Tag Archives: fraud prevention program

The Client Requested Recommendation

We fraud examiners must be very circumspect about drawing conclusions. But who among us has not found him or herself in a discussion with a corporate counsel who wants a recommendation from us about how best to prevent the occurrence of a fraud in the future?  In most situations, the conclusions from a well conducted examination should be self-evident and should not need to be pointed out in the report. If the conclusions are not obvious, the report might need to be clarified. Our job as fraud examiners is to obtain sufficient relevant and reliable evidence to determine the facts with a reasonable degree of forensic certainty. Assuming facts without obtaining sufficient relevant and reliable evidence is generally inappropriate.

Opinions regarding technical matters, however, are permitted if the fraud examiner is qualified as an expert in the matter being considered (many fraud examiners are certified not only as CFE’s but also as CPA’s, CIA’s or CISA’s).  For example, a permissible expert opinion, and accompanying client requested recommendation, might address the relative adequacy of an entity’s internal controls. Another opinion (and accompanying follow-on recommendation) might discuss whether financial transactions conform to generally accepted accounting principles. So, recommended remedial measures to prevent future occurrences of similar frauds are also essentially opinions, but are acceptable in fraud examination reports.

Given that examiners should always be cautious in complying with client examination related requests for recommendations regarding future fraud prevention, there is no question that such well-considered recommendations can greatly strengthen any client’s fraud prevention program.  But requested recommendations can also become a point of contention with management, as they may suggest additional procedures for staff or offend members of management if not presented sensitively and correctly. Therefore, examiners should take care to consider ways of follow-on communication with the various effected stakeholders as to how their recommendations will help fix gaps in fraud prevention and mitigate fraud risks.  Management and the stakeholders themselves will have to evaluate whether the CFE’s recommendations being provided are worth the investment of time and resources required to implement them (cost vs. benefit).

Broadly, an examination recommendation (where included in the final report or not) is either a suggestion to fix an unacceptable scenario or a suggestion for improvement regarding a business process.  At management’s request, fraud examination reports can provide recommendations to fix unacceptable fraud vulnerabilities because they are easy to identify and are less likely to be disputed by the business process owner. However, recommendations to fix gaps in a process only take the process to where it is expected to be and not where it ideally could be. The value of the fraud examiner’s solicited recommendation can lie not only in providing solutions to existing vulnerability issues but in instigating thought-provoking discussions.  Recommendations also can include suggestions that can move the process, or the department being examined to the next level of anti-fraud efficiency.  When recommendations aimed at future prevention improvements are included, examination reports can become an additional tool in shaping the strategic fraud prevention direction of the client being examined.

An examiner can shape requested recommendations for fraud prevention improvement using sources both inside and outside the client organization. Internal sources of recommendations require a tactful approach as process owners may not be inclined to share unbiased opinions with a contracted CFE, but here, corporate counsel can often smooth the way with a well-timed request for cooperation. External sources include research libraries maintained by the ACFE, AICPA and other professional organizations.

It’s a good practice, if you expect to receive a request for improvement recommendations from management, to jot down fraud prevention recommendation ideas as soon as they come to mind, even though they may or may not find a place in the final report. Even if examination testing does not result in a specific finding, the CFE may still recommend improvements to the general fraud prevention process.

If requested, the examiner should spend sufficient time brainstorming potential recommendations and choosing their wording carefully to ensure their audience has complete understanding. Client requested recommendations should be written simply and should:

–Address the root cause if a control deficiency is the basis of the fraud vulnerability;
–Address the business process rather than a specific person;
–Include bullets or numbering if describing a process fraud vulnerability that has several steps;
–Include more than one way of resolving an issue identified in the observation, if possible. For example, sometimes a short-term manual control is suggested as an immediate fix in addition to a recommended automated control that will involve considerable time to implement;
–Position the most important observation or fraud risk first and the rest in descending order of risk;
–Indicate a suggested priority of implementation based on the risk and the ease of implementation;
–Explain how the recommendation will mitigate the fraud risk or vulnerability in question;
–List any recommendations separately that do not link directly to an examination finding but seek to improve anti-fraud processes, policies, or systems.

The ACFE warns that recommendations, even if originally requested by client management, will go nowhere if they turn out to be unvalued by that management. Therefore, the process of obtaining management feedback on proposed anti-fraud recommendations is critical to make them practical. Ultimately, process owners may agree with a recommendation, agree with part of the recommendation, and agree in principle, but technological or personnel resource constraints won’t allow them to implement it.  They also may choose to revisit the recommendation at a future date as the risk is not imminent or disagree with the recommendation because of varying perceptions of risk or mitigating controls.

It’s my experience that management in the public sector can be averse to recommendations because of public exposure of their reports. Therefore, CFEs should clearly state in their reports if their recommendations do not correspond to any examination findings but are simply suggested improvements. More proposed fraud prevention recommendations do not necessarily mean there are more faults with the process, and this should be communicated clearly to the process owners.

