Webinar Series Overview: In today’s world, fraud investigations have become an everyday part of corporate life and the auditor must gain expertise in this area.
The 8-part series will cover the tasks of the fraud auditor, forensic techniques and tools, the abilities required of the fraud auditor, the type and nature of common frauds, investigating fraud, computer fraud and control, white collar crime, and the auditor in court.
This session: Forensic and Investigative Audit Reporting
• Types of reporting
• Management
• Board/Audit committee
• Disciplinary action
• Litigation support
• Criminal process
• Follow up and remedial action
1. 11/6/2017
Forensic and Investigative
Audit Reporting
About Jim Kaplan, CIA, CFE
President and Founder of AuditNet®,
the global resource for auditors (now
available on iOS, Android and
Windows devices)
Auditor, Web Site Guru,
Internet for Auditors Pioneer
Recipient of the IIA’s 2007 Bradford
Cadmus Memorial Award.
Author of “The Auditor’s Guide to
Internet Resources” 2nd Edition
About Richard Cascarino, MBA,
CIA, CISM, CFE, CRMA
• Principal of Richard Cascarino &
Associates based in Colorado USA
• Over 28 years experience in IT audit
training and consultancy
• Past President of the Institute of
Internal Auditors in South Africa
• Member of ISACA
• Member of Association of Certified
Fraud Examiners
• Author of Data Analytics for Internal
Auditors
About AuditNet® LLC
• AuditNet®, the global resource for auditors, is available on the
Web, iPad, iPhone, Windows and Android devices and features:
• Over 2,700 Reusable Templates, Audit Programs,
Questionnaires, and Control Matrices
• Training without Travel Webinars focusing on fraud, data
analytics, IT audit, and internal audit
• Audit guides, manuals, and books on audit basics and using
audit technology
• LinkedIn Networking Groups
• Monthly Newsletters with Expert Guest Columnists
• Surveys on timely topics for internal auditors
• NASBA Approved CPE Sponsor
Introductions
Housekeeping
This webinar and its material are the property of AuditNet® and its Webinar partners. Unauthorized
usage or recording of this webinar or any of its material is strictly forbidden.
If you logged in with another individual’s confirmation email you will not receive CPE as the
confirmation login is linked to a specific individual
This Webinar is not eligible for viewing in a group setting. You must be logged in with your unique
join link.
We are recording the webinar and you will be provided access to that recording after the webinar.
Downloading or otherwise duplicating the webinar recording is expressly prohibited.
If you have indicated you would like CPE you must answer the polling questions (all or minimum
required) to receive CPE per NASBA.
If you meet the NASBA criteria for earning CPE you will receive a link via email to download your
certificate. The official email for CPE will be issued via NoReply@gensend.io and it is important to
white list this address. It is from this email that your CPE credit will be sent. There is a processing
fee to have your CPE credit regenerated post event.
Submit questions via the chat box on your screen and we will answer them either during or at the
conclusion.
Please complete the evaluation questionnaire to help us continuously improve our Webinars.
The views expressed by the presenters do not necessarily represent
the views, positions, or opinions of AuditNet® LLC. These materials,
and the oral presentation accompanying them, are for educational
purposes only and do not constitute accounting or legal advice or
create an accountant-client relationship.
While AuditNet® makes every effort to ensure information is
accurate and complete, AuditNet® makes no representations,
guarantees, or warranties as to the accuracy or completeness of the
information provided via this presentation. AuditNet® specifically
disclaims all liability for any claims or damages that may result from
the information contained in this presentation, including any
websites maintained by third parties and linked to the AuditNet®
website.
Any mention of commercial products is for information only; it does
not imply recommendation or endorsement by AuditNet® LLC
Today’s Agenda
Fraud Reporting
Types of reporting
Management
Board/Audit committee
Disciplinary action
Litigation support
Criminal process
Follow up and remedial action
Fraud Reporting and
Whistle Blowing
Internal Auditor "the eyes and ears of management"
Reporting to legal authorities and media neither required
nor encouraged by IIA
Where such reporting is required by law then IIA requires
compliance
Code of Ethics requires loyalty in all matters pertaining to
the operations of the employer except where in conflict
with legal issues
Mandated to report wrongdoings internally as a minimum
State of Virginia has laws protecting Internal Auditors from
firing for whistle-blowing
From a US Survey of 8000
Employees
Most employees believe reporting wrongdoing is ethical and morally
right
Most employees who observe wrongdoing do not report it to
anyone
Internal auditors whose job entails reporting are more likely
to report wrongdoing
Employees who observe serious, well-documented, or
frequent wrongdoings are more likely to report it
Employees who observe wrongdoings are more likely to
report when their organization's policies encourage them to
do so
Steps in Deciding to Report
Did wrongdoing occur?
