Tag Archives: fraud prevention

The Complex Non-Profit

Our Chapter was contacted several weeks ago by the management of a not-for-profit organization seeking a referral to a CFE for conduct of an examination of suspected fraud.  Following a lively discussion with the requester’s corporate counsel, we made the referral which, we’ve subsequently learned, is working out well.  Our discussion of the case with counsel brought the following thoughts to mind. When talking not-for-profits, we’re talking programs; projects that are not funded through the sale of a product or service, but projects that obtain outside funding via the government, charitable grants, or donations to achieve a specific outcome. These outcomes can be any of a variety of things, from a scientific research study to find a cure for a catastrophic illness or federally legislated programs to provide health care to the indigent and elderly, as with the Medicaid and Medicare programs, respectively; or a not-for-profit charity that provides several programs, each funded from different sources, but all providing services to the elderly such as delivered meals, community center operations, adult daycare, and wellness programs. Typically, these outcomes are a social benefit. Some of these programs are of a specific duration, while others are renewed on a periodic basis depending on continued funding and the successful management of the program to achieve the desired outcomes.

In an examination for fraud in such entities, it’s typically not the core projects or programs themselves that are the object of the review; it’s the management of the program. Managers are engaged to operate such programs consistent with the program’s scope and budget. The opportunity for fraud in these programs will vary in several specific aspects: by the independence provided to the program manager, by the organizational structure of the program, and by the level of oversight by the funding source. These three elements make the conduct of a fraud examination of program management different from that of investigations for fraud in the typical core business functions of enterprises like those involved in manufacturing or retail trade. The fraud schemes will be similar because of the ACFE defined primary fraud classifications that apply to almost all organizations, but the key is how they’ve been adapted by program management.

The three primary classifications of fraud that are most common in program management fraud are schemes related to asset misappropriation, corruption, and financial statement reporting.

With asset misappropriation, the fraudulent action most commonly involved is embezzlement, not just simple theft of funds.  While they are both criminal actions, embezzlement has a specific meaning. Black’s Law Dictionary states it best: “the fraudulent taking of private property with which one has been entrusted, especially as a fiduciary.” It really is a matter of intent.
Examples of some inherent fraud schemes and of how these schemes are carried out within a program are:

False expenditures:

— The program is not being conducted, but funds are being expended. This sounds like the classic shell company scam, except a program rather than a for profit business is being exploited. The program by itself is legitimate, but it’s the intent of management that makes it a fraud;

–The program is not performed to its completion; however, the funds are fully expended. The decision to be made is whether the intent was to embezzle funds throughout the program or if there are other underlying reasons as to why the program wasn’t completed that resulted in the embezzlement of the funds;

–The program budget does not allow for program completion. Is this a case of bad budgeting or the use of budgeting with the intent to embezzle;

–The work plan is partially or wholly fictitious. It’s important for the examiner to keep in mind that some programs involve work that is so technologically or scientifically complex that it can be difficult for the examiner to understand just what the objective is.


Unlike false expenditures, the use of overbilling within programs is more of a means to commit the fraudulent act of embezzlement within the program’s specific functions rather than within the overall program as with false expenditures. Specifically, overbilling schemes are found associated with misuse of time or assets by staff or with expenditures not used in an approved manner. For example:

–Staff members are performing non-program duties. Often, personnel are pulled from one program to work on another. There are many reasons for why this decision is made, but was the funding for that amount of personnel intentionally requested with the purpose of using personnel on another program that is not entitled to receive the funding for additional staff members?

–Staff members are misrepresenting the performance of the program. Often, staff will show the project to be operating on a level that seemingly should require more resources. The project is really operating on a lower level of resources, and whoever has the authority to bill uses that authority to overbill.

–Staff members are hired who are not qualified to perform program duties. Many times, often with large grant monies involved, the program manager hires friends or relatives, or perhaps there is such a strict time frame involved with the funding that management will hire a warm body just to fill the approved slot. In both cases, proper vetting procedures should be in place, even though the granting authority may not require them.

–As with staffing, funds are often redirected to other programs for similar reasons.

–Funds expended are not consistent with the proposed budget. The CFE should ask why the budget is out of line with expenditures? Is the approved budget in use, or was it just prepared as window-dressing for a grant proposal?

–Funds are expended that are not consistent with the governing cost principles. The classic example is the outrageous amounts the military spends on commonly used items, like the $5,000 toilet seat the ACFE originally told us about.

–The program is not completed, but the funding has been expended. Embezzlement can occur within the framework of asset misappropriation or overbilling, but because programs can differ in their objectives to a large degree, the vulnerability is greater to asset misappropriation schemes than to schemes involving overbilling.

Program Reporting:

Financial reporting and program reporting are two different things. Financial reporting can be a component of program reporting, but not the other way around. Many funded projects have strict guidelines on how to report project performance.  Like a disease that goes undetected because everything checked out in a physical exam, ethically challenged program managers find subtle ways to misrepresent performance, either to hide misuse of funds or just to indicate program success when there is none.
For example:

–The status of the project is falsely reported. This type of program reporting misstatement is typically done to give the illusion that the project’s objectives will be met to continue the objective of an uninterrupted steam of funding.

–The program results are falsely reported. The difference between project status and program results may not be apparent at first glance. The motivation is the same in that both are done to hide fraud. The false reporting of program status is typically done to keep funds ongoing throughout the project; the falsification of program results is typically done to ensure renewal of funding for another year or for a period of years. The project type will typically determine the likelihood of which type of false reporting is occurring.

–Improper criteria are used to measure performance. This concerns overall performance as opposed to financial performance. Given that funded projects can be difficult to understand considering the complexity of the activity being performed, performance measurement criteria can be manipulated because of the inherently complicated nature of the basic project. No one understands the project, so how can anyone know whether it’s succeeding? This phenomenon is commonly encountered if the project is divided into so many subparts that no one person, except the project manager, knows with certainty just how it’s proceeding.

–Program accomplishments are falsely reported. How many times have newspapers parroted the declaration from a non-profit that their program provided such and such a level of service to the indigent?  How do readers know if the program’s actual goal (and related funding) wasn’t to provide services to a level of recipients three times the amount reported?

–Operating statistics are manipulated to provide false results. Operating statistics are not financial statistics. An example would be a program that provides meals to the homebound elderly. An amount of payment by those receiving the meals is suggested. However, the government reimbursement for those meals deducts any amount contributed by the elderly being served. The project manager may manipulate the statistics to give more weight to the fixed-income, city-dwelling elderly it services, because such recipients are usually unable to pay anything for their delivered meals.

In summary, in approaching the fraud examination of non-profit entities, it’s not the overall programs themselves that are typically fraudulent, meaning that examinations don’t have to start with a determination of whether the entity is real or a shell. Fraud is committed by people, not programs or business systems; they are the tools of fraud. The ultimate funding source of programs are people as well, whether taxpayers (in the case of Federal or State governments) or private citizens (in the case of private charities).   It is not only the vast amount of funding that can flow to not-for-profit programs that constitutes the justification for combating fraud committed by the management of such programs. Programs that rely on funding as non-profits are typically entities that are established to provide a public benefit; to fill in the gaps for services and products not provided through any other means. So, the occurrence of fraud in these programs, no matter the size of the program or the fraud, is an especially heinous act given the loss of social benefit that results. For that reason alone, the examination of program management by CFEs is vital to the public interest.

Vendor Assessment – Backing Corporate Counsel

Pre-emptive fraud risk assessments targeting client vendor security are increasingly receiving CFE attention. This is because in the past several years, sophisticated cyber-adversaries have launched powerful attacks through vendor networks and connections and have siphoned off money, millions of credit card records and customers’ sensitive personal information.

There has, accordingly, been a noticeable jump in those CFE client organizations whose counsel attribute security incidents to current service providers, contractors and to former partners. The evolution of targets and threats outside the enterprise are powerfully influencing the current and near-future of the risk landscape. CFEs who regard these easily predicted changes in a strategic manner can proactively assist their client’s security and risk leadership to identify new fraud prevention opportunities while managing the emerging risk. To make this happen enterprises require adequate oversight insight into vendor involved fraud security risk as part of a comprehensive cyber-risk management policy.

