
Prodigy Newsbyte
Issue 19, May 2007 – July 2007
BROUGHT TO YOU BY THE PRODIGY GROUP
SINGAPORE | HONG KONG | MALAYSIA | INDONESIA

In this issue:
• RECOMMENDATION FOR AN EFFECTIVE CONTINUOUS AUDIT PROCESS
• RISK MANAGEMENT IN PRACTICE: FRAUD AND CORRUPTION
• COMMUNICATING WITH THE CEO

Recommendation For An Effective Continuous Audit Process
By David Coderre
An evolving regulatory environment, increased globalisation of
businesses, market pressure to improve operations, and rapidly
changing business conditions are creating the need for more timely
and ongoing assurance that controls are working effectively and risk
is mitigated properly. To meet this need, many internal auditors are
using continuous auditing to maximise the effectiveness of their
work. Learning what continuous auditing does and how it works can
help auditors make better use of this process, while maintaining
internal audit's independence and objectivity in evaluating the
effectiveness of controls, risk management, and governance
processes.

What Is Continuous Auditing?


To understand the benefits of continuous auditing, it is important to
know the differences between continuous auditing and continuous
monitoring. Continuous auditing is the use of audit methods, ranging
from ongoing control evaluations to continuous risk assessments on
a more frequent or ongoing basis. Technology plays a key role in the
continuous audit process by automating the pattern analysis of key
numeric fields and the examination of trends. Technology also
enables the comparison of detailed transaction analysis against
specific thresholds, the identification of exceptions and anomalies,
the testing of controls, and the comparison of processes or systems
over time.

On the other hand, continuous monitoring is a process that management puts in place to
ensure that its policies, procedures, and business processes are operating effectively. It
typically addresses management's responsibility to assess the adequacy and effectiveness of
internal controls. For instance, management may identify critical control points and
implement automated tests to determine if these controls are working properly.

The continuous monitoring process usually involves the automated testing of all transactions
and system activities within a given business process area against control rules. Monitoring
may occur on a daily, weekly, or monthly basis based on the nature of the underlying
business cycle. For example, depending on the specific control rule, related test, and
threshold parameters, certain transactions are flagged as control exceptions after which
management is notified. The continuous monitoring function also may be tied to key
performance indicators (KPIs) and other performance measurement activities.

Many of the continuous monitoring techniques used by management are similar to those
performed by internal auditors during continuous audit activities. However, continuous
auditing usually enables auditors to evaluate the adequacy of management's monitoring
function and identify and assess risk areas.

By using data-driven indicators of risk and electronic testing of controls, IT auditors can
provide audit committees and senior management with independent assurance that control
systems are working effectively and risk is being managed. Furthermore, continuous
auditing helps IT-savvy auditors to:

• Develop a dynamic risk-based plan by assessing changing levels of risk on an ongoing
basis
• Support the scope and objectives of individual audits by providing the audit team with
a better understanding of the materiality and nature of the transactions being
performed
• Assess levels of compliance by performing detailed testing of controls
• Identify potential fraud, waste, and abuse by brainstorming fraud risks and the
development of data-support audit tests

The Prodigy Group
Singapore – (65) 6221 2810
Hong Kong – (852) 2815 5606
Malaysia – (60) (3) 2283 5050
Indonesia – (62) (21) 4288 3120
Email: [email protected]
Find us on the Web: www.prodigy-group.com

Continuous auditing consists of two main components — continuous risk assessment and
continuous control assessment. Below is a description of each. Continuous risk
assessments refer to audit activities that identify and evaluate companywide risk levels by
examining trends and comparisons within a single process or system. These processes are
then compared to their past performance and other business systems. For example,
product line performance is compared to previous-year results and also is assessed within
the context of one plant's performance versus the others.

While management is responsible for developing and maintaining a system that identifies
and mitigates risk, The Institute of Internal Auditors (The IIA) states that auditors should
assist the organisation by identifying and evaluating significant exposures to risk and by
contributing to the improvement of risk management and control systems.

The organisation encourages auditors to establish risk-based plans to determine the
priorities of internal audit activities that are consistent with the organisation's goals.
Throughout the continuous audit process, auditors are responsible for evaluating the state
of risk and control systems and providing this information to the audit committee and senior
management. In the case of legislation such as the U.S. Sarbanes-Oxley Act of 2002,
auditors also evaluate management's assessments of their internal controls. Ideally,
internal auditors are not part of the controls monitoring process and do not design or
maintain the controls, thereby retaining their independence. Auditors can use continuous
risk assessments to identify and evaluate risk levels on an ongoing basis. This allows
auditors to assess management's risk mitigation activities and support the development of
objectives for individual audits and the annual audit plan. Continuous risk assessments can
include the evaluation of detailed transactions against a cut-off point and a comparative
analysis on a summary of the transactions. This type of comparison enables auditors to
examine a process' consistency by measuring its variability in a number of dimensions. In
operations, for instance, measuring the variability in the number of defects is a method for
testing the consistency of a production line. The more variability in the number of defects,
the more concerns about the proper and consistent functioning of the production line.
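
The comparisons described above (a cut-off on detailed counts, this year against last year, and one plant against the others) can be sketched as follows. This is an added example, not part of the original article; the plant names, defect counts, cut-off and ratio thresholds are constructed assumptions.

```python
from statistics import mean, median, pstdev

# Constructed sample: weekly defect counts per plant (not real data).
DEFECTS = {
    "Plant A": {"prior": [12, 11, 13, 12, 12, 11], "current": [12, 13, 11, 12, 13, 12]},
    "Plant B": {"prior": [10, 12, 11, 10, 11, 12], "current": [4, 19, 9, 25, 6, 15]},
    "Plant C": {"prior": [20, 21, 19, 20, 22, 20], "current": [21, 20, 22, 19, 21, 20]},
}


def coefficient_of_variation(counts):
    """Standard deviation relative to the mean, so plants of different
    size can be compared; 0.0 for an all-zero series."""
    m = mean(counts)
    return pstdev(counts) / m if m else 0.0


def risk_indicators(defects, cutoff=24, growth=2.0, peer_factor=2.0):
    """Return {plant: [indicator, ...]} using three assumed tests:
    OVER_CUTOFF     a weekly count in the current year exceeds the cut-off
    VARIABILITY_UP  current variability is more than `growth` x prior year
    ABOVE_PEERS     current variability is more than `peer_factor` x the
                    median variability across all plants
    """
    current_cv = {p: coefficient_of_variation(d["current"])
                  for p, d in defects.items()}
    peer_median = median(current_cv.values())
    result = {}
    for plant, d in defects.items():
        flags = []
        if any(count > cutoff for count in d["current"]):
            flags.append("OVER_CUTOFF")
        if current_cv[plant] > growth * coefficient_of_variation(d["prior"]):
            flags.append("VARIABILITY_UP")
        if current_cv[plant] > peer_factor * peer_median:
            flags.append("ABOVE_PEERS")
        result[plant] = flags
    return result


def plants_to_review(defects, **thresholds):
    """Plants with at least one indicator, most indicators first."""
    flags = risk_indicators(defects, **thresholds)
    return sorted((p for p in flags if flags[p]),
                  key=lambda p: (-len(flags[p]), p))


if __name__ == "__main__":
    for plant, flags in risk_indicators(DEFECTS).items():
        print(plant, flags or "no indicators")
```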

The second component of continuous auditing is continuous control assessment.
Continuous control assessment refers to audit activities that identify whether selected
controls are working properly. Traditionally, control testing is performed on a retrospective
and cyclical basis after business activities occur. The testing procedures often are based
on a sampling approach and include activities such as reviews of policies, procedures,
approvals, and reconciliations.

Today, organisations recognise that this approach gives internal auditors a narrow scope of
evaluation and is used too late to be of real value to business performance or regulatory
compliance activities. Through continuous control assessments, individual transactions are
monitored against a set of control rules that determine if internal controls are functioning
as designed and that highlight exceptions. A well-defined set of control rules warns
organizations when process or system controls are not working as intended or are
compromised. By identifying control weaknesses and violations, auditors can let audit
committees and senior management know whether controls are working properly.

Continuous control assessments don't need to occur in real-time. The frequency depends on
the control's risk level and the degree to which management is monitoring the controls. For
example, management may perform ongoing monitoring of purchase cards on a transaction
basis, while auditors run the purchase card analytics once a month after receiving the card
transactions from the credit card company. And, in some cases, auditors may perform the
initial control testing, after which management will monitor the control on an ongoing basis.

Starting The Continuous Audit Process
Many organisations have been evaluating the introduction of continuous auditing to support
regulatory control assessment requirements. While having an adequate automated system for
testing controls contributes to the assessment of internal controls and the overall mandate
for a higher standard of corporate governance, additional benefits in the form of improved
business performance can be equally significant. Therefore, it is important for the chief
audit executives (CAEs) to consider the short- and long-term objectives of continuous
auditing. The effort involved in gaining access to and knowledge of key business systems and
processes has the potential to reduce the burden of compliance and eliminate impediments to
business performance.

To start the continuous audit process, auditors first need to understand continuous audit
objectives and requirements. Continuous auditing can be approached on an incremental basis
(i.e., starting small and building on each success). When developing an approach to
continuous auditing, IT auditors should make sure they have considered the short- and
long-term objectives to address management-set goals adequately. The continuous audit
process can be started in two ways. The first requires the use of the organisation's
continuous monitoring or enterprise risk management (ERM) function. The extent to which
management is performing continuous monitoring will affect the continuous audit effort, as
well as internal audit's assessment of management’s continuous monitoring.

In areas where management has not implemented continuous monitoring, auditors should apply
detailed testing by employing continuous audit techniques such as testing detailed
transactions from an ERP system to determine that segregation of duties was not violated.
The same is true for management's ERM function. In some cases, auditors may play a proactive
role establishing risk management and control processes. In companies where management is
performing continuous monitoring or ERM, auditors only need to perform procedures to
determine if they can rely on these processes, such as:

• Reviewing the continuous monitoring and ERM framework.
• Determining whether there is a systematic process to identify and assess risks and
controls.
• Verifying that the organisation responds properly to identified risks and control
deficiencies.

A second starting place is the organisation's current risk-based audit plan. Simply by
including data-driven indicators of risk, auditors easily can bring continuous auditing to
bear on the selection of audit activities. A key point to remember is that auditors can
start small. The IT auditor or audit team leader can increase the use of data analysis to
support individual audits, then run the same analysis six months later to see if the audit
recommendations have been implemented and if they had the desired effect.

The key to making effective use of continuous auditing is to develop a good understanding of
the main business processes and the associated information systems and infrastructure (i.e.,
their controls and the data contained therein). However, the adoption of continuous auditing
will not only require auditors to have knowledge of information systems, but also enable
them to analyse the data. This means that IT auditors need to have the necessary data
analysis skills.

Furthermore, auditors must realise that continuous auditing will change the way audits are
conducted, including the procedures and level of effort required by auditors. This will
place demands on the audit department and possibly the work performed by IT auditors. In
particular, auditors will have to obtain the support of the audit committee and senior
management to move forward with the implementation of continuous auditing.

Continuous auditing also will allow auditors to identify the organisation's key controls and
risk areas any time during the year. The results will not be linked to a specific audit
necessarily, nor will the level of assurance be as high as if a full audit was conducted. In
addition, a formal audit report may not even be issued. The audit committee, management
function, and internal auditors will have to realise the implications this may
have on future audit reports and findings. Finally, auditors must be prepared to manage and
report the results obtained. For instance, auditors need to consider:

• How often will continuous audit tests be run?
• How will the company deal with anomalies?
• What reporting mechanisms will be developed?
• What will be audit's and management's response?

Other Considerations
While technology has made data easier to access than before, and computing power makes
Find us on the Web: real-time analysis increasingly feasible, technical hurdles remain. In particular, information to
[www.prodigy-group.com] be audited must be generated by reliable systems, the continuous audit process must be
highly automated, and an effective link between the auditor's system and that of the audited
entity must exist. The CAE must ensure that continuous auditing is adopted as an integrated,
consistent approach to a controls-based, risk-oriented audit plan.

In addition, the audit department will have to document, develop, and maintain the technical
competencies and technology necessary to access, manipulate, and analyze the data
contained in disparate information systems.
To overcome these challenges, IT auditors must understand the business process sufficiently
well before defining the appropriate analytical techniques and identifying potential risk and key
control points. IT auditors also should have the ability to gain access to relevant data in a
timely manner and be capable of normalising data from disparate systems across the
organization. The aim is to identify the most accurate and effective data source and control
points to perform continuous audit tests and analyses. This also will enable auditors to
perform a comprehensive set of tests and analyses that address key control points and risk
areas, as well as report results in a timely manner. Doing this will require auditors to
understand the nature of the tests or analyses used to:

• Investigate exceptions, processes, and systems identified as being at risk.
• Accumulate and quantify total risk exposures.
• Monitor and modify continuous audit variables, tuning the system to produce manageable
results.

Finally, IT auditors will have to manage and respond to continuous audit results and determine
their appropriate use, follow-up, and reporting mechanisms. For instance, auditors will have to
identify whether appropriate action is taken on the findings reported to management and if
continuous audit results are considered by management when assessing activities.

Moving Forward
Management's use of continuous audit procedures will help determine if controls are effective
and the information produced for decision-making is relevant and reliable. An important
benefit of continuous auditing is that instances of error and fraud are reduced significantly,
operational efficiency is increased, and bottom-line results are improved through a
combination of cost savings and a reduction in overpayments. Additionally, organisations that
use continuous auditing often find that they achieve a rapid return on investment. When using
continuous auditing, internal auditors need to address the end-to-end business process and IT
controls present in business activities. The reliability of business systems and transactional
data is paramount not only to the internal control framework and the integrity of financial
reporting, but also to the efficiency of business operations. Thus, ensuring the reliability,
integrity, and availability of business systems and data should be a key objective for IT
auditors and senior managers.

Finally, continuous auditing can help internal auditors and senior management identify and
assess risk at many levels throughout the organisation. At a higher level, continuous auditing
should take place as part of the annual planning process. Continuous audit results should be
used when determining the risk-based audit plan and be made available to the audit team
leader as a starting point for the audit. During the conduct of individual audits, continuous
auditing can be used to further examine risks. As part of the planning and implementation
phases, specific key controls can be tested, such as separation of duties, while comparisons
can be used to identify operation improvement areas. After the audit, data-driven indicators
can be used to determine if improvements were realised and whether audit recommendations
were implemented and had the desired effect.
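
As an added illustration (not from the original article or from any audit product), the control tests this article mentions, separation of duties, threshold checks and purchase card analytics, can be written as rules run over a transaction extract, with exposure accumulated per rule. The field names, the 2,500 single-purchase limit and the sample transactions are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from decimal import Decimal


@dataclass(frozen=True)
class Txn:
    txn_id: str
    day: date
    purchaser: str   # person who made the purchase
    approver: str    # person who approved it
    vendor: str
    invoice: str
    amount: Decimal


# Assumed policy value (hypothetical): single-purchase limit per card.
SINGLE_LIMIT = Decimal("2500.00")


def rule_separation_of_duties(txns):
    """The person who made a purchase must not also approve it."""
    return [(t.txn_id, "SOD", f"{t.purchaser} approved own purchase")
            for t in txns if t.purchaser.lower() == t.approver.lower()]


def rule_single_limit(txns, limit):
    """Any one transaction above the single-purchase limit."""
    return [(t.txn_id, "LIMIT", f"{t.amount} exceeds {limit}")
            for t in txns if t.amount > limit]


def rule_split_purchase(txns, limit):
    """Under-limit purchases by one person at one vendor on one day that
    together exceed the limit (a way around rule_single_limit)."""
    groups = defaultdict(list)
    for t in txns:
        if t.amount <= limit:
            groups[(t.purchaser.lower(), t.vendor.lower(), t.day)].append(t)
    found = []
    for items in groups.values():
        total = sum(t.amount for t in items)
        if len(items) > 1 and total > limit:
            found += [(t.txn_id, "SPLIT", f"day total {total} exceeds {limit}")
                      for t in items]
    return found


def rule_duplicate_payment(txns):
    """Same vendor, invoice number and amount paid more than once."""
    first_seen, found = {}, []
    for t in sorted(txns, key=lambda t: (t.day, t.txn_id)):
        key = (t.vendor.lower(), t.invoice.strip().upper(), t.amount)
        if key in first_seen:
            found.append((t.txn_id, "DUPLICATE", f"repeats {first_seen[key]}"))
        else:
            first_seen[key] = t.txn_id
    return found


def run_control_tests(txns, limit=SINGLE_LIMIT):
    """Run every rule; return exceptions as (txn_id, rule, detail)."""
    return sorted(rule_separation_of_duties(txns)
                  + rule_single_limit(txns, limit)
                  + rule_split_purchase(txns, limit)
                  + rule_duplicate_payment(txns))


def exposure_by_rule(txns, exceptions):
    """Total amount of the flagged transactions, per rule."""
    amount = {t.txn_id: t.amount for t in txns}
    totals = defaultdict(Decimal)
    for txn_id, rule, _detail in exceptions:
        totals[rule] += amount[txn_id]
    return dict(totals)


# Constructed sample extract (not real data).
SAMPLE = [
    Txn("T1", date(2007, 5, 2), "alice", "bob", "Acme Supplies", "INV-100", Decimal("1200.00")),
    Txn("T2", date(2007, 5, 3), "carol", "carol", "Northwind Stationery", "INV-200", Decimal("300.00")),
    Txn("T3", date(2007, 5, 4), "dave", "erin", "Delta Travel", "INV-300", Decimal("3100.00")),
    Txn("T4", date(2007, 5, 7), "frank", "erin", "Kappa IT", "INV-410", Decimal("1500.00")),
    Txn("T5", date(2007, 5, 7), "frank", "erin", "Kappa IT", "INV-411", Decimal("1400.00")),
    Txn("T6", date(2007, 5, 9), "alice", "bob", "Acme Supplies", "inv-100 ", Decimal("1200.00")),
]

if __name__ == "__main__":
    exceptions = run_control_tests(SAMPLE)
    for exc in exceptions:
        print(*exc, sep=" | ")
    print(exposure_by_rule(SAMPLE, exceptions))
```

Changing `limit` is the tuning step the article refers to: it alters how many exceptions the LIMIT and SPLIT rules produce for the same extract.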

Building New and Different Sessions in Your Log File

ACL automatically creates a command log when you create an ACL project. The command log
records and displays the commands issued and the results obtained during your data analysis
project. The command log acts as valuable documentation that you can use to retrace your
steps and repeat earlier results.

But did you know that, in the context of the command log, sessions give you the ability to
label a series of commands for historical purposes? When you start a session, you can give
it a descriptive name. When you later review your log, you can easily see the commands in
the session, and the descriptive name reminds you why you performed the commands.

Steps in Adding New Session
Go to log file then Right Click, choose “Add New Session”
Now name your session

Any commands that you perform from now on will be recorded onto the new session log file (in
the example above, the new activities will be logged onto Accounting Audit Session).

Planning For The Best


Source: CFO
A new study by the American Productivity and Quality Centre (APQC) finds that finance
organisations that focus on planning, budgeting, and forecasting as key elements of their
business strategy are higher performers in all areas than those that focus on cost
accounting, controls, and cost management. In general, high-performing companies
spend a higher percentage of their resources on budgeting and planning (B&P), but when
compared with poor performers, they spend less overall on finance.

The top 20% of participants in the study spent 29 US cents for each US$1,000 of revenue
on budgeting, planning, and forecasting, making it their highest cost. They spent just 25
US cents on cost accounting, controls, and cost management, and 24 US cents on
evaluating and managing financial performance. The worst performers spent the most on
controls and cost management (US$2.47) and still spent US$1.81 on planning and
US$2.08 on managing financial performance.

“High cost does not equal effectiveness,” says Lisa Higgins, chief operating officer of
APQC and co-author of the report. She says companies that spend a higher percentage
up front on B&P have lower overall costs across the board in finance and faster cycle
times.

For example, the top performers complete the budget cycle in 30 days, while the bottom
20% take 90 days. High performers are also more likely to use rolling forecasts and link
the budgeting process to strategy and compensation. Of course, higher spending on
controls and cost management is often a symptom of deeper problems rather than a
cause of them. Companies that spend more on planning probably have the luxury of
doing so because their financial house is already in order.

Risk Management In Practice: Fraud & Corruption
Source: Martin Samociuk
Despite significant investment in governance frameworks, fraud and corruption management
rarely gets beyond compliance requirements. Martin Samociuk explains how employees can
be harnessed in the ongoing fraud fight.

Over the past few years, most large organisations have expended a great deal of effort in
complying with new legislation that has been introduced in response to a spate of corporate
collapses resulting from fraudulent and corrupt behaviour. This has included significant
investment in corporate governance, operational risk management and corporate responsibility
frameworks.

The result is that there is a greater understanding of the processes and controls that mitigate
fraud and corruption. However, once the regulatory requirements have been satisfied, that has
usually been the extent of the fraud and corruption prevention strategy, particularly if the
organisation has not suffered any prior large frauds. As a number of banks have recently
discovered, focusing purely on processes and controls is not enough to prevent fraud. Even
after expending all the effort to comply with the legislation, fraudsters have still been able to
work undetected over long periods of time. Those organisations have found that there are
other elements of a strategy that need to be in place if they are to avoid the unpleasant effects
of fraud and corruption.

They have realised that they have not invested enough time and effort in developing one of the
most potent anti-fraud and corruption weapons – their own employees. To implement an
effective strategy, the organisation needs to empower employees to prevent fraud and
corruption. The first step in this process is to make senior management aware that investing in
an anti-fraud and corruption culture can help to avoid the unpleasant after effects.

The effects of fraud and corruption


Discovery of fraud and corruption in an organisation has a number of unpleasant effects. The
first is the dramatic and damaging effect on innocent employees and third parties – loss of
morale and shattered confidence, high stress from investigations and being under suspicion.
There is also an unpleasant realisation by senior management that because fraud and
corruption losses eventually come off the bottom line, every dollar lost reduces net income by
the same amount. If the profit margin of the organisation is, say, 10 per cent, then to recover
the lost income requires 10 times the revenue to be generated. Hence, to recover a $10 million
loss requires $100 million of extra revenue. Additionally, in most cases, the hidden
indirect costs such as constraints on expansion and development, damage to reputation and
employee morale greatly outweigh the direct costs. Senior managers quickly realise that the
costs of investigation are not to be taken lightly. If a case is complicated and involves the
international movement of funds, then the investigation costs can be very complex. It is not
unusual to spend $1 million or more on investigating a $10 million fraud. When cross border
money transfers and offshore tax havens are involved, this can cost more than the amount
lost.

Probably the single most important (and often the most ignored) realisation by senior
management is that the organisation may be carrying other ongoing frauds. There is a wealth
of evidence to support this message. For example, research by the Association of Certified
Fraud Examiners in the US across a wide range of industries has repeatedly indicated that
the typical organisation loses around 5 per cent of its annual revenues to fraud and
corruption.

Clearly, investing in preventing fraud and corruption, and hence removing hidden costs, is
far better than investigating and cleaning up post event. Once this is acknowledged, then
there are a number of steps that can be taken to enhance a fraud and corruption risk
management strategy.

Tone at the top
The first step is to set the correct tone at the top. A healthy and ethical organisational
culture from the top down is a cornerstone of effective fraud and corruption prevention.
However, there is a big difference in a board of directors simply issuing a code of conduct
and fraud and corruption policy and then only paying lip service to it, and in empowering
employees to prevent dishonest or corrupt business practices.

For example, some chief executive officers are hired because they achieve results by being
ruthless, decisive, aggressive risk-takers who are totally fixated on the bottom line
profit. There is nothing intrinsically wrong with this because improved profit is still what
the shareholders and stock markets want to see.

However, when these CEOs are surrounded by weak fellow directors and managers, they may
begin to treat the company and its assets as their own. They run up large personal expenses
which the company pays for, or have work done on their homes by company contractors, or
treat their employees as personal servants.

They also pressure employees to indulge in business practices that may be fraudulent and
corrupt, but are acceptable, as long as they are making large profits for the company. At
the extreme end of the scale, and the most difficult for employees to deal with, is the
personality type known as the ‘corporate psychopath’. Corporate psychopaths have an
overwhelming urge to obtain power and the status that having a lot of money brings. They
desire influence and power over their colleagues and make plans over long periods of time
and lie, deceive and manipulate as necessary to commit their frauds without feeling any
remorse. They enjoy humiliating staff without making it obvious that they are behind it and
can change their stories so skillfully that it can leave employees confused and wondering if
they have stumbled onto a room full of smoke and mirrors.

There is very little to distinguish this type of person from those in the upper echelons of
organised crime. Very few people actually see the real persona. Only those few who are on
the receiving end of the psychopath’s attention catch a glimpse of what is lurking below the
surface. The pressure exerted by such a dishonest CEO, director or senior manager can
motivate other managers and employees to participate in a major fraud. Such frauds can have
catastrophic effects and, once started, are hard to stop. Management-initiated frauds can
spread rapidly through an organisation.

This leads to a lack of interest in controlling the business and an increasing temptation to
join in with similar, albeit smaller frauds. Honest employees may be powerless because they
have not been provided with any awareness training as to what constitutes fraudulent or
corrupt behaviour, nor a practical means of reporting concerns. Employees need to see that
dishonest or corrupt business practices are not tolerated anywhere in the organisation, even
at the top.

Fraud and corruption awareness training
Practical awareness training is essential to assist employees to identify when they may be
dealing with fraudulent or corrupt individuals, particularly those who may be senior to
them, and to train them how to respond. It is common to find that very few employees have
previously received any form of practical instructions.

However, after training, all employees, whatever their position or level, have found the
subject engaging, interesting and as a result have been much more prepared to do something
about the problem of fraud and corruption. The most effective programs are those that are
realistic, enjoyable, and interactive where feedback from the participants is an integral
part of the program. Practical, engaging training scenarios and case examples should be used
as a mandatory part of training for all employees. The content and examples used should be
regularly reviewed and updated. It is very important, before developing and launching a
fraud and corruption awareness program, to identify a sponsor that will support it and
ensure that it has received sufficient management attention. Sponsors can include corporate
security, human

Not having a sponsor can lead to the program not being taken seriously and people being too
scared to report potential problems for fear of retribution. Often a joint sponsorship team
involving one or more executive board members is the preferred and stronger solution. The
training program should demystify fraud and corruption for the participants, help their
understanding of the methods used against the company by different opponents, as well as
teach them how to defend against fraud and how to spot and deal with the red flags.
Participants should be encouraged to recognise the loopholes from the perspective of a
potential criminal, and the way that psychology may be used to fool an honest person.

Example
An employee with a severe gambling problem used a ballpoint pen containing erasable ink to
make out a spurious cheque to a genuine payee. He waited until his manager had an office
full of people before knocking on the door and requesting an ‘urgent’ signature. The
manager, whose mind was on other urgent issues, verified that the cheque was made out to
the expected payee and signed it without querying the supporting documentation. After this,
the employee rubbed out the payee name, inserted his own name and cashed the cheque.
He used this technique to raise dozens of cheques over a number of years and obtained
more than $5 million. The fraud only came to light when he went on holiday and a colleague
discovered how he had been hiding discrepancies in the books.

Equally important is to train
managers to detect when employees may have problems that could potentially lead to fraud.
For example, several recent frauds have involved employees who had developed gambling
addictions as a result of depression. To feed their addictions, they had resorted to stealing
from their employer. In each case, the employees had displayed changes to their behaviour
and other red flags, which colleagues had either ignored, or not recognised the significance
of. Specific training should be provided on how to identify and deal with employees who may
be suffering from depression.

Empowering employees
Having trained employees to spot the red flags of fraud and corruption, it is then essential to
empower employees to report concerns. Usually, the first reporting line is to their direct line
manager. If that is not feasible – for example, when they have suspicions about their line
manager – the organisation should implement a whistle blowing procedure to provide a
confidential and anonymous route for employees. There is a legal requirement in some
countries that have adopted whistle blowing legislation for the whistleblower to be protected
from any adverse reaction by the company or directors following their disclosure, providing
that the disclosure was not malicious. However, in spite of improvements in legislation, it is
still a brave employee who raises issues involving the CEO or other executive director.

Employees working for an executive who is a corporate psychopath may find it very difficult to
come up with solid proof even if suspicions are raised about behaviour or lifestyle, or if there
is evidence in transactions or documents. The corporate psychopath is an expert at
manipulating situations, evidence and people and will have built up a powerful network of
supporters, both executive and non-executive. The employee who raises concerns can be
sidelined, but not in a manner where they could successfully argue that they had been
unfairly discriminated against as a result of them blowing the whistle. When designing and
implementing a whistle blowing reporting line, the sponsors, together with independent
executives – for example, on the audit committee – should include a procedure for dealing
with those extreme cases where an employee or external party may raise issues implicating
the CEO or other director. Employees are then empowered to report concerns at every level
of the organisation without the fear of retribution.

Measuring fraud and corruption resistance


An increasing number of organisations are realising that even though they may be able to
certify that they comply with relevant legislation, they still do not have any effective way of
measuring how resistant they are to fraudsters or corrupt individuals, or of benchmarking
against other organisations, nor of testing the level of understanding by employees about
fraud and corruption. Recognizing this need, one of the world’s largest independent third
party certification and assessment agencies, Det Norske Veritas (DNV), has developed a
prototype Fraud and Corruption Resistance Assessment protocol which comprises 12 main
elements. The objective is to test in practical terms how effective the implementation of the
fraud and corruption strategy has been. The result is a unique fraud and
corruption resistance profile of the particular organisation and the gaps represent where there
is room for improvement. Behind the assessment model, a detailed protocol consisting of
over 500 questions has been developed in an attempt to ensure consistency and avoid
ambiguity. A weighting and scoring system is also applied to each of the 12 elements.

For example, element 1 (Tone at the Top) explores the role of senior management in setting
the ‘tone at the top’ and how the message that fraud and corruption will not be tolerated is
communicated throughout the organisation. It is then further divided into eight sub-elements:
policy; quality of policy; fraud and corruption resistance management strategy; stakeholder
engagement; management representative; operational risk management; existence of
relevant standards and procedures; and senior management participation.
Together these comprise a total of 46 key questions, which carry a weighting equivalent to
12.5 per cent of the total. The end result is a rating that measures resistance. A regular fraud
and corruption resistance assessment would typically be requested by either a non-executive
board member or the audit committee, but it could equally be initiated from within the
company, provided there was some degree of independent assessment. It is unlikely that
any organisation is ever going to be 100 per cent fraud and corruption proof. Just being in
business carries an inherent risk of fraud and corruption, and fraudsters are very adept at
identifying and exploiting new opportunities. However, executives who empower their
employees can build an organisation with a much higher resistance to fraud and corruption,
thereby adding significant value for shareholders and stakeholders alike.

The following statistics about fraud and white-collar crime are featured in the Association of
Certified Fraud Examiners’ Report to the Nation. The Report contains a wealth of
information about the causes of fraud, the direct and indirect costs of occupational fraud
and abuse, and the methods by which employees and other insiders commit fraud. Fraud
and abuse costs U.S. organizations more than $400 billion annually.
• The average organization loses more than $9 per day per employee to fraud and
abuse.
• The average organization loses about 6% of its total annual revenue to fraud and
abuse committed by its own employees.
• The typical perpetrator is a college-educated white male.
• Men commit nearly 75% of the offenses.
• Losses caused by managers are four times those caused by employees.
• Median losses caused by executives are 16 times those of their employees.
• The most costly abuses occur in organizations with less than 100 employees.

Communicating With The CEO


Source: CFO
What can the board of directors do to make sure that their CEO has moved to a place
focused on mitigating operational risks to enhance opportunities and long term strategy?
Fundamentally, the first task is to make sure that the CEO has a management system in
place for operational risk. What is needed is a process approach for establishing,
implementing, operating, monitoring, maintaining and improving the effectiveness of an
organisation’s operational risk enterprise architecture (OREA).

Let’s break OREA down a little further to get a better view of some of the specific
operational attributes:

Plan
Establish policy, objectives, targets, processes and procedures for managing operational
risks to deliver results in accordance with the organisation’s business objectives.

Do
Implement and operate the policy, controls, processes and procedures.

Check
Assess and measure in applicable areas while reporting results to management for
review.

Act
Take corrective and preventive actions based on results to continually improve the OREA
framework.

Operational risk management is getting the attention of organizations outside of the major
banks at a rapid pace. Boards of directors in any industry will soon realize that the
successful CEO of the future will be a master of building a culture with effective
operational risk management systems at its core.

Fraud Risk Management Consulting
Huge costs are associated with a fraud occurring. Beyond losses directly from the fraud, there
are significant costs associated with investigation, litigation, legal, regulatory issues, public
relations, staff issues and management time.

Working closely with our partner – Insight Risk Consulting, we are able to help your
organisation to strengthen your business and maintain good corporate governance. With our
extensive experience servicing the needs of financial services and multi-national clients in
Asia, Australia, the United States and Europe, we are confident of providing a proven approach
to identifying fraud exposures and avoiding the catastrophic consequences of fraud.

Let us begin to stress test your control environment and identify loopholes that lead to fraud
succeeding. Contact us at [email protected] for more information.

ISACA International Conference
ACL Services Ltd is proud to be one of the sponsors for the ISACA International Conference,
which will be held in Swissotel, The Stamford – Singapore on 11th July 2007.

Audit Risk Management
Kuala Lumpur, 12-13 Aug 2007
The Prodigy Group is holding a 2-day conference targeting the issues and challenges of Audit &
Risk Management. We cordially invite you to join us in this fruitful event.

For information on the seminar or on becoming one of our prominent speakers, please email us
at [email protected]

www.prodigy-group.com
We are pleased to invite you to our NEW WEBSITE at www.prodigy-group.com.

In this newly designed website, we have included more information with regards to our products
and services, as well as industry resources for areas such as risk management, audit &
compliance, financial planning and management and security management.

Also, visit our newly launched PDS Career Center (under the Community Tab) for recruitment
help! If you have ever used Monster, CareerBuilder or hundreds of other job boards, you’ll know
that they can be an extremely effective means to post and search for jobs.

We understand that highly-skilled fields like risk management, audit and compliance require
something more targeted. As our website is frequently visited by professionals in the field of
risk management, audit, compliance and finance, it provides you a targeted platform to receive
quality candidates instead of dozens of unqualified ones.

ACL Certification Exam
We are pleased to launch the ACL Certification, through which participants will earn the ACDA
(ACL Certified Data Analyst) designation. For more than 16 years, ACL’s proven solutions have
enabled auditors and financial decision makers to assure control compliance, reduce risk,
detect fraud, minimise loss, enhance profitability, and achieve fast pay back.

The ACL Certification Program sets the industry benchmark for technical proficiency and
professional expertise in using ACL software. You will gain greater confidence, broader
recognition of your competence and experience using ACL technology, and a competitive
advantage in today’s job market.

To find out more about the ACL Certification Exam, please contact us at [email protected]

IIA Malaysia National Conference 2007
The Prodigy Group is proud to be one of the sponsors for the IIA Malaysia National Conference
to be held at the Kuala Lumpur Convention Centre from 20 to 21 August 2007. We would like to
invite our valued customers to our booth at the conference for a lucky draw. Simply drop your
business card to qualify for the draw. For more information on our participation at the IIAM
conference 2007, kindly contact conference@prodigy-group.com.

Success To Our First Maiden Seminar In Hong Kong
The very first maiden Hong Kong seminar was held at the Renaissance Harbour View Hotel –
Hong Kong on the 25th April 2007 in conjunction with ACL Services Ltd. We received an
overwhelming response to this half day seminar and we would like to express our sincere
thanks to all delegates and our prominent speakers for their continuous support and
participation.

Interested to be on our mailing list for our next Hong Kong seminar? Email us at
[email protected]

Open Enrolment
ACL Training Schedule
Singapore | Hong Kong | Malaysia | Indonesia | Thailand | Philippines
May – June 2007

Prodigy Data Solution is the ONLY ACL certified trainer in Asia South. As certified training provider, we
can ensure that your classes will use the latest version of the software, the most up-to-date training
materials, and techniques distilled from ACL's experience in delivering training worldwide to over 30,000
ACL users for over a decade.

[The Prodigy Group]
Singapore – (65) 6221 2810
Hong Kong – (852) 2815 5606
Malaysia – (60) (3) 2283 5050
Indonesia – (62) (21) 4288 3120
[Email: [email protected]]
Find us on the Web: [www.prodigy-group.com]

In our next issue,


♦ Corporate Governance
♦ Operational Risk
♦ Sarbanes Oxley
♦ ACL Tips
♦ Just For Laugh etc……

Onsite specialised workshops are also available. Kindly contact [email protected] for more information.

The Prodigy Group is a total solution provider offering extensive solutions on Audit & Compliance, Risk Management,
Financial Management and Security Management to financial executives, audit professionals, fraud investigators, risk
managers, business analysts, IT professionals and senior executives. Through the experiences and expertise of our
consultants, our solutions developed have been proven and tested in many established organisations, giving our clients
confidence in the reliability, accuracy, and integrity of the data underlying the increasingly complex business operations.

Integrating market-leading software, Prodigy helps our clients to manage commitments and obligations better and
hence improve their internal business processes. Transformed around the themes of simplicity and usability, our solution
can be applied extensively throughout the organisation, be it for financial management, anti-money laundering, data
forensics, performance analysis, management reporting and so forth, providing organisations with the in-depth analysis
and foresight needed to overcome the complex challenges ahead and to Prodigy's overarching goal of performance with
integrity.

Authorised Distributor for ACL, KnowRisk, INCA Planning & Arbutus
