Tag Archives: auditing for fraud

First Things First

About a decade ago, I attended a training session at the Virginia State Police training center conducted by James D. Ratley, then the training director for the ACFE. The training session contained some valuable advice for CFE’s and forensic accountants on immediate do’s and don’ts if an examiner strongly suspects the presence of employee perpetrated financial fraud within a client’s organization. Mr. Ratley’s counsel is as relevant today as it was then.

Ratley advised that every significant employee matter (whether a theft is involved or not) requires thoughtful examiner deliberation before any action is taken, since hasty moves will likely prove detrimental to both the investigator and to the client company. Consequently, knowing what should not be done if fraud is suspected is often more important to an eventual successful outcome than what should be done.

First, the investigator should not initially confront the employee with his or her suspicions until the investigator has first taken several important preliminary investigative steps.  Even when those steps have been taken, it may prove necessary to use a different method of informing the employee regarding her status, imminent material harm notwithstanding. False (or even valid) accusations can lead to defamation lawsuits or at the very least to an extremely uncomfortable work environment. The hasty investigator or management could offend an innocent person by questioning her integrity; consequently, your client company may never be able to regain that person’s trust or prior level of commitment. That downside is just one example of the collateral damage that can result from a fraud. Even if the employee is ultimately found to be guilty, an investigator’s insinuation gives him or her time to alter records and conceal the theft, and perhaps even siphon off more assets. It takes only a moment for an experienced person to erase a computer’s hard drive and shred documents. Although, virtually all business records can be reconstructed, reconstruction is a costly and time-consuming process that always aggravates an already stressful situation.

Second, as a rule, never terminate or suspend the suspect employee until the preliminary investigative steps referred to above have been taken.  The desire on the part of management to take decisive action is understandable, but hasty actions may be detrimental to the subsequent investigation and to the company. Furthermore, there may be certain advantages to continuing the person’s employment status for a brief period because his or her continued status might compel the suspect to take certain actions to your client’s or to the investigation’s benefit. This doesn’t apply to government employees since, unlike private sector employees, they cannot be compelled to participate in the investigation. There can be occasions, however, where it is necessary to immediately terminate the employee. For example, employees who serve in a position whose continued employment could put others at risk physically, financially, or otherwise may need to be terminated immediately. Such circumstances are rare, but if they do occur, management (and the CFE) should document the entire process and advise corporate counsel immediately.

Third, again, as a rule, the investigator should never share her initial suspicions with other employees unless their assistance is crucial, and then only if they are requested to maintain strict confidentiality.  The CFE places an arduous burden on anyone in whom s/he has confided. Asking an employee to shoulder such responsibilities is uncharted territory for nearly anyone (including for the examiner) and can aggravate an already stressful situation. An examiner may view the confidence placed in an employee as a reflection of his and management’s trust. However, the employee may view the uninvited responsibility as taking sides with management at the expense of his relationship with other employees. Consequently, this step should be taken only if necessary and, again, after consultation with counsel and management.

Regarding the do’s, Ratley recommended that the instant that an employee fraud matter surfaces, the investigator should begin continuous documentation of all pertinent investigation-related actions taken. Such documentation includes a chronological, written narrative composed with as much specificity as time permits. Its form can take many shapes, such as handwritten notes, Microsoft Word files, spreadsheets, emails to yourself or others, and/or relevant data captured in almost any other reproducible medium. This effort will, of course, be time consuming for management but is yet another example of the collateral damage resulting from almost any employee fraud. The documentation should also reference all direct and related costs and expenses incurred by the investigator and by the client company. This documentation will support insurance claims and be vital to a subsequent restitution process.  Other collateral business damages, such as the loss of customers, suppliers, or the negative fiscal impact on other employees may also merit documentation as appropriate.

Meetings with corporate counsel are also an important do.  An employee fraud situation is complex and fraught with risk for the investigator and for the client company. The circumstances can require broad and deep expertise in employment law, criminal law, insurance law, banking law, malpractice law, and various other legal concentrations. Fortunately, most corporate attorneys will acknowledge when they need to seek additional expertise beyond their own experience since a victim company counsel specializing in corporate matters may have little or no background in matters of fraud. Acknowledgment by an attorney that s/he needs additional expertise is a testament to his or her integrity. Furthermore, the client’s attorney may contribute value by participating throughout the duration of the investigation and possible prosecution and by bringing to bear his or her cumulative knowledge of the company to the benefit of the organization.

Next, depending on the nature of the fraud and on the degree of its fiscal impact, CFEs should meet with the client’s CPA firm but exercise caution. The client CPA may be well versed in their involvement with your client through their work on income taxes, audit, review, and compilations, but not in forensic analysis or fraud examination. Larger CPA firms may have departments that they claim specialize in financial forensics; the truth is that actual experience in these matters can vary widely. Furthermore, remember that the situation occurred under your client CPA’s watch, so the firm may not be free of conflict.

Finally, do determine from management as early as possible the range of actions it might want to take with respect to the suspect employee if subsequent investigation confirms the suspicion that fraud has indeed occurred.  Deciding how to handle the matter of what to do with the employee by relying upon advice from management and from the legal team can be quite helpful in shaping what investigative steps are taken subsequently. Ratley pointed out that the level and availability of evidence often drive actions relating to the suspect. For example, the best course of action for management may be to do nothing immediately, to closely monitor and document the employee’s activities, to suspend the employee with pay, or immediately terminate the suspect’s employment. There may be valid reasons to exercise any one of these options.

Let’s say the CFE is advised by management to merely monitor and document the employee’s activities since the CFE currently lacks sufficient evidence to suspend or terminate the employee immediately. The CFE and the client’s IT operation could both be integral parts of this option by designing a plan to protect the client from further loss while the investigation continues behind the scenes. The investigation can take place after hours or under the guise of an “efficiency audit,” “business planning,” or other designation. In any case, this option will probably require the investigator to devote substantial time to observe the employee and to concurrently conduct the investigation.  The CFE will either assemble sufficient evidence to proceed or conclude there is inadequate substantiation to support the accusation.