Few managements anticipated only a few years ago that their connectivity with trusted vendors would ever result in massive on-line exploits on sister organizations like retailers and financial organizations, or, still less, that many such attacks would go undetected for months at a time. Few risk management programs of that time would have addressed such a risk, which represents not only a significant impact but whose occurrence is also difficult to predict. Such events were rare and typically beyond the realm of normal anticipation; Black Swan events, if you will. Then, attackers, organized cyber-criminals and some nation-states began capturing news headlines because of high-profile security breaches. The ACFE has long told us that one-third (32 percent) of fraud survey respondents report that insider crimes are costlier or more damaging than incidents perpetrated by outsiders and that employees are not the only source of insider threat; insider threat can also include former employees, service providers, consultants, contractors, suppliers and business partners.

Almost 500 such retailer breaches have been reported this year alone targeting credit card data, personal information, and sensitive financial information. There has, accordingly, been a massive regulatory response.  Regulators are revisiting their guidelines on vendor security and are directing regulated organizations to increase their focus on vendor risk as organizations continue to expand the number and complexities of their vendor relationships. For example, the US Office of the Comptroller of the Currency (0CC) and the Board of Governors of the US Federal Reserve System have released updated guidance on the risk management of third-party relationships. This guidance signals a fundamental shift in how retail financial institutions especially need to assess third-party relationships. In particular, the guidance calls for robust risk assessment and monitoring processes to be employed relative to third-party relationships and specifically those that involve critical activities with the potential to expose an institution to significant risk. CFEs and other assurance professionals can proactively assist the counsels of their client enterprises to elevate their vendor-related security practices to keep pace with ever-evolving fraud threats and security risk associated with their client’s third-party relationships.

Vendor risk oversight from a security point of view demands a program that covers the entire enterprise, outlining the policy and guidelines to manage and mitigate vendor security risk, combined with clearly articulated vendor contracts negotiated by the corporate counsel’s function. Such oversight will not only help organizations improve cybersecurity programs but also potentially advance their regulatory and legal standing in the future. What insights can CFEs, acting proactively, provide corporate counsel?

First, the need for executive oversight. Executive alignment and business context is critical for appropriate implementation throughout the organization. Proper alignment is like a command center, providing the required policies, processes and guidelines for the program. The decision to outsource is a strategic one and not merely a procurement decision. It is, therefore, of the utmost importance that executive committees provide direction for the vendor risk management program. The program can obtain executive guidance from:

–The compliance function to provide regulatory and other compliance requirements that have specific rules regarding vendor risk management to which the vendor organizations must adhere;

–The IT risk and control function to determine the risk and the risk level, depending on the nature of access/data sensitivity shared with the vendor(s). The vendor risk management program should utilize the key risk indicators provided by this function to address risk during vendor assessments;

–The contract governance function and corporate counsel to ensure that vendor contracts adequately address the need for security assessments and define vendors’ obligations to complete these assessments.

Most larger organizations today deal with a considerable amount of third parties and service providers. Missing contact information, responsibility matrices or updated contracts are typical areas of concern about which risk managers might have engaged CFEs initiate fraud risk assessments. This can pose a significant challenge, especially, when there are multiple teams involved to carry out the procurement business process. A vendor and contract database (VCD) ensures that an accurate and complete inventory of vendors is maintained, including other third-party relationships (e.g., joint ventures, utilities, business partners, fourth parties, etc.).

In effectively assessing a vendor risk management program, the CFE can’t conduct the same type of fraud risk assessment for all vendors. Rather, it’s necessary to identify those vendor services deemed to carry the greatest risk and to prioritize them accordingly. The first step is to understand which vendors and services are in the scope from an active fraud risk management perspective. Once this subset of vendors has been identified and prioritized, due diligence assessments are performed for the vendors, depending on the level of client internal versus vendor-owned fraud prevention and detection controls. The results of these assessments help establish the appropriate trust-level rating (TLR) and the future requirements in terms of CFE assisted reassessments and monitoring. This approach focuses resources on the vendor relationships that matter most, limiting unnecessary work for lower-risk relationships. For example, a vendor with a high TLR should be prioritized over a vendor with a low TLR.

Proper control and management of vendor risk requires continuous re-assessment. It’s important to decide the types of on-going assessments to be performed on vendors depending on the level of their TLR and the risk they represent.

Outsourced relationships usually go through iterations and evolve as they mature. As your client organizations strategize to outsource more, they should also validate trust level(s) in anticipation of more information and resources being shared. With technological advancements, a continuously changing business environment and increased regulatory demands, validating the trust level is a continuous exercise. To get the most rational and effective findings, it’s best to use the results of ongoing assessments. In such a reiterative process, it is necessary to continuously monitor and routinely assess vendors based on the trust level they carry. The program should share information about the vendor security posture and risk levels with corporate counsel or other executive sponsor, who can help the organization progress toward the target profile. Clearly communicating the fraud risk from a business perspective can be an additional feature, especially when reports are furnished to inform internal stakeholders, internal audit functions, lines of business and the board of directors, if necessary.

Vendor fraud risk management elevates information security from a technical control business process to an effective management business process. Regular fraud risk security assessments of vendors give organizations the confidence that their business is aware of the security risk involved and is effectively managing it by transferring, mitigating or accepting it. Comprehensive vendor security assessments provide enterprises with insight on whether their systems and data are being deployed consistently with their security policies. Vendor fraud risk management is not a mere project; it is an ongoing program and requires continuous trust to keep the momentum going. Once the foundational framework has been established, our client organizations can look at enhancing maturity through initiatives such as improving guidelines and procedures, rationalizing assessment questionnaires, and more automation. Awareness and communication are key to ensuring that the program is effective and achieves its intended outcome, securing enterprises together with all their business partners and vendors.

Internal Auditors as Fraud Auditors

Although fraud prevention is always more effective and less costly than fraud detection (and subsequent investigation), unfortunately prevention is not always possible. That’s why, as CFE’s and forensic accountants we should all be heavy promoters (and supporters) of client internal audit functions.  That is also why we should make it a goal that all employees of our client companies be trained in how to identify the major red flags of fraud they may encounter in their daily activities. Mastering key detection techniques is doubly essential for the internal audit and financial professionals employed by those same enterprises. Our Chapter has long preached that once internal auditors and financial managers know what to look for, there is an enhanced chance that fraud or suspicious activity will be detected one way or another, but only if the organization has the proper monitoring, reporting, and auditing procedures in place.

With that said, many organizations require internal audits of specific business processes and units only once every two or three years. In an age when so much can change so quickly in an internet dominated world, this approach is not the most effective insofar as fraud detection and prevention are concerned. This is especially so because conventional audits were most often not designed to detect fraud in the first place, usually focusing on specified groups of internal controls or compliance with existing policies, laws and regulations. That’s why the ACFE and Institute of Internal Auditors (IIA) now recommend that a fraud risk assessment (FRA) be conducted annually and that the fraud-auditing procedures designed to detect red flags in the high-risk areas identified by the FRA be incorporated into internal audit plans immediately.

There is often a fine line between detection and prevention. In fact, some detection steps overlap with prevention methods, as in the case of conflict of interest, where enforcing a management financial disclosure policy may both detect conflicting financial interests and prevent frauds resulting from them by virtue of the actual detection of the relationships. In most organizations, however, carefully assessing the description of prevention and detection controls demonstrates that there is usually a clear distinction between the two.

The IIA tell us that the internal audit function is a critical element in assessing the effectiveness of an institution’s internal control system. The internal audit consists of procedures to prevent or identify significant inaccurate, incomplete, or unauthorized transactions; deficiencies in safeguarding assets; unreliable financial reporting; and deviations from laws, regulations, and institutional policies. When properly designed and implemented, internal audits provide directors and senior management with timely information about weaknesses in the internal control system, facilitating prompt remedial action. Each institution should have an internal audit function appropriate to its size and the nature and scope of its activities.

This is a complex way of saying that our client’s internal audit function should focus on monitoring the institution’s internal controls, which, although not mentioned explicitly, include controls specifically designed to prevent fraud.  To effectively assess anti-fraud controls, auditors first must exercise detection techniques and procedures that confirm the existence of red flags or actual evidence of potential fraud in the risk areas identified by the FRA.

