Risk-Centric Fraud Prevention

A number of our certified Chapter members, currently practicing both independently and as corporate staff, report being asked to proactively assist in the establishment of first time internal fraud prevention programs by clients and employers. That this development is something new is borne out by recent articles in the trade press but, on a moment’s reflection, shouldn’t be surprising since CFEs are so uniquely qualified for the particular task.

At a time when an increasingly volatile stock environment, increased cases of cyber fraud, the pressure of globalization and a multitude of increased regulatory requirements are of major concern to all managements, risk assessment and fraud prevention really have to play an important role in ensuring that corporations are not exposed to unexpected and poorly controlled risks. Internal fraud prevention related activities need to be revisited with a focus not just on all these new business paradigms but also on stakeholders’ expectations, transparency, and accountability.

It just makes sense then that today’s environment also calls for greater collaboration and strong relationships between all types of assurance professionals with their clients at all levels to ensure an internal anti-fraud structure is in place (if one doesn’t presently exist) that facilitates a healthy, secure and transparent operating environment.

To facilitate the establishment of a risk-centric approach, today’s fraud prevention functions (new or presently existing) must continually revisit their methodologies, processes, and practices. CFEs can provide experienced insight and real-time value to their client organization by expanding their consulting efforts to facilitate a risk-centric approach, helping to establish the foundation for a more sophisticated and nimble tone at the top, and by focusing on increased collaboration and strategic engagement.

Fraud prevention efforts have been dominated for some time now by a control focused approach that is often reactive and regressive in actual practice in the face of today’s swiftly changing realities. Anti-fraud professionals today need to widen their proactive scope to address the growing governance threats and risk management needs of increasingly global organizations. This requires them to adopt a revised risk-centric approach that involves:

–Taking fraud prevention and business ethics from a compliance perspective to a cultural mind-set. Accurately assessing these risks requires more than just checking to see whether rules are being followed; practitioners must also try to ensure that the spirit of these rules is incorporated into activities at every level.

–Determining key business and fraud risks rather than casting a wide net over numerous risks, many of which may be remote or obscure; the concept of critical business process identification drawn from disaster recovery and continuous operations planning is especially relevant here.

–Identifying emerging risk issues and trends, such as changes in the regulatory environment (which are often wholly reactive), and bringing them to the attention of key stakeholders.

–Estimating the significance of each fraud risk and assessing its probability of occurrence based on a deeper understanding of the present sense conveyed by constantly shifting data and as sometimes pinpointed by sophisticated statistical analysis.

–Identifying programs and controls designed to more sensitively detect and address risk and by concurrent testing of their effectiveness in real-time.

–Coordinating with the other critical risk and control related business processes, such as compliance, risk management, fiscal control, and legal, to ensure that fraud risks are identified, controlled and managed appropriately.

To provide real strategic value to the organization, new and existing fraud prevention practitioners need to help develop risk-based action plans that respond to their present state of risk assessment awareness and which focus on stakeholder expectations. Internal anti-fraud plans should incorporate risk identification and prioritization, as well as analysis and quantification of risk factors particularly in the new business ventures and strategies so characteristic of today’s volatile environment. Such planning should also reflect an understanding of shared risks among various projects and initiatives, and feature continuous monitoring of business activities and key performance indicators.

In the present cyber-threat laden environment the internal fraud prevention business process has to move from being just another routine and disconnected function to being a fulcrum of organizational governance and risk, working in concert with management, the board, and external auditors. Top management can establish the fraud prevention function’s role by:

–Allowing senior fraud examiners and investigators exposure to security information presently associated with key management and governance committees;
–Championing the importance of ethical conduct, fraud identification and fraud prevention consistently.
–Taking immediate and proactive action on fraud examination and investigative findings regardless of whatever level of the organization suspected perpetrators are identified.
–Holding senior executives accountable for identified instances of fraud, waste and abuse in business processes over which they exercise management oversight.
–Supporting the management of the fraud prevention function when its findings and recommendations to improve security prove politically unpopular.
–Defining fraud prevention’s role and management’s expectations.
–Providing appropriate funding, talent and authority to the function.

The ACFE has long indicated that a strong tone at the top from senior management about the importance of a internal fraud prevention function goes a long way toward promoting the engagement of managers throughout the client organization.

For staff assigned to an internal fraud prevention plan to proactively review important business strategies successfully for fraud vulnerability, examiners need to collaborate with management. In addition to providing assurance on compliance initiatives, examiners should develop a forward-looking approach to their assessment planning in which they cooperate and coordinate with related risk and control functions, focus on critical business risks and exposures, and determine the relevance and effectiveness of gathered executive responses to help an organization manage fraud risk proactively. To be forward-looking, fraud prevention professionals need to be fully integrated into the strategic planning process so that they can clearly identify which fraud related risks the organization will be undertaking. They also must be involved with the business in evaluating problems that come to light to determine whether they are the result of control weaknesses that could also emerge in other parts of the organization.

To identify and analyze rapidly emerging risks, direct resources toward areas of greatest risk, and conduct targeted, real-time investigations in response to specific, predicated risks, examiners must leverage technology, learn new skills, and work with management to understand and clarify their evolving expanded role.

To assess the new emerging risks effectively, fraud prevention professionals must develop a deeper understanding of the client business and of the processes that make competitors in the client’s industry successful. An effective fraud prevention activity that can deal with contemporary business risks and meet the ever-increasing demands of management and stakeholders requires a solid staffing strategy. As CFEs we must help spread the word that our client organizations need to invest in skilled resources, methods, training, career paths, and technical infrastructure to deal with increasing cyber-related business risks related to fraud, their internal controls, and government imposed regulations. When staffing a fraud prevention function, top management should:

–Establish a program for selecting and developing the fraud prevention team.
–Identify the skills and expertise required for an effective anti-fraud business process; the ACFE’s guidance and training programs are an invaluable resource to any organization contemplating a new fraud prevention function or looking to strengthen an existing one.
–Assess existing resources to identify staffing gaps.
–Identify and create key performance indicators for deploying fraud prevention and investigatory resources.
–Co-source or outsource internal fraud prevention activities, based on an assessment of current resources, budget, and strategic and tactical requirements.

Acquiring new skills through ACFE training can enable internally focused examiners to direct resources to those techniques that are the most effective in identifying risks to the organization. Especially important is the need to develop deep expertise in specialties such as credit, IT, finance, compliance, and cyber. In addition, investigators and examiners will have to be trained to approach their work strategically, beginning with a detailed understanding of where its owners and stakeholders view where the client business has been and where it is going.

In summary, progressive internal fraud prevention and investigation functions need to partner with their client organization’s risk management function to gain comprehensive visibility into enterprise-wide risks and to support performance of automation supported follow-on risk assessments that can help prevent fraud vulnerability issues from turning into fraud events. Such insight into the organization’s risk profile allows internal investigative professionals to deliver more strategic value by focusing their proactive fraud risk evaluation efforts on areas that represent the greatest risk to the organization as well as proactively anticipating where emerging fraud risk issues are most likely to cause problems. In addition, leveraging the activities performed by the client’s risk management function can lower fraud prevention’s overall cost of operation.

The Man in the Mirror

I readily confess I would not have won any awards for effective delegation during my early years as a fraud examiner/information systems audit professional. To my mind the buck stopped with the guy in the mirror I saw shaving every morning. I prided myself on being personally capable of performing every routine task of every assignment involved in whatever function I was managing at the time. What finally weaned me from the practice of doing it all myself was the threat of burn-out and the seemingly ever-increasing demands of a typical work week of seventy hours.

The demands of managing in an assurance environment featuring risk assessments, regulatory compliance, fraud investigations, corporate governance, and engagement quality control can be crushing for any new (or not so new) manager but especially so for those unwilling or who simply lack the skills to adequately delegate; those skills usually only come with experience.

While some new to assurance or investigative management may think delegating simply means passing off work to subordinates, the lines of delegation also can occur laterally to peers and upward to superiors. The distinction is important, because in delegating to subordinates, one of the goals is to achieve long term investigative team development. This goal comes with a shift in emphasis from managing to leading. Managing is about getting the work done, whereas leading fosters learning, growth, and a greater sense of responsibility among individual members of the your team.

According to the ACFE, the first step to successful delegation within examination work is recognizing when to let go rather than trying to do too much. For CFEs new to leadership responsibilities, a willingness to delegate can be challenging. CFEs typically advance to management positions as a result of their individual achievements and performance. This advancement fosters a sense that the person best suited to accomplish a given task is the one whose already done it satisfactorily, but that is not the way leaders should think. Even though an assurance professional has advanced to a management position based on past accomplishments, he or she needs to take a broader view of what is in the long term interest of her function group and/or organization. A conscious commitment to delegation can enable the individual manager to not only increase their personal productivity but also (and here I speak from personal experience) gain better control of their lives and, hence, prevent burnout.