Does the wrongdoing require action?
Am I responsible for acting?
What actions are available to me?
Will the benefits of acting outweigh the costs?
Has previous action proved beneficial to all
parties?
Was my action effective?
Reasons for Non-reporting
Not sure whom to report it to
Nothing would be done
Nothing could be done
Not enough evidence
Too risky
Not my job
Not important
Reporting
Who makes the decision?
Under what conditions?
To whom do they report?
What are the effects on them personally?
With management's approval?
Ethical Considerations of
Whistle Blowing
Who is the client?
Originally management
(IIA Statement of Responsibility 1947)
Now the organisation
(IIA Statement of Responsibility 1981)
As a result of the growth in audit committees
IIA Code of Ethics
II Members, in holding the trust of their
employers, shall exhibit loyalty .... however,
members shall not knowingly be a party to any
illegal or improper activity
V Members shall not use confidential information
for personal gain nor in a manner which would
be detrimental to the welfare of their employer
Employer - Employee
Relationship
Trust
Loyalty
Internal Auditors in a privileged situation
Breach would permanently impair working
relationship
Loss of unrestricted access
Fear and mistrust
Reporting
Internal Reporting
Is not whistle blowing
Is not a matter of choice
Part of the auditor's duty
Expected by employers
External Reporting
If no law is broken, there is no obligation to externalize
If there is a legal requirement to report, it is not whistle
blowing
Non-reporting may not be, in itself, a crime
Conspiracy to commit, aid, conceal or abet is a crime
Specific authority from employers to externalize is therefore
required
Fraud Reporting
Guidelines
All frauds must be reported to employers
Frauds should not be externalized unless authorized
Lawful interests of employers should not be
jeopardized by the audit process
Consult with the company's legal representatives
when unlawful activities become apparent
Audit files should be protected to avoid jeopardizing
the employer's lawful business
Internal auditors should not knowingly be a party to
illegal acts
Whether or not the employer agrees to take action
External Auditors
Leaking to external auditors probably falls under improper
activities
No requirement to communicate to external auditors
unless explicitly or implicitly authorized by management
If authorized by management, there must be no active or
passive misleading
If access to internal audit files only approved and no
representations are made about their completeness, there
is no ethical obligation to provide additional information
Internal auditors must not exceed the authorized
boundaries of cooperation
Fundamental judgment not legal but right and wrong
Overriding Social Need
Circumstances may eventually necessitate
whistle blowing
Social threats
Health
Safety
Threat to property
Conscience dictates
Report as an individual not as an internal auditor
May have unfortunate results for the whistle
blower
From a US Survey of 8000
Employees
A substantial number, though not a majority, of
employees who report wrongdoing suffer retaliation
of some sort, particularly when the reporting is
externalized
Retaliation is more likely if the wrongdoing is
serious
Internal Auditors suffer retaliation at about the same
rate as other employees, even though they are
mandated to report wrongdoing
Types of Reporting
Typical recipients of risk reports/ profiles:
Board
Executive
Committees (Risk/Audit/Finance etc.)
Risk Owners/ Line Managers
Staff
External (Secretariats & Departments, Public)
Government Recovery Board
After establishing ‘Likelihood’ and
‘Consequence’ you can use a table like this to
set a level of risk.
Likelihood \ Consequence | Extreme     | Very high   | Moderate    | Low         | Negligible
Almost certain           | Severe      | Severe      | High        | Major       | Moderate
Likely                   | Severe      | High        | Major       | Significant | Moderate
Moderate                 | High        | Major       | Significant | Moderate    | Low
Unlikely                 | Major       | Significant | Moderate    | Low         | Very low
Rare                     | Significant | Moderate    | Low         | Very low    | Very low
You must define what these risk levels mean to you in
terms of the Risk Appetite
Board Reporting against Risk
Appetite
Risks facing Management
[Figure: map of example risks facing management, grouped into four categories (Strategic; Commercial and Operational; Financial; Hazard Related) and positioned between Externally Driven and Internally Driven]
Evaluate Fraud Risks to Risk
Appetite/Tolerance
Scales for Tolerance
Very Low Tolerance – Management is not willing to
accept more than a nominal level of fraud risk. Adverse
fraud risks are intolerable whatever benefits the activity will
bring and risk reduction measures are essential – whatever
their cost.
