theinnerauditor

BLOG OF THE CENTRAL VIRGINIA CHAPTER OF THE ASSOCIATION OF CERTIFIED FRAUD EXAMINERS

The Use of External Auditor Confirmations by Fraud Examiners

A couple of years ago a well-known metropolitan newspaper reported that an executive at a major insurance company gave his external auditor a false address for a marketable securities confirmation, intercepted the confirmation, then returned it with no exceptions noted.  In this manner the company "verified" its possession of $20 million in falsified assets.

As the accountants and auditors among us will recall from our school days,  a confirmation is an audit tool that provides written communication from a third party, such as a customer, supplier or (as in the case above) asset custodian of the audit client in response to an auditor’s request for information.  Using confirmations as audit evidence may be appropriate whenever a third party possesses knowledge regarding an amount or disclosure in the client’s information system.  Confirmations are commonly used when testing accounts receivable balances,  but other confirmed accounts that can be of interest to fraud examiners conducting examinations include cash (i.e., bank confirmations), accounts and notes payable, off site inventory and securities.

When a fraud examiner or forensic accountant is trying to determine the chronological chain of events constituting a fraud scenario, it can be important to know who said what and when they said it with regard to the account balances and transactions deemed critical to the pattern of commission of the fraud.  Because a third party sends the completed confirmation directly to the auditor (provided the process is properly controlled, as discussed below), it is difficult for the client to tamper with the evidence.  In an embezzlement case, for example, it can be critical to building a case for prosecution to know what the bank said the balance in a cash account under the control of the suspected embezzler was on a given date or series of dates.  The same can be said for the usefulness of auditor confirmations of any other balances relevant to the financial transactions constituting the fraud.

There are two types of confirmations, positive and negative, and both can be conveyed to the confirmer by physical letter or electronically by e-mail.  A positive confirmation requests a response whether or not the recipient agrees with the amount confirmed.  A negative confirmation asks the recipient to respond only if s/he disagrees with the amount in the confirmation.  Positive confirmations provide more competent audit evidence than negatives and are, therefore, more useful to fraud examiners in establishing dates and chronologies, but recipients may be less likely to respond to a positive confirmation because it requires more effort to complete.

In using the supplemental evidence that external or internal auditor initiated confirmations can provide about the chronology of account balances and related transactions, it is important for the fraud examiner or forensic accountant to understand how the auditor designed the confirmation process to ensure that confirmations have an appropriate chain of custody; the example given in the first paragraph of this post is a vivid illustration of what can happen when the chain of custody of a confirmation is broken.  To ensure that all confirmations reach their intended recipients and are returned directly to the auditor, the auditor should have mailed (or e-mailed) the confirmations personally, to addresses she verified independently rather than ones supplied by the client, and specified that they be returned only to her own e-mail account or physical address.

The incorporation of evidence from properly controlled auditor initiated confirmations can constitute an additional, useful tool in the fraud examiner's tool kit.  However, fraud examiners must be sure that the confirmation process was designed and implemented appropriately and that the auditor in question correctly investigated and interpreted any exceptions, in order to ensure the competency of the resulting evidence.

Richmond ACFE Chapter Meeting Webcast – 5/19/2013 – The Laws of Fraud

Every two weeks the Central Virginia Chapter of the Association of Certified Fraud Examiners (ACFE) presents a webcast on a topic related to the practice of fraud examination and/or forensic accounting.  These webcasts are presented primarily for the benefit of Chapter members but are open to all with a general interest in improving the practice of auditing and fraud examination.

Members of the Central Virginia Chapter will have received an e-mail notifying them that the bi-weekly webcast is available at this site; the e-mail contains three questions which must be answered and returned for the award of one hour of continuing education credit.

If you are an audit professional or a student and would like to listen to these lectures as a Richmond Chapter member for continuing education credit, please visit our website at www.cpenet.net and join our Chapter on-line by clicking on the first picture of a set of scales, registering as a site user and paying $15.00 annual dues.  We offer at least 20 hours of continuing education credit on fraud related topics for the one-time annual fee.  You don't have to be a resident of the Richmond area or even of Virginia to join… we have members all across North America.

This week’s webcast is fifty-five minutes in length, on the topic of The Laws of Fraud & Where to Find Them.

THE LAWS OF FRAUD

Playing Hide & Seek in Asset Recoveries

A fraud examiner contact of mine on LinkedIn is currently working on a case that might end up involving hidden assets; she was wondering about the best way to proceed once the suspicion has developed that an investigative subject might be hiding assets of value.

It’s been my experience that the sooner you start looking for hidden property, money and other assets during your investigation (for inclusion in your eventual recovery plan) the better…but there are several important things to keep in mind.  Even though it’s hard to do on the front end, try to determine as best you can if the recovery effort will be cost-effective…will the realized recovery justify the time and expense (often considerable) of pursuing a remedy and enforcing a judgment?   If you determine that the payoff just isn’t there in a sufficient amount to make the effort worthwhile, don’t pursue it.

You will also need to decide against whom to pursue the recovery; pick your target carefully from among the potentially liable persons and pick the person(s) who are most likely to have the money or other assets to respond to a judgment.  Who wants to go to all the trouble of getting a judgment if it’s worth nothing because the target has insufficient assets?

Once you've addressed those two issues the question becomes one of analysis as to whether or not hidden assets or property are actually involved in the case.  The two classic analytical methods for detecting whether a potential subject has hidden assets or property are the analysis of lifestyle indicators and financial analysis.  Lifestyle indicators suggest that the target is living beyond his or her apparent means, and thus probably has hidden income or sources of income.  To perform this analysis properly you need to learn about the target's personal habits (wearing expensive clothes, carrying large amounts of cash, maintaining club memberships, etc.), possessions (lavish home furnishings, automobiles) and expensive leisure activities.

On the financial analysis side, you're looking for unexplained changes in the target's income and/or expenses over time.  The key words are "over time," since one-shot variations aren't usually indicators of anything except random chance and life's vicissitudes.  Individual categories of an income statement, balance sheet or cash flow statement are expressed as percentages of the whole and compared over a period of time.  Shifts in a category's share of the whole (vertical analysis), changes over time within a category (horizontal analysis), or changes in the ratios between categories (ratio analysis) may indicate activities intended to conceal income or income-producing property.
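As an added example (not part of the original post), the three analyses named above carried out over a small series of yearly figures.  The figures, the category names and the 25% change threshold are constructed for illustration; they are not a standard and not data from any real case.  The trend flag deliberately ignores a single-year jump and only reports a category whose change exceeds the threshold in two consecutive periods, which is the "over time" point made in the text.

```python
"""Vertical, horizontal and ratio analysis over yearly figures for one subject.

Added example, not from the original post. All figures are constructed; the
threshold and the two-period rule are assumptions chosen for illustration.
"""

# Constructed annual figures (USD) for a hypothetical subject.
SUBJECT = {
    2010: {"salary": 60000, "consulting": 5000, "other": 1000,
           "housing": 18000, "vehicles": 6000, "travel": 3000},
    2011: {"salary": 61000, "consulting": 5000, "other": 1200,
           "housing": 18500, "vehicles": 6200, "travel": 3100},
    2012: {"salary": 62000, "consulting": 5500, "other": 25000,
           "housing": 19000, "vehicles": 21000, "travel": 12000},
    2013: {"salary": 63000, "consulting": 6000, "other": 27000,
           "housing": 40000, "vehicles": 30000, "travel": 20000},
}
INCOME = ("salary", "consulting", "other")
EXPENSES = ("housing", "vehicles", "travel")


def vertical_analysis(year_data, categories):
    """Each category as a fraction of the group total for one period."""
    total = sum(year_data[c] for c in categories)
    return {c: year_data[c] / total for c in categories}


def horizontal_analysis(data, category):
    """Period-over-period fractional change within one category,
    keyed by the later year."""
    years = sorted(data)
    out = {}
    for prev, cur in zip(years, years[1:]):
        base = data[prev][category]
        out[cur] = (data[cur][category] - base) / base if base else float("inf")
    return out


def expense_to_income_ratio(data):
    """Ratio analysis: total expenses divided by total income, per year."""
    return {
        year: sum(d[c] for c in EXPENSES) / sum(d[c] for c in INCOME)
        for year, d in data.items()
    }


def flag_trends(data, categories, threshold=0.25, min_periods=2):
    """Return (category, year) pairs where the year-over-year change has
    exceeded `threshold` for `min_periods` consecutive years. A single
    large jump therefore produces no flag."""
    flags = []
    for c in categories:
        changes = horizontal_analysis(data, c)
        run = 0
        for year in sorted(changes):
            run = run + 1 if abs(changes[year]) >= threshold else 0
            if run >= min_periods:
                flags.append((c, year))
    return flags


if __name__ == "__main__":
    for year, ratio in sorted(expense_to_income_ratio(SUBJECT).items()):
        print(year, f"expenses/income = {ratio:.2f}")
    print("flagged:", flag_trends(SUBJECT, EXPENSES) + flag_trends(SUBJECT, INCOME))
```

With these figures the "other" income category jumps once in 2012 and then levels off, so it is not flagged, while vehicles and travel keep rising in 2013 and are; the expense-to-income ratio climbing from about 0.41 to about 0.94 is the kind of sustained change the text says to look for.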

You can obtain information about the target’s property and assets for input to your financial analysis from friends, family, ex-spouses, neighbors, in short, from anyone in a position to know.  You can obtain from witnesses the records or documents which you want or need in order to trace and locate property, proceeds or other assets.  Finally, don’t forget accomplices from whom you can learn how the fraud scenario actually worked so you can identify the records or transactions that will enable you to trace or locate the property.

Professional Social Networks and the Scammers

We all use social networks for a wide variety of personal and professional reasons.  Linking together like-minded practitioners can be the life blood of any professional organization (like our Richmond, Virginia ACFE Chapter) and contributes to elevated levels of public service and customer satisfaction.

Social networks like Facebook and LinkedIn are based on the concept of online identities  that interact together to form a virtual social network.  The identities are created as user profiles that reveal the kind of information the individual user wants to display on the network.  I use my LinkedIn page to share posts on this blog with my professional contacts.

It's hard to set a control on user profiles that can completely guarantee the veracity of the associated identities…scammers are aware of this and take advantage accordingly.  One of the most common techniques used by attackers is the creation of fake profiles.  These profiles can impersonate celebrities or known professionals, or be wholly fabricated identities designed to be attractive to a certain kind of victim.  Fake profiles can be used for many purposes, including the monitoring of users of a certain type, revenge, and nefarious businesses of all kinds.

Fake profiles tempt users to read malicious content posted on message walls and in the e-mails used for communication.  Once a user visits such a profile or follows its links, embedded scripts or downloads can infect the user's machine with malicious executables.  One infected node (user) can unwittingly infect all her contacts on the network.  From a security perspective, this is a clear case of fraud based on identity assumption, identity fabrication or identity theft, and the type of information present in fake profiles runs the gamut for use in a wide range of scams.  It's a sad fact that such scams are very difficult for the social networks themselves to control.  Users of every social networking site have fallen victim to such profiles, so no network is immune; this is because it's so hard to restrict the actions of users based simply on the information contained in their network profiles.

A spammer might set up a fake e-mail directing a user to a fake profile that uses hyperlinks to redirect the user to a malicious domain.  The rogue profile tempts users to visit the domain by presenting them with an attractive link reading, "Click here to view a statement by [the name of a known person]."  Clicking on the link opens the fake statement and downloads malware used to control the user's machine.

–Professionals using on-line social networking should educate themselves as to the nature of the malware they can encounter specifically in the form of fake profiles and phishing e-mails.  Collaborate with your fellow professionals and share information about the exploits you’ve experienced or read about.

–Users should secure their browsers by installing appropriate client-side filters, such as the NoScript extension for Firefox, to block the malicious scripts that would otherwise run in the browser.  In short, choose the client-side filters that are appropriate for your browser type.

–Don’t click on suspicious hyperlinks. Carefully scrutinize the origin of hyperlinks on professional social network profiles to avoid traps; if you aren’t fully comfortable with a hyperlink, don’t click on it.

–Configure your professional profile by applying the appropriate restrictions provided by standard social networking websites to protect privacy; all the sites have such restrictions…review them and use them.

–Report all suspicious profiles,  messages and e-mails directly to the security team of the professional network you’re using.  This can help administrators apply filters to prevent the affiliated scams.

–Install anti-virus software and keep your operating system and browser patches up-to-date.

The professional networking sites we use represent a virtualized world that can be of great value to us in our careers; the aim of malware is to infect users and steal information.  User ignorance is a big factor in the spread of malware, and we all have a responsibility, as we enjoy the benefits of professional social networks, to keep ourselves and our colleagues as safe as we can.

Marrying Fraud Risk Assessment & Enterprise Risk Management

Before conducting a fraud risk assessment, fraud examiners should determine if the client organization has a mature enterprise risk management (ERM) business process in place.  If it does, it's to everyone's advantage to tailor the fraud assessment as an exercise deserving unique treatment within the overall ERM process.  This tailoring would address the aspects of fraud risk assessment that distinguish it from more routine risk assessments, including the specialized expertise of the personnel involved in the assessment, communicating the final results of the assessment, and developing an action plan to address the identified fraud risks.

As every practitioner who’s ever performed one well knows, conducting a comprehensive fraud risk assessment for a medium to large size client consumes considerable time and resources.  I’ve found that many organizations attempt to embed assessing the risk of fraud as just another normal assessment task within their general overall ERM approach.  Although certainly practical, this approach does not always yield the best results.  A better way is to focus specifically on pre-defined fraud schemes and scenarios; this approach provides the best chance of identifying those schemes that have the highest probability of adversely impacting the client organization.

Another challenge for fraud examiners is to ensure that their fraud assessment results don't fall on deaf ears.  What I mean by that is, although it's important to identify fraud risks, it's equally important to reduce those risks by adequately addressing them.  In organizations without a well-defined, guiding ERM process, there's a not-inconsiderable risk that your identified vulnerabilities won't be addressed at all because there's no formal process in place to do so.  Only when management is made aware and held somehow accountable (two things a good ERM process does well) will the risk of fraud actually be reduced in the client organization.

As an example, if you identify weak user authentication in the client's systems as a risk in your assessment, you must communicate that risk to the business process owner (the IT Director) overseeing the systems authentication process.  Under traditional ERM, s/he would be held accountable for implementing appropriate controls to reduce the risk.  The staff responsible for implementing the controls would be provided with a remediation plan to ensure timely reduction of the risk within a prescribed period.  This action plan should be included as a recommendation with the final assessment report and communicated to client management.

Fraud examiners are uniquely qualified to assess and reduce fraud risk.  Practitioners can bring their extensive knowledge of fraud scenarios and detection methods to bear on the front end, during the risk assessment process itself, rather than having the client rely solely on traditional anti-fraud programs and tools like whistle-blower hotlines, codes of conduct, fraud awareness training and after-the-fact forensic accounting/auditing procedures.  An ounce of prevention is worth a pound of cure.

So as fraud examiners conducting risk assessments, we should leverage existing client ERM strategies as tools to get the risks we identify addressed by client management according to documented ERM standard process procedures.  Only those practitioners who adopt and execute a well-designed approach can ensure identification of the fraud risks that, left unaddressed, can cripple any organization.

Using Text Analytics to Test for Fraud Signatures and Risk Control

All assurance professionals are pressured by our clients to find new ways to contribute to business performance, and fraud examiners and forensic accountants are no exception.  One way we can do this in today's overwhelmingly information-rich environment is to help management identify the many categories of emerging enterprise risks.

How often are we confronted during our fraud examinations and audits with mountains of digitized text in the form of e-mails, policies and procedures and company web-based content, any of which may or may not be relevant to the actual examination at hand?  It's been estimated by the ACFE that in excess of 80% of total company records related to frauds are in the form of text-based data; yet, because so much current analytics effort is directed to numeric data, until quite recently the software tools have just not been available to practicing professionals to allow them to analyze large volumes of digitized text efficiently.

The new software to support text analytics stems from a combination of developments in the fields of litigation support and electronic discovery, counterterrorism and surveillance technology, customer relations management and artificial intelligence.  Text mining tools can help fraud examiners and forensic accountants extract, group, tag and analyze patterns associated with a given fraud scenario and identify the digitized documents that contain those patterns.  They can create categories, or hierarchical knowledge representations, to auto-classify documents and extracted data.  The more sophisticated programs can also apply statistical techniques to cluster documents according to discovered characteristics.  For example, as Director of Internal Audit for Virginia Medicaid, I analyzed digitized Departmental, state and Federal policies and procedures running to many thousands of pages as part of a review to determine the probability that the occurrence of fraud signatures associated with two different fraud scenarios would be prevented by existing defined controls;  this without personally reading a single word.

When analyzing the behavior of suspected participants in a fraud under investigation, textual analytics of e-mail (link analysis) can be used to determine who is talking to whom, about what (language concept clustering), and over what period of time (for example, in the days surrounding an actual fraud-related event).
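The link-analysis part of that is simple enough to show directly.  The following is an added example (not from the original post) that reads a batch of e-mail headers, builds a directed sender-to-recipient graph with message counts, and then narrows the graph to the window around a specific event so you can see who was corresponding just before and after it.  The five messages, the addresses and the 14 March 2013 "transfer" event are constructed for illustration; the two-days-before, one-day-after window is an assumption.

```python
"""Link analysis over e-mail headers: who wrote to whom, how often, and when.

Added example, not from the original post. MESSAGES and EVENT are
constructed; the people, addresses and dates are fictitious.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone
from email import message_from_string
from email.utils import getaddresses, parsedate_to_datetime

# Constructed RFC 5322 headers, bodies omitted.
MESSAGES = [
    "From: alice@example.com\nTo: bob@example.com\n"
    "Date: Mon, 04 Mar 2013 09:12:00 -0500\nSubject: Q1 figures\n\n",
    "From: bob@example.com\nTo: alice@example.com\nCc: carol@example.com\n"
    "Date: Tue, 12 Mar 2013 17:40:00 -0500\nSubject: Re: vendor setup\n\n",
    "From: bob@example.com\nTo: carol@example.com\n"
    "Date: Wed, 13 Mar 2013 22:05:00 -0500\nSubject: approval needed tonight\n\n",
    "From: carol@example.com\nTo: bob@example.com\n"
    "Date: Thu, 14 Mar 2013 07:30:00 -0500\nSubject: Re: approval needed tonight\n\n",
    "From: dave@example.com\nTo: alice@example.com, bob@example.com\n"
    "Date: Fri, 22 Mar 2013 11:00:00 -0500\nSubject: staff meeting\n\n",
]
# Hypothetical fraud-related event: a wire transfer at noon on 14 March 2013.
EVENT = datetime(2013, 3, 14, 12, 0, tzinfo=timezone(timedelta(hours=-5)))


def parse_edges(raw_messages):
    """Yield (sender, recipient, timestamp, subject) for every To/Cc recipient."""
    for raw in raw_messages:
        msg = message_from_string(raw)
        sender = getaddresses([msg.get("From", "")])[0][1].lower()
        when = parsedate_to_datetime(msg["Date"])
        recipients = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
        for _, addr in recipients:
            yield sender, addr.lower(), when, msg.get("Subject", "")


def contact_graph(raw_messages, start=None, end=None):
    """Directed edge counts sender->recipient, optionally limited to [start, end]."""
    counts = Counter()
    for sender, rcpt, when, _ in parse_edges(raw_messages):
        if (start and when < start) or (end and when > end):
            continue
        counts[(sender, rcpt)] += 1
    return counts


def pairs_around_event(raw_messages, event,
                       before=timedelta(days=2), after=timedelta(days=1)):
    """Undirected pairs that exchanged mail in the window around `event`,
    with the subjects involved: 'who was talking just before the transfer'."""
    window = defaultdict(list)
    for sender, rcpt, when, subject in parse_edges(raw_messages):
        if event - before <= when <= event + after:
            window[tuple(sorted((sender, rcpt)))].append(subject)
    return dict(window)


if __name__ == "__main__":
    for (sender, rcpt), n in sorted(contact_graph(MESSAGES).items()):
        print(f"{sender} -> {rcpt}: {n}")
    for pair, subjects in pairs_around_event(MESSAGES, EVENT).items():
        print(pair, subjects)
```

Over the whole period the graph is unremarkable, but in the window around the event only two pairs are talking, and the bob/carol pair accounts for three of the four messages, including a late-night "approval needed tonight."  That is the kind of lead link analysis is meant to surface; the content of those messages is then the subject of the concept-clustering step the text mentions.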

More broadly, during a company’s internal risk assessment, compliance risks can be mapped to divisions or departments using textual analysis.  A textual analysis of existing policies and procedures will assist in revealing how, or if, the identified compliance risks are being addressed by divisional management.  The objective here is to focus use of the software  to screen data for potential issues before they become less manageable rather than just employing the software as an analytical tool after a fraud or significant event has actually occurred.  A good way to begin to do this is to adopt a risk based approach to introduce the concept to management, perhaps performing  a text based analysis of four or five individuals in a high risk department or newly acquired unit and then sharing the results with the powers that be.

In text analytics, fraud examiners have yet another tool to make their reviews more thorough and efficient and, more generally, to speed and improve the fraud investigation and prevention process for our clients.

The Consistency of Digital Financial Statements Between Fraud Examination Clients

An interesting issue arose during a presentation I made a few nights ago to a group of fraud examiners regarding the usefulness of digital financial statements (specifically XBRL and XBRLS based statements) as a tool to enhance the fraud investigation process.  It turned out that several of the participants, intense users of financial information but not practicing accountants, seemed to expect that every aspect of every client entity's financial report be comparable to every other client entity's financial report, especially if the clients were in the same business, say if both were retailers.  This is simply not the case.  Financial reports are not, and should not be, "forms" simply filled out by an accountant.  One strength of US GAAP is its ability to let reporting entities report useful information specific to themselves.

It's true that financial information reported by entities in the same industry sector, for example steel companies, tends to be more comparable than financial information reported by entities in different industries.  It's also true that a reporting entity's disclosures from period to period tend to be very comparable.  But in deciding which disclosure information is useful for a given event or transaction, accountants creating a financial report structure use disclosure rules/requirements, guiding principles and their own judgment when weaving together an appropriate financial report.  The required application of professional judgment is equally necessary whether the financial report is ultimately presented on paper, electronically or digitally.

Some financial report disclosures tend to take the shape of very specific and objective quantitative measures. For example, the disclosure of earnings per share is an example of such a specific quantitative measure. These sorts of disclosures are like an “on/off” switch; either the disclosure is required or it is not and if it is required, what must be presented or disclosed is crystal clear. There may be judgment involved in computing or measuring the amount disclosed, but the need for the disclosure itself tends to be objective.

Other disclosures take a more subjective shape and use more qualitative measures.  For example, in the case of derivative instruments, the meaning of a business acquisition or divestiture to the overall financial position of a reporting entity, and/or which information about the acquisition or divestiture is the important information, depends on many different criteria; in each case it is the role of the accountant(s) to exercise judgment and determine the appropriate disclosures, all things considered, using known guiding principles.

Understanding which disclosures tend to take which shape and otherwise understanding these moving pieces is critical for digital financial taxonomy creation, financial report creation in general, and analysis of financial information expressed by these taxonomies and financial reports.

Fraud examiners, forensic accountants and all intensive users of financial statement information, digitally or electronically based, need to understand that there are times when a certain specific financial disclosure in the two different financial reports of two clients will be very different, because each report presents different facts.  The bottom line is that both financial disclosures are appropriate for the circumstances and both satisfy prescribed disclosure rules/requirements, and both are useful, etc.  So, there is no one size that fits all in describing most transactions, but, that said, there are indeed some times when the facts disclosed should be identical for the majority of reporting entities in a given sector.
