Detect and Prevent

I got a call last week from a long term colleague, one of whose smaller client firms recently discovered a long running key-employee initiated fraud. My friend has been asked to assist her client in developing approaches to strengthen controls to, hopefully, prevent such disasters in the future.

ACFE training has consistently told us over the years, and daily experience repeatedly confirmed, that it is simply not possible or economical to stop all fraud before it happens. The only way for a retail concern to absolutely stop shoplifting might be to close and accept orders only over the Internet. Similarly, the only way for a bank to absolutely stop all loan fraud might be for it to stop lending money.

In general, my friend and I agreed during our conversation, that increasing preventive security can reduce fraud losses, but beyond some point, the cost of additional preventive security will exceed the related savings from reduced fraud losses. This is where detection comes in; it may be economical when prevention is not. One way to prevent a salesclerk from stealing from the register would be for the security department to carefully monitor, review, and approve every one of the clerk’s sales. However, it would likely be much more cost effective instead to implement a simple detective control: an end-of-shift reconciliation between the cash in the register and the transactions logged by the cash register during the clerk’s shift. If refunds are not given at the point of sale, the end-of-shift balance of cash in the register should equal the shift’s sales per the transaction logs minus the balance of cash in the register at the beginning of the shift. Any significant failure of these numbers to reconcile would amount to a red flag. Of course, further investigation could show that the clerk simply made an error and so did not commit fraud.

But the cost effectiveness of detective controls, like preventive controls, imposes limits. First, such controls are not cost free to implement, and improving detective controls may cost more than the results they provide. Second, detective controls produce both false positives and false negatives. A false positive occurs when a detective control signals a possible fraud that upon investigation turns up a reasonable explanation for the indicator. A false negative occurs when a detective control fails to signal a possible fraud when one exists. Reducing false negatives means increasing the fraud detection rate.

Similarly, the cost effectiveness of increasing preventive security has a limit as does the benefit of increasing the fraud detection rate. To increase the detection rate, it’s necessary to increase the frequency at which the detective control signals possible fraud. The result is more expensive investigations, and the cost of such additional investigations can exceed the resulting reduction in fraud losses.

As we all learned in undergraduate auditing, controls are essentially policies and procedures designed to minimize losses due to fraud or to other events such as errors or acts of nature. Corrective controls are merely special control types involved once a loss is known to exist. With respect to fraud, an important corrective control involves the investigation of potential frauds and the investigation and recovery process from discovered frauds.

More generally speaking, fraud investigations themselves serve not only a corrective function but also detective and preventive functions. Such investigations are detective of fraud to the extent that they follow up on fraud signals or red flags in order to confirm or disconfirm the presence of fraud. But once fraud is confirmed to exist, fraud examinations shift toward gathering evidence and become corrective by assisting in recovery from the perpetrator and other sources such as from insurance. Fraud investigations are also corrective in that they can lead to the revelation and repair of heretofore unknown weaknesses.

The end result is that the fraud investigation functions to correct the original loss, and the related discovery of the fraud scenario leads to prevention of similar losses in the future. In summary, the fraud examination has served to detect, correct, and prevent fraud. However, fraud investigations are not normally thought of as detective controls. This so is because fraud investigations tend to be much more costly than standard detective controls and therefore are normally used only when there is already some predication in the form of a fraud indicator triggered by a typical detective control. Therefore, the primary functions of fraud investigations are to address existing frauds and help to prevent future ones.

In some cases, the primary benefit of a fraud investigation might be to prevent future frauds. Even when recovery is impossible or impractical (e.g., because the thief has no assets), unwinding the fraud scheme may still have the benefit of leading to the prevention of the same scheme in the future. Furthermore, a company might benefit from spending a very large sum of money to investigate and prosecute a very small theft in order to deter other individuals from defrauding the company in the same way. Many State governments have statutes specifying that every fraud affecting governmental assets, whether large or small, must be fully investigated because taxpayer funds are involved (the assets affected are public property).

There is never a guarantee that investigating a fraud indicator will lead to the discovery of fraud. Depending on the situation, an investigation might lead to nothing at all (i.e., produce a reasonable explanation for the original red flag) or to the discovery of losses due to simple errors, waste, inefficiencies, or even uncontrollable events like acts of nature. If a lender is considering a loan application, a fraud indicator might indicate nothing, fraud, or an error. On the other hand, in regard to the possible theft of raw materials in a production process, a fraud indicator just might indicate undocumented waste or scrap.

Two important factors to consider concerning the general design of a fraud detection process are not only the costs and benefits of detecting, correcting, and preventing a given fraud scenario but also the costs and benefits of detecting, correcting, and preventing errors, waste, uncontrollable events, and inefficiencies in general. Of course, the particular costs that are relevant will vary from one type of business process to another.

As a general rule, we can say that both preventive controls and detective controls cost less than corrective controls. Corrective controls tend to involve hands-on, resource-intensive investigations, and in many cases, such investigations do not result in recovering the loss. On the other hand, preventive controls can also be quite costly. Banks pay armed guards and incur costs to maintain expensive vaults and alarm systems. Companies surround their headquarters with high fences and armed guards, and use security checkpoints and biometric key card systems inside. On the information technology side, firms use sophisticated firewalls and multi-layer access controls. The costs of all these preventive measures can add up to staggering sums in large companies. Of course, losses that are not prevented or corrected in a timely fashion can lead to the ultimate corrective measure: bankruptcy. In fact, some ACFE estimates show that about one-third of all business failures relate to some form of fraudulent activity.

One positive aspect of the cost of preventive controls is that unlike detective controls, they do not generate fraud indicators that lead to costly investigations. In fact, they tend to do their job in complete silence so that management never even knows when they prevent a fraud. The thick door of a bank vault with a time lock prevents bank employees from entering the building at night to steal its contents. Similarly, passwords, pin numbers, and biometric data silently provide access to authorized individuals and prevent access from others.

The problem with preventive controls is that they are always subject to circumvention by determined and cunning fraudsters. There is no perfect solution to preventing acts of fraud, so detection is necessary as a secondary line of defense, and in some cases, as the primary line of defense. Consider a lending company that accepts online loan applications. It may be difficult or impossible to prevent fraudulent applications, but the company can certainly put a sophisticated (and expensive) system in place to analyze applications and provide indicators that suggest when an application may be fraudulent.

In general, the optimal allocation of resources to prevention versus detection depends on the particular business process under consideration. So, there is no general rule that dictates the optimal allocation of resources between prevention versus detection. But there are some general steps that can assist in making the allocation:

1. Analyze the target business process and identify threats and vulnerabilities.
2. Select reasonable preventive controls according to the business process and customs within the client’s industry.
3. Estimate fraud losses given the assumed preventive controls.
4. Identify and add a basic set of detective controls to the system.
5. For a given set of detective controls, identify the optimal mix of false negatives versus false positives. The optimal mix depends on the costs of investigations versus the costs of losses. Large losses and small investigation costs favor relatively low false negatives and high false positives for red flags.
6. Given the assumed mix of false negative and false positive errors, estimate the incremental cost associated with adding the detective (and related corrective) controls, and estimate the resulting reduction in fraud losses.
7. Compare the reduction in fraud losses with the increase in costs associated with adding the optimal mix of detection and correction controls.
8. If increase in costs is significantly lower than the related reduction in fraud losses, consider adding more detective controls. Otherwise, accept the set of detective controls under consideration.

The Unsanctioned Invoice

Of all the frauds classified as occupational, one of the most pernicious encountered by CFEs is the personal purchase with company funds scam. I say pernicious because not only is this type of fraud a cancer, devouring it’s host organization from within, but also because this basic fraud scenario can take on so many different forms.

Instead of undertaking externally involved schemes to generate cash, many employed fraudsters choose to betray their employers by simply purchasing personal items with their company’s money. Company accounts are used by the vampires to buy items for their side businesses and for their families. The list of benefiting recipients goes on and on. In one case a supervisor started a company for his son and directed work to the son’s company. In addition to this ethically challenged behavior, the supervisor saw to it that his employer purchased all the materials and supplies necessary for running the son’s business. As the fraud matured, the supervisor purchased materials through his employer that were used to add a room to his own house. All in all, the perpetrator bought nearly $50,000 worth of supplies and materials for himself and various others using company money.

One might wonder why a purchases fraud is not classified by the ACFE as a theft of inventory or other assets rather than as a billing scheme. After all, in purchases schemes the fraudster buys something with company money, then takes the purchased item for himself or others. In the case cited above, the supervisor took building materials and supplies. How does this differ from those frauds where employees steal supplies and other materials? On first glance, the schemes appear very similar. In fact, the perpetrator of a purchases fraud is stealing inventory just as s/he would in any other-inventory theft scheme. Nevertheless, the heart of the scheme is not the taking of the inventory but the purchasing of the inventory. In other words, when an employee steals merchandise from a warehouse, s/he is stealing an asset that the company needs, an asset that it has on hand for a particular reason. The harm to the victim company is not only the cost of the asset, but the loss of the asset itself. In a purchasing scheme, on the other hand, the asset which is taken is superfluous. The perpetrator causes the victim company to order and pay for an asset which it does not really need in the course of business, so the only damage to the victim company is the money lost in purchasing the particular item. This is why purchasing schemes are categorized as invoice frauds.

