Strategies for Implementing a Formal
and Effective Anti-Fraud Program
Josh Shilts CPA/CFF, CFE

MIS Training Institute Session 13 - Slide 2
n We will NOT discuss:
u The definition of Fraud
u Types & Categories of Fraud
u Why people commit fraud
n What we will do:
u Discuss steps for you to use in implementing your anti-fraud
program (“AFP”)
u Assess and understand fraud management & forensic
accounting techniques
u Understand what is necessary for an anti-fraud program to be
effective in your organization
u Review tools that can be used by you in implementing an anti-
fraud program
Key Points

MIS Training Institute Session 13 - Slide 3
Anti-Fraud Program Objective
Prevent or detect the occurrence of fraud and
implement proactive solutions to reduce or
eliminate fraud’s effects on the organization…

MIS Training Institute Session 13 - Slide 4
Before We Begin, Remember…
The design of an organization’s formal and
effective anti-fraud program evolves from the
collaborative efforts of executive
management, oversight committees, and
specific departments within the organization…

MIS Training Institute Session 13 - Slide 5
n Benchmark
What are we doing now?
u “Routine” Audits
u SOX & other regulatory audits
u Code of Conduct
u Management Oversight (financial
reconciliation, expense reporting
reviews, etc.)
Pre -Implementation Steps
What can we be doing?
Continuous Assurance
Training (auditors, business owners)
Anti-fraud audit procedures
Enhanced Due Diligence procedures
(employee hiring, vendor on-boarding,
etc.)
Management Buy-In
Potential cost savings
Ex. 5% (per ACFE the avg. loss) X Gross
Expenses
Operational Improvements
Strengthen Control Environment
Identify Operational Efficiencies
Risks lead to Opportunities
VS.

MIS Training Institute Session 13 - Slide 6
Benchmark/GAP Analysis
Identify “Best Practices” and other sources to
Benchmark existing activities against to identify
elements already established…
Analyze current procedures and protocols to
determine if applicable to anti-fraud initiatives…
Engage others within your organization and
executive management to provide feedback on
existing practices…
Document and present your analysis…
Element Activity
Exceeds
Expectations
Meets
Expectations
Does Not Meet
Expectations
Responsible
Party(s)
Enhancement Opportunities
Prevention
Anti-Fraud
Training
X Compliance
Begin training within specific
departments (i.e. Acctg.)
Investigation
& Corrective
Action
Investigative
process is clearly
defined
X
Compliance &
Security
Formalize investigation process
and define specific roles &
responsibilities
Detection
Analytical
Reviews
X Internal Audit
Review analytical programs to
determine if enhancement areas
exist
Assign activities to meet element objectives and determine if your program is
meeting those defined objectives…

MIS Training Institute Session 13 - Slide 7
Established Benchmark Guidance
Assess current procedures against established frameworks/guidance…
Identify opportunities for improvement (e.g. modify or implement
procedures, protocols, etc)...
IIA, ACFE and AICPA’s “Managing
the Business Risk of Fraud: A
Practical Guide”, April 2008
IIA’s International Professional Practices
Framework (“IPPF”) – Practice Guide:
“Internal Auditing and Fraud”, December 2009

MIS Training Institute Session 13 - Slide 8
1210.A2 – Internal auditors must have sufficient knowledge to evaluate the risk of
fraud and the manner in which it is managed by the organization, but are not
expected to have the expertise of a person whose primary responsibility is to detect
and investigate fraud;
1220.A1 – Internal auditors must exercise due professional care by considering
the...probability of significant errors, fraud, or noncompliance...;
2120.A2 – The internal audit activity must evaluate the potential for the
occurrence of fraud and how the organization manages fraud risk;
2210.A2 – Internal auditors must consider the probability of significant errors,
fraud, noncompliance, and other exposures when developing the engagement
objectives; and
2060 – The chief audit executive must report periodically to senior management
and the board of directors on the internal audit activity’s purpose, authority,
responsibility, and performance relative to its plan. Reporting must also include
significant risk exposures and control issues, including fraud risks, governance
issues, and other matters needed or requested by senior management and the
board of directors.
IIA Fraud Standards
Guidance provided by The IIA’s International Professional Practices Framework

MIS Training Institute Session 13 - Slide 9
Governance - The program should include a written policy (or policies)
to convey the expectations of the board of directors and the executive
management team regarding managing fraud risk.
Fraud Risk Assessment - An organization’s fraud risk exposure should
be assessed periodically by the organization to identify specific scenarios
that the organization needs to mitigate.
Prevention - Prevention techniques to avoid potential key fraud risk
events should be established, where feasible, to mitigate possible impacts
on the organization.
Detection - Detection techniques should be established to uncover fraud
events when preventive measures fail or unmitigated risks are realized.
Investigation & Corrective Action - A reporting process should be in
place to solicit input on potential fraud and a coordinated approach to
investigation and corrective action should be used to help ensure potential
fraud is addressed appropriately and timely. The investigative function
should be coordinated between appropriate parties selected by
management.
Anti-Fraud Program Elements

