Author Archives: cwl890 - Page 2

Do We Owe It?

During one of our past May training events, our speaker, shared a fascinating, real life example from her own practice of how detailed analytic analysis could be especially helpful in addressing false billing frauds. In addition, she explained at length just how this type of fraud works.

In a false billing scheme, an employee or outside party creates false vouchers or submits false invoices to a target organizational payer. These documents cause the payer to issue payments for goods or services that are either completely fictitious or overstated in price. The perpetrator then collects the fraudulent payments/checks and converts them for personal use. Another common billing fraud involves buying personal goods or services with company money.

A false billing fraud affects the purchasing cycle, causing the company to pay for nonexistent or non-essential goods or services. Most false billing frauds involve a service, since it is easier to conceal a service that is never performed than to conceal goods never received. As our speaker’s example demonstrated, the most common billing scheme, is setting up one or more bogus vendors. There are several ways to do this. The most common is to create a fictitious vendor (often called a shell company), open a bank account in the shell company’s name, and bill the victimized company. The perpetrator then creates an invoice and sends it to his/her employer. Invoices can be professionally produced via computer and desktop publishing software, typewritten, or even prepared manually. Often, the most difficult aspect of a fraudulent billing scheme is getting the false invoice approved and paid. In many instances of billing fraud, the person perpetrating the fraud is also the person in the company who is authorized to approve invoices for payment. Another popular means of getting invoice approval is to submit invoices to an inattentive, trusting, or “rubber-stamp” manager. Furthermore, perpetrators often create false supporting documents to facilitate approvals and payments, e.g., voucher packages.

A perpetrator can also use a shell company to perpetrate a pass-through billing scheme: the perpetrator places orders for goods with his shell company, has his shell company order the goods from a legitimate supplier at market prices, and then sells those goods to his employer at inflated prices. The fraud lies in the fact that the victimized company is buying the goods it needs from an unauthorized vendor at inflated prices. The perpetrator “profits” from the inflated prices gained while acting as an unauthorized middle-man in a necessary company transaction.

Rather than utilizing shell companies to overbill, some employees generate false disbursements through invoices of non-accomplice vendors. In what is called a pay and return scheme, the perpetrator makes an error in a vendor payment to facilitate the theft. One way to do that is to overpay or double-up on payments, request a check from the vendor for the excess, and steal the check when it arrives. Another scenario is to pay the wrong vendor by placing vendor checks in the wrong envelopes, then calling the vendors to explain the mistake and requesting the return of the checks. When the checks return, they are stolen. The support documents are sent through the accounts payable system a second time; and these checks are sent to the proper vendors.

Another scheme involves purchasing personal items with company money. One popular way to do this is to make a personal purchase, then run the unauthorized invoice through the accounts payable system. If the perpetrator is not in a position to approve the purchase, s/he may have to create a false purchase order to make the transaction appear legitimate or alter an existing purchase order and have an accomplice in receiving remove the excess merchandise.
Another way to purchase personal items with company money is to have the company order merchandise, then intercept the goods when they are delivered. To avoid having the merchandise delivered to the company, the perpetrator often will have it diverted to their home or some other address, such as a spouse’s business address. A third way to purchase personal items with company money is to make personal purchases on company credit cards. No matter which of the approaches is used, the perpetrator will either keep the purchases for personal use or turn the purchase into cash (or a credit card refund) by returning the merchandise.

Our event speaker pointed out that, in some ways, it’s easier to conceal a billing fraud than other frauds, but in other ways, it’s harder. It’s easier in that the perpetrator does not have to remove cash or inventory from company premises; instead, the company mails her a check. It’s more difficult in that, when the perpetrator creates a bogus vendor or shell company, s/he has to come up with a name, mailing address (often the fraudster’s home address or a postal box), and phone number (often a home phone number); open a bank account in the shell company’s name (usually requiring him or her to file or forge articles of incorporation) or in his own name; deposit and withdraw money; and create and send vendor invoices. Any of these can lead back to the perpetrator, making it easier to find him once the fraud is detected and the shell company identified.

Depending on the scheme and organizational controls in place, the perpetrator may have to falsify or alter a purchase requisition, purchase order, receiving report, or vendor invoice, or fool or force the authorizing person to approve or forge an authorization. Perpetrators involved in a pay and return fraud usually have to intercept any checks that are returned.

Our speaker additionally presented a number of red flags usually present when a false billing fraud is taking place, including:

• An unexplained increase in services performed (services that were paid for, but never performed);
• Payments to unapproved vendors;
• Invoices approved without supporting documents;
• Falsified or altered voucher documents; for example, altering a purchase order after its approval;
• Inflated prices on purchases or orders of unnecessary goods and services;
• Payments to an entity controlled by an employee;
• Multiple payments on the same invoice or over payments on an invoice;
• Personal purchases with company credit cards or charge accounts;
• Excessive returns to vendors, or full payment not received for items returned;
• A vendor with a post office box address (many post office box addresses are legitimate, but a smart.

On May 15-16th, 2019 our Chapter will be hosting a two-day ACFE lead seminar entitled, ‘How to Testify’. Our speaker, Hugo Holland, wants to make a courtroom pro out of you! Learn how to testify effectively on direct and cross examination, basic courtroom procedures, and most important, tricks for surviving on the witness stand. Improve your techniques on how to offer testimony about damages and restitution while learning to know when to draw the line between aggressive testimony and improper advocacy. Walk away with more effective report writing skills and explore the different types of evidence and legal remedies in this 2-day, ACFE instructor-led course. To review the event content and to register to attend, click here. Hope you can join us!

Fraudsters, All Too Human

Our certified Chapter members often get questions from clients and employers related to why a fraudster who’s victimized them did what he or she did. Examiners with the most experience in the process of interviewing those later convicted of fraud comment again and again about the usefulness to their overall investigation of a basic understanding of the fraudster’s basic mind set. Such knowledge can aid the examiner in narrowing down the preliminary pool of suspects, and, most importantly, assist in gaining an admission in a subsequent admissions seeking interview. ACFE experts regard fraud (and the process of interviewing) primarily as human constructs, and especially within the content of the interview process, to be able to tie in the pressure that the individual might have been under (as they perceived it) to the interview process; to understand that individual with regard to their rationalization as they were able to affect it, significantly increases the possibility of getting the compliance and cooperation that the examiner wants from the interviewee.