A fraud is a devastating event for any company but Mr. Ratley’s guidance about the first steps in an investigation of employee perpetrated financial fraud can help minimize the damage.  He concluded his remarks by making two additional points; first, few executives are familiar by experience with situations that require CFE or forensic accountant expertise; consequently, their often-well-meaning actions when confronted with the actuality of a fraud can result in costly mistakes regarding time, money and people. Although many such mistakes can be repaired given sufficient money and time, they are sometimes devastating and irrecoverable.  Second, attorneys, accountants and others in the service professions frequently lack sufficient experience to recognize the vast differences between civil and criminal processes.  Consequently, these professionals often can provide the best service to their corporate clients by referring and deferring to more capable fraud examination specialists like certified fraud examiners and experienced forensic accountants.

On Business Process Flow

During the last few years attention has increasingly turned to consideration of client critical business processes functioning as a unified whole as a focus of both risk assessment and fraud prevention efforts.  As result of this attention has come the accompanying realization that superior design of individual business processes is not only critical to the success of the overall organization but to its fraud prevention effort as well. For example, take bid preparation, a process that is usually conducted under time pressure, and requires cross-organizational coordination involving the finance, marketing and production departments. If this process is badly designed, it may slow down processing and lead to late submission of the bid or to an inadequately organized bid, reducing the chances of winning the tender, all outcomes that increase the risk of the emergence of irregularities and perhaps even to the enhanced facilitation of actual fraud. 

An additional realization has been that business processes require process based management.  As CFE’s, our client organizations are usually divided into functional units (e.g., finance, marketing). Many business processes, however, like the bid process, are cross-organizational, involving several functions within the organization.  A raw material purchasing process flows through the warehouse, logistics, purchasing and finance functions. Although each unit may function impeccably independently, the process may be impaired due to a lack of coordination among the units. To prevent the obvious fraud vulnerabilities related to this problem, the ACFE emphasizes the need to manage the business process fraud prevention effort end to end. This includes appointing a process owner; setting performance standards (e.g., time, quality, cost); and establishing (and risk assessing) the control, monitoring and measurement of all the processes at work. 

In the modern business world, change is constantly occurring; admirable as this fact is from an innovation perspective, anything that creates change, especially rapid change, can constitute opportunity for the ethically challenged.  Despite this and associated risks, to ensure its competitiveness, the organization must continuously improve and adapt its business processes. Automated processes based on information systems are usually more difficult and expensive to change than manual processes (of which there are fewer left every day). Modifications to traditional program code require time and human resources, resulting in delays and high costs. Hence, to maintain business agility, automating business processes requires a technology that supports rapid modifications and often, less management oversight and control and more vulnerability to fraud. 

Any business that is successful over the long term has most likely performed some kind of risk assessment, and had some success at managing business risks. Managers of successful entities have thought out what risks could have a significant negative impact on their ability to successfully execute the business plan, or even just cause a substantial loss of business, and have attempted to provided mitigating activities to address those risks. With the pervasiveness of fraud and, more important, their increasing dependence on cross organizational business processes, entities have had to consider a fraud risk assessment as a sizeable portion of any fraud prevention effort. Yet, many entities struggle with the issue or, if convinced of the need to conduct an assessment across business process flows, with where to begin in performing an effective one. 

The primary focus of a cross-organizational business process fraud risk assessment is to identify risks that the totality of such business processes present to the business, i.e., adverse effects related to these processes, whether taken as a whole or individually, are not in the best interests of the entity. These risks are usually associated with business elements such as the ability to deliver the service/product efficiently and effectively, the ability to comply with regulations or contractual obligations, the effectiveness of systems (especially accounting systems and financial reporting systems), and the effective management of the entity in general (to achieve goals and objectives, to successfully achieve the business model). Weak anti-fraud controls can introduce risks in any of these areas, and more. For instance, robust anti-fraud controls can enhance the entity’s ability to sell its products over the internet, or move costs (clerical functions) from within the entity (employees) to customers outside the entity (e.g., online banking and the need to ask questions about accounts).   The bottom line is that there is a need to have an effective identification and assessment of business process risks where the risks are at a degree that is more than trivial. 

Typically, fraud risk is assessed as both a probability of occurrence and a magnitude of effect, or the product of the two. The greater that product, the more significant that risk is to the entity, and the more it needs to be mitigated. Therefore, for each cross-organizational process risk, someone is asking the questions: what is the magnitude of the identified fraud risk/failure (e.g., monetary loss)? What is the likelihood of it occurring (e.g., a percentage)? One thing the CFE can do is to obtain a copy of the client’s current risk assessment document. If management does not have one, or if it is in their head, then by default, assurance over fraud risk being properly mitigated is lowered. Another good start is to obtain the client’s business model; goals, objectives and strategies; and policies and procedures documents. A review of these documents will enable the CFE to understand where cross business process fraud risks could occur.   

Another thing the CFE should do is gain a good understanding of the loss prevention function (if there is one), including its managerial and operational aspects. Then, depending on the entity, there could be an extensive list of technologies or systems that will need to be evaluated for risk in operations. From the management side, it includes the internal audit and loss prevention staffs. A measure of the competency of staff devoted to the fraud prevention effort is a key factor. Obviously, the more competent the staff, the lower the risks associated with all the elements of operations they affect, and vice versa. 

Since traditional systems are transaction based and handle each transaction and business document separately, it’s difficult to audit processes end to end.  Therefore, in such systems proper audit trails should be designed and implemented to ensure that a chronological record of all events that have occurred is maintained.  A focus on entire business processes, by contrast, is process flow based and therefore audit trails are a built-in feature.  In automated systems featuring this type of inter-process flow, all incidents and steps of multi-business processes are documented and linked to each other in the order they occurred.  