Management responses should be added to the recommendations with identified action items and implementation timelines whenever possible. Whatever management’s response, a recommendation should not be changed if the response tends to dilute the examiner’s objectivity and independence and becomes representative of management’s opinions and concerns. It is the examiner’s prerogative to provide recommendations that the client has requested, regardless of whether management agrees with them. Persuasive and open-minded discussions with the appropriate levels of client management are important to achieving agreeable and implementable requested fraud prevention recommendations.

The journey from a client request for a fraud prevention recommendation to a final recommendation (whether included in the examination report or not) is complex and can be influenced by every stakeholder and constraint in the examination process, be it the overall posture of the organization toward change in general, its philosophy regarding fraud prevention, the scope of the individual fraud examination itself, views  of the effected business process owner, experience and exposure of the examination staff, or available technology. However, CFEs understand that every thought may add value to the client’s fraud prevention program and deserves consideration by the examination team. The questions at the end of every examination should be, did this examination align with the organization’s anti-fraud strategy and direction? How does our examination compare with the quality of practice as seen elsewhere? And finally, to what degree have the fraud prevention recommendations we were asked to make added value?

Assessing the Unknown

Some level of uncertainty and risk must exist in any fraud examination involving financial statement fraud. For example, there may be uncertainty about the competence of management and the accounting staff, about the effectiveness of internal controls, about the quality of evidence, and so on. These uncertainties or risks are commonly classified as inherent risks, control risks, or detection risks.

Assessing the degree of risk present and identifying the areas of highest risk are critical initial steps in detecting financial statement fraud. The auditor specifically evaluates fraud risk factors when assessing the degree of risk and approaches this risk assessment with a high level of professional skepticism, setting aside any prior beliefs about management’s integrity.  Knowledge of the circumstances that can increase the likelihood of fraud, as well as other risk factors, should aid in this assessment.

SAS 99 identifies fraud risk categories that auditors and fraud examiners may evaluate in assessing the risk of fraud. The three main categories of fraud risk factors related to fraudulent financial reporting are management characteristics, industry characteristics and operating characteristics including financial stability.

Management characteristics pertain to management’s abilities, pressures, style, and attitude as they have to do with internal control and the financial reporting process. These characteristics include management’s motivation to engage in fraudulent financial reporting – for instance, compensation contingent on achieving aggressive financial targets; excessive involvement of non-financial management in the selection of accounting principles or estimates; high turnover of senior management, counsel, or board members; strained relationship between management and external auditors; and any known history of securities violations.

Industry characteristics pertain to the economic and regulatory environment in which the entity operates, ranging from stable features of that environment to changing features such as new accounting or regulatory requirements, increased competition, market saturation, or adoption by the company of more aggressive accounting policies to keep pace with the industry.

Operating characteristics and financial stability encompass items such as the nature and complexity of the entity and its transactions, the geographic areas in which it operates, the number of locations where transactions are recorded and disbursements made, the entity’s financial condition, and its profitability. Again, the fraud examiner would look for potential risk factors, such as significant pressure on the company to obtain additional capital, threats of bankruptcy, or hostile take-over.

The two primary categories of fraud risk factors related to asset misappropriation are susceptibility of assets to misappropriation and adequacy of controls.  Susceptibility of assets to misappropriation refers to the nature or type of an entity’s assets and the degree to which they are subject to theft or a fraudulent scheme.  A company with inventories or fixed assets that includes items of small size, high value, or high demand often is more susceptible, as is a company with easily convertible assets such as diamonds, computer chips or large amounts of cash receipts or cash on hand.  Cash misappropriation is also included  in this category through fraudulent schemes such as vendor fraud. Adequacy of controls refers to the ability of controls to prevent or detect misappropriations of assets, owning to the design, implementation and monitoring of such controls.

SAS 99 discusses fraud risk factors in the context of the fraud triangle which we’ve often discussed on this blog.  SAS 99 also suggests that the auditor consider the following attributes of risk:

–Type of risk that may be present – that is fraudulent financial reporting, asset misappropriation and/or corruption.

–Significance of risk – that is whether it could result in a material misstatement.

–Likelihood of the risk

–Pervasiveness of the risk – that is whether it relates to the financial statements as whole or to just particular accounts, transactions or assertions.

Finally, management selection and application of accounting principles are important factors for the examiner to consider.

After the Deluge

delugeFew events are more devastating to a firm’s reputation than a well-publicized fraud and even more so if the fraud extends to a circle of one or more trusted business partners.

The ACFE tells us that a fraud can impact an organization’s reputation in many ways; and that reputation is based on how well the firm meets the expectations of diverse stakeholders such as customers and investors. Events like a fraud that indicate the organization may have fallen short of such expectations can impact the bottom line directly in terms of sales, expenses, and capital availability.  Surviving and moving forward from such an event and, more importantly, restoring confidence and ensuring that reputational damage is not extended or repeated depends on the policies and people the organization has in place to manage its damaged reputation moving forward.

What’s essential is that every organization have some sort of formal plan in place, preferably prior to a fraud event, to manage the post event fall out; if it doesn’t have such a plan, it behooves every enterprise to develop one as a critical component of its overall fraud prevention program.