An honest self-examination is a precursor to delegation. CFEs and other assurance professionals in a management position need to understand their capabilities and role(s) within the organization. One way to do this is by considering their vision for and the needs of the organization. Then, what are the assurance function’s immediate and long-term goals, including capabilities and developmental needs? Realizing that trusting others, not just one self, to do a high quality job is a personal decision and there can be many barriers to it. What is the nature of your own personal career goals and your priorities for work-life balance? A periodic, wholly candid assessment of these and similar issues can give any manager a better perspective on his or her motives in relation to delegating.

Delegating is more than just shoving work on someone who possesses the skill set to fit the task. Rather, delegating is an opportunity to cultivate members of the investigative team by increasing the number of people who are capable of taking on a bigger role, which can help strengthen the team and create a succession plan in the event of unexpected personnel turnover. How often have we all been witness to the chaos which can ensure when a key staff member leaves and no-one has been groomed to fill her place?

To the extent possible, an new staff CFE should be matched strategically with an assignment that is a bit above his or her head as a way of providing a positive learning experience. Delegating with career development in mind means managers will need to resist playing the role of lifeguard. Subordinates will struggle at times, but managers shouldn’t be too quick to act as helicopter parents and come to the rescue. Instead, managers should remain confident in the basic capabilities of their staff and allow reasonable time for learning and growth, which enables the team to gain experience and add more value to the organization.

Knowing whether a particular assignment is within an examiner’s potential capabilities and can enable him or her to grow professionally, however, is often not an easy task. As managers delegate assignments, they should consider not limiting assignments only to those areas in which an investigator has had prior experience. Also, managers need to avoid the tendency toward primarily delegating interesting or important assignments to the most favored team members; managers should groom everyone on the team not just the superstars; it’s the superstars who are, let’s face it, the most desirable targets for external recruiters. The same is true for undesirable assignments; managers also should spread those among the whole team, which can demonstrate that everyone is treated fairly. A thoughtful delegating process helps keep the assurance team challenged and motivated, thereby reducing the likelihood of losing promising but insufficiently challenged staff members.

Initial parameters need to be established to prevent misunderstandings, deficient productivity, or delays in the timely completion of examinations. All parties involved should have a clear understanding of the delegated assignment and of expectations. However, managers should refrain from giving excessively detailed instructions. Successful delegating does not mean micromanaging anyone. Instead, managers should consider focusing on discussing the objectives, scope, and outcomes of the assignment. When examiners are allowed the flexibility and freedom to perform their work, they not only learn more but also may show considerable ingenuity. Managing CFEs can foster an environment of participative management by encouraging input from subordinates toward refining the plans, expectations, and deadlines, as well as emphasize how the present investigation fits into the larger scheme. When a team member sees the whole process rather than only a part, he or she is less likely to miss a critical matter and may become more motivated to deliver a quality product.

The ACFE recommends that the CFE engagement manager should give his or her subordinates authority to operationally pursue their assignment and to make decisions as they see fit. Delegating the authority is no less important than assigning the responsibility for a task. In the absence of conferring an appropriate level of authority, the team member’s performance could be undercut. Also, examination managers should keep an open mind by welcoming new ideas, innovative suggestions, and alternative proposals from others. Nothing is more motivating for a subordinate than to realize that he or she has a significant ownership stake in the results. This is another reason why managers should delegate as much of an entire assignment, rather than a small portion, as possible. Doing so can help instill a sense of importance and self-esteem for the staff investigator no matter what the number of years of their experience.

Communication is an essential element of successful delegating, and regular updates about progress, results, and deadlines should occur weekly, or sometimes daily, depending on the staff member’s level of experience and the type of assignment. Meetings can be conducted face-to-face, by phone, or through videoconferencing and do not always have to be long to be effective.

As managers check on progress, they should be supportive rather than intrusive and avoid putting a subordinate on the defensive by being too critical. Managers also should allow for communication flexibility by encouraging more immediate contact between progress meetings in the event a matter requiring urgent attention unexpectedly develops.

Any significant delegated assignment should culminate with a constructive evaluation of the subordinate’s performance. Often, there is a tendency to view the simple act of delegation itself as work done. As an old colleague of mine used to say, “A task delegated is a task completed.” Even in a case where the smaller scope of a subordinate’s assignment does not merit an exit session, it is still a boost for team morale to give recognition and show gratitude for the work done.

I have never met an experienced (and successful) CFE investigation team leader who did not embrace the role and significance of delegating. However, the ability to delegate depends on trust, communication, and encouragement. When delegating, assurance managers need to accept the risk that mistakes can and will occur and remember that professionals can learn from their mistakes. Not only is valuable experience gained by the investigative team, but the manager’s time also is freed up for more critical tasks and projects. In the long run, a commitment to delegation serves to strengthen any team of investigators as well as benefit our client organization, whatever and wherever that might be.

Empty Shells

I attended an out of town presentation not too long ago on investment and tax avoidance scams targeting well-to-do retirees. An especially interesting portion of the CFE presenter’s presentation (a recent retiree himself), focused on the use of paper or shell corporations and companies as tools by the perpetrators of such schemes.

Our presenter emphasized that regulators and other law enforcement personnel attempt to identify instances of fraud against retirees and others in order to prosecute the perpetrator and return the fraudulently obtained goods to the victims. However, such frauds tend to be an under-reported crime as victims may be embarrassed that they easily fell prey to the fraudster or may remain connected to the offender because of the engendered trust cultivated. Reluctance to report the crime can stem from a belief that the fraudster will ultimately do the right thing and return any fees or funds. In order to stop such fraud, regulators and law enforcement must be able to detect and identify crime, caution potential investors, and prevent future frauds by taking appropriate legal actions against the perpetrators.

He went on to say that one of the foremost reasons for the existence of the underground economy is to escape taxation, which in some countries can be as high as 51 percent of a person’s nominal income. Swiss bankers have a saying, “There would be no tax havens without tax hells.” As the rate of taxation increases, so does the cost of honesty. The higher the tax burden, the more incentive people have to attempt evading those taxations. Because it is illegal, tax evasion always involves financial secrecy.

Every few years the Internal Revenue Service (IRS) releases its top 12 most blatant tax scams affecting American taxpayers. Over the years the Service has repeatedly warned retirees not to fall for schemes peddled by scammers for the avoidance of taxes featuring the use of dummy corporations (or shells) associated with off-shore accounts in tax havens and emphasizing that there is no secret trick that can eliminate any senior’s tax obligations. Every tax payer should be wary of anyone peddling any of these scams.

The IRS aggressively pursues taxpayers and promoters involved in promoting abusive offshore transactions to wealthy seniors. Such promoters pitch seniors in the use of methods to avoid or evade U.S. income tax by hiding income through shells with accounts in offshore banks, brokerage accounts, or through other entities. Such actively promoted scams feature the use of offshore debit cards, credit cards, wire transfers, foreign trusts, employee-leasing schemes, and private annuities or life insurance plans. The IRS has also identified the use of shells in abusive offshore schemes including those that involve use of electronic funds transfer and payment systems, offshore business merchant accounts and private banking relationships.

But, as our speaker pointed out, shell companies aren’t just for big and medium-sized tax evaders anymore. They have become the financial and deception vehicle of choice for some of the most corrupt, dangerous and ruthless individuals and entities on the planet. Arms dealers, drug cartels, corrupt politicians, scammers, terrorists and cybercriminals are just a few of the most creative and frequent users of shells.

It’s also important to emphasize that not all shell companies are used for nefarious purposes; assurance professionals and investigators need to be aware that there are legitimate uses for these entities, such as using one as a holding company or creating a shell company (in name) to preserve future business rights or opportunities. Not every shell is involved in a criminal conspiracy, so it’s important to understand why someone might use a shell for criminal purposes.

The primary purpose of the use of a shell in a fraud scheme is like that of the fraud itself: to conceal fraudulent activity. This may include the nature, origin, or destination of misappropriated funds and/or concealment of the true owners and decision-makers of a criminal act or conspiracy.

In many instances, one shell company isn’t enough; fraudsters create networks. Dozens of shells, nominee directors, addresses and fake shareholders might be required to fully conceal a scheme or criminal plot. Big-time criminal conspirators will utilize shell incorporators to do the heavy lifting and help create a corporate web of disguise that can perplex and confuse even the best of investigators.

