Using analytics to your advantage – interpretations from COSO's
TRANSCRIPT
Topics for discussion
► About the new COSO Fraud Risk Guidance to Principle #8
► Mapping COSO to fraud risks and analytics examples
► Fraud risk governance
► Analytics use case examples
About the new COSO Guidance
► Stems from 2013 Internal Controls Framework
► Specifically addresses Principle #8 – Fraud Risk Assessment
► Incorporates previous ACFE / IIA / AICPA publication on “Managing the Business Risk of Fraud”
► Released September 2016
► Maps to the 17 COSO Internal Controls Principles set forth in the 2013 Framework
► Increased focus on data analytics
► Scope is broader than just doing “fraud risk assessments”
More than just a fraud risk assessment
Guide includes guidance on establishing an overall fraud risk management program including:
► Establishing fraud risk governance policies
► Performing a fraud risk assessment
► Designing and deploying fraud prevention and detection control activities
► Conducting investigations
► Monitoring activities
ROI considerations (2016 ACFE Report to the Nations)
Companies without data monitoring/analytics in place suffered a median loss per incident of $200k vs. $92k with data analytics in place. 20 investigations per year x $102k = $2.16M in savings per year.
An integrated platform for anti-fraud monitoring and response
Lifecycle stages: Detect, Investigate, Respond, Discover
► Visualization: Detect fraud risks within a business process, taking a risk-based approach
► Case Management: Assign tasks, flag transactions and delegate projects for review
► Statistical: Apply predictive modeling and anomaly detection to surface hidden risks or new patterns
► Pattern & Link: Uncover hidden relationships or conflicts of interest
COSO 2013 Internal Controls Framework: Principles 1 through 5 (Control Environment)
COSO Framework Principles:
1. The organization demonstrates a commitment to integrity and ethical values.
2. The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.
3. Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.
4. The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.
5. The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives.
Fraud Risk Management Principle:
1. The organization establishes and communicates a fraud risk management program that demonstrates the expectations of the board of directors and senior management and their commitment to high integrity and ethical values regarding managing fraud risk.
Analytic Considerations:
• Executive reporting
• Interactive dashboards
• Targeted analysis around metrics, compliance and ratios
COSO Framework Principles 6 through 9 (Risk Assessment)
COSO Framework Principles:
6. The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.
7. The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.
8. The organization considers the potential for fraud in assessing risks to the achievement of objectives.
9. The organization identifies and assesses changes that could significantly impact the system of internal control.
Fraud Risk Management Principle:
2. The organization performs comprehensive fraud risk assessments to identify specific fraud schemes and risks, assess their likelihood and significance, evaluate existing fraud control activities, and implement actions to mitigate residual fraud risks.
Analytic Considerations:
• Surveys & heat maps
• Media scans and external sources such as industry news
• Complaints database
COSO Framework Principles 10 through 12 (Control Activities)
COSO Framework Principles:
10. The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.
11. The organization selects and develops general control activities over technology to support the achievement of objectives.
12. The organization deploys control activities through policies that establish what is expected and procedures that put policies into action.
Fraud Risk Management Principle:
3. The organization selects, develops, and deploys preventive and detective fraud control activities to mitigate the risk of fraud events occurring or not being detected in a timely manner.
Analytic Considerations:
• ABAC analytics
• P2P, O2C, T&E, CRM analysis
• General ledger transaction analysis
http://www.ey.com/PZ/en/Home/EYCounterFraudManagementDemo
COSO Framework Principles 13 through 15 (Information & Communication)
COSO Framework Principles:
13. The organization obtains or generates and uses relevant, quality information to support the functioning of other components of internal control.
14. The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.
15. The organization communicates with external parties regarding matters affecting the functioning of other components of internal control.
Fraud Risk Management Principle:
4. The organization establishes a communication process to obtain information about potential fraud and deploys a coordinated approach to investigation and corrective action to address fraud appropriately and in a timely manner.
Analytic Considerations:
• Case management
• Escalation and triage
• Review workflow management
COSO Framework Principles 16 & 17 (Monitoring Activities)
COSO Framework Principles:
16. The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.
17. The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.
Fraud Risk Management Principle:
5. The organization selects, develops, and performs ongoing evaluations to ascertain whether each of the five principles of fraud risk management is present and functioning and communicates fraud risk management program deficiencies in a timely manner to parties responsible for taking corrective action, including senior management and the board of directors.
Analytic Considerations:
• Investigative procedures
• Deep dive analysis
• Email and communications review
Graphic 1: Forensic Data Analytics Process used in COSO guidance
Phases: Analytics Design → Data Collection → Data Organization & Calculations → Data Analysis → Findings, Observations & Remediation
Activities across the phases, in sequence:
• Identify risks based on industry & company-specific knowledge
• Map risks to appropriate data sources and assess availability
• Develop work plan and define analytics and procedures
• Define engagement timeline and deliverables
• Work with information technology personnel to map identified tests to relevant data sources
• Assess data integrity and completeness
• Extract, transform / normalize and load data into the analytics platform
• Validate that data has been loaded completely and accurately
• Execute on the analytics work plan
• Modify analytics as appropriate based on data received, data quality and user feedback
• Consider integrating advanced analytics procedures such as text mining, statistical analysis and pattern / link analysis
• Evaluate initial analytics results
• If possible, develop scoring model and prioritize transactions or entities based on multiple risk attributes
• Tune the model as needed to refine results for relevancy
• Request supporting documents and/or validate as available
• Determine sample selections, or triage/escalation procedures
• Develop remediation and/or investigative plan
• Escalate findings as appropriate and track dispositions
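The "assess data integrity and completeness" and "validate that data has been loaded completely and accurately" steps of the process above are usually implemented as a control-total reconciliation between the extract IT hands over and the table that ends up in the analytics platform: record counts, a hash total of the amount field and a key-by-key comparison. The Python below is an added example written for this page; it is not code from the COSO guidance or from EY. The payment records, the field names (payment_id, vendor_id, amount) and the two planted load defects are constructed.

```python
from collections import Counter
from decimal import Decimal

# Constructed sample data (not from the page): the ERP payment extract as
# received from IT, and the same payments after loading into the analytics
# platform. Two defects are planted: P-1002 lost its cents on load and
# P-1004 never arrived.
SOURCE_EXTRACT = [
    {"payment_id": "P-1001", "vendor_id": "V-07", "amount": Decimal("1250.00")},
    {"payment_id": "P-1002", "vendor_id": "V-12", "amount": Decimal("8400.50")},
    {"payment_id": "P-1003", "vendor_id": "V-07", "amount": Decimal("99.99")},
    {"payment_id": "P-1004", "vendor_id": "V-31", "amount": Decimal("15000.00")},
]
LOADED_TABLE = [
    {"payment_id": "P-1001", "vendor_id": "V-07", "amount": Decimal("1250.00")},
    {"payment_id": "P-1002", "vendor_id": "V-12", "amount": Decimal("8400.00")},
    {"payment_id": "P-1003", "vendor_id": "V-07", "amount": Decimal("99.99")},
]


def control_totals(records, key="payment_id", amount="amount"):
    """Summary figures that both sides of a load should agree on."""
    keys = [r.get(key) for r in records]
    return {
        "record_count": len(records),
        # Decimal, never float, for money: the hash total must be exact.
        "hash_total": sum((r[amount] for r in records), Decimal("0")),
        "distinct_keys": len(set(keys)),
        "duplicate_keys": sorted(k for k, n in Counter(keys).items() if n > 1),
        "null_keys": sum(1 for k in keys if k in (None, "")),
    }


def reconcile(source, loaded, key="payment_id", amount="amount"):
    """Return human-readable discrepancies; an empty list means the load is complete and accurate."""
    src = control_totals(source, key, amount)
    lod = control_totals(loaded, key, amount)
    findings = []
    if src["record_count"] != lod["record_count"]:
        findings.append(f"record count: source {src['record_count']}, loaded {lod['record_count']}")
    if src["hash_total"] != lod["hash_total"]:
        findings.append(f"hash total: source {src['hash_total']}, loaded {lod['hash_total']}")
    if lod["duplicate_keys"]:
        findings.append(f"duplicate keys in load: {lod['duplicate_keys']}")
    if lod["null_keys"]:
        findings.append(f"{lod['null_keys']} loaded record(s) with empty {key}")
    # Row-level checks locate what the totals only hint at.
    src_by_key = {r[key]: r for r in source}
    lod_by_key = {r[key]: r for r in loaded}
    for k in sorted(src_by_key.keys() - lod_by_key.keys()):
        findings.append(f"missing in load: {k}")
    for k in sorted(lod_by_key.keys() - src_by_key.keys()):
        findings.append(f"unexpected in load: {k}")
    for k in sorted(src_by_key.keys() & lod_by_key.keys()):
        if src_by_key[k][amount] != lod_by_key[k][amount]:
            findings.append(
                f"amount mismatch {k}: source {src_by_key[k][amount]}, loaded {lod_by_key[k][amount]}"
            )
    return findings


if __name__ == "__main__":
    for finding in reconcile(SOURCE_EXTRACT, LOADED_TABLE):
        print(finding)
```

The totals are computed independently on each side, so the same function can be run against the source system by IT and against the platform by the analytics team and the two result sets compared; a clean reconciliation is the evidence that the later scoring runs on the population the risk assessment intended.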
Who owns fraud? Having a seat at the table from a governance perspective
Companies are creating plans to address fraud proactively and reactively, setting the proper tone.
Cycle: Assess → Improve → Monitor → Communicate
Program elements:
• Code of ethics / tone at the top
• Fraud prevention policies
• Communication and training
• Fraud risk assessment
• Controls monitoring
• Fraud response plan
Functions with a seat at the table:
• Internal audit
• General counsel
• Audit committee
• IT
• HR
• Controllers group
• Executive mgmt
• Compliance
• Security
Proactive and reactive response to fraud
Why people commit fraud: the fraud triangle (Cressey’s “fraud triangle”)
The three legs are Pressure, Opportunity and Rationalization; the factors shown around each leg:
Pressure (internal and external):
• Layoffs and salary cuts create personal financial hardship
• Tight credit environment
• Stock prices are unstable
• Dissatisfaction with compensation compared to peers and supervisors
• Budgets are decreasing; companies and organizations are doing more with less
• More regulatory focus increased
Opportunity to commit fraud (internal controls):
• Companies are decentralized, with inconsistent internal controls
• Large projects and acquisitions increase risks of costs not being noticed
• Lack of infrastructure and controls in locations
• Companies are downsizing, impacting internal controls
Rationalization:
• Stressed and disgruntled employees may have greater ability to rationalize improper actions
Fraud tree: Need to consider all three categories
New website coming:
Fraud Tree
Corruption (traditional focus of compliance and legal):
• Conflicts of Interest
• Bribery / Corruption / FCPA
• Illegal Gratuities
• Bid-Rigging / Procurement
Asset Misappropriation (traditional focus of internal auditors and SOX compliance):
• Cash Larceny
• Theft of Other Assets – Inventory / AR / Fixed Assets
• Fake Vendor
• Payroll Fraud
• T&E Fraud
• Theft of Data (incl. cyber)
Fraudulent Statements (traditional focus of external auditors):
• Revenue Recognition
• Reserves
• Non-Financial
Frequent compliance analytics risk areas, particularly in emerging markets
• Vendor Payments / AP
• Meals & Entertainment
• Marketing & Events
• CRM and Sales
• Employee Payroll
• Sales, Distributor & Margin Analysis
• Capital Projects
• Accounting Reserves
• Inventory
• 3rd Party Due Diligence & Watchlist, Shell Companies
• Charity & Donations
• Information Security / Insider Threat
Emerging monitoring activities may include…
• Social Media Monitoring
• Advanced Email Monitoring
• Mobile Devices
Big data techniques to counter fraud
► Multiple data sources – structured and unstructured
► Data visualization
► Text analytics
► Payment/transaction risk scoring
► Predictive modeling – technology assisted monitoring
► Case management, issue coding and built-in workflow
► Flexible deployment models
Dashboard examples
Plan and build tests for:
► Payment risk scoring
► Vendor risk scoring
► High risk transactions
► Revenue recognition or sales commissions
► Conflicts of interests
Additional tests for enhanced reviews:
► Inventory management
► Salaries & payroll
► Employee travel & entertainment
► FCPA/UKBA (corruption risks)
► Selected compliance topics
Interactive dashboards in the hands of the business users
Forensic data analytics framework: an integrated platform, from a workflow and monitoring perspective
Data sources:
• Financial accounting data
• Master & reference data
• Internal risk elements
• External, social media data
Big data processing platform (structured and unstructured), with:
• Library of counter fraud tests
• Text mining & advanced search
• Statistical & predictive
• Pattern matching
• Watson / Cognitive
Monitoring & detection tools: visualization & risk ranking; triage, stop payment and/or sample audit selection
Investigation tools: case manager, task delegation and data refresh / scripting automation
Repeat the process: continuous auditing (Audit, Shared Services, Compliance) with an investigative mindset
Current challenge - Legacy surveillance & anti-fraud tools are falling short
► Legacy surveillance technologies suffer from overreliance on rule-based triggers, ranging from simple if-then statements to basic “keyword” searches on text fields and electronic communications…both of which can be easily circumvented.
► The approach described above results in increasing volumes of surveillance alerts and false positives, while real threats get buried and go undetected.
► A tool, in and of itself, will never be effective without the support of the right team with the right skill sets.
Five success factors in deploying forensic data analytics
1. Focus on the low hanging fruit; the priority of the first project matters
2. Go beyond traditional “rules-based” tests – incorporate big data thinking
3. Communicate: share information on early successes across departments / business units to gain broad support
4. Leadership gets it funded, but interpretation of the results by experienced or trained professionals makes the program successful
5. Enterprise-wide deployment takes time; don’t expect overnight adoption
EY | Assurance | Tax | Transactions | Advisory
About EY
EY is a global leader in assurance, tax, transaction and advisory services. The insights and quality services we deliver help build trust and confidence in the capital markets and in economies the world over. We develop outstanding leaders who team to deliver on our promises to all of our stakeholders. In so doing, we play a critical role in building a better working world for our people, for our clients and for our communities.
EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information about our organization, please visit ey.com. Ernst & Young LLP is a client-serving member firm of Ernst & Young Global Limited operating in the US.
Ernst & Young LLP, an equal opportunity employer, values the diversity of our work force and the knowledge of our people.
© 2016 Ernst & Young LLP. All Rights Reserved.
1603-1886034
ED None
EY is committed to reducing its impact on the environment. This document was printed using recycled paper and vegetable-based ink.
This material has been prepared for general informational purposes only and is not intended to be relied upon as accounting, tax, or other professional advice. Please refer to your advisors for specific advice.
ey.com