From the access control aspect of operations, an assessment should be made as to risk of unauthorized activities. For example, do access controls sufficiently limit access to systems and supported business process flows by effective authorization and authentication controls? Does the information management test new systems and applications thoroughly before deployment? Is there a sufficient staging area so that business process flow support applications can be tested not only on a stand-alone basis but also when interfaced with other applications and whole systems? If applications are not tested, this would lead the CFE to have less assurance about mitigating fraud risks facilitated by bugs and system failures.

The focus of fraud mitigation has moved, with increasing automation, away from the simple single fraud scenario to the entire flow of the interlocking business processes constituting the modern organization and their analytic footprint. 

The Facts Speak for Themselves

fact-findingOne of the most frequent topics our Chapter receives questions about from new members and from our on-line guests concerns the documenting and reporting of investigative results.  What types of reports do fraud examiners and forensic accountants typically produce based on what types of documentation? What should be included in the various types of documentation and reports and what should be avoided?

The ACFE tells us that documenting an investigation is as important as performing it. A poorly documented case file can lead to a disappointing conclusion, a dissatisfied client, and can even damage the investigator’s reputation. Various means by which the fraud examiner or forensic accounting investigator may report her findings have been established by over two decades of practice.  The form of the report, whether oral or written, is always a matter to be discussed with the client and with counsel. While it’s not the responsibility of the fraud examiner to advise on the legal perils associated with various forms of reporting, there are certain issues of which new investigators should be aware as their clients debate the form of reporting that will conclude the investigator’s examination.

The ACFE suggests that practitioners try to determine at the outset whether a written report is expected and, if so, its form and timing. In the usual circumstance that this point can’t be decided at the inception of the engagement, the examiner should conduct the investigation in a manner that will facilitate a comprehensive oral report, including the key documents and any exhibits necessary to illustrate the findings. Many investigations begin small, but there’s no way to know with certainty where they will lead and what will be required at the conclusion. Although the client may not have requested a report at the outset of the investigation, some event during the investigation may change the client’s mind, and the investigator should to be prepared to respond. For example, you may determine during an investigation that an officer of the company violated a law or regulation, thereby requiring the company to consider self-reporting and possibly

bringing a civil action against the officer and other third parties. Alternatively, you may be subpoenaed for your part in an investigation that has captured the attention of regulatory agencies or law enforcement. While you can testify only as to what procedures you recall performing and the attendant findings, your client, and your own reputation, will be better served if you always have through and proper documentation. Try to perform an investigation as if you might be asked later to report formally on your findings and on the exact procedures performed.

Members also ask about the types of reports.  The most common reports are:

Written reports

  • Report of investigation. This form of written report is given directly to the client, which may be the company’s management, board, audit committee of the board, in-house counsel or outside counsel. The report should stand on its own; that is, it should identify all the relevant evidence that was used in concluding on the allegations under investigation. This is important because the client may rely on the report for various purposes such as corporate filings, lawsuits, employment actions, or alterations to procedures and controls.
  • Expert report filed in a civil court proceeding. The American Institute of Certified Public Accountants (AICPA) publishes an excellent practice aid on the full range of expert reports.
  • Affidavits. These are voluntary declarations of facts and are communicated in written form and sworn to by the witness (declarant) before an officer authorized by the court.
  • Informal reports. These consist of memos to file, summary outlines used in delivery of an oral report, interview notes, spreadsheets listing transactions along with explanatory annotations, and other less-formal written material prepared by the investigation team.

Oral reports

  • Oral reports are usually delivered by the investigation engagement leader to those overseeing an investigation, such as a company’s board, or to those who represent the company’s interests, such as outside counsel.
  • Oral reports involve giving a deposition, as a fact witness or expert witness, during which everything that is said, by all parties to the deposition, is transcribed by a court reporter.

Reports documenting an investigation differ considerably from audit opinions issued under generally accepted auditing standards (GAAS). The investigative report writer is not constrained by the required language of a governing standard, and investigative reports differ from one another in organization and content depending on the client’s stated needs. In contrast, financial audit reports adhere to set formula prescribed by GAAS. The uses of written reports also differ. The client could do any of the following things with an investigative report:

  • Distribute the report to a select group of individuals associated with the company in various capacities;
  • Voluntarily give the report to a prosecutor as a referral for prosecution;
  • Enter the report as evidence in a civil fraud proceeding;
  • Give the report to outside counsel for use in preparing regulatory findings, entering negotiations, or providing other legal services on behalf of the company.

However the client decides to use the report, its basic elements usually include the following organizaton:

  • Identify your client;
  • In the case of a lawsuit, identify the parties;
  • State in broad terms what you were asked to do;
  • Describe your scope, including the period examined;
  • Include mention of any restriction as to distribution and use of the report;
  • Identify the professional standards under which the work was conducted;
  • Identify exclusions in the reliance on your report (the report is not a financial audit, etc.);
  • State that your work should not be relied on to detect all fraud;
  • Include the procedures you performed, technical pronouncements relied upon, and findings.

Although a summary can be helpful to the reader it may be perilous for the report writer in terms of keeping critical information and perspectives intact. Caution is advised when preparing two types of summary sections: executive summary and conclusion.  If you do write a summary, be careful not to offer an opinion on the factual findings unless specifically requested to do so by the client. The facts should speak for themselves.

It may be appropriate to include in a concluding section of the Report of Investigation certain recommendations for additional investigative procedures or a description of control breakdowns you have observed. Also, a carefully written executive summary at the beginning of the report can be extremely helpful to the reader, especially when it precedes a long and complex report. The executive summary should offer in simple, straightforward language an accurate statement of significant findings. Each summarized finding should include a reference to the full description of findings included in the complete Report of Investigation.

Fraud examination reports are powerful tools which can assist client management in a myriad of ways but, like anything else, if ineptly prepared, represent a minefield for the beginning practitioner.