Most of the employees identified by the ACFE as undertaking purchase schemes do so by running unsanctioned invoices through the accounts payable system. The fraudster buys an item and submits the bill to his employer as if it represented a purchase on behalf of the company. The goal is to have the company pay the invoice. Obviously, the invoice which the employee submits to his company is not legitimate. The main hurdle for a fraudster to overcome, therefore, is to avoid scrutiny of the invalid invoice and to obtain authorization for the bill to be paid.

As in the many cases of shell company related schemes we’ve written about on this blog, the person who engages in a purchases scheme is often the very person in the company whose duties include authorizing purchases. Obviously, proper controls should preclude anyone from approving her own purchases. Such poorly separated functions leave little other than her conscience to dissuade an employee from fraud. Nevertheless, CFEs see many examples of small to medium sized companies in which this lapse in controls exists. As the ACFE continues to point out, fraud arises in part because of a perceived opportunity. An employee who sees that no one is reviewing his or her actions is more likely to turn to fraud than one who knows that her company applies due diligence in the attempt to detect all employee theft.

An example of how poor controls can lead to fraud was the case where a manager of a remote location of a large, publicly traded company was authorized to both order supplies and approve vendor invoices for payment. For over a year, the manager routinely added personal items and supplies for his own business to orders made on behalf of his employer. The orders often included a strange mix of items; technical supplies and home furnishings might, for instance, be purchased in the same order. Because the manager was in a position to approve his own purchases, he could get away with such blatantly obvious frauds. In addition to ordering personal items, the perpetrator changed the delivery address for certain supplies so that they would be delivered directly to his home or side business. This scheme cost the victim company approximately $300,000 in unnecessary purchases. In a similar case, an employee with complete control of purchasing and storing supplies for his department bought approximately $100,000 worth of unnecessary supplies using company funds. The employee authorized both the orders and the payments. The excess supplies were taken to the perpetrator’s home where he used them to manufacture a product for his own business. It should be obvious that not only do poor controls pave the way for fraud, a lack of oversight regarding the purchasing function can allow an employee to remove huge amounts from the company’s bottom line.

Not all fraudsters are free to approve their own purchases. Those who cannot must rely on other methods to get their personal bills paid by the company. The chief control document in many voucher systems is the purchase order. When an employee wants to buy goods or services, s/he submits a purchase requisition to a superior. If the purchase requisition is approved, a purchase order is sent to a vendor. A copy of this purchase order, retained in the voucher, tells accounts payable that the transaction has been approved. Later, when an invoice and receiving report corresponding to this purchase order are assembled, accounts payable will issue a check.

So in order to make their purchases appear authentic, some fraudsters generate false purchase orders. In one case, an employee forged the signature of a division controller on purchase orders. Thus the purchase orders appeared to be authentic and the employee was able to buy approximately $3,000 worth of goods at his company’s expense. In another instance, a part time employee at an educational institution obtained unused purchase order numbers and used them to order computer equipment under a fictitious name. The employee then intercepted the equipment as it arrived at the school and loaded the items into his car. Eventually, the employee began using fictitious purchase order numbers instead of real ones. The scheme came to light when the perpetrator inadvertently selected the name of a real vendor. After scrutinizing the documents, the school knew that it had been victimized. In the meantime, the employee had bought nearly $8,000 worth of unnecessary equipment.

Purchase orders can also be altered by employees who seek to obtain merchandise at their employer’s expense. In one instance, several individuals conspired to purchase over $2 million worth of materials for their personal use. The ringleader of the scheme was a low-level supervisor who had access to the computer system which controlled the requisition and receipt of materials. This supervisor entered the system and either initiated orders of materials that exceeded the needs of a particular project or altered existing orders to increase the amount of materials being requisitioned. Because the victim organization had poor controls, it did not compare completed work orders on projects to the amount of materials ordered for those projects. This allowed the inflated orders to go undetected.

Another way for an employee to get a false purchase approved is to misrepresent the nature of the purchase. In many companies, those with the power to authorize purchases are not always attentive to their duties. If a trusted subordinate vouches for an acquisition, for instance, busy supervisors often give rubber stamp approval to purchase requisitions. Additionally, employees sometimes misrepresent the nature of the items they are purchasing in order to pass a cursory review by their superiors.

Instead of running false invoices through accounts payable, some employees make personal purchases on company credit cards or running accounts with vendors. As with invoicing schemes, the key to getting away with a false credit card purchase is avoiding detection. Unlike invoicing schemes, however, prior approval for purchases is not required. An employee with a company credit card can buy an item merely by signing his or her name (or forging someone else’s) at the time of purchase. Later review of the credit card statement, however, may detect the fraudulent purchase.

As with invoicing schemes, those who committed the frauds were often in a position to approve their own purchases;, the same is often true with credit card schemes. A manager in one case, reviewed and approved his own credit card statements. This allowed him to make fraudulent purchases on the company card for approximately two years.

Finally, there is, the fraudster who buys items and then returns them for cash. A good example of such a scheme is that in which an employee made fraudulent gains from a business travel account. The employee’s scheme began by purchasing tickets for herself and her family through her company’s travel budget. Poor separation of duties allowed the fraudster to order the tickets, receive them, prepare claims for payments, and distribute checks. The only review of her activities was made by a busy and rather uninterested supervisor who approved the employee’s claims without requiring support documentation. Eventually, the employee’s scheme evolved. She began to purchase airline tickets and return them for their cash value. An employee of the travel agency assisted in the scheme by encoding the tickets as though the fraudster had paid for them herself. That caused the airlines to pay refunds directly to the fraudster rather than to her employer. In the course of two years, this employee embezzled over $100,000 through her purchases scheme.

Risk-Centric Fraud Prevention

A number of our certified Chapter members, currently practicing both independently and as corporate staff, report being asked to proactively assist in the establishment of first time internal fraud prevention programs by clients and employers. That this development is something new is borne out by recent articles in the trade press but, on a moment’s reflection, shouldn’t be surprising since CFEs are so uniquely qualified for the particular task.

At a time when an increasingly volatile stock environment, increased cases of cyber fraud, the pressure of globalization and a multitude of increased regulatory requirements are of major concern to all managements, risk assessment and fraud prevention really have to play an important role in ensuring that corporations are not exposed to unexpected and poorly controlled risks. Internal fraud prevention related activities need to be revisited with a focus not just on all these new business paradigms but also on stakeholders’ expectations, transparency, and accountability.

It just makes sense then that today’s environment also calls for greater collaboration and strong relationships between all types of assurance professionals with their clients at all levels to ensure an internal anti-fraud structure is in place (if one doesn’t presently exist) that facilitates a healthy, secure and transparent operating environment.

To facilitate the establishment of a risk-centric approach, today’s fraud prevention functions (new or presently existing) must continually revisit their methodologies, processes, and practices. CFEs can provide experienced insight and real-time value to their client organization by expanding their consulting efforts to facilitate a risk-centric approach, helping to establish the foundation for a more sophisticated and nimble tone at the top, and by focusing on increased collaboration and strategic engagement.

Fraud prevention efforts have been dominated for some time now by a control focused approach that is often reactive and regressive in actual practice in the face of today’s swiftly changing realities. Anti-fraud professionals today need to widen their proactive scope to address the growing governance threats and risk management needs of increasingly global organizations. This requires them to adopt a revised risk-centric approach that involves:

–Taking fraud prevention and business ethics from a compliance perspective to a cultural mind-set. Accurately assessing these risks requires more than just checking to see whether rules are being followed; practitioners must also try to ensure that the spirit of these rules is incorporated into activities at every level.

–Determining key business and fraud risks rather than casting a wide net over numerous risks, many of which may be remote or obscure; the concept of critical business process identification drawn from disaster recovery and continuous operations planning is especially relevant here.

–Identifying emerging risk issues and trends, such as changes in the regulatory environment (which are often wholly reactive), and bringing them to the attention of key stakeholders.

–Estimating the significance of each fraud risk and assessing its probability of occurrence based on a deeper understanding of the present sense conveyed by constantly shifting data and as sometimes pinpointed by sophisticated statistical analysis.

–Identifying programs and controls designed to more sensitively detect and address risk and by concurrent testing of their effectiveness in real-time.

–Coordinating with the other critical risk and control related business processes, such as compliance, risk management, fiscal control, and legal, to ensure that fraud risks are identified, controlled and managed appropriately.