Moderate Tolerance – Management will accept a
moderate level of fraud risk. Costs and benefits are taken
into account and opportunities balanced against potential
adverse consequences.
Extremely High Tolerance – Management will accept an
extremely high level of fraud risk. Negative fraud risks are
negligible or so small that no risk treatment measures are
needed.
Evaluate Risks Against
Risk Tolerances
Columns: No., Risk, Impact, Likelihood, Tolerance, Analysis
1 Industry: Impact 6.6, Likelihood 4.0, Tolerance Moderate
• Industry changes would have moderate to high impact as the Company’s product may have to undergo significant changes.
• Technological changes are inherent with industry, hence ABC Company’s likelihood and tolerance are both moderate
8 Brand Equity: Impact 7.4, Likelihood 4.0, Tolerance Low
• Protecting ABC Company’s brand is paramount for future growth and success; hence high impact and low tolerance.
• High quality assurance and ongoing R&D result in low likelihood
12 Product Failure: Impact 7.8, Likelihood 3.8, Tolerance Low
• High quality products and performance are very important to the ABC Company; hence high impact and low tolerance.
• Company’s strong quality control helps keep likelihood low (good audit candidate)
23 Legal & Regulatory: Impact 6.6, Likelihood 3.4, Tolerance Low
• Changes in legal and regulations could have a moderately high impact on the company
• As these changes are infrequent, ABC Company is successful in managing these changes to low tolerance level
25 Health & Safety: Impact 6.4, Likelihood 3.2, Tolerance Low
• Considering the high value placed on employees, Company has a low tolerance to health & safety risks which could have a moderate impact
• The Company has an effective health & safety program, which has helped the likelihood of this risk remain low
Treat Fraud Risks
[Figure: risk treatment choices (Accept, Reduce, Transfer, Avoid) set against three factors: Risk to Company Strategy (Core, Not Core), whether Management Believes It Can Effectively Manage the risk (Manage, Not Manage), and Risk Impact to Company Tolerance (Consistent, Exceeds, Far Exceeds)]
Audit Committee Reporting
Reporting on the results of Management’s
annual review of the effectiveness of internal
control
Provision of periodic monitoring reports on the
high-level (and other significant) risks
Auditing to ensure that ‘early warning
indicators’ are in place where appropriate
Following-up on management assurances on
mitigating controls, further actions and residual
risks
Audit Committee Reporting
Ensuring that all corporate objectives are
adequately mapped against risks and the
audit plan
Ensuring that there is a process in place to
identify new or emerging risks from an audit
perspective
Challenging the acceptability and treatment
of residual risks
Ensuring that ‘further actions’ identified in
the risk management process are actually
undertaken
Board /Audit Committee
Reporting
Reviews of
Accounting and financial internal and
fraud/embezzlement related controls and processes
Risk assessment and management
Possible entity and individual liability and reputation risk
exposure
Compliance assessment and management relating to
laws, regulations, and rules
Audit Committees and
Whistleblowing
The AC should review arrangements by which
staff of the company may, in confidence, raise
concerns about possible improprieties in matters
of financial reporting or other matters. The AC’s
objective should be to ensure that arrangements
are in place for the independent investigation of
such matters and for appropriate follow up action.
(Revised Singapore Code, Guideline 11.7)
REPORT FRAUD, WASTE & ABUSE
One of the core missions of the Recovery Board is to prevent fraud, waste, and mismanagement
of Recovery funds. Recovery.gov gives you the ability to find Recovery projects in your own
neighborhood and if you suspect fraudulent actions related to the project you can report those
concerns in several ways:
Submit a Complaint Form electronically
Call the Recovery Board Fraud Hotline: 1-877-392-3375 (1-877-FWA-DESK)
Fax the Recovery Board: 1-877-329-3922 (1-877-FAX-FWA2)
Write the Recovery Board:
Recovery Accountability and Transparency Board
Attention: Hotline Operators
P.O. Box 27545
Washington, D.C. 20038-7958
The Recovery Board is committed to helping ensure these funds are spent properly, but we
cannot do it without your help. Additionally, the Recovery Act provides protections for certain
individuals (whistleblowers) who make specific disclosures about uses of Recovery Act funds.