Shells can come in all different shapes and sizes, and the jurisdiction in which they reside can help further the concealment. Some fraudsters create shell companies for single uses and then discard them. Or they may use them repeatedly and have them change hands multiple times. They also may form what our speaker dubbed shelf companies and not use them for a period of time. A shelf company has a better chance of appearing legitimate and fooling a novice investigator or basic due diligence mechanisms because it appears to have existed longer than it really has. An older shelf could have a creation date predating any specific areas of investigative concern, which would allow it to engage in business activities when it otherwise couldn’t without arousing suspicion.

Given the intent, with a small sum of money, time and patience, fraudsters can set up a very elaborate web of shell companies in little time. But establishing the company name is only the first step in creating a shell network of deception. The company needs nominee directors and shareholders, often illegitimate, to further the concealment.

Scammers use nominee directors, and in some instances, other shell companies, to disguise true owners of entities while giving the appearance of legitimacy. Some nominees simply sell their names to fraudsters who use them on company documents. Others actually provide limited services for the shell companies such as processing corporate records, signing for company documents and forwarding mail. These nominee directors are the linchpins to linking and disguising international criminal organizations and operatives. Their use is so widespread that IRS conducted searches among entities frequently disclose nominee directors crossing paths. Some are even listed as directors for the same shell entities.

So what does our speaker recommend that individual CFEs do if we think that one of our clients may be unwittingly doing business with a nefarious shell?

— A shell company can be set up practically anywhere, but successful incorporators have learned to use particular countries and regions. Advantages can include lack of government enforcement or specific laws protecting corporate secrecy. A good source of a high-risk country list is the U.S. State Department’s annual list of major money-laundering countries.
— Use SWIFT codes – a SWIFT code is a unique identifier that’s associated with particular financial and non-financial institutions around the world. If you can identify the SWIFT code for the financial entities the suspected shell is dealing with, you might consider monitoring for any funds originating from or being disbursed to these banks or check to see if any of your client’s customers/vendors have bank accounts associated with these specific institutions.
–Review all available internal data that contains contact, banking, address and ownership information, such as vendor/customer data, wire transfer data, ship to/ship from locations for sales and purchases, purchase orders and invoice support documentation.

Look for :

• Information that doesn’t make sense given the nature of the business relationship with the entity.
• Entity information mismatch: address, phone, fax, ship to, bank, cell contact, etc. in different geographic locations.
• No discernible online presence when compared to the goods/services and the amount of money changing hands.
• The entity “representative” is associated with numerous other companies.
• Payment is made to or received from an unrelated third party. Review incoming/outgoing wire transfer documents.

Our speaker summarized that involvement with shell companies and those associated with them can be very bad news for any of our client companies. Fraudsters within your client organization might make use of them as vehicles of corruption or asset diversion. External perpetrators can passively use them as money-laundering vehicles against your client organization.

All assurance professionals should attempt to stay current with the latest types of abuse associated with the shell company model, trends in international corruption, fraud and asset diversion, and money laundering. ACFE training is, as usual, an excellent resource to do this. To the extent possible, try to screen information on your client’s customers, vendors and employees on an on-going basis. Cross-reference known bad actors and shell companies in the news against the entities with which your clients are doing business. Contact authorities if you and/or your client determine that it has become the victim of a shell company related scheme.

Inventory of Fraud

One of the first frauds I worked on early in my career was a scheme by management to overstate the periodic inventory of the Prison Industries system of a state Department of Corrections.   In that case the manipulation was carried out by creating false inventory counts and altering records after the physical count.

What made this an especially interesting case of management fraud were the various reasons that the audit report subsequently revealed why accounting management had decided to overstate the inventory:

• To overstate the income of Prison Industries.
• To achieve internally projected goals.
• To increase Prison Industry’s perceived value in the eyes of  the State government administration.
• To meet Department of Corrections stiff goals for Prison Industry management.
• To hide poor operational performance.
• To enhance the perceived performance of individual members of management.
• To hide the theft of some inventory.

These reasons are in contrast to fraudster goals if a fraud scheme’s overall objective is to show reduced inventory:

• To reduce income.
• The entity has achieved its goals and wants to show reduced results for the reporting period.
• To reduce the overall value of the business or enterprise.
• A new management team is in place and wants to defer reporting additional performance to the future.

Such inventory counting related schemes are likely to occur with inventory components perceived to be less likely of being counted or in conjunction with a planned reason for the false count. The hope is that any examiner/auditor will view the false count as an error versus an intentional plan to misstate the inventory. Therefore, the examiner needs to ensure that management has no record of the test counts. Certain types of inventory counts are more susceptible to being false, such as:

• Periodic Inventory. This particular inventory is susceptible to false counting because the auditor has no inventory reports to determine what the inventory should have been prior to the count.
• Perpetual Inventory. Variances or in-transit items are often used as an explanation for any deviations.
• Multiple Inventory locations. The non-tested sites are susceptible to false counts because the auditor is not performing procedures at those locations. Management may also use other scams in conjunction with the false-count fraud schemes.

As every accounting student knows, inventory is tangible property that either (1) is held for sale in the ordinary course of business (finished goods); (2) is in the process of production for such sale (work in process); or (3) is currently consumed either directly or indirectly in the production of goods or services available for sale (raw materials). The primary basis of accounting for inventory is cost. By definition, inventory excludes long-term assets subject to depreciation accounting.

The inventory records at Prison Industries were complex. Inventory was constantly being transferred between manufacturing processes, was often dispensed in several locations across the state’s correctional system, and normally comprised a significantly large amount of items. For these reasons, as well as the variety of decisions made about direct valuations, inventory was an appealing place for management to decide to commit financial statement fraud, in this case by manipulating and altering the physical inventory count.

Inventory falsification occurred at Prison Industries when the entity showed inventory on its financial statements that both did not exist and was improperly valued;  the two methods were  used simultaneously.  Techniques used to inflate the value of inventory included the creation of false documents, such as inventory count sheets, receiving reports, and manipulation of the actual physical inventory. During the fraud, it was common for management to insert phony inventory count sheets during the inventory observation or to alter the quantities on the count sheets. There where instances where management created the illusion that inventory existed with the help of phony inventory items. Simply put, some items of inventory that appeared real on paper were actually fake.

The fraud examination was originated as a result of predication provided by a Hot Line tip and featured the application of a number of procedures. Interviews were conducted with management and personnel. Questions asked included the following to determine whether the inventory represented by management actually existed and whether it was properly valued:

– Do the inventories included in the Prison Industries balance sheet physically exist?
– Does the inventory represent items held for use in the ordinary course of production?
– Do inventory quantities include all items on hand or in transit?
– Are inventory listings accurately compiled and are they properly included in the inventory accounts?
– Does the State have legal title or ownership rights to the inventory items?
– Does the inventory exclude items billed to customers or owned by others?
– Are inventory costs the result of an acceptable method consistently applied?
– Are inventories properly classified in the balance sheet and are the related disclosures adequate?

The examiners calculated the inventory turnover ratio. The inventory turnover ratio measures how fast inventory was moving through the entity. If the inventory is inflated, then the average inventory balance will be overstated, causing the inventory turnover ratio to decline. The  inventory turnover ratio was compared with the results from prior years and with industry averages for reasonableness.

Price tests were performed. A fraud examiner must determine whether the pricing of the inventory is reasonable. Price testing employs vouching, tracing, and re-computation procedures to test the auditee’s  pricing of its inventory. An examiner should test the application of prices by vouching items to vendors’ invoices and to cost accounting records to verify that the inventory is properly priced. For example, an examiner selects from the inventory detail item L243, classified as a raw material. According to the company’s records as of the balance sheet date, there are twenty L243s at $120 apiece. The examiner reviews the last invoice representing the purchase of L243s and discovers that the company purchased the L243s at $60 apiece. This price discrepancy is a sign that management might be trying to inflate the value of its inventory. Vendors’ invoices should also be traced to the books to confirm proper price recording. Examiners should recompute the quantities indicated on-hand by the observation with vendor prices to determine that the inventory, balances on the balance sheet are correct.

Following the fraud examination inventory was re-performed. The physical inventory was re-performed to ensure that the enterprise’s application of corrective action to methods for counting inventory would result in an accurate and reliable count in future. The re-examination of physical inventory included observation, as well as inquiries and physical examination (i.e., test counts). It is important to remember that management is responsible for the propriety of the inventory. The examiner observed the re-taking of the inventory to satisfy his/her reliance on management’s representations of the quantities and prices.

Cut off tests were performed. A cut-off test is a procedure to control the shipping and receiving activities at the physical inventory date. For the time of the physical inventory, the examiner  noted the numbers of the last pre-numbered shipping and receiving documents because purchases of inventory often are recorded when received and sales recorded when shipped. Identifying the document numbers helped the examiner determine whether the inventory was properly or improperly included or excluded from the inventory counts. For instance, if management indicated that the last shipping document for 1991 was #2500, then the examiner would assume that #2501 was shipped in January 1992. If, upon review of shipping document #2501, the examiner notices that the inventory was shipped in 1991, then there is the possibility that management is inflating the quantity and value of the company’s inventory at year-end. Therefore, inquiry and further testing are warranted. These cut-off numbers are often used in conjunction with the cut-off test used in accounts receivable and accounts payable testing. If cut-off procedures appear unclear or indicate possible inclusions in inventory of goods sold, then cut-off tests should be expanded.