To provide real strategic value to the organization, new and existing fraud prevention practitioners need to help develop risk-based action plans that respond to their present state of risk assessment awareness and which focus on stakeholder expectations. Internal anti-fraud plans should incorporate risk identification and prioritization, as well as analysis and quantification of risk factors particularly in the new business ventures and strategies so characteristic of today’s volatile environment. Such planning should also reflect an understanding of shared risks among various projects and initiatives, and feature continuous monitoring of business activities and key performance indicators.

In the present cyber-threat laden environment the internal fraud prevention business process has to move from being just another routine and disconnected function to being a fulcrum of organizational governance and risk, working in concert with management, the board, and external auditors. Top management can establish the fraud prevention function’s role by:

–Allowing senior fraud examiners and investigators exposure to security information presently associated with key management and governance committees;
–Championing the importance of ethical conduct, fraud identification and fraud prevention consistently.
–Taking immediate and proactive action on fraud examination and investigative findings regardless of whatever level of the organization suspected perpetrators are identified.
–Holding senior executives accountable for identified instances of fraud, waste and abuse in business processes over which they exercise management oversight.
–Supporting the management of the fraud prevention function when its findings and recommendations to improve security prove politically unpopular.
–Defining fraud prevention’s role and management’s expectations.
–Providing appropriate funding, talent and authority to the function.

The ACFE has long indicated that a strong tone at the top from senior management about the importance of a internal fraud prevention function goes a long way toward promoting the engagement of managers throughout the client organization.

For staff assigned to an internal fraud prevention plan to proactively review important business strategies successfully for fraud vulnerability, examiners need to collaborate with management. In addition to providing assurance on compliance initiatives, examiners should develop a forward-looking approach to their assessment planning in which they cooperate and coordinate with related risk and control functions, focus on critical business risks and exposures, and determine the relevance and effectiveness of gathered executive responses to help an organization manage fraud risk proactively. To be forward-looking, fraud prevention professionals need to be fully integrated into the strategic planning process so that they can clearly identify which fraud related risks the organization will be undertaking. They also must be involved with the business in evaluating problems that come to light to determine whether they are the result of control weaknesses that could also emerge in other parts of the organization.

To identify and analyze rapidly emerging risks, direct resources toward areas of greatest risk, and conduct targeted, real-time investigations in response to specific, predicated risks, examiners must leverage technology, learn new skills, and work with management to understand and clarify their evolving expanded role.

To assess the new emerging risks effectively, fraud prevention professionals must develop a deeper understanding of the client business and of the processes that make competitors in the client’s industry successful. An effective fraud prevention activity that can deal with contemporary business risks and meet the ever-increasing demands of management and stakeholders requires a solid staffing strategy. As CFEs we must help spread the word that our client organizations need to invest in skilled resources, methods, training, career paths, and technical infrastructure to deal with increasing cyber-related business risks related to fraud, their internal controls, and government imposed regulations. When staffing a fraud prevention function, top management should:

–Establish a program for selecting and developing the fraud prevention team.
–Identify the skills and expertise required for an effective anti-fraud business process; the ACFE’s guidance and training programs are an invaluable resource to any organization contemplating a new fraud prevention function or looking to strengthen an existing one.
–Assess existing resources to identify staffing gaps.
–Identify and create key performance indicators for deploying fraud prevention and investigatory resources.
–Co-source or outsource internal fraud prevention activities, based on an assessment of current resources, budget, and strategic and tactical requirements.

Acquiring new skills through ACFE training can enable internally focused examiners to direct resources to those techniques that are the most effective in identifying risks to the organization. Especially important is the need to develop deep expertise in specialties such as credit, IT, finance, compliance, and cyber. In addition, investigators and examiners will have to be trained to approach their work strategically, beginning with a detailed understanding of where its owners and stakeholders view where the client business has been and where it is going.

In summary, progressive internal fraud prevention and investigation functions need to partner with their client organization’s risk management function to gain comprehensive visibility into enterprise-wide risks and to support performance of automation supported follow-on risk assessments that can help prevent fraud vulnerability issues from turning into fraud events. Such insight into the organization’s risk profile allows internal investigative professionals to deliver more strategic value by focusing their proactive fraud risk evaluation efforts on areas that represent the greatest risk to the organization as well as proactively anticipating where emerging fraud risk issues are most likely to cause problems. In addition, leveraging the activities performed by the client’s risk management function can lower fraud prevention’s overall cost of operation.

The Man in the Mirror

I readily confess I would not have won any awards for effective delegation during my early years as a fraud examiner/information systems audit professional. To my mind the buck stopped with the guy in the mirror I saw shaving every morning. I prided myself on being personally capable of performing every routine task of every assignment involved in whatever function I was managing at the time. What finally weaned me from the practice of doing it all myself was the threat of burn-out and the seemingly ever-increasing demands of a typical work week of seventy hours.

The demands of managing in an assurance environment featuring risk assessments, regulatory compliance, fraud investigations, corporate governance, and engagement quality control can be crushing for any new (or not so new) manager but especially so for those unwilling or who simply lack the skills to adequately delegate; those skills usually only come with experience.

While some new to assurance or investigative management may think delegating simply means passing off work to subordinates, the lines of delegation also can occur laterally to peers and upward to superiors. The distinction is important, because in delegating to subordinates, one of the goals is to achieve long term investigative team development. This goal comes with a shift in emphasis from managing to leading. Managing is about getting the work done, whereas leading fosters learning, growth, and a greater sense of responsibility among individual members of the your team.

According to the ACFE, the first step to successful delegation within examination work is recognizing when to let go rather than trying to do too much. For CFEs new to leadership responsibilities, a willingness to delegate can be challenging. CFEs typically advance to management positions as a result of their individual achievements and performance. This advancement fosters a sense that the person best suited to accomplish a given task is the one whose already done it satisfactorily, but that is not the way leaders should think. Even though an assurance professional has advanced to a management position based on past accomplishments, he or she needs to take a broader view of what is in the long term interest of her function group and/or organization. A conscious commitment to delegation can enable the individual manager to not only increase their personal productivity but also (and here I speak from personal experience) gain better control of their lives and, hence, prevent burnout.

An honest self-examination is a precursor to delegation. CFEs and other assurance professionals in a management position need to understand their capabilities and role(s) within the organization. One way to do this is by considering their vision for and the needs of the organization. Then, what are the assurance function’s immediate and long-term goals, including capabilities and developmental needs? Realizing that trusting others, not just one self, to do a high quality job is a personal decision and there can be many barriers to it. What is the nature of your own personal career goals and your priorities for work-life balance? A periodic, wholly candid assessment of these and similar issues can give any manager a better perspective on his or her motives in relation to delegating.

Delegating is more than just shoving work on someone who possesses the skill set to fit the task. Rather, delegating is an opportunity to cultivate members of the investigative team by increasing the number of people who are capable of taking on a bigger role, which can help strengthen the team and create a succession plan in the event of unexpected personnel turnover. How often have we all been witness to the chaos which can ensure when a key staff member leaves and no-one has been groomed to fill her place?

To the extent possible, an new staff CFE should be matched strategically with an assignment that is a bit above his or her head as a way of providing a positive learning experience. Delegating with career development in mind means managers will need to resist playing the role of lifeguard. Subordinates will struggle at times, but managers shouldn’t be too quick to act as helicopter parents and come to the rescue. Instead, managers should remain confident in the basic capabilities of their staff and allow reasonable time for learning and growth, which enables the team to gain experience and add more value to the organization.

Knowing whether a particular assignment is within an examiner’s potential capabilities and can enable him or her to grow professionally, however, is often not an easy task. As managers delegate assignments, they should consider not limiting assignments only to those areas in which an investigator has had prior experience. Also, managers need to avoid the tendency toward primarily delegating interesting or important assignments to the most favored team members; managers should groom everyone on the team not just the superstars; it’s the superstars who are, let’s face it, the most desirable targets for external recruiters. The same is true for undesirable assignments; managers also should spread those among the whole team, which can demonstrate that everyone is treated fairly. A thoughtful delegating process helps keep the assurance team challenged and motivated, thereby reducing the likelihood of losing promising but insufficiently challenged staff members.

Initial parameters need to be established to prevent misunderstandings, deficient productivity, or delays in the timely completion of examinations. All parties involved should have a clear understanding of the delegated assignment and of expectations. However, managers should refrain from giving excessively detailed instructions. Successful delegating does not mean micromanaging anyone. Instead, managers should consider focusing on discussing the objectives, scope, and outcomes of the assignment. When examiners are allowed the flexibility and freedom to perform their work, they not only learn more but also may show considerable ingenuity. Managing CFEs can foster an environment of participative management by encouraging input from subordinates toward refining the plans, expectations, and deadlines, as well as emphasize how the present investigation fits into the larger scheme. When a team member sees the whole process rather than only a part, he or she is less likely to miss a critical matter and may become more motivated to deliver a quality product.

