Category Archives: continuous fraud auditing

Cyberfraud & Business Continuity

We received an e-mail inquiry from a follower of our Chapter’s LinkedIn page last week asking specifically about recovery following a cyberfraud penetration and, in general, about disaster planning for smaller financial institutions. It’s a truism that with virtually every type of business process and customer moving away from brick-and-mortar places of business to cloud supported business transactions and communication, every such organization faces an exponential increase in the threat of viruses, bots, phishing attacks, identity theft, and a whole host of other cyberfraud intrusion risks.  All these threats illustrate why a post-intrusion continuity plan should be at or near the top of any organization’s risk assessment, yet many of our smaller clients especially remain stymied by what they feel are the costs and implementational complexity of developing such a plan. Although management understands that it should have a plan, many say, “we’ll have to get to that next year”, yet it never seems to happen.

Downtime due to unexpected penetrations, breeches and disasters of all kinds not only affect our client businesses individually, but can also affect the local, regional, or worldwide economy if the business is sufficiently large or critical. Organizations like Equifax do not operate in a vacuum; they are held accountable by customers, vendors, and owners to operate as expected. Moreover, the extent of the impact on a business depends on the products or services it offers. Having an updated, comprehensive, and tested general continuity plan can help organizations mitigate operational losses in the event of any disaster or major disruption. Whether it’s advising the organization about cyberfraud in general or reviewing the different elements of a continuity plan for fraud impact, the CFE can proactively assist the client organization on the front end in getting a cyberfraud-recovery continuity plan in place and then in ensuring its efficient operation on the back end.

Specifically, regarding the impact of cyberfraud, the ACFE tells us that, until relatively recently, many organizations reported not having directly addressed it in their formal business continuity plans. Some may have had limited plans that addressed only a few financial fraud-related scenarios, such as employee embezzlement or supplier billing fraud, but hadn’t equipped general employees to deal with even the most elemental impacts of cyberfraud.   However, as these threats increasingly loomed, and as their on-line business expanded, more organizations have committed themselves to the process of formally addressing them.

An overall business continuity plan, including targeted elements to address cyberfraud, isn’t a short-term project, but rather an ongoing set of procedures and control definitions that must evolve along with the organization and its environment. It’s an action plan, complete with the tools and resources needed to continue those critical business processes necessary to keep the entity operating after a cyber disruption. Before advising our clients to embark on such a business continuity plan project, we need to make them aware that there is a wealth of documentation available that they can review to help in their planning and execution effort. An example of such documentation is one written for the industry of our Chapter’s inquirer, banking; the U.S. Federal Financial Institutions Examination Council’s (FFIEC’s) Business Continuity Planning Handbook. And there are other such guides available on-line to orient the continuity process for entities in virtually every other major business sector.  While banks are held to a high standard of preparedness, and are subject to regular bank examination, all types of organizations can profit from use of the detailed outline the FFIEC handbook provides as input to develop their own plans. The publication encourages organizations of all sizes to adopt a process-oriented approach to continuity planning that involves business impact analysis as well as fraud risk assessment, management, and monitoring.

An effective plan begins with client commitment from the top. Senior management and the board of directors are responsible for managing and controlling risk; plan effectiveness depends on management’s willingness to commit to the process from start to finish. Working as part of the implementation team, CFEs can make sure both the audit committee and senior management understand this commitment and realize that business disruption from cyber-attack represents an elevated risk to the organization that merits senior-level attention. The goal of this analysis is to identify the impact of cyber threats and related events on all the client organizations’ business processes. Critical needs are assessed for all functions, processes, and personnel, including specialized equipment requirements, outsourced relationships and dependencies, alternate site needs, staff cross-training, and staff support such as specialized training and guidance from human resources regarding related personnel issues. As participants in this process, CFEs acting proactively are uniquely qualified to assist management in the identification of different cyberfraud threats and their potential impacts on the organization.

Risk assessment helps gauge whether planned cyberfraud-related continuity efforts will be successful. Business processes and impact assumptions should be stress tested during this phase. Risks related to protecting customer and financial information, complying with regulatory guidelines, selecting new systems to support the business, managing vendors, and maintaining secure IT should all be considered. By focusing on a single type of potential cyber threat’s impact on the business, our client organizations can develop realistic scenarios of related threats that may disrupt the cyber-targeted processes.  At the risk assessment stage, organization should perform a gap analysis to compare what actions are needed to recover normal operations versus those required for a major business interruption. This analysis highlights cyber exposures that the organization will need to address in developing its recovery plan. Clients should also consider conducting another gap analysis to compare what is present in their proposed or existing continuity plan with what is outlined (in the case of a bank) in the recommendations presented in the FFIEC handbook. This is an excellent way to assess needs and compliance with these and/or the guidelines available for other industries. Here too, CFEs can provide value by employing their skills in fraud risk assessment to assist the organization in its identification of the most relevant cyber risks.

After analyzing the business impact analysis and risk assessment, the organization should devise a strategy to mitigate the risks of business interruption from cyberfraud. This becomes the plan itself, a catalog of steps and checklists, which includes team members and their roles for recovery, to initiate action following a cyber penetration event. The plan should go beyond technical issues to also include processes such as identifying a lead team, creating lists of emergency contacts, developing calling trees, listing manual procedures, considering alternate locations, and outlining procedures for dealing with public relations.  As members of the team CFEs, can work with management throughout response plan creation and installation, consulting on plan creation, while advising management on areas to consider and ensuring that fraud related risks are transparently defined and addressed.

Testing is critical to confirm cyber fraud contingency plans. Testing objectives should start small, with methods such as walkthroughs, and increase to eventually encompass tabletop exercises and full enterprise wide testing. The plan should be reviewed and updated for any changes in personnel, policies, operations, and technology. CFEs can provide management with a fraud-aware review of the plan and how it operates, but their involvement should not replace management’s participation in testing the actual plan. If the staff who may have to execute the plan have never touched it, they are setting themselves up for failure.

Once the plan is created and tested, maintaining it becomes the most challenging activity and is vital to success in today’s ever-evolving universe of cyber threats. Therefore, concurrent updating of the plan in the face of new and emerging threats is critical.

In summary, cyberfraud-threat continuity planning is an ongoing process for all types of internet dependent organizations that must remain flexible as daily threats change and migrate. The plan is a “living” document. The IT departments of organizations are challenged with identifying and including the necessary elements unique to their processes and environment on a continuous basis. Equally important, client management must oversee update of the plan on a concurrent basis as the business grows and introduces new on-line dependent products and services. CFEs can assist by ensuring that their client organizations keep cyberfraud related continuity planning at the top of mind by conducting periodic reviews of the basic plan and by reporting on the effectiveness of its testing.

Fraud Risk Assessing the Trusted Insider

A bank employee accesses her neighbor’s accounts on-line and discloses this information to another person living in the neighborhood; soon everyone seems to be talking about the neighbor’s financial situation. An employee of a mutual fund company accesses his father-in-law’s accounts without a legitimate reason or permission from the unsuspecting relative and uses the information to pressure his wife into making a bad investment from which the father-in-law, using money from the fund account, ultimately pays to extricate his daughter. Initially, out of curiosity, an employee at a local hospital accesses admission records of a high-profile athlete whom he recognized in the emergency room but then shares that information (for a price) with a tabloid newspaper reporter who prints a story.

