Category Archives: continuous fraud auditing

Private Company Employee Health

Our last post presented a short list of the chief fraud threats targeting government run health programs.  We thought it might be useful to practitioners to balance it with one on frauds directed at private company health insurance plans.  From one perspective, many of the schemes, as you’d expect, are similar; but there are significant differences. Losses due to fraud in both public and private health-care spending are notoriously difficult to estimate but amount to more than US $6o billion annually, according to a statement made by the then U.S. Attorney General  several years ago at a National Institutes of Health summit.  Like all fraud, by definition, health-care fraud involves deception or misrepresentation that results in an unauthorized benefit.  In the private sector, it increases the cost of providing benefits to employees company-wide, which in turn increases the overall cost of doing business, regardless of industry. And while only a slight percentage of health-care providers and consumers deliberately engage in fraud, that small percentage can raise the cost of doing business significantly. The increased costs appear in the form of higher premiums and out-of-pocket expenses or reduced benefits or coverage for employees and affect small businesses disproportionately.

But the news isn’t all bad.  The good news is that, especially with the rise of fraud prevention approaches based on data analytics, companies have more and more tools at their disposal to help combat this problem. Most important, perhaps, are the contributions our fraud examiner profession is making and the unique expertise we bring to fraud-fighting efforts. With the right approach and technology tools, fraud risk assessors can help identify control weaknesses that leave the organization susceptible to health-care fraud and track down potential indicators that such fraud may have occurred or is in progress. Working with management as well as with other assurance professionals and external parties, fraud examiners can help meet this challenge and even prevent it by applying well designed system edits that identify fraudulent insurance claims on the front end, preventing them from even being paid (pre-payment prevention as opposed to post-payment pay and chase).

Every fraud examiner and forensic accountant knows that access to the right information is critical to combating the ever mutating array of health-care frauds targeting both the private and governmental sectors. Asking the appropriate questions and carefully sifting through relevant data can reveal potentially fraudulent activity and shed light on abuses that otherwise may not be identified.

Much of the needed health-care information often resides with an organization’s health insurance provider or third-party claims administrators (TPAs); fraud examiners and company management should work cooperatively with these parties to obtain an understanding of the details. Specifically, employers should hold regular discussions with their providers or TPAs to collaborate on anti-fraud activities and to understand their provider’s approach to the problem. Providers, on their side, should share the details of their anti-fraud efforts with organizational management. They should also explain their, often proprietary, techniques used to detect fraud and abuse and provide specific examples of potential frauds recently identified.  Companies also have access to employee historical health claims databases through their insurance provider or their TPA. Analysis should be performed by these parties, and it generally should focus on identifying unusual patterns or trends as such findings could signal fraudulent activity in the claims data; the objective in doing so is to develop payment system edits targeting specific fraud schemes so that claims related to the schemes are prevented by the edits from paying the related health service claims.  Even if the data does not contain indicators of potential fraud schemes, fraud examiners should still recommend that it be mined continually to ferret out potential mistakes.

If it’s not already part of your client company’s regular human resource (HR) administration process, simply matching employee data with the TPA’s files could also shed light on potential problems. Some employees, for instance, may be in the wrong plan or have the wrong coverage. Moreover, former employees may still be listed as covered.  Which brings us to the big problem of dependent eligibility; I say ‘big’ because dependent eligibility is a costly issue for all employee health plans because providing costly health insurance coverage to the ineligible dependents of company employees can quickly prove a budget buster for enterprises of all sizes.

To determine a client’s risk of exposure to ineligible dependents, fraud risk assessors should start with an assessment of the controls built into the benefits enrollment process. If the organization doesn’t require proof of eligibility during the initial enrollment process, the risk of exposure increases. Risk also increases if proof is required upon initial enrollment but not thereafter, such as when covered children reach a certain age. Based on the level of risk identified, examiners, in conjunction with HR, can select one of several approaches to the next phase of their review.

–Low Risk: Offer employees an amnesty period. The organization should remind employees of the benefit plan requirements and let them know that a review of eligibility will be performed. They should be given a reasonable amount of time to adjust their coverage as necessary without any repercussions; sometimes this alone can result in a significant level of compliance.

–Medium Risk: Require eligibility certification. In addition to the steps associated with low risk, the organization should require employees to complete an affidavit that certifies all of their covered dependents are eligible under the benefit plan requirements.

–High Risk: Audit employee eligibility. The company’s internal audit function should perform a full eligibility audit after the organization completes the steps associated with low and medium risk situations.

As this blog and the ACFE have repeated over and over again, employee awareness can be the best fraud prevention tool available. Fraud Examiners working in every industry should learn more about health-care fraud scenarios and their effect on their client’s businesses and pursue opportunities to educate management on the cost drivers and the impact of fraud on their companies. If the organization’s compliance program includes employee training and distribution of periodic educational updates, this would be a logical medium into which to integrate employee awareness messaging. At a minimum, Fraud Examiners should be sure that any new employee orientation sessions cover basic healthcare benefits guidance:

–Don’t provide personal health coverage information to strangers. If the employee is uncertain why a third party is requesting certain personal information, they should be instructed to contact their company’s benefits administrator.

–Don’t loan an insurance card to anyone not listed on the card as a covered individual.

–Employees need to familiarize themselves with the conditions under which health coverage is being extended to them and to their dependents.

Given the complexities of health benefits administration, an organization almost cannot provide too much information to its employees about their coverage. Taking the guesswork out of the administration process can result in lower costs and happier employees in the long run.  Although many anticipated long-term benefits from U.S. health-care reforms contained in the Affordable Care Act, in the short term most employers were required to expand coverage offerings for employees and their dependents, thereby increasing costs. All of these factors point to an opportunity for health-care fraud to continue growing and, consequently, for Fraud Examiners and for fraud risk assessors to continue to play an important role in keeping this relentless source of monetary loss at bay.

Getting Out of Your Own Way

One of the most frequently requested topics for ACFE lead instruction concerns the art of fraud interviewing, one of the most complex and crucial disciplines of the many comprising the fraud examination process. And at the heart of the interviewing process lies communication. As we all know, communication is the process of effectively sending and receiving information, thoughts, and feelings. First and foremost, an effective interviewer is an effective communicator and being an effective communicator depends on building rapport. According to the ACFE, if you don’t establish rapport with a subject at the outset of the fraud interview, the possibilities of your spotting anything are very low. Rapport is the establishment of a connection between two individuals that is based on some level of trust and a belief in a relationship that is mutually beneficial to both parties.

The interviewer who thinks s/he will find a cooperative subject without making a connection with that individual is in for a disappointment. Rapport is determined by our attitude toward the subject. Just as we as interviewers use our powers of perception to “read” the subject, the subject reads us as well. If s/he senses condemnation, superiority, hostility, or deceit, you can expect little but superficial cooperation from any interaction. Besides, above all else, as the experts tell us, we are professionals. As professionals, personal judgments have no place in an interview setting. Our job is to gather information empirically, objectively, and without prejudice towards our subjects. Why do we identify with and speak more freely to some people? We are naturally drawn to those with whom we share similar characteristics and identities. Techniques and tools are important, but only to the extent that they complement our attitude toward the interview process. So, effective communication is not what we do – it’s who we are.