The ACFE recommends that the CFE engagement manager should give his or her subordinates authority to operationally pursue their assignment and to make decisions as they see fit. Delegating the authority is no less important than assigning the responsibility for a task. In the absence of conferring an appropriate level of authority, the team member’s performance could be undercut. Also, examination managers should keep an open mind by welcoming new ideas, innovative suggestions, and alternative proposals from others. Nothing is more motivating for a subordinate than to realize that he or she has a significant ownership stake in the results. This is another reason why managers should delegate as much of an entire assignment, rather than a small portion, as possible. Doing so can help instill a sense of importance and self-esteem for the staff investigator no matter what the number of years of their experience.

Communication is an essential element of successful delegating, and regular updates about progress, results, and deadlines should occur weekly, or sometimes daily, depending on the staff member’s level of experience and the type of assignment. Meetings can be conducted face-to-face, by phone, or through videoconferencing and do not always have to be long to be effective.

As managers check on progress, they should be supportive rather than intrusive and avoid putting a subordinate on the defensive by being too critical. Managers also should allow for communication flexibility by encouraging more immediate contact between progress meetings in the event a matter requiring urgent attention unexpectedly develops.

Any significant delegated assignment should culminate with a constructive evaluation of the subordinate’s performance. Often, there is a tendency to view the simple act of delegation itself as work done. As an old colleague of mine used to say, “A task delegated is a task completed.” Even in a case where the smaller scope of a subordinate’s assignment does not merit an exit session, it is still a boost for team morale to give recognition and show gratitude for the work done.

I have never met an experienced (and successful) CFE investigation team leader who did not embrace the role and significance of delegating. However, the ability to delegate depends on trust, communication, and encouragement. When delegating, assurance managers need to accept the risk that mistakes can and will occur and remember that professionals can learn from their mistakes. Not only is valuable experience gained by the investigative team, but the manager’s time also is freed up for more critical tasks and projects. In the long run, a commitment to delegation serves to strengthen any team of investigators as well as benefit our client organization, whatever and wherever that might be.

Empty Shells

I attended an out of town presentation not too long ago on investment and tax avoidance scams targeting well-to-do retirees. An especially interesting portion of the CFE presenter’s presentation (a recent retiree himself), focused on the use of paper or shell corporations and companies as tools by the perpetrators of such schemes.

Our presenter emphasized that regulators and other law enforcement personnel attempt to identify instances of fraud against retirees and others in order to prosecute the perpetrator and return the fraudulently obtained goods to the victims. However, such frauds tend to be an under-reported crime as victims may be embarrassed that they easily fell prey to the fraudster or may remain connected to the offender because of the engendered trust cultivated. Reluctance to report the crime can stem from a belief that the fraudster will ultimately do the right thing and return any fees or funds. In order to stop such fraud, regulators and law enforcement must be able to detect and identify crime, caution potential investors, and prevent future frauds by taking appropriate legal actions against the perpetrators.

He went on to say that one of the foremost reasons for the existence of the underground economy is to escape taxation, which in some countries can be as high as 51 percent of a person’s nominal income. Swiss bankers have a saying, “There would be no tax havens without tax hells.” As the rate of taxation increases, so does the cost of honesty. The higher the tax burden, the more incentive people have to attempt evading those taxations. Because it is illegal, tax evasion always involves financial secrecy.

Every few years the Internal Revenue Service (IRS) releases its top 12 most blatant tax scams affecting American taxpayers. Over the years the Service has repeatedly warned retirees not to fall for schemes peddled by scammers for the avoidance of taxes featuring the use of dummy corporations (or shells) associated with off-shore accounts in tax havens and emphasizing that there is no secret trick that can eliminate any senior’s tax obligations. Every tax payer should be wary of anyone peddling any of these scams.

The IRS aggressively pursues taxpayers and promoters involved in promoting abusive offshore transactions to wealthy seniors. Such promoters pitch seniors in the use of methods to avoid or evade U.S. income tax by hiding income through shells with accounts in offshore banks, brokerage accounts, or through other entities. Such actively promoted scams feature the use of offshore debit cards, credit cards, wire transfers, foreign trusts, employee-leasing schemes, and private annuities or life insurance plans. The IRS has also identified the use of shells in abusive offshore schemes including those that involve use of electronic funds transfer and payment systems, offshore business merchant accounts and private banking relationships.

But, as our speaker pointed out, shell companies aren’t just for big and medium-sized tax evaders anymore. They have become the financial and deception vehicle of choice for some of the most corrupt, dangerous and ruthless individuals and entities on the planet. Arms dealers, drug cartels, corrupt politicians, scammers, terrorists and cybercriminals are just a few of the most creative and frequent users of shells.

It’s also important to emphasize that not all shell companies are used for nefarious purposes; assurance professionals and investigators need to be aware that there are legitimate uses for these entities, such as using one as a holding company or creating a shell company (in name) to preserve future business rights or opportunities. Not every shell is involved in a criminal conspiracy, so it’s important to understand why someone might use a shell for criminal purposes.

The primary purpose of the use of a shell in a fraud scheme is like that of the fraud itself: to conceal fraudulent activity. This may include the nature, origin, or destination of misappropriated funds and/or concealment of the true owners and decision-makers of a criminal act or conspiracy.

In many instances, one shell company isn’t enough; fraudsters create networks. Dozens of shells, nominee directors, addresses and fake shareholders might be required to fully conceal a scheme or criminal plot. Big-time criminal conspirators will utilize shell incorporators to do the heavy lifting and help create a corporate web of disguise that can perplex and confuse even the best of investigators.

Shells can come in all different shapes and sizes, and the jurisdiction in which they reside can help further the concealment. Some fraudsters create shell companies for single uses and then discard them. Or they may use them repeatedly and have them change hands multiple times. They also may form what our speaker dubbed shelf companies and not use them for a period of time. A shelf company has a better chance of appearing legitimate and fooling a novice investigator or basic due diligence mechanisms because it appears to have existed longer than it really has. An older shelf could have a creation date predating any specific areas of investigative concern, which would allow it to engage in business activities when it otherwise couldn’t without arousing suspicion.

Given the intent, with a small sum of money, time and patience, fraudsters can set up a very elaborate web of shell companies in little time. But establishing the company name is only the first step in creating a shell network of deception. The company needs nominee directors and shareholders, often illegitimate, to further the concealment.

Scammers use nominee directors, and in some instances, other shell companies, to disguise true owners of entities while giving the appearance of legitimacy. Some nominees simply sell their names to fraudsters who use them on company documents. Others actually provide limited services for the shell companies such as processing corporate records, signing for company documents and forwarding mail. These nominee directors are the linchpins to linking and disguising international criminal organizations and operatives. Their use is so widespread that IRS conducted searches among entities frequently disclose nominee directors crossing paths. Some are even listed as directors for the same shell entities.

So what does our speaker recommend that individual CFEs do if we think that one of our clients may be unwittingly doing business with a nefarious shell?

— A shell company can be set up practically anywhere, but successful incorporators have learned to use particular countries and regions. Advantages can include lack of government enforcement or specific laws protecting corporate secrecy. A good source of a high-risk country list is the U.S. State Department’s annual list of major money-laundering countries.
— Use SWIFT codes – a SWIFT code is a unique identifier that’s associated with particular financial and non-financial institutions around the world. If you can identify the SWIFT code for the financial entities the suspected shell is dealing with, you might consider monitoring for any funds originating from or being disbursed to these banks or check to see if any of your client’s customers/vendors have bank accounts associated with these specific institutions.
–Review all available internal data that contains contact, banking, address and ownership information, such as vendor/customer data, wire transfer data, ship to/ship from locations for sales and purchases, purchase orders and invoice support documentation.

Look for :

• Information that doesn’t make sense given the nature of the business relationship with the entity.
• Entity information mismatch: address, phone, fax, ship to, bank, cell contact, etc. in different geographic locations.
• No discernible online presence when compared to the goods/services and the amount of money changing hands.
• The entity “representative” is associated with numerous other companies.
• Payment is made to or received from an unrelated third party. Review incoming/outgoing wire transfer documents.

Our speaker summarized that involvement with shell companies and those associated with them can be very bad news for any of our client companies. Fraudsters within your client organization might make use of them as vehicles of corruption or asset diversion. External perpetrators can passively use them as money-laundering vehicles against your client organization.

All assurance professionals should attempt to stay current with the latest types of abuse associated with the shell company model, trends in international corruption, fraud and asset diversion, and money laundering. ACFE training is, as usual, an excellent resource to do this. To the extent possible, try to screen information on your client’s customers, vendors and employees on an on-going basis. Cross-reference known bad actors and shell companies in the news against the entities with which your clients are doing business. Contact authorities if you and/or your client determine that it has become the victim of a shell company related scheme.

