Monitoring
  • Pre-Employment Integrity Screening
  • On-going Monitoring of Integrity
• Transaction Monitoring
  • Software to Analyse Normal Transaction Patterns
  • Payment Authorisation
  • Centralised Reporting
• Personal Identification
  • Biometric Identification
  • Databases
  • The 100 Point System
• Counterfeiting Prevention
• Computer Systems Monitoring
• Legal Deterrence