Fraud Risk Assessment – Let’s talk about the F-word
NACA September 2020
Agenda
1. Introduction
2. Why Perform a Fraud Risk Assessment - best practices
3. Forget the best practices and theory - Really why perform a fraud risk assessment
4. Why fraud risks need to be openly discussed
5. Fraud risk assessment process
6. Construction industry relevancy
7. The fraud risk workshop – hosts, attendees, topics
8. Updating fraud risk and how it is factored into the audit plan
9. Conclusion
10. Q&A
Why Perform a Fraud Risk Assessment – Best Practice 2013 COSO Framework
Why Perform a Fraud Risk Assessment – Best Practice 2013 COSO Framework, COSO & ACFE Fraud Risk Mgmt Guide
Polling Question #1
Does your organization perform a fraud risk assessment?
• Yes
• No
• I don’t know
The Real Benefit - Why Perform a Fraud Risk Assessment?
Performing a Fraud Risk Assessment on a regular basis has a number of benefits, including:
• Improved communication and awareness about fraud;
• Hear from the people on the ground - not only the tone from the top – hear the message from the middle – and the buy-in from the bottom;
• Connecting with the front line people that are the first line of defense;
• Identifying where your company is most vulnerable to fraud and what activities put the organization at the greatest risk;
• Knowing which roles / functions put the organization at the greatest risk;
• Developing plans to mitigate fraud risk;
• Developing techniques to determine if fraud has occurred in high-risk areas;
• Assessing internal controls - provide a basis for Internal Auditing and continuous monitoring; and
• Demonstrating Audits’ value in the organization and providing opportunities for consultancy and advisory services.
Annual Fraud Risk Assessment Process
• Identify potential fraud schemes
• Update annual audit plan to address risks identified
• Assess likelihood and significance of schemes
• Document and report on the Fraud Risk Assessment
• Perform fraud risk assessment workshops
• Identify any control gaps = residual risk
• Map existing controls to schemes
• Test operating effectiveness of antifraud controls
Most Critical asset – your people
General Counsel and Stakeholder Relations Chief Compliance Officer
Construction Industry Relevance
ACFE 2020 Report to the Nations
How is fraud detected in US and Canada?
2020 ACFE Report to the Nations
Median duration of fraud per the ACFE
Not all fraud can be prevented. Even in the most secure organizations, it is likely that some type of employee fraud will eventually occur. Consequently, quick detection of fraud is vital to protecting an organization from potential damage. Research shows that the median duration of a fraud—that is, the typical time between when a fraud begins and when it is detected—is 14 months. The longer a fraud remains undetected, the greater the financial losses.
So how do we identify fraud sooner?
2020 ACFE Report to the Nations
Fraud Risk Workshop = Information Pipeline
2020 ACFE Report to the Nations
Polling Question #2
Does your organization perform fraud risk workshops?
• Yes
• No
• I don’t know
Fraud Risk Assessment Workshops – Hosts
Potential Hosts:
• Auditors
• Investigators
• Compliance Officers
• Lawyers
Required Skills:
• Engaging and fun
• Trust Builder – find something relatable to kick off the conversation
• Don’t talk too much “corporate speak”
• Listen without judgement
• Use relevant examples
Fraud Risk Assessment Workshops – Attendees
Potential Recipient Departments:
• Supply Chain
• Payroll
• Project Management
• Project Controls Teams
• Project Attest Teams
• Quality/Safety Personnel
Required Skills for workshop:
• Participate and share knowledge
If you perform your assessment from the highest tower, you may not see the chaos below
Fraud Risk Assessment Workshops – Key Topics
• Attendees are a key part of our operations, and we want to hear from them!
• The definition of fraud and the difference from error, and the concept of intent
• The fraud triangle and explain each component with real life examples
• The fraud tree
• Brainstorming session
Donald Cressey – Other People’s Money
The Fraud Triangle
Fraud can happen when the three components leading to fraud are present: Pressure, Opportunity, and Rationalization. This is typically illustrated as the “fraud triangle”, which was developed by Donald Cressey, a famed penologist, criminologist and sociologist who studied white collar crime.
Donald Cressey – Other People’s Money
Fraud Risk Workshop - FRAUD TREE
2020 ACFE Report to the Nations
Polling Question #3
What is the most untapped asset in fraud detection?
• The input from the front line people
Updating the Fraud Risks / Assessing / Audit Planning
Continuous Cycles of Fraud Risk Assessment
- The fraud risk assessment is a living, breathing process – use it to build the audit plan for each upcoming year
- Re-visit each year – assess the required audiences, the new risks
- Create relationships with your critical assets in detecting fraud – the people
Questions?