The nature of the reputational risk specific to the organization, its risk appetite, and its major reputational risk management activities are all important pieces of information used to craft the overall fraud response plan. Defining the focus and output of the response plan is a critical step not only to development of the plan itself, but also to craft the timing of effective communications to stakeholders, pre and post any fraud event, addressed by the plan. Determining these details up front will give management the substance needed to create a road map that yields compelling results both through the after-fraud period and into the future.

The first step in crafting a reputational risk component of the fraud response plan is to determine the specific nature of this type of risk at the CFE’s client organization. For example, a company that produces consumer products may need to consider its reputation in terms of:

–Consumers. Perceived product quality, value, and safety.
–Investors. Perceived future returns on investment resulting from the company’s innovations, strategy, and execution.
–Suppliers/vendors. Perceived reliability of orders and timeliness of payment.
–Employees. Perceived fairness of the treatment they receive while manufacturing, selling, and supporting the company and its products.
–Online community. Perceptions of stakeholders, including consumers’ product opinions, media reporting on company activities, and competitors.
–Regulatory entities. Perception that the company’s products comply with laws.
–Local community. Perception of the company as a responsible corporate citizen.

CFE’s need to identify the key reputational risks, work with business process experts to prioritize those risks based on the extent to which they could impact the bottom line, and then determine which risks will be included in the final plan. A plan that tries to cover all aspects of reputational risk in the manner of a check list may be too broad to execute; the enterprise’s specific reputational risks to be covered need to be identified and pre-agreed to with management up front.  As the CFE and management work to determine the reputational risk scope, both need to understand the organization’s reputational risk appetite. Many organizations conceive risk appetite solely in terms of financial impact, sometimes further defining it based on financial drivers such as customer loss or asset value reduction. Facilitating a discussion of reputational risk appetite among the enterprises business process owners is a valuable CFE contribution that not only will assist in the development of the response plan, but also in its acceptance by the business. Quantifying reputational risk appetite helps management understand the tangible impact of the risk and thus how much reputational risk executives are willing to bear. In addition, it allows the CFE to communicate the impact of the reputational review work in the individualized value terms defined by the organization’s leadership.

The value added by the up-front work to understand the major vehicles the organization presently uses to manage its reputational risk will depend on the factors affecting that risk and the nature of the business itself.  Some mitigation activities may be proactive, such as establishing a product quality department or monitoring the organization’s social media presence. Others may be reactive, such as having a sales refund plan.  It’s important to remember successful reputation management following a fraud does not hinge upon one person or process (like having a hotline of public relations function), but rather on a series of controls and processes across the entire organization that work together to form a wide pattern of reputational defense. Being aware of existing activities will prepare CFE’s to include an evaluation of them in the fraud response plan. The focus of a fraud response plan can vary based on the nature of the risk and the maturity of the reputational risk management infrastructure. If there is no formal existing plan, then the CFE might prepare and present a best practice fact finding of the present state of the controls over reputational risk. If some kind of response program does exist, then the CFE might focus on control enhancement and process improvement. Financial implications, including reputational damage impact modeling and the cost of risk mitigation, also could be made part of an existing response plan, as could regulatory compliance processes such as the steps involved in the reporting of data breaches.

When one or more of the victim enterprise’s business partners are involved in a fraud against it, the reputational challenge in the post-fraud period is further complicated.  Important questions to ask concerning such third-party relationships during and after the investigative and prosecutorial phases of the fraud are complete include:

–Is there a formal business contract?
–What requirements and rights regarding compliance, possible fraud and anti-corruption does the contract contain?
–Does the contract include an audit clause?
–Who owns the business partner?
–Has the partner disclosed all relevant third-party relationships?
–Have all of the partner’s operating locations been disclosed?
–Does the partner have ongoing litigation or unique governmental relationships that might create an adverse impression among existing customers or external regulators?

Where information is needed involving client response to post-fraud reputational impact, CFE’s can visit partner organizations to gather the appropriate data.  Red flags impacting reputational risk for the CFE to be aware of include limited information about the respective entities, inconsistent data points, operations in politically charged locales, prior regulatory sanctions, and connections to or ownership by politically exposed individuals or environments with uncertain economic or commercial laws or regulations. And while examination of these items falls within the purview of compliance or legal departments, and ultimately management, some opportunity exists for CFE’s to assist with the review of due diligence reports to assess the completeness and adequacy of information in support of management’s general reputation evaluation process and decision-making.

While supporting the preparation and on-going management of client fraud response plans, CFE’s can provide additional value as the organization experiences changes over time. As the company grows, changes its sourcing and marketing strategies, and acquires other businesses, new third parties that provide products and services to and on behalf of the company will be identified and should be considered for inclusion in the company’s reputational planning.  The company’s reputational management efforts need to keep pace with the organization, and CFE’s can help evaluate the scope and breadth of that program by assessing alignment with the company’s changing business and operational fraud prevention profile.

Acting within the framework of their knowledge of the client organization, business risk assessment competency, and mandate to evaluate the adequacy of design and overall effectiveness of anti-fraud related internal controls, CFE’s can help facilitate any company’s fraud recovery/reputational repair due diligence efforts.

You Can’t Prevent What You Can’t See

uncle-samThe long, rainy Central Virginia fourth of July weekend gave me a chance to review the ACFE’s latest Report to the Nations and I was struck by what the report had to say about proactive data analytics as an element of internal control, especially as applicable to small business fraud prevention.