The Chief Internal Auditor is typically responsible for the following:

–Performing, or contracting for, a control risk assessment documenting the internal auditor’s understanding of significant business activities and associated risks. These assessments typically analyze the risks inherent in each business line, the mitigating control processes, and the resulting residual risk exposure;

–An internal audit plan responsive to results of the control risk assessment. This plan typically specifies key internal control summaries within each business activity, the timing and frequency of internal audit work, and the resource budget;

–An internal audit program that describes audit objectives and specifies procedures performed during each internal audit review;

–An audit report presenting the purpose, scope, and results of each audit. Work papers should be maintained to document the work performed and support audit findings.

There is a joint ACFE-IIA-AICPA document with which every CFE should be familiar.  ‘The Business Risk of Fraud’ provides clarity about the internal auditor’s role in detecting fraud in our client organization’s operations and financial statements. Specifically, the document states that internal auditors should consider the organization’s assessment of fraud risk when developing their annual audit plan and periodically assess management’s fraud detection capabilities. They should also interview and regularly communicate with those conducting the assessments, as well as with others in key positions throughout the company, to help them assess whether all fraud risks have been considered. Moreover, according to the document, when performing audits, internal auditors should devote sufficient time and attention to evaluating the “design and operation” of internal controls related to preventing and detecting significant fraud risks. They should exercise professional skepticism when reviewing activities to be on guard for the signs of potential fraud. Potential frauds uncovered during an engagement should be treated in accordance with a well-defined response plan consistent with professional and legal standards.

Among the most helpful guides for CFEs to recommend to clients for their internal auditors use in planning a detailed audit to detect fraud is the all-important SAS 99 which contains key fraud detection techniques including guidance on the performance of certain financial ratio analysis. Analytical procedures performed during planning may be helpful in identifying the risks of material misstatement due to fraud. However, because such analytical procedures generally use data aggregated at a high level, the results of those analytical procedures provide only a broad initial indication about whether a material misstatement of the financial statements may exist. Accordingly, the results of analytical procedures performed during planning should be considered along with other information gathered by the auditor in identifying the risks of material misstatement due to fraud.

SAS 99 was formulated with the aim of detecting fraud that has a direct impact on “material misstatement.” Essentially this means that anything in the organization’s financial activities that could result in fraud-related misstatements in its financial records should be audited for by using SAS 99 as a guide. SAS 99 breaks down the potential fraudulent causes of material misstatement into two categories:

1. Misstatement due to fraudulent financial reporting (i.e., “book cooking”);

2. Misstatement due to misappropriation of assets (i.e., theft).

The fraud auditing procedures of SAS 99, or of any other reputable audit guidance, can greatly assist internal auditors in distinguishing between actual fraud and error. Often the two have similar characteristics, with the key difference being that of the existence or absence of intent. Toward this end, SAS 99 and other key fraud auditing guidelines provide detailed procedures for gathering evidence of potential fraud based on the lists of fraud risks resulting from the client’s FRA. As SAS 99 states:

‘SAS 99. . . strongly recommend[s] direct involvement by internal auditors in the organization’s fraud-auditing efforts: Internal auditors may conduct proactive auditing to search for corruption, misappropriation of assets, and financial statement fraud. This may include the use of computer-assisted audit techniques to detect types of fraud. Internal auditors also can employ analytical and other procedures to isolate anomalies and perform detailed reviews of high-risk accounts and transactions to identify potential financial statement fraud. The internal auditors should have an independent reporting line directly to the audit committee, enabling them to express any concerns about management’s commitment to appropriate internal controls or to report suspicions or allegations of fraud involving senior management.

Specifically, SAS 99 provides a set of audit responses designed to gather hard evidence of potential fraud that could exist based on what the client organization learned from its FRA. These responses are critical to the auditor’s success in identifying clear red flags of potential fraud in our client’s operations. The responses are wide ranging and include anything from the application of appropriate ratio analytics, to thorough and detailed testing of controls governing specific business process procedures, to the analysis of anomalies in vendor or customer account activity. There are three broad categories into which such detailed internal audit fraud auditing responses fall:

1. The nature of auditing procedures performed may need to be changed to obtain evidence that is more reliable or to obtain additional corroborative information;
2. The timing of substantive tests may need to be modified. The auditor might conclude that substantive testing should be performed at or near the end of the reporting period to best address an identified risk of material misstatement due to fraud;
3. The extent of the procedures applied should reflect the assessment of the risks of material misstatement due to fraud. For example, increasing sample sizes or performing analytical procedures at a more detailed level may be appropriate.

The contribution of a fully staffed and management-supported internal audit function to a subsequent CFE conducted fraud examination can be extraordinary and its value never overstated; no client fraud prevention and detection program should ever be considered complete without one.

Navigating the Cloud

I’ve read several articles in the trade press recently that indicate CFEs are finding some aspects of fraud investigations involving cloud based data to be especially challenging. This is a consequent follow-on of the uncontested fact that, for many organizations, cloud based computing does improve performance and dramatically reduces a wide range of IT and administrative costs.

Commissioning a cloud service provider can enable an organization to off-load much of the difficulty that comes with implementing, maintaining, and physically protecting the systems required for company operations. The organization no longer needs to employ such a large team of network engineers, database administrators, developers, and other technical staff. Instead, it can use smaller, in-house teams to maintain the cloud solution and keep everything running as anticipated. Moving to the cloud also can introduce new capabilities, such as the ability to add and remove servers based on seasonal demand, an option that would be impractical for a traditional data center.

Now that cloud computing has become a mainstream service, CFEs and forensic accountants are increasingly called upon to assess the cloud environment with an eye to devising innovative approaches to cope with the unique investigative features and risks these services pose while at the same time grappling with the effects on their examinations of the security, reliability and availability of critical data housed by their client’s outside IT provider. Based on this assessment, CFEs can advise their client organizations in how best to meet the new investigative challenges when the inevitable cloud involved fraud strikes.

The cloud encompasses application service providers, cloud infrastructure, and the virtual placement of a server, set of servers, or other set of computing power in an environment that is shared among many entities and organizations. Cloud platforms and servers extend and supplement an organization’s own servers, resulting in multiple options for computing and application hosting. It is not sufficient to think of cloud platform and infrastructure oversight as mere vendor management.  Fraud examinations involving these environments are more complex, because of several factors about which the investigative team needs to make decisions  when determining the structure of the examination.

The ACFE tells us that a cloud deployment can be just as variable in structure and architecture as a traditional IT implementation. Among the numerous cloud platforms confronting the CFE, the most common are infrastructure as a service, software as a service, and platform as a service. The employment of these three options alone makes a wide variety of models and other options available. Each of these options additionally poses a distinct set of fraud risks and preventative controls, depending on a client organization’s specific deployment of a particular cloud platform and infrastructure.

Many challenges and barriers to an unfettered examination can appear when the CFEs client organization has contracted with a cloud provider who is, in actual form, a third-party vendor. In some cases, reviewing the cloud service provider’s processes and infrastructure might not be allowed by contract. In its place, the vendor may offer attestation reports such as the American Institute of Certified Public Accountants’ (AICPA’s) Statement on Standards for Attestation Engagements No. 16 (SSAE 16) as evidence of organizational controls. In other cases, the provider might restrict the examination to a select portion of the service which can be problematic when the CFE is working to obtain an overview of a complex fraud. Further, providers often require the client to obtain specific approvals before any fraud examination activities can even begin. Ideally, client organizations should take these types of consideration into account before contracting with a cloud vendor, but such consideration is, for the most part, not realistic unless a client organization has historically experienced a large number of frauds.  Fraud is, most often, not usually the first thing on many client’s minds when initially contracting with a cloud service provider.

One of the most difficult aspects of the fraud examination of a cloud infrastructure deployment is determining which fraud prevention controls are currently managed by the client organization and which by the cloud provider. With many cloud deployments, few controls are the actual responsibility of the provider. For example, the CFEs client may be responsible for configuration management, patch management, and access management, while the provider is only responsible for physical and environmental security.