During your investigation, it’s important to remember that people do things for a reason. The fraud examiner might not understand the reasons a fraudster commits his or her crime, but the motivations certainly make sense to the perpetrator. For example, a perpetrator might commit fraud because her life has spiraled out of control, although it might not be out of control under a objective, reasonable person’s definition. But in the perpetrator’s view, her life has become so problematic that fraud is the only way she can see to restore balance. And during the fraud examination, if the examiner can get the suspected perpetrator to talk about the lack of control in her life, the examiner can often use this information to compel the fraudster to admit guilt and provide valuable insight into ways that similar frauds might be prevented in the future.

As a continuation of this line of thought, the examiner should consider possible human motives when examining evidence. Motive is the power that prompts a person to act. Motive, however, should not be confused with intent, which refers to the state of mind of the accused when performing the act. Motive, unlike intent, is not an essential element of crime, and criminal law generally treats a person’s motive as irrelevant in determining guilt or innocence. Even so, motive is relevant for other purposes. It can help identify the perpetrator; it will often guide the examiner to the proper rationalization; it further incriminates the accused, and it can be helpful in ensuring successful prosecution.

The examiner should search relevant documents to determine a possible motive. For example, if a fraud examiner has evidence in the form of a paycheck written to a ghost employee, she might suspect a payroll employee who recently complained about not receiving a raise in the past two years. Although such information doesn’t mean that the payroll employee committed fraud, the possible motive can guide the examiner.

ACFE experts also agree that interviewers should seek to understand the possible motives of the various suspects they encounter during an examination. To do this, interviewers should suspend their own value system. This will better position the interviewer to persuade the suspect(s) to reveal information providing insight into what might have pressured or motivated them and how they might have rationalized their actions. In an interview situation, the examiner should not suggest reasons for the crime. Instead, the examiner should let the individual share his motivations, even if the suspect reveals her motivations in an indirect manner. So when conducting an interview with a suspect, the interviewer should begin by asking questions about the standard procedures and the actual practice of the operations at issue. This is necessary to gain an understanding of the way the relevant process is intended to work as opposed to how it actually works. Additionally, asking such basic questions early in the interview will help the interviewer observe the interviewee’s normal behavior so that the interviewer can notice any changes in the subject’s mannerisms and word choice.

Always remember that there are times when rational people behave irrationally. This is important in the interview process because it will help humanize the misconduct. As indicated above, unless the perpetrator has a mental or emotional disorder, it is acceptable to expect that the perpetrator committed the fraud for a reason. Situational fraudsters (those who rationalize their right to an illegal enrichment and perpetrate fraud when the opportunity arises) do not tend to view themselves as criminals. In contrast to deviant fraudsters, who are more proactive than situational fraudsters and who are always on the alert for opportunities to commit fraud, situational fraudsters rationalize their crimes. Situational fraudsters feel that they need to commit fraud to regain control over their lives. Thus, an interviewer will be more likely to obtain a confession from a situational fraudster if she can genuinely communicate that she understands how anyone under similar circumstances might commit such a crime. Genuineness, however, is key. If the fraudster in any way detects that the interviewer is presenting a trap, he generally will not make any admission of wrongdoing.

So, in your examinations, never lose sight of the human element; that by definition, fraud involves human deception for personal gain. Why do people deceive to get what they want, or in some cases, what they need? Most humans commit deceptive acts to protect themselves from various consequences of the truth. Avoiding punishment is the most common reason for deception, but there are other reasons, including to protect another person, to win the admiration or respect of others, to avoid embarrassment, enjoy the thrill of accomplishment and to avoid hard work to achieve goals. When people feel that their self-security is threatened, they might resort to deception to preserve their image. Further, people can become so engaged in managing how others perceive them that they become unable to separate the truth from fiction in their own minds.

The ability to sympathetically cast oneself into the human situation of others is one of the most valuable skills that a fraud examiner can have in our efforts to determine the truth.

Cash In – Cash Out

One of our associate Chapter members has become involved in her first fraud investigation just months after graduating from university and joining her first employer. She’s working for a restaurant management consulting practice and the investigation involves cash theft targeting the cash registers of one of the firm’s smaller clients. Needless to say, we had a lively discussion!

There are basically two ways a fraudster can steal cash from his or her employer. One is to trick the organization into making a payment for a fraudulent purpose. For instance, a fraudster might produce an invoice from a nonexistent company or submit a timecard claiming hours that s/he didn’t really work. Based on the false information that the fraudster provides, the organization issues a payment, e.g., by sending a check to the bogus company or by issuing an inflated paycheck to the employee. These schemes are known as fraudulent disbursements of cash. In a fraudulent disbursement scheme, the organization willingly issues a payment because it thinks that the payment is for a legitimate purpose. The key to the success of these types of schemes is to convince the organization that money is owed.

The second way (as in our member’s restaurant case) to misappropriate cash is to physically remove it from the organization through a method other than the normal disbursement process. An employee takes cash out of his cash register, puts it in his pocket, and walks out the door. Or, s/he might just remove a portion of the cash from the bank deposit on their way to the bank. This type of misappropriation is what is referred to as a cash theft scheme. These schemes reflect what most people think of when they hear the term “theft”; a person simply grabs the money and sneaks away with it.

What are commonly denoted cash theft schemes divide into two categories, skimming and larceny. The difference between whether it’s skimming or larceny depends completely on when the cash is stolen, a distinction confusing to our associate member. Cash larceny is the theft of money that has already appeared on a victim organization’s books, while skimming is the theft of cash that has not yet been recorded in the accounting system. The way an employee extracts the cash may be exactly the same for a cash larceny or skimming scheme. Because the money is stolen before it appears on the books, skimming is known as an “off-book” fraud. The absence of any recorded entry for the missing money also means there is no direct audit trail left by a skimming scheme. The fact that the funds are stolen before they are recorded means that the organization may not be “aware” that the cash was ever received. Consequently, it may be very difficult to detect that the money has been stolen.

The basic structure of a skimming scheme is simple: Employee receives payment from a customer, employee pockets payment, employee does not record the payment. There are a number of variations on the basic plot, however, depending on the position of the perpetrator, the type of company that is victimized, and the type of payment that is skimmed. In addition, variations can occur depending on whether the employee skims sales or receivables (this post is only about sales).

