Category Archives: Anti-Fraud Training

Internal Auditors as Fraud Auditors

Although fraud prevention is always more effective and less costly than fraud detection (and subsequent investigation), unfortunately prevention is not always possible. That’s why, as CFE’s and forensic accountants we should all be heavy promoters (and supporters) of client internal audit functions.  That is also why we should make it a goal that all employees of our client companies be trained in how to identify the major red flags of fraud they may encounter in their daily activities. Mastering key detection techniques is doubly essential for the internal audit and financial professionals employed by those same enterprises. Our Chapter has long preached that once internal auditors and financial managers know what to look for, there is an enhanced chance that fraud or suspicious activity will be detected one way or another, but only if the organization has the proper monitoring, reporting, and auditing procedures in place.

With that said, many organizations require internal audits of specific business processes and units only once every two or three years. In an age when so much can change so quickly in an internet dominated world, this approach is not the most effective insofar as fraud detection and prevention are concerned. This is especially so because conventional audits were most often not designed to detect fraud in the first place, usually focusing on specified groups of internal controls or compliance with existing policies, laws and regulations. That’s why the ACFE and Institute of Internal Auditors (IIA) now recommend that a fraud risk assessment (FRA) be conducted annually and that the fraud-auditing procedures designed to detect red flags in the high-risk areas identified by the FRA be incorporated into internal audit plans immediately.

There is often a fine line between detection and prevention. In fact, some detection steps overlap with prevention methods, as in the case of conflict of interest, where enforcing a management financial disclosure policy may both detect conflicting financial interests and prevent frauds resulting from them by virtue of the actual detection of the relationships. In most organizations, however, carefully assessing the description of prevention and detection controls demonstrates that there is usually a clear distinction between the two.

The IIA tell us that the internal audit function is a critical element in assessing the effectiveness of an institution’s internal control system. The internal audit consists of procedures to prevent or identify significant inaccurate, incomplete, or unauthorized transactions; deficiencies in safeguarding assets; unreliable financial reporting; and deviations from laws, regulations, and institutional policies. When properly designed and implemented, internal audits provide directors and senior management with timely information about weaknesses in the internal control system, facilitating prompt remedial action. Each institution should have an internal audit function appropriate to its size and the nature and scope of its activities.

This is a complex way of saying that our client’s internal audit function should focus on monitoring the institution’s internal controls, which, although not mentioned explicitly, include controls specifically designed to prevent fraud.  To effectively assess anti-fraud controls, auditors first must exercise detection techniques and procedures that confirm the existence of red flags or actual evidence of potential fraud in the risk areas identified by the FRA.

The Chief Internal Auditor is typically responsible for the following:

–Performing, or contracting for, a control risk assessment documenting the internal auditor’s understanding of significant business activities and associated risks. These assessments typically analyze the risks inherent in each business line, the mitigating control processes, and the resulting residual risk exposure;

–An internal audit plan responsive to results of the control risk assessment. This plan typically specifies key internal control summaries within each business activity, the timing and frequency of internal audit work, and the resource budget;

–An internal audit program that describes audit objectives and specifies procedures performed during each internal audit review;

–An audit report presenting the purpose, scope, and results of each audit. Work papers should be maintained to document the work performed and support audit findings.

There is a joint ACFE-IIA-AICPA document with which every CFE should be familiar.  ‘The Business Risk of Fraud’ provides clarity about the internal auditor’s role in detecting fraud in our client organization’s operations and financial statements. Specifically, the document states that internal auditors should consider the organization’s assessment of fraud risk when developing their annual audit plan and periodically assess management’s fraud detection capabilities. They should also interview and regularly communicate with those conducting the assessments, as well as with others in key positions throughout the company, to help them assess whether all fraud risks have been considered. Moreover, according to the document, when performing audits, internal auditors should devote sufficient time and attention to evaluating the “design and operation” of internal controls related to preventing and detecting significant fraud risks. They should exercise professional skepticism when reviewing activities to be on guard for the signs of potential fraud. Potential frauds uncovered during an engagement should be treated in accordance with a well-defined response plan consistent with professional and legal standards.

Among the most helpful guides for CFEs to recommend to clients for their internal auditors use in planning a detailed audit to detect fraud is the all-important SAS 99 which contains key fraud detection techniques including guidance on the performance of certain financial ratio analysis. Analytical procedures performed during planning may be helpful in identifying the risks of material misstatement due to fraud. However, because such analytical procedures generally use data aggregated at a high level, the results of those analytical procedures provide only a broad initial indication about whether a material misstatement of the financial statements may exist. Accordingly, the results of analytical procedures performed during planning should be considered along with other information gathered by the auditor in identifying the risks of material misstatement due to fraud.

SAS 99 was formulated with the aim of detecting fraud that has a direct impact on “material misstatement.” Essentially this means that anything in the organization’s financial activities that could result in fraud-related misstatements in its financial records should be audited for by using SAS 99 as a guide. SAS 99 breaks down the potential fraudulent causes of material misstatement into two categories:

1. Misstatement due to fraudulent financial reporting (i.e., “book cooking”);

2. Misstatement due to misappropriation of assets (i.e., theft).

The fraud auditing procedures of SAS 99, or of any other reputable audit guidance, can greatly assist internal auditors in distinguishing between actual fraud and error. Often the two have similar characteristics, with the key difference being that of the existence or absence of intent. Toward this end, SAS 99 and other key fraud auditing guidelines provide detailed procedures for gathering evidence of potential fraud based on the lists of fraud risks resulting from the client’s FRA. As SAS 99 states:

‘SAS 99. . . strongly recommend[s] direct involvement by internal auditors in the organization’s fraud-auditing efforts: Internal auditors may conduct proactive auditing to search for corruption, misappropriation of assets, and financial statement fraud. This may include the use of computer-assisted audit techniques to detect types of fraud. Internal auditors also can employ analytical and other procedures to isolate anomalies and perform detailed reviews of high-risk accounts and transactions to identify potential financial statement fraud. The internal auditors should have an independent reporting line directly to the audit committee, enabling them to express any concerns about management’s commitment to appropriate internal controls or to report suspicions or allegations of fraud involving senior management.

Specifically, SAS 99 provides a set of audit responses designed to gather hard evidence of potential fraud that could exist based on what the client organization learned from its FRA. These responses are critical to the auditor’s success in identifying clear red flags of potential fraud in our client’s operations. The responses are wide ranging and include anything from the application of appropriate ratio analytics, to thorough and detailed testing of controls governing specific business process procedures, to the analysis of anomalies in vendor or customer account activity. There are three broad categories into which such detailed internal audit fraud auditing responses fall:

1. The nature of auditing procedures performed may need to be changed to obtain evidence that is more reliable or to obtain additional corroborative information;
2. The timing of substantive tests may need to be modified. The auditor might conclude that substantive testing should be performed at or near the end of the reporting period to best address an identified risk of material misstatement due to fraud;
3. The extent of the procedures applied should reflect the assessment of the risks of material misstatement due to fraud. For example, increasing sample sizes or performing analytical procedures at a more detailed level may be appropriate.

The contribution of a fully staffed and management-supported internal audit function to a subsequent CFE conducted fraud examination can be extraordinary and its value never overstated; no client fraud prevention and detection program should ever be considered complete without one.

Navigating the Cloud

I’ve read several articles in the trade press recently that indicate CFEs are finding some aspects of fraud investigations involving cloud based data to be especially challenging. This is a consequent follow-on of the uncontested fact that, for many organizations, cloud based computing does improve performance and dramatically reduces a wide range of IT and administrative costs.

Commissioning a cloud service provider can enable an organization to off-load much of the difficulty that comes with implementing, maintaining, and physically protecting the systems required for company operations. The organization no longer needs to employ such a large team of network engineers, database administrators, developers, and other technical staff. Instead, it can use smaller, in-house teams to maintain the cloud solution and keep everything running as anticipated. Moving to the cloud also can introduce new capabilities, such as the ability to add and remove servers based on seasonal demand, an option that would be impractical for a traditional data center.