Inventory of Fraud

One of the first frauds I worked on early in my career was a scheme by management to overstate the periodic inventory of the Prison Industries system of a state Department of Corrections.   In that case the manipulation was carried out by creating false inventory counts and altering records after the physical count.

What made this an especially interesting case of management fraud were the various reasons that the audit report subsequently revealed why accounting management had decided to overstate the inventory:

• To overstate the income of Prison Industries.
• To achieve internally projected goals.
• To increase Prison Industry’s perceived value in the eyes of  the State government administration.
• To meet Department of Corrections stiff goals for Prison Industry management.
• To hide poor operational performance.
• To enhance the perceived performance of individual members of management.
• To hide the theft of some inventory.

These reasons are in contrast to fraudster goals if a fraud scheme’s overall objective is to show reduced inventory:

• To reduce income.
• The entity has achieved its goals and wants to show reduced results for the reporting period.
• To reduce the overall value of the business or enterprise.
• A new management team is in place and wants to defer reporting additional performance to the future.

Such inventory counting related schemes are likely to occur with inventory components perceived to be less likely of being counted or in conjunction with a planned reason for the false count. The hope is that any examiner/auditor will view the false count as an error versus an intentional plan to misstate the inventory. Therefore, the examiner needs to ensure that management has no record of the test counts. Certain types of inventory counts are more susceptible to being false, such as:

• Periodic Inventory. This particular inventory is susceptible to false counting because the auditor has no inventory reports to determine what the inventory should have been prior to the count.
• Perpetual Inventory. Variances or in-transit items are often used as an explanation for any deviations.
• Multiple Inventory locations. The non-tested sites are susceptible to false counts because the auditor is not performing procedures at those locations. Management may also use other scams in conjunction with the false-count fraud schemes.

As every accounting student knows, inventory is tangible property that either (1) is held for sale in the ordinary course of business (finished goods); (2) is in the process of production for such sale (work in process); or (3) is currently consumed either directly or indirectly in the production of goods or services available for sale (raw materials). The primary basis of accounting for inventory is cost. By definition, inventory excludes long-term assets subject to depreciation accounting.

The inventory records at Prison Industries were complex. Inventory was constantly being transferred between manufacturing processes, was often dispensed in several locations across the state’s correctional system, and normally comprised a significantly large amount of items. For these reasons, as well as the variety of decisions made about direct valuations, inventory was an appealing place for management to decide to commit financial statement fraud, in this case by manipulating and altering the physical inventory count.

Inventory falsification occurred at Prison Industries when the entity showed inventory on its financial statements that both did not exist and was improperly valued;  the two methods were  used simultaneously.  Techniques used to inflate the value of inventory included the creation of false documents, such as inventory count sheets, receiving reports, and manipulation of the actual physical inventory. During the fraud, it was common for management to insert phony inventory count sheets during the inventory observation or to alter the quantities on the count sheets. There where instances where management created the illusion that inventory existed with the help of phony inventory items. Simply put, some items of inventory that appeared real on paper were actually fake.

The fraud examination was originated as a result of predication provided by a Hot Line tip and featured the application of a number of procedures. Interviews were conducted with management and personnel. Questions asked included the following to determine whether the inventory represented by management actually existed and whether it was properly valued:

– Do the inventories included in the Prison Industries balance sheet physically exist?
– Does the inventory represent items held for use in the ordinary course of production?
– Do inventory quantities include all items on hand or in transit?
– Are inventory listings accurately compiled and are they properly included in the inventory accounts?
– Does the State have legal title or ownership rights to the inventory items?
– Does the inventory exclude items billed to customers or owned by others?
– Are inventory costs the result of an acceptable method consistently applied?
– Are inventories properly classified in the balance sheet and are the related disclosures adequate?

The examiners calculated the inventory turnover ratio. The inventory turnover ratio measures how fast inventory was moving through the entity. If the inventory is inflated, then the average inventory balance will be overstated, causing the inventory turnover ratio to decline. The  inventory turnover ratio was compared with the results from prior years and with industry averages for reasonableness.

Price tests were performed. A fraud examiner must determine whether the pricing of the inventory is reasonable. Price testing employs vouching, tracing, and re-computation procedures to test the auditee’s  pricing of its inventory. An examiner should test the application of prices by vouching items to vendors’ invoices and to cost accounting records to verify that the inventory is properly priced. For example, an examiner selects from the inventory detail item L243, classified as a raw material. According to the company’s records as of the balance sheet date, there are twenty L243s at $120 apiece. The examiner reviews the last invoice representing the purchase of L243s and discovers that the company purchased the L243s at $60 apiece. This price discrepancy is a sign that management might be trying to inflate the value of its inventory. Vendors’ invoices should also be traced to the books to confirm proper price recording. Examiners should recompute the quantities indicated on-hand by the observation with vendor prices to determine that the inventory, balances on the balance sheet are correct.

Following the fraud examination inventory was re-performed. The physical inventory was re-performed to ensure that the enterprise’s application of corrective action to methods for counting inventory would result in an accurate and reliable count in future. The re-examination of physical inventory included observation, as well as inquiries and physical examination (i.e., test counts). It is important to remember that management is responsible for the propriety of the inventory. The examiner observed the re-taking of the inventory to satisfy his/her reliance on management’s representations of the quantities and prices.

Cut off tests were performed. A cut-off test is a procedure to control the shipping and receiving activities at the physical inventory date. For the time of the physical inventory, the examiner  noted the numbers of the last pre-numbered shipping and receiving documents because purchases of inventory often are recorded when received and sales recorded when shipped. Identifying the document numbers helped the examiner determine whether the inventory was properly or improperly included or excluded from the inventory counts. For instance, if management indicated that the last shipping document for 1991 was #2500, then the examiner would assume that #2501 was shipped in January 1992. If, upon review of shipping document #2501, the examiner notices that the inventory was shipped in 1991, then there is the possibility that management is inflating the quantity and value of the company’s inventory at year-end. Therefore, inquiry and further testing are warranted. These cut-off numbers are often used in conjunction with the cut-off test used in accounts receivable and accounts payable testing. If cut-off procedures appear unclear or indicate possible inclusions in inventory of goods sold, then cut-off tests should be expanded.

There are several other audit procedures that can be used in detecting inventory fraud scenarios. These include:

• Reviewing the statement of cash flows and asking whether the increases and decreases in cash make sense in relation to the inventory account balances and changes.
• Computing the inventory turnover ratio and days-to-sell ratio. Do these ratios make sense in relation to what the auditor has verified regarding the physical aspects of the inventory?
• Computing the percentage of gross profit and the related percentage of the cost of goods sold, and then the trend to look for understatement of the cost of goods sold percentage.
• Ensuring there is a consistent use of the inventory cost flow assumption. For example, the use of first-in-first out (FIFO) gives a higher net income in an inflationary environment.

It was the large number of items comprising the inventory that made it an attractive target for fraudulent manipulation at Prison Industries. Theft and misuse are the actions of choice when it comes to inventory fraud. The rationale typically Is: “Who is going to miss a few hundred widgets in an inventory of thousands, perhaps millions?” The size of inventory as a percentage of the amount of total assets also makes it an easy target for management-initiated financial reporting misstatement. Having the possibility of two types of fraudulent acts ganging up on inventories at the same time, the CFE doesn’t want to waste time going down the wrong path, so it’s very important to determine which fraudulent act is likely occurring.

Any discussion of fraud likelihood involves the concepts of concealment, conversion, and opportunity. So, in addition to “how” the Inventory fraud took place, other questions need to be addressed, such as: How sophisticated is the concealment strategy? Who has the most benefit to gain by the theft, misuse, or misstatement of the inventories? Who has and where are the opportunities to divert/misstate inventories? These are the questions that need to be answered by the CFE/auditor, and fortunately, the tools and guidance are available from the ACFE to achieve the right answers when faced with almost any pattern of inventory fraud.

On Motivation

The ACFE tells us that there is no simple profile for employees who commit fraud. However, some ACFE statistics are available. Its research has repeatedly shown that about 10 percent to 15 percent of employees are fundamentally dishonest and are likely to steal from their company if given the opportunity. About 66 percent of employees are likely to steal under the right circumstances, such as when under pressure, or when “everyone is doing it,” and the opportunity exists. In contrast, about 20 percent to 25 percent of employees are fundamentally honest and are unlikely to steal under any circumstances.

Furthermore, those employees who do steal from the company are unlikely to have a prior criminal record, and those with a good education, family, background, and work record can be just as likely to steal as anyone else.

On the other hand, research shows that the three elements of the standard fraud triangle, with which we’re all familiar, have proven themselves descriptive over many the years in explaining which employees may defraud our client companies.

• Pressure – Usually related to financial pressure such as large medical bills, gambling problems, drug habits, and extravagant living.

• Opportunity – Required to commit any fraud.