And along with rapport, the analysis of the quality of the interaction between both interview participants is critical to the communication process. An interview is a structured session, ideally between one interviewer and one subject, during which the interviewer seeks to obtain information from a subject about a particular matter. And just as we signal each other with voice pitch and body language patterns when we’re sad, angry, delighted, or bored, we also display distinct patterns when trying to deceive each other. Fortunately for those of us who interview others as part of our profession, if we learn to recognize these patterns, our jobs are made much simpler. Of course there is no single behavior pattern one can point to and say “Aha! This person is being deceptive!” What the professional can point to is change in behavior. Should a subject begin showing signs of stress as our questions angle in a certain direction, for example, we know we have hit an area of sensitivity that probably requires further exploration. If you interview people regularly, you probably already know that it is more likely for a subject to omit part of the story than actually lie to you. Omission is a much more innocuous form of deceit and causes less anxiety than fabricating a falsehood. So even more importantly than recognizing behavior associated with lying, the interviewer must fine tune her skills to also spot concealment patterns.

ACFE experts tell us that each party to a fraud interview may assume that they understand what the other person is conveying. However, the way we communicate and gather information is based in part on which of our senses is dominant. The three dominant senses, sight, hearing, and touch influence our perceptions and expressions more than most realize. A sight dominant subject may “see” what you are saying and tell you he wants to “clear” things up. An auditory dominant person may “hear” what your point is and respond that it “sounds” good to him. A touch dominant person may have a “grasp” of what you are trying to convey, but “feel uncomfortable” about discussing it further.

By analyzing a subject’s use of words, an interviewer can identify his or her dominant sense and choose her words to match. This helps strengthen the rapport between interviewer and subject, increasing the chances of a good flow of information. Essential, of course, to analyzing and identifying a subject’s dominant senses are good listening skills. Effective communication requires empathetic listening by the interviewer. Empathetic listening and analysis of the subject’s verbal and nonverbal communication allows us to both hear and see what the other person is attempting to communicate. It is the information that is not provided and that is concealed, that is most critical to our professional efforts.

By developing your listening abilities, practicing them with others with whom you communicate every day, the vast array and inexhaustible variations of the human vocabulary are bound to strike you. The most effective way to communicate is with clear, concise sentences that create no questions. However, the words we choose to use, and the way that we say them, are limited only by what is important to us. A subject, reluctant or cooperative, will speak volumes with what they say, and even more significantly, what they don’t say. Analysis of the latter often reveals more than the information the subject actually relates. For instance, the omission of personal pronouns could mean unwillingness on the part of the subject to identify himself with the action.

One final note of caution. If you ask the experts about the biggest impediment to an effective interview, they will probably give you a surprising answer. Most experienced interviewers will tell you that often the greatest impediment to a successful interview is the interviewer. Most interviewers use all of their energies observing and evaluating the subject’s responses without realizing how their own actions and attitudes can contaminate an interview. In fact, it is virtually impossible to conduct an interview without contaminating it to some extent. Every word used, the phrasing of a question, tone, body language, attire, the setting – all send signals to the subject. The effective interviewer, however, has learned to contaminate as little as possible. By retaining an objective demeanor, by asking questions which reveal little about what s/he already knows, by choosing a private setting and interviewing one subject at a time, s/he keeps the integrity of the interview intact to the best of her ability.

Fraud Detection-Fraud Prevention

One of our CFE chapter members left us a contact comment asking whether concurrent fraud auditing might not be a good fraud prevention tool for use by a retailer client of hers that receives hundreds of credit card payments for services each day. The foundational concepts behind concurrent fraud auditing owe much to the idea of continuous assurance auditing (CAA) that internal auditors have applied for years; I personally applied the approach as an essential tool throughout by carrier as a chief audit executive (CAE). Basically, the heart of a system of concurrent fraud auditing (CFA) like that of CAA is the process of embedding control based software monitors in real time, automated financial or payment systems to alert reviewers of transactional anomalies in as close to their occurrence as possible. Today’s networked/cloud based processing environments have made the implementation and support of such real time review approaches operationally feasible in ways that the older, batch processing based environments couldn’t.

Our member’s client uses several on-line, cloud based services to process its customer payments; these services provide our member’s client with a large database full of payment history, tantamount to a data warehouse, all available for use on SQL server, by in-house client IT applications like Oracle and SAP. In such a data rich environment, CFE’s and other assurance professionals can readily test for the presence of transactional patterns characteristic of defined, common payment fraud scenarios such as those associated with identity theft and money laundering. The objective of the CFA program is not necessarily to recover the dollars associated with on-line frauds but to continuously (in as close to real time as possible) adjust the edits in the payment collection and processing system so that certain fraudulent transactions (those associated with known fraud scenarios) stand a greater chance of not even getting processed in the first place. Over time, the CFA process should get better and better at editing out or flagging the anomalies associated with your defined scenarios.

The central concept of any CFA system is that of an independent application monitoring for suspected fraud related activity through, for example (as with our Chapter member), periodic (or even real time) reviews of the cloud based files of an automated payment system. Depending upon the degree of criticality of the results of its observations, activity summaries of unusual items can be generated with any specified frequency and/or highlighted to an exception report folder and communicated to auditors via “red flag” e-mail notices. At the heart of the system lies a set of measurable, operational metrics or tags associated with defined fraud scenarios. The fraud prevention team would establish the metrics it wishes to monitor as well as supporting standards for those metrics. As a simple example, the U.S. has established anti-money-laundering banking rules specifying that all transactions over $10,000 must be reported to regulators. By experience, the $10,000 threshold is a fraud related metric investigators have found to be generic in the identification of many money-laundering fraud scenarios. Anti-fraud metric tags could be built into the cloud based financial system of our Chapter member’s client to monitor in real time all accounts payable and other cash transfer transactions with a rule that any over $10,000 would be flagged and reviewed by a member of the audit staff. This same process could have multiple levels of metrics and standards with exceptions fed up to a first level assurance process that could monitor the outliers and, in some instances, send back a correcting feedback transaction to the financial system itself (an adjusting or corrective edit or transaction flag). The warning notes that our e-mail systems send us that our mailboxes are full are another example of this type of real time flagging and editing.

Yet other types of discrepancies would flow up to a second level fraud monitoring or audit process. This level would produce pre-formatted reports to management or constitute emergency exception notices. Beyond just reports, this level could produce more significant anti-fraud or assurance actions like the referral of a transaction or group of transactions to an enterprise fraud management committee for consideration as documentation of the need for an actual future financial system fraud prevention edit. To continue the e-mail example, this is where the system would initiate a transaction to prevent future mailbox accesses to an offending e-mail user.

There is additionally yet a third level for our system which is to use the CFA to monitor the concurrent fraud auditing process itself. Control procedures can be built to report monitoring results to external auditors, governmental regulators, the audit committee and to corporate council as documented evidence of management’s performance of due diligence in its fight against fraud.

So I would encourage our member CFE to discuss the CFA approach with the management of her client. It isn’t the right tool for everyone since such systems can vary greatly in cost depending upon the existing processing environment and level of IT sophistication of the implementing organization. CFA’s are particularly useful for monitoring purchase and payment cycle applications with an emphasis on controls over customer and vendor related fraud. CFA is an especially useful tool for any financial application where large amounts of cash are either coming in or going out the door (think banking applications) and to control all aspects of the processing of insurance claims.