Now that cloud computing has become a mainstream service, CFEs and forensic accountants are increasingly called upon to assess the cloud environment with an eye to devising innovative approaches to cope with the unique investigative features and risks these services pose while at the same time grappling with the effects on their examinations of the security, reliability and availability of critical data housed by their client’s outside IT provider. Based on this assessment, CFEs can advise their client organizations in how best to meet the new investigative challenges when the inevitable cloud involved fraud strikes.

The cloud encompasses application service providers, cloud infrastructure, and the virtual placement of a server, set of servers, or other set of computing power in an environment that is shared among many entities and organizations. Cloud platforms and servers extend and supplement an organization’s own servers, resulting in multiple options for computing and application hosting. It is not sufficient to think of cloud platform and infrastructure oversight as mere vendor management.  Fraud examinations involving these environments are more complex, because of several factors about which the investigative team needs to make decisions  when determining the structure of the examination.

The ACFE tells us that a cloud deployment can be just as variable in structure and architecture as a traditional IT implementation. Among the numerous cloud platforms confronting the CFE, the most common are infrastructure as a service, software as a service, and platform as a service. The employment of these three options alone makes a wide variety of models and other options available. Each of these options additionally poses a distinct set of fraud risks and preventative controls, depending on a client organization’s specific deployment of a particular cloud platform and infrastructure.

Many challenges and barriers to an unfettered examination can appear when the CFEs client organization has contracted with a cloud provider who is, in actual form, a third-party vendor. In some cases, reviewing the cloud service provider’s processes and infrastructure might not be allowed by contract. In its place, the vendor may offer attestation reports such as the American Institute of Certified Public Accountants’ (AICPA’s) Statement on Standards for Attestation Engagements No. 16 (SSAE 16) as evidence of organizational controls. In other cases, the provider might restrict the examination to a select portion of the service which can be problematic when the CFE is working to obtain an overview of a complex fraud. Further, providers often require the client to obtain specific approvals before any fraud examination activities can even begin. Ideally, client organizations should take these types of consideration into account before contracting with a cloud vendor, but such consideration is, for the most part, not realistic unless a client organization has historically experienced a large number of frauds.  Fraud is, most often, not usually the first thing on many client’s minds when initially contracting with a cloud service provider.

One of the most difficult aspects of the fraud examination of a cloud infrastructure deployment is determining which fraud prevention controls are currently managed by the client organization and which by the cloud provider. With many cloud deployments, few controls are the actual responsibility of the provider. For example, the CFEs client may be responsible for configuration management, patch management, and access management, while the provider is only responsible for physical and environmental security.

A client organization’s physical assets are tangible. The organization buys a physical piece of equipment and keeps a record of this asset; a CFE can see all the organization’s technology assets just by walking through the data center. Cloud infrastructure deployments, however, are virtual, and it’s easy to add and remove these systems. Many organizations base their models on servers and systems that are there one day and gone the next. IT departments themselves also struggle with managing cloud assets, and tools to help cloud providers and clients are continually evolving. As a result, from the CFEs perspective, the examination scope can be hard to manage and execute.  The CFE is also confronted with the fact that, because cloud computing is a relatively recent and fast-growing technology service, a client organization’s employees themselves may not possess much cloud expertise. This scarcity creates risks to the CFEs examination because IT administrators often aren’t positioned to fully explain the details of the cloud deployment and structure so critical details bearing on the fraud under investigation may not be adequately documented. Also, migrating from facilities that are operating internally to cloud-based services can dramatically alter the fraud risk profile of any organization. For example, when an organization moves to a cloud based service, in most cases, all its data is stored on the same physical equipment where other organizations’ data is housed. If configured inappropriately, data leaks can result.

Interacting with the client organization’s IT and management is the CFEs first step toward understanding how the organization’s cloud strategy is or is not related to the circumstances of the fraud under investigation. How did the organization originally expect to use the cloud and how is it using it in actual practice? What are the benefits and drawbacks of using it the way it uses it? What is the scope, from a fraud prevention and security perspective, of the organization’s cloud deployment? The lack of a cohesive, formal, and well-aligned cloud infrastructure strategy should be a red flag for the CFE as a possible contributing factor in any fraud involving cloud computing services.

The second step is CFE review of the client’s security program (or lack thereof) itself.  IT departments and business units should ideally have a cloud security strategy available for CFE review. Such a strategy includes determining the type of data permissible to store in the cloud and how its security will be enforced. It also includes the integration of the information security program into the cloud. All the usual IT risks of traditional data centers apply to cloud deployment as well, among them, malware propagation, denial of service attacks, data breaches, and identity theft, all of which, depending on the implementation, can fall on either party to the contract.  Professionals who have received training in cloud computing may or may not be able to adapt traditional IT programs for fraud examination of servers in physical form to a cloud environment.

There is good news for the examining CFE, however. Cloud infrastructure brings with it myriad security technologies useful to the CFE in conducting his or her examination that are not affordable in most traditional deployments from real-time chronological reports on suspect activities related to identity and access management systems, to network segmentation, and multifactor authentication.

In summary, CFEs and forensic accountants should not approach a cloud involved engagement in the same way they approach other fraud examinations involving third-party vendors. Cloud engagements present their own complexities, which CFEs should attempt to understand and assess adequately. SSAE 16 and other attestation reports based on audit and attestation standards can be valuable as informational background to examination of a fraud involving cloud services.  CFEs can help as a profession by reinforcing client community understanding that a correctly implemented cloud infrastructure can reduce a client organization’s residual risk of fraud by offloading a portion of the responsibility for managing IT risks to a cloud service provider. CFEs have a valuable opportunity to see that their client organizations benefit from the cloud while adequately addressing the new fraud risks that are introduced when their clients contract with a service provider and move IT operations to the cloud. Applying the same level of rigor to examinations involving cloud technology that they apply to technology managed in-house creates an environment in which the CFE and forensic accounting professions can be primary advocates for strong cloud strategy implemented within the structure of the client organization’s fraud prevention program.

New Rules for New Tools

I’ve been struck these last months by several articles in the trade press about CFE’s increasingly applying advanced analytical techniques in support of their work as full-time employees of private and public-sector enterprises.  This is gratifying to learn because CFE’s have been bombarded for some time now about the risks presented by cloud computing, social media, big data analytics, and mobile devices, and told they need to address those risk in their investigative practice.  Now there is mounting evidence of CFEs doing just that by using these new technologies to change the actual practice of fraud investigation and forensic accounting by using these innovative techniques to shape how they understand and monitor fraud risk, plan and manage their work, test transactions against fraud scenarios, and report the results of their assessments and investigations to management; demonstrating what we’ve all known, that CFEs, especially those dually certified as CPAs, CIAs, or CISA’s can bring a unique mix of leveraged skills to any employer’s fraud prevention or detection program.

Some examples …

Social Media — following a fraud involving several of the financial consultants who work in its branches and help customers select accounts and other investments, a large multi-state bank requested that a staff CFE determine ways of identifying disgruntled employees who might be prone to fraud. The effort was important to management not only because of fraud prevention but because when the bank lost an experienced financial consultant for any reason, it also lost the relationships that individual had established with the bank’s customers, affecting revenue adversely. The staff CFE suggested that the bank use social media analytics software to mine employees’ email and posts to its internal social media groups. That enabled the bank to identify accurately (reportedly about 33 percent) the financial consultants who were not currently satisfied with their jobs and were considering leaving. Management was able to talk individually with these employees and address their concerns, with the positive outcome of retaining many of them and rendering them less likely to express their frustration by ethically challenged behavior.  Our CFE’s awareness that many organizations use social media analytics to monitor what their customers say about them, their products, and their services (a technique often referred to as sentiment analysis or text analytics) allowed her to suggest an approach that rendered value. This text analytics effort helped the employer gain the experience to additionally develop routines to identify email and other employee and customer chatter that might be red flags for future fraud or intrusion attempts.

Analytics — A large international bank was concerned about potential money laundering, especially because regulators were not satisfied with the quality of their related internal controls. At a CFE employee’s recommendation, it invested in state-of-the-art business intelligence solutions that run “in-memory”, a new technique that enables analytics and other software to run up to 300,000 times faster, to monitor 100 percent of its transactions, looking for the presence of patterns and fraud scenarios indicating potential problems.