The Auditor and the Fraud Examiner

financial-statementsOur Chapter averages about three new members a month, a majority of whom are drawn from the pool of relatively recent college graduates in accounting or finance, most of whom possessing an interest in fraud examination and having a number of courses in auditing under their belts.  From the comments I get it seems that our new members are often struck by the apparent similarities between fraud examination and auditing imparted by their formal training and yet hazy about the differences between the two in actual practice.

But, unlike the financial statement focus in financial auditing, fraud examination involves resolving fraud allegations from inception to disposition. Fraud examination methodology requires that all fraud allegations be handled in a uniform, legal fashion and be resolved on a timely basis. Assuming there is sufficient reason (predication) to conduct a fraud examination, specific examination steps usually are employed. At each step of the fraud examination process, the evidence obtained and the effectiveness of the fraud theory approach are continually assessed and re-assessed. Further, the fraud examination methodology gathers evidence from the general to the specific. As such, the suspect (subject) of the inquiry typically would be interviewed last, only after the fraud examiner has obtained enough general and specific information to address the allegations adequately.  However, just like a financial statement audit, a fraud investigation consists of a multitude of steps necessary to resolve allegations of fraud: interviewing witnesses, assembling evidence, writing reports, and dealing with prosecutors and the courts. Because of the legal ramifications of the fraud examiners’ actions, the rights of all individuals must be observed throughout. Additionally, fraud examinations must be conducted only with adequate cause or predication.

Predication is the totality of circumstances that would lead a reasonable, professionally trained, and prudent individual to believe a fraud has occurred, is occurring, or will occur. Predication is the basis upon which an examination is commenced. Unlike a financial audit, fraud examinations should never be conducted without proper predication. Each fraud examination begins with the prospect that the case will end in litigation. To solve a fraud without complete and perfect evidence, the examiner must make certain assumptions. This is not unlike the scientist who postulates a theory based on observation and then tests it. In the case of a complex fraud, fraud theory is almost indispensable. Fraud theory begins with a hypothesis, based on the known facts, of what might have occurred. Then that hypothesis or key assumption is tested to determine whether it’s provable.

The fraud theory approach involves the following steps, in the order of their occurrence:

  • Analyze available data.
  • Create a hypothesis.
  • Test the hypothesis.
  • Refine and amend the hypothesis.
  • Accept or reject the hypothesis based on the evidence.

With that said, fraud examinations incorporate many auditing techniques; however, the primary differences between an audit and a fraud investigation are the scope, methodology, and reporting. It’s also true that many of the fraud examiners in our Chapter (as in every ACFE Chapter) have an accounting background. Indeed, some of our members are employed primarily in the audit function of their organizations. Although fraud examination and auditing are related, they are not the same discipline. So how do they differ?  First, there’s the question of timing.  Financial audits are conducted on a regular recurring basis while fraud examinations are non-recurring; they’re conducted only with sufficient predication.

The scope of the examination in a financial audit is general (the scope of the audit is a general examination of financial data) while the fraud examination is conducted to resolve specific allegations.

An audit is generally conducted for the purpose of expressing an opinion on the financial statements or related information.  The fraud examination’s goal is to determine whether fraud has occurred, is occurring, or will occur, and to determine who is responsible.

The external audit process is non-adversarial in nature. Fraud examinations, because they involve efforts to affix blame, are adversarial in nature.

Audits are conducted primarily by examining financial data. Fraud examinations are conducted by (1) document examination; (2) review of outside data, such as public records; and (3) interviews.

Auditors are required to approach audits with professional skepticism. Fraud examiners approach the resolution of a fraud by attempting to establish sufficient proof to support or refute an allegation of fraud.

As a general rule during a financial fraud investigation, documents and data should be examined before interviews are conducted. Documents typically provide circumstantial evidence rather than direct evidence. Circumstantial evidence is all proof, other than direct admission, of wrongdoing by the suspect or a co-conspirator.  In collecting evidence, it’s important to remember that every fraud examination may result in litigation or prosecution. Although documents can either help or harm a case, they generally do not make the case; witnesses do. However, physical evidence can make or break the witnesses. Examiners should ensure that the evidence is credible, relevant, and material when used to support allegations of fraud.

From the moment evidence is received, its chain of custody must be maintained for it to be accepted by the court. This means that a record must be made when the item is received or when it leaves the care, custody, or control of the fraud examiner. This is best handled by a memorandum of interview by the custodian of the records when the evidence is received.

Fraud examiners are not expected to be forensic document experts; however, they should possess adequate knowledge superior to that of a lay person.

In fraud investigations, examiners discover facts and assemble evidence. Confirmation is typically accomplished by interviews. Interviewing witnesses and conspirators is an information-gathering tool critical in the detection of fraud. Interviews in financial statement fraud cases are different than those in most other cases because the suspect being interviewed might also be the boss.

In conclusion, auditing procedures are indeed often used in a financial statement fraud examination. Auditing procedures are the acts or steps performed by an auditor in conducting the review. According to the third standard of fieldwork of generally accepted auditing standards, “The auditor must obtain sufficient appropriate audit evidence by performing audit procedures to afford a reasonable basis for an opinion regarding the financial statements under audit.”  Common auditing procedures routinely used during fraud examination, as during financial statement examination, are confirmations, physical examination, observation, inquiry, scanning, inspection, vouching, tracing, re-performance, re-computation, analytical procedures, and data mining; these are all vital tools in the arsenal of both practitioners as well as of all financial assurance professionals.

Plum Street Dialogue #4 – Some Fraud Schemes Involving Cash

patio-set-5Over the years I’ve been involved in on-going discussions with any number of practicing certified fraud examiners, many of whom have provided me with excellent insights on every aspect of the profession.   Using the notes I’m constantly taking, I thought it might be fun (and instructive) to cast some of their thoughts on actual practice in the form of a series of fictitious dialogues on everything fraud examination.  This third is a discussion on the topic of financial fraud; the dialogue is between three composite fraud examiners, Glenn, Alex and Terrie.  Our three friends meet, as before, after work, in the garden behind Glenn’s house on Plum Street in the Fan District of Richmond, Virginia.