We’re all familiar with the data analytics performed by larger businesses of which proactive data analytic tests form only a part.  This type of analysis is accomplished with the use of sophisticated software applications that comb through massive volumes of data to determine weak spots in the control system. By analyzing data in this manner, large companies can prevent fraud from happening or detect an ongoing fraud scheme. The Report to the Nations reveals, among other things that, of the anti-fraud controls analyzed, proactive data monitoring and analysis appears to be the most effective at limiting the duration and cost of fraud schemes. By performing proactive data analysis, companies detected fraud schemes sooner, limiting the total potential loss. Data analysis is not a new concept, but, as we all know, with the increasing number of electronic transactions due to advances in technology, analyzing large volumes of data has become ever more complex and costly to implement and manage.

Companies of all sizes are accountable not only to shareholders but to lenders and government regulators.  Although small businesses are not as highly regulated by the government since they are typically not publically financed, small business leaders share the same fiduciary duty as large businesses: to protect company assets. Since, according to the ACFE, the average company loses 5% of revenue to fraud, it stands to reason that preventing losses due to fraud could increase profitability by 5%. When viewed in this light, many small businesses would benefit from taking a second look at implementing stronger fraud prevention controls.  The ACFE also reports that small businesses tend to be victims of fraud more frequently than large businesses because small businesses have limited financial and human resources. In terms of fraud prevention and detection, having fewer resources overall translates into having fewer resources dedicated to strong internal controls. The Report also states that small businesses (less than 100 employees) experience significantly larger losses percentage-wise than larger businesses (greater than 100 employees). Since small businesses do not have the resources to dedicate to fraud prevention and detection, they’re not able to detect fraud schemes as quickly, prolonging the scheme and increasing the losses to the company.

The ACFE goes on to tell us that certain controls are anti-fraud by nature and can prevent and detect fraud, including conducting an external audit of a set of financial statements, maintaining an internal audit department, having an independent audit committee, management review of all financial statements, providing a hotline to company employees, implementing a company code of conduct and anti-fraud policy, and practicing pro-active data monitoring. While most of these controls are common for large companies, small businesses have difficulty implementing some of them, again,  because of their limited financial and human resources.

What jumped out at me from the ACFE’s Report was that only 15% of businesses under 100 employees currently perform proactive data analysis, while 41.9% of businesses over 100 employees do. This is a sign that many small businesses could be doing a basic level of data analysis, but aren’t. The largest costs associated with data analysis are software costs and employee time to perform the analysis. With respect to employee resources, data analysis is a control that can be performed by a variety of employees, such as a financial analyst, an accountant, an external consultant, a controller, or even the CFO. The level of data analysis should always be structured to fit within the cost structure of the company. While larger companies may be able to assign a full time analyst to handle these responsibilities, smaller companies may only be able to allocate a portion of their time to this task. Given these realities, smaller businesses, need to look for basic data analysis techniques that can be easily implemented.

The most basic data analysis techniques are taught in introductory accounting courses and aren’t particularly complex: vertical analysis, horizontal analysis, liquidity ratios, and profitability ratios. Large public companies are required to prepare these type of calculations for their filings with the Securities and Exchange Commission. For small businesses, these ratios and analyses can be calculated by using two of the basic financial statements produced by any accounting software:  the income statement and the balance sheet. By comparing the results of these calculations to prior periods or to industry peers, significant variances can point to areas where fraudulent transactions may have occurred. This type of data analysis can be performed in a tabular format and the results used to create visual aids. Charts and graphs are a great way for a small business analyst to visualize variances and trends for management.

I like to point out to small business clients that all of the above calculations can be performed with Microsoft Excel and Microsoft Access. These are off-the-shelf tools that any analyst can use to perform even analytical calculations of great complexity. The availability of computing power in Excel and Access and the relatively easy access to audit tools … known as Computer Assisted Audit Techniques (CAAT), have accelerated the analytical review process generally. Combined with access to the accounting server and its related applications and to the general ledger, CAATS are very powerful tools indeed.

The next step would be to consider using more advanced data analysis programs. Microsoft Excel has many features to perform data analysis, and it is probably already installed on many computers within small enterprises. CFE’s might suggest to their clients adding the Audit Control Language (ACL) Add-In to client Excel installations to add yet another layer of advanced analysis that will help make data analytics more effective and efficient. When a small business reaches a level of profitability where it can incorporate a more advanced data analysis program,it can add a more robust tool such as IDEA or ACL Analytics. Improving controls by adding a specialized software program will require financial resources to acquire it and to train employees. It will also require the dedication of time from employees serving in the role of internal examiners for fraud like internal auditors and financial personnel. Professional organizations such as the ACFE and AICPA have dedicated their time and efforts to ensuring that companies of all sizes are aware of the threats of fraud in the workplace. One suggestion I might make to these professional organizations would be to work with accounting software developers and the current developers of proactive data analysis tools to incorporate data analysis reports into their standard products. If a small business had the ability to run an anti-fraud report as a part of their monthly management review of financial statements without having to program the report, it would save a significant amount of company resources and improve the fraud prevention program overall.