Matching SOCS

I was chatting with the soon-to-be-retired information systems director of a major Richmond insurance company several nights ago at the gym. Our friendship goes back many years to when we were both audit directors for the Virginia State Auditor of Public Accounts. My friend was commenting, among other things, on the confusing flood of regulatory changes that’s swept over his industry in recent years relating to Service Organization Controls (SOC) reports. Since SOC reports can be important tools for fraud examiners, I thought they might be an interesting topic for a post.

Briefly, SOC reports are a group of internal control assurance reports, performed by independent reviewers, of IT organizations providing a range of computer based operational services, usually to multiple client corporations. The core idea of a SOC report is to have one or a series of reviews conducted of the internal controls related to financial reporting of the service organization and to then make versions of these reports available to the independent auditors of all the service organization’s user clients; in this way the service organization doesn’t have to be separately and repeatedly audited by the auditors of each of its separate clients, thereby avoiding much duplication of effort and expense on all sides.

In 2009 the International Auditing and Assurance Standards Board (IAASB) issued a new International Standard on Assurance Engagements: ‘ISAE 3402 Assurance Reports on Controls in a Service Organization’. The AICPA followed shortly thereafter with a revision of its own Statement on Auditing Standards (SAS) No. 70, guidance around the performance of third party service organization reports, releasing Statement on Standards for Attestation Engagement (SSAE) 16, ‘Reporting on Controls in a Service Organization’. So how does the SOC process work?

My friend’s insurance company (let’s call it Richmond Mutual) outsources (along with a number of companion companies) its claims processing functions to Fiscal Agent, Ltd. Richmond Mutual is the user organization and Fiscal Agent, Ltd is the service organization. To ensure that all the claims are processed and adequate internal controls are in place and functioning at the service organization, Richmond Mutual could appoint an independent CPA or service auditor to examine and report on the service organization’s controls. In the case of Richmond Mutual, however, the service organization itself, Fiscal Agent, Ltd, obtains the SOC report by appointing an independent service auditor to perform the audit and provide it with a SOC 1 report. A SOC 1 report provides assurance on the business processes that support internal controls over financial reporting and is, consequently, of interest to fraud examiners as, for example, an element to consider in structuring the fraud risk assessment. This report can then be shared with user organizations like Richmond Mutual and with their auditors as deemed necessary. The AICPA also provides for two other SOC reports: SOC 2 and SOC 3. The SOC 2 and SOC 3 reports are used for reporting on controls other than the internal controls over financial reporting. One of the key differences between SOC 2 and SOC 3 reports is that a SOC 3 is a general use report to be provided to anyone while SOC 2 reports are only for those users specifically specified in the report; in other words, the distribution is limited.

SOC reports are valuable to their many users for a whole host of obvious reasons but Fraud Examiners and other assurance professionals need to keep in mind some common misconceptions about them (some shared, I found, by my IT friend). SOC reports are not assurances. IASSB and AICPA guidelines specify that SOC reports are to be of limited distribution, to be used by the service organization, user organization and user auditors only and thus should never be used for any other service organization purpose; never, for example, as marketing or advertising tools to assure potential clients of service organization quality.

SOC 1 reports are used only for reporting on service organization internal controls over financial reporting; in cases where a user or a service organization wants to assess such areas as data privacy or confidentiality, they need to arrange for the performance of a SOC 2 and/or SOC 3 report.

It’s also a common mistake to assume that the SOC report is sufficient verification of internal controls and that no controls on the user organization side need to be assessed by the auditors; the guidelines are clear that while verifying controls at the service organization, controls at the user organization should also be verified. Since service the organization provides considerable information as background for the service auditor’s review, service organizations are often under the mistaken impression that the accuracy of this background information will not be evaluated by the SOC reviewer. The guidelines specify that SOC auditors should carefully verify the quality and accuracy of the information provided by the service organization under the “information provided by the service organization” section of their audit program.

In summary, the purpose of SOC 1 reports is to provide assurance on the processes that support internal controls over financial reporting. Fraud examiners and other users should take the time to understand the varied purpose(s) of the three types of SOC reports so they can use them intelligently. These reports can be extremely useful to fraud examiners assessing the fraud enterprise risk prevention programs of user organizations to understand the controls that impact financial operations and related IT controls, especially in multiple-service provider scenarios.

First Things First

About a decade ago, I attended a training session at the Virginia State Police training center conducted by James D. Ratley, then the training director for the ACFE. The training session contained some valuable advice for CFE’s and forensic accountants on immediate do’s and don’ts if an examiner strongly suspects the presence of employee perpetrated financial fraud within a client’s organization. Mr. Ratley’s counsel is as relevant today as it was then.

Ratley advised that every significant employee matter (whether a theft is involved or not) requires thoughtful examiner deliberation before any action is taken, since hasty moves will likely prove detrimental to both the investigator and to the client company. Consequently, knowing what should not be done if fraud is suspected is often more important to an eventual successful outcome than what should be done.

First, the investigator should not initially confront the employee with his or her suspicions until the investigator has first taken several important preliminary investigative steps.  Even when those steps have been taken, it may prove necessary to use a different method of informing the employee regarding her status, imminent material harm notwithstanding. False (or even valid) accusations can lead to defamation lawsuits or at the very least to an extremely uncomfortable work environment. The hasty investigator or management could offend an innocent person by questioning her integrity; consequently, your client company may never be able to regain that person’s trust or prior level of commitment. That downside is just one example of the collateral damage that can result from a fraud. Even if the employee is ultimately found to be guilty, an investigator’s insinuation gives him or her time to alter records and conceal the theft, and perhaps even siphon off more assets. It takes only a moment for an experienced person to erase a computer’s hard drive and shred documents. Although, virtually all business records can be reconstructed, reconstruction is a costly and time-consuming process that always aggravates an already stressful situation.

Second, as a rule, never terminate or suspend the suspect employee until the preliminary investigative steps referred to above have been taken.  The desire on the part of management to take decisive action is understandable, but hasty actions may be detrimental to the subsequent investigation and to the company. Furthermore, there may be certain advantages to continuing the person’s employment status for a brief period because his or her continued status might compel the suspect to take certain actions to your client’s or to the investigation’s benefit. This doesn’t apply to government employees since, unlike private sector employees, they cannot be compelled to participate in the investigation. There can be occasions, however, where it is necessary to immediately terminate the employee. For example, employees who serve in a position whose continued employment could put others at risk physically, financially, or otherwise may need to be terminated immediately. Such circumstances are rare, but if they do occur, management (and the CFE) should document the entire process and advise corporate counsel immediately.

Third, again, as a rule, the investigator should never share her initial suspicions with other employees unless their assistance is crucial, and then only if they are requested to maintain strict confidentiality.  The CFE places an arduous burden on anyone in whom s/he has confided. Asking an employee to shoulder such responsibilities is uncharted territory for nearly anyone (including for the examiner) and can aggravate an already stressful situation. An examiner may view the confidence placed in an employee as a reflection of his and management’s trust. However, the employee may view the uninvited responsibility as taking sides with management at the expense of his relationship with other employees. Consequently, this step should be taken only if necessary and, again, after consultation with counsel and management.