Mobile — In the wake of an identified fraud on which he worked, an employed CFE recommended that a global software company upgrade its enterprise fraud risk management system so senior managers could view real-time strategy and risk dashboards on their mobile devices (tablets and smartphones). The executives can monitor risks to both the corporate and to their personal objectives and strategies and take corrective actions as necessary. In addition, when a risk level rises above a defined target, the managers and the risk officer receive an alert.

Collaboration — The fraud prevention and information security team at a U.S. company wanted to increase the level of employee acceptance and compliance with its fraud prevention – information security policy. The CFE certified Security Officer decided to post a new policy draft to a collaboration area available to every employee and encouraged them to post comments and suggestions for upgrading it. Through this crowd-sourcing technique, the company received multiple comments and ideas, many of which were incorporated into the draft. When the completed policy was published, the company found that its level of acceptance increased significantly, its employees feeling that they had part ownership.

As these examples demonstrate, there is a wonderful opportunity for private and public sector employed CFE’s to join in the use of enterprise applications to enhance both their and their employer’s investigative efficiency and effectiveness.  Since their organizations are already investing heavily in a wide variety of innovative technologies to transform the way in which they deliver products to and communicate with customers, as well as how they operate, manage, and direct the business, there is no reason that CFE’s can’t use these same tools to transform each stage of their examination and fraud prevention work.

A risk-based fraud prevention approach requires staff CFEs to build and maintain the fraud prevention plan, so it addresses the risks that matter to the organization, and then update that plan as risks change. In these turbulent times, dominated by cyber, risks change frequently, and it’s essential that fraud prevention teams understand the changes and ensure their approach for addressing them is updated continuously. This requires monitoring to identify and assess both new risks and changes in previously identified risks.  Some of the recent technologies used by organizations’ financial and operational analysts, marketing and communications professionals, and others to understand both changes within and outside the business can also be used to great advantage by loss prevention staff for risk monitoring. The benefits of leveraging this same software are that the organization has existing experts in place to teach CFE’s how to use it, the IT department already is providing technical support, and the software is currently used against the very data enterprise fraud prevention professionals like staff CFEs want to analyze.  A range of enhanced analytics software such as business intelligence, analytics (including predictive and mobile analytics), visual intelligence, sentiment analysis, and text analytics enable fraud prevention to monitor and assess risk levels. In some cases, the software monitors transactions against predefined rules to identify potential concerns such as heightened fraud risks in any given business process or in a set of business processes (the inventory or financial cycles).  For example, a loss prevention team headed by a staff CFE can monitor credit memos in the first month of each quarter to detect potential revenue accounting fraud. Another use is to identify trends associated with known fraud scenarios, such as changes in profit margins or the level of employee turnover, that might indicate changes in risk levels. For example, the level of emergency changes to enterprise applications can be analyzed to identify a heightened risk of poor testing and implementation protocols associated with a higher vulnerability to cyber penetration.

Finally, innovative staff CFEs have used some interesting techniques to report fraud risk assessments and examination results to management and to boards. Some have adopted a more visually appealing representation in a one-page assessment report; others have moved to the more visual capabilities of PowerPoint from the traditional text presentation of Microsoft Word.  New visualization technology, sometimes called visual analytics when allied with analytics solutions, provides more options for fraud prevention managers seeking to enhance or replace formal reports with pictures, charts, and dashboards.  The executives and boards of their employing organizations are already managing their enterprise with dashboards and trend charts; effective loss prevention communications can make effective use of the same techniques. One CFE used charts and trend lines to illustrate how the time her employing company was taking to process small vendor contracts far exceeded acceptable levels, had contributed to fraud risk and was continuing to increase. The graphic, generated by a combination of a business intelligence analysis and a visual analytics tool to build the chart, was inserted into a standard monthly loss prevention report.

CFE headed loss prevention departments and their allied internal audit and IT departments have a rich selection of technologies that can be used by them individually or in combination to make them all more effective and efficient. It is questionable whether these three functions can remain relevant in an age of cyber, addressing and providing assurance on the risks that matter to the organization, without an ever wider use of modern technology. Technology can enable the an internal CFE to understand the changing business environment and the risks that can affect the organization’s ability to achieve its fraud prevention related objectives.

The world and its risks are evolving and changing all the time, and assurance professionals need to address the issues that matter now. CFEs need to review where the risk is going to be, not where it was when the anti-fraud plan was built. They increasingly need to have the ability to assess cyber fraud risk quickly and to share the results with the board and management in ways that communicate assurance and stimulate necessary change.

Technology must be part of the solution to that need. Technological tools currently utilized by CFEs will continue to improve and will be joined by others over time. For example, solutions for augmented or virtual reality, where a picture or view of the physical world is augmented by data about that picture or view enables loss prevention professionals to point their phones at a warehouse and immediately access operational, personnel, safety, and other useful information; representing that the future is a compound of both challenge and opportunity.

The Other Assets Dance

Studies by the ACFE and various academics have revealed over the years that, while not as common as cash schemes, employee misappropriations of other types of corporate assets than cash can sometimes prove even more disastrous than cash theft for any organization that suffers them.  The median losses associated with noncash schemes is generally higher than cash schemes, being $100,000 as opposed to $60,000.

The other asset category includes such assets as inventories of all kinds, i.e., inventory for sale, supplies and equipment and some categories of fixed assets; in short, the term inventory and other assets is generally meant to encompass misapplication schemes involving any assets held by an enterprise other than cash.  The theft of non-cash assets is generally classified by the ACFE into three groups: inventory schemes, supplies schemes and other asset schemes; of these schemes inventory related schemes account for approximately 70% of the losses while misappropriation of company supplies accounts for another 20%…the remaining losses are associated with several types of fixed assets, equipment, and corporate related information.

Those who study these types of fraud generally lump non-cash assets together for describing how these types of assets are misappropriated since the methods for misappropriation don’t vary much among the various asset types.  The asset, no matter what it is, can be misused (or “borrowed”) or it can be stolen.  Assets that are misused rather than stolen outright include company assigned vehicles, company supplies of all kinds, computers, and other office equipment.  As a very frequently occurring example, a company executive might make use of a company car when on an out of the home office assignment; false documentation (both in writing and verbally) is provided to the company by the employee regarding the nature of her use of the vehicle.  At the end of the trip, the car is returned intact and the cost to the fraudster’s company is only a few hundred dollars at most; but what we have here is, nonetheless, an instance of fraud when a false statement or declaration accompanies the use.

In contrast, the costs of inventory misuse schemes can be very costly.  To many employees, inventory fraud of some kinds is not perceived as a crime, but rather as “borrowing” and, in truth, the actual cost of borrowing a laptop to do personal computing at home may often be immaterial if the asset is returned undamaged.  On the other hand, if the employee uses the laptop to operate a side business during and after normal work hours, the consequences can be more serious for the company, especially if the employee’s business is in competition with that of the employer.  Since the employee is not performing his or her assigned work duties, the employer suffers a loss of productivity and is defrauded of that portion of the employee’s wages related to the fraud.  If the employee’s low productivity continues for any length of time, the employer might have to engage additional employees to compensate which means more capital diverted to wages.  As noted above, if the employee’s business is like that of the employer’s, lost business for the employer would be an additional cost of the scheme.  If the employee had not contracted work for his own company, the business would presumably have gone to her employer. Unauthorized use of company equipment can also mean additional wear and tear, causing company owned equipment to break down sooner than it would have under normal operating conditions.

So, what about prevention?  There are preventative measures for control of other asset related frauds which, if properly installed and operating, may help prevent employee exploits directed against all the many types of inventories maintained by a typical business:
For each type of asset inventory (for sale, supplies, equipment, etc.), the following items (as appropriate) should be pre-numbered and controlled:

–requisitions
–receiving reports
–perpetual records
–raw materials requisitions
–shipping documents
–job cost sheets

The following duties related to the distinct types of asset inventories should be handled by different employees:

–requisition of inventory
–receipt of inventory
–disbursement of inventory
–conversion of inventory to scrap
–receipt of proceeds from disposal of scrape.

Someone independent of the purchasing or warehousing function should conduct physical observation of all asset inventories according to defined schedules.  Personnel conducting physical observations of these types of assets should be knowledgeable about the inventory, i.e., what types of material it should contain, where the material should physically be, etc.  All company owned merchandise should be physically guarded and locked; and access should be limited to authorized personnel only.

