BNSF Fraud Risk Assessment Final Version - Corporate Executive ...
Fraud Risk Assessment Process
Report to the Audit Committee
TABLE OF CONTENTS
Fraud Risk Assessment
Introduction and Objectives
The Risk Assessment Methodology
Conclusion and Key Findings
Risk of Management Override
Uniform Occupational Fraud Classification System (Appendix A)
Corporate Audit Services Fraud Risk Assessment
Introduction and Objectives
‣ The Fraud Risk Assessment is a key element of BNSF’s anti-fraud programs and controls.
‣ The objective of the Fraud Risk Assessment is to reduce the risks of fraud facing the company and to improve company performance by identifying, acknowledging, and controlling fraud risks that threaten the company’s resources.
  ✓ Highlights the critical areas where internal controls may need to be strengthened.
  ✓ Provides assurances to the Audit Committee and PricewaterhouseCoopers that the risk of fraud at BNSF is being effectively managed.
  ✓ Minimizes the risk of overlooking fraud during internal audit planning stages.
‣ The Fraud Risk Assessment should be considered as an outline to identify frauds that could occur, in an effort to prevent frauds before they occur, to detect frauds and fraud attempts as soon as possible, and to remediate fraud if it is discovered.
‣ BNSF’s Fraud Risk Assessment is subject to continuing review throughout the year.
  ✓ Included in the continuing review are the occurrence of frauds and attempted frauds that are identified through monthly and quarterly surveys of business areas of the company.
  ✓ The external environment is continually scanned for occurrences of fraud for consideration as a possibility at BNSF.
  ✓ Data is also gathered from Employee Hotline calls, from letters to company officials, and from analytical tools that are being developed and implemented to identify potential frauds indicated in financial and other databases maintained by the company.
‣ Audits performed by Corporate Audit Services consider the risk areas identified in the planning for audits to be conducted.
  ✓ The results of the fraud risk assessment were integrated into our annual audit planning activities.
The Risk Assessment Methodology
[Figure: diagram with the labels Risk, Internal Controls, Shareholder Value, Corporate Assets, Reputation]
‣ The BNSF Fraud Risk Assessment considers the fraud risks, and then identifies existing controls or procedures that reduce those risks.
  ✓ Best practices indicate that the fraud risk assessment be scheme- and scenario-based rather than based on control risk scenarios.
  ✓ The fraud risk assessment requires ongoing collaboration across the company.
‣ The frauds described in this assessment are classified according to the Uniform Occupational Fraud Classification System (Appendix A), as promulgated by the Association of Certified Fraud Examiners.
‣ Identification of potential frauds for the 2006 Fraud Risk Assessment included a brainstorming session with key business process owners from across the company.
  ✓ Accounting – Disbursements Management
  ✓ Accounting – Financial Reporting
  ✓ Accounting – Payroll
  ✓ Accounting – Revenue Management
  ✓ CAS
  ✓ Customer Support
  ✓ Law
  ✓ Marketing – Mexico Business Unit
  ✓ Police Solutions
  ✓ Strategic Sourcing – Contract Administration
  ✓ Systems Security – Electronic Forensics Specialist
Summarizing and Analyzing Fraud Risk Assessment
‣ A Fraud Risk Map was developed, plotting each scheme / scenario based upon significance and likelihood. The purpose of the Fraud Risk Map is to guide the appropriate response for each potential fraud scenario or scheme.
‣ The significance of the potential fraud schemes is considered as the fraud scheme or scenario might impact any of three principal areas of BNSF:
  ✓ Financial loss or misstatements within the Financial Statements.
  ✓ Consequences of a fraud on BNSF’s reputation.
  ✓ Impact on BNSF operations.
‣ The likelihood of occurrence of the considered fraud schemes and scenarios is based on past occurrences of the scheme or scenario within or outside BNSF, as well as the sophistication required to commit the scheme or scenario.
Conclusion and Key Findings
‣ Through the brainstorming sessions, discussions with key business process owners, data gathering and analysis, ongoing analysis of Hotline calls and the review of known frauds, CAS identified 40 additional fraud scenarios from 2005, totaling 235 fraud schemes and scenarios.
  ✓ Six scenarios were reclassified from Quadrant I (Prevent at Source) to Quadrant II (Detect & Monitor) based upon our reassessment of the likelihood of occurrence. CAS believes that these schemes—all within Fraudulent Financial Statements—were less likely to occur than CAS initially estimated.
  ✓ Four of 40 additional scenarios fell within Quadrants I and II. These related to Fraudulent Financial Statements, Corruption, and Asset Misappropriation schemes.
  ✓ 24 of the additional schemes added to Quadrants III and IV were associated with Asset Misappropriation. Nine of the additional schemes added to Quadrants III and IV were associated with Corruption.