Each of these is an actual case and each is a serious violation of various Federal privacy laws. Each of these three scenarios were not the work of an anonymous intruder lurking in cyberspace or of an identity thief who compromised a data center. Rather, this database browsing was perpetrated by a trusted insider, an employee whose daily duties required them to have access to vast databases housing financial, medical and educational information. From the comfort and anonymity of their workstations, similar employees are increasingly capable of accessing personal information for non-business reasons and, sometimes, to support the accomplishment of actual frauds. The good news is that CFE’s can help with targeted fraud risk assessments specifically tailored to assess the probability of this threat type and then to advise management on an approach to its mitigation.

The Committee of Sponsoring Organizations of the Treadway Commission’s (COSO’s) 2013 update of the Internal Control Integrated Framework directs organizations to conduct a fraud risk assessment as part of their overall risk assessment. The discussion of fraud in COSO 2013 centers on Principle 8: “The organization considers the potential for fraud in assessing risks to the achievement of objectives.” Under the 1992 COSO framework, most organizations viewed fraud risk primarily in terms of satisfying the U.S. Sarbanes-Oxley Act of 2002 requirements to identify fraud controls to prevent or detect fraud risk at the transaction level. In COSO 2013, fraud risk becomes a specific component of the overall risk assessment that focuses on fraud at the entity and transaction levels. COSO now requires a strong internal control foundation that addresses fraud broadly to encompass company objectives as part of its strategy, operations, compliance, and reporting. Principle 8 describes four specific areas: fraudulent financial reporting, fraudulent nonfinancial reporting, misappropriation of assets, and illegal acts. The inclusion of non-financial reporting is a meaningful change that addresses sustainability, health and safety, employment activity and similar reports.

One useful document for performing a fraud risk assessment is Managing the Business Risk of Fraud: A Practical Guide, produced by the American Institute of Certified Public Accountants, and by our organization, the Association of Certified Fraud Examiners, as well as by the Institute of Internal Auditors. This guide to establishing a fraud risk management program includes a sample fraud policy document, fraud prevention scorecard, and lists of fraud exposures and controls. Managing the Business Risk of Fraud advises organizations to view fraud risk assessment as part of their corporate governance effort. This commitment requires a tone at the top that embraces strong governance practices, including written policies that describe the expectations of the board and senior management regarding fraud risk. The Guide points out that as organizations continue to automate key processes and implement technology, thus allowing employees broad access to sensitive data, misuse of that data becomes increasingly difficult to detect and prevent. By combining aggressive data collection strategies with innovative technology, public and private sector organizations have enjoyed dramatic improvements in productivity and service delivery that have contributed to their bottom line. Unfortunately, while these practices have yielded major societal benefits, they have also created a major challenge for those charged with protecting confidential data.

CFE’s proactively assessing client organizations which use substantial amounts of private customer information (PCI) for fraud risk should expect to see the presence of controls related to data access surveillance. Data surveillance is the systematic monitoring of information maintained in an automated, usually in a database, environment. The kinds of controls CFE’s should look for are the presence of a privacy strategy that combines the establishment of a comprehensive policy, an awareness program that reinforces the consequences of non-business accesses, a monitoring tool that provides for ongoing analysis of database activity, an investigative function to resolve suspect accesses and a disciplinary component to hold violators accountable.

The creation of an enterprise confidentiality policy on the front end of the implementation of a data surveillance program is essential to its success. An implementing organization should establish a data access policy that clearly explains the relevant prohibitions, provides examples of prohibited activity and details the consequences of non-business accesses. This policy must apply to all employees, regardless of their title, seniority or function. The AICP/ACFE Guide recommends that all employees, beginning with the CEO, be required to sign an annual acknowledgment affirming that they have received and read the confidentiality policy and understand that violations will result in the imposition of disciplinary action. No employees are granted access to any system housing confidential data until they have first signed the acknowledgment.

In addition to issuing a policy, it is imperative that organizations formally train employees regarding its various provisions and caution them on the consequences of accessing data for non-business purposes. During the orientation process for new hires, all employees should receive specialized training on the confidentiality policy. As an added reminder, prior to logging on to any database that contains personal information, employees should receive an electronic notice stating that their activities are being monitored and that all accesses must be related to an official business purpose. Employees are not granted access into the system until they electronically acknowledge this notice.

Given that data surveillance is a process of ongoing monitoring of database activity, it is necessary for individual accesses to be captured and maintained in a format conducive to analysis. There are many commercially available software tools which can be used to monitor access to relational databases on a real-time basis. Transaction tracking technology, as one example, can dynamically generate Structured Query Language (SQL), based upon various search criteria, and provides the capability for customized analyses within each application housing confidential data. The search results are available in Microsoft Excel, PDF and table formats, and may be printed, e-mailed and archived.

Our CFE client organizations that establish a data access policy and formally notify all employees of the provisions of that policy, institute an ongoing awareness program to reinforce the policy and implement technology to track individual accesses of confidential data have taken the initial steps toward safeguarding data. These are necessary components of a data surveillance program and serve as the foundation upon which the remainder of the process may be based. That said, it is critical that organizations not rely solely on these components, as doing so will result in an unwarranted sense of security. Without an ongoing monitoring process to detect questionable database activity and a comprehensive investigative function to address unauthorized accesses, the impact of the foregoing measures will be marginal.

The final piece of a data surveillance program is the disciplinary process. The ACFE tells us that employees who willfully violate the policy prohibiting nonbusiness access of confidential information must be disciplined; the exact nature of which discipline should be determined by executive management. Without a structured disciplinary process, employees will realize that their database browsing, even if detected, will not result in any consequence and, therefore, they will not be deterred from this type of misconduct. Without an effective disciplinary component, an organization’s privacy protection program will ultimately fail.

The bottom line is that our client organizations that maintain confidential data need to develop measures to protect this asset from internal as well as from external misuse, without imposing barriers that restrict their employees’ ability to perform their duties. In today’s environment, those who are perceived as being unable to protect the sensitive data entrusted to them will inevitably experience an erosion of consumer confidence, and the accompanying consequences. Data surveillance deployed in conjunction with a clear data access policy, an ongoing employee awareness program, an innovative monitoring process, an effective investigative function and a standardized disciplinary procedure are the component controls the CFE should look for when conducting a proactive fraud risk assessment of employee access to PCI.

On Business Process Flow

During the last few years attention has increasingly turned to consideration of client critical business processes functioning as a unified whole as a focus of both risk assessment and fraud prevention efforts.  As result of this attention has come the accompanying realization that superior design of individual business processes is not only critical to the success of the overall organization but to its fraud prevention effort as well. For example, take bid preparation, a process that is usually conducted under time pressure, and requires cross-organizational coordination involving the finance, marketing and production departments. If this process is badly designed, it may slow down processing and lead to late submission of the bid or to an inadequately organized bid, reducing the chances of winning the tender, all outcomes that increase the risk of the emergence of irregularities and perhaps even to the enhanced facilitation of actual fraud. 

An additional realization has been that business processes require process based management.  As CFE’s, our client organizations are usually divided into functional units (e.g., finance, marketing). Many business processes, however, like the bid process, are cross-organizational, involving several functions within the organization.  A raw material purchasing process flows through the warehouse, logistics, purchasing and finance functions. Although each unit may function impeccably independently, the process may be impaired due to a lack of coordination among the units. To prevent the obvious fraud vulnerabilities related to this problem, the ACFE emphasizes the need to manage the business process fraud prevention effort end to end. This includes appointing a process owner; setting performance standards (e.g., time, quality, cost); and establishing (and risk assessing) the control, monitoring and measurement of all the processes at work. 