To sum up, according to Joseph T. Wells, founder of the ACFE, “data analytics have never been more important or useful to a fraud examiner. There are more places for fraud to hide, and more opportunities for fraudsters to conceal it.” Clearly there are many resources available today for small businesses of almost any size to implement proactive data analysis tools. With the significant advances in technology, exciting new anti-fraud solutions appear on the horizon almost daily; the only thing standing between them and our clients is the decision to pick them up and use them.

The Fire Alarm & the Bottom Line

fire-alarmI was having lunch with a couple of colleagues yesterday and the topic of ‘pulling the fire alarm’ came up.  Specifically, ‘pulling the fire alarm’ relates to a corporate employee alerting management about the suspected fraudulent activity of a fellow employee.  Everyone at the table agreed that the main reason management is often deprived of this vital intelligence is that your typical employee has a very hard time getting his or her head around the fact that their personally well-known co-worker can even be deceptive or dishonest, let alone actually steal something.

CFE’s are trained to know that good people can be, and often are, deceptive.  When people think of deception, they often envision being tricked or having the wool pulled over their eyes. Although fraudulent acts are frequently acts of deception, the fallacy lies in believing that individuals within “our organization” would never commit a deceptive act. After all, our conflicted employee tells herself, our organization goes to great lengths to hire top-notch talent who will be loyal and faithful. Our potential whistle-blower is aware that company employees are promoted through the ranks into leadership roles only because they’ve displayed some unique attributes related to their individual knowledge or talent.

ACFE interviews with fraudsters tell us that the psychological impact of events on professionals in today’s world is difficult to predict. Individuals who’re typically reasonable and display high integrity can frequently be placed in situations where both personal and professional stress can impact their decisions and actions in ways they may have never imagined. This is where the almost universal tendency to bestow the dangerous gift of the benefit of the doubt must be countered.  No question that organizations must encourage that general openness and transparency in everyday actions be practiced by their employees at all levels. But employees must also be made to understand that if someone questions an action or event, established outlets are available to report those concerns without the fear of repercussions. A specific example that unintentionally supports the benefit of the doubt syndrome is an instance where an employee repeatedly performs an inappropriate action among a group of co-workers within the corporate setting. Someone who witnesses the act may not feel comfortable speaking up at the time of the occurrence, especially if the person performing the action is his or her superior in the corporate hierarchy. However, that doesn’t mean it’s okay to walk away from the situation and say nothing. The outlets to report concerns may be as simple as speaking to a supervisor, contacting a human resources representative, or even calling the employee hotline. Employees must be encouraged to speak up whenever they see activity occurring that they believe is inappropriate. If they don’t, they’re perpetuating a culture of denial and silent acceptance.

Such a culture of silent acceptance can grow almost imperceptibly until the organization can irrationally come to unconsciously believe it’s immune to fraud.   My luncheon companions agreed that this syndrome is entirely natural given that all organizations want to believe they’re immune to fraud; then the table talk turned to the following interesting and related points…

It’s unfortunate that it takes some shattering event like a major embezzlement to make some organizations face the fact that fraud doesn’t discriminate; it can happen anywhere, any time. Just as individuals may rationalize why it’s okay to commit fraud, organizations sometimes attempt to rationalize the “whys” that support their belief that fraud won’t happen to them. Every CFE has seen instances of this defensive stance even during on-going fraud examinations! There can be multiple beliefs within corporate cultures that contribute to this act of rationalization. What one person views as a very strict policy, another person may see as a simple guideline open to interpretation. It’s always important to maintain several levels of defense against fraud, including multiple-preventive and detective controls. Because it is not possible to provide absolute assurance against fraud, it becomes even more critical to ensure that controls in place are sufficient to place periodic roadblocks, warning signs, or the proverbial fire alarm in appropriate places. It also is important that those controls and warning signs are uniformly applied to all employees within the organizational ranks.

Then there’s the old canard about materiality. Almost the first question you get about a suspected fraud, especially in my experience from financial personnel, is “Is it material?” meaning is it material to the financial statements. The implication is that the discovered fraud isn’t that important because it will have little or no effect on the bottom line. The ACFE tells us that fraud is dynamic and often can occur long before there is any significant impact to the financial statements. For example, frauds resulting in identity and information theft may eventually prove to have financial ramifications. However, the initial ramifications are breach of identity and information confidentiality. The question about materiality is one of the signs that management may not fully understand the variance between control gaps, which may create opportunity for inappropriate actions or actual control failures. When it comes to fraud prevention, the question shouldn’t be, “How much was taken or how much did we lose?” but instead, “What fraud opportunity has been created from the control gap identified?” Thus, no fraud is ever immaterial because even a small amount of identified stolen money may only be the tip of the iceberg. Where one fraud has been identified, there may be several related others operative but not yet detected.