Most skimming, particularly in the retail sector, occurs at the cash register – the spot where revenue enters the organization. When the customer purchases merchandise, he or she pays a cashier and leaves the store with whatever s/he purchased, i.e., a shirt, a meal, etc. Instead of placing the money in the cash register, the employee simply puts it in his or her pocket without ever recording the sale. The process is made much easier when employees at cash collection points are left unsupervised as is the case in many small restaurants. A common technique is to ring a “no sale” or some other non-cash transaction on the employee’s register. The false transaction is entered on the register so that it appears that the employee is recording the sale. If a manager is nearby, it will look like the employee is following correct cash receipting procedures, when in fact the employee is stealing the customer’s payment. Another way employees sometimes skim unrecorded sales is by conducting sales during nonbusiness hours. For instance, many employees have been caught selling company merchandise on weekends or after hours without the knowledge of the owners. In one case, a manager opened his store two hours early every day and ran it business-as-usual, pocketing all sales made during the “unofficial” store hours. As the real opening time approached, he would destroy all records from the off-hours transactions and start the day from scratch.

Although sales skimming does not directly affect the books, it can show up on a company’s records in indirect ways, usually as inventory shrinkage; this is how the skimming thefts were detected at our member’s client. The bottom line is that unless skimming is being conducted on a very large scale, it is usually easier for the fraudster to ignore the shrinkage problem. From a practical standpoint, a few missing pieces of inventory are not usually going to trigger a fraud investigation. However, if a skimming scheme is large enough, it can have a marked effect on a small business’ inventory, especially in a restaurant where profit margins are always tight and a few bad sales months can put the concern out of business. Small business owners should conduct regular inventory counts and make sure that all shortages are promptly investigated and accounted for.

Any serious attempt to deter and detect cash theft must begin with observation of employees.
Skimming and cash larceny almost always involve some form of physical misappropriation of cash or checks; the perpetrator actually handles, conceals, and removes money from the company. Because the perpetrator will have to get a hold of funds and actually carry them away from the company’s premises, it is crucial for management to be able to observe employees who handle incoming cash.

Charting the Road Ahead

There are a number of good reasons why fraud examiners and forensic accountants should work hard at including inclusive, well written descriptions of fraud scenarios in their reports; some of these reasons are obvious and some less so. A well written fraud report, like little else, can put dry controls in the context of real life situations that client managers can comprehend no matter what their level of actual experience with fraud. It’s been my experience that well written reports, couched in plain business language, free from descriptions of arcane control structures, and supported by hard hitting scenario analysis can help spark anti-fraud conversations throughout the whole of a firm’s upper management.

A well written report can be a vital tool in transforming that discussion from, for example, relatively abstract talk about the need for an identity management system to a more concrete and useful one dealing with the report’s description of how the theft of vital business data has actually proven to benefit a competitor.

Well written, comprehensive fraud reports can make fraud scenarios real by concretely demonstrating the actual value of the fraud prevention effort to enterprise management and the Board. They can also graphically help set the boundaries for the expectations of what management will expect the prevention function to do in the future if this, or similar scenarios, actually re-occur. The written presentation of the principal fraud or loss scenario treated in the report necessarily involves consideration of the vital controls in place to prevent its reoccurrence which then allows for the related presentation of a qualitative assessment of the present effectiveness of the controls themselves. A well written report thus helps everyone understand how all the control failures related to the fraud interacted and reinforced each other; it’s, therefore, only natural that the fraud examiner or analyst recommend that the report’s intelligence be channeled for use in the enterprise’s fraud and loss prevention program.

Strong fraud report writing has much in common with good story telling. A narrative is shaped explaining a sequence of events that, in this case, has led to an adverse outcome. Although sometimes industry or organization specific, the details of the specific fraud’s unfolding always contains elements of the unique and can sometimes be quite challenging for the examiner even to narrate. The narrator/examiner should especially strive to clearly identify the negative outcomes of the fraud for the organization for those outcomes can sometimes be many and related. Each outcome should be explicitly explicated and its impact clearly enumerated in non-technical language.

But to be most useful as a future fraud prevention tool the examiner’s report needs to make it clear that controls work as separate lines of defense, at times in a sequential way, and at other times interacting with each other to help prevent the re-occurrence of the adverse event. The report should attempt to demonstrate in plain language how this structure broke down in the current instance and demonstrate the implications for the enterprise’s future fraud prevention efforts. Often, the report might explain, how the correct operation of just one control may provide adequate protection or mitigation. If the controls operate independently of each other, as they often do, the combined probability of all of them failing simultaneously tends to be significantly lower than the probability of failure of any one of them. These are the kinds of realities with the power to significantly and positively shape the fraud prevention program for the better and, hence, should never be buried in individual reports but used collectively, across reports, to form a true combined resource for the management of the prevention program.

The final report should talk about the likelihood of the principal scenario being repeated given the present state of preventative controls; this is often best-estimated during discussions with client management, if appropriate. What client management will truly be interested in is the probability of recurrence, but the question is actually better framed in terms of the likelihood over a long (extended) period of time. This question is best answered by involved managers, in particular with the loss prevention manager. If the answer is that this particular fraud risk might materialize again once every 10 years, the probability of its annual occurrence is a sobering 10 percent.

As with frequency estimation, to be of most on-going help in guiding the fraud prevention program, individual fraud reports should attempt to estimate the severity of each scenario’s occurrence. Is it the worst case loss, or the most likely or median loss? In some cases, the absolute worst case may not be knowable, or may mean something as disastrous as the end-of-game for the organization. Any descriptive fraud scenario presented in a fraud report should cover the range of identified losses associated with the case at hand (including any collateral losses the business is likely to face). Documented control failures should always be clearly associated with the losses. Under broad categories, such as process and workflow errors, information leakage events, business continuity events and external attacks, there might have to be a number of developed, narrative scenarios to address the full complexity of the individual case.

Fraud reports, especially for large organizations for which the risk of fraud must always remain a constant preoccupation, can be used to extend and refine fraud prevention programs. Using the documented results of the fraud reporting process, report data can be converted to estimates of losses at different confidence intervals and fed to the fraud prevention program’s estimated distributions for frequency and severity. The bottom line is that organizations of all sizes shouldn’t just shelve their fraud reports but use them as vital input tools to build and maintain the ongoing process of fraud risk assessment for ultimate inclusion in the enterprise’s loss prevention and fraud prevention programs.

! RVACFES May 2019 Spring Training Event !