[As we join our friends in the shade of Glenn’s patio, Terrie is talking about one of her recent cases specifically as well as cash fraud schemes in general … she’s saying that there are numerous schemes that employees use to defraud organizations. The schemes generally involve cash, accounts receivable, inventory, purchasing, investments and fixed assets, as well as the manipulation of payroll and personal expenses.]

Terrie:  Cash defalcations, like the case I’m currently working on, are probably the most common of all employee embezzlement schemes. Since most companies keep relatively good control over cash, the schemes are frequent but rarely material.  A little more complex scheme involves kiting. Kiting is the process where two or more banks are used to create artificial deposits. Checks written on one bank are deposited in the other and then cash is removed from the second bank. In order to keep the checks from being returned, the fraudster writes new checks periodically. All kiting schemes require banks to pay on unfunded deposits.

Alex: In your experience, Terrie, what’s the best way to go about detecting cash frauds?

Terrie: I use several basic techniques to detect cash frauds. Classically, they include bank reconciliations, cut-off bank statements, surprise cash counts, investigation of customer complaints, journal entry review, and the review of historical sales and cost trends.

Alex: I just finished working a case involving accounts receivable.

Glenn: What do accounts receivable schemes look like?

Alex: There are about four that I’m aware of: lapping, fictitious receivables, diversion of payments on old written-off accounts, and borrowing against the receivables.

Glenn: Define lapping …

Alex: The term is used to describe a method of concealing a defalcation where cash received from a customer is misappropriated by the employee, and at a later date cash received from another customer is credited to the first customer’s account. The second customer’s account is credited still later by cash received by a third customer, and so on. These lapping schemes are usually detected when the scheme becomes too difficult to conceal, when an employee makes a mistake by not crediting the right account, or the customer subsequently complains (which they almost always do). Old or written-off accounts receivable are almost always vulnerable to theft by cashier and accounts receivable employees. Because few controls exist on written-off accounts receivable, subsequent payments can sometimes be diverted. That’s exactly what happened in the case I just finished.

Fictitious accounts receivable are also a common way businesses attempt to artificially inflate their assets and income. They are also sometimes furnish motive for salesmen and others to meet quotas and receive commissions.

Glenn:  According to the speaker at one of our Richmond Chapter’s recent training events, employees will even use the company’s accounts receivable as collateral for their own personal loans.

Alex:  Just as there are four basic schemes, there are four basic detection methods for accounts receivable frauds. They include matching deposit dates, customer confirmations, accounting cut-off analysis, and trend analysis on written-off accounts. Account receivables frauds can be prevented through the adequate segregation of duties. The collection of cash, posting of accounts receivable, and the writing off of old uncollectible accounts receivable should all be done by different personnel if possible. Also, some customer receipts can be made to a lock box rather than to the company’s normal mailing address. This allows the customer to make payments directly to the bank and therefore eliminate time delays.

Terrie:  Don’t forget inventories …because so many companies carry large inventories, these assets are particularly susceptible to abuse. The most frequent inventory scheme concerns the theft or appropriation of the company’s items. The theft of scrap sales proceeds is also pretty common. Because the amounts are generally insignificant to the company, scrap sales are usually not well controlled and good inventories aren’t kept.  In some instances, since inventory accounts are not generally reconciled until the end of the year, embezzlements can be charged to these accounts.

Alex: And how do you detect it? …

Terrie: Most inventory fraud is detected through missing financial documentation, physical inventory counts, or analytical review. If the company’s cost of sales has risen significantly from one period to the next, this could either be because of legitimate reasons or because embezzlements in significant amounts are being charged to the inventory accounts.

Glenn: And purchasing! …

Terrie: Right.  Don’t ever forget purchasing!

Glenn:  The purchasing function of a business is particularly vulnerable to employee abuses. Typical schemes involve fictitious invoices, over-billing, checks payable to employees, and conflicts of interest. Purchasing fraud doesn’t necessarily require collusion with another employee or an outsider, although it often occurs.  I recall a case where a vendor opened up a credit card account for the personal use of a client company’s purchasing officer.

Alex:  That’s a good one and, I would imagine, hard to detect.  Fictitious invoices are one of the most common red flags of employee fraud. They normally involve purchases for goods or services not delivered or rendered. An over-billing scheme is a method where the fraudster submits an artificially inflated invoice to her company for payment. The amount of the overpayment is then diverted or paid to the employee or an accomplice. In a few instances, employees simply make out checks to themselves, deposit the checks in their personal bank accounts, and then destroy them when they are returned in the company’s bank statement. Purchasing or accounts payable employees can also have duplicate payments issued for the same item. Conflicts of interest in purchasing occur when an employee, manager, or executive has an undisclosed interest in a business that supplies goods or services to his employer.

Glenn:  So, the bottom line, how are purchasing schemes generally detected in your experience?

Alex: By analytical review in some instances.  Going over the various general ledger accounts might reveal unusual or unexpected items.  The fraud examiner can also use the computer to facilitate analytical review of timing of bids, patterns of bids, amount of work, patterns of new vendors, and similar trends.

Terrie:  Duplicate addresses in the vendor file. And also addresses that look like addresses that match, like they are different companies, but they end up going to the same P.O. Box. That’s definitely one to look for. And going to a drop box. You know how you get situations where the address is let’s say 100 Warren Street, Suite 150. Well, that’s a drop box for post office box 150. You have to look for things like that. Vendors with post office boxes. You know you can have a post office box and have a check come to you. You should always have a street address. You should know for sure that’s a real street address or real company or just take the time to look it up.

