The Sword of Damocles

The media provide us with daily examples of the fact that technology is a double-edged sword. The technological advancements that make it easy for people with legitimate purposes to engage with our client businesses and governmental agencies also provide a mechanism for those bent on perpetrating theft and frauds of all kinds.

The access to services and information that customers have historically demanded has opened the flood gates through which disgruntled or unethical employees and criminals enter to commit fraud. Criminals are also exploiting the inadequacies of older fraud management policies or, in some instances, the overall lack thereof. Our parent organization, the Association of Certified Fraud Examiners (ACFE) has estimated that about 70 percent of all companies around the world experienced some type of fraud in 2016, with total global losses due to fraud exceeding US $4 trillion annually and expected to rise continually.  Organizations have incurred, on average, the loss of an estimated 7 percent of their annual revenues to fraud, with $994 billion of that total in the US alone. The ACFE has also noted that the frauds reported lasted a median length of 18 months before being detected. In addition to the direct impact of revenue loss, fraud erodes customer satisfaction and drains investments that could have been directed to corporate innovation and growth. Organizations entrusted with personally identifiable information are also held directly accountable in the eyes of the public for any breach. Surveys have shown that about one-third of fraud victims avoid merchants they blame for their victimization.

We assurance professionals know that criminals become continuously more sophisticated and the fraud they perpetrate increasingly complex. In response, the requirements for fraud risk management have significantly changed over the last few years. Fraud risk management is now not a by-product, but a purposeful choice intended to mitigate or eliminate an organizations’ exposure to the ethically challenged. Fraud risk management is no longer a “once and done” activity, but has become an on-going, ideally concurrent, program. As with all effective processes, it must be performed according to some design. To counter fraud, an organization must first understand its unique situation and the risk to which it may be exposed. This cannot be accomplished in a vacuum or through divination, but through structured analysis of an organization’s current state. Organizations are compelled by their increasingly cyber supported environments to establish an appropriate enterprise fraud risk management framework aligned with the organization’s strategic objectives and supported by a well-planned road map leading the organization to its properly defined target state of protection. Performing adequate analysis of the current state and projecting the organization goals considering that desired state is essential.  Analysis is the bedrock for implementation of any enterprise fraud risk management framework to effectively manage fraud risk.

Fraud risk management is thus both a top-down and a bottom-up process. It’s critical for an organization to establish and implement the right policies, processes, technology and supporting components within the organization and to diligently enforce these policies and processes collaboratively and consistently to fight fraud effectively across the organization. To counter fraud at an enterprise level, organizations should develop an integrated counter fraud program that enables information sharing and collaboration; the goal is to prevent first, detect early, respond effectively, monitor continuously and learn constantly. Counter fraud experience in both the public and for-profit sectors has resulted in the identification of a few critical factors for the successful implementation of enterprise-wide fraud risk management in the present era of advanced technology and big data.

The first is fraud risk management by design. Organizations like the ACFE have increasingly acknowledged the continuously emerging pattern of innovative frauds and the urgency on the part of all organizations to manage fraud risk on a daily, concurrent basis.  As a result, organizations have attempted implementation of the necessary management processes and solutions. However, it is not uncommon that our client organizations find themselves lacking in the critical support components of such a program.  Accordingly, their fraud risk mitigation efforts tend to be poorly coordinated and, sometimes, even reactionary. The fraud risk management capabilities and technology solutions in place are generally implemented in silos and disconnected across the organization.  To coordinate and guide the effort, the ACFE recommends implementation of the following key components:

— A rigorous risk assessment process — An organization must have an effective fraud risk assessment process to systematically identify significant fraud risk and to determine its individual exposure to such risk. The assessment may be integrated with an overall risk assessment or performed as a stand-alone exercise, but it should, at a minimum, include risk identification, risk likelihood, significance assessment and risk response; a component for fraud risk mitigation and implementation of compensating controls across the critical business processes composing the enterprise is also necessary for cost-effective fraud management.

–Effective governance and clearly defined organizational responsibilities — Organizations must commit to an effective governance process providing oversight of the fraud management process. The central fraud risk management program must be equipped with a clear charter and accountability that will provide direction and oversight for counter fraud efforts. The fraud risk must be managed enterprise-wide with transparency and communication integrated across the organization. The formally designated fraud risk program owner must be at a level from which clear management guidelines can be communicated and implemented.

–An integrated counter fraud framework and approach — An organization-wide counter fraud framework that covers the complete landscape of fraud management (from enterprise security, authentication, business process, and application policy and procedure controls, to transaction monitoring and management), should be established. What we should be looking for as CFEs in evaluating a client’s program is a comprehensive counter fraud approach to continually enhance the consistency and efficacy of fraud management processes and practices.

–A coordinated network of counter fraud capabilities — An organization needs a structured, coordinated system of interconnected capabilities (not a point solution) implemented through management planning and proper oversight and governance. The system should ideally leverage the capabilities of big data and consider a broad set of attributes (e.g., identity, relationships, behaviors, patterns, anomalies, visualization) across multiple processes and systems. It should be transparent across users and provide guidance and alerts that enable timely and smart anti-fraud related decisions across the organization.

Secondly, a risk-based approach. No contemporary organization gets to stand still on the path to fraud risk management. Criminals are not going to give organizations a time-out to plug any holes and upgrade their arsenal of analytical tools. Organizations must adopt a risk-based approach to address areas and processes of highest risk exposures immediately, while planning for future fraud prevention enhancements. Countering fraud is an ongoing and continually evolving process, and the journey to the desired target state is a balancing act across the organization.

Thirdly, continual organizational collaboration and systemic learning. Fraud detection and prevention is not merely an information-gathering exercise and technology adoption, but an entire life cycle with continuous feedback and improvement. It requires the organization’s commitment to, and implementation of continual systemic learning, data sharing, and communication. The organization also needs to periodically align the enterprise counter fraud program with its strategic plan.

Fourthly, big data and advanced analytics.  Technological breakthroughs and capabilities grounded in big data and analytics can help prevent and counter fraudulent acts that impact the bottom line and threaten brand value and customer retention. Big data technology can ingest data from any source, regardless of structure, volume or velocity. It can harness, filter and sift through terabytes of data, whether in motion or at rest, to identify and relate the elements of information that really matter to the detection of on-going as well as of potential frauds. Big data off-the-shelf solutions already provide the means to detect instances of fraud, waste, abuse, financial crimes, improper payments, and more. Big data solutions can also reduce complexity across lines of business and allow organizations to manage fraud pervasively throughout the entire life cycle of any business process.

In summary, smart organizations manage the sword of potential fraud threats with well-planned road maps supported by proper organization and governance.  They analyze their state to understand where they are, and implement an integrated framework of standard management processes to provide the guidance and methodology for effective, ethics based, concurrent anti-fraud practice. The management of fraud risk is an integral part of their overall risk culture; a support system of interconnected counter fraud capabilities integrated across systems and processes, enabled by a technology strategy and supporting formal enterprise level oversight and governance.

A Ship of Fools

Our Chapter’s January-February 2018 lecture for CPE credit is concerned with the broader ethical implications of the types of fraud, many interlocking and coordinated, that made up the 2007-2008 Great Recession.  At the center of the scandal were ethically challenged actions by bank managements and their boards, but also by the investment companies and ratings agencies, who not only initiated much of the fraud and deception but, in many cases, actively expanded and perpetuated it.

Little more than a glance at the historical record confirms that deception by bank executives of regulators and of their own investors about illegal activity or about the institution’s true financial condition to conceal poor performance, poor management, or questionable transactions is not new to the world of U.S. finance. In fact, it was a key practice during the meltdown of the financial markets in 2007. In addition, the period saw heated debate about alleged deception by the rating agencies, Standard & Poor’s, Moody’s, and Fitch, of major institutional investors, who depended on the agencies’ valuations of subprime-backed securities in the making of investment decisions. Thus, not only deceptive borrowers and unscrupulous mortgage brokers and appraisers contributed to the meltdown. The maelstrom of lies and deception that drove the entire U.S. financial system in mid to late 2005 accelerated to the point of no return, and the crisis that ensued proved unavoidable.

There were ample instances of bank deception in the years leading up to the Great Depression of the 1930’s. The facts came out with considerable drama and fanfare through the work of the era’s Pecora Commission. However, the breadth and scope of executive deception that came under the legal and regulatory microscope following the financial market collapse of 2007 to 2009 represent some of history’s most brazen cases of concealment of irresponsible lending practices, fraudulent underwriting, shady financial transactions, and intentionally false statements to investors, federal regulators, and investigators.