There are several other audit procedures that can be used in detecting inventory fraud scenarios. These include:

• Reviewing the statement of cash flows and asking whether the increases and decreases in cash make sense in relation to the inventory account balances and changes.
• Computing the inventory turnover ratio and days-to-sell ratio. Do these ratios make sense in relation to what the auditor has verified regarding the physical aspects of the inventory?
• Computing the percentage of gross profit and the related percentage of the cost of goods sold, and then the trend to look for understatement of the cost of goods sold percentage.
• Ensuring there is a consistent use of the inventory cost flow assumption. For example, the use of first-in-first out (FIFO) gives a higher net income in an inflationary environment.

It was the large number of items comprising the inventory that made it an attractive target for fraudulent manipulation at Prison Industries. Theft and misuse are the actions of choice when it comes to inventory fraud. The rationale typically Is: “Who is going to miss a few hundred widgets in an inventory of thousands, perhaps millions?” The size of inventory as a percentage of the amount of total assets also makes it an easy target for management-initiated financial reporting misstatement. Having the possibility of two types of fraudulent acts ganging up on inventories at the same time, the CFE doesn’t want to waste time going down the wrong path, so it’s very important to determine which fraudulent act is likely occurring.

Any discussion of fraud likelihood involves the concepts of concealment, conversion, and opportunity. So, in addition to “how” the Inventory fraud took place, other questions need to be addressed, such as: How sophisticated is the concealment strategy? Who has the most benefit to gain by the theft, misuse, or misstatement of the inventories? Who has and where are the opportunities to divert/misstate inventories? These are the questions that need to be answered by the CFE/auditor, and fortunately, the tools and guidance are available from the ACFE to achieve the right answers when faced with almost any pattern of inventory fraud.

On Motivation

The ACFE tells us that there is no simple profile for employees who commit fraud. However, some ACFE statistics are available. Its research has repeatedly shown that about 10 percent to 15 percent of employees are fundamentally dishonest and are likely to steal from their company if given the opportunity. About 66 percent of employees are likely to steal under the right circumstances, such as when under pressure, or when “everyone is doing it,” and the opportunity exists. In contrast, about 20 percent to 25 percent of employees are fundamentally honest and are unlikely to steal under any circumstances.

Furthermore, those employees who do steal from the company are unlikely to have a prior criminal record, and those with a good education, family, background, and work record can be just as likely to steal as anyone else.

On the other hand, research shows that the three elements of the standard fraud triangle, with which we’re all familiar, have proven themselves descriptive over many the years in explaining which employees may defraud our client companies.

• Pressure – Usually related to financial pressure such as large medical bills, gambling problems, drug habits, and extravagant living.

• Opportunity – Required to commit any fraud.

• Rationalization – Likely depends on the type of criminal and the criminal’s personality type or possible personality disorder.

The rationalization component of the fraud triangle suggests possible types of individuals who may commit fraud:

• The fundamentally dishonest employee without a personality disorder. This person could habitually be dishonest but does not have a personality disorder. Rationalization comes easily because the person is accustomed to dishonesty. Therefore, the rationalizations are likely to include statements such as “I need it more than they do” and “They won’t miss it.”

• The fundamentally dishonest employee with a personality disorder. Various personality disorders may contribute to the ability of the employee to rationalize fraud. Psychiatry uses the diagnosis antisocial personality disorder and the related diagnosis dissocial personality disorder. The following are characteristics that apply to persons with these types of mental disorders:

— Nonconformist behavior; tend to be misfits.
— Habitual lying and dishonesty.
— Impulsiveness.
— Irritability and aggressiveness.
— Insensitivity to harming self or others.
— Strong disregard for the needs of self and others.
— Tendency to blame others for personal faults and mistakes.
— Lack of responsibility.
— Difficulty in establishing and maintaining close relationships.
— Absence of the ability to feel emotions or the full range of normal emotions.

The deceitfulness dimension of these disorders could enable the person to hide some or all of his or her antisocial characteristics. This type of person is often able to steal without giving much conscious thought to rationalizations. The crime could simply arise out of the mental disturbance.

• Then there is the normally honest employee who steals given pressure and opportunity and rationalizes the theft. A person who does not normally steal is likely to give serious thought to rationalizing the theft. One common rationalization is that the person is only borrowing the money; often the person takes money with the intent to pay it back, and many times does in fact pay it back. The result is that the corporate till can become the employee’s personal lending institution; however, in many cases, the person is never able to pay back the ill-gotten loan. The normally honest employee is likely to steal out of a sudden financial need or because of a problem with a financially excessive lifestyle.

The ACFE advises us to consider possible motives when examining evidence related to an occupational fraud. Motive is the power that prompts a person to act. Motive, however, should not be confused with intent, which refers to the state of mind of the accused when performing the act. Motive, unlike intent, is not an essential element of crime, and criminal law generally treats a person’s motive as irrelevant in determining guilt or innocence. Even so, motive is relevant for other purposes: it can help identify the perpetrator; it will often guide the examiner to the proper rationalization; it further incriminates the accused; and it can be helpful in ensuring successful prosecution.

The examiner should search relevant documents to determine a possible motive. For example, if a fraud examiner has evidence in the form of a paycheck written to a ghost employee, s/he might suspect a payroll employee who recently complained about not having received a raise in the past two years. Although such information does not mean that the payroll employee committed fraud, the possible motive can guide the examiner.

During the process of interviewing suspects, interviewers should seek to understand the possible motives of interviewees. To do this, interviewers should suspend their own value system. This will better position the interviewer(s) to persuade suspects to reveal information providing insight into what might have pressured or motivated them and how they might have rationalized their actions.

In an interview situation, the examiner should not suggest reasons for the crime. Instead, the examiner should let the individual share his or her motivations, even if the suspect reveals those motivations in an indirect manner.

In interviewing suspects for motives:

• Leave your ego at the door.
• Talk to the suspected perpetrator as an adult.
• Do not patronize the suspect.
• Use good communication skills to develop rapport with subjects so that they will feel comfortable talking to you.
• Avoid being confrontational with the suspect. If the interviewer is confrontational, the perpetrator will be less likely to make an admission.

When conducting an interview with a suspect, the interviewer should begin by asking questions about the standard procedures and the actual practice of the operations at issue. This is necessary to gain an understanding of the way the relevant process is intended to work and how it actually works. Additionally, asking such basic questions early in the interview will help the interviewer observe the interviewee’s “normal” behavior so that the interviewer can notice any changes in the subject’s mannerisms and word choice.

Next, the interviewer might ask non-accusatory questions related to the issue at hand, such as:

• Why do you think someone would do something like this?
• What do you think should happen to a person who would do something like this?
• Of all of the people who work in this area, who could be involved?

The answers to these questions can help the interviewer understand the possible motives of various suspects, narrow the pool of suspects, or even obtain an admission. For example, a suspect who answers the question “Why do you think someone would do something like this?” with a sympathetic answer might be trying to appeal to the interviewer’s sense of compassion to reduce or minimize his or her punishment.

The more the interviewer knows about the perpetrator, the better chance s/he will have of identifying the perpetrator’s motive and rationalization. Once the perpetrator thinks that the interviewer understands her motive, she will become more likely to confess.

During the motivation identifying interview, fraud examiners must also remember that there are times when rational people behave irrationally. This is important in the interview process because it will help humanize the misconduct. Unless the perpetrator has a mental or emotional disorder, it is acceptable to expect that the perpetrator committed the fraud for a reason.

Situational fraudsters, those who rationalize their right to an illegal enrichment and perpetrate fraud when the opportunity arises, do not tend to view themselves as criminals. This is in contrast to deviant fraudsters, who are more proactive than situational fraudsters and who are always on the alert for opportunities to commit fraud. Situational fraudsters rationalize their crimes. Situational fraudsters feel that they need to commit fraud to regain control over their lives. Thus, an interviewer will be more likely to obtain a confession from a situational fraudster if s/he can genuinely communicate that s/he understands how anyone under similar-circumstances might commit such a crime. Genuineness, however, is key. If the fraudster in any way detects that the interviewer is constructing a trap, s/he generally will not make an admission of wrongdoing.