MIS Training Institute Session 13 - Slide 10
Benchmark/Gap Analysis
Elements of Effective
Anti-Fraud
Management
Executive
Leadership
Compliance Legal Audit Security Accounting HR
Tone at the Top X
Code of Conduct X X
Establish & Maintain System of
Internal Controls
X X
Internal Control Reviews X
Deter & Detect Potential Conflicts
of Interest
X X
Hotline Administration X
Investigation of Fraud
Allegations
X X X X
Referral to Law Enforcement X
Fraud & Compliance Awareness
Training
X X
Civil Litigation and Recovery of
Losses Due to Fraud
X
Corrective Actions / Remediation
to Prevent Recurrences of Fraud
X
Proactive Fraud Auditing X
Fraud Risk Assessment X X
Employee Assistance Program X
Responsibility matrices can assist you in identifying and assigning responsibilities…
Use the matrix to benchmark, clearly define roles & responsibilities and periodic
evaluations…

MIS Training Institute Session 13 - Slide 11
Governance
Image obtained from the ACFE’s article “Who Owns Fraud? Uniting Everyone to Effectively Manage the Anti-Fraud Program” by Dan Tropey,
CPA and Mike Sherrod, CFE, CPA

MIS Training Institute Session 13 - Slide 12
Governance Best Practices
Formal Anti-Fraud Policy – conveying the expectations of the board of
directors and executive management. The policy (or policies) can include:
Organization’s Definition of Fraud
Organization’s attitude toward fraud (i.e. Zero-Tolerance, Materiality)
Relationship between anti-fraud and Code of Conduct
Summary of Fraud Control Strategies
Overview of Fraud Risk Management functions
Procedures for Reporting Fraud (i.e. Whistleblower Hotline)
HR Employment Conditions and Processes
Investigation Procedures (e.g. Confidentiality Protocol, Privilege, Fraud
Response Management, Root-Cause Analysis)
Department/Committee Roles & Responsibilities
Attitude towards retaliation

MIS Training Institute Session 13 - Slide 13
Identify
Plan
Risk Assessment Process

MIS Training Institute Session 13 - Slide 14
Risk Assessment - Categories
*Refer to the 2010 Report to the Nations on Occupational Fraud and Abuse, ACFE
Present your “FRA” at a level that board members/executive management can
understand…
Use these categories and a Top-Down approach to build your Fraud Scheme
Repository …

MIS Training Institute Session 13 - Slide 15
Risk Assessment – Fraud Scheme Mngt.
Using the categories defined for presentation purposes build a granular fraud
scheme repository specific to your organization’s activities & risks…
The repository schemes can then be tracked and measured at a granular level
and rolled up to assist in measuring the sub-risk and categories…
Vendor A is required to pay the bidding manager
$2,000 to participate in the bidding process
Extortion Corruption
Funds are misappropriated to a shell company.
Vendor setup is colluding with accounts payable.
Fraudulent Disbursement
– Billing Scheme
Asset
Misappropriation
Management has decided to book revenue for items
shipped and ships items to meet expectations.
Financial – Fictitious
Revenues
Fraudulent
Statements
KPIs Mitigation Actions
1. Hotline Statistics 1. SOX Controls
2. SEC Enforcement Actions 2. Audit Procedures
Fraud Scheme Sub Risk Category

MIS Training Institute Session 13 - Slide 16
Risk Assessment - Measures
KPIs and Mitigating Activities provide “real” data to support your assessment;
however, Management should be updated and risks ranked by using the…
Magnitude (i.e. Significance):
High (3) = > $10 Million
Med (2) = Between $4 Million and $10 Million
Low (1) = < $4 Million
Likelihood (i.e. Controls, Mitigating Activity):
Strong (1) = Preferred Practice
Good (2) = Adequate
Low (3) = Needs Improvement
Likelihood (i.e. Pressure, Occurrence):
High (3) = Significant pressure
Med (2) = Moderate pressure
Low (1) = Little to no pressure
Magnitude + Likelihood [(Controls) + (Pressure)] = Rank
$s should reflect your Organization’s Appetite