According to the ACFE and other analysts, the lion’s share of direct blame for the meltdown lies with top executives of the major banks, investment firms, and rating agencies. They charge the commercial bank bosses with perpetuating a boom in reckless mortgage lending and the investment bankers with essentially tricking institutional investors into buying the exotic derivative securities backed by the millions and millions of toxic mortgages sold off by the mortgage lenders. The commercial bank bosses and investment bankers were, according to these observers, aided and abetted by the rating agencies, which lowered their rating standards on high-risk mortgage-backed securities that should never have received investment-grade ratings but did so because the rating agencies were paid by the very investment banks which issued the bonds. The agencies reportedly feared losing business if they gave poor ratings to the securities.

As many CFEs know, fraud is always the principal credit risk of any nonprime mortgage lending operation. It’s impossible in practice to detect fraud without reviewing a sample of the loan files. Paper loan files are bulky, so they are photographed, and the images are stored on computer tapes. Unfortunately, most investors (the large commercial and investment banks that purchased non-prime loans and pooled them to create financial derivatives) didn’t review the loan files before purchasing them and did not even require the original lenders to provide them with the loan tapes requisite for subsequent review and audit.

The rating agencies also never reviewed samples of loan files before giving AAA ratings to nonprime mortgage financial derivatives. The “AAA’ rating is supposed to indicate that there is virtually no credit risk, the risk being thought equivalent to U.S. government bonds, which the finance industry refers to as “risk-free.”  The rating agencies attained their lucrative profits because they gave AAA ratings to nonprime financial derivatives exposed to staggering default risk. A graph of their profits in this era rises like a stairway to the stars. Turning a blind eye to the mortgage fraud epidemic was the only way the rating agencies could hope to attain, and sustain, those profit levels. If they had engaged forensic accountants to review even small samples of nonprime loans, they would have been confronted with only two real choices: (1) rating them as toxic waste, which would have made it impossible to sell the associated nonprime financial derivatives or (2) documenting that they themselves were committing, aiding and abetting, a blatant accounting fraud.

A statement made during the 2008 House of Representatives hearings on the topic of the rating agencies’ role in the crisis represents an apt summary of how the financial and government communities viewed the actions and attitudes of the three rating agencies in the years leading up to the subprime crisis. An S&P employee, testified that “the rating agencies continue to create an even bigger monster, the CDO [collateralized debt obligation] market. Let’s hope we all are wealthy and retired by the time this house of cards falters.”

With respect to bank executives, the examples of proved and alleged deception during the period are so numerous as to almost defy belief. Among the most noteworthy are:

–The SEC investigated Citigroup as to whether it misled investors by failing to disclose critical details about the troubled mortgage assets it was holding as the financial markets began to collapse in 2007. The investigation came only after some of the mortgage-related securities being held by Citigroup were downgraded by an independent rating agency. Shortly thereafter, Citigroup announced quarterly losses of around $10 billion on its subprime-mortgage holdings, an astounding amount that directly contributed to the resignation of then CEO, Charles Prince;

–The SEC conducted similar investigations into Bank of America, now-defunct Lehman Brothers, and Merrill Lynch (now a part of Bank of America);

–The SEC filed civil fraud charges against Angelo Mozilo, cofounder and former CEO of Countrywide Financial Corp. In the highest-profile government legal action against a chief executive related to the financial crisis, the SEC charged Mozilo with insider trading and alleged failure to disclose material information to shareholders, according to people familiar with the matter. Mozilo sold $130 million of Countrywide stock in the first half of 2007 under an executive sales plan, according to government filings.

As the ACFE points out, every financial services company has its own unique internal structure and management policies. Some are more effective than others in reducing the risk of management-level fraud. The best anti-fraud controls are those designed to reduce the risk of a specific type of fraud threatening the organization.  Designing effective anti-fraud controls depends directly on accurate assessment of those risks. How, after all, can management or the board be expected to design and implement effective controls if it is unclear about which frauds are most threatening? That’s why a fraud risk assessment (FRA) is essential to any anti-fraud Program; an essential exercise designed to determine the specific types of fraud to which your client organization is most vulnerable within the context of its existing anti-fraud controls. This enables management to design, customize, and implement the best controls to minimize fraud risk throughout the organization.  Again, according to the ACFE (joined by the Institute of Internal Auditors, and the American Institute of Certified Public Accountants), an organization’s contracted CFEs backed by its own internal audit team can play a direct role in this all-important effort.

Your client’s internal auditors should consider the organization’s assessment of fraud risk when developing their annual audit plan and review management’s fraud management capabilities periodically. They should interview and communicate regularly with those conducting the organization’s risk assessments, as well as with others in key positions throughout the organization, to help them ensure that all fraud risks have been considered appropriately. When performing proactive fraud risk assessment engagements, CFEs should direct adequate time and attention to evaluating the design and operation of internal controls specifically related to fraud risk management. We should exercise professional skepticism when reviewing activities and be on guard for the tell-tale signs of fraud. Suspected frauds uncovered during an engagement should be treated in accordance with a well-designed response plan consistent with professional and legal standards.

As this month’s lecture recommends, CFEs and forensic accountants can also contribute value by proactively taking a proactive role in support of the organization’s underlying ethical culture.

The Anti-Fraud Blockchain

Blockchain technology, the series of interlocking algorithms powering digital currencies like BitCoin, is emerging as a potent fraud prevention tool.  As every CFE knows, technology is enabling new forms of money and contracting, and the growing digital economy holds great promise to provide a full range of new financial tools, especially to the world’s poor and unbanked. These emerging virtual currencies and financial techniques are often anonymous, and none have received quite as much press as Bitcoin, the decentralized peer-to-peer digital form of money.

Bitcoins were invented in 2009 by a mysterious person (or group of people) using the alias Satoshi Nakamoto, and the coins are created or “mined” by solving increasingly difficult mathematical equations, requiring extensive computing power. The system is designed to ensure no more than twenty-one million Bitcoins are ever generated, thereby preventing a central authority from flooding the market with new Bitcoins. Most people purchase Bitcoins on third-party exchanges with traditional currencies, such as dollars or euros, or with credit cards. The exchange rates against the dollar for Bitcoin fluctuate wildly and have ranged from fifty cents per coin around the time of its introduction to over $16,0000 in December 2017. People can send Bitcoins, or percentages of bitcoin, to each other using computers or mobile apps, where coins are stored in digital wallets. Bitcoins can be directly exchanged between users anywhere in the world using unique alphanumeric identifiers, akin to e-mail addresses, and there are no transaction fees in the basic system, absent intermediaries.

Anytime a purchase takes place, it is recorded in a public ledger known as the blockchain, which ensures no duplicate transactions are permitted. Crypto currencies are called such because they use cryptography to regulate the creation and transfer of money, rather than relying on central authorities. Bitcoin acceptance continues to grow rapidly, and it is possible to use Bitcoins to buy cupcakes in San Francisco, cocktails in Manhattan, and a Subway sandwich in Allentown.

Because Bitcoin can be spent online without the need for a bank account and no ID is required to buy and sell the crypto currency, it provides a convenient system for anonymous, or more precisely pseudonymous, transactions, where a user’s true name is hidden. Though Bitcoin, like all forms of money, can be used for both legal and illegal purposes, its encryption techniques and relative anonymity make it strongly attractive to fraudsters and criminals of all kinds. Because funds are not stored in a central location, accounts cannot readily be seized or frozen by police, and tracing the transactions recorded in the blockchain is significantly more complex than serving a subpoena on a local bank operating within traditionally regulated financial networks. As a result, nearly all the so-called Dark Web’s illicit commerce is facilitated through alternative currency systems. People do not send paper checks or use credit cards in their own names to buy meth and pornography. Rather, they turn to anonymous digital and virtual forms of money such as Bitcoin.

A blockchain is, essentially, a way of moving information between parties over the Internet and storing that information and its transaction history on a disparate network of computers. Bitcoin, and all the other digital currencies, operates on a blockchain: as transactions are aggregated into blocks, each block is assigned a unique cryptographic signature called a “hash.” Once the validating cryptographic puzzle for the latest block has been solved by a coin mining computer, three things happen: the result is time-stamped, the new block is linked irrevocably to the blocks before and after it by its unique hash, and the block and its hash are posted to all the other computers that were attempting to solve the puzzle involved in the mining process for new coins. This decentralized network of computers is the repository of the immutable ledger of bitcoin transactions.  If you wanted to steal a bitcoin, you’d have to rewrite the coin’s entire history on the blockchain in broad daylight.