Help for the Little Guy

It’s clear to the news media and to every aware assurance professional that today’s cybercriminals are more sophisticated than ever in their operations and attacks. They’re always on the lookout for innovative ways to exploit vulnerabilities in every global payment system and in the cloud.

According to the ACFE, more consumer records were compromised in 2015-16 than in the previous four years combined. Data breach statistics from this year (2017) are projected to be even grimmer due to the growth of increasingly sophisticated attack methods such as increasingly complex malware infections and system vulnerability exploits, which grew tenfold in 2016. With attacks coming in many different forms and from many different channels, consumers, businesses and financial institutions (often against their will) are being forced to gain a better understanding of how criminals operate, especially in ubiquitous channels like social networks. They then have a better chance of mitigating the risks and recognizing attacks before they do severe damage.

As your Chapter has pointed out over the years in this blog, understanding the mechanics of data theft and the conversion process of stolen data into cash can help organizations of all types better anticipate in the exact ways criminals may exploit the system, so that organizations can put appropriate preventive measures in place. Classic examples of such criminal activity include masquerading as a trustworthy entity such as a bank or credit card company. These phishers send e-mails and instant messages that prompt users to reply with sensitive information such as usernames, passwords and credit card details, or to enter the information at a rogue web site. Other similar techniques include using text messaging (SMSishing or smishing) or voice mail (vishing) or today’s flood of offshore spam calls to lure victims into giving up sensitive information. Whaling is phishing targeted at high-worth accounts or individuals, often identified through social networking sites such as LinkedIn or Facebook. While it’s impossible to anticipate or prevent every attack, one way to stay a step ahead of these criminals is to have a thorough understanding of how such fraudsters operate their enterprises.

Although most cyber breaches reported recently in the news have struck large companies such as Equifax and Yahoo, the ACFE tells us that small and mid-sized businesses suffer a far greater number of devastating cyber incidents. These breaches involve organizations of every industry type; all that’s required for vulnerability is that they operate network servers attached to the internet. Although the number of breached records a small to medium sized business controls is in the hundreds or thousands, rather than in the millions, the cost of these breaches can be higher for the small business because it may not be able to effectively address such incidents on its own.  Many small businesses have limited or no resources committed to cybersecurity, and many don’t employ any assurance professionals apart from the small accounting firms performing their annual financial audit. For these organizations, the key questions are “Where should we focus when it comes to cybersecurity?” and “What are the minimum controls we must have to protect the sensitive information in our custody?” Fraud Examiners and forensic accountants with client attorneys assisting small businesses can assist in answering these questions by checking that their client attorney’s organizations implement a few vital cybersecurity controls.

First, regardless of their industry, small businesses must ensure their network perimeter is protected. The first step is identifying the vulnerabilities by performing an external network scan at least quarterly. A small business can either hire an outside company to perform these scans, or, if they have small in-house or contracted IT, they can license off-the-shelf software to run the scans, themselves. Moreover, small businesses need a process in place to remedy the identified critical, high, and medium vulnerabilities within three months of the scan run date, while low vulnerabilities are less of a priority. The fewer vulnerabilities the perimeter network has,
the less chance that an external hacker will breach the organization’s network.

Educating employees about their cybersecurity responsibilities is not a simple check-sheet matter. Smaller businesses not only need help in implementing an effective information security policy, they also need to ensure employees are aware of the policy and of their responsibilities. The policy and training should cover:

–Awareness of phishing attacks;
–Training on ransomware management;
–Travel tips;
–Potential threats of social engineering;
–Password protection;
–Risks of storing sensitive data in the cloud;
–Accessing corporate information from home computers and other personal devices;
–Awareness of tools the organization provides for securely sending emails or sharing large files;
–Protection of mobile devices;
–Awareness of CEO spoofing attacks.

In addition, small businesses should verify employees’ level of awareness by conducting simulation exercises. These can be in the form of a phishing exercise in which organizations themselves send fake emails to their employees to see if they will click on a web link, or a social engineering exercise in which a hired individual tries to enter the organization’s physical location and steal sensitive information such as information on computer screens left in plain sight.

In small organizations, sensitive information tends to proliferate across various platforms and folders. For example, employees’ personal information typically resides in human resources software or with a cloud service provider, but through various downloads and reports, the information can proliferate to shared drives and folders, laptops, emails, and even cloud folders like Dropbox or Google Drive. Assigned management at the organization should check that the organization has identified the sites of such proliferation to make sure it has a good handle on the state of all the organization’s sensitive information:

–Inventory all sensitive business processes and the related IT systems. Depending on the organization’s industry, this information could include customer information, pricing data, customers’ credit card information, patients’ health information, engineering data, or financial data;
–For each business process, identify an information owner who has complete authority to approve user access to that information;
–Ensure that the information owner periodically reviews access to all the information he or she owns and updates the access list.

Organizations should make it hard to get to their sensitive data by building layers or network segments. Although the network perimeter is an organization’s first line of defense, the probability of the network being penetrated is today at an all-time high. Management should check whether the organization has built a layered defense to protect its sensitive information. Once the organization has identified its sensitive information, management should work with the IT function to segment those servers that run its sensitive applications.  This segmentation will result in an additional layer of protection for these servers, typically by adding another firewall for the segment. Faced with having to penetrate another layer of defense, an intruder may decide to go elsewhere where less sensitive information is stored.

An organization’s electronic business front door also can be the entrance for fraudsters and criminals. Most of today’s malware enters through the network but proliferates through the endpoints such as laptops and desktops. At a minimum, internal small business management must ensure that all the endpoints are running anti-malware/anti-virus software. Also, they should check that this software’s firewall features are enabled. Moreover, all laptop hard drives should be encrypted.

In addition to making sure their client organizations have implemented these core controls, assurance professionals should advise small business client executives to consider other protective controls:

–Monitor the network. Network monitoring products and services can provide real-time alerts in case there is an intrusion;
–Manage service providers. Organizations should inventory all key service providers and review all contracts for appropriate security, privacy, and data breach notification language;
–Protect smart devices. Increasingly, company information is stored on mobile devices. Several off-the-shelf solutions can manage and protect the information on these devices. Small businesses should ensure they are able to wipe the sensitive information from these devices if they are lost or stolen;
–Monitor activity related to sensitive information. Management IT should log activities against their sensitive information and keep an audit log in case an incident occurs and they need to review the logs to evaluate the incident.

Combined with the controls listed above, these additional controls can help any small business reduce the probability of a data breach. But a security program is only as strong as its weakest link Through their assurance and advisory work, CFE’s and forensic accountants can proactively help identify these weaknesses and suggest ways to strengthen their smaller client organization’s anti-fraud defenses.

From Inside the Building

By Rumbi Petrozzello, CFE, CPA/CFF
2017 Vice-President – Central Virginia Chapter ACFE

Several months ago, I attended an ACFE session where one of the speakers had worked on the investigation of Edward Snowden. He shared that one of the ways Snowden had gained access to some of the National Security Agency (NSA) data that he downloaded was through the inadvertent assistance of his supervisor. According to this investigator, Snowden’s supervisor shared his password with Snowden, giving Snowden access to information that was beyond his subordinate’s level of authorization. In addition to this, when those security personnel reviewing downloads made by employees noticed that Snowden was downloading copious amounts of data, they approached Snowden’s supervisor to question why this might be the case. The supervisor, while acknowledging this to be true, stated that Snowden wasn’t really doing anything untoward.

At another ACFE session, a speaker shared information with us about how Chelsea Manning was able to download and remove data from a secure government facility. Manning would come to work, wearing headphones, listening to music on a Discman. Security would hear the music blasting and scan the CDs. Day after day, it was the same scenario. Manning showed up to work, music blaring.  Security staff grew so accustomed to Manning, the Discman and her CDs that when she came to work though security with a blank CD boldly labelled “LADY GAGA”, security didn’t blink. They should have because it was that CD and ones like it that she later carried home from work that contained the data she eventually shared with WikiLeaks.

Both these high-profile disasters are notable examples of the bad outcome arising from a realized internal threat. Both Snowden and Manning worked for organizations that had, and have, more rigorous security procedures and policies in place than most entities. Yet, both Snowden and Manning did not need to perform any magic tricks to sneak data out of the secure sites where the target data was held; it seems that it all it took was audacity on the one side and trust and complacency on the other.