MIS Training Institute Session 13 - Slide 17
Risk Assessment - Presentation
Magnitude
Major >$50M 5
Substantial >$25M 4
Moderate >$ 10M 3
Minor >$1M 2
Insignificant <$1M 1
Define how Financial Impact
is measured (i.e. Net Income,
Revenues, etc.)
1 2 3 4 5
Remote Unlikely Possible Likely
Almost
Certain
Likelihood
12
11
3
10
4
6
5
14
13
2
15
9
8
1
7
Heat Map Other Measures
(1) Velocity – Measurement of
the rate of change…
Measure as Immediate, Rapid or
Slow
(2) Risk – Gross & Residual
Gross before Mitigating Activities
and Residual Measures After
Measure as High, Medium or
Low

MIS Training Institute Session 13 - Slide 18
Prevention
Prevention techniques are as varied as the industries and size of businesses we
work in…
Exit Interviews
SecurityCameras
SOX/ICFR

MIS Training Institute Session 13 - Slide 19
Prevention – Keep your Ears on the Track
Continue to improve & enhance these activities based on past experiences, new
concepts and information from your fraud risk assessment…
1. Integrate current activities with anti-fraud objectives
2. Continue to assess preventative activities as part audit and SOX
procedures and identify ways to improve prevention activities
3. Adjust preventive activities based upon new ideas, frauds, etc.
4. Seek feedback from business owners
5. Try to stay ahead of the Fraudster by educating yourself and your team

MIS Training Institute Session 13 - Slide 20
Detection
Structured
Audits
 Fraud Training/Planning embedded in plan
 Fraud-Specific Audits
 Other Department Audits
Continuous Assurance
 Base review areas on Assessment
 Analytic Tools
SOX/IFRS Control Reviews
Whistleblower Programs
Analytical Financial Data Reviews
Unstructured
Emails , Instant Messages
Key Word Searches
Base on high risk areas
Memos, Contracts, Invoice Details, etc.
Dates, $s, names, etc.

MIS Training Institute Session 13 - Slide 21
Detection – Use Existing Knowledge
Leading & Lagging Indicators
1. Hotline Complaints
2. Fraud Risk Research Stats
3. New Audits w/ Fraud Objectives
1. Ratio Analysis
2. Prior Audit Findings
3. Hotline Complaint Trends
Audit Planning & Testing Training
SOX/ICFR Testing
Continuous Monitoring Focus Areas
Fraud Risk Assessment
AuditPlanning
Policy ObjectivesManagement/Employee Awareness

MIS Training Institute Session 13 - Slide 22
Detection – Fraud Materiality
Materiality is a concept or convention within auditing and accounting relating
to the importance/significance of an amount, transaction, or discrepancy
FRAUD HAS NO MATERIALITY
1. Define your company’s fraud appetite
2. Review local laws/regulations for guidance on
criminal fraud amounts
3. Project potential total losses over time
ASSESS & DECIDE

MIS Training Institute Session 13 - Slide 23
Concept of Forensic Accountant vs. Fraud Manager
Forensic accountants are experienced auditors,
accountants, and investigators of legal and financial
documents that are hired to look into possible
suspicions of fraudulent activity within a company…
Whereas various individuals are fraud managers in
that they assist in the deterrence and/or detection
of fraud or indications of fraud…

MIS Training Institute Session 13 - Slide 24
Investigation & Corrective Action
1. A reporting process should be in place to solicit input on
potential fraud.
2. A coordinated approach to investigation and corrective action
should be used to help ensure potential fraud is addressed
appropriately and timely (“Fraud Response Plan”).
3. The investigative function should be coordinated between appropriate parties
selected by management (Who is the quarterback?).
4. The function should clearly define the roles and responsibilities of identifying,
responding and reporting to an alleged fraud. Including internal and external
resources. Build the investigation team based upon skill sets.
5. Each part of the investigative process should be clearly documented and
reported. Legal should be involved within the process to provide guidance.
6. Maintain consistent disciplinary procedures. “Set the tone” within the
organization with respect to fraud.
7. As part of this process management should review the investigation’s findings
to determine what the appropriate follow-up should be.
8. The investigative team should also review periodically their process to
determine if there are improvement opportunities (i.e. learning roundtables).

MIS Training Institute Session 13 - Slide 25
Investigation & Corrective Action
Corrective actions can include a root-cause analysis, internal control
or process improvement reviews and/or criminal or civil actions…
Coordinate remediation action steps across business units
Utilize the investigation findings to determine the
likelihood of the potential fraud risk from reoccurring and
learn how to effectively mitigate the action
Determine the value of
your actions and present
to management

MIS Training Institute Session 13 - Slide 26
Now What?
Prioritize Your Next Steps
•Management Buy In
•Explain the value (Regulations or $ Savings)
•Find your place at the “Table”
•Internal Audits Role
•Define your Plan
•Risk Assessment, Detection/Prevention
•Measure, Assess and Adjust
•Manage resources efficiently and effectively
NEVER Stop Thinking of New Ways to Prevent or Detect Fraud

MIS Training Institute Session 13 - Slide 27
Questions