While bitcoin and other digital currencies operate on a blockchain, they are not the blockchain itself. It’s an insight of many computer scientists that in addition to exchanging digital money, the blockchain can be used to facilitate transactions of other kinds of digitized data, such as property registrations, birth certificates, medical records, and bills of lading. Because the blockchain is decentralized and its ledger immutable, all these types of transactions would be protected from hacking; and because the blockchain is a peer-to-peer system that lets people and businesses interact directly with each other, it is inherently more efficient and  cheaper than current systems that are burdened with middlemen such as lawyers and regulators.

A CFE’s client company that aims to reduce drug counterfeiting could have its CFE investigator use the blockchain to follow pharmaceuticals from provenance to purchase. Another could use it to do something similar with high-end sneakers. Yet another, a medical marijuana producer, could create a blockchain that registers everything that has happened to a cannabis product, from seed to sale, letting consumers, retailers and government regulators know where everything came from and where it went. The same thing can be done with any normal crop so, in the same way that a consumer would want to know where the corn on her table came from, or the apple that she had at lunch originated, all stake holders involved in the medical marijuana enterprise would know where any batch of product originated and who touched it all along the way.

While a blockchain is not a full-on solution to fraud or hacking, its decentralized infrastructure ensures that there are no “honeypots” of data available, like financial or medical records on isolated company servers, for criminals to exploit. Still, touting a bitcoin-derived technology as an answer to cybercrime may seem a stretch considering the high-profile, and lucrative, thefts of cryptocurrency over the past few years. Its estimated that as of March 2015, a full third of  all Bitcoin exchanges, (where people store their bitcoin), up to then had been hacked, and nearly half had closed. There was, most famously, the 2014 pilferage of Mt. Gox, a Japanese based digital coin exchange, in which 850,000 bitcoins worth $460,000,000 disappeared. Two years later another exchange, Bitfinex, was hacked and around $60 million in bitcoin was taken; the company’s solution was to spread the loss to all its customers, including those whose accounts had not been drained.

Unlike money kept in a bank, cryptocurrencies are uninsured and unregulated. That is one of the consequences of a monetary system that exists, intentionally, beyond government control or oversight. It may be small consolation to those who were affected by these thefts that the bitcoin network itself and the blockchain has never been breached, which perhaps proves the immunity of the blockchain to hacking.

This security of the blockchain itself demonstrates how smart contracts can be written and stored on it. These are covenants, written in code, that specify the terms of an agreement. They are smart because as soon as its terms are met, the contract executes automatically, without human intervention. Once triggered, it can’t be amended, tampered with, or impeded. This is programmable money. Such smart contracts are a tool with the potential to change how business in done. The concept, as with digital currencies, is based on computers synced together. Now imagine that rather than syncing a transaction, software is synced. Every machine in the network runs the same small program. It could be something simple, like a loan: A sends B some money, and B’s account automatically pays it back, with interest, a few days later. All parties agree to these terms, and it’s locked in using the smart contract. The parties have achieved programmable money!

There is no doubt that smart contracts and the blockchain itself will augment the trend toward automation, though it is automation through lines of code, not robotics. For businesses looking to cut costs and reduce fraud, this is one of the main attractions of blockchain technology. The challenge is that, if contracts are automated, what will happen to traditional firm control structures, processes, and intermediaries like lawyers and accountants? And what about managers? Their roles would all radically change. Most blockchain advocates imagine them changing so radically as to disappear altogether, taking with them many of the costs currently associated with doing business. According to a recent report in the trade press, the blockchain could reduce banks’ infrastructure costs attributable to cross-border payments, securities trading, and regulatory compliance by $15-20 billion per annum by 2022.  Whereas most technologies tend to automate workers on the periphery, blockchain automates away the center. Instead of putting the taxi driver out of a job, blockchain puts Uber out of a job and lets the taxi drivers work with the customer directly.

Whether blockchain technology will be a revolution for good or one that continues what has come to seem technology’s inexorable, crushing ascendance will be determined not only by where it is deployed, but how. The blockchain could be used by NGOs to eliminate corruption in the distribution of foreign aid by enabling funds to move directly from giver to receiver. It is also a way for banks to operate without external oversight, encouraging other kinds of corruption. Either way, we as CFEs would be wise to remember that technology is never neutral. It is always endowed with the values of its creators. In the case of the blockchain and crypto-currency, those values are libertarian and mechanistic; trust resides in algorithmic rules, while the rules of the state and other regulatory bodies are often viewed with suspicion and hostility.

With a Little Help

by Rumbi Petrozzello, CPA/CFF, CFE
2018 Vice-President – Central Virginia Chapter ACFE

In November, my husband and I headed out to our usual spot, on Fourth Avenue in Brooklyn, to cheer for those running the New York marathon. A marathon, for those who don’t know, is 26.2 miles long. People who complete marathons get nothing but respect from me – success in marathoning only comes with a lot of dedication and training. Many people spend at least six months following a training plan that is not just about building distance. For instance, when learning (and it is learning) how to complete 26.2 miles of running (or walking for that matter) people must learn how to remain fueled and hydrated while running. This training also then applies to making lifestyle adjustments such as changing one’s diet and sleeping habits. Years ago, when I was training for the New York Marathon, friends knew to not call after 10PM because I was going to bed early to get enough sleep before early morning runs. I tried not to go out on Friday nights, because I went on my long runs on Saturday mornings and wanted to be energized for them. I spent a lot of time and energy doing research, talking to friends who were seasoned runners and even took running classes to improve my performance and chances of success during the race. Despite the very popular tag line “Just Do It”, a lot of work goes into even getting to that point.

The past few months, I have been doing quite a bit of work that involves assessing the controls that companies have over their systems to detect, deter and prevent fraud and error. Going in, the time energy and money that companies have put into all of this is impressive. They will have an audit committee, an internal audit function and a lot of documentation around what their systems are. There will be volumes of documentation on procedures and protocols and, at the very least, on paper, things look fantastic. However, when we start talking to employees about what their reality is, things often are very different. Some of the issues we found included:

• Staff who did not quite understand what some technical terms meant and, so ignored the parts they didn’t understand. We spoke with people who were very happy to perform and review controls, but they didn’t know how best to do that, and no one was telling them the how;

• Some staff did not understand why they were being asked to change things and, believing that what they had been doing for years constituted a good system, stuck with that;

• In some cases, it wasn’t clear just who was responsible for ownership of a process and that meant, often, that nothing ended up getting done;

• In other instances, staff were given such vague instructions that they resorted to making it up as they went along.

Having the rules is completely useless if your people don’t know what do with them and, just as importantly, why they’re doing what they’ve been asked to do in the first place. What is vital in all of this, is the proper training. As CFEs and Forensic Accountants, we are perfectly positioned to work with clients to ensure that controls and systems go beyond theory. So it’s vitally important for success to constantly work with clients to strengthen systems and controls. This can be done by recommending that our corporate clients:

• Provide training to employees. This training must include the identification of control owners and then the process of working directly with them to ensure that they understand what their roles are and specifically why they need to follow the steps being asked of them. Sometimes, when a control owner is given a requested role, they are told to “review” something. Review can mean anything and often what some people consider to be a review is insufficient for complete understanding. For instance, an employee may think that merely saying they checked something is sufficient. Or that having a verbal conversation is enough proof of review. Be sure to recommend to clients that they let employees know that there should be written evidence of a mandated review and to be equally sure to provide clear examples of what qualifies as evidence of that review.

• Review systems and controls to ensure that they address risks. A company may institute many systems and related procedures but, upon review, a CFE or forensic accountant may find inadequate segregation of duties. You may find that a supervisor is checking a team’s work, but no one is authorizing that supervisor’s. This becomes particularly risky if that supervisor has access to many aspects of the business. A CFE or forensic accountant, can review roles and duties to ensure that duties are sufficiently segregated.

• Training should be ongoing and updated for changes in the company as well as changes in technology and processes. At least once a year, employees should receive updated training and performance reviews. In this way, companies can also learn if there have been material changes that might lead to systems and processes having been adjusted in such a way as to create weakness and holes that could lead to future fraud or error.

It’s all well and good to have ads where famous people run, jump and play and tell you to “just do it”. I remember people rolling their eyes at me when I mentioned that I was dashing to running class – why do you have to learn how to run? Doesn’t everyone know how to do that? Yes, I could run, but with training, I ran a better marathon and lived to tell the tale (unlike the original guy). Yes, employees may know how to do the compliance and control work but as a CFE or forensic accountant, you can help a client company work with their employees to perform their work better, be aware of controls and be cognizant of risk and how to mitigate it. It’s so much better than just doing it.