Source: Recovery.gov
Recovery Board
The Purpose of Employee
Discipline
Eliminate inappropriate behavior
Create a "win-win" situation for manager and
subordinates
Not to exercise vengeance or eliminate a
problematic employee
The Purpose of Employee
Discipline
Neglecting discipline has consequences:
Negative effect on productivity and morale
Difficulty in enforcing long-ignored standards later on
Disciplinary Process - A step-by-step method of
dealing with performance problems in employees.
Organizational Policy and
Procedure
Policy and Procedure (P&P)
A written standard used within an organization to
describe what is to be done and how to do it.
Usually policies and procedures are written for
tasks that are done repeatedly and by more than
one individual.
Organizational Policy and
Procedure
Importance of a written disciplinary policy and
procedure
Protects manager and organization
Guarantees rights of employee
Teaches manager how to discipline employees
Organizational Policy and
Procedure
Components of policies and procedures
Policy Statement
The component of a P&P that states what is to be
done.
Progressive Discipline - A disciplinary process
characterized by the use of more drastic penalties for
each repeated instance of poor performance.
Organizational Policy and
Procedure – Components
Purpose
Statement of Purpose - Part of a P&P that explains
rationale for a policy and may include how the policy
relates to an organization’s philosophy.
Scope
An optional component of the policy section of a P&P that
lists the individuals or groups impacted by the policy.
Organizational Policy and
Procedure – Components
Procedure - usually has a minimum of 4
steps:
Verbal warning
Written warning
Suspension
Termination
Organizational Policy and
Procedure – Components
Procedure
Disciplinary Action - The activity performed by
a manager when implementing a step in
progressive discipline in order to assist an
employee to correct a behavioral or performance
problem.
The Disciplinary Process
Verbal Warning
The first step in employee discipline, which includes
identification of the problem and information sharing
between the manager and the employee.
Manager:
Meets with employee
States problem that has been identified
Listens to employee's perspective
Discusses potential solutions with employee
Ends on a positive, hopeful note
The Disciplinary Process
Verbal warning
If employee is unaware of a policy they are
violating, they should be coached instead of
disciplined
Prior to a verbal warning, manager must become
aware of the problem and verify it exists
The Disciplinary Process
Written Warning
The second, more formal, step in employee
discipline, which includes stating the problem and
noting repetition over time.
Includes:
Meeting similar to verbal warning
Placement of formal document in the employee's file
The Disciplinary Process
Suspension
The third step in the employee disciplinary
process, in which the employee is given time off,
usually without pay, to demonstrate the
seriousness of the problem.
Manager meets with employee as before, and
reviews formal documentation of suspension.
The Disciplinary Process
Termination
The final action in the employee disciplinary
process, which leads to the end of employment
and that results after repeated failure of the
employee to correct the problem.
The Disciplinary Process
Special circumstances
Certain events such as fraud may result in
termination without progressive discipline
Before immediate termination, manager should
consider:
Magnitude of problem behavior
Prior record of employee
The Fraud Auditor in Court
Evidence collected will be
disputed for three reasons:
Legality of the acquisition of the
evidence
Integrity of the evidence
Interpretation of the evidence
Evidentiary Considerations
Preserving and Protecting Evidence
documents – paper and electronic
physical – i.e., core sample
chain of custody/illegal search issues
Interviewing Witnesses
false imprisonment issues
self-incrimination issues
union contract issues
Maintain Confidentiality – “Need to
know.”
Let the “Pros” Handle It
Definition of Forensic
Accounting Litigation Service
Forensic accounting litigation services are the
professional assistance accountants provide related
to the litigation process.
These services may involve accounting, financial,
auditing, tax, quantitative analysis, and investigative
and research skills, as well as an understanding of
the legal process to provide assistance for actual,
pending, or potential legal or regulatory proceedings
before a trier of fact in connection with the resolution
of a dispute between parties.