In the modern business world, change is constantly occurring; admirable as this fact is from an innovation perspective, anything that creates change, especially rapid change, can constitute opportunity for the ethically challenged.  Despite this and associated risks, to ensure its competitiveness, the organization must continuously improve and adapt its business processes. Automated processes based on information systems are usually more difficult and expensive to change than manual processes (of which there are fewer left every day). Modifications to traditional program code require time and human resources, resulting in delays and high costs. Hence, to maintain business agility, automating business processes requires a technology that supports rapid modifications and often, less management oversight and control and more vulnerability to fraud. 

Any business that is successful over the long term has most likely performed some kind of risk assessment, and had some success at managing business risks. Managers of successful entities have thought out what risks could have a significant negative impact on their ability to successfully execute the business plan, or even just cause a substantial loss of business, and have attempted to provided mitigating activities to address those risks. With the pervasiveness of fraud and, more important, their increasing dependence on cross organizational business processes, entities have had to consider a fraud risk assessment as a sizeable portion of any fraud prevention effort. Yet, many entities struggle with the issue or, if convinced of the need to conduct an assessment across business process flows, with where to begin in performing an effective one. 

The primary focus of a cross-organizational business process fraud risk assessment is to identify risks that the totality of such business processes present to the business, i.e., adverse effects related to these processes, whether taken as a whole or individually, are not in the best interests of the entity. These risks are usually associated with business elements such as the ability to deliver the service/product efficiently and effectively, the ability to comply with regulations or contractual obligations, the effectiveness of systems (especially accounting systems and financial reporting systems), and the effective management of the entity in general (to achieve goals and objectives, to successfully achieve the business model). Weak anti-fraud controls can introduce risks in any of these areas, and more. For instance, robust anti-fraud controls can enhance the entity’s ability to sell its products over the internet, or move costs (clerical functions) from within the entity (employees) to customers outside the entity (e.g., online banking and the need to ask questions about accounts).   The bottom line is that there is a need to have an effective identification and assessment of business process risks where the risks are at a degree that is more than trivial. 

Typically, fraud risk is assessed as both a probability of occurrence and a magnitude of effect, or the product of the two. The greater that product, the more significant that risk is to the entity, and the more it needs to be mitigated. Therefore, for each cross-organizational process risk, someone is asking the questions: what is the magnitude of the identified fraud risk/failure (e.g., monetary loss)? What is the likelihood of it occurring (e.g., a percentage)? One thing the CFE can do is to obtain a copy of the client’s current risk assessment document. If management does not have one, or if it is in their head, then by default, assurance over fraud risk being properly mitigated is lowered. Another good start is to obtain the client’s business model; goals, objectives and strategies; and policies and procedures documents. A review of these documents will enable the CFE to understand where cross business process fraud risks could occur.   

Another thing the CFE should do is gain a good understanding of the loss prevention function (if there is one), including its managerial and operational aspects. Then, depending on the entity, there could be an extensive list of technologies or systems that will need to be evaluated for risk in operations. From the management side, it includes the internal audit and loss prevention staffs. A measure of the competency of staff devoted to the fraud prevention effort is a key factor. Obviously, the more competent the staff, the lower the risks associated with all the elements of operations they affect, and vice versa. 

Since traditional systems are transaction based and handle each transaction and business document separately, it’s difficult to audit processes end to end.  Therefore, in such systems proper audit trails should be designed and implemented to ensure that a chronological record of all events that have occurred is maintained.  A focus on entire business processes, by contrast, is process flow based and therefore audit trails are a built-in feature.  In automated systems featuring this type of inter-process flow, all incidents and steps of multi-business processes are documented and linked to each other in the order they occurred.  

From the access control aspect of operations, an assessment should be made as to risk of unauthorized activities. For example, do access controls sufficiently limit access to systems and supported business process flows by effective authorization and authentication controls? Does the information management test new systems and applications thoroughly before deployment? Is there a sufficient staging area so that business process flow support applications can be tested not only on a stand-alone basis but also when interfaced with other applications and whole systems? If applications are not tested, this would lead the CFE to have less assurance about mitigating fraud risks facilitated by bugs and system failures.

The focus of fraud mitigation has moved, with increasing automation, away from the simple single fraud scenario to the entire flow of the interlocking business processes constituting the modern organization and their analytic footprint. 

Inside and Out

college-studentsI had quite a good time a little over a month ago, addressing a senior auditing class at the University of Richmond on the topic of how fraud examiners and forensic accountants can work jointly together, primarily with a client’s internal auditors and, secondarily with its external auditors, to substantially strengthen any fraud investigation assignment.

Internal and external auditors each play an important role in the governance structure of their client organizations. Like CFEs, both groups have mutual interests regarding the effectiveness of internal financial controls, and both adhere to ethical codes and professional standards set by their respective professional bodies. Additionally, as I told the very lively class, both types of auditors operate independently of the activities they audit, and they’re expected to have extensive knowledge about the business, industry, and strategic risks faced by the organizations they serve. Yet, with all their similarities, internal auditing and external auditing are two distinct functions that have numerous differences. The Institute of Internal Auditors (IAA) defines internal auditing as “an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.” Internal auditors in the public sector (where I spent most of my audit career as a CIA) place an additional emphasis on providing assurance on performance and compliance with policies and procedures. Concerned with all aspects of the organization – both financial and non-financial – the internal auditors focus on future events because of their continuous review and evaluation of controls and processes.

In contrast, external auditing provides an independent opinion of a company’s financial statements and fair presentation. This type of auditing encompasses whether the statements conform with Generally Accepted Accounting Principles, whether they fairly present the financial position of the organization, whether the results of operations for a given period are represented accurately, and whether the financial statements have been affected materially (i.e., whether they include a misstatement that is likely to influence the economic decisions of financial statement users). External auditing’s approach is mainly historical in nature, although some forward-looking improvements may be suggested in the auditors’ recommendations to management based on the analysis of controls during a financial statement audit.

I emphasized to the students that these definitions alone pinpoint the key distinctions that separate the two audit approaches. However, internal auditing is much broader and more encompassing than external auditing. Its value resides in the function’s ability to look at the underlying operations that drive the financial numbers before those numbers hit the books. For instance, when considering “sales” as a line item in a set of financial statements, the external audit focuses primarily on the existence, completeness, accuracy, classification, timing, posting and summarization of sales numbers. The internal audit goes beyond these assertions and looks at sales operations in a much broader context by asking questions regarding the target market, sales plan, organizational structure of the sales department, qualifications of sales personnel, effectiveness of sales operations, measurement of sales performance, and compliance with sales policies.

These types of questions probe the very core of sales operations and can greatly impact the sales numbers recorded in financial statements. For example, assuming a sales number of $6 million, the external auditor has merely to render an opinion regarding the validity of that number. The internal auditor, however, can ask whether the number could  have really been $12 million, if only the right market had been targeted, and if operations had been effective in the first place. It’s this emersion in detail and the overall knowledge of operations that makes the internal auditor such a strong partner for the fraud examiner in any joint investigation.

Internal auditors represent an integral part of the organization – their primary clients are management and the board. Although historically internal auditors reported to the chief financial officer or other senior management staff, for the last two decades internal auditing has reported directly to the audit committee of the board of directors, which helps strengthen auditor independence and objectivity. Today, internal audit functions, for the most part, follow this reporting relationship, which is consistent with the IIA’s Standard on Organizational Independence.