Vendor Assessment – Backing Corporate Counsel

Pre-emptive fraud risk assessments targeting client vendor security are increasingly receiving CFE attention. This is because in the past several years, sophisticated cyber-adversaries have launched powerful attacks through vendor networks and connections and have siphoned off money, millions of credit card records and customers’ sensitive personal information.

There has, accordingly, been a noticeable jump in those CFE client organizations whose counsel attribute security incidents to current service providers, contractors and to former partners. The evolution of targets and threats outside the enterprise are powerfully influencing the current and near-future of the risk landscape. CFEs who regard these easily predicted changes in a strategic manner can proactively assist their client’s security and risk leadership to identify new fraud prevention opportunities while managing the emerging risk. To make this happen enterprises require adequate oversight insight into vendor involved fraud security risk as part of a comprehensive cyber-risk management policy.

Few managements anticipated only a few years ago that their connectivity with trusted vendors would ever result in massive on-line exploits on sister organizations like retailers and financial organizations, or, still less, that many such attacks would go undetected for months at a time. Few risk management programs of that time would have addressed such a risk, which represents not only a significant impact but whose occurrence is also difficult to predict. Such events were rare and typically beyond the realm of normal anticipation; Black Swan events, if you will. Then, attackers, organized cyber-criminals and some nation-states began capturing news headlines because of high-profile security breaches. The ACFE has long told us that one-third (32 percent) of fraud survey respondents report that insider crimes are costlier or more damaging than incidents perpetrated by outsiders and that employees are not the only source of insider threat; insider threat can also include former employees, service providers, consultants, contractors, suppliers and business partners.

Almost 500 such retailer breaches have been reported this year alone targeting credit card data, personal information, and sensitive financial information. There has, accordingly, been a massive regulatory response.  Regulators are revisiting their guidelines on vendor security and are directing regulated organizations to increase their focus on vendor risk as organizations continue to expand the number and complexities of their vendor relationships. For example, the US Office of the Comptroller of the Currency (0CC) and the Board of Governors of the US Federal Reserve System have released updated guidance on the risk management of third-party relationships. This guidance signals a fundamental shift in how retail financial institutions especially need to assess third-party relationships. In particular, the guidance calls for robust risk assessment and monitoring processes to be employed relative to third-party relationships and specifically those that involve critical activities with the potential to expose an institution to significant risk. CFEs and other assurance professionals can proactively assist the counsels of their client enterprises to elevate their vendor-related security practices to keep pace with ever-evolving fraud threats and security risk associated with their client’s third-party relationships.

Vendor risk oversight from a security point of view demands a program that covers the entire enterprise, outlining the policy and guidelines to manage and mitigate vendor security risk, combined with clearly articulated vendor contracts negotiated by the corporate counsel’s function. Such oversight will not only help organizations improve cybersecurity programs but also potentially advance their regulatory and legal standing in the future. What insights can CFEs, acting proactively, provide corporate counsel?

First, the need for executive oversight. Executive alignment and business context is critical for appropriate implementation throughout the organization. Proper alignment is like a command center, providing the required policies, processes and guidelines for the program. The decision to outsource is a strategic one and not merely a procurement decision. It is, therefore, of the utmost importance that executive committees provide direction for the vendor risk management program. The program can obtain executive guidance from:

–The compliance function to provide regulatory and other compliance requirements that have specific rules regarding vendor risk management to which the vendor organizations must adhere;

–The IT risk and control function to determine the risk and the risk level, depending on the nature of access/data sensitivity shared with the vendor(s). The vendor risk management program should utilize the key risk indicators provided by this function to address risk during vendor assessments;

–The contract governance function and corporate counsel to ensure that vendor contracts adequately address the need for security assessments and define vendors’ obligations to complete these assessments.

Most larger organizations today deal with a considerable amount of third parties and service providers. Missing contact information, responsibility matrices or updated contracts are typical areas of concern about which risk managers might have engaged CFEs initiate fraud risk assessments. This can pose a significant challenge, especially, when there are multiple teams involved to carry out the procurement business process. A vendor and contract database (VCD) ensures that an accurate and complete inventory of vendors is maintained, including other third-party relationships (e.g., joint ventures, utilities, business partners, fourth parties, etc.).

In effectively assessing a vendor risk management program, the CFE can’t conduct the same type of fraud risk assessment for all vendors. Rather, it’s necessary to identify those vendor services deemed to carry the greatest risk and to prioritize them accordingly. The first step is to understand which vendors and services are in the scope from an active fraud risk management perspective. Once this subset of vendors has been identified and prioritized, due diligence assessments are performed for the vendors, depending on the level of client internal versus vendor-owned fraud prevention and detection controls. The results of these assessments help establish the appropriate trust-level rating (TLR) and the future requirements in terms of CFE assisted reassessments and monitoring. This approach focuses resources on the vendor relationships that matter most, limiting unnecessary work for lower-risk relationships. For example, a vendor with a high TLR should be prioritized over a vendor with a low TLR.

Proper control and management of vendor risk requires continuous re-assessment. It’s important to decide the types of on-going assessments to be performed on vendors depending on the level of their TLR and the risk they represent.

Outsourced relationships usually go through iterations and evolve as they mature. As your client organizations strategize to outsource more, they should also validate trust level(s) in anticipation of more information and resources being shared. With technological advancements, a continuously changing business environment and increased regulatory demands, validating the trust level is a continuous exercise. To get the most rational and effective findings, it’s best to use the results of ongoing assessments. In such a reiterative process, it is necessary to continuously monitor and routinely assess vendors based on the trust level they carry. The program should share information about the vendor security posture and risk levels with corporate counsel or other executive sponsor, who can help the organization progress toward the target profile. Clearly communicating the fraud risk from a business perspective can be an additional feature, especially when reports are furnished to inform internal stakeholders, internal audit functions, lines of business and the board of directors, if necessary.

Vendor fraud risk management elevates information security from a technical control business process to an effective management business process. Regular fraud risk security assessments of vendors give organizations the confidence that their business is aware of the security risk involved and is effectively managing it by transferring, mitigating or accepting it. Comprehensive vendor security assessments provide enterprises with insight on whether their systems and data are being deployed consistently with their security policies. Vendor fraud risk management is not a mere project; it is an ongoing program and requires continuous trust to keep the momentum going. Once the foundational framework has been established, our client organizations can look at enhancing maturity through initiatives such as improving guidelines and procedures, rationalizing assessment questionnaires, and more automation. Awareness and communication are key to ensuring that the program is effective and achieves its intended outcome, securing enterprises together with all their business partners and vendors.

Internal Auditors as Fraud Auditors

Although fraud prevention is always more effective and less costly than fraud detection (and subsequent investigation), unfortunately prevention is not always possible. That’s why, as CFE’s and forensic accountants we should all be heavy promoters (and supporters) of client internal audit functions.  That is also why we should make it a goal that all employees of our client companies be trained in how to identify the major red flags of fraud they may encounter in their daily activities. Mastering key detection techniques is doubly essential for the internal audit and financial professionals employed by those same enterprises. Our Chapter has long preached that once internal auditors and financial managers know what to look for, there is an enhanced chance that fraud or suspicious activity will be detected one way or another, but only if the organization has the proper monitoring, reporting, and auditing procedures in place.

With that said, many organizations require internal audits of specific business processes and units only once every two or three years. In an age when so much can change so quickly in an internet dominated world, this approach is not the most effective insofar as fraud detection and prevention are concerned. This is especially so because conventional audits were most often not designed to detect fraud in the first place, usually focusing on specified groups of internal controls or compliance with existing policies, laws and regulations. That’s why the ACFE and Institute of Internal Auditors (IIA) now recommend that a fraud risk assessment (FRA) be conducted annually and that the fraud-auditing procedures designed to detect red flags in the high-risk areas identified by the FRA be incorporated into internal audit plans immediately.

There is often a fine line between detection and prevention. In fact, some detection steps overlap with prevention methods, as in the case of conflict of interest, where enforcing a management financial disclosure policy may both detect conflicting financial interests and prevent frauds resulting from them by virtue of the actual detection of the relationships. In most organizations, however, carefully assessing the description of prevention and detection controls demonstrates that there is usually a clear distinction between the two.