When organizations deal with outside parties, such as vendors and customers, they tend to spend a lot of time setting up the structures and systems that will guide how the organization will interact with those vendors and customers. Generally, companies will take these systems of control seriously, if only because of the problems they will have to deal with during annual external audits if they don’t. The typical new employee will spend a lot of time learning what the steps are from the point when a customer places an order through to the point the customer’s payment is received. There will be countless training manuals to which to refer and many a reminder from co-workers who may be negatively impacted if the rooky screws up.

However, this scenario tends not to hold up when it comes to how employees typically share information and interact with each other. This is true despite the elevated risk that a rogue insider represents. Often, when we think about an insider causing harm to a company through fraudulent acts, we tend to imagine a villain, someone we could identify easily because s/he is obviously a terrible person. After all, only a terrible person could defraud their employer. In fact, as the ACFE tells us, the most successful fraudsters are the ones who gain our trust and who, therefore, don’t really have to do too much for us to hand over the keys to the kingdom. As CFEs and Forensic Accountants, we need to help those we work with understand the risks that an insider threat can represent and how to mitigate that risk. It’s important, in advising our clients, to guide them toward the creation of preventative systems of policy and procedure that they sometimes tend to view as too onerous for their employees. Excuses I often hear run along the lines of:

• “Our employees are like family here, we don’t need to have all these rules and regulations”

• “I keep a close eye on things, so I don’t have to worry about all that”

• “My staff knows what they are supposed to do; don’t worry about it.”

Now, if people can easily walk sensitive information out of locations that have documented systems and are known to be high security operations, can you imagine what they can do at your client organizations? Especially if the employer is assuming that their employees magically know what they are supposed to do? This is the point that we should be driving home with our clients. We should look to address the fact that both trust and complacency in organizations can be problems as well as assets. It’s great to be able to trust employees, but we should also talk to our clients about the fraud triangle and how one aspect of it, pressure, can happen to any staff member, even the most trusted. With that in mind, it’s important to institute controls so that, should pressure arise with an employee, there will be little opportunity open to that employee to act. Both Manning and Snowden have publicly spoken about the pressures they felt that led them to act in the way they did. The reason we even know about them today is that they had the opportunity to act on those pressures. I’ve spent time consulting with large organizations, often for months at a time. During those times, I got to chat with many members of staff, including security. On a couple of occasions, I forgot and left my building pass at home. Even though I was on a first name basis with the security staff and had spent time chatting with them about our personal lives, they still asked me for identification and looked me up in the system. I’m sure they thought I was a nice and trustworthy enough person, but they knew to follow procedures and always checked on whether I was still authorized to access the building. The important point is that they, despite knowing me, knew to check and followed through.

Examples of controls employees should be reminded to follow are:

• Don’t share your password with a fellow employee. If that employee cannot access certain information with their own password, either they are not authorized to access that information or they should speak with an administrator to gain the desired access. Sharing a password seems like a quick and easy solution when under time pressures at work, but remind employees that when they share their login information, anything that goes awry will be attributed to them.

• Always follow procedures. Someone looking for an opportunity only needs one.

• When something looks amiss, thoroughly investigate it. Even if someone tells you that all is well, verify that this is indeed the case.

• Explain to staff and management why a specific control is in place and why it’s important. If they understand why they are doing something, they are more likely to see the control as useful and to apply it.

• Schedule training on a regular basis to remind staff of the controls in place and the systems they are to follow. You may believe that staff knows what they are supposed to do, but reminding them reduces the risk of them relying on hearsay and secondhand information. Management is often surprised by what they think staff knows and what they find out the staff really knows.

It should be clear to your clients that they have control over who has access to sensitive information and when and how it leaves their control. It doesn’t take much for an insider to gain access to this information. A face you see smiling at you daily is the face of a person you can grow comfortable with and with whom you can drop your guard. However, if you already have an adequate system and effective controls in place, you take the personal out of the equation and everyone understands that we are all just doing our job.

An Ethical Toolbox

As CFE’s we know organizations that have clearly articulated values and a strong culture of ethical behavior tend to control fraud more effectively. They usually have well-established frameworks, principles, rules, standards, and policies that encompass the attributes of generally accepted fraud control. These attributes include leadership, an ethical framework, responsibility structures, a fraud control policy; prevention systems, fraud awareness, third-party management systems, notification systems, detection systems, and investigation systems.

CFE’s are increasingly being called upon to assist in the planning for an assessment of a client organization’s integrity and ethics safeguards and then as active members of the team performing the engagement. The increasing demand for such assessments has grown out of the increasing awareness that a strong ethical culture is a vital part of effective fraud prevention.  Conducting such targeted research within the client organization, within its industry; and its region will help determine the emerging risk areas and potential gaps in most organizational anti-fraud safeguards. Four key elements of integrity and ethics safeguards have emerged over the past few years.  These are the fraud control plan, handling conflicts of interest, shaping ethical dealings with third parties, and natural justice principles for employees facing allegations of wrongdoing.

The need for a fraud control plan is borne out by an organization’s potential fraud losses; typically, about five percent of revenues are lost to fraud each year, according to the ACFE’s 2016 Report to the Nations on Occupational Fraud and Abuse. A fraud control plan typically will articulate an organization’s fraud risks, controls, and mitigation strategies, including:

–Significant business activities;
–Potential areas of fraud risk;
–Related fraud controls;
–Gaps in control coverage and assurance activities;
–Defined remedial actions to minimize fraud risks;
–Review mechanisms evaluating the effectiveness of fraud control strategies.

Management should review and update the fraud control plan periodically and report the results to the audit committee and senior management. Thus, the role of the board and of the audit committee of the board are vital for the implementation of any ethically based fraud control plan. The chairman of the board is, or should be, the chief advocate for the shareholders, and completely independent of management. It is the chairman’s primary job to direct the company’s executives and drive oversight of their activities in the name of the shareholders. An independent and highly skilled audit committee chairman is essential to maintain a robust system of checks and balances over all operations. To be truly effective, the chairman must be independent of those he or she is charged with watching.  The chairmen of the board and the audit committee must devote material time to their duties. While the board can use the company’s oversight functions to maintain a checks and balances process, there is no substitute for personal, direct involvement. The board must be willing to direct inquiries into allegations of misconduct, and have unquestioned confidential spending authority to conduct reviews and investigations as it deems necessary.

One of the most effective compliance tools available to the board is the day-to-day vigilance of the company’s employees. When an individual employee detects wrongdoing, he or she must have an effective and safe method to report observations, such as a third-party ethics hotline that reports to the chairman of the board and audit committee. All employees must be protected from retribution to avoid any possibility of corrupting the process.

A zero-based budgeting process, requiring that the individual elements of the company’s budget be built from the bottom up, reviewed in detail, and justified, can identify unusual spending in numerous corporate and operating units. This provides an in-depth view of spending as opposed to basing the current year’s spending, in aggregate, on last year’s spending, where irregularities may be buried and overlooked.

In organizations with an internal audit division the overall review would typically be performed by Director of Internal Audit (CAE) whom the CFE and other specialists would support. This review should be integrated into the organization’s wider business planning to ensure synergies exist with other business processes, and should link to the organization-wide risk assessment and to other anti-fraud processes.

The ACFE tells us that there is a growing consensus that managing conflicts of interest is critical to curbing corruption. Reports indicate that unmanaged conflicts of interest continue to cost organizations millions of dollars. To minimize these risks, organizations need a clear and well-understood conflict of interest policy, coupled with practical arrangements to implement and monitor policy requirements. Stated simply, a conflict of interest occurs when the independent judgment of a person is swayed, or might be swayed, from making decisions in the best interest of others who are relying on that judgment. An executive or employee is expected to make judgments in the best interest of the company. A director is legally expected to make judgments in the best interest of the company and of its shareholders, and to do so strategically so that no harm and perhaps some benefit will come to other stakeholders and to the public interest. A professional accountant is expected to make judgments that are in the public interest. Decision makers usually have a priority of duties that they are expected to fulfill, and a conflict of interests confuses and distracts the decision maker from that duty, resulting in harm to those legitimate expectations that are not fulfilled. Sometimes the term apparent conflict of interest is used, but it is a misnomer because it refers to a situation where no conflict of interest exists, although because of lack of information someone other than the decision maker would be justified in concluding (however tentatively) that the decision maker does have one

A special or conflicting interest could include any interest, loyalty, concern, emotion, or other feature of a situation tending to make the decision maker’s judgment (in that situation) less reliable than it would normally be, without rendering the decision maker incompetent. Commercial interests and family connections are the most common sources of conflict of interest, but love, prior statements, gratitude, and other subjective tugs on judgment can also constitute interest in this sense.