The chief audit executive’s (CAE’s) appointment is normally meant to be permanent, unless he or she resigns or is dismissed. In some quasi and intergovernmental organizations, CAEs are given tenured positions – five-year appointments, for example – to enhance independence.  Conversely, external auditors are not part of the organization, but are engaged by it. Their objectives are set primarily by statute and by their main client, the board of directors. External auditors are appointed by the board, and they submit an annual report to the company’s shareholders. The appointment is meant to extend for a specified time – external auditors can be re-appointed at the company’s annual general meeting. In some jurisdictions, there are limits on an external auditor’s length of service, often five or seven years.

In general, internal audit functions are not mandatory for organizations. Instead, their installment is left up to individual organizations’ discretion but internal auditing is mandatory in some cases. Companies listed on the New York Stock Exchange must have an internal audit function, whether in-house or outsourced.  An external audit is legally required for many companies, particularly those listed on a public exchange. External audits of some government agencies are also legislated, requiring government auditors to submit the audit report to their respective legislature.

The necessary qualifications for an internal auditor rest solely on the judgment of the employer. Although internal auditors are often qualified as accountants, some are qualified engineers, sales personnel, production engineers, and management personnel who have moved through the ranks of the organization with a sound knowledge of its operations and have garnered experience that makes them abundantly qualified to perform internal auditing. Annually, more and more internal auditors hold the IIA’s Certified Internal Auditor designation, which demonstrates competency and professionalism in the field of internal auditing. Because of their continuous investigation into all the organization’s operating systems, internal auditors who remain in the same organization for many years constitute a unique resource to the CFE of comprehensive and current knowledge of the organization and its operations.

External auditors are required to understand errors and irregularities, assess risk of occurrence, design audits to provide reasonable assurance of material detection, and report on such findings. In most countries, auditors of public companies must be members of a body of professional accountants recognized by law – for example, the Institute of Chartered Accountants in England and Wales, American Institute of Certified Public Accountants, or Canadian Institute of Chartered Accountants.  Because external auditors’ scope of work is narrowly focused on financial statement auditing, and they come into the organization only once or twice a year, their knowledge of the organization’s operations is unlikely to be as extensive as that of the internal auditors.

Those entering the CFE profession need to realize that patterns of business growth, globalization, and corporate scandals have changed the thrust of the internal audit profession in recent years. In its early years, internal auditing focused on protection oriented objectives and emphasized compliance with accounting and operational procedures, verification of calculation accuracy, fraud detection and protection of assets. Gradually, new dimensions were added that ranged from an evaluation of financial and compliance risks to an assessment of business risks, ethics and corporate governance. These changes have only increased the gap between the disciplines of internal and external auditing. Yet, despite their differences, internal auditing and external auditing no longer work in competition, as was the case before the U.S. Sarbanes-Oxley Act was enacted, when a company’s external auditors would sometimes compete with in-house audit departments for internal audit work. Regulations like Sarbanes-Oxley prohibited the external auditor from providing both external and internal audit services to the same company. Today all CFEs can benefit from the complementary skills, areas of expertise, and perspectives of both the external and the internal auditors.  The ACFE recommends that to strengthen the fraud prevention program they should meet periodically to discuss common interests (like the fraud prevention program), strive to understand each other’s scope of work and methods, discuss audit coverage and scheduling to minimize redundancies, jointly assess areas of fraud risk, and provide access to each other’s reports, programs, and work papers.

In summary, fulfilling its oversight responsibilities for assurance, the board also should require internal and external auditors to coordinate their audit work to increase the economy, efficiency, and effectiveness of the overall audit process. Despite some similarities, a world of difference exists between internal auditing and external auditing. Nonetheless, both audit types, and the respective services they provide, are essential to maintaining an effective governance structure. With a greater understanding of the unique perspective of each, CFEs can maximize the aggregate contribution or each to our joint investigations and thereby ensure organizational success.

Exploiting the Dual

businessmeet1Many of today’s CFE’s hold dual certifications as CPA’s, CIA’s, CISA’s and a host of others.  This proven enhanced expertise endows the employers of fraud examiners engaged as full time corporate auditing staff with a whole host of new and exciting fraud detection and prevention capabilities.  This is especially true of corporations whose operations are daily fraud targets.  Rather than dealing with the infrequent single instance of fraud, as is most often the case in conventional CFE practice, these staff practitioners endow their employers with enhanced power in the task of devising investigative and preventative approaches to cope with random, most often automated, fraud attempts arriving on a recurring basis, twenty-four hours a day, 365 days a year.

One of the most effective innovations that dually certified CFE’s can bring to bear in such dynamic fraud environments involves some version of a mixture of continuous monitoring, continuous fraud auditing and continuous assurance. As the external and internal auditing professions view the first of these general concepts, continuous monitoring constitutes a feedback mechanism, primarily used by management, to ensure that systems operate and transactions are processed as prescribed. For example, as one of hundreds of possible examples, management might mandate that its staff CFE (s) periodically monitor the key fraud prevention controls that ensure that customer orders are checked against credit limits to ensure that the controls remain in place and aren’t deactivated.

Continuous auditing for fraud has been defined as the collection of evidence concerning fraud scenarios, by one or more examiners, on systems and transactions, on a continuous basis throughout a temporal period. For example, the staff examiners could routinely extract details of any unusually large adjusting journal entry for investigation, validate the reasons for the entry, determine whether it had been approved, and document these findings. The historical case file of irregularities will be built up from this and like evidence and from its related investigation, as will the examiner’s knowledge of the landscape of on-going fraud threats confronting the business.

Continuous fraud control assurance can even provide a concurrent or on demand assurance opinion on systems or transactions. A continuous opinion could represent an examiner’s or auditor’s opinion that overall fraud prevention controls are operating satisfactorily, unless a report is given to the contrary (often referred to as an ‘evergreen’ fraud control report). On-demand assessment concerning the functioning of key anti-fraud controls can be called for at any time to provide a spot evaluation at a point that does not necessarily coincide with a fiscal year or month-end. For example, a potential investor or lender might want to know the state of a company’s fraud prevention controls on the day that he/she makes a final investing or lending decision. Although these types of control assessments are still relatively rare, it’s possible that, given the pervasiveness of fraud in some heavily automated financial industries, the demand for this type of assessment may accelerate in the future.

Each of these three elements are built upon (and depend on) the one that precedes it. A continuous process of fraud assessment needs continuous monitoring systems to be in place to be effective. These monitoring systems provide the evidence to be collected and assessed upon which to build management assurance.

One of the biggest benefits of a program of continuous fraud control assessment is the beneficial effect it can have on an employing organization’s overall fraud control program. It’s obvious that, with continuous assessment, any key fraud control failures are detected and fixed as soon as they occur, bringing the effectiveness of the failed controls again more closely into conjunction with management’s expectations.  An additional plus for the continuous fraud control evaluation approach is that it provides early warning of problems; employing management can be apprised of a control failure as soon as it happens, providing maximum rectification time. Early warning reduces rectification downtime for the control. The objective is for the external auditors, when they later perform their checks, to find that the control weakness identified by the staff fraud examiner is now corrected and the corrected control operative as of the sign-off date, thus avoiding audit points.  One more advantage conferred by the presence of a dually certified fraud examiner on the audit staff is that many of the controls critical to the anti-fraud program can be fully automated under the CFE’s supervision and thus lend themselves to a continuous review approach. This proactive ‘no surprises’ approach to fraud control should be attractive to all organizations considering employing those holding the CFE certification as either staff auditors or security professionals.