The IIA tell us that the internal audit function is a critical element in assessing the effectiveness of an institution’s internal control system. The internal audit consists of procedures to prevent or identify significant inaccurate, incomplete, or unauthorized transactions; deficiencies in safeguarding assets; unreliable financial reporting; and deviations from laws, regulations, and institutional policies. When properly designed and implemented, internal audits provide directors and senior management with timely information about weaknesses in the internal control system, facilitating prompt remedial action. Each institution should have an internal audit function appropriate to its size and the nature and scope of its activities.

This is a complex way of saying that our client’s internal audit function should focus on monitoring the institution’s internal controls, which, although not mentioned explicitly, include controls specifically designed to prevent fraud.  To effectively assess anti-fraud controls, auditors first must exercise detection techniques and procedures that confirm the existence of red flags or actual evidence of potential fraud in the risk areas identified by the FRA.

The Chief Internal Auditor is typically responsible for the following:

–Performing, or contracting for, a control risk assessment documenting the internal auditor’s understanding of significant business activities and associated risks. These assessments typically analyze the risks inherent in each business line, the mitigating control processes, and the resulting residual risk exposure;

–An internal audit plan responsive to results of the control risk assessment. This plan typically specifies key internal control summaries within each business activity, the timing and frequency of internal audit work, and the resource budget;

–An internal audit program that describes audit objectives and specifies procedures performed during each internal audit review;

–An audit report presenting the purpose, scope, and results of each audit. Work papers should be maintained to document the work performed and support audit findings.

There is a joint ACFE-IIA-AICPA document with which every CFE should be familiar.  ‘The Business Risk of Fraud’ provides clarity about the internal auditor’s role in detecting fraud in our client organization’s operations and financial statements. Specifically, the document states that internal auditors should consider the organization’s assessment of fraud risk when developing their annual audit plan and periodically assess management’s fraud detection capabilities. They should also interview and regularly communicate with those conducting the assessments, as well as with others in key positions throughout the company, to help them assess whether all fraud risks have been considered. Moreover, according to the document, when performing audits, internal auditors should devote sufficient time and attention to evaluating the “design and operation” of internal controls related to preventing and detecting significant fraud risks. They should exercise professional skepticism when reviewing activities to be on guard for the signs of potential fraud. Potential frauds uncovered during an engagement should be treated in accordance with a well-defined response plan consistent with professional and legal standards.

Among the most helpful guides for CFEs to recommend to clients for their internal auditors use in planning a detailed audit to detect fraud is the all-important SAS 99 which contains key fraud detection techniques including guidance on the performance of certain financial ratio analysis. Analytical procedures performed during planning may be helpful in identifying the risks of material misstatement due to fraud. However, because such analytical procedures generally use data aggregated at a high level, the results of those analytical procedures provide only a broad initial indication about whether a material misstatement of the financial statements may exist. Accordingly, the results of analytical procedures performed during planning should be considered along with other information gathered by the auditor in identifying the risks of material misstatement due to fraud.

SAS 99 was formulated with the aim of detecting fraud that has a direct impact on “material misstatement.” Essentially this means that anything in the organization’s financial activities that could result in fraud-related misstatements in its financial records should be audited for by using SAS 99 as a guide. SAS 99 breaks down the potential fraudulent causes of material misstatement into two categories:

1. Misstatement due to fraudulent financial reporting (i.e., “book cooking”);

2. Misstatement due to misappropriation of assets (i.e., theft).

The fraud auditing procedures of SAS 99, or of any other reputable audit guidance, can greatly assist internal auditors in distinguishing between actual fraud and error. Often the two have similar characteristics, with the key difference being that of the existence or absence of intent. Toward this end, SAS 99 and other key fraud auditing guidelines provide detailed procedures for gathering evidence of potential fraud based on the lists of fraud risks resulting from the client’s FRA. As SAS 99 states:

‘SAS 99. . . strongly recommend[s] direct involvement by internal auditors in the organization’s fraud-auditing efforts: Internal auditors may conduct proactive auditing to search for corruption, misappropriation of assets, and financial statement fraud. This may include the use of computer-assisted audit techniques to detect types of fraud. Internal auditors also can employ analytical and other procedures to isolate anomalies and perform detailed reviews of high-risk accounts and transactions to identify potential financial statement fraud. The internal auditors should have an independent reporting line directly to the audit committee, enabling them to express any concerns about management’s commitment to appropriate internal controls or to report suspicions or allegations of fraud involving senior management.

Specifically, SAS 99 provides a set of audit responses designed to gather hard evidence of potential fraud that could exist based on what the client organization learned from its FRA. These responses are critical to the auditor’s success in identifying clear red flags of potential fraud in our client’s operations. The responses are wide ranging and include anything from the application of appropriate ratio analytics, to thorough and detailed testing of controls governing specific business process procedures, to the analysis of anomalies in vendor or customer account activity. There are three broad categories into which such detailed internal audit fraud auditing responses fall:

1. The nature of auditing procedures performed may need to be changed to obtain evidence that is more reliable or to obtain additional corroborative information;
2. The timing of substantive tests may need to be modified. The auditor might conclude that substantive testing should be performed at or near the end of the reporting period to best address an identified risk of material misstatement due to fraud;
3. The extent of the procedures applied should reflect the assessment of the risks of material misstatement due to fraud. For example, increasing sample sizes or performing analytical procedures at a more detailed level may be appropriate.

The contribution of a fully staffed and management-supported internal audit function to a subsequent CFE conducted fraud examination can be extraordinary and its value never overstated; no client fraud prevention and detection program should ever be considered complete without one.

Navigating the Cloud

I’ve read several articles in the trade press recently that indicate CFEs are finding some aspects of fraud investigations involving cloud based data to be especially challenging. This is a consequent follow-on of the uncontested fact that, for many organizations, cloud based computing does improve performance and dramatically reduces a wide range of IT and administrative costs.

Commissioning a cloud service provider can enable an organization to off-load much of the difficulty that comes with implementing, maintaining, and physically protecting the systems required for company operations. The organization no longer needs to employ such a large team of network engineers, database administrators, developers, and other technical staff. Instead, it can use smaller, in-house teams to maintain the cloud solution and keep everything running as anticipated. Moving to the cloud also can introduce new capabilities, such as the ability to add and remove servers based on seasonal demand, an option that would be impractical for a traditional data center.

Now that cloud computing has become a mainstream service, CFEs and forensic accountants are increasingly called upon to assess the cloud environment with an eye to devising innovative approaches to cope with the unique investigative features and risks these services pose while at the same time grappling with the effects on their examinations of the security, reliability and availability of critical data housed by their client’s outside IT provider. Based on this assessment, CFEs can advise their client organizations in how best to meet the new investigative challenges when the inevitable cloud involved fraud strikes.

The cloud encompasses application service providers, cloud infrastructure, and the virtual placement of a server, set of servers, or other set of computing power in an environment that is shared among many entities and organizations. Cloud platforms and servers extend and supplement an organization’s own servers, resulting in multiple options for computing and application hosting. It is not sufficient to think of cloud platform and infrastructure oversight as mere vendor management.  Fraud examinations involving these environments are more complex, because of several factors about which the investigative team needs to make decisions  when determining the structure of the examination.

The ACFE tells us that a cloud deployment can be just as variable in structure and architecture as a traditional IT implementation. Among the numerous cloud platforms confronting the CFE, the most common are infrastructure as a service, software as a service, and platform as a service. The employment of these three options alone makes a wide variety of models and other options available. Each of these options additionally poses a distinct set of fraud risks and preventative controls, depending on a client organization’s specific deployment of a particular cloud platform and infrastructure.

Many challenges and barriers to an unfettered examination can appear when the CFEs client organization has contracted with a cloud provider who is, in actual form, a third-party vendor. In some cases, reviewing the cloud service provider’s processes and infrastructure might not be allowed by contract. In its place, the vendor may offer attestation reports such as the American Institute of Certified Public Accountants’ (AICPA’s) Statement on Standards for Attestation Engagements No. 16 (SSAE 16) as evidence of organizational controls. In other cases, the provider might restrict the examination to a select portion of the service which can be problematic when the CFE is working to obtain an overview of a complex fraud. Further, providers often require the client to obtain specific approvals before any fraud examination activities can even begin. Ideally, client organizations should take these types of consideration into account before contracting with a cloud vendor, but such consideration is, for the most part, not realistic unless a client organization has historically experienced a large number of frauds.  Fraud is, most often, not usually the first thing on many client’s minds when initially contracting with a cloud service provider.