The perception of competing interests, impaired judgment, or undue influence also can be a conflict of interest. Good practices for managing conflicts of interest involve both prevention and detection, such as:

–Promoting ethical standards through a documented, explicit conflict of interest policy as well as well-stated values and clear conflicts provisions in the code of ethics;
–Identifying, understanding, and managing conflicts of interest through open and transparent communication to ensure that decision-making is efficient, transparent, and fair, and that everyone is aware of what to do if they suspect a conflict;
–Informing third parties of their responsibilities and the consequences of noncompliance through a statement of business ethics and formal contractual requirements;
–Ensuring transparency through well-established arrangements for declaring and registering gifts and other benefits;
–Ensuring that decisions are made independently, with evidence that staff and contractors routinely declare all actual, potential, and perceived conflicts of interests, involving at-risk areas such as procurement, management of contracts, human resources, decision-making, and governmental policy advice;
–Establishing management, internal controls, and independent oversight to detect breaches of policy and to respond appropriately to noncompliance.

Contemporary business models increasingly involve third parties, with external supplier costs now representing one of the most significant lines of expenditure for many organizations. Such interactions can provide an opportunity for fraud and corruption. An enterprise’s strong commitment to ethical values needs to be communicated to suppliers through a Statement of Business Ethics. Many forward-thinking organizations already have codes of ethics in place that set out the values and ethical expectations of both their board members and staff. The board code of conduct should define the behavioral standards for members, while the staff code of conduct should detail standards for employee conduct and the sanctions that apply for wrongdoing. Similar statements also are appropriate for third parties such as suppliers, service providers, and business partners.

A statement of business ethics outlines both acceptable and unacceptable practices in third-party dealings with an organization. Common features include:

–The CEO’s statement on the organization’s commitment to operating ethically;
–The organization’s values and business principles;
–What third parties can expect in their dealings with the organization and the behaviors expected of them;
–Guidance related to bribery, gifts, benefits, hospitality, travel, and accommodation; conflicts of interest; confidentiality and privacy of information; ethical communications; secondary employment; and other expectations.
–Contact information for concerns, clarification, reporting of wrongdoing, and disputes.

Once established, the organization needs to implement a well-rounded communication strategy for the statement of business ethics that includes education of staff members, distribution to third parties, publication on the organization’s website, references to it in the annual report, and inclusion in future tender proposals and bid packs.

Engaged and capable employees underpin the success of most organizations, yet management does not always recognize the bottom-line effects and employee turnover costs when innocent employees are the subject of allegations of fraud and other wrongdoing. About 60 percent of allegations against employees turn out to be unsubstantiated, according to the ACFE. A charter of rights compiles in a single document all the information that respondents to allegations of wrongdoing may require. Such a charter should be written in an easy-to-understand style to meet the needs of its target audience. It should:

–Outline the charter’s purpose, how it will operate, how it supports a robust complaints and allegations system, and how it aligns with the organization’s values;
–Describe how management handles workplace allegations and complaints, and ensure principles of natural justice and other legislative obligations, such as privacy, are in place;
–Provide a high-level overview diagram of the allegation assessment and investigation process, including the channels for submitting allegations; the distinct phases for logging, assessing, and investigating the allegations; and the final decision-making phase;
–Include details of available support such as contact information for human resource specialists, details about an external confidential employee help line, and processes for updates throughout the investigation;
–Illustrate the tiered escalation process for handling allegations that reflects (at one end) how issues of a serious, sensitive, or significant nature are addressed, and encourages (at the other end) the handling of low level localized issues as close to the source as possible;
–Provide answers to frequent questions that respondents might have about the process for dealing with allegations, such as “What can I expect?” “Are outcomes always reviewable?” “What does frivolous and vexatious mean?” “What will I be told about the outcome?” and “What happens when a process is concluded?”;
–Outline the options for independent reviews of adverse investigation outcomes.

For Appearance Sake

By Rumbi Petrozzello, CPA/CFF, CFE
2017 Vice-President – Central Virginia Chapter ACFE

Last Thursday, the 15th of June 2017, the New York State Senate Committee on Ethics and Internal Governance met. The previous sentence reads like a big yawn with which no one, beyond perhaps the members of the committee itself, would be concerned. However, this meeting was big news. The room was packed with members of the media and every member of the committee was in attendance. Why? Because this was the first meeting the committee had empaneled since 2009, as confirmed by the committee’s published archive of events. It turns out that it was indeed a big deal that all committee members were in attendance because, for eight years straight, none of the committee members had attended a single meeting.

If you are thinking that the ethics committee did not meet for eight years because there were no ethical issues to discuss and our state’s legislative leadership practiced only ethical and upright behavior, you would be sorely mistaken. John Sampson, the State Senator who chaired the committee at that last meeting in 2009 was found guilty, of obstruction of justice and of lying to federal agents in 2015 and sentenced to jail time in January 2017. Evidently, taking their cues from the tone at the top evidenced by the leadership of their ethics committee, during the same eight-year meeting hiatus, seven other state senators were convicted on charges that included mail fraud, looting a nonprofit and bribery.

So, you might ask, what happened at the meeting last week? The committee had come together to discuss stipends, that are supposed to go to committee chairs, that were apparently also being paid to committee vice-chairs (and, in one case, to a deputy vice-chair, whatever that is). There was a motion proposed to stop making these payments to anyone but the committee chair. It seems that just coming together was more than enough work for the committee and, therefore, they tabled the motion, a motion that would not even have been binding, until its next meeting. It should be noted that two of the senators receiving this chair stipend, as vice-chairs, serve on the ethics committee and both voted to postpone voting on the motion. It would be laughable if it were a laughing matter.

Think about where you work and about all the clients with whom we work, as fraud examiners and forensic accountants. We work with our clients and with those who employ us to suggest comprehensive policies that cover good business practices and ethical behaviors and actions. Reading about the shenanigans of the State Senate Committee on Ethics recalled several thoughts:

The assumption that personnel will automatically be motivated to behave as corporate owners want is no longer valid. People are motivated more by self-interest than in the past and are likely to come from backgrounds that emphasize different priorities of duty. As a result, there is greater need than ever for clear guidance and for identifying and effectively managing threats to good governance and accountability.

Even when different employee backgrounds are not an issue, personnel can misunderstand the organization’s objectives and their own role and fiduciary duty. For example, many directors and employees at Enron evidently believed that the company’s objectives were best served by actions that brought short term profit:

—through ethical dishonesty, manipulation of energy markets or sham displays of trading floors;
—through book keeping that was illusory;
—through actions that benefited themselves at the expense of other stakeholders.

Frequently, employees are tempted to cut ethical corners, and they have done so because they believed that their top management wanted them to; they were ordered to do so; or they were encouraged to do so by misguided or manipulative incentive programs. These actions occurred although the board of directors would have preferred (sometimes with hindsight) that they had not. Personnel simply misunderstood what was expected by the board because guidance was unclear or they were led astray and did not understand that they were to report the problem for appropriate corrective action, or to whom or how.

Among our clients, lack of proper guidance or reporting mechanisms may have been the result of directors and others not understanding their duties as fiduciaries. Directors owe shareholders and regulators several duties, including obedience, loyalty, and due care. Recognition of the increasing complexity, volatility and risk inherent in modern corporate interests and operations, particularly as their scope expands to diverse groups and cultures has led to the requirement for risk identification, assessment and management systems.