[A pizza delivery man bearing two large boxes and an invoice appears at the edge of the patio and clears his voice…]

Glenn: Well, I see that dinner has arrived and we’ve only touched the surface … we can continue this discussion, if you want,  the next time we choose to meet.

Terrie:  Sounds like a plan!

Before You Pay that Invoice!


HandOnMouseDuring our April 2015 training event, ‘Using Analytics to Detect Fraud’, our speaker, Bethmara Kessler, gave a fascinating, real life example from her own practice of how detailed analytic analysis could be especially helpful in addressing false billing frauds.  In addition, she explained at length just how this type of fraud works. In a false billing scheme, an employee or outside party creates false vouchers or submits false invoices to a target organizational payer. These documents cause the payer to issue payments for goods or services that are either completely fictitious or overstated in price. The perpetrator then collects the fraudulent payments/checks and converts them for personal use. Another type of billing fraud involves buying personal goods or services with company money.

A false billing fraud affects the purchasing cycle, causing the company to pay for nonexistent or non-essential goods or services. Most false billing frauds involve a service, since it is easier to conceal a service that is never performed than to conceal goods never received. As Bethmara’s example demonstrated, the most common billing scheme is setting up one or more bogus vendors.   There are several ways to do this. The most common is to create a fictitious vendor (often called a shell company), open a bank account in the shell company’s name, and bill the victimized company. The perpetrator then creates an invoice and sends it to his employer. Invoices can be professionally produced via computer and desktop publishing software, typewritten, or even prepared manually. Often, the most difficult aspect of a fraudulent billing scheme is getting the false invoice approved and paid. In many instances of billing fraud, the person perpetrating the fraud is also the person in the company who is authorized to approve invoices for payment. Another popular means of getting invoice approval is to submit invoices to an inattentive, trusting, or “rubber-stamp” manager. Furthermore, perpetrators often create false supporting documents to facilitate approvals and payments, e.g., voucher packages.

A perpetrator can also use a shell company to perpetrate a pass-through billing scheme: the perpetrator places orders for goods with his shell company, has his shell company order the goods from a legitimate supplier at market prices, and then sells those goods to his employer at inflated prices. The fraud lies in the fact that the victimized company is buying the goods it needs from an unauthorized vendor at inflated prices. The perpetrator “profits” from the inflated prices gained while acting as an unauthorized “middle man” in a necessary company transaction.

Rather than utilizing shell companies to over-bill, some employees generate false disbursements through invoices of non-accomplice vendors. In what is called a pay and return scheme, the perpetrator makes an error in a vendor payment to facilitate the theft. One way to do that is to overpay or double-up on payments, request a check from the vendor for the excess, and steal the check when it arrives. Another scenario is to pay the wrong vendor by placing vendor checks in the wrong envelopes, then calling the vendors to explain the mistake and requesting the return of the checks. When the checks return, they are stolen. The support documents are sent through the accounts payable system a second time; and these checks are sent to the proper vendors.

Another scheme involves purchasing personal items with company money. One popular way to do this is to make a personal purchase, then run the unauthorized invoice through the accounts payable system. If the perpetrator is not in a position to approve the purchase, s/he may have to create a false purchase order to make the transaction appear legitimate or alter an existing purchase order and have an accomplice in receiving remove the excess merchandise.

Another way to purchase personal items with company money is to have the company order merchandise, then intercept the goods when they are delivered. To avoid having the merchandise delivered to the company, the perpetrator often will have it diverted to his home or some other address, such as a spouse’s business address. A third way to purchase personal items with company money is to make personal purchases on company credit cards. No matter which of the approaches is used, the perpetrator will either keep the purchases for personal use or turn the purchase into cash (or a credit card refund) by returning the merchandise.

Bethmara pointed out that, in some ways, it’s easier to conceal a billing fraud than other frauds – but in other ways, it’s harder. It’s easier in that the perpetrator does not have to remove cash or inventory from company premises; instead, the company mails her a check. It’s more difficult in that, when the perpetrator creates a bogus vendor or shell company, he has to come up with a name, mailing address (often the fraudster’s home address or a postal box), and phone number (often a home phone number); open a bank account in the shell company’s name (usually requiring him to file or forge articles of incorporation) or in his own name; deposit and withdraw money; and create and send vendor invoices. Any of these can lead back to the perpetrator, making it easier to find him once the fraud is detected and the shell company identified.

Depending on the scheme and organizational controls in place, the perpetrator may have to falsify or alter a purchase requisition, purchase order, receiving report, or vendor invoice, or fool or force the authorizing person to approve or forge an authorization. Perpetrators involved in a pay and return fraud usually have to intercept any checks that are returned.

Finally, Bethmara presented a number of red flags usually present when a false billing fraud is taking place, including:

  • An unexplained increase in services performed (services that were paid for, but never performed);
  • Payments to unapproved vendors;
  • Invoices approved without supporting documents;
  • Falsified or altered voucher documents; for example, altering a purchase order after its approval;
  • Inflated prices on purchases or orders of unnecessary goods and services;
  • Payments to an entity controlled by an employee;
  • Multiple payments on the same invoice or over payments on an invoice;
  • Personal purchases with company credit cards or charge accounts;
  • Excessive returns to vendors, or full payment not received for items returned;
  • A vendor with a post office box address.

On July 23, 2015 our Chapter will be hosting a one-day ACFE seminar entitled, ‘Fraud Prevention’.  Our speaker, Chis Rosetti, will be presenting a host of effective measures anti-fraud practitioners and client management can take to prevent the false billing and other common frauds so eloquently described by Bethmara Kessler and Jerry Sacks at our recent prior events (8 high quality CPE for just $150.00). Hope you can join us!