One of the most difficult aspects of the fraud examination of a cloud infrastructure deployment is determining which fraud prevention controls are currently managed by the client organization and which by the cloud provider. With many cloud deployments, few controls are the actual responsibility of the provider. For example, the CFEs client may be responsible for configuration management, patch management, and access management, while the provider is only responsible for physical and environmental security.

A client organization’s physical assets are tangible. The organization buys a physical piece of equipment and keeps a record of this asset; a CFE can see all the organization’s technology assets just by walking through the data center. Cloud infrastructure deployments, however, are virtual, and it’s easy to add and remove these systems. Many organizations base their models on servers and systems that are there one day and gone the next. IT departments themselves also struggle with managing cloud assets, and tools to help cloud providers and clients are continually evolving. As a result, from the CFEs perspective, the examination scope can be hard to manage and execute.  The CFE is also confronted with the fact that, because cloud computing is a relatively recent and fast-growing technology service, a client organization’s employees themselves may not possess much cloud expertise. This scarcity creates risks to the CFEs examination because IT administrators often aren’t positioned to fully explain the details of the cloud deployment and structure so critical details bearing on the fraud under investigation may not be adequately documented. Also, migrating from facilities that are operating internally to cloud-based services can dramatically alter the fraud risk profile of any organization. For example, when an organization moves to a cloud based service, in most cases, all its data is stored on the same physical equipment where other organizations’ data is housed. If configured inappropriately, data leaks can result.

Interacting with the client organization’s IT and management is the CFEs first step toward understanding how the organization’s cloud strategy is or is not related to the circumstances of the fraud under investigation. How did the organization originally expect to use the cloud and how is it using it in actual practice? What are the benefits and drawbacks of using it the way it uses it? What is the scope, from a fraud prevention and security perspective, of the organization’s cloud deployment? The lack of a cohesive, formal, and well-aligned cloud infrastructure strategy should be a red flag for the CFE as a possible contributing factor in any fraud involving cloud computing services.

The second step is CFE review of the client’s security program (or lack thereof) itself.  IT departments and business units should ideally have a cloud security strategy available for CFE review. Such a strategy includes determining the type of data permissible to store in the cloud and how its security will be enforced. It also includes the integration of the information security program into the cloud. All the usual IT risks of traditional data centers apply to cloud deployment as well, among them, malware propagation, denial of service attacks, data breaches, and identity theft, all of which, depending on the implementation, can fall on either party to the contract.  Professionals who have received training in cloud computing may or may not be able to adapt traditional IT programs for fraud examination of servers in physical form to a cloud environment.

There is good news for the examining CFE, however. Cloud infrastructure brings with it myriad security technologies useful to the CFE in conducting his or her examination that are not affordable in most traditional deployments from real-time chronological reports on suspect activities related to identity and access management systems, to network segmentation, and multifactor authentication.

In summary, CFEs and forensic accountants should not approach a cloud involved engagement in the same way they approach other fraud examinations involving third-party vendors. Cloud engagements present their own complexities, which CFEs should attempt to understand and assess adequately. SSAE 16 and other attestation reports based on audit and attestation standards can be valuable as informational background to examination of a fraud involving cloud services.  CFEs can help as a profession by reinforcing client community understanding that a correctly implemented cloud infrastructure can reduce a client organization’s residual risk of fraud by offloading a portion of the responsibility for managing IT risks to a cloud service provider. CFEs have a valuable opportunity to see that their client organizations benefit from the cloud while adequately addressing the new fraud risks that are introduced when their clients contract with a service provider and move IT operations to the cloud. Applying the same level of rigor to examinations involving cloud technology that they apply to technology managed in-house creates an environment in which the CFE and forensic accounting professions can be primary advocates for strong cloud strategy implemented within the structure of the client organization’s fraud prevention program.

A Blueprint for Fraud Risk Assessment

It appears that several of our Chapter members have been requested these last few months to assist their employers in conducting several types of fraud risk assessments. They usually do so as the Certified Fraud Examiner (CFE) member of their employing company’s internal audit-lead assessment team.   There is a consensus emerging among anti-fraud experts that conducting a fraud risk assessment (FRA) is critical to the process of detecting, and ultimately designing controls to prevent the ever-evolving types of fraud threatening organizations.

The ACFE tells us that FRAs do not necessarily specify what types of fraud are occurring in an organization. Instead, they are designed to focus detection efforts on specific fraud schemes and scenarios that could occur as well as on incidents that are known to have occurred in the past. Once these are identified, the audit team can proceed with the series of basic and specific fraud detection exercises that broad experience has shown to be effective. The objective of these exercises is to hopefully reveal the specific fraud schemes to which the organization is most exposed. This information will enable the organization’s audit team to recommend to management and to support the implementation of antifraud controls designed to address exactly those risks that have been identified.  It’s important to emphasize that fraud risk assessments are not meant to prevent fraud directly in and of themselves. They are exercises for identifying those specific fraud schemes and scenarios to which an organization is most vulnerable. That information is in turn used to conduct fraud audit exercises to highlight the circumstances that have allowed actual, known past frauds to occur or to blueprint future frauds that could occur so that the necessary controls can be put in place to prevent similar future illegal activity.

In the past, those FRAs that were conducted were usually performed by the firm’s external auditors. Increasingly, however, internal audit departments are being pressured by senior management to conduct FRAs of their own. Since internal audit departments are increasingly employing CFEs or have their expertise available to them through other company departments (like loss prevention or security), this effort can be effective since internal auditors have the tenure and experience with their organizations to know better than anyone how its financial and business operations function and can understand more readily how fraud could occur in particular processes, transactions, and business cycles.

Internal audit employed CFE’s and CIA’s aren’t involved by requirement of their professional standards in daily operations and can, therefore, provide an independent check on their organization’s overall risk management process. Audits can be considered a second channel of information on how well the enterprise’s anti-fraud controls are functioning and whether there are any deficiencies that need to be corrected.  To ensure this channel remains independent, it is important that the audit function report directly to the Audit Committee or to the board of directors and not to the chief executive officer or company president who may have responsibility for her company’s internal controls.

The Institute of Internal Auditors has endorsed audit standards that outline the techniques and procedures for conducting an FRA, specifically those contained in Statement of Auditing Standards 99 (SAS 99). By this (and other) key guidelines, an FRA is meant to assist auditors and/or fraud examiners in adjusting their audit and investigation plans to focus on gathering evidence of potential fraud schemes and scenarios identified by the FRA.

Responding to FRA findings requires the auditor to adjust the timing, nature, and extent of testing in such ways as:

• Performing procedures at physical locations on a surprise or unannounced basis by, for example, counting cash at different subsidiary locations on a surprise basis or reviewing loan portfolios of random loan officers or divisions of a savings and loan on a surprise basis;
• Requesting that financial performance data be evaluated at the end of the reporting period or on a date closer to period-end, in order, for example, to minimize the risk of manipulation of records in the period between the dates of account closings and the end of the reporting period;
• Making oral inquiries of major customers and vendors in addition to sending written confirmations, or sending confirmation requests to a specific party within vendor or customer organization;
• Performing substantive analytical procedures using disaggregated data by, for example, comparing gross profit or operating margins by branch office, type of service, line of business, or month to auditor-developed expectations;
• Interviewing personnel involved in activities in areas where a risk of material misstatement due to fraud has been identified in the past (such as at the country or regional level) to obtain their insights about the risk and how controls could address the risk.

CFE team members can make a substantial contribution to the internal audit lead team effort since it’s essential that financial operations managers and internal audit professionals understand how to conduct an FRA and to thoroughly assess the organization’s exposure to specific frauds. That contribution can add value to management’s eventual formulation and implementation of specific, customized controls designed to mitigate each type of fraud risk identified in the FRA. These are the measures that go beyond the basic, essential control checklists followed by many external auditors; they optimize the organization’s defenses against these risks. As such, they must vary from organization to organization, in accordance with the particular processes and procedures that are identified as vulnerable to fraud.

As an example, company A may process invoices in such a tightly controlled way, with double or triple approvals of new vendors, manual review of all invoices, and so on, that an FRA reveals few if any areas where red flags of vendor fraud can be identified. Company B, on the other hand, may process invoices simply by having the appropriate department head review and approve them. In the latter case, an FRA would raise red flags of potential fraud that could occur through double billing, sham company schemes, or collusion between a dishonest vendor and a company insider. For that reason, SAS 99 indicates that some risks are inherent in the environment of the entity, but most can be addressed with an appropriate system of internal control. Once fraud risk assessment has taken place, the entity can identify the processes, controls, and other procedures that are needed to mitigate the identified risks. Effective internal controls will include a well-developed control environment, an effective and secure information system, and appropriate control and monitoring activities. Because of the importance of information technology in supporting operations and the processing of transactions, management also needs to implement and maintain appropriate controls, whether automated or manual, over computer generated information.

