Using analytics to your advantage – interpretations from COSO’s new Fraud Risk Program Guidance

Uploaded by dinhnguyet, posted 10 Dec 2016


TRANSCRIPT

Using analytics to your advantage – interpretations from COSO’s new Fraud Risk Program Guidance

Page 2

Topics for discussion

About the new COSO Fraud Risk Guidance to Principle #8

Mapping COSO to fraud risks and analytics examples

Fraud risk governance

Analytics use case examples

Page 3

About the new COSO Fraud Risk Guidance to Principle #8

Page 4

Progressing with the times

Page 5

About the new COSO Guidance

► Stems from the 2013 Internal Controls Framework

► Specifically addresses Principle #8 – Fraud Risk Assessment

► Incorporates the previous ACFE / IIA / AICPA publication on “Managing the Business Risk of Fraud”

► Released September 2016

► Maps to the 17 COSO Internal Controls Principles set forth in the 2013 Framework

► Increased focus on data analytics

► Scope is broader than just doing “fraud risk assessments”

Page 6

More than just a fraud risk assessment

The Guide includes guidance on establishing an overall fraud risk management program, including:

► Establishing fraud risk governance policies

► Performing a fraud risk assessment

► Designing and deploying preventive and detective fraud control activities

► Conducting investigations

► Monitoring activities

Page 7

ROI considerations: 2016 ACFE Report to the Nations

Companies without data monitoring/analytics in place suffered a median loss per incident of $200k vs. $92k with data analytics in place, a difference of $108k per incident. 20 investigations per year x $108k = $2.16M in savings per year. Treat this as a rough estimate: it multiplies a difference in medians by a case count, so the actual saving depends on an organization’s own loss distribution and case volume.

Page 8

Mapping the COSO Framework to fraud risks

Page 9

An integrated platform for anti-fraud monitoring and response

► Visualization: Detect fraud risks within a business process, taking a risk-based approach

► Case Management: Assign tasks, flag transactions and delegate projects for review

► Statistical: Apply predictive modeling and anomaly detection to surface hidden risks or new patterns

► Pattern & Link: Uncover hidden relationships or conflicts of interest

Lifecycle: Detect, Investigate, Respond, Discover
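The Pattern & Link capability described above can be shown with a small added example in Python (my illustration, not EY’s or COSO’s code). It links vendor master records to employee master records through shared bank accounts, phone numbers and addresses, normalizing each attribute first so that “12 High St, Apt 4” and “12 HIGH STREET APT 4” are recognised as the same address, and scores each link by the strength of the shared attribute. The employee and vendor records, the normalization rules and the weights are all constructed for illustration.

```python
"""Pattern & link analysis: link vendor master data to employee master data
through shared bank accounts, phone numbers and addresses.

Added example, not EY's or COSO's code. The records, normalization rules
and link weights are constructed for illustration.
"""
import re
from collections import defaultdict

# Constructed master data. V501 shares everything with employee E100 (a vendor
# set up by an employee); V502 shares only an address with E101.
EMPLOYEES = [
    {"id": "E100", "name": "Jane Doe", "address": "12 High St, Apt 4, Springfield",
     "phone": "(555) 010-2233", "bank": "GB29 NWBK 6016 1331 9268 19"},
    {"id": "E101", "name": "Bob Jones", "address": "77 Elm Avenue, Shelbyville",
     "phone": "555-010-8899", "bank": "DE89 3704 0044 0532 0130 00"},
    {"id": "E102", "name": "Kim Li", "address": "3 Park Lane, Capital City",
     "phone": "555 010 4455", "bank": "FR76 3000 6000 0112 3456 7890 189"},
]
VENDORS = [
    {"id": "V500", "name": "Acme Supplies Ltd", "address": "900 Industrial Way, Ogdenville",
     "phone": "555-020-1111", "bank": "GB12 ABCD 1234 5678 9012 34"},
    {"id": "V501", "name": "JD Consulting", "address": "12 HIGH STREET APT 4 SPRINGFIELD",
     "phone": "5550102233", "bank": "GB29NWBK60161331926819"},
    {"id": "V502", "name": "Elm Ave Services", "address": "77 Elm Ave., Shelbyville",
     "phone": "555-030-0000", "bank": "NL91 ABNA 0417 1643 00"},
]

# Normalization: records rarely match on raw strings, so each attribute is
# reduced to a canonical form before indexing.
ADDR_ABBREV = {"street": "st", "avenue": "ave", "apartment": "apt",
               "road": "rd", "lane": "ln", "boulevard": "blvd"}

def norm_address(addr):
    words = re.sub(r"[^a-z0-9 ]", " ", addr.lower()).split()
    return " ".join(ADDR_ABBREV.get(w, w) for w in words)

NORMALIZERS = {
    "bank": lambda s: re.sub(r"[^A-Z0-9]", "", s.upper()),   # IBAN-style, no spaces
    "phone": lambda s: re.sub(r"\D", "", s),                  # digits only
    "address": norm_address,
}
# A shared bank account is far stronger evidence than a shared address.
LINK_WEIGHTS = {"bank": 5, "phone": 3, "address": 2}

def find_links(employees, vendors):
    """Return [(score, vendor_id, employee_id, [matched attributes])], strongest first."""
    index = defaultdict(set)               # (attribute, normalized value) -> employee ids
    for e in employees:
        for attr, norm in NORMALIZERS.items():
            index[(attr, norm(e[attr]))].add(e["id"])
    links = defaultdict(list)              # (vendor_id, employee_id) -> matched attributes
    for v in vendors:
        for attr, norm in NORMALIZERS.items():
            for eid in index.get((attr, norm(v[attr])), ()):
                links[(v["id"], eid)].append(attr)
    scored = [(sum(LINK_WEIGHTS[a] for a in attrs), vid, eid, attrs)
              for (vid, eid), attrs in links.items()]
    return sorted(scored, reverse=True)

if __name__ == "__main__":
    for score, vid, eid, attrs in find_links(EMPLOYEES, VENDORS):
        print(f"{vid} <-> {eid} score={score} via {attrs}")
```

The index is keyed on normalized values, so the same code finds vendor-to-vendor links (two vendors paid to one bank account, a common shell-company indicator) by indexing vendors instead of employees. In a real deployment the normalization step is where most of the effort goes: address parsing, transliteration and phone-number country codes decide whether the links surface at all.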

Page 10

COSO 2013 Internal Controls Framework, Principles 1 through 5: Control Environment

COSO Framework Principles

1. The organization demonstrates a commitment to integrity and ethical values.

2. The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.

3. Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.

4. The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.

5. The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives.

Fraud Risk Management Principle

1. The organization establishes and communicates a fraud risk management program that demonstrates the expectations of the board of directors and senior management and their commitment to high integrity and ethical values regarding managing fraud risk.

Analytic Considerations

• Executive reporting

• Interactive dashboards

• Targeted analysis around metrics, compliance and ratios

Page 11

COSO Framework Principles 6 through 9: Risk Assessment

COSO Framework Principles

6. The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.

7. The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.

8. The organization considers the potential for fraud in assessing risks to the achievement of objectives.

9. The organization identifies and assesses changes that could significantly impact the system of internal control.

Fraud Risk Management Principle

2. The organization performs comprehensive fraud risk assessments to identify specific fraud schemes and risks, assess their likelihood and significance, evaluate existing fraud control activities, and implement actions to mitigate residual fraud risks.

Analytic Considerations

• Surveys & heat maps

• Media scans and external sources such as industry news

• Complaints database

Page 12

COSO Framework Principles 10 through 12: Control Activities

COSO Framework Principles

10. The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.

11. The organization selects and develops general control activities over technology to support the achievement of objectives.

12. The organization deploys control activities through policies that establish what is expected and procedures that put policies into action.

Fraud Risk Management Principle

3. The organization selects, develops, and deploys preventive and detective fraud control activities to mitigate the risk of fraud events occurring or not being detected in a timely manner.

Analytic Considerations

• ABaC (anti-bribery and corruption) analytics

• P2P (procure-to-pay), O2C (order-to-cash), T&E (travel and entertainment) and CRM analysis

• General ledger transaction analysis

Demo: http://www.ey.com/PZ/en/Home/EYCounterFraudManagementDemo

Page 13

COSO Framework Principles 13 through 15: Information & Communication

COSO Framework Principles

13. The organization obtains or generates and uses relevant, quality information to support the functioning of other components of internal control.

14. The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.

15. The organization communicates with external parties regarding matters affecting the functioning of other components of internal control.

Fraud Risk Management Principle

4. The organization establishes a communication process to obtain information about potential fraud and deploys a coordinated approach to investigation and corrective action to address fraud appropriately and in a timely manner.

Analytic Considerations

• Case management

• Escalation and triage

• Review workflow management

Page 14

COSO Framework Principles 16 & 17: Monitoring Activities

COSO Framework Principles

16. The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.

17. The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.

Fraud Risk Management Principle

5. The organization selects, develops, and performs ongoing evaluations to ascertain whether each of the five principles of fraud risk management is present and functioning and communicates fraud risk management program deficiencies in a timely manner to parties responsible for taking corrective action, including senior management and the board of directors.

Analytic Considerations

• Investigative procedures

• Deep dive analysis

• Email and communications review

Page 15

Graphic 1: Forensic Data Analytics Process used in COSO guidance

Analytics Design

• Identify risks based on industry & company-specific knowledge

• Map risks to appropriate data sources and assess availability

• Develop work plan and define analytics and procedures

• Define engagement timeline and deliverables

Data Collection

• Work with information technology personnel to map identified tests to relevant data sources

• Assess data integrity and completeness

• Extract, transform / normalize and load data into the analytics platform

• Validate that data has been loaded completely and accurately

Data Organization & Calculations

• Execute on the analytics work plan

• Modify analytics as appropriate based on data received, data quality and user feedback

• Consider integrating advanced analytics procedures such as text mining, statistical analysis and pattern / link analysis

Data Analysis

• Evaluate initial analytics results

• If possible, develop scoring model and prioritize transactions or entities based on multiple risk attributes

• Tune the model as needed to refine results for relevancy

Findings, Observations & Remediation

• Request supporting documents and/or validate as available

• Determine sample selections, or triage/escalation procedures

• Develop remediation and/or investigative plan

• Escalate findings as appropriate and track dispositions
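To make the Data Collection, Data Analysis and Findings steps of this process concrete, here is an added example in Python (my illustration, not EY’s or COSO’s code) that runs over a constructed accounts-payable extract. It reconciles row count and control total before any test runs, applies rule-based tests (payments structured just under an approval limit, near-duplicate payments, self-approval, watch-list keywords in payment descriptions after normalizing digit-for-letter substitutions such as “g1ft”), adds a per-vendor statistical outlier test, combines the hits into one score per payment, and ranks the payments for reviewer triage. The rows, the approval limit, the keyword list, the weights and the thresholds are all assumptions.

```python
"""Forensic data analytics over a constructed accounts-payable (AP) extract.

Added example, not EY's or COSO's code. Every threshold, weight, keyword
and sample row below is an assumption chosen for illustration.
"""
import re
import statistics
from collections import defaultdict

# Constructed AP extract: (payment_id, vendor, amount, description, approver, entered_by)
AP_ROWS = [
    ("P001", "Acme Supplies", 4990.00, "Office supplies Q3", "jdoe", "asmith"),
    ("P002", "Acme Supplies", 4985.00, "Office supplies Q3", "jdoe", "asmith"),
    ("P003", "Northwind Ltd", 12000.00, "Consulting services", "kli", "asmith"),
    ("P004", "Northwind Ltd", 11800.00, "Consulting services", "kli", "asmith"),
    ("P005", "Globex Corp", 2500.00, "Facilitation payment, customs", "kli", "bjones"),
    ("P006", "Globex Corp", 2400.00, "G1ft for minister", "kli", "bjones"),
    ("P007", "Initech", 317.45, "Printer toner", "jdoe", "bjones"),
    ("P008", "Initech", 90000.00, "Printer toner", "jdoe", "bjones"),
    ("P009", "Initech", 289.10, "Printer toner", "jdoe", "bjones"),
    ("P010", "Initech", 301.00, "Printer toner", "jdoe", "bjones"),
    ("P011", "Initech", 295.00, "Printer toner", "jdoe", "jdoe"),
]
EXPECTED_ROWS = 11                          # assumed row count reported by the source system
CONTROL_TOTAL = sum(r[2] for r in AP_ROWS)  # assumed control total from the source system
APPROVAL_LIMIT = 5000.00                    # assumed single-approver limit
KEYWORDS = ["gift", "facilitation", "commission", "cash"]  # assumed watch list
WEIGHTS = {"near_limit": 2, "near_duplicate": 2, "keyword": 3,
           "self_approved": 3, "statistical_outlier": 4}   # assumed weights

# Data Collection step: reconcile what was loaded against the source system's figures.
def validate_load(rows, expected_rows, expected_total):
    loaded_total = round(sum(r[2] for r in rows), 2)
    return len(rows) == expected_rows and loaded_total == round(expected_total, 2)

# Normalize free text before keyword tests so that trivial evasions such as
# "g1ft" or "GIFT!" still match; a substring search on the raw field would not.
LEET = str.maketrans({"1": "i", "0": "o", "3": "e", "$": "s", "@": "a"})

def normalize(text):
    return re.sub(r"[^a-z ]", "", text.lower().translate(LEET))

def keyword_hits(description):
    text = normalize(description)
    return [k for k in KEYWORDS if k in text]

# Rule test: same vendor and (normalized) description, amounts within `tolerance`.
def near_duplicates(rows, tolerance=0.01):
    flagged = set()
    groups = defaultdict(list)
    for r in rows:
        groups[(r[1], normalize(r[3]))].append(r)
    for group in groups.values():
        for i, a in enumerate(group):
            for b in group[i + 1:]:
                if abs(a[2] - b[2]) <= tolerance * max(a[2], b[2]):
                    flagged.update((a[0], b[0]))
    return flagged

# Statistical test: per-vendor modified z-score using median and MAD, which,
# unlike mean and standard deviation, is not dragged along by the outlier itself.
def robust_outliers(rows, min_n=5, cutoff=3.5):
    flagged = set()
    by_vendor = defaultdict(list)
    for r in rows:
        by_vendor[r[1]].append(r)
    for group in by_vendor.values():
        if len(group) < min_n:
            continue                      # too few payments to estimate a baseline
        amounts = [r[2] for r in group]
        median = statistics.median(amounts)
        mad = statistics.median(abs(a - median) for a in amounts)
        if mad == 0:
            continue                      # identical amounts; no spread to measure
        for r in group:
            if 0.6745 * abs(r[2] - median) / mad > cutoff:
                flagged.add(r[0])
    return flagged

# Data Analysis step: combine every hit into one score per payment.
def score_payments(rows):
    dups, outliers = near_duplicates(rows), robust_outliers(rows)
    results = {}
    for pid, vendor, amount, desc, approver, entered_by in rows:
        flags = []
        if 0.9 * APPROVAL_LIMIT <= amount < APPROVAL_LIMIT:
            flags.append("near_limit")          # structured just under the limit
        if pid in dups:
            flags.append("near_duplicate")
        flags += ["keyword:" + k for k in keyword_hits(desc)]
        if approver == entered_by:
            flags.append("self_approved")       # segregation-of-duties breach
        if pid in outliers:
            flags.append("statistical_outlier")
        results[pid] = (sum(WEIGHTS[f.split(":")[0]] for f in flags), flags)
    return results

# Findings step: rank for reviewer triage, highest score first, then by id.
def triage(results, top_n=5):
    return sorted(results.items(), key=lambda kv: (-kv[1][0], kv[0]))[:top_n]

if __name__ == "__main__":
    if not validate_load(AP_ROWS, EXPECTED_ROWS, CONTROL_TOTAL):
        raise SystemExit("load does not reconcile; fix extraction before testing")
    for pid, (score, flags) in triage(score_payments(AP_ROWS)):
        print(pid, score, flags)
```

Two design points worth noting. The outlier test uses median and median absolute deviation rather than mean and standard deviation: a single $90,000 payment among $300 toner invoices would inflate a standard deviation enough to hide itself, whereas the MAD-based score still flags it. The weights are a starting point, not a result; the “tune the model” step above is where they are adjusted against reviewer dispositions so that the top of the ranked list stays relevant.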

Page 16

Fraud risk governance

Page 17

Who owns fraud? Having a seat at the table from a governance perspective

Companies are creating plans to address fraud proactively and reactively.

Program cycle: Assess, Communicate, Monitor, Improve

Program elements, from setting the proper tone (proactive) through to response (reactive):

► Code of ethics / tone at the top

► Fraud prevention policies

► Communication and training

► Fraud risk assessment

► Controls monitoring

► Fraud response plan

Functions with a seat at the table: Internal audit, General counsel, Audit committee, IT, HR, Controllers group, Executive management, Compliance, Security

Proactive and reactive response to fraud

Page 18

Why people commit fraud: the fraud triangle (Cressey’s “fraud triangle”)

The three sides of the triangle are Pressure, Opportunity and Rationalization; internal controls act on the Opportunity side.

Pressure (internal and external):

• Layoffs and salary cuts create personal financial hardship

• Tight credit environment

• Stock prices are unstable

• Increased regulatory focus

Opportunity to commit fraud:

• Budgets are decreasing; companies and organizations are doing more with less

• Companies are decentralized, with inconsistent internal controls

• Large projects and acquisitions increase risks of costs not being noticed

• Lack of infrastructure and controls in locations

• Companies are downsizing, impacting internal controls

Rationalization:

• Stressed and disgruntled employees may have greater ability to rationalize improper actions

• Dissatisfaction with compensation compared to peers and supervisors

Page 19

Fraud tree: Need to consider all three categories (new website coming)

Asset Misappropriation (traditional focus of internal auditors and SOX compliance):

• Cash larceny

• Theft of other assets – inventory/AR/fixed assets

• Fake vendor

• Payroll fraud

• T&E fraud

• Theft of data (incl. cyber)

Fraudulent Statements (traditional focus of external auditors):

• Revenue recognition

• Reserves

• Non-financial

Corruption (traditional focus of compliance and legal):

• Conflicts of interest

• Bribery/Corruption/FCPA

• Illegal gratuities

• Bid-rigging/Procurement

Page 20

Frequent compliance analytics risk areas, particularly in emerging markets

• Meals & entertainment

• Marketing & events

• CRM and sales

• Employee payroll

• Sales, distributor & margin analysis

• Capital projects

• Accounting reserves

• Vendor payments / AP

• Inventory

• 3rd party due diligence & watchlist, shell companies

• Charity & donations

Emerging monitoring activities may include:

• Social media monitoring

• Advanced email monitoring

• Mobile devices

• Information security / insider threat

Page 21

Analytics use cases

Page 22

Big data techniques to counter fraud

► Multiple data sources – structured and unstructured

► Data visualization

► Text analytics

► Payment/transaction risk scoring

► Predictive modeling – technology assisted monitoring

► Case management, issue coding and built in workflow

► Flexible deployment models

Page 23

Dashboard examples

Plan and build tests for:

✓ Payment risk scoring

✓ Vendor risk scoring

✓ High risk transactions

✓ Revenue recognition or sales commissions

✓ Conflicts of interest

Additional tests for enhanced reviews:

✓ Inventory management

✓ Salaries & payroll

✓ Employee travel & entertainment

✓ FCPA/UKBA (corruption risks)

✓ Selected compliance topics

Interactive dashboards in the hands of the business users

Page 24

Risk ranking

Page 25

Data visualization: Accounts payable monitoring, high risk payment descriptions

Page 26

Forensic data analytics framework: an integrated platform, from a workflow and monitoring perspective

Data inputs (structured and unstructured), fed into a big data processing platform:

• Financial accounting data

• Master & reference data

• Internal risk elements

• External, social media data

Monitoring & detection tools:

• Library of counter fraud tests

• Text mining & advanced search

• Statistical & predictive

• Pattern matching

• Visualization & risk ranking

Investigation tools:

• Triage, stop payment and/or sample audit selection

• Case manager, task delegation and data refresh / scripting automation

• Watson / Cognitive

• Investigative mindset

Repeat the process: continuous auditing by Audit, Shared Services, Compliance

Page 27

Current challenge: legacy surveillance & anti-fraud tools are falling short

► Legacy surveillance technologies suffer from over-reliance on rule-based triggers, ranging from simple if-then statements to basic “keyword” searches on text fields and electronic communications, both of which can be easily circumvented (a keyword rule on the raw field misses a misspelt, obfuscated or split-up term).

► The approach described above results in increasing volumes of surveillance alerts and false positives, while real threats get buried and go undetected.

► A tool, in and of itself, will never be effective without the support of the right team with the right skill sets.

Page 28

Five success factors in deploying forensic data analytics

1. Focus on the low-hanging fruit; the priority of the first project matters

2. Go beyond traditional “rules-based” tests; incorporate big data thinking

3. Communicate: share information on early successes across departments / business units to gain broad support

4. Leadership gets it funded, but interpretation of the results by experienced or trained professionals makes the program successful

5. Enterprise-wide deployment takes time; don’t expect overnight adoption

Page 29

Thank you

Vincent Walden, Partner, EY Fraud Investigation & Dispute Services, [email protected]

EY | Assurance | Tax | Transactions | Advisory

About EY

EY is a global leader in assurance, tax, transaction and advisory services. The insights and quality services we deliver help build trust and confidence in the capital markets and in economies the world over. We develop outstanding leaders who team to deliver on our promises to all of our stakeholders. In so doing, we play a critical role in building a better working world for our people, for our clients and for our communities.

EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information about our organization, please visit ey.com. Ernst & Young LLP is a client-serving member firm of Ernst & Young Global Limited operating in the US.

Ernst & Young LLP, an equal opportunity employer, values the diversity of our work force and the knowledge of our people.

© 2016 Ernst & Young LLP. All Rights Reserved.

EY is committed to reducing its impact on the environment. This document was printed using recycled paper and vegetable-based ink.

This material has been prepared for general informational purposes only and is not intended to be relied upon as accounting, tax, or other professional advice. Please refer to your advisors for specific advice.

ey.com