The ACFE wants to help establish you as a consummate courtroom professional! Certified Fraud Examiners, accountants, auditors and investigative/assurance professionals of all kinds are called upon to provide testimony in criminal and civil prosecutions where their services can be used to support investigations of matters such as financial frauds, embezzlements, misapplication of funds, bankruptcy fraud, improper accounting practices, and tax fraud. Fraud examiners may also be used as defense witnesses or to support the defendant’s counsel on matters that involve accounting or audit related issues.

LEARN MORE

There are two basic kinds of testimony. The first is lay testimony (sometimes called factual testimony), where witnesses testify about what they have experienced firsthand and their factual observations. The second kind is expert testimony, where a person who, by reason of education, training, skill, or experience, is qualified to render an expert opinion regarding certain issues at hand. Typically, a fraud examiner who worked on a case will be capable of providing lay testimony based on observations made during the investigation.

Certified Fraud Examiners (CFEs) and forensic accountants serve two primary roles as experts in forensic matters: expert consultants and expert witnesses. The fraud investigator must always be prepared to serve as an expert witness in court and learning how best to do so is critical for the rounded professional. The expert consultant is an independent fraud examiner/accounting contractor who provides expert opinions in a wide array of cases, such as those relating to fraud investigations, divorces, mergers and acquisitions, employee-employer disputes, insurance disputes, and so on. In a fraud case, the CFE could identify and document all fraudulent transactions. This in turn could lead to reaching a plea bargain with a guilty employee. Therefore, the CFE helps solve a problem before any expert trial testimony is needed.

In addition, CFEs and forensic accountants are called upon to provide expert consultation services involving testimony in such areas as:

• Fraud investigations and management.
• Business valuation calculations.
• Economic damage calculations.
• Lost profits and wages.
• Disability income analysis.
• Economic analyses and valuations in matrimonial (prenuptial, postnuptial, and divorce) accounting.
• Adequacy of life insurance.
• Analysis of contract proposals.

As you will learn, the most important considerations at trial for experts are credibility, demeanor, understandability, and accuracy. Credibility is not something that can be controlled in and of itself but is a result of the factors that are under the control of the expert witness. Our speaker, HUGO HOLLAND, CFE, JD will expound in greater detail on these and other general guidelines:

• The answering of questions in plain language. Judges, juries, arbitrators, and others tend to believe expert testimony more when they truly understand what the expert says. It is best, therefore, to reduce complicated, technical arguments to plain language.

• The answering of only what is asked. Expert witnesses should not volunteer more than what is asked even when not volunteering more testimony could suggest that the expert’s testimony is giving the wrong impression. It is up to counsel to clear up any misimpressions through follow-up questions. That is, it is up to counsel to “rehabilitate” an expert witness who appears to have been impeached. That said, however, experienced expert witnesses sometimes volunteer information to protect their testimony from being twisted. Experience is needed to know when and how to do this. The best thing for an inexperienced expert witness is to work with experienced attorneys who know how to rehabilitate witnesses.

• The maintenance of a steady demeanor. It is important for the expert witness to maintain a steady, smooth demeanor regardless of which questions are asked and which side’s attorney asks them. It is especially undesirable to do something such as assume defensive body language when being questioned by the opposing side.

• How to be friendly and smile at appropriate times. Judges and juries are just people, and it helps to appear as relaxed but professional.

• Remain silent when there is an objection by one of the attorneys. Continue speaking only when instructed to do so.

• How best to state the facts. The expert witness should tell truth plainly and simply. You will learn how the expert’s testimony should not become more complicated or strained when it appears to be harmful to the client the expert represents. The expert witness should not try to answer questions to which she does not know the answer but should simply say that she does not know or does not have enough information to form an opinion.

• Learn to control the pace The opposing attorney can sometimes attempt to crush a witness by rapid fire questions. The expert witness should avoid firing back answers at the same pace. This can avoid giving the appearance that she is arguing with the examining attorney. It also helps prevent her from being rushed and overwhelmed to the point of making mistakes.
• Learn how to testify effectively on direct and cross examination, basic courtroom procedures, and most important, tricks for surviving on the witness stand. Improve your techniques on how to offer testimony about damages and restitution while learning to know when to draw the line between aggressive testimony and improper advocacy. Walk away with more effective report writing skills and explore the different types of evidence and legal remedies in this 2-day, ACFE instructor-led course.

REGISTER HERE!

The Association of Certified Fraud Examiners is the world’s largest anti-fraud organization and premier provider of antifraud training and education. Together with more than 85,000 members, the ACFE is reducing business fraud worldwide and inspiring public confidence in the integrity and objectivity within the profession. Visit ACFE.com to learn more.

“ACFE,” “CFE,” “Certified Fraud Examiner,” “CFE Exam Prep Course,” “Fraud Magazine,” “Association of Certified Fraud Examiners,” “Report to the Nations,” the ACFE Seal, the ACFE Logo and related trademarks, names and logos are the property of the Association of Certified Fraud Examiners, Inc., and are registered and/or used in the U.S. and countries around the world.

Inflexible Reporting

Our Chapter and the ACFE have published a number of articles and posts over the last few years about the various types of pressures that can push ethically challenged employees over the line between temptation and the perpetration of an actual accounting fraud. One category of such pressure stems directly from the nature of our present system of periodic financial reporting which, it can be argued, not only creates unnecessary volatility in the stock and financial markets but ends up requiring rational investors to demand a premium for securities investments by emphasizing the short term risk that near term, inflexable, quarterly earnings targets will not be met. The pressure to meet these short term targets can only give rise to operational inefficiencies which in turn drive up the inherent inefficiency in the transmission of information from public companies to financial markets based on a model which hasn’t changed much since its original definition during the Great Depression years of the 1930’s.

I’ve seen articles in the Journal of Accountancy and in other authoritative financial publications pointing toward a better way and, with the advent of and widening support for the electronic reporting of financial results to the SCC (the XBRL initiative), we can hope we’re well into the drawn of a new age. That there’s been pushback to this effort is understandable. Those familiar with the technical and professional minefield of the present quarterly reporting process can only feel sympathy with those financial officers who have to go through it, quarter by quarter and year after year. Questions originally abounded about process and mechanics like how is electronically published financial information going to be verified and what real controls are there over its reliability? What happens if there’s an honest mistake?

