of Fraud - Association of Certified Fraud Examiners

Taking Fraud Risk Management to the Next Level
Daniel Williams
CGA, CFE, CIA, CISA, CAMS, PMP
October 28, 2012
Topics
1. Introduction
2. The Prevalence of Fraud
3. The Impact of Fraud
4. Managing Fraud Risk
5. Performing a Fraud Risk Assessment
6. Evaluating & Enhancing a Fraud Management Program
7. Leveraging the Whistleblower Program
8. Effective Response Protocols
© Deloitte & Touche LLP and affiliated entities.
Introduction
Objectives
1. Walk through how to build an effective fraud risk management program and
identify some of the key elements that are often missing or inadequate
2. Show how the effectiveness of key fraud response protocols will help to
minimize the damage to an organization should an incident occur
The Prevalence of Fraud
“The average fraud scheme lasted 24 months before it was detected”
“A typical organization loses a staggering 6% of its annual revenue to occupational fraud”
“The average organization loses more than $9 a day per employee to fraud and abuse”
“Fraud cases are estimated to have a median loss of $175,000 per incident”
“Public sector fraud cases are estimated to have a median loss of $100,000 per incident”
“Approximately 46% of fraud cases were detected by tips from employees, customers, vendors, etc.”
“The implementation of anti-fraud controls appears to have measurable impact on the organization’s exposure to fraud.”
“Lack of adequate internal control was cited by 35% of respondents as a factor that allowed fraud to occur.”
- ACFE; 2010 Report to the Nation on Occupational Fraud and Abuse
The Impact of Fraud
• Financial losses to the organization
• Financial losses to stakeholders
• Civil litigation
• Regulatory fines
• Criminal litigation and prosecution
• Diversion of executive attention and organization resources
• Expensive compliance and/or monitoring programs
• Expensive investigation fees
• Reputation damage including:
  – Loss of public trust
  – Negative public perception
  – Greater scrutiny from public advocates and leadership
  – Negative media attention
The Impact of Fraud - Reputation Risk
Reputation risk is the risk of loss of brand image or of stakeholders’ support such that the organization will be unable to operate at its full capacity.
It is the risk of losing the ability to compete, due to perceptions that the organization does not deal fairly with its stakeholders or does not know how to manage its business; furthermore, it is the risk of a decline in stakeholders’ confidence that may impair the organization’s ability to retain support in the community and to efficiently raise capital.
Managing Fraud Risk
Managing the Risk of Fraud
Fraud is predictable and manageable; however, only through diligent and ongoing effort can an organization protect itself against acts of fraud.
• The IIA (jointly with the AICPA and the ACFE, in Managing the Business Risk of Fraud: A Practical Guide) set out five key principles for proactively establishing a Fraud Risk Management Program to effectively manage an organization’s fraud risk:
1. As part of an organization’s governance structure, a fraud risk management program should be in place, including a written policy to convey the expectations of the board of directors and senior management regarding fraud risk;
2. Fraud risk exposure should be assessed periodically by the organization to identify specific potential fraud schemes and events that the organization must mitigate;
3. Prevention techniques to avoid potential key fraud risk events should be established, where feasible, to mitigate possible impacts on the organization;
4. Detection techniques should be established to uncover fraud events when preventive measures fail or unmitigated risks are realized;
5. A reporting process should be in place to solicit input on potential fraud, and a coordinated approach to investigation and corrective action should be used to help ensure potential fraud is addressed appropriately and in a timely manner.
What is Motivating Organizations to Develop a Comprehensive and Holistic Fraud Management Strategy (what are the drivers?)
Each driver below feeds both Fraud Risk and Brand Risk:
Stakeholder Confidence
• Stakeholders are becoming increasingly aware of fraud risk
• Organizations that are perceived as being vulnerable to fraud can lose stakeholder confidence and ultimately suffer business losses
Fraud Loss
• Loss from reimbursing stakeholders for losses incurred
• Loss from incident response, investigation and recovery efforts
• Loss from diversion of resources in response to fraud
Globalization
• Geographical expansion and changes in customer demography introduce new threat factors requiring businesses to prepare and respond to emerging fraud risks
Changing Business Model
• Ongoing modifications to services, products and infrastructure expose the organization to new threats that need to be considered
Advances in Technology
• With fraudsters using sophisticated technology, organizations must continually enhance and refine controls
• Technology tends to make fraud risk more pervasive and can impact a number of areas of operations
Applying the COSO Framework
The five COSO components map onto the Fraud Risk Management Program (FRMP) as follows:
Creating a Control Environment
• Tone at the top
• Code of conduct/ethics
• Whistleblower hotline
• Investigation process
Performing Fraud Risk Assessments
• Identify fraud risk factors, fraud risks and fraud schemes
Designing and Implementing Antifraud Control Activities
• Link/map identified fraud risks to control activities
Sharing Information and Communication
• Effective communication of antifraud programs and controls throughout the organization
Monitoring Activities
• Monitoring effectiveness of antifraud programs and controls
Effective Fraud Risk Management Program
Elements of an Effective Fraud Risk Management Program
Prevention
• Good governance
• Code of conduct and related standards
• Fraud and misconduct risk assessment
• Employee and third party due diligence
• Communication and training
• Process-specific fraud risk controls
Detection
• Hotlines and whistleblower mechanisms
• Auditing and monitoring
• Proactive data analysis
• Quality assurance
Response
• Timely and consistent response mechanisms
• Comprehensive internal investigation protocols
• Comprehensive enforcement and accountability protocols
• Disclosure protocols
• Remedial action protocols
Deterrence
Completing a Fraud Risk Assessment
Step 1 – Define Fraud as it Relates to Your Organization
The first step in developing any fraud risk management program is to
define fraud as it relates to your organization.
As simple as this may seem, it is crucial that a firm definition is developed
and applied consistently throughout the organization including:
– Any and all communications to staff;
– When developing a fraud risk assessment to determine if specific scenarios that can be
executed are, in fact, fraudulent;
– When developing and publishing policies and procedures (including the code of
conduct and the fraud risk management charter); and
– When developing and facilitating fraud awareness training.
Definition(s) of Fraud
“Fraud is criminal deception intended to financially benefit the deceiver”
- The Accountant’s Handbook of Fraud and Commercial Crime (CICA)
“Fraud is a generic term, embracing all multifarious means which human ingenuity can devise, and which are resorted to by one individual to get an advantage over another by false suggestions or suppressions of truth, and unfair way by which another is cheated”
- Black’s Law Dictionary
“Fraud is any act of deception carried out for the purpose of unfair, undeserved and/or unlawful gain, either valuable financially or comprising a legal right”
- Wikipedia
“Fraud is any act of wrongdoing where the organization is knowingly misled for personal (or third party) gain”
- Deloitte
Step 2 – Determine Your Approach for Identifying Risks
Fraud risk identification includes:
• Gathering external information from regulatory bodies, industry sources, key guidance
setting groups (such as COSO), and professional bodies/service providers; and
• Consulting internal sources including:
– Examining the incentives, pressures and opportunities to commit fraud specifically within your
organization (i.e. – performance metrics, incentive programs, etc.);
– Reviewing past whistleblower complaints;
– Reviewing external audit management letters that identify issues pertaining to flaws in processes,
procedures or controls;
– Reviewing any fraudulent acts that may have occurred in the past;
– Reviewing incident reports and other analytical reports on errors, customer complaints, vendor
complaints, employee feedback, etc.; and
– Collaborating with employees across the organization to identify specific fraud scenarios that could
occur as well as weaknesses in the processes that would allow fraud to occur.
Engaging Employees to Identify Fraud Risk Scenarios
Employee Engagement Method | Time Required | [second rating column; header not recovered] | Fraud Scenarios Identified | Pros | Cons
Surveys/Questionnaires issued to employees | Minimal | Minimal | Generic | Minimal impact on resources and little effort required. | There is a risk that you will not receive open and honest responses from
Interviews with the Board and Executive | Minimal | Moderate | Generic | Minimal impact on resources and little effort required. | Board members may not have a strong understanding of day to day operations.
Interviews with Management | Moderate | Moderate | High Level | Minimal impact on resources and little effort required. | Management may not have insight into specific weaknesses within the process.
Workshops with Employees (recommended) | High | Significant | Detailed | Detailed fraud scenarios are identified. Opportunity to educate employees. | Significant impact on resources and significant effort required.
Collaboration with a Project Team (recommended) | High | Significant | Detailed | Project team members provide valuable input and can be advocates for remediation strategies. | Moderate impact on resources and significant effort required.
Step 3 – Identify Fraud Risk Scenarios
Fraud risk assessments differ somewhat from the more conventional methods used to assess risk in that they are scheme/scenario-based. This requires experienced personnel who are familiar with the more common fraud schemes impacting today's organizations.
Fraud, by definition, entails intentional misconduct designed to evade detection. As such, those performing a fraud risk assessment should engage in strategic reasoning to anticipate the behavior of a potential fraud perpetrator. In essence, you need to think like a criminal.
Fraud scenarios are initially identified and assessed on the basis of inherent risk, that is, assuming the absence of controls.
It is difficult to take a “one-size-fits-all” approach by obtaining a list of generic fraud risks and using it as the fraud risk assessment: a boilerplate listing will most likely not include all fraud opportunities inherent to your organization.
Step 4.a – Determine Likelihood Assessment Criteria
• The Likelihood that an event will occur is based on inherent factors such as:
– Access to assets by an individual
– Level of trust placed in an individual
– How difficult it is to commit the act without involving others
• Likelihood assessment criteria:
– High – a significant opportunity that can be executed by just one person
– Moderate – requires collusion with others and/or an activity outside of normal operational processes/procedures
– Low – many people are involved, increasing the chance of being detected, and an audit trail is available for review by others
Step 4.b – Determine Consequence Assessment Criteria
• The Consequence of an event occurring is derived from two key factors:
– Qualitative (relating to reputation risk)
– Quantitative (relating to a specific dollar amount lost due to the fraud occurring)
• Consequence assessment criteria:
– High – significant loss of public trust and/or a high dollar value (e.g., $200,000)
– Moderate – moderate public reaction and/or a moderate dollar value (e.g., $30,000)
– Low – little to no public reaction and/or a low dollar value (e.g., $5,000)
Step 5 – Map Existing Controls to Fraud Schemes
Once all fraud risk scenarios have been identified, the next step is to link
each risk to relevant internal controls that can mitigate each risk to an
acceptable level.
It is important to identify and leverage existing controls to determine if
they are designed effectively to actually prevent or detect fraud.
This can be a value-added activity:
– The mapping exercise provides Management with a gap analysis that will identify
residual fraud risks – risks that remain outside the organization’s tolerable range.
– A gap analysis will also identify inefficiencies/ineffectiveness in internal controls.
– The assessment may identify a misallocation of resources and/or redundancies in internal controls.
Step 6.a – Assess Internal Controls
• How effective is the control in mitigating the risk of fraud?
• Has the control been designed effectively, not just in principle but in practice?
• Objective-based versus activity-based controls.
Step 6.b – Assess the Control Environment
• This is not your typical control environment assessment.
• The assessment needs to consider:
– The maturity of the control environment as it relates to the sophistication, size and
scope of the organization;
– How effective the control environment is in preventing fraud; and
– How effective the control environment is in communicating appropriate standards of
conduct. It is not sufficient to say that management is communicating the right
message; rather we need to confirm that employees are actually receiving and
appreciating that message.
• The assessment includes:
– Reviewing documentation
– Enquiries of Management and employees
– Direct observation
Step 7 – Determine Residual Risk and Response
The final step is to determine what the acceptable level of risk for the
organization is and work towards addressing each fraud scenario that exceeds
the organization’s risk tolerance.
A detailed fraud risk assessment will help identify areas where residual risk may
not be appropriate and prioritize areas that require immediate attention.
The fraud risk assessment may also identify critical areas that were so highly
exposed to undue risk that it would require investigation of past transactions to
determine if inappropriate activity had taken place.
Finally, the fraud risk assessment will allow an organization to consider
necessary remediation strategies for each risk identified:
– Revise the existing process to reduce the inherent risk;
– Accept or increase the tolerated risk level based on the organization’s operating model;
– Reduce residual risk through increased control effectiveness.
Fraud Risk Assessment Template - SAMPLE
Fraud Risk Scenario | Likelihood Assessment | Consequence Assessment | Inherent Risk | Internal Controls | Residual Risk
The CFO directs employees to hold the books open after year end to accrue additional revenues. | M | M | M | A.1, A.2, B.3 | L
The inventory manager misappropriates inventory and then makes an adjustment to the GL to cover up the theft. | L | L | L | C.6 | L
A supervisor colludes with another employee by authorizing fraudulent overtime claims. | H | H | H | C.6, D.1 | M
Ghost employees are added to the payroll by the HR Manager. | H | L | M | N/A | M
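The ranking logic behind Steps 4 through 7 and the sample template, written out as an added example (this is not code from the original Deloitte deck). It turns the Step 4.a likelihood criteria and the Step 4.b consequence criteria into functions, combines them into an inherent rating, credits only controls assessed as effective in practice (Step 6.a), and lists the scenarios whose residual risk exceeds the tolerance (Step 7). The 3x3 combination matrix, the dollar thresholds and the rule that an effective control set lowers the rating by one level are assumptions chosen so that the four template rows come out as the slide shows them; the scenario ratings themselves are the slide's.

```python
"""Fraud risk ranking model for the assessment steps above.

Added example, not code from the original deck. The INHERENT matrix, the
QUANT_THRESHOLDS and the one-level residual reduction are assumptions that
reproduce the four sample template rows; tune them to your own tolerance.
"""
from dataclasses import dataclass, field

LEVELS = ("L", "M", "H")  # ordinal scale used on the template

# Assumed likelihood x consequence -> inherent risk matrix.
INHERENT = {
    ("L", "L"): "L", ("L", "M"): "L", ("L", "H"): "M",
    ("M", "L"): "L", ("M", "M"): "M", ("M", "H"): "H",
    ("H", "L"): "M", ("H", "M"): "H", ("H", "H"): "H",
}

# Assumed dollar floors for each level, built from the slide's example values.
QUANT_THRESHOLDS = (("H", 200_000), ("M", 30_000))


def likelihood(actors_required: int, outside_normal_process: bool,
               audit_trail_reviewed: bool) -> str:
    """Step 4.a: High when one person can execute the scheme; Low when many
    people are involved and an audit trail is reviewed by others; otherwise
    Moderate (collusion and/or activity outside normal procedures)."""
    if actors_required <= 1:
        return "H"
    if actors_required >= 3 and audit_trail_reviewed and not outside_normal_process:
        return "L"
    return "M"


def consequence(dollar_loss: int, reputational: str) -> str:
    """Step 4.b: the criteria are joined by 'and/or', so take the higher of
    the quantitative (dollar) and qualitative (reputation) ratings."""
    quant = "L"
    for level, floor in QUANT_THRESHOLDS:
        if dollar_loss >= floor:
            quant = level
            break
    return max(quant, reputational, key=LEVELS.index)


@dataclass
class Scenario:
    name: str
    likelihood: str
    consequence: str
    # (control id, assessed effective in practice?) pairs, per Step 6.a
    controls: list[tuple[str, bool]] = field(default_factory=list)

    @property
    def inherent(self) -> str:
        return INHERENT[(self.likelihood, self.consequence)]

    @property
    def residual(self) -> str:
        # Assumption: at least one effective control lowers the rating one
        # level; a control that fails in practice earns no credit at all.
        if any(effective for _, effective in self.controls):
            return LEVELS[max(0, LEVELS.index(self.inherent) - 1)]
        return self.inherent


def rank(scenarios, tolerance: str = "L"):
    """Step 7: scenarios whose residual risk exceeds the tolerance, most
    severe first, flagging those so exposed (High inherent risk and no
    effective control) that past transactions should be examined."""
    above = [s for s in scenarios
             if LEVELS.index(s.residual) > LEVELS.index(tolerance)]
    above.sort(key=lambda s: (LEVELS.index(s.residual), LEVELS.index(s.inherent)),
               reverse=True)
    return [{
        "scenario": s.name,
        "inherent": s.inherent,
        "residual": s.residual,
        "investigate_past_transactions":
            s.inherent == "H" and not any(e for _, e in s.controls),
    } for s in above]


# The four rows of the sample template, with the ratings the slide shows.
TEMPLATE = [
    Scenario("CFO holds the books open after year end to accrue revenue",
             "M", "M", [("A.1", True), ("A.2", True), ("B.3", True)]),
    Scenario("Inventory manager misappropriates inventory and adjusts the GL",
             "L", "L", [("C.6", True)]),
    Scenario("Supervisor colludes with an employee on fraudulent overtime",
             "H", "H", [("C.6", True), ("D.1", True)]),
    Scenario("HR Manager adds ghost employees to payroll", "H", "L"),
]

if __name__ == "__main__":
    for row in rank(TEMPLATE):
        print(row)
```

With tolerance L, the overtime collusion and ghost employee scenarios come out above tolerance and the first two rows are accepted; raising the tolerance to M empties the list, which is the Step 7 choice of accepting or increasing the tolerated risk level made explicit. Because residual credit is given only for controls marked effective, flipping a control to `False` after a design review immediately moves its scenario back up the list.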
Additional Benefits
• Identify inefficiencies in operations, processes or controls that also expose the organization to the risk of waste and error.
• Identify redundant internal controls or other risk management practices.
• Find ways to optimize/ enhance existing internal controls (which were initially designed to
support another program) in such a way as to have them also prevent/detect fraud.
• Revise or enhance various organizational process assets (such as the internal audit
charter, code of conduct/ethics and various policies and procedures)
– For example training materials can be enhanced to include information on fraud
awareness. The code of conduct/ethics can also include a fraud policy.
• Leverage and/or align with the organization’s Enterprise Risk Management Framework,
SOX program, anti-corruption/ compliance and ethics program, etc.
Additional Benefits: Example #1 (Procurement Function)
• Through conducting our fraud risk assessment, it was noted that third party suppliers
were sometimes engaged without going through the proper procurement process
• Suppliers were selected and being paid for services:
– Without being recognized as an “approved vendor” by the procurement function;
– Without going out to tender;
– Without undergoing the proper due diligence; and
– Without being formally added to the Accounts Payable system as an approved vendor for payment
• While the intent was not malicious, it did demonstrate that an opportunity to commit fraud
existed. More importantly, it presented several other risk scenarios:
– Suppliers/ services were engaged which are contrary to the organization’s goals/objectives;
– By engaging an alternate Supplier, the organization violated contractual terms/ conditions it had
with existing Suppliers;
– The organization engaged a Supplier that, due to weak/ questionable business practices, exposed
the organization to excessive risk (FCPA);
– An employee committed the organization to an inappropriate contractual arrangement with a
Supplier (i.e., unfavorable terms, inappropriate pricing, etc.)
– These suppliers were being paid outside the normal Accounts Payable process
Benefits: Example #2 (Accounts Payable Process)
• Through conducting our fraud risk assessment, it was noted that the organization’s current Accounts Payable process was inefficient and, due to the high level of inefficiency, exposed the organization to an excessive number of inherent risks.
  – Management was unaware of this until all risks were identified through conducting a proper fraud risk assessment and mapping the risks to the Accounts Payable process flow;
  – Given the current process, the cost of mitigation was too high (there were too many inherent risks that would need to be addressed with control activities);
  – The process was so weak that we were almost certain that fraud, waste or error was already taking place, but it was too costly to address it given the current process.
• The solution was to map all risk scenarios to the business process to find out where they would fall along the process flow.
• We then determined what weaknesses in the process flow contributed to the inherent risks identified.
• We designed a new process flow to address these weaknesses and limit the number of inherent risks found in the revised process.
• Finally, we identified and implemented internal controls to address the remaining inherent risks.
Benefits: Example #2 (Accounts Payable Process)
[Figure: Accounts Payable process flow. Activities 1 to 11 are laid out in swim lanes for Employees 1 to 4, and each activity is shaded as High Risk, Moderate Risk or Low Risk according to the fraud risk scenarios mapped onto it.]
Benefits: Example #2 (Accounts Payable Process)
• We also took this opportunity to design a Segregation of Duties map to help with the reconstruction process.
• The following key duties performed along the process must be separated to ensure that the risk of fraud/error is mitigated and operational efficiencies are achieved through specialization and standardization of activities.
Legend: Y = Accountable for this duty; P = Acceptable to perform this duty; N = Should not be performing this duty.
Roles (matrix columns): Employee, Accounts Payable, Invoice Processing, Department Head, Quality Assurance, Vendor. [The rotated column headers survived extraction only as fragments, so the column order below is as extracted and cannot be matched to the role names with certainty.]
Duty | Col 1 | Col 2 | Col 3 | Col 4 | Col 5 | Col 6
1. REQUISITION (submits invoice, calls in for payment, etc.) | Y | N | N | Y | N | N
2. INVOICE PROCESSING (sets up invoice in system; reviews invoice for completeness, validity and accuracy) | N | Y | N | N | N | N
3. AUTHORIZATION (approves invoice for payment and applies spending authority) | N | N | Y | N | N | N
4. SECONDARY REVIEW (reviews invoice for completeness and accuracy) | N | N | Y | N | N | N
5. TERTIARY REVIEW (reviews invoice for completeness, accuracy and validity) | N | N | N | Y | N | N
6. DISBURSEMENT (issues payment; maintains chain of custody over payments) | N | N | N | N | Y | N
7. QUALITY ASSURANCE (compliance check) | N | N | N | N | N | Y
8. VENDOR MAINTENANCE (updates vendors on changes related to all client account information; monitors vendors for compliance with policies and standards; modifies and maintains vendor master data) | N | N | N | N | Y | P
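A Segregation of Duties map is only useful if it is checked against who actually holds and exercises the duties, so here is a checker over a matrix of this shape, as an added example (not code from the original deck). The eight duties and the Y/P/N legend are the slide's. The role names, the matrix cells and the user-to-role assignments are constructed for illustration, because the slide's column headers did not survive extraction. The check does two things the matrix alone cannot: it flags a user exercising a duty that no role they hold permits, and it flags a single person who has accumulated two legitimate roles spanning two separated stages of the process.

```python
"""Segregation-of-duties check over an Accounts Payable duty matrix.

Added example, not code from the original deck. Duties and legend follow the
slide; roles, matrix cells and users below are constructed for illustration.
"""
from itertools import combinations

DUTIES = (
    "REQUISITION", "INVOICE_PROCESSING", "AUTHORIZATION", "SECONDARY_REVIEW",
    "TERTIARY_REVIEW", "DISBURSEMENT", "QUALITY_ASSURANCE", "VENDOR_MAINTENANCE",
)

# Constructed matrix. Y = accountable, P = acceptable; a duty absent from a
# role's row is an N cell (should not be performing this duty).
MATRIX = {
    "Employee":            {"REQUISITION": "Y"},
    "Vendor":              {"REQUISITION": "Y"},
    "AP Clerk":            {"INVOICE_PROCESSING": "Y"},
    "Department Head":     {"AUTHORIZATION": "Y", "SECONDARY_REVIEW": "Y"},
    "AP Supervisor":       {"TERTIARY_REVIEW": "Y"},
    "Treasury":            {"DISBURSEMENT": "Y"},
    "Vendor Master Admin": {"VENDOR_MAINTENANCE": "Y"},
    "Quality Assurance":   {"QUALITY_ASSURANCE": "Y", "VENDOR_MAINTENANCE": "P"},
}


def permitted(role: str) -> set[str]:
    """Duties a role may perform (Y or P cells)."""
    return {d for d, cell in MATRIX[role].items() if cell in ("Y", "P")}


def unauthorized_duties(user: dict) -> list[str]:
    """Duties the user actually exercised that no role they hold permits."""
    allowed = set().union(*(permitted(r) for r in user["roles"]))
    return sorted(set(user["exercised"]) - allowed)


def sod_conflicts(user: dict) -> list[tuple[str, str]]:
    """Pairs of exercised duties that the matrix design never lets one role
    hold together. This catches a person who legitimately holds two roles
    that together span two stages, which the per-role check above misses."""
    conflicts = []
    for d1, d2 in combinations(sorted(set(user["exercised"])), 2):
        if not any({d1, d2} <= permitted(r) for r in MATRIX):
            conflicts.append((d1, d2))
    return conflicts


def report(users: dict) -> dict:
    """name -> findings, for users with at least one finding."""
    out = {}
    for name, user in users.items():
        findings = {"unauthorized": unauthorized_duties(user),
                    "conflicts": sod_conflicts(user)}
        if findings["unauthorized"] or findings["conflicts"]:
            out[name] = findings
    return out


# Constructed sample: roles granted in the AP system and duties observed in
# its audit trail. carol holds two clean roles whose union is toxic; dave
# approved an invoice his role never permits; erin's P cell is respected.
USERS = {
    "alice": {"roles": ["AP Clerk"], "exercised": ["INVOICE_PROCESSING"]},
    "bob":   {"roles": ["Department Head"],
              "exercised": ["AUTHORIZATION", "SECONDARY_REVIEW"]},
    "carol": {"roles": ["AP Clerk", "Treasury"],
              "exercised": ["INVOICE_PROCESSING", "DISBURSEMENT"]},
    "dave":  {"roles": ["Employee"], "exercised": ["REQUISITION", "AUTHORIZATION"]},
    "erin":  {"roles": ["Quality Assurance"],
              "exercised": ["QUALITY_ASSURANCE", "VENDOR_MAINTENANCE"]},
}

if __name__ == "__main__":
    for name, findings in report(USERS).items():
        print(name, findings)
```

Run against real data, `exercised` would come from the AP system's audit trail rather than from the role assignment, so that the check tests what people did, not what the access model says they can do; a duty exercised with no role behind it is exactly the "outside of normal operational processes" condition that Step 4.a rates as Moderate likelihood.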
Evaluating & Enhancing a Fraud Management Program
A Model for Evaluating FRMP Maturity
Maturity runs from left to right, with stakeholder value rising at each stage:
Tribal & Heroic
• Ad-hoc/chaotic
• Depends primarily on individual heroics, capabilities, and verbal wisdom
Specialist Silos
• Independent risk management activities
• Limited focus on the linkage between risks
• Limited alignment of risk to strategies
• Disparate monitoring and reporting functions
Top Down
• Common framework, program statement, policy
• Routine risk assessments
• Communication of top strategic risks to the Board
• Executive/Steering Committee
• Knowledge sharing across risk functions
• Awareness activities
• Formal risk consulting
• Dedicated team
Systemic Risk Mgmt.
• Coordinated risk management activities across silos
• Risk appetite is fully defined
• Enterprise-wide risk monitoring, measuring, and reporting
• Technology implementation
• Contingency plans and escalation procedures
• Risk management training
Risk Intelligence
• Embedded in strategic planning
• Early warning risk indicators
• Development of performance metrics and key risk indicators
• Linkage to performance measurement/incentives
• Risk modeling/scenarios
• Industry benchmarking
Evaluating the Program Using a Common Framework
A comprehensive Fraud Risk Management Program Framework encompasses seven domains that can help manage fraud, waste and error across the enterprise:
Strategy: Enterprise strategy that defines the Fraud Management Program function, role and objectives, and establishes a strategic roadmap
Governance: Fraud Risk Management Program oversight structure with well defined roles and responsibilities to manage risks, ensuring that there is adequate collaboration among the various forums/functions
Policies, Standards and Procedures: Policies, standards and procedures defining risk management methodology and activities, risk tolerance levels and integration points between risk management functions to ensure consistency and quality across all program activities
Risk Management *: Due diligence and ongoing oversight that an organization must exercise throughout the fraud management lifecycle
Tools and Technology: Tools and technology that drive commonalities in risk management process, and support data accuracy, availability and timeliness
Metrics and Reporting: Metrics and reports that provide a comprehensive view of enterprise Fraud risk to the relevant stakeholders across the enterprise
Communication, Training and Awareness: Coordinated communication channels and programs to educate stakeholders of their responsibilities at all stages of the fraud management lifecycle
DRAFT – FOR DISCUSSION PURPOSES ONLY
How to Refine the Fraud Risk Management Strategy
Program Management proceeds through three phases:
1. Assess
• Define target state by developing a fraud management architectural framework
• Conduct organization readiness review and gap analysis based on the fraud management architectural framework
• Develop fraud management roles and responsibilities
• Identify stakeholders and establish fraud management organization
Work Products: Fraud Management Architectural Framework; Fraud Management Roles and Responsibilities; Fraud Management Organization Structure; Fraud risk governance interaction model; Forum, charter and mandate
2. Develop
• Develop fraud management governance materials
• Design fraud management process flows
• Develop fraud risk assessment questionnaire and risk ranking model
• Develop fraud detection and prevention technology controls
• Develop fraud management monitoring and reporting metrics
Work Products: Fraud Management Policy; Fraud Management Process Flows; Fraud Risk Assessment Questionnaire; Fraud Risk Ranking Model; Fraud Management Technology Architecture; Fraud Management Monitoring and Reporting Metrics
3. Execute
• Operationalize fraud management processes and controls
• Conduct fraud management training sessions
Work Products: Fraud Management Training Materials; Program review and assessment; Trend analysis and industry benchmarking; Continuous improvement
Governance
Observation: Groups, forums and functions do not interact or support each other; further, governance forums are created without the knowledge and/or approval of the organization.
Recommendation: Document the current governance framework and interaction model to identify gaps and deficiencies. Then, determine how to realign the framework to encourage greater collaboration.
• By formally documenting the fraud governance framework and interaction model, the organization will have clear insight into how to align the governance forums and drive synergy.
[Figure: Enterprise-wide Fraud Governance, ideal state. An Enterprise Fraud Risk Management Committee / Owner sits over an Enterprise Fraud Risk Management Group, with Internal Audit, Investigations, Compliance and Legal alongside. At forum-level governance, Forums 1 to 4 serve Functions 1 to 4 across Business Units 1 and 2 via Inputs / Outputs; Forums 1 and 2 are linked by a Cross-Forum Exchange, while Forums 3 and 4 are isolated silos, Forum 4 producing output only.]
Enterprise Fraud Risk Management (EFRM) Framework
Nine Principles for Building an Enterprise Fraud Risk Management Framework: The Risk Intelligent Enterprise
Line 3.A, Oversee & Endorse (Board of Directors; quasi-independent)
• Tone at the top
• Common Definition of Risk
• Common Risk Framework
• Oversight, Risk Governance, Roles & Responsibilities
• Transparency for Governing Bodies
Line 2, Operate & Enable (Executive Management responsibility; quasi-independent)
• Risk Infrastructure and Management: Common Risk Infrastructure including management & response
• People, Process, Technology
• Objective Assurance and Monitoring
Line 1, Own & Execute (Business Unit responsibility: Business Units and Supporting Functions)
• Risk Ownership and Risk Process: Identify Risks; Assess & Evaluate Risks; Integrate Risks; Respond to Risks; Design, Implement & Test Controls; Monitor, Assure & Escalate
• Risk Classes: Governance; Strategy & Planning; Operations/Infrastructure; Compliance; Reporting
• Support of Pervasive Functions
Line 3.B, Observe & Evaluate (Internal Audit; independent)
Establishing an EFRM Governance & Operating Model
Board of Directors, Risk Steering Committee and Fraud Risk Advisory Board
 Define and implement Fraud Risk Guiding Principles and Strategy
 Leverage the whistleblower program to identify trends and/or Program weaknesses
 Provide regulatory interpretation and guidance
 Establish risk tolerances and advise on complex risk issues
1st Line of Defense (Lines of Business)
 Implement internal controls and practices consistent with company-wide policies & procedures
 Managers appointed by the Lines of Business (LOBs) are responsible for identifying, assessing and mitigating risk associated with their business
 Identify critical risk scenarios
 Own fraud risk for the business
 Identify risks and mitigation strategy
 Manage and resolve day-to-day issues
 Implement key controls
 Maintain accountability for FRM practices
2nd Line of Defense (Centre of Excellence (COE): FRM Office and Risk Officers, supported by Investigations, HR, Finance, Risk, Compliance, Technology, Legal and Corporate Communications)
 Design and assist in implementing company-wide risk framework and oversee enterprise risks
 Business partners work with the LOBs to identify, assess and mitigate all risks
 Provide tools and resources to enable effective & efficient execution of risk management activities
 Maintain accountability for FRM practices and identified risks
 Drive consistent process across LOBs
 Provide enterprise FRM standard processes and templates
 Track issues and facilitate corrective actions
 Interact with regulators on fraud risk and information security topics
 Set FRM policies, procedures and standards to govern O/O activity
 Assist in developing TPRM guidelines, tools and templates
 Provide subject matter expertise to 1st Line of Defense
 Promote consistency and quality of FRM practices
 Provide ongoing training
3rd Line of Defense (Internal Audit)
 Independently test, verify and evaluate risk management controls against internal policies
 Assess design and operating effectiveness of the program considering enhancements to operations, increased customer base or geographical expansion
 Perform periodic audits and testing to monitor policy compliance
Assessing and Enhancing Tools
A technology architecture for managing Fraud risk is an ecosystem of orchestrated processes and systems which, if designed appropriately, can help ensure that all relevant data obtained across the Fraud lifecycle (including fraud scenarios, metrics, whistleblower logs and incident reports) is available to facilitate risk assessment, classification, monitoring and reporting.
TPRM Tool Box
• Key Data Inventory: Risk Scenario Inventory; Fraud Information Databases
• Risk Management / Monitoring Systems: Performance Monitoring; Risk & Compliance Assessment; Third Party Event Monitoring
• Infrastructure Components: Reporting / Notification Rules; Information Entitlements & Security; Logging / Audit Trails; Risk Metrics Calculation/ Modeling; Interfaces with Databases and Risk Systems
• Reporting: Risk Aggregation; Scenario Risk Score calculation; Residual Risk Calculation; Standardized Reports; Key Risk Indicators; Dashboards; Risk Threshold/ Tolerance; Performance Metrics; Analytics
• Feedback: promotes continuous improvement to data, systems and architecture
Develop Industry-Specific Metrics
Develop metrics to assess the performance of the FRMP and identify emerging risks/issues. Having the right metrics in place enables an organization to:
• Document, measure and monitor the organization’s risk appetite for Fraud Risk when making various business decisions (e.g., whether to outsource to a third party, or to expand into a specific geographical region)
• Identify trends in fraudulent activity, and discern weaknesses in the current process and/or applications that expose the organization and its customers to undue risk
• Determine the “true cost” of fraud, including losses to the customer, incident response costs, investigation and recovery costs and the impact on customer attrition
• Make better decisions about how to manage fraud and where to focus resources
• Entertain the idea of implementing control activities that were initially perceived as being costly to the organization
• Measure its performance in relation to loss mitigation, total cost of mitigation, total funds recovered and cost of recovery
Risk Appetite and Enterprise Fraud Risk Management (EFRM)
Components of an effective ERM Program
Centre of the model: Enterprise Risk Management Vision and Strategy
Surrounding components: Governance; Culture; Methodology; Common Language; Risk Measurement; Risk Policies; Risk Monitoring; Risk Appetite; Reporting and Escalation; Risk Assessment; Independent Verification/Testing
Articulating Risk Appetite
• Provides a structure for discussion of the balance between business strategy and risk
• Provides guiding principles for management in determining whether strategic/business activities and risk levels are acceptable or not
• Provides a consistent view of risk across the organization to facilitate decision making
• Enhances the risk awareness culture
• Establishes thresholds to monitor against
• Allows the business to make decisions considering risk
Risk and Reward Scale
Risk Appetite: Risk Seeking | Risk Tolerant | Risk Neutral | Risk Averse
Description:
• Risk Seeking: taking risk is considered part of the company’s strategy
• Risk Tolerant: company takes an aggressive approach towards taking risk
• Risk Neutral: company takes a balanced approach to risk taking
• Risk Averse: company accepts as little risk as possible
Example risk appetite by business activity:
• Risk Seeking: new market expansion and acquisition activities
• Risk Tolerant: innovation, tax activities
• Risk Neutral: operations, financing activities
• Risk Averse: health, safety, environment, security, fraud, financial reporting, regulatory compliance, and reputation
Copyright © 2012 Deloitte Development LLC. All rights reserved.
Develop and Monitor Key Risk Indicators (KRIs) to proactively identify when tolerable risk thresholds are exceeded
Develop comprehensive risk reporting which takes into account a composite view of emerging risks or trends/behaviors which may indicate that a risk has been, or is about to be, realized.
Identify Data Points
• Establish Data Points per KRI
• Identify Data Source(s) per Data Point
• Determine data usage
Gather Data
• Determine collection method
• Obtain data from relevant sources including existing reports and key databases
Review Data Points
• Perform in-depth review of data elements at each step of the process to ensure data quality and accuracy
Aggregate & Review KRI Values
• Combine data points to generate KRI values
• Determine thresholds to monitor
KRI Information (columns: KRI Ref No. | KRI Description | KRI Calculation Formula | KRI Thresholds | Outcome Value | RAG)
1 | Number of whistleblower complaints related to fraud | Count
2 | Number of internal control operating deficiencies identified | Count
3 | Count of significant breach events against applicable ethical standards, as defined in supplier contract | Count
KRI Thresholds and Outcome Values (row alignment and RAG colours lost): 0, 0, <3, >0, 0, 1-2, >2, 2, 3-5, >5, 8
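As an added worked example (not code from the deck), the four KRI steps above in Python: data points are gathered from source extracts, reviewed for quality, combined into KRI values with a Count formula, and rated Green/Amber/Red against thresholds, with a worst-case roll-up for a dashboard. The three KRI descriptions are those in the table; the source extracts, the per-record validation rules and the threshold bands (green_max, amber_max) are constructed assumptions for illustration.

```python
"""KRI pipeline: identify data points, gather data, review data points,
aggregate into KRI values and rate them Green/Amber/Red.
All source extracts, validation rules and threshold bands below are
constructed for illustration (assumptions, not figures from the deck)."""
from dataclasses import dataclass
from datetime import date
from typing import Callable, Dict, List, Tuple

Record = Dict[str, str]

# Steps 1/2: data points and the sources they are gathered from (constructed extracts)
HOTLINE_LOG: List[Record] = [
    {"id": "WB-1", "category": "fraud", "received": "2012-08-02"},
    {"id": "WB-2", "category": "hr", "received": "2012-08-05"},
    {"id": "WB-3", "category": "fraud", "received": "2012-08-19"},
    {"id": "WB-4", "category": "fraud", "received": ""},  # no date: fails review
]
CONTROL_TESTS: List[Record] = [
    {"control": f"C-{n:02d}", "result": "deficient" if n in (2, 4, 5, 7, 9, 10) else "effective"}
    for n in range(1, 11)
]
SUPPLIER_BREACHES: List[Record] = []  # no ethical-standard breaches logged this period


@dataclass(frozen=True)
class Threshold:
    """Inclusive upper bounds for Green and Amber; above amber_max is Red."""
    green_max: int
    amber_max: int


@dataclass(frozen=True)
class KRI:
    ref_no: int
    description: str
    source: List[Record]
    valid: Callable[[Record], bool]   # step 3: per-record data quality check
    counts: Callable[[Record], bool]  # step 4: "Count" formula = records matching this
    threshold: Threshold


def has_iso_date(rec: Record, field: str) -> bool:
    """A data point without a parseable date cannot be placed in a reporting period."""
    try:
        date.fromisoformat(rec.get(field, ""))
        return True
    except ValueError:
        return False


KRIS: List[KRI] = [
    KRI(1, "Number of whistleblower complaints related to fraud", HOTLINE_LOG,
        lambda r: has_iso_date(r, "received"),
        lambda r: r["category"] == "fraud", Threshold(green_max=0, amber_max=2)),
    KRI(2, "Number of internal control operating deficiencies identified", CONTROL_TESTS,
        lambda r: r["result"] in ("effective", "deficient"),
        lambda r: r["result"] == "deficient", Threshold(green_max=2, amber_max=5)),
    KRI(3, "Count of significant breach events against applicable ethical standards",
        SUPPLIER_BREACHES, lambda r: True, lambda r: True,
        Threshold(green_max=0, amber_max=0)),
]


def review_data_points(kri: KRI) -> Tuple[List[Record], List[str]]:
    """Step 3: keep records that pass the quality check; log the rejects."""
    valid: List[Record] = []
    issues: List[str] = []
    for rec in kri.source:
        if kri.valid(rec):
            valid.append(rec)
        else:
            issues.append(f"KRI {kri.ref_no}: rejected {rec}")
    return valid, issues


def rag_status(value: int, t: Threshold) -> str:
    """Map a KRI value onto the Red/Amber/Green bands."""
    if value <= t.green_max:
        return "GREEN"
    if value <= t.amber_max:
        return "AMBER"
    return "RED"


def kri_report(kris: List[KRI] = KRIS) -> Dict[int, Tuple[int, str]]:
    """Step 4: combine reviewed data points into KRI values and rate each one."""
    report: Dict[int, Tuple[int, str]] = {}
    for kri in kris:
        valid, _issues = review_data_points(kri)
        value = sum(1 for rec in valid if kri.counts(rec))
        report[kri.ref_no] = (value, rag_status(value, kri.threshold))
    return report


def overall_status(report: Dict[int, Tuple[int, str]]) -> str:
    """Roll-up for the dashboard: the worst KRI drives the overall colour."""
    rank = {"GREEN": 0, "AMBER": 1, "RED": 2}
    return max((status for _, status in report.values()), key=rank.__getitem__, default="GREEN")


if __name__ == "__main__":
    report = kri_report()
    for kri in KRIS:
        value, status = report[kri.ref_no]
        print(f"KRI {kri.ref_no}: {kri.description} = {value} -> {status}")
    print("Overall:", overall_status(report))
```

The review step is kept separate from the count so that a rejected data point (here the undated hotline record) is visible in the issues list rather than silently changing the KRI value; the roll-up takes the worst colour because a single red indicator is what should trigger escalation.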
Metrics to Consider
Monitoring KRIs based on geographical location, areas of operation, and/or services provided will help an organization determine where to allocate resources in response to emerging risks.
Loss/Damage Quantification
• Total customer losses to be reimbursed.
• Customer attrition costs due to experiencing a fraud incident.
• Total effort expended per incident and the related costs.
• Total incidents for each period.
• Average legal fees per incident.
• Number of employee hours diverted to incident response.
• Cross-channel losses resulting from incidents originating in a specific department/division.
Trends/Weaknesses Exploited
• Successful bypass of internal controls – what controls are getting targeted and bypassed the most?
• Incidents of management override of controls.
• Attack volume.
• Incident by type and transaction.
• Incident by geographic location.
• Trends – time of day most attacks occur.
• Trends – types of businesses targeted.
Response and Recovery Performance
• Number of compromised customers in a period.
• Number of repeat offences against a customer in a period.
• Number of incidents identified by the organization compared to incidents identified by the customer.
• Number of fraudulent attacks denied versus successful attempts.
• Total false positives recognized in a period.
• Total incidents in a period.
• Total incidents by theme.
• Impact of remediation efforts on total incidents.
• Total effort required to respond to each incident.
• Response time for each incident.
• Timeliness of investigation and wrap up.
• Total funds recovered in a period.
• Cost-benefit analysis as it relates to cost of recovery versus actual funds recovered.
• Phishing – time from notification to take down.
• Phishing – success rate of take down.
Use metrics to determine the “true cost” of fraud
• An online banking division had been experiencing an increase in the following fraud scenarios:
- Access of a legitimate customer account by a fraudulent third party with the intention of acquiring sensitive client information (browsing); and
- Access of a legitimate customer account by a fraudulent third party with the intention of executing unauthorized transactions for personal gain.
• Perpetrators were successfully able to access client accounts through the deployment of financial malware.
• Once a perpetrator gains access to valid customer credentials, the perpetrator is then able to access the client account and commence fraudulent browsing on the account and/or the execution of fraudulent transactions.
Fraudulent Event Frequency and Detection
• There have been 45 fraud incidents since October of the prior year:
o October to June: 1-4 incidents occurred per month.
o July: 10 incidents occurred.
o August: 12 incidents occurred.
• Only half of all fraud incidents are detected by the bank. The other half are discovered and reported by the customers.
• Business customers account for 80% of fraud.
Impact
• Average loss to the customer was $15,000 per incident.
• 235 to 660 employee hours are consumed for each fraud incident depending on the severity.
• Hours consumed by employees for incident response are estimated to be as follows:
o Contacting the client: 50 – 75;
o Freezing, closing and opening new accounts: 150 – 300;
o Corporate Security: 25 – 250 (depending on whether an investigation is warranted);
o IT: 0 – 15;
o Management: 10 – 20.
• At an average cost of $50 per hour, it is estimated to cost approximately $11,750 to $33,000 in payroll expenses per incident.
• Investigation costs are averaging $10,000 per incident.
• Total costs do not consider the cost of customer attrition should customers leave subsequent to falling victim to a fraud incident and/or reimbursements made to clients.
For the months of July and August alone, the total cost incurred to mitigate, manage and respond to incidents of fraud was estimated to be between $300,000 and $500,000.
Private and Confidential
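As an added worked example (not the deck’s own model), the per-incident figures from the case above as a small Python cost model. The hour ranges per function, the $50 hourly rate, the $10,000 investigation cost and the $15,000 average customer loss are the slide’s figures; how they are combined, the CostRange type and the optional reimbursement and attrition terms are assumptions. The slide’s July–August estimate rests on inputs it does not show (for instance the mix of light and heavy incidents), so the period figure here is simply the incident count times the per-incident range.

```python
"""Cost model for the online-banking case: per-incident response cost from
hours by function, extended to a period and to the customer-side items the
slide says its total leaves out. Figures marked (slide) come from the deck;
the structure and the reimbursement/attrition terms are assumptions."""
from dataclasses import dataclass
from typing import Dict, Tuple

HOURLY_RATE = 50.0             # average payroll cost per employee hour (slide)
INVESTIGATION_COST = 10_000.0  # average investigation cost per incident (slide)
CUSTOMER_LOSS = 15_000.0       # average loss to the customer per incident (slide)

# Employee hours consumed per incident, by function, as (low, high) ranges (slide)
HOURS_PER_INCIDENT: Dict[str, Tuple[int, int]] = {
    "Contacting the client": (50, 75),
    "Freezing, closing and opening new accounts": (150, 300),
    "Corporate Security": (25, 250),  # upper end only when an investigation is warranted
    "IT": (0, 15),
    "Management": (10, 20),
}


@dataclass(frozen=True)
class CostRange:
    """A low/high estimate; arithmetic keeps the two bounds separate."""
    low: float
    high: float

    def __add__(self, other: "CostRange") -> "CostRange":
        return CostRange(self.low + other.low, self.high + other.high)

    def times(self, n: float) -> "CostRange":
        return CostRange(self.low * n, self.high * n)


def hours_per_incident(hours: Dict[str, Tuple[int, int]] = HOURS_PER_INCIDENT) -> CostRange:
    """Sum the per-function ranges: lightest possible incident vs. heaviest."""
    return CostRange(sum(lo for lo, _ in hours.values()),
                     sum(hi for _, hi in hours.values()))


def payroll_cost_per_incident(rate: float = HOURLY_RATE,
                              hours: Dict[str, Tuple[int, int]] = HOURS_PER_INCIDENT) -> CostRange:
    """Hours times the average hourly rate."""
    return hours_per_incident(hours).times(rate)


def response_cost_per_incident(rate: float = HOURLY_RATE,
                               hours: Dict[str, Tuple[int, int]] = HOURS_PER_INCIDENT,
                               investigation: float = INVESTIGATION_COST) -> CostRange:
    """Internal cost the slide counts: payroll plus the investigation."""
    return payroll_cost_per_incident(rate, hours) + CostRange(investigation, investigation)


def true_cost(incidents: int, reimbursed_share: float = 0.0,
              attrition_cost_per_incident: float = 0.0) -> Dict[str, CostRange]:
    """Period cost broken into components. reimbursed_share is the fraction of the
    average customer loss the bank makes good (assumed input); attrition cost per
    incident is likewise an assumed input, since the slide gives neither."""
    response = response_cost_per_incident().times(incidents)
    reimbursement = CostRange(CUSTOMER_LOSS, CUSTOMER_LOSS).times(incidents * reimbursed_share)
    attrition = CostRange(attrition_cost_per_incident, attrition_cost_per_incident).times(incidents)
    return {
        "response": response,
        "reimbursement": reimbursement,
        "attrition": attrition,
        "total": response + reimbursement + attrition,
    }


if __name__ == "__main__":
    july_august = 10 + 12  # incidents in July and August (slide)
    for name, rng in true_cost(july_august, reimbursed_share=1.0).items():
        print(f"{name:>13}: ${rng.low:>12,.0f} - ${rng.high:>12,.0f}")
```

Keeping the bounds separate (rather than averaging them) is deliberate: the spread between a browsing-only incident and one that triggers a Corporate Security investigation is the point the slide is making, and it is what an organization needs when deciding whether a control that was “too costly” is in fact cheaper than the incidents it would prevent.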
Extending the FRMP to Third Parties
Third Party Risk
Third Party Risk Management is the discipline of systematic measurement and management of risks associated with Third Parties throughout the relationship lifecycle.
What is Third Party Risk
• Reliance on third-party relationships can significantly increase an organization’s strategic, reputation, compliance, and transaction risk. Increased risk most often arises from poor planning, oversight, and control on the part of the organization and/or inferior performance or service on the part of the third party.
• The consequences can go well beyond direct financial loss to include damage to reputation, media embarrassment, regulatory scrutiny and loss of customers.
How Third Party Risk Manifests Itself
Potential Risks: Strategic; Reputation; Compliance; Transaction; Credit; Country; Business Continuity; Contractual; Financial Stability; Information Security/Privacy
The presence and severity of each risk vary based on the nature of the third party relationship. Determining factors include:
1. Third Party Profile
• Geographical location
• Type of service provided
• Nature and extent of customer interaction
2. Criticality of Outsourced Product/Service
• The impact to the organization (financial, reputational, etc.) should the third party be unable to meet its contractual obligations
3. Access to Confidential/Sensitive Information
• The impact to the organization should confidential information be misappropriated and/or transferred across borders
4. Level and Point of Integration with Operations
• At what point(s) within the process flow do third parties contribute to the execution of the process
• How ingrained a third party’s people, practices and technology are in support of the execution of a process (e.g., payroll, data processing)
5. Service Model Affecting Level of Oversight Over the Third Party
• Staff Augmentation
• Managed Service
• Co-sourcing
Note that a third party’s risk profile can increase significantly if the third party chooses to rely on a fourth party for support.
Note that while you can outsource a product/service, you cannot outsource the risk
• Reliance on third-party relationships can significantly increase an organization’s fraud risk
• Organizations that outsource products or services need to understand that their Fraud Risk Management Program is only as strong as the weakest practices in the Third Parties they are outsourcing to
• Failure to extend the Fraud Risk Management Program to Third Parties can result in the organization facing severe penalties and greater regulatory scrutiny (FCPA, UK Bribery Act, CFPB, Privacy Laws, etc.)
Drivers for Third Party Risk Management
• Heightened Regulatory Awareness & Expectations (CFPB, FFIEC, OCC, FCPA)
• Increased Outsourcing of Critical Services Increasing the Exposure to Continuity of Business Risk
• Increased Reliance on Third and Fourth Parties as they become more accessible
• Increased Third Party Access to PII and Other Confidential/Sensitive Data
Deloitte Confidential
Key Elements of a Third Party Risk Management Program
The organization must first understand that each Third Party’s risk profile is unique and requires a tailored risk management strategy. The appropriate strategy depends on the nature of the particular Third Party relationship, the type and materiality of the risks present, and the ability of the organization to manage those risks. Therefore, a holistic risk management program, with select risk management practices targeted to address specific Third Party Risks, must be in place across the entire Third Party Lifecycle.
Applying the Third Party Risk Management Program Across the Third Party Lifecycle
Evaluate & Select
• Risk assessment
• Inherent Risk Profiling and Vendor Selection Reviews
• Third party approval and tiering process
• Review Vendor for the following:
– Financial Viability
– Exit strategy
– Sanction screening
– Reputational reviews
– Compliance assessments
– Country risk reviews
Contract & On-board
• Contract negotiation and legal/procurement approvals
• Contract Language Exception Management
Manage & Monitor
• Control assessments including:
– Information Security review
– Physical Security Review
– Vulnerability and Threat Assessment
– Business Continuity assessment
– SLA and Performance monitoring
• News and event monitoring
• Ability to meet compliance obligations
• Reputational reviews
• Country risk reviews
• Contract reviews
Terminate & Off-board
• Exit strategy and contract review
• Termination Management to confirm that the Vendor meets the obligations of their contract and all client data is removed per the Vendor’s contractual obligations
Ongoing Program Management & Reporting
Changes in environmental factors have increased the depth and frequency of regulatory reviews. A proactive organization will try to minimize such regulatory scrutiny and the possibility of penalties due to non-compliance. Being proactive also allows the organization to retain flexibility in developing and implementing risk management strategies on its own, absent direction from a regulatory authority (e.g., an MRA or consent order).
Leveraging the Whistleblower Program
Whistleblower Program
The 2012 Corporate Governance and Compliance Hotline Benchmarking report is a compilation of 599,162 reports throughout a five-year period covering 2007 to 2011. In 2011, 129,199 reports were taken from 1,128 organizations representing 15,052,215 employees.
Source: The Network, “2012 Corporate Governance and Compliance Hotline Benchmarking Report”
“As organizations continue to either implement or improve their Whistleblower Programs, their ability to detect and prevent fraud grows.”
Note that the percentage of whistleblower complaints pertaining to Fraud has significantly increased.
Whistleblower Program
Observation: Whistleblower Programs get used the most in industries focused on Retail or Service
Observation: There are 7 key types of incidents that are escalated via the Whistleblower Program
Whistleblower Program
Observation: Phone is still the most popular intake method by far
Observation: Incidents of retaliation for reporting are on the rise
Whistleblower Program
Observation: Organizations are finding creative ways to inform stakeholders of the Whistleblower Program
Whistleblower Program
Observation: Minimal preference over the ability to report anonymously
Observation: Preference to not want to notify management
Whistleblower Program
In 2011, 67% of all reports warranted an investigation and only 16% did not warrant an investigation. This is referred to as the “actionability” of the report. Of the 67%, 41% resulted in corrective action being taken. In 2010 and 2011 there has been nearly a 10% increase from 2007 in the “other” category, which may be due to companies implementing variations in the reporting outcomes.
Whistleblower Program
Features of a Well-Designed Whistleblower Program
• Option for anonymity
• Organization-wide (global) and available 24/7, ideally by telephone, with professionally-trained interviewers in all local languages
• Single hotline for all ethics-related issues
• Dual dissemination of the information received so that no single person controls the information, with criteria for immediate escalation where warranted, and for notification of the audit committee when financial irregularities or senior management are involved
• Case management protocols, including processes for the timely investigation of hotline reports and documentation of the results
• Supports the collection and analysis of data to identify trending
• Management analysis of trends and comparison to norms
• Data security and retention policies and procedures (including geographical trends)
• Customization to comply with the laws of foreign jurisdictions and to address cultural differences
• Ongoing messaging to motivate everyone in the organization, as well as vendors, to use the hotline
Whistleblower Program
• A significant number of fraud schemes are uncovered due to employee tips
• A whistleblower program provides employees with a way to report their concerns to the appropriate stakeholders of the organization
• Can only be effective if the following criteria are met:
1. The program is targeted to the relevant stakeholders
2. The stakeholders are aware that such a program exists
3. The stakeholders have a requirement to report
4. The stakeholders have a reasonable assurance of anonymity
5. The stakeholders have access to reporting mechanisms inexpensively and with as few complications as possible, and the program supports direct communication
6. The stakeholder feels comfortable communicating her/his concerns
7. The stakeholder believes that appropriate action will be taken
8. The stakeholder has reasonable assurance that she/he will not be persecuted for reporting her/his concerns
Consider extending your whistleblower program out to external parties as well
Effective Response Protocols
Develop a fraud policy with appropriate fraud response protocols and ownership of fraud risk management
Formalize and document roles and responsibilities as well as fraud response protocols within an enterprise-wide fraud policy. This helps ensure that incidents are responded to in a timely manner to minimize the financial and reputational impact.
• It is essential that any violations, deviations, or other breaches of the code of conduct or controls, regardless of where in the organization, or by whom, they are committed, be reported and dealt with consistently and in a timely manner.
• Appropriate punishment must be imposed, and suitable remediation completed.
• The board should ensure that the same rules are applied at all levels of the organization, including senior management.
• The organization should develop a system for prompt, competent, and confidential review, investigation, and resolution of allegations involving potential fraud or misconduct.
• Protocols for the board’s involvement in such cases — which will vary depending on the nature, potential impact, and seniority of persons involved — should be defined clearly and communicated to management by the board.
• The roles of the board, management, legal counsel, internal audit and others in the investigation process should be clearly defined.
A Fraud Policy
Many organizations use a fraud policy to communicate the organization’s approach to fraud. An effective fraud policy typically contains the following:
• A statement of the organization’s attitude to fraud (e.g., zero tolerance);
• A discussion on the commitment of leadership to address and respond to fraud risks;
• Alignment with the code of conduct/ethics;
• Alignment with the whistleblower policy;
• The allocation of responsibilities for the management of fraud including:
– Reporting suspicions of fraud including whistleblower arrangements (if used);
– The procedures employees should follow if fraud is identified;
– Guidance on training for the prevention/detection of fraud;
– Reference to the response plans and protocols that have been devised to deal with and minimize the damage caused by an incident of fraud;
– Reference to the remedial action protocols in place.
Developing Investigation Standards
Management is ultimately responsible for developing standards and controls over the investigation process, including:
– Developing policies and procedures for effective investigations;
– Preserving evidence;
– Handling the results of investigations;
– Reporting to the board; and
– Internal and external communications.
Such standards are often documented in a fraud policy. Internal audit may assist in the evaluation of the policy.
It is often important to assemble the investigation team without delay. If the organization is likely to need external experts, it may want to prequalify service providers so that external resources are quickly available when needed.
The Key Elements of an Investigation
The investigation and response system should include a process for:
– Categorizing issues;
– Confirming the validity of the allegation;
– Defining the severity of the allegation;
– Escalating the issue or investigation when appropriate;
– Referring issues outside the scope of the program;
– Conducting the investigation and fact-finding;
– Resolving or closing the investigation;
– Listing types of information that should be kept confidential;
– Defining how the investigation will be documented; and
– Managing and retaining documents and information.
Investigations should be performed in accordance with protocols approved by the
board. A consistent process for conducting investigations can help the
organization mitigate losses and manage risks associated with the investigation.
Consider using investigation templates and checklists to standardize and formalize
the investigation process (including who to contact and when).
Internal Audit’s Role in Responding to Incidents of Fraud
It is acceptable for Internal Audit or other internal personnel to participate in the
investigation provided that those persons conducting the investigation are
sufficiently independent, objective and possess the relevant skills and expertise
necessary to:
– Conduct interviews;
– Collect and manage evidence;
– Compile and analyze evidence;
– Access and analyze public records;
– Access and analyze personal documents belonging to the perpetrator;
– Conduct computer forensic examinations; and
– Liaise with legal counsel to prepare evidence and provide a forensic report.
If in doubt – consult!
– To ensure that investigations are completed timely, effectively and efficiently, it is
always recommended that external resources be consulted.
Legal Counsel Considerations
It is in the best interest of the company (and its stakeholders), both
professionally and legally, to work effectively with legal counsel and to become
familiar with the relevant laws in the country the fraud investigation occurs.
Legal counsel may also be able to assess the impact the fraud will have on the
board and management and provide guidance on how to manage both internal
and external communications regarding the status of the fraud and the
investigation.
It is strongly recommended, in many cases, to use counsel to invoke attorney-client privilege, so that the investigation is executed under the direction of legal counsel. This will maximize the legal privilege attached to any work performed by the investigation team.
Fraud Policy Decision Matrix
Similar to a RACI, a fraud policy decision matrix summarizes the roles and responsibilities articulated in the fraud policy itself:
Action Required
1. Controls to prevent fraud
2. Incident reporting
3. Investigation of fraud
4. Referrals to law enforcement
5. Recovery of monies
6. Internal controls review
7. Handle sensitive cases
8. Publicity/ press releases
9. Civil litigation
10. Corrective action/ recommendations to prevent recurrences
11. Monitor recoveries
12. Proactive fraud auditing
13. Fraud education/training
14. Risk analysis of areas of vulnerability
15. Trend analysis
16. Investigation case analysis
17. Whistleblower complaint monitoring
Functions (matrix columns): Investigations | Internal Audit | Finance | Executive Management | Risk Management | Human Resources | Public Relations | Legal
Legend: P (Primary Responsibility); S (Secondary Responsibility); SR (Shared Responsibility)
Responsibility assignments as extracted (cell-to-row alignment lost): S P P P P SR S S S S S P S S S S SR SR S S SR S S P S; P SR S S S SR S S S SR S P S S P; S S S S S P SR P SR P P P S SR SR SR; S P P S S P
Incorporate Post Investigation Considerations into the FRMP
Develop a formalized process in which investigations, management and internal audit collaborate to identify deficiencies in operations and/or internal controls that led to the fraud and determine optimal solutions to address those deficiencies.
Resolution – consists of determining what actions will be taken by the organization once a fraud scheme and perpetrator(s) have been fully investigated and evidence has been reviewed. Management and the Board are responsible for determining how to resolve the incident.
Reflection – the results of a fraud investigation may indicate that an occupational fraud had a previously undiscovered adverse effect on the organization’s financial position and its operational results. Senior management and the board need to be informed of this so they can decide on the appropriate reporting requirements.
Remediation – after the fraud has been investigated and communicated, it is important for management and internal audit to consider the lessons learned:
– How did the fraud occur?
– What weaknesses were exploited?
– What controls failed?
– Why wasn’t this caught and what were the red flags?
Questions & Answers
Daniel J. Williams
CGA, CFE, CIA, CISA, CAMS, PMP
604.640.3286
604.351.5567
[email protected]