Regarding the do’s, Ratley recommended that the instant that an employee fraud matter surfaces, the investigator should begin continuous documentation of all pertinent investigation-related actions taken. Such documentation includes a chronological, written narrative composed with as much specificity as time permits. Its form can take many shapes, such as handwritten notes, Microsoft Word files, spreadsheets, emails to yourself or others, and/or relevant data captured in almost any other reproducible medium. This effort will, of course, be time consuming for management but is yet another example of the collateral damage resulting from almost any employee fraud. The documentation should also reference all direct and related costs and expenses incurred by the investigator and by the client company. This documentation will support insurance claims and be vital to a subsequent restitution process.  Other collateral business damages, such as the loss of customers, suppliers, or the negative fiscal impact on other employees may also merit documentation as appropriate.

Meetings with corporate counsel are also an important do.  An employee fraud situation is complex and fraught with risk for the investigator and for the client company. The circumstances can require broad and deep expertise in employment law, criminal law, insurance law, banking law, malpractice law, and various other legal concentrations. Fortunately, most corporate attorneys will acknowledge when they need to seek additional expertise beyond their own experience since a victim company counsel specializing in corporate matters may have little or no background in matters of fraud. Acknowledgment by an attorney that s/he needs additional expertise is a testament to his or her integrity. Furthermore, the client’s attorney may contribute value by participating throughout the duration of the investigation and possible prosecution and by bringing to bear his or her cumulative knowledge of the company to the benefit of the organization.

Next, depending on the nature of the fraud and on the degree of its fiscal impact, CFEs should meet with the client’s CPA firm but exercise caution. The client CPA may be well versed in their involvement with your client through their work on income taxes, audit, review, and compilations, but not in forensic analysis or fraud examination. Larger CPA firms may have departments that they claim specialize in financial forensics; the truth is that actual experience in these matters can vary widely. Furthermore, remember that the situation occurred under your client CPA’s watch, so the firm may not be free of conflict.

Finally, do determine from management as early as possible the range of actions it might want to take with respect to the suspect employee if subsequent investigation confirms the suspicion that fraud has indeed occurred.  Deciding how to handle the matter of what to do with the employee by relying upon advice from management and from the legal team can be quite helpful in shaping what investigative steps are taken subsequently. Ratley pointed out that the level and availability of evidence often drive actions relating to the suspect. For example, the best course of action for management may be to do nothing immediately, to closely monitor and document the employee’s activities, to suspend the employee with pay, or immediately terminate the suspect’s employment. There may be valid reasons to exercise any one of these options.

Let’s say the CFE is advised by management to merely monitor and document the employee’s activities since the CFE currently lacks sufficient evidence to suspend or terminate the employee immediately. The CFE and the client’s IT operation could both be integral parts of this option by designing a plan to protect the client from further loss while the investigation continues behind the scenes. The investigation can take place after hours or under the guise of an “efficiency audit,” “business planning,” or other designation. In any case, this option will probably require the investigator to devote substantial time to observe the employee and to concurrently conduct the investigation.  The CFE will either assemble sufficient evidence to proceed or conclude there is inadequate substantiation to support the accusation.

A fraud is a devastating event for any company but Mr. Ratley’s guidance about the first steps in an investigation of employee perpetrated financial fraud can help minimize the damage.  He concluded his remarks by making two additional points; first, few executives are familiar by experience with situations that require CFE or forensic accountant expertise; consequently, their often-well-meaning actions when confronted with the actuality of a fraud can result in costly mistakes regarding time, money and people. Although many such mistakes can be repaired given sufficient money and time, they are sometimes devastating and irrecoverable.  Second, attorneys, accountants and others in the service professions frequently lack sufficient experience to recognize the vast differences between civil and criminal processes.  Consequently, these professionals often can provide the best service to their corporate clients by referring and deferring to more capable fraud examination specialists like certified fraud examiners and experienced forensic accountants.

Vendor Assessment – Backing Corporate Counsel

Pre-emptive fraud risk assessments targeting client vendor security are increasingly receiving CFE attention. This is because in the past several years, sophisticated cyber-adversaries have launched powerful attacks through vendor networks and connections and have siphoned off money, millions of credit card records and customers’ sensitive personal information.

There has, accordingly, been a noticeable jump in those CFE client organizations whose counsel attribute security incidents to current service providers, contractors and to former partners. The evolution of targets and threats outside the enterprise are powerfully influencing the current and near-future of the risk landscape. CFEs who regard these easily predicted changes in a strategic manner can proactively assist their client’s security and risk leadership to identify new fraud prevention opportunities while managing the emerging risk. To make this happen enterprises require adequate oversight insight into vendor involved fraud security risk as part of a comprehensive cyber-risk management policy.

Few managements anticipated only a few years ago that their connectivity with trusted vendors would ever result in massive on-line exploits on sister organizations like retailers and financial organizations, or, still less, that many such attacks would go undetected for months at a time. Few risk management programs of that time would have addressed such a risk, which represents not only a significant impact but whose occurrence is also difficult to predict. Such events were rare and typically beyond the realm of normal anticipation; Black Swan events, if you will. Then, attackers, organized cyber-criminals and some nation-states began capturing news headlines because of high-profile security breaches. The ACFE has long told us that one-third (32 percent) of fraud survey respondents report that insider crimes are costlier or more damaging than incidents perpetrated by outsiders and that employees are not the only source of insider threat; insider threat can also include former employees, service providers, consultants, contractors, suppliers and business partners.

Almost 500 such retailer breaches have been reported this year alone targeting credit card data, personal information, and sensitive financial information. There has, accordingly, been a massive regulatory response.  Regulators are revisiting their guidelines on vendor security and are directing regulated organizations to increase their focus on vendor risk as organizations continue to expand the number and complexities of their vendor relationships. For example, the US Office of the Comptroller of the Currency (0CC) and the Board of Governors of the US Federal Reserve System have released updated guidance on the risk management of third-party relationships. This guidance signals a fundamental shift in how retail financial institutions especially need to assess third-party relationships. In particular, the guidance calls for robust risk assessment and monitoring processes to be employed relative to third-party relationships and specifically those that involve critical activities with the potential to expose an institution to significant risk. CFEs and other assurance professionals can proactively assist the counsels of their client enterprises to elevate their vendor-related security practices to keep pace with ever-evolving fraud threats and security risk associated with their client’s third-party relationships.

Vendor risk oversight from a security point of view demands a program that covers the entire enterprise, outlining the policy and guidelines to manage and mitigate vendor security risk, combined with clearly articulated vendor contracts negotiated by the corporate counsel’s function. Such oversight will not only help organizations improve cybersecurity programs but also potentially advance their regulatory and legal standing in the future. What insights can CFEs, acting proactively, provide corporate counsel?

First, the need for executive oversight. Executive alignment and business context is critical for appropriate implementation throughout the organization. Proper alignment is like a command center, providing the required policies, processes and guidelines for the program. The decision to outsource is a strategic one and not merely a procurement decision. It is, therefore, of the utmost importance that executive committees provide direction for the vendor risk management program. The program can obtain executive guidance from:

–The compliance function to provide regulatory and other compliance requirements that have specific rules regarding vendor risk management to which the vendor organizations must adhere;

–The IT risk and control function to determine the risk and the risk level, depending on the nature of access/data sensitivity shared with the vendor(s). The vendor risk management program should utilize the key risk indicators provided by this function to address risk during vendor assessments;

–The contract governance function and corporate counsel to ensure that vendor contracts adequately address the need for security assessments and define vendors’ obligations to complete these assessments.