The ACFE tells us that the heart of an effective internal controls system and the effectiveness of an anti-fraud program are contingent on an effective risk management assessment.  Although conducting an FRA is not terribly difficult, it does require careful planning and methodical execution. The structure and culture of the organization dictate how the FRA is formulated. In general, however, there is a basic, generally accepted form of the FRA that the audit and fraud prevention communities have agreed on and about which every experienced CFE is expected to be knowledgeable. Assessing the likelihood and significance of each potential fraud risk is a subjective process that should consider not only monetary significance, but also significance to an organization’s reputation and its legal and regulatory compliance requirements. An initial assessment of fraud risk should consider the inherent risk of a particular fraud in the absence of any known controls that may address the risk. An organization can cost-effectively manage its fraud risks by assessing the likelihood and significance of fraudulent behavior.

The FRA team should include a senior internal auditor (or the chief internal auditor, if feasible) and/or an experienced inside or outside certified fraud examiner with substantial experience in conducting FRAs for organizations in the company’s industry.  The management of the internal audit department should prepare a plan for all the assignments to be performed. The audit plan includes the timing and frequency of planned internal audit work. This audit plan is based on a methodical control risk assessment A control risk assessment documents the internal auditor’s understanding of the institution’s significant activities and their associated risks. The management of the internal audit department should establish the principles of the risk assessment methodology in writing and regularly update them to reflect changes to the system of internal control or work process, and to incorporate new lines of business. The risk analysis examines all the entity’s activities, and the complete internal control system. Based on the results of the risk analysis, an audit plan for several years is established, considering the degree of risk inherent in the activities. The plan also considers expected developments and innovations, the generally higher degree of risk of new activities, and the intention to audit all significant activities and entities within a reasonable time period (audit cycle principle for example, three
years). All those concerns will determine the extent, nature and frequency of the assignments to be performed.

In summary…

• A fraud risk assessment is an analysis of an organization’s risks of being victimized by specific types of fraud;
• Approaches to FRAs will differ from organization to organization, but most FRAs focus on identifying fraud risks in six key categories:
— Fraudulent financial reporting;
— Misappropriation of assets;
— Expenditures and liabilities for an improper purpose;
— Revenue and assets obtained by fraud;
— Costs and expenses avoided by fraud;
— Financial misconduct by senior management.
• A properly conducted FRA guides auditors in adjusting their audit plans and testing to focus specifically on gathering evidence of possible fraud;
• The capability to conduct an FRA is essential to effective assessment of the viability of existing anti-fraud controls and to strengthen the organization’s inadequate controls, as identified by the results of the FRA;
• In addition to assessing the types of fraud for which the organization is at risk, the FRA assesses the likelihood that each of those frauds might occur;
• After the FRA and subsequent fraud auditing work is completed, the FRA team should have a good idea of the specific controls needed to minimize the organization’s vulnerability to fraud;
• Auditing for fraud is a critical next step after assessing fraud risks, and this requires auditing for evidence of frauds that may exist according to the red flags identified by the FRA.

Write & Wrong

It’s an adage in the auditing world that examination results that can’t be effectively communicated might as well not exist.  Unlike a financial statement audit report, the CFE’s final report presents a unique challenge because there is no standardized format. Our Chapter receives more general inquiries from new practitioners about the form and content of final examination reports than about almost any other topic.

Each fraud investigation report is different in structure and content, depending on the nature and results of the assignment and the information that needs to be communicated, as well as to whom the results are being directed. To be effective, therefore, the report must communicate the findings in an accurate and concise form. Corporate counsel, law enforcement, juries, an employing attorney and/or the audit committee and management of the victimized organization must all be able to delineate and understand the factual aspects of the fraud as well as the related risks and control deficiencies discovered so that appropriate actions can be taken timely. Thus, the choice of words used and the tone of the CFE’s final report are as important as the information presented within it. To help ensure their reports are persuasive and bring positive results, CFEs should strive to keep them specific, meaningful, actionable, results oriented, and timely.

Because the goal of the final report is to ensure that the user can interpret the results of the investigation or analysis with accuracy and according to the intentions of the fraud examiner or forensic accountant, the report’s tone and structure are paramount. The report should begin by aligning issues and recommendations with applicable ACFE and with any other applicable professional standards and end with results that are clearly written and timely presented. To ensure quality and accuracy, there are some basic guidelines or ground rules that authorities recommend should be considered when putting together a final report that adds value.

The CFE should consider carefully what specifically to communicate in the report, including the conditions, cause, effect, and “why” of each of the significant fraud related facts uncovered.  Fraud investigators should always identify and address issues in a specific context rather than in broad or general terms. For example, stating that the fraud resulted from weaknesses in the collection and processing of vendor payment receipts is too broad. The report should identify the exact circumstances and the related control issues and risk factors identified, the nature of the findings, an analysis of the specific actions constituting the fraud and some discussion (if the CFE has been requested to do so) of possible corrective actions that might be taken.

To force the writing toward more specificity, each paragraph of the report should express only one finding, with major points enumerated, or bulleted, and parallel structure should be used for each itemized statement of a listing of items. Further, the most important findings should be listed in the first sentence of a paragraph. Once findings are delineated, the explanatory narration of facts aligned to each finding should be presented. Being specific means leaving nothing to the
user’s interpretation beyond that which is intended by the writer.  Another way to achieve specificity is to align the writing of the report to an existing control framework like the Committee of Sponsoring Organizations of the Treadway Commission’s (COSO’s) internal control or risk management frameworks. When issues are aligned with existing standards or to a framework, it can be easier for the CFE to explain the weaknesses in the client’s control environment that made the fraud possible.

The question to be answered is: Can the client(s) readily tell what the issues are by reading the investigative report alone? If the answer is “no,” how will they satisfactorily address areas the client will eventually deem important in moving forward toward either remediation or possible prosecution? This aspect of the writing process requires the practitioner to, first, identify to whom the final report is specifically directed and, second, determine what is to be communicated that will add value for the client. For example, the report may a communication to an employing attorney, to corporate counsel, to the client’s management or audit committee or to all three. What are their expectations? Is the report the result of a routine investigation requested by client management of possible accounts payable fraud or a special investigation to address a suspected, specifically identified fraud? The answer to these and related questions will help determine the appropriate technical level and tone for the report.

When there are different readers of the report, the process necessarily becomes more complex under the necessity to meet the expectations, understandings and eventual usages of all the parties. Finding the right words to address the identified fraud related facts in a positive tone, especially when client conditions surrounding the fraud are sometimes sensitive or at least not favorable, is crucial to making the report meaningful as well as persuasive. The investigative findings must be clear and logical. If the reported results are understood and meaningful actions that add value to the position of the various users are taken because of the findings, then the purpose and meaning of the CFE’s report (and work) will be realized.

What about investigative situations in which the CFE or forensic accountant is asked to move beyond a straight-forward presentation of the facts and, as an expert on fraud and on fraud prevention, make recommendations as to corrective actions that the client might take to forestall the future commission of frauds similar to those dealt with in the final report? In such cases (which are quite common, especially with larger clients), the final report should strive to demonstrate to the extent possible the capacity of the entity to implement the recommendations the CFE has included in the report and still maintain an acceptable level of operation.  To this end, the requested recommended actions should be written in a way that conveys to management that implementing the recommendations will strengthen the organization’s overall fraud prevention capability. The writing, as well as the complexity of the corrective action, should position the client organization to implement recommendations to strengthen fraud prevention. The report should begin with the most critical issue and progress to the least important and move from the easiest recommended corrective steps to the most difficult, or to the sequence of steps to implement a recommendation. The cost to correct the fraud vulnerability should be
apparent and easily determined in the written report. Additionally, the report should provide management with a rubric to evaluate the extent to which a deficiency is corrected (e.g., minimally corrected, fully corrected). Such a guide can be used to gauge the fraud prevention related decisions of management and serve as a basis for future fraud risk assessments.