What does it take for management to get this fraud prevention approach off the ground?  First, hire more dually certified CFE’s.  Next, automation is key to the program’s success, especially emphasizing data mining and analytics. Technology that can speed up communication is also needed, because there is no value in identifying an issue quickly if it is not communicated equally quickly to those who need to know about it. Continuous auditing for fraud includes continuous monitoring and reporting by exception on problems that arise. Therefore, the control environment of the employing organization must be at least good enough to ensure that the number of exceptions detected is not initially overwhelming. If anti-fraud controls are at a semi-mature level of effectiveness, however, there is really no reason why, with effort, a continuous assurance approach can’t work.

In setting up continuous audit tests, CFE’s must understand what can go wrong and know what they are looking for, in advance; this is a point where dual certification as an experience CPA or CIA is a plus in guiding the testing process and for creating the business rules for detecting exceptions and understanding them. This latter point is no trivial matter since something that could seem an exception under one set of circumstances, can be perfectly normal under a different set and trained financial assurance professionals know the difference.

Creatively employing their dually certified CFEs in an enhanced fraud detection and prevention effort based on the continuous audit approach confers several benefits to any management while enhancing the fraud prevention program:

–Creation of a database of the most frequently occurring fraud scenarios coupled with the most effective audit approaches to investigate and resolve them;

–Development of tailored data analytics and investigative tools for common fraud scenarios; auditors can get the fraud related data they need when they want them;

— Faster and more thorough fraud examinations and greater depth of audit for the same cost;

— Investigation and resolution of fraud related issues as they occur is a proven proactive approach demonstrating an enhanced level of management due diligence;

— The entire audit staff can have more alternatives in the way they perform fraud related work, including reliance on preventive controls like front end systems edits which prevent fraud be screening out transactions likely to contain fraud on the system’s front end.

–Because fraud related auditing is more effective it becomes more visible for those being audited both within and without the enterprise. Senior management has first-hand knowledge that auditors are ‘on the case’ even if they do not see them every day of the week. This visibility can also act as an additional deterrent to frauds, both internal and external.

Where the Money Is

bank-robberyOne of the followers of our Central Virginia Chapter’s group on LinkedIn is a bank auditor heavily engaged in his organization’s analytics based fraud control program.  He was kind enough to share some of his thoughts regarding his organization’s sophisticated anti-fraud data modelling program as material for this blog post.

Our LinkedIn connection reports that, in his opinion, getting fraud data accurately captured, categorized, and stored is the first, vitally important challenge to using data-driven technology to combat fraud losses. This might seem relatively easy to those not directly involved in the process but, experience quickly reveals that having fraud related data stored reliably over a long period of time and in a readily accessible format represents a significant challenge requiring a systematic approach at all levels of any organization serious about the effective application of analytically supported fraud management. The idea of any single piece of data being of potential importance to addressing a problem is a relatively new concept in the history of banking and of most other types of financial enterprises.

Accumulating accurate data starts with an overall vision of how the multiple steps in the process connect to affect the outcome. It’s important for every member of the fraud control team to understand how important each process pre-defined step is in capturing the information correctly — from the person who is responsible for risk management in the organization to the people who run the fraud analytics program to the person who designs the data layout to the person who enters the data. Even a customer service analyst or a fraud analyst not marking a certain type of transaction correctly as fraud can have an on-going impact on developing an accurate fraud control system. It really helps to establish rigorous processes of data entry on the front end and to explain to all players exactly why those specific processes are in place. Process without communication and communication without process both are unlikely to produce desirable results. In order to understand the importance of recording fraud information correctly, it’s important for management to communicate to all some general understanding about how a data-driven detection system (whether it’s based on simple rules or on sophisticated models) is developed.

Our connection goes on to say that even after an organization has implemented a fraud detection system that is based on sophisticated techniques and that can execute effectively in real time, it’s important for the operational staff to use the output recommendations of the system effectively. There are three ways that fraud management can improve results within even a highly sophisticated system like that of our LinkedIn connection.

The first strategy is never to allow operational staff to second-guess a sophisticated model at will. Very often, a model score of 900 (let’s say this is an indicator of very high fraud risk), when combined with some decision keys and sometimes on its own, can perform extremely well as a fraud predictor. It’s good practice to use the scores at this high risk range generated by a tested model as is and not allow individual analysts to adjust it further. This policy will have to be completely understood and controlled at the operational level. Using a well-developed fraud score as is without watering it down is one of the most important operational strategies for the long term success of any model. Application of this rule also makes it simpler to identify instances of model scoring failure by rendering them free of any subsequent analyst adjustments.

Second, fraud analysts will have to be trained to use the scores and the reason codes (reason codes explain why the score is indicative of risk) effectively in operations. Typically, this is done by writing some rules in operations that incorporate the scores and reason codes as decision keys. In the fraud management world, these rules are generally referred to as strategies. It’s extremely important to ensure strategies are applied uniformly by all fraud analysts. It’s also essential to closely monitor how the fraud analysts are operating using the scores and strategies.

Third, it’s very important to train the analysts to mark transactions that are confirmed or reported to be fraudulent by the organization’s customers accurately in their data store.

All three of these strategies may seem very straight forward to accomplish, but in practical terms, they are not that easy without a lot of planning, time, and energy. A superior fraud detection system can be rendered almost useless if it is not used correctly. It is extremely important to allow the right level of employee to exercise the right level of judgment.  Again, individual fraud analysts should not be allowed to second-guess the efficacy of a fraud score that is the result of a sophisticated model. Similarly, planners of operations should take into account all practical limitations while coming up with fraud strategies (fraud scenarios). Ensuring that all of this gets done the right way with the right emphasis ultimately leads the organization to good, effective fraud management.

At the heart of any fraud detection system is a rule or a model that attempts to detect a behavior that has been observed repeatedly in various frequencies in the past and classifies it as fraud or non-fraud with a certain rank ordering. We would like to figure out this behavior scenario in advance and stop it in its tracks. What we observe from historical data and our experience needs be converted to some sort of a rule that can be systematically applied to the data real-time in the future. We expect that these rules or models will improve our chance of detecting aberrations in behavior and help us distinguish between genuine customers and fraudsters in a timely manner. The goal is to stop the bleeding of cash from the account and to accomplish that as close to the start of the fraud episode as we can. If banks can accurately identify early indicators of on-going fraud, significant losses can be avoided.

In statistical terms, what we define as a fraud scenario would be the dependent variable or the variable we are trying to predict (or detect) using a model. We would try to use a few independent variables (as many of the variables used in the model tend to have some dependency on each other in real life) to detect fraud. Fundamentally, at this stage we are trying to model the fraud scenario using these independent variables. Typically, a model attempts to detect fraud as opposed to predict fraud. We are not trying to say that fraud is likely to happen on this entity in the future; rather, we are trying to determine whether fraud is likely happening at the present moment, and the goal of the fraud model is to identify this as close to the time that the fraud starts as possible.

