Category Archives: Fraud, Waste and Abuse Detection Systems

The Sword of Damocles

The media provide us with daily examples of the fact that technology is a double-edged sword. The technological advancements that make it easy for people with legitimate purposes to engage with our client businesses and governmental agencies also provide a mechanism for those bent on perpetrating theft and frauds of all kinds.

The access to services and information that customers have historically demanded has opened the flood gates through which disgruntled or unethical employees and criminals enter to commit fraud. Criminals are also exploiting the inadequacies of older fraud management policies or, in some instances, the overall lack thereof. Our parent organization, the Association of Certified Fraud Examiners (ACFE), has estimated that about 70 percent of all companies around the world experienced some type of fraud in 2016, with total global losses due to fraud exceeding US $4 trillion annually and expected to rise continually. Organizations have incurred, on average, the loss of an estimated 7 percent of their annual revenues to fraud, with $994 billion of that total in the US alone. The ACFE has also noted that the frauds reported lasted a median length of 18 months before being detected. In addition to the direct impact of revenue loss, fraud erodes customer satisfaction and drains investments that could have been directed to corporate innovation and growth. Organizations entrusted with personally identifiable information are also held directly accountable in the eyes of the public for any breach. Surveys have shown that about one-third of fraud victims avoid merchants they blame for their victimization.

We assurance professionals know that criminals become continuously more sophisticated and the fraud they perpetrate increasingly complex. In response, the requirements for fraud risk management have significantly changed over the last few years. Fraud risk management is now not a by-product, but a purposeful choice intended to mitigate or eliminate an organization’s exposure to the ethically challenged. Fraud risk management is no longer a “once and done” activity, but has become an on-going, ideally concurrent, program. As with all effective processes, it must be performed according to some design. To counter fraud, an organization must first understand its unique situation and the risk to which it may be exposed. This cannot be accomplished in a vacuum or through divination, but through structured analysis of an organization’s current state. Organizations are compelled by their increasingly cyber supported environments to establish an appropriate enterprise fraud risk management framework aligned with the organization’s strategic objectives and supported by a well-planned road map leading the organization to its properly defined target state of protection. Performing adequate analysis of the current state and projecting the organization’s goals in light of that desired state is essential. Analysis is the bedrock for implementation of any enterprise fraud risk management framework to effectively manage fraud risk.

Fraud risk management is thus both a top-down and a bottom-up process. It’s critical for an organization to establish and implement the right policies, processes, technology and supporting components within the organization and to diligently enforce these policies and processes collaboratively and consistently to fight fraud effectively across the organization. To counter fraud at an enterprise level, organizations should develop an integrated counter fraud program that enables information sharing and collaboration; the goal is to prevent first, detect early, respond effectively, monitor continuously and learn constantly. Counter fraud experience in both the public and for-profit sectors has resulted in the identification of a few critical factors for the successful implementation of enterprise-wide fraud risk management in the present era of advanced technology and big data.

The first is fraud risk management by design. Organizations like the ACFE have increasingly acknowledged the continuously emerging pattern of innovative frauds and the urgency on the part of all organizations to manage fraud risk on a daily, concurrent basis.  As a result, organizations have attempted implementation of the necessary management processes and solutions. However, it is not uncommon that our client organizations find themselves lacking in the critical support components of such a program.  Accordingly, their fraud risk mitigation efforts tend to be poorly coordinated and, sometimes, even reactionary. The fraud risk management capabilities and technology solutions in place are generally implemented in silos and disconnected across the organization.  To coordinate and guide the effort, the ACFE recommends implementation of the following key components:

— A rigorous risk assessment process — An organization must have an effective fraud risk assessment process to systematically identify significant fraud risk and to determine its individual exposure to such risk. The assessment may be integrated with an overall risk assessment or performed as a stand-alone exercise, but it should, at a minimum, include risk identification, risk likelihood, significance assessment and risk response; a component for fraud risk mitigation and implementation of compensating controls across the critical business processes composing the enterprise is also necessary for cost-effective fraud management.

–Effective governance and clearly defined organizational responsibilities — Organizations must commit to an effective governance process providing oversight of the fraud management process. The central fraud risk management program must be equipped with a clear charter and accountability that will provide direction and oversight for counter fraud efforts. The fraud risk must be managed enterprise-wide with transparency and communication integrated across the organization. The formally designated fraud risk program owner must be at a level from which clear management guidelines can be communicated and implemented.

–An integrated counter fraud framework and approach — An organization-wide counter fraud framework that covers the complete landscape of fraud management (from enterprise security, authentication, business process, and application policy and procedure controls, to transaction monitoring and management), should be established. What we should be looking for as CFEs in evaluating a client’s program is a comprehensive counter fraud approach to continually enhance the consistency and efficacy of fraud management processes and practices.

–A coordinated network of counter fraud capabilities — An organization needs a structured, coordinated system of interconnected capabilities (not a point solution) implemented through management planning and proper oversight and governance. The system should ideally leverage the capabilities of big data and consider a broad set of attributes (e.g., identity, relationships, behaviors, patterns, anomalies, visualization) across multiple processes and systems. It should be transparent across users and provide guidance and alerts that enable timely and smart anti-fraud related decisions across the organization.

Secondly, a risk-based approach. No contemporary organization gets to stand still on the path to fraud risk management. Criminals are not going to give organizations a time-out to plug any holes and upgrade their arsenal of analytical tools. Organizations must adopt a risk-based approach to address areas and processes of highest risk exposures immediately, while planning for future fraud prevention enhancements. Countering fraud is an ongoing and continually evolving process, and the journey to the desired target state is a balancing act across the organization.

Thirdly, continual organizational collaboration and systemic learning. Fraud detection and prevention is not merely an information-gathering exercise and technology adoption, but an entire life cycle with continuous feedback and improvement. It requires the organization’s commitment to, and implementation of continual systemic learning, data sharing, and communication. The organization also needs to periodically align the enterprise counter fraud program with its strategic plan.

Fourthly, big data and advanced analytics.  Technological breakthroughs and capabilities grounded in big data and analytics can help prevent and counter fraudulent acts that impact the bottom line and threaten brand value and customer retention. Big data technology can ingest data from any source, regardless of structure, volume or velocity. It can harness, filter and sift through terabytes of data, whether in motion or at rest, to identify and relate the elements of information that really matter to the detection of on-going as well as of potential frauds. Big data off-the-shelf solutions already provide the means to detect instances of fraud, waste, abuse, financial crimes, improper payments, and more. Big data solutions can also reduce complexity across lines of business and allow organizations to manage fraud pervasively throughout the entire life cycle of any business process.

In summary, smart organizations manage the sword of potential fraud threats with well-planned road maps supported by proper organization and governance.  They analyze their state to understand where they are, and implement an integrated framework of standard management processes to provide the guidance and methodology for effective, ethics based, concurrent anti-fraud practice. The management of fraud risk is an integral part of their overall risk culture; a support system of interconnected counter fraud capabilities integrated across systems and processes, enabled by a technology strategy and supporting formal enterprise level oversight and governance.

The Fire Alarm & the Bottom Line

I was having lunch with a couple of colleagues yesterday and the topic of ‘pulling the fire alarm’ came up. Specifically, ‘pulling the fire alarm’ relates to a corporate employee alerting management about the suspected fraudulent activity of a fellow employee. Everyone at the table agreed that the main reason management is often deprived of this vital intelligence is that your typical employee has a very hard time getting his or her head around the fact that their personally well-known co-worker can even be deceptive or dishonest, let alone actually steal something.

CFE’s are trained to know that good people can be, and often are, deceptive.  When people think of deception, they often envision being tricked or having the wool pulled over their eyes. Although fraudulent acts are frequently acts of deception, the fallacy lies in believing that individuals within “our organization” would never commit a deceptive act. After all, our conflicted employee tells herself, our organization goes to great lengths to hire top-notch talent who will be loyal and faithful. Our potential whistle-blower is aware that company employees are promoted through the ranks into leadership roles only because they’ve displayed some unique attributes related to their individual knowledge or talent.

ACFE interviews with fraudsters tell us that the psychological impact of events on professionals in today’s world is difficult to predict. Individuals who’re typically reasonable and display high integrity can frequently be placed in situations where both personal and professional stress can impact their decisions and actions in ways they may have never imagined. This is where the almost universal tendency to bestow the dangerous gift of the benefit of the doubt must be countered.  No question that organizations must encourage that general openness and transparency in everyday actions be practiced by their employees at all levels. But employees must also be made to understand that if someone questions an action or event, established outlets are available to report those concerns without the fear of repercussions. A specific example that unintentionally supports the benefit of the doubt syndrome is an instance where an employee repeatedly performs an inappropriate action among a group of co-workers within the corporate setting. Someone who witnesses the act may not feel comfortable speaking up at the time of the occurrence, especially if the person performing the action is his or her superior in the corporate hierarchy. However, that doesn’t mean it’s okay to walk away from the situation and say nothing. The outlets to report concerns may be as simple as speaking to a supervisor, contacting a human resources representative, or even calling the employee hotline. Employees must be encouraged to speak up whenever they see activity occurring that they believe is inappropriate. If they don’t, they’re perpetuating a culture of denial and silent acceptance.

Such a culture of silent acceptance can grow almost imperceptibly until the organization can irrationally come to unconsciously believe it’s immune to fraud.   My luncheon companions agreed that this syndrome is entirely natural given that all organizations want to believe they’re immune to fraud; then the table talk turned to the following interesting and related points…

It’s unfortunate that it takes some shattering event like a major embezzlement to make some organizations face the fact that fraud doesn’t discriminate; it can happen anywhere, any time. Just as individuals may rationalize why it’s okay to commit fraud, organizations sometimes attempt to rationalize the “whys” that support their belief that fraud won’t happen to them. Every CFE has seen instances of this defensive stance even during on-going fraud examinations! There can be multiple beliefs within corporate cultures that contribute to this act of rationalization. What one person views as a very strict policy, another person may see as a simple guideline open to interpretation. It’s always important to maintain several levels of defense against fraud, including multiple-preventive and detective controls. Because it is not possible to provide absolute assurance against fraud, it becomes even more critical to ensure that controls in place are sufficient to place periodic roadblocks, warning signs, or the proverbial fire alarm in appropriate places. It also is important that those controls and warning signs are uniformly applied to all employees within the organizational ranks.

Then there’s the old canard about materiality. Almost the first question you get about a suspected fraud, especially in my experience from financial personnel, is “Is it material?” meaning is it material to the financial statements. The implication is that the discovered fraud isn’t that important because it will have little or no effect on the bottom line. The ACFE tells us that fraud is dynamic and often can occur long before there is any significant impact to the financial statements. For example, frauds resulting in identity and information theft may eventually prove to have financial ramifications. However, the initial ramifications are breach of identity and information confidentiality. The question about materiality is one of the signs that management may not fully understand the variance between control gaps, which may create opportunity for inappropriate actions or actual control failures. When it comes to fraud prevention, the question shouldn’t be, “How much was taken or how much did we lose?” but instead, “What fraud opportunity has been created from the control gap identified?” Thus, no fraud is ever immaterial because even a small amount of identified stolen money may only be the tip of the iceberg. Where one fraud has been identified, there may be several related others operative but not yet detected.

In today’s technological world sophisticated information systems include workflow, authority delegation, acceptance reporting, system alerts, and intrusion technology. These processes rely on programming controls and periodic monitoring techniques to ensure access is in line with company objectives. Although these system enhancements have improved efficiency in many ways, there are often loopholes that provide a knowledgeable, often high-level, individual with the opportunity to rationalize or take advantage of poorly designed procedures to support a wide range of fraudulent activity. So, “authorized” can represent a danger if managements place too much reliance on system-established fraud prevention controls and then don’t build in mechanisms to appropriately monitor and manage those controls.  The simplest example of unauthorized transactions is illustrated in how delegation of authority is established and maintained within systems. If authority delegations are established with no end-date, or extended to individuals at a lower responsibility level than the true need, then expenditures may not be approved in line with corporate guidelines. This may seem like a minor control gap, but the potential for fraud, waste and abuse can be significant. And, if this trend goes undetected for an extended period, the risk can become even greater.

Another example may be the use of administrative user IDs for management, granting administrative access to systems and financial accounts. There is a very distinct and established purpose for granting this type of access; however, if the granting of the IDs is not well-controlled or monitored, there can be a significant internal control exposure that creates the opportunity for a potentially high level of fraudulent behavior to occur. This doesn’t mean that just because a company has excessive administrative IDs, it can expect that fraud is occurring within its corporate environs. However, those of us around the table agreed that this is why senior management and the board need to understand the reality of an administrative fraud control gap. In case after case, overuse and poor monitoring of these types of IDs by senior corporate officials (like CFO’s and CEO’s) have created the threat or opportunity for some activity that may not be acceptable to the organization.
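The two control gaps described above (delegations of authority with no end date or granted below the level the approval limit calls for, and administrative IDs that are not monitored) can be tested mechanically once the records are exported. The Python below is an added example, not part of the original post. The record fields, hierarchy levels, approval tiers and review intervals are assumptions made for illustration, and the sample records are constructed.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Hypothetical policy values, chosen for this example only.
# Each pair is (approval ceiling, minimum hierarchy level allowed up to it).
LEVEL_FOR_LIMIT = [(10_000, 2), (100_000, 4), (1_000_000, 6)]
MAX_DELEGATION_DAYS = 90     # longest acceptable delegation term
MAX_REVIEW_AGE_DAYS = 180    # admin IDs must be re-certified this often


@dataclass
class Delegation:
    ref: str
    delegator: str
    delegate: str
    delegate_level: int      # higher number = more senior
    approval_limit: int      # largest amount the delegate may approve
    start: date
    end: Optional[date]      # None means the delegation never expires


@dataclass
class AdminAccount:
    account_id: str
    owner: Optional[str]         # None means shared / no named owner
    last_review: Optional[date]  # None means access was never re-certified


def required_level(limit: int) -> int:
    """Minimum hierarchy level the (assumed) guideline demands for a limit."""
    for ceiling, level in LEVEL_FOR_LIMIT:
        if limit <= ceiling:
            return level
    return LEVEL_FOR_LIMIT[-1][1] + 1   # above the top tier


def check_delegation(d: Delegation) -> list:
    findings = []
    if d.end is None:
        findings.append("NO_END_DATE")
    elif (d.end - d.start).days > MAX_DELEGATION_DAYS:
        findings.append("TERM_TOO_LONG")
    if d.delegate_level < required_level(d.approval_limit):
        findings.append("LEVEL_BELOW_LIMIT")
    return findings


def check_admin(a: AdminAccount, today: date) -> list:
    findings = []
    if not a.owner:
        findings.append("NO_NAMED_OWNER")
    if a.last_review is None:
        findings.append("NEVER_REVIEWED")
    elif (today - a.last_review).days > MAX_REVIEW_AGE_DAYS:
        findings.append("REVIEW_OVERDUE")
    return findings


def audit(delegations, accounts, today: date) -> dict:
    """Return {record id: [finding codes]} for every record with a gap."""
    report = {}
    for d in delegations:
        found = check_delegation(d)
        if found:
            report[d.ref] = found
    for a in accounts:
        found = check_admin(a, today)
        if found:
            report[a.account_id] = found
    return report


# Constructed sample records (not real data).
TODAY = date(2024, 6, 30)
DELEGATIONS = [
    Delegation("D-001", "cfo", "controller", 5, 80_000,
               date(2024, 5, 1), date(2024, 7, 15)),
    Delegation("D-002", "vp.ops", "plant.mgr", 5, 50_000,
               date(2022, 1, 10), None),
    Delegation("D-003", "cfo", "ap.clerk", 2, 250_000,
               date(2024, 6, 1), date(2024, 6, 30)),
    Delegation("D-004", "ceo", "exec.asst", 1, 500_000,
               date(2023, 1, 1), None),
    Delegation("D-005", "vp.sales", "sales.mgr", 4, 20_000,
               date(2024, 1, 1), date(2024, 12, 31)),
]
ADMIN_ACCOUNTS = [
    AdminAccount("adm-fin-01", "it.ops", date(2024, 5, 20)),
    AdminAccount("adm-gl-cfo", "cfo", date(2022, 11, 2)),
    AdminAccount("adm-shared", None, None),
]

if __name__ == "__main__":
    for ref, found in audit(DELEGATIONS, ADMIN_ACCOUNTS, TODAY).items():
        print(f"{ref}: {', '.join(found)}")
```

Run periodically against the live delegation and account tables, the same checks surface a gap while it is still small rather than after it has gone undetected for an extended period.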

Fraudsters are continually evolving, just like the rest of society. As CFE’s, we’re painfully aware that unauthorized transactions don’t always occur just because of external hacking, although the very real hacking threat seems the current obsession. Assurance professionals mustn’t overlook all of the internal fraud possibilities and probabilities that are present due to sophisticated business systems. Fraud in the digital age continues to expand and mature. We have to assist our client organizations to take an on-going, proactive approach to the examination and identification of ways that myriad types of unauthorized transactions can slip through their internal firewalls and control procedures.

Communication is Who We Are

One of the most frequently requested topics for ACFE-led instruction concerns the art of fraud interviewing, one of the most complex and crucial disciplines of the many comprising the fraud examination process. And at the heart of the interviewing process lies communication. As we all know, communication is the process of effectively sending and receiving information, thoughts, and feelings. First and foremost, an effective interviewer is an effective communicator and being an effective communicator depends on building rapport. According to the ACFE, if you don’t establish rapport with a subject at the outset of the fraud interview, the possibilities of your spotting anything are very low. Rapport is the establishment of a connection between two individuals that is based on some level of trust and a belief in the existence of a relationship that is mutually beneficial to both parties.

The interviewer who thinks s/he will find a cooperative subject without making a connection with that individual is in for a disappointment. Rapport is determined by our attitude toward the subject. Just as we as interviewers use our powers of perception to “read” the subject, the subject reads us as well. If he senses condemnation, superiority, hostility, or deceit, you can expect little but superficial cooperation from any interaction.  Besides, above all else, as the experts tell us, we are professionals. As professionals, personal judgments have no place in an interview setting. Our job is to gather information empirically, objectively, and without prejudice towards our subjects.  Why do we identify with and speak more freely to some people than to others? We’re naturally drawn to those with whom we share similar characteristics and identities. Techniques and tools are important, but only to the extent that they complement our attitude toward the interview process. So, effective communication is, in this important sense,  not what we do – it’s who we are.

And along with rapport, the analysis of the quality of the interaction between both interview participants is critical to the communication process.  An interview is a structured session, ideally between one interviewer and one subject, during which the interviewer seeks to obtain information from a subject about a particular matter.  And just as we signal each other with voice pitch and body language patterns when we’re sad, angry, delighted, or bored, we also display distinct patterns when trying to deceive each other. Fortunately for those of us who interview others as part of our profession, if we learn to recognize these patterns, our jobs are made much simpler. Of course there is no single behavior pattern one can point to and say “Aha! This person is being deceptive!” What the professional can point to is change in behavior. Should a subject begin showing signs of stress as our questions angle in a certain direction, for example, we know we have hit an area of sensitivity that probably requires further exploration.  If you interview people regularly, you probably already know that it is more likely for a subject to omit part of the story than actually lie to you. Omission is a much more innocuous form of deceit and causes less anxiety than fabricating a falsehood. So even more importantly than recognizing behavior associated with lying, the interviewer must fine tune her skills to also spot concealment patterns.

ACFE experts tell us that each party to a fraud interview may assume that they understand what the other person is conveying. However, the way we communicate and gather information is based in part on which of our senses is dominant. The three dominant senses, sight, hearing, and touch influence our perceptions and expressions more than most people realize. A sight dominant subject may “see” what you are saying and tell you he wants to “clear” things up. An auditory dominant person may “hear” what your point is and respond that it “sounds” good to him. A touch dominant person may have a “grasp” of what you are trying to convey, but “feel uncomfortable” about discussing it further.

By analyzing a subject’s use of words, an interviewer can identify his dominant sense and choose her words to match. This helps strengthen the rapport between interviewer and subject, increasing the chances of a good flow of information. Essential, of course, to analyzing and identifying a subject’s dominant senses are good listening skills. Effective communication requires empathetic listening by the interviewer.  Empathetic listening and analysis of the subject’s verbal and nonverbal communication allows us to both hear and see what the other person is attempting to communicate. It is the information that’s not provided and that’s concealed, that is most critical to our professional efforts.

In developing your listening abilities, and by practicing them with others with whom you communicate every day, the vast array and inexhaustible variations of the human vocabulary are bound to strike you. The most effective way to communicate is with clear, concise sentences that create no questions. However, the words we choose to use, and the way that we say them, are limited only by what is important to us. A subject, reluctant or cooperative, will speak volumes with what they say, and even more significantly, what they don’t say. Analysis of the latter often reveals more than the information the subject actually relates. For instance, the omission of personal pronouns could mean unwillingness on the part of the subject to identify himself with the action.

One final note of caution.  If you ask the experts about the biggest impediment to an effective interview, they will probably give you a surprising answer. Most experienced interviewers will tell you that often the greatest impediment to a successful interview is the interviewer herself. Most interviewers use all of their energies observing and evaluating the subject’s responses without realizing how their own actions and attitudes can contaminate an interview. In fact, it’s virtually impossible to conduct an interview without contaminating it to some extent. Every word used, the phrasing of a question, tone, body language, attire, the setting – all send signals to the subject.  The effective interviewer, however, has learned to contaminate as little as possible. By  retaining an objective demeanor, by asking questions which reveal little about what s/he already knows, by choosing a private setting and interviewing one subject at a time, s/he keeps the integrity of the interview intact to the best of her ability.

Go with the Flow!

As a fraud examiner and internal auditor, I’ve always been a big fan of the cash flow statement and, if you’re a fraud examiner, I think you should be too. For the non-accountants among you, the cash flow statement reveals what happened to the client’s cash during the reporting period. It’s very much like your bank account statement: You have a beginning balance of cash at the start of the month, you deposit your paycheck, you write some checks for your mortgage and groceries, and then you end the month with a new cash balance. This is what a cash flow statement is: simply a beginning balance of cash, plus or minus some cash transactions, to arrive at an ending cash balance.

Another way to view the cash flow statement is as an income statement that is adjusted for non-cash transactions and transactions that have not yet impacted cash. Non-cash transactions are transactions that affect the income statement but will never affect cash. Depreciation is a non-cash transaction that is added back to profits on the cash flow statement since cash is never paid out or collected when an asset is depreciated. The cash flow statement also clarifies transactions that immediately impact cash. A company can make a sale but not collect on it, or incur an expense and not immediately pay for it in cash. These are called accounts receivable and accounts payable, respectively. Revenues that are earned but not received and expenses that are incurred but not paid would show up on the income statement, but not on the cash flow statement.  So the formula for the statement is simply …

Beginning Cash Balance
+/- Net Cash Flows from Operating Activities
+/- Net Cash Flows from Investing Activities
+/- Net Cash Flows from Financing Activities
= Ending Cash Balance

There are two methods of reporting cash flows from operations; in the direct method, the sources of operating cash flows are listed along with the uses of operating cash flows, with the difference between them being the net cash flow from operating activities.  In contrast, the indirect method reconciles net income per the income statement with net cash flows from operating activities; that is, accrual-basis net income is adjusted for non-cash revenues and expenses to arrive at net cash flows from operations.  The net cash flows from operating activities is the same amount regardless of which method is used. The indirect method is usually easier to compute and provides a comparison of the company’s operating results under the accrual and cash methods of accounting. As a result, most companies choose to use the indirect method, but either method is acceptable.

So what does all  this provide as a tool for the fraud examiner?  Simply, the cash flow statement provides any CFE with lots of neat information for further analysis in a very compact form.  First of all, the statement tells you what the company’s cash receipts and cash payments were for the period. Remember that it’s unlike the income statement in that the income statement takes into account all revenue and expense transactions, whether or not they affected cash. The cash flow statement only considers transactions that involve cash.

The cash flow statement divides the company’s cash transactions into three categories:

  • Operating activities, which include all cash received and paid out in connection with the company’s normal business operations, such as cash received from customers and funds paid to vendors. This category essentially encompasses any cash transactions that affect items on the income statement.
  • Investing activities, which are cash flows related to the sale or purchase of non-current assets, such as fixed assets, intangible assets, and investments. This category generally covers those cash transactions that affect the asset side of the balance sheet.
  • Financing activities, which are all cash inflows and outflows pertaining to the company’s debt and equity financing. Inflows include the proceeds received from issuing stocks and bonds and from borrowing money from a bank. Outflows include debt repayments and cash dividends paid to shareholders. In general, this category includes the cash transactions that affect the liabilities and owners’ equity side of the balance sheet.

In a perfect world, a company should only need loans when it has a timing problem between collecting and spending money or when it’s expanding. However, if a company expends more money than it will ever make, it will eventually go out of business. This is where the cash flow statement is so useful to the fraud examiner. You will want to get an idea of the cash flow necessary to run the business so that you will be able to tell whether the company is generating enough cash from operations to continue to do business. Chronic lack of cash is a red flag directly related to the motivation for many frauds. The examiner can also evaluate the relationship between total cash generated from financing and investing activities and the amount generated by operating activities.

Some things you will want to note from the cash flow statement in connection with any suspected financial fraud:

  • Does the company have heavy demands on its operating cash each period?
  • Do the inflows equal or exceed the outflows?
  • Is the cash balance increasing or decreasing over time?
  • Is the company making smart decisions about sources and uses of cash given its apparent financial condition?

This is information pertinent to the investigation of a wide range of fraud scenarios, the successful investigation of which involves different data than that commonly available in the income statement. The income statement alone does not reveal a complete picture of the company’s financial health, necessary for a full investigation of many types of fraud. Evaluating income and cash flows includes considering the timing of items, such as collections of accounts receivable. In the end, a company might have a fabulous looking income statement, but might not have any cash available for operations. This may occur because the revenues recorded on the income statement have not been collected. Remember, as part of doing business, companies usually allow customers to make purchases on credit; this means those companies will collect the cash subsequent to the actual recording of the revenues. For example, a small high-tech manufacturer might have a healthy looking profit on its income statement, but not be able to pay its employees’ salaries. However, the entrepreneurial owners of the company assume all is well, since they expect the net income on the income statement to equal the amount of cash in the company’s bank account. But, as is often the case, there’s a timing difference between when the company records a sale and when it actually receives the cash from its customers. As a result, the cash balance seldom, if ever, will match the income on the income statement. Other transactions – such as accrued or prepaid expenses, depreciation, and inventory purchases – will also cause a disparity between an organization’s net income and its net cash flows.

The statement of cash flows represents a trove of invaluable information that can cast light on virtually every aspect of a client’s financial health and thus inform any fraud investigation. Use it to your advantage!

Detailed Planning is the Key to Successful Fraud Auditing

It’s difficult to believe that it’s already October! The 2014 Chapter year has flown by and has been extremely good for all of us with twenty new members nationwide and three very successful live Chapter training events!

Something Dr. Doug Ziegenfuss said about fraud audit planning during our session on Ethics 2014 for CPA’s and Fraud Examiners struck me as being worthy of a post.   Considering the various techniques internal audit organizations are using to fight fraud, Doug singled out the use of specialty audit software like ACL as critical to the success of analytics based programs, critical if the modern control assurance enterprise is to have even a hope of being ultimately successful.   But just having software isn’t in itself enough. It’s true that audit analytics can quickly examine large files and flag the digital markers of potentially fraudulent activity to help auditors of all kinds work more effectively and efficiently. But any tool is only as effective as the planning for its use allows it to be.

As we fraud examiners are painfully aware and the news media daily attest, evidence of on-going fraud often resides deep in an organization’s data.  Unfortunately, these schemes often go undetected for months or even years, draining evermore revenue from the organization.  Dr. Doug’s point is that this is often the case because of superficial audit planning.  Development of a risk based audit program is no easy task but there is no alternative if the auditing effort is going to be more than a superficial light dusting of the control structure.  Risk based programs with emphasis on analytics are based on the preparation of descriptive system narratives, detailed workflow diagrams, and risk assessments; hard work on the front end but, if comprehensive,  not as difficult to update and maintain over the long run as many auditors think.

As we’ve said in post after post on this blog, leveraging fraud identification technology should always be directed at the solving of the business problem of fraud revelation, control and eradication rather than at acquiring technology for technology’s sake. The effort requires a clear assessment of the entire audit life cycle of the organization to find ways to use technology to enable a reasonable level of measurable efficiency. It’s up to the chief audit executive (CAE) and the audit committee (if there is one) to ensure that audit analytics are leveraged to achieve well defined goals built on a solid foundation of key risk measures.

Once data analytic targets are established, the specific analytic technology audit management has selected can be used to extract, scrub, and analyze data for a variety of anomalies and fraud scenarios.  Any chosen analytic solution should always provide independent access to source data, minimizing the need for the organization’s IT department to intervene and simultaneously protecting network integrity.  As a key component of fraud audit strategy, the independent assurance effort should strive to have each of its audits include enough analytics based tests to pinpoint such anomalies as indication of segregation of duties conflicts, transactions modified to avoid approval or authorization, funds leakage, inappropriate payments and a whole host of abuse of corporate assets related frauds.

The fact that every organization has unique data issues is another reason for instituting a program of long range audit planning. As every auditor knows, a data series cannot be validated in a vacuum; it must be tied to another series to ensure its accuracy. Organizational data idiosyncrasies and patterns mean that data validation is crucial to the success of the audit analysis effort. This is where a Certified Fraud Examiner’s (CFE) experience with fraud audit analysis and audit technology becomes especially valuable to the organization’s analytics program. Once the audit team has documented the nuances of the organization’s data, an experienced CFE can assist the team in the development of a fraud-indicator approach that weights audit test results based on their propensity for fraud. Transactions or vendors flagged in multiple tests, for example, rank as a higher review priority than a lower-risk anomaly that appears only once, such as an invoice submitted on the weekend or vendor payments directed to post office boxes.
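The weighted fraud-indicator approach described above can be sketched in a few lines of Python. This is an added example, not code from the original post or from any audit product; the payment records, field names, approval limit, test weights and the 5% "just under the limit" band are all constructed assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import date

APPROVAL_LIMIT = 5000.00  # assumed approval threshold for this illustration

# Constructed sample payments; every value here is illustrative, not real data.
PAYMENTS = [
    {"id": "P1", "vendor": "Acme Supply", "amount": 4990.00,
     "invoice_date": date(2014, 9, 6), "address": "PO Box 112, Richmond VA",
     "entered_by": "jdoe", "approved_by": "jdoe"},
    {"id": "P2", "vendor": "Acme Supply", "amount": 4975.00,
     "invoice_date": date(2014, 9, 10), "address": "PO Box 112, Richmond VA",
     "entered_by": "jdoe", "approved_by": "asmith"},
    {"id": "P3", "vendor": "Birch Office", "amount": 1200.00,
     "invoice_date": date(2014, 9, 13), "address": "14 Main St, Richmond VA",
     "entered_by": "mlee", "approved_by": "asmith"},
    {"id": "P4", "vendor": "Cedar Freight", "amount": 860.00,
     "invoice_date": date(2014, 9, 15), "address": "P.O. Box 9, Norfolk VA",
     "entered_by": "mlee", "approved_by": "asmith"},
    {"id": "P5", "vendor": "Delta Tools", "amount": 2300.00,
     "invoice_date": date(2014, 9, 16), "address": "77 Dock Rd, Norfolk VA",
     "entered_by": "mlee", "approved_by": "asmith"},
]

def weekend_invoice(p):
    return p["invoice_date"].weekday() >= 5  # Saturday=5, Sunday=6

def po_box_address(p):
    return re.search(r"\bP\.?\s*O\.?\s*Box\b", p["address"], re.I) is not None

def just_under_limit(p):
    # Amounts within 5% below the limit may have been sized to avoid approval.
    return 0.95 * APPROVAL_LIMIT <= p["amount"] < APPROVAL_LIMIT

def self_approved(p):
    # Same person entered and approved: a segregation-of-duties conflict.
    return p["entered_by"] == p["approved_by"]

# Test name -> (test function, assumed weight reflecting propensity for fraud).
TESTS = {
    "weekend_invoice": (weekend_invoice, 1),
    "po_box_address": (po_box_address, 1),
    "just_under_limit": (just_under_limit, 3),
    "self_approved": (self_approved, 4),
}

def flag_payment(p):
    """Return the names of every test this payment trips."""
    return [name for name, (test, _weight) in TESTS.items() if test(p)]

def rank_vendors(payments):
    """Rank vendors: most distinct tests tripped first, then weighted score."""
    hits = defaultdict(lambda: {"tests": set(), "score": 0, "payments": []})
    for p in payments:
        fired = flag_payment(p)
        if fired:
            v = hits[p["vendor"]]
            v["tests"].update(fired)
            v["score"] += sum(TESTS[name][1] for name in fired)
            v["payments"].append(p["id"])
    rows = [(n, sorted(v["tests"]), v["score"], v["payments"]) for n, v in hits.items()]
    return sorted(rows, key=lambda r: (-len(r[1]), -r[2], r[0]))

if __name__ == "__main__":
    for vendor, tests, score, ids in rank_vendors(PAYMENTS):
        print(f"{vendor:14} score={score:2} tests={tests} payments={ids}")
```

A vendor that trips several tests rises to the top of the review queue, while a single weekend invoice or post office box address stays at the bottom as a lower-priority anomaly.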

Detailed audit planning of analytic supported reviews is the key to success for every organization eager to strengthen internal controls in the modern distributed computing environment. Fraud audit analytics minimizes sampling risk and promotes efficient, highly focused audit practices.  Only if properly planned for can such anti-fraud solutions provide full population-visibility and the power to uncover small anomalies in the virtual ocean of data, casting a wider net to more effectively fight deeply buried instances of fraud, waste and abuse.

The Masquerade – There Will Be Fraud

“We are honored to have this guest post from our Richmond Chapter member, Rumbi Bwerinofa, CPA/CFF. Rumbi is a Director of the Queens/Brooklyn Chapter of the New York State Society of CPAs and a member of the NYSSCPA Litigation Services Committee. She is the editor of, where she discusses financial forensic issues.”

My husband is working on a photographic project, documenting the New York City West Indian-American Day Carnival. This Carnival, also called the Labor Day Parade, is, arguably, the largest parade, street fair or festival in North America, with estimates of between one and three million people attending the festivities. It certainly is the biggest cultural event of the year. With thousands of participants involved in being parts of parading groups, bands and floats, preparations for the Carnival begin months in advance of the big day. Last Friday my husband invited me to attend a Mas Camp with him. I went along, completely clueless about what a Mas Camp is and what happens when people go to a Mas Camp. It was a great opportunity to tag along and get a sense of what he has been doing. Plus, I love Caribbean cuisine and he had promised dinner.

I learned that the parade is made up of floats surrounded by teams of costumed revelers that are known as masqueraders. The floats and masqueraders are dressed and decorated according to a theme and together they form a masquerade band, or mas band. In the months before Carnival, the band leaders set up a mas camp where people can sign up to be part of the mas band and order costumes. As I walked around the couple of mas camps that I visited, I saw various masquerade costumes on display with prices disclosed on signs close by. In addition to time and effort, people invest a substantial amount of money into their costumes and being a part of a mas band. Costumes run into the hundreds and, for some, thousands of dollars. For that kind of money, the revelers expect to receive a well-made costume that looks like the advertised version that they ordered and to be a part of a band that parades down Eastern Parkway in this celebration of Caribbean history and culture. But, where there is money, there will be fraud.

As I marveled at the themes, costumes and their prices, I noticed a yellow sign hanging on the entrance to the mas camp, which was a store front. The man giving us the tour of the mas camp explained that it was their certificate. The West Indian-American Caribbean Day Association (WIADCA) organizes and holds the Carnival. Mas band leaders attend meetings called by WIADCA and police precincts where they are told the rules and regulations of the parade, in order to preserve the spirit and safety of the parade. Mas bands are registered with WIADCA and issued certificates that they must hang in a visible location. This is so that, before anyone spends money at mas camp, they can check to make sure they are with a valid mas band and not a scam out to take their money and run. The certification gives assurance that the mas band will meet certain standards, will produce their costume and will be there on Labor Day morning for the march up Eastern Parkway. People can check with WIADCA, who keeps a register of all certified mas bands and they can also take complaints to WIADCA who in turn can discipline or decertify mas bands that do not abide by the rules and regulations.

This is the way it works with CPAs and credentialed forensic accountants. When a person seeks the services of a qualified professional, getting their word or seeing a lot of framed certificates is all well and good, but it must all be backed up by something that can be verified. The professional bodies that govern these credentials have a code of conduct and professional standards that forensic accountants must abide by. The bodies also have coursework and testing that must be taken to attain and maintain the credential. These professional designations also have continuing education requirements to help ensure that a person holding a particular credential is up to date on the knowledge and experience required by the designation. You know how, on television, cops knock on someone’s door and flash their badges and how, sometimes, a person yells, “I want your badge number”? Well, the same goes for a credentialed forensic accountant. Whether that forensic accountant is Certified in Financial Forensics (CFF), a Certified Fraud Examiner (CFE) or holds a different forensic specialization, that credential will have its own unique number that has been issued by the governing authority. This means that if someone claims to be a CFE, you can verify their information with the Association of Certified Fraud Examiners and confirm that they are accredited and that their credential is currently active. If you cannot independently verify their qualifications, then you shouldn’t trust them with your money or with investigating any financial forensic matter.

There are several advantages to working with a credentialed forensic accountant:

  • You can consult the standards and areas of expertise covered by the credentialing body and find out what body of knowledge your forensic specialist possesses. In this way you can focus on retaining the services of the right type of expert.
  • Should your expert provide substandard services, you can take your complaints to the credentialing body, which will investigate and resolve your issue.
  • Knowing that they could face disciplinary action, including suspension or revocation of their credential, is an incentive for the certified forensic accountant to behave in an ethical and professional manner, per the rules and regulations of their credential issuing body.
  • If you have a matter that ends up in court, having an expert witness who holds credentials that are pertinent to the matter at hand tends to hold weight with the judge and jury and lend more credibility to the testimony of the expert. I mean, when receiving a diagnosis, who would you trust – a doctor or someone who watches a lot of medical shows?

So, be it dancing and celebrating as a masquerader at Carnival or having a financial forensic matter investigated, don’t you want to be sure you are placing your investment and trust in the right hands?

Ponzi or Pyramid?

One question I get over and over again, especially when giving presentations on common frauds and scams to senior citizen groups, is, “What’s the difference between a Ponzi scheme and an illegal pyramid?”  Which is certainly an understandable question since seniors are prime targets for investment scams of all kinds.

Both Ponzis and pyramids use the money of investors to make promised payoffs to other investors.  But they’re run very differently by their promoters and legally they’re prosecuted under different laws.  A very important distinction to make is between legal and illegal pyramid schemes.  Ponzi schemes and illegal pyramids are the same, only somewhat different.

The promoter of an illegal pyramid generates revenue by continually recruiting new members.  The different operations may offer goods or services for sale, but it’s important to keep in mind that the only significant revenues come from new recruitments.  Some legitimate sales companies use a pyramid structure to rank their employee-owners and calculate their compensation.  So when does a legal pyramid structure become illegal?   That happens when the company makes its money primarily by recruiting people.  Instead of selling a product or service, the group deals primarily in new memberships.   Joining the group allows the new member to profit by personally signing up new members.  The process continues until the available pool of new members is drained, which always happens a lot faster than most people think.

As a rule of thumb, courts in the U.S. apply the 70% rule.  This requires that at least 70 percent of the distributor’s profit come from actual retail sales.  Is this rule hard to verify?  You bet.  Distributors often sign falsified compliance statements because promoters warn that if they don’t, authorities will shut the whole thing down and everyone will lose.  So the bottom line as to legality hinges on what the pyramid operators emphasize… if the company emphasizes the recruitment of new members over the sale of products, and if the only way to recognize the promised return is through additional recruitment, then the operation will likely be classified as an illegal pyramid.

Illegal pyramids are promoted as pyramids… Ponzi schemes are promoted as investment opportunities.  The key element in the Ponzi is that initial investors are paid with subsequent investors’ money.  There is little, if any, legitimate commerce.  In an illegal pyramid no one is really selling that much of the product; they’re coaxing new people to put up money.  The original members of the pyramid get rich on subsequent investors’ money…so, a pyramid is a Ponzi scheme.  Is a Ponzi scheme a pyramid?  In the sense that it requires exponential growth to avoid a collapse, a Ponzi scheme is a pyramid scheme.  The difference is that in a pyramid scheme, each member financially gains from personally recruiting additional members, but in a Ponzi scheme, all proceeds are pooled and participants are not directly rewarded for recruiting additional members.

Setting Up the Client Data Mine to Screen Out Fraud, Waste and Abuse

The process of developing a data warehouse of client information is a critical first step in the data mapping and data mining effort that has proved a challenge for fraud examiners and auditors setting out to utilize these tools for the first time.  Consider what we’d need if we were thinking about taking a vacation involving a long road trip.  First, we’d need some kind of vehicle to drive; we can’t really determine what kind of vehicle we need until we know how many people will be going with us (entities about which we’ll be storing information).   Then we’re going to need a roadmap (the data) to guide our trip.  We also need to be prepared for unforeseen events (data anomalies) along the way that don’t appear on the map.  Then, once we arrive at each of the various milestones along the way, we take in information from that stage of the journey and re-evaluate our route…it’s an on-going process.

So we can think of the implementation of a data mapping and data mining effort for fraud examination as an on-going process built on a foundation of operational or managerial auditing procedures; the process involves defining the data elements to be gathered, the collection of the data, the design of the tables and decision trees in which the data will be stored and processed by queries, and the on-going surveillance of the data.  The pre-condition here is that the data flows continuously as in health care, billing or quarterly updated financial applications.

Once a warehouse has been appropriately mapped and data mining activated, the ongoing activity is surveillance.  This is where auditor judgment proves critical.  Finding patterns in the on-going flow of data indicative of the presence of scenarios linked to fraud, waste and abuse is a skill which can be developed only over time and through experience with what “normal” data for the entity under surveillance should look like… how, in the company environment, should normal data look and what makes this data look “abnormal”?

This analysis is not a one-time event but an ongoing, constantly evolving tool for efficiently obtaining the intelligence to identify fraud and then alter controls to prevent such transactions from being processed in the future.  We’re not looking to recoup the losses from identified past fraud scenarios (pay and chase) so much as we’re looking to adjust our systems and controls through edits to prevent the data associated with such scenarios from even being processed in the future.

Simply put, we need to identify the anomalous output and study the hidden patterns associated with each anomaly; document the sequence of events leading to the offense; identify potential perpetrators; document the loss; and finally, adjust system edits so that the  processing pattern associated with the fraud does not recur.


October 17, 2012 AGA-ACFE Joint Fraud & Technology Seminar

This year’s joint seminar between the Richmond Chapter of the Association of Governmental Accountants and the Central Virginia Chapter of the Association of Certified Fraud Examiners featured a full program of presentations by eight practitioners on topics related to the intersection between accounting, fraud examination and applied financial technology.

The Seminar Agenda and Speaker’s List

Following opening remarks by Al Subramanian – AGA President and Charles Lawver – ACFE President, the morning session commenced.

Mike Morehart, the newly appointed State Inspector General for Virginia presented on the topic of the “New Office of the Inspector General”.  The statewide office of the Inspector General is an innovation new to Virginia, the success of which will require the involvement of all levels of Virginia government.

David McGinnis of the U.S. Postal Service presented on the topic of  “Consumer Fraud Awareness”.   The postal service is being used by a host of different types of criminals to facilitate numerous fraud schemes associated with money laundering, frauds targeting the elderly and work at home scams.

 Howard Mulholland of the Virginia Office of the Attorney General and Detective  Timothy J. Ortwein of the Loudoun County Sheriff’s Office presented on the Dianna Atari mortgage fraud case.  This complex investigation involved the manipulation of hundreds of loan transactions made to legitimate and illegitimate mortgage borrowers as well as credit improvement and bank fraud manipulations.

Special Agent Shawn Monaghan (no photograph) of the Fairfax County Police Department discussed the money laundering aspects of the Virginia illegal drug trade as well as emerging trends in the investigation of narcotics networks nationally, in Mexico and in the Commonwealth.

 Special Agent Denise Ashley – NICB Major Medical Task Force presented various automated tools made available to law enforcement and to state agencies free of charge to battle fraud, waste and abuse in the insurance industry.

Walter Kucharski, retiring Virginia State Auditor of Public Accounts, presented on the topic, “The APA – Fraud Prevention and Risk Management.”

Charles W. Lawver, 2012-2013 President of the Central Virginia Chapter of the Association of Certified Fraud Examiners, spoke on the topic of “Medicaid Fraud Waste and Abuse Detection Systems – Data Mining & Data Analytics.”

Ignorance of Fraud Makes Fraud Easy – Pod Cast

Auditors of all kinds as well as government regulators are exhorted by congressional committees on C-Span every other week to be leaders in fraud and irregularity prevention, especially with regard to the financial and trading irregularities committed by the personnel of too-big-to-fail banking and investment firms. They are told to design tighter control systems to identify fraud and wrong doing in the cradle, before it has a chance to get out of hand and result in another JP Morgan Chase size embarrassment. This suggested strategy is, at best, a band-aid solution to a large and pervasive problem. Business activity is built on the trust that people at all levels will do their jobs properly…control systems are a two edged sword because, in the extreme, they can strangle any business in layers of bureaucracy while preventing the targeted  wrong-doing.

It’s sad that among all the talk of more regulation and yet more controls piled on existing controls, one of the most effective fraud deterrents of all is consistently under emphasized…fraud awareness education. Study after study has revealed that it’s ignorance of fraud itself, among business people and the general public alike, that makes fraud so ridiculously easy to commit. Victim education is the most effective of fraud deterrence tools and one of the cheapest to implement.  The more educated eyes there are on any transaction, or group of transactions, the harder it is for the fraudster or waster to go undetected.

The following pod cast was adapted from the presentation of a guest speaker at our Chapter’s recent joint conference with the Association of Government Accountants. I hope you enjoy it…

Ignorance of Fraud Makes Fraud Easy – Pod Cast