• Rationalization – Likely depends on the type of criminal and the criminal’s personality type or possible personality disorder.

The rationalization component of the fraud triangle suggests possible types of individuals who may commit fraud:

• The fundamentally dishonest employee without a personality disorder. This person could habitually be dishonest but does not have a personality disorder. Rationalization comes easily because the person is accustomed to dishonesty. Therefore, the rationalizations are likely to include statements such as “I need it more than they do” and “They won’t miss it.”

• The fundamentally dishonest employee with a personality disorder. Various personality disorders may contribute to the ability of the employee to rationalize fraud. Psychiatry uses the diagnosis antisocial personality disorder and the related diagnosis dissocial personality disorder. The following are characteristics that apply to persons with these types of mental disorders:

— Nonconformist behavior; tend to be misfits.
— Habitual lying and dishonesty.
— Impulsiveness.
— Irritability and aggressiveness.
— Insensitivity to harming self or others.
— Strong disregard for the needs of self and others.
— Tendency to blame others for personal faults and mistakes.
— Lack of responsibility.
— Difficulty in establishing and maintaining close relationships.
— Absence of the ability to feel emotions or the full range of normal emotions.

The deceitfulness dimension of these disorders could enable the person to hide some or all of his or her antisocial characteristics. This type of person is often able to steal without giving much conscious thought to rationalizations. The crime could simply arise out of the mental disturbance.

• Then there is the normally honest employee who steals given pressure and opportunity and rationalizes the theft. A person who does not normally steal is likely to give serious thought to rationalizing the theft. One common rationalization is that the person is only borrowing the money; often the person takes money with the intent to pay it back, and many times does in fact pay it back. The result is that the corporate till can become the employee’s personal lending institution; however, in many cases, the person is never able to pay back the ill-gotten loan. The normally honest employee is likely to steal out of a sudden financial need or because of a problem with a financially excessive lifestyle.

The ACFE advises us to consider possible motives when examining evidence related to an occupational fraud. Motive is the power that prompts a person to act. Motive, however, should not be confused with intent, which refers to the state of mind of the accused when performing the act. Motive, unlike intent, is not an essential element of crime, and criminal law generally treats a person’s motive as irrelevant in determining guilt or innocence. Even so, motive is relevant for other purposes: it can help identify the perpetrator; it will often guide the examiner to the proper rationalization; it further incriminates the accused; and it can be helpful in ensuring successful prosecution.

The examiner should search relevant documents to determine a possible motive. For example, if a fraud examiner has evidence in the form of a paycheck written to a ghost employee, s/he might suspect a payroll employee who recently complained about not having received a raise in the past two years. Although such information does not mean that the payroll employee committed fraud, the possible motive can guide the examiner.

During the process of interviewing suspects, interviewers should seek to understand the possible motives of interviewees. To do this, interviewers should suspend their own value system. This will better position the interviewer(s) to persuade suspects to reveal information providing insight into what might have pressured or motivated them and how they might have rationalized their actions.

In an interview situation, the examiner should not suggest reasons for the crime. Instead, the examiner should let the individual share his or her motivations, even if the suspect reveals those motivations in an indirect manner.

In interviewing suspects for motives:

• Leave your ego at the door.
• Talk to the suspected perpetrator as an adult.
• Do not patronize the suspect.
• Use good communication skills to develop rapport with subjects so that they will feel comfortable talking to you.
• Avoid being confrontational with the suspect. If the interviewer is confrontational, the perpetrator will be less likely to make an admission.

When conducting an interview with a suspect, the interviewer should begin by asking questions about the standard procedures and the actual practice of the operations at issue. This is necessary to gain an understanding of the way the relevant process is intended to work and how it actually works. Additionally, asking such basic questions early in the interview will help the interviewer observe the interviewee’s “normal” behavior so that the interviewer can notice any changes in the subject’s mannerisms and word choice.

Next, the interviewer might ask non-accusatory questions related to the issue at hand, such as:

• Why do you think someone would do something like this?
• What do you think should happen to a person who would do something like this?
• Of all of the people who work in this area, who could be involved?

The answers to these questions can help the interviewer understand the possible motives of various suspects, narrow the pool of suspects, or even obtain an admission. For example, a suspect who answers the question “Why do you think someone would do something like this?” with a sympathetic answer might be trying to appeal to the interviewer’s sense of compassion to reduce or minimize his or her punishment.

The more the interviewer knows about the perpetrator, the better chance s/he will have of identifying the perpetrator’s motive and rationalization. Once the perpetrator thinks that the interviewer understands her motive, she will become more likely to confess.

During the motivation identifying interview, fraud examiners must also remember that there are times when rational people behave irrationally. This is important in the interview process because it will help humanize the misconduct. Unless the perpetrator has a mental or emotional disorder, it is acceptable to expect that the perpetrator committed the fraud for a reason.

Situational fraudsters, those who rationalize their right to an illegal enrichment and perpetrate fraud when the opportunity arises, do not tend to view themselves as criminals. This is in contrast to deviant fraudsters, who are more proactive than situational fraudsters and who are always on the alert for opportunities to commit fraud. Situational fraudsters rationalize their crimes. Situational fraudsters feel that they need to commit fraud to regain control over their lives. Thus, an interviewer will be more likely to obtain a confession from a situational fraudster if s/he can genuinely communicate that s/he understands how anyone under similar-circumstances might commit such a crime. Genuineness, however, is key. If the fraudster in any way detects that the interviewer is constructing a trap, s/he generally will not make an admission of wrongdoing.

In summary, the fraud triangle is always helpful in explaining motivations for employees to defraud their employing organization by drawing attention to pressure, opportunity, and rationalization. Pressure is typically caused by sudden financial needs arising from things such as medical bills, gambling problems, drug habits, and extravagant living. The opportunity depends on the employee’s position and the strength of the company’s internal control processes. Rationalization depends on the type of criminal. The pure sociopath may need little or no rationalization. The fundamentally dishonest employee may give some conscious thought to rationalizing crimes, but the rationalization comes easily because the person is accustomed to dishonesty. Finally, the normally honest employee generally expends the most effort in rationalizing the crime, and often this type of person will really think that s/he is only borrowing the money.

Cloud Shapes

Just as clouds can take different shapes and be perceived differently, so too is cloud computing perceived differently by our various types of client companies. To some, the cloud looks like web-based applications, a revival of the old thin client. To others, the cloud looks like utility computing, a grid that charges metered rates for processing time. To some, the cloud could be parallel computing, designed to scale complex processes for improved efficiency. Interestingly, cloud services are wildly different. Amazon’s Elastic Compute Cloud offers full Linux machines with root access and the opportunity to run whatever apps the user chooses. Google’s App Engine will also let users run any program they want, as long as the user specifies it in a limited version of Python and uses Google’s database.

The National Institute of Standards and Technology (NIST) defines cloud computing as a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. It is also important to remember what our ACFE tells us, that the Internet itself is in fact a primitive transport cloud. Users place something on the path with an expectation that it will get to the proper destination, in a reasonable time, with all parties respecting the privacy and security of the artifact.

Cloud computing, as everyone now knows, brings many advantages to users and vendors. One of its biggest advantages is that a user may no longer have to be tethered to a traditional computer to use an application, or have to buy a version of an application that is specifically configured for a phone, a tablet or other device. Today, any device that can access the Internet can run a cloud-based application. Application services are available independent of the user’s home or office devices and network interfaces. Regardless of the device being used, users also face fewer maintenance issues. End users don’t have to worry about storage capacity, compatibility or other similar concerns.

From a fraud prevention perspective, these benefits are the result of the distributed nature of the web, which necessitates a clear separation between application and interaction logic. This is because application logic and user data reside mostly on the web cloud and manifest themselves in the form of tangible user interfaces at the point of interaction, e.g., within a web browser or mobile web client. Cloud computing is also beneficial for our client’s vendors. Businesses frequently find themselves using the vast majority of their computing capacity in a small percentage of time, leaving expensive equipment often idle. Cloud computing can act as a utility grid for vendors and optimize the use of their resources. Consider, for example, a web-based application running in Amazon’s cloud. Suppose there is a sudden surge in visitors as a result of media coverage, for example. Formerly, many web applications would fail under the load of big traffic spikes. But in the cloud, assuming that the web application has been designed intelligently, additional machine instances can be launched on demand.

With all the benefits, there are related constraints. Distrust is one of the main constraints on online environments generally. particularly in terms of consumer fraud, waste and abuse protection. Although the elements that contribute to building trust can be identified in broad terms, there are still many uncertainties in defining and establishing trust in online environments. Why should users trust cloud environments to store their personal information and to share their privacy in such a large and segregated environment? This question can be answered only by investigating these uncertainties in the context of risk assessment and by exploring the relationship between trust and the way in which the risk is perceived by stakeholders. Users are assumed to be willing to disclose personal information and have that information used subsequently to store their personal data or to create consumer profiles for business use when they perceive that fair procedures are in place to protect their individual privacy.

