The Role of Internal Auditing in Proactively Managing Fraud Risks

Author: Felix Powers
Oklahoma City, OK Chapter of The IIA
September 10, 2009

Congratulations on 60 Years

Discussion Topics

- Highlights of surveys and articles
- How we performed our Fraud Risk Assessment
- How we keep the topic of fraud and ethics in front of our associates and suppliers
- How we use continuous monitoring tools

Recent Frauds in the News

- FEI Study shows 60% of senior executives “lack confidence” in their risk management practices
- Alleged CEO insider trading nets $140 million in illegal profits
- Major U.S. corporation pays $50 million to settle accounting fraud
- A third of company directors do not understand the major risks

The IIA Standards (1210.A2)

Internal auditors must have sufficient knowledge to evaluate the risk of fraud and the manner in which it is managed by the organization, but are not expected to have the expertise of a person whose primary responsibility is detecting and investigating fraud.

Performance of a Fraud Risk Assessment

- Evaluated the adequacy of controls to mitigate fraud risks
- Identified potential gaps in the control design
- Reviewed the monitoring and oversight processes to prevent and detect fraudulent activity
- Identified additional anti-fraud control enhancements

Fraud Risk Assessment Approach

- Used a cross functional team
- Conducted brainstorming sessions
- Used a scheme and scenario based approach
- Mapped controls to each fraud scenario

Fraud Risk Assessment Template

Business Process Owner: Real Estate

Fraud Schemes/Scenarios: Bribes or kickbacks paid by a contractor to obtain business.

Controls:
- Competitive bidding for all construction jobs.
- Change orders approved by Senior Levels of Management not interacting with contractors.
- Sealed bid process with all bids opened by a selection committee.
- Hotline information provided to all bidders on request to bid form.
- Statement of Business Ethics.

Monitoring: The following areas monitor these activities:
- Real Estate Management
- Capital Appropriations Committee
- Procurement
- Internal Auditing

Preventive Fraud Controls

- Statement of Business Ethics
- Communication to our Associates
- Communication to our Suppliers
- Associate Training
- Background Checks
- Exit Interviews
- Measuring Performance

Statement of Business Ethics

- On-line statement includes policies and procedures and real life examples
- Required to sign the Certification of Compliance each year and make any disclosures
- Follow-up mechanisms in place
- Must report a violation

Communication to our Associates

- Senior Management sets the “Tone at the Top”
- Penney Idea ~ Does it square with what is right and just?
- Strong ethical culture and setting the right tone at the top is essential to helping to prevent fraud

Communication to our Suppliers

- Understand the importance our Company places on conducting all business transactions in an ethical manner
- Posted to our supplier website
- Host an annual Supplier Summit
- Focused supplier letters

Associate Training

- Provide on-going Ethics and Legal Compliance training
- Some training provided:
  - Insider Trading
  - Conflicts of Interest
  - FCPA
  - Investigations
  - Disclosure of Company Information

Use of Criminal Background Checks

- Performed on all new hires and rehires
- Performed on current associates who transfer into key positions
- Weed out problem applicants

Exit Interviews

- HR conducts exit interviews
- Ask associates if they are aware of any fraud or ethical issues

Measuring our Performance

- Complete an annual Winning Together associate survey
- Survey asks questions like:
  - Do you feel you can report violations of law, ethics or Company policy without fear of retaliation?
  - Would the Company take appropriate action if you were to report a possible violation?
- Provides us with valuable information
- Survey results are provided to both our Audit Committee and the Board of Directors

Investigative Protocol

- Defines who is responsible for managing the investigation
- Ensures allegations are adequately researched to a conclusion
- Maintains consistency between investigations
- Defines documentation and communication standards

Fraud Detection

- Use of Hotlines
- Internal Auditing’s Role in Detecting Fraud
- Use of Technology in Combating Fraud
- Ten Commandments of Detecting Fraud

Use of Hotlines

- Robust on-line database
- Enhanced reporting capabilities
- 24/7 coverage with professional call takers
- Multilingual service
- Benchmarking and trend analysis
- Transparency of calls

Key Roles of the Internal Auditor in Fighting Fraud

- Know the fraud risk schemes/scenarios
- Critically assess where your major fraud risks are
- Consider fraud on each audit
- Investigate fraud cases
- Support an effective hotline process
- Support education and training

What are we doing at JCPenney to Combat Fraud?

- Perform a fraud risk assessment
- Educate the team on the red flags of fraud
- Develop a fraud red flags poster
- Issue a quarterly Fraud and Ethics Newsletter
- Stress professional skepticism

What are we doing at JCPenney to Combat Fraud? (cont.)

- Embed fraud audit steps into our audit programs
- Perform data mining
- Review the system of internal controls
- Conduct awareness and ethics presentations
- Require the business owners to present to the Audit Committee

Quarter Close Review Process

- Test select transactions
- Review material reserves
- Query the general ledger
- Review revenue recognition processes
- Review account reconciliations
- Review the 10-K and 10-Q

Continuous Auditing

- Match vendor and associate data
- Review for changes in supplier critical fields
- Review for duplicate payments to suppliers
- Review for Purchase Card expenses
- Review for duplicate travel expenses

On-going Monitoring of our 1,100 Stores

- Short cash expense by store
- Bad debt expense by store
- Fixed funds

Ten Commandments of Detecting Fraud ¹

1. Assume anyone can and will commit fraud under the right circumstances
2. Use your knowledge of internal controls to “think dirty” and then check out your suspicions
3. Remember that good documentation does not mean something happened; only that someone said it happened
4. Pay attention to documents themselves and the supporting paperwork, observing the consistency of numbers, dates, dollar amounts, tax and the general condition of the document
5. Consider the reasonableness of account balances and accounting entries, especially adjustments

¹ Audit Director Roundtable – Fraud Awareness Training 2009

Ten Commandments of Detecting Fraud (cont.) ¹

6. Develop relationships and pay attention to hints or rumors of wrongdoing
7. Check out hunches; first impressions are often right. Have faith in yourself. Perception increases with experience
8. Be nosy; don’t easily accept explanations, especially if you don’t understand them
9. Use statistical sampling to force you to look at items you would not generally otherwise examine
10. Look for patterns of unusual transactions (If you’re surprised, it’s unusual!)

Questions