That Break’s For You


vacation“We are again honored to have a seventh guest post from our friend and Richmond Chapter 2015 Vice-President, Rumbi Bwerinofa, CPA/CFF. Rumbi is a Director of the Queens/Brooklyn Chapter of the New York State Society of CPAs and a member of the NYSSCPA Litigation Services Committee. She is the editor of TheFStudent.com, where she discusses financial forensic issues.” – Charles Lawver-2015 RVACFES Chapter President…”

I live in New York City, the city that, in its own mind at least, never sleeps. Those of us who live here wear that like a badge of pride.  Rest? Only when we’re dead! If you ride the subway, death apparently includes the daily rush-hour commute. Here, we’re a city of zombies who have even figured out to sleep, standing up, crammed like sardines into whatever tin box is taking us to work. Out bosses love our never rest attitude. What could be better than workers who express shame when requesting time off? Who wouldn’t like an office full of people competing to see who can pull the longest hours?

Well, it turns out that, perhaps, a worker who never leaves his or her desk may not be such a good thing for company health, when it comes to fraud prevention and detection. That person who’s so diligent that, not only does she never need help, but she’s even willing to take on additional tasks like, say, picking up and distributing the mail or making bank deposits, may be taking on all these extra tasks for a reason, say to make sure that no one discovers she’s actively stealing from the company. That why it’s important for forensic accountants and fraud examiners to help our clients understand the criticality of enforced staff vacations for the overall integrity of their fraud prevention programs.

It’s so important to stress to the employer that, when employees do take vacations, desks mustn’t be allowed to sit idle, with work and mail just piling up, untouched for two or three weeks.  Vacation times represent the perfect point to perform targeted, concurrent fraud prevention and detection related tests. One, or more, of the vacationing employee’s cross-trained peers should take over the daily, detailed tasks of the employee. Such tests are especially important if the employee has access to assets or cash, but it’s a good prevention practice for every employee’s desk. Mail should be opened, bank statements reconciled and checks to vendors written. In this way, fraud and error stand a good chance of being caught.  Just knowing that this type of testing is mandatory during enforced annual vacations is a potent fraud deterrent in itself.

Too often fraud is caught by accident, when one employee happens to be out of the office and a question needs to be answered. Someone will dig into that employee’s work and stumbles onto something amiss. Rita Crundwell  stole almost $54 million from the city of Dixon during the nearly three decades she was that city’s comptroller. Her crime was discovered while she was out of her office, on vacation, and the acting comptroller, asked for bank statements, found a statement for an account that was not recorded in the ledger. The account held millions, had an official-sounding name wasn’t identified in any city record. Had, someone else in the city’s finance department routinely performed banking and mail duties while Crundwell was out of the office (of even at random times when she wasn’t), this embezzlement may have been caught years earlier.  Prior to the fraud’s discovery, no manager in authority seemed to see a conflict of duties issue with Crundwell, the comptroller, picking up all the city’s mail. While she was on vacation, she would have a relative or city employee pick up the mail, separate out hers’, and distribute the rest. Yes, a relative, not even a city employee, picked up and distributed the city’s mail!  Had Crundwell known that her work would be independently randomly checked and reviewed on a regular basis, she may have decided that stealing from the city was just too risky and have never perpetrated her crime.

The FDIC and SEC recommend mandatory vacations of two consecutive weeks for traders and others in the financial industry. This guarantees there’s adequate time for the employer to have another staff member perform the work of the vacationing employee and check for fraud and error. Any business would benefit from adding this process to their control systems.

An earlier post on The Inner Auditor discussed the risks and control weaknesses associated with only one person in a business holding the bulk of the information about how things work. Should that person take an extended vacation, retire or quit, the company could very well come to a confused standstill because no one else knows how to perform certain processes or where certain information is kept. A benefit of and enforced mandatory vacation and random testing policy is that other staff members will be forced to learn, through cross-training,  what their colleagues do and know; knowledge about the functioning of every desk will be shared among various employees.

Employers should be thoroughly briefed on benefits for fighting fraud, reducing error and sharing knowledge that a well-planned and executed vacation and concurrent testing policy can bring to the fraud prevention effort. They may or may not worry too much about how tired their workers are, but I’m pretty sure that they care a lot about keeping their assets safe.

Ancient Analytics


CPU5Our Chapter, along with our partners the Virginia State Police and national ACFE, will be hosting a two day seminar starting April 8th entitled, ‘Hands on Analytics – Using Data Analytics to Identify Fraud’ at the VASP Training Academy here in Richmond, Virginia.  Our presenter will be one of the ACFE’s best, the renowned fraud examiner Bethmara Kessler, Chief Audit Officer of the Campbell Soup Company.  The science of analytics has come a long way in its evolution into the effective tool we know and all make such good use of today.  I can remember being hired fresh out of graduate school at the University of Chicago by a Virginia bank (long since vanished into the mists of time) to do market and operations research in the early 1970’s.

The bank had just started accumulating operational and branch related data for use with a fairly primitive IBM mainframe relational database; simple as that first application was, it was like a new day had dawned!  The bank’s holding company was expanding rapidly, buying up correspondent banks all over the state so, as you can imagine, we were hungry for all sorts of actionable market and financial information.  In those early days, in the almost total absence of any real information, when data about the holding company was first being accumulated and some initial reports run, it felt like lighting a candle in a dark room!  At first blush, the information seemed very useful and numbers-savvy people poured over the reports identifying how some of the quantities (variables) in the reports varied in relation to others.  As we all know now, based on a wider and more informed experience, there’s sometimes a direct correlation between fields and sometimes there’s an implied correlation. When our marketing and financial analysts began to see these correlations, relating the numbers to their own experiences in branch bank location and in lending risk management for example, it was natural for them to write up some rules to manage vulnerable areas like branch operations and fraud risk.  With regard to fraud control, the data based rules worked great for a while but since they were only rules, fraudsters quickly proved surprisingly effective at figuring out exactly what sort of fraud the rules were designed to stop.  If the rule cutoff was $300 for a cash withdrawal, we found that fraudsters soon experimented with various amounts and determined that withdrawing $280 was a safe option.  The bank’s experts saw this and started designing rules to prevent a whole range of specific scenarios but it quickly became a losing game for the bank since fraudsters only got craftier and craftier.