The changing trust paradigm represented by cloud computing means that less information is stored locally on our client’s machines and is instead being hosted elsewhere on earth. No one for the most part buys software anymore; users just rent it or receive it for free using the Software as a Service (SaaS) business model. On the personal front, cloud computing means Google is storing user’s mail, Instagram their photographs, and Dropbox their documents, not to mention what mobile phones are automatically uploading to the cloud for them. In the corporate world, enterprise customers not only are using Dropbox but also have outsourced primary business functions that would have previously been handled inside the company to SaaS providers such as Salesforce.com, Zoho.com, and Box.com.

From a crime and security perspective, the aggregation of all these data, exabytes and exabytes of it, means that user’s most personal of information is no longer likely stored solely on their local hard drives but now aggregated on computer servers around the world. By aggregating important user data, financial and otherwise, on cloud-based computer servers, the cloud has obviated the need for criminals to target everybody’s hard drive individually and instead put all the jewels in a single place for criminals and hackers to target (think Willie Sutton).

The cloud is here to stay, and at this point there is no going back. But with this move to store all available data in the cloud come additional risks. Thinking of some of the largest hacks to date, Target, Heartland Payment Systems, TJX, and Sony PlayStation Network; all of these thefts of hundreds of millions of accounts were made possible because the data were stored in the same virtual location. The cloud is equally convenient for individuals, businesses, and criminals.

The virtualization and storage of all of these data is a highly complex process and raises a wide array of security, public policy, and legal issues for all CFEs and for our clients. First, during an investigation, where exactly is this magical cloud storing my defrauded client’s data? Most users have no idea when they check their status on Facebook or upload a photograph to Pinterest where in the real world this information is actually being stored. That they do not even stop to pose the question is a testament to the great convenience, and opacity, of the system. Yet from a corporate governance and fraud prevention risk perspective, whether your client’s data are stored on a computer server in America, Russia, China, or Iceland makes a difference.

ACFE guidance emphasizes that the corporate and individual perimeters that used to protect information internally are disappearing, and the beginning and end of corporate user computer networks are becoming far less well defined. It’s making it much harder for examiners and auditors to see what data are coming and going from a company, and the task is nearly impossible on the personal front. The transition to the cloud is a game changer for anti-fraud security because it completely redefines where data are stored, moved, and accessed, creating sweeping new opportunities for criminal hackers. Moreover, the non-local storage of data raises important questions about deep dependence on cloud-based information systems. When these services go down or become unavailable i.e., a denial of service attack, or the Internet connection is lost, the data become unavailable, and your client for our CFE services is out of business.

All the major cloud service providers are routinely remotely targeted by criminal attacks, including Dropbox, Google, and Microsoft, and more such attacks occur daily. Although it may be your client’s cloud service provider that is targeted in such attack, the client is the victim, and the data taken is theirs’s. Of course, the rights reserved to the providers in their terms of service agreements (and signed by users) usually mean that provider companies bear little or no liability when data breaches occur. These attacks threaten intellectual property, customer data, and even sensitive government information.

To establish trust with end users in the cloud environment, all organizations should address these fraud related risks. They also need to align their users’ perceptions with their policies. Efforts should be made to develop a standardized approach to trust and risk assessment across different domains to reduce the burden on users who seek to better understand and compare policies and practices across cloud provider organizations. This standardized approach will also aid organizations that engage in contractual sharing of consumer information, making it easier to assess risks across organizations and monitor practices for compliance with contracts. policies and law.

During the fraud risk assessment process, CFEs need to advise their individual corporate clients to mandate a given cloud based activity in which they participate to be conducted fairly and to address their privacy concerns. By ensuring this fairness and respecting privacy, organizations give their customers the confidence to disclose personal information on the cloud and to allow that information subsequently to be used to create consumer profiles for business use. Thus, organizations that understand the roles of trust and risk should be advised to continuously monitor user perceptions to understand their relation to risk aversion and risk management. Managers should not rely solely on technical control measures. Security researchers have tended to focus on the hard issues of cryptography and system design. By contrast. issues revolving around the use of computers by lay users and the creation of active incentives to avoid fraud have been relatively neglected. Many ACFE lead studies have shown that human errors are the main cause of information security incidents.

Piecemeal approaches to control security issues related to cloud environments fail simply because they are usually driven by a haphazard occurrence; reaction to the most recent incident or the most recently publicized threat. In other words, managing information security in cloud environments requires collaboration among experts from different disciplines, including computer scientists. engineers. economists, lawyers and anti-fraud assurance professionals like CFE’s, to forge common approaches.

MAC Documents

As our upcoming Ethics 2019 lecture for January-February 2019 makes clear, many of the most spectacular cases of fraud during the last two decades that were, at least initially, successfully concealed from auditors involved the long running falsification of documents. Bernie Madoff and Enron come especially to mind. In hindsight, the auditors involved in these individual cases failed to detect the fraud for multiple reasons, one of which was a demonstrated lack of professional skepticism coupled with a general lack of awareness.

Fraud audit and red flag testing procedures are designed to validate the authenticity of documents and the performance of internal controls. Red flag testing procedures are based on observing indicators in the internal documents and in the internal controls. In contrast, fraud audit testing procedures verify the authenticity of the representations in the documents and internal controls. While internal controls are an element of each, they are not the same as the testing procedures performed in a traditional audit. Considering that fraud audit testing procedures are the basis of the fraud audit program, the analysis of documents will differ between the fraud audit and the traditional verification audit. Business systems are driven by paper documents, both imaged paper documents and electronic documents. Approvals are handwritten, created mechanically, or created electronically through a computerized business application. Therefore, the ability to examine a document for the red flags indicative of a fraud scenario is a critical component in the process of fraud detection.

The ACFE points out that within fraud auditing, there are levels of document examination: the forensic document examination performed by a certified document examiner and the document examination performed by an independent external auditor conducting a fraud audit are distinct. Clearly, the auditor is not required to have the skills of a certified document examiner; however, the auditor should understand the difference between questioned document examination and the examination of documents for red flags.

Questioned, or forensic, document examination is the application of science to the law. The forensic document examiner, using specialized techniques, examines documents and any handwriting on the documents to establish their authenticity and to detect alterations. The American Academy of Forensic Sciences (AAFS) Questioned Document Section and the American Society of Questioned Document Examiners (ASQDE) provide guidance and standards to assurance professionals in the field of document examination. For example, the American Society for Testing and Materials, International (ASTM) Standard E444-09 (Standard Guide for Scope of Work of Forensic Document Examiners) indicates there are four components to the work of a forensic document examiner. These components are the following:

1. Establish document genuineness or non-genuineness, expose forgery, or reveal alterations, additions, or deletions.
2. Identify or eliminate persons as the source of handwriting.
3. Identify or eliminate the source of typewriting or other impression, marks, or relative evidence.
4. Write reports or give testimony, when needed, to aid the users of the examiner’s services in understanding the examiner’s findings.

CFEs will find that some forensic document examiners (FDEs) limit their work to the examination and comparison of handwriting, however, most inspect and examine the whole document in accordance with the ASTM standard.

The fraud examiner or auditor also focuses on the authenticity of the document, with two fundamental differences:

1. The degree of certainty. With forensic document examination, the forensic certainty is based on scientific principles. Fraud audit document examination is based on visual observations and informed audit experience.
2. Central focus. Fraud audit document examination focuses on the red flags associated with a hypothetical fraud scenario. Forensic document examination focuses on the genuineness of the document or handwriting under examination.

Awareness of the basic principles and objectives of forensic document examination is of assistance to any auditor or examiner in determining if, when and how to use the services of a certified document examiner in the process of conducting a fraud audit.

ACFE training indicates that documentary red flags are among the most important of all red flags. Examiners and auditors need to be aware not only of how a fraud scenario occurs, but also of how to employ the correct methodology in identifying and describing the documents related to a given scenario. These capabilities are critical as well in order to be successful in the identification of document related red flags. Specifically, a document must link to the fraud scenario and to the key controls of the involved business process(es).

The target document should be examined for the following: document condition, document format, document information, and industry standards. To these characteristics the concepts of missing, altered, and created content should be applied. The second aspect of the document examination is linking the document to the internal controls. Linking the document examination to the internal controls is a critical aspect of developing the decision tree aspect of the fraud audit program. Using a document examination methodology aids the fraud auditor in building his or her fraud audit program.

The ACFE’s acronym MAC is a useful aid to assist the auditor in identifying red flags and the corresponding audit response. The ‘M’ stands for missing, either missing the entire document or missing information on a document; the ‘A’ for altered information on a document; and the ‘C’ for created documents or information on a document. Specifically:

A missing document is a red flag. Missing documents occur because the document was never created, was destroyed, or has been misfiled. Documents are either the basis of initiating the transaction or support the transaction.