Most larger organizations today deal with a considerable amount of third parties and service providers. Missing contact information, responsibility matrices or updated contracts are typical areas of concern about which risk managers might have engaged CFEs initiate fraud risk assessments. This can pose a significant challenge, especially, when there are multiple teams involved to carry out the procurement business process. A vendor and contract database (VCD) ensures that an accurate and complete inventory of vendors is maintained, including other third-party relationships (e.g., joint ventures, utilities, business partners, fourth parties, etc.).

In effectively assessing a vendor risk management program, the CFE can’t conduct the same type of fraud risk assessment for all vendors. Rather, it’s necessary to identify those vendor services deemed to carry the greatest risk and to prioritize them accordingly. The first step is to understand which vendors and services are in the scope from an active fraud risk management perspective. Once this subset of vendors has been identified and prioritized, due diligence assessments are performed for the vendors, depending on the level of client internal versus vendor-owned fraud prevention and detection controls. The results of these assessments help establish the appropriate trust-level rating (TLR) and the future requirements in terms of CFE assisted reassessments and monitoring. This approach focuses resources on the vendor relationships that matter most, limiting unnecessary work for lower-risk relationships. For example, a vendor with a high TLR should be prioritized over a vendor with a low TLR.

Proper control and management of vendor risk requires continuous re-assessment. It’s important to decide the types of on-going assessments to be performed on vendors depending on the level of their TLR and the risk they represent.

Outsourced relationships usually go through iterations and evolve as they mature. As your client organizations strategize to outsource more, they should also validate trust level(s) in anticipation of more information and resources being shared. With technological advancements, a continuously changing business environment and increased regulatory demands, validating the trust level is a continuous exercise. To get the most rational and effective findings, it’s best to use the results of ongoing assessments. In such a reiterative process, it is necessary to continuously monitor and routinely assess vendors based on the trust level they carry. The program should share information about the vendor security posture and risk levels with corporate counsel or other executive sponsor, who can help the organization progress toward the target profile. Clearly communicating the fraud risk from a business perspective can be an additional feature, especially when reports are furnished to inform internal stakeholders, internal audit functions, lines of business and the board of directors, if necessary.

Vendor fraud risk management elevates information security from a technical control business process to an effective management business process. Regular fraud risk security assessments of vendors give organizations the confidence that their business is aware of the security risk involved and is effectively managing it by transferring, mitigating or accepting it. Comprehensive vendor security assessments provide enterprises with insight on whether their systems and data are being deployed consistently with their security policies. Vendor fraud risk management is not a mere project; it is an ongoing program and requires continuous trust to keep the momentum going. Once the foundational framework has been established, our client organizations can look at enhancing maturity through initiatives such as improving guidelines and procedures, rationalizing assessment questionnaires, and more automation. Awareness and communication are key to ensuring that the program is effective and achieves its intended outcome, securing enterprises together with all their business partners and vendors.

Cyberfraud & Business Continuity

We received an e-mail inquiry from a follower of our Chapter’s LinkedIn page last week asking specifically about recovery following a cyberfraud penetration and, in general, about disaster planning for smaller financial institutions. It’s a truism that with virtually every type of business process and customer moving away from brick-and-mortar places of business to cloud supported business transactions and communication, every such organization faces an exponential increase in the threat of viruses, bots, phishing attacks, identity theft, and a whole host of other cyberfraud intrusion risks.  All these threats illustrate why a post-intrusion continuity plan should be at or near the top of any organization’s risk assessment, yet many of our smaller clients especially remain stymied by what they feel are the costs and implementational complexity of developing such a plan. Although management understands that it should have a plan, many say, “we’ll have to get to that next year”, yet it never seems to happen.

Downtime due to unexpected penetrations, breeches and disasters of all kinds not only affect our client businesses individually, but can also affect the local, regional, or worldwide economy if the business is sufficiently large or critical. Organizations like Equifax do not operate in a vacuum; they are held accountable by customers, vendors, and owners to operate as expected. Moreover, the extent of the impact on a business depends on the products or services it offers. Having an updated, comprehensive, and tested general continuity plan can help organizations mitigate operational losses in the event of any disaster or major disruption. Whether it’s advising the organization about cyberfraud in general or reviewing the different elements of a continuity plan for fraud impact, the CFE can proactively assist the client organization on the front end in getting a cyberfraud-recovery continuity plan in place and then in ensuring its efficient operation on the back end.

Specifically, regarding the impact of cyberfraud, the ACFE tells us that, until relatively recently, many organizations reported not having directly addressed it in their formal business continuity plans. Some may have had limited plans that addressed only a few financial fraud-related scenarios, such as employee embezzlement or supplier billing fraud, but hadn’t equipped general employees to deal with even the most elemental impacts of cyberfraud.   However, as these threats increasingly loomed, and as their on-line business expanded, more organizations have committed themselves to the process of formally addressing them.

An overall business continuity plan, including targeted elements to address cyberfraud, isn’t a short-term project, but rather an ongoing set of procedures and control definitions that must evolve along with the organization and its environment. It’s an action plan, complete with the tools and resources needed to continue those critical business processes necessary to keep the entity operating after a cyber disruption. Before advising our clients to embark on such a business continuity plan project, we need to make them aware that there is a wealth of documentation available that they can review to help in their planning and execution effort. An example of such documentation is one written for the industry of our Chapter’s inquirer, banking; the U.S. Federal Financial Institutions Examination Council’s (FFIEC’s) Business Continuity Planning Handbook. And there are other such guides available on-line to orient the continuity process for entities in virtually every other major business sector.  While banks are held to a high standard of preparedness, and are subject to regular bank examination, all types of organizations can profit from use of the detailed outline the FFIEC handbook provides as input to develop their own plans. The publication encourages organizations of all sizes to adopt a process-oriented approach to continuity planning that involves business impact analysis as well as fraud risk assessment, management, and monitoring.

An effective plan begins with client commitment from the top. Senior management and the board of directors are responsible for managing and controlling risk; plan effectiveness depends on management’s willingness to commit to the process from start to finish. Working as part of the implementation team, CFEs can make sure both the audit committee and senior management understand this commitment and realize that business disruption from cyber-attack represents an elevated risk to the organization that merits senior-level attention. The goal of this analysis is to identify the impact of cyber threats and related events on all the client organizations’ business processes. Critical needs are assessed for all functions, processes, and personnel, including specialized equipment requirements, outsourced relationships and dependencies, alternate site needs, staff cross-training, and staff support such as specialized training and guidance from human resources regarding related personnel issues. As participants in this process, CFEs acting proactively are uniquely qualified to assist management in the identification of different cyberfraud threats and their potential impacts on the organization.