In credit risk management, we try to predict if there will likely be serious delinquency or default risk in the future, based on the behavior exhibited in the entity today. With respect to detecting fraud, during the model-building process, not having accurate fraud data is akin to not knowing what the target is in a shooting range. If a model or rule is built on data that is only 75 percent accurate, it is going to cause the model’s accuracy and effectiveness to be suspect as well. There are two sides to this problem.  Suppose we mark 25 percent of the fraudulent transactions inaccurately as non-fraud or good transactions. Not only are we missing out on learning from a significant portion of fraudulent behavior, by misclassifying it as non-fraud, the misclassification leads to the model assuming the behavior is actually good behavior. Hence, misclassification of data affects both sides of the equation. Accurate fraud data is fundamental to addressing the fraud problem effectively.

So, in summary, collecting accurate fraud data is not the responsibility of just one set of people in any organization. The entire mind-set of the organization should be geared around collecting, preserving, and using this valuable resource effectively. Interestingly, our LinkedIn connection concludes, the fraud data challenges faced by a number of other industries are very similar to those faced by financial institutions such as his own. Banks are probably further along in fraud management and can provide a number of pointers to other industries, but fundamentally, the problem is the same everywhere. Hence, a number of techniques he details in this post are applicable to a number of industries, even though most of his experience is bank based. As fraud examiners and forensic accountants, we will no doubt witness the impact of the application of analytically based fraud risk management by an ever multiplying number of client industrial types.

The Fire Alarm & the Bottom Line

fire-alarmI was having lunch with a couple of colleagues yesterday and the topic of ‘pulling the fire alarm’ came up.  Specifically, ‘pulling the fire alarm’ relates to a corporate employee alerting management about the suspected fraudulent activity of a fellow employee.  Everyone at the table agreed that the main reason management is often deprived of this vital intelligence is that your typical employee has a very hard time getting his or her head around the fact that their personally well-known co-worker can even be deceptive or dishonest, let alone actually steal something.

CFE’s are trained to know that good people can be, and often are, deceptive.  When people think of deception, they often envision being tricked or having the wool pulled over their eyes. Although fraudulent acts are frequently acts of deception, the fallacy lies in believing that individuals within “our organization” would never commit a deceptive act. After all, our conflicted employee tells herself, our organization goes to great lengths to hire top-notch talent who will be loyal and faithful. Our potential whistle-blower is aware that company employees are promoted through the ranks into leadership roles only because they’ve displayed some unique attributes related to their individual knowledge or talent.

ACFE interviews with fraudsters tell us that the psychological impact of events on professionals in today’s world is difficult to predict. Individuals who’re typically reasonable and display high integrity can frequently be placed in situations where both personal and professional stress can impact their decisions and actions in ways they may have never imagined. This is where the almost universal tendency to bestow the dangerous gift of the benefit of the doubt must be countered.  No question that organizations must encourage that general openness and transparency in everyday actions be practiced by their employees at all levels. But employees must also be made to understand that if someone questions an action or event, established outlets are available to report those concerns without the fear of repercussions. A specific example that unintentionally supports the benefit of the doubt syndrome is an instance where an employee repeatedly performs an inappropriate action among a group of co-workers within the corporate setting. Someone who witnesses the act may not feel comfortable speaking up at the time of the occurrence, especially if the person performing the action is his or her superior in the corporate hierarchy. However, that doesn’t mean it’s okay to walk away from the situation and say nothing. The outlets to report concerns may be as simple as speaking to a supervisor, contacting a human resources representative, or even calling the employee hotline. Employees must be encouraged to speak up whenever they see activity occurring that they believe is inappropriate. If they don’t, they’re perpetuating a culture of denial and silent acceptance.

Such a culture of silent acceptance can grow almost imperceptibly until the organization can irrationally come to unconsciously believe it’s immune to fraud.   My luncheon companions agreed that this syndrome is entirely natural given that all organizations want to believe they’re immune to fraud; then the table talk turned to the following interesting and related points…

It’s unfortunate that it takes some shattering event like a major embezzlement to make some organizations face the fact that fraud doesn’t discriminate; it can happen anywhere, any time. Just as individuals may rationalize why it’s okay to commit fraud, organizations sometimes attempt to rationalize the “whys” that support their belief that fraud won’t happen to them. Every CFE has seen instances of this defensive stance even during on-going fraud examinations! There can be multiple beliefs within corporate cultures that contribute to this act of rationalization. What one person views as a very strict policy, another person may see as a simple guideline open to interpretation. It’s always important to maintain several levels of defense against fraud, including multiple-preventive and detective controls. Because it is not possible to provide absolute assurance against fraud, it becomes even more critical to ensure that controls in place are sufficient to place periodic roadblocks, warning signs, or the proverbial fire alarm in appropriate places. It also is important that those controls and warning signs are uniformly applied to all employees within the organizational ranks.

Then there’s the old canard about materiality. Almost the first question you get about a suspected fraud, especially in my experience from financial personnel, is “Is it material?” meaning is it material to the financial statements. The implication is that the discovered fraud isn’t that important because it will have little or no effect on the bottom line. The ACFE tells us that fraud is dynamic and often can occur long before there is any significant impact to the financial statements. For example, frauds resulting in identity and information theft may eventually prove to have financial ramifications. However, the initial ramifications are breach of identity and information confidentiality. The question about materiality is one of the signs that management may not fully understand the variance between control gaps, which may create opportunity for inappropriate actions or actual control failures. When it comes to fraud prevention, the question shouldn’t be, “How much was taken or how much did we lose?” but instead, “What fraud opportunity has been created from the control gap identified?” Thus, no fraud is ever immaterial because even a small amount of identified stolen money may only be the tip of the iceberg. Where one fraud has been identified, there may be several related others operative but not yet detected.

In today’s technological world sophisticated information systems include workflow, authority delegation, acceptance reporting, system alerts, and intrusion technology. These processes rely on programming controls and periodic monitoring techniques to ensure access is in line with company objectives. Although these system enhancements have improved efficiency in many ways, there are often loopholes that provide a knowledgeable, often high-level, individual with the opportunity to rationalize or take advantage of poorly designed procedures to support a wide range of fraudulent activity. So, “authorized” can represent a danger if managements place too much reliance on system-established fraud prevention controls and then don’t build in mechanisms to appropriately monitor and manage those controls.  The simplest example of unauthorized transactions is illustrated in how delegation of authority is established and maintained within systems. If authority delegations are established with no end-date, or extended to individuals at a lower responsibility level than the true need, then expenditures may not be approved in line with corporate guidelines. This may seem like a minor control gap, but the potential for fraud, waste and abuse can be significant. And, if this trend goes undetected for an extended period, the risk can become even greater.

Another example may be the use of administrative user IDs for management, granting administrative access to systems and financial accounts. There is a very distinct and established purpose for granting this type of access; however, if the granting of the IDs is not well-controlled or monitored, there can be a significant internal control exposure that creates the opportunity for a potentially high level of fraudulent behavior to occur. This doesn’t mean that just because a company has excessive administrative IDs, it can expect that fraud is occurring within its corporate environs. However, those of us around the table agreed that this is why senior management and the board need to understand the reality of an administrative fraud control gap. In case after case, overuse and poor monitoring of these types of IDs by senior corporate officials (like CFO’s and CEO’s) have created the threat or opportunity for some activity that may not be acceptable to the organization.