Think about all this from the point of view of the fraud examiner. If enterprises, listed and non-listed, can make the transition from a periodic to a real-time, electronic based financial reporting system, the resulting efficiencies and the decrease in numerous types of fraud related risk would be truly striking. Real-time financial reporting would free our clients from the tyranny of the present, economically nonsensical, reporting of quarterly results. How much of the incentive to commit financial fraud to meet the numbers does that immediately alleviate? As one financial expert after another has pointed out over the years, there’s just no justification for focusing on a calendar quarter as the unit in which to take stock of financial performance, beyond the fact that that’s what’s presently codified in the law. By contrast, what if financial information were published and available to all users on a real-time basis? The immediate availability of such information, continuously updated, on whatever basis is appropriate for the individual enterprise and its industry, would force companies to adopt a reporting unit that ready makes sense to them and to their principal information users. For some companies that unit might be a week, a month, a quarter, semi-annually or a year. So be it. Let a thousand flowers bloom; the upshot is that what would end up being reported would make sense for the company, its industry and for the information users rather than the one-size fits all, set in stone, prescription of the present law.

An additional advantage, and one with immediate implications for fraud prevention, would be the opportunity for increased efficiency in financial markets as investment dollars could be allocated not according to quarterly results or according to the best guess estimates of financial analysts, but by reliable financial information provided directly by the company all the time; goodbye to many of the present information control vulnerabilities that support insider trading because information is not widely and efficiently disseminated. The point is that by employing digital, cloud-based analytics report building tools properly, users of all kinds could customize a set of up-to-date financial reports (in whatever format) on whatever time period, that suits their fancy.

But many have also pointed out that if there is to be such a shift from periodic to real-time financial reporting, there needs to be a fundamental change in basic attitudes toward financial reporting. Those who report and those who inspect financial information will have to change their focus from methods by which the numbers themselves are checked (audited) to methods (as with XBRL) that focus on the reliability of the system that generates the numbers. That’s where fraud examiners and other financial insurance professionals come in. On-line financial information will be published with such frequency and so rapidly, that there will be no time to “check” individual numbers; the emphasis for assurance professionals will, therefore, need to shift away from checking numbers and balances to analysis of and reporting on the integrity of the system of internal controls over the reporting system itself; understanding of the details of the internal control system over financial reporting will gain a level of prominence it’s never had before.

Fraud examiners need to be aware of these issues when counseling clients about the profound impact that digitally based, on-line reporting of financial information is and will have on their fraud prevention and fraud risk assessment programs. As with all else in life, real time financial reporting will inevitably decrease the risk of some fraud scenarios and increase the risk of others.

Fraud Detection-Fraud Prevention

One of our CFE chapter members left us a contact comment asking whether concurrent fraud auditing might not be a good fraud prevention tool for use by a retailer client of hers that receives hundreds of credit card payments for services each day. The foundational concepts behind concurrent fraud auditing owe much to the idea of continuous assurance auditing (CAA) that internal auditors have applied for years; I personally applied the approach as an essential tool throughout by carrier as a chief audit executive (CAE). Basically, the heart of a system of concurrent fraud auditing (CFA) like that of CAA is the process of embedding control based software monitors in real time, automated financial or payment systems to alert reviewers of transactional anomalies in as close to their occurrence as possible. Today’s networked/cloud based processing environments have made the implementation and support of such real time review approaches operationally feasible in ways that the older, batch processing based environments couldn’t.

Our member’s client uses several on-line, cloud based services to process its customer payments; these services provide our member’s client with a large database full of payment history, tantamount to a data warehouse, all available for use on SQL server, by in-house client IT applications like Oracle and SAP. In such a data rich environment, CFE’s and other assurance professionals can readily test for the presence of transactional patterns characteristic of defined, common payment fraud scenarios such as those associated with identity theft and money laundering. The objective of the CFA program is not necessarily to recover the dollars associated with on-line frauds but to continuously (in as close to real time as possible) adjust the edits in the payment collection and processing system so that certain fraudulent transactions (those associated with known fraud scenarios) stand a greater chance of not even getting processed in the first place. Over time, the CFA process should get better and better at editing out or flagging the anomalies associated with your defined scenarios.

The central concept of any CFA system is that of an independent application monitoring for suspected fraud related activity through, for example (as with our Chapter member), periodic (or even real time) reviews of the cloud based files of an automated payment system. Depending upon the degree of criticality of the results of its observations, activity summaries of unusual items can be generated with any specified frequency and/or highlighted to an exception report folder and communicated to auditors via “red flag” e-mail notices. At the heart of the system lies a set of measurable, operational metrics or tags associated with defined fraud scenarios. The fraud prevention team would establish the metrics it wishes to monitor as well as supporting standards for those metrics. As a simple example, the U.S. has established anti-money-laundering banking rules specifying that all transactions over $10,000 must be reported to regulators. By experience, the $10,000 threshold is a fraud related metric investigators have found to be generic in the identification of many money-laundering fraud scenarios. Anti-fraud metric tags could be built into the cloud based financial system of our Chapter member’s client to monitor in real time all accounts payable and other cash transfer transactions with a rule that any over $10,000 would be flagged and reviewed by a member of the audit staff. This same process could have multiple levels of metrics and standards with exceptions fed up to a first level assurance process that could monitor the outliers and, in some instances, send back a correcting feedback transaction to the financial system itself (an adjusting or corrective edit or transaction flag). The warning notes that our e-mail systems send us that our mailboxes are full are another example of this type of real time flagging and editing.

Yet other types of discrepancies would flow up to a second level fraud monitoring or audit process. This level would produce pre-formatted reports to management or constitute emergency exception notices. Beyond just reports, this level could produce more significant anti-fraud or assurance actions like the referral of a transaction or group of transactions to an enterprise fraud management committee for consideration as documentation of the need for an actual future financial system fraud prevention edit. To continue the e-mail example, this is where the system would initiate a transaction to prevent future mailbox accesses to an offending e-mail user.

There is additionally yet a third level for our system which is to use the CFA to monitor the concurrent fraud auditing process itself. Control procedures can be built to report monitoring results to external auditors, governmental regulators, the audit committee and to corporate council as documented evidence of management’s performance of due diligence in its fight against fraud.

So I would encourage our member CFE to discuss the CFA approach with the management of her client. It isn’t the right tool for everyone since such systems can vary greatly in cost depending upon the existing processing environment and level of IT sophistication of the implementing organization. CFA’s are particularly useful for monitoring purchase and payment cycle applications with an emphasis on controls over customer and vendor related fraud. CFA is an especially useful tool for any financial application where large amounts of cash are either coming in or going out the door (think banking applications) and to control all aspects of the processing of insurance claims.