  • If our client businesses want to do an excellent job at implementing effective ethics programs, orientation of new employees should always involve a review of the code of ethical practice by the staff tasked with compliance and with enforcing policies. How many entities are actively practicing what they preach during such sessions? The values that a company’s directors wish to instill to motivate the beliefs and actions of its personnel need to be conveyed to provide the required guidance. Usually, such guidance takes the form of a code of conduct that states the values selected, the principles that flow from those values, and any rules that are to be followed to ensure that appropriate values are respected.
  • After orientation, what steps are companies taking to maintain their ethics programs on an on-going basis? Principles are more useful to employees than just rules because principles facilitate interpretation when the precise circumstances encountered do not exactly fit the rules prescribed. A blend of principles and rules is often optimal in maintaining of a code of conduct in the long term.
  • Is leadership periodically coming together to talk about where their firm stands when it comes to ethics and compliance? A code on its own may be nothing more than ‘ethical art’ that hangs on the wall but is rarely studied or followed. Experience has revealed that, to be effective, a code must be reinforced by a comprehensive ethical culture.
  • Is anyone reviewing how whistleblowing claims are being dealt with? Does the company even have a whistleblower program? If so, does the staff even know about it and how it works? Whistle-blowers are part of a needed monitoring, risk management and remediation system.
  • Is leadership setting a positive tone at the top and displaying the behaviors that it is demanding from employees? The ethical behavior expected must be referred to in speeches and newsletters by top management as often as they refer to their health and safety programs, or to their antipollution program or else it will be viewed as less important by employees. If personnel never or rarely hear about ethical expectations, they will perceive them as not a serious priority.

Once, I worked at a company where senior management smoked in the office; behavior that is illegal and was, on paper, not allowed. When staff members complained to human resources, no corrective action was taken. Frustrated, some staff members called the city hotline to file a report. Following visits from the city, human resources put up no smoking signs and then notices encouraging employees to keep reports of inappropriate staff smoking internal. By only paying lip service to policy, this company’s management seemed populated by future candidates for the State’s Senate Ethics Committee. But my former employer doesn’t stand alone as evidenced by frauds at Wells Fargo and at others. A company can pull out screeds of rules and regulations, but what matters most is what the staff knows and what the leadership does.

In the case of the New York State Senate Committee on Ethics and Internal Governance, what it did was delay a vote on the issues before it until the next meeting. And when will the next meeting be? After taking eight years to set up its last meeting, the committee was in no hurry to set a date for the next. They adjourned without scheduling the next one. They did, however, take a moment to congratulate themselves on attending this meeting. You can’t forget the important stuff.

Fraud Risk Assessing the Trusted Insider

A bank employee accesses her neighbor’s accounts on-line and discloses this information to another person living in the neighborhood; soon everyone seems to be talking about the neighbor’s financial situation. An employee of a mutual fund company accesses his father-in-law’s accounts without a legitimate reason or permission from the unsuspecting relative and uses the information to pressure his wife into making a bad investment from which the father-in-law, using money from the fund account, ultimately pays to extricate his daughter. Initially, out of curiosity, an employee at a local hospital accesses admission records of a high-profile athlete whom he recognized in the emergency room but then shares that information (for a price) with a tabloid newspaper reporter who prints a story.

Each of these is an actual case and each is a serious violation of various Federal privacy laws. Each of these three scenarios were not the work of an anonymous intruder lurking in cyberspace or of an identity thief who compromised a data center. Rather, this database browsing was perpetrated by a trusted insider, an employee whose daily duties required them to have access to vast databases housing financial, medical and educational information. From the comfort and anonymity of their workstations, similar employees are increasingly capable of accessing personal information for non-business reasons and, sometimes, to support the accomplishment of actual frauds. The good news is that CFE’s can help with targeted fraud risk assessments specifically tailored to assess the probability of this threat type and then to advise management on an approach to its mitigation.

The Committee of Sponsoring Organizations of the Treadway Commission’s (COSO’s) 2013 update of the Internal Control Integrated Framework directs organizations to conduct a fraud risk assessment as part of their overall risk assessment. The discussion of fraud in COSO 2013 centers on Principle 8: “The organization considers the potential for fraud in assessing risks to the achievement of objectives.” Under the 1992 COSO framework, most organizations viewed fraud risk primarily in terms of satisfying the U.S. Sarbanes-Oxley Act of 2002 requirements to identify fraud controls to prevent or detect fraud risk at the transaction level. In COSO 2013, fraud risk becomes a specific component of the overall risk assessment that focuses on fraud at the entity and transaction levels. COSO now requires a strong internal control foundation that addresses fraud broadly to encompass company objectives as part of its strategy, operations, compliance, and reporting. Principle 8 describes four specific areas: fraudulent financial reporting, fraudulent nonfinancial reporting, misappropriation of assets, and illegal acts. The inclusion of non-financial reporting is a meaningful change that addresses sustainability, health and safety, employment activity and similar reports.

One useful document for performing a fraud risk assessment is Managing the Business Risk of Fraud: A Practical Guide, produced by the American Institute of Certified Public Accountants, and by our organization, the Association of Certified Fraud Examiners, as well as by the Institute of Internal Auditors. This guide to establishing a fraud risk management program includes a sample fraud policy document, fraud prevention scorecard, and lists of fraud exposures and controls. Managing the Business Risk of Fraud advises organizations to view fraud risk assessment as part of their corporate governance effort. This commitment requires a tone at the top that embraces strong governance practices, including written policies that describe the expectations of the board and senior management regarding fraud risk. The Guide points out that as organizations continue to automate key processes and implement technology, thus allowing employees broad access to sensitive data, misuse of that data becomes increasingly difficult to detect and prevent. By combining aggressive data collection strategies with innovative technology, public and private sector organizations have enjoyed dramatic improvements in productivity and service delivery that have contributed to their bottom line. Unfortunately, while these practices have yielded major societal benefits, they have also created a major challenge for those charged with protecting confidential data.

CFE’s proactively assessing client organizations which use substantial amounts of private customer information (PCI) for fraud risk should expect to see the presence of controls related to data access surveillance. Data surveillance is the systematic monitoring of information maintained in an automated, usually in a database, environment. The kinds of controls CFE’s should look for are the presence of a privacy strategy that combines the establishment of a comprehensive policy, an awareness program that reinforces the consequences of non-business accesses, a monitoring tool that provides for ongoing analysis of database activity, an investigative function to resolve suspect accesses and a disciplinary component to hold violators accountable.

The creation of an enterprise confidentiality policy on the front end of the implementation of a data surveillance program is essential to its success. An implementing organization should establish a data access policy that clearly explains the relevant prohibitions, provides examples of prohibited activity and details the consequences of non-business accesses. This policy must apply to all employees, regardless of their title, seniority or function. The AICP/ACFE Guide recommends that all employees, beginning with the CEO, be required to sign an annual acknowledgment affirming that they have received and read the confidentiality policy and understand that violations will result in the imposition of disciplinary action. No employees are granted access to any system housing confidential data until they have first signed the acknowledgment.

In addition to issuing a policy, it is imperative that organizations formally train employees regarding its various provisions and caution them on the consequences of accessing data for non-business purposes. During the orientation process for new hires, all employees should receive specialized training on the confidentiality policy. As an added reminder, prior to logging on to any database that contains personal information, employees should receive an electronic notice stating that their activities are being monitored and that all accesses must be related to an official business purpose. Employees are not granted access into the system until they electronically acknowledge this notice.

Given that data surveillance is a process of ongoing monitoring of database activity, it is necessary for individual accesses to be captured and maintained in a format conducive to analysis. There are many commercially available software tools which can be used to monitor access to relational databases on a real-time basis. Transaction tracking technology, as one example, can dynamically generate Structured Query Language (SQL), based upon various search criteria, and provides the capability for customized analyses within each application housing confidential data. The search results are available in Microsoft Excel, PDF and table formats, and may be printed, e-mailed and archived.

Our CFE client organizations that establish a data access policy and formally notify all employees of the provisions of that policy, institute an ongoing awareness program to reinforce the policy and implement technology to track individual accesses of confidential data have taken the initial steps toward safeguarding data. These are necessary components of a data surveillance program and serve as the foundation upon which the remainder of the process may be based. That said, it is critical that organizations not rely solely on these components, as doing so will result in an unwarranted sense of security. Without an ongoing monitoring process to detect questionable database activity and a comprehensive investigative function to address unauthorized accesses, the impact of the foregoing measures will be marginal.