Fraudsters are continually evolving, just like the rest of society. As CFE’s, we’re painfully aware that unauthorized transactions don’t always occur just because of external hacking, although the very real hacking threat seems the current obsession. Assurance professionals mustn’t overlook all of the internal fraud possibilities and probabilities that are present due to sophisticated business systems. Fraud in the digital age continues to expand and mature. We have to assist our client organizations to take an on-going, proactive approach to the examination and identification of ways that a myriad type of unauthorized transactions can slip through their internal firewalls and control procedures.

Global Storm Clouds Rising

TankThe recent turbulence in the global financial markets is raising the by now too familiar questions in the trade press.  Who is managing the risk? Where is the oversight? Could this financial turmoil have been avoided if associated risks had been managed more proactively? Manage has a positive connotation, implying that someone is in control, as in “The governor is managing the coastal flooding event.” Risk has a negative connotation, implying a lack of control, as in “An unattended gun puts lives at risk.” Risk is everywhere and can be an opportunity or a threat. Although an effective risk management system cannot provide absolute assurance that events such as the current unsettled market situation will not occur, it can, as the least, lend confidence that the key risks will be identified and dealt with timely.

As a first step, understanding the structure and dimensions of ideal risk management can support common understanding and effective implementation by management and an adequate fraud risk assessment effort by CFE’s and other assurance professionals. Management must understand the key vulnerabilities to the business model and establish risk expectations, which can then be incorporated into business practices. Likewise, CFE’s must understand and consider the context of those expectations in their periodic fraud risk assessments. A thorough management understanding of fraud risk also improves the quality of any subsequent investigation of financial irregularities as it creates a standard against which to compare management’s due diligence efforts. Although it may be difficult for your individual clients to identify ideal standards for risk management, addressing some fundamentals can help frame those ideals.

Regulatory, market, and fraud risks are common and familiar to CFE’s, who’re used to identifying these external events and asking “What if” questions: What if this process is not in compliance? What if a fraud were to occur as a result? Inside counsel and auditors often encourage management to address these types of risks immediately, which can result in operational silos dedicated to addressing a single significant fraud risk. However, these single events are only part of the picture. What about process efficiency risk, process design risk, system implementation risk, data integrity risk, skill-set risk, and the myriad other internal risks that, from the CFE’s informed perspective impact operations and fraud prevention?  In the end, a risk is only important if it affects achievement of strategic and business objectives. Both external and internal risks can be placed in the context of their impact on business objectives. The strategic and objective framework must be defined and understood if an organization is to gauge the impact of the risks confronting it. The simplest way to define this framework is to start with the strategy and identify who is accountable for its parts. The framework is further defined as interviews with senior management reveal its objectives and accountability. The process continues until the framework has been constructively defined down to a relevant level for any external or internal risk. The relevance is determined based on the fraud risk’s ability to impact key elements of the framework. The framework provides a formal structure for ensuring strategic achievement.

Fraud risk management requires adequate identification of general risks and an awareness of existing vulnerabilities. Failure to do so can have dire consequences as the ever increasing volume of recent fraud cases attest. A century ago, modern soldiers recognized that good weapons were important to survival. However, realizing the value of tanks and exploding shells was only one element of effective risk management. Another was assessing the quality of the armor tanks carried into battle. No general would order a tank advance, without adequate vehicle armor. An army with limited protection would avoid or delay battles while its vehicles were being adequately fitted. Likewise, as an organization pursues its objectives, it must understand its strengths and vulnerabilities. Organizations cannot charge into daily economic battles without both weapons for success and armor to manage their inherent risks. Historically, assurance professionals have operated in a black-and-white world – a control is either present or absent, effective or ineffective. Although this may work for compliance or financial reporting objectives, it doesn’t help management effectively improve governance, risk management, or overall fraud prevention. Recognizing that business operations mature over time requires critical anti-fraud controls to mature with them. So if operations and controls mature over time, how does an organization organize the current state of affairs to avoid fraud vulnerabilities?

It’s important for fraud prevention to evaluate how effectively current business processes are supporting the achievement of strategic and business objectives. This evaluation will provide insights into the overall maturity of the fraud prevention controls that are in place to manage key risks. If the objective is to attack, yet the process or control maturity shows insufficient strength, it’s likely that the risk appetite of the general exceeds that of his government and country. Risk becomes more manageable with a framework of key risks in the context of key objectives and process/control maturity.

Business process and control vulnerability to fraud can be measured by defining high-level management controls that illustrate what management is doing to achieve its strategic and business objectives. By this point organizations should understand the strategy and objectives and be aware of their people, process, and technology capabilities; but this alone does not provide an overall understanding of fraud control maturity. Because maturity implies sustainability, it’s important to concurrently understand just how capable or strong the systems of control are. One way to begin creating a control maturity perspective is to look at what management is currently doing to ensure it achieves its objectives.

  • Does management have formal fraud prevention objectives that are well-written and communicated?
  • Is accountability clearly established?
  • Have metrics been set to measure the progress of those who are accountable?
  • Is existing reporting capable of illustrating the metric?
  • Are the information and communication channels adequate?
  • Does the tone at the top champion ethical behavior?

Frank answers to these types of simple questions help determine whether the CFE’s client organization is closer to the top, middle, or low levels of management fraud control maturity. This determination can help the organization identify gaps between its current level of maturity and the desired level so that actions can be prioritized to address the largest gaps. The answers to these questions can also help determine how formally objective achievement is being managed. They also provide a window into process capabilities and indicate the degree to which these capabilities are aligned with objective achievement. Informal alignment can create vulnerabilities. Management fraud control maturity is by no means the ultimate tool, but it provides a bridge in assessing risk management vulnerabilities.

All CFE’s have a role in educating senior management and the board (if there is one) about effective fraud risk management and irregularity prevention. Risk management means many things to almost everyone, yet communicating a few basic principles to clients will help CFE’s not only be successful but will provide the foundation for a program of robust fraud risk assessment. These principles help define a framework for valuing risk, assessing vulnerabilities, and determining the necessary steps for improving management fraud control maturity. Taken together, they can help any client organization improve the management of its overall risk and fraud prevention program.

To Control Cyber Fraud Rapidly Identify System Abnormalities


sun-broochAccording to the Pareto Principle, for many phenomena, 80 percent of the consequences stem from 20 percent of the causes.  Application of the principle to fraud prevention efforts related particularly to automated systems seems increasingly apropos given the deluge of intrusions, data thefts, worms and other attacks which continues unabated, with organizations of all kinds losing productivity, revenue and more customers every month.  ACFE members report having asked the IT managers of numerous victimized organizations over the years what measures their organization took prior to an experienced fraud to secure their networks, systems, applications and data, and the answer has typically involved a combination of traditional perimeter protection solutions (such as firewalls, intrusion detection, antivirus and antispyware) together with patch management, business continuance strategies, and access control methods and policies.  As much sense as these traditional steps make at first glance, they clearly aren’t proving sufficiently effective in preventing or even containing many of today’s sophisticated attacks.

The ACFE has determined that not only are some organizations vastly better than the rest of their industries at preventing and responding to cyber-attacks, but also that the difference between these and other organizations’ effectiveness boils down to just a few foundational controls.  And the most significant within these foundational controls are not rooted in standard forms of access control, but, surprisingly, in monitoring and managing system changes.  It turns out that for the best performing organizations there are six important control categories – access, change, resolution, configuration, version release and service levels. There are performance measures involving each of the categories defining audit, operations and security performance measures. These include security effectiveness, audit compliance disruption levels, IT user satisfaction and unplanned work.  By analyzing relationships between control objectives and corresponding performance indicators, numerous researchers have been able to differentiate which controls are actually most effective for consistently predictable service delivery, as well as for preventing and responding to security incidents and fraud related exploits.