Matching SOCS

I was chatting with the soon-to-be-retired information systems director of a major Richmond insurance company several nights ago at the gym. Our friendship goes back many years to when we were both audit directors for the Virginia State Auditor of Public Accounts. My friend was commenting, among other things, on the confusing flood of regulatory changes that’s swept over his industry in recent years relating to Service Organization Controls (SOC) reports. Since SOC reports can be important tools for fraud examiners, I thought they might be an interesting topic for a post.

Briefly, SOC reports are a group of internal control assurance reports, performed by independent reviewers, of IT organizations providing a range of computer based operational services, usually to multiple client corporations. The core idea of a SOC report is to have one or a series of reviews conducted of the internal controls related to financial reporting of the service organization and to then make versions of these reports available to the independent auditors of all the service organization’s user clients; in this way the service organization doesn’t have to be separately and repeatedly audited by the auditors of each of its separate clients, thereby avoiding much duplication of effort and expense on all sides.

In 2009 the International Auditing and Assurance Standards Board (IAASB) issued a new International Standard on Assurance Engagements: ‘ISAE 3402 Assurance Reports on Controls in a Service Organization’. The AICPA followed shortly thereafter with a revision of its own Statement on Auditing Standards (SAS) No. 70, guidance around the performance of third party service organization reports, releasing Statement on Standards for Attestation Engagement (SSAE) 16, ‘Reporting on Controls in a Service Organization’. So how does the SOC process work?

My friend’s insurance company (let’s call it Richmond Mutual) outsources (along with a number of companion companies) its claims processing functions to Fiscal Agent, Ltd. Richmond Mutual is the user organization and Fiscal Agent, Ltd is the service organization. To ensure that all the claims are processed and adequate internal controls are in place and functioning at the service organization, Richmond Mutual could appoint an independent CPA or service auditor to examine and report on the service organization’s controls. In the case of Richmond Mutual, however, the service organization itself, Fiscal Agent, Ltd, obtains the SOC report by appointing an independent service auditor to perform the audit and provide it with a SOC 1 report. A SOC 1 report provides assurance on the business processes that support internal controls over financial reporting and is, consequently, of interest to fraud examiners as, for example, an element to consider in structuring the fraud risk assessment. This report can then be shared with user organizations like Richmond Mutual and with their auditors as deemed necessary. The AICPA also provides for two other SOC reports: SOC 2 and SOC 3. The SOC 2 and SOC 3 reports are used for reporting on controls other than the internal controls over financial reporting. One of the key differences between SOC 2 and SOC 3 reports is that a SOC 3 is a general use report to be provided to anyone while SOC 2 reports are only for those users specifically specified in the report; in other words, the distribution is limited.

SOC reports are valuable to their many users for a whole host of obvious reasons but Fraud Examiners and other assurance professionals need to keep in mind some common misconceptions about them (some shared, I found, by my IT friend). SOC reports are not assurances. IASSB and AICPA guidelines specify that SOC reports are to be of limited distribution, to be used by the service organization, user organization and user auditors only and thus should never be used for any other service organization purpose; never, for example, as marketing or advertising tools to assure potential clients of service organization quality.

SOC 1 reports are used only for reporting on service organization internal controls over financial reporting; in cases where a user or a service organization wants to assess such areas as data privacy or confidentiality, they need to arrange for the performance of a SOC 2 and/or SOC 3 report.

It’s also a common mistake to assume that the SOC report is sufficient verification of internal controls and that no controls on the user organization side need to be assessed by the auditors; the guidelines are clear that while verifying controls at the service organization, controls at the user organization should also be verified. Since service the organization provides considerable information as background for the service auditor’s review, service organizations are often under the mistaken impression that the accuracy of this background information will not be evaluated by the SOC reviewer. The guidelines specify that SOC auditors should carefully verify the quality and accuracy of the information provided by the service organization under the “information provided by the service organization” section of their audit program.

In summary, the purpose of SOC 1 reports is to provide assurance on the processes that support internal controls over financial reporting. Fraud examiners and other users should take the time to understand the varied purpose(s) of the three types of SOC reports so they can use them intelligently. These reports can be extremely useful to fraud examiners assessing the fraud enterprise risk prevention programs of user organizations to understand the controls that impact financial operations and related IT controls, especially in multiple-service provider scenarios.

Sniffing it Out

The first Virginia governor I worked for directly was John Dalton, who was fond of saying that his personal gauge for ethically challenged behavior was the smell test, i.e., did any proposed action (and its follow-on implications) have the odor of appropriateness. Philosophical theories provide the bases for most useful practical decision approaches and aids, although a majority of seasoned executives are unaware of how and why this is so. Whatever the foundation of the phenomena may be, most experienced directors, executives, professional accountants (and governors) appear to have developed tests and commonly used rules of thumb that can be used to assess the ethicality of decisions on a preliminary basis.

If these preliminary tests give rise to concerns, most think a more thorough analysis should be performed. It is often appropriate (and quite common in practice) for subordinate managers and other employees to be asked to check a proposed decision in a quick, preliminary manner to see if an additional full-blown ethical or practicality analysis is required. These quick tests are often referred to as sniff tests. If any of these quick tests are negative, employees are asked to seek out someone like the corporate counsel or an ethics officer (if there is one) for consultation, or to personally perform a full-blown analysis of the proposed action. This analysis is usually retained, and perhaps even reviewed by upper management.

Some of the more common sniff tests employed by managers with whom I’ve worked are:

–Would I be comfortable if this action or decision were to appear on the front page of a national newspaper tomorrow morning?
Will I be proud of this decision?
Will my mother and father be proud of this decision?
Is this action or decision in accord with the corporation’s mission and code?
Does this feel right to me?

Unfortunately, although sniff tests and commonly used ethical rules of thumb are based on ethical principles as popularly conceived and are often useful, they rarely, by themselves, represent anything approaching a comprehensive examination of the confronting decision and therefore can leave the individuals and organization(s) involved vulnerable to making a challengeable choice. For this reason, experts advise that more comprehensive techniques of evaluation should be employed whenever a proposed decision is questionable or likely to have significant consequences. Analysis of specific sniff tests and the related heuristics reveals that they usually focus on a fraction of the comprehensive set of criteria that more complete forms of analysis examine.