The final piece of a data surveillance program is the disciplinary process. The ACFE tells us that employees who willfully violate the policy prohibiting nonbusiness access of confidential information must be disciplined; the exact nature of which discipline should be determined by executive management. Without a structured disciplinary process, employees will realize that their database browsing, even if detected, will not result in any consequence and, therefore, they will not be deterred from this type of misconduct. Without an effective disciplinary component, an organization’s privacy protection program will ultimately fail.

The bottom line is that our client organizations that maintain confidential data need to develop measures to protect this asset from internal as well as from external misuse, without imposing barriers that restrict their employees’ ability to perform their duties. In today’s environment, those who are perceived as being unable to protect the sensitive data entrusted to them will inevitably experience an erosion of consumer confidence, and the accompanying consequences. Data surveillance deployed in conjunction with a clear data access policy, an ongoing employee awareness program, an innovative monitoring process, an effective investigative function and a standardized disciplinary procedure are the component controls the CFE should look for when conducting a proactive fraud risk assessment of employee access to PCI.

The Initially Immaterial Financial Fraud

At one point during our recent two-day seminar ‘Conducting Internal Investigations’ an attendee asked Gerry Zack, our speaker, why some types of frauds, but specifically financial frauds can go on so long without detection. A very good question and one that Gerry eloquently answered.

First, consider the audit committee. Under modern systems of internal control and corporate governance, it’s the audit committee that’s supposed to be at the vanguard in the prevention and detection of financial fraud. What kinds of failures do we typically see at the audit committee level when financial fraud is given an opportunity to develop and grow undetected? According to Gerry, there is no single answer, but several audit committee inadequacies are candidates. One inadequacy potentially stems from the fact that the members of the audit committee are not always genuinely independent. To be sure, they’re required by the rules to attain some level of technical independence, but the subtleties of human interaction cannot always be effectively governed by rules. Even where technical independence exists, it may be that one or more members in substance, if not in form, have ties to the CEO or others that make any meaningful degree of independence awkward if not impossible.

Another inadequacy is that audit committee members are not always terribly knowledgeable, particularly in the ways that modern (often on-line, cloud based) financial reporting systems can be corrupted. Sometimes, companies that are most susceptible to the demands of analyst earnings expectations are new, entrepreneurial companies that have recently gone public and that have engaged in an epic struggle to get outside analysts just to notice them in the first place. Such a newly hatched public company may not have exceedingly sophisticated or experienced fiscal management, let alone the luxury of sophisticated and mature outside directors on its audit committee. Rather, the audit committee members may have been added to the board in the first place because of industry expertise, because they were friends or even relatives of management, or simply because they were available.

A third inadequacy is that audit committee members are not always clear on exactly what they’re supposed to do. Although modern audit committees seem to have a general understanding that their focus should be oversight of the financial reporting system, for many committee members that “oversight” can translate into listening to the outside auditor several times a year. A complicating problem is a trend in corporate governance involving the placement of additional responsibilities (enterprise risk management is a timely example) upon the shoulders of the audit committee even though those responsibilities may be only tangentially related, or not at all related, to the process of financial reporting.

Again, according to Gerry, some or all the previously mentioned audit committee inadequacies may be found in companies that have experienced financial fraud. Almost always there will be an additional one. That is that the audit committee, no matter how independent, sophisticated, or active, will have functioned largely in ignorance. It will not have had a clue as to what was happening within the organization. The reason is that a typical audit committee (and the problem here is much broader than newly public startups) will get most of its information from management and from the outside auditor. Rarely is management going to voluntarily reveal financial manipulations. And, relying primarily on the outside auditor for the discovery of fraud is chancy at best. Even the most sophisticated and attentive of audit committee members have had the misfortune of accounting irregularities that have unexpectedly surfaced on their watch. This unfortunate lack of access to candid information on the part of the audit committee directs attention to the second in the triumvirate of fraud preventers, the internal audit department.

It may be that the internal audit department has historically been one of the least understood, and most ineffectively used, of all vehicles to combat financial fraud. Theoretically, internal audit is perfectly positioned to nip in the bud an accounting irregularity problem. The internal auditors are trained in financial reporting and accounting. The internal auditors should have a vivid understanding as to how financial fraud begins and grows. Unlike the outside auditor, internal auditors work at the company full time. And, theoretically, the internal auditors should be able to plug themselves into the financial reporting environment and report directly to the audit committee the problems they have seen and heard. The reason these theoretical vehicles for the detection and prevention of financial fraud have not been effective is that, where massive financial frauds have surfaced, the internal audit department has often been somewhere between nonfunctional and nonexistent.. Whatever the explanation, (lack of independence, unfortunate reporting arrangements, under-staffing or under-funding) in many cases where massive financial fraud has surfaced, a viable internal audit function is often nowhere to be found.

That, of course, leaves the outside auditor, which, for most public companies, means some of the largest accounting firms in the world. Indeed, it is frequently the inclination of those learning of an accounting irregularity problem to point to a failure by the outside auditor as the principal explanation. Criticisms made against the accounting profession have included compromised independence, a transformation in the audit function away from data assurance, the use of immature and inexperienced audit staff for important audit functions, and the perceived use by the large accounting firms of audit as a loss leader rather than a viable professional engagement in itself. Each of these reasons is certainly worthy of consideration and inquiry, but the fundamental explanation for the failure of the outside auditor to detect financial fraud lies in the way that fraudulent financial reporting typically begins and grows. Most important is the fact that the fraud almost inevitably starts out very small, well beneath the radar screen of the materiality thresholds of a normal audit, and almost inevitably begins with issues of quarterly reporting. Quarterly reporting has historically been a subject of less intense audit scrutiny, for the auditor has been mainly concerned with financial performance for the entire year. The combined effect of the small size of an accounting irregularity at its origin and the fact that it begins with an allocation of financial results over quarters almost guarantees that, at least at the outset, the fraud will have a good chance of escaping outside auditor detection.

These two attributes of financial fraud at the outset are compounded by another problem that enables it to escape auditor detection. That problem is that, at root, massive financial fraud stems from a certain type of corporate environment. Thus, detection poses a challenge to the auditor. The typical audit may involve fieldwork at the company once a year. That once-a-year period may last for only a month or two. During the fieldwork, the individual accountants are typically sequestered in a conference room. In dealing with these accountants, moreover, employees are frequently on their guard. There exists, accordingly, limited opportunity for the outside auditor to get plugged into the all-important corporate environment and culture, which is where financial fraud has its origins.

As the fraud inevitably grows, of course, its materiality increases as does the number of individuals involved. Correspondingly, also increasing is the susceptibility of the fraud to outside auditor detection. However, at the point where the fraud approaches the thresholds at which outside auditor detection becomes a realistic possibility, deception of the auditor becomes one of the preoccupations of the perpetrators. False schedules, forged documents, manipulated accounting entries, fabrications and lies at all levels, each of these becomes a vehicle for perpetrating the fraud during the annual interlude of audit testing. Ultimately, the fraud almost inevitably becomes too large to continue to escape discovery, and auditor detection at some point is by no means unusual. The problem is that, by the time the fraud is sufficiently large, it has probably gone on for years. That is not to exonerate the audit profession, and commendable reforms have been put in place over the last decade. These include a greater emphasis on fraud, involvement of the outside auditor in quarterly data, the reduction of materiality thresholds, and a greater effort on the part of the profession to assess the corporate culture and environment. Nonetheless, compared to, say, the potential for early fraud detection possessed by the internal audit department, the outside auditor is at a noticeable disadvantage.

Having been missed for so long by so many, how does the fraud typically surface? There are several ways. Sometimes there’s a change in personnel, from either a corporate acquisition or a change in management, and the new hires stumble onto the problem. Sometimes the fraud, which quarter to quarter is mathematically incapable of staying the same, grows to the point where it can no longer be hidden from the outside auditor. Sometimes detection results when the conscience of one of the accounting department people gets the better of him or her. All along s/he wanted to tell somebody, and it gets to the point where s/he can’t stand it anymore and s/he does. Then you have a whistleblower. There are exceptions to all of this. But in almost any large financial fraud, as Gerry told us, one will see some or all these elements. We need only change the names of the companies and of the industry.