Of the twenty-one most important foundational controls used by the most effective organizations at controlling intrusions, there were two used by virtually all of them. Both of these controls revolve around change management:

  • Are systems monitored for unauthorized changes in real time?
  • Are there defined consequences for intentional unauthorized changes?

These controls are supplemented by 1) a formal process for IT configuration management; 2) an automated process for configuration management; 3) a process to track change success rates (the percentage of changes that succeed without causing an incident, service outage or impairment); 4) a process that provides relevant personnel with correct and accurate information on all current IT infrastructure configurations.  Researchers found that these top six controls help organizations manage risks and respond to security incidents by giving them the means to look forward, averting the riskiest changes before they happen, and look backward, identifying definitively the source of outages, fraud associated abnormalities  or service issues.  Because they have a process that tracks and records all changes to their infrastructure and their success rates, the most effective organizations have a more informed understanding of their production environments and can rule out change as a cause very early in the incident response process. This means they can easily find the changes that caused the abnormal incident and re-mediate them quickly.

The organizations that are most successful in preventing and responding to fraud related security incidents are those that have mastered change management, thereby documenting and knowing the ‘normal’ state of their systems in the greatest possible detail.  The organization must cultivate a “culture” of change management and causality throughout, with zero tolerance for unauthorized changes. As with any organizational culture, the culture of change management should start at the top, with leaders establishing a tone that all changes must follow, an explicit change management policy and process from the highest to the lowest levels of the organization, with zero tolerance for unauthorized change. These same executives should establish concrete, well-publicized consequences for violating change management procedures, with a clear, written change management policy.  One of the components of an effective change management policy is the establishment of a governing body, such as a change advisory board that reviews and evaluates all changes for risk before approving them. This board reinforces the written policy, requiring mandatory testing tor each and every change, and an explicit rollback plan for each in the case of an unexpected result.

ACFE studies stress that post incident reviews are also crucial, so that the organization protects itself from repeating past mistakes. During these reviews, change owners should document their findings and work to integrate lessons learned into future anti-fraud operational practices.

Perhaps most important for responding to and controlling system changes is having clear visibility into all change activities, not just those that are authorized. Automated controls that can maintain a change history reduce the risk of human error in managing and controlling the overall process.

So organizations that focus solely on access and reactive resolution controls at the expense of real time change management process controls are almost guaranteed to experience in today’s environment more security incidents, more damage from those incidents, and dramatically longer and less-effective resolution times.  On the other hand, organizations that foster a culture of disciplined change management and causality, with full support from senior management, and have zero tolerance for unauthorized change and abnormalities, will have a superior security posture with fewer incidents, dramatically less damage to the business from security breaches and much faster incident identification and resolution of incidents when they happen.

In conducting a cyber-fraud post-mortem, CFE’s and other assurance professionals should not fail to focus on strengthening controls related to  reducing 1) the amount of overall time the IT department devotes to unplanned work; 2) a high volume of emergency system changes; 3) and the number and nature of an identified  high volume of failed system changes.  All these are red-flags for cyber fraud risk and indicative of a low level of real time system knowledge on the part of the client organization.

That Break’s For You


vacation“We are again honored to have a seventh guest post from our friend and Richmond Chapter 2015 Vice-President, Rumbi Bwerinofa, CPA/CFF. Rumbi is a Director of the Queens/Brooklyn Chapter of the New York State Society of CPAs and a member of the NYSSCPA Litigation Services Committee. She is the editor of TheFStudent.com, where she discusses financial forensic issues.” – Charles Lawver-2015 RVACFES Chapter President…”

I live in New York City, the city that, in its own mind at least, never sleeps. Those of us who live here wear that like a badge of pride.  Rest? Only when we’re dead! If you ride the subway, death apparently includes the daily rush-hour commute. Here, we’re a city of zombies who have even figured out to sleep, standing up, crammed like sardines into whatever tin box is taking us to work. Out bosses love our never rest attitude. What could be better than workers who express shame when requesting time off? Who wouldn’t like an office full of people competing to see who can pull the longest hours?

Well, it turns out that, perhaps, a worker who never leaves his or her desk may not be such a good thing for company health, when it comes to fraud prevention and detection. That person who’s so diligent that, not only does she never need help, but she’s even willing to take on additional tasks like, say, picking up and distributing the mail or making bank deposits, may be taking on all these extra tasks for a reason, say to make sure that no one discovers she’s actively stealing from the company. That why it’s important for forensic accountants and fraud examiners to help our clients understand the criticality of enforced staff vacations for the overall integrity of their fraud prevention programs.

It’s so important to stress to the employer that, when employees do take vacations, desks mustn’t be allowed to sit idle, with work and mail just piling up, untouched for two or three weeks.  Vacation times represent the perfect point to perform targeted, concurrent fraud prevention and detection related tests. One, or more, of the vacationing employee’s cross-trained peers should take over the daily, detailed tasks of the employee. Such tests are especially important if the employee has access to assets or cash, but it’s a good prevention practice for every employee’s desk. Mail should be opened, bank statements reconciled and checks to vendors written. In this way, fraud and error stand a good chance of being caught.  Just knowing that this type of testing is mandatory during enforced annual vacations is a potent fraud deterrent in itself.

Too often fraud is caught by accident, when one employee happens to be out of the office and a question needs to be answered. Someone will dig into that employee’s work and stumbles onto something amiss. Rita Crundwell  stole almost $54 million from the city of Dixon during the nearly three decades she was that city’s comptroller. Her crime was discovered while she was out of her office, on vacation, and the acting comptroller, asked for bank statements, found a statement for an account that was not recorded in the ledger. The account held millions, had an official-sounding name wasn’t identified in any city record. Had, someone else in the city’s finance department routinely performed banking and mail duties while Crundwell was out of the office (of even at random times when she wasn’t), this embezzlement may have been caught years earlier.  Prior to the fraud’s discovery, no manager in authority seemed to see a conflict of duties issue with Crundwell, the comptroller, picking up all the city’s mail. While she was on vacation, she would have a relative or city employee pick up the mail, separate out hers’, and distribute the rest. Yes, a relative, not even a city employee, picked up and distributed the city’s mail!  Had Crundwell known that her work would be independently randomly checked and reviewed on a regular basis, she may have decided that stealing from the city was just too risky and have never perpetrated her crime.

The FDIC and SEC recommend mandatory vacations of two consecutive weeks for traders and others in the financial industry. This guarantees there’s adequate time for the employer to have another staff member perform the work of the vacationing employee and check for fraud and error. Any business would benefit from adding this process to their control systems.

An earlier post on The Inner Auditor discussed the risks and control weaknesses associated with only one person in a business holding the bulk of the information about how things work. Should that person take an extended vacation, retire or quit, the company could very well come to a confused standstill because no one else knows how to perform certain processes or where certain information is kept. A benefit of and enforced mandatory vacation and random testing policy is that other staff members will be forced to learn, through cross-training,  what their colleagues do and know; knowledge about the functioning of every desk will be shared among various employees.

Employers should be thoroughly briefed on benefits for fighting fraud, reducing error and sharing knowledge that a well-planned and executed vacation and concurrent testing policy can bring to the fraud prevention effort. They may or may not worry too much about how tired their workers are, but I’m pretty sure that they care a lot about keeping their assets safe.