A client organization’s physical assets are tangible. The organization buys a physical piece of equipment and keeps a record of this asset; a CFE can see all the organization’s technology assets just by walking through the data center. Cloud infrastructure deployments, however, are virtual, and it’s easy to add and remove these systems. Many organizations base their models on servers and systems that are there one day and gone the next. IT departments themselves also struggle with managing cloud assets, and tools to help cloud providers and clients are continually evolving. As a result, from the CFEs perspective, the examination scope can be hard to manage and execute.  The CFE is also confronted with the fact that, because cloud computing is a relatively recent and fast-growing technology service, a client organization’s employees themselves may not possess much cloud expertise. This scarcity creates risks to the CFEs examination because IT administrators often aren’t positioned to fully explain the details of the cloud deployment and structure so critical details bearing on the fraud under investigation may not be adequately documented. Also, migrating from facilities that are operating internally to cloud-based services can dramatically alter the fraud risk profile of any organization. For example, when an organization moves to a cloud based service, in most cases, all its data is stored on the same physical equipment where other organizations’ data is housed. If configured inappropriately, data leaks can result.

Interacting with the client organization’s IT and management is the CFEs first step toward understanding how the organization’s cloud strategy is or is not related to the circumstances of the fraud under investigation. How did the organization originally expect to use the cloud and how is it using it in actual practice? What are the benefits and drawbacks of using it the way it uses it? What is the scope, from a fraud prevention and security perspective, of the organization’s cloud deployment? The lack of a cohesive, formal, and well-aligned cloud infrastructure strategy should be a red flag for the CFE as a possible contributing factor in any fraud involving cloud computing services.

The second step is CFE review of the client’s security program (or lack thereof) itself.  IT departments and business units should ideally have a cloud security strategy available for CFE review. Such a strategy includes determining the type of data permissible to store in the cloud and how its security will be enforced. It also includes the integration of the information security program into the cloud. All the usual IT risks of traditional data centers apply to cloud deployment as well, among them, malware propagation, denial of service attacks, data breaches, and identity theft, all of which, depending on the implementation, can fall on either party to the contract.  Professionals who have received training in cloud computing may or may not be able to adapt traditional IT programs for fraud examination of servers in physical form to a cloud environment.

There is good news for the examining CFE, however. Cloud infrastructure brings with it myriad security technologies useful to the CFE in conducting his or her examination that are not affordable in most traditional deployments from real-time chronological reports on suspect activities related to identity and access management systems, to network segmentation, and multifactor authentication.

In summary, CFEs and forensic accountants should not approach a cloud involved engagement in the same way they approach other fraud examinations involving third-party vendors. Cloud engagements present their own complexities, which CFEs should attempt to understand and assess adequately. SSAE 16 and other attestation reports based on audit and attestation standards can be valuable as informational background to examination of a fraud involving cloud services.  CFEs can help as a profession by reinforcing client community understanding that a correctly implemented cloud infrastructure can reduce a client organization’s residual risk of fraud by offloading a portion of the responsibility for managing IT risks to a cloud service provider. CFEs have a valuable opportunity to see that their client organizations benefit from the cloud while adequately addressing the new fraud risks that are introduced when their clients contract with a service provider and move IT operations to the cloud. Applying the same level of rigor to examinations involving cloud technology that they apply to technology managed in-house creates an environment in which the CFE and forensic accounting professions can be primary advocates for strong cloud strategy implemented within the structure of the client organization’s fraud prevention program.

A Blueprint for Fraud Risk Assessment

It appears that several of our Chapter members have been requested these last few months to assist their employers in conducting several types of fraud risk assessments. They usually do so as the Certified Fraud Examiner (CFE) member of their employing company’s internal audit-lead assessment team.   There is a consensus emerging among anti-fraud experts that conducting a fraud risk assessment (FRA) is critical to the process of detecting, and ultimately designing controls to prevent the ever-evolving types of fraud threatening organizations.

The ACFE tells us that FRAs do not necessarily specify what types of fraud are occurring in an organization. Instead, they are designed to focus detection efforts on specific fraud schemes and scenarios that could occur as well as on incidents that are known to have occurred in the past. Once these are identified, the audit team can proceed with the series of basic and specific fraud detection exercises that broad experience has shown to be effective. The objective of these exercises is to hopefully reveal the specific fraud schemes to which the organization is most exposed. This information will enable the organization’s audit team to recommend to management and to support the implementation of antifraud controls designed to address exactly those risks that have been identified.  It’s important to emphasize that fraud risk assessments are not meant to prevent fraud directly in and of themselves. They are exercises for identifying those specific fraud schemes and scenarios to which an organization is most vulnerable. That information is in turn used to conduct fraud audit exercises to highlight the circumstances that have allowed actual, known past frauds to occur or to blueprint future frauds that could occur so that the necessary controls can be put in place to prevent similar future illegal activity.

In the past, those FRAs that were conducted were usually performed by the firm’s external auditors. Increasingly, however, internal audit departments are being pressured by senior management to conduct FRAs of their own. Since internal audit departments are increasingly employing CFEs or have their expertise available to them through other company departments (like loss prevention or security), this effort can be effective since internal auditors have the tenure and experience with their organizations to know better than anyone how its financial and business operations function and can understand more readily how fraud could occur in particular processes, transactions, and business cycles.

Internal audit employed CFE’s and CIA’s aren’t involved by requirement of their professional standards in daily operations and can, therefore, provide an independent check on their organization’s overall risk management process. Audits can be considered a second channel of information on how well the enterprise’s anti-fraud controls are functioning and whether there are any deficiencies that need to be corrected.  To ensure this channel remains independent, it is important that the audit function report directly to the Audit Committee or to the board of directors and not to the chief executive officer or company president who may have responsibility for her company’s internal controls.

The Institute of Internal Auditors has endorsed audit standards that outline the techniques and procedures for conducting an FRA, specifically those contained in Statement of Auditing Standards 99 (SAS 99). By this (and other) key guidelines, an FRA is meant to assist auditors and/or fraud examiners in adjusting their audit and investigation plans to focus on gathering evidence of potential fraud schemes and scenarios identified by the FRA.

Responding to FRA findings requires the auditor to adjust the timing, nature, and extent of testing in such ways as:

• Performing procedures at physical locations on a surprise or unannounced basis by, for example, counting cash at different subsidiary locations on a surprise basis or reviewing loan portfolios of random loan officers or divisions of a savings and loan on a surprise basis;
• Requesting that financial performance data be evaluated at the end of the reporting period or on a date closer to period-end, in order, for example, to minimize the risk of manipulation of records in the period between the dates of account closings and the end of the reporting period;
• Making oral inquiries of major customers and vendors in addition to sending written confirmations, or sending confirmation requests to a specific party within vendor or customer organization;
• Performing substantive analytical procedures using disaggregated data by, for example, comparing gross profit or operating margins by branch office, type of service, line of business, or month to auditor-developed expectations;
• Interviewing personnel involved in activities in areas where a risk of material misstatement due to fraud has been identified in the past (such as at the country or regional level) to obtain their insights about the risk and how controls could address the risk.

CFE team members can make a substantial contribution to the internal audit lead team effort since it’s essential that financial operations managers and internal audit professionals understand how to conduct an FRA and to thoroughly assess the organization’s exposure to specific frauds. That contribution can add value to management’s eventual formulation and implementation of specific, customized controls designed to mitigate each type of fraud risk identified in the FRA. These are the measures that go beyond the basic, essential control checklists followed by many external auditors; they optimize the organization’s defenses against these risks. As such, they must vary from organization to organization, in accordance with the particular processes and procedures that are identified as vulnerable to fraud.

As an example, company A may process invoices in such a tightly controlled way, with double or triple approvals of new vendors, manual review of all invoices, and so on, that an FRA reveals few if any areas where red flags of vendor fraud can be identified. Company B, on the other hand, may process invoices simply by having the appropriate department head review and approve them. In the latter case, an FRA would raise red flags of potential fraud that could occur through double billing, sham company schemes, or collusion between a dishonest vendor and a company insider. For that reason, SAS 99 indicates that some risks are inherent in the environment of the entity, but most can be addressed with an appropriate system of internal control. Once fraud risk assessment has taken place, the entity can identify the processes, controls, and other procedures that are needed to mitigate the identified risks. Effective internal controls will include a well-developed control environment, an effective and secure information system, and appropriate control and monitoring activities. Because of the importance of information technology in supporting operations and the processing of transactions, management also needs to implement and maintain appropriate controls, whether automated or manual, over computer generated information.

