BNSF Fraud Risk Assessment Final Version - Corporate Executive ...

Fraud Risk Assessment Process 

Report to the Audit Committee 

TABLE OF CONTENTS 

Fraud Risk Assessment 

Page 

Introduction and Objectives……..………………………………………………… 1 

The Risk Assessment Methodology……………..………………………………… 2 

Conclusion and Key Findings……………..……………………………………….. 4 

Risk of Management Override……………………………………………………… 6 

Uniform Occupational Fraud Classification System……..……………………….. 

Appendix A



Corporate Audit Services Fraud Risk Assessment 

Introduction and Objectives 

‣ The Fraud Risk Assessment is a key element of BNSF’s anti-fraud programs and controls. 

‣ The objective of the Fraud Risk Assessment is to reduce the risks of fraud facing the company and to 

improve company performance by identifying, acknowledging, and controlling fraud risks that 

threaten the company’s resources. 

ü Highlights the critical areas where internal controls may need to be strengthened. 

ü Provides assurances to the Audit Committee and PricewaterhouseCoopers that the risk of 

fraud at BNSF is being effectively managed. 

ü Minimizes the risk of overlooking fraud during internal audit planning stages. 

‣ The Fraud Risk Assessment should be considered as an outline to identify frauds that could occur, in 

an effort to prevent frauds before they occur, to detect frauds and fraud attempts as soon as possible, 

and to remediate fraud if it is discovered. 

‣ BNSF’s Fraud Risk Assessment is subject to continuing review throughout the year. 

ü Included in the continuing review are the occurrence of frauds and attempted frauds that are 

identified through monthly and quarterly surveys of business areas of the company. 

ü The external environment is continually scanned for occurrences of fraud for consideration as 

a possibility at BNSF. 

ü Data is also gathered from Employee Hotline calls, from letters to company officials, and 

from analytical tools that are being developed and implemented to identify potential frauds 

indicated in financial and other data bases maintained by the company. 

‣ Audits performed by Corporate Audit Services consider the risk areas identified in the planning for 

audits to be conducted. 

ü The results of the fraud risk assessment were integrated into our annual audit planning 

activities. 

1



The Risk Assessment Methodology 

Risk 

Internal 

Controls 




Shareholder Value 

Corporate Assets 

Reputation 


‣ The BNSF Fraud Risk Assessment considers the fraud risks, and then identifies existing controls or 

procedures that reduce those risks. 

ü Best practices indicate that the fraud risk assessment be scheme- and scenario-based rather 

than based on control risk scenarios. 

ü The fraud risk assessment requires ongoing collaboration across the company. 

‣ The frauds described in this assessment are classified according to the Uniform Occupational Fraud 

Classification System (Appendix A), as promulgated by the Association of Certified Fraud 

Examiners. 

‣ Identification of potential frauds for the 2006 Fraud Risk Assessment included a brainstorming 

session with key business process owners from across the company. 

ü Accounting – Disbursements Management 

ü Accounting – Financial Reporting 

ü Accounting – Payroll 

ü Accounting – Revenue Management 

ü CAS 

ü Customer Support 

ü Law 

ü Marketing – Mexico Business Unit 

ü Police Solutions 

ü Strategic Sourcing – Contract Administration 

ü Systems Security – Electronic Forensics Specialist 

2



Summarizing and Analyzing Fraud Risk Assessment 

‣ A Fraud Risk Map was developed, plotting each scheme / scenario based upon significance and 

likelihood. The purpose of the Fraud Risk Map is to guide the appropriate response for each potential 

fraud scenario or scheme. 

‣ The significance of the potential fraud schemes is considered as the fraud scheme or scenario might 

impact any of three principal areas of BNSF: 

ü Financial loss or misstatements within the Financial Statements. 

ü Consequences of a fraud on BNSF’s reputation. 

ü Impact on BNSF operations. 

‣ The likelihood of occurrence of the considered fraud schemes and scenarios is based on past 

occurrences of the scheme or scenario within or outside BNSF, as well as the sophistication required 

to commit the scheme or scenario. 

3



Conclusion and Key Findings 

‣ Through the brainstorming sessions, discussions with key business process owners, data gathering 

and analysis, ongoing analysis of Hotline calls and the review of known frauds, CAS identified 40 

additional fraud scenarios from 2005, totaling 235 fraud schemes and scenarios. 

ü Six scenarios were reclassified from Quadrant I (Prevent at Source) to Quadrant II (Detect & 

Monitor) based upon our reassessment of the likelihood of occurrence. CAS believes that 

these schemes—all within Fraudulent Financial Statements—were less likely to occur than 

CAS initially estimated. 

ü Four of 40 additional scenarios fell within Quadrants I and II. These related to Fraudulent 

Financial Statements, Corruption, and Asset Misappropriation schemes. 

ü 24 of the additional schemes added to Quadrants III and IV were associated with Asset 

Misappropriation. Nine of the additional schemes added to Quadrants III and IV were 

associated with Corruption. 