In today’s technological world sophisticated information systems include workflow, authority delegation, acceptance reporting, system alerts, and intrusion technology. These processes rely on programming controls and periodic monitoring techniques to ensure access is in line with company objectives. Although these system enhancements have improved efficiency in many ways, there are often loopholes that provide a knowledgeable, often high-level, individual with the opportunity to rationalize or take advantage of poorly designed procedures to support a wide range of fraudulent activity. So, “authorized” can represent a danger if managements place too much reliance on system-established fraud prevention controls and then don’t build in mechanisms to appropriately monitor and manage those controls.  The simplest example of unauthorized transactions is illustrated in how delegation of authority is established and maintained within systems. If authority delegations are established with no end-date, or extended to individuals at a lower responsibility level than the true need, then expenditures may not be approved in line with corporate guidelines. This may seem like a minor control gap, but the potential for fraud, waste and abuse can be significant. And, if this trend goes undetected for an extended period, the risk can become even greater.

Another example may be the use of administrative user IDs for management, granting administrative access to systems and financial accounts. There is a very distinct and established purpose for granting this type of access; however, if the granting of the IDs is not well-controlled or monitored, there can be a significant internal control exposure that creates the opportunity for a potentially high level of fraudulent behavior to occur. This doesn’t mean that just because a company has excessive administrative IDs, it can expect that fraud is occurring within its corporate environs. However, those of us around the table agreed that this is why senior management and the board need to understand the reality of an administrative fraud control gap. In case after case, overuse and poor monitoring of these types of IDs by senior corporate officials (like CFO’s and CEO’s) have created the threat or opportunity for some activity that may not be acceptable to the organization.

Fraudsters are continually evolving, just like the rest of society. As CFE’s, we’re painfully aware that unauthorized transactions don’t always occur just because of external hacking, although the very real hacking threat seems the current obsession. Assurance professionals mustn’t overlook all of the internal fraud possibilities and probabilities that are present due to sophisticated business systems. Fraud in the digital age continues to expand and mature. We have to assist our client organizations to take an on-going, proactive approach to the examination and identification of ways that a myriad type of unauthorized transactions can slip through their internal firewalls and control procedures.

Bring Your Own

woman-on-cell-phone-22A mention of the use of their own electronic devices by company employees in one of our recent Fraud in the News items prompted a reader to state in a comment that she was under the impression that a ‘bring your own device’ policy could be ‘quite risky’ for any company who implements one.  Our reader is right in that many of today’s personal devices are prone to security vulnerabilities.  I remember reading in the trade press not long ago that more than half of all Android devices have security flaws that could be exploited by malicious applications to gain access to the data stored on them.

In addition, unsecured portable devices may be vulnerable to security exploits such as unauthorized carrier billing charges charged by cyber criminals; illicit sign up of costly premium text messaging services and installation of spyware that can steal sensitive data, including credit card numbers, e-mail account log-on credentials, on-line banking credentials, and contact list information.  Another significant concern for organizations that we’ve highlighted many times in this blog, is e-discovery litigation associated with storing company email and data on devises outside company control. Moreover, unsecured storage of sensitive customer information increases regulatory exposure.

So why do companies do it?  Among other benefits, the main reason seems to be that businesses can save significant outlays on overhead resources when employees are able to use their own smartphones, laptops, and tablets to do their assigned work.  Other related benefits accruing to the client company include:

— Easing overhead by eliminating the need to manage a service provider.
–Eliminating overhead needed to monitor usage and cost overruns exceeding contractual limits.
–Eliminating the need to manage and pay for service plans, individually managed calls, and data usage.
–Increasing employees’ productivity by enabling them to work when traveling or away from the office.
–Eliminating or reducing IT infrastructure resources and associated costs.
–Providing a recruiting incentive for prospective employees who want to use their own devices.

However, bring your own device programs can introduce data security, compliance, and privacy risks such as data leakage when employees forward sensitive documents to unauthorized individuals or make them available through unsecured cloud file-sharing providers. Fraud examiners should consider recommending that, to mitigate these concerns, our client organizations need to have an effective bring your own device policy in place, including, if they can afford it, some kind of automated mobile device management solution.  For our part, as part of our fraud risk assessments, CFE’s should request and obtain technical support in evaluating compliance with the policy and assess the mobile device management system’s ability to provide multi layered security, policy enforcement, and control across a variety of devices.

A mobile device management solution is a fraud prevention best practice that can enable your client organizations to manage employee-owned portable devices and enforce security policies remotely once employees have installed the software on their devices and agreed to the organization’s terms and conditions.  Ideally, a mobile device management system solution should strike a balance between providing enterprise security and preserving the employee’s user experience, convenience, and privacy.  Indeed, some products can configure portable devices to have two separate logical “containers” that segregate business from personal data. This method permits the employee’s personal data to remain private while enabling the organization to control only the business container where the organization’s apps, data, and email reside.

So what security capabilities should CFE’s expect the mobile device management system to support?

— Anti-malware and firewall policy. Mandates installation of security software to protect the device’s apps, content, and operating system.
–App/operating system update policy. Requires devices to be configured to receive and install software updates and security patches automatically.
–App-vetting policy. Ensures that only trustworthy “white listed” apps can be installed; blocks “black listed” apps that could contain malicious code.
–Encryption policy. Ensures that the contents of the device’s business container are encrypted and secured.
–PIN policy. Sets up PIN complexity rules and expiration periods, as well as prevents reuse of old Pins.
–Inactive-device lockout policy. Makes the device inoperable after a predetermined period of inactivity, after which a PIN must be entered to unlock it.
–Jail break policy. Prohibits unauthorized alteration of a device’s system settings configured by the manufacturer, which can leave devices susceptible to security vulnerabilities.
–Remote wipe policy. Erases the device’s business container contents should the device be lost or stolen.
–Revoke access policy. Disconnects the employee’s device from the organization’s network when the mobile device management system’s remote monitoring feature determines that the device is no longer in compliance.