The ACFE tells us that the heart of an effective internal controls system and the effectiveness of an anti-fraud program are contingent on an effective risk management assessment.  Although conducting an FRA is not terribly difficult, it does require careful planning and methodical execution. The structure and culture of the organization dictate how the FRA is formulated. In general, however, there is a basic, generally accepted form of the FRA that the audit and fraud prevention communities have agreed on and about which every experienced CFE is expected to be knowledgeable. Assessing the likelihood and significance of each potential fraud risk is a subjective process that should consider not only monetary significance, but also significance to an organization’s reputation and its legal and regulatory compliance requirements. An initial assessment of fraud risk should consider the inherent risk of a particular fraud in the absence of any known controls that may address the risk. An organization can cost-effectively manage its fraud risks by assessing the likelihood and significance of fraudulent behavior.

The FRA team should include a senior internal auditor (or the chief internal auditor, if feasible) and/or an experienced inside or outside certified fraud examiner with substantial experience in conducting FRAs for organizations in the company’s industry.  The management of the internal audit department should prepare a plan for all the assignments to be performed. The audit plan includes the timing and frequency of planned internal audit work. This audit plan is based on a methodical control risk assessment A control risk assessment documents the internal auditor’s understanding of the institution’s significant activities and their associated risks. The management of the internal audit department should establish the principles of the risk assessment methodology in writing and regularly update them to reflect changes to the system of internal control or work process, and to incorporate new lines of business. The risk analysis examines all the entity’s activities, and the complete internal control system. Based on the results of the risk analysis, an audit plan for several years is established, considering the degree of risk inherent in the activities. The plan also considers expected developments and innovations, the generally higher degree of risk of new activities, and the intention to audit all significant activities and entities within a reasonable time period (audit cycle principle for example, three
years). All those concerns will determine the extent, nature and frequency of the assignments to be performed.

In summary…

• A fraud risk assessment is an analysis of an organization’s risks of being victimized by specific types of fraud;
• Approaches to FRAs will differ from organization to organization, but most FRAs focus on identifying fraud risks in six key categories:
— Fraudulent financial reporting;
— Misappropriation of assets;
— Expenditures and liabilities for an improper purpose;
— Revenue and assets obtained by fraud;
— Costs and expenses avoided by fraud;
— Financial misconduct by senior management.
• A properly conducted FRA guides auditors in adjusting their audit plans and testing to focus specifically on gathering evidence of possible fraud;
• The capability to conduct an FRA is essential to effective assessment of the viability of existing anti-fraud controls and to strengthen the organization’s inadequate controls, as identified by the results of the FRA;
• In addition to assessing the types of fraud for which the organization is at risk, the FRA assesses the likelihood that each of those frauds might occur;
• After the FRA and subsequent fraud auditing work is completed, the FRA team should have a good idea of the specific controls needed to minimize the organization’s vulnerability to fraud;
• Auditing for fraud is a critical next step after assessing fraud risks, and this requires auditing for evidence of frauds that may exist according to the red flags identified by the FRA.

Write & Wrong

It’s an adage in the auditing world that examination results that can’t be effectively communicated might as well not exist.  Unlike a financial statement audit report, the CFE’s final report presents a unique challenge because there is no standardized format. Our Chapter receives more general inquiries from new practitioners about the form and content of final examination reports than about almost any other topic.

Each fraud investigation report is different in structure and content, depending on the nature and results of the assignment and the information that needs to be communicated, as well as to whom the results are being directed. To be effective, therefore, the report must communicate the findings in an accurate and concise form. Corporate counsel, law enforcement, juries, an employing attorney and/or the audit committee and management of the victimized organization must all be able to delineate and understand the factual aspects of the fraud as well as the related risks and control deficiencies discovered so that appropriate actions can be taken timely. Thus, the choice of words used and the tone of the CFE’s final report are as important as the information presented within it. To help ensure their reports are persuasive and bring positive results, CFEs should strive to keep them specific, meaningful, actionable, results oriented, and timely.

Because the goal of the final report is to ensure that the user can interpret the results of the investigation or analysis with accuracy and according to the intentions of the fraud examiner or forensic accountant, the report’s tone and structure are paramount. The report should begin by aligning issues and recommendations with applicable ACFE and with any other applicable professional standards and end with results that are clearly written and timely presented. To ensure quality and accuracy, there are some basic guidelines or ground rules that authorities recommend should be considered when putting together a final report that adds value.

The CFE should consider carefully what specifically to communicate in the report, including the conditions, cause, effect, and “why” of each of the significant fraud related facts uncovered.  Fraud investigators should always identify and address issues in a specific context rather than in broad or general terms. For example, stating that the fraud resulted from weaknesses in the collection and processing of vendor payment receipts is too broad. The report should identify the exact circumstances and the related control issues and risk factors identified, the nature of the findings, an analysis of the specific actions constituting the fraud and some discussion (if the CFE has been requested to do so) of possible corrective actions that might be taken.

To force the writing toward more specificity, each paragraph of the report should express only one finding, with major points enumerated, or bulleted, and parallel structure should be used for each itemized statement of a listing of items. Further, the most important findings should be listed in the first sentence of a paragraph. Once findings are delineated, the explanatory narration of facts aligned to each finding should be presented. Being specific means leaving nothing to the
user’s interpretation beyond that which is intended by the writer.  Another way to achieve specificity is to align the writing of the report to an existing control framework like the Committee of Sponsoring Organizations of the Treadway Commission’s (COSO’s) internal control or risk management frameworks. When issues are aligned with existing standards or to a framework, it can be easier for the CFE to explain the weaknesses in the client’s control environment that made the fraud possible.

The question to be answered is: Can the client(s) readily tell what the issues are by reading the investigative report alone? If the answer is “no,” how will they satisfactorily address areas the client will eventually deem important in moving forward toward either remediation or possible prosecution? This aspect of the writing process requires the practitioner to, first, identify to whom the final report is specifically directed and, second, determine what is to be communicated that will add value for the client. For example, the report may a communication to an employing attorney, to corporate counsel, to the client’s management or audit committee or to all three. What are their expectations? Is the report the result of a routine investigation requested by client management of possible accounts payable fraud or a special investigation to address a suspected, specifically identified fraud? The answer to these and related questions will help determine the appropriate technical level and tone for the report.

When there are different readers of the report, the process necessarily becomes more complex under the necessity to meet the expectations, understandings and eventual usages of all the parties. Finding the right words to address the identified fraud related facts in a positive tone, especially when client conditions surrounding the fraud are sometimes sensitive or at least not favorable, is crucial to making the report meaningful as well as persuasive. The investigative findings must be clear and logical. If the reported results are understood and meaningful actions that add value to the position of the various users are taken because of the findings, then the purpose and meaning of the CFE’s report (and work) will be realized.

What about investigative situations in which the CFE or forensic accountant is asked to move beyond a straight-forward presentation of the facts and, as an expert on fraud and on fraud prevention, make recommendations as to corrective actions that the client might take to forestall the future commission of frauds similar to those dealt with in the final report? In such cases (which are quite common, especially with larger clients), the final report should strive to demonstrate to the extent possible the capacity of the entity to implement the recommendations the CFE has included in the report and still maintain an acceptable level of operation.  To this end, the requested recommended actions should be written in a way that conveys to management that implementing the recommendations will strengthen the organization’s overall fraud prevention capability. The writing, as well as the complexity of the corrective action, should position the client organization to implement recommendations to strengthen fraud prevention. The report should begin with the most critical issue and progress to the least important and move from the easiest recommended corrective steps to the most difficult, or to the sequence of steps to implement a recommendation. The cost to correct the fraud vulnerability should be
apparent and easily determined in the written report. Additionally, the report should provide management with a rubric to evaluate the extent to which a deficiency is corrected (e.g., minimally corrected, fully corrected). Such a guide can be used to gauge the fraud prevention related decisions of management and serve as a basis for future fraud risk assessments.

Developing the CFE’s final report is a process that involves four stages: outlining, drafting, revising, and editing. In the outlining stage, the practitioner should gather and organize the information so that, when converted to a report, it is easy for the reader to follow. This entails reviewing the working papers and making a list of the fraud related facts to be addressed and of their related chronologies. These should be discussed with the investigative team (if any) and the
client attorney, if necessary, to ensure that there is a clear understanding of the underlying facts of the case. Any further work or research should be completed at this stage. This process may be simple or complicated, depending on the extent of the investigation, the unit or operation that is under examination, and the number of fraud related facts that must be addressed.