Developing the CFE’s final report is a process that involves four stages: outlining, drafting, revising, and editing. In the outlining stage, the practitioner should gather and organize the information so that, when converted to a report, it is easy for the reader to follow. This entails reviewing the working papers and making a list of the fraud related facts to be addressed and of their related chronologies. These should be discussed with the investigative team (if any) and the
client attorney, if necessary, to ensure that there is a clear understanding of the underlying facts of the case. Any further work or research should be completed at this stage. This process may be simple or complicated, depending on the extent of the investigation, the unit or operation that is under examination, and the number of fraud related facts that must be addressed.

Once all information has been gathered, the next stage is writing the draft of the report. In completing the draft, concise and coherent statements with sufficient detail should enable the reader to understand the chronology and related facts of the fraud, the fraud’s impact on operations, and the proposed corrective actions (if requested by the client). After completing the draft, revisions may be necessary to make sure that the evidence supports the results and is written in a specific context.

The final stage involves proofreading and editing for correct grammar, sentence structure, and word usage to ensure that the facts and issues related to the fraud are effectively and completely presented and that the report is coherent. Reviewers should be used at this stage to give constructive feedback. Several iterations may be necessary before a final report is completed.

In summary, the CFE’s final report should be designed to add value and to guide the client organization’s subsequent steps to a satisfactory overall fraud response and conclusion. If the CFE’s report is deficient in communicating results, critical follow-on steps requiring immediate action may be skipped or ignored. This can be costly for any company in lost opportunities for loss recoveries, botched prosecutions and damaged reputation.

New Rules for New Tools

I’ve been struck these last months by several articles in the trade press about CFE’s increasingly applying advanced analytical techniques in support of their work as full-time employees of private and public-sector enterprises.  This is gratifying to learn because CFE’s have been bombarded for some time now about the risks presented by cloud computing, social media, big data analytics, and mobile devices, and told they need to address those risk in their investigative practice.  Now there is mounting evidence of CFEs doing just that by using these new technologies to change the actual practice of fraud investigation and forensic accounting by using these innovative techniques to shape how they understand and monitor fraud risk, plan and manage their work, test transactions against fraud scenarios, and report the results of their assessments and investigations to management; demonstrating what we’ve all known, that CFEs, especially those dually certified as CPAs, CIAs, or CISA’s can bring a unique mix of leveraged skills to any employer’s fraud prevention or detection program.

Some examples …

Social Media — following a fraud involving several of the financial consultants who work in its branches and help customers select accounts and other investments, a large multi-state bank requested that a staff CFE determine ways of identifying disgruntled employees who might be prone to fraud. The effort was important to management not only because of fraud prevention but because when the bank lost an experienced financial consultant for any reason, it also lost the relationships that individual had established with the bank’s customers, affecting revenue adversely. The staff CFE suggested that the bank use social media analytics software to mine employees’ email and posts to its internal social media groups. That enabled the bank to identify accurately (reportedly about 33 percent) the financial consultants who were not currently satisfied with their jobs and were considering leaving. Management was able to talk individually with these employees and address their concerns, with the positive outcome of retaining many of them and rendering them less likely to express their frustration by ethically challenged behavior.  Our CFE’s awareness that many organizations use social media analytics to monitor what their customers say about them, their products, and their services (a technique often referred to as sentiment analysis or text analytics) allowed her to suggest an approach that rendered value. This text analytics effort helped the employer gain the experience to additionally develop routines to identify email and other employee and customer chatter that might be red flags for future fraud or intrusion attempts.

Analytics — A large international bank was concerned about potential money laundering, especially because regulators were not satisfied with the quality of their related internal controls. At a CFE employee’s recommendation, it invested in state-of-the-art business intelligence solutions that run “in-memory”, a new technique that enables analytics and other software to run up to 300,000 times faster, to monitor 100 percent of its transactions, looking for the presence of patterns and fraud scenarios indicating potential problems.

Mobile — In the wake of an identified fraud on which he worked, an employed CFE recommended that a global software company upgrade its enterprise fraud risk management system so senior managers could view real-time strategy and risk dashboards on their mobile devices (tablets and smartphones). The executives can monitor risks to both the corporate and to their personal objectives and strategies and take corrective actions as necessary. In addition, when a risk level rises above a defined target, the managers and the risk officer receive an alert.

Collaboration — The fraud prevention and information security team at a U.S. company wanted to increase the level of employee acceptance and compliance with its fraud prevention – information security policy. The CFE certified Security Officer decided to post a new policy draft to a collaboration area available to every employee and encouraged them to post comments and suggestions for upgrading it. Through this crowd-sourcing technique, the company received multiple comments and ideas, many of which were incorporated into the draft. When the completed policy was published, the company found that its level of acceptance increased significantly, its employees feeling that they had part ownership.

As these examples demonstrate, there is a wonderful opportunity for private and public sector employed CFE’s to join in the use of enterprise applications to enhance both their and their employer’s investigative efficiency and effectiveness.  Since their organizations are already investing heavily in a wide variety of innovative technologies to transform the way in which they deliver products to and communicate with customers, as well as how they operate, manage, and direct the business, there is no reason that CFE’s can’t use these same tools to transform each stage of their examination and fraud prevention work.

A risk-based fraud prevention approach requires staff CFEs to build and maintain the fraud prevention plan, so it addresses the risks that matter to the organization, and then update that plan as risks change. In these turbulent times, dominated by cyber, risks change frequently, and it’s essential that fraud prevention teams understand the changes and ensure their approach for addressing them is updated continuously. This requires monitoring to identify and assess both new risks and changes in previously identified risks.  Some of the recent technologies used by organizations’ financial and operational analysts, marketing and communications professionals, and others to understand both changes within and outside the business can also be used to great advantage by loss prevention staff for risk monitoring. The benefits of leveraging this same software are that the organization has existing experts in place to teach CFE’s how to use it, the IT department already is providing technical support, and the software is currently used against the very data enterprise fraud prevention professionals like staff CFEs want to analyze.  A range of enhanced analytics software such as business intelligence, analytics (including predictive and mobile analytics), visual intelligence, sentiment analysis, and text analytics enable fraud prevention to monitor and assess risk levels. In some cases, the software monitors transactions against predefined rules to identify potential concerns such as heightened fraud risks in any given business process or in a set of business processes (the inventory or financial cycles).  For example, a loss prevention team headed by a staff CFE can monitor credit memos in the first month of each quarter to detect potential revenue accounting fraud. Another use is to identify trends associated with known fraud scenarios, such as changes in profit margins or the level of employee turnover, that might indicate changes in risk levels. For example, the level of emergency changes to enterprise applications can be analyzed to identify a heightened risk of poor testing and implementation protocols associated with a higher vulnerability to cyber penetration.

Finally, innovative staff CFEs have used some interesting techniques to report fraud risk assessments and examination results to management and to boards. Some have adopted a more visually appealing representation in a one-page assessment report; others have moved to the more visual capabilities of PowerPoint from the traditional text presentation of Microsoft Word.  New visualization technology, sometimes called visual analytics when allied with analytics solutions, provides more options for fraud prevention managers seeking to enhance or replace formal reports with pictures, charts, and dashboards.  The executives and boards of their employing organizations are already managing their enterprise with dashboards and trend charts; effective loss prevention communications can make effective use of the same techniques. One CFE used charts and trend lines to illustrate how the time her employing company was taking to process small vendor contracts far exceeded acceptable levels, had contributed to fraud risk and was continuing to increase. The graphic, generated by a combination of a business intelligence analysis and a visual analytics tool to build the chart, was inserted into a standard monthly loss prevention report.

CFE headed loss prevention departments and their allied internal audit and IT departments have a rich selection of technologies that can be used by them individually or in combination to make them all more effective and efficient. It is questionable whether these three functions can remain relevant in an age of cyber, addressing and providing assurance on the risks that matter to the organization, without an ever wider use of modern technology. Technology can enable the an internal CFE to understand the changing business environment and the risks that can affect the organization’s ability to achieve its fraud prevention related objectives.

The world and its risks are evolving and changing all the time, and assurance professionals need to address the issues that matter now. CFEs need to review where the risk is going to be, not where it was when the anti-fraud plan was built. They increasingly need to have the ability to assess cyber fraud risk quickly and to share the results with the board and management in ways that communicate assurance and stimulate necessary change.

Technology must be part of the solution to that need. Technological tools currently utilized by CFEs will continue to improve and will be joined by others over time. For example, solutions for augmented or virtual reality, where a picture or view of the physical world is augmented by data about that picture or view enables loss prevention professionals to point their phones at a warehouse and immediately access operational, personnel, safety, and other useful information; representing that the future is a compound of both challenge and opportunity.