‣ It is impossible to accurately predict all fraud that might occur in the future. 

‣ The Fraud Risk Assessment should not be viewed as a standalone indicator of the presence or absence 

of fraud at BNSF, or as an evaluation of the effectiveness of the internal control process. It is one 

element of the overall anti-fraud program at BNSF. 

Major Fraud Category 

/ Quadrant 

Quadrant I 

(Prevent at Source) 

Quadrant II 

(Detect and Monitor) 

Quadrant III 

(Monitor) 

Quadrant IV 

(Low Control) 

Fraudulent 

Financial 

Statements 

Total Scenarios Identified By Category / 

Total Identified with Offsetting Controls 

Asset 

Misappropriation 

Corruption 

Money 

Laundering 

9 / 9 3 / 3 1 / 1 0 / NA 

22 / 22 3 /3 3 / 3 0 / NA 

4 / 3 68 / 55 11 / 9 0 / NA 

13 / 9 64 / 48 30 / 22 4 / 2 

4



‣ There were 13 scenarios identified within Quadrant I. Based upon our assessment, most potential 

fraud schemes may be mitigated by existing controls—either preventive or detective. 

ü Of the scenarios identified, nine were related to the potential for Fraudulent Financial 

Statements. 

• Manipulating key assumptions used for accounting estimates associated with significant 

accruals. 

o Employing “cookie jar” type accounting—accruing expenses to meet financial 

targets. 

o Improper recording of liabilities. 

• Accounting Classification 

o Expenses mischaracterized as capital, rebillable construction or work in progress in 

order to improve financial performance. 

o Utilizing non-GAAP accounting, under the rationale of industry practice, to misstate 

earnings. 

• Intentional Omissions 

o Long-term leases kept off the balance sheet or footnotes. 

o Contract allowances, storage and other revenues booked gross, without appropriate 

reserves. 

• Timing 

o Improper recognition of recoveries or credits. 

o Assets increased on the balance sheet by not claiming release of inventory, such as 

track materials, when the transaction occurs. 

• False entries 

o Financial statements for an employee’s area of responsibility falsified to conceal poor 

performance, or earn to bonuses. 

ü Of the scenarios identified, three were related to the potential for Asset Misappropriation. 

• A vendor intentionally delivers substandard / nonconforming safety related materials 

(rail, wheels, brake materials, signal materials, etc.). 

• Other companies or individuals debit BNSF bank and investment accounts. 

• Virus, worm, or Trojan horse attacks on information systems. 

ü Of the scenarios identified, one was related to the potential for Corruption. 

• Insider trading of stock. 

5



Risk of Management Override 

‣ One new scenario identified in Quadrant II is being researched further. This scenario is the risk that a 

customer could ship undeclared hazardous material. Some of the mitigating controls are: 

ü BNSF’s rules which incorporate Federal laws require customers to properly disclose 

hazardous materials in the shipping documents. 

ü The Load and Ride Solutions Group selects some intermodal shipments to be opened and the 

contents reviewed for compliance with proper loading practices and proper declaration of 

contents. 

‣ The mitigating controls can be rendered less effective if there is management override of controls or 

if collusion is present. 

ü The existence of the preventive or detective controls will seldom provide assurance that 

management override can be prevented or timely detected. 

ü The potential of management override can be addressed through a combination of an 

effective control environment and pervasive enterprise-wide controls. 

ü Examples currently in place at BNSF include: 

• BNSF’s Hotline process. 

• BNSF’s Code of Conduct process. 

• Periodic reviews of manual journal entries by CAS. 

• Reporting relationship between internal and external auditors and the Board and Audit 

Committee. 

• Ongoing communication between the Audit Committee and the internal and external 

auditors. 

6



Appendix A 

Types of Fraud Considered in the Fraud Risk Assessment 

‣ Most frauds fall into one of the three major categories of fraud: 

ü Fraudulent Statements: This category generally involves falsification of an organization’s 

financial statements. Common examples include overstating revenues, or understating 

liabilities or expenses. 

ü Asset Misappropriation: Involves the theft or misuse of an organization’s assets. 

ü Corruption: Involves the wrongful use of influence in a business transaction in order to 

procure some benefit for an employee or other person, contrary to the employees’ duty to 

their employer or the rights of another. Common examples are kickbacks and conflicts of 

interest. 

‣ The following schema, the Uniform Occupational Fraud Classification System, highlights the various 

schemes for each of the three major categories of fraud 

‣ In addition to these categories, Money Laundering was added for consideration, in light of recent 

prosecutions involving other companies in other industries. Money laundering involves financial 

transactions designed to conceal the source of funds obtained from illegal activities, or to avoid 

reporting requirements. 

7

8 


Report to the Audit Committee

BNSF Fraud Risk Assessment Final Version - Corporate Executive ...

Create successful ePaper yourself

Delete template?

Save as template?