Once all information has been gathered, the next stage is writing the draft of the report. In completing the draft, concise and coherent statements with sufficient detail should enable the reader to understand the chronology and related facts of the fraud, the fraud’s impact on operations, and the proposed corrective actions (if requested by the client). After completing the draft, revisions may be necessary to make sure that the evidence supports the results and is written in a specific context.

The final stage involves proofreading and editing for correct grammar, sentence structure, and word usage to ensure that the facts and issues related to the fraud are effectively and completely presented and that the report is coherent. Reviewers should be used at this stage to give constructive feedback. Several iterations may be necessary before a final report is completed.

In summary, the CFE’s final report should be designed to add value and to guide the client organization’s subsequent steps to a satisfactory overall fraud response and conclusion. If the CFE’s report is deficient in communicating results, critical follow-on steps requiring immediate action may be skipped or ignored. This can be costly for any company in lost opportunities for loss recoveries, botched prosecutions and damaged reputation.

The Other Assets Dance

Studies by the ACFE and various academics have revealed over the years that, while not as common as cash schemes, employee misappropriations of other types of corporate assets than cash can sometimes prove even more disastrous than cash theft for any organization that suffers them.  The median losses associated with noncash schemes is generally higher than cash schemes, being $100,000 as opposed to $60,000.

The other asset category includes such assets as inventories of all kinds, i.e., inventory for sale, supplies and equipment and some categories of fixed assets; in short, the term inventory and other assets is generally meant to encompass misapplication schemes involving any assets held by an enterprise other than cash.  The theft of non-cash assets is generally classified by the ACFE into three groups: inventory schemes, supplies schemes and other asset schemes; of these schemes inventory related schemes account for approximately 70% of the losses while misappropriation of company supplies accounts for another 20%…the remaining losses are associated with several types of fixed assets, equipment, and corporate related information.

Those who study these types of fraud generally lump non-cash assets together for describing how these types of assets are misappropriated since the methods for misappropriation don’t vary much among the various asset types.  The asset, no matter what it is, can be misused (or “borrowed”) or it can be stolen.  Assets that are misused rather than stolen outright include company assigned vehicles, company supplies of all kinds, computers, and other office equipment.  As a very frequently occurring example, a company executive might make use of a company car when on an out of the home office assignment; false documentation (both in writing and verbally) is provided to the company by the employee regarding the nature of her use of the vehicle.  At the end of the trip, the car is returned intact and the cost to the fraudster’s company is only a few hundred dollars at most; but what we have here is, nonetheless, an instance of fraud when a false statement or declaration accompanies the use.

In contrast, the costs of inventory misuse schemes can be very costly.  To many employees, inventory fraud of some kinds is not perceived as a crime, but rather as “borrowing” and, in truth, the actual cost of borrowing a laptop to do personal computing at home may often be immaterial if the asset is returned undamaged.  On the other hand, if the employee uses the laptop to operate a side business during and after normal work hours, the consequences can be more serious for the company, especially if the employee’s business is in competition with that of the employer.  Since the employee is not performing his or her assigned work duties, the employer suffers a loss of productivity and is defrauded of that portion of the employee’s wages related to the fraud.  If the employee’s low productivity continues for any length of time, the employer might have to engage additional employees to compensate which means more capital diverted to wages.  As noted above, if the employee’s business is like that of the employer’s, lost business for the employer would be an additional cost of the scheme.  If the employee had not contracted work for his own company, the business would presumably have gone to her employer. Unauthorized use of company equipment can also mean additional wear and tear, causing company owned equipment to break down sooner than it would have under normal operating conditions.

So, what about prevention?  There are preventative measures for control of other asset related frauds which, if properly installed and operating, may help prevent employee exploits directed against all the many types of inventories maintained by a typical business:
For each type of asset inventory (for sale, supplies, equipment, etc.), the following items (as appropriate) should be pre-numbered and controlled:

–receiving reports
–perpetual records
–raw materials requisitions
–shipping documents
–job cost sheets

The following duties related to the distinct types of asset inventories should be handled by different employees:

–requisition of inventory
–receipt of inventory
–disbursement of inventory
–conversion of inventory to scrap
–receipt of proceeds from disposal of scrape.

Someone independent of the purchasing or warehousing function should conduct physical observation of all asset inventories according to defined schedules.  Personnel conducting physical observations of these types of assets should be knowledgeable about the inventory, i.e., what types of material it should contain, where the material should physically be, etc.  All company owned merchandise should be physically guarded and locked; and access should be limited to authorized personnel only.

Threat Assessment & Cyber Security

One rainy Richmond evening last week I attended the monthly dinner meeting of one of the professional organizations of which I’m a member.  Our guest speaker’s presentation was outstanding and, in my opinion, well worth sharing with fellow CFE’s especially as we find more and more of our client’s grappling with the reality of  ever-evolving cyber threats.

Our speaker started by indicating that, according to a wide spectrum of current thinking, technology issues in isolation should be but one facet of the overall cyber defense strategy of any enterprise. A holistic view on people, process and technology is required in any organization that wants to make its chosen defense strategy successful and, to be most successful, that strategy needs to be supplemented with a good dose of common sense creative thinking. That creative thinking proved to be the main subject of her talk.

Ironically, the sheer size, complexity and geopolitical diversity of the modern-day enterprise can constitute an inherent obstacle for its goal of achieving business objectives in a secured environment.  The source of the problem is not simply the cyber threats themselves, but threat agents. The term “threat agent,” from the Open Web Application Security Project (OWASP), is used to indicate an individual or group that can manifest a threat. Threat agents are represented by the phenomena of:

–Corporate Espionage;
–Government Actors;
–Common Criminals (individual and organized).

Irrespective of the type of threat, the threat agent takes advantage of an identified vulnerability and exploits it in the attempt to negatively impact the value the individual business has at risk. The attempt to execute the threat in combination with the vulnerability is called hacking. When this attempt is successful, and the threat agent can negatively impact the value at risk, it can be concluded that the vulnerability was successfully exploited. So, essentially, enterprises are trying to defend against hacking and, more importantly, against the threat agent that is the hacker in his or her many guises. The ACFE identifies hacking as the single activity that has resulted in the greatest number of cyber breaches in the past decade.

While there is no one-size-fits-all standard to build and run a sustainable security defense in a generic enterprise context, most companies currently deploy something resembling the individual components of the following general framework:

–Business Drivers and Objectives;
–A Risk Strategy;
–Policies and Standards;
–Risk Identification and Asset Profiling;
–People, Process, Technology;
–Security Operations and Capabilities;
–Compliance Monitoring and Reporting.

Most IT risk and security professionals would be able to identify this framework and agree with the assertion that it’s a sustainable approach to managing an enterprise’s security landscape. Our speaker pointed out, however, that in her opinion, if the current framework were indeed working as intended, the number of security incidents would be expected to show a downward trend as most threats would fail to manifest into full-blown incidents. They could then be routinely identified by enterprises as known security problems and dealt with by the procedures operative in day-to-day security operations. Unfortunately for the existing framework, however, recent security surveys conducted by numerous organizations and trade groups clearly show an upward trend of rising security incidents and breaches (as every reader of daily press reports well knows).

The rising tide of security incidents and breaches is not surprising since the trade press also reports an average of 35 new, major security failures on each and every day of the year.  Couple this fact with the ease of execution and ready availability of exploit kits on the Dark Web and the threat grows in both probability of exploitation and magnitude of impact. With speed and intensity, each threat strikes the security structure of an enterprise and whittles away at its management credibility to deal with the threat under the routine, daily operational regimen presently defined. Hence, most affected enterprises endure a growing trend of negative security incidents experienced and reported.

During the last several years, in response to all this, many firms have responded by experimenting with a new approach to the existing paradigm. These organizations have implemented emergency response teams to respond to cyber-threats and incidents. These teams are a novel addition to the existing control structure and have two main functions: real-time response to security incidents and the collection of concurrent internal and external security intelligence to feed predictive analysis. Being able to respond to security incidents via a dedicated response team boosts the capacity of the operational organization to contain and recover from attacks. Responding to incidents, however efficiently, is, in any case, a reactive approach to deal with cyber-threats but isn’t the whole story. This is where cyber-threat intelligence comes into play. Threat intelligence is a more proactive means of enabling an organization to predict incidents. However, this approach also has a downside. The influx of a great deal of intelligence information may limit the ability of the company to render it actionable on a timely basis.