In summary, the fraud triangle is always helpful in explaining motivations for employees to defraud their employing organization by drawing attention to pressure, opportunity, and rationalization. Pressure is typically caused by sudden financial needs arising from things such as medical bills, gambling problems, drug habits, and extravagant living. The opportunity depends on the employee’s position and the strength of the company’s internal control processes. Rationalization depends on the type of criminal. The pure sociopath may need little or no rationalization. The fundamentally dishonest employee may give some conscious thought to rationalizing crimes, but the rationalization comes easily because the person is accustomed to dishonesty. Finally, the normally honest employee generally expends the most effort in rationalizing the crime, and often this type of person will really think that s/he is only borrowing the money.

Cloud Shapes

Just as clouds can take different shapes and be perceived differently, so too is cloud computing perceived differently by our various types of client companies. To some, the cloud looks like web-based applications, a revival of the old thin client. To others, the cloud looks like utility computing, a grid that charges metered rates for processing time. To some, the cloud could be parallel computing, designed to scale complex processes for improved efficiency. Interestingly, cloud services are wildly different. Amazon’s Elastic Compute Cloud offers full Linux machines with root access and the opportunity to run whatever apps the user chooses. Google’s App Engine will also let users run any program they want, as long as the user specifies it in a limited version of Python and uses Google’s database.

The National Institute of Standards and Technology (NIST) defines cloud computing as a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. It is also important to remember what our ACFE tells us, that the Internet itself is in fact a primitive transport cloud. Users place something on the path with an expectation that it will get to the proper destination, in a reasonable time, with all parties respecting the privacy and security of the artifact.

Cloud computing, as everyone now knows, brings many advantages to users and vendors. One of its biggest advantages is that a user may no longer have to be tethered to a traditional computer to use an application, or have to buy a version of an application that is specifically configured for a phone, a tablet or other device. Today, any device that can access the Internet can run a cloud-based application. Application services are available independent of the user’s home or office devices and network interfaces. Regardless of the device being used, users also face fewer maintenance issues. End users don’t have to worry about storage capacity, compatibility or other similar concerns.

From a fraud prevention perspective, these benefits are the result of the distributed nature of the web, which necessitates a clear separation between application and interaction logic. This is because application logic and user data reside mostly on the web cloud and manifest themselves in the form of tangible user interfaces at the point of interaction, e.g., within a web browser or mobile web client. Cloud computing is also beneficial for our client’s vendors. Businesses frequently find themselves using the vast majority of their computing capacity in a small percentage of time, leaving expensive equipment often idle. Cloud computing can act as a utility grid for vendors and optimize the use of their resources. Consider, for example, a web-based application running in Amazon’s cloud. Suppose there is a sudden surge in visitors as a result of media coverage, for example. Formerly, many web applications would fail under the load of big traffic spikes. But in the cloud, assuming that the web application has been designed intelligently, additional machine instances can be launched on demand.

With all the benefits, there are related constraints. Distrust is one of the main constraints on online environments generally. particularly in terms of consumer fraud, waste and abuse protection. Although the elements that contribute to building trust can be identified in broad terms, there are still many uncertainties in defining and establishing trust in online environments. Why should users trust cloud environments to store their personal information and to share their privacy in such a large and segregated environment? This question can be answered only by investigating these uncertainties in the context of risk assessment and by exploring the relationship between trust and the way in which the risk is perceived by stakeholders. Users are assumed to be willing to disclose personal information and have that information used subsequently to store their personal data or to create consumer profiles for business use when they perceive that fair procedures are in place to protect their individual privacy.

The changing trust paradigm represented by cloud computing means that less information is stored locally on our client’s machines and is instead being hosted elsewhere on earth. No one for the most part buys software anymore; users just rent it or receive it for free using the Software as a Service (SaaS) business model. On the personal front, cloud computing means Google is storing user’s mail, Instagram their photographs, and Dropbox their documents, not to mention what mobile phones are automatically uploading to the cloud for them. In the corporate world, enterprise customers not only are using Dropbox but also have outsourced primary business functions that would have previously been handled inside the company to SaaS providers such as Salesforce.com, Zoho.com, and Box.com.

From a crime and security perspective, the aggregation of all these data, exabytes and exabytes of it, means that user’s most personal of information is no longer likely stored solely on their local hard drives but now aggregated on computer servers around the world. By aggregating important user data, financial and otherwise, on cloud-based computer servers, the cloud has obviated the need for criminals to target everybody’s hard drive individually and instead put all the jewels in a single place for criminals and hackers to target (think Willie Sutton).

The cloud is here to stay, and at this point there is no going back. But with this move to store all available data in the cloud come additional risks. Thinking of some of the largest hacks to date, Target, Heartland Payment Systems, TJX, and Sony PlayStation Network; all of these thefts of hundreds of millions of accounts were made possible because the data were stored in the same virtual location. The cloud is equally convenient for individuals, businesses, and criminals.

The virtualization and storage of all of these data is a highly complex process and raises a wide array of security, public policy, and legal issues for all CFEs and for our clients. First, during an investigation, where exactly is this magical cloud storing my defrauded client’s data? Most users have no idea when they check their status on Facebook or upload a photograph to Pinterest where in the real world this information is actually being stored. That they do not even stop to pose the question is a testament to the great convenience, and opacity, of the system. Yet from a corporate governance and fraud prevention risk perspective, whether your client’s data are stored on a computer server in America, Russia, China, or Iceland makes a difference.

ACFE guidance emphasizes that the corporate and individual perimeters that used to protect information internally are disappearing, and the beginning and end of corporate user computer networks are becoming far less well defined. It’s making it much harder for examiners and auditors to see what data are coming and going from a company, and the task is nearly impossible on the personal front. The transition to the cloud is a game changer for anti-fraud security because it completely redefines where data are stored, moved, and accessed, creating sweeping new opportunities for criminal hackers. Moreover, the non-local storage of data raises important questions about deep dependence on cloud-based information systems. When these services go down or become unavailable i.e., a denial of service attack, or the Internet connection is lost, the data become unavailable, and your client for our CFE services is out of business.

All the major cloud service providers are routinely remotely targeted by criminal attacks, including Dropbox, Google, and Microsoft, and more such attacks occur daily. Although it may be your client’s cloud service provider that is targeted in such attack, the client is the victim, and the data taken is theirs’s. Of course, the rights reserved to the providers in their terms of service agreements (and signed by users) usually mean that provider companies bear little or no liability when data breaches occur. These attacks threaten intellectual property, customer data, and even sensitive government information.

To establish trust with end users in the cloud environment, all organizations should address these fraud related risks. They also need to align their users’ perceptions with their policies. Efforts should be made to develop a standardized approach to trust and risk assessment across different domains to reduce the burden on users who seek to better understand and compare policies and practices across cloud provider organizations. This standardized approach will also aid organizations that engage in contractual sharing of consumer information, making it easier to assess risks across organizations and monitor practices for compliance with contracts. policies and law.

During the fraud risk assessment process, CFEs need to advise their individual corporate clients to mandate a given cloud based activity in which they participate to be conducted fairly and to address their privacy concerns. By ensuring this fairness and respecting privacy, organizations give their customers the confidence to disclose personal information on the cloud and to allow that information subsequently to be used to create consumer profiles for business use. Thus, organizations that understand the roles of trust and risk should be advised to continuously monitor user perceptions to understand their relation to risk aversion and risk management. Managers should not rely solely on technical control measures. Security researchers have tended to focus on the hard issues of cryptography and system design. By contrast. issues revolving around the use of computers by lay users and the creation of active incentives to avoid fraud have been relatively neglected. Many ACFE lead studies have shown that human errors are the main cause of information security incidents.

Piecemeal approaches to control security issues related to cloud environments fail simply because they are usually driven by a haphazard occurrence; reaction to the most recent incident or the most recently publicized threat. In other words, managing information security in cloud environments requires collaboration among experts from different disciplines, including computer scientists. engineers. economists, lawyers and anti-fraud assurance professionals like CFE’s, to forge common approaches.

MAC Documents

As our upcoming Ethics 2019 lecture for January-February 2019 makes clear, many of the most spectacular cases of fraud during the last two decades that were, at least initially, successfully concealed from auditors involved the long running falsification of documents. Bernie Madoff and Enron come especially to mind. In hindsight, the auditors involved in these individual cases failed to detect the fraud for multiple reasons, one of which was a demonstrated lack of professional skepticism coupled with a general lack of awareness.

Fraud audit and red flag testing procedures are designed to validate the authenticity of documents and the performance of internal controls. Red flag testing procedures are based on observing indicators in the internal documents and in the internal controls. In contrast, fraud audit testing procedures verify the authenticity of the representations in the documents and internal controls. While internal controls are an element of each, they are not the same as the testing procedures performed in a traditional audit. Considering that fraud audit testing procedures are the basis of the fraud audit program, the analysis of documents will differ between the fraud audit and the traditional verification audit. Business systems are driven by paper documents, both imaged paper documents and electronic documents. Approvals are handwritten, created mechanically, or created electronically through a computerized business application. Therefore, the ability to examine a document for the red flags indicative of a fraud scenario is a critical component in the process of fraud detection.