Clients who are too small or which lack the funds to implement a fully operational mobile device management solution can still take steps to protect their data on employee mobile devices by:

–Setting the Bluetooth feature to non-discoverable mode or disabling it altogether if it’s not needed. This can protect against connections with other devices that could upload malware.
–Using a virtual private network (VPN) or secured website connection when accessing company email and data through a public Wi-Fi hotspot.
–Not forwarding company email messages to non-company computer systems, personal email accounts, cloud service providers, or file-sharing services, which may cause data leakage.
–Protecting against unauthorized observation of sensitive information in public places.

Furthermore, organizations should advise employees to consult their owner’s manual or seek assistance from their service provider if they are unsure of how to configure their personal devices for optimal security.

Several clients for whom I’ve worked have instituted an equitable employee reimbursement policy to compensate employees for work-related activities on their personal devices when such work is mandated by the organization. Employees are accountable for paying their monthly bill to their service provider because a contractual relationship exists between them, not the organization. Two popular compensation models to consider are a monthly usage stipend or expense reimbursement based on the percentage of use for business purposes. Regardless of the model used, CFE’s should evaluate reimbursement practices to ensure controls are in place to prevent fraud or abuse, as well as to assess compliance with compensation policies.

Based on growth projections for the use of personal devices in the workplace and the associated risk, CFE’s should consider the adequacy of existing client policies to protect proprietary and sensitive information. Moreover, it’s important for the overall fraud prevention program that mobile device use policies and practices comply with privacy and data security requirements imposed by applicable industry standards, laws, and regulations.

Fraud Reports as Road Maps to Future Fraud & Loss Prevention

portfolio-3There are a number of good reasons why fraud examiners should work hard at including inclusive, well written descriptions of fraud scenarios in their reports;  some of these reasons are obvious and some less so.  A well written fraud report, like little else, can put dry controls in the context of real life situations that client managers can comprehend no matter what their level of actual experience with fraud.  It’s been my experience that well written reports, in plain business language, free from descriptions of arcane control structures, and supported by hard hitting scenario analysis can help spark anti-fraud conversations throughout the whole of a firm’s upper management.   A well written report can be a vital tool in transforming that discussion from, for example, relatively abstract talk about the need for an identity management system to a more concrete and useful one dealing with the report’s description of how the theft of vital business data has actually proven to benefit a competitor.

Well written, comprehensive fraud reports can make fraud scenarios real by concretely demonstrating the actual value of the fraud prevention effort to enterprise management and the Board.  They can also graphically help set the boundaries for the expectations of what management will expect the prevention function to do in the future if this, or similar scenarios, actually re-occur.   The written presentation of the principal fraud or loss scenario treated in the report necessarily involves consideration of the vital controls in place to prevent its re-occurrence which then allows for the related presentation of a qualitative assessment of the present effectiveness of the controls themselves.   A well written report thus helps everyone understand how all the control failures related to the fraud interacted and reinforced each other; it’s, therefore,  only natural that the fraud examiner or analyst recommend that the report’s intelligence be channeled for use in the enterprise’s fraud and loss prevention program.

Strong fraud report writing has much in common with good story telling.  A narrative is shaped explaining a sequence of events that, in this case, has led to an adverse outcome.  Although sometimes industry or organization specific, the details of the specific fraud’s unfolding always contains elements of the unique and can sometimes be quite challenging for the examiner even to narrate.   The narrator/examiner should especially strive to clearly identify the negative outcomes of the fraud for the organization for those outcomes can be many and related.  Each outcome should be explicitly explicated and its impact clearly enumerated in non-technical language.

But to be most useful as a future fraud prevention tool the examiner’s report needs to make it clear that controls  work as separate lines of defense,  at times in a sequential way, and at other times interacting with each other to help prevent the occurrence of the adverse event.  The report should attempt to demonstrate in plain language how this structure broke down in the current instance and demonstrate the implications for the enterprise’s future fraud prevention efforts.  Often, the report might explain, how the correct operation of just one control may provide adequate protection or mitigation.  If the controls operate independently of each other, as they often do, the combined probability of all of them failing simultaneously tends to be significantly lower than the probability of failure of any one of them.  These are the kinds of realities with the power to significantly and positively shape the fraud prevention program for the better and, hence, should never be buried in individual reports but used collectively, across reports, to form a true combined resource for the management of the prevention program.

The final report should talk about the likelihood of the principal scenario being repeated given the present state of preventative controls; this is often best-estimated during discussions with client management, if appropriate. What client management will truly be interested in is the probability of recurrence, but the question is actually better framed in terms of the likelihood over a long (extended) period of time.  This question is best answered by involved managers, in particular with the loss prevention manager.  If the answer is that this particular fraud risk might materialize again once every 10 years, the probability of its annual occurrence is a sobering 10 percent.