Cyber threat assessments are an effective means to tame what can be this overwhelming influx of intelligence information. Cyber threat assessment is currently recognized in the industry as red teaming, which is the practice of viewing a problem from an adversary or competitor’s perspective. As part of an IT security strategy, enterprises can use red teams to test the effectiveness of the security structure as a whole and to provide a relevance factor to the intelligence feeds on cyber threats. This can help CEOs decide what threats are relevant and have higher exposure levels compared to others. The evolution of cyber threat response, cyber threat
intelligence and cyber threat assessment (red teams) in conjunction with the existing IT risk framework can be used as an effective strategy to counter the agility of evolving cyber threats. The cyber threat assessment process assesses and challenges the structure of existing enterprise security systems, including designs, operational-level controls and the overall cyber threat response and intelligence process to ensure they remain capable of defending against current relevant exploits.

Cyber threat assessment exercises can also be extremely helpful in highlighting the most relevant attacks and in quantifying their potential impacts. The word “adversary” in the definition of the term ‘red team’ is key in that it emphasizes the need to independently challenge the security structure from the view point of an attacker.  Red team exercises should be designed to be independent of the scope, asset profiling, security, IT operations and coverage of existing security policies. Only then can enterprises realistically apply the attacker’s perspective, measure the success of its risk strategy and see how it performs when challenged. It’s essential that red team exercises have the freedom to treat the complete security structure and to point to flaws in all components of the IT risk framework. It’s a common notion that a red team exercise is a penetration test. This is not the case. Use of penetration test techniques by red teams is a means to identify the information required to replicate cyber threats and to create a controlled security incident. The technical shortfalls that are identified during standard penetration testing are mere symptoms of gaps that may exist in the governance of people, processes and technology. Hence, to make the organization more resilient against cyber threats, red team focus should be kept on addressing the root cause and not merely on fixing the security flaws discovered during the exercise. Another key point is to include cyber threat response and threat monitoring in the scope of such assessments. This demands that red team exercises be executed, and partially announced, with CEO-level approval. This ensures that enterprises challenge the end-to-end capabilities of an enterprise to cope with a real-time security incident. Lessons learned from red teaming can be documented to improve the overall security posture of the organization and as an aid in dealing with future threats.

Our speaker concluded by saying that as cyber threats evolve, one-hundred percent security for an active business is impossible to achieve. Business is about making optimum use of existing resources to derive the desired value for stakeholders. Cyber-defense cannot be an exception to this rule. To achieve optimized use of their security investments, CEOs should ensure that security spending for their organization is mapped to the real emerging cyber threat landscape. Red teaming is an effective tool to challenge the status quo of an enterprise’s security framework and to make informed judgements about the actual condition of its actual security posture today. Not only can the judgements resulting from red team exercises be used to improve cyber threat defense, they can also prove an effective mechanism to guide a higher return on cyber-defense investment.

A CDC for Cyber

I remember reading somewhere a few years back that Microsoft had commissioned a report which recommended that the U.S. government set up an entity akin to its Center for Disease Control but for cyber security.  An intriguing idea.  The trade press talks about malware and computer viruses and infections to describe self -replicating malicious code in the same way doctors talk about metastasizing cancers or the flu; likewise, as with public health, rather than focusing on prevention and detection, we often blame those who have become infected and try to retrospectively arrest/prosecute (cure) those responsible (the cancer cells, hackers) long after the original harm is done. Regarding cyber, what if we extended this paradigm and instead viewed global cyber security as an exercise in public health?

As I recall, the report pointed out that organizations such as the Centers for Disease Control in Atlanta and the World Health Organization in Geneva have over decades developed robust systems and objective methodologies for identifying and responding to public health threats; structures and frameworks that are far more developed than those existent in today’s cyber-security community. Given the many parallels between communicable human diseases and those affecting today’s technologies, there is also much fraud examiners and security professionals can learn from the public health model, an adaptable system capable of responding to an ever-changing array of pathogens around the world.

With cyber as with matters of public health, individual actions can only go so far. It’s great if an individual has excellent techniques of personal hygiene, but if everyone in that person’s town has the flu, eventually that individual will probably succumb as well. The comparison is relevant to the world of cyber threats. Individual responsibility and action can make an enormous difference in cyber security, but ultimately the only hope we have as a nation in responding to rapidly propagating threats across this planetary matrix of interconnected technologies is to construct new institutions to coordinate our response. A trusted, international cyber World Health Organization could foster cooperation and collaboration across companies, countries, and government agencies, a crucial step required to improve the overall public health of the networks driving the critical infrastructures in both our online and our off-line worlds.

Such a proposed cyber CDC could go a long way toward counteracting the technological risks our country faces today and could serve a critical role in improving the overall public health of the networks driving the critical infrastructures of our world. A cyber CDC could fulfill many roles that are carried out today only on an ad hoc basis, if at all, including:

• Education — providing members of the public with proven methods of cyber hygiene to protect themselves;
• Network monitoring — detection of infection and outbreaks of malware in cyberspace;
• Epidemiology — using public health methodologies to study digital cyber disease propagation and provide guidance on response and remediation;
• Immunization — helping to ‘vaccinate’ companies and the public against known threats through software patches and system updates;
• Incident response — dispatching experts as required and coordinating national and global efforts to isolate the sources of online infection and treat those affected.

While there are many organizations, both governmental and non-governmental, that focus on the above tasks, no single entity owns them all. It is through these gaps in effort and coordination that cyber risks continue to mount. An epidemiological approach to our growing technological risks is required to get to the source of malware infections, as was the case in the fight against malaria. For decades, all medical efforts focused in vain on treating the disease in those already infected. But it wasn’t until epidemiologists realized the malady was spread by mosquitoes breeding in still pools of water that genuine progress was made in the fight against the disease. By draining the pools where mosquitoes and their larvae grow, epidemiologists deprived them of an important breeding ground, thus reducing the spread of malaria. What stagnant pools can we drain in cyberspace to achieve a comparable result? The answer represents the yet unanswered challenge.

There is another major challenge a cyber CDC would face: most of those who are sick have no idea they are walking around infected, spreading disease to others. Whereas malaria patients develop fever, sweats, nausea, and difficulty breathing, important symptoms of their illness, infected computer users may be completely asymptomatic. This significant difference is evidenced by the fact that the overwhelming majority of those with infected devices have no idea there is malware on their machines nor that they might have even joined a botnet army. Even in the corporate world, with the average time to detection of a network breach now at 210 days, most companies have no idea their most prized assets, whether intellectual property or a factory’s machinery, have been compromised. The only thing worse than being hacked is being hacked and not knowing about it. If you don’t know you’re sick, how can you possibly get treatment? Moreover, how can we prevent digital disease propagation if carriers of these maladies don’t realize they are infecting others?

Addressing these issues could be a key area of import for any proposed cyber CDC and fundamental to future communal safety and that of critical information infrastructures. Cyber-security researchers have pointed out the obvious Achilles’ heel of the modern technology infused world, the fact that today everything is either run by computers (or will be) and that everything is reliant on these computers continuing to work. The challenge is that we must have some way of continuing to work even if all the computers fail. Were our information systems to crash on a mass scale, there would be no trading on financial markets, no taking money from ATMs, no telephone network, and no pumping gas. If these core building blocks of our society were to suddenly give way, what would humanity’s backup plan be? The answer is simply, we don’t now have one.