The ACFE points out that within fraud auditing, there are levels of document examination: the forensic document examination performed by a certified document examiner and the document examination performed by an independent external auditor conducting a fraud audit are distinct. Clearly, the auditor is not required to have the skills of a certified document examiner; however, the auditor should understand the difference between questioned document examination and the examination of documents for red flags.

Questioned, or forensic, document examination is the application of science to the law. The forensic document examiner, using specialized techniques, examines documents and any handwriting on the documents to establish their authenticity and to detect alterations. The American Academy of Forensic Sciences (AAFS) Questioned Document Section and the American Society of Questioned Document Examiners (ASQDE) provide guidance and standards to assurance professionals in the field of document examination. For example, the American Society for Testing and Materials, International (ASTM) Standard E444-09 (Standard Guide for Scope of Work of Forensic Document Examiners) indicates there are four components to the work of a forensic document examiner. These components are the following:

1. Establish document genuineness or non-genuineness, expose forgery, or reveal alterations, additions, or deletions.
2. Identify or eliminate persons as the source of handwriting.
3. Identify or eliminate the source of typewriting or other impression, marks, or relative evidence.
4. Write reports or give testimony, when needed, to aid the users of the examiner’s services in understanding the examiner’s findings.

CFEs will find that some forensic document examiners (FDEs) limit their work to the examination and comparison of handwriting, however, most inspect and examine the whole document in accordance with the ASTM standard.

The fraud examiner or auditor also focuses on the authenticity of the document, with two fundamental differences:

1. The degree of certainty. With forensic document examination, the forensic certainty is based on scientific principles. Fraud audit document examination is based on visual observations and informed audit experience.
2. Central focus. Fraud audit document examination focuses on the red flags associated with a hypothetical fraud scenario. Forensic document examination focuses on the genuineness of the document or handwriting under examination.

Awareness of the basic principles and objectives of forensic document examination is of assistance to any auditor or examiner in determining if, when and how to use the services of a certified document examiner in the process of conducting a fraud audit.

ACFE training indicates that documentary red flags are among the most important of all red flags. Examiners and auditors need to be aware not only of how a fraud scenario occurs, but also of how to employ the correct methodology in identifying and describing the documents related to a given scenario. These capabilities are critical as well in order to be successful in the identification of document related red flags. Specifically, a document must link to the fraud scenario and to the key controls of the involved business process(es).

The target document should be examined for the following: document condition, document format, document information, and industry standards. To these characteristics the concepts of missing, altered, and created content should be applied. The second aspect of the document examination is linking the document to the internal controls. Linking the document examination to the internal controls is a critical aspect of developing the decision tree aspect of the fraud audit program. Using a document examination methodology aids the fraud auditor in building his or her fraud audit program.

The ACFE’s acronym MAC is a useful aid to assist the auditor in identifying red flags and the corresponding audit response. The ‘M’ stands for missing, either missing the entire document or missing information on a document; the ‘A’ for altered information on a document; and the ‘C’ for created documents or information on a document. Specifically:

A missing document is a red flag. Missing documents occur because the document was never created, was destroyed, or has been misfiled. Documents are either the basis of initiating the transaction or support the transaction.

The frequency of missing documents must be linked to the fraud scenario. In some instances, missing one document may be a red flag, although typically repetition is necessary to warrant fraud audit testing procedures. The audit response should focus on the following attributes assuming the document links to a key control:

— Is the document externally or internally created? The existence of externally created documents can be confirmed with the source, assuming the source is not identified as involved in the fraud scenario.
— Is the document necessary to initiate the transaction or is the document a supporting one? Documents used to initiate a transaction had to have existed at some point; therefore, logic dictates that the document was destroyed or misfiled.
— One, two, or all three of the following questions could apply to internal documents:

• Is there a pattern of missing documents associated with the same entity?
• Is there a pattern of missing documents associated with an internal employee?
• Does the document support a key anti-fraud control, therefore being a trigger red flag, or is the missing document related to a non-key control?

With regard to missing information on a document, several questions arise, one of which is: are there tears, torn pieces, soiled areas, or charred areas that cause information to be missing? To address any of these situations, finding a similar document type is needed to determine if the intent of the document has changed because of the missing information.  Another question is: is information obliterated (e.g., covered, blotted, or wiped out)? Overwriting is commonly used to obscure existing writing. Correction fluid is also a common method, but the underlying writing can be read and photographed using transmitted light from underneath the document.

Scratching out writing with a pen will obliterate writing successfully if it results in the page being torn. Spilled liquids can also obliterate writing.

‘A’, altered, pertains to changing or adding information to the original document. The information may be altered manually or through the use of desktop publishing capabilities. For example, manual changes tend to be visible through a difference in handwriting, and electronic documents would generally be altered via the software used to create the document.

Any altering of information would be detected through the same red flags as adding information. In the context of fraud, forgery is the first thing that comes to mind in any discussion of the altering of documents. Forgery is a legal term applied to fraudulent imitation. It is an alteration of writing as to convey a false impression that a document itself, not its contents, is authentic, thereby imposing a legal liability. It is an alteration of a document with the intent to defraud. It should be noted that it is possible for a document examiner to identify a document or signature as a forgery, but it is much less common for the examiner to identify the forger. This is due to the nature of handwriting, whereby a forger is attempting to imitate the writing habit of another person, thereby suppressing his own writing characteristics and style, and in essence, disguising his or her writing.

A ‘C’, or created document is any document prepared by the perpetrator of the fraud scenario. This type of changed document can include added or created documents or added and created text on a document. The document can be prepared by an external source (e.g., a vendor in an over-billing scheme) or an internal source (e.g., a purchasing agent who creates false bids).

Some signs of document creation can include the age of the document being inconsistent with the purported creation date, or the document lacking the sophistication typically associated with normal business standards. Added or created text can inserted with the use of ink or whatever type of writing instrument was used on the original. It can also be added through cutting and pasting sections of text, then photocopying the document to eliminate any outline. When pages are suspected of being added in this manner, a comparison of the type of paper used for the original and the photocopy should be made. In terms of computer-generated and machine-produced documents differences in the software used may result in textual differences.

As the MAC acronym seeks to demonstrate, fraudulent document information can be categorized as missing information, incorrect information, or information inconsistent with normal business standards. Therefore, the investigating CFE or auditor needs to have the requisite business and industry knowledge to correctly associate the appropriate red flags with the relevant documentary information consistent with the fraud scenario under investigation.

The Human Financial Statement

A finance professor of mine in graduate school at the University of Richmond was fond of saying, in relation to financial statement fraud, that as staff competence goes down, the risk of fraud goes up. What she meant by that was that the best operated, most flawless control ever put in place can be tested and tested and tested again and score perfectly every time. But its still no match for the employee who doesn’t know, or perhaps doesn’t even care, how to operate that control; or for the manager who doesn’t read the output correctly, or for the executive who hides part of a report and changes the numbers in the rest. That’s why CFEs and the members of any fraud risk assessment team (especially our client managers who actually own the process and its results), should always take a careful look at the human component of risk; the real-world actions, and lack thereof, taken by real-life employees in addressing the day-to-day duties of their jobs.

ACFE training emphasizes that client management must evaluate whether it has implemented anti-fraud controls that adequately address the risk that a material misstatement in the financial statements will not be prevented or detected timely and then focus on fixing or developing controls to fill any gaps. The guidance offers several specific suggestions for conducting top-down, risk-based anti-fraud focused evaluations, and many of them require the active participation of staff drawn from all over the assessed enterprise. The ACFE documentation also recommends that management consider whether a control is manual or automated, its complexity, the risk of management override, and the judgment required to operate it. Moreover, it suggests that management consider the competence of the personnel who perform the control or monitor its performance.

That’s because the real risk of financial statement misstatements lies not in a company’s processes or the controls around them, but in the people behind the processes and controls who make the organization’s control environment such a dynamic, challenging piece of the corporate puzzle. Reports and papers that analyze fraud and misstatement risk use words like “mistakes” and “improprieties.” Automated controls don’t do anything “improper.” Properly programmed record-keeping and data management processes don’t make “mistakes.” People make mistakes, and people commit improprieties. Of course, human error has always been and will always be part of the fraud examiner’s universe, and an SEC-encouraged, top-down, risk-based assessment of a company’s control environment, with a view toward targeting the control processes that pose the greatest misstatement risk, falls nicely within most CFE’s existing operational ambit. The elevated role for CFEs, whether on staff or in independent private practice, in optionally conducting fraud risk evaluations offers our profession yet another chance to show its value.