Traditionally, an accepted business school case approach to the assessment of a corporate decision and the resulting action has been to evaluate the end results or consequences of the action. To most businesspeople, this evaluation has traditionally been based on the decision’s impact on the interests of the company’s owners or shareholders.

Usually these impacts have been measured in terms of the profit or loss involved, because net profit has been the measure of well-being that shareholders have wanted to maximize. This traditional view of corporate accountability has been modified over the last two decades in two ways. First, the assumption that all shareholders want to maximize only short-term profit appears to represent too narrow a focus. Second, the rights and claims of many non-shareholder groups, such as employees, consumers/clients, suppliers, lenders, environmentalists, host communities, and governments that have a stake or interest in the outcome of the decision, or in the company itself, are being accorded an increased status in corporate decision making.

Modern corporations are increasingly declaring that they are holding themselves self -accountable to shareholders and to non-shareholder groups alike, both of which form the set of stakeholders to which the company pledges to respond. It has become evident (look at the Enron example) that a company cannot reach its full potential, and may even perish, if it loses the support of even one of a select set of its stakeholders known as primary stakeholders.

The assumption of a monolithic shareholder group interested only in short-term profit is undergoing modification primarily because modem corporations are finding their shareholders are to an increasing degree made up of persons and institutional investors who are interested in longer-term time horizons and in how ethically individual businesses are conducted. The latter, who are referred to as ethical investors, apply two screens to investments: Do the investee companies make a profit in excess of appropriate hurdle rates, and do they strive to earn that profit in a demonstrably ethical manner?

Because of the size of the shareholdings of mutual and pension funds, and of other types of institutional investors involved, corporate directors and executives have found that the wishes of ethical investors can be ignored only at their peril. Ethical investors have developed informal and formal networks through which they inform themselves about corporate activity, decide how to vote proxies, and how to approach boards of directors to get them to pay attention to their concerns in such areas as environmental protection, excessive executive compensation, and human rights activities in specific countries and regions. Ethical investors as well as other stakeholder groups, tend to be increasingly unwilling to squeeze the last ounce of profit out of the current year if it means damaging the environment or the privacy rights of other stakeholders. They believe in managing the corporation on a broader basis than short-term profit only. Usually the maximization of profit in a longer than one-year time frame requires harmonious relationships with most stakeholder groups based on the recognition of the interests of those groups.

A negative public relations experience can be a significant and embarrassing price to pay for a decision making process that fails to take the. wishes of stakeholder groups into account. Whether or not special interest groups of private citizens are also shareholders, their capacity to make corporations accountable through social media is evident and growing. The farsighted executive and director will want these concerns taken into account before offended stakeholders have to remind them.

Taking the concerns or interests of stakeholders into account when making decisions, by considering the potential impact of decisions on each stakeholder, is therefore a wise practice if executives want to maintain stakeholder support. However, the multiplicity of stakeholders and stakeholder groups makes this a complex task. To simplify the process, it is desirable to identify and consider a set of commonly held or fundamental stakeholder interests to help focus analyses and decision making on ethical dimensions; stakeholder interests such as the following:

1.Their interest(s) should be better off as a result of the decision.
2. The decision should result in a fair distribution of benefits and burdens.
3. The decision should not offend any of the rights of any stakeholder, including the decision maker, and ..
4. The resulting behavior should demonstrate duties owed as virtuously as expected.

To some extent, these fundamental interests have to be tempered by the realities facing decision makers. For example, although a proposed decision should maximize the betterment of all stakeholders, trade-offs often have to be made between stakeholders’ interests. Consequently, the incurrence of pollution control costs may be counter to the interests of short-term profits that are of interest to some current shareholders and managers. Similarly, there are times when all stakeholders will find a decision acceptable even though one or more of them, or the groups they represent, may be worse off as a result.

In recognition of the requirement for trade-offs and for the understanding that a decision can advance the well-being of all stakeholders as a group, even if some individuals are personally worse off, this fundamental interest should be modified to focus on the well-being of stakeholders rather than only on their betterment. This modification represents a shift from utilitarianism to consequentialism. Once the focus on betterment is relaxed to shift to well-being, the need to analyze the impact of a decision in terms of all four fundamental interests becomes apparent. It is possible, for example, to find that a proposed decision may produce an overall benefit, but the distribution of the burden of producing that decision may be so debilitating to the interests of one or more stakeholder groups that it may be considered grossly unfair. Alternatively, a decision may result in an overall net benefit and be fair, but may offend the rights of a stakeholder and therefore be considered not right. For example, deciding not to recall a marginally flawed product may be cost effective, but would not be considered to be right if users could be seriously injured. Similarly, a decision that does not demonstrate the character, integrity, or courage expected will be considered ethically suspect by stakeholders.

A professional CFE can use an assessment of our client organization’s stakeholder ethical concerns in making pro-active recommendations about fraud detection and prevention strategies and in conducting investigations and should be ready to prepare or assist in such assessments for employers or clients just as they currently do in other fraud deterrence related business processes.

Although many hard-numbers-oriented investigators will be wary of becoming involved with the soft risk assessment of management’s tone-at-the-top ethically shaped decisions, they should bear in mind that the world is changing to put a much higher value on the quality and impact of management’s whole governance structure, the posture of which cannot failure to negatively or positively affect the design of the client’s fraud control and prevention programs.

Ambiguous Transactions

As any experienced fraud examiner will be happy to tell you, unambiguously distinguishing individual instances of fraud, waste and abuse, one from the other, can be challenging; that’s because transactions demonstrating characteristics of one of these issues so often share characteristics of the other(s). A spate of recent articles in the trade press confirm the public impression not only that health care costs are constantly rising but that poorly controlled health care provider reimbursement systems represent significant targets of waste and abuse, both within companies themselves and from external bad actors.

While some organizations review their health benefits programs and health administrator organizations annually, others appear to be doing relatively little in this area. Consequently, CFEs are increasingly being asked as audit team members to participate in fraud risk assessments of hearth benefits administration (HBA) programs for corporations, government entities, and nonprofit organizations. As a consequence, ACFE members are increasingly identifying practices that result in recoverable losses as well as losses that were never recovered because some among our client organizations have never effectively audited their health benefit plans.

A good place to start with this type of fraud risk assessment is for the CFE to evaluate the oversight of HBA reporting activities that could identify unidentified losses for the client organization.