‣ It is impossible to accurately predict all fraud that might occur in the future.
‣ The Fraud Risk Assessment should not be viewed as a standalone indicator of the presence or absence of fraud at BNSF, or as an evaluation of the effectiveness of the internal control process. It is one element of the overall anti-fraud program at BNSF.
Total Scenarios Identified By Category / Total Identified with Offsetting Controls
Major Fraud Category / Quadrant | Fraudulent Financial Statements | Asset Misappropriation | Corruption | Money Laundering
Quadrant I (Prevent at Source) | 9 / 9 | 3 / 3 | 1 / 1 | 0 / NA
Quadrant II (Detect and Monitor) | 22 / 22 | 3 / 3 | 3 / 3 | 0 / NA
Quadrant III (Monitor) | 4 / 3 | 68 / 55 | 11 / 9 | 0 / NA
Quadrant IV (Low Control) | 13 / 9 | 64 / 48 | 30 / 22 | 4 / 2
‣ There were 13 scenarios identified within Quadrant I. Based upon our assessment, most potential fraud schemes may be mitigated by existing controls—either preventive or detective.
  ✓ Of the scenarios identified, nine were related to the potential for Fraudulent Financial Statements.
    • Manipulating key assumptions used for accounting estimates associated with significant accruals.
      ◦ Employing “cookie jar” type accounting—accruing expenses to meet financial targets.
      ◦ Improper recording of liabilities.
    • Accounting Classification
      ◦ Expenses mischaracterized as capital, rebillable construction or work in progress in order to improve financial performance.
      ◦ Utilizing non-GAAP accounting, under the rationale of industry practice, to misstate earnings.
    • Intentional Omissions
      ◦ Long-term leases kept off the balance sheet or footnotes.
      ◦ Contract allowances, storage and other revenues booked gross, without appropriate reserves.
    • Timing
      ◦ Improper recognition of recoveries or credits.
      ◦ Assets increased on the balance sheet by not claiming release of inventory, such as track materials, when the transaction occurs.
    • False entries
      ◦ Financial statements for an employee’s area of responsibility falsified to conceal poor performance, or to earn bonuses.
  ✓ Of the scenarios identified, three were related to the potential for Asset Misappropriation.
    • A vendor intentionally delivers substandard / nonconforming safety related materials (rail, wheels, brake materials, signal materials, etc.).
    • Other companies or individuals debit BNSF bank and investment accounts.
    • Virus, worm, or Trojan horse attacks on information systems.
  ✓ Of the scenarios identified, one was related to the potential for Corruption.
    • Insider trading of stock.
Risk of Management Override
‣ One new scenario identified in Quadrant II is being researched further. This scenario is the risk that a customer could ship undeclared hazardous material. Some of the mitigating controls are:
  ✓ BNSF’s rules, which incorporate Federal laws, require customers to properly disclose hazardous materials in the shipping documents.
  ✓ The Load and Ride Solutions Group selects some intermodal shipments to be opened and the contents reviewed for compliance with proper loading practices and proper declaration of contents.
‣ The mitigating controls can be rendered less effective if there is management override of controls or if collusion is present.
  ✓ The existence of the preventive or detective controls will seldom provide assurance that management override can be prevented or timely detected.
  ✓ The potential of management override can be addressed through a combination of an effective control environment and pervasive enterprise-wide controls.
  ✓ Examples currently in place at BNSF include:
    • BNSF’s Hotline process.
    • BNSF’s Code of Conduct process.
    • Periodic reviews of manual journal entries by CAS.
    • Reporting relationship between internal and external auditors and the Board and Audit Committee.
    • Ongoing communication between the Audit Committee and the internal and external auditors.
Appendix A
Types of Fraud Considered in the Fraud Risk Assessment
‣ Most frauds fall into one of the three major categories of fraud:
  ✓ Fraudulent Statements: This category generally involves falsification of an organization’s financial statements. Common examples include overstating revenues, or understating liabilities or expenses.
  ✓ Asset Misappropriation: Involves the theft or misuse of an organization’s assets.
  ✓ Corruption: Involves the wrongful use of influence in a business transaction in order to procure some benefit for an employee or other person, contrary to the employees’ duty to their employer or the rights of another. Common examples are kickbacks and conflicts of interest.
‣ The following schema, the Uniform Occupational Fraud Classification System, highlights the various schemes for each of the three major categories of fraud.
‣ In addition to these categories, Money Laundering was added for consideration, in light of recent prosecutions involving other companies in other industries. Money laundering involves financial transactions designed to conceal the source of funds obtained from illegal activities, or to avoid reporting requirements.