Focusing on the human element of misstatement fraud risk is one important way our client companies can make significant progress in identifying their true financial statement and other fraud exposures. It also represents an opportunity for management to identify the weak links that could ultimately result in a misstatement, as well as for CFEs to make management’s evaluation process a much simpler task. I can remember reading many articles in the trade press these last years in which commentators have opined that dramatic corporate meltdowns like Wells Fargo are still happening today, under today’s increased regulatory strictures, because the controls involved in those frauds weren’t the problem, the people were. That is certainly true. Hence, smart risk assessors are integrating the performance information they come across in their risk assessments on soft controls into management’s more quantitative, control-related evaluation data to paint a far more vivid picture of what the risks look like. Often the risks will wear actual human faces. The biggest single factor in calculating restatement risk as a result of a fraud relates to the complexity of the control(s) in question and the amount of human judgment involved. The more complex a control, the more likely it is to require complicated input data and to involve highly technical calculations that make it difficult to determine from system output alone whether something is wrong with the process itself. Having more human judgment in the mix gives rise to greater apparent risk.

A computer will do exactly what you tell it to over and over; a human may not, but that’s what makes humans special, special and risky. In the case of controls, especially fraud prevention related controls, our human uniqueness can manifest as simple afternoon sleepiness or family financial troubles that prove too distracting to put aside during the workday. So many things can result in a mistaken judgment, and simple mistakes in judgment can be extremely material to the final financial statements.

CFEs, of course, aren’t in the business of grading client employees or of even commenting to them about their performance but whether the fraud risk assessment in question is related to financial report integrity or to any other issue, CFEs in making such assessments at management’s request need to consider the experience, training, quality, and capabilities of the people performing the most critical controls.

You can have a well-designed control, but if the person in charge doesn’t know, or care, what to do, that control won’t operate. And whether such a lack of ability, or of concern, is at play is a judgment call that assessing CFEs shouldn’t be afraid to make. A negative characterization of an employee’s capability doesn’t mean that employee is a bad worker, of course. It may simply mean he or she is new to the job, or it may reveal training problems in that employee’s department. CFEs proactively involved in fraud risk assessment need to keep in mind that, in some instances, competence may be so low that it results in greater risk. Both the complexity of a control and the judgment required to operate it are important. The ability to interweave notions of good and bad judgment into the fabric of a company’s overall fraud risk comes from CFEs experience doing exactly that on fraud examinations. A critical employee’s intangibles like conscientiousness, commitment, ethics and morals, and honesty, all come into play and either contribute to a stronger fraud control environment or cause it to deteriorate. CFEs need to be able, while acting as professional risk assessors, to challenge to management the quality, integrity, and motivation of employees at all levels of the organization.

Many companies conduct fraud-specific tests as a component of the fraud prevention program, and many of the most common forms of fraud can be detected by basic controls already in place. Indeed, fraud is a common concern throughout all routine audits, as opposed to the conduct of separate fraud-only audits. It can be argued that every internal control is a fraud deterrent control. But fraud still exists.

What CFEs have to offer to the risk assessment of financial statement and other frauds is their overall proficiency in fraud detection and the reality that they are well-versed in, and cognizant of, the risk of fraud in every given business process of the company; they are, therefore, well positioned to apply their best professional judgment to the assessment of the degree of risk of financial statement misstatement that fraud represents in any given client enterprise.

Forensic Data Analysis

As a long term advocate of big data based solutions to investigative challenges, I have been interested to see the recent application of such approaches to the ever-growing problem of data beaches. More data is stored electronically than ever before, financial data, marketing data, customer data, vendor listings, sales transactions, email correspondence, and more, and evidence of fraud can be located anywhere within those mountains of data. Unfortunately, fraudulent data often looks like legitimate data when viewed in the raw. Taking a sample and testing it might not uncover fraudulent activity. Fortunately, today’s fraud examiners have the ability to sort through piles of information by using special software and data analysis techniques. These methods can identify future trends within a certain industry, and they can be configured to identify breaks in audit control programs and anomalies in accounting records.

In general, fraud examiners perform two primary functions to explore and analyze large amounts of data: data mining and data analysis. Data mining is the science of searching large volumes of data for patterns. Data analysis refers to any statistical process used to analyze data and draw conclusions from the findings. These terms are often used interchangeably. If properly used, data analysis processes and techniques are powerful resources. They can systematically identify red flags and perform predictive modeling, detecting a fraudulent situation long before many traditional fraud investigation techniques would be able to do so.

Big data are high volume, high velocity, and/or high variety information assets that require new forms of processing to enable enhanced decision making, insight discovery, and process optimization. Simply put, big data is information of extreme size, diversity, and complexity. In addition to thinking of big data as a single set of data, fraud investigators and forensic accountants are conceptualizing about the way data grow when different data sets are connected together that might not normally be connected. Big data represents the continuous expansion of data sets, the size, variety, and speed of generation of which makes it difficult for investigators and client managements to manage and analyze.

Big data can be instrumental to the evidence gathering phase of an investigation. Distilled down to its core, how do fraud examiners gather data in an investigation? They look at documents and financial or operational data, and they interview people. The challenge is that people often gravitate to the areas with which they are most comfortable. Attorneys will look at documents and email messages and then interview individuals. Forensic accounting professionals will look at the accounting and financial data (structured data). Some people are strong interviewers. The key is to consider all three data sources in unison.

Big data helps to make it all work together to bring the complete picture into focus. With the ever-increasing size of data sets, data analytics has never been more important or useful. Big data requires the use of creative and well-planned analytics due to its size and complexity. One of the main advantages of using data analytics in a big data environment is that it allows the investigator to analyze an entire population of data rather than having to choose a sample and risk drawing erroneous conclusions in the event of a sampling error.

To conduct an effective data analysis, a fraud examiner must take a comprehensive approach. Any direction can (and should) be taken when applying analytical tests to available data. The more creative fraudsters get in hiding their breach-related schemes, the more creative the fraud examiner must become in analyzing data to detect these schemes. For this reason, it is essential that fraud investigators consider both structured and unstructured data when planning their engagements.

Data are either structured or unstructured. Structured data is the type of data found in a database, consisting of recognizable and predictable structures. Examples of structured data include sales records, payment or expense details, and financial reports. Unstructured data, by contrast, is data not found in a traditional spreadsheet or database. Examples of unstructured data include vendor invoices, email and user documents, human resources files, social media activity, corporate document repositories, and news feeds. When using data analysis to conduct a fraud examination, the fraud examiner might use structured data, unstructured data, or a combination of the two. For example, conducting an analysis on email correspondence (unstructured data) among employees might turn up suspicious activity in the purchasing department. Upon closer inspection of the inventory records (structured data), the fraud examiner might uncover that an employee has been stealing inventory and covering her tracks in the record.

Recent reports of breach responses detailed in social media and the trade press indicate that those investigators deploying advanced forensic data analysis tools across larger data sets provided better insights into the penetration, which lead to more focused investigations, better root cause analysis and contributed to more effective fraud risk management. Advanced technologies that incorporate data visualization, statistical analysis and text-mining concepts, as compared to spreadsheets or relational database tools, can now be applied to massive data sets from disparate sources enhancing breach response at all organizational levels.

These technologies enable our client companies to ask new compliance questions of their data that they might not have been able to ask previously. Fraud examiners can establish important trends in business conduct or identify suspect transactions among millions of records rather than being forced to rely on smaller samplings that could miss important transactions.

Data breaches bring enhanced regulatory attention. It’s clear that data breaches have raised the bar on regulators’ expectations of the components of an effective compliance and anti-fraud program. Adopting big data/forensic data analysis procedures into the monitoring and testing of compliance can create a cycle of improved adherence to company policies and improved fraud prevention and detection, while providing additional comfort to key stakeholders.

CFEs and forensic accountants are increasingly being called upon to be members of teams implementing or expanding big data/forensic data analysis programs so as to more effectively manage data breaches and a host of other instances of internal and external fraud, waste and abuse. To build a successful big data/forensic data analysis program, your client companies would be well advised to:

— begin by focusing on the low-hanging fruit: the priority of the initial project(s) matters. The first and immediately subsequent projects, the low-hanging investigative fruit, normally incurs the largest cost associated with setting up the analytics infrastructure, so it’s important that the first few investigative projects yield tangible results/recoveries.

— go beyond usual the rule-based, descriptive analytics. One of the key goals of forensic data analysis is to increase the detection rate of internal control noncompliance while reducing the risk of false positives. From a technology perspective, client’s internal audit and other investigative groups need to move beyond rule-based spreadsheets and database applications and embrace both structured and unstructured data sources that include the use of data visualization, text-mining and statistical analysis tools.