Risk assessment helps gauge whether planned cyberfraud-related continuity efforts will be successful. Business processes and impact assumptions should be stress tested during this phase. Risks related to protecting customer and financial information, complying with regulatory guidelines, selecting new systems to support the business, managing vendors, and maintaining secure IT should all be considered. By focusing on a single type of potential cyber threat’s impact on the business, our client organizations can develop realistic scenarios of related threats that may disrupt the cyber-targeted processes.  At the risk assessment stage, organization should perform a gap analysis to compare what actions are needed to recover normal operations versus those required for a major business interruption. This analysis highlights cyber exposures that the organization will need to address in developing its recovery plan. Clients should also consider conducting another gap analysis to compare what is present in their proposed or existing continuity plan with what is outlined (in the case of a bank) in the recommendations presented in the FFIEC handbook. This is an excellent way to assess needs and compliance with these and/or the guidelines available for other industries. Here too, CFEs can provide value by employing their skills in fraud risk assessment to assist the organization in its identification of the most relevant cyber risks.

After analyzing the business impact analysis and risk assessment, the organization should devise a strategy to mitigate the risks of business interruption from cyberfraud. This becomes the plan itself, a catalog of steps and checklists, which includes team members and their roles for recovery, to initiate action following a cyber penetration event. The plan should go beyond technical issues to also include processes such as identifying a lead team, creating lists of emergency contacts, developing calling trees, listing manual procedures, considering alternate locations, and outlining procedures for dealing with public relations.  As members of the team CFEs, can work with management throughout response plan creation and installation, consulting on plan creation, while advising management on areas to consider and ensuring that fraud related risks are transparently defined and addressed.

Testing is critical to confirm cyber fraud contingency plans. Testing objectives should start small, with methods such as walkthroughs, and increase to eventually encompass tabletop exercises and full enterprise wide testing. The plan should be reviewed and updated for any changes in personnel, policies, operations, and technology. CFEs can provide management with a fraud-aware review of the plan and how it operates, but their involvement should not replace management’s participation in testing the actual plan. If the staff who may have to execute the plan have never touched it, they are setting themselves up for failure.

Once the plan is created and tested, maintaining it becomes the most challenging activity and is vital to success in today’s ever-evolving universe of cyber threats. Therefore, concurrent updating of the plan in the face of new and emerging threats is critical.

In summary, cyberfraud-threat continuity planning is an ongoing process for all types of internet dependent organizations that must remain flexible as daily threats change and migrate. The plan is a “living” document. The IT departments of organizations are challenged with identifying and including the necessary elements unique to their processes and environment on a continuous basis. Equally important, client management must oversee update of the plan on a concurrent basis as the business grows and introduces new on-line dependent products and services. CFEs can assist by ensuring that their client organizations keep cyberfraud related continuity planning at the top of mind by conducting periodic reviews of the basic plan and by reporting on the effectiveness of its testing.

Fraud Risk Assessing the Trusted Insider

A bank employee accesses her neighbor’s accounts on-line and discloses this information to another person living in the neighborhood; soon everyone seems to be talking about the neighbor’s financial situation. An employee of a mutual fund company accesses his father-in-law’s accounts without a legitimate reason or permission from the unsuspecting relative and uses the information to pressure his wife into making a bad investment from which the father-in-law, using money from the fund account, ultimately pays to extricate his daughter. Initially, out of curiosity, an employee at a local hospital accesses admission records of a high-profile athlete whom he recognized in the emergency room but then shares that information (for a price) with a tabloid newspaper reporter who prints a story.

Each of these is an actual case and each is a serious violation of various Federal privacy laws. Each of these three scenarios were not the work of an anonymous intruder lurking in cyberspace or of an identity thief who compromised a data center. Rather, this database browsing was perpetrated by a trusted insider, an employee whose daily duties required them to have access to vast databases housing financial, medical and educational information. From the comfort and anonymity of their workstations, similar employees are increasingly capable of accessing personal information for non-business reasons and, sometimes, to support the accomplishment of actual frauds. The good news is that CFE’s can help with targeted fraud risk assessments specifically tailored to assess the probability of this threat type and then to advise management on an approach to its mitigation.

The Committee of Sponsoring Organizations of the Treadway Commission’s (COSO’s) 2013 update of the Internal Control Integrated Framework directs organizations to conduct a fraud risk assessment as part of their overall risk assessment. The discussion of fraud in COSO 2013 centers on Principle 8: “The organization considers the potential for fraud in assessing risks to the achievement of objectives.” Under the 1992 COSO framework, most organizations viewed fraud risk primarily in terms of satisfying the U.S. Sarbanes-Oxley Act of 2002 requirements to identify fraud controls to prevent or detect fraud risk at the transaction level. In COSO 2013, fraud risk becomes a specific component of the overall risk assessment that focuses on fraud at the entity and transaction levels. COSO now requires a strong internal control foundation that addresses fraud broadly to encompass company objectives as part of its strategy, operations, compliance, and reporting. Principle 8 describes four specific areas: fraudulent financial reporting, fraudulent nonfinancial reporting, misappropriation of assets, and illegal acts. The inclusion of non-financial reporting is a meaningful change that addresses sustainability, health and safety, employment activity and similar reports.

One useful document for performing a fraud risk assessment is Managing the Business Risk of Fraud: A Practical Guide, produced by the American Institute of Certified Public Accountants, and by our organization, the Association of Certified Fraud Examiners, as well as by the Institute of Internal Auditors. This guide to establishing a fraud risk management program includes a sample fraud policy document, fraud prevention scorecard, and lists of fraud exposures and controls. Managing the Business Risk of Fraud advises organizations to view fraud risk assessment as part of their corporate governance effort. This commitment requires a tone at the top that embraces strong governance practices, including written policies that describe the expectations of the board and senior management regarding fraud risk. The Guide points out that as organizations continue to automate key processes and implement technology, thus allowing employees broad access to sensitive data, misuse of that data becomes increasingly difficult to detect and prevent. By combining aggressive data collection strategies with innovative technology, public and private sector organizations have enjoyed dramatic improvements in productivity and service delivery that have contributed to their bottom line. Unfortunately, while these practices have yielded major societal benefits, they have also created a major challenge for those charged with protecting confidential data.

CFE’s proactively assessing client organizations which use substantial amounts of private customer information (PCI) for fraud risk should expect to see the presence of controls related to data access surveillance. Data surveillance is the systematic monitoring of information maintained in an automated, usually in a database, environment. The kinds of controls CFE’s should look for are the presence of a privacy strategy that combines the establishment of a comprehensive policy, an awareness program that reinforces the consequences of non-business accesses, a monitoring tool that provides for ongoing analysis of database activity, an investigative function to resolve suspect accesses and a disciplinary component to hold violators accountable.

The creation of an enterprise confidentiality policy on the front end of the implementation of a data surveillance program is essential to its success. An implementing organization should establish a data access policy that clearly explains the relevant prohibitions, provides examples of prohibited activity and details the consequences of non-business accesses. This policy must apply to all employees, regardless of their title, seniority or function. The AICP/ACFE Guide recommends that all employees, beginning with the CEO, be required to sign an annual acknowledgment affirming that they have received and read the confidentiality policy and understand that violations will result in the imposition of disciplinary action. No employees are granted access to any system housing confidential data until they have first signed the acknowledgment.

In addition to issuing a policy, it is imperative that organizations formally train employees regarding its various provisions and caution them on the consequences of accessing data for non-business purposes. During the orientation process for new hires, all employees should receive specialized training on the confidentiality policy. As an added reminder, prior to logging on to any database that contains personal information, employees should receive an electronic notice stating that their activities are being monitored and that all accesses must be related to an official business purpose. Employees are not granted access into the system until they electronically acknowledge this notice.