As with frequency estimation, to be of most on-going help in guiding the fraud prevention program, individual fraud reports should attempt to estimate the severity of each scenario’s occurrence.  Is it the worst case loss, or the most likely or median loss?  In some cases, the absolute worst case may not be knowable, or may mean something as disastrous as the end-of-game for the organization.  Any descriptive fraud scenario presented in a fraud report should cover the range of identified losses associated with the case at hand (including any collateral losses the business is likely to face).  Documented control failures should always be clearly associated with the losses.  Under broad categories, such as process and workflow errors, information leakage events, business continuity events and external attacks, there might have to be a number of developed, narrative scenarios to address the full complexity of the individual case.

Fraud reports, especially for large organizations for which the risk of fraud must always remain a constant preoccupation, can be used to extend and refine their fraud prevention programs.  Using the documented results of the fraud reporting process, report data can be converted to estimates of losses at different confidence intervals and fed to the fraud prevention program’s estimated distributions for frequency and severity. The bottom line is that organizations of all sizes shouldn’t just shelve their fraud reports but use them as vital input tools to build and maintain the fraud risk assessment ongoing process for ultimate inclusion in the enterprise’s loss prevention and fraud prevention programs.

Control Self-Assessment – A Tool for Fraud Prevention

pumpkin-pie-4That control self-assessment (CSA) can be used as an effective facilitation tool to develop fraud risk assessments is, I’m sure, of no surprise to many of the readers of this blog.  But, for those of you who are not so aware … typically, a control self-assessment session to identify fraud risk is a facilitated meeting of managerial and operational staff (the business process experts) coming together to openly discuss fraud risk prevention objectives related to identified risk factors associated with one or more of a company’s business processes.

Fraud prevention objectives for the business process are identified during the session, as well as obstacles impeding the success of those objectives.  Finally, the team formally suggests, for upper management consideration, ways to overcome identified obstacles and a proposed corrective action plan is prepared.  At the start of the self-assessment session, the participants adopt a Team Operating Agreement to ensure that an open and honest discussion takes place in a threat free environment.  It takes a consensus of the participants to approve the operating agreement which all the participants in the session sign; no management decisions regarding actions to be taken are made during the session.

After the Operating Team Agreement is in place, team members typically develop and approve what they perceive to be a list of fraud prevention objectives for the target business process under discussion.  Once the anti-fraud objectives are defined, the participants enter into a discussion (and develop a list) of what they feel to be the existing overall fraud prevention strengths of the subject process.  Next, the team discusses and develops a list of the hindrances currently preventing the process from achieving its anti-fraud related objectives.  Finally, the team develops recommendations for overcoming the identified hindrances.  Sometimes the team ranks its fraud reduction recommendations by order of importance but this step is not critical.

A CSA for fraud prevention is akin to a risk assessment brainstorming session.  For example, the scope of such a session regarding a financial reporting related business process might be tailored to the risks of financial statement fraud and misstatement as well as to the issue of management override of controls over financial statement reporting.  The objective of the CSA is for the team to identify and discuss fraud risks, fraud scenarios and mitigating controls followed by the preparation of a set of recommendations for referral to management.

For each risk factor identified the CSA team should:

–try to identify what might cause a fraud to occur, or detail the risk factor itself;
–determine the specific fraud risk;
–determine potential fraud schemes or scenarios associated with the risk;
–identify affected financial accounts;
–identify staff positions that could potentially be involved;
–try to assess the type, likelihood, significance and inherent risk(s) involved;
–formulate the controls or changes to controls that could mitigate the risk;
–classify the controls by type (i.e., preventative, detective, entity, and process level);
–identify and assess residual risk.

Certified fraud examiners (CFE’s) have an active role to play in tailoring the CSA format for use in risk identification and mitigation as well as in performing actual facilitation of the CSA sessions.   Specifically, CFE’s can help client staff develop a more detailed, in-depth understanding of complex fraud risks that management and operational staff sometimes only vaguely perceive.  Armed with the knowledge developed during the CSA session(s) and coupled with their risk assessment and group facilitation skills, CFE’s can assist management and the audit committee of the client identify, assess, and develop final fraud risk mitigation strategies to strengthen the fraud prevention program of the organization as a whole.  Following what are sometimes multiple CSA sessions, CFE’s can assist the team in detailing the menu of anti-fraud measures developed during the individual sessions in a report to client management embodying the anti-fraud recommendations of the CSA team members to the Executive Management Team and to the audit committee for their consideration.  It’s up to upper management to decide which of the CSA team’s anti-fraud recommendations to implement and which of the team’s identified risks to accept.

Just a few of the advantages of conducting fraud prevention related CSA’s for critical client business processes include:

–building fraud risk awareness among those middle level managers charged with day-to- day management of our client companies business processes;
–mapping organization wide fraud prevention efforts to specific business processes;
–establishing links between information technology (IT) systems development projects and the broader fraud prevention program;
–identifying, documenting and strengthening fraud prevention skill sets across all the business processes of the organization;
–support for the construction of a strong, management supported fraud prevention program that enjoys full management and board support organization wide.