The frequency of missing documents must be linked to the fraud scenario. In some instances, missing one document may be a red flag, although typically repetition is necessary to warrant fraud audit testing procedures. The audit response should focus on the following attributes assuming the document links to a key control:

— Is the document externally or internally created? The existence of externally created documents can be confirmed with the source, assuming the source is not identified as involved in the fraud scenario.
— Is the document necessary to initiate the transaction or is the document a supporting one? Documents used to initiate a transaction had to have existed at some point; therefore, logic dictates that the document was destroyed or misfiled.
— One, two, or all three of the following questions could apply to internal documents:

• Is there a pattern of missing documents associated with the same entity?
• Is there a pattern of missing documents associated with an internal employee?
• Does the document support a key anti-fraud control, therefore being a trigger red flag, or is the missing document related to a non-key control?

With regard to missing information on a document, several questions arise, one of which is: are there tears, torn pieces, soiled areas, or charred areas that cause information to be missing? To address any of these situations, finding a similar document type is needed to determine if the intent of the document has changed because of the missing information.  Another question is: is information obliterated (e.g., covered, blotted, or wiped out)? Overwriting is commonly used to obscure existing writing. Correction fluid is also a common method, but the underlying writing can be read and photographed using transmitted light from underneath the document.

Scratching out writing with a pen will obliterate writing successfully if it results in the page being torn. Spilled liquids can also obliterate writing.

‘A’, altered, pertains to changing or adding information to the original document. The information may be altered manually or through the use of desktop publishing capabilities. For example, manual changes tend to be visible through a difference in handwriting, and electronic documents would generally be altered via the software used to create the document.

Any altering of information would be detected through the same red flags as adding information. In the context of fraud, forgery is the first thing that comes to mind in any discussion of the altering of documents. Forgery is a legal term applied to fraudulent imitation. It is an alteration of writing as to convey a false impression that a document itself, not its contents, is authentic, thereby imposing a legal liability. It is an alteration of a document with the intent to defraud. It should be noted that it is possible for a document examiner to identify a document or signature as a forgery, but it is much less common for the examiner to identify the forger. This is due to the nature of handwriting, whereby a forger is attempting to imitate the writing habit of another person, thereby suppressing his own writing characteristics and style, and in essence, disguising his or her writing.

A ‘C’, or created document is any document prepared by the perpetrator of the fraud scenario. This type of changed document can include added or created documents or added and created text on a document. The document can be prepared by an external source (e.g., a vendor in an over-billing scheme) or an internal source (e.g., a purchasing agent who creates false bids).

Some signs of document creation can include the age of the document being inconsistent with the purported creation date, or the document lacking the sophistication typically associated with normal business standards. Added or created text can inserted with the use of ink or whatever type of writing instrument was used on the original. It can also be added through cutting and pasting sections of text, then photocopying the document to eliminate any outline. When pages are suspected of being added in this manner, a comparison of the type of paper used for the original and the photocopy should be made. In terms of computer-generated and machine-produced documents differences in the software used may result in textual differences.

As the MAC acronym seeks to demonstrate, fraudulent document information can be categorized as missing information, incorrect information, or information inconsistent with normal business standards. Therefore, the investigating CFE or auditor needs to have the requisite business and industry knowledge to correctly associate the appropriate red flags with the relevant documentary information consistent with the fraud scenario under investigation.

The Human Financial Statement

A finance professor of mine in graduate school at the University of Richmond was fond of saying, in relation to financial statement fraud, that as staff competence goes down, the risk of fraud goes up. What she meant by that was that the best operated, most flawless control ever put in place can be tested and tested and tested again and score perfectly every time. But its still no match for the employee who doesn’t know, or perhaps doesn’t even care, how to operate that control; or for the manager who doesn’t read the output correctly, or for the executive who hides part of a report and changes the numbers in the rest. That’s why CFEs and the members of any fraud risk assessment team (especially our client managers who actually own the process and its results), should always take a careful look at the human component of risk; the real-world actions, and lack thereof, taken by real-life employees in addressing the day-to-day duties of their jobs.

ACFE training emphasizes that client management must evaluate whether it has implemented anti-fraud controls that adequately address the risk that a material misstatement in the financial statements will not be prevented or detected timely and then focus on fixing or developing controls to fill any gaps. The guidance offers several specific suggestions for conducting top-down, risk-based anti-fraud focused evaluations, and many of them require the active participation of staff drawn from all over the assessed enterprise. The ACFE documentation also recommends that management consider whether a control is manual or automated, its complexity, the risk of management override, and the judgment required to operate it. Moreover, it suggests that management consider the competence of the personnel who perform the control or monitor its performance.

That’s because the real risk of financial statement misstatements lies not in a company’s processes or the controls around them, but in the people behind the processes and controls who make the organization’s control environment such a dynamic, challenging piece of the corporate puzzle. Reports and papers that analyze fraud and misstatement risk use words like “mistakes” and “improprieties.” Automated controls don’t do anything “improper.” Properly programmed record-keeping and data management processes don’t make “mistakes.” People make mistakes, and people commit improprieties. Of course, human error has always been and will always be part of the fraud examiner’s universe, and an SEC-encouraged, top-down, risk-based assessment of a company’s control environment, with a view toward targeting the control processes that pose the greatest misstatement risk, falls nicely within most CFE’s existing operational ambit. The elevated role for CFEs, whether on staff or in independent private practice, in optionally conducting fraud risk evaluations offers our profession yet another chance to show its value.

Focusing on the human element of misstatement fraud risk is one important way our client companies can make significant progress in identifying their true financial statement and other fraud exposures. It also represents an opportunity for management to identify the weak links that could ultimately result in a misstatement, as well as for CFEs to make management’s evaluation process a much simpler task. I can remember reading many articles in the trade press these last years in which commentators have opined that dramatic corporate meltdowns like Wells Fargo are still happening today, under today’s increased regulatory strictures, because the controls involved in those frauds weren’t the problem, the people were. That is certainly true. Hence, smart risk assessors are integrating the performance information they come across in their risk assessments on soft controls into management’s more quantitative, control-related evaluation data to paint a far more vivid picture of what the risks look like. Often the risks will wear actual human faces. The biggest single factor in calculating restatement risk as a result of a fraud relates to the complexity of the control(s) in question and the amount of human judgment involved. The more complex a control, the more likely it is to require complicated input data and to involve highly technical calculations that make it difficult to determine from system output alone whether something is wrong with the process itself. Having more human judgment in the mix gives rise to greater apparent risk.

A computer will do exactly what you tell it to over and over; a human may not, but that’s what makes humans special, special and risky. In the case of controls, especially fraud prevention related controls, our human uniqueness can manifest as simple afternoon sleepiness or family financial troubles that prove too distracting to put aside during the workday. So many things can result in a mistaken judgment, and simple mistakes in judgment can be extremely material to the final financial statements.

CFEs, of course, aren’t in the business of grading client employees or of even commenting to them about their performance but whether the fraud risk assessment in question is related to financial report integrity or to any other issue, CFEs in making such assessments at management’s request need to consider the experience, training, quality, and capabilities of the people performing the most critical controls.

You can have a well-designed control, but if the person in charge doesn’t know, or care, what to do, that control won’t operate. And whether such a lack of ability, or of concern, is at play is a judgment call that assessing CFEs shouldn’t be afraid to make. A negative characterization of an employee’s capability doesn’t mean that employee is a bad worker, of course. It may simply mean he or she is new to the job, or it may reveal training problems in that employee’s department. CFEs proactively involved in fraud risk assessment need to keep in mind that, in some instances, competence may be so low that it results in greater risk. Both the complexity of a control and the judgment required to operate it are important. The ability to interweave notions of good and bad judgment into the fabric of a company’s overall fraud risk comes from CFEs experience doing exactly that on fraud examinations. A critical employee’s intangibles like conscientiousness, commitment, ethics and morals, and honesty, all come into play and either contribute to a stronger fraud control environment or cause it to deteriorate. CFEs need to be able, while acting as professional risk assessors, to challenge to management the quality, integrity, and motivation of employees at all levels of the organization.

Many companies conduct fraud-specific tests as a component of the fraud prevention program, and many of the most common forms of fraud can be detected by basic controls already in place. Indeed, fraud is a common concern throughout all routine audits, as opposed to the conduct of separate fraud-only audits. It can be argued that every internal control is a fraud deterrent control. But fraud still exists.

What CFEs have to offer to the risk assessment of financial statement and other frauds is their overall proficiency in fraud detection and the reality that they are well-versed in, and cognizant of, the risk of fraud in every given business process of the company; they are, therefore, well positioned to apply their best professional judgment to the assessment of the degree of risk of financial statement misstatement that fraud represents in any given client enterprise.