Given that data surveillance is a process of ongoing monitoring of database activity, it is necessary for individual accesses to be captured and maintained in a format conducive to analysis. There are many commercially available software tools which can be used to monitor access to relational databases on a real-time basis. Transaction tracking technology, as one example, can dynamically generate Structured Query Language (SQL), based upon various search criteria, and provides the capability for customized analyses within each application housing confidential data. The search results are available in Microsoft Excel, PDF and table formats, and may be printed, e-mailed and archived.

Our CFE client organizations that establish a data access policy and formally notify all employees of the provisions of that policy, institute an ongoing awareness program to reinforce the policy and implement technology to track individual accesses of confidential data have taken the initial steps toward safeguarding data. These are necessary components of a data surveillance program and serve as the foundation upon which the remainder of the process may be based. That said, it is critical that organizations not rely solely on these components, as doing so will result in an unwarranted sense of security. Without an ongoing monitoring process to detect questionable database activity and a comprehensive investigative function to address unauthorized accesses, the impact of the foregoing measures will be marginal.

The final piece of a data surveillance program is the disciplinary process. The ACFE tells us that employees who willfully violate the policy prohibiting nonbusiness access of confidential information must be disciplined; the exact nature of which discipline should be determined by executive management. Without a structured disciplinary process, employees will realize that their database browsing, even if detected, will not result in any consequence and, therefore, they will not be deterred from this type of misconduct. Without an effective disciplinary component, an organization’s privacy protection program will ultimately fail.

The bottom line is that our client organizations that maintain confidential data need to develop measures to protect this asset from internal as well as from external misuse, without imposing barriers that restrict their employees’ ability to perform their duties. In today’s environment, those who are perceived as being unable to protect the sensitive data entrusted to them will inevitably experience an erosion of consumer confidence, and the accompanying consequences. Data surveillance deployed in conjunction with a clear data access policy, an ongoing employee awareness program, an innovative monitoring process, an effective investigative function and a standardized disciplinary procedure are the component controls the CFE should look for when conducting a proactive fraud risk assessment of employee access to PCI.

On Business Process Flow

During the last few years attention has increasingly turned to consideration of client critical business processes functioning as a unified whole as a focus of both risk assessment and fraud prevention efforts.  As result of this attention has come the accompanying realization that superior design of individual business processes is not only critical to the success of the overall organization but to its fraud prevention effort as well. For example, take bid preparation, a process that is usually conducted under time pressure, and requires cross-organizational coordination involving the finance, marketing and production departments. If this process is badly designed, it may slow down processing and lead to late submission of the bid or to an inadequately organized bid, reducing the chances of winning the tender, all outcomes that increase the risk of the emergence of irregularities and perhaps even to the enhanced facilitation of actual fraud. 

An additional realization has been that business processes require process based management.  As CFE’s, our client organizations are usually divided into functional units (e.g., finance, marketing). Many business processes, however, like the bid process, are cross-organizational, involving several functions within the organization.  A raw material purchasing process flows through the warehouse, logistics, purchasing and finance functions. Although each unit may function impeccably independently, the process may be impaired due to a lack of coordination among the units. To prevent the obvious fraud vulnerabilities related to this problem, the ACFE emphasizes the need to manage the business process fraud prevention effort end to end. This includes appointing a process owner; setting performance standards (e.g., time, quality, cost); and establishing (and risk assessing) the control, monitoring and measurement of all the processes at work. 

In the modern business world, change is constantly occurring; admirable as this fact is from an innovation perspective, anything that creates change, especially rapid change, can constitute opportunity for the ethically challenged.  Despite this and associated risks, to ensure its competitiveness, the organization must continuously improve and adapt its business processes. Automated processes based on information systems are usually more difficult and expensive to change than manual processes (of which there are fewer left every day). Modifications to traditional program code require time and human resources, resulting in delays and high costs. Hence, to maintain business agility, automating business processes requires a technology that supports rapid modifications and often, less management oversight and control and more vulnerability to fraud. 

Any business that is successful over the long term has most likely performed some kind of risk assessment, and had some success at managing business risks. Managers of successful entities have thought out what risks could have a significant negative impact on their ability to successfully execute the business plan, or even just cause a substantial loss of business, and have attempted to provided mitigating activities to address those risks. With the pervasiveness of fraud and, more important, their increasing dependence on cross organizational business processes, entities have had to consider a fraud risk assessment as a sizeable portion of any fraud prevention effort. Yet, many entities struggle with the issue or, if convinced of the need to conduct an assessment across business process flows, with where to begin in performing an effective one. 

The primary focus of a cross-organizational business process fraud risk assessment is to identify risks that the totality of such business processes present to the business, i.e., adverse effects related to these processes, whether taken as a whole or individually, are not in the best interests of the entity. These risks are usually associated with business elements such as the ability to deliver the service/product efficiently and effectively, the ability to comply with regulations or contractual obligations, the effectiveness of systems (especially accounting systems and financial reporting systems), and the effective management of the entity in general (to achieve goals and objectives, to successfully achieve the business model). Weak anti-fraud controls can introduce risks in any of these areas, and more. For instance, robust anti-fraud controls can enhance the entity’s ability to sell its products over the internet, or move costs (clerical functions) from within the entity (employees) to customers outside the entity (e.g., online banking and the need to ask questions about accounts).   The bottom line is that there is a need to have an effective identification and assessment of business process risks where the risks are at a degree that is more than trivial. 

Typically, fraud risk is assessed as both a probability of occurrence and a magnitude of effect, or the product of the two. The greater that product, the more significant that risk is to the entity, and the more it needs to be mitigated. Therefore, for each cross-organizational process risk, someone is asking the questions: what is the magnitude of the identified fraud risk/failure (e.g., monetary loss)? What is the likelihood of it occurring (e.g., a percentage)? One thing the CFE can do is to obtain a copy of the client’s current risk assessment document. If management does not have one, or if it is in their head, then by default, assurance over fraud risk being properly mitigated is lowered. Another good start is to obtain the client’s business model; goals, objectives and strategies; and policies and procedures documents. A review of these documents will enable the CFE to understand where cross business process fraud risks could occur.   

Another thing the CFE should do is gain a good understanding of the loss prevention function (if there is one), including its managerial and operational aspects. Then, depending on the entity, there could be an extensive list of technologies or systems that will need to be evaluated for risk in operations. From the management side, it includes the internal audit and loss prevention staffs. A measure of the competency of staff devoted to the fraud prevention effort is a key factor. Obviously, the more competent the staff, the lower the risks associated with all the elements of operations they affect, and vice versa. 

Since traditional systems are transaction based and handle each transaction and business document separately, it’s difficult to audit processes end to end.  Therefore, in such systems proper audit trails should be designed and implemented to ensure that a chronological record of all events that have occurred is maintained.  A focus on entire business processes, by contrast, is process flow based and therefore audit trails are a built-in feature.  In automated systems featuring this type of inter-process flow, all incidents and steps of multi-business processes are documented and linked to each other in the order they occurred.  

From the access control aspect of operations, an assessment should be made as to risk of unauthorized activities. For example, do access controls sufficiently limit access to systems and supported business process flows by effective authorization and authentication controls? Does the information management test new systems and applications thoroughly before deployment? Is there a sufficient staging area so that business process flow support applications can be tested not only on a stand-alone basis but also when interfaced with other applications and whole systems? If applications are not tested, this would lead the CFE to have less assurance about mitigating fraud risks facilitated by bugs and system failures.