Definition of Forensic
Accounting Litigation Service
“Briefly, forensic accounting is a science that deals with
the relation and application of facts to business and
social problems.” Lenny smiled and turned toward the
jury. “As I tell my students, a forensic accountant is like
the Columbo or Quincy character of yesteryear, except
he uses accounting records and facts to uncover fraud,
missing assets, insiders’ trading, and other white-collar
crimes.” Lenny turned back to the pinstriped lawyer.
I.W. Collett & M. Smith, Trap Doors and Trojan Horses, Thomas Horton & Daughters, p. 76
Six Areas of Litigation Services
1. Damages
Lost profits
Lost value
Lost cash flow
Lost revenue
Extra cost
Mitigation
Personal Injury
Environmental
2. Antitrust Analysis
Price-fixing
Market share, market
definition
Pricing below cost
Dumping and other price
distribution
Anti-competition actions
Monopolization
3. Accounting
CPA malpractice
Bankruptcy/
reorganization
Tracing
Contract cost and claims
Regulated industries
Frauds (civil and
criminal)
Historical analyses
Family law
Source: Management Advisory Services Technical Consulting Practice Aid 7: Litigation Services, (AICPA, 1986);
http://www.aicpa.org/innovation/fp/overview_litigat_disput.htm
Six Areas of Litigation Services
4. Valuation
Business and professional
practices
Pension
Intangibles/intellectual
property
Property
5. General Consulting
Arbitration
Mediation
Actuarial analyses
Statistical analyses
Projections
Industrial engineering
Market analyses
Computer consulting
Industry practices
Merger/acquisitions
Document management
6. Analyses
Tax bases
Cost allocations
Tax treatment of specific
transactions
Source: Management Advisory Services Technical Consulting Practice Aid 7: Litigation Services, (AICPA, 1986);
http://www.aicpa.org/innovation/fp/overview_litigat_disput.htm
Ten Commandments of Demonstrative
Evidence
1. Keep it Simple
2. Use Graphics with Every Witness (show & tell) (memory increases 700%)
3. Improve Interest Through Variety
4. Test Your Charts with Those Unfamiliar with the Dispute
5. Use Only Properly-scaled and Labeled Color Charts
6. Use Word Charts Rarely
7. Remember the Seriousness of the Setting
8. Charts Improve the Entire Process
9. Keep Up with Technology
10. Get Help
Fulcrum Inquiry, "The Ten Commandments of Demonstrative Evidence in Litigation."
Ten Commandments for
Depositions
Always tell the truth, but answer only the question asked.
Think before answering.
Never answer a question you do not understand.
Do not guess or speculate.
Do not bring notes, diagrams, books, or other written material to the deposition
unless a subpoena or your attorney requires you to do so.
Listen carefully to each objection made by your lawyer.
Do not argue or become angry or hostile with the examining attorney.
Even if a question calls for a yes or no answer, ask to explain your response if
you feel a qualification or explanation is required to complete your answer.
Beware of questions which involve absolutes.
Do not memorize your answers before the deposition.
Source: B.P. Brinig, “The Art of Testifying,” in Handbook of Financial Planning for Divorce and Separation, John Wiley, 1990.
Report Follow-up and Remedial
Action
Response may be to:
Accept the advice or recommendations
Auditor must follow-up to ensure promised action is taken
Reject the advice or recommendations
Auditor must ascertain that top management has assumed the risk
of non-action
No further follow-up is required
Management's decision - not audit's
Can be a major cause of auditor frustration
The audit committee can help
The Internal Audit Process
The Nine Steps
Selection of the Auditee
Audit Preparation
Preliminary Survey of Operations
Internal Control Description and
Analysis
Expanded Tests of Control Systems
Develop Findings and
Recommendations
Reporting
Follow-up
Audit Evaluation
Remember
Thank You!
Jim Kaplan
AuditNet® LLC
1-800-385-1625
Email:info@auditnet.org
www.auditnet.org
Richard Cascarino & Associates
Cell: +1 970 819 7963 - South Africa +27 (0)78 980 7685
Tel +1 303 747 6087 (Skype Worldwide)
Tel: +1 970 367 5429
eMail: rcasc@rcascarino.com
Web: http://www.rcascarino.com
Skype: Richard.Cascarino