Complicating all this from a law enforcement and fraud investigation perspective is that black hats generally benefit from technology long before defenders and investigators ever do. The successful ones have nearly unlimited budgets and don’t have to deal with internal bureaucracies, approval processes, or legal constraints. But there are other systemic issues that give criminals the upper hand, particularly around jurisdiction and international law. In a matter of minutes, the perpetrator of an online crime can virtually visit six different countries, hopping from server to server and continent to continent in an instant. But what about the police who must follow the digital evidence trail to investigate the matter?  As with all government activities, policies, and procedures, regulations must be followed. Trans-border cyber-attacks raise serious jurisdictional issues, not just for an individual police department, but for the entire institution of policing as currently formulated. A cop in Baltimore has no authority to compel an ISP in Paris to provide evidence, nor can he make an arrest on the right bank. That can only be done by request, government to government, often via mutual legal assistance treaties. The abysmally slow pace of international law means it commonly takes years for police to get evidence from overseas (years in a world in which digital evidence can be destroyed in seconds). Worse, most countries still do not even have cyber-crime laws on the books, meaning that criminals can act with impunity making response through a coordinating entity like a cyber-CDC more valuable to the U.S. specifically and to the world in general.

Experts have pointed out that we’re engaged in a technological arms race, an arms race between people who are using technology for good and those who are using it for ill. The challenge is that nefarious uses of technology are scaling exponentially in ways that our current systems of protection have simply not matched.  The point is, if we are to survive the progress offered by our technologies and enjoy their benefits, we must first develop adaptive mechanisms of security that can match or exceed the exponential pace of the threats confronting us. On this most important of imperatives, there is unambiguously no time to lose.

The Initially Immaterial Financial Fraud

At one point during our recent two-day seminar ‘Conducting Internal Investigations’ an attendee asked Gerry Zack, our speaker, why some types of frauds, but specifically financial frauds can go on so long without detection. A very good question and one that Gerry eloquently answered.

First, consider the audit committee. Under modern systems of internal control and corporate governance, it’s the audit committee that’s supposed to be at the vanguard in the prevention and detection of financial fraud. What kinds of failures do we typically see at the audit committee level when financial fraud is given an opportunity to develop and grow undetected? According to Gerry, there is no single answer, but several audit committee inadequacies are candidates. One inadequacy potentially stems from the fact that the members of the audit committee are not always genuinely independent. To be sure, they’re required by the rules to attain some level of technical independence, but the subtleties of human interaction cannot always be effectively governed by rules. Even where technical independence exists, it may be that one or more members in substance, if not in form, have ties to the CEO or others that make any meaningful degree of independence awkward if not impossible.

Another inadequacy is that audit committee members are not always terribly knowledgeable, particularly in the ways that modern (often on-line, cloud based) financial reporting systems can be corrupted. Sometimes, companies that are most susceptible to the demands of analyst earnings expectations are new, entrepreneurial companies that have recently gone public and that have engaged in an epic struggle to get outside analysts just to notice them in the first place. Such a newly hatched public company may not have exceedingly sophisticated or experienced fiscal management, let alone the luxury of sophisticated and mature outside directors on its audit committee. Rather, the audit committee members may have been added to the board in the first place because of industry expertise, because they were friends or even relatives of management, or simply because they were available.

A third inadequacy is that audit committee members are not always clear on exactly what they’re supposed to do. Although modern audit committees seem to have a general understanding that their focus should be oversight of the financial reporting system, for many committee members that “oversight” can translate into listening to the outside auditor several times a year. A complicating problem is a trend in corporate governance involving the placement of additional responsibilities (enterprise risk management is a timely example) upon the shoulders of the audit committee even though those responsibilities may be only tangentially related, or not at all related, to the process of financial reporting.

Again, according to Gerry, some or all the previously mentioned audit committee inadequacies may be found in companies that have experienced financial fraud. Almost always there will be an additional one. That is that the audit committee, no matter how independent, sophisticated, or active, will have functioned largely in ignorance. It will not have had a clue as to what was happening within the organization. The reason is that a typical audit committee (and the problem here is much broader than newly public startups) will get most of its information from management and from the outside auditor. Rarely is management going to voluntarily reveal financial manipulations. And, relying primarily on the outside auditor for the discovery of fraud is chancy at best. Even the most sophisticated and attentive of audit committee members have had the misfortune of accounting irregularities that have unexpectedly surfaced on their watch. This unfortunate lack of access to candid information on the part of the audit committee directs attention to the second in the triumvirate of fraud preventers, the internal audit department.

It may be that the internal audit department has historically been one of the least understood, and most ineffectively used, of all vehicles to combat financial fraud. Theoretically, internal audit is perfectly positioned to nip in the bud an accounting irregularity problem. The internal auditors are trained in financial reporting and accounting. The internal auditors should have a vivid understanding as to how financial fraud begins and grows. Unlike the outside auditor, internal auditors work at the company full time. And, theoretically, the internal auditors should be able to plug themselves into the financial reporting environment and report directly to the audit committee the problems they have seen and heard. The reason these theoretical vehicles for the detection and prevention of financial fraud have not been effective is that, where massive financial frauds have surfaced, the internal audit department has often been somewhere between nonfunctional and nonexistent.. Whatever the explanation, (lack of independence, unfortunate reporting arrangements, under-staffing or under-funding) in many cases where massive financial fraud has surfaced, a viable internal audit function is often nowhere to be found.

That, of course, leaves the outside auditor, which, for most public companies, means some of the largest accounting firms in the world. Indeed, it is frequently the inclination of those learning of an accounting irregularity problem to point to a failure by the outside auditor as the principal explanation. Criticisms made against the accounting profession have included compromised independence, a transformation in the audit function away from data assurance, the use of immature and inexperienced audit staff for important audit functions, and the perceived use by the large accounting firms of audit as a loss leader rather than a viable professional engagement in itself. Each of these reasons is certainly worthy of consideration and inquiry, but the fundamental explanation for the failure of the outside auditor to detect financial fraud lies in the way that fraudulent financial reporting typically begins and grows. Most important is the fact that the fraud almost inevitably starts out very small, well beneath the radar screen of the materiality thresholds of a normal audit, and almost inevitably begins with issues of quarterly reporting. Quarterly reporting has historically been a subject of less intense audit scrutiny, for the auditor has been mainly concerned with financial performance for the entire year. The combined effect of the small size of an accounting irregularity at its origin and the fact that it begins with an allocation of financial results over quarters almost guarantees that, at least at the outset, the fraud will have a good chance of escaping outside auditor detection.

These two attributes of financial fraud at the outset are compounded by another problem that enables it to escape auditor detection. That problem is that, at root, massive financial fraud stems from a certain type of corporate environment. Thus, detection poses a challenge to the auditor. The typical audit may involve fieldwork at the company once a year. That once-a-year period may last for only a month or two. During the fieldwork, the individual accountants are typically sequestered in a conference room. In dealing with these accountants, moreover, employees are frequently on their guard. There exists, accordingly, limited opportunity for the outside auditor to get plugged into the all-important corporate environment and culture, which is where financial fraud has its origins.

As the fraud inevitably grows, of course, its materiality increases as does the number of individuals involved. Correspondingly, also increasing is the susceptibility of the fraud to outside auditor detection. However, at the point where the fraud approaches the thresholds at which outside auditor detection becomes a realistic possibility, deception of the auditor becomes one of the preoccupations of the perpetrators. False schedules, forged documents, manipulated accounting entries, fabrications and lies at all levels, each of these becomes a vehicle for perpetrating the fraud during the annual interlude of audit testing. Ultimately, the fraud almost inevitably becomes too large to continue to escape discovery, and auditor detection at some point is by no means unusual. The problem is that, by the time the fraud is sufficiently large, it has probably gone on for years. That is not to exonerate the audit profession, and commendable reforms have been put in place over the last decade. These include a greater emphasis on fraud, involvement of the outside auditor in quarterly data, the reduction of materiality thresholds, and a greater effort on the part of the profession to assess the corporate culture and environment. Nonetheless, compared to, say, the potential for early fraud detection possessed by the internal audit department, the outside auditor is at a noticeable disadvantage.

Having been missed for so long by so many, how does the fraud typically surface? There are several ways. Sometimes there’s a change in personnel, from either a corporate acquisition or a change in management, and the new hires stumble onto the problem. Sometimes the fraud, which quarter to quarter is mathematically incapable of staying the same, grows to the point where it can no longer be hidden from the outside auditor. Sometimes detection results when the conscience of one of the accounting department people gets the better of him or her. All along s/he wanted to tell somebody, and it gets to the point where s/he can’t stand it anymore and s/he does. Then you have a whistleblower. There are exceptions to all of this. But in almost any large financial fraud, as Gerry told us, one will see some or all these elements. We need only change the names of the companies and of the industry.