The focus of fraud mitigation has moved, with increasing automation, away from the simple single fraud scenario to the entire flow of the interlocking business processes constituting the modern organization and their analytic footprint. 

Inside and Out

college-studentsI had quite a good time a little over a month ago, addressing a senior auditing class at the University of Richmond on the topic of how fraud examiners and forensic accountants can work jointly together, primarily with a client’s internal auditors and, secondarily with its external auditors, to substantially strengthen any fraud investigation assignment.

Internal and external auditors each play an important role in the governance structure of their client organizations. Like CFEs, both groups have mutual interests regarding the effectiveness of internal financial controls, and both adhere to ethical codes and professional standards set by their respective professional bodies. Additionally, as I told the very lively class, both types of auditors operate independently of the activities they audit, and they’re expected to have extensive knowledge about the business, industry, and strategic risks faced by the organizations they serve. Yet, with all their similarities, internal auditing and external auditing are two distinct functions that have numerous differences. The Institute of Internal Auditors (IAA) defines internal auditing as “an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.” Internal auditors in the public sector (where I spent most of my audit career as a CIA) place an additional emphasis on providing assurance on performance and compliance with policies and procedures. Concerned with all aspects of the organization – both financial and non-financial – the internal auditors focus on future events because of their continuous review and evaluation of controls and processes.

In contrast, external auditing provides an independent opinion of a company’s financial statements and fair presentation. This type of auditing encompasses whether the statements conform with Generally Accepted Accounting Principles, whether they fairly present the financial position of the organization, whether the results of operations for a given period are represented accurately, and whether the financial statements have been affected materially (i.e., whether they include a misstatement that is likely to influence the economic decisions of financial statement users). External auditing’s approach is mainly historical in nature, although some forward-looking improvements may be suggested in the auditors’ recommendations to management based on the analysis of controls during a financial statement audit.

I emphasized to the students that these definitions alone pinpoint the key distinctions that separate the two audit approaches. However, internal auditing is much broader and more encompassing than external auditing. Its value resides in the function’s ability to look at the underlying operations that drive the financial numbers before those numbers hit the books. For instance, when considering “sales” as a line item in a set of financial statements, the external audit focuses primarily on the existence, completeness, accuracy, classification, timing, posting and summarization of sales numbers. The internal audit goes beyond these assertions and looks at sales operations in a much broader context by asking questions regarding the target market, sales plan, organizational structure of the sales department, qualifications of sales personnel, effectiveness of sales operations, measurement of sales performance, and compliance with sales policies.

These types of questions probe the very core of sales operations and can greatly impact the sales numbers recorded in financial statements. For example, assuming a sales number of $6 million, the external auditor has merely to render an opinion regarding the validity of that number. The internal auditor, however, can ask whether the number could  have really been $12 million, if only the right market had been targeted, and if operations had been effective in the first place. It’s this emersion in detail and the overall knowledge of operations that makes the internal auditor such a strong partner for the fraud examiner in any joint investigation.

Internal auditors represent an integral part of the organization – their primary clients are management and the board. Although historically internal auditors reported to the chief financial officer or other senior management staff, for the last two decades internal auditing has reported directly to the audit committee of the board of directors, which helps strengthen auditor independence and objectivity. Today, internal audit functions, for the most part, follow this reporting relationship, which is consistent with the IIA’s Standard on Organizational Independence.

The chief audit executive’s (CAE’s) appointment is normally meant to be permanent, unless he or she resigns or is dismissed. In some quasi and intergovernmental organizations, CAEs are given tenured positions – five-year appointments, for example – to enhance independence.  Conversely, external auditors are not part of the organization, but are engaged by it. Their objectives are set primarily by statute and by their main client, the board of directors. External auditors are appointed by the board, and they submit an annual report to the company’s shareholders. The appointment is meant to extend for a specified time – external auditors can be re-appointed at the company’s annual general meeting. In some jurisdictions, there are limits on an external auditor’s length of service, often five or seven years.

In general, internal audit functions are not mandatory for organizations. Instead, their installment is left up to individual organizations’ discretion but internal auditing is mandatory in some cases. Companies listed on the New York Stock Exchange must have an internal audit function, whether in-house or outsourced.  An external audit is legally required for many companies, particularly those listed on a public exchange. External audits of some government agencies are also legislated, requiring government auditors to submit the audit report to their respective legislature.

The necessary qualifications for an internal auditor rest solely on the judgment of the employer. Although internal auditors are often qualified as accountants, some are qualified engineers, sales personnel, production engineers, and management personnel who have moved through the ranks of the organization with a sound knowledge of its operations and have garnered experience that makes them abundantly qualified to perform internal auditing. Annually, more and more internal auditors hold the IIA’s Certified Internal Auditor designation, which demonstrates competency and professionalism in the field of internal auditing. Because of their continuous investigation into all the organization’s operating systems, internal auditors who remain in the same organization for many years constitute a unique resource to the CFE of comprehensive and current knowledge of the organization and its operations.

External auditors are required to understand errors and irregularities, assess risk of occurrence, design audits to provide reasonable assurance of material detection, and report on such findings. In most countries, auditors of public companies must be members of a body of professional accountants recognized by law – for example, the Institute of Chartered Accountants in England and Wales, American Institute of Certified Public Accountants, or Canadian Institute of Chartered Accountants.  Because external auditors’ scope of work is narrowly focused on financial statement auditing, and they come into the organization only once or twice a year, their knowledge of the organization’s operations is unlikely to be as extensive as that of the internal auditors.

Those entering the CFE profession need to realize that patterns of business growth, globalization, and corporate scandals have changed the thrust of the internal audit profession in recent years. In its early years, internal auditing focused on protection oriented objectives and emphasized compliance with accounting and operational procedures, verification of calculation accuracy, fraud detection and protection of assets. Gradually, new dimensions were added that ranged from an evaluation of financial and compliance risks to an assessment of business risks, ethics and corporate governance. These changes have only increased the gap between the disciplines of internal and external auditing. Yet, despite their differences, internal auditing and external auditing no longer work in competition, as was the case before the U.S. Sarbanes-Oxley Act was enacted, when a company’s external auditors would sometimes compete with in-house audit departments for internal audit work. Regulations like Sarbanes-Oxley prohibited the external auditor from providing both external and internal audit services to the same company. Today all CFEs can benefit from the complementary skills, areas of expertise, and perspectives of both the external and the internal auditors.  The ACFE recommends that to strengthen the fraud prevention program they should meet periodically to discuss common interests (like the fraud prevention program), strive to understand each other’s scope of work and methods, discuss audit coverage and scheduling to minimize redundancies, jointly assess areas of fraud risk, and provide access to each other’s reports, programs, and work papers.

In summary, fulfilling its oversight responsibilities for assurance, the board also should require internal and external auditors to coordinate their audit work to increase the economy, efficiency, and effectiveness of the overall audit process. Despite some similarities, a world of difference exists between internal auditing and external auditing. Nonetheless, both audit types, and the respective services they provide, are essential to maintaining an effective governance structure. With a greater understanding of the unique perspective of each, CFEs can maximize the aggregate contribution or each to our joint investigations and thereby ensure organizational success.