Many organizations contract with third-party administrators (TPAs) to oversee their employee insurance claims process, health care provider network, care utilization review, and employee health plan membership functions. In the arena of claims processing, in today’s environment of rising costs, TPAs can make significant claim payment errors that result in financial losses to the CFE’s client organization if such errors are not promptly identified, recovered, and credited back to the plan. Claim overpayments are common in the industry; and most TPAs themselves have audit processes in place to minimize the losses to their clients. Many control assurance professionals incorrectly assume that the claim audit covers all the exposures, as the primary function of claims administration is to pay claims. This misconception can block a true understanding of the nature of the exposures and lessen the client’s sense of the necessity that systematic fraud and waste detection audits of health care claims transactions are performed, both externally and internally.

The trade press recently reported that an administrator for a U.S. federal government health benefit’s health plan changed its method of administering coordination of benefits (COB) from “pursue and pay” to “pay and pursue.” Under “pursue and pay,” the administrator determines who the primary insurance payer is before making payment. Under “pay and pursue,” the administrator pays the insurance claim and pursues a refund only if it itself is determined to be the secondary payer. In this case, the clients were billed for the payment of full benefits, even though they should have been the secondary payers. The financially strapped administrator recovered the overpayments, deposited them into a bank account, and never credited its clients. Following an audit, one of the client plans received a check for $2.3 million for its share of the refunds that were not returned to it. Is this case of apparent deception an example of fraud? Of waste? Or of abuse?

If COB savings had been routinely monitored by each of the plans, along with each client’s other cost containment activities, they would have noticed that the COB savings had fallen off and were next to nothing under “pay and pursue.” When looking at COB, CFEs and client internal auditors should review the provisions of the contract with the administrator to determine who is responsible for identifying other group coverage (OGC), the methodology for investigating OGC, time limitations for recovering overpayments, and the requirements for the reporting of savings to the client organization by the administrator. In conducting their risk assessments, client management and CFEs also should consider the controls over the organization’s oversight of monitoring COB savings and over the other cost containment activities performed by the administrator.

The COB case considered above was intentional deception, but losses also can be unintentional. To recover overpayments, the TPA can use a refund request letter to request refunds from healthcare providers (hospitals, physicians, etc.), or use the provider offset method, which deducts the overpayment from the provider’s next payment. The ACFE has reported one case in which a provider voluntarily returned an overpayment. The administrator’s policy was to return the refund check to the submitting provider with a form to complete including instructions to send the form and the check back to the administrator to initiate a provider offset on the next payment to the provider. No logs were kept of the checks received and returned to the providers. Following an audit, the client found that, because of a lack of training, personnel of its administrator had deposited the returned checks from providers into an administrative holding account. Subsequent to the investigation and administrative staff training, the client’s refund activity increased from almost nothing to more than $1 million a year. Including the monitoring and analyzing of refund activity as a component of the fraud prevention program will unfailingly provide insight into how well claim overpayments are being controlled.

When assessing for fraud risk regarding refund activity for health insurance overpayments, CFEs should pay attention to the collection methods used by the administrator, overpayment amounts and time limitations for recovery, and the use of external vendors and their shared savings on recoveries. Reporting from the administrator should be required to include an analysis of refund activity, the reasons for the refund(s), breakout between solicited and unsolicited refunds, and the balance of outstanding refunds.

Sometimes it cannot be determined whether an organization’s losses are intentional or unintentional. For example, in one review, several organizations contracted with a marketing firm specializing in a new approach to control health-care costs. The marketing firm hired an administrator to process the claims for its clients. After four months with the firm, an alert accountant at one of the organizations questioned why funding requests coming from the marketing firm were running 20 percent higher each month than they had been with the previous administrator. The organization’s finance division requested a review which revealed that the marketing firm had been billing its clients based on claims processed by the administrator, including claims not paid. The firm insisted it had not been aware that the funding requests resulted in client overbilling and agreed to refund the overbilled amounts to the organization.

Monitoring and approving the funding requests against some measure of expected costs can identify when costs should be investigated. When reviewing funding requests, assurance professionals should pay attention to the internal funding approval process, supporting detail provided by the administrator to support the funding, funding limitation controls to identify possible overfunding for follow-up investigation, bank account setup and account access, and the internal funding reconciliation process.

While losses may occur because of the administrator’s practices, losses (waste) also can go undetected because the organization does not perform adequate oversight of the practices used on its accounts. Preferred provider organization (PPO) discounts are common in managed health care plans. When organizations use PPO networks that are independent of the administrator’s contracted network, the PPO networks receive the claim first to reprice it with the negotiated rate. The PPO network generates a repricing sheet, which is sent with the original claim to the administrator for processing and payment.

In one case, no one explained the repricing sheets to the claim examiners, so they ignored them. The claims system automatically priced and loaded the administrator’s network claims with the negotiated rates into the claims system. However, because the client’s external PPO network fees were not in the claims system, the claims were paid at billed charges. The client lost an estimated $750,000 in discounts over a one-year period and was paying 34 percent of the savings to the PPO networks for savings that it never received. The client did not detect the lost discounts because it never reconciled the discounts reported by the PPO’s quarterly billings for its share of the savings to a discount savings as reported by the administrator.

While examining risks regarding discounts, CFE’s auditors should review the administrator’s or independent PPO network’s contracts regarding PPO pricing and access to pricing variation for in-network provider audits, alternative savings arrangements using external vendors for out-of-network providers, and reporting of PPO discount savings. Within their own organizations, auditors should be instructed to review the internal process of monitoring discount reporting and reconcile PPO shared savings to the administrator reporting the discounts.

There are frequent reports on fraud, abuse, and errors in government health programs issued by the U.S. Department of Health and Human Services’ Office of the Inspector General and by the U.S. Government Accountability Office; all these reports can be of use to CFEs in the conduct of our investigations. Because many of our client organization’s health plans mirror government programs, the fraud risk exposure in organizations is almost everywhere the same. Organizations have incurred tremendous losses by not systematically reviewing benefits administration and through lack of understanding of the dynamics of health plan oversight within their organizations. Developing and promoting a team response within an organization to foster understanding of the exposures in the industry is a practical role for all CFEs. This posture puts fraud examiners (as members of the fraud/abuse prevention and response team) in a position to provide management with assurance that the reporting on the millions spent on employees’ health benefits is accurate and reasonable and that associated costs are justified.