— see that successes are communicated. Share information on early successes across divisional and departmental lines to gain broad business process support. Once validated, success stories will generate internal demand for the outputs of the forensic data analysis program. Try to construct a multi-disciplinary team, including information technology, business users (i.e., end-users of the analytics) and functional specialists (i.e., those involved in the design of the analytics and day-to-day operations of the forensic data analysis program). Communicate across multiple departments to keep key stakeholders assigned to the fraud prevention program updated on forensic data analysis progress under a defined governance program. Don’t just seek to report instances of noncompliance; seek to use the data to improve fraud prevention and response. Obtain investment incrementally based on success, and not by attempting to involve the entire client enterprise all at once.

—leadership support will gets the big data/forensic data analysis program funded, but regular interpretation of the results by experienced or trained professionals are what will make the program successful. Keep the analytics simple and intuitive; don’t try to cram too much information into any one report. Invest in new, updated versions of tools to make analytics sustainable. Develop and acquire staff professionals with the required skill sets to sustain and leverage the forensic data analysis effort over the long-term.
Finally, enterprise-wide deployment of forensic data analysis takes time; clients shouldn’t be lead to expect overnight adoption; an analytics integration is a journey, not a destination. Quick-hit projects might take four to six weeks, but the program and integration can take one to two years or more.

Our client companies need to look at a broader set of risks, incorporate more data sources, move away from lightweight, end-user, desktop tools and head toward real-time or near-real time analysis of increased data volumes. Organizations that embrace these potential areas for improvement can deliver more effective and efficient compliance programs that are highly focused on identifying and containing damage associated with hacker and other exploitation of key high fraud-risk business processes.

Regulating the Financial Data Breach

During several years of my early career, I was employed as a Manager of Operations Research by a mid-sized bank holding company. My small staff and I would endlessly discuss issues related to fraud prevention and develop techniques to keep our customer’s checking and savings accounts safe, secure and private. A never ending battle!

It was a simpler time back then technically but since a large proportion of fraud committed against banks and financial institutions today still involves the illegal use of stolen customer or bank data, some of the newest and most important laws and regulations that management assurance professionals, like CFEs, must be aware of in our practice, and with which our client banks must comply, relate to the safeguarding of confidential data both from internal theft and from breaches of the bank’s information security defenses by outside criminals.

As the ACFE tells us, there is no silver bullet for fully protecting any organization from the ever growing threat of information theft. Yet full implementation of the measures specified by required provisions of now in place federal banking regulators can at least lower the risk of a costly breach occurring. This is particularly true since the size of recent data breaches across all industries have forced Federal enforcement agencies to become increasingly active in monitoring compliance with the critical rules governing the safeguarding of customer credit card data, bank account information, Social Security numbers, and other personal identifying information. Among these key rules are the Federal Reserve Board’s Inter-agency Guidelines Establishing Information Security Standards, which define customer information as any record containing nonpublic personal information about an individual who has obtained a financial product or service from an institution that is to be used primarily for personal, family, or household purposes and who has an ongoing relationship with the institution.

Its important to realize that, under the Inter-agency Guidelines, customer information refers not only to information pertaining to people who do business with the bank (i.e., consumers); it also encompasses, for example, information about (1) an individual who applies for but does not obtain a loan; (2) an individual who guarantees a loan; (3) an employee; or (4) a prospective employee. A financial institution must also require, by contract, its own service providers who have access to consumer information to develop appropriate measures for the proper disposal of the information.

The FRB’s Guidelines are to a large extent drawn from the information protection provisions of the Gramm Leach Bliley Act (GLBA) of 1999, which repealed the Depression-era Glass-Steagall Act that substantially restricted banking activities. However, GLBA is best known for its formalization of legal standards for the protection of private customer information and for rules and requirements for organizations to safeguard such information. Since its enactment, numerous additional rules and standards have been put into place to fine-tune the measures that banks and other organizations must take to protect consumers from the identity-related crimes to which information theft inevitably leads.

Among GLBA’s most important information security provisions affecting financial institutions is the so-called Financial Privacy Rule. It requires banks to provide consumers with a privacy notice at the time the consumer relationship is established and every year thereafter.

The notice must provide details collected about the consumer, where that information is shared, how that information is used, and how it is protected. Each time the privacy notice is renewed, the consumer must be given the choice to opt out of the organization’s right to share the information with third-party entities. That means that if bank customers do not want their information sold to another company, which will in all likelihood use it for marketing purposes, they must indicate that preference to the financial institution.

CFEs should note , that most pro-privacy advocacy groups strongly object to this and other privacy related elements of GLBA because, in their view, these provisions do not provide substantive protection of consumer privacy. One major advocacy group has stated that GLBA does not protect consumers because it unfairly places the burden on the individual to protect privacy with an opt-out standard. By placing the burden on the customer to protect his or her data, GLBA weakens customer power to control their financial information. The agreement’s opt-out provisions do not require institutions to provide a standard of protection for their customers regardless of whether they opt-out of the agreement. This provision is based on the assumption that financial companies will share information unless expressly told not to do so by their customers and, if customers neglect to respond, it gives institutions the freedom to disclose customer nonpublic personal information.

CFEs need to be aware, however, that for bank clients, regardless of how effective, or not, GLBA may be in protecting customer information, noncompliance with the Act itself is not an option. Because of the current explosion in breaches of bank information security systems, the privacy issue has to some degree been overshadowed by the urgency to physically protect customer data; for that reason, compliance with the Interagency Guidelines concerning information security is more critical than ever. The basic elements partially overlap with the preventive measures against internal bank employee abuse of the bank’s computer systems. However, they go quite a bit further by requiring banks to:

—Design an information security program to control the risks identified through a security risk assessment, commensurate with the sensitivity of the information and the complexity and scope of its activities.
—Evaluate a variety of policies, procedures, and technical controls and adopt those measures that are found to most effectively minimize the identified risks.
—Application and enforcement of access controls on customer information systems, including controls to authenticate and permit access only to authorized individuals and to prevent employees from providing customer information to unauthorized individuals who may seek to obtain this information through fraudulent means.
—Access restrictions at physical locations containing customer information, such as buildings, computer facilities, and records storage facilities to permit access only to authorized individuals.
—Encryption of electronic customer information, including while in transit or in storage on networks or systems to which unauthorized individuals may gain access.
—Procedures designed to ensure that customer information system modifications are consistent with the institution’s information security program.
—Dual control procedures, segregation of duties, and employee background checks for employees with responsibilities for or access to customer information.
—Monitoring systems and procedures to detect actual and attempted attacks on or intrusions into customer information systems.
—Response programs that specify actions to be taken when the institution suspects or detects that unauthorized individuals have gained access to customer information systems, including appropriate reports to regulatory and law enforcement agencies.
—Measures to protect against destruction, loss, or damage of customer information due to potential environmental hazards, such as fire and water damage or technological failures.

The Inter-agency Guidelines require a financial institution to determine whether to adopt controls to authenticate and permit only authorized individuals access to certain forms of customer information. Under this control, a financial institution also should consider the need for a firewall to safeguard confidential electronic records. If the institution maintains Internet or other external connectivity, its systems may require multiple firewalls with adequate capacity, proper placement, and appropriate configurations.

Similarly, the institution must consider whether its risk assessment warrants encryption of electronic customer information. If it does, the institution must adopt necessary encryption measures that protect information in transit, in storage, or both. The Inter-agency Guidelines do not impose specific authentication or encryption standards, so it is advisable for CFEs to consult outside experts on the technical details applicable to your client institution’s security requirements especially when conducting after the fact fraud examinations.

The financial institution also must consider the use of an intrusion detection system to alert it to attacks on computer systems that store customer information. In assessing the need for such a system, the institution should evaluate the ability, or lack thereof, of its staff to rapidly and accurately identify an intrusion. It also should assess the damage that could occur between the time an intrusion occurs and the time the intrusion is recognized and action is taken.

The regulatory agencies have also provided our clients with requirements for responding to information breaches. These are contained in a related document entitled Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice (Incident Response Guidance). According to the Incident Response Guidance, a financial institution should develop and implement a response program as part of its information security program. The response program should address unauthorized access to or use of customer information that could result in substantial harm or inconvenience to a customer.

Finally, the Inter-agency Guidelines require financial institutions to train staff to prepare and implement their information security programs. The institution should consider providing specialized training to ensure that personnel sufficiently protect customer information in accordance with its information security program.

For example, an institution should:

—Train staff to recognize and respond to schemes to commit fraud or identity theft, such as guarding against pretext spam calling.
—Provide staff members responsible for building or maintaining computer systems and local and wide area networks with adequate training, including instruction about computer security.
—Train staff to properly dispose of customer information.