Linear regression models were first put forward to address this incessant back and forth issue of rule definition and fraudster response as database software became more adept at handling larger amounts of data effectively and so enough data could be analyzed to begin to identify persistent patterns.  The linear regression model assumed that the relationships between the predictors used in the model and the fraud target were linear and so the algorithm tries to fit a linear model to detect fraud by identifying outliers from the basic fit of the regression line.   The regression models proved better than the rule based approach since they could systematically look at all the bank’s credit card data, for instance, and so could draw more effective conclusions about what was actually going on than the rules ever could.

As we at the bank found in the early days of attempted analytics based fraud detection, when operating managers get together and devise fraud identification rules, they generally do slightly better than random chance in identifying cases of actual fraud; this is because, no matter how good and well formulated the rules are, they can’t cover the entire universe of possible transactions.  We can only give anti-fraud coverage to the portion of transactions addressed by the rules.  When the bank built a linear model employing algorithms comparing actual past experience with present actual experience the analysis experienced the advantage of covering the entire set of transactions and classifying them as either fraudulent or good.   Fraud identification improved considerably above chance.

It’s emerged over the years that a big drawback with using linear regression models to identify fraud is that, although there are many cases in which the underlying risk is truly linear, there are more where it’s non-linear; where both the target (fraud) and independent variables are non-continuous.  While there are many problems where a 90% solution is good enough, fraud is not one of them.  This is where such non-linear techniques, like the neural networks Bethmara Kessler will be discussing, come in.  Neural networks were originally developed to model the functioning of the brain; their statistical properties also make them an excellent fit for addressing many risk related problems.

As our April seminar will demonstrate, there are generally two lines of thought regarding the building of models to perform fraud analytics.  One is that techniques don’t matter that much; what matters is the data itself and how much of it and its variety the fraud analyst can get; the more data, the better the analysis.  The other line of thought holds that, whereas, more data is always good, techniques do matter.  There are many well documented fraud investigation situations in which improving the sophistication of the techniques has yielded truly amazing results.

All of these issues and more will be covered in our Chapter’s April seminar.  I hope all of you can join us!

Continuous Auditing versus Continuous Monitoring in Fraud Prevention Programs

wreath-4The efficacy of modern fraud prevention programs has been vastly improved by advances in data mining, analytics and the near ubiquitous cloud based storage and availability of client transactional data; the advances, however, have been accompanied by some confusion on the part of fraud prevention professionals in the incorporation of  these new tools into an effective, risk based, prevention program.  Three common sources of confusion usually arise during the implementation process of analytically supported fraud prevention schemes; first, is the confusion  between the continuous monitoring of transactions (made possible by data mining and analytics coupled with enterprise risk management approaches for the identification of high risk business processes) and continuous auditing for fraud.  Second is the need to understand the role of the continuous auditing for fraud in high risk business processes as a meta control (i.e., as a control of controls) and third is the concern of separation of duties (i.e., who will do what when actual instances of suspected fraud are identified by the process).

The continuous, analytically based,  monitoring of high risk business processes found to be especially vulnerable to pre-identified,  attempted fraud scenarios is a dynamic process (i.e., the fraud examiner/auditor can turn analytical procedures on and off by re-configuring tests based on what fraud scenarios and levels of accompanying risk s/he feels  are presently most active as threats.  By continuously monitoring particular, configurable high risk items, continuous testing for the presence of likely fraud scenarios constitutes a wholly new control level, acting as a meta control.  For example, a bank’s analytically based loan transaction system can issue an alarm regarding the presence of a suspected component of a fraud scenario and issue an alarm, under pre-specified  circumstances, to the bank manager’s supervisor as loans to a given customer exceed pre-authorized levels.  This fraud prevention program measure thus increases the number of configurable controls (e.g., choosing to issue an alarm and when) by going past simple continuous monitoring all way to the level of continuous auditing/testing and subsequent management alert.

Implementing this type of approach to fraud prevention generally means taking the following general types of steps:

—identifying the client’s high risk business processes for scenario testing.  The choice of high risk business processes should be integrated into the annual fraud prevention plan and the enterprise risk management (ERM) annual review.  This exercise should be integrated with other compliance plans (for example, with the internal audit annual plan, if there is one).

—identify rules that will guide the analytically based fraud scenario testing activity; these rules need to be programmed, repeated frequently and reconfigured when needed.  As an example, a financial institution might have defined a critical component of a given fraud scenario;  in response the bank monitors all checking accounts nightly by extracting files that meet the criteria of having a debt balance that is 20 percent larger than the loan threshold for a certain type of customer.

—determine the frequency of testing for the critical fraud scenarios and related business processes; this is important because the chosen frequency of testing has to depend on the natural rhythm of the subject business process including the timing of computer and business activities and the availability to the client of fraud examiners and auditors with experience of the underlying fraud scenario.

—cost benefit analysis needs to be performed; only the most high risk business processes vulnerable to a given frequently occurring  fraud scenario should be continuously tested; once the threat is determined to have subsided (perhaps by the application or tightening of  prevention controls) shut the continuous testing down as no longer cost effective.

—mechanisms must be in place to communicate positive testing results to business owners and the communication must be independent, objective and consistent; all the parties who will address elements of the suspected fraud and whose role requires taking some pre-defined action under the identified fraud scenario must be informed.

The evolution of fraud prevention programs to incorporate analytically based fraud evaluation and examination testing on a continuous and near continuous basis  is a giant step for the fraud examination and auditing professions. This evolution will take time, substantial attention from senior management and additional costs and resources as continuous fraud auditing activities are implemented and extended; these